
Exam Ref 70-743
Upgrading Your Skills to MCSA: Windows Server 2016

Charles Pluta
Exam Ref 70-743 Upgrading Your Skills to MCSA: Windows Server 2016
Published with the authorization of Microsoft Corporation by:
Pearson Education, Inc.
Copyright © 2017 by Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearsoned.com/permissions/. No patent liability is assumed with respect to the use of the information contained herein.
Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7356-9743-0
ISBN-10: 0-7356-9743-4
Library of Congress Control Number: 2016959957
First Printing December 2016
Trademarks
Microsoft and the trademarks listed at https://www.microsoft.com on the "Trademarks" webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or programs accompanying it.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.

Editor-in-Chief Greg Wiegand
Acquisitions Editor Trina MacDonald
Development Editor Rick Kughen
Managing Editor Sandra Schroeder
Senior Project Editor Tracey Croom
Editorial Production Backstop Media, Troy Mott
Copy Editor Jordan Severn
Indexer Julie Grady
Proofreader Christina Rudloff
Technical Editor Ron Handlon
Cover Designer Twist Creative, Seattle
Contents

    Manage Windows Server Core installations using Windows PowerShell, command line, and remote management capabilities 8
    Implement Windows PowerShell Desired State Configuration to install and maintain integrity of installed environments 9
    Perform upgrades and migrations of servers and core workloads from Windows Server 2008 and Windows Server 2012 to Windows Server 2016 10
    Determine the appropriate activation model for server installation, such as Automatic Virtual Machine Activation, Key Management Service, and Active Directory-based Activation 11
  Skill 1.2 Install and configure Nano Server 14
    Determine appropriate usage scenarios and requirements for Nano Server 15
    Install Nano Server 15
    Implement roles and features on Nano Server 17
    Manage and configure Nano Server 19
  Skill 1.3 Create, manage, and maintain images for deployment 20
    Plan for Windows Server virtualization 21
    Plan for Linux and FreeBSD deployments 22
    Assess virtualization workloads using the Microsoft Assessment and Planning Toolkit, determine considerations for deploying workloads into virtualized environments 24
    Manage and maintain Windows Server Core, Nano Server images, and VHDs using Windows PowerShell, update images with patches, hotfixes, and drivers and install roles and features in offline images 25
  Chapter summary 26
  Thought Experiment 26
  Thought Experiment Answer 27

Chapter 3 Implement Hyper-V 51
  Skill 3.1 Install and configure Hyper-V 51
    Determine hardware and compatibility requirements for installing Hyper-V 52
    Install Hyper-V 52
    Install management tools 52
    Upgrade from existing versions of Hyper-V 54
    Delegate virtual machine management 55
    Perform remote management of Hyper-V hosts 58
    Configure virtual machines using Windows PowerShell Direct 59
    Implement nested virtualization 60
  Skill 3.2 Configure virtual machine settings 62
    Add or remove memory in a running VM 62
    Configure dynamic memory 63
    Configure Non-Uniform Memory Access support 63
    Configure smart paging 64
    Configure Resource Metering 65
    Manage Integration Services 67
    Create and configure Generation 1 and 2 VMs and determine appropriate usage scenarios 68
    Implement enhanced session mode 68
    Create Linux and FreeBSD VMs, install and configure Linux Integration Services, and install and configure FreeBSD Integration Services 69
    Implement Secure Boot for Windows and Linux environments 70
    Move and convert VMs from previous versions of Hyper-V to Windows Server 2016 Hyper-V 70
    Export and import VMs 71
    Implement Discrete Device Assignment (DDA) 72

Chapter 4 Implement Windows Containers 93
  Skill 4.1 Deploy Windows Containers 93
    Determine installation requirements and appropriate scenarios for Windows Containers 94
    Install and configure containers 94
    Install Docker on Windows Server and Nano Server 95
    Configure Docker daemon start-up options 96
    Install a base operating system 97
    Tag an image 98
    Uninstall an operating system image 98
    Create Windows Server containers 99
    Create Hyper-V containers 99
  Skill 4.2 Manage Windows Containers 101
    Manage Windows or Linux containers using the Docker daemon 101
    Manage Windows or Linux containers using Windows PowerShell 102
    Manage container networking 103
    Manage container data volumes 106
    Manage resource control 106
    Create new container images using Dockerfile 107
    Manage container images using Docker Hub repository for public and private scenarios 107
    Manage container images using Microsoft Azure 109
  Chapter summary 110
  Thought Experiment 110
  Thought Experiment Answers 111

  Skill 5.3 Implement Storage Spaces Direct 148
    Determine scenario requirements for implementing Storage Spaces Direct 148
    Enable Storage Spaces Direct using Windows PowerShell 148
    Implement a disaggregated Storage Spaces Direct scenario in a cluster 149
    Implement a hyper-converged Storage Spaces Direct scenario in a cluster 150
  Skill 5.4 Manage failover clustering 152
    Configure role-specific settings, including continuously available shares 152
    Configure VM monitoring 153
    Configure failover and preference settings 154
    Implement stretch and site-aware failover clusters 157
    Enable and configure node fairness 157
  Skill 5.5 Manage VM movement in clustered nodes 158
    Perform live migration 158
    Perform quick migration 158
    Perform storage migration 158
    Import, export, and copy VMs 159
    Configure VM network health protection 159
    Configure drain on shutdown 160
  Chapter summary 160
  Thought Experiment 161
  Thought Experiment Answers 161

Chapter 7 Implement IP Address Management 183
  Skill 7.1 Install and configure IPAM 183
    Provision IPAM manually or by using Group Policy 184
    Configure server discovery 191
    Create and manage IP blocks and ranges 193
    Monitor utilization of IP address space 195
    Migrate existing workloads to IPAM 198
    Configure IPAM database storage using SQL Server 198
    Determine scenarios for using IPAM with System Center Virtual Machine Manager for physical and virtual IP address space management 199
    Manage DHCP server properties using IPAM 200
    Configure DHCP scopes and options 201
    Configure DHCP policies and failover 202
    Manage DNS server properties using IPAM 202
    Manage DNS zones and records 203
    Manage DNS and DHCP servers in multiple Active Directory forests 204
    Delegate administration for DNS and DHCP using Role-Based Access Control (RBAC) 204
  Chapter summary 206
  Thought Experiment 206
  Thought Experiment Answers 207

Chapter 8 Implement network connectivity and remote access solutions 209
    Implement Virtual Private Network and DirectAccess solutions 209
    Implement remote access and site-to-site VPN solutions using Remote Access Gateway 210
    Configure different VPN protocol options 215
    Configure authentication options 216
    Configure VPN reconnect 217

    Determine scenarios for implementation of Software Load Balancer for North-South and East-West load balancing 237
    Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their uses 239
    Determine requirements and scenarios for distributed firewall policies and network security groups 239
  Chapter summary 241
  Thought Experiment 241
  Thought Experiment Answers 242

Chapter 10 Install and configure Active Directory Domain Services 243
  Skill 10.1 Install and configure domain controllers 243
    Install a new forest 244
    Add or remove a domain controller from a domain 248
    Upgrade a domain controller 250
    Install AD DS on a Server Core installation 251
    Install a domain controller from Install from Media 253
    Resolve DNS SRV record registration issues 257
    Configure a global catalog server 258
    Transfer and seize operations master roles 260
    Install and configure a read-only domain controller 263
    Configure domain controller cloning 267
  Chapter summary 270
  Thought experiment: Upgrading the forest 270
  Thought experiment answers 271
Introduction

With each release of Windows Server, more and more features are added or modified, which makes knowing the product inside and out more and more difficult. The 70-743 exam, "Upgrading your skills to Windows Server 2016," is for administrators who have previously achieved the MCSA certification for Windows Server 2008 or Windows Server 2012 and plan to achieve the latest certification offering.

Understanding that the exam is geared specifically towards administrators with existing knowledge, this Exam Ref book assumes you remember the knowledge that is necessary to pass the previous versions of the exam. Therefore, we focus solely on the skills that are measured in the 70-743 exam, sometimes skipping the basics of the skill. A lot of these skills build on the knowledge you've retained from Windows Server 2008 or Windows Server 2012. However, some of the skills are brand new to Windows Server 2016, and are expected to be highlighted on the exam.

The goal of this book is to act as a reference to give you the tools and knowledge that you need to succeed in passing the exam. While we cover every skill that the exam measures and focus on real-world examples of how to use the technologies that are listed, there is no way of guaranteeing that you will pass the exam simply by using this book. As you are well aware as an existing MCSA credential holder, nothing is better than getting hands-on experience with each of the roles and features in Windows Server 2016 before taking the exam. It is recommended that you use the information in this book, combined with a hands-on approach of trying each role or feature discussed by using both graphical and Windows PowerShell (or command-line) tools. This will ensure that you have the best opportunity to succeed when taking the exam.

This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the "Need more review?" links you'll find in the text to find more information and take the time to research and study the topic. Great information is available on MSDN, TechNet, MVA, and in blogs and forums.

Free ebooks from Microsoft Press
From technical overviews to in-depth information on special topics, the free ebooks from Microsoft Press cover a wide range of topics. These ebooks are available in PDF, EPUB, and Mobi for Kindle formats, ready for you to download at
https://aka.ms/mspressfree
Check back often to see what is new!

Microsoft Virtual Academy

Build your knowledge of Microsoft technologies with free expert-led online training from Microsoft Virtual Academy (MVA). MVA offers a comprehensive library of videos, live events, and more to help you learn the latest technologies and prepare for certification exams. You'll find what you need here:
https://www.microsoftvirtualacademy.com

Quick access to online references

Throughout this book are addresses to webpages that the author has recommended you visit for more information. Some of these addresses (also known as URLs) can be painstaking to type into a web browser, so we've compiled all of them into a single list that readers of the print edition can refer to while they read.
Download the list at https://aka.ms/examref743/downloads.
The URLs are organized by chapter and heading. Every time you come across a URL in the book, find the hyperlink in the list to go directly to the webpage.

Errata, updates, & book support
We've made every effort to ensure the accuracy of this book and its companion content. You can access updates to this book, in the form of a list of submitted errata and their related corrections, at

https://aka.ms/examref743/errata

If you discover an error that is not already listed, please submit it to us at the same page.
If you need additional support, email Microsoft Press Book Support at mspinput@microsoft.com.
Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to https://support.microsoft.com.

We want to hear from you

At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at

https://aka.ms/tellpress

We know you're busy, so we've kept it short with just a few questions. Your answers go directly to the editors at Microsoft Press. (No personal information will be requested.) Thanks in advance for your input!

Stay in touch
Let's keep the conversation going! We're on Twitter: http://twitter.com/MicrosoftPress
Important: How to use this book to study for the exam
Certification exams validate your on-the-job experience and product knowledge. To gauge your readiness to take an exam, use this Exam Ref to help you check your understanding of the skills tested by the exam. Determine the topics you know well and the areas in which you need more experience. To help you refresh your skills in specific areas, we have also provided "Need more review?" pointers, which direct you to more in-depth information outside the book.
The Exam Ref is not a substitute for hands-on experience. This book is not designed to teach you new skills.
We recommend that you round out your exam preparation by using a combination of available study materials and courses. Learn more about available classroom training at https://www.microsoft.com/learning. Microsoft Official Practice Tests are available for many exams at https://aka.ms/practicetests. You can also find free online courses and live events from Microsoft Virtual Academy at https://www.microsoftvirtualacademy.com.
This book is organized by the "Skills measured" list published for the exam. The "Skills measured" list for each exam is available on the Microsoft Learning website: https://aka.ms/examlist.
Note that this Exam Ref is based on this publicly available information and the author's experience. To safeguard the integrity of the exam, authors do not have access to the exam questions.

CHAPTER 1

Install Windows Servers in host and compute environments

In this chapter we discuss the requirements for installing, upgrading, and migrating servers to Windows Server 2016. We'll also cover Nano Server, the new installation option of Windows Server. Finally, we will discuss how to create, manage, and maintain images that can be used for Windows Server deployments.

IMPORTANT: Have you read page xxiii? It contains valuable information regarding the skills you need to pass the exam.

Windows Server 2016 introduces several new features compared to Windows Server 2012. These features include:
■ Nano Server Offers a new installation type that does not provide a graphical or command prompt experience and must be managed remotely.
■ Containers Isolate applications from the operating system. Each container is isolated, but runs on the base operating system and shares its kernel. You can further isolate a container by running it as a virtual machine with Hyper-V (a Hyper-V container), which gives it a kernel of its own.
■ Docker Provides a method of managing containers, and is supported for Windows Server 2016 and Hyper-V.
■ Rolling upgrades Enable you to add Windows Server 2016 nodes to an existing Windows Server 2012 R2 failover cluster and continue to operate the cluster until all nodes have been upgraded.
■ Hyper-V memory enhancements Enable you to dynamically add or remove virtual memory and network adapters from running virtual machines (VMs).
■ Nested virtualization Provides a method of running a nested Hyper-V installation within a VM.
■ Shielded virtual machines Protect the data and state of a VM from the fabric it runs on: the VM's disks are encrypted and the VM can only run on hosts that have been attested as healthy, so a compromised host or a fabric administrator cannot read or tamper with the data stored on the VM.
■ PowerShell Direct Enables you to run PowerShell in a VM from its Hyper-V host without any network connectivity, firewall rules, or remote management configuration in the guest. It is not a bypass of authentication: you still need Hyper-V administrator rights on the host and valid credentials for the guest.
■ Windows Defender Is installed and enabled by default on Windows Server 2016, and its anti-malware definitions are kept up to date automatically.
■ Storage Spaces Direct Enables you to build a highly available storage pool from the direct-attached storage of cluster nodes, using Server Message Block version 3.0 (SMB 3.0) for the storage traffic between nodes.

Determine appropriate Windows Server 2016 editions per workload
Microsoft offers several editions of Windows Server 2016. Selecting the appropriate edition for your environment depends on the size or functionality that you expect to receive from the server. Table 1-1 lists the Windows Server 2016 editions that are available.

TABLE 1-1 Comparing Windows Server 2016 Editions

Edition                                        | Description                                    | License model | Client access license
-----------------------------------------------|------------------------------------------------|---------------|------------------------------------------------
Windows Server 2016 Datacenter                 | Highly virtualized environments                | Per core      | Windows Server CAL
Windows Server 2016 Standard                   | Physical or minimally virtualized environments | Per core      | Windows Server CAL
Windows Server 2016 Essentials                 | Small businesses                               | Per processor | N/A
Windows Server 2016 MultiPoint Premium Server  | Academic volume licensing                      | Per processor | Windows Server and Remote Desktop Services CALs
Windows Storage Server 2016                    | OEM channel                                    | Per processor | N/A
Microsoft Hyper-V Server 2016                  | Free hypervisor                                | N/A           | N/A

Another installation option of Windows Server is Nano Server, which is discussed later in this chapter in "Skill 1.2: Install and configure Nano Server."

Install Windows Server 2016

Although there are a few different editions of Windows Server 2016, the installation process is fairly similar in each of them. Manually installing Windows Server is as simple as completing the GUI wizard and selecting the options. The most important aspect of the installation process is selecting the type of installation that you prefer:
■ Server Core (Default)
■ Server with Desktop Experience
In previous versions of Windows Server, you could use Server Manager or Windows PowerShell to adjust whether the server has a GUI. With Windows Server 2016, once the installation type has been selected, it cannot be changed; moving between Server Core and Desktop Experience means reinstalling, so decide up front which one the workload needs. Figure 1-1 shows the available options when manually installing Windows Server 2016.



The following features have been removed as of Windows Server 2016:
■ Ink and Handwriting Services
■ User Interfaces and Infrastructure
Three new features have been added to Windows Server 2016:
■ Setup and Boot Event Collection Enables you to collect and log the setup and boot events from other computers on the network.
■ VM Shielding Tools for Fabric Management Provides shielding tools for the Fabric Management server on a network. For the upgrade exam, Fabric Management is not specifically called out in the skills measured.
■ Windows Defender Features Comes pre-installed and provides malware protection for the server.
Remember that in addition to using Server Manager, you can also install server roles and features by using the Install-WindowsFeature cmdlet. To obtain the list of available features that can be installed, use the Get-WindowsFeature cmdlet. For example, to see the available server roles and features that relate to Active Directory, run the following command:
Get-WindowsFeature -Name AD* | FT Name

Windows returns a list of server roles and features similar to the following:

Name
----
AD-Certificate
ADCS-Cert-Authority
ADCS-Enroll-Web-Pol
ADCS-Enroll-Web-Svc
ADCS-Web-Enrollment
ADCS-Device-Enrollment
ADCS-Online-Cert
AD-Domain-Services
ADFS-Federation
ADLDS
ADRMS
ADRMS-Server
ADRMS-Identity
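The two cmdlets are more useful together than as a one-off listing. The following script is an added example and not part of the book: it records the roles and features installed on a reference server as a baseline file, then on any other server compares what is installed against that baseline, installs what is missing, and reports (or, on request, removes) anything extra. The file paths and server names are constructed placeholders.

```powershell
# Added example, not from the book. Baseline drift check for roles and features.
# Assumes Windows Server 2016 (ServerManager module); file paths are placeholders.
Import-Module ServerManager

function Export-FeatureBaseline {
    # Run once on a freshly built reference server; captures every installed
    # role/feature, including sub-features pulled in as dependencies.
    param([Parameter(Mandatory)][string]$Path)
    Get-WindowsFeature |
        Where-Object { $_.InstallState -eq 'Installed' } |
        Select-Object -ExpandProperty Name |
        Sort-Object |
        Set-Content -Path $Path
}

function Compare-FeatureBaseline {
    # Returns an object listing what is installed beyond the baseline (Unexpected)
    # and what the baseline requires but is absent (Missing).
    param([Parameter(Mandatory)][string]$Path)
    $baseline  = @(Get-Content -Path $Path | Where-Object { $_ -and -not $_.StartsWith('#') })
    $installed = @(Get-WindowsFeature |
                   Where-Object { $_.InstallState -eq 'Installed' } |
                   Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Unexpected   = @($installed | Where-Object { $_ -notin $baseline })
        Missing      = @($baseline  | Where-Object { $_ -notin $installed })
    }
}

function Repair-FeatureBaseline {
    # Brings the server in line with the baseline. Removal is opt-in: an
    # unexpected feature may be a dependency somebody added on purpose.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$RemoveUnexpected
    )
    $drift   = Compare-FeatureBaseline -Path $Path
    $restart = $false
    if ($drift.Missing.Count -gt 0) {
        $r = Install-WindowsFeature -Name $drift.Missing
        if ($r.RestartNeeded -eq 'Yes') { $restart = $true }
    }
    if ($RemoveUnexpected -and $drift.Unexpected.Count -gt 0) {
        # -Remove also deletes the payload from the side-by-side store, so the
        # feature cannot be re-enabled without installation media or Windows Update.
        $r = Uninstall-WindowsFeature -Name $drift.Unexpected -Remove
        if ($r.RestartNeeded -eq 'Yes') { $restart = $true }
    }
    if ($restart) { Write-Warning "$($env:COMPUTERNAME): restart required to complete the change." }
    Compare-FeatureBaseline -Path $Path   # re-check and return whatever drift remains
}

# Usage (paths and names are placeholders):
#   On the reference server:  Export-FeatureBaseline  -Path \\fileserver\baselines\web-tier.txt
#   On each member server:    Compare-FeatureBaseline -Path \\fileserver\baselines\web-tier.txt
#                             Repair-FeatureBaseline  -Path \\fileserver\baselines\web-tier.txt -RemoveUnexpected
```

Comparing by feature name rather than by the roles you remember installing matters because Install-WindowsFeature pulls in sub-features and management tools silently; exporting the baseline from a machine that was built the approved way captures those dependencies too.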



Install and configure Windows Server Core
Performing a default installation by using the GUI to install Windows Server creates a Server Core installation. The default settings for installing Windows Server do not include the Desktop Experience features. Figure 1-2 shows the initial logon screen after performing a Server Core installation.

FIGURE 1-2 Server Core logon screen

As Figure 1-2 shows, there is no graphical element to the installation. Unlike some previous versions, you cannot switch from a Server Core installation to an installation with a GUI. The Desktop Experience installation option must be selected during installation to add these specific features.
After changing the password or logging in for the first time, you are simply presented with a blank command prompt. To make any configuration changes locally on the server, run the sconfig.cmd command from the command prompt. Figure 1-3 shows the available configuration options by running sconfig. Everything sconfig offers (computer name, domain membership, network settings, remote management, updates) can also be done with PowerShell cmdlets, which is the better choice when the same steps have to be repeated on many servers.

FIGURE 1-3 sconfig.cmd
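As an added example (not from the book), the following two functions do from PowerShell what an administrator would otherwise click through in sconfig: the first runs at the Server Core console and sets a static address, enables WinRM and the firewall rule groups the remote consoles need, and then renames and domain-joins the host; the second runs on a domain-joined admin workstation and opens a remoting session to verify the result. Host name, addresses, domain name and the join account are constructed placeholders.

```powershell
# Added example, not from the book. First-boot configuration of a Server Core host
# from PowerShell (the settings sconfig.cmd exposes), then the client side of
# remote management. Names, addresses, domain and account are placeholders.

function Initialize-CoreHost {
    # Run elevated at the Server Core console. Order matters: remoting and
    # firewall rules first, the domain join (which restarts the box) last.
    param(
        [string]$NewName   = 'CORE01',
        [string]$Domain    = 'corp.example.com',
        [string]$IPv4      = '10.0.0.20',
        [int]   $Prefix    = 24,
        [string]$Gateway   = '10.0.0.1',
        [string]$DnsServer = '10.0.0.10'
    )
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

    # Static addressing: drop the DHCP lease and default route before adding the new ones.
    Set-NetIPInterface -InterfaceIndex $nic.ifIndex -Dhcp Disabled
    Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IPv4 -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DnsServer

    # WinRM listener plus the firewall groups Server Manager and the MMC consoles use.
    # -SkipNetworkProfileCheck: the NIC sits on the Public profile until the domain join.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck
    $groups = @('Remote Event Log Management',
                'Remote Service Management',
                'Remote Volume Management',
                'Windows Remote Management')
    Enable-NetFirewallRule -DisplayGroup $groups
    # Keep the default deny on everything else; do not turn the firewall profile off.

    # Rename and join in one operation. Passing only the user name makes Add-Computer
    # prompt for the password, so it never appears on the command line or in history.
    Add-Computer -DomainName $Domain -NewName $NewName -Credential "$Domain\svc-join" -Restart
}

function Connect-CoreHost {
    # Run on a domain-joined admin workstation. Inside the domain WinRM uses
    # Kerberos, so both sides are authenticated and no TrustedHosts entry is needed.
    param([Parameter(Mandatory)][string]$ComputerName)
    $session = New-PSSession -ComputerName $ComputerName
    Invoke-Command -Session $session -ScriptBlock {
        # Anything sconfig displays can be read here; confirm the join and the listener.
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Domain    = (Get-CimInstance Win32_ComputerSystem).Domain
            Listeners = (Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys) -join ';'
        }
    }
    Remove-PSSession $session
}

# Workgroup or cross-forest hosts only: a TrustedHosts entry turns off mutual
# authentication for the listed names, so scope it to the exact host and prefer an
# HTTPS listener with a certificate instead:
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'CORE01' -Concatenate
```

The firewall rule groups are enabled by name rather than by opening the profile, which keeps the remote-management surface limited to the consoles actually used; the TrustedHosts line stays commented because within a domain Kerberos already gives the client proof of which server it is talking to.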

Implement Windows PowerShell Desired State Configuration to install and maintain integrity of installed environments
Desired State Configuration (DSC) extends Windows PowerShell and enables you to deploy and configure a server based on a template or baseline. Using DSC you are able to automate the configuration of several settings, including:
■ Server roles and features
■ Registry settings
■ Files and directories
■ Processes and services
■ Groups and user accounts
■ Environment variables
■ PowerShell scripts
In addition to performing the initial configuration, you can also use DSC to identify servers that no longer conform to the desired state. DSC has built-in resources to enable you to determine the actual configuration of a server, and implement changes if necessary. There are three primary components of DSC:
■ Local Configuration Manager (LCM) The LCM runs on every server (or target node) being managed. The LCM applies the configuration it has been given to the target node. The LCM also controls how that happens, including the refresh method (push or pull), how frequently to check and re-apply the configuration, whether drift is only reported or also corrected, and how partial configurations are combined.
■ Resources Used to implement the state changes a configuration asks for. Resources are part of PowerShell modules, and each models one kind of item, such as a file, a registry key, a service, a process, a role, or even a VM. Every resource exposes the same three operations: get the current state, test whether it matches the desired state, and set it if it does not.
■ Configuration Defined as the scripts that declare which resources apply to which nodes, and with what properties. When the configuration is compiled and applied, DSC and the resources perform the configuration and ensure that the target node is configured as defined.
When a built-in resource does not cover what you need, the Script resource lets you supply the three operations yourself. Its properties are:
■ GetScript This block of code should return the current state of the item being tested. It must return a hashtable; by convention the hashtable carries a Result key whose value is a string describing the state.
■ TestScript This block of code determines if the node that is being tested needs to be modified. It returns $true when the item is already in the desired state and $false when it is not; a $false result causes the SetScript block to run.
■ SetScript This block of code modifies the node to the desired configuration.
■ Credential The credentials that are needed for the script, if any are required.
■ DependsOn This indicates that another resource must have been configured before this one is run.
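The configuration below is an added example, not from the book. It shows the three components together: built-in resources for a small hardening baseline, a Script resource whose GetScript, TestScript and SetScript blocks keep a file at an approved hash, and an LCM meta-configuration that makes the node re-check and correct itself rather than only being configured once. It assumes WMF 5 (for the `$using:` scope inside the Script blocks, which Windows Server 2016 ships with); the reference share, node name and expected hash are constructed placeholders.

```powershell
# Added example, not from the book. A DSC configuration that enforces a small
# hardening baseline with built-in resources and uses the Script resource's
# GetScript/TestScript/SetScript blocks to keep a file at an approved hash.
# Requires WMF 5 ($using: inside Script blocks). Reference path, node name and
# hash value are placeholders.
Configuration ServerBaseline {
    param(
        [string[]]$NodeName      = 'localhost',
        [string]  $HostsFile     = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]  $ReferenceCopy = '\\fileserver\baseline\hosts',            # placeholder share
        [string]  $ExpectedHash  = 'PLACEHOLDER-SHA256-OF-APPROVED-FILE'
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        WindowsFeature SMB1 {                  # legacy protocol off the box
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        Service RemoteRegistry {               # stop and disable a service
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
        Registry NoAutorun {                   # registry hardening value
            Key       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
            ValueName = 'NoDriveTypeAutoRun'
            ValueType = 'Dword'
            ValueData = '255'
            Ensure    = 'Present'
        }
        Script HostsFileIntegrity {
            # GetScript must return a hashtable; Result is the string DSC reports.
            GetScript  = {
                @{ Result = (Get-FileHash -Path $using:HostsFile -Algorithm SHA256).Hash }
            }
            # TestScript: $true means "already in the desired state, do nothing".
            TestScript = {
                (Test-Path $using:HostsFile) -and
                ((Get-FileHash -Path $using:HostsFile -Algorithm SHA256).Hash -eq $using:ExpectedHash)
            }
            # SetScript runs only when TestScript returned $false.
            SetScript  = {
                Copy-Item -Path $using:ReferenceCopy -Destination $using:HostsFile -Force
                Write-Verbose "Restored $using:HostsFile from the reference copy"
            }
            DependsOn  = '[Registry]NoAutorun'  # ordering: run after that resource
        }
    }
}

# LCM meta-configuration: re-check every 30 minutes and put drift back, so the
# node stays at the baseline instead of only being set up once.
[DSCLocalConfigurationManager()]
Configuration BaselineLcm {
    Node 'localhost' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile both to MOF files, then apply: LCM settings first, configuration second.
BaselineLcm    -OutputPath .\BaselineLcm | Out-Null
ServerBaseline -OutputPath .\ServerBaseline `
               -ExpectedHash (Get-FileHash -Path '\\fileserver\baseline\hosts' -Algorithm SHA256).Hash | Out-Null
Set-DscLocalConfigurationManager -Path .\BaselineLcm -Verbose
Start-DscConfiguration -Path .\ServerBaseline -Wait -Verbose

# Audit later without changing anything; InDesiredState is $false on any drift.
Test-DscConfiguration -Detailed
```

Two points worth noticing: TestScript is the only block that decides whether anything happens, so it must be cheap and side-effect free, and the ApplyAndAutoCorrect mode turns the configuration from a one-time build step into a standing integrity check that reverts an attacker's or an administrator's local edits on the next consistency run.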

To use AVMA, the Hyper-V host must be running an activated copy of Windows Server 2016 Datacenter, and each guest must have the generic AVMA key for its edition installed using the slmgr tool and the /ipk switch, for example slmgr /ipk <key>. The key is installed inside the VM, not on the host; the host contributes its own activation, which the guest inherits.
The AVMA activation for a VM is only valid for seven days. As the time period gets closer to expiration, the VM communicates with the virtualization host again to activate and reset the time period. To determine if a VM has been activated by AVMA, or to see the latest status, run the slmgr.vbs /dlv command inside the VM. Figure 1-4 shows the results of the command.

FIGURE 1-4 AVMA results

Note that in Figure 1-4, the description field includes the string VIRTUAL MACHINE ACTIVATION. This indicates that the virtual machine is activated using AVMA.
If you plan to automate guest installations, you can also specify the AVMA key in the Unattended Setup file of the guest. Once a guest has activated, the registry on the virtualization host provides the following tracking and reporting information for the guest operating system:
■ Fully qualified domain name
■ Operating system and service packs installed
■ Processor architecture
■ IPv4 and IPv6 network addresses
■ RDP addresses
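Because slmgr.vbs /dlv must be run inside each guest, checking a whole host's worth of VMs is a natural job for PowerShell Direct, which this chapter introduced earlier. The function below is an added example (not from the book): from the Hyper-V host it runs slmgr.vbs /dlv in every running Windows guest over the VMBus, parses the result, and reports the license status and activation channel per VM. It assumes the guests are Windows Server 2016 or Windows 10 (the first releases that support PowerShell Direct); the credential prompt is a placeholder.

```powershell
# Added example, not from the book. From a Hyper-V host, check every running
# Windows guest's activation over PowerShell Direct. Nothing in the guest has to
# be reachable over the network, but you still need local administrator rights on
# the host and a valid guest credential. The credential prompt is a placeholder.
function Get-VmActivationState {
    param(
        [PSCredential]$GuestCredential = (Get-Credential -Message 'Guest administrator account'),
        [string[]]$VMName = (Get-VM | Where-Object State -eq 'Running').Name
    )
    foreach ($name in $VMName) {
        try {
            # Invoke-Command -VMName is PowerShell Direct: it goes over the VMBus,
            # not WinRM, so guest firewall and network settings do not matter.
            $text = (Invoke-Command -VMName $name -Credential $GuestCredential -ErrorAction Stop -ScriptBlock {
                # slmgr.vbs is a WSH script: run it under cscript so it prints to stdout
                # instead of opening a dialog box. /dlv = detailed license information.
                & "$env:SystemRoot\System32\cscript.exe" //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
            }) -join "`n"

            $channel = if ($text -match 'VIRTUAL[ _]MACHINE[ _]ACTIVATION') { 'AVMA' }
                       elseif ($text -match 'KMSCLIENT')                  { 'KMS' }
                       else                                               { 'Other' }
            [pscustomobject]@{
                VM       = $name
                Licensed = [bool]($text -match 'License Status:\s*Licensed')
                Channel  = $channel
                # AVMA leases last seven days and are renewed from the host; any
                # "expiration" line is captured so a stuck renewal stands out.
                Expiry   = ($text -split "`n" | Where-Object { $_ -match 'expir' }) -join '; '
            }
        } catch {
            # Typical causes: guest older than Windows Server 2016 / Windows 10 (no
            # PowerShell Direct), wrong credential, or the VM is not running.
            [pscustomobject]@{ VM = $name; Licensed = $null; Channel = "error: $($_.Exception.Message)"; Expiry = $null }
        }
    }
}

# Usage: Get-VmActivationState | Format-Table -AutoSize
# A guest that reports Channel 'AVMA' with Licensed $false points at the host:
# AVMA only works while the host itself holds a valid Datacenter activation.
```

The output of /dlv is text intended for humans, so the parsing matches on the distinctive channel strings rather than on line positions; if a future build changes the wording, the Channel column falls back to Other instead of silently misreporting.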



FIGURE 1-5 Activation scenarios

Skill 1.2: Install and configure Nano Server

Nano Server is a new installation option of Windows Server that is designed to be lightweight while providing a subset of the roles and services of a full installation. In this section, we discuss the requirements and scenarios in which you can use Nano Server. We also discuss how to install Nano Server, as well as the supported roles and features for Nano Server. Then we explain how to manage and configure a Nano Server installation.
This section covers how to:
■ Determine appropriate usage scenarios and requirements for Nano Server
■ Install Nano Server
■ Implement roles and features on Nano Server
■ Manage and configure Nano Server



Determine appropriate usage scenarios and requirements for Nano Server
Nano Server is a new installation option for the Windows Server family. Usage of Nano Server can include multiple scenarios:
■ Hyper-V hosts
■ Storage hosts for Scale-Out File Servers
■ DNS servers
■ IIS servers
■ Cloud application servers
Nano Server is supported as both a virtual machine and as a physical host. As of this writing, there are no specific hardware requirements for installing Nano Server. The smallest Nano Server configuration is approximately 450 MB with minimal packages and features selected. A VHD with IIS and OEM drivers is more than 500 MB.

Install Nano Server

To install Nano Server, you must first use the Nano Server Image Generator to create the Nano Server image that you use for installation. The image generator is located in the NanoServer folder of the Windows Server 2016 installation media. The steps in creating a Nano Server image are:
1. Copy the NanoServer folder from the installation media to your computer.
2. Using PowerShell, change directories to the copied folder and import the NanoServerImageGenerator module.
3. Run the New-NanoServerImage cmdlet to create the installation file.

Importing the PowerShell module is a relatively simple task, but can be troublesome if you use the PowerShell shortcuts. Ensure that you remove the trailing backslash when using tab completion to complete the module name. Figure 1-6 displays successfully importing the image generator PowerShell module.



FIGURE 1-6 Importing the Nano Server Image Generator

The New-NanoServerImage cmdlet has several parameters that are configured when running. For example:
■ Edition Specifies the edition type of the installation, and can be either Standard or Datacenter.
■ DeploymentType Specifies whether Nano Server runs as a virtual machine guest, or as a physical host. The accepted values are Guest or Host.
■ MediaPath Specifies the location of the installation media for Windows Server 2016. This can be a mounted ISO location, or a copied location.
■ BasePath This is the directory to which the packages and Windows image are copied.
■ TargetPath This is the path, filename, and extension where the Nano Server VHD, VHDX, or WIM file is created.
■ ComputerName This is the hostname of the Nano Server after installation has completed.
For example, to create a Standard Nano Server virtual machine named NanoSvr1 that is located in the current folder, run the following command:
New-NanoServerImage -Edition Standard -DeploymentType Guest -MediaPath D:\ -BasePath .\ -TargetPath .\NanoSvr1\NanoSvr.vhdx -ComputerName NanoSvr1

You can optionally include the AdministratorPassword parameter during the command, but the parameter takes a SecureString, so supplying it inline usually means converting a plaintext password on the command line, where it is visible to anyone reading the screen and is kept in the console history. Omitting the parameter causes PowerShell to prompt you for the Administrator account password. Figure 1-7 shows running the command successfully, specifying the password separately.

FIGURE 1-7 New-NanoServerImage

Once you have created the image type that you'd like to use, you can mount that image through Hyper-V, or install it on a physical server. For physical servers, it is recommended that you also include the OEMDrivers parameter. After the Nano Server image has been generated, this process is not any different than a normal VM or installation.

Implement roles and features on Nano Server

The roles and features for Nano Server can be specified during the image creation to include these packages within the image. The packages that are built into the base server image can be included with Nano Server. Simply specify the parameter during the image creation. Some of the parameters that can be specified include:
■ Storage This includes the file server role and other storage components.
■ Compute This includes the Hyper-V server role.
■ Defender This includes Windows Defender, with a default signature file.
■ Clustering This includes the Failover Clustering server role.
After a Nano Server has been installed, you can manage the server roles and features by using the PackageManagement provider. To install the provider, run the Install-PackageProvider NanoServerPackage command. You can then import the provider by running the Import-PackageProvider NanoServerPackage command.
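The following script is an added example, not from the book, covering both the image build described under "Install Nano Server" and the role packages described in this section. It builds a Datacenter host image that carries the Hyper-V, storage and Defender packages, joins it to a domain offline with a djoin blob so no domain credential goes into the build, opens the WinRM port in the image's firewall, and then adds a role package to the finished VHDX and inventories packages on the running host through the NanoServerPackage provider. It assumes the Windows Server 2016 RTM NanoServerImageGenerator module and the cmdlets the NanoServerPackage provider registers (Find-NanoServerPackage, Install-NanoServerPackage); paths, names and the domain are constructed placeholders.

```powershell
# Added example, not from the book. Builds a Nano Server host image carrying the
# Hyper-V, storage and Defender packages, joined to a domain offline, with WinRM
# open; then adds a role package to the finished VHDX through the NanoServerPackage
# provider. Paths, names and the domain are placeholders; the parameter set is the
# Windows Server 2016 RTM NanoServerImageGenerator.
Import-Module .\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psd1

# Offline domain join: pre-create the account on a domain-joined machine and hand
# the resulting blob to the image, so no domain credential is used in the build:
#   djoin.exe /provision /domain corp.example.com /machine NANOHV01 /savefile .\NANOHV01.djoin

$image = @{
    Edition        = 'Datacenter'
    DeploymentType = 'Host'              # physical host: OEM drivers are included below
    MediaPath      = 'D:\'
    BasePath       = '.\NanoBase'
    TargetPath     = '.\NanoHV01\NanoHV01.vhdx'
    ComputerName   = 'NANOHV01'
    Compute        = $true               # Hyper-V role
    Storage        = $true               # File Server role and storage components
    Defender       = $true               # Windows Defender with default signatures
    OEMDrivers     = $true
    DomainBlobPath = '.\NANOHV01.djoin'
    EnableRemoteManagementPort = $true   # opens WinRM in the image's firewall
}
# -AdministratorPassword is deliberately left out: the cmdlet prompts for it, which
# keeps the password off the command line and out of the console history.
New-NanoServerImage @image

# Add a role that was not baked in, while the VHDX is still offline. Fetching the
# provider needs Internet access to the PowerShell Gallery from this admin machine.
Install-PackageProvider -Name NanoServerPackage -Force | Out-Null
Import-PackageProvider  -Name NanoServerPackage
Find-NanoServerPackage -Name 'Microsoft-NanoServer-DNS-Package'   # confirm it exists for this build
Install-NanoServerPackage -Name 'Microsoft-NanoServer-DNS-Package' -Culture 'en-us' `
                          -ToVhd '.\NanoHV01\NanoHV01.vhdx'

# Once the host is up, the same provider works inside a remoting session (Nano has
# no local console for this). Kerberos applies because the image was domain-joined.
Invoke-Command -ComputerName 'NANOHV01.corp.example.com' -ScriptBlock {
    Install-PackageProvider -Name NanoServerPackage -Force | Out-Null
    Import-PackageProvider  -Name NanoServerPackage
    Get-Package -ProviderName NanoServerPackage      # inventory what is installed
}
```

Splatting the parameters into a hashtable keeps the build reproducible and reviewable: the same hashtable can be stored with the image so that what a host was built with is known later, which is the question the feature baseline and DSC checks earlier in this chapter are also answering.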



Manage and configure Nano Server
After installing and signing into Nano Server, there are limited options for configuring the server directly from the console. The available information from the console includes:
■ Computer name
■ Workgroup or domain
■ Operating system version
■ Local date, time, and time zone
■ Network configuration
Figure 1-8 displays the local console of a Nano Server installation.

FIGURE 1-8 Nano Server Recovery Console

The basic networking information for the Nano Server machine can be configured through the Networking screen of the Recovery Console. You can configure the desired network adapter from the screen, and then configure the desired network settings. Both IPv4 and IPv6 can be configured from the recovery console. Figure 1-9 displays the networking configuration of a Nano Server through the Recovery Console.



FIGURE 1-9 Nano Server Network Adapter Settings

The firewall settings must be configured to enable remote management. Remote Management Firewall Settings can be found in the Inbound Firewall Rules screen of the Recovery Console. For additional security, you can also configure outbound firewall rules.
The WinRM screen of the recovery console enables you to reset the firewall and remote management settings for the server back to default. This is useful if you can no longer access the server remotely, but are unaware of any network changes that might be preventing you from connecting.

Skill 1.3: Create, manage, and maintain images for deployment
You can use images to standardize deployments across physical or virtual machines. In this section, we discuss planning for Windows Server virtualization, as well as best practices for Linux and FreeBSD VM deployments. We also explain how to use the Microsoft Assessment and Planning Toolkit to assess an existing environment for upgrading or migrating to a Windows Server 2016 environment. Then we explore other considerations for virtualization,



Virtual Host ID for high availability. If a host or VM fails, then another active VM can transparently take over the services that were being provided.
■ Add UUIDs For all devices that are listed in fstab, ensure that the appropriate UUIDs are configured. When Hyper-V storage integration services are installed on a VM, some devices' UUIDs might change, and the entry in fstab will no longer be valid.
■ Disable Fast IDE drivers The Fast IDE driver conflicts with the Hyper-V IDE driver, and can result in the virtual CD-ROM being unavailable. Disabling Fast IDE enables the use of the virtual CD-ROM.
■ Create GEOM labels When using FreeBSD 8.x, device nodes are created as discovered during the startup. Device labels can change during this process, which might result in disk mount errors. By creating permanent labels for each IDE partition, you avoid mounting errors.
There are also best practices for using Linux on Hyper-V, including:
■ Tuning file systems Some Linux file systems use additional disk space, even if the file system is mostly empty. You can reduce the amount of extra space consumption by using a 1 MB block size, and formatting the virtual disk as ext4.
■ Extend boot timeout Using the Grub boot menu on a Generation 2 virtual machine might cause the countdown timer to end quickly. The default timeout value is set to 5, but is recommended to be set to 100000 for Generation 2 virtual machines.
■ PXE Boot Generation 2 VMs do not have a PIT timer, and network connections to a PXE TFTP server can be terminated early, preventing the network boot loader from starting. A legacy grub boot loader can be specified to mitigate the timeout issue.
■ Static MAC addresses Linux virtual machines that are being used in a failover cluster should have static MAC addresses defined. In some versions of Linux, the network configuration details can be lost after a failover. To ensure that all services perform as expected, define a static MAC address.
■ Network adapters It is recommended that you use the Hyper-V specific network adapters, and not a legacy network adapter. Legacy network adapters might display random values for parameters in ifconfig.
■ I/O Scheduler For optimized disk I/O performance, use the NOOP I/O scheduler for Linux VMs. This can be changed in the boot loader configuration parameters.
■ NUMA For Linux VMs that have more than 7 virtual processors or 30 GB of RAM, it is recommended that you disable NUMA in the boot loader configuration.

Assess virtualization workloads using the Microsoft Assessment and Planning Toolkit, determine considerations for deploying workloads into virtualized environments
One tool that is available to assess and plan for a migration—whether it is physical or virtual—is the Microsoft Assessment and Planning (MAP) Toolkit. MAP is classified as a solution accelerator that takes an inventory of your organization's existing infrastructure. Based on the discovered information, MAP provides an assessment and report that you can use for upgrades, migrations, and virtualization workloads. MAP is available for several Microsoft products:
■ Windows Server 2016
■ Windows Server 2012 R2
■ Windows 10
■ Windows 8.1
■ SQL Server 2014
■ Hyper-V
Some of the general tasks that you can use MAP to perform include:
■ Inventory Discover devices on the network and generate a detailed report of the servers that can run Windows Server 2016.
■ Reporting Generate a report or proposal using the Windows Server 2016 Readiness Assessment. The proposal generates an Executive Overview, Assessment Rules, Next Steps, and a summary of overall readiness for Windows Server 2016.
■ Performance metrics Use MAP to capture the performance of the current infrastructure to ensure that the workloads are acceptable for Windows Server 2016.
■ Utilization Estimate server utilization before and after virtualization of workloads. You can also determine which physical hosts are specifically suited to become a VM.
Figure 1-11 shows the MAP Toolkit on the server virtualization overview screen.



Chapter summary
One of the main features of Windows Server 2016 is the ability to deploy a server without a GUI, as Nano Server. Nano Server provides most of the core server roles and features that a full graphical installation offers, with a much smaller footprint and less attack surface. In this chapter, we discussed:
■ Available editions for Windows Server 2016, that include Standard, Datacenter and Nano Server
■ Installation options for Windows Server 2016, including the default Server Core or with the Desktop Experience
■ Server Core installation and remote management options
■ The three primary activation models, including AVMA, KMS, and AD-based activation
■ How to generate and use a Nano Server image
■ Adding server roles and features to a Nano Server image
■ Using DISM to maintain online and offline images

Thought Experiment
You are a consultant for a small healthcare provider, which has two offices and about 75 employees. You plan to deploy two new servers to support the following roles:
■ Active Directory Domain Services (AD DS)
■ DNS
■ DHCP
■ Internet Information Services (IIS)
You need to minimize the amount of resources that the servers consume. Which version, edition, and activation method of Windows Server 2016 would you choose?



Thought Experiment Answer
Based on the scenario that is provided, we can deploy one server with a GUI that has the management tools installed, as well as the graphical server roles that are necessary. For the second server, you can use Nano Server to minimize the number of server resources that are needed. Any service or application that the customer has that cannot run on the Nano Server could be installed on the full installation.
There is no additional information in the scenario that would require using the Datacenter edition of Windows Server 2016. However, based on the number of employees, KMS or AD-based activation could be a valid activation type for the server, as well as any future deployment plans. The scenario does not say that the customer is running Hyper-V, so AVMA is not an option. The deciding factor would be if the customer needs to activate computers that are not members of the domain. If so, they should use KMS over AD-based activation.

Configure storage pools
Storage pools enable you to group physical disks together for more efficient use of capacity and, in some cases, to increase performance. You can create a storage pool with either Server Manager, or Windows PowerShell. The steps through Server Manager are fairly simple:
1. From Server Manager, navigate to File and Storage Services, and then click Storage Pools.
2. Click Tasks, and then click New Storage Pool.
3. Click Next to bypass the Before You Begin page.
4. On the Storage Pool Name page, shown in Figure 2-1, enter a name for the pool. Ensure that the group of disks that are available to the server are selected.

FIGURE 2-1 New Storage Pool Wizard, Storage Pool Name

5. On the Physical Disk page, select the individual disks that make up the pool. Figure 2-2 shows three disks available. Select what you need to allocate to the pool, and then click Next.



FIGURE 2-2 New Storage Pool Wizard, Physical Disks

6. After selecting the disks, you'll be prompted to review the information on the Confirmation page. Click Create to confirm the details of the storage pool. The summary is shown in Figure 2-3.

FIGURE 2-3 New Storage Pool Wizard, Confirmation



Using PowerShell to create the storage pool is slightly more complicated, only because you need to identify the physical disks that are available for the pool. First, to identify those disks, run the following command:
Get-PhysicalDisk -CanPool $True

This returns the available disks to pool. To make the disks easier to pass to the New-StoragePool cmdlet, set the disks to a variable. Then you can create a pool by using the following commands:
$Disks = Get-PhysicalDisk -CanPool $True

New-StoragePool -FriendlyName "Pool1" -StorageSubSystemFriendlyName "SubSystemName" -PhysicalDisks $Disks

The results of the commands are shown in Figure 2-4.

FIGURE 2-4 Creating a storage pool with PowerShell

Implement simple, mirror, and parity storage layout options for disks or enclosures
After a storage pool has been configured, you need to create a virtual disk that uses the pool. Virtual disks enable you to create resilient storage by using the disks in the storage pool. There are three types of resiliency layouts:
■ Simple Data is striped across the physical disks, enabling you to maximize capacity and throughput. However, a single disk failure causes the pool to be unavailable.
■ Mirror Data is striped across physical disks, creating two or three copies of the same data. This increases the reliability of the data, ensuring that you can withstand a single (or multiple) disk failure without losing access to the data or the pool. However, storage capacity is diminished because the additional physical drives are being used for redundancy instead of capacity.
■ To protect against a single disk failure, use at least two physical disks in the pool.
■ To protect against two disk failures, use at least five disks in the pool.
■ Parity Data and a parity bit is striped across the physical disks, increasing both reliability and storage capacity. Storage capacity is not maximized because of the parity data that must also be written, but protects against disk failures.



■ To protect against a single disk failure, use at least three disks.
■ To protect against two disk failures, use at least seven disks.
Figure 2-5 shows selecting the storage layout from the New Virtual Disk Wizard.

FIGURE 2-5 New Virtual Disk Wizard, Storage Layout

The virtual disk also enables you to select the provisioning type:
■ Thin Volumes on the virtual disk only use space as data is being written, up to the maximum size of the volume.
■ Fixed The volume allocates space from the storage pool immediately, regardless of any actual data written. This ensures that you do not oversubscribe capacity from the pool.
Creating a virtual disk using PowerShell is also straightforward. The New-VirtualDisk cmdlet is used to create the virtual disk. For example, to create a thinly-provisioned disk named vDisk2 using parity that is 50 GB, run the following command:
New-VirtualDisk -StoragePoolFriendlyName Pool1 -FriendlyName vDisk2 -ResiliencySettingName Parity -Size 50GB -ProvisioningType Thin

An alternate step to creating a virtual disk is to create a volume. In addition to the settings that you can configure for a virtual disk, a volume is what is actually presented to the server and used by the operating system, accessed by a drive letter. To create a volume in the GUI,
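The whole PowerShell path from pool to usable volume, as an added example that is not the book's own code. It ties the pool, virtual disk and volume steps together and checks the poolable disk count against the minimum disk counts the text gives for each layout before anything is created. The pool name Pool1, the disk name vDisk2 and the 50 GB parity disk match the examples above; the drive letter V, the volume label and the 1-failure minimums are assumptions taken from the text's own rules.

```powershell
# Added example, not from the book: pool -> resilient virtual disk -> NTFS volume.
$PoolName = "Pool1"
$Layout   = "Parity"                      # Simple | Mirror | Parity
$Disks    = Get-PhysicalDisk -CanPool $True

# Minimum disks to survive one disk failure, as stated in the text (Simple survives none)
$MinDisks = @{ Simple = 1; Mirror = 2; Parity = 3 }
if (@($Disks).Count -lt $MinDisks[$Layout]) {
    throw "$Layout needs at least $($MinDisks[$Layout]) poolable disks; found $(@($Disks).Count)"
}

# The subsystem friendly name is host specific ("Windows Storage on <host>"), so look it up
$SubSystem = Get-StorageSubSystem | Where-Object FriendlyName -like "Windows Storage*"

New-StoragePool -FriendlyName $PoolName `
    -StorageSubSystemFriendlyName $SubSystem.FriendlyName `
    -PhysicalDisks $Disks | Out-Null

# Thin-provisioned parity virtual disk, the same shape as the New-VirtualDisk example above
$VDisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName "vDisk2" `
    -ResiliencySettingName $Layout -Size 50GB -ProvisioningType Thin

# Present it to the OS: initialise, one partition using all space, format as NTFS
$Disk = $VDisk | Get-Disk
Initialize-Disk -Number $Disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $Disk.Number -UseMaximumSize -DriveLetter V |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data" -Confirm:$false | Out-Null

# Verify layout, health and the resulting volume
Get-VirtualDisk -FriendlyName "vDisk2" |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType, HealthStatus
Get-Volume -DriveLetter V | Select-Object DriveLetter, FileSystemLabel, Size, SizeRemaining
```

Because the virtual disk is thin, the 50 GB is a ceiling rather than a reservation; watch the pool's free space over time, since a thin disk that fills a pool takes every other thin disk in that pool offline with it.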



Configure iSCSI target and initiator
Configuring an iSCSI target or initiator hasn't changed much since Windows Server 2012 R2. And configuring an iSCSI target server enables you to network boot computers from a single boot image that has been provided to the network from a central location. You can use iSCSI targets with Windows Server 2016 to boot hundreds of computers from a single operating system image.
Installing the iSCSI Target Server server role can be performed from both Server Manager and PowerShell. iSCSI Target Server is a part of the File and Storage Services storage role. Installing the server role also installs the management features that are used to configure the server role. After installing the role, you can configure iSCSI virtual disks:
1. To create a new iSCSI virtual disk, launch the wizard from Server Manager. The first screen of the wizard configures where to store the virtual disk. Ensure that the server is selected, select the volume or path of the storage, then click Next. Figure 2-7 shows the C volume selected for Adatum-DC1.

FIGURE 2-7 iSCSI virtual disk location

2. On the iSCSI Virtual Disk Size page, enter a size for the virtual disk. You can also configure whether the disk is fixed, dynamically expanding, or differencing. As shown in Figure 2-8, the default disk type is set to Dynamically Expanding. Click Next to continue the wizard.

FIGURE 2-8 iSCSI virtual disk size

3. On the iSCSI Target page, select either an existing target or a new target, and then click Next.
4. On the Target Name And Access page, enter a name for the target and then click Next.
5. On the Access Servers page, click Add to specify the iSCSI initiators that access the new virtual disk. Figure 2-9 shows adding the iSCSI initiator.



FIGURE 2-9 iSCSI virtual disk size

6. On the Enable Authentication page, select whether you want to Enable CHAP or Enable Reverse CHAP for authentication. These are optional protocols to authenticate the initiator connections or target. Figure 2-10 shows the available options to configure CHAP and Reverse CHAP.

FIGURE 2-10 iSCSI authentication method



7. Click Create to create the virtual disk using the settings that you specified during the wizard.
As with other virtual disks, you can also create an iSCSI virtual disk by using PowerShell with the New-IscsiVirtualDisk cmdlet. For example, to create a 10GB disk, run the following command:

New-IscsiVirtualDisk -Path "C:\temp\test.vhdx" -Size 10GB
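The wizard steps 3 through 7 done in PowerShell, as an added example rather than the book's code: it creates the target with an explicit initiator allow-list, creates and maps the virtual disk, and turns on CHAP so that knowing the target name alone is not enough to attach the LUN. The target name, disk path, initiator IQN and CHAP user name are assumptions; the cmdlets and parameters are those of the iSCSI Target Server module.

```powershell
# Added example, not from the book: iSCSI target with initiator restriction and CHAP.
$TargetName  = "Target1"
$InitiatorId = "IQN:iqn.1991-05.com.microsoft:client1.adatum.com"   # assumed initiator IQN
$DiskPath    = "C:\iSCSIVirtualDisks\test.vhdx"                      # assumed path

# 1. The target is the access-control boundary: only listed initiators may connect
New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $InitiatorId | Out-Null

# 2. Create the backing virtual disk (-UseFixed preallocates; omit it for dynamically expanding)
New-IscsiVirtualDisk -Path $DiskPath -SizeBytes 10GB -UseFixed | Out-Null

# 3. Map the disk to the target so the initiator sees it as a LUN
Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $DiskPath

# 4. Require CHAP. The credential's user name is the CHAP name and its password the
#    secret, which the target requires to be 12 to 16 characters. Prompt for it rather
#    than leaving a secret in the script.
$Chap = Get-Credential -UserName "chapuser" -Message "CHAP secret (12-16 characters)"
Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $Chap

# Verify: status, allowed initiators and that CHAP is enforced
Get-IscsiServerTarget -TargetName $TargetName |
    Select-Object TargetName, Status, InitiatorIds, EnableChap, EnableReverseChap
```

CHAP authenticates the initiator to the target only; add -EnableReverseChap $true with a second credential (-ReverseChap) when the initiator must also verify that it is talking to the genuine target, and note that CHAP does not encrypt the data path, so the storage network itself still needs to be isolated.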

Configure iSNS

The Internet Storage Name Service (iSNS) is a protocol, which can be added to a Windows Server installation, and used to communicate between iSNS servers and clients. iSNS clients are computers, or initiators, that search for storage devices, or targets, on a network. iSNS provides automated discovery, management, and configuration of iSCSI and Fibre Channel devices on a network. Figure 2-11 shows the iSNS Server properties page.

FIGURE 2-11 iSNS Server Properties

By default, when you create an iSNS Server, there are no iSCSI targets listed even if they have been configured already. To ensure that the configured iSCSI targets also appear in the iSNS Server, the iSNS Server must be added to the iSCSI Initiator properties, as shown in Figure 2-12.



FIGURE 2-12 iSCSI Initiator Properties

In the iSNS properties, you can then see the connected devices, and whether they are an initiator or target. iSNS does not have any specific PowerShell cmdlets, but can be configured from the command-line by using the isnscli.exe utility.

Configure Datacenter Bridging

Datacenter Bridging (DCB) enhances the Ethernet connectivity between servers on a network. DCB requires DCB-capable network adapters on servers that are providing DCB, as well as DCB-capable network switches that the servers connect to. DCB can be installed by using the Install-WindowsFeature cmdlet:

Install-WindowsFeature "data-center-bridging"

After installing the DCB feature, you can manage DCB on a server by importing three different PowerShell modules:

Import-Module netqos
Import-Module dcbqos
Import-Module netadapter
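What you do with those three modules once they are loaded, as an added example that is not the book's code: a DCB policy that classifies SMB Direct traffic into one 802.1p priority, makes that priority lossless, reserves bandwidth for it, and pins the settings locally so the switch cannot override them through DCBX. The adapter name NIC1, priority 3 and the 50 percent reservation are assumptions; the switch ports must be configured with matching PFC and ETS values or the policy has no effect end to end.

```powershell
# Added example, not from the book: a DCB/QoS policy for SMB Direct on one adapter.
Import-Module netqos, dcbqos, netadapter
$Adapter = "NIC1"                                   # assumed adapter name

# Classify SMB Direct (TCP/RDMA port 445) into 802.1p priority 3
New-NetQosPolicy -Name "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3

# Priority flow control: lossless for priority 3 only, off for everything else
Enable-NetQosFlowControl  -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# Enhanced Transmission Selection: guarantee half the link to priority 3
New-NetQosTrafficClass -Name "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

# Not "willing": keep the locally defined settings instead of accepting whatever the
# switch advertises via DCBX, so a misconfigured or untrusted switch cannot rewrite them
Set-NetQosDcbxSetting -Willing $false -Confirm:$false

# Apply DCB on the adapter, then read back what is actually in effect
Enable-NetAdapterQos -Name $Adapter
Get-NetAdapterQos -Name $Adapter
Get-NetQosFlowControl
Get-NetQosTrafficClass
```

Get-NetAdapterQos is the check that matters: it shows the operational (negotiated) values next to the configured ones, so a mismatch with the switch is visible immediately rather than surfacing later as storage timeouts.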



To enable MPIO for Nano Server, run the following command:
Enable-WindowsOptionalFeature -Online -FeatureName MultiPathIO

When MPIO is installed on a Nano Server, the disks that are presented are listed as duplicates, with a single disk being available through each path. MPIO must be configured to claim and manage the disks to ensure that only one path is used. A script has been provided by Microsoft to claim and manage the disks, and can be found at https://technet.microsoft.com/en-us/windows-server-docs/compute/nano-server/mpio-on-nano-server.

Determine usage scenarios for Storage Replica

Storage Replica is a new function available with Windows Server 2016 that provides disaster-recovery capabilities. Storage Replica enables you to efficiently use many datacenters by stretching or replicating clusters. If one datacenter goes offline, the workload can be moved to another. Some scenarios where Storage Replica can be used include:
■ Stretch Cluster Enables the configuration of computers and storage as part of a single cluster. In this scenario, some nodes share one set of asymmetric storage, and other nodes share another set, then replicate the data with site awareness. The storage for this scenario can be JBOD, SAN, or iSCSI-attached disks. A stretch cluster can be managed by using Windows PowerShell and the Failover Cluster Manager tool, and can be configured for automated failover. Figure 2-13 illustrates using Storage Replica in a Stretch Cluster.

FIGURE 2-13 Stretch Cluster

■ Cluster-to-Cluster Enables replication between two completely separate clusters, where one cluster copies the data to another cluster. This scenario can also use Storage Spaces on JBOD, SAN, or iSCSI-attached disks as the backend storage. A cluster-to-



Implement and configure deduplication
Data deduplication is another server role that can be installed through the Add Roles and Features Wizard, or by using the Install-WindowsFeature cmdlet. The Data Deduplication server role also requires the File Server server role to be installed. Once installed, deduplication can be enabled on specific volumes by running the Enable-DedupVolume cmdlet. For example, to enable deduplication on the E drive, and begin an optimization job on that volume, run these commands:

Import-Module Deduplication

Enable-DedupVolume E: -UsageType Default -DataAccess

Start-DedupJob -Volume E: -Type Optimization

The DataAccess parameter indicates that data access will be enabled as part of the deduplicated volume. There are three possible options for the UsageType parameter when enabling deduplication:
■ Default This indicates a general purpose volume as the expected workload for the underlying disk.
■ Hyper-V This indicates that the volume stores VHDs for a Hyper-V server.
■ Backup This indicates that the volume is optimized for virtualized backup servers.
There are four types of deduplication jobs that run periodically, or can be run manually:
■ Optimization This manually starts the process of optimizing the volume for deduplication, and ensures that duplicated data does not consume additional storage.
■ GarbageCollection Garbage collection ensures that deleted or modified data is removed from the reference table.
■ Scrubbing This starts the data integrity scrubbing on the deduplicated volume.
■ Unoptimization This removes the deduplication on a specific volume.

Determine appropriate usage scenarios for deduplication

Typical scenarios for deduplication are file shares that have user documents, software deployment images, or VHD files. These scenarios often generate a large savings of storage space by using deduplication. Table 2-2 shows some common deduplication scenarios.



TABLE 2-2 Deduplication scenarios

Scenario                  Content                        Typical savings
User documents            Documents and photos           30-50 percent
Deployment shares         Software binaries and images   70-80 percent
Virtualization libraries  VHDs                           80-95 percent
General file share        All of the above               50-60 percent

After you have installed the data deduplication feature, you can also use the Deduplication Savings Evaluation Tool. The following output is an example of the ddpeval.exe tool:
Data Deduplication Savings Evaluation Tool
Copyright 2011-2012 Microsoft Corporation. All Rights Reserved.

Evaluated folder: E:
Processed files: 128
Processed files size: 120.03MB
Optimized files size: 40.02MB
Space savings: 80.01MB
Space savings percent: 66
Optimized files size (no compression): 11.47MB
Space savings (no compression): 571.53KB
Space savings percent (no compression): 40
Files with duplication: 20
Files excluded by policy: 20
Files excluded by error: 0

Based on the percentage returned by the tool, you can decide whether to implement data deduplication in the environment. With Windows Server 2016, data deduplication introduces the following changes:
■ Increased volume sizes NTFS volumes up to 64 TB can have deduplication enabled. This has been enhanced by increasing the number of threads working in parallel for individual volumes.
■ Increased file sizes Individual files up to 1 TB can efficiently be deduplicated on a storage volume.
■ Nano Server support Deduplication is fully supported on volumes that are presented to a Nano Server installation.

Monitor deduplication
The built-in deduplication jobs support weekly scheduling for optimization, garbage collection, and scrubbing. Additionally, jobs can be configured by using the Windows Task Scheduler. Remember that the garbage collector reclaims space by removing data that is no longer being used. The default weekly schedule can be viewed by running the Get-DedupSchedule cmdlet:
Get-DedupSchedule

The following output is returned:

Enabled Type              StartTime Days     Name
------- ----              --------- ----     ----
True    Optimization                         BackgroundOptimization
True    GarbageCollection 2:45 AM   Saturday WeeklyGarbageCollection
True    Scrubbing         3:45 AM   Saturday WeeklyScrubbing

The Get-DedupStatus cmdlet can be used to see the overall status of a server:
Get-DedupStatus

The following output is returned:

FreeSpace SavedSpace OptimizedFiles InPolicyFiles Volume
--------- ---------- -------------- ------------- ------
140.26 GB 265.94 GB  36124          36125         E:
76.26 GB  42.19 GB   43017          43017         F:

To force a refresh of the deduplication service and require it to rescan the available volumes, use the Update-DedupStatus cmdlet.
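Turning the Get-DedupStatus and Get-DedupSchedule output above into something a monitoring job can act on, as an added example (not the book's code): it refreshes the status, reports savings per volume, flags volumes whose last optimization is older than a threshold or whose savings fall below one, and then adds a nightly garbage-collection schedule instead of relying only on the Saturday default. The 20 percent and 7-day thresholds, the 02:00 start and the 4-hour duration are assumptions.

```powershell
# Added example, not from the book: dedup health report plus an extra GC schedule.
Import-Module Deduplication

function Get-DedupReport {
    param(
        [int]$MinSavingsPercent     = 20,   # assumed: below this, dedup is not paying off
        [int]$MaxOptimizationAgeDays = 7    # assumed: older than this means jobs are not running
    )
    Update-DedupStatus | Out-Null           # rescan volumes before reporting
    foreach ($s in Get-DedupStatus) {
        $last  = $s.LastOptimizationTime
        $stale = (-not $last) -or ($last -lt (Get-Date).AddDays(-$MaxOptimizationAgeDays))
        [pscustomobject]@{
            Volume         = $s.Volume
            SavedGB        = [math]::Round($s.SavedSpace / 1GB, 2)
            FreeGB         = [math]::Round($s.FreeSpace / 1GB, 2)
            SavingsPercent = $s.SavingsRate
            LastOptimized  = $last
            LastOptResult  = $s.LastOptimizationResultMessage
            Stale          = $stale
            LowSavings     = ($s.SavingsRate -lt $MinSavingsPercent)
        }
    }
}

# Report, and list anything that needs attention
$report = Get-DedupReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Stale -or $_.LowSavings } |
    ForEach-Object { Write-Warning "Check dedup on $($_.Volume): stale=$($_.Stale) lowSavings=$($_.LowSavings)" }

# Reclaim space every night rather than once a week; keep the built-in Saturday jobs
New-DedupSchedule -Name "NightlyGarbageCollection" -Type GarbageCollection `
    -Start (Get-Date "02:00") -DurationHours 4 `
    -Days Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday | Out-Null
Get-DedupSchedule | Where-Object Type -eq GarbageCollection |
    Select-Object Name, Enabled, StartTime, Days, DurationHours
```

A stale LastOptimizationTime with a non-empty LastOptResult message is the usual first sign that a job is failing rather than merely not scheduled; Get-DedupJob shows what is currently queued or running.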



Thought Experiment
A company has two datacenters in two different geographic regions. Servers have direct-attached disks that are configured as JBOD. Each direct-attached storage system has a mixture of HDDs and SSDs. The JBOD storage must maximize the storage capacity presented to the server. Servers in each datacenter are members of a failover cluster. The failover cluster is limited to a single datacenter. A group of servers used for marketing contain a file share with marketing documents and photos. Another group of servers use local storage for Hyper-V VHDs.
Using this information, answer the following questions:
1. What type of storage pool should the JBOD storage systems use?
2. Would tiered storage increase the performance of the JBOD array?
3. Which storage replica scenario works best for this company?
4. Would the Marketing servers benefit from using data deduplication?
5. Would the Hyper-V servers benefit from using data deduplication?

Thought Experiment Answers

1. The JBOD storage system should use a parity pool to maximize the amount of storage that is presented to the server.
2. Yes, tiered storage would ensure that data that is frequently accessed is stored on the SSDs, while data that is not accessed frequently is stored on the HDDs.
3. Because the failover clusters are limited to a single datacenter, a cluster-to-cluster storage replica scenario is the best fit for this environment. A stretch cluster is not feasible because they are not members of the same cluster. This also eliminates individual server-to-server storage replicas.
4. Yes, documents and photos are a viable storage type for data deduplication.
5. Yes, Hyper-V machines with VHDs are a viable storage type for data deduplication.

Determine hardware and compatibility requirements for installing Hyper-V
In addition to the system requirements that we discussed in Chapter 1 for Windows Server 2016, the Hyper-V role also has additional hardware requirements. Hyper-V requires a 64-bit processor that uses second-level address translation (SLAT). The virtualization components of Hyper-V will not be installed if the processor does not support SLAT. Note that this is strictly for the virtualization components. The Hyper-V Manager, PowerShell cmdlets, and management tools can be used without SLAT.
You should also ensure that the Hyper-V host has enough memory to support both the Hyper-V OS itself, as well as the virtual machines. As a minimal configuration with the host OS and one VM, you should plan for at least 4 GB of RAM.
Windows Server 2016 also introduces Shielded virtual machines. These VMs rely on virtualization-based security. The Hyper-V host must support UEFI 2.3.1c or later. This is for secure, measured boot. To support optional features, the Hyper-V host should also have a TPM v2.0, and IOMMU so that the host can provide direct memory access protection.

Install Hyper-V
The process for installing Hyper-V has not changed much since Windows Server 2008 and Windows Server 2012. Hyper-V is a server role that can be installed by using the Add Roles and Features Wizard from Server Manager, or by using Windows PowerShell:
Install-WindowsFeature -Name Hyper-V -ComputerName Server1 -IncludeManagementTools -Restart

Install management tools

If you only need to install the management tools, this can also be performed by using the Add Roles and Features Wizard from Server Manager, or by using Windows PowerShell. However, there are a few different options when installing only the management tools.
When using Server Manager, the option for installing the management tools is actually part of the Remote Server Administration Tools (RSAT), not Hyper-V. Expanding RSAT shows management tools that can be installed, including tools for Hyper-V.



FIGURE 3-1 Add Roles and Features Wizard

Figure 3-1 shows the two components of installing Hyper-V, which are:
■ Hyper-V GUI Management Tools This is the Hyper-V Manager and Virtual Machine Connect to manage and view virtual machines.
■ Hyper-V Module for Windows PowerShell These are the PowerShell cmdlets that can be used to manage Hyper-V.
When using PowerShell to install the management features, there are a few different options:
■ Microsoft-Hyper-V-All This installs Hyper-V itself as well as all of the management tools.
■ Microsoft-Hyper-V-Tools-All This installs all of the management tools, including the manager, Virtual Machine Connect, and PowerShell module.
■ Microsoft-Hyper-V-Management-Clients This installs only the GUI manager and Virtual Machine Connect.
■ Microsoft-Hyper-V-Management-PowerShell This installs only the PowerShell module for Hyper-V.
To use PowerShell to install the management tools, use the following command:
Enable-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Tools-All' -Online



Upgrade from existing versions of Hyper-V
This could mean upgrading the operating system, or upgrading the virtual machine version in Hyper-V. Upgrading the operating system is a separate task that doesn't specifically involve Hyper-V. The only consideration from a Hyper-V perspective is the VMs. You have the option of shutting them down temporarily while the upgrade is performed, or migrating them to a different host.
Certain operating systems only support specific versions of virtual machines. Table 3-1 lists the supported VM versions for each operating system.

TABLE 3-1 Supported VM versions

Hyper-V host operating system          Supported VM version number
Windows 8.1                            5.0
Windows Server 2012 R2                 5.0
Windows 10 builds earlier than 10565   5.0, 6.2
Windows 10 build 10565 and later       5.0, 6.2, 7.0, 7.1, 8.0
Windows Server 2016                    5.0, 6.2, 7.0, 7.1, 8.0

Each configuration represents the VM configuration file, saved state, and snapshots that are associated with the VM on the host. By using a newer virtual machine configuration, you also ensure that the virtual machine supports the latest features. Table 3-2 shows features that are only supported in specific VM configuration versions.

TABLE 3-2 Version specific features

Feature                                  Minimum VM version
Hot Add/Remove memory                    6.2
Secure Boot for Linux VMs                6.2
Production Checkpoints                   6.2
PowerShell Direct                        6.2
Virtual Machine Grouping                 6.2
Virtual Trusted Platform Module (vTPM)   7.0
Virtual machine multi queues (VMMQ)      7.1
Nested virtualization                    8.0
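The version tables above are what a host-side inventory script compares against. As an added example (not the book's code), the function below reads the highest configuration version the host supports, lists every VM with its current version and whether it can be upgraded, and only when -Apply is given stops each upgradable VM and runs Update-VMVersion. Stopping the VM without further coordination is an assumption; in practice you would schedule that with the workload owner.

```powershell
# Added example, not from the book: report and (optionally) upgrade VM configuration versions.
function Get-VMVersionReport {
    param([switch]$Apply)   # without -Apply the function only reports

    # Highest version this host can run (Get-VMHostSupportedVersion lists all supported ones)
    $HostMax = (Get-VMHostSupportedVersion |
                Sort-Object { [version]$_.Version } | Select-Object -Last 1).Version

    foreach ($vm in Get-VM) {
        $upgradable = [version]$vm.Version -lt [version]$HostMax
        [pscustomobject]@{
            Name       = $vm.Name
            Version    = $vm.Version
            HostMax    = "$HostMax"
            State      = $vm.State
            Upgradable = $upgradable
        }
        if ($Apply -and $upgradable) {
            # The upgrade is one-way: the VM cannot move back to an older host afterwards
            if ($vm.State -ne 'Off') { Stop-VM -Name $vm.Name -Force }   # assumption: shutdown is acceptable
            Update-VMVersion -Name $vm.Name -Force
        }
    }
}

# Report only; add -Apply to perform the upgrade
Get-VMVersionReport | Format-Table -AutoSize
```

Leaving a VM at version 5.0 on a Windows Server 2016 host keeps it movable back to a 2012 R2 host, but also denies it every feature in Table 3-2, including Secure Boot for Linux and the vTPM needed for shielding; decide per VM which matters more.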



Delegate virtual machine management
The most simple and effective method of enabling others to manage Hyper-V and virtual machines is to add them to the Hyper-V Administrators local security group for each of the Hyper-V hosts to which you plan to delegate management. However, this might not be the most secure method because doing so gives the new administrators permissions to change virtual switch and host settings in addition to VMs.
To delegate access to individual VMs, you need to modify the Hyper-V Authorization Manager store. This enables you to create task and role definitions to which you can delegate access. The general steps to modifying the Hyper-V services authorization include:
1. Launch a Microsoft Management Console (MMC) session, and add the Authorization Manager to the console, as shown in Figure 3-2.

FIGURE 3-2 Add or Remove Snap-ins

2. Right-click the Authorization Manager, and then click Open Authorization Store.
3. In the Open Authorization Store window, ensure that XML File is selected. Click Browse. Navigate to %systemroot%\ProgramData\Microsoft\Windows\Hyper-V\ and select InitialStore.xml, as shown in Figure 3-3. Click OK.



FIGURE 3-3 Open Authorization Store

4. Expand Authorization Manager, InitialStore, Hyper-V services, Role Assignments. Note that by default, the only role assignment is an Administrator, as shown in Figure 3-4.

FIGURE 3-4 Authorization Manager Role Assignments

5. Expand Definitions, and then right-click Task Definitions. Click New Task Definition.
6. Name the task definition "VM Managers." In the notification prompt, click OK. In the Add Definition screen, click the Operations tab.
7. Select operations that you would want the VM Managers role to do. In this example, select all operations that are associated with a virtual machine, as shown in Figure 3-5, and then click OK twice.



FIGURE 3-5 Add Definition

8. Now that you have created a group of tasks, you can create the role that can use these tasks. Right-click Role Definitions, and then click New Role Definition.
9. Name the Role Definition, such as VM Managers Role, and then click Add. Click the Tasks tab, select VM Managers, and then click OK. There are now two role definitions, as shown in Figure 3-6.

FIGURE 3-6 Authorization Manager Role Definitions



10. Next, you can create the Role Assignment, which is what user accounts are linked to for the permissions. Right-click Role Assignments, and then click New Role Assignment. Select the VM Managers Role, and then click OK.
11. Right-click the new role assignment, select Assign Users and Groups, and then click From Windows and Active Directory. Select a user that you plan to delegate the permissions to, and then click OK. Figure 3-7 shows the final configuration, with the user Admin on a host named Host01 that can manage the tasks assigned as part of the VM Managers Role.

FIGURE 3-7 Authorization Manager Role Assignments

Perform remote management of Hyper-V hosts


Perform ng remote management w th n the same doma n s mp y requ res the perm ss ons or
de egat on d scussed n the prev ous sect on However, manag ng a Hyper-V server that s n a
workgroup s s ght y more comp cated
F rst, the Hyper-V server must have PowerShe remot ng enab ed Th s s eas y accom-
p shed by runn ng the Enab e-PSRemot ng cmd et Note that the network prov ded on the
server must be set to Pr vate Otherw se, you a so need to spec fy the -Sk pNetworkProfi eCh-
eck parameter
The second task on the Hyper-V host s to enab e the WSMan credent a ro e as a server To
do th s, run the fo ow ng command
Enable-WSManCredSSP -Role Server

The more complicated steps occur on the computer from which you plan to manage the Hyper-V host. First, you must trust the Hyper-V server from the remote client. If the Hyper-V host is named Host01, run the following command:
Set-Item "WSMan:\localhost\Client\TrustedHosts" -Value "Host01"

Adding a name to TrustedHosts tells WinRM to skip authenticating the identity of that server, so list only the specific host names you need rather than a wildcard. Set-Item replaces the existing list; add the -Concatenate parameter to append to it instead. The client must also enable the CredSSP client role for that host (Enable-WSManCredSSP -Role Client -DelegateComputer Host01).
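The host-side and client-side steps above, collected into one PowerShell script with the checks a practitioner would want, as an added example that is not the book's own code. The host name Host01 and the account name are assumptions.

```powershell
# Added example (not from the book): WinRM/CredSSP setup for a workgroup
# Hyper-V host, keeping trust scoped to a single named host.
# 'Host01' and the account name are assumptions for illustration.

# --- Run on the Hyper-V host ---
function Enable-HyperVHostRemoting {
    # Pass -SkipNetworkProfileCheck only when a Public-profile network exists,
    # instead of disabling the check unconditionally.
    $public = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
    if ($public) { Enable-PSRemoting -Force -SkipNetworkProfileCheck }
    else         { Enable-PSRemoting -Force }
    # CredSSP server role: this host will receive delegated credentials.
    Enable-WSManCredSSP -Role Server -Force
}

# --- Run on the management client ---
function Enable-HyperVClientTrust {
    param([Parameter(Mandatory)][string]$HostName)
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    # TrustedHosts switches off server identity checking for the listed names:
    # append only this one host, never '*'.
    if (($current -split ',') -notcontains $HostName) {
        Set-Item -Path $path -Value $HostName -Concatenate -Force
    }
    # Delegate fresh credentials to this host only.
    Enable-WSManCredSSP -Role Client -DelegateComputer $HostName -Force
}

function Test-HyperVRemoteAccess {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Negotiate is enough to list VMs; add -Authentication Credssp only when
    # the host must pass the credentials on (for example to SMB storage).
    Invoke-Command -ComputerName $HostName -Credential $Credential -ScriptBlock {
        Get-VM | Select-Object Name, State, Version
    }
}

# Usage on the client:
# Enable-HyperVClientTrust -HostName 'Host01'
# Test-HyperVRemoteAccess -HostName 'Host01' -Credential (Get-Credential 'Host01\Admin')
```

Run Enable-HyperVHostRemoting once on the host, then the two client functions on the management computer; the TrustedHosts check is what keeps a repeated run from widening trust.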


When making the connection, you are prompted to enter the credentials for the virtual machine, as shown in Figure 3-9.

FIGURE 3-9 Windows PowerShell credential request

Using Enter-PSSession allows you to interactively manage the virtual machine. You can continue to run commands within the virtual machine until you explicitly exit the session. With Invoke-Command, you are limited to what is within the ScriptBlock parameter; once the command completes, you are returned to the local PowerShell session.
In addition to VMName, you can also use the VMId (the VM's GUID) to connect to a specific VM. To enter a PowerShell Direct session, you must be logged on to the host as a Hyper-V administrator, and the credentials you supply are for an account inside the guest. The VM must be running locally on that host and already booted to an operating system that supports PowerShell Direct (Windows 10 or Windows Server 2016).
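The preconditions above, checked before a PowerShell Direct command is run, as an added example that is not from the book. The VM name and the guest credential are assumptions.

```powershell
# Added example (not from the book): run a command in a guest over PowerShell
# Direct after checking the preconditions the text lists. VM name and
# credential are assumptions.
function Invoke-VMDirectCommand {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mand atory)][pscredential]$GuestCredential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne 'Running') {
        throw "VM '$VMName' is $($vm.State); PowerShell Direct needs a running guest."
    }
    # A heartbeat of Ok* means the integration services have started, so the
    # guest has booted far enough to accept a session.
    if ("$($vm.Heartbeat)" -notlike 'Ok*') {
        throw "VM '$VMName' has not reported a healthy heartbeat (status: $($vm.Heartbeat))."
    }
    # Connect by VMId rather than name: names can be duplicated or renamed,
    # the GUID cannot.
    Invoke-Command -VMId $vm.Id -Credential $GuestCredential -ScriptBlock $ScriptBlock
}

# Usage (the credential is an account *inside* the VM, not on the host):
# $cred = Get-Credential -Message 'Guest administrator'
# Invoke-VMDirectCommand -VMName '743-01' -GuestCredential $cred -ScriptBlock {
#     Get-Service -Name vmic* | Select-Object Name, Status
# }
```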

Implement nested virtualization


Nested virtualization is a new feature that enables you to run Hyper-V inside of a virtual machine that is already running on Hyper-V. This is useful if you plan to use Hyper-V containers inside a VM, use Hyper-V in a lab environment, or are testing multi-machine scenarios without additional hardware.


Configure dynamic memory
Dynamic memory enables a VM's memory to grow and shrink automatically based on the needs of the guest operating system. To enable dynamic memory, the VM must be powered off. Dynamic Memory can be enabled in the GUI by simply placing a checkmark next to the option, and then configuring the Minimum RAM and Maximum RAM. The Startup RAM is the amount of memory assigned to the VM when it is first powered on; the minimum must be no larger than the startup value. Dynamic Memory is also configured by using the Set-VMMemory cmdlet. For example, to enable Dynamic Memory with a startup value and minimum of 4 GB, and a maximum of 8 GB, run the following command:
Set-VMMemory -VMName 743-02 -StartupBytes 4GB -DynamicMemoryEnabled $True -MinimumBytes 4GB -MaximumBytes 8GB

Configure Non-Uniform Memory Access support
Windows Server 2012 introduced support for virtual NUMA in Hyper-V, ensuring that VMs with large amounts of memory perform as expected. The NUMA topology can be configured in a few ways:
■ Maximum processors per virtual NUMA node The maximum number of virtual processors that belong to a single virtual NUMA node, between 1 and 32.
■ Maximum memory per virtual NUMA node The maximum amount of memory that can be allocated to a single virtual NUMA node, up to 256 GB.
■ Maximum virtual NUMA nodes per socket The maximum number of virtual NUMA nodes that are allowed on a single virtual socket, between 1 and 64.
■ NUMA Spanning A host-level setting that allows a VM to be backed by memory from more than one physical NUMA node; it is enabled by default.
Figure 3-10 shows the default NUMA configuration for a Hyper-V VM.


FIGURE 3-11 Smart Paging File Location

Additionally, smart paging can be configured from PowerShell with the Set-VM cmdlet. To set the smart paging file location to E:\VMs\743\03\Paging, run the following command:
Set-VM -VMName 743-03 -SmartPagingFilePath "E:\VMs\743\03\Paging"

Configure Resource Metering
Resource Metering is a built-in function that enables you to monitor the resource consumption of a VM, including:
■ Average CPU usage
■ Average memory usage
■ Minimum memory usage
■ Maximum memory usage
■ Maximum amount of allocated disk space
■ Total inbound network traffic
■ Total outbound network traffic


Resource Metering is not enabled for a VM by default. To enable it, run the Enable-VMResourceMetering cmdlet. For example, to enable it on a VM named 743-01, run the following command:
Enable-VMResourceMetering -VMName 743-01

Once Resource Metering has been enabled, you can view the data by running the Measure-VM cmdlet. The following example is for a VM named 743-01:
Measure-VM -VMName 743-01 | FL

And the output:
VMId                            : 85c4c297-9553-41ed-80c5-553b275faf49
VMName                          : 743-01
CimSession                      : CimSession: .
ComputerName                    : HOST01
AverageProcessorUsage           : 9
AverageMemoryUsage              : 2048
MaximumMemoryUsage              : 2048
MinimumMemoryUsage              : 2048
TotalDiskAllocation             : 130048
AggregatedAverageNormalizedIOPS : 2
AggregatedAverageLatency        : 240
AggregatedDiskDataRead          : 0
AggregatedDiskDataWritten       : 2
AggregatedNormalizedIOCount     : 301
AvgCPU                          : 9
AvgRAM                          : 2048
MinRAM                          : 2048
MaxRAM                          : 2048
TotalDisk                       : 130048
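An added example, not from the book, that meters a VM over a fixed window and returns the figures listed above, including the inbound and outbound network totals that the Format-List output does not show directly. The VM name is an assumption.

```powershell
# Added example (not from the book): sample a VM's resource usage over a fixed
# window and return the metrics the section lists. VM name is an assumption.
function Get-VMResourceSample {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$Seconds = 60
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if (-not $vm.ResourceMeteringEnabled) {
        Enable-VMResourceMetering -VM $vm
    }
    # Start the measurement window fresh instead of reporting since enable time.
    Reset-VMResourceMetering -VM $vm
    Start-Sleep -Seconds $Seconds
    $m   = Measure-VM -VM $vm
    $net = $m.NetworkMeteredTrafficReport
    [pscustomobject]@{
        VM          = $m.VMName
        WindowSec   = $Seconds
        AvgCpuMHz   = $m.AverageProcessorUsage   # reported in megahertz, not percent
        AvgRamMB    = $m.AverageMemoryUsage
        MinRamMB    = $m.MinimumMemoryUsage
        MaxRamMB    = $m.MaximumMemoryUsage
        DiskAllocMB = $m.TotalDiskAllocation
        InboundMB   = ($net | Where-Object { $_.Direction -eq 'Inbound' }  | Measure-Object -Property TotalTraffic -Sum).Sum
        OutboundMB  = ($net | Where-Object { $_.Direction -eq 'Outbound' } | Measure-Object -Property TotalTraffic -Sum).Sum
    }
}

# Usage: Get-VMResourceSample -VMName '743-01' -Seconds 120
```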

Manage Integration Services
With Windows Server 2016, the method of providing integration services has changed. The vmguest.iso file is no longer included with Hyper-V, because integration services are now delivered through Windows Update. This enables you to centralize the management of integration services along with Windows updates. It is also useful in scenarios where different groups or organizations manage individual VMs: by using Windows Update, the owner of the VM decides when to upgrade the integration services for their VM.
The available integration services are:
■ Guest Service Interface
■ Heartbeat
■ Key-Value Pair Exchange
■ Shutdown
■ Time Synchronization
■ VSS
You can obtain the current integration services configuration of a VM by running the Get-VMIntegrationService cmdlet. For example:
Get-VMIntegrationService -VMName 743-01

By default, all integration services except for Guest Service Interface are enabled. Guest Service Interface allows the host to copy files into the guest (Copy-VMFile), so enable it only on VMs where that capability is wanted. To enable a specific service, run the Enable-VMIntegrationService cmdlet. For example:
Enable-VMIntegrationService -VMName 743-01 -Name "Guest Service Interface"

You can also manage integration services from within the VM itself. To view the list of services from within the VM, run the Get-Service cmdlet. For example:
Get-Service -Name VM*

The Get-Service cmdlet returns the same list of integration services, but with their service names:
■ vmicguestinterface
■ vmicheartbeat
■ vmickvpexchange
■ vmicrdv
■ vmicshutdown
■ vmictimesync
■ vmicvmsession
■ vmicvss
From within the VM, you can run Start-Service or Stop-Service to manage the integration services.
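Because Guest Service Interface is the one integration service that lets the host push files into a guest, it is worth auditing across a host. The following is an added example, not from the book, that reports every VM with the service enabled and, with -Enforce, disables it unless the VM is on an allow list. The VM names are assumptions.

```powershell
# Added example (not from the book): audit Guest Service Interface on every VM
# on this host and optionally disable it where it is not explicitly allowed.
function Set-GuestServiceInterfacePolicy {
    param(
        [string[]]$AllowedVMs = @(),
        [switch]$Enforce
    )
    $results = foreach ($svc in (Get-VM | Get-VMIntegrationService -Name 'Guest Service Interface')) {
        $allowed = $AllowedVMs -contains $svc.VMName
        $action  = 'none'
        if ($svc.Enabled -and -not $allowed) {
            $action = 'flagged'
            if ($Enforce) {
                # Takes effect immediately; the guest-side vmicguestinterface
                # service stops receiving requests from the host.
                Disable-VMIntegrationService -VMName $svc.VMName -Name $svc.Name
                $action = 'disabled'
            }
        }
        [pscustomobject]@{
            VM      = $svc.VMName
            Enabled = $svc.Enabled
            Allowed = $allowed
            Action  = $action
        }
    }
    $results
}

# Usage: audit first, then enforce once the allow list is right.
# Set-GuestServiceInterfacePolicy -AllowedVMs '743-01'
# Set-GuestServiceInterfacePolicy -AllowedVMs '743-01' -Enforce
```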

Implement Secure Boot for Windows and Linux environments
With Windows Server 2016, both Windows and Linux operating systems running in a Generation 2 VM can use Secure Boot. Windows guests boot with the default Microsoft Windows template. Before booting a Linux guest with Secure Boot enabled, you must configure the VM to use the Microsoft UEFI Certificate Authority template, which trusts the CA that signs the distributions' boot loaders; with the wrong template the guest fails to start with a Secure Boot violation. To configure the VM, run the following command:
Set-VMFirmware 743-01 -SecureBootTemplate MicrosoftUEFICertificateAuthority

Similar to the integration services, you should not memorize specific versions of operating systems that are supported with Secure Boot. However, you should be aware of the Linux distributions that are supported with Secure Boot:
■ Ubuntu
■ SUSE Linux Enterprise
■ Red Hat Enterprise Linux
■ CentOS
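The template choice above, applied with the checks that Set-VMFirmware itself does not make and read back for confirmation, as an added example that is not from the book. The VM name is an assumption.

```powershell
# Added example (not from the book): enable Secure Boot on a Generation 2 VM
# with the template that matches the guest, then verify the firmware settings.
function Set-VMSecureBootForGuest {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][ValidateSet('Windows', 'Linux')][string]$GuestOS
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.Generation -ne 2) {
        throw "Secure Boot requires a Generation 2 VM; '$VMName' is Generation $($vm.Generation)."
    }
    if ($vm.State -ne 'Off') {
        throw "Power off '$VMName' before changing firmware settings."
    }
    # Windows boot managers are signed under the Microsoft Windows template;
    # Linux shims are signed by the Microsoft UEFI CA and need the other one.
    $template = if ($GuestOS -eq 'Linux') { 'MicrosoftUEFICertificateAuthority' } else { 'MicrosoftWindows' }
    Set-VMFirmware -VM $vm -EnableSecureBoot On -SecureBootTemplate $template
    $fw = Get-VMFirmware -VM $vm
    [pscustomobject]@{
        VM         = $VMName
        SecureBoot = $fw.SecureBoot
        Template   = $fw.SecureBootTemplate
    }
}

# Usage:
# Set-VMSecureBootForGuest -VMName '743-01' -GuestOS Linux
```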

Move and convert VMs from previous versions of Hyper-V to Windows Server 2016 Hyper-V
Moving a VM from one host to another can be accomplished a few different ways:
■ Online migration Moves a running VM from one host to another (live migration). Within a failover cluster, a clustered VM moves between cluster nodes; between standalone hosts, a shared-nothing live migration moves the VM's configuration and storage as well. The two physical servers should have processors from the same vendor and family, or the VM must have processor compatibility mode enabled; otherwise the live migration fails.
■ Storage migration and import With this option, you power off the VM and perform a storage migration. This ensures that all data associated with that VM is moved from the existing platform to the new platform.
■ Export and import This option enables you to export the VM's configuration and virtual disks, and then import them back into Hyper-V as a new VM.
An online migration can be performed to move a running VM from one host to another. With Windows Server 2016, the hosts do not have to be members of a failover cluster, but both must be joined to the same Active Directory domain and have live migration enabled (Enable-VMMigration), with Kerberos or CredSSP selected for authenticating the migration traffic. Simply add both Hyper-V hosts to the Hyper-V Manager console, and use the Move wizard, or the Move-VM cmdlet. For example:
Move-VM 743-01 Host02 -IncludeStorage -DestinationStoragePath D:\743-01

An offline method of migration would be to power down the VM, move all of the files associated with the VM, and then import the VM on the new Hyper-V host. We expand on this in the next section.


Once a VM has been migrated from a previous version of Hyper-V, it can be upgraded to the latest configuration version that is available, 8.0. Figure 3-13 shows a portion of Hyper-V Manager, particularly the Upgrade Configuration Version option.

FIGURE 3-13 Hyper-V Management Settings

After the VM has been upgraded, it cannot be downgraded to a previous configuration version, and it can no longer be moved back to a host running an earlier version of Hyper-V. Until it is upgraded, the VM runs at its old version and cannot use the features introduced in Windows Server 2016.
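Because the upgrade is one-way, a practitioner would export first and only touch powered-off VMs. The following is an added example, not from the book, that does exactly that for every VM below the target version. The export path is an assumption.

```powershell
# Added example (not from the book): upgrade every powered-off VM below the
# target configuration version, exporting each one first so that an older
# host could still import it. The export root is an assumption.
function Update-VMConfigVersion {
    param(
        [version]$Target = '8.0',
        [string]$ExportRoot = 'E:\Exports',
        [switch]$WhatIf
    )
    foreach ($vm in Get-VM) {
        if ([version]$vm.Version -ge $Target) { continue }
        if ($vm.State -ne 'Off') {
            Write-Warning "Skipping $($vm.Name): version $($vm.Version) but state is $($vm.State)."
            continue
        }
        if (-not $WhatIf) {
            # Keep a copy at the old version; there is no downgrade path.
            Export-VM -VM $vm -Path $ExportRoot
        }
        Update-VMVersion -VM $vm -Force -WhatIf:$WhatIf
    }
    Get-VM | Select-Object Name, Version, State
}

# Usage: Update-VMConfigVersion -WhatIf   # dry run, then run again without -WhatIf
```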

Export and import VMs
Beginning with Windows Server 2012, performing an export of a VM is not required for it to be imported: a copy of the VM's files can be imported directly. The export function still exists in the console and PowerShell, and can be an easy way to prepare the VM to be moved, especially if the files are scattered in multiple directories. The files in the export are organized in the following folders:
■ Snapshots If the VM has any checkpoints, a configuration file for each checkpoint exists, with the checkpoint GUID as the name.
■ Virtual Hard Disks The base VHDX disk and any associated checkpoint AVHDX disk files.


■ Differencing A differencing disk uses a parent-child relationship. In this case, the parent disk contains read-only data that does not change. All changes are written to a different disk: the differencing disk.
5. On the Specify Name And Location screen, provide a file name for the disk, as well as the directory in which you would like to store the disk. This does not have to be the VM's own folder, and can be anywhere that the Hyper-V host has access to. Click Next to continue.
6. Finally, the Configure Disk screen allows you to select from three options, as shown in Figure 3-14. Select Create A New Blank Virtual Hard Disk, and enter 100 in the Size box. Click Finish.
■ Create A New Blank Virtual Hard Disk This is simply a blank disk that you can attach to a VM.
■ Copy The Contents Of The Specified Physical Disk Any physical disk that is presented to the Hyper-V host can be copied to the virtual disk. After the copy is complete, they are two separate sets of data: any changes that a VM makes to the virtual disk are independent of the physical storage.
■ Copy The Contents Of The Specified Virtual Hard Disk This enables you to select an existing VHD or VHDX and copy the contents of the existing disk to the new disk.

FIGURE 3-14 Configure New Virtual Hard Disk Wizard


Create shared VHDX files
Beginning with Windows Server 2012 R2, a shared VHDX can be used to connect a single virtual disk to multiple VMs. This shared VHDX can act as shared storage for guest cluster configurations without the need for SAN equipment.
A shared VHDX is simply a VHDX that is being accessed by multiple VMs. After creating a new disk, you can add the drive to a VM with the ShareVirtualDisk parameter. For example:
Add-VMHardDiskDrive -VMName 743-01 -Path "\\Host01\Disks\Disk1.vhdx" -ShareVirtualDisk

Using a UNC path ensures that even if you move the VM to a different host, it can still access the storage. The file must be in VHDX format and must reside on a Cluster Shared Volume or on an SMB 3.0 Scale-Out File Server share. If you are using Hyper-V Manager, a shared drive can be created by adding a drive from the SCSI controller. Figure 3-15 shows the option to add a shared drive to a VM.

FIGURE 3-15 SCSI Controller Settings for a VM


Configure differencing disks
As we ment oned ear er n th s chapter, a d fferenc ng d sk uses a parent-ch d re at onsh p
type In th s case, the parent d sk conta ns read-on y data that does not change A d ffer-
enc ng d sk s created us ng the same methods as a typ ca VHD, through the w zard or the
New-VHD cmd et, us ng the D fferenc ng and ParentPath parameters There are two pr mary
methods of us ng d fferenc ng d sks
■ Many child objects to one parent In th s scenar o, a s ng e parent d sk s used and
many ch d d sks are formed off of th s parent Th s s usefu n ab env ronments where
a VMs share the same mage On y one base VHD s necessary, and then each VM has
a d fferenc ng d sk n the ab for nd v dua changes on that VM F gure 3-16 ustrates
th s scenar o

FIGURE 3-16 Many ch d objects

■ A chain of child and parent disks In th s scenar o, d sks bu d on the parent d sk


Th s scenar o s usefu for patch ng mu t p e systems that use d fferenc ng d sks The
base d sk can be the nsta at on of the operat ng system, and each ch d d sk can rep-
resent a serv ce pack or ann versary update F gure 3-17 ustrates th s scenar o

76 CHAPTER 3 mp ement Hyper V


FIGURE 3-17 Cha n of d sks
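The two differencing layouts above, built with New-VHD starting from the blank dynamically expanding disk that the wizard steps earlier produce, as an added example that is not from the book. It also walks the parent chain back to the root so that the relationships can be verified. The folder path is an assumption.

```powershell
# Added example (not from the book): build a many-to-one layout and a chain of
# differencing disks, protect the parents, and verify the chain. $Root is an
# assumption.
$Root = 'E:\VMs\Lab'
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Base image: a dynamically expanding 100 GB VHDX (the wizard's blank-disk option).
$base = New-VHD -Path (Join-Path $Root 'Base.vhdx') -SizeBytes 100GB -Dynamic

# Many children, one parent: each lab VM gets its own differencing disk.
$labDisks = 1..3 | ForEach-Object {
    New-VHD -Path (Join-Path $Root "Lab0$($_).vhdx") -ParentPath $base.Path -Differencing
}

# Chain: Base -> Update1 -> Update2; each link's parent is the previous child.
$u1 = New-VHD -Path (Join-Path $Root 'Base-Update1.vhdx') -ParentPath $base.Path -Differencing
$u2 = New-VHD -Path (Join-Path $Root 'Base-Update2.vhdx') -ParentPath $u1.Path -Differencing

# Any write to a parent invalidates every child below it, so mark parents read-only.
foreach ($p in $base.Path, $u1.Path) {
    Set-ItemProperty -Path $p -Name IsReadOnly -Value $true
}

function Get-VHDChain {
    # Returns the chain from a disk up to its root parent, child first.
    param([Parameter(Mandatory)][string]$Path)
    $chain   = @()
    $current = Get-VHD -Path $Path
    while ($current) {
        $chain += [pscustomobject]@{
            Path   = $current.Path
            Type   = $current.VhdType
            Parent = $current.ParentPath
        }
        $current = if ($current.ParentPath) { Get-VHD -Path $current.ParentPath } else { $null }
    }
    $chain
}

Get-VHDChain -Path $u2.Path | Format-Table -AutoSize          # two links back to Base.vhdx
$labDisks | ForEach-Object { Get-VHDChain -Path $_.Path } | Format-Table -AutoSize
```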

Configure pass-through disks
A pass-through disk enables you to take a physical disk attached to the Hyper-V host and present it directly to a VM. Before presenting a disk to a VM, it must be initialized as either MBR or GPT, but it must be set to offline on the host so that the host and the guest do not both write to it. Figure 3-18 shows adding an offline physical disk to a VM. Note that pass-through disks are not included in VM checkpoints.

FIGURE 3-18 Adding a physical hard disk to a VM

Resize a virtual hard disk
You can resize an existing virtual disk by using the Edit Virtual Hard Disk Wizard, or by using the Resize-VHD cmdlet. Figure 3-19 shows the options to edit a VHD.

FIGURE 3-19 Editing a VHD

The available options for editing a VHD are:
■ Compact This reclaims unused space in a dynamically expanding or differencing VHD and reduces its overall footprint on the Hyper-V host storage.
■ Convert This enables you to change the disk type or format to the other types discussed earlier in the chapter.
■ Expand This simply increases the capacity of the VHD. For VHDX files, the wizard also offers Shrink.
When using PowerShell to manage VHDs, there is a separate cmdlet to perform each of these actions:
■ Optimize-VHD Provides the same action as Compact in the wizard.
■ Convert-VHD Changes the disk type or format of the VHD.
■ Resize-VHD Expands or shrinks the VHD.


Manage checkpoints
Checkpo nts enab e you to capture po nt- n-t me snapshots of a VM Th s g ves you an easy
method of qu ck y restor ng to a known work ng configurat on, mak ng them usefu before
nsta ng or updat ng an app cat on When a checkpo nt s created, the or g na VHD be-
comes read-on y, and a changes are captured n an AVHD fi e Converse y, when a check-
po nt s de eted, the contents of the AVHD are merged w th the or g na d sk, wh ch becomes
the pr mary wr tab e fi e
Standard checkpo nts take a snapshot of both the d sk and the memory state at the t me
that the checkpo nt s taken By defau t, n W ndows Server 2016, snapshots are taken w th
Product on checkpo nts We cover product on checkpo nts n the next sect on The sett ng for
product on or standard s configured at the VM eve , so you use the Set-VM cmd et to make
th s change For examp e
Set-VM -Name 743-01 -CheckpointType Standard

Implement production checkpoints


W ndows Server 2016 ntroduces product on checkpo nts, w th uses the Vo ume
Shadow Copy Serv ce on W ndows guests or F e System Freeze on L nux guests Th s
enab es you to take a cons stent snapshot of a VM w thout the runn ng memory If
tak ng a product on checkpo nt fa s, by defau t the host attempts to create a standard
checkpo nt You can conf gure the type of checkpo nt a VM uses by us ng the Set-VM
cmd et For examp e
Set-VM -Name 743-01 -CheckpointType Production

To set the VM to on y use product on checkpo nts, w thout the ab ty to fa back to a stan-
dard checkpo nt, rep ace the Product on opt on w th Product onOn y Checkpo nts can a so be
configured from Hyper-V Manager by ed t ng the sett ngs of a VM F gure 3-20 d sp ays the
checkpo nt management of a VM

Sk 3.3: Configure Hyper V storage CHAPTER 3 79


FIGURE 3-20 V rtua Mach ne Checkpo nt Sett ngs
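The ProductionOnly setting from the two sections above, used to take a checkpoint that fails rather than silently falling back to a memory-including standard checkpoint, followed by the roll-back and clean-up commands, as an added example that is not from the book. The VM and checkpoint names are assumptions.

```powershell
# Added example (not from the book): take an application-consistent checkpoint
# with no fallback to a standard (memory-including) checkpoint. VM and
# checkpoint names are assumptions.
function New-ProductionOnlyCheckpoint {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Name
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # ProductionOnly: if VSS (or the Linux file-system freeze) fails, the
    # checkpoint fails instead of quietly capturing guest memory.
    if ($vm.CheckpointType -ne 'ProductionOnly') {
        Set-VM -VM $vm -CheckpointType ProductionOnly
    }
    try {
        Checkpoint-VM -VM $vm -SnapshotName $Name -ErrorAction Stop
    } catch {
        throw "Production checkpoint of '$VMName' failed; check the VSS integration service in the guest. $($_.Exception.Message)"
    }
    Get-VMSnapshot -VM $vm | Select-Object Name, CreationTime, ParentSnapshotName
}

# Usage:
# New-ProductionOnlyCheckpoint -VMName '743-01' -Name 'pre-patch'
# Restore-VMSnapshot -VMName '743-01' -Name 'pre-patch' -Confirm:$false   # roll back
# Remove-VMSnapshot  -VMName '743-01' -Name 'pre-patch'                   # merge the AVHDX back into the base disk
```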

Implement a virtual Fibre Channel adapter


A v rtua F bre Channe (FC) adapter can be used w th a v rtua SAN to prov de d rect SAN ac-
cess to a v rtua mach ne Th s enab es you to present LUNs from a SAN to a VM by us ng the
v rtua Wor d W de Name (WWN) that s ass gned to the adapter A FC adapter can be added
from the sett ngs screen of an nd v dua VM F gure 3-21 shows the new FC Adapter screen

80 CHAPTER 3 mp ement Hyper V


FIGURE 3-21 V rtua Mach ne F bre Channe Adapter Sett ngs

Adding an FC adapter can also be accomplished by using PowerShell with the Add-VMFibreChannelHba cmdlet. For example:
Add-VMFibreChannelHba -VMName 743-01 -SanName vSAN1 -GenerateWwn

If you need to specify the WWNs that the VM uses for the adapter, replace the GenerateWwn option with the following:
■ WorldWideNodeNameSetA
■ WorldWideNodeNameSetB
■ WorldWidePortNameSetA
■ WorldWidePortNameSetB
Two sets are assigned because the adapter alternates between them during live migration, so both sets must be zoned and LUN-masked on the SAN. For example, run the following command to create an FC adapter using these WWNs:
Add-VMFibreChannelHba -VMName 743-Nano -SanName vSAN1 -WorldWideNodeNameSetA C003FF0000FFFF00 -WorldWidePortNameSetA C003FF73FD70000C -WorldWideNodeNameSetB C003FF0000FFFF00 -WorldWidePortNameSetB C003FF73FD70000D


Add and remove virtual network interface cards, configure network adapters, configure virtual machine queue, and configure bandwidth management
A virtual network adapter can be added by a method similar to adding a drive or Fibre Channel adapter from within Hyper-V Manager. Simply edit the settings of the VM, and select the option to add the network adapter. For Generation 1 VMs, you have the option of creating a standard (synthetic) network adapter, or a legacy network adapter. A standard adapter offers better performance, and a legacy adapter enables PXE boot on a Generation 1 VM. Figure 3-22 shows the options after adding a new network adapter.

FIGURE 3-22 Virtual Machine Network Adapter Settings


Adding a network adapter can also be accomplished by using PowerShell with the Add-VMNetworkAdapter cmdlet. For example:
Add-VMNetworkAdapter -VMName 743-01 -SwitchName Switch01

After adding a network adapter to a VM, you can configure the VLAN identification, if necessary, for that adapter. Referring back to Figure 3-22, a synthetic network adapter also supports a few additional features:
■ Bandwidth management You can configure the minimum and maximum bandwidth targets for the network adapter.
■ Virtual machine queue (VMQ) If supported by the corresponding physical adapter, VMQ can be enabled on the virtual adapter.
■ IPsec task offloading If supported by the corresponding physical adapter, IPsec tasks can be offloaded to hardware.
A legacy network adapter does not support these features, and can only be configured with a particular VLAN. Regardless of the adapter type, you can manage the adapter with PowerShell by using the Set-VMNetworkAdapter cmdlet.

Configure Hyper-V virtual switches and configure


network isolation
For the purpose of prepar ng for the exam, we’ve comb ned configur ng v rtua sw tches
and network so at on Hyper-V v rtua sw tches enab e connect on from the VM to the
Hyper-V, depend ng on the connect on type of the sw tch Network so at on can be
configured on a VM based on the network adapter and sw tch sett ngs There are three
opt ons to choose from when creat ng a v rtua sw tch
■ External network Th s connects the v rtua sw tch to the se ected phys ca network
adapter of the Hyper-V host Th s phys ca adapter can be ded cated to the VMs that
are runn ng, or t can be shared w th the host operat ng system
■ Internal network Th s connects the VM on y to the Hyper-V host and other VMs
that have a network adapter connected to th s sw tch The VM does not have access to
the phys ca adapter on the host
■ Private network Th s s mp y prov des a connect on to the VM, a though t cannot
commun cate w th the host or w th other VMs on the same sw tch on other Hyper-V
hosts
F gure 3-23 shows the configurat on opt ons for a v rtua sw tch from the V rtua Sw tch
Manager

84 CHAPTER 3 mp ement Hyper V


FIGURE 3-23 V rtua Sw tch Manager

V rtua sw tches can be added from PowerShe by us ng the New-VMSw tch cmd et For
examp e, to create a new nterna v rtua sw tch, run the fo ow ng command
New-VMSwitch -Name Internal1 -SwitchType Internal

Optimize network performance
Optimizing network performance can be achieved from both a Hyper-V host perspective, as well as an individual VM perspective. When preparing for the exam, some performance options to be aware of include:

FIGURE 3-24 Virtual Switch Manager MAC Address Range

Although the MAC address range is managed from the Virtual Switch Manager, it is configured from PowerShell by using the Set-VMHost cmdlet. For example:
Set-VMHost -MacAddressMinimum 00155DA7E700 -MacAddressMaximum 00155DA7E7FF

Configuring the MAC address on an individual network adapter is accomplished from the settings of the VM, as shown in Figure 3-25.

FIGURE 3-25 VM Settings Advanced Features

The MAC address settings for a virtual network adapter can be configured with PowerShell by using the Set-VMNetworkAdapter cmdlet. For example, to assign a static MAC address, run the following command:
Set-VMNetworkAdapter -VMName 743-01 -StaticMacAddress 00155DA7E73B

Configure NIC teaming in VMs
If you present multiple network adapters to a VM, you can configure them to be teamed within the VM. However, you must also allow each network adapter to be a member of a team from the Hyper-V host side. Figure 3-26 shows the Advanced Features of a network adapter, where NIC teaming can be enabled.

FIGURE 3-26 Advanced Features of a Virtual Network Adapter

Enabling NIC teaming for a virtual network adapter can also be performed through PowerShell by using the Set-VMNetworkAdapter cmdlet. Note that although the AllowTeaming parameter reads like a Boolean, the valid values are On and Off, not $True or $False. For example:
Set-VMNetworkAdapter -VMName 743-01 -AllowTeaming On
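The switch, adapter, VLAN, MAC and teaming settings from the preceding sections, combined into one isolated lab attachment and then read back, as an added example that is not from the book. It leaves MAC address spoofing off (the default), which stops the guest from changing its MAC and so from impersonating another VM on the switch. The switch name, VM name, VLAN ID and MAC address are assumptions.

```powershell
# Added example (not from the book): attach a VM to an internal switch with a
# fixed VLAN, static MAC, bandwidth cap, teaming and MAC spoofing off, then
# report the resulting settings. Switch, VM, VLAN and MAC values are assumptions.
function Add-IsolatedVMAdapter {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$SwitchName = 'Internal1',
        [int]$VlanId = 100,
        [string]$MacAddress = '00155DA7E73B',
        [long]$MaxBandwidthBps = 100MB   # 100MB = 104,857,600 bits/s, roughly 100 Mbps
    )
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
    }
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # Hot-add works for Generation 2 VMs; a Generation 1 VM must be off.
    if ($vm.Generation -eq 1 -and $vm.State -ne 'Off') {
        throw "Generation 1 VM '$VMName' must be powered off to add an adapter."
    }
    $nic = Add-VMNetworkAdapter -VM $vm -SwitchName $SwitchName -Name 'Lab' -Passthru
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $VlanId
    Set-VMNetworkAdapter -VMNetworkAdapter $nic `
        -StaticMacAddress $MacAddress `
        -MaximumBandwidth $MaxBandwidthBps `
        -MacAddressSpoofing Off `
        -AllowTeaming Off
    Get-VMNetworkAdapter -VM $vm -Name 'Lab' | Select-Object Name, SwitchName, MacAddress,
        @{ n = 'Vlan';     e = { ($_ | Get-VMNetworkAdapterVlan).AccessVlanId } },
        @{ n = 'MaxBwBps'; e = { $_.BandwidthSetting.MaximumBandwidth } },
        @{ n = 'Spoofing'; e = { $_.MacAddressSpoofing } }
}

# Usage: Add-IsolatedVMAdapter -VMName '743-01'
```

For a Generation 1 VM that must PXE boot, add -IsLegacy to Add-VMNetworkAdapter; the VLAN setting still applies, but the bandwidth and teaming settings do not.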

Enable Remote Direct Memory Access on network adapters bound to a Hyper-V virtual switch using Switch Embedded Teaming
In previous versions of Windows Server and Hyper-V, you could not configure RDMA on network adapters that were part of a NIC team or a virtual switch. With Windows Server 2016, you can now enable RDMA on network adapters that are part of a virtual switch, with


Thought Experiment
A company is planning to create two servers that run Hyper-V in a workgroup. The servers must consume only the minimum resources that are required, and must be managed remotely. One of the Hyper-V servers must host a VM that must also use the Hyper-V role.
After deploying the hosts, the company plans to deploy both Windows and Linux guest operating systems. Both operating systems must include the drivers for hardware that is being passed to the VM.
The disks on the VMs must be thinly provisioned to maximize the capacity that is available on the hosts. Checkpoints that use VSS must be used to capture consistent snapshots.
Using this information, answer the following questions:
1. How should the company install Hyper-V?
2. How should the management roles be configured?
3. Name a Linux operating system that the company can use.
4. What type of disks must the VMs use?
5. What type of checkpoints must the VMs use?

Thought Experiment Answers
1. Based on this scenario, Hyper-V should be installed on Nano Server. This consumes the absolute minimum amount of resources for the environment.
2. Because the hosts are in a workgroup, WSMan TrustedHosts (and CredSSP) must be configured on the management computer for remote management.
3. Red Hat Enterprise Linux, CentOS, Ubuntu, or SUSE Linux Enterprise.
4. The disks must be dynamically expanding to be thinly provisioned.
5. Only Production checkpoint types use VSS for consistent snapshots.
Determine installation requirements and appropriate scenarios for Windows Containers
Windows Containers is a new feature that is only available on Windows Server 2016, Nano Server, and the Windows 10 Professional and Enterprise Anniversary Update editions. If you plan on using Hyper-V containers, then the Hyper-V role must also be installed on the computer or server. To use Windows Server containers, the operating system must be installed on the C drive. If you plan to only use Hyper-V containers, then the operating system can be installed on any drive.
When the container host is itself a VM, Hyper-V containers require nested virtualization. Nested virtualization has the following requirements:
■ At least 4 GB of RAM for the virtualized Hyper-V host
■ A processor with Intel VT-x
Also, the container host VM must have at least two virtual processors, and dynamic memory must be disabled. As of this writing, Windows Server 2016 offers two container images: Server Core and Nano Server. If the host operating system is Nano Server, then only the Nano Server image is available.

Install and configure containers
For the purpose of preparing for the exam, we've combined two of the listed skills:
■ Install and configure a Windows Server container host in physical or virtualized environments
■ Install and configure a Windows Server container host on Windows Server Core or Nano Server in a physical or virtualized environment
For either host operating system, whether it is physical or virtual, Containers is listed as a Windows feature. For servers with a GUI, it can be installed from the Add Roles And Features wizard. Containers can also be installed by using Windows PowerShell with the Install-WindowsFeature cmdlet. Figure 4-1 shows installing the Containers feature by using the Install-WindowsFeature cmdlet.

FIGURE 4-1 Install-WindowsFeature

94 CHAPTER 4 Implement Windows Containers


After the installation is complete, run the docker info command. A portion of the output is shown in Figure 4-3.

FIGURE 4-3 Docker info

The installation example above breaks down like this:
1. First, the Docker engine and client are downloaded from the Docker website.
2. Then, the compressed folder is extracted into the Program Files directory.
3. The path is set as a system environment variable, and the service is registered and started.
4. Finally, the base container image is tagged with the version "latest".
For installing Docker on Nano Server, the same overall process must be followed. However, Nano Server does not currently support the Invoke-WebRequest cmdlet. Therefore, you must manually download the Docker files and copy them to the Nano Server operating system. From there you can set the environment variable, create the service, and then start the service. For Nano Server, you must also enable the FPS-SMB-In-TCP firewall rule so that the files can be copied in over SMB. For example:
Set-NetFirewallRule -Name FPS-SMB-In-TCP -Enabled True
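The four install steps above as one function, with the downloaded archive verified against a published SHA256 before anything from it is run, as an added example that is not the book's Figure 4-2 script. The download URL, the expected hash and the base image tag are assumptions; use the values published for the release you install.

```powershell
# Added example (not from the book): download, verify, extract, register and
# start the Docker engine, then tag the base image as latest. URL, hash and
# image tag are assumptions.
function Install-DockerEngine {
    param(
        [Parameter(Mandatory)][string]$DockerZipUrl,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$BaseImage    = 'microsoft/windowsservercore',
        [string]$BaseImageTag = '10.0.14393.0'
    )
    $zip = Join-Path $env:TEMP 'docker.zip'
    # 1. Download the engine and client.
    Invoke-WebRequest -Uri $DockerZipUrl -OutFile $zip -UseBasicParsing
    # Verify the archive before running anything from it.
    $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -Path $zip -Force
        throw "docker.zip SHA256 $actual does not match expected $ExpectedSha256; aborting."
    }
    # 2. Extract into Program Files (creates Program Files\docker).
    Expand-Archive -Path $zip -DestinationPath $env:ProgramFiles -Force
    # 3. Machine-wide PATH, then register and start the service.
    $dockerDir   = Join-Path $env:ProgramFiles 'docker'
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    if (($machinePath -split ';') -notcontains $dockerDir) {
        [Environment]::SetEnvironmentVariable('Path', "$machinePath;$dockerDir", 'Machine')
    }
    $env:Path += ";$dockerDir"
    & (Join-Path $dockerDir 'dockerd.exe') --register-service
    Start-Service -Name docker
    # 4. Pull the base image by explicit version and tag that version as 'latest'.
    & docker pull "${BaseImage}:${BaseImageTag}"
    & docker tag  "${BaseImage}:${BaseImageTag}" "${BaseImage}:latest"
    & docker info
}

# Usage:
# Install-DockerEngine -DockerZipUrl 'https://download.docker.com/components/engine/windows-server/cs-1.12/docker.zip' `
#                      -ExpectedSha256 '<hash published with the release>'
```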

Configure Docker daemon start-up options
Docker is configured by using a daemon.json file, located at C:\ProgramData\docker\config\daemon.json. When using Docker on Windows Server 2016, only a subset of the configuration options is available. When creating the JSON file, only the necessary configuration changes need to be included in the file. For example, to configure the Docker Engine to accept connections on port 2375, add the following to the daemon.json file:
{
    "hosts": ["tcp://0.0.0.0:2375"]
}

Be aware that port 2375 is an unencrypted, unauthenticated endpoint: anyone who can reach it controls the Docker engine and, through it, the host. Use it only on a trusted network, restrict it with the host firewall, or enable TLS with the tlsverify, tlscacert, tlscert, and tlskey options instead.
You can also configure Docker by using the sc config command. When using sc config, you are modifying the Docker Engine start-up flags directly on the Docker service. For example:
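The TLS alternative to the bare port 2375 setting above, written into daemon.json and limited at the firewall, as an added example that is not from the book. The certificate paths, the port, the management subnet and the config path are assumptions.

```powershell
# Added example (not from the book): configure the Docker engine to listen over
# TLS with client-certificate verification, keep the local named pipe, and allow
# the port only from a management subnet. Paths, port and subnet are assumptions.
function Set-DockerDaemonTls {
    param(
        [Parameter(Mandatory)][string]$CaCert,
        [Parameter(Mandatory)][string]$ServerCert,
        [Parameter(Mandatory)][string]$ServerKey,
        [int]$Port = 2376,
        [string]$ManagementSubnet = '10.0.0.0/24',
        [string]$ConfigPath = 'C:\ProgramData\docker\config\daemon.json'
    )
    foreach ($f in $CaCert, $ServerCert, $ServerKey) {
        if (-not (Test-Path -Path $f)) { throw "Certificate file not found: $f" }
    }
    # Merge into any existing settings instead of overwriting the file.
    $cfg = @{}
    if (Test-Path -Path $ConfigPath) {
        (Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $cfg[$_.Name] = $_.Value }
    }
    $cfg['hosts']     = @("tcp://0.0.0.0:$Port", 'npipe://')   # keep the local named pipe
    $cfg['tlsverify'] = $true                                   # reject clients without a CA-issued cert
    $cfg['tlscacert'] = $CaCert
    $cfg['tlscert']   = $ServerCert
    $cfg['tlskey']    = $ServerKey
    New-Item -ItemType Directory -Path (Split-Path -Path $ConfigPath) -Force | Out-Null
    $cfg | ConvertTo-Json | Set-Content -Path $ConfigPath -Encoding Ascii
    Restart-Service -Name docker
    # Only the management subnet may reach the API port.
    New-NetFirewallRule -DisplayName "Docker API TLS $Port (mgmt only)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
    Get-Content -Path $ConfigPath
}

# Usage:
# Set-DockerDaemonTls -CaCert 'C:\ProgramData\docker\certs.d\ca.pem' `
#     -ServerCert 'C:\ProgramData\docker\certs.d\server-cert.pem' `
#     -ServerKey  'C:\ProgramData\docker\certs.d\server-key.pem'
```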

Create Windows Server containers
You deploy containers with the Docker command-line client, which talks to the Docker daemon. One of the first tasks you might need to do is view a list of the available container images. For example, the following command returns a list of Microsoft images on Docker Hub:
docker search Microsoft

A portion of the output is included for reference:
NAME                 DESCRIPTION
microsoft/aspnet     ASP.NET is an open source server-side Web ...
microsoft/dotnet     Official images for working with .NET Core...
mono                 Mono is an open source implementation of M...
microsoft/azure-cli  Docker image for Microsoft Azure Command L...
microsoft/iis        Internet Information Services (IIS) instal...

Therefore, if you want to use the ASP.NET image, use the Docker client to pull the image:
docker pull microsoft/aspnet

Create Hyper-V containers
Windows Server containers and Hyper-V containers are created and managed in the same way, and are functionally identical. Both types of containers also use the same container images. The difference between a Windows Server container and a Hyper-V container is the level of isolation from the host, and from other containers on that host: a Windows Server container shares the host's kernel, while a Hyper-V container runs on its own kernel inside a lightweight utility VM. The only difference when creating the container is that you specify the --isolation=hyperv parameter:
docker run -it --isolation=hyperv nanoserver cmd

To demonstrate the isolation of a Hyper-V container, assume that a Windows Server container has been deployed. You start a container that runs a continuous ping, giving it a name so that you can refer to it later:
docker run -d --name wsc windowsservercore ping localhost -t

Using the Docker client, you can view the process that is running the ping:
docker top wsc
4369 ping

In this example, the process ID within the container is 4369. Because the container shares the host kernel, you can also view the same process from the host:
Get-Process -Name ping

Skill 4.1: Deploy Windows Containers CHAPTER 4 99


The following output is returned:
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id  SI ProcessName
-------  ------    -----      ----- -----   ------     --  -- -----------
     67       5      820       3836 ...71     0.03   4369   3 PING

If you follow the same process with a Hyper-V container, you receive a different end result. You can create the container and view the process from the host by using the Docker client:
docker run -d --name hvc --isolation=hyperv nanoserver ping -t localhost
docker top hvc
2371 ping

The difference appears when you try to view the process on the container host:
Get-Process -Name ping
Get-Process : Cannot find a process with the name "ping". Verify the process name and call the cmdlet again.
At line:1 char:1
+ Get-Process -Name ping
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ping:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

The ping process is not visible on the host at all. With a Hyper-V container, the container's processes run on a separate kernel inside a utility VM, which is hosted by a vmwp process. The vmwp process is the virtual machine worker process on the host, and it is what isolates the container's processes from the host operating system:
Get-Process -Name vmwp
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id  SI ProcessName
-------  ------    -----      ----- -----   ------     --  -- -----------
   1737      15    39452      19620 ...61     5.55   2376   0 vmwp


Removing an image is performed by using the Docker client with the rmi command. However, if any container still depends on the image that you are trying to remove, the command fails. The rmi command accepts either the image name or the ID of the image:
docker rmi windowsservercoreiis

To view the layers that make up an image, and therefore the images it depends on, use the history command:
docker history windowsservercoreiis

The following output is returned:
IMAGE          CREATED         CREATED BY   SIZE       COMMENT
2236b49aaaef   3 minutes ago   cmd          171.2 MB
6801d964fda5   2 weeks ago                  0 B

Manage Windows or Linux containers using Windows PowerShell
As of this writing, the PowerShell for Docker module is in development. The team writing the module has adopted the Microsoft Open Source Code of Conduct, and welcomes contributions to the project in the form of bugs, suggestions, proposals, and pull requests through the GitHub repository. The project is available on GitHub here: https://github.com/Microsoft/Docker-PowerShell/
The PowerShell module for Docker is simply an alternative to the Docker command-line client. You can use the module as a replacement for, or in conjunction with, the Docker client. The PowerShell module can target any operating system that is running the Docker engine, on both Windows and Linux.
To compile the project, you need to obtain the .NET Core SDK, and the .NET SDKs for versions 4.5 and 4.6. The Docker endpoint that you are planning to connect to must support API version 1.24.
The latest release version of the module can also be downloaded from GitHub here: https://github.com/Microsoft/Docker-PowerShell/releases. Download and extract the compressed folder, and then use the Import-Module cmdlet, pointing to the extracted folder. This makes the Docker cmdlets available on the computer.


Manage container networking
Container networks are similar to virtual networks through Hyper-V. Each container has a virtual network adapter that is connected to a virtual switch. To force isolation between containers that are running on the same host, compartments are created for each container. A Windows Server host uses Host vNICs to attach to the virtual switch, while Hyper-V containers use a synthetic VM NIC to attach to the virtual switch.
Containers support four different networking modes:
■ Network Address Translation (NAT) Each container receives an IP address from a private address pool. Port forwarding or mapping can be configured to transmit data from the host to the container.
■ Transparent Each container endpoint has a direct connection to the physical network that the host is using. The IP address range that is being used on the physical network can be used on the container, either as a static address or dynamically assigned.
■ L2 Bridge Each container endpoint is in the same subnet as the host that is running it. The container IP address is assigned statically from the same prefix as the host. All container endpoints on the host use the same MAC address.
■ L2 Tunnel This mode should only be used in a Microsoft Cloud Stack.
By default, the Docker engine creates a NAT network when the Docker service runs for the first time. The default network that is used is 172.16.0.0/12. You can customize the network prefix used by modifying the daemon.json configuration file. The endpoints in the container are attached to this network and assigned an IP address from the private network. Table 4-1 outlines connections for a single-host environment.

TABLE 4-1 Single host connection types

Single host | Container to container                  | Container to external
NAT         | Connects using Hyper-V Virtual Switch   | Routed through WinNAT with address translation
Transparent | Connects using Hyper-V Virtual Switch   | Direct access to physical network
L2 Bridge   | Connects through Hyper-V Virtual Switch | Access to physical network by using MAC address translation

Additionally, Table 4-2 outlines the connections for a multi-host environment.
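The following script is an added example and is not from the book. It shows the two configuration points the text describes: changing the prefix of the default NAT network through daemon.json (the fixed-cidr setting), and creating a transparent network for endpoints that need a direct connection to the physical network. The prefix, the network name, and the host adapter name are constructed assumptions; the script assumes the Windows Server 2016 container host and the HNS cmdlets (Get-ContainerNetwork, Remove-ContainerNetwork) that ship with the Containers feature.

```powershell
# Added example (not from the book). Customizes the default NAT prefix and adds a
# transparent network. The prefix and names below are assumptions for the example.
$daemonJson = 'C:\ProgramData\Docker\config\daemon.json'
$natPrefix  = '10.20.30.0/24'      # assumed private prefix, replaces the 172.16.0.0/12 default

# Merge the setting into an existing daemon.json instead of overwriting other options.
$config = if (Test-Path $daemonJson) {
    Get-Content $daemonJson -Raw | ConvertFrom-Json
} else {
    New-Item -ItemType Directory -Path (Split-Path $daemonJson) -Force | Out-Null
    [pscustomobject]@{}
}
$config | Add-Member -NotePropertyName 'fixed-cidr' -NotePropertyValue $natPrefix -Force
$config | ConvertTo-Json | Set-Content -Path $daemonJson -Encoding Ascii

# The daemon reads daemon.json only at start, and the existing 'nat' network has to be
# removed before the new prefix is applied on the next start.
Stop-Service docker
Get-ContainerNetwork | Remove-ContainerNetwork -Force
Start-Service docker

# Transparent mode: endpoints sit directly on the physical network behind the named
# host adapter (assumed adapter name "Ethernet").
docker network create -d transparent -o com.docker.network.windowsshim.interface="Ethernet" TransparentNet

# Verify: the nat network should now report the assumed prefix, and both networks are listed.
docker network inspect nat --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
docker network ls
```

Removing every container network on the host drops the endpoints of running containers, so this is a maintenance-window change; run it before endpoints are attached to the default network.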

Skill 4.2: Manage Windows Containers CHAPTER 4 103


Manage container data volumes
Data volumes are storage locations that are visible to both the container host and the container endpoint. The data that is in the volume can be shared between the two systems, as well as with other containers on the same host. Creating a new volume is part of the run parameter with the Docker daemon.
docker run -it -v c:\volume1 windowsservercore cmd

By default, new data volumes are created in C:\ProgramData\Docker\Volumes on the container host. In the command, the C:\Volume1 indicates that the volume is accessible within the container endpoint at that path.
After you have created a volume, to mount it to a different container, specify the source and destination paths using the same parameters.
docker run -it -v c:\source:c:\destination windowsservercore cmd

You can also pass through a single file from the container host to the endpoint. The syntax is basically the same as specifying an existing volume.
docker run -it -v c:\container-share\config.ini windowsservercore cmd

Similarly, you can also mount a full drive from the container host to the endpoint. Note that when mounting a full drive, a backslash is not included with the drive letter.
docker run -it -v d: windowsservercore cmd

Finally, data volumes can be inherited from other endpoints using the --volumes-from switch in the run parameter. This is useful if the applications in multiple containers are sharing the same data.
docker run -it --volumes-from Volume1 windowsservercore cmd
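The following script is an added example and is not from the book. It exercises the forms of the -v switch described above end to end: a host directory that a container writes into, a single configuration file bound read-only (the :ro suffix, which assumes a Docker version that honors read-only bind mounts on Windows), and a second container inheriting the mounts of a named container with --volumes-from. The host paths, file contents, and container names are constructed for the example.

```powershell
# Added example (not from the book). Host directory, read-only file, and --volumes-from.
$hostShare = 'C:\container-share'                       # assumed host path
New-Item -ItemType Directory -Path $hostShare -Force | Out-Null
Set-Content -Path "$hostShare\config.ini" -Value "[app]`nmode=production"   # constructed file

# Writable directory: a file created inside the container appears on the host.
docker run --rm -v "${hostShare}:C:\data" windowsservercore `
    cmd /c "echo written-by-container > C:\data\from-container.txt"
Get-Content "$hostShare\from-container.txt"             # proves the host sees the write

# Single file, read-only (:ro): the endpoint can read its settings but not alter them.
docker run --rm -v "${hostShare}\config.ini:C:\app\config.ini:ro" windowsservercore `
    cmd /c "type C:\app\config.ini && (echo tamper >> C:\app\config.ini || echo write blocked)"

# A named container holds the mounts; a second container inherits them with
# --volumes-from instead of repeating each -v argument.
docker run -d --name datastore -v "${hostShare}:C:\data" windowsservercore `
    cmd /c "ping -t localhost > nul"
docker run --rm --volumes-from datastore windowsservercore cmd /c "dir C:\data"
docker rm -f datastore
```

Binding only the file an application needs, and binding it read-only, keeps the rest of the host file system out of the container's reach and prevents the endpoint from rewriting its own configuration.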

Manage resource control

Docker includes the ability to manage the CPU, disk I/O, network, and memory consumption that an endpoint consumes. This ensures that you are able to manage the container host resources efficiently, as well as ensuring that you maximize the performance of all services running on a host.
By default, the CPU is divided equally among all endpoints running on a container host. To change the share that an endpoint has, use the --cpu-shares switch with the run parameter. The --cpu-shares parameter accepts a value between 1 and 10000. The default weight of all endpoints is 5,000.
docker run -it --cpu-shares 2 --name dockerdemo windowsservercore cmd
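The following script is an added example and is not from the book. It starts an endpoint with both a CPU weight and a memory ceiling, reads back what the daemon actually applied with docker inspect, and takes a one-shot usage sample with docker stats. The container name and the limit values are constructed assumptions.

```powershell
# Added example (not from the book). Apply limits, verify them, sample usage.
$name = 'dockerdemo'                                    # assumed container name

# Weight relative to other endpoints (--cpu-shares) and a hard memory cap (--memory).
docker run -d --name $name --cpu-shares 2 --memory 512m windowsservercore `
    cmd /c "ping -t localhost > nul"

# HostConfig holds the per-container limits; Memory is reported in bytes.
$applied = docker inspect $name --format '{{.HostConfig.CpuShares}} {{.HostConfig.Memory}}'
$cpuShares, $memoryBytes = $applied -split ' '
"CPU shares: $cpuShares   Memory limit: $([int64]$memoryBytes / 1MB) MB"

# One-shot snapshot of live consumption: a quick way to spot an endpoint
# that is starving the other services on the host.
docker stats --no-stream --format 'table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}' $name

docker rm -f $name
```

Reading the limits back from the daemon, rather than trusting the command line, catches the case where a value was silently rejected or rounded.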



Downloading an image from the Docker Hub is the same as retrieving a base image. Use the pull parameter with the Docker daemon.
docker pull microsoft/aspnet

The following output is returned:

Using default tag: latest
latest: Pulling from microsoft/aspnet
f9e8a4cc8f6c: Pull complete
b71a5b8be5a2: Download complete

After downloading the image, it is available when viewing the images through the Docker daemon.
docker images

The following output is returned:

REPOSITORY         TAG      IMAGE ID       CREATED       VIRTUAL SIZE
microsoft/aspnet   latest   b3842ee505e5   5 hours ago   101.7 MB

To upload an image to the Docker Hub, use the push parameter with the Docker daemon. First, you must log in with your Docker ID to access the Hub.
docker login

The following output is returned:

Login with your Docker ID to push and pull images from Docker Hub. If you don't have a
Docker ID, head over to https://hub.docker.com to create one.
Username: username
Password:
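The following script is an added example and is not from the book. It completes the login, tag, and push sequence the text describes, supplying the password to docker login over standard input rather than on the command line, so that it is not recorded in the PowerShell history or visible in process listings. It assumes a Docker CLI that supports the --password-stdin flag (Docker 17.07 or later, newer than the release the book was written against); the Docker ID, repository, and image names are constructed.

```powershell
# Added example (not from the book). Hub login without the password on the command
# line, then tag and push an image. Names below are constructed assumptions.
$dockerId  = 'contoso-builds'
$localImg  = 'windowsservercoreiis'
$remoteTag = "$dockerId/iis-base:1.0"     # Hub repositories are <dockerid>/<repo>:<tag>

# Prompt for the password as a SecureString and hand it to docker over stdin.
$secure = Read-Host -Prompt "Docker Hub password for $dockerId" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$plain | docker login --username $dockerId --password-stdin
$plain = $null

if ($LASTEXITCODE -ne 0) { throw 'docker login failed; nothing was pushed.' }

# Tag the local image with the repository name the Hub expects, then push.
docker tag $localImg $remoteTag
docker push $remoteTag

# Drop the cached credential once the push is done.
docker logout
```

docker login stores a credential for later commands; docker logout at the end removes it from the host once the push has completed.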



Chapter summary
■ The basics of using containers to run virtualized images
■ How to install Docker on Windows Server and Nano Server
■ How to configure the start-up options for the Docker daemon
■ Performing a base operating system install
■ Tagging an image for use with containers
■ Creating containers for both Windows Server and Hyper-V
■ Managing containers using the Docker daemon and Windows PowerShell
■ Creating NAT, Transparent, and L2 Bridge networks for containers
■ Creating and managing data volumes for use by multiple container endpoints
■ Managing container host resources using Resource Control
■ Automating the build process for an image using Dockerfile
■ Using the Azure VM Extension with Docker

Thought Experiment
A company is testing containers and images in their development environment. They have installed the Docker engine on a Windows Server host, and deployed a base image connected to the default network. The company would like the images to connect directly to the physical network. They also plan to automate the creation of future images and store them in the Docker Hub.
Using this information, answer the following questions:
1. What should be modified to configure the Docker daemon startup options?
2. Which network is the image that has been deployed connected to?
3. What type of network must the company create to achieve the goal?
4. What type of file does the Dockerfile need to be?
5. Which Docker daemon command is used to store images in the Docker Hub repository?



Thought Experiment Answers
1. The JSON configuration file should be created or modified to change the startup options of the Docker daemon.
2. By default, images connect to a default NAT network.
3. A transparent network must be created to enable the images to connect directly to the physical network.
4. The Dockerfile script is a plain-text file that contains the actions to create an image.
5. The docker push command uploads the specified image to the Docker Hub after logging into the service.

Thought Experiment Answers CHAPTER 4 111


CHAPTER 5

Implement high availability

This chapter covers a major component of the upgrade exam. In addition to several skills being covered, there are many new features that have been introduced or enhanced that we discuss in this chapter. These features include:
■ Cluster Operating System Rolling Upgrade
■ Storage Replica
■ Cloud witness
■ Virtual machine resiliency
■ Site-aware clusters
■ Workgroup and multi-domain clusters
■ Virtual machine node fairness
■ Virtual machine start order
In addition to these topics, we also cover other details of high availability using Hyper-V, failover clustering, and Storage Spaces Direct.

Skills in this chapter:
■ Implement high availability and disaster recovery options in Hyper-V
■ Implement failover clustering
■ Implement Storage Spaces Direct
■ Manage failover clustering
■ Manage VM movement in clustered nodes

113
To perform a live migration, first enable it from the settings of the Hyper-V host. To enable live migrations, the machine must be a domain member. Live migration is not available in a Hyper-V workgroup. Figure 5-1 shows the settings from the Hyper-V Manager.

FIGURE 5-1 Live Migration settings

The first step to perform the migration using Hyper-V Manager is to right-click the VM you plan to migrate, and click Move. The Move Wizard is displayed, as shown in Figure 5-2. The first option is whether to move the virtual machine, or move the storage of the virtual machine. In this section, we move the virtual machine.

116 CHAPTER 5 Implement high availability


FIGURE 5-2 Move Wizard choose move type

You are then prompted to specify the destination for the move. This can be any other Hyper-V host that you have permission to administer. Figure 5-3 shows specifying the destination host.

Skill 5.1: Implement high availability and disaster recovery options in Hyper-V CHAPTER 5 117
FIGURE 5-3 Move Wizard specify destination

You are then prompted for additional details of the migration type. The available options during a VM migration are shown in Figure 5-4:
■ Move The Virtual Machine’s Data To A Single Location This option moves all VM files, including disks, snapshots, and configuration information to a single specified location.
■ Move The Virtual Machine’s Data By Selecting Where To Move The Items This option presents additional options for moving the storage of the VM, which we discuss in a later section.
■ Move Only The Virtual Machine This option moves only the running configuration of the VM, but not the storage. The storage of the VM must be shared between the source and destination Hyper-V hosts.



FIGURE 5-4 Move Wizard choose move options

If you select to move only the virtual machine, then no additional options are displayed and you complete the wizard. If you plan to move all of the VM files to a single location, one additional screen is displayed, prompting you for the destination directory to store the VM and its files. Figure 5-5 shows specifying the destination directory.

FIGURE 5-5 Move Wizard virtual machine

You can also move a VM by using Windows PowerShell and the Move-VM cmdlet. For example, to move a VM named VM1 to a Hyper-V server named Host2, run the following command:
Move-VM "VM1" Host2

You must also configure a network to be used by the live migration service, which is accomplished by using the Set-VMHost cmdlet. For example:
Set-VMHost -UseAnyNetworkForMigration $true

Implement shared nothing Live Migration

A “shared nothing” migration is simply the ability to migrate a VM across hosts that do not share common features, and are not in a failover cluster. By default, a migration using the Move wizard as discussed completes, even if the Hyper-V hosts do not share the same storage.
One additional component to migrating VMs is processor compatibility. If you need to migrate a VM between Hyper-V hosts that do not share the same physical features, you can limit some VM features to ensure that a migration can occur. For example, if you need to move from an Intel-based Hyper-V server to an AMD-based host, you should enable processor compatibility before completing the migration. These settings are per-VM within the Processor tree, as shown in Figure 5-6.

FIGURE 5-6 Processor compatibility
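The following script is an added example and is not from the book. It puts the pieces of this section together in PowerShell: enabling live migration on the host, running Compare-VM as a dry run so that incompatibilities (including processor feature mismatches) are surfaced before anything moves, enabling the per-VM processor compatibility setting only when the report calls for it, and then running Move-VM. VM1 and Host2 are the names used in the text; the outcome of the compatibility check is a constructed scenario.

```powershell
# Added example (not from the book). Dry-run a live migration, fix the one
# condition this section covers (processor compatibility), then move the VM.
$vmName   = 'VM1'
$destHost = 'Host2'

# Live migration is off by default; both hosts must be domain members.
Enable-VMMigration
Set-VMHost -UseAnyNetworkForMigration $true

# Compare-VM performs the checks Move-VM would, without moving anything.
$report = Compare-VM -Name $vmName -DestinationHost $destHost
foreach ($issue in $report.Incompatibilities) {
    "{0} : {1}" -f $issue.MessageId, $issue.Message
}

# Processor compatibility is the per-VM Processor setting shown in Figure 5-6.
# It can only be changed while the VM is off, so apply it only when the report
# flags a processor-related incompatibility.
$cpuIssues = @($report.Incompatibilities | Where-Object { $_.Message -match 'processor' })
if ($cpuIssues.Count -gt 0) {
    Stop-VM -Name $vmName -Force
    Set-VMProcessor -VMName $vmName -CompatibilityForMigrationEnabled $true
    Start-VM -Name $vmName
    $report = Compare-VM -Name $vmName -DestinationHost $destHost   # re-check
}

if (@($report.Incompatibilities).Count -eq 0) {
    # Equivalent to the Move Wizard: storage is moved too when it is not shared.
    Move-VM -Name $vmName -DestinationHost $destHost
    Get-VM -ComputerName $destHost -Name $vmName | Select-Object Name, State, ComputerName
} else {
    Write-Warning "Incompatibilities remain; $vmName was not moved."
}
```

Running Compare-VM first turns a failed migration into a report you can act on, and it avoids stopping the VM to change processor settings when no processor issue exists.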

Configure CredSSP or Kerberos authentication protocol for Live Migration

With Windows Server 2016, the Hyper-V Manager communicates with the hosts by using the WS-MAN protocol. This enables using Credential Security Support Provider (CredSSP), Kerberos, or HTML authentication. CredSSP is now the default method of authentication for live migrations, and does not require constrained delegation to be enabled in Active Directory. Figure 5-7 shows the advanced features of configuring Live Migration, including CredSSP.

FIGURE 5-7 Live Migration advanced settings

Enabling Kerberos can also be performed from PowerShell by using the Set-VMHost cmdlet. For example:
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

You can also enhance the performance of a live migration by configuring additional options. These include:
■ TCP/IP With this option, the memory of the VM is transferred during the migration by using the available network over a typical TCP/IP connection.
■ Compression With this option, the memory of the VM is first compressed before being sent to the destination by using a TCP/IP connection.
■ SMB With this option, the memory of the VM is copied to the destination by using a SMB connection. If both the source and destination network adapters use Remote Direct Memory Access (RDMA), then SMB Direct is used for the copy.



If you plan to use Kerberos as the authentication protocol, then you must also configure constrained delegation within Active Directory for each Hyper-V host. Constrained delegation is enabled by modifying the computer object properties for the host in Active Directory. For each host in the environment, add two services that refer to the other Hyper-V hosts in the environment: cifs and Microsoft Virtual System Migration Service.
For example, if you had four Hyper-V hosts named Host1 – Host4, then the delegation settings on Host1 must contain each service for Host2, Host3, and Host4. Figure 5-8 shows adding these two services on the Host02 computer object, specifying Host01 for each service.

FIGURE 5-8 Host02 Delegation properties
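The following script is an added example and is not from the book. It automates what Figure 5-8 shows by hand, for the full set of hosts: every host's computer object is granted constrained delegation for the two services named above (cifs and Microsoft Virtual System Migration Service) to every other host, and each host is switched to Kerberos authentication with SMB as the transport. It writes the msDS-AllowedToDelegateTo attribute directly, which is the attribute behind the "Trust this computer for delegation to specified services only" page, and needs the ActiveDirectory module. The host names and the domain name are constructed assumptions.

```powershell
# Added example (not from the book). Constrained delegation for N Hyper-V hosts
# plus Kerberos/SMB live migration settings. Names below are assumptions.
Import-Module ActiveDirectory

$hosts  = 'Host1', 'Host2', 'Host3', 'Host4'
$domain = 'contoso.com'            # assumed AD DNS domain

foreach ($h in $hosts) {
    # SPNs for every *other* host, in both short and fully qualified form.
    $targets = $hosts | Where-Object { $_ -ne $h }
    $spns = foreach ($t in $targets) {
        "cifs/${t}.${domain}"
        "cifs/${t}"
        "Microsoft Virtual System Migration Service/${t}.${domain}"
        "Microsoft Virtual System Migration Service/${t}"
    }

    # Kerberos-only constrained delegation is just this attribute; -Replace makes
    # the list authoritative rather than appending to whatever was there.
    $dn = (Get-ADComputer -Identity $h).DistinguishedName
    Set-ADObject -Identity $dn -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }

    # On the host itself: Kerberos for authentication, SMB (SMB Direct when the
    # adapters support RDMA) for the memory copy.
    Invoke-Command -ComputerName "${h}.${domain}" -ScriptBlock {
        Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
                   -VirtualMachineMigrationPerformanceOption SMB
    }
}

# Review the delegation list for one host, as the Delegation tab would show it.
Get-ADComputer -Identity 'Host2' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'
```

Keeping the delegation list restricted to exactly these two services on exactly the Hyper-V hosts is what makes this constrained delegation rather than unconstrained; a host's computer account cannot be used to reach any other service.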

Implement storage migration

Performing a migration from Hyper-V manager is as simple as right-clicking a VM, and then selecting Move. The Move Wizard is displayed, walking you through the available options to move the VM or VM storage, based on what is available. Figure 5-9 shows the second screen of the Move Wizard.

FIGURE 5-9 Move Wizard move type selection

When moving the storage of a virtual machine, there are a few different options in the wizard, as shown in Figure 5-10:
■ Move All Of The Virtual Machine’s Data To A Single Location This option moves all VM data, regardless of its current location, to a single destination.
■ Move the Virtual Machine’s Data to Different Locations This option enables you to first select which items you plan to move, and then specify the destination for each item. Items include the VHD files, configuration files, checkpoints, and smart paging files.
■ Move Only the Virtual Machine’s Virtual Hard Disks This option enables you to move only the VHDs that are being used with the VM.



FIGURE 5-10 Move Wizard choose move options

Depending on the option you select, the wizard automatically prompts for additional information. For example, choosing Move the virtual machine’s data to different locations adds a new page in the wizard for each configuration item. Figure 5-5 shows an example of specifying the destination for the VM.

FIGURE 5-11 Move Wizard virtual machine

Moving a VM’s storage can also be accomplished by using the Move-VM cmdlet. For example, to move a VM named VM1 to Host02 in the E:\VMs directory, run the following command:
Move-VM "VM1" Host02 -IncludeStorage -DestinationStoragePath E:\VMs
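The following script is an added example and is not from the book. It uses Move-VMStorage, the cmdlet for storage-only moves on the same host, in the two shapes the wizard offers: everything to one location, and each item to its own destination (configuration, checkpoint, and smart paging files to one volume, each VHD to a chosen path). VM1 and E:\VMs come from the text; the other paths are constructed assumptions.

```powershell
# Added example (not from the book). Storage-only moves with Move-VMStorage.
$vmName = 'VM1'

# "Move All Of The Virtual Machine's Data To A Single Location"
Move-VMStorage -VMName $vmName -DestinationStoragePath 'E:\VMs'

# "Move the Virtual Machine's Data to Different Locations": one hashtable per VHD
# (SourceFilePath/DestinationFilePath), plus explicit paths for the other items.
$vhdMoves = @(Get-VMHardDiskDrive -VMName $vmName | ForEach-Object {
    @{
        SourceFilePath      = $_.Path
        DestinationFilePath = Join-Path 'F:\VHDs' (Split-Path $_.Path -Leaf)   # assumed target
    }
})
Move-VMStorage -VMName $vmName `
    -VirtualMachinePath  'E:\VMs\Config' `
    -SnapshotFilePath    'E:\VMs\Checkpoints' `
    -SmartPagingFilePath 'E:\VMs\SmartPaging' `
    -Vhds $vhdMoves

# Confirm where the disks now live; the VM keeps running throughout a storage move.
Get-VMHardDiskDrive -VMName $vmName | Select-Object ControllerType, ControllerNumber, Path
(Get-VM -Name $vmName) | Select-Object Name, State, ConfigurationLocation, SnapshotFileLocation
```

Passing -Vhds alone, without the other path parameters, corresponds to the third wizard option, moving only the virtual hard disks.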

Skill 5.2: Implement failover clustering

In this section, we discuss several skills that are involved or need to be considered when creating a failover cluster. This includes the type of cluster to implement, and cluster details such as quorum, networking, or storage. We also cover cluster management features including cluster-aware updating and cluster operating system rolling upgrade. Finally, we discuss features that can be used to augment failover clusters, such as CSVs, Storage Replica, and virtualized clusters.



The first step to creating a failover cluster of any type is to install the Failover Cluster feature. This can be accomplished from Server Manager using the Add Roles and Features Wizard, or by using the Install-WindowsFeature cmdlet.
After you have installed the Failover Cluster feature, you can create a cluster from PowerShell or by using the Failover Cluster Manager. The first step is to select the servers that you are including in the cluster. The Failover Cluster Manager ensures that the server has the Failover Cluster feature installed, and verifies the settings on the server. Adding a server is shown in Figure 5-12.

FIGURE 5-12 Create Cluster Wizard select servers

The next step, performing validation, is optional. Validation ensures that the servers you are configuring as part of a failover cluster meet the supported requirements. If you select Yes, then a separate wizard launches above the Create Cluster Wizard and must be completed before returning. The validation warning is shown in Figure 5-13.



FIGURE 5-13 Create Cluster Wizard validation warning

Next, set a name for the cluster that is less than 15 characters. This is the name that is used when administering the cluster, as shown in Figure 5-14.

FIGURE 5-14 Create Cluster Wizard administration access point

Skill 5.2: Implement failover clustering CHAPTER 5 129


Finally, the confirmation screen details the settings for the cluster. Notice in Figure 5-15 that the cluster registration is set to DNS only. This indicates that the cluster is not a member of an Active Directory domain, and is a workgroup cluster.

FIGURE 5-15 Create Cluster Wizard confirmation
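The following script is an added example and is not from the book. It performs the same steps as the Create Cluster Wizard from PowerShell: installing the feature on each node, running validation, and creating the cluster, choosing the DNS-only administrative access point that Figure 5-15 shows when the nodes are not domain joined. The node names, cluster name, and static address are constructed assumptions.

```powershell
# Added example (not from the book). Feature install, validation, cluster creation.
$nodes       = 'Node1', 'Node2'
$clusterName = 'Cluster1'          # must be fewer than 15 characters
$clusterIP   = '10.0.0.10'

# Install the feature and its management tools on every node.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
}

# Validation is optional in the wizard, but a passing report is what makes the
# configuration supported; the cmdlet returns the HTML report file.
$report = Test-Cluster -Node $nodes
"Validation report: $($report.FullName)"

# DNS-only access point for nodes outside a domain (workgroup cluster); domain
# members normally use ActiveDirectoryAndDns, which also creates a cluster name object.
$inDomain    = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$accessPoint = if ($inDomain) { 'ActiveDirectoryAndDns' } else { 'Dns' }

New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIP `
            -AdministrativeAccessPoint $accessPoint -NoStorage

Get-Cluster -Name $clusterName | Select-Object Name, Domain
Get-ClusterNode -Cluster $clusterName | Select-Object Name, State
```

For a workgroup cluster, Microsoft's guidance also requires the same local administrator account with the same password on every node, and the LocalAccountTokenFilterPolicy registry value set to 1 on each node so that the local account can administer the other nodes remotely; those prerequisites are not shown in the script.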

Configure quorum and configure cloud witness

The latest recommendation from Microsoft is to always configure a quorum witness, regardless of how many nodes in the cluster exist. By using Dynamic Quorum, the cluster automatically manages the vote of the quorum witness. There are three types of quorum available when configuring a failover cluster:
■ Disk Witness This was previously known as Node and Disk Majority. Disk witness monitors a storage volume to use to decide quorum.
■ File Share Witness This was previously known as Node and File Share Majority. File share witness monitors a UNC path file share to decide quorum. The file share must not be used by the cluster.
■ Cloud Witness This is new for Windows Server 2016. Cloud witness uses Azure blob storage to decide quorum. This section focuses primarily on using a cloud witness.
With a cloud witness, a blob file is created in the blob storage. There is very little cost associated with using a cloud witness, as the blob file is only updated when the state of the cluster changes. Figure 5-16 shows a diagram of a common multi-site failover cluster that uses a cloud witness.



FIGURE 5-16 Multi-site failover cluster with cloud witness

The four general steps to using a cloud witness for quorum are:
1. Create an Azure storage account using locally-redundant replication It is important to select locally redundant, so that there is consistency for the cluster management.
2. Copy the storage access keys associated with the storage account By default, each storage account generates two access keys that can be used to access the storage account. The key is necessary to connect to Azure from the on-premises cluster.
3. Copy the blob URL There are three URLs associated with the storage account: blobs, tables, and queues. A cloud witness uses blob storage, so this is the URL that is used to connect to. Note that the URL can vary by country or region, so be sure to document the URL for any storage account that you create.
4. Complete the quorum configuration on the cluster by using the wizard, or PowerShell The Configure Cluster Quorum Wizard walks you through the steps to creating a cloud witness. You can also configure the cluster quorum by using the Set-ClusterQuorum cmdlet.
The Configure Cluster Quorum Wizard can be launched from the More Actions menu of the Failover Cluster Manager. To add a quorum witness, choose the Select the Quorum Witness option in the wizard, as shown in Figure 5-17.



FIGURE 5-17 Configure Cluster Quorum Wizard select quorum configuration option

Next, you are able to select the type of quorum witness to configure, as shown in Figure 5-18. Again, focus on creating a cloud witness.

FIGURE 5-18 Configure Cluster Quorum Wizard select quorum witness



The wizard prompts you for the name of the storage account that the blob container was created in, one of the access keys for the storage account, and the endpoint URL for the container. The configured details are shown in Figure 5-19.

FIGURE 5-19 Configure Cluster Quorum Wizard configure quorum witness

The configuration details that are needed are all to be found in the Azure portal where the storage account is configured. Figure 5-20 displays a portion of the Azure portal that contains the storage account name and access key for the container. The service endpoint is populated by default, and does not need to be changed.



FIGURE 5-20 Storage account in Azure portal

In the above example, the storage account name is infxxxstorage1. The access key is the string that begins with the numbers 74. To configure the quorum witness by using PowerShell, use the Set-ClusterQuorum cmdlet. For example, using the same information, run the following command:
Set-ClusterQuorum -CloudWitness -AccountName infxxxstorage1 -AccessKey 74dxzkTUdxWAUbwuHm4gPoVW5XgOeG+6ivP3lthzbVPicp/NEK6ivjGdA1J0oVcUuNRfLtaeYQ6WHZSwzq3/9Q==

Figure 5-21 shows the successful result of running the command.

FIGURE 5-21 Set-ClusterQuorum command
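The following script is an added example and is not from the book. It runs the same Set-ClusterQuorum configuration as above, but reads the storage access key from a prompt instead of placing it on the command line, so the key is not written into the PowerShell history file or exposed in process listings, and then verifies the witness and the per-node votes that Dynamic Quorum manages. The storage account name is the one in the text; the cluster name is a constructed assumption.

```powershell
# Added example (not from the book). Cloud witness without the key on the command line.
$clusterName = 'Cluster1'            # assumed
$accountName = 'infxxxstorage1'      # from the text

# Step 2: the key comes from the Azure portal. Read it as a SecureString and
# convert it only for the moment it is passed to the cmdlet.
$secureKey = Read-Host -Prompt "Access key for storage account $accountName" -AsSecureString
$accessKey = [System.Net.NetworkCredential]::new('', $secureKey).Password

# Step 4. -Endpoint is only needed when the blob endpoint differs from the default
# suffix (step 3 of the procedure); the portal value is used otherwise.
Set-ClusterQuorum -Cluster $clusterName -CloudWitness `
                  -AccountName $accountName -AccessKey $accessKey
$accessKey = $null

# Verify: the quorum resource should be the Cloud Witness and it should be online.
$quorum = Get-ClusterQuorum -Cluster $clusterName
"{0} / {1}" -f $quorum.QuorumType, $quorum.QuorumResource
Get-ClusterResource -Cluster $clusterName -Name 'Cloud Witness' |
    Select-Object Name, State, OwnerNode

# Dynamic Quorum in action: NodeWeight is the configured vote, DynamicWeight the
# vote the cluster is currently counting for each node.
Get-ClusterNode -Cluster $clusterName | Select-Object Name, State, NodeWeight, DynamicWeight
```

The access key grants full control of the storage account, so treat it like a password: rotate it in the portal if it has been pasted into a command line or a script that was saved.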

Configure cluster networking

After configuring the cluster and adding the nodes, the Failover Cluster Manager automatically detects the networks that are available on the nodes. Figure 5-22 shows the default configuration after adding two hosts to the cluster, with each host having access to the same two networks.



FIGURE 5-22 Failover Cluster Manager Networks

Each network can be configured to either allow or prevent cluster network communications. This communication is for cluster operations, and does not include any client traffic. For client connectivity, a network must specifically be granted as client use. Figure 5-23 shows the properties of a cluster network, with both options enabled.

FIGURE 5-23 Cluster Network Properties
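The following script is an added example and is not from the book. It lists the networks the cluster detected and sets the two options from Figure 5-23 in PowerShell, where they are a single Role property on each network object (0 = no cluster communication, 1 = cluster communication only, 3 = cluster and client). The network subnets and the names given to them are constructed assumptions.

```powershell
# Added example (not from the book). Cluster network roles from PowerShell.
$clusterName = 'Cluster1'          # assumed

# What Failover Cluster Manager shows under Networks (Figure 5-22).
Get-ClusterNetwork -Cluster $clusterName |
    Select-Object Name, Address, AddressMask, State, Role

# Role is a property on the network object, not a cmdlet parameter. Map each
# subnet to the role it should have (assumed subnets).
$roles = @{
    '10.0.0.0'     = 3   # client-facing network: cluster and client traffic
    '192.168.50.0' = 1   # private network: cluster heartbeat and CSV traffic only
}
foreach ($net in Get-ClusterNetwork -Cluster $clusterName) {
    if ($roles.ContainsKey($net.Address)) {
        $net.Role = $roles[$net.Address]
        "{0} ({1}) -> role {2}" -f $net.Name, $net.Address, $net.Role
    }
}

# Rename the detected networks so later output and alerts are readable.
(Get-ClusterNetwork -Cluster $clusterName | Where-Object Address -eq '192.168.50.0').Name = 'Heartbeat'
(Get-ClusterNetwork -Cluster $clusterName | Where-Object Address -eq '10.0.0.0').Name     = 'Client'

Get-ClusterNetwork -Cluster $clusterName | Select-Object Name, Address, Role
```

Keeping client access (role 3) off the private network is what stops client traffic from competing with heartbeat and storage traffic, and it limits which subnets expose the cluster's client-facing addresses.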



Restore single node or cluster configuration
Performing a restore on a single node in a cluster, or entire cluster configuration, is no different than performing a backup and restore of any service or component on a Windows Server. Combining a failover cluster and Windows Backup scenario for an item on the exam seems unlikely; but you can prepare by understanding the default backup options within Windows Server 2016.

Configure cluster storage and implement a Clustered Storage Spaces solution using Shared SAS storage enclosures

There are three different types of storage that can be configured with failover clustering:
■ Disks Disks that are shared between nodes can be added to a Cluster Shared Volume or assigned to a specific failover cluster role.
■ Pools Groups of disks that are combined logically to create a single volume. Clustered pools use the underlying Storage Spaces technology to create a virtual disk using the group of physical disks on the node.
■ Enclosures Direct-attached disk chassis that contain multiple physical disks.
You should validate the configuration of the cluster before attempting to configure storage. This ensures that the cluster is configured and can support clustered storage across all nodes. As an example, we create a storage pool for the cluster. From the Failover Cluster Manager on the Pools screen, click New Storage Pool. Figure 5-24 shows the New Storage Pool Wizard.



FIGURE 5-24 New Storage Pool Wizard storage pool name

Then, you are prompted to select the disks to use for the storage pool. You need at least three disks to create a storage pool for use with failover clustering. Figure 5-25 shows the available disks for the storage pool.

FIGURE 5-25 New Storage Pool Wizard physical disks
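The following script is an added example and is not from the book. It creates the same clustered storage pool as the New Storage Pool Wizard from PowerShell, selecting only disks that every node can see and are not already pooled, and enforcing the three-disk minimum the text states before creating anything. The cluster and pool names are constructed assumptions.

```powershell
# Added example (not from the book). Clustered storage pool from shared disks.
$clusterName = 'Cluster1'        # assumed
$poolName    = 'ClusterPool1'    # assumed

# Creating the pool in the clustered subsystem is what makes it a cluster resource.
$subsystem = Get-StorageSubSystem -FriendlyName 'Clustered Windows Storage*'

# Only disks that are shared (visible to all nodes) and not yet pooled qualify.
$disks = @(Get-PhysicalDisk -StorageSubSystem $subsystem -CanPool $true)
$disks | Select-Object FriendlyName, BusType, Size, CanPool

if ($disks.Count -lt 3) {
    throw "Found $($disks.Count) poolable disk(s); a clustered pool needs at least three."
}

New-StoragePool -FriendlyName $poolName `
                -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $disks

# The pool now exists both as a storage object and as a cluster resource.
Get-StoragePool -FriendlyName $poolName | Select-Object FriendlyName, HealthStatus, Size
Get-ClusterResource -Cluster $clusterName |
    Where-Object ResourceType -eq 'Storage Pool' |
    Select-Object Name, State, OwnerNode
```

Validating the cluster first, as the text recommends, is what guarantees that the disks reported as poolable here are reachable from every node rather than only the one the script runs on.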

Sk 5.2: mp ement fa over c uster ng CHAPTER 5 137


Implement Cluster-Aware Updating
Cluster-Aware Updating (CAU) was introduced in Windows Server 2012 to reduce the effort and difficulty of performing software updates on cluster nodes. CAU has not been updated significantly for Windows Server 2016. To use CAU, the cluster must be joined to an Active Directory domain. CAU is not available on workgroup clusters.
Performing Windows Updates typically requires a system reboot after performing the update. CAU helps to automate the process of performing the updates for all nodes that are in a cluster. Figure 5-26 shows the CAU tool for a cluster named WGCluster1. Neither node in the cluster has been updated.

FIGURE 5-26 Cluster-Aware Updating

You cannot apply updates without enabling the CAU self-updating role. To enable the role, configure the self-updating options from the CAU screen. Figure 5-27 shows the first configuration screen of the self-updating options wizard.



FIGURE 5-27 Self-Updating Options cluster role

After selecting the option to enable the role, you can configure the schedule to perform the self-updating process. Then you can configure advanced options for the cluster. The advanced options enable you to configure time boundaries, retry limits, and pre- and post-update scripts that must also be run when updating. Figure 5-28 shows a portion of the advanced options that are available.



FIGURE 5-28 Self-Updating Options advanced options

By default, only important updates are installed based on the CAU tool. An additional option is to also include the recommended updates on the cluster. After applying the self-updating options, the cluster can be updated by using CAU.
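The following script is an added example and is not from the book. It configures what the Self-Updating Options wizard in Figures 5-27 and 5-28 configures (the role, its schedule, retry limits, pre- and post-update scripts, and the option to include recommended updates), then previews the updates with Invoke-CauScan before running anything. The cluster name, schedule, and script paths are constructed assumptions.

```powershell
# Added example (not from the book). CAU self-updating role, preview, run, report.
$clusterName = 'Cluster1'        # assumed; CAU requires a domain-joined cluster

Add-CauClusterRole -ClusterName $clusterName -Force `
    -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
    -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' } `
    -StartDate (Get-Date).AddDays(1) -DaysOfWeek Tuesday -WeeksOfMonth 2 `
    -MaxRetriesPerNode 3 -MaxFailedNodes 1 `
    -PreUpdateScript  'C:\CAU\Pre-Update.ps1'  `
    -PostUpdateScript 'C:\CAU\Post-Update.ps1' `
    -EnableFirewallRules

# Preview: which updates would apply to each node, without changing anything.
Invoke-CauScan -ClusterName $clusterName -CauPluginName 'Microsoft.WindowsUpdatePlugin' |
    Select-Object NodeName, UpdateTitle

# On-demand run outside the schedule; each node is drained, updated and rebooted in turn.
Invoke-CauRun -ClusterName $clusterName -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
              -MaxRetriesPerNode 3 -Force

# The last run with per-node results.
Get-CauReport -ClusterName $clusterName -Last -Detailed
```

Scanning before running is the cheap way to confirm that the recommended-updates option and the plug-in arguments select what you expect before nodes start being drained.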

Implement Cluster Operating System Rolling Upgrade

Cluster Operating System Rolling Upgrade is a new feature in failover clustering for Windows Server 2016. If a Windows Server 2012 R2 failover cluster is running the Hyper-V or Scale-Out File Server roles, you can add Windows Server 2016 nodes without taking the failover cluster offline.
For each node in the cluster, follow the process to upgrade the operating system in the correct phase. This ensures that the cluster does not require downtime to complete the upgrade. The overall steps to perform the upgrade include:
1. Pause the node and drain all virtual machines, if necessary.
2. Ensure that all virtual machines are migrated to another node in the cluster.



3. Suspend and evict the node from the cluster.
4. Install Windows Server 2016 on the node and add it to the cluster.
5. Repeat steps 1-4 for each node in the cluster.
6. After all nodes have been upgraded, run the Update-ClusterFunctionalLevel cmdlet.
Until the Update-ClusterFunctionalLevel cmdlet is run, the process can be suspended or reversed. You can also add Windows Server 2012 R2 hosts until the functional level has been updated. To retrieve the current functional level, run the Get-Cluster cmdlet:
Get-Cluster | Select ClusterFunctionalLevel

If the ClusterFunctionalLevel value is set to 8, then the cluster is at Windows Server 2012 R2. If the value is 9, then the cluster is at Windows Server 2016. It is also recommended that you disable Cluster-Aware Updating before attempting to perform a Rolling Operating System Upgrade. While the name implies upgrading the operating system, a best practice is to perform a clean installation of the operating system. An in-place upgrade is not recommended for cluster nodes.
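The following script is an added example and is not from the book. It is the PowerShell side of the six steps above for one node (drain, verify nothing is left on the node, evict, re-add after the clean install), with CAU disabled first as the text recommends, and a final functional-level check that only commits the upgrade when the cluster still reports level 8. The cluster and node names are constructed assumptions; the level values 8 and 9 are those given in the text.

```powershell
# Added example (not from the book). One node through the rolling upgrade, then commit.
$clusterName = 'Cluster1'        # assumed
$node        = 'Node1'           # assumed

# Keep CAU from scheduling a run while nodes are leaving and rejoining.
Disable-CauClusterRole -ClusterName $clusterName -Force

# Steps 1-2: pause and drain; -Drain live-migrates the VMs, -Wait blocks until done.
Suspend-ClusterNode -Cluster $clusterName -Name $node -Drain -Wait

# Nothing should still be owned by the node before it is evicted.
$leftBehind = @(Get-ClusterGroup -Cluster $clusterName | Where-Object { $_.OwnerNode.Name -eq $node })
if ($leftBehind.Count -gt 0) {
    $leftBehind | Select-Object Name, State, OwnerNode
    throw "Roles remain on $node; resolve them before evicting the node."
}

# Step 3: evict.
Remove-ClusterNode -Cluster $clusterName -Name $node -Force

# ... clean installation of Windows Server 2016 on $node happens here ...

# Step 4: the rebuilt node rejoins; the cluster runs in mixed mode until step 6.
Add-ClusterNode -Cluster $clusterName -Name $node
Get-ClusterNode -Cluster $clusterName | Select-Object Name, State

# Step 6, after steps 1-4 have been repeated for every node. The cmdlet refuses
# to run while any down-level node remains, so the level check is the guard.
$level = (Get-Cluster -Name $clusterName).ClusterFunctionalLevel
"Current functional level: $level"            # 8 = 2012 R2 mixed mode, 9 = 2016
if ($level -eq 8) {
    Update-ClusterFunctionalLevel -Cluster $clusterName -Force
}
(Get-Cluster -Name $clusterName).ClusterFunctionalLevel

Enable-CauClusterRole -ClusterName $clusterName -Force
```

Everything before Update-ClusterFunctionalLevel is reversible, so the check on the functional level is the last point at which the script can stop without committing the cluster to Windows Server 2016.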

Configure and optimize clustered shared volumes (CSVs)

CSVs were introduced in Windows Server 2008 R2 and have become a widely used feature of failover clusters. CSVs can be clustered VHDs for Hyper-V VMs, or scale-out file shares using the Scale-Out File Server (SoFS) clustered role. NTFS and Resilient File System (ReFS) can be used for VMs; however, ReFS is not supported with SoFS.
CSVs can be created from all cluster-available disks in the nodes of the cluster. You can either use the wizard in the Failover Cluster Manager, or use Windows PowerShell. To retrieve a list of disks that can be used in a cluster, run the Get-ClusterAvailableDisk cmdlet. To add the disks, run the Add-ClusterDisk cmdlet. You can combine these two into a single command:
Get-ClusterAvailableDisk | Add-ClusterDisk

After you have added the available disks, create a CSV by using the Add-ClusterSharedVolume cmdlet:
Add-ClusterSharedVolume -Name "CSV1"



Configure clusters without network names
A failover cluster without a network name is simply an Active Directory-detached cluster. However, this is different than a workgroup cluster, where the nodes are not joined to a domain. For an Active Directory-detached cluster, the nodes must be joined to a domain. As with a workgroup cluster, the administrative access point is also DNS. Without Active Directory, the failover cluster uses NTLM as the authentication method, and not Kerberos.
You can create an Active Directory-detached cluster by using the New-Cluster Windows PowerShell cmdlet, not the Failover Cluster Manager. For example:
New-Cluster Cluster1 -Node Server1,Server2 -StaticAddress 10.0.0.10 -NoStorage -AdministrativeAccessPoint Dns

Implement Scale-Out File Server (SoFS)

SoFS is a subset of the File Server role when configuring a failover cluster. SoFS requires that CSVs be configured for storage. SoFS is useful for high-performance applications that need access to data across any node. Figure 5-29 shows adding the SoFS role to a failover cluster.

FIGURE 5-29 High Availability Wizard
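The following script is an added example and is not from the book. It connects the two preceding sections: the cluster-available disks are added and one of them becomes a CSV with the cmdlets named in the CSV section, then the SoFS role from Figure 5-29 is created on top of it and a continuously available share is published for Hyper-V VM files. The cluster, role, share, and security principal names are constructed assumptions.

```powershell
# Added example (not from the book). CSV, then a Scale-Out File Server share on it.
$clusterName = 'Cluster1'        # assumed
$sofsName    = 'SOFS1'           # the client access point clients will use
$shareName   = 'VMStore'

# Add every disk the cluster can use, then pick one still in Available Storage.
Get-ClusterAvailableDisk -Cluster $clusterName | Add-ClusterDisk
$disk = Get-ClusterResource -Cluster $clusterName |
        Where-Object { $_.ResourceType -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Available Storage' } |
        Select-Object -First 1
Add-ClusterSharedVolume -Cluster $clusterName -Name $disk.Name | Out-Null

# CSVs mount under C:\ClusterStorage on every node; SoFS shares must live there.
$csvPath   = (Get-ClusterSharedVolume -Cluster $clusterName -Name $disk.Name).SharedVolumeInfo.FriendlyVolumeName
$sharePath = Join-Path $csvPath "Shares\$shareName"
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# The SoFS role is active on all nodes at once, unlike a general-purpose file server role.
Add-ClusterScaleOutFileServerRole -Cluster $clusterName -Name $sofsName

# Continuously available share (SMB Transparent Failover), scoped to the SoFS name
# and restricted to the Hyper-V hosts' computer accounts and the admins group
# (assumed principals).
New-SmbShare -Name $shareName -Path $sharePath -ScopeName $sofsName `
             -ContinuouslyAvailable $true `
             -FullAccess 'CONTOSO\HV-Hosts$', 'CONTOSO\Hyper-V Admins'

Get-SmbShare -Name $shareName | Select-Object Name, Path, ScopeName, ContinuouslyAvailable
```

Granting the share to the Hyper-V hosts' computer accounts rather than to Everyone is what keeps a VM store on SoFS reachable only from the hosts that are supposed to run those VMs.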



Determine different scenarios for the use of SoFS vs. clustered File Server
SoFS is not designed for use in a general purpose file share environment. SoFS is designed for applications that keep files open for long periods of time, and require additional resources to process and change those files. SoFS distributes client connections across all nodes in the cluster to enhance performance, and can increase complexity and troubleshooting for general file shares. Additionally, SoFS can only use CSVs as storage, and cannot use individual disks. SoFS is not compatible with other file share technologies, including deduplication, DFS, and BranchCache.

Determine usage scenarios for implementing guest clustering

With advances in pass-through technologies in Hyper-V, guest clustering isn’t as complex with Windows Server 2016. A guest cluster is a failover cluster that is created using VMs instead of physical hosts. However, Hyper-V offers virtual SAN connectivity, so clustering storage and networking using VMs can be performed the same as if using physical hosts.

Implement Storage Replica

As discussed in Chapter 2, Storage Replica can be used for block-level replication between servers or clusters for disaster recovery. You can also use Storage Replica to stretch a failover cluster between sites. You can use synchronous replication to enable crash-consistent volumes, or use asynchronous replication for longer distance or lower latency connections.
With failover clusters, Storage Replica can be used to replicate data from one cluster to another, or stretch a cluster across different sites. With cluster to cluster replication, you grant Storage Replica access on the cluster name instead of individual nodes. For example:
Grant-SRAccess -ComputerName SR-SRV01 -Cluster SR-SRVCLUSB

Figure 5-30 shows a cluster to cluster Storage Replica.



FIGURE 5-31 Cluster to cluster Storage Replica
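The following script is an added example and is not from the book. It completes the cluster-to-cluster scenario the Grant-SRAccess line above begins: access is granted in both directions, Test-SRTopology measures the link so the choice between synchronous and asynchronous replication is based on observed latency, and a synchronous partnership is created and checked. SR-SRV01 and SR-SRVCLUSB are the names from the text; the second cluster, the node in it, the volumes, and the log size are constructed assumptions.

```powershell
# Added example (not from the book). Cluster-to-cluster Storage Replica partnership.
$srcCluster = 'SR-SRVCLUSA'      # assumed source cluster
$dstCluster = 'SR-SRVCLUSB'      # from the text
$srcNode    = 'SR-SRV01'         # from the text; any node of the source cluster
$dstNode    = 'SR-SRV03'         # assumed; any node of the destination cluster

# Access is granted to cluster names, in both directions, not to individual nodes.
Grant-SRAccess -ComputerName $srcNode -Cluster $dstCluster
Grant-SRAccess -ComputerName $dstNode -Cluster $srcCluster

# Measure IOPS and round-trip latency on the real volumes before choosing the mode;
# the report lands in -ResultPath as HTML.
Test-SRTopology -SourceComputerName $srcNode -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
                -DestinationComputerName $dstNode -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
                -DurationInMinutes 5 -ResultPath 'C:\Temp'

# Synchronous mode: writes are acknowledged only after the destination log has them
# (crash-consistent); use Asynchronous for links the test shows to be too slow.
New-SRPartnership -SourceComputerName $srcNode -SourceRGName 'RG01' `
                  -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
                  -DestinationComputerName $dstNode -DestinationRGName 'RG02' `
                  -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
                  -ReplicationMode Synchronous -LogSizeInBytes 8GB

# Initial sync progress and the replication state of each replicated volume.
Get-SRGroup -ComputerName $srcNode | Select-Object Name, ReplicationMode, ReplicationStatus
(Get-SRGroup -ComputerName $srcNode).Replicas | Select-Object DataVolume, ReplicationStatus
```

The destination volume becomes inaccessible to its own cluster while it is a replica, so the destination role group should hold no other workload that expects to read that volume.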

Implement VM resiliency
Windows Server 2016 includes increased resiliency for Hyper-V failover clusters. There are two primary resiliency enhancements:
■ Compute resiliency Additional options can be configured for Hyper-V clusters that reduce the impact of transient intra-cluster communication failures. A node that loses contact with the cluster is placed in an Isolated state and keeps running its VMs (which show as Unmonitored) rather than immediately failing them over.
■ Storage resiliency VMs are more resilient to transient storage failures. When the storage for a VM becomes unavailable, the VM is paused (Paused-Critical) until the storage returns, instead of crashing.
New options for compute resiliency include:
■ Resiliency level Defines which failures cause a node to be isolated rather than removed from membership.
■ Resiliency period Defines how long VMs can keep running on an isolated node before they are failed over to a healthy node.
You can also configure quarantine for nodes that are deemed unhealthy because they repeatedly leave and rejoin the cluster. A quarantined node cannot rejoin the cluster for the quarantine duration and its VMs are drained, which prevents a flapping node from affecting the other nodes in the cluster.
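An added example, not from the book, showing how the resiliency and quarantine settings above are read and tuned from PowerShell. The property names are the cluster common properties Windows Server 2016 exposes for this feature; the chosen values and the node name HV-NODE2 are assumptions.

```powershell
# Added example (not from the book): inspecting and tuning compute resiliency and
# node quarantine on an existing Windows Server 2016 cluster. Values are assumptions.
$cluster = Get-Cluster

# Current values. Defaults: ResiliencyLevel 2, ResiliencyDefaultPeriod 240 s,
# QuarantineThreshold 3 membership losses per hour, QuarantineDuration 7200 s.
$cluster | Select-Object Name, ResiliencyLevel, ResiliencyDefaultPeriod,
    QuarantineThreshold, QuarantineDuration

# ResiliencyLevel: 2 (default, AlwaysIsolate) isolates a node on any failure;
# 1 isolates only for known failure types. Shorten the isolation window on a
# cluster whose network is known to be stable so VMs fail over sooner.
$cluster.ResiliencyLevel        = 2
$cluster.ResiliencyDefaultPeriod = 120

# Quarantine a node after 3 unplanned membership losses within an hour, for 2 hours.
$cluster.QuarantineThreshold = 3
$cluster.QuarantineDuration  = 7200

# A quarantined node reports State = Quarantined. Clear it only after the root cause
# (flapping NIC, bad switch port) is fixed, otherwise it will be quarantined again.
Get-ClusterNode | Select-Object Name, State
Start-ClusterNode -Name 'HV-NODE2' -ClearQuarantine
```

Per-VM overrides are possible through the ResiliencyPeriod property of the VM's cluster group, which is useful for VMs that must never sit unmonitored for the full default period.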



In Windows Server 2012 R2, sharing was an advanced option of a VHDX file attached to a VM. In Windows Server 2016, a shared drive uses the VHD Set (VHDS) file format and can be shared among virtual machines. A VHD Set can only be fixed or dynamically expanding, and cannot be a differencing disk. Unlike a shared VHDX, a VHD Set supports online resizing and host-based backup of the shared disk. Figure 5-33 shows creating a VHD Set by using the New Virtual Hard Disk Wizard.

FIGURE 5-33 Creating a shared drive

The shared storage can be added to multiple virtual machines, enabling you to create a virtualized (guest) cluster without exposing any of the underlying storage to the VMs.
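The same shared-disk setup from PowerShell, as an added example that is not part of the book. The CSV path, the size and the guest node names GC-NODE1 and GC-NODE2 are assumptions.

```powershell
# Added example (not from the book): create a VHD Set on a CSV and attach it to two
# guest-cluster nodes from the Hyper-V host. Path, size and VM names are assumptions.
$vhds = 'C:\ClusterStorage\Volume1\GuestCluster\Shared01.vhds'

# New-VHD recognizes the .vhds extension and creates a VHD Set (the .vhds file plus
# a backing .avhdx). Only fixed or dynamic sets are allowed: -ParentPath (a
# differencing disk) is rejected for this format.
New-VHD -Path $vhds -SizeBytes 100GB -Dynamic

# Attach the same set to both guest nodes on a SCSI controller. The VHD Set handles
# the persistent reservations the guest cluster uses for disk arbitration.
foreach ($vm in 'GC-NODE1', 'GC-NODE2') {
    Add-VMHardDiskDrive -VMName $vm -ControllerType SCSI -Path $vhds
}

# Verify both VMs reference the same file and that the format is a VHD Set.
Get-VMHardDiskDrive -VMName 'GC-NODE1', 'GC-NODE2' | Select-Object VMName, Path
Get-VHD -Path $vhds | Select-Object VhdFormat, VhdType, Size
```

Inside the guests, the disk appears as a normal SAS disk that Test-Cluster and New-Cluster can use as shared storage; the guests never see the CSV path or the host's storage fabric.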



By running the command, Storage Spaces Direct automatically performs a few tasks:
1. Creates a storage pool using all of the available (unformatted, non-boot) local disks.
2. Configures a cache, if necessary. The cache is used only if there is more than one media type available; the fastest media (for example, NVMe in front of SSD, or SSD in front of HDD) becomes the cache tier.
3. Creates two storage tiers. The first tier is named Capacity; the second tier is named Performance. The tiers are configured with a mix of device types and resiliency settings.
Other PowerShell cmdlets that can be used with Storage Spaces Direct include:
■ Test-Cluster Tests the suitability of a configuration; include the Storage Spaces Direct test category before enabling the feature.
■ Enable-ClusterS2D Configures a cluster for Storage Spaces Direct using local SATA, SAS, or NVMe devices.
■ Optimize-StoragePool Rebalances data across the drives if the underlying storage changes, for example after a server or drives are added.
■ Debug-StorageSubsystem Displays any faults that can affect the storage.

Implement a disaggregated Storage Spaces Direct scenario in a cluster
As discussed in the earlier section, "Determine scenario requirements for implementing Storage Spaces Direct," a disaggregated scenario is simply a separation of the storage environment from the compute environment. In this scenario, you configure the Hyper-V failover cluster as usual, then configure the Storage Spaces Direct environment on a separate cluster of servers that presents the storage to the Hyper-V cluster through a Scale-Out File Server over SMB 3. Figure 5-34 illustrates this separation of roles.

FIGURE 5-34 Disaggregated Storage Spaces Direct deployment

Implement a hyper-converged Storage Spaces Direct scenario in a cluster
As discussed in the earlier section, "Determine scenario requirements for implementing Storage Spaces Direct," a hyper-converged scenario is the combination of the compute and storage environments into the same cluster of servers. VMs run directly on the CSVs backed by Storage Spaces Direct, so this deployment type eliminates the need for a Scale-Out File Server. Figure 5-35 shows a hyper-converged deployment scenario.
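An added example, not from the book, that builds a Storage Spaces Direct cluster with the cmdlets listed above and then shows the one step that differs between the hyper-converged and the disaggregated scenario. The node names, cluster name, address, volume size and the security groups granted access to the share are assumptions.

```powershell
# Added example (not from the book): Storage Spaces Direct from validation to a usable
# volume, then either hyper-converged use or a disaggregated Scale-Out File Server.
# Node names, cluster IP, sizes and group names are assumptions.
$nodes = 'S2D-NODE1', 'S2D-NODE2', 'S2D-NODE3', 'S2D-NODE4'

# 1. Validate, including the Storage Spaces Direct category.
Test-Cluster -Node $nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'

# 2. Create the cluster with no shared storage; S2D uses the nodes' local disks.
New-Cluster -Name 'S2D-CLUS' -Node $nodes -NoStorage -StaticAddress 10.0.0.50

# 3. Enable S2D: creates the pool, the cache (if more than one media type) and the tiers.
Enable-ClusterS2D -Confirm:$false

# 4. Carve a CSV. ReFS is the file system Hyper-V expects here; with four or more nodes
#    the default resiliency is a three-way mirror.
New-Volume -FriendlyName 'Volume01' -FileSystem CSVFS_ReFS `
    -StoragePoolFriendlyName 'S2D*' -Size 2TB

# Hyper-converged: place VMs directly on the CSV, e.g.
#   New-VM -Name 'VM01' -Generation 2 -Path 'C:\ClusterStorage\Volume01'

# Disaggregated: add a Scale-Out File Server role and share the CSV over SMB 3 to a
# separate Hyper-V cluster. The Hyper-V hosts' computer accounts need Full Control.
Add-ClusterScaleOutFileServerRole -Name 'SOFS01'
New-Item -Path 'C:\ClusterStorage\Volume01\Shares\VMs' -ItemType Directory -Force
New-SmbShare -Name 'VMs' -Path 'C:\ClusterStorage\Volume01\Shares\VMs' `
    -FullAccess 'CONTOSO\Hyper-V Hosts', 'CONTOSO\Hyper-V Admins' -ContinuouslyAvailable $true

# 5. Health check: any degraded drive, enclosure or pool shows up here.
Get-StorageSubSystem -FriendlyName '*Cluster*' | Debug-StorageSubSystem
```

After adding drives or a node later, run Optimize-StoragePool against the S2D pool so existing data is spread over the new capacity rather than only new writes.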



■ iSCSI Target Server Provides iSCSI storage over TCP/IP from the failover cluster.
■ iSNS Server An Internet Storage Name Service server that provides discovery of iSCSI targets.
■ Message Queuing Enables distributed applications that run at different times to communicate across networks.
■ Other Server Provides a client access point and storage only, for applications that are not cluster-aware.
■ Virtual Machine Makes a VM running on a physical host highly available.
■ WINS Server Enables users to access resources by using NetBIOS names.
You can combine file servers running in a failover cluster with the SMB 3 protocol to provide continuously available file shares. SMB 3 provides several benefits, including:
■ SMB Transparent Failover Enables a file share to be continuously available to SMB 3 clients. When a failover occurs, the SMB 3 client transparently reconnects to another node in the cluster and resumes its in-flight operations without returning an error to the application.
■ SMB Scale-Out Enables all cluster nodes to serve the same share at the same time, so the aggregate bandwidth of multiple nodes is available to clients.
■ SMB Multichannel Uses multiple network interfaces (or RSS-capable NICs) to increase the throughput and fault tolerance of a single SMB session.
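An added example, not from the book, of a clustered general-purpose file server with a continuously available share, together with the client-side checks that show transparent failover and multichannel actually in use. The role name FS01, the clustered disk, the drive letter, the address and the group name are assumptions.

```powershell
# Added example (not from the book): clustered File Server role with a continuously
# available SMB 3 share, plus the client checks for failover and multichannel.
# Role, disk, drive letter, address and group are assumptions.

# On a cluster node: create the role on a clustered disk with its own access point.
Add-ClusterFileServerRole -Name 'FS01' -Storage 'Cluster Disk 2' -StaticAddress 10.0.0.60

# Scope the share to the role's client access point (not to a node name).
# ContinuouslyAvailable turns on transparent failover; SMB 3 clients only.
New-Item -Path 'E:\Shares\Data' -ItemType Directory -Force
New-SmbShare -Name 'Data' -Path 'E:\Shares\Data' -ScopeName 'FS01' `
    -ContinuouslyAvailable $true -FullAccess 'CONTOSO\Domain Users'

# On an SMB 3 client that has opened \\FS01\Data: dialect negotiated (3.x expected),
# and whether multichannel is spreading the session across more than one interface.
Get-SmbConnection -ServerName 'FS01' | Select-Object ShareName, Dialect, NumOpens
Get-SmbMultichannelConnection -ServerName 'FS01' |
    Select-Object ClientInterfaceIndex, ServerIpAddress, ClientRSSCapable, ClientRdmaCapable

# Test transparent failover: move the role while a file copy is running on the client;
# the copy should stall briefly and continue rather than fail.
Move-ClusterGroup -Name 'FS01' -Node 'FS-NODE2'
```

A client that negotiates SMB 2.x (for example, an older OS) gets no transparent failover regardless of the share setting, so check the Dialect column before concluding the feature is broken.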

Configure VM monitoring
VMs that are configured in a failover cluster can have the VM itself, as well as services inside the VM, monitored by the Hyper-V host. The guest VM and the Hyper-V host must either belong to the same domain, or have a trust relationship configured between their domains. The pre-defined Virtual Machine Monitoring rules must also be enabled in the guest firewall. Figure 5-36 shows the rules that must be enabled. These rules include:
■ Virtual Machine Monitoring (DCOM-In)
■ Virtual Machine Monitoring (Echo Request - ICMPv4-In)
■ Virtual Machine Monitoring (Echo Request - ICMPv6-In)
■ Virtual Machine Monitoring (NB-Session-In)
■ Virtual Machine Monitoring (RPC)

FIGURE 5-36 Windows Firewall inbound rules

After you have modified the firewall, you can configure monitoring for the VM from Failover Cluster Manager. Right-click a VM, and in the More Actions menu, click Configure Monitoring. You are prompted with a list of services that exist on the VM.
After selecting the service to monitor, you can also configure the recovery settings of the service inside the guest. By default, the first two times a service fails, the Service Control Manager in the guest restarts the service itself; the cluster acts only on the third failure, for which the default recovery action is Take No Action. Therefore, if you need the cluster to react immediately (rather than waiting for two in-guest restarts), change the first recovery action to Take No Action. The cluster then treats the monitored service as down: it restarts the VM on the same node first and, if the service fails again, fails the VM over to another node.
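The same configuration from PowerShell, as an added example that is not part of the book: the firewall rule group is enabled inside the guest over remoting, and the service is registered for monitoring from a cluster node. The VM name APP-VM1 and the choice of the Print Spooler service are assumptions.

```powershell
# Added example (not from the book): enable VM monitoring for a clustered VM.
# The first step runs inside the guest, the rest on a cluster node.
# VM name and monitored service are assumptions.

# Inside the guest: enable the pre-defined Virtual Machine Monitoring rule group
# (DCOM, ICMP echo, NetBIOS session and RPC inbound rules) in one call.
Invoke-Command -ComputerName 'APP-VM1' -ScriptBlock {
    Enable-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring'
    Get-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring' |
        Select-Object DisplayName, Enabled
}

# On a cluster node: monitor the Print Spooler service in that VM. The VM must be a
# clustered role and both machines must be in the same or a trusting domain.
Add-ClusterVMMonitoredItem -VirtualMachine 'APP-VM1' -Service 'Spooler'

# Verify. When the service's recovery action is Take No Action, a failure is logged
# on the host as FailoverClustering event 1250 and the cluster recovers the VM.
Get-ClusterVMMonitoredItem -VirtualMachine 'APP-VM1'
```

Remove monitoring with Remove-ClusterVMMonitoredItem before decommissioning the service, or the VM will be restarted every time the service is stopped on purpose.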

Configure failover and preference settings
You can modify the properties of a role to assign settings for the role, as shown in Figure 5-37:
■ Preferred owners The ordered list of nodes that the cluster tries first when placing the role, whether it is started, moved, or failed over.
■ Start-up priority In the event of a failure, you can assign Low, Medium, High, or No Auto Start to a role. Roles with a higher priority are brought online before lower-priority ones. If No Auto Start is configured, the role is failed over after all other roles, but is not automatically started. By default, all roles have a Medium priority.



FIGURE 5-37 Role general properties

You can also control the number of times that the cluster service tries to restart or fail over a role within a given period before it leaves the role in a failed state, and whether the role fails back to its preferred owner. These settings can be configured from the Failover tab, as shown in Figure 5-38.



FIGURE 5-38 Role failover properties

Windows Server 2016 also introduces the ability to control the start order of VMs. VMs can be grouped into sets (tiers), and a set can be made dependent on another set to define the starting order. This ensures that more important virtual machines are started before the ones that rely on them. For example, you can configure all domain controllers to start first, and the application VMs that depend on them to wait until the domain controllers are running.
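An added example, not from the book, covering the role properties from Figures 5-37 and 5-38 and the Windows Server 2016 start-order sets in one script. The role, node and set names and the chosen limits are assumptions.

```powershell
# Added example (not from the book): placement, priority, failover limits and VM
# start order with the FailoverClusters module. Names and values are assumptions.

# Preferred owners: try HV-NODE1 first, then HV-NODE2, for the SQL VM.
Set-ClusterOwnerNode -Group 'SQL-VM1' -Owners 'HV-NODE1', 'HV-NODE2'

# Start-up priority: 3000 = High, 2000 = Medium (default), 1000 = Low, 0 = No Auto Start.
(Get-ClusterGroup -Name 'DC1').Priority      = 3000
(Get-ClusterGroup -Name 'TEST-VM1').Priority = 0

# Failover tab equivalents: at most 2 failovers in a 6-hour period, and fail back to
# the preferred owner only between 01:00 and 03:00 (AutoFailbackType 1 = allow).
$grp = Get-ClusterGroup -Name 'SQL-VM1'
$grp.FailoverThreshold   = 2
$grp.FailoverPeriod      = 6
$grp.AutoFailbackType    = 1
$grp.FailbackWindowStart = 1
$grp.FailbackWindowEnd   = 3

# VM start order: the application tier starts only once the domain controller set is up.
New-ClusterGroupSet -Name 'DomainControllers'
New-ClusterGroupSet -Name 'AppTier'
Add-ClusterGroupToSet -Name 'DomainControllers' -Group 'DC1'
Add-ClusterGroupToSet -Name 'DomainControllers' -Group 'DC2'
Add-ClusterGroupToSet -Name 'AppTier' -Group 'SQL-VM1'
Add-ClusterGroupSetDependency -Name 'AppTier' -Provider 'DomainControllers'

# Review the ordering and the per-group settings.
Get-ClusterGroupSet | Select-Object Name, GroupNames, ProviderNames
Get-ClusterGroup | Select-Object Name, Priority, OwnerNode, State
```

A set dependency waits for the provider set to reach its online condition (by default, the VMs' heartbeat), so a domain controller that boots but never reports a heartbeat still holds the application tier back.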



Implement stretch and site-aware failover clusters
We discussed using a stretch cluster earlier in the "Implement Storage Replica" section. However, site-aware failover clustering is new to Windows Server 2016. A site-aware failover cluster builds on a stretch cluster, where nodes in the same cluster are not in the same physical site. Site awareness gives the cluster the ability to better control failover, placement, heartbeats between nodes, and quorum.
A new configuration option is to control the cross-site heartbeat. These thresholds can be configured by modifying new cluster properties:
■ CrossSiteDelay This property is set to 1,000 by default, and defines the interval in milliseconds at which heartbeats are sent to nodes in other sites.
■ CrossSiteThreshold This property is set to 20 by default, and defines the number of consecutive heartbeats that can be missed before the cross-site interface is considered down.
■ PreferredSite The site that is preferred for placing roles. The nodes must first be assigned to a site before it can be set as preferred. During a cold start, VMs are placed in the preferred site. The preferred site is also elected to be the active site in the event of a split quorum (a dynamic quorum tie). The LowerQuorumPriorityNodeID property is deprecated in Windows Server 2016.
Preferred sites can also be configured more granularly by using cluster groups. This enables you to control site placement on a per-group basis, in addition to the cluster-wide setting. Groups in a cluster are placed based on the following priority order:
1. Storage affinity site (the site where the group's CSV is currently owned)
2. Group preferred site
3. Cluster preferred site

Enable and configure node fairness
VM node fairness is another new feature in Windows Server 2016. Node fairness enables load balancing of VMs between nodes in a cluster. Nodes that are overcommitted are identified based on virtual machine memory and processor use on the node. VMs are then automatically live migrated to nodes that are not as heavily used, if any are available. The aggressiveness and the timing of the balancing can be configured and tuned. By default, node fairness is enabled in a Windows Server 2016 failover cluster, but it is disabled when System Center Virtual Machine Manager Dynamic Optimization is enabled, so that the two mechanisms do not move VMs against each other.
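An added example, not from the book, that configures the site fault domains, the cross-site heartbeat and the preferred-site settings described in the stretch cluster section, and the node fairness properties from the section above. The site names, node names and threshold values are assumptions.

```powershell
# Added example (not from the book): site awareness, cross-site heartbeats and node
# fairness on a stretch cluster. Site and node names and values are assumptions.
$cluster = Get-Cluster

# 1. Define site fault domains and put each node in its site.
New-ClusterFaultDomain -Name 'Seattle'  -Type Site -Description 'Primary datacenter'
New-ClusterFaultDomain -Name 'Bellevue' -Type Site -Description 'Secondary datacenter'
Set-ClusterFaultDomain -Name 'HV-NODE1' -Parent 'Seattle'
Set-ClusterFaultDomain -Name 'HV-NODE2' -Parent 'Seattle'
Set-ClusterFaultDomain -Name 'HV-NODE3' -Parent 'Bellevue'
Set-ClusterFaultDomain -Name 'HV-NODE4' -Parent 'Bellevue'

# 2. Cross-site heartbeat: 1000 ms x 20 misses = 20 s by default before the link is
#    declared down. Allow 30 misses on a WAN with known jitter.
$cluster.CrossSiteDelay     = 1000
$cluster.CrossSiteThreshold = 30

# 3. Cluster-wide preferred site, with a per-group override for a VM that belongs in
#    the secondary site (placement order: storage affinity, group site, cluster site).
$cluster.PreferredSite = 'Seattle'
(Get-ClusterGroup -Name 'Reporting-VM1').PreferredSite = 'Bellevue'

# 4. Node fairness. AutoBalancerMode: 0 = off, 1 = balance only when a node joins,
#    2 = always (default). AutoBalancerLevel: 1 = low (move above 80% load),
#    2 = medium (70%), 3 = high (60%). Set mode 0 if SCVMM Dynamic Optimization
#    manages this cluster.
$cluster.AutoBalancerMode  = 2
$cluster.AutoBalancerLevel = 3

# Review the fault-domain tree and the effective settings.
Get-ClusterFaultDomain | Select-Object Name, Type, ParentName
$cluster | Select-Object CrossSiteDelay, CrossSiteThreshold, PreferredSite,
    AutoBalancerMode, AutoBalancerLevel
```

Raising CrossSiteThreshold lengthens the time a genuine site outage goes undetected, so pair any increase with the quorum witness design from the thought experiment rather than treating it as a free tuning knob.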



Import, export, and copy VMs
Importing, exporting, and copying VMs are methods of manually transferring a VM from one node (or host) to another when live or quick migration is not available, for example between clusters. Exporting a VM consolidates the VM's configuration, checkpoints, and virtual hard disks into the folder specified during the export. The files can then be copied and imported on a different host, and the VM added to the cluster as a new role.
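The export and import round trip from PowerShell, as an added example that is not part of the book, finishing with the step that makes the imported VM a clustered role. The VM name, the export share and the destination CSV paths are assumptions.

```powershell
# Added example (not from the book): move a VM between hosts by export/import and make
# it highly available on the destination cluster. Names and paths are assumptions.

# On the source host: export configuration, checkpoints and VHDs to a share.
Export-VM -Name 'APP-VM2' -Path '\\FS01\VMExports'

# On a node of the destination cluster: import as a COPY with a new VM ID so the
# original can keep running and no two VMs share an ID. Place the files on a CSV.
$vmcx = Get-ChildItem -Path '\\FS01\VMExports\APP-VM2\Virtual Machines' -Filter '*.vmcx' |
    Select-Object -First 1
$vm = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'C:\ClusterStorage\Volume01\APP-VM2' `
    -VhdDestinationPath 'C:\ClusterStorage\Volume01\APP-VM2\Virtual Hard Disks'

# Register the imported VM as a clustered role and bring it online.
Add-ClusterVirtualMachineRole -VirtualMachine $vm.Name
Start-ClusterGroup -Name $vm.Name
Get-ClusterGroup -Name $vm.Name | Select-Object Name, OwnerNode, State
```

Omitting -GenerateNewId registers the VM with its original ID, which is what you want when the source VM has been deleted and you need to preserve references such as backup jobs; keep it when both copies will coexist.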

Configure VM network health protection
Windows Server 2012 R2 introduced an option named Protected Network in the advanced settings of a VM network adapter. Configuring a protected network is useful to protect a highly available VM from a failed network connection that the cluster would otherwise not act on, because the host itself is still healthy. With the Protected Network option enabled, the node monitors the physical uplink behind the VM's virtual switch. If that connection goes down, the VM is live migrated to another node that has a working connection for that network. The option is enabled by default on new adapters, so the practical task is usually to clear it on adapters (for example, a backup or test network) whose loss should not trigger a migration.

FIGURE 5-39 Virtual machine network adapter advanced features



Configure drain on shutdown
Draining a node is the process of moving all roles off a node before it goes down for maintenance. When a node is active, there can be several roles and client connections on it. Pausing the node with the drain option live migrates its VMs and moves its other roles to other nodes, and the node stops accepting new roles, so it can be taken out of service without affecting existing or future connections. Since Windows Server 2012 R2 the cluster also drains a node automatically when it is shut down without first being paused (drain on shutdown, controlled by the cluster's DrainOnShutdown property). This is a safety net rather than a substitute for a planned pause, because an unplanned shutdown leaves less time for the migrations to complete.

FIGURE 5-40 Draining a failover cluster node
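An added example, not from the book, that covers both the Protected Network setting from the previous section and the drain procedure from this one. The VM name, the adapter name and the node name are assumptions.

```powershell
# Added example (not from the book): Protected Network and drain settings that decide
# when the cluster moves VMs off a node. VM, adapter and node names are assumptions.

# Protected Network is on by default. Turn it off for the backup NIC of a VM so that
# losing that uplink does not trigger a live migration; leave it on for production NICs.
Set-VMNetworkAdapter -VMName 'APP-VM1' -Name 'Backup' -ClusterMonitored $false
Get-VMNetworkAdapter -VMName 'APP-VM1' | Select-Object Name, SwitchName, ClusterMonitored

# Drain on shutdown is enabled (1) by default; verify rather than assume.
(Get-Cluster).DrainOnShutdown

# Planned maintenance: pause with drain (VMs are live migrated, other roles moved),
# wait for it to finish, patch and reboot, then resume with immediate failback.
Suspend-ClusterNode -Name 'HV-NODE2' -Drain -Wait
Get-ClusterNode -Name 'HV-NODE2' | Select-Object Name, State, DrainStatus
# ... install updates / reboot HV-NODE2 ...
Resume-ClusterNode -Name 'HV-NODE2' -Failback Immediate
```

If DrainStatus reports a failure, some role could not be moved (typically a VM whose storage or network is not available on any other node); resolve that before rebooting, or that role will be lost when the node goes down.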

Chapter summary
■ How to use Hyper-V Manager to perform basic VM management
■ Configure migration and authentication details for Hyper-V servers
■ Install and configure a failover cluster
■ Configure quorum options, including Azure Cloud Witness
■ Use Cluster-Aware Updating to perform Windows updates
■ Seamlessly upgrade clusters from Windows Server 2012 R2 to Windows Server 2016
■ Optimize clusters using storage technologies like CSVs and Storage Replica
■ Implement Storage Spaces Direct for increased storage performance
■ Manage failover clusters using failover and preference settings
■ Perform basic VM management by using Failover Cluster Manager



Thought Experiment
A company currently has a single site with two standalone Hyper-V hosts. Each Hyper-V host is connected to an external iSCSI enclosure. The storage enclosure stores the data for all virtual machines that the hosts run.
The company plans to open an additional office in the same city. As part of the plan, the secondary office should be used with active connections, and serve as a backup if the primary office experiences a failure. Both offices should use a third site to determine which site is primary in the event of a failure. If the third site is unavailable from both offices, the original primary should accept the active client requests.
Using the above scenario, answer the following questions:
1. What should be deployed in the primary office to accomplish the goal?
2. What should be deployed in the secondary office to accomplish the goal?
3. What technology should be used to ensure the secondary office maintains the latest available data?
4. What technology should be used to ensure only one site is active in the event of a failure?
5. What should be configured to ensure that the primary site is used in the event of a third-site failure?

Thought Experiment Answers
1. The two Hyper-V servers should be placed in a failover cluster.
2. Two Hyper-V servers should be deployed in the secondary office as nodes of the same (stretch) failover cluster, so that they service active requests when online.
3. Storage Replica should be used to synchronously replicate the data from the primary office to the secondary, and back again if the roles are reversed.
4. A cloud witness in the third site should be configured so that exactly one site keeps quorum, and therefore stays active, in the event of a failure.
5. The primary site should be configured as the preferred site to ensure it stays active in the event the cloud witness is unavailable.



CHAPTER 6
Implement DNS
This chapter covers one skill that is represented on the exam: implementing and configuring DNS servers. There are a few new technologies introduced in Windows Server 2016 for DNS servers:
■ DNS Policies Policies can be created to specify how DNS servers respond to client requests, based on where the query came from, the time of day, the transport protocol, and other criteria.
■ Response Rate Limiting Mitigates the use of the DNS server in denial of service (amplification) attacks.
■ DNS-based Authentication of Named Entities Uses TLSA (Transport Layer Security Authentication) records to tell clients which certificate, or which issuing Certification Authority, to expect for a service in the DNS zone.
■ Unknown record support Adds records of types that are not explicitly supported by Windows Server DNS.
■ IPv6 root hints Native IPv6 root hints have been added to DNS.
We discuss these new technologies and review key technologies that already exist for DNS in this chapter.

Skills in this chapter:
■ Implement and configure DNS servers

Implement and configure DNS servers
This section explains how DNS is used in a Windows Server environment. DNS has several components that include forwarders, root hints, policies, logging, and more. Each of these components is discussed, including how to configure the options for a typical enterprise environment.

Determine supported DNS deployment scenarios on Nano Server
DNS can be installed on Nano Server, and offers the same features, security, and functionality as installing it on Server Core or on a Windows Server installation with the graphical interface. The only difference in using Nano Server is the management of the server role after it has been deployed, because Nano Server has no local console and no Server Manager.
After deploying DNS on a Nano Server, you can manage it by using Windows PowerShell remoting. Create a new session with the Nano Server by running the Enter-PSSession cmdlet:
Enter-PSSession -ComputerName "Nano1"

After connecting remotely to the Nano Server, you can import the PowerShell module for DNS by running the Import-Module cmdlet:
Import-Module DNSServer

You can then run any DNS PowerShell cmdlet on the Nano Server. Alternatively, you can run the DNS Manager console from a separate management computer and connect to the DNS service that is running on the Nano Server. This gives you the ability to manage the DNS service through DNS Manager as if it were installed on a server with a graphical interface.

Install DNS
DNS can be installed by using the Add Roles and Features Wizard through Server Manager, or by using Windows PowerShell with the Install-WindowsFeature cmdlet. Adding -IncludeManagementTools also installs the DNS Manager console and the DnsServer PowerShell module on that server:
Install-WindowsFeature DNS -IncludeManagementTools

If adding the package to Nano Server, the package is installed by using the Install-NanoServerPackage cmdlet from the NanoServerPackage provider:
Install-NanoServerPackage -Name Microsoft-NanoServer-DNS-Package

Configure forwarders
When a DNS server receives a query for a name that it is not authoritative for and does not have cached, a forwarder is used to hand the query to another DNS server. A DNS server sends recursive queries to its forwarders, trying each server in the list in order. A recursive query asks the forwarder to return the final answer (or an error if the record cannot be found), so referrals to other DNS servers are not accepted from a forwarder. The next DNS server could be a different DNS server within the corporate network, the ISP, or a public DNS server. Figure 6-1 shows the forwarders configured for a DNS server, using Verisign and OpenDNS public servers, respectively.



FIGURE 6-1 DNS Forwarders

An option shown in Figure 6-1 is Use Root Hints If No Forwarders Are Available. This uses any configured root hints if none of the configured forwarders respond. The option is enabled by default; clearing it makes the server fail closed when its forwarders are unreachable, which is preferable for internal servers that must never resolve directly against the Internet. From the GUI, forwarders are managed by modifying the properties of the DNS server. In Windows PowerShell, forwarders have separate cmdlets. To add a forwarder, use the Add-DnsServerForwarder cmdlet:
Add-DnsServerForwarder -IPAddress 8.8.8.8

To configure whether root hints are used if a forwarder is unavailable, run the Set-DnsServerForwarder cmdlet:
Set-DnsServerForwarder -UseRootHint $False



Conditional forwarders
Another type of forwarder is a conditional forwarder. Conditional forwarders are useful for partner organizations or other DNS domains that an organization might have access to. For example, if your organization has partnered with adatum.com, you can configure a conditional forwarder for that domain. Rather than using the global forwarders or root hints to resolve names in the partner domain, a conditional forwarder routes DNS requests for adatum.com directly to the specified server. Figure 6-2 shows creating a conditional forwarder from DNS Manager.

FIGURE 6-2 Conditional forwarder

After forwarders have been configured, you can verify that DNS is working properly by using nslookup. The nslookup tool is a command-line utility that enables you to query specific record types using DNS (Resolve-DnsName is the PowerShell equivalent). Figure 6-3 shows successful queries for microsoft.com, the local domain contosoforest.com, and the partner domain adatum.com.
If you plan to use PowerShell to create a conditional forwarder, use the Add-DnsServerConditionalForwarderZone cmdlet:
Add-DnsServerConditionalForwarderZone -Name adatum.com -MasterServers 10.0.0.105



FIGURE 6-3 nslookup results
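An added example, not from the book, that configures the global forwarders and the conditional forwarder from the two sections above on a remote DNS server (the same cmdlets work against a Nano Server over -ComputerName) and then verifies resolution the way the nslookup figure does. The server name Nano1, the forwarder addresses, the partner master server and the test names are assumptions.

```powershell
# Added example (not from the book): forwarders and a conditional forwarder on a remote
# DNS server, then verification. Server, addresses and names are assumptions.
$dns = 'Nano1'

# Global forwarders, queried in list order. UseRootHint $false makes the server fail
# closed if both are unreachable instead of recursing to the Internet on its own.
Set-DnsServerForwarder -ComputerName $dns -IPAddress 198.51.100.53, 198.51.100.54 `
    -UseRootHint $false -Timeout 3

# Conditional forwarder for the partner domain, stored in AD so every DNS server in
# the forest picks it up instead of each one being configured by hand.
Add-DnsServerConditionalForwarderZone -ComputerName $dns -Name 'adatum.com' `
    -MasterServers 10.0.0.105 -ReplicationScope Forest

# Review what the server now has.
Get-DnsServerForwarder -ComputerName $dns
Get-DnsServerZone -ComputerName $dns | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers, IsDsIntegrated

# Verify as nslookup would: a public name through the forwarders, the local zone,
# and the partner zone through the conditional forwarder. -Server pins the query
# to this DNS server; -DnsOnly bypasses the local hosts file and LLMNR/NetBIOS.
'www.microsoft.com', 'dc1.contosoforest.com', 'www.adatum.com' | ForEach-Object {
    Resolve-DnsName -Name $_ -Server $dns -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Select-Object Name, Type, IPAddress
}
```

A conditional forwarder takes precedence over the global forwarders and root hints for its domain, so a stale master server address silently breaks resolution for just that partner domain; include it in the verification loop after any change.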

Configure root hints
Unlike forwarders, which are sent recursive queries, root hints are used with iterative queries. If a DNS server cannot find the record for a query in its local zones or cache, it can query a root DNS server on the Internet. A root server responds with a referral to the DNS servers that host the authoritative zone for the top-level domain (.com, .net, and so on). The local server then queries the referred server for the record, which responds with another referral to the authoritative server for the DNS domain (contoso.com). The query and referral process continues until the record is successfully located, or the authoritative server says that the record does not exist.
Windows Server 2016 introduces default root hints for IPv6, so that the root servers can be reached over IPv6 just as they can over IPv4. These root hints are published by the Internet Assigned Numbers Authority (IANA). Figure 6-4 shows the default root hints that have been added to Windows Server 2016.



FIGURE 6-4 Root hints

Root hints can also be retrieved or configured by using PowerShell. To retrieve the same list that the GUI displays, run the Get-DnsServerRootHint cmdlet. To add additional root hints, use the Add-DnsServerRootHint cmdlet:
Add-DnsServerRootHint -NameServer a.root-servers.net -IPAddress 2001:503:ba3e::2:30

Configure delegation
Zone delegation enables you to divide a DNS namespace into multiple zones. The delegated zones can be hosted on, and replicated to, other DNS servers. This is useful if you need to delegate management for a portion of a namespace to another team, or want to improve distribution by dividing larger zones.
Creating a new delegation can be performed from DNS Manager by right-clicking the forward lookup zone that you plan to split, then clicking New Delegation. The New Delegation Wizard appears. The first configuration screen prompts for the domain that is delegated. For example, we specify the fully qualified domain name (FQDN) emea.contosoforest.com to be delegated as a separate zone. Figure 6-5 shows the New Delegation Wizard.



FIGURE 6-5 New Delegation Wizard

You are then prompted to enter the FQDN of the DNS server that is authoritative for the delegated zone. You must also resolve the FQDN to the IP addresses of that server; these become the glue records in the parent zone. Figure 6-6 displays configuring the FQDN and associated IP addresses for the delegation.

FIGURE 6-6 New Name Server Record

After you complete the wizard, the delegation (an NS record and glue A/AAAA records for the child) is created in the parent forward lookup zone. You can also create the delegation by using the Add-DnsServerZoneDelegation cmdlet; the child zone name is given relative to the parent, and the name server as an FQDN:
Add-DnsServerZoneDelegation -Name contosoforest.com -ChildZoneName emea -NameServer dc1.emea.contosoforest.com -IPAddress 10.0.0.100
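The full delegation, both sides, as an added example that is not part of the book: the child zone is created on its own server first, the parent then delegates, and the result is checked from the parent. The server names, the address and the test record are assumptions.

```powershell
# Added example (not from the book): delegate emea.contosoforest.com to a separate
# DNS server and verify from the parent. Names and addresses are assumptions.
# Create the child zone BEFORE delegating, or queries into it fail with SERVFAIL.

# 1. On the child DNS server (a DC in EMEA): create the zone being delegated.
Add-DnsServerPrimaryZone -ComputerName 'dc1.emea.contosoforest.com' `
    -Name 'emea.contosoforest.com' -ReplicationScope Domain -DynamicUpdate Secure

# 2. On the parent (authoritative for contosoforest.com): add the NS and glue records.
Add-DnsServerZoneDelegation -ComputerName 'dc1.contosoforest.com' -Name 'contosoforest.com' `
    -ChildZoneName 'emea' -NameServer 'dc1.emea.contosoforest.com' -IPAddress 10.0.0.100

# 3. Verify. The parent should list the delegation, answer NS for the child, and a
#    query for a child record should be referred to and answered by the child server.
Get-DnsServerZoneDelegation -ComputerName 'dc1.contosoforest.com' -Name 'contosoforest.com' |
    Select-Object ChildZoneName, NameServer
Resolve-DnsName -Name 'emea.contosoforest.com' -Type NS -Server 'dc1.contosoforest.com' -DnsOnly
Resolve-DnsName -Name 'fs1.emea.contosoforest.com' -Type A -Server 'dc1.contosoforest.com' -DnsOnly
```

The glue address must be kept in step with the child server: if dc1.emea is re-addressed, the parent's delegation still points at the old IP, and nothing in the child zone can update it.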



Implement DNS policies
Windows Server 2016 introduces DNS policies to manage queries based on configurable parameters. There are a few scenarios in which DNS policies can be useful:
■ Application high availability DNS queries are answered with the healthiest endpoint for an application.
■ Traffic management Direct clients to the closest available instance of a service, based on the subnet the query came from.
■ Split-brain DNS If DNS records are split for internal and external addresses, clients receive the appropriate response depending on their location.
■ Filtering Manage an IP block list to drop or refuse queries from malicious clients.
■ Forensics DNS clients that are suspected to be malicious can be redirected to a sinkhole address for investigation.
■ Time-based redirects Provide different responses to DNS queries based on the time of day.
There are three new objects in DNS that are used to manage DNS policies:
■ Client subnet Represents an IPv4 or IPv6 subnet where queries originate from.
■ Recursion scope A named group of settings that control recursion (enabled or not, and which forwarders) for a DNS server.
■ Zone scope A separate set of DNS records for a zone on the DNS server; every zone has a default scope named after the zone.
There are two policy types that can be configured at either the zone or server level, and a single server-only policy type:
■ Query Resolution Policy Can be applied to either a DNS server or a specific DNS zone. Query resolution policies control incoming client queries and define how the DNS server handles each matching request: answer from a zone scope, deny with an error, or ignore silently.
■ Zone Transfer Policy Can be applied to either a DNS server or a specific DNS zone. Zone transfer policies control which zone transfer requests are denied or ignored, for example based on the requesting subnet or the server interface the request arrived on.
■ Recursion policy Recursion policies are applied only at the server level and control whether matching queries are denied, ignored, or allowed to recurse, by associating them with a recursion scope. You can also use them to select the set of forwarders used for the matching queries.
The overall process for creating a policy is to first create the objects, and then create the policies. For example:
1. Create the subnet objects that DNS clients are connecting from.
2. Create the zone scopes and resource records for each network as needed.
3. Create a policy to manage the queries from the defined subnets.
As of this writing, policies are configured only by using PowerShell. To view the available cmdlets that can be used with policies, run the Get-Command cmdlet:
Get-Command -Module DNSServer *policy* | Select Name
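The three-step procedure above carried through for the split-brain scenario, as an added example that is not part of the book: internal clients receive a private address for www.contoso.com and everyone else the public one. The zone, the subnet, the addresses and the object names are assumptions.

```powershell
# Added example (not from the book): split-brain DNS with a query resolution policy.
# Internal clients (10.0.0.0/8) get the private address for www; all others get the
# public one. Zone, subnet, addresses and object names are assumptions.
$zone = 'contoso.com'

# 1. Client subnet object describing where internal queries come from.
Add-DnsServerClientSubnet -Name 'InternalSubnet' -IPv4Subnet '10.0.0.0/8'

# 2. A zone scope holding the internal view. The default scope (named after the zone)
#    keeps serving the public answer.
Add-DnsServerZoneScope -ZoneName $zone -Name 'InternalScope'

# 3. Records: public A in the default scope, private A in the internal scope.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '10.10.5.20' `
    -ZoneScope 'InternalScope'

# 4. Policy: queries from the internal subnet are answered from InternalScope.
#    Criteria use "EQ,<object>" or "NE,<object>"; "-ZoneScope 'scope,weight'" can list
#    several scopes for weighted load distribution.
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainPolicy' -Action ALLOW `
    -ClientSubnet 'EQ,InternalSubnet' -ZoneScope 'InternalScope,1' -ZoneName $zone

# A further policy on the same zone could drop queries from a hostile subnet
# (-Action IGNORE) or answer differently after hours (-TimeOfDay 'EQ,18:00-23:59').

# 5. Review; then test with Resolve-DnsName from a client in each subnet.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone |
    Select-Object Name, Action, Level, ProcessingOrder, IsEnabled
Get-DnsServerResourceRecord -ZoneName $zone -Name 'www' -ZoneScope 'InternalScope'
```

Policies are evaluated in ProcessingOrder and the first match wins, so a broad ALLOW policy placed before a narrow IGNORE policy neutralizes the latter; check the order whenever a filtering policy appears not to fire.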



The overall checklist for deploying DNSSEC includes:
1. Selecting a deployment method (which server is the Key Master, and whether the keys are stored in AD or on the server).
2. Signing a DNS zone.
3. Deploying trust anchors on the validating resolvers that are not authoritative for the zone. The TrustAnchors zone can be AD-integrated so that all domain DNS servers share them; standalone resolvers need the exported DS or DNSKEY set.
4. Deploying DNS client policies (the Name Resolution Policy Table, distributed via Group Policy) so that clients request validation for the signed namespace.
5. Deploying IPsec policies to protect zone transfers, which DNSSEC does not encrypt.
6. Reviewing and managing name resolution.
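Steps 2, 3 and 6 of the checklist from PowerShell, as an added example that is not part of the book. The zone name, the export path and the resolver name are assumptions; check Get-Help for the exact parameters in your build before running the trust anchor import.

```powershell
# Added example (not from the book): sign a zone, export its public keys for resolvers
# outside the domain, and validate. Zone, paths and resolver name are assumptions.
$zone = 'contoso.com'

# Step 2: sign on the Key Master with the defaults (KSK + ZSK, NSEC3 denial of existence).
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefaultSettings -PassThru -Force

# Confirm the zone is signed and see the published DNSKEY records.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsSigned, IsDsIntegrated
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey |
    Select-Object HostName, RecordType, TimeToLive

# Step 3: export the DS/DNSKEY set (file keyset-<zone> under -Path). Hand the DS
# records to the parent zone's operator and load the set as a trust anchor on any
# validating resolver that is not AD-integrated.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\DnssecKeys' -DigestType Sha256 -Force
# On such a resolver (parameter names per Get-Help Import-DnsServerTrustAnchor):
#   Import-DnsServerTrustAnchor -Name $zone -KeySetFile "C:\DnssecKeys\keyset-$zone"

# Step 6: ask a validating resolver for a signed answer; the RRSIG records and the
# AD (authenticated data) flag in the response show validation succeeded.
Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk -Server 'Resolver1' -DnsOnly
```

Key rollover is automatic for the ZSK, but a KSK rollover changes the DS record the parent holds; if the parent is an external registrar, schedule that update before the old KSK is retired or validating resolvers will start returning SERVFAIL for the whole zone.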

Configure DNS socket pool
The DNS socket pool randomizes the source port that is used for outgoing DNS queries. Before the MS08-037 update, the Windows Server 2008 DNS service used a predictable source port, which made cache poisoning by guessing the port and the transaction ID practical. With a socket pool, the DNS server picks a random port from the pool for each query, so an attacker has to guess both the port and the transaction ID. In Windows Server 2016, as in the releases since Windows Server 2008 R2, the socket pool has 2,500 ports enabled by default and does not typically require additional configuration. To modify the number of ports, use the dnscmd utility; the current value is also visible with Get-DnsServerSetting -All as SocketPoolSize. If other services on the server listen on ephemeral UDP ports, exclude them from the pool with /SocketPoolExcludedPortRanges so the two do not collide:
dnscmd /Config /SocketPoolSize 3000

Configure cache locking
When a DNS server receives a query and then provides a response, the response is cached locally so that it can respond more quickly to future requests. The cache lifetime is determined by the Time To Live (TTL) value of the DNS record that was obtained. Cache locking prevents a cached record from being overwritten by an unsolicited or attacker-supplied response until a percentage of the TTL has elapsed, which blunts cache poisoning attempts aimed at an entry that is already cached. Cache locking was introduced in Windows Server 2008 R2 and has not changed significantly through Windows Server 2016. By default, the cache locking percentage is set to 100, meaning a record cannot be overwritten for its entire TTL. To modify the percentage, use dnscmd (Set-DnsServerCache -LockingPercent is the PowerShell equivalent):
dnscmd /Config /CacheLockingPercent 90

Enable Response Rate Limiting (RRL)
Response Rate Limiting (RRL) is a new feature that is introduced with Windows Server 2016. RRL helps prevent your DNS server from being used in a Denial of Service attack against someone else. In a DNS amplification attack, an attacker sends many small queries with a spoofed source address, and the server's much larger responses flood the victim at that address. RRL provides configuration settings that control how the server responds when it receives numerous similar requests that would produce identical responses to the same client subnet. The following settings can be configured with RRL:
■ Responses per second The maximum number of identical responses a single client (subnet) receives in one second. The default is 5.
■ Errors per second The maximum number of error responses (for example, NXDOMAIN or SERVFAIL) that are sent to a single client in one second. The default is 5.
■ Window The number of seconds over which the limits are evaluated, and for which responses to a client are suspended once it exceeds them. The default is 5.
■ Leak rate Determines how often the DNS server still answers while responses to a client are suspended. With a leak rate of 3, the server answers one of every three suspended requests, so a legitimate client whose address is being spoofed still gets an answer eventually. The default is 3; 0 disables leaking.
■ TC rate Determines how often the server answers a suspended client with a truncated (TC) response, which tells a legitimate client to retry over TCP. A spoofed source cannot complete the TCP handshake, so this separates real clients from reflection traffic. With a TC rate of 2, every second suspended query gets a truncated response. The default is 2. The TC rate should be configured lower than the leak rate, so that a client is told to use TCP before it is leaked a full response.
■ Maximum responses The maximum number of responses that the server issues to a client per window while it is in the suspended state. The default is 1,024.
■ White list domains The list of domains that are excluded from RRL settings.
■ White list subnets The list of client subnets that are excluded from RRL settings.
■ White list server interfaces The DNS server interfaces that are excluded from RRL settings.
By default, RRL is disabled. You can set RRL to only log the effect a configuration would have, or to enforce the configuration. To enable or modify the RRL settings, use the Set-DnsServerResponseRateLimiting cmdlet. You can also use the Set-DnsServerRRL alias to reference the cmdlet:
Set-DnsServerRRL -Mode LogOnly

To create any of the white list (exception list) objects, use the Add-DnsServerResponseRateLimitingExceptionlist cmdlet:
Add-DnsServerResponseRateLimitingExceptionlist -Name "Whitelist1" -Fqdn "EQ,*.contoso.com"
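A staged RRL rollout, as an added example that is not part of the book: the limits are applied in log-only mode first, the internal resolvers are exempted, and enforcement is switched on once the log shows only abusive sources. The subnet, the exception names and the limit values are assumptions chosen to match the relationships described above.

```powershell
# Added example (not from the book): roll out RRL in LogOnly mode, exempt internal
# resolvers, then enforce. Subnet, names and limit values are assumptions.

# 1. Start in LogOnly: nothing is dropped yet, but the responses that WOULD have been
#    suspended are written to the Microsoft-Windows-DNSServer/Analytical log, so the
#    effect can be reviewed before it hits real clients.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -MaxResponsesPerWindow 1024 -Force

# 2. Never throttle our own recursive resolvers (they legitimately repeat queries)
#    or lookups inside our own zone. Subnet exceptions reference a client subnet object.
Add-DnsServerClientSubnet -Name 'InternalResolvers' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalExceptions' `
    -ClientSubnet 'EQ,InternalResolvers' -Fqdn 'EQ,*.contoso.com'

# 3. Review the effective settings and exceptions.
Get-DnsServerResponseRateLimiting
Get-DnsServerResponseRateLimitingExceptionlist | Select-Object Name, ClientSubnet, Fqdn

# 4. Enforce once the log shows suspensions only for sources you do not recognize.
Set-DnsServerResponseRateLimiting -Mode Enable -Force
```

Enforcing RRL on an authoritative server that also recurses for internal clients is the common mistake: without the subnet exception, a busy internal resolver looks exactly like a reflection source and gets truncated responses, which shows up as intermittent slow lookups rather than an obvious outage.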

Configure DNS-based Authentication of Named Entities
DANE is another new feature that is introduced with Windows Server 2016. DANE uses TLSA (Transport Layer Security Authentication) records in DNS to tell clients which certificate, or which issuing Certification Authority, to expect from a service in the zone. This prevents a man-in-the-middle from presenting a different, but otherwise valid, certificate after redirecting traffic. A TLSA record is only as trustworthy as the DNS answer that carries it, so DANE depends on the zone being DNSSEC-signed and on the client validating the signature. Windows Server publishes the records; whether they are checked depends on the client application (DANE is most widely used between SMTP servers, while mainstream browsers do not validate it).
For example, if the website www.contoso.com uses a certificate from a CA named TrustedCA, the TLSA record for _443._tcp.www.contoso.com records that issuer (or the certificate's hash). If a malicious redirect then sends users to a different web server that presents a certificate signed by ExternalCA, a DANE-aware client aborts the connection, because the certificate, although it appears valid, is not the one registered in DNS.
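Publishing the TLSA record for the www.contoso.com example, as an added example that is not part of the book. The certificate lookup, the zone name and the choice of usage and selector are assumptions, and the enumeration names for the TLSA parameters are those of the Windows Server 2016 DnsServer module (confirm with Get-Help Add-DnsServerResourceRecord -Parameter TLSA).

```powershell
# Added example (not from the book): publish a TLSA record for https://www.contoso.com.
# Usage DANE-EE (DomainIssuedCertificate) pins the end-entity certificate itself;
# selector FullCertificate + matching Sha256Hash means the data is SHA-256 over the
# whole DER certificate. Zone, certificate lookup and choices are assumptions.
$zone = 'contoso.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like 'CN=www.contoso.com*' | Select-Object -First 1
if (-not $cert) { throw 'Server certificate for www.contoso.com not found' }

# SHA-256 of the DER-encoded certificate, as an upper-case hex string without separators.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash = ([System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData))) -replace '-'

# TLSA owner name is _<port>._<protocol>.<host>, relative to the zone.
Add-DnsServerResourceRecord -ZoneName $zone -Name '_443._tcp.www' -TLSA `
    -CertificateUsage DomainIssuedCertificate -Selector FullCertificate `
    -MatchingType Sha256Hash -CertificateAssociationData $hash

# Verify the record, and that the zone is signed: an unsigned TLSA record can be
# spoofed as easily as the A record it is meant to protect.
Get-DnsServerResourceRecord -ZoneName $zone -Name '_443._tcp.www' -RRType TLSA
(Get-DnsServerZone -Name $zone).IsSigned
```

Because the record pins a specific certificate, renewing the certificate without updating (or pre-publishing) a second TLSA record for the new one causes DANE-validating clients to refuse the service; treat the TLSA update as part of the certificate renewal procedure.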



FIGURE 6-8 Server level permissions

If you need to provide junior administrators the ability to view the DNS contents of the zones, create a new security group and assign it only the Read permission. You could also have a separate group that can create and update DNS objects, but not delete them, so that an operational mistake or a compromised operator account cannot remove records.
Modifying the properties of a zone is a similar process. The zone inherits the permissions that have been assigned at the server level. You can also add additional security groups that can manage only that zone. Figure 6-9 shows the default properties of a forward lookup zone.



FIGURE 6-9 Zone level permissions

Configure recursion settings
As discussed in the earlier section "Configure root hints," a DNS server that is not authoritative for a name resolves it either by walking the referral chain from the root hints itself, or by sending a recursive query to a forwarder. By default, recursion is enabled, so the server resolves requests for unknown domains on behalf of any client that asks. A server that answers recursive queries from anyone on the Internet is an open resolver, which can be abused for amplification attacks and cache poisoning, so recursion should be enabled only for the clients that need it. You can enable or disable recursion at the server level by using the Set-DnsServerRecursion cmdlet, or by using DNS Manager. Disabling recursion entirely makes the server authoritative-only, so do it only where clients have another resolver, because it prevents them from resolving Internet names through this server. Figure 6-10 shows the available options on the Advanced tab, including recursion.



FIGURE 6-10 Advanced DNS settings

In addition to enabling or disabling recursion, the PowerShell cmdlet also lets you configure the timing of recursive lookups. The RetryInterval setting specifies the number of seconds a DNS server waits before retrying a recursive lookup that has not been answered. By default, RetryInterval is set to three seconds, but it can be configured with a value from 1 to 15. Another configurable parameter is the AdditionalTimeout setting. This specifies the additional number of seconds the server waits for a response from the remote DNS server after the retry. By default, this setting is four seconds, but it accepts a value from 0 to 15. The Timeout setting (eight seconds by default) is the total time the server spends on a recursive lookup before returning SERVFAIL to the client.
Set-DnsServerRecursion -RetryInterval 2

Recursion can also be enabled or disabled for specific clients by using a recursion scope. A scope names a set of forwarders together with a recursion setting; a query resolution policy with -ApplyOnRecursion then assigns matching queries to the scope. The default scope is named "." and is modified with Set-DnsServerRecursionScope; additional scopes are created with Add-DnsServerRecursionScope:
Add-DnsServerRecursionScope -Name "DisabledScope" -Forwarder 192.168.0.1 -EnableRecursion $False
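An added example, not from the book, of the recommended way to run a server that is authoritative for the Internet but recursive only for internal clients: recursion is turned off in the default scope and re-enabled, with its own forwarders, through a recursion scope and a policy. The subnet, the forwarder address, the scope name and the 10-second timeout are assumptions.

```powershell
# Added example (not from the book): recursion for internal clients only. The default
# scope "." stops recursing; a named scope plus a recursion policy re-enables it for
# one subnet with its own forwarder. Subnet, addresses and names are assumptions.

# 1. Default scope: no recursion for anyone who is not matched by a policy below.
#    Internet clients now get only authoritative answers from this server.
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false

# 2. A scope that recurses via the internal forwarder.
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true -Forwarder 10.0.0.5

# 3. Who qualifies: the corporate subnet, described as a client subnet object.
Add-DnsServerClientSubnet -Name 'CorpNet' -IPv4Subnet '10.0.0.0/8'

# 4. The recursion policy (server level, -ApplyOnRecursion) ties the two together.
Add-DnsServerQueryResolutionPolicy -Name 'CorpRecursion' -Action ALLOW -ApplyOnRecursion `
    -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,CorpNet'

# 5. Timing: give up on a recursive lookup after 10 seconds instead of the default 8,
#    retrying once after 3 seconds (defaults for the other two values).
Set-DnsServerRecursion -Timeout 10 -RetryInterval 3 -AdditionalTimeout 4

# Review the resulting configuration.
Get-DnsServerRecursionScope | Select-Object Name, EnableRecursion, Forwarder
Get-DnsServerRecursion | Select-Object Enable, Timeout, RetryInterval, AdditionalTimeout
```

Test from an external address as well as an internal one: the external query for a name outside your zones should come back as REFUSED or SERVFAIL, which is the evidence the server is no longer an open resolver.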



Chapter summary
■ Preparing for and installing the DNS Server role
■ Configuring forwarders and conditional forwarders for lookup zones
■ Using root hints to identify authoritative DNS servers
■ Configuring delegation for DNS
■ Implementing policies to be used by DNS servers and clients
■ Using security extensions to secure DNS
■ Explaining the socket pool and cache locking to mitigate DNS attacks
■ Enabling Response Rate Limiting to mitigate DNS attacks
■ Delegating administration to manage or view DNS for other administrators
■ Enabling, disabling, and configuring recursive DNS queries
■ Using Windows PowerShell to manage DNS servers and settings

Thought Experiment
A company has a production environment and a test environment. The production environment is in an Active Directory domain with DNS integrated into the domain. The test environment is in a workgroup with a separate DNS server. The company needs to prohibit the test environment from resolving any names in the production environment, but must use the production server as a name server for the Internet. The production servers must be configured to suspend responses to queries in the event of a DNS request flood. The test environment must also wait 10 seconds before using non-authoritative DNS servers. You must also enable a junior administrator to be able to view all objects and settings on the DNS server without enabling them to make changes.
Given the above scenario, answer these questions:
1. What should be used to prohibit resolution between networks?
2. What should be used to suspend queries when flooded?
3. How should the junior administrator be granted permissions?
4. What must be configured in the test environment to wait 10 seconds for non-authoritative responses?



Thought Experiment Answers
1. You can disable recursion to prevent the test DNS server from using the forwarder. Use a scope to specify recursion for the specific forwarder.
2. Response Rate Limiting should be configured to suspend queries when the DNS server is flooded with requests.
3. The junior administrator can be delegated permissions based on a custom security group that only has the Read permission to the DNS server.
4. The test environment must have the timeout period recursion setting modified to wait 10 seconds before using non-authoritative responses.
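The answers above expressed with the DnsServer module, as an added example that is not part of the book. The recursion, scope and policy commands run on the test environment's DNS server; the Response Rate Limiting command targets the production server by name. The server names (ProdDNS1), the forwarder address, the production zone name and the scope and policy names are assumptions. Answer 3 (read-only delegation to the junior administrator) is done through the security tab in DNS Manager as the chapter describes and is not scripted here.

```powershell
# Added example, not from the book: applies thought-experiment answers 1, 2 and 4 with the
# DnsServer module. ProdDNS1, the forwarder address, the production zone name and the
# scope/policy names are assumptions for illustration.
Import-Module DnsServer

$ProductionDns  = '192.168.0.1'             # assumed: production DNS server used for Internet lookups
$ProductionZone = 'prod.contosoforest.com'  # assumed: production domain that must never resolve here

# Answers 1 and 4: recursion off in the default scope, and a 10-second recursion timeout
# so the server waits that long for a non-authoritative answer before giving up.
Set-DnsServerRecursion -Enable $false -Timeout 10

# Answer 1 (continued): a named recursion scope that does recurse, but only through the
# production server. A query-resolution policy applies it to every name EXCEPT the
# production zone; production names fall back to the default, non-recursive scope and
# are therefore not forwarded anywhere.
Add-DnsServerRecursionScope -Name 'InternetViaProduction' -Forwarder $ProductionDns -EnableRecursion $true
Add-DnsServerQueryResolutionPolicy -Name 'InternetOnly' -Action ALLOW -ApplyOnRecursion `
    -RecursionScope 'InternetViaProduction' -Fqdn "NE,$ProductionZone,*.$ProductionZone"

# Answer 2: Response Rate Limiting on the production server. The numbers are starting
# points; review the DNS analytic log before tightening them for real traffic.
Set-DnsServerResponseRateLimit -ComputerName 'ProdDNS1' -Mode Enable `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force

# Verify what was configured
Get-DnsServerRecursion | Select-Object Enable, Timeout
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
Get-DnsServerResponseRateLimit -ComputerName 'ProdDNS1'
```

The `NE` criterion carries two values, the zone apex and its wildcard, because `*.zone` alone would still let a query for the bare zone name reach the forwarder.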



CHAPTER 7

Implement IP Address Management
In this chapter, we will discuss how to install, configure, and use the built-in IP Address Management functionality. In past exams, IPAM was a major component of the exam skills that are tested. You should anticipate and be prepared to understand how to install and configure IPAM on Windows Server 2016.
Windows Server 2016 introduces new features to IPAM, including:
■ Enhanced DNS service management
■ Multiple Active Directory Domain Services forest support
■ Purge Utilization Data
■ Windows PowerShell cmdlets for Role-Based Access Control
IPAM in Windows Server 2016 also improves on the existing IP address management and integrated DNS and DHCP management from the IPAM console.

Skills in this chapter:
■ Install and configure IPAM
■ Manage DNS and DHCP using IPAM

Skill 7.1: Install and configure IPAM
In this section, we explain how to install and configure the basic IPAM configuration. This includes the default database to use, provisioning the server and Group Policy settings, configuring server discovery, and setting IP addresses. We also explain how to back up and restore an IPAM database, which enables you to migrate that database from a previous version of Windows Server to Windows Server 2016. We also cover how to use a Microsoft SQL Server as the database engine, and how to integrate IPAM with System Center.

You can provision the server by using the Invoke-IpamServerProvisioning cmdlet, then provision the GPOs by using the Invoke-IpamGpoProvisioning cmdlet. The GPO prefix given to both cmdlets must be the same, because the IPAM server locates its GPOs by that prefix.
Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix "IPAM"
Invoke-IpamGpoProvisioning -Domain contosoforest.com -GpoPrefixName IPAM -IpamServerFqdn ipam.contosoforest.com

Choosing the manual deployment method requires you to manually create or configure different options on each managed server, including:
■ Network shares
■ Security groups
■ Firewall rules

DHCP servers
A managed DHCP server requires that all three options be configured on the servers. Table 7-1 summarizes the rules that must be configured on a managed DHCP server.

TABLE 7-1 DHCP server firewall changes

Firewall direction   Setting name                   Description
Inbound              DHCP Server Management         Access DHCP server configuration data
Inbound              Remote Service Management      Access DHCP server configuration data
Inbound              File and Printer Sharing       Access DHCP server utilization data
Inbound              Remote Event Log Management    Access DHCP server logs

A universal security group must also be created in the domain with the name IPAMUG. The members of the security group must include the computer account objects for each DHCP server. Figure 7-3 shows the correct settings for the group.



FIGURE 7-3 IPAMUG Properties

Once created, the IPAMUG universal security group must be added to the DHCP Users and Event Log Readers security groups on each managed server. Figure 7-4 shows adding the user group to the local groups on the DHCP server. If the server is also a domain controller, then the Event Log Readers group in the Builtin container should be used.

FIGURE 7-4 Event Log Readers Properties



The third configuration that must be made on a managed DHCP server is to create a network share of the %windir%\system32\dhcp directory, named dhcpaudit. Figure 7-5 shows the properties of the DHCP directory that has been shared.

FIGURE 7-5 DHCP directory properties

The permissions of the share must be modified to enable the IPAMUG universal security group to read the contents of the directory. Figure 7-6 shows the share permissions that are applied to the directory.



FIGURE 7-6 Dhcpaudit share permissions

After making the required group membership changes, you must restart the DHCP service. This ensures that the new permission levels are activated.
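The manual DHCP server preparation just described (firewall rule groups from Table 7-1, the IPAMUG group and its local group memberships, the read-only dhcpaudit share, and the service restart) as one script. This is an added example, not the book's own material: the domain name CONTOSO, the server names DHCP1 and DHCP2 and the read-only share permission are assumptions. The Active Directory part runs once from a management workstation; everything after the separator runs elevated on each managed DHCP server.

```powershell
# Added example, not from the book: manual IPAM prerequisites for managed DHCP servers.
# CONTOSO, DHCP1 and DHCP2 are assumed names.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'            # assumed NetBIOS domain name
$DhcpServers = 'DHCP1', 'DHCP2'     # assumed managed DHCP servers

# --- Run once in the domain: universal group IPAMUG holding the server computer accounts ---
if (-not (Get-ADGroup -Filter "Name -eq 'IPAMUG'")) {
    New-ADGroup -Name 'IPAMUG' -GroupScope Universal -GroupCategory Security `
        -Description 'Computer accounts of IPAM-managed servers (manual provisioning)'
}
foreach ($s in $DhcpServers) {
    Add-ADGroupMember -Identity 'IPAMUG' -Members (Get-ADComputer -Identity $s)
}

# --- Run elevated on each managed DHCP server ---

# Inbound firewall rule groups from Table 7-1
$RuleGroups = 'DHCP Server Management', 'Remote Service Management',
              'File and Printer Sharing', 'Remote Event Log Management'
foreach ($g in $RuleGroups) {
    Enable-NetFirewallRule -DisplayGroup $g -Direction Inbound
}

# IPAMUG into the local DHCP Users and Event Log Readers groups. On a domain controller
# there are no local groups; add IPAMUG to Builtin\Event Log Readers with Add-ADGroupMember instead.
foreach ($local in 'DHCP Users', 'Event Log Readers') {
    Add-LocalGroupMember -Group $local -Member "$Domain\IPAMUG" -ErrorAction SilentlyContinue
}

# Share %windir%\system32\dhcp as dhcpaudit; IPAMUG only needs to read the audit logs
$DhcpDir = Join-Path $env:windir 'system32\dhcp'
if (-not (Get-SmbShare -Name 'dhcpaudit' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'dhcpaudit' -Path $DhcpDir -ReadAccess "$Domain\IPAMUG"
}

# Restart DHCP so the new group memberships are picked up
Restart-Service -Name DHCPServer

# Verification
Get-SmbShareAccess -Name 'dhcpaudit'
Get-LocalGroupMember -Group 'DHCP Users'
```

Granting only `-ReadAccess` on the share keeps the IPAM collection account from being able to modify the DHCP audit logs, which is all the utilization collection needs.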

DNS Servers
Similar to DHCP servers, DNS servers must have several configuration changes when deploying IPAM manually. These changes include:
■ Inbound firewall rules
■ Security group changes
■ Delegated DNS access

Table 7-2 summarizes the DNS server firewall changes.

TABLE 7-2 DNS server firewall changes

Firewall direction   Setting name                   Description
Inbound              DNS Service                    Discover managed DNS servers
Inbound              Remote Service Management      Manage DNS servers
Inbound              Remote Event Log Management    Monitor DNS zones and services



Just as with a DHCP server, a DNS server must have the IPAMUG universal security group added to the Event Log Readers security group. Event log monitoring must also be enabled on a managed DNS server. To enable event log monitoring, perform these steps:
1. Open a PowerShell session, and run the following command:
Get-ADComputer <IPAM Server Name>

2. Copy the SID value for the IPAM server to the clipboard, as shown in Figure 7-7.

FIGURE 7-7 Get-ADComputer cmdlet

3. On the DNS server, open the registry editor.
4. Navigate to the HKLM\System\CurrentControlSet\Services\EventLog\DNS Server hive.
5. Double-click the CustomSD key.
6. At the end of the value field, append the following to the string, replacing the SID value for the server. Figure 7-8 shows adding the value to the key.

(A;;0x1;;;S-1-5-21-1910878678-1601286290-2698553502-1000)

FIGURE 7-8 CustomSD registry key

7. Click OK and then close the registry editor.



The third configuration for managed DNS servers is to add the IPAM server to the DnsAdmins security group. This ensures that the IPAM server can perform administrative tasks on the DNS server. Figure 7-9 shows that the IPAMUG, which contains the computer object for the IPAM servers, has been delegated rights to the DNS server.

FIGURE 7-9 DnsAdmins security group
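The DNS server steps above (firewall rule groups from Table 7-2, the CustomSD append for the IPAM server's SID, Event Log Readers membership and DnsAdmins delegation) as a script. This is an added example and not the book's own code; IPAM1 as the IPAM server name and CONTOSO as the domain are assumptions. It reads the existing CustomSD string and appends the ACE only if the SID is not already present, so it can be re-run safely.

```powershell
# Added example, not from the book: manual IPAM prerequisites on a managed DNS server.
# IPAM1 and CONTOSO are assumed names. Run elevated on the DNS server.
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'   # assumed NetBIOS domain name
$IpamServer = 'IPAM1'     # assumed IPAM server computer name

# Inbound firewall rule groups from Table 7-2
foreach ($g in 'DNS Service', 'Remote Service Management', 'Remote Event Log Management') {
    Enable-NetFirewallRule -DisplayGroup $g -Direction Inbound
}

# Steps 1-7: append an allow-read ACE (0x1) for the IPAM server's computer-account SID to
# the CustomSD security descriptor of the DNS Server event log.
$Sid     = (Get-ADComputer -Identity $IpamServer).SID.Value
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server'
$Ace     = "(A;;0x1;;;$Sid)"

$Current = (Get-ItemProperty -Path $KeyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ([string]::IsNullOrEmpty($Current)) {
    throw "CustomSD was not found under $KeyPath; inspect the key in the registry editor first."
}
if ($Current -notlike "*$Sid*") {
    Set-ItemProperty -Path $KeyPath -Name CustomSD -Value ($Current + $Ace)
    Write-Host "Appended $Ace to CustomSD"
} else {
    Write-Host "CustomSD already grants access to $IpamServer"
}

# Group memberships: IPAMUG reads the event logs locally and is delegated DNS administration
Add-LocalGroupMember -Group 'Event Log Readers' -Member "$Domain\IPAMUG" -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'DnsAdmins' -Members (Get-ADGroup -Identity 'IPAMUG')

# Verification
(Get-ItemProperty -Path $KeyPath -Name CustomSD).CustomSD
Get-ADGroupMember -Identity 'DnsAdmins' | Select-Object Name, objectClass
```

The ACE grants only the read right (0x1) on that one event log, which is the least privilege the IPAM server needs for DNS event monitoring.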

Domain controller or NPS servers
For managed DCs or Network Policy Servers (NPS), there are similar configuration changes that must be made. These servers must have the inbound Remote Event Log Management firewall rule enabled. The IPAMUG universal security group must be added to the Event Log Readers security group on both DCs and NPS servers.

Configure server discovery
After provisioning the IPAM server, the next step in the deployment process is to configure and start server discovery. Figure 7-10 shows the discovery set for the forest and root domain. To include the domain in discovery, click Add.



FIGURE 7-10 Configure server discovery

With Windows Server 2016, you can also manage other Active Directory forests if a two-way forest trust has been configured. After you click Add for the domain, you can configure whether to discover the domain controllers, DHCP servers, and DNS servers for the domain. You can also add the domain to be discovered by using the Add-IpamDiscoveryDomain cmdlet.
Add-IpamDiscoveryDomain -Name "contosoforest.com"

By default, after discovering the servers in the environment, the manageability status is set to Unspecified. To configure a server as being managed, edit the server in the discovery list. Set the Manageability Status to Managed, as shown in Figure 7-11.



FIGURE 7-11 Edit server

Create and manage IP blocks and ranges
IPAM address blocks define the IPv4 or IPv6 addresses that are to be managed. IPAM automatically labels the IPv4 blocks as either public or private blocks based on Internet Assigned Numbers Authority (IANA) ranges. IP address blocks are typically divided into smaller chunks, named ranges. IP address ranges can be used as a DHCP scope or pool of static addresses that can be used on hosts. Ranges are comprised of individual IP addresses. Figure 7-12 shows creating an IPv4 address block.



FIGURE 7-12 IPv4 address block

Adding a block of IP addresses can also be completed from PowerShell using the Add-IpamBlock cmdlet.
Add-IpamBlock -NetworkId "10.0.0.0/8"

Adding a range of IP addresses is like creating a block. The range expects the network ID and either the subnet prefix or subnet mask. Figure 7-13 shows creating an IPv4 address range.



FIGURE 7-13 IPv4 address block

Like creating a block of IP addresses, a range can be created by using the Add-IpamRange cmdlet. A range also needs its first and last address, so the cmdlet takes the start and end addresses alongside the network ID.
Add-IpamRange -NetworkId "192.168.0.0/24" -StartIPAddress 192.168.0.1 -EndIPAddress 192.168.0.254

Monitor utilization of IP address space
After you have added the blocks and ranges to the IPAM configuration, you can find available addresses a few different ways. From the IPAM interface in Server Manager, right-click a range and then click Find and Allocate Available IP Address. The tool searches the IP address range for the next available IP address based on the search criteria, as shown in Figure 7-14.



FIGURE 7-14 Find and Allocate Available IP Address

After locating an available IP address, you can use the same tool to then allocate that IP address as a DHCP reservation, create a DNS record, or provide any other custom configuration with the IP address.
The IP Address Blocks and IP Address Range Groups pages in the IPAM interface also display the utilization rate for each block or range. The three states that a block or range can be in are:
■ Under If the IP address allocation is less than 20 percent, then the block or range is considered under-utilized.
■ Optimal If the IP address allocation is between 20 and 80 percent, then the block or range is considered optimal.
■ Over If the IP address allocation is over 80 percent, then the block or range is considered over-utilized.
Figure 7-15 shows a portion of the IPAM interface that displays the utilization rate.



FIGURE 7-15 IP address range utilization

The under and over utilization rates can also be configured by modifying the utilization threshold for the IPAM configuration. From Server Manager, click Manage, and then click IPAM Settings. On the IPAM Settings screen, click Configure Utilization Threshold. Figure 7-16 shows the configuration screen for the threshold settings.

FIGURE 7-16 Configure IP Address Utilization Threshold

There are also three PowerShell cmdlets that can be used to identify available IP addresses:
■ Find-IpamFreeAddress This cmdlet finds one or more available IP addresses that are in a range of addresses defined on the IPAM server.
■ Find-IpamFreeRange This cmdlet finds free IP ranges that are available on the IPAM server.
■ Find-IpamFreeSubnet This cmdlet finds free IP subnets that are available on the IPAM server.
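The server discovery, block and range creation, and utilization sections above form one deployment sequence, so here they are as a single script run on the IPAM server with the IpamServer module. This is an added example rather than the book's own code: the domain name, the 10.0.0.0/8 block, the 10.0.10.0/24 range and the threshold values are assumptions, and the property names read from the cmdlet output objects are assumed from the module's typical output.

```powershell
# Added example, not from the book: discovery, address space and utilization in one workflow.
# Domain, addresses and thresholds are assumptions; result-object property names are assumed.
Import-Module IpamServer

# Server discovery: add the forest root domain and discover DCs, DNS and DHCP servers in it.
# Discovery itself is then started from the console, as the text describes.
Add-IpamDiscoveryDomain -Name 'contosoforest.com' -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true

# Discovered servers start as Unspecified; mark them Managed so IPAM collects from them
Get-IpamServerInventory -ManageabilityStatus Unspecified |
    Set-IpamServerInventory -ManageabilityStatus Managed

# Address space: a private /8 block (IPAM labels it private from the IANA ranges) and a
# /24 range carved out of it for static hosts
Add-IpamBlock -NetworkId '10.0.0.0/8' -Description 'Corporate private space (added example)'
Add-IpamRange -NetworkId '10.0.10.0/24' -StartIPAddress 10.0.10.1 -EndIPAddress 10.0.10.254 `
    -Description 'Static servers (added example)'

# Thresholds behind the Under / Optimal / Over states (20 and 80 percent, as in the text)
Set-IpamAddressUtilizationThreshold -UnderUtilizationThreshold 20 -OverUtilizationThreshold 80

# Find the next free address in the range, probing it first so an address that is already
# answering on the wire is not handed out twice, then record the allocation in IPAM
$Range = Get-IpamRange -StartIPAddress 10.0.10.1 -EndIPAddress 10.0.10.254
$Free  = Find-IpamFreeAddress -InputObject $Range -NumAddress 1 -TestReachability
if ($Free) {
    # IPAddress: assumed property name on the Find-IpamFreeAddress result
    Add-IpamAddress -IpAddress $Free.IPAddress -Description 'Allocated by added example'
}

# Review the range, including its utilization figures
Get-IpamRange -StartIPAddress 10.0.10.1 -EndIPAddress 10.0.10.254 | Format-List
```

Recording every static allocation with `Add-IpamAddress` is what makes the utilization percentages in the console meaningful; addresses assigned outside IPAM are invisible to it until discovered through a managed DHCP server.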



Migrate existing workloads to IPAM
If you selected the default installation options when installing IPAM, the Windows Internal Database (WID) files are located in the %WINDIR%\System32\ipam\Database directory. There are two files listed: ipam.mdf and ipam_log.ldf. To migrate from an existing installation, follow these general steps:
1. Stop the WID service on the existing server.
2. Back up the IPAM database files on the existing server.
3. Install the IPAM feature on the new server, specifying the WID database type.
4. Stop the WID service on the new server.
5. Restore the database files from the backup.
6. Start the WID service on the new server.
After migrating the workload to a new server, or performing an in-place upgrade, use the Update-IpamServer cmdlet to update the IPAM schema based on the new operating system. If you are using a Microsoft SQL Server to host the database on the existing server, you can simply specify the server during the IPAM installation on the new server. If you need to migrate the SQL database, use the Move-IpamDatabase cmdlet as explained in the next section.
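The six migration steps above as a script, added here as an example and not taken from the book. The WID service name MSSQL$MICROSOFT##WID is the standard name of the Windows Internal Database service; the backup share path and the two server roles (old and new) are assumptions, and the step-3 install commands are shown as comments because they are run once, interactively, on the new server.

```powershell
# Added example, not from the book: moving a WID-hosted IPAM database to a new server.
# The backup share is an assumption. Run the first part on the existing server and the
# second part on the new server, both elevated.
$WidService = 'MSSQL$MICROSOFT##WID'                        # Windows Internal Database service
$DbDir      = Join-Path $env:windir 'System32\ipam\Database'
$DbFiles    = 'ipam.mdf', 'ipam_log.ldf'
$Backup     = '\\FileServer1\IpamBackup'                    # assumed backup share

# --- Existing server: steps 1 and 2 ---
Stop-Service -Name $WidService -Force
foreach ($f in $DbFiles) {
    Copy-Item -Path (Join-Path $DbDir $f) -Destination $Backup -Force
}
# Record hashes so the restore on the new server can be checked against them
Get-FileHash -Path ($DbFiles | ForEach-Object { Join-Path $Backup $_ }) | Format-Table Hash, Path
Start-Service -Name $WidService

# --- New server: step 3, done once before the restore ---
# Install-WindowsFeature IPAM -IncludeManagementTools
# Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix 'IPAM' -DatabaseEngine WID

# --- New server: steps 4, 5 and 6 ---
Stop-Service -Name $WidService -Force
foreach ($f in $DbFiles) {
    Copy-Item -Path (Join-Path $Backup $f) -Destination $DbDir -Force
}
Get-FileHash -Path ($DbFiles | ForEach-Object { Join-Path $DbDir $_ }) | Format-Table Hash, Path
Start-Service -Name $WidService

# Bring the restored schema up to the new operating system's level
Update-IpamServer
```

Stopping the WID service before copying is what guarantees a consistent pair of MDF and LDF files; copying while the service is running yields files that may not attach cleanly.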

Configure IPAM database storage using SQL Server
As mentioned in the earlier section named "Provision IPAM manually or by using Group Policy," a Microsoft SQL Server can also be used to store the IPAM database. The SQL server instance and database must be created to be used with IPAM. IPAM uses the NT AUTHORITY\Network Service user account for all operations, for either a WID or SQL server database. To use a SQL server, the network service account must be granted the following SQL roles:
■ db_datareader
■ db_datawriter
■ db_ddladmin
Additionally, the user account must also be granted the Alter and View database state permission levels for dbo. After the instance and database have been created, and you have assigned the appropriate permissions to the network service account, you can migrate the database to the SQL server by using the Move-IpamDatabase cmdlet.
Move-IpamDatabase -DatabaseServer SQL1 -DatabaseName IPAMDB -DatabasePort 1433 -DatabaseAuthType Windows



Manage DHCP server properties using IPAM
After configuring the IPAM environment and successfully managing the discovered servers, you can begin managing the individual services on these servers. Figure 7-17 shows the DNS and DHCP services that are on a discovered server.

FIGURE 7-17 Managed DHCP and DNS services

Right-clicking a service offers multiple options, including managing the DHCP server properties from IPAM. Figure 7-18 displays the Edit DHCP Server properties configuration screen from the IPAM interface.

FIGURE 7-18 Edit DHCP Server Properties



■ Configure Predefined DHCP Options This enables you to create DHCP Standard Options for the server.
■ Configure DHCP User Class This enables you to create user classes on the DHCP server.
■ Configure DHCP Vendor Class This enables you to create vendor classes on the DHCP server.

Configure DHCP policies and failover
Configuring DHCP policies and failover is also performed by right-clicking the DHCP service from the IPAM console. Figure 7-12 also shows that you can manage DHCP policies from IPAM.
■ Configure DHCP Policy Enables you to create a DHCP policy that contains criteria, conditions, and options for the specified policy.
■ Import DHCP Policy Enables you to import an existing policy at either the server or scope level to the IPAM database.
■ Deactivate DHCP Policies This deactivates the policies that are applied to the selected DHCP server.

Manage DNS server properties using IPAM
Managing DNS from the IPAM interface is performed the same way as DHCP, but with fewer options when you right-click the service. Figure 7-20 shows a portion of the IPAM interface with the available DNS options.

FIGURE 7-20 DNS options in IPAM

The available options include:
■ Launch MMC This launches the DNS Manager MMC snap-in from the IPAM interface.



■ Create DNS zone This enables you to create a forward or reverse lookup zone with advanced options directly from IPAM.
■ Create DNS Conditional Forwarder This enables you to create a conditional forwarder with advanced options directly from IPAM.
■ Set Access Scope Configure the access scope for the DNS server.
■ Retrieve Server Data Obtain the latest data from the DNS server.

Manage DNS zones and records
Individual zones and records can be managed from the DNS Zones tab of the IPAM interface. Figure 7-21 shows a portion of the IPAM interface that displays the available DNS zone options.

FIGURE 7-21 DNS zone options in IPAM

The available DNS zone options that can be configured from the IPAM interface include:
■ Add DNS Resource Record This creates a record type, such as an A record, in the DNS zone.
■ Configure Preferred DNS Server Select the authoritative DNS server for the DNS zone that is used by IPAM.
■ Reset Zone Status Reset the status of the DNS zone in the IPAM database. Use the Retrieve Server Data option to collect the latest data from the DNS server.
■ Edit DNS Zone Enables you to modify the name servers, scavenging, updates, and zone transfer settings for the zone.
■ Delete DNS Zone Remove the zone from the DNS server.
■ Set Access Scope Set the access scope on the IPAM server.



Manage DNS and DHCP servers in multiple Active Directory forests
In Windows Server 2012 R2, IPAM had to be in the same forest as the DNS and DHCP servers that were to be managed. With Windows Server 2016, IPAM can discover DNS and DHCP servers across forests, provided there is a two-way forest trust established. After the forest trust has been established, simply select the additional forests in the Configure Server Discovery dialog box to add domains from remote forests. Figure 7-22 shows the Configure Server Discovery screen. To identify additional forests, click the Get Forests button.

FIGURE 7-22 Configure server discovery

After the additional domains have been added to the IPAM database, the management process is the same regardless of which forest the server is in.

Delegate administration for DNS and DHCP using Role-Based Access Control (RBAC)
While the day-to-day tasks of managing and configuring IPAM are simple enough, the more complex aspect is understanding the different role-based security groups that are used with IPAM. Table 7-3 summarizes the available groups and their associated permission level.



Chapter summary
■ How to deploy and provision IPAM and the required GPOs
■ Configuring server discovery to locate servers to be managed by IPAM
■ Creating and managing IP address blocks and ranges
■ Locating available IP addresses by using the interface and PowerShell
■ Moving and migrating a WID database to a new server
■ Moving the WID database to a Microsoft SQL Server database
■ Configuring IPAM with System Center VMM
■ Managing DHCP servers and scopes by using IPAM
■ Managing DNS servers and zones by using IPAM
■ Using IPAM to manage multiple forests
■ Role-based permissions that are used by IPAM

Thought Experiment
A company has a single Active Directory forest with multiple child domains. The company has partnered with another organization, and a two-way Active Directory forest trust has been established. The company plans to use IPAM with a Windows Internal Database, but needs to ensure that the database is part of the backup strategy. The following users must be configured to manage the IPAM environment. Each user must not have more permissions than are necessary.
■ User1 must be configured to manage IP address blocks.
■ User2 must be configured to manage DNS and DHCP servers.
■ User3 must be configured to manage IP address allocation in IPAM.
Using the above information, answer the following questions:
1. How many IPAM servers must be deployed to manage both forests?
2. How should the IPAM database be included in the backup strategy?
3. Which role should User1 be added to?
4. Which role should User2 be added to?
5. Which role should User3 be added to?



Thought Experiment Answers
1. One. With Windows Server 2016, IPAM can manage multiple Active Directory forests if a two-way trust has been established.
2. The MDF and LDF files should be included in the backup; they are typically located in the %WINDIR%\System32\IPAM\Database directory.
3. User1 should be a member of the IPAM ASM Administrator Role. This enables the user to manage IP address blocks and ranges, but not other aspects of the IPAM configuration.
4. User2 should be a member of the IPAM MSM Administrator Role. This enables the user to manage DNS and DHCP without managing other aspects of IPAM.
5. User3 should be a member of the IPAM IP Address Record Administrator Role. This enables the user to manage IP address allocation within IPAM.



CHAPTER 8

Implement network connectivity and remote access solutions
This chapter covers one skill that is represented on the exam, which is implementing Virtual Private Networks (VPNs) and DirectAccess. This is a small portion of the exam, and has not changed significantly since Windows Server 2012 R2. The same protocols, authentication options, and DirectAccess requirements that exist in Windows Server 2012 R2 still apply to Windows Server 2016.

Skills in this chapter:
■ Implement Virtual Private Network and DirectAccess solutions

Implement Virtual Private Network and DirectAccess solutions
In this section, we discuss how to implement a VPN and DirectAccess solution. We explain the various VPN protocols and authentication options that can be used with the protocols. DirectAccess is also explained, including how to install and configure it using the available wizard.

When configuring a RAS Gateway, there are a few different VPN options:
■ Site-to-site VPN This connects two networks together, such as a branch office to a corporate office.
■ Point-to-site VPN This enables individual remote connections from client computers to a corporate office.
■ Dynamic routing with Border Gateway Protocol (BGP) BGP provides automatic route reconfiguration based on the routes that are connected from site-to-site VPNs.
■ Network Address Translation (NAT) NAT enables you to share a single IP address to connect multiple devices to a network.
■ DirectAccess server DirectAccess provides a method of seamless VPN services for client computers that are connecting to a corporate network.

The Remote Access server role can be installed by using the Add Roles and Features Wizard, or by using the Install-WindowsFeature cmdlet. After installing the role, use the Routing and Remote Access MMC snap-in to manage the server role. The initial setup requires completing the Routing and Remote Access Server Setup Wizard. Figure 8-1 shows the default configuration of the RAS snap-in. Note that the server icon is showing as down because no configuration has been defined.

FIGURE 8-1 RAS snap-in

To perform the initial configuration on the RAS server, right-click the server and then select Configure And Enable Routing And Remote Access. Figure 8-2 shows the available options to configure the RAS server.



FIGURE 8-2 RAS Setup Wizard Configuration

To enable remote access and VPN access for remote clients, use the Remote Access option. The next configuration screen in the wizard prompts you to choose the connection type for the server, VPN or Dial-up. Figure 8-3 shows selecting VPN as the connection type.

FIGURE 8-3 RAS Setup Wizard Remote Access



The next configuration option in the wizard is to bind the services to a specific network adapter. The available network adapters on the server are displayed. By default, when a network adapter is selected, the necessary firewall rules are enabled for the adapter to allow inbound traffic on the adapter. Figure 8-4 shows the network adapter selection screen of the wizard.

FIGURE 8-4 RAS Setup Wizard VPN Connection

For clients to connect to the network, they must have an IP address that is either on the network, or is routable for the network. The RAS server provides the option to assign IP addresses to clients automatically, either from a DHCP server on the network or by acting as a DHCP server itself. You can also define a certain range of IP addresses for the RAS server to use specifically for remote clients. Figure 8-5 shows the IP Address Assignment screen of the wizard.



FIGURE 8-5 RAS Setup Wizard VPN IP Address Assignment

Finally, the last option in the wizard is to configure the authentication method for the remote clients. By default, the RAS server authenticates the clients using Windows Authentication through Extensible Authentication Protocol (EAP) or Microsoft encrypted authentication version 2 (MS-CHAP v2). Optionally, you can configure a RADIUS server to authenticate the clients, or configure the RAS server to act as a RADIUS server. Figure 8-6 shows the authentication configuration during the wizard.



FIGURE 8-6 RAS Setup Wizard authentication options

You can also configure the RAS role by using the Install-RemoteAccess cmdlet.
Install-RemoteAccess -VpnType Vpn

Configure different VPN protocol options
A RAS server supports a few different VPN protocols for connectivity. These protocols include:
■ Point-to-Point Tunneling Protocol (PPTP) PPTP enables traffic to be encrypted and encapsulated before it is sent across the network. PPTP can be used for remote access and site-to-site VPNs. PPTP uses Microsoft Point-to-Point Encryption (MPPE) with encryption keys generated from MS-CHAP v2 or EAP-TLS authentication.
■ Layer Two Tunneling Protocol (L2TP) L2TP encrypts traffic over any point-to-point network, including IP and Asynchronous Transfer Mode (ATM) connections. L2TP uses IPsec Transport Mode for encryption services instead of MPPE.
■ Secure Socket Tunneling Protocol (SSTP) SSTP is the newest of the protocols and uses HTTPS to secure VPN traffic. This reduces the firewall footprint by enabling an existing firewall port (443) to be used for VPN traffic. SSTP encapsulates the network traffic over SSL to provide transport-level security.



Configure authentication options
There are two primary authentication options that are used with a RAS server:
■ Windows authentication This method is used by default for VPN connections, and queries Active Directory or local accounts as part of the authentication process.
■ RADIUS authentication RADIUS authentication uses an external source for authentication and authorization services. The RAS server can be configured as a RADIUS server, or you can specify an external RADIUS server from the RAS server properties.
By default, Windows authentication is configured with RAS VPN services. When using Windows authentication, there are a few authentication methods that can be used:
■ Extensible Authentication Protocol (EAP) This method is enabled by default, and should be used if Network Access Protection (NAP) is also being used with the VPN service.
■ Microsoft Encrypted Authentication version 2 (MS-CHAP v2) This method is also enabled by default.
■ Encrypted authentication (CHAP) By default, this is disabled for VPN services.
■ Unencrypted password (PAP) By default, this is disabled for VPN services.
■ Allow machine certificate authentication for IKEv2 By default, this certificate-based authentication is disabled for VPN services.
■ Unauthenticated access By default, this is disabled for VPN services.
Figure 8-7 shows the Authentication Methods dialog box with the default options selected.

FIGURE 8-7 Windows Authentication Methods
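The wizard choices from the VPN, protocol and authentication sections above (the role install, an SSTP certificate on port 443, a static address pool, and Windows authentication limited to EAP and MS-CHAP v2) carried out with the RemoteAccess module. This is an added example, not code from the book: vpn.contoso.com, the 10.0.200.0 pool and the nps1.contoso.com RADIUS server are assumptions, and the certificate is assumed to be already enrolled in the machine store.

```powershell
# Added example, not from the book: VPN role configured from PowerShell instead of the wizard.
# vpn.contoso.com, the address pool and the NPS server name are assumptions.
Import-Module RemoteAccess

$PublicName = 'vpn.contoso.com'   # assumed external name, must match the SSTP certificate

# SSTP needs a server certificate with a private key whose subject is the public name
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$PublicName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for $PublicName in LocalMachine\My." }

# Same cmdlet the text shows, then bind the certificate used for SSTP on 443
Install-RemoteAccess -VpnType Vpn
Set-RemoteAccess -SslCertificate $Cert

# IP address assignment: a static pool reserved for remote clients rather than DHCP relay
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange '10.0.200.1', '10.0.200.254'

# Windows authentication limited to the two methods the wizard enables by default;
# CHAP, PAP and unauthenticated access stay off.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2

# Optional: hand authentication to an NPS/RADIUS server. The shared secret is read
# interactively so it does not live in the script.
# $Secret = Read-Host -Prompt 'RADIUS shared secret'
# Add-RemoteAccessRadius -ServerName 'nps1.contoso.com' -SharedSecret $Secret -Purpose Authentication
# Set-VpnAuthType -Type ExternalRadius

# Review the result
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Get-VpnAuthProtocol
```

Listing only `EAP, MSChapv2` in `-UserAuthProtocolAccepted` is the scripted equivalent of leaving the CHAP, PAP and unauthenticated boxes in Figure 8-7 cleared.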



■ Multitenant edge A RAS gateway for multitenant environments enables a cloud provider to offer all the same features of a single tenant, including BGP, DirectAccess, and NAT. The primary difference is that the device filters or reroutes traffic based on the tenant that is being accessed.

Single tenant mode
Most corporate environments use the single tenant mode. In single tenant mode, a RAS gateway can be deployed as an edge device for a VPN server, DirectAccess server, or both. The RAS gateway can enable remote client computers with multiple options for connecting back to the corporate network.

Multitenant mode
If there are multiple tenants hosted in the datacenter that are accessed, then the multitenant mode should be used. Multitenancy enables a datacenter to provide a cloud infrastructure to support virtual machine workloads, virtual networks, and storage.
Virtual networks can be created by using Hyper-V Network Virtualization. A RAS gateway can be integrated with the Hyper-V Network Virtualization stack to route network traffic efficiently depending on the tenant that is being accessed.
With Windows Server 2016, a RAS gateway can route traffic to any resource within a private or hybrid cloud network. The RAS gateway can route traffic between physical and virtual networks at any location.

Install and configure DirectAccess
DirectAccess is a component of the Remote Access server role that provides seamless connectivity for remote clients to a corporate network. After configuring the RAS role on a server, DirectAccess can be enabled from either the Routing and Remote Access MMC snap-in, from the Remote Access Management Console, or by using Windows PowerShell. Figure 8-8 shows the Remote Access Management Console, where DirectAccess can be enabled from the Tasks pane.

FIGURE 8-8 Remote Access Management Console



Enabling DirectAccess launches the Enable DirectAccess Wizard. One of the first steps of the wizard is to perform a prerequisite check on the server that you are enabling DirectAccess on. If successful, the wizard enables you to continue with the configuration. The first configuration item in the wizard is to select the security groups that contain the computer objects for which DirectAccess is enabled. You can also determine whether to only enable DirectAccess for mobile computers, or to force tunneling so that all Internet traffic from the computer uses the corporate network. Figure 8-9 shows the configuration options for DirectAccess groups.

FIGURE 8-9 Selecting DirectAccess computer groups

Next, you identify the topology of the DirectAccess implementation. The RAS server can be in one of three configurations:
■ Edge The RAS server is directly connected to the Internet with no physical firewall or NAT device in place.
■ Behind An Edge Device (With Two Network Adapters) The RAS server is behind a network firewall or other device and has two network adapters. One network adapter is on the network with the firewall. The second network adapter is on the corporate internal network.
■ Behind An Edge Device (With A Single Network Adapter) The RAS server is behind a network firewall or edge device. The network adapter on the RAS server is connected to both the firewall and the internal corporate network.



For any configuration, the external FQDN or IP address that clients use to connect must be specified. Figure 8-10 shows the network topology configuration in the wizard.

FIGURE 8-10 Specifying the network topology

After selecting the network topology, you can configure the DNS suffix list that is used by DirectAccess clients. This is similar to setting a suffix list from DHCP. Any time a DirectAccess client uses a single-label name, such as Server1, the server appends a list of DNS suffixes until a response is found for a FQDN. The order that the list is in is also important. If a match is found, then the remaining domains are skipped. If there are two Server1 objects in different lookup zones (or FQDNs), then the first in the list is returned to the DirectAccess client. Figure 8-11 shows configuring DirectAccess with the domain name and an additional domain.



FIGURE 8-11 Specifying the network topology

The final step is to configure the Group Policy Objects (GPOs) that are used to apply the DirectAccess policies. Two GPOs are created and linked to the domain:
■ DirectAccess client GPO This contains the client settings for the DirectAccess clients.
■ DirectAccess server GPO This contains the RAS server settings for the DirectAccess server.
Figure 8-12 shows the confirmation to create the two new GPOs in the domain.
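The Enable DirectAccess Wizard steps above (client security group and mobile-only option, topology and public name, DNS suffix list, and the two GPO names) as a script using the RemoteAccess module. This is an added example rather than the book's own code. The public name da.contoso.com, the client group, the adapter names, the GPO names, the additional suffix and the "behind an edge device with two adapters" topology are all assumptions, and the property names read from Get-DAClientDnsConfiguration are assumed from the module's output.

```powershell
# Added example, not from the book: DirectAccess enabled with the RemoteAccess module,
# making the same choices the Enable DirectAccess Wizard walks through. All names are assumptions.
Import-Module RemoteAccess

$PublicName  = 'da.contoso.com'                          # assumed external FQDN clients connect to
$ClientGroup = 'CONTOSO\DirectAccess Clients'            # assumed group of client computer objects
$ClientGpo   = 'contoso.com\DirectAccess Client Settings'  # the two GPOs from Figure 8-12
$ServerGpo   = 'contoso.com\DirectAccess Server Settings'

# Topology: behind an edge device with two adapters ('External' and 'Internal' are assumed
# adapter names). -DeployNat tells the server its public address is translated by that
# device; omit it for the Edge topology.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $PublicName `
    -InternetInterface 'External' -InternalInterface 'Internal' -DeployNat `
    -ClientGpoName $ClientGpo -ServerGpoName $ServerGpo -Force

# Client selection from Figure 8-9: the security group, mobile computers only, no force tunneling
Add-DAClient -SecurityGroupNameList $ClientGroup
Set-DAClient -OnlyRemoteComputers Enabled -ForceTunnel Disabled

# DNS suffix list from Figure 8-11. The install creates the entry for the corporate suffix
# pointing at the DirectAccess server's DNS64 address; reuse that address for the additional
# suffix so it is appended after the corporate domain in the list.
# DnsSuffix and DnsIPAddress are assumed property names on the configuration objects.
$Corp = Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -eq '.contoso.com' }
if ($Corp) {
    Add-DAClientDnsConfiguration -DnsSuffix '.partner.contoso.com' -DnsIPAddress $Corp.DnsIPAddress
}

# Review the resulting list; order matters for single-label names
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress
```

Keeping `-ForceTunnel Disabled` is the split-tunnel default the wizard proposes; enabling it sends all client Internet traffic through the corporate network, which is the trade-off the text describes.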



Chapter summary
■ Implementing the remote access server role
■ Configuring VPN options by using the RAS server role
■ Configuring authentication options through Windows or RADIUS authentication
■ Using VPN Reconnect to automatically reconnect mobile clients
■ Setting connection profiles by using Intune or System Center
■ Understanding scenarios for single tenant and multitenant deployments
■ Installing and configuring the DirectAccess service
■ Implementing prerequisites for DirectAccess
■ Using GPOs to manage client configuration
■ Understanding basic troubleshooting methods for DirectAccess

Thought Experiment
A company has a corporate office and three branch offices. The corporate office has approximately 10,000 client computers. Each branch office has approximately 1,000 client computers. Each branch office must have connectivity to the corporate office. The company also employs 1,000 sales and field staff that must connect remotely to the corporate network. All mobile clients run Windows 8.1 or Windows 10 Enterprise editions. Executive-level staff must have the ability to connect to the corporate network using their home computers that are not domain joined. IT staff must have the ability to VPN into the corporate network using SSL.
Using the above scenario, answer the following questions:
1. How should the sales and field staff connect to the corporate office?
2. How should executive-level staff connect to the corporate network?
3. How should the branch offices connect to the corporate office?
4. Which VPN protocol should the IT staff use for the VPN connection?



Thought Experiment Answers
1. Sales and field staff should connect using DirectAccess for the most seamless experience.
2. Executive-level staff should use a company portal to access corporate resources from computers that are not domain joined.
3. The branch offices should be configured with a site-to-site VPN to connect to the corporate office.
4. IT staff should use the SSTP protocol, as it is the only protocol that connects using SSL.



CHAPTER 9

Implement an advanced network infrastructure
In this chapter, we will review the new features and skills that can be used with a network infrastructure in Windows Server 2016. From a networking perspective, the primary change to Windows Server 2016 is in the Software Defined Networking (SDN) components. These updates include the ability to:
■ Mirror and route traffic to new or existing appliances
■ Dynamically segment workloads similar to Microsoft Azure
■ Use a distributed firewall and network security groups
■ Deploy and manage the SDN with System Center Virtual Machine Manager
■ Combine SDN with Docker for container networking
Windows Server 2016 also includes enhancements to the TCP stack; however, these changes are not called out on the exam skills. These improvements include:
■ Increasing the Initial Congestion Window from 4 to 10
■ TCP Fast Open (TFO) has been enabled to reduce the time to establish a TCP connection
■ TCP Tail Loss Probe (TLP) has been implemented to assist in recovering from packet loss
■ Recent Acknowledgement (RACK) has been implemented to reduce the time required to transmit a packet

Skills in this chapter:
■ Implement high performance network solutions
■ Determine scenarios and requirements for implementing Software Defined Networking

FIGURE 9-1 NIC Teaming

Enable and configure Receive Side Scaling and enable and configure virtual Receive Side Scaling on a Virtual Machine Queue capable network adapter
Receive Side Scaling (RSS) can be used for a virtual machine path to enable the VM to support additional network traffic loads. RSS distributes the traffic loads across multiple processor cores on the Hyper-V host and the VM. A VM can only use RSS if the processor on the host supports the feature, and if the VM is configured to use multiple processor cores.
RSS can be enabled from the Advanced tab of the network adapter properties. Figure 9-2 displays the Advanced tab with RSS enabled.



FIGURE 9-2 Network Adapter Properties

You can also enable RSS by using the netsh command. Figure 9-3 shows running the full netsh command.
netsh interface tcp set global rss=enabled

FIGURE 9-3 netsh RSS command

If you plan to use RSS in a virtual environment, then the Hyper-V host processor and network adapter must support RSS. Simply configure RSS by using the same methods within the virtual machine.
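The host-side and VM-side checks described above, as an added PowerShell example that is not from the book: it verifies RSS and VMQ on the host adapter, gives the VM more than one virtual processor, and enables vRSS on the VM's network adapter. The adapter name "Ethernet 2", the VM name "WebVM" and the processor count of 4 are assumed values.

```powershell
# Added example (not from the book): check RSS and VMQ on a host adapter,
# enable RSS, and turn on vRSS for a VM. "Ethernet 2", "WebVM" and the
# processor count of 4 are assumed values.
$adapterName = "Ethernet 2"
$vmName      = "WebVM"

# 1. Host: the physical adapter (and its driver) must support RSS.
$rss = Get-NetAdapterRss -Name $adapterName -ErrorAction Stop
if (-not $rss.Enabled) {
    Enable-NetAdapterRss -Name $adapterName
    $rss = Get-NetAdapterRss -Name $adapterName
}
# Processor range and queue count that receive traffic is spread across.
$rss | Format-List Name, Enabled, BaseProcessorNumber, MaxProcessorNumber, NumberOfReceiveQueues

# 2. Host: vRSS inside a VM rides on VMQ, so the adapter must be VMQ capable.
$vmq = Get-NetAdapterVmq -Name $adapterName -ErrorAction SilentlyContinue
if ($null -eq $vmq) {
    throw "$adapterName does not expose VMQ; vRSS cannot be used for VMs on it."
}
if (-not $vmq.Enabled) { Enable-NetAdapterVmq -Name $adapterName }

# 3. Guest: vRSS has nothing to spread across on a single vCPU.
$vm = Get-VM -Name $vmName
$wasRunning = ($vm.State -eq "Running")
if ($vm.ProcessorCount -lt 2) {
    # The processor count can only be changed while the VM is off.
    if ($wasRunning) { Stop-VM -Name $vmName -Force }
    Set-VMProcessor -VMName $vmName -Count 4
}

# 4. Enable vRSS on the VM's network adapter (VrssEnabled parameter of
#    Set-VMNetworkAdapter), then bring the VM back if it was stopped above.
Set-VMNetworkAdapter -VMName $vmName -VrssEnabled $true
if ($wasRunning -and (Get-VM -Name $vmName).State -ne "Running") { Start-VM -Name $vmName }

# 5. Inside the guest, RSS still has to be enabled on the synthetic adapter
#    with the same cmdlet: Enable-NetAdapterRss -Name "Ethernet" (run in the VM).
Get-VMNetworkAdapter -VMName $vmName | Format-List VMName, VrssEnabled, VmqWeight
```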



Enable and configure network Quality of Service with Data Center Bridging
Data Center Bridging (DCB) is based on an Institute of Electrical and Electronics Engineers (IEEE) standard for networking. DCB enables multiple types of network traffic to be sent across the same physical Ethernet media. DCB allocates bandwidth and Quality of Service (QoS) at the hardware level, rather than from the operating system. DCB is a feature that can be installed on a server that runs Windows Server 2012 and later. Nano Server also supports using DCB by specifying the Microsoft-NanoServer-DCB-Package option.
Using DCB requires that each component of the network topology supports the capabilities. From a Windows Server perspective, DCB can only be configured by using the following PowerShell modules:
■ netqos
■ dcbqos
■ netadapter
Some important cmdlets in the dcbqos module to be aware of include:
■ Enable-NetQoSFlowControl Enables priority-based flow control with DCB
■ New-NetQoSTrafficClass Creates a new traffic class to be used with DCB
■ Switch-NetQoSDcbxSetting Sets the policy globally or for specific network adapters on the server
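A DCB configuration that uses the three modules named above end to end, as an added PowerShell example that is not from the book: it classifies SMB traffic into 802.1p priority 3, enables priority flow control for that priority only, reserves bandwidth with a traffic class, and applies the policy to one adapter. The adapter name "SLOT 2" and the 50 percent reservation are assumptions; the DCBX cmdlet used here is Set-NetQosDcbxSetting, the name the DcbQoS module exposes for the willing setting.

```powershell
# Added example (not from the book): DCB/QoS for SMB traffic on one adapter.
# "SLOT 2" and the 50% bandwidth reservation are assumed values.
$adapterName = "SLOT 2"

# The DcbQoS module comes with the Data Center Bridging feature.
if (-not (Get-WindowsFeature Data-Center-Bridging).Installed) {
    Install-WindowsFeature Data-Center-Bridging
}

# 1. netqos module: tag SMB Direct traffic (port 445) with 802.1p priority 3.
New-NetQosPolicy -Name "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3

# 2. dcbqos module: priority flow control only for the SMB priority. Making
#    every priority lossless would let any traffic class stall the link.
Enable-NetQosFlowControl -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# 3. dcbqos module: ETS traffic class that reserves bandwidth for priority 3.
New-NetQosTrafficClass -Name "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

# 4. netadapter module: turn DCB on for the adapter, and keep the host-defined
#    policy authoritative rather than accepting whatever the switch advertises.
Enable-NetAdapterQos -Name $adapterName
Set-NetQosDcbxSetting -Willing $false -Confirm:$false

# 5. Verify what the adapter actually negotiated.
Get-NetQosFlowControl | Where-Object { $_.Enabled }
Get-NetQosTrafficClass
Get-NetAdapterQos -Name $adapterName
```

Every switch port in the path must carry the same priority, PFC and ETS settings, or the lossless behaviour stops at the first hop that drops the tag.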

Enable and configure SMB Direct on Remote Direct Memory Access enabled network adapters
As discussed in Chapter 3, “Implement Hyper-V,” Remote Direct Memory Access (RDMA) provides direct memory access between computers without the need for the operating system. RDMA enables high performance with low latency for storage environments. RDMA is currently supported on three types of network adapters:
■ InfiniBand
■ Internet Wide Area RDMA Protocol (iWARP)
■ RDMA over Converged Ethernet (RoCE)
Windows Server 2016 introduces new RDMA support, including:
■ Converged RDMA RDMA adapters can be teamed for multiple types of network traffic.
■ Switch Embedded Teaming (SET) Up to eight network adapters can be teamed and used with virtual switches and provide the same benefits as discussed earlier in this chapter.



FIGURE 9-5 Virtual Machine Hardware Acceleration Settings

Skill 9.2: Determine scenarios and requirements for implementing Software Defined Networking
In this section, we discuss the scenarios and requirements that are commonly used with SDN. That includes the requirements for using Hyper-V Network Virtualization, Generic Route Encapsulation, and Virtual Extensible LAN encapsulation. We will also discuss new features that can be used with Software Load Balancing to manage different traffic loads. Finally, we will explain how to implement a Windows Server Gateway with different SDN needs, and how to use new firewall policies to manage network traffic.



virtual networks, and does not require any additional configuration on physical networking devices when moving or creating virtual machines.
■ IP address management Virtual machines that are in different virtual networks can use the same IP address, even if they are on the same physical network.
Network Virtualization Generic Route Encapsulation (NVGRE) is the process of using two IP addresses for a single virtual network adapter. These two IP addresses include:
■ Customer Address (CA) The IP address that is used by the virtual machine’s guest operating system and by the tenant of the virtual machine. This IP address is used for communication with other virtual machines on the same network.
■ Provider Address (PA) The IP address that is used by the cloud provider and is assigned to a virtual machine by the Hyper-V host. When used with network virtualization, the Hyper-V host encapsulates packets from virtual machines and sends them with the source modified to be the PA address. This ensures that the physical network can route the packet appropriately, and that the Hyper-V hosts deliver responses to the correct virtual machine.
Table 9-1 lists IP addresses that might exist in an example environment.

TABLE 9-1 Example IP addresses with network virtualization

Server name    CA               PA
Server1        192.168.1.100    10.0.0.1
Server2        192.168.1.101    10.0.0.2
Server3        192.168.1.102    10.0.0.3

Using the information in the above table, when Server1 communicates with Server2, only the CA addresses are used during the communication. These addresses are on a virtual network that is only used by the virtual machines associated with the network. However, when any of the servers communicate with the Internet, the CA is encapsulated by the Hyper-V host. The Hyper-V host then modifies the source IP address of the packet header to the PA. The PA is used on the physical network to exit the virtual network and onto the Internet. When a response is received, it is sent to the PA address. The Hyper-V hosts then translate the PA back to the CA to deliver to the individual virtual machine.
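The CA-to-PA mapping of Table 9-1 expressed as Hyper-V Network Virtualization lookup records, as an added PowerShell example that is not from the book. It uses the NetWNV module cmdlets (New-NetVirtualizationLookupRecord, New-NetVirtualizationCustomerRoute, New-NetVirtualizationProviderAddress); the virtual subnet ID, routing domain ID, MAC addresses and interface index are placeholders, and the script is meant to run on the host of Server1.

```powershell
# Added example (not from the book): populate the NVGRE lookup table from
# Table 9-1 on a Hyper-V host. VSID, routing domain ID, MAC addresses and the
# interface index are placeholders for your environment.
$vsid    = 5001                                        # virtual subnet ID (placeholder)
$rdid    = "{11111111-2222-3333-4444-000000000001}"    # routing domain / tenant ID (placeholder)
$ifIndex = 12                                          # host NIC that carries PA traffic (placeholder)

# Table 9-1, plus a placeholder MAC address for each VM's virtual NIC.
$records = @(
    @{ VM = "Server1"; CA = "192.168.1.100"; PA = "10.0.0.1"; MAC = "00155D010001" },
    @{ VM = "Server2"; CA = "192.168.1.101"; PA = "10.0.0.2"; MAC = "00155D010002" },
    @{ VM = "Server3"; CA = "192.168.1.102"; PA = "10.0.0.3"; MAC = "00155D010003" }
)

# Every host needs the complete CA -> PA map: it encapsulates outbound packets
# with the destination's PA and decapsulates replies addressed to its own PA.
foreach ($r in $records) {
    New-NetVirtualizationLookupRecord -CustomerAddress $r.CA -ProviderAddress $r.PA `
        -VirtualSubnetID $vsid -MACAddress $r.MAC -CustomerID $rdid `
        -Rule "TranslationMethodEncap"
}

# The tenant's 192.168.1.0/24 is on-link inside this virtual subnet, so the
# CA-only path between Server1 and Server2 never touches a PA.
New-NetVirtualizationCustomerRoute -RoutingDomainID $rdid -VirtualSubnetID $vsid `
    -DestinationPrefix "192.168.1.0/24" -NextHop "0.0.0.0"

# This host owns the PA that Server1 is advertised under (10.0.0.1 in Table 9-1).
New-NetVirtualizationProviderAddress -ProviderAddress "10.0.0.1" `
    -InterfaceIndex $ifIndex -PrefixLength 24

# Bind the local VM's vNIC to the virtual subnet so the virtual switch applies
# the encapsulation policy to its traffic.
Set-VMNetworkAdapter -VMName "Server1" -VirtualSubnetId $vsid

# Verify the mappings this host will use for encapsulation.
Get-NetVirtualizationLookupRecord |
    Format-Table CustomerAddress, ProviderAddress, VirtualSubnetID, Rule -AutoSize
```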

Determine scenarios for implementation of Software Load Balancer for North-South and East-West load balancing
A new feature introduced with Windows Server 2016 is Network Controller. The Network Controller feature provides two APIs: Southbound and Northbound. The Southbound API enables you to communicate with a given network. The Northbound API enables you to communicate with the Network Controller.

The Southbound API enables you to:
■ Discover network devices
■ Detect network configurations
■ Ascertain network topology details
■ Push configuration changes to the network infrastructure
The Northbound API enables you to obtain information from the Network Controller to monitor and configure a given network. The Northbound API can be used with:
■ Windows PowerShell
■ REST API
■ Management applications, including System Center
The Network Controller features can be used with Software Load Balancing (SLB) to distribute network traffic based on the policies defined in the load balancer. This includes:
■ Layer 4 load balancing for North-South and East-West network traffic
■ Internal and external network traffic
■ Dynamic IP addresses
■ Health probes
An SLB maps virtual IP addresses to the dynamic addresses in an environment. The components of an SLB environment include:
■ Virtual Machine Manager System Center can be used to manage the Network Controller and SLB.
■ Network Controller Deploying the Network Controller feature is a requirement for deploying SLB in an environment.
■ SLB Multiplexer Maps and directs traffic so that it is sent to the correct dynamic IP address.
■ SLB Host Agent Listens for policy updates from the Network Controller and configures virtual switches with the configured policy.
■ BGP-enabled router BGP enables you to route the traffic to and from the SLB Multiplexer.



Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their uses
With Windows Server 2016 and System Center, you can deploy a Windows Server Gateway for routing in a multitenant environment. Windows Server Gateway supports BGP options, including Local BGP IP Address and Autonomous System Numbers (ASN), List of BGP Peer IP Addresses, and ASN values. This enables a cloud provider to route datacenter traffic between virtual and physical networks to and from the Internet.
A RAS Gateway can be used with Hyper-V Network Virtualization to provide several benefits:
■ Site-to-site VPNs Connect two networks at different physical locations together over the Internet.
■ Point-to-site VPNs Connect individual clients to a corporate network over the Internet.
■ GRE tunneling Provide connectivity for tenant virtual networks and external networks.
■ BGP routing Uses a dynamic routing protocol to learn subnets and routes that are connected to the RAS gateway.
A RAS Gateway is useful in several scenarios, including:
■ Multitenant gateway Virtual networks direct traffic to the RAS gateway. The RAS gateway can then direct the traffic over a site-to-site VPN or other destination based on the packet.
■ Multitenant NAT The RAS gateway can also forward the traffic from virtual networks to the Internet, and translate the addresses to publicly routable addresses.
■ Forwarding gateway If the virtual networks need access to physical resources on a network, the RAS gateway can forward the traffic to the appropriate resource.

Determine requirements and scenarios for distributed firewall policies and network security groups
A new service with Windows Server 2016 is the Datacenter Firewall. Datacenter Firewall provides stateful, multitenant firewall protection at the network layer. Figure 9-6 outlines how the firewall is used by a Network Controller.

FIGURE 9-6 Virtual Machine Hardware Acceleration Settings

The Datacenter Firewall provides several benefits:
■ Scalable and manageable software-defined firewall
■ Move virtual networks without affecting tenant networks
■ Protect tenant services outside of an operating system
By using a Datacenter Firewall, you can apply firewall policies to virtual machines or subnets. Like a network access list, a Datacenter Firewall policy can be configured to look at five key network traffic elements:
■ Protocol
■ Source port number
■ Destination port number
■ Source IP address
■ Destination IP address
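A Datacenter Firewall policy built from exactly those five elements and pushed through the Network Controller's Northbound API, as an added PowerShell example that is not from the book. It uses the NetworkController module's AclRule/AccessControlList object types and New-NetworkControllerAccessControlList; the controller URI, tenant subnet, virtual network and subnet names are placeholders.

```powershell
# Added example (not from the book): a five-tuple Datacenter Firewall ACL
# created through the Network Controller Northbound API. The REST URI and
# the tenant, virtual network and subnet names are placeholders.
$uri = "https://nc.contoso.example"   # Network Controller REST endpoint (placeholder)

# Helper (hypothetical, defined here) that fills one AclRule from the five
# tuple elements plus action, direction and priority.
function New-FiveTupleRule {
    param(
        [string]$ResourceId, [string]$Protocol,
        [string]$SourcePrefix, [string]$SourcePorts,
        [string]$DestPrefix,   [string]$DestPorts,
        [string]$Action,       [string]$Type, [int]$Priority
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol       # 1. protocol
    $p.SourceAddressPrefix      = $SourcePrefix   # 2. source IP
    $p.SourcePortRange          = $SourcePorts    # 3. source port
    $p.DestinationAddressPrefix = $DestPrefix     # 4. destination IP
    $p.DestinationPortRange     = $DestPorts      # 5. destination port
    $p.Action   = $Action
    $p.Type     = $Type
    $p.Priority = $Priority.ToString()            # lower number is evaluated first
    $p.Logging  = "Enabled"                       # log matches for the SOC
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $ResourceId
    $rule.Properties = $p
    return $rule
}

# Allow SMB only from the management subnet, deny all other inbound traffic,
# and let the tenant VMs initiate outbound connections.
$rules = @(
    (New-FiveTupleRule -ResourceId "AllowSmbFromMgmt" -Protocol "TCP" `
        -SourcePrefix "192.168.10.0/24" -SourcePorts "0-65535" `
        -DestPrefix "*" -DestPorts "445" -Action "Allow" -Type "Inbound" -Priority 100),
    (New-FiveTupleRule -ResourceId "DenyAllInbound" -Protocol "All" `
        -SourcePrefix "*" -SourcePorts "0-65535" `
        -DestPrefix "*" -DestPorts "0-65535" -Action "Deny" -Type "Inbound" -Priority 200),
    (New-FiveTupleRule -ResourceId "AllowAllOutbound" -Protocol "All" `
        -SourcePrefix "*" -SourcePorts "0-65535" `
        -DestPrefix "*" -DestPorts "0-65535" -Action "Allow" -Type "Outbound" -Priority 300)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri `
    -ResourceId "TenantA-WebTier" -Properties $aclProps -Force

# Attach the ACL to a virtual subnet so every vNIC in it is protected,
# without touching the guest operating systems.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "TenantA-VNet"
$acl    = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "TenantA-WebTier"
$subnet = $vnet.Properties.Subnets | Where-Object { $_.ResourceId -eq "WebTier" }
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $uri `
    -ResourceId $vnet.ResourceId -Properties $vnet.Properties -Force
```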



Chapter summary
■ Using NIC Teaming with virtual switches and Switch Embedded Teaming
■ How to enable Receive Side Scaling
■ Using Quality of Service with Data Center Bridging
■ Enabling SMB Direct with RDMA
■ Enabling VMMQ and SR-IOV on virtual machine network adapters
■ Defining scenarios for using Software Defined Networking
■ Configuring Network Virtualization with Generic Route Encapsulation
■ Using Software Load Balancing with Network Controller
■ Using a RAS Gateway as a Windows Server Gateway
■ Using a Datacenter Firewall for multitenant network protection

Thought Experiment
A cloud provider is planning an expansion of their services. Additional Hyper-V hosts, network resources, storage, and other support components are installed. The cloud provider plans to provide new capabilities to their customers as part of the expansion. These capabilities must include:
■ Built-in firewall services for tenant networks
■ Tenant networks must support overlapping IP addresses
■ Enhanced storage performance
The provider also plans to use a Software Load Balancer for their network.
Using the above scenario, answer the following questions:
1. What feature should the provider use to protect tenant networks?
2. How can the provider ensure that tenant networks can overlap using the same IP addresses?
3. What technology should the network equipment support to enhance storage performance?



Thought Experiment Answers
1. The provider should use the Network Controller and Datacenter Firewall features to ensure that tenant networks have an additional layer of protection.
2. Network Virtualization with Generic Route Encapsulation (NVGRE) can be used to ensure that tenants can assign IP addresses that might overlap with other virtual networks.
3. Networking equipment should support using RDMA to ensure that storage performance is maximized over the network.



CHAPTER 10

Install and configure Active Directory Domain Services
Organizations around the world use Active Directory Domain Services (AD DS) in their infrastructures to support and manage the users and devices on their networks. In doing so, they benefit from enterprise-grade scalability, security, and manageability. AD DS leverages a hierarchical design structure, enabling administrators to organize user and device objects across multiple containers based on the needs of the business. For the exam, you need to be familiar with the various deployment elements for AD DS, such as the installation and configuration of domain controllers.

Skills in this chapter:
■ Install and configure domain controllers

Skill 10.1: Install and configure domain controllers
The first step in implementing AD DS involves installing and configuring a domain controller. In its simplest form, a domain controller is a server running the Windows Server operating system with the AD DS role installed. Depending on the size of an organization, the number of domain controllers supporting AD DS can vary. Considerations like location, security, and redundancy play a major role in the architectural design of AD DS. Imagine you are a system administrator for Wide World Importers. The organization has twelve offices across the globe with 3,500 employees. Four of these offices have limited physical security, but all of them require reliable authentication to the network. In this scenario, you might expect to see redundant domain controllers at each office to improve performance and reliability. The four offices with limited physical security could utilize read-only domain controllers (RODC) to improve logical security.
There are a few different approaches for installing domain controllers, including the creation of a new forest and adding and removing domain controllers from that forest. After installing AD DS, we spend some time reviewing basic configuration tasks, such as how to

referred to as the parent domain. Domains joined to the parent domain are referred to as child domains.
■ Forests Make up a complete Active Directory instance. Each forest acts as a security boundary for the information contained within that Active Directory instance. A forest can contain multiple domains and all objects within.
To get started with AD DS, we first need to install a new forest. In the following example, Wingtip Toys has decided to implement AD DS into their environment. They are using Windows Server 2016 for all their domain controllers. For this exam, you should be familiar with installing a forest using Server Manager and PowerShell.

Install a new forest using Server Manager
In this section, we are going to install a new forest using Server Manager. Follow these steps to complete the installation:
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, make sure that Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services. When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.



FIGURE 10-1 The Add Roles and Features Wizard shows a list of new roles and features to be installed for AD DS

10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A New Forest. For the Root Domain Name, type WingtipToys.local and click Next.
12. On the Domain Controller Options page, review the default settings for forest and domain functional level. Confirm that Domain Name System (DNS) Server is checked. For the Directory Services Restore Mode (DSRM) Password, type P@ssw0rd in the two fields and click Next.
13. On the DNS Options page, note the DNS warning at the top of the wizard. This is expected as this is a new single-server installation of AD DS and we do not currently have a DNS server. Click Next.
14. On the Additional Options page, review the NetBIOS domain name and click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure AD DS. Copy the contents of this text file for use in the next section of this objective. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the results pane and click Install. Once installation completes, the server automatically reboots to finish the AD DS configuration.
After completing these steps, you have a new AD DS forest for WingtipToys.local that consists of a single domain controller. The first time you log into a new forest, use the WINGTIPTOYS\Administrator account. Once logged in, you can create additional administrative accounts for managing the objects in the domain.

Install a new forest using PowerShell
In this section, we are going to install a new forest using PowerShell. We utilize the PowerShell script generated in the Server Manager example to assist with this task. Follow these steps to complete the installation:
1. Save the following PowerShell code to a text file under C:\ADDS and name the file ADDSSetup.ps1:
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "WingtipToys.local" `
-DomainNetbiosName "WINGTIPTOYS" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

2. Open an elevated PowerShell window.
3. Run the following command to install the Active Directory Domain Services role and all required features:
Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

4. Run the following command to run the ADDSSetup.ps1 script:
C:\ADDS\ADDSSetup.ps1

5. When prompted for the Safe Mode Administrator Password, type P@ssw0rd.
6. Review the status messages in the PowerShell window as AD DS is configured on your server. Once the operation completes, the server automatically reboots.



At this point, we have completed the installation and configuration of a new AD DS forest using both Server Manager and PowerShell. Both methods are effective and relatively straightforward, but as with most operations, PowerShell does enable you to automate the installation. In the next section, we walk through the process of adding and removing domain controllers from an existing forest.

Add or remove a domain controller from a domain
As an administrator of AD DS, you occasionally need to retire domain controllers and deploy new ones. This might be due to an operating system update, or possibly due to some recent expansion in your organization. In these situations, it is important to know the process.

Install a new domain controller
In the following example, you are a system administrator for Wingtip Toys. This organization has a healthy AD forest running a single domain. Inside the WingtipToys.local domain, there are three domain controllers located across three geographically dispersed offices. Wingtip Toys has decided to close its Chicago office and open a new location in Washington. You have been tasked with demoting the domain controller in Chicago and deploying a new one in Washington. We start the process by deploying the new domain controller in Washington.
Before you begin, you need to set up a new server running Windows Server 2016. Confirm that the server is on your network and can successfully resolve the WingtipToys.local domain. Complete the following steps to install a new domain controller using Server Manager:
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, highlight Select A Server From The Server Pool, and be sure that your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services. When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.

11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click the Select option that appears next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Confirm that Domain Name System (DNS) Server and Global Catalog (GC) are checked. For the Directory Services Restore Mode (DSRM) password, type P@ssw0rd in the two fields and click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, note the default option for Replication and click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure the new domain controller, which is similar to what we saw when we installed a new forest. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the results pane and click Install. Once the installation is complete, the server automatically reboots to complete the installation.
After completing these steps, the new domain controller is now associated as an object in the WingtipToys.local domain. Open Active Directory Users and Computers from an existing domain controller and confirm that the new server is shown in the Domain Controllers organizational unit. As with the installation of a new forest, adding a new domain controller can also be automated using the PowerShell script output seen in Step 16, most notably the Install-ADDSDomainController cmdlet.
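The scripted form of the promotion above, as an added PowerShell example that is not the book's View Script output: it confirms the server can locate WingtipToys.local, runs the same prerequisite checks as the wizard's Prerequisites Check page, and then calls Install-ADDSDomainController with the wizard's defaults (DNS and Global Catalog). The AD site name "Washington" is an assumption, and the DSRM password is read at the prompt rather than stored in the script.

```powershell
# Added example (not from the book): promote the new Washington server into
# WingtipToys.local from an elevated PowerShell session. The site name
# "Washington" is assumed to exist already in Active Directory Sites and Services.
Import-Module ADDSDeployment

$domain = "WingtipToys.local"
$site   = "Washington"
$cred   = Get-Credential -Message "Enter WINGTIPTOYS Domain Admins credentials"
# Read the DSRM password securely instead of embedding it in the script.
$dsrm   = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

# 1. The new server must be able to find a DC through DNS, otherwise the
#    promotion fails at the prerequisite stage anyway.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "No domain controller SRV records for $domain; fix the DNS client settings first."
}

# 2. Same checks the wizard runs on the Prerequisites Check page; stop on anything
#    that is not a clean pass so warnings are read before the reboot, not after.
$check = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $site
if ($check.Status -ne "Success") {
    $check.Message
    throw "Prerequisite check for $domain did not pass."
}

# 3. Promote with the wizard defaults: DNS server, Global Catalog, default paths,
#    replicate from any available DC, reboot when finished.
Install-ADDSDomainController -DomainName $domain -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns -NoGlobalCatalog:$false -SiteName $site `
    -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" `
    -NoRebootOnCompletion:$false -Force
```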

Demoting an existing domain controller
Continuing with our task, we now demote the domain controller in the Wingtip Toys Chicago office. For this operation, let’s use PowerShell to demonstrate how quickly a domain controller can be demoted. Note that this same procedure can be accomplished in Server Manager using the Remove Roles And Features Wizard. Follow these steps to demote the domain controller using PowerShell:
1. Open an elevated PowerShell window.
2. Type the following command to uninstall the AD DS domain controller role:
Uninstall-ADDSDomainController

3. When prompted, type the local administrator password for the server.



4. When prompted, type Y to complete the operation. Monitor the output shown in the PowerShell window for any warnings or errors. Refer to Figure 10-2 for an example of the expected output. Once complete, the server automatically reboots.

FIGURE 10-2 The Uninstall-ADDSDomainController cmdlet can be used to demote a domain controller from an existing forest.

The process of promoting or demoting a domain controller is something you need to be comfortable with. There are many situations where this can be a required task. Another possible scenario involves upgrading a domain controller to achieve a more current domain functional level, which we discuss in the next section.

Upgrade a domain controller
Once a domain controller is deployed, it often remains untouched, aside from routine maintenance and patches. Of course, there are times where it does become important to upgrade or refresh these servers. One such scenario involves upgrading the functional level for your domain. With each iteration of Windows Server, new features and enhancements are introduced for AD DS. Some of these features are domain-wide, such as the AD recycle bin. However, before you can enable domain-wide features, you must first raise the functional level of your domain. This task involves updating each of the domain controllers in your domain to the latest version of Windows Server and then raising the domain functional level to match.
Imagine you are a systems administrator for Wide World Importers. This organization has a single domain that consists of 18 domain controllers. The domain functional level is currently set to Windows Server 2008 R2 and there is a mixture of operating system versions among the existing domain controllers. Half of the servers are three to four years old and are running Windows Server 2008 R2. The other half are one to two years old and are running Windows Server 2012 R2. Your team has been tasked with upgrading the operating system across all 18 domain controllers to Windows Server 2016, followed by raising the domain functional level to match. There are three approaches to consider when faced with this scenario:
■ In-place upgrade In-place upgrades of the Windows Server operating system are supported. They also tend to be more cost effective, allowing you to reuse the existing hardware. If you plan to do an in-place upgrade of the operating system, be aware of the updated system requirements for the new operating system version. Also, take into consideration any application compatibility concerns if the domain controller is hosting additional roles for your organization.
■ Demote, upgrade, and promote If costs are a concern but a fresh installation is preferred over an in-place upgrade, consider demoting the existing domain controller, formatting it, installing the latest version of Windows Server, and promoting it back into the domain. When taking this approach, you still need to consider the system requirements for the newer version of Windows Server, and the lifecycle of the physical hardware you are reusing.
■ Side-by-side upgrade A side-by-side upgrade is not as cost efficient as the previous two options, but might be mandatory if existing hardware has reached end-of-life or doesn’t meet the system requirements for the latest version of Windows Server. In this situation, you would build a new server and promote it as a domain controller. You want to consider the need for new host names, IP addresses, and possibly firewall changes to support the side-by-side upgrade. After a new domain controller is online, you will transition any roles from the existing domain controller, and then demote the existing domain controller.
After reviewing the above options, the best approach for Wide World Importers involves a mixture of side-by-side upgrades and refreshing existing domain controllers. Knowing that a portion of the existing domain controllers are three to four years old, it is safe to assume that the hardware for those domain controllers is reaching end-of-life and should be replaced soon, whereas the servers that are one to two years old could be demoted, refreshed, and promoted back into the domain.
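The final step of the Wide World Importers scenario, raising the domain functional level once all 18 domain controllers run Windows Server 2016, as an added PowerShell example that is not from the book. It inventories every domain controller's operating system first, refuses to continue if any older one remains, and only then calls Set-ADDomainMode. The domain name is a placeholder.

```powershell
# Added example (not from the book): verify that every domain controller runs
# Windows Server 2016 before raising the domain functional level. The domain
# name is a placeholder for Wide World Importers' real domain.
Import-Module ActiveDirectory
$domainName = "wideworldimporters.example"

# Inventory all DCs: name, site, OS and whether it is an RODC.
$dcs = Get-ADDomainController -Filter * -Server $domainName |
       Select-Object Name, Site, OperatingSystem, OperatingSystemVersion, IsReadOnly

# A single DC still on 2008 R2 or 2012 R2 blocks the raise, so surface them
# for the upgrade plan instead of failing halfway through.
$legacy = $dcs | Where-Object { $_.OperatingSystem -notlike "*2016*" }
if ($legacy) {
    "These domain controllers must be upgraded, refreshed or demoted first:"
    $legacy | Format-Table -AutoSize
    return
}

$domain = Get-ADDomain -Identity $domainName
"Current domain functional level: $($domain.DomainMode) (PDC emulator: $($domain.PDCEmulator))"

# Raising the functional level is one-way: preview first, then commit.
Set-ADDomainMode -Identity $domainName -DomainMode Windows2016Domain -WhatIf
Set-ADDomainMode -Identity $domainName -DomainMode Windows2016Domain -Confirm:$false

# Read the level back from the PDC emulator, where the change is written.
(Get-ADDomain -Identity $domainName -Server $domain.PDCEmulator).DomainMode
```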

Install AD DS on a Server Core installation
The first time you install Windows Server 2016, notice that the default installation type is set to Server Core. Server Core is a minimalistic install of the Windows Server operating system. This install type only provides access to certain core server roles, with the option to install additional roles as needed. This type of installation reduces system overhead and greatly improves the security posture of the server. Since its introduction with Windows Server 2008, several enhancements have been made to Server Core, enabling administrators to manage these servers centrally. For example, you can add and manage dozens of Server Core installs from a central management server using Server Manager and PowerShell.

Skill 10.1: Install and configure domain controllers CHAPTER 10 251


As we mentioned earlier in this chapter, domain controllers are often deployed and then managed from a central location, or through a set of tools that do not require direct access to the server. A Server Core installation is ideal in these working conditions, while collecting on the benefits that Server Core provides.
In the following example, we walk through the steps for installing AD DS on a Server Core installation of Windows Server 2016. Let's create a new forest for Wingtip Toys. Before installing AD DS on any server, it is important to configure the network interface first. There are multiple ways to accomplish this task in Server Core. The Server Configuration tool is one option, which provides you with a basic text interface for configuring core components. You can access the Server Configuration tool by typing sconfig at the command prompt. Another option is to use PowerShell. Let's look at the PowerShell cmdlets used for configuring the network adapter on our server.
1. Log in to your server running Windows Server 2016 Server Core.
2. At the command prompt, type powershell.exe to start PowerShell.
3. Run the Get-NetAdapter command to retrieve a list of available network adapters on your server. Make a note of the adapter name that you are configuring.
4. Run the following command to assign a static IP address, replacing the value for InterfaceAlias with the name of your network adapter:

New-NetIPAddress -IPAddress 10.0.0.10 -InterfaceAlias "Ethernet" -DefaultGateway 10.0.0.254 -AddressFamily IPv4 -PrefixLength 24

5. Run the following command to assign the DNS servers:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("10.0.0.1","10.0.0.10")

6. Run the ipconfig /all command and review the IP and DNS settings for your network adapter. Confirm that the values match the assignments set above.
With the network adapter configured, we can now install the AD DS role on this server. To do so, utilize the same PowerShell cmdlets discussed earlier in this chapter.
1. Log in to your server running Windows Server 2016 Server Core.
2. At the command prompt, type powershell.exe to start PowerShell.
3. Run the following command to install the Active Directory Domain Services role and all required features:

Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

4. Run the following command to create the new forest and promote the server to a domain controller:

Install-ADDSForest -DomainName WingtipToys.local

5. When prompted for the Safe Mode Administrator Password, type P@ssw0rd. (This is a lab value; in production the DSRM password is the offline recovery key for the directory database and must be strong, unique, and stored securely.)
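The same forest build as a single non-interactive script, as an added example that is not part of the book. It assumes the adapter is named "Ethernet", the server takes 10.0.0.10/24 behind gateway 10.0.0.254, and 10.0.0.1 is a reachable DNS server (the values used in the steps above); it adds two things the walkthrough omits, a dry run with Test-ADDSForestInstallation and a DSRM password that is never stored in the script.

```powershell
# Added example (not from the book). Assumptions: adapter "Ethernet", 10.0.0.10/24,
# gateway 10.0.0.254, upstream DNS 10.0.0.1, forest name wingtiptoys.local.
$InterfaceAlias = 'Ethernet'
$ServerIp       = '10.0.0.10'
$Gateway        = '10.0.0.254'
$DnsServers     = @('10.0.0.1', $ServerIp)
$DomainName     = 'wingtiptoys.local'

# 1. Static addressing. Disable DHCP and clear any leased address/route first, otherwise
#    New-NetIPAddress fails with "DefaultGateway already exists" or leaves two addresses.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $ServerIp -PrefixLength 24 `
    -DefaultGateway $Gateway -AddressFamily IPv4 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

# 2. Install the role. Server Core has no Server Manager, so this is the only local route.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# 3. Read the DSRM password as a SecureString; never hard-code it in a script.
$Dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 4. Dry run: the same prerequisite checks the wizard runs, without changing anything.
#    Status is 'Success' when every check passes.
$check = Test-ADDSForestInstallation -DomainName $DomainName -SafeModeAdministratorPassword $Dsrm
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'AD DS prerequisite check failed; fix the reported issues before promoting'
}

# 5. Promote. -Force suppresses the confirmation prompts; the server reboots when done.
#    WinThreshold is the Windows Server 2016 forest and domain functional level.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName 'WINGTIPTOYS' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' -InstallDns `
    -SafeModeAdministratorPassword $Dsrm -Force
```

Pointing the server's DNS client at itself before DNS is installed is fine here because Install-ADDSForest with -InstallDns configures the DNS Server role and the forest zone during promotion; after the reboot, ipconfig /all should show 10.0.0.10 and the zone should contain the _msdcs records.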

252 CHAPTER 10 Install and configure Active Directory Domain Services
As a systems administrator for Wide World Importers, you are responsible for deploying new domain controllers when the need arises. You work at the corporate headquarters, located in San Francisco, CA. Your manager has just informed you that a new office is set to open in Dublin, Ireland later this year. This is the company's first office in Dublin, with the expectation of future growth. Initially you are limited to a 10 Mbps WAN link between the new office and the corporate headquarters. In the following example, we walk through the process of exporting the existing AD database, copying it to a new server, and using the IFM option to promote the server to a domain controller.
1. Log in to a domain controller in your domain.
2. Open an elevated command prompt.
3. At the command prompt, run the ntdsutil command to start the command-line tool for managing AD DS.
4. Run the activate instance ntds command to set NTDS as the active instance.
5. Run the ifm command to start the Install from Media process.
6. Run the following command to begin exporting a copy of your AD database and corresponding files. In this example, we are using the create sysvol full media type:

create sysvol full C:\IFM

Several status messages appear in the command prompt; these provide you with a progress report as the export runs. Once the export has completed successfully you receive a status message, as shown in Figure 10-3. At this stage, you can copy the contents of the IFM directory to a removable media source, or to the drive on the new server before you ship it to its future destination. Keep in mind that the IFM media is a copy of the directory database, including the password hashes of every account in the domain, so treat it with the same care as a domain controller backup: restrict who can read it, encrypt it in transit, and securely delete it once the promotion has completed.

FIGURE 10-3 The ntdsutil command-line tool is used to manage Active Directory, including the ability to create installation media for new domain controllers

In this example, we copy the contents of the IFM folder to the root of the system drive on our new server. Upon arrival, the server is powered up and ready to be promoted. The following steps walk through promoting a domain controller using the IFM export.
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, select Active Directory Domain Services. When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click Select next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Confirm that Domain Name System (DNS) Server and Global Catalog (GC) are checked. For the Directory Services Restore Mode (DSRM) password, type P@ssw0rd in the two fields and click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, check the box for Install From Media, as shown in Figure 10-4. In the path field, enter C:\IFM, where we copied the database export, and click Verify to confirm the files can be accessed. Click Next.



FIGURE 10-4 The Active Directory Domain Services Configuration Wizard includes the Install from Media (IFM) feature on the Additional Options page

15. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. Note the additional parameter for InstallationMediaPath. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the Results pane and click Install. Once installation completes the server automatically reboots to complete the installation.
18. After your new domain controller is online, log in and open Active Directory Users and Computers. Compare the contents with an existing domain controller. Confirm that the OU structure, objects, and attributes match across both domain controllers.
At this stage in the chapter we have walked through multiple installation scenarios for promoting a new domain controller. IFM adds some additional flexibility in your deployments, enabling you to reliably deploy domain controllers remotely, with limited saturation of your organization's WAN. Two limits apply: IFM only seeds the initial copy, so any objects changed after the media was created still replicate over the WAN, and media older than the forest's tombstone lifetime is rejected, so create it close to the time you will use it. These same methods can be used to prepare for larger deployments. For example, an organization that specializes in retail might have hundreds of stores across the globe, each with their own domain controller. Using IFM in this situation can be very beneficial in reducing overhead.

Resolve DNS SRV record registration issues
Throughout this chapter, we have deployed a few domain controllers under different circumstances. One common component among those domain controllers has been DNS. For AD DS to function properly, DNS must be installed and configured correctly. Every environment is different when it comes to DNS, and that plays a major role in the overall health of your AD DS forest.
AD DS relies on SRV records, also referred to as service records. Each record serves a different purpose, such as guiding clients to their nearest LDAP server, or allowing servers to communicate with each other. As the administrator for AD DS, you need to be familiar with these SRV records and how to troubleshoot registration issues. When problems do arise, there are a few resources that you can use to find a solution. Let's look at those now.
■ DNS Manager The DNS management console is part of the AD DS management tools. You can explore the SRV records in your domain using DNS Manager. In Figure 10-5, you can see we are looking at the forward lookup zone for WingtipToys.local. In the _sites folder, we can confirm that the _ldap and _kerberos SRV records are present for our domain controllers.

FIGURE 10-5 The DNS Manager management console is an important tool for checking on SRV records

■ Dcdiag The dcdiag utility is a command-line tool that provides tests that can assist in troubleshooting issues in your AD DS forest. A DNS test can be initiated from any of your domain controllers by running the following command from an elevated command prompt: dcdiag /test:dns.



■ Ipconfig The ipconfig utility provides network-specific information on your Windows devices. If DNS is set up to accept dynamic DNS updates, and you suspect a workstation or server has not registered its host record, you can run the following command from an elevated command prompt: ipconfig /registerdns. Note that this refreshes the host (A) record only. The SRV records for a domain controller are registered by the Netlogon service, so if a domain controller's SRV records are missing, run nltest /dsregdns or restart the Netlogon service on that domain controller instead.
■ Netlogon.dns In environments where dynamic DNS is not enabled, and DNS is managed by a separate appliance, you can retrieve the mandatory SRV records from the netlogon.dns file on your domain controllers. This information can be provided to your DNS team so they can ensure it is added. This file is located in the following path: %WinDir%\System32\Config\netlogon.dns.
The DNS health among your domain controllers is an important variable when managing your AD DS environment. For the exam, make sure you are familiar with each of the tools mentioned above. Spend time exploring DNS Manager and reviewing the SRV records in your domain.
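A scripted version of the check described above, as an added example that is not part of the book: it compares the domain controllers that AD says exist with the ones DNS actually advertises for the LDAP and Kerberos locator records, then asks Netlogon on each missing DC to re-register. It assumes a domain-joined machine with the AD DS RSAT tools and the Resolve-DnsName cmdlet; the domain name defaults to the current domain.

```powershell
# Added example (not from the book). Assumes the AD PowerShell module (RSAT) and that the
# DNS server queried is the one clients actually use.
function Get-MissingDcSrvRecords {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [string]$DnsServer              # optional: query a specific DNS server instead of the client's
    )
    # Domain-wide locator records: clients use these to find a DC (LDAP) and a KDC (Kerberos).
    $names = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")

    # RODCs only register a subset of locator records, so the check covers writable DCs.
    $expected = Get-ADDomainController -Filter * |
        Where-Object { -not $_.IsReadOnly } |
        ForEach-Object { $_.HostName.TrimEnd('.').ToLower() }

    foreach ($name in $names) {
        $params = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params.Server = $DnsServer }
        $registered = Resolve-DnsName @params |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
        foreach ($dc in $expected) {
            if ($registered -notcontains $dc) {
                [pscustomobject]@{ Record = $name; MissingDc = $dc }
            }
        }
    }
}

$missing = Get-MissingDcSrvRecords
$missing | Format-Table -AutoSize

# Remediation: SRV records belong to Netlogon, not the DNS client, so ipconfig /registerdns
# will not create them. nltest /dsregdns makes Netlogon re-register everything it owns.
foreach ($dc in ($missing.MissingDc | Sort-Object -Unique)) {
    Invoke-Command -ComputerName $dc -ScriptBlock { nltest /dsregdns }
}
```

If a DC is still missing after re-registration, the usual causes are a zone that does not accept secure dynamic updates from the DC's computer account, or a DC whose DNS client points at a server that is not authoritative for the zone; dcdiag /test:dns /v on that DC reports both.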

Configure a global catalog server


In AD DS, the global catalog is designed to improve performance in environments with multiple domains, or sites with limited bandwidth. The global catalog contains a partial representation of every object in your AD DS forest. Domain controllers can be designated as global catalog servers, enabling them to answer global catalog requests. If an application is connected to Active Directory, and that application issues a search to a nearby global catalog server, the search completes faster because it has the necessary information available locally instead of referring the query to another domain.
Let's start by determining whether a domain controller has been configured as a global catalog server. There are two places we can look for this information. The first location is in Active Directory Users And Computers. If you navigate to the Domain Controllers container, there is a column named DC Type. Domain controllers that have been designated as global catalog servers have a DC type of GC (Global Catalog). In Figure 10-6, you can see that two of our three domain controllers are set up as global catalog servers.

FIGURE 10-6 The Active Directory Users and Computers management console displays the DC type for the domain controllers in your domain

Another location for reviewing the status of a global catalog server is within the Active Directory Sites And Services management console. To reveal these options, you need to expand Sites, followed by the site where your domain controller is assigned. Under the site, expand Servers. With the desired domain controller selected, right-click NTDS Settings and choose Properties. On the General tab of the NTDS Settings properties window, there is a checkbox for designating the global catalog role, as shown in Figure 10-7. If you need to toggle this role on or off, apply the action here and the AD DS topology is updated. Enabling the role is not instant: the domain controller first has to replicate in the partial replicas of the other domains, and only starts advertising itself as a global catalog once that completes.

FIGURE 10-7 The NTDS Settings properties window in Active Directory Sites and Services includes the Global Catalog checkbox for the selected domain controller



Transferring FSMO roles
Transferring and seizing FSMO roles is accomplished using the ntdsutil utility. Figure 10-8 shows that WTT-DC-01 contains all the FSMO roles for the domain. Let's transfer the infrastructure master role to WTT-DC-03.
1. Log in to a domain controller in your domain.
2. Open an elevated command prompt.
3. Type ntdsutil and press Enter.
4. Type roles and press Enter.
5. Type connections and press Enter.
6. Type connect to server WTT-DC-03 and press Enter. Review the output and confirm that the connection was successful.
7. Type q and press Enter.
8. Type transfer infrastructure master and press Enter. When prompted to confirm the transfer, click Yes. Review the output and confirm that the transfer was successful.
9. Type q to exit FSMO maintenance and q again to exit ntdsutil.
After the role has been transferred, run netdom query fsmo again and confirm that the infrastructure master role is now assigned to WTT-DC-03, as shown in Figure 10-9.

FIGURE 10-9 The netdom utility can assist in identifying where the FSMO roles are assigned in your domain.

Seizing FSMO roles


Let's imagine that WTT-DC-03 has suffered a catastrophic failure, which is preventing us from cleanly transferring the assigned FSMO roles. In this example, the domain controller is no longer on the network, so let's use the seize option to recover the role and reassign it to WTT-DC-01. Seizing is a last resort: once a role has been seized, the failed domain controller must never be brought back onto the network, because it still believes it owns the role. Remove its metadata from the directory instead.
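The transfer and the seize from the Active Directory PowerShell module rather than ntdsutil, as an added example that is not part of the book, with a verification step that checks every domain controller's view rather than just one. It assumes the domain controller names WTT-DC-01 and WTT-DC-03 used in this section.

```powershell
# Added example (not from the book). Assumes the AD PowerShell module and the DC names
# WTT-DC-01 / WTT-DC-03 from this section.
function Get-FsmoRoleHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Graceful transfer: both DCs are online and the current holder hands the role over.
Move-ADDirectoryServerOperationMasterRole -Identity 'WTT-DC-03' `
    -OperationMasterRole InfrastructureMaster -Confirm:$false

# Seize: only when the holder is permanently gone. -Force attempts a transfer first and
# seizes if the holder does not respond. The old holder must never be reconnected;
# remove its metadata (ntdsutil "metadata cleanup", or delete the server object in
# Sites and Services) before the name is reused.
Move-ADDirectoryServerOperationMasterRole -Identity 'WTT-DC-01' `
    -OperationMasterRole InfrastructureMaster -Force -Confirm:$false

# Verify from every DC: a role change only "took" once all partners agree on the holder.
function Get-InfrastructureMasterByDc {
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        [pscustomobject]@{ QueriedDc = $dc; InfrastructureMaster = (Get-ADDomain -Server $dc).InfrastructureMaster }
    }
}
Get-FsmoRoleHolders
Get-InfrastructureMasterByDc | Format-Table -AutoSize
```

The same cmdlet moves the forest-wide roles (SchemaMaster, DomainNamingMaster); seizing the schema or RID master after a failure carries the extra risk of duplicate RID pools or schema changes on the dead server, which is another reason the failed DC stays off the network for good.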

TABLE 10-1 RODC security feature chart

Feature | Description
Unidirectional replication | Unlike writable domain controllers, RODCs are designed to replicate changes inbound but not outbound. The other domain controllers in your forest do not replicate changes from an RODC. This improves security by preventing a malicious update made on a compromised RODC from replicating outward through your forest.
Special krbtgt account | Each RODC has its own krbtgt account (krbtgt_<id>) instead of the domain-wide krbtgt key, so a compromised RODC cannot issue Kerberos tickets that writable domain controllers, or resources at other sites, accept.
Password Replication Policy (PRP) | The PRP controls which account passwords may be cached locally on the RODC. Sensitive accounts such as Domain Admins are denied by default, so if an RODC is compromised, only the credentials of the accounts the PRP allowed to be cached can be obtained from it.
RODC filtered attribute set (FAS) | The FAS enables the administrator to keep sensitive application data from replicating to RODCs. This is accomplished by adding the attributes for the application to the RODC FAS and marking them as confidential, so a compromised RODC neither holds nor can request them.

For example, Wingtip Toys has recently expanded into the retail market, with 12 new stores set to open in the next six months. These stores require local domain controllers to support the multiple point-of-sale computers at each location. The physical security of these stores is limited, and in some cases requires your servers to share centralized rack space with adjoining stores. Based on these requirements you have chosen to promote RODCs at each store. Let's walk through the process of promoting an RODC.
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services. When prompted to add additional features, review the list and select Include Management Tools (If Applicable). Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.

11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click Select next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Check the box for Read Only Domain Controller (RODC), as shown in Figure 10-10. For the Directory Services Restore Mode (DSRM) password, type P@ssw0rd in the two fields and click Next.

FIGURE 10-10 The Active Directory Domain Services Configuration Wizard includes the option for promoting an RODC on the Domain Controller Options page

13. On the RODC Options page, review the default accounts and groups that are allowed to replicate passwords to the RODC and those that are denied, as shown in Figure 10-11. This is also where you can specify a delegated administrator account, which lets store staff log on to and maintain the RODC without holding Domain Admins rights. Click Next.



FIGURE 10-11 The Active Directory Domain Services Configuration Wizard includes password replication permissions on the RODC Options page

14. On the DNS Options page, click Next.
15. On the Additional Options page, note the default option for replication and click Next.
16. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
17. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure the RODC. Close the text file and click Next.
18. On the Prerequisites Check page, review any warnings displayed in the Results pane and click Install. Once installation completes, the server automatically reboots to complete the installation.
After completing the steps above, you should have a new domain controller in your domain with a DC type of Read-only. Let's connect to this domain controller and see what options are available.
1. Log in to one of your domain controllers.
2. Open Active Directory Users And Computers.
3. In the left pane of the Active Directory Users And Computers management console, right-click WingtipToys.local and choose Change Domain Controller.

4. In the Change Directory Server dialog window, select the RODC in the list and click OK. Before connecting to the RODC you are presented with a warning stating that write operations are not permitted, as shown in Figure 10-12. Click OK.

FIGURE 10-12 An RODC does not allow you to perform write operations

5. Right-click the Users container. Notice that the option to create new items is not available.
6. Click the Users container. Right-click the Administrator account. Notice the options to update group membership, disable the account, and reset the password are all disabled.
Now that you have deployed an RODC and explored some of the basic functionality, consider the cases where this would make sense in your environment. The RODC is very effective at preventing changes to your existing AD DS forest. However, be cautious in your deployments. I had a customer that insisted on replacing all the writable domain controllers with RODCs at each of their remote offices. This quickly introduced a lot of management overhead. Changes could only be made on the writable domain controllers at the central office. This affected replication when multiple changes needed to be made. Offices were thousands of miles apart and operated in different time zones. These domain controllers were all racked in secure locations, so the RODC topology didn't make sense for this environment.
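The store RODC promotion as a script with an explicit Password Replication Policy, followed by the check an incident responder needs after a store server goes missing, as an added example that is not part of the book. It assumes the domain wingtiptoys.local, an AD site named "Store-01", groups WINGTIPTOYS\Store01-Users and WINGTIPTOYS\Store01-RODCAdmins, and an RODC named WTT-RODC-01; none of these names come from the book.

```powershell
# Added example (not from the book). Assumptions: domain wingtiptoys.local, site "Store-01",
# groups Store01-Users / Store01-RODCAdmins, RODC name WTT-RODC-01.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
$Dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

Install-ADDSDomainController -DomainName 'wingtiptoys.local' -ReadOnlyReplica -SiteName 'Store-01' `
    -InstallDns -Credential (Get-Credential 'WINGTIPTOYS\Administrator') `
    -SafeModeAdministratorPassword $Dsrm `
    -AllowPasswordReplicationAccountName @('WINGTIPTOYS\Store01-Users') `
    -DenyPasswordReplicationAccountName  @('WINGTIPTOYS\Domain Admins', 'WINGTIPTOYS\Enterprise Admins') `
    -DelegatedAdministratorAccountName 'WINGTIPTOYS\Store01-RODCAdmins' `
    -Force
# Only accounts on the Allowed list are ever cached, so a stolen store server exposes
# store staff credentials and nothing else. Domain Admins and Enterprise Admins are
# denied by default; listing them makes the intent visible in the script. The delegated
# administrator group can log on locally and patch the RODC without Domain Admins rights.

# Incident-response check: these are the accounts whose password hashes were physically
# on the box, and therefore the accounts whose passwords must be reset if it is lost.
function Get-RodcCachedAccounts {
    param([Parameter(Mandatory)][string]$Rodc)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object SamAccountName, ObjectClass, DistinguishedName
}

# Sanity check that the policy is what you intended: no privileged group should be allowed.
function Test-RodcPrpHasNoPrivilegedAllow {
    param([Parameter(Mandatory)][string]$Rodc)
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
        Select-Object -ExpandProperty SamAccountName
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    $bad = $allowed | Where-Object { $privileged -contains $_ }
    if ($bad) { "Privileged group(s) allowed to cache on $Rodc : $($bad -join ', ')"; return $false }
    return $true
}

Get-RodcCachedAccounts -Rodc 'WTT-RODC-01' | Format-Table -AutoSize
Test-RodcPrpHasNoPrivilegedAllow -Rodc 'WTT-RODC-01'
```

When an RODC is lost, delete its computer object from Active Directory Users and Computers: the deletion dialog offers to reset the passwords of every account that was cached on it and to export that list, which is the same set Get-RodcCachedAccounts returns while the RODC is still reachable.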

Configure domain controller cloning


Prior to Windows Server 2012, it was an unsupported practice to use any form of duplication to deploy a new domain controller. This included operations like cloning the VHD of an existing domain controller. Doing so could severely affect your AD DS infrastructure: a copied domain controller reuses update sequence numbers its replication partners have already seen, so its changes are silently never replicated (USN rollback). This has since changed with the introduction of Windows Server 2012 and subsequent releases of Windows Server. Under the right circumstances, administrators can now clone an active virtual domain controller, enabling them to do consistent deployments, in rapid succession if needed.
Before you can clone a virtual domain controller, you must meet the following requirements:
■ The domain controller being cloned must be running Windows Server 2012 or later.
■ The administrator performing the cloning operation must be a member of the Domain Admins group.



■ The domain controller holding the PDC emulator role must be running Windows Server 2012 or later and must be online during the cloning process.
■ The hypervisor for the domain controller must support VM-Generation ID.
With these prerequisites in mind, let's walk through the process of cloning an existing virtual domain controller. In this example, let's use Hyper-V for our hypervisor.
1. Log in to the source domain controller in your domain. This is the domain controller that we plan on cloning. In this example, the name of our domain controller is WTT-DC-02.
2. Confirm that the PDC emulator role is not currently assigned to this domain controller. To do so, run the following command from an elevated command prompt:
netdom query fsmo

3. Open an elevated PowerShell window.
4. Add the source domain controller to the Cloneable Domain Controllers security group in AD. To do so, run the following command:
Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members "WTT-DC-02$"
5. Confirm that the source domain controller does not have any applications or services installed that are not compatible with cloning. To do so, run the following command:
Get-ADDCCloningExcludedApplicationList
6. If any items appear in the application list, they need to be removed from the domain controller or added to a CustomDCCloneAllowList.xml before you can proceed with cloning. Only add an application to the allow list once you have confirmed with its vendor that it tolerates being cloned. To create the CustomDCCloneAllowList.xml, run the following command:
Get-ADDCCloningExcludedApplicationList -GenerateXml
7. Create a new clone configuration file for the source domain controller. To do so, run the following command and review the output for any warnings or errors:
New-ADDCCloneConfigFile -CloneComputerName "WTT-DC-03" -SiteName Default-First-Site-Name -IPv4Address 10.0.0.15 -IPv4DefaultGateway 10.0.0.254 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 10.0.0.1,10.0.0.15 -Static
8. Shut down the source domain controller.


At this point we have prepared the source domain controller for cloning by granting it access in the directory, validating the running services, and creating a configuration file. Next let's clone the VM by first exporting a copy of the source domain controller and re-importing it. Because we are using Hyper-V, let's utilize PowerShell for these steps.
1. Open an elevated PowerShell window on your Hyper-V host.
2. Run the following command to export a copy of your source domain controller:
Export-VM -Name WTT-DC-02 -Path D:\VMExports

3. Run the following command to import the new virtual machine, replacing <XMLFile> with the path to the exported virtual machine configuration file (on Windows Server 2016 Hyper-V this file has a .vmcx extension):
Import-VM -Path "<XMLFile>" -Copy -GenerateNewId -VhdDestinationPath D:\WTT-DC-03
Once the import has completed, power on the new virtual machine. Be sure to leave the source domain controller powered off during this time. When you start the new virtual machine, it initially runs under the context of the source domain controller until the cloning process has completed, at which point you can restore the source domain controller to active duty.
When the new domain controller powers up for the first time the cloning process triggers automatically. This process utilizes the cloning configuration file that we created earlier in this section. The boot sequence displays a simple percentage to indicate how far along the cloning process is, as shown in Figure 10-13.

FIGURE 10-13 The domain controller cloning process starts automatically

Once the cloning process has completed, log in to your new domain controller. Open Active Directory Sites and Services on your new domain controller. Navigate to the Default-First-Site-Name site and look in the Servers folder. Confirm that all three domain controllers are present. At this stage, you can power on your source domain controller that was previously left offline. If the clone instead boots into Directory Services Restore Mode, the cloning failed; the usual causes are a missing DCCloneConfig.xml, an application still on the excluded list, or an unreachable PDC emulator.
In preparation for the exam, familiarize yourself with the PowerShell cmdlets used to generate the custom application list XML and cloning configuration XML. Be prepared to answer questions related to prerequisites, such as knowing which versions of Windows Server support domain controller cloning.
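A pre-flight check for the prerequisites listed in this section, as an added example that is not part of the book: it fails before anything is exported rather than letting the clone discover a problem by booting into DSRM. It assumes the AD PowerShell module, WinRM access to the source domain controller, and the source name WTT-DC-02 from the walkthrough.

```powershell
# Added example (not from the book). Assumes the AD PowerShell module and WinRM access to
# the source DC; WTT-DC-02 is the source DC used in this section.
function Test-DcClonePrerequisites {
    param([Parameter(Mandatory)][string]$SourceDc)
    $problems = @()
    $src = Get-ADDomainController -Identity $SourceDc
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator

    # Both the source DC and the PDC emulator must run Windows Server 2012 (NT 6.2) or later.
    # OperatingSystemVersion looks like "10.0 (14393)"; keep only the leading version.
    foreach ($dc in @($src, $pdc)) {
        $ver = [version]($dc.OperatingSystemVersion -replace '\s.*$')
        if ($ver -lt [version]'6.2') {
            $problems += "$($dc.HostName) runs $($dc.OperatingSystem); Windows Server 2012 or later is required"
        }
    }

    # The PDC emulator issues the clone's new identity, so it cannot be the source and must be up.
    if ($src.HostName -eq $pdc.HostName) {
        $problems += "$SourceDc holds the PDC emulator role; transfer it to another DC first"
    }
    elseif (-not (Test-Connection -ComputerName $pdc.HostName -Count 1 -Quiet)) {
        $problems += "PDC emulator $($pdc.HostName) is not reachable"
    }

    # Membership in Cloneable Domain Controllers is what authorizes the clone request.
    $members = (Get-ADGroupMember -Identity 'Cloneable Domain Controllers').Name
    if ($members -notcontains $src.Name) {
        $problems += "$SourceDc is not a member of Cloneable Domain Controllers"
    }

    # Any application still on the excluded list aborts cloning and drops the clone into DSRM.
    $excluded = Invoke-Command -ComputerName $src.HostName -ScriptBlock { Get-ADDCCloningExcludedApplicationList }
    if ($excluded) {
        $problems += "Excluded applications on $SourceDc : $(($excluded | ForEach-Object { $_.Name }) -join ', ')"
    }

    if ($problems) { $problems | ForEach-Object { "FAIL: $_" }; return $false }
    "All cloning prerequisites met for $SourceDc"
    return $true
}

Test-DcClonePrerequisites -SourceDc 'WTT-DC-02'
```

Run it immediately before the Export-VM step; the excluded-application check in particular can change between the day the allow list was generated and the day the export is taken, because patching or agent installs add services.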



Chapter summary
■ How to install a new forest by using the GUI and PowerShell
■ Adding and removing a domain controller
■ Upgrading a domain controller
■ Using Server Core with AD DS
■ Using the Install from Media option to provision a domain controller
■ Using DNS SRV records with AD DS
■ Configuring a domain controller as a global catalog
■ Using FSMO roles in AD DS
■ Installing a read-only domain controller
■ Configuring domain controller cloning

Thought experiment: Upgrading the forest


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find answers to this thought experiment in the next section.
You are a systems administrator for Wingtip Toys, an organization with 16 offices around the globe, and an additional 45 stores that specialize in high performance quadcopters and drones. Your team is relatively new to the organization, inheriting a single domain with a total of 72 domain controllers. A single physical writeable domain controller is present at each retail store, and a mixture of 1-2 domain controllers are present at each office. All the domain controllers are running Windows Server 2008 R2 and the domain functional level is set to match. All the hardware for these domain controllers is reaching end-of-support over the next six months. Your enterprise applications team is also interested in integrating AD DS with their public facing retail web portal. Your manager has added a domain controller refresh to the annual budget. In preparation for this work, he has requested answers to the following questions:
1. There is a concern with the limited physical security at each of the retail stores. What would you recommend for enhancing the logical security of the domain controllers at these locations?
2. System maintenance for the retail stores can only occur after hours, and it is critical that all systems are online before stores open. What is your recommendation for deploying the new domain controllers in this limited timeframe?
3. The main offices are not running a consistent number of domain controllers at each location. What is your recommendation for improving this topology?
4. What type of install would you recommend for the public facing retail web portal?

Thought experiment answers
1. Implementing RODCs at the retail stores helps restrict potential malicious activities if the local domain controller is compromised.
2. Utilizing IFM for the deployment of these new domain controllers enables the team to rapidly deploy the new servers, as well as greatly reducing the replication overhead across the multiple WAN links.
3. To improve reliability and redundancy, each office should utilize two domain controllers. New servers should be deployed to offices that only contain a single domain controller.
4. For the web portal, utilizing a Server Core installation to host the domain controller improves security and limits downtime for routine patching, due to the reduced number of security patches.



CHAPTER 11

Implement identity federation and access solutions
In this chapter, we discuss the identity management solutions that are provided with Active Directory Federation Services (AD FS). AD FS can also be combined with the Remote Access server role, which can be used to enable a Web Application Proxy (WAP). AD FS can be used to manage federated environments, and enable multi-factor authentication for organizations. Used together with a WAP, clients can be preauthenticated by AD FS before being directed to the application server.
Windows Server 2016 introduces a few new features to AD FS, not all of which are included on the upgrade exam. New features include:
■ Azure multi-factor authentication (MFA) Use Azure to enable MFA for an application or server in the organization.
■ Password-less access from devices Use Azure AD or Intune MDM policies to enable sign-on and access control based on the compliance status of the device.
■ Sign in using Windows Hello for Business This was previously known as Microsoft Passport for Work.
■ Enable sign-in using third-party LDAP LDAP v3-compliant directories can be used as a source for authenticating users.
■ Customizable sign-in The logon screen for individual applications can be customized for companies or brands.
■ Enhanced auditing AD FS auditing in Windows Server 2016 has been streamlined and is less verbose, to reduce administrative complexity.
■ SAML 2.0 support AD FS can be used with InCommon Federation and other SAML 2.0 configurations.
■ Simplified password management When federating with Office 365, password expiration notifications can be sent and managed by AD FS when a user is being authenticated.

FIGURE 11-1 Add Relying Party Trust

The next step of configuring a relying party trust is to specify the source data for the relying party. This information can be provided in one of three ways:
■ From a published source, online or on the network
■ From a federation metadata file
■ Entered manually in the wizard
Figure 11-2 shows the available options for providing the configuration details.



FIGURE 11-2 Specifying the data source

When specifying the details manually, the information that is required includes:
■ Display name
■ Optional certificate
■ Federation URLs
■ Relying party trust identifiers
After specifying the trust details, the next configuration item is whether to set access control policies. These policies can be configured now, or at a later time. A common access method is to permit everyone, but require multi-factor authentication when the request is external. Figure 11-3 shows selecting an access control policy.

Skill 11.1: Install and configure Active Directory Federation Services CHAPTER 11 277
FIGURE 11-3 Choosing an access control policy

Configure authentication policies


Authentication policies, or access control policies as defined in the AD FS management snap-in, define the authentication requirements for an application. These policies can be used to define how users or devices can access an application by using AD FS. Figure 11-4 shows the built-in policies from the AD FS management snap-in.



FIGURE 11-4 Access Control Policies

You can also specify a custom access control policy from the AD FS management snap-in. The available options are to permit:
■ Everyone
■ Users
■ From a specific network
■ From specific security groups
■ From devices that have a specific trust level
■ With specific claims in the request
■ And require multi-factor authentication
You can also permit these users or groups with the following exceptions:
■ Specific networks
■ Specific groups
■ Devices with specific trust levels
■ Specific claims in the request

Figure 11-5 shows defining a custom access control policy.

FIGURE 11-5 Custom access control policy

Configure multi-factor authentication

Using Azure multi-factor authentication (MFA) with AD FS has several prerequisites:
■ An Azure subscription that includes Azure Active Directory
■ Azure multi-factor authentication
■ As of this writing, this is included with the Azure AD Premium and Enterprise Mobility Suite subscription options
■ On-premises AD FS at the Windows Server 2016 Farm Behavior Level
■ The on-premises AD FS must be federated with Azure AD
■ The Windows Azure Active Directory Module for Windows PowerShell must be installed
■ You must have global administrator permissions to modify Azure AD
■ You must have Enterprise Administrator credentials to configure the AD FS farm



Overall, the general configuration process for using MFA with Azure includes:
1. Generate a certificate for Azure MFA on each AD FS server.
2. Add the credentials to the Azure MFA Auth Client service principal (SPN).
3. Configure the AD FS farm.
Generating a certificate for Azure MFA is completed by running the New-AdfsAzureMfaTenantCertificate cmdlet. This certificate is generated and placed in the local machine's certificate store on the AD FS server. The subject name of the certificate is the TenantID of the Azure AD directory.
To add the credentials to the SPN for Azure MFA, obtain the credentials from the generated certificate. Add the credentials by using the New-MsolServicePrincipalCredential cmdlet and specify the GUID for the Azure MFA Auth Client.
Finally, you can configure the AD FS farm by using the Set-AdfsAzureMfaTenant cmdlet. This cmdlet requires the TenantId of the Azure AD directory and the ClientId of the Azure MFA Auth Client. After making the configuration change, the AD FS service must be restarted on each server in the farm. After restarting the service, Azure MFA is available as an authentication method. Figure 11-6 shows using Azure MFA as an authentication method.

FIGURE 11-6 Authentication methods
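The three steps above, as an added example rather than code from the book, run from an elevated PowerShell session on the AD FS servers. The tenant ID is a placeholder; the Azure MFA client application ID is the well-known value given in Microsoft's Azure MFA for AD FS documentation and should be checked against the current documentation before use.

```powershell
# Added example, not from the book. Steps 1 and 2 run on every AD FS server in the
# farm (each server gets its own certificate); step 3 runs once, on the primary.
$tenantId = '00000000-0000-0000-0000-000000000000'   # assumption: replace with your Azure AD directory ID

# Application ID of the Azure Multi-Factor Auth Client service principal, as published
# in Microsoft's documentation. Verify it against the current documentation.
$azureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'

Import-Module MSOnline   # the Windows Azure Active Directory Module for Windows PowerShell
Connect-MsolService      # sign in as a Global Administrator of the tenant

# 1. Generate this server's tenant certificate. The cmdlet returns the public
#    certificate as Base64; the private key stays in the local machine store.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId

# 2. Register the certificate as a verification credential on the Azure MFA client
#    service principal, so Azure AD can validate assertions signed by this server.
New-MsolServicePrincipalCredential -AppPrincipalId $azureMfaClientId `
    -Type Asymmetric -Usage Verify -Value $certBase64

# 3. Point the farm at the tenant, then restart the service on each farm member.
Set-AdfsAzureMfaTenant -TenantId $tenantId -ClientId $azureMfaClientId
Restart-Service adfssrv

# Checks worth running afterwards:
# a) the Azure MFA adapter is registered as an authentication provider
Get-AdfsAuthenticationProvider | Where-Object Name -eq 'AzureMfaAuthentication'

# b) the tenant certificate (subject CN = tenant ID) is present; note NotAfter. The
#    certificate is valid for two years and is renewed with
#    New-AdfsAzureMfaTenantCertificate -TenantId $tenantId -Renew $true,
#    after which the new certificate is registered again as in step 2.
Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$tenantId" |
    Select-Object Subject, Thumbprint, NotAfter
```

Once the provider is listed, Azure MFA can be ticked as an additional authentication method in the snap-in (Figure 11-6) or set with Set-AdfsGlobalAuthenticationPolicy. Put the certificate expiry date in your operational calendar: when it lapses, MFA prompts fail for every relying party that requires it.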

Implement and configure device registration
AD FS in Windows Server 2016 enhances device registration to enable sign-on and access control based on the compliance status of a device. When users authenticate by using a device credential, the device's compliance is re-evaluated to ensure that policies are applied appropriately. This can include:
■ Enable access only from devices that are managed and/or compliant
■ Enable external access for devices that are managed and/or compliant
■ Require MFA for computers that are not managed or compliant
Figure 11-7 illustrates using device registration with AD FS. Users and devices can be enrolled by using Azure AD or Microsoft Intune. Both services use Azure AD with Azure AD Connect device write-back. The devices can connect to on-premises services that might also contain conditional access policies, device authentication, or MFA.

FIGURE 11-7 Device registration illustration

A device's trust level is one of three levels:
■ Authenticated Devices that have been authenticated are registered in Azure AD, but have not been enrolled in a mobile device management (MDM) policy.
■ Managed Managed devices are registered devices that are also enrolled in an MDM policy.
■ Compliant Devices that are compliant are registered and enrolled in an MDM policy. In addition, the device meets the requirements of the MDM policy.
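The custom access control policy conditions from the previous section (network, device trust level, MFA) and the device-based outcomes listed here can also be expressed as claim rules on a relying party trust. The following is an added example, not code from the book: it permits intranet requests and compliant devices, denies external requests from any other device, and requires MFA whenever the device is not compliant. The relying party name 'App1' and the choice to deny rather than challenge external unmanaged devices are assumptions; the device-context claim type URI is the one AD FS on Windows Server 2016 publishes for registered devices, so confirm it with Get-AdfsClaimDescription before relying on it.

```powershell
# Added example, not from the book. Implements the device-registration policy sketched
# above as classic claim rules on one relying party trust. 'App1' is an assumption.
$rpName = 'App1'

# Claim types used. insidecorporatenetwork is issued by AD FS from whether the request
# arrived through the Web Application Proxy; iscompliant is a device-context claim AD FS
# 2016 issues for registered devices. Confirm both are present on the farm first:
Get-AdfsClaimDescription |
    Where-Object { $_.ClaimType -like '*insidecorporatenetwork*' -or $_.ClaimType -like '*devicecontext*' } |
    Select-Object Name, ClaimType

$inside     = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$compliant  = 'http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant'
$permit     = 'http://schemas.microsoft.com/authorization/claims/permit'
$authMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$mfa        = 'http://schemas.microsoft.com/claims/multipleauthn'

# Issuance authorization: permit when the request is on the corporate network, or when
# the device is compliant. An external request from an unregistered or non-compliant
# device matches neither rule and is denied.
$authzRules = @"
@RuleName = "Permit intranet requests"
c:[Type == "$inside", Value == "true"] => issue(Type = "$permit", Value = "true");

@RuleName = "Permit compliant devices from anywhere"
c:[Type == "$compliant", Value == "true"] => issue(Type = "$permit", Value = "true");
"@

# Additional authentication: require MFA unless the device is compliant. An
# unregistered device carries no iscompliant claim at all, so it is challenged too.
$mfaRules = @"
@RuleName = "Require MFA unless the device is compliant"
NOT EXISTS([Type == "$compliant", Value == "true"])
 => issue(Type = "$authMethod", Value = "$mfa");
"@

# A Windows Server 2016 trust with an access control policy assigned does not accept
# custom rules; detach the policy first, which moves the trust to the rule model.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

The two rule sets are evaluated independently: authorization decides whether the request may proceed at all, and the additional authentication rules decide whether MFA is demanded on the way. Test with a compliant device, a registered-only device and an unregistered device from both network locations before publishing the application externally.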



Configure AD FS to enable authentication of users stored in LDAP directories
AD FS in Windows Server 2016 introduces support for three new LDAP scenarios:
■ Third-party LDAP v3-compliant directories
■ AD forests that do not have a two-way trust
■ AD Lightweight Directory Services (AD LDS)
You can create a connection from AD FS to the LDAP directory by using the New-AdfsLdapServerConnection cmdlet. Figure 11-8 shows creating a new LDAP server connection.

FIGURE 11-8 New-AdfsLdapServerConnection

Then, you can map LDAP attributes to AD FS claims by using the New-AdfsLdapAttributeToClaimMapping cmdlet. For example, you can map the given name, surname, and displayName attributes to the appropriate AD FS claims. Finally, register the LDAP store with the AD FS farm as a claims provider by using the Add-AdfsLocalClaimsProviderTrust cmdlet.
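The three cmdlets above, chained into one working configuration, as an added example that is not code from the book. It connects AD FS to a third-party LDAP v3 directory over LDAPS; the host name, port, bind account, container DN, object class and account suffix are assumptions for illustration.

```powershell
# Added example, not from the book. Registers a third-party LDAP v3 directory as a
# local claims provider in AD FS 2016. All names below are illustrative assumptions.
$ldapCred = Get-Credential -Message 'Read-only bind account for ldap.vendor.example'

# Use LDAPS (636) with SSL so the bind credential and attribute values never cross the
# wire in clear text. The LDAP server's certificate must chain to a CA the AD FS
# server trusts, or the connection fails at first use.
$vendorDirectory = New-AdfsLdapServerConnection -HostName 'ldap.vendor.example' -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $ldapCred

# Map LDAP attributes to AD FS claim types (the given-name, surname and display-name
# example from the text).
$givenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'givenName' `
    -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
$surname   = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'sn' `
    -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
$display   = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'displayName' `
    -ClaimType 'http://schemas.xmlsoap.org/claims/CommonName'

# Register the store as a claims provider. The anchor claim (mail) is the attribute
# AD FS uses to identify the user; the account suffix lets home realm discovery route
# user@vendor.example sign-ins to this store.
Add-AdfsLocalClaimsProviderTrust -Name 'Vendor LDAP' -Identifier 'urn:vendor-ldap' -Type Ldap `
    -LdapServerConnection $vendorDirectory `
    -UserObjectClass 'inetOrgPerson' -UserContainer 'ou=people,dc=vendor,dc=example' `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute 'mail' `
    -AnchorClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -LdapAttributeToClaimMapping @($givenName, $surname, $display) `
    -AcceptanceTransformRules 'c:[] => issue(claim=c);' `
    -OrganizationalAccountSuffix 'vendor.example' -Enabled $true

Get-AdfsLocalClaimsProviderTrust -Name 'Vendor LDAP' |
    Select-Object Name, Identifier, Type, Enabled
```

The pass-through acceptance rule (c:[] => issue(claim=c);) forwards every mapped claim unchanged; tighten it to the claim types your relying parties actually need once the connection is proven. For the AD LDS or untrusted-forest scenarios, the same flow applies with -AuthenticationMethod Negotiate on the connection.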

Skill 11.2: Implement Web Application Proxy

In this section, we explain how to install and configure a reverse proxy by using the Web Application Proxy (WAP). A WAP is useful for integrating with AD FS and providing access to internal applications. A WAP enables organizations to use either pass-through or AD FS preauthentication in a perimeter network for external users.



As part of the configuration wizard, you connect to the AD FS farm and obtain the certificates that are available and can be used with the Web Application Proxy. Select the desired certificate, as shown in Figure 11-10, and then complete the wizard.

FIGURE 11-10 Web Application Proxy Configuration

Additionally, you can configure the Web Application Proxy by using the Install-WebApplicationProxy cmdlet. The cmdlet must specify the federation service name and the thumbprint of the certificate to be used; it also takes the credentials of a local administrator on the AD FS server, which it uses to establish the trust with the federation service:
Install-WebApplicationProxy -CertificateThumbprint 'A142A369FC60C7984A70A56A17E31228546D85D8' `
    -FederationServiceName 'host02.contosoforest.com' `
    -FederationServiceTrustCredential (Get-Credential)

Implement WAP in pass-through mode

Pass-through mode instructs the WAP not to perform any authentication. All requests that are received by the WAP are automatically forwarded to the destination application, so the backend application must enforce its own authentication; the WAP only provides reverse-proxy placement. Figure 11-11 shows selecting pass-through as the WAP authentication method.

FIGURE 11-11 Publish New Application Wizard

Alternatively, you can use the Add-WebApplicationProxyApplication cmdlet and specify PassThrough for the ExternalPreAuthentication parameter:
Add-WebApplicationProxyApplication -BackendServerURL 'https://app1.contosoforest.com/' `
    -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' `
    -ExternalURL 'https://app1.contosoforest.com/' -Name 'App1 (no preauthentication)' `
    -ExternalPreAuthentication PassThrough

Implement and integrate WAP as AD FS proxy

There are two sections of the skills that include using WAP with AD FS, which we combine for this section. Figure 11-11 also shows the other preauthentication option for WAP, which is AD FS. If the WAP receives a request that is not authenticated, the request is redirected to the AD FS farm. After the user is authenticated by AD FS, the request is sent to the backend application. If the backend application uses Windows Integrated Authentication, the WAP can use Kerberos constrained delegation to obtain a Kerberos ticket for the backend on the authenticated user's behalf, so the user's password never reaches the proxy.



Figure 11-12 shows the supported clients that can be used with an AD FS proxy, including:
■ Web and MSOFBA Authenticates web apps, including Microsoft Office
■ HTTP Basic New for Windows Server 2016, this is used for clients that do not support HTTP redirect, such as Exchange ActiveSync
■ OAuth2 Windows Store apps or Office clients that support OAuth2 authentication

FIGURE 11-12 Supported clients

Configure AD FS requirements
The only AD FS requirement for using a WAP with AD FS preauthentication is that the farm is configured with a relying party trust for the application. Without a relying party trust, you are not able to publish an application with AD FS preauthentication through the WAP.



Publish web apps via WAP
Publishing an application is performed from the Remote Access Management Console by using the Publish New Application Wizard. When publishing an application, you must specify the following information for the application:
■ Preauthentication method
■ Supported clients
■ Relying party trust
■ Publishing settings
Figure 11-13 shows the publishing settings that must be defined for an application.

FIGURE 11-13 Publish New Application Wizard

Alternatively, you can use the Add-WebApplicationProxyApplication cmdlet to publish an application:
Add-WebApplicationProxyApplication -BackendServerUrl 'https://app1.contosoforest.com' `
    -ExternalCertificateThumbprint '2FC38D0224B0A6412F450A9597271179878708B0' `
    -EnableHTTPRedirect:$true -ExternalUrl 'https://app1.contosoforest.com' `
    -Name 'App1' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName 'AD FS'
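The two publishing commands in this skill differ in exactly the settings a reviewer checks first: whether the WAP preauthenticates at all, and whether plain HTTP is redirected to HTTPS. The function below is an added example, not code from the book; it reviews published applications for those two settings. It works on piped objects so it can be tried against the constructed sample (the two applications published above) on any machine, and on a WAP server it takes the live objects from Get-WebApplicationProxyApplication. The assumption is that those objects expose each setting under the same name as the corresponding cmdlet parameter, which Get-Member confirms.

```powershell
# Added example, not from the book. Flags WAP publications that rely on pass-through
# (no preauthentication) or that do not redirect HTTP to HTTPS. Property names are
# assumed to match the Add-WebApplicationProxyApplication parameter names; check with
#   Get-WebApplicationProxyApplication | Get-Member
function Test-WapPublishing {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Application)
    process {
        $findings = @()
        if ($Application.ExternalPreauthentication -eq 'PassThrough') {
            $findings += 'Pass-through: WAP performs no authentication; the backend must enforce its own'
        }
        if (-not $Application.EnableHTTPRedirect) {
            $findings += 'HTTP requests are not redirected to HTTPS'
        }
        [pscustomobject]@{
            Name              = $Application.Name
            ExternalUrl       = $Application.ExternalUrl
            BackendServerUrl  = $Application.BackendServerUrl
            PreAuthentication = $Application.ExternalPreauthentication
            Findings          = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample input: the two applications published earlier in this skill.
$sample = @(
    [pscustomobject]@{ Name = 'App1 (no preauthentication)'; ExternalUrl = 'https://app1.contosoforest.com/'; BackendServerUrl = 'https://app1.contosoforest.com/'; ExternalPreauthentication = 'PassThrough'; EnableHTTPRedirect = $false }
    [pscustomobject]@{ Name = 'App1'; ExternalUrl = 'https://app1.contosoforest.com'; BackendServerUrl = 'https://app1.contosoforest.com'; ExternalPreauthentication = 'ADFS'; EnableHTTPRedirect = $true }
)
$sample | Test-WapPublishing | Format-Table -AutoSize

# On the WAP server itself, review the real configuration:
# Get-WebApplicationProxyApplication | Test-WapPublishing | Format-Table -AutoSize
```

Run this after every change to the published set; a pass-through entry is not wrong in itself, but it should be a deliberate decision recorded against that application, not the wizard default that nobody revisited.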



Chapter summary
■ Using the Farm Behavior Level in AD FS to determine features
■ Creating a relying party trust for claims-based authentication
■ Configuring access control policies for AD FS
■ Using multi-factor authentication with AD FS
■ Understanding device registration with AD FS
■ Integrating Windows Hello for Business with AD FS
■ Using third-party LDAP with AD FS
■ Installing and configuring a Web Application Proxy
■ Using pass-through or AD FS modes of a WAP
■ Publishing applications through a WAP
■ Publishing Remote Desktop Gateways through WAP
■ Redirecting user requests to be secure with HTTPS
■ Understanding the external and backend URLs with WAP

Thought Experiment
An organization has an existing Windows Server 2012 R2 AD FS farm. They plan to upgrade the farm to Windows Server 2016. After the upgrade, they also plan to implement Azure MFA with their applications. The organization does not currently have any additional configuration software in their environment. The MFA solution must also work with biometric options. After the upgrade, they plan to centralize user requests by using a reverse proxy. All user requests must be secured.
Using the above scenario, answer the following questions:
1. How should the organization complete the upgrade?
2. What additional software should the organization use to integrate Azure MFA?
3. What technology should the organization use to enable biometric MFA?
4. How should the organization ensure that all requests are secure?



Thought Experiment Answers
1. The organization should upgrade the farm server by server: add Windows Server 2016 servers to the existing Windows Server 2012 R2 farm, move the primary role to one of them, retire the 2012 R2 servers, and then raise the Farm Behavior Level of the AD FS farm. They should not reinstall AD FS and export and import the configuration.
2. No additional MFA server or management product is needed; the Azure MFA adapter is built into AD FS on Windows Server 2016. The only extra software is the Windows Azure Active Directory Module for Windows PowerShell, which is used to register the tenant certificate credential and configure the tenant, as listed in the prerequisites earlier in the chapter.
3. Windows Hello for Business should be used to ensure that biometric authentication can be used with the published applications.
4. They should set the WAP to redirect all HTTP requests to HTTPS for each published application.
