
MCT USE ONLY. STUDENT USE PROHIBITED

OFFICIAL MICROSOFT LEARNING PRODUCT

20417A
Upgrading Your Skills to MCSA
Windows Server® 2012

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement by Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement by Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20417A

Part Number: X18-48638

Released: 08/2012
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.

BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.

d. “End User” means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.

g. “Microsoft IT Academy Member” means a current, active member of the Microsoft IT Academy
Program.

h. “Microsoft Learning Competency Member” means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.

i. “Microsoft Official Course” or “MOC Course” means the Official Microsoft Learning Product instructor-
led courseware that educates IT professionals or developers on Microsoft technologies.
j. “Microsoft Partner Network Member” or “MPN Member” means a silver or gold-level Microsoft Partner
Network program member in good standing.

k. “Personal Device” means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.

l. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.

m. “Trainer Content” means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.

2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.

2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.

a. If you are an Authorized Learning Center:

i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure
server located on your premises where the Authorized Training Session is held for access and
use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching
the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom
Device for access and use by one (1) End User attending the Authorized Training Session, or by
one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior to
their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their accessing
the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.

b. If you are an MPN Member:

i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1)
Classroom Device, or (B) one (1) dedicated, secure server located at your premises where
the training session is held for use by one (1) of your employees attending a training session
provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1)
Classroom Device for use by one (1) End User attending a Private Training Session, or one (1)
MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior
to their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their
accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.

c. If you are an End User:

You may use the Licensed Content solely for your personal training use. If the Licensed Content is in
digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in
the form provided to you on one (1) Personal Device and install another copy on another Personal
Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1)
copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device
you do not own or control.
d. If you are an MCT:
i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an
Authorized Training Session or Private Training Session. For each license you acquire, you may
install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal
Device and install one (1) additional copy on another Personal Device as a backup copy, which may
be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed
Content on a device you do not own or control.

ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of “customize” refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable
installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion
thereof (including any permitted modifications) to any third parties without the express written permission
of Microsoft.

2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplement the terms described in this Agreement.

3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (“beta”) version, in addition to the other
provisions in this agreement, then these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earlier (“beta term”). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.

4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone else’s use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.

5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• install more copies of the Licensed Content on devices than the number of licenses you acquired;
• allow more individuals to access the Licensed Content than the number of licenses you acquired;
• publicly display, or make the Licensed Content available for others to access or use;
• install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
• access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
• access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
• transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.

8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

9. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.

11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to:
• anything related to the Licensed Content, services made available through the Licensed Content, or
content (including code) on third party Internet sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content is offered "as is". Any use of this Licensed Content is at
your sole risk. Microsoft gives no other express warranty. You may have additional rights under local
consumer protection law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers compensation
for direct damages only, up to US$5.00. You cannot claim any compensation for other damages, including
special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third-party Internet
sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it.

Revised December 2011

Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Stan Reimer – Content Developer


Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Active Directory® and Exchange Server deployments for some
of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft
Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in
Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12
years.

Damir Dizdarevic – Subject Matter Expert/Content Developer


Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager
and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has
more than 17 years of experience on Microsoft platforms and he specializes in Windows Server®,
Exchange Server, security, and virtualization. He has worked as a subject-matter expert and technical
reviewer on many Microsoft Official Courses (MOC), and has published more than 400 articles in
various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and highly rated
speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable
Professional for Windows Server Infrastructure Management.

Gary Dunlop – Subject Matter Expert


Gary Dunlop is based in Winnipeg, Canada and is a technical consultant and trainer for Broadview
Networks. He has authored a number of Microsoft Learning titles and has been an MCT since 1997.

Siegfried Jagott – Content Developer


Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at
Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft
Press), and has authored and technically reviewed several Microsoft Official Curriculum (MOC) courses
on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or
Exchange Server 2007 to Exchange Server 2010 SP1. He has coauthored various books on Windows,
Microsoft System Center Virtual Machine Manager, and Exchange, and is a frequent presenter on these
topics at international conferences such as IT & Dev Connections Spring 2012 in Las Vegas. Siegfried
has planned, designed, and implemented some of the world’s largest Windows and Exchange Server
infrastructures for international customers. He received an MBA from Open University in England, and has
been an MCSE since 1997.

Orin Thomas – Content Developer


Orin Thomas is an MVP and an MCT, and holds a string of Microsoft MCSE and MCITP certifications. He has
written more than 20 books for Microsoft® Press and is a contributing editor at Windows IT Pro magazine.
He has been working in IT since the early 1990s. He is a regular speaker at events such as TechED in
Australia and around the world on Windows Server, Windows Client, System Center, and security topics.
Orin founded and runs the Melbourne System Center Users Group.

Vladimir Meloski – Content Developer


Vladimir is a Microsoft Certified Trainer, an MVP on Exchange Server, and a consultant providing unified
communications and infrastructure solutions based on Microsoft Exchange Server, Lync Server, and
System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft
conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and
technical expert. He has also been involved as a subject matter expert and technical reviewer for several
Microsoft Official Curriculum courses.

Contents
Module 1: Installing and Configuring Servers Based on Windows Server 2012
Lesson 1: Installing Windows Server 2012 1-2
Lesson 2: Configuring Windows Server 2012 1-13
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers 1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012 1-25

Module 2: Monitoring and Maintaining Windows Server 2012


Lesson 1: Reasons for Monitoring Servers 2-2
Lesson 2: Implementing Windows Server Backup 2-11
Lesson 3: Implementing Server and Data Recovery 2-15
Lab: Monitoring and Maintaining Windows 2012 Servers 2-19

Module 3: Managing Windows Server 2012 by Using Windows PowerShell 3.0


Lesson 1: Overview of Windows PowerShell 3.0 3-2
Lesson 2: Using Windows PowerShell 3.0 to Manage AD DS 3-9
Lesson 3: Managing Servers by Using Windows PowerShell 3.0 3-20
Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0 3-26

Module 4: Managing Storage for Windows Server 2012


Lesson 1: New Features in Windows Server 2012 Storage 4-2
Lesson 2: Configuring iSCSI Storage 4-12
Lesson 3: Configuring Storage Spaces in Windows Server 2012 4-18
Lab A: Managing Storage for Servers Based on Windows Server 2012 4-23
Lesson 4: Configuring BranchCache in Windows Server 2012 4-25
Lab B: Implementing BranchCache 4-36

Module 5: Implementing Network Services


Lesson 1: Implementing DNS and DHCP Enhancements 5-2
Lesson 2: Implementing IP Address Management 5-10
Lesson 3: NAP Overview 5-14
Lesson 4: Implementing NAP 5-20
Lab: Implementing Network Services 5-25

Module 6: Implementing DirectAccess


Lesson 1: Overview of DirectAccess 6-2
Lesson 2: Installing and Configuring DirectAccess Components 6-14
Lab: Implementing DirectAccess 6-24

Module 7: Implementing Failover Clustering


Lesson 1: Overview of Failover Clustering 7-2
Lesson 2: Implementing a Failover Cluster 7-13
Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster 7-18
Lesson 4: Maintaining a Failover Cluster 7-22
Lesson 5: Implementing a Multisite Failover Cluster 7-27
Lab: Implementing Failover Clustering 7-32

Module 8: Implementing Hyper-V


Lesson 1: Configuring Hyper-V Servers 8-2
Lesson 2: Configuring Hyper-V Storage 8-8
Lesson 3: Configuring Hyper-V Networking 8-16
Lesson 4: Configuring Hyper-V Virtual Machines 8-21
Lab: Implementing Server Virtualization with Hyper-V 8-27

Module 9: Implementing Failover Clustering with Hyper-V


Lesson 1: Overview of the Integration of Hyper-V with
Failover Clustering 9-2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover
Clusters 9-7
Lesson 3: Implementing Hyper-V Virtual Machine Movement 9-14
Lesson 4: Managing Hyper-V Virtual Environments by Using
System Center Virtual Machine Manager 9-19
Lab: Implementing Failover Clustering with Hyper-V 9-29

Module 10: Implementing Dynamic Access Control


Lesson 1: Overview of Dynamic Access Control 10-2
Lesson 2: Planning for a Dynamic Access Control Implementation 10-8
Lesson 3: Configuring Dynamic Access Control 10-13
Lab: Implementing Dynamic Access Control 10-22

Module 11: Implementing Active Directory Domain Services


Lesson 1: Deploying AD DS Domain Controllers 11-2
Lesson 2: Configuring AD DS Domain Controllers 11-11
Lesson 3: Implementing Service Accounts 11-16
Lesson 4: Implementing Group Policy in AD DS 11-19
Lesson 5: Maintaining AD DS 11-28
Lab: Implementing AD DS 11-35

Module 12: Implementing Active Directory Federation Services


Lesson 1: Overview of Active Directory Federation Services 12-2
Lesson 2: Deploying Active Directory Federation Services 12-11
Lesson 3: Implementing AD FS for a Single Organization 12-17
Lesson 4: Deploying AD FS in a Business-to-Business Federation
Scenario 12-23
Lab: Implementing AD FS 12-28

Lab Answer Keys


Module 1 Lab: Installing and Configuring Servers Based on Windows
Server 2012 L1-1
Module 2 Lab: Monitoring and Maintaining Windows 2012 Servers L2-7
Module 3 Lab: Managing Servers Running Windows Server 2012 by
Using Windows PowerShell 3.0 L3-15
Module 4 Lab A: Managing Storage for Servers Based on Windows
Server 2012 L4-19
Module 4 Lab B: Implementing BranchCache L4-26
Module 5 Lab: Implementing Network Services L5-31
Module 6 Lab: Implementing DirectAccess L6-43
Module 7 Lab: Implementing Failover Clustering L7-55
Module 8 Lab: Implementing Server Virtualization with Hyper-V L8-63
Module 9 Lab: Implementing Failover Clustering with Hyper-V L9-71
Module 10 Lab: Implementing Dynamic Access Control L10-77
Module 11 Lab: Implementing AD DS L11-89
Module 12 Lab: Implementing AD FS L12-97

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description

Note: This first release (“A”) Microsoft® Official Courses (MOC) version of course 20417A has
been developed on Windows Server® 2012 RC. Microsoft Learning will release a “B” version of
this course after the release-to-manufacturing (RTM) version of the software is available.

This course is designed primarily for people who want to upgrade their technical skills from Windows
Server 2008 and Windows Server 2008 R2 to Windows Server 2012. It presumes a high level of knowledge
about previous Windows Server versions. This course also serves as preparation for taking exam 70-417,
on the upgrade path to a new MCSA: Windows Server 2012 certification.

Audience
The primary audience for this course is Information Technology (IT) professionals who are experienced
Windows Server 2008 server administrators, who carry out day-to-day management and
administrative tasks, and who want to update their skills and knowledge to Windows Server 2012.

The secondary audience for this course includes candidates who hold existing credentials in Windows
Server 2008 at Technology Specialist (TS) or Professional (PRO) level, and who want to migrate their
current credentials to the new credential of Microsoft Certified Solutions Associate (MCSA) with Windows
Server 2012.

Student Prerequisites
In addition to their professional experience, students who attend this training should have the following
technical knowledge:

• Two or more years of experience deploying and managing Windows Server 2008

• Experience with Windows networking technologies and implementation

• Experience with Active Directory® technologies and implementation

• Experience with Windows Server 2008 server virtualization technologies and implementation

Students attending this course are expected to have passed the following exams, or have equivalent
knowledge:
• Exam 70-640: Windows Server 2008 Active Directory, Configuring

• Exam 70-642: Windows Server 2008 Network Infrastructure, Configuring

• Exam 70-646: Windows Server 2008, Server Administrator



Course Objectives
After completing this course, students will be able to:

• Install and configure Windows Server 2012 servers.

• Monitor and maintain Windows Server 2012 servers.


• Use Windows PowerShell® 3.0 to manage Windows Server 2012 servers.

• Configure storage on Windows Server 2012 servers.

• Deploy and manage network services.


• Deploy and manage a DirectAccess infrastructure.

• Provide high availability for network services and applications by implementing failover clustering.

• Deploy and configure virtual machines on Hyper-V®.

• Deploy and manage Hyper-V virtual machines in a failover cluster.

• Configure Dynamic Access Control to manage and audit access to shared files.

• Implement the new features in Active Directory Domain Services (AD DS) for Windows Server 2012.
• Plan and implement an Active Directory Federation Services (AD FS) deployment.

Course Outline
This section provides an outline of the course:

Module 1, Installing and Configuring Servers Based on Windows Server 2012

Module 2, Monitoring and Maintaining Windows Server 2012

Module 3, Managing Windows Server 2012 by Using Windows PowerShell 3.0

Module 4, Managing Storage for Windows Server 2012

Module 5, Implementing Network Services

Module 6, Implementing DirectAccess

Module 7, Implementing Failover Clustering

Module 8, Implementing Hyper-V

Module 9, Implementing Failover Clustering with Hyper-V

Module 10, Implementing Dynamic Access Control

Module 11, Implementing Active Directory Domain Services

Module 12, Implementing Active Directory Federation Services



Exam/Course Mapping
This course, 20417A: Upgrading Your Skills to MCSA Windows Server 2012, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-417: Upgrading Your Skills to MCSA Windows
Server 2012.

The table below is provided as a study aid to assist you in preparing for this exam and to show you
how the exam objectives and the course content fit together. The course is not designed exclusively
to support the exam; rather, it provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course also contains content that is not directly
covered in the examination and draws on the unique experience and skills of your qualified Microsoft
Certified Trainer.

Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab2.

Exam Objective Domains / Course Content (Module, Lesson, Lab)

Exam 70-410: Installing and Configuring Windows Server 2012

Install and Configure Servers

Install servers. This objective may include but is not limited to: Plan for a server installation; plan for
server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features
on Demand; migrate roles from previous versions of Windows Server.
Course content: Mod 1, Lesson 1/2; Lab: Mod 1 Ex 1

Configure servers. This objective may include but is not limited to: Configure Server Core; delegate
administration; add and remove features in offline images; deploy roles on remote servers; convert Server
Core to/from full GUI; configure services; configure NIC teaming.
Course content: Mod 1, Lesson 2/3; Lab: Mod 1 Ex 2/3

Configure local storage. This objective may include but is not limited to: Design storage spaces; configure
basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard
disks (VHDs); configure storage pools and disk pools.
Course content: Mod 4, Lesson 3; Lab: Mod 4 Ex 2/3

Configure Server Roles and Features

Configure servers for remote management. This objective may include but is not limited to: Configure
WinRM; configure down-level server management; configure servers for day-to-day management tasks;
configure multi-server management; configure Server Core; configure Windows Firewall.
Course content: Mod 1, Lesson 1/2/3; Lab: Mod 1 Ex 1/2

Exam 70-410: Installing and Configuring Windows Server 2012 (continued)

Configure Hyper-V

Create and configure virtual machine settings. This objective may include but is not limited to: Configure
dynamic memory; configure smart paging; configure Resource Metering; configure guest integration
services.
Course content: Mod 8, Lesson 1/4; Lab: Mod 8 Ex 3

Create and configure virtual machine storage. This objective may include but is not limited to: Create
VHDs and VHDX; configure differencing drives; modify VHDs; configure pass-through disks; manage
snapshots; implement a virtual Fibre Channel adapter.
Course content: Mod 8, Lesson 2; Lab: Mod 8 Ex 2/3

Create and configure virtual networks. This objective may include but is not limited to: Implement Hyper-V
Network Virtualization; configure Hyper-V virtual switches; optimize network performance; configure MAC
addresses; configure network isolation; configure synthetic and legacy virtual network adapters.
Course content: Mod 8, Lesson 3; Lab: none

Install and Administer Active Directory

Install domain controllers. This objective may include but is not limited to: Add or remove a domain
controller from a domain; upgrade a domain controller; install Active Directory Domain Services (AD DS)
on a Server Core installation; install a domain controller from Install from Media (IFM); resolve DNS SRV
record registration issues; configure a global catalog server.
Course content: Mod 11, Lesson 1/2; Lab: Mod 11 Ex 2/3

Exam 70-411: Administering Windows Server 2012

Deploy, Manage, and Maintain Servers

Monitor servers. This objective may include but is not limited to: Configure Data Collector Sets (DCS);
configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events;
configure event subscriptions; configure network monitoring.
Course content: Mod 2, Lesson 1; Lab: Mod 2 Ex 1

Configure Network Services and Access

Configure DirectAccess. This objective may include but is not limited to: Implement server requirements;
implement client configuration; configure DNS for Direct Access; configure certificates for Direct Access.
Course content: Mod 6, Lesson 1/2; Lab: Mod 6 Ex 1/2/3

Exam 70-411: Administering Windows Server 2012 (continued)

Configure a Network Policy Server Infrastructure

Configure Network Access Protection (NAP). This objective may include but is not limited to: Configure
System Health Validators (SHVs); configure health policies; configure NAP enforcement using DHCP and
VPN; configure isolation and remediation of non-compliant computers using DHCP and VPN; configure
NAP client settings.
Course content: Mod 5, Lesson 4; Lab: Mod 5 Ex 3

Configure and Manage Active Directory

Configure Domain Controllers. This objective may include but is not limited to: Configure Universal Group
Membership Caching (UGMC); transfer and seize operations masters; install and configure a read-only
domain controller (RODC); configure Domain Controller cloning.
Course content: Mod 11, Lesson 1/2; Lab: Mod 11 Ex 1

Maintain Active Directory. This objective may include but is not limited to: Back up Active Directory and
SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata;
configure Active Directory snapshots; perform object- and container-level recovery; perform Active
Directory restore.
Course content: Mod 11, Lesson 5; Lab: none

Configure and Manage Group Policy

Configure Group Policy processing. This objective may include but is not limited to: Configure processing
order and precedence; configure blocking of inheritance; configure enforced policies; configure security
filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing;
configure client-side extension (CSE) behavior.
Course content: Mod 11, Lesson 4; Lab: Mod 11 Ex 2

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Configure and Manage High Availability

Configure failover clustering. This objective may include but is not limited to: Configure Quorum; configure
cluster networking; restore single node or cluster configuration; configure cluster storage; implement
Cluster Aware Updating; upgrade a cluster.
Course content: Mod 7, Lesson 1/2/4; Lab: Mod 7 Ex 1/2/4

Manage failover clustering roles. This objective may include but is not limited to: Configure role-specific
settings including continuously available shares; configure VM monitoring; configure failover and
preference settings.
Course content: Mod 7, Lesson 3/4; Lab: Mod 7 Ex 2

Manage Virtual Machine (VM) movement. This objective may include but is not limited to: Perform live
migration; perform quick migration; perform storage migration; import, export, and copy VMs; migrate
from other platforms (P2V and V2V).
Course content: Mod 8, Lesson 4; Mod 9, Lesson 3/4; Lab: Mod 9 Ex 3

Configure File and Storage Solutions

Implement Dynamic Access Control (DAC). This objective may include but is not limited to: Configure user
and device claim types; implement policy changes and staging; perform access-denied remediation;
configure file classification.
Course content: Mod 10, Lesson 1/2/3; Lab: Mod 10 Ex 2/3/4/5

Implement Business Continuity and Disaster Recovery

Configure and manage backups. This objective may include but is not limited to: Configure Windows
Server backups; configure Windows Online backups; configure role-specific backups; manage VSS settings
using VSSAdmin; create System Restore snapshots.
Course content: Mod 2, Lesson 2; Lab: Mod 2 Ex 2/3/4

Configure site-level fault tolerance. This objective may include but is not limited to: Configure Hyper-V
Replica including Hyper-V Replica Broker and VMs; configure multi-site clustering including network
settings, Quorum, and failover settings.
Course content: Mod 9, Lesson 1/3; Lab: Mod 9 Ex 1

Configure Network Services

Deploy and manage IPAM. This objective may include but is not limited to: Configure IPAM manually or by
using Group Policy; configure server discovery; create and manage IP blocks and ranges; monitor
utilization of IP address space; migrate to IPAM; delegate IPAM administration; manage IPAM collections.
Course content: Mod 5, Lesson 2; Lab: Mod 5 Ex 2

Exam 70-412: Configuring Advanced Windows Server 2012 Services (continued)

Configure Identity and Access Solutions

Implement Active Directory Federation Services 2.1 (AD FSv2.1). This objective may include but is not
limited to: Implement claims-based authentication including Relying Party Trusts; configure Claims
Provider Trust rules; configure attribute stores including Active Directory Lightweight Directory Services
(AD LDS); manage AD FS certificates; configure AD FS proxy, Integration with Cloud Services.
Course content: Mod 12, Lesson 1/2/3; Lab: Mod 12 Ex 1/2/3/4

Important Attending this course in itself will not successfully prepare you to pass any
associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:

• Experience with implementing, managing and administering a Windows Server 2008 and Windows
Server 2008 R2 environment

• Knowledge equivalent to the MCSA: Windows Server 2008 credential

• Minimum of one to two years of real-world, hands-on experience installing and configuring a Windows
Server infrastructure

• Additional study outside of the content in this handbook


There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab3

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to
change at any time, and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.

Course Materials
The following materials are included with your kit:

• Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.

• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s
needed.

• Course evaluation: At the end of the course, you have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send email to
mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.

Important At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab. For the Module 8
lab, you should leave the virtual machines running for the Module 9 lab.

The following table shows the role of each virtual machine used in this course:

Virtual machine Role


20417A-LON-DC1 Domain controller that is running Windows Server 2012 in the Adatum.com domain

20417A-LON-SVR1 Windows Server 2012 server, member of Adatum.com domain

20417A-LON-SVR2 Windows Server 2012 server, member of Adatum.com domain

20417A-LON-SVR3 Windows Server 2012 server, member of Adatum.com domain

20417A-LON-SVR4 Windows Server 2012 server, member of Adatum.com domain

20417A-LON-SVR5 Server with a blank VHD



20417A-LON-TMG Threat Management Gateway server in the Adatum.com domain

20417A-MUN-DC1 Domain controller that is running Windows Server 2012 in the TreyResearch.com domain

20417A-LON-CL1 Client computer running Windows® 8 and Office 2010 Service Pack 1 (SP1) in the
Adatum.com domain

20417A-LON-CL2 Client computer running Windows 8 and Office 2010 SP1 in the Adatum.com domain

Software Configuration
The following software is installed on each virtual machine:

• Windows Server 2012 RC

• Windows 8 RP

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Hardware Level 6
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*

• 8 GB random access memory (RAM) or higher

• DVD drive
• Network adapter

• Super VGA (SVGA) 17-inch monitor

• Microsoft Mouse or compatible pointing device

• Sound card with amplified speakers



Module 1
Installing and Configuring Servers Based on
Windows Server 2012
Contents:
Module Overview 1-1

Lesson 1: Installing Windows Server 2012 1-2

Lesson 2: Configuring Windows Server 2012 1-13

Lesson 3: Configuring Remote Management for Windows Server 2012 Servers 1-21

Lab: Installing and Configuring Servers Based on Windows Server 2012 1-25

Module Review and Takeaways 1-30

Module Overview
Knowing the capabilities of the Windows Server® 2012 operating system enables you to use it effectively,
and to take complete advantage of what it can offer your organization. Some of the many improvements
to Windows Server 2012 include:

• Increased scalability and performance

• Virtualization features, such as Hyper-V Replica

• Improved Windows PowerShell® and scripting support

• High performance SMB 3.0 file shares


This module introduces you to Windows Server 2012, how to install it, how to perform post-installation
configuration tasks, and how to configure it to support remote management.

Objectives
After completing this module, you will be able to:

• Describe the installation requirements for Windows Server 2012.

• Configure Windows Server 2012.


• Configure Windows Remote Management.

• Install the Windows Server 2012 operating system on servers.



Lesson 1
Installing Windows Server 2012

You must have a firm understanding of your organization's requirements so that you can deploy the
appropriate edition of Windows Server 2012. You must also understand which hardware configuration
is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a
physical deployment, and which installation source enables you to deploy Windows Server 2012
efficiently.

This lesson provides an overview of the different Windows Server 2012 editions, hardware requirements,
deployment options, and installation process.

Lesson Objectives
After completing this lesson you will be able to:

• Describe the different editions of Windows Server 2012.

• Determine whether a particular hardware configuration is appropriate for Windows Server 2012.

• Explain how to perform a physical or a virtual deployment of Windows Server 2012.

• Select an appropriate installation source for a Windows Server 2012 deployment.

• Determine when you can upgrade and when you must migrate to Windows Server 2012.

• Decide between a Server Core installation and a full installation.

• Install Windows Server 2012.

• Perform post-installation configuration tasks.

Windows Server 2012 Editions

There are several editions of Windows Server 2012. Organizations can select the edition of Windows
Server 2012 that best meets their needs. Systems administrators can save costs by selecting the
appropriate edition when deploying a server for a specific role. The editions of Windows Server 2012
are listed in the following table.

Edition Description

Windows Server 2012 Standard edition • Provides all roles and features available on the Windows
Server 2012 platform.
• Supports up to 64 sockets and up to 4 terabytes (TB) of RAM.
• Includes 2 virtual machine licenses.

Windows Server 2012 Datacenter edition • Provides all roles and features that are available on the
Windows Server 2012 platform.
• Supports 64 sockets, up to 640 processor cores, and up
to 4 terabytes of RAM.
• Includes unlimited virtual machine licenses for virtual
machines that run on the same hardware.

Windows Server 2012 Foundation • Allows only 15 users and cannot be joined to a domain.
edition
• Supports one processor core and up to 32 GB of RAM.
• Includes limited server roles.

Windows Server 2012 Essentials • Serves as the next edition of Small Business Server.
• Cannot function as a Hyper-V, failover clustering, server
core, or remote desktop services server.
• Supports up to 25 users, 50 devices.
• Supports 2 processor cores and 64 GB of RAM.
• Must be root server in domain.

Microsoft Hyper-V Server 2012 • Stand-alone Hyper-V platform for virtual machines with
no UI.
• No licensing cost for the host OS; virtual machines must be
licensed normally.
• Supports 64 sockets and 4 TB of RAM.
• Supports domain join.
• Does not support other Windows Server 2012 roles, other
than limited file services features.

Windows Storage Server 2012 Workgroup • Entry-level unified storage appliance.
• Supports up to 50 users.
• Supports one processor core, 32 GB of RAM.
• Supports domain join.

Windows Storage Server 2012 Standard • Supports 64 sockets, but is licensed on a 2 socket
incrementing basis.
• Supports 4 TB of RAM.
• Includes 2 virtual machine licenses.
• Supports domain join.
• Supports some roles, including DNS and DHCP Server
roles, but does not support others, including Active
Directory® Domain Services (AD DS), Active Directory
Certificate Services (AD CS), and Active Directory
Federation Services (AD FS).

Windows MultiPoint Server 2012 Standard • Supports multiple users accessing the same host
computer directly using separate mouse, keyboard, and
monitors.
• Supports one socket, 32 GB of RAM and a maximum of
12 sessions.
• Supports some roles, including DNS and DHCP Server
roles, but does not support others, including AD DS, AD
CS, and AD FS.
• Does not support domain join.

Windows MultiPoint Server 2012 Premium • Supports multiple users accessing the same host
computer directly using separate mouse, keyboard, and
monitors.
• Limited to 2 sockets, 4 TB of RAM and a maximum of 22
sessions.
• Supports some roles, including DNS and DHCP Server
roles, but does not support others, including AD DS, AD
CS, and AD FS.
• Supports domain join.

Additional Reading: For more information about the differences between Windows Server
2012 editions, see http://www.windowsservercatalog.com/svvp.aspx.

Hardware Requirements for Installing Windows Server 2012

Hardware requirements define the absolute minimum required to run the server software. The
actual hardware requirements depend on the services that the server is hosting, the load on the
server, and how responsive you want the server to be.

The services and features of each role put a unique load on network, disk I/O, processor, and memory
resources.

Virtualized deployments of Windows Server 2012 must match the same hardware specifications as
physical deployments. Windows Server 2012 is supported on Hyper-V® and certain third-party
virtualization platforms.

The minimum hardware requirements for Windows Server 2012 are shown in the following table.

Component Requirement

Processor architecture x86-64

Processor speed 1.4 GHz

Memory (RAM) 512 MB

Hard disk drive space 32 GB, or more if the server has more than 16 GB of RAM

Additional Reading: For more information about the Windows Server Virtualization Validation
Program, see http://www.windowsservercatalog.com/svvp.aspx.

Considerations for Deploying Physical or Virtual Machines

With virtualization you can be more efficient in the way that you allocate resources to servers. Instead
of allocating separate hardware to a server that minimally uses resources, you can virtualize that
server and enable those minimally used hardware resources to be shared with other virtual machines.

When determining whether to deploy a server physically or virtually, you must determine how
that server uses hardware resources. Consider these points:

• Servers that constantly put hardware under resource pressure are poor candidates for
virtualization. This is because virtual machines share resources. A single virtual machine that uses a
disproportionate amount of hypervisor resources can have an adverse effect on other virtual
machines hosted on the same hypervisor.

• Servers that put minimal pressure on hardware resources are good candidates for virtualization. These
servers are unlikely to monopolize the host resources, ensuring that each virtual machine hosted on
the hypervisor can access enough hardware resources to perform adequately.

For example, a particular database server that heavily uses disk and network resources would be better
deployed on a physical computer. If it were deployed as a virtual machine, other virtual machines on the
same hypervisor would have to compete for access to those heavily-used disk and network resources.
Alternatively, allocating a physical platform to a server that requires minimal hardware resources, such as
a server running Certificate Services, means that powerful hardware is underused.

Other things to consider when determining whether to deploy a server virtually or physically are:

• High Availability. After you have built a highly available virtual machine cluster, any virtual machine
deployed to that cluster also becomes highly available. This is simpler than setting up separate
failover clusters for physical servers that host the same role.

• Scalability. Moving a virtual machine with its associated applications and data to a new host platform
is significantly simpler than migrating a physically deployed server, its applications, and data to a new
host platform. If you must quickly scale up capacity, you can also migrate a virtual machine to a cloud
provider, something that is far more difficult to do with a physically deployed server.
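The minimum hardware table and the physical-versus-virtual decision above can be turned into a quick assessment. The following PowerShell script is an added example and is not part of the course; the resource-pressure thresholds, the one-minute sampling window and the extra disk space added for servers with more than 16 GB of RAM are assumptions chosen for illustration.

```powershell
# Added example (not part of the course): compares a server with the minimum
# hardware table from this lesson and samples resource pressure to suggest
# whether it is a good virtualization candidate. Pressure thresholds are
# assumptions chosen for illustration, not values from the course.

function Test-Ws2012MinimumHardware {
    [CmdletBinding()]
    param(
        [string]$ComputerName,
        [string]$SystemDrive = 'C:'   # drive checked for the 32 GB requirement (assumption)
    )
    $cim = @{}
    if ($ComputerName) { $cim.ComputerName = $ComputerName }   # remote query uses WinRM

    $cpu  = Get-CimInstance @cim -ClassName Win32_Processor | Select-Object -First 1
    $os   = Get-CimInstance @cim -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance @cim -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"

    $ramMB  = [math]::Round($os.TotalVisibleMemorySize / 1KB)   # WMI reports KB
    $ramGB  = [math]::Round($ramMB / 1KB, 1)
    $diskGB = [math]::Round($disk.Size / 1GB, 1)

    # Course table: 32 GB, or more if the server has more than 16 GB of RAM.
    # The extra amount is not quantified in the lesson; adding the RAM size
    # (room for a page file and a full memory dump) is an assumption.
    $minDiskGB = if ($ramGB -gt 16) { 32 + $ramGB } else { 32 }

    [pscustomobject]@{
        ComputerName  = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Is64Bit       = $os.OSArchitecture -like '64*'        # x86-64 required
        CpuClockMHz   = $cpu.MaxClockSpeed
        CpuOk         = $cpu.MaxClockSpeed -ge 1400           # 1.4 GHz minimum
        MemoryMB      = $ramMB
        MemoryOk      = $ramMB -ge 512                        # 512 MB minimum
        SystemDiskGB  = $diskGB
        MinimumDiskGB = $minDiskGB
        DiskOk        = $diskGB -ge $minDiskGB
    }
}

function Measure-VirtualizationCandidacy {
    [CmdletBinding()]
    param(
        [string]$ComputerName,
        [int]$Samples = 12,            # 12 samples x 5 s = one minute of observation
        [int]$IntervalSeconds = 5,
        # Assumed "constant pressure" thresholds; tune them to your environment.
        [double]$CpuBusyPercent = 60,
        [double]$DiskBusyPercent = 50,
        [double]$NetworkMbps = 200
    )
    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\PhysicalDisk(_Total)\% Disk Time',
        '\Network Interface(*)\Bytes Total/sec'
    )
    $gc = @{ Counter = $counters; SampleInterval = $IntervalSeconds; MaxSamples = $Samples }
    if ($ComputerName) { $gc.ComputerName = $ComputerName }
    $sets = Get-Counter @gc

    # Average each counter over the window; network bytes are summed across
    # all interfaces within a sample before averaging.
    $avg = { param($pattern)
        ($sets.CounterSamples | Where-Object Path -like $pattern |
            Measure-Object CookedValue -Average).Average }
    $cpuAvg  = & $avg '*\processor(_total)\% processor time'
    $diskAvg = & $avg '*\physicaldisk(_total)\% disk time'
    $netBps  = ($sets | ForEach-Object {
        ($_.CounterSamples | Where-Object Path -like '*\network interface(*)\bytes total/sec' |
            Measure-Object CookedValue -Sum).Sum } | Measure-Object -Average).Average
    $netMbps = [math]::Round($netBps * 8 / 1MB, 1)

    $pressure = @()
    if ($cpuAvg  -ge $CpuBusyPercent)  { $pressure += 'CPU' }
    if ($diskAvg -ge $DiskBusyPercent) { $pressure += 'disk' }
    if ($netMbps -ge $NetworkMbps)     { $pressure += 'network' }

    [pscustomobject]@{
        CpuPercentAvg     = [math]::Round($cpuAvg, 1)
        DiskPercentAvg    = [math]::Round($diskAvg, 1)
        NetworkMbpsAvg    = $netMbps
        SustainedPressure = $pressure -join ', '
        # Lesson guidance: servers that constantly stress hardware are poor
        # virtualization candidates; lightly loaded servers are good ones.
        Recommendation    = if ($pressure) {
            "Poor candidate: sustained $($pressure -join '/') pressure; prefer a physical deployment"
        } else { 'Good candidate for virtualization' }
    }
}

Test-Ws2012MinimumHardware | Format-List
Measure-VirtualizationCandidacy | Format-List
```

Run it during a representative busy period rather than off-hours, because the candidacy verdict depends entirely on the load observed in the sampling window.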

Windows Server 2012 Installation Sources

Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format.
You can install Windows Server 2012 by using several methods, including those listed in the
following table.

Method Notes

Optical media • Requires that the computer has access to a DVD drive.
• Optical media is usually slower than USB media.
• You cannot update the installation image without replacing the media.
• You can only perform one installation per DVD at a time.

USB media • Requires the administrator to perform special steps to prepare USB media
from an ISO file.
• All computers support booting from USB media.
• Image can be updated as new software updates and drivers become
available.
• Answer file can be stored on the USB drive, reducing the interaction that the
administrator must perform.

Mounted ISO image • Virtualization software enables you to directly mount the ISO image.
• Does not require writing the ISO image to optical media.

Network share • Deploy from installation files on a network share.
• Requires you to boot the server off a boot device (DVD or USB drive) and
install from installation files hosted on a network share.
• Much slower than using Windows Deployment Services (WDS).
• If you already have access to DVD or USB media, it is simpler to use
those tools for operating system deployment.

Windows Deployment • WDS lets you deploy Windows Server 2012 from Windows Imaging Format
Services (WDS) (WIM) image files or specially prepared VHD files.
• You can use the Windows Automated Installation Kit to configure lite-
touch deployment.
MCT USE ONLY. STUDENT USE PROHIBITED
Upgrading Your Skills to MCSA Windows Server® 2012 1-7

Method Notes
• Clients perform a Pre-Boot Execution Environment (PXE) boot to contact
the WDS server. The operating system image is then transmitted to the
server over the network.
• WDS supports multiple concurrent installations of Windows Server 2012
using multicast network transmissions.

System Center • Microsoft® System Center Configuration Manager enables you to fully
Configuration automate the deployment of Windows Server 2012 to “bare metal”
Manager servers.
• Enables Zero Touch deployment.

Virtual Machine • Requires Virtual Machine Manager (VMM) in System Center.


Manager templates
• Enables rapid deployment of Windows Server 2012 in private cloud
scenarios.
• Can be used to enable self-service deployment of Windows Server 2012
virtual machines.

Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format.

You can install Windows Server 2012 by using several methods, including those listed in the following
table.

Method Notes

Optical media • Requires that the computer has access to a DVD drive.
• Optical media is usually slower than USB media.
• You cannot update the installation image without replacing the media.
• You can only perform one installation per DVD at a time.

USB media • Requires the administrator to perform special steps to prepare USB
media from ISO file.
• All computers support booting from USB media.
• Image can be updated as new software updates and drivers become
available.
• Answer file can be stored on USB drive, reducing the interaction that the
administrator must perform.

Mounted ISO image • Virtualization software enables you to directly mount the ISO image.
• Does not require writing the ISO image to optical media.

Network share • Deploy from installation files on network share.


• Requires you boot the server off a boot device (DVD or USB drive) and
install from installation files hosted on a network share.
• Much slower than using Windows Deployment Services (WDS).
• If you already have access to a DVD or USB media, it is simpler to use
those tools for operating system deployment.
MCT USE ONLY. STUDENT USE PROHIBITED
1-8 Installing and Configuring Serveers Based on Window
ws Server 2012

Method No
otes

Windows
W Deplo
oyment • WDS let you deploy
d Window ws Server 2012 2 from Window ws Imaging
Se
ervices (WDS) Format (WIM)) image files o r specially pre pared VHD file
es.
• You can use th
he Windows A
Automated Insttallation Kit to
o configure lite
e-
touch deploymment.
• Clients perform a Pre-Boot Execution Envvironment (PXEE) boot to contact
the WDS serve er. The operat ing system im age is then traansmitted to th
he
server over the network.
• WDS supportss multiple conccurrent installaations of Wind
dows Server 20
012
using multicasst network tran
nsmissions.

Syystem Center • Microsoft® Syystem Center C


Configuration M
Manager enabbles you to fullly
Configuration Manager
M automate the deployment o of Windows Seerver 2012 to ““bare metal”
servers.
• Enables Zero Touch
T deploym
ment.

Virtual Machine
e • Requires Virtu
ual Machine M
Manager (VMM
M) in System Ce
enter.
Manager
M templates
• Enables rapid deployment o
of Windows Seerver 2012 in p
private cloud
scenarios.
• Can be used to
t enable self-sservice deployyment of Wind
dows Server 20
012
virtual machin
nes.

Options for Upgrading and Migrating to Windows Server 2012
When considering whether to upgrade or migrate a server to Windows Server 2012, consider the
options described in the following table.

Installation option Description

Upgrade An upgrade preserves the files, settings, and applications installed on the
original server. You perform an upgrade when you want to keep all these items
and want to continue using the same server hardware. Upgrade requires an x64
processor architecture and an x64 edition of the Windows Server operating
system. You can only upgrade to Windows Server 2012 from x64 versions of
Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and
Windows Server 2008 R2. You can only upgrade to an equivalent or a later
edition of Windows Server 2012. You start an upgrade by running Setup.exe
from the original operating system.

Migration Use migration when you migrate from an x86 version of Windows Server 2003,
Windows Server 2003 R2, or Windows Server 2008. Use migration when you
want to replace the original server with one running an earlier edition, for
example replacing Windows Server 2008 R2 Enterprise edition with Windows
Server 2012 Standard edition. You can use the Windows Server Migration Tools
feature in Windows Server 2012 to transfer files and settings from computers
running the Windows Server 2003, Windows Server 2003 R2, Windows Server
2008, Windows Server 2008 R2 and Windows Server 2012 operating systems.

Choosing Between Server Core and Full Installation
Server Core is a minimal installation option for Windows Server 2012. With Server Core, you
perform management tasks locally from the command-line or remotely from another computer.
Server Core is the default installation option for Windows Server 2012. Server Core has the
following advantages over a traditional deployment of Windows Server 2012:

• Reduced update requirements. Because Server Core installs fewer components, Server Core
deployments require the application of fewer software updates. This reduces the time that is
required for an administrator to service Server Core.

• Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. This
means that when virtualized, more servers can be deployed on the same host.

Increasing numbers of Microsoft server applications are designed to run on computers that have Server
Core installations. Microsoft SQL Server® 2012 can be installed on computers running the Server Core
version of Windows Server 2008 R2.

There are two options for installing Server Core, as described in the following table.

Option Description

Server Core This is the standard deployment of Server Core. By default all graphical
administration components are in a Removed state. Simply stated, Removed
components occupy no disk space on the server. Server Core systems are managed
locally by using the command-line interface only, or can be managed by a remote
system using graphical administration tools. You can convert to the full version of
Windows Server 2012 that includes the graphical administration components only
if you have access to an installation source with all server files, such as a mounted
WIM image. Any Server Core component in a Removed state can only be installed
by using an installation source.

Server Core with This is also known as Server Core-Full Server. This works the same as a deployment
Management of Windows Server 2012 with the graphical components. With this installation
option the graphical administration components are not in a Removed state.
Instead, these components are available (they are located on the server’s disk), but
not installed into the OS. You can convert between Server Core with Management
and Windows Server 2012 with a graphical interface by installing the graphical
features, but without having to specify an installation source.

On a local connection, you can use the tools described in the following table to manage Server Core
installations of Windows Server 2012.

Tool Function

Cmd.exe Enables you to run traditional command-line utilities, such as ping.exe,


ipconfig.exe, and netsh.exe.

PowerShell.exe Enables you to start a Windows PowerShell session on the Server Core
deployment. You can then perform Windows PowerShell tasks as usual.

Sconfig.cmd Command-line menu driven administrative tool that enables you to perform
most common server administrative tasks.

Notepad.exe Enables you to use the Notepad.exe Text Editor in the Server Core environment.

Registry Editor Provides registry access within the Server Core environment.

Msinfo32.exe Enables you to view system information about the Server Core deployment.

Taskmgr.exe Starts the Task Manager.

Note: If you accidentally close the Command Prompt window on a computer running
Server Core, you can restore it using this procedure:

1. Press Ctrl+Alt+Delete.

2. On the menu, click Task Manager.

3. On the File menu, click New Task (Run…).

4. Type cmd.exe and then press Enter.

Server Core supports most, but not all, Windows Server 2012 roles and features. You cannot install the
following roles on a computer running Server Core:

1. AD FS

2. Application Server

3. Network Policy and Access Services


4. Windows Deployment Services

Even if a role is available to a computer running the Server Core installation option, a specific role service
associated with that role may not be.

Note: You can check which roles are not available on Server Core by running the following
query (the InstallState value must be quoted so that Windows PowerShell treats it as a string):

Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}



The Windows Server 2012 administration model focuses on managing many servers from one console
instead of the traditional method of managing each server separately. When you want to perform an
administrative task, you are more likely to manage multiple computers running the Server Core operating
system from one computer than you are to connect to each computer individually. You can enable
remote management of a computer running Server Core by using sconfig.cmd or by executing the
command:

Netsh.exe firewall set service remoteadmin enable ALL
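As an added example that is not part of the course text, the following Windows PowerShell script enables the same remote administration on a Server Core host with the Windows Server 2012 tools that supersede the deprecated netsh firewall context. Instead of opening the rules to every address (ALL), it scopes them to a management subnet and then verifies that a WinRM listener and the firewall rules are in place. The subnet value is an assumption; replace it with your own.

```powershell
# Added example, not from the course. Enables remote management of a Server
# Core host and verifies the result. Run in an elevated PowerShell session.

# Assumption: management workstations live on this subnet. Replace it.
$ManagementSubnet = '172.16.0.0/24'

# Configure-SMRemoting.exe ships with Windows Server 2012; -Enable turns on the
# WinRM listener and the firewall rules that Server Manager relies on.
& "$env:SystemRoot\System32\Configure-SMRemoting.exe" -Enable

# Enable-PSRemoting prepares WinRM for remote Windows PowerShell sessions.
Enable-PSRemoting -Force | Out-Null

# Replacement for "netsh firewall set service remoteadmin enable ALL": enable
# only the rule groups that remote administration needs, and restrict their
# remote address to the management subnet rather than to every host.
foreach ($group in 'Windows Remote Management', 'Remote Administration') {
    Get-NetFirewallRule -DisplayGroup $group |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ManagementSubnet
}

function Test-RemoteManagementReady {
    # True when a WinRM listener exists and the WinRM rule group is enabled.
    $listener = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
             Where-Object { $_.Enabled -eq 'True' }
    return [bool]($listener -and $rules)
}

Test-RemoteManagementReady

# Show the address scope that was applied; it should list only the subnet.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Scoping the rules to the management network is the difference that matters from a defender's view: the netsh command in the text enables the remote administration service for all addresses, whereas this script leaves WinRM reachable only from where administrators actually connect.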

Installation Process for Windows Server 2012


In a typical installation of Windows Server 2012, if you do not have an existing answer file, you perform
the following steps:

1. Connect to the installation source. Some options for this include:

o Inserting a DVD-ROM that has the Windows Server 2012 installation files and booting from the
DVD-ROM.

o Connecting a USB drive that is made bootable and contains a copy of the Windows Server 2012
installation files.

o Performing a PXE boot from the computer onto which Windows Server 2012 will be installed, and
connecting to a WDS server.

2. On the first page of the Windows Setup Wizard, select the following:

o Language to install

o Time and currency format

o Keyboard or input method

3. On the second page of the Windows Setup Wizard, click Install now. You can also use this page to
select Repair Your Computer. Use this option if an installation has become corrupted and you can
no longer boot into Windows Server 2012.

4. On the Select The Operating System You Want To Install page of the Windows Setup Wizard,
select from the available operating system installation options. The default option is Server Core
installation.

5. On the License Terms page of the Windows Setup Wizard, review the terms of the operating system
license. You must accept the license terms before you can continue with the installation process.
6. On the Which Type Of Installation Do You Want page of the Windows Setup Wizard, you have the
following options:

o Upgrade. Select this option if you have an existing Windows Server installation that you want to
upgrade to Windows Server 2012. You should start upgrades from the earlier version of Windows
Server instead of booting from the installation source.

o Custom. Select this option if you want to perform a new installation.

7. On the Where do you want to install Windows page of the Windows Setup Wizard, select an
available disk on which to install Windows. You can also choose to repartition and reformat disks
from this page. When you click Next, the installation process will copy files and restart the computer
several times. This part of the installation can take several minutes, depending on the speed of the
platform on which you are installing Windows Server 2012.
8. On the Settings page, provide a password for the local Administrator account. After you have
provided this password, you can log on to the server and begin performing post-installation
configuration tasks.

Post-Installation Tasks
In earlier versions of Windows operating systems, the installation required you to configure network
connections, computer name, user account, and domain membership information. The Windows
Server 2012 installation process reduces the number of questions that you have to answer. The only
information that you provide during installation is the password that is used by the default local
Administrator account.

After it is installed, all the following steps can be performed when you select the Local Server node
in the Server Manager console:

• Configure the IP address

• Set the computer name

• Join an Active Directory domain

• Configure the time zone

• Enable automatic updates

• Add roles and features

• Enable remote desktop

• Configure Windows Firewall settings


Lesson 2
Configuring Windows Server 2012
By correctly configuring a server first, you can avoid significant problems later. When planning to
configure a server, you must determine what roles to deploy. You must also assess whether roles can be
co-located on the same server or if you deploy certain roles on separate servers.

Lesson Objectives
After completing this lesson you will be able to:

• Describe Windows Server 2012 server roles.

• Install roles and use the Best Practice Analyzer to check role configuration.

• Configure a computer running the Server Core installation option.

• Switch a computer between Server Core and the full GUI installation option.

• Configure networking and network interface teaming.

Demonstration: Exploring Server Manager in Windows Server 2012


In this demonstration, you will see how to use Server Manager to perform the following tasks:

• Log on to Windows Server 2012.


• View the Windows Server 2012 desktop.

• Start the Server Manager console.

• Add a server role or feature.


• View role related events.

• Run the Best Practice Analyzer for a role.

• List the tools available from Server Manager.


• Open the Start menu.

• Log off the currently logged on user.

• Restart Windows Server 2012.

Demonstration Steps
1. On LON-DC1, open the Add Roles and Features Wizard from the Server Manager Console.

2. Start the Add Roles and Features Wizard and select the following options:
o Role-based or feature-based installation

o LON-DC1

o FAX Server role

o BranchCache feature

3. Use the notification area to review the messages.

4. On the Dashboard, view DNS Events.


5. Configure the DNS - Events Detail View with the following settings:

o Time period: 12 hours

o Event Sources: All

6. View the DNS Best Practice Analyzer (BPA) with the following settings:

o Severity Levels: All

7. Use the Tools menu to view the tools that are installed on LON-DC1.

8. Demonstrate log off LON-DC1 and then log back on.

9. Open Windows PowerShell and then use the shutdown command to shut the server down.

Server Roles in Windows Server 2012
Roles and their associated Role Services are still a primary function of a server. Similarly, if you install
the Web Server (IIS) role, Windows Server 2012 by default only selects critical services that are
required for the role to function. If you want to use additional components with the Web Server
(IIS) role, such as Windows Authentication, you must select and install that component as a role
service.

Windows Server 2012 supports the roles described in the following table.

Role Function

Active Directory Certificate Services Enables the deployment of certification authorities and related
role services.

AD DS Centralized store of information about network objects
including user and computer accounts. Used for
authentication and authorization.

AD FS Provides web single sign-on (SSO) and secured identity
federation support.

Active Directory Lightweight Supports storage of application specific data for directory-
Directory Services (AD LDS) aware applications that do not require the full infrastructure of
AD DS.

Active Directory Rights Management Enables you to prevent unauthorized access to sensitive
Services (AD RMS) documents by applying rights management policies.

Application Server Supports centralized management and hosting of high-
performance distributed business applications, such as those
built with the .NET Framework 4.5 and Enterprise Services.

DHCP Server Provisions client computers on the network with temporary IP
addresses.

DNS Server Provides name resolution for TCP/IP networks.

Fax Server Supports sending and receiving of faxes. Also enables you to
manage fax resource on the network.

File and Storage Services Supports the storage of management of shared folders,
Distributed File System, and network storage.

Hyper-V Enables you to host virtual machines on computers running


Windows Server 2012.

Network Policy and Access Services Authorization infrastructure for remote connections, including
Health Registration Authority for Network Access Protection.

Print and Document Services Supports centralized management of document tasks,


including network scanners and networked printers.

Remote Access Supports Seamless Connectivity, Always On, Always Managed


features based on DirectAccess. Also supports Remote Access
through VPN and dial-up.

Remote Desktop Services Supports access to virtual desktops, session-based desktops,


and RemoteApp programs.

Volume Activation Services New to Windows Server 2012. Enables you to automate and
simplify the management of volume license keys and volume
key activation. Also enables you to manage a Key
Management Service host or configure AD DS-based
activation for computers that are members of the domain.

Web Server (IIS) The Windows Server 2012 web server component.

Windows Deployment Services Enables you to deploy server operating systems to clients over
the network.

Windows Server Update Services Provides a method of deploying updates for Microsoft
products to computers on the network.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s
configuration, such as firewall settings, to support the role. When you deploy a role, Windows Server 2012
automatically deploys role dependencies at the same time. For example, when you install the Windows
Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components that are
required to support the Web Server role.

You add and remove roles using the Add Roles and Features Wizard, available from the Server Manager
console. You can also add and remove roles using the Install-WindowsFeature and Remove-
WindowsFeature Windows PowerShell cmdlets.
Demonstration: Installing and Optimizing Server Roles in
Windows Server 2012
In this demonstration you will see how to install and optimize a server role in Windows Server 2012.

Demonstration Steps
1. Use the Add Roles and Features Wizard to add the Application Server role to LON-DC1.

2. View App Server Performance.

3. View DHCP BPA results.

Configuring Server Core in Windows Server 2012
You must perform several aspects of post-installation configuration of Server Core operating
systems from the command-line. You can perform most post-installation configuration tasks using
the menu-driven command prompt utility sconfig.cmd. By using this utility, you minimize the
possibility of the Administrator making syntax errors when using more complex command-line
utilities. You can use sconfig.cmd to perform the following tasks:

• Configure Domain and Workgroup information

• Configure the computer’s name

• Add local Administrator accounts

• Configure Remote Management

• Enable Windows Update

• Download and install updates

• Enable Remote Desktop

• Configure Network Address information

• Set the date and time

• Perform Windows Activation

• Enable the Graphic User Interface

• Log off

• Restart the server

• Shut down the server

Configure IP Address Information
You can configure the IP address and DNS information by using sconfig.cmd or netsh.exe. To configure
IP address information by using sconfig.cmd, perform the following steps:

1. Run sconfig.cmd from the command-line.

2. Select option 8 to configure Network Settings.

3. Select the index number of the network adapter to which you want to assign an IP address.

4. In the Network Adapter Settings area, select between one of the following options:

o Set Network Adapter Address

o Set DNS Servers

o Clear DNS Server Settings

o Return to Main Menu

Change Server Name


You can change the server name using the netdom command with the renamecomputer option. For
example, to rename a computer to Melbourne, type the following command:

Netdom renamecomputer %computername% /newname:Melbourne

You can change a server name using sconfig.cmd by performing the following steps:

1. Run sconfig.cmd from the command-line.


2. Select option 2 to configure the computer name.

3. Type the new computer name and then press Enter.

You must restart a server for the configuration change to take effect.

Joining the Domain


You can join a Server Core computer to a domain using the netdom command with the join option. For
example, to join the adatum.com domain using the Administrator account, and to be prompted for a
password, issue the command:

Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*

To join a server core computer to the domain using sconfig.cmd, perform the following steps:

1. Run sconfig.cmd from the command-line.


2. Select option 1 to configure Domain/Workgroup.

3. Type D and press Enter to select the Domain option.

4. Type the name of the domain to which you want to join the computer.
5. Provide the details of an account authorized to join the domain in domain\username format.

6. Type the password associated with that account.

To complete a domain join operation you must restart the computer.

Note: Before joining the domain, verify that you can ping the DNS server by host name.
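The following is an added example, not part of the course, that performs the post-installation tasks listed in the Post-Installation Tasks topic and the Server Core steps above with Windows PowerShell 3.0 cmdlets instead of sconfig.cmd and netdom: static IP address, DNS client settings, time zone, Remote Desktop, the DNS reachability check the note recommends, and finally the rename and domain join. The adapter alias, addresses, new computer name and domain controller host name are assumptions; the domain adatum.com is the one used in the course.

```powershell
# Added example, not from the course. Post-installation configuration of a
# Server Core host. All names and addresses below are assumptions.
$NewName      = 'LON-SVR9'
$IfAlias      = 'Ethernet'        # run Get-NetAdapter to find the real alias
$IPAddress    = '172.16.0.9'
$PrefixLength = 24                # equals subnet mask 255.255.255.0
$Gateway      = '172.16.0.1'
$DnsServer    = '172.16.0.10'     # assumed: the domain controller
$Domain       = 'adatum.com'      # domain used in the course
$DcHostName   = "lon-dc1.$Domain" # assumed DC host name for the DNS check

# 1. Configure the IP address: switch the adapter from DHCP to a static address.
Set-NetIPInterface -InterfaceAlias $IfAlias -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $DnsServer

# 2. Configure the time zone (tzutil.exe is present on Server Core).
tzutil.exe /s 'GMT Standard Time'

# 3. Enable Remote Desktop and its firewall rule group, and require
#    network-level authentication for incoming sessions.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Verify that the DNS server can be reached by host name before joining,
#    which is what the note above recommends.
if (-not (Test-Connection -ComputerName $DcHostName -Count 2 -Quiet)) {
    throw "Cannot reach $DcHostName by name; fix DNS before joining the domain."
}

# 5. Rename and join in one step. Get-Credential prompts for the join account,
#    so the password never appears on the command line or in the history.
$cred = Get-Credential -Message "Account authorized to join $Domain"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

Add-Computer with -NewName replaces the separate netdom renamecomputer and netdom join steps and needs only one restart. Prompting for the credential rather than passing it on the command line keeps the join account's password out of the console history and any script that is later copied around.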

Add Roles and Features Using Windows PowerShell


You can add and remove roles and features to a computer running the Server Core installation option by
using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows
PowerShell cmdlets. These cmdlets are available after you load the Server Manager module.
For example, you can view a list of roles and features that are installed by executing the following
Windows PowerShell command:

Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}

You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to
install the Network Load Balancing feature, execute the command:

Install-WindowsFeature NLB

Not all features are directly available for installation on a computer running the Server Core operating
system. You can determine which features are not directly available for installation by running the
following command:

Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}

You can add a role or feature that is not available for installation by using the -Source parameter of the
Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation
image that includes the full version of Windows Server 2012. You can mount an installation image using
the DISM.exe command prompt utility.

Switching Between Server Core, Full, and Minimal Server Interface Options
Windows Server 2012 offers the option of switching between Server Core and the full
installation. When you install Server Core, the necessary components to convert to the full
version are not installed. You can install these if you have access to a mounted image of the full
version of the Windows Server 2012 installation files.

You can switch from Server Core to the graphical version of Windows Server 2012 by running the
following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted
image that hosts the full version of the Windows Server 2012 installation files:

Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount

This gives you the option of performing administrative tasks using the graphical tools. You can also add
the graphical tools using the sconfig.cmd menu-driven command prompt utility.
After you have performed the necessary administrative tasks, you can return the computer to its original
Server Core configuration. You can switch a computer that has the graphical version of Windows Server
2012 to Server Core by removing the following features:

• Graphical Management Tools and Infrastructure

• Server Graphical Shell

The Minimal Server interface differs from Server Core because it has all components available and does
not require you to provide access to a mounted directory that contains the full version of the Windows
Server 2012 installation files. You can use the Install-WindowsFeature command without specifying a
source location when you convert the Minimal Server interface to the full installation of Windows Server
2012. The advantage of the Server Core installation option over Minimal Server is that, even though they
look similar, Server Core requires a smaller amount of hard disk space as it does not have all components
available for installation.
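The following added example (not from the course) puts the feature-state material above into working Windows PowerShell: it lists the features that are in the Removed state (the same query as the earlier Server Core note), installs a feature whose payload has been removed by mounting the full installation image with DISM and passing the mount to -Source, and reports which of the three interface levels (Server Core, Minimal Server Interface, full installation) a host is running, using the feature names that Get-WindowsFeature reports for the GUI components. The installation media path, WIM image index and mount root are assumptions; c:\mount is the mount root used in the course text.

```powershell
# Added example, not from the course. Feature inventory, installation from a
# mounted image, and interface-level detection on Windows Server 2012.
Import-Module ServerManager

function Get-RemovedFeatures {
    # Features that cannot be installed on this host without an installation
    # source; the InstallState value is quoted so it is compared as a string.
    Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Removed' } |
        Select-Object Name, DisplayName
}

function Install-FeatureFromImage {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$WimFile  = 'D:\sources\install.wim',  # assumed installation media
        [int]$Index       = 4,                          # assumed: full-GUI image in the WIM
        [string]$MountDir = 'C:\mount'                  # mount root used in the course
    )
    $feature = Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue
    if (-not $feature) { throw "Unknown feature '$Name'." }
    if ($feature.InstallState -ne 'Removed') {
        # Payload is already on disk (Installed or Available): no -Source needed.
        return Install-WindowsFeature -Name $Name
    }
    # Payload was removed: mount the image read-only and point -Source at its
    # component store, then unmount it whether or not the install succeeded.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    dism.exe /Mount-Wim "/WimFile:$WimFile" "/Index:$Index" "/MountDir:$MountDir" /ReadOnly
    try {
        Install-WindowsFeature -Name $Name -Source "$MountDir\windows\winsxs"
    } finally {
        dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    }
}

function Get-ServerInterfaceLevel {
    # Distinguishes the interface levels by the state of the two GUI features.
    $mgmt  = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra
    $shell = Get-WindowsFeature -Name Server-Gui-Shell
    if ($shell.Installed) { return 'Full installation' }
    if ($mgmt.Installed)  { return 'Minimal Server Interface' }
    if ($mgmt.InstallState -eq 'Removed') {
        return 'Server Core (payload removed, -Source required to add the GUI)'
    }
    return 'Server Core with Management (payload available, no source required)'
}

function ConvertTo-ServerCore {
    # Uninstall-WindowsFeature leaves the payload on disk in the Available
    # state, so the host can be converted back later without a source.
    Uninstall-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Restart
}

Get-RemovedFeatures
Get-ServerInterfaceLevel
# Install-FeatureFromImage -Name NLB               # the feature used in the course text
# Install-FeatureFromImage -Name Server-Gui-Shell  # adds the full GUI, from the image if Removed
```

Server-Gui-Mgmt-Infra and Server-Gui-Shell are the feature names behind the two entries listed above ("Graphical Management Tools and Infrastructure" and "Server Graphical Shell"); both are subfeatures of User-Interfaces-Infra, which is why the course's -IncludeAllSubFeature command installs them together.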

Configuring Networking and Network Interface Teaming
Configuring the network involves setting or verifying the server’s IP address configuration. By
default, a newly-deployed server tries to obtain IP address information from a DHCP server. You can
view a server’s IP address configuration by clicking the Local Server node in Server Manager.

If the server has an IPv4 address in the Automatic Private Internet Protocol Addressing (APIPA) range
of 169.254.0.1 to 169.254.255.254, the server has not been configured with an IP address from a
DHCP server. This may be because a DHCP server has not been configured on the network, or
because there is a problem with the network infrastructure that blocks the adapter from receiving an
address.

Note: If you are using a purely IPv6 network, an IPv4 address in this range is not a problem,
and IPv6 address information is still configured automatically. You will learn more about
implementing IPv6 in Module 8, “Implementing IPv6.”

Configuration Using Server Manager
To manually configure IP address information for a server, perform the following steps:

1. In the Server Manager console, click the address next to the network adapter that you want to
configure. This will open the Network Connections window.

2. Right-click the network adapter that you want to configure an address for, and then click Properties.

3. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.

4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IPv4
address information, and then click OK, and then click OK again:

o IP address

o Subnet Mask

o Default Gateway

o Preferred DNS server

o Alternative DNS server


Command-Line IPv4 Address Configuration


You can manually set IPv4 address information from an elevated command prompt by using the
netsh.exe command from the interface ipv4 context. For example, to configure the adapter named Local
Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following
command:

Netsh interface ipv4 set address “Local Area Connection” static 10.10.10.10 255.255.255.0

You can use the same context of the netsh.exe command to configure DNS configuration. For example, to
configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as
the primary DNS server, type the following command:

Netsh interface ipv4 set dnsservers “Local Area Connection” static 10.10.10.5 primary

Network Card Teaming


Network Card Teaming is a new feature in Windows Server 2012. With Network Card Teaming you
can increase the availability of a network resource. When you configure Network Card Teaming, a
computer uses one network address for multiple cards. If one of the cards fails, the computer continues
communicating with other hosts on the network that are using that shared address. This enables you to
provide hardware redundancy for a server's network cards. Network Card Teaming does not require that
the network cards be the same model or use the same driver.

Windows Server 2012 supports up to 32 network adapters in a team. When a computer has separate
network adapters that are not part of a team, incoming and outgoing traffic may not be balanced across
those adapters. Network Card Teaming also provides bandwidth aggregation, ensuring that traffic is
balanced across network interfaces as a way to increase effective bandwidth.

To team network cards, perform the following steps:

1. Ensure that the server has more than one network adapter.

2. In Server Manager, click the Local Server node.

3. Click Disabled next to Network Adapter Teaming. This opens the NIC Teaming dialog box.
4. In the NIC Teaming dialog box, press the Ctrl key, and then click each network adapter that you
want to add to the team.

5. Right-click these selected network adapters, and then click Add to New Team.
6. In the New Team dialog box, enter a name for the team, and then click OK.
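The PowerShell equivalent of the Server Manager steps above, using the NetLbfo cmdlets that Windows Server 2012 installs with the teaming feature. This is an added example, not part of the course text; the team name and the member adapter names are assumptions. It checks that there really are two connected physical adapters before creating the team, and then verifies that every member is active.

```powershell
# Added example: create and verify a NIC team with the NetLbfo cmdlets.
# Team and adapter names are assumptions for this example. Run from an elevated prompt.
$TeamName = "LAN-Team"
$Members  = "Ethernet", "Ethernet 2"

# Teaming only makes sense with two or more physical adapters that are connected.
$Physical = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq "Up" })
if ($Physical.Count -lt 2) {
    throw "Need at least two connected physical adapters; found $($Physical.Count)."
}

# SwitchIndependent needs no switch configuration. Use Lacp or Static only when the
# switch ports are configured to match, otherwise the team members stop passing traffic.
New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# Verify that the team is Up and that every member is Active rather than Failed.
Get-NetLbfoTeam -Name $TeamName |
    Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-NetLbfoTeamMember -Team $TeamName |
    Select-Object Name, AdministrativeMode, OperationalStatus

# The team exposes one virtual adapter; the IP address (static or DHCP) belongs on it,
# not on the individual member adapters.
Get-NetLbfoTeamNic -Team $TeamName | Select-Object Name, Primary, VlanID
```

After the team exists, apply the address configuration from the previous topic to the team interface shown by Get-NetLbfoTeamNic; any address still bound to a member adapter is lost when that adapter joins the team.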

Lesson 3
Configuring Remote Management for Windows Server 2012 Servers
When you want to perform an administration task, it is more efficient to manage multiple servers from
a single console than to connect to each server separately. You should spend time ensuring that newly
deployed servers are configured so that you can manage them centrally. This enables you to spend more
time at your desk administering those servers, instead of having to trek into the datacenter to start a
direct connection.

Lesson Objectives
After completing this lesson you will be able to:

• Describe the different Windows Server 2012 remote management technologies.

• Configure Windows Server 2012 to support Remote Management.

• Collect servers into Server Groups.

• Deploy roles and features remotely.

What Is Remote Management?
With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote
management tools to remotely manage a computer. Remote Shell enables you to run command-line
utilities against correctly configured remote servers as long as the command prompt utility is present on
the remote server. Remote Windows PowerShell lets you run Windows PowerShell commands or scripts
against correctly configured remote servers when the script is hosted on the local server. Remote Windows
PowerShell also lets you load Windows PowerShell modules, such as Server Manager, locally and execute
the cmdlets available in that module against suitably configured remote servers. Remote Management is
enabled by default on computers running Windows Server 2012.

You can enable and disable Remote Management from Server Manager by clicking the text next to the
Remote Management item when you have the Local Server node selected in the Server Manager console.

To enable remote management from the command line, type the command WinRM qc. The "qc" is an
abbreviation of Quick Configuration. This command only enables Remote Management; to disable it again,
use the same Remote Management item in Server Manager.

To disable remote management on a computer running the Server Core installation option, use
sconfig.cmd.

Remote Desktop is still a necessary Windows Server 2012 remote management technology because
some environments have not upgraded their administrators' workstations from Windows® XP and other
environments may have Windows Server 2012 deployed even when the users in those environments
primarily use third-party operating systems. You can configure Remote Desktop on a computer running
the full version of Windows Server 2012 by performing the following steps:

1. In the Server Manager console, click the Local Server node.

2. Click Disabled next to Remote Desktop.

3. On the Remote tab of the System Properties dialog box, select one of the following
   options:

   o Don't allow connections to this computer. The default state; Remote Desktop is disabled.

   o Allow connections from computers running any version of Remote Desktop. Enables
     connections from Remote Desktop clients that do not support Network Level Authentication.

   o Allow connections only from computers running Remote Desktop with Network Level
     Authentication. Enables secure connections from computers running Remote Desktop clients
     that support Network Level Authentication. Prefer this option: the client must authenticate
     before a session is created, which keeps unauthenticated users off the logon screen and
     reduces the attack surface of the listener.

You can enable and disable Remote Desktop on computers running the Server Core installation option by
using the sconfig.cmd menu-driven command prompt utility.
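The same configuration from Windows PowerShell, as an added example that is not part of the course text. It sets the two registry values behind the System Properties choices (allow connections, require Network Level Authentication), opens the built-in Remote Desktop firewall rule group, and verifies the result, which also works on Server Core where the dialog box is not available. The 172.16.0.0/16 management subnet used to scope the rule is an assumption.

```powershell
# Added example: enable Remote Desktop and require Network Level Authentication from
# PowerShell (registry and firewall equivalent of the System Properties dialog box).
# Run from an elevated prompt. The management subnet is an assumption for this example.
$TsKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 allows connections; UserAuthentication = 1 requires NLA, so the
# client authenticates before a session and logon screen are created for it.
Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# Enable the built-in "Remote Desktop" rule group rather than writing a custom TCP 3389
# rule, and restrict it to the management subnet so the listener is not reachable from
# every address the domain profile covers.
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress 172.16.0.0/16

# Verify: fDenyTSConnections should be 0, UserAuthentication 1, and the rules enabled.
Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections | Select-Object fDenyTSConnections
Get-ItemProperty -Path $RdpKey -Name UserAuthentication | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object Name, Enabled, Profile
```

Setting UserAuthentication back to 0 reproduces the "any version of Remote Desktop" option; leave it at 1 unless a specific legacy client cannot perform NLA, and record the exception.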

How Remote Management Works In Windows Server 2012
Windows Remote Management (WinRM) is a collection of technologies that enables administrators to
manage server hardware when logged on directly or over the network. Windows Server 2012 uses WinRM
to enable management of multiple computers concurrently through a single Server Manager console.
Windows Remote Management includes the following components:

• WS-Management protocol. A SOAP-based firewall-aware protocol that enables computers to exchange
  management information. SOAP uses XML messages when transmitting information.

• WinRM Scripting API. This scripting API enables systems to obtain data from remote computers
  through WS-Management protocol operations.

• Winrm.cmd. Command-line systems management tool that enables you to configure WinRM. For
  example, you can use this tool to enable Windows Remote Management on a server.

• Winrs.exe. Tool that enables you to execute most cmd.exe commands on remote servers.

For example, to obtain the IP address information and list of running tasks on server LON-SVR1, issue the
command (the two commands are quoted and joined with && so that the remote cmd.exe runs both):

winrs -r:lon-svr1 "ipconfig && tasklist"

Note: You can learn more about Windows Remote Management at:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx.

You can enable Windows Remote Management by issuing the following command:

Winrm qc

Running this command does the following:

1. Configures the WinRM service with the Automatic startup type.

2. Starts the WinRM service.

3. Configures a listener that accepts WinRM requests over HTTP (TCP port 5985) on any IP address.

4. Creates a firewall exception for WS-Management traffic using the HTTP protocol.

If you do not know whether a server is configured for Windows Remote Management, you can run the
following command to obtain Windows Remote Management configuration information:

Winrm get winrm/config

Additional Reading: You can learn more about configuring Windows Remote
Management by reading the following Performance Team post: http://blogs.technet.com/b
/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx.

You can use Remote Windows PowerShell to run commands against a correctly configured remote server.
There are several methods that you can use to accomplish this. You can use the Invoke-Command
cmdlet to run a command or a script. For example, to view the list of installed roles and features on
LON-SVR1 and LON-SVR2 when the ServerManager module is loaded and both are configured for
Windows Remote Management, issue the command:

Invoke-Command -ComputerName LON-SVR1, LON-SVR2 -ScriptBlock {Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}}

You can also start a remote Windows PowerShell session by using the Enter-PSSession cmdlet. To end
the session, run the Exit-PSSession cmdlet. For example, to start a remote Windows PowerShell session to
LON-SVR1, issue the command:

Enter-PSSession -computername LON-SVR1

Additional Reading: You can learn more about Remote Windows PowerShell at:
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx.
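An added example, not part of the course text, that checks what winrm qc leaves behind on a server and tightens the parts a practitioner normally tightens before fanning commands out with Invoke-Command: the listener scope, the firewall rule's source addresses, and the client TrustedHosts list. The server names LON-SVR1 and LON-SVR2 come from the text; the 172.16.0.0/16 management subnet is an assumption.

```powershell
# Added example: verify and harden the WinRM configuration that "winrm qc" creates, then
# run one query across several servers. Run from an elevated prompt on the management host.
# The management subnet is an assumption for this example.
$Servers = "LON-SVR1", "LON-SVR2"

# 1. Listener: qc creates an HTTP listener on every address (TCP 5985). Inside a domain the
#    messages are still protected by Kerberos encryption, but the listener is reachable from
#    any source the firewall admits. List address, transport and port for each listener.
Get-ChildItem WSMan:\localhost\Listener |
    ForEach-Object { Get-ChildItem $_.PSPath | Select-Object Name, Value }

# 2. Firewall: scope the WS-Management rules to the management subnet and domain profile
#    instead of any source address. (Display group name as shown by Get-NetFirewallRule.)
Get-NetFirewallRule -DisplayGroup "Windows Remote Management" -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress 172.16.0.0/16 -Profile Domain

# 3. TrustedHosts: "*" lets this client send credentials to any host name, so it should be
#    empty on domain-joined administration hosts where Kerberos authenticates the server.
$Trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($Trusted -eq "*") {
    Write-Warning "TrustedHosts is '*'; clear it with Clear-Item WSMan:\localhost\Client\TrustedHosts"
}

# 4. Reachability: Test-WSMan talks to the listener without running any code, so it separates
#    "WinRM is not listening" from "the command failed" when Invoke-Command reports an error.
$Reachable = foreach ($s in $Servers) {
    try   { Test-WSMan -ComputerName $s -Authentication Default -ErrorAction Stop | Out-Null; $s }
    catch { Write-Warning "$s : $($_.Exception.Message)" }
}
if (-not $Reachable) { throw "No server accepted a WS-Management connection." }

# 5. Fan out one query; PSComputerName on each result row identifies the originating server.
Invoke-Command -ComputerName $Reachable -ScriptBlock {
    Get-WindowsFeature | Where-Object { $_.InstallState -eq "Installed" } |
        Select-Object Name, DisplayName
} | Sort-Object PSComputerName, Name | Format-Table PSComputerName, Name, DisplayName -AutoSize
```

Step 2 is deliberately narrower than the rule winrm qc creates; if an administration host sits outside the chosen subnet, add its address to the RemoteAddress list rather than reverting the rule to Any.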

Demonstration: Configuring Servers for Remote Management


In this demonstration you will disable and enable Remote Management from Server Manager.

Demonstration Steps
1. Use Server Manager on LON-DC1 to disable Remote Management.

2. Use the winrm qc command from a Windows PowerShell prompt to re-enable remote management
on LON-DC1.

3. Use Server Manager to verify that Remote Management is re-enabled.



Managing Server Groups in Server Manager
Server Manager in Windows Server 2012 automatically groups servers by role. This enables you to perform
role-based tasks across all servers that host that role in the organization. For example, rather than
connecting to each DNS server in the domain to perform a particular task, you can select the DNS node,
select all servers that host DNS that you want to perform the task on, and then perform the task against
that selection of servers.

A benefit to administrators is that servers in your organization are automatically grouped by role.
For example, all servers that host the IIS or NAP roles are automatically grouped under the category
nodes for those roles in the Server Manager console.

You can also use the Server Manager console to create custom server groups. A custom server group is a
user-defined group of servers rather than a group of servers that share a specific role.

Demonstration: Managing Remote Servers by Using Server Manager
In this demonstration you will see how to create a server group. You will then perform a remote
management task on both servers that are members of the group using a single action.

Demonstration Steps
1. On LON-DC1, use Server Manager to create a server group named LONDON-GROUP that has
   LON-DC1 and LON-SVR5 as members.

2. Use the group node as a method of starting the performance counters on both servers using the one
   action, rather than enabling performance counters on each server individually.

3. Use the Manageability column to verify that both LON-DC1 and LON-SVR5 are listed as Online.

Lab: Installing and Configuring Servers Based on Windows Server 2012
Scenario
A. Datum is an engineering and manufacturing company. The organization is based in London, England.
The organization is quickly expanding the London location as well as internationally. Because the
company has expanded, some business requirements are changing as well. To address some business
requirements, A. Datum has decided to deploy Windows Server 2012 on an existing network populated
with servers running the Windows Server 2008 and Windows Server 2008 R2 operating systems.

As one of the experienced Windows Server 2008 administrators, you are responsible for implementing
many of the new features on Windows Server 2012. To become familiar with the new operating system,
you plan to install a new Windows Server 2012 server running the Server Core version and complete the
initial configuration tasks. You also plan to configure and explore the remote management features that
are available in Windows Server 2012.

Objectives
• Install Windows Server 2012 server core.
• Configure a Windows Server 2012 server core.

• Configure remote management for Windows Server 2012 Servers.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR5

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

Exercise 1: Install Windows Server 2012 Server Core


Scenario
After having problems effectively deploying and configuring the Server Core version of Windows Server
2008, A. Datum is interested in using the Server Core installation of Windows Server 2012 when possible
because of the reduced hardware footprint and minimized update requirements. To become familiar with
the new operating system, you plan to install and configure a new Windows Server 2012 server running
the Server Core version as a way to determine whether the product is more easily managed than the
earlier version.

The main tasks in this exercise are:

1. Install Windows Server 2012.


2. Convert a Windows Server 2012 server core installation to a full installation.

3. Convert a Windows Server 2012 full installation to a server core installation.

X Task 1: Install Windows Server 2012


1. In the Hyper-V Manager console, open the settings for 20417A-LON-SVR5.
2. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This
file is located at C:\Program Files\Microsoft Learning\20417\Drives.

3. Start 20417A-LON-SVR5. On the Windows Server 2012 page of the Windows Setup Wizard, verify
the following settings, click Next, and then click Install Now:

o Language to install: English (United States)

o Time and currency format: English (United States)


o Keyboard or input method: US

4. Select to install the Windows Server 2012 Release Candidate Datacenter (Server Core
Installation) operating system.
5. Accept the license terms and then select Custom: Install Windows Only (Advanced).

6. Install Windows Server 2012 on Drive 0.

o Depending on the speed of the host computer, the installation will take approximately 20
minutes.

o The virtual machine will restart several times during this process.

7. On the log on page, click OK and then enter Pa$$w0rd in both the Password and Confirm
password boxes.

8. Click OK to complete the installation and log on.

X Task 2: Convert a Windows Server 2012 Server Core Installation to a Full Installation
1. On LON-SVR5 at the command prompt type:

mkdir c:\mount

2. Issue the following command and press Enter:

dism.exe /mount-image /ImageFile:d:\sources\install.wim /Index:4 /Mountdir:c:\mount /readonly

3. Start Windows PowerShell by typing the following command:

PowerShell.exe

4. From Windows PowerShell issue the following commands, pressing Enter after each:

Import-Module ServerManager

Install-WindowsFeature -IncludeAllSubfeature User-Interfaces-Infra -Source:c:\mount\windows

5. When prompted, restart the server and then log on as Administrator with the password of
Pa$$w0rd to verify the presence of the full GUI components.

X Task 3: Convert a Windows Server 2012 Full Installation to a Server Core Installation
1. Log on to LON-SVR5 and attempt to start Internet Explorer.

2. Start Windows PowerShell and issue the following commands:

Import-Module ServerManager

Uninstall-WindowsFeature User-Interfaces-Infra

Shutdown /r /t 5

3. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
   configured to use the Server Core configuration.

Exercise 2: Configure a Computer Running a Server Core Installation of Windows Server 2012
Scenario
After you install Server Core, you want to configure some basic network and firewall settings and join the
computer to the domain. During this initial deployment, you plan to perform these steps manually from the
command line.
The main tasks for this exercise are as follows:

1. Configure the network.

2. Add the server to the domain.

3. Configure Windows Firewall.

X Task 1: Configure the network


1. On LON-SVR5 in the command prompt, type sconfig.

2. Set the computer name LON-SVR5.


3. Restart the server as prompted and log on to LON-SVR5 as Administrator with the password of
Pa$$w0rd.

4. Use the hostname command to verify the name change.

5. Start sconfig and configure Network Settings.

6. Select the index number of the network adapter that you want to configure.

7. Set the Network Adapter Address to the following:

o IP address: 172.16.0.111.

o Subnet Mask: 255.255.0.0.

o Default gateway 172.16.0.1.

8. Set the preferred DNS server to 172.16.0.10. Do not configure an alternative DNS server address.

9. Exit sconfig and verify network connectivity to lon-dc1.adatum.com using the ping utility.

X Task 2: Add the server to the domain


1. Use sconfig to switch to configure Domain/Workgroup.

2. Join the domain adatum.com using account adatum\administrator and the password of
Pa$$w0rd.

3. Restart the server.

4. Log on to LON-SVR5 with the adatum\administrator account and a password of Pa$$w0rd.

X Task 3: Configure Windows Firewall


1. Use sconfig.cmd to Enable Remote Management.

2. At the command prompt, type PowerShell.exe.

3. Issue the following command to view the enabled Firewall rules that allow traffic:

Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow"} | Format-Table -Property DisplayName

4. Issue the following command to view all disabled Firewall rules:

Get-NetFirewallRule | Where-Object {$_.Enabled -eq "False"} | Format-Table -Property DisplayName

5. Issue the following command to view all Windows PowerShell cmdlets related to NetFirewallRule:

Get-Command -Noun NetFirewallRule

6. View the status of the Remote Desktop inbound firewall rule by issuing the following command:

Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP

7. Issue the following command to enable the Remote Desktop Inbound Firewall rule:

Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP

8. Issue the following command to verify that the Remote Desktop Inbound Firewall rule is enabled:

Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP

9. Issue the following command to disable the Remote Desktop Inbound Firewall Rule:

Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP

10. Verify that the Remote Desktop Inbound Firewall Rule is disabled.

Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
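An added example that is not part of the lab: the Get-NetFirewallRule calls above list rule names but not the ports or source addresses behind them, which is what you need to judge what a Server Core host actually exposes. This script joins every enabled inbound allow rule with its port filter and address filter and flags the rules that accept connections from any address on the Public profile. No names are assumed; it runs as-is on LON-SVR5.

```powershell
# Added example: audit the inbound rules that admit traffic, joined with their ports,
# profiles and remote-address scope. Runs on Server Core; no rule names are assumed.
$Allowed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True

$Report = foreach ($Rule in $Allowed) {
    $Port = $Rule | Get-NetFirewallPortFilter      # Protocol and LocalPort for this rule
    $Addr = $Rule | Get-NetFirewallAddressFilter   # RemoteAddress scope ("Any" = unrestricted)
    [pscustomobject]@{
        Name          = $Rule.Name
        DisplayName   = $Rule.DisplayName
        Profile       = $Rule.Profile
        Protocol      = $Port.Protocol
        LocalPort     = ($Port.LocalPort -join ",")
        RemoteAddress = ($Addr.RemoteAddress -join ",")
    }
}

# The exposure a reviewer looks for first: enabled allow rules that apply to the Public
# profile (or to all profiles) and accept connections from any remote address.
$Report | Where-Object {
    $_.RemoteAddress -eq "Any" -and ($_.Profile -eq "Any" -or $_.Profile -match "Public")
} | Sort-Object DisplayName | Format-Table DisplayName, Profile, Protocol, LocalPort -AutoSize

# Full report, for the change record.
$Report | Sort-Object Profile, DisplayName | Format-Table -AutoSize
```

Run the script before and after enabling the Remote Desktop rule in step 7 above; the difference between the two reports is exactly the change you made, which is the evidence to attach to the change record.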

Exercise 3: Configure Remote Management for Servers Running Windows Server 2012
Scenario
IT management at A. Datum expects that many servers running Windows Server 2012 will be deployed
in remote offices or as part of an online services deployment. To ensure that these servers can all be
managed from a central location, you must configure the server for remote management. You must also
verify the remote management functionality, and use Server Manager to manage multiple servers.

The main tasks for this exercise are as follows:

1. Validate the WinRM configuration.

2. Configure Server Manager for multiple server management.

3. Deploy a feature to the Server Core server.

4. Prepare for the next module.

X Task 1: Validate the WinRM configuration


1. On LON-DC1 use Server Manager to disable Remote Management.

2. Close the Server Manager console.

3. Open Windows PowerShell and issue the command winrm qc. When you are prompted, type Y and
press Enter.

4. Open the Server Manager console and verify that Remote Management is now enabled.

X Task 2: Configure Server Manager for multiple server management


1. On LON-DC1 in Server Manager, create a server group named LONDON-GROUP that has LON-DC1
and LON-SVR5 as members.

2. In the details pane, select both servers.

3. Scroll down to the Performance section, select both listed servers, right-click LON-DC1, and then
click Start Performance Counters.

4. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.

X Task 3: Deploy a feature to the Server Core server


1. In the Server Manager console on LON-DC1, click LONDON-GROUP.

2. Add the Windows Server Backup feature to LON-SVR5.

3. In Server Manager, click the Flag and verify that the remote installation of Windows Server Backup
has occurred.

X Task 4: Prepare for the next module


• When you are finished with the lab, revert the virtual machines to their initial state.

Module Review and Takeaways


Best Practices
• Unless you must have a full installation to support roles and features, deploy Server Core.

• Use Windows Remote Management to manage multiple servers from a single server using the Server
Manager console.

• Use Windows PowerShell remoting to run remote Windows PowerShell sessions rather than logging
on locally to perform the same task.

Common Issues and Troubleshooting Tips

Common Issue                                            Troubleshooting Tip

Remote management connections fail

Windows PowerShell commands not available

Cannot install GUI features on Server Core deployment

Unable to restart a computer running Server Core

Unable to join the domain

Review Question
Why is the Server Core installation the default installation option for Windows Server 2012
installations?

Real-world Issues and Scenarios


Unless a particular role requires it, consider using the Server Core installation option as your default server
deployment option. You can always install the GUI later if required.
Understand what roles and features you must deploy on a server prior to deploying that server, rather
than deploying roles and features to servers without planning.

You should plan to manage many servers from one console, rather than logging on to each server
individually.

Module 2
Monitoring and Maintaining Windows Server 2012
Contents:
Module Overview 2-1

Lesson 1: Monitoring Windows Server 2012 2-2

Lesson 2: Implementing Windows Server Backup 2-11

Lesson 3: Implementing Server and Data Recovery 2-15

Lab: Monitoring and Maintaining Windows 2012 Servers 2-19

Module Review and Takeaways 2-26

Module Overview
After you deploy Windows Server® 2012, you must ensure that it continues to run optimally by
maintaining a healthy and stable environment. As in earlier versions of Windows Server, to maintain
a healthy and stable environment, you must monitor Windows Server 2012 performance and make
adjustments as required. Additionally, you must identify your important data and create backup copies.
Finally, you must know how to restore your important data and servers by using the backup copies that
you have created.

Objectives
After completing this module, you will be able to:
• Monitor Windows Server 2012.

• Implement Windows Server Backup.

• Restore data and servers by using Windows Server Backup.



Lesson 1
Monitoring Windows Server 2012
When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the cause quickly frequently depends on having an
effective performance monitoring methodology and tool set.

You can use performance-monitoring tools to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers. In addition to monitoring system performance, Windows Server 2012 provides tools for
resource management. In this lesson, you will learn about tools in Windows Server 2012 that you can use
for performance and resource monitoring and management.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the reasons for monitoring servers.

• Describe the typical performance bottlenecks.

• Describe the tools for monitoring in Windows Server 2012.

• Create data collector sets.

• Describe the most common performance counters.

• Describe the use of alerts.

• Describe the use of event subscriptions.

• Configure event subscriptions.

• Describe how to monitor a network.

Reasons for Monitoring Servers
Monitoring servers provides several benefits, and you might monitor a Windows-based server for
several reasons. Some reasons include:

• To monitor the health of the IT infrastructure.

• To monitor service-level agreements (SLAs).

• To plan for future requirements.

• To identify issues.

IT Infrastructure Health
The effective operation of the server infrastructure is frequently critical to your organization's
business goals.

The key factors in maintaining the consistency of server operation include correctly functioning and
configured hardware, and sufficient use and assignment of resources.
Using performance-monitoring tools, you can record performance statistics that you can use to determine
when a server is slower at responding to user requests, instead of relying on user perception of slow and
fast response times. You can use these statistics to determine which component or components of the
server infrastructure may be the source of performance-related issues.

SLA Monitoring
Many organizations maintain SLAs that dictate the required availability for servers and server-hosted
applications. These SLAs may contain stipulations about server availability (for example, the LON-DC1
server must be available 99.995 percent of business hours), or they may specify performance-related
requirements (for example, the average query time for this database server must be less than five seconds
for any given day).
Frequently, violation of an SLA results in reduction of payment for services or similar penalties. Therefore,
you want to ensure that the SLAs imposed upon your environment are met on a continuing basis.

You can use performance-monitoring tools to monitor the specific areas related to your SLAs and help
you identify issues that could affect your SLA before they become a problem.

Planning for Future Requirements
The business and technical needs of your organization are subject to change. New initiatives may require
new servers to host new applications or increased storage within your environment. Monitoring these
areas over time enables you to assess effectively how the server resources are being used currently. Then,
you can make an informed decision on how the server environment has to grow or change to meet future
requirements.

Identifying Issues
Troubleshooting problems that arise in the server environment can be tedious. Issues that affect users
have to be resolved as quickly as possible and with minimal effect on the business needs of your
organization.

Troubleshooting an issue only on the symptoms provided by users or anecdotal evidence frequently leads
to misdiagnosis and wasted time and resources. Monitoring the server environment lets you take a more
informed and proactive approach to troubleshooting. When you have an effective monitoring solution
implemented, you can identify issues within your infrastructure before they cause a problem for the end
users. You can also have more concrete evidence of reported issues and narrow the cause of problems,
saving you investigative time.

Question: List four troubleshooting procedures that would benefit from server monitoring.

Typical Performance Bottlenecks
Analysis of your monitoring data can reveal problems such as excessive demand on certain
hardware resources that result in bottlenecks.

Causes of Bottlenecks
Demand on certain hardware resources may become extreme enough to cause resource
bottlenecks for the following reasons:
• The resources are insufficient, and additional or upgraded components are required.

• The resources are not sharing workloads evenly and have to be balanced.

• A resource is malfunctioning and has to be replaced.

• A program is monopolizing a particular resource. This might require substituting another program,
having a developer rewrite the program, adding or upgrading resources, or running the program
during periods of low demand.

• A resource is configured incorrectly and configuration settings have to be changed.

• A security issue, such as a virus or a Denial of Service attack, can be the reason for a bottleneck.

By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune the servers to overcome initial limitations. The following table lists suggestions
for improving performance on various types of hardware.

Hardware     Suggestion

Processors   You may be able to overcome performance bottlenecks that occur with
             processors by:
             • Adding processors.
             • Increasing the speed of processors.
             • Reducing or controlling processor affinity, or the number of processor cores an
               application uses. Limiting an application to only some processor cores frees the
               remaining cores for other applications to use.

Disks        You may be able to increase disk performance by:
             • Adding faster disks.
             • Performing routine maintenance tasks such as defragmenting.
             • Moving data, applications, and the page files onto separate disks.

Memory       You can improve memory bottlenecks by adding additional physical memory. If
             the memory requested exceeds the physical memory, information will be written
             to virtual memory, which is slower than physical memory.
             However, increasing a computer's virtual memory could enable applications that
             consume a large amount of memory to run on a computer that has limited
             physical memory.
             Or, you can reduce the load on the server by reducing the number of users on
             the server or through application tuning.

Networks     You can reduce network bottlenecks by:
             • Upgrading network infrastructure, including network adapters to support
               increased network bandwidth.
             • Installing multiple network adapters in a server to distribute network load.
             • Reducing the traffic.
             You should consider the limitations of network bandwidth and segment networks,
             where appropriate. You can increase network throughput by tuning the network
             adapter and other network devices such as switches, firewalls, and routers.

Tools for Monitoring in Windows Server 2012
Several tools are available to help you in monitoring the server environment, both historical
and real time. The following is a list of tools to help you in monitoring the server environment.

Tool                  Description

Event Viewer          Event Viewer collects information that relates to server operations. This
                      information can help identify performance issues on a server. You
                      should search for specific events in the event log file to locate and
                      identify problems.

Task Manager          Task Manager helps you monitor the real-time aspects of the server.
                      You can view information related to hardware performance and the
                      applications and processes that are currently running on the server.

Resource Monitor      Resource Monitor helps you to look deeper into the real-time
                      performance of the server. It provides performance information related
                      to the CPU, memory, hard disk, and network components of the server.

Performance Monitor   Performance Monitor is the most robust monitoring tool in Windows
                      Server 2012. It enables both real-time and historical monitoring of the
                      server's performance and configuration data.

Reliability Monitor   Reliability Monitor provides a historical view of the server's reliability-
                      related information such as event log errors and warnings.

Demonstration: Creating Data Collector Sets
A data collector set is a custom set of performance counters, event traces, and system configuration data.

A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets, incorporate it into logs, or view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds.

You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour during your working hours to create a performance baseline. You can also set the data collector to restart when set limits are reached, so that a separate file is created for each interval.

After you have created a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run the set and view the results.

In this demonstration, you will create a data collector set.

Demonstration Steps

Create a new data collector set named Windows Server Monitoring
1. On LON-SVR1, open Performance Monitor, and create a data collector set named Windows Server Monitoring.
2. Configure the data collector set to include the performance counter data logs for Processor\% Processor Time, Memory\Available MBytes, and LogicalDisk\% Free Space.

Verify that the data collector set works correctly
1. Start the Windows Server Monitoring data collector set, and let it run for one minute.
2. Stop the Windows Server Monitoring data collector set, and then review the latest report.
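The same demonstration from the command line, as an added example that is not part of the course material: logman.exe builds the Windows Server Monitoring data collector set with the three counters, limits it to one run of one minute, rolls to a new log file when the size limit is reached (the "restart when set limits are reached" behaviour described above), and Import-Counter then summarizes the log it produced. The script assumes it runs elevated on LON-SVR1 and that the output folder C:\PerfLogs exists; the folder name WSM, the 15-second interval and the 50 MB limit are choices made for the example.

```powershell
# Added example (not course material): create, run and read back the
# "Windows Server Monitoring" data collector set with logman.exe.
$name     = 'Windows Server Monitoring'
$outDir   = 'C:\PerfLogs\WSM'                  # assumption: C:\PerfLogs exists
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\% Free Space'
)

# Remove a stale set of the same name so the script can be re-run.
logman query $name *> $null
if ($LASTEXITCODE -eq 0) { logman delete $name | Out-Null }

# -si  sample every 15 s        -f bin  write a .blg Performance Monitor can open
# -max 50 + -cnf  start a new file once 50 MB is reached (one file per interval)
# -rf  run for one minute, then stop on its own (the demonstration's "one minute")
logman create counter $name -c $counters -si 00:00:15 -f bin -o "$outDir\WSM" -max 50 -rf 00:01:00 -cnf | Out-Null

logman start $name | Out-Null
Start-Sleep -Seconds 70                        # wait for the one-minute run to finish
logman stop $name *> $null                     # no-op if -rf already stopped it

# "Review the latest report": load the newest log and summarize each counter.
$blg = Get-ChildItem $outDir -Filter *.blg | Sort-Object LastWriteTime | Select-Object -Last 1
Import-Counter -Path $blg.FullName |
    Select-Object -ExpandProperty CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object CookedValue -Average -Minimum -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Samples = $_.Count
            Avg     = [math]::Round($stats.Average, 1)
            Min     = [math]::Round($stats.Minimum, 1)
            Max     = [math]::Round($stats.Maximum, 1)
        }
    } | Format-Table -AutoSize
```

The .blg files under C:\PerfLogs\WSM open directly in Performance Monitor, so the scripted set and the one built in the wizard are interchangeable; a set created this way also appears under Data Collector Sets, User Defined, in the console.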

Most Common Performance Counters
Specific server roles install a range of performance objects and associated counters. The common performance counters include:

• Cache counters. These counters monitor the file system cache. The cache is an area of physical memory that is used to store recently used data, to enable access to the data without having to read from the disk.
• Memory counters. These counters monitor physical random access memory (RAM), virtual memory, and disks, including paging, which is the movement of pages of code and data between disk and physical memory.
• Counters for objects. These counters monitor logical objects in the system, including threads and processes.
• Paging file counters. The paging file is the reserved space on the disk that complements committed physical memory.
• Physical disk counters. These counters monitor the physical disks, such as hard drives or fixed drives. The drives that appear in the Disk Management console are monitored by these counters. The individual disks in a hardware redundant array of independent disks (RAID) may not be visible to these counters, because the array is presented to Windows as a single disk.
• Process counters. These counters monitor running applications and system processes. All the threads in a process share the same address space and have access to the same data.
• Processor counters. These counters measure aspects of processor activity. Each processor is represented as an instance of the object.
• Server counters. These counters measure communication between the local computer and the network.
• System counters. These counters apply to more than one instance of component processes on the computer.
• Thread counters. These counters measure aspects of thread behavior. A thread is the basic object that runs instructions on a processor. All running processes have at least one thread.

Windows Server 2012 uses server roles to improve server efficiency and security. Only the performance objects and counters that are relevant to the installed server roles are available to monitor.

You can enable missing performance objects and counters by installing additional server roles or adding
features. Additional performance objects that are installed with each server role can help with server
monitoring. The following table identifies common server roles and the performance objects that can be
monitored to assess performance.

Server role Performance counters to monitor

Active Directory® Domain If you notice slow write or read operations, under the Physical Disk
Services (AD DS) category, check the following disk I/O counters to see whether
many queued disk operations exist:
• Avg. Disk Queue Length
• Avg. Disk Read Queue Length
• Avg. Disk Write Queue Length
If Local Security Authority Subsystem or lsass.exe uses lots of physical
memory, under the Database category, check the following Database
counters to see how much memory is used to cache the database for
Active Directory Domain Services:
• Database Cache % Hit
• Database Cache Size (MB)

File Server File Servers are typically heavily dependent on their physical disk
systems for file read and write operations. You should measure the
following counters to ensure that the PhysicalDisk subsystem is keeping
up with server demand:
• % Disk Time
• Avg. Disk Queue Length
• Avg. Disk Bytes/Transfer
Network performance is also a primary component of file server
performance. You should monitor the following counters to ensure that
required network bandwidth is available to the file server:
• Bytes Received Per Second
• Bytes Sent Per Second
• Output Queue Length

Hyper-V® (virtualization) Performance troubleshooting and tuning can be difficult on virtualized
servers. Virtual hardware provides a less consistent monitoring
environment than physical hardware.
Two layers of performance monitoring are usually recommended in a
virtualized scenario. One at the physical or host server level to monitor
key physical hardware components, and one at the virtualized server
level to monitor the virtual hardware and its effect on the operating
system and applications of the virtual server.

Web Server (IIS) Network-related performance counters are an important tool in
measuring web server performance.
Additionally, processor related counters can be helpful in identifying
issues in which web server applications are running processor intensive
processes.
The Web Service performance counters provide valuable information
about requests to the web server, bandwidth consumed, and web
server–specific statistics like page not found errors.

What Are Alerts?
An alert is a feature of Windows Server 2012 that notifies you when certain events have occurred or when certain performance thresholds are reached. You can configure an alert to log an event in the Application event log, to start another data collector set, or to run a scheduled task, so an alert can start an application or a performance log as well as record that the threshold was crossed.

You can configure alerts when you create data collectors, by selecting the Performance Counter Alert type of data collector.

When you create the alert, configure the following settings:

• Alert when. This is the alert threshold setting for a specific performance counter.
• Alert Action. This setting specifies whether to log an entry in the Application event log, or to start another data collector set.
• Alert Task. This setting specifies which command task should be triggered when the alert threshold is reached. In addition, you may specify command parameters, if applicable.
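The three alert settings, implemented as a polling script rather than a Performance Counter Alert data collector; this is an added example and not part of the course material. "Alert when" is the threshold table, "Alert Action" is the Application-log entry plus an optional data collector set started with logman, and "Alert Task" is a script block invoked with the counter name and value as its parameters. The event source name PerfAlert, the threshold values, the data collector set name and the task's log path are assumptions.

```powershell
# Added example (not course material): Performance Monitor alert semantics as a script.
$thresholds = @{
    '\Processor(_Total)\% Processor Time' = @{ Above = 80 }    # percent busy
    '\Memory\Available MBytes'            = @{ Below = 512 }   # MB free
    '\LogicalDisk(_Total)\% Free Space'   = @{ Below = 10 }    # percent free
}
$source     = 'PerfAlert'                   # event source registered below (assumption)
$dcsToStart = 'Windows Server Monitoring'   # data collector set to start on alert
$alertTask  = { param($Counter, $Value)     # "Alert Task" with parameters
    "$(Get-Date -Format s) $Counter=$Value" | Add-Content 'C:\PerfLogs\alerts.log' }

# Registering a source is a one-time, elevated step; Write-EventLog requires it.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

function Test-Threshold {
    param([double]$Value, [hashtable]$Rule)
    if ($Rule.ContainsKey('Above')) { return ($Value -gt $Rule.Above) }
    return ($Value -lt $Rule.Below)
}

# One Get-Counter call samples every counter; 12 samples at 5 s covers one minute.
Get-Counter -Counter @($thresholds.Keys) -SampleInterval 5 -MaxSamples 12 | ForEach-Object {
    foreach ($s in $_.CounterSamples) {
        # Sample paths come back as \\host\object(instance)\counter in lower case;
        # drop the host so the (case-insensitive) hashtable lookup matches.
        $key  = $s.Path -replace '^\\\\[^\\]+', ''
        $rule = $thresholds[$key]
        if (-not $rule) { continue }
        if (Test-Threshold -Value $s.CookedValue -Rule $rule) {
            $op  = @($rule.Keys)[0]
            $msg = "$key is $([math]::Round($s.CookedValue, 1)); threshold: $op $($rule[$op])"
            # Alert Action 1: Application event log entry
            Write-EventLog -LogName Application -Source $source -EventId 2001 -EntryType Warning -Message $msg
            # Alert Action 2: start a data collector set (harmless if already running)
            logman start $dcsToStart 2>$null | Out-Null
            # Alert Task with command parameters
            & $alertTask -Counter $key -Value $s.CookedValue
        }
    }
}
```

Writing the alert to the Application log, rather than only to a file, is what lets the event subscription mechanism described in the next topic carry it to a central collector.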

What Are Event Subscriptions?
Event log subscriptions are a feature that, when configured, enables a single server to collect copies of events from multiple systems. Using WinRM and the Windows Event Collector service, you can collect events into the event logs of a centralized server, where you can analyze them together with the event logs of the other computers that are being collected on the same central server.

Subscriptions can be either collector-initiated or source computer–initiated:

• Collector-initiated. A collector-initiated subscription, or pull subscription, identifies all the computers that the collector will receive events from, and the collector pulls events from those computers. In a collector-initiated subscription, the subscription definition is stored and maintained on the collector computer. You use pull subscriptions when many computers have to be configured to forward the same types of events to a central location. In this manner, only one subscription definition has to be defined and applied to all computers in the group.

• Source computer–initiated. In a source computer–initiated subscription, or push subscription, source computers push events to the collector. The subscription definition still lives on the collector, but each source computer is configured, manually or by using Group Policy (the Configure target Subscription Manager setting under Event Forwarding), with the address of the collector it should send to, and the source computer drives the forwarding. You create push subscriptions when each server is forwarding a different set of events than other servers, or when control over the event forwarding process has to be maintained at the source computer, possibly because frequent changes have to be made to the subscription.

Event Subscription Requirements

To implement event subscriptions in your environment, several prerequisites must be met:

• You must enable and configure WinRM on both the source and the collector computers by using the following command. It starts the WinRM service and sets it to start automatically, creates an HTTP listener, and adds the matching Windows Firewall exception.

winrm qc

• You must start and configure the Windows Event Collector service to receive events on the collector computer. You can achieve this by running the following command, which also sets the service to start automatically.

wecutil qc

• For a collector-initiated subscription, the collector computer's account must be able to read the source computer's event logs. Adding the collector's computer account to the Event Log Readers group on each source computer grants that right for the Windows logs and is preferable to making it a local administrator.

Events that are collected by a subscription can be collected into any of the collector computer's default event logs, or into an event log specifically created to host collected events. The default destination is the Forwarded Events log.

Demonstration: Configuring Event Subscriptions

Event subscription is a cost-effective and customizable way to get a consolidated view of monitored activities and events on target servers, and to raise alerts promptly. In Windows Server 2012, subscribing to and forwarding events, with triggers to send out alerts, is a straightforward process.

Demonstration Steps
Configure the source computer
1. Switch to LON-SVR1.

2. At the command prompt, run the winrm quickconfig command to enable the administrative
changes that are required on a source computer.

3. Add the LON-DC1 computer account to the local Administrators group. (Membership in the local Event Log Readers group is sufficient for reading the Windows logs and grants far less.)

Configure the collector computer


1. Switch to LON-DC1.

2. At the command prompt, run the wecutil qc command to enable the administrative changes that are
required on a collector computer.

Create a subscribed log


1. Open Event Viewer.

2. Create a new subscription with the following properties:


o Computers: LON-SVR1

o Name: LON-SVR1 Events

o Type of subscription: Collector Initiated

o Events: Critical, Warning, Information, Verbose, and Error

o Logged: last 7 days

o Logs: Windows Logs

Check the subscribed log

1. Switch to LON-DC1.

2. In Event Viewer, check the Forwarded Events log (the default destination for a new subscription) for events from LON-SVR1.
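The collector-side half of this demonstration done from the command line on LON-DC1, as an added example that is not part of the course material. It writes the subscription definition that Event Viewer would create for the settings above (collector initiated, all levels, last 7 days, the Windows logs), registers it with wecutil, and reads the forwarded events back. It assumes winrm quickconfig has already run on LON-SVR1 and that LON-DC1's computer account can read LON-SVR1's logs; the FQDN LON-SVR1.adatum.com and the temporary file path are assumptions.

```powershell
# Added example (not course material): create the "LON-SVR1 Events" subscription with wecutil.
$subName    = 'LON-SVR1 Events'
$sourceFqdn = 'LON-SVR1.adatum.com'            # assumption
$xmlPath    = "$env:TEMP\LON-SVR1-Events.xml"  # assumption

# Event filter as Event Viewer would generate it. Levels 1..5 are Critical..Verbose
# (0 is LogAlways); timediff() is in milliseconds, 7 days = 604800000.
# The Security log is readable by the Event Log Readers group, which is the
# membership the collector's computer account needs on the source.
$levels = '(Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5)'
$week   = 'TimeCreated[timediff(@SystemTime) &lt;= 604800000]'
$query  = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[$levels and $week]]</Select>
    <Select Path="System">*[System[$levels and $week]]</Select>
    <Select Path="Security">*[System[$week]]</Select>
  </Query>
</QueryList>
"@

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows logs from LON-SVR1 (demonstration)</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$sourceFqdn</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

wecutil qc /q:true               # configure and start the Windows Event Collector service, no prompt
wecutil ds $subName 2>$null      # drop an old copy so the script is re-runnable
wecutil cs $xmlPath              # create the subscription from the XML definition
wecutil gr $subName              # runtime status: the source should show as Active, not an error

# "Check the subscribed log": newest forwarded events, counted per source computer.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 50 -ErrorAction SilentlyContinue |
    Group-Object MachineName | Select-Object Name, Count
```

The push form uses SubscriptionType SourceInitiated and replaces the EventSources element with an AllowedSourceDomainComputers element holding an SDDL string that names the computers permitted to forward; the source computers are then pointed at this collector through the Group Policy setting mentioned above.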



Monitoring a Network
Because network infrastructure services are an important foundation of many other server-based services, you must make sure that they are configured correctly and are running optimally.

Collecting performance-related data on the network infrastructure services benefits your organization in:

• Helping to optimize network infrastructure server performance. By providing performance baseline and trend data, you can help your organization optimize network infrastructure server performance.
• Troubleshooting servers. Where server performance has decreased, either over time or during periods of peak activity, you can help identify possible causes and take corrective action to ensure that you can bring the service back within the limits of your SLA.

You can use Performance Monitor to collect and analyze the relevant data.

Monitoring Domain Name System (DNS)
Domain Name System (DNS) provides name resolution services on the network. You can monitor the DNS Server role of Windows Server 2012 to determine the following aspects of your DNS infrastructure:

• General DNS server statistics, including the number of overall queries and responses that are processed by the DNS server
• User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) counters, for measuring DNS queries and responses that are processed by using either of these transport protocols
• Dynamic update and secure dynamic update counters, for measuring registration and update activity that is generated by dynamic clients
• Memory usage counters, for measuring system memory usage and memory allocation patterns that are created by operating the server as a DNS server
• Recursive lookup counters, for measuring queries and responses when the DNS service uses recursion to look up and fully resolve DNS names on behalf of requesting clients
• Zone transfer counters, including specific counters for measuring the following: full zone transfer (AXFR), incremental zone transfer (IXFR), and DNS zone update notification activity

Monitoring DHCP
The Dynamic Host Configuration Protocol (DHCP) service provides dynamic IP configuration services on the network. You can monitor the Windows Server 2012 DHCP Server role to determine the following aspects of your DHCP server:

• The Average Queue Length indicates the current length of the internal message queue of the DHCP server. This number represents the number of unprocessed messages that have been received by the server. A large number might indicate heavy server traffic.
• The Milliseconds per packet (Avg.) counter is the average time in milliseconds that is used by the DHCP server to process each packet it receives. This number varies, depending on the server hardware and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem becoming slower or because of a processing overhead on the server.
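A short baseline run over the DNS and DHCP counter categories listed above, as an added example that is not part of the course material. Rather than hard-coding counter names, it looks each name up in the counter sets installed on the server and skips, with a warning, any that are absent, so a missing role or a differently named counter is reported rather than aborting the run. It then writes a .blg for Performance Monitor and flags the two DHCP symptoms the text calls out (a growing queue, a spike in per-packet time). The threshold values and the output path are assumptions; C:\PerfLogs is assumed to exist.

```powershell
# Added example (not course material): sample role-specific DNS and DHCP counters.
$wanted = @{
    'DNS' = @('Total Query Received', 'Total Response Sent',
              'UDP Query Received', 'TCP Query Received',
              'Dynamic Update Received', 'Secure Update Received',
              'Caching Memory', 'Database Node Memory',
              'Recursive Queries', 'Recursive Query Failure',
              'AXFR Request Received', 'IXFR Request Received', 'Notify Received')
    'DHCP Server' = @('Active Queue Length', 'Conflict Check Queue Length',
                      'Milliseconds per packet (Avg.)', 'Packets Received/sec')
}
# Illustrative limits (assumptions): queue depth and ms-per-packet worth a second look.
$limits = @{ 'Active Queue Length' = 100; 'Milliseconds per packet (Avg.)' = 50 }
$out    = 'C:\PerfLogs\infra-baseline.blg'

# Resolve the wanted names against what is actually installed on this server.
$paths = foreach ($set in $wanted.Keys) {
    $installed = Get-Counter -ListSet $set -ErrorAction SilentlyContinue
    if (-not $installed) { Write-Warning "Counter set '$set' not installed (role missing?)"; continue }
    foreach ($c in $wanted[$set]) {
        $p = "\$set\$c"
        if ($installed.Paths -contains $p) { $p } else { Write-Warning "No counter $p on this server" }
    }
}
if (-not $paths) { return }

# Six samples five seconds apart: a 30 s baseline. Raw samples go to a .blg so
# the run can be opened in Performance Monitor next to the other data collector sets.
$samples = Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 6
$samples | Export-Counter -Path $out -FileFormat blg -Force

$samples.CounterSamples | Group-Object Path | ForEach-Object {
    $counterName = ($_.Name -split '\\')[-1]
    $avg = ($_.Group | Measure-Object CookedValue -Average).Average
    $max = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
    $note = ''
    if ($limits.ContainsKey($counterName) -and $max -gt $limits[$counterName]) { $note = 'CHECK' }
    [pscustomobject]@{
        Counter = $_.Name
        Avg     = [math]::Round($avg, 2)
        Max     = [math]::Round($max, 2)
        Note    = $note
    }
} | Format-Table -AutoSize
```

Get-Counter -ListSet DNS and Get-Counter -ListSet 'DHCP Server' list every counter the two roles expose, which is the quickest way to confirm the exact name of a counter before building a data collector set around it.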

Lesson 2
Implementing Windows Server Backup
In order to protect critical data, every organization must perform backups regularly. Having a well-defined and tested backup strategy ensures that companies can restore data after an unexpected failure or data loss. This lesson describes the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service for Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the features of Windows Server Backup.
• Describe the Microsoft Online Backup Service.
• Describe the methods for backing up server roles running on Windows Server 2012.
• Back up Windows Server 2012 by using Windows Server Backup.

Features of Windows Server Backup in Windows Server 2012
The Windows Server Backup feature in Windows Server 2012 consists of a Microsoft Management Console (MMC) snap-in and command-line tools. You can use wizards in the Windows Server Backup feature to guide you through running backups and recoveries. You can use Windows Server Backup 2012 to back up:

• Full server (all volumes)
• Selected volumes
• Selected specific items

In addition, Windows Server Backup 2012 lets you:

• Perform a bare-metal restore. A bare-metal restore includes all volumes that are required for Windows to run. You can use this backup type together with the Windows Recovery Environment to recover from a hard disk failure, or if you have to recover the whole computer image to new hardware.
• Use system state. You can select System state in the GUI to create a system state backup.
• Recover individual files and folders. The Individual files and folders option enables you to back up selected files and folders, instead of just full volumes.
• Exclude selected files or file types. For example, you can exclude .tmp files.
• Select from more storage locations. You can store backups on remote shares or non-dedicated volumes.
• Use the Microsoft Online Backup Service. The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 which enables files and folders to be backed up to, and recovered from, the cloud, to provide off-site backup.

If there are disasters such as hard disk failures, you can perform a system recovery by using a full server backup and the Windows Recovery Environment: this will restore your complete system onto the new hard disk.

You can also take just a system state backup from the command line with the wbadmin.exe utility (wbadmin start systemstatebackup), which is the form to use in scripts. By default, wbadmin writes a system state backup only to a local volume, not to a network share.

What Is Microsoft Online Backup Service?
The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 managed by Microsoft. You can use this service to back up files and folders and recover them from the cloud, to provide off-site protection against data loss caused by disasters. You can use this service to back up and protect critical data from any location.

This service is built on the Windows Azure® platform and uses Windows Azure blob storage for storing customer data. Windows Server 2012 uses the downloadable Microsoft Online Backup Agent to transfer file and folder data securely to the Microsoft Online Backup Service. After you install the Microsoft Online Backup Agent, the agent integrates its functionality through the familiar Windows Server Backup interface.

Key Features
The key features that Windows Server 2012 provides through the Microsoft Online Backup service include:

• Simple configuration and management. Integration with the familiar Windows Server Backup utility provides a seamless backup and recovery experience to a local disk, or to the cloud. Other features include:
o Simple user interface to configure and monitor the backups
o Integrated recovery experience to recover files and folders from local disk or from the cloud
o Easily recover any data that was backed up onto any server of your choice
o Scripting capability that is provided by the Windows PowerShell command-line interface

• Block-level incremental backups. The Microsoft Online Backup Agent performs incremental backups by tracking file and block-level changes and only transferring the changed blocks, therefore reducing the storage and bandwidth usage. Different point-in-time versions of the backups use storage efficiently by only storing the changed blocks between these versions.

• Data compression, encryption and throttling. The Microsoft Online Backup Agent ensures that data is compressed and encrypted on the server before it is sent to the Microsoft Online Backup Service over the network. Therefore, the Microsoft Online Backup Service only stores encrypted data in the cloud storage. The encryption passphrase is not available to the Microsoft Online Backup Service, and therefore the data is never decrypted in the service. For the same reason, a lost passphrase makes the backups unrecoverable, so it must be stored securely. Also, users can set up throttling and configure how the Microsoft Online Backup service uses the network bandwidth when backing up or restoring information.

• Data integrity verified in the cloud. In addition to the secure backups, the backed-up data is also automatically checked for integrity after the backup is finished. Therefore, any corruption that may arise because of data transfer can be easily identified, and it is fixed in the next backup automatically.

• Configurable retention policies for storing data in the cloud. The Microsoft Online Backup Service accepts and implements retention policies to recycle backups that exceed the desired retention range, thereby meeting business policies and managing backup costs.

Additional Reading: Windows Azure Storage
http://www.windowsazure.com/en-us/home/features/storage/

Methods to Back Up Server Roles
You can back up most services on computers running Windows Server 2012 by performing a system state backup. Some services also enable configuration and data backup from their respective management console.

The following table lists the methods that you can use to back up specific roles on computers running Windows Server 2012.

Role  Method

DHCP
• System state backup backs up all scopes and options.
• DHCP console backup backs up individual scopes or all scopes.

Certificate Services
• System state backup backs up the whole configuration and the certificate services database.
• Certification Authority console backup backs up certificate services data and settings.

Internet Information Services (IIS)
• System state backup enables the backup of IIS data and settings.
• Appcmd.exe lets you back up IIS components.
• Website files and folders have to be backed up separately. When backing up IIS components, ensure that the website files and folders are also backed up. These are not backed up by a system state backup.

Network Policy and Access Services (NPAS)
• System state backup enables the backup of NPAS configuration.

DNS
• System state backup backs up all DNS configuration and zones stored on the server.
• Dnscmd.exe lets you export and import zones.

File and Print Services
• System state backup backs up shared folder permissions and settings.
• Volume backup enables a backup of all files and folders that are located on that volume.
• File and folder backup backs up the content of shared folders.

Demonstration: Backing Up Windows Server 2012 by Using Windows Server Backup
In this demonstration, you will see how to use the backup wizard to back up a folder.

Demonstration Steps
1. On LON-SVR1, start Windows Server Backup.

2. Run the Backup Once Wizard to back up the C:\HR Data folder to the remote folder,
\\LON-DC1\Backup.
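The Backup Once demonstration as a script, as an added example that is not part of the course material. It uses the WindowsServerBackup module's policy cmdlets to back up C:\HR Data to \\LON-DC1\Backup with the .tmp exclusion described in the feature list, and then takes a system state backup with wbadmin, which requires a local volume. It assumes the Windows Server Backup feature is installed (Install-WindowsFeature Windows-Server-Backup), that \\LON-DC1\Backup grants LON-SVR1's computer account write access, and that E: is a local volume on LON-SVR1.

```powershell
# Added example (not course material): scripted equivalent of the Backup Once Wizard.
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# What to back up: the HR Data folder, minus scratch files.
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\HR Data')
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\HR Data\*.tmp' -Exclude)

# Where to put it: the remote share from the demonstration. -NonInheritAcl gives
# the backup folder its own ACL (the backing-up account and the file server's
# administrators) instead of inheriting the share folder's, so the copy of HR
# data is not readable by everyone who can read the share.
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target

# A VSS copy backup does not reset other applications' "backed up" markers,
# which is the safe choice when another product also backs up this server.
Set-WBVssBackupOption -Policy $policy -VssCopyBackup

Start-WBBackup -Policy $policy            # runs synchronously and reports progress
Get-WBJob -Previous 1 | Format-List JobType, JobState, StartTime, EndTime

# System state: a local volume is required by default (assumption: E: exists).
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

A remote shared folder holds only the most recent backup; each run overwrites the previous one. Keeping more than one version requires a dedicated local disk or a volume target, which is also where the system state copy above has to go.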

Lesson 3
Implementing Server and Data Recovery
Every organization might experience losing some of its data, for reasons such as hardware failures, file system corruption, or a user unintentionally deleting critical data. Therefore, organizations must have well-defined and tested recovery strategies that will help them bring their servers and data back to a healthy and operational state in the fastest time possible. This lesson describes how to restore data and servers by using the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service in Windows Server 2012.

Lesson Objectives
• Describe the options for server recovery.
• Describe the options for server restore.
• Describe the considerations for data recovery.
• Perform a restore with Windows Server Backup.
• Describe how to perform a restore with online backup.

Options for Server Recovery
Windows Server Backup in Windows Server 2012 provides the following recovery options:

• Files and folders. You can recover individual files or folders as long as the backup is on an external disk or in a remote shared folder.
• Applications and data. You can recover applications and data if the application has a Volume Shadow Copy Service writer and is registered with Windows Server Backup.
• Volumes. Restoring a volume always restores all the contents of the volume. You cannot restore individual files or folders.
• Operating system. You can recover the operating system through the Windows Recovery Environment (WinRE).
• Full server. You can recover the full server through WinRE.
• System state. System state creates a point-in-time backup that you can use to restore a server to a previous working state.

The Windows Server Backup Recovery Wizard provides several options for managing file and folder recovery. They are:

• Recovery Destination. Under Recovery Destination, you can select any one of the following options:
o Original location. The original location restores the data to the location it was backed up from originally.
o Another location. Another location restores the data to a different location.

• Conflict Resolution. Restoring data from a backup frequently conflicts with existing versions of the data. Conflict resolution lets you determine how those conflicts will be handled. When these conflicts occur, you have the following options:
o Create copies and have both versions
o Overwrite the existing version with the recovered version
o Do not recover items if they already exist in the recovery location
• Security Settings. You can use this option to restore permissions to the data being recovered.

Options for Server Restore
You perform a server restore by starting the computer from the Windows Server 2012 installation media, selecting the computer repair option, and then selecting the full server restore option.

When you perform a full server restore, consider the following aspects:

• Bare-metal restore. A bare-metal restore is the process during which you restore an existing server in its entirety to new or replacement hardware. When you perform a bare-metal restore, the restore proceeds and the server restarts. Later, the server becomes operational. In some cases, you may have to reset the computer's Active Directory account, because the computer account password stored in the backup can be older than the one the domain holds, and the two are then out of sync.

• Same or larger disk drives. The server hardware that you are restoring to must have disk drives that are the same size or larger than the drives of the original host server. If this is not the case, the restore will fail. It is possible, although not advised, to successfully restore to hosts that have slower processors and less RAM.

• Importing to Hyper-V. Because server backup data is written in the VHD format, which is also the format that is used for virtual machine hard disks, it is possible, with some care, to use full server backup data as the basis for creating a virtual machine. Doing this gives you the option of ensuring business continuity while sourcing the appropriate replacement hardware.

Considerations for Data Recovery
There are several strategies that you can pursue in developing a data recovery procedure. Data is the most frequently recovered component of an IT infrastructure.

Consider the following components in a data recovery strategy:

• Letting users recover their own data by using the previous versions functionality (volume shadow copy)

• Performing a recovery to an alternative location

• Performing a recovery to the original location

• Performing a full volume recovery

Earlier Versions of Files: Users Recover Their Own Data
The most common form of data recovery performed by IT departments is the recovery of files and folders
that users have deleted, lost, or in some way made corrupted. The Previous Versions of Files functionality,
which you can enable on all computers running Windows Server 2012 lets users recover their own files.
After end-users are trained to do this, the IT department spends time recovering more important data.

From a planning perspective, you should consider increasing the frequency at which snapshots for
previous versions of files are generated. This gives users more options when they try to recover files that
have recently become deleted or corrupted.

Recovering Data to an Alternative Location
A common recovery problem is the unintentional replacement of important data when recovering from
backup. This can occur when recovery is performed to a location with live data, instead of to a separate
location where the necessary data can be located and the unnecessary data discarded.

When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material to a location where
important permissions are not applied, enabling unintended access to data for those that should not have
it.

Recovering Data to the Original Location


During some types of failures, such as data corruption or deletion, you have to restore data to the original
location, because applications or users who access those data are preconfigured with the information on
where the data is located.

Recovering Volumes
If a disk fails, the quickest way to recover the data sometimes is to do a volume recovery, instead of a
selective recovery of files and folders. When you do a volume recovery, you must check whether any
shared folders are configured for the disks, and if the quotas and File Server Resource Manager
management policies are still in effect.

Demonstration: Restoring with Windows Server Backup
In this demonstration, you will see how to use the Recovery Wizard to restore a folder.

Demonstration Steps
1. On LON-SVR1, delete the C:\HR Data folder.

2. In the Windows Server Backup MMC, run Recovery Wizard and specify the following information:

o Getting Started: A backup stored on another location


o Specify Location type: Remote Shared Folder

o Specify Remote Folder: \\LON-DC1\Backup

o Select Backup Date: Default value, Today

o Select Recovery Type: Default value, Files and Folders



o Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data

o Specify Recovery Options: Another Location (C:)

3. Locate C:\ and ensure that the files are restored.

Restoring with an Online Backup Solution

You can use Microsoft Online Backup Service only on Windows Server 2012 servers. You do not have to
restore data on the same server that you backed up. You can restore data on some other server instead.

You can recover files and folders by using either the Microsoft Online Backup MMC in Server Manager or
Windows PowerShell® by performing the following steps:

1. Select the server where the backup data was originally created, that is, whether it is the local server or
another server. If you select the Another server option, you must provide your Microsoft Online
Backup Service Administrator credentials.

2. Browse for the files that have to be restored, or search for them in the Microsoft Online Backup
Service.

3. After you locate the files, select them for recovery, and select a location where the files will be
restored.

4. When restoring files, select from the following options:

o Create copies so that you have both the restored file and the original file in the same location. The
restored file has its name in the following format: Recovery Date+Copy of+Original File Name

o Overwrite the existing versions with the recovered version

o Do not recover the items that already exist on the recovery destination

After you complete the restore procedure, the files will be restored on the Windows Server 2012 located in
your site.

Lab: Monitoring and Maintaining Windows 2012 Servers


Scenario
To obtain accurate information about server usage, it is important to establish a performance baseline
with a typical load for the new Windows Server 2012 servers. In addition, to make the process of
monitoring and troubleshooting easier, IT management wants to implement centralized monitoring of
event logs.

Much of the data that is stored on the A. Datum network is very valuable to the organization. Losing this
data permanently would be a very significant loss to the organization. Also, several servers that run on the
network provide very valuable services for the organization; losing these servers for a significant time
would also result in losses to the organization. Because of the significance of the data and services, it is
important that they can be restored even if there is any disaster.

One of the options that A. Datum is considering is backing up some critical data to a cloud-based service.
A. Datum is considering this as an option for small branch offices that do not have a full data center
infrastructure.

As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a monitoring and system recovery solution that will meet the management and business
requirements.

Objectives
After completing this lab, you will be able to:
• Configure centralized monitoring for Windows 2012 servers.

• Back up Windows Server 2012 Servers.

• Restore files by using Windows Server Backup.


• Perform an online backup and restore for Windows Server 2012 servers.

Lab Setup

Estimated time: 75 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2-4 for 20417A-LON-SVR1.

6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.

Exercise 1: Configuring Centralized Monitoring for Windows Server 2012 Servers
Scenario
The management at A.Datum has asked for a monthly report on server performance. To provide a
monthly report, you plan to establish centralized monitoring of the server. You decide to configure
Server Manager to monitor all servers from a single console. You also decide to configure performance
monitoring for some critical resources, and to collect events from several business-critical servers at a
central location.

The main tasks for this exercise are as follows:

1. Configure Server Manager to monitor multiple servers.


2. Configure a data collector set.

3. Configure an event subscription.

X Task 1: Configure Server Manager to monitor multiple servers


1. Switch to LON-SVR1.
2. In the Server Manager console, in the navigation pane, click All Servers.

3. In the Server Manager console, add LON-DC1 as another server to be monitored.

4. In the Actions pane, start the performance counters for both LON-SVR1 and LON-DC1.

X Task 2: Configure a data collector set


1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows
Server Monitoring.

2. Configure the data collector set to include the Performance counter data logs for
Processor/% Processor Time, Memory/ Available MBytes and Logical Disk/% Free Disk Space.

3. Start the Windows Server Monitoring data collector set, and let it run for one minute.

4. Stop the Windows Server Monitoring data collector set, and then review the latest report.

X Task 3: Configure an event subscription


1. Switch to LON-SVR1.

2. At the command prompt, run the winrm quickconfig command to enable the administrative
changes that are required on a source computer.

3. Add the LON-DC1 computer to the local Administrators group.

4. Switch to LON-DC1.
5. At the command prompt, run the wecutil qc command to enable the administrative changes that are
required on a collector computer.

6. Open Event Viewer.

7. Create a new subscription with the following properties:

o Computers: LON-SVR1

o Name: LON-SVR1 Events


o Type of subscription: Collector Initiated

o Events: Critical, Warning, Information, Verbose, and Error

o Logged: last 7 days

o Logs: Windows Logs

8. Expand Event Viewer, expand Windows Logs, and then click Forwarded Events. Verify that events are
forwarded from LON-SVR1.

Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.
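The following Windows PowerShell script is an added example, not part of the lab: it samples the same three counters that the Windows Server Monitoring data collector set records to produce a numeric baseline per server, and then, when run on the collector LON-DC1, summarizes what has arrived in the Forwarded Events log per source computer. Remote counter collection assumes the Performance Logs and Alerts firewall rule group is enabled on the monitored servers; the sample count and interval are chosen for the example.

```powershell
# Added example, not lab code. Counters match the data collector set in Task 2.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(C:)\% Free Space'
)

function Get-PerformanceBaseline {
    param(
        [string[]]$ComputerName    = @('LON-SVR1', 'LON-DC1'),
        [int]$Samples              = 12,   # 12 samples x 5 s = the lab's one-minute run
        [int]$IntervalSeconds      = 5
    )
    # Get-Counter prefixes each path with \\<server>, so grouping by Path keeps servers apart
    $data = Get-Counter -ComputerName $ComputerName -Counter $counters `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $data.CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $values = $_.Group.CookedValue
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round(($values | Measure-Object -Average).Average, 2)
                Minimum = ($values | Measure-Object -Minimum).Minimum
                Maximum = ($values | Measure-Object -Maximum).Maximum
            }
        }
}

function Get-ForwardedEventSummary {
    # Run on the collector (LON-DC1). Subscribed events land in the ForwardedEvents log;
    # a source that stops appearing here is the first sign the subscription broke.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}

# Baseline: keep this output and compare future runs against it
Get-PerformanceBaseline | Format-Table -AutoSize

# Delivery check on the collector, plus the subscription's own runtime status
Get-ForwardedEventSummary | Format-Table -AutoSize
& wecutil.exe gr 'LON-SVR1 Events'
```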

Exercise 2: Backing up Windows Server 2012


Scenario
The LON-SVR1 server contains financial data that must be backed up regularly. This data is important to
the organization. You decide to use Windows Server Backup to back up critical data. You plan to install
this feature and configure a scheduled backup.

The main tasks for this exercise are as follows:

1. Install the Windows Server Backup feature.

2. Configure a scheduled backup.

3. Complete an on-demand backup.

X Task 1: Install the Windows Server Backup feature


1. Switch to LON-SVR1.

2. Open Server Manager and install the Windows Server Backup role.

3. Install the role on LON-SVR1 and then accept the default values on the Add Role wizard.

X Task 2: Configure a scheduled backup


1. On LON-SVR1, start Windows Server Backup.

2. Configure Backup Schedule with the following options:

o Backup Configuration: Full server (recommended).

o Backup Time: Once a day, 1:00 AM.

o Destination Type: Back up to a shared network folder

o Remote Shared Folder: \\LON-DC1\Backup.


ƒ Register Backup Schedule: Username: Administrator
ƒ Password: Pa$$w0rd
3. Close Windows Server Backup.

X Task 3: Complete an on-demand backup


To prepare for this task, create a folder named Financial Data on drive C: of LON-SVR1, and within the
Financial Data folder create a text file named Financial Report.txt.
To complete an on-demand backup, perform the following steps:

1. On LON-SVR1, start Windows Server Backup.

2. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder,
\\LON-DC1\Backup.

Results: After completing this exercise, you will have installed the Windows Server Backup feature,
configured a scheduled backup, and run an on-demand backup.
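As an added example (not part of the lab), the following Windows PowerShell script does what the Backup Schedule and Backup Once wizards do for the Financial Data folder, then reads back the result of the last job. It assumes the Windows Server Backup feature (WindowsServerBackup module) is installed and that the share \\LON-DC1\Backup exists; the account prompted for is the one that will write to the share.

```powershell
# Added example, not lab code. Requires the WindowsServerBackup module.
Import-Module WindowsServerBackup

function Register-FinancialDataBackup {
    param(
        [string]$SourcePath = 'C:\Financial Data',
        [string]$SharePath  = '\\LON-DC1\Backup',
        # Use a dedicated account that has write access to the share rather than a domain
        # administrator; the credential is stored with the policy for the scheduled task.
        [pscredential]$Credential = (Get-Credential -Message 'Account for \\LON-DC1\Backup')
    )
    $policy = New-WBPolicy

    # Back up just the folder (the lab's scheduled job backs up the full server)
    $spec = New-WBFileSpec -FileSpec $SourcePath
    Add-WBFileSpec -Policy $policy -FileSpec $spec

    # Network share as destination. A remote shared folder keeps only the most recent
    # backup, so each run replaces the previous one; use a dedicated disk if you need history.
    $target = New-WBBackupTarget -NetworkPath $SharePath -Credential $Credential
    Add-WBBackupTarget -Policy $policy -Target $target

    # Once a day at 01:00, as in the lab
    Set-WBSchedule -Policy $policy -Schedule ([datetime]'01:00')

    # Register the policy as the scheduled backup (replaces any existing one)
    Set-WBPolicy -Policy $policy -AllowDeleteOldBackups -Force
    return $policy
}

function Start-FinancialDataBackupNow {
    # Equivalent of the Backup Once wizard: run the registered policy immediately,
    # then show how the job ended so a silent failure is not mistaken for success.
    Start-WBBackup -Policy (Get-WBPolicy)
    Get-WBJob -Previous 1 |
        Select-Object JobType, StartTime, EndTime, JobState, ErrorDescription
}

Register-FinancialDataBackup | Out-Null
Start-FinancialDataBackupNow
```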

Exercise 3: Restoring files by using Windows Server Backup


Scenario
To ensure that the financial data can be restored, you must validate the procedure for restoring the data
to an alternative location. You may also have to restore different versions of the data. For this purpose,
you may have to use the Vssadmin tool to review backups.

The main tasks for this exercise are as follows:

1. Delete a file from the file server.

2. View the available restores by using the Vssadmin command.

3. Restore the file from backup.

X Task 1: Delete a file from the file server


• On LON-SVR1, delete the C:\Financial Data folder.

X Task 2: View the available restores by using the Vssadmin command


1. On LON-SVR1, run Windows PowerShell.

2. At the Windows PowerShell prompt, run Vssadmin list shadows command to list existing volume
shadow copies.

X Task 3: Restore the file from backup


1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:

o Getting Started: A backup stored on another location

o Specify Location type: Remote Shared Folder

o Specify Remote Folder: \\LON-DC1\Backup

o Select Backup Date: Default value, Today

o Select Recovery Type: Default value, Files and Folders

o Select Items to Recover: LON-SVR1\Local Disk (C:)\Financial Data

o Specify Recovery Options: Another Location (C:)


2. Locate C:\ and ensure that the files are restored.

Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed the
available restores, and then restored the folder from the backup that you created.

Exercise 4: Implementing Microsoft Online Backup and Restore


Scenario
A. Datum has to protect critical data in small branch offices. Those offices do not have backup hardware
and full data center infrastructure. Therefore A. Datum has decided to back up the critical data in branch
offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012.
The main tasks for this exercise are as follows:

1. Install the Microsoft Online Backup Service component.

2. Register the server with Microsoft Online Backup.


3. Configure an online backup.

4. Restore files by using the online backup.

5. Unregister the server from the Microsoft Online Backup Service.

X Task 1: Install the Microsoft Online Backup Service component


1. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Sign-in Assistant,
msoidcli.msi. Install the application.

2. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent,
OBSInstaller.exe.

3. Start the installation of Microsoft Online Backup Agent by double-clicking the installation file
OBSInstaller.exe.

4. Complete the setup by specifying the following information:

o Installation Folder: C:\Program Files

o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent

o Microsoft Update Opt-In: I don't want to use Microsoft Update.



5. Verify the installation; ensure you receive the following message: Microsoft Online Backup Service
Agent installation has completed successfully. Clear the Check for newer updates check box, and
then click Finish.

6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and
Microsoft Online Backup Service Shell.

X Task 2: Register the server with Microsoft Online Backup


Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example
NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer
names used in this lab should be unique. If there is more than one student in the classroom with the same
name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.

To rename LON-SVR1, perform the following steps:

1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart
YOURCITYNAME-YOURNAME.

2. Wait until YOURCITYNAME-YOURNAME is restarted, and then log on as Adatum\Administrator
with password Pa$$w0rd.

To register the server with Microsoft Online Backup, perform the following steps:

1. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following
information:

o Account Credentials:
  Username: holuser@onlinebackupservice.onmicrosoft.com
  Password: Pa$$w0rd

Note: In a real-life scenario, you would type the username and password of your Microsoft Online
Backup Service subscription account.

o Encryption Settings:
  Enter passphrase: Pa$$w0rdPa$$w0rd
  Confirm passphrase: Pa$$w0rdPa$$w0rd

2. Verify that you receive the following message: Microsoft Online Backup Service is now available
for this server.

X Task 3: Configure an online backup


1. Switch to the Microsoft Online Backup Service console.

2. Configure an online backup by using the following options:

o Select Items to back up: C:\Financial Data


o Specify Backup Time: Saturday, 1:00AM

o Specify Retention Setting: Default values

3. In the Microsoft Online Backup Service console, start the backup by clicking Backup Now.

X Task 4: Restore files by using the online backup


1. Switch to the Microsoft Online Backup Service console.

2. Restore files and folders by using the Recover Data option and specify the following information:

o Identify the server on which the backup was originally created: This server

o Select Recovery Mode: Browse for files

o Select Volume and Date: C:\ and date and time of the latest backup.

o Select Items to Recover: C:\Financial Data

o Specify Recovery Options: Original location and Create copies so that you have both versions

X Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console.

2. Unregister the server from the Microsoft Online Backup Service using the following credentials:

o Username: holuser@onlinebackupservice.onmicrosoft.com,

o Password: Pa$$w0rd

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.

X Task: To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1 and MSL-TMG1.



Module Review and Takeaways


Review Questions
Question: Why is monitoring important?

Question: You want to create a strategy on how to back up different technologies that are
used in your organization such as DHCP, DNS, Active Directory, and SQL Server. What should
you do?

Question: How frequently should we perform backup on critical data?

Best Practices
• Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on
proactively detecting potential failures or performance issues.

• When monitoring, estimate the baseline of system utilizations for each server. This will help you
determine whether the system is performing well or is overused.

• Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.

• Identify with the organization’s business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.

• Always test backup and restore procedures regularly, even if data loss or system failures never occur.
Perform testing in a non-production and isolated environment.

Common Issues and Troubleshooting Tips


| Common Issue | Troubleshooting Tip |
| --- | --- |
| During monitoring, multiple sources are concurrently reporting different problems. | |
| The server has suffered a major failure of its components. | |
| You must have a way to back up and restore your data quickly at different company locations. You do not have backup media or backup hardware in each site. | |
| You must restore your data because of a failure of the disk system. However, you find that your backup media is corrupted. | |

Real-world Issues and Scenarios


Your organization needs information on which data to back up, how frequently to back up different types
of data and technologies, where to store backed-up data (on site or in the cloud), and how fast it can
restore backed-up data if a failure occurs. Also, what is your suggestion to improve your organization's
ability to efficiently restore data when it is necessary?

Tools
| Tool | Use for | Where to find it |
| --- | --- | --- |
| Server Manager Dashboard | Monitoring multiple servers | Server Manager |
| Performance Monitor | Monitoring services and application and hardware performance data | Server Manager/Tools |
| Resource Monitor | Controlling how your system resources are being used by processes and services | Server Manager/Tools |
| Windows Server Backup | Performing on-demand or scheduled backup and restoring data and servers | Server Manager/Tools |
| Microsoft Online Backup Service | Performing on-demand or scheduled backup to the cloud and restoring data from the backup located in the cloud | Server Manager/Tools |

Module 3
Managing Windows Server 2012 by Using Windows
PowerShell 3.0
Contents:
Module Overview 3-1

Lesson 1: Overview of Windows PowerShell 3.0 3-2

Lesson 2: Using Windows PowerShell 3.0 to Manage AD DS 3-9

Lesson 3: Managing Servers by Using Windows PowerShell 3.0 3-20

Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0 3-26

Module Review and Takeaways 3-31

Module Overview
Windows PowerShell is a core feature of Windows Server® 2012 that enables command-line management
and configuration of the operating system. It is a standardized, task-based command-line shell and
scripting language that offers administrators more flexibility and choice in how they manage computers
running Windows®.

Windows PowerShell 3.0, included in Windows Server 2012, has more functionality and features than
earlier versions. You can now use Windows PowerShell® to manage all the Windows Server roles and
features. This enables administrators to quickly automate configuration tasks with a single tool, instead of
having to use multiple tools, such as batch scripts, Microsoft Visual Basic® Script Edition scripts (VBScript),
and manual configuration steps.

In this module, you will learn key Windows PowerShell concepts and new Windows PowerShell 3.0
features. This module will also describe how to practically use Windows PowerShell in your daily activities.

Objectives
After completing this module, you will be able to:

• Describe the Windows PowerShell command-line interface.

• Use Windows PowerShell to manage Active Directory® Domain Service (AD DS).

• Manage servers by using Windows PowerShell.



Lesson 1
Overview of Windows PowerShell 3.0
As a Windows Server administrator, you can use Windows PowerShell to install and configure native
Windows Server 2012 roles and features and to administer software such as Microsoft Exchange Server
and Microsoft System Center 2012. Although you can use a graphical user interface (GUI) for
administration, using Windows PowerShell with these applications enables bulk administration. This
provides the ability to create automation scripts for administration and access to configuration options
that are not available when you use a GUI. Some tasks that you can perform in Windows PowerShell will
already be familiar to you, such as listing the contents of a directory. To use Windows PowerShell
effectively, you must have a basic understanding of Windows PowerShell.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Windows PowerShell.

• Describe the Windows PowerShell syntax.

• Describe cmdlet aliases.

• Use the Windows PowerShell Integrated Scripting Environment (ISE).

• Access Help in Windows PowerShell.

• Describe Windows PowerShell modules.

• Describe Windows PowerShell remoting.

• Describe the new features in Windows PowerShell 3.0.

What Is Windows PowerShell?
Windows PowerShell is a command-line management interface that you can use to configure Windows
Server 2012 and products such as System Center 2012, Exchange Server 2010, and Microsoft SharePoint®
Server 2010. This management interface provides an alternative to the GUI management that enables
administrators to:

• Create automation scripts.

• Perform batch modifications.

• Access settings that might be unavailable or more difficult to configure in the GUI.

A GUI can guide you through complex operations, and can help you understand your choices. However, a
GUI can be inefficient for tasks that you have to perform repeatedly, such as creating new user accounts.
By building administrative functionality in the form of Windows PowerShell commands, Microsoft lets you
select the right method for a given task.

As you become more comfortable with Windows PowerShell, you may use it in place of other low-level
administrative tools that you may have used. For example, Windows PowerShell has access to the same
features that VBScript does, but in many cases provides easier ways to perform the same tasks.

Windows PowerShell may also change the way you use Windows Management Instrumentation (WMI).
Windows PowerShell can wrap task-specific commands around the underlying WMI functionality. When
you use Windows PowerShell with WMI, your work is simplified because Windows PowerShell provides
easy to use, task-based commands.

Windows PowerShell Syntax
Windows PowerShell has rules for naming and implementing functions. For example, Windows
PowerShell commands, known as cmdlets, use a naming convention of verb or action, followed by
a hyphen and a noun or subject. For example, to retrieve a list of virtual machines (VMs), you would
use the cmdlet Get-VM. This standardization helps you more easily learn how to perform
administrative tasks. For example, to change settings of a VM, you would use the cmdlet Set-VM.

Optionally, one or more parameters can be used with a cmdlet to modify its behavior or specify settings.
Parameters are written after the cmdlet. Each parameter that is used is separated by a space, and begins
with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique
to their functionality. For example, the Move-Item cmdlet has the Destination parameter to specify the
location to move the object, whereas Get-ChildItem has the -Recurse switch parameter. There are several
kinds of parameters, including the following:

• Named. Named parameters are most common. They are parameters that can be specified and require
a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination
parameter along with the exact destination to move the item.

• Switch. Switch parameters modify the behavior of the cmdlet, but do not require any additional
modifiers or values. For example, you can specify the -Verbose parameter without specifying a value
of $True.

• Positional. Positional parameters are parameters that can be omitted and can still accept values based
on where the information is specified in the command. For example, you could run Get-EventLog
-EventLog System to retrieve information from the System event log. However, because the
-EventLog positional parameter accepts values for the first position, you can also run Get-EventLog
System to get the same results. When the -EventLog parameter is not present, the cmdlet still
accepts the value of System because it is the first item after the cmdlet name.

Parameters that are common to many cmdlets include options to test the actions of the cmdlet or to
generate verbose information about the execution of the cmdlet. Common parameters include:

• -Verbose. This parameter displays detailed information about the performed command. You should
use this parameter to obtain more information about the execution of the command.

• -WhatIf. This parameter displays the outcome of running the command without running it. This is
helpful when testing a new cmdlet or script and you do not want the cmdlet to run.

• -Confirm. This parameter displays a confirmation prompt before executing the command. This is
helpful when you are running scripts and you want to prompt the user before executing a specific
step in the script.
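As an added example (not from the course), the following function shows the three parameter kinds described above on one command and implements -WhatIf and -Confirm the same way built-in cmdlets do, so a destructive script step can be rehearsed before it runs. The function name, its parameters and the C:\Logs path are constructed for the example.

```powershell
# Added example, not course code: a function that deletes old log files and honours
# the common parameters -Verbose, -WhatIf and -Confirm.
function Remove-StaleLogFile {
    # SupportsShouldProcess adds -WhatIf and -Confirm automatically.
    # ConfirmImpact = High means the confirmation prompt appears even when -Confirm is
    # not given (unless $ConfirmPreference has been lowered), which suits deletions.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Positional: can be supplied first without naming the parameter
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Path,

        # Named: requires a value; here it has a default when omitted
        [int]$OlderThanDays = 30,

        # Switch: its presence alone changes behaviour, no value is given
        [switch]$Recurse
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    $files  = Get-ChildItem -Path $Path -Filter '*.log' -File -Recurse:$Recurse |
              Where-Object { $_.LastWriteTime -lt $cutoff }

    foreach ($file in $files) {
        # ShouldProcess is what prints "What if: ..." under -WhatIf and prompts under -Confirm;
        # the deletion only happens when it returns $true.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove stale log file')) {
            Remove-Item -LiteralPath $file.FullName
            Write-Verbose "Removed $($file.FullName)"   # shown only with -Verbose
        }
    }
}

# The positional and named forms are equivalent; -WhatIf rehearses without deleting:
#   Remove-StaleLogFile C:\Logs -OlderThanDays 60 -Recurse -WhatIf
#   Remove-StaleLogFile -Path C:\Logs -OlderThanDays 60 -Recurse -WhatIf -Verbose
```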

Additional Reading: Cmdlet Verbs
http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx

Cmdlet Aliases
Although the standard naming convention used by cmdlets facilitates learning, the names
themselves can be very long, and sometimes do not match common terminology associated with
performing a task. For example, you may be familiar with the dir command, which lists the
contents of a directory (or folder). The Windows PowerShell cmdlet for this task, however, is
Get-ChildItem. To make using cmdlets easier, Windows PowerShell enables aliases to be created
for cmdlets. There is an alias created by default for dir that points to Get-ChildItem.

You can create new aliases for your common cmdlets, scripts, and programs by using the New-Alias
cmdlet. Default aliases include:

• cd -> Set-Location

• copy -> Copy-Item

• kill -> Stop-Process

• move -> Move-Item

• rm -> Remove-Item

• type -> Get-Content

• help -> Get-Help

Demonstration: Using the Windows PowerShell ISE
The Windows PowerShell ISE application is a graphical tool that enables you to write and test Windows
PowerShell scripts similar to the way a developer would write an application by using Microsoft Visual
Studio®. The Windows PowerShell ISE for Windows PowerShell 3.0 includes IntelliSense to provide
instant suggestions on the correct script syntax and available cmdlet parameters. Windows PowerShell
ISE is divided into two main parts: the Script pane and the Console pane.

Demonstration Steps
1. Log on to LON-DC1 as the domain administrator.

2. Open Windows PowerShell ISE as an administrator and review the Script pane and the Console pane.

3. Follow the steps in the following demonstration script: E:\ModXA\Democode\Using Windows
PowerShell ISE.ps1.

Accessing Help in Windows PowerShell
Whether you are an experienced professional or new to Windows PowerShell, the cmdlet Help
documentation is a rich source of information. To access the Help documentation, use the Get-Help
cmdlet or its alias help followed by the cmdlet name. Get-Help has parameters to adjust the
Help content that is displayed. The parameters are:

• -Detailed. This parameter displays more detailed help than the default option.

• -Examples. This parameter displays only the examples for using the cmdlet.

• -Full. This parameter displays detailed help and usage examples.

• -Online. This parameter opens a Web browser to the cmdlet documentation on the Microsoft website.

Windows PowerShell 3.0 includes the ability to download the latest help documents from Microsoft for
use locally. To do this, use the Update-Help cmdlet. Also new in Windows PowerShell 3.0 is the
Show-Command cmdlet. This helps PowerShell beginners interact with the input and output
options for a cmdlet by using a graphical interface.

The Get-Command cmdlet returns a list of all locally available cmdlets, functions, and aliases. You can use
it to discover new cmdlets by using wildcard searches. For example, to return a list of all cmdlets that
include VM in them, you could run Get-Command *VM*.

Using Windows PowerShell Modules
Windows PowerShell is designed to be extensible. Adding new cmdlets and functions in Windows
PowerShell 3.0 is performed in part through modules.

Note: In earlier versions of Windows PowerShell, extensibility was provided by using
snap-ins. For backward compatibility, Windows PowerShell 3.0 continues to support snap-ins.

Windows PowerShell uses the Microsoft.PowerShell.Management module, which provides basic
functionality. When you install additional roles on a server, additional Windows PowerShell modules are
installed and registered. For example, you install the Microsoft Hyper-V® Role and also choose to install
the Hyper-V module for Windows PowerShell. To manage Hyper-V from Windows PowerShell, you must
import the Hyper-V module into the Windows PowerShell session. To import the Hyper-V module, run the
following command:

Import-Module Hyper-V

Run the following command to list all modules that are imported:

Get-Module

It is not always necessary to manually import modules. For example, the Windows PowerShell module for
Exchange Server 2010 is automatically imported during product installation. However, if you cannot run
cmdlets for a specific Windows Role or application, it may indicate that you have to import the
appropriate Windows PowerShell module.

There are two basic module types:

• Binary. A binary module is created by using the .NET Framework and is frequently provided with
a product to provide Windows PowerShell support. Binary modules many times add cmdlets that
consist of noun or subject types that are newly created in the AD DS schema to support the product.
An example is the New-Mailbox cmdlet of Exchange Server 2010.

• Script. A script module is composed of Windows PowerShell cmdlets that already exist in the
environment. These scripts can provide additional functions and variables to automate repetitive or
tedious tasks. You may want to create your own module that includes functions or variables specific
to your environment as a timesaving or configuration management measure.

Additional Reading: Winndows PowerS Shell Modules


http
ps://msdn.micrrosoft.com/en--us/library/win
ndows/desktop p/dd878324(vv=vs.85).aspx

What Is Windows PowerShell Remoting?
The purpose of Windows PowerShell remoting is to connect to remote computers, to run commands on those computers, and to direct the results back to your local computer. This enables single-seat administration, or the ability to manage the computers on the network from the client computer, instead of having to physically visit each computer. A key goal of Windows PowerShell remoting is to enable batch administration, which lets you run commands on a whole set of remote computers concurrently.

There are three main ways to use remoting:

• One-to-One remoting. In this scenario, you connect to a single remote computer and run shell commands on it, exactly as if you had logged into the console and opened a Windows PowerShell window.

• One-to-Many remoting, or Fan-Out remoting. In this scenario, you issue a command that will be executed on one or more remote computers in parallel. You are not working with each remote computer interactively. Instead, your commands are issued and executed in a batch and the results are returned to your computer for your use.

• Many-to-One remoting, or Fan-In remoting. In this scenario, multiple administrators make remote connections to a single computer. Typically, those administrators will have different permissions on the remote computer and might be working in a restricted runspace within the shell. This scenario usually requires custom development of the restricted runspace and will not be covered further in this course.

Remoting requires both Windows PowerShell and Windows Remote Management (WinRM) utilities on your local computer and on any remote computers to which you want to connect. WinRM is a Microsoft implementation of Web Services for Management, or WS-MAN, which is a set of protocols that is widely adopted across different operating systems. As the name implies, WS-MAN and WinRM use web-based protocols. An advantage to these protocols is that they use a single, definable port. This makes them easier to pass through firewalls than older protocols that randomly selected a port. WinRM communicates by using the Hypertext Transfer Protocol (HTTP). By default, WinRM and Windows PowerShell remoting use TCP port 5985 for incoming connections that are not encrypted and TCP port 5986 for incoming encrypted connections. Applications that use WinRM, such as Windows PowerShell, can also apply their own encryption to the data that is passed to the WinRM service. WinRM supports authentication and, by default, uses the Active Directory native Kerberos protocol in a domain environment. Kerberos does not pass credentials over the network and it supports mutual authentication to ensure that incoming connections are coming from valid computers.

Establishing a One-to-One remoting session by using Windows PowerShell ISE is performed by clicking the New Remote PowerShell tab on the File menu. You can also establish a remote Windows PowerShell session by using the Enter-PSSession cmdlet. For example, to open a Remote PowerShell session on a computer named LON-SVR2, you would use the following syntax:

Enter-PSSession -ComputerName LON-SVR2

One-to-Many remoting is primarily performed by using the Invoke-Command cmdlet. To run the Get-EventLog cmdlet against the computers named LON-SVR1 and LON-SVR2, use the following command:

Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -ComputerName LON-SVR1, LON-SVR2

Note: Unlike in earlier versions, Windows Server 2012 has Windows PowerShell remoting and WinRM enabled by default.
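As an added example (not from the course text), the fan-out pattern above run over persistent sessions with basic connection error handling; the computer names LON-SVR1 and LON-SVR2 are the course's, everything else is assumed.

```powershell
# Added example, not course code: fan-out remoting over persistent PSSessions.
$Computers = 'LON-SVR1', 'LON-SVR2'

# New-PSSession opens one WinRM connection per computer (Kerberos by default in a domain).
# Failures are collected in $ConnErr instead of stopping the script.
$Sessions = New-PSSession -ComputerName $Computers -ErrorAction SilentlyContinue -ErrorVariable ConnErr
foreach ($e in $ConnErr) {
    Write-Warning "Could not connect: $($e.Exception.Message)"
}

if ($Sessions) {
    # Invoke-Command runs the script block on every session in parallel. Each object that comes
    # back is deserialized and carries a PSComputerName property identifying its origin.
    $Results = Invoke-Command -Session $Sessions -ScriptBlock {
        Get-EventLog -LogName System -Newest 5 |
            Select-Object TimeGenerated, EntryType, Source, EventID, Message
    }

    $Results |
        Sort-Object PSComputerName, TimeGenerated -Descending |
        Format-Table PSComputerName, TimeGenerated, EntryType, Source, EventID -AutoSize

    # A session can serve several Invoke-Command calls; close it when you are finished.
    Remove-PSSession -Session $Sessions
}
```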

What Is New in Windows PowerShell 3.0?
Windows PowerShell 3.0 has new features that facilitate managing larger groups of servers through better scaling, additional functionality, and better management. Windows PowerShell 3.0 includes the following new features:

• Windows PowerShell Workflow. This enables coordination of complex parallel and sequenced commands.

• Windows PowerShell Web Access. This feature enables encrypted and authenticated access to Windows PowerShell by using a Web browser on any device.

• Scheduled Jobs. This feature enables scheduling of Windows PowerShell commands and scripts to automatically run administrative tasks.

• Enhanced Online Help. You can now download the latest Help files from Microsoft by using the
Update-Help cmdlet and view the latest help online. This guarantees you are getting the latest
information about how to use Windows PowerShell.

• Windows PowerShell ISE Autosense. Windows PowerShell ISE provides hints for cmdlets, including
valid parameters that make it easier than ever to use Windows PowerShell.

• Robust Session Connectivity. These connections enable you to connect to a remote server and if
connectivity is lost or you intentionally disconnect, you can resume the connection at the point it was
disconnected. Previously, if connection to a session was lost, all the session data, variables, and
command history would be lost.

Lesson 2
Using Windows PowerShell 3.0 to Manage AD DS
Active Directory is the technology that many administrators spend most of their time using, completing day-to-day administrative tasks such as adding users and updating directory objects. With the number of Active Directory–focused cmdlets in Windows Server 2012, those administrators can save time and energy by using Windows PowerShell to automate many of their more time-consuming or repetitive tasks. Automation can also help improve security and consistency because it is less prone to repeated human error than manual administration. If you are already comfortable performing common Active Directory administrative tasks in other tools, you should quickly be able to learn to perform equivalent tasks in Windows PowerShell.
This lesson will help you understand the approach used by the Active Directory cmdlets. It will help you develop the skills that you must have to discover, explore, learn, and use other add-in commands, whether they are included with Windows Server 2012 or with another Microsoft or third-party software product.

Lesson Objectives
After completing this lesson, students will be able to:
• Describe the Active Directory modules for Windows PowerShell.

• Describe how to use variables.

• Describe how to use pipelines and scripts.

• Describe how to format output from a Windows PowerShell command.

• Describe how to create and run Windows PowerShell scripts.

• Describe how to use Windows PowerShell loops and conditional expressions.

• Manage AD DS with Windows PowerShell.

• Describe how to obtain the Windows PowerShell history information from Active Directory Administrative Center.

Using the Active Directory Module for Windows PowerShell
You may be comfortable managing AD DS by using the common graphical tools such as Active Directory Users and Computers. Another option that you may not be as comfortable with is the Windows PowerShell cmdlets. Using the AD DS cmdlets to perform common tasks will help you learn how to use Windows PowerShell.

The Active Directory PowerShell module included in Windows Server 2012 provides over 130 cmdlets for managing Active Directory objects such as computer and user accounts, groups, trusts, and policies.

Using Windows PowerShell Variables
Windows PowerShell enables you to retrieve, modify, and filter data from many different sources. In some cases, you may want to store data for comparison or use. For example, you may want to retrieve a list of the members of a particular security group and then modify the description field of each of the users. Variables are used to store and retrieve data in memory during a Windows PowerShell session. A variable always begins with a dollar ($) sign and can then be named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. Windows PowerShell variables are typed. This means that they are created to store a specific type of data, whether it is text, numbers, objects, time, arrays, or other defined object.

You can declare a variable in one of two ways, the first of which is using the Set-Variable cmdlet. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain by using the Set-Variable cmdlet, use the following command:

Set-Variable -Name ADDS -Value (Get-ADDomain)

You will notice you do not specify the $ symbol when you use the Set-Variable cmdlet to declare variables. The second way to create a variable is by declaring it, and then assigning a value to it. To do this, start the command with the name of the variable followed by an equal sign and then the command, commands, or value to assign. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain, use the following command:

$ADDS = Get-ADDomain

The $ADDS variable now holds a copy of the object output by the Get-ADDomain cmdlet. The output object takes on the type that is defined in the relevant class and the variable maintains that structure. You can now read and manipulate the variable similar to how you would a .NET object. To obtain information about the properties or to run methods, you can use dotted notation on the variable. For example, to determine the domain functional level reported by the DomainMode property of Get-ADDomain, you can use the following command:

> $ADDS.DomainMode
Windows2008R2Domain

You can also access methods or actions from a variable. For example, to determine the BaseType of $ADDS, you can use the GetType() method by running the following command:

> $ADDS.GetType().BaseType
Microsoft.ActiveDirectory.Management.ADPartition

When you use methods, you must follow the method with () to distinguish that it is a method and not a property. You can also use variables in calculations; for example, you can add the contents of two variables. To declare two variables and then add them together, use the following commands:

> $A = 1
> $B = 2
> $A + $B
3

When you use variables in calculations, make sure that they are typed correctly, because typing them incorrectly could lead to unexpected results. For example, notice what happens when variables are typed as string data instead of numbers:

> $C = "3"
> $D = "4"
> $C + $D
34

Instead of adding the two values numerically, they are concatenated together. When you mix types together, there is more potential for unexpected results because Windows PowerShell will automatically cast or convert some data types. For example, see how the data is cast in the following example:

> $A + $C
4
> $C + $A
31

In these examples, the type of the first variable is used to cast the other variables for the calculation. To better control how data is cast, you can specify the data type for each variable. To control how each variable is cast, see the following example (the cast binds to the variable that immediately follows it):

> [string] $A + $C
13
> [int] $C + $A
4

Additional Reading: about_Variables
http://technet.microsoft.com/en-us/library/dd347604.aspx

Question: How do you declare variables and assign values to them?

The Windows PowerShell Pipeline
Windows PowerShell is an object-based environment. This means that the input and outputs of the cmdlets are objects that can be manipulated. In some instances, you may want to take the output of one cmdlet and pass it to another cmdlet for additional actions. For example, when you have to enable all disabled AD DS accounts in the domain, you could manually list each user by using the Get-ADUser cmdlet. Then, by using Windows PowerShell, you can use the Enable-ADAccount cmdlet for each locked user account. To make this easier, you can directly pass the output data from one cmdlet into another cmdlet, which is called piping. Piping is performed by putting the pipe (|) character between cmdlets. Each cmdlet is executed from the left to the right, each passing its output to the next cmdlet in line. For example, you can get a list of all users in the domain and then pipe the list to the Enable-ADAccount cmdlet, by running the following command:

Get-ADUser -Filter * | Enable-ADAccount

Piping can be used extensively in Windows PowerShell, as it is in other shells. Windows PowerShell differs from typical shells because the data in the pipeline is an object instead of just simple text. Having an object in the pipeline enables you to easily persist all the properties of the returned data. The data in the pipeline is assigned to a special variable named $_ which only exists while the pipeline is executing. For example, if you want to enable accounts that are disabled, you can use the Where-Object cmdlet to return only accounts that are disabled. To do this, run the following command (Get-ADUser requires a -Filter, -Identity, or -LDAPFilter argument, so -Filter * is used to return every user):

Get-ADUser -Filter * | Where-Object {$_.Enabled -eq $false} | Enable-ADAccount

By piping an object with a list of all the users, you can use the Where-Object cmdlet to filter the accounts that are disabled based on the Enabled property of the account.

Note: This example is for teaching purposes only. It enables all the disabled accounts in the domain and should not be performed in a production environment because this may enable accounts that should remain disabled.

Options for Formatting Windows PowerShell Output
When you work with AD DS data, you may have to retrieve lists of users, computers, or groups and have to visualize the data by using a tool such as Microsoft Office Excel®, or you may have to view only the specific properties on screen. Windows PowerShell enables both such scenarios. First, formatting data for viewing on screen. There are several default cmdlets available to control how data is formatted. These cmdlets are described in the following table.

Cmdlet            Description

Format-List       This cmdlet outputs data in a list format with each property on its own line. You can specify the properties that you want displayed by using the -Property parameter. You can call this cmdlet by using the alias of FL. This cmdlet is useful when you view a small number of objects with a large number of properties.

Format-Table      This cmdlet outputs data in a table format with each property as its own column. You can specify the properties that you want displayed by using the -Property parameter. You can call this cmdlet by using the alias of FT. This cmdlet is useful when you view a large number of objects with a small number of properties.

Format-Wide       This cmdlet outputs data in a table format with only one property for each object. You can specify the property that you want displayed by using the -Property parameter and the number of columns to display the data by using the -Column parameter. You can call this cmdlet by using the alias of FW. This cmdlet is useful when you view a large number of objects and you only need to see one property for each object, such as the name.

Format-Custom     This cmdlet outputs data in a format previously defined by using a PS1XML file. The settings in this file can specify which properties to show and how to arrange and group them. You can call this cmdlet by using the alias of FC. This cmdlet is useful when you view data that you access frequently and have to customize which properties are shown.

Another set of cmdlets enable complex formatting and reporting. These are listed in the following table.

Cmdlet            Description

Measure-Object    This cmdlet takes the input object from the pipeline or variable and performs calculations on specified properties and on text in strings and files. Calculations include counting objects, determining the average, minimum, maximum, and sum of property values. It can also count the number of occurrences of words and characters in a file or string. It is used when you have to quickly calculate the number of users selected as part of a query or determine the memory a set of processes is using.

Select-Object     This cmdlet takes the input object from the pipeline or variable and outputs objects that have only the selected properties. It can also select a subset of items in each object by using the -First, -Last, -Unique, and -Index parameters, which is valuable when you work with large datasets.

Sort-Object       This cmdlet takes the input object from the pipeline or variable and sorts the data based on the selected properties. This is helpful when you have to provide a sorted list of data.

Where-Object      This cmdlet takes the input object from the pipeline or variable and then applies a filter that is based on a specified query. The queries used for filtering are enclosed in braces and include a comparison. This is helpful when you have to select specific types of data.

You can use all these cmdlets together to create customized output to the screen. You can also use Out-File to write the output to a text file, or Export-Csv to export the data as a comma separated values (CSV) file.
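An added example, not from the course, that combines the cmdlets from both tables into one report: it selects enabled users whose password never expires, counts them with Measure-Object, shows the oldest on screen with Format-Table, and writes the full set with Export-Csv. It assumes the ActiveDirectory module and a reachable domain; the output path is a placeholder.

```powershell
# Added example, not course code: report on accounts whose password never expires.
Import-Module ActiveDirectory

$ReportPath = 'C:\Reports\PasswordNeverExpires.csv'   # placeholder path, adjust as needed

# A server-side -Filter keeps the query cheap; -Properties requests attributes that
# Get-ADUser does not return by default.
$Accounts = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Description

# Measure-Object supplies the headline figure for the report.
$Count = ($Accounts | Measure-Object).Count
Write-Host "$Count enabled accounts have passwords that never expire."

# Select-Object trims the objects to the columns a reader needs; the calculated property
# turns PasswordLastSet into an age in days so Sort-Object can rank the oldest first.
$Report = $Accounts |
    Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate, Description,
        @{Label = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days }
        }} |
    Sort-Object PasswordAgeDays -Descending

# On screen: the ten oldest passwords as a table. On disk: every row, ready for Excel.
$Report | Select-Object -First 10 | Format-Table Name, SamAccountName, PasswordAgeDays, LastLogonDate -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```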

Creating and Running Windows PowerShell Scripts
You can perform complicated multi-step tasks by using a pipeline and multiple cmdlets. There may be times where you have to run multiple functions, make choices, wait for tasks to complete, or run the same code repeatedly. In these cases, you can use a Windows PowerShell script to put all the steps together. A script is a text-based file that includes at least one Windows PowerShell command and is saved with a .PS1 file name extension. Scripts can be created to take input from the command line, letting you customize how the script executes.

Execution Policy
By default, the execution policy does not enable Windows PowerShell scripts to be executed
automatically. This safeguards the computer from running unattended scripts without the
administrator knowing. There are four execution policies that can be set and are as follows:

• Restricted. This is the default policy for Windows Server 2012 and does not enable configuration
files to load, nor does it enable scripts to be run. The Restricted execution policy is perfect for any
computer for which you do not run scripts or for which you run scripts only rarely. (Be aware that
you could always manually open the shell with a less-restrictive execution policy.)
• AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher,
including scripts created on your local computer. This execution policy is useful for environments
where you do not want to accidentally run any script unless it has an intact, trusted digital signature.
This policy is less convenient because it requires you to digitally sign every script that you write, and
re-sign each script every time that you make any changes to it.

• RemoteSigned. This policy requires that all scripts and configuration files downloaded from the
Internet be signed by a trusted publisher. This execution policy is useful because it assumes that local
scripts are ones that you create yourself, and you trust them. It does not require those scripts to be
signed. Scripts that are downloaded from the Internet or received through e-mail, however, are
not trusted unless they carry an intact, trusted digital signature. You could definitely still run those
scripts—by running the shell under a lesser execution policy, for example, or even by signing the
script yourself—but those are additional steps that you have to take, so it is unlikely that you would
be able to run such a script accidentally or unknowingly.

• Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, you are warned about potential dangers and must grant permission
for the script to run. The Unrestricted execution policy is not usually appropriate for production
environments because it provides little protection against accidentally or unknowingly running
untrusted scripts.
• Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, the script will run without any warnings. This execution policy is not
usually appropriate for production environments because it provides no protection against
accidentally or unknowingly running untrusted scripts.

You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. To
configure the execution policy, you must open an elevated Windows PowerShell window and run the
Set-ExecutionPolicy cmdlet. After the execution policy is configured, you can run a script by typing in
the name of the script.
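An added example (not from the course) of the checks a defender makes before running a script: list the policy at each scope, inspect the script's Authenticode signature, and detect the downloaded-file mark that RemoteSigned acts on. The script path is a placeholder.

```powershell
# Added example, not course code: inspect execution policy and a script's signature state.
$ScriptPath = 'C:\Scripts\Get-LatestLogon.ps1'   # placeholder path

# The policy can be set at several scopes; the first scope from the top that is not
# Undefined is the one that applies, which Get-ExecutionPolicy (no -List) reports.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# AllSigned and RemoteSigned refuse scripts whose signature is missing or broken.
# Get-AuthenticodeSignature gives the same verdict without attempting to run the file.
$Sig = Get-AuthenticodeSignature -FilePath $ScriptPath
switch ($Sig.Status) {
    'Valid'        { "Signed by $($Sig.SignerCertificate.Subject); signature intact." }
    'NotSigned'    { 'No signature: RemoteSigned blocks this if the file is marked as downloaded.' }
    'HashMismatch' { 'Content changed after signing; the script must be reviewed and re-signed.' }
    'NotTrusted'   { 'Signed, but the signing certificate is not trusted on this computer.' }
    default        { "Signature status: $($Sig.Status)" }
}

# Files saved by a browser or mail client carry a Zone.Identifier alternate data stream,
# which is how RemoteSigned tells a downloaded script from a local one.
if (Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    'File is marked as downloaded from the Internet (Zone.Identifier stream present).'
    'After reviewing the content, Unblock-File removes the mark.'
}
```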

Simple Scripts
Scripts are text files that have a .PS1 file name extension. These files contain one or more commands
that you want the shell to execute in a particular order. You can edit scripts by using Notepad, but the
Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively,
obtain hints on the correct command syntax, and immediately see the results. You can then paste those
results into a script for long-term use. Or you can type your commands directly into a script, highlight
each command, and press F8 to execute only the highlighted command. If you are pleased with the
results, you save the script and you are finished. Generally, there are very few differences between what
you can do in a script and what you would do on the command line. Commands work in the same
manner in a script. This means that a script can just be created by pasting commands that you have
already tested at the command line. The following is a simple script in a text file that is named
Get-LatestLogon.ps1.

# This script returns the five users who most recently logged on to the domain.
Get-ADUser -Filter * -Properties lastLogon | `
Sort-Object -Property lastLogon -Descending | `
Select-Object -First 5 | `
Format-Table Name, `
@{Label="LastLogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} `
-AutoSize

Although this script contains a single pipeline statement, it is broken up by using the backtick (`) character. You can break up long lines of code by using the backtick character to make the script easier to read. Notice that the first line of this script starts with a hash mark (#). A line that begins with a hash mark will not be processed. Therefore, you can start a line with a hash mark and write notes and comments about the script. To run a script, you must type either the full or the relative path of the script. For example, to run the Get-LatestLogon.ps1 script, you can use either of the following options if the script is in your current directory or search path:

.\Get-LatestLogon.ps1
E:\ModXA\Democode\Get-LatestLogon.ps1

If the script name or path has spaces in it, you have to enclose the name in single or double quotation marks and precede the quoted name with an ampersand (&) character. The following example shows how to do this by using both the relative and a full path.

& '.\Get Latest Logon.ps1'
& 'E:\ModXA\Democode\Get Latest Logon.ps1'

Using Windows PowerShell Loops and Conditional Expressions
Advanced Windows PowerShell scripts may require repeating commands a certain number of times, until a specific condition is met, or only if a specific condition is met. These test conditions are defined by using comparison statements.

Boolean Comparisons
Test, or comparison, statements are used as test conditions for loops and conditional constructs. These typically compare either two or more objects or two or more property values, and are designed to result in a True or False value. These comparisons are frequently known as Boolean comparisons, because they can only result in one of the two Boolean values, True or False. When you design a Windows PowerShell script, Boolean comparisons are a common enough task: you might compare two computer names to see whether they are equal, or compare a performance counter value to a predetermined threshold value to see which of the two is greater. The comparison operators sit between the two items that you want to compare. You probably remember simple comparisons from grade school math, with comparisons like 10 > 4, 5 < 10, and 15 = 15. Windows PowerShell performs comparisons the same way, although it has its own syntax. Some common comparison operators are as follows:

• -eq. Equal to

• -ne. Not equal to

• -le. Less than or equal to

• -ge. Greater than or equal to

• -gt. Greater than

• -lt. Less than

Windows PowerShell defines two special variables for comparisons, $True and $False, which represent
the Boolean values true and false. If a comparison is true, the expression is evaluated as $True, and if the
comparison is not true, the expression is evaluated as $False. For example, the comparison 4 is greater
than 10 (4 -gt 10) will produce $False as its result, whereas 10 is equal to 10 (10 -eq 10) would produce
$True. Windows PowerShell enables you to execute comparisons right on the command line. Type your
comparison and press Enter to see the result of the comparison. The real value of Boolean
comparisons is shown when they are used in loops and conditional expressions.

There are several Windows PowerShell constructs that make use of Boolean comparisons to control the
execution of code in a script. These constructs are if, switch, for, while, and foreach.

The if Statement
The if statement can be used to execute a block of code if the specified criteria are met. The basic
functionality of an if statement is shown in the following example:

if (Boolean comparison)
{
Code to complete if test expression is true
}

Another option that allows for additional possibilities is using else and elseif statements. When you
want to execute special code if a condition exists, or execute other code if it does not exist, you can use
else. If there are additional conditions that you want to test for, you can use the elseif statement.
Consider the following example:

$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host $Admin.Name "has an address of" $Admin.StreetAddress
if ($Today.DayOfWeek -eq "Monday")
{
    Set-ADUser -Identity Administrator -StreetAddress "Headquarters"
}
elseif ($Today.DayOfWeek -eq "Thursday")
{
    Set-ADUser -Identity Administrator -StreetAddress "London Office"
}
else
{
    Set-ADUser -Identity Administrator -StreetAddress "Out of the Office"
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is" $Today.DayOfWeek "and" $Admin.Name `
    "is working from the" $Admin.StreetAddress

The switch Statement
The switch statement is closely related to how if/else statements work. The statement enables a single
condition statement to have multiple options for execution. The switch statement has the following
syntax:

switch (Value Testing)
{
    Value 1 { Code run if value 1 condition exists }
    Value 2 { Code run if value 2 condition exists }
    Value 3 { Code run if value 3 condition exists }
    default { Code run if no other condition exists }
}

Using the previous example, you can achieve the same functionality with less work as shown in this
example:

$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
# Write current settings to console
Write-Host $Admin.Name "has an address of" $Admin.StreetAddress
switch ($Today.DayOfWeek)
{
    "Monday"   { Set-ADUser -Identity Administrator -StreetAddress "Headquarters" }
    "Thursday" { Set-ADUser -Identity Administrator -StreetAddress `
                 "London Office" }
    default    { Set-ADUser -Identity Administrator -StreetAddress `
                 "Out of the office" }
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is" $Today.DayOfWeek "and" $Admin.Name `
    "is working from the" $Admin.StreetAddress

If a larger number of conditions have to be tested, the switch statement may be an easier option to use
and debug.

The for Loop
The for loop can be used to execute a block of code a specific number of times. This is useful when multiple
items have to be requested or created. The for statement syntax is as follows:

for (setup loop variables ; Boolean comparison ; action after each loop)
{
Code to complete while Boolean comparison is true
}

The for loop begins with settings to configure variables, the Boolean comparison, and an action to
complete after each loop. Consider the following example that creates five new computer accounts with
unique names using a for statement:

# Create a variable named $i and assign it a value of 1
# Execute the for loop for as long as $i is less than 6
# After each loop add 1 to the value of $i
for ($i = 1 ; $i -lt 6 ; $i++)
{
    # Create a variable with the name of the computer account
    $ComputerAcct = "LON-SRV" + $i
    New-ADComputer -Name $ComputerAcct
}

The while Loop

The while loop can be used to execute a block of code while a specific condition exists. It resembles the
for loop, except that it does not have built-in mechanisms to set up variables and actions to run after each
loop. This enables the while statement to continue executing until a condition is met instead of a set
number of times. The while statement syntax is as follows:

while (Boolean comparison)
{
Code to complete while Boolean expression is true
}

This script prints a random number on the screen until one of the random numbers is less than
50,000,000. The $i variable's value must be set before the while loop so that the condition is true the
first time it is evaluated and the loop body runs:

$i = 99999999999
while ($i -gt 50000000)
{
Write-Host "Random Value: " $i
$i = Get-Random
}

Also available is the do/while loop, which works just like the while loop except that the Boolean expression is
evaluated at the end of the loop instead of the beginning. This means that the code block in a do/while
loop is always executed at least one time. The value of $i does not have to be set before the do/while
loop because the condition is evaluated at the end of the loop. The following example shows a do/while loop:

do {
Write-Host "Random Value: " $i
$i = Get-Random
} while ($i -gt 50000000)

The foreach Statement

The foreach statement iterates through an array (collection), item by item, assigning a specifically named
variable to the current item of the collection. Then it runs the code block for that element.

foreach (item in collection)
{
Code to complete for each item in the collection.
}

Using the foreach statement can make batch modifications easier. Consider, for example, setting a
description for all users who are members of a specific group, as shown in the following example:

# Get a list of the members of the Domain Admins group
$DAdmins = Get-ADGroupMember "Domain Admins"
# Go through each member and set the Description
foreach ($user in $DAdmins)
{
Set-ADUser $user -Description "In the Domain Admins Group"
}
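As an added example that is not part of the course material, the following script combines the switch, while and foreach constructs described above in a single Active Directory task: it expands the membership of a privileged group (including nested groups) and reports user accounts whose password is older than a limit. The group name, the 90-day limit and the report path are assumptions.

```powershell
# Added example: audit the membership of a privileged group with while, foreach and switch.
# Assumes the ActiveDirectory module is available (RSAT or a domain controller).
Import-Module ActiveDirectory

$GroupName  = "Domain Admins"                    # assumed group to audit
$MaxPwdAge  = 90                                 # assumed maximum password age in days
$ReportPath = "C:\Reports\PrivilegedUsers.csv"   # assumed output location

# Work queue of groups still to expand; the while loop drains it until nothing is left.
$Queue = New-Object System.Collections.Queue
$Seen  = @{}     # distinguished names already processed (nested groups can form cycles)
$Users = @()     # user objects found in the group or any nested group

$Queue.Enqueue($GroupName)
while ($Queue.Count -gt 0)
{
    $Current = $Queue.Dequeue()
    foreach ($member in Get-ADGroupMember -Identity $Current)
    {
        if ($Seen.ContainsKey($member.DistinguishedName)) { continue }
        $Seen[$member.DistinguishedName] = $true

        # One switch decides what to do with each kind of member.
        switch ($member.objectClass)
        {
            "user"     { $Users += Get-ADUser -Identity $member.DistinguishedName `
                                     -Properties PasswordLastSet, Enabled }
            "group"    { $Queue.Enqueue($member.DistinguishedName) }
            "computer" { Write-Warning "$($member.Name) is a computer account in $Current" }
            default    { Write-Warning "Unexpected object class $($member.objectClass): $($member.Name)" }
        }
    }
}

# Classify every user that was found. PasswordLastSet is empty when the account must
# change its password at next logon; -1 is used as a sentinel for that case because a
# switch over $null would not run any branch.
$Today  = Get-Date
$Report = foreach ($user in $Users)
{
    $Age = if ($user.PasswordLastSet) { ($Today - $user.PasswordLastSet).Days } else { -1 }
    $Status = switch ($Age)
    {
        { $_ -lt 0 }          { "PasswordMustChange" }
        { $_ -gt $MaxPwdAge } { "PasswordTooOld" }
        default               { "OK" }
    }
    New-Object PSObject -Property @{
        SamAccountName  = $user.SamAccountName
        Enabled         = $user.Enabled
        PasswordAgeDays = $Age
        Status          = $Status
    }
}

$Report | Sort-Object Status | Format-Table SamAccountName, Enabled, PasswordAgeDays, Status -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```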

Demonstration: Managing AD DS by Using Windows PowerShell
In this demonstration, you will review how to manage users and groups in Windows PowerShell.

Demonstration Steps
1. Start and log on to LON-DC1. Log on as the domain administrator.

2. Open Windows PowerShell ISE as an administrator.

3. Refer to the demonstration script in virtual machine LON-DC1 at E:\ModXA\Democode\Managing Users and Groups.ps1.

Active Directory Administrative Center Integration with Windows PowerShell
Active Directory Administrative Center is built on Windows PowerShell technology. It provides
administrators the ability to perform enhanced data management by using a GUI. Using Active
Directory Administrative Center, you can perform the following tasks:

• Manage user and computer accounts

• Manage groups

• Manage organizational units (OUs)

• Build queries to filter Active Directory information

Because Active Directory Administrative Center is built on Windows PowerShell, it can expose the
Windows PowerShell commands that are used to interact with the GUI. These commands can be used to
learn Windows PowerShell, build Active Directory management scripts, and keep track of changes that are
made within the GUI.

Lesson 3
Managing Servers by Using Windows PowerShell 3.0
As you become familiar with Windows PowerShell, you can perform administrative and management tasks
with more ease. There are advanced features in Windows PowerShell 3.0 which let you manage a single
server from a local console and manage many servers from a remote location. The advanced features
include Windows PowerShell Web Access, Windows PowerShell jobs, and Windows PowerShell workflow.

This lesson introduces some more advanced features of Windows PowerShell 3.0 and discusses how you
might use the features to manage servers in your environment.

Lesson Objectives
After completing this lesson, students will be able to:
• Describe the need to use Windows PowerShell for managing servers.

• Describe how to configure and use Windows PowerShell Web Access.

• Describe Windows PowerShell jobs.

• Describe Windows PowerShell workflows and how they can be used.

• Manage a server by using Windows PowerShell 3.0.

Discussion: The Need for Windows PowerShell for Server Management
Windows PowerShell has many features that make it useful in both large and small environments.
Frequently the most difficult part of using Windows PowerShell is the starting point. Using Windows
PowerShell to perform tasks that you perform every day will help you become more comfortable and more
proficient in using it. Consider the following questions:

Question: Why use Windows PowerShell for server management?

Question: What tasks will you use Windows PowerShell to perform?

What Is Windows PowerShell Web Access?
Windows PowerShell Web Access is a new feature in Windows Server 2012 that provides a web-based
gateway to Windows PowerShell. This enables authorized users to administer a server without having
management tools directly installed on their client computer, or having to use Remote Desktop to connect
to the server. The administrator only has to configure a Windows PowerShell Web Access gateway, and
use a web browser to connect.

Windows PowerShell Web Access gateway requires the Web Server Internet Information Services (IIS)
role, the .NET Framework 4.5, and Windows PowerShell 3.0 to be installed. Many client types are
supported to access Windows PowerShell Web Access and still others are tested to work successfully. In
order to work, the web browser must allow cookies, support connecting to the gateway by using Secure
Sockets Layer (SSL), and also support JavaScript.

Installing Windows PowerShell Web Access Gateway
To install Windows PowerShell Web Access gateway:

1. Install the Windows PowerShell Web Access role.

2. Install an SSL certificate. An SSL certificate is required. A self-signed certificate can be created as part of
the configuration process; however, a trusted third-party certificate is recommended.

3. Create or configure an IIS site with the Windows PowerShell Web Access Gateway web application.
This can be configured by using Internet Information Services Manager or by using the
Install-PswaWebApplication cmdlet.

4. Configure Windows PowerShell Web Access authorization rules. By default, no one will be able to use
Windows PowerShell Web Access until at least one authorization rule is created. An authorization rule
defines which users and groups have access to specific cmdlets and which computers they can access
from the gateway. Authorization rules are added by using the Add-PswaAuthorizationRule cmdlet.
You can validate the functionality of the rules by using the Test-PswaAuthorizationRule cmdlet.
Authorization rules are, by default, stored in %windir%\Web\PowerShellWebAccess\data
\AuthorizationRules.xml.

5. Configure destination computer authentication and authorization rules. You must configure the
destination computer security settings to enable remote access from the gateway. As you assign
administrative permission to the target computers, we recommend assigning only the minimally
required permissions and setting the appropriate execution policy for your environment.

6. Configure additional security options. As in any environment, appropriate security best practices
should be followed. One example is installing and monitoring antivirus and anti-malware products
on all the servers. Additionally, password expiration, lockout, and complexity policies should also be
implemented.
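The following is an added example, not part of the course material, of step 4 above: it contrasts an authorization rule that opens the gateway to everyone with one scoped to a single group, a single target server and a named session configuration, and then checks the rule set with Test-PswaAuthorizationRule. The group ADATUM\HelpDesk, the user ADATUM\Alice and the rule name are assumptions.

```powershell
# Added example: scoping Windows PowerShell Web Access authorization rules.
# Assumes the WindowsPowerShellWebAccess feature is installed on the gateway
# and that the group ADATUM\HelpDesk and the server LON-SVR1 exist (assumed names).
Import-Module PowerShellWebAccess

# Weak setting: every user may reach every computer through every session
# configuration. Kept commented out; it is shown only as the pattern to avoid.
# Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *

# Scoped rule: one group, one destination server, the default session configuration.
# A user who is not in HelpDesk, or who asks for another server, gets no match.
Add-PswaAuthorizationRule -RuleName "HelpDesk-LON-SVR1" `
    -UserGroupName "ADATUM\HelpDesk" `
    -ComputerName "LON-SVR1" `
    -ConfigurationName "Microsoft.PowerShell"

# Review what is now stored in AuthorizationRules.xml.
Get-PswaAuthorizationRule |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize

# Evaluate the rules the way the gateway does (user, destination, configuration).
# A HelpDesk member connecting to LON-SVR1 should return the rule above...
Test-PswaAuthorizationRule -UserName "ADATUM\Alice" -ComputerName "LON-SVR1" `
    -ConfigurationName "Microsoft.PowerShell"

# ...while the same user asking for the domain controller should return nothing,
# because no rule names LON-DC1 as a destination.
Test-PswaAuthorizationRule -UserName "ADATUM\Alice" -ComputerName "LON-DC1" `
    -ConfigurationName "Microsoft.PowerShell"

# Rules are removed by Id (the Id column from Get-PswaAuthorizationRule).
# Remove-PswaAuthorizationRule -Id 0
```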

Using Windows PowerShell Web Access
To use Windows PowerShell Web Access, open a web browser and connect to the server by using
https://ServerName/pswa. The logon page lets you connect directly to the gateway, to another server on
the organization network, or to a custom URI. Using the optional connection settings on the logon page
you can specify one user account to log on to the gateway and specify another account to connect to the
server on the organization network. This is useful if the account authorized to connect to the gateway
does not have permissions on the internal server.

After you have established a Windows PowerShell session by using Windows PowerShell Web Access,
you can begin using Windows PowerShell cmdlets and executing scripts based on the execution policy
settings. Although most of the functionality is the same as using Windows PowerShell remoting, there are
some differences. For example, you cannot use some shortcut keys to interact with Windows PowerShell
Web Access such as Ctrl+C to copy data, or any of the function keys used for things such as command
history.

Additional Reading: Deploy Windows PowerShell Web Access
http://technet.microsoft.com/en-us/library/hh831611.aspx

What Are Windows PowerShell Jobs?
A Windows PowerShell background job runs a command or set of commands without interacting
with the current Windows PowerShell session. You can start a background job by using the Start-Job
cmdlet and then you can continue to work in the session. Using jobs can be useful when you
perform tasks that can take an extended time to complete. You can also use jobs to perform the
same task on several computers. The following example shows creating a new job on the local
computer:

Start-Job -ScriptBlock {Get-ADUser -Filter *}

You can see the status of the job by using the Get-Job cmdlet and use the Wait-Job cmdlet to wait
until the job is complete. If you have to remove a job that has not executed, you can do so with the
Remove-Job cmdlet. These jobs are run in the background so they do not return results to your Windows
PowerShell session. If you output data to the console in a background job, you can return those results by
using the Receive-Job cmdlet.

Windows PowerShell 3.0 introduced an improvement to background jobs, which are known as scheduled
jobs. These jobs can be triggered to start automatically or performed on a recurring schedule. When a
scheduled job is created it is stored on disk and then registered in Task Scheduler. When a scheduled job
is run, it creates an instance of the job that can then be managed by using the common job management
cmdlets. The only difference between scheduled jobs and background jobs is that scheduled jobs save
their results on disk.

Scheduled jobs are created by using the Register-ScheduledJob cmdlet. You can specify the ScriptBlock
parameter to run a Windows PowerShell command, or you can specify a script by using the FilePath
parameter. The following example shows how to register a scheduled job to run the Get-LastLogon.ps1
script.

Register-ScheduledJob -Name LastLogonJob -FilePath \\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1

To enable the scheduled job to run, a schedule or trigger must be defined. Triggers are created by using
the New-JobTrigger cmdlet. After creating a trigger, you can use the Add-JobTrigger cmdlet to add the
trigger to an already registered scheduled job, or assign the trigger when a new scheduled job is
registered. Triggers can be scheduled once, daily, weekly, at server startup, or when you log on. The
following example shows creating a trigger that runs every Monday and Friday at 9:00 AM and then
registers the new scheduled job together with the trigger:

$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledLastLogonJob -FilePath `
\\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1 -Trigger $Trigger

You can also use the Add-JobTrigger cmdlet to modify an existing scheduled job as shown in the
following example:

Add-JobTrigger -Name LastLogonJob -Trigger `
(New-JobTrigger -Daily -At 9:00AM)

Scheduled jobs can be used to automatically run tasks such as creating reports, verifying configuration
settings, performing user and group maintenance, and many others.
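As an added example that is not from the course material, the following script walks through the whole job life cycle described above for a recurring audit: a trigger, job options, registration, an immediate test run as a background job, collecting the results with Receive-Job, and clean-up. The job name, the schedule, the audit (locked-out accounts) and the report path are assumptions.

```powershell
# Added example: a scheduled audit job and the cmdlets used to manage it.
# Assumes the PSScheduledJob and ActiveDirectory modules are available.
Import-Module PSScheduledJob

$JobName    = "LockedOutAudit"               # assumed job name
$ReportPath = "C:\Reports\LockedOut.csv"     # assumed output location

# 1. Trigger: run every day at 06:00.
$Trigger = New-JobTrigger -Daily -At 6:00AM

# 2. Options: run with the elevated token and only when the network is available.
$Options = New-ScheduledJobOption -RunElevated -RequireNetwork

# 3. Register the job. The definition is saved on disk and a Task Scheduler task is created.
Register-ScheduledJob -Name $JobName -Trigger $Trigger -ScheduledJobOption $Options -ScriptBlock {
    Import-Module ActiveDirectory
    Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
}

# 4. Run the scheduled job immediately as a background job to verify that it works.
$Job = Start-Job -DefinitionName $JobName
Wait-Job -Job $Job | Out-Null

# 5. Collect the output. -Keep leaves a copy so it can be received again later.
$Result = Receive-Job -Job $Job -Keep
$Result | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} account(s) are currently locked out." -f @($Result).Count

# 6. Instances of scheduled jobs are saved on disk, so Get-Job also lists runs from
#    earlier sessions once the PSScheduledJob module is loaded.
Get-Job -Name $JobName | Format-Table Id, Name, State, PSBeginTime, PSEndTime -AutoSize

# 7. Clean up the finished instance; the definition stays registered until it is
#    unregistered explicitly.
Remove-Job -Job $Job
# Unregister-ScheduledJob -Name $JobName
```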

Introduction to Windows PowerShell Workflow
Windows PowerShell Workflow is a new feature in Windows PowerShell 3.0. It enables easy to use
workflows, or task sequences, within the familiar Windows PowerShell interface. A workflow can include
individual Windows PowerShell commands or complete scripts. The difference between a workflow and
perhaps an intricately designed script is that a workflow is designed to also be stopped, paused, and
resumed. The workflow can wait until steps successfully complete to continue to the next workflow step.
For example, you can create a workflow that makes changes to multiple computers and waits for them all
to restart before continuing to the next configuration step in the workflow.

Windows PowerShell workflows can be created by using a Windows PowerShell console, the Windows
PowerShell ISE, or by using Microsoft Visual Studio® Workflow Designer. Workflows created in Visual
Studio Workflow Designer are saved with a XAML file name extension. These workflows are imported
by using the Import-Module cmdlet.

Workflows are run as Windows PowerShell jobs. Therefore, you can use the same cmdlets to manage
running workflows as you do jobs. A workflow is created by using the following syntax:

Workflow WorkflowName { Commands to execute as part of the workflow }

After a workflow is created, it is executed in the same way as a cmdlet. Each workflow can be executed
with the parameters that are listed in the following table.

Parameter Description

-PSComputerName A list of target computers for the workflow to execute on

-PSRunningTimeoutSec Length of time to allow for the workflow to execute

-PSConnectionRetryCount Enable the workflow to retry connections several times

-PSPersist Toggles the workflow to checkpoint data and state after each activity

In a workflow, commands can be performed in a parallel or sequential manner. Commands that can
be run in parallel are identified by using the parallel keyword. Commands that must be performed
sequentially are identified by using the sequence keyword. The following example shows a workflow
with both keywords being used:

Workflow Get-DomainServerStats
{
# The following are executed in any order
Parallel
{
Get-Process
Get-ADUser -Filter *
# The following are executed sequentially
Sequence
{
Set-ADUser Administrator -Description "Updated content"
Get-ADUser Administrator -Properties Description
}
}
}

Windows includes a number of built-in workflows to configure multi-server deployments of Remote
Desktop Services, retrieve information about installed Windows roles, and restart servers. To view the
defined workflows, use the following command:

Get-Command -CommandType Workflow
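The following is an added example, not part of the course material, of a workflow that targets several servers at once: it uses foreach -parallel with a Sequence block per server, checkpoints its state, and is run as a job with the -AsJob and -PSPersist parameters so it can be managed with the job cmdlets. The workflow name, the server names and the service being restarted are assumptions.

```powershell
# Added example: a multi-server workflow with parallel execution and a checkpoint.
# Assumes WinRM is enabled on LON-SVR1 and LON-SVR2 (assumed names) and that the
# caller has administrative rights on them.
Workflow Restart-ServiceOnServers
{
    param([string[]] $Servers, [string] $ServiceName)

    # Each server is handled in parallel; inside the Sequence block the activities run
    # in order. -PSComputerName on an activity runs it on that remote computer.
    foreach -parallel ($Server in $Servers)
    {
        Sequence
        {
            $Before = Get-Service -Name $ServiceName -PSComputerName $Server
            Restart-Service -Name $ServiceName -PSComputerName $Server
            $After  = Get-Service -Name $ServiceName -PSComputerName $Server
            "{0}: {1} was {2}, now {3}" -f $Server, $ServiceName, $Before.Status, $After.Status
        }
    }

    # Persist the workflow state here so that a suspended or interrupted run resumes
    # after the restarts instead of repeating them.
    Checkpoint-Workflow

    # Code that needs the full PowerShell language runs inside InlineScript;
    # $Using: passes workflow variables into it.
    InlineScript {
        $Using:Servers | ForEach-Object { "Post-restart check recorded for $_" }
    }
}

# A workflow is invoked like a cmdlet. -AsJob returns a job object, and -PSPersist $true
# checkpoints after every activity; both are workflow common parameters.
$WfJob = Restart-ServiceOnServers -Servers "LON-SVR1","LON-SVR2" -ServiceName "W32Time" `
    -AsJob -PSPersist $true
Wait-Job -Job $WfJob | Out-Null
Receive-Job -Job $WfJob
```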

Demonstration: Managing a Server by Using Windows PowerShell 3.0

In this demonstration, you will review how to use Windows PowerShell Web Access and Windows
PowerShell jobs.

Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then log on to LON-DC1 as the
domain administrator.

2. Open Windows PowerShell Web Access at http://LON-DC1/pswa by using the following information:

o User name: Administrator

o Password: Pa$$w0rd

o Computer: LON-DC1

3. Start a new job to list all Active Directory users, by using the Start-Job cmdlet.

4. Obtain the status of the job by running Get-Job.

5. Create a new scheduled job by running the following commands, each followed by Enter:

$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM

Register-ScheduledJob -Name ScheduledJob1 -ScriptBlock {Get-ADUser -Filter * } `
-Trigger $Trigger

6. Run the scheduled job immediately by using the Start-Job cmdlet.



Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0
Scenario
As the A. Datum network grows in size and complexity, it is becoming increasingly apparent that some IT
management processes have to be streamlined. The number of users in the organization is increasing
quickly with users distributed in many locations. Servers are also being deployed in multiple data centers
and in private and public clouds. A. Datum is deploying most new servers as virtual servers in Hyper-V. A.
Datum has to ensure that both the host computers and virtual machines are managed consistently.

To address these server and AD DS management issues, you have to gain familiarity with Windows
PowerShell. You have to understand how to run simple and complex commands and how to create scripts
that will automate many of the regular management tasks.

Objectives
After completing this lab, you will be able to:

• Explore Windows PowerShell commands and tools.

• Manage AD DS by using Windows PowerShell.

• Manage local and remote servers by using Windows PowerShell.

Lab Setup

Estimated time: 30-60 minutes

Virtual Machine(s) 20417-LON-DC1
20417-LON-SVR1
20417-LON-SVR2

User Name Adatum\Administrator

Password Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2-4 for 20417A-LON-SVR1 and 20417A-LON-SVR2.



Exercise 1: Introduction to Windows PowerShell 3.0


Scenario
As a part of becoming familiar with the Windows PowerShell interface, you will explore the interface and
browse through the available cmdlets.

The main tasks for this exercise are as follows:

1. Use Windows PowerShell ISE to retrieve basic information about LON-DC1.

2. Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1.

3. Use a Remote Windows PowerShell session to install XPS Viewer on LON-SVR1.

X Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1. Start the following virtual machines: LON-DC1, LON-SVR1, and LON-SVR2.

2. On LON-DC1, open Windows PowerShell ISE as an administrator.

3. Retrieve a list of installed Windows features by using Get-WindowsFeature.

4. List the contents of the E:\ModXA\Democode directory by running Get-ChildItem E:\ModXA\Democode.

5. List the contents of C:\Windows, by running dir C:\Windows.

6. Use tab completion to find the correct cmdlet that begins with Get-Ex to see the execution policy
setting on LON-DC1.

X Task 2: Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1
1. If it is necessary, open Windows PowerShell ISE as an administrator.

2. Retrieve a list of services by running Get-Service.

3. Assign the results of Get-Service to the $Services variable.

4. Use the Get-Help cmdlet to view the examples of how to use Where-Object.

5. Use a pipeline to pipe the $Services variable to the Where-Object cmdlet to show only services that
have a status of stopped.

X Task 3: Use a Remote Windows PowerShell session to install XPS Viewer on LON-SVR1
1. If it is necessary, open Windows PowerShell ISE as an administrator and open a new remote
PowerShell tab.

2. Establish a Remote PowerShell session with LON-SVR1.

3. Retrieve a list of all installed Windows Features on LON-SVR1 by using Get-WindowsFeature.

4. Install XPS Viewer on LON-SVR1 by using Add-WindowsFeature.

5. Use command history to run Get-WindowsFeature and verify that XPS Viewer is installed.
6. Close the Remote PowerShell session.

Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.

Exercise 2: Managing AD DS by Using Windows PowerShell 3.0


Scenario
After you explore the Windows PowerShell interface and cmdlets, you want to explore the options and
cmdlets available in the Active Directory module for Windows PowerShell and begin to use it for basic
tasks such as formatting Windows PowerShell output, using variables and loops, and creating scripts.

The main tasks for this exercise are as follows:

1. Import the Active Directory PowerShell module and view the available cmdlets.

2. View options on how to create a report of users in the Active Directory domain.

3. Use a script to create new users in the domain by using a CSV-based file.

4. Create a script to modify the address of a user based on the day of the week.

X Task 1: Import the Active Directory PowerShell module and view the available
cmdlets
1. If it is necessary, open Windows PowerShell ISE as an administrator.

2. Import the Active Directory module by using the Import-Module cmdlet.

3. Use the Get-Command cmdlet to view the cmdlets available in the Active Directory module.

X Task 2: View options on how to create a report of users in the Active Directory
domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.

2. Use the Get-Command cmdlet to view the cmdlets available in the ActiveDirectory module.
3. Use Windows PowerShell to view a list of all users in the domain. Review how Format-List modifies
the formatting by running the following commands:

Get-ADUser -Filter * | Format-List

Get-ADUser -Filter * |
Format-List -Property GivenName, Surname

Get-ADUser -Filter * -Properties * | Format-List *

4. Use Windows PowerShell to view a list of all users in the domain. Review how Format-Table modifies
the formatting by running the following commands:

Get-ADUser -Filter * | Format-Table

Get-ADUser -Filter * |
Format-Table -Property GivenName, Surname

Get-ADUser -Filter * -Properties * | Format-Table

5. Use Windows PowerShell to view a list of all OUs in the domain. Review how Format-Wide modifies
the formatting by running the following commands:

Get-ADOrganizationalUnit -Filter * | Format-Wide

Get-ADOrganizationalUnit -Filter * |
Format-Wide -Column 3

6. Use Windows PowerShell to adjust the formatting of the users report. Review how the Sort-Object
cmdlet modifies the output, by running the following:

Get-ADUser -Filter * | Sort-Object | Format-Wide

Get-ADUser -Filter * | Sort-Object -Property ObjectGUID | Format-Wide -Property ObjectGUID

7. Run the following commands to see how to use the Measure-Object cmdlet:

Get-ADUser -Filter * | Measure-Object

X Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.

2. Use Notepad.exe to view E:\ModXA\Democode\LabUsers.csv. You will need to change the file type
to all files.

3. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\LabUsers.ps1

4. On line 13, modify the $OU variable to read: $OU = "ou=sales, dc=adatum,dc=com"
5. Run the LabUsers.ps1 script.

6. Use Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Adatum,DC=com" to confirm that Luka Abrus,
Marcel Truempy, Andy Brauninger, and Cynthia Cary were created.

X Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.

2. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\Using If Statements.ps1

3. Verify that line 9 reads:

$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
4. Review each section of the script and then run the script. Run the script a second time to view the
changes.

Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional loops to modify Active Directory properties.

Exercise 3: Managing Servers by Using Windows PowerShell 3.0


Scenario
Because of plans for remote server management, you want to explore possibilities to use Windows
PowerShell for remote management. You want to test remote connections in Windows PowerShell and
Windows PowerShell Web Access.

The main tasks for this exercise are as follows:

1. Install and configure Windows PowerShell Web Access.

2. Verify Windows PowerShell Web Access configuration.



X Task 1: Install and configure Windows PowerShell Web Access
1. Install Windows PowerShell Web Access on LON-DC1 by using the following command:

Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName LON-DC1 `
-IncludeManagementTools -Restart

2. Configure Windows PowerShell Web Access by running Install-PswaWebApplication -UseTestCertificate.

3. Create a Windows PowerShell Web Access Authorization Rule that only enables the administrator to
access the gateway by using the Add-PSWaAuthorizationRule.

X Task 2: Verify Windows PowerShell Web Access configuration


1. Open Internet Explorer and navigate to https://LON-DC1/pswa.

2. Sign in to Windows PowerShell Web Access by using the following information:

o User: Administrator

o Password: Pa$$w0rd

o Computer: LON-DC1

3. Verify that you can retrieve information from LON-SVR1 by retrieving the five newest System events.
Run the following command:

Get-EventLog System –Newest 5

4. Obtain the same information from LON-SVR2 and LON-DC1 by running the following command:

Invoke-Command -ScriptBlock { Get-EventLog Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2

Results: After this exercise, you will have performed one-to-many management of remote servers by using
Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by
using Windows PowerShell Web Access.

X To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state. To do this, perform the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR2 and 20417A-LON-DC1.



Module Review and Takeaways


Review Questions
Question: Which cmdlet will display the content of a text file?

Question: Which cmdlet will move a file to another directory?

Question: Which cmdlet will rename a file?

Question: Which cmdlet will create a new directory?

Question: Which cmdlet do you think would retrieve information from the event log?

Question: Which cmdlet do you think would start a stopped VM?

Best Practices
• Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This will
make you more comfortable with working with Windows PowerShell and will equip you for using it to
resolve more difficult problems.

• Save the commands that you have used to resolve problems in a script file for later reference.

• Use Windows PowerShell ISE to help write scripts and ensure you have the correct syntax.

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip

Administrators cannot find the correct Windows PowerShell cmdlet for a task.

Administrator cannot connect to a server by using remote Windows PowerShell.

Get-Help does not provide any help for cmdlets.

An administrator is new to Windows PowerShell and is uncomfortable with the command line.

Tools
You can use the tools in the following table to work with Windows PowerShell.

Tool | Description

Windows PowerShell Integrated Script Editor (ISE): Windows PowerShell ISE provides a simple, yet
powerful interface to create and test scripts, and discover new cmdlets.

Microsoft Visual Studio Workflow Designer: This is a development tool that is used to create Windows
PowerShell workflows.

Powershell.exe: This is the Windows PowerShell executable.

Active Directory Administrative Center: This tool enables you to perform common Active Directory
management tasks such as creating and modifying user and computer accounts. All the changes that you
make by using this management tool are logged in the Windows PowerShell History pane.

Real-world Issues and Scenarios


Many common tools can be replaced with Windows PowerShell cmdlets. The following table gives some
examples of common commands that can be replaced with Windows PowerShell cmdlets in Windows
Server 2012.

Old Command Windows PowerShell Equivalent

ipconfig /a Get-NetIPConfiguration

Shutdown.exe Restart-Computer

Net Start Start-Service (Restart-Service)

Net Stop Stop-Service (Restart-Service)

Net Use New-SmbMapping

Netstat Get-NetTCPConnection

Netsh advfirewall add New-NetFirewallRule

Route Print Get-NetRoute



Module 4
Managing Storage for Windows Server 2012
Contents:
Module Overview 4-1

Lesson 1: New Features in Windows Server 2012 Storage 4-2

Lesson 2: Configuring iSCSI Storage 4-12

Lesson 3: Configuring Storage Spaces in Windows Server 2012 4-18

Lab A: Managing Storage for Servers Based on Windows Server 2012 4-23

Lesson 4: Configuring BranchCache in Windows Server 2012 4-25

Lab B: Implementing BranchCache 4-36


Module Review and Takeaways 4-40

Module Overview
Storage space requirements have been increasing ever since the invention of server-based file shares. The
Windows Server® 2012 and Windows® 8 operating systems include two new features to reduce the disk
space that is required and to effectively manage physical disks: data deduplication and storage spaces.
This module provides an overview of these features and explains the steps required to configure them.

Another concern in storage is the connection between the servers and the remote disks. Internet small
computer system interface (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps
create a connection between the servers and the storage. To implement iSCSI storage in Windows Server
2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement iSCSI-based storage. Also,
in organizations that have branch offices, you have to consider slow links and how to use these links
efficiently when data is sent between your offices. The BranchCache feature in Windows Server 2012 helps
address the problem of slow connectivity. This module explains the BranchCache feature and the steps to
configure BranchCache.

Objectives
After completing this module, you will be able to:

• Describe the new features in Windows Server 2012 storage.

• Configure iSCSI storage.

• Configure storage spaces.

• Configure BranchCache.
Lesson 1
New Features in Windows Server 2012 Storage
The storage demand on servers is ever-increasing, and storage comprises a larger part of an IT
department's budget. Larger volumes are required on flexible disks that can be added or removed
dynamically. Windows Server 2012 includes changes to the storage area that will help administrators to
ease the management of physical disks and provide technologies to reduce disk space consumption.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the File and Storage Services in Windows Server 2012.

• Describe the data deduplication process.

• Configure data deduplication.

• Describe the capabilities of thin provisioning and trim storage.

• Describe the new features in File Server Resource Manager.

• Describe basic and dynamic disks.

• Describe Resilient File System (ReFS) and its advantages.

• Describe removed and deprecated features.

File and Storage Services in Windows Server 2012
File and Storage Services includes technologies that help you set up and manage one or more file
servers. File servers are servers that act as central locations on the network where you can store files
and optionally, share them with users.

Windows Server 2012 offers the following new file and storage services features:

• Multiterabyte volumes. You can use this feature to deploy multiterabyte NTFS file system volumes,
which support consolidation scenarios and maximize storage use. The Chkdsk tool introduces a new
approach that prioritizes volume availability and allows for the detection of corruption while the
volume remains online with data available.

• Data deduplication. You can use this feature to save disk space by storing a single copy of identical
data on the volume.

• iSCSI target server. You can use this feature to provide block storage to other servers and
applications on the network by using the iSCSI standard.

• Storage spaces and storage pools. You can use this feature to virtualize storage by grouping
industry-standard disks into storage pools, and then create storage spaces from the available capacity
in the storage pools.
• Unified remote management of File and Storage Services in Server Manager. You can use this feature
to remotely manage multiple file servers, including their role services and storage, all from a single
window.

• Windows PowerShell® cmdlets for File and Storage Services. You can use the Windows PowerShell
cmdlets for performing most administration tasks for file and storage servers.

Additional Reading: File and Storage Services overview
http://technet.microsoft.com/en-us/library/hh831487(d=lightweight,v=ws.11)

Question: Are you currently implementing volumes that are 10 terabytes or larger? What are
the problems with volumes of that size?
What Is Data Deduplication?
Data deduplication is a role service of Windows Server 2012. Data deduplication identifies and
removes duplications within data without compromising its integrity, to achieve the ultimate goal of
storing more data while concurrently using less physical disk space. Data integrity and recoverability
are maintained in a process that involves evaluating checksum results and other algorithms. Data
deduplication is highly scalable, resource efficient, and nonintrusive. It can run on dozens of large
volumes of primary data concurrently without affecting other workloads on the server. Low impact on
the server workloads is maintained by throttling the CPU and memory resources that are consumed. Using
data deduplication jobs, you can schedule when data deduplication should run, specify the resources to
deduplicate, and tune file selection.

When combined with BranchCache, the same optimization techniques are applied to data that is
transferred over the wide area network (WAN) to a branch office. This results in faster file download
times and reduced bandwidth consumption.

Volume Requirements for Data Deduplication
After the feature is installed, you can enable data deduplication on a per-volume basis. Each volume
must meet the following requirements:

• Volumes must not be a system or boot volume. Deduplication is not supported on volumes where the
operating system is installed.

• Volumes may be partitioned by using master boot record (MBR) or GUID partition table (GPT) format,
and must be formatted by using the NTFS file system. The new Resilient File System (ReFS) file system
is not supported for use on a data deduplication volume.

• Volumes must be exposed to Windows as non-removable drives, that is, no USB or floppy drives.

• Volumes can be on shared storage, such as a Fibre Channel or Serial Attached SCSI (SAS) array, or an
iSCSI storage area network (SAN).

• Cluster Shared Volumes (CSV) volumes are not supported.


The Data Deduplication Process


When you enable data deduplication on a volume, a background task runs with low-priority that
processes the files on the volume. That is, the background task segments all file data on the volume into
small, variable sized chunks (32 to 128 KB). Then, it identifies chunks that have one or more duplicates on
the volume. All duplicate chunks are then replaced (erased from disk) with a reference to a single copy of
that chunk. Finally, all remaining chunks are compressed so that even more disk space is saved.

When to Use Data Deduplication


Data deduplication is designed to be installed on primary (and not logically extended) data volumes
without adding any additional dedicated hardware. You can install and use the feature without affecting
the primary workload on the server. The default settings are non-intrusive: a file is only processed
after it has gone unmodified for the minimum file age, which is five days by default in Windows Server
2012 (the MinimumFileAgeDays setting). The implementation is designed for low memory and CPU priority.
However, if memory use becomes high, deduplication backs off and waits for available resources. You can
schedule deduplication based on the type of data involved and the frequency and volume of changes that
occur to the volume or particular file types.

You should consider using deduplication for the following areas:

• File shares. This includes group content publication or sharing, user home folders, and profile
redirection (offline files). You may be able to save approximately 30–50 percent disk space.
• Software deployment shares. This includes software binaries, images, and updates. You may be able to
save approximately 70–80 percent space.

• Virtual hard disk (VHD) libraries. This includes VHD file storage for provisioning to hypervisors. You
may be able to save approximately 80–95 percent space.

Note: Use the deduplication evaluation tool (DDPEval.exe) to analyze a volume and estimate the
savings that you would get by enabling deduplication. This utility is installed to
%SystemRoot%\System32\ of the local computer when the Data Deduplication role service is installed,
and it can also be pointed at a share on another server to evaluate data that has not yet been moved
to Windows Server 2012.

When data deduplication is enabled, and the data is optimized, the volume contains the following:

• Unoptimized files. These are skipped files, for example, system state files, encrypted files, files
with extended attributes, files smaller than 32 KB, and files that are not yet old enough to be in
policy.

• Optimized files. These are stored as reparse points that contain pointers to the respective chunks in
the chunk store that are needed to rebuild the file.

• Chunk store. This is the optimized file data, kept in the System Volume Information folder of the
volume.

Additional Reading:
Data Deduplication Overview
http://technet.microsoft.com/en-us/library/hh831602
Introduction to Data Deduplication in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-to-data-deduplication-in-
windows-server-2012.aspx

Question: On which of your shares can you use data deduplication?


Demonstration: Configuring Data Deduplication
In this demonstration, you will see how to add the data deduplication role service and enable data
deduplication on drive E.

Demonstration Steps
Add the Data Deduplication role service

1. Log on to LON-DC1 with a username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features
to the local server and accept the default values:

   o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication

Enable Data Deduplication on E: Drive
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click Volumes.

2. In the Volumes pane, right-click E:, and select Configure Data Deduplication.

3. Configure data deduplication with the following settings:

   o Enable data deduplication: Enabled

   o Deduplicate files older than (in days): 3

   o Set Deduplication Schedule: Enable throughput optimization

   o Start time: current time
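
The following script is an added example and is not part of the course material. It covers two passages above: it first checks a volume against the requirements listed under "Volume Requirements for Data Deduplication", and then performs the demonstration from Windows PowerShell (install the role service, evaluate savings, enable deduplication on E: with a three-day minimum file age, and schedule throughput optimization). The excluded folder path, schedule window and job name are assumptions.

```powershell
# Added example (not from the course): requirement check plus the PowerShell form of the
# demonstration. Drive letter E, the excluded folder and the schedule are assumptions.

function Test-DedupVolumeRequirements {
    param([Parameter(Mandatory)][string]$DriveLetter)

    $vol  = Get-Volume    -DriveLetter $DriveLetter -ErrorAction Stop
    $part = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    $problems = @()

    # must not be the system or boot volume
    if ($part.IsSystem -or $part.IsBoot) { $problems += 'system or boot volume' }
    # NTFS only; ReFS is not supported for deduplication in Windows Server 2012
    if ($vol.FileSystem -ne 'NTFS') { $problems += "file system is $($vol.FileSystem), not NTFS" }
    # must be exposed as a fixed (non-removable) drive
    if ($vol.DriveType -ne 'Fixed') { $problems += "drive type is $($vol.DriveType), not Fixed" }
    # Cluster Shared Volumes are mounted under C:\ClusterStorage without a drive letter,
    # so anything reachable through a drive letter is, by construction, not a CSV volume.

    [pscustomobject]@{
        Volume   = "$DriveLetter`:"
        Eligible = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

$check = Test-DedupVolumeRequirements -DriveLetter 'E'
if (-not $check.Eligible) { throw "E: is not eligible for deduplication: $($check.Problems)" }

# Role service; this also installs DDPEval.exe under %SystemRoot%\System32
Install-WindowsFeature -Name FS-Data-Deduplication

# Estimate the saving before committing to it
& "$env:SystemRoot\System32\ddpeval.exe" 'E:\'

# Enable, then tune: files untouched for 3 days are in policy; a live database folder is excluded
Enable-DedupVolume -Volume 'E:'
Set-DedupVolume -Volume 'E:' -MinimumFileAgeDays 3 -ExcludeFolder 'E:\Databases'

# Throughput optimization: a scheduled, higher-priority job outside business hours
New-DedupSchedule -Name 'NightlyOptimization' -Type Optimization -Start '22:00' -DurationHours 6 `
    -Days Monday,Tuesday,Wednesday,Thursday,Friday -Priority High

# Run a first optimization now and report what it saved
Start-DedupJob -Volume 'E:' -Type Optimization -Wait
Get-DedupStatus -Volume 'E:' |
    Format-List Volume, InPolicyFilesCount, OptimizedFilesCount, SavedSpace, SavingsRate
```

Get-DedupStatus is the check to keep an eye on afterwards: SavedSpace and SavingsRate should grow as files age into policy, and a volume that reports zero optimized files after the schedule has run usually means the minimum file age or an exclusion is wider than intended.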

What Are Thin Provisioning and Trim Storage?
Windows Server 2012 introduces two new storage concepts. They are:

• Thin provisioning. This is a functionality that you can use to allocate storage space on a
just-in-time basis and is available with storage spaces or virtual disks. Using traditional disk
provisioning methods, a volume would immediately consume all the disk space it was sized for. For
example, a 2 GB volume would occupy 2 GB of disk space. Even if the data inside that volume is less than
2 GB, that entire storage amount is reserved on the disk. Similar to a dynamically expanding VHD, a
virtual disk configured as thin provisioning would only use the space from a storage pool on an
as-needed basis. The virtual disk is only allocated space on the volume as data is added. This also lets
you create virtual disks that have a larger maximum size than the free space in the storage pool. For
example, with thin provisioning, you can create a 1 terabyte virtual disk even though your storage pool
only has 500 GB of free space available. The trade-off is that the pool is overcommitted: if the pool
runs out of physical capacity, the thin virtual disk is taken offline until capacity is added, so
monitor pool usage and act on the threshold events described below.

• Trim storage. This is a functionality that you can use to reclaim storage that is no longer needed.
The file system can inform an underlying physical storage device that the contents of specified sectors
are no longer important. Therefore, these sectors can be used by another volume in a storage pool. Trim
requests to a mounted VHD or inside Hyper-V® are now propagated to the underlying storage device.

Thin provisioning and trim storage are available by default in Windows Server 2012; no feature or role
has to be installed.

Thin provisioning and trim storage in Windows Server 2012 provide the following capabilities:

• Identification. Windows Server 2012 uses a standardized method to detect and identify thinly
provisioned virtual disks, thereby enabling additional capabilities delivered by the storage stack. The
storage stack is provided in the operating system and is available through storage management
applications.

• Notification. When the configured physical storage use thresholds are reached, Windows Server 2012
notifies the administrator through events. This enables the administrator to take appropriate action as
soon as possible. These events can also start automated actions from sophisticated management
applications, such as Microsoft System Center.

• Optimization. Windows Server 2012 provides a new API that enables applications to return storage when
it is no longer needed. NTFS issues trim notifications in real time, when appropriate. Additionally, trim
notifications are issued as part of storage consolidation (optimization), which is performed regularly
on a scheduled basis.

Additional Reading: Thin Provisioning and Trim Storage Overview
http://technet.microsoft.com/en-us/library/hh831391.aspx
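
The following script is an added example and is not part of the course material. It shows thin provisioning and trim as described above on a storage space: a 1 TB thin virtual disk is created in a pool that may hold far less, a helper reports promised versus actually allocated capacity, and a retrim after deleting data hands the freed blocks back to the pool. The pool name, virtual disk name, drive letter T and the test file are assumptions; the script needs at least two disks that are not yet in use.

```powershell
# Added example (not from the course): thin-provisioned mirror space, allocation reporting and retrim.
# Pool1, ThinData, drive letter T and the 256 MB test file are assumptions.

$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 2) { throw 'Need at least two poolable disks for a mirror space' }

New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName 'Storage Spaces*' `
    -PhysicalDisks $poolable | Out-Null

# 1 TB thin mirror: capacity is drawn from the pool only as data is written, so the
# virtual disk may be larger than the whole pool (overcommitted)
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'ThinData' `
    -Size 1TB -ProvisioningType Thin -ResiliencySettingName Mirror | Out-Null

Get-VirtualDisk -FriendlyName 'ThinData' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter T |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ThinData' -Confirm:$false | Out-Null

function Get-ThinUsage {
    # Size is what the virtual disk promises; AllocatedSize is what it has really taken from the pool
    $vd   = Get-VirtualDisk -FriendlyName 'ThinData'
    $pool = Get-StoragePool -FriendlyName 'Pool1'
    [pscustomobject]@{
        DiskSizeGB      = [math]::Round($vd.Size / 1GB)
        DiskAllocatedGB = [math]::Round($vd.AllocatedSize / 1GB)
        PoolSizeGB      = [math]::Round($pool.Size / 1GB)
        PoolAllocatedGB = [math]::Round($pool.AllocatedSize / 1GB)
        PoolFreeGB      = [math]::Round(($pool.Size - $pool.AllocatedSize) / 1GB)
        Overcommitted   = ($vd.Size -gt $pool.Size)
    }
}

Get-ThinUsage          # before any data: DiskAllocatedGB is small, Overcommitted is True

# Write real data (random bytes, so nothing is skipped as zero), then delete it
$buf = New-Object byte[] 256MB
(New-Object System.Random).NextBytes($buf)
[System.IO.File]::WriteAllBytes('T:\fill.bin', $buf)
Get-ThinUsage          # DiskAllocatedGB and PoolAllocatedGB have grown
Remove-Item 'T:\fill.bin'

# Retrim: NTFS tells the space which sectors are free so the pool can reuse them.
# Without this step the allocation stays where it was even though the file is gone.
Optimize-Volume -DriveLetter T -ReTrim -Verbose
Get-ThinUsage
```

Compare the two Get-ThinUsage reports around the retrim; the pool's AllocatedSize is the number to alert on, because it is the pool running out, not the volume filling up, that takes a thin space offline.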

What's New in File Server Resource Manager?
You can use the File Server Resource Manager to manage and classify data that is stored on file
servers. File Server Resource Manager includes the following features:

• File classification infrastructure. This feature automates the data classification process. You can
dynamically apply access policies to files based on their classification. Example policies include
Dynamic Access Control for restricting access to files, file encryption, and file expiration. You can
classify files automatically by using file classification rules, or manually by modifying the
properties of a selected file or folder.

• File management tasks. You can use this feature to apply a conditional policy or action to files,
based on their classification. The conditions of a file management task include the file location, the
classification properties, the date the file was created, the last modified date of the file, or the
last time that the file was accessed. The actions that a file management task can take include the
ability to expire files, encrypt files, or run a custom command.

• Quota management. You can use this feature to limit the space allowed for a volume or folder.
Quotas can be automatically applied to new folders that are created on a volume. You can also define
quota templates that you can apply to new volumes or folders.

• File screening management. You can use this feature to control the types of files that users can store
on a file server. You can limit the extension that can be stored on your file shares. For example, you
can create a file screen that does not enable files that have an MP3 extension to be stored in personal
shared folders on a file server.

• Storage reports. You can use this feature to identify trends in disk usage and how your data is
classified, and monitor attempts by a selected group of users to save unauthorized files.

You can configure and manage the File Server Resource Manager by using the File Server Resource
Manager Microsoft Management Console (MMC) console or by using Windows PowerShell.
The following features of the File Server Resource Manager are new and are added in Windows Server
2012:

• Dynamic Access Control. Dynamic Access Control uses file classification infrastructure to help you
centrally control and audit access to files on your file servers.

• Manual classification. Manual classification enables users to classify files and folders manually without
the need to create automatic classification rules.

• Access-denied assistance. You can use access-denied assistance to customize the access denied error
message that users see in Windows 8 when they do not have access to a file or a folder, and
optionally let them request access from the folder owner or the administrator.
• File management tasks. The updates to file management tasks include Active Directory® Rights
Management Services (AD RMS) file management tasks, continuous file management tasks, and
dynamic namespace for file management tasks.
• Automatic classification. The updates to automatic classification enable you to get more precise
control on how data is classified on your file servers, including continuous classification, using
Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic
namespace for classification rules.

Additional Reading: What's new in File Server Resource Manager


http://technet.microsoft.com/en-us/library/hh831746.aspx

Question: Are you currently using the File Server Resource Manager in Windows Server 2008
R2? If yes, what areas do you use it for?
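
The following script is an added example and is not part of the course material. It drives the quota, file screening, access-denied assistance and storage report features described above from the FileServerResourceManager cmdlets that replace dirquota.exe, filescrn.exe and storrept.exe. The share path, the 10 GB limit, the blocked file types, the message text and the report schedule are assumptions.

```powershell
# Added example (not from the course): FSRM quotas, file screens, access-denied assistance
# and a scheduled storage report. E:\Shares\Users and all limits and texts are assumptions.

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

$sharePath = 'E:\Shares\Users'   # assumed home-folder share root
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# Quota template: 10 GB hard limit with an event log warning at 85 percent,
# auto-applied to every new subfolder created under the share
$warn = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] has reached [Quota Threshold]% of the quota on [Quota Path]'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warn
New-FsrmQuotaTemplate -Name 'Home folder 10 GB' -Size 10GB -Threshold $threshold | Out-Null
New-FsrmAutoQuota -Path $sharePath -Template 'Home folder 10 GB' | Out-Null

# Active file screen: saving a matching file name is refused and logged.
# A screen matches the name only, not the content, so it stops accidental use, not a
# determined user who renames the file; treat it as hygiene, not as an access control.
New-FsrmFileGroup -Name 'Home folder blocked types' `
    -IncludePattern @('*.exe', '*.scr', '*.bat', '*.cmd', '*.ps1', '*.mp3') | Out-Null
$screenNote = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] attempted to save [Source File Path] to [File Screen Path]'
New-FsrmFileScreen -Path $sharePath -IncludeGroup 'Home folder blocked types' `
    -Active -Notification $screenNote | Out-Null

# Access-denied assistance: the text Windows 8 clients see, plus a request-access option
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true -AllowRequests $true `
    -DisplayMessage 'You do not have access to this folder. Use Request assistance or contact the owner.'

# Weekly large-file report over the share, in place of storrept.exe
$weekly = New-FsrmScheduledTask -Time '02:00' -Weekly Sunday
New-FsrmStorageReport -Name 'Users large files' -Namespace $sharePath -ReportType LargeFiles `
    -Schedule $weekly -LargeFileMinimum 500MB | Out-Null

# Review what is now in force
Get-FsrmAutoQuota -Path $sharePath | Format-List Path, Template
Get-FsrmFileScreen -Path $sharePath | Format-List Path, IncludeGroup, Active
Get-FsrmAdrSetting -Event AccessDenied | Format-List Enabled, AllowRequests, DisplayMessage
```

The event actions write to the Application log on the file server; forward those events to your monitoring system if you want screen violations and quota thresholds to be visible outside the server.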
What Are Basic and Dynamic Disks?
Windows Server 2012 continues to support basic disks and dynamic disks.

Basic Disk
Basic storage uses typical partition tables supported by MS-DOS, and all versions of the Windows
operating system. A disk initialized for basic storage is called a basic disk. A basic disk contains
basic partitions, such as primary partitions and an extended partition. An extended partition can be
subdivided into logical drives.

By default, when you initialize a disk in Windows, the disk is configured as a basic disk. Basic disks
can easily be converted to dynamic disks without any loss of data. However, when you convert a dynamic
disk to a basic disk, all data on the disk will be lost.

Some applications, such as the storage spaces feature in Windows Server 2012, cannot use dynamic disks.
In addition, there is no performance gain by converting basic disks to dynamic disks. For these reasons,
most administrators do not convert basic disks to dynamic disks unless they have to use some additional
volume configuration options available with dynamic disks.

Dynamic Disk
Dynamic storage has been supported since the Windows 2000 operating system, although not in every
client edition (for example, Windows XP Home Edition does not support dynamic disks). A disk initialized
for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic
storage, you can perform disk and volume management without the need to restart Windows.

When you configure dynamic disks, you create volumes instead of partitions. A volume is a storage unit
made from free space on one or more disks. It can be formatted with a file system and can be assigned a
drive letter or configured with a mount point.

The dynamic volumes include:

• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a
disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk
or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned
volume.

• Spanned volumes. A spanned volume is created from free disk space that is linked from multiple disks.
You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is
not fault-tolerant. Therefore, if you lose one disk, you lose the whole spanned volume.

• Striped volumes. A striped volume is a volume whose data is spread across two or more physical disks.
The data on this type of volume is allocated alternately and evenly to each of the physical disks. A
striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning that the loss of
one disk will cause the loss of data immediately. Striping is also known as redundant array of
independent disks (RAID)-0.

• Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All the data on one volume is copied to another disk to provide data redundancy. If one
of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be
extended. Mirroring is also known as RAID-1.

• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum of
three disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also
striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on
that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be
mirrored or extended.

Required Disk Volumes
Regardless of which type of disk you use, you must configure a system volume and a boot volume on one
of the hard disks in the server:

• System volumes. The system volume contains the hardware-specific files that are needed to load
Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not have to
be, the same as the boot volume.

• Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the
same as the system volume.

Note: When you install the Windows 8 operating system or Windows Server 2012 in a clean installation, a
separate system volume is created to enable encrypting the boot volume by using BitLocker®.

Additional Reading:
How Basic Disks and Volumes Work
http://go.microsoft.com/fwlink/?LinkID=199648
Dynamic Disks and Volumes
http://go.microsoft.com/fwlink/?LinkID=199649

What Is the Resilient File System?
Resilient File System (ReFS) is a new file system provided in Windows Server 2012. ReFS reuses much of
the upper-layer engine of NTFS (the file system API and semantics) on top of a new on-disk storage
engine, and provides the following advantages:

• Metadata integrity with checksums

• Integrity streams providing optional user data integrity

• Allocate-on-write transactional model for robust disk updates (also known as copy on write)

• Large volume, file, and directory sizes

• Storage pooling and virtualization, making file system creation and management easy

• Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance

• Disk scrubbing for protection against latent disk errors

• Resiliency to corruptions with salvage for maximum volume availability in every case

• Shared storage pools across computers for additional failure tolerance and load balancing

Several of these items (pooling, striping, scrubbing, and shared pools) come from using ReFS together
with storage spaces; on a single physical disk, ReFS can detect corruption through its checksums but has
no second copy from which to repair it.

ReFS inherits features from NTFS including BitLocker encryption, access-control lists for security, the
Update Sequence Number (USN) journal, change notifications, symbolic links, junction points, mount
points, reparse points, volume snapshots, file IDs, and oplocks.

Because ReFS exposes the same file system interface as NTFS, it maintains backward compatibility with
its older counterpart. Clients access a share on an ReFS volume through SMB and do not need their own
ReFS driver, so Windows 8 clients and earlier can read and write to shares on ReFS volumes on a server
just as they can with shares on NTFS volumes. But, as implied in its name, the new file system offers
more resiliency, meaning better data verification, error correction, and scalability. Note that in
Windows Server 2012 ReFS cannot be used for the boot or system volume, for removable media, or with data
deduplication, and it does not support some NTFS features such as named streams, object IDs, short
names, compression, Encrypting File System (EFS), hard links, extended attributes, and disk quotas.

Beyond its greater resiliency, ReFS also surpasses NTFS by offering larger maximum sizes for individual
files, directories, disk volumes, and other items, as listed in the following table.

Attribute  Limit

Maximum size of a single file  2^64 - 1 bytes (18,446,744,073,709,551,615 bytes)

Maximum size of a single volume  2^78 bytes with a 16 KB cluster size (2^64 clusters x 16 x 2^10 bytes); Windows stack addressing allows 2^64 bytes

Maximum number of files in a directory  2^64

Maximum number of directories in a volume  2^64

Maximum file name length  32K Unicode characters

Maximum path length  32K

Maximum size of any storage pool  4 petabytes

Maximum number of storage pools in a system  No limit

Maximum number of spaces in a storage pool  No limit
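
The following script is an added example and is not part of the course material. It formats a non-system disk as ReFS with integrity streams enabled, which is the user-data checksumming described above, then inspects the per-file setting and switches it off for one scratch file. Disk number 2, drive letter R, the volume label and the folder and file names are assumptions.

```powershell
# Added example (not from the course): ReFS volume with integrity streams, and per-file control.
# Disk 2, drive letter R, the label and the paths are assumptions.

$disk = Get-Disk -Number 2
if ($disk.IsBoot -or $disk.IsSystem) { throw 'Disk 2 holds the boot or system volume; ReFS cannot be used there' }
if ($disk.PartitionStyle -ne 'RAW')  { throw 'Disk 2 already contains partitions; refusing to wipe it' }

$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter R |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Archive' -SetIntegrityStreams $true -Confirm:$false |
    Out-Null

# With integrity streams on, user data is checksummed as well as metadata. On a mirrored or parity
# storage space a failed checksum is repaired from a good copy; on a single disk the read fails
# rather than silently returning corrupt data, which is the behaviour you want for evidence or backups.
New-Item -Path 'R:\Evidence' -ItemType Directory | Out-Null
Get-FileIntegrity -FileName 'R:\Evidence'      # Enabled: True, inherited from the volume default

function Get-IntegrityReport {
    param([string]$Root = 'R:\')
    # one row per file: whether checksums are kept, and whether a bad checksum fails the read
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $fi = Get-FileIntegrity -FileName $_.FullName
        [pscustomobject]@{ Path = $_.FullName; Enabled = $fi.Enabled; Enforced = $fi.Enforced }
    }
}

# Scratch data where a bad block should not block the read: create the file empty, turn
# integrity off for that file only, then write to it
New-Item -Path 'R:\scratch.tmp' -ItemType File | Out-Null
Set-FileIntegrity -FileName 'R:\scratch.tmp' -Enable $false
'temporary' | Set-Content -Path 'R:\scratch.tmp'

'evidence' | Set-Content -Path 'R:\Evidence\case-001.txt'
Get-IntegrityReport | Format-Table -AutoSize
```

Get-FileIntegrity is the check to run on any ReFS volume you inherit: the volume-level default only applies to files created after it was set, so a volume formatted without -SetIntegrityStreams can hold files with no user-data checksums at all.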

Removed and Deprecated Features
The following storage-related features are removed or deprecated in Windows Server 2012:

• The Storage Manager for SANs snap-in for MMC is removed. Instead, you can manage storage with
Windows PowerShell cmdlets and Server Manager.

• The Storage Explorer snap-in for MMC is removed.

• The SCSIport host-bus adapter driver is removed. Instead, you can either use a Storport driver or a
different host-bus adapter.

• The File Server Resource Manager command-line tools such as dirquota.exe, filescrn.exe, and
storrept.exe are deprecated. Their functionality is available in Windows PowerShell (the
FileServerResourceManager module).

• The File Replication Service (FRS) is replaced by DFS Replication.

• The Share and Storage Management snap-in is replaced by the File and Storage Services role in
Server Manager.

• The Shared Folders snap-in is replaced by the File and Storage Services role in Server Manager.

• The Virtual Disk Service (VDS) provider is replaced by the Storage Management APIs and storage
provider or the Storage Management Initiative Specification (SMI-S) standard and a compliant
storage provider.
Lesson 2
Configuring iSCSI Storage
In this lesson, you will learn how to create a connection between servers and iSCSI storage. You will
perform these tasks by using IP-based iSCSI storage. iSCSI storage is an inexpensive and simple way to
configure a connection to remote disks. Many application requirements dictate that remote storage
connections must be redundant in nature for fault tolerance or high availability. For this purpose, you
will also learn how to create both single and redundant connections to an iSCSI target. You will do so
by using the iSCSI initiator software that is available in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe iSCSI and its components.

• Describe the iSCSI target server and the iSCSI initiator.

• Describe how to configure high availability and locate iSCSI storage.

• Configure an iSCSI target.

• Connect to the iSCSI storage.

What Is iSCSI?
iSCSI is a protocol that supports access to remote, SCSI-based storage devices over a TCP/IP network.
iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets and to
manage storage over long distances. You can use iSCSI to transmit data over LANs, WANs, or even over the
larger Internet.

iSCSI relies on standard Ethernet networking architecture, and use of specialized hardware such as a
host bus adapter (HBA) or specialized network switches is optional. iSCSI uses TCP/IP (typically, TCP
port 3260). This means that iSCSI simply enables two hosts to negotiate (session establishment, flow
control, and packet size, for example) and then exchange SCSI commands by using an existing Ethernet
network. By doing this, iSCSI takes a popular, high-performance, local storage bus subsystem
architecture and emulates it over LANs and WANs, creating a SAN. Unlike some SAN protocols, iSCSI
requires no specialized cabling; it can be run over existing switching and IP infrastructure. However,
the performance of an iSCSI SAN deployment can be severely decreased if it is not operated on a
dedicated network or subnet, as best practices recommend. The dedicated network also matters for
security: iSCSI sends SCSI commands and data in clear text, so anyone who can capture or inject traffic
on that network can read or alter the disk contents unless the link is protected, for example with
IPsec.

Note: While you can use a standard Ethernet network adapter to connect the server to the iSCSI storage
device, you can also use dedicated HBAs.

An iSCSI SAN deployment includes the following:

• IP network. You can use standard network interface adapters and standard Ethernet protocol network
switches to connect the servers to the storage device. To provide sufficient performance, the network
should provide speeds of at least 1 gigabit per second (Gbps), and should provide multiple paths to
the iSCSI target. We recommend a dedicated physical and logical network in order to achieve fast,
reliable throughput.

• iSCSI targets. This is another way to refer to the network interface of the storage device through
which the storage is accessed. iSCSI targets present or advertise storage, similar to controllers for
hard disk drives of locally attached storage. However, this storage is accessed over a network, instead
of locally. Many storage vendors implement hardware-level iSCSI targets as part of their storage
device's hardware. Other devices or appliances, such as Windows Storage Server devices, implement iSCSI
targets by using a software driver together with at least one Ethernet adapter. Windows Server 2012
provides the iSCSI target server, which is effectively a driver for the iSCSI protocol, as a role
service.

• iSCSI initiators. The iSCSI target displays storage to the iSCSI initiator (also known as the
client), which acts as a local disk controller for the remote disks. All versions of Windows Server
starting from Windows Server 2008 include the iSCSI initiator and can connect to iSCSI targets.

• iSCSI Qualified Name (IQN). IQNs are unique identifiers that are used to address initiators and
targets on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for the
iSCSI initiators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the
iSCSI targets. However, if name resolution on the iSCSI network is a possible issue, iSCSI endpoints
(both target and initiator) can always be identified by their IP addresses. Keep in mind that an IQN is
an identifier, not a credential: any initiator can present any IQN, so restricting a target to specific
IQNs only prevents accidental connections. Use CHAP authentication (described below) and network
isolation to keep unauthorized hosts off the storage.

Question: Can you use your organization's internal IP network to provide iSCSI?

iSCSI Target Server and iSCSI Initiator
The iSCSI initiator service has been a standard part of Windows Server since Windows Server 2008.
Before Windows Server 2012, however, the iSCSI Software Target had to be downloaded and installed
separately. Now, it is integrated into Windows Server 2012 as a role service. The new features in
Windows Server 2012 include:

• Authentication. You can enable Challenge-Handshake Authentication Protocol (CHAP) to authenticate
initiator connections, or enable reverse CHAP to allow the initiator to authenticate the iSCSI target.

• Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.

iSCSI Target Server


The iSCSI target server role service provides a software-based, hardware-independent iSCSI disk
subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can then
use Server Manager to manage these iSCSI targets and virtual disks.

The iSCSI target server included in Windows Server 2012 provides the following functionality:

• Network/diskless boot. By using boot-capable network adapters or a software loader, you can use
iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to
90 percent of the storage space for the operating system images. This is ideal for large deployments
of identical operating system images, such as a Hyper-V server farm or High Performance Computing
(HPC) clusters.

• Server application storage. Some applications, for example Hyper-V and Exchange Server,
require block storage. The iSCSI target server can provide these applications with continuously
available block storage. Because the storage is remotely accessible, it can also consolidate block storage
for central or branch office locations.
• Heterogeneous storage. iSCSI target server supports iSCSI initiators that are not based on Windows, so
you can share storage on Windows Servers in mixed environments.

• Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to be a
network-accessible block storage device. This is useful in situations such as when you want to test
applications before deployment on SAN storage.

Enabling iSCSI target server to provide block storage takes advantage of your existing Ethernet network.
No additional hardware is needed. If high availability is an important criterion, consider setting up a high
availability cluster. With a high availability cluster, you will need shared storage for the cluster—either
hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. iSCSI target server is directly
integrated into the failover cluster feature as a cluster role.

iSCSI Initiator
The iSCSI Initiator is included in Windows Server 2012 and Windows 8 as a service and installed by default.
To connect your computer to an iSCSI target, you just have to start the service and configure it.

Additional Reading: Introduction of iSCSI Target in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012.aspx

Question: When would you consider implementing diskless booting from iSCSI targets?

Advanced iSCSI Configuration Options
In addition to configuring the basic iSCSI target server and iSCSI initiator settings, you can
integrate these services into more advanced configurations.

Locating iSCSI Storage
There are two common approaches for locating storage that is exposed to a network by an iSCSI
Target.

The first approach is through the use of the iSCSI SendTargets command. This functionality
is available within the iSCSI Initiator wizard of Windows Server. Using SendTargets in the iSCSI
Initiator retrieves a list of available targets from a target device. To use this command, you must
know both the IP address of the storage device that is hosting the targets, and whether the device
is suitable for your storage needs. The iSCSI SendTargets command is only workable in smaller
iSCSI environments because as the number of iSCSI targets increases in your company, the more
complex this approach is.

The second approach is for large networks. On large networks, locating storage can be more difficult. One
solution that can help you is the Internet Storage Name Service (iSNS), which is a Windows Server 2012
feature similar to Domain Name System (DNS) and lets you locate a target on several target devices.

iSNS contains three distinct services:

• Name Registration Service. This service enables initiators and targets to register and query the iSNS
server directory for information about initiator and target IDs and addresses.

• Network Zoning and Logon Control Service. You can use this service to restrict iSNS initiators to
zones so that iSCSI initiators do not discover any target devices outside their own zone or discovery
domains. This prevents initiators from accessing storage devices that are not intended for their use.
Logon control enables targets to determine which initiators can access them.

• State Change Notification Service. This service enables iSNS to notify clients of changes in the network,
such as the addition or removal of targets, or changes in zoning membership. Only initiators that you
register to receive notifications will get these packets, which reduces random broadcast traffic on the
network.

Configuring iSCSI for High Availability
Creating a single connection to iSCSI storage makes that storage available. However, it does not make
that storage highly available. Losing the connection results in the server losing access to its storage.
Therefore, most iSCSI storage connections are made redundant through one of two high-availability
technologies: Multiple Connections per Session (MCS) and Multipath I/O (MPIO).

Although similar in the result they achieve, these two technologies use different approaches to achieve
high availability for iSCSI storage connections.

MCS is a feature of the iSCSI protocol that:

• Enables multiple TCP/IP connections from the initiator to the target for the same iSCSI session.
• Supports automatic failover. If a failure were to occur, all outstanding iSCSI commands are reassigned
to another connection automatically.

• Requires explicit support by iSCSI SAN devices, although the iSCSI target server role supports it.

MPIO is a different way to provide redundancy that:

• Requires a device-specific module (DSM) if you want to connect a third-party SAN device, such as HP’s
EVA SAN, to the iSCSI initiator. Windows includes a default MPIO DSM, installed as the
Multipath I/O feature within Server Manager.

• Is widely supported. Many SANs can use the default DSM without any additional software, while
others require a specialized DSM from the manufacturer.

• Is more complex to configure and not as fully automated during failover as MCS.

Demonstration: Configuring iSCSI Target


In this demonstration, you will add an iSCSI target server role service and create an iSCSI virtual disk and
iSCSI target on LON-DC1.

Demonstration Steps
Add the iSCSI Target Server role service

1. On LON-DC1, in Server Manager, click the Dashboard button.


2. In the Add Roles and Features Wizard, install the following roles and features to the local server and
accept the default values:

o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Create two iSCSI virtual disks and an iSCSI target on LON-DC1

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.
2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk. Create a virtual disk that has the following settings:

o Name: iSCSIDisk1

o Disk size: 5 GB

o iSCSI target: New

o Target name: LON-SVR2

o Access servers: 172.16.0.22

3. On the View results page, wait until the creation is completed, and then close the View Results
page.

4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk. Create a virtual disk that has these settings:

o Name: iSCSIDisk2

o Disk size: 5 GB

o iSCSI target: LON-SVR2

5. On the View Results page, wait until the creation is completed, and then close the View Results
page.
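The demonstration above, together with the CHAP and reverse CHAP options described under "iSCSI Target Server and iSCSI Initiator", as an added PowerShell example that is not part of the courseware: it builds the same two disks and target on LON-DC1, then pins the target to the one intended initiator and turns on mutual CHAP. The initiator IQN, the CHAP user names and the VHD folder are assumptions.

```powershell
# Added example, not part of the 20417A courseware. Assumes the iSCSI Target Server role
# service is installed on LON-DC1 and that the initiator is LON-SVR2 at 172.16.0.22.
Import-Module IscsiTarget

$targetName = 'lon-svr2'
$diskFolder = 'C:\iSCSIVirtualDisks'          # assumed location for the .vhd files
New-Item -Path $diskFolder -ItemType Directory -Force | Out-Null

# 1. Create the target and restrict it to one initiator. Each InitiatorId is 'type:value';
#    any listed ID may log on, so list only the IDs of the server that should see the LUNs.
New-IscsiServerTarget -TargetName $targetName -InitiatorIds @(
    'IPAddress:172.16.0.22',
    'IQN:iqn.1991-05.com.microsoft:lon-svr2.adatum.com'   # assumed initiator IQN
) | Out-Null

# 2. Create the two 5 GB virtual disks from the demonstration and map them to the target.
foreach ($n in 1, 2) {
    $vhd = Join-Path $diskFolder "iSCSIDisk$n.vhd"
    New-IscsiVirtualDisk -Path $vhd -SizeBytes 5GB | Out-Null
    Add-IscsiVirtualDiskTargetMapping -TargetName $targetName -Path $vhd
}

# 3. Require CHAP from the initiator (one-way) and offer reverse CHAP so the initiator can
#    verify it reached the real target. Secrets are read interactively, never stored in the
#    script; the Microsoft target requires secrets of 12 to 16 characters.
$chapSecret    = Read-Host -Prompt 'CHAP secret (12-16 chars)' -AsSecureString
$reverseSecret = Read-Host -Prompt 'Reverse CHAP secret (12-16 chars)' -AsSecureString
$chap    = New-Object System.Management.Automation.PSCredential ('lon-svr2-init', $chapSecret)
$reverse = New-Object System.Management.Automation.PSCredential ('lon-dc1-target', $reverseSecret)
Set-IscsiServerTarget -TargetName $targetName `
    -EnableChap $true -Chap $chap `
    -EnableReverseChap $true -ReverseChap $reverse

# 4. Read back what the target now enforces; this is the state an audit should confirm.
Get-IscsiServerTarget -TargetName $targetName |
    Select-Object TargetName, TargetIqn, InitiatorIds, EnableChap, EnableReverseChap, Status
```

Once CHAP is enabled, the initiator in the next demonstration must supply the same user name and secret under Advanced settings, or its log-on to the target fails.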

Demonstration: Connecting to the iSCSI Storage


In this demonstration, you will connect LON-SVR2 to the iSCSI target and verify the presence of the
iSCSI drive.

Demonstration Steps
Connect LON-SVR2 to the iSCSI target

1. Log on to LON-SVR2 with username of Adatum\Administrator and password of Pa$$w0rd.

2. In Server Manager on the Tools menu, open iSCSI Initiator.


3. In the iSCSI Initiator Properties dialog box, configure the following:

o Quick Connect: LON-DC1

o Discover targets: iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target

Verify the presence of the iSCSI drive

1. In Server Manager, on the Tools menu, open Computer Management.

2. In the Computer Management console, under Storage, access Disk Management.


Notice that the new disks are added. They all are currently offline and not formatted.

Lesson 3
Configuring Storage Spaces in Windows Server 2012
Managing physical disks attached directly to a server proved to be a tedious task for the administrators.
To overcome this problem, many organizations used SANs that basically grouped physical disks
together.

However, SANs require special configuration and sometimes special hardware and are therefore
expensive. To overcome these issues, storage spaces in Windows Server 2012 is a feature that pools disks
together and presents them to the operating system as a single disk. This lesson explains how to configure
and implement storage spaces.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the use of storage spaces.

• Describe the features of storage spaces.

• Configure a storage space.

• Implement redundant storage spaces.

What Are Storage Spaces?
A storage space is a storage virtualization capability built into Windows Server 2012 and
Windows 8. You can use storage spaces to add physical disks of any type and size to a storage
pool and create highly-available virtual disks from it. The primary advantage of storage spaces is that
you do not manage single disks any longer, but manage them as one unit.

To create a highly-available virtual disk, you must have the following:

• Disk drive. This is a volume that you can access from your OS. For example, using a drive letter.

• Virtual disk (or storage space). This resembles a physical disk from the perspective of users and
applications. However, virtual disks are more flexible because they include thin provisioning or just-in-
time allocations and resiliency to physical disk failures with built-in functionality such as mirroring.

• Storage pool. A storage pool is a collection of one or more physical disks that you can use to create
virtual disks. You can add to a storage pool any available physical disk that is not formatted or
attached to another storage pool.

• Physical disk. These are connected physical disks such as SAS disks attached to your server. If you
want to add them to a storage pool, they have to satisfy the following requirements:

o One physical drive is required to create a storage pool; a minimum of two physical drives is
required to create a resilient mirror virtual disk.
o A minimum of three physical drives are required to create a virtual disk with resiliency through
parity.

o Three-way mirroring requires at least five physical drives.

o Drives must be blank and unformatted; no volume must exist on them.

o Drives can be attached using different bus interfaces including iSCSI, SAS, Serial Advanced
Technology Attachment (SATA), SCSI, and USB. You cannot use SATA, USB or SCSI disks in a
failover cluster.
A storage space is a feature available for both NTFS and ReFS volumes that can provide redundancy and
pooled storage for many internal and external drives of different sizes and interfaces.

Storage Spaces Features
To configure storage spaces as per your requirements, you must consider the
features described in the following table before you implement virtual disks.

Feature Description

Storage layout This defines the number of disks from the storage pool that are allocated. Valid
options are:
• Simple. A simple space has data striping but no redundancy. In data striping,
logically sequential data is segmented across all disks in a way that access to
these sequential segments can be made to different physical storage drives.
Striping makes it possible to access multiple segments of data at the same time.
Do not host important data on a simple volume, because it provides no failover
capabilities when the disk where the data is stored on fails.
• Two-way and three-way mirrors. Mirror spaces maintain two or three copies of
the data they host (two data copies for two-way mirrors and three data copies
for three-way mirrors). Duplication happens with every write to ensure all data
copies are always current. Mirror spaces also stripe the data across multiple
physical drives. Mirror spaces are attractive because of their greater data
throughput and lower access latency. They also do not introduce a risk of
corrupting at-rest data and do not require the additional journaling stage when
writing data.
• Parity. A parity space resembles a simple space. Data, along with parity
information, is striped across multiple physical drives. Parity enables storage
spaces to continue to service read and write requests even when a drive has
failed. Parity is always rotated across available disks to enable IO optimization.
A storage space requires a minimum of three physical drives for parity spaces.
Parity spaces have increased resiliency through journaling.

Disk sector size A storage pool's sector size is set the moment it is created. If the list of drives
being used contains only 512 and 512e drives, the pool is defaulted to 512e.
However, if the list contains at least one 4-KB drive, the pool sector size is
defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size
that all contained spaces in the pool will inherit. After an administrator defines
this, Windows will only enable addition of drives that have a compliant sector size,
that is: 512 or 512e for a 512e storage pool and 512, 512e, or 4 KB for a 4-KB
pool.

Cluster disk requirement Failover clustering prevents interruption to workloads or data if there is a
computer failure. For a pool to support failover clustering, all assigned drives must
support a multi-initiator protocol, such as SAS.

Drive allocation This defines how the drive is allocated to the pool. Options are:
• Data-store. This is the default allocation when any drive is added to a pool.
Storage spaces can automatically select available capacity on data-store drives
for both storage space creation and just-in-time allocation.
• Manual. Administrators can choose to specify manual as the usage type for
drives added to a pool. A manual drive is not automatically used as part of a
storage space unless it is specifically selected at the creation of that storage
space. This usage property lets administrators specify particular types of drives
for use by only certain storage spaces.
• Hot-Spare. Drives added as “Hot-Spares” to a pool are reserve drives that are
not used in the creation of a storage space. If a failure occurs on a drive that is
hosting columns of a storage space, a reserve drive is called on to replace the
failed drive.

Provisioning schemes You can provision a virtual disk by using two schemes:
• Thin provisioning space. Thin provisioning is a mechanism that enables storage
to be easily allocated on a just-enough and just-in-time basis. Storage capacity
in the pool is organized into provisioning slabs that are not allocated until the
point in time when datasets grow to actually require the storage. Instead of
the traditional fixed storage allocation method, where large pools of storage
capacity are allocated but may remain unused, thin provisioning optimizes use
of available storage. Organizations are also able to save on operating costs such
as electricity and floor space associated with keeping unused drives spinning.
• Fixed provisioning space. In storage spaces, fixed provisioned spaces also use the
flexible provisioning slabs. The difference here is that the storage capacity is
allocated up front, at the time that the space is created.

Note: Storage spaces allows for the creation of both thin and fixed provisioning virtual
disks within the same storage pool. Having both provisioned types in the same storage pool is
very convenient especially when they are related to the same workload. For example, you can
choose to have a thin provisioning space to host a database and a fixed provisioning space to
host its log.

Demonstration: Configuring a Storage Space


In this demonstration, you will create a storage pool and create a simple virtual disk and a volume.

Demonstration Steps
Create a storage pool

1. On LON-SVR2, in Server Manager, navigate to File and Storage Services, and Storage Pools.

2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and then add all
available disks.

Create a simple virtual disk and a volume

1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:

o Storage pool: StoragePool1

o Disk name: Simple vDisk

o Storage layout: Simple

o Provisioning type: Thin


o Size: 2 GB

2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.
3. In the New Volume Wizard, create a volume with these settings:

o Virtual disk: Simple vDisk

o File system: ReFS


o Volume label: Simple Volume

Demonstration: Implementing Redundant Storage Spaces


In this demonstration, you will create a redundant virtual disk and a volume, simulate a drive failure, and
test volume access.

Demonstration Steps
Create a redundant virtual disk and a volume

1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS
drop-down list, select New Virtual Disk and create a virtual disk with these settings:
o Storage pool: StoragePool1
o Disk name: Mirrored vDisk
o Storage layout: Mirror
o Provisioning type: Thin
o Size: 5 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.

3. In the New Volume Wizard, create a volume with these settings:


o Virtual disk: Mirrored vDisk
o File system: ReFS
o Volume label: Mirrored Volume
4. On the Completion page, wait until the creation is completed, and then click Close.
5. On the Start screen, type command prompt and then press Enter.

6. At the command prompt, type the following command and then press Enter:

Copy C:\windows\system32\write.exe F:\

7. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select
Computer Management.

8. In the Computer Management console, under Storage, click Disk Management.

Notice that the two volumes E: and F: are available.


Simulate a drive failure and test volume access

1. On LON-DC1, in Server Manager, in the left pane, click File and Storage Services.

2. In the File and Storage Services pane, click iSCSI.

3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.

4. Switch to LON-SVR2.

5. In the Computer Management console, under Storage, right-click Disk Management, and then in
drop-down list, select Rescan Disks.

Notice that the Simple Volume (E:) is not available and the Mirrored Volume (F:) is available.
6. On the taskbar, open Windows Explorer and then click Mirrored Volume (F:). You should now see
write.exe in the file list.

7. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that appears right next to Mirrored vDisk.

8. In the VIRTUAL DISKS pane, in the drop-down list, right-click Simple vDisk, and then select
Properties.

9. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.

Notice the Health Status that should indicate Unknown. The Operational Status should indicate
Detached. This means that the disk is not available on this computer any longer.

10. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select
Properties.

11. In the Mirrored vDisk Properties window, in the navigation pane, click Health.

Notice the Health Status should indicate a Warning. The Operational Status should indicate
Incomplete or Degraded.

Lab A: Managing Storage for Servers Based on Windows Server 2012
Scenario
With the growth in A. Datum, the requirements for managing storage and shared file access have also
expanded. Although the cost of storage has decreased significantly over the last few years, the data
produced by the A. Datum business groups has increased even more. The organization is considering
alternative ways to reduce the cost of storing data on the network in addition to the options for
optimizing data access for both physical and virtual servers. Also, to meet some requirements for high
availability, the organization is exploring options for making storage highly available.

As one of the senior network administrators at A. Datum, you are responsible for implementing some new
file storage technologies for the organization. You will implement iSCSI storage to provide a less complex
option for deploying large amounts of storage in the organization. You will also implement the storage
spaces on the Windows Server 2012 servers to simplify storage access and to provide redundancy at the
storage level.

Objectives
After completing this lab, you will be able to:

• Configure iSCSI storage for Windows Server 2012 servers.

• Configure a redundant storage space.

Lab Setup

Estimated time: 40 minutes

Virtual Machine(s)  20417A-LON-DC1
                    20417A-LON-SVR2

User Name           Adatum\Administrator

Password            Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2 to 4 for 20417A-LON-SVR2.

For this lab, on 20417A-LON-SVR2, disable Routing and Remote Access. In Server Manager, click Tools,
and then click Routing and Remote Access. In the Routing and Remote Access console, right-click
LON-SVR2 and then click Disable Routing and Remote Access.

Exercise 1: Configuring iSCSI Storage


Scenario
In order to reduce the cost and complexity of configuring centralized storage, A. Datum is exploring the
option of using iSCSI to provide storage. To get started, you will install and configure the iSCSI targets,
and configure access to the targets by configuring the iSCSI initiators.

The main tasks for this exercise are as follows:

1. Install the iSCSI Target feature.

2. Configure the iSCSI targets.

3. Configure MPIO.

4. Connect to and configure the iSCSI targets.

X Task 1: Install the iSCSI Target feature


1. Log on to LON-DC1 with username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features
to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

X Task 2: Configure the iSCSI targets


1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.

2. Create a virtual disk with these settings:

o Storage location: C:

o Disk name: iSCSIDisk1

o Size: 5 GB

o iSCSI target: New

o Target name: lon-svr2

o Access servers: 172.16.0.22 and 131.107.0.2

3. On the View results page, wait until the creation is completed, and then click Close.

4. Create a New iSCSI Virtual Disk with these settings:


o Storage location: C:

o Disk name: iSCSIDisk2

o Size: 5 GB
o iSCSI target: lon-svr2

5. Create a New iSCSI Virtual Disk with these settings:

o Storage location: C:

o Disk name: iSCSIDisk3

o Size: 5 GB

o iSCSI target: lon-svr2



6. Create a New iSCSI Virtual Disk with these settings:


o Storage location: C:
o Disk name: iSCSIDisk4
o Size: 5 GB
o iSCSI target: lon-svr2
7. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk5
o Size: 5 GB
o iSCSI target: lon-svr2

X Task 3: Configure MPIO


1. Log on to LON-SVR2.
2. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.

3. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
o Enable the iSCSI Initiator service
o Quick Connect to target: LON-DC1
4. In Server Manager, on the Tools menu, open MPIO, and configure the following:

o Enable Add support for iSCSI devices on Discover Multi-paths

5. After the computer restarts, log on to LON-SVR2, on the Tools menu in Server Manager, open MPIO
and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

X Task 4: Connect to and configure the iSCSI targets


1. On LON-SVR2, in Server Manager, on the Tools menu, open iSCSI Initiator.

2. In the iSCSI Initiator Properties dialog box, perform the following steps:
a. Disconnect all Targets.

b. Connect and Enable multi-path.

c. Set Advanced options as follows:


- Local Adapter: Microsoft iSCSI Initiator
- Initiator IP: 172.16.0.22
- Target Portal IP: 172.16.0.10 / 3260
d. Connect to another target, enable multi-path, and configure the following Advanced settings:
- Local Adapter: Microsoft iSCSI Initiator
- Initiator IP: 131.107.0.2
- Target Portal IP: 131.107.0.1 / 3260
3. In the Targets list, open Devices for iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, access
the MPIO information, and then verify that in Load balance policy, Round Robin is selected. Verify
that two paths are listed by looking at the IP addresses of both network adapters.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.
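Tasks 3 and 4 above as an added PowerShell example that is not part of the courseware: it installs MPIO on LON-SVR2, logs on to the LON-DC1 target once over each network, and then checks that both paths exist and that MPIO presents each disk only once. It assumes the lab addresses and that no CHAP is configured on the target.

```powershell
# Added example, not part of the 20417A courseware. Run on LON-SVR2 as Administrator.
# Assumed lab addresses: initiator 172.16.0.22 and 131.107.0.2, target portals
# 172.16.0.10 and 131.107.0.1 on port 3260. AuthenticationType is NONE because the lab
# target has no CHAP; with CHAP it would be ONEWAYCHAP or MUTUALCHAP plus the credentials.
$targetIqn = 'iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target'
$paths = @(
    @{ Initiator = '172.16.0.22'; Portal = '172.16.0.10' },
    @{ Initiator = '131.107.0.2'; Portal = '131.107.0.1' }
)

# 1. Install MPIO and let the Microsoft DSM claim iSCSI devices. Adding the claim is the
#    same as 'Add support for iSCSI devices' in the MPIO control panel and needs a restart
#    before devices are claimed, so the script stops there and is rerun afterwards.
if (-not (Get-WindowsFeature Multipath-IO).Installed) {
    Install-WindowsFeature Multipath-IO | Out-Null
}
Import-Module MPIO
if (-not (Get-MSDSMAutomaticClaimSettings).iSCSI) {
    Enable-MSDSMAutomaticClaim -BusType iSCSI
    Write-Warning 'iSCSI claim added; restart the computer and run this script again.'
    return
}
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR   # Round Robin, as Task 4 step 3 verifies

# 2. Start the initiator service and register one target portal per path.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
foreach ($p in $paths) {
    New-IscsiTargetPortal -TargetPortalAddress $p.Portal -TargetPortalPortNumber 3260 `
        -InitiatorPortalAddress $p.Initiator | Out-Null
}

# 3. Log on to the target once per path, multipath-enabled and persistent across reboots.
foreach ($p in $paths) {
    Connect-IscsiTarget -NodeAddress $targetIqn -IsMultipathEnabled $true -IsPersistent $true `
        -InitiatorPortalAddress $p.Initiator `
        -TargetPortalAddress $p.Portal -TargetPortalPortNumber 3260 `
        -AuthenticationType NONE | Out-Null
}

# 4. Verify: one connection per path, and each iSCSI disk listed once. A disk that appears
#    twice means the DSM has not claimed it and there is no failover for it yet.
Get-IscsiSession | Where-Object TargetNodeAddress -eq $targetIqn |
    Get-IscsiConnection |
    Select-Object InitiatorAddress, TargetAddress, TargetPortNumber
Get-Disk | Where-Object BusType -eq 'iSCSI' |
    Select-Object Number, FriendlyName, Size, OperationalStatus
mpclaim -s -d    # one line per claimed disk with its load-balance policy and path count
```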

Exercise 2: Configuring a Redundant Storage Space


Scenario
After you have configured the iSCSI components, you want to take advantage of the storage pools to
simplify the configuration of storage on the Windows Server 2012 servers. To meet some requirements for
high availability, you decided to evaluate redundancy features in storage spaces. Also, you want to test
provisioning of new disks to the storage pool.

The main tasks for this exercise are as follows:


1. Create a storage pool by using the iSCSI disks attached to the server.
2. Create a 3-way mirrored disk.
3. Copy a file to the volume and verify visibility in Windows Explorer.
4. Disconnect an iSCSI disk.
5. Verify that the file is still accessible and check the health of the virtual disk.
6. Add a new iSCSI virtual disk.
7. Add the new disk to the storage pool and extend the virtual disk.

X Task 1: Create a storage pool by using the iSCSI disks attached to the server
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.

2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage
Pools.
3. Create a storage pool with the following settings:

o Name: StoragePool1

4. On the View results page, wait until the creation is completed, then click Close.

X Task 2: Create a 3-way mirrored disk


1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with these
settings:

o Storage pool: StoragePool1


o Name: Mirrored vDisk

o Storage Layout: Mirror

o Resiliency settings: Three-way mirror

o Provisioning type: Thin

o Virtual disk size: 10 GB

2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.

3. In the New Volume Wizard, create a volume with these settings:

o Virtual disk: Mirrored vDisk

o Drive letter: E

o File system: ReFS

o Volume label: Mirrored Volume


4. On the Completion page, wait until the creation is completed, and then click Close.

X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press ENTER.

2. Type the following command:

Copy C:\windows\system32\write.exe E:\

3. Use Windows Explorer and access Mirrored Volume (E:). You should now see write.exe in the file list.

X Task 4: Disconnect an iSCSI disk


1. Switch to LON-DC1.

2. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, disable the iSCSI Virtual Disk named
iSCSIDisk1.vhd.

X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.

2. Use Windows Explorer and open E:\write.exe to make sure access to the volume is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that appears right next to Mirrored vDisk.

4. In the VIRTUAL DISK pane, right-click Mirrored vDisk, in the drop-down list, select Properties.

5. In Mirrored vDisk Properties window, in the Health pane, notice that the Health Status indicates a
Warning. The Operational Status should indicate Degraded.

X Task 6: Add a new iSCSI virtual disk


1. Switch to LON-DC1.
2. In Server Manager, in the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS
drop-down list, select New iSCSI Virtual Disk.

3. Create a NEW iSCSI Virtual Disk with these settings:


o Storage location: C:

o Disk name: iSCSIDisk6

o Size: 5 GB

o iSCSI target: lon-svr2

X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button.

3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add
Physical Disk, and add PhysicalDisk1 (LON-SVR2).
4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend
Virtual Disk and extend the disk to 15 GB.

Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
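The same Task 4 to Task 7 sequence, scripted with the iSCSI Target and Storage modules. This is an added example and not part of the course lab; it assumes the lab names (StoragePool1, Mirrored vDisk, target lon-svr2) and that the iSCSI virtual disk files live in the default C:\iSCSIVirtualDisks folder for a storage location of C:.

```powershell
# Added example (not from the course): Tasks 4-7 of the lab as PowerShell.
# Assumptions: lab names StoragePool1 / "Mirrored vDisk"; target name lon-svr2;
# virtual disk files under C:\iSCSIVirtualDisks (the default for storage location C:).

# --- On LON-DC1 (iSCSI target server): add a new 5 GB virtual disk and map it to the target
Import-Module IscsiTarget
$newDisk = 'C:\iSCSIVirtualDisks\iSCSIDisk6.vhd'
New-IscsiVirtualDisk -Path $newDisk -SizeBytes 5GB
Add-IscsiVirtualDiskTargetMapping -TargetName 'lon-svr2' -Path $newDisk

# --- On LON-SVR2 (initiator and owner of the storage pool)
Import-Module Storage
Update-HostStorageCache   # rescan so the new LUN shows up as a physical disk

# Task 5 equivalent: health of the mirrored space after one iSCSI disk was disabled.
# A two-way mirror stays online on the remaining disk but reports Degraded; E:\write.exe
# is still readable because no data was lost.
Get-VirtualDisk -FriendlyName 'Mirrored vDisk' |
    Select-Object FriendlyName, HealthStatus, OperationalStatus, Size

# Which physical disks backing the pool are no longer reachable?
Get-StoragePool -FriendlyName 'StoragePool1' | Get-PhysicalDisk |
    Select-Object FriendlyName, HealthStatus, OperationalStatus, Size

# Task 7 equivalent: add every poolable disk, then grow the space.
$poolable = Get-PhysicalDisk -CanPool $true
if ($poolable) {
    Add-PhysicalDisk -StoragePoolFriendlyName 'StoragePool1' -PhysicalDisks $poolable
}
Resize-VirtualDisk -FriendlyName 'Mirrored vDisk' -Size 15GB

# Resize-VirtualDisk grows the virtual disk, not the volume on it; extend the partition too.
$part = Get-VirtualDisk -FriendlyName 'Mirrored vDisk' | Get-Disk | Get-Partition |
    Where-Object DriveLetter -eq 'E'
$max = (Get-PartitionSupportedSize -DiskNumber $part.DiskNumber `
            -PartitionNumber $part.PartitionNumber).SizeMax
Resize-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -Size $max

# The mirror stays Degraded until the disabled iSCSI disk is re-enabled on LON-DC1 and a
# repair runs:
# Repair-VirtualDisk -FriendlyName 'Mirrored vDisk'
```

Server Manager performs the partition extension for you when you extend the volume in the GUI; from PowerShell, Resize-VirtualDisk and Resize-Partition are two separate steps, which is the point worth remembering when scripting this.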

X To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20417A-LON-SVR2.
Lesson 4
Configuring BranchCache in Windows Server 2012
Branch offices have unique management challenges. A branch office typically has slow connectivity to the
enterprise network and limited infrastructure for securing servers. Therefore, the challenge is being able to
provide efficient access to network resources for users in branch offices. The BranchCache feature helps
you overcome these problems by caching files so they do not have to be transferred over the network
again.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how BranchCache works.

• Describe the BranchCache requirements.

• Configure the BranchCache server settings.

• Configure the BranchCache client settings.

• Configure BranchCache.

• Describe how to monitor BranchCache.

How Does BranchCache Work?
The BranchCache feature introduced with Windows Server 2008 R2 and Windows 7 reduces the network
use on WAN connections between branch offices and the headquarters by locally caching frequently used
files on computers in the branch office.

BranchCache improves the performance of applications that use one of the following protocols:

• HTTP or HTTPS protocols. These protocols are used by web browsers and other applications.

• Server message block (SMB), including signed SMB traffic protocol. This protocol is used for accessing
shared folders.

• Background Intelligent Transfer Service (BITS). A Windows component that distributes content from a
server to clients by using only idle network bandwidth.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a
passive cache, it will not increase WAN use. BranchCache only caches the read requests and will not
interfere when a user saves a file.

BranchCache improves the responsiveness of common network applications that access intranet servers
across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve
the performance of remote networks by deploying Windows 7 or 8 to client computers and Windows
Server 2012 to servers, and by enabling the BranchCache feature.


BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end Internet Protocol Security (IPsec). You can use BranchCache to reduce
network bandwidth use and improve application performance, even if the content is encrypted on the
wire. This works because the content server still authenticates and authorizes every request before it
releases the content identifiers, and the data held in a branch cache is itself encrypted with a key derived
from those identifiers, so a computer that did not obtain the identifiers from the content server cannot
read the cached content.

You can configure BranchCache to use Hosted Cache mode or Distributed Cache mode:

• Hosted Cache. This mode operates by deploying a computer that is running Windows Server 2008 R2
or later versions as a hosted cache server in the branch office. Client computers are configured with
the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from
the Hosted Cache when available. If the content is not available in the Hosted Cache, the content is
retrieved from the content server by using a WAN link and then provided to the Hosted Cache so that
the successive client requests can get it from there.

• Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote
offices without requiring a server. In this mode, local client computers running Windows 7 or
Windows 8 keep a copy of the content and make it available to other authorized clients that request
the same data. This eliminates the need to have a server in the branch office. However, unlike the
Hosted Cache mode, this configuration works across a single subnet only. In addition, clients who
hibernate or disconnect from the network cannot provide content to other requesting clients.

BranchCache in Windows Server 2012 is improved in the following ways:


• More than one hosted cache server per location to allow for scale.

• New underlying database that uses the Extensible Storage Engine (ESE) database technology from
Microsoft Exchange Server. This enables a hosted cache server to store significantly more data (in the
order of terabytes).

• The deployment is made much simpler such that you do not require a Group Policy Object (GPO) for
each location. A single GPO that contains the settings is all that is required to deploy BranchCache.

How a Client Computer Retrieves Data by Using BranchCache


When BranchCache is enabled on the client computer and the server, the client computer performs the
following process to retrieve data when using the HTTP, HTTPS, or SMB protocol:

1. The client computer that is running Windows 7 or Windows 8 connects to a content server that is
running Windows Server 2008 R2 or later in the head office and requests content similar to the way it
would retrieve content without using BranchCache.
2. The content server in the head office authenticates the user and verifies that the user is authorized to
access the data.

3. The content server in the head office returns identifiers or hashes of the requested content to the
client computer instead of sending the content itself. The content server sends that data over the
same connection that the content would have typically been sent.

4. Using retrieved identifiers, the client computer does the following:

o If you configure it to use Distributed Cache, the client computer multicasts on the local subnet to
find other client computers that have already downloaded the content.

o If you configure it to use Hosted Cache, the client computer searches for the content on the
configured Hosted Cache.

5. If the content is available in the branch office, either on one or more clients or on the Hosted Cache,
the client computer retrieves the data from the branch office and verifies it against the identifiers it
received from the content server, which ensures that the data is current and has not been tampered
with or corrupted.

6. If the content is not available in the remote office, the client computer retrieves the content directly
from the server across the WAN link. The client computer then either makes it available on the local
network to other requesting client computers (Distributed Cache mode) or sends it to the Hosted
Cache, where it is made available to other client computers.

BranchCache Requirements
BranchCache optimizes traffic flow between head office and branch offices. Only Windows Server 2008 R2,
Windows Server 2012, and client computers running Windows 7 or Windows 8 Enterprise Edition can
benefit from BranchCache. Earlier versions of Windows operating systems do not benefit from this feature.
By using BranchCache, you can cache only the content that is stored on file servers or web servers running
Windows Server 2008 R2 or Windows Server 2012.

Requirements for Using BranchCache
To use BranchCache, you must perform the following tasks:

• Install the BranchCache feature or the BranchCache for Network Files role service on the server
running Windows Server 2012 that is hosting the data.

• Configure client computers either by using Group Policy or the netsh branchcache set service
command.

If you want to use BranchCache for caching content from the web server, you must install the
BranchCache feature on the web server. Additional configurations are not needed. If you want to use
BranchCache to cache content from the file server, you must install the BranchCache for Network Files
role service on the file server, configure hash publication for BranchCache, and create BranchCache-
enabled file shares.

BranchCache is supported on Full Installation of Windows Server 2012 and on Server Core.

Requirements for Distributed Cache and Hosted Cache Modes
In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are
configured to use the Distributed Cache mode, any client computer can search locally for the computer
that has already downloaded and cached the content by using a multicast protocol called WS-Discovery.
In the Distributed Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or
later versions, and the clients in the branch must run at least Windows 7 or Windows Server 2008 R2. You
should configure the client firewall to enable incoming traffic for HTTP and WS-Discovery.

In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to
retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital
certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode,
content servers across the WAN link must run Windows Server 2008 R2 or later versions. The Hosted Cache
in the branch must run Windows Server 2008 R2 or later versions, and the client in the branch must run at
least Windows 7. You must configure a firewall to enable incoming HTTP traffic from the Hosted Cache
server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client
computers and the computer that is hosting the cached data.

Additional Reading: Windows Server 2008 R2
http://go.microsoft.com/fwlink/?LinkID=214828&clcid=0x409

Configuring BranchCache Server Settings
You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS. You can also use
BranchCache to cache shared folder content, which is delivered by the SMB protocol. By default,
BranchCache is not installed on Windows Server 2012.

The following table lists the servers that you can configure for BranchCache.

Server: Web server or Background Intelligent Transfer Service (BITS) server
Description: To configure a Windows Server 2012 web server or an application server that uses the BITS
protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure
clients who will use the BranchCache feature; no additional configuration of the web server is needed.

Server: File server
Description: The BranchCache for the Network Files role service of the File Services server role has to be
installed before you can enable BranchCache for any file shares. After you install the BranchCache for the
Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you must
configure each file share to enable BranchCache. You also have to configure clients who will use the
BranchCache feature.

Server: Hosted Cache server
Description: For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server
2012 server that you are configuring as a Hosted Cache server. To help secure communication, client
computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To
support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by
clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk
space on the active partition for hosting cache data. However, you can change this value by using Group
Policy or the netsh tool.
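A scripted version of the file server row above, using the ServerManager, SmbShare and BranchCache modules. This is an added example, not course code; it assumes the lab share C:\Share, that hash publication has already been enabled through Group Policy as the table describes, and that HashPublicationForPeerCaching is the registry value the Lanman Server policy writes (stated here as an assumption, used only for a warning).

```powershell
# Added example (not from the course): prepare a Windows Server 2012 file server as a
# BranchCache content server. Run elevated on the file server.
# Assumptions: share C:\Share (the lab's); hash publication already enabled via Group Policy;
# HashPublicationForPeerCaching is assumed to be the registry value that policy writes.
Import-Module ServerManager, SmbShare, BranchCache

# 1. BranchCache for Network Files role service (feature name FS-BranchCache).
if (-not (Get-WindowsFeature -Name FS-BranchCache).Installed) {
    Install-WindowsFeature -Name FS-BranchCache
}

# 2. Hash publication must be on, or the server never returns content identifiers and
#    clients silently fall back to a full WAN transfer. Report what policy has set.
$lanman  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
$hashPub = (Get-ItemProperty -Path $lanman -Name HashPublicationForPeerCaching `
               -ErrorAction SilentlyContinue).HashPublicationForPeerCaching
if ($null -eq $hashPub -or $hashPub -eq 0) {
    Write-Warning 'Hash Publication for BranchCache is not enabled; apply the Lanman Server policy first.'
}

# 3. Create the share with BranchCache caching mode (the "Enable BranchCache" check box in
#    Offline Settings). Share permissions stay at the default; NTFS ACLs still decide who
#    may read, and the server enforces them before it hands out any hashes.
if (-not (Test-Path 'C:\Share')) { New-Item -ItemType Directory -Path 'C:\Share' | Out-Null }
if (-not (Get-SmbShare -Name 'Share' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Share' -Path 'C:\Share' -CachingMode BranchCache
} else {
    Set-SmbShare -Name 'Share' -CachingMode BranchCache -Force
}

# 4. Pre-compute hashes so the first branch request does not wait for hashing.
Publish-BCFileContent -Path 'C:\Share' -Recurse

# 5. Verify.
Get-SmbShare -Name 'Share' | Select-Object Name, Path, CachingMode
(Get-BCStatus).ContentServerConfiguration
Get-BCHashCache | Select-Object CacheFileDirectoryPath, CurrentActiveCacheSize
```

For a web or BITS server, steps 2 to 4 do not apply: Install-WindowsFeature BranchCache and a running BranchCache service are all that is needed, as the first row of the table says.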

Configuring BranchCache Client Settings
You do not have to install the BranchCache feature because BranchCache is already included if the client
runs Windows 7 or Windows 8. However, BranchCache is disabled by default on client computers. To
enable and configure BranchCache, you must perform the following steps:

1. Enable BranchCache

2. Enable the Distributed Cache mode or Hosted Cache mode

3. Configure the client firewall to enable BranchCache protocols

Enabling BranchCache
If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache
feature, the BranchCache feature will still be disabled on the client computers. However, you can enable
the BranchCache feature on a client computer without enabling the Distributed Cache mode or the
Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not
attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server.
Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching
mode.

Enabling the Distributed Cache Mode or Hosted Cache Mode
You can enable the BranchCache feature on client computers by using Group Policy or the netsh
branchcache set service command.

To configure BranchCache settings by using Group Policy, perform the following steps for a domain-
based GPO:

1. Open the Group Policy Management console.

2. Browse to Computer Configuration\Policies\Administrative Templates\Network, and then click
BranchCache.

3. Turn on BranchCache and set either the Distributed Cache or the Hosted Cache mode.

To configure BranchCache settings by using the netsh branchcache set service command, perform the
following steps:

1. Use the following netsh syntax for the Distributed Cache mode:

netsh branchcache set service mode=distributed

2. Use the following netsh syntax for the hosted mode:

netsh branchcache set service mode=hostedclient location=<Hosted Cache server>


Configuring the Client Firewall To Enable BranchCache Protocols


In the Distributed Cache mode, BranchCache clients use the HTTP protocol (TCP port 80) for data transfer
between client computers and the WS-Discovery protocol (WSD, multicast on UDP port 3702) for cached
content discovery. You should configure the client firewall to enable the following incoming rules:

• BranchCache–Content Retrieval (Uses HTTP)

• BranchCache–Peer Discovery (Uses WSD)

In the Hosted Cache mode, BranchCache clients still use the HTTP protocol for data transfer (the Hosted
Cache server retrieves newly downloaded content from the client over HTTP), but they do not use the
WS-Discovery protocol, so the Peer Discovery rule can stay disabled and the client will not answer
multicast discovery requests from the subnet. In the Hosted Cache mode, you should
configure the client firewall to enable the incoming rule, BranchCache–Content Retrieval (Uses HTTP).
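The three client steps above (enable BranchCache, pick a mode, open the firewall) combined into one script that uses the BranchCache and NetSecurity modules instead of netsh. It is an added example, not course code; it assumes an elevated prompt on a Windows 8 Enterprise or Windows Server 2012 client and the lab's hosted cache server name LON-SVR1.adatum.com. Settings made this way are local settings: a domain GPO that configures BranchCache overrides them, which is why the lesson prefers Group Policy.

```powershell
# Added example (not from the course): configure and verify a BranchCache client.
# Assumptions: elevated prompt on Windows 8 Enterprise / Windows Server 2012; the hosted
# cache server name is the lab's. A BranchCache GPO, if present, wins over these settings.
param(
    [ValidateSet('Distributed', 'Hosted')]
    [string]$Mode = 'Distributed',
    [string]$HostedCacheServer = 'LON-SVR1.adatum.com'
)
Import-Module BranchCache, NetSecurity

# Steps 1 and 2: selecting a mode also turns BranchCache on for this computer.
switch ($Mode) {
    'Distributed' { Enable-BCDistributed -Force }
    'Hosted'      { Enable-BCHostedClient -HostedCacheServerList $HostedCacheServer -Force }
}

# Step 3: firewall. Distributed mode needs inbound HTTP (content retrieval) and WS-Discovery
# (peer discovery); hosted mode needs only the HTTP rule, so peer discovery stays closed.
$retrieval = 'BranchCache - Content Retrieval (Uses HTTP)'
$discovery = 'BranchCache - Peer Discovery (Uses WSD)'
Enable-NetFirewallRule -DisplayGroup $retrieval -Direction Inbound
if ($Mode -eq 'Distributed') {
    Enable-NetFirewallRule  -DisplayGroup $discovery -Direction Inbound
} else {
    Disable-NetFirewallRule -DisplayGroup $discovery -Direction Inbound
}

# Verify: mode, cache location and size, and the inbound rule state.
$status = Get-BCStatus
$status | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
$status.ClientConfiguration | Select-Object CurrentClientMode, HostedCacheServerList
$status.DataCache | Select-Object CacheFileDirectoryPath, MaxCacheSizeAsPercentageOfDiskVolume,
    CurrentActiveCacheSize
Get-NetFirewallRule -DisplayGroup 'BranchCache*' -Direction Inbound |
    Select-Object DisplayName, Enabled
```

Enable-BCLocal gives the third configuration the lesson describes (local cache only, no peers and no hosted cache), and Disable-BC turns the feature off again. netsh branchcache show status all prints the same information as the verification block.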

Additional Configuration Tasks for BranchCache


After you configure BranchCache, clients can access the cached data in BranchCache-enabled content
servers, available locally in the branch office, and not across a slow WAN link. You can modify
BranchCache settings and perform additional configuration tasks, such as:

• Setting the cache size

• Setting the location of the Hosted Cache server

• Clearing the cache

• Creating and replicating a shared secret key for use by content servers in a server cluster

Demonstration: How to Configure BranchCache


In this demonstration, you will add BranchCache for the Network Files role service, configure BranchCache
in Local Group Policy Editor, and enable BranchCache for a file share.

Demonstration Steps
Add BranchCache for the Network Files role service
1. Log on to LON-DC1 and open Server Manager.

2. In the Add Roles and Features Wizard, install the following roles and features to the local server:

o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files

Enable BranchCache for the server

1. On the Start screen, type gpedit.msc, and press ENTER.

2. Browse to Computer Configuration\Administrative Templates\Network\Lanman Server and do


the following:

o Enable Hash Publication for BranchCache

o Select Allow hash publication only for shared folders on which BranchCache is enabled
Enable BranchCache for a file share

1. Open Windows Explorer and create a folder named Share on C:\.

2. Configure the Share folder properties as follows:

o Enable Share this folder

o Check Enable BranchCache in Offline Settings


Monitoring BranchCache
After the initial configuration, you might want to verify that BranchCache is configured correctly and
functioning correctly. You can use the netsh branchcache show status all command to display the
BranchCache service status. On client and Hosted Cache servers, additional information such as the
location of the local cache, the size of the local cache, and the status of the firewall rules for HTTP and
WS-Discovery protocols that BranchCache uses is shown.

You can also use the following tools to monitor BranchCache:

• Event Viewer. You can use this tool to monitor BranchCache events in Event Viewer.

• Performance counters. You can use this tool to monitor BranchCache work and performance by using
the BranchCache performance monitor counters. BranchCache performance monitor counters are
useful debugging tools for monitoring BranchCache effectiveness and health. You can also use
BranchCache performance monitor for determining the bandwidth savings in the Distributed Cache
mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 or
later versions implemented in the environment, you can use Windows BranchCache Management
Pack for Operations Manager 2007.
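An added verification script (not from the course) that pulls the three sources named above into one view: Get-BCStatus, the BranchCache performance counter set, and the BranchCache operational event log. It can also serve as the client-side check that Lab B, Exercise 3, says it omits. The counter set and log names are the ones shipped with Windows 8 and Windows Server 2012; the savings calculation in Get-BCSavings is the added part.

```powershell
# Added example (not from the course): one view of BranchCache health and effectiveness.
# Assumptions: run on a client or hosted cache server with BranchCache enabled; counter
# set 'BranchCache' and log 'Microsoft-Windows-BranchCache/Operational' exist on
# Windows 8 / Windows Server 2012.
Import-Module BranchCache

function Get-BCSavings {
    # Bytes fetched from the content server over the WAN versus bytes served from a local
    # cache, read from the BranchCache counter set. Returns a percentage (0 when nothing yet).
    $paths  = (Get-Counter -ListSet 'BranchCache').Paths
    $sample = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 1).CounterSamples
    $fromCache  = [double]($sample | Where-Object Path -like '*retrieval: bytes from cache*').CookedValue
    $fromServer = [double]($sample | Where-Object Path -like '*retrieval: bytes from server*').CookedValue
    $total = $fromCache + $fromServer
    if ($total -eq 0) { return 0 }
    return [math]::Round(100 * $fromCache / $total, 1)
}

# 1. Service status, mode, and cache sizes (what netsh branchcache show status all prints).
$s = Get-BCStatus
$s | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
$s.ClientConfiguration | Select-Object CurrentClientMode
$s.DataCache | Select-Object CacheFileDirectoryPath, CurrentActiveCacheSize, MaxCacheSizeAsNumberOfBytes

# 2. Firewall rules BranchCache depends on.
Get-NetFirewallRule -DisplayGroup 'BranchCache*' -Direction Inbound | Select-Object DisplayName, Enabled

# 3. Effectiveness: share of retrieved bytes that never crossed the WAN.
"BranchCache WAN savings: $(Get-BCSavings) %"

# 4. Recent operational events; sorting by level puts Error before Information and Warning.
Get-WinEvent -LogName 'Microsoft-Windows-BranchCache/Operational' -MaxEvents 50 |
    Sort-Object LevelDisplayName, TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

To reproduce the two-client test the lab describes, copy mspaint.exe from the share on LON-CL1, run Get-BCSavings on LON-CL2 before and after copying the same file there: the second copy should raise the percentage, and a value that stays at 0 usually means hash publication is off on the server or the firewall rules are disabled on the clients.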

Lab B: Implementing BranchCache


Scenario
A. Datum has deployed a new branch office. This office has a single server. To support branch staff
requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN use
out to the branch office, you must configure BranchCache for this data.

Objectives
After completing this lab, you will be able to:

• Perform initial configuration tasks for BranchCache.

• Configure BranchCache clients.

• Configure BranchCache on the branch server.

Lab Setup

Estimated time: 40 minutes

Virtual Machine(s)   20417A-LON-DC1
                     20417A-LON-SVR1
                     20417A-LON-CL1
                     20417A-LON-CL2

User Name            Adatum\Administrator

Password             Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Do not start 20417A-LON-SVR1, 20417A-LON-CL1 and 20417A-LON-CL2 until directed to do so.



Exercise 1: Performing Initial Configuration Tasks for BranchCache


Scenario
Before you can configure the BranchCache feature for your branch offices, you must configure the
network components.

The main tasks for this exercise are as follows:

1. Configure LON-DC1 to use BranchCache.

2. Simulate slow link to the branch office.


3. Enable a file share for BranchCache.

4. Configure client firewall rules for BranchCache.

X Task 1: Configure LON-DC1 to use BranchCache


1. Switch to LON-DC1.
2. Open Server Manager and install the BranchCache for network files role service.

3. Open the Local Group Policy Editor (gpedit.msc).

4. Navigate to and open Computer Configuration/Administrative Templates/Network


/Lanman Server/Hash Publication for BranchCache. Enable this setting and then select Allow
hash publication only for shared folders on which BranchCache is enabled.

X Task 2: Simulate a slow link to the branch office


1. Navigate to Computer Configuration\Windows Settings\Policy-based QoS.
2. Create a new policy with the following settings:
o Name: Limit to 100Kbps
o Specify Outbound Throttle Rate: 100

Note: This task is required to simulate a slow network connection in a test environment
where all the computers are connected by a fast network connection.

X Task 3: Enable a file share for BranchCache


1. In Windows Explorer, create a new folder named C:\Share.

2. Share this folder with the following properties:


o Share name: Share
o Permissions: default
o Caching: Enable BranchCache
3. Copy C:\Windows\System32\mspaint.exe to the C:\Share folder.

X Task 4: Configure client firewall rules for BranchCache


1. On LON-DC1, open Group Policy Management.

2. Navigate to Forest: Adatum.com\Domains\Adatum.com\Default Domain Policy. Open the policy


for editing.

3. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows


Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.

4. Create a new inbound firewall rule with the following properties:


o Rule type: predefined
o Use BranchCache – Content Retrieval (Uses HTTP)
o Action: Allow
5. Create a new inbound firewall rule with the following properties:

o Rule type: predefined

o Use BranchCache – Peer Discovery (Uses WSD)

o Action: Allow

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.

Exercise 2: Configuring BranchCache Client Computers


Scenario
After you have configured the network components, you must now make sure the client computers are
configured correctly. This is a preparatory task to be able to use BranchCache.

The main task for this exercise is to configure client computers to use BranchCache in the Hosted Cache
mode.

X Task: Configure client computers to use BranchCache in the Hosted Cache mode
1. On LON-DC1, in Group Policy Management Editor, configure the following at Computer
Configuration\Policies\Administrative Templates\Network\BranchCache:

o Turn on BranchCache: Enable


o Set BranchCache Hosted Cache mode: Enable

o Type the name of the hosted Cache server: LON-SVR1.adatum.com

o Configure BranchCache for network files: Enable

o Type the maximum round trip network latency value (milliseconds) after which caching begins: 0

2. Start the 20417A-LON-CL1, open a Command Prompt window, and refresh the Group Policy settings
(gpupdate /force).

3. At the command prompt, type netsh branchcache show status all, and then press Enter.

4. Start the 20417A-LON-CL2, open the Command Prompt window, and refresh the Group Policy
settings (gpupdate /force).
5. At the command prompt, type netsh branchcache show status all, and then press Enter.

Note: To test BranchCache in a test lab, you should deploy two client computers. This
enables you to request a file from one of the client computers, and then verify that the file is
retrieved from the local cache on the second client computer.

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 3: Configuring BranchCache on the Branch Server


Scenario
The next step you must perform is to configure a file server for the BranchCache feature. You will install
the BranchCache feature and configure it as BranchCache Host Server.

The main tasks for this exercise are as follows:

1. Install the BranchCache Feature on LON-SVR1.

2. Start the BranchCache Host Server.

X Task 1: Install the BranchCache feature on LON-SVR1


1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the
password of Pa$$w0rd.

2. Open Server Manager and add the BranchCache for Network Files role service.

3. Add the BranchCache feature.

X Task 2: Start the BranchCache host server


1. On LON-DC1, open Active Directory Users and Computers. Create a new OU called
BranchCacheHost and move LON-SVR1 into this OU.

2. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU. This
prevents LON-SVR1 from receiving the Hosted Cache client settings that Exercise 2 placed in the
Default Domain Policy. Note that it also removes every other domain-level setting from LON-SVR1;
in production, use a dedicated BranchCache GPO with security filtering instead of blocking
inheritance.

3. Switch to LON-SVR1 and restart the computer. Log on as Adatum\Administrator with the password
of Pa$$w0rd.
4. Open Windows PowerShell by clicking the icon on the taskbar and run the following cmdlets:

Enable-BCHostedServer –RegisterSCP
Get-BCStatus

Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not
available when this course was created, so the BranchCache verification steps are not included in
this lab.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2.



Module Review and Takeaways


Question: How does BranchCache differ from DFS?

Question: Why would you want to implement BranchCache in Hosted Cache mode instead
of the Distributed Cache mode?

Question: Is the storage spaces feature also available on Windows 8?

Question: Can you configure data deduplication on a boot volume?

Tools

Tool: iSCSI target server
Use: Configure iSCSI targets
Where to find it: In Server Manager, under File and Storage Services

Tool: iSCSI initiator
Use: Configure a client to connect to an iSCSI target virtual disk
Where to find it: In Server Manager, in the Tools drop-down list

Tool: Deduplication Evaluation tool (DDPEval.exe)
Use: Analyze a volume for the potential savings when enabling data deduplication
Where to find it: C:\windows\system32

Module 5
Implementing Network Services
Contents:
Module Overview 5-1

Lesson 1: Implementing DNS and DHCP Enhancements 5-2

Lesson 2: Implementing IP Address Management 5-10

Lesson 3: NAP Overview 5-14

Lesson 4: Implementing NAP 5-20

Lab: Implementing Network Services 5-25

Module Review and Takeaways 5-31

Module Overview
As seasoned administrators are aware, network services such as Domain Name System (DNS) provide
critical support for name resolution of network and Internet resources. With Dynamic Host Configuration
Protocol (DHCP) you can manage and distribute IP addresses to client computers. DHCP is essential in
managing IP-based networks. DHCP failover can prevent client computers from losing access to the
network if there is a DHCP server failure. IP Address Management provides a unified means of controlling
IP addressing. With Network Access Protection (NAP), administrators can control which computers have
access to corporate networks based on the computer’s adherence to corporate security policies.

This module introduces DNS and DHCP improvements, what is new in IP address management, and
describes how to implement these features. It also provides an overview and implementation guidance for
NAP.

Objectives
After completing this module, you will be able to:

• Implement DHCP and DNS enhancements.


• Implement IP address management.

• Describe NAP.

• Implement NAP.

Lesson 1
Implementing DNS and DHCP Enhancements
In TCP/IP networks of any size, certain services are required. DNS is one of the most important network
services. Many other applications and services, including Active Directory® Domain Services (AD DS), rely
on DNS to resolve resource names to IP addresses. Without DNS availability user authentications can fail,
and network based resources and applications can become inaccessible. To prevent this, DNS has to be
protected. Windows Server® 2012 implements DNS Security Extensions (DNSSEC) to protect the
authenticity of DNS responses.

DHCP has long been used to ease the distribution of IP addresses to network client computers. Windows
Server 2012 improves the functionality of DHCP by providing failover capabilities.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the new DNS features in Windows Server 2012.

• Configure DNSSEC.

• Describe the new DHCP features in Windows Server 2012.

• Configure failover for DHCP.

What's New in DNS in Windows Server 2012
DNSSEC and GlobalNames zones are two features that continue to be available in Windows Server 2012.
However, the DNSSEC implementation has been simplified in Windows Server 2012.

DNSSEC
Intercepting and tampering with an organization's DNS query response is a common attack method. If an
attacker can alter the response from a DNS server, or send a spoofed response to point client computers
to their own servers, they can gain access to sensitive information. This is known as a man-in-the-middle
attack. Any service that relies on DNS for the initial connection, such as e-commerce web servers and
email servers, is vulnerable. DNSSEC is intended to protect clients that are making DNS queries from
accepting false DNS responses. It does this by signing responses, not by encrypting them: DNSSEC provides
authenticity and integrity, and queries and responses remain readable on the network.

New Resource Records
Validation of DNS responses is achieved by associating a private/public key pair (generated by the
administrator) with a DNS zone and defining additional DNS resource records to sign and publish keys.
Resource records distribute the public key while the private key remains on the server. When the client
requests validation, DNSSEC adds data to the response that enables the client to authenticate the
response.

Windows Server 2012 defines the new resource records in the following table.

Resource Record Purpose

DNSKEY This record publishes the public key for the zone. Resolvers use it to verify the
signatures (RRSIG records) that were generated with the corresponding private key
held by the DNS server. These keys require periodic replacement, which is known as
key rollover. Windows Server 2012 supports automated key rollovers.

DS This is a delegation record that contains the hash of the public key
of a child zone. This record is signed by the parent zone’s private
key. If a child zone of a signed parent is also signed, the DS records
from the child must be manually added to the parent so a chain of
trust can be created.

RRSIG This record holds a signature for a set of DNS records. It is used to
check the authority of a response.

NSEC When the DNS response has no data to provide to the client this
record authenticates that the host does not exist.

Trust Anchors
A trust anchor is an authoritative entity represented by a public key. The TrustAnchors zone stores
preconfigured public keys that are associated with a specific zone. In DNS the trust anchor is the DNSKEY
or DS resource record. Client computers use these records to build trust chains. A trust anchor from the
zone must be configured on every domain DNS server in order to validate responses from that signed
zone. If the DNS server is a domain controller then Active Directory integrated zones can distribute the
trust anchors.

Name Resolution Policy Table (NRPT)

The NRPT contains rules that control the DNS client behavior for sending DNS queries and processing the responses from those queries. For example, a DNSSEC rule prompts the client computer to check for validation of the response for a particular DNS domain suffix. Group Policy is the preferred method of configuring the NRPT. If there is no NRPT rule that matches a name, the client computer does not validate responses for it, even if the zone is signed.

Considerations when implementing DNSSEC


Consider the following before you implement DNSSEC:

• The zone replication scope or type cannot be changed while a zone is signed.

• DNS response messages are larger.

• DNS traffic increases are caused by queries for DNSKEY records.

• Zone files are larger.


• The client computer has to spend more time authenticating responses.

• There is an added level of administration to maintain.

GlobalNames Zones
GlobalNames zones address a problem in multiple DNS domain environments. GlobalName zones are
used when you must maintain a list of DNS search suffixes on client computers to resolve names among
these multiple DNS domains. For example, if an organization supports two DNS domains, such as
Widgets.com and Corp.com, users in the Widgets.com DNS domain have to use the fully qualified domain
name (FQDN) to locate the servers in corp or the domain administrator has to add a DNS search suffix for
Corp.com on all the systems in the Widgets.com domain. In other words, if users in the Widgets.com

domain want to locate a server named Data in the Corp.com domain, they would have to search for the FQDN of Data.Corp.com to locate that server. If they just search for the server name Data, then the search would fail.

GlobalNames zones are based on creating Canonical Name (CNAME) records (or aliases) in a special forward lookup zone that uses single names to point to FQDNs. GlobalNames zones enable clients in any DNS domain to use a single-label name, such as Data, to locate a server whose FQDN is Data.corp.com without having to use the FQDN.

Creating GlobalNames Zones
To create GlobalNames zones:

• Use the Dnscmd utility to enable GlobalNames zones functionality.

• Create a new forward lookup zone named GlobalNames (not case-sensitive). Do not enable dynamic updates for this zone.

• Manually create CNAME records that point to records that already exist in the other zones hosted on your DNS servers.

For example, you could create a CNAME record in the GlobalNames zone for Data that points to Data.corp.com. This enables clients from any DNS domain in the organization to find this server by the single label name of Data.
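The three steps above, carried out with the DnsServer PowerShell module on a Windows Server 2012 DNS server. This is an added example, not a script from the course; it assumes the GlobalNames zone is stored in Active Directory and replicated forest-wide, that Data.corp.com already has an A record in the corp.com zone, and that you run it as a DNS administrator.

```powershell
# Added example (not from the course): create a GlobalNames zone with the
# DnsServer module. Assumptions: AD-integrated, forest-wide replication,
# and Data.corp.com already exists as an A record in its own zone.
Import-Module DnsServer

# Step 1: enable GlobalNames zone support. The course uses the Dnscmd utility
# for this step; the equivalent command is:
#   dnscmd /config /enableglobalnamessupport 1
Set-DnsServerGlobalNameZone -Enable $true

# Step 2: create the GlobalNames zone. Dynamic updates are turned off so that
# clients cannot register arbitrary single-label names in it themselves.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope 'Forest' -DynamicUpdate 'None'

# Step 3: add the alias. The single-label name Data now resolves to
# Data.corp.com for clients in every DNS domain the server serves.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'Data' -HostNameAlias 'Data.corp.com'

# Checks: the zone must not accept dynamic updates ...
Get-DnsServerZone -Name 'GlobalNames' | Select-Object ZoneName, DynamicUpdate, ReplicationScope

# ... and the alias must resolve from a client whose primary suffix is not corp.com.
Resolve-DnsName -Name 'Data'
```

Because GlobalNames entries are created by hand and never dynamically updated, the zone is also a good place to look when troubleshooting a single-label name that resolves to an unexpected host: any record in it overrides the client's suffix search.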

How to Configure DNSSEC
Although DNSSEC was supported in Windows Server 2008 R2, most of the configuration and administration was performed manually, and zones were signed while they were offline. Windows Server 2012 includes a DNSSEC wizard to simplify the configuration and signing process, and enables online signing.

Deploying DNSSEC
To deploy DNSSEC:

1. Install Windows Server 2012 in the environment and assign the server the DNS role. Typically a domain controller also acts as the DNS server. However, that is not a requirement.

2. Sign the DNS zone by using the DNSSEC configuration wizard in the DNS Manager console.

3. Configure trust anchor distribution points.

4. Configure the NRPT on the client computers.

Assign the DNS Server Role
To add the DNS server role, from the Server Manager Dashboard, use the Add Roles and Features Wizard. You can also add this role when you add the AD DS role. Configure the primary zones on the DNS server. After a zone is signed, any new DNS server on Windows Server 2012 automatically receives the DNSSEC parameters.

Sign the Zone


To access the DNSSEC zone signing wizard, right-click the primary zone. You can sign zones on any Windows Server 2012 DNS server that hosts a primary copy of the zone. You cannot configure DNSSEC on secondary zones. The wizard guides you through all the configuration steps required to sign the zone.

The following signing options are available:

• The Configure the zone signing parameters option guides you through the steps and enables you
to set all values for the Key Signing Key (KSK) and the Zone Signing Key (ZSK).

• The Sign the zone with parameters of an existing zone option enables you to keep the same
values and options as another signed zone.

• The Use recommended settings option signs the zone by using the default values.

Note: Zones can also be unsigned by using the DNSSEC management user interface.

Configure Trust Anchor Distribution Points


If the zone is Active Directory integrated, you should select to distribute the trust anchors to all the DNS servers in the forest. If trust anchors are required on computers that are not joined to the domain, for example, a DNS server in the perimeter network (also known as DMZ, demilitarized zone, or screened subnet), the trust anchors have to be distributed to them outside Active Directory, and you should enable automatic update of trust anchors on key rollover (RFC 5011) so that those servers keep a valid trust anchor after the key is replaced.

Configure NRPT on Client Computers


The DNS client computer only performs DNSSEC validation on domain names where it is configured to
do so by the NRPT. A client computer running Windows® 7 is DNSSEC aware, but does not perform
validation. It relies on the security aware DNS server to perform validation on its behalf.

Demonstration: Configuring DNSSEC


In this demo you will see how to use the wizard in the DNS management console to configure DNSSEC.

Demonstration Steps
1. Log on to LON-DC1 as Adatum\Administrator.

2. Start the DNS Management console.

3. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.

4. Verify the DNSKEY resource records were created in the Trust Points zone.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix and requires DNS client computers to check that the name and address data is
validated.
6. Close all open windows.
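The deployment steps and the demonstration above, expressed as DnsServer, DnsClient and GroupPolicy module commands run on LON-DC1. This is an added example and not the course's lab script. The zone and server names (Adatum.com, LON-DC1) are from the course; the GPO name DNSSEC-NRPT and the host name lon-dc1.adatum.com are assumptions made for the example.

```powershell
# Added example (not from the course): sign Adatum.com, verify the trust
# anchors, publish an NRPT rule through Group Policy, and check that a client
# actually validates. Assumed names: GPO 'DNSSEC-NRPT', host lon-dc1.adatum.com.
Import-Module DnsServer, DnsClient, GroupPolicy

# Demo step 3: sign the zone with the recommended (default) settings. This
# generates the KSK and ZSK and adds the DNSKEY, RRSIG, NSEC/NSEC3 and DS records.
Invoke-DnsServerZoneSign -ZoneName 'Adatum.com' -SignWithDefault -Force

# Demo step 4: the zone reports IsSigned, DNSKEY records exist, and the
# DNSKEY trust anchors have been placed in the Trust Points zone.
Get-DnsServerZone -Name 'Adatum.com' | Select-Object ZoneName, IsSigned
Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType DnsKey
Get-DnsServerTrustAnchor -Name 'Adatum.com'

# Demo step 5: a dedicated GPO linked at the domain root carrying one NRPT
# rule. Without -DnsSecValidationRequired a client accepts unvalidated answers.
New-GPO -Name 'DNSSEC-NRPT' | New-GPLink -Target 'DC=adatum,DC=com'
Add-DnsClientNrptRule -GpoName 'DNSSEC-NRPT' -Namespace '.adatum.com' `
    -DnsSecEnable -DnsSecValidationRequired

# On a client after 'gpupdate /force': confirm the rule is in effect, then
# query with the DO bit set. A validated answer comes back with the AD flag;
# a client with no matching NRPT rule never asks for validation at all.
Get-DnsClientNrptPolicy | Where-Object Namespace -eq '.adatum.com'
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type A -DnssecOk
```

Note that a Windows 7 client will show the NRPT rule but still relies on the DNS server to validate on its behalf, so the AD flag you see there is the server's verdict, not the client's.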

What's New in DHCP in Windows Server 2012
DHCP failover is a new feature for Windows Server 2012. It addresses the issue of client computers losing connectivity to the network and all its resources if there is a DHCP server failure.

Another new feature in Windows Server 2012 is DHCP name protection. Names that are registered in DNS by DHCP on behalf of systems must be protected from being overwritten by non-Microsoft systems that have the same name. For example, a Unix-based system named Client1 could potentially overwrite the DNS address that was assigned and registered by DHCP on behalf of a Windows-based system also named Client1. DHCP name protection addresses this issue.

DHCP Failover
DHCP client computers renew their lease on their IP address at regular, configurable intervals. If the DHCP server service fails, then leases time out, and eventually client computers no longer have IP addresses. In the past, DHCP failover was not possible because DHCP servers were independent and unaware of one another. Configuring two separate DHCP servers to distribute IP addresses within the same pool could lead to duplicate address assignment if the administrator incorrectly configured overlapping ranges. The DHCP server failover feature enables an alternative DHCP server to distribute IP addresses and associated option configuration to the same subnet or scope. Lease information is replicated between the two DHCP servers. If one of the DHCP servers fails, then the other DHCP server services the client computers for the whole subnet. In Windows Server 2012 you can configure one alternative DHCP server for failover. Additionally, only IPv4 scopes and subnets are supported because IPv6 uses a different IP address assignment scheme.

Note: For more information about DHCP options in IPv6, see:
http://technet.microsoft.com/en-us/library/cc753493.

DHCP Name Protection
"Name squatting" describes the problem where a DHCP client computer registers a name with DNS, but that name is actively being used by another computer. The original computer then becomes inaccessible. This problem typically occurs between non-Windows systems that have duplicate names of Windows systems. DHCP Name Protection uses a resource record known as a DHCID to keep track of which computer originally requested the name. This record is provided by the DHCP server and stored in DNS. When the DHCP server receives a request to update a host record that is currently associated with a different computer, the DHCP server can verify the DHCID in DNS to check whether the requester is the original owner of the name. If it is not the same computer, the record in DNS is not updated. To resolve this issue, either the current host name owner must release the IP address, or the requester must use a different host name. You can implement name protection for both IPv4 and IPv6. Configuration is set on the DNS tab of the properties page at the IPv4 or IPv6 node level or at the scope level.
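Name protection as DhcpServer module commands, with the DNS-side check that shows what it relies on. This is an added example, not the course's own; the scope ID 172.16.0.0, the zone adatum.com and the host client1 are assumed names (Client1 is the host from the example above).

```powershell
# Added example (not from the course): enable DHCP name protection at the
# server level and at one scope, then confirm the DHCID record that makes
# the protection possible. Assumed: scope 172.16.0.0, zone adatum.com, host client1.
Import-Module DhcpServer, DnsServer

# Server-wide (IPv4 node) setting. DynamicUpdates must allow the DHCP server
# to register records, otherwise there is nothing for name protection to guard.
Set-DhcpServerv4DnsSetting -NameProtection $true -DynamicUpdates 'OnClientRequest'

# Scope-level override: only this scope gets name protection.
Set-DhcpServerv4DnsSetting -ScopeId 172.16.0.0 -NameProtection $true

# The IPv6 side has the same switch.
Set-DhcpServerv6DnsSetting -NameProtection $true

# Verify the effective setting for the scope.
Get-DhcpServerv4DnsSetting -ScopeId 172.16.0.0 | Select-Object NameProtection, DynamicUpdates

# After a protected client has registered, its host record is accompanied by a
# DHCID record; a conflicting registration for the same name from a different
# client is refused because its DHCID does not match.
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'client1' |
    Where-Object RecordType -eq 'DHCID'
```

If the DHCID record is absent for a client that should be protected, check that the DHCP server (not the client) is performing the registration for that client class; name protection only covers records the DHCP server registers.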

How to Configure Failover for DHCP
To configure failover of DHCP you must establish a failover relationship between the two servers. You must give this relationship a unique name. This name is exchanged with the failover partner during the configuration. This enables a single DHCP server to have multiple failover relationships with other DHCP servers, as long as they all have unique names. Failover is configured through a wizard that you can start on the shortcut menu of the IPv4 node or the scope node.

Note: DHCP failover is time sensitive. Time must be kept synchronized between the partners in the relationship. If the time difference is greater than one minute the failover process will stop with a critical error.

Configure Maximum Client Lead Time
The administrator configures the Maximum Client Lead Time (MCLT) parameter to determine the time that a DHCP server waits if the partner is unavailable before assuming control of the whole address range. This value cannot be zero and the default is one hour.

Configure Failover Mode
Failover can be configured in one of two modes:

Mode Characteristics

Hot Standby Mode In this mode one server is the primary server and the other is a secondary. The primary server actively distributes IP configurations for the scope or subnet. The other DHCP server will only take over this role if the primary server becomes unavailable. A DHCP server can act as the primary for one scope or subnet while it is the secondary for another. Administrators must configure a percentage of the scope addresses to be assigned to the standby server. These addresses are distributed during the MCLT interval if the primary server is down. The default value is 5 percent of the scope. The secondary takes control of the whole range after the MCLT has passed. Hot Standby mode is best suited to deployments where a disaster recovery (DR) site is located at a different location. Then, the DHCP server does not service client computers unless there is an outage of the main server.

Load Sharing Mode This is the default mode. In this mode both servers concurrently distribute IP configuration to client computers. Which server responds to IP configuration requests depends on how the administrator configures the load distribution ratio. The default ratio is 50:50.

Configure Auto State Switchover Interval
When a server loses contact with its partner it goes into a communication interrupted state. Because the server cannot determine what is causing the communication loss, it stays in this state until the administrator manually changes it to a partner down state. The administrator can also enable automatic transition to the partner down state by configuring the auto state switchover interval. The default value for this interval is 10 minutes.

Configure Message Authentication


Windows Server 2012 enables you to authenticate the failover message traffic between the replication
partners. The administrator can establish a shared secret, much like a password, in the configuration
wizard for DHCP failover. This validates that the failover message comes from the failover partner.

Firewall Considerations
DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following incoming
and outgoing firewall rules:

• Microsoft-Windows-DHCP-Failover-TCP-In

• Microsoft-Windows-DHCP-Failover-TCP-Out

Configure DHCP Failover


The Configuration Failover Wizard steps you through the process of creating a failover relationship. The
wizard prompts you to enter the following information:

• Name of the relationship

• Which scopes are selected for failover


• Name of the partner server

• The MCLT

• The Mode

• The Load Balance Percentage

• The Auto State Switchover Interval

• Message Authentication setting


• A shared secret

The failover relationship can then be modified as required through the Failover tab in the properties
of IPv4.

Demonstration: Configuring Failover for DHCP


In the demonstration you will see how to use the DHCP console to configure DHCP failover in load
sharing mode.

Demonstration Steps
1. Log on to LON-SVR1 as the Adatum\administrator.

2. Start the DHCP console and view the current state of DHCP. Note the server is authorized but no
scopes are configured.

3. Switch to LON-DC1.

4. Open the DHCP Management console and start the Configure Failover Wizard.

5. Configure failover replication with the following settings:


o Partner server = 172.16.0.21

o Relationship Name = Adatum

o Maximum Client Lead Time = 15 minutes


o Mode = Load balance

o Load Balance Percentage = 50%

o State Switchover Interval = 60 minutes

o Message authentication shared secret: Pa$$w0rd

6. Complete the wizard.
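The failover demonstration above as DhcpServer module commands run on LON-DC1, the server that holds the scope, with the two pre-checks a practitioner wants before creating the relationship. This is an added example and not the course's lab script. The partner address, relationship name, MCLT, switchover interval, mode and shared secret are the demonstration's values; the scope ID 172.16.0.0 is an assumption, because the demonstration does not name the scope.

```powershell
# Added example (not from the course): create the load-balance failover
# relationship from the demonstration and verify it on both partners.
# Assumed: the scope to protect is 172.16.0.0 and LON-SVR1 is 172.16.0.21.
Import-Module DhcpServer

# Pre-check 1: clock skew. The failover protocol stops with a critical error
# when the partners differ by more than one minute.
w32tm /stripchart /computer:172.16.0.21 /samples:3 /dataonly

# Pre-check 2: the rules for TCP 647 that the DHCP role installed are enabled.
Get-NetFirewallRule | Where-Object Name -like 'Microsoft-Windows-DHCP-Failover-TCP-*' |
    Select-Object Name, Enabled, Direction

# Create the relationship with the demonstration's settings. -SharedSecret
# turns on message authentication of failover traffic; in production use a
# long random value instead of the lab password.
Add-DhcpServerv4Failover -Name 'Adatum' -PartnerServer '172.16.0.21' -ScopeId 172.16.0.0 `
    -LoadBalancePercent 50 -MaxClientLeadTime 00:15:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret 'Pa$$w0rd' -Force

# Hot standby instead of load balance: this server is active and 5 percent of
# the scope is reserved for the standby partner during the MCLT.
#   Add-DhcpServerv4Failover -Name 'Adatum-HS' -PartnerServer '172.16.0.21' -ScopeId 172.16.0.0 `
#       -ServerRole Active -ReservePercent 5 -MaxClientLeadTime 01:00:00 -SharedSecret '...' -Force

# Verify: same name, mode and state on both partners, and the scope now
# exists on the partner as well (the wizard replicates it on completion).
Get-DhcpServerv4Failover -Name 'Adatum' |
    Select-Object Name, Mode, State, LoadBalancePercent, MaxClientLeadTime, StateSwitchInterval, EnableAuth
Get-DhcpServerv4Failover -ComputerName '172.16.0.21' -Name 'Adatum' | Select-Object Name, Mode, State
Get-DhcpServerv4Scope -ComputerName '172.16.0.21' -ScopeId 172.16.0.0
```

The State value should read Normal on both servers once the initial lease synchronization finishes; Communication Interrupted on only one side usually points at the firewall rule or clock skew checked at the top of the script.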



Lesson 2
Implementing IP Address Management
With the development of IPv6 and more and more devices requiring IP addresses, networks have become very complex and difficult to manage. Windows Server 2012 has implemented IP Address Management (IPAM) as a tool to manage IP addresses.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe IPAM.

• Describe the IPAM architecture.

• Describe the requirements for IPAM.

What is IP Address Management?
IP management is difficult in large networks because tracking IP address usage is largely a manual operation. IPAM is a framework for discovering, utilization monitoring, auditing, and managing the IP address space in a network. IPAM enables the administration and monitoring of DHCP and DNS. IPAM provides a comprehensive view of where IP addresses are used. IPAM collects information from domain controllers and Network Policy Servers (NPS) and stores that information in the Windows Internal Database.

IPAM assists in the areas of IP administration shown in the following table.

IP Administration Area IPAM Capabilities

Planning Provides a tool set that can reduce the time and expense of the planning process when changes occur in the network.

Managing Provides a single point of management and assists in optimizing utilization and capacity planning for DHCP and DNS.

Tracking Enables tracking and forecasting of IP address utilization.

Auditing Assists with compliance requirements, such as HIPAA and Sarbanes-Oxley, and provides reporting for forensics and change management.

Benefits of IPAM
IPAM benefits include:

• IPv4 and IPv6 address space planning and allocation.

• IP address space utilization statistics and trend monitoring.

• Static IP inventory management, lifetime management and DHCP and DNS record creation and deletion.

• Service and zone monitoring of DNS services.

• IP address lease and logon event tracking.

• Role-based access control.

• Remote administration support through Remote Server Administration Tools (RSAT).

Note: IPAM does not support management and configuration of non-Microsoft network elements.

IPAM Architecture
IPAM consists of four main modules, as shown in the following table:

Module Description

IPAM discovery You use Active Directory to discover servers running Windows Server 2008 and later versions that have DNS, DHCP, or AD DS installed. Administrators can define the scope of discovery to a subset of domains in the forest. They can also manually add servers.

IP address space management (ASM) You can use this module to view, monitor and manage the IP address space. You can dynamically issue or statically assign addresses. You can also track address utilization and detect overlapping DHCP scopes.

Multi-server management and monitoring You can manage and monitor multiple DHCP servers. This enables tasks to be executed across multiple servers. For example, you can configure and edit DHCP properties and scopes and track the status of DHCP and scope utilization. You can also monitor multiple DNS servers, and monitor the health and status of DNS zones across authoritative DNS servers.

Operational auditing and IP address tracking You can use the auditing tools to track potential configuration problems. You can also collect, manage, and view details of configuration changes from managed DHCP servers. You can also collect address lease tracking from DHCP lease logs, and collect logon event information from Network Policy Servers (NPS) and domain controllers.

The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three topologies:

• Distributed – An IPAM server is deployed to every site in the forest.

• Centralized – Only one IPAM server is deployed in the forest.

• Hybrid – A central IPAM server is deployed together with a dedicated IPAM server in each site.

Note: IPAM servers do not communicate with one another or share database information. If you deploy multiple IPAM servers, you must customize the discovery scope of each server.

IPAM has two main components:

• IPAM Server – performs the data collection from the managed servers. It also manages the Windows Internal Database and provides role-based access control.

• IPAM Client – provides the client computer user interface, interacts with the IPAM server, and invokes PowerShell to perform DHCP configuration tasks, DNS monitoring and remote management.

Requirements for IPAM Implementation
You must meet several prerequisites to ensure a successful IPAM deployment:

• The IPAM server must be a domain member, but cannot be a domain controller.

• The IPAM server should be a single-purpose server. Do not install other network roles such as DHCP or DNS on the same server.

• To manage the IPv6 address space, IPv6 must be enabled on the IPAM server.

• Log on to the IPAM server with a domain account, not a local account.

• You must be a member of the correct IPAM local security group on the IPAM server.

• Ensure that logging of account logon events is enabled on DC and NPS servers for the IP Address Tracking and auditing feature of IPAM.

Hardware and software requirements:

• Dual core processor of 2.0 GHz or higher

• Windows Server 2012 operating system

• 4 GB of RAM or more

• 80 GB of free hard disk space

Demonstration: Implementing IPAM


In this demonstration you will see how to install IPAM. You will also see how to create the related GPOs
and begin server discovery.

Demonstration Steps
1. Log on to LON-SVR1 as Adatum\Administrator.

2. In Server Manager add the IPAM feature and all required supporting features.

3. From the IPAM Overview pane provision the IPAM server by using Group Policy.
4. Enter IPAM as the GPO name prefix and provision IPAM.

5. From the IPAM Overview pane configure server discovery for the Adatum domain.

6. From the IPAM Overview pane start the server discovery process.
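The prerequisite list and demonstration steps 2 to 4 above as PowerShell, run on LON-SVR1 with a domain account. This is an added example and not the course's own script. The Windows Server 2012 IpamServer module covers installation and Group Policy provisioning; server discovery (steps 5 and 6) is still started from the IPAM Overview pane as in the demonstration. The domain and server names are the course's lab names; the prerequisite checks and the audit-policy check are additions.

```powershell
# Added example (not from the course): check the IPAM prerequisites, install
# the feature and provision the IPAM GPOs. Lab names: adatum.com, LON-SVR1.

# Prerequisites: a domain member server (Win32_ComputerSystem.DomainRole 3),
# not a domain controller (4 or 5), logged on with a domain account, and no
# DHCP or DNS role on the same server.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.DomainRole -ne 3) {
    throw "IPAM requires a domain member server that is not a DC (DomainRole=$($cs.DomainRole))"
}
if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
    throw 'Log on with a domain account, not a local account'
}
Get-WindowsFeature -Name DHCP, DNS | Where-Object Installed |
    ForEach-Object { Write-Warning "$($_.Name) is installed; IPAM should be a single-purpose server" }

# Demo step 2: the IPAM feature with its supporting features.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# Demo steps 3 and 4: provision through Group Policy with the prefix IPAM.
# This creates the IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS GPOs that open the
# firewall on managed servers and grant the IPAM server access to their
# event logs and configuration.
Invoke-IpamGpoProvisioning -Domain 'adatum.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'LON-SVR1.adatum.com' -Force

# Verify the GPOs exist before starting discovery from the Overview pane.
Get-GPO -All | Where-Object DisplayName -like 'IPAM_*' | Select-Object DisplayName, GpoStatus

# IP address tracking needs account logon auditing on DCs and NPS servers.
# Run this on a domain controller; "Success" must appear for the category.
auditpol /get /category:"Account Logon"
```

The GPOs only take effect on a managed server after it has been marked as managed in IPAM and has refreshed Group Policy, which is why discovery shows servers as Unblocked only after that refresh.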

Lesson 3
NAP Overview
NAP is a policy-enforcement platform that is built into Windows XP with Service Pack 3 (SP3) and later operating systems, and into Windows Server 2008 and later operating systems. NAP enables you to protect network assets by enforcing compliance with system-health requirements. NAP provides the necessary software components to help ensure that computers that are connected or connecting to the network remain manageable so that they do not become a security risk to the network and other attached computers.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe NAP.

• Describe NAP architecture.

• Describe scenarios for using NAP.

• Describe the considerations for using NAP.

What is NAP?
NAP enforces client computer health before it enables client computers to access the network. Client health can be based on characteristics such as antivirus software status, Windows Firewall status, or the installation of security updates. The monitored characteristics are based on which system health agents are installed.

NAP enables you to create solutions for validating computers that connect to your networks, in addition to providing needed updates or access to needed health update resources, and limiting the access or communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors or with custom programs. You can customize the health-maintenance solution that developers within your organization might develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access to a restricted network of computers that do not meet health policy requirements.

NAP does not protect a network from malicious users. Instead, it enables you to maintain the health of your organization's networked computers automatically, which in turn helps maintain the network's overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and has unlimited network access. NAP does not prevent an authorized user who has a compliant computer from uploading a malicious program to the network or engaging in other unsuitable behavior.

Also, unless configured specifically, NAP cannot determine whether a client computer is free of viruses, trojans, rootkits or malware. Default behavior is to check for compliance in having current antivirus software and configurations.

Features of NAP
NAP has three important and distinct features:

• Health state validation: When a client computer tries to connect to the network, NAP validates the computer's health state against the health-requirement policies that the administrator defines. You can also define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies could find their access limited to a restricted network.

• Health policy compliance: You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers have network access before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are completed. In both environments, computers that are compatible with NAP can become compliant automatically and you can define exceptions for computers that are not NAP compatible.

• Limited Access: You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific time, or on the resources that the noncompliant computer can access. In the latter case, you define a restricted network that contains health update resources, and the limited access lasts until the noncompliant computer comes into compliance. You can also configure exceptions so that computers that are incompatible with NAP do not have limited network access.

What's New for NAP in Windows Server 2012

Support for Windows PowerShell
You can now use Windows PowerShell to automate the installation of the Network Policy and Access Services server role. You can also use Windows PowerShell to deploy and configure some aspects of Network Policy Server.

Removed Functionality
In Windows Server 2008 R2 and Windows Server 2008, Network Policy and Access Services included the Routing and Remote Access Service role service. In Windows Server 2012, RRAS is now a role service in the Remote Access server role.

NAP Architecture
The following table describes the NAP components.

Components Description

NAP Clients Computers that support the NAP platform for system health-validated network access or communication. Client architecture consists of:
• NAP enforcement client (EC): ECs monitor attempts to connect to the network. Different EC components exist for different types of network access.
• System health agents (SHA): SHAs report on one or more elements of system health. For example, there might be an SHA for checking antivirus definitions and another for checking Windows updates. The SHA returns a statement of health (SoH) to the NAP agent, which passes it to the NAP health policy server for evaluation.
• NAP agent: Collects and stores SoHs from the SHAs and supplies them to the ECs when requested.

NAP enforcement points NAP enforcement points are computers or network-access devices that use NAP to evaluate a NAP client computer's health state. NAP enforcement points rely on policies from a Network Policy Server (NPS) to perform that evaluation and determine whether network access or communication is enabled, and the set of remediation actions that a noncompliant NAP client computer must perform.
NAP enforcement points can include:
• Health Registration Authority (HRA) is a server running Windows Server 2012 with Internet Information Services (IIS) installed that obtains health certificates from a certification authority (CA) for compliant computers.
• VPN server is a Windows Server 2012 server that runs Routing and Remote Access, and that enables remote access VPN intranet connections.
• DHCP server is a Windows Server 2012 server that runs the DHCP Server service.
• Network access devices are Ethernet switches or wireless access points that support IEEE 802.1X authentication.

NAP health policy servers Windows Server 2012 servers that run the NPS service, store health-requirement policies and provide health-state validation for NAP. NPS replaces the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. The NAP health policy server has the following components:
• NPS service: Receives RADIUS requests, extracts the System Statement of Health (SSoH) and passes it to the NAP administration server component.
• NAP Administration Server: Passes SoHs between the NPS service and the SHVs and collects their responses.
• System Health Validators (SHV): You define SHVs for system health elements and match each one to an SHA. An example would be an SHV for antivirus software that tracks the latest version of the antivirus definition file.
NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2012-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

AD DS AD DS stores account credentials and properties, and stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network This is a separate logical or physical network that has the following components:
• Remediation servers that contain health update resources, such as antivirus definition distribution points and Windows software update servers, which NAP client computers can access to remedy their noncompliant state.
• NAP client computers that have limited access are placed on the restricted network when they do not comply with health-requirement policies.

Scenarios for Using NAP

NAP provides a solution for the common scenarios described in this section. Depending on your needs, you can configure a solution to address any of these scenarios for your network.

Roaming Portable Computers

Portability and flexibility are two primary advantages of portable computers, but these features also present a system health threat. Users frequently connect their portable computers to other networks. When users are away from your organization, their portable computers might not receive the most recent software updates or

configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the portable computers. NAP lets you check any portable computer's health state when it reconnects to the organization's network, whether through a VPN, a DirectAccess connection, or the workplace network connection.

Desktop Computers

Although desktop computers are usually not taken out of the company building, they still can present a threat to the network. To minimize this threat, you must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from websites, email, files from shared folders, and other publicly available resources. NAP enables you to automate health state checks to verify each desktop computer's compliance with health-requirement policies. You can check log files to determine which computers do not comply. Additionally, management software enables you to generate automatic reports and automatically update noncompliant computers. When you change health-requirement policies, computers can be provisioned automatically with the most recent updates.

Visiting Portable Computers

Organizations frequently have to enable consultants, business partners, and guests to connect to their private networks. The portable computers that these visitors bring into your organization might not meet system health requirements and can present health risks. NAP enables you to determine which visiting portable computers are noncompliant and limit their access to restricted networks. Typically, you would not require or provide any updates or configuration changes for visiting portable computers. You can configure Internet access for visiting portable computers, but not for other organizational computers that have limited access.

Unmanaged Home Computers

Unmanaged home computers that are not a member of the company's Active Directory domain can connect to a managed company network through VPN. Unmanaged home computers provide an additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements, such as the use of antivirus software, more difficult. However, NAP enables you to verify the health state of a home computer every time that it makes a VPN connection to the company network, and to limit its access to a restricted network until it meets system health requirements.

Considerations for NAP

Before you implement NAP, you must consider the following points.

Considerations for NAP Client Computer Deployment

Before you can use NAP on client computers, you must configure the NAP settings. Although you can use Netsh commands to configure all aspects of the NAP client computer, Group Policy is the preferred method of deploying client computer settings. The NAP Client Configuration console and the NAP client computer configuration settings in the Group Policy Management Console provide a graphical user interface for configuring NAP client computer settings.

Consideration for a NAP Enforcement Type


Deciding on the best enforcement type for your organization is very important.

NAP provides four mechanisms:

• VPN: The VPN server acts as a RADIUS client and forwards the connecting computer's statement of health to the Network Policy Server (NPS), which evaluates it and returns the access decision; noncompliant clients are confined by IP packet filters. This method requires a computer certificate to perform PEAP-based user or computer authentication.

• DHCP: The DHCP server forwards the health state to the NPS, which determines the client computer's compliance and instructs the DHCP server to hand out either a full or a restricted IP configuration. Because a client with a static IP address never talks to DHCP, this is the weakest enforcement method.

• IPsec: The Health Registration Authority (HRA) obtains health certificates for compliant computers, and IPsec policies restrict noncompliant computers to a limited set of peers until they remediate. This method requires a certification authority that issues health certificates to the HRA, not PEAP-based authentication.

• 802.1X: Enforcement happens at an 802.1X-authenticating switch or wireless access point, which can place noncompliant clients on a restricted VLAN. This is the best solution when integrating hardware from other vendors.

Considerations for a Remediation Network


You can provide a remediation network as a location for client computers that are out of compliance to
resolve issues and then gain access to the network. It is important to make the remediation network a
place where client computers can gain the required updates or definitions without help desk intervention.

Administrative Effort and Support


NAP is not a simple solution to implement and requires a good level of understanding and ongoing
support.

Lesson 4
Implementing NAP

There are different NAP procedures, depending on the type of enforcement you are implementing. This lesson describes the main requirements for each of the NAP enforcement methods.

Lesson Objectives

After completing this lesson you will be able to:

• Describe the requirements for implementing NAP.

• Describe the requirements for NAP with VPN.

• Describe the requirements for NAP with IPsec.

• Describe the requirements for NAP with DHCP.

• Describe the requirements for NAP with 802.1X.

Requirements for Implementing NAP

All NAP enforcement methods require that the NAP Agent service is running on the client computer and that at least one enforcement client is enabled. Depending on the desired enforcement method there may be other services and settings required.

A Network Policy Server (NPS) is required to create and enforce organization-wide network access policies for client computer health, connection request authentication, and authorization. The NPS can also act as a RADIUS server. The NPS evaluates the statements of health (SoH) sent by NAP client computers.

System Health Validators (SHVs) are required to determine what the system health policy checks for. SHVs can check for Windows Firewall settings, antivirus and spyware protection, Windows Updates, and so on.

Health policies compare the state of a client computer's health against the SHVs that corporate requirements define, and determine whether the client computer is compliant or noncompliant with the corporate policy. A health policy can be defined to check one of the following:

• Client passes all SHV checks

• Client fails all SHV checks

• Client passes one or more SHV checks

• Client fails one or more SHV checks

Network policies are required to determine what happens if the client computer requesting network access is compliant or noncompliant. These policies determine what level of access, if any, the client computer will receive to the network.

A certification authority (CA) is required to issue computer certificates to validate computer identity if Protected EAP (PEAP) is used for authentication. This may be an enterprise CA or a third-party CA.

Remediation networks are not an absolute requirement, but can provide a means for a client computer to become compliant. For example, a network policy can direct a noncompliant client computer to a network segment that contains a Web site from which the client computer can obtain current virus definitions or Windows Updates.

NAP with VPN

NAP enforcement for the VPN method works by using a set of remote access IP packet filters to limit the traffic of a noncompliant VPN client computer so that it can only reach the resources on the restricted network. Compliant client computers will be granted full access. VPN servers enforce the health policy for computers that are considered to be noncompliant by applying the filters.

Note: Site-to-site VPN connections do not support NAP health evaluation.

To deploy NAP with VPN you must:

• Install RRAS as a VPN server and configure the NPS as the primary RADIUS server.

• Configure the VPN servers as RADIUS clients in the NPS.

• Configure a connection request policy with the source set to the VPN server.

• Configure SHVs to test for health conditions.

• Create compliant health policies to pass selected SHVs and a noncompliant health policy to fail selected SHVs.

• Configure a network policy with the source set to the VPN server. Full access will be granted to compliant computers and limited access to noncompliant computers.

• Enable the NAP Remote Access and EAP enforcement clients on client computers. You can do this by using Group Policy or local policy settings.

• Enable the NAP agent service on client computers.

• Issue computer certificates to use PEAP authentication.

NAP with IPsec

NAP IP security (IPsec) enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements.

To implement NAP with IPsec you must:

• Configure a certification authority (CA) to issue health certificates: the System Health Authentication template must be issued and the HRA must be granted permission to enroll the certificate.

• Install Health Registration Authority (HRA): the HRA is a component of NAP that is central to IPsec enforcement. The HRA obtains health certificates on behalf of NAP client computers when they are compliant with network health requirements. These health certificates authenticate NAP client computers for IPsec-protected communications with other NAP client computers on an intranet. If a NAP client computer does not have a health certificate, the IPsec peer authentication fails.

• Select authentication requirements: the HRA can provide health certificates to authenticated domain users only, or optionally provide health certificates to anonymous users.

• Configure the NPS server with the required health policies.

• Configure NAP client computers for IPsec NAP enforcement: the NAP agent must be running and the NAP IPsec enforcement client (EC) must be enabled. You can do this through Group Policy, local policy, or Netsh commands.

• Use IPsec policies to create logical networks: IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are:

o Secure network - Computers on the secure network have health certificates and require that incoming communication is authenticated by using these certificates.

o Boundary network - Computers on the boundary network have health certificates, but do not require IPsec authentication of incoming communication attempts.

o Restricted network - Computers on the restricted network do not have health certificates.

NAP with DHCP

NAP enforcement can be integrated with DHCP so that NAP policies can be enforced when a client computer tries to lease or renew its DHCP address. The NPS server uses health policies and SHVs to evaluate client computer health. Based on the evaluation, the NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers.

The components listed in the following table must be defined on the NPS.

Component                   Description

RADIUS client computers     If DHCP is installed on a separate computer, the NAP DHCP server must be
                            configured as a RADIUS client computer in NPS. You must also select
                            RADIUS client computer is NAP-capable.

Network policy              Source must be set to DHCP server. Both compliant and noncompliant
                            policies are set to grant access.

Connection request policy   Source is set to DHCP server. The policy authenticates requests on this
                            server.

Health policies             Must be configured to pass SHVs in the compliant policy and fail SHVs in
                            the noncompliant policy.

SHVs                        Health checks are configured on the NPS server.

NAP agent                   Must be running on the client computer.

IP address configuration    Must be configured to use DHCP. Clients that have a static IP address
                            cannot be evaluated.

Demonstration: Implementing NAP with DHCP

Because you are configuring NPS on the DHCP server you do not have to designate the DHCP server as a RADIUS client computer.

You will configure the policy for all scopes.

Demonstration Steps

1. Install Network Policy and Access Services on LON-DC1.

2. Use the Configure NAP Wizard to create a DHCP enforcement policy.

3. Configure DHCP to enable Network Access Protection for all scopes.

Network Access Protection with 802.1X

You can provide NAP enforcement to an IEEE 802.1X-capable device, such as a wireless access point, authenticating switch, or other network device. NAP enforcement occurs when client computers try to access the network through these devices.

NAP with 802.1X has the following characteristics:

• RADIUS client computers must be added in the NPS console and are identified by host name or IP address.

• A shared secret must be configured in the NPS server and the device to identify the RADIUS client computer.

• Server certificates must be installed and client computers must trust these certificates.

• Network authentication must use EAP authentication methods – secure passwords, smart cards or
other certificates.

• If your access points support VLANs, you can configure that information for NPS. For example, the
restricted network may be a VLAN.

• When you create network policies and connection request policies, the type of network access server
should be set to Unspecified.

• Connection request policies must be configured to use PEAP authentication in the policy.
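The RADIUS client and shared-secret steps above apply equally to the VPN server in "NAP with VPN" and to a separately installed DHCP server in "NAP with DHCP". The following is an added example, not part of the course text, that scripts them on the NPS server with the NPS PowerShell module that ships with the role in Windows Server 2012. "LON-RTR" and its address are assumed values standing in for the VPN server or 802.1X switch; the backup path is also assumed.

```powershell
# Added example (not part of the course text): register a NAP enforcement point as a
# RADIUS client on the NPS server with a randomly generated shared secret, then save
# the NPS configuration. Run elevated on the NPS server (LON-SVR2 in the lab).
Import-Module NPS

function New-RadiusSharedSecret {
    # 32 random bytes, Base64-encoded. RADIUS shared secrets are what stop a rogue
    # device on the network from posing as an enforcement point, so they should not
    # be something a person typed.
    param([int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

$secret = New-RadiusSharedSecret

# NPS identifies the RADIUS client by name and by host name or IP address.
# -NapCompatible $true is the "RADIUS client is NAP-capable" check box that the
# NAP with DHCP table requires; without it the SoH in the request is ignored.
New-NpsRadiusClient -Name "LON-RTR" -Address "172.16.0.1" `
    -SharedSecret $secret -NapCompatible $true | Out-Null

# The same secret must be entered on the device itself. Show it once, then discard it.
Write-Host "Configure this shared secret on LON-RTR: $secret"
Remove-Variable secret

Get-NpsRadiusClient | Format-Table Name, Address, NapCompatible -AutoSize

# Keep a copy of the configuration, as the Module Review best practices recommend.
# The XML export contains the shared secrets in clear text: protect the file as you
# would a password store, not on a shared drive.
New-Item -ItemType Directory -Path "C:\Backup" -Force | Out-Null
Export-NpsConfiguration -Path "C:\Backup\nps-config.xml"
netsh nps show config > "C:\Backup\nps-config.txt"
```

Repeat New-NpsRadiusClient for each enforcement point, with a distinct secret per device; a single shared secret for all switches means one compromised switch can impersonate any of them.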

Lab: Implementing Network Services


Scenario
A. Datum has grown quickly over the last few years in several ways. The company has deployed several
new branch offices, it has significantly increased the number of users in the organization, and it has
expanded the number of partner organizations and customers who are accessing A. Datum websites and
applications. This expansion has resulted in increasing complexity of the network infrastructure at A.
Datum, and has also meant that the organization has to be much more aware of network level security.
IT management and the security group at A. Datum are also concerned with the level of compliance for all
client computers on the network. A. Datum plans to implement NAP for all client computers and all client
computer connections, but is starting with a pilot program to enable NAP for VPN users.
As one of the senior network administrators at A. Datum, you are responsible for implementing the
new features in the Windows Server 2012 environment. You will implement some new DHCP and DNS
features, and then implement IPAM to simplify the process for managing the IP infrastructure. You will
also implement NAP for external VPN users.

Objectives
• Configure new features in DNS and DHCP.
• Configure IP Address Management.

• Configure NAP for VPN client computers.

• Verify the NAP deployment.

Lab Setup
Estimated time: 75 minutes

Virtual Machines 20417A-LON-DC1


20417A-LON-SVR1
20417A-LON-SVR2
20417A-LON-CL1

User Name Adatum\Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2 - 4 for 20417A-LON-SVR1, 20417A-LON-SVR2 and 20417A-LON-CL1.



Exercise 1: Configure new features in DNS and DHCP


Scenario
To increase security in your network, you want to implement new security features in DNS and DHCP.
Also, you want to achieve high availability for IP addressing system. Therefore, you decided to implement
DHCP Failover.

The main tasks for this exercise are as follows:

1. Configure DNSSEC.

2. Configure DHCP Name Protection.

3. Configure DHCP Failover.

X Task 1: Configure DNSSEC


1. On LON-DC1, start the DNS Management console.
2. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.

3. Verify the DNSKEY resource records were created in the Trust Points zone.

4. Close the DNS Management console.


5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix and requires DNS client computers to check that the name and address data is
validated.
6. Close the Group Policy Management Editor and Group Policy Management console.

X Task 2: Configure DHCP Name Protection


1. Start the DHCP Management console.

2. Configure Name Protection for the IPv4 node.

X Task 3: Configure DHCP Failover


1. On LON-SVR1, start the DHCP console and view the current state of DHCP. Note the server is
authorized but no scopes are configured.

2. On LON-DC1, in the DHCP Management console, start the failover wizard.


3. Configure failover replication with the following settings:
o Partner server = 172.16.0.21
o Relationship Name = Adatum
o Maximum Client Lead Time = 15 minutes
o Mode = Load balance
o Load Balance Percentage = 50%
o State Switchover Interval = 60 minutes
o Message authentication shared secret is Pa$$w0rd
o Complete the wizard
4. Switch to LON-SVR1 and notice that the IPv4 node is active and the Adatum scope is configured.

5. Close the DHCP console on both LON-DC1 and LON-SVR1.

Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
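The three tasks in this exercise can also be performed from PowerShell. The following is an added example, not part of the course lab, that carries out the same configuration with the DnsServer, DnsClient, and DhcpServer cmdlets available on Windows Server 2012. Server names, the Adatum.com zone, the partner address 172.16.0.21, and the GPO name are the lab's values or assumed for this example.

```powershell
# Added example (not part of the course lab): a scripted equivalent of Exercise 1.
# Run in an elevated PowerShell session on LON-DC1 with the DnsServer, DnsClient
# and DhcpServer modules present.

# --- Task 1: DNSSEC --------------------------------------------------------------
# Sign Adatum.com with the default key signing key and zone signing key settings.
Invoke-DnsServerZoneSign -ZoneName "Adatum.com" -SignWithDefault -Force

# Signing publishes the zone's DNSKEY as a trust anchor; without one, this server
# cannot validate Adatum.com answers for its clients.
Get-DnsServerTrustAnchor -Name "Adatum.com"

# Publish an NRPT rule through Group Policy. The leading dot makes it a suffix match.
# -DnsSecValidationRequired makes clients refuse names that fail validation instead
# of quietly accepting unsigned or forged answers.
Add-DnsClientNrptRule -GpoName "Default Domain Policy" -Namespace ".adatum.com" `
    -DnsSecEnable -DnsSecValidationRequired

# --- Task 2: DHCP name protection -----------------------------------------------
# Name protection registers a DHCID record with each A/PTR record, so a client that
# claims another machine's host name cannot overwrite that machine's DNS records.
Set-DhcpServerv4DnsSetting -ComputerName "LON-DC1" -NameProtection $true

# --- Task 3: DHCP failover (load balance) ----------------------------------------
# The lab value is used here; in production use a long random secret, because it
# authenticates every failover message exchanged between the two servers.
$failoverSecret = 'Pa$$w0rd'   # single quotes: $$ would expand inside double quotes
$scopeIds = Get-DhcpServerv4Scope -ComputerName "LON-DC1" |
    Select-Object -ExpandProperty ScopeId

Add-DhcpServerv4Failover -ComputerName "LON-DC1" -Name "Adatum" `
    -PartnerServer "172.16.0.21" -ScopeId $scopeIds `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $failoverSecret -Force

# Verify from the partner: the relationship and the replicated scope should now be
# visible on LON-SVR1, which had no scopes before.
Get-DhcpServerv4Failover -ComputerName "172.16.0.21"
Get-DhcpServerv4Scope    -ComputerName "172.16.0.21"
```

Clients pick up the NRPT rule at the next Group Policy refresh; Get-DnsClientNrptPolicy on a client shows whether the rule has arrived.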

Exercise 2: Configuring IP Address Management


Scenario
A. Datum is evaluating solutions for simplifying IP management. Because you implemented Windows
Server 2012, you decide to implement IPAM.

The main tasks for this exercise are as follows:

1. Install the IPAM Feature.

2. Configure IPAM Related GPOs.


3. Configure IP Management Server Discovery.

4. Configure Managed Servers.

5. Configure and Verify a New DHCP Scope with IPAM.

X Task 1: Install the IPAM Feature


• On LON-SVR2, in Server Manager, add the IPAM feature and all required supporting features.

X Task 2: Configure IPAM Related GPOs


1. On LON-SVR2, in Server Manager, click IPAM.

2. From the IPAM Overview pane provision the IPAM server.


3. Enter IPAM as the GPO name prefix.

X Task 3: Configure IP Management Server Discovery


1. From the IPAM Overview pane, configure server discovery for the Adatum domain.

2. From the IPAM Overview pane, start the server discovery process.
3. In the yellow banner, click the More link to determine the discovery status.

X Task 4: Configure Managed Servers


1. From the IPAM Overview pane, add the servers to manage. Verify that IPAM access is currently
blocked for LON-DC1.

2. Start Windows PowerShell and grant the IPAM server permission. Use the following command:

   Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com

3. In the IPAM console, for LON-SVR1 and LON-DC1, set the manageability status to be Managed.

4. Switch to LON-DC1 and refresh Group Policy.

5. Switch to LON-SVR1, and refresh Group Policy.

6. Switch back to LON-SVR2 and refresh the IPAM console view.

7. Switch back to LON-SVR2, and in the IPAM console, configure LON-SVR1 to be Managed.

8. Refresh the Server Access Status and refresh the console view until LON-DC1 and LON-SVR1 show an
IPAM Access Status of Unblocked. This may take 10-15 minutes to complete.

9. From the IPAM Overview pane retrieve data from the managed server.

X Task 5: Configure and Verify a New DHCP Scope with IPAM


1. Use IPAM to create a new DHCP scope called TestScope with the following parameters:

o The scope start address will be 10.0.0.50.

o The scope end address will be 10.0.0.100.

o The subnet mask will be 255.0.0.0.

o The default gateway will be 10.0.0.1.

2. On LON-DC1, verify the TestScope in the DHCP MMC.

3. Right-click the TestScope and then click Deactivate. Click Yes.

4. Close the DHCP console.


5. On LON-SVR2, close all open windows.

Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.

Exercise 3: Configuring NAP


Scenario
A. Datum has identified that remote client computers that connect through VPN have inconsistent
security configurations. Because these client computers access important data, all client computers must
comply with company security policy. To increase the security of your network and better manage client
computers that establish remote connections, you decide to implement NAP for all VPN connections.
The main tasks for this exercise are as follows:

1. Configure Server and Client Certificate Requirements.

2. Install the Network Policy Server Role.

3. Configure Health Policies.

4. Configure Network Policies for Compliant and Noncompliant Computers.

5. Configure Connection Request Policies for VPN.

X Task 1: Configure Server and Client Certificate Requirements


1. On LON-SVR2, create a new management console for Certificates focused on the local computer.

2. Enroll a Computer certificate for LON-SVR2.

3. Switch to LON-CL1 and log on as Adatum\administrator with the password of Pa$$w0rd.


4. Create a new management console for Certificates focused on the local computer.

5. Enroll a Computer certificate for LON-CL1.

X Task 2: Install the Network Policy Server Role


• On LON-SVR2, add the Network Policy Server role service.

X Task 3: Configure Health Policies


1. On LON-SVR2, open the Network Policy Server console.

2. Configure the Windows Security Health Validator to only validate that the Windows Firewall is
enabled.

3. Create two new Health Policies. One for compliant computers that pass all SHV checks and one for
noncompliant computers that fail one or more SHV checks.

X Task 4: Configure Network Policies for Compliant and Noncompliant Computers


1. Configure a network policy for compliant computers in such a way that the health policy allows them
full network access. Name the policy Compliant Full-Access.

2. Configure a network policy for noncompliant computers in such a way that the health policy enables
them to exchange packets with LON-DC1 at 172.16.0.10 only. Name the policy Noncompliant-Restricted.

X Task 5: Configure Connection Request Policies for VPN


1. Disable the two default connection request policies.
2. Configure a new Connection Request Policy called VPN connections.

3. Add conditions for Point to Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP),
and Layer 2 Tunneling Protocol (L2TP).
4. Ensure requests are authenticated on this server and will override network policy authentication.

5. Add Protected Extensible Authentication Protocol (PEAP) and edit it to enforce network access
protection.

Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.

Exercise 4: Verifying the NAP Deployment


Scenario
After you have implemented the NAP infrastructure and configured policies, you want to test NAP with a VPN
client computer.

The main tasks for this exercise are as follows:

1. Configure Security Center.

2. Enable a Client NAP Enforcement Method.

3. Allow Ping on LON-SVR2.

4. Move the Client to the Internet and Establish a VPN Connection.

5. Prepare for the next module.

X Task 1: Configure Security Center


1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Use gpedit.msc to open Local Group Policy and turn on the Security Center.

X Task 2: Enable a Client NAP Enforcement Method


1. Use the NAP Client Configuration MMC to enable the EAP Quarantine Enforcement Client on
LON-CL1.

2. Enable and start the NAP agent service.
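The NAP client settings configured in this task, and in "Considerations for NAP Client Computer Deployment" in Lesson 3, can also be applied from the command line. The following is an added example, not part of the course lab, using the Netsh NAP context that the lesson mentions, wrapped in PowerShell so the result can be checked. The enforcement client IDs are the ones Netsh reports for the Windows NAP client.

```powershell
# Added example (not part of the course lab): enable the EAP Quarantine Enforcement
# Client and the NAP Agent service on a Windows client, then confirm the state.
# Run in an elevated PowerShell session on the client (LON-CL1 in the lab).

# Enforcement client IDs as listed by "netsh nap client show configuration".
$EnforcementClients = @{
    DHCP  = 79617   # DHCP Quarantine Enforcement Client
    RAS   = 79618   # Remote Access Quarantine Enforcement Client
    IPsec = 79619   # IPsec Relying Party
    EAP   = 79623   # EAP Quarantine Enforcement Client (PEAP-based VPN and 802.1X)
}

function Enable-NapEnforcementClient {
    param([Parameter(Mandatory)][int]$Id)
    # Netsh is the supported command-line interface for local NAP client settings.
    netsh nap client set enforcement "ID=$Id" "ADMIN=ENABLE" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not enable enforcement client $Id" }
}

# 1. Enable only the enforcement client this deployment uses. Every enabled client is
#    a NAP decision point the computer will honour, so leave the others off.
Enable-NapEnforcementClient -Id $EnforcementClients.EAP

# 2. The NAP Agent service must be running, and must come back after a reboot.
Set-Service  -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Report the result. An enforcement client shown as enabled here but "not
#    initialized" in the state output usually means the NAP Agent is not running.
netsh nap client show configuration
netsh nap client show state
```

Two caveats matter here. If NAP client settings are also delivered by Group Policy, the Group Policy values take precedence and local Netsh changes are ignored, which is why the lesson recommends Group Policy for deployment. On the client, the Windows Security Health Validator also depends on Security Center being on (Task 1 above); with it off, the agent cannot report firewall state and the client is treated as noncompliant.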

X Task 3: Allow Ping on LON-SVR2


• On LON-SVR2, open Windows Firewall with Advanced Security.

• Configure a new inbound rule that allows ICMPv4 echo packets through the firewall.

X Task 4: Move the Client to the Internet and Establish a VPN Connection
1. Configure LON-CL1 with the following IP address settings:

o IP address: 131.107.0.20

o Subnet Mask: 255.255.0.0


2. In Hyper-V Manager, right-click 20417A-LON-CL1 and then click Settings.

3. Click Legacy Network Adapter and then under Network select Private Network 2, click OK.

4. Verify that you can ping 131.107.0.1.

5. Create a VPN on LON-CL1 with the following settings:

o Name: Adatum VPN

o Internet address: 131.107.0.2


6. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

7. Under Authentication, click Use Extensible Authentication Protocol (EAP).

8. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft:
Protected EAP (PEAP) (encryption enabled) and then click Properties.

9. Ensure that the Verify the server’s identity by validating the certificate check box is already
selected. Clear the Connect to these servers check box, and then ensure that Secured password
(EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast
Reconnect check box and then select the Enforce Network Access Protection check box.

10. Test the VPN connection.

X To prepare for the next module


• Revert virtual machines to their initial state.

Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.

Module Review and Takeaways


Best Practices
• Ensure that IPv6 is enabled on the IPAM server in order to manage IPv6 address spaces.

• Use Group Policy to configure NRPT tables for DNSSEC client computers.

• Disable authentication protocols that you are not using.

• Document the NPS configuration by using netsh nps show config > Path\File.txt to save the
configuration to a text file.

Common Issues and Troubleshooting Tips


Common Issue                                                          Troubleshooting Tip

Unable to connect to the IPAM server.

Noncompliant NAP client computers are being denied network
access instead of being sent to the restricted network.

Review Question
Question: What is a major drawback of IPAM?

Real-world Issues and Scenarios


Scenario: Tailspin Toys wants to implement IPsec NAP enforcement. What infrastructure components
have to be in place to support this method?

Scenario: You have implemented DNSSEC, but now you have to disable DNSSEC. How will you disable
DNSSEC?

Tools
Tool Use Where to find it

DNS Management Console Configure all aspects of DNS In Server Manager under the Tools
drop-down list.

DHCP Management Configure all aspects of DHCP In Server Manager under the Tools
Console drop-down list.

Remote Access Configure remote access such In Server Manager under the Tools
Management Console as VPN drop-down list.

NAP configuration wizard Configure the NAP Open the NPS (Local) console. In
Enforcement Point Getting Started, under Standard
Configuration, select Network Access
Protection (NAP), and then click
Configure NAP.

Module 6
Implementing DirectAccess
Contents:
Module Overview 6-1

Lesson 1: Overview of DirectAccess 6-2

Lesson 2: Installing and Configuring DirectAccess Components 6-14

Lab: Implementing DirectAccess 6-24

Module Review and Takeaways 6-33

Module Overview
Introduced in Windows Server® 2008 R2, the DirectAccess feature is a technology that enables users to
securely connect to data and resources in corporate networks without using traditional virtual private
network (VPN) technology. In Windows Server 2012, DirectAccess is now one of three component
technologies (DirectAccess, Routing, and Remote Access) that is integrated with a single, unified server
role called Windows Server 2012 Remote Access. DirectAccess seamlessly integrates and coexists with
what was formerly called Routing and Remote Access service (RRAS). DirectAccess itself is expanded to
add features such as integrated accounting, express setup for small and medium deployments, and
multiple domain support.

In this module, you will learn how DirectAccess works for internal and external clients. You will also learn
the new DirectAccess features introduced in Windows Server 2012 and Windows® 8. In addition, you will
learn how to install and configure DirectAccess in different scenarios.

Objectives
After completing this module, you will be able to:

• Describe the DirectAccess functionality in Windows Server 2012 and Windows 8.

• Install and configure DirectAccess in Windows Server 2012 and Windows 8.



Lesson 1
Overview of DirectAccess
DirectAccess enables remote users to securely access corporate resources, such as email servers,
shared folders, or internal websites, without connecting to a VPN. Also, DirectAccess provides increased
productivity for a mobile workforce by offering the same connectivity experience both inside and outside
the office. With the new unified management experience, you can configure DirectAccess and older VPN
connections from one location. Other enhancements in DirectAccess include simplified deployment, and
improved performance and scalability. This lesson provides an overview of the DirectAccess architecture
and components.

Lesson Objectives
After completing this lesson, you will be able to:

• Discuss the problems with remote connections.

• Describe the use of DirectAccess.

• Describe the new features of DirectAccess in Windows Server 2012.

• Describe the DirectAccess components.

• Describe the use of the Name Resolution Policy Table.

• Describe how DirectAccess works for internal clients.

• Describe how DirectAccess works for external clients.

Problems with Remote Connections
Organizations often rely on traditional VPN connections to provide remote users with secure
access to data and resources on the corporate network. VPN connections usually need to be configured
manually. This sometimes presents interoperability issues in situations where the users are using multiple
different VPN clients. Additionally, VPN connections face the following problems:

• The user must initiate the VPN connection.

• The connection requires several steps, and the connection process takes at least several
seconds, or even more.

• The connection could require additional configuration on the corporate firewall. If not properly
configured on the firewall, VPN connections usually enable remote access to the entire corporate
network.

• Troubleshooting failed VPN connections can make up a significant portion of Help Desk calls for
many organizations.

Moreover, organizations cannot effectively manage remote computers unless they are connected. VPN-
based remote client computers present a challenge to IT professionals because these computers might
not connect to the internal network for weeks at a time, preventing them from downloading Group Policy
objects (GPOs) and software updates.

Also, if the organization does not require additional health checks in order to establish a network VPN
connection, computers that are not updated and protected on a regular basis may contain malware. This
malware could attempt to spread inside the corporate network through e-mail, shared folders, or
automated network attacks.

DirectAccess Extends the Network to the Remotely-Connected Computers and Users
To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess
to provide a seamless connection between the internal network and the remote computer on the Internet.
With DirectAccess, organizations can effortlessly manage remote computers because they are always
connected.

What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet
resources without first establishing a user-initiated VPN connection. The DirectAccess feature also
ensures seamless connectivity to the application infrastructure for internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet,
DirectAccess enables any IPv6-capable application on the client computer to have complete access to
intranet resources. DirectAccess also enables you to specify resources and client-side applications that
are restricted for remote access.

Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers. Using the same management and update servers, you can ensure they are always up-to-date
and in compliance with security and system health policies. You can also define more detailed access
control policies for remote access when compared with defining access control policies in VPN solutions.

DirectAccess offers the following features:

• Connects automatically to the corporate intranet when connected to the Internet

• Uses various protocols, including HTTPS, to establish IPv6 connectivity; HTTPS is typically allowed
through firewalls and proxy servers

• Supports selected server access and end-to-end Internet Protocol Security (IPsec) authentication with
intranet network servers

• Supports end-to-end authentication and encryption with intranet network servers

• Supports management of remote client computers

• Allows remote users to connect directly to intranet servers

DirectAccess provides the following benefits:

• Always-on connectivity. Whenever the user connects the client computer to the Internet, the client
computer is also connected to the intranet. This connectivity enables remote client computers to
access and update applications more easily. It also makes intranet resources always available, and
enables users to connect to the corporate intranet from anywhere and anytime, thereby improving
their productivity and performance.

• Seamless connectivity. DirectAccess provides a consistent connectivity experience whether the client
computer is local or remote. This allows users to focus more on productivity and less on connectivity
options and process. This consistency can reduce training costs for users, with fewer support incidents.

• Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have access
to intranet resources and you can also have access from the intranet to those DirectAccess clients.
Therefore, DirectAccess can be bidirectional. This ensures that the client computers are always
updated with recent security updates, the domain Group Policy is enforced, and there is no difference
whether the users are on the corporate intranet or on the public network. This bidirectional access
also results in:

o Decreased update time

o Increased security

o Decreased update miss rate

o Improved compliance monitoring

• Manage-out support. This feature is new in Windows Server 2012 and provides the ability to
enable only remote management functionality in the DirectAccess client. This new sub-option of
the DirectAccess client configuration wizard automates the deployment of policies that are used for
managing the client computer. Manage-out support does not implement any policy options that
allow users to connect to the network for file or application access. Manage-out support is
unidirectional, incoming-only access for administration purposes only.

• Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter degree of control allows security architects to precisely control remote
users who access specified resources. You can use a granular policy to specifically define which user
can use DirectAccess, and the location from which the user can access it. IPsec encryption is used for
protecting DirectAccess traffic so that users can ensure that their communication is safe.

• Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and Network
Access Protection (NAP) solutions, resulting in the seamless integration of security, access, and health
requirement policies between the intranet and remote computers.

What's New in DirectAccess in Windows Server 2012
In Windows Server 2012, DirectAccess has several enhancements, especially in regards to
bypassing some common technology issues such as requirements for public key infrastructure (PKI)
and public IP addresses.

Improved DirectAccess Management
DirectAccess in Windows Server 2012 has been improved in the following ways:

• DirectAccess and RRAS coexistence. The Windows Server 2012 DirectAccess and RRAS unified server
role solves the problems of interoperability of Denial of Service Protection (DoSP) and Internet Key
Exchange version 2 (IKEv2).

• Rich monitoring of clients. You can view the health of user computers and servers along with
deployment monitoring and diagnostics in a single console in DirectAccess. Using the dashboard,
you can have top-level information about Remote Access servers and client activity. User and client
computer monitoring can provide you with information on which resources are accessed by the
clients.
• Integrated accounting and reporting. Accounting and reporting is now integrated in the console and
provides the ability to measure specific metrics. It also enables administrators to generate rich usage
reports on various user and server statistics.
• Windows PowerShell® and Server Core support. Windows Server 2012 provides full Windows
PowerShell support for the setup, configuration, management, monitoring, and troubleshooting of
the Remote Access Server Role.

• Unified management wizard and tools. You can use a single wizard and console for DirectAccess
configuration, management, and monitoring.

• Works with existing infrastructure. You do not need to upgrade your existing domain controllers to
Windows Server 2012.

• IPv6 for internal network is no longer required. This is because transition technologies such as network
address translation 64 (NAT64) and Domain Name System 64 (DNS64) allow access to internal
resources that are run only on IPv4 computers. Previously, this functionality was only possible to
achieve with deployments that included Microsoft Unified Access Gateway Server.

• Single network adapter. You can implement your DirectAccess server behind a NAT with a single
network adapter.

• Single IP address. In certain deployment scenarios, you can even use a single IP address for the
DirectAccess server. This makes deployment easier in comparison to the DirectAccess deployment
in Windows Server 2008.

Simplified DirectAccess Deployment


The DirectAccess deployment has been simplified. Windows Server 2012 provides Express Setup for small
and medium deployment. Express Setup includes the following characteristics:

• PKI deployment is optional, because the wizard creates a self-signed certificate without the need
for certificate revocation lists (CRLs). This functionality is achieved by using the HTTPS-based
Kerberos proxy (built into Windows Server 2012), which accepts client authentication requests and
sends them to domain controllers on behalf of the client.

• Single IPsec tunnel configuration.

• Single factor authentication only; no support for smart card integration or using one-time
password (OTP).

• Works only with client computers running Windows 8.

Performance and Scalability Improvements


DirectAccess includes the following improved features in performance and scalability:

• Support for high availability and external load balancers. Windows Server 2012 supports network load
balancing (NLB) to achieve high availability and scalability for both DirectAccess and RRAS. The setup
process also provides integrated support for third party external hardware-based load balancer
solutions.

• Improved support for Receive Side Scaling (RSS). DirectAccess provides support for RSS and supports
running DirectAccess in virtual machines with increased density:

o IP-HTTPS interoperability and performance improvements. The Windows Server 2012 DirectAccess
implementation removes double encryption when using IP-HTTPS. Also, it reduces the time for
duplicate address detection, resulting in a significant performance improvement.

o Lower bandwidth utilization. Windows Server 2012 reduces the overhead associated with
establishing connectivity methods, and optimizes batched send behavior and receive buffers,
which results in overall lower bandwidth utilization. Additionally, Windows Server 2012
DirectAccess supports receive side scaling with User Datagram Protocol (UDP).

New Deployment Scenarios
The new DirectAccess deployment scenarios in Windows Server 2012 include:

• Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different
network locations, the Windows 8 device automatically chooses the closest endpoint. (For the
Windows 7 operating system, you have to specify the endpoint manually.) This also works for
distributed file system (DFS) shares that are redirected to an appropriate Active Directory® site.

• Multiple domain support. This feature is integrated with Windows Server 2012.

• Deploy a server behind a NAT. You can deploy Windows Server 2012 DirectAccess behind a NAT
device, with support for a single or multiple interfaces, removing the prerequisite for a public
address. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP
tunnel to be established by using a secure HTTP connection.

• Support for OTP and virtual smart cards. This feature requires a PKI deployment. If the option is
selected in the DirectAccess Setup Wizard, the Use computer certificates option is automatically
selected. Also, DirectAccess can use the Trusted Platform Module (TPM)–based virtual smart card,
which uses the TPM of a client computer to act as a virtual smart card for two-factor authentication.

• Offload network adapters with support for network teaming. Network teaming in Windows Server
2012 is fully supported without the need for third-party drivers.

• Off-premise provisioning. With the new djoin tool, you can easily provision a non-domain computer
with an Active Directory blob, so that the computer can be joined to a domain without the need to be
ever connected in your internal premises.

DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following
infrastructure components:

• DirectAccess server

• DirectAccess clients

• Network location server

• Internal resources

• Active Directory domain

• Group Policy

• PKI (optional for the internal network)

• DNS server

• NAP server

DirectAccess Server
The DirectAccess server can be any domain-joined Windows Server 2012 computer that accepts connections
from DirectAccess clients and establishes communication with intranet resources. This server provides
authentication services for DirectAccess clients and acts as an IPsec tunnel mode endpoint for external
traffic. The new Remote Access server role allows centralized administration, configuration, and
monitoring for both DirectAccess and VPN connectivity.

Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium organizations by removing the need for a
full PKI deployment and removing the requirement for two consecutive public IPv4 addresses for the
physical adapter that is connected to the Internet. In Windows Server 2012, the wizard detects the actual
implementation state of the DirectAccess server and automatically selects the best deployment, thereby
hiding from the administrator the complexity of manually configuring IPv6 transition technologies.

DirectAccess Clients
DirectAccess clients can be any domain-joined computer running Windows 8, Windows 7 Enterprise
Edition, or Windows 7 Ultimate Edition.

Note: With off-premise provisioning, you can join the client computer in a domain without
connecting the client computer in your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS
protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.

Network Location Server
DirectAccess clients use the network location server (NLS) to determine their location. If the client
computer can connect to the NLS with HTTPS, then the client computer assumes it is on the intranet and
disables DirectAccess components. If the NLS is not contactable, the client assumes it is on the Internet.
The NLS is installed with the web server role.

Note: The URL for the NLS is distributed by using GPO.

Internal Resources
You can configure any IPv6-capable application that is running on internal servers or client computers
to be available for DirectAccess clients. For older applications and servers that are not based on Windows
and have no IPv6 support, Windows Server 2012 now includes native support for a protocol translation
(NAT64) and name resolution (DNS64) gateway to convert IPv6 communication from the DirectAccess
client to IPv4 for the internal servers.

Note: As in the past, this functionality can also be achieved with Microsoft®
Forefront® Unified Access Gateway Server. Likewise, as in past versions, these translation services
do not support sessions initiated by internal devices; rather, they support requests originating
from IPv6 DirectAccess clients only.

Active Directory Domain


You must deploy at least one Active Directory domain, running at a minimum Windows Server 2008 R2
domain functional level. Windows Server 2012 DirectAccess provides integrated multiple domain support
which allows client computers from different domains to access resources that may be located in different
trusted domains.

Group Policy
Group Policy is required for the centralized administration and deployment of DirectAccess settings. The
DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

PKI
PKI deployment is optional for simplified configuration and management. Windows Server 2012
DirectAccess enables client authentication requests to be sent over an HTTPS-based Kerberos proxy
service running on the DirectAccess server. This eliminates the need for establishing a second IPsec
tunnel between clients and domain controllers. The Kerberos proxy sends Kerberos requests to
domain controllers on behalf of the client.

However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication,
and force tunneling, you still need to implement certificates for authentication for every client that will
participate in DirectAccess communication.

DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or later, or a
third-party DNS server that supports DNS message exchanges over ISATAP.

NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. Windows Server 2012
DirectAccess provides the ability to configure the NAP health check directly from the setup user interface
instead of manually editing GPOs, as was required in Windows Server 2008 R2 DirectAccess.

Additional Reading: The DNS server does not listen on the ISATAP interface on a
Windows Server 2008-based computer
http://go.microsoft.com/fwlink/?LinkID=159951
IPv6 - Technology Overview
http://technet.microsoft.com/en-us/library/hh831730.aspx

Name Resolution Policy Table
To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows
8 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be
defined per DNS namespace, rather than per interface. The NRPT stores a list of rules. Each rule defines a
DNS namespace and configuration settings that describe the DNS client's behavior for that
namespace.

When a DirectAccess client is on the Internet, each name query request is compared against the
namespace rules stored in the NRPT:

• If a match is found, the request is processed according to the settings in the NRPT rule.

• If a name query request does not match a namespace listed in the NRPT, the request is sent to the
DNS servers configured in the TCP/IP settings for the specified network interface.

DNS settings are configured depending on the client location:

• For a remote client computer, the DNS servers are typically the Internet DNS servers configured
through the Internet Service Provider (ISP).

• For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers
configured through Dynamic Host Configuration Protocol (DHCP).

Single-label names, for example, http://internal, typically have configured DNS search suffixes appended
to the name before they are checked against the NRPT.

If no DNS search suffixes are configured, and the single-label name does not match any other single-label
name entry in the NRPT, the request is sent to the DNS servers specified in the client's TCP/IP settings.

Namespaces, for example, internal.adatum.com, are entered into the NRPT, followed by the DNS servers
to which requests matching that namespace should be directed. If an IP address is entered for the DNS
server, all DNS requests are sent directly to the DNS server over the DirectAccess connection. You need
not specify any additional security for such configurations. However, if a name is specified for the DNS
server, such as dns.adatum.com in the NRPT, the name must be publicly resolvable when the client
queries the DNS servers specified in its TCP/IP settings.

The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources
and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for
name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the
Internet.

Some names need to be treated differently with regards to name resolution; these names should not be
resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers
specified in the client's TCP/IP settings, you must add them as NRPT exemptions.

The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name
resolution mechanism uses the following, in order:

• The local name cache

• The hosts file

• NRPT

Then, the name resolution mechanism finally sends the query to the DNS servers specified in the TCP/IP
settings.
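The lookup order, the NRPT namespace matching, the exemption handling and the single-label search-suffix behavior described above, together with the network location server check that switches the NRPT rules off when the client is on the intranet, as an added simulation written for this page (not Microsoft code and not part of the course). The rule set, DNS server addresses and host names are constructed, the leading-dot suffix convention is a modelling assumption, and the `nls_reachable` flag stands in for the HTTPS probe of the NLS.

```python
"""NRPT lookup simulation for a DirectAccess client (constructed teaching example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class NrptRule:
    """One NRPT entry: a namespace and the DNS servers that queries for it go to.

    Modelling assumption: a namespace with a leading dot (".internal.adatum.com")
    is a suffix rule covering every name under it; without the dot it matches one
    name exactly (single-label entries such as "payroll" work this way).  An empty
    server tuple models an NRPT exemption: matching names are sent to the DNS
    servers in the interface's TCP/IP settings rather than to intranet DNS.
    """
    namespace: str
    dns_servers: tuple = ()
    ipsec_required: bool = False

    @property
    def is_exemption(self) -> bool:
        return not self.dns_servers

    def matches(self, fqdn: str) -> bool:
        ns = self.namespace.lower()
        if ns.startswith("."):
            return fqdn.endswith(ns)
        return fqdn == ns


@dataclass
class Resolution:
    query: str        # the name actually looked up (a search suffix may have been appended)
    servers: tuple    # DNS servers the query is sent to (empty for cache/hosts hits)
    path: str         # "cache", "hosts", "nrpt", "exemption" or "interface"
    ipsec: bool = False


class DirectAccessClient:
    def __init__(self, rules, interface_dns, search_suffixes=(), hosts=None, cache=None):
        self.rules = list(rules)
        self.interface_dns = tuple(interface_dns)
        self.search_suffixes = tuple(s.lower().strip(".") for s in search_suffixes)
        self.hosts = {k.lower(): v for k, v in (hosts or {}).items()}
        self.cache = {k.lower(): v for k, v in (cache or {}).items()}

    def match_rule(self, fqdn: str) -> Optional[NrptRule]:
        """Most specific (longest namespace) NRPT rule matching fqdn, if any."""
        hits = [r for r in self.rules if r.matches(fqdn)]
        return max(hits, key=lambda r: len(r.namespace)) if hits else None

    def resolve(self, name: str, nls_reachable: bool) -> Resolution:
        name = name.lower().rstrip(".")
        # Order from the lesson: local name cache, hosts file, NRPT, then the
        # DNS servers configured on the interface.
        if name in self.cache:
            return Resolution(name, (), "cache")
        if name in self.hosts:
            return Resolution(name, (), "hosts")
        # A reachable NLS means "on the intranet": the client ignores the
        # DirectAccess NRPT rules for the rest of the session.
        if nls_reachable:
            return Resolution(name, self.interface_dns, "interface")
        # Single-label names get the search suffixes appended before the NRPT
        # check; the bare label is tried last so it can hit an exact NRPT entry.
        candidates = [f"{name}.{s}" for s in self.search_suffixes] if "." not in name else []
        candidates.append(name)
        for fqdn in candidates:
            rule = self.match_rule(fqdn)
            if rule is None:
                continue
            if rule.is_exemption:
                return Resolution(fqdn, self.interface_dns, "exemption")
            return Resolution(fqdn, rule.dns_servers, "nrpt", rule.ipsec_required)
        return Resolution(name, self.interface_dns, "interface")


# Constructed configuration, not taken from any real deployment.
INTRANET_DNS = ("2001:db8:1::53",)
ISP_DNS = ("203.0.113.53",)
RULES = [
    NrptRule(".internal.adatum.com", INTRANET_DNS, ipsec_required=True),
    NrptRule("nls.internal.adatum.com"),   # exemption: the NLS must never resolve via DirectAccess
    NrptRule("payroll", INTRANET_DNS),     # single-label entry, used when no search suffix is set
]


def make_client(interface_dns, search_suffixes=("internal.adatum.com",)) -> DirectAccessClient:
    return DirectAccessClient(RULES, interface_dns, search_suffixes, hosts={"localhost": "::1"})


def demo() -> dict:
    """Resolve the same names as an Internet-connected and as an intranet-connected client."""
    names = ["sharepoint.internal.adatum.com", "nls.internal.adatum.com",
             "www.example.com", "payroll", "localhost"]
    roaming = make_client(ISP_DNS)        # on a hotel network: the adapter has ISP DNS servers
    office = make_client(INTRANET_DNS)    # in the office: DHCP handed out intranet DNS servers
    return {
        "internet": {n: roaming.resolve(n, nls_reachable=False) for n in names},
        "intranet": {n: office.resolve(n, nls_reachable=True) for n in names},
    }


if __name__ == "__main__":
    for location, results in demo().items():
        for name, r in results.items():
            print(f"{location:8} {name:32} -> {r.path:9} {r.servers} ipsec={r.ipsec}")
```

Note that the NLS name hits both the suffix rule and the exemption; the longest-match rule is what keeps the NLS probe off the DirectAccess tunnel, which is exactly why the exemption must be present.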

Question: How can you benefit from the NRPT?

Question: How can you benefit by using connection security rules for DirectAccess?

How DirectAccess Works for Internal Client Computers
An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to
access the NLS URL to determine if they are located on the intranet or on a public network. The
DirectAccess server can also be the NLS. In some organizations where DirectAccess is a business-
critical service, the NLS should be highly available. Generally, the web server on the NLS does not
have to be dedicated just to supporting DirectAccess clients.

It is critical that the NLS is available from each company location, because the behavior of the
DirectAccess client depends on the response from the NLS. Branch locations may need a separate NLS at
each branch location to ensure that the NLS remains accessible even when there is a link failure between
branches.

How DirectAccess Works for Internal Clients
The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the NLS URL.
Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess
client instead sends the DNS query to a locally-configured DNS server (an intranet-based DNS server).
The intranet-based DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS-based URL of the NLS, during which process it obtains the
certificate of the NLS.

3. Based on the CRL distribution points field of the NLS's certificate, the DirectAccess client checks the
CRL revocation files in the CRL distribution point to determine if the NLS's certificate has been
revoked.

4. Based on an HTTP 200 Success of the NLS URL (successful access and certificate authentication and
revocation check), the DirectAccess client switches to the domain firewall profile and ignores the
DirectAccess rules in the NRPT for the remainder of the session.

5. The DirectAccess client computer attempts to locate and log on to the Active Directory Domain
Services (AD DS) domain by using its computer account. Because the client no longer references any
DirectAccess rules in the NRPT for the rest of the connected session, all DNS queries are sent through
interface-configured DNS servers (intranet-based DNS servers). With the combination of network
location detection and computer domain logon, the DirectAccess client configures itself for normal
intranet access.

6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
(firewall network) profile to the attached network. Because, by design, the DirectAccess Connection
Security tunnel rules are scoped to the public and private firewall profiles, they are disabled from the
list of active connection security rules.

The DirectAccess client has successfully determined that it is connected to its intranet and does not use
DirectAccess settings (NRPT rules or Connection Security tunnel rules). The DirectAccess client can access
intranet resources normally. It can also access Internet resources through normal means, such as a proxy
server.

How DirectAccess Works for External Client Computers
When a DirectAccess client starts, the DirectAccess client determines that it is not connected to the
intranet by trying to reach the URL address specified for the NLS. Because the client computer cannot
communicate with the NLS, it starts to use the NRPT and connection security rules. The NRPT has
DirectAccess-based rules for name resolution, and connection security rules define DirectAccess IPsec
tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the
following process to connect to intranet resources.

The DirectAccess client first attempts to access the NLS. Then, the client attempts to locate a domain
controller. Afterwards, the client attempts to access intranet resources and Internet resources.

DirectAccess Client Attempts To Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:

1. The client tries to resolve the FQDN of the NLS URL. Because the FQDN of the NLS URL corresponds
to an exemption rule in the NRPT, the DirectAccess client does not send the DNS query to a locally-
configured DNS server (an Internet-based DNS server). An external Internet-based DNS server would
not be able to resolve the name.

2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
exemption rules in the NRPT.

3. Because the NLS is not found on the same network as the one the DirectAccess client is currently
located on, the DirectAccess client applies a public or private firewall network profile to the attached
network.

4. The Connection Security tunnel rules for DirectAccess, scoped for the public and private profiles,
are active for the public or private firewall network profile.

The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts To Locate a Domain Controller


After starting up and determining its network location, the DirectAccess client attempts to locate and log
on to a domain controller. This process creates an IPsec tunnel or infrastructure tunnel by using the IPsec
tunnel mode and Encapsulating Security Payload (ESP) to the DirectAccess server. The process is as
follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS
name query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the
DirectAccess client’s TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate
and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both
the computer and the user) authenticates itself with its installed computer certificate and its NT LAN
Manager (NTLM) credentials, respectively.

Note: AuthIP enhances authentication in IPsec by adding support for user-based
authentication with Kerberos v5 or SSL certificates. AuthIP also supports efficient protocol
negotiation and usage of multiple sets of credentials for authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server and back through the IPsec infrastructure
tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.

DirectAccess Client Attempts To Access Intranet Resources


The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of
destinations for the infrastructure tunnel (such as an email server), the following process occurs:

1. The application or process that attempts to communicate constructs a message or payload and hands
it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account’s Kerberos credentials.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts To Access Internet Resources


When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an
Internet web server), the following process occurs:

1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There
are no matches. The DNS client service constructs the DNS name query that is addressed to the
IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.

4. The Internet DNS server responds with the IP address of the Internet resource.

5. The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.

6. Because the destination IP address of the packet does not match the connection security rules for
the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
tunnel or the intranet tunnel connection security rules is sent and received normally.

Like the connection process, accessing the domain controller and accessing intranet resources are very
similar processes, because both use the NRPT to locate the appropriate DNS server for resolving the name
queries; the difference is in the IPsec tunnel that is established between the client and the DirectAccess
server. When accessing the domain controller, all DNS queries are sent through the IPsec infrastructure
tunnel, and when accessing intranet resources, a second IPsec tunnel (the intranet tunnel) is established.
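The three flows above differ only in two decisions: which DNS server the NRPT selects, and which connection security rule the destination matches. The following Windows PowerShell script is an added illustration, not part of the course; it models those two decisions with constructed values (the 2001:db8::/32 documentation prefix, a constructed mail server address, and placeholder rule lists that in a real deployment come from the DirectAccess GPOs).

```powershell
# Added example, not part of the course: a model of how a DirectAccess client
# picks a DNS server via the NRPT and then an IPsec tunnel via the connection
# security rules. All names, prefixes and addresses are constructed.

# NRPT rule: names under this suffix are resolved by the intranet DNS server (IPv6).
$Nrpt = @{ Suffix = '.adatum.com'; IntranetDnsServer = '2001:db8:1::10' }

# Connection security rules: the infrastructure tunnel lists only the management
# hosts (domain controllers, DNS); the intranet tunnel covers the whole intranet.
$InfraTunnelHosts  = @('2001:db8:1::10', '2001:db8:1::11')
$IntranetPrefix    = '2001:db8:1::'
$IntranetPrefixLen = 48

function Test-IPv6InPrefix {
    param([string]$Address, [string]$Prefix, [int]$PrefixLength)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }
    $a = $ip.GetAddressBytes()
    $p = [System.Net.IPAddress]::Parse($Prefix).GetAddressBytes()
    # Compare the whole bytes covered by the prefix, then any remaining bits.
    $fullBytes = [int][math]::Floor($PrefixLength / 8)
    for ($i = 0; $i -lt $fullBytes; $i++) {
        if ($a[$i] -ne $p[$i]) { return $false }
    }
    $restBits = $PrefixLength % 8
    if ($restBits -eq 0) { return $true }
    $mask = (0xFF -shl (8 - $restBits)) -band 0xFF
    return (($a[$fullBytes] -band $mask) -eq ($p[$fullBytes] -band $mask))
}

function Get-DADnsServer {
    # Step 1: the NRPT decides which DNS server receives the name query.
    # $null means "no NRPT match": the interface-configured Internet DNS server is used.
    param([string]$Name)
    if ($Name.ToLower().EndsWith($Nrpt.Suffix)) { return $Nrpt.IntranetDnsServer }
    return $null
}

function Get-DATunnel {
    # Steps 2-3: the connection security rules decide which IPsec tunnel (if any)
    # carries a packet to this destination.
    param([string]$Destination)
    if ($InfraTunnelHosts -contains $Destination) { return 'Infrastructure' }
    if (Test-IPv6InPrefix -Address $Destination -Prefix $IntranetPrefix -PrefixLength $IntranetPrefixLen) {
        return 'Intranet'
    }
    return 'None'
}

# The three cases the text walks through: domain controller, intranet mail server,
# Internet web server (all addresses constructed).
$cases = @(
    @{ Name = 'lon-dc1.adatum.com'; Address = '2001:db8:1::10'   }
    @{ Name = 'mail.adatum.com';    Address = '2001:db8:1:5::25' }
    @{ Name = 'www.example.com';    Address = '198.51.100.7'     }
)
foreach ($c in $cases) {
    $dns = Get-DADnsServer -Name $c.Name
    $dnsPath = if ($dns) { "to $dns through the $(Get-DATunnel $dns) tunnel" } else { 'to the Internet DNS server, sent normally' }
    "{0,-20} DNS query {1}; data packets use tunnel: {2}" -f $c.Name, $dnsPath, (Get-DATunnel $c.Address)
}
```

Running it shows the DNS queries for both intranet names going through the infrastructure tunnel, data packets to the mail server using the intranet tunnel, and the Internet name bypassing both.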

Lesson 2
Installing and Configuring DirectAccess Components
In order to install and configure DirectAccess in your organization, you need to meet a number of
requirements pertaining to Active Directory configuration, DNS configuration, and certificate services.
After these requirements are met, you then install and configure the DirectAccess role. Finally, you
configure client computers, and verify that DirectAccess is functional when connecting from both the
internal network and the Internet.
In this lesson, you will learn about DirectAccess requirements, how to plan the DirectAccess solution, and
the process of installation and deployment of DirectAccess. You will also learn about the new features for
implementing DirectAccess in Windows 8.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the prerequisites for implementing DirectAccess.

• Describe the process of configuring DirectAccess.

• Configure AD DS services for DirectAccess.

• Install and configure DirectAccess Server.

• Configure the DirectAccess clients.

• Describe the differences in DirectAccess between Windows 7 and Windows 8.

Prerequisites for Implementing DirectAccess
To deploy DirectAccess, the DirectAccess server, the client computer, and infrastructure should meet
certain requirements.

Requirements for DirectAccess Server
In order to deploy DirectAccess, you need to ensure that the server meets the hardware and network
requirements:

• The server must be joined to an Active Directory domain.

• The server must have Windows Server 2012 or Windows Server 2008 R2 operating system installed.

• The Windows Server 2012 that will be installed as the DirectAccess Server can have a single network
adapter installed which is connected to the intranet and published over Microsoft Forefront Threat
Management Gateway 2010 (TMG) or Microsoft Forefront Unified Access Gateway 2010 (UAG) for
Internet connection. In the deployment scenario where DirectAccess is installed on an Edge server, it
needs to have two network adapters, one connected to the internal network and the other connected
to the external network.

Note: An Edge server is any server that resides on the edge between two or more
networks, typically a private network and Internet.

• Implementation of DirectAccess in Windows Server 2012 does not require two consecutive
static, public IPv4 addresses to be assigned to the network adapter. However, to achieve two-factor
authentication with a smart card or OTP deployment, the DirectAccess server will still need two public
IP addresses.

• You can even deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a
single or multiple interfaces, thereby removing the need for an additional public address. In
this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be
established using a secure HTTP connection.
• On the DirectAccess server, you install the Remote Access role to configure DirectAccess settings
for the DirectAccess server and clients, and to monitor the status of the DirectAccess server. The Remote
Access wizard provides you with the option to configure only DirectAccess, only VPN, or both
scenarios on the same server running Windows Server 2012. This was not possible in the Windows Server
2008 R2 deployment of DirectAccess.

• For load balancing support, Windows Server 2012 can use NLB (up to 8 nodes) to
achieve high availability and scalability for both DirectAccess and RRAS.

Requirements for DirectAccess Client


To deploy DirectAccess, you also need to ensure that the client computer meets certain requirements:
• The client computer should be joined to an Active Directory domain.

• With the Windows Server 2012 DirectAccess scenario, it is possible to provision computers for domain
membership offline, without the need for the computer to be on premises.
• The client computer can be loaded with Windows 8, Windows 7 Enterprise Edition, Windows 7
Ultimate Edition, Windows Server 2012, or Windows Server 2008 R2 operating system.

You cannot deploy DirectAccess on clients running Windows Vista®, Windows Server 2008, or other earlier
versions of the Windows operating systems.

Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:
• Active Directory. You must deploy at least one Active Directory domain. Workgroups are not
supported.

• Group Policy. You need Group Policy for centralized administration and deployment of DirectAccess
client settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess
clients, DirectAccess servers, and management servers.

• DNS and domain controller. You must have at least one domain controller and DNS server running
Windows Server 2012, or Windows Server 2008 SP2 or Windows Server 2008 R2.

• PKI. You need to use PKI to issue computer certificates for authentication and health certificates
only when NAP is deployed. You do not need external certificates. The SSL certificate installed on
the DirectAccess server must have a CRL distribution point that is reachable from the Internet. The
certificate Subject field must contain the FQDN that can be resolved to a public IPv4 address assigned
to the DirectAccess server by using the Internet DNS.
• IPsec policies. DirectAccess utilizes IPsec policies that are configured and administered as part of
Windows Firewall with Advanced Security.

• Internet Control Message Protocol Version 6 (ICMPv6) Echo Request traffic. You must create separate
inbound and outbound rules that allow ICMPv6 Echo Request messages. The inbound rule is required
to allow ICMPv6 Echo Request messages and is scoped to all profiles. The outbound rule to allow
ICMPv6 Echo Request messages is scoped to all profiles and is only required if the Outbound block is
turned on. DirectAccess clients that use Teredo for IPv6 connectivity to the intranet use the ICMPv6
message when establishing communication.

• IPv6 and transition technologies. IPv6 and the transition technologies such as ISATAP, Teredo, and
6to4 must be available for use on the DirectAccess server. For each DNS server running Windows
Server 2008 or Windows Server 2008 R2, you need to remove the ISATAP name from the global query
block list.

Question: You have a Windows Server 2003 Certificate Authority server in your domain. Can
you use the existing PKI infrastructure for DirectAccess, or should you set up a new
Certificate Authority server on Windows Server 2008 R2?

Process of Configuring DirectAccess
To configure DirectAccess, perform the following steps:

1. Configure AD DS and DNS requirements

o Create a security group in Active Directory and add all client computer accounts that will be
accessing intranet through DirectAccess.

o Configure both internal and external DNS servers with appropriate host names and IP addresses.

2. Configure the PKI environment

o Add and configure the Certificate Authority server role, create the certificate template and CRL
distribution point, publish the CRL list, and distribute the computer certificates.

3. Configure DirectAccess Server
o Install Windows Server 2012 on a server computer with one or two physical network adapters
(depends on DirectAccess design scenario).

o Join the DirectAccess server to an Active Directory domain.

o Install the Remote Access role and configure the DirectAccess server so that it is either one of the
following:
ƒ The DirectAccess server is on the perimeter network with one network adapter connected to
the perimeter network and at least one other network adapter connected to the intranet. In
this deployment scenario, DirectAccess server is placed between a front-end firewall and
back-end firewall.
ƒ The DirectAccess server is published by using IPsec Gateway (TMG or UAG). In this
deployment scenario, DirectAccess is placed behind a front-end firewall and it has one
network adapter connected to internal network.
ƒ The DirectAccess server is installed on an Edge server (typically front end firewall) with one
network adapter connected to the Internet and at least one other network adapter
connected to the intranet.

An alternative design is for the DirectAccess server to have only one network interface instead of two. For
this design, perform the following steps:

o Verify that the ports and protocols needed for DirectAccess and Internet Control Message
Protocol (ICMP) Echo Request are enabled in the firewall exceptions and opened on the
perimeter and Internet-facing firewalls.

o The DirectAccess server in simplified implementation can use a single public IP address in
combination with Kerberos Proxy services for client authentication against domain controllers.
For two-factor authentication and integration with NAP, you need to configure at least two
consecutive public static IPv4 addresses that are externally resolvable through DNS. Ensure that
you have an IPv4 address available and that you have the ability to publish that address in your
externally-facing DNS server.
o If you have disabled IPv6 on clients and servers, enable IPv6 because it is required for
DirectAccess.

o Install a web server on the DirectAccess server to enable DirectAccess clients to determine whether
they are inside or outside the intranet. You can install this web server on a separate internal
server for determining the network location.

o Based on the deployment scenario, you need to designate one of the server network adapters as
the Internet-facing interface (in deployment with two network adapters) or publish the
DirectAccess server which is deployed behind NAT for Internet access.

o On the DirectAccess server, ensure that the Internet-facing interface is configured to be either a
Public or a Private interface, depending on your network design. Configure the intranet interfaces
as domain interfaces. If you have more than two interfaces, ensure that no more than two
classification types are selected.
4. Configure the DirectAccess clients and test intranet and Internet access

o Verify that DirectAccess group policy has been applied and certificates have been distributed to
client computers.
o Test whether you can connect to DirectAccess server from an intranet.

o Test whether you can connect to DirectAccess server from the Internet.

Demonstration: Configuring AD DS and Network Services for DirectAccess


In this demonstration, you will see how to:

• Create a security group for DirectAccess computers.


• Configure firewall rules for ICMPv6 traffic.

• Create required DNS records.

• Configure the PKI environment.

Demonstration Steps

Create a security group for DirectAccess client computers


1. On LON-DC1, open the Active Directory Users and Computers console, and create an organizational
unit with the name DA_Clients OU and inside that organizational unit, create a Global Security group
with the name DA_Clients.

2. Add LON-SVR3 to the DA_Clients security group.



3. Close the Active Directory Users and Computers console.

Question: Why did you create the DA_Clients group?

Configure firewall rules GPO for ICMPv6 traffic


1. Open the Group Policy Management console, and then right-click Default Domain Policy.

2. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
\Windows Firewall with Advanced Security.

3. Create a new inbound rule with the following settings:

o Rule Type: Custom

o Protocol type: ICMPv6

o Specific ICMP types: Echo Request

o Name: Inbound ICMPv6 Echo Requests

4. Create a new outbound rule with the following settings:

o Rule Type: Custom


o Protocol type: ICMPv6

o Specific ICMP types: Echo Request

o Action: Allow the connection

o Name: Outbound ICMPv6 Echo Requests

5. Close the Group Policy Management Editor and Group Policy Management consoles.

Create required DNS records


1. Open the DNS Manager console and then create two new host records with the following settings:

o Name: nls; IP Address: 172.16.0.22

o Name: crl; IP Address: 172.16.0.22

2. Close the DNS Manager console.

Question: What is the purpose of the nls.adatum.com DNS host record that you associated
with an internal IP address?

Configure the PKI environment


1. Switch to LON-DC1.

2. Open the Certification Authority console.


3. Configure the AdatumCA certification authority with the following extension settings:

o Add Location: http://crl.adatum.com/crld/

o Variable: CAName, CRLNameSuffix, and DeltaCRLAllowed

o Location: .crl

o Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP
extension of issued certificates

o Do not restart Certificate Services.

o Add Location: \\lon-svr2\crldist$\



o Variable: CAName, CRLNameSuffix, and DeltaCRLAllowed

o Location: .crl

o Select Publish CRLs to this location and Publish Delta CRLs to this location

4. Restart Certificate Services.

5. Close the Certificate Authority console.

Configure permissions on the web server certificate template

Note: Users require the Enroll permission on the certificate.

1. Right-click Certificate Template in the Certification Authority console and then click manage.

2. In the Certificate Template console, in Web Server template Properties, configure security settings
for Authenticated Users to be allowed to Enroll for a certificate.

3. Close the Certificate Templates console.

Configure computer certificate auto-enrollment


1. On LON-DC1, open Group Policy Management console.
2. In the console tree, expand Forest: Adatum.com\Domains\Adatum.com.

3. Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor, open
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4. At Automatic Certificate Request Settings, configure Automatic Certificate Request with a
Computer.

5. On the Certificate Template page, click Computer, click Next, and then click Finish.

6. Close the Group Policy Management Editor and close the Group Policy Management console.
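The same AD DS, firewall, DNS and CRL configuration from this demonstration (repeated in Lab Exercise 1, Task 1 and Task 2, and summarized as steps 1-2 of the configuration process above) can be scripted. The following Windows PowerShell script is an added example and not the course's own material; it uses the names and addresses from the course (Adatum.com, DA_Clients, LON-SVR3, LON-SVR2, 172.16.0.22, crl.adatum.com) and assumes it runs on LON-DC1, which also hosts the CA, as a domain administrator with the ActiveDirectory, DnsServer and NetSecurity modules available.

```powershell
# Added example, not part of the course: scripts the "Configuring AD DS and
# Network Services for DirectAccess" demonstration. Run on LON-DC1 (domain
# controller, DNS server and CA in the course lab) as a domain administrator.
Import-Module ActiveDirectory, DnsServer, NetSecurity

$Domain   = 'Adatum.com'
$DomainDN = 'DC=Adatum,DC=com'
$GpoStore = "$Domain\Default Domain Policy"   # firewall rules go into this GPO

# 1. Security group holding the DirectAccess client computer accounts.
New-ADOrganizationalUnit -Name 'DA_Clients OU' -Path $DomainDN
New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security `
            -Path "OU=DA_Clients OU,$DomainDN"
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer 'LON-SVR3')

# 2. ICMPv6 Echo Request rules (ICMPv6 type 128) scoped to all profiles.
#    Teredo clients rely on the inbound rule; the outbound rule only matters when
#    outbound blocking is on, but the course creates both.
New-NetFirewallRule -DisplayName 'Inbound ICMPv6 Echo Requests' -Direction Inbound `
    -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any -PolicyStore $GpoStore
New-NetFirewallRule -DisplayName 'Outbound ICMPv6 Echo Requests' -Direction Outbound `
    -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any -PolicyStore $GpoStore

# 3. Host records for the network location server (nls) and the CRL web location (crl).
Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'nls' -IPv4Address '172.16.0.22'
Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'crl' -IPv4Address '172.16.0.22'
#    Leave only wpad in the global query block list so that ISATAP resolves
#    (the lab does the same with "dnscmd /config /globalqueryblocklist wpad").
Set-DnsServerGlobalQueryBlockList -List 'wpad'

# 4. CRL distribution points on the CA. The numeric prefix is the sum of certutil's
#    publication flags: 2 = include in the CDP extension of issued certificates,
#    4 = include in CRLs (clients use it to find delta CRLs), 1 = publish CRLs to
#    this location, 64 = publish delta CRLs to this location. %3 = CAName,
#    %8 = CRLNameSuffix, %9 = DeltaCRLAllowed. The leading "+" appends to the
#    existing multi-string value instead of replacing it.
certutil -setreg 'CA\CRLPublicationURLs' '+6:http://crl.adatum.com/crld/%3%8%9.crl'
certutil -setreg 'CA\CRLPublicationURLs' '+65:\\lon-svr2\crldist$\%3%8%9.crl'
Restart-Service -Name CertSvc

# Show what was configured so it can be checked against the demonstration steps.
Get-ADGroupMember -Identity 'DA_Clients' | Select-Object Name
Get-NetFirewallRule -PolicyStore $GpoStore -DisplayName '*ICMPv6 Echo*' | Select-Object DisplayName, Direction
certutil -getreg 'CA\CRLPublicationURLs'
```

The Web Server template permissions and the computer auto-enrollment GPO setting from the remaining demonstration steps are still configured in the consoles as described above.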

Demonstration: Configuring the DirectAccess Server


In this demonstration, you will see how to:

• Obtain certificates for IPsec.

• Configure DirectAccess.

Demonstration Steps

Obtain the required certificates for LON-SVR2


1. Switch to LON-SVR2.

2. Open Microsoft Management Console by typing the mmc command, and then add the Certificates
snap-in for Local computer.

3. In the Certificates snap-in, in the Microsoft Management Console, request a new certificate with the
following settings:

o Certificate template: Web Server

o Common name: 131.107.0.2

4. Verify that a new certificate with the name 131.107.0.2 has been issued with Intended Purposes of
Server Authentication.

5. For the 131.107.0.2 certificate, in Properties, specify the Friendly Name as IP-HTTPS Certificate,
and then click OK.

6. In the Certificates console, right-click the certificate with the name lon-svr2.adatum.com, and then
click delete.

7. Close the Certificates snap-in console without saving it.

8. Close the console.

Complete the DirectAccess setup wizard on LON-SVR2


1. Open the Server Manager console.

2. In the Server Manager console, open the Remote Access Management console.

3. Click Configuration; the Enable Direct Access Wizard will start automatically.

4. Click Next. Wait until the DirectAccess prerequisites page completes loading.

5. Complete the Enable Direct Access Wizard by using the following settings:

o DirectAccess Client Setup page; Enter the object names to select: DA_clients

o Remote Access Server setup page,


ƒ Network Topology: Edge
ƒ Type the public name or IPv4 address used by clients to connect to the Remote Access
server: 131.107.0.2

Note: On this page, you might notice that you are using the IP address of the Edge server
instead of an FQDN. This is because in this lab environment there is no public DNS server, as there
would be in a real-life scenario.

ƒ Infrastructure Server Setup page: Accept default values


ƒ Configure Remote Access page: Accept default values
6. Wait until Enable DirectAccess Wizard Apply completes, and then click Close.

7. At the command prompt, type the following command:

GPUpdate /force

8. Close the Server Manager console.

Demonstration: Configuring the DirectAccess Client


To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:

• Configure the DirectAccess client.

• Verify that DirectAccess clients have the computer certificate that is required for DirectAccess
authentication. This should have been distributed with Group Policy.

• Verify that the client can connect to intranet resources.



Demonstration Steps

Configure the DirectAccess client


1. Switch to LON-SVR3.

2. Open the Command Prompt window and type gpupdate /force to force Group Policy to apply on
LON-SVR3.

3. At command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
applied to the Computer Settings.

Note: If DirectAccess Client Settings GPO is not applied, restart LON-SVR3, and then
repeat step 2 on LON-SVR3.

4. Verify that DNS Effective Name Resolution Policy Table Settings is applied by typing the following
command at the command prompt:

netsh name show effectivepolicy

5. Verify that DNS Effective Name Resolution Policy Table Settings is displayed in the Command
Prompt window.

6. Simulate moving the client computer LON-SVR3 out of the corporate network, that is to the Internet,
by changing the network adapter settings with external IP address to the following values:

o IP address: 131.107.0.10

o Subnet mask: 255.255.0.0


o Default gateway: 131.107.0.2

7. Disable and then again enable the Local Area Connection network adapter.

8. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network.

Verify connectivity to the internal network resources


1. Move the mouse to the lower-left part of screen, click Start, and then click the Internet Explorer
icon.

2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.

3. Leave the Internet Explorer window open.

4. Click Start, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the
Files shared folder appears.

5. In the Files shared folder window, double-click the example.txt file. The content of the example.txt
file is displayed.

6. Close all open windows.

7. Move the mouse pointer to the lower-right corner of the screen, and in the notification area, click
search, and in the search box, type cmd.

8. At the command prompt, type ipconfig.


9. Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
address.

Verify connectivity to the DirectAccess server
1. At the command prompt, type the following command:

Netsh name show effectivepolicy

Verify that DNS Effective Name Resolution Policy Table Settings presents two entries, for
adatum.com and Directaccess-NLS.Adatum.com.

2. At the PowerShell prompt, type the following command, and then press Enter.

Get-DAClientExperienceConfiguration

Notice the DirectAccess client settings.

Verify client connectivity on DirectAccess Server
1. Switch to LON-SVR2.

2. In the Remote Access Management console pane, click Remote Client Status.
Notice that Client is connected via IPHttps. In the Connection Details pane, in the bottom right of
the screen, note the use of Kerberos for the Machine and the User.

3. Close all open programs.

Question: How will you configure IPv6 address for Windows 8 to use DirectAccess?
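The client-side checks in this demonstration (effective NRPT, the computer certificate, the IP-HTTPS address and the client experience settings) can be gathered in one read-only pass. The following Windows PowerShell function is an added example, not part of the course; it assumes a Windows 8 or Windows Server 2012 DirectAccess client such as LON-SVR3, where the DnsClient, NetworkTransition and NetTCPIP modules are present, and changes no settings.

```powershell
# Added example, not part of the course: collects on a DirectAccess client the
# same facts the demonstration verifies by hand. Read-only.
function Get-DAClientHealth {
    $report = [ordered]@{}

    # 1. Effective NRPT (what "netsh name show effectivepolicy" prints). The course
    #    expects entries for adatum.com and Directaccess-NLS.Adatum.com.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective)
    $report['NrptNamespaces']     = @($nrpt | ForEach-Object Namespace)
    $report['IntranetDnsServers'] = @($nrpt | ForEach-Object DirectAccessDnsServers | Where-Object { $_ })

    # 2. Computer certificate for IPsec authentication: a certificate in the local
    #    machine store whose EKU extension (OID 2.5.29.37) carries Client
    #    Authentication (OID 1.3.6.1.5.5.7.3.2), delivered by auto-enrollment.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }
    $report['IPsecCertSubjects'] = @($certs | ForEach-Object Subject)

    # 3. IP-HTTPS interface state and address (the course notes a 2002: prefix
    #    on the iphttpsinterface tunnel adapter when the client is on the Internet).
    $report['IPHttpsStatus']  = (Get-NetIPHttpsState -ErrorAction SilentlyContinue).InterfaceStatus
    $report['IPHttpsAddress'] = @(Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like 'iphttps*' } |
        ForEach-Object IPAddress)

    # 4. Connection status as the Windows 8 client UI reports it. The cmdlet exists
    #    only where the Network Connectivity Assistant is present, so it is optional.
    if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
        $report['ConnectionStatus'] = (Get-DAConnectionStatus).Status
    }

    # 5. Client experience settings pushed by the DirectAccess client GPO.
    $report['ClientExperience'] = Get-DAClientExperienceConfiguration
    [pscustomobject]$report
}

$health = Get-DAClientHealth
$health | Format-List

# Flag the failure modes the demonstration's Note and steps are checking for.
if (-not $health.NrptNamespaces) {
    Write-Warning 'No effective NRPT entries: the DirectAccess Client Settings GPO is not applied (gpupdate /force, then restart).'
}
if (-not $health.IPsecCertSubjects) {
    Write-Warning 'No computer certificate with the Client Authentication EKU in LocalMachine\My.'
}
if (-not $health.IPHttpsAddress) {
    Write-Warning 'No IP-HTTPS address: either the client is on the intranet (expected) or the IP-HTTPS tunnel did not come up.'
}
```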

Windows 7 Client vs. Windows 8 Client Implementation
Users working with DirectAccess in the Windows 8 operating system will have a better user experience
than those working in Windows 7. In Windows 8, the DirectAccess solution is completely transparent for
the user. However, in Windows 7, it is hard to troubleshoot network connectivity problems. Usually, when
problems start, there are no native tools that can easily track the network behavior, and so
administrators often use network monitoring tools to get information regarding connectivity issues.

Windows 8 Client Implementation
• Windows 8 includes an in-box user interface for DirectAccess clients that helps users understand the
network connectivity experience. This simplified user interface runs on top of the Windows PowerShell
commands and provides basic information regarding connectivity.

• Users can easily check their connectivity status. Users can even customize the look of the interface,
providing additional information such as support email addresses.

• Users might choose the site that they want to connect to in the multisite environment and even
choose not to be connected to any site.

• Remediation options for actionable problems are presented clearly to the user. Instead of using other
tools, remediation and problem solving can be done in the same user interface for DirectAccess.
Typical problems that can be flagged for remediation are:

o Credentials (Smartcard, TPM, and OTP)

o NAP

o Proxy authentication issue

o Proxy configuration issue

o Lack of Internet connectivity


• Users can easily send customized logs to their helpdesk by using the properties of the Network
Connectivity Assistant. Users can manually select the DirectAccess entry point that should be used.
They can collect logs (HTML plus custom logs) and send these logs to already configured email
addresses.

• When using Windows 7 in a multi-site deployment, you need to create multiple GPOs with different
settings. However, in Windows 8, clients can easily select the closest DirectAccess server in a multisite
deployment.

• Easy setup of DirectAccess automatically configures Windows 8 computers to participate in a


DirectAccess scenario without the need for additional configuration.

• The receive side scaling concept for UDP traffic helps in improving performance in enterprise
deployment.

Lab: Implementing DirectAccess


Scenario
Because A. Datum has expanded, many of the employees are now frequently out of the office, either
working from home or traveling. A. Datum wants to implement a remote access solution for its employees
so they can connect to the corporate network while they are away from the office. Although the VPN
solution implemented with NAP provides a high level of security, business management is concerned
about the complexity of the environment for end users. Also IT management is concerned that they are
not able to manage the remote clients effectively.

To address these issues, A. Datum has decided to implement DirectAccess on client computers running
Windows 8.
As a senior network administrator, you are required to deploy and validate the DirectAccess deployment.
You will configure the DirectAccess environment and validate that the client computers can connect to
the internal network when operating remotely.

Objectives
After completing this lab, you will be able to:

• Configure the server infrastructure to deploy DirectAccess.


• Configure the DirectAccess clients.

• Validate the DirectAccess implementation.

Lab Setup
Estimated time: 90 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR2, 20417A-LON-SVR3

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR2, and 20417A-LON-SVR3.

Exercise 1: Configuring the DirectAccess Infrastructure


Scenario
You decided to implement DirectAccess as a solution for remote client computers that are not able to
connect through VPN. Also, you want to address management problems, such as GPO application for
remote client computers. For this purpose, you will configure the prerequisite components of
DirectAccess, and configure the DirectAccess server.

The main tasks for this exercise are as follows:

1. Configure the AD DS and DNS requirements.

2. Configure certificate requirements.

3. Configure the internal resources for DirectAccess.


4. Configure DirectAccess server.

Task 1: Configure the AD DS and DNS requirements


1. Create a security group for DirectAccess client computers by performing the following steps:

a. Switch to LON-DC1.
b. Open the Active Directory Users and Computers console, and create an Organizational Unit
named DA_Clients OU, and within that organizational unit, create a Global Security group
named DA_Clients.

c. Modify the membership of the DA_Clients group to include LON-SVR1.

d. Close the Active Directory Users and Computers console.

2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
a. Open the Group Policy Management console, and then open Default Domain Policy.

b. In the console tree of the Group Policy Management Editor, navigate to Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security.

c. Create a new inbound rule with the following settings:


ƒ Rule Type: Custom
ƒ Protocol type: ICMPv6
ƒ Specific ICMP types: Echo Request
ƒ Name: Inbound ICMPv6 Echo Requests
d. Create a new outbound rule with the following settings:
ƒ Rule Type: Custom
ƒ Protocol type: ICMPv6
ƒ Specific ICMP types: Echo Request
ƒ Action: Allow the connection
ƒ Name: Outbound ICMPv6 Echo Requests
e. Close the Group Policy Management Editor and Group Policy Management consoles.

3. Create required DNS records by performing the following steps:

a. Open the DNS Manager console, and then create new host records with the following settings:
ƒ Name: nls; IP Address: 172.16.0.21
ƒ Name: crl; IP Address: 172.16.0.22
b. Close the DNS Manager console.

4. Remove ISATAP from the DNS global query block list by performing the following steps:

a. Open the Command Prompt window, type the following command, and then press Enter:

dnscmd /config /globalqueryblocklist wpad

Ensure that the Command completed successfully message appears.

b. Close the Command Prompt window.

5. Configure the DNS suffix on LON-SVR2 by performing the following steps:

a. Switch to LON-SVR2, and in the Local Area Connection Properties dialog box, in the Internet
Protocol Version 4 (TCP/IPv4) dialog box, add the Adatum.com DNS suffix.

b. Close the Local Area Connection Properties dialog box.
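The five Task 1 steps as one Windows PowerShell script, added here as an example and not part of the course lab. It assumes the ActiveDirectory, DnsServer, NetSecurity and DnsClient modules that ship with Windows Server 2012, a domain administrator session on LON-DC1, and WinRM access to LON-SVR2 for the last step; every name, address and GPO is taken from the lab text.

```powershell
# Added example, not part of the course lab: the Task 1 prerequisites as a script.
# Run as a domain administrator on LON-DC1 (Windows Server 2012). Names, addresses
# and the GPO are the ones the lab uses.
Import-Module ActiveDirectory, DnsServer, NetSecurity

$domainDN = (Get-ADDomain).DistinguishedName         # e.g. DC=Adatum,DC=com
$gpoStore = "Adatum.com\Default Domain Policy"       # PolicyStore format: <domain>\<GPO name>

# 1. OU and global security group for the DirectAccess client computers
New-ADOrganizationalUnit -Name "DA_Clients OU" -Path $domainDN
New-ADGroup -Name "DA_Clients" -GroupScope Global -GroupCategory Security `
    -Path "OU=DA_Clients OU,$domainDN"
Add-ADGroupMember -Identity "DA_Clients" -Members (Get-ADComputer -Identity "LON-SVR1")

# 2. ICMPv6 Echo Request (type 128) allowed in both directions, written straight into
#    the Default Domain Policy GPO instead of through the Group Policy Management Editor.
New-NetFirewallRule -PolicyStore $gpoStore -DisplayName "Inbound ICMPv6 Echo Requests" `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 -Action Allow
New-NetFirewallRule -PolicyStore $gpoStore -DisplayName "Outbound ICMPv6 Echo Requests" `
    -Direction Outbound -Protocol ICMPv6 -IcmpType 128 -Action Allow

# 3. Host records for the network location server and the CRL distribution point
Add-DnsServerResourceRecordA -ZoneName "Adatum.com" -Name "nls" -IPv4Address "172.16.0.21"
Add-DnsServerResourceRecordA -ZoneName "Adatum.com" -Name "crl" -IPv4Address "172.16.0.22"

# 4. The global query block list defaults to wpad and isatap. Setting it to wpad alone
#    (what dnscmd /config /globalqueryblocklist wpad does) lets ISATAP resolve while
#    WPAD stays blocked, so a rogue "wpad" record cannot hand clients a proxy.
Set-DnsServerGlobalQueryBlockList -List "wpad"
$blockList = (Get-DnsServerGlobalQueryBlockList).List
if ($blockList -contains "isatap") { throw "isatap is still blocked: $blockList" }

# 5. Connection-specific DNS suffix on LON-SVR2 (needs WinRM, enabled by default on 2012)
Invoke-Command -ComputerName "LON-SVR2" -ScriptBlock {
    Set-DnsClient -InterfaceAlias "Local Area Connection" -ConnectionSpecificSuffix "Adatum.com"
}
```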

X Task 2: Configure certificate requirements

1. Configure the CRL distribution settings by performing the following steps:

a. Switch to LON-DC1 and open the Certification Authority console.

b. Configure the Adatum-LON-DC1-CA certification authority with the following extension settings:
• Add Location: http://crl.adatum.com/crld/
• Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
• Location: .crl
• Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the
CDP extension of issued certificates
• Do not restart Certificate Services.
• Add Location: \\lon-svr2\crldist$\
• Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
• Location: .crl
• Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the
CDP extension of issued certificates
• Restart Certificate Services.

c. Close the Certification Authority console.
2. Duplicate the web certificate template and configure the appropriate permissions by performing
the following steps:

a. In the Certificate Templates console, in the contents pane, duplicate the Web Server template by
using the following options:
• Template display name: Adatum Web Server Certificate
• Request Handling: Allow private key to be exported
• Authenticated Users permissions: under Allow, click Enroll

b. Close the Certificate Templates console.

c. In the Certification Authority console, choose to issue a New Certificate Template and select the
Adatum Web Server Certificate template.

d. Close the Certification Authority console.

3. Configure computer certificate auto-enrollment by performing the following steps:

a. On LON-DC1, open the Group Policy Management console.

b. In the console tree, navigate to Forest: Adatum.com, Domains, and Adatum.com.

c. Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor,
navigate to Computer Configuration\Policies\Windows Settings\Security Settings
\Public Key Policies.

d. Under Automatic Certificate Request Settings, configure Automatic Certificate Request to
issue the Computer certificate.

e. Close the Group Policy Management Editor and close the Group Policy Management console.

X Task 3: Configure the internal resources for DirectAccess

1. Request a certificate for LON-SVR1 by performing the following steps:

a. On LON-SVR1, open a command prompt, type the following command, and then press Enter.

gpupdate /force

b. At the command prompt, type the following command, and then press Enter.

mmc

c. Add the Certificates snap-in for Local computer.

d. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates, request a new certificate, and then under Request Certificates, select
Adatum Web Server Certificate with the following setting:
• Subject name: Under Common name, type nls.adatum.com

e. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.adatum.com was enrolled with Intended Purposes of Server Authentication.

f. Close the console window. When you are prompted to save settings, click No.

2. To change the HTTPS bindings, perform the following steps:

a. Open Internet Information Services (IIS) Manager.

b. In the console tree of Internet Information Services (IIS), navigate to and click Default Web site.

c. Configure Site Bindings by selecting nls.adatum.com for SSL Certificate.

d. Close the Internet Information Services (IIS) Manager console.

X Task 4: Configure DirectAccess server.


1. Obtain required certificates for LON-SVR2 by performing the following steps:

a. Switch to LON-SVR2.

b. Open a command prompt and refresh group policy by typing gpupdate /force.

c. Open the Microsoft Management Console by typing the mmc command, and then add the
Certificates snap-in for Local computer.

d. In the Certificates snap-in, in the mmc console, request a new certificate with the following
settings:
• Certificate template: Adatum Web Server Certificate
• Common name: 131.107.0.2
• Friendly name: IP-HTTPS Certificate

e. Close the console.

2. Create the CRL distribution point on LON-SVR2 by performing the following steps:

a. Switch to Server Manager.

b. In Internet Information Services (IIS) Manager, create a new virtual directory named CRLD, and
assign c:\crldist as its home directory.

3. Share and secure the CRL distribution point by performing the following step:

Note: You perform this step to assign permissions to the CRL distribution point.

In the details pane of Windows Explorer, right-click the CRLDist folder, click Properties, and
then grant Full share and NTFS permissions.

4. Publish the CRL to LON-SVR2 by performing the following steps:

Note: This step makes the CRL available on the edge server for Internet-based
DirectAccess clients.

a. Switch to LON-DC1.

b. Start the Certification Authority console.

c. In the console tree, open ADATUMCA, right-click Revoked Certificates, point to All Tasks, and
then click Publish.

5. Complete the DirectAccess Setup Wizard on LON-SVR2 by performing the following steps:

a. On LON-SVR2, open the Server Manager console.

b. In the Server Manager console, start the Remote Access Management console, click
Configuration, and start the Enable DirectAccess Wizard with the following settings:
• Select Groups: DA_Clients
• Network Topology: Edge is selected, and verify that 131.107.0.2 is used by clients to
connect to the Remote Access server.
• Infrastructure Server Setup page: click Next
• Configure Remote Access page: click Next
• In Summary, click Finish to apply the DirectAccess settings

Note: Because the server you already configured is a VPN server, you can use only the
Getting Started Wizard, which generates a self-signed certificate for DirectAccess
communication. The next steps modify the default DirectAccess settings to use the certificates
already deployed from the internal certification authority.

c. In the details pane of the Remote Access Management console, under Step 2, click Edit.

d. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.

e. On the Network Adapters page, verify that CN=131.107.0.2 is used as the certificate to
authenticate the IP-HTTPS connection.

f. On the Authentication page, select Use computer certificates, click Browse, and then select
Adatum Lon-Dc1 CA.

g. On the VPN Configuration page, click Finish.

h. In the details pane of the Remote Access Management console, under Step 3, click Edit.

i. On the Network Location Server page, select The network location server is deployed on
a remote web server (recommended), in the URL of the NLS box type https://nls.adatum.com,
and then click Validate.

j. Ensure that the URL is validated.

k. On the DNS page, examine the values, and then click Next.

l. On the DNS Suffix Search List page, click Next.

m. On the Management page, click Finish.

n. In the details pane of the Remote Access Management console, review the settings for Step 4.

o. In Remote Access Review, click Apply.

p. Under Applying Remote Access Setup Wizard Settings, click Close.


6. Update Group Policy settings on LON-SVR2 by performing the following step:

Open the command prompt, and type the following commands:

gpupdate /force
ipconfig

Note: Verify that LON-SVR2 has an IPv6 address for the Tunnel adapter
IPHTTPSInterface starting with 2002.

Results: After completing this exercise, you will have configured the DirectAccess infrastructure.

Exercise 2: Configuring the DirectAccess Clients


Scenario
After you configure the DirectAccess server and the required infrastructure, you must configure the
DirectAccess clients. You decide to use Group Policy to apply DirectAccess settings to the clients and to
distribute certificates.

The main tasks for this exercise are as follows:

1. Configure Group Policy to configure client settings for DirectAccess.

2. Verify client computer certificate distribution.

3. Verify IP address configuration.



X Task 1: Configure Group Policy to configure client settings for DirectAccess.


1. Switch to LON-SVR3.

2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.
Open the Command Prompt window and then type the following commands:

gpupdate /force
gpresult /R

3. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for
the Computer Settings.

X Task 2: Verify client computer certificate distribution.


1. On LON-SVR3, open the Certificates MMC.

2. Verify that a certificate with the name LON-SVR3.adatum.com is present with Intended Purposes
of Client Authentication and Server Authentication.

3. Close the console window without saving it.

Question: Why did you install a certificate on the client computer?

X Task 3: Verify IP address configuration.


1. On LON-SVR3, open Internet Explorer and go to http://lon-svr1.adatum.com/. The default IIS 8
web page for LON-SVR1 appears.

2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1
appears.

3. Open Windows Explorer, and type \\Lon-SVR1\Files, and then press Enter. You should see a folder
window with the contents of the Files shared folder.
4. Close all open windows.

Results: After completing this exercise, you will have configured the DirectAccess clients.

Exercise 3: Verifying the DirectAccess Configuration


Scenario
When client configuration is completed, it is important to verify that DirectAccess works. You do this by
moving the DirectAccess client to the Internet and trying to access internal resources.

The main tasks for this exercise are as follows:

1. Move the client computer to the Internet virtual network.

2. Verify connectivity to the DirectAccess server.

3. Verify connectivity to the internal network resources.



X Task 1: Move the client computer to the Internet virtual network

Note: To verify the DirectAccess functionality, you must move the client computer to the
Internet.

1. Switch to LON-SVR3.

2. Change the network adapter configuration with the following settings:

o IP address: 131.107.0.10

o Subnet mask: 255.255.0.0

o Default gateway: 131.107.0.2

3. Disable and then re-enable the Local Area Network network adapter.

4. Close the Network Connections window.

5. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network. Click OK.

X Task 2: Verify connectivity to the DirectAccess server


1. On LON-SVR3, open a command prompt, and type the following command:

ipconfig

2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.

3. At the command prompt, type the following command, and then press Enter.

netsh namespace show effectivepolicy

4. At the command prompt, type the following command, and then press Enter.

powershell

5. At the Windows PowerShell command prompt, type the following command, and then press Enter.

Get-DAClientExperienceConfiguration
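The checks in this task combined into one Windows PowerShell function, added here as an example and not part of the course lab. It assumes Windows 8 or Windows Server 2012 with the NetworkTransition, DnsClient and NetworkConnectivityStatus modules, runs on LON-SVR3 after it has been moved to the Internet network, uses lon-dc1.adatum.com from the lab as the probe host, and reads the property names documented for those modules' output.

```powershell
# Added example (not part of the course lab): gathers what the lab inspects by hand
# with ipconfig, netsh namespace show effectivepolicy and the Remote Access console.
# Run on the DirectAccess client (LON-SVR3) while it sits on the Internet network.
function Test-DAClientState {
    [CmdletBinding()]
    param(
        # Internal host that should be reachable only through the DirectAccess tunnel;
        # lon-dc1.adatum.com is the host the lab pings.
        [string]$ProbeHost = "lon-dc1.adatum.com"
    )
    $state = [ordered]@{}

    # 1. IP-HTTPS transition interface: status, last error and the 2002:... address
    #    that the lab expects on "Tunnel adapter IPHTTPSInterface".
    $ipHttps = Get-NetIPHttpsState
    $state.IPHttpsInterfaceStatus = $ipHttps.InterfaceStatus
    $state.IPHttpsLastErrorCode   = $ipHttps.LastErrorCode
    $state.IPHttpsAddress = (Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like 'IPHTTPS*' -and $_.IPAddress -like '2002:*' } |
        Select-Object -ExpandProperty IPAddress)

    # 2. Effective NRPT, the same data netsh namespace show effectivepolicy prints:
    #    the adatum.com suffix should be sent to the DirectAccess DNS server address,
    #    and the NLS name nls.adatum.com should be an exemption (no DNS servers listed),
    #    which is how the client tells the intranet from the Internet.
    $nrpt = Get-DnsClientNrptPolicy -Effective
    $state.NrptRules   = $nrpt | Select-Object -Property Namespace, DirectAccessDnsServers
    $state.NlsExempted = [bool]($nrpt | Where-Object {
        $_.Namespace -eq 'nls.adatum.com' -and -not $_.DirectAccessDnsServers })

    # 3. Status as reported by the Network Connectivity Assistant
    $da = Get-DAConnectionStatus
    $state.DAStatus    = $da.Status
    $state.DASubstatus = $da.Substatus

    # 4. Does an intranet host answer over the tunnel?
    $state.ProbeHostReachable = Test-Connection -ComputerName $ProbeHost -Count 2 -Quiet

    [pscustomobject]$state
}

Test-DAClientState | Format-List
```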

X Task 3: Verify connectivity to the internal network resources


1. Open Internet Explorer and go to http://lon-svr1.adatum.com/. You should see the default IIS 8
web page for LON-SVR1.

2. Open Windows Explorer, type \\LON-SVR1\Files, and then press Enter.

3. You should see a folder window with the contents of the Files shared folder.

4. At the command prompt, type the following command:

ping lon-dc1.adatum.com

Verify that you are receiving replies from lon-dc1.adatum.com.

5. At the command prompt, type the following command, and then press Enter.

gpupdate /force

6. Close all open windows.



7. Switch to LON-SVR2.

8. Start the Remote Access Management console and review the information on Remote Client
Status.

Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in
the bottom-right of the screen, note the use of Kerberos for the Machine and the User.

9. Close all open windows.

Results: After completing this exercise, you will have verified the DirectAccess configuration.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-SVR2, and 20410A-LON-SVR3.



Module Review and Takeaways


Review Questions
Question: What are the main benefits of using DirectAccess for providing remote
connectivity?

Question: How do you configure a DirectAccess server?

Question: How do you configure DirectAccess clients?

Question: How does the DirectAccess client determine if it is connected to the intranet or
the Internet?

Question: What is the use of an NRPT?

Best Practices
Although DirectAccess was already present in Windows 7 and Windows Server 2008 R2, Windows 8
introduces new features for improved manageability, ease of deployment, and improved scale and
performance.

Monitoring of the environment is now much easier with support for Windows PowerShell, Windows
Management Instrumentation (WMI), and GUI monitoring, along with the Network Connectivity Assistant
on the client side.

One of the best enhancements is that DirectAccess can now reach IPv4 servers on your network, and your
servers do not need IPv6 addresses to be exposed through DirectAccess, because your DirectAccess
server acts as a proxy.

For ease of deployment you no longer need public IP addresses on the Internet-facing network. Therefore,
this is a good scenario for a proof of concept. However, if you are concerned about security and if you want
to integrate with NAP, you still need two public addresses.

Consider integrating DirectAccess with your existing Remote Access solution, because Windows Server
2012 can deploy the DirectAccess server behind a NAT device, which is the most common Remote Access
Server (RAS) topology for companies.

Common Issues and Troubleshooting Tips

Common Issue                                                      Troubleshooting Tip

You have configured DirectAccess, but users are complaining
about connectivity issues. You want to troubleshoot those
issues more efficiently.

The DirectAccess client tries to connect to the DirectAccess
server by using IPv6 and IPsec with no success.

Real-world Issues and Scenarios


You are considering implementing DirectAccess in your organization. You are planning to implement
Windows Server 2012 servers. What are the other considerations that you should be aware of?

Tools

Tool: Express Setup, Remote Access Configuration
Use for: A graphical tool that simplifies the configuration of DirectAccess
Where to find it: Server Manager/Tools

Tool: Dnscmd.exe
Use for: A command-line tool used for DNS management
Where to find it: Run from command-line

Tool: Services.msc
Use for: Helps in managing Windows services
Where to find it: Server Manager/Tools

Tool: Gpedit.msc
Use for: Helps in editing the Local Group Policy
Where to find it: Run from command-line

Tool: IPconfig.exe
Use for: A command-line tool that displays current TCP/IP network configuration
Where to find it: Run from command-line

Tool: DNS Manager console
Use for: Helps in configuring name resolution
Where to find it: Server Manager/Tools

Tool: Mmc.exe
Use for: Helps in the creation and management of the Management Console
Where to find it: Run from command-line

Tool: Gpupdate.exe
Use for: Helps in managing Group Policy application
Where to find it: Run from command-line

Tool: Active Directory Users and Computers
Use for: Is useful in configuring group membership for client computers that will be configured with
DirectAccess
Where to find it: Server Manager/Tools

Module 7
Implementing Failover Clustering
Contents:
Module Overview 7-1

Lesson 1: Overview of Failover Clustering 7-2

Lesson 2: Implementing a Failover Cluster 7-13

Lesson 3: Configuring Highly-Available Applications and Services on a
Failover Cluster 7-18

Lesson 4: Maintaining a Failover Cluster 7-22

Lesson 5: Implementing a Multi-Site Failover Cluster 7-27

Lab: Implementing Failover Clustering 7-32

Module Review and Takeaways 7-37

Module Overview
Providing high availability is very important for any organization that wants to provide continuous
services to its users. Failover Clustering is one of the main technologies in Windows Server® 2012 that can
provide high availability for various applications and services. In this module, you will learn about Failover
Clustering, Failover Clustering components, and implementation techniques.

Objectives
After completing this module, you will be able to:
• Describe Failover Clustering.

• Implement a failover cluster.

• Configure highly-available applications and services.

• Maintain a failover cluster.

• Implement multi-site Failover Clustering.



Lesson 1
Overview of Failover Clustering
Failover clusters in Windows Server 2012 provide a high-availability solution for many server roles and
applications. By implementing failover clusters, you can maintain application or service availability if one
or more computers in the failover cluster fail. Before you implement Failover Clustering, you should be
familiar with general high-availability concepts. You must understand clustering terminology and also
how failover clusters work. Also, it is important to be familiar with new clustering features in Windows
Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe availability.

• Describe Failover Clustering improvements in Windows Server 2012.

• Describe failover cluster components.

• Define failover and failback.

• Describe failover cluster networks.

• Describe failover cluster storage.

• Describe a quorum.

• Describe quorum modes.

• Describe Cluster Shared Volumes (CSVs).

What Is Availability?
Availability refers to a level of service that applications, services, or systems provide, and is expressed as
the percentage of time that a service or system is available. Highly-available systems have minimal
downtime—whether planned or unplanned—and are available more than 99 percent of the time,
depending on the needs and the budget of the organization. For example, a system that is unavailable for
8.75 hours per year would have a 99.9 percent availability rating.

To improve availability, you must implement fault-tolerance mechanisms that mask or minimize how
failures of the service's components and dependencies affect the system. You can achieve fault tolerance
by implementing redundancy at single points of failure.

Availability requirements must be expressed so that there are no misunderstandings about the
implications. Miscommunication about service level expectations between the customer and the IT
organization can result in poor business decisions, such as unsuitable investment levels and customer
dissatisfaction.

The availability measurement period can also have a significant effect on the definition of availability.
For example, a requirement for 99.9 percent availability over a one-year period allows for 8.75 hours of
downtime, whereas a requirement for 99.9 percent availability over a rolling four-week window allows for
only 40 minutes of downtime per period.

You also have to identify and negotiate planned outages, such as maintenance activities, service pack
updates, and software updates. These are scheduled outages, and typically are not included as downtime
when calculating the system's availability. You typically calculate availability based on unplanned outages
only. However, you have to negotiate exactly which planned outages you consider as downtime.

Failover Clustering Improvements in Windows Server 2012
Failover Clustering has not significantly changed since Windows Server 2008 R2. However, there are
some new features and technologies in Windows Server 2012 that help increase scalability and
cluster storage availability, and provide better and easier management and faster failover.

The important new features in Windows Server 2012 Failover Clustering include:

• Increased scalability. In Windows Server 2012, a failover cluster can have 64 physical nodes
and can run 4,000 virtual machines on each cluster. This is a significant improvement over
Windows Server 2008 R2, which supports only 16 physical nodes and 1,000 virtual machines per
cluster. Each cluster you create is now available from the Server Manager console. Server Manager in
Windows Server 2012 can discover and manage all clusters created in an Active Directory® Domain
Services (AD DS) domain. If the cluster is deployed in a multi-site scenario, the administrator can now
control which nodes in a cluster have votes for establishing quorum. Failover Clustering scalability is
also improved for virtual machines that are running on clusters. This will be discussed in more detail
in Module 8: Implementing Hyper-V.

• Improved Cluster Shared Volumes (CSVs) volumes. This technology was introduced in Windows Server
2008 R2, and it became very popular for providing virtual machine storage. In Windows Server 2012,
CSV volumes appear as CSV File System and it supports server message block (SMB) version 2.2
storage for Hyper-V and other applications. Also, CSV can use SMB multichannel and SMB Direct to
enable traffic to stream across multiple networks in a cluster. For additional security, you can use
BitLocker Drive Encryption for CSV disks, and you can also make CSV storage visible only to a subset
of nodes in a cluster. For reliability, CSV volumes can be scanned and repaired with zero offline time.

• Cluster-aware updating. Updating cluster nodes required a lot of preparation and planning in earlier
versions of Windows Server, to minimize or avoid downtime. Also, the procedure of updating cluster
nodes was mostly manual, which caused additional administrative effort. In Windows Server 2012, a
new technology is introduced for this purpose. This technology is called Cluster-Aware Updating. This
technology automatically updates cluster nodes with Windows Update hotfixes, by keeping the cluster
online, and minimizing downtime. This technology will be explained in more detail in Lesson 4:
Maintaining a Failover Cluster.

• Active Directory® integration improvements. Since Windows Server 2008, Failover Clustering is
integrated in Active Directory Domain Services (AD DS). In Windows Server 2012, this integration is
improved. Administrators can create cluster computer objects in targeted organizational units (OUs),
or by default in the same OUs as the cluster nodes. This aligns failover cluster dependencies on AD DS
with the delegated domain administration model that is used in many IT organizations. Also, now
failover clusters can be deployed with access only to read-only domain controllers.

• Management improvements. Although Failover Clustering in Windows Server 2012 still uses almost
the same management console and the same administrative techniques, it brings some important
management improvements. The Validation Wizard is improved: the validation speed for large
failover clusters is improved and new tests for CSVs, the Hyper-V role, and virtual machines are
added. Also, new Windows PowerShell cmdlets are available for managing clusters, monitoring
clustered virtual machine applications, and creating highly available iSCSI targets.

Removed and Deprecated Features
In Windows Server 2012 clustering, some features are removed or deprecated. If you are moving from an
older version of Failover Clustering, you should be aware of these features:
• The Cluster.exe command-line tool is deprecated. However, it can be optionally installed with the
Failover Clustering Tools. Failover Clustering Windows PowerShell cmdlets provide functionality that
is generally the same as Cluster.exe commands.

• The Cluster Automation Server (MSClus) COM interface is deprecated, but it can be optionally
installed with the Failover Clustering Tools.

• The support for 32-bit cluster resource DLLs is deprecated, but 32-bit DLLs can be optionally
installed. Cluster resource DLLs should be updated to 64 bit.

• The Print Server role is removed from the High Availability Wizard, and it cannot be configured in
Failover Cluster Manager.

• The Add-ClusterPrintServerRole cmdlet is deprecated, and it is not supported in Windows Server
2012.

Failover Cluster Components
A failover cluster is a group of independent computers that work together to increase the
availability of applications and services. Physical cables and software connect the clustered servers,
known as nodes. If one of the cluster nodes fails, another node begins to provide service. This
process is known as failover. With failover, users experience a minimum of service disruptions.
A Failover Clustering solution consists of several components, which include:

• Nodes. These are computers that are members of a failover cluster. These computers run the
Cluster service and the resources and applications associated with the cluster.

• Network. This is a network across which cluster nodes can communicate with one another and with
clients. There are three types of networks that can be used in a cluster. These networks are discussed
in more detail in the "Failover Cluster Networks" section.

• Resource. This is an entity that is hosted by a node. It is managed by the Cluster service and can be
started, stopped, and moved to another node.

• Cluster storage. This is a storage system that is usually shared between cluster nodes. In some
scenarios, such as clusters of servers running Microsoft® Exchange Server, shared storage is not
required.

• Clients. These are computers (or users) that are using the Cluster service.

• Service or application. This is a software entity that is presented to clients and used by clients.

• Witness. This can be a file share or disk which is used to maintain quorum. Ideally the witness should
be located on a network that is both logically and physically separate from those used by the failover
cluster. However, the witness must remain accessible by all cluster node members. The concepts of
quorum and how the witness comes into play will be examined more closely in the coming lessons of
this module.

In a failover cluster, each node in the cluster:
• Has full connectivity and communication with the other nodes in the cluster.

• Is aware when another node joins or leaves the cluster.

• Is connected to a network through which client computers can access the cluster.

• Is connected through a shared bus or iSCSI connection to shared storage.

• Is aware of the services or applications that are running locally, and the resources that are running on
all other cluster nodes.

Cluster storage usually refers to logical devices—typically hard disk drives or logical unit numbers (LUN)—
that all the cluster nodes attach to, through a shared bus. This bus is separate from the bus that contains
the system and boot disks. The shared disks store resources such as applications and file shares that the
cluster will manage.

A failover cluster typically defines at least two data communications networks: one network enables the
cluster to communicate with clients, and the second, isolated network enables the cluster node members
to communicate directly with one another. If directly-connected shared storage is not being used, then
a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data
storage network.

Most clustered applications and their associated resources are assigned to one cluster node at a time. The
node that provides access to those cluster resources is the active node. If the nodes detect the failure of
the active node for a clustered application, or if the active node is taken offline for maintenance, the
clustered application is started on another cluster node. To minimize the impact of the failure, client
requests are immediately and transparently redirected to the new cluster node.

What Are Failover and Failback?
Failover transfers the responsibility of providing access to resources in a cluster from one node to
another. Failover can occur when an administrator intentionally moves resources to another node for
maintenance, or when unplanned downtime of one node happens because of hardware failure or
other reasons. Also, service failure on an active node can initiate failover to another node.

A failover attempt consists of the following steps:

1. The Cluster service takes all the resources in the instance offline in an order that is determined by
the instance's dependency hierarchy. That is, dependent resources first, followed by the resources on
which they depend. For example, if an application depends on a physical disk resource, the Cluster
service takes the application offline first, which enables the application to write changes to the
disk before the disk is taken offline.

2. After all the resources are offline, the Cluster service attempts to transfer the instance to the node
that is listed next on the instance's list of preferred owners.

3. If the Cluster service successfully moves the instance to another node, it attempts to bring all the
resources online. This time, it starts at the lowermost part of the dependency hierarchy. Failover is
complete when all the resources are online on the new node.

The Cluster service can fail back instances that were originally hosted on the offline node, after the offline
node becomes active again. When the Cluster service fails back an instance, it uses the same procedures
that it performs during failover. That is, the Cluster service takes all the resources in the instance offline,
moves the instance, and then brings all the resources in the instance back online.
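A small model of the ordering the Cluster service applies in steps 1 and 3 above, added here as an example and not taken from the course text; the resource names and the dependency tree are constructed for illustration, in the style of a clustered file share, and no real cluster is involved.

```powershell
# Added example (not from the course text): a model of the resource ordering the Cluster
# service applies during failover. The resource names and dependency tree below are
# constructed for illustration, in the style of a clustered file share.

# Resource -> resources it depends on (these must be online before it).
$dependsOn = @{
    'IP Address'    = @()
    'Network Name'  = @('IP Address')
    'Physical Disk' = @()
    'File Share'    = @('Network Name', 'Physical Disk')
}

# Depth-first visit: a resource is appended only after everything it depends on.
function Add-ResourceInOrder {
    param(
        [string]$Name,
        [hashtable]$DependsOn,
        [hashtable]$Visited,
        [System.Collections.Generic.List[string]]$Order
    )
    if ($Visited.ContainsKey($Name)) { return }
    $Visited[$Name] = $true
    foreach ($dep in $DependsOn[$Name]) {
        Add-ResourceInOrder -Name $dep -DependsOn $DependsOn -Visited $Visited -Order $Order
    }
    $Order.Add($Name)
}

# Online order (step 3): from the lowest part of the dependency hierarchy upwards.
function Get-OnlineOrder {
    param([hashtable]$DependsOn)
    $order   = New-Object 'System.Collections.Generic.List[string]'
    $visited = @{}
    foreach ($name in ($DependsOn.Keys | Sort-Object)) {
        Add-ResourceInOrder -Name $name -DependsOn $DependsOn -Visited $visited -Order $order
    }
    return $order.ToArray()
}

# Offline order (step 1): dependents first, then the resources they depend on,
# which is exactly the online order reversed.
function Get-OfflineOrder {
    param([hashtable]$DependsOn)
    $online = Get-OnlineOrder -DependsOn $DependsOn
    return $online[($online.Count - 1)..0]
}

# Replay the three failover steps and return a log of what the model did.
function Invoke-ModelFailover {
    param([hashtable]$DependsOn, [string]$From, [string]$To)
    $log = @()
    foreach ($r in Get-OfflineOrder -DependsOn $DependsOn) { $log += "$From : take offline  $r" }
    $log += "move instance $From -> $To"
    foreach ($r in Get-OnlineOrder -DependsOn $DependsOn)  { $log += "$To : bring online  $r" }
    return $log
}

Invoke-ModelFailover -DependsOn $dependsOn -From 'NODE1' -To 'NODE2'
```

With the tree above, File Share is taken offline first and IP Address last, and the online pass on the new node runs in the reverse order, matching the physical disk example in step 1.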

Failover Cluster Networks

Networks and network adapters are important parts of each cluster implementation. You cannot configure a cluster without configuring the networks that the cluster will use. A network can perform one of the following roles in a cluster:

• Private network. A private network carries internal cluster communication. By using this network, cluster nodes exchange heartbeats and check for another node or nodes. The failover cluster authenticates all internal communication. However, administrators who are especially concerned about security may want to restrict internal communication to physically secure networks.

• Public network. A public network provides client systems with access to cluster application services. IP address resources are created on networks that provide clients with access to the Cluster service.

• Public-and-private network. A public-and-private network (also known as a mixed network) carries internal cluster communication and connects clients to cluster application services.

When you configure networks in failover clusters, you must also dedicate a network to connect to the shared storage. If you use iSCSI for the shared storage connection, the network will use an IP-based Ethernet communications network. However, you should not use this network for node or client communication. Sharing the iSCSI network in this manner may result in contention and latency issues for both users and for the resource that is being provided by the cluster.

Though not a best practice, you can use the private and public networks for both client and node communications. Preferably, you should dedicate an isolated network for the private node communication. The reasoning for this is similar to that for using a separate Ethernet network for iSCSI, namely to avoid resource bottleneck and contention issues. The public network is configured to allow client connections to the failover cluster. Although the public network can provide backup for the private network, a better design practice is to define alternative networks for the primary private and public networks, or at least to team the network interfaces used for these networks.

The networking features in Windows Server 2012–based clusters include the following:

• The nodes transmit and receive heartbeats by using User Datagram Protocol (UDP) unicast, instead of UDP broadcast (which was used in legacy clusters). The messages are sent on port 3343.

• You can include clustered servers on different IP subnets, which reduces the complexity of setting up multi-site clusters.

• The Failover Cluster Virtual Adapter is a hidden device that is added to each node when you install the Failover Clustering feature. The adapter is assigned a media access control (MAC) address based on the MAC address that is associated with the first enumerated physical network adapter in the node.

• Failover clusters fully support IPv6 for both node-to-node and node-to-client communication.

• You can use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, or assign static IP addresses to all nodes in the cluster. However, if some nodes have static IP addresses and you configure others to use DHCP, the Validate a Configuration Wizard will raise an error. The cluster IP address resources are obtained based on the configuration of the network interface supporting that cluster network.

Failover Cluster Storage

Most Failover Clustering scenarios require shared storage to provide consistent data to a highly-available service or application after failover. There are three shared storage options for a failover cluster:

• Shared serial attached SCSI (SAS). Shared SAS is the lowest cost option. However, it is not very flexible for deployment because the two cluster nodes must be physically close together. In addition, the shared storage devices that are supporting SAS have a limited number of connections for cluster nodes.

• Internet SCSI (iSCSI). iSCSI is a type of storage area network (SAN) that transmits SCSI commands over IP networks. Performance is acceptable for most scenarios when 1 gigabit per second (Gbps) or 10 Gbps Ethernet is used as the physical medium for data transmission. This type of SAN is fairly inexpensive to implement because no specialized networking hardware is required. In Windows Server 2012, you can implement iSCSI target software on any server, and present local storage over an iSCSI interface to clients.

• Fibre channel. Fibre channel SANs typically have better performance than iSCSI SANs, but are much more expensive. Specialized knowledge and hardware are required to implement a fibre channel SAN.

Note: The Microsoft iSCSI Software Target is now an integrated feature in Windows Server 2012. It can provide storage from a server over a TCP/IP network, including shared storage for applications that are hosted in a failover cluster. Also, in Windows Server 2012, a highly-available iSCSI Target Server can be configured as a clustered role by using Failover Cluster Manager or Windows PowerShell®.

Storage Requirements

After you choose the type of storage, you should also be aware of the following storage requirements:

• To use the native disk support included in Failover Clustering, use basic disks and not dynamic disks.

• We recommend that you format the partitions with NTFS. For the disk witness, the partition must be NTFS, because FAT is not supported.

• For the partition style of the disk, you can use either master boot record (MBR) or GUID partition table (GPT).

• Because improvements in failover clusters require that the storage respond correctly to specific SCSI commands, the storage must follow the SCSI Primary Commands-3 (SPC-3) standard. In particular, the storage must support Persistent Reservations, as specified in the SPC-3 standard.

• The miniport driver used for the storage must work with the Microsoft Storport storage driver. Storport offers a higher performance architecture and better Fiber Channel compatibility in Windows systems.

• You must isolate storage devices. That is, one cluster per device. Servers from different clusters must be unable to access the same storage devices. In most cases, a logical unit number (LUN) that is used for one set of cluster servers should be isolated from all other servers through LUN masking or zoning.

• Consider using multipath I/O software. In a highly-available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software. This provides the highest level of redundancy and availability. For Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part of the operating system.

What Is Quorum?

Quorum is the number of elements that must be online for a cluster to continue running. In effect, each element can cast one vote to determine whether the cluster continues to run. Each cluster node is an element that has one vote. If there is an even number of nodes, an additional element, known as a witness, is assigned to the cluster. The witness element can be either a disk or a file share. Each voting element contains a copy of the cluster configuration, and the Cluster service works to keep all copies synchronized at all times.

The cluster will stop providing failover protection if most of the nodes fail or if there is a problem with communication between the cluster nodes. Without a quorum mechanism, each set of nodes could continue to operate as a failover cluster. This results in a partition within the cluster. Quorum prevents two or more nodes from concurrently operating a failover cluster resource. If a clear majority is not achieved between the node members, then the vote of the witness becomes crucial to maintain the validity of the cluster. Concurrent operation could occur when network problems prevent one set of nodes from communicating with another set of nodes. That is, a situation might occur where more than one node tries to control access to a resource. If that resource is, for example, a database application, damage could result. Imagine the consequence if two or more instances of the same database are made available on the

network, or if data was accessed and written to a target from more than one source at a time. If the
application itself is not damaged, the data could easily become corrupted.

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster can
calculate the number of votes that are required for the cluster to continue providing failover protection.
If the number of votes drops below the majority, the cluster stops running. That is, it will not provide
failover protection if there is a node failure. Nodes will still listen for the presence of other nodes, in case
another node appears again on the network, but the nodes will not function as a cluster until a majority
consensus or quorum is achieved.

Note: The full functioning of a cluster depends not just on quorum, but on the capacity of
each node to support the services and applications that fail over to that node. For example, a
cluster that has five nodes could still have quorum after two nodes fail, but each remaining
cluster node would continue serving clients only if it has enough capacity (such as disk space,
processing power, network bandwidth, RAM) to support the services and applications that failed
over to it. An important part of the design process is planning each node’s failover capacity. A
failover node must be able to run its own load and also the load of additional resources that
might failover to it.

The Process of Achieving Quorum


Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster
software on each node stores information about how many votes constitute a quorum for that cluster. If
the number drops below the majority, the cluster stops providing services. Nodes will continue listening
for incoming connections from other nodes on port 3343, in case they appear again on the network, but
the nodes will not begin to function as a cluster until quorum is achieved.

There are several phases a cluster must complete to achieve quorum. As a given node comes up, it
determines whether there are other cluster members that can be communicated with. This process
may be in progress on multiple nodes at the same time. After communication is established with other
members, the members compare their membership “views” of the cluster until they agree on one view
(based on timestamps and other information). A determination is made whether this collection of
members “has quorum;” or has enough members the total of which creates sufficient votes so that a
“split” scenario cannot exist. A “split” scenario means that another set of nodes that are in this cluster are
running on a part of the network inaccessible to these nodes. Therefore, more than one node could be
actively trying to provide access to the same clustered resource. If there are not enough votes to achieve
quorum, the voters (the currently recognized members of the cluster) wait for more members to appear.
After at least the minimum vote total is attained, the Cluster service begins to bring
cluster resources and applications into service. With quorum attained, the cluster becomes fully functional.

Quorum Modes in Windows Server 2012 Failover Clustering

The same quorum modes from Windows Server 2008 are also present in Windows Server 2012. As before, a majority of votes determines whether a cluster achieves quorum. Nodes can vote, and where appropriate, either a disk in cluster storage (known as a disk witness) or a file share (known as a file share witness) can vote. There is also a quorum mode called No Majority: Disk Only, which functions like the disk-based quorum in Windows Server 2003. Other than that mode, there is no single point of failure with the quorum modes, because only the number of votes is important and not whether a particular element is available to vote.

This quorum model is flexible. You can choose the mode best suited to your cluster.

Be aware that, most of the time, it is best to use the quorum mode selected by the cluster software. If you run the Quorum Configuration Wizard, the quorum mode that the wizard lists as “recommended” is the quorum mode chosen by the cluster software. We recommend changing the quorum configuration only if you have determined that the change is appropriate for your cluster.

There are four quorum modes:

• Node Majority. Each node that is available and in communication can vote. The cluster functions only with a majority of the votes. That is, more than half. This model is preferred when the cluster consists of an odd number of server nodes (no witness is needed to maintain or achieve quorum).

• Node and Disk Majority. Each node plus a designated disk in the cluster storage, the disk witness, can vote, when they are available and in communication. The cluster functions only with a majority of the votes. That is, more than half. This model is based on an even number of server nodes being able to communicate with one another in the cluster in addition to the disk witness.

• Node and File Share Majority. Each node plus a designated file share created by the administrator, which is the file share witness, can vote when they are available and in communication. The cluster functions only with a majority of the votes. That is, more than half. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the file share witness.

• No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage. Only the nodes that are also in communication with that disk can join the cluster.

Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters are based on a simple majority vote model. As long as a majority of the votes are available, the cluster continues to function. For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes is not relevant—the vote could be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is not available.

In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are available. This type of quorum also prevents more than one node from assuming the primary role.

Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all nodes are still available. In this mode, the quorum-shared disk is a single point of failure, so this mode is not recommended.

When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically selects one of two default configurations. By default, Failover Clustering selects:

• Node Majority if there is an odd number of nodes in the cluster.

• Node and Disk Majority if there is an even number of nodes in the cluster.

Modify this setting only if you determine that a change is appropriate for your cluster, and ensure that you understand the implications of making the change.

In addition to planning your quorum mode, you should also consider the capacity of the nodes in your cluster, and their ability to support the services and applications that may fail over to that node. For example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail. However, if you have several applications or services deployed on the cluster, each remaining cluster node may not have the capacity to provide services.
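The vote arithmetic described in the three quorum topics above (majority of votes, witness vote, Disk Only veto, and the default mode chosen for odd or even node counts), worked through as an added Windows PowerShell example that is not part of the course. It is pure logic and needs no live cluster; the node counts in the sample calls are constructed.

```powershell
# Added example, not from the course: decide whether a cluster keeps quorum
# for a given quorum mode and set of available voting elements.
function Test-ClusterQuorum {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NodeMajority','NodeAndDiskMajority','NodeAndFileShareMajority','DiskOnly')]
        [string] $Mode,
        [Parameter(Mandatory)] [int] $TotalNodes,
        [Parameter(Mandatory)] [int] $NodesOnline,   # nodes available and in communication
        [bool] $WitnessOnline = $false                # disk or file share witness reachable
    )
    if ($NodesOnline -lt 0 -or $NodesOnline -gt $TotalNodes) {
        throw 'NodesOnline must be between 0 and TotalNodes'
    }

    switch ($Mode) {
        'DiskOnly' {
            # The quorum-shared disk vetoes every other vote: one node plus the disk
            # is enough, and without the disk the cluster stops even if all nodes are up.
            $totalVotes  = 1
            $votesOnline = [int]$WitnessOnline
            $hasQuorum   = $WitnessOnline -and ($NodesOnline -ge 1)
        }
        'NodeMajority' {
            # Only nodes vote; the cluster needs strictly more than half of them.
            $totalVotes  = $TotalNodes
            $votesOnline = $NodesOnline
            $hasQuorum   = $votesOnline -gt ($totalVotes / 2)
        }
        default {
            # NodeAndDiskMajority / NodeAndFileShareMajority: the witness adds one vote,
            # so an even node count becomes an odd number of total votes.
            $totalVotes  = $TotalNodes + 1
            $votesOnline = $NodesOnline + [int]$WitnessOnline
            $hasQuorum   = $votesOnline -gt ($totalVotes / 2)
        }
    }

    [pscustomobject]@{
        Mode        = $Mode
        TotalVotes  = $totalVotes
        VotesOnline = $votesOnline
        VotesNeeded = [math]::Floor($totalVotes / 2) + 1   # smallest count above half
        HasQuorum   = [bool]$hasQuorum
    }
}

# Default the Installation Wizard selects: odd node count -> Node Majority,
# even node count -> Node and Disk Majority.
function Get-DefaultQuorumMode {
    param([Parameter(Mandatory)] [int] $NodeCount)
    if ($NodeCount % 2 -eq 1) { 'NodeMajority' } else { 'NodeAndDiskMajority' }
}

# Constructed cases that follow the text:
# five votes: the cluster keeps running with three available votes, not with two
Test-ClusterQuorum -Mode NodeMajority -TotalNodes 5 -NodesOnline 3
Test-ClusterQuorum -Mode NodeMajority -TotalNodes 5 -NodesOnline 2
# four nodes plus a disk witness: still quorate after two node failures only
# while the witness is reachable (3 of 5 votes versus 2 of 5)
Test-ClusterQuorum -Mode NodeAndDiskMajority -TotalNodes 4 -NodesOnline 2 -WitnessOnline $true
Test-ClusterQuorum -Mode NodeAndDiskMajority -TotalNodes 4 -NodesOnline 2 -WitnessOnline $false
# Disk Only: every node up but the quorum disk lost means the cluster stops
Test-ClusterQuorum -Mode DiskOnly -TotalNodes 4 -NodesOnline 4 -WitnessOnline $false
Get-DefaultQuorumMode -NodeCount 4
```

On a live cluster, Get-ClusterQuorum shows the mode in use and Set-ClusterQuorum (for example, Set-ClusterQuorum -NodeAndDiskMajority "Cluster Disk 1", where the disk name is a placeholder) applies a different one.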

What Are Cluster Shared Volumes?

In a classic failover cluster deployment, only a single node at a time controls a LUN on the shared storage. This means that the other nodes cannot “see” shared storage, until each node becomes an active node. CSV is a technology introduced in Windows Server 2008 R2 which enables multiple nodes to concurrently share a single LUN. Each node obtains exclusive access to individual files on the LUN instead of the whole LUN. In other words, CSVs provide a distributed file access solution so that multiple nodes in the cluster can simultaneously access the same NTFS file system.

In Windows Server 2008 R2, CSVs were designed only for hosting virtual machines running on a Hyper-V server in a failover cluster. This enabled administrators to have a single LUN that hosts multiple virtual machines in a failover cluster. Multiple cluster nodes have access to the LUN, but each virtual machine runs only on one node at a time. If the node on which the virtual machine was running fails, CSV lets the virtual machine be restarted on a different node in the failover cluster. Additionally, this provides simplified disk management for hosting virtual machines compared to each virtual machine requiring a separate LUN.

In Windows Server 2012, CSVs have been additionally enhanced. It is now possible to use CSVs for other roles, and not just Hyper-V. For example, you can now configure the file server role in a failover cluster in a Scale-Out File Server scenario. The Scale-Out File Server is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes of the same cluster. In this context, CSVs in Windows Server 2012 introduce support for a read cache, which can significantly improve performance in certain scenarios. Also, a CSV File System (CSVFS) can perform CHKDSK without affecting applications with open handles on the file system.

Other important improvements in Cluster Shared Volumes in Windows Server 2012 are:

• CSVFS benefits. In Disk Management, CSV volumes now appear as CSVFS. However, this is not a
new file system. The underlying technology is still the NTFS file system, and CSVFS volumes are still
formatted with NTFS. However, because volumes appear as CSVFS, applications can discover that they
are running on CSVs, which helps improve compatibility. And because of a single file namespace, all
files have the same name and path on any node in a cluster.

• Multisubnet support for CSVs. CSVs have been enhanced to integrate with SMB Multichannel to help
achieve faster throughput for CSV volumes.

• Support for BitLocker drive encryption. Windows Server 2012 supports BitLocker volume encryption for
both traditional clustered disks and CSVs. Each node performs decryption by using the computer
account for the cluster itself.

• Support for SMB 3.0 storage. CSVs in Windows Server 2012 provide support for SMB 3.0 storage for
Hyper-V and applications such as Microsoft SQL Server.

• Integration with SMB Multichannel and SMB Direct. This allows CSV traffic to stream across multiple
networks in the cluster and to take advantage of network adapters that support Remote Direct
Memory Access (RDMA).

• Integration with the Storage Spaces feature in Windows Server 2012. This can provide virtualized
storage on clusters of inexpensive disks.

• Ability to scan and repair volumes. CSVs in Windows Server 2012 support the ability to scan and repair
volumes with zero offline time.

Implementing Cluster Shared Volumes


You can configure a CSV only when you create a failover cluster. After you create the failover cluster, you
can enable the CSV for the cluster, and then add storage to the CSV.

Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available.
However, you can convert from regular disk access to CSV after deployment. The following considerations
apply:

• When you convert from regular disk access to CSV, the LUN’s drive letter or mount point is removed.
This means that you must re-create all virtual machines that are stored on the shared storage. If you
must retain the same virtual machine settings, consider exporting the virtual machines, switching to
CSV, and then importing the virtual machines in Hyper-V.

• You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is
using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.

Additional Reading:
Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
Storage Spaces Overview
http://technet.microsoft.com/en-us/library/hh831739.aspx

Lesson 2
Implementing a Failover Cluster

Failover clusters in Windows Server 2012 have specific recommended hardware and software configurations that enable Microsoft to support the cluster. Failover clusters are intended to provide a higher level of service than stand-alone servers. Therefore, cluster hardware requirements are frequently stricter than requirements for stand-alone servers.

This lesson describes how to prepare for cluster implementation and also discusses the hardware, network, storage, infrastructure, and software requirements for Windows Server 2012 failover clusters. This lesson also outlines the steps for using the Validate a Configuration Wizard to ensure correct cluster configuration.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how to prepare for implementing Failover Clustering.

• Describe hardware requirements for Failover Clustering.

• Describe network requirements for Failover Clustering.

• Describe infrastructure requirements for Failover Clustering.

• Describe software requirements for Failover Clustering.

• Validate and configure a cluster.

Preparing for Implementing Failover Clustering

Before you implement Failover Clustering technology, you must identify services and applications that you want to make highly available. Failover clustering cannot be applied to all applications. Also, you should be aware that Failover Clustering does not provide improved scalability by adding nodes. You can only obtain scalability by scaling up and using more powerful hardware for the individual nodes. Therefore, you should only use Failover Clustering when your goal is high availability, instead of scalability.

Failover clustering is best suited for stateful applications that are restricted to a single set of data. One example of such an application is a database. Data is stored in a single location and can only be used by one database instance. You can also use Failover Clustering for Hyper-V virtual machines.

Failover clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications. Both IP version 4 (IPv4) and IP version 6 (IPv6) are supported.

The best results for Failover Clustering occur when the client can reconnect to the application automatically after failover. If the client does not reconnect automatically, then the user must restart the client application.

Consider the following guidelines when planning node capacity in a failover cluster:

• Spread out the highly-available applications from a failed node. When all nodes in a failover cluster are active, the highly-available services or applications from a failed node should be spread out among the remaining nodes to prevent a single node from being overloaded.

• Ensure that each node has sufficient idle capacity to service the highly-available services or applications that are allocated to it when another node fails. This idle capacity should be a sufficient buffer to avoid nodes running at near capacity after a failure event. Failure to adequately plan resource utilization can result in a decrease in performance following node failure.

• Use hardware with similar capacity for all nodes in a cluster. This simplifies the planning process for failover because the failover load will be evenly distributed among the surviving nodes.

• Use standby servers to simplify capacity planning. When a passive node is included in the cluster, then all highly-available services or applications from a failed node can be failed over to the passive node. This avoids the need for complex capacity planning. If this configuration is selected, it is important that the standby server has sufficient capacity to run the load from more than one node failure.

You should also examine all cluster configuration components to identify single points of failure. You can remedy many single points of failure with simple solutions, such as adding storage controllers to separate and stripe disks, teaming network adapters, and using multipathing software. These solutions reduce the probability that a failure of a single device will cause a failure in the cluster. Typically, server class computer hardware has options for multiple power supplies for power redundancy, and for creating redundant array of independent disks (RAID) sets for disk data redundancy.

Hardware Requirements for Failover Cluster Implementation

It is very important to make good decisions when you select hardware for cluster nodes. Failover clusters have to satisfy the following criteria to meet availability and support requirements:

• All hardware that you select for a failover cluster should meet the “Certified for Windows Server 2012” logo requirements. Hardware that has this logo was independently tested to meet the highest technical bar for reliability, availability, stability, security, and platform compatibility. Also, this means that official support options exist in case malfunctions arise.

• You should install the same or similar hardware on each failover cluster node. For example, if you choose a specific model of network adapter, you should install this adapter on each of the cluster nodes.

• If you are using Serial Attached SCSI or Fiber Channel storage connections, the mass-storage device controllers that are dedicated to the cluster storage should be identical in all clustered servers. They should also use the same firmware version.

• If you are using iSCSI storage connections, each clustered server must have one or more network adapters or host bus adapters dedicated to the cluster storage. The network that you use for iSCSI storage connections should not be used for network communication. In all clustered servers, the network adapters that you use to connect to the iSCSI storage target should be identical, and we recommend that you use Gigabit Ethernet or more.

• After you configure the servers with the hardware, all tests provided in the Validate a Configuration Wizard must be passed before the cluster is considered a configuration that is supported by Microsoft.

Network Requirements for Failover Cluster Implementation

Failover cluster network components must have the Certified for Windows Server 2012 logo and also pass the tests in the Validate a Configuration Wizard. Additionally:

• The network adapters in each node should be identical and have the same IP protocol version, speed, duplex, and flow control capabilities that are available.

• The networks and network equipment to which you connect the nodes should be redundant so that even a single failure allows for the nodes to continue communicating with one another. You can use network adapter teaming to provide single network redundancy. We recommend multiple networks to provide multiple paths between nodes for inter-node communication; otherwise, a warning will be generated during the validation process.

• The network adapters in a cluster network must have the same IP address assignment method, which means either that they all use static IP addresses or that they all use DHCP.

Note: If you connect cluster nodes with a single network, the network passes the redundancy requirement in the Validate a Configuration Wizard. However, the report from the wizard will include a warning that the network should not have single points of failure.
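The adapter-consistency and IP-assignment requirements above, checked across the prospective nodes and followed by the network tests of the Validate a Configuration Wizard, as an added Windows PowerShell example that is not part of the course. It assumes PowerShell remoting is enabled on the nodes; the node names and report path are placeholders.

```powershell
# Added example, not from the course: verify that the physical adapters on each
# prospective node match in link speed, duplex and IPv4 assignment method, then
# run the Network category of cluster validation with Test-Cluster.
# Assumptions: remoting is enabled on the nodes; names and paths are placeholders.
Import-Module FailoverClusters
$nodes = 'NODE1', 'NODE2'   # placeholder node names

# Gather, from every node, the settings the requirements say must match.
$adapters = Invoke-Command -ComputerName $nodes -ScriptBlock {
    Get-NetAdapter -Physical | ForEach-Object {
        $ipIf = Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4
        [pscustomobject]@{
            Node       = $env:COMPUTERNAME
            Name       = $_.Name
            LinkSpeed  = $_.LinkSpeed
            FullDuplex = $_.FullDuplex
            Dhcp       = [string]$ipIf.Dhcp    # 'Enabled' (DHCP) or 'Disabled' (static)
        }
    }
}

function Find-AdapterMismatch {
    # Returns one object per adapter name whose speed, duplex or IP assignment
    # method differs between nodes, or which is missing on some node.
    param([Parameter(Mandatory)] [object[]] $Adapters)
    $nodeCount = @($Adapters.Node | Sort-Object -Unique).Count
    foreach ($group in ($Adapters | Group-Object Name)) {
        $speeds = @($group.Group.LinkSpeed  | Sort-Object -Unique)
        $duplex = @($group.Group.FullDuplex | Sort-Object -Unique)
        $dhcp   = @($group.Group.Dhcp       | Sort-Object -Unique)
        if ($group.Count -ne $nodeCount -or $speeds.Count -gt 1 -or
            $duplex.Count -gt 1 -or $dhcp.Count -gt 1) {
            [pscustomobject]@{
                Adapter    = $group.Name
                NodesSeen  = $group.Count
                LinkSpeeds = $speeds -join ', '
                FullDuplex = $duplex -join ', '
                Dhcp       = $dhcp -join ', '
            }
        }
    }
}

$mismatches = @(Find-AdapterMismatch -Adapters $adapters)
if ($mismatches.Count -gt 0) {
    Write-Warning 'Adapter settings differ between nodes; validation will report them.'
    $mismatches | Format-Table -AutoSize
}

# Run only the Network category of the validation tests and write the HTML report.
# A cluster joined by a single network passes the redundancy test, but the report
# carries the single-point-of-failure warning described in the note above.
Test-Cluster -Node $nodes -Include 'Network' -ReportName 'C:\ClusterReports\network-validation'
```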

Infrastructure Requirements for Failover Cluster

Failover clusters depend on infrastructure services. Each server node must be in the same Active Directory domain, and if you use Domain Name System (DNS), the nodes should use the same DNS servers for name resolution.

We recommend that you install the same Windows Server 2012 features and roles on each node. Inconsistent configuration on cluster nodes can cause instability and performance issues. In addition, you should not install the AD DS role on any of the cluster nodes because AD DS has its own fault-tolerance mechanism. If you install the AD DS role on one of the nodes, you must install it on all nodes.

You must have the following network infrastructure for a failover cluster:

• Network settings and IP addresses. When you use identical network adapters for a network, also use identical communication settings on those adapters such as speed, duplex mode, flow control, and media type. Also, compare the settings between the network adapter and the switch it connects to, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss might occur, which could adversely affect how the cluster nodes communicate among themselves, with clients, or with storage systems.

• Unique subnets. If you have private networks that are not routed to the rest of the network infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even if you give each network adapter a unique IP address. For example, if you have a cluster node in a central office that uses one physical network, and another node in a branch office that uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This avoids routing loops and other network communications problems if, for example, the segments are accidentally configured into the same collision domain because of incorrect vLAN assignments.

• DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol is a supported configuration.

• Domain role. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server because AD DS inherently includes its own failover protection mechanism.

• Account for administering the cluster. When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has administrator rights and permissions on all se
ervers
in that clusterr. The accountt does not have to be a Dom main Admins acccount, but caan be a Domain
Users account that is in the Administrators group on eaach clustered sserver. In addittion, if the acccount
is not a Doma ain Admins acccount, the acccount (or the g group that the account is a m member of) mu ust be
given the Creeate Computerr Objects perm mission in the ddomain.
In Windows
W Serveer 2012, there is no cluster se
ervice accountt. Instead, the C Cluster service
e the Cluster se
ervice
autoomatically runs in a special context
c that prrovides the speecific permissions and crede entials that are
e
necessary for the service (similar to the local system
s contextt, but with redduced credentiials). When a
failo
over cluster is created
c and a corresponding g computer ob d in AD DS, that object is
bject is created
configured to pre event accidentaal deletion. Alsso, the cluster Network Nam me resource haas additional health
check logic, which h periodically checks
c the heaalth and propeerties of the co omputer objecct that represents
the Network Nam me resource.

Software Requirements for Failover Cluster Implementation
Failover clusters require that each cluster node must run the same edition of Windows Server 2012. The edition can be either Windows Server 2012 Enterprise or Windows Server 2012 Datacenter. The nodes should also have the same software updates and service packs. Depending on the role that will be clustered, a Server Core installation may also meet the software requirements. However, you cannot install Server Core and full editions in the same cluster.

It is also very important that the same version of service packs or any operating system updates exist on all nodes that are part of a cluster.

Note: Windows Server 2012 provides Cluster-Aware Updating technology that can help
you maintain updates on cluster nodes. This feature will be discussed in more detail in Lesson 4:
Maintaining a Failover Cluster.

Each node must run the same processor architecture. This means that each node must have the same
processor family, which might be the Intel Xeon processor family with Extended Memory 64Technology,
the AMD Opteron AMD64 family, or the Intel Itanium–based processor family.

Demonstration: Validating and Configuring a Failover Cluster


The Validate a Configuration Wizard runs tests that confirm if the hardware and hardware settings are
compatible with Failover Clustering. Using the wizard, you can run the complete set of configuration tests
or a subset of the tests. We recommend that you run the tests on servers and storage devices before you
configure the failover cluster, and again after any major changes are made to the cluster. You can access
the test results in the %windir%\cluster\Reports directory.

Demonstration Steps
1. Start Failover Cluster Manager on the LON-SVR3 machine.

2. Start the Validate Configuration Wizard. Add LON-SVR3 and LON-SVR4 as cluster nodes.

3. Review the report.

4. Create a new cluster. Add LON-SVR3 and LON-SVR4 as cluster nodes.

5. Name the cluster Cluster1.

6. Use 172.16.0.125 as the IP address.
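The demonstration above can be scripted with the FailoverClusters Windows PowerShell module. The following is an added example and not part of the course material; it assumes an elevated session on LON-SVR3 under an account that is a local Administrator on both nodes (see "Account for administering the cluster" above), and it uses the node names, cluster name, and IP address from the demonstration. The text match on the validation report is a coarse check of my own, not something the cmdlet provides.

```powershell
# Added example (not from the course): validate two nodes, then create the
# cluster from the demonstration with the FailoverClusters module.
Import-Module FailoverClusters

$nodes = 'LON-SVR3', 'LON-SVR4'

# Step 2: run the validation tests before creating the cluster. Test-Cluster
# writes an MHTML report (also copied to %windir%\cluster\Reports on the
# nodes) and returns the report file. -Include limits the run to the named
# test categories; omit it to run the complete set.
$report = Test-Cluster -Node $nodes -Include 'Inventory', 'Network', 'System Configuration', 'Storage'
Write-Host "Validation report: $($report.FullName)"

# Step 3: review the report. As a coarse automated check (assumption: the
# report marks unsuccessful tests with the word "Failed"), stop here if any
# test failed; warnings such as a single network still need a manual read.
if ((Get-Content -Path $report.FullName -Raw) -match 'Failed') {
    throw "Validation reported failures; review $($report.FullName) before creating the cluster."
}

# Steps 4 to 6: create the cluster with a static management address. The
# computer object created in AD DS is protected from accidental deletion.
$cluster = New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress '172.16.0.125'

# Confirm that every node joined and that the core resources (cluster name
# and IP address) came online.
Get-ClusterNode -Cluster $cluster.Name | Format-Table Name, State -AutoSize
Get-ClusterResource -Cluster $cluster.Name |
    Where-Object { $_.OwnerGroup.Name -eq 'Cluster Group' } |
    Format-Table Name, ResourceType, State -AutoSize
```

Running the validation from PowerShell rather than the wizard makes it easy to repeat after every hardware or storage change, which is what the text recommends.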


Lesson 3
Configuring Highly-Available Applications and Services on a Failover Cluster
After you have configured the clustering infrastructure, you should configure a specific role or service to be highly available. Not all roles can be clustered. Therefore, you should first identify the resource that you want to put in a cluster and check whether it is supported. In this lesson, you will learn about configuring roles and applications in clusters as well as about configuring cluster settings.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe and identify cluster resources and services.

• Describe the process for clustering server roles.

• Configure a cluster role.

• Describe how to configure cluster properties.

• Describe how to manage cluster nodes.

• Describe how to configure application failover settings.

Identifying Cluster Resources and Services
A clustered service that contains an IP address resource and a network name resource (and other resources) is published to a client on the network under a unique server name. Because this group of resources is displayed as a single logical server to clients, it is called a cluster instance.

Users access applications or services on an instance in the same manner they would if the applications or services were on a nonclustered server. Usually, applications or users do not know that they are connecting to a cluster, or which node they are connected to.

Resources are physical or logical entities, such as a file share, disk, or IP address, that the failover cluster manages. Resources may provide a service to clients or may be an important part of the cluster. Resources are the most basic and smallest configurable unit. At any time, a resource can run only on a single node in a cluster, and it is online on a node when it provides its service on that specific node.

Server Cluster Resources
A cluster resource is any physical or logical component that has the following characteristics:

• It can be brought online and taken offline.

• It can be managed in a server cluster.

• It can be hosted (owned) by only one node at a time.

To manage resources, the Cluster service communicates with a resource DLL through a resource monitor. When the Cluster service makes a request of a resource, the resource monitor calls the appropriate entry-point function in the resource DLL to check and control the resource state.

Dependent Resources
A dependent resource is one that requires another resource to operate. For example, a network name must be associated with an IP address. Because of this requirement, a network name resource depends on an IP address resource. Dependent resources are taken offline before the resources upon which they depend are taken offline; similarly, they are brought online after the resources on which they depend are brought online. A resource can specify one or more resources on which it is dependent. Resource dependencies also determine bindings. For example, clients will be bound to the particular IP address that a network name resource depends on.

When you create resource dependencies, consider the fact that, although some dependencies are strictly required, others are not required but are recommended. For example, a file share that is not a Distributed File System (DFS) root has no required dependencies. However, if the disk resource that holds the file share fails, the file share will be inaccessible to users. Therefore, it is logical to make the file share dependent on the disk resource.

A resource can also specify a list of nodes on which it can run. Possible nodes and dependencies are important considerations when administrators organize resources into groups.

The Process for Clustering Server Roles
Failover clustering supports the clustering of several Windows Server roles, such as File Services, DHCP, and Hyper-V. To implement clustering for a server role, or for external applications such as SQL Server or Exchange Server, perform the following procedure:

1. Install the Failover Clustering feature. Use Server Manager or Ocsetup to install the Failover Clustering feature on all computers that will be cluster members.

2. Verify configuration and create a cluster with the appropriate nodes. Use the Failover Cluster Management snap-in to first validate a configuration, and then create a cluster with selected nodes.

3. Install the role on all cluster nodes. Use Server Manager to install the server role that you want to use in the cluster.

4. Create a clustered application by using the Failover Clustering Management snap-in.

5. Configure the application. Configure options on the application that is being used in the cluster.

6. Test failover. Use the Failover Cluster Management snap-in to test failover by intentionally moving the service from one node to another.

After the cluster is created, you can monitor its status by using the Failover Cluster Management console, and manage available options.

Demonstration: Clustering a File Server Role
Demonstration Steps
1. Open Failover Cluster Manager and verify that three Cluster Disks are available.

2. Start the Configure Role Wizard and configure the File Server as a clustered role.

3. For the Client Access Point, use the name AdatumFS and the IP address 172.16.0.130.

4. Select Cluster Disk 2 as the storage for the File Server role.
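The six-step procedure from the previous topic and the demonstration above, carried out with PowerShell, as an added example that is not part of the course material. It assumes that Cluster1 already exists with nodes LON-SVR3 and LON-SVR4 (steps 1 and 2), that the clustered disk is named "Cluster Disk 2", and that the AdatumFS name and 172.16.0.130 address from the demonstration are used.

```powershell
# Added example (not from the course): cluster the File Server role and
# test failover on Cluster1 with the FailoverClusters module.
Import-Module FailoverClusters

$nodes       = 'LON-SVR3', 'LON-SVR4'
$clusterName = 'Cluster1'
$roleName    = 'AdatumFS'

# Step 3: install the role on every node, not only the one you are logged on to.
foreach ($node in $nodes) {
    Install-WindowsFeature -Name FS-FileServer -ComputerName $node | Out-Null
}

# Step 4: create the clustered File Server role with its client access point
# (network name AdatumFS, IP address 172.16.0.130) on Cluster Disk 2.
Add-ClusterFileServerRole -Cluster $clusterName -Name $roleName `
    -Storage 'Cluster Disk 2' -StaticAddress '172.16.0.130' | Out-Null

# Step 5: inspect the dependencies the role was created with. The network
# name depends on the IP address and the file server resource on the disk,
# exactly the chain described under "Dependent Resources".
Get-ClusterResource -Cluster $clusterName |
    Where-Object { $_.OwnerGroup.Name -eq $roleName } |
    ForEach-Object { Get-ClusterResourceDependency -Cluster $clusterName -Resource $_.Name }

# Step 6: test failover by moving the group to the other node and checking
# that it comes online there.
$group  = Get-ClusterGroup -Cluster $clusterName -Name $roleName
$target = $nodes | Where-Object { $_ -ne $group.OwnerNode.Name } | Select-Object -First 1
$moved  = Move-ClusterGroup -Cluster $clusterName -Name $roleName -Node $target
if ($moved.State -ne 'Online') {
    throw "$roleName is in state $($moved.State) on $target; check the cluster events."
}
"$roleName is online on $($moved.OwnerNode.Name)"
```

Moving the group with Move-ClusterGroup is the scripted equivalent of the "Move this service or application" action in the console; a role that fails to come online on the second node usually points to a role or storage that is not installed identically on both nodes.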

Failover Cluster Management Tasks
You can perform several failover cluster management tasks. These tasks range from adding and removing cluster nodes to modifying the quorum settings. Some of the most frequently used configuration tasks include:

• Managing cluster nodes – For each node in a cluster, you can stop the cluster service temporarily, pause it, initiate a remote desktop session to the node, or evict the node from the cluster.

• Managing cluster networks – You can add or remove cluster networks, and you can also configure networks that will be dedicated just for inter-cluster communication.

• Managing permissions – By managing permissions, you delegate rights to administer the cluster.

• Configuring cluster quorum settings – By configuring quorum settings, you determine how quorum is achieved as well as who can have a vote in a cluster.

• Migrating services and applications to a cluster – You can implement existing services in the cluster and make them highly available.

• Configuring new services and applications to work in a cluster – You can implement new services in the cluster.

• Removing a cluster.

You can perform most of these administrative tasks by using the Failover Cluster Management console.

Managing Cluster Nodes
Cluster nodes are mandatory for each cluster. After you create a cluster and put it into production, you might have to manage cluster nodes occasionally.

There are three aspects to managing cluster nodes:

• You can add a node to an established failover cluster by selecting Add Node in the Failover Cluster Management Actions pane. The Add Node Wizard prompts you for information about the additional node.

• You can pause a node to prevent resources from being failed over or moved to the node. You typically pause a node when a node is undergoing maintenance or troubleshooting.

• You can evict a node, which is an irreversible process for a cluster node. After you evict the node, it must be re-added to the cluster. You evict nodes when a node is damaged beyond repair or is no longer needed in the cluster. If you evict a damaged node, you can repair or rebuild it, and then add it back to the cluster by using the Add Node Wizard.

You can manage cluster nodes by using the Failover Cluster Management console.
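The three node-management operations described above, as an added example that is not part of the course material. It assumes Cluster1 from the demonstrations, uses a hypothetical third node named LON-SVR5 for the add and evict steps, and requires the account rights described under "Account for administering the cluster".

```powershell
# Added example (not from the course): add, pause/resume, and evict cluster
# nodes on Cluster1 with the FailoverClusters module. LON-SVR5 is a
# hypothetical node used only for this example.
Import-Module FailoverClusters
$clusterName = 'Cluster1'

# Add a node. The account running this must have administrator rights on the
# new node and the Create Computer Objects permission (or be in Domain Admins).
Add-ClusterNode -Cluster $clusterName -Name 'LON-SVR5'

# Pause a node for maintenance. -Drain moves the roles it owns to other nodes
# first, so nothing is left running on it while it is paused.
Suspend-ClusterNode -Cluster $clusterName -Name 'LON-SVR4' -Drain

# ... maintenance or troubleshooting on LON-SVR4 happens here ...

# Resume the node. -Failback Immediate returns the roles that were drained.
Resume-ClusterNode -Cluster $clusterName -Name 'LON-SVR4' -Failback Immediate

# Evict a node that is damaged beyond repair. This is irreversible: the node
# must be rebuilt and re-added with Add-ClusterNode. Refuse to evict while
# the node still owns roles, which would otherwise fail over abruptly.
$owned = Get-ClusterGroup -Cluster $clusterName | Where-Object { $_.OwnerNode.Name -eq 'LON-SVR5' }
if ($owned) {
    throw "LON-SVR5 still owns $($owned.Name -join ', '); drain it first."
}
Remove-ClusterNode -Cluster $clusterName -Name 'LON-SVR5' -Force

Get-ClusterNode -Cluster $clusterName | Format-Table Name, State -AutoSize
```

Draining before a pause is the safe default: a paused node that still owns a role keeps serving it, but the role can no longer fail over to that node if it is moved away, which is the situation the pause is meant to avoid.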

Configuring Application Failover Settings
You can adjust the failover settings, including preferred owners and failback settings, to control how the cluster responds when the application or service fails. You can configure these settings on the property sheet for the clustered service or application (on the General tab or on the Failover tab). The following table provides examples that show how these settings work.

Example 1
Setting: General tab, Preferred owner: Node1
Setting: Failover tab, Failback setting: Allow failback (Immediately)
Result: If the service or application fails over from Node1 to Node2, when Node1 is again available, the service or application will fail back to Node1.

Example 2
Setting: Failover tab, Maximum failures in the specified period: 2
Setting: Failover tab, Period (hours): 6
Result: In a six-hour period, if the application or service fails no more than two times, it will be restarted or failed over every time. If the application or service fails a third time in the six-hour period, it will be left in the failed state. The default value for the maximum number of failures is n-1, where n is the number of nodes. You can change the value, but we recommend a fairly low value so that if multiple node failures occur, the application or service will not be moved between nodes indefinitely.
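Both examples from the table, applied to the AdatumFS role on Cluster1 with PowerShell, as an added example that is not part of the course material. It assumes the role and cluster from the earlier demonstrations, with LON-SVR3 standing in for Node1, and it relies on the cluster group properties AutoFailbackType, FailbackWindowStart, FailbackWindowEnd, FailoverThreshold and FailoverPeriod, which the property sheet writes to the same cluster database.

```powershell
# Added example (not from the course): set preferred owner, failback and
# failure-threshold settings on a clustered role.
Import-Module FailoverClusters
$clusterName = 'Cluster1'
$roleName    = 'AdatumFS'

# Example 1: preferred owner. Owners are listed in priority order; the first
# entry is the preferred owner (the General tab list).
Set-ClusterOwnerNode -Cluster $clusterName -Group $roleName -Owners 'LON-SVR3', 'LON-SVR4'

$group = Get-ClusterGroup -Cluster $clusterName -Name $roleName

# Example 1: "Allow failback (Immediately)". AutoFailbackType 1 allows
# failback (0 prevents it); a window of -1/-1 places no time restriction on
# it, which is the "Immediately" option. To allow failback only between
# 22:00 and 04:00, for example, set the window to 22 and 4 instead.
$group.AutoFailbackType    = 1
$group.FailbackWindowStart = -1
$group.FailbackWindowEnd   = -1

# Example 2: at most 2 failures in a 6-hour period; a third failure leaves
# the role in the Failed state instead of bouncing it between nodes.
$group.FailoverThreshold = 2
$group.FailoverPeriod    = 6

# Read the settings back to confirm they were stored in the cluster database.
Get-ClusterOwnerNode -Cluster $clusterName -Group $roleName
Get-ClusterGroup -Cluster $clusterName -Name $roleName |
    Select-Object Name, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd,
                  FailoverThreshold, FailoverPeriod
```

A low FailoverThreshold combined with a short FailoverPeriod is the setting that keeps a role with a persistent application fault from being failed over repeatedly across every node, which is the "moved between nodes indefinitely" case the text warns about.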

Lesson 4
Maintaining a Failover Cluster
When the cluster infrastructure is up and running, it is very important to establish monitoring to prevent possible failures. Also, it is important to have backup and restore procedures for the cluster configuration. In Windows Server 2012, there is a new technology that lets you update cluster nodes without downtime. In this lesson, you will learn about monitoring, backup, and restore and about updating cluster nodes.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how to monitor failover clusters.

• Describe how to back up and restore cluster configuration.

• Describe how to troubleshoot failover clusters.

• Describe Cluster-Aware Updating.

• Configure Cluster-Aware Updating.

Monitoring Failover Clusters
Many tools are available to help you monitor failover clusters. You can use standard Windows Server tools, such as the Event Viewer and the Performance and Reliability Monitor snap-in, to review cluster event logs and performance metrics. You can also use Cluster.exe and Tracerpt.exe to export data for analysis. Additionally, you can use the MHTML-formatted cluster configuration reports and the Validate a Configuration Wizard to troubleshoot problems with the cluster configuration and hardware changes.

Event Viewer
When problems arise in the cluster, use the Event Viewer to view events with a Critical, Error, or Warning severity level. Additionally, informational level events are logged to the Failover Clustering Operations log, which can be found in the Event Viewer in the Applications and Services Logs\Microsoft\Windows folder. Informational-level events are usually common cluster operations, such as cluster nodes leaving and joining the cluster, or resources going offline or coming online.

In previous Windows Server versions, event logs were replicated to each node in the cluster. This simplified cluster troubleshooting, because you could review all event logs on a single cluster node. Windows Server 2012 does not replicate the event logs between nodes. However, the Failover Cluster Management snap-in has a Cluster Events option that enables you to view and filter events across all cluster nodes. This feature is helpful in correlating events across cluster nodes.

The Failover Cluster Management snap-in also provides a Recent Cluster Events option that will query all the Error and Warning events from all the cluster nodes in the last 24 hours.

You can access additional logs, such as the Debug and Analytic logs, in the Event Viewer. To display these logs, modify the view on the top menu by selecting the Show Analytic and Debug Logs options.

Windows Event Tracing
Windows event tracing is a kernel component that is available early after startup, and late into shutdown. It is designed to allow for fast tracing and delivery of events to trace files and to consumers. Because it is designed to be fast, it enables only basic in-process filtering of events based on event attributes.

The event trace log contains a comprehensive accounting of the failover cluster actions. Depending on how you want to view the data, use either Cluster.exe or Tracerpt.exe to access the information in the event trace log.

Tracerpt.exe will parse the event trace logs only on the node on which it is run. All the individual logs are collected in a central location. To transform the XML file into a text file or an HTML file that can be opened in Internet Explorer®, you can parse the XML-based file by using the Microsoft XSL parsing command prompt utility msxsl.exe, and an XSL style sheet.
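The Event Viewer topic and the event tracing topic above both describe data that is kept per node and has to be gathered from every node. The following added example (not part of the course material) does both in PowerShell: it reproduces the Recent Cluster Events query (Error and Warning events from all nodes in the last 24 hours) and it uses Get-ClusterLog, the cmdlet equivalent of exporting the event trace with Cluster.exe, to produce one text log per node. It assumes Cluster1 from the demonstrations, name resolution and remote event log access to each node, and a destination folder of C:\ClusterLogs; the ERR line count at the end is a triage filter of my own.

```powershell
# Added example (not from the course): gather Critical/Error/Warning events
# from every node of Cluster1 and generate the per-node cluster log from the
# event trace.
Import-Module FailoverClusters
$clusterName = 'Cluster1'
$since       = (Get-Date).AddHours(-24)
$nodes       = (Get-ClusterNode -Cluster $clusterName).Name

# Level 1 = Critical, 2 = Error, 3 = Warning. The Operational log is the one
# under Applications and Services Logs\Microsoft\Windows\FailoverClustering.
$recent = foreach ($node in $nodes) {
    Get-WinEvent -ComputerName $node -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-FailoverClustering/Operational'
        Level     = 1, 2, 3
        StartTime = $since
    } | Select-Object @{ n = 'Node'; e = { $node } }, TimeCreated, Id, LevelDisplayName, Message
}

# Sort across nodes by time, as the Cluster Events view does, so that a
# resource failure on one node lines up with the failover on the next.
$recent | Sort-Object TimeCreated |
    Format-Table Node, TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# Get-ClusterLog converts the ETW trace (the data Tracerpt.exe would parse)
# into <NodeName>_cluster.log text files, one per node, in the destination
# folder. -TimeSpan limits the output to the most recent N minutes.
New-Item -ItemType Directory -Path 'C:\ClusterLogs' -Force | Out-Null
Get-ClusterLog -Cluster $clusterName -Destination 'C:\ClusterLogs' -TimeSpan 60 | Out-Null

# Quick triage: count error-level lines per node in the generated logs.
Get-ChildItem -Path 'C:\ClusterLogs\*_cluster.log' | ForEach-Object {
    [pscustomobject]@{
        Node       = $_.BaseName
        ErrorLines = (Select-String -Path $_.FullName -Pattern '\bERR\b').Count
    }
}
```

Because Windows Server 2012 no longer replicates event logs between nodes, a collection like this, run from one place and sorted by time, is what replaces the single-node review that was possible in earlier versions.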

Performance and Reliability Monitor Snap-In
The Performance and Reliability Monitor snap-in lets you:

• Trend application performance on each node. To determine how an application is performing, you can view and trend specific information on system resources that are being used on each node.

• Trend application failures and stability on each node. You can pinpoint when application failures occur and match the application failures with other events on the node.

• Modify trace log settings. You can start, stop, and adjust trace logs, including their size and location.
Backing Up and Restoring Failover Cluster Configuration
Cluster configuration can be a time-consuming process with many details, and so backup of the cluster configuration is very important. You can perform backup and restore of the cluster configuration with Windows Server Backup or a third-party backup tool.

When you back up the cluster configuration, be aware of the following:

• You must test your backup and recovery process before putting a cluster into production.

• You must first add the Windows Server Backup feature, if you decide to use it. You can do this by using Server Manager.

Windows Server Backup is the built-in backup and recovery software for Windows Server 2012. To complete a successful backup, consider the following:

• For a backup to succeed in a failover cluster, the cluster must be running and must have quorum. In other words, enough nodes must be running and communicating (perhaps with a witness disk or witness file share, depending on the quorum configuration) that the cluster has achieved quorum.

• You must back up all clustered applications. If you cluster a Microsoft SQL Server® database, you must have a backup plan for the databases and configuration outside the cluster configuration.

• If application data must be backed up, the disks that you store the data on must be made available to the backup software. You can achieve this by running the backup software from the cluster node that owns the disk resource, or by running a backup against the clustered resource over the network.

• The Cluster service keeps track of which cluster configuration is the most recent, and it replicates that configuration to all cluster nodes. If the cluster has a witness disk, the Cluster service also replicates the configuration to the witness disk.

Restoring a Cluster
There are two types of restore:

• Non-authoritative restore. Use a non-authoritative restore when a single node in the cluster is damaged or rebuilt, and the rest of the cluster is operating correctly. Perform a non-authoritative restore by restoring the system recovery (system state) information to the damaged node. When you restart that node, it will join the cluster and receive the latest cluster configuration automatically.

• Authoritative restore. Use an authoritative restore when the cluster configuration must be rolled back to a previous point in time. For example, you would use an authoritative restore if an administrator accidentally removed clustered resources or modified other cluster settings. Perform the authoritative restore by stopping the cluster resource on each node, and then performing a system recovery (system state) on a single node by using the command-line Windows Server Backup interface. After the restored node restarts the cluster service, the remaining cluster nodes can also start the cluster service.
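The backup and the two restore procedures described above, scripted with Windows Server Backup's command-line interface (wbadmin) and the FailoverClusters cmdlets, as an added example that is not part of the course material. It assumes Cluster1, a backup target volume E: on the node where it runs, and a version identifier placeholder that you take from the output of wbadmin get versions; the quorum check before the backup is my own pre-condition test and not part of wbadmin.

```powershell
# Added example (not from the course): back up the cluster configuration
# from a node of Cluster1 and show the two restore paths. E: and
# <VersionIdentifier> are placeholders.
Import-Module FailoverClusters
$clusterName = 'Cluster1'

# Windows Server Backup is a feature and must be installed first.
Install-WindowsFeature -Name Windows-Server-Backup | Out-Null

# A backup only succeeds while the cluster has quorum. As a simple
# pre-check, require the core resources (cluster name and IP address in the
# "Cluster Group") to be online before starting.
$core = Get-ClusterResource -Cluster $clusterName |
    Where-Object { $_.OwnerGroup.Name -eq 'Cluster Group' }
if ($core | Where-Object { $_.State -ne 'Online' }) {
    throw 'Cluster core resources are not all online; the cluster may not have quorum.'
}

# System state on a cluster node includes the cluster database.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# List the stored backups; the version identifier is needed for recovery.
wbadmin get versions -backupTarget:E:

# Non-authoritative restore (one damaged node): restore system state on that
# node and restart it. It rejoins and receives the current configuration.
#   wbadmin start systemstaterecovery -version:<VersionIdentifier> -backupTarget:E: -quiet
#   Restart-Computer

# Authoritative restore (roll the whole cluster back): stop the Cluster
# service on every node, recover the Cluster item on one node only, then
# start that node first so the others take its (older) configuration.
#   Get-ClusterNode -Cluster $clusterName | ForEach-Object { Stop-ClusterNode -Cluster $clusterName -Name $_.Name }
#   wbadmin start recovery -version:<VersionIdentifier> -itemType:App -items:Cluster -backupTarget:E:
#   Start-ClusterNode -Name 'LON-SVR3'     # the restored node
#   Start-ClusterNode -Name 'LON-SVR4'     # the remaining nodes afterwards
```

The order in the authoritative case matters: if another node's Cluster service is still running when the restored node starts, the restored node would receive that node's newer configuration and the rollback would be lost, which is why the text has you stop the service on each node first.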

Troubleshooting Failover Clusters
Although the cluster validation implemented in Windows Server 2012 Failover Clustering prevents misconfigurations and non-working clusters, in some cases you have to perform cluster troubleshooting.

To troubleshoot a failover cluster, follow these guidelines:

• Use the Validate a Configuration Wizard to highlight configuration issues that might cause cluster problems.

• Review cluster events and trace logs to identify application or hardware issues that might cause an unstable cluster.

• Review hardware events and logs to help pinpoint specific hardware components that might cause an unstable cluster.

• Review SAN components, switches, adapters, and storage controllers to help identify any potential problems.

When troubleshooting failover clusters, you must:

• Identify the perceived problem by collecting and documenting the symptoms of the problem.

• Identify the scope of the problem so that you can understand what is being affected by the problem, and what impact that effect has on the application and the clients.

• Collect information so that you can accurately understand and pinpoint the possible problem. After you identify a list of possible problems, you can prioritize them by probability, or by the impact of a repair. If the problem cannot be pinpointed, you should attempt to re-create the problem.

• Create a schedule for repairing the problem. For example, if the problem only affects a small subset of users, you can delay the repair to an off-peak time so that you can schedule downtime.

• Complete and test each repair one at a time so that you can identify the fix.

To troubleshoot SAN issues, start by checking physical connections and each of the hardware component logs. Additionally, run the Validate a Configuration Wizard to verify that the current cluster configuration is still supportable. When you run the Validate a Configuration Wizard, ensure that the storage tests that you select can be run on an online failover cluster. Several of the storage tests cause loss of service on the clustered disk when the tests are run.

Troubleshooting Group and Resource Failures
To troubleshoot group and resource failures:

• Use the Dependency Viewer in the Failover Cluster Management snap-in to identify dependent resources.

• Check the Event Viewer and trace logs for errors from the dependent resources.

• Determine whether the problem only happens on a specific node, or nodes, by trying to re-create the problem on different nodes.
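The three checks listed above, scripted for the AdatumFS role on Cluster1, as an added example that is not part of the course material. It assumes the cluster, role and node names from the earlier demonstrations and remote event log access to the nodes; the dependency listing uses Get-ClusterResourceDependency, which returns the same dependency expression the Dependency Viewer draws.

```powershell
# Added example (not from the course): triage a failing clustered role.
Import-Module FailoverClusters
$clusterName = 'Cluster1'
$roleName    = 'AdatumFS'

# 1. Identify the dependency chain and any resource that is not online.
$resources = Get-ClusterResource -Cluster $clusterName |
    Where-Object { $_.OwnerGroup.Name -eq $roleName }
foreach ($res in $resources) {
    $dep = Get-ClusterResourceDependency -Cluster $clusterName -Resource $res.Name
    '{0,-28} {1,-10} depends on: {2}' -f $res.Name, $res.State, $dep.DependencyExpression
}
$broken = $resources | Where-Object { $_.State -in 'Failed', 'Offline' }

# 2. Pull recent Error/Warning events that mention the failed resources from
#    the owner node's FailoverClustering Operational log. A failed disk
#    usually shows up here before the dependent file share does.
$owner = (Get-ClusterGroup -Cluster $clusterName -Name $roleName).OwnerNode.Name
$events = Get-WinEvent -ComputerName $owner -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-FailoverClustering/Operational'
    Level   = 1, 2, 3
    StartTime = (Get-Date).AddHours(-24)
}
foreach ($res in $broken) {
    $events | Where-Object { $_.Message -like "*$($res.Name)*" } |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
}

# 3. Determine whether the failure follows the role or stays with one node
#    by moving the role to each node in turn and recording the outcome.
$results = foreach ($node in (Get-ClusterNode -Cluster $clusterName).Name) {
    $g = Move-ClusterGroup -Cluster $clusterName -Name $roleName -Node $node -ErrorAction SilentlyContinue
    [pscustomobject]@{ Node = $node; State = if ($g) { $g.State } else { 'MoveFailed' } }
}
$results | Format-Table -AutoSize
```

If step 3 shows the role online on every node but the same resource keeps failing, the cause is in the resource or what it depends on (for example the disk) rather than in a node; if it fails on one node only, compare that node's installed roles, updates and adapter settings with the others, since the requirements topics earlier in the module make identical node configuration a precondition.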

What Is Cluster-Aware Updating?
Applying operating system updates to nodes in a cluster requires special attention. If you want to provide zero downtime for a clustered role, you must manually update cluster nodes one after another, and you must manually move resources from the node being updated to another node. This procedure can be very time-consuming. In Windows Server 2012, Microsoft has implemented a new feature for automatic update of cluster nodes.

Cluster-Aware Updating (CAU) is a feature that lets administrators automatically update cluster nodes with little or no loss in availability during the update process. During an update procedure, CAU transparently takes each cluster node offline, installs the updates and any dependent updates, performs a restart if necessary, brings the node back online, and then moves on to update the next node in the cluster.

For many clustered roles, this automatic update process triggers a planned failover, and it can cause a transient service interruption for connected clients. However, for continuously available workloads in Windows Server 2012, such as Hyper-V with live migration or a file server with SMB Transparent Failover, CAU can orchestrate cluster updates with no effect on the service availability.

Cluster Updating Modes


CAU can orchestrate the complete cluster updating operation in two modes:

• Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or
Windows 8 is configured as an orchestrator. To configure a computer as a CAU
orchestrator, you must install Failover Clustering administrative tools on it. The orchestrator computer
is not a member of the cluster that is updated during the procedure. From the orchestrator computer,
the administrator triggers on-demand updating by using a default or custom Updating Run profile.
Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for
clusters that are running on Server Core installations of Windows Server 2012.

• Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover
cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does
not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a
default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process
starts on the node that currently owns the CAU clustered role, and the process sequentially performs
updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by
using a fully automated, end-to-end updating process. An administrator can also trigger updates on-
demand in this mode, or use the remote-updating approach if desired. In the self-updating mode, an
administrator can access summary information about an Updating Run in progress by connecting to
the cluster and running the Get-CauRun Windows PowerShell cmdlet.

To use CAU, you must install the Failover Clustering feature in Windows Server 2012 and create a failover
cluster. The components that support CAU functionality are automatically installed on each cluster node.

You must also install the CAU tools, which are included in the Failover Clustering Tools (which are also
part of the Remote Server Administration Tools, or RSAT). The CAU tools consist of the CAU UI and the
CAU Windows PowerShell cmdlets. The Failover Clustering Tools are installed by default on each cluster
node when you install the Failover Clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8 and that has network connectivity
to the failover cluster.

Demonstration: Configuring Cluster-Aware Updating


Demonstration Steps
1. Make sure that the cluster is configured and running on LON-SVR3 and LON-SVR4.

2. Add the Failover Clustering Feature to LON-DC1.

3. Run Cluster-Aware Updating on LON-DC1 and configure it to connect to Cluster1.

4. Preview updates that are available for nodes LON-SVR3 and LON-SVR4.

5. Review available options for the Updating Run Profile.


6. Apply available updates to Cluster1 from LON-DC1.

7. After updates are applied, configure Cluster self-updating options on LON-SVR3.
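The demonstration steps above, carried out with the CAU Windows PowerShell cmdlets, as an added example that is not part of the course material. It assumes it is run on LON-DC1 as the remote-updating orchestrator against Cluster1 (nodes LON-SVR3 and LON-SVR4), that the nodes can reach a Windows Update source, and that the self-updating schedule (Sundays at 03:00, every week) and the Updating Run settings are my choices rather than values from the course.

```powershell
# Added example (not from the course): preview, run, and schedule cluster
# updates with CAU from an orchestrator that is not a cluster member.
$clusterName = 'Cluster1'

# Step 2: the CAU tools ship with the Failover Clustering tools (RSAT).
Install-WindowsFeature -Name RSAT-Clustering -IncludeAllSubFeature | Out-Null

# Step 3: check that the cluster is ready for CAU (firewall rules for
# remote shutdown, PowerShell remoting, proxy settings) before the first run.
Test-CauSetup -ClusterName $clusterName

# Step 4: preview the updates each node would receive, without installing.
Invoke-CauScan -ClusterName $clusterName -CauPluginName Microsoft.WindowsUpdatePlugin |
    Format-Table NodeName, UpdateTitle -AutoSize -Wrap

# Steps 5 and 6: an on-demand Updating Run. These parameters are the
# Updating Run profile settings: stop the run if any node fails, retry each
# node up to three times, and require every node to be online at the start.
Invoke-CauRun -ClusterName $clusterName -CauPluginName Microsoft.WindowsUpdatePlugin `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force

# Progress of a run in either mode can be read from any computer that can
# connect to the cluster.
Get-CauRun -ClusterName $clusterName

# Step 7: self-updating mode. The CAU clustered role is added to the cluster
# itself and runs on whichever node owns it at the scheduled time.
# Schedule is an assumption: Sundays in every week of the month at 03:00.
Add-CauClusterRole -ClusterName $clusterName -DaysOfWeek Sunday -WeeksOfMonth 1, 2, 3, 4, 5 `
    -StartDate '01/06/2013 03:00' -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -EnableFirewallRules -Force
Get-CauClusterRole -ClusterName $clusterName
```

Setting MaxFailedNodes to 0 is the conservative choice for a two-node cluster: the run stops at the first node that fails to update or restart, so the cluster is never left with both nodes in an unknown state.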



Lesson 5
Implementing a Multi-Site Failover Cluster
In some scenarios, you have to deploy cluster nodes on different sites. Usually, you do this when you build disaster-recovery solutions. In this lesson, you will learn about deploying multi-site clusters.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe a multi-site cluster.

• Describe synchronous and asynchronous replication.

• Describe how to choose a quorum mode for multi-site clusters.

• Describe the challenges for implementing multi-site clusters.

• Describe the considerations for deploying multi-site clusters.

What Is a Multi-Site Cluster?
A multi-site cluster provides highly-available services in more than one location. Multi-site clusters can
solve several specific problems. However, they also present specific challenges.

In a multi-site cluster, each site usually has a separate storage system with replication between the sites.
Multi-site cluster storage replication enables each site to be independent, and provides fast access to the
local disk. With separate storage systems, you cannot share a single disk between sites.

A multi-site cluster has three main advantages in a failover site compared to a remote server:

• When a site fails, a multi-site cluster automatically fails over the clustered service or application to
another site.
• Because the cluster configuration is automatically replicated to each cluster node in a multi-site
cluster, there is less administrative overhead than a cold standby server, which requires you to
manually replicate changes.
• The automated processes in a multi-site cluster reduce the possibility of human error, which is present
in manual processes.

Because of the increased cost and complexity of a multi-site failover cluster, it might not be an ideal solution
for every application or business. When you are considering whether to deploy a multi-site cluster, you
should evaluate the importance of the applications to the business, the type of applications, and any
alternative solutions. Some applications can provide multi-site redundancy easily with log shipping or
other processes, and can still achieve sufficient availability with only a modest increase in cost and
complexity.

The complexity of a multi-site cluster requires better architectural and hardware planning. It also requires
you to develop business processes to routinely test the cluster functionality.

Synchronous and Asynchronous Replication
It is not possible for a geographically-dispersed failover cluster to use shared storage between physical
locations. Wide area network (WAN) links are too slow and have too much latency to support shared
storage. Geographically-dispersed failover clusters must synchronize data between locations by using
specialized hardware. Multi-site data replication can be either synchronous or asynchronous:

• When you use synchronous replication, the host receives a "write complete" response from the
primary storage after the data is written successfully on both storage systems. If the data is not written
successfully to both storage systems, the application must attempt to write to the disk again. With
synchronous replication, both storage systems are identical.

• When you use asynchronous replication, the node receives a write complete response from the
storage after the data is written successfully on the primary storage. The data is written to the
secondary storage on a different schedule, depending on the hardware or software vendor's
implementation. Asynchronous replication can be storage-based, host-based, or even application-
based. However, not all forms of asynchronous replication are sufficient for a multi-site cluster. For
example, Distributed File System Replication (DFS-R) provides file-level asynchronous replication.
However, it does not support multi-site Failover Clustering replication. This is because DFS-R
replicates smaller documents that are not held open continuously. Therefore, it was not designed for
high-speed, open-file replication.

When to Use Synchronous or Asynchronous Replication
Use synchronous replication when data loss cannot be tolerated. Synchronous replication solutions
require low disk write latency, because the application waits for both storage solutions to acknowledge
the data writes. The requirement for low latency disk writes also limits the distance between the storage
systems because increased distance can cause higher latency. If the disk latency is high, the performance
and even the stability of the application can be affected.

Asynchronous replication overcomes latency and distance limitations by acknowledging local disk writes
only, and by reproducing the disk write on the remote storage system in a separate transaction. Because
asynchronous replication writes to the remote storage system after it writes to the local storage system,
the possibility of data loss during a failure is increased.

Choosing a Quorum Mode for Multi-Site Clusters
For a geographically-dispersed cluster, you cannot use quorum configurations that require a shared
disk, because geographically-dispersed clusters do not use shared disks. Both the Node and Disk
Majority, and No Majority: Disk Only quorum modes require a shared witness disk to provide a
vote for determining quorum. You should only use these two quorum modes if the hardware
vendor specifically recommends and supports them.

To use the Node and Disk Majority and No Majority: Disk Only modes in a multi-site cluster,
the shared disk requires that:

• You preserve the semantics of the SCSI commands across the sites, even if a complete communication
failure occurs between sites.
• You replicate the witness disk in real-time synchronous mode across all sites.

Because multi-site clusters can have WAN failures in addition to node and local network failures, Node
Majority and Node and File Share Majority are better solutions for multi-site clusters. If there is a WAN
failure that causes the primary and secondary sites to lose communication, a majority must still be
available to continue operations.

If there are an odd number of nodes, then use the Node Majority quorum. If there is an even number of
nodes, which is typical in a geographically-dispersed cluster, you can use the Node Majority with File
Share quorum.

If you are using Node Majority and the sites lose communication, you need a mechanism to determine
which nodes stay up, and which nodes drop out of cluster membership. The second site requires another
vote to obtain quorum after a failure. To obtain another vote for quorum, you must join another node to
the cluster, or create a file share witness.

The Node and File Share Majority mode can help maintain quorum without adding another node to the
cluster. To provide for a single-site failure and enable automatic failover, the file share witness might have
to exist at a third site. In a multi-site cluster, a single server can host the file share witness. However, you
must create a separate file share for each cluster.

You must use three locations to enable automatic failover of a highly-available service or application.
Locate one node in the primary location that runs the highly-available service or application. Locate a
second node in a disaster-recovery site, and locate the third node for the file share witness in another
location.

There must be direct network connectivity between all three locations. In this manner, if one site becomes
unavailable, the two remaining sites can still communicate and have enough nodes for a quorum.

Note: In Windows Server 2008 R2, administrators could configure the quorum to include
nodes. However, if the quorum configuration included nodes, all nodes were treated equally
according to their votes. In Windows Server 2012, cluster quorum settings can be adjusted so
that when the cluster determines whether it has quorum, some nodes have a vote and some do
not. This adjustment can be useful when solutions are implemented across multiple sites.
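The following Windows PowerShell script is an added example, not part of the course text, showing how the two choices this topic describes are applied on a Windows Server 2012 cluster: switching the quorum to Node and File Share Majority with a witness share at a third location, and removing the vote from a node, which is the adjustment the Note above refers to. It assumes a cluster named Cluster1, a node named LON-SVR4 at the disaster-recovery site, and an existing share \\LON-DC1\Witness; all three names are placeholders for the example.

```powershell
# Added example (not from the course): Node and File Share Majority quorum and
# per-node votes on a Windows Server 2012 multi-site cluster.
# Assumptions (placeholders): cluster Cluster1, DR-site node LON-SVR4, witness
# share \\LON-DC1\Witness that already exists and that the cluster name
# account can write to. Use one dedicated share per cluster.
Import-Module FailoverClusters

$clusterName  = 'Cluster1'
$witnessShare = '\\LON-DC1\Witness'
$drNodeName   = 'LON-SVR4'

# Record the quorum configuration before changing it, so the change can be
# reviewed and reverted if needed.
Get-ClusterQuorum -Cluster $clusterName |
    Format-List Cluster, QuorumType, QuorumResource

# Node and File Share Majority: the share supplies the extra vote that an even
# number of nodes needs when the WAN link between the sites fails.
Set-ClusterQuorum -Cluster $clusterName -NodeAndFileShareMajority $witnessShare

# Windows Server 2012 allows a node to be excluded from the vote. Taking the
# vote away from the disaster-recovery node means that the DR site can never
# outvote the primary site on its own. Whether this is the right design depends
# on how many nodes each site has; verify the resulting vote count below.
$drNode = Get-ClusterNode -Cluster $clusterName -Name $drNodeName
$drNode.NodeWeight = 0

# Show the distribution of votes after the change.
Get-ClusterNode -Cluster $clusterName |
    Format-Table Name, State, NodeWeight -AutoSize

Get-ClusterQuorum -Cluster $clusterName |
    Format-List QuorumType, QuorumResource
```

The script changes quorum settings on a live cluster; run it from an account that is a cluster administrator, during a maintenance window, and keep the output of the first Get-ClusterQuorum call as the rollback reference.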

Challenges for Implementing a Multi-Site Cluster
Implementation of multi-site clusters is more complex than implementation of single-site clusters, and
can also present several challenges to the administrator. The most important challenges when you
implement multi-site clusters are related to storage and network.

In a multi-site cluster, there is no shared storage that the cluster node uses. This means that nodes on
each site must have their own storage instance. On the other hand, Failover Clustering does not include
any built-in functionality to replicate data between sites. There are three options for replicating data:
block-level hardware-based replication, software-based file replication installed on the host, or
application-based replication.

Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does
not acknowledge data changes that are made in, for example, Site A until the data is successfully written
to Site B. With asynchronous replication, data changes that are made in Site A are eventually written to
Site B.
When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not
find any shared storage, and will therefore not run. However, you can still create a cluster. If you follow
the hardware manufacturer's recommendations for Windows Server Failover Clustering hardware,
Microsoft will support the solution.

Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered
application or service to change its IP address based on the IP subnet. DNS updates the clustered
application's DNS record so that clients can locate the IP address change. Because clients rely on DNS to
find a service or application after a failover, you might have to adjust the DNS records' Time to Live, and
the speed at which DNS data is replicated. Additionally, when cluster nodes are in multiple sites, network
latency might require you to modify the inter-node communication (heartbeat) delay and time-out
thresholds.
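The two tunable settings the last paragraph names, the heartbeat delay and threshold and the DNS Time to Live of a clustered name, are exposed as cluster and resource properties. The following Windows PowerShell script is an added example, not part of the course text, that reads and changes them. It assumes a cluster named Cluster1 and a clustered role named AdatumFS; the new values are placeholders chosen to illustrate the change, not recommended settings.

```powershell
# Added example (not from the course): heartbeat and DNS TTL tuning for nodes in
# different sites. Assumptions (placeholders): cluster Cluster1, role AdatumFS;
# the numeric values below are illustrative only.
Import-Module FailoverClusters

$clusterName = 'Cluster1'
$roleName    = 'AdatumFS'

$cluster = Get-Cluster -Name $clusterName

# Delay = interval between heartbeats in milliseconds; Threshold = number of
# missed heartbeats before the cluster considers the node unreachable.
$cluster | Format-List SameSubnetDelay, SameSubnetThreshold,
                       CrossSubnetDelay, CrossSubnetThreshold

# Relax only the cross-subnet values, which govern heartbeats over the WAN link.
# Raising them makes the cluster tolerate latency but also slows failure detection.
$cluster.CrossSubnetDelay     = 2000   # placeholder value, milliseconds
$cluster.CrossSubnetThreshold = 10     # placeholder value, missed heartbeats

# The role's Network Name resource owns the DNS record. A shorter HostRecordTTL
# lets clients pick up the new address sooner after a cross-subnet failover.
$netName = Get-ClusterGroup -Cluster $clusterName -Name $roleName |
    Get-ClusterResource |
    Where-Object { $_.ResourceType.Name -eq 'Network Name' }

$netName | Get-ClusterParameter -Name HostRecordTTL
$netName | Set-ClusterParameter -Name HostRecordTTL -Value 300   # placeholder, seconds

# RegisterAllProvidersIP controls whether every site's IP address is registered
# in DNS at once (1) or only the current one (0); show it so it is reviewed too.
$netName | Get-ClusterParameter -Name RegisterAllProvidersIP

# A network name parameter takes effect when the resource is restarted; restart
# the whole role so that its dependent resources come back online as well.
Stop-ClusterGroup  -Cluster $clusterName -Name $roleName | Out-Null
Start-ClusterGroup -Cluster $clusterName -Name $roleName
```

Restarting the role is a brief outage for its clients, so schedule the last two commands the same way as any other planned failover.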

Deploying Considerations for a Multi-Site Cluster
Multi-site clusters are not appropriate for every application or every business. When you design a
multi-site solution with a hardware vendor, clearly identify the business requirements and expectations.
Not every scenario that involves more than one location is appropriate for a multi-site cluster.

Multi-site clustering is a high-availability strategy that primarily focuses on hardware platform
availability. However, specific multi-site cluster configuration and deployment have availability
ramifications, ranging from the ability of users to connect to the application to the quality of
performance of the application. Multi-site clustering can be a powerful solution in dealing with planned
and unplanned downtime, but its benefits must be examined against all the dimensions of application
availability.

Multi-site clusters require more overhead than local clusters. Unlike a local cluster, in which each node
of the cluster is attached to the same mass storage device, each site of a multi-site cluster must have
comparable storage. In addition, you will also have to engage vendors to set up your data replication
schemes between cluster sites, possibly pay for additional network bandwidth between sites, and develop
the management resources within your organization to efficiently administer your multi-site cluster.
Additionally, carefully consider the quorum mode that you will use, and the location of the available
cluster votes.

Lab: Implementing Failover Clustering


Scenario
As A. Datum’s business grows, it is becoming increasingly important that many of the applications and
services on the network are available at all times. A. Datum has many services and applications that have
to be available to internal and external users who work in different time zones around the world. Many of
these applications cannot be made highly available by using Network Load Balancing. Therefore, you have
to use a different technology to make these applications highly available.
As one of the senior network administrators at A. Datum, you will be responsible for implementing
Failover Clustering on the Windows Server 2012 servers in order to provide high availability for network
services and applications. You will also be responsible for planning the Failover Cluster configuration, and
deploying applications and services on the Failover Cluster.

Objectives
After completing this lab, you will be able to:
• Configure a failover cluster.

• Deploy and configure a highly-available file server.

• Validate the deployment of the highly-available file server.


• Configure Cluster-Aware Updating on the failover cluster.

Lab Setup

Estimated time: 90 minutes

Virtual Machine(s)   20417A-LON-DC1
                     20417A-LON-SVR1
                     20417A-LON-SVR3
                     20417A-LON-SVR4

User Name            Adatum\Administrator

Password             Pa$$w0rd

Virtual Machine(s)   MSL-TMG1

User Name            Administrator

Password             Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR3, and 20417A-LON-SVR4.

6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.

Exercise 1: Configuring a Failover Cluster


Scenario
A. Datum has important applications and services that they want to make highly available. Some of these
services cannot use Network Load Balancing. Therefore, you decided to implement Failover clustering.
Because iSCSI storage is set up, you decided to use the iSCSI storage for Failover Clustering. First, you will
implement the core components for Failover Clustering, validate the cluster, and then create the failover
cluster.

The main tasks for this exercise are as follows:


1. Connect clients to the iSCSI targets.

2. Install the Failover Clustering feature.

3. Validate the servers for Failover Clustering.

4. Create the Failover Cluster.

X Task 1: Connect clients to the iSCSI targets


1. On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with IP address 172.16.0.21.

2. Connect to the discovered target in the Targets list.


3. Repeat steps 1 and 2 on LON-SVR4.

4. Open Disk Management on LON-SVR3.

5. Bring online and initialize the three new disks.


6. Make a simple volume on each disk and format it with NTFS.

7. On LON-SVR4, open Disk Management, and bring online and initialize the three new disks.

X Task 2: Install the Failover Clustering feature


1. On LON-SVR3, install the Failover Clustering feature by using Server Manager.

2. On LON-SVR4, install the Failover Clustering feature by using Server Manager.

X Task 3: Validate the servers for Failover Clustering


1. On LON-SVR3, open the Failover Cluster Manager console.

2. Start the Validate a Configuration Wizard.


3. Use LON-SVR3 and LON-SVR4 as nodes for test.

4. Review report.

X Task 4: Create the Failover Cluster


1. On LON-SVR3, in the Failover Cluster Manager, start the Create Cluster Wizard.

2. Use LON-SVR3 and LON-SVR4 as cluster nodes.



3. Specify Cluster1 as the Access Point name.

4. Specify the IP address as 172.16.0.125.

Results: After this exercise, you will have installed and configured the Failover Clustering feature.
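The four tasks of this exercise can also be performed with Windows PowerShell, which is listed under Tools at the end of the module. The following script is an added example, not part of the lab instructions, that carries out the same steps from LON-SVR3 with the values the lab uses: nodes LON-SVR3 and LON-SVR4, the iSCSI portal at 172.16.0.21, and cluster Cluster1 at 172.16.0.125. It assumes the account running it is an administrator on both nodes and that PowerShell remoting is enabled on them (the Windows Server 2012 default).

```powershell
# Added example (not part of the lab): Exercise 1 with Windows PowerShell.
# Assumptions: run on LON-SVR3 as Adatum\Administrator; remoting is enabled on
# both nodes; the iSCSI target already exposes three disks.
$nodes     = 'LON-SVR3', 'LON-SVR4'
$portal    = '172.16.0.21'
$clusterIP = '172.16.0.125'

# Task 1: connect both nodes to the iSCSI target. -IsPersistent makes the session
# reconnect after a reboot, which the cluster depends on.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    if (-not (Get-IscsiTargetPortal -TargetPortalAddress $using:portal -ErrorAction SilentlyContinue)) {
        New-IscsiTargetPortal -TargetPortalAddress $using:portal | Out-Null
    }
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
}

# On the first node: bring the new disks online, initialize them and format one
# NTFS volume per disk. The second node only needs the disks online; they are
# already initialized by then and the cluster arbitrates ownership.
Invoke-Command -ComputerName $nodes[0] -ScriptBlock {
    $newDisks = Get-Disk | Where-Object { $_.OperationalStatus -eq 'Offline' }
    foreach ($d in $newDisks) {
        Set-Disk -Number $d.Number -IsOffline $false
        Set-Disk -Number $d.Number -IsReadOnly $false
        Initialize-Disk -Number $d.Number -PartitionStyle MBR
        New-Partition -DiskNumber $d.Number -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -Confirm:$false | Out-Null
    }
}
Invoke-Command -ComputerName $nodes[1] -ScriptBlock {
    Get-Disk | Where-Object { $_.OperationalStatus -eq 'Offline' } |
        ForEach-Object { Set-Disk -Number $_.Number -IsOffline $false }
}

# Task 2: the Failover Clustering feature and its management tools on both nodes.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
}

# Task 3: validate. Test-Cluster returns the HTML report file; open it and read it
# before going on, exactly as the wizard asks you to.
Import-Module FailoverClusters
$report = Test-Cluster -Node $nodes
Invoke-Item -Path $report.FullName

# Task 4: create the cluster with the access point name and static address.
New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress $clusterIP
Get-Cluster -Name 'Cluster1' | Get-ClusterNode
```

New-Cluster runs the same checks the wizard does and creates the cluster computer object in Active Directory, so the account needs permission to create computer objects in the container where the nodes reside.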

Exercise 2: Deploying and Configuring a Highly-Available File Server


Scenario
In A. Datum, File Services is one of the important services that must be highly available. After you have
created a cluster infrastructure, you decided to configure a highly-available file server and implement
settings for failover and failback.

The main tasks for this exercise are as follows:

1. Add the File Server application to the failover cluster.

2. Add a shared folder to a highly-available file server.

3. Configure failover and failback settings.

X Task 1: Add the File Server application to the failover cluster


1. Add the File Server role service to LON-SVR3 and LON-SVR4.
2. On LON-SVR3, open the Failover Cluster Manager console.

3. In the Storage node, click Disks and verify that three cluster disks are online.

4. Add File Server as a cluster role.


5. Specify AdatumFS as Client Access Name.

6. Specify 172.16.0.130 as the IP address for the cluster role.

7. Select Cluster Disk 2 as the storage disk for AdatumFS role.

X Task 2: Add a shared folder to a highly-available file server


1. On LON-SVR4, open Failover Cluster Manager.

2. Start the New Share Wizard and add a new shared folder to the AdatumFS cluster role.

3. Specify the File share profile as SMB Share – Quick.

4. Name the shared folder as Docs.

X Task 3: Configure failover and failback settings


1. On LON-SVR4, in the Failover Cluster Manager, open the Properties for the AdatumFS cluster role.

2. Enable failback between 4 and 5 hours.


3. Select both LON-SVR3 and LON-SVR4 as the preferred owners.

4. Move LON-SVR4 to be first in the Preferred Owners list.

Results: After this exercise, you will have configured a highly-available file server.
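The same three tasks expressed in Windows PowerShell, as an added example that is not part of the lab instructions. It assumes the cluster from Exercise 1, an available disk named Cluster Disk 2, the role name AdatumFS at 172.16.0.130, and a drive letter for the clustered disk that you read from Get-Volume on the owner node (the letter F: below is a placeholder). The share permissions are an assumption for the example; the wizard's SMB Share - Quick profile applies its own defaults.

```powershell
# Added example (not part of the lab): Exercise 2 with Windows PowerShell.
# Assumptions (placeholders): cluster Cluster1 with nodes LON-SVR3 and LON-SVR4,
# disk resource "Cluster Disk 2", role AdatumFS at 172.16.0.130, and drive letter
# F: for the clustered disk. Run on LON-SVR3 as Adatum\Administrator.
Import-Module FailoverClusters

$nodes    = 'LON-SVR3', 'LON-SVR4'
$roleName = 'AdatumFS'

# Task 1: the File Server role service on every node that may own the role, then
# the clustered role itself on Cluster Disk 2.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name FS-FileServer
}

# Confirm the three cluster disks are online before handing one to the role.
Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
    Format-Table Name, State, OwnerGroup -AutoSize

Add-ClusterFileServerRole -Name $roleName -Storage 'Cluster Disk 2' `
    -StaticAddress '172.16.0.130'

# Task 2: the Docs share. -ScopeName ties the share to the AdatumFS network name,
# so it moves with the role; it must be created on the node that owns the role.
$owner     = (Get-ClusterGroup -Name $roleName).OwnerNode.Name
$sharePath = 'F:\Docs'   # placeholder: check the letter with Get-Volume on $owner
Invoke-Command -ComputerName $owner -ScriptBlock {
    New-Item -Path $using:sharePath -ItemType Directory -Force | Out-Null
    New-SmbShare -Name 'Docs' -Path $using:sharePath -ScopeName $using:roleName `
        -FullAccess 'Adatum\Domain Admins' -ChangeAccess 'Adatum\Domain Users'
}

# Task 3: preferred owners (list order is the preference order, LON-SVR4 first)
# and failback allowed only between 04:00 and 05:00.
Set-ClusterOwnerNode -Group $roleName -Owners 'LON-SVR4', 'LON-SVR3'

$group = Get-ClusterGroup -Name $roleName
$group.AutoFailbackType    = 1   # 0 = prevent failback, 1 = allow failback
$group.FailbackWindowStart = 4   # hour of day (0-23) when failback may start
$group.FailbackWindowEnd   = 5   # hour of day when the window closes

Get-ClusterOwnerNode -Group $roleName
$group | Format-List Name, OwnerNode, AutoFailbackType,
                     FailbackWindowStart, FailbackWindowEnd
```

Restricting failback to a window keeps the role from bouncing back to the preferred node in business hours immediately after it recovers, which is the reason the lab asks for the 4 to 5 hour setting.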

Exercise 3: Validate the Deployment of the Highly-Available File Server


Scenario
In the process of implementing failover cluster, you want to perform failover and failback tests.

The main tasks for this exercise are as follows:

1. Validate the highly-available file server deployment.

2. Validate the failover and quorum configuration for the File Server role.

X Task 1: Validate the highly-available file server deployment


1. On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure
that you can access the Docs folder.

2. Create a test text document inside this folder.

3. On LON-SVR3, in the Failover Cluster Manager, move AdatumFS to the second node.
4. On LON-DC1, in Windows Explorer, verify that you can still access \\AdatumFS\ location.

X Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, determine the current owner for the AdatumFS role.

2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to another node and that the \\AdatumFS\ location is still
available.

4. Start the Cluster service on the node in which you stopped it in step 2.

5. Browse to the Disks node, and take the disk witness offline.

6. Verify that AdatumFS is still available.

7. Bring the disk witness online.

Results: After this exercise, you will have tested the failover scenarios.
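The failover tests in this exercise are easier to repeat, and to keep as a runbook, when each step also checks that the share is still reachable. The following script is an added example, not part of the lab instructions. It assumes the AdatumFS role and Docs share from Exercise 2, runs from LON-DC1 as an account that can both reach the share and administer Cluster1, and uses a 15-second wait after the unplanned failover that is a placeholder value.

```powershell
# Added example (not part of the lab): Exercise 3 scripted. Assumptions: cluster
# Cluster1, role AdatumFS, share \\AdatumFS\Docs; run from LON-DC1 as
# Adatum\Administrator.
Import-Module FailoverClusters

$clusterName = 'Cluster1'
$roleName    = 'AdatumFS'
$share       = '\\AdatumFS\Docs'

function Test-ShareReachable {
    param([string]$Step)
    $ok = Test-Path -Path $share
    '{0,-50} share reachable: {1}' -f $Step, $ok
    if (-not $ok) { Write-Warning "$Step - $share is not available" }
}

function Get-RoleOwner {
    (Get-ClusterGroup -Cluster $clusterName -Name $roleName).OwnerNode.Name
}

# Task 1: write a test file, move the role to the other node, read the file again.
Set-Content -Path "$share\test.txt" -Value "written $(Get-Date -Format o)"
$owner = Get-RoleOwner
$other = Get-ClusterNode -Cluster $clusterName |
         Where-Object { $_.Name -ne $owner } |
         Select-Object -First 1 -ExpandProperty Name
Move-ClusterGroup -Cluster $clusterName -Name $roleName -Node $other | Out-Null
Test-ShareReachable "after planned move to $other"
Get-Content -Path "$share\test.txt"

# Task 2: unplanned failover. Stopping the Cluster service on the owner forces
# the role to restart on the surviving node.
$owner = Get-RoleOwner
Stop-ClusterNode -Cluster $clusterName -Name $owner | Out-Null
Start-Sleep -Seconds 15   # placeholder: allow the role to come online elsewhere
Test-ShareReachable "after stopping the Cluster service on $owner"
"Role is now owned by $(Get-RoleOwner)"
Start-ClusterNode -Cluster $clusterName -Name $owner | Out-Null

# Quorum check: with both nodes up, the cluster keeps quorum without the disk
# witness, so the role must stay available while the witness is offline.
$witness = (Get-ClusterQuorum -Cluster $clusterName).QuorumResource
Stop-ClusterResource -Cluster $clusterName -Name $witness.Name | Out-Null
Test-ShareReachable 'with the disk witness offline'
Start-ClusterResource -Cluster $clusterName -Name $witness.Name | Out-Null
Test-ShareReachable 'with the disk witness back online'
```

Each Test-ShareReachable line documents what was observed, so the output can be attached to the change record for the cluster.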

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster


Scenario
Earlier, implementing updates to servers with critical service was causing unwanted downtime. To enable
seamless and zero downtime cluster updating, you want to implement the Cluster-Aware Updating
feature and test updates for cluster nodes.

The main tasks for this exercise are as follows:

1. Configure Cluster-Aware Updating.

2. Update the failover cluster and configure self-updating.

X Task 1: Configure Cluster-Aware Updating


1. On LON-DC1, install the Failover Clustering feature.

2. From Server Manager, open Cluster-Aware Updating.

3. Connect to Cluster1.

4. Preview the updates available for nodes in Cluster1.



X Task 2: Update the failover cluster and configure self-updating


1. On LON-DC1, start the update process for Cluster1.

2. After the process is complete, configure self-updating for Cluster1, to be performed weekly, on
Sundays at 4A.M.

Results: After this exercise, you will have configured Cluster-Aware Updating.
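Cluster-Aware Updating has its own Windows PowerShell module, and the two tasks above map onto three of its cmdlets. The following script is an added example, not part of the lab instructions. It assumes Cluster1 exists, that LON-DC1 has the Failover Clustering feature installed (Task 1 of this exercise), and that the account may create the computer object the self-updating clustered role needs; the start date is a placeholder that only fixes the first run and the 4 A.M. time of day.

```powershell
# Added example (not part of the lab): Cluster-Aware Updating from LON-DC1.
# Assumptions: cluster Cluster1; run as Adatum\Administrator; the date in
# -StartDate is a placeholder.
Import-Module ClusterAwareUpdating

$clusterName = 'Cluster1'

# Task 1: preview the updates each node would receive; nothing is installed.
Invoke-CauScan -ClusterName $clusterName |
    Format-Table NodeName, UpdateId, UpdateTitle -AutoSize

# Task 2: one updating run now, driven from this machine (remote-updating mode).
# CAU drains one node at a time, installs, reboots if needed, and resumes it.
# -MaxFailedNodes 0 aborts the run at the first node that fails to update, so a
# bad update cannot take the whole cluster down.
Invoke-CauRun -ClusterName $clusterName -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -Force

# Self-updating: the cluster runs the same process itself every Sunday at 4 A.M.
Add-CauClusterRole -ClusterName $clusterName -Force -EnableFirewallRules `
    -DaysOfWeek Sunday -IntervalWeeks 1 `
    -StartDate '1/6/2013 4:00:00 AM' `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline

# Show the resulting schedule and options.
Get-CauClusterRole -ClusterName $clusterName
```

-EnableFirewallRules opens the inbound rules on the nodes that CAU needs for the remote restart; review those rules against your host firewall policy before enabling self-updating on a production cluster.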

X To prepare for next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR3, MSL-TMG1 and 20417A-LON-SVR4.

Module Review and Takeaways


Review Questions
Question: Why is using a Disk-Only quorum configuration generally not a good idea?

Question: What is the purpose of Cluster-Aware Updating?

Question: What is the main difference between synchronous and asynchronous replication
in a multi-site cluster scenario?

Question: What is an enhanced feature in multi-site clusters in Windows Server 2012?

Best Practices
• Try to avoid using a quorum model that depends only on a disk.

• Use Cluster Shared Volumes for Hyper-V high availability or a Scale-Out File Server.

• Perform regular backups of the cluster configuration.

• Be sure that, in case of one node failure, the other nodes can handle the load.

• Carefully plan multi-site clusters.

Common Issues and Troubleshooting Tips


Common Issue                                              Troubleshooting Tip

Cluster Validation wizard reports an error

Create Cluster wizard reports that not all
nodes support the desired clustered role

You can't create a Print Server cluster

Real-world Issues and Scenarios


Your organization is considering the use of a geographically-dispersed cluster that includes an alternative
data center. Your organization has only a single physical location together with an alternative data center.
Can you provide an automatic failover in this configuration?

Tools
The tools for implementing failover clustering include:

• Failover Cluster Manager console

• Cluster-Aware Updating console

• Windows PowerShell

• Server Manager
• iSCSI initiator

• Disk Management

Module 8
Implementing Hyper-V
Contents:
Module Overview 8-1

Lesson 1: Configuring Hyper-V Servers 8-2

Lesson 2: Configuring Hyper-V Storage 8-8

Lesson 3: Configuring Hyper-V Networking 8-16

Lesson 4: Configuring Hyper-V Virtual Machines 8-21

Lab: Implementing Server Virtualization with Hyper-V 8-27

Module Review and Takeaways 8-33

Module Overview
Although server virtualization was deployed rarely on corporate networks only a decade ago, today it is a
core networking technology. Server administrators must be able to distinguish which server workloads
might run effectively in virtual machines and which need to remain in a traditional, physical deployment.

This module introduces you to the new features of the Hyper-V® role, the components of the role, and
the best practices for deploying the role.

Objectives
After completing this module, you will be able to:
• Configure Hyper-V servers.

• Configure Hyper-V storage.

• Configure Hyper-V networking.

• Configure Hyper-V virtual machines.



Lesson 1
Configuring Hyper-V Servers
The Hyper-V role has undergone a substantial change in Windows Server® 2012. New features, such as
network utilization and Resource Metering, provide you with the ability to manage virtual machines
effectively with Hyper-V version 3.0. In this lesson, you will learn about the new features in Hyper-V, as
well as Hyper-V Integration Services and the factors that you need to consider when you are configuring
Hyper-V hosts.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the new features in Hyper-V 3.0.

• Describe the hardware requirements for Hyper-V 3.0.

• Configure Hyper-V settings.

• Describe Hyper-V Integration Services.

• Describe the best practices for configuring Hyper-V hosts.

What's New in Hyper-V 3.0?
The Hyper-V role first became available after the release of Windows Server 2008. New features
were added to the role, both in Windows Server 2008 R2 and Windows Server 2008 R2 Service
Pack 1 (SP1).

Hyper-V in Windows Server 2012, also known as Hyper-V 3.0, includes the following major
improvements:

• Virtual machine replication

• Hyper-V PowerShell support

• Quality of Service (QoS) bandwidth management

• Non-Uniform Memory Access (NUMA) support

• Memory improvements

Virtual Machine Replication
You can use Hyper-V Replica to perform continuous replication of important virtual machines from a host
server to a replica server. In the event that the host server fails, you can configure failover to the replica
server. For more information on Hyper-V replicas, visit Module 9: Implementing Failover Clustering with
Hyper-V.

Hyper-V PowerShell Support
Windows Server 2012 introduces extensive Windows PowerShell® support for Hyper-V through the
Hyper-V PowerShell module. You can manage all aspects of Hyper-V, including creating virtual hard disks,
virtual switches, and virtual machines.

Quality of Service (QoS) Bandwidth Management


Hyper-V administrators can use Quality of Service (QoS) bandwidth management to converge multiple
traffic types through a virtual-machine network adapter, which allows a predictable service level for each
traffic type. You also can allocate minimum and maximum bandwidth allocations on a per-virtual machine
basis.

Non-Uniform Memory Access (NUMA) Support


Hyper-V 3.0 includes NUMA support. NUMA is a multiprocessor architecture that automatically groups
RAM and processors. This leads to performance improvements for virtual machines that are hosted on
servers that have multiple processors and large amounts of random access memory (RAM).

Memory Improvements
Dynamic memory is a feature that lets virtual machine memory be allocated as necessary, rather than
as a fixed amount. For example, rather than setting a virtual machine with a fixed 4 gigabytes (GB) of
memory, which Hyper-V allocates to the virtual machine, an administrator can use dynamic memory to
allocate a minimum and maximum amount. In this scenario, the virtual machine requests only what it
needs. Although Windows Server 2008 R2 SP1 included the ability for virtual machines to use dynamic
memory, you had to make any adjustments to these settings after you shut down the server. Hyper-V 3.0
enables administrators to adjust dynamic memory settings on virtual machines that are running. You can
use smart paging to configure startup memory, which differs from the minimum and maximum memory
allocations. When you use smart paging, the Hyper-V host uses memory paging to ensure that a virtual
machine can start when there are not enough memory resources available to support startup, but enough
to support the virtual machine's minimum memory allocation.

Other improvements to Hyper-V include:

• Resource Metering. Resource Metering allows administrators to track resource utilization of individual
virtual machines. You can enable resource metering on a per-virtual machine basis. Use PowerShell to
perform resource-metering operations.

• Virtual Fibre Channel. Virtual Fibre Channel enables virtual machines to use a virtual Fibre Channel
host bus adapter (HBA) to connect to Fibre Channel resources on storage area networks (SANs). To
use Virtual Fibre Channel, the host Hyper-V server must have a compatible Fibre Channel HBA.

• Live migration without shared storage. Hyper-V 3.0 supports live migration of virtual machines
between Hyper-V hosts, without requiring access to shared storage. For more information on live
migration, visit Module 9: Implementing Failover Clustering with Hyper-V.

• New virtual hard disk format. Hyper-V 3.0 introduces the VHDX format. This disk format supports
larger virtual hard disks. It also includes a format that minimizes the chances of data loss during
unexpected power outages.

• Server message block 3.0 (SMB 3.0) storage. Hyper-V 3.0 virtual machines can use virtual hard disks
stored on normal shared folders, as long as the folders are hosted on a server that supports the SMB
3.0 protocol.

• Network virtualization. Network virtualization enables virtual machines to retain a static IP address
configuration when migrated to different Hyper-V hosts.
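Three of the improvements described in this topic, dynamic memory with a separate startup value, QoS bandwidth management on a virtual network adapter, and Resource Metering, are configured per virtual machine with the Hyper-V PowerShell module. The following script is an added example, not part of the course text. It assumes a virtual machine named APP1 on the local host; the memory sizes and bandwidth limits are placeholders.

```powershell
# Added example (not from the course): dynamic memory, QoS and Resource Metering
# on one virtual machine. Assumptions (placeholders): VM APP1 on the local host;
# all sizes and limits are illustrative.
Import-Module Hyper-V
$vmName = 'APP1'

# Dynamic memory: minimum, startup and maximum instead of one fixed amount.
# Startup may be larger than the minimum; smart paging covers that gap at boot
# when the host is short of memory. Changes apply while the VM is running.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true `
    -MinimumBytes 512MB -StartupBytes 1GB -MaximumBytes 4GB -Buffer 20
Get-VMMemory -VMName $vmName |
    Format-List DynamicMemoryEnabled, Minimum, Startup, Maximum, Buffer

# QoS bandwidth management: cap the adapter at 1 Gbit/s (the value is in bits
# per second). A guaranteed minimum (-MinimumBandwidthAbsolute or
# -MinimumBandwidthWeight) additionally requires the virtual switch to be in the
# matching bandwidth reservation mode; check it with
#   Get-VMSwitch | Format-Table Name, BandwidthReservationMode
Set-VMNetworkAdapter -VMName $vmName -MaximumBandwidth 1GB
Get-VMNetworkAdapter -VMName $vmName |
    Format-List Name, SwitchName, BandwidthSetting

# Resource Metering: start collecting, let the VM run for a while, then read the
# report. Reset clears the counters when a billing or capacity period ends.
Enable-VMResourceMetering -VMName $vmName
Start-Sleep -Seconds 60            # placeholder interval for the example
Measure-VM -VMName $vmName
Reset-VMResourceMetering -VMName $vmName
```

The report from Measure-VM covers average CPU, average and peak memory, disk allocation and network traffic since metering was enabled or last reset, which is what makes it usable for chargeback and for spotting a virtual machine whose consumption changed unexpectedly.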

Prerequisites for Installing Hyper-V
Hyper-V on Windows Server 2012 requires that the host computer has an x64 processor, which
supports Second Level Address Translation (SLAT). SLAT is a special technology that allows a
processor to address memory more efficiently. The server that hosts the Hyper-V role needs a
minimum of 4 GB of RAM. A virtual machine hosted on Hyper-V in Windows Server 2012 can
support a maximum of 1 terabyte of RAM and up to 32 virtual processors.

When deciding on the server hardware in which you plan to install the Hyper-V role, you need to
ensure the following:

• The server must have enough memory to support the memory requirements of all of the virtual
machines that must run concurrently. The server also must have enough memory to run the host
Windows Server 2012 operating system.

• The storage subsystem performance must meet the I/O needs of the guest virtual machines. It may be
necessary to place different virtual machines on separate physical disks to deploy a high performance
redundant array of independent disks (RAID), Solid State Drives (SSD), hybrid-SSD, or a combination
of all three.

• The CPU capacity of the host server must meet the requirements of the guest virtual machines.
• The host server's network adapters must be able to support the network throughput requirements of
the guest virtual machines. This may require installing multiple network adapters and using multiple
network interface card (NIC) teams for virtual machines that have high network-use requirements.

Demonstration: Configuring Hyper-V Settings
It is necessary to start a traditionally deployed server to run this demonstration because you cannot run
Hyper-V from within a virtual machine.

Demonstration Steps
1. Log on to LON-HOST1.
2. Open the Hyper-V Manager console.

3. In the Hyper-V Settings dialog box, review the following settings:

o Virtual Hard Disks

o Virtual Machines

o Physical GPUs

o NUMA Spanning

Hyper-V Integration Services
Hyper-V Integration Services are a series of services that you can use with supported virtual-machine
guest operating systems. Supported operating systems can use Integration Services components and
functionality like Small Computer System Interface (SCSI) adapters and synthetic network adapters.

The virtual-machine guest operating systems that Hyper-V supports include:

• Windows Server 2012

• Windows Server 2008 R2 with SP1

• Windows Server 2008 with Service Pack 2 (SP2)

• Windows Server 2003 R2 with SP2

• Windows Home Server 2011

• Windows MultiPoint Server 2011

• Windows Small Business Server 2011

• Windows Server 2003 with Service Pack 2

• CentOS 6.0-6.2

• CentOS 5.5-5.7

• Red Hat Enterprise Linux 6.0-6.2

• Red Hat Enterprise Linux 5.5-5.7

• SUSE Linux Enterprise Server 11 with Service Pack 1 or Service Pack 2

• SUSE Linux Enterprise Server 10 with Service Pack 4

• Windows 7 with Service Pack 1

• Windows Vista® with Service Pack 2

• Windows XP with Service Pack 3

Additional Reading: Note that the Hyper-V support for the Windows XP operating system
ends in April 2014, and support for Windows Server 2003 and Windows Server 2003 R2 expires in
July 2015. When available, a link will be provided here to the list of supported Hyper-V virtual-
machine guest operating systems on Windows Server 2012.

You can install the Integration Services components on an operating system by clicking the Insert
Integration Services Setup Disk item on the Action menu in the Virtual Machine Connection window. After
this is done, you can install the relevant operating-system drivers either manually or automatically.

You can enable the following virtual-machine integration components:

• Operating system shutdown. The Hyper-V server uses this component to initiate a graceful shutdown
of the guest virtual machine.

• Time synchronization. The virtual machine uses this component to use the host server's processor to
conduct time synchronization.

• Data Exchange. The Hyper-V host uses this component to write data to the virtual machine's registry.

• Heartbeat. Hyper-V uses this component to determine if the virtual machine has become
unresponsive.

• Backup (volume snapshot). The provider of the Volume Shadow Copy Service (VSS) uses this
component to create virtual-machine snapshots for backup operations, without interrupting the
virtual machines' normal operation.
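Each of these components is a channel between the host and the guest, so a host administrator will usually want to know which of them are enabled on each virtual machine and switch off the ones a workload does not need (Data Exchange, for example, lets the host write into the guest's registry). The following Windows PowerShell script is an added example and is not part of this course's material; the list of services allowed to stay enabled is an assumption that you would adapt to your own policy, and the service names are the display names that Get-VMIntegrationService reports on Windows Server 2012.

```powershell
# Added example (not from the course): report the integration services enabled
# on every VM on this host, and disable those outside an allowed list.
Import-Module Hyper-V

# Integration services that this host's policy allows to stay enabled (assumption).
$allowed = @('Shutdown', 'Time Synchronization', 'Heartbeat', 'VSS')

function Get-IntegrationServiceReport {
    # One row per VM/service pair so that the result can be filtered or exported.
    foreach ($vm in Get-VM) {
        foreach ($svc in Get-VMIntegrationService -VM $vm) {
            [pscustomobject]@{
                VMName  = $vm.Name
                Service = $svc.Name
                Enabled = $svc.Enabled
                Allowed = $allowed -contains $svc.Name
            }
        }
    }
}

function Disable-UnneededIntegrationServices {
    param([string[]]$VMName = (Get-VM).Name, [switch]$WhatIf)
    foreach ($name in $VMName) {
        Get-VMIntegrationService -VMName $name |
            Where-Object { $_.Enabled -and ($allowed -notcontains $_.Name) } |
            ForEach-Object {
                # For example 'Key-Value Pair Exchange', which is the Data Exchange
                # component that writes host-supplied data into the guest registry.
                Disable-VMIntegrationService -VMName $name -Name $_.Name -WhatIf:$WhatIf
            }
    }
}

# Report what is enabled but not allowed, preview the change, then apply it.
Get-IntegrationServiceReport | Where-Object { -not $_.Allowed -and $_.Enabled } |
    Format-Table -AutoSize
Disable-UnneededIntegrationServices -WhatIf
Disable-UnneededIntegrationServices
```

Run the report first; the -WhatIf pass prints what would be disabled without changing any virtual machine, which is the safer order on a host that serves several teams.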

Best Practices for Configuring Hyper-V Hosts
There are several best practices that you should consider when provisioning Windows Server 2012
to function as a Hyper-V host:

• Provision the host with adequate hardware

• Deploy virtual machines on separate disks

• Do not colocate other server roles

• Manage Hyper-V remotely

• Run Hyper-V by using the Server Core configuration

• Run the Best Practices Analyzer and Resource Metering

Provision the Host with Adequate Hardware
Perhaps the most important best practice is to ensure that the Hyper-V host is provisioned with adequate
hardware. You should ensure that there is appropriate processing capacity, an appropriate amount of
RAM, and fast and redundant storage. You should ensure that the Hyper-V host is provisioned with
multiple network cards that you configure as a team. If the Hyper-V host is not provisioned adequately
with hardware, this has an effect on the performance of all virtual machines that are hosted on the server.

Deploy Virtual Machines on Separate Disks
You should use separate disks to host virtual-machine files rather than having virtual-machine files
stored on the same disk as the host operating-system files. This minimizes contention and ensures that
read/write operations occurring on virtual machine files do not conflict with read/write operations
occurring at the host operating-system level. It also minimizes the chance that the virtual-machine
hard disks will grow to consume all available space on the operating-system volume. Performance
considerations are lessened if you deploy to a disk that uses striping, such as a RAID 1+0 array. If you are
using shared storage, you can provision multiple virtual machines on the same Logical Unit Number (LUN)
if you utilize Cluster Shared Volumes. However, choosing between separate LUNs for each virtual machine
or a shared LUN depends heavily on virtual machine workload and SAN hardware.

Do Not Colocate Other Server Roles


You should ensure that Hyper-V is the only server role deployed on the server. You should not colocate
the Hyper-V role with other roles, such as the Domain Controller or File Server role. Each role that you
deploy on a server requires resources, and when deploying Hyper-V, you want to ensure that the virtual
machines have access to as much of a host server's resources as possible. If it is necessary to locate these
roles on the same hardware, deploy these roles as virtual machines rather than installing them on the
physical host.

Manage Hyper-V Remotely


When you log on locally to a server, your logon session consumes server resources. By configuring a
Hyper-V server to be managed remotely and not performing administrative tasks by logging on locally,
you ensure that all possible resources on the Hyper-V host are available to the hosted virtual machines.
You also should restrict access to the Hyper-V server, so that only administrators responsible for the
management of virtual machines can make connections. A configuration error on a Hyper-V host can
cause downtime to all hosted virtual machines.

Run Hyper-V by Using the Server Core Configuration


There are two main reasons to run Hyper-V using the Server Core configuration. The first reason is that
running Windows Server 2012 in the server core configuration minimizes hardware-resource utilization for
the host operating-system. Running the server in server core configuration means that there are more
hardware resources for the hosted virtual machines.

The second reason to run the Hyper-V server in server core configuration is that server core requires fewer
software updates, which in turn means fewer reboots. When you restart a Hyper-V host, all virtual
machines that it hosts are unavailable for the duration of the restart. Because a Hyper-V host can
host many critical servers as virtual machines, you want to ensure that you minimize downtime.

Run the Best Practices Analyzer and Use Resource Metering


If you have enabled performance counters on the Hyper-V host, you can use the Best Practices Analyzer
to determine if there are any specific configuration issues that you should address. Enabling performance
counters does incur a slight cost to performance, so you should enable these only during periods when
you want to monitor server performance, rather than leaving them on permanently.

You can use Resource Metering, a new feature of Hyper-V 3.0, to monitor how hosted virtual machines
utilize server resources. You can use Resource Metering to determine if specific virtual machines are using
a disproportionate amount of a host server's resources. If the performance characteristics of one virtual
machine are having a deleterious effect on the performance of other virtual machines hosted on the same
server, you should consider migrating that virtual machine to another Hyper-V host.

Additional Reading: 7 Best Practices for Physical Servers Hosting Hyper-V Roles
http://technet.microsoft.com/en-us/magazine/dd744830.aspx

Lesson 2
Configuring Hyper-V Storage
Hyper-V provides many different virtual machine storage options. If you know which option is appropriate
for a given situation, you can ensure that a virtual machine performs well. But if you do not understand
the different virtual-machine storage options, you may end up deploying virtual hard disks that consume
unnecessary space or that place an unnecessary performance burden on the host Hyper-V server.

This lesson describes the different virtual hard disk types, the different virtual hard disk formats, and the
benefits and limitations of using virtual machine snapshots.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the properties of virtual hard disks in Hyper-V 3.0.

• Select a virtual hard disk type.

• Convert between virtual hard disk types.

• Maintain virtual hard disks.

• Determine where to deploy virtual hard disks.

• Describe the requirements for storing Hyper-V data on SMB file shares.

• Implement virtual machine snapshots.

• Describe the requirements of providing Fibre Channel support within virtual machines.

Virtual Hard Disks in Hyper-V 3.0
A virtual hard disk is a special file format that represents a traditional hard-disk drive. You can
configure a virtual hard disk with partitions and an operating system. Additionally, you can use virtual
hard disks with virtual machines and you also can mount virtual hard disks by using the Windows
Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows® 8 and Windows 7
operating systems. Windows Server 2012 supports booting to virtual hard disks. You can use this
feature to configure the computer to start into a Windows Server 2012 operating system or some
editions of the Windows Server 8 operating system that are deployed on a virtual hard disk. You can
create a virtual hard disk by using:

• The Hyper-V Manager console.

• The Disk Management console.

• The diskpart command-line utility.

• The New-VHD Windows PowerShell cmdlet.

Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also
support booting to virtual hard disk.

Comparing VHDX and VHD
Virtual hard disks use the .vhd extension. Windows Server 2012 introduces the new VHDX format for
virtual hard disks. In comparison to the VHD format that was used in Hyper-V on Windows Server 2008
and Windows Server 2008 R2, the VHDX format has the following benefits:

• VHDX virtual hard disks can be as large as 64 terabytes. VHD virtual hard disks were limited to 2 TB.

• The VHDX virtual hard disk file structure minimizes the chance that the disk will become corrupt if the
host server suffers an unexpected power outage.

• VHDX virtual hard disk format supports better alignment when deployed to large sector disk.

• VHDX allows larger block size for dynamic and differencing disks, which provides better performance
for these workloads.

If you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows
Server 2012, you can convert an existing VHD file to VHDX format by using the Edit Disk tool. It also is
possible to convert from VHDX format to VHD.

Additional Reading: Hyper-V Virtual Hard Disk Format Overview
http://technet.microsoft.com/en-us/library/hh831446.aspx

Disk Types
When you configure a virtual hard disk, you can choose one of the following disk types:

• Fixed

• Dynamic

• Pass-through

• Differencing

Fixed Virtual Hard Disk
When you create a fixed virtual hard disk, all of the hard-disk space is allocated during the
creation process. This has the advantage of minimizing fragmentation, which improves virtual hard disk
performance when they are hosted on traditional storage devices. However, a disadvantage is that it
requires all of the space that the virtual hard disk potentially can use to be allocated on the host
partition. In many situations, you will not know precisely how much disk space a virtual machine needs. If
you use fixed hard disks, you may end up allocating space to storage that is not actually required.

To create a fixed virtual hard disk, perform the following steps:

1. Open the Hyper-V Manager console.

2. In the Actions pane, click New, and then click Hard Disk.

3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

4. On the Choose Disk Format page, select VHD or VHDX, and then click Next.

5. On the Choose Disk Type page, click Fixed size, and then click Next.

6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a
folder to host the virtual hard-disk file.

7. On the Configure Disk page, select one of the following options:

o Create a new blank virtual hard disk of the specified size.

o Copy the contents of a specified physical disk. You can use this option to replicate an existing
physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the
disk that you have replicated. Replicating an existing physical hard disk does not alter data on the
existing disk.

o Copy the contents of a specified virtual hard disk. You can use this option to create a new fixed
hard disk based on the contents of an existing virtual hard disk.

You can create a new fixed hard disk by using the New-VHD Windows PowerShell cmdlet with the -Fixed
parameter.

Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes or on SSDs. Hyper-V improvements, since it was first introduced in Windows Server
2008, also minimize performance differences between dynamic and fixed virtual hard disks.

Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and it grows as necessary. For example, if you create
a new virtual machine, and specify a dynamic disk, only a small amount of disk space is allocated to the
new disk.

This space is as follows:


• Approximately 260 kilobytes (KB) for a VHD format virtual hard disk

• Approximately 4096 KB for a VHDX format virtual hard disk

As storage is allocated, such as when you deploy the operating system, the dynamic hard disk grows. If
you delete files from a dynamically expanding virtual hard disk, the virtual hard-disk file does not shrink.
You can only shrink a dynamically expanding virtual hard-disk file by performing a shrink operation.

Creating a dynamically expanding virtual hard disk is similar to creating a fixed disk. In the New Virtual
Hard Disk Wizard, on the Choose Disk Type page, select Dynamically expanding size instead of Fixed.

You can create a new dynamic hard disk by using the New-VHD Windows PowerShell cmdlet with the
-Dynamic parameter.

Pass-Through Disks
Virtual machines use pass-through disks to access a physical disk drive directly, rather than a virtual hard
disk. You can use pass-through disks to connect a virtual machine directly to an Internet SCSI (iSCSI) LUN.
When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do
this, you must use the host’s disk management console to take the disk offline. After the disk is offline,
you can connect it to one of the virtual machine's disk controllers.

You can attach a pass-through disk by performing the following steps:

1. Ensure that the target hard disk is offline.

2. Use the Hyper-V Manager console to edit an existing virtual machine's properties.
3. Click an Integrated Drive Electronics (IDE) or SCSI controller, click Add, and then click Hard Drive.

4. In the Hard Drive dialog box, select Physical Hard Disk. In the drop-down list, select the disk that
you want to use as the pass-through disk.

Note: You do not have to shut down a virtual machine if you connect the pass-through
disk to a virtual machine's SCSI controller. However, if you want to connect to a virtual machine's
IDE controller, it is necessary to shut down the virtual machine.

Differencing Disks
Differencing disks record the changes made to a parent disk. You can use differencing disks to reduce
the amount of hard disk space that virtual hard disks consume, but that comes at the cost of disk
performance. Differencing disks work well with SSD drives where there is limited space available on the
drive and the performance of the disk compensates for the performance drawbacks of using a differencing
disk.

Differencing disks have the following properties:

• You can link multiple differencing disks to a single parent disk.

• When you modify the parent disk, all linked differencing disks fail.

You can reconnect a differencing disk to the parent by using the Inspect Disk tool, available in the actions
pane of the Hyper-V Manager console. You also can use the Inspect Disk tool to locate a differencing
disk's parent disk.

To create a differencing disk, follow these steps:

1. Open the Hyper-V Manager console.

2. In the Actions pane, click New, and then click Hard Disk.

3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

4. On the Choose Disk Format page, select VHD, and then click Next.

5. On the Choose Disk Type page, select Differencing, and then click Next.

6. On the Specify Name and Location page, provide the location of the parent hard disk, and then
click Finish.

You can create a differencing hard disk by using the New-VHD Windows PowerShell cmdlet. For example,
to create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, run
the following Windows PowerShell command:

New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd

Converting Disks
From time to time, it is necessary to perform maintenance operations on virtual hard disks.
You can perform the following maintenance operations on virtual hard disks:

• Convert the disk from fixed to dynamic.

• Convert the disk from dynamic to fixed.

• Convert a virtual hard disk in VHD format to VHDX.

• Convert a virtual hard disk in VHDX format to VHD.

When you convert a hard disk, the contents of the existing virtual hard disk are copied to a new virtual
hard disk that has the properties that you have chosen. To convert a virtual hard disk, perform the
following steps:

1. In the Actions pane of the Hyper-V Manager console, click Edit Disk.

2. On the Before You Begin page of the Edit Virtual Hard Disk Wizard, click Next.

3. On the Local Virtual Hard Disk page, click Browse. Select the virtual hard disk that you wish to
convert.

4. On the Choose Action page, select Convert, and then click Next.
5. On the Convert Virtual Hard Disk page, select VHD or VHDX format. By default, the current disk
format is selected. Click Next.

6. If you want to convert the disk from fixed to dynamic or dynamic to fixed, on the Convert Virtual
Hard Disk page, select Fixed Size or Dynamically Expanding. If you want to convert the hard disk
type, choose the appropriate type, and then click Next.

7. On the Configure Disk page, select the destination location for the disk, click Next, and then click
Finish.

You can shrink a dynamic virtual hard disk that is not taking up all the space that is allocated to it. For
example, a dynamic virtual hard disk might be 60 GB on the parent volume, but only use 20 GB of that
space. You shrink a virtual hard disk by choosing the Compact option in the Edit Virtual Hard Disk Wizard.

You cannot shrink fixed virtual hard disks. You must convert a fixed virtual hard disk to dynamic before
you can compact the disk. You can use the resize-partition and the resize-vhd Windows PowerShell
cmdlets to compact a dynamically expanding virtual hard disk.

You also can use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically
expanding and fixed virtual hard disks.
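The conversion, compact, and expand operations described above are also available from Windows PowerShell, which matters when the same maintenance has to be applied to many disks. The following script is an added example and is not part of this course's material: it compacts a virtual hard disk and handles the case the text calls out, a fixed disk that cannot be compacted, by first converting it to a dynamically expanding copy (optionally in VHDX format). The path is an assumption, and the "-dynamic" suffix for the converted copy is a naming choice of this example.

```powershell
# Added example (not from the course): compact a virtual hard disk, converting a
# fixed disk to dynamic first because fixed disks cannot be compacted.
Import-Module Hyper-V

function Compact-VirtualHardDisk {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$ToVhdx    # also move a .vhd file to the VHDX format
    )
    $vhd = Get-VHD -Path $Path
    if ($vhd.Attached) {
        # Convert-VHD and Optimize-VHD need the file detached (or attached read-only).
        throw "$Path is attached to a virtual machine; shut it down or detach the disk first."
    }

    $source = $Path
    if ($vhd.VhdType -eq 'Fixed' -or ($ToVhdx -and $vhd.VhdFormat -eq 'VHD')) {
        $ext  = if ($ToVhdx) { '.vhdx' } else { [System.IO.Path]::GetExtension($Path) }
        $dest = [System.IO.Path]::ChangeExtension($Path, $null) + '-dynamic' + $ext
        # Convert-VHD copies the contents into a new file with the chosen type and
        # format; the original stays in place until you have verified the copy.
        Convert-VHD -Path $Path -DestinationPath $dest -VHDType Dynamic
        $source = $dest
    }

    # Optimize-VHD reclaims unused blocks in a dynamic or differencing file; this is
    # the Compact action of the Edit Virtual Hard Disk Wizard.
    Optimize-VHD -Path $source -Mode Full

    $after = Get-VHD -Path $source
    [pscustomobject]@{
        Path       = $after.Path
        Type       = $after.VhdType
        Format     = $after.VhdFormat
        MaxSizeGB  = [math]::Round($after.Size / 1GB, 1)      # what the guest sees
        FileSizeGB = [math]::Round($after.FileSize / 1GB, 1)  # what the host volume pays
    }
}

# Assumed path: a fixed-size VHD belonging to a virtual machine that is shut down.
Compact-VirtualHardDisk -Path 'E:\VMs\LON-SVR1\LON-SVR1.vhd' -ToVhdx
```

After a conversion, point the virtual machine at the new file with Set-VMHardDiskDrive and delete the original only once the guest has booted from the copy.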

Demonstration: Managing Virtual Hard Disks in Hyper-V


In this demonstration, you create a differencing disk based on an existing disk by using both Hyper-V
Manager and PowerShell.

Demonstration Steps
1. Use Windows Explorer to create the following folders on the physical host drive:

o E:\Program Files\Microsoft Learning\Base\LON-GUEST1

o E:\Program Files\Microsoft Learning\Base\LON-GUEST2

Note: The drive letter may depend upon the number of drives on the physical host
machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:

o Disk Format: VHD

o Disk Type: Differencing

o Name: LON-GUEST1.vhd

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd



3. Open Windows PowerShell, import the Hyper-V module, and then run the following command:

New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd"
-ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.

5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

Location Considerations of Virtual Hard Disks
A key factor when provisioning virtual machines is ensuring that virtual hard disks are placed
correctly. Virtual hard-disk performance can affect virtual machine performance dramatically. Servers
that are otherwise well provisioned with RAM and processor capacity can still experience bad
performance if the storage system is overwhelmed.

Consider the following factors when planning the location of virtual hard-disk files:

• High-performance connection to the storage

You can locate virtual hard-disk files on local or remote storage. When you locate them on remote
storage, you need to ensure that there is adequate bandwidth and minimal latency between the host
and the remote storage. Slow network connections to storage, or connections where there is latency,
result in poor virtual-machine performance.

• Redundant storage

The volume that the virtual hard-disk files are stored on should be fault-tolerant. This should apply if
the virtual hard disk is stored on a local disk or a remote SAN device. It is not uncommon for hard
disks to fail. Therefore, the virtual machine and the Hyper-V host should remain in operation after a
disk failure. Replacement of failed disks also should not affect the operation of the Hyper-V host or
virtual machines.

• High-performance storage

The storage device on which you store virtual hard-disk files should have excellent I/O characteristics.
Many enterprises use SSD hybrid drives in RAID 1+0 arrays to achieve maximum performance and
redundancy. Multiple virtual machines that are running simultaneously on the same storage can place
a tremendous I/O burden on a disk subsystem. Therefore, you need to ensure that you choose high-
performance storage. If you do not, virtual machine performance suffers.

• Adequate growth space

If you have configured virtual hard disks to grow automatically, ensure that there is adequate space
into which the files can grow. Also, carefully monitor growth so that you are not shocked when a
virtual hard disk fills the volume that you allocated to host it. If you configure virtual hard disks to
grow automatically, place each virtual machine's virtual hard disk on a separate volume. This way, the
virtual hard disks of multiple virtual machines are not affected if the volume's capacity is exceeded.
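The "adequate growth space" factor can be checked rather than estimated: for every dynamically expanding or differencing disk, the difference between its maximum size and its current file size is what the hosting volume may still be asked to absorb. The following Windows PowerShell script is an added example and is not part of this course's material; it sums that potential growth per volume on the local host and flags volumes where it exceeds the free space. Disks stored on SMB 3 file shares are listed by share root without a free-space figure, because the share's capacity is not visible from the host.

```powershell
# Added example (not from the course): compare the potential growth of the
# virtual hard disks on each volume with the free space left on that volume.
Import-Module Hyper-V

function Get-VhdGrowthRisk {
    # Every file-backed disk attached to a VM on this host. Pass-through disks
    # have no Path and are skipped.
    $disks = Get-VM | Get-VMHardDiskDrive |
        Where-Object { $_.Path } |
        ForEach-Object { Get-VHD -Path $_.Path -ErrorAction SilentlyContinue }

    # Group by the root that hosts the file: "E:" for a local volume, or
    # "\\server\share" for a disk on an SMB 3 file share.
    $disks | Group-Object { [System.IO.Path]::GetPathRoot($_.Path).TrimEnd('\') } |
        ForEach-Object {
            $root = $_.Name
            $vol  = $null
            if ($root -match '^[A-Za-z]:$') {
                $vol = Get-Volume -DriveLetter $root[0] -ErrorAction SilentlyContinue
            }
            # Fixed disks are already fully allocated; dynamic and differencing
            # disks can still grow by (maximum Size - current FileSize).
            $growth = 0
            foreach ($d in $_.Group) {
                if ($d.VhdType -ne 'Fixed') { $growth += ($d.Size - $d.FileSize) }
            }
            [pscustomobject]@{
                Root              = $root
                DiskCount         = $_.Count
                PotentialGrowthGB = [math]::Round($growth / 1GB, 1)
                FreeGB            = if ($vol) { [math]::Round($vol.SizeRemaining / 1GB, 1) } else { $null }
                # $true when the disks could outgrow the volume; $null when free
                # space is not visible from this host (remote share).
                AtRisk            = if ($vol) { $growth -gt $vol.SizeRemaining } else { $null }
            }
        }
}

Get-VhdGrowthRisk | Sort-Object AtRisk -Descending | Format-Table -AutoSize
```

A volume that shows AtRisk = True is exactly the case the text warns about: if several virtual machines share it, one guest filling its disk pauses all of them. Running the function from a scheduled task and alerting on that column turns the "carefully monitor growth" advice into a routine check.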

Storage on SMB 3 File Shares
Hyper-V supports storing virtual machine data, such as virtual-machine configuration files,
snapshots, and virtual hard-disk files, on SMB 3 file shares.

The file share must support SMB 3. This limits placement of virtual hard disks to file shares
that are hosted on file servers that are running Windows Server 2012. Earlier Windows Server
versions do not support SMB 3. You must ensure that network connectivity to the file share is 1 GB or
more.

SMB file share provides an alternative to storing virtual-machine files on iSCSI or Fibre Channel SAN
devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network
share when choosing the virtual machine location and the virtual hard-disk location. You also can attach
disks stored on SMB 3 file shares. You can use both VHD and VHDX disks with SMB file shares.

Additional Reading: Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
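Placing virtual machine files on a share means the Hyper-V host's computer account, not the administrator's user account, is what opens the files, so the share and NTFS permissions must grant the host computer accounts Full Control and should grant nothing to anyone else. The following Windows PowerShell script is an added example and is not part of this course's material; it publishes such a share on a Windows Server 2012 file server and then creates a virtual machine on the Hyper-V host whose configuration and VHDX are stored there. The server name LON-FS1, the share name VMs, the domain ADATUM, the host names, the Hyper-V administrators group, and the new virtual machine's name and sizes are all assumptions.

```powershell
# Added example (not from the course): an SMB 3 share restricted to Hyper-V host
# computer accounts, and a VM created with its files on that share.

# --- On the file server (LON-FS1, Windows Server 2012) ---
$sharePath = 'D:\HyperVShare'
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# Hyper-V host computer accounts are written as DOMAIN\HOSTNAME$. They need
# Full Control on both the share and the NTFS folder. (Assumed names.)
$principals = 'ADATUM\LON-HOST1$', 'ADATUM\LON-HOST2$', 'ADATUM\Hyper-V Admins'
New-SmbShare -Name 'VMs' -Path $sharePath -FullAccess $principals | Out-Null

$acl = Get-Acl -Path $sharePath
foreach ($p in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# --- On the Hyper-V host (LON-HOST1) ---
Import-Module Hyper-V
$unc = '\\LON-FS1\VMs'

# Confirm that the host negotiated SMB 3 with the file server before relying on it.
Get-SmbConnection -ServerName 'LON-FS1' | Select-Object ShareName, Dialect

# Create the VM with both its configuration and a new VHDX on the share.
New-VM -Name 'LON-SVR3' -MemoryStartupBytes 1GB -Path $unc `
       -NewVHDPath "$unc\LON-SVR3\LON-SVR3.vhdx" -NewVHDSizeBytes 60GB | Out-Null

# The VM's files should now resolve to the UNC path rather than a local drive.
Get-VM -Name 'LON-SVR3' | Select-Object Name, ConfigurationLocation
Get-VMHardDiskDrive -VMName 'LON-SVR3' | Select-Object Path
```

A Dialect below 3.0 in the Get-SmbConnection output means the share is not usable for virtual machine storage, which is the "earlier Windows Server versions do not support SMB 3" limitation above made visible.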

Snapshot Management in Hyper-V
Snapshot is an important technology that provides administrators with the ability to make
a replica of a virtual machine at a specific time. You can take snapshots when a virtual machine is
shut down or running. However, when you take a snapshot of a virtual machine that is running, the
snapshot includes the contents of the virtual machine's memory.

Taking a Snapshot
You can take a snapshot on the Actions pane of the Virtual Machine Connection window or in the
Hyper-V Manager console. Each virtual machine can have a maximum of 50 snapshots.

When taking snapshots of multiple virtual machines, you should take them at the same time. This ensures
synchronization of items such as computer-account passwords. Remember that when you revert to a
snapshot, you are reverting to a computer's state at that specific time. If you take a computer back to a
point before it performed a computer-password change with a domain controller, you will need to rejoin
that computer to the domain.

Snapshots Do Not Replace Backups
Snapshots are not a replacement for backups. Snapshot data is stored on the same volume as the virtual
hard disks. If the volume hosting these files fails, both the snapshot and the virtual hard disk files are lost.
You can perform a virtual machine export of a snapshot. When you export the snapshot, Hyper-V creates
full virtual hard disks that represent the state of the virtual machine at the time that you took the
snapshot. If you choose to export an entire virtual machine, all snapshots associated with the virtual
machine also are exported.

Avhd Files
When you create a snapshot, Hyper-V writes avhd files that store the data that differentiates the snapshot
from either the previous snapshot or the parent virtual hard disk. When you delete snapshots, this data is
discarded or merged into the previous snapshot or parent virtual hard disk. For example, if you delete the
most recent snapshot of a virtual machine, the data is discarded. If you delete the second to last snapshot
taken of a virtual machine, the data is merged so that the earlier and latter snapshot states of the virtual
machine retain their integrity.

Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time that
the snapshot was taken. Reverting to a snapshot does not delete any existing snapshots. If you revert to a
snapshot after making a configuration change, you are prompted to take a snapshot. It only is necessary
to create a new snapshot if you want to return to that current configuration.

It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of
a virtual machine on Monday, Tuesday, and Wednesday, applied the Tuesday snapshot, and then made
changes to the virtual machine's configuration, you create a new branch that diverges from the original
Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50-snapshot limit
per virtual machine.
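Three points from this topic translate directly into script: snapshots of related virtual machines should be taken together, no virtual machine may exceed 50 snapshots, and a snapshot only counts as a backup once it has been exported to a volume other than the one holding the .avhd files. The following Windows PowerShell script is an added example and is not part of this course's material; it checkpoints a group of virtual machines under one shared name, skips any that are at the limit, exports that checkpoint to another volume, and prints the tree so that branches are visible. The virtual machine names, the export path, and the "PrePatch" label are assumptions.

```powershell
# Added example (not from the course): consistent group snapshots, the 50-snapshot
# limit, export to a separate volume, and a view of the snapshot tree.
Import-Module Hyper-V

$vmGroup   = 'LON-DC1', 'LON-SVR1', 'LON-SVR2'   # a DC and members that must stay in step (assumed)
$exportDir = 'F:\VMExports'                       # a different volume from the VM storage (assumed)
$maxSnaps  = 50                                   # per-VM limit stated above

function Checkpoint-VMGroup {
    param([string[]]$VMName, [string]$Label)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $snapshotName = "$Label-$stamp"
    foreach ($name in $VMName) {
        $count = @(Get-VMSnapshot -VMName $name).Count
        if ($count -ge $maxSnaps) {
            Write-Warning "$name already has $count snapshots; skipping."
            continue
        }
        # One name across every VM makes it obvious which snapshots belong
        # together and must be applied together (machine-account passwords).
        Checkpoint-VM -Name $name -SnapshotName $snapshotName
    }
    $snapshotName
}

function Export-VMGroupSnapshot {
    param([string[]]$VMName, [string]$SnapshotName, [string]$Destination)
    foreach ($name in $VMName) {
        # Export-VMSnapshot writes full virtual hard disks for the snapshot state,
        # which is what makes the copy independent of the original volume.
        Get-VMSnapshot -VMName $name -Name $SnapshotName |
            Export-VMSnapshot -Path (Join-Path $Destination $name)
    }
}

$snap = Checkpoint-VMGroup -VMName $vmGroup -Label 'PrePatch'
Export-VMGroupSnapshot -VMName $vmGroup -SnapshotName $snap -Destination $exportDir

# ParentSnapshotName shows the branch structure described above.
Get-VMSnapshot -VMName $vmGroup | Sort-Object VMName, CreationTime |
    Format-Table VMName, Name, ParentSnapshotName, CreationTime -AutoSize
```

Checkpointing a running domain controller captures its memory, so reverting the group later still rolls every member back together; that is why the same label on every machine is the useful part, not the export alone.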

Fibre Channel Support in Hyper-V
Hyper-V virtual Fibre Channel is a virtual hardware component that you can add to a virtual machine,
and which enables the virtual machine to access Fibre Channel storage on SANs. To deploy a
virtual Fibre Channel:

• You must configure the Hyper-V host with a Fibre Channel HBA.

• The Fibre Channel HBA must have a driver that supports virtual Fibre Channel.

• The virtual machine must support virtual machine extensions.

Virtual Fibre Channel adapters support port virtualization by exposing HBA ports in the guest operating
system. This allows the virtual machine to access the SAN by using a standard World Wide Name (WWN)
associated with the virtual machine.

You can deploy up to four virtual Fibre Channel adapters to each virtual machine.

Additional Reading: Hyper-V Virtual Fibre Channel Overview
http://technet.microsoft.com/en-us/library/hh831413.aspx
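A virtual Fibre Channel adapter is attached through a virtual SAN on the host that is backed by the physical HBA ports, and the WWNs that Hyper-V assigns to the adapter are what the SAN administrator must zone and mask, so adding the adapter and reading back its WWNs belong together. The following Windows PowerShell script is an added example and is not part of this course's material; it creates the virtual SAN from the host's Fibre Channel initiator ports if it does not exist, refuses to exceed the four-adapter limit stated above, and reports the WWPNs of the virtual machine's adapters. The virtual SAN name SAN-A and the virtual machine name are assumptions.

```powershell
# Added example (not from the course): add a virtual Fibre Channel adapter within
# the four-adapter limit and report the WWNs the VM will present to the SAN.
Import-Module Hyper-V

function Add-VmFcAdapterChecked {
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$SanName)

    # The virtual SAN must already exist on this host.
    Get-VMSan -Name $SanName -ErrorAction Stop | Out-Null

    $existing = @(Get-VMFibreChannelHba -VMName $VMName)
    if ($existing.Count -ge 4) {
        throw "$VMName already has $($existing.Count) virtual Fibre Channel adapters (limit is 4)."
    }
    # The adapter can only be added while the virtual machine is off.
    if ((Get-VM -Name $VMName).State -ne 'Off') { throw "$VMName must be shut down first." }

    Add-VMFibreChannelHba -VMName $VMName -SanName $SanName

    # Set A and Set B are the two WWN pairs Hyper-V keeps per adapter so that the
    # alternate pair can be used during live migration; zone both on the SAN.
    Get-VMFibreChannelHba -VMName $VMName |
        Select-Object SanName, WorldWidePortNameSetA, WorldWidePortNameSetB
}

# Create the virtual SAN from the host's Fibre Channel initiator ports if needed.
if (-not (Get-VMSan -Name 'SAN-A' -ErrorAction SilentlyContinue)) {
    $fcPorts = Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'Fibre Channel' }
    if (-not $fcPorts) { throw 'No Fibre Channel HBA ports found on this host.' }
    New-VMSan -Name 'SAN-A' -HostBusAdapter $fcPorts | Out-Null
}

Add-VmFcAdapterChecked -VMName 'LON-SVR1' -SanName 'SAN-A'
```

An empty result from Get-InitiatorPort is the first of the three deployment requirements above failing: the host has no Fibre Channel HBA, or its driver does not expose the ports to Windows.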

Lesson 3
Configuring Hyper-V Networking
Hyper-V provides several different options for allowing network communication between virtual
machines. You can use Hyper-V to configure virtual machines that communicate with an external network
in a manner similar to physical hosts that you deploy traditionally. You also can use Hyper-V to configure
virtual machines that are able to communicate only with a limited number of other virtual machines
hosted on the same Windows Server 2012 Hyper-V host. This lesson describes the various options
available for Hyper-V virtual networks, which you can leverage to best meet your organization's needs.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the new features in Hyper-V networking.

• Describe virtual switches.

• Configure a public and private switch.

• Describe network virtualization.

• Describe the best practices for configuring virtual networks.

What's New in Hyper-V Networking?
There are several new features in Hyper-V 3.0 networking that improve the network
performance of a large number of virtual machines in private and public cloud
environments. In most cases, you should use the default settings in small scale deployments.

The new features in Hyper-V 3.0 networking include:

• Network virtualization. This feature enables IP addresses to be virtualized in hosting
environments so that virtual machines migrated to the host can keep their original IP
address rather than being allocated an IP address on the Hyper-V server's network.

• Bandwidth management. You can use this feature to specify a minimum and a maximum bandwidth
to be allocated to the adapter by Hyper-V. Hyper-V reserves the minimum bandwidth allocation for
the network adapter, even when other virtual network adapters on virtual machines hosted on the
Hyper-V host are functioning at capacity.

• Dynamic Host Configuration Protocol (DHCP) guard. This feature drops DHCP messages from virtual
machines that are functioning as unauthorized DHCP servers. This may be necessary in scenarios
where you are managing a Hyper-V server that hosts virtual machines for others, but in which you do
not have direct control over the virtual machines' configuration.

• Router guard. This feature drops router advertisement and redirection messages from virtual
machines configured as unauthorized routers. This may be necessary in scenarios where you do not
have direct control over the configuration of virtual machines.
• Port mirroring. You can use this feature to copy incoming and outgoing packets from a network
adapter to another virtual machine that you have configured for monitoring.

• NIC teaming. You can use this feature to add the virtual network adapter to an existing team on the
host Hyper-V server.

• Virtual Machine Queue. This feature requires that the host computer has a network adapter that
supports the feature. Virtual Machine Queue uses hardware packet filtering to deliver network traffic
directly to the guest. This improves performance because the packet does not need to be copied
from the host operating system to the virtual machine. Only synthetic network adapters support this
feature.

• IP security (IPsec) task offloading. This feature requires that the guest operating system and network
adapter are supported. This feature enables the host's network adapter to perform calculation-
intensive security-association tasks. If sufficient hardware resources are not available, the guest
operating system performs these tasks. You can configure a maximum number of offloaded security
associations between a range of one and 4,096. This feature is supported only on synthetic network
adapters.

• Single-root I/O virtualization (SR-IOV). This feature requires specific hardware and special drivers to be
installed on the guest operating system. SR-IOV enables multiple virtual machines to share the same
Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources
are not available, network connectivity falls back so that the virtual switch provides it. This feature is
only supported on synthetic network adapters.
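The following script is an added example, not part of the course text, showing how the per-adapter features listed above are applied from Windows PowerShell to the adapters of tenant virtual machines, and how to audit a host for adapters that are still unguarded. It assumes the Hyper-V module is available on the host, that the virtual switch uses the default Weight bandwidth mode, and that the VM names, bandwidth cap and monitoring VM are placeholders.

```powershell
# Added example (not from the course text). Applies DHCP guard, router guard,
# bandwidth limits, VMQ and IPsec offload settings to tenant VM adapters, then
# reports any adapter on the host that still lacks the two guards.
# Assumptions: Hyper-V module present; VM names are placeholders.
Import-Module Hyper-V

function Protect-TenantVMNetworkAdapter {
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [long]$MaximumBandwidthBitsPerSecond = 200000000,   # 200 Mbps cap per adapter
        [int]$MinimumBandwidthWeight = 10,                   # relative share (switch in Weight mode)
        [string]$MonitorVMName                               # optional port-mirroring target
    )

    foreach ($vm in $VMName) {
        # Tenant adapters must not act as DHCP servers or routers for other tenants,
        # and a tenant has no need to team this adapter on the host.
        Set-VMNetworkAdapter -VMName $vm `
            -DhcpGuard On `
            -RouterGuard On `
            -AllowTeaming Off `
            -MinimumBandwidthWeight $MinimumBandwidthWeight `
            -MaximumBandwidth $MaximumBandwidthBitsPerSecond `
            -VmqWeight 100 `
            -IPsecOffloadMaximumSecurityAssociation 512   # within the 1..4096 range

        if ($MonitorVMName) {
            # Copy this adapter's traffic to a monitoring VM on the same virtual switch.
            Set-VMNetworkAdapter -VMName $vm -PortMirroring Source
            Set-VMNetworkAdapter -VMName $MonitorVMName -PortMirroring Destination
        }
    }
}

function Get-UnguardedVMNetworkAdapter {
    # Every VM adapter on the host that still lacks DHCP guard or router guard.
    Get-VMNetworkAdapter -VMName * |
        Where-Object { $_.DhcpGuard -ne 'On' -or $_.RouterGuard -ne 'On' } |
        Select-Object VMName, Name, SwitchName, DhcpGuard, RouterGuard
}

# Placeholder VM names for a hosting scenario.
Protect-TenantVMNetworkAdapter -VMName 'LON-GUEST1', 'LON-GUEST2' -MonitorVMName 'LON-MONITOR'
Get-UnguardedVMNetworkAdapter
```

Run the audit function after any tenant VM is imported or created: an adapter that appears in its output is one the host will accept rogue DHCP or router advertisements from.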

What Is a Hyper-V Virtual Switch?
Virtual switches are virtual devices that you can manage through the Virtual Switch Manager, which
enables you to create three types of virtual switches. The virtual switches control how the network traffic
flows between virtual machines hosted on the Hyper-V server, as well as how the network traffic flows
between virtual machines and the rest of the organizational network.

Hyper-V on Windows Server 2012 supports the three types of virtual switches that the following table
details.

Type Description

External You use this type of switch to map a network to a specific network adapter or
network-adapter team. Windows Server 2012 supports mapping an external network to a
wireless network adapter, if you have installed the Wireless LAN Service on the host Hyper-V
server, and the Hyper-V server has a compatible adapter.

Internal You use internal virtual switches to communicate between the virtual machines on the
Hyper-V host and to communicate between the virtual machines and the Hyper-V host itself.

Private You use private switches only to communicate between virtual machines on the Hyper-V
host. You cannot use private switches to communicate between the virtual machines and the
Hyper-V host.
When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated
with the network. You can use this to extend existing VLANs on the external network to VLANs within
the Hyper-V host's network switch. You can use VLANs to partition network traffic. VLANs function as
separate logical networks. Traffic can pass only from one VLAN to another if it passes through a router.

You can configure the following extensions for each virtual switch type:

• Microsoft Network Driver Interface Specification (NDIS) Capture. This extension allows the capture of
data travelling across the virtual switch.

• Microsoft Windows Filtering Platform. This extension allows filtering of data travelling across the
virtual switch.

Additional Reading: Hyper-V Virtual Switch Overview
http://technet.microsoft.com/en-us/library/hh831452.aspx

Demonstration: Configuring Hyper-V Networking
In this demonstration, you will see how to create two types of virtual network switches.

Demonstration Steps
1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network
switch with the following properties:

o Name: Corporate Network

o External Network: Mapped to the host computer's physical network adapter. Will vary depending
on host computer

2. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the
following properties.

o Name: Private Network

o Connection type: Private network

What Is Network Virtualization?
You can use network virtualization to isolate virtual machines from different organizations, even if they
share the same Hyper-V host. For example, you might be providing an Infrastructure as a Service (IaaS)
to competing businesses. You can use network virtualization to go beyond assigning these virtual
machines to separate VLANs as a way of isolating network traffic. Network virtualization is a technology
that you would deploy primarily in scenarios where you use Hyper-V to host virtual machines for
third-party organizations. Network virtualization has the advantage that you can configure all network
isolation on the Hyper-V host. With VLANs, it also is necessary to configure switches with the
appropriate VLAN IDs.
When you configure network virtualization, each guest virtual machine has two IP addresses, which work
as follows:

• Customer IP address. The customer assigns this IP address to the virtual machine. You can configure
this IP address so that communication with the customer's internal network can occur even though
the virtual machine might be hosted on a Hyper-V server that is connected to a separate public IP
network. Using the ipconfig command on the virtual machine shows the customer IP address.

• Provider IP address. The hosting provider assigns this IP address, which is visible to the hosting
provider and to other hosts on the physical network. This IP address is not visible from the virtual
machine.

You can use network virtualization to host multiple machines that use the same customer address, such as
192.168.15.101, on the same Hyper-V host. When you do this, the virtual machines are assigned different
IP addresses by the hosting provider, though this address will not be apparent from within the virtual
machine.

You manage network virtualization by using PowerShell cmdlets. All Network Virtualization cmdlets are in
the NetWNV PowerShell module. Tenants gain access to virtual machines that take advantage of network
virtualization through routing and remote access. They make a tunneled connection from their network
through to the virtualized network on the Hyper-V server.

Additional Reading: Hyper-V Network Virtualization Overview
http://technet.microsoft.com/en-us/library/hh831395.aspx

Best Practices for Configuring Virtual Networks
Best practices with respect to configuring virtual networks typically revolve around ensuring that
virtual machines are provisioned with adequate bandwidth. You do not want to have the performance
on all virtual machines affected if a bandwidth-intensive operation, such as a large file copy or website
traffic spike, occurs on one virtual machine on the same host.

The following general best practices apply to configuring virtual networks:

• Considerations for NIC teaming. You should deploy multiple network adapters to the Hyper-V host,
and then configure those adapters as part of a team. This ensures that network connectivity will be
retained if the individual network cards fail. Configure multiple teams connected to different switches
to ensure that connectivity remains if a hardware switch fails.

• Considerations for bandwidth management. You can use bandwidth management to allocate a
minimum and a maximum bandwidth allocation on a per-virtual-network adapter basis. You should
configure bandwidth allocation to guarantee that each virtual machine has a minimum bandwidth
allocation. This ensures that if another virtual machine hosted on the same Hyper-V server
experiences a traffic spike, other virtual machines are able to communicate with the network
normally.
• Considerations for Virtual Machine Queue. You should provision the Hyper-V host with an adapter
that supports Virtual Machine Queue. Virtual Machine Queue uses hardware-packet filtering to
deliver network traffic directly to the virtual machine. This improves performance because the packet
does not need to be copied from the host operating system to the virtual machine. When you do not
configure virtual machines to support Virtual Machine Queue, the host operating system can become
a bottleneck when it processes large amounts of network traffic.

• Considerations for network virtualization. Network virtualization is complicated to configure, but


has an advantage over VLAN. That is, it is not necessary to configure VLANs on all of the switches that
are connected to the Hyper-V host. You can perform all necessary configurations when you need to
isolate servers on the Hyper-V host without needing to involve the network team. If you are hosting
large numbers of virtual machines, and need to isolate them, use Network Virtualization rather than
VLANs.
Lesson 4
Configuring Hyper-V Virtual Machines
When planning a server-virtualization strategy, you need to know what you can and cannot accomplish
when you are using Windows Server 2012 as a virtual machine host.
In this lesson, you will learn about Hyper-V, the hardware requirements for deploying Hyper-V on a
computer running Windows Server 2012, the different components of a virtual machine, and the
benefits of virtual machine Integration Services. You also will learn how to measure virtual machine
resource use with Windows PowerShell cmdlets.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the hardware and management options in virtual machine settings.

• Describe how dynamic memory works in Hyper-V.

• Create a virtual machine.

• Import, export, and move virtual machines in Hyper-V.

• Describe the best practices for configuring virtual networks.

Overview of Virtual Machine Settings
Virtual machine settings are grouped into two general areas: Hardware and Management.

Hardware
Virtual machines use simulated hardware. The hypervisor uses this virtual hardware to mediate access
to actual hardware. For example, you can map a virtual network adapter to a virtual network that, in
turn, maps to an actual network interface.

Virtual machines have the following hardware, by default:

• BIOS. This virtual hardware simulates the computer's BIOS. You can configure the virtual machine so
that Num Lock is switched on or off. You also can choose the boot order for the virtual machine's
virtual hardware. You can start a machine from a DVD drive, integrated device electronics (IDE)
device, legacy network adapter, or a floppy disk.

• Memory. You can allocate memory resources to the virtual machine. An individual virtual machine can
allocate as much as 1 terabyte of memory.

• Processor. You can allocate processor resources to the virtual machine. You can allocate up to 32
virtual processors to a single virtual machine.

• IDE Controller. A virtual machine can support only two IDE controllers. By default, two IDE controllers
are allocated to the virtual machine. These are: IDE Controller 0 and IDE Controller 1. Each IDE
controller can support two devices. You can connect virtual disks or virtual DVD drives to an IDE
controller. If starting from a hard disk drive or DVD-ROM, the boot device must be connected to an
IDE controller. Use IDE controllers to connect virtual hard disks and DVD-ROMs to virtual machines
that use operating systems that do not support Integration Services.
• SCSI Controller. You can use SCSI controllers only on virtual machines that you deploy with operating
systems that support Integration Services.

• Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual-machine guest operating systems.

• COM port. A COM port enables connections to a simulated serial port on the virtual machine.

• Diskette Drive. You can map a .vhd floppy disk image to a virtual diskette drive.

You can add the following hardware to a virtual machine by editing the virtual machine's properties, and
clicking on Add Hardware:
• SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.

• Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters.

• Legacy network adapter. Legacy network adapters allow network adapters to be used with operating
systems that do not support Integration Services. You also can use legacy network adapters to allow
network deployment of operating-system images. A single virtual machine can have up to four legacy
network adapters.

• Fibre Channel Adapter. Allows a virtual machine to connect directly to a Fibre Channel SAN. This
requires that the Hyper-V host have a Fibre Channel HBA that also has a Windows Server 2012 driver
that supports Virtual Fibre Channel.

• RemoteFX 3D Adapter. The RemoteFX 3D Adapter allows virtual machines to take advantage of
DirectX and graphics processing power on the host Windows Server 2012 server to display high
performance graphics.

Management
You can use Management settings to configure how the virtual machine behaves on the Hyper-V host.
You can configure the following virtual-machine management settings:

• Name. You can use this setting to configure the virtual machine's name on the Hyper-V host. This
does not alter the virtual machine's hostname.

• Integration Services. You can use this setting to configure which virtual-machine integration settings
are enabled.

• Snapshot File Location. You can use this setting to specify a location for storing virtual-machine
snapshots.

• Smart Paging File Location. The location used when smart paging is required to start the virtual
machine.

• Automatic Start Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is powered on.

• Automatic Stop Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is gracefully shut down.
How Dynamic Memory Works in Hyper-V
In the first release of Hyper-V with Windows Server 2008, virtual machines only could be assigned a
static amount of memory. Unless you took special precautions to measure the precise amount of
memory that a virtual machine requires, you were likely to under-allocate or over-allocate memory.

Windows Server 2008 R2 SP1 introduced dynamic memory, which you can use to allocate a minimum
amount of memory to a virtual machine. You then can allow the virtual machine to request additional
memory, as necessary.
Rather than attempting to guess how much memory a virtual machine requires, dynamic memory allows
you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a
minimum value, which will always be allocated to the virtual machine. You can choose a maximum value,
which the virtual machine will not exceed, even if more memory is requested. Virtual machines must
support Hyper-V Integration Services to be able to use dynamic memory.

With Windows Server 2012, you can modify dynamic memory settings while the virtual machine is
running. This was not possible in Windows Server 2008 R2 SP1.

Smart Paging
Another new memory feature available in Windows Server 2012 is smart paging. Smart paging provides
a solution to the problem of minimum memory allocation, as it relates to virtual machine startup. Virtual
machines can require more memory during startup than they would require during normal operation.
In the past, it was necessary to allocate the minimum required for startup to ensure that startup occurred
even though that value could be more than the virtual machine needed during normal operation.
Smart paging uses disk paging for additional temporary memory when additional memory beyond the
minimum allocated is required to restart a virtual machine. This provides you with the ability to allocate
a minimum amount of memory based on the amount needed when the virtual machine is operating
normally, rather than the amount required during startup. One drawback of smart paging is a decrease
in performance during virtual-machine restarts.

You can configure virtual machine memory by using the Set-VMMemory Windows PowerShell cmdlet.

Additional Reading: Hyper-V Dynamic Memory
http://technet.microsoft.com/en-us/library/hh831766.aspx

Demonstration: Creating a Virtual Machine
In this demonstration, you will see how to create a virtual machine by using the traditional method of
using the Hyper-V Manager console. You also will see how you can automate the process by using
Windows PowerShell.
Demonstration Steps
1. Use the Hyper-V Manager console to create a virtual machine with the following properties:

o Name: LON-GUEST1

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Memory: 1024 MB

o Use Dynamic Memory: Yes

o Networking: Private Network

o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-
guest1.vhd

2. Open Windows PowerShell, import the Hyper-V module, and then run the following command:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program
Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private
Network"

3. Use the Hyper-V Manager console and edit the settings of LON-GUEST2. Configure the following:

o Automatic Start Action: Nothing

o Automatic Stop Action: Shut down the guest operating system
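The following is an added example, not part of the course's demonstration, that creates LON-GUEST2 from Windows PowerShell as step 2 does and then applies, in the same script, the dynamic memory settings from the previous topic and the Management settings from step 3 (automatic start and stop actions, smart paging and snapshot locations). It assumes the Hyper-V module and the demonstration's folder layout; the 512 MB minimum and 2 GB maximum are illustrative.

```powershell
# Added example (not from the course text). Creates a VM the way the
# demonstration does, then configures dynamic memory and the management
# settings with Set-VMMemory and Set-VM. Assumptions: Hyper-V module present;
# the Base folder and VHD exist as in the demonstration; memory figures are
# illustrative.
Import-Module Hyper-V

$Base = 'E:\Program Files\Microsoft Learning\Base'

function New-GuestVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$SwitchName = 'Private Network'
    )
    $vmPath  = Join-Path $Base $Name
    $vhdPath = Join-Path $vmPath "$Name.vhd"

    New-VM -Name $Name -Path $vmPath -MemoryStartupBytes 1024MB `
        -VHDPath $vhdPath -SwitchName $SwitchName | Out-Null

    # Dynamic memory: startup covers boot, minimum is the steady-state floor that is
    # always allocated, maximum bounds a runaway guest. The guest needs Integration
    # Services for this to take effect. Settings can be changed while the VM runs.
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true `
        -StartupBytes 1024MB -MinimumBytes 512MB -MaximumBytes 2GB -Buffer 20

    # Management settings: do not auto-start when the host boots, shut the guest
    # down cleanly when the host shuts down, and keep the smart paging file and
    # snapshots beside the VM so that all of its files live in one folder.
    Set-VM -Name $Name -AutomaticStartAction Nothing -AutomaticStopAction ShutDown `
        -SmartPagingFilePath $vmPath -SnapshotFileLocation $vmPath

    Get-VM -Name $Name | Select-Object Name, State, AutomaticStartAction, AutomaticStopAction
    Get-VMMemory -VMName $Name | Select-Object DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer
}

New-GuestVM -Name 'LON-GUEST2'
```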

Importing, Exporting, and Moving Virtual Machines in Hyper-V
You can use the import and export functionalities in Hyper-V to transfer virtual machines between
Hyper-V hosts and create point-in-time backups of virtual machines.

Importing Virtual Machines
The virtual machine import feature in Windows Server 2012 provides more detailed information than
previous Hyper-V versions featured. You can use this information to identify configuration problems
such as missing hard disks or virtual switches. This was more difficult to determine in Windows Server
2008 and Windows Server 2008 R2.

In Hyper-V 3.0, you can import virtual machines from copies of virtual machine configuration, snapshot,
and virtual hard-disk files rather than specially exported virtual machines. This is beneficial in recovery
situations where the operating-system volume might have failed but the virtual machine files remain
intact.

To import a virtual machine by using Hyper-V Manager, perform the following general steps:

1. In the Actions pane of the Hyper-V Manager console, click Import Virtual Machine.

2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.

3. On the Locate Folder page, specify the folder that hosts the virtual machine files, and then
click Next.
4. On the Select Virtual Machine page, select the virtual machine that you want to import, and then
click Next.

5. On the Choose Import Type page, choose from the following options:

o Register the virtual machine in-place (use the existing unique ID)

o Restore the virtual machine (use the existing unique ID)


o Copy the virtual machine (create a new unique ID)

You can import virtual machines by using the Import-VM cmdlet.

Exporting Virtual Machines


When performing an export, you can select one of the following options:

• Export a snapshot. You can do this by right-clicking the snapshot in the Hyper-V manager console,
and then selecting Export. This enables you to create an exported virtual machine as it existed at the
point that the snapshot was created. The exported virtual machine will have no snapshots.

• Export Virtual Machine with Snapshot. You can do this by selecting the virtual machine, and then
clicking Export. This exports the virtual machine and all snapshots associated with the virtual
machine.

Exporting a virtual machine does not affect the existing virtual machine. However, you cannot import
the virtual machine again unless you use the Copy the Virtual Machine option, which creates a new
unique ID.

You can export virtual machines by using the Export-VM cmdlet.

Moving Virtual Machines


You can perform two types of moves by using the Hyper-V move function: a live migration and a move of
the actual virtual machine.

You can move virtual machines from one Hyper-V 3.0 server to another if you have enabled live
migrations. Live migration of virtual machines occurs when you move a virtual machine from one host
to another while keeping the virtual machine online and available to clients. For more information on
migrating virtual machines, visit Module 9: Implementing Failover Clustering with Hyper-V.

You can use the move functionality to move some or all of the virtual-machine files to a different location.
For example, if you want to move the virtual machines from one volume to an SMB share, while keeping
the virtual machine hosted in the same location, you have the following options:

• Move all the virtual machine's data to a single location. This moves all configuration files, snapshots,
and virtual hard-disk files to the destination location.

• Move the virtual machine's data to different locations. This moves the virtual machine’s configuration
files, snapshots, and virtual hard disks to separate locations.

• Move the virtual machine's virtual hard disks. This moves the hard disks to a separate location, while
keeping the snapshot and configuration files in the same location.

You can move virtual machines in PowerShell by using the Move-VM cmdlet.
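The following is an added example, not from the course text, that walks through the export, import and move operations above with the cmdlets the topic names: it exports LON-GUEST1, imports the export back onto the same host as a copy with a new unique ID (the only import type that works while the original still exists), and moves a VM's files to another volume. The storage move uses Move-VMStorage, the storage-only counterpart of Move-VM. Export root, clone name and destination paths are placeholders.

```powershell
# Added example (not from the course text). Export-VM for a point-in-time copy,
# Import-VM with -Copy -GenerateNewId so the copy can coexist with the original,
# and Move-VMStorage to relocate a VM's files within the same host.
# Assumptions: Hyper-V module present; all paths and the clone name are placeholders.
Import-Module Hyper-V

function Copy-VMByExport {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$ExportRoot = 'E:\Exports',
        [string]$CloneName  = "$VMName-clone"
    )
    # Export-VM writes configuration, snapshots and virtual hard disks under
    # $ExportRoot\$VMName and leaves the running VM untouched.
    Export-VM -Name $VMName -Path $ExportRoot

    # In Windows Server 2012 the exported configuration is an .xml file under
    # "Virtual Machines"; Import-VM takes that file as its -Path.
    $config = Get-ChildItem -Path (Join-Path $ExportRoot "$VMName\Virtual Machines") -Filter '*.xml' |
        Select-Object -First 1

    # "Copy the virtual machine (create a new unique ID)": the original keeps its ID,
    # the copy gets a new one and its own file locations.
    $clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "E:\Clones\$CloneName" `
        -VhdDestinationPath "E:\Clones\$CloneName\Virtual Hard Disks"
    Rename-VM -VM $clone -NewName $CloneName

    # Compare-VM reports missing switches or disks without importing; use it first
    # when the export is being brought onto a different host.
    return $clone
}

function Move-VMFilesToVolume {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Destination
    )
    # Storage-only move: the VM stays registered on this host and all of its files
    # (configuration, snapshots, VHDs) go to a single destination location.
    Move-VMStorage -VMName $VMName -DestinationStoragePath $Destination
    Get-VM -Name $VMName | Select-Object Name, Path, State
}

Copy-VMByExport -VMName 'LON-GUEST1'
Move-VMFilesToVolume -VMName 'LON-GUEST1' -Destination 'F:\VMs\LON-GUEST1'
```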
Best Practices for Configuring Virtual Machines
When creating new virtual machines, keep the following best practices in mind:

• Use dynamic memory. The only time you should avoid dynamic memory is if you have an application
that does not support it. For example, some Microsoft Exchange 2010 roles keep requesting memory,
if it is available. In such cases, set static memory limits. You should monitor memory utilization, and
set the minimum memory to the server's minimum memory utilization. Also, set a maximum amount
of memory. The default maximum is more memory than most host servers have available.

• Avoid differencing disks. Differencing disks reduce the amount of space required, but decrease
performance as multiple virtual machines access the same parent virtual hard disk file.

• Use multiple synthetic network adapters connected to different external virtual switches. Configure
virtual machines to use multiple virtual network adapters that are connected to host NICs, which in
turn are connected to separate physical switches. This means that network connectivity is retained if a
NIC fails or a switch fails.

• Store each virtual machine's files on its own volume. This minimizes the chance that one virtual
machine's virtual hard disk growth affects the other virtual machines on the same server.
Lab: Implementing Server Virtualization with Hyper-V


Scenario
IT management at A. Datum is concerned about the low utilization for many of the physical servers
deployed in the London data center. Also, A. Datum is exploring options for expanding into multiple
branch offices, and deploying servers in public and private clouds. For this purpose, the company is
exploring the use of virtual machines.

As one of the senior network administrators at A. Datum, you are responsible for implementing Hyper-V
in the London data center. You will deploy the Hyper-V server role, configure virtual machine storage and
networking, and deploy the virtual machines.

Objectives
After performing this lab you will be able to:

• Install the Hyper-V Server role.

• Configure virtual networking.


• Configure a virtual machine.

Lab Setup

Estimated time: 60 minutes

Virtual Machine(s): 20417A-LON-HOST1 or 20417A-LON-HOST2

User Name: Adatum\Administrator

Password: Pa$$w0rd

Lab Setup Instructions


1. Restart the classroom computer and in Windows Boot Manager, select 20417A-LON-HOST1 or
20417A-LON-HOST2. Your instructor will specify which host to log on to.

2. Log on to LON-HOST1 or LON-HOST2 server with the following credentials:

o Account: Adatum\Administrator

o Password: Pa$$w0rd

Exercise 1: Install the Hyper-V Server Role


Scenario
The first step in migrating to a virtualized environment is to install the Hyper-V server role on a new
server.

The main tasks for this exercise are as follows:

1. Configure network settings on LON-HOST1 and LON-HOST2.

2. Install the Hyper-V server role.

3. Complete Hyper-V role installation and verify settings.


Task 1: Configure network settings on LON-HOST1 and LON-HOST2


1. Restart the classroom computer, and in the Windows Boot Manager, select either
20417A-LON-HOST1 or 20417A-LON-HOST2.

If you start LON-HOST1, your partner must start LON-HOST2.

2. Log on to the server by using the following credentials:

o Account: Adatum\Administrator
o Password: Pa$$w0rd

3. In Server Manager, click Local Server, and then configure the following network settings:

o LON-HOST1: 172.16.0.31

o LON-HOST2: 172.16.0.32

o Subnet mask: 255.255.0.0

o Default gateway: 172.16.0.1


o Preferred DNS server: 172.16.0.10

Task 2: Install the Hyper-V server role


1. In Server Manager, use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1
or LON-HOST2 with the following options:

o Do not create a virtual switch

o Use the Default stores locations

o Allow the server to restart automatically if required.

2. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using
the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will
restart several times.

Task 3: Complete Hyper-V role installation and verify settings


1. Log on to LON-HOST1 or LON-HOST2 by using Adatum\Administrator with the password
Pa$$w0rd.

2. When the installation of the Hyper-V tools completes, click Close.


3. Open the Hyper-V Manager console, and then click LON-HOST1 or LON-HOST2.

4. Open the Hyper-V settings, and then configure or verify the following settings:

o Keyboard: Use on the virtual machine

o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

5. Question: What additional features are required to support the Hyper-V role?

Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.
Exercise 2: Configuring Virtual Networking


Scenario
After installing the Hyper-V server role on the new server, you need to configure the virtual networks
that your manager specifies. You need to create a network that connects to the physical network and a
private network that you can use only for communication between virtual machines. The private network
is used when virtual machines are configured for high availability. You also need to configure a specific
range of media access control (MAC) addresses for the virtual machines.
The main tasks for this exercise are as follows:

1. Configure the external network.

2. Create a private network.

3. Create an internal network.

Task 1: Configure the external network


1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network
switch with the following properties:

o Name: Corporate Network

o External Network: Mapped to the host computer's physical network adapter. Will vary depending on
host computer.

Task 2: Create a private network


• In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the
following properties.

o Name: Private Network


o Connection type: Private network

Task 3: Create an internal network


• In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the
following properties:

o Name: Internal Network

o Connection type: Internal network

Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine


Scenario
You have been asked to deploy two virtual machines and to import a third virtual machine. You have
copied a sysprepped VHD file that hosts a Windows Server 2012 Hyper-V host.

To minimize disk space use at the cost of performance, you are going to create two differencing files
based on the sysprepped VHD. You use these differencing files as the hard-disk files for the new virtual
machines.

You also will import a specially prepared virtual machine.


The main tasks for this exercise are as follows:

1. Configure virtual machine storage.

2. Create virtual machines.

3. Configure VLANs and network bandwidth settings.

4. Import a virtual machine.

5. Configure virtual machine dynamic memory.

6. Configure and test virtual machine snapshots.

Task 1: Configure virtual machine storage


1. Use Windows Explorer to create the following folders on the physical host drive:

o E:\Program Files\Microsoft Learning\Base\LON-GUEST1

o E:\Program Files\Microsoft Learning\Base\LON-GUEST2

Note: The drive letter may depend upon the number of drives on the physical host
machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:

o Disk Format: VHD

o Disk Type: Differencing

o Name: LON-GUEST1.vhd

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\


o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd

3. Open Windows PowerShell, import the Hyper-V module, and then run the following command:

New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.

5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

X Task 2: Create virtual machines


1. Use the Hyper-V Manager console to create a virtual machine with the following properties:

o Name: LON-GUEST1

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Memory: 1024 MB

o Use Dynamic Memory: Yes

o Networking: Private Network


o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd

2. Open Windows PowerShell, import the Hyper-V module, and then run the following command:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

3. Use the Hyper-V Manager console to edit the settings of LON-GUEST2, and configure the following:

o Automatic Start Action: Nothing

o Automatic Stop Action: Shut down the guest operating system

X Task 3: Configure VLANs and network bandwidth settings


1. In Hyper-V Manager, use Virtual Switch Manager to configure the Internal Network virtual switch
to use a VLAN ID of 4.

2. Configure the following properties for the network adapter on LON-GUEST2:


o Virtual Switch: Internal Network

o VLAN ID: 4

o Enable DHCP guard

o Enable router advertisement guard

Question: What kind of switch would you create if you added a new physical network
adapter to the Hyper-V host and wanted to keep this separate from the existing networks
you create during this exercise?

X Task 4: Import a virtual machine


1. Perform the following task:

o If you are using LON-HOST1, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B.
o If you are using LON-HOST2, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B.

2. When importing, select the Register the virtual machine in-place option.

X Task 5: Configure virtual machine dynamic memory


• Edit the properties of virtual machine LON-GUEST2, and then configure the following settings:
o Startup RAM: 1024 MB
o Enable Dynamic Memory
o Minimum RAM: 512 MB
o Maximum RAM: 2048 MB

X Task 6: Configure and test virtual machine snapshots


1. If you are using LON-HOST1, start and then log on to 20417A-LON-DC1-B. If you are using
LON-HOST2, log on to virtual machine 20417A-LON-SVR1-B.

2. On the desktop of the virtual machine, create the following folders:


o Sydney
o Melbourne
o Brisbane

3. Create a snapshot of the virtual machine named Before Change.

4. Delete the following folders on the desktop:

o Sydney

o Brisbane

5. Revert the virtual machine.

6. Verify that the following folders are present on the desktop:

o Sydney

o Melbourne
o Brisbane

7. Delete all three folders from the desktop.

Question: What state must the virtual machine be in to configure dynamic memory when
using Windows Server 2008 R2 as a host? How is this different to Windows Server 2012 as a
host?

Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.
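The Windows PowerShell equivalents of Tasks 1 to 6 above, as an added example that is not part of the course lab; it assumes the Windows Server 2012 Hyper-V module on LON-HOST1 and the paths, virtual machine names and switch names used in this exercise (the configuration file name of the imported virtual machine is discovered rather than assumed).

```powershell
# Added example (not part of the course lab): PowerShell equivalents of
# Exercise 3, Tasks 1-6. Assumes the Windows Server 2012 Hyper-V module on
# LON-HOST1 and the lab's paths, names and virtual switches.
Import-Module Hyper-V

$base   = 'E:\Program Files\Microsoft Learning\Base'
$parent = Join-Path $base 'Base12A-WS2012-RC.vhd'

# Task 1: one differencing disk per guest, both chained to the sysprepped
# parent. The parent must never be written to again, or every child breaks.
foreach ($vm in 'LON-GUEST1', 'LON-GUEST2') {
    $dir = Join-Path $base $vm
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    New-VHD -Path (Join-Path $dir "$vm.vhd") -ParentPath $parent -Differencing | Out-Null
}

# Task 1, steps 4-5: inspect the disk and verify the chain programmatically.
$child = Get-VHD -Path (Join-Path $base 'LON-GUEST2\LON-GUEST2.vhd')
if ($child.VhdType -ne 'Differencing' -or $child.ParentPath -ne $parent) {
    throw "LON-GUEST2.vhd is not a differencing disk of $parent"
}

# Task 2: create both guests on the Private Network switch, then set the
# automatic start/stop actions on LON-GUEST2.
foreach ($vm in 'LON-GUEST1', 'LON-GUEST2') {
    New-VM -Name $vm -Path (Join-Path $base $vm) -MemoryStartupBytes 1024MB `
           -VHDPath (Join-Path $base "$vm\$vm.vhd") -SwitchName 'Private Network' | Out-Null
}
Set-VM -Name LON-GUEST2 -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Task 3: VLAN 4 on the Internal Network switch's management OS adapter and on
# LON-GUEST2's adapter. DHCP guard drops DHCP server packets that the guest
# sends, router guard drops its router advertisements and redirects, so a
# misconfigured or compromised guest cannot take over addressing on the segment.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Internal Network' -Access -VlanId 4
Connect-VMNetworkAdapter -VMName LON-GUEST2 -SwitchName 'Internal Network'
Set-VMNetworkAdapterVlan -VMName LON-GUEST2 -Access -VlanId 4
Set-VMNetworkAdapter -VMName LON-GUEST2 -DhcpGuard On -RouterGuard On

# Task 4: register the prepared virtual machine in place. Import-VM needs the
# configuration file, so locate the GUID-named .xml under the lab folder.
$vmFolder = 'E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B'   # 20417A-LON-SVR1-B on LON-HOST2
$config   = Get-ChildItem -Path (Join-Path $vmFolder 'Virtual Machines') -Filter *.xml | Select-Object -First 1
$imported = Import-VM -Path $config.FullName -Register

# Task 5: dynamic memory on LON-GUEST2 (the virtual machine must be off).
Set-VMMemory -VMName LON-GUEST2 -DynamicMemoryEnabled $true `
             -StartupBytes 1024MB -MinimumBytes 512MB -MaximumBytes 2048MB

# Task 6: snapshot the imported machine after the folders have been created
# inside the guest, then roll back. The folder deletions happen on the guest
# desktop and are not scripted here; the revert is what undoes them.
Start-VM -Name $imported.Name
Checkpoint-VM -Name $imported.Name -SnapshotName 'Before Change'
# ... delete the Sydney and Brisbane folders on the guest desktop ...
Restore-VMSnapshot -VMName $imported.Name -Name 'Before Change' -Confirm:$false
Get-VMSnapshot -VMName $imported.Name | Select-Object VMName, Name, CreationTime
```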

X To prepare for the next module


• When you have finished the lab, leave the virtual machines running, as they are needed for the lab in
Module 9.

Module Review and Takeaways


Review Questions
Question: In which situations should you use a fixed-memory allocation rather than
dynamic memory?

Question: In which situations must you use virtual hard disks in VHDX format as opposed to
virtual hard disks in VHD format?

Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard
disk on a file share. What operating system must the file server be running to support this
configuration?

Common Issues and Troubleshooting Tips

Common Issue                                      Troubleshooting Tip

Cannot deploy Hyper-V on x64 processor

Virtual machine does not use dynamic memory
Real-world Issues and Scenarios


You have 10 servers that run Windows Server 2008 with Hyper-V. You are planning to upgrade these
servers to Windows Server 2012 and want them to continue to run the Hyper-V role. What technology
should you verify that the processor supports before performing the upgrade?

Tools

Tool                           Used for                                    Where to find it?

The Sysinternals disk2vhd      Convert physical hard disks to VHD          Microsoft TechNet website
tool                           format                                      http://technet.microsoft.com/en-us/sysinternals/bb842062

Virtual Machine Manager        • Manage virtual machines across            Microsoft TechNet website
2012                           multiple Hyper-V servers                    http://technet.microsoft.com/en-us/library/gg610610.aspx
                               • Perform online physical to virtual
                               conversions

Module 9
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview 9-1

Lesson 1: Overview of the Integration of Hyper-V with Failover Clustering 9-2

Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 9-7

Lesson 3: Implementing Hyper-V Virtual Machine Movement 9-14

Lesson 4: Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager 9-19

Lab: Implementing Failover Clustering with Hyper-V 9-29

Module Review and Takeaways 9-33

Module Overview
One benefit of implementing server virtualization is the opportunity to provide high availability, both
for applications or services that have built-in high availability functionality, and for applications or
services that do not provide high availability in any other way. With the Windows Server® 2012 Hyper-V®
technology, failover clustering, and Microsoft® System Center 2012 Virtual Machine Manager (VMM), you
can configure high availability by using several different options.

In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve
high availability for a virtual environment. You will also learn about basic virtual machine features.

Objectives
After completing this module, you will be able to:

• Describe how Hyper-V integrates with failover clustering.

• Implement Hyper-V virtual machines on failover clusters.

• Implement Hyper-V virtual machine movement.

• Manage a Hyper-V virtual environment by using VMM.


Lesson 1
Overview of the Integration of Hyper-V with Failover Clustering
Failover clustering is a Windows Server 2012 feature that enables you to make applications or services
highly available. To make virtual machines highly available in a Hyper-V environment, you must implement
failover clustering on the Hyper-V host computers.
This lesson summarizes the high availability options for Hyper-V based virtual machines, and then focuses
on how failover clustering works, and how to design and implement failover clustering for Hyper-V.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe options for making virtual machines highly available.

• Describe how failover clustering works with Hyper-V nodes.

• Describe new features of failover clustering for Hyper-V.

• Describe best practices for implementing high availability in a virtual environment.

Options for Making Virtual Machines Highly Available
Most organizations have some applications that are business critical and must be highly available. To make
an application highly available, you must deploy it in an environment that provides redundancy for all
components that the application requires. For virtual machines to be highly available, you can choose
between several options. You can implement a virtual machine as a clustered role (host clustering), you can
implement clustering inside virtual machines (guest clustering), or you can use Network Load Balancing
(NLB) inside virtual machines.

Host Clustering
Host clustering enables you to configure a failover cluster by using the Hyper-V host servers. When you
configure host clustering for Hyper-V, you configure the virtual machine as a highly available resource.
Failover protection is implemented at the host server level. This means that the guest operating system
and applications that are running within the virtual machine do not have to be cluster-aware. However,
the virtual machine is still highly available. Some examples of non-cluster-aware applications are a File
Server or Print Server, or perhaps a proprietary network-based application, such as an accounting
application. Should the host node that controls the virtual machine unexpectedly become unavailable, the
secondary host node takes control and restarts the virtual machine as quickly as possible. You can also
move the virtual machine from one node in the cluster to another in a controlled manner. For example,
you could move the virtual machine from one node to another while patching the host operating system.
The guest operating system, and the applications or services that are running in the virtual machine, do
not have to be compatible with failover clustering nor are they aware that the virtual machine is clustered.
Because the failover is at the virtual machine level, there are no dependencies on software that is installed
inside the virtual machine.

Guest Clustering
Guest failover clustering is configured very similarly to physical server failover clustering, except that
the cluster nodes must include multiple virtual machines. In this scenario, you create two or more virtual
machines, and enable failover clustering within the guest operating system. The application or service is
then enabled for high availability between the virtual machines by using failover clustering in each virtual
machine. Because failover clustering is implemented within each virtual machine node’s guest operating
system, you can locate the virtual machines on a single host. This can be a quick and cost-effective
configuration in a test or staging environment.

For production environments however, you can more robustly protect the application or service if
you deploy the virtual machines on separate failover clustering enabled Hyper-V host computers. With
failover clustering implemented both at the host and virtual machine levels, the resource can be restarted
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a “Guest Cluster Across Hosts.” It is considered an optimal high availability configuration for virtual
machines running mission-critical applications in a production environment.

You should consider several factors when you implement guest clustering:

• The application or service must be failover cluster-aware. This includes any of the Windows Server
2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server and
Microsoft Exchange Server.

• Hyper-V virtual machines can use fiber channel-based connections to shared storage (this is specific
only to Microsoft Hyper-V Server 2012), or you can implement iSCSI connections from the virtual
machines to the shared storage.

• You should deploy multiple network adapters on the host computers and the virtual machines. Ideally,
you should dedicate a network connection to the iSCSI connection (if you are using this method to
connect to storage), to the private network between the hosts, and to the network connection that the
client computers use.

Network Load Balancing

NLB works with virtual machines in the same manner that it works with physical hosts. It distributes IP
traffic to multiple instances of a TCP/IP service, such as a web server that is running on a host within the
NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to
access the cluster by using a virtual host name or a virtual IP address. From the client computer’s point
of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic
increases, you can add another server into the cluster.

NLB is therefore an appropriate solution for resources that do not have to accommodate exclusive read
or write requests. Examples of NLB-appropriate applications would be web-based front ends to database
applications or Exchange Server Client Access Servers.

When you configure an NLB cluster, you must install and configure the application on all virtual machines.
After you configure the application, you install the Network Load Balancing feature of Windows Server
2012 within each virtual machine’s guest operating system (not on the Hyper-V hosts), and then
configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, so the
guest operating system is not limited to Windows Server 2012. Similar to a “Guest Cluster Across
Hosts”, the NLB resource typically benefits from overall increased I/O performance when the virtual
machine nodes are located on different Hyper-V hosts.

Note: As with earlier versions of Windows Server, you should not implement NLB and
failover clustering within the same operating system because the two technologies conflict with
one another.

How Does a Failover Cluster Work with Hyper-V Nodes?
When you implement failover clustering and configure virtual machines as highly available resources, the
failover cluster treats the virtual machines like any other application or service. Namely, if there is host
failure, failover clustering will act to restore access to the virtual machine as quickly as possible on another
host in the cluster. Only one node at a time runs the virtual machine. However, you can also move the
virtual machine to any other node in the same cluster.

The failover process transfers the responsibility of providing access to resources in a cluster from one node
to another. Failover can occur when an administrator intentionally moves resources to another node for
maintenance or other reasons, or when unplanned downtime of one node occurs because of hardware
failure or other reasons.

The failover process consists of the following steps:

1. The node where the virtual machine is running owns the clustered instance of the virtual machine,
controls access to the shared bus or iSCSI connection to the cluster storage, and has ownership of any
disks, or Logical Unit Numbers (LUNs), assigned to the virtual machine. All the nodes in the cluster use
a private network to send regular signals, known as heartbeat signals, to one another. The heartbeat
signals that a node is functioning and communicating on the network. The default heartbeat
configuration specifies that each node send a heartbeat over TCP/UDP port 3343 each second (or
1000 milliseconds).

2. Failover starts when the node hosting the virtual machine does not send regular heartbeat signals
over the network to the other nodes. By default, this is five consecutively missed heartbeats (or 5000
milliseconds elapses). Failover may occur because of a node failure or network failure.

3. When heartbeat signals stop arriving from the failed node, one of the other nodes in the cluster
begins taking over the resources that the virtual machines use. You define the node(s) that could take
over by configuring the Preferred and Possible Owners properties. The Preferred Owner specifies
the hierarchy of ownership if there is more than one possible failover node for a resource. By default
all nodes are members of Possible Owners. Therefore, removing a node as a Possible Owner
absolutely excludes it from taking over the resource in a failure situation. Suppose that a failover
cluster is implemented by using four nodes. However, only two nodes are configured as Possible
Owners. In a failover event, the resource might still be taken over by the third node if neither of the
Preferred Owners is online. Although the fourth node is not configured as a Preferred Owner, as
long as it remains a member of Possible Owners, the failover cluster uses it to restore access to the
resource if necessary. Resources are brought online in order of dependency. For example, if the virtual
machine references an iSCSI LUN, access to the appropriate host bus adapters (HBAs), network(s) and
LUNs will be restored in that order. Failover is complete when all the resources are online on the new
node. For clients interacting with the resource, there is a short service interruption, which most users
might not notice.

4. You can also configure the cluster service to fail back to the offline node after it again becomes
active. When the cluster service fails back, it uses the same procedures that it performs during
failover. This means that the cluster service takes all the resources associated with that instance
offline, moves the instance, and then brings all the resources in the instance back online.
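The settings that the four steps above describe (heartbeat interval and threshold, preferred and possible owners, and failback), as an added PowerShell example that is not part of the course; it assumes the Windows Server 2012 FailoverClusters module, a clustered virtual machine role named LON-GUEST2 and four nodes LON-HOST1 to LON-HOST4, all hypothetical names.

```powershell
# Added example (not from the course): inspect and set the failover behaviour
# described in steps 1-4. Assumes the FailoverClusters module, a clustered
# virtual machine role 'LON-GUEST2' and nodes LON-HOST1..LON-HOST4 (hypothetical).
Import-Module FailoverClusters

# Step 1: heartbeat settings. SameSubnetDelay is the interval in milliseconds
# (default 1000) and SameSubnetThreshold the number of consecutive misses
# (default 5) before a node is declared down, as the text describes.
$cluster = Get-Cluster
$cluster | Select-Object Name, SameSubnetDelay, SameSubnetThreshold,
                         CrossSubnetDelay, CrossSubnetThreshold

# Step 2: raising the threshold tolerates a noisier heartbeat network, but it
# also lengthens the outage before failover starts (10 x 1000 ms = 10 s here).
$cluster.SameSubnetThreshold = 10

# Step 3: preferred owners set the failover order for the role (group).
$group = Get-ClusterGroup -Name 'LON-GUEST2'
Set-ClusterOwnerNode -Group $group -Owners 'LON-HOST1', 'LON-HOST2'
Get-ClusterOwnerNode -Group $group

# Possible owners are a property of the resource, not the group. Leaving
# LON-HOST4 out of this list guarantees it never takes over the virtual
# machine, even if LON-HOST1 to LON-HOST3 are all down.
$vmResource = Get-ClusterResource |
    Where-Object { $_.OwnerGroup.Name -eq $group.Name -and $_.ResourceType.Name -eq 'Virtual Machine' }
Set-ClusterOwnerNode -Resource $vmResource -Owners 'LON-HOST1', 'LON-HOST2', 'LON-HOST3'
Get-ClusterOwnerNode -Resource $vmResource

# Step 4: fail back to the preferred node once it is active again. AutoFailbackType
# 0 prevents failback (the default), 1 allows it; the window (hours on a 24-hour
# clock, -1 for immediately) keeps the extra restart out of business hours.
$group.AutoFailbackType    = 1
$group.FailbackWindowStart = 1
$group.FailbackWindowEnd   = 4
Get-ClusterGroup -Name $group.Name | Select-Object Name, OwnerNode, State, AutoFailbackType
```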
What’s New in Failover Clustering for Hyper-V in Windows Server 2012?
In Windows Server 2012, failover clustering is much improved with respect to Hyper-V clusters.
Some of the most important improvements are:

• Failover clustering now supports up to 4,000 virtual machines, and the improved Failover
Cluster Manager snap-in simplifies managing many virtual machines.

• Administrators can now perform multiselect actions to queue live migrations of multiple
virtual machines, instead of doing it one by one, as in earlier versions.

• Administrators can also configure a virtual machine priority attribute to control the order in which
virtual machines are started. Priority is also used to ensure that lower-priority virtual machines
automatically release resources if they are needed by higher priority virtual machines.

• The Cluster Shared Volume (CSV) feature, which simplifies the configuration and operation of virtual
machines, is improved for more security and performance. It now supports scalable file-based server
application storage, increased backup and restore and a single consistent file namespace. Also, you can
now protect CSV volumes by using BitLocker® Drive Encryption and configuring them to make
storage visible to only a subset of nodes.

• Virtual machine application monitoring. You can now monitor services running on clustered virtual
machines. In clusters running Windows Server 2012, administrators can configure monitoring of
services on clustered virtual machines that are also running Windows Server 2012. This functionality
extends the high-level monitoring of virtual machines that is implemented in Windows Server 2008
R2 failover clusters.

• It is now possible to store virtual machines on SMB file shares in a file server cluster. This is a new way
to provide high availability for virtual machines. Instead of making a cluster between Hyper-V nodes,
you can now have Hyper-V nodes out of a cluster but with virtual machine files on a highly available
file share. To make this work, you should deploy a file server cluster in a scale-out file server mode.
Scale-out file servers can also use Cluster Shared Volumes for storage.

Best Practices for Implementing High Availability in a Virtual Environment
After you determine which applications are deployed on highly available failover clusters, you plan and
deploy the failover clustering environment. Apply the following recommendations when you implement
the failover cluster:

• Use Windows Server 2012 as the Hyper-V host. Windows Server 2012 provides enhancements such as
Hyper-V 3.0, improved CSVs, virtual machine migrations, and other features that improve flexibility
and performance when you implement host failover clustering.

• Plan for failover scenarios. When you design the hardware requirements for the Hyper-V hosts, make
sure that you include the hardware capacity required when hosts fail. For example, if you deploy a six-
node cluster, you must determine the number of host failures that you want to accommodate. If you
decide that the cluster must sustain the failure of two nodes, then the four remaining nodes must
have the capacity to run all the virtual machines in the cluster.

• Plan the network design for failover clustering. To optimize the failover cluster performance and
failover, you should dedicate a fast network connection for internode communication. As with earlier
versions, this network should be logically and physically separate from the network segment(s) used
for clients to communicate with the cluster. You can also use this network connection to transfer
virtual machine memory during a Live Migration. If you are using iSCSI for any virtual machines,
dedicate a network connection to the iSCSI network connection also.

• Plan the shared storage for failover clustering. When you implement failover clustering for Hyper-V,
the shared storage must be highly available. If the shared storage fails, the virtual machines will all
fail, even if the physical nodes are functional. To ensure the storage availability, plan for redundant
connections to the shared storage and redundant array of independent disks (RAID) redundancy on
the storage device.

• Use the recommended failover cluster quorum mode. If you deploy a cluster with an even number
of nodes, and shared storage is available to the cluster, the Failover Cluster Manager automatically
selects Node and Disk Majority quorum mode. If you deploy a cluster with an odd number of nodes,
the Failover Cluster Manager selects the Node Majority quorum mode. You should not modify the
default configuration unless you understand the implications of doing this.

• Deploy standardized Hyper-V hosts. To simplify the deployment and management of the failover
cluster and Hyper-V nodes, develop a standard server hardware and software platform for all nodes.

• Develop standard management practices. When you deploy multiple virtual machines in a
failover cluster, you increase the risk that a single mistake may shut down a large part of the server
deployment. For example, if an administrator accidentally configures the failover cluster incorrectly,
and the cluster fails, all virtual machines in the cluster will be offline. To avoid this, develop and
thoroughly test standardized instructions for all administrative tasks.
Lesson 2
Implementing Hyper-V Virtual Machines on Failover Clusters
Implementation of highly available virtual machines is somewhat different from implementing other roles
in a failover cluster. Failover clustering in Windows Server 2012 provides many features for Hyper-V
clustering in addition to tools for virtual machine high availability management. In this lesson, you will
learn about how to implement highly available virtual machines.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe components of a Hyper-V cluster.

• Describe prerequisites for Hyper-V failover cluster implementation.

• Implement Hyper-V virtual machines in a cluster.

• Configure CSVs.

• Implement highly available virtual machines on SMB 3.0 file shares.

• Describe considerations for implementing Hyper-V virtual machines in a cluster.

Components of Hyper-V Clusters
Hyper-V as a role has some specific requirements for cluster components. To form a Hyper-V cluster,
you must have at least two physical nodes. Whereas other clustered roles (such as DHCP, file server, and
so on) allow for nodes to be virtual machines, Hyper-V nodes must be composed of physical hosts. You
cannot run Hyper-V as a virtual machine on a Hyper-V host.

In addition to having nodes, you must also have physical and virtual networks. Failover clustering requires
a network for internal cluster communication, and also a network for clients. You can also implement a
storage network separately, depending on the type of storage being used. Again, specific to the Hyper-V
role, you should also consider virtual networks for clustered virtual machines. It is very important to create
the same virtual networks on all physical hosts that participate in one cluster. Failing to do this causes a
virtual machine to lose network connectivity when moved from one host to another.

Storage is an important component of virtual machine clustering. You can use any type of storage that is
supported by Windows Server 2012 failover clustering. We recommend that you configure storage as a
CSV. This is discussed in a following topic.

Virtual machines are components of a Hyper-V cluster. In Failover Cluster Manager you can create new
highly available virtual machines, or you can make existing virtual machines highly available. In both cases,
the virtual machine storage location must be on shared storage that can be accessed by both nodes. You
might not want to make all virtual machines highly available. In Failover Cluster Manager you can select
which virtual machines are part of a cluster configuration.

Prerequisites for Implementing Hyper-V Clusters


To deploy Hyper-V on a failover cluster, you must make sure that you meet the hardware, software,
account, and network infrastructure requirements that the following sections detail.

Hardware Requirements for Failover Clustering with Hyper-V


You must have the following hardware for a two-node failover cluster:

• Server hardware: Hyper-V requires an x64-based processor, hardware-assisted virtualization, and
hardware-enforced Data Execution Prevention (DEP). As a best practice, the servers should have very
similar hardware. If you are using Windows Server 2008, the processors on the servers must be the
same version. If you are using Windows Server 2008 R2 or Windows Server 2012, the processors must
use the same architecture.

Note: Microsoft supports a failover cluster solution only if all the hardware features are
marked as “Certified for Windows Server.” Additionally, the complete configuration (servers,
network, and storage) must pass all tests in the Validate This Configuration wizard, which is
included in the Failover Cluster Manager snap-in.

• Network adapters: The network hardware, just as other features in the failover cluster solution, must
be marked as “Certified for Windows Server”. To provide network redundancy, you can connect
cluster nodes to multiple, distinct networks, or you can connect the nodes to one network that uses
teamed network adapters, redundant switches, redundant routers, or similar hardware to remove
single points of failure. We recommend that you configure multiple network adapters on the host
computer that you configure as a cluster node. One network adapter should be connected to the
private network that the inter-host communications use.

• Storage adapters: If you use Serial Attached SCSI (SAS) or fiber channel, the mass-storage device
controllers in all clustered servers should be identical and should use the same firmware version.
If you are using iSCSI, each clustered server should have one or more network adapters that are
dedicated to the cluster storage. The network adapters that you use to connect to the iSCSI storage
target should be identical, and you should use Gigabit Ethernet or a faster network adapter.

• Storage: You must use shared storage that is compatible with Windows Server 2008 R2. If you deploy
a failover cluster that uses a witness disk, the storage must contain at least two separate volumes
(LUNs). One volume functions as the witness disk, and additional volumes contain the virtual machine
files that are shared between the cluster nodes. Storage considerations and recommendations include
the following:

o Use basic disks, not dynamic disks. Format the disks with the NTFS file system.

o Use either master boot record (MBR) or GUID partition table (GPT).

o If you are using a storage area network (SAN), the miniport driver that the storage uses must
work with the Microsoft Storport storage driver.

o Consider using multipath input/output (I/O) software: If your SAN uses a highly available network
design with redundant components, you can deploy failover clusters with multiple host bus
adapters by using multipath I/O software. This provides the highest level of redundancy and
availability. For Windows Server 2008 R2 and 2012, your multipath solution must be based on
Microsoft Multipath I/O (MPIO).
MCT USE ONLY. STUDENT USE PROHIBITED
Upgradingg Your Skills to MCSAA Windows Server® 2012 9-9

Software Req
quirements for Using Hyper-V
H and
d Failover C
Clustering
Th
he following are the softwarre requirementts for using Hyyper-V and faillover clustering:
• All the servvers in a failove
er cluster mustt run the x64-b
based version of Windows Server 2012 Entterprise
or Datacenter Edition. The nodes in a single failover ccluster cannott run different versions.

• All the servvers should havve the same so


oftware updatees and service packs.

• All servers must


m be eitherr a full installattion or a Serveer Core installaation. You cann
not mix the full
installation and Server Co
ore installation n.

Network Infrastructure Requirements
The following network infrastructure is required for a failover cluster and an administrative account with the following domain permissions:

• Network settings and IP addresses. Use identical communication settings on all network adapters, including the speed, duplex mode, flow control, and media type settings. Ensure that all network hardware supports the same settings.

• If you use private networks that are not routed to your whole network infrastructure for communication between cluster nodes, ensure that each of these private networks uses a unique subnet.

• DNS. The servers in the cluster must use Domain Name System (DNS) for name resolution. You should use the DNS dynamic update protocol.

• Domain role. All servers in the cluster must be in the same Active Directory® domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server.

• Account for administering the cluster. When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has administrator rights and permissions on all the cluster's servers. Additionally, if the account is not a Domain Admins account, the account must have the Create Computer Objects permission in the domain.

Implementing Hyper-V Virtual Machines on Failover Clusters
To implement failover clustering for Hyper-V, you must complete the following high-level steps:

1. Install and configure the required versions of Windows Server 2012. After you complete the installation, configure the network settings, join the computers to an Active Directory domain, and configure the connection to the shared storage.

2. Configure the shared storage. You must use Disk Manager to create disk partitions on the shared storage.

3. Install the Hyper-V and failover clustering features on the host servers. You can use Server Manager in MMC or Windows PowerShell for this.

4. Validate the cluster configuration. The Validate This Cluster Wizard checks all the prerequisite components that are required to create a cluster, and provides warnings or errors if any components do not meet the cluster requirements. Before you continue, resolve any issues that the Validate This Cluster Wizard identifies.

5. Create the cluster. When the components pass the Validate This Cluster Wizard, you can create a cluster. When you configure the cluster, assign a cluster name and an IP address. A computer account for the cluster name is created in the Active Directory domain and the IP address is registered in DNS.

Note: You can enable Clustered Shared Storage for the cluster only after you configure the cluster. If you want to use Cluster Shared Volumes (CSV), you should configure CSV before you move to the next step.

6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure that all files associated with the virtual machine, including both the virtual hard disk and virtual machine configuration files, are stored on the shared storage. You can create and manage virtual machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual machine by using Failover Cluster Manager, the virtual machine is automatically made highly available.

7. Make the virtual machine highly available. To make the virtual machine highly available, in the Failover Cluster Manager, select to make a new service or application highly available. Failover Cluster Manager then presents a list of services and applications that can be made highly available. When you select the option to make virtual machines highly available, you can select the virtual machine that you created on shared storage.

Note: When you make a virtual machine highly available, you see a list of all virtual machines hosted on all cluster nodes, including virtual machines that are not stored on the shared storage. If you make a virtual machine that is not located on shared storage highly available, you receive a warning, but Hyper-V adds the virtual machine to the services and applications list. However, when you try to migrate the virtual machine to a different host, the migration will fail.

8. Test virtual machine failover. After you make the virtual machine highly available, you can migrate the computer to another node in the cluster. If you are running Windows Server 2008 R2 or Windows Server 2012, you can select to perform a Quick Migration or a Live Migration.

Configuring Clustered Shared Volumes
You do not have to configure and use CSV when you implement high availability for virtual machines in Hyper-V. You can cluster Hyper-V by using the regular approach. However, we recommend that you use CSV because of the following advantages:

• Reduced LUNs for the disks. You can use CSV to reduce the number of LUNs that your virtual machines require. When you configure a CSV, you can store multiple virtual machines on a single LUN and multiple host computers can access the same LUN concurrently.

• Better use of disk space. Instead of placing each .vhd file on a separate disk with empty space so that the .vhd file can expand, you can oversubscribe disk space by storing multiple .vhd files on the same LUN.

• Virtual machine files are in a single logical location. You can track the paths of .vhd files and other files that virtual machines use. Instead of using drive letters or Globally Unique Identifiers (GUIDs) to identify disks, you can specify the path names. When you implement CSV, all added storage appears in the \ClusterStorage folder. The \ClusterStorage folder is created on the cluster node's system folder, and you cannot move it. This means that all Hyper-V hosts that are members of the cluster must use the same drive letter as their system drive, or virtual machine failovers will fail.

• No specific hardware requirements. There are no specific hardware requirements to implement CSV. You can implement CSV on any supported disk configuration, and on either fibre channel or iSCSI SANs.

• Increased resiliency. CSV increases resiliency because the cluster can respond correctly even if connectivity between one node and the SAN is interrupted, or part of a network is down. The cluster reroutes the CSV traffic through an intact part of the SAN or network.

Implementing CSV
You can configure CSV only when you create a failover cluster that hosts highly available virtual machines. After you create the failover cluster, you can enable CSV for the cluster, and then add storage to the CSV.

Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster, and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available. However, you can convert from regular disk access to CSV after deployment. The following considerations apply:

• The LUN's drive letter or mount point is removed when you convert from regular disk access to CSV. This means that you must re-create all virtual machines that are stored on the shared storage. If you must keep the same virtual machine settings, consider exporting the virtual machines, switching to CSV, and then importing the virtual machines in Hyper-V.

• You cannot add shared storage to CSV if it is used. If you have a running virtual machine that is using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
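The two considerations above are the kind of thing that is cheap to check before a conversion and expensive to discover afterwards. The function below is an added example, not course or Microsoft code: it refuses to add a cluster disk to CSV while a cluster role still owns it (the disk is "in use"), and it lists every virtual machine on the owning node whose configuration or virtual hard disks sit under the drive letter that the conversion will remove. The cluster name, disk resource name and drive letter are assumptions; the drive letter is passed in because it is the one piece of information the operator already knows and the conversion will silently take away.

```powershell
# Added example (not course code): pre-conversion checks for adding a cluster disk to CSV.
function Add-ClusterDiskToCsvSafely {
    param(
        [string]$Cluster     = 'HV-CLUSTER',     # assumed cluster name
        [string]$DiskName    = 'Cluster Disk 2', # assumed disk resource name
        [string]$DriveLetter = 'E'               # letter the disk has today; it disappears on conversion
    )
    $Disk = Get-ClusterResource -Cluster $Cluster -Name $DiskName
    if ($Disk.ResourceType.Name -ne 'Physical Disk') {
        throw "$DiskName is not a Physical Disk resource"
    }

    # Consideration 2: a disk owned by any role other than Available Storage is in use.
    # The course's instruction is to shut down the VM first, not to force the change.
    if ($Disk.OwnerGroup.Name -ne 'Available Storage') {
        throw "$DiskName is owned by role '$($Disk.OwnerGroup.Name)'; stop that role and release the disk first"
    }

    # Consideration 1: VMs on the owning node that reference the drive letter must be
    # re-created (or exported, then imported) after the letter is removed.
    $Owner  = $Disk.OwnerNode.Name
    $Prefix = "$DriveLetter`:\"
    $Affected = Get-VM -ComputerName $Owner | Where-Object {
        $_.ConfigurationLocation -like "$Prefix*" -or
        (Get-VMHardDiskDrive -VM $_ | Where-Object { $_.Path -like "$Prefix*" })
    }
    if ($Affected) {
        Write-Warning ("VMs under $Prefix must be exported and re-imported after conversion: " +
                       ($Affected.Name -join ', '))
        return $null
    }

    # Both checks passed: convert the disk. The volume then appears under \ClusterStorage.
    Add-ClusterSharedVolume -Cluster $Cluster -Name $DiskName
}

Add-ClusterDiskToCsvSafely -Cluster 'HV-CLUSTER' -DiskName 'Cluster Disk 2' -DriveLetter 'E'
```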

Implementing Highly Available Virtual Machines on an SMB 3.0 File Share
In Windows Server 2012, it is possible to use one more technique to make virtual machines highly available. Instead of using host or guest clustering, virtual machine files can now be stored on a highly available SMB 3.0 file share. By using this approach, high availability is achieved not by clustering Hyper-V nodes, but by file servers that host virtual machine files on their file shares. With this new capability, Hyper-V can store all virtual machine files, including configuration, virtual hard disk (VHD) files, and snapshots, on highly available SMB file shares.

To implement this technology, the following requirements must be met:

• One or more computers running Windows Server 2012 with the Hyper-V role installed.

• One or more computers running Windows Server 2012 with the File and Storage Services role installed.

• A common Active Directory infrastructure. The servers running Active Directory Domain Services (AD DS) do not need to run Windows Server 2012.

Before you implement virtual machines on an SMB file share, you should set up a file server cluster. To do that, you should have at least two cluster nodes with File Services and Failover Clustering installed. In the failover clustering console, you should create a scale-out file server cluster. After you configure the cluster, you deploy the new SMB file share for applications. This share is used to store virtual machine files. When the share is created, you can use the Hyper-V Manager console to deploy new virtual machines on the SMB file share, or you can migrate existing VMs to the SMB file share by using the storage migration method.
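The scale-out file server, the application share and the two ways of placing virtual machines on it, as an added Windows PowerShell example rather than course or Microsoft code. The file server cluster is assumed to exist already; the cluster, role, share and host names and the CSV path are assumptions. One detail the paragraph does not spell out, added here as an assumption about how Hyper-V accesses the share: the share and NTFS permissions must grant the Hyper-V hosts' computer accounts (and the administrators who create VMs) access, and nothing else, so the example grants exactly those principals rather than Everyone.

```powershell
# Added example (not course code): Scale-Out File Server share for Hyper-V VM files.
$FsCluster   = 'FS-CLUSTER'                                  # assumed file server cluster
$SofsName    = 'SOFS1'                                       # assumed scale-out file server name
$ShareName   = 'VMs'                                         # assumed share name
$SharePath   = 'C:\ClusterStorage\Volume1\Shares\VMs'        # assumed CSV-backed folder
$HyperVHosts = 'CONTOSO\HV-NODE1$', 'CONTOSO\HV-NODE2$'     # assumed host computer accounts
$VmAdmins    = 'CONTOSO\Hyper-V Admins'                      # assumed admin group

# The scale-out file server role on the existing file server cluster.
Add-ClusterScaleOutFileServerRole -Cluster $FsCluster -Name $SofsName

# Create the "for applications" share on the node that currently owns the SOFS role:
# continuously available (SMB 3.0 transparent failover) and scoped to the SOFS name.
$OwnerNode = (Get-ClusterGroup -Cluster $FsCluster -Name $SofsName).OwnerNode.Name
Invoke-Command -ComputerName $OwnerNode -ScriptBlock {
    param($Sofs, $Share, $Path, $Principals)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    New-SmbShare -Name $Share -Path $Path -ScopeName $Sofs `
        -ContinuouslyAvailable $true -FullAccess $Principals
    # Copy the share ACL onto the folder so the NTFS check passes for the same principals.
    Set-SmbPathAcl -ShareName $Share
} -ArgumentList $SofsName, $ShareName, $SharePath, ($HyperVHosts + $VmAdmins)

$UncPath = "\\$SofsName\$ShareName"

# Option A: deploy a new VM directly onto the share.
New-VM -ComputerName 'HV-NODE1' -Name 'VM2' -MemoryStartupBytes 2GB `
    -Path $UncPath -NewVHDPath "$UncPath\VM2\VM2.vhdx" -NewVHDSizeBytes 40GB

# Option B: move an existing VM's files there with storage migration (VM keeps running).
Move-VMStorage -ComputerName 'HV-NODE1' -VMName 'VM1' -DestinationStoragePath "$UncPath\VM1"

# Confirm the share is continuously available before relying on it.
Invoke-Command -ComputerName $OwnerNode -ScriptBlock {
    param($Share) Get-SmbShare -Name $Share | Select-Object Name, ScopeName, ContinuouslyAvailable
} -ArgumentList $ShareName
```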

Considerations for Implementing Hyper-V Clusters
By implementing host failover clustering, you can make virtual machines highly available. However, implementing host failover clustering also adds significant cost and complexity to a Hyper-V deployment. You must invest in additional server hardware to provide redundancy, and you should implement or have access to a shared storage infrastructure.

Use the following recommendations to ensure that the failover clustering strategy meets the organization's requirements:

• Identify the applications or services that require high availability. If you were to ask the people who use the organization's applications, most of them would probably say that they want all applications to be highly available. However, unless you have the option of making all virtual machines highly available, you must develop priorities for which applications will be made highly available.

• Identify the components that must be highly available to make the applications highly available. In some cases, the application might run on a single server, and making that server highly available is all that you have to do. Other applications may require that several servers, and other components, such as storage or the network, be highly available.

• Identify the application characteristics. You must understand several things about the application:

o Is virtualizing the server that is running the application an option? Some applications are not supported or recommended in a virtual environment.

o What options are available for making the application highly available? You can make some applications highly available through options other than host clustering. If other options are available, evaluate the benefits and disadvantages of each option.

o What are the performance requirements for each application? Collect performance information on the servers currently running the applications to gain an understanding of the hardware requirements that are required when you virtualize the server.

• What capacity is required to make the Hyper-V virtual machines highly available? As soon as you
identify all the applications that must be highly available by using host clustering, you can start to
design the actual Hyper-V deployment. By identifying the performance requirements, and network
and storage requirements, for applications, you can define the hardware that you have to implement
all the applications in a highly available environment.
Live Migration is one of the most important aspects of Hyper-V clustering. When you implement Live
Migration, consider the following:

• Verify basic requirements. The basic requirements for Live Migration are that all hosts must be part of
a Windows Server 2008 R2 failover cluster, and host processors must be from the same manufacturer.
All hosts in the cluster must have access to shared storage.

• Configure a dedicated network adapter for the private virtual network. When you implement failover
clustering, you should configure a private network for the cluster heartbeat traffic. You use this
network to transfer the virtual machine memory during a failover. To optimize this configuration,
configure a network adapter for this network that has a capacity of one gigabits per second (Gbps) or
higher.

Note: You must enable the Client for Microsoft Networks and File and Printer Sharing for
Microsoft Networks components for the network adapter that you want to use for the private
network.

• Use similar host hardware. All failover cluster nodes must use the same hardware for connecting to
shared storage, and all cluster nodes must have processors from the same manufacturer. Whereas you
can enable failover for virtual machines on a host with different processor versions by configuring
processor compatibility settings, the failover experience and performance is more consistent if all
servers have very similar hardware.

• Verify network configuration. All nodes in the failover cluster must connect through the same IP
subnet so that the virtual machine can keep the same IP address after Live Migration. Also, the IP
addresses assigned to the private network on all nodes must be on the same logical subnet, which
means that multisite clusters must use a stretched virtual local area network (VLAN), which is a subnet
that spans a wide area network (WAN) connection.
• Manage Live Migrations. Each node in the failover cluster can perform only one Live Migration at a
time. If you try to start a second Live Migration before the first one finishes, the migration fails. If you
start additional Live Migrations from Virtual Machine Manager (VMM), it queues the Live Migration,
and retries it for 15 minutes. If the migration cannot be initiated in 15 minutes, the migration is
canceled.
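The Live Migration requirements listed above (one cluster, same processor manufacturer, a private network of at least 1 Gbps with the Client for Microsoft Networks and File and Printer Sharing bindings enabled, and one IP subnet) are all things a script can check before the first migration is attempted. The function below is an added example, not course or Microsoft code. The node names and the private adapter name are assumptions; the subnet comparison computes the network address of each node's private adapter so that two nodes with different addresses on the same subnet compare equal. The second function shows the processor compatibility setting the "Use similar host hardware" item mentions; it only changes a stopped VM.

```powershell
# Added example (not course code): pre-flight checks for the Live Migration items above.
function Test-LiveMigrationReadiness {
    param(
        [string[]]$Nodes          = @('HV-NODE1', 'HV-NODE2'),  # assumed node names
        [string]  $PrivateAdapter = 'Cluster-Private'           # assumed adapter name on every node
    )
    $Problems = @()

    # Basic requirement: all hosts in the same failover cluster.
    $ClusterNames = $Nodes | ForEach-Object { (Get-Cluster -Name $_).Name } | Sort-Object -Unique
    if ($ClusterNames.Count -ne 1) { $Problems += "Nodes are not in one cluster: $($ClusterNames -join ', ')" }

    # Similar host hardware: processors from the same manufacturer.
    $Makers = Invoke-Command -ComputerName $Nodes -ScriptBlock {
        (Get-WmiObject -Class Win32_Processor | Select-Object -First 1).Manufacturer
    } | Sort-Object -Unique
    if ($Makers.Count -ne 1) { $Problems += "Mixed processor manufacturers: $($Makers -join ', ')" }

    # Private network: link speed, the two bindings from the note, and the IPv4 subnet.
    $Info = Invoke-Command -ComputerName $Nodes -ScriptBlock {
        param($Name)
        $A  = Get-NetAdapter -Name $Name
        $Ip = Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 | Select-Object -First 1
        # Network address = IP AND mask, computed without the shift operators PowerShell 3 lacks.
        $Bytes = [System.Net.IPAddress]::Parse($Ip.IPAddress).GetAddressBytes()
        [array]::Reverse($Bytes)
        $Addr = [BitConverter]::ToUInt32($Bytes, 0)
        $Mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Ip.PrefixLength))
        $Net  = $Addr -band $Mask
        $Oct  = 3..0 | ForEach-Object { [math]::Floor($Net / [math]::Pow(256, $_)) % 256 }
        [pscustomobject]@{
            Node   = $env:COMPUTERNAME
            Gbps   = [math]::Round($A.ReceiveLinkSpeed / 1e9, 1)
            Client = (Get-NetAdapterBinding -Name $Name -ComponentID ms_msclient).Enabled
            Server = (Get-NetAdapterBinding -Name $Name -ComponentID ms_server).Enabled
            Subnet = ($Oct -join '.') + "/$($Ip.PrefixLength)"
        }
    } -ArgumentList $PrivateAdapter

    foreach ($I in $Info) {
        if ($I.Gbps -lt 1) { $Problems += "$($I.Node): $PrivateAdapter is $($I.Gbps) Gbps; 1 Gbps or higher required" }
        if (-not ($I.Client -and $I.Server)) {
            $Problems += "$($I.Node): enable Client for Microsoft Networks and File and Printer Sharing on $PrivateAdapter"
        }
    }
    $Subnets = $Info | ForEach-Object { $_.Subnet } | Sort-Object -Unique
    if ($Subnets.Count -ne 1) { $Problems += "Private network is not one subnet: $($Subnets -join ', ')" }

    return $Problems
}

# Same manufacturer but different processor versions: allow migration by enabling
# processor compatibility on the (stopped) VM, at the cost of hiding newer CPU features.
function Enable-VMMigrationCompatibility {
    param([string]$ComputerName = 'HV-NODE1', [string]$VMName = 'VM1')  # assumed names
    Set-VMProcessor -ComputerName $ComputerName -VMName $VMName -CompatibilityForMigrationEnabled $true
}

$Issues = Test-LiveMigrationReadiness
if ($Issues) { $Issues | ForEach-Object { Write-Warning $_ } } else { 'Live Migration prerequisites satisfied' }
```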

Lesson 3
Implementing Hyper-V Virtual Machine Movement
Moving virtual machines from one location to another is a fairly common procedure in the administration of Hyper-V environments. Most of the moving techniques in previous Windows Server versions required downtime. Windows Server 2012 introduces new technologies to enable seamless virtual machine movement. In this lesson, you will learn about virtual machine movement and migration options.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe migration options for virtual machines.

• Describe Storage Migration.

• Describe Live Migration.

• Describe and configure a Hyper-V replica.

Virtual Machine Migration Options
There are several scenarios where you would want to migrate a virtual machine from one location to another. For example, you might want to move a virtual machine virtual hard disk from one physical drive to another on the same host. Another example is moving a virtual machine from one node in a cluster to another, or just moving a computer from one host server to another host server without the hosts being members of a cluster. Compared with Windows Server 2008 R2, Windows Server 2012 provides significant enhancements in addition to simplified procedures for this process.

In Windows Server 2012, you can perform migration of virtual machines by using these methods:

• Virtual machine and storage migration. With this method, you move a powered on virtual machine from one location to another (or from one host to another) by using a wizard in Hyper-V Manager. Virtual machine and storage migration does not require failover clustering or any other high availability technology to work. Shared storage is not required when you move just the virtual machine.

• Quick Migration. This method is also available in Windows Server 2008. It requires failover clustering to be installed and configured.

• Live Migration. This improvement over Quick Migration is also available in Windows Server 2008 R2. It enables you to migrate a virtual machine from one host to another without downtime.

• Hyper-V replica. This new feature in Windows Server 2012 enables you to replicate a virtual machine to another host, instead of moving the virtual machine, and to synchronize all virtual machine changes from the primary host to the host that holds the replica.

• Exporting and importing virtual machine. This is an established method of moving virtual machines without using a cluster. You export a virtual machine on one host, and then physically move exported files to another host by performing an import operation. This is a very time-consuming operation. It requires that a virtual machine is turned off during export and import. In Windows Server 2012 this migration method is improved. You can import a virtual machine to a Hyper-V host without exporting it before import. Windows Server 2012 Hyper-V is now capable of configuring all the necessary settings during the import operation.

How Does Virtual Machine and Storage Migration Work?
There are many cases in which an administrator might want to move the virtual machine files to another location. For example, if the disk where a virtual machine hard disk resides runs out of space, you must move the virtual machine to another drive or volume. Also, moving a virtual machine to another host is a very common procedure.

In earlier versions of Windows Server, such as Windows Server 2008 or Windows Server 2008 R2, moving a virtual machine resulted in downtime because it had to be turned off. If you moved a virtual machine between two hosts, then you also had to perform export and import operations for that specific virtual machine. Export operations can be time-consuming, depending on the size of the virtual machine hard disks.

In Windows Server 2012, Virtual Machine and Storage Migration enables you to move a virtual machine to another location on the same host or on another host computer without turning off the virtual machine.

Let's examine how storage migration actually works.

To copy a virtual hard disk, an administrator starts live storage migration by using the Hyper-V console or Windows PowerShell, and completes the wizard (or specifies parameters in Windows PowerShell). A new virtual hard disk is created on the destination location and the copy process starts. During the copy process, the virtual machine is fully functional. However, all changes that occur during copying are written to both the source and destination location. Read operations are performed only from the source location. As soon as the disk copy process is complete, Hyper-V switches the virtual machine to run on the destination virtual hard disk. Also, if the virtual machine is moved to another host, the computer configuration is copied and the virtual machine is associated with the other host. If a failure were to occur on the destination side, there is always a fail back option to run back again on the source directory. After the virtual machine is successfully migrated and associated to a new location, the process deletes the source VHDs.

The time that is required to move a virtual machine depends on the source and destination location, the speed of hard disks or storage, and the size of the virtual hard disks. The moving process is speeded up if the source and destination locations are on storage that supports Offloaded Data Transfer (ODX).

When you move a virtual machine's VHDs to another location, a wizard presents three available options:

• Move all the virtual machine's data to a single location: You specify one single destination location for every item, such as disk file, configuration, snapshot, and smart paging.

• Move the virtual machine's data to different locations: You specify individual locations for each virtual machine item.

• Move only the virtual machine's virtual hard disk: You move only the virtual hard disk file.
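The three wizard options, and the move of a running virtual machine to another host, as Windows PowerShell. This is an added example, not course or Microsoft code; the host names, VM name and destination paths are assumptions, and the three `Move-VMStorage` calls are alternatives that illustrate one option each, not a sequence to run in full. The free-space check at the top is added because the paragraph's own motivating case is a disk that has run out of space: a storage migration writes a complete second copy of every VHD before it deletes the source, so the destination must hold the VM's full current size, not the amount the source has left.

```powershell
# Added example (not course code): storage migration options and a destination space check.
function Test-DestinationSpace {
    param([string]$ComputerName, [string]$VMName, [string]$Destination)
    # Bytes that will be written: the current size of every VHD file attached to the VM.
    $Needed = (Get-VMHardDiskDrive -ComputerName $ComputerName -VMName $VMName |
        ForEach-Object { (Get-VHD -ComputerName $ComputerName -Path $_.Path).FileSize } |
        Measure-Object -Sum).Sum
    $Root = [System.IO.Path]::GetPathRoot($Destination)          # e.g. 'E:\'
    $Free = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($R) (Get-PSDrive -Name $R.TrimEnd(':\')).Free
    } -ArgumentList $Root
    if ($Free -lt $Needed) {
        throw ("{0} has {1:N0} bytes free; the VM's disks total {2:N0} bytes" -f $Root, $Free, $Needed)
    }
    return $Needed
}

$HvHost = 'HV-NODE1'      # assumed source host
$VMName = 'VM1'           # assumed VM
$Dest   = 'E:\VMs\VM1'    # assumed destination on the same host
Test-DestinationSpace -ComputerName $HvHost -VMName $VMName -Destination $Dest | Out-Null

# Option 1: all of the VM's data (configuration, VHDs, snapshots, smart paging) to one location.
Move-VMStorage -ComputerName $HvHost -VMName $VMName -DestinationStoragePath $Dest

# Option 2: an individual location for each item. The first VHD's current path is looked
# up so the source/destination pair is exact.
$Vhd = (Get-VMHardDiskDrive -ComputerName $HvHost -VMName $VMName | Select-Object -First 1).Path
Move-VMStorage -ComputerName $HvHost -VMName $VMName `
    -VirtualMachinePath "$Dest\Config" -SnapshotFilePath "$Dest\Snapshots" -SmartPagingFilePath "$Dest\Paging" `
    -Vhds @(@{ SourceFilePath = $Vhd; DestinationFilePath = "$Dest\Disks\$(Split-Path $Vhd -Leaf)" })

# Option 3: only the virtual hard disk file; everything else stays where it is.
$Vhd = (Get-VMHardDiskDrive -ComputerName $HvHost -VMName $VMName | Select-Object -First 1).Path
Move-VMStorage -ComputerName $HvHost -VMName $VMName `
    -Vhds @(@{ SourceFilePath = $Vhd; DestinationFilePath = "F:\Disks\$(Split-Path $Vhd -Leaf)" })

# Moving the running VM to another host with no cluster and no shared storage: live
# migration must be enabled on both hosts first.
Enable-VMMigration -ComputerName $HvHost, 'HV-NODE2'
Move-VM -ComputerName $HvHost -Name $VMName -DestinationHost 'HV-NODE2' `
    -IncludeStorage -DestinationStoragePath 'D:\VMs\VM1'
```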

How Does Live Migration Work?

Live Migration enables you to move running virtual machines from one failover cluster node to another node in the same cluster. With Live Migration, users who are connected to the virtual machine should experience almost no server outage.

Note: Whereas you can also do live migration of a virtual machine by using the Virtual Machine and Storage Migration described in the previous topic, you should be aware that Live Migration is based on a different technology (failover clustering). Unlike the storage migration scenario, Live Migration can be performed only if a virtual machine is highly available.

You can start a Live Migration through one of the following:

• The Failover Cluster Management console.

• The VMM Administrator console, if you use VMM to manage your physical hosts.

• A Windows Management Instrumentation (WMI) or Windows PowerShell script.

Note: Live Migration enables you to reduce the perceived outage of a virtual machine
significantly during a planned failover. During a planned failover, you start the failover manually.
Live Migration does not apply during an unplanned failover, such as when the node hosting the
virtual machine fails.

Live Migration Process

The Live Migration process consists of four steps:

1. Migration setup. When the administrator starts the failover of the virtual machine, the source node
creates a TCP connection with the target physical host. This connection is used to transfer the virtual
machine configuration data to the target physical host. Live Migration creates a temporary virtual
machine on the target physical host, and allocates memory to the destination virtual machine. The
migration preparation also checks to determine whether a virtual machine can be migrated.

2. Guest-memory transfer. The guest memory is transferred iteratively to the target host while the
virtual machine is still running on the source host. Hyper-V on the source physical host monitors the
pages in the working set. As the system modifies memory pages, it tracks and marks them as being
modified. During this phase of the migration, the migrating virtual machine continues to run. Hyper-
V iterates the memory copy process several times, and every time that a smaller number of modified
pages are copied to the destination physical computer. A final memory copy process copies the
remaining modified memory pages to the destination physical host. Copying stops as soon as the
number of dirty pages drops below a threshold or after 10 iterations are complete.

3. State transfer. To actually migrate the virtual machine to the target host, Hyper-V stops the source
partition, transfers the state of the virtual machine (including the remaining dirty memory pages) to
the target host, and then restores the virtual machine on the target host. The virtual machine has to
be paused during the final state transfer.

4. Clean up. The cleanup stage finishes the migration by tearing down the virtual machine on the
source host, terminating the worker threads, and signaling the completion of the migration.
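Step 2 is a pre-copy loop, and its stop conditions (the dirty set drops below a threshold, or 10 iterations have run) decide how much memory is left for the paused state transfer in step 3. The function below is an added example, not course or Microsoft code, and it is a model rather than a measurement: it assumes that the number of pages the guest dirties during a round is proportional to the number of pages that round copies (the `DirtyRate` parameter), and the page counts and threshold are constructed values. Run it with a rate below 1 and the rounds shrink geometrically and converge in a few iterations; run it with a rate above 1, a guest that writes faster than the network copies, and the loop is ended by the 10-iteration cap instead, leaving the whole working set to be copied while the VM is paused. That second case is the blackout a practitioner is really asking about when a migration "takes too long".

```powershell
# Added example (not course code): model of the iterative memory transfer in step 2.
function Invoke-PreCopySimulation {
    param(
        [int]   $TotalPages    = 262144,   # 1 GiB of 4 KiB pages (constructed value)
        [double]$DirtyRate     = 0.1,      # pages dirtied per page copied during a round (constructed)
        [int]   $Threshold     = 512,      # stop pre-copy when the dirty set is at or below this
        [int]   $MaxIterations = 10        # the cap the course states
    )
    $Rounds    = @()
    $ToCopy    = $TotalPages               # round 1 copies the whole working set
    $Iteration = 0
    while ($true) {
        $Iteration++
        $Rounds += [pscustomobject]@{ Iteration = $Iteration; PagesCopied = $ToCopy }
        # Pages modified while this round ran become the next round's copy set. The guest
        # cannot dirty more pages than it has, so the set is capped at the working set size.
        $ToCopy = [math]::Min($TotalPages, [math]::Floor($ToCopy * $DirtyRate))
        if ($ToCopy -le $Threshold -or $Iteration -ge $MaxIterations) { break }
    }
    # Step 3: the VM is paused and whatever is still dirty moves with the device state.
    [pscustomobject]@{
        Iterations       = $Iteration
        PagesPreCopied   = ($Rounds | Measure-Object -Property PagesCopied -Sum).Sum
        PagesDuringPause = $ToCopy
        Converged        = ($ToCopy -le $Threshold)   # $false means the 10-iteration cap ended it
        Rounds           = $Rounds
    }
}

# A moderately busy guest: converges in 3 rounds, 262 pages copied while paused.
Invoke-PreCopySimulation -DirtyRate 0.1 | Format-List Iterations, PagesPreCopied, PagesDuringPause, Converged
# A write-heavy guest: hits the cap, and the entire working set is copied while paused.
Invoke-PreCopySimulation -DirtyRate 1.2 | Format-List Iterations, PagesPreCopied, PagesDuringPause, Converged
```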

How Does Hyper-V Replica Work?
In some cases, you might want to have a spare copy of one virtual machine that you can run if the original virtual machine fails. By implementing high availability, you have one instance of a virtual machine. High availability does not prevent corruption of software running inside the VM. One way to address the issue of corruption is to copy the VM. You can also back up the virtual machine and its storage. Although this solution achieves the desired result, it is resource intensive and time consuming.

To resolve this problem, and to enable administrators to have an up-to-date copy of a single virtual machine, Microsoft has implemented Hyper-V replica technology in Windows Server 2012. This technology enables virtual machines running at a primary site (can also be location or host) to be efficiently replicated to a secondary site (location or host) across a WAN or LAN link. Hyper-V replica enables you to have two instances of a single virtual machine residing on different hosts, one as the primary (live) copy and the other as a replica (offline) copy. These copies are synchronized, and you can failover at any time. In the event of a failure at a primary site (e.g. fire, natural disaster, power outage, server failure etc.), an administrator can use Hyper-V Replica to execute a failover of production workloads to replica servers at a secondary location within minutes, thus incurring minimal downtime.

The site configurations do not have to use the same server or storage hardware. Hyper-V Replica enables an administrator to restore virtualized workloads to a point in time depending on the Recovery History selections for the virtual machine.

Hyper-V replica technology consists of several components:

• Replication Engine: This component is the core of Hyper-V Replica. It manages the replication configuration details and handles initial replication, delta replication, failover, and test-failover operations. It also tracks virtual machine and storage mobility events and takes appropriate actions as needed (i.e. it pauses replication events until migration events complete and then resumes where they left off).

• Change Tracking: This component tracks changes that are happening on the primary copy of the virtual machine. It is designed to make the scenario work regardless of where the virtual machine VHD file(s) resides.

• Network Module: The Networking Module provides a secure and efficient way to transfer virtual machine replicas between the primary host and the replica host. Data compression is enabled by default. This communication is also secure as it relies on HTTPS and certificate-based authentication.

• Hyper-V Replica Broker role: This is a new role implemented in Windows Server 2012. It is configured in Failover Clustering, and it enables you to have Hyper-V replica functionality even when the virtual machine being replicated is highly available and can move from one cluster node to another. The Hyper-V Replica Broker redirects all virtual machine specific events to the appropriate node in the replica cluster. The Broker queries the cluster database to determine which node should handle which events. This ensures all events are redirected to the correct node in the cluster in the event that a Quick Migration, Live Migration, or Storage Migration process was executed.

Configuring Hyper-V Replica
Before you implement Hyper-V replica technology, ensure that these prerequisites are met:

• The server hardware supports the Hyper-V role on Windows Server 2012.

• Sufficient storage exists on both the primary and replica servers to host the files that are used by replicated virtual machines.

• Network connectivity exists between the locations hosting the primary and replica servers. This can be a WAN or LAN link.

• Firewall rules are correctly configured to enable replication between the Primary and Replica sites (default traffic is going over TCP port 80 or 443).

• An X.509v3 certificate exists to support Mutual Authentication with certificates (if you want).

You do not have to install Hyper-V replica separately because it is not a Windows Server role or feature. Hyper-V Replica is implemented as part of the Hyper-V Role. It can be used on Hyper-V servers that are stand-alone or servers that are part of a Failover Cluster (in which case, you should configure Hyper-V Replica Broker). Unlike failover clustering, a Hyper-V role is not dependent on Active Directory Domain Services (AD DS). You can use it with Hyper-V servers that are stand-alone, or that are members of different Active Directory domains (except in the case when servers are part of a failover cluster).

To enable Hyper-V replica technology, you should first configure Hyper-V server settings. In the Replication Configuration group of options, you should enable the Hyper-V server as a replica server, and you should also select authentication and port options. You should also configure authorization options. You can choose to enable replication from any server that successfully authenticates (which is convenient in scenarios where all servers are part of the same domain), or you can type fully qualified domain names (FQDNs) of servers that you accept as replica servers. Also, you must configure the location for replica files. These settings should be configured on each server that will serve as a replica server.

After you configure options on the server level, you should enable replication on a virtual machine. During this configuration, you must specify the replica server name, as well as options for the connection. You can select which virtual hard disk drives you replicate (in case the virtual machine has more than one VHD), and you can also configure Recovery History as well as the initial replication method. After you have configured these options, you can start replication.
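The server-level settings, the per-VM settings and the start of initial replication, in the order the two paragraphs above give them, as an added Windows PowerShell example (not course or Microsoft code). The server names, storage path, trust group name and excluded disk path are assumptions, and the two certificate thumbprints are placeholders for certificates you have already installed on each host. The choices made here are the more restrictive ones the text offers: certificate authentication over TCP 443 rather than Kerberos over 80, and an explicit list of accepted primary servers rather than accepting replication from any server that authenticates, so that a replica server holds copies only of the machines it was told to hold.

```powershell
# Added example (not course code): replica server settings, then per-VM replication.
$ReplicaServer = 'HV-REPLICA.contoso.com'          # assumed replica host FQDN
$PrimaryServer = 'HV-NODE1.contoso.com'            # assumed primary host FQDN
$ReplicaStore  = 'D:\HyperVReplica'                # assumed location for replica files
$ReplicaThumb  = '<thumbprint of replica server certificate>'   # placeholder
$PrimaryThumb  = '<thumbprint of primary server certificate>'   # placeholder
$VMName        = 'VM1'                             # assumed VM

# Server level, on the replica host: enable the replica role, certificate auth on 443,
# accept only the named primary server, and open the listener's built-in firewall rule.
Invoke-Command -ComputerName $ReplicaServer -ScriptBlock {
    param($Store, $Thumb, $Primary)
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate -CertificateAuthenticationPort 443 `
        -CertificateThumbprint $Thumb -ReplicationAllowedFromAnyServer $false
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $Primary `
        -ReplicaStorageLocation $Store -TrustGroup 'ContosoPrimary'
    Get-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)' | Enable-NetFirewallRule
} -ArgumentList $ReplicaStore, $ReplicaThumb, $PrimaryServer

# VM level, on the primary host: replica server and port, certificate auth, the VHDs to
# replicate (a scratch disk is excluded), Recovery History of 4 points, compression on.
Enable-VMReplication -ComputerName $PrimaryServer -VMName $VMName `
    -ReplicaServerName $ReplicaServer -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $PrimaryThumb `
    -ExcludedVhdPath 'C:\ClusterStorage\Volume1\VM1\scratch.vhdx' `
    -RecoveryHistory 4 -CompressionEnabled $true

# Initial replication method: over the network, starting now. (The alternatives in the
# wizard, exporting to media or seeding from an existing VM, use the same cmdlet's
# -DestinationPath and -UseBackup parameters.)
Start-VMInitialReplication -ComputerName $PrimaryServer -VMName $VMName

# Confirm the pair's state and health from the primary side.
Get-VMReplication -ComputerName $PrimaryServer -VMName $VMName | Format-List VMName, State, Health
```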

Lesson 4
Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager
System Center Virtual Machine Manager 2012 is a part of the System Center 2012 family of products. It is a successor of Virtual Machine Manager 2008 R2. Its main purpose is to extend management functionality for Hyper-V hosts and virtual machines and to provide deployment and provisioning for virtual machines and services. In this lesson, you will learn the basics of VMM.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe System Center VMM.

• Describe prerequisites for installing VMM.

• Describe private cloud infrastructure components.

• Describe how to manage hosts and host clusters with VMM.

• Describe how to manage virtual machines with VMM.

• Describe services and service templates.

• Describe physical to virtual and virtual to virtual migrations.

• Describe considerations for deploying a highly available VMM server.

What Is VMM?
VMM is a management solution for a virtualized data center. VMM enables you to create and deploy virtual machines and services to private clouds by configuring and managing your virtualization host, networking, and storage resources.

VMM is a component of Microsoft System Center 2012 that discovers, captures, and aggregates knowledge of the virtualization infrastructure. VMM also manages policies, processes, and best practices with automations by discovering, capturing and aggregating knowledge of the virtualization infrastructure.

VMM succeeds VMM 2008 R2 and is a key component in enabling private cloud infrastructure, which helps transition enterprise IT from an infrastructure-focused deployment model into a service-oriented, user-centric environment.

VMM architecture consists of several interrelated components. These components are:
• VMM server. The VMM server is the computer on which the VMM service runs. The VMM server processes commands and controls communications with the VMM database, the library server, and the virtual machine hosts. The VMM server is the hub of a VMM deployment through which all other VMM components interact and communicate. The VMM server also connects to a Microsoft SQL Server database (VMM database) that stores all VMM configuration information.

• Database. VMM uses a SQL Server database to store the information that you view in the VMM management console, such as managed virtual machines, virtual machine hosts, virtual machine libraries, jobs, and other virtual machine-related data.

• Management console. The management console is a program that you use to connect to a VMM management server, to view and manage physical and virtual resources, including virtual machine hosts, virtual machines, services, and library resources.

• Library. A library is a catalog of resources (for example, virtual hard disks, templates, and profiles) that are used to deploy virtual machines and services. A library server also hosts shared folders that store file-based resources. The VMM management server is always the default library server, but you can add additional library servers later.

• Command shell. Windows PowerShell is the command-line interface in which you execute cmdlets that perform all available VMM functions. You can use these VMM-specific cmdlets to manage all the actions in a VMM environment.

• Self-Service Portal. The Self-Service Portal is a web site that users who are assigned to a self-service user role can use to deploy and manage their own virtual machines.

Prerequisites for Installing VMM
Before you deploy VMM and its components, you should be certain that your system meets hardware and software requirements. While software requirements do not change based on the number of hosts that VMM manages, hardware prerequisites may vary. In addition, not all VMM components have the same hardware and software requirements. However, Windows Server 2008 R2 and Windows Server 2012 are the only supported operating systems for VMM 2012.

VMM Server
In addition to having Windows Server 2008 R2 or Windows Server 2012 installed, you have to ensure that the following software is installed on the server that will run the VMM server:

• Microsoft .NET Framework 3.5 Service Pack 1 (SP1) or later versions

• Windows Automated Installation Kit (AIK)

• Windows PowerShell 2.0 (if the VMM management console will run on the same server)

• Windows Remote Management 2.0 (this is installed by default in Windows Server 2008 R2, so you should just verify that the service is running)

• SQL Server 2008 SP2 (Standard or Enterprise) or SQL Server 2008 R2 SP1 Standard, Enterprise, or Datacenter. This is necessary only when you install the VMM management server and SQL Server on the same computer.

Hardware requirements vary, depending on the number of hosts, and have the following limits:

• CPU: Single core CPU 2 gigahertz (GHz), Dual core CPU 2.8 GHz

• Random access memory (RAM): 4 – 8 gigabytes (GB)

• Disk space: 40 GB – 150 GB (depending on whether a SQL Server database is installed on the same server. In addition, if the library is on the same server, then disk space will also depend on library content.)

VMM Database
The VMM database stores all VMM configuration information, which you can access and modify by using the VMM management console. The VMM database requires SQL Server 2008 SP2 or later. Because of this, the base hardware requirements for the VMM database are equal to the minimum system requirements for installing SQL Server. Additionally, if you are managing more than 150 hosts, you should have at least 4 GB of RAM on the database server. Software requirements for the VMM database are the same as for SQL Server.

VMM Library
The VMM library is the server that hosts resources for building virtual machines, services and business unit clouds. In smaller environments, you usually install the VMM library on the VMM management server. If this is the case, the hardware and software requirements are the same as for the VMM management server. In larger and more complex environments, we recommend that you have the VMM library on a separate server in a highly available configuration. If you want to deploy another VMM library server, the server should fulfill the following requirements:

• Supported operating system: Windows Server 2008 or Windows Server 2008 R2

• Hardware management: Windows Remote Management 2.0

• CPU: at least 2.8 GHz

• RAM: at least 2 GB

• Hard disk space: varies based on the number and size of files that are stored

Private Cloud Infrastructure Components in VMM
The key architectural concept in VMM is private cloud infrastructure. Similar to public cloud solutions, such as in Windows Azure™, private cloud infrastructure in VMM is an abstraction layer that shields the underlying technical complexities, and lets you manage defined resource pools of servers, networking, and storage in the enterprise infrastructure.

This concept is presented explicitly in the VMM management console user interface. With VMM, you can create a private cloud from Hyper-V, VMware ESX, and Citrix XenServer hosts, and benefit from cloud computing attributes, including self-servicing, resource pooling, and elasticity.

You can configure the following resources from the VMM management console Fabric workspace:
• Servers. In the Servers node, you can configure and manage several types of servers. Host groups contain virtualization hosts, which are the destinations for where you can deploy virtual machines. Library servers are the repositories of building blocks (such as images, .iso files, and templates) for creating virtual machines.

• Networking. In the VMM management console, the Networking node is where you can define logical networks, assign pools of static IPs and media access control (MAC) addresses, and integrate load balancers. Logical networks are user-defined groupings of IP subnets and virtual local area networks (VLANs) to organize and simplify network assignments. Logical networks provide an abstraction of the underlying physical infrastructure, and enable an administrator to provision and isolate network traffic based on selected criteria such as connectivity properties and service level agreements (SLAs).

• Storage. Using the VMM 2012 admin console, an administrator can discover, classify, and provision remote storage on supported storage arrays. VMM 2012 uses the Microsoft Storage Management Service (which is enabled by default during the installation of VMM 2012) to communicate with external arrays.

Managing Hosts and Host Groups with VMM
In addition to virtual machine management, VMM can also manage and deploy Hyper-V hosts. In VMM you can use technologies such as Windows Deployment Services to deploy Hyper-V hosts on bare metal machines and then manage them with VMM. When hosts are associated with VMM, you can configure several options, such as host reserves, quotas, permissions, cloud membership, and so on. VMM can also manage Hyper-V failover clusters.

VMM provides two new features that help optimize power and resource usage on hosts managed by VMM: dynamic optimization and power optimization. Dynamic optimization balances the virtual machine load within a host cluster, while power optimization enables VMM to evacuate balanced cluster hosts, and then turn them off to save power.

The recommended way to organize hosts in VMM is to create host groups. This greatly simplifies management tasks. A host group enables you to apply settings to multiple hosts with a single action. By default, there is a single host group in VMM named All Hosts. However, if necessary, you can create additional groups for your environment.

Host groups are hierarchical. When you create a new child host group, it inherits the settings from the parent host group. When a child host group moves to a new parent host group, the child host group maintains its original settings except for Performance and Resource Optimization (PRO) settings, which are managed separately. When the settings in a parent host group change, you can apply those changes to child host groups.

You would use host groups in the following scenarios:

• Providing basic organization when you are managing lots of hosts and virtual machines. You can create custom views within the Hosts view and Virtual Machines view to provide easy monitoring and access to a host. For example, you might create a host group for each branch office in your organization.

• Reserving resources for use by hosts. Host reserves are useful when placing virtual machines on a host. Host reserves determine the CPU, memory, disk space, disk I/O capacity, and network capacity that are continuously available to the host operating system.

• Use the Host group properties action for the root host group All Hosts to set default host reserves for all hosts that VMM manages. If you want to use more of the resources on some hosts instead of on other hosts, you can set host reserves differently for each host group.

• Designating hosts on which users can create and operate their own virtual machines. When a VMM administrator adds self-service user roles, one part of role creation is to identify the hosts on which self-service users or groups in that role can create, operate, and manage their own virtual machines. We recommend that you designate a specific host group for this purpose.

Deploying Virtual Machines with VMM
One of the advantages of using a virtualized environment that is managed by VMM is the flexibility that it provides to create and deploy new virtual machines quickly.

Using VMM, you can manually create a new virtual machine with new configuration settings and a new hard disk. You can then deploy the new virtual machine from one of the following sources:
• An existing virtual hard disk (.vhd) file (blank or preconfigured)
• A virtual machine template
• A VMM library
You can create new virtual machines either by converting an existing physical computer, or by cloning an existing virtual machine.

Creating a New Virtual Machine from an Existing VHD
You can create a new virtual machine based on either a blank VHD, or on a preconfigured VHD that contains a guest operating system. VMM provides two blank VHD templates that you can use to create new disks:
• Blank Disk – Small
• Blank Disk – Large
You can also use a blank VHD when you want to install an operating system with PXE. Or, you can place an ISO image on a virtual DVD-ROM, and then install an operating system from scratch. This is an effective way to build a virtual machine's source image, which you can then use as a future template. To install the operating system on such a virtual machine, you can use an ISO image file from the library or from local disk, then map a physical drive from the host computer, or start the guest operating system setup through a network service boot.

If you have a library of VHDs that you want to use in your VMM environment, you can create a virtual machine from an existing VHD. You can also select existing VHDs when you deploy any operating system from which VMM cannot create a template, such as an operating system that is not Windows based.

When you create a new virtual machine using an existing VHD, you are basically creating a new virtual machine configuration that is associated with the VHD file. VMM will create a copy of the source VHD so that you do not have to move or modify the original.
In this scenario, the source VHD must meet the following requirements:
• Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep) process.
• Install the Virtual Machine Additions on the virtual machine.
• Use Sysprep to prepare the operating system for duplication.

Deploying from a Template
This method creates a new virtual machine based on a template from the VMM library. The template is a library resource, which links to a virtual hard disk drive that has a generalized operating system, hardware settings, and guest operating system settings. You use the guest operating system settings to configure operating system settings such as computer name, local administrator password, and domain membership.

The deployment process does not modify the template, which you can reuse multiple times. If you are creating virtual machines in the Self-Service Portal, you must use a template.
The following requirements apply if you want to deploy a new virtual machine from a template:

• You must install a supported operating system on the VHD.

• You must leave the Administrator password blank on the VHD as part of the Sysprep process. However, you do not have to leave the Administrator password blank for the guest operating system profile.

• For customized templates, you must prepare the operating system on the VHD by removing computer identity information. For Windows operating systems, you can prepare the VHD by using Sysprep.

Deploying from the VMM Library
If you deploy a virtual machine from the library, the virtual machine is removed from the library, and then placed on the selected host. When you use this method, you must provide the following details in the Deploy Virtual Machine wizard:

• The host for deployment. The template that you use provides a list of potential hosts and their ratings.

• The path of the virtual machine files on the host.

• The virtual networks used for the virtual machine. You are presented with a list of existing virtual networks on the host.

What Are Services and Service Templates?
Services are a new concept in VMM. You must understand services fully before you deploy a private cloud infrastructure.

Traditional Services Scenario
When we think about services, we usually refer to an application or set of applications that provide some service to end-users. For example, we can deploy various types of web-based services, but we can also implement a service such as email. In a non-cloud computing scenario, deployment of any type of service usually requires users, developers, and administrators to work together through the phases of creating a service, deploying a service, testing the service, and maintaining the service.

A service frequently includes several computers that must work together to provide a service to end-users.
For example, a web-based service is usually an application that deploys on a web server, connects to a
database server (which can be hosted on another computer), and performs authentication on an Active
Directory domain controller. Enabling this application requires three roles, and possibly three computers:
a web server, a database server, and a domain controller. Deploying a test environment for a service such
as this can be time and resource consuming. Ideally, developers work with IT administrators to create an
environment where they can deploy and test their web application.

Concept of a Service in a Private Cloud Scenario


With the concept of a private cloud, how you deal with services can change significantly. You can prepare
the environment for a service, and then let developers deploy it by using a self-service application such as
App Controller.

In VMM, a service is a set of one or more virtual machines that you deploy and manage together as
a single entity. You configure these machines to run together to provide a service. In VMM in Windows
Server 2008, users were able to deploy new virtual machines by using Self Service Portal. In VMM,
end-users can deploy new services. By deploying a service, users are actually deploying the whole
infrastructure, including the virtual machines, network connections, and applications that are required
to make the service work.

However, you can use services to deploy only a single virtual machine without any specific purpose.
Instead of deploying virtual machines in the historic way, you can now create a service that will deploy
a virtual machine with—for example—Windows Server 2008 R2, and with several roles and features
preinstalled and joined to domain. This simplifies the process of creating and later updating new virtual
machines.

Deploying a new service requires a high level of automation and predefined components, and requires
management software support. This is why VMM provides service templates. A service template is a
template that encapsulates everything required to deploy and run a new instance of an application.
Just as a private cloud user can create new virtual machines on demand, the user can also use service
templates to install and start new applications on demand.

Process for Deploying a New Service


Follow this procedure when you use service templates in VMM to deploy a new service/application:
1. The system administrator creates and configures service templates in VMM by using Service Template
Designer.

2. The end-user application owner (for example, a developer who has to deploy the application
environment) opens the App Controller console, and requests a new service deployment based
on available service templates that he or she can access. The developer can deploy the service to a
private cloud where a user has access. As an alternative to App Controller, the user can also use the
VMM Manager console.

3. The request is submitted and evaluated by the VMM server. VMM searches for available resources in the private cloud, then calculates the user quota and verifies that the cloud has the capacity for the requested service deployment.

4. The service is created automatically, and its virtual machines and applications (if any) are deployed on the host selected by VMM.

5. The user application owner gains control over service virtual machines through the App Controller
console, or by RDP.

6. If you need manual approval for resource creation, you can use Microsoft System Center 2012 -
Service Manager to create workflows for this purpose.

Information Included in the Service Template
The service template includes information about the virtual machines that are deployed as part of the service, which applications to install on the virtual machines, and the networking configuration needed for the service (including the use of a load balancer). The service template can use existing virtual machine templates. You can define the service without using any existing virtual machine templates. However, it is much easier to build a template if you have already created virtual machine templates. After you create the service template, you configure it for deployment using the Configure Deployment option.

Physical to Virtual and Virtual to Virtual Migrations
Many organizations have physical servers that they do not use fully. VMM can convert existing physical computers into virtual machines through a process known as a physical-to-virtual (P2V) conversion. VMM simplifies P2V by providing a task-based wizard to automate much of the conversion process. Because the P2V process is scriptable, you can start large-scale P2V conversions through the Windows PowerShell (Powershell.exe) command line.

VMM converts an operating system that is running on physical hardware to an operating system that is running in a virtual machine in a Hyper-V environment. VMM provides a conversion wizard, which automates much of the conversion process.

During a P2V conversion process, VMM makes disk images of the hard disks on the physical computer. It creates VHD files for the new virtual machine, using the disk images as a basis. Also, it creates a hardware configuration for the virtual machine similar to, or the same as, the hardware in the physical computer. The new virtual machine has the same computer identity as the physical computer on which it is based. Because of that, we do not recommend that you use both a physical computer and its virtual replica concurrently. After the P2V conversion is finished, you typically disconnect the physical computer from the network and decommission it.

P2V conversion is finished in Online or Offline mode. In Online mode, the source operating system is running during the conversion process. In Offline mode, the operating system is not running, and conversion occurs through the Windows Preinstallation Environment (Windows PE). Later topics in this lesson describe these modes and their specifics.

In addition to converting underused physical computers, VMM supports the management, migration and conversion of other virtual machines that you create in a VMware environment. You can convert these virtual machines to Hyper-V virtual machines, place them on Hyper-V hosts, and then manage them under the VMM Administrator Console. Also, VMM and Hyper-V support migrating virtual machines from one host to another with minimal or zero downtime.

VMM 2012 allows you to convert existing VMware virtual machines to virtual machines running on the Hyper-V platform. This process is known as a V2V conversion. With V2V conversion, administrators can easily and quickly consolidate a virtual environment that is running various virtual platforms without rebuilding virtual machines from scratch or moving data.

VMM allows you to copy existing VMware virtual machines and create Hyper-V virtual machines. You can copy VMware virtual machines that are on an ESX Server host, in the VMM library, or on a Windows share. Although V2V is called a conversion, V2V is a read-only operation that does not delete or affect the original source virtual machine. Also, the term conversion is dedicated only to the process of converting VMware virtual machines. The term migration is used for Virtual Server machines.

During the conversion process, VMM converts the VMware .vmdk files to .vhd files, and makes the operating system on the virtual machine compatible with Microsoft virtualization technologies. The virtual machine that the wizard creates matches the VMware virtual machine properties, including name, description, memory, and disk-to-bus assignment.

Considerations for Deploying a Highly Available VMM Server
VMM now supports a highly available VMM server. You can use failover clustering to achieve high availability for VMM, because VMM is now a cluster-aware application. However, you should consider several things before you deploy a VMM cluster.
Before you begin the installation of a highly available VMM management server, ensure the following:

• You have installed and configured a failover cluster that is running Windows Server 2008 R2, Windows Server 2008 R2 SP1, or Windows Server 2012.

• All computers on which you install the highly available VMM management server meet the minimum hardware requirements, and all prerequisite software is installed on all computers.

• You have created a domain account to be used by the VMM service. You must use a domain user account for a highly available VMM management server.

• You are prepared to use distributed key management to store encryption keys in AD DS. You must use distributed key management for a highly available VMM management server.

• You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008 R2, VMM will not automatically install a SQL Server Express edition.

Highly Available Databases and Library Servers
To achieve full redundancy, we recommend that you use a highly available SQL Server. You should install a highly available SQL Server on a separate failover cluster from the failover cluster on which you are installing the highly available VMM management server. Similarly, we also recommend that you use a highly available file server for hosting your library shares.

Self Service Portal and Clustered VMM Server
For best practices, do not install the VMM Self-Service Portal on the same computer as the highly available VMM management server. If your VMM Self-Service Portal currently resides on the same computer as the VMM server, we recommend that you uninstall the VMM Self-Service Portal for VMM 2008 R2 SP1 before upgrading to VMM. We also recommend that you install the VMM Self-Service Portal on a highly available web server to achieve redundancy and load balancing.

Failover Cluster Manager


You cannot perform a planned failover (for example, to install a security update or do maintenance on a
cluster node) by using the VMM console. Instead, to perform a planned failover, use the Failover Cluster
Manager console.

During a planned failover, ensure that there are no tasks actively running on the VMM management
server. Any tasks that are executing during a failover will be stopped and will not restart automatically.
Any connections to a highly available VMM management server from the VMM console or the VMM Self-
Service Portal will also be lost during a failover. However, the VMM console can reconnect automatically
to the highly available VMM management server after a failover if it was opened before you performed
failover to another VMM server.

Lab: Implementing Failover Clustering with Hyper-V


Scenario
The initial deployment of virtual machines on Hyper-V is very successful for A. Datum. As a next step in
the deployment, A. Datum is now considering ways to ensure that the services and applications deployed
on the virtual machines are highly available. As part of the implementation of high availability for most
network services and applications, A. Datum is also considering options for making the virtual machines
that run on Hyper-V highly available.
As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with
failover clustering in order to ensure that the virtual machines deployed on Hyper-V are highly available.
You are responsible for planning the virtual machine and storage configuration, and for implementing the
virtual machines as highly available services on the failover cluster. Also, you are considering other
techniques for virtual machine high availability, such as Hyper-V Replica.

Lab Setup
Estimated time: 75 minutes

Virtual Machines 20417A-LON-DC1


20417A-LON-SVR1

User Name Adatum\Administrator

Password Pa$$w0rd

This lab should be performed with a partner. To perform this lab, you must boot the host computers
to Windows Server 2012. The host computers should be in this state from the previous lab in Module 8.
Make sure that you and your partner have booted into different hosts (one should boot to LON-Host1
and the other should boot to LON-Host2). Also, make sure that LON-DC1 is imported on LON-Host1 and
LON-SVR1 is imported on LON-Host2, and that these VMs are started.

Exercise 1: Configuring Hyper-V Replicas


Scenario
Before you start with the cluster deployment, you decided to evaluate a new technology in Hyper-V 3.0 for
replicating virtual machines between hosts. You want to be able to manually bring up a copy of a virtual
machine on another host if the active copy (or its host) fails.

The main tasks for this exercise are as follows:

1. Import LON-CORE virtual machine on LON-HOST1.

2. Configure a replica on both host machines.

3. Configure replication for LON-CORE virtual machine.

4. Validate a planned failover to the replica site.



X Task 1: Import LON-CORE virtual machine on LON-HOST1


• On LON-HOST1, open Hyper-V Manager and import the 20417A-LON-CORE virtual machine.
o Use path E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-CORE
o Accept default values.

Note: The drive letter may be different based upon the number of drives on the physical
host machine.

X Task 2: Configure a replica on both host machines


1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server.
o Use Kerberos (HTTP) for authentication.
o Enable replication from any authenticated server.
o Create and use the folder E:\VMReplica as the default location to store replica files.
2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.

Task 3: Configure replication for LON-CORE virtual machine


1. On LON-HOST1, enable replication for the 20417A-LON-CORE virtual machine.
o Use Kerberos (HTTP).
o Select to keep only the latest recovery point.
o Start replication immediately.
2. Wait for the initial replication to finish, and then make sure that the 20417A-LON-CORE VM appears in
the Hyper-V Manager console on LON-HOST2.

Task 4: Validate a planned failover to the replica site


1. On LON-HOST2, view replication health for 20417A-LON-CORE.

2. On LON-HOST1, perform a planned failover to LON-HOST2. Verify that 20417A-LON-CORE is running
on LON-HOST2.

3. On LON-HOST1, remove replication for 20417A-LON-CORE.

4. On LON-HOST2, shut down 20417A-LON-CORE.

Results: After completing this exercise, you will have configured Hyper-V Replica.
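The same exercise carried out in PowerShell, as an added example that is not part of the course lab. It is run from an elevated session on LON-HOST1 and remotes to LON-HOST2 (the primary-side commands run locally so that no second Kerberos hop is needed). Host, VM, folder and firewall-rule names are the ones the lab uses; the polling loop, the `$using:` remoting syntax (PowerShell 3.0, shipped with Windows Server 2012) and the clean-up of the replica side are this example's own choices.

```powershell
# Added example (not part of the course lab): Exercise 1 as PowerShell, run on
# LON-HOST1. Names come from the lab text; the wait loop and the replica-side
# clean-up are this example's additions.

$vm      = '20417A-LON-CORE'
$replica = 'LON-HOST2'

# Task 2: both hosts become Replica servers that accept Kerberos (HTTP, port 80)
# from any authenticated server and keep replica files under E:\VMReplica; the
# matching inbound listener rule is switched on in Windows Firewall.
$configureReplicaServer = {
    New-Item -Path 'E:\VMReplica' -ItemType Directory -Force | Out-Null
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $true `
        -DefaultStorageLocation 'E:\VMReplica'
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}
& $configureReplicaServer                                                   # LON-HOST1 (this host)
Invoke-Command -ComputerName $replica -ScriptBlock $configureReplicaServer  # LON-HOST2

# Task 3: replicate the VM to LON-HOST2 over Kerberos, keep only the latest
# recovery point (RecoveryHistory 0) and start the initial copy immediately.
Enable-VMReplication -VMName $vm -ReplicaServerName $replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -RecoveryHistory 0
Start-VMInitialReplication -VMName $vm

# Block until the initial copy is done and the VM sits in the steady
# 'Replicating' state; by then it is listed in Hyper-V Manager on LON-HOST2.
do {
    Start-Sleep -Seconds 30
    $state = (Get-VM -Name $vm).ReplicationState
    "$vm replication state: $state"
} while ($state -ne 'Replicating')

# Task 4: replication health as seen from the replica side.
Invoke-Command -ComputerName $replica -ScriptBlock { Measure-VMReplication -VMName $using:vm }

# Planned failover: the primary copy must be off; -Prepare ships the last
# changes to the replica, which is then failed over and started.
Stop-VM -Name $vm
Start-VMFailover -VMName $vm -Prepare
Invoke-Command -ComputerName $replica -ScriptBlock {
    Start-VMFailover -VMName $using:vm
    Start-VM -Name $using:vm
    (Get-VM -Name $using:vm).State      # expect 'Running' on LON-HOST2
}

# Clean-up as in the lab (remove the relationship on LON-HOST1, shut the VM
# down on LON-HOST2); the replica-side Remove-VMReplication is an addition so
# that no half-configured relationship is left behind on that host.
Remove-VMReplication -VMName $vm
Invoke-Command -ComputerName $replica -ScriptBlock {
    Remove-VMReplication -VMName $using:vm
    Stop-VM -Name $using:vm
}
```

Set-VMReplicationServer with -ReplicationAllowedFromAnyServer $true is the lab's "any authenticated server" choice; in production you would normally restrict the allowed primary servers instead, so that only known hosts can push a VM image onto the replica.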

Exercise 2: Configuring a Failover Cluster for Hyper-V


Scenario
A. Datum has several virtual machines that are hosting important services that must be highly available.
Because these services are not cluster-aware, A. Datum decided to implement failover clustering at the
Hyper-V host level. You plan to use iSCSI drives as storage for these virtual machines.

The main tasks for this exercise are as follows:

1. Connect to iSCSI target from both host machines.

2. Configure failover clustering on both host machines.


3. Configure disks for failover cluster.

Task 1: Connect to iSCSI target from both host machines


1. On LON-HOST1, start iSCSI Initiator.

2. Use the 172.16.0.21 address to discover and connect to the iSCSI target.

3. On LON-HOST2, start iSCSI Initiator.

4. Use the 172.16.0.21 address to discover and connect to the iSCSI target.

5. On LON-HOST2, open Disk Management, and then initialize and bring online all iSCSI drives.

o Format the first drive and name it ClusterDisk.

o Format the second drive and name it ClusterVMs.

o Format the third drive and name it Quorum.

6. On LON-HOST1, open Disk Management and bring online all three iSCSI drives.

Task 2: Configure failover clustering on both host machines


1. On LON-HOST1 and LON-HOST2, install the Failover Clustering feature.

2. On LON-HOST1, create a failover cluster:

o Add LON-HOST1 and LON-HOST2.

o Name it VMCluster.

o Assign the 172.16.0.126 address.

o Deselect the option to Add all eligible storage to the cluster.

Task 3: Configure disks for failover cluster


1. In Failover Cluster Manager on LON-HOST1, add all three iSCSI disks to the cluster.

2. Verify that all three iSCSI disks appear available for cluster storage.

3. Add the disk with the volume name of ClusterVMs to Cluster Shared Volumes.

4. From the VMCluster.adatum.com node, select More Actions, and then configure the Cluster
Quorum Settings to use typical settings.
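The three tasks of this exercise in PowerShell, as an added example that is not part of the course lab. It runs on LON-HOST1 and remotes to LON-HOST2; node names, portal address, cluster name and IP, and the three volume labels are the lab's, while the `Get-ClusterDiskByLabel` helper and the GUID matching it performs (so that the CSV and witness disks are chosen by label rather than by guessing the "Cluster Disk N" resource name) are this example's own approach.

```powershell
# Added example (not part of the course lab): Exercise 2 as PowerShell, run on
# LON-HOST1. The label-to-GUID mapping and Get-ClusterDiskByLabel are this
# example's additions; everything else mirrors the lab steps.

$cluster = 'VMCluster'
$portal  = '172.16.0.21'
$labels  = 'ClusterDisk', 'ClusterVMs', 'Quorum'

# Task 1: both nodes discover the portal and connect persistently to every
# target it offers (the lab's "discover and connect").
$connectIscsi = {
    param($portalAddress)
    Set-Service MSiSCSI -StartupType Automatic
    Start-Service MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $portalAddress | Out-Null
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
}
& $connectIscsi $portal                                                    # LON-HOST1 (this host)
Invoke-Command -ComputerName 'LON-HOST2' -ScriptBlock $connectIscsi -ArgumentList $portal

# Shared LUNs are prepared from ONE node only (LON-HOST2, as in the lab). The
# hashtable that comes back maps each volume label to the disk GUID, which is
# how the cluster resource for that disk is located again in Task 3.
$diskGuidByLabel = Invoke-Command -ComputerName 'LON-HOST2' -ArgumentList (,$labels) -ScriptBlock {
    param([string[]]$labels)
    $map   = @{}
    $disks = Get-Disk | Where-Object BusType -eq 'iSCSI' | Sort-Object Number
    for ($i = 0; $i -lt $labels.Count; $i++) {
        $n = $disks[$i].Number
        Set-Disk -Number $n -IsOffline $false
        Set-Disk -Number $n -IsReadOnly $false
        Initialize-Disk -Number $n -PartitionStyle GPT
        New-Partition -DiskNumber $n -UseMaximumSize |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$i] -Confirm:$false | Out-Null
        $map[$labels[$i]] = (Get-Disk -Number $n).Guid.Trim('{}')
    }
    $map
}
Get-Disk | Where-Object BusType -eq 'iSCSI' | Set-Disk -IsOffline $false    # LON-HOST1: online only

# Task 2: the feature on both nodes, cluster validation, then a cluster that
# deliberately takes no storage (the lab deselects "Add all eligible storage").
Install-WindowsFeature Failover-Clustering -IncludeManagementTools
Install-WindowsFeature Failover-Clustering -IncludeManagementTools -ComputerName 'LON-HOST2'
Test-Cluster -Node 'LON-HOST1', 'LON-HOST2'            # read the validation report before going on
New-Cluster -Name $cluster -Node 'LON-HOST1', 'LON-HOST2' -StaticAddress '172.16.0.126' -NoStorage

# Task 3: add the three disks, then pick them by label. A Physical Disk
# resource carries the disk GUID in its private property DiskIdGuid.
Get-ClusterAvailableDisk -Cluster $cluster | Add-ClusterDisk

function Get-ClusterDiskByLabel {
    param([string]$Cluster, [hashtable]$GuidByLabel, [string]$Label)
    Get-ClusterResource -Cluster $Cluster |
        Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
        Where-Object {
            ($_ | Get-ClusterParameter -Name DiskIdGuid).Value.Trim('{}') -eq $GuidByLabel[$Label]
        }
}

Get-ClusterDiskByLabel -Cluster $cluster -GuidByLabel $diskGuidByLabel -Label 'ClusterVMs' |
    Add-ClusterSharedVolume                 # mounted as C:\ClusterStorage\Volume1 on every node
$witness = Get-ClusterDiskByLabel -Cluster $cluster -GuidByLabel $diskGuidByLabel -Label 'Quorum'
Set-ClusterQuorum -Cluster $cluster -NodeAndDiskMajority $witness.Name   # the typical choice for two nodes
Get-ClusterSharedVolume -Cluster $cluster
```

Formatting the LUNs from a single node matters: two nodes initializing the same shared disk concurrently corrupt it, which is why the lab has LON-HOST1 only bring the disks online.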

Exercise 3: Configuring a Highly Available Virtual Machine


Scenario
After you have configured the Hyper-V failover cluster, you want to add virtual machines as highly
available resources. You also want to evaluate Live Migration and test storage migration.

The main tasks for this exercise are as follows:

1. Move Virtual Machine Storage to iSCSI Target.

2. Configure the Virtual Machine as Highly Available.

3. Perform a Live Migration for the Virtual Machine.


4. Perform a Storage Migration for the Virtual Machine.

5. Prepare for the next module.



Task 1: Move Virtual Machine Storage to iSCSI Target


1. Make sure that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, move the ClusterVMs disk
to LON-HOST1.

2. On LON-HOST1, open Windows Explorer, browse to E:\Program Files\Microsoft Learning
\20417\Drives\20410A-LON-CORE\Virtual Hard Disks, and move the 20417A-LON-CORE.vhd
virtual hard drive file to the C:\ClusterStorage\Volume1 location.

Task 2: Configure the Virtual Machine as Highly Available


1. In Failover Cluster Manager, click the Roles node, and then start the New Virtual Machine wizard.

o Select LON-HOST2 as the cluster node.

o Name the computer TestClusterVM.

o Store the file at C:\ClusterStorage\Volume1.

o Assign 1536 MB of RAM to TestClusterVM.

o Connect the machine to the existing virtual hard disk 20417A-LON-CORE.vhd located at
C:\ClusterStorage\Volume1.

2. From the Roles node, start the virtual machine.

Task 3: Perform a Live Migration for the Virtual Machine


1. On LON-HOST2, in Failover Cluster Manager, start a Live Migration of TestClusterVM from
LON-HOST2 to LON-HOST1.

2. Connect to TestClusterVM and make sure that you can operate it.

Task 4: Perform a Storage Migration for the Virtual Machine


1. On LON-HOST1, open Hyper-V Manager and start LON-GUEST1.

2. Perform a Move operation on LON-GUEST1. Move the VM from its current location to C:\GUEST1.

3. Check whether the machine remains operational during the move process.

4. When complete, shut down all running virtual machines.
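The four tasks of this exercise in PowerShell, as an added example that is not part of the course lab. It runs on LON-HOST1 and remotes to LON-HOST2 only to create the VM. Cluster, node, VM and path names are the lab's; the lab text prints 20410A in the source folder of Task 1, whereas the folder imported in Exercise 1 is 20417A-LON-CORE, which this example assumes. Polling the VM state while the storage move runs is this example's way of answering Task 4's "is the machine operational during the move" question.

```powershell
# Added example (not part of the course lab): Exercise 3 as PowerShell, run on
# LON-HOST1. The 20417A source folder and the state-polling loop are this
# example's assumptions; names otherwise follow the lab.

$cluster = 'VMCluster'
$csvPath = 'C:\ClusterStorage\Volume1'
$vhdName = '20417A-LON-CORE.vhd'
$vhdSrc  = "E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-CORE\Virtual Hard Disks\$vhdName"

# Task 1: the CSV must be owned by LON-HOST1 before the VHD is moved onto it.
$csv = Get-ClusterSharedVolume -Cluster $cluster
if ($csv.OwnerNode.Name -ne 'LON-HOST1') {
    Move-ClusterSharedVolume -Cluster $cluster -Name $csv.Name -Node 'LON-HOST1'
}
Move-Item -Path $vhdSrc -Destination $csvPath

# Task 2: create the VM on LON-HOST2 against the VHD now on the CSV, register
# it as a clustered role and start it through the cluster, not Hyper-V Manager.
Invoke-Command -ComputerName 'LON-HOST2' -ScriptBlock {
    New-VM -Name 'TestClusterVM' -MemoryStartupBytes 1536MB `
        -Path $using:csvPath -VHDPath (Join-Path $using:csvPath $using:vhdName)
}
Add-ClusterVirtualMachineRole -Cluster $cluster -VMName 'TestClusterVM'
Start-ClusterGroup -Cluster $cluster -Name 'TestClusterVM'

# Task 3: live-migrate the running VM from LON-HOST2 to LON-HOST1, then show
# the new owner and that the role is still Online.
Move-ClusterVirtualMachineRole -Cluster $cluster -Name 'TestClusterVM' -Node 'LON-HOST1' -MigrationType Live
Get-ClusterGroup -Cluster $cluster -Name 'TestClusterVM' | Format-Table Name, OwnerNode, State -AutoSize

# Task 4: storage migration of a non-clustered VM while it keeps running. The
# move runs as a background job so the VM state can be sampled meanwhile;
# it is expected to stay 'Running' for every sample.
Start-VM -Name 'LON-GUEST1'
$job = Start-Job -ScriptBlock { Move-VMStorage -VMName 'LON-GUEST1' -DestinationStoragePath 'C:\GUEST1' }
while ($job.State -eq 'Running') {
    "{0}  LON-GUEST1 state: {1}" -f (Get-Date -Format 'HH:mm:ss'), (Get-VM -Name 'LON-GUEST1').State
    Start-Sleep -Seconds 5
}
Receive-Job -Job $job
Remove-Job -Job $job
(Get-VM -Name 'LON-GUEST1').Path        # now under C:\GUEST1

# Clean-up: shut down every running VM on both hosts.
Invoke-Command -ComputerName 'LON-HOST1', 'LON-HOST2' -ScriptBlock {
    Get-VM | Where-Object State -eq 'Running' | Stop-VM
}
```

Starting the clustered VM with Start-ClusterGroup rather than Start-VM keeps the cluster's view of the role consistent; a VM started outside the cluster can end up with a role state that does not match what Hyper-V reports.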

To prepare for the next module


• Restart both host machines, and select to boot to Windows Server 2008 R2. Log on to the host
machines as directed by your instructor.

Module Review and Takeaways


Best Practices
• Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identically as possible. To make sure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSV volumes.

• Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.

Common Issues and Troubleshooting Tips


Common Issue                                                                      Troubleshooting Tip

Virtual machine failover fails after I implement CSV and migrate the shared
storage to CSV.

A virtual machine fails over to another node in the host cluster, but loses all
network connectivity.

Four hours after restarting a Hyper-V host that is a member of a host cluster,
there are still no virtual machines running on the host.

Review Question
Do you have to implement CSV in order to provide high availability for virtual machines in VMM in
Windows Server 2008 R2?

Module 10
Implementing Dynamic Access Control
Contents:
Module Overview 10-1

Lesson 1: Overview of Dynamic Access Control 10-2

Lesson 2: Planning for a Dynamic Access Control Implementation 10-8

Lesson 3: Implementing and Configuring Dynamic Access Control 10-13

Lab: Implementing Dynamic Access Control 10-22

Module Review and Takeaways 10-31

Module Overview
Windows Server 2012 introduces Dynamic Access Control for enhancing access control for file- and
folder-based resources. Dynamic Access Control extends regular New Technology File System (NTFS)-
based access control by enabling administrators to use claims, resource properties, rules and conditional
expressions to manage access. In this module you will learn about Dynamic Access Control and how to
plan for and implement it.

Objectives
After completing this module, you will be able to:

• Describe Dynamic Access Control and its components.


• Plan for Dynamic Access Control implementation.

• Configure Dynamic Access Control.


Lesson 1
Overview of Dynamic Access Control
Dynamic Access Control is a new technology for access management in Windows Server 2012. It offers a
new way of controlling access to resources. Before you implement this technology, you should learn how
it works and which components it uses. This lesson presents an overview of Dynamic Access Control.

Lesson Objectives
After completing this lesson, you will be able to:

• Define Dynamic Access Control.

• Describe the foundation technologies for Dynamic Access Control.

• Compare Dynamic Access Control with alternative or similar technologies, such as NTFS permissions
and Active Directory Rights Management Services (AD RMS).

• Define identity.

• Define claim and claim types.

• Define Central Access Policy.

What Is Dynamic Access Control?
Because most of the data in an organization is stored on file servers, IT administrators must help provide
security and access control to file server resources. In previous versions of Windows Server, most access
control to file server resources was controlled by using NTFS permissions and access control lists.

Dynamic Access Control in Windows Server 2012 is a new access control mechanism for file-system
resources. It enables administrators to define central file-access policies that can apply to every file server
in the organization. Dynamic Access Control helps implement security over file servers, in addition to any
existing share and NTFS permissions. Dynamic Access Control ensures that regardless of how the share and
NTFS permissions might change, this central overriding policy is still enforced. What Dynamic Access
Control does is combine multiple criteria into the access decision. This is something that NTFS
permissions can't achieve.

Dynamic Access Control provides:

• Data identification. You can use automatic and manual classification of files to tag data in file servers
across the organization.

• Access control to files. Central access policies enable organizations to define (for example) who can
access health information within the organization.

• Auditing of access to files. Central audit policies for compliance reporting and forensic analysis. For
example, you can identify who accessed highly sensitive information.

• Optional RMS protection integration. Automatic Rights Management Services (RMS) encryption for
sensitive Microsoft® Office documents. For example, you can configure RMS to encrypt all documents
containing Health Insurance Portability and Accountability Act (HIPAA) information.

Dynamic Access Control focuses on four main end-to-end scenarios:

• Central access policy for access to files. Enable organizations to set safety net policies that reflect
the business and regulatory compliance.

• Auditing for compliance and analysis. Enable targeted auditing across file servers for compliance
reporting and forensic analysis.

• Protecting sensitive information. Identify and protect sensitive information both in a Windows
Server 2012 environment and when it leaves the Windows Server 2012 environment.

• Access denied remediation. Improve the access denied experience to reduce the helpdesk load and
incident time for troubleshooting.

Dynamic Access Control provides a flexible way to apply and manage access and auditing to
domain-based file servers. Dynamic Access Control uses claims in the authentication token, resource
properties on the resource, and conditional expressions within permission and auditing entries. With this
combination of features, you can now grant access to files and folders based on Active Directory attributes.

Foundation Technologies for Dynamic Access Control
Dynamic Access Control combines many Windows Server 2012 technologies to provide a robust, flexible,
and granular authorization and auditing experience. Dynamic Access Control uses these fundamental
technologies:

• Network protocols, such as TCP/IP, Remote Procedure Call (RPC), Server Message Block (SMB), and
Lightweight Directory Access Protocol (LDAP). For network communications between hosts, interaction
with the file system, and directory lookups, respectively.

• Domain Name System (DNS). For host name resolution.

• Active Directory Domain Services (AD DS) and its dependent technologies. For enterprise network
management.

• The Microsoft Kerberos v5 implementation including FAST Search and Compound Identity. For
secure authentication.

• Windows Security (local security authority [LSA], Netlogon). For secure logon transactions.

• File Classifications. For file categorization.

• Auditing. For secure monitoring and accountability.

Several components and technologies were updated in Windows Server 2012 to support Dynamic Access
Control. The most important updates are:

• A new Windows authorization and audit engine that can process conditional expressions and central
policies.

• Kerberos authentication support for user claims and device claims.

• Improved File Classification Infrastructure.

• Optional Rights Management Services (RMS) extensibility support so that partners can provide
solutions that encrypt non-Office files.

Dynamic Access Control Versus Alternative Technologies
Dynamic Access Control is a new technology for controlling access to file-based resources. It does not
overlap with older, well-known technologies with a similar purpose. Instead, Dynamic Access Control
extends the functionality of older technologies for controlling file-based resource access.

In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS
permissions. By using NTFS permissions and their Access Control Lists (ACLs), administrators can control
access to resources, based on user name or group membership, and the level of access, such as Read-only,
Change, Full Control, etc. However, once you provide someone with, for example, Read-only access to a
document, you cannot prevent that person from copying the content of that document into a new
document or printing the document. By implementing AD RMS, you can establish an additional level of
control. Unlike NTFS permissions, which are not application aware, AD RMS sets a policy that can control
document access inside the application that is being used to open it. By implementing AD RMS, you
enable users to additionally protect documents within applications.

However, you cannot set conditional access to files by using NTFS and AD RMS. For example, you cannot
set NTFS permissions in a way that users can access a document if they are a member of some specific
group and have the attribute EmployeeType set to FTE. Or, you might want to set permissions so that only
users that have a department attribute populated with the same value as the department attribute for the
resource can access the content. You can accomplish this by using conditional expressions.

For these scenarios, in Windows Server 2012, you can use Dynamic Access Control. In simple terms,
Dynamic Access Control enables you to take attribute values on user or resource objects into account
when providing or denying access.

What Is an Identity?
We usually define identity as a set of data that uniquely describes a person or a thing (sometimes referred
to as subject or entity) and contains information about the subject's relationships to other entities. Identity
is usually proved by using some trusted source of information. For example, when you go to the airport,
you show your passport. Your passport contains your name, address, date of birth, and photograph. Each
item of personal information is a claim that is made about you by the country issuing your passport. Your
country ensures the information published in a passport is accurate for the passport owner. Since you
usually use the passport outside of your country of residence, other countries must also trust the
information in your passport. They must trust the organization that issued your passport and consider it
reliable. Based on that trust, other countries grant you access to their territory (which can be considered as
a resource).

In other words, to access resources in other countries, each person is required to have a document
(passport) that is issued by a reliable and trusted source and that contains some critical claims that
describe the person.

The Windows operating system uses a similar concept of identity. An administrator creates a user account
for a person in AD DS. The domain controller publishes user account information, such as a security
identifier, and group membership attributes. Windows creates an authorization token when a user
accesses a resource. To continue the analogy, you are the user. The authorization token is the passport.
Each unique piece of information in the authorization token is a claim made about your user account.
Domain controllers publish these claims. Domain-joined computers and domain users trust domain
controllers to provide authoritative information.

We can then say that identity, with respect to authentication and authorization, is simply information
published about an entity from a trusted source. The information is considered authoritative because the
source is trusted.

Earlier versions of Windows Server used the security identifier (SID) to represent the identity of a user or
computer. Users authenticate to the domain with a specific user name and password. The unique logon
name translates into the SID. The domain controller validates the password and publishes the SID of the
security principal and the SIDs of all the groups of which the principal is a member. The domain controller
"claims" the user's SID is valid and should be used as the identity of the user. All domain members trust
the domain controller; therefore, the response is treated as authoritative.

Identity is not limited to the user's SID. Applications can use any information about the user as a form of
identity, provided that the application trusts the source of the information to be authoritative. For
example, many applications implement role-based access control. Role-based access control limits access
to resources based on whether the user is a member of a specific role. SharePoint Server is a good example
of software that implements role-based security. Windows Server 2012 can also take advantage of these
options to extend and enhance the way identity is determined for a security principal.

What Is a Claim?
Windows Server 2008 and Windows Server 2003 use claims in Active Directory Federation Services
(AD FS). In this context, claims are statements made about users (for example, name, identity, key, group,
privilege, or capability), which are understood by both partners in an AD FS federation. AD FS also
introduced AD DS-based claims and the ability to convert AD DS-based claim data into Secure Application
Markup Language (SAML) format. In previous versions of AD FS, the only attributes that could be retrieved
from AD DS and directly incorporated into a claim was SID information for user and group accounts. All
other claim information was defined within and referenced from a separate database, known as an
attribute store. New in Windows Server 2012 is the capability to read and use any attribute directly from
AD DS. It is not necessary to use a separate AD FS attribute store to hold this type of information for
Active Directory-based computer or user accounts.

By definition, a claim is something that AD DS states about a specific object (usually a user or computer).
A claim provides some information from a trusted source about an entity. Some examples of claims are the
SID of a user or computer, the department classification of a file, and the health state of a computer. All
these claims state something about a specific object. In more technical language, claims state the value of
a specific attribute of a user or computer object.

An entity can contain more than one claim. When configuring resource access, any combination of those
claims can be used to authorize access to resources.

In Windows Server 2012, the authorization mechanism is extended so that you can use claims for
authorization on files and folders, besides using just NTFS permissions based on the user's SID or group
SIDs. By using claims, you can now base your access control not only on the SID, but also on other
attribute values. Because the SID is also an attribute of a user or computer object, we can say that older
authorization mechanisms are, in a way, subsets of claims-based authorization. Windows Server 2012
introduces two new types of claims: user claims and device claims. Windows Server 2012 continues to
enable you to use group membership for authorization decisions.

User Claim
A user claim is information provided by a Windows Server 2012 domain controller about a user. Windows
Server 2012 domain controllers can use most AD DS user attributes as claim information. This provides
administrators with a wide range of possibilities to configure and use claims for access control.

Device Claim
A device claim is information provided by a Windows Server 2012 domain controller about a device
represented by a computer account in AD DS. As with a user claim, a device claim, often called a
computer claim, can use most of the AD DS attributes that are applicable to computer objects.

What Is a Central Access Policy?
One of the fundamental components in Dynamic Access Control technology is Central Access Policy. It is a
feature in Windows Server 2012 that enables administrators to create a policy that is applied to one or
more file servers. This policy is created in Active Directory Administrative Center, stored in AD DS, and
applied by using Group Policy. Central Access Policy contains one or more Central Access Policy rules. Each
rule contains settings that determine applicability and permissions.

Before you create Central Access Policy, it is mandatory that you create at least one Central Access Rule.
Central Access Rule defines all parameters and conditions that control access to a specific resource.

A central access rule has three configurable parts:

• Name: For each Central Access Rule you should configure a descriptive name.

• Target resources: A condition that defines which data the policy applies to. This is defined by
specifying an attribute and its value. For example, a particular central policy might apply to any data
classified as Sensitive. You can also choose to apply the rule to all resources where the Central Access
Policy applies.

• Permissions: A list of one or more access control entries (ACEs) that define who can access the data.
For example, you can specify Full Control access to a user with the attribute EmployeeType populated
with FTE. This is the key component of each Central Access Rule. You can combine and group the
conditions that you place in a central access rule. You can set permissions as proposed (for staging
purposes) or current.

After you configure one or more central access rules, you then place these rules in a Central Access Policy,
which is applied to the resources.

Central Access Policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACLs) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central policy that is applied to the file restricts access to the
same user, the user cannot obtain access to the file. Likewise, if the central access policy allows access but
the DACL does not allow access, then the user cannot obtain access to the file.

Before you implement Central Access Policy, you should perform these steps:

1. Create claims and connect them with attributes on user or computer objects.

2. Create file property definitions.

3. Create one or more Central Access Rules.

4. Create a Central Access Policy object and place the rules in it.

5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a
Central Access Policy exists in AD DS.

6. On the file server, apply that policy to a specific shared folder.


Lesson 2
Planning for a Dynamic Access Control Implementation
Dynamic Access Control is a technology that requires detailed planning before implementation. You
should identify reasons to implement Dynamic Access Control, as well as plan for Central Access Policy,
file classifications, auditing and access denied assistance. In this lesson, you will learn about planning
Dynamic Access Control.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe reasons for implementing Dynamic Access Control.

• Plan for Central Access Policy.

• Plan for File Classifications.

• Plan for File Access Auditing.

• Plan for Access Denied Assistance.

• Plan for policy changes.

Reasons for Implementing Dynamic Access Control
Before you implement Dynamic Access Control, you should clearly identify the reasons for
implementation. This technology should be well designed before implementation, so it is very important
to have a business case that requires implementation of Dynamic Access Control. An improperly planned
implementation can result in some users being denied access to data they need, while other users are
inappropriately granted access to data to which they should otherwise be restricted.

The most common reason to implement Dynamic Access Control is to extend the functionality of an
existing model for access control management. Most companies use NTFS and share permissions to
implement access control for file and folder resources. In most cases, NTFS is sufficient, but in some
scenarios it does not work. For example, you cannot use an NTFS ACL to protect a resource on a file server
so that a user must be a member of two groups at the same time to access the resource. This relatively
simple scenario requires a new technology.

In general, you must use Dynamic Access Control instead of traditional methods for implementing access
control when you want to use more specific information for authorization purposes. NTFS and share
permissions use only user or group objects, but if you want to implement more complex access control
scenarios, you should use Dynamic Access Control.
Planning for Central Access Policy
Implementing Central Access Policy is not mandatory for Dynamic Access Control. However, for consistent
configuration of access control on all file servers, we recommend implementing Central Access Policy. By
doing that, you enable all file servers to use Central Access Policy when protecting content in shared
folders.

If you decide to implement Central Access Policy, you should make a detailed plan before
implementation. When planning Central Access Policy you must clearly identify and understand the
business requirements for implementing Central Access Policy and Dynamic Access Control.

You should first identify the resources that you want to protect. If all these resources are on one file
server or in just one folder, then you might not have to implement Central Access Policy. Instead, you can
configure conditional access on the folder's ACL. If resources are distributed across several servers or
folders, then you can benefit from deploying Central Access Policy. Examples of data that might require
protecting are payroll records, medical history data, employee personal information, company customer
lists, and so on. You can also use targeting within central access rules to identify resources where you want
to apply central access policy.

After you identify resources, you should define criteria for protection. This is usually defined by business
requirements. Some examples are:

• All documents that have the property confidentiality set to high must be available only to managers.

• Marketing documents from each country should be accessible only to marketing people from the
same country.

• Only full time employees should be able to access technical documentation from previous projects.

A central access policy is targeted to provide an easy interpretation from a business requirement language
to an authorization language.

The next step in the planning process is to translate the policies you require into expressions. In the case
of Dynamic Access Control, expressions are attributes associated with both the resources (files and folders)
and the user or device that seeks access to the resources. These expressions state additional identification
requirements that must be met in order to access protected data. Values associated with any expressions
on the resource obligate the user or device to produce the same value.

Next, you should break down the expressions that you created and determine what claim types, resource
properties, and device claims you must create to deploy your policies. In other words, you must identify
the attributes for access filtering.

Note: You are not required to use user claims to deploy central access policies. You can use
security groups to represent user identities.
Planning File Classifications
When planning implementation of Dynamic Access Control, you should include File Classifications in
complete scenarios. Although file classifications are not mandatory for Dynamic Access Control, they can
greatly enhance the automation of the entire process. For example, if you require that all documents with
classification Confidentiality: High must be accessible to top management only, regardless of the server on
which the documents exist, you should first ask yourself how you identify these documents, and how to
classify them appropriately.

File Classification Infrastructure uses classification rules to automatically scan files and classify them
according to the contents of the file. Classification properties are defined centrally in AD DS so that these
definitions can be shared across file servers in the organization. You can create classification rules that
scan files for a standard string or for a string that matches a pattern (regular expression). When a
configured classification parameter is found in a file, that file is classified as configured in the classification
rule.

When planning for file classifications, you should do the following:

• Identify which classification or classifications you want to apply on documents.

• Determine the method to identify documents for classification.

• Determine the schedule for automatic classifications.

• Establish a review of classification success.

You configure file classifications in the File Server Resource Manager console.

When you have defined the classifications, you can plan the implementation of Dynamic Access Control
by defining conditional expressions that enable you to control access to highly confidential documents
based on particular user attributes.

Planning File Access Auditing
In Windows Server 2008 R2 and Windows Server 2012, you can use new advanced audit policies to implement more detailed and more precise auditing on the file system. In Windows Server 2012, you can also implement auditing together with Dynamic Access Control to take advantage of the new Windows Security auditing capabilities. By using conditional expressions, you can configure auditing to be implemented only in specific cases. For example, you want to audit attempts to open shared folders only by users located in countries other than the country where the shared folder is located.

With Global Object Access Auditing, administrators can define computer SACLs per object type for either
the file system or registry. The specified SACL is then automatically applied to every object of that type.
You can use a Global Object Access Audit Policy to enforce the object access audit policy for a computer,
file share, or registry without configuring and propagating conventional SACLs. Configuring and
propagating SACLs is a more complex administrative task and it is difficult to verify, particularly if you
must verify to an auditor that security policy is being enforced.

Auditors can prove that every resource in the system is protected by an audit policy by just viewing the
contents of the Global Object Access Auditing policy setting.
Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access
Auditing policy to log all activity for a specific user and enabling the Access Failures audit policies in a
resource (file system, registry) can help administrators quickly identify which object in a system is denying
a user access.

You should make an audit plan before you implement any auditing. In the auditing plan you should
identify resources, users, and activities that you want to track. You can implement auditing for several
scenarios, such as:

• Tracking changes to user and machine attributes. As with files, users and machine objects can have
attributes, and changes to these can affect whether users can access files. Therefore it can be valuable
to track changes to user or machine attributes. Users and machine objects live in AD and therefore
changes to their attributes can be tracked using Directory Service Access Auditing.

• Get more information from user logon events. In Windows Server 2012, the user logon event (4624)
contains information about the attributes of the file that was accessed. You can take advantage of this
additional information by using audit log management tools to correlate user logon events with
object access events, and enabling event filtering based on both file attributes and user attributes.

• Provide more information from object access auditing. In Windows Server 2008 R2 and Windows
Server 2012, File Access events (4656, 4663) now contain information about the attributes of the file
that was accessed. This additional information can be used by event log filtering tools to help you
identify the most relevant audit events.

• Track changes to Central Access Policies, Central Access Rules and Claims. These objects define the
central policy that you can use to control access to critical resources. Tracking changes to these could
be important for the organization. Since all of these objects are stored in AD DS you can audit them
just as any other securable object in Active Directory by using the Directory Service Access Auditing.

• Tracking changes to file attributes. File attributes determine which Central Access Policy applies to the
file. A change to the file attributes can potentially affect the access restrictions on the file. You can
track changes to file attributes on any machine by configuring Authorization Policy Change auditing
and Object Access auditing for File Systems. Event 4911 has been introduced to differentiate this
event from other Authorization policy change events.

Planning Access Denied Assistance
Access Denied Assistance helps end users to determine the reason why they cannot access a resource. It also helps IT staff to properly diagnose a problem and properly direct the resolution. Windows Server 2012 enables you to customize messages about access denied as well as to provide users with the ability to request access without contacting the help desk or IT team. In combination with DAC, Access Denied Assistance can inform the file administrator of the user and resource claims, enabling him to make educated decisions to adjust policies or fix user attributes (e.g. if department is written as HR instead of Human Resources).

When planning for Access Denied Assistance, you should include the following:

• Plan for the message that users see when they try to access a resource where they do not have access rights. It is important that the message is informal and easy to understand.

• Create the email text that users use to request access. If you allow users to request access for resources, you can prepare text that is added to the end of their email message.

• Determine the recipients for access request email messages. You can choose that email is sent to folder owners, file server administrators, or any other specified recipient. It is important that messages are always directed to the proper person. If you have a help desk tool or monitoring solution which allows emails, you can also direct those emails to automatically generate user requests in your helpdesk solution.

• Plan the target operating systems. Access Denied Assistance only works with Windows 8 or Windows Server 2012.

Planning Policy Changes
After you implement a Dynamic Access Control infrastructure you might have to implement changes. For example, you might have to change some conditional expression, or you might want to change claims. You must carefully plan any change to Dynamic Access Control components.

Windows Server 2012 enables you to stage policy changes. A change to Central Access Policy can severely affect access control. For example, a change could potentially grant more access than desired, or an overly restrictive change in policy could generate an excessive number of helpdesk calls. It is therefore important to test changes before implementation. For this purpose, Windows Server 2012 introduces the concept of staging. Staging enables users to verify their proposed policy changes before enforcing them. To use policy staging, proposed policies are deployed along with the enforced policies but do not actually grant or deny permissions. Instead, Windows logs an audit event (4818) any time the result of the access check using the staged policy is different from the result of an access check using the enforced policy.

Lesson 3
Implementing and Configuring Dynamic Access Control
To implement and configure Dynamic Access Control you must perform several steps and configure several objects. In this lesson, you will learn about implementing and configuring Dynamic Access Control.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe prerequisites for implementing Dynamic Access Control.

• Enable support in AD DS for Dynamic Access Control.

• Implement claims and resource property objects.

• Implement Central Access Policy.

• Implement File Access Auditing.

• Implement Access Denied Assistance.

• Implement File Classifications.

• Implement Dynamic Access Control.

Prerequisites for Implementing Dynamic Access Control
Because Dynamic Access Control is a new technology in Windows Server 2012, you must ensure that certain prerequisites are fulfilled before implementation.

To implement claims-based authorization for resource access, you must implement the following:

• Windows Server 2012 installed on the file server that hosts the resources being protected with Dynamic Access Control. The file server hosting the share must be a Windows Server 2012 file server to read claims and device authorization data from a Kerberos ticket, translate those SIDs and claims from the ticket into an authentication token, and compare the authorization data in the token against conditional expressions in the security descriptor.

• At least one Windows Server 2012 domain controller accessible by the Windows client computer in the user's domain. The new authorization and auditing mechanism requires extensions to AD DS. These new extensions build the Windows claim dictionary, which is where Windows stores claims for an Active Directory forest. Claims authorization also relies on the Kerberos Key Distribution Center (KDC). The Windows Server 2012 KDC contains Kerberos enhancements required to transport claims within a Kerberos ticket and Compound Identity. The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring. Kerberos armoring is an implementation of Flexible Authentication Secure Tunneling (FAST). It provides a protected channel between the LSA, Netlogon and the KDC.

• Windows Server 2012 domain controllers in each domain when using claims across a forest trust.

• Windows 8 client (required when using device claims). Older desktop operating systems do not support device claims.

Although a Windows Server 2012 domain controller is required, there is no requirement for having a Windows Server 2012 domain and forest functional level, unless you want to use claims across a forest trust. This means that you can also have domain controllers on Windows Server 2008 and Windows Server 2008 R2 with the forest functional level on Windows Server 2008.

Note: Implementing Dynamic Access Control in a multiple forest scenario has additional setup requirements.

Enabling Support in AD DS for Dynamic Access Control
After fulfilling software requirements for enabling Dynamic Access Control support, you must enable claim support for the Windows Server 2012 KDC. Kerberos support for Dynamic Access Control provides a mechanism for including user claim and device authorization information in a Windows authentication token. Access checks on resources, such as files and folders, use this authorization information to verify identity.

You should first use Group Policy to enable AD DS for Dynamic Access Control. Because this setting is specific to domain controllers, you can create a new Group Policy object (GPO) and link it to the Domain Controllers Organizational Unit (OU), or edit the Default Domain Controllers GPO that is already linked to that OU.

Whichever method you choose, you should open Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\KDC. In this node, open a setting called Support Dynamic Access Control and Kerberos armoring.

You can configure this policy setting by choosing one of the four listed options:

• Do not support Dynamic Access Control and Kerberos armoring

• Support Dynamic Access Control and Kerberos armoring

• Always provide claims and FAST RFC behavior

• Also fail unarmored authentication requests

Claims and Kerberos armoring support are disabled by default, which is the same as if this policy setting is not configured, or configured as Do not support Dynamic Access Control and Kerberos armoring.

The policy setting Support Dynamic Access Control and Kerberos armoring configures Dynamic Access Control and Kerberos armoring in a mixed-mode environment, when there is a mixture of Windows Server 2012 domain controllers and domain controllers running earlier versions of Windows Server.

You use the remaining policy settings when all the domain controllers are Windows Server 2012 domain controllers and the domain functional level is configured to Windows Server 2012. The Always provide claims and FAST RFC behavior policy setting and the Also fail unarmored authentication requests policy setting enable Dynamic Access Control and Kerberos armoring for the domain. However, the latter policy setting requires all Kerberos Authentication Service (AS) and Ticket-Granting Service (TGS) communication to use Kerberos armoring.

Windows Server 2012 domain controllers read this configuration while other domain controllers ignore this setting.

Implementing Claims and Resource Property Objects
After you enable support for Dynamic Access Control in AD DS, you next create and configure claims and resource property objects.

Creating and Configuring Claim Types
The primary method to create and configure claims is to use the Active Directory Administrative Center (ADAC) console. You use ADAC to create attribute-based claims, which are the most common. However, you can also use the Active Directory Module for Windows PowerShell® to create certificate-based claims. All claims are stored in the configuration partition of AD DS. Because this partition is forest wide, all domains within that forest share the claim dictionary, and domain controllers from those respective domains issue claim information during user and computer authentication.

If you want to create attribute-based claims in ADAC, you should navigate to the Dynamic Access Control node, and then open the Claim Types container. By default, no claim types are defined here.

In the Actions pane, when you click Create Claim Type, you see the list of attributes. These attributes (for user or computer objects) are used to source values for claims. When you create a claim, you associate the claim to the specific attribute. The value of that attribute is populated as a claim value. It is therefore important that information contained in Active Directory attributes that are used to source claim types contains accurate information, or remains blank.

When you select the attribute that you want to use to create a claim, you also must provide a name for the claim. The suggested name for the claim is always the same as the selected attribute name. However, you can also provide an alternate or more meaningful name for the claim. Optionally, you can also provide suggested values for a claim. This is not mandatory, but if you do it, you can reduce the possibility for making mistakes.

Note: Claim types are sourced from AD DS attributes. That is why you must configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer. Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute for the authenticating principal is empty. Depending on the configuration of the data file's Resource Property Object attributes, a null value in a claim may result in the user being denied access to DAC-protected data.

Creating and Configuring Resource Properties
Although evaluating resource properties is the very core of Dynamic Access Control, you should implement it after user and device claims have been defined. Keep in mind that if a claim does not match the specified resource property value, then access to the data is denied. To reverse the order of implementation, then, would risk inadvertently blocking users from data that they otherwise should be able to access. When you use claims to control access to files and folders, you must also provide additional information on these resources. You do this by configuring Resource Property objects. You manage Resource Property objects in the Resource Properties container in the Dynamic Access Control node in ADAC. You can create your own resource properties or you can use one of the preconfigured properties, such as Country, Department, Folder Usage, etc. All predefined Resource Property objects are disabled by default. If you want to use any of them, you should first enable it. If you want to create your own Resource Property object, you can specify the property type and allowed or suggested values. When you create Resource Property objects you can select properties to include on the files and folders. Windows uses the values in these properties with the values from user and device claims when evaluating file authorization and auditing.

After you have configured user and device claims and resource properties, you must then protect the files and folders using conditional expressions that evaluate user and device claims against values within resource properties, or constant values. You can do this in two ways. If you want to focus on specific folders, you can use the advanced security settings editor to create conditional expressions directly in the security descriptor. Alternatively, to cover several (or all) file servers, you can create Central Policy rules and link those rules to Central Policy objects. You can then deploy Central Policy objects to file servers using Group Policy and configure the share to use the Central Policy object. Using Central Access Policies is the most efficient and preferred method for securing files and folders. It is discussed in the next topic. If you want to cover certain files with a common set of properties across various folders or files, you can also use file classification.

You can use claim and resource property objects together in conditional expressions. Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions simply add another applicable layer to the permission entry. The results of all conditional expressions must evaluate to true for Windows to grant the permission entry for authorization. For example, if you define a claim Department for a user (with a source attribute department), and define a resource property object called Dept, you can define a conditional expression that says: a user can access a folder (with applied resource property objects) only if the user attribute department value is equal to the value of property Dept on the folder. Note, however, that if the resource property Dept has not been applied to the file(s) in question, or if Dept is a null value, then the user will be granted access to the data. To be clear: access is controlled not by the claim, but by the Resource Object. The claim must provide the correct value corresponding to the requirements set by the Resource Object. If the Resource Object does not involve a particular attribute, then additional or extra claim attributes associated with the user or device are ignored.
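The Department claim and Dept resource property described above, created with the Active Directory module as an added example that is not part of the course: it gives both objects one shared list of suggested values and then reports enabled users whose source attribute is empty or off-list, since such users get no usable claim. The claim ID ad://ext/Department, the department names and the function name are assumptions.

```powershell
# Added example, not from the course: the Department claim and the Dept
# resource property from the text, created with the Active Directory module.
Import-Module ActiveDirectory

# Suggested values keep administrators from typing "HR" on one file and
# "Human Resources" on another. The department names here are constructed.
$departments = @("Finance", "Human Resources", "Engineering") | ForEach-Object {
    # Constructor arguments: value, display name, description
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ department")
}

# 1. User claim type sourced from the 'department' attribute. The ID is fixed
#    (assumption: it is unused in this forest) so that conditional expressions
#    can reference it as @USER.ad://ext/Department.
$claim = New-ADClaimType -DisplayName "Department" `
                         -SourceAttribute "department" `
                         -ID "ad://ext/Department" `
                         -SuggestedValues $departments `
                         -Enabled $true `
                         -PassThru

# 2. Resource property 'Dept' that shares the claim's value list, so the file's
#    Classification tab offers exactly the values a user claim can carry.
$prop = New-ADResourceProperty -DisplayName "Dept" `
                               -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" `
                               -IsSecured $true `
                               -SharesValuesWith $claim `
                               -PassThru

# 3. File servers only download properties that belong to a resource property
#    list; Global Resource Property List is the built-in one.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $prop

# 4. A domain controller issues no Department claim when the source attribute is
#    empty, and an off-list value never matches a suggested value. Report both
#    before any rule depends on the claim. (Hypothetical helper, not an AD cmdlet.)
function Get-ClaimSourceProblem {
    param(
        [string]$Attribute = "department",
        [string[]]$AllowedValues = @()
    )
    Get-ADUser -Filter { Enabled -eq $true } -Properties $Attribute | ForEach-Object {
        $value = $_.$Attribute
        $problem = if ([string]::IsNullOrWhiteSpace($value)) { "empty (no claim issued)" }
                   elseif ($AllowedValues -and $value -notin $AllowedValues) { "not a suggested value" }
        if ($problem) {
            [pscustomobject]@{ User = $_.SamAccountName; Value = $value; Problem = $problem }
        }
    }
}

Get-ClaimSourceProblem -AllowedValues ($departments | ForEach-Object Value) | Format-Table -AutoSize
```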

Implementing Central Access Rules and Policy
Central Access Policy enables you to manage and deploy consistent authorization throughout the enterprise through Central Access Rules and Central Access Policy objects.

Central Access Policy helps act as a security net that an organization applies across its servers. You use Group Policy to deploy Central Access Policy, and you apply Central Access Policy to all file servers that will use Dynamic Access Control. Central Access Policy is not mandatory for using Dynamic Access Control. It just enables you to deploy a consistent configuration to several file servers.

The main component of Central Access Policy is Central Access Rule. In fact, Central Access Policy objects
represent a collection of Central Access Rule objects that you apply to Windows Server 2012 file servers
using Group Policy. You should create a Central Access Rule before you create Central Access Policy
because a Central Access Rule contains multiple criteria that Windows uses when evaluating access. A
Central Access Rule can use conditional expressions to target specific files and folders. Each Central
Access Rule has multiple permission entry lists that you use to manage the rule's current permission
entries, or proposed permission entries, or return the rule's current permission entry list to its last known
list of permission entries. Each Central Access Rule can be a member of one or more Central Access Policy
objects.

Configuring Central Access Rules

You typically create and configure Central Access Rules in Active Directory Administrative Center.
However, you can also use PowerShell to do the same thing.

When you start to create a new Central Access rule, you must first provide a name and description for the
rule. You can also choose to protect the rule against accidental deletion.

Next, you configure Target Resources. You use the Target Resource section to create a scope of
applicability for the access rule. You create the scope by using resource properties within one or more
conditional expressions. To make it simple, you can keep the default value (All resources), but usually you
apply some resource filtering. You can join these conditional expressions using logical operators, such as
AND and OR. Additionally, you can group conditional expressions together to combine the result of two
or more joined conditional expression. The Targeted Resource box displays the currently configured
conditional expression that is used to control the rule's applicability.

Finally, you configure permissions. There are two choices for permissions:

• Use following permissions as proposed permissions

Use this option to add the permission entries in the permission list to the list of proposed permission
entries for the newly created Central Access Rule. You use the proposed permission list combined
with file system auditing, to model the effective access users have to the resource without changing
the permission entries in the current permissions list. Proposed permissions write a special audit event
to the event log that describes the proposed effective access for the user.

• Use following permissions as current permissions

Use this option to add the permission entries in the permission list to the list of current permissions
entries for the newly created Central Access Rule. The current permissions list represents the
additional permissions Windows considers when the Central Access Rule is deployed to a file server.
Central Access Rules do not replace the existing security. When making authorization decisions,
Windows evaluates permission entries from Central Access Rule's current permissions list, NTFS, and
share permissions lists.
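The rule and policy described above, as an added example that is not part of the course: the Active Directory module creates a Central Access Rule whose conditional ACE is held as proposed permissions (so it only produces the 4818 staging events), adds it to a Central Access Policy, and promotes the proposed list to current later. It assumes a claim type named Department and a resource property named Dept already exist; the rule, policy and function names are constructed.

```powershell
# Added example, not from the course: stage a Central Access Rule with proposed
# permissions, group it in a Central Access Policy, and promote it after review.
Import-Module ActiveDirectory

# Assumption: the Department claim type and Dept resource property exist.
$claim = Get-ADClaimType -Filter { DisplayName -eq "Department" }
$prop  = Get-ADResourceProperty -Filter { DisplayName -eq "Dept" }
if (-not $claim -or -not $prop) {
    throw "Create the Department claim type and the Dept resource property first."
}

# Target resources: only files that actually carry a Dept value. A file without
# the property never enters the rule, which is the case the text warns about.
$resourceCondition = "(Exists @RESOURCE.$($prop.ID))"

# Permission entries in SDDL. Owner, Administrators and SYSTEM keep full control
# so the rule cannot lock out administrators; Authenticated Users get
# Read & Execute (0x1200a9) only when their Department claim equals the
# file's Dept property (the XA entry is a conditional ACE).
$acl = "O:SYG:SYD:AR" +
       "(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
       "(XA;;0x1200a9;;;AU;(@USER.$($claim.ID) == @RESOURCE.$($prop.ID)))"

# -ProposedAcl is the "Use following permissions as proposed permissions" option:
# nothing is granted or denied, but every access check whose result would differ
# from the enforced permissions writes Security event 4818.
$rule = New-ADCentralAccessRule -Name "Department Match (staged)" `
    -Description "Read access limited to users whose department matches the file" `
    -ResourceCondition $resourceCondition `
    -ProposedAcl $acl `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# The policy is the unit that Group Policy deploys to file servers; the rule
# becomes one of its members.
$policy = New-ADCentralAccessPolicy -Name "Departmental Documents" -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# After the 4818 events have been reviewed, move the proposed list to the current
# list. The previous current list is retained by AD DS so the change can be reverted.
function Publish-StagedRule {
    param([Parameter(Mandatory = $true)][string]$RuleName)
    $r = Get-ADCentralAccessRule -Filter "Name -eq '$RuleName'"
    if (-not $r) { throw "Rule '$RuleName' not found." }
    Set-ADCentralAccessRule -Identity $r -CurrentAcl $r.ProposedAcl
}

# Publish-StagedRule -RuleName "Department Match (staged)"
```

The policy still has to be assigned to file servers through Group Policy and selected on each share's Central Policy tab, which this script does not do.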

Implementing File Access Auditing
The Global Object Access Auditing feature in Windows 8 and Windows Server 2012 enables you to configure object access auditing for every file and folder in the file system on the computer. You use this policy setting to centrally manage and configure Windows to monitor every file and folder on the computer. To enable object access auditing in previous versions of Windows Server, you had to configure this option in basic audit policies (in GPOs), and also turn on auditing for a specific security principal in the System Access Control List (SACL) of the object. Sometimes this approach did not easily reconcile with company policies such as "Log all administrative write activity on servers containing Finance information," because you cannot turn on object access audit logging on the server level but only on the object level.

The new audit category in Windows Server 2008 R2 and Windows Server 2012 enables administrators to manage object access auditing using a much wider scope.

Dynamic Access Control enables you to create targeted audit policies using expressions based on user, computer and resource claims. For example, you could create an audit policy to track all Read and Write operations on files classified as High Confidential by employees who do not have a High Security Clearance attribute populated with the appropriate value. You can author expression-based audit policies directly on a file or folder or centrally via Group Policy using Global Object Access Auditing. By using this approach you do not prevent unauthorized access, but register attempts to access the content by unauthorized people.

Global Object Access Auditing includes the File system and registry subcategory.

You configure Global Object Access Auditing when you enable Object Access auditing and Global Object Access Auditing. Enabling Object Auditing turns on auditing for the computer that applies the policy setting. However, enabling auditing alone does not always generate auditing events. The resource, in this instance files and folders, must contain audit entries.

We recommend configuring Global Object Access Auditing for the enterprise by using the security policy of a domain-based GPO. The two security policy settings required to enable Global Object Access Auditing are located at these locations:

• Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access\Audit File System

• Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policy\Global Object Access Auditing\File System

Note: If both a file or folder SACL and a Global Object Access Auditing policy (or a single registry setting SACL and a Global Object Access Auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.
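As an added example that is not part of the course, the local auditpol equivalent of the two policy settings above on a single file server, followed by a small function that reads back the file access (4663) and staged-policy (4818) events this module refers to. The access flags, the time window and the function name are assumptions about what an administrator wants to see.

```powershell
# Added example, not from the course: local equivalent of the two audit policy
# settings, plus a reader for the events they produce. Run elevated.

# 1. Object Access\Audit File System, for both outcomes.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Global Object Access Auditing for the file system: a computer-wide resource
#    SACL that audits failed reads and writes by anyone. Windows combines it with
#    each file's own SACL, as the note above describes. (Access flags assumed.)
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FRFW

# Show the resulting global SACL so it can be compared with the GPO-delivered one.
auditpol /resourceSACL /view /type:File

# 3. Pull the events back out of the Security log. 4663 is the object access
#    event; 4818 is written when a proposed (staged) Central Access Policy would
#    have decided differently from the enforced one. (Hypothetical helper.)
function Get-FileAccessAudit {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = "Security"
        Id        = @(4663, 4818)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            User       = $data["SubjectUserName"]
            Object     = $data["ObjectName"]
            AccessMask = $data["AccessMask"]
        }
    }
}

# Staged-policy mismatches first: they show where the proposed rule changes the
# outcome before it is enforced.
Get-FileAccessAudit -Hours 24 | Sort-Object EventId -Descending | Format-Table -AutoSize
```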

Implementing Access Denied Assistance
One of the most common errors that users receive when they try to access a file or folder on a remote file server is an access denied error. Usually, this error occurs when a user tries to access a resource without having proper permission or because of incorrectly configured permissions or resource access control list (ACL). If you are using Dynamic Access Control, things can be even more complicated. Users who might have permissions, but for example have a relevant attribute in their account misspelled, will not be granted access.

When users receive this kind of error, they usually try to contact the administrator to obtain access. However, administrators usually do not approve access to resources, so users are then redirected to someone else for approval.

In Windows Server 2012 there is a new technology to help both users and administrators in such situations. This technology is called Access Denied Assistance. It helps users respond to access denied issues without involving IT staff by providing information about the problem and directing users to the proper person.

Access-denied Remediation
The Access Denied Assistance technology in Windows Server 2012 provides three ways for troubleshooting issues with access denied errors:

• Self-remediation. Windows Server 2012 provides a way to create customized access-denied messages that are authored by the server administrator. By using the information in these messages, users can try to self-remediate access-denied cases. For example, the user may be directed to first map to a computer using a particular drive letter. The message can also include URLs to direct the users to self-remediation websites that are provided by the organization. For example, the URL might direct the user to change their password to an application or download a refreshed copy of client-side software.

• Remediation by the data owner. In Windows Server 2012, administrators can define owners for shared folders. This enables users to send an email to the data owners to request access. For example, if the user was accidentally left off a security group membership, the data owner may be able to add the user to the group. If the data owner does not know how to help the user get access, he or she can forward this information to the appropriate IT administrator. This is helpful because the number of user support requests escalated to the support desk should be limited to special, difficult-to-resolve cases.

• Remediation by Help Desk and file server administrators. If the user cannot self-remediate the issue or the data owner cannot help, Windows Server 2012 provides a user interface where administrators can view the effective permission for users for a file or folder so that it is easier to troubleshoot access issues. Examples of when an administrator should be involved are cases where attributes (either claims and/or resource objects) have been incorrectly defined or contain incorrect information, or when the data itself seems to be corrupted.

You enable Access Denied Assistance by using Group Policy. You open Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance. In this node, you can enable Access Denied Assistance, and also, you can provide customized messages for users. Alternatively, you can also use the File Server Resource Manager console to enable access-denied assistance. However, if this feature is enabled in Group Policy, the appropriate settings in the File Server Resource Manager console are disabled for configuration.

Implementing File Classifications
To effectively implement Dynamic Access Control technology, you must have well-defined claims and resource properties. Although claims are defined by attributes of a user or a device, resource properties are most often manually created and defined. File Classifications enable administrators to define automatic procedures for setting a desired property on a file, based on conditions specified in a classification rule. For example, you can set the property Confidentiality to High on all documents whose content contains the word "secret." You can then use this property in Dynamic Access Control to specify, for example, that only employees with the attribute employeetype set to Manager can access those documents that are classified with high confidentiality.

In Windows Server 2008 R2 and Windows Server 2012, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.

Classification Management is designed to ease the burden and management of data that is spread out in the organization. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The File Classification infrastructure in Windows Server 2008 R2 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification and apply corporate requirements for managing data based on business value.

You can use file classification to perform the following actions:

1. Define classification properties and values, which can be assigned to files by running classification rules.

2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory based on installed classification plug-ins.

3. When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values. You can also use this to de-classify files that no longer meet the classification criteria.

Demonstration: Implementing Central Access Rules and Policies


Demonstration Steps
1. In the Active Directory Administrative Center, create claims for department and employeetype
attributes.

2. Enable Resource Type for department.

3. Create Central Access rule to enable members of IT group to access resources if user department
attribute matches resource department.

4. Create a Central Access Policy.
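The four demonstration steps carried out with the ActiveDirectory module on a Windows Server 2012 domain controller, as an added Windows PowerShell example that is not part of the course. The group name IT, the claim IDs ad://ext/department and ad://ext/employeeType, and the Research value used to scope the rule are assumptions.

```powershell
# Added example (not course material): the demonstration steps in PowerShell.
# Assumptions: ActiveDirectory module present, caller is a domain admin, the group
# is named "IT", claim IDs and the "Research" scope value are chosen here.
Import-Module ActiveDirectory

# Step 1: claim types sourced from the user attributes department and employeeType.
# A claim is only issued once the type is enabled and the KDC supports claims.
New-ADClaimType -DisplayName "Company Department" -SourceAttribute department `
    -AppliesToClasses @("user") -ID "ad://ext/department" -Enabled $true
New-ADClaimType -DisplayName "Employee Type" -SourceAttribute employeeType `
    -AppliesToClasses @("user") -ID "ad://ext/employeeType" -Enabled $true

# Step 2: resource properties ship disabled. Department_MS is the built-in
# Department property; file servers only download properties that are in a
# resource property list, so confirm it is in the global list.
Set-ADResourceProperty -Identity Department_MS -Enabled $true
Get-ADResourcePropertyList -Identity "Global Resource Property List" -Properties Members |
    Select-Object -ExpandProperty Members

# Step 3: central access rule. The resource condition scopes the rule to resources
# tagged Department = Research. The conditional ACE (type XA) grants the IT group
# Modify (0x1301bf) only when the user's department claim equals the resource's
# Department property; Owner and Administrators keep Full Access.
$itSid = (Get-ADGroup -Identity "IT").SID.Value
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
       "(XA;;0x1301bf;;;$itSid;(@USER.ad://ext/department == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name "Department Match" `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Research"})' `
    -CurrentAcl $acl

# Step 4: central access policy carrying the rule. It still has to be published
# with Group Policy (Security Settings\File System\Central Access Policy) and then
# applied on the folder's Security tab before it takes effect.
New-ADCentralAccessPolicy -Name "Department Match"
Add-ADCentralAccessPolicyMember -Identity "Department Match" -Members "Department Match"

# Review what was created and which claim types the KDC will now issue.
Get-ADCentralAccessRule -Identity "Department Match" |
    Format-List Name, ResourceCondition, CurrentAcl
Get-ADClaimType -Filter 'Enabled -eq $true' |
    Select-Object DisplayName, ID, SourceAttribute
```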



Lab: Implementing Dynamic Access Control


Scenario
The Research team at A. Datum performs some highly confidential work that provides much value to the
business. Managers and Research departments at A. Datum frequently store files that contain business-
critical information on the company file servers. The security department wants to ensure that these
confidential files are only accessible to suitably authorized personnel and that all access to these files be
audited.
As one of the senior network administrators at A. Datum, you are responsible for addressing these security
requirements by implementing Dynamic Access Control on the file servers. You plan to work closely with
the business groups and the security department in identifying which files must be secured, and who
should have access to these files. Then you plan to implement Dynamic Access Control based on the
company requirements.

Objectives
• Plan Dynamic Access Control Deployment and prepare AD DS for Dynamic Access Control.

• Configure user and device claims.

• Configure resource properties and file classifications.

• Configure central access rules and policies.

• Configure and validate access remediation.

Lab Setup
Estimated time: 90 minutes

Virtual machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-LON-CL2

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1 and 20417A-LON-CL2.

6. Log on to LON-SVR1 as Adatum\Administrator with the password of Pa$$w0rd. Do not log on to LON-CL1 or LON-CL2 until instructed to do so.

Exercise 1: Planning the Dynamic Access Control Implementation and Preparing AD DS for Dynamic Access Control
Scenario
A. Datum must ensure that documents used by the Research department and managers are secured.
Most of the files used by these departments are stored in shared folders dedicated to these departments,
but sometimes confidential documents appear in other shared folders. Folders that belong to Research
department should be accessed and modified only by members of Research department. Also, documents
that are classified as highly confidential should only be accessed by Managers. The security department
is also concerned that users in the Managers department are accessing the files using their home
computers, which may not be highly secure. You must create a plan for securing the documents
regardless of where they are located and ensure that the documents can only be accessed from
authorized computers. Authorized computers for Managers are members of the security group
ManagersWks.

The support department reports that a high number of calls are generated by users who cannot access
resources. You must implement a technology that helps users to better understand error messages as well
as enable them to automatically request access.

First, you will plan for Dynamic Access Control deployment. Then you must prepare your AD DS to
support Dynamic Access Control.
The main tasks for this exercise are as follows:

1. Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements.

2. Prepare AD DS to support Dynamic Access Control.

X Task 1: Plan the Dynamic Access Control Deployment Based on the Security and
Business Requirements
• Describe how you will design Dynamic Access Control to fulfill requirements for access control,
described in the scenario.

X Task 2: Prepare AD DS to support Dynamic Access Control


1. On the LON-DC1, from Server Manager open Active Directory Users and Computers.
2. Make new organizational unit named Test.

3. Move LON-CL1, LON-CL2 and LON-SVR1 computer objects into Test OU.

4. On LON-DC1, from Server Manager, open the Group Policy Management console.

5. Remove the Block Inheritance setting applied to the Managers OU. (This setting has been applied and
used in a later module of the course.)

6. Edit the Default Domain Controllers Policy GPO.

7. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.

8. Enable the KDC support for claims, compound authentication and Kerberos armoring policy setting.

9. Select Supported in Options section.

10. On LON-DC1, refresh Group Policy.

11. Open Active Directory Users and Computers and create a security group called ManagersWKS in
Users container.

12. Add LON-CL1 to ManagersWKS group.

13. Verify that user Aidan Delaney is a member of Managers department and Allie Bellew is the
member of the Research department.

Results: After completing this exercise you will have a design for Dynamic Access Control and you will have prepared AD DS for the Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims


Scenario
The first step in implementing Dynamic Access Control is to configure the claims for the users and devices
that access the files. In this exercise, you will review the default claims and create new claims based on the
department and computer description attributes. For users, you will create a claim for department
attribute. For computers, you will create claim for description attribute.

The main tasks for this exercise are as follows:

1. Review the Default Claim Types.

2. Configure Claims for Users.

3. Configure Claims for Devices.

X Task 1: Review the Default Claim Types


1. On LON-DC1, in Server Manager, open the Active Directory Administrative Center.
2. Click the Dynamic Access Control node in Active Directory Administrative Center.

3. Open the Claim Types container and verify that there are no default claims defined.

4. Open the Resource Properties container and note that all properties are disabled by default.
5. Open Resource Property Lists container and then open the properties of the Global Resource
Property List.

6. In the Resource Properties section review available resource properties.

7. Click Cancel.

X Task 2: Configure Claims for Users


1. In the Active Directory Administrative Center, in the navigation pane click Dynamic Access
Control.

2. Open the Claim Types container, and create a new claim type for users and computers using the
following settings:

o Source Attribute: Department

o Display name: Company Department



X Task 3: Configure Claims for Devices


1. In the Active Directory Administrative Center, in the Tasks pane click New and select Claim Type.

2. Create a new claim type for computers using the following settings:

o Source Attribute: description

o Display name: description

Results: After completing this exercise you will have configured user and device claims.

Exercise 3: Configuring Resource Properties and File Classifications


Scenario
The second step in implementing Dynamic Access Control is to configure the resource property lists and
resource property definitions. After you do this, you should make a new classification rule that classifies all
files that contain the word secret in the body. These files should be assigned a value of High for attribute
Confidentiality. You should also assign department property to the folder that belongs to Research
department.

The main tasks for this exercise are as follows:


1. Configure Resource Property Definitions.

2. Classify files.

3. Assign properties to folder.

X Task 1: Configure Resource Property Definitions


1. In the Active Directory Administrative Center, click Dynamic Access Control and then open the
Resource Properties container.

2. Enable the Department and Confidentiality Resource Properties.


3. Open Properties for Department property.

4. Add Research as suggested value.

5. Open the Global Resource Property List and make sure that Department and Confidentiality are
included in the list.

6. Click Cancel.

7. Close the Active Directory Administrative Center.

X Task 2: Classify files


1. On LON-SVR1, in Server Manager, add the File Server Resource Manager.

2. Open File Server Resource Manager.

3. Refresh Classification Properties. Verify that Confidentiality and Department properties are in the
list.

4. Create a Classification rule with following values:

o Name: Set Confidentiality


o Scope: C:\Docs

o Classification method: Content Classifier



o Property: Confidentiality

o Value: High

o Classification Parameters: String “secret”

o Select Re-evaluate existing property values, and then click Overwrite the existing value.

5. Run the classification rule.

6. Open Windows Explorer and open Properties for files Doc1.txt, Doc2.txt and Doc3.txt in C:\Docs
folder.

7. Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.

X Task 3: Assign properties to folder


1. On LON-SVR1 open Windows Explorer.

2. Browse to C:\Research and open its properties.

3. On the Classification tab, set the Department value to Research.

Results: After this exercise, you will have configured resource properties and file classifications.

Exercise 4: Configuring Central Access Rules and Policies


Scenario
Now that you have configured claims, resource properties, and file classifications, you want to create and
configure central access rules and policies.

The main tasks for this exercise are as follows:

1. Configure Central Access Policy Rules.

2. Create Central Access Policy.

3. Publish Central Access Policy with Group Policy.

4. Apply Central Access Policy to resources.

5. Configure access denied remediation settings.

X Task 1: Configure Central Access Policy Rules


1. On LON-DC1, in Server Manager, click Tools and then click Active Directory Administrative
Center.

2. Click Dynamic Access Control and then open the Central Access Rules container.

3. Create a new Central Access Rule with the following values:

o Name: Department Match

o Target Resource: use condition Resource-Department-Equals-Value-Research


o Permissions: Remove Administrators, and then add Authenticated Users, Modify, with condition
User-Company Department-Equals-Resource-Department

4. Create another Central Access Rule with the following values:

o Name: Access Confidential Docs

o Target Resource: use condition Resource-Confidentiality-Equals-Value-High

o Permissions:
Set first condition to be: User-Group-Member of each-Value-Managers
Set second condition to be: Device-Group-Member of each-Value-ManagersWKS

X Task 2: Create Central Access Policy


1. On LON-DC1 in Active Directory Administrative Center, create a new Central Access Policy with
following values:

o Name: Protect confidential docs

o Rules included: Access Confidential Docs

2. Create another Central Access Policy with following values:


o Name: Department Match

o Rules included: Department Match

3. Close the Active Directory Administrative Center.

X Task 3: Publish Central Access Policy with Group Policy


1. On LON-DC1, from the Server Manager, open the Group Policy Management console.

2. Create new GPO named DAC Policy and link it to organizational unit Test.

3. Edit the DAC Policy and browse to Computer Configuration/Policies/Windows Settings/Security Settings/File System, and then right-click Central Access Policy.

4. Click Manage Central Access Policies.

5. Click both Department Match and Protect confidential docs, and then click Add. Click OK.

6. Close the Group Policy Management Editor and the Group Policy Management console.

X Task 4: Apply Central Access Policy to resources


1. On LON-SVR1, start Windows PowerShell.

2. Refresh Group Policy on LON-SVR1.

3. Open Windows Explorer, and browse to the C:\Docs folder.

4. Apply the Protect confidential docs Central Policy to the C:\Docs folder.

5. Browse to the C:\Research folder.


6. Apply the Department Match Central Policy to the C:\Research folder.

X Task 5: Configure access denied remediation settings


1. On LON-DC1, open the Group Policy Management console.

2. Edit the DAC Policy.


3. Under Computer Configuration node, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.

4. In the right pane double-click Customize Message for Access Denied errors.

5. In the Customize Message for Access Denied errors window click Enabled.

6. In the Display the following message to users who are denied access text box type: You are denied
access because of permission policy. Please request access.

7. Select check box Enable users to request assistance. Click OK.

8. Double-click Enable access-denied assistance on client for all file types and enable it.

9. Click OK and close the Group Policy Management Editor and the Group Policy Management console.
10. Switch to LON-SVR1, and refresh Group Policy.

Results: After completing this exercise you will have configured central access rules and policies.

Exercise 5: Validating and Remediating Access Control


Scenario
To ensure that the Dynamic Access Control settings are configured correctly, you plan to test various
scenarios for users to access the files. You plan to try both approved users and devices and unapproved
users and devices. You also plan to validate the access remediation configuration.

The main tasks for this exercise are as follows:

1. Verify Dynamic Access Control functionality.

2. Configure staging for Dynamic Access Policy.

3. Configure staging permissions.

4. Verify staging.

5. Use effective permissions to test Dynamic Access Control.

6. To prepare for next module.

X Task 1: Verify Dynamic Access Control functionality


1. Log on to LON-CL1 as Adatum\April with password Pa$$w0rd.

2. Click the Desktop tile and then open Windows Explorer.

3. Browse to \\LON-SVR1\Docs. Verify that you can only open Doc3.

4. Try to access \\LON-SVR1\Research. You should be unable to access it.

5. Log off of LON-CL1.

6. Log on to LON-CL1 Adatum\Allie with the password of Pa$$w0rd.

7. Open Windows Explorer and try to access \\LON-SVR1\Research.

Note: You should be able to access it as well as open files in it.

8. Log off of LON-CL1.

9. Log on to LON-CL1 as Adatum\Aidan with the password of Pa$$w0rd.

10. Open Windows Explorer and try to access \\LON-SVR1\Docs.

Note: You should be able to open all files in this folder.



11. Log off of LON-CL1.

12. Log on to LON-CL2, as Adatum\Aidan with the password of Pa$$w0rd.

13. Open Windows Explorer and try to access \\LON-SVR1\Docs.

Note: You should be unable to see Doc1 and Doc2 since LON-CL2 is not permitted to view
secret documents.

X Task 2: Configure staging for Dynamic Access Policy


1. On LON-DC1, open Group Policy Management.

2. Edit the DAC Policy GPO.

3. In the Group Policy Management Editor, browse to Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies.

4. Select Object Access.

5. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.
6. Double-click Audit File System. Select all three check boxes then click OK.

7. Close the Group Policy Management Editor and the Group Policy Management console.

X Task 3: Configure staging permissions


1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.
2. Open the Properties for the Department Match Central Access Rule

3. In the Proposed permissions section, configure a condition for Authenticated users as follows:
User-Company Department-Equals-Value-Marketing.
4. Switch to LON-SVR1 and refresh Group Policy.

X Task 4: Verify staging


1. Log on to LON-CL1 as Adatum\Adam with the password of Pa$$w0rd.

2. Open Windows Explorer and attempt to access \\LON-SVR1\Research. You will be unsuccessful.
Click Close.

3. Switch to LON-SVR1.

4. From Server Manager, open Event Viewer and select the Security log. Look for events with Event
ID 4818.
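The Event ID 4818 search of step 4 scripted with Get-WinEvent so staging results can be reviewed in bulk rather than one event at a time, as an added example that is not course material. It assumes it runs on LON-SVR1 (or is pointed at it) with rights to read the Security log, and it takes field names from the event XML instead of assuming them.

```powershell
# Added example (not course material): collect Central Access Policy staging
# events. Event 4818 is logged when the proposed permissions of a central access
# rule would grant different access than the current permissions, which is how
# a rule change is evaluated before it is enforced.
# Assumptions: run on or against LON-SVR1 with rights to read the Security log.
function Get-CapStagingEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50
    )
    $filter = @{ LogName = 'Security'; Id = 4818 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every EventData field becomes a property, named as the log names it,
            # so nothing about the 4818 schema is hard-coded here.
            $xml  = [xml]$_.ToXml()
            $data = [ordered]@{ TimeCreated = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]$data
        }
}

# One object per staging event; an empty result means the proposed and current
# permissions agreed for every access that was audited.
Get-CapStagingEvent -ComputerName LON-SVR1 | Format-List
```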

X Task 5: Use effective permissions to test Dynamic Access Control


1. On LON-SVR1, open properties for C:\Research.

2. Open Advanced options for Security.


3. Click the Effective access tab.

4. Click select a user.

5. In Select User, Computer, Service Account, or Group window type April, and then click Check
Names, and then click OK.

6. Click View effective access.

7. Review results. April should not have access to this folder.



8. Click Include a user claim.

9. Select Company Department from the drop-down list.

10. Type Research in Value text box.

11. Click View Effective access. April should have access now.

X Task 6: To prepare for next module


• When you have finished the lab, revert the virtual machines to their initial state.

Results: After this exercise you will have validated Dynamic Access Control functionality.

Module Review and Takeaways


Best Practices
• Use Central Access Policies instead of configuring conditional expressions on resources.

• Enable Access Denied Assistance settings.

• Always stage changes to Central Access Rules and Policies before implementation.

• Use file classifications to assign properties to files.

Common Issues and Troubleshooting Tips


Common Issue: Claims are not populated with appropriate values
Troubleshooting Tip:

Common Issue: Conditional expression does not enable access
Troubleshooting Tip:

Review Questions
What is a claim?
What is the purpose of Central Access Policy?

What is Access Denied Assistance?

Tools
Active Directory Administrative Center

Module 11
Implementing Active Directory Domain Services
Contents:
Module Overview 11-1

Lesson 1: Deploying AD DS Domain Controllers 11-2

Lesson 2: Configuring AD DS Domain Controllers 11-11

Lesson 3: Implementing Service Accounts 11-16

Lesson 4: Implementing Group Policy in AD DS 11-19

Lesson 5: Maintaining AD DS 11-28

Lab: Implementing AD DS 11-35


Module Review and Takeaways 11-40

Module Overview
Active Directory® Domain Services (AD DS) is the central location for configuration information,
authentication requests, and information about all the objects that are stored in an Active Directory forest.
Using AD DS, you can efficiently manage users, computers, groups, printers, and other directory-enabled
objects from one secure, central location. Windows PowerShell® has become the single engine for
configuration and maintenance from both graphical and command-line interfaces. This module discusses
deployment and configuration of domain controllers, service accounts in AD DS, Group Policy, and
maintenance of AD DS.

Objectives
After completing this module you will be able to:

• Deploy domain controllers.

• Configure domain controllers.

• Implement service accounts.

• Implement Group Policy.

• Maintain AD DS.

Lesson 1
Deploying AD DS Domain Controllers
To establish the Active Directory forest and the first domain in the forest, you must create at least one domain controller. In this lesson, you will learn about the new features of AD DS in Windows Server® 2012 and the various methods for deploying domain controllers.

Lesson Objectives
After completing this lesson you will be able to:

• Describe what's new in AD DS in Windows Server 2012.

• Deploy domain controllers.

• Deploy domain controllers on a Server Core installation of Windows Server 2012.

• Deploy domain controllers using the Install From Media feature.

• Clone virtual domain controllers.

• Upgrade to AD DS in Windows Server 2012.

• Troubleshoot domain controller deployment.

What's New in AD DS in Windows Server 2012?
Windows Server 2012 has several new features for AD DS. The Windows PowerShell command-line interface is the underlying component behind installations and configurations. It enables full scripting and automation, and new graphical user interfaces for previously command-line-only activities.

Some new features are described in the following table.

Feature: Deployment
Improvement:
• Server Manager now enables installation of the AD DS role on remote as well as local computers. The Active Directory Domain Services Configuration Wizard replaces the Active Directory Installation Wizard (also called DCPromo).
• Deployment now uses Windows PowerShell in the background.
• When you install Active Directory on a member server, Windows Server 2012 performs prerequisite checks that validate domain and forest readiness.

Feature: Simplified administration
Improvement: Improvements to configure and monitor AD DS through the Server Manager console include:
• A graphical user interface for the Active Directory Recycle Bin.
• A graphical user interface to implement fine-grained passwords.
• Group Policy health monitoring.
• AD DS-specific performance monitoring and best practice analysis.
• Active Directory management tools, which you can open from the Server Manager console.

Feature: Support for Virtualized Domain Controllers
Improvement: Improvements in the virtual environment include:
• Cloning domain controllers is now a supported option to enable automated deployment and rollback protection.
• Restoration of domain controller snapshots does not disrupt the AD DS environment.

Feature: Active Directory Module for Windows PowerShell
Improvement: The Active Directory module has new cmdlets for replication topology management, Dynamic Access Control, and other operations. It is no longer necessary to use the Active Directory Installation Wizard (also called DCPromo) to create a domain controller. When you use Windows PowerShell to install AD DS, the Active Directory Installation Wizard functionality is included in the cmdlet.

Feature: Windows PowerShell History Viewer
Improvement: When administrators use the Active Directory Administrative Center, they can now view the underlying Windows PowerShell commands that are executed. This helps reduce the time required to learn the Windows PowerShell commands.

Feature: Active Directory Federated Services (AD FS)
Improvement: AD FS is now included as a server role with Windows Server 2012. This version provides a less complex trust setup and management process, the ability to extend the claims attribute store, and a broader scope for defining claims. AD FS services are frequently required for hybrid cloud deployments.

Feature: Active Directory Based Activation (AD BA)
Improvement: Key Management Servers (KMS) are no longer required to activate computers running Windows Server 2012 and Windows® 8. Activating the initial customer-specific volume license key (CSVLK) requires a one-time contact with Microsoft activation over the Internet.

Deploying AD DS Domain Controllers
With Windows Server 2008, you could deploy a domain controller by installing the AD DS role to add the binary files and then using the Active Directory Installation Wizard to install AD DS. In Windows Server 2012 you deploy a domain controller by using Server Manager to add the AD DS role. You use a separate wizard within Server Manager to configure AD DS.

You can add the AD DS role binaries using these four methods:

• The graphical Server Manager.

• The Server Manager module.

• Dism.exe.

• Active Directory Installation Wizard (also called DCPromo).

Using Server Manager
You can use the graphical wizard in Server Manager to install the binary files and perform all the required configuration of a domain controller. The deployment wizard uses a single expanding dialog box and can do the following:

• Install AD DS remotely.

• Install DNS by default.

• Configure the domain controller as a global catalog by default.

• Display advanced mode settings.

• Prepare the schema extension and domain preparation automatically in the background.

Note: These new features are not backward compatible with Windows Server 2008 R2 or earlier versions of Windows Server. For more information, refer to "Understand and Troubleshoot AD DS Simplified Administration in Windows Server 8 Beta.docx" from http://www.microsoft.com/en-us/download/details.aspx?id=29019.

Using Windows PowerShell
You can add the AD DS binaries using the Active Directory module for local or remote installations.

Using DISM
The Deployment Image Servicing and Management (DISM) tool is part of the Windows Automated Administration Kit (WAIK). It is more complex than, and not as flexible as, Windows PowerShell. DISM is usually associated with creating deployment images for Windows Deployment Services.

Using Active Directory Installation Wizard
The Active Directory Installation Wizard (also called DCPromo) no longer has a GUI and is only supported with the Unattend option. It is no longer recommended.

Note: System requirements to install Windows Server 2012 are unchanged from Windows Server 2008 R2.

Deploying AD DS Domain Controllers on Server Core
Server Core is a version of Windows Server 2012 that has no graphical interface. Server Core provides a minimal environment for running server roles. It reduces disk space usage and maintenance, and presents a smaller attack surface.

You can now install AD DS on Server Core by using Windows PowerShell for a local or remote installation. Or you can use the GUI in Server Manager on a remote system to perform the installation.

Installing the AD DS Role Locally
To install the AD DS role locally:

1. Install the AD DS binary files. At the local Windows PowerShell command prompt, type the cmdlet Install-WindowsFeature -Name AD-Domain-Services, and then press Enter.

2. Configure AD DS. At the Windows PowerShell command prompt, type the cmdlet Install-ADDSDomainController -DomainName "Adatum.com", with other arguments as required, and then press Enter.

Windows PowerShell Remote Installation
You can run Windows PowerShell cmdlets against remote servers. Start by installing the AD DS binary files. Then use the Invoke-Command cmdlet, which runs the script block on the computer named by -ComputerName (the -ComputerName parameter belongs to Invoke-Command, not to the cmdlet inside the braces). For example:

Invoke-Command -ComputerName NYC-DC3 -ScriptBlock { Install-ADDSDomainController -DomainName Adatum.com -Credential (Get-Credential) }

Note: Guidance for using Windows PowerShell to establish a Windows Server 2012 AD DS environment can be found here: http://technet.microsoft.com/en-us/library/hh472162#BKMK_PSForest.

Server Manager Remote Installation
To use Server Manager to install the AD DS role remotely, perform these high-level steps:

1. Add the Server Core computer as another computer to manage.

2. Create a server group containing the Server Core computer.

3. Use the Add Roles and Features Wizard to install AD DS.

4. Complete the configuration by running the Active Directory Domain Services Configuration Wizard.

Deploying AD DS Domain Controllers by using Install From Media (IFM)
Another method for installing AD DS is to install from installation media created by using the Ntdsutil.exe utility. Installation media is created from an existing domain controller in the form of a backup. The advantage of installing from media is that it reduces the directory replication traffic required to synchronize the new domain controller. By default, a new domain controller replicates all the data for all directory partitions that it hosts from other domain controllers. When you use IFM, the new domain controller already has most of the AD DS data. It only replicates updates that have occurred since the backup media was created.
MCT USE ONLY. STUDENT USE PROHIBITED
11-6 Implementing Active Directory Domain Services

Creating the IFM media
Windows Server 2012 has two new options that enable you to create IFM media without first performing an online defrag of the exported NTDS.DIT database file. Ntdsutil.exe can now create six types of installation media, as described in the following table.

Type of installation media: Full (or writable) domain controller
  Parameter: Create Full PathToMediaFolder
  Description: Creates installation media for a writable domain controller instance in the folder that is identified in the path.

Type of installation media: Read-only domain controller (RODC)
  Parameter: Create RODC PathToMediaFolder
  Description: Creates installation media for an RODC in the folder that is identified in the path.

Type of installation media: Full (or writable) domain controller with SYSVOL
  Parameter: Create Sysvol Full PathToMediaFolder
  Description: Creates installation media for a writable domain controller with SYSVOL in the folder that is identified in the path.
  Note: Does not work on Windows Server 2012.

Type of installation media: RODC with SYSVOL
  Parameter: Create Sysvol RODC PathToMediaFolder
  Description: Creates installation media for an RODC with SYSVOL in the folder that is identified in the path.
  Note: Does not work on Windows Server 2012.

Type of installation media: Create Full NoDefrag
  Parameter: Create Full NoDefrag %s
  Description: Creates installation media without defragmenting for a full Active Directory domain controller or an Active Directory Lightweight Directory Services (AD LDS) instance into folder %s.

Type of installation media: Create Sysvol Full NoDefrag
  Parameter: Create Sysvol Full NoDefrag %s
  Description: Creates installation media with SYSVOL, without defragmenting, for a full Active Directory domain controller or an AD LDS instance into folder %s.

Steps to Create IFM Media


To create IFM media, perform the following steps on an existing domain controller that is running the
same operating system as the destination computer:

1. Enter the ntdsutil context. At the Windows command prompt type NTDSUTIL, and then press Enter.

2. At the NTDSUTIL: prompt type Activate instance NTDS, and then press Enter.

3. Type IFM.

4. At the IFM: prompt, type the command for the type of installation media you want to create. For
example, to create media for a writable domain controller with SYSVOL to a folder named Media,
type Create Sysvol Full C:\Media.

To use IFM to create additional domain controllers in the domain, you can refer to a shared folder or
removable media where you store the installation media on the Install from Media page in the Active
Directory Domain Services Installation Wizard or by using the /ReplicationSourcePath parameter during
an unattended installation.
Install From Media Characteristics
IFM has the following characteristics:

• Installation from media does not work across different operating system versions. You must generate media from an existing Windows Server 2012 domain controller to install AD DS on a computer running Windows Server 2012.

• When the Active Directory Recycle Bin is enabled, any installation media that was created before the Active Directory Recycle Bin was enabled is no longer valid. Create new installation media while the Active Directory Recycle Bin is enabled.

• To create the IFM media you must have permissions to make a backup on a domain controller.

Deploying AD DS Read-Only Domain Controllers
The read-only domain controller (RODC) was introduced with Windows Server 2008. An RODC hosts read-only partitions of the AD DS database. This means that no AD DS change requests are made directly to the database copy stored by the RODC. Instead, AD DS modifications are forwarded to RODCs through replication with a writable domain controller. All RODC AD DS replication uses a one-way, incoming-only connection from a domain controller that has a writable AD DS database copy.

RODCs are primarily designed for branch office deployments where you cannot guarantee the physical security of the AD DS computers. By deploying an RODC in a branch office, you can give users a local domain controller to facilitate efficient AD DS logon and Group Policy application, even if the WAN link to the main office (where read/write domain controllers are located) is not available. A locally based RODC configured to cache passwords of local users ensures faster logons compared to logging on across a slow network connection to authenticate with a remote domain controller. If the RODC is stolen, only the credentials it was allowed to cache are exposed, which is why the caching policy below matters.

Characteristics of RODC
RODCs have the following characteristics:

• Server Core installations support RODCs.

• An RODC cannot hold an operations master role.

• An RODC cannot be a site bridgehead server.

• RODCs only support incoming replication.

• Caching of credentials of users and computers can be explicitly allowed or denied. This can be configured in the Active Directory Domain Services Configuration Wizard. By default, no user credentials are cached.

• Users can be delegated administrative rights to a specific RODC without being granted rights to AD DS. This can be configured in the Active Directory Domain Services Configuration Wizard.

• RODCs support read-only Domain Name System (DNS).

• RODCs can use the IFM feature for deployment.
Preparing to Install RODC
Several prerequisites must be in place before you install an RODC. They are:

• The forest functional level must be at least Windows Server 2003. The Windows Server 2012 Active Directory Domain Services Configuration Wizard does not let you continue if the domain is not able to support an RODC.

• There must be a writable domain controller running Windows Server 2008 or later versions in the same domain.

• The domain must be prepared with the Adprep.exe /rodcprep command. Windows Server 2012 performs this step automatically when you install a writable domain controller.

Installing the RODC
You can install an RODC through the Active Directory Domain Services Configuration Wizard. On the Additional Domain Controller Options page, select the check box for Read-only domain controller (RODC).

Cloning Virtual AD DS Domain Controllers
Windows Server 2012 introduces virtualized domain controller cloning. Cloning a virtualized domain controller presents challenges. For example, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In versions of Windows earlier than Windows Server 2012, you created virtualized domain controllers by deploying a Sysprepped base server image and manually promoting it to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS virtualized domain controllers (VDCs) to resolve those issues.

Windows Server 2012 VDCs have two new capabilities:

• Domain controllers can be safely cloned to deploy additional capacity and save configuration time.

• Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.

Safe Cloning
A cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media.

Safe Backup and Restore
Rolling back to a previous snapshot of a VDC is problematic because Active Directory uses multi-master replication that relies on transactions being assigned numeric values called update sequence numbers (USNs). After a rollback, the VDC reuses USN values that it has already assigned to transactions its replication partners have received, so the partners never pick up the new changes. This causes inconsistencies in the Active Directory database. Windows Server 2003 SP1 and later versions implement a process known as USN rollback protection; when it triggers, the VDC stops replicating and must be forcibly demoted or manually restored non-authoritatively.

Windows Server 2012 now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. Detection relies on the VM-GenerationID value that the hypervisor exposes to the guest: when it changes after a snapshot restore, the domain controller resets its invocation ID and discards its RID pool before synchronizing. You can now use snapshots without risk of permanently disabling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion.
Creating a VDC Clone
To create a VDC clone in Windows Server 2012, perform the following high-level steps:

1. Create a DcCloneConfig.xml file that contains the unique server configuration.

2. Copy this file into the location of the AD DS database (C:\Windows\NTDS by default).

3. Take the VDC offline and export or copy it.

4. Create a new virtual machine by importing the exported one. This virtual machine is automatically promoted as a unique domain controller.

Note: There is no graphical interface to create the cloning XML files. However, there is a Windows PowerShell script in development for out-of-band release, and the XML schema is included. (In the released Windows Server 2012 Active Directory module for Windows PowerShell, the New-ADDCCloneConfigFile cmdlet generates this file.)
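The four cloning steps above, with the preconditions that the cloning code enforces but the slide does not list, as an added example (not code from the course). It assumes LON-DC1 is the source VDC running on a Hyper-V host that supports VM-GenerationID, LON-DC3 is the clone name, and the IP addresses and export path are lab values. Steps 0 and 1 run inside LON-DC1; steps 2 to 4 run on the Hyper-V host.

```powershell
# Added example: clone the virtualized DC LON-DC1 into LON-DC3. Names, IP
# addresses and paths are assumptions. The hypervisor must expose
# VM-GenerationID, otherwise the clone comes up as a duplicate LON-DC1.

Import-Module ActiveDirectory

# 0. Preconditions. Cloning refuses to run unless the source DC is in the
#    Cloneable Domain Controllers group, the PDC emulator is a Windows
#    Server 2012 DC, and every installed service is known to be clone-safe.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'LON-DC1$'

$pdc = (Get-ADDomain).PDCEmulator
if ((Get-ADDomainController -Identity $pdc).OperatingSystem -notmatch '2012') {
    throw "PDC emulator $pdc must run Windows Server 2012 for cloning"
}

# Services/apps not in DefaultDCCloneAllowList.xml block cloning. Review
# each one; if it is safe to clone, add it to CustomDCCloneAllowList.xml
# with: Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Resolve the excluded-application list before cloning'
}

# 1. Write DCCloneConfig.xml with the clone's unique identity. Without
#    -Path it is written to the NTDS folder (C:\Windows\NTDS), which is
#    where the clone looks for it at first boot.
New-ADDCCloneConfigFile -CloneComputerName 'LON-DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.13' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# 2./3. On the Hyper-V host: stop the source, export it, start it again.
#       The source boots with an unchanged VM-GenerationID, so it does not
#       clone itself.
$exportPath = 'D:\Export'
Stop-VM -Name 'LON-DC1'
Export-VM -Name 'LON-DC1' -Path $exportPath
Start-VM -Name 'LON-DC1'

# 4. Import the export as a copy with a new VM ID (a new VM-GenerationID
#    follows), rename it, and start it. At first boot the clone finds
#    DCCloneConfig.xml, sees the changed generation ID, and promotes
#    itself as LON-DC3 with a fresh invocation ID and SID.
$cfg = Get-ChildItem -Path (Join-Path $exportPath 'LON-DC1\Virtual Machines') -Filter '*.xml' |
       Select-Object -First 1
$clone = Import-VM -Path $cfg.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\LON-DC3' -VhdDestinationPath 'D:\VMs\LON-DC3'
Rename-VM -VM $clone -NewName 'LON-DC3'
Start-VM -Name 'LON-DC3'

# Afterwards, from any DC: the clone must appear as its own object, not as
# a second LON-DC1, and must not share LON-DC1's invocation ID.
# Get-ADDomainController -Identity LON-DC3 | Select-Object HostName, InvocationId
# Get-ADDomainController -Identity LON-DC1 | Select-Object HostName, InvocationId
```

Keeping Cloneable Domain Controllers membership to the moment of cloning, and removing it afterwards, limits who can mint additional domain controllers from a VM export; the export itself contains the full directory and must be protected like a backup.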

Upgrading to Windows Server 2012 AD DS
You can upgrade an existing domain controller to Windows Server 2012. You can only upgrade a domain controller created in Windows Server 2008 x64 or Windows Server 2008 R2. You cannot perform an in-place upgrade on Windows Server 2003.

To perform an in-place upgrade of a computer that has the AD DS role installed, you must first use Adprep.exe /forestprep and Adprep.exe /domainprep to prepare the forest and domain. An in-place operating system upgrade does not perform automatic schema and domain preparation. Adprep.exe is included on the installation media in the \Support\Adprep folder. There are no additional configuration steps after that point, and you can continue to run the OS upgrade.

Note: We recommend a clean installation.

Troubleshooting AD DS Domain Controller Deployments
If you encounter errors when you create a domain controller, you can use troubleshooting tools and methodologies to resolve the problem. There are also logs and utilities available.
Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller promotion and demotion. Many logs are created during the installation and promotion of a domain controller, as shown in the following table.

Phase: Server Manager or AD DS Deployment Windows PowerShell operations
  Logs:
  • %systemroot%\debug\dcpromoui.log
  • %systemroot%\debug\dcpromoui*.log

Phase: Installation/promotion of the domain controller
  Logs:
  • %systemroot%\debug\dcpromo.log
  • %systemroot%\debug\dcpromo*.log
  • Event Viewer\Windows Logs\System
  • Event Viewer\Windows Logs\Application
  • Event Viewer\Applications and Services Logs\Directory Service
  • Event Viewer\Applications and Services Logs\File Replication Service
  • Event Viewer\Applications and Services Logs\DFS Replication

Tools and Commands for Troubleshooting Domain Controller Configuration
If the logs do not provide enough information, you can use the following tools for troubleshooting:

• Dcdiag.exe. Runs multiple tests to assess the overall health of AD DS.

• Repadmin.exe. Assists administrators in diagnosing replication problems between Windows domain controllers.

• AutoRuns.exe. Shows you what programs are configured to run during system bootup or logon, and shows you the entries in the order Windows processes them.

• Task Manager. Provides detailed information about running applications, processes, and services, and provides performance and networking statistics.

• MSInfo32.exe. Displays a comprehensive view of your hardware, system components, and software environment.

• Network Monitor. Enables capturing and protocol analysis of network traffic.

Methodology for Troubleshooting
Many errors are easy to correct. Check these items first:

• Is this a syntax error? Check the naming, credentials, and syntax of the Windows PowerShell command.

• Did the prerequisite check fail? Resolve the issue and try again.

• Did the error occur during the promotion phase? Examine the logs. Use Dcdiag and Repadmin to validate Active Directory health.

• Check for third-party software that may be preventing the promotion, and remove it.
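The logs, tools and methodology above collected into one first-pass check, as an added example (not code from the course). It assumes the promotion ran on the local server, that LON-DC2 is the domain controller under investigation, and that the Windows Server 2012 Active Directory module is available; the log paths are the defaults from the table.

```powershell
# Added example: first-pass health check after a failed or suspect DC
# promotion. Runs on the promoted server; the DC name is an assumption.

Import-Module ActiveDirectory

function Test-DcPromotionHealth {
    param([string]$DC = 'LON-DC2')

    # 1. Promotion logs from the table: last few error/failure lines of each.
    Get-ChildItem "$env:SystemRoot\debug\dcpromo*.log" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Select-String -Path $_.FullName -Pattern 'error|fail' | Select-Object -Last 5
            if ($hits) { "--- $($_.Name) ---"; $hits.Line }
        }

    # 2. Most recent errors (Level 2) from the event logs named in the table.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service', 'System', 'DFS Replication'; Level = 2 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, ProviderName, Message | Format-Table -Wrap

    # 3. dcdiag for overall health (/q prints failures only) and repadmin
    #    for replication state.
    dcdiag /s:$DC /q
    repadmin /replsummary $DC
    repadmin /showrepl $DC /errorsonly

    # 4. The same replication data through the Windows Server 2012 cmdlets,
    #    which return objects you can filter rather than text.
    Get-ADReplicationFailure -Target $DC
    Get-ADReplicationPartnerMetadata -Target $DC |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

    # 5. Third-party software check from the methodology: running services
    #    whose binaries live outside the Windows folder. Review each one
    #    before removing it.
    Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
        Select-Object Name, PathName
}

Test-DcPromotionHealth -DC 'LON-DC2'
```

Step 5 is a cheap stand-in for AutoRuns when only a command prompt is available; AutoRuns shows the same entries in boot order and also covers drivers and shell extensions that this query does not.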
Lesson 2
Configuring AD DS Domain Controllers
After you install AD DS and create new domain controllers, you must address several Active Directory configuration issues. You can address some of these issues, such as creating a global catalog, during or after the promotion. You address others after the promotion.

Lesson Objectives
After completing this lesson you will be able to:

• Configure the global catalog.

• Configure universal group membership caching.

• Configure operations masters.

• Manage domain and forest functional levels.

Configuring the Global Catalog
The global catalog is a special partition of Active Directory that stores information about all Active Directory objects. It does not contain all attributes of all objects, but instead contains a subset of attributes that are useful for searching. The global catalog is mainly useful in a multi-domain environment. It enables searches across domain boundaries to find objects in Active Directory. The global catalog acts as an index of Active Directory. Certain applications rely on the global catalog, such as Exchange Server.

Global Catalog Characteristics
Global catalogs are unique to Active Directory and have the following characteristics:

• The global catalog can only exist on a domain controller.

• At least one global catalog must exist in every forest.

• It is possible, and frequently desirable, to have multiple global catalogs. For example, have a global catalog in each AD DS site so that user authentication occurs in a timely, efficient manner.

• Global catalogs can be created during the promotion process or at any time after.

• Global catalogs can affect replication traffic.

• Global catalogs listen on ports 3268/3269 by default (3268 for LDAP, 3269 for LDAP over SSL).

Creating a Global Catalog
The first domain controller in the forest is a global catalog because at least one global catalog is required per forest. You can remove the domain controller's designation as a global catalog later, after you have created other global catalogs.

For each additional domain controller, you can create a global catalog by ensuring that you select the check box in the Active Directory Domain Services Configuration Wizard during the promotion. By default, the wizard selects this option, so new domain controllers become global catalogs unless you clear it.

You can also add or remove the global catalog from a domain controller by using the Active Directory Sites and Services MMC and editing the properties of the NTDS Settings node of the domain controller. Alternatively, you can use the Active Directory module for Windows PowerShell to enable a global catalog.

Configuring Universal Group Membership Caching
Universal groups include users and groups from multiple domains in a forest. The membership of universal groups is replicated in the global catalog. When a user logs on, the user's universal group membership is obtained from a global catalog server. If a global catalog is not available, then universal group membership is not available. Configuring universal group membership caching addresses this problem.

Note: This problem does not arise when every domain controller is a global catalog.

You can alleviate denial of authentication by enabling Universal Group Membership Caching on the local AD DS site. With this enabled, by default all domain controllers in that site obtain universal group membership information from a global catalog for a user when the user first logs on to the site. The domain controller caches that information indefinitely, as long as it can update universal group membership information every eight hours. If the local domain controller cannot contact a global catalog, then the cached group membership information is considered invalid after seven days. This value is called the 'staleness interval' and is set in the registry. If a network outage of less than seven days prevents the local domain controller from contacting the global catalog, the user is still authenticated successfully by using the cached group information.

Enabling Universal Group Membership Caching
Universal Group Membership Caching is a site-level setting. You enable it by using the Active Directory Sites and Services MMC and editing the properties of the NTDS Site Settings object of the site, where you can also choose the site whose global catalogs are used to refresh the cache. You can also use the Active Directory module for Windows PowerShell to enable Universal Group Membership Caching.
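The "Active Directory module for Windows PowerShell" route mentioned in both topics above, as an added example (not code from the course). Both check boxes in Active Directory Sites and Services edit the options bit field on a directory object: the NTDS Settings object of a domain controller for the global catalog, and the NTDS Site Settings object of a site for Universal Group Membership Caching. The domain controller LON-DC2 and the site names Branch and Default-First-Site-Name are assumed.

```powershell
# Added example: enable/disable the global catalog on a DC and Universal
# Group Membership Caching on a site by editing the options attribute that
# the Sites and Services check boxes set. Names are assumptions.

Import-Module ActiveDirectory

# options is a bit field. Bit 0x1 on a DC's NTDS Settings object marks it as
# a GC; bit 0x20 on a site's NTDS Site Settings object turns on UGMC.
$GC_BIT   = 0x1
$UGMC_BIT = 0x20

function Set-GlobalCatalog {
    param([string]$DCName, [bool]$Enabled)
    $dc  = Get-ADDomainController -Identity $DCName
    $obj = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opt = [int]$obj.options
    $new = if ($Enabled) { $opt -bor $GC_BIT } else { $opt -band (-bnot $GC_BIT) }
    if ($new -ne $opt) { Set-ADObject -Identity $obj -Replace @{ options = $new } }
    # The DC starts advertising as a GC (ports 3268/3269) once the partial
    # replicas have replicated in; this reports the attribute, not readiness.
    (Get-ADDomainController -Identity $DCName).IsGlobalCatalog
}

function Set-SiteUgmc {
    param([string]$SiteName, [bool]$Enabled, [string]$PreferredGCSite)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfg" `
                        -Properties options, 'msDS-Preferred-GC-Site'
    $opt = [int]$obj.options
    $new = if ($Enabled) { $opt -bor $UGMC_BIT } else { $opt -band (-bnot $UGMC_BIT) }
    $replace = @{ options = $new }
    if ($Enabled -and $PreferredGCSite) {
        # Which site's GCs refresh the cache (every eight hours by default).
        $replace['msDS-Preferred-GC-Site'] = "CN=$PreferredGCSite,CN=Sites,$cfg"
    }
    Set-ADObject -Identity $obj -Replace $replace
    ($new -band $UGMC_BIT) -ne 0
}

# Report: which DCs are GCs, and which sites cache universal group membership.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADObject -LDAPFilter '(objectClass=nTDSSiteSettings)' `
    -SearchBase (Get-ADRootDSE).configurationNamingContext -Properties options |
    Select-Object @{ n = 'Site'; e = { (($_.DistinguishedName -split ',')[1]) -replace '^CN=' } },
                  @{ n = 'UGMC'; e = { ([int]$_.options -band $UGMC_BIT) -ne 0 } }

Set-GlobalCatalog -DCName 'LON-DC2' -Enabled $true
Set-SiteUgmc -SiteName 'Branch' -Enabled $true -PreferredGCSite 'Default-First-Site-Name'
```

Because both settings are plain attribute writes, the same permissions that allow editing NTDS Settings or NTDS Site Settings allow turning a domain controller into a global catalog; auditing writes to these objects is worthwhile in a multi-domain forest.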
Configuring Operations Masters
In any replicated database, such as AD DS, some tasks must be performed by only one AD DS replica holder because they are impractical to perform in a multi-master manner. For example, only one domain controller can be in charge of synchronizing the time across the domain. In an Active Directory domain, operations masters, also known as flexible single master operations, or FSMO, are domain controllers that additionally provide a specific function. There are five specific operations master roles that must be filled. Any domain controller that meets the prerequisites can perform these roles.

Note: An RODC cannot host any operations master roles because, by design, it cannot directly modify the copy of AD DS it holds.

Two of the operations master roles exist only once for the whole forest. By default these two roles are held in the forest root domain. They are shown in the following table.

Role: Domain Naming Operations Master
Description: You use the domain naming role when you add or remove domains in the forest. When you add or remove a domain, the domain naming master must be available, or the operation fails.

Role: Schema Operations Master
Description: The domain controller holding the schema master role is responsible for making any changes to the forest's schema. All other domain controllers hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, try to do it directly on the domain controller holding the schema master role. Otherwise, the changes that you request must be sent to the schema master to be written into the schema. If the schema master is inaccessible, all attempts to modify the schema will fail.

These roles can be transferred to other domain controllers if required. If a domain controller that is currently holding a role should stop functioning, the role can be forcibly seized by another domain controller.
The other three roles exist in every domain in the forest. They are shown in the following table.

Role: Relative Identifier (RID) Operations Master
Description: The SID of a security principal must be unique. Any read/write domain controller in a domain can create accounts, and therefore issue SIDs. Active Directory domain controllers generate SIDs by incorporating a unique RID into the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in its domain. In the past it was possible for a domain to reach the limit of RID issuance (a maximum of 2^30, or 1,073,741,823). New safeguards were put into place for Windows Server 2012 RID masters, which include issuing warnings in the event logs at each 10 percent of the overall RID space consumed. You can also unlock an additional bit to raise the RID space to 2^31 (a grand total of 2,147,483,648 SIDs).

Note: This is the only one of the five FSMO roles that was improved in Windows Server 2012. All other roles retain the same functionality as in earlier versions.

Role: Infrastructure Operations Master
Description: In a multi-domain environment, it is common for a local object to reference security principals in other domains. For example, a group can include members from another domain. If the security principal in the other domain is moved or renamed, the infrastructure master in the same domain as the local group updates each remote group member's attribute accordingly.

Role: PDC Emulator Operations Master
Description: Emulates a Primary Domain Controller (PDC) and is probably the most important FSMO role for day-to-day functionality.
  • Password handling. When passwords are changed, the PDC emulator is updated immediately.
  • Focus of Group Policy. When Group Policy Objects (GPOs) are created or edited, the action is performed, by default, on the PDC emulator.
  • Time source for the domain. The PDC emulator provides the time source that all computers joined to AD DS synchronize to.
  • Domain master browser. When you open the Network window and see the list of computers, you are seeing a list that is created by the browser service.

These roles can be transferred to any domain controller in the domain. They do not all have to run on the same domain controller. For example, one domain controller might hold the PDC Emulator role while another holds the RID Master role. If a domain controller that is currently holding a role should stop functioning, the role can be forcibly seized by another domain controller.
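Locating, transferring and seizing the five roles, and reading the RID pool consumption that the Windows Server 2012 safeguards warn about, as an added example (not code from the course). The target domain controller LON-DC2 is an assumption; the rIDAvailablePool decoding reflects how the attribute is stored (next available RID in the low 32 bits, ceiling in the high 32 bits).

```powershell
# Added example: operations master inventory, transfer, seizure and RID
# pool usage for the current domain. LON-DC2 is an assumed target.

Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide
        PDCEmulator          = $d.PDCEmulator           # per domain
        RIDMaster            = $d.RIDMaster             # per domain
        InfrastructureMaster = $d.InfrastructureMaster  # per domain
    }
}
Get-FsmoHolders

# Graceful transfer: the current holder is contacted and hands over, so two
# holders never coexist. An RODC is refused as the target.
Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure (-Force) is for a holder that will never return. A seized RID or
# schema master that later reconnects can hand out duplicate RIDs or
# conflicting schema changes, so the old holder must be metadata-cleaned,
# never simply powered back on.
# Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
#     -OperationMasterRole RIDMaster -Force -Confirm:$false

# RID pool usage, the thing the Windows Server 2012 RID master warns about.
function Get-RidPoolUsage {
    $domainDN = (Get-ADDomain).DistinguishedName
    $pool = (Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDN" `
                -Properties rIDAvailablePool).rIDAvailablePool
    $next = [int64]$pool -band 0xFFFFFFFF    # next RID to be handed out
    $max  = [int64]$pool -shr 32             # ceiling: 2^30-1 by default
    [pscustomobject]@{
        NextRID     = $next
        MaxRID      = $max
        PercentUsed = [math]::Round(100 * $next / $max, 2)
    }
}
Get-RidPoolUsage
```

If MaxRID reports 1,073,741,823 the domain is still on the 30-bit RID space; the extra bit described above is unlocked separately on the RID Manager object and is not something this script changes.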
Managing Domain and Forest Functional Levels
By raising the functional levels, you can enable functionality offered by new versions of Windows. New features are not backward-compatible with older versions of Windows Server. Similarly, until all domain controllers are running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012, you cannot implement the improvements to AD DS that those versions bring.

There are two major requirements for raising the functional level:

• All domain controllers must run the correct version of Windows Server.

• You must raise functional levels manually.

Note: The operating system version of the domain controllers determines the functional levels. Member servers can be running any version of Windows Server except for Windows NT 4.0. If you raise the functional level to Windows Server 2008, Windows NT 4.0 can no longer be a domain member.

Treat raising the functional level of either the domain or the forest as a one-way operation. Therefore, after you have raised the domain functional level to Windows Server 2008, for example, you cannot at a later date add a domain controller running Windows Server 2003 to the same domain. (Starting with Windows Server 2008 R2, a level can be rolled back to Windows Server 2008 or later only if no feature that depends on the higher level, such as the Active Directory Recycle Bin, has been enabled.)

A forest can have domains that run at different functional levels, but after the forest functional level is raised, you cannot add a domain controller running a lower version of Windows to any domain in the forest.

The Windows Server 2012 forest functional level adds no new features beyond the Windows Server 2008 R2 forest functional level. The Windows Server 2012 domain functional level adds only the KDC support for claims, compound authentication, and Kerberos armoring that the "Always provide claims" and "Fail unarmored authentication requests" policy settings require.
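The two requirements above as a script, as an added example (not code from the course): verify every domain controller's operating system before raising the level, because the raise cannot be undone in the general case, and then raise the domain level before the forest level. It assumes a single-domain forest; in a multi-domain forest the domain step is repeated for each domain before the forest step.

```powershell
# Added example: gate the functional-level raise on every DC's OS version,
# then raise domain and forest levels to Windows Server 2012.
# Single-domain forest is assumed.

Import-Module ActiveDirectory

function Get-DCsBelowVersion {
    # OperatingSystemVersion looks like "6.2 (9200)"; 6.2 is Windows Server 2012.
    param([version]$Minimum = '6.2')
    Get-ADDomainController -Filter * |
        Where-Object { [version]($_.OperatingSystemVersion.Split(' ')[0]) -lt $Minimum } |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion
}

$blocking = Get-DCsBelowVersion
if ($blocking) {
    $blocking | Format-Table -AutoSize
    throw 'Upgrade or demote these DCs first; functional levels cannot be lowered later.'
}

$domain = Get-ADDomain
$forest = Get-ADForest
"Before: domain $($domain.DomainMode), forest $($forest.ForestMode)"

# Domain level first (every domain in the forest), then the forest level.
# The cmdlets target the PDC emulator / domain naming master for you.
Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest -Confirm:$false

"After: domain $((Get-ADDomain).DomainMode), forest $((Get-ADForest).ForestMode)"
```

The version gate is what the GUI does for you when it refuses to offer a level; scripting it keeps an automated raise from failing halfway, with one domain raised and the forest not.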
Lesson 3
Implementing Service Accounts
One common issue that most organizations face is how to securely manage accounts that are used for network services. Many applications use services that require an account for service startup and authentication. As with typical user accounts, you must also manage service accounts effectively to ensure security and reliability.

Lesson Objectives
After completing this lesson you will be able to:

• Describe managed service accounts.

• Describe group managed service accounts.

• Configure managed service accounts.

• Manage service principal names.

What Are Managed Service Accounts?
Applications are frequently configured to execute non-interactively on servers that use the security authentication context of the Local Service, Network Service, or Local System accounts. Because these accounts are typically shared by many applications and processes, you cannot isolate their credentials. That is to say, you cannot customize the security settings of these accounts without also affecting all applications and processes that are mapped to them. A managed service account provides an application with its own unique service account. In Windows Server 2012, administrators no longer have to manually administer the credentials for this account.

Managed service accounts in Windows Server 2012 offer the following benefits:

• Automatic password management. A managed service account automatically maintains its own password, including password changes. This can better isolate services from other services on the computer.

• Simplified service principal name (SPN) management. SPN management can be automatic if the AD DS domain is configured at the Windows Server 2008 R2 domain functional level. For example, if the samAccountName property of the computer is changed, or if the DNS host name property is modified, the managed service account SPN automatically changes from the old name to the new name for all managed service accounts on the computer.

Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or application must run Windows Server 2008 R2 or later versions. You must also ensure that the .NET Framework 3.5.x and the Active Directory module for Windows PowerShell are both installed on the server.
Note: In versions of Windows earlier than Windows Server 2012, managed service accounts could not be shared between multiple computers. Each managed service account had to be unique to the computer where the application was run. This type of service account is known as a standalone managed service account. New in Windows Server 2012 is the ability to create managed service accounts that can be shared with more than one computer (for example, for a clustered set of servers). These types of managed service accounts are called group managed service accounts. They are discussed in the next lesson.

Managing Service Principal Names
A service principal name (SPN) is the unique identifier of a service instance. Kerberos clients use it to request a ticket for the service, and the KDC maps the SPN to the account in whose security context the service executes. SPNs support mutual authentication between a client application and a service. SPNs are built either from information that a client computer knows about a service or from a trusted third party, such as Active Directory. SPNs are associated with accounts, and an account can have a different SPN for each service it is used to authenticate and execute. An SPN must be unique in the forest; if the same SPN is registered on two accounts, the KDC cannot tell which key to use and Kerberos authentication to that service fails.

The basic syntax of an SPN is as follows.

<service type>/<instance name>:<port number>/<service name>

The elements of the syntax have the meanings described in the following table.

Service type: The type of service, such as www for World Wide Web service.

Instance name: The name of the instance of the service. Either the host name or IP address of the server that is running the service.

Port number: Port number that is used by the host for the service if it differs from the default.

Service name: This may be the DNS name of the host, or of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of a remote procedure call (RPC) service object.

If service name and instance name are the same, as they are for most host-based services, then you can abbreviate a service principal name to two components, as follows.

<service type>/<instance name>

Service Names in Active Directory
The syntax for service names in Active Directory includes the distinguished name of the instance of the service. The syntax is as follows.

<service type>/<host name>:<port number>/<distinguished name>
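Registering and auditing SPNs with the syntax above, as an added example (not code from the course). It assumes a service account svc-web in the Adatum.com lab and a web server web01 listening on the default port and on 8443; setspn.exe is part of the AD DS tools. Every registration is preceded by a forest-wide duplicate search, because a duplicate SPN silently breaks Kerberos for both principals.

```powershell
# Added example: register HTTP SPNs for a service account with duplicate
# checks, then list and audit them. Account and host names are assumptions.

Import-Module ActiveDirectory

$account = 'svc-web'
$spns = @(
    'HTTP/web01.adatum.com',        # <service type>/<instance name>
    'HTTP/web01.adatum.com:8443',   # non-default port is part of the SPN
    'HTTP/web01'                    # short name, for clients using NetBIOS names
)

function Find-SpnOwner {
    # Exact match over the whole forest through the global catalog (3268),
    # since an SPN must be unique forest-wide, not just per domain.
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
        -SearchBase (Get-ADRootDSE).rootDomainNamingContext -SearchScope Subtree `
        -Server "$((Get-ADForest).RootDomain):3268" -Properties servicePrincipalName
}

foreach ($spn in $spns) {
    $others = @(Find-SpnOwner -Spn $spn | Where-Object { $_.Name -ne $account })
    if ($others.Count -gt 0) {
        Write-Warning "$spn is already registered to $($others[0].DistinguishedName); not adding"
        continue
    }
    # setspn -S performs its own duplicate check before adding; -A does not.
    setspn -S $spn $account
}

# What the account now holds, and a forest-wide duplicate scan (-X -F).
setspn -L $account
setspn -X -F

# The same registration through the module, if setspn.exe is unavailable:
# Set-ADUser -Identity $account -ServicePrincipalNames @{ Add = 'HTTP/web01.adatum.com' }
```

Run the -X -F scan after any bulk account or host rename: the SPN follows the account, not the host, so a service moved to a new server keeps authenticating against the old name until the SPN is moved with it.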
MCT USE ONLY. STUDENT USE PROHIBITED
11-18 Implementing Active Directoory Domain Services

Wh
hat Are Grroup Mana
aged Service Accoun
nts?
As discussed
d in th
he previous lesson, Standalon ne
Man naged Service Accounts are managed dom main-
baseed accounts (that now includ de automatic
passsword manage ement and sim mplified SPN
man nagement for the service acccount) for sing gle
servvers. Group Ma anaged Service e Accounts proovide
the same function nality but for multiple
m serverrs.
Whe en you connecct to a service hosted on a se erver
m, such as the Network Load
farm d Balance (NLBB)
servvice, all compu uters that are running an insttance
of that service mu ust use the samme security
prin
ncipal. When a Group Manag ged Service
Account is used as the service principal,
p the Window
W Serverr 2012 AD DS m
manages the p
password for the
accoount instead of o relying on thhe administrator to manage the password.

Note: Group Managed Se ervice Accountts can only be configured an


nd administere
ed on
com
mputers that arre running Win
ndows Server 2012.
2

The group Manag ged Service Acccount has feattures to deal ccorrectly with h
hosts that are kept offline fo
or an
exte
ended time pe eriod. This mea
ans that you ca an deploy a seerver farm thatt uses a single Group Manag ged
Secuurity Account identity to which existing cliient computerrs can authentiicate without kknowing the
instance of the service to which they are connnecting.

Note: For Windows


W er 2012, the Windows PowerrShell cmdlets default to managing the
Serve
group Managed Service
S Accoun
nts instead of the naged Service Accounts.
t original staandalone Man

De
emonstration: Configuring Group Manaaged Service Accoun
nts
In th
his demonstration you will see how to crea
ate a group m
managed servicce account and
d associate the
e
accoount with a server.

Demonstration Steps
1. Log on to LON-DC1 as Administrator.

2. Create the KDS root key using the New-KdsRootKey cmdlet. Make the effective time minus 10 hours so the key is effective immediately.

3. Create the new service account named Webservice for the host LON-DC1.

4. Associate the Webservice managed account with Lon-DC1.

5. Verify the group managed service account was created by using the Get-ADServiceAccount cmdlet.
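The demonstration steps above, written out as an added Windows PowerShell example (not code from the course). It assumes the domain adatum.com, the domain controller LON-DC1 and the account name Webservice; the cmdlet that ships in Windows Server 2012 for step 2 is named Add-KdsRootKey.

```powershell
# Added example (not from the course): create and verify a group Managed Service
# Account with the ActiveDirectory module on a Windows Server 2012 domain controller.
# Assumptions: domain adatum.com, DC LON-DC1, account name Webservice.
Import-Module ActiveDirectory

# Step 2: create the KDS root key. The effective time is set 10 hours in the
# past so the key is usable immediately in a lab. In production, let the
# default 10-hour delay pass so every DC has replicated the key before any
# gMSA password is derived from it.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
Get-KdsRootKey   # lists the key with its EffectiveTime

# Step 3: create the gMSA and restrict which hosts may retrieve its password.
# Only computers named here can ever obtain the managed password.
New-ADServiceAccount -Name Webservice `
    -DNSHostName 'webservice.adatum.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$'

# Step 4: install the account on the host (run on LON-DC1).
Install-ADServiceAccount -Identity Webservice

# Step 5: verify. Test-ADServiceAccount returns $true only if this host can
# retrieve the managed password, which is the check that matters operationally.
Get-ADServiceAccount -Identity Webservice -Properties PrincipalsAllowedToRetrieveManagedPassword
Test-ADServiceAccount -Identity Webservice
```

The value of the PrincipalsAllowedToRetrieveManagedPassword attribute is the access control point for the account: review it when auditing which hosts can act as the service principal.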

Lesson 4
Implementing Group Policy in AD DS
Group Policy has become the major tool for controlling the computing environment in an organization. This lesson points out the new features for Windows Server 2012 and describes some management techniques for controlling users and computers.

Lesson Objectives
After completing this lesson you will be able to:

• Describe the new features in Group Policy.

• Manage Group Policy objects (GPOs).

• Configure Group Policy processing.

• Describe Group Policy client-side extensions.

• Troubleshoot Group Policy.

• Describe best practices for Group Policy implementation.

What’s New in Group Policy in Windows Server 2012?
Group Policy was introduced in Windows 2000. Each successive Windows version has introduced new tools or management features, such as the Group Policy Management Console (GPMC). Group Policy in Windows Server 2012 includes the following new features.

Graphical User Interface for Managing Fine-Grained Password Policy
New in Windows Server 2012 is the ability to manage this GPO object set from the console of the Active Directory Administrative Center. Managing domain user account password policy by group membership was an option since the initial release of Windows Server 2008. When it is enabled, any password policy associated with the user’s group membership takes precedence over the default of the domain account policy. However, in earlier versions of Windows Server there was no single interface for implementing and managing this type of GPO. The new GUI simplifies using this feature.

Group Policy Infrastructure Status
The Group Policy Infrastructure Status tool is a new tab in the GPMC. It displays the status of Active Directory and SYSVOL replication as it relates to Group Policy. This feature enables you to detect the current status by comparing the replication status of all domain controllers.

Remote Policy Refresh
You can now use GPMC to target an organizational unit (OU) and force Group Policy refresh on all its computers and their currently logged-on users. Right-click any organizational unit in the GPMC, and then click Group Policy Update. The update occurs within 10 minutes (randomized on each targeted computer) to prevent overwhelming a domain controller.

Also, a new Windows PowerShell cmdlet, named Invoke-GpUpdate, functions in the same manner as the command line GpUpdate utility.

New RSOP Logging Data
When you use the Group Policy Results wizard or GpResult /H command line tool to generate an HTML Resultant Set of Policy (RSOP) report, you now see an updated Summary section that provides information such as network speed and whether a policy is functioning correctly or not.

Note: Remote RSOP logging and Group Policy refresh require you to open firewall ports on the targeted computers. This means enabling incoming communication for RPC, WMI/DCOM, event logs, and scheduled tasks.
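The remote refresh and RSOP features above, as an added PowerShell example (not course code). It assumes an OU named OU=Kiosks,DC=adatum,DC=com, a client LON-CL1, a user ADATUM\Alice, and that the inbound firewall rules the note describes are already enabled on the targets.

```powershell
# Added example (not course code): force a Group Policy refresh on every computer
# in an OU and collect an HTML RSOP report for one client.
# Assumptions: OU 'OU=Kiosks,DC=adatum,DC=com', client LON-CL1, user ADATUM\Alice.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou = 'OU=Kiosks,DC=adatum,DC=com'
$computers = Get-ADComputer -Filter * -SearchBase $ou | Select-Object -ExpandProperty Name

foreach ($c in $computers) {
    # -RandomDelayInMinutes 10 mirrors the GPMC behaviour so the domain
    # controllers are not hit at once; -Force reapplies settings even if the
    # GPOs have not changed; -AsJob avoids blocking on hosts that are offline.
    Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 10 -AsJob
}
# Collect the job results; a host that cannot be reached surfaces here as an error.
Get-Job | Wait-Job | Receive-Job

# RSOP for one computer/user combination. The report's Summary section shows
# the detected link speed and whether each client-side extension succeeded.
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -User 'ADATUM\Alice' `
    -ReportType Html -Path "$env:TEMP\LON-CL1-rsop.html"
```

If Invoke-GPUpdate reports that the scheduled task could not be created on a target, the firewall rules for RPC and scheduled tasks named in the note are the first thing to verify.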

Managing GPOs
You must manage group policies as any other object in Active Directory. Group Policy must be created, edited, applied to containers, and backed up. The GPMC is the main tool for managing Group Policy.

Creating, Editing, and Linking Policies
Group Policy management has the following characteristics:

• Create GPOs in the Group Policy Objects folder in the GPMC. You must have administrative rights in the domain or membership in the Group Policy Creator Owners group to create GPOs.

• Edit GPOs by using the Group Policy Management Editor. You can use policies to configure and apply thousands of settings.

• You can link GPOs to containers by using the GPMC. You can link a single GPO to multiple containers.

Backing Up and Restoring GPOs
You should back up Group Policies regularly. The first time that you back up a GPO, you must specify the location of the backup folder.

To back up GPOs in the GPMC, use the following procedures:

• To back up individual GPOs, right-click the GPO, and then click Back Up.

• To back up all GPOs, right-click the GPO folder, and then click Back Up All.

To restore an existing GPO to an earlier version of the GPO:

1. Open the Group Policy Objects folder.

2. Right-click the GPO that you want to restore.

3. Click Restore from Backup.

To restore a deleted GPO:

1. Right-click the Group Policy Objects folder.

2. Click Manage Backups.

3. Click the policy that you want to restore from the backup folder.

4. Click Restore.

Copy or Import GPOs
By using the import and copy operations in the GPMC, you can transfer GPOs across domains and across forests. This is useful if you maintain separate test and production environments and want to replicate the content from one environment to the other. The GPMC enables you to modify certain settings as part of the import or copy operation. Specifically, you can modify references to security principals, such as users, groups, and computers, and to Universal Naming Convention (UNC) paths that exist in the GPO. You can modify security principals and UNC paths in the destination GPO by using a migration table with the import or copy operation. For example, the test environment might use a different UNC path for folder redirection than the production environment. You can use a migration table to map the test environment UNC path to the production UNC path.

A copy operation uses an existing GPO as its source and creates a new GPO as the destination. The administrator can choose to preserve the existing permissions or use the default GPO permissions. To copy an existing GPO:

1. Right-click the GPO.

2. Click Copy.

3. Paste the GPO into the Group Policy Object folder.

The import operation transfers settings into an existing GPO in Active Directory using a backed up GPO as the source. Importing does not modify the permissions or links associated with the destination GPO. Importing does not merge with any existing settings in the destination GPO, but will overwrite all settings. To import a GPO:

1. Right-click the GPO you are importing settings into.

2. Click Import Settings.

3. Follow the steps in the Import Settings Wizard.
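The backup, restore, copy and import operations described in this topic, as an added PowerShell example using the GroupPolicy module (not course code). It assumes a backup share \\LON-DC1\GPOBackup, a GPO named "Desktop Standard" and a migration table file at C:\GPO\test-to-prod.migtable.

```powershell
# Added example (not course code): back up, restore, copy and import GPOs with
# the GroupPolicy module. Assumptions: backup share \\LON-DC1\GPOBackup, GPO
# 'Desktop Standard', migration table C:\GPO\test-to-prod.migtable.
Import-Module GroupPolicy

$backupPath = '\\LON-DC1\GPOBackup'

# Back up one GPO, then all GPOs; each backup lands in its own GUID-named folder.
Backup-GPO -Name 'Desktop Standard' -Path $backupPath -Comment 'Before change request'
Backup-GPO -All -Path $backupPath

# Restore the most recent backup of a GPO (the GPMC "Restore from Backup" action).
Restore-GPO -Name 'Desktop Standard' -Path $backupPath

# Copy a GPO within the domain, creating a new GPO as the destination.
# Add -CopyAcl to preserve the source permissions instead of using the defaults.
Copy-GPO -SourceName 'Desktop Standard' -TargetName 'Desktop Standard - Copy'

# Import settings from a backup into an existing GPO, rewriting UNC paths and
# security principals through the migration table. Links and permissions on
# the target are untouched; its existing settings are overwritten.
Import-GPO -BackupGpoName 'Desktop Standard' -Path $backupPath `
    -TargetName 'Desktop Standard - Production' `
    -MigrationTable 'C:\GPO\test-to-prod.migtable' -CreateIfNeeded

# Review what the backup folder holds before relying on it for a restore.
Get-ChildItem -Path $backupPath -Directory | Select-Object Name, LastWriteTime
```

Because a backup folder contains the full settings of every GPO, including any scripts and security settings, restrict the share's permissions to the administrators who perform restores.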

Configuring Group Policy Processing
When you link a Group Policy to a container, the settings affect all users, groups, or computers in that container and all child containers under that parent. For example, a GPO linked to the domain container inherits down to all child containers in the domain. Because you can link GPOs directly to the site, domain, or OU containers, there is the potential for settings in different GPOs to conflict. For example, a setting in a GPO at the domain level might be enabled while the same setting in a GPO linked to an OU may be disabled. This conflict is resolved through precedence. GPO settings are applied in the following order:

1. Local policies

2. Site linked GPOs

3. Domain linked GPOs



4. OU linked GPOs

5. Child OU linked GPOs

Policy settings inherit down and merge so that objects receive the cumulative effect of all GPOs. If you
link multiple GPOs to the same container then they are applied in the order in which they were linked.
However, you can set precedence to control the order of application to that container. If there is a conflict
in GPO settings, the last GPO applied has precedence and is the effective one. In other words, the user or
computer receives all the GPO settings in the path of their container and linked directly to their container,
but if there is a conflict, the latest setting is the one in effect.

Group Policy provides mechanisms to modify the way GPO settings are processed. You can block
inheritance and enforce policies.

Blocking Inheritance
You can configure a domain or OU to prevent the inheritance of policy settings. This option blocks all
inherited Group Policy settings from GPOs linked to parents in the Group Policy hierarchy. You cannot use
it to block only selected inherited policies. It does not block GPOs that are linked directly to the container.
You should use the Block Inheritance option sparingly. When you block inheritance, you make it more
difficult to evaluate Group Policy precedence and inheritance.

Enforcing a GPO Link


You can set a GPO link to be Enforced. When you set a GPO link to Enforced, that GPO takes the highest
level of precedence. Policy settings in that GPO then prevail over any conflicting policy settings in other
GPOs. In addition, a link that is enforced applies to child containers even when those containers are set
to Block Inheritance. The Enforced option causes the policy to apply to all objects within its scope. The
Enforced setting causes policies to override any conflicting policies and applies regardless of any other
settings.

Loopback Processing
By default a user receives the settings from GPOs inherited by, and linked to, the OU where their user
account resides. There are situations, however, in which you might want to configure a user differently,
depending on the computer that is being used. For example, you might want to lock down and
standardize user desktops when users log on to computers in closely managed environments, such as
conference rooms, reception areas, laboratories, classrooms, and kiosks. You might also want to apply
specific settings for virtual desktop infrastructure (VDI) scenarios. This includes remote virtual machines
and Remote Desktop Services (RDS), known as Terminal Services in earlier versions.

The loopback setting causes a user’s typical GPO settings to be disregarded and applies the user settings associated with the GPO instead.

The loopback setting is located in the Computer Configuration\Policies\Administrative Templates\System\Group Policy folder in the GPO.

Note: There is an option in the loopback setting to merge the loopback user settings with
their typical settings. But the default is to replace their typical settings with the settings in the
loopback GPO.
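Linking, enforcing, blocking inheritance and loopback processing, as an added PowerShell example (not course code). It assumes an OU named OU=Kiosks,DC=adatum,DC=com and a GPO named "Kiosk Lockdown"; the registry value written for loopback is the one behind the "Configure user Group Policy loopback processing mode" policy in the folder named above.

```powershell
# Added example (not course code): control Group Policy processing from PowerShell.
# Assumptions: OU 'OU=Kiosks,DC=adatum,DC=com' and a GPO named 'Kiosk Lockdown'.
Import-Module GroupPolicy

$ou = 'OU=Kiosks,DC=adatum,DC=com'

# Link the GPO to the OU and enforce the link so it wins conflicts and passes
# through any Block Inheritance set on child OUs.
New-GPLink -Name 'Kiosk Lockdown' -Target $ou -LinkEnabled Yes
Set-GPLink -Name 'Kiosk Lockdown' -Target $ou -Enforced Yes

# Block inheritance on the OU. Use sparingly: it hides parent GPOs and makes
# precedence harder to reason about when troubleshooting.
Set-GPInheritance -Target $ou -IsBlocked Yes

# Loopback processing: the policy stores UserPolicyMode under
# HKLM\Software\Policies\Microsoft\Windows\System, 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name 'Kiosk Lockdown' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Review the result: GpoInheritanceBlocked shows the block, GpoLinks shows
# link order and which links are enforced.
$inh = Get-GPInheritance -Target $ou
$inh.GpoInheritanceBlocked
$inh.GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order
```

Get-GPInheritance is the quickest way to see, for any container, which links are enforced and whether inheritance is blocked, which is exactly the information needed when a policy applies unexpectedly.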

Security Filtering
Each GPO has a Discretionary Access Control List (DACL) that defines permissions to the GPO. You must apply two permissions, Allow Read and Allow Apply Group Policy, to a user or computer. By default, Authenticated Users have the Allow Apply Group Policy permission on each new GPO. This means that by default, all users and computers are affected by the GPO’s settings. Therefore, by adjusting the permissions on the GPO you can control who receives them. There are two approaches to do this.

• To apply the GPO to only some users, groups or computers:

1. Remove the Authenticated Users group from the DACL.

2. Add the users, groups or computers you want to receive the policies.

3. Grant them Read and Apply Group Policy permissions.

• To prevent some users, groups or computers from receiving the GPO settings:

4. Add them to the DACL.

5. Deny them the Apply Group Policy permission.

You access the DACL from the Delegation, Advanced tab of the GPO.

WMI Filtering
You can also use Windows Management Instrumentation (WMI) to control the scope of GPO application, depending on attributes of the destination computer. You can use WMI queries to check for hardware or software conditions that must exist for settings to be applied. For example, a WMI query may check for an operating system version, make or model, or the RAM in the system to determine whether GPO settings should be applied. WMI filters can query for hundreds of different parameters.

Group Policy Client Side Extensions
The Group Policy Client service determines which GPOs to apply to the client. This service downloads any GPOs that are not already cached. Then, a series of processes called client-side extensions interpret the settings in a GPO and make appropriate changes to the local computer or to the currently logged-on user. There are client-side extensions for each major category of policy setting. For example, there is a security client-side extension that applies security changes, a client-side extension that executes startup and logon scripts, a client-side extension that installs software, and a client-side extension that makes changes to registry keys and values. Each new version of Windows has added client-side extensions to extend the functional reach of Group Policy. There are several dozen client-side extensions now in Windows.

Note: For client computers running Windows XP to accept Group Policy Preferences the client-side extensions for Windows XP preferences must be downloaded and installed on each client computer.

Group Policy is applied at the client computer side at startup for computer settings and when users log on
for user settings. Group Policy is also refreshed on the client computer at regular, configurable intervals.
The default interval is 90 minutes. The Group Policy client pulls the GPOs from the domain, triggering the
client-side extensions to apply settings locally. Group Policy is not a push technology.

Note: You can manually refresh Group Policy from the GPMC in Windows Server 2012 or
by using the GpUpdate command prompt utility on the client workstation.

Policies remain in force on the client even if the client is not connected to the corporate LAN. For
example, mobile laptop users continue to have the GPO settings enforced because those settings are
cached on the client. But mobile laptop users receive no changes to policy settings until they reconnect to
the LAN.

Note: If client computers use cached credentials to speed up the logon process, then the
user does not see the effect of several GPO settings until after two logons.

Policies are not re-applied on the client systems unless a change in a policy setting is detected. An
important exception to the default policy processing settings is settings managed by the security client-
side extension. Security settings are reapplied every 16 hours even if a GPO has not changed.

Note: You can configure client-side extensions to reapply policy settings at background refresh even if the GPO has not changed. To do this, define the settings in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. To configure a client-side extension:

1. Open its policy processing policy setting, such as Registry Policy Processing for the Registry client-side
extension.

2. Click Enabled.

3. Select the Process even if the Group Policy objects have not changed check box.

Group Policies over Slow Links


If a slow network connection is detected then certain client-side extensions do not process GPO settings.
For example, installing software is not practical across a slow network. By default, a slow connection is
defined as 500 KBPS. However, you can configure this value in Group Policy. Also, you can configure each
client-side extension in Group Policy to process even if a slow connection is detected.

These settings are always applied, even across a slow connection:

• Security settings

• Administrative Templates

• IPsec
• Encrypting File System (EFS)

These settings are not applied across a slow connection:

• Quotas
• Internet Explorer Maintenance

• Folder Redirection

• Scripts

• Wireless Network settings

• Software installations

Note: Older clients, such as Windows XP, use Ping to determine network speed. If you block Internet Control Message Protocol (ICMP) traffic, the connection always appears as a slow connection. Clients that are running Windows Vista or later versions use Network Location Awareness to determine connection speed.
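The client-side extension processing options and the slow-link threshold described above, as an added PowerShell example (not course code). It writes, through Set-GPRegistryValue, the registry values that the "Registry policy processing" and "Configure Group Policy slow link detection" policies in the System\Group Policy node set. It assumes a GPO named "Client Processing"; the GUID is the well-known identifier of the Registry client-side extension.

```powershell
# Added example (not course code): make the Registry client-side extension
# reapply settings at background refresh even when no GPO changed, allow it
# across slow links, and raise the slow-link threshold.
# Assumption: a GPO named 'Client Processing'.
Import-Module GroupPolicy

$gpo = 'Client Processing'
# Well-known GUID of the Registry CSE (it appears in gpt.ini extension lists).
$registryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$cseKey = "HKLM\Software\Policies\Microsoft\Windows\Group Policy\$registryCse"

# "Registry policy processing" = Enabled with:
#   NoGPOListChanges   0 -> process even if the GPOs have not changed
#   NoSlowLink         0 -> allow processing across a slow network connection
#   NoBackgroundPolicy 0 -> keep applying during periodic background refresh
Set-GPRegistryValue -Name $gpo -Key $cseKey -ValueName 'NoGPOListChanges'   -Type DWord -Value 0
Set-GPRegistryValue -Name $gpo -Key $cseKey -ValueName 'NoSlowLink'         -Type DWord -Value 0
Set-GPRegistryValue -Name $gpo -Key $cseKey -ValueName 'NoBackgroundPolicy' -Type DWord -Value 0

# "Configure Group Policy slow link detection": threshold in KBps (default 500).
Set-GPRegistryValue -Name $gpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'GroupPolicyMinTransferRate' -Type DWord -Value 1000

# Read back what the GPO now carries for the CSE key.
Get-GPRegistryValue -Name $gpo -Key $cseKey | Format-Table ValueName, Type, Value
```

Reapplying the Registry extension on every refresh is the usual way to undo local tampering with policy-managed registry values between GPO changes; the trade-off is extra processing at each 90-minute refresh.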

Troubleshooting Group Policy
There may be times when you must troubleshoot Group Policy. There are two main issues that can occur with Group Policy processing:

• Policies are not being applied to the client computer.

• Policies are applied, but the results are inconsistent or incorrect.

These two issues might arise for the following reasons:

• AD DS replication issues may prevent all domain controllers from receiving policies or policy updates.

• GPOs may be linked incorrectly to containers.

• Slow network conditions may exist.

• Policy filtering may be set.

• Inheritance or enforcement settings may be applied.

• The loopback setting may be turned on.

• Local computer policies may affect the results.

Start to troubleshoot by determining the scope of the issue. For example, is the issue widespread, or only affecting a single client? If the issue affects a single client, you should check for physical issues, such as incorrect configurations. These issues are usually easy to diagnose.

Check Event Viewer entries, Windows logs, and application and service logs. These can provide valuable information about the cause of issues. Log entries frequently direct you to the area in which to begin an investigation.

Most Group Policy issues are caused by:

• Inheritance

• Filtering

• Replication

Troubleshooting Inheritance
If none of the users or computers in an OU or child OUs receive policies that were linked to higher levels,
it may be because of inheritance blocking. The GPMC displays a blue exclamation mark when inheritance
is blocked. RSOP lists the GPOs that are being applied, and the GPOs that are being blocked. You can
generate Group Policy results at the destination computer or from the GPMC through the Group Policy
Results Wizard.

Troubleshooting Filtering
GPO filtering may result from:

• Security filtering

• WMI filtering

Symptoms of filtering issues may appear as inconsistent application of policies in an OU. If some users,
groups, or computers have filtering applied, they do not receive policies that other users in the same OU
receive.

Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If
there is a link to a non-existent WMI filter, the GPO with that link is not processed until the link is
removed or the filter is restored.

Troubleshooting Replication
Group Policy information takes time to propagate or replicate from one domain controller to another.

Replication issues are most noticeable in remote sites with slow connections and long replication latency.
You can use the new Status tab in the GPMC on Windows Server 2012 to determine the replication health
of the GPO. If replication is an issue, you must determine whether the problem is with the File Replication
Service (FRS) or with AD DS replication. There are two simple tests that you can use to determine the
issue:

• For SYSVOL replication, put a small test file into the SYSVOL directory. See whether it replicates to
other domain controllers.
• For AD DS replication, create a test object, such as an OU. See whether it replicates to other domain
controllers.

Troubleshooting Policy Refresh


Some users rarely restart or even log off their systems. Several Group Policy settings cannot be refreshed
during a typical refresh cycle. Some settings require a logoff or a restart to be applied. In fact, because of
cached credentials, many settings require two logons for the user to see the effect of the setting. If some
users do not receive the policy settings, ensure that they restart or log off and on two times to rule out
the effect of cached credentials.
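The troubleshooting checks in this topic (event logs, RSOP, AD DS replication and the SYSVOL test-file test), as an added PowerShell example (not course code). It assumes a client LON-CL1 and domain controllers LON-DC1 and LON-DC2 in the domain adatum.com.

```powershell
# Added example (not course code): first checks for a Group Policy problem on one
# client and for the two replication paths described in the text.
# Assumptions: client LON-CL1, domain controllers LON-DC1 and LON-DC2, domain adatum.com.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Errors and warnings from the Group Policy operational log on the client
#    (for example 1129 = no connectivity to a DC, 1085 = a CSE failed to apply).
Get-WinEvent -ComputerName 'LON-CL1' -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3
} -MaxEvents 20 | Format-Table TimeCreated, Id, Message -Wrap

# 2. RSOP as XML so the applied and denied GPOs can be listed by script.
$rsopPath = "$env:TEMP\LON-CL1-rsop.xml"
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -ReportType Xml -Path $rsopPath
[xml]$rsop = Get-Content -Path $rsopPath
$rsop.Rsop.ComputerResults.GPO | Select-Object Name, Enabled, IsValid, FilterAllowed, AccessDenied

# 3. AD DS replication health between the domain controllers.
Get-ADReplicationPartnerMetadata -Target 'LON-DC1', 'LON-DC2' |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult

# 4. SYSVOL test: write a small file on one DC and poll the other until it appears.
$probe  = "gp-probe-$(Get-Date -Format yyyyMMddHHmmss).txt"
$source = "\\LON-DC1\SYSVOL\adatum.com\scripts\$probe"
$target = "\\LON-DC2\SYSVOL\adatum.com\scripts\$probe"
Set-Content -Path $source -Value 'SYSVOL replication probe'
$seen = $false
for ($i = 0; $i -lt 12 -and -not $seen; $i++) {
    Start-Sleep -Seconds 10
    $seen = Test-Path -Path $target
}
"SYSVOL probe replicated to LON-DC2 within 2 minutes: $seen"
Remove-Item -Path $source -ErrorAction SilentlyContinue
```

If step 3 reports success but step 4 never sees the file, the problem is in SYSVOL (FRS or DFS-R) rather than in directory replication, which is the distinction the text asks you to make before going further.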

Best Practices for Implementing Group Policy
Group Policy is a very powerful tool, but you must apply it correctly. Implementing a Group Policy solution involves planning, designing, deploying, and maintaining the solution. There are some best practices that you should follow.

Plan Your Deployment
Define the scope of application of Group Policy. Define what types of settings are global to all users and computers and design or modify the OU structure to accommodate Group Policy application. You should design the OU structure with Group Policy in mind and enhance the inherited nature of Group Policy settings by grouping objects in a hierarchy that enables that flow of Group Policy settings.

Create Standard Desktop Configurations
One of the goals of controlling the computing environment is to provide consistency. Standard desktop configurations for various user types or departments can make system repair or replacement a simpler task if many of the configuration settings are delivered by using Group Policy.

Do Not Use the Default Domain Policy or Default Domain Controllers Policy for Other Purposes
These two default policies provide basic settings for the domain, such as password policies, and for domain controllers, such as auditing settings. If you want to apply other configuration settings to the domain or to domain controllers, create new policies. Use the default policies for password, auditing and security settings only.

Use Inheritance Modifications and Filtering Sparingly
Heavy use of blocking and enforcing of policies makes troubleshooting more difficult. Also try to avoid security and WMI filtering unless it is required.

Use Loopback Processing for Special Case Scenarios
Loopback can solve issues with desktop standardization for scenarios where the system users log on to special purpose systems, such as Remote Desktop Services or kiosk computers.

Implement a Change Request Process
Limit changes to Group Policy settings to a small group of administrators. All changes should be approved and documented. Consider using the Advanced Group Policy Management (AGPM) tool available with the Microsoft Desktop Optimization Pack (MDOP).

Lesson 5
Maintaining AD DS
Maintaining the health of the AD DS is an important aspect of an administrator’s job. In this lesson, you will learn how to use Windows Server Backup to effectively back up and restore AD DS and domain controllers. You will also learn how to optimize and protect your directory service so that if a domain controller does fail, you can restore it as quickly as possible.

Lesson Objectives
After completing this module, you will be able to:

• Describe options for backing up AD DS.

• Describe options for restoring AD DS.

• Describe the Active Directory Recycle Bin.

• Describe AD DS snapshots.

• Optimize the AD DS database.

Options for AD DS Backup
Windows Server Backup was introduced in Windows Server 2008. It enables you to back up and restore a server, its roles, and its data. Windows Server Backup is installed as a feature in Server Manager.

Note: The Windows Server Backup MMC appears on the Tools list in Server Manager even though the feature is not actually installed until you manually add the feature.

Windows Server Backup provides a snap-in administrative tool and the WBAdmin command line tool (Wbadmin.exe). Both the snap-in and the command line enable you to perform manual or automatic backups to an internal or external disk volume, a remote share, or optical media. Backing up to tape is no longer supported by Windows Server Backup.

In earlier versions of Windows, backing up Active Directory involved creating a backup of the SystemState. In Windows Server 2012, the SystemState still exists, but it is physically larger in size. Because of interdependencies between server roles, physical configuration, and Active Directory, the SystemState is now a subset of a Full Server backup and, in some configurations, might be just as large as a full server backup. To back up a domain controller, you must back up all critical volumes fully.

Windows Server Backup enables you to perform one of the following types of backups:

• Full server

• Selected volumes

• System State

• Individual files or folders

When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup includes all data that resides on the volumes that host the:

• Boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store.

• Windows operating system and the registry.

• SYSVOL tree.

• Active Directory database (Ntds.dit).

• Active Directory database log files.

To perform a backup, you must first install the Windows Server Backup feature. You can then use the Windows Server Backup console to create backup jobs. The Actions pane in the Windows Server Backup console enables you to start a wizard to perform a scheduled backup or a one-time backup job. The wizard prompts for a backup type, backup selection, backup destination and schedule (if performing a scheduled job).
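The feature installation, the critical-volume and System State backups, and a scheduled job, as an added example using Wbadmin.exe and the WindowsServerBackup PowerShell module (not course code). It assumes a dedicated backup disk mounted as E: on the domain controller.

```powershell
# Added example (not course code): install Windows Server Backup and back up a
# domain controller from the command line. Assumption: backup disk E:.
Install-WindowsFeature Windows-Server-Backup -IncludeManagementTools

# One-time backup of all critical volumes (boot files, OS and registry, SYSVOL,
# Ntds.dit and its logs), which is what a full domain controller restore needs.
wbadmin start backup -allCritical -backupTarget:E: -quiet

# A System State backup is the smaller alternative when only AD DS and the
# registry must be recoverable, not the whole server.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Schedule a daily backup at 23:00 that includes System State and the volumes
# needed for bare-metal recovery.
Import-Module WindowsServerBackup
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBareMetalRecovery -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath 'E:')
Set-WBSchedule -Policy $policy -Schedule 23:00
Set-WBPolicy -Policy $policy

# Verify the recorded backups and the active scheduled policy.
wbadmin get versions -backupTarget:E:
Get-WBPolicy
```

Treat the backup target as sensitive: a System State backup contains Ntds.dit and therefore every password hash in the domain, so the disk or share needs the same access restrictions as a domain controller.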

Options for AD DS Restore
When a domain controller or its directory is corrupted, damaged, or failed, you can restore the system by using several options.

The first option is called typical restore or nonauthoritative restore. In a normal restore operation, you restore a backup of Active Directory as of a known good date. Effectively, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. The domain controller “catches up” with the rest of the domain by using standard replication mechanisms. Normal restore is useful when the directory on a domain controller was damaged or corrupted, but the problem has not spread to other domain controllers. This is not a method that works if you are trying to restore a deleted object and the deletion has replicated to the other domain controllers.

If the typical restore does not work, you can perform an authoritative restore. In an authoritative restore, you restore the known good version of Active Directory just as you do in a typical restore. However, before restarting the domain controller, you mark the objects that you want to recover (the deleted objects) as authoritative so that they replicate from the restored domain controller to its replication partners. Behind the scenes, when you mark objects as authoritative, Windows increments the version number of all object attributes to be so high that the version is guaranteed to be higher than the version number of the deleted object on all other domain controllers. When you restart the restored domain controller, it replicates from its replication partners all changes that are made to the directory. It also notifies its partners that it has changes, and the version numbers of the changes ensure that partners take the changes and replicate them throughout the directory service.

The third option for restoring the directory service is to restore the whole domain controller. You do this by booting to the Windows Recovery Environment and restoring a full server backup of the domain controller. By default, this is a typical restore. If you must also mark objects as authoritative, you must restart the server in the Directory Services Restore Mode and set those objects as authoritative before starting the domain controller into typical operation.

Finally, you can restore a backup of the SystemState to an alternative location. This enables you to examine files and, potentially, to mount the NTDS.dit file as described in the previous lesson. You should not copy the files from an alternative restore location over the production versions of those files. Do not do a piecemeal restore of Active Directory. This option is also used if you want to use the Install From Media option for creating a new domain controller.
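The nonauthoritative and authoritative restore sequence described above, as an added example using Wbadmin.exe and Ntdsutil.exe (not course code). It assumes backups on E:, a backup version identifier that is a constructed placeholder (take the real one from wbadmin get versions), and a deleted OU named OU=Sales,DC=adatum,DC=com.

```powershell
# Added example (not course code): nonauthoritative and authoritative restore of
# AD DS on a domain controller. Assumptions: backups on E:, placeholder backup
# version 01/15/2013-23:00, deleted OU 'OU=Sales,DC=adatum,DC=com'.

# Configure the domain controller to boot into Directory Services Restore Mode,
# then restart and log on with the DSRM administrator account.
bcdedit /set safeboot dsrepair
Restart-Computer

# --- the following runs in DSRM ---

# List the available backups, then restore System State. This is a typical
# (nonauthoritative) restore: after the reboot the DC pulls all later changes
# from its replication partners.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/15/2013-23:00 -backupTarget:E: -quiet

# Authoritative restore: before rebooting, mark the deleted subtree so that its
# attribute version numbers exceed every replica's copy and the restored
# objects replicate outward instead of being deleted again.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=adatum,DC=com" quit quit

# Return the DC to normal boot and restart; replication completes the recovery.
bcdedit /deletevalue safeboot
Restart-Computer
```

Skip the ntdsutil step when the goal is only to repair a damaged local copy of the directory; marking objects authoritative when nothing was deleted forces unnecessary replication of the whole subtree.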

How does the Active Directory Recycle Bin Work?
The Active Directory Recycle Bin was introduced in Windows 2008 R2. You could only access this feature by using Windows PowerShell cmdlets and the Ldp.exe LDAP utility.

In Windows Server 2012 you can now access the Active Directory Recycle Bin from the Active Directory Administrative Center. This simplifies the recovery of Active Directory objects that were erroneously deleted. It lets administrators enable the Recycle Bin and locate or restore deleted objects in the domain. It is no longer required to use Windows PowerShell or Ldp.exe to enable the recycle bin or restore objects in domain partitions.

Active Directory Recycle Bin Characteristics
The Active Directory Recycle Bin has the following characteristics:

• It must be manually enabled. As soon as it is enabled, you cannot disable it.

• The Active Directory Recycle Bin cannot restore sub-trees of objects in a single action. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does not restore the child objects. That must be done in a subsequent operation.

• Active Directory Recycle Bin requires at least Windows Server 2008 R2 Forest Functional Level.

• You must be a member of the Enterprise Admin group to use the Active Directory Recycle Bin.

• The recycle bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. Disk space that is used by the recycle bin continues to increase over time as it preserves objects and all attribute data.

• Objects are preserved in the recycle bin for an amount of time to match the tombstone lifetime of the forest. This is 180 days by default.

• After the Active Directory Recycle Bin is enabled, deleted restorable objects can be viewed in the Deleted Objects folder.

Enabling the Active Directory Recycle Bin
To enable the Active Directory Recycle Bin:

1. From the Server Manager Tools menu access the Active Directory Administrative Center.

2. In the navigation pane select the domain that you want to manage.

3. In the Tasks (right side) pane click Enable Recycle Bin.

4. Acknowledge the warning dialog boxes to complete the action.

Restoring Active Directory Objects


Because many objects are intentionally deleted in typical Active Directory operations, the Active Directory
Administrative Center has advanced filtering criteria, making targeted restoration easier in large
environments that have many deleted objects. The restore operation supports all the standard filter
criteria options as any other search. Multiple search criteria can be combined. Common search criteria
include:

• Object is user/inetorgperson/computer/group/organization unit

• Name

• When deleted

• Employee ID

• First name
• Last name

• Job title

• City

As soon as you locate the object to be restored, right-click the object, and then click Restore.

• To restore the object to its original location, in the Tasks pane, click Restore.

• To restore an object to a different location, click Restore To….


You can restore multiple objects as long as they are all restored to the same location.
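The enable, search and restore steps above can also be driven from Windows PowerShell. The script below is an added example, not code from the course manual; it assumes the ActiveDirectory module, Enterprise Admins rights, and the constructed lab names (forest adatum.com and that domain's Deleted Objects container). It goes one step beyond the text by restoring a deleted OU and then its children, which a single Restore action leaves in the recycle bin.

```powershell
# Added example (not from the course manual). Assumptions: ActiveDirectory module,
# Enterprise Admins rights, constructed forest name adatum.com.
Import-Module ActiveDirectory

$DeletedObjectsDN = 'CN=Deleted Objects,DC=adatum,DC=com'   # constructed for the lab domain

function Enable-AdatumRecycleBin {
    param([string]$ForestName = 'adatum.com')
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) { return 'already enabled' }
    # One-way switch: there is no Disable counterpart once this succeeds.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $ForestName -Confirm:$false
    return 'enabled'
}

function Find-DeletedObjects {
    # Same criteria the Administrative Center offers: object class, name and deletion time.
    param([string]$ObjectClass = '*',
          [string]$NamePattern = '*',
          [datetime]$DeletedSince = (Get-Date).AddDays(-180))
    # LDAP generalized time, e.g. 20120501120000.0Z
    $since = $DeletedSince.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    # Deleted objects are direct children of the container; OneLevel also skips the
    # container itself, which carries isDeleted=TRUE.
    Get-ADObject -SearchBase $DeletedObjectsDN -SearchScope OneLevel -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=$ObjectClass)(name=$NamePattern)(whenChanged>=$since))" `
        -Properties lastKnownParent, whenChanged, objectClass
}

function Restore-DeletedSubtree {
    param([Parameter(Mandatory)][guid]$ObjectGuid,
          [string]$TargetParentDN)   # override when the original parent is itself gone
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties isDeleted, lastKnownParent, objectClass
    if (-not $obj.isDeleted) { throw "$($obj.DistinguishedName) is not a deleted object" }
    if (-not $TargetParentDN) { $TargetParentDN = $obj.lastKnownParent }

    # A deleted name is mangled to '<name>\0ADEL:<guid>'; the part before the line feed is original.
    $originalName = ($obj.Name -split "`n")[0]
    $rdnType      = ($obj.DistinguishedName -split '=', 2)[0]
    $originalDN   = "$rdnType=$originalName,$TargetParentDN"

    # Parent first: it comes back under TargetPath with its original name.
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetParentDN
    $restored = @($originalDN)

    # Children are not restored with the parent. Their lastKnownParent holds either the
    # parent's original DN or its mangled deleted DN (assumption: both forms occur), so match both.
    $children = Get-ADObject -SearchBase $DeletedObjectsDN -SearchScope OneLevel -IncludeDeletedObjects `
        -LDAPFilter '(isDeleted=TRUE)' -Properties lastKnownParent, objectClass |
        Where-Object { $_.lastKnownParent -eq $originalDN -or $_.lastKnownParent -eq $obj.DistinguishedName }
    foreach ($child in $children) {
        if ($child.objectClass -in 'organizationalUnit', 'container') {
            # Nested OU: recurse so that its own children come back too.
            $restored += Restore-DeletedSubtree -ObjectGuid $child.ObjectGUID -TargetParentDN $originalDN
        } else {
            Restore-ADObject -Identity $child.ObjectGUID -TargetPath $originalDN
            $childRdn = ($child.DistinguishedName -split '=', 2)[0]
            $restored += "$childRdn=$(($child.Name -split "`n")[0]),$originalDN"
        }
    }
    return $restored   # DNs in the order they were restored
}

# Lab run (constructed): enable the feature, find a deleted OU, bring it back with its contents.
# Enable-AdatumRecycleBin
# $ou = Find-DeletedObjects -ObjectClass organizationalUnit -NamePattern 'Research*'
# Restore-DeletedSubtree -ObjectGuid $ou.ObjectGUID
```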

Demonstration: Restoring AD DS Objects Using the Active Directory Recycle Bin
In this demonstration you will see how to:
• Enable the Active Directory Recycle Bin

• Use the recycle bin to restore a deleted object

Demonstration Steps
1. Enable the Active Directory Recycle Bin.

2. Delete a current user.

3. Restore the user.



What are AD DS Snapshots?
A snapshot captures the exact state of the directory service at the time of the snapshot. Unlike a backup,
you cannot use a snapshot to restore data. However, you can use tools to explore the contents of the
snapshot to examine the state of the directory service at the time the snapshot was made.

Creating a Snapshot
You use NTDSUtil to create and mount snapshots for viewing. To create a snapshot:

1. Open an elevated command prompt.

2. Type ntdsutil, and then press Enter.

3. Type activate instance ntds, and then press Enter.

4. Type snapshot, and then press Enter.

5. Type create, and then press Enter.

6. The command returns a message indicating that the snapshot set was generated successfully.
The GUID that is displayed is important for commands in later tasks. Note the GUID or, alternatively,
copy it to the Clipboard.

7. Type quit, and then press Enter.

Using the Database Mounting Tool to Mount a Snapshot
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for the
organization. It enables you to compare data as it exists in snapshots or backups that are taken at
different times so that you can better decide which data to restore after data loss. This eliminates the need
to restore multiple backups to compare Active Directory data.

To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. This is also
accomplished with NTDSUtil. To mount a snapshot:

1. Open an elevated command prompt.

2. Type ntdsutil, and then press Enter.

3. Type activate instance ntds, and then press Enter.

4. Type snapshot, and then press Enter.

5. Type list all, and then press Enter. The command returns a list of all snapshots.

6. Type mount {GUID}, where GUID is the GUID returned by the create snapshot command, and then
press Enter.

7. Type quit, and then press Enter.

8. Type quit, and then press Enter.

9. Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000,
and then press Enter (you can use any available port number).

10. Do not close the Command Prompt window; leave the command that you just ran, Dsamain.exe,
running while you continue to the next step.

Viewing the Snapshot
After you have mounted the snapshot, you can use tools to connect to and explore the snapshot,
including Active Directory Users and Computers.

To connect to a snapshot with Active Directory Users and Computers:

1. Open Active Directory Users and Computers.

2. Right-click the root node, and then click Change Domain Controller.

3. Click <Type a Directory Server name[:port] here> and enter the name of the domain controller
and the port number that was used in the previous step. For example, LON-DC1:50000, and then
press Enter.

4. Click OK.

To unmount the snapshot:

1. Switch to the command prompt in which the snapshot is mounted.

2. Press Ctrl+C to stop DSAMain.exe.

3. Type ntdsutil, and then press Enter.

4. Type activate instance ntds, and then press Enter.

5. Type snapshot, and then press Enter.

6. Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.

7. Type quit, and then press Enter.

8. Type quit, and then press Enter.
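The create, mount, dsamain and unmount steps above can be scripted so that the GUID never has to be copied by hand. This is an added example, not code from the course manual; it assumes an elevated session on the domain controller, a database on the system volume, and the ntdsutil message formats that the regular expressions match (typical output, not something the tool guarantees).

```powershell
# Added example (not from the course manual). Assumptions: elevated session on the DC,
# database on the system volume, ntdsutil message wording as matched below.

function New-AdSnapshot {
    # ntdsutil accepts its menu commands as arguments, so no interactive session is needed.
    $out  = & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'quit' 'quit' 2>&1
    $text = $out -join "`n"
    # Expected line (assumption): "Snapshot set {GUID} generated successfully."
    $m = [regex]::Match($text, 'Snapshot set (\{[0-9A-Fa-f-]+\}) generated successfully')
    if (-not $m.Success) { throw "No snapshot GUID in ntdsutil output:`n$text" }
    return $m.Groups[1].Value
}

function Mount-AdSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotGuid)
    $out  = & ntdsutil.exe 'activate instance ntds' 'snapshot' "mount $SnapshotGuid" 'quit' 'quit' 2>&1
    $text = $out -join "`n"
    # Expected line (assumption): "Snapshot {GUID} mounted as C:\$SNAP_201205011200_VOLUMEC$\"
    $m = [regex]::Match($text, 'mounted as (\S+)')
    if (-not $m.Success) { throw "Mount failed:`n$text" }
    return $m.Groups[1].Value.TrimEnd('\')
}

function Start-SnapshotLdap {
    param([Parameter(Mandatory)][string]$MountPoint, [int]$LdapPort = 50000)
    # The mounted volume mirrors the live layout, so the .dit sits under Windows\NTDS.
    $dit = Join-Path $MountPoint 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dit)) { throw "ntds.dit not found at $dit" }
    # Refuse a port that something else already listens on.
    if (Get-NetTCPConnection -LocalPort $LdapPort -State Listen -ErrorAction SilentlyContinue) {
        throw "TCP port $LdapPort is already in use; choose another port"
    }
    # The mounted file holds the whole directory as of the snapshot; treat the mount point
    # with the same care as the live NTDS folder while it exists.
    # dsamain runs until stopped, so keep the process handle for a clean shutdown.
    return Start-Process -FilePath 'dsamain.exe' `
        -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru
}

function Dismount-AdSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotGuid,
          [System.Diagnostics.Process]$Dsamain)
    if ($Dsamain -and -not $Dsamain.HasExited) {
        # Same effect as Ctrl+C in the manual steps; unmount fails while dsamain holds the file.
        Stop-Process -Id $Dsamain.Id -Force
        $Dsamain.WaitForExit()
    }
    $out = & ntdsutil.exe 'activate instance ntds' 'snapshot' "unmount $SnapshotGuid" 'quit' 'quit' 2>&1
    return (($out -join ' ') -match 'unmounted')   # assumption about the success wording
}

# Lab run (constructed): connect ADUC to LON-DC1:50000 between the third and fourth lines.
# $guid  = New-AdSnapshot
# $mount = Mount-AdSnapshot -SnapshotGuid $guid
# $proc  = Start-SnapshotLdap -MountPoint $mount
# Dismount-AdSnapshot -SnapshotGuid $guid -Dsamain $proc
```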

AD DS Database Maintenance
The Active Directory database is stored as a file named NTDS.dit. When you install and configure
AD DS, you can specify the location of the file. The default location is %systemroot%\NTDS. In
the NTDS folder, there are other files that support the Active Directory database. They are:

• EDB.log file. The Edb.log file is the transaction log for Active Directory. When you must make a
change to the directory, it is first written to the log file. The change is committed to the directory as
a transaction. If the transaction fails, it can be rolled back.

• EDB.chk. The EDB.chk file functions like a bookmark into the log files, marking the location before
which transactions are successfully committed to the database, and after which transactions remain to
be committed.

• Edbres00001.jrs and Edbres00002.jrs. These two files are empty files of 10MB each. If the disk the
database resides on should run out of space, these files provide the domain controller with the space
to write pending transactions before safely shutting down AD DS services and dismounting the database.

The Active Directory database is self-maintaining. Every 12 hours, by default, each domain controller
runs a process that is known as garbage collection. Garbage collection does two things. First, it removes
deleted objects that have outlived their tombstone lifetime, which is 180 days by default. Second, the
garbage collection process performs online defragmentation. Online defragmentation reorganizes the
rows of the database so that the blank rows are contiguous, very much like disk defragmentation
reorganizes sectors of a disk so that free space is contiguous. However, this process does not reduce the
file size of the database. It optimizes the internal order of the database. In most organizations, this will be
sufficient.

To reduce the physical size of the NTDS.dit, perform offline defragmentation. To perform an offline
defragmentation you must stop the AD DS. Then use the NTDSUtil to compact the database to a different
location. Then replace the original NTDS.dit with the compacted version.

Note: Do not delete the original NTDS.dit; you only have to rename it.
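The offline defragmentation just described, as an added example rather than code from the course manual. It assumes an elevated session on the domain controller, the default %systemroot%\NTDS location and a constructed work folder C:\ntds-compact, and it adds the checks a practitioner wants before swapping the file: enough free space, an ESE integrity check of the compacted copy, and the original kept under a new name as the note requires.

```powershell
# Added example (not from the course manual). Assumptions: elevated session on the DC,
# default NTDS location, constructed work folder C:\ntds-compact.

function Invoke-NtdsOfflineCompact {
    param([string]$WorkDir = 'C:\ntds-compact')
    $ntdsDir = Join-Path $env:SystemRoot 'NTDS'
    $dit     = Join-Path $ntdsDir 'ntds.dit'
    if (-not (Test-Path $dit)) { throw "Database not found at $dit" }
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

    # ntdsutil writes a full copy of the database to the target location.
    $size = (Get-Item $dit).Length
    $free = (Get-PSDrive -Name ($WorkDir.Substring(0, 1))).Free
    if ($free -lt $size) { throw "Need $size bytes free for $WorkDir, have $free" }

    # Restartable AD DS (Windows Server 2008 and later): no reboot into DSRM is needed.
    # -Force also stops services that depend on NTDS (for example KDC and DNS on this DC).
    Stop-Service -Name NTDS -Force
    try {
        $out = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $WorkDir" 'quit' 'quit' 2>&1
        $compacted = Join-Path $WorkDir 'ntds.dit'
        if (-not (Test-Path $compacted)) { throw "Compaction failed:`n$($out -join "`n")" }

        # Check the new file with the ESE tool before it replaces the original.
        & esentutl.exe /g $compacted | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Integrity check of $compacted failed (exit $LASTEXITCODE)" }

        # Rename, never delete, the original. The old transaction logs belong to the old
        # database; ntdsutil's own instructions say to remove them, so move them aside too.
        $stamp = Get-Date -Format 'yyyyMMddHHmmss'
        Rename-Item -Path $dit -NewName "ntds.dit.$stamp.bak"
        Get-ChildItem -Path $ntdsDir -Filter '*.log' | Move-Item -Destination $WorkDir
        Copy-Item -Path $compacted -Destination $dit
    }
    finally {
        # Bring AD DS back whether or not the swap happened.
        Start-Service -Name NTDS
    }
    return [pscustomobject]@{
        OriginalBytes  = $size
        CompactedBytes = (Get-Item $dit).Length
        Backup         = Join-Path $ntdsDir "ntds.dit.$stamp.bak"
    }
}

# Invoke-NtdsOfflineCompact | Format-List
```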

Lab: Implementing AD DS
Scenario
A. Datum is an engineering and manufacturing company. The organization is based in London, England,
but is quickly expanding the London location as well as internationally. As the company has expanded,
some business requirements are changing as well. To address some business requirements, A. Datum has
decided to deploy Windows Server 2012.

As the company expands, they must also expand their Active Directory infrastructure. You are assigned to
implement new domain controllers and also to consider implementation of RODCs, where appropriate.
Also, there are reports that Group Policies are not being applied on some computers, so you must
troubleshoot. The company also wants to centralize management of all accounts that are being used for
services, and to stop usage of local accounts for that purpose. Also, you must evaluate available
techniques for AD DS maintenance.

Objectives
• Deploy an RODC

• Implement Group Policy

• Configure and validate service accounts

• Maintain AD DS

Lab Setup
Estimated time: 60 minutes

Virtual machines: 20417A-LON-DC1, 20417A-LON-SVR3, 20417A-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20417A-LON-SVR3, and 20417A-LON-CL1. Do not log on to LON-SVR3 or
LON-CL1 until instructed to do so.

Exercise 1: Deploying a Read-Only Domain Controller


Scenario
As company business expands, you must add domain controllers to new locations. Some locations do not
have required physical security for server rooms so you decide to implement read-only domain controllers
for these locations. Those servers are already in place at the branch location performing local file and print
duties. You plan to install the RODC role remotely by using Server Manager from head office. You also
plan to configure the RODC to cache passwords locally for members of the Managers group and assign
administrative access to the server to the IT group.

The main tasks for this exercise are as follows:

1. Add LON-SVR3 as a Server to Manage.


2. Create a New Server Group.

3. Install the RODC Role Remotely.

4. Configure the Password Replication Policy and Administrative Access.

Task 1: Add LON-SVR3 as a Server to Manage

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Use the Server Manager Dashboard to add LON-SVR3 as a server to manage.

Task 2: Create a New Server Group

1. Use the Server Manager Dashboard to create a server group named DCs.
2. Add both LON-SVR3 and LON-DC1 to the group.

Task 3: Install the RODC Role Remotely

1. Use the Server Manager Dashboard to Add the Active Directory Domain Services role to
LON-SVR3.

2. Open the notifications and complete the Post-deployment Configuration to promote LON-SVR3 to
be a Read only domain controller (RODC) in the existing domain.

3. Set the Directory Services Restore Mode (DSRM) password to be Pa$$w0rd.

4. Accept the defaults for all other settings.

Task 4: Configure the Password Replication Policy and Administrative Access

1. Use Active Directory Users and Computers to configure the password caching options of LON-SVR3
in such a way that passwords are cached on the RODC for members of the Managers group.

2. Configure the IT group to have administrative access to LON-SVR3.

Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a
server group, deployed an RODC remotely, and configured the password replication policy and
administrative assignments for the RODC.
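Task 4 expressed in Windows PowerShell, followed by the check that matters once an RODC is in a room without physical security: which accounts it actually caches. This is an added example, not code from the course manual; it assumes the ActiveDirectory module, the lab names LON-SVR3, Managers and IT, and that the RODC promotion has completed.

```powershell
# Added example (not from the course manual). Assumptions: ActiveDirectory module,
# lab names LON-SVR3, Managers and IT, RODC promotion already finished.
Import-Module ActiveDirectory

function Set-RodcPasswordPolicy {
    param([string]$Rodc = 'LON-SVR3', [string]$AllowGroup = 'Managers', [string]$AdminGroup = 'IT')
    # Allowed list: after a member authenticates through the RODC, its secrets may be stored
    # there. Keep it to accounts that work at the site: a stolen RODC yields exactly these.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup

    # "Managed By" on the RODC computer object delegates local administration of the RODC
    # without granting any domain-wide rights.
    Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup -Identity $AdminGroup)

    # The built-in deny list (Denied RODC Password Replication Group, which holds Domain Admins
    # and other high-privilege groups) wins over the allow list. Report allowed users that will
    # therefore never be cached, so the branch knows which logons still depend on the WAN.
    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $deniedSids = foreach ($d in $denied) {
        if ($d.objectClass -eq 'group') { (Get-ADGroupMember -Identity $d -Recursive).SID } else { $d.SID }
    }
    $allowedUsers = Get-ADGroupMember -Identity $AllowGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    $notCached = $allowedUsers | Where-Object { $deniedSids -contains $_.SID }

    return [pscustomobject]@{
        Rodc             = $Rodc
        Allowed          = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        AdminGroup       = $AdminGroup
        AllowedButDenied = @($notCached.SamAccountName)
    }
}

function Get-RodcRevealedAccounts {
    param([string]$Rodc = 'LON-SVR3')
    # Accounts whose secrets are present on the RODC right now. Review it after policy
    # changes, and use it to decide which passwords to reset if the RODC is ever lost.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object SamAccountName, DistinguishedName
}

# Set-RodcPasswordPolicy | Format-List
# Get-RodcRevealedAccounts
```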

Exercise 2: Troubleshooting Group Policy


Scenario
Support technicians report that some Group Policy settings are not being applied as they should.
Company Policy requires that:

• All domain users should not have access to change their desktop background.

• All domain users except the IT group should be unable to access Registry Editor.

Currently, there are some problems in the way the GPOs that deliver those settings are being applied.
You have to investigate, troubleshoot and resolve this problem.

The main tasks for this exercise are as follows:

1. Troubleshoot Group Policy Issues.

2. Correct Issues with Group Policy Application.

3. Verify Policies Are Being Applied.

Task 1: Troubleshoot Group Policy Issues

Determine the issue by logging on to LON-CL1 as an IT group user and a Manager group user. Check
whether the policies are being applied correctly.

1. Log on as Brad with the password of Pa$$w0rd. Attempt to change the desktop background and
attempt to start the Registry Editor.

2. Use GPResult to determine the RSOP and then log off of LON-CL1.

3. Log on as Bill with the password of Pa$$w0rd. Attempt to change the desktop background and
attempt to start the Registry Editor.
4. Use GPResult to determine the RSOP.

5. Analyze the RSOP results to determine the problem.

6. Log off of LON-CL1.

Task 2: Correct Issues with Group Policy Application

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Use the Group Policy Management console to investigate and correct the issues.

3. Check the current status of the Managers OU.

4. Remove the block inheritance setting from the Managers OU to resolve the issue.

5. Think of a way to ensure that the Prohibit Registry Tools GPO will not be applied to IT group users.

6. Use Security Filtering to deny access to the policy to the IT security group.

7. Close the Group Policy Management console.

Task 3: Verify Policies Are Being Applied

1. Log on to LON-CL1 as Bill with a password of Pa$$w0rd and run the GPResults utility.

2. Log off of LON-CL1.



3. Log on to LON-CL1 as Brad with a password of Pa$$w0rd and run the GPResult utility.

4. Log off of LON-CL1.

Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.

Exercise 3: Implementing Service Accounts in AD DS


Scenario
To this point, there was no consistent policy about accounts that were used for services. On some servers,
local accounts were used, while others were using domain accounts. Also, password management for
these accounts was not consistent. Some of them were having non-expiring passwords, while others were
updated with new passwords manually. You decide to implement Managed Service Accounts to replace
all these techniques. You will create the account and assign the account to the Web service
DefaultAppPool.

The main tasks for this exercise are as follows:


1. Create and Associate a Managed Service Account.

2. Configure the Web Server Application Pool to Use the Group Managed Service Account.

Task 1: Create and Associate a Managed Service Account

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. Create the KDS root key using the New-KdsRootKey cmdlet. Make the effective time minus 10 hours
so the key will be effective immediately.

3. Create the new service account named Webservice for the host LON-DC1.
4. Associate the Webservice managed account with Lon-DC1.

5. Verify the group managed service account was created by using the Get-ADServiceAccount cmdlet.

6. Install the Webservice service account.

Task 2: Configure the Web Server Application Pool to Use the Group Managed Service Account
1. On LON-DC1, configure the DefaultAppPool to use the Webservice$ account as the identity.

2. Stop and start the application pool.

Results: After completing this exercise, you will have created and associated a managed service account,
installed a managed service account on a web server, and verified the password change for a managed
service account.
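The two tasks of this exercise as a Windows PowerShell script, an added example that is not code from the course manual. It assumes the ActiveDirectory and WebAdministration modules on LON-DC1, the lab names (Webservice, adatum.com, DefaultAppPool), and uses Add-KdsRootKey, the cmdlet name under which the KDS root key cmdlet shipped with Windows Server 2012.

```powershell
# Added example (not from the course manual). Assumptions: ActiveDirectory and
# WebAdministration modules, lab names LON-DC1 / Webservice / adatum.com / DefaultAppPool.
Import-Module ActiveDirectory

function Initialize-KdsRootKey {
    # A KDS root key normally becomes usable 10 hours after creation so that every DC
    # has replicated it. Backdating skips that wait and is acceptable only in a lab
    # where a single DC exists.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
    }
    return (Get-KdsRootKey).Count -gt 0
}

function New-WebServiceGmsa {
    param([string]$Name = 'Webservice', [string]$HostName = 'LON-DC1', [string]$DnsDomain = 'adatum.com')
    $hostComputer = Get-ADComputer -Identity $HostName
    # Only the listed computer accounts may retrieve the managed password from a DC;
    # this is what ties the gMSA to the host. The SPN is set once here, so no one has
    # to manage it by hand later.
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$DnsDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostComputer `
        -ServicePrincipalNames "HTTP/$Name.$DnsDomain"
    # Lab step 4: the explicit association of account and host.
    Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $Name
    # Lab step 5: verify the account exists and who may fetch its password.
    return Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
}

function Install-WebServiceGmsa {
    param([string]$Name = 'Webservice')
    # Run on the host itself (lab step 6). Test-ADServiceAccount returns $true only when
    # this computer can actually retrieve the managed password.
    Install-ADServiceAccount -Identity $Name
    return Test-ADServiceAccount -Identity $Name
}

function Set-AppPoolGmsaIdentity {
    param([string]$AppPool = 'DefaultAppPool', [string]$Account = 'ADATUM\Webservice$')
    Import-Module WebAdministration
    # identityType 3 = SpecificUser. The password stays empty: the host fetches the
    # current managed password itself, which is the point of using a gMSA.
    Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel `
        -Value @{ userName = $Account; password = ''; identityType = 3 }
    # Task 2 step 2: stop and start the pool so worker processes pick up the identity.
    Restart-WebAppPool -Name $AppPool
    return (Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel).userName
}

# Initialize-KdsRootKey
# New-WebServiceGmsa
# Install-WebServiceGmsa          # expect True
# Set-AppPoolGmsaIdentity         # expect ADATUM\Webservice$
```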

Exercise 4: Maintaining AD DS
Scenario
As part of the maintenance plan, you are assigned the task of evaluating options for quickly restoring
accidentally deleted objects. You decide to enable and test Active Directory snapshots and the AD DS
Recycle Bin.

The main tasks for this exercise are as follows:


1. Create and View Active Directory Snapshots.
2. Enable the Active Directory Recycle Bin.
3. Delete a test user.
4. Restore the Deleted User.
5. To Prepare for the Next Module.

Task 1: Create and View Active Directory Snapshots

1. Switch to LON-DC1.

2. Start a command prompt using elevated credentials.


3. Run the following commands:

o Ntdsutil

o Snapshot
o Activate instance ntds

o Create

4. Mount the snapshot as a new instance of AD DS by running the Mount {GUID} command.
5. Close ntdsutil.

6. Use the dsamain command to expose the snapshot to LDAP port 50000.

7. Use Active Directory Users and Computers to delete Allie Bellew from the Research OU.

8. Use Active Directory Users and Computers to connect LON-DC1 to the snapshot instance at port
50000.

Task 2: Enable the Active Directory Recycle Bin

• Use the Active Directory Administration Center to enable the Recycle Bin.

Task 3: Delete a test user

• Delete Aidan Delaney from the Managers OU.

Task 4: Restore the Deleted User

• Restore the deleted user from the Deleted Object folder.

To prepare for the next module

• When you have finished the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.

Module Review and Takeaways


Best Practices
• When cloning VDCs, delete snapshots before copying or exporting VDCs.

• When cloning VDCs, we recommend copying disks manually if there is only one drive. We
recommend Export for VMs with more than one drive or other complex customizations such as
multiple NICs.

• At least one global catalog should exist in every site.

• AD DS should be at the minimum Windows Server 2008 R2 level to provide fully automatic password
and SPN management for managed service accounts.

• GPOs should be backed up after any changes are made.


• Do not use volumes that contain backups of GPOs or AD DS data for other uses.

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
Domain controller promotion fails |
Group Policy is not being applied correctly |
You have to restore a version of AD DS and do not know which backup to restore from |

Review Question
You have a mixture of client computers running Windows XP and Windows 8. After you configure several
settings in the Administrative Templates and Preferences of a GPO, Windows XP users report that some
settings are being applied while others are not.

Real-world Issues and Scenarios


You have a large company with multiple branch offices. Some branch offices have fast, redundant
connections while others have slow, unreliable connections.

When you have branch offices across WAN links, what solutions are available to facilitate client logons in
the branch offices?
What if security is a concern?

What can you do to help prevent network interruptions from preventing users from logging on?

Tools

Tool | Use | Location
Server Manager | A central location for all aspects of server management | Open by default on logon, or can be accessed from the task bar
Active Directory Users and Computers; Active Directory Sites and Services; Active Directory Domains and Trusts | Control all aspects of Active Directory management | Can be accessed from the Tools drop-down menu in Server Manager
GPMC | Control all aspects of Group Policy management | Can be accessed from the Tools drop-down menu in Server Manager
Active Directory Best Practices Analyzer | Can detect best practices violations and provide help implementing best practices | Server Manager Dashboard
Active Directory Recycle Bin | Restore objects that were deleted in error from AD DS | Can be accessed from the Active Directory Administrative Center

Module 12
Implementing Active Directory Federation Services
Contents:
Module Overview 12-1

Lesson 1: Overview of Active Directory Federation Services 12-2

Lesson 2: Deploying Active Directory Federation Services 12-11

Lesson 3: Implementing AD FS for a Single Organization 12-17

Lesson 4: Deploying AD FS in a Business to Business Federation Scenario 12-23

Lab: Implementing AD FS 12-28

Module Review and Takeaways 12-36

Module Overview
Active Directory® Federation Services (AD FS) in Windows Server® 2012 provides flexibility for
organizations that want to enable their users to log on to applications that may be located on a local
network, at a partner company, or in an online service. AD FS enables an organization to manage its own
user accounts, and users only have to remember one set of credentials. However, those credentials can be
used to provide access to a variety of applications, located in a variety of locations.

This module provides an overview of AD FS, and details how to configure AD FS in both a single
organization scenario and in a partner organization scenario.

Objectives
• Describe the identity-federation business scenarios, and how you can use AD FS to address
the scenarios.

• Configure the AD FS prerequisites, and deploy the AD FS services.

• Implement AD FS to enable SSO in a single organization.

• Implement AD FS to enable SSO between federated partners.



Lesson 1
Overview of Active Directory Federation Services
AD FS is the Microsoft® implementation of an identity federation framework that enables organizations to
establish federation trusts and share resources across organizational boundaries. AD FS is compliant with
common web-services standards to enable interoperability with other identity federation
implementations.

AD FS is designed to address a variety of business scenarios, where the typical authentication mechanisms
used in a single organization do not work. This lesson provides an overview of the concepts and standards
that are implemented in AD FS, and also provides an overview of the business scenarios that you can
address with AD FS.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe identity federation.

• Describe claims-based authentication.

• Describe web services.

• Describe AD FS.

• Explain how AD FS enables SSO within a single organization.

• Explain how AD FS enables SSO between business partners.

• Explain how AD FS enables SSO between on-premises and cloud-based services.

What Is Identity Federation?
Identity federation enables the distribution of identification, authentication, and authorization across
organizational and platform boundaries. You can implement identity federation within a single
organization to enable access to diverse web applications, or between two organizations that have a
relationship of trust between them.

To establish an identity federation partnership, both partners agree to create a federated trust
relationship. This federated trust is based on an ongoing business relationship, and enables the
organizations to implement business processes identified in the business relationship.

Note: A federated trust is not the same as a forest trust that organizations can configure
between forests in Active Directory® Domain Services (AD DS). In a federated trust, the AD FS
servers in two organizations never have to communicate directly with each other.
As a part of the federated trust, each partner defines what resources are accessible to the other
organization, and how to enable access to the resources. For example, to update a sales forecast, a sales
representative may need to collect information from a supplier's database that is hosted on the supplier's
network. The domain administrator for the sales representative is responsible for ensuring that the
appropriate sales representatives are members of the group that requires access to the supplier's
database. The administrator of the organization in which the database is located is responsible for
ensuring that the partner's employees only have access to the data that they require.

In an identity federation solution, user identities and their associated credentials are stored, owned, and
managed by the organization in which the user is located. As part of the identity federation trust, each
organization also defines how the user identities are shared securely to restrict access to resources. Each
partner must define the services that it makes available to trusted partners and customers, and also define
which other organizations and users it trusts, what types of credentials and requests it accepts, and its
privacy policies, to ensure that private information is not accessible across the trust.

What is Claims-Based Identity?
Claims-based authentication addresses issues with extending typical authentication and authorization
mechanisms outside the boundaries associated with that mechanism. For example, in most organizations,
users are authenticated by an AD DS domain controller when they log on to the network. If the user
provides the right credentials to the domain controller, the user is granted a security token. Applications
that are running on servers in the same AD DS environment trust the security tokens that the AD DS
domain controllers provide. This is because the servers can communicate with the same domain
controllers where the users authenticated.

The problem with this authentication is that it does not extend easily outside the boundaries of the AD DS
forest. Although it is possible to implement Kerberos or NTLM-based trusts between two AD DS forests,
servers on both sides of the trust must communicate with domain controllers in the other forest to make
authentication and authorization decisions. The problem becomes even more complicated when users
have to access resources hosted in cloud-based systems, such as Microsoft Azure™ or Microsoft Office
365.

Claims-based authentication provides a mechanism for separating user authentication and authorization
from individual applications. With claims-based authentication, users can authenticate to a directory
service in their organization, and be granted a claim based on that authentication. The claim then can
be presented to an application that is running in a different organization. The application is designed to
enable user access to the information or features based on the claims presented.

The claim used in claims-based authentication is just a statement about a user that is defined in one
organization or technology and trusted in another organization or technology. The claim could include a
variety of information. For example, the claim could define the user's e-mail address, user principal name
(UPN), and information about all of the groups to which the user belongs. This information is collected
from the authentication mechanism when the user authenticates successfully.
The organization that manages the application defines what types of claims the application will accept.
For example, the application may require the user's email address to verify the user identity, and also use
the group membership presented inside the claim to determine what level of access the user should have
within the application.

Web Services Overview
For claims-based authentication to work, organizations have to agree on the format for exchanging
claims. Rather than have each business define this format, a set of specifications has been developed that
any organization can use if it wants to implement a federated identity solution. This set of specifications
is identified broadly as web services.

Web services are the set of specifications that an enterprise uses for building connected applications and
services, whose functionality and interfaces are exposed to potential users through web-technology
standards. These standards can include Extensible Markup Language (XML), Simple Object Access
Protocol (SOAP), Web Services Description Language (WSDL), and HTTP. The goal for creating web
applications by using web services is to simplify interoperability for applications across multiple
development platforms, technologies, and networks.

To enhance interoperability, a set of industry standards defines web services, which are based on the
following standards:

• Most web services use XML to transmit data through HTTP. XML enables developers to create their
own customized tags, enabling the definition, transmission, validation, and interpretation of data
between applications and organizations.

• Web services expose useful functionality to web users through a standard web protocol. In most
cases, the protocol used is SOAP. SOAP is the communications protocol for XML web services. SOAP
is a specification that defines the XML format for messages. Essentially, it describes what a valid XML
document looks like.

• Web services provide a way to describe their interfaces in enough detail to enable a user to build a
client application to communicate with the service. This description is usually provided in an XML
document called a WSDL document. In other words, a WSDL file is an XML document that describes
a set of SOAP messages and how the messages are exchanged.

• Web services are registered so that potential users can find them easily. This is done with Universal
Discovery Description and Integration (UDDI). A UDDI directory entry is an XML file that describes a
business and the services it offers.

WS-* Security Specifications
There are many components included in web-services specifications (also known as "WS-* specifications").
However, the most relevant specifications for an AD FS environment are the WS-Security specifications.
The specifications that are part of the Web Service Security specifications include the following:

• WS-Security. WS-Security describes enhancements to SOAP messaging to provide quality of
protection through message integrity, message confidentiality, and single message authentication.
WS-Security also provides a general-purpose, but extensible, mechanism for associating security
tokens with messages and how to encode binary security tokens—specifically X.509 certificates and
Kerberos tickets—in SOAP messages.

• WS-Trust. WS-Trust defines extensions that build on WS-Security to request and issue security tokens
and manage trust relationships.

• WS-Federation. WS-Federation defines mechanisms that WS-Security can use to enable identity,
attribute, authentication, and authorization federation across different trust realms.

• WS-Federation Passive Requestor Profile. This WS-Security extension describes how passive clients, such as web browsers, can be authenticated and authorized, and how the clients can submit claims in a federation scenario. Passive requestors of this profile are limited to the HTTP or HTTPS protocol.

• WS-Federation Active Requestor Profile. This WS-Security extension describes how active clients, such as SOAP-based mobile device applications, can be authenticated and authorized, and how the clients can submit claims in a federation scenario.

Security Assertion Markup Language

The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging claims between an identity provider and a service or application provider. SAML assumes that a user has been authenticated by an identity provider, and that the identity provider has populated the appropriate claim information in the security token. When the user is authenticated, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider can make authorization and personalization decisions within an application. The communication between federated servers is based around an XML document (the federation metadata) that stores the X.509 certificate used for token signing, and the SAML 1.1 token.

What Is AD FS?

AD FS is the Microsoft implementation of an identity-federation solution that can use claims-based authentication. AD FS provides the mechanisms to implement both the identity-provider and service-provider components in an identity-federation deployment.

AD FS provides the following features:

• Enterprise claims provider for claims-based applications: You can configure an AD FS server as a claims provider, which means that the server can issue claims about authenticated users. This enables an organization to provide its users with access to claims-aware applications in another organization by using SSO.

• Federation Service for identity federation across domains: This service offers federated web SSO across domains. This enhances security and reduces overhead for IT administrators.

Note: The Windows Server 2012 version of AD FS is built on AD FS version 2.0, which was the second generation of AD FS that Microsoft released. The first version, AD FS 1.0, required AD FS web agents to be installed on all web servers that were using AD FS, and provided both claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or SAML.

AD FS Features

The following are some of the key AD FS features:

• Web SSO. Many organizations have deployed AD DS. After authenticating to AD DS through authentication that integrates with Windows, users can access all other resources that they have permission to access within the AD DS forest boundaries. AD FS extends this capability to Internet-facing applications, enabling customers, partners, and suppliers to have a similar, streamlined user experience when they access an organization's web-based applications.
Implementing Active Directory Federation Services

• Web Services interoperability. AD FS is compatible with the web services specifications. AD FS employs the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

• Passive and smart client support. Because AD FS is based on the WS-* architecture, it supports federated communications between any WS-enabled endpoints, including communications between servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for SOAP-based smart clients, such as servers, mobile phones, personal digital assistants (PDAs), and desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and WS-Federation Active Requestor Profile standards for client support.

• Extensible architecture. AD FS provides an extensible architecture that supports various security token types, including SAML and Kerberos authentication, as well as the ability to perform custom claims transformations. For example, AD FS can convert from one token type to another or add custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.

• Enhanced security. AD FS also increases the security of federated solutions by delegating responsibility for account management to the organization closest to the user. Each individual organization in a federation continues to manage its own identities, and is capable of securely sharing and accepting identities and credentials from other members' sources.

Additional Reading: For information on the different identity federation products that can interoperate with AD FS, and for step-by-step guides on how to configure the products, see the AD FS 2.0 Step-by-Step and How To Guides, located at http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28v=ws.10%29.aspx.

How AD FS Enables SSO in a Single Organization

For many organizations, configuring access to applications and services may not require an AD FS deployment. If all users are members of the same AD DS forest, and if all applications are running on servers that are members of the same forest, you typically can use AD DS authentication to provide application access. However, there are several scenarios in which you can use AD FS, and enable SSO, to optimize the user experience, including:

• The applications may not be running on Windows servers or on any servers that support AD DS authentication. The applications may require SAML or web services for authentication and authorization.

• Large organizations frequently have multiple domains and forests that may be the results of mergers and acquisitions. Users in multiple forests might require access to the same applications.

• Users from outside the office might require access to applications that are running on internal servers. The external users may be logging on to the applications from computers that are not part of the internal domain.

Note: Implementing AD FS does not necessarily mean that users are not prompted
for authentication when they access applications. Depending on the scenario, users may be
prompted for their credentials. However, the key point is that users always authenticate by using
their internal credentials. They never have to remember alternate credentials for the application.

Organizations can use AD FS to enable SSO in these scenarios. Because all users and the application are
in the same organization, the organization only has to deploy a single federation server. This server
operates as the claims provider, authenticating user requests and issuing the claims. The same server
also is the relying party, the consumer of the claims, and provides authorization for application access.

Note: The slide and the following description use the terms Federation Server and
Federation Service Proxy to describe AD FS server roles. The Federation Server is responsible for
issuing claims, and in this scenario, also is responsible for consuming the claims. The Federation
Service Proxy is a proxy component that we recommend is used in a deployment where users
outside the network need to access the AD FS environment. The next lesson covers these
components in more detail.

The following steps describe the communication flow in this scenario:

1. The client computer, which is located outside the network, must access a web-based application on
the web server. The client computer sends an HTTPS request to the web server.
2. The web server receives the request, and identifies that the client computer does not present a security
token. The web server redirects the client computer to the Federation Service proxy.

3. The client computer sends an HTTPS request to the Federation Service proxy. Depending on the
scenario, the Federation Service proxy may prompt the user for authentication or use Windows
Integrated authentication to collect the user credentials.

4. The Federation Service proxy passes the request and the credentials to Federation Server.

5. The Federation Server uses AD DS to authenticate the user.

6. If authentication is successful, the federation server collects AD DS information about the user, which
is used to generate the user’s claims.

7. If the authentication is successful, the authentication information and other information is collected in
a security token and passed back to the client computer, through the Federation Service proxy.

8. The client presents the token to the web server. The web resource receives the request, validates the
signed tokens, and uses the claims in the user’s token to provide access to the application.

How AD FS Enables SSO in a Business-to-Business Federation

One of the most common scenarios for deploying AD FS is to provide SSO in a business-to-business (B2B) federation. In this scenario, the organization that requires access to another organization's application or service can manage their own user accounts, and define their own authentication mechanisms. The other organization can define what applications and services are exposed to users outside the organization and what claims it accepts to provide application access. To enable application or service sharing in this scenario, the organizations just have to establish a federation trust, and then define the rules for exchanging claims between the two organizations.

The slide above shows the flow of traffic in a federated B2B scenario using a claims-aware web application. In this scenario, users at Trey Research have to access a web-based application at A. Datum. The AD FS authentication process follows these steps:

1. A user at Trey Research, using a web browser, establishes an HTTPS connection to the web server at A. Datum.

2. The web application receives the request, and then verifies that the user does not have a valid token stored in a web browser cookie. Because the user is not authenticated, the web application redirects the client to the federation server at A. Datum, by using an HTTP 302 redirect message.

3. The client computer sends an HTTPS request to the A. Datum federation server. The federation server determines the user's home realm. In this case, the home realm is Trey Research.

4. The client computer is redirected again to the federation server in the user's home realm, Trey Research.

5. The client computer sends an HTTPS request to the Trey Research federation server.

6. If the client computer is logged on to the domain already, the federation server can take the user's Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows Integrated Authentication.

7. The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that the federation server can use to generate the user's claims.

8. The federation server creates the claims for the user based on the rules defined for the federation partner. The claims data is placed in a digitally signed security token, and then sent to the client computer. The client computer then posts it back to the A. Datum federation server.

9. The A. Datum federation server validates that the security token came from a trusted federation partner.

10. The A. Datum federation server creates and signs a new token, which it sends to the client computer. The client computer then sends the token back to the original URL requested.

11. The application on the web server receives the request, and validates the signed tokens. The web server issues the client a session cookie that indicates that it has authenticated successfully. The federation server issues a file-based persistent cookie (good for 30 days by default) to eliminate the home-realm discovery step during the cookie lifetime. The application then provides access, based on the claims that the user provides.

How AD FS Enables SSO with Online Services

As organizations move services and applications to cloud-based services, it is increasingly important that these organizations have some way to simplify the authentication and authorization experience for their users as they consume the cloud-based services. Cloud-based services add another level of complexity to the IT environment, as those services are located outside the direct administrative control of the IT administrators, and the services may be running on many different platforms.

You can use AD FS to provide an SSO experience to users across the various cloud-based platforms available. For example, once users are authenticated with AD DS credentials, they then could access Microsoft Online Services, such as hosted Microsoft Exchange Online or Microsoft SharePoint® Online, by using those domain credentials. AD FS also provides single sign-on to non-Microsoft cloud providers. Because AD FS is based on open standards, AD FS can interoperate with any compliant claims-based system.

The process for accessing a cloud-based application is quite similar to the B2B scenario. One example of a cloud-based service that uses AD FS for authentication is a hybrid Exchange Online deployment. In this type of deployment, an organization has deployed some or all of their mailboxes in an Office 365 Exchange Online environment. However, the organization manages all of their user accounts in their on-premises AD DS environment. The deployment uses the Microsoft Online Services Directory Synchronization tool to synchronize user-account information from the on-premises deployment to the Exchange Online deployment.

When users try to log on to their Exchange Online mailbox, the user must be authenticated by using their internal AD DS credentials. If the user tries to log on directly to the Exchange Online environment, they are redirected back to the internal AD FS deployment to authenticate before the user is given access.

The following steps describe how a user tries to access their online mailbox by using a web browser:

1. The user opens a web browser, and then sends an HTTPS request to the Exchange Online Outlook Web App server.

2. The Outlook Web App server receives the request, and then verifies that the user is part of a hybrid Exchange Server deployment. If this is the case, the server redirects the client computer to the Microsoft Online federation server.

3. The client computer sends an HTTPS request to the Microsoft Online federation server.

4. The client computer is redirected again to the on-premises federation server.

5. The client computer sends an HTTPS request to the on-premises federation server.

6. If the client computer is logged on to the domain already, the federation server can take the user's Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows Integrated Authentication. If the user is logging on from outside the network, or from a computer that is not a member of the internal domain, the user is prompted for credentials.

7. The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that can be used to generate the user's claims.

8. The federation server creates the claim for the user, based on the rules that are defined during the
AD FS server setup. The claims data is placed in a digitally signed security token, and then sent to the
client computer. The client computer then posts it back to the Microsoft Online federation server.

9. The Microsoft Online federation server validates that the security token came from a trusted
federation partner. This trust is configured when you configure the hybrid Exchange environment.

10. The Microsoft Online federation server creates and signs a new token, which it sends to the client
computer. The client computer then sends the token back to the Outlook Web App server.

11. The Outlook Web App server receives the request and validates the signed tokens. The server issues
the client a session cookie, which indicates that it has successfully authenticated. The user then is
granted access to their Exchange server mailbox.

Lesson 2
Deploying Active Directory Federation Services

Now that you have an understanding of how AD FS works, the next step is deploying the service. Before deploying AD FS, you must understand the components that you deploy, and the prerequisites that you must meet, especially with regard to certificates. This lesson provides an overview of deploying the AD FS server role in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the components that an AD FS deployment can include.

• List the prerequisites for an AD FS deployment.

• Describe the Public Key Infrastructure (PKI) and certificate requirements for an AD FS deployment.

• Describe the AD FS federation server roles.

• Install the AD FS server role.

AD FS Components

AD FS is installed as a server role in Windows Server 2012. However, there are many different components that you can install and configure in an AD FS deployment. The following list describes the AD FS components and what each one does.

• Federation Server. The federation server issues, manages, and validates requests that involve identity claims. All implementations of AD FS require at least one Federation Service.

• Federation Server Proxy. The Federation Server proxy is an optional component that typically is deployed in a perimeter network. The Federation Server proxy does not add any functionality to the AD FS deployment, but is deployed just to provide a layer of security for connections from the Internet to the Federation Server.

• Claims. A claim is a statement that one object makes about another object, such as a user. The claim could include the user's name, job title, or any other factor that might be used in an authentication scenario.

• Claim Rules. Claim rules determine how federation servers process claims. For example, a claim rule may state that an email address is accepted as a valid claim, or that a group name from one organization is translated into an application-specific role in the other organization. The rules usually are processed in real time, as claims are made.

• Attribute Store. An attribute store is used by AD FS to look up claim values. AD DS is a common attribute store, and is available by default if AD FS is installed on a domain-joined server.

• Claims Providers. A claims provider enables one side of the AD FS authentication and authorization process. The claims provider manages the user authentication, and then issues the claims that the user presents to a relying party.

• Relying Parties. The relying party enables the second side of the AD FS authentication and authorization process. The relying party is a web service that consumes claims from the claims provider. The relying party server must have the Windows Identity Foundation (WIF) installed or use the AD FS 1.0 claims-aware agent.

• Claims Provider Trust. This is configuration data that defines rules under which a client may request claims from a claims provider and subsequently submit them to a relying party. The trust consists of various identifiers, such as names, groups, and various rules.

• Relying Party Trust. This is the AD FS configuration data that is used to provide claims about a user or client to a relying party. It consists of various identifiers, such as names, groups, and various rules.

• Certificates. AD FS uses digital certificates when communicating over SSL or as part of the token-issuing process, the token-receiving process, and the metadata-publishing process.

• Endpoints. Endpoints are mechanisms that enable access to the AD FS technologies, including token issuance and metadata publishing. AD FS comes with built-in endpoints that are each responsible for a specific functionality.

Note: Many of these components are described in more detail in the remainder of this module.

AD FS Prerequisites

Before deploying AD FS, you must ensure that your internal network meets some basic prerequisites. The configuration of the following network services is critical for a successful AD FS deployment:

• Network connectivity: TCP/IP connectivity must exist between:

o The client computer

o A domain controller

o The Federation Service server

o The Federation Service Proxy server (when applicable)

o An application server that is integrated with AD FS

o A web server running the AD FS Web Agent (AD FS v1 only)

• AD DS: AD DS is a critical piece of AD FS. Domain controllers should be running Windows Server 2003 Service Pack 1 (SP1) at a minimum. In both AD FS v1 and AD FS, federation servers must be joined to an AD DS domain. The Federation Service proxy does not have to be domain-joined. In fact, we recommend that this component be installed on a workgroup-joined computer as a security best practice. Although you can install AD FS on a domain controller, we do not recommend this due to security implications.

• Attribute stores: AD FS uses an attribute store to build claim information. The attribute store contains information about users; this information is extracted from the store by the AD FS server after the user has been authenticated. AD FS supports the following attribute stores:

o Active Directory Application Mode (ADAM) in Windows Server 2003

o Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012

o Microsoft SQL Server 2005 (all editions)

o Microsoft SQL Server 2008 (all editions)

o A custom attribute store

Note: AD DS can be used both as the authentication provider and as an attribute store. AD FS also can use AD LDS as an attribute store. In AD FS v1, you can use AD LDS as an authentication store, but in the current version of AD FS, you only can use AD LDS as an attribute store.

• Domain Name System (DNS): Name resolution allows clients to find federation servers. The client computers must resolve the DNS names for all federation servers that they connect to, as well as the web applications that the client computer is trying to use. If the client computer is external to the network, the client computer must resolve the DNS name for the federation service proxy, not the internal federation server. The Federation Service proxy must resolve the name of the internal federation server. If internal users have to access the internal federation server directly, and external users have to connect through the Federation Server proxy, you require a split DNS.

• Operating-system prerequisites: You can only deploy the Windows Server 2012 version of AD FS as a server role on a Windows Server 2012 server. AD FS 2.0, which is almost identical to the Windows Server 2012 version, can be installed on Windows Server 2008 Service Pack 2 (SP2) or Windows Server 2008 R2.
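The DNS and connectivity prerequisites above are easy to get wrong in a split-DNS deployment, so here is an added example of a check a practitioner can run from any computer; it is not part of the course text. It resolves the federation service name, reports whether the answer is the internal federation server or the perimeter proxy, confirms that TCP 443 is reachable, and fetches the federation metadata so that a certificate-trust problem shows up before any user does. The name fs.adatum.com and the two addresses are assumptions. Resolve-DnsName and Invoke-WebRequest are the Windows Server 2012 and Windows 8 cmdlets; on older clients nslookup and a browser give the same answers.

```powershell
# Added example: check name-resolution and connectivity prerequisites from the computer it runs on.
# Host names and addresses are assumptions. Run it once from an internal client and once from an external
# (or perimeter) computer; with split DNS the two answers should differ, and nothing else should.
function Test-AdfsPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$FederationServiceName,   # e.g. fs.adatum.com
        [string[]]$InternalAddresses = @(),     # federation server addresses (internal zone)
        [string[]]$ProxyAddresses    = @()      # federation server proxy addresses (external zone)
    )
    $r = [ordered]@{ Name = $FederationServiceName }

    # 1. Which view of split DNS does this computer get?
    $ips = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    $r.ResolvesTo = $ips -join ','
    $r.View = if ($ips | Where-Object { $InternalAddresses -contains $_ }) { 'internal: federation server' }
              elseif ($ips | Where-Object { $ProxyAddresses -contains $_ }) { 'external: federation server proxy' }
              else { 'UNKNOWN address: check the zone this computer uses' }

    # 2. AD FS is SSL only, so TCP 443 is the only port that matters for clients.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($FederationServiceName, 443); $r.Port443 = 'open' }
    catch   { $r.Port443 = "closed ($($_.Exception.Message))" }
    finally { $tcp.Close() }

    # 3. The service publishes its federation metadata over HTTPS. A certificate error here means the
    #    service communications certificate is not trusted by this computer; a wrong entityID means the
    #    name resolved to a different federation service than the one expected.
    $url = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $xml = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content
        $r.EntityId = $xml.EntityDescriptor.entityID
    } catch { $r.EntityId = "unavailable ($($_.Exception.Message))" }
    [pscustomobject]$r
}

Test-AdfsPrerequisites -FederationServiceName 'fs.adatum.com' `
    -InternalAddresses '10.0.0.20' -ProxyAddresses '203.0.113.20' | Format-List
```

Run from the proxy itself, the expected result is the internal view (the proxy must resolve and reach the internal federation server); run from an Internet client, the expected result is the proxy address. Any other combination is the split-DNS misconfiguration this section warns about.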

PKI and Certificate Requirements

AD FS is designed to enable computers to communicate securely, even though they may be located in different locations. In this scenario, most of the communication between computers passes through the Internet. To provide security for the network traffic, all communications are protected by using SSL. This means that it is important to choose and assign SSL certificates correctly to the AD FS servers. To provide SSL security, AD FS servers use certificates in the following three ways.

Service Communication Certificates


This certificate is used to secure SSL communications to the websites running on the AD FS server and is
bound to the default web site on the AD FS server. You can choose which certificate to use when you
configure the AD FS server role on the server, and can change the assigned certificate after deployment
by using the AD FS management console. This certificate also is called a server authentication certificate.

Token-Signing Certificates
The token-signing certificate is used to sign every token issued by a federation server. This certificate is
critical in an AD FS deployment, because the token signature indicates which federation server issued the
token. The claims provider uses the private key of this certificate to identify itself, and the relying party uses
the certificate's public key to verify that the token came from a trusted federation partner and was not altered in transit.

The relying party also requires a token-signing certificate to sign the tokens that it prepares for other
AD FS components, such as web applications and clients. These tokens must be signed by the relying
party’s token-signing certificate in order for the destination applications to validate them.

When you configure a Federation Server, the server assigns a self-signed certificate as the token-signing
certificate. Because no other parties trust the self-signed certificate, it is important that you replace the
self-signed certificate with a trusted certificate. You can configure multiple token-signing certificates on
the federation server, but only the primary certificate is used to sign tokens.

Token-Decrypting Certificates
Token-decrypting certificates allow the entire user token to be encrypted before it is transmitted across the
network. To provide this functionality, the relying party federation server makes the certificate available to
the claims provider federation server. The certificate is shared without the private key. The claims provider
server uses the public key from the certificate to encrypt the user token. When the token is returned to
the relying party federation server, it uses the private key from the certificate to decrypt the token. This
provides an extra layer of protection for tokens that transit the Internet, because the client that relays the
token, and any intermediary, cannot read its contents.

When you configure a Federation Server, the server assigns a self-signed certificate as the token-
decrypting certificate. Because no other parties have to trust this certificate, it is possible to continue to
use this certificate without replacing it with a trusted certificate.

Note: Federation server proxies only require a service communication certificate. The
certificate is used to enable SSL communication for all client connections. Since the federation
server proxy does not issue any tokens, it does not need the other two types of certificates. Web
servers that are deployed as part of an AD FS deployment also should be configured with SSL
server certificates to enable secure communications with client computers.

Choosing a Certification Authority


AD FS federation servers can use self-signed certificates, certificates from an internal, private certification
authority (CA), or certificates that have been purchased from an external public CA.

The most important factor when choosing the certificates in most AD FS deployments is that the
certificates be trusted by all parties involved. This means that if you are configuring an AD FS deployment
that interacts with other organizations, you are almost certainly going to use a public CA, because all
partners trust the certificates issued by the public CA automatically.

If you are deploying AD FS just for your organization, and all servers and client computers are under
your control, you can consider using a certificate from an internal private CA. If you deploy an enterprise
CA on Windows Server 2012, you can use Group Policy to ensure that all computers in the organization
automatically trust the certificates that the internal CA issues. Using an internal CA can decrease the cost
of the certificates significantly.

Note: Deploying an internal CA using Active Directory Certificate Services is very easy, but it is critical that you plan and implement the deployment carefully.

When you install the AD FS server role, the server is configured with self-signed certificates. These certificates are not trusted by any other systems, so you must replace the server communications certificate and the token-signing certificates with a trusted certificate. It is not critical that you replace the token-decrypting certificate with a trusted certificate.
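The following added example (not from the course text) turns the certificate requirements above into a check and a replacement procedure for a Windows Server 2012 federation server. The audit function applies a different rule to each of the three certificate roles: the service communications certificate must chain to a root that clients trust and carry the federation service name, the token-signing certificate must not be the self-signed one if partners are to trust it, and a self-signed token-decrypting certificate is acceptable. The thumbprint of the replacement certificate is an assumption; the cmdlets are from the ADFS module and the X509Certificate2 methods used are standard .NET.

```powershell
# Added example: audit the three AD FS certificate roles on a federation server and roll the
# token-signing certificate. The thumbprint of the new certificate is an assumption.
Import-Module ADFS

function Test-AdfsCertificates {
    param([int]$WarnDays = 30)
    $fsName = (Get-AdfsProperties).HostName        # federation service name, e.g. fs.adatum.com
    $domain = $fsName.Substring($fsName.IndexOf('.') + 1)
    foreach ($entry in Get-AdfsCertificate) {
        $cert = $entry.Certificate                 # X509Certificate2 from the local computer store
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $chains = $cert.Verify()                   # chain builds to a root this computer trusts, dates valid
        $status = switch ($entry.CertificateType) {
            'Service-Communications' {
                # Every client and partner connects to this name over SSL: it must chain and carry the FS name.
                $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
                if ($selfSigned -or -not $chains) { 'REPLACE: clients will not trust it' }
                elseif ($dns -ne $fsName -and $dns -ne "*.$domain") { "REPLACE: name '$dns' is not '$fsName'" }
                else { 'ok' }
            }
            'Token-Signing' {
                # Partners verify token signatures against this certificate; only the primary one signs.
                if ($selfSigned) { 'REPLACE: self-signed, partners must trust it explicitly' } else { 'ok' }
            }
            'Token-Decrypting' {
                # Partners only need the public key (published in federation metadata); self-signed is fine.
                'ok (self-signed acceptable)'
            }
        }
        if ($daysLeft -lt $WarnDays) { $status = "EXPIRES in $daysLeft days; $status" }
        [pscustomobject]@{
            Type       = $entry.CertificateType
            Primary    = $entry.IsPrimary
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}
Test-AdfsCertificates | Format-Table -AutoSize

# Replacing the self-signed token-signing certificate with one from a trusted CA. Prerequisites: the new
# certificate is in the computer's personal store with its private key, and the AD FS service account has
# read access to that private key.
$newThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'    # assumption: thumbprint of the new certificate
Set-AdfsProperties -AutoCertificateRollover $false             # stop AD FS from managing self-signed certificates
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumbprint      # added as secondary
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumbprint -IsPrimary
# Partners validate signatures against the certificate in your federation metadata. Every relying party or
# claims provider trust on their side that does not auto-update from your metadata must be refreshed before
# the old certificate is removed, or their validation of your tokens fails. Only then:
#   Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { -not $_.IsPrimary } |
#       ForEach-Object { Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint $_.Thumbprint }
```

The service communications certificate is changed the same way with Set-AdfsCertificate -CertificateType Service-Communications, but on Windows Server 2012 that only updates the AD FS configuration: the HTTPS binding of the default web site in IIS, which the text above says the certificate is bound to, must be updated to the same certificate as well, and the federation server proxies need it too.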

Federation Server Ro
oles
When
W you deploy the AD FS server
s role, and
co
onfigure the seerver, you can choose whichh role
th
he server playss in an AD FS deployment.
d Yo
ou can
co
onfigure an AD D FS server in one
o of three rooles:

• Claims Provider. A claims provider is a federation server that provides signed tokens containing claims to users. Claims provider federation servers are deployed in organizations where user accounts are located. When a user requests a token, the claims provider federation server verifies the user authentication by using AD DS, and then collects information from an attribute store, such as AD DS or AD LDS, to populate the user claim with the attributes required by the partner organization. The server issues tokens in the Security Assertion Markup Language (SAML) format. The claims provider federation server also protects the contents of security tokens in transit by signing and optionally encrypting them.

• Relying Party. A relying party is a federation server that receives security tokens from a trusted claims provider. The relying party federation servers are deployed in organizations that provide application access to claims provider organizations. The relying party accepts and validates the claim, and then issues new security tokens that the web server can use to provide appropriate access to the application.

Note: A single AD FS server can operate as both a claims provider and a relying party, even with the same partner organizations. The AD FS server functions as a claims provider when it is authenticating users and providing tokens for another organization, but also can accept tokens from the same or another organization in a relying party role.

• Federation Server Proxy. A federation server proxy provides an extra level of security for AD FS traffic coming from the Internet to the internal AD FS federation servers. Federation server proxies can be deployed in both the claims provider and relying party organizations. On the claims provider side, the proxy collects the authentication information from client computers and passes it to the claims provider federation server for processing. The federation server issues a security token to the proxy, which sends it to the relying party proxy. The relying party federation server proxy accepts these tokens, and then passes them on to the internal federation server. The relying party federation server issues a security token for the web application, and then sends the token to the proxy, which then forwards the token to the client. The federation server proxy does not provide any tokens or create claims. It only forwards requests from clients to internal AD FS servers.

Note: You cannot configure a federation server proxy as a claims provider or a Relying
Provider. The claims provider and Relying Provider must be members of an AD DS domain. You
must configure the federation server proxy as a member of a workgroup, and then deploy it in a
perimeter network.

Demonstration: Installing the AD FS Server Role


In this demonstration, you will see how to install and complete the initial configuration of the AD FS
server role in Windows Server 2012. The instructor will install the server role, and then run the AD FS
Federation Server Configuration Wizard to configure the server as a standalone federation server.

Demonstration Steps
1. On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.

2. Run the AD FS Federation Server Configuration Wizard by using the following parameters:
a. Create a new federation service

b. Create a stand-alone deployment

c. Use the LON-DC1.Adatum certificate

d. Choose a service name of LON-DC1.Adatum.com

3. Open Windows Internet Explorer®, and then connect to
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
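The demonstration uses Server Manager and the wizard. As an added example (it is not part of the course material), the following Windows PowerShell script installs the role from step 1 and then performs the check behind step 3 in a form that is more useful to an administrator than reading the raw XML: it downloads the published federation metadata and lists the entity ID, the endpoints, and the token-signing certificates that a partner organization would be asked to trust, flagging any that are self-signed. It assumes that the wizard step has already been completed (that step is not scripted here), that the host name is the one used in the demonstration, and that PowerShell 3.0 (which ships with Windows Server 2012) is available for Invoke-WebRequest.

```powershell
# Added example: install the AD FS role, then inspect the federation metadata the new
# federation service publishes. Assumes the configuration wizard has already been run.

# Step 1 equivalent. On Windows Server 2012 the role's feature name is ADFS-Federation.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Step 3 equivalent: fetch the metadata document that partners will import.
$metadataUrl = 'https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml'

try {
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
} catch {
    # A TLS trust failure here is itself a finding: the service communications certificate
    # is not trusted by this client, which is the state right after the role is installed.
    Write-Warning "Could not download metadata: $($_.Exception.Message)"
    return
}
[xml]$md = $response.Content

# The document is namespace-qualified, so use a namespace manager for XPath queries.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
$ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
$ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')

# The entity ID is the identifier a partner will see in its claims provider or relying party trust.
"Entity ID : $($md.EntityDescriptor.entityID)"

# Endpoints the service publishes: WS-Federation passive endpoint and SAML single sign-on endpoints.
$md.SelectNodes('//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns) |
    ForEach-Object { "WS-Fed endpoint   : $($_.InnerText)" }
$md.SelectNodes('//md:SingleSignOnService', $ns) |
    ForEach-Object { "SAML SSO endpoint : $($_.Binding) $($_.Location)" }

# Token-signing certificates: every KeyDescriptor with use="signing", de-duplicated by thumbprint.
$seen = @{}
$certNodes = $md.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
foreach ($node in $certNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $true

    # Subject equal to issuer means self-signed: the default state, to be replaced before federating.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $note = ''
    if ($selfSigned) { $note = 'Replace with a certificate from a trusted CA before federating' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        SelfSigned = $selfSigned
        Note       = $note
    }
}
```

The signing certificate list is what a partner's relying party or claims provider trust will pin when it imports the metadata, so running this check after each certificate change shows exactly what partners will have to re-import.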
Lesson 3
Implementing AD FS for a Single Organization
The simplest deployment scenario for AD FS is within a single organization. In this scenario, a single AD FS server can operate both as the claims provider and as the relying party. All users in this scenario are internal to the organization, as is the application that the users are accessing.

This lesson provides details on the components that you must configure in a single organization deployment of AD FS. These components include configuring claims, claim rules, claims provider trusts, and relying party trusts.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe AD FS claims.

• Describe AD FS claim rules.

• Describe claims provider trusts.

• Describe relying party trusts.

• Configure claims provider and relying party trusts.

What Are AD FS Claims?
AD FS claims provide the link between the claims provider and relying party roles in an AD FS deployment. The claims provider creates the claims and the relying party consumes the claims. AD FS claims provide a standards-based and flexible way for claims provider organizations to provide very specific information about users in their organizations, and a way for relying parties to define exactly what information they require to provide application access.

An AD FS claim is a statement made about a particular subject (such as a user) by a trusted entity (such as a claims provider). The claim information provides the details that the application requires to enable access to claims-aware applications.

Claim Types
Each AD FS claim has a claim type, such as Email Address, UPN, or Last Name. Users can be issued claims based on any defined claim type. So a user might be issued a claim with a type of Last Name and a value of Weber. AD FS provides several built-in claim types, or you can create new ones based on the organization requirements.

Note: In AD FS 1.0, you could configure claims as identity claims, group claims or custom claims. These claim types do not apply to AD FS 2.0 or later. Essentially, all claims are now considered custom claims.

Each AD FS claim type is identified by a Uniform Resource Identifier (URI) that uniquely identifies the claim type. This information is provided as part of the AD FS server metadata. For example, if the claims provider organization and the relying party organization decide to use a claim type of AccountNumber, both organizations must configure a claim type with this name. The claim type is published, and the claim type URI must be identical on both AD FS servers.

How Claim Values Are Populated
The claims issued by a claims provider contain the information that is required by the relying party to enable appropriate application access. One of the first steps in planning an AD FS deployment is to define exactly what information the applications must have about each user to provide that application access. Once this information is defined, the claims are defined on the claims provider federation server. The information required to populate the claim can be obtained in several ways:
• The claim can be retrieved from an attribute store. Frequently, the information required for the claim is already stored in an attribute store that is available to the federation server. For example, an organization might decide that the claim should include the user's UPN, email address, and group memberships. This information is already stored in AD DS, so the federation server can just retrieve this information from AD DS when creating the claim. Since AD FS can use AD DS, AD LDS, Microsoft SQL Server, a third-party Lightweight Directory Access Protocol (LDAP) directory, or a custom attribute store to populate claims, you can define almost any value within the claim.

• The claim can be calculated based on collected information. Claims provider federation servers can also calculate information based on information gathered from an attribute store. For example, you may want to provide information about a person's salary within a claim. This information is likely stored in a Human Resources database, but the actual value may be considered confidential. You can define a claim that categorizes salaries within an organization, and then have the AD FS server calculate which category a specific user belongs to. In this way, the claim only includes the salary category information, not the actual user salary.

• The claim can be transformed from one value to another. In some cases, the information stored in an attribute store does not exactly match the information that the application requires when making authorization decisions. For example, the application may have different user roles defined that do not directly match the attributes stored in any attribute store. However, the application role may correlate to AD DS group membership. For example, users in the Sales group may correlate to one application role, while users in the Sales Management group may correlate to a different application role. To establish the correlation in AD FS, you can configure a claims transformation that takes the value that the claims provider provides, and translates the value to a claim that is useful to the relying party's application.

What Are AD FS Claim Rules?
Claims rules define how AD FS servers send and consume claims. Claims rules define the business logic that is applied to claims that claims providers provide, and to claims that the relying parties accept. You can use claim rules to:
• Define which incoming claims are accepted from one or more claims providers.

• Define which outbound claims are provided to one or more relying parties.

• Apply authorization rules to enable access to a specific relying party for one or more users or groups of users.

You can define two types of claim rules:

• Claim rules for a claims provider trust. A claims provider trust is the AD FS trust relationship configured between an AD FS server and a claims provider. You can configure claim rules to define how the claims provider processes and issues claims.

• Claim rules for a relying party trust. A relying party trust is the AD FS trust relationship configured between an AD FS server and a relying party. You can configure claim rules that define how the relying party accepts claims from the claims provider.

Claims rules on an AD FS claims provider are all considered acceptance transform rules. These rules determine what types of claims are accepted from the claims provider and then sent to a relying party trust. When configuring AD FS within a single organization, there is a default claims provider trust configured with the local AD DS domain, so this rule set defines the claims that are accepted from AD DS.

There are three types of claim rules for a relying party trust:

• Issuance Transform Rules: These rules define the claims that are sent to the relying party that has been defined in the relying party trust.

• Issuance Authorization Rules: These rules define which users are permitted or denied access to the relying party that has been defined in the relying party trust. This rule set can include rules that explicitly permit access to a relying party, and/or rules that explicitly deny access to a relying party.

• Delegation Authorization Rules: These rules define the claims that specify which users can act on behalf of other users when accessing the relying party. This rule set can include rules that explicitly permit delegates for a relying party, or rules that explicitly deny delegates to a relying party.

A single claim rule is associated with a single federated trust relationship. This means that you cannot create a set of rules for one trust and then reuse those rules for other trusts that you configure on your federation server.

AD FS servers are preconfigured with a set of default rules, as well as several default templates that you can use to create the most common claims rules. You can also create custom claim rules by using the AD FS claim rule language.

What Is a Claims Provider Trust?
You configure a claims provider trust on the relying party federation server. The claims provider trust identifies the claims provider, and also describes how the relying party consumes the claims that the claims provider issues. You must configure a claims provider trust for each claims provider.

By default, an AD FS server is configured with a claims provider trust named Active Directory. This trust defines the claim rules, which are all acceptance transform rules that define how the AD FS server accepts AD DS credentials. For example, the default claim rules on the claims provider trust include rules that pass the user names, SIDs, and group SIDs to the relying party. In a single-organization AD FS deployment, where AD DS authenticates all users, the default claims provider trust may be the only required claims provider trust.
When you expand the AD FS deployment to include other organizations, you must create additional claims provider trusts for each federated organization. You have three options when configuring a claims provider trust:

• Import data about the claims provider through the federation metadata. If the AD FS federation server or federation proxy server is accessible through the network from your AD FS federation server, you can enter the host name or URL for the partner federation server. Your AD FS connects to the partner server, and downloads the federation metadata from the server. The federation metadata includes all information required to configure the claims provider trust. As part of the federation metadata download, your federation server also downloads the SSL certificate that the partner federation server uses.

• Import data about the claims provider from a file. Use this option if the partner federation server is not directly accessible from your federation server, but where the partner organization has exported its configuration, and then provided you the information in a file. The configuration file must include the configuration information for the partner organization, as well as the SSL certificate that the partner federation server uses.

• Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly. When you choose this option, you must provide the features that the claims provider supports, as well as the URL used to access the claims provider AD FS servers. Furthermore, you must add the SSL certificate that the partner organization uses.

What Is a Relying Party Trust?
A relying party trust is defined on the claims provider federation server. The relying party trust identifies the relying party, and also defines the claims rules that define how the relying party accepts and processes claims from the claims provider.

In a single-organization scenario, the relying party trust defines how the AD FS server interacts with the applications deployed within the organization. When you configure the relying party trust in a single organization, you provide the URL for the internal application and configure settings such as whether the application supports SAML 2.0 or whether it requires AD FS 1.0 tokens, the SSL certificate and URL used by the web server, and the application's issuance-authorization rules.

The process for configuring a relying party trust is very similar to that for the claims provider trust. When you expand the AD FS deployment to include other organizations, you must create additional relying party trusts for each federated organization. You have three options when configuring a relying party trust:

• Import data about the relying party through the federation metadata. If the AD FS federation server or federation proxy server is accessible through the network from your AD FS federation server, you can enter the host name or URL for the partner federation server. Your AD FS connects to the partner server, and downloads the federation metadata from the server. The federation metadata includes all the information required to configure the relying party trust. As part of the federation metadata download, your federation server also downloads the SSL certificate that the partner federation server uses.

• Import data about the relying party from a file. Use this option if the partner federation server is not directly accessible from your federation server, but where the partner organization has exported its configuration and provided you the information in a file. The configuration file must include the configuration information for the partner organization, as well as the SSL certificate that the partner federation server uses.

• Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly.

Demonstration: Configuring Claims Provider and Relying Party Trusts


In this demonstration, you will see how to configure claims provider trusts and relying party trusts. The
instructor will show how to edit the default Active Directory claims provider trust, and will create a new
relying party trust and show how to configure the trust.

Demonstration Steps
1. In the AD FS 2.0 Management console, go to the claims provider Trusts, highlight the Active
Directory store, and then go to Edit Claim Rules.

2. In the Edit Claim Rules for Active Directory dialog on the Acceptance Transform Rules tab, start
the Add Transform Claim Rule Wizard, and complete the wizard with the following settings:

o Under Claim rule template select Send LDAP Attributes as Claims.

o Name the claim rule Outbound LDAP Attribute Rule.

o Choose Active Directory as the Attribute Store.


3. In the Mapping of LDAP attributes to outgoing claim types, select the following values:

o E-Mail-Addresses to E-Mail Address

o User-Principal-Name to UPN

4. On LON-SVR1, from the Start screen, start the Windows Identity Foundation Federation Utility.

5. Complete the wizard with the following settings:

o Point to the web.config file of the WIF sample application by pointing to
C:\Inetpub\wwwroot\AdatumTestApp\web.config.

o Specify an Application URI box by typing
https://lon-svr1.adatum.com/AdatumTestApp/.

o Select Use an existing STS, and enter a path
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.

o Disable certificate chain validation.

o Select No encryption.

6. In the AD FS 2.0 Management console, in the middle pane, click Required: Add a trusted relying
party.

7. Complete the Add relying party Wizard with the following settings:

o Select Import data about the relying party published online or on a local network, and type
https://lon-svr1.adatum.com/adatumtestapp.

o Specify a Display name of ADatum Test App.

o Select Permit all users to access this relying party.


o Select Permit access for all users.

o Select to open the Edit Claims Rules for WIF Sample Claims App check box when the wizard is
complete.
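The same configuration can be done from Windows PowerShell with the AD FS cmdlets that ship with the role on Windows Server 2012 (on AD FS 2.0 the equivalent is the Microsoft.Adfs.PowerShell snap-in). The following script is an added example and not part of the course demonstration; it reproduces steps 1 to 3 and 6 to 7 (the Windows Identity Foundation Federation Utility run on LON-SVR1 in steps 4 and 5 is not scripted). It assumes that the WIF sample application publishes its federation metadata at the standard FederationMetadata/2007-06 path below the application URL, and it appends the new LDAP rule to the existing acceptance rules rather than replacing them, because Set-AdfsClaimsProviderTrust -AcceptanceTransformRules overwrites the whole rule set.

```powershell
# Added example: the demonstration's claims provider and relying party trust configuration,
# done with the AD FS Windows PowerShell module (run on LON-DC1 as an administrator).
Import-Module ADFS   # on AD FS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

# --- Steps 1-3: add an acceptance transform rule to the "Active Directory" claims provider trust.
# This is what the "Send LDAP Attributes as Claims" template generates: look up mail and
# userPrincipalName for the authenticated Windows account and issue them as E-Mail Address and UPN.
$ldapRule = @'
@RuleName = "Outbound LDAP Attribute Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Set-AdfsClaimsProviderTrust replaces the entire rule set, so keep the default pass-through
# rules (account name, SIDs, group SIDs) and append the new rule to them.
$adTrust  = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
$newRules = $adTrust.AcceptanceTransformRules + "`r`n" + $ldapRule
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $newRules

# --- Steps 6-7: create the relying party trust from the application's published metadata.
# Assumption: the WIF Federation Utility published the metadata at this path under the app URL.
$appUrl      = 'https://lon-svr1.adatum.com/adatumtestapp'
$metadataUrl = "$appUrl/FederationMetadata/2007-06/FederationMetadata.xml"

# "Permit all users to access this relying party" produces exactly this issuance authorization rule.
$permitAll = @'
@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules: forward the two claims the application needs, and nothing else.
$passThrough = @'
@RuleName = "Pass through E-Mail Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

Add-AdfsRelyingPartyTrust -Name 'ADatum Test App' -MetadataUrl $metadataUrl `
    -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $passThrough `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Review the result: identifier, endpoint and the rule sets that were applied.
Get-AdfsRelyingPartyTrust -Name 'ADatum Test App' |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceAuthorizationRules, IssuanceTransformRules
```

Enabling monitoring and automatic update on the trust makes AD FS poll the application's metadata and pick up a rotated signing or encryption certificate, which is the usual cause of a trust silently breaking after a certificate renewal.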
Lesson 4
Deploying AD FS in a Business to Business Federation Scenario
A second common scenario for implementing AD FS is in a B2B federation scenario. In this scenario, users in one organization have to be able to access an application in another organization. AD FS in this scenario enables SSO. Users always log on to their home AD DS environment, but are granted access to the partner application based on the claims acquired from their local AD FS server.

Configuring AD FS in a B2B federation scenario is quite similar to configuring AD FS in a single organization scenario. The primary difference is that now the claims provider trusts and the relying party trusts refer to external organizations rather than internal AD DS or applications.

This lesson describes how to configure AD FS in a B2B scenario.

Lesson Objectives
After completing this lesson, you will be able to:

• Configure the account partner in a B2B federation scenario.

• Configure the resource partner in a B2B federation scenario.

• Describe how claims transformations work.

• Describe how home-realm discovery works.

• Configure claims rules.

• Configure claims
c rules.

Configuring an Account Partner
In a B2B AD FS scenario, the terminology used to describe the parties involved in the AD FS deployment changes slightly. In this scenario, the claims provider organization is also called the account partner organization. An account partner organization is the organization in which the user accounts are stored in an attribute store. An account partner handles the following tasks:

• Gathering credentials from users by using a web-based service, and then authenticating those credentials.

• Building up claims for users, and then packaging the claims into security tokens. The tokens can then be presented across a federation trust to gain access to federation resources located at the resource partner organization.

Configuring the account partner organization to prepare for federation involves the following steps:

1. Implement the physical topology for the account partner deployment. This step could include deciding on the number of federation servers and federation server proxies to deploy, the locations where these will be deployed, and configuring the required DNS records and certificates.

2. Add an attribute store. Use the AD FS management console to add the attribute store. In most cases, you use the default Active Directory attribute store, which also must be used for authentication. However, you also can add other attribute stores, if necessary, to build user claims.
3. Connect to a resource partner organization by creating a relying party trust. The easiest way to do this is to use the federation metadata URL that the resource partner organization provides. With this option, your AD FS server automatically collects the information that the relying party trust requires.

4. Add a claim description. The claim description lists the claims that your organization provides to the relying partner. This information may include user names, email addresses, group membership information, or other identifying information about a user.

5. Prepare client computers for federation. This may involve two steps:

o Add the account partner federation server to the trusted sites list in the browser of client computers. By adding the account partner federation server to the trusted sites list on the client computers, you enable Windows Integrated Authentication, which means that users are not prompted for authentication if they are already logged into the domain. You can use Group Policy objects (GPOs) to assign the URL to the trusted site.

o Configure certificate trusts. This is an optional step that is required only if one or more of the servers accessed by the clients do not have trusted certificates. The client computer may have to connect to the account federation servers, resource federation servers or federation proxy servers, and the destination web servers. If any of these certificates are not from a trusted public CA, you may have to add the appropriate certificate or root certificate to the certificate store on the clients. You can do this by using GPOs.

Configuring a Resource Partner
The resource partner organization is the relying party in a B2B federation scenario. The resource partner organization is where the resources exist and are made accessible to account partner organizations. The resource partner handles the following tasks:
• Accepts and validates security tokens that the account-partner federation server produces.

• Consumes the claims from the security tokens, and then provides new claims to its web servers after making an authorization decision.

The web servers must have Windows Identity Foundation (WIF) installed or have the AD FS 1.x Claims-Aware Web Agent role services installed to externalize the identity logic and accept claims.

Note: Microsoft offers WIF to provide a set of consistent development tools that enable developers to integrate claims-based authentication and authorization into their applications. WIF also includes a Software Development Kit (SDK) and sample applications. You use a WIF sample application in the lab for this module.

Configuring the resource partner organization is similar to configuring the account partner organization, and consists of the following steps:
1. Implement the physical topology for the resource partner deployment. The planning and implementation steps are the same as for the account partner, with the addition of planning the web server location and configuration.
2. Add an attribute store. On the resource partner, the attribute store is used to populate the claims that are offered to the client, which presents them to the web server.

3. Connect to an account partner organization by creating a claims provider trust.

4. Create claim rule sets for the claims provider trust.

Configuring Claims Rules for Business to Business Scenarios
In a single organization deployment of AD FS, it may be quite easy to design and implement claims rules. In many cases, you may need to just provide the user name or group name collected from the claim to the web server. In a B2B scenario, it is more likely that you have to configure more complicated claims rules to define user access between widely varying systems.

Claim rules define how account partners (claims providers) create claims, and how resource partners (relying parties) consume claims. AD FS provides several templates that you can use when configuring claim rules:

• Send LDAP Attribute as Claims rule template. Use this template when you select specific attributes in an LDAP attribute store to populate claims. You can configure multiple LDAP attributes as individual claims in a single claim rule created from this template. For example, you can create a rule that extracts the displayName and givenName AD DS attributes from all authenticated users, and then send these values as outgoing claims to be sent to a relying party.

• Send Group Membership as a Claim rule template. Use this template to send a particular claim type and associated claim value based on the user's AD DS security group membership. For example, you might use this template to create a rule that sends a group claim type with a value of SalesAdmin if the user is a member of the Sales Manager security group within their AD DS domain. This rule only issues a single claim, based on the AD DS group that you select as a part of the template.

• Pass Through or Filter an Incoming Claim rule template. Use this template to set additional restrictions on which claims are submitted to relying parties. For example, you might want to use a user email address as a claim, but only forward the email address if the domain suffix on the email address is adatum.com. When using this template, you can either pass through whatever claim you extract from the attribute store, or you can configure rules that filter whether the claim passes through based on various criteria.

• Transform an Incoming Claim rule template. Use this template to map the value of an attribute in the claims provider attribute store to a different value in the relying party attribute store. For example, you may want to provide all members of the Marketing department at A. Datum limited access to a purchasing application at Trey Research. At Trey Research, the attribute used to define the limited access level may have an attribute of LimitedPurchaser. To address this scenario, you can configure a claims rule that transforms an outgoing claim where the Department value is Marketing to an incoming claim where the ApplicationAccess attribute is LimitedPurchaser. Rules created from this template must have a one-to-one relationship between the claim at the claims provider and the claim at the relying partner.
• Permit or Deny Users based on an Incoming Claim rule template. This template is available only when you are configuring Issuance Authorization Rules or Delegation Authorization Rules on a relying party trust. Use this template to create rules that enable or deny access by users to a relying party, based on the type and value of an incoming claim. This claim rule template allows you to perform an authorization check on the claims provider before claims are even sent to a relying party. For example, you can use this rule template to create a rule that only permits users from the Sales group to access a relying party; authentication requests from members of other groups are not even sent to the relying party.

If none of the built-in claim rule templates provide the functionality that you are looking for, you can create more complex rules using the AD FS Claim Rule Language. By creating a custom rule, you can extract claims information from multiple attribute stores and also combine claim types into a single claim rule.
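The following script is an added example, not part of the course, that ties together the account partner steps 3 and 4, the resource partner steps 3 and 4, the three relying party rule set types from Lesson 3, and the five rule templates above, all written in the AD FS claim rule language that those templates generate and applied with the AD FS cmdlets on Windows Server 2012. The two partner host names, the group SIDs, and the Department and ApplicationAccess claim type URIs are constructed placeholders; the other claim type URIs are the standard ones AD FS uses. The e-mail filter shows the pattern the "Pass Through or Filter" template relies on: the attribute lookup uses add() so that the value enters the rule pipeline without being issued, and only the filtering rule issues it.

```powershell
# Added example: B2B federation between A. Datum (account partner / claims provider) and
# Trey Research (resource partner / relying party), configured with AD FS cmdlets and the
# claim rule language. Host names, group SIDs and the Department / ApplicationAccess claim
# type URIs are constructed placeholders.
Import-Module ADFS

# ================= Account partner: run on the A. Datum AD FS server =================

# Account partner step 3: relying party trust to the resource partner, from its metadata.
Add-AdfsRelyingPartyTrust -Name 'Trey Research' `
    -MetadataUrl 'https://sts.treyresearch.net/federationmetadata/2007-06/federationmetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Account partner step 4: claim description, so the claim type is published in A. Datum's metadata.
Add-AdfsClaimDescription -Name 'Department' `
    -ClaimType 'http://schemas.adatum.com/claims/Department' -IsOffered $true -IsAccepted $true

# Issuance transform rules for the Trey Research trust: what A. Datum sends across the federation.
$issuanceTransform = @'
@RuleName = "Send LDAP attributes: display name, given name, department"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.adatum.com/claims/Department"), query = ";displayName,givenName,department;{0}", param = c.Value);

@RuleName = "Look up e-mail address (add to the pipeline only, not issued yet)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Filter: issue the e-mail address only for the adatum.com suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^.+@adatum[.]com$"]
 => issue(claim = c);

@RuleName = "Send Group Membership: Sales Manager -> SalesAdmin"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1105", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "SalesAdmin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Issuance authorization rules: only Sales group members get a token for Trey Research at all,
# so requests from other users never reach the resource partner.
$issuanceAuthz = @'
@RuleName = "Permit only members of the Sales group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1106"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Delegation authorization rules: no user may act on behalf of another user for this partner.
$delegationAuthz = @'
@RuleName = "Deny all delegation"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName 'Trey Research' `
    -IssuanceTransformRules $issuanceTransform `
    -IssuanceAuthorizationRules $issuanceAuthz `
    -DelegationAuthorizationRules $delegationAuthz

# ================= Resource partner: run on the Trey Research AD FS server =================

# Resource partner step 3: claims provider trust to the account partner, from its metadata.
Add-AdfsClaimsProviderTrust -Name 'A. Datum' `
    -MetadataUrl 'https://sts.adatum.com/federationmetadata/2007-06/federationmetadata.xml'

# Resource partner step 4: acceptance transform rules, i.e. what Trey Research accepts from A. Datum.
# Anything an acceptance rule does not issue is dropped, so Department itself never reaches the app.
$acceptance = @'
@RuleName = "Transform: Department=Marketing -> ApplicationAccess=LimitedPurchaser"
c:[Type == "http://schemas.adatum.com/claims/Department", Value == "Marketing"]
 => issue(Type = "http://schemas.treyresearch.net/claims/ApplicationAccess", Value = "LimitedPurchaser", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Pass through name, given name and e-mail address"
c:[Type =~ "^http://schemas.xmlsoap.org/ws/2005/05/identity/claims/(name|givenname|emailaddress)$"]
 => issue(claim = c);

@RuleName = "Pass through Group claims"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName 'A. Datum' -AcceptanceTransformRules $acceptance
```

Each rule set is tied to one trust, as the text notes, so the same rule text has to be applied again to every other partner trust that needs it; keeping the rule sets in source control as here-strings makes that repeatable and reviewable.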

Ho
ow Home Realm
R Disccovery Wo
orks
Somme resource pa artner organizaations
hostting claims-aw ware applicatioons may want to t
enable multiple account partners to access th he
appplications. In th
his scenario, wh
hen users conn nect
to the web application, there must
m be some
mecchanism for directing the use ers to the AD FS
fedeeration server in their home domain rather
thann to another organization’s
o federation
f servver.
The process for diirecting clientss to the appropriate
accoount partner iss called home realm discove ery.

Hom me realm discoovery occurs after the client


connects to the reelying parties web
w site and the
clien edirected to the relying partyy’s federation sserver. At this point, the relyying party’s
nt has been re
fedeeration server must redirect the client to th
he Federation Server in the cclient’s home realm, so that the
userr can be authe ere are multiple claims provviders configurred on the relyying party
enticated. If the
fedeeration server, it has to knoww to which federation serverr to redirect the client.

At a high level, there are three main


m plement homee realm discoveery:
ways imp

1. Ask users to select


s their homme realm. With this option, when the userr is redirected to the relying
party’s federa
ation server, th
he federation server
s can dispplay a web pagge that requests that the use
er
identify the company they work for. Once priate compan
e the user seleects the approp ny, the federattion
server uses th
hat informationn to redirect th
he client comp puter to the ap
ppropriate hom
me federation
server for autthentication.

2. Modify the lin


nk for the webb application to
o include a “WWhr” string tha t specifies the user’s home
matically redirect the user to the
realm. The relying party’s Federation Servver uses this sttring to autom
appropriate home
h realm. This means thatt the user doe s not have to be prompted to select the h home
realm, becausse the “Whr” string in the URRL that the useer clicks relays the needed innformation to the
relying party’s Federation Server.
S The moodified link mig ght look someething like
https://www.aadatum.com/O OrderApp/?wh hr=urn:federattion:TreyResea rch.

3. If the remote application is SAML 2.0-compliant, users can use a SAML profile called IdPInitiated SSO.
This SAML profile configures users to access their local claims provider first, which can prepare the
user’s token with the claims required to access the partner web application. This process changes the
normal process for accessing the web application by having the users log on to the claims provider
federation server first, and then prompting them to select which application they want to access so
that their token can be created with the appropriate information.

Note: The home realm discovery process occurs the first time the user tries to access a web
application. After the user successfully authenticates, a home-realm discovery cookie is issued to
the client so that the user does not have to go through the process the next time. This home-realm
discovery cookie expires after a month, unless the cookie cache is cleared sooner.

Demonstration: Configuring Claims Rules


In this demonstration, you will see how to configure claims rules. You will see how to configure claims
rules on a relying party trust that forwards a group name as part of the claim. You will also see how to
configure a claims rule that limits access to the application only to members of a particular group.

Demonstration Steps
1. On LON-DC1, edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule
that passes through or filters an incoming claim. Name the rule Send Group Name rule, and
configure the rule to use an incoming claim type of group.

2. Delete the Issuance Authorization Rule that grants access to all users.

3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of
Group, an Incoming claim value of Production, and select the option to Permit access to users
with this incoming claim.
4. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an
Incoming claim value of @adatum.com, and select the option to Permit access to users with this
incoming claim, and then click Finish.

5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.

Lab: Implementing AD FS
Scenario
A. Datum has set up a variety of business relationships with other companies and customers. Some of
these partner companies and customers must access business applications that are running on the A.
Datum network. The business groups at A. Datum want to provide a maximum level of functionality and
access to these companies. The security and operations departments want to ensure that the partners and
customers can only access the resources to which they require access, and that implementing the solution
does not significantly increase the workload for the operations team.

A. Datum is also working on migrating some parts of their network infrastructure to online services,
including Windows Azure and Office 365.
To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the
company plans to use AD FS to implement single sign on for internal users accessing an application on a
web server. A. Datum also has entered into a partnership with another company, Trey Research. Trey
Research users must be able to access the same application.

As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS
solution. As a proof of concept, you plan to deploy a sample claims aware application, and then configure
AD FS to enable both internal users and Trey Research users to access the same application.

Objectives
• Configure the AD FS prerequisites.
• Install and configure AD FS.

• Configure and validate SSO for a single organization.

• Configure and validate SSO for a business federation scenario.

Lab Setup
Estimated time: 90 minutes

Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-MUN-DC1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2 to 4 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-MUN-DC1.

a. Do not log on to 20417A-LON-CL1 at this point.

b. On 20417A-MUN-DC1, log in as TreyResearch\Administrator with the password Pa$$w0rd.

Exercise 1: Configuring AD FS Prerequisites


Scenario
To deploy AD FS at A. Datum, you must verify that all required components are configured. You plan to
verify that AD CS is deployed in the organization, and then configure the certificates required for AD FS
on the AD FS server and on the web servers. You also plan to configure the DNS forwarders to enable
communication between Adatum.com and TreyResearch.com.

The main tasks for this exercise are as follows:


1. Configure DNS forwarders.

2. Exchange root certificates to enable certificate trusts.

3. Request and install a certificate for the web server.


4. Bind the certificate to the claims aware application on the web server and verify application access.

X Task 1: Configure DNS forwarders


1. On LON-DC1, create a new conditional forwarder for the TreyResearch.com domain, by using the
DNS server IP address of 172.16.10.10.

2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, by using the DNS
server IP address of 172.16.0.10.

X Task 2: Exchange root certificates to enable certificate trusts


1. On LON-DC1, copy the MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt from
\\MUN-DC1.treyresearch.com\certenroll to the Documents folder.

2. Create a new Microsoft Management Console (MMC), and then add the Group Policy Management
Editor.

3. Edit the Default Domain Policy Group Policy Object, and import the copied root certificate to the
Trusted Root Certification Authorities folder.

4. On MUN-DC1, copy the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt from
\\LON-DC1.Adatum.com\certenroll to the Documents folder.

5. Create a new MMC, and then add the Certificates snap-in focused on the Local Computer.

6. Import the copied root certificate to the Trusted Root Certification Authorities folder.

X Task 3: Request and install a certificate for the web server


1. On LON-SVR1, open the Internet Information Services (IIS) Manager.

2. Request a new Domain Certificate for the server by using the following parameters:

o Common name: LON-SVR1.adatum.com


o Organization: A. Datum

o Organization unit: IT

o City/locality: London

o State/province: England

o Country/region: GB

3. Request the certificate from the default CA.

X Task 4: Bind the certificate to the claims aware application on the web server and
verify application access
1. On LON-SVR1, in Internet Information Services, create a new HTTPS site binding, and then select the
newly created certificate.

2. On LON-DC1, open Internet Explorer, and then connect to
https://lon-svr1.adatum.com/adatumtestapp.

3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.

4. Close Internet Explorer.

Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.

Exercise 2: Installing and Configuring AD FS


Scenario
To start the AD FS implementation, you plan to install AD FS on the A. Datum domain controller, and then
configure the server as a standalone federation server. You also plan to configure the server to use a CA-
signed token-signing certificate.

The main tasks for this exercise are as follows:

1. Install and configure AD FS 2.0.

2. Create a stand-alone Federation Server by using the AD FS Federation Server Configuration Wizard.

3. Verify that FederationMetaData.xml is present and contains valid data.

X Task 1: Install and configure AD FS 2.0


• On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.

X Task 2: Create a stand-alone Federation Server by using the AD FS Federation Server
Configuration Wizard
• On LON-DC1, run the AD FS Federation Server Configuration Wizard using the following parameters:

a. Create a new federation service.

b. Create a standalone deployment.


c. Use the LON-DC1.Adatum certificate.

d. Choose a service name of LON-DC1.Adatum.com



X Task 3: Verify that FederationMetaData.xml is present and contains valid data


1. On LON-CL1, log on as Adatum\Brad, using the password Pa$$w0rd.

2. Open Internet Explorer.

3. Open Internet Options, and then add https://LON-DC1.Adatum.com and
https://LON-SVR1.adatum.com to the Local intranet zone.

4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.

5. Verify that the xml file opens successfully, and then scroll through its contents.

6. Close Internet Explorer.

Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the contents of FederationMetaData.xml.

Exercise 3: Configure AD FS for a Single Organization


Scenario
The first scenario for implementing the proof-of-concept AD FS application is to ensure that internal
users can use SSO to access the web application. You plan to configure the AD FS server and the web
application to enable this scenario. You also want to verify that internal users can access the application.

The main tasks for this exercise are as follows:

1. Configure a Token Signing Certificate for LON-DC1.Adatum.com.

2. Configure the Active Directory Claims Provider Trust.

3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.

4. Configure a relying party trust for the claims aware application.

5. Configure claim rules for the relying party trust.

6. Test the access to the claims aware application.

X Task 1: Configure a Token Signing Certificate for LON-DC1.Adatum.com


1. On LON-DC1, use the set-ADFSProperties –AutoCertificateRollover $False command to enable
modification of the assigned certificates.

2. In the AD FS Management console, add the LON-DC1.Adatum.com certificate as a new token
signing certificate.

Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name is listed under the
Subject when you add the certificate, delete the certificate, and then add the next certificate in the
list.

3. Make the new certificate the primary certificate, and then remove the old certificate.

X Task 2: Configure the Active Directory Claims Provider Trust


1. In the AD FS 2.0 Management console, go to the claims provider Trusts, highlight the Active
Directory store, and then go to Edit Claim Rules.

2. In the Edit Claim Rules for Active Directory dialog box on the Acceptance Transform Rules tab,
launch the Add Transform Claim Rule Wizard, and then complete the wizard with the following
settings:

a. Select Send LDAP Attributes as Claims under Claim rule template.

b. Name the claim rule Outbound LDAP Attribute Rule.

c. Choose Active Directory as the Attribute Store.


d. In the Mapping of LDAP attributes to outgoing claim types, select the following values:
▪ E-Mail-Addresses to E-Mail Address
▪ User-Principal-Name to UPN
▪ Display-Name to Name

X Task 3: Configure the claims application to trust incoming claims by running the WIF
Federation Utility
1. On LON-SVR1, launch the WIF Federation Utility from the Start screen.

2. Complete the wizard with the following settings:


o Point to the web.config file of the WIF sample application by pointing to
C:\Inetpub\wwwroot\AdatumTestApp\web.config.

o Specify an Application URI box by typing https://lon-svr1.adatum.com/AdatumTestApp/.

o Select to Use an existing STS, and then enter the path
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
o Select No encryption.

X Task 4: Configure a relying party trust for the claims aware application
1. In the AD FS 2.0 Management console, click Required: Add a trusted relying party, in the middle
pane.

2. Complete the Add relying party Wizard with the following settings:

o Choose to Import data about the relying party published online or on a local network and
type https://lon-svr1.adatum.com/adatumtestapp.

o Specify a Display name of ADatum Test App.

o Choose to Permit all users to access this relying party.

o Choose to Permit access for all users.


o Select the option to open the Edit Claims Rules for WIF Sample Claims App when the wizard is
complete.

X Task 5: Configure claim rules for the relying party trust


1. In the Edit Claim Rules for WIF Sample Claims App properties dialog box, choose to Add a Rule
on the Issuance Transform Rules tab.

2. Complete the Add Transform Claim Rule Wizard with the following settings:

o Choose Pass Through or Filter an Incoming Claim in the Claim rule template drop-down list.

o Name the claim rule Pass Through Windows Account Name.


o Select Windows account name in the incoming claim type drop-down list.

o Create three more rules to pass through E-Mail Address, UPN, and Name type claim.

X Task 6: Test the access to the claims aware application


1. On LON-CL1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/AdatumTestApp/.

2. Verify that you can access the application.

Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.

Exercise 4: Configure AD FS for Federated Business Partners


Scenario
The second deployment scenario is to enable Trey Research users to access the web application. You plan
to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then verify that Trey
Research users can access the application. You also want to confirm that you can configure access based
on user groups. You must ensure that all users at A. Datum, but only users in the Production group at Trey
Research, can access the application.

The main tasks for this exercise are as follows:


1. Add a claims provider trust for the TreyResearch.com AD FS server.
2. Configure a relying party trust on MUN-DC1 for A. Datum’s claim aware application.
3. Verify access to the A. Datum Test Application for Trey Research users.
4. Configure claim rules for the claim provider trust and the relying party trust to allow access only for a
certain group.
5. Verify restrictions and accessibility to the claims aware application.
6. To shut down the virtual machines.

X Task 1: Add a claims provider trust for the TreyResearch.com AD FS server


1. On LON-DC1, in the AD FS 2.0 Management console, go to Trust Relationships, go to claims
provider Trusts, and then choose to Add claims provider Trust.

2. Complete the Add claims provider Trust Wizard with the following settings:
o Choose Import data about the claims provider published online or on a local network and
enter https://mun-dc1.treyresearch.com as the data source.
o In Display Name enter mun-dc1.treyresearch.com.
o Complete the wizard.

3. In the Edit Claim Rules for the mun-dc1.treyresearch.com properties dialog, use the following
values:

o Add a Rule to the Acceptance Transform Rules.

o Choose Pass Through or Filter an Incoming claim in the Claim rule template list.

o Use Pass through Windows account name rule as the claim rule name.
o Choose Windows account name as the incoming claim type, and then choose to Pass through
all claim values.

o Complete the rule.

4. On LON-DC1, run the following command in Windows PowerShell:

Set-ADFSClaimsProviderTrust -TargetName "mun-dc1.treyresearch.com" -SigningCertificateRevocationCheck None

X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum’s claim aware
application
1. On MUN-DC1, in the AD FS Management console, open the Add relying party Trust Wizard, and then
complete it with the following settings:

o Choose to Import data about the relying party published online or on a local network and
type in https://lon-dc1.adatum.com.

o Specify a Display name of Adatum TestApp.

o Choose to Permit all users to access this relying party.

o Select to open the Edit Claim Rules for lon-dc1.adatum.com when the wizard is complete
check box.

2. In the Edit Claim Rules for lon-dc1.adatum.com properties dialog box, on the Issuance Transform
Rules tab, click to add a rule with the following settings:
o Choose Pass Through or Filter an Incoming claim in claim rule template list.

o In the Claim rule name box, type Pass through Windows account name rule.

o Choose Windows account name in Incoming claim type.

o Choose to Pass through all claim values.

o Complete the wizard.

X Task 3: Verify access to the A. Datum Test Application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp/.

2. Select mun-dc1.treyresearch.com as the home realm, and then log on as TreyResearch\April, with
the password Pa$$w0rd.

3. Verify that you can access the application.

4. Close Internet Explorer, and then connect to the same web site. Verify that you are not prompted for
a home realm this time.

You are not prompted for a home realm again. Once users have selected a home realm and been
authenticated by a realm authority, they are issued with an _LSRealm cookie by the relying party
Federation Server. The default lifetime for the cookie is 30 days. Therefore, for us to log on multiple times,
we should delete that cookie after each logon attempt to return to a clean state.

X Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a certain group
1. On MUN-DC1, in the AD FS Management Console, access the lon-dc1.adatum.com relying party trust.

2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule
Permit Production Group Rule, configure the User’s Group as Production, configure the
Outgoing claim type as Group, and the Outgoing claim value as Production.

3. On LON-DC1, in the AD FS Management Console, edit the mun-dc1.treyresearch.com claims provider
Rule, creating a new rule that passes through or filters an incoming claim with the rule name of Send
Production Group Rule. Configure the rule with an incoming claim type of Group.

4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes
through or filters an incoming claim. Name the rule Send TreyResearch Group Name rule, and
configure the rule to use an incoming claim type of group.

5. Delete the Issuance Authorization Rule that grants access to all users.

6. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an
Incoming claim type of Group, an Incoming claim value of Production, and select the option to
Permit access to users with this incoming claim.

7. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim
value of @adatum.com, and select the option to Permit access to users with this incoming claim,
and then click Finish.

8. Edit the Temp rule, and then copy the claim rule language into the clipboard.
9. Delete the Temp rule.

10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule

11. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit
the first URL to match the following text, and then click Finish:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
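To see why these rules produce the results that Task 5 verifies (April denied, Morgan permitted, A. Datum UPNs permitted), here is an added example that is neither course material nor AD FS code: a small Python evaluator for the one-condition, one-issue subset of the claim rule language used in the demonstration and in this exercise, covering both the exact-match (==) and the regex (=~) forms. The Group claim type URI is the one behind the wizard's "Group" short name; the text of the Group rule (written in the form the template emits), the sample UPN values and the deny handling are assumptions.

```python
"""Evaluator for the subset of the AD FS claim rule language used in this module:
one condition, one issue statement. Added example; not course or AD FS code."""
import re
from dataclasses import dataclass

# Claim type URIs behind the short names the wizard shows (UPN, Group, Permit, Deny).
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


# c:[Type == "<t>", Value ==|=~ "<v>"] => issue(Type = "<t>", Value = "<v>");
RULE_RE = re.compile(
    r'c:\[\s*Type\s*==\s*"(?P<ctype>[^"]+)"\s*,\s*Value\s*(?P<op>==|=~)\s*"(?P<cval>[^"]+)"\s*\]'
    r'\s*=>\s*issue\(\s*Type\s*=\s*"(?P<otype>[^"]+)"\s*,\s*Value\s*=\s*"(?P<oval>[^"]+)"\s*\)\s*;?'
)


def parse_rule(text: str):
    """Return ((type, operator, value), issued Claim). Typographic quotes, as printed
    in the course book, are normalised to the straight quotes the console expects."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    m = RULE_RE.fullmatch(" ".join(text.split()))
    if m is None:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    return (m["ctype"], m["op"], m["cval"]), Claim(m["otype"], m["oval"])


def matches(cond, claim: Claim) -> bool:
    """== is an exact, case-sensitive compare; =~ is a .NET regex search."""
    ctype, op, cval = cond
    if claim.type != ctype:
        return False
    if op == "==":
        return claim.value == cval
    # The template emits (?i) right after ^, which .NET accepts but Python 3.11+
    # rejects as a misplaced global flag, so it is lifted into re.IGNORECASE.
    flags = re.IGNORECASE if "(?i)" in cval else 0
    return re.search(cval.replace("(?i)", ""), claim.value, flags) is not None


def run_rules(rules, incoming):
    """Evaluate rules in order. issue() adds the claim to the output set and also
    to the input set, so later rules can match on it."""
    input_set, output = list(incoming), []
    for rule_text in rules:
        cond, out = parse_rule(rule_text)
        for claim in list(input_set):
            if matches(cond, claim) and out not in output:
                output.append(out)
                input_set.append(out)
    return output


def authorize(rules, incoming) -> bool:
    """Issuance authorization: a Deny claim always wins, otherwise a Permit claim
    is required. No rule matching means no Permit, which is an implicit deny."""
    issued = run_rules(rules, incoming)
    if any(c.type == DENY for c in issued):
        return False
    return any(c.type == PERMIT for c in issued)


# Constructed rule set for the Adatum Test App relying party trust (Exercise 4, Task 4).
# The Group rule is written as the "Permit or Deny Users Based on an Incoming Claim"
# template emits it; the UPN rule is the custom rule from step 11, as printed.
ADATUM_TEST_APP_AUTHZ_RULES = [
    'c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"] '
    '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", '
    'Value = "PermitUsersWithClaim");',
    'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ '
    '"^(?i).+@adatum\\.com$"] => issue(Type = '
    '\u201chttp://schemas.microsoft.com/authorization/claims/permit\u201d, Value = '
    '\u201cPermitUsersWithClaim\u201d);',
]

# Constructed incoming claim sets for the lab users; the UPN values are assumed.
APRIL = [Claim(UPN, "April@treyresearch.com")]                               # not in Production
MORGAN = [Claim(UPN, "Morgan@treyresearch.com"), Claim(GROUP, "Production")]  # Task 5, step 3
BRAD = [Claim(UPN, "Brad@adatum.com")]                                       # A. Datum user

if __name__ == "__main__":
    for name, claims in (("April", APRIL), ("Morgan", MORGAN), ("Brad", BRAD)):
        verdict = "permitted" if authorize(ADATUM_TEST_APP_AUTHZ_RULES, claims) else "denied"
        print(f"{name}: {verdict}")
```

The anchored `$` and escaped `\.` in the UPN rule are what keep a value such as x@adatum.com.example from being permitted; the checks below exercise that.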

X Task 5: Verify restrictions and accessibility to the claims aware application


1. On MUN-DC1, verify that TreyResearch\April no longer has access to the A. Datum test app.

2. Clear the browsing history in Internet Explorer.


3. Verify that TreyResearch\morgan does have access to the A. Datum test app. Morgan is a member of
the Production group.

X To shut down the virtual machines


• When you have finished the lab, revert the virtual machines to their initial state.

Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a
relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claim-aware
application. Then you configured the application to restrict access from TreyResearch.com to specific
groups, and you verified appropriate access.

Module Review and Takeaways


Common Issues and Troubleshooting Tips

Common Issue    Troubleshooting Tip

Certificate errors on the federation server

Certificate errors on the client

Client application failed to authenticate with AD FS

Question: What are the benefits of deploying AD FS with a cloud-based application or service?

Question: Under what circumstances, would you choose to deploy a federation proxy server?
Under what circumstances, do you not have to deploy a federation proxy server?

Real-world Issues and Scenarios


1. Tailspin Toys is deploying a new claims-based web application. The web application needs to be
accessible to both Tailspin Toys users and to Trey Research users. What AD FS components will you
need to deploy at Tailspin Toys to enable this level of access?

2. Fabrikam is examining the requirements for AD FS. The company wants to use a federation proxy
server for maximum security. Currently, Fabrikam has an internal network with internal DNS servers.
Their internet-facing DNS is hosted by a hosting company. The perimeter network uses the hosting
company’s DNS servers for DNS resolution. What must the company do to prepare for the
deployment?

Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 1: Installing and Configuring Servers Based on Windows Server 2012
Lab: Installing and Configuring Servers
Based on Windows Server 2012
Exercise 1: Install Windows Server 2012 Server Core
X Task 1: Install Windows Server 2012
1. On the host machine, open the Hyper-V Manager console.

2. Click 20417A-LON-SVR5. In the Actions pane click Settings.

3. Under Hardware, click DVD Drive.

4. Click Image file, and then click Browse.


5. Browse to C:\Program Files\Microsoft Learning\20417\Drives, and then click Win2012_RC.ISO.

6. Click Open and then click OK.

7. In the Hyper-V Manager console, double-click 20417A-LON-SVR5; this will open the Virtual Machine
Connection window. From the Action menu, click Start.

8. On the Windows Server 2012 page of the Windows Setup Wizard, verify the following settings, and
then click Next:

o Language to install: English (United States)

o Time and currency format: English (United States)

o Keyboard or input method: US


9. On the Windows Server 2012 page of the Windows Setup Wizard, click Install now.

10. On the Select the operating system you want to install page of the Windows Setup Wizard, select
Windows Server 2012 Release Candidate Datacenter (Server Core Installation), and then click
Next.

11. On the License terms page of the Windows Setup Wizard, review the operating system license terms.
Select the I accept the license terms check box, and then click Next.

12. On the Which type of installation do you want? page of the Windows Setup Wizard, click Custom:
Install Windows Only (Advanced).

13. On the Where do you want to install Windows? page of the Windows Setup Wizard, verify that
Drive 0 Unallocated Space has sufficient space for the Windows Server 2012 operating system, and
then click Next:

o Depending on the speed of the host computer, the installation will take approximately 20
minutes.

o The virtual machine will restart several times during this process.

14. Click OK, and then in both the Password and Confirm password boxes type Pa$$w0rd, and then
click OK.

X Task 2: Convert a Windows Server 2012 Server Core installation to a full installation
1. If necessary, log on to LON-SVR5 using the Administrator account with the password Pa$$w0rd.

2. At the command prompt, type the following command and press Enter:

mkdir c:\mount

3. Issue the following command and press Enter to mount the Windows Server 2012 full installation
image:

dism.exe /mount-image /ImageFile:d:\sources\install.wim /Index:4 /Mountdir:c:\mount /readonly

4. Start Windows PowerShell by issuing the command:

PowerShell.exe

5. Load the ServerManager module by issuing the command and pressing Enter:

Import-Module ServerManager

6. Install the Windows Server 2012 GUI components of server core by issuing the following command
and pressing Enter:

Install-WindowsFeature -IncludeAllSubfeature User-Interfaces-Infra -Source:c:\mount\windows

7. When prompted, restart the server by issuing the following command and pressing Enter.

Shutdown /r /t 5

8. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify the presence of
the full GUI components.

X Task 3: Convert a Windows Server 2012 full installation to a Server Core installation
1. If necessary, log on to LON-SVR5 and verify that the full graphic environment is present.
2. Click Internet Explorer.

3. Click Close to close the message informing you that you cannot open Internet Explorer with the built-
in Administrator account.

4. On the Start screen, click Windows PowerShell.

5. Enter the following command and press Enter:

Import-Module ServerManager

6. Enter the following command and press Enter:

Uninstall-WindowsFeature User-Interfaces-Infra

7. Enter the following command to restart LON-SVR5:

Shutdown /r /t 5

8. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
configured to use the Server Core configuration.

Exercise 2: Configure a Computer Running a Server Core Installation of Windows Server 2012
X Task 1: Configure the network
1. If necessary, log on to LON-SVR5 using the account Administrator with password Pa$$w0rd.

2. At the command prompt, type sconfig.

3. Type 2 and press Enter to select Computer Name.

4. Enter the computer name LON-SVR5 and press Enter.

5. On the Restart dialog box, click Yes.

6. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd.

7. At the command prompt, type hostname and press Enter to verify the computer’s name.

8. At the command prompt, type sconfig and press Enter.

9. To configure Network Settings, type 8 and press Enter.

10. Type the index number of the network adapter that you want to configure and press Enter.
11. To set the Network Adapter Address, on the Network Adapter Settings page, type 1 and
press Enter.

12. To select static IP address configuration, type S and press Enter.

13. At the Enter static IP address: prompt, type 172.16.0.111 and press Enter.

14. At the Enter subnet mask prompt, type 255.255.0.0 and press Enter.

15. At the Enter default gateway prompt, type 172.16.0.1 and press Enter.
16. To configure the DNS server address, on the Network Adapter Settings page, type 2 and press Enter.

17. At the Enter new preferred DNS server prompt, type 172.16.0.10 and press Enter.

18. In the Network Settings dialog box, click OK.


19. To not configure an alternative DNS server address, press Enter.

20. To return to the main menu, type 4 and press Enter.

21. To exit sconfig, type 15 and press Enter.


22. To verify connectivity to the domain controller from LON-SVR5, type ping lon-dc1.adatum.com and
press Enter.

X Task 2: Add the server to the domain


1. Ensure that you are logged on to LON-SVR5 using the account Administrator with password
Pa$$w0rd.

2. At the command prompt, type sconfig and press Enter.

3. To switch to configure Domain/Workgroup, type 1 and press Enter.

4. To join a domain, type D and press Enter.

5. At the Name of domain to join prompt, type adatum.com and press Enter.

6. At the Specify an authorized domain\user prompt, type adatum\administrator and press Enter.

7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and
press Enter.

8. At the Change Computer Name prompt, click Yes.

9. At the Enter new computer name prompt, press Enter.

10. To restart the server, type 13 and press Enter.

11. In the Restart dialog box, click Yes.

12. Log on to LON-SVR5 with the adatum\administrator account and a password of Pa$$w0rd.
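The same network configuration and domain join, done from a Windows PowerShell prompt on LON-SVR5 instead of the sconfig menus. This is an added example, not part of the lab answer key; the adapter alias Ethernet is an assumption (confirm it with Get-NetAdapter), and the join credential is prompted for rather than typed into the script.

```powershell
# Added example, not part of the lab answer key: Task 1 and Task 2 above as a script
# run locally on LON-SVR5. Values are the lab's (172.16.0.111/16, gateway 172.16.0.1,
# DNS 172.16.0.10, domain adatum.com). The adapter alias is an assumption.
$Alias = 'Ethernet'   # assumption: confirm with Get-NetAdapter

# Clear any existing IPv4 address and default route on the adapter so the static
# settings below are applied cleanly (a fresh Server Core install is usually on DHCP).
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Task 1, steps 12-15: static address, 255.255.0.0 mask (prefix length 16) and gateway.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress 172.16.0.111 -PrefixLength 16 `
                 -DefaultGateway 172.16.0.1 | Out-Null

# Task 1, steps 16-19: preferred DNS server only; no alternate server is set.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses 172.16.0.10

# Task 1, step 22: the join below depends on name resolution and reachability of
# the domain controller, so stop here if either fails.
if (-not (Test-Connection -ComputerName lon-dc1.adatum.com -Count 2 -Quiet)) {
    throw 'lon-dc1.adatum.com is not reachable; check the address and DNS settings first.'
}

# Task 2: join adatum.com. The credential is prompted for instead of being stored in
# the script, and the server restarts once the join succeeds (Task 2, step 10).
$cred = Get-Credential -UserName 'adatum\administrator' -Message 'Domain join credential'
Add-Computer -DomainName adatum.com -Credential $cred -Restart
```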

X Task 3: Configure Windows Firewall

1. Ensure that you are logged on to LON-SVR5 using the account Adatum\Administrator with password Pa$$w0rd.

2. At the command prompt, type sconfig.cmd and press Enter.

3. To switch to Configure Remote Management, type 4 and press Enter.

4. To enable Remote Management, type 1 and press Enter.

5. On the Configure Remote Management dialog box, click OK.

6. To return to the main menu, type 4 and press Enter.

7. To return to the command prompt, type 15 and press Enter.

8. At the command prompt, type PowerShell.exe and then press Enter.

9. To view the enabled Firewall rules on LON-SVR5 that allow traffic, at the Windows PowerShell prompt, type the following command:

Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow"} | Format-Table -Property DisplayName

10. To view all disabled Firewall rules on LON-SVR5, type the following command:

Get-NetFirewallRule | Where-Object {$_.Enabled -eq "False"} | Format-Table -Property DisplayName

11. To view all NetFirewallRule related Windows PowerShell cmdlets, type the following command:

Get-Command -Noun NetFirewallRule

12. To view the status of the Remote Desktop inbound firewall rule, type the following command:

Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP

13. To enable the Remote Desktop Inbound Firewall rule, type the following command:

Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP

14. To verify that the Remote Desktop Inbound Firewall rule is enabled, type the following command:

Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP

15. To disable the Remote Desktop Inbound Firewall Rule, type the following command:

Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP

16. To verify that the Remote Desktop Inbound Firewall Rule is disabled, type the following command:

Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
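An added example (not from the lab) that turns the firewall cmdlets from steps 9 through 16 into a reusable audit: list the enabled inbound allow rules together with the ports they open, and switch the Remote Desktop rule while returning its resulting state so the change can be verified.

```powershell
# Added example, not part of the lab: audit helpers built on the NetFirewallRule cmdlets
# used in steps 9-16 of this task.

# Enabled inbound rules that allow traffic, with protocol and local port from the
# rule's port filter. The filter pattern is matched against DisplayName.
function Get-InboundAllowSummary {
    param([string]$DisplayNameFilter = '*')
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -like $DisplayNameFilter } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Profile     = $_.Profile
                Protocol    = $port.Protocol
                LocalPort   = ($port.LocalPort -join ',')
            }
        } | Sort-Object DisplayName
}

# Enable or disable the Remote Desktop inbound rule (steps 13 and 15) and return the
# rule's Enabled value afterwards, which is the check steps 14 and 16 perform by hand.
function Set-RemoteDesktopRule {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    $rule = 'RemoteDesktop-UserMode-In-TCP'
    if ($Enabled) {
        Enable-NetFirewallRule -Name $rule
    } else {
        Disable-NetFirewallRule -Name $rule
    }
    (Get-NetFirewallRule -Name $rule).Enabled
}

# Review what is currently open, then leave Remote Desktop closed as step 15 does.
Get-InboundAllowSummary | Format-Table -AutoSize
Set-RemoteDesktopRule -Enabled $false
```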

Exercise 3: Configure Remote Management for servers running Windows Server 2012

X Task 1: Validate the WinRM configuration

1. Log on to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.

2. In the Server Manager console, click Local Server, and then click Enabled next to Remote
Management.

3. On the Configure Remote Management dialog box, clear the check box next to Enable remote management of this server from other computers, and then click OK.

4. Close the Server Manager console.

5. Open Windows PowerShell from the Taskbar.

6. At the Windows PowerShell prompt, issue the command winrm qc. When you are prompted, type Y and press Enter.

7. Open the Server Manager console. Click Local Server. Verify that Remote Management is now
enabled.

X Task 2: Configure Server Manager for multiple server management

1. Log on to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.

2. In the Server Manager console, click Dashboard, and then click Create a server group.

3. On the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.

4. Click LON-DC1, press and hold the Ctrl key, and then click LON-SVR5. To add them to a server group, click the Arrow.

5. Set the Server Group Name to LONDON-GROUP, and then click OK.

6. In Server Manager click LONDON-GROUP.

7. In the details pane, select both LON-DC1 and LON-SVR5.

8. Scroll down to the Performance section.

9. Click LON-DC1. Press and hold the Ctrl key, and then click LON-SVR5.

10. While both servers are selected, right-click LON-DC1, and then click Start Performance Counters.

11. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.

X Task 3: Deploy a feature to the Server Core server

1. On LON-DC1, in the Server Manager console, click LONDON-GROUP.

2. In the Servers list, right-click LON-SVR5, and then click Add Roles and Features.

3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.

4. On the Select installation type page of the Add Roles and Features Wizard, select Role-based or
feature-based installation, and then click Next.

5. On the Select destination server page of the Add Roles and Features Wizard, ensure that
LON-SVR5.Adatum.com is selected, and then click Next.

6. On the Select server roles page of the Add Roles and Features Wizard, click Next.

7. On the Select features page of the Add Roles and Features Wizard, select Windows Server Backup,
and then click Next.

8. On the Confirm installation selections page of the Add Roles and Features Wizard, click Install.

9. To dismiss the Add Roles and Features Wizard, click Close.

10. In Server Manager, click the Flag and verify that the installation of the Windows Server Backup feature
succeeded on LON-SVR5.

X Task 4: To prepare for the next module

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR5.



Module 2: Monitoring and Maintaining Windows Server 2012

Lab: Monitoring and Maintaining Windows 2012 Servers
Exercise 1: Configuring Centralized Monitoring for Windows Server 2012
Servers
X Task 1: Configure Server Manager to monitor multiple servers
1. Switch to LON-SVR1.

2. In the Server Manager console, in the navigation pane, click All Servers.

3. In the Server Manager console, in the navigation pane, right-click All Servers, and then click Add
Servers.

4. In the Add Servers dialog box, click Find Now.

5. In the details pane of the Add Servers dialog box, click LON-DC1, click the right-arrow button, and
then click OK.

6. In Server Manager, hold down the Ctrl key, click LON-DC1, and then click LON-SVR1 to select both machines.

7. In Server Manager, scroll down to the Performance section; select both LON-DC1 and LON-SVR1.
Right-click the selected servers, and then click Start Performance Counters.

X Task 2: Configure a data collector set

1. On LON-SVR1, in Server Manager, click Tools, and then click Performance Monitor.

2. In the navigation pane, expand Data Collector Sets, and then click User Defined.

3. Click the Action menu, click New, and then click Data Collector Set.

4. In the Create new Data Collector Set Wizard, in the Name box, type Windows Server Monitoring,
select Create manually (Advanced), and then click Next.

5. On the What type of data do you want to include? page, ensure that the Create data logs option
button is selected, select the Performance Counter check box, and then click Finish.

6. In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User
Defined, click Windows Server Monitoring, click the Action menu, click New, and then click Data
Collector.

7. In the Create New Data Collector Wizard, in the Name box, type Base Windows Server Monitoring,
select Performance counter data collector, click Next, and then click Add.

8. In the Available counters object list, expand Processor, and then click % Processor Time. Click
Add.

9. In the Available counters object list, expand Memory, and then click Available Mbytes. Click Add.

10. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then
click OK.

11. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and
then click Finish.

12. In the Performance Monitor, in the navigation pane, click Windows Server Monitoring, click the
Action menu, and then click Start.

13. Wait at least one minute, click the Action menu, and then click Stop.

14. In the navigation pane, expand Reports, expand User Defined, expand Windows Server
Monitoring, click LON-SVR1_DateTime, and then review the report.

15. Close the Performance Monitor.

X Task 3: Configure an event subscription

1. Switch to LON-SVR1.

2. Move the mouse pointer to the lower-right corner of the screen, and then in the Search box, type cmd to open the Command Prompt.

3. At the command prompt, type winrm quickconfig and then press Enter.

4. In Server Manager, click Tools, and then click Computer Management.

5. In the Computer Management console, expand Local Users and Groups, and then click Groups.

6. In the details pane, double-click Administrators.

7. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click
Object Types.

8. In the Object Types dialog box, select the Computers check box, and then click OK.

9. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select box, type LON-DC1, and then click OK.

10. In the Administrators Properties dialog box, click OK.

11. Switch to LON-DC1.

12. Move the mouse pointer to the lower-right corner of the screen, and then in the Search box, type cmd to open the Command Prompt.

13. At the command prompt, type wecutil qc and then press Enter.

14. When you are prompted, type Y and then press Enter.

15. In Server Manager, click Tools, and then click Event Viewer.

16. In the Event Viewer, in the navigation pane, click Subscriptions.

17. Right-click Subscriptions, and then click Create Subscription.

18. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.

19. Click Collector Initiated, and then click Select Computers.

20. In the Computers dialog box, click Add Domain Computers.

21. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1,
and then click OK.

22. In the Computers dialog box, click OK.

23. In the Subscription Properties – LON-SVR1 Events dialog box, click Select Events.

24. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.

25. In the Logged list, click Last 7 days.



26. In the Event logs list, select Windows Logs. Click inside the Query Filter dialog box, and then click
OK.

27. In the Subscription Properties – LON-SVR1 Events dialog box, click OK.

28. In Event Viewer, in the navigation pane, expand Windows Logs.

29. Click Forwarded Events, and check for events from LON-SVR1.

Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.

Exercise 2: Backing up Windows Server 2012

X Task 1: Install the Windows Server Backup feature

1. Switch to LON-SVR1.

2. In Server Manager, on the Dashboard, click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select Installation Type page, click Next.

5. On the Select Destination Server page, select LON-SVR1 and then click Next.

6. On the Select server roles page, click Next.

7. On the Select features page, select Windows Server Backup, and then click Next.

8. On the Confirm installation selections page, click Install.

9. On the Installation progress page, wait until the Installation succeeded on LON-SVR1.adatum.com text appears, and then click Close.

X Task 2: Configure a scheduled backup

1. Switch to LON-SVR1.

2. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.

3. Click Local Backup, and then in the Actions pane, click Backup Schedule.

4. On the Getting Started page of the Backup Schedule Wizard, click Next.

5. On the Select Backup Configuration page, click Full server (recommended), and then click Next.

6. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.

7. On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.

8. On the Specify Remote Shared Folder page, in the Path box, type \\LON-DC1\Backup, and then
click Next.

9. In the Register Backup Schedule dialog box, in the Username box, type Administrator, in the
Password box, type Pa$$w0rd, and then click OK. Click Finish, and then click Close.

X Task 3: Complete an on-demand backup

To prepare for this task, you need to create a folder named Financial Data on drive C: of LON-SVR1, and within the Financial Data folder you need to create a text file named Financial Report.txt.

1. On LON-SVR1, on the Taskbar, click Windows Explorer.

2. In the Windows Explorer window, in the navigation pane, click Local Disk (C:).

3. In the Windows Explorer window, in the menu, click Home, click New Folder, and then in the New Folder icon in the details pane, type Financial Data.

4. In the Windows Explorer window, double-click the Financial Data folder, right-click in the details pane, click New, click Text Document, and in the New Text Document icon, type Financial Report.

To complete an on-demand backup, perform the following steps:

1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.

2. In the wbadmin – [Windows Server Backup (Local)] window, in the navigation pane, click Local
Backup, and then in the Actions pane, click Backup Once.

3. On the Backup Options page of the Backup Once Wizard, click Different options, and then click
Next.

4. On the Select Backup Configuration page, click Custom, and then click Next.

5. On the Select Items for Backup page, click Add Items.

6. Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.

7. On the Specify Destination Type page, click Remote shared folder, and then click Next.

8. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.

9. On the Confirmation page, click Backup.

10. On the Backup Progress page, click Close after the backup is complete.

Results: After completing this exercise, you will have installed the Windows Server Backup feature, configured a scheduled backup, and run an on-demand backup.
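Both backups of this exercise, the scheduled full-server backup of Task 2 and the on-demand backup of the Financial Data folder in Task 3, expressed with the WindowsServerBackup module that the feature installed in Task 1 provides. This is an added example, not part of the lab; the share path and time are the lab's, and the account with access to the share is prompted for.

```powershell
# Added example, not part of the lab: the Task 2 and Task 3 backups as PowerShell.
Import-Module WindowsServerBackup

# The remote shared folder from the wizards, with the account that can write to it.
# As the wizard's warning in Task 2 step 7 points out, a shared folder holds only
# the most recent backup: each new backup overwrites the previous one.
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' `
              -Credential (Get-Credential -Message 'Account with write access to \\LON-DC1\Backup')

# Task 2: full-server policy (every volume, system state and bare metal recovery),
# run every day at 01:00.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -AllVolumes)
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule '01:00'
Set-WBPolicy -Policy $policy -Force          # registers the schedule on this server

# Task 3: a one-time custom backup that contains only C:\Financial Data.
$once = New-WBPolicy
Add-WBFileSpec -Policy $once -FileSpec (New-WBFileSpec -FileSpec 'C:\Financial Data')
Add-WBBackupTarget -Policy $once -Target $target
Start-WBBackup -Policy $once

# Confirm what is now recoverable from the share; Exercise 3 reads the same data
# through the Recover wizard and vssadmin.
Get-WBBackupSet -BackupTarget $target | Select-Object VersionId, BackupTime, BackupTarget
```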

Exercise 3: Restoring files by using Windows Server Backup

X Task 1: Delete a file from the file server

1. On LON-SVR1, on the Taskbar, click Windows Explorer, and then in the navigation pane, click Local Disk (C:).

2. In Windows Explorer in details pane, right-click Financial Data folder, and then click Delete.

X Task 2: View the available restores by using the Vssadmin command

1. On LON-SVR1, on the Taskbar, click Windows PowerShell.

2. At the Windows PowerShell prompt, run the following command:

vssadmin list shadows

The command should display the existing shadow copy from the backup performed previously.

X Task 3: Restore the file from backup

1. In the Windows Server Backup console, in the Actions pane, click Recover.

2. On the Getting Started page, click A backup stored on another location, and then click Next.

3. On the Specify Location type page, click Remote shared folder, and then click Next.

4. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.

5. On the Select Backup Date page, click Next.

6. On the Select Recovery Type page, click Next.

7. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:) drive, and on the
right pane, select Financial Data, and then click Next.

8. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.

9. On the Confirmation page, click Recover.

10. On the Recovery Progress page, click Close.

11. Locate C:\ and ensure that the Financial Data folder is restored to drive C.

Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed the available restores, and then restored the folder from the backup that you created.

Exercise 4: Implementing Microsoft Online Backup and Restore

X Task 1: Install the Microsoft Online Backup Service component

1. On LON-SVR1, on the taskbar, click Windows Explorer.

2. In the Windows Explorer window, in the navigation pane, click Allfiles (E:), and in the details pane double-click msoidcli.msi. Click Run.

3. On the Microsoft Software License Terms page, click I accept the terms in the License Agreement
and Privacy Statement, and then click Install. Click Finish.

4. In Allfiles (E:), in the details pane double-click OBSInstaller.exe. Click Run.

5. In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service
Agreement terms and conditions, and then click OK.

6. On the Prerequisites Check page, click Next.

7. On the Installation Settings page, specify the settings (if not default), and then click Next:

o Installation Folder: C:\Program Files

o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent

8. On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then
click Install.

9. On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has
completed successfully message is displayed. Clear the Check for newer updates check box, and
then click Finish.

10. On LON-SVR1, move the mouse pointer to the lower-left corner of the screen, click Start, and then click Microsoft Online Backup Service.

11. On LON-SVR1, move the mouse pointer to the lower-left corner of the screen, click Start, and then click Microsoft Online Backup Service Shell.

X Task 2: Register the server with Microsoft Online Backup

Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer names used in this lab should be unique. If there is more than one student in the classroom with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.

To rename LON-SVR1, perform the following steps:

1. In the Server Manager window, on the Welcome to Server Manager page, click 1. Configure this
local server.

2. In the Server Manager window, on the Local Server page, click LON-SVR1.

3. In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-YOURNAME, click OK twice, and then click Close.

4. In the window that displays the message that you should restart your computer, click Restart Now.

5. Wait until YOURCITYNAME-YOURNAME is restarted, and then log on as Adatum\Administrator with password Pa$$w0rd.

To register the server with Microsoft Online Backup, perform the following steps:

1. Start the Microsoft Online Backup Service console, and then click Register Server.

2. In the Register Server Wizard, on the Account Credentials page, in the Username box, type
holuser@onlinebackupservice.onmicrosoft.com, and in the Password box, type Pa$$w0rd. Click
Next.

Note: In a real-life scenario, you would type the user name and password of your Microsoft Online Backup Service subscription account.

3. On the Proxy Configuration page, click Next.

4. On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type
Pa$$w0rdPa$$w0rd, and then click Register.

5. On the Server Registration page, ensure that the Microsoft Online Backup Service is now
available for this server message is displayed, and then click Close.

X Task 3: Configure an online backup

1. Switch to the Microsoft Online Backup Service console, and then click Schedule Backup.

2. On the Getting started page, click Next.

3. On the Select Items to back up page, click Add Items.

4. In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.

5. On the Specify Backup Time page, select Saturday, click 1:00AM, click Add, and then click Next.

6. On the Specify Retention Setting page, accept the default settings, and then click Next.

7. On the Confirmation page, click Finish.

8. On the Modify Backup Progress page, click Close.

9. In the Microsoft Online Backup Service console, click Back Up Now.

10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.

11. On the Backup progress page, wait until Backup is successfully completed message appears, and
then click Close.

X Task 4: Restore files by using the online backup


1. On the taskbar, click Windows Explorer, and then in the navigation pane, click Local Disk (C:).

2. In the Local Disk (C:) window, right-click the Financial Data folder, and then click Delete.

3. Switch to the Microsoft Online Backup Service console, and then click Recover Data.

4. In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.

5. On the Select Recovery Mode page, select Browse for files, and then click Next.

6. On the Select Volume and Date page, in the Select the volume drop-down list, select C:\. In the
calendar, click the date when you performed the backup, in the Time drop-down list, click the time
when you performed backup, and then click Next.

7. On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click
Next.

8. On the Specify Recovery Options page, select Original location and Create copies so that you
have both versions, and then click Next.

9. On the Confirmation page, click Recover.

10. On the Recovery Progress page, ensure that the File(s) recovery job succeeded status message appears, and then click Close.

11. Locate C:\ and ensure that the Financial Data folder is restored to drive C.

X Task 5: Unregister the server from the Microsoft Online Backup Service

1. Switch to the Microsoft Online Backup Service console, and then click Unregister Server.

2. On the Getting started page, click Unregister this server, and then click Next.

3. On the Account Credentials page, provide the following credentials:

o Username: holuser@onlinebackupservice.onmicrosoft.com

o Password: Pa$$w0rd

4. Click Unregister.

5. On the Server Unregistration page, click Close.

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.

X Task: To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20417A-LON-SVR1 and MSL-TMG1.

Module 3: Managing Windows Server 2012 by Using Windows PowerShell 3.0

Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0

Exercise 1: Introduction to Windows PowerShell 3.0

X Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1

1. Start the following virtual machines: LON-DC1, LON-SVR1, and LON-SVR2.

2. On LON-DC1, browse to the Start screen, type Windows PowerShell ISE and then right-click
Windows PowerShell ISE. In the pop-up banner, click Run as administrator.

3. In the Console pane, type Get-WindowsFeature and then press Enter.


4. In the Console pane, type Get-ChildItem E:\ModXA\Democode, and then press Enter.

5. In the Console pane, type dir C:\Windows, and then press Enter.

6. In the Console pane, type Get-E, press the Tab key until Get-ExecutionPolicy is shown, and then
press the Enter key.

X Task 2: Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1

1. If necessary, open Windows PowerShell ISE as an administrator.

2. In the Console pane, type Get-Service and then press Enter.


3. In the Console pane, type $Services = Get-Service and then press Enter.

4. In the Console pane, type Get-Help Where-Object -Examples and then press Enter. Click No to update help.

5. In the Console pane, type $Services | Where-Object {$_.Status -eq "Stopped"} and then press Enter.

X Task 3: Use a Remote Windows PowerShell session to install XPS Viewer on LON-SVR1

1. In Windows PowerShell ISE, click File, and then click New Remote PowerShell Tab.

2. In the New Remote PowerShell Tab window, in the Computer box, type LON-SVR1 and then click
Connect.

3. In the Console pane, type Get-WindowsFeature and then press Enter.

4. In the Console pane, type Add-WindowsFeature XPS-Viewer and then press Enter.

5. Press the Up Arrow key two times or until Get-WindowsFeature appears. Press Enter to execute.

6. On the LON-SVR1 Remote PowerShell tab, click Close.

Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.

Exercise 2: Managing AD DS by Using Windows PowerShell 3.0

X Task 1: Import the Active Directory PowerShell module and view the available cmdlets

1. If it is necessary, open Windows PowerShell ISE as an administrator.

2. In the Console pane, type Import-Module ActiveDirectory and then press Enter.

3. In the Console pane, type Get-Command -Module ActiveDirectory and then press Enter.

X Task 2: View options on how to create a report of users in the Active Directory
domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.

2. Run the following command:

Get-Command -Module ActiveDirectory

3. Run the following commands:

Get-ADUser -Filter * | Format-List

Get-ADUser -Filter * | Format-List -Property GivenName, Surname

Get-ADUser -Filter * -Properties * | Format-List *

4. Run the following commands:

Get-ADUser -Filter * | Format-Table

Get-ADUser -Filter * | Format-Table -Property GivenName, Surname

Get-ADUser -Filter * -Properties * | Format-Table

5. Run the following commands:

Get-ADOrganizationalUnit -Filter * | Format-Wide

Get-ADOrganizationalUnit -Filter * | Format-Wide -Column 3

6. Run the following commands:

Get-ADUser -Filter * | Sort-Object | Format-Wide

Get-ADUser -Filter * | Sort-Object -Property ObjectGUID | Format-Wide -Property ObjectGUID

7. Run the following command:

Get-ADUser -Filter * | Measure-Object

X Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.

2. In the Notepad window, on the File menu, click Open. Locate E:\ModXA\Democode
\LabUsers.Csv. You will need to change the file type to All Files.

3. Close Notepad.

4. In Windows PowerShell ISE, click File and then click Open. Locate
E:\ModXA\Democode\LabUsers.ps1. Click Open.

5. On line 13, modify the $OU variable to read:

$OU = "ou=sales, dc=adatum,dc=com"

6. Press F5 to run the LabUsers.ps1 script.

7. In the Console pane, type the following to verify that Luka Abrus, Marcel Truempy, Andy Brauninger, and Cynthia Cary were created:

Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Adatum,DC=com"
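An added example of the kind of CSV-driven script that LabUsers.ps1 represents. This is not the lab's file: the column names are an assumption, the CSV content is constructed inline from the four names step 7 verifies, and each account receives a unique random initial password that must be changed at first logon instead of one password shared across the file.

```powershell
# Added example, not the lab's LabUsers.ps1: create users in OU=Sales from CSV rows.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

$OU = 'OU=Sales,DC=Adatum,DC=com'

# Constructed sample data with assumed column names; the lab reads its own file
# from E:\ModXA\Democode\LabUsers.Csv instead.
$csv = @'
FirstName,LastName,SamAccountName
Luka,Abrus,labrus
Marcel,Truempy,mtruempy
Andy,Brauninger,abrauninger
Cynthia,Cary,ccary
'@

foreach ($u in ($csv | ConvertFrom-Csv)) {
    # Skip accounts that already exist so the script is safe to re-run.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists; skipping."
        continue
    }

    # Unique 16-character random initial password per account; the user is forced to
    # replace it at first logon, so it never needs to be recorded anywhere.
    $initial = ConvertTo-SecureString -AsPlainText -Force `
                   -String ([System.Web.Security.Membership]::GeneratePassword(16, 3))

    New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
               -GivenName $u.FirstName -Surname $u.LastName `
               -SamAccountName $u.SamAccountName `
               -UserPrincipalName "$($u.SamAccountName)@adatum.com" `
               -Path $OU -AccountPassword $initial `
               -ChangePasswordAtLogon $true -Enabled $true
}

# Step 7's verification as a function: the display names now present in OU=Sales.
function Get-SalesUserNames {
    Get-ADUser -Filter * -SearchBase $OU | Select-Object -ExpandProperty Name | Sort-Object
}
Get-SalesUserNames
```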

X Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.

2. In Windows PowerShell ISE, on the File menu, click Open. Locate E:\ModXA\Democode
\Using If Statements.ps1. Click Open.

3. Verify that line 9 reads:

$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress

4. Press F5 to run the script. Run the script a second time to view the changes.

Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional loops to modify Active Directory properties.

Exercise 3: Managing Servers by Using Windows PowerShell 3.0


X Task 1: Install and configure Windows PowerShell Web Access

1. On LON-DC1, open Windows PowerShell ISE, in the Console pane type the following, and then press Enter.

Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName LON-DC1 -IncludeManagementTools -Restart

2. In the Console pane, type Install-PswaWebApplication -UseTestCertificate and then press Enter.

3. In the Console pane, type Add-PswaAuthorizationRule -UserName Adatum\Administrator -ComputerName * -ConfigurationName * and then press Enter.
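Added example, not from the lab: the rule in step 3 authorizes Adatum\Administrator to every computer and every session configuration. The commands below show the narrower form a production gateway should use, together with the cmdlets that list and test rules; the group name Adatum\PSWA-Operators is an assumption.

```powershell
# Added example, not part of the lab: a scoped Windows PowerShell Web Access
# authorization rule next to the wildcard rule the task creates.
Import-Module PowerShellWebAccess

# Assumed group: members of Adatum\PSWA-Operators may open the default session
# configuration on LON-DC1 only. No wildcards, so a gateway credential cannot reach
# other hosts or other (possibly more privileged) session configurations.
Add-PswaAuthorizationRule -UserGroupName 'Adatum\PSWA-Operators' `
                          -ComputerName 'LON-DC1.adatum.com' `
                          -ConfigurationName 'Microsoft.PowerShell' `
                          -RuleName 'Operators to LON-DC1'

# Review every rule in place, including the "* / *" rule from step 3.
Get-PswaAuthorizationRule |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize

# Test whether a given user would be admitted to a given computer and configuration.
Test-PswaAuthorizationRule -UserName 'Adatum\Administrator' `
                           -ComputerName 'LON-DC1.adatum.com' `
                           -ConfigurationName 'Microsoft.PowerShell'

# Once the scoped rule is verified, the wildcard rule from step 3 can be removed:
Get-PswaAuthorizationRule |
    Where-Object { $_.Destination -eq '*' -and $_.ConfigurationName -eq '*' } |
    Remove-PswaAuthorizationRule -Confirm:$false
```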

X Task 2: Verify Windows PowerShell Web Access configuration

1. Browse to the Start screen and then click Internet Explorer.

2. In the Address bar, type the following URL and then press Enter:
https://LON-DC1/pswa

3. Click Continue to this website.

4. Sign in to Windows PowerShell Web Access by using the following information:

• User: Administrator
• Password: Pa$$w0rd

• Computer: LON-DC1

5. In the Windows PowerShell Web Access command shell, type Get-EventLog System -Newest 5 and then press Enter.

6. Type the following in the Windows PowerShell Web Access command shell:

Invoke-Command -ScriptBlock { Get-EventLog Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2

Results: After this exercise, you will have performed one to many management of remote servers by using
Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by
using Windows PowerShell Web Access.

X To prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR2 and 20417A-LON-DC1.



Module 4: Managing Storage for Windows Server 2012

Lab A: Managing Storage for Servers Based on Windows Server 2012

Exercise 1: Configuring iSCSI Storage

X Task 1: Install the iSCSI Target feature

1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.

2. In Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.

7. On the Select features page, click Next.

8. On the Confirm installation selections page, click Install.

9. When installation is complete, click Close.

X Task 2: Configure the iSCSI targets

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.

2. In the File and Storage Services pane, click iSCSI.

3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.

4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk1, and then click
Next.

6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.

7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.

8. On the Specify target name page, in the Name box, type lon-svr2, and then click Next.

9. On the Specify access servers page, click Add.

10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list, select IP Address, in the Value box, type 172.16.0.22, and then
click OK.

11. On the Specify access servers page, click Add.

12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list, select IP Address, in the Value box, type 131.107.0.2, and then
click OK.

13. On the Specify access servers page, click Next.

14. On the Enable Authentication page, click Next.

15. On the Confirm selections page, click Create.

16. On the View results page, wait until the creation is completed, and then click Close.

17. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.

18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk2, and then click
Next.

20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.

21. On the Assign iSCSI target page, click lon-svr2, and then click Next.

22. On the Confirm selections page, click Create.

23. On the View results page, wait until the creation is completed, and then click Close.

24. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.

25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.

26. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk3, and then click
Next.

27. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.

28. On the Assign iSCSI target page, click lon-svr2, and then click Next.

29. On the Confirm selections page, click Create.

30. On the View results page, wait until the creation is completed, and then click Close.
31. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.

32. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.

33. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk4, and then click
Next.
34. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.

35. On the Assign iSCSI target page, click lon-svr2, and then click Next.

36. On the Confirm selections page, click Create.

37. On the View results page, wait until the creation is completed, and then click Close.

38. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.

39. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.

40. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk5, and then click
Next.

41. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.

42. On the Assign iSCSI target page, click lon-svr2, and then click Next.

43. On the Confirm selections page, click Create.


44. On the View results page, wait until the creation is completed, and then click Close.
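Tasks 1 and 2 as a PowerShell script (an added example, not part of the course lab), with the CHAP step that the wizard's Enable Authentication page skips. It keeps the lab's names and addresses; the CHAP user name and secret are placeholders, and the disk folder is the wizard's default under C:.

```powershell
# Added example: iSCSI target side of Lab A, Exercise 1 (run on LON-DC1 as Adatum\Administrator).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Task 1: install the iSCSI Target Server role service.
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools | Out-Null
Import-Module IscsiTarget

$TargetName   = 'lon-svr2'
# Only these initiators may log on. Identifying by IP address is what the lab does; an IQN
# entry (for example 'IQN:iqn.1991-05.com.microsoft:lon-svr2.adatum.com') is the stricter
# choice because it does not depend on who happens to hold the address.
$InitiatorIds = @('IPAddress:172.16.0.22', 'IPAddress:131.107.0.2')
$DiskFolder   = 'C:\iSCSIVirtualDisks'      # wizard default for "Storage location C:"
$DiskCount    = 5

if (-not (Get-IscsiServerTarget -TargetName $TargetName -ErrorAction SilentlyContinue)) {
    New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $InitiatorIds | Out-Null
}

# Task 2: five 5 GB virtual disks (iSCSIDisk1..iSCSIDisk5), all mapped to the same target.
New-Item -ItemType Directory -Path $DiskFolder -Force | Out-Null
1..$DiskCount | ForEach-Object {
    $path = Join-Path $DiskFolder "iSCSIDisk${_}.vhd"
    if (-not (Test-Path $path)) {
        New-IscsiVirtualDisk -Path $path -SizeBytes 5GB | Out-Null
    }
    Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $path
}

# The step the lab skips: require one-way CHAP, so an initiator that merely owns a permitted
# IP address still needs the shared secret. The secret must be 12 to 16 characters;
# the value below is a placeholder.
$chapSecret = ConvertTo-SecureString 'ReplaceMe-12chr' -AsPlainText -Force
$chap = New-Object System.Management.Automation.PSCredential('iscsi-lon-svr2', $chapSecret)
Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $chap

# Check: show what the target will accept. An empty InitiatorIds list means any initiator
# that can reach TCP 3260 may log on, which is the usual misconfiguration to look for.
Get-IscsiServerTarget -TargetName $TargetName |
    Select-Object TargetName, TargetIqn, EnableChap, InitiatorIds, LunMappings |
    Format-List
```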

X Task 3: Configure MPIO


1. Log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.

2. In Server Manager, click Add roles and features.


3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

6. On the Select server roles page, click Next.

7. On the Select features page, click Multipath I/O, and then click Next.

8. On the Confirm installation selections page, click Install.

9. When installation is complete, click Close.

10. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select iSCSI
Initiator.

11. In the Microsoft iSCSI dialog box, click Yes.

12. In the iSCSI Initiator Properties dialog box, on the Targets tab, in the Target box, type LON-DC1,
and then click Quick Connect. In the Quick Connect box, click Done.

13. Click OK to close the iSCSI Initiator Properties dialog box.

14. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.

15. In MPIO Properties dialog box, click the Discover Multi-Paths tab.

16. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to
reboot the computer, click Yes.
17. After the computer restarts, log on to LON-SVR2 with the username Adatum\Administrator and the
password Pa$$w0rd.

18. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
19. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that additional Device
Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

20. Click OK to close the MPIO Properties dialog box.



X Task 4: Connect to and configure the iSCSI targets


1. On LON-SVR2, in Server Manager, on the menu bar, click Tools and then in the Tools drop-down list,
select iSCSI Initiator.

2. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.

3. In the Disconnect From All Sessions dialog box, click Yes.

4. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to
the list of Favorite Targets check box is selected, and then click the Advanced button.

6. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22 and in the Target
Portal IP drop-down list, click 172.16.0.10 / 3260.

7. In the Advanced Settings dialog box, click OK.


8. In the Connect to Target window, click OK.

9. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.

10. In Connect to Target window, click Enable multi-path, verify that the Add this connection to the
list of Favorite Targets check box is selected, and then click the Advanced button.

11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2 and in the Target
Portal IP drop-down list, select 131.107.0.1 / 3260.

12. In the Advanced Settings dialog box, click OK.

13. In the Connect to Target window, click OK.

14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.

15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto
Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.

17. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, and then click
Devices.

18. In the Devices dialog box, click the MPIO button.

19. Verify that in Load balance policy, Round Robin is selected. Under This device has the following
paths, notice that two paths are listed. Select the first path and then click the Details button.

20. Note the IP address of the Source and Target portals, and then click OK.

21. Select the second path and then click the Details button.

22. Verify that the Source IP address is of the second network adapter, and then click OK.

23. Click OK to close the Device Details dialog box.

24. Click OK to close the Devices dialog box.

25. Close the iSCSI Initiator Properties dialog box.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.
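Tasks 3 and 4 as a PowerShell script on LON-SVR2 (an added example, not part of the course lab), followed by a check that both paths are connected and that MPIO has claimed the disks. It assumes the target on LON-DC1 already exists; the CHAP values mentioned in the comments are placeholders that only apply if the target requires CHAP.

```powershell
# Added example: iSCSI initiator side of Lab A, Exercise 1 (run on LON-SVR2 as Adatum\Administrator).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Task 3: Multipath I/O plus automatic claiming of iSCSI devices (the "Add support for
# iSCSI devices" check box). A restart is needed before the DSM takes effect.
Install-WindowsFeature -Name Multipath-IO | Out-Null
Import-Module MPIO
Enable-MSDSMAutomaticClaim -BusType iSCSI
# Restart-Computer -Force     # uncomment; re-run the script from here after the reboot

Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Task 4: one session per network, each pinned to the initiator address on that network,
# so the two paths really are independent.
$paths = @(
    @{ Initiator = '172.16.0.22'; Portal = '172.16.0.10' },   # first network
    @{ Initiator = '131.107.0.2'; Portal = '131.107.0.1' }    # second network
)
foreach ($p in $paths) {
    New-IscsiTargetPortal -TargetPortalAddress $p.Portal -InitiatorPortalAddress $p.Initiator | Out-Null
}
$target = Get-IscsiTarget | Where-Object NodeAddress -like '*lon-dc1-lon-svr2-target'
if (-not $target) { throw 'Target not discovered; check the initiator IDs configured on LON-DC1.' }

foreach ($p in $paths) {
    $params = @{
        NodeAddress            = $target.NodeAddress
        TargetPortalAddress    = $p.Portal
        InitiatorPortalAddress = $p.Initiator
        IsMultipathEnabled     = $true    # "Enable multi-path"
        IsPersistent           = $true    # "Add this connection to the list of Favorite Targets"
    }
    # If the target requires CHAP, add AuthenticationType = 'ONEWAYCHAP', ChapUsername, ChapSecret.
    Connect-IscsiTarget @params | Out-Null
}

# Check: the target should have two connected sessions, one from each initiator address,
# and mpclaim should report the disks with a Round Robin policy.
$sessions = @(Get-IscsiSession | Where-Object TargetNodeAddress -eq $target.NodeAddress)
"{0} session(s) to {1}" -f $sessions.Count, $target.NodeAddress
$sessions | Get-IscsiConnection |
    Select-Object InitiatorAddress, TargetAddress, TargetPortNumber | Format-Table -AutoSize
if ($sessions.Count -lt 2) { Write-Warning 'Fewer than two paths: the disks are not multipathed.' }
mpclaim.exe -s -d      # MPIO disks and their load-balance policy
```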

Exercise 2: Configuring a Redundant Storage Space


X Task 1: Create a storage pool by using the iSCSI disks attached to the server
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.

2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage
Pools.

3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down list, click New Storage
Pool.

4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1,
and then click Next.

6. On the Select physical disks for the storage pool page, click all five physical disks, and then click
Next.

7. On the Confirm selections page, click Create.

8. On the View results page, wait until the creation is completed, then click Close.

X Task 2: Create a 3-way mirrored disk


1. On LON-SVR2, in Server Manager, in the STORAGE POOLS pane, click StoragePool1.

2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down list click New Virtual
Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.

4. On the Select the server and storage pool page, click StoragePool1, and then click Next.

5. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click
Next.

6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.

7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.

9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click
Next.
10. On the Confirm selections page, click Create.

11. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.

12. In the New Volume Wizard window, on the Before you begin page, click Next.

13. On the Select the server and disk page, in the Disk pane, click the virtual disk that is called
Mirrored vDisk, and then click Next.

14. On the Specify the size of the volume page, click Next to confirm the default selection.

15. On the Assign to a drive letter or folder page, make sure E is selected in the Drive letter drop-
down list, and then click Next.
16. On the Select file system settings page, in the File system drop-down list, select ReFS, in the
Volume label box, type Mirrored Volume, and then click Next.

17. On the Confirm selections page, click Create.

18. On the Completion page, wait until the creation is completed, and then click Close.

X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press Enter.

2. At the command prompt, type the following command and then press Enter:

Copy C:\windows\system32\write.exe E:\

3. Close the command prompt.

4. On the taskbar, open Windows Explorer and then click Mirrored Volume (E:). You should now see
write.exe in the file list.

5. Close Windows Explorer.

X Task 4: Disconnect an iSCSI disk


1. Switch to LON-DC1.

2. In Server Manager, in the navigation pane, click File and Storage Services.

3. In the File and Storage Services pane, click iSCSI.

4. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.

5. In the Disable iSCSI Virtual Disk warning message box, click Yes.

X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.

2. On the taskbar, open Windows Explorer, and then click Mirrored Volume (E:).

3. In the file list pane, double-click write.exe to make sure access to the volume is still available.

4. Close the Document - WordPad window.

5. Close Windows Explorer.

6. In Server Manager, in the STORAGE POOLS pane, on the menu bar click the Refresh “Storage Pools”
button. Wait until all panes are refreshed. Notice the warning that appears right next to Mirrored
vDisk.

7. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
8. In the Mirrored vDisk Properties window, in the navigation pane, click Health. Notice that the Health
Status indicates a Warning. The Operational Status should indicate Degraded.

9. Click OK to close the window.

X Task 6: Add a new iSCSI virtual disk


1. Switch to LON-DC1.

2. In Server Manager, in the navigation pane, click File and Storage Services.

3. In the File and Storage Services pane, click iSCSI.


4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select
New iSCSI Virtual Disk.

5. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, in the Storage
location pane, click C:, and then click Next.

6. On the Specify iSCSI virtual disk name page, type iSCSIDisk6, and then click Next.

7. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.

8. On the Assign iSCSI target page, click lon-svr2, and then click Next.

9. On the Confirm selections page, click Create.

10. On the View results page, wait until the creation is completed, and then click Close.

X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar click the Refresh “Storage Pools”
button.

3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add
Physical Disk.

4. In the Add Physical Disk window, click PhysicalDisk1 (LON-SVR2), and then click OK.
5. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend
Virtual Disk.

6. In the Extend Virtual Disk window, in the New size box, type 15, and then click OK.

Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
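Exercise 2 as a PowerShell script on LON-SVR2 (an added example, not part of the course lab). The Test-MirroredSpaceHealth function is the object form of the Health page in Task 5: run it before and after the iSCSI disk is disabled on LON-DC1 and again after the pool is extended in Task 7. Names match the lab; the function name is this example's own.

```powershell
# Added example: Storage Spaces side of Lab A, Exercise 2 (run on LON-SVR2 as Adatum\Administrator).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$PoolName = 'StoragePool1'
$DiskName = 'Mirrored vDisk'

# Task 1: pool every disk that can be pooled (the five iSCSI LUNs) into StoragePool1.
if (-not (Get-StoragePool -FriendlyName $PoolName -ErrorAction SilentlyContinue)) {
    $subsystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
    $poolable  = @(Get-PhysicalDisk -CanPool $true)
    if ($poolable.Count -lt 5) { throw "Only $($poolable.Count) poolable disk(s); expected 5." }
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
        -PhysicalDisks $poolable | Out-Null
}

# Task 2: a three-way mirror keeps three copies of every block on three different disks,
# so the space survives the loss of any two. Thin provisioned, 10 GB, ReFS on E:.
if (-not (Get-VirtualDisk -FriendlyName $DiskName -ErrorAction SilentlyContinue)) {
    $vd = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
        -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB
    $disk = $vd | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter E |
        Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false | Out-Null
}

# Task 5: health check. With one iSCSI disk disabled the space reports HealthStatus Warning
# and OperationalStatus Degraded, and the missing physical disk is no longer 'OK'.
function Test-MirroredSpaceHealth {
    param([string]$VirtualDiskName = $DiskName)
    $vd = Get-VirtualDisk -FriendlyName $VirtualDiskName
    [pscustomobject]@{
        VirtualDisk       = $vd.FriendlyName
        HealthStatus      = $vd.HealthStatus
        OperationalStatus = $vd.OperationalStatus
        DataCopies        = $vd.NumberOfDataCopies
        DisksNotOk        = @($vd | Get-PhysicalDisk | Where-Object OperationalStatus -ne 'OK').Count
        Healthy           = ($vd.HealthStatus -eq 'Healthy')
    }
}
Test-MirroredSpaceHealth

# Task 7: once iSCSIDisk6 is presented, add it to the pool and grow the space to 15 GB.
$new = @(Get-PhysicalDisk -CanPool $true)
if ($new.Count -gt 0) {
    Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $new
    Resize-VirtualDisk -FriendlyName $DiskName -Size 15GB
    # The partition and volume do not grow on their own; extend them to the new disk size.
    $max = (Get-PartitionSupportedSize -DriveLetter E).SizeMax
    Resize-Partition -DriveLetter E -Size $max
}
Test-MirroredSpaceHealth
```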

X To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR2.



Lab B: Implementing BranchCache


Exercise 1: Performing Initial Configuration Tasks for BranchCache
X Task 1: Configure LON-DC1 to use BranchCache
1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.

2. Open Server Manager by clicking the icon on the taskbar.

3. Click Add roles and features.


4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

5. On the Select installation type page, click Next.

6. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the BranchCache for Network Files check box, and then click Next.

8. On the Select features page, click Next.

9. On the Confirm installation selections page, click Install.

10. After the installation has succeeded, click Close.


11. Go to the Start screen, type gpedit.msc and then press Enter.

12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration,
expand Administrative Templates, expand Network, and then click Lanman Server.
13. In the Setting list in the Lanman Server result pane, right-click Hash Publication for BranchCache,
and then click Edit.

14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication
actions list, select the Allow hash publication only for shared folders on which BranchCache is
enabled check box, and then click OK.

X Task 2: Simulate slow link to the branch office


1. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration,
expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.

2. On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type
Limit to 100 KBps, click Specify Outbound Throttle Rate check box, type 100, and then click Next.

3. On the This QoS policy applies to page, click Next.

4. On the Specify the source and destination IP addresses page, click Next.

5. On the Specify the protocol and port numbers page, click Finish.

6. Close the Local Group Policy Editor.

X Task 3: Enable a file share for BranchCache


1. Open Windows Explorer by clicking the icon on the taskbar.

2. In the Computer window, browse to Local Disk (C:).

3. On the menu, on the Home tab, click New Folder.

4. Type Share and then press Enter.



5. Right-click Share and then click Properties.

6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.

7. Select the Share this folder check box and then click Caching.

8. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.

9. In the Advanced Sharing dialog box, click OK.

10. In the Share Properties dialog box, click Close.

11. Go to the Start screen, type command prompt and then press Enter.

12. At the command prompt, type the following command and then press Enter:

Copy C:\windows\system32\mspaint.exe c:\share

13. Close the command prompt.

14. Close Windows Explorer.

X Task 4: Configure client firewall rules for BranchCache


1. On LON-DC1, open Server Manager by clicking the icon on the taskbar.
2. In Server Manager, on the menu bar, click Tools and then select Group Policy Management from
the Tools drop-down list.

3. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.

4. In the navigation pane of the Group Policy Management Editor console, under Computer
Configuration expand Policies, expand Windows Settings, expand Security Settings, and then
expand Windows Firewall with Advanced Security.

5. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows
Firewall with Advanced Security, and then click Inbound Rules.
6. On the Action menu of the Group Policy Management Editor console, click New Rule.

7. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache –
Content Retrieval (Uses HTTP), and then click Next.

8. On the Predefined Rules page, click Next.

9. On the Action page, click Finish to create the firewall inbound rule.

10. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console,
select New Rule.

11. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache –
Peer Discovery (Uses WSD), and then click Next.

12. On the Predefined Rules page, click Next.

13. On the Action page, click Finish.

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
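The content-server side of Exercise 1 (Tasks 1, 3 and the rule groups from Task 4) as a PowerShell script on LON-DC1, an added example that is not part of the course lab. Task 2 stays a Local Group Policy Editor step because Windows Server 2012 has no cmdlet for Policy-based QoS; the registry value name used for the hash publication policy is an assumption taken from the policy template.

```powershell
# Added example: BranchCache content server for Lab B, Exercise 1 (run on LON-DC1 as Adatum\Administrator).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Task 1: "BranchCache for Network Files" role service plus the Lanman Server policy
# "Hash Publication for BranchCache". Value 1 corresponds to "Allow hash publication only
# for shared folders on which BranchCache is enabled" (value name assumed from the template).
Install-WindowsFeature -Name FS-BranchCache | Out-Null
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name HashPublicationForPeerCaching -Type DWord -Value 1

# Task 3: create C:\Share, share it with BranchCache caching enabled, copy the sample file.
New-Item -ItemType Directory -Path C:\Share -Force | Out-Null
if (Get-SmbShare -Name Share -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name Share -CachingMode BranchCache -Force
} else {
    New-SmbShare -Name Share -Path C:\Share -CachingMode BranchCache | Out-Null
}
Copy-Item -Path C:\Windows\System32\mspaint.exe -Destination C:\Share\

# Hashes are normally generated on first access; publishing them now means the first branch
# client already receives content information instead of the whole file over the slow link.
Publish-BCFileContent -Path C:\Share -Recurse

# Task 4 puts the predefined rule groups into the Default Domain Policy for the clients.
# The same groups exist locally on every Windows Server 2012 host; list their state here
# so a reviewer can see which BranchCache ports this server exposes.
Get-NetFirewallRule -DisplayGroup 'BranchCache*' |
    Select-Object DisplayGroup, DisplayName, Enabled, Direction | Format-Table -AutoSize

# Check: the share must report CachingMode BranchCache, and BranchCache must be enabled.
Get-SmbShare -Name Share | Select-Object Name, Path, CachingMode
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
```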

Exercise 2: Configuring BranchCache Client Computers


X Task 1: Configure client computers to use BranchCache in the Hosted Cache mode
1. On LON-DC1, in the navigation pane of the Group Policy Management Editor console, under
Computer Configuration, expand Policies, expand Administrative Templates, expand Network,
and then click BranchCache.

2. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click
Edit.

3. In the Turn on BranchCache dialog box, click Enabled and then click OK.

4. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode
and then click Edit.

5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Type the name of
the hosted Cache server, type LON-SVR1.adatum.com, and then click OK.

6. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network
files and then click Edit.

7. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the
maximum round trip network latency value (milliseconds) after which caching begins box, type
0, and then click OK. This setting is used here to simulate access from a branch office and is not
typically required.

8. Close the Group Policy Management Editor console.

9. Close the Group Policy Management console.


10. Start 20417A-LON-CL1. After the computer starts, log on as Adatum\Administrator with the
password of Pa$$w0rd.

11. On the Start screen, type command prompt and then press Enter.
12. At the command prompt, type the following command and then press Enter:

gpupdate /force

13. At the command prompt, type the following command and then press Enter:

netsh branchcache show status all

14. Start 20417A-LON-CL2. After the computer starts, log on as Adatum\Administrator with the
password of Pa$$w0rd.

15. On the Start screen, type command prompt and then press Enter.

16. At the command prompt, type the following command and then press Enter:

gpupdate /force

17. At the command prompt, type the following command and then press Enter:

netsh branchcache show status all

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 3: Configuring BranchCache on the Branch Server


X Task 1: Install the BranchCache feature on LON-SVR1
1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the
password of Pa$$w0rd.

2. Open Server Manager by clicking the icon on the taskbar.

3. Click Add roles and features.

4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

5. On the Select installation type page, click Next.


6. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, and then select the BranchCache for Network Files check box.

8. On the Select server roles page, click Next.

9. On the Select features page, click BranchCache, and then click Next.

10. On the Confirm installation selections page, click Install.

11. Close Server Manager.

X Task 2: Start the BranchCache host server


1. Switch to LON-DC1.
2. In Server Manager, on the menu bar, click Tools and then select Active Directory Users and
Computers from the Tools drop-down list.

3. Right-click Adatum.com, point to New, and then click Organizational Unit.


4. In the New Object - Organizational Unit window, type BranchCacheHost and then click OK.

5. Click the Computers container.

6. Click LON-SVR1 and drag it to BranchCacheHost.

7. Click Yes to clear the warning about moving objects.

8. Close Active Directory Users and Computers.

9. In Server Manager, on the menu bar, click Tools and then select Group Policy Management from
the Tools drop-down list.

10. Under Domains, expand Adatum.com, right-click BranchCacheHost, and then click Block
Inheritance.
11. On LON-DC1, close all open windows.

12. Restart LON-SVR1 and log on as Adatum\Administrator with the password of Pa$$w0rd.

13. Open Windows PowerShell by clicking the icon on the taskbar.

14. At the Windows PowerShell window, type the following cmdlet, and then press Enter:

Enable-BCHostedServer -RegisterSCP

15. At the Windows PowerShell window, type the following cmdlet, and then press Enter:

Get-BCStatus

16. Close the Windows PowerShell.

Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not
available when this course was created, so the BranchCache verification steps are not included in
this lab.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
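The branch side of Exercises 2 and 3 as PowerShell, an added example that is not part of the course lab: the hosted cache server steps on LON-SVR1 with a status check, and the client check on LON-CL1/LON-CL2 that the lab leaves out. The two Test-* function names are this example's own, and the property names read from the BranchCache cmdlets are those on Windows Server 2012 as I know them; confirm with Get-BCStatus | Format-List if your build reports them differently.

```powershell
# Added example: hosted cache server and client checks for Lab B, Exercises 2 and 3.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# ---- LON-SVR1: hosted cache server (Exercise 3) ----
Install-WindowsFeature -Name BranchCache | Out-Null
Import-Module BranchCache

# Registers a service connection point in AD so clients that use SCP discovery find this
# server without a hard-coded name (the lab's GPO names LON-SVR1.adatum.com explicitly).
Enable-BCHostedServer -RegisterSCP

# The hosted cache listens on HTTPS (TCP 443). Require domain authentication from clients;
# with 'None', any host that reaches the port can offer and retrieve cached content.
Set-BCAuthentication -Mode Domain

function Test-BCHostedServer {
    $hc = Get-BCHostedCacheServerConfiguration
    $st = Get-BCStatus
    [pscustomobject]@{
        ServiceStatus   = $st.BranchCacheServiceStatus
        HostedCacheOn   = $hc.HostedCacheServerIsEnabled
        ScpRegistered   = $hc.HostedCacheScpRegistrationEnabled
        Authentication  = $hc.ClientAuthentication          # expect Domain
        FirewallRulesOn = (@(Get-NetFirewallRule -DisplayGroup 'BranchCache - Hosted Cache Server*' |
                             Where-Object Enabled -eq 'True').Count -gt 0)
    }
}
Test-BCHostedServer

# ---- LON-CL1 / LON-CL2 (Windows 8 Enterprise): client check (Exercise 2) ----
# After gpupdate /force, the GPO should leave the client in hosted cache mode pointing at
# LON-SVR1. This is the object form of "netsh branchcache show status all".
function Test-BCHostedClient {
    param([string]$ExpectedServer = 'LON-SVR1.adatum.com')
    $st = Get-BCStatus
    $cl = Get-BCClientConfiguration
    [pscustomobject]@{
        Enabled       = $st.BranchCacheIsEnabled
        Mode          = $cl.CurrentClientMode               # expect HostedCacheClient
        HostedServers = $cl.HostedCacheServerList
        ServerMatches = (@($cl.HostedCacheServerList) -contains $ExpectedServer)
    }
}
# On LON-CL1 and LON-CL2, run after gpupdate /force:
# Test-BCHostedClient
```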

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2.



Module 5: Implementing Network Services


Lab: Implementing Network Services
Exercise 1: Configure new features in DNS and DHCP
X Task 1: Configure DNSSEC
1. On LON-DC1, in Server Manager, click Tools, and then click DNS on the drop-down list.

2. Expand LON-DC1, expand Forward Lookup Zones, and then select and right-click Adatum.com.

3. On the shortcut menu, click DNSSEC > Sign the Zone.

4. In the Zone Signing Wizard, click Next.

5. Select Customize zone signing parameters, and then click Next.

6. On the Key Master screen, ensure that LON-DC1 is the Key Master. Click Next.

7. On the Key Signing Key (KSK) screen, click Next.

8. On the Key Signing Key (KSK) screen, click Add.


9. On the New Key Signing Key (KSK) screen, click OK.

10. On the Key Signing Key (KSK) screen, click Next.

11. On the Zone Signing Key (ZSK) screen, click Next.

12. On the Zone Signing Key (ZSK) screen, click Add.

13. On the New Zone Signing Key (ZSK) screen, click OK.

14. On the Zone Signing Key (ZSK) screen, click Next.


15. On the Next Secure (NSEC) screen, click Next.

16. On the Trust Anchors screen, check Enable the distribution of trust anchors for this zone.
Click Next.

17. On the Signing and Polling Parameters screen, click Next.

18. On the DNS Security Extensions (DNSSEC) screen, click Next.

19. Click Finish.

20. Expand Trust Points, expand com, and click Adatum. Ensure that the DNSKEY resource records exist
and that their status is valid.

21. Close the DNS Manager console.

22. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.

23. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default
Domain Policy, and then click Edit.

24. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.

25. To apply the rule to the suffix of the namespace, in the Create Rules section, in the Suffix field, type
Adatum.com.

26. On the DNSSEC tab, click Enable DNSSEC in this rule.



27. Check Require DNS clients to check that the name and address data has been validated by the
DNS server, and then click Create.

28. Close the Group Policy Management Editor and Group Policy Management console.

X Task 2: Configure DHCP Name Protection


1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.

2. Expand Lon-DC1.adatum.com.

3. Select and then right-click IPv4, and then click Properties.

4. Click the DNS tab.

5. In the Name Protection section, click Configure.

6. Check Enable Name Protection, and then click OK.

7. To close the Properties dialog box, click OK.

X Task 3: Configure DHCP Failover


1. On LON-SVR1, in Server Manager, click Tools, and then on the drop-down list, click DHCP. Note that
the server is authorized but no scopes are configured.

2. Switch to LON-DC1.

3. In the DHCP Management console, right-click the IPv4 node, and then click Configure Failover.
4. In the Configuration Failover Wizard, click Next.

5. On the Specify a partner server to use for failover screen, enter 172.16.0.21 in the Partner Server
field, and then click Next.
6. On the Create a new failover relationship screen, in the Relationship Name field, type Adatum.

7. In the Maximum Client Lead Time field, set the hours to zero, and set the minutes to 15.

8. Ensure the Mode field is set to Load balance.

9. Ensure the Load Balance Percentage is set to 50%.

10. Check State Switchover Interval.

11. In the Enable Message Authentication Shared Secret field, type Pa$$w0rd and then click Next
and then click Finish.

12. Click Close.

13. Switch to LON-SVR1. Notice that the IPv4 node is active.

14. Expand the IPv4 node and expand the Adatum Scope.

15. Click the Address Pool node. Notice that the address pool is configured.

16. Click the Scope Options node. Notice that the scope options are configured.
17. Close the DHCP console on both LON-DC1 and LON-SVR1.

Results: After completing this exercise, you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
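Exercise 1 as a PowerShell script on LON-DC1, an added example that is not part of the course lab, with checks that the zone is signed, that clients are required to validate it, and that the failover relationship reached the partner. The scope ID 172.16.0.0 is an assumption (the lab only calls it the Adatum Scope); the shared secret is the lab's value.

```powershell
# Added example: DNSSEC, DHCP name protection and DHCP failover for Module 5, Exercise 1.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Zone = 'Adatum.com'

# Task 1: the wizard's "customize" path adds one KSK and one ZSK, then signs the zone.
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024
Invoke-DnsServerZoneSign -ZoneName $Zone -Force
# "Enable the distribution of trust anchors for this zone": publish the DNSKEY trust point
# to the other DNS servers in the forest.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DistributeTrustAnchor DnsKey

# Check 1: the zone now carries DNSKEY records (what step 20 inspects under Trust Points).
$dnskeys = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey)
"{0} DNSKEY record(s) published for {1}" -f $dnskeys.Count, $Zone
# Check 2: a query with the DO bit set returns RRSIG records. Once validation is required,
# an answer whose signature does not verify is rejected instead of being handed to the client.
Resolve-DnsName -Name "lon-dc1.$Zone" -Type A -DnssecOk -Server LON-DC1 |
    Where-Object Type -eq 'RRSIG' | Select-Object Name, Type, TypeCovered

# Steps 22 to 27: NRPT rule in the Default Domain Policy, DNSSEC on and validation required.
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired `
    -GpoName 'Default Domain Policy' -Comment 'Require DNSSEC-validated answers for Adatum.com'
Get-DnsClientNrptRule -GpoName 'Default Domain Policy' |
    Select-Object Namespace, DnsSecEnabled, DnsSecValidationRequired

# Task 2: name protection. A client cannot take over a name already registered by another
# client, because the DHCID record has to match before the A/PTR records are overwritten.
Set-DhcpServerv4DnsSetting -ComputerName LON-DC1 -NameProtection $true

# Task 3: load-balanced failover with LON-SVR1 (172.16.0.21): MCLT 15 minutes, 50/50 split,
# automatic state switchover, and message authentication with a shared secret.
$failover = @{
    ComputerName        = 'LON-DC1'
    Name                = 'Adatum'
    PartnerServer       = '172.16.0.21'
    ScopeId             = '172.16.0.0'               # assumption: the Adatum Scope's network
    LoadBalancePercent  = 50
    MaxClientLeadTime   = (New-TimeSpan -Minutes 15)
    AutoStateTransition = $true                      # "State Switchover Interval" checked
    StateSwitchInterval = (New-TimeSpan -Hours 1)    # the wizard's default interval
    SharedSecret        = 'Pa$$w0rd'
}
Add-DhcpServerv4Failover @failover

# Check 3: the relationship exists and the partner now serves the scope (steps 13 to 16).
Get-DhcpServerv4Failover -ComputerName LON-DC1 |
    Select-Object Name, PartnerServer, Mode, State, LoadBalancePercent, MaxClientLeadTime
Get-DhcpServerv4Scope -ComputerName LON-SVR1 | Select-Object ScopeId, Name, State
```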

Exercise 2: Configuring IP Address Management


X Task 1: Install the IPAM Feature
1. On LON-SVR2, in Server Manager, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next.

3. On the Select installation type screen, click Next.


4. On the Select destination server screen, click Next.

5. On the Select server roles screen, click Next.

6. On the Select features screen, check IP Address Management (IPAM) Server.

7. In the Add features that are required for IP Address Management (IPAM) Server pop-up, click
Add Features, and then click Next.

8. On the Confirm installation selections, click Install.


9. Close the wizard when completed.

X Task 2: Configure IPAM Related GPOs


1. On LON-SVR2, in the Server Manager, click IPAM.

2. In the IPAM Overview pane, after step 1 shows that LON-SVR2 is connected, click Provision the
IPAM server.

3. In the Provision IPAM Wizard, click Next.

4. On the Select provisioning method screen, select the Group Policy Based method, type IPAM in the
GPO name prefix field, and then click Next.

5. On the Confirm the Settings screen, click Apply.

6. When provisioning has completed, click Close.

X Task 3: Configure IP Management Server Discovery


1. On the IPAM Overview pane, click Configure server discovery.

2. To add the Adatum.com domain, in the Configure Server Discovery dialog box, click Add, and then
click OK.
3. On the IPAM Overview pane, click Start server discovery.

4. In the yellow banner, to determine the discovery status, click the More link. Discovery will take a few
minutes to complete.

5. To return to the IPAM pane, close the Overview Tasks Details dialog box.

X Task 4: Configure Managed Servers


1. From the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.

Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll
down to the Details View and note the status report. This is because the IPAM server has not yet
been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.

2. On the task bar click the Windows PowerShell icon.



3. Type the following command at the PowerShell prompt and then press Enter:

Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com

4. When you are prompted to confirm the action, press Enter. It will take a few moments to complete.

5. Return to Server Manager.

6. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
7. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.

8. Repeat steps 6 and 7 to configure LON-SVR1 to be managed.


9. Switch to LON-DC1.

10. On the task bar click Windows PowerShell.

11. Type gpupdate /force, and then press Enter.


12. Switch to LON-SVR1.

13. On the task bar click Windows PowerShell.

14. Type gpupdate /force, and then press Enter.

15. Switch back to LON-SVR2 and right-click LON-DC1, then click Refresh Server Access Status. This
may take a few minutes to complete.

16. Repeat step 15 to refresh the status for LON-SVR1.

17. Refresh the page by clicking the Refresh icon on the top menu bar until the IPAM Access Status shows
Unblocked.

18. From the IPAM Overview pane, click Retrieve data from managed servers. This action will take
several moments to complete.
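The provisioning, GPO check and policy refresh from steps 3 through 14, as an added PowerShell example that is not part of the courseware. It assumes it runs on LON-SVR2 as a domain administrator with the IpamServerProvisioning and GroupPolicy modules available, and that WinRM is reachable on LON-DC1 and LON-SVR1.

```powershell
# Added example (not the courseware's script): provision the IPAM GPOs, confirm they were
# created, then refresh Group Policy on the managed servers remotely.
# Assumptions: run on LON-SVR2 as a domain admin; IpamServerProvisioning and GroupPolicy
# modules present; WinRM reachable on the managed servers.

$domain     = 'Adatum.com'
$gpoPrefix  = 'IPAM'
$ipamServer = 'LON-SVR2.adatum.com'
$managed    = 'LON-DC1', 'LON-SVR1'

# Step 3: create the provisioning GPOs. -Force suppresses the confirmation prompt of step 4.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $gpoPrefix `
                           -IpamServerFqdn $ipamServer -Force

# The cmdlet creates three GPOs named <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS.
# Check all three exist before asking the servers to refresh policy.
$expected = "${gpoPrefix}_DHCP", "${gpoPrefix}_DNS", "${gpoPrefix}_DC_NPS"
$present  = Get-GPO -All -Domain $domain |
            Where-Object { $_.DisplayName -in $expected } |
            Select-Object -ExpandProperty DisplayName
$missing  = $expected | Where-Object { $_ -notin $present }
if ($missing) {
    throw "IPAM provisioning GPOs not found: $($missing -join ', ')"
}

# Steps 9 to 14: refresh policy on each managed server instead of logging on to each one.
# The GPOs are security-filtered to the servers IPAM manages, so a server stays Blocked
# until it is marked Managed (steps 6 to 8) and has applied the policy.
Invoke-Command -ComputerName $managed -ScriptBlock { gpupdate /force }
```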

X Task 5: Configure and Verify a New DHCP Scope with IPAM


1. In the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers.
Refresh the console pane until all objects show Running.

2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server
role.

3. On the shortcut menu, click Create DHCP Scope.

4. In the Create DHCP Scope dialog box, in the Scope Name field, type TestScope.

5. Type 10.0.0.10 in the Start IP address field.

6. Type 10.0.0.100 in the End IP address field.


7. In the Create details pane click Options.

8. In the Configure options pane, click the drop-down arrow of the Option field, and then select option
003 Router.

9. In the Values section click into the IP Address field and type 10.0.0.1, click Add to list, and then
click OK.

10. Switch to LON-DC1.

11. In the Server Manager toolbar, click Tools and then click DHCP.

12. In the DHCP console expand LON-DC1.Adatum.com and then expand IPv4 and confirm the
TestScope exists.

13. Right-click the TestScope and then click Deactivate. Click Yes.

14. Close the DHCP console.

15. On LON-SVR2, close all open windows.

Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.

Exercise 3: Configuring NAP


X Task 1: Configure Server and Client Certificate Requirements
1. On LON-SVR2, move the mouse to the lower right corner, click the Search icon on the flyout menu,
type MMC.EXE, and press Enter.

2. In the Console1 window, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
4. In the Certificates snap-in dialog box, select Computer account, and then click Next.

5. In the Select Computer dialog box, click Finish, and then click OK.

6. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.

7. In the Certificate Enrollment dialog box, click Next.

8. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.

9. Select the Computer check box and then click Enroll.

10. Verify the status of certificate installation as Succeeded and then click Finish.
11. Close the Console1 window. When you are prompted to save console settings, click No.

12. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

13. Move the mouse to the lower right corner and then click the Search icon on the flyout menu, type
MMC, and press Enter.

14. In the Console1 window click File and then click Add/Remove Snap-in.

15. In the Add or Remove Snap-ins dialog box click Certificates and then click Add.

16. In the Certificates snap-in dialog box select Computer account and then click Next.

17. In the Select Computer dialog box click Finish and then click OK.

18. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.

19. When the Certificate Enrollment dialog box appears, click Next.

20. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.

21. Select the Computer check box and then click Enroll.

22. Verify the status of certificate installation as Succeeded and then click Finish.

23. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.

24. When the Certificate Enrollment dialog box appears, click Next.

25. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.

26. Select the Computer check box, and then click Enroll.

27. Verify the status of certificate installation as Succeeded and then click Finish.

28. Close the Console1 window. When you are prompted to save console settings, click No.

29. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

30. On the Start screen, type MMC and press Enter.


31. In the Console1 window click File and then click Add/Remove Snap-in.

32. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.

33. In the Certificates snap-in dialog box, select Computer account and then click Next.

34. In the Select Computer dialog box, click Finish and then click OK.

35. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.
36. When the Certificate Enrollment dialog box appears, click Next.

37. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
38. Select the Computer check box and then click Enroll.

39. Verify the status of certificate installation as Succeeded and then click Finish.

40. Close the Console1 window. When you are prompted to save console settings, click No.

X Task 2: Install the Network Policy Server Role


1. On LON-SVR2, switch to Server Manager.

2. Click Add roles and features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, check Network Policy and Access Services.

7. In the Add Roles and Features Wizard dialog box, click Add Features and then click Next.

8. On the Select features page, click Next.

9. On the Network Policy and Access Services page, click Next.

10. On the Select role services page, check Network Policy Server. Click Next.

11. On the Confirm installation selections page, click Install.

12. When the installation has succeeded, click Close.



X Task 3: Configure Health Policies


1. On LON-SVR2, in Server Manager, click Tools and then click Network Policy Server.

2. Expand Network Access Protection, expand System Health Validators, expand Windows Security
Health Validator, and then click Settings.

3. In the right pane under Name, double-click Default Configuration.

4. On the Windows 8 Release Preview/Windows 7/Windows Vista selection, clear all check boxes
except the A firewall is enabled for all network connections check box, and then click OK.

5. Expand Policies.

6. Right-click Health Policies and then click New.

7. In the Create New Health Policy dialog box, under Policy name, type Compliant.

8. Under Client SHV checks, verify that Client passes all SHV checks is selected.

9. Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.

10. Right-click Health Policies, and then click New.

11. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
12. Under Client SHV checks, select Client fails one or more SHV checks.

13. Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.

X Task 4: Configure Network Policies for Compliant and Noncompliant Computers


1. Under Policies click Network Policies.

2. Disable the two default policies found under Policy Name by right-clicking the policies and then
clicking Disable.
3. Right-click Network Policies and then click New.

4. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type
Compliant-Full-Access and then click Next.
5. In the Specify Conditions window, click Add.

6. In the Select condition dialog box, scroll down and double-click Health Policies.

7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.

8. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a
value of Compliant and then click Next.

9. In the Specify Access Permission window, verify that Access granted is selected.
10. Click Next three times.

11. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is
selected and then click Next.

12. In the Completing New Network Policy window, click Finish.

13. Right-click Network Policies and then click New.

14. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type
Noncompliant-Restricted and then click Next.

15. In the Specify Conditions window, click Add.



16. In the Select condition dialog box, scroll down and double-click Health Policies.

17. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.

18. In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a
value of Noncompliant and then click Next.

19. In the Specify Access Permission window, verify that Access granted is selected.

Note: A setting of Access granted does not mean that noncompliant client computers are
granted full network access. It specifies that the policy should continue to evaluate the client
computers that match these conditions.

20. Click Next three times.


21. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and clear the
Enable auto-remediation of client computers check box.

22. In the Configure Settings window, click IP Filters.

23. Under IPv4, click Input Filters and then click New.

24. In the Add IP Filter dialog box, select Destination network. Type 172.16.0.10 next to IP address
and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from
noncompliant client computers can reach only LON-DC1.

25. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below
in the Inbound Filters dialog box and then click OK.
26. Under IPv4, click Output Filters and then click New.

27. In the Add IP Filter dialog box, select Source network. Type 172.16.0.10 next to IP address and
then type 255.255.255.255 next to Subnet mask.
28. Click OK to close the Add IP Filter dialog box and then in the Outbound Filters dialog box select
Permit only the packets listed below. This step ensures that only traffic from LON-DC1 can be sent
to noncompliant client computers.
29. To close the Outbound Filters dialog box, click OK.

30. In the Configure Settings window click Next and then click Finish.

X Task 5: Configure Connection Request Policies for VPN


1. Click Connection Request Policies.

2. Disable the default Connection Request policy named Use Windows authentication for all users by
right-clicking the policy and then clicking Disable.

3. Disable the default RRAS policy by right-clicking the Microsoft Routing and Remote Access Service
Policy and then click Disable.

4. Right-click Connection Request Policies and then click New.

5. In the Specify Connection Request Policy Name and Connection Type window, under Policy name,
type VPN Connections.

6. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click
Next.

7. In the Specify Conditions window, click Add.



8. In the Select Condition window, scroll down and double-click Tunnel Type, select PPTP, SSTP, and
L2TP. Click OK and then click Next.

9. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this
server is selected and then click Next.

10. In the Specify Authentication Methods window, select Override network policy authentication
settings.

11. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click
Microsoft: Protected EAP (PEAP) and then click OK.

12. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.

13. Verify that Enforce Network Access Protection is selected and then click OK.

14. Click Next two times and then click Finish.


15. Close the Network Policy Server.

Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.

Exercise 4: Verifying the NAP Deployment


X Task 1: Configure Security Center
1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.

3. In the Search box, type gpedit.msc, click Apps, and press Enter.

4. In the Local Group Policy Editor console tree, expand Local Computer Policy
/Computer Configuration/Administrative Templates/Windows Components/Security Center.

5. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

6. Close the Local Group Policy Editor.

X Task 2: Enable a Client NAP enforcement method


1. ON LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout
menu.

2. In the Search box type napclcfg.msc and press Enter.

3. In the console tree, click Enforcement Clients.

4. In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.

5. Close the NAP Client Configuration console.

6. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.

7. In the Search box type Services.msc and press Enter.

8. In the Services list, double-click Network Access Protection Agent.

9. In the Network Access Protection Agent Properties dialog box, change the Startup type to
Automatic and then click Start.

10. Wait for the NAP Agent service to start and then click OK.

11. Close the Services console.

X Task 3: Allow ping on LON-SVR2


1. On LON-SVR2 click Tools in Server Manager, and then click Windows Firewall with Advanced
Security.

2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.

3. Select Custom and then click Next.

4. Select All programs and then click Next.

5. In the Protocol type field, click the drop-down arrow and select ICMPv4 and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.

7. Click Next to accept the default scope.

8. In the Action window, verify that Allow the connection is selected and then click Next.
9. Click Next to accept the default profile.

10. In the Name window, type Allow Ping and then click Finish.

11. Close the Windows Firewall with Advanced Security console.

X Task 4: Move the client to the Internet and establish a VPN connection
1. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout
menu.

2. In the Search box type Control Panel and press Enter.


3. Click Network and Internet.

4. Click Network and Sharing Center.

5. Click Change Adapter Settings.

6. Right-click Local Area Connection and then click Properties.

7. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

8. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask,
type 255.255.0.0. Remove the existing default gateway and leave the Default gateway field empty.

9. Click OK and then click Close to close the Local Area Connection Properties dialog box.

10. Close the Network Connections window.

11. In Hyper-V Manager, right-click 20417A-LON-CL1 and then click Settings.

12. Click Legacy Network Adapter, under Network select Private Network 2, and then click OK.

13. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the
flyout menu.

14. In the Search box type CMD and press Enter.

15. At the command prompt, type ping 131.107.0.1 and press Enter.

16. Verify that a response is received.

17. Close the command prompt.

18. Return to Control Panel and then click Network and Internet.

19. Click Network and Sharing Center.

20. Click Set up a new connection or network.

21. On the Choose a connection option page, click Connect to a workplace and then click Next.

22. On the How do you want to connect page, click Use my Internet connection (VPN).

23. Click I’ll set up an Internet connection later.

24. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2.
Next to Destination name, type Adatum VPN.

25. Select the Allow other people to use this connection check box and then click Create.

26. In the Network And Sharing Center window, click Change adapter settings.

27. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

28. Under Authentication, click Use Extensible Authentication Protocol (EAP).


29. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft:
Protected EAP (PEAP) (encryption enabled) and then click Properties.

30. Ensure that the Verify the server’s identity by validating the certificate check box is already
selected. Clear the Connect to these servers check box, and then ensure that Secured password
(EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast
Reconnect check box, and then select the Enforce Network Access Protection check box.

31. To accept these settings, click OK two times.

32. In the Network Connections window, right-click the Adatum VPN connection and then click
Connect/Disconnect.
33. In the Networks flyout menu, click Adatum VPN and then click Connect.

34. In the Network Authentication dialog box, type Administrator in the User Name field and type
Pa$$w0rd in the Password field.
35. Click OK and then click Connect.

X Task 5: To prepare for the next module


1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR2 and 20417A-LON-CL1.

Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.

Module 6: Implementing DirectAccess


Lab: Implementing DirectAccess
Exercise 1: Configuring the DirectAccess Infrastructure
X Task 1: Configure the AD DS and DNS requirements
1. Create a security group for DirectAccess client computers by performing the following steps:

a. Switch to LON-DC1.

b. In the Server Manager console, in the upper-right corner, click Tools, and then click Active
Directory Users and Computers.

c. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New,
and then click Organizational Unit.

d. In the New Object – Organizational Unit window, in the Name box, type DA_Clients OU, and then
click OK.
e. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.

f. In the New Object - Group dialog box, under Group name, type DA_Clients.
g. Under Group scope, select Global, under Group type, select Security, and then click OK.

h. In the details pane, double-click DA_Clients.

i. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
j. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click
Object Types, select the Computers check box, and then click OK.

k. Under Enter the object names to select (examples), type LON-SVR3, and then click OK.

l. Verify that LON-SVR3 is displayed below Members, and then click OK.

m. Close the Active Directory Users and Computers console.

2. Configure firewall rules for ICMPv6 traffic by performing the following steps:

Note: It is important to configure firewall rules for ICMPv6 traffic to enable subsequent
testing of DirectAccess in the lab environment.

a. In the Server Manager console, in the upper-right corner, click Tools, and then click Group
Policy Management.

b. In the console tree, expand Forest: Adatum.com\Domains\adatum.com.

c. In the console tree, right-click Default Domain Policy, and then click Edit.
d. In the console tree of the Group Policy Management Editor, navigate to
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall
with Advanced Security\Windows Firewall with Advanced Security.

e. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

f. On the Rule Type page, click Custom, and then click Next.

g. On the Program page, click Next.



h. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click
Customize.

i. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request,
and then click OK.

j. Click Next.

k. On the Scope page, click Next.

l. On the Action page, click Next.

m. On the Profile page, click Next.


n. On the Name page, in the Name box, type Inbound ICMPv6 Echo Requests, and then click
Finish.

o. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New
Rule.

p. On the Rule Type page, click Custom, and then click Next.

q. On the Program page, click Next.

r. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click
Customize.

s. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request,
and then click OK.

t. Click Next.

u. On the Scope page, click Next.


v. On the Action page, click Allow the connection, and then click Next.

w. On the Profile page, click Next.

x. On the Name page, in the Name box, type Outbound ICMPv6 Echo Requests, and then click
Finish.

y. Close the Group Policy Management Editor and Group Policy Management consoles.
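The ICMP echo-request rules from this step and from Exercise 4, Task 3 (Allow Ping on LON-SVR2), as an added PowerShell example that is not part of the courseware. It assumes the NetSecurity module of Windows Server 2012 and, for the GPO case, that it runs on LON-DC1 where the Group Policy management tools are installed; the function name New-IcmpEchoRule is the example's own.

```powershell
# Added example (not courseware code): create an ICMP echo-request allow rule either in the
# local firewall policy (Exercise 4, Task 3) or inside a domain GPO (Module 6, Task 1, step 2).
# Assumes the NetSecurity module; writing to a GPO needs the Group Policy management tools.

function New-IcmpEchoRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [ValidateSet('ICMPv4', 'ICMPv6')] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateSet('Inbound', 'Outbound')] [string] $Direction,
        # Local persistent policy by default; "<domain FQDN>\<GPO name>" targets a GPO
        [string] $PolicyStore = 'PersistentStore',
        # The wizard's default scope is any address; narrow it where the lab design allows
        [string[]] $RemoteAddress = 'Any'
    )

    # Echo Request is ICMP type 8 for ICMPv4 and type 128 for ICMPv6
    $icmpType = if ($Protocol -eq 'ICMPv4') { 8 } else { 128 }

    # Idempotent: re-running the script must not create a duplicate rule
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -PolicyStore $PolicyStore `
                                    -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    New-NetFirewallRule -DisplayName $DisplayName `
                        -Direction $Direction `
                        -Protocol $Protocol `
                        -IcmpType $icmpType `
                        -RemoteAddress $RemoteAddress `
                        -Action Allow `
                        -Profile Any `
                        -PolicyStore $PolicyStore
}

# Exercise 4, Task 3: allow ICMPv4 echo requests on the local server (run on LON-SVR2)
New-IcmpEchoRule -DisplayName 'Allow Ping' -Protocol ICMPv4 -Direction Inbound

# Module 6, Task 1, step 2: ICMPv6 echo rules in the Default Domain Policy (run on LON-DC1)
$gpo = 'adatum.com\Default Domain Policy'
New-IcmpEchoRule -DisplayName 'Inbound ICMPv6 Echo Requests'  -Protocol ICMPv6 `
                 -Direction Inbound  -PolicyStore $gpo
New-IcmpEchoRule -DisplayName 'Outbound ICMPv6 Echo Requests' -Protocol ICMPv6 `
                 -Direction Outbound -PolicyStore $gpo

# Verify the rule carries the expected protocol and ICMP type before the clients refresh policy
Get-NetFirewallRule -DisplayName 'Inbound ICMPv6 Echo Requests' -PolicyStore $gpo |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, IcmpType
```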

3. Create required DNS records by performing the following steps:

a. In the Server Manager console, click Tools, and then click DNS.

b. In the console tree of DNS Manager, expand LON-DC1\Forward Lookup Zones\adatum.com.

c. Right-click adatum.com and then click New Host (A or AAAA).


d. In the Name box, type nls. In the IP address box, type 172.16.0.21. Click Add Host and then
click OK.

e. In the New Host dialog box, in the Name box, type CRL. In the IP address box, type
172.16.0.22, and then click Add Host.

f. In the DNS dialog box informing you that the record was created, click OK.

g. In the New Host dialog box, click Done.


h. Close the DNS Manager console.

4. Remove ISATAP from the DNS global query block list by performing the following steps:

a. Move the mouse pointer to the lower-right corner, click Search on the flyout menu, type
cmd.exe, and then press Enter to open the Command Prompt window.

b. In the Command Prompt window, type the following command and then press Enter:

dnscmd /config /globalqueryblocklist wpad

Ensure that the message Command completed successfully appears.

c. Close the Command Prompt window.
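Steps 3 and 4 (the nls and CRL host records, and trimming the global query block list so that ISATAP can resolve) as an added PowerShell example using the DnsServer module; it is not part of the courseware and assumes it runs on LON-DC1.

```powershell
# Added example (not the courseware's commands): create the host records of step 3 and
# apply the same block-list change as "dnscmd /config /globalqueryblocklist wpad" in step 4.
# Assumes the DnsServer module on LON-DC1.

$zone    = 'adatum.com'
$records = @{ 'nls' = '172.16.0.21'; 'crl' = '172.16.0.22' }   # values from the lab steps

foreach ($name in $records.Keys) {
    # Skip records that already exist so the script can be re-run safely
    $exists = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A `
                                          -ErrorAction SilentlyContinue
    if (-not $exists) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $records[$name]
    }
}

# The global query block list stops the server answering for the names "wpad" and "isatap"
# even if a host registers them through dynamic update, because a rogue record for either
# name would steer proxy or IPv6 transition traffic. Setting the list to "wpad" alone
# removes only isatap (what DirectAccess needs here) and keeps the wpad protection.
Set-DnsServerGlobalQueryBlockList -List 'wpad'

# Verify: isatap must be gone from the list and the new names must resolve
$blockList = Get-DnsServerGlobalQueryBlockList
if ($blockList.List -contains 'isatap') { throw 'isatap is still in the global query block list' }
"Block list now: $($blockList.List -join ', ')"

foreach ($name in $records.Keys) {
    $answer = Resolve-DnsName -Name "$name.$zone" -Type A
    if ($answer.IPAddress -ne $records[$name]) {
        throw "$name.$zone resolved to $($answer.IPAddress), expected $($records[$name])"
    }
}
```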

5. Configure the DNS suffix on LON-SVR2 by performing the following steps:

a. Switch to LON-SVR2.

b. Move the mouse to the lower right corner of the screen, click Settings, click Control Panel, and
then click View network status and tasks.

c. In the Network and Sharing Center window, click Change adapter settings.

d. In the Network Connection window, right-click Local Area Connection, and then click
Properties.

e. In the Local Area Connection Properties window, double-click Internet Protocol Version 4
(TCP/IPv4).

f. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click Advanced.

g. On the DNS tab, in the DNS suffix for this connection box, type Adatum.com, and then click
OK.

h. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK.

i. In the Local Area Connection Properties dialog box, click OK.


j. Close the Network Connections window.

X Task 2: Configure certificate requirements


1. Configure the CRL distribution settings by performing the following steps:

a. On LON-DC1, in Server Manager, on the Tools menu, click Certification Authority.

b. In the details pane, right-click Adatum-LON-DC1-CA, and then click Properties.

c. In the Adatum-LON-DC1-CA Properties dialog box, click the Extensions tab.

d. On the Extensions tab, click Add. In the Location box, type http://crl.adatum.com/crld/.
e. Under Variable, click <CAName>, and then click Insert.

f. Under Variable, click <CRLNameSuffix>, and then click Insert.

g. Under Variable, click <DeltaCRLAllowed>, and then click Insert.


h. In the Location box, type .crl at the end of the Location string, and then click OK.

i. Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP
extension of issued certificates, and then click Apply. Click No in the dialog box asking you to
restart Active Directory Certificate Services.

j. Click Add.

k. In the Location box, type \\lon-svr2\crldist$\.


l. Under Variable, click <CAName>, and then click Insert.

m. Under Variable, click <CRLNameSuffix>, and then click Insert.

n. Under Variable, click <DeltaCRLAllowed>, and then click Insert.

o. In the Location box, type .crl at the end of the string, and then click OK.

p. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click
OK.
q. Click Yes to restart Active Directory Certificate Services.

2. Duplicate the web certificate template and configure the appropriate permissions by performing the
following steps:
a. In the Certification Authority console, expand Adatum-LON-DC1-CA, right-click Certificate
Templates, and then select Manage.

Note: Users require the Enroll permission on the certificate.

b. In the Certificate Templates console, in the content pane, right-click the Web Server template,
and then click Duplicate Template.
c. Click the General tab and in the Template display name box, type Adatum Web Server
Certificate.

d. Click the Request Handling tab and select Allow private key to be exported.

e. Click the Security tab and then click Authenticated Users.

f. In the Permissions for Authenticated Users window, under Allow, click Enroll, and then click OK.

g. Close the Certificate Templates console.

h. In the Certification Authority console, right-click Certificate Templates, and navigate to
New/Certificate Template to Issue.

i. Select Adatum Web Server Certificate, and then click OK.

j. Close the Certification Authority console.

3. Configure computer certificate auto-enrollment by performing the following steps:

a. On LON-DC1, switch to Server Manager, click Tools on the upper-right side of the window, and
then click Group Policy Management.

b. In the console tree, expand Forest: Adatum.com, expand Domains, and then expand
Adatum.com.

c. In the console tree, right-click Default Domain Policy, and then click Edit.

d. In the console tree of the Group Policy Management Editor, navigate to
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

e. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then
click Automatic Certificate Request.
f. In the Automatic Certificate Request Setup Wizard, click Next.

g. On the Certificate Template page, click Computer, click Next, and then click Finish.

h. Close the Group Policy Management Editor and close the Group Policy Management console.

X Task 3: Configure the internal resources for DirectAccess


1. Request a certificate for LON-SVR1 by performing the following steps:

a. On LON-SVR1, move the mouse to the lower-right corner of the screen, select Search, type cmd,
and then press Enter.

b. At the command prompt, type the following command and then press Enter.

gpupdate /force

c. At the command prompt, type the following command and then press Enter.

mmc

d. Click File and then click Add/Remove Snap-in.

e. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.

f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates.

g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
h. Click Next twice.

i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More
information is required to enroll for this certificate.

j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type,
select Common name.

k. In the Value box, type nls.adatum.com, and then click Add.


l. Click OK, click Enroll, and then click Finish.

m. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
n. Close the console window. When you are prompted to save settings, click No.

2. To change the HTTPS bindings, perform the following steps:

a. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. At
the Internet Information Services (IIS) Manager message box, click No.

b. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites,
and then click Default Web site.

c. In the Actions pane, click Bindings. Click Add.

d. In the Add Site Bindings dialog box, click https, in the SSL certificate list, click the certificate with
the name nls.adatum.com, click OK, and then click Close.

e. Close the Internet Information Services (IIS) Manager console.
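The same NLS preparation done from Windows PowerShell, as an added example that is not part of the 20417A lab. It runs on LON-SVR1 as Adatum\Administrator and assumes the template's internal name (what Get-Certificate expects) is AdatumWebServerCertificate, corresponding to the display name Adatum Web Server Certificate in step 1.i; verify that name on LON-DC1 with certutil -template before relying on it.

```powershell
# Added example, not part of the 20417A lab. Runs on LON-SVR1 as Adatum\Administrator.
# Assumption: the template's internal name is AdatumWebServerCertificate (display name
# "Adatum Web Server Certificate"); check with: certutil -template
Import-Module WebAdministration

$templateName = 'AdatumWebServerCertificate'
$nlsName      = 'nls.adatum.com'

# Step 1.b: refresh policy so the machine knows the template and the enrolling CA.
gpupdate /force | Out-Null

# Steps 1.g to 1.l: enroll a machine certificate whose subject CN is the NLS name.
$enrollment = Get-Certificate -Template $templateName -SubjectName "CN=$nlsName" `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enrollment.Status -ne 'Issued') { throw "Enrollment did not complete: $($enrollment.Status)" }
$cert = $enrollment.Certificate

# Step 1.m, done strictly: the certificate must chain to a trusted root and carry the
# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); DirectAccess clients check both when they probe the NLS.
if (-not $cert.Verify()) { throw 'Certificate does not chain to a trusted root (or revocation could not be checked)' }
$ekuExt        = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $hasServerAuth) { throw 'Certificate lacks the Server Authentication EKU' }

# Step 2: an HTTPS binding on port 443 with this certificate attached.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# Local probe of the URL clients will use. A client that cannot validate this endpoint concludes
# it is outside the corporate network and turns DirectAccess on, so a 200 here is what you want.
(Invoke-WebRequest -Uri "https://$nlsName/" -UseBasicParsing).StatusCode
```

The Verify() call also performs revocation checking, so if it fails because the CRL cannot be fetched, fix CRL access rather than removing the check: clients will run into the same problem.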



X Task 4: Configure DirectAccess server


1. Obtain required certificates for LON-SVR2 by performing the following steps:

a. Switch to LON-SVR2.

b. Open a command prompt and type the following command, and then press Enter:

gpupdate /force

c. Move the mouse to the lower-right corner, select Search, type mmc.exe, and then press Enter.

d. Click File and then click Add/Remove Snap-in.

e. Click Certificates, click Add, click Computer account, click Next, select Local computer, click
Finish, and then click OK.

f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates.

g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

h. Click Next twice.


i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More
information is required to enroll for this certificate.

j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type,
select Common name.

k. In the Value box, type 131.107.0.2, and then click Add.

l. Click OK, click Enroll, and then click Finish.

m. In the details pane of the Certificates snap-in, verify that a new certificate with the name
131.107.0.2 was issued with Intended Purposes of Server Authentication.

n. Right-click the certificate and then click Properties.

o. In the Friendly Name box, type IP-HTTPS Certificate, and then click OK.

p. Close the console window. If you are prompted to save settings, click No.

2. Create a CRL distribution point on LON-SVR2 by performing the following steps:


a. Switch to Server Manager.

b. Click Tools, and then click Internet Information Services (IIS) Manager.

c. If the Internet Information Service Manager message box appears, click No.
d. In the console tree, browse to LON-SVR2\Sites\Default Web Site, right-click Default Web Site,
and then click Add Virtual Directory.

e. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path,
click the ellipsis button.

f. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.

g. Type CRLDist and then press Enter. In the Browse for Folder dialog box, click OK.
h. In the Add Virtual Directory dialog box, click OK.

i. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane,
click Enable.
j. In the console tree, click the CRLD folder.

k. In the middle pane of the console, double-click the Configuration Editor icon.

l. Click the down-arrow of the Section drop-down list, and navigate to
system.webServer\security\requestFiltering.

m. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the
value from False to True.

n. In the details pane, click Apply.

o. Close Internet Information Services (IIS) Manager.

Question: Why do you make the CRL available on the Edge server?

Answer: You make the CRL available on the Edge Server so that the Internet DirectAccess clients
can access the CRL.

3. Share and secure the CRL distribution point by performing the following steps:

Note: You perform this step to assign permissions to the CRL distribution point.

a. On the taskbar, click Windows Explorer.


b. Double-click Local Disk (C:).

c. In the details pane of Windows Explorer, right-click the CRLDist folder, and then click Properties.

d. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

e. In the Advanced Sharing dialog box, select Share this folder.

f. In the Share name box, add a dollar sign ($) to the end so that the share name is CRLDist$.

g. In the Advanced Sharing dialog box, click Permissions.

h. In the Permissions for CRLDist$ dialog box, click Add.

i. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

j. In the Object Types dialog box, select Computers, and then click OK.
k. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select box, type LON-DC1, and then click Check Names. Click OK.

l. In the Permissions for CRLDist$ dialog box, in the Group or user names list, select
LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control,
select Allow. Click OK.

m. In the Advanced Sharing dialog box, click OK.

n. In the CRLDist Properties dialog box, click the Security tab.

o. On the Security tab, click Edit.

p. In the Permissions for CRLDist dialog box, click Add.


q. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

r. In the Object Types dialog box, select Computers. Click OK.

s. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select box, type LON-DC1, click Check Names, and then click OK.

t. In the Permissions for CRLDist dialog box, in the Group or user names list, select
LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control,
select Allow, and then click OK.

u. In the CRLDist Properties dialog box, click Close.

v. Close the Windows Explorer window.

4. Publish the CRL to LON-SVR2 by performing the following steps:

Note: This step makes the CRL available on the edge server for Internet-based DirectAccess
clients.

a. Switch to LON-DC1.

b. In Server Manager, click Tools, and then click Certification Authority.

c. In the console tree, expand ADATUM-LON-DC1-CA, right-click Revoked Certificates, point to
All Tasks, and then click Publish.

d. In the Publish CRL dialog box, click New CRL, and then click OK.

e. On the taskbar, click Windows Explorer, type \\LON-SVR2\CRLDist$, and then press Enter.
f. In the Windows Explorer window, notice the Adatum-LON-DC1-CA files.

g. Close the Windows Explorer window.
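Steps 2 through 4 of this task as a Windows PowerShell script, an added example that is not part of the 20417A lab. Part 1 runs on LON-SVR2 and builds the CRLD virtual directory, the hidden share and the NTFS permissions; part 2 runs on LON-DC1 and publishes the CRL. It assumes, as the lab does, that the CA's CRL distribution point list already contains \\LON-SVR2\CRLDist$ (configured earlier in the lab), and the CRL file name used in the final check is derived from the CA name and is an assumption.

```powershell
# Added example, not part of the 20417A lab.
# Part 1: LON-SVR2 (edge server), Task 4 steps 2 and 3.
Import-Module WebAdministration

$crlPath   = 'C:\CRLDist'
$caAccount = 'ADATUM\LON-DC1$'          # the CA's computer account is the only writer
$vdirPath  = 'IIS:\Sites\Default Web Site\CRLD'

New-Item -ItemType Directory -Path $crlPath -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $crlPath | Out-Null

# Step 2.i: directory browsing is a convenience for checking what was published; clients do not need it.
Set-WebConfigurationProperty -PSPath $vdirPath -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# Steps 2.l-2.n: delta CRL file names contain '+', which request filtering rejects as a
# double-escaped sequence. Relax it for the CRLD directory only, not the whole site,
# so the rest of the site keeps the default protection.
Set-WebConfigurationProperty -PSPath $vdirPath -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Step 3: the '$' only hides the share from browsing; the ACLs are what restrict it.
New-SmbShare -Name 'CRLDist$' -Path $crlPath -FullAccess $caAccount | Out-Null
$acl  = Get-Acl -Path $crlPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $caAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $crlPath -AclObject $acl

# Part 2: LON-DC1 (the CA), Task 4 step 4. certutil -crl publishes a new base CRL to every
# configured distribution point, including the UNC path on the edge server.
certutil -crl
Get-ChildItem -Path '\\LON-SVR2\CRLDist$' -Filter '*.crl'

# Check from the Internet side, the way a DirectAccess client will fetch it (assumed file name).
$crlUrl = 'http://131.107.0.2/CRLD/Adatum-LON-DC1-CA.crl'
Invoke-WebRequest -Uri $crlUrl -OutFile "$env:TEMP\edge.crl" -UseBasicParsing
certutil -dump "$env:TEMP\edge.crl" | Select-String 'Update'
```

The last two lines are the test that matters: an Internet-based client must be able to download the CRL over plain HTTP from the edge server, or its validation of the IP-HTTPS certificate will fail.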

5. Complete the DirectAccess Setup Wizard on LON-SVR2 by performing the following steps:

Note: This step configures LON-SVR2 as a DirectAccess server.

a. On LON-SVR2, in Server Manager, on the Tools menu, click Remote Access Management.

b. In the Remote Access Management console, click Configuration.

c. On the Enable DirectAccess Wizard, click Next.

d. Under Select Groups, in the details pane, click Add.


e. In the Select Group dialog box, type DA_Clients, click OK, and then click Next.

f. In the Network Topology, verify that Edge is selected, and verify that 131.107.0.2 is the public
name used by clients to connect to the Remote Access server. Click Next.

g. On Infrastructure Server Setup page, click Next.

h. On Configure Remote Access page, click Next.

i. In Summary, click Finish, to apply DirectAccess Settings.


j. When the configuration is complete, click Close.

Note: Because the server you already configured is a VPN server, you can only use the Getting
Started Wizard, which generates a self-signed certificate for DirectAccess communication. The next
steps modify the default DirectAccess settings to use the certificates already deployed from the
internal certification authority.

k. In the Remote Access Management console, under Step 2, click Edit.



l. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.2.

m. Click Next.

n. On the Network Adapters page, verify that CN=131.107.0.2 is used as a certificate to
authenticate IP-HTTPS connections, and then click Next.

o. On the Authentication page, select Use computer certificates, click Browse, select Adatum
LON-DC1 CA, click OK, and then click Next.

p. On the VPN Configuration page, click Finish.

q. In the Remote Access Setup pane, under Step 3, click Edit.

r. On the Network Location Server page, select The network location server is deployed on
a remote web server (recommended), in the URL of the NLS box, type
https://nls.adatum.com, and then click Validate.

s. Ensure that the URL is validated.

t. Click Next, and then on the DNS page, examine the values, and then click Next.

u. On the DNS Suffix Search List page, click Next.

v. On the Management page, click Finish.

w. Under Step 4, click Edit. On the DirectAccess Application Server Setup page, click Finish.

x. Click Finish to apply the changes.


y. In Remote Access Review, click Apply.

z. Under Applying Remote Access Setup Wizard Settings, click Close.

6. Update Group Policy settings on LON-SVR2 by performing the following steps:


a. Move the mouse pointer to the lower-right corner, and then on the menu bar, click Search, type cmd,
and then press Enter.

b. At the command prompt, type the following commands, pressing Enter after each.

gpupdate /force

ipconfig

Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter IPHTTPSInterface
starting with 2002.
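Steps 5.k through 6 (replacing the wizard's self-signed certificate with the CA-issued one, switching to computer certificate authentication, pointing clients at the remote NLS, and checking the IP-HTTPS interface) using the RemoteAccess cmdlets, as an added example that is not part of the 20417A lab. It runs on LON-SVR2 after the Getting Started Wizard has completed and assumes the IP-HTTPS certificate from step 1 (CN=131.107.0.2) is in the machine store, the internal root CA certificate is in the Trusted Root store, and the DA_Clients group exists.

```powershell
# Added example, not part of the 20417A lab. Runs on LON-SVR2 after the Getting Started Wizard.
Import-Module RemoteAccess

# Steps 5.k-5.n: use the CA-issued IP-HTTPS certificate instead of the wizard's self-signed one.
$ipHttpsCert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
               Where-Object { $_.Subject -eq 'CN=131.107.0.2' } |
               Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ipHttpsCert) { throw 'IP-HTTPS certificate not found; complete step 1 first' }
Set-RemoteAccess -SslCertificate $ipHttpsCert

# Step 5.o: IPsec computer authentication with certificates chaining to the internal CA.
$rootCa = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
          Where-Object { $_.Subject -like '*Adatum-LON-DC1-CA*' } | Select-Object -First 1
if (-not $rootCa) { throw 'Internal root CA certificate not found in the Trusted Root store' }
Set-DAServer -IPsecRootCertificate $rootCa

# Step 5.r: the NLS lives on LON-SVR1; the cmdlet validates the URL as the wizard does.
Set-DANetworkLocationServer -Url 'https://nls.adatum.com'

# Step 5.e: only members of DA_Clients get the client GPO. Keeping this to a dedicated group
# limits how many machines can reach the corporate network from the Internet.
Add-DAClient -SecurityGroupNameList 'ADATUM\DA_Clients'

# Step 6: refresh policy, then confirm the settings and the IP-HTTPS address.
# 2002: is the 6to4 prefix the server derives from its public IPv4 address.
gpupdate /force | Out-Null
Get-DAServer | Select-Object ConnectToAddress, DAInstallType, UserAuthentication
Get-DAClient | Select-Object -ExpandProperty SecurityGroupNameList
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.IPAddress -like '2002:*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength
```

Get-RemoteAccessHealth is the cmdlet equivalent of the Operations Status view and is worth running after the changes; a certificate that cannot be validated against the CRL published in the previous task shows up there as an IP-HTTPS component error.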

Results: After completing this exercise, you will have configured the DirectAccess infrastructure.

Exercise 2: Configuring the DirectAccess Clients


X Task 1: Configure Group Policy to configure client settings for DirectAccess
1. Switch to LON-SVR3.

2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password of
Pa$$w0rd. This is to ensure that the LON-SVR3 computer connects to the domain as a member of
the DA_Clients security group.

3. Move the mouse pointer to the lower-right corner, select Search on the right menu, and then type
cmd to open the Command Prompt window.

4. At the command prompt, type the following command and then press Enter:

gpupdate /force

5. At the command prompt, type the following command, and then press Enter:

gpresult /R

6. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for
the Computer Settings.

Note: If the policy is not being applied, run the gpupdate /force command again. If the
policy is still not being applied, restart the computer. After the computer restarts, log on as
Adatum\Administrator and run the gpresult /R command again.

X Task 2: Verify client computer certificate distribution


1. On LON-SVR3, move the mouse pointer to the lower-right corner, select Search on the right menu,
type mmc.exe, and then press Enter.

2. Click File and then click Add/Remove Snap-in.

3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
4. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates.

5. In the details pane, verify that a certificate with the name Lon-SVR3.adatum.com is present with
Intended Purposes of Client Authentication and Server Authentication.

6. Close the console window. When you are prompted to save settings, click No.

Question: Why did you install a certificate on the client computer?


Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess
server.

X Task 3: Verify IP address configuration


1. On LON-SVR3, switch to the Start screen and click the Internet Explorer tile.

2. In the Address bar, type http://lon-svr1.adatum.com/ and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.

3. In the Address bar, type https://nls.adatum.com/ and then press Enter. The default IIS 8 web page
for LON-SVR1 appears.

4. Leave the Internet Explorer window open.

5. On the taskbar, click Windows Explorer, type \\Lon-SVR1\Files, and then press Enter. A folder
window with the contents of the Files shared folder appears.

6. Close all open windows.

Results: After completing this exercise, you will have configured the DirectAccess clients.

Exercise 3: Verifying the DirectAccess Configuration


X Task 1: Move the client computer to the Internet virtual network

Note: To verify the DirectAccess functionality, you must move the client computer to the
Internet.

1. Switch to LON-SVR3.
2. On LON-SVR3, move the mouse pointer to the lower-right corner of the screen, click Settings, select
Control Panel, and then click Network and Internet.

3. Click Network and Sharing Center.

4. Click Change Adapter Settings.

5. Right-click Local Area Connection and then click Properties.

6. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).

7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP
address. Fill in the following information, and then click OK.
• IP address: 131.107.0.10

• Subnet mask: 255.255.0.0

• Default gateway: 131.107.0.2


8. In the Local Area Connection Properties dialog box, click OK.

9. In the Network Connections window, right-click Local Area Connection, and then click Disable.

10. In the Network Connections window, right-click Local Area Connection, and then click Enable.
11. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network. Click OK.

X Task 2: Verify connectivity to the DirectAccess server


1. On LON-SVR3, move the mouse pointer to the lower-right corner, select Search on the right menu,
and then type cmd and then press Enter to open the command prompt.

2. At the command prompt, type the following command, and then press Enter:

ipconfig

3. Notice the IP address that starts with 2002. This is an IP-HTTPS address.

4. At the command prompt, type the following command, and then press Enter:

netsh name show effectivepolicy

5. At the command prompt, type the following command, and then press Enter:

powershell

6. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-DAClientExperienceConfiguration

Note: Notice the DirectAccess client settings.

X Task 3: Verify connectivity to the internal network resources


1. Switch to the Start screen and then click the Internet Explorer tile.

2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.

3. Leave the Internet Explorer window open.

4. On the taskbar, click Windows Explorer, type \\LON-SVR1\Files, and then press Enter. A folder
window with the contents of the Files shared folder appears.

5. Switch to the Command Prompt window.

6. At the command prompt, type the following command and then press Enter:

ping lon-dc1.adatum.com

Verify that you are receiving replies from lon-dc1.adatum.com.

7. At the command prompt, type the following command, and then press Enter:

gpupdate /force

8. Close all open windows.


9. Switch to LON-SVR2.

10. On the Start screen, click Remote Access Management.

11. In the Console pane, click Remote Client Status.

Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in
the bottom-right of the screen, note the use of Kerberos for the Machine and the User.

12. Close all open windows.
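A client-side check that automates Exercise 2, Tasks 1 and 2, and Exercise 3, Tasks 2 and 3, as an added example that is not part of the 20417A lab. It runs on LON-SVR3 as Adatum\Administrator, on either side of the edge, and reports which checks pass; the NRPT inspection assumes the exemption rule for the NLS carries no DirectAccess DNS servers, which is how the Remote Access wizard writes it.

```powershell
# Added example, not part of the 20417A lab. Run on LON-SVR3 as Adatum\Administrator.
function Test-DAClient {
    $r = [ordered]@{}

    # Exercise 2, Task 1: the DirectAccess Client Settings GPO must be in the computer's applied list.
    gpupdate /force | Out-Null
    $r.GpoApplied = [bool](gpresult /R /SCOPE COMPUTER | Select-String 'DirectAccess Client Settings')

    # Exercise 2, Task 2: a machine certificate for this host with both Client and Server Authentication EKUs.
    $clientAuth = '1.3.6.1.5.5.7.3.2'; $serverAuth = '1.3.6.1.5.5.7.3.1'
    $r.MachineCert = [bool](Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c    = $_
        $ekus = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages |
                ForEach-Object { $_.Value }
        $c.Subject -like "CN=$env:COMPUTERNAME.*" -and $ekus -contains $clientAuth -and $ekus -contains $serverAuth
    })

    # Exercise 3, Task 2, step 3: outside the network the client should hold a 2002: IP-HTTPS address.
    $r.IPHttpsAddress = (Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.IPAddress -like '2002:*' }).IPAddress

    # Step 4: the effective NRPT is what "netsh name show effectivepolicy" prints. The NLS name must be
    # an exemption (assumed: no DirectAccess DNS servers on its rule), or the client can never
    # detect that it is back inside the corporate network.
    $nrpt = Get-DnsClientNrptPolicy -Effective
    $r.NrptNamespaces = @($nrpt | ForEach-Object { $_.Namespace })
    $r.NlsExempt = [bool]($nrpt | Where-Object {
        $_.Namespace -eq 'nls.adatum.com' -and -not $_.DirectAccessDnsServers })

    # Step 6 and Task 3: client experience settings, then the internal resources the lab opens by hand.
    $r.DAConfig = Get-DAClientExperienceConfiguration
    try   { $r.HttpOk = (Invoke-WebRequest -Uri 'http://lon-svr1.adatum.com/' -UseBasicParsing).StatusCode -eq 200 }
    catch { $r.HttpOk = $false }
    $r.ShareOk  = Test-Path -Path '\\LON-SVR1\Files'
    $r.DcPingOk = Test-Connection -ComputerName 'lon-dc1.adatum.com' -Count 2 -Quiet

    [pscustomobject]$r
}

Test-DAClient | Format-List
```

On the server side, Get-RemoteAccessConnectionStatistics on LON-SVR2 lists the same session that step 11 shows under Remote Client Status, including the transition technology (IPHttps) and the authentication method.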

Results: After completing this exercise, you will have verified the DirectAccess configuration.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR2, and 20417A-LON-SVR3.



Module 7: Implementing Failover Clustering


Lab: Implementing Failover Clustering
Exercise 1: Configuring a Failover Cluster
X Task 1: Connect clients to the iSCSI targets
1. On LON-SVR3, in Server Manager, click Tools, and then click iSCSI Initiator.

2. In the Microsoft iSCSI dialog box, click Yes.

3. Click the Discovery tab.

4. Click Discover Portal.

5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.

6. Click the Targets tab.

7. Click Refresh.

8. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click
Connect.

9. Select Add this connection to the list of Favorite Targets, and then click OK two times.

10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.

12. Click the Discovery tab.

13. Click Discover Portal.

14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.

15. Click the Targets tab.

16. Click Refresh.

17. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click
Connect.

18. Select Add this connection to the list of Favorite Targets, and then click OK two times.

19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.

20. Expand Storage, and then click Disk Management.

21. Right-click Disk 1, and then click Online.

22. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.

23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.

24. On the Welcome page, click Next.

25. On the Specify Volume Size page, click Next.

26. On the Assign Drive Letter or Path page, click Next.

27. On the Format Partition page, in the Volume Label box, type Data. Select the Perform a quick
format check box, and then click Next.

28. Click Finish. (Note: If a Microsoft Windows dialog box prompts you to format the disk, click
Cancel.)

29. Repeat steps 22 through 28 for Disk 2 and Disk 3. (Note: Use Data2 and Data3 as the volume labels.)

30. Close the Computer Management window.

31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.

32. Expand Storage, and then click Disk Management.

33. Right-click Disk Management, and then click Refresh.

34. Right-click Disk 1, and then click Online.

35. Right-click Disk 2, and then click Online.

36. Right-click Disk 3, and then click Online.


37. Close the Computer Management window.
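Task 1 as a Windows PowerShell script, an added example that is not part of the 20417A lab. The discovery and connection part runs on both LON-SVR3 and LON-SVR4; the initialize-and-format part runs on LON-SVR3 only, as in the GUI steps, and LON-SVR4 merely brings the disks online. It assumes the three iSCSI LUNs appear as Disk 1 to Disk 3 on both nodes and that the Initialize Disk dialog's default partition style (MBR) is acceptable.

```powershell
# Added example, not part of the 20417A lab. Run the first part on both cluster nodes.
$portal    = '172.16.0.21'
$targetIqn = 'iqn.1991-05.com.microsoft:lon-svr1-target1-target'

# Step 2: clicking Yes in the Microsoft iSCSI dialog starts the initiator service and sets it to Automatic.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Steps 3-9: discover the portal, then connect persistently (the "Favorite Targets" check box).
New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null
$target = Get-IscsiTarget | Where-Object { $_.NodeAddress -eq $targetIqn }
if (-not $target) { throw "Target $targetIqn is not offered by portal $portal" }
if (-not $target.IsConnected) {
    Connect-IscsiTarget -NodeAddress $targetIqn -IsPersistent $true | Out-Null
}
Update-HostStorageCache

# --- LON-SVR3 only, steps 19-29: online, initialize, partition and format the shared LUNs ---
$labels = @{ 1 = 'Data'; 2 = 'Data2'; 3 = 'Data3' }   # assumption: LUNs are Disk 1..3
foreach ($n in 1..3) {
    $disk = Get-Disk -Number $n
    if ($disk.IsOffline)  { Set-Disk -Number $n -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $n -IsReadOnly $false }
    if ($disk.PartitionStyle -eq 'RAW') {
        Initialize-Disk -Number $n -PartitionStyle MBR
        New-Partition -DiskNumber $n -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$n] -Confirm:$false | Out-Null
    }
}

# --- LON-SVR4 only, steps 33-36: the volumes already exist, just bring the disks online ---
# Update-HostStorageCache; 1..3 | ForEach-Object { Set-Disk -Number $_ -IsOffline $false }

# Verification on either node: three iSCSI disks, online, with a partition style.
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
    Select-Object Number, FriendlyName, Size, OperationalStatus, PartitionStyle
```

Never run the format loop on the second node: both nodes see the same LUNs, and formatting from LON-SVR4 would destroy the volumes just created on LON-SVR3. The cluster will later arbitrate which node owns each disk.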

X Task 2: Install the Failover Clustering feature


1. On LON-SVR3, if Server Manager is not already open, click the Server Manager icon to open it.

2. Click Add roles and features.


3. On the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

6. On the Select server roles page, click Next.

7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for Failover Clustering? window, click Add Features. Click Next.

8. On the Confirm installation selections page, click Install.

9. When installation is complete (you get the message Installation succeeded on LON-SVRx), click Close.

10. Repeat steps 1 through 9 on LON-SVR4.

X Task 3: Validate the servers for Failover Clustering


1. On LON-SVR3, in the Server Manager, click Tools, and then click Failover Cluster Manager.

2. In the Actions pane of the Failover Cluster Manager, click Validate Configuration.

3. In the Validate a Configuration Wizard, click Next.

4. In the Enter Name box, type LON-SVR3, and then click Add.

5. In the Enter Name box, type LON-SVR4.


6. Click Add, and then click Next.

7. Verify that Run all tests (recommended) is selected, and then click Next.

8. On the Confirmation page, click Next.


9. Wait for the validation tests to finish (it might take up to 5 minutes), and then on the Summary page,
click View Report.

10. Verify that all tests completed without errors. Some warnings are expected.

11. Close Internet Explorer.

12. On the Summary page, clear the Create the cluster now using the validated nodes check box, and
then click Finish.

X Task 4: Create the Failover Cluster


1. On LON-SVR3, in Failover Cluster Manager, in the center pane, under Management, click Create
Cluster.

2. In the Create Cluster Wizard on the Before You Begin page, read the information.

3. Click Next, in the Enter server name box, type LON-SVR3, and then click Add. Type LON-SVR4,
and then click Add.

4. Verify the entries, and then click Next.

5. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1.

6. Under Address, type 172.16.0.125, and then click Next.

7. In the Confirmation dialog box, verify the information, and then click Next.

8. On the Summary page, click Finish to return to the Failover Cluster Manager.
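Tasks 2 through 4 (feature installation on both nodes, validation, cluster creation) as a single Windows PowerShell script, an added example that is not part of the 20417A lab. It runs once on LON-SVR3 as Adatum\Administrator and uses Windows Remote Management, which Windows Server 2012 enables by default, to reach LON-SVR4.

```powershell
# Added example, not part of the 20417A lab. Run on LON-SVR3 as Adatum\Administrator.
$nodes = 'LON-SVR3', 'LON-SVR4'

# Task 2: install the feature and its management tools on both nodes in one go.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
} | Select-Object PSComputerName, Success, RestartNeeded

Import-Module FailoverClusters

# Task 3: the full validation set. Keep the HTML report; it is the evidence that the shared
# storage and network paths were sound when the cluster was built.
$report = Test-Cluster -Node $nodes -ReportName "$env:TEMP\Cluster1-Validation"
"Validation report: $($report.FullName)"   # open it and confirm there are warnings but no errors

# Task 4: create the cluster with a static management address instead of DHCP.
New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress '172.16.0.125' | Out-Null

# Confirm both nodes joined and are Up before adding any role.
Get-ClusterNode -Cluster 'Cluster1' | Select-Object Name, State
Get-ClusterQuorum -Cluster 'Cluster1' | Select-Object QuorumType, QuorumResource
```

New-Cluster picks a witness disk automatically from the available shared storage, which is why the quorum query at the end is worth a look: the disk it selects is the one Exercise 3 takes offline later.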

Results: After this exercise, you will have installed and configured the Failover Clustering feature.

Exercise 2: Deploying and Configuring a Highly-Available File Server


X Task 1: Add the File Server application to the failover cluster
1. On LON-SVR3, in Server Manager, click Dashboard and then click Add roles and features.
2. On the Before you begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI Services, and then select File Server.

6. Click Next two times.

7. On the Confirmation page, click Install.

8. When the Installation succeeded message appears, click Close.

9. Repeat steps 1-8 on LON-SVR4.

10. On LON-SVR3, in the Failover Cluster Manager expand Cluster1.adatum.com.

11. Expand Storage, and click Disks.

12. Make sure that three disks are present and online (with names Cluster Disk 1, Cluster Disk 2 and
Cluster Disk 3).

13. Right-click Roles, and then select Configure Role.

14. On the Before You Begin page, click Next.


15. On the Select Role page, select File Server, and then click Next.

16. On the File Server Type page, click File Server for general use, and then click Next.

17. On the Client Access Point page, in the Client Access Name box, type AdatumFS, and in the
Address box, type 172.16.0.130, and then click Next.

18. On the Select Storage page, click Cluster Disk 2, and then click Next.

19. On the Confirmation page, click Next.

20. On the Summary page, click Finish.

X Task 2: Add a shared folder to a highly-available file server


1. On LON-SVR4, in the Server Manager console, click Tools and open Failover Cluster Manager.

2. Expand Cluster1.Adatum.com, and then click Roles.

3. Right-click AdatumFS, and then select Add File Share.


4. In the New Share Wizard, on the Select the profile for this share page, click SMB Share – Quick,
and then click Next.

5. On the Select the server and the path for this share page, click Next.
6. On the Specify share name page, in the Share name box, type Docs, and then click Next.

7. On the Configure share settings page, review available options, and then click Next.

8. On the Specify permissions to control access page, click Next.


9. On the Confirm selections page, click Create.

10. On the View results page, click Close.

X Task 3: Configure failover and failback settings


1. On LON-SVR4, in the Failover Cluster Manager, click Roles, right-click AdatumFS, and then click
Properties.

2. Click the Failover tab and then click Allow failback.

3. Click Failback between, and set values to 4 and 5 hours.


4. Click the General tab.

5. Select both LON-SVR3 and LON-SVR4 as preferred owners.

6. Move LON-SVR4 up.

7. Click OK.
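Exercise 2 (File Server role service, the AdatumFS clustered role, the Docs share, and the failback and preferred-owner settings) as a Windows PowerShell script, an added example that is not part of the 20417A lab. It runs on LON-SVR3 and assumes Cluster Disk 2 carries the volume labelled Data2; the share permissions are granted explicitly rather than left at the wizard's default, which is a deliberate departure from step 8 of Task 2.

```powershell
# Added example, not part of the 20417A lab. Run on LON-SVR3 as Adatum\Administrator.
$cluster = 'Cluster1'
$nodes   = 'LON-SVR3', 'LON-SVR4'
Import-Module FailoverClusters

# Task 1, steps 1-9: the File Server role service on both nodes.
Invoke-Command -ComputerName $nodes -ScriptBlock { Install-WindowsFeature -Name FS-FileServer } |
    Select-Object PSComputerName, Success

# Steps 10-12: the three shared disks should be online cluster resources.
Get-ClusterResource -Cluster $cluster |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
    Select-Object Name, State, OwnerGroup

# Steps 13-20: the File Server for general use role on Cluster Disk 2 with its client access point.
Add-ClusterFileServerRole -Cluster $cluster -Name 'AdatumFS' -Storage 'Cluster Disk 2' `
                          -StaticAddress '172.16.0.130' | Out-Null

# Task 2: a share scoped to the access point, created on whichever node currently owns the role.
$owner = (Get-ClusterGroup -Cluster $cluster -Name 'AdatumFS').OwnerNode.Name
Invoke-Command -ComputerName $owner -ScriptBlock {
    # Assumption: Cluster Disk 2 is the volume labelled Data2 (from Exercise 1).
    $drive = (Get-Volume -FileSystemLabel 'Data2').DriveLetter
    $path  = "${drive}:\Docs"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Explicit share permissions instead of the wizard default (Everyone: Read).
    New-SmbShare -Name 'Docs' -Path $path -ScopeName 'AdatumFS' `
                 -FullAccess 'ADATUM\Domain Admins' -ChangeAccess 'ADATUM\Domain Users'
}

# Task 3: allow failback only in a window (04:00-05:00), and prefer LON-SVR4 over LON-SVR3.
$group = Get-ClusterGroup -Cluster $cluster -Name 'AdatumFS'
$group.AutoFailbackType    = 1     # 1 = Allow failback
$group.FailbackWindowStart = 4     # hour of day, 24-hour clock
$group.FailbackWindowEnd   = 5
Set-ClusterOwnerNode -Group 'AdatumFS' -Cluster $cluster -Owners 'LON-SVR4', 'LON-SVR3'   # order = preference

Get-ClusterGroup -Cluster $cluster -Name 'AdatumFS' | Select-Object Name, OwnerNode, State
Get-ClusterOwnerNode -Group 'AdatumFS' -Cluster $cluster
```

A failback window keeps the role from bouncing back to its preferred node in the middle of the business day after an outage; the 4 to 5 o'clock window here is the lab's value, chosen so the move happens when few users are connected.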

Results: After this exercise, you will have configured a highly-available file server.

Exercise 3: Validate the Deployment of the Highly-Available File Server


X Task 1: Validate the highly-available file server deployment
1. On LON-DC1, open Windows Explorer, and in the Address bar, type \\AdatumFS\, and then press
Enter.

2. Verify that you can access the location and that you can open the Docs folder. Create a test text
document inside this folder.

3. On LON-SVR3, open the Failover Cluster Manager.

4. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS. (Note:
You can view the owner in the Owner node column. It will be either LON-SVR3 or LON-SVR4).

5. Right-click AdatumFS, and then click Move, and then click Select Node.
6. In the Move Clustered Role dialog box, click OK.

7. Verify that AdatumFS has moved to a new owner.

8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.

X Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, in the Failover Cluster Manager, click Roles.

2. Verify the current owner for the AdatumFS role. (Note: You can view the owner in the Owner node
column. It will be either LON-SVR3 or LON-SVR4).

3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.

4. Right-click the node, select More Actions, and then click Stop Cluster Service. Click Yes when
prompted.
5. Verify that AdatumFS has moved to another node. To do this, click the other node and verify that
AdatumFS is running.

6. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
7. Switch to the LON-SVR3 computer, on the Failover Cluster Manager, and right-click the stopped
node, select More Actions, and then click Start Cluster Service.

8. Expand Storage and then click Disks. In the center pane, right-click the disk that is assigned to Disk
Witness in Quorum. (Note: You can view this in the Assigned to column.)

9. Click Take Offline, and then click Yes.

10. Switch to LON-DC1 and verify that you can still access the \\AdatumFS\ location. By doing this, you
verified that the cluster is still running even if the witness disk is offline.

11. Switch to the LON-SVR3 computer and in Failover Cluster Manager, expand Storage, click Disks,
right-click the disk that is in Offline status, and then click Bring Online.
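Exercise 3 as a repeatable test script, an added example that is not part of the 20417A lab. It runs on LON-SVR3 as Adatum\Administrator and drives the three scenarios in turn (planned move, loss of the owning node's cluster service, loss of the witness disk), probing \\AdatumFS\Docs between each the way steps 1, 2, 6 and 10 do by hand on LON-DC1; any domain-joined machine can run the share probe.

```powershell
# Added example, not part of the 20417A lab. Run on LON-SVR3 as Adatum\Administrator.
Import-Module FailoverClusters
$cluster = 'Cluster1'; $role = 'AdatumFS'; $share = '\\AdatumFS\Docs'

function Assert-ShareReachable {
    # Create, read back and delete a marker file: proves the share is writable from a client.
    $marker = Join-Path $share ('probe-{0:yyyyMMddHHmmss}.txt' -f (Get-Date))
    Set-Content -Path $marker -Value 'failover probe'
    $ok = (Get-Content -Path $marker) -eq 'failover probe'
    Remove-Item -Path $marker -ErrorAction SilentlyContinue
    if (-not $ok) { throw "Share $share is not reachable" }
    $owner = (Get-ClusterGroup -Cluster $cluster -Name $role).OwnerNode.Name
    "$share reachable; role owned by $owner"
}

function Wait-ForFailover([string]$previousOwner) {
    # Failover takes a few seconds; poll until the role is Online on a different node.
    $deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 5
        $g = Get-ClusterGroup -Cluster $cluster -Name $role
    } until (($g.OwnerNode.Name -ne $previousOwner -and $g.State -eq 'Online') -or (Get-Date) -gt $deadline)
    if ($g.OwnerNode.Name -eq $previousOwner) { throw "Role did not fail over from $previousOwner" }
}

# Task 1: planned move to the other node (steps 1-8).
Assert-ShareReachable
Move-ClusterGroup -Cluster $cluster -Name $role | Out-Null
Assert-ShareReachable

# Task 2, steps 1-7: unplanned loss of the owner's cluster service, then restore it.
$owner = (Get-ClusterGroup -Cluster $cluster -Name $role).OwnerNode.Name
Stop-ClusterNode -Cluster $cluster -Name $owner | Out-Null
Wait-ForFailover -previousOwner $owner
Assert-ShareReachable
Start-ClusterNode -Cluster $cluster -Name $owner | Out-Null

# Steps 8-11: witness disk offline. With two nodes up, 2 of 3 votes remain, so the cluster keeps quorum.
$witness = (Get-ClusterQuorum -Cluster $cluster).QuorumResource
Stop-ClusterResource -Cluster $cluster -Name $witness.Name | Out-Null
Assert-ShareReachable
Start-ClusterResource -Cluster $cluster -Name $witness.Name | Out-Null
Get-ClusterQuorum -Cluster $cluster | Select-Object QuorumType, QuorumResource
```

The witness test passes only because both nodes are still running; losing a node while the witness is offline would drop the cluster below a majority, which is exactly the combination a quorum design has to plan for.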

Results: After this exercise, you will have tested the failover scenarios.

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster


X Task 1: Configure Cluster-Aware Updating
1. On LON-DC1, in Server Manager, click Add roles and features.

2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

5. On the Select server roles page, click Next.

6. On the Select features page, in the list of features, click Failover Clustering. In Add features that
are required for Failover Clustering? dialog box, click Add Features. Click Next.

7. On the Confirm installation selections page, click Install.

8. When installation is complete, click Close.

9. Switch to LON-SVR3. Open Server Manager, click Tools and then click Windows Firewall with
Advanced Security.
10. In Windows Firewall with Advanced Security window, click Inbound Rules.

11. In the rules list, find the rule Inbound Rule for Remote Shutdown (RPC-EP-In). Right-click the rule
and select Enable Rule.

12. In the rules list, find the rule Inbound Rule for Remote Shutdown (TCP-In). Right-click the rule and
select Enable Rule.

13. Close Windows Firewall with Advanced Security window.

14. Switch to LON-SVR4 and repeat steps 9 to 13.

15. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
16. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1. Click Connect.

17. In the Cluster Actions pane, click Preview updates for this cluster.
18. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes,
updates will be shown in the list. Review updates and then click Close.

Note: An Internet connection is required for this step to complete successfully. Make sure
that the MSL-TMG1 server is running and that you can access the Internet from LON-DC1.

X Task 2: Update the failover cluster and configure self-updating


1. On LON-DC1, in the Cluster-Aware Updating console, click Apply updates to this cluster.

2. On the Getting Started page, click Next.


3. On the Advanced options page, review the options for updating, and then click Next.

4. On the Additional Update Options page, click Next.

5. On the Confirmation page, click Update, and then click Close.


6. In the Cluster nodes pane, you can review the progress of updating. (Note: One node of the cluster
is in the Waiting state while the other node restarts after it is updated.)

7. Wait until the process is finished. (Note: This may require a restart of both nodes.) The process is
finished when both nodes show Succeeded in the Last Run status column.

8. Log on to LON-SVR3 with the user name Adatum\Administrator and the password Pa$$w0rd.

9. On LON-SVR3, in the Server Manager, click Tools, and then click Cluster-Aware Updating.

10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list,
select Cluster1. Click Connect.

11. Click the Configure cluster self-updating options in the Cluster Actions pane.

12. On the Getting Started page, click Next.

13. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.

14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM,
and then in the Day of the week box, select Sunday. Click Next.

15. On the Advanced Options page, click Next.

16. On the Additional Update Options page, click Next.



17. On the Confirmation page, click Apply.

18. After the clustered role is added successfully, click Close.
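Exercise 4 from Windows PowerShell, an added example that is not part of the 20417A lab. Part 1 opens the two Remote Shutdown firewall rules on the nodes (Task 1 steps 9 to 14), part 2 previews and applies updates from LON-DC1 as the coordinator (Task 1 steps 15 to 18 and Task 2 steps 1 to 7), and part 3 adds the self-updating clustered role (Task 2 steps 9 to 18). It runs on LON-DC1 as Adatum\Administrator and assumes, like the lab note, that Windows Update is reachable through MSL-TMG1; the StartDate value is an assumed example date.

```powershell
# Added example, not part of the 20417A lab. Run on LON-DC1 as Adatum\Administrator.
$cluster = 'Cluster1'
$nodes   = 'LON-SVR3', 'LON-SVR4'

# Part 1: enable only the two inbound rules CAU needs to restart nodes; nothing broader.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Get-NetFirewallRule -DisplayName 'Inbound Rule for Remote Shutdown*' | Enable-NetFirewallRule
    Get-NetFirewallRule -DisplayName 'Inbound Rule for Remote Shutdown*' |
        Select-Object DisplayName, Enabled
} | Select-Object PSComputerName, DisplayName, Enabled

# Part 2: the CAU tools ship with the Failover Clustering feature (Task 1, steps 1-8).
Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools | Out-Null
Import-Module ClusterAwareUpdating

# Readiness check, then a preview: the list of updates each node would receive (steps 17-18).
Test-CauSetup -ClusterName $cluster | Format-Table -AutoSize
Invoke-CauScan -ClusterName $cluster | Format-Table -AutoSize

# Apply with conservative limits: stop if any node fails, keep both nodes in scope (Task 2, steps 1-7).
Invoke-CauRun -ClusterName $cluster -Force -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline
Get-CauReport -ClusterName $cluster -Last | Format-List   # expect Succeeded for both nodes

# Part 3: self-updating role, Sundays at 04:00 (the wizard's Weekly / Sunday / 4:00 AM choice).
# -EnableFirewallRules does on every node what Part 1 did by hand.
Add-CauClusterRole -ClusterName $cluster -Force -EnableFirewallRules `
                   -DaysOfWeek Sunday -StartDate '1/6/2013 4:00 AM'   # assumed example date
Get-CauClusterRole -ClusterName $cluster
```

Running the coordinator from LON-DC1 rather than from a cluster node mirrors the lab; for self-updating mode the coordinator role lives in the cluster itself, which is why the firewall rules and the clustered role are both required.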

Results: After this exercise, you will have configured Cluster-Aware Updating.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR3, MSL-TMG1, and
20417A-LON-SVR4.

Module 8: Implementing Hyper-V


Lab: Implementing Server Virtualization
with Hyper-V
Exercise 1: Install the Hyper-V Server Role
X Task 1: Configure network settings on LON-HOST1 and LON-HOST2
1. Restart the classroom computer, and in the Windows Boot Manager, select either
20417A-LON-HOST1 or 20417A-LON-HOST2.

If you start LON-HOST1, your partner must start LON-HOST2.

2. Log on to the server with the Adatum\Administrator account and the password Pa$$w0rd.

3. In Server Manager, click Local Server.


4. In the Properties pane, click the IPv4 address assigned by DHCP link.

5. In the Network Connections dialog box, right-click the network object, and then click Properties.

6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.

7. On the General tab, click Use the following IP address, and then configure the following:

• LON-HOST1: 172.16.0.31
• LON-HOST2: 172.16.0.32

• Subnet mask: 255.255.0.0

• Default gateway: 172.16.0.1

8. On the General tab, click Use the following DNS server addresses, and then configure the
following:

• Preferred DNS server: 172.16.0.10


9. Click OK to close the Properties dialog box.

10. Click OK on the Microsoft TCP/IP dialog box.

11. Click Close.

12. Close the Network Connections dialog box.

X Task 2: Install the Hyper-V server role


1. In the Server Manager console, on the Manage menu, click Add Roles and Features.

2. On the Before you begin page of the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, select Role-based or feature-based installation, and then
click Next.

4. On the Select destination server page, ensure that LON-HOST1.Adatum.com or
LON-HOST2.Adatum.com is selected, and then click Next.

5. On the Server Roles page, select Hyper-V.

6. In the Add Roles and Features Wizard dialog box, click Add Features.

7. On the Select Server Roles page of the Add Roles and Features Wizard, click Next.

8. On the Select features page, click Next.

9. On the Hyper-V page, click Next.

10. On the Create Virtual Switches page, verify that no selections have been made, and then click Next.

11. On the Virtual Machine Migration page, click Next.

12. On the Default Stores page, review the location of Default Stores, and then click Next.

13. On the Confirm Installation Selections page, select Restart the destination server automatically
if required.

14. In the Add Roles and Features Wizard dialog box, review the message about automatic restarts, and
then click Yes.

15. On the Confirm Installation Selections page, click Install.

16. After a few minutes, the server will restart automatically. Ensure that you restart the machine by using
the Boot menu and selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will restart
several times.

X Task 3: Complete Hyper-V role installation and verify settings


1. Log on to LON-HOST1 or LON-HOST2 by using the username Adatum\Administrator and the
password Pa$$w0rd.

2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features
Wizard.

3. Click the Tools menu, and then click Hyper-V Manager.

4. In the Hyper-V Manager console, click the Hyper-V host server name (LON-HOST1 or LON-HOST2).

5. In the Actions pane, click Hyper-V Settings.


6. In the Hyper-V Settings dialog box, click the Keyboard item. Verify that the Keyboard is set to use
the Use on the virtual machine option.

7. In the Hyper-V Settings dialog box, click the Virtual Hard Disks item. Verify that the default folder
location is set to the Virtual Hard Disk folder, and then click OK.

Question: What additional features are required to support the Hyper-V role?

Answer: No additional features are required to support the Hyper-V role.

Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking


X Task 1: Configure the external network
1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.

2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External
is selected, and then click Create Virtual Switch.

3. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the
following information, and then click OK:

o Name: Corporate Network

o External Network: Mapped to the host computer's physical network adapter (the adapter will vary
depending on the host computer)

4. In the Apply Networking Changes dialog box, review the warning, and then click Yes.

X Task 2: Create a private network


1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.

2. Under Virtual Switches, select New virtual network switch.

3. Under Create virtual switch, select Private, and then click Create Virtual Switch.

4. In the Virtual Switch Properties section, configure the following settings, and then click OK:

o Name: Private Network


o Connection type: Private network

X Task 3: Create an internal network


1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.

2. Under Virtual Switches, select New virtual network switch.


3. Under Create virtual switch, select Internal, and then click Create Virtual Switch.

4. In the Virtual Switch Properties section, configure the following settings, and then click OK:

o Name: Internal Network


o Connection type: Internal network

Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine


X Task 1: Configure virtual machine storage
1. On the taskbar, click Windows Explorer.

2. Click Computer, and then browse to the following location:

E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number
of drives on the physical host machine.)

3. Verify that the Base12A-WS2012-RC.vhd hard disk image file is present.

4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click
each folder, and then rename the folders as follows:

a. LON-GUEST1

b. LON-GUEST2

5. Close Windows Explorer.


6. Switch to the Hyper-V Manager.

7. In the Actions pane, click New, and then click Hard Disk.

8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

9. On the Choose Disk Format page, select VHD, and then click Next.

10. On the Choose Disk Type page, select Differencing, and then click Next.

11. On the Specify Name and Location page, specify the following details, and then click Next:

a. Name: LON-GUEST1.vhd

b. Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

12. On the Configure Disk page, type the location E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd,
and then click Finish.

13. On the taskbar, click the PowerShell icon.

14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then
press Enter:

Import-Module Hyper-V

15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2, and then press Enter:

New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

16. Close the PowerShell window.

17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.

18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click
LON-GUEST2.vhd, and then click Open.

19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a
differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd
as its parent, and then click Close.

X Task 2: Create virtual machines


1. In the Hyper-V Manager, on the Actions pane, click New and then click Virtual Machine.

2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.

3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the
virtual machine in a different location, enter the following values, and then click Next.

a. Name: LON-GUEST1

b. Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

4. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select
the Use Dynamic Memory for this virtual machine option, and click Next.
5. On the Configure Networking page of the New Virtual Machine Wizard, choose Private Network
and then click Next.

6. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open and then click Finish.

7. On the Taskbar, click the PowerShell icon.



8. At the PowerShell prompt, enter the following command to import the Hyper-V module:

Import-Module Hyper-V

9. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

10. Close the PowerShell window.

11. In the Hyper-V Manager console, click LON-GUEST2. In the Actions pane, under LON-GUEST2, click
Settings.

12. In the Settings for LON-GUEST2 dialog box, click Automatic Start Action, and then set the
Automatic Start Action to Nothing.

13. In the Settings for LON-GUEST2 dialog box, click Automatic Stop Action, and then set the
Automatic Stop Action to Shut down the guest operating system.

14. Click OK to close the Settings for the LON-GUEST2 dialog box.

X Task 3: Configure VLANs and network bandwidth settings


1. In the Hyper-V Manager console, on the Actions pane, click Virtual Switch Manager.
2. Click Internal Network.

3. Select the Enable virtual LAN identification for management operating system check box.

4. In the VLAN ID box, type 4, and then click OK.


5. Click LON-GUEST2, and click Settings.

6. Click Network Adapter.

7. Change the Virtual switch to Internal Network, and click Enable virtual LAN identification.

8. In the VLAN identifier box, type 4.

9. Expand Network Adapter, click Advanced Features, enable the following options, and then click
OK:
o Enable DHCP guard

o Enable router advertisement guard
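The same VLAN and guard configuration as Task 3, done from Windows PowerShell. This is an added example and not part of the lab; it assumes the Hyper-V module on Windows Server 2012, the lab's names (switch Internal Network, guest LON-GUEST2, VLAN ID 4), and that the management OS adapter created by the internal switch carries the switch's name (its default). It also adds an audit of every guest adapter on the host, which the GUI steps do not do.

```powershell
# Added example, not part of the lab: the PowerShell equivalent of Task 3.
# Assumes the Hyper-V module on Windows Server 2012 and the lab's names:
# switch "Internal Network", guest LON-GUEST2, VLAN ID 4.
Import-Module Hyper-V

$switchName = 'Internal Network'
$vmName     = 'LON-GUEST2'
$vlanId     = 4

# Steps 3-4: an internal switch also creates a management OS adapter; by default
# it carries the switch's name (assumption). Tag it with VLAN 4 in access mode.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $switchName -Access -VlanId $vlanId

# Steps 7-8: move the guest's adapter to the internal switch and put it on the same
# VLAN; with different tags, host and guest cannot talk even though they share a switch.
Connect-VMNetworkAdapter -VMName $vmName -SwitchName $switchName
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId $vlanId

# Step 9: DHCP guard drops DHCP server replies the guest tries to send; router guard
# drops its router advertisements and redirects. Both stop a compromised or
# misconfigured guest from taking over addressing for the rest of the segment.
Set-VMNetworkAdapter -VMName $vmName -DhcpGuard On -RouterGuard On

# Verify what was applied.
Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $switchName
Get-VMNetworkAdapterVlan -VMName $vmName
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object VMName, SwitchName, DhcpGuard, RouterGuard

# Audit: every guest adapter on this host that still has either guard off.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' } |
    Select-Object VMName, SwitchName, DhcpGuard, RouterGuard
```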

Question: What kind of switch would you create if you added a new physical network adapter to the
Hyper-V host and wanted to keep this separate from the existing networks you create during this
exercise?

Answer: You should create an external switch. External switches map to external network adapters.

X Task 4: Import a virtual machine


1. In the Actions pane of the Hyper-V Manager console, click Import Virtual Machine.

2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.

3. On the Locate Folder page, perform the following task, and then click Next:

o If you are using LON-HOST1, type the path E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B

o If you are using LON-HOST2, type the path E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B

4. On the Select Virtual Machine page:

o If you are using LON-HOST1, select 20417A-LON-DC1-B.

o If you are using LON-HOST2, select 20417A-LON-SVR1-B.

5. On the Choose Import Type page, select Register the virtual machine in-place (use the existing
unique ID), and then click Next.

6. On the Summary page, click Finish.

X Task 5: Configure virtual machine dynamic memory


1. In the Hyper-V Manager console, right-click LON-GUEST2, and then click Settings.

2. In the Settings for LON-GUEST2 dialog box, click Memory.

3. On the Memory page, configure the Startup RAM as 1024 MB.

4. On the Memory page, select the Enable Dynamic Memory option.

5. Set the following dynamic memory settings:

o Minimum RAM: 512 MB

o Maximum RAM: 2048 MB

6. Click OK to close the Settings for LON-GUEST2 dialog box.

X Task 6: Configure and test virtual machine snapshots


1. If you are using LON-HOST1, start and connect to 20417A-LON-DC1-B.

2. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

3. If you are using LON-HOST2, start and connect to 20417A-LON-SVR1-B.

4. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

5. Minimize the Server Manager console.

6. Right-click the desktop of the virtual machine, click New, and then click Folder. Name the folder
Sydney.

7. Repeat step 6, and then create a second folder Melbourne.

8. Repeat step 6, and then create a third folder Brisbane.

9. On the Action menu of the Virtual Machine Connection window, click Snapshot.

10. In the Snapshot Name dialog box, in the Name box, type Before Change, and then click Yes.

11. Drag the Sydney folder to the Recycle Bin.

12. Drag the Brisbane folder to the Recycle Bin.

13. Right-click the Recycle Bin, and then click Empty Recycle Bin.

14. In the Delete Multiple Items dialog box, click Yes.

15. On the Action menu of the Virtual Machine Connection window, click Revert.

16. In the Revert Virtual Machine dialog box, click Revert.

17. Verify that the following folders are present on the desktop:

o Sydney

o Melbourne

o Brisbane

18. Delete all three folders from the desktop.

Question: What state must the virtual machine be in to configure dynamic memory when using
Windows Server 2008 R2 as a host? How is this different from Windows Server 2012 as a host?

Answer: The virtual machine must be powered off to configure dynamic memory. In Windows Server
2012, you can configure dynamic memory while the virtual machine is powered on.

Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.

X To prepare for the next module


When you have finished the lab, leave the virtual machines running, because they are needed for the lab in
Module 9.

Module 9: Implementing Failover Clustering with Hyper-V


Lab: Implementing Failover Clustering with
Hyper-V
Exercise 1: Configuring Hyper-V Replicas
X Task 1: Import LON-CORE virtual machine on LON-HOST1
1. Log on to LON-HOST1 as Adatum\Administrator with the password Pa$$w0rd.

2. On LON-HOST1, open the Hyper-V Manager console.

3. In the Actions pane, click Import Virtual Machine.

4. On the Before You Begin page of the Import Virtual Machine Wizard, click Next.

5. On the Locate Folder page, click Browse.


6. Browse to the folder E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-CORE, click
Select Folder, and then click Next.

Note: The drive letter may be different based upon the number of drives on the physical
host machine.

7. On the Select Virtual Machine page, select 20417A-LON-CORE, and then click Next.

8. On the Choose Import Type page, click Next.

9. On the Summary page, click Finish.

X Task 2: Configure a replica on both host machines


1. On LON-HOST2, open the Hyper-V Manager console.

2. In Hyper-V Manager, right-click LON-HOST2 and select Hyper-V Settings…


3. In the Hyper-V Settings for LON-HOST2 dialog box, click Replication Configuration.

4. In the Replication Configuration pane, click Enable this computer as a Replica server.

5. In the Authentication and ports section, select Use Kerberos (HTTP).

6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.

7. Click Computer, double-click Local Disk (E), and then click New folder. Type VMReplica as the
folder name, and then press Enter. Select the E:\VMReplica\ folder, and then click Select Folder.

8. In Hyper-V Settings for LON-HOST2, click OK.

9. In the Settings window, read the notice and click OK.

10. Go to the Start screen, and then click Control Panel.

11. In the Control Panel, click System and Security, and then click Windows Firewall.

12. Click Advanced settings.

13. Click Inbound Rules.



14. In the right pane, in the rule list, find the rule Hyper-V Replica HTTP Listener (TCP-In). Right-click
the rule and click Enable Rule.

15. Close the Windows Firewall with Advanced Security console and then close Windows Firewall.

16. Repeat steps 1-15 on LON-HOST1.

X Task 3: Configure replication for LON-CORE virtual machine


1. On LON-HOST1, open Hyper-V Manager. Click LON-HOST1, and then right-click
20417A-LON-CORE.

2. Click Enable Replication….

3. On the Before You Begin page, click Next.

4. On the Specify Replica Server page, click Browse.

5. In the Select Computer window, type LON-HOST2, click Check Names, and then click OK.
Click Next.

6. On the Specify Connection Parameters page, review settings, and make sure that Use Kerberos
authentication (HTTP) is selected. Click Next.

7. On the Choose Replication VHDs page, make sure that 20410A-LON-CORE.vhd is selected and
then click Next.

8. On the Configure Recovery History page, select Only the latest recovery point and then click
Next.
9. On the Choose Initial Replication Method page, click Send initial copy over the network and
select Start replication immediately, and then click Next.

10. On the Completing the Enable Replication wizard page, click Finish.

11. Wait 10-15 minutes. You can monitor the progress of the initial replication in the Status column in the
Hyper-V Manager console. When it completes (progress reaches 100%), make sure that
20417A-LON-CORE has appeared on LON-HOST2 in Hyper-V Manager.

X Task 4: Validate a planned failover to the replica site


1. On LON-HOST2 in Hyper-V Manager, right-click 20417A-LON-CORE.

2. Select Replication and then click View Replication Health.

3. Review the content of the window that appears, and make sure that there are no errors.

4. Click Close.

5. On LON-HOST1, open Hyper-V Manager and verify that 20417A-LON-CORE is turned off.

6. Right-click 20417A-LON-CORE, select Replication, and then click Planned Failover….

7. In the Planned Failover window, make sure that the Start the Replica virtual machine after
failover option is selected, and then click Fail Over.

8. In the Planned Failover window click Close.

9. On LON-HOST2, in Hyper-V Manager, make sure that 20417A-LON-CORE is running.

10. On LON-HOST1, right-click 20417A-LON-CORE, point to Replication and then click Remove
replication.

11. In the Remove replication dialog box, click Remove Replication.

12. On LON-HOST2, right-click 20417A-LON-CORE and select Shut Down. In the Shut Down Machine
dialog box, click Shut Down.
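The whole of Exercise 1 (Replica server setup on both hosts, replication for the LON-CORE VM, and the planned failover) as Windows PowerShell. This is an added example, not part of the lab; it assumes the Hyper-V module on Windows Server 2012 and the lab's names (LON-HOST1 as primary, LON-HOST2 as replica, VM 20417A-LON-CORE, store E:\VMReplica). The FQDN and trust-group name in the commented-out tighter alternative are assumptions.

```powershell
# Added example, not part of the lab: the PowerShell equivalent of Exercise 1.
# Assumes the Hyper-V module on Windows Server 2012 and the lab's names
# (LON-HOST1 primary, LON-HOST2 replica, VM 20417A-LON-CORE, store E:\VMReplica).
Import-Module Hyper-V

$vmName       = '20417A-LON-CORE'
$primary      = 'LON-HOST1'
$replica      = 'LON-HOST2'
$replicaStore = 'E:\VMReplica'

# --- Task 2, run on each host: become a Replica server over Kerberos (HTTP, TCP 80). ---
# Kerberos authenticates the two hosts but does not encrypt the replication stream;
# certificate-based authentication (HTTPS) does. The lab uses Kerberos.
New-Item -Path $replicaStore -ItemType Directory -Force | Out-Null
Set-VMReplicationServer -ReplicationEnabled $true `
                        -AllowedAuthenticationType Kerberos `
                        -ReplicationAllowedFromAnyServer $true `
                        -DefaultStorageLocation $replicaStore
# Step 14: the listener rule exists but is disabled until you enable it.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# Tighter alternative to "any authenticated server": name the primaries allowed to send.
# (FQDN and trust-group name below are assumptions, not lab values.)
# Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Kerberos `
#                         -ReplicationAllowedFromAnyServer $false
# New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'LON-HOST1.Adatum.com' `
#                                     -ReplicaStorageLocation $replicaStore -TrustGroup 'LabHosts'

# --- Task 3, on LON-HOST1: enable replication for the VM and send the initial copy. ---
Enable-VMReplication -VMName $vmName -ReplicaServerName $replica -ReplicaServerPort 80 `
                     -AuthenticationType Kerberos -RecoveryHistory 0
Start-VMInitialReplication -VMName $vmName

# Task 3 step 11 and Task 4 steps 2-3: progress of the initial copy and replication health.
Get-VMReplication -VMName $vmName
Measure-VMReplication -VMName $vmName

# --- Task 4: planned failover. The primary must be off; it sends the final delta,
# then the replica side brings the copy up. ---
Stop-VM -Name $vmName                                    # on LON-HOST1 (step 5 checks it is off)
Start-VMFailover -VMName $vmName -Prepare                # on LON-HOST1
Start-VMFailover -VMName $vmName -ComputerName $replica  # on LON-HOST2
Start-VM -Name $vmName -ComputerName $replica            # step 9: replica copy is running

# Steps 10-12: remove replication on both sides and shut the replica copy down.
Remove-VMReplication -VMName $vmName -ComputerName $primary
Remove-VMReplication -VMName $vmName -ComputerName $replica
Stop-VM -Name $vmName -ComputerName $replica
```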

Results: After completing this exercise, you will have configured Hyper-V Replica.

Exercise 2: Configuring a Failover Cluster for Hyper-V


X Task 1: Connect to iSCSI target from both host machines
1. On LON-HOST1, open Server Manager, click Tools, and then click iSCSI Initiator. At the Microsoft
iSCSI prompt, click Yes.

2. Click the Discovery tab.

3. Click Discover Portal.

4. In the IP address or DNS name box, type 172.16.0.21, and then click OK.

5. Click the Targets tab.

6. Click Refresh.

7. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click
Connect.

8. Select Add this connection to the list of Favorite Targets, and then click OK.

9. Click OK to close iSCSI Initiator Properties.


10. On LON-HOST2, open Server Manager, click Tools, and then click iSCSI Initiator.

11. In the Microsoft iSCSI dialog box, click Yes.

12. Click the Discovery tab.

13. Click Discover Portal.

14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.

15. Click the Targets tab.


16. Click Refresh.

17. In the Discovered targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and
then click Connect.

18. Select Add this connection to the list of Favorite Targets, and then click OK. Click OK to close
iSCSI Initiator Properties.

19. On LON-HOST2, in the Server Manager window, click Tools, and then click Computer Management.

20. Expand Storage, and then click Disk Management.

21. Right-click Disk 2, and then click Online.

22. Right-click Disk 2, and then click Initialize Disk. In the Initialize Disk dialog box, click OK.

23. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.

24. On the Welcome page, click Next.

25. On the Specify Volume Size page, click Next.


26. On the Assign Drive Letter or Path page, click Next.

27. On the Format Partition page, in the Volume label box, type ClusterDisk. Select the Perform a
quick format check box, and then click Next.

28. Click Finish.

29. Repeat steps 21 through 28 for Disk 3 and Disk 4. In step 27, use the volume label ClusterVMs for Disk 3
and Quorum for Disk 4.

30. On LON-HOST1 in Server Manager, click Tools, and then click Computer Management.

31. Expand Storage, and then click Disk Management.

32. Right-click Disk Management, and then click Refresh.

33. Right-click Disk 2, and then click Online.

34. Right-click Disk 3, and then click Online.

35. Right-click Disk 4, and then click Online.

X Task 2: Configure failover clustering on both host machines


1. On LON-HOST1, on the taskbar, click the Server Manager icon to open Server Manager.

2. From the Dashboard, click Add roles and features.

3. On the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6. On the Select server roles page, click Next.

7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for failover clustering prompt, click Add Features, and then click Next.
8. On the Confirm installation selections page, click Install.

9. When installation is complete, click Close.

10. Repeat steps 1 through 9 on LON-HOST2.

11. On LON-HOST1, in the Server Manager console, click Tools and then click Failover Cluster
Manager.

12. In Failover Cluster Manager, in the center pane, under Management, click Create Cluster.

13. In the Create Cluster Wizard on the Before You Begin page, read the information. Click Next.

14. In the Enter server name box, type LON-HOST1, and then click Add. Type LON-HOST2, and then
click Add.

15. Verify the entries, and then click Next.

16. On the Validation Warning page, click No. I don't require support from Microsoft for this
cluster, and then click Next.
17. In the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.

18. Under Address, in the IP address name box, type 172.16.0.126, and then click Next.

19. In the Confirmation dialog box, verify the information, clear the Add all eligible storage to the
cluster check box, and then click Next.

20. In the Create Cluster Wizard Summary page, click Finish.



X Task 3: Configure disks for failover cluster


1. On LON-HOST1, in the Failover Cluster Manager console, expand VMCluster.Adatum.com, expand
Storage, and then right-click Disks.

2. Click Add Disk.

3. In the Add Disks to Cluster dialog box, verify that all disks are selected, and then click OK.

4. Verify that all disks appear available for cluster storage in Failover Cluster Manager.

5. Select the disk that displays the Volume name of ClusterVMs. Right-click the ClusterVMs disk and
select Add to Cluster Shared Volumes.

6. Right-click VMCluster.adatum.com, select More Actions and then click Configure Cluster Quorum
Settings. Click Next.

7. On the Select Quorum Configuration Option page, click Use typical settings and then click Next.

8. On the Confirmation page click Next.

9. On the Summary page, click Finish.
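Exercise 2 (iSCSI connection, feature installation, cluster creation, disks and quorum) as Windows PowerShell run from LON-HOST1. This is an added example and not part of the lab; it assumes Windows Server 2012 with the iSCSI, ServerManager and FailoverClusters modules, WinRM on both hosts, and the lab's values (portal 172.16.0.21, the target IQN, VMCluster at 172.16.0.126). Unlike step 16, it runs cluster validation; the two cluster-disk resource names at the end are placeholders, not values from the lab.

```powershell
# Added example, not part of the lab: the PowerShell equivalent of Exercise 2,
# run on LON-HOST1 as a domain administrator. Assumes Windows Server 2012 modules
# (iSCSI, ServerManager, FailoverClusters) and the lab's values.
$nodes     = 'LON-HOST1', 'LON-HOST2'
$portal    = '172.16.0.21'
$targetIqn = 'iqn.1991-05.com.microsoft:lon-svr1-target1-target'
$clusterIp = '172.16.0.126'

# --- Task 1, steps 1-18 on both hosts: log on to the target persistently
# (-IsPersistent is the "Favorite Targets" check box). ---
foreach ($node in $nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        Set-Service -Name MSiSCSI -StartupType Automatic   # what clicking Yes at the iSCSI prompt does
        Start-Service -Name MSiSCSI
        New-IscsiTargetPortal -TargetPortalAddress $using:portal | Out-Null
        Get-IscsiTarget -NodeAddress $using:targetIqn |
            Connect-IscsiTarget -IsPersistent $true | Out-Null
    }
}

# Steps 19-29 on LON-HOST2 only: bring the three LUNs online and give each one NTFS volume.
$labels = @{ 2 = 'ClusterDisk'; 3 = 'ClusterVMs'; 4 = 'Quorum' }
Invoke-Command -ComputerName 'LON-HOST2' -ScriptBlock {
    $labels = $using:labels
    foreach ($n in $labels.Keys) {
        Set-Disk -Number $n -IsOffline $false
        Initialize-Disk -Number $n -PartitionStyle MBR
        New-Partition -DiskNumber $n -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$n] -Confirm:$false | Out-Null
    }
}
# Steps 30-35 on LON-HOST1: the disks are already initialized, just bring them online.
foreach ($n in 2, 3, 4) { Set-Disk -Number $n -IsOffline $false }

# --- Task 2, steps 1-10: install the feature on both nodes. ---
foreach ($node in $nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $node
}

# Step 16 skips validation. Run it anyway: the report is what Microsoft support asks for,
# and it surfaces storage and network faults before virtual machines depend on the cluster.
Test-Cluster -Node $nodes

# Steps 11-20: create the cluster. -NoStorage matches clearing "Add all eligible storage".
New-Cluster -Name 'VMCluster' -Node $nodes -StaticAddress $clusterIp -NoStorage

# --- Task 3: add every eligible disk, then list the resources to match them to volume labels. ---
Get-ClusterAvailableDisk -Cluster 'VMCluster' | Add-ClusterDisk
Get-ClusterResource -Cluster 'VMCluster' | Where-Object ResourceType -eq 'Physical Disk'

# PLACEHOLDERS: substitute the resource names shown for the ClusterVMs and Quorum volumes.
# With two nodes and a shared disk, the wizard's typical settings (step 7) amount to
# node and disk majority with a disk witness.
Add-ClusterSharedVolume -Cluster 'VMCluster' -Name 'Cluster Disk <ClusterVMs>'
Set-ClusterQuorum -Cluster 'VMCluster' -NodeAndDiskMajority 'Cluster Disk <Quorum>'
```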

Exercise 3: Configuring a Highly Available Virtual Machine


X Task 1: Move virtual machine storage to iSCSI target

Note: Make sure that LON-HOST1 is the owner of the ClusterVMs disk in Failover Cluster
Manager. If it is not, then move the ClusterVMs resource to LON-HOST1 before doing this
procedure.

• On LON-HOST1, open Windows Explorer and browse to
E:\Program Files\Microsoft Learning\20417\Drives\20410A-LON-CORE\Virtual Hard Disks, and then
move the 20417A-LON-CORE.vhd virtual hard drive file to the C:\ClusterStorage\Volume1 location.

X Task 2: Configure the virtual machine as Highly Available


1. In the Failover Cluster Manager console, click Roles, and then in the Actions pane, click Virtual
Machines.

2. Click New Virtual Machine.

3. Select LON-HOST2 as the cluster node, and then click OK.

4. In the New Virtual Machine Wizard, click Next.

5. On the Specify Name and Location page, in the Name box, type TestClusterVM, select Store the
virtual machine in a different location, and then click Browse.

6. Browse to and select C:\ClusterStorage\Volume1 and then click Select Folder.

7. Click Next.

8. On the Assign Memory page, type 1536, and then click Next.

9. On the Configure Networking page, select Corporate Network, and then click Next.

10. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click
Browse.

11. Locate C:\ClusterStorage\Volume1, select 20417A-LON-CORE.vhd, and then click Open.

12. Click Next and then click Finish.

13. On the Summary page of the High Availability Wizard, click Finish.

14. Right-click the TestClusterVM and then click Start.

15. Make sure that the machine successfully starts.

X Task 3: Perform a Live Migration for the virtual machine


1. Open Failover Cluster Manager on LON-HOST2.

2. Expand VMCluster.Adatum.com, and then click Roles.

3. Right-click TestClusterVM, point to Move, point to Live Migration, and then click Select
Node….

4. Click LON-HOST1, and then click OK.

5. Right-click TestClusterVM and then click Connect.

6. Make sure that you can access and operate the virtual machine while it is migrating to the other host.

7. Wait until migration is finished.

X Task 4: Perform a Storage Migration for the virtual machine


1. On LON-HOST1, open Hyper-V Manager.

2. In the center pane, click LON-GUEST1.


3. In the Actions pane, click Start. Wait until the virtual machine is fully started.

4. Switch back to the Hyper-V Manager console, and then in the Actions pane, click Move.

5. On the Before You Begin page, click Next.

6. On the Choose Move Type page, select Move the virtual machine's storage, and then click Next.

7. On the Choose Options for Moving Storage page, select Move all of the virtual machine’s data
to a single location and then click Next.

8. On the Choose a new location for virtual machine page, click Browse.

9. Locate C:\ and then create a new folder called Guest1. Click Select Folder.

10. Click Next.


11. On the Summary page, click Finish. Wait for the move process to finish. While the virtual machine is
moving, you can connect to it and verify that it is fully operational.

12. Shut down all running virtual machines.

X To prepare for next module


1. Restart LON-HOST1.

2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.

3. Log on to the host machine as directed by your instructor.


4. Repeat steps 1-3 on LON-HOST2.

Module 10: Implementing Dynamic Access Control


Lab: Implementing Dynamic Access Control
Exercise 1: Planning the Dynamic Access Control Implementation and
Preparing AD DS for Dynamic Access Control
X Task 1: Plan the Dynamic Access Control Deployment Based on the Security and
Business Requirements
The scenario requires the following:

1. Folders that belong to the Research department can be accessed and modified only by employees who
belong to the Research department.

2. Files classified with classification High should be accessible only to Managers.

3. Managers should access confidential files only from workstations that belong to the ManagersWKS
security group.

Note: You can meet these requirements by implementing claims, resource properties, and
file classifications, used together in Dynamic Access Control. To implement this, you should first
create the appropriate claims for users and devices. The user claim uses department as its source
attribute, while the device claim uses description as its source attribute. After that, you should
configure a resource property for the Research department. When you have these objects prepared,
you should configure Central Access Rules and Central Access Policies to protect resources. At the
same time, you should configure file classification for confidential documents. Finally, you should
apply the Central Access Policy to the folders where the files for Research and Managers are located.

4. As a solution for users who receive error messages, you should implement Access Denied
Assistance.

X Task 2: Prepare AD DS to support Dynamic Access Control


1. On LON-DC1, in the Server Manager, click Tools and then click Active Directory Users and
Computers.
2. In the Active Directory Users and Computers console, right-click Adatum.com, point to New, and
then click Organizational Unit.

3. In the New Object – Organizational Unit dialog box, in the Name box, type Test, and then click OK.

4. Click the Computers container.

5. Hold down the Ctrl key and click LON-SVR1, LON-CL1, and LON-CL2. Right-click the selection, and
then click Move….

6. In the Move window, click Test and then click OK.

7. Close the Active Directory Users and Computers console.

8. On LON-DC1, in the Server Manager, click Tools, and then click Group Policy Management.

9. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

10. Right-click the Managers OU, and then click Block Inheritance. This clears the block inheritance
setting that is used in a later module of the course.
11. Click the Group Policy Objects container.

12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.

13. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.

14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos
armoring.

15. In the KDC support for claims, compound authentication and Kerberos armoring window, select
Enabled, and in the Options section, click the drop-down list and select Supported. Click OK.

16. Close the Group Policy Management Editor and Group Policy Management console.
17. Open Windows PowerShell by clicking its icon on the taskbar, type gpupdate /force, and then press
Enter. After Group Policy is updated, close Windows PowerShell.

18. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
19. Expand Adatum.com, right-click Users, click New, and then click Group.

20. Type ManagersWKS for the Group name, and then click OK.

21. Click the Test container.


22. Right-click LON-CL1, and then click Properties.

23. Click the Member Of tab and then click Add.

24. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK
again.

25. Click the Managers organizational unit.

26. Right-click Aidan Delaney and select Properties.


27. Click the Organization tab. Make sure that the Department field is populated with the value
Managers. Click Cancel.

28. Click the Research organizational unit.


29. Right-click Allie Bellew and select Properties.

30. Click the Organization tab. Make sure that the Department field is populated with the value
Research. Click Cancel.

Results: After completing this exercise, you will have a design for Dynamic Access Control, and you will
have prepared AD DS for the Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims


X Task 1: Review the Default Claim Types
1. On LON-DC1, in Server Manager, click Tools and then click Active Directory Administrative
Center.

2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access
Control.

3. In the central pane, double-click Claim Types.

4. Verify that there are no default claims defined.

5. In the navigation pane, click Dynamic Access Control and then double-click Resource Properties.

6. Review the default resource properties.

Note: Note that all properties are disabled by default.

7. In the navigation pane, click Dynamic Access Control and then double-click Resource Property
Lists.

8. In the central pane, right-click Global Resource Property List, and then click Properties.

9. In the Global Resource Property List, in the Resource Properties section, review the available resource
properties.

10. Click Cancel.

X Task 2: Configure Claims for Users


1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access
Control.

2. Double-click Claim Types.

3. In the Tasks pane, click New and then click Claim Type.

4. In the Create Claim Type window, in the Source Attribute section, select department.

5. In the Display name text box type Company Department.

6. Select both User and Computer check boxes.

7. Click OK.

X Task 3: Configure Claims for Devices


1. In the Active Directory Administrative Center, in the Tasks pane, click New and select Claim Type.

2. In the Create Claim Type window, in the Source Attribute section, select description.

3. Clear the User check box and select the Computer check box.

4. Click OK.

Results: After completing this exercise you will have configured user and device claims.

Exercise 3: Configuring Resource Properties and File Classifications


X Task 1: Configure Resource Property definitions
1. In the Active Directory Administrative Center, click Dynamic Access Control.

2. In the central pane, double-click Resource Properties.


3. In the Resource Properties list, locate Department.

4. Right-click Department, and then click Enable.

5. In the Resource Properties list, locate Confidentiality.

6. Right-click Confidentiality, and then click Enable.

7. Make sure that both Department and Confidentiality properties are enabled in the list.

8. Double-click Department.

9. Scroll down to the Suggested Values section, and then click Add.

10. In the Add a suggested value window, type Research in both Value and Display name text boxes,
and then click OK two times.

11. Click Dynamic Access Control and then double-click Resource Property Lists.

12. In the central pane, double-click Global Resource Property List.


13. Make sure that both Department and Confidentiality appear in Resource Properties list. If they do
not, then click Add and add these two properties, and then click OK (or Cancel if you did not make
any changes).
14. Close the Active Directory Administrative Center.

X Task 2: Classify files


1. On LON-SVR1, in Server Manager, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next three times.
3. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI Services (Installed), and then select File Server Resource Manager.

4. When prompted, click Add Features.

5. Click Next two times and then click Install. After installation finishes, click Close.

6. In Server Manager, click Tools, and then click File Server Resource Manager.

7. In the File Server Resource Manager console, expand Classification Management.

8. Right-click Classification Properties, and then click Refresh.

9. Verify that Confidentiality and Department properties are in the list.

10. Click Classification Rules.


11. In the Actions pane, click Create Classification Rule.

12. In the Create Classification Rule window, enter Set Confidentiality for the Rule name.

13. Click the Scope tab. Click Add.


14. In the Browse For Folder dialog box, expand Local Disk (C:) and select the Docs folder, and then
click OK.

15. Click the Classification tab.

16. Make sure that the following settings are set:

o Classification method: Content Classifier

o Property: Confidentiality

o Value: High

17. Click Configure.

18. In the Classification Parameters dialog box, click the Regular expression drop-down list and select
String.

19. In the Expression field (next to the word String) type secret.

20. Click OK.


21. Click the Evaluation Type tab. Select Re-evaluate existing property values, and then click
Overwrite the existing value.

22. Click OK.

23. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.

24. Select Wait for classification to complete, and then click OK.

25. After the classification is complete, you are presented with a report. Verify that two files were
classified.

Note: You can see this in the Report Totals section.

26. Close the report.

27. Open Windows Explorer, and browse to the C:\Docs folder.

28. Right-click Doc1.txt and select Properties.

29. Click the Classification tab. Verify that Confidentiality is set to High.
30. Repeat steps 28 and 29 on files Doc2.txt and Doc3.txt.

Note: Doc2.txt should have the same confidentiality as Doc1.txt while Doc3.txt should have
no value. This is because only Doc1 and Doc2 have the word secret in their content.

X Task 3: Assign properties to folder


1. On LON-SVR1, open Windows Explorer, and browse to Local Disk (C:).

2. Right-click the Research folder and then click Properties.

3. Click the Classification tab.

4. Click Department.

5. In the Value section, click Research, and then click Apply.

6. Click OK.
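The FSRM side of this exercise (refreshing the property definitions from AD DS, the content rule, the classification run, and the manual folder tag) can be done from Windows PowerShell on LON-SVR1. The block below is an added example written for this page, not part of the 20417A lab. It assumes the lab's C:\Docs and C:\Research folders and the AD DS resource property IDs Department_MS and Confidentiality_MS; because an ordered-list property such as Confidentiality stores a sort key behind each label, the value shown as High is looked up rather than typed in. Reading the properties back with the FSRM COM object replaces clicking through the Classification tab of each file.

```powershell
# Added example (not from the 20417A lab). Run on LON-SVR1 in an elevated
# Windows PowerShell session after Department and Confidentiality have been
# enabled in AD DS (Task 1). Assumes the lab's C:\Docs and C:\Research folders.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

# Task 2, steps 8-9: pull the AD DS resource properties into FSRM and confirm
# that both arrived. Their FSRM names are the AD DS IDs, not the display names.
Update-FsrmClassificationPropertyDefinition
$conf = Get-FsrmClassificationPropertyDefinition -Name 'Confidentiality_MS'
$dept = Get-FsrmClassificationPropertyDefinition -Name 'Department_MS'
$conf, $dept | Select-Object Name, DisplayName, Type

# Ordered-list values carry a sort key behind the label; resolve the key that
# the console displays as "High" instead of hard-coding it.
$high = ($conf.PossibleValue | Where-Object { $_.DisplayName -eq 'High' }).Name

# Steps 11-22: a content rule on C:\Docs that sets Confidentiality to High
# whenever the string "secret" is found, overwriting any earlier value.
New-FsrmClassificationRule -Name 'Set Confidentiality' `
    -Property $conf.Name -PropertyValue $high `
    -Namespace @('C:\Docs') `
    -ClassificationMechanism 'Content Classifier' -ContentString @('secret') `
    -ReevaluateProperty Overwrite | Out-Null

# Steps 23-26: run every rule now and block until the pass has finished.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# Steps 27-30: read the stored properties per file. EnumFileProperties(path, 0)
# returns them; Doc3.txt should come back with no Confidentiality value.
$fci = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
foreach ($file in Get-ChildItem -Path 'C:\Docs' -File) {
    $value = ($fci.EnumFileProperties($file.FullName, 0) |
              Where-Object { $_.Name -eq $conf.Name }).Value
    $shown = if ($value) { $value } else { '<none>' }
    '{0,-10} {1} = {2}' -f $file.Name, $conf.DisplayName, $shown
}

# Task 3: tag the Research folder by hand. The Department Match rule's resource
# condition reads this value from the folder itself.
$fci.SetFileProperty('C:\Research', $dept.Name, 'Research')
($fci.EnumFileProperties('C:\Research', 0) | Where-Object { $_.Name -eq $dept.Name }).Value
```

A practitioner checking a classification-driven policy should read the stored values back in this way rather than trusting the report totals, because a rule that matched the wrong files grants or denies access just as silently as one that matched the right ones.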

Results: After this exercise, you will have configured resource properties and file classifications.

Exercise 4: Configuring Central Access Rules and Policies


X Task 1: Configure Central Access Policy Rules
1. On LON-DC1, in Server Manager, click Tools and then click Active Directory Administrative
Center.

2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access
Control.

3. Double-click Central Access Rules.

4. In the Tasks pane, click New, and then click Central Access Rule.

5. In the Central Access Rule dialog box, type Department Match for the Name.

6. In the Target Resources section click Edit.

7. In the Central Access Rule dialog box, click Add a condition.



8. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.

9. In the Permissions section, click Use the following permissions as current permissions.

10. In the Permissions section, click Edit.

11. Remove permission for Administrators.

12. In Advanced Security Settings for Permissions, click Add.

13. In Permission Entry for Permissions, click Select a principal.

14. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.

15. In the Basic permissions section select Modify, Read and Execute, Read and Write.

16. Click Add a condition.

17. Click the Group drop-down list, and then select Company Department.

18. Click the Value drop-down list, and then select Resource.

19. In the last drop-down box, select Department.

Note: As a result, you should have: User-Company Department-Equals-Resource-Department.

20. Click OK three times.

21. In the Tasks pane, click New, and then click Central Access Rule.

22. For the name of rule type Access Confidential Docs.

23. In the Target Resources section click Edit.

24. In the Central Access Rule window, click Add a condition.

25. Set the condition to Resource-Confidentiality-Equals-Value, and in the last drop-down box, select High.

Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.

26. Click OK.

27. In the Permissions section, click Use the following permissions as current permissions.

28. In the Permissions section, click Edit.


29. Remove permission for Administrators.

30. In Advanced Security Settings for Permissions, click Add.

31. In the Permission Entry for Permissions, click Select a principal.

32. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.

33. In the Basic permissions section, select Modify, Read and Execute, Read and Write.
34. Click Add a condition.

35. Set the first condition to: User-Group-Member of each-Value-Managers. Click Add a condition.

36. Set second condition to: Device-Group-Member of each-Value-ManagersWKS.

Note: If you can’t find ManagersWKS in the last drop-down box, click Add items. Then in
the Select User, Computer, Service Account or Group window, type ManagersWKS and click
Check Names. Click OK.

37. Click OK three times.

X Task 2: Create Central Access Policy


1. On LON-DC1, in Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.

2. In the Tasks pane, click New, and then click Central Access Policy.

3. For the Name, type Protect confidential docs.


4. Click Add.

5. Click the Access Confidential Docs rule, and then click >>.

6. Click OK twice.

7. In the Tasks pane, click New, and then click Central Access Policy.

8. For the Name, type Department Match.

9. Click Add.
10. Click the Department Match rule and then click >>.

11. Click OK twice.

12. Close the Active Directory Administrative Center.
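Everything done in Active Directory Administrative Center across Exercises 1, 2 and 4 (the ManagersWKS device group, the claim types, the resource properties, and the central access rules and policies) can also be scripted, which is how you would reproduce it in a second domain or check it into change control. The block below is an added example written for this page, not part of the 20417A lab. It assumes the lab's Adatum.com domain, the Managers group, LON-CL1 and the built-in Department and Confidentiality resource properties; it resolves the stored value behind the Confidentiality label High rather than assuming it, and it omits an Administrators entry from the rules exactly as the lab does. The KDC policy setting from Exercise 1 and the publishing of the policies with Group Policy (Task 3) stay in Group Policy Management. One caveat the lab does not state: a device condition is evaluated only when the client presents a compound (armored) Kerberos ticket, so the matching client-side Kerberos policy setting must be enabled on the workstations as well as the KDC setting on the domain controllers.

```powershell
# Added example (not from the 20417A lab). Run on LON-DC1 in an elevated
# Windows PowerShell session. Assumes the lab's Adatum.com domain, the Managers
# group, LON-CL1, and the built-in Department / Confidentiality properties.
Import-Module ActiveDirectory

# Exercise 1, steps 18-24: the device group and LON-CL1's membership in it.
New-ADGroup -Name 'ManagersWKS' -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'ManagersWKS' -Members (Get-ADComputer -Identity 'LON-CL1')

# Exercise 1, steps 25-30: the claim is read from the department attribute, so
# it is only as trustworthy as the set of people who can write that attribute.
Get-ADUser -Filter 'Department -eq "Research" -or Department -eq "Managers"' -Properties Department |
    Select-Object SamAccountName, Department

# Exercise 2, Task 2: one claim type issued for both users and computers.
$claim = New-ADClaimType -DisplayName 'Company Department' -SourceAttribute 'department' `
    -AppliesToClasses @('user', 'computer') -Enabled $true -PassThru
# Exercise 2, Task 3: the device-only claim sourced from description.
New-ADClaimType -DisplayName 'description' -SourceAttribute 'description' -AppliesToClasses @('computer')

# Exercise 3, Task 1: enable both properties, add the Research suggested value,
# and make sure they are in the global list that file servers download.
$dept = Get-ADResourceProperty -Filter 'DisplayName -eq "Department"' -Properties *
$conf = Get-ADResourceProperty -Filter 'DisplayName -eq "Confidentiality"' -Properties *
Set-ADResourceProperty -Identity $dept -Enabled $true -SuggestedValues @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Research', 'Research', '')
)
Set-ADResourceProperty -Identity $conf -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $dept, $conf

# Ordered-list properties store a sort key behind each label, so resolve the
# value that Confidentiality displays as "High" instead of assuming the string.
$high = ($conf.SuggestedValues | Where-Object { $_.DisplayName -eq 'High' }).Value

# Exercise 4, Task 1: the rules as SDDL. 0x1301bf is the Modify mask that the
# Modify / Read & Execute / Read / Write boxes add up to. OW keeps the owner's
# full control; there is no Administrators entry, as in the lab.
$managersSid    = (Get-ADGroup -Identity 'Managers').SID.Value
$managersWksSid = (Get-ADGroup -Identity 'ManagersWKS').SID.Value

# $claim.ID is the ad://ext/... identifier that conditional ACEs refer to.
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition "(@RESOURCE.$($dept.ID) == `"Research`")" `
    -CurrentAcl ("O:SYG:SYD:AR(A;;FA;;;OW)" +
                 "(XA;;0x1301bf;;;AU;(@USER.$($claim.ID) == @RESOURCE.$($dept.ID)))")

# Both conditions must hold: user in Managers AND device in ManagersWKS.
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition "(@RESOURCE.$($conf.ID) == `"$high`")" `
    -CurrentAcl ("O:SYG:SYD:AR(A;;FA;;;OW)" +
                 "(XA;;0x1301bf;;;AU;((Member_of {SID($managersSid)}) && " +
                 "(Device_Member_of {SID($managersWksSid)})))")

# Exercise 4, Task 2: one policy per rule, as the lab does.
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'

# Review the exact conditions and ACLs that were written before publishing them.
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl | Format-List
```

The SDDL strings are the same thing the Active Directory Administrative Center builds from the Group / Value / Resource drop-down lists, and reading them back with Get-ADCentralAccessRule is the quickest way to confirm what a rule actually enforces when the console's summary is ambiguous.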

X Task 3: Publish Central Access Policy with Group Policy


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. Under Domains, expand Adatum.com, and then right-click Test and click Create a GPO in this
domain, and link it here.
3. Type DAC Policy, and then click OK.

4. Right-click DAC Policy, and then click Edit.

5. Browse to Computer Configuration/Policies/Windows Settings/Security Settings/File System,


and then right-click Central Access Policy.

6. Click Manage Central Access Policies.

7. Click both Department Match and Protect confidential docs, and then click Add.

8. Click OK.

9. Close the Group Policy Management Editor.

10. Close the Group Policy Management console.

X Task 4: Apply Central Access Policy to resources


1. On LON-SVR1, start Windows PowerShell.

2. Type gpupdate /force and press Enter. Close the Windows PowerShell window.

3. Open Windows Explorer, browse to Drive C and right-click the Docs folder, and select Properties.

4. Click the Security tab.

5. Click Advanced.

6. In the Advanced Security Settings for Docs window, click the Central Policy tab.

7. Click Change.

8. On the drop-down list, select Protect confidential docs.

9. Click OK two times.

10. Right-click the Research folder and select Properties.

11. Click the Security tab.


12. Click Advanced.

13. In the Advanced Security Settings for Research window, click the Central Policy tab.

14. Click Change.

15. In the drop-down box, select Department Match.

16. Click OK two times.

X Task 5: Configure access denied remediation settings


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com.

3. Click Group Policy objects.

4. Right-click DAC Policy and select Edit.


5. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.

6. In the right pane, double-click Customize Message for Access Denied errors.

7. In the Customize Message for Access Denied errors window, click Enabled.

8. In the Display the following message to users who are denied access text box, type: You are
denied access because of permission policy. Please request access.

9. Select the Enable users to request assistance check box.

10. Review other options, do not make any changes, and then click OK.

11. In the right pane of Group Policy Management Editor, double-click Enable access-denied assistance
on client for all file types.

12. Click Enabled, and then click OK.

13. Close the Group Policy Management Editor and close the Group Policy Management console.

14. Switch to LON-SVR1, open Windows PowerShell, type gpupdate /force, and then press Enter.

Results: After completing this exercise you will have configured central access rules and policies.

Exercise 5: Validating and Remediating Access Control


X Task 1: Verify Dynamic Access Control functionality
1. Log on to LON-CL1 as Adatum\April with password Pa$$w0rd.

2. Click Desktop and then open Windows Explorer by clicking its icon on the task bar.

3. In the address bar, type \\LON-SVR1\Docs, and then press Enter.


4. Try to open Doc3. You should be able to open that document.

5. In the address bar of Windows Explorer, type \\LON-SVR1\Research and press Enter.

Note: You should be unable to access this folder.

6. Click Request assistance. Review options for sending messages, and then click Close.

7. Log off of LON-CL1.

8. Log on to LON-CL1 as Adatum\Allie with the password of Pa$$w0rd.

9. Open Windows Explorer.

10. In the address bar, type \\LON-SVR1\Research and press Enter.

Note: You should be able to access this folder and open the documents inside it because Allie is
in the Research department.

11. Log off of LON-CL1.


12. Log on to LON-CL1 as Adatum\Aidan with the password of Pa$$w0rd.

13. Open Windows Explorer.

14. In the address bar, type \\LON-SVR1\Docs.

15. You should be able to open all files in this folder.

16. Log off of LON-CL1.

17. Log on to LON-CL2 as Adatum\Aidan with the password of Pa$$w0rd.

18. Open Windows Explorer

19. In the address bar, type \\LON-SVR1\Docs.

Note: You should be unable to open Doc1 and Doc2. The Access Confidential Docs rule requires both
that the user is a member of Managers and that the device is a member of ManagersWKS, and LON-CL2 is
not a member of ManagersWKS.

X Task 2: Configure staging for Dynamic Access Policy


1. On LON-DC1, in Server Manager, click Tools and then click Group Policy Management.

2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.

3. Right-click DAC Policy and click Edit.

4. In the Group Policy Management Editor, browse to Computer Configuration/Policies/Windows
Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies.

5. Select Object Access.

6. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.

7. Double-click Audit File System. Select all three check boxes, then click OK.

8. Close the Group Policy Management Editor and the Group Policy Management console.

X Task 3: Configure staging permissions


1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.

2. In the navigation pane, click Dynamic Access Control.

3. Double-click Central Access Rules.

4. Right-click Department Match and select Properties.

5. Scroll down to Proposed Permissions.

6. Click Enable permission staging configuration.

7. Click Edit.

8. Click Authenticated Users, and then click Edit.

9. Change the condition to: User-Company Department-Equals-Value-Marketing.

10. Click OK three times.


11. Switch to LON-SVR1 and open Windows PowerShell.

12. Type gpupdate /force and press Enter.

13. Close the Windows PowerShell window.

X Task 4: Verify staging


1. Log on to LON-CL1 as Adatum\Adam with the password of Pa$$w0rd.

2. Open Windows Explorer, and then in the address bar type \\LON-SVR1\Research. Attempt to open
the folder. You will be unsuccessful. Click Close.
3. Switch to LON-SVR1.

4. In Server Manager, click Tools and select Event Viewer.

5. Expand Windows Logs, and then click Security.

6. Look for Events with ID 4818.

7. Read the content of these logs.
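Reading the staging events in Event Viewer works for one user and one folder; to see which users a proposed permission set would affect across a share you want them as structured data. The block below is an added example written for this page, not part of the 20417A lab. It assumes the audit settings from Task 2 have applied on LON-SVR1 and that Adam's attempt from step 2 has taken place. Field names are read from each event's own XML rather than hard-coded, so the same function also works for the 4663 object-access events that the Audit File System setting produces.

```powershell
# Added example (not from the 20417A lab). Run on LON-SVR1 as an administrator
# after the audit policy from Task 2 has applied and a user has hit the folder.
function Get-SecurityEventData {
    # Returns one object per event with TimeCreated, Id, and every EventData
    # field the event carries, named exactly as in the event XML.
    param([int[]]$Id, [int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{ TimeCreated = $_.TimeCreated; Id = $_.Id }
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

# 4818: the proposed central access policy does not grant the same access as
# the current one. This is the staging mismatch the lab provokes on purpose.
$staging = Get-SecurityEventData -Id 4818
$staging | Format-List *

# Narrow to events touching the Research folder and count them per user, to
# see who the proposed (Marketing-only) permissions would have treated
# differently from the current (Research) permissions.
$staging |
    Where-Object { $_.PSObject.Properties.Value -match 'Research' } |
    Group-Object -Property SubjectUserName |
    Select-Object Name, Count
```

Run this after a day or two of staging rather than after a single test: the value of staging is the list of accounts that would lose or gain access once the proposed permissions go live, and that list only means something once real users have touched the data.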

X Task 5: Use effective permissions to test Dynamic Access Control


1. On LON-SVR1, open Windows Explorer and locate the C:\Research folder.

2. Right-click the folder and click Properties.

3. Click the Security tab.

4. Click Advanced, and then click Effective Access.

5. Click Select a user.

6. In the Select User, Computer, Service Account, or Group window type April, and then click Check
Names, and then click OK.

7. Click View effective access.



8. Review results. April should not have any access to this folder.

9. Click Include a user claim.

10. On the drop-down list, select Company Department.

11. In the Value text box type Research.

12. Click View effective access. April should have access now.

13. Close all windows.

X Task 6: To prepare for the next module


1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1 and 20417A-LON-CL2.

Results: After completing this exercise, you will have validated Dynamic Access Control functionality.

Module 11: Implementing Active Directory Domain Services


Lab: Implementing AD DS
Exercise 1: Deploying a Read-Only Domain Controller
X Task 1: Add LON-SVR3 as a server to manage
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. In Server Manager Dashboard, click Add other servers to manage.

3. In the Add Servers dialog box, in the Name (CN) field, type LON-SVR3, and then click Find Now.

4. Select the LON-SVR3 server in the details pane, and then click the arrow to move it to the Selected
pane.
5. Click OK.

X Task 2: Create a new Server Group


1. In the Server Manager Dashboard, click Create a server group.

2. In the Create Server Group dialog box, in the Server group name field, type DCs.
3. Select both LON-SVR3 and LON-DC1, click the arrow to move them to the Selected pane, and then
click OK.

X Task 3: Install the RODC role remotely


1. In the Server Manager Dashboard, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.

3. On the Select installation type page, click Next.

4. On the Select Destination Server page, select LON-SVR3.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Domain Services check box, click
Add Features in the Add features that are required for Active Directory Domain Services dialog
box, and then click Next.
6. On the Select features page, click Next.

7. On the Active Directory Domain Services page, click Next.

8. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install. The installation will take several minutes.

9. When the installation is complete, click Close.

10. In Server Manager Dashboard, click the notification icon (the flag icon or yellow triangle) on the
menu bar.

11. Locate the Post-deployment Configuration task, and then click Promote this server to a domain
controller.

12. In the Active Directory Domain Services Configuration Wizard, ensure that Add a domain controller
to an existing domain is selected.

13. In the Supply the credentials to perform this operation section, click Change.

14. In the Windows Security dialog box, type Adatum\Administrator in the user name field and in the
password field type Pa$$w0rd.

15. Click OK, and then click Next.

16. On the Domain Controller Options page, select the check box for Read only domain controller
(RODC).

17. Type and confirm the Directory Services Restore Mode (DSRM) password Pa$$w0rd, and then
click Next.

18. On the RODC Options page, click Next.

Note: You will configure these options in the next exercise.

19. On the Additional Options page click Next.

20. On the Paths page click Next.

21. On the Review Options page click Next.


22. On the Prerequisites Check page, click Install.

Note: The installation will take several minutes and LON-SVR3 will automatically restart to
complete the promotion.

23. When the promotion is complete, click Close. Note that LON-SVR3 restarts.

X Task 4: Configure the Password Replication policy and administrative access


1. On LON-DC1, in Server Manager, on the Tools menu, click Active Directory Users and Computers.

2. Expand Adatum.com, and then click the Domain Controllers OU.


3. In the details pane, right-click LON-SVR3, and then click Properties.

4. In the LON-SVR3 Properties dialog box, click the Password Replication Policy tab.

5. Click Add.
6. In the Add Groups, Users and Computers dialog box, click Allow passwords for the account to
replicate to this RODC, and then click OK.

7. In the Select Users, Computers, Service Accounts, or Groups dialog box, type Managers, and
then click OK.

8. Click the Managed By tab, and then click Change.

9. In the Select User or Group dialog box, type IT, and then click OK.

10. Click OK to close the LON-SVR3 Properties dialog box.
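The same deployment (remote role install, RODC promotion, password replication policy and delegated administration) can be driven from LON-DC1 with Windows PowerShell, which also gives you the one check the GUI does not surface: which secrets the RODC has actually cached. The block below is an added example written for this page, not part of the 20417A lab. It assumes LON-SVR3 is already joined to Adatum.com with Windows PowerShell remoting enabled, that the forest still uses its default site name, and that you run it as a member of Domain Admins; the DSRM password is prompted for rather than written into the script.

```powershell
# Added example (not from the 20417A lab). Run on LON-DC1 as Adatum\Administrator.
# Assumes LON-SVR3 is domain-joined with remoting enabled and the forest's
# default site, Default-First-Site-Name.
Import-Module ActiveDirectory

$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Domain Admins member'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Task 3: install the role on LON-SVR3 and promote it as an RODC. The explicit
# -Credential avoids the second-hop problem inside Invoke-Command; the secure
# string and credential are passed as arguments instead of typed into the script.
Invoke-Command -ComputerName 'LON-SVR3' -Credential $cred -ArgumentList $cred, $dsrm -ScriptBlock {
    param($DomainCred, $DsrmPassword)
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Install-ADDSDomainController -DomainName 'Adatum.com' -ReadOnlyReplica `
        -SiteName 'Default-First-Site-Name' -Credential $DomainCred `
        -SafeModeAdministratorPassword $DsrmPassword -Force
}
# LON-SVR3 restarts when the promotion completes; wait for it before continuing.

# Task 4, steps 4-7: allow the Managers group's secrets to be cached on the RODC,
# then read the allowed list back.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR3' -AllowedList 'Managers'
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR3' -Allowed |
    Select-Object Name, ObjectClass

# Steps 8-9: the Managed By tab writes the managedBy attribute, which the RODC
# treats as its delegated local administrator.
Set-ADComputer -Identity 'LON-SVR3' -ManagedBy (Get-ADGroup -Identity 'IT')

# If a branch RODC is lost or stolen, what matters is the set of secrets it has
# actually cached, which is narrower than the allowed list. Review this before
# deciding which accounts to reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'LON-SVR3' -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

Keep the allowed list to the accounts that actually sign in at the branch; every account added to it is one whose password hash ends up on a machine with weaker physical security than the main site.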

Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a
server group, deployed an RODC remotely, and configured the password replication policy and
administrative assignments for the RODC.

Exercise 2: Troubleshooting Group Policy


X Task 1: Troubleshoot Group Policy issues
1. Log on to LON-CL1 as Brad with a password of Pa$$w0rd. Brad is a member of the IT group.

2. At the Start screen, type Control Panel.

3. In the Apps results field click Control Panel.


4. In Control Panel under Appearance and Personalization, click Change desktop background.

Question: What is the result?

Answer: A message explains that this feature is disabled.

Question: Is this in line with company policy?

Answer: Yes, this is in line with company policy.

5. Close Control Panel.


6. Point to the lower right corner of the desktop, click the Search charm, and then in the Apps search
field, type Run.

7. In the Apps results field click Run.

8. In the Run box type Regedit, and then click OK.

Question: What is the result?

Answer: A message explains that this feature is disabled.


Question: Is this in line with company policy?

Answer: No, this is against company policy.

9. To close the dialog box, click OK.


10. Point to the lower right corner of the desktop, click the Search charm, and then in the Apps search
field, type Command Prompt.

11. In the Apps results field, click Command Prompt.


12. In the Command Prompt window, type GPResult /R and examine the results.

Question: What GPOs are being applied in User Settings?

Answer: The Prohibit Desktop Background policy and the Prohibit Registry Tools GPOs are being
applied.

Question: Is this in line with company policy?

Answer: No, this is against company policy. The Prohibit Registry Tools policy should not be applied
to an IT group user.

13. Sign out of LON-CL1.

14. Log on to LON-CL1 as Bill with a password of Pa$$w0rd. Bill is a member of the Managers group.

15. On the Start screen, type Control Panel.

16. In the Apps results field, click Control Panel.



17. In Control Panel under Appearance and Personalization, click Change desktop background.

Question: What is the result?

Answer: The Desktop Background dialog box appears and provides access to change the desktop
background.

Question: Is this in line with company policy?


Answer: No, this is against company policy.

18. Close Control Panel.

19. Point to the lower right corner of the desktop, click the Search charm, and then type Run.

20. In the Apps results field, click Run.

21. In the Run box, type Regedit, and then click OK.

Question: What is the result?


Answer: The Registry Editor application starts.

Question: Is this in line with company policy?

Answer: No, this is against company policy.


22. Close the Registry Editor.

23. Point to the lower right corner of the desktop, click the Search charm, and type Command Prompt
in the Apps search field.
24. Click Command Prompt in the Apps results field.

25. In the Command Prompt window, type GPResult /R and examine the results.

Question: What GPOs are being applied?


Answer: No GPOs are being applied.

Question: Is this correct?

Answer: No, both GPOs are supposed to be applied.


26. Sign Out of LON-CL1.

X Task 2: Correct issues with Group Policy application


1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. In Server Manager, on the Tools menu, click Group Policy Management.


3. If required, expand Forest: Adatum.com, expand Domains, expand Adatum.com.

Question: What GPOs are linked to the Adatum.com domain?

Answer: Default Domain Policy, Prohibit Registry Tools and Prohibit Desktop Background. This
confirms the policies are linked to the correct container.

Question: What is the current status of the Managers OU?

Answer: The Managers OU has a blue circle with a white exclamation mark. This indicates that
inheritance is being blocked. You must remove the inheritance block to resolve the issue with the
Managers OU.

4. Right-click the Managers OU and clear the check mark next to Block Inheritance.

Question: How will you ensure that the Prohibit Registry Tools GPO will not be applied to the IT
group users?

Answer: There are multiple ways that you could resolve this. For example, you could create a GPO
that specifically reverses the Prevent access to registry editing tools setting and link it directly to the
IT OU.

5. Expand the Group Policy Objects folder.

6. Click the Prohibit Registry Tools GPO.


7. In the details pane, click the Delegation tab.

8. Click Advanced.

9. In the Prohibit Registry Tools Security Settings dialog box, click Add.

10. In the Select Users, Computers, Service Accounts, or Groups dialog box type IT, and then click
OK.

11. Click the IT (Adatum\IT) group in the Security list.

12. In the Permissions for IT section, locate the Apply Group Policy permission, and then click Deny.

13. Click OK.

14. If the Windows Security dialog box appears, click Yes to acknowledge the message.

15. Close the Group Policy Management console.
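Both findings from Task 1 and both fixes from Task 2 can be made from Windows PowerShell on LON-DC1, and doing so also produces the verification without logging on as each user. The block below is an added example written for this page, not part of the 20417A lab. It assumes the lab's GPO names, the Managers OU under Adatum.com, and the IT group. One point the GUI hides: Set-GPPermission can only grant Apply Group Policy, so the Deny entry has to be written to the GPO's Active Directory object ACL directly; the extended-right GUID used for that is the well-known Apply-Group-Policy right.

```powershell
# Added example (not from the 20417A lab). Run on LON-DC1 as a Domain Admin.
# Assumes the lab's GPO names, OUs and the IT group.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$managersOu = 'OU=Managers,DC=Adatum,DC=com'

# What reaches the Managers OU, and is anything blocking inheritance on the way?
Get-GPInheritance -Target $managersOu |
    Select-Object Path, GpoInheritanceBlocked,
                  @{ n = 'Inherited'; e = { $_.InheritedGpoLinks.DisplayName -join ', ' } }

# Bill's symptom (no GPOs applied at all) is the inheritance block on Managers.
Set-GPInheritance -Target $managersOu -IsBlocked No | Out-Null

# Brad's symptom (Prohibit Registry Tools reaching an IT user) is fixed with a
# Deny ACE on Apply Group Policy for the IT group. Set-GPPermission cannot write
# a Deny, so edit the GPO's directory object through the AD: drive.
$gpo  = Get-GPO -Name 'Prohibit Registry Tools'
$path = "AD:\$($gpo.Path)"
$itSid = (Get-ADGroup -Identity 'IT').SID
$applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$acl  = Get-Acl -Path $path
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $itSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Deny entries are easy to lose track of. List them so the next admin sees them.
Get-GPPermission -Name 'Prohibit Registry Tools' -All |
    Where-Object { $_.Denied } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Task 3 without logging on: resultant set of policy for Brad and Bill on LON-CL1.
foreach ($user in 'Adatum\Brad', 'Adatum\Bill') {
    $report = Join-Path $env:TEMP ("rsop-{0}.html" -f ($user -replace '\\', '-'))
    Get-GPResultantSetOfPolicy -User $user -Computer 'LON-CL1' -ReportType Html -Path $report
    $report
}
```

The Deny entry is what the lab's answer describes, and it works, but it is the kind of exception that outlives the reason for it; the alternative the answer also mentions, a GPO linked to the IT OU that reverses the setting, is visible in the OU tree and easier to audit later.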

X Task 3: Verify policies are being applied


1. Log on to LON-CL1 as Bill with a password of Pa$$w0rd.

2. On the Start screen, type Command Prompt.


3. In the Apps results field, click Command Prompt.

4. In the Command Prompt window, type GPResult /R and examine the results.

Question: What GPOs are being applied?


Answer: The Prohibit Desktop Background and the Prohibit Registry Tools.

Question: Is this correct?

Answer: Yes. The system is now in line with the company policy.
5. Sign Out of LON-CL1.

6. Log on to LON-CL1 as Brad with a password of Pa$$w0rd.

7. On the Start screen, type Command Prompt.

8. In the Apps results field, click Command Prompt.

9. In the Command Prompt window, type GPResult /R and examine the results.

Question: What GPOs are being applied?

Answer: The Prohibit Desktop Background GPO is being applied.

Question: What GPOs are being filtered out?

Answer: Prohibit Registry Tools is being denied.


10. Sign Out of LON-CL1.

Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.

Exercise 3: Implementing Service Accounts in AD DS


X Task 1: Create and associate a Managed Service account
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Right-click Windows PowerShell on the Taskbar and click Run as Administrator.

3. In the Windows PowerShell command window, type Add-KdsRootKey -EffectiveTime
((get-date).addhours(-10)) at the prompt and press Enter.

4. Type New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1
-PrincipalsAllowedToRetrieveManagedPassword LON-DC1$ and press Enter.

5. Type Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice and
press Enter.

6. Type Get-ADServiceAccount -Filter * and press Enter to verify the account. Note the output of the
command.
7. Type Install-ADServiceAccount –Identity Webservice and press Enter.

8. Minimize the Windows PowerShell command window.

X Task 2: Configure the Web Server Application Pool to use the Group Managed Service account
1. On LON-DC1, in Server Manager, click the Tools menu and click Internet Information Services (IIS)
Manager.

2. In the Internet Information Services (IIS) Manager console, expand LON-DC1 (Adatum\Administrator)
and click Application Pools.

3. In the details pane, right-click the DefaultAppPool and click Advanced Settings.

4. In the Advanced Settings dialog box, click Identity and click the ellipses.

5. In the Application Pool Identity dialog box, click Custom Account and click Set.

6. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field and click OK
three times.

7. In the Actions pane, click Stop to stop the application pool.

8. Click Start to start the application pool.

9. Close the Internet Information Services (IIS) Manager.
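Two things are worth adding to this exercise before moving on: a check that the host can really retrieve the managed password (the failure mode when a gMSA is mis-scoped is a silent logon failure of the service), and the application pool change done without the console so that it is repeatable. The block below is an added example written for this page, not part of the 20417A lab; it assumes the Webservice account from Task 1 and the DefaultAppPool on LON-DC1. Two lab-only shortcuts should not be copied into production: the Add-KdsRootKey -EffectiveTime value in the past exists only so the lab does not have to wait the ten hours that Add-KdsRootKey -EffectiveImmediately requires for the key to replicate, and running IIS on a domain controller is done here only because the lab has no separate web server.

```powershell
# Added example (not from the 20417A lab). Run on LON-DC1 in an elevated
# Windows PowerShell session after Task 1. Assumes the Webservice gMSA and the
# DefaultAppPool created by the Web Server role.
Import-Module ActiveDirectory
Import-Module WebAdministration

# Can this host retrieve the managed password? If not, the pool will fail to
# start and the only symptom is a logon failure in the System log.
if (-not (Test-ADServiceAccount -Identity 'Webservice')) {
    throw 'LON-DC1 is not allowed to retrieve the Webservice password; check PrincipalsAllowedToRetrieveManagedPassword.'
}

# Who may fetch the password, and how often it rotates (30 days by default).
Get-ADServiceAccount -Identity 'Webservice' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval

# Task 2: bind the pool to the gMSA. identityType 3 is SpecificUser; the
# password stays empty because Windows fetches it from the KDS at start-up.
$pool = 'IIS:\AppPools\DefaultAppPool'
Set-ItemProperty -Path $pool -Name processModel -Value @{
    identityType = 3
    userName     = 'Adatum\Webservice$'
    password     = ''
}
Restart-WebAppPool -Name 'DefaultAppPool'

# Confirm the identity that the worker process will run as.
Get-ItemProperty -Path $pool -Name processModel | Select-Object identityType, userName
```

The security point of the exercise is that no administrator ever knows the account's password; a pool configured this way has nothing in its processModel that a backup of applicationHost.config could leak.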

Results: After completing this exercise, you will have created and associated a managed service account,
installed a managed service account on a web server, and verified the password change for a managed
service account.

Exercise 4: Maintaining AD DS
X Task 1: Create and view Active Directory snapshots
1. Switch to LON-DC1.

2. Move your mouse to the bottom right corner and click the Search charm.

3. In the Apps search box, type CMD.


4. In the Apps Results for CMD pane, right-click Command Prompt and then click Run as
administrator.

5. In the command window, type Ntdsutil and then press Enter.


6. Type Snapshot and then press Enter.

7. Type Activate instance ntds and then press Enter.

8. Type Create and then press Enter.

Note: The GUID that is displayed is important for commands in later tasks. Make note of
the GUID or, alternatively, copy it to the clipboard.

9. Mount the snapshot by running the following command: Mount {GUID}, where {GUID} is the GUID
returned by the create snapshot command.

10. Type Quit twice.

11. Expose the snapshot by typing dsamain -dbpath
c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter.

Note: Copy and paste the $snap_datetime_volumec$ path from the output of the mount command. The
port number can be any open, unique TCP port. Leave the Command Prompt window open and the
command running while you perform the next tasks.

12. In Server Manager, click the Tools menu and then click Active Directory Users and Computers.

13. Expand Adatum.com and then click Research.

14. In the details pane, right-click Allie Bellew and then click Delete. Click Yes to confirm in the message
box.

15. Right-click the Active Directory Users and Computers root node and then click Change Domain
Controller.

16. Click <Type a Directory Server name[:port] here> and type LON-DC1:50000 and then press Enter.

17. Click OK.

18. Expand Adatum.com and click Research.

Note: Notice that the user Allie Bellew exists in the snapshot because it was taken before
the user was deleted.

19. Close Active Directory Users and Computers and close the command window.

X Task 2: Enable the Active Directory recycle bin


1. In Server Manager, on the Tools menu, click Active Directory Administrative Center.

2. In the navigation pane, click Adatum (local).

3. In the Tasks pane, click Enable Recycle Bin.

4. In the Enable Recycle Bin Confirmation dialog box, click OK.

5. In the Active Directory Administrative Center dialog box, click OK.

6. On the menu bar, click the Refresh icon.

Note: Notice a Deleted Object container now appears.

X Task 3: Delete a test user


1. In the center pane, double-click the Managers OU.

2. Ensure that the Aidan Delaney user account is selected, and then in the tasks pane, click Delete.

3. In the Delete Confirmation dialog box, click Yes.


4. Click Adatum (local) in the navigation pane to return to the main tree.

X Task 4: Restore the deleted user


1. In the center pane, double-click the Deleted Objects folder.

2. In the Tasks pane, click Restore. In the navigation pane under Adatum (local), click Managers.

Note: The Aidan Delaney account is restored.
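Tasks 1 through 4 of this exercise as a script, added here as an example and not part of the 20417A courseware. It assumes an elevated PowerShell session on LON-DC1 with the ActiveDirectory module, the lab's domain and user names, and TCP port 50000 for the exposed snapshot.

```powershell
# Added example (not from the 20417A lab): snapshot, Recycle Bin and restore on LON-DC1.

# Plain LDAP lookup, so the same query runs against the live DC and the dsamain instance
# (dsamain only speaks LDAP on the port you give it).
function Find-UserByLdap([string]$Server, [string]$Cn) {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/DC=Adatum,DC=com")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectClass=user)(cn=$Cn))")
    return $searcher.FindOne()
}

# --- Task 1: create, mount and expose a snapshot ---
# ntdsutil accepts its interactive commands as arguments, so nothing has to be typed in.
$createOut = & ntdsutil "activate instance ntds" snapshot create quit quit
# Expected output line: Snapshot set {GUID} generated successfully.
$guid = [regex]::Match(($createOut -join "`n"), '\{[0-9A-Fa-f-]{36}\}').Value
if (-not $guid) { throw "Snapshot creation failed:`n$($createOut -join "`n")" }

$mountOut = & ntdsutil snapshot "mount $guid" quit quit
# Expected output line: Snapshot {GUID} mounted as C:\$SNAP_201206011200_VOLUMEC$\
$mountPoint = [regex]::Match(($mountOut -join "`n"), 'mounted as (\S+)').Groups[1].Value
if (-not $mountPoint) { throw "Mount failed:`n$($mountOut -join "`n")" }

# Expose the mounted copy as a separate LDAP instance; dsamain runs until it is stopped.
$dsamain = Start-Process dsamain -PassThru -ArgumentList @(
    "-dbpath", (Join-Path $mountPoint "Windows\NTDS\ntds.dit"), "-ldapport", "50000")
Start-Sleep -Seconds 15

# As in the lab: delete the test user live, then show that the snapshot still has her.
Get-ADUser -Filter { Name -eq "Allie Bellew" } | Remove-ADUser -Confirm:$false
$live = Find-UserByLdap "LON-DC1" "Allie Bellew"
$snap = Find-UserByLdap "LON-DC1:50000" "Allie Bellew"
"Allie Bellew in live AD: $($null -ne $live); in snapshot: $($null -ne $snap)"

# Tear the exposed snapshot down again.
Stop-Process -Id $dsamain.Id
& ntdsutil snapshot "unmount $guid" "delete $guid" quit quit | Out-Null

# --- Task 2: enable the Recycle Bin (forest-wide; it cannot be disabled afterwards) ---
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet `
    -Target "adatum.com" -Confirm:$false

# --- Tasks 3 and 4: delete a user, then restore it from the Deleted Objects container ---
Get-ADUser -Filter { Name -eq "Aidan Delaney" } | Remove-ADUser -Confirm:$false
Get-ADObject -Filter { isDeleted -eq $true -and Name -like "Aidan Delaney*" } `
    -IncludeDeletedObjects | Restore-ADObject
Get-ADUser -Filter { Name -eq "Aidan Delaney" } | Select-Object Name, DistinguishedName
```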

X Task 5: To prepare for the next module


1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-CL1 and 20417A-LON-SVR3.

Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.

Module 12: Implementing Active Directory Federation Services
Lab: Implementing AD FS
Exercise 1: Configuring AD FS Prerequisites
X Task 1: Configure DNS forwarders
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. Expand LON-DC1, and click Conditional Forwarders.

3. Right-click Conditional Forwarders, and click New Conditional Forwarder.

4. In the DNS Domain box, type TreyResearch.com.

5. Click in the IP address column, and then type 172.16.10.10. Press Enter, and then click OK.

6. Close the DNS Manager.

7. On MUN-DC1, in Server Manager, click Tools, and then click DNS.

8. Expand MUN-DC1, and then click Conditional Forwarders.

9. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

10. In the DNS Domain box, type Adatum.com.


11. Click in the IP address column, and then type 172.16.0.10. Press Enter, and then click OK.

12. Close the DNS Manager.

X Task 2: Exchange root certificates to enable certificate trusts


1. On LON-DC1, access the Search page.
2. In the Search box, type \\MUN-DC1.treyresearch.com\certenroll, and then press Enter.

3. In the CertEnroll window, right-click the MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt
file, and then click Copy.

4. In the left pane, click Documents, and then paste the file into the Documents folder.

5. Open a Windows PowerShell® command prompt, type MMC and then press Enter.

6. In the Console1 window, click File, and click Add/Remove Snap-in.


7. Click Group Policy Management Editor, and then click Add.

8. In Select Group Policy Object, click Browse.

9. Click Default Domain Policy, and then click OK.

10. Click Finish, and then click OK.

11. Double-click Default Domain Policy. In the console tree, expand the following path:
Computer Configuration > Policies > Windows Settings > Security Settings >
Public Key Policies > Trusted Root Certification Authorities.

12. Right-click Trusted Root Certification Authorities, and then click Import.

13. On the Welcome to the Certificate Import Wizard page, click Next.
14. On the File to Import page, click Browse.

15. In the Open window, click MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt, click
Open, and then click Next.

16. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.

17. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.

18. Close the Group Policy Management Editor without saving changes.

19. On MUN-DC1, access the Search page.

20. In the Search box, type \\LON-DC1.adatum.com\certenroll, and then press Enter.
21. In the CertEnroll window, right-click the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt file, and
then click Copy.

22. In the left pane, click Documents, and then paste the file into the Documents folder.

23. Open a Windows PowerShell command prompt, type MMC, and then press Enter.

24. In the Console1 window, click File, and then click Add/Remove Snap-in.

25. Click Certificates, and click Add.


26. Click Computer Account, and then click Next.

27. Verify that Local computer is selected, click Finish, and then click OK.

28. Expand Certificates, and then click Trusted Root Certification Authorities.
29. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.

30. On the Welcome to the Certificate Import Wizard page, click Next.

31. On the File to Import page, click Browse.


32. In the Open window, click LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt, click Open, and then
click Next.

33. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.

34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.

35. Close Console1 without saving changes.

X Task 3: Request and install a certificate for the web server


1. On LON-SVR1, in Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.

2. In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message.

3. In middle pane, double-click Server Certificates.

4. In the Actions pane, click Create Domain Certificate.

5. On the Distinguished Name Properties page, enter the settings as listed below, and then click
Next:

o Common name: LON-SVR1.adatum.com

o Organization: A. Datum

o Organization unit: IT

o City/locality: London

o State/province: England

o Country/region: GB

6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select
to search for a CA server in the domain.

7. Select Adatum-LON-DC1-CA, and then click OK.


8. In Friendly name, type LON-SVR1.adatum.com, and then click Finish.

X Task 4: Bind the certificate to the claims aware application on the web server and
verify application access
1. On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site,
and then in the Actions pane, click Bindings.

2. In the Site Bindings dialog box, click Add.

3. In the Add Site Binding dialog box, under Type select https, and under Port, verify that 443 is
selected.
4. In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.

5. Click Close, and then close Internet Information Services (IIS) Manager.

6. On LON-DC1, open Internet Explorer.


7. Connect to https://lon-svr1.adatum.com/adatumtestapp.

8. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.

9. Close Internet Explorer.
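A scripted equivalent of Exercise 1, added here as an example and not part of the 20417A courseware. It assumes the lab's host names, addresses and CA names, the DnsServer, PKI and WebAdministration modules on the servers named in the comments, and that the WebServer template is available for enrollment from Adatum-LON-DC1-CA.

```powershell
# Added example (not from the 20417A lab): AD FS prerequisites from PowerShell.
# Run each part on the server named in its comment, in an elevated session.

# --- Task 1: conditional forwarders so each forest can resolve the other ---
Add-DnsServerConditionalForwarderZone -Name "TreyResearch.com" -MasterServers 172.16.10.10  # on LON-DC1
Add-DnsServerConditionalForwarderZone -Name "Adatum.com" -MasterServers 172.16.0.10         # on MUN-DC1

# --- Task 2: trust the partner's root CA (on LON-DC1; the lab distributes this one through
#     the Default Domain Policy, here it goes straight into the local computer store) ---
$partnerRoot = "\\MUN-DC1.treyresearch.com\certenroll\MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt"
$imported = Import-Certificate -FilePath $partnerRoot -CertStoreLocation Cert:\LocalMachine\Root
# Sanity check: only a self-signed root belongs in the Trusted Root store.
if ($imported.Subject -ne $imported.Issuer) { throw "Not a root CA certificate: $($imported.Subject)" }

# --- Task 3: enroll the web server certificate from the enterprise CA (on LON-SVR1) ---
$enrollment = Get-Certificate -Template WebServer -SubjectName "CN=LON-SVR1.adatum.com" `
    -CertStoreLocation Cert:\LocalMachine\My
if ($enrollment.Status -ne "Issued") { throw "Enrollment status: $($enrollment.Status)" }
$cert = $enrollment.Certificate

# --- Task 4: bind it to the Default Web Site on 443 (on LON-SVR1) ---
Import-Module WebAdministration
New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -IPAddress "*"
New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null

# Expected result at this point: TLS works, but the app answers 401 until AD FS is configured.
try {
    Invoke-WebRequest -Uri "https://lon-svr1.adatum.com/adatumtestapp" -UseBasicParsing | Out-Null
    "Unexpected: the request succeeded without federation"
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 401) { "HTTP 401 as expected: AD FS is not configured yet" } else { "HTTP $code" }
}
```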

Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.

Exercise 2: Installing and Configuring AD FS


X Task 1: Install and configure AD FS 2.0
1. On the LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.

2. On the Before you begin page, click Next.

3. On the Select installation type page, click Next.


4. On the Select destination server page, click Next.

5. On the Select server roles page, select the Active Directory Federation Services check box, click
Add Features, and then click Next.
6. On the Select features page, click Next.

7. On the Active Directory Federation Services (AD FS) page, click Next.

8. On the Select role services page, click Next.


9. On the Confirm installation selections page, click Install, and then wait for the installation to finish.
Do not close the window.

X Task 2: Create a stand-alone Federation Server by using the AD FS Federation Server
Configuration Wizard
1. On the Installation progress page, click Run the AD FS Management snap-in.

2. In the Overview pane, click the AD FS Federation Server Configuration Wizard link.

3. On the Welcome page, ensure that Create a new Federation Service is selected, and then click
Next.

4. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and
then click Next.

5. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is
LON-DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com.
Click Next.

6. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and
then click Next.
7. Wait for the configuration to finish, and then click Close.

X Task 3: Verify that FederationMetaData.xml is present and contains valid data


1. Log on to the LON-CL1 virtual machine as Adatum\Brad using the password Pa$$w0rd.

2. Click the Desktop tile, and then open Internet Explorer.


3. Click the Settings icon in the top-right corner, and then click Internet options.

4. On the Security tab, click Local intranet.

5. Click Sites, and then clear the Automatically detect intranet network check box.
6. Click Advanced, and in the Add this website to the zone box, type
https://lon-dc1.adatum.com, and then click Add.

7. Type https://lon-svr1.adatum.com, click Add, and then click Close.

8. Click OK twice.

9. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
10. Verify that the xml file opens successfully, and then scroll through its contents.

11. Close Internet Explorer.

Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the FederationMetaData.xml contents.

Exercise 3: Configure AD FS for a Single Organization


X Task 1: Configure a Token Signing Certificate for LON-DC1.Adatum.com
1. On the LON-DC1 virtual machine, in Server Manager, click Tools, and then click Windows
PowerShell.

2. At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press Enter.
This step is required so that you can modify the certificates that AD FS uses.

3. Close the Windows PowerShell window.



4. Click Tools, and click AD FS Management.

5. In the AD FS console, in the left pane, expand Service, and then click Certificates.

6. Right-click Certificates, and then click Add Token-Signing Certificate.

7. In the Select a token signing certificate dialog box, click LON-DC1.Adatum.com, and then click
OK.
8. In the AD FS Management warning, click OK.

Note: Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name is
listed under the Subject when you add the certificate, delete the certificate, and then add the
next certificate in the list.

9. Right-click the newly added certificate, and then click Set as Primary. Note the warning message,
and then click Yes.

10. Select the certificate that has just been superseded, right-click the certificate, and then click Delete.
Click Yes to confirm the deletion.

X Task 2: Configure the Active Directory Claims Provider Trust


1. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

2. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
3. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.

4. The Add Transform Claim Rule Wizard appears.

5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as
Claims, and then click Next.

6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.

8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:

o E-Mail-Addresses = E-Mail Address

o User-Principal-Name = UPN

o Display-Name = Name

9. Click Finish, and then click OK.

X Task 3: Configure the claims application to trust incoming claims by running the WIF
Federation Utility
1. On LON-SVR1, go to the Start screen, and then click Windows Identity Foundation Federation
Utility.
2. On the Welcome to the Federation Utility wizard page, in Application configuration location,
type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of
the WIF sample application.
3. In Application URI, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path to
the sample application that will trust the incoming claims from the federation server. Click Next to
continue.

4. On the Security Token Service page, select Use an existing STS, type
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS
WS-Federation metadata document location, and then click Next to continue. In the warning, click
Yes.

5. On the Security token encryption page, select No encryption, and then click Next.

6. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.

7. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.

8. Click OK.

X Task 4: Configure a relying party trust for the claims aware application
1. On LON-DC1, in the AD FS Management console, click AD FS.

2. In the middle pane, click Required: Add a trusted relying party.

3. On the Welcome page of the Add relying party Trust Wizard, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.

5. Click Next to continue.

Note: This action prompts the wizard to check for the MetaData of the application that the
web server role hosts.

6. On the Specify Display Name page, in the Display name box, type ADatum Test App, and then
click Next.

7. On the Choose Issuance Authorization Rules page, ensure that the Permit all users to access this
relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.

9. On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.

X Task 5: Configure claim rules for the relying party trust


1. In the Edit Claim Rules for WIF Sample Claims App window, on the Issuance Transform Rules tab,
click Add Rule. The Add Transform Claim Rule Wizard opens.

2. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.

Note: This action passes an incoming claim through to the user by means of Windows
Integrated Authentication.

3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name
rule. In the Incoming claim type drop-down list, select Windows account name, and then click
Finish.

4. Click Add Rule.



5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.

6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the
Incoming claim type drop-down list, select E-mail Address, and then click Finish.

7. Click Add Rule.

8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.

9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming
claim type drop-down list, select UPN, and then click Finish.

10. Click Add Rule.

11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.

12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming
claim type drop-down list, select Name, and then click Finish.

13. Click Apply, and then click OK.

X Task 6: Test the access to the claims aware application


1. On LON-CL1, open Internet Explorer.

2. Connect to https://lon-svr1.adatum.com/AdatumTestApp/.

Note: Ensure that you type the trailing "/".

3. If you are prompted for credentials, type Adatum\Brad with password Pa$$w0rd, and then press
Enter. The page renders, and then you see the claims that were processed to allow access to the web
site.

Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.

Exercise 4: Configure AD FS for Federated Business Partners


X Task 1: Add a claims provider trust for the TreyResearch.com AD FS server
1. On LON-DC1, if required, in Server Manager, click Tools, and click AD FS Management.

2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

3. In the Actions pane, click Add Claims Provider Trust.

4. On the Welcome page, click Start.


5. On the Select Data Source page, select Import data about the claims provider published online
or on a local network, type https://mun-dc1.treyresearch.com, and then click Next.

6. On the Specify Display Name page, click Next.

7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to
save the configuration.

8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for
mun-dc1.treyresearch.com window appears.

9. On the Acceptance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click
Next.

11. In the Claim rule name box, type Pass through Windows account name rule.

12. In the Incoming claim type drop-down list, select Windows account name.

13. Select Pass through all claim values, and then click Finish. Click Yes.

14. Click OK, and then close the AD FS console.

15. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell.

16. At the prompt, type the following command, and then press Enter:

Set-ADFSClaimsProviderTrust -TargetName "mun-dc1.treyresearch.com" -SigningCertificateRevocationCheck None

17. Close the Windows PowerShell window.

X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum’s claim aware
application
1. On MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS console, on the Overview page, click Required: Add a trusted relying party.

3. On the Welcome page, click Start.

4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, type https://lon-dc1.adatum.com, and then click Next.

5. On the Specify Display Name page, in the Display name box, type Adatum TestApp, and then
click Next.
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.

7. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save
the configuration.

8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for Adatum TestApp window
appears.
9. On the Issuance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming claim, and then click
Next.

11. In the Claim rule name box, type Pass through Windows account name rule.

12. In the Incoming Claim type drop-down list, select Windows account name.

13. Select Pass through all claim values, and then click Finish.

14. Click OK, and then close the AD FS console.

X Task 3: Verify access to the A. Datum Test Application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/.

Note: The logon process has changed, and you must now select an authority that can
authorize and validate the access request. The Home Realm Discovery page (the Sign In page)
appears, and you must select an authority.

2. On the Sign In page, select mun-dc1.treyresearch.com, and then click Continue to Sign in.

3. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
4. Close Internet Explorer.

5. Open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp/ again.

6. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.

7. Close Internet Explorer.

Note: You are not prompted for a home realm again. Once users have selected a home
realm and been authenticated by a realm authority, they are issued with an _LSRealm cookie by
the relying party Federation Server. The default lifetime for the cookie is 30 days. Therefore, for
us to log on multiple times, we should delete that cookie after each logon attempt to return to a
clean state.

X Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a certain group
1. On MUN-DC1, in the AD FS console, expand Trust Relationships, and then click Relying Party Trusts.

2. Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.
3. On the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click
Add Rule.

4. On the Select Rule Template page, under Claim rule template, select Send Group Membership as
a Claim, and then click Next.

5. On the Configure Rule page, in Claim rule name, type Permit Production Group Rule.

6. Beside User’s Group, click Browse, type Production and click OK.

7. Under Outgoing claim type, click Group.

8. Under Outgoing claim value, type Production, click Finish and then click OK.

9. On LON-DC1, if required, open the AD FS Management console.

10. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

11. Select mun-dc1.treyresearch.com, and in the Actions pane, click Edit Claim Rules.

12. On the Acceptance Transform Rules tab, click Add Rule.

13. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.

14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.

15. In the Incoming claim type drop-down list, click Group, and click Finish. Click Yes and then click
OK.

16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.

17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.

18. On the Issuance Transform Rules tab, click Add Rule.

19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.

20. Under Claim rule name, type Send TreyResearch Group Name Rule.

21. In the Incoming claim type drop down list, click Group. Click Finish.

22. On the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab,
select the rule named Permit Access to All Users, and click Remove Rule. Click Yes to confirm. With
no rules, no users are permitted access.

23. On the Issuance Authorization Rules tab, click Add Rule.

24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.

25. On the Configure Rule page, in Claim rule name type Permit TreyResearch Production Group
Rule, in the Incoming claim type drop-down list, select Group. In Incoming claim value, type
Production, select the option to Permit access to users with this incoming claim, and then click
Finish.

26. On the Issuance Authorization Rules tab, click Add Rule.

27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.

28. On the Configure Rule page, in Claim rule name type Temp, in the Incoming claim type drop-
down list, select UPN. In Incoming claim value, type @adatum.com, select the option to Permit
access to users with this incoming claim, and then click Finish.

29. Click the Temp rule, and click Edit Rule.

30. In the Edit Rule - Temp dialog box, click View Rule Language.
31. Press Ctrl + C to copy the rule language to the clipboard. Click OK.

32. Click Cancel.

33. Click the Temp rule, click Remove Rule, and then click Yes.

34. On the Issuance Authorization Rules tab, click Add Rule.

35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a
Custom Rule, and then click Next.

36. On the Configure Rule page, type ADatum User Access Rule as the Claim rule name.

37. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit
the first URL to match the following text, and then click Finish:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Note: This rule permits access to anyone who presents a UPN claim that ends in @adatum.com.
The Value expression in the first URL defines the pattern that must be matched in the claim. In
this pattern, ^ anchors the match to the beginning of the string, (?i) makes the match case
insensitive, .+ matches one or more characters before the @, \. matches a literal dot, and $ anchors
the match to the end of the string.

38. Click OK to close the property page and save the changes to the relying party trust.
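The claim rules from Task 1 and Task 4 of this exercise, written against the AD FS PowerShell module instead of the console; this is an added example and not part of the 20417A courseware. It assumes the trusts already exist under the display names typed in the lab ("mun-dc1.treyresearch.com" and "ADatum Test App") and runs in an elevated session on LON-DC1.

```powershell
# Added example (not from the 20417A lab): claims provider acceptance rules and relying
# party issuance authorization rules, set and then checked from PowerShell.
Import-Module ADFS

# Claim type URIs used by the lab's rules.
$WinAcctType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$UpnType     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$GroupType   = "http://schemas.xmlsoap.org/claims/Group"
$PermitType  = "http://schemas.microsoft.com/authorization/claims/permit"

# Task 1 (steps 9-13) and Task 4 (steps 12-15): accept only the Windows account name and
# Group claims the partner issues. Claims of any other type from mun-dc1 are dropped here,
# so the partner cannot assert, say, an @adatum.com UPN into the next rule set.
$acceptance = @"
@RuleName = "Pass through Windows account name rule"
c:[Type == "$WinAcctType"] => issue(claim = c);
@RuleName = "Send Production Group Rule"
c:[Type == "$GroupType"] => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName "mun-dc1.treyresearch.com" -AcceptanceTransformRules $acceptance
# The lab also sets -SigningCertificateRevocationCheck None on this trust (Task 1, step 16).
# That is a lab convenience; keep the default revocation check outside the lab.

# Task 4 (steps 22-37): replace "Permit Access to All Users" with two explicit permits.
# An empty issuance authorization rule set admits nobody, which is the safe starting point.
$authorization = @"
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "$GroupType", Value == "Production"]
 => issue(Type = "$PermitType", Value = "PermitUsersWithClaim");
@RuleName = "ADatum User Access Rule"
c:[Type == "$UpnType", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "$PermitType", Value = "PermitUsersWithClaim");
"@
Set-AdfsRelyingPartyTrust -TargetName "ADatum Test App" -IssuanceAuthorizationRules $authorization

# Read the rules back and exercise the UPN pattern with a few constructed values before
# relying on it: the pattern is anchored, so look-alike suffixes must not match.
$rules = (Get-AdfsRelyingPartyTrust -Name "ADatum Test App").IssuanceAuthorizationRules
$upnPattern = [regex]::Match($rules, 'Value =~ "([^"]+)"').Groups[1].Value
foreach ($upn in "brad@adatum.com", "Brad@ADATUM.COM", "april@treyresearch.com", "x@adatum.com.example") {
    "{0,-26} matches: {1}" -f $upn, ($upn -match $upnPattern)
}
```

The last loop prints True for the two @adatum.com values (the second only because of (?i)) and False for the other two.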

X Task 5: Verify restrictions and accessibility to the claims aware application


1. On MUN-DC1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp/.

2. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then
press Enter.

Note: April is not a member of the Production group, so she should not be able to access
the application.

3. Close Internet Explorer.

4. Open Internet Explorer, click the Settings icon in the top-right corner, and then click Internet
options.

5. Under Browsing history, click Delete, click Delete again, and then click OK.

6. Connect to https://lon-svr1.adatum.com/adatumtestapp/.

7. Select mun-dc1.treyresearch.com on the Sign In page, and then click Continue to Sign in.

8. When prompted for credentials, type TreyResearch\Morgan with the password Pa$$w0rd, and then
press Enter.

Note: Morgan is a member of the Production group, so she should be able to access the
application.

9. Close Internet Explorer.

X Task 6: To shut down the virtual machines


1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-MUN-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-CL1, 20417A-LON-SVR1 and 20417A-LON-DC1.

Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a
relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claim-aware
application. Then you configured the application to restrict access from TreyResearch.com to specific
groups, and you verified appropriate access.