Upgrading Your Skills To MCSA Windows Server 2012: Official Microsoft Learning Product
20417A
Upgrading Your Skills to MCSA Windows Server® 2012
MCT USE ONLY. STUDENT USE PROHIBITED
ii Upgrading Your Skills to MCSA Windows Server® 2012
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Released: 08/2012
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. “End User” means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. “Microsoft IT Academy Member” means a current, active member of the Microsoft IT Academy
Program.
h. “Microsoft Learning Competency Member” means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. “Microsoft Official Course” or “MOC Course” means the Official Microsoft Learning Product instructor-
led courseware that educates IT professionals or developers on Microsoft technologies.
j. “Microsoft Partner Network Member” or “MPN Member” means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. “Personal Device” means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. “Trainer Content” means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of “customize” refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (“beta”) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (“beta term”). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone else’s use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• install more copies of the Licensed Content on devices than the number of licenses you acquired;
• allow more individuals to access the Licensed Content than the number of licenses you acquired;
• publicly display, or make the Licensed Content available for others to access or use;
• install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
• access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
• access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
• transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Note: Since this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is provided "as is". Any use of this
licensed content is at your own risk. Microsoft grants no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it.
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Installing and Configuring Servers Based on Windows Server 2012
Lesson 1: Installing Windows Server 2012 1-2
Lesson 2: Configuring Windows Server 2012 1-13
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers 1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012 1-25
Course Description
Note: This first release (“A”) Microsoft® Official Courses (MOC) version of course 20417A has
been developed on Windows Server® 2012 RC. Microsoft Learning will release a “B” version of
this course after the release-to-manufacturing (RTM) version of the software is available.
This course is designed primarily for people who want to upgrade their technical skills from Windows
Server 2008 and Windows Server 2008 R2 to Windows Server 2012. It presumes a high level of knowledge
about previous Windows Server versions. This course also serves as preparation for taking exam 70-417,
on the upgrade path to a new MCSA: Windows Server 2012 certification.
Audience
The primary audience for this course is Information Technology (IT) professionals who are experienced
Windows Server 2008 Server Administrators, and who carry out day-to-day management and
administrative tasks, and want to update their skills and knowledge to Windows Server 2012.
The secondary audience for this course includes candidates who hold existing credentials in Windows
Server 2008 at Technology Specialist (TS) or Professional (PRO) level, and who want to migrate their
current credentials to the new credential of Microsoft Certified Solutions Associate (MCSA) with Windows
Server 2012.
Student Prerequisites
In addition to their professional experience, students who attend this training should have the following
technical knowledge:
• Two or more years of experience deploying and managing Windows Server 2008
• Experience with Windows Server 2008 server virtualization technologies and implementation
Students attending this course are expected to have passed the following exams, or have equivalent
knowledge:
• Exam 70-640: Windows Server 2008 Active Directory, Configuring
Course Objectives
After completing this course, students will be able to:
• Provide high availability for network services and applications by implementing failover clustering.
• Configure Dynamic Access Control to manage and audit access to shared files.
• Implement the new features in Active Directory Domain Services (AD DS) for Windows Server 2012.
• Plan and implement an Active Directory Federation Services (AD FS) deployment.
Course Outline
This section provides an outline of the course:
Exam/Course Mapping
This course, 20417A: Upgrading Your Skills to MCSA Windows Server 2012, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-417: Upgrading Your Skills to MCSA Windows
Server 2012.
The below table is provided as a study aid that will assist you in preparation for taking this exam and
to show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will use the unique experience and skills of your qualified Microsoft
Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab2.
Important: Attending this course in itself will not successfully prepare you to pass any
associated certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
• Experience with implementing, managing and administering a Windows Server 2008 and Windows
Server 2008 R2 environment
• Minimum of one to two years of real-world, hands-on experience installing and configuring a Windows
Server infrastructure
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab1
The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to
change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s
needed.
• Course evaluation: At the end of the course, you have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Important: At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab. For the Module 8
lab, you should leave the virtual machines running for the Module 9 lab.
The following table shows the role of each virtual machine used in this course:
Virtual machine Role
20417A-LON-CL1 Client computer running Windows® 8 and Office 2010 Service Pack 1 (SP1) in the Adatum.com domain
Software Configuration
The following software is installed on each virtual machine:
• Windows 8 RP
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Hardware Level 6
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*
• DVD drive
• Network adapter
Module 1
Installing and Configuring Servers Based on Windows Server 2012
Contents:
Module Overview 1-1
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers 1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012 1-25
Module Overview
Knowing the capabilities of the Windows Server® 2012 operating system enables you to use it effectively,
and to take complete advantage of what it can offer your organization. Some of the many improvements
to Windows Server 2012 include:
Objectives
After completing this module, you will be able to:
Lesson 1
Installing Windows Server 2012
You must have a firm understanding of your organization's requirements so that you can deploy the
appropriate edition of Windows Server 2012. You must also understand which hardware configuration
is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a
physical deployment, and which installation source enables you to deploy Windows Server 2012
efficiently.
This lesson provides an overview of the different Windows Server 2012 editions, hardware requirements,
deployment options, and installation process.
Lesson Objectives
After completing this lesson, you will be able to:
• Determine whether a particular hardware configuration is appropriate for Windows Server 2012.
• Explain how to perform a physical or a virtual deployment of Windows Server 2012.
• Select an appropriate installation source for a Windows Server 2012 deployment.
• Perform post-installation configuration tasks.
Edition Description
Windows Server 2012 Standard edition
• Provides all roles and features available on the Windows Server 2012 platform.
• Supports up to 64 sockets and up to 4 terabytes (TB) of RAM.
• Includes 2 virtual machine licenses.
Windows Server 2012 Datacenter edition
• Provides all roles and features that are available on the Windows Server 2012 platform.
• Supports 64 sockets, up to 640 processor cores, and up to 4 terabytes of RAM.
• Includes unlimited virtual machine licenses for virtual machines run on the same hardware.
Windows Server 2012 Foundation edition
• Allows only 15 users and cannot be joined to a domain.
• Supports one processor core and up to 32 GB of RAM.
• Includes limited server roles.
Windows Server 2012 Essentials
• Serves as the next edition of Small Business Server.
• Cannot function as a Hyper-V, failover clustering, server core, or remote desktop services server.
• Supports up to 25 users, 50 devices.
• Supports 2 processor cores and 64 GB of RAM.
• Must be root server in domain.
Microsoft Hyper-V Server 2012
• Stand-alone Hyper-V platform for virtual machines with no UI.
• No licensing cost for host OS; virtual machines are to be licensed normally.
• Supports 64 sockets and 4 TB of RAM.
• Supports domain join.
• Does not support Windows Server 2012 roles other than limited file services features.
Windows Storage Server 2012 Standard
• Supports 64 sockets, but is licensed on a 2 socket incrementing basis.
• Supports 4 TB of RAM.
• Includes 2 virtual machine licenses.
• Supports domain join.
• Supports some roles, including DNS and DHCP Server roles, but does not support others, including
Active Directory® Domain Services (AD DS), Active Directory Certificate Services (AD CS), and Active
Directory Federation Services (AD FS).
Windows MultiPoint Server 2012 Standard
• Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and
monitors.
• Supports one socket, 32 GB of RAM and a maximum of 12 sessions.
• Supports some roles, including DNS and DHCP Server roles, but does not support others, including AD DS,
AD CS, and AD FS.
• Does not support domain join.
Windows MultiPoint Server 2012 Premium
• Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and
monitors.
• Limited to 2 sockets, 4 TB of RAM and a maximum of 22 sessions.
• Supports some roles, including DNS and DHCP Server roles, but does not support others, including AD DS,
AD CS, and AD FS.
• Supports domain join.
Hardware Requirements for Installing Windows Server 2012
Hardware requirements define the absolute minimum required to run the server software. The actual
hardware requirements depend on the services that the server is hosting, the load on the server, and how
responsive you want the server to be.
The minimum hardware requirements for Windows Server 2012 are shown in the following table.
Component Requirement
Processor architecture x86-64
Processor speed 1.4 GHz
Memory (RAM) 512 MB
Hard disk drive space 32 GB, or more if the server has more than 16 GB of RAM
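As an added example that is not part of the course material, the following PowerShell function checks a machine against the minimum values in the table above, reading the processor, memory and disk figures from the Win32_Processor, Win32_ComputerSystem and Win32_LogicalDisk CIM classes. The thresholds are the course's; the function name, the output layout and the -SystemDrive default are this example's own choices.

```powershell
# Added example (not course code): compare a machine with the Windows Server 2012
# minimum hardware requirements. Thresholds come from the course table; the
# function name and output shape are assumptions made for this example.
function Test-WS2012Readiness {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$SystemDrive  = 'C:'   # assumption: the volume that will hold the OS
    )

    # Minimums from the course table
    $minCpuMHz = 1400
    $minRamMB  = 512
    $minDiskGB = 32
    $ramNoteGB = 16    # above this much RAM the course requires "more than 32 GB" of disk

    $cpu  = Get-CimInstance -ClassName Win32_Processor -ComputerName $ComputerName |
            Select-Object -First 1
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $ComputerName `
            -Filter "DeviceID='$SystemDrive'"

    $ramMB  = [math]::Round($sys.TotalPhysicalMemory / 1MB)
    $diskGB = [math]::Round($disk.Size / 1GB)

    $findings = @()
    if ($cpu.AddressWidth -ne 64) {
        $findings += "Processor is not 64-bit (AddressWidth=$($cpu.AddressWidth))"
    }
    if ($cpu.MaxClockSpeed -lt $minCpuMHz) {
        $findings += "Processor speed $($cpu.MaxClockSpeed) MHz is below $minCpuMHz MHz"
    }
    if ($ramMB -lt $minRamMB) {
        $findings += "RAM $ramMB MB is below $minRamMB MB"
    }
    if ($diskGB -lt $minDiskGB) {
        $findings += "Disk $SystemDrive is $diskGB GB, below $minDiskGB GB"
    }
    # The course gives no figure beyond "more than 32 GB", so flag this case for review
    if ($ramMB -gt ($ramNoteGB * 1024) -and $diskGB -le $minDiskGB) {
        $findings += "RAM exceeds $ramNoteGB GB; plan more than $minDiskGB GB on $SystemDrive"
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Processor    = $cpu.Name
        ClockMHz     = $cpu.MaxClockSpeed
        Is64Bit      = ($cpu.AddressWidth -eq 64)
        RamMB        = $ramMB
        DiskGB       = $diskGB
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: run on the existing operating system before an in-place upgrade, or point
# -ComputerName at a remote server that accepts WinRM connections.
Test-WS2012Readiness | Format-List
```

TotalPhysicalMemory reports the memory visible to the running operating system, which is slightly less than the installed amount, so a machine with exactly 512 MB fitted will report a little under the minimum; read the Findings list rather than the Ready flag alone in that case.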
Considerations for Deploying Physical or Virtual Machines
With virtualization you can be more efficient in the way that you allocate resources to servers. Instead
of allocating separate hardware to a server that minimally uses resources, you can virtualize that
server and enable those minimally used hardware resources to be shared with other virtual machines.
When determining whether to deploy a server physically or virtually, you must determine how
that server uses hardware resources. Consider these points:
• Servers that put minimal pressure on hardware resources are good candidates for virtualization. These
servers are unlikely to monopolize the host resources, ensuring that each virtual machine hosted on
the hypervisor can access enough hardware resources to perform adequately.
For example, a particular database server that heavily uses disk and network resources would be better
deployed on a physical computer. If it were deployed as a virtual machine, other virtual machines on the
same hypervisor would have to compete for access to those heavily-used disk and network resources.
Alternatively, allocating a physical platform to a server that requires minimal hardware resources, such as
a server running Certificate Services, means that powerful hardware is underused.
Other things to consider when determining whether to deploy a server virtually or physically are:
• Scalability. Moving a virtual machine with its associated applications and data to a new host platform
is significantly simpler than migrating a physically deployed server, its applications, and data to a new
host platform. If you must quickly scale up capacity, you can also migrate a virtual machine to a cloud
provider, something that is far more difficult to do with a physically deployed server.
Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format. You can install Windows Server 2012 by using several methods, including those listed in the following table.

Method Notes
Optical media • Requires that the computer has access to a DVD drive.
• Optical media is usually slower than USB media.
• You cannot update the installation image without replacing the media.
• You can only perform one installation per DVD at a time.
USB media • Requires the administrator to perform special steps to prepare bootable USB media from the ISO file.
• Most current computers support booting from USB media.
• The image can be updated as new software updates and drivers become available.
• An answer file can be stored on the USB drive, reducing the interaction that the administrator must perform.
Mounted ISO image • Virtualization software enables you to directly mount the ISO image.
• Does not require writing the ISO image to optical media.
Windows Deployment Services (WDS) • WDS lets you deploy Windows Server 2012 from Windows Imaging Format (WIM) image files or specially prepared VHD files.
• You can use the Windows Automated Installation Kit to configure lite-touch deployment.
• Clients perform a Pre-Boot Execution Environment (PXE) boot to contact the WDS server. The operating system image is then transmitted to the client over the network.
• WDS supports multiple concurrent installations of Windows Server 2012 using multicast network transmissions.
System Center Configuration Manager • Microsoft® System Center Configuration Manager enables you to fully automate the deployment of Windows Server 2012 to “bare metal” servers.
• Enables Zero Touch deployment.
Virtual Machine Manager templates • Requires Virtual Machine Manager (VMM) in System Center.
• Enables rapid deployment of Windows Server 2012 in private cloud scenarios.
• Can be used to enable self-service deployment of Windows Server 2012 virtual machines.
Options for Upgrading and Migrating to Windows Server 2012
When considering whether to upgrade or migrate a server to Windows Server 2012, consider the options described in the following table.

Installation option Description
Migration Use migration when you migrate from an x86 version of Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. Also use migration when you want to replace the original server with one running a lower edition, for example replacing Windows Server 2008 R2 Enterprise edition with Windows Server 2012 Standard edition. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings from computers running the Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 operating systems.
Choosing Between Server Core and Full Installation
Server Core is a minimal installation option for Windows Server 2012. With Server Core, you perform management tasks locally from the command line or remotely from another computer. Server Core is the default installation option for Windows Server 2012. Server Core has the following advantages over a traditional deployment of Windows Server 2012:

• Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. This means that when virtualized, more servers can be deployed on the same host.

Increasing numbers of Microsoft server applications are designed to run on computers that have Server Core installations. For example, Microsoft SQL Server® 2012 can be installed on computers running the Server Core version of Windows Server 2008 R2.

There are two options for installing Server Core, as described in the following table.

Option Description
Server Core This is the standard deployment of Server Core. By default, all graphical administration components are in a Removed state. Simply stated, Removed components occupy no disk space on the server. Server Core systems are managed locally by using the command-line interface only, or can be managed from a remote system using graphical administration tools. You can convert to the full version of Windows Server 2012 that includes the graphical administration components only if you have access to an installation source with all server files, such as a mounted WIM image. Any Server Core component in a Removed state can only be installed by using an installation source.
Server Core with Management This is also known as Server Core-Full Server. This works the same as a deployment of Windows Server 2012 with the graphical components. With this installation option, the graphical administration components are not in a Removed state. Instead, these components are available (they are located on the server’s disk), but not installed into the OS. You can convert between Server Core with Management and Windows Server 2012 with a graphical interface by installing the graphical features, without having to specify an installation source.
On a local connection, you can use the tools described in the following table to manage Server Core
installations of Windows Server 2012.
Tool Function
PowerShell.exe Enables you to start a Windows PowerShell session on the Server Core
deployment. You can then perform Windows PowerShell tasks as usual.
Sconfig.cmd Command-line menu driven administrative tool that enables you to perform
most common server administrative tasks.
Notepad.exe Enables you to use the Notepad.exe Text Editor in the Server Core environment.
Registry Editor Provides registry access within the Server Core environment.
Msinfo32.exe Enables you to view system information about the Server Core deployment.
Note: If you accidentally close the Command Prompt window on a computer running
Server Core, you can restore it using this procedure:
1. Press Ctrl+Alt+Delete.
Server Core supports most, but not all, Windows Server 2012 roles and features. You cannot install the
following roles on a computer running Server Core:
1. AD FS
2. Application Server
Even if a role is available to a computer running the Server Core installation option, a specific role service
associated with that role may not be.
Note: You can check which roles are not available on Server Core by running the following
query.
The Windows Server 2012 administration model focuses on managing many servers from one console
instead of the traditional method of managing each server separately. When you want to perform an
administrative task, you are more likely to manage multiple computers running the Server Core operating
system from one computer than you are to connect to each computer individually. You can enable
remote management of a computer running Server Core by using sconfig.cmd or by executing the
command:
o Inserting a DVD-ROM that has the Windows Server 2012 installation files and booting from the
DVD-ROM.
o Connecting a USB drive that is made bootable and contains a copy of the Windows Server 2012
installation files.
o Performing a PXE boot from the computer that Windows Server 2012 will be installed on to, and
connecting to a WDS server.
2. On the first page of the Windows Setup Wizard, select the following:
o Language to install
3. On the second page of the Windows Setup Wizard, click Install now. You can also use this page to
select Repair Your Computer. Use this option if an installation has become corrupted and you can
no longer boot into Windows Server 2012.
4. On the Select The Operating System You Want To Install page of the Windows Setup Wizard,
select from the available operating system installation options. The default option is Server Core
installation.
5. On the License Terms page of the Windows Setup Wizard, review the terms of the operating system
license. You must accept the license terms before you can continue with the installation process.
6. On the Which Type Of Installation Do You Want page of the Windows Setup Wizard, you have the
following options:
o Upgrade. Select this option if you have an existing Windows Server installation that you want to
upgrade to Windows Server 2012. You should start upgrades from the earlier version of Windows
Server instead of booting from the installation source.
7. On the Where do you want to install Windows page of the Windows Setup Wizard, select an
available disk on which to install Windows. You can also choose to repartition and reformat disks
from this page. When you click Next, the installation process will copy files and restart the computer
several times. This part of the installation can take several minutes, depending on the speed of the
platform on which you are installing Windows Server 2012.
8. On the Settings page, provide a password for the local Administrator account. After you have provided this password, you can log on to the server and begin performing post-installation configuration tasks.
Post-Installation Tasks
In earlier versions of Windows operating systems, the installation required you to configure network connections, computer name, user account, and domain membership information. The Windows Server 2012 installation process reduces the number of questions that you have to answer. The only information that you provide during installation is the password that is used by the default local Administrator account. The remaining configuration is performed after installation, and typically includes the following tasks:
• Configure the IP address
• Join an Active Directory domain
• Configure the time zone
• Enable automatic updates
Lesson 2
Configuring Windows Server 2012
By correctly configuring a server first, you can avoid significant problems later. When planning to
configure a server, you must determine what roles to deploy. You must also assess whether roles can be
co-located on the same server or if you deploy certain roles on separate servers.
Lesson Objectives
After completing this lesson you will be able to:
• Install roles and use the Best Practice Analyzer to check role configuration.
• Switch a computer between Server Core and the full GUI installation option.
Demonstration Steps
1. On LON-DC1, open the Add Roles and Features Wizard from the Server Manager Console.
2. Start the Add Roles and Features Wizard and select the following options:
o Role-based or feature-based installation
o LON-DC1
o BranchCache feature
5. Configure the DNS - Events Detail View with the following settings:
o Severity Levels: All
9. Open Windows PowerShell and then use the shutdown command to shut the server down.

Role Function
AD DS Centralized store of information about network objects including user and computer accounts. Used for authentication and authorization.
AD FS Provides web single sign-on (SSO) and secured identity federation support.
Application Server Supports centralized management and hosting of high-performance distributed business applications, such as those built with the .NET Framework 4.5 and Enterprise Services.
DHCP Server Provisions client computers on the network with temporary IP addresses.
DNS Server Provides name resolution for TCP/IP networks.
Fax Server Supports sending and receiving of faxes. Also enables you to
manage fax resource on the network.
File and Storage Services Supports the storage and management of shared folders,
Distributed File System, and network storage.
Network Policy and Access Services Authorization infrastructure for remote connections, including
Health Registration Authority for Network Access Protection.
Volume Activation Services New to Windows Server 2012. Enables you to automate and
simplify the management of volume license keys and volume
key activation. Also enables you to manage a Key
Management Service host or configure AD DS-based
activation for computers that are members of the domain.
Web Server (IIS) The Windows Server 2012 web server component.
Windows Deployment Services Enables you to deploy server operating systems to clients over
the network.
Windows Server Update Services Provides a method of deploying updates for Microsoft
products to computers on the network.
When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s
configuration, such as firewall settings, to support the role. When you deploy a role, Windows Server 2012
automatically deploys role dependencies at the same time. For example, when you install the Windows
Server Update Services role, Windows Server 2012 also installs the Web Server (IIS) role components that
WSUS requires.
You add and remove roles using the Add Roles and Features Wizard, available from the Server Manager
console. You can also add and remove roles using the Install-WindowsFeature and Remove-
WindowsFeature Windows PowerShell cmdlets.
Demonstration: Installing and Optimizing Server Roles in Windows Server 2012
In this demonstration you will see how to install and optimize a server role in Windows Server 2012.
Demonstration Steps
1. Use the Add Roles and Features Wizard to add the Application Server role to LON-DC1.

Configuring Server Core in Windows Server 2012
You must perform several aspects of post-installation configuration of Server Core operating systems from the command line. You can perform most post-installation configuration tasks using the menu-driven command prompt utility sconfig.cmd. By using this utility, you minimize the possibility of the administrator making syntax errors when using more complex command-line utilities. You can use sconfig.cmd to perform the following tasks:
• Download and install updates
• Perform Windows Activation
• Enable the Graphical User Interface
• Log off
• Restart the server
• Shut down the server

Configure IP Address Information
You can configure the IP address and DNS information by using sconfig.cmd or netsh.exe. To configure IP address information by using sconfig.cmd, perform the following steps:
1. At the command prompt, type sconfig.cmd and press Enter.
2. Select option 8 to configure Network Settings.
3. Select the index number of the network adapter to which you want to assign an IP address.
4. In the Network Adapter Settings area, select between one of the following options:
You can change a server name using sconfig.cmd by performing the following steps:
You must restart a server for the configuration change to take effect.
To join a server core computer to the domain using sconfig.cmd, perform the following steps:
4. Type the name of the domain to which you want to join the computer.
5. Provide the details of an account authorized to join the domain in domain\username format.
Note: Before joining the domain, verify that you can ping the DNS server by host name.
Install-WindowsFeature NLB
You can add a role or feature that is not available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation image that includes the full version of Windows Server 2012. You can mount an installation image using the DISM.exe command prompt utility.

Switching Between Server Core, Full, and Minimal Server Interface Options
Windows Server 2012 offers the option of switching between Server Core and the full installation. When you install Server Core, the necessary components to convert to the full version are not installed. You can install these if you have access to a mounted image of the full version of the Windows Server 2012 installation files.

Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount

• Graphical Management Tools and Infrastructure

The Minimal Server Interface differs from Server Core because it has all components available and does not require you to provide access to a mounted directory that contains the full version of the Windows Server 2012 installation files. You can use the Install-WindowsFeature command without specifying a source location when you convert the Minimal Server Interface to the full installation of Windows Server 2012. The advantage of the Server Core installation option over the Minimal Server Interface is that, even though they look similar, Server Core requires a smaller amount of hard disk space as it does not have all components available for installation.
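The following PowerShell session is an added example, not the course's own code, that ties these steps together: it lists which features are in the Removed state on a Server Core computer (the role availability check referred to earlier in this lesson), takes an inventory of what is installed, uses DISM.exe to find the image index of the full edition inside install.wim, and installs the graphical management features with -Source in its wim:<path>:<index> form, which avoids mounting the image first. The drive letter D: for the installation media and image index 4 are assumptions; use the index that Dism /Get-WimInfo reports for your media.

```powershell
# Added example: inspecting feature state on Server Core and converting to
# the full installation directly from the installation media.
Import-Module ServerManager

# Features whose binaries are not on this computer at all. On Server Core the
# graphical shell and management tools report the 'Removed' install state and
# can only be added from an installation source.
Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Removed' } |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# Features that are installed: a quick inventory of the server's attack surface.
Get-WindowsFeature | Where-Object { $_.Installed } |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# Identify the image index of the full (non-Core) edition in install.wim.
# Assumption: the installation media is attached as drive D:.
Dism.exe /Get-WimInfo /WimFile:D:\sources\install.wim

# Install the graphical management tools and the full shell from that image.
# The wim:<path>:<index> form of -Source reads the WIM directly, so no
# DISM mount is needed. Index 4 is an assumption; use the index shown above.
Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
    -Source 'wim:D:\sources\install.wim:4' -Restart

# To return to Server Core later, no source is needed. Adding -Remove also
# deletes the binaries from disk (Removed state), which is what keeps the
# Server Core footprint smaller than the Minimal Server Interface:
#   Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Remove -Restart
```

Server-Gui-Mgmt-Infra and Server-Gui-Shell are the two features that make up the User-Interfaces-Infra group used in the command above; installing only Server-Gui-Mgmt-Infra yields the Minimal Server Interface, while adding Server-Gui-Shell yields the full installation.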
Configuring Networking and Network Interface Teaming
Configuring the network involves setting or verifying the server’s IP address configuration. By default, a newly-deployed server tries to obtain IP address information from a DHCP server. You can view a server’s IP address configuration by clicking the Local Server node in Server Manager.

Note: If you are using a purely IPv6 network, an IPv4 address in this range is not a problem, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, “Implementing IPv6.”

Configuration Using Server Manager
To manually configure IP address information for a server, perform the following steps:
1. In the Server Manager console, click the address next to the network adapter that you want to configure. This will open the Network Connections window.
o IP address
o Subnet Mask
o Default Gateway
o Alternative DNS server
Netsh interface ipv4 set address “Local Area Connection” static 10.10.10.10 255.255.255.0
You can use the same context of the netsh.exe command to configure DNS configuration. For example, to
configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as
the primary DNS server, type the following command:
Netsh interface ipv4 set dnsservers “Local Area Connection” static 10.10.10.5 primary
Windows Server 2012 supports up to 32 network adapters in a team. When a computer has separate
network adapters that are not part of a team, incoming and outgoing traffic may not be balanced across
those adapters. Network Card Teaming also provides bandwidth aggregation, ensuring that traffic is
balanced across network interfaces as a way to increase effective bandwidth.
1. Ensure that the server has more than one network adapter.
3. Click Disabled next to Network Adapter Teaming. This opens the NIC Teaming dialog box.
4. In the NIC Teaming dialog box, press the Ctrl key, and then click each network adapter that you
want to add to the team.
5. Right-click these selected network adapters, and then click Add to New Team.
6. In the New Team dialog box, enter a name for the team, and then click OK.
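The netsh.exe commands above and the Server Manager teaming steps both have PowerShell equivalents in Windows Server 2012 (the NetTCPIP and NetLbfo modules), which is what you would use on Server Core or when configuring many servers remotely. The following script is an added example, not from the course: it creates a switch-independent team from two adapters, assigns the static address and DNS server used in the netsh examples to the team interface, and verifies the result. The member adapter names Ethernet and Ethernet 2, the team name LAN-Team, and the default gateway 10.10.10.1 are assumptions.

```powershell
# Added example: NIC teaming and static addressing with the NetLbfo and
# NetTCPIP modules (Windows Server 2012). Adapter names, team name and the
# default gateway are assumed values.
$Members   = 'Ethernet', 'Ethernet 2'
$TeamName  = 'LAN-Team'
$Address   = '10.10.10.10'
$Prefix    = 24                 # 255.255.255.0
$Gateway   = '10.10.10.1'
$DnsServer = '10.10.10.5'

# A team needs at least two physical adapters; fail early if they are missing.
$present = @(Get-NetAdapter -Name $Members -ErrorAction SilentlyContinue)
if ($present.Count -lt 2) {
    throw "Not all of the adapters $($Members -join ', ') were found."
}

# Switch-independent mode needs no switch configuration. In Windows Server 2012
# the load-balancing choices are TransportPorts, IPAddresses, MacAddresses and
# HyperVPort (Dynamic was added in 2012 R2).
New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
    -Confirm:$false | Out-Null

# The team presents a new virtual adapter; give it a few seconds to come up.
Start-Sleep -Seconds 10
$teamNic = Get-NetLbfoTeamNic -Team $TeamName

# Drop any DHCP-assigned IPv4 address on the team adapter, then set a static
# address and DNS server (the PowerShell equivalent of the two netsh commands).
Remove-NetIPAddress -InterfaceAlias $teamNic.Name -AddressFamily IPv4 `
    -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $teamNic.Name -IPAddress $Address `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $teamNic.Name -ServerAddresses $DnsServer

# Verify: team configuration, member status, and the resulting IP settings.
Get-NetLbfoTeam -Name $TeamName | Format-List Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetLbfoTeamMember -Team $TeamName | Format-Table Name, OperationalStatus -AutoSize
Get-NetIPConfiguration -InterfaceAlias $teamNic.Name
```

Assign addresses to the team's virtual adapter, not to the member adapters: once an adapter joins a team its own IP stack is no longer used, and a static address left on it is silently ignored.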
Lesson 3
Configuring Remote Management for Windows Server 2012 Servers
When you want to perform an administration task, it is more efficient to manage multiple servers from a single console than to connect to each server separately. You should spend time ensuring that newly deployed servers are configured so that you can manage them centrally. This enables you to spend more time at your desk administering those servers, instead of having to trek into the datacenter to start a direct connection.

Lesson Objectives
After completing this lesson you will be able to:
• Configure Windows Server 2012 to support Remote Management.
• Collect servers into Server Groups.
• Deploy roles and features remotely.

What Is Remote Management?
With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote management tools to remotely manage a computer. Remote Shell enables you to run command-line utilities against correctly configured remote servers as long as the command prompt utility is present on the remote server. Remote Windows PowerShell lets you run Windows PowerShell commands or scripts against correctly configured remote servers when the script is hosted on the local server. Remote Windows PowerShell also lets you load Windows PowerShell modules, such as Server Manager, locally and execute the cmdlets available in that module against suitably configured remote servers. Remote Management is enabled by default on computers running Windows Server 2012.

You can enable and disable Remote Management from Server Manager by clicking the text next to the Remote Management item when you have the Local Server node selected in the Server Manager console. To enable remote management from the command line, type the command WinRM qc. The "qc" is an abbreviation of Quick Configuration. You can disable Remote Management from the same location in Server Manager.
Remote Desktop is still a necessary Windows Server 2012 remote management technology because some environments have not upgraded their administrators' workstations from Windows® XP, and other environments may have Windows Server 2012 deployed even when the users in those environments primarily use third-party operating systems. You can configure Remote Desktop on a computer running the full version of Windows Server 2012 by performing the following steps:
1. In Server Manager, click the Local Server node.
2. Click Disabled next to Remote Desktop.
3. In the System Properties dialog box, on the Remote tab, select one of the following options:
o Allow connections from computers running any version of Remote Desktop. Enables connections from Remote Desktop clients that do not support Network Level Authentication. This is the less secure option, because the server creates a logon session before the user has been authenticated.
o Allow connections only from computers running Remote Desktop with Network Level Authentication. Enables connections only from clients that support Network Level Authentication, which requires the user to authenticate before a session is created on the server. Choose this option unless you must support legacy clients.
You can enable and disable Remote Desktop on computers running the Server Core installation option by using the sconfig.cmd menu-driven command prompt utility.
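On Server Core, or when applying the same setting to many servers by script, the Remote Desktop options above correspond to two registry values plus the built-in Remote Desktop firewall rule group. The following PowerShell is an added example, not from the course, that enables Remote Desktop, enforces Network Level Authentication, opens only the Remote Desktop firewall rules, and reports the resulting state. Run it in an elevated session on the server being configured.

```powershell
# Added example: enable Remote Desktop with Network Level Authentication
# required, and open only the firewall rules that Remote Desktop needs.
$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 allows Remote Desktop connections (1 denies them).
Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 0 -Type DWord

# UserAuthentication = 1 is the "only with Network Level Authentication"
# option: the client must authenticate (via CredSSP) before a session is
# created, so unauthenticated clients cannot consume a logon session.
Set-ItemProperty -Path $rdpPath -Name UserAuthentication -Value 1 -Type DWord

# Enable the built-in rule group instead of writing a custom rule. This group
# contains RemoteDesktop-UserMode-In-TCP, the rule toggled in the lab.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify the result.
Get-ItemProperty -Path $tsPath  -Name fDenyTSConnections | Select-Object fDenyTSConnections
Get-ItemProperty -Path $rdpPath -Name UserAuthentication | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object Name, Enabled, Direction, Profile | Format-Table -AutoSize
```

Check UserAuthentication as part of any server baseline: a value of 0 means the server is accepting pre-authentication RDP sessions from any client that can reach TCP port 3389.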
How Remote Management Works in Windows Server 2012
Windows Remote Management (WinRM) is a collection of technologies that enables administrators to manage server hardware when logged on directly or over the network. Windows Server 2012 uses WinRM to enable management of multiple computers concurrently through a single Server Manager console. Windows Remote Management includes the following components:
You can enable Windows Remote Management by issuing the following command:
Winrm qc
This command performs the following actions:
1. Starts the WinRM service.
2. Sets the WinRM service startup type to automatic (delayed start).
3. Creates a listener that accepts WS-Management requests on any IP address of the computer over HTTP (TCP port 5985).
4. Creates a firewall exception for WS-Management traffic using the HTTP protocol.
Within a domain, WinRM authenticates with Kerberos and encrypts the message payload even on the HTTP listener. An HTTPS listener (TCP port 5986) with a server certificate is needed only where Kerberos is not available, for example for workgroup computers.
If you do not know whether a server is configured for Windows Remote Management, you can run the
following command to obtain Windows Remote Management configuration information:
Additional Reading: You can learn more about configuring Windows Remote
Management by reading the following Performance Team post: http://blogs.technet.com/b
/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx.
You can use Remote Windows PowerShell to run commands against a correctly configured remote server.
There are several methods that you can use to accomplish this. You can use the Invoke-Command
cmdlet to run a command or a script. For example, to view the list of installed roles and features on
LON-SVR1 and LON-SVR2 when the ServerManager module is loaded and both are configured for
Windows Remote Management, issue the command:
You can also start a remote Windows PowerShell session by using the Enter-PSSession cmdlet. To end
the session, run the Exit-PSSession cmdlet. For example, to start a remote Windows PowerShell session to
LON-SVR1, issue the command:
Additional Reading: You can learn more about Remote Windows PowerShell at:
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx.
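The following PowerShell is an added example, not the course's own code, that puts the commands from this section together: it shows the local WinRM configuration, checks whether each remote server's WinRM listener responds before using it, runs the ServerManager query the text describes against LON-SVR1 and LON-SVR2 with Invoke-Command, and shows the Enter-PSSession/Exit-PSSession pattern. It assumes the account running it is a domain account with administrative rights on both servers, so Kerberos authentication is used and no TrustedHosts entry is required.

```powershell
# Added example: checking and using Windows Remote Management from an
# administrative computer that is joined to the same domain as the targets.
$Servers = 'LON-SVR1', 'LON-SVR2'

# Local WinRM configuration: listeners, permitted authentication methods, limits.
winrm get winrm/config
winrm enumerate winrm/config/listener

# Test-WSMan sends a WS-Management Identify request to each server's listener
# (TCP 5985 for HTTP) and throws if WinRM is not configured or not reachable.
$reachable = foreach ($s in $Servers) {
    try   { Test-WSMan -ComputerName $s -ErrorAction Stop | Out-Null; $s }
    catch { Write-Warning "WinRM is not answering on ${s}: $($_.Exception.Message)" }
}

# Run one command on every reachable server in parallel. Each result carries
# a PSComputerName property identifying the server it came from.
Invoke-Command -ComputerName $reachable -ScriptBlock {
    Import-Module ServerManager
    Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
} | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, DisplayName -AutoSize

# Interactive session against a single server; Exit-PSSession ends it.
# Commented out because these commands are interactive, not scriptable:
#   Enter-PSSession -ComputerName LON-SVR1
#   Exit-PSSession

# Audit point: remote sessions created by Invoke-Command and Enter-PSSession
# are recorded on the target in the Microsoft-Windows-WinRM/Operational log,
# which is where to look when investigating unexpected remote administration.
```

Invoke-Command runs the script block on the remote computers and returns deserialized objects, so the ServerManager module must be imported inside the script block (on the targets), not on the local computer.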
Demonstration Steps
1. Use Server Manger on LON-DC1 to disable Remote Management.
2. Use the winrm qc command from a Windows PowerShell prompt to re-enable remote management
on LON-DC1.
Managing Server Groups in Server Manager
Server Manager in Windows Server 2012 automatically groups servers by role. This enables you to perform role-based tasks across all servers that host that role in the organization. For example, rather than connecting to each DNS server in the domain to perform a particular task, you can select the DNS node, select all servers that host DNS that you want to perform the task on, and then perform the task against that selection of servers.

A benefit to administrators is that servers in your organization are automatically grouped by role. For example, all servers that host the IIS or NAP roles are automatically grouped under the category nodes for those roles in the Server Manager console.

Demonstration: Managing Remote Servers by Using Server Manager
In this demonstration you will see how to create a server group. You will then perform a remote management task on both servers that are members of the group using a single action.
Demonstration Steps
1. On LON-DC1, use Server Manager to create a server group named LONDON-GROUP that has LON-DC1 and LON-SVR4 as members.
As one of the experienced Windows Server 2008 administrators, you are responsible for implementing
many of the new features on Windows Server 2012. To become familiar with the new operating system,
you plan to install a new Windows Server 2012 server running the Server Core version and complete the
initial configuration tasks. You also plan to configure and explore the remote management features that
are available in Windows Server 2012.
Objectives
• Install Windows Server 2012 server core.
• Configure a Windows Server 2012 server core.
Lab Setup
Estimated time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
3. Start 20417A-LON-SVR5. On the Windows Server 2012 page of the Windows Setup Wizard, verify
the following settings, click Next, and then click Install Now:
4. Select to install the Windows Server 2012 Release Candidate Datacenter (Server Core
Installation) operating system.
5. Accept the license terms and then select Custom: Install Windows Only (Advanced).
o Depending on the speed of the host computer, the installation will take approximately 20
minutes.
o The virtual machine will restart several times during this process.
7. On the log on page, click OK and then enter Pa$$w0rd in both the Password and Confirm
password boxes.
X Task 2: Convert a Windows Server 2012 Server Core Installation to a Full Installation
1. On LON-SVR5 at the command prompt type:
mkdir c:\mount
PowerShell.exe
4. From Windows PowerShell issue the following commands, pressing Enter after each:
Import-Module ServerManager
5. When prompted, restart the server and then log on as Administrator with the password of
Pa$$w0rd to verify the presence of the full GUI components.
X Task 3: Convert a Windows Server 2012 Full Installation to a Server Core Installation
1. Log on to LON-SVR5 and attempt to start Internet Explorer.
Import-Module ServerManager
Uninstall-WindowsFeature User-Interfaces-Infra
Shutdown /r /t 5
3. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
configured to use the Server Core configuration.
6. Select the index number of the network adapter that you want to configure.
o IP address: 172.16.0.111.
8. Set the preferred DNS server to 172.16.0.10. Do not configure an alternative DNS server address.
9. Exit sconfig and verify network connectivity to lon-dc1.adatum.com using the ping utility.
2. Join the domain adatum.com using account adatum\administrator and the password of
Pa$$w0rd.
3. Issue the following command to view the enabled Firewall rules that allow traffic:
5. Issue the following command to view all Windows PowerShell cmdlets related to NetFirewallRule:
6. View the status of the Remote Desktop inbound firewall rule by issuing the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
7. Issue the following command to enable the Remote Desktop Inbound Firewall rule:
Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
8. Issue the following command to verify that the Remote Desktop Inbound Firewall rule is enabled:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
9. Issue the following command to disable the Remote Desktop Inbound Firewall Rule:
Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
10. Verify that the Remote Desktop Inbound Firewall Rule is disabled.
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
3. Open Windows PowerShell and issue the command winrm qc. When you are prompted, type Y and
press Enter.
4. Open the Server Manager console and verify that Remote Management is now enabled.
3. Scroll down to the Performance section, select both listed servers, right-click LON-DC1, and then
click Start Performance Counters.
4. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.
3. In Server Manager, click the Flag and verify that the remote installation of Windows Server Backup
has occurred.
• Use Windows Remote Management to manage multiple servers from a single server using the Server
Manager console.
• Use Windows PowerShell remoting to run remote Windows PowerShell sessions rather than logging
on locally to perform the same task.
Review Question
Why is the Server Core installation the default installation option for Windows Server 2012
installations?
You should plan to manage many servers from one console, rather than logging on to each server
individually.
Module 2
Monitoring and Maintaining Windows Server 2012
Contents:
Module Overview 2-1
Module Overview
After you deploy Windows Server® 2012, you must ensure that it continues to run optimally by
maintaining a healthy and stable environment. As in earlier versions of Windows Server, to maintain
a healthy and stable environment, you must monitor Windows Server 2012 performance and make
adjustments as required. Additionally, you must identify your important data and create backup copies.
Finally, you must know how to restore your important data and servers by using the backup copies that
you have created.
Objectives
After completing this module, you will be able to:
• Monitor Windows Server 2012.
Lesson 1
Monitoring Windows Server 2012
When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the cause quickly frequently depends on having an
effective performance monitoring methodology and tool set.
You can use performance-monitoring tools to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers. In addition to monitoring system performance, Windows Server 2012 provides tools for
resource management. In this lesson, you will learn about tools in Windows Server 2012 that you can use
for performance and resource monitoring and management.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the reasons for monitoring servers.
• Configure event subscriptions.
• Describe how to monitor a network.

• To monitor the health of the IT infrastructure.
• To monitor service-level agreements (SLAs).
• To plan for future requirements.
• To identify issues.
IT Infrastructure Health
The effective operation of the server infrastructure is frequently critical to your organization's business
goals.
fast response times. You can use these statistics to determine which component or components of the
server infrastructure may be the source of performance-related issues.
SLA Monitoring
Many organizations maintain SLAs that dictate the required availability for servers and server-hosted
applications. These SLAs may contain stipulations about server availability (for example, the LON-DC1
server must be available 99.995 percent of business hours), or they may specify performance-related
requirements (for example, the average query time for this database server must be less than five seconds
for any given day).
Frequently, violation of an SLA results in reduction of payment for services or similar penalties. Therefore,
you want to ensure that the SLAs imposed upon your environment are met on a continuing basis.
You can use performance-monitoring tools to monitor the specific areas related to your SLAs and help
you identify issues that could affect your SLA before they become a problem.
Planning for Future Requirements
The business and technical needs of your organization are subject to change. New initiatives may require
new servers to host new applications or increased storage within your environment. Monitoring these
areas over time enables you to assess effectively how the server resources are being used currently. Then,
you can make an informed decision on how the server environment has to grow or change to meet future
requirements.
Identifying Issues
Troubleshooting problems that arise in the server environment can be tedious. Issues that affect users
have to be resolved as quickly as possible and with minimal effect on the business needs of your
organization.
Troubleshooting an issue only on the symptoms provided by users or anecdotal evidence frequently leads
to misdiagnosis and wasted time and resources. Monitoring the server environment lets you take a more
informed and proactive approach to troubleshooting. When you have an effective monitoring solution
implemented, you can identify issues within your infrastructure before they cause a problem for the end-
users. You can also have more concrete evidence of reported issues and narrow the cause of problems,
saving you investigative time.
Typical Performance Bottlenecks
Analysis of your monitoring data can reveal problems such as excessive demand on certain hardware
resources that result in bottlenecks.
Causes of Bottlenecks
Demand on certain hardware resources may become extreme enough to cause resource bottlenecks for
the following reasons:
• The resources are insufficient, and additional or upgraded components are required.
• A resource is malfunctioning and has to be replaced.
• A program is monopolizing a particular resource. This might require substituting another program,
having a developer rewrite the program, adding or upgrading resources, or running the program
during periods of low demand.
• A security issue, such as viruses or Denial of Service attacks, can be the reason for a bottleneck.
By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune the servers to overcome initial limitations. The following table lists suggestions
for improving performance on various types of hardware.
Hardware: Processors
Suggestion: You may be able to overcome performance bottlenecks that occur with processors by:
• Adding processors.
• Increasing the speed of processors.
• Reducing or controlling processor affinity, or the number of processor cores an application uses.
Limiting an application to only some processor cores frees the remaining cores for other applications to
use.

Hardware: Memory
Suggestion: You can improve memory bottlenecks by adding additional physical memory. If the memory
requested exceeds the physical memory, information will be written to virtual memory, which is slower
than physical memory.
However, increasing a computer's virtual memory could enable applications that consume a large amount
of memory to run on a computer that has limited physical memory.
Or, you can reduce the load on the server by reducing the number of users on the server or through
application tuning.
Tools for Monitoring in Windows Server 2012
Several tools are available to help you in monitoring the server environment, both historical and real
time. The following is a list of tools to help you in monitoring the server environment.
Tool: Event Viewer
Description: Event Viewer collects information that relates to server operations. This information can help
identify performance issues on a server. You should search for specific events in the event log file to
locate and identify problems.
Tool: Resource Monitor
Description: Resource Monitor helps you to look deeper into the real-time performance of the server. It
provides performance information related to the CPU, memory, hard disk, and network components of
the server.
Tool: Performance Monitor
Description: Performance Monitor is the most robust monitoring tool in Windows Server 2012. It enables
both real-time and historical monitoring of the server's performance and configuration data.
Tool: Reliability Monitor
Description: Reliability Monitor provides a historical view of the server's reliability-related information
such as event log errors and warnings.
Demonstration: Creating Data Collector Sets
The data collector set is a custom set of performance counters, event traces, and system configuration
data.
A data collector set organizes multiple data-collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets, and incorporate it into logs, or
view it in the Performance Monitor. You can configure a data collector set to generate alerts when it
reaches thresholds.
You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until
it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour
during your working hours to create a performance baseline. You can also set the data collector to restart
when set limits are reached so that a separate file is created for each interval.
Demonstration Steps
Create a new data collector set named Windows Server Monitoring
1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows
Server Monitoring.
2. Configure the data collector set to include the Performance counter data logs for Processor/%
Processor Time, Memory/Available MBytes, and Logical Disk/% Free Disk Space.
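The same data collector set can be created from the command line. As an added example (not part of the course manual), the script below builds it with logman.exe and uses a scheduled task for the "ten minutes every hour during working hours" baseline described above; the output folder C:\PerfLogs\WSM, the 15-second sample interval and the 08:00 to 18:00 window are assumed values.

```powershell
# Added example, not from the course manual. Run elevated on LON-SVR1.
$name = 'Windows Server Monitoring'

# Same three counters as the demonstration. In the LogicalDisk performance
# object the free-space counter is named "% Free Space".
$counters = @(
    '\Processor(_Total)\% Processor Time'
    '\Memory\Available MBytes'
    '\LogicalDisk(_Total)\% Free Space'
)

# -si sample every 15 s, -rf stop after 10 min, -f bin binary log,
# -v mmddhhmm timestamp each file name so hourly runs do not overwrite each other
logman create counter $name -c $counters -si 00:00:15 -rf 00:10:00 -f bin `
    -o 'C:\PerfLogs\WSM\baseline' -v mmddhhmm

# Start the set once an hour for ten hours starting at 08:00 (assumed working day)
$action  = New-ScheduledTaskAction -Execute 'logman.exe' -Argument "start `"$name`""
$trigger = New-ScheduledTaskTrigger -Once -At '08:00' `
    -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Hours 10)
Register-ScheduledTask -TaskName 'Start WSM baseline' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest

# Confirm the definition (counters, interval, output path) before the first run
logman query $name
```

The resulting .blg files open in Performance Monitor the same way as a set created in the console.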
Most Common Performance Counters
Specific server roles install a range of performance objects and associated counters. The common
performance counters include:
• Physical disk counters. These counters monitor the physical disks such as hard drives or fixed drives.
The drives that appear in the Disk Management console are monitored by these counters. Hardware
redundant array of independent disks (RAID) may not be visible to these counters.
Windows Server 2012 uses server roles to improve server efficiency and security. Only the performance
objects and counters that are relevant to the installed server role are available to monitor.
You can enable missing performance objects and counters by installing additional server roles or adding
features. Additional performance objects that are installed with each server role can help with server
monitoring. The following table identifies common server roles and the performance objects that can be
monitored to assess performance.
Server role: Active Directory® Domain Services (AD DS)
If you notice slow write or read operations, under the Physical Disk category, check the following disk I/O
counters to see whether many queued disk operations exist:
• Avg. Disk Queue Length
• Avg. Disk Read Queue Length
• Avg. Disk Write Queue Length
If Local Security Authority Subsystem or lsass.exe uses lots of physical memory, under the Database
category, check the following Database counters to see how much memory is used to cache the database
for Active Directory Domain Services:
• Database Cache % Hit
• Database Cache Size (MB)

Server role: File Server
File Servers are typically heavily dependent on their physical disk systems for file read and write
operations. You should measure the following counters to ensure that the PhysicalDisk subsystem is
keeping up with server demand:
• % Disk Time
• Avg. Disk Queue Length
• Avg. Disk Bytes/Transfer
Network performance is also a primary component of file server performance. You should monitor the
following counters to ensure that required network bandwidth is available to the file server:
• Bytes Received Per Second
• Bytes Sent Per Second
• Output Queue Length
What Are Alerts?
Alert is a functionality in Windows Server 2012 that notifies you when certain events have occurred or
when certain performance thresholds are reached. You can configure alerts in Windows Server 2012 as
network messages or as events that are logged in the application event log. You can also configure alerts
to start applications and performance logs.
You can configure alerts when you create data collectors, by selecting the Performance Counter Alert
type of the data collector.
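To show what a Performance Counter Alert evaluates, here is an added example (not part of the course manual) that samples the same counters with Get-Counter, averages a few samples so a single spike does not fire, and writes each breach to the Application log, the same destination an alert data collector can use. The thresholds and the WSMonitor event source are assumed values.

```powershell
# Added example, not from the course manual. Run elevated (New-EventLog needs it).
$thresholds = @{
    '\Processor(_Total)\% Processor Time' = @{ Op = 'gt'; Value = 85 }
    '\Memory\Available MBytes'            = @{ Op = 'lt'; Value = 512 }
    '\LogicalDisk(C:)\% Free Space'       = @{ Op = 'lt'; Value = 10 }
}

function Test-CounterThreshold {
    param([hashtable]$Thresholds, [int]$Samples = 3, [int]$Interval = 5)
    $data = Get-Counter -Counter ([string[]]$Thresholds.Keys) `
                        -SampleInterval $Interval -MaxSamples $Samples
    $avg = @{}
    foreach ($set in $data) {
        foreach ($s in $set.CounterSamples) {
            # Get-Counter prefixes paths with \\computername; strip it to match our keys
            $key = $s.Path -replace '^\\\\[^\\]+', ''
            $avg[$key] += $s.CookedValue / $Samples
        }
    }
    foreach ($key in $Thresholds.Keys) {
        $t = $Thresholds[$key]
        $breached = if ($t.Op -eq 'gt') { $avg[$key] -gt $t.Value } else { $avg[$key] -lt $t.Value }
        [pscustomobject]@{
            Counter  = $key
            Average  = [math]::Round($avg[$key], 1)
            Limit    = $t.Value
            Breached = $breached
        }
    }
}

$results = Test-CounterThreshold -Thresholds $thresholds

# Register the source once, then log every breach as a Warning (event ID is assumed)
if (-not [System.Diagnostics.EventLog]::SourceExists('WSMonitor')) {
    New-EventLog -LogName Application -Source 'WSMonitor'
}
foreach ($r in ($results | Where-Object Breached)) {
    Write-EventLog -LogName Application -Source 'WSMonitor' -EntryType Warning -EventId 1001 `
        -Message "$($r.Counter) averaged $($r.Average) (limit $($r.Limit))"
}
$results | Format-Table -AutoSize
```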
What Are Event Subscriptions?
Event log subscriptions is a feature that, when it is configured, enables a single server to collect copies of
events from multiple systems. Using WinRM and the Windows Event Collector service, you can collect
events in the event logs of a centralized server, where you can analyze them together with the event logs
of other computers that are being collected on the same central server.
• Source computer–initiated. In a source computer–initiated subscription, or push subscription, source
computers push events to the collector. In a source computer–initiated subscription, the subscription
definition is created and managed on the source computer, which is the computer that is sending
events to a central source. You can define these subscriptions manually, or by using Group Policy. You
create push subscriptions when each server is forwarding a different set of events than other servers,
or when control over the event forwarding process has to be maintained at the source computer;
possibly when frequent changes have to be made to the subscription.
• You must enable and configure WinRM on both the source and the collector computers by using the
following command.
winrm qc
• You must start and configure the Windows Event Collector (Wecutil) service to receive events on the
collector computer. You can achieve this by running the following command.
Wecutil qc
Events that are collected by a subscription can be collected into any of the collector computer’s default
event logs, or they can be collected into an event log specifically created to host collected events.
Demonstration Steps
Configure the source computer
1. Switch to LON-SVR1.
2. At the command prompt, run the winrm quickconfig command to enable the administrative
changes that are required on a source computer.
2. At the command prompt, run the wecutil qc command to enable the administrative changes that are
required on a collector computer.
Monitoring a Network
Because network infrastructure services are an important foundation of many other server-based
services, you must make sure that they are configured correctly and are running optimally.
Monitoring Domain Name System (DNS)
Domain Name System (DNS) provides name resolution services on the network. You can monitor the DNS
Server role of Windows Server 2012 to determine the following aspects of your DNS infrastructure:
Monitoring DHCP
The Dynamic Host Configuration Protocol (DHCP) service provides dynamic IP configuration services on
the network. You can monitor the Windows Server 2012 DHCP Server role to determine the following
aspects of your DHCP server:
• The Average Queue Length indicates the current length of the internal message queue of the DHCP
server. This number represents the number of unprocessed messages that are received by the server.
A large number might indicate heavy server traffic.
• The Milliseconds per packet (Avg.) counter is the average time in milliseconds that is used by
the DHCP server to process each packet it receives. This number varies, depending on the server
hardware and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem
becoming slower or because of a processing overhead on the server.
Lesson 2
Implementing Windows Server Backup
In order to protect critical data, every organization must perform a backup regularly. Having a well-
defined and tested backup strategy ensures that companies can restore data if there are any unexpected
failures or data loss. This lesson describes the Windows Server Backup feature in Windows Server 2012 and
the Microsoft Online Backup Service for Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Windows Server Backup.
• Describe the Microsoft Online Backup Service.
• Describe the methods for backing up server roles running Windows Server 2012.
In addition, Windows Server Backup 2012 lets you:
• Perform a bare-metal restore. Bare-metal restore includes all volumes that are required for Windows
to run. You can use this backup type together with the Windows Recovery Environment to recover
from a hard disk failure, or if you have to recover the whole computer image to new hardware.
• Recover individual files and folders. The Individual files and folders option enables you to back up
selected files and folders, instead of just full volumes.
• Exclude selected files or file types. For example, you can exclude .tmp files.
• Select from more storage locations. You can store backups on remote shares or non-dedicated
volumes.
• Use the Microsoft Online Backup Service. The Microsoft Online Backup Service is a cloud-based
backup solution for Windows Server 2012 which enables files and folders to be backed up and
recovered from the cloud to provide off-site backup.
If there are disasters such as hard disk failures, you can perform system recovery by using a full server
backup and the Windows Recovery Environment; this will restore your complete system onto the new
hard disk.
What Is Microsoft Online Backup Service?
The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 managed
by Microsoft. You can use this service to back up files and folders and recover them from the cloud to
provide off-site protection against data loss caused by disasters. You can use this service to back up and
protect critical data from any location.
This service is built on the Windows Azure® platform and uses Windows Azure blob storage for storing
customer data. Windows Server 2012 uses the downloadable Microsoft Online Backup Agent to transfer
file and folder data securely to the Microsoft Online Backup Service. After you install the Microsoft Online
Backup Agent, the Microsoft Online Backup Service Agent integrates its functionality through the familiar
Windows Server Backup interface.
Key Features
The key features that Windows Server 2012 provides through the Microsoft Online Backup service
include:
o Integrated recovery experience to recover files and folders from local disk or from cloud
• Block-level incremental backups. The Microsoft Online Backup Agent performs incremental backups
by tracking file and block-level changes and only transferring the changed blocks, therefore, reducing
the storage and bandwidth usage. Different point-in-time versions of the backups use storage
efficiently by only storing the changed blocks between these versions.
• Data compression, encryption and throttling. The Microsoft Online Backup Agent ensures that data is
compressed and encrypted on the server before it is sent to the Microsoft Online Backup Service on
the network. Therefore, the Microsoft Online Backup Service only stores encrypted data in the cloud
storage. The encryption passphrase is not available to the Microsoft Online Backup Service, and
therefore, the data is never decrypted in the service. Also, users can set up throttling and configure
how the Microsoft Online Backup service uses the network bandwidth when backing up or restoring
information.
• Configurable retention policies for storing data in the cloud. The Microsoft Online Backup Service
accepts and implements retention policies to recycle backups that exceed the desired retention
range, thereby meeting business policies and managing backup costs.
Methods to Back Up Server Roles
You can back up most services on computers running Windows Server 2012 by performing a system state
backup. Some services also enable configuration and data backup from their respective management
console.
The following table lists the methods that you can use to back up specific roles on computers running
Windows Server 2012.
Role: File and Print Services
Method:
• System state backs up shared folder permissions and settings.
• Volume backup enables a backup of all files and folders that are located on that volume.
• File and folder backup backs up content of shared folders.
Demonstration Steps
1. On LON-SVR1, start Windows Server Backup.
2. Run the Backup Once Wizard to back up the C:\HR Data folder to the remote folder,
\\LON-DC1\Backup.
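The Backup Once Wizard run above can be reproduced with the WindowsServerBackup PowerShell module. As an added example (not part of the course manual), the script below builds a one-time policy for C:\HR Data targeting \\LON-DC1\Backup, runs it, and checks the job result; the VSS copy-backup setting is an assumed choice for the example.

```powershell
# Added example, not from the course manual. Run elevated on LON-SVR1 after the
# Windows Server Backup feature is installed (Install-WindowsFeature Windows-Server-Backup).
Import-Module WindowsServerBackup

$policy = New-WBPolicy
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\HR Data')

# A network target needs an account that can write to the share
$cred   = Get-Credential -Message 'Account with write access to \\LON-DC1\Backup'
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# Copy backup leaves application log/backup history untouched (assumed choice)
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

Start-WBBackup -Policy $policy

# Verify the job finished cleanly and note the backup set that recovery will use
Get-WBJob -Previous 1 | Select-Object JobType, StartTime, EndTime, JobState, HResult
Get-WBBackupSet -BackupTarget $target |
    Sort-Object BackupTime -Descending | Select-Object -First 1 BackupTime, BackupTarget
```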
Lesson 3
Implementing Server and Data Recovery
Every organization might experience losing some of its data, for reasons such as hardware failures, file
system corruption, or when a user unintentionally deletes critical data. Therefore, organizations must have
well-defined and tested recovery strategies that will help them to bring their servers and data back to a
healthy and operational state, in the fastest time possible. This lesson describes how to restore data and
servers by using Windows Server Backup feature in Windows Server 2012 and Microsoft Online Backup
Service in Windows Server 2012.
Lesson Objectives
• Describe the options for server recovery.
• Describe the option for server restore.
• Perform a restore with Windows Server Backup.
• Describe how to perform a restore with online backup.
Options for Server Recovery
Windows Server Backup in Windows Server 2012 provides the following recovery options:
• Operating system. You can recover the operating system through Windows Recovery Environment
(WinRE).
o Original location. The original location restores the data to the location it was backed up
originally.
Options for Server Restore
You perform server restore by starting the computer from the Windows Server 2012 installation media,
selecting the computer repair option, and then selecting the full server restore option.
When you perform full server restore, consider the following aspects:
• Same or larger disk drives. The server hardware that you are restoring to must have disk drives that
are the same size or larger than the drives of the original host server. If this is not the case, the restore
will fail. It is possible, although not advised, to successfully restore to hosts that have slower
processors and less RAM.
• Importing to Hyper-V. Because server backup data is written to the VHD format, which is also the
format that is used for virtual machine hard disks, it is possible, with some care, to use full server
backup data as the basis of creating a virtual machine. Doing this gives you the option of ensuring
business continuity while sourcing the appropriate replacement hardware.
Considerations for Data Recovery
There are several strategies that you can pursue in developing a data recovery procedure. Data is the
most frequently recovered component of an IT infrastructure.
From a planning perspective, you should consider increasing the frequency at which snapshots for
previous versions of files are generated. This gives users more options when they try to recover files that
have recently become deleted or corrupted.
When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material to a location where
important permissions are not applied, enabling unintended access to data for those that should not have
it.
Recovering Volumes
If a disk fails, the quickest way to recover the data sometimes is to do a volume recovery, instead of a
selective recovery of files and folders. When you do a volume recovery, you must check whether any
shared folders are configured for the disks, and if the quotas and File Server Resource Manager
management policies are still in effect.
Demonstration Steps
1. On LON-SVR1, delete the C:\HR Data folder.
2. In the Windows Server Backup MMC, run Recovery Wizard and specify the following information:
o Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data
o Specify Recovery Options: Another Location (C:)
3. Locate C:\ and ensure that the files are restored.
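The same recovery can be driven from PowerShell, which also makes it easy to apply the permissions check from the considerations above. As an added example (not part of the course manual), the script below restores C:\HR Data from the latest backup set on \\LON-DC1\Backup to C:\, keeping both copies if the folder already exists, and then inspects the restored ACL.

```powershell
# Added example, not from the course manual. Run elevated on LON-SVR1.
Import-Module WindowsServerBackup

# Backups were written to the remote share, so point the catalog lookup at it
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential (Get-Credential)
$set    = Get-WBBackupSet -BackupTarget $target |
              Sort-Object BackupTime -Descending | Select-Object -First 1

# CreateCopyIfExists mirrors the wizard's "Create copies" option: an existing file
# is kept and the restored one gets a separate name
Start-WBFileRecovery -BackupSet $set -SourcePath 'C:\HR Data' -TargetPath 'C:\' `
    -Recursive -Option CreateCopyIfExists -Force

# Confirm the data came back, then confirm the restrictive permissions came with it:
# a restore to an alternate location must not leave restricted data world-readable
Get-ChildItem 'C:\HR Data' -Recurse -File | Measure-Object | Select-Object Count
(Get-Acl 'C:\HR Data').Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Compare the listed identities against the share's intended ACL before users are told the data is available again.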
3. After you locate the files, select them for recovery, and select a location where the files will be
restored.
4. When restoring files, select from the following options:
o Create copies so that you have both the restored file and original file in the same location. The
restored file has its name in the following format: Recovery Date+Copy of+Original File Name
o Overwrite the existing versions with the recovered version
After you complete the restore procedure, the files will be restored on Windows Server 2012 located in
your site.
Much of the data that is stored on the A. Datum network is very valuable to the organization. Losing this
data permanently would be a very significant loss to the organization. Also, several servers that run on the
network provide very valuable services for the organization; losing these servers for a significant time
would also result in losses to the organization. Because of the significance of the data and services, it is
important that they can be restored even if there is any disaster.
One of the options that A. Datum is considering is backing up some critical data to a cloud-based service.
A. Datum is considering this as an option for small branch offices that do not have a full data center
infrastructure.
As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a monitoring and system recovery solution that will meet the management and business
requirements.
Objectives
After completing this lab, you will be able to:
• Configure centralized monitoring for Windows 2012 servers.
Lab Setup
Password Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.
4. In the Actions pane, start the performance counters for both LON-SVR1 and LON-DC1.
2. Configure the data collector set to include the Performance counter data logs for
Processor/% Processor Time, Memory/ Available MBytes and Logical Disk/% Free Disk Space.
3. Start the Windows Server Monitoring data collector set, and let it run for one minute.
4. Stop the Windows Server Monitoring data collector set, and then review the latest report.
2. At the command prompt, run the winrm quickconfig command to enable the administrative
changes that are required on a source computer.
4. Switch to LON-DC1.
5. At the command prompt, run the wecutil qc command to enable the administrative changes that are
required on a collector computer.
o Computers: LON-SVR1
8. Expand Event Viewer, expand Windows Logs, and then click Forwarded Events. Verify that events are
forwarded from LON-SVR1.
Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.
2. Open Server Manager and install the Windows Server Backup role.
3. Install the role on LON-SVR1 and then accept the default values on the Add Role wizard.
2. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder,
\\LON-DC1\Backup.
Results: After completing this exercise, you will have installed the Windows Server Backup feature,
configured a scheduled backup, and run an on-demand backup.
2. At the Windows PowerShell prompt, run Vssadmin list shadows command to list existing volume
shadow copies.
Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed
available resources, and then restored the folder from the backup that you created.
2. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent,
OBSInstaller.exe.
3. Start the installation of Microsoft Online Backup Agent by double-clicking the installation file
OBSInstaller.exe.
5. Verify the installation; ensure you receive the following message: Microsoft Online Backup Service
Agent installation has completed successfully. Clear the Check for newer updates check box, and
then click Finish.
6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and
Microsoft Online Backup Service Shell.
1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart
YOURCITYNAME-YOURNAME.
1. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following
information:
o Account Credentials:
Username: holuser@onlinebackupservice.onmicrosoft.com,
Password: Pa$$w0rd
Note: In a real-life scenario, you would type the username and password of your Microsoft Online
Backup Service subscription account.
o Encryption Settings:
Enter passphrase: Pa$$w0rdPa$$w0rd
Confirm passphrase: Pa$$w0rdPa$$w0rd
2. Verify that you receive the following message: Microsoft Online Backup Service is now available
for this server.
3. In the Microsoft Online Backup Service console, start the backup by clicking Backup Now.
2. Restore files and folders by using the Recover Data option and specify the following information:
o Identify the server on which the backup was originally created: This server
o Select Volume and Date: C:\ and date and time of the latest backup.
o Specify Recovery Options: Original location and Create copies so that you have both versions
Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console.
2. Unregister the server from the Microsoft Online Backup Service using the following credentials:
o Username: holuser@onlinebackupservice.onmicrosoft.com,
o Password: Pa$$w0rd
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.
Question: You want to create a strategy on how to back up different technologies that are
used in your organization such as DHCP, DNS, Active Directory, and SQL Server. What should
you do?
Best Practices
• Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on
proactively detecting potential failures or performance issues.
• When monitoring, estimate the baseline of system utilizations for each server. This will help you
determine whether the system is performing well or is overused.
• Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.
• Identify with the organization’s business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.
• Always test backup and restore procedures regularly, even if data loss or system failures never occur.
Perform testing in a non-production and isolated environment.
Tools
Tool              Use for                                                            Where to find it
Resource Monitor  Controlling how your system resources are being used by processes  Server Manager/Tools
                  and services
Module 3
Managing Windows Server 2012 by Using Windows
PowerShell 3.0
Contents:
Module Overview 3-1
Module Overview
Windows PowerShell is a core feature of Windows Server® 2012 that enables command line management
and configuration of the operating system. It is a standardized, task-based command-line shell and
scripting language that offers administrators more flexibility and choice in how they manage computers
running Windows®.
Windows PowerShell 3.0, included in Windows Server 2012, has more functionality and features than
earlier versions. You can now use Windows PowerShell® to manage all the Windows Server roles and
features. This enables administrators to quickly automate configuration tasks with a single tool, instead of
having to use multiple tools, such as batch scripts, Microsoft Visual Basic® Script Edition scripts (VBScript),
and manual configuration steps.
In this module, you will learn key Windows PowerShell concepts and new Windows PowerShell 3.0
features. This module will also describe how to practically use Windows PowerShell in your daily activities.
Objectives
After completing this module, you will be able to:
• Use Windows PowerShell to manage Active Directory® Domain Service (AD DS).
Lesson 1
Overview of Windows PowerShell 3.0
As a Windows Server administrator, you can use Windows PowerShell to install and configure native
Windows Server 2012 roles and features and to administer software such as Microsoft Exchange Server
and Microsoft System Center 2012. Although you can use a graphical user interface (GUI) for
administration, using Windows PowerShell with these applications enables bulk administration. This
provides the ability to create automation scripts for administration and access to configuration options
that are not available when you use a GUI. Some tasks that you can perform in Windows PowerShell will
already be familiar to you, such as listing the contents of a directory. To use Windows PowerShell
effectively, you must have a basic understanding of Windows PowerShell.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe cmdlet aliases.
What Is Windows PowerShell?
Windows PowerShell is a command-line management interface that you can use to configure Windows
Server 2012 and products such as System Center 2012, Exchange Server 2010, and Microsoft SharePoint®
Server 2010. This management interface provides an alternative to the GUI management that enables
administrators to:
• Create automation scripts.
• Perform batch modifications.
• Access settings that might be unavailable or more difficult to configure in the GUI.
A GUI can guide you through complex operations, and can help you understand your choices. However,
a GUI can be inefficient for tasks that you have to perform repeatedly, such as creating new user
accounts. By building administrative functionality in the form of Windows PowerShell commands,
Microsoft lets you select the right method for a given task.
As you become more comfortable with Windows PowerShell, you may use it in place of other low-level
administrative tools that you may have used. For example, Windows PowerShell has access to the same
features that VBScript does, but in many cases provides easier ways to perform the same tasks.
Windows PowerShell may also change the way you use Windows Management Instrumentation (WMI).
Windows PowerShell can wrap task-specific commands around the underlying WMI functionality. When
you use Windows PowerShell with WMI, your work is simplified because Windows PowerShell provides
easy to use, task-based commands.
Windows PowerShell Syntax
Windows PowerShell has rules for naming and implementing functions. For example, Windows
PowerShell commands, known as cmdlets, use a naming convention of verb or action, followed by
a hyphen and a noun or subject. For example, to retrieve a list of virtual machines (VMs), you would
use the cmdlet Get-VM. This standardization helps you more easily learn how to perform
administrative tasks. For example, to change settings of a VM, you would use the cmdlet Set-VM.
Optionally, one or more parameters can be used with a cmdlet to modify its behavior or specify settings.
Parameters are written after the cmdlet. Each parameter that is used is separated by a space, and begins
with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique
to their functionality. For example, the Move-Item cmdlet has the Destination parameter to specify the
location to move the object; whereas Get-ChildItem has the -Recurse switch parameter. There are several
kinds of parameters, including the following:
• Named. Named parameters are most common. They are parameters that can be specified and require
a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination
parameter along with the exact destination to move the item.
• Positional. Positional parameters are parameters that can be omitted and can still accept values based
on where the information is specified in the command. For example, you could run Get-EventLog
-EventLog System to retrieve information from the System event log. However, because the
-EventLog positional parameter accepts values for the first position, you can also run Get-EventLog
System to get the same results. When the -EventLog parameter is not present, the cmdlet still
accepts the value of System because it is the first item after the cmdlet name.
• -Verbose. This parameter displays detailed information about the performed command. You should
use this parameter to obtain more information about the execution of the command.
• -WhatIf. This parameter displays the outcome of running the command without running it. This is
helpful when testing a new cmdlet or script and you do not want the cmdlet to run.
• -Confirm. This parameter displays a confirmation prompt before executing the command. This is
helpful when you are running scripts and you want to prompt the user before executing a specific
step in the script.
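As an added example that is not part of the course text, the following advanced function shows how the positional, named, -Verbose, -WhatIf and -Confirm parameters described above are wired into a command of your own. The function name Set-DemoDescription and the sidecar files it writes under $env:TEMP are assumptions made for the demonstration.

```powershell
# Added example (not from the course): Set-DemoDescription is a hypothetical
# command that writes a description file next to each path it is given.
function Set-DemoDescription {
    # SupportsShouldProcess adds -WhatIf and -Confirm; CmdletBinding adds -Verbose.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # Position 0 makes -Path positional, so the parameter name can be omitted.
        [Parameter(Mandatory = $true, Position = 0)]
        [string[]]$Path,

        # A named parameter: it must be written out as -Description <value>.
        [Parameter(Mandatory = $true)]
        [string]$Description
    )

    foreach ($item in $Path) {
        Write-Verbose "Checking $item"            # shown only with -Verbose
        if (-not (Test-Path -LiteralPath $item)) {
            Write-Warning "$item does not exist; skipping."
            continue
        }

        # ShouldProcess is the hook behind -WhatIf and -Confirm: with -WhatIf it
        # reports the operation and returns $false; with -Confirm it prompts.
        # Everything that changes state belongs inside this if block.
        if ($PSCmdlet.ShouldProcess($item, "Set description to '$Description'")) {
            Set-Content -LiteralPath "$item.description.txt" -Value $Description
            Write-Verbose "Wrote $item.description.txt"
        }
    }
}

# Constructed sample input: a temporary file to act on.
$sample = Join-Path $env:TEMP 'demo-item.txt'
Set-Content -Path $sample -Value 'sample content'

# Positional -Path plus named -Description; -WhatIf previews without writing.
Set-DemoDescription $sample -Description 'Lab file' -WhatIf

# Same call with -Verbose: the Write-Verbose messages now appear and the file
# is written. Adding -Confirm instead would prompt before the Set-Content call.
Set-DemoDescription -Path $sample -Description 'Lab file' -Verbose
Get-Content -Path "$sample.description.txt"
```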
Additional Reading: Cmdlet Verbs
http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx
Cmdlet Aliases
Although the standard naming convention used by cmdlets facilitates learning, the names
themselves can be very long, and sometimes do not match common terminology associated with
performing a task. For example, you may be familiar with the dir command which lists the
contents of a directory (or folder). The Windows PowerShell cmdlet for this task, however, is
Get-ChildItem. To make using cmdlets easier, Windows PowerShell enables aliases to be created
for cmdlets. There is an alias created by default for dir that points to Get-ChildItem.
You can create new aliases for your common cmdlets, scripts, and programs by using the New-Alias
cmdlet. Default aliases include:
• cd -> Set-Location
• move -> Move-Item
• rm -> Remove-Item
• type -> Get-Content
Demonstration: Using the Windows PowerShell ISE
The Windows PowerShell ISE application is a graphical tool that enables you to write and test Windows
PowerShell scripts similar to the way a developer would write an application by using Microsoft Visual
Studio®. The Windows PowerShell ISE for Windows PowerShell 3.0 includes IntelliSense to provide
instant suggestions on the correct script syntax and available cmdlet parameters. Windows PowerShell
ISE is divided into two main parts: the Script pane and the Console pane.
Demonstration Steps
1. Log on to LON-DC1 as the domain administrator.
2. Open Windows PowerShell ISE as an administrator and review the Script pane and the Console pane.
3. Follow the steps in the following demonstration script: E:\ModXA\Democode\Using Windows
PowerShell ISE.ps1.
Accessing Help in Windows PowerShell
Whether you are an experienced professional or new to Windows PowerShell, the cmdlet Help
documentation is a rich source of information. To access the Help documentation, use the Get-Help
cmdlet or its alias help followed by the cmdlet name. Get-Help has parameters to adjust the
Help content that is displayed. The parameters are:
• -Detailed. This parameter displays more detailed help than the default option.
Windows PowerShell 3.0 includes the ability to download the latest help document from Microsoft for
use locally. To do this, use the Update-Help cmdlet. Also, new in Windows PowerShell 3.0 is the
Show-Command cmdlet. This helps PowerShell beginning users interact with the input and output
options for a cmdlet by using a graphical interface.
Using Windows PowerShell Modules
Windows PowerShell is designed to be extensible. Adding new cmdlets and functions in Windows
PowerShell 3.0 is performed in part through modules.
Windows PowerShell uses the Microsoft.PowerShell.Management module which provides basic
functionality. When you install additional roles on a server, additional Windows PowerShell modules are
installed and registered. For example, you install the Microsoft Hyper-V® Role and also choose to
install the Hyper-V module for Windows PowerShell. To manage Hyper-V from Windows PowerShell, you
must import the Hyper-V module into the Windows PowerShell session. To import the Hyper-V module,
run the following command:
Import-Module Hyper-V
Run the following command to list all modules that are imported:
Get-Module
It is not always necessary to manually import modules. For example, the Windows PowerShell module for
Exchange Server 2010 is automatically imported during product installation. However, if you cannot run
cmdlets for a specific Windows Role or application, it may indicate that you have to import the
appropriate Windows PowerShell module.
There are two basic module types:
• Binary. A binary module is created by using the .NET Framework and is frequently provided with
a product to provide Windows PowerShell support. Binary modules many times add cmdlets that
consist of noun or subject types that are newly created in the AD DS schema to support the product.
An example is the New-Mailbox cmdlet of Exchange Server 2010.
• Script. A script module is composed of Windows PowerShell cmdlets that already exist in the
environment. These scripts can provide additional functions and variables to automate repetitive or
tedious tasks. You may want to create your own module that includes functions or variables specific
to your environment as a timesaving or configuration management measure.
What Is Windows PowerShell Remoting?
The purpose of Windows PowerShell remoting is to connect to remote computers, to run
commands on those computers, and to direct the results back to your local computer. This enables
single-seat administration, or the ability to manage the computers on the network from the
client computer, instead of having to physically visit each computer. A key goal of Windows
PowerShell remoting is to enable batch administration, which lets you run commands on a
whole set of remote computers concurrently.
• One-to-One remoting. In this scenario, you connect to a single remote computer and run shell
commands on it, exactly as if you had logged into the console and opened a Windows PowerShell
window.
• One-to-Many remoting, or Fan-Out remoting. In this scenario, you issue a command that will be
executed on one or more remote computers in parallel. You are not working with each remote
computer interactively. Instead, your commands are issued and executed in a batch and the results
are returned to your computer for your use.
Remoting requires both Windows PowerShell and Windows Remote Management (WinRM) utilities on
your local computer and on any remote computers to which you want to connect. WinRM is a Microsoft
implementation of Web Services for Management, or WS-MAN, which is a set of protocols that is widely-
adopted across different operating systems. As the name implies, WS-MAN and WinRM use web-based
protocols. An advantage to these protocols is that they use a single, definable port. This makes them
easier to pass through firewalls than older protocols that randomly selected a port. WinRM communicates
by using the Hypertext Transfer Protocol (HTTP). By default, WinRM and Windows PowerShell remoting
uses TCP port 5985 for incoming connections that are not encrypted and TCP port 5986 for incoming
encrypted connections. Applications that use WinRM, such as Windows PowerShell, can also apply their
own encryption to the data that is passed to the WinRM service. WinRM supports authentication and, by
default, uses the Active Directory native Kerberos protocol in a domain environment. Kerberos does not
pass credentials over the network and it supports mutual authentication to ensure that incoming
connections are coming from valid computers.
Establishing a One-to-One remoting session by using Windows PowerShell ISE is performed by clicking
the New Remote PowerShell tab on the File menu. You can also establish a remote Windows PowerShell
session by using the Enter-PSSession cmdlet. For example, to open a Remote PowerShell session on a
computer named LON-SVR2, you would use the following syntax:
Enter-PSSession –ComputerName LON-SVR2
One-to-Many remoting is primarily performed by using the Invoke-Command cmdlet. To run the
Get-EventLog cmdlet against the computers named LON-SVR1 and LON-SVR2, use the following
command:
Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -ComputerName LON-SVR1, LON-SVR2
Note: Unlike in earlier versions, Windows Server 2012 has Windows PowerShell remoting
and WinRM enabled by default.
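The fan-out scenario above, as an added example that is not part of the course text: it checks that WinRM answers on each target before issuing the Invoke-Command call, and shows how the results from several computers are told apart. LON-SVR1 and LON-SVR2 are the course's lab names; nothing else here is taken from the text.

```powershell
# Added example (not from the course): check WinRM before fanning out, then
# collect the newest System log entries from several servers in one call.
# LON-SVR1 and LON-SVR2 are the course's lab computer names; substitute your own.
$servers = 'LON-SVR1', 'LON-SVR2'

# Pre-flight: Test-WSMan asks the WinRM service on each target to identify
# itself over TCP 5985 (HTTP). Add -UseSSL to test the HTTPS listener on 5986.
# Use computer names rather than IP addresses so that Kerberos (with mutual
# authentication) is used instead of falling back to another mechanism.
$reachable = foreach ($server in $servers) {
    try {
        $null = Test-WSMan -ComputerName $server -ErrorAction Stop
        $server
    }
    catch {
        Write-Warning "WinRM not reachable on ${server}: $($_.Exception.Message)"
    }
}

if (-not $reachable) {
    Write-Warning 'No servers reachable over WinRM; nothing to do.'
    return
}

# One-to-many (fan-out): the script block runs on every listed computer in
# parallel. Remoting adds a PSComputerName property to each returned object,
# which is how the results are told apart once they are back on the client.
$events = Invoke-Command -ComputerName $reachable -ScriptBlock {
    Get-EventLog -LogName System -Newest 5 |
        Select-Object TimeGenerated, EntryType, Source, EventID
}

$events |
    Sort-Object PSComputerName, TimeGenerated -Descending |
    Format-Table PSComputerName, TimeGenerated, EntryType, Source, EventID -AutoSize

# For the encrypted listener, add -UseSSL to Invoke-Command or Enter-PSSession;
# the certificate on the remote side must match the computer name you connect to.
# One-to-one, as in the text, is interactive and so is shown here as a comment:
# Enter-PSSession -ComputerName LON-SVR2
# Exit-PSSession
```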
What Is New in Windows PowerShell 3.0?
Windows PowerShell 3.0 has new features that facilitate managing larger groups of servers
through better scaling, additional functionality, and better management. Windows PowerShell 3.0
includes the following new features:
• Scheduled Jobs. This feature enables scheduling of Windows PowerShell commands and scripts to
automatically run administrative tasks.
• Enhanced Online Help. You can now download the latest Help files from Microsoft by using the
Update-Help cmdlet and view the latest help online. This guarantees you are getting the latest
information about how to use Windows PowerShell.
• Windows PowerShell ISE Autosense. Windows PowerShell ISE provides hints for cmdlets, including
valid parameters that make it easier than ever to use Windows PowerShell.
• Robust Session Connectivity. These connections enable you to connect to a remote server and if
connectivity is lost or you intentionally disconnect, you can resume the connection at the point it was
disconnected. Previously, if connection to a session was lost, all the session data, variables, and
command history would be lost.
Lesson 2
Using Windows PowerShell 3.0 to Manage AD DS
Active Directory is the technology that many administrators spend most of their time using, completing
day-to-day administrative tasks such as adding users and updating directory objects. With the number
of Active Directory–focused cmdlets in Windows Server 2012, those administrators can save time and
energy by using Windows PowerShell to automate many of their more time-consuming or repetitive tasks.
Automation can also help improve security and consistency because it is less prone to repeated human
error than manual administration. If you are already comfortable performing common Active Directory
administrative tasks in other tools, you should quickly be able to learn to perform equivalent tasks in
Windows PowerShell.
This lesson will help you understand the approach used by the Active Directory cmdlets. It will help
you develop the skills that you must have to discover, explore, learn, and use other add-in commands,
whether they are included with Windows Server 2012 or with another Microsoft or third-party software
product.
Lesson Objectives
After completing this lesson, students will be able to:
• Describe the Active Directory modules for Windows PowerShell.
• Describe how to use variables.
• Describe how to use pipelines and scripts.
• Describe how to format output from a Windows PowerShell command.
• Describe how to obtain the Windows PowerShell history information from Active Directory
Administrative Center.
Using the Active Directory Module for Windows PowerShell
You may be comfortable managing AD DS by using the common graphical tools such as Active
Directory Users and Computers. Another option that you may not be as comfortable with is the
Windows PowerShell cmdlets. Using the AD DS cmdlets to perform common tasks will help you
learn how to use Windows PowerShell.
Using Windows PowerShell Variables
Windows PowerShell enables you to retrieve, modify, and filter data from many different
sources. In some cases, you may want to store data for comparison or use. For example, you
may want to retrieve a list of the members of a particular security group and then modify the
description field of each of the users. Variables are used to store and retrieve data in memory during
a Windows PowerShell session. A variable always begins with a dollar ($) sign and can then be
named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. Windows
PowerShell variables are typed. This means that they are created to store a specific type of data whether it
is text, numbers, objects, time, arrays, or other defined object.
You will notice you do not specify the $ symbol when you use the Set-Variable cmdlet to declare
variables. The second way to create a variable is by declaring it, and then assigning a value to it. To do
this, start the command with the name of the variable followed by an equal sign and then the command,
commands, or value to assign. For example to declare a variable named $ADDS and assign it the object
returned from Get-ADDomain use the following command:
$ADDS = Get-ADDomain
The $ADDS variable now holds a copy of the object output by the Get-ADDomain cmdlet. The output
object takes on the type that is defined in the relevant class and the variable maintains that structure.
You can now read and manipulate the variable similar to how you would a .NET object. To obtain
information about the properties or to run methods, you can use dotted notation on the variable.
For example, to determine the domain functional level reported by the DomainMode property of
Get-ADDomain, you can use the following command:
> $ADDS.DomainMode
Windows2008R2Domain
You can also access methods or actions from a variable. For example, to determine the BaseType of
$ADDS, you can use the GetType() method by running the following command:
> $ADDS.GetType().BaseType
Microsoft.ActiveDirectory.Management.ADPartition
When you use methods, you must follow the method with () to distinguish that it is a method and not a
property. You can also use variables in calculations, for example, you can add the contents of two
variables. To declare two variables and then add them together, use the following commands:
> $A = 1
> $B = 2
> $A + $B
3
When you use variables in calculations, make sure that they are typed correctly because typing them
incorrectly could lead to unexpected results. For example, notice when variables are typed as string data
instead of numbers:
> $C = "3"
> $D = "4"
> $C + $D
34
Instead of adding the two values numerically, they are concatenated together. When you mix types
together, there is more potential for unexpected results because Windows PowerShell will automatically
cast or convert some data types. For example, see how the data is cast in the following example:
> $A + $C
4
> $C + $A
31
In these examples, the type of the first variable is used to cast the other variables for the calculation. To
better control how data is cast, you can specify the data type for each variable. To control how each
variable is cast, see the following example:
> [string] $A + $C
13
> [int] $C + $A
4
Additional Reading: about_Variables
http://technet.microsoft.com/en-us/library/dd347604.aspx
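As an added example that is not part of the course text, the script below repeats the casts discussed above and then goes one step further: it constrains the variable's type at assignment time, which is what keeps text read from CSV files or user input from silently turning arithmetic into concatenation. All values are constructed here; Get-Total is a hypothetical helper.

```powershell
# Added example (not from the course): explicit typing versus automatic casting.
$A = 1          # stored as System.Int32
$C = "3"        # stored as System.String

# The left operand decides the cast: int + string is arithmetic,
# string + int is concatenation.
$A + $C
$C + $A

# A type constraint on the variable makes the conversion happen when the value
# is assigned, so every later use of $Count is numeric.
[int]$Count = "3"
$Count + $A
$Count.GetType().Name

# The constraint is also a guard: a value that cannot be converted is rejected
# instead of being stored as text and surfacing later as a wrong result.
try {
    $Count = "three"
}
catch {
    "Rejected: $($_.Exception.Message)"
}

# The same rule applies to comparisons. Two strings compare character by
# character, so "10" -gt "9" is not what a number comparison would give;
# casting the left side first gives the numeric result.
"10" -gt "9"
[int]"10" -gt 9

function Get-Total {
    # Hypothetical helper: sums values that arrived as text (for example a
    # column from Import-Csv), casting each one so the result is a number.
    param([string[]]$Values)
    $total = 0
    foreach ($value in $Values) {
        $total += [int]$value
    }
    return $total
}

# Constructed input: three numbers that were read as strings.
Get-Total -Values '3', '4', '5'
```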
The Windows PowerShell Pipeline
Windows PowerShell is an object-based environment. This means that the input and outputs of the
cmdlets are objects that can be manipulated. In some instances, you may want to take the output of
one cmdlet and pass it to another cmdlet for additional actions. For example, when you have to enable
all disabled AD DS accounts in the domain, you could manually list each user by using the Get-ADUser
cmdlet. Then by using Windows PowerShell, you can use the Enable-ADAccount cmdlet for each
locked user account. To make this easier, you can directly pass the output data from one cmdlet into
another cmdlet, which is called piping. Piping is performed by putting the pipe (|) character between
cmdlets. Each cmdlet is executed from the left to the right, each passing its output to the next cmdlet in
line. For example, you can get a list of all users in the domain and then pipe the list to the
Enable-ADAccount cmdlet, by running the following command:
Get-ADUser –Filter * | Enable-ADAccount
Piping can be used extensively in Windows PowerShell as it is in other shells. Windows PowerShell differs
from typical shells because the data in the pipeline is an object instead of just simple text. Having an
object in the pipeline enables you to easily persist all the properties of the returned data. The data in the
pipeline is assigned to a special variable named $_ which only exists while the pipeline is executing. For
example, if you want to enable accounts that are disabled, you can use the Where-Object cmdlet to
return only accounts that are disabled. To do this, run the following command:
By piping an object with a list of all the users, you can use the Where-Object cmdlet to filter the accounts
that are disabled based on the Enabled property of the account.
Options for Formatting Windows PowerShell Output
When you work with AD DS data, you may have to retrieve lists of users, computers, or groups and
have to visualize the data by using a tool such as Microsoft Office Excel® or you may have to view
only the specific properties on screen. Windows PowerShell enables both such scenarios. The first is
formatting data for viewing on screen. There are several default cmdlets available to control how
data is formatted. These cmdlets are described in the following table.
Cmdlet        Description
Format-List   This cmdlet outputs data in a list format with each property on its own line. You can specify
              the properties that you want displayed by using the –Property parameter. You can call this
              cmdlet by using the alias of FL. This cmdlet is useful when you view a small number of
              objects with a large number of properties.
Format-Table  This cmdlet outputs data in a table format with each property as its own column. You can
              specify the properties that you want displayed by using the –Property parameter. You can
              call this cmdlet by using the alias of FT. This cmdlet is useful when you view a large number
              of objects with a small number of properties.
Format-Wide   This cmdlet outputs data in a table format with only one property for each object. You can
              specify the property that you want displayed by using the –Property parameter and the
              number of columns to display the data by using the –Column parameter. You can call this
              cmdlet by using the alias of FW. This cmdlet is useful when you view a large number of
              objects and you only need to see one property for each object such as the name.
Cmdlet          Description
Format-Custom   This cmdlet outputs data in a format previously defined by using a PS1XML file. The settings
                in this file can specify which properties to show and how to arrange and group them. You can
                call this cmdlet by using the alias of FC. This cmdlet is useful when you view data that you
                access frequently and have to customize which properties are shown.
Cmdlet          Description
Measure-Object  This cmdlet takes the input object from the pipeline or variable and performs calculations on
                specified properties and on text in strings and files. Calculations include counting objects,
                determining the average, minimum, maximum, and sum of property values. It can also count
                the number or occurrences of words and characters in a file or string. It is used when you
                have to quickly calculate the number of users selected as part of a query or determining the
                memory a set of processes is using.
Sort-Object     This cmdlet takes the input object from the pipeline or variable and sorts the data based on
                the selected properties. This is helpful when you have to provide a sorted list of data.
Where-Object    This cmdlet takes the input object from the pipeline or variable and then applies a filter that
                is based on a specified query. The queries used for filtering are enclosed in braces and
                include a comparison. This is helpful when you have to select specific types of data.
You can use all these cmdlets together to create customized output to the screen. You can also use the
Out-File to write the output to a text file, or Export-Csv to export the data as a comma separated values
(CSV) file.
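The pipeline section above leaves the Where-Object command unstated, and the table above lists the formatting cmdlets without showing them together; the following added example (not from the course) covers both. It runs against constructed objects that mimic Get-ADUser output, so it works without a domain controller, and only the final comment line touches the real AD cmdlets.

```powershell
# Added example (not from the course): the Where-Object / $_ filter and the
# formatting cmdlets from the table, run against constructed user objects.
$users = @(
    [pscustomobject]@{ SamAccountName = 'adam'; Name = 'Adam Barr';   Enabled = $true;  Department = 'IT'    }
    [pscustomobject]@{ SamAccountName = 'bea';  Name = 'Bea Lopez';   Enabled = $false; Department = 'Sales' }
    [pscustomobject]@{ SamAccountName = 'carl'; Name = 'Carl Nguyen'; Enabled = $false; Department = 'IT'    }
    [pscustomobject]@{ SamAccountName = 'dana'; Name = 'Dana Fuchs';  Enabled = $true;  Department = 'HR'    }
)

# Where-Object: $_ is the object currently flowing through the pipeline, and the
# braces hold the comparison. Only objects for which the block is $true continue.
$disabled = $users | Where-Object { $_.Enabled -eq $false }

# Measure-Object: how many objects the filter let through.
$count = ($disabled | Measure-Object).Count
Write-Output "Disabled accounts: $count"

# Sort-Object then Format-Table (alias FT): many objects, few properties.
$disabled | Sort-Object Name | Format-Table SamAccountName, Name, Department -AutoSize

# Format-List (alias FL): one object, every property on its own line.
$disabled | Select-Object -First 1 | Format-List *

# Format-Wide (alias FW): one property per object, spread over two columns.
$users | Format-Wide -Property SamAccountName -Column 2

# Export-Csv for Excel, then read it back to show the round trip.
$csvPath = Join-Path $env:TEMP 'disabled-users.csv'
$disabled | Export-Csv -Path $csvPath -NoTypeInformation
Import-Csv -Path $csvPath | Format-Table -AutoSize

# With the ActiveDirectory module loaded, the same filter feeds Enable-ADAccount.
# Preview with -WhatIf first: enabling every disabled account in a domain also
# re-activates accounts that were disabled deliberately (leavers, suspended users).
# Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $false } | Enable-ADAccount -WhatIf
```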
Creating and Running Windows PowerShell Scripts
You can perform complicated multi-step tasks by using a pipeline and multiple cmdlets. There
may be times where you have to run multiple functions, make choices, wait for tasks to
complete, or run the same code repeatedly. In these cases, you can use a Windows PowerShell
script to put all the steps together. A script is a text-based file that includes at least one Windows
PowerShell command and saved with a .PS1 file name extension. Scripts can be created to take
input from the command line letting you customize how the script executes.
Execution Policy
By default, the execution policy does not enable Windows PowerShell scripts to be executed
automatically. This safeguards the computer by preventing unattended scripts from running without the
administrator knowing. There are four execution policies that can be set, as follows:
• Restricted. This is the default policy for Windows Server 2012 and does not enable configuration
files to load, nor does it enable scripts to be run. The Restricted execution policy is perfect for any
computer for which you do not run scripts or for which you run scripts only rarely. (Be aware that
you could always manually open the shell with a less-restrictive execution policy.)
• AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher,
including scripts created on your local computer. This execution policy is useful for environments
where you do not want to accidentally run any script unless it has an intact, trusted digital signature.
This policy is less convenient because it requires you to digitally sign every script that you write, and
re-sign each script every time that you make any changes to it.
• RemoteSigned. This policy requires that all scripts and configuration files downloaded from the
Internet be signed by a trusted publisher. This execution policy is useful because it assumes that local
scripts are ones that you create yourself, and you trust them. It does not require those scripts to be
signed. Scripts that are downloaded from the Internet or received through e-mail, however, are
not trusted unless they carry an intact, trusted digital signature. You could definitely still run those
scripts—by running the shell under a lesser execution policy, for example, or even by signing the
script yourself—but those are additional steps that you have to take, so it is unlikely that you would
be able to run such a script accidentally or unknowingly.
• Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, you are warned about potential dangers and must grant permission
for the script to run. The Unrestricted execution policy is not usually appropriate for production
environments because it provides little protection against accidentally or unknowingly running
untrusted scripts.
• Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, the script will run without any warnings. This execution policy is not
usually appropriate for production environments because it provides no protection against
accidentally or unknowingly running untrusted scripts.
You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. To
configure the execution policy, you must open an elevated Windows PowerShell window and run the
Set-ExecutionPolicy cmdlet. After the execution policy is configured, you can run a script by typing in
the name of the script.
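The following is an added example, not part of the course material, showing how to inspect the policy per scope and how to check a downloaded script's signature before running it under RemoteSigned (the script path is a placeholder):

```powershell
# Added example (not from the course): inspect the effective execution policy at each
# scope. The first scope in the list that is not Undefined wins.
Get-ExecutionPolicy -List

# Set the machine-wide policy; this requires an elevated Windows PowerShell window.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Placeholder path for a script that was downloaded from the Internet.
$scriptPath = 'C:\Scripts\Downloaded.ps1'

# RemoteSigned keys on the Zone.Identifier alternate data stream that browsers and
# mail clients attach to downloaded files. If it is present, the script must be signed.
$zone = Get-Item -Path $scriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { Write-Host "$scriptPath is marked as downloaded from the Internet." }

# Check the Authenticode signature and only run the script when it is intact and trusted.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -eq 'Valid') {
    Write-Host "Signed by $($sig.SignerCertificate.Subject); running the script."
    & $scriptPath
}
else {
    # HashMismatch means the file was changed after signing; NotSigned means no signature.
    Write-Warning "Signature status is $($sig.Status); the script was not run."
}
```

Unblock-File removes the Zone.Identifier stream, which is the right step only after you have reviewed the script's contents yourself.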
Simple Scripts
Scripts are text files that have a .PS1 file name extension. These files contain one or more commands
that you want the shell to execute in a particular order. You can edit scripts by using Notepad, but the
Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively,
obtain hints on the correct command syntax, and immediately see the results. You can then paste those
results into a script for long-term use. Or you can type your commands directly into a script, highlight
each command, and press F8 to execute only the highlighted command. If you are pleased with the
results, you save the script and you are finished. Generally, there are very few differences between what
you can do in a script and what you would do on the command line. Commands work in the same
manner in a script. This means that a script can just be created by pasting commands that you have
already tested at the command line. The following is a simple script in a text file that is named
Get-LatestLogon.ps1.
# This script will return the last user who has logged on to the domain.
Get-ADUser -Filter * -Properties lastLogon | `
Sort-Object -Property lastLogon -Descending | `
Select-Object -First 5 | `
Format-Table name, `
@{Label="LastLogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} `
-AutoSize
Although this script contains a single pipeline statement, it is broken up by using the backtick (`) character.
You can break up long lines of code by using the backtick character to make the script easier to read.
Notice that the first line of this script starts with a hash mark (#). A line that begins with a hash mark will
not be processed. Therefore, you can start a line with a hash mark and write notes and comments
about the script. To run a script, you must type either the full or the relative path of the script. For
example, to run the Get-LatestLogon.ps1 script, you can use either of the following options if the script
is in your current directory or search path:
.\Get-LatestLogon.ps1
E:\ModXA\Democode\Get-LatestLogon.ps1
Using Windows PowerShell Loops and Conditional Expressions
Advanced Windows PowerShell scripts may require repeating commands a certain number of
times, until a specific condition is met, or only if a specific condition is met. These test conditions are
defined by using comparison statements.
Boolean Comparisons
Test, or comparison statements, are used as test conditions for loops and conditional constructs.
These typically compare either two or more objects or two or more property values, and are
designed to result in a True or False value. These comparisons are frequently known as Boolean
comparisons, because they can only result in one of the two Boolean values, True or False. As part of
designing a Windows PowerShell script, using Boolean comparisons is a common enough task: you might
compare two computer names to see whether they are equal, or compare a performance counter value to
a predetermined threshold value to see which of the two is greater. The comparison operators sit between
the two items that you want to compare. You probably remember simple comparisons from grade school
math with comparisons like 10 > 4, 5 < 10, and 15 = 15. Windows PowerShell performs comparisons the
same way, although it has its own syntax. Some common comparison operators are as follows:
• -eq. Equal to
• -ne. Not equal to
• -le. Less than or equal to
Windows PowerShell defines two special variables for comparisons, $True and $False, which represent
the Boolean values true and false. If a comparison is true, the expression is evaluated as $True, and if the
comparison is not true, the expression is evaluated as $False. For example, the comparison 4 is greater
than 10 (4 -gt 10) will produce $False as its result, whereas 10 is equal to 10 (10 -eq 10) would produce
$True. Windows PowerShell enables you to execute comparisons right on the command line. Type your
comparison and press Enter to see the result of the comparison. The real value of Boolean
comparisons is shown when they are used in loops and conditional expressions.
There are several Windows PowerShell constructs that make use of Boolean comparisons to control the
execution of code in a script. These constructs are if, switch, for, while, and foreach.
The if Statement
The if statement can be used to execute a block of code if the specified criteria are met. The basic
functionality of an if statement is shown in the following example:
if (Boolean comparison)
{
Code to complete if test expression is true
}
Another option, which allows for additional possibilities, is using the else and elseif statements. When you
want to execute special code if a condition exists, or execute other code if it does not exist, you can use
else. If there are additional conditions that you want to test for, you can use the elseif statement.
Consider the following example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host $Admin.Name "has an address of" $Admin.StreetAddress
if ($Today.DayOfWeek -eq "Monday")
{
    Set-ADUser -Identity Administrator -StreetAddress "Headquarters"
}
elseif ($Today.DayOfWeek -eq "Thursday")
{
    Set-ADUser -Identity Administrator -StreetAddress "London Office"
}
else
{
    Set-ADUser -Identity Administrator -StreetAddress "Out of the Office"
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is" $Today.DayOfWeek "and" $Admin.Name `
"is working from the" $Admin.StreetAddress
Using the previous example, you can achieve the same functionality with less work, as shown in this
example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
# Write current settings to console
Write-Host $Admin.Name "has an address of" $Admin.StreetAddress
switch ($Today.DayOfWeek)
{
    "Monday"   {Set-ADUser -Identity Administrator -StreetAddress "Headquarters"}
    "Thursday" {Set-ADUser -Identity Administrator -StreetAddress `
                "London Office"}
    default    {Set-ADUser -Identity Administrator -StreetAddress `
                "Out of the office"}
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is" $Today.DayOfWeek "and" $Admin.Name `
"is working from the" $Admin.StreetAddress
If a larger number of conditions must be tested, the switch statement may be an easier option to use
and debug.
for (setup loop variables ; Boolean comparison ; action after each loop)
{
Code to complete while Boolean comparison is true
}
The for loop begins with settings to configure variables, the Boolean comparison, and an action to
complete after each loop. Consider the following example that creates five new computer accounts with
unique names using a for statement:
This script prints a random number on the screen until one of the random numbers is less than
50,000,000. The $i variable’s value must be set before the while loop so that the while loop executes as
follows:
$i = 99999999999
while ($i -gt 50000000)
{
    Write-Host "Random Value: " $i
    $i = Get-Random
}
Also available is the do/while loop, which works just like the while loop; however, the Boolean expression is
evaluated at the end of the loop instead of the beginning. This means that the code block in a do/while
loop will always be executed at least one time. The value of $i does not have to be set before the do/while
loop because it is evaluated at the end of the loop. The following example shows a do/while loop:
do {
    Write-Host "Random Value: " $i
    $i = Get-Random
} while ($i -gt 50000000)
Using the foreach statement can make batch modifications easier. Consider, for example, setting a
description for all users who are members of a specific group, as shown in the following example:
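The for and foreach loops described in the two passages above, as an added example that is not the course's own code. The OU path, the computer name prefix and the group name are placeholders for a lab domain; the -WhatIf switch reports what each cmdlet would change without writing to the directory:

```powershell
# Added example (not from the course). Placeholders: OU path, LAB-PC prefix, Sales group.
Import-Module ActiveDirectory

# for loop: create five computer accounts with unique names, LAB-PC01 .. LAB-PC05.
# The loop variable $i is set up, tested against 5, and incremented after each pass.
for ($i = 1; $i -le 5; $i++)
{
    $name = 'LAB-PC{0:D2}' -f $i          # zero-padded so names sort correctly
    New-ADComputer -Name $name -Path 'OU=Workstations,DC=adatum,DC=com' -WhatIf
}

# foreach loop: set a description on every user who is a member of one group.
# -Recursive expands nested groups; the filter drops computers and other non-user members.
$members = Get-ADGroupMember -Identity 'Sales' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members)
{
    Set-ADUser -Identity $member.distinguishedName -Description 'Sales department' -WhatIf
}

# Confirm the batch change once -WhatIf has been removed above.
Get-ADUser -Filter 'Description -eq "Sales department"' -Properties Description |
    Format-Table Name, Description -AutoSize
```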
Demonstration: Managing AD DS by Using Windows PowerShell
In this demonstration, you will review how to manage users and groups in Windows PowerShell.
Demonstration Steps
1. Start and log on to LON-DC1. Log on as the domain administrator.
2. Open Windows PowerShell ISE as an administrator.
Active Directory Administrative Center Integration with Windows PowerShell
Active Directory Administrative Center is built on Windows PowerShell technology. It provides
administrators the ability to perform enhanced data management by using a GUI. Using Active
Directory Administrative Center, you can perform the following tasks:
• Manage groups
• Manage organizational units (OUs)
Lesson 3
Managing Servers by Using Windows PowerShell 3.0
As you become familiar with Windows PowerShell, you can perform administrative and management tasks
with more ease. There are advanced features in Windows PowerShell 3.0 which let you manage a single
server from a local console and manage many servers from a remote location. The advanced features
include Windows PowerShell Web Access, Windows PowerShell jobs, and Windows PowerShell workflow.
Lesson Objectives
After completing this lesson, students will be able to:
• Describe the need to use Windows PowerShell for managing servers.
Discussion: The Need for Windows PowerShell for Server Management
Windows PowerShell has many features that make it useful in both large and small environments.
Frequently the most difficult part of using Windows PowerShell is the starting point. Using
Windows PowerShell to perform tasks that you perform every day will help you become more
comfortable and more proficient in using it. Consider the following questions:
Question: What tasks will you use Windows PowerShell to perform?
What Is Windows PowerShell Web Access?
Windows PowerShell Web Access is a new feature in Windows Server 2012 that provides a web-based
gateway to Windows PowerShell. This enables authorized users to administer a server without having
management tools directly installed on their client computer, or having to use Remote Desktop to
connect to the server. The administrator only has to configure a Windows PowerShell Web Access
gateway, and use a web browser to connect.
Windows PowerShell Web Access gateway requires the Web Server Internet Information Services (IIS)
role, and the .NET Framework 4.5 and Windows PowerShell 3.0 to be installed. Many client types are
supported to access Windows PowerShell Web Access and still others are tested to work successfully. In
order to work, the web browser must allow cookies, support connecting to the gateway by using Secure
Sockets Layer (SSL), and also support JavaScript.
Installing Windows PowerShell Web Access Gateway
To install Windows PowerShell Web Access gateway:
2. Install a SSL certificate. An SSL certificate is required. A self-signed certificate can be created as part of
the configuration process, however a trusted third-party certificate is recommended.
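The gateway installation and its authorization rule, as an added example that is not the course's own code. Computer and user names are placeholders for a lab domain; the test certificate is for a lab only:

```powershell
# Added example (not from the course). Placeholders: ADATUM\Administrator, LON-SVR1.adatum.com.
# Install the role feature; this pulls in the IIS role services it depends on.
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools

# Publish the /pswa web application in IIS. -UseTestCertificate creates a self-signed
# certificate for a lab; in production omit it and bind a trusted certificate in IIS.
Install-PswaWebApplication -UseTestCertificate

# Nobody can log on until an authorization rule exists. Grant one user access to one
# computer through one session configuration instead of using wildcards.
Add-PswaAuthorizationRule -UserName 'ADATUM\Administrator' `
    -ComputerName 'LON-SVR1.adatum.com' `
    -ConfigurationName 'Microsoft.PowerShell'

# Review the rules, then confirm that the intended combination is allowed and that an
# unlisted computer is refused.
Get-PswaAuthorizationRule
Test-PswaAuthorizationRule -UserName 'ADATUM\Administrator' `
    -ComputerName 'LON-SVR1.adatum.com' -ConfigurationName 'Microsoft.PowerShell'
Test-PswaAuthorizationRule -UserName 'ADATUM\Administrator' `
    -ComputerName 'LON-SVR2.adatum.com' -ConfigurationName 'Microsoft.PowerShell'
```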
Using Windows PowerShell Web Access
To use Windows PowerShell Web Access, open a web browser and connect to the server by using
https://ServerName/pswa. The logon page lets you connect directly to the gateway, to another server on
the organization network, or to a custom URI. Using the optional connection settings on the logon page,
you can specify one user account to log on to the gateway and specify another account to connect to the
What Are Windows PowerShell Jobs?
A Windows PowerShell background job runs a command or set of commands without interacting
with the current Windows PowerShell session. You can start a background job by using the Start-Job
cmdlet and then you can continue to work in the session. Using jobs can be useful when you
perform tasks that can take an extended time to complete. You can also use jobs to perform the
same task on several computers. The following example shows creating a new job on the local
computer:
Start-Job -ScriptBlock {Get-ADUser -Filter *}
You can see the status of the job by using the Get-Job cmdlet and use the Wait-Job to be notified
when the job is complete. If you have to remove a job that has not executed, you can do so with the
Remove-Job cmdlet. These jobs are run in the background so they do not return results to your Windows
PowerShell session. If you output data to the console in a background job, you can return those results by
using the Receive-Job cmdlet.
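The job life cycle just described, followed by the same task run on several computers, as an added example that is not the course's own code. The server names are placeholders:

```powershell
# Added example (not from the course). Placeholders: LON-SVR1, LON-SVR2.
$job = Start-Job -Name 'UserExport' -ScriptBlock {
    Import-Module ActiveDirectory
    Get-ADUser -Filter * | Select-Object Name, Enabled
}

# Carry on working; check the State property (NotStarted, Running, Completed, Failed...).
Get-Job -Name 'UserExport'

# Block until the job finishes, but give up after five minutes so a hung job cannot
# stall the session. Wait-Job returns the job object, or nothing when the timeout elapses.
$finished = Wait-Job -Job $job -Timeout 300
if (-not $finished) {
    Stop-Job -Job $job
    Write-Warning 'Job did not finish in time and was stopped.'
}

# -Keep leaves the results in the job so they can be read again; without it, the first
# Receive-Job clears them.
$users = Receive-Job -Job $job -Keep
$users | Format-Table -AutoSize

# Errors raised inside the job are kept on the child job; review them before discarding.
$job.ChildJobs[0].Error
Remove-Job -Job $job

# Same task on several computers: Invoke-Command -AsJob returns one parent job with a
# child job per computer, all managed with the cmdlets used above.
$multi = Invoke-Command -ComputerName 'LON-SVR1', 'LON-SVR2' -AsJob -ScriptBlock {
    Get-Service | Where-Object { $_.Status -eq 'Stopped' }
}
Wait-Job -Job $multi | Receive-Job | Format-Table PSComputerName, Name, Status -AutoSize
Remove-Job -Job $multi
```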
Windows PowerShell 3.0 introduced an improvement to background jobs, known as scheduled
jobs. These jobs can be triggered to start automatically or performed on a recurring schedule. When a
scheduled job is created, it is stored on disk and then registered in Task Scheduler. When a scheduled job
is run, it creates an instance of the job that can then be managed by using the common job management
cmdlets. The only difference between scheduled jobs and background jobs is that scheduled jobs save
their results on disk.
Scheduled jobs are created by using the Register-ScheduledJob cmdlet. You can specify the ScriptBlock
parameter to run a Windows PowerShell command, or you can specify a script by using the FilePath
parameter. The following example shows how to register a scheduled job to run the Get-LastLogon.ps1
script.
Register-ScheduledJob -Name LastLogonJob -FilePath \\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1
To enable the scheduled job to run, a schedule or trigger must be defined. Triggers are created by using
the New-JobTrigger cmdlet. After creating a trigger with this cmdlet, you can use the Add-JobTrigger cmdlet
to add the trigger to an already registered scheduled job, or pass the trigger to assign it when a new
scheduled job is registered. Triggers can be scheduled once, daily, weekly, at server startup, or when you
log on. The following example shows creating a trigger that runs every Monday and Friday at 9:00 am and
then registers the new scheduled job together with the trigger:
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledLastLogonJob -FilePath `
\\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1 -Trigger $Trigger
You can also use the Add-JobTrigger cmdlet to modify an existing scheduled job, as shown in the
following example:
Add-JobTrigger -Name LastLogonJob -Trigger `
(New-JobTrigger -Daily -At 9:00AM)
Scheduled jobs can be used to automatically run tasks such as creating reports, verifying configuration
settings, performing user and group maintenance, and many others.
Introduction to Windows PowerShell Workflow
Windows PowerShell Workflow is a new feature in Windows PowerShell 3.0. It enables easy to use
workflows, or task sequences, within the familiar Windows PowerShell interface. A workflow
can include individual Windows PowerShell commands or complete scripts. The difference
between a workflow and perhaps an intricately designed script is that a workflow is designed
to also be stopped, paused, and resumed. The workflow can wait until steps successfully
complete to continue to the next workflow step. For example, you can create a workflow that
makes changes to multiple computers and waits for them all to restart before continuing to the next
configuration step in the workflow.
Windows PowerShell workflows can be created by using a Windows PowerShell console, the Windows
PowerShell ISE, or by using Microsoft Visual Studio® Workflow Designer. Workflows created in Visual
Studio Workflow Designer are saved with a XAML file name extension. These workflows are imported
by using the Import-Module cmdlet.
Workflows are run as Windows PowerShell jobs. Therefore, you can use the same cmdlets to manage
running workflows as you do jobs. A workflow is created by using the following syntax:
Workflow WorkflowName { Commands to execute as part of the workflow }
After a workflow is created, it is executed in the same way that a cmdlet is executed. Each workflow can be executed with the
parameters that are listed in the following table.
Parameter Description
-PSPersist Toggles the workflow to checkpoint data and state after each activity
In a workflow, commands can be performed in a parallel or sequential manner. Commands that can
be run in parallel are identified by using the parallel keyword. Commands that must be performed
sequentially are identified by using the sequence keyword. The following example shows a workflow
with both keywords being used:
Workflow Get-DomainServerStats
{
    # The following are executed in any order
    Parallel
    {
        Get-Process
        Get-ADUser -Filter *
        # The following are executed sequentially
        Sequence
        {
            Set-ADUser Administrator -Description "Updated content"
            Get-ADUser Administrator -Properties Description
        }
    }
}
Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then log on to LON-DC1 as the
domain administrator.
o Password: Pa$$w0rd
o Computer: LON-DC1
3. Start a new job to list all Active Directory users, by using the Start-Job cmdlet.
5. Create a new scheduled job by running the following commands each followed by Enter:
To address these server and AD DS management issues, you have to gain familiarity with Windows
PowerShell. You have to understand how to run simple and complex commands and how to create scripts
that will automate many of the regular management tasks.
Objectives
After completing this lab, you will be able to:
Lab Setup
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
X Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1. Start the following virtual machines: LON-DC1, LON-SVR1, and LON-SVR2.
5. Use tab completion to find the correct cmdlet that begins with Get-Ex to see the execution policy
setting on LON-DC1.
4. Use the Get-Help cmdlet to view the examples of how to use Where-Object.
5. Use a pipeline to pipe the $Services variable to the Where-Object cmdlet to show only services that
have a status of stopped.
5. Use command history to run Get-WindowsFeature and verify that XPS Viewer is installed.
6. Close the Remote PowerShell session.
Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.
1. Import the Active Directory PowerShell module and view the available cmdlets.
2. View options on how to create a report of users in the Active Directory domain.
3. Use a script to create new users in the domain by using a CSV-based file.
4. Create a script to modify the address of a user based on the day of the week.
X Task 1: Import the Active Directory PowerShell module and view the available
cmdlets
1. If it is necessary, open Windows PowerShell ISE as an administrator.
3. Use the Get-Command cmdlet to view the cmdlets available in the Active Directory module.
X Task 2: View options on how to create a report of users in the Active Directory
domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2. Use the Get-Command cmdlet to view the cmdlets available in the ActiveDirectory module.
3. Use Windows PowerShell to view a list of all Users in the domain. Review how Format-List modifies
formatting by running the following commands by using:
4. Use Windows PowerShell to view a list of all Users in the domain. Review how Format-Table modifies
the formatting by running the following commands by using:
5. Use Windows PowerShell to view a list of all OUs in the domain. Review how Format-Wide modifies
the formatting by running the following commands:
6. Use Windows PowerShell to adjust the formatting of the users report. Review how the Sort-Object
cmdlet modified the output, by running the following:
7. Run the following commands to see how to use the Measure-Object cmdlet:
X Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2. Use Notepad.exe to view E:\ModXA\Democode\LabUsers.csv. You will need to change the file type
to all files.
4. On line 13, modify the $OU variable to read: $OU = "ou=sales, dc=adatum,dc=com"
5. Run the LabUsers.ps1 script.
X Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\Using If Statements.ps1
Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional loops to modify Active Directory properties.
3. Create a Windows PowerShell Web Access Authorization Rule that only enables the administrator to
access the gateway by using the Add-PSWaAuthorizationRule.
o User: Administrator
o Password: Pa$$w0rd
o Computer: LON-DC1
3. Verify that you can retrieve information from LON-SVR1 by retrieving the five newest System events.
Run the following command:
4. Obtain the same information from LON-SVR2 and LON-DC1 by running the following command:
Results: After this exercise, you will have performed one to many management of remote servers by using
Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by
using Windows PowerShell Web Access.
2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
Question: Which cmdlet do you think would retrieve information from the event log?
Best Practices
• Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This will
make you more comfortable with working with Windows PowerShell and will equip you for using it to
resolve more difficult problems.
• Save the commands that you have used to resolve problems in a script file for later reference.
• Use Windows PowerShell ISE to help write scripts and ensure you have the correct syntax.
Tools
You can use the tools in the following table to work with Windows PowerShell.
Tool: Description
Windows PowerShell Integrated Script Editor (ISE): Windows PowerShell ISE provides a simple, yet powerful
interface to create and test scripts, and discover new cmdlets.
Microsoft Visual Studio Workflow Designer: This is a development tool that is used to create Windows
PowerShell workflows.
Active Directory Administrative Center: This tool enables you to perform common Active Directory
management tasks such as creating and modifying user and computer accounts. All the changes that you
made by using this management tool are logged in the Windows PowerShell History pane.
ipconfig /a: Get-NetIPConfiguration
Shutdown.exe: Restart-Computer
Netstat: Get-NetTCPConnection
Module 4
Managing Storage for Windows Server 2012
Contents:
Module Overview 4-1
Lab A: Managing Storage for Servers Based on Windows Server 2012 4-23
Module Overview
Storage space requirements have been increasing ever since the invention of server-based file shares. The
Windows Server® 2012 and Windows® 8 operating systems include two new features to reduce the disk
space that is required and to effectively manage physical disks: data deduplication and storage spaces.
This module provides an overview of these features and explains the steps required to configure them.
Another concern in storage is the connection between the storage and the remote disks. Internet small
computer system interface (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps
create a connection between the servers and the storage. To implement iSCSI storage in Windows Server
2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. Also,
in organizations that have branch offices, you have to consider slow links and how to use these links
efficiently when data is sent between your offices. The BranchCache feature in Windows Server 2012 helps
address the problem of slow connectivity. This module explains the BranchCache feature and the steps to
configure BranchCache.
Objectives
After completing this module, you will be able to:
• Configure BranchCache.
Lesson 1
New Features in Windows Server 2012 Storage
The storage demand on servers is ever-increasing, and storage comprises a larger part of an IT
department's budget. Larger volumes are required on flexible disks that can be added or removed
dynamically. Windows Server 2012 includes changes to the storage area that will help administrators to
ease the management of physical disks and provide technologies to reduce disk space consumption.
Lesson Objectives
After completing this lesson, you will be able to:
File and Storage Services in Windows Server 2012
File and Storage Services includes technologies that help you set up and manage one or more file
servers. File servers are servers that act as central locations on the network where you can store files
and optionally, share them with users.
Windows Server 2012 offers the following new file and storage services features:
• Unified remote management of File and Storage Services in Server Manager. You can use this feature
to remotely manage multiple file servers, including their role services and storage, all from a single
window.
Additional Reading: File and Storage Services overview
http://technet.microsoft.com/en-us/library/hh831487(d=lightweight,v=ws.11)
Question: Are you currently implementing volumes that are 10 terabytes or larger? What are
the problems with volumes of that size?
What Is Data Deduplication?
Data deduplication is a role service of Windows Server 2012. Data deduplication identifies and
removes duplications within data without compromising its integrity to achieve the ultimate
goal of storing more data while concurrently using less physical disk space.
Data integrity and recoverability are maintained in a process that involves evaluating checksum
results and other algorithms. Data deduplication is highly scalable, resource efficient, and
nonintrusive. It can run on dozens of large volumes of primary data concurrently without
affecting other workloads on the server. Low impact on the server workloads is maintained by throttling
the CPU and memory resources that are consumed. Using data deduplication jobs, you can schedule
when data deduplication should run, specify the resources to deduplicate, and tune file selection.
When combined with BranchCache, the same optimization techniques are applied to data that is
transferred over the wide area network (WAN) to a branch office. This results in faster file download times
and reduced bandwidth consumption.
Volume Requirements for Data Deduplication
After the feature is installed, you can enable data deduplication on a per volume basis. Each volume must
meet the following requirements:
• Volumes must not be a system or boot volume. Deduplication is not supported on volumes where the
operating system is installed.
• Volumes may be partitioned by using master boot record (MBR) or GUID partition table (GPT) format,
and must be formatted by using the NTFS file system. The new Resilient File System (ReFS) file system
is not supported for use on a data deduplication volume.
• Volumes must be exposed to Windows as non-removable drives, that is, no USB or floppy drives.
• Volumes can be on shared storage, such as a Fibre Channel or Serial Attached SCSI (SAS) array, or an
iSCSI storage area network (SAN).
• File shares. This includes group content publication or sharing, user home folders, and profile
redirection (offline files). You may be able to save approximately 30–50 percent disk space.
• Software deployment shares. This includes software binaries, images, and updates. You may be able to
save approximately 70–80 percent space.
• Virtual hard disk (VHD) libraries. This includes VHD file storage for provisioning to hypervisors. You
may be able to save approximately 80–95 percent space.
Note: Use the deduplication evaluation tool (DDPEval.exe) to analyze a volume for the
expected savings that you would get by enabling deduplication. This utility is automatically
installed to \\Windows\System32\ of the local computer when data deduplication is enabled.
When data deduplication is enabled, and the data is optimized, the volume contains the following:
• Unoptimized files. These are skipped files. For example, system state files, encrypted files, files with
extended attributes, files smaller than 32KB, and reparse point files—previously optimized files that
contain pointers to the respective chunks in the chunk store needed to build the file.
• Optimized files. These are stored as reference points to the chunk store.
Additional Reading:
Data Deduplication Overview: http://technet.microsoft.com/en-us/library/hh831602
Introduction to Data Deduplication in Windows Server 2012:
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-to-data-deduplication-in-windows-server-2012.aspx
Demonstration: Configuring Data Deduplication
In this demonstration, you will see how to add the data deduplication role service and enable data
deduplication on drive E.
Demonstration Steps
Add the Data Deduplication role service
Enable Data Deduplication on E: Drive
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click Volumes.
o Set Deduplication Schedule: Enable throughput optimization
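The following Windows PowerShell script is an added example; it is not part of the course or of the demonstration above. It performs the same work as the demonstration steps (check the volume requirements, install the role service, evaluate the volume with DDPEval.exe, enable deduplication on E:, create a throughput optimization schedule and verify the result). It assumes an elevated session on Windows Server 2012 and a non-system NTFS volume E:; the schedule name NightlyOptimization, the schedule window and the MinimumFileAgeDays value are assumed lab values, not course settings.

```powershell
# Added example (not from the course): configure Data Deduplication on drive E: with PowerShell.
# Assumes Windows Server 2012, an elevated session and a non-system NTFS volume E:.

# Check the volume requirements listed in the text before enabling anything.
$vol = Get-Volume -DriveLetter E
if ($vol.FileSystem -ne "NTFS") { throw "Deduplication requires NTFS; E: is $($vol.FileSystem)." }
if ($env:SystemDrive -eq "E:") { throw "Deduplication is not supported on the system volume." }
if ($vol.DriveType -ne "Fixed") { throw "Deduplication requires a non-removable drive; E: is $($vol.DriveType)." }

# 1. Install the role service (the Server Manager step in the demonstration).
Install-WindowsFeature -Name FS-Data-Deduplication

# 2. Estimate the savings first; DDPEval.exe is placed in System32 by the role service.
& "$env:SystemRoot\System32\DDPEval.exe" "E:\"

# 3. Enable deduplication on E:. MinimumFileAgeDays 0 is an assumed lab value so that files
#    copied a moment ago are in scope immediately; production normally keeps the default age.
Enable-DedupVolume -Volume "E:"
Set-DedupVolume -Volume "E:" -MinimumFileAgeDays 0

# 4. Schedule (throughput optimization): a nightly window outside business hours (assumed values).
New-DedupSchedule -Name "NightlyOptimization" -Type Optimization -Start 22:00 -DurationHours 6 `
    -Days Monday, Tuesday, Wednesday, Thursday, Friday

# 5. Run one optimization job now instead of waiting for the schedule; -Wait blocks until it finishes.
Start-DedupJob -Volume "E:" -Type Optimization -Wait

# 6. Verify the result: SavedSpace and OptimizedFilesCount rise as duplicate chunks are shared.
Get-DedupStatus -Volume "E:" |
    Format-List Volume, FreeSpace, SavedSpace, OptimizedFilesCount, InPolicyFilesCount
```

Run the script on LON-DC1 after copying some duplicate test files to E:; the final Get-DedupStatus output is the PowerShell equivalent of the savings shown on the Volumes page in Server Manager.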
What Are Thin Provisioning and Trim Storage?
Windows Server 2012 introduces two new storage concepts: thin provisioning and trim storage. Both are
available by default in Windows Server 2012; no feature or role has to be installed.
Thin provisioning and trim storage in Windows Server 2012 provide the following capabilities:
• Identification. Windows Server 2012 uses a standardized method to detect and identify thinly-
provisioned virtual disks, thereby enabling additional capabilities delivered by the storage stack. The
storage stack is provided in the operating system and is available through storage management
applications.
• Notification. When the configured physical storage use thresholds are reached, Windows Server 2012
notifies the administrator through events. This enables the administrator to take appropriate action as
soon as possible. These events can also start automated actions from sophisticated management
applications, such as Microsoft System Center.
• Optimization. Windows Server 2012 provides a new API that enables applications to return storage when
it is no longer needed. NTFS issues trim notifications in real time, when appropriate. Additionally, trim
notifications are issued as part of storage consolidation (optimization), which is performed regularly
on a scheduled basis.
What's New in File Server Resource Manager?
You can use the File Server Resource Manager to manage and classify data that is stored on file
servers. File Server Resource Manager includes the following features:
• Quota management. You can use this feature to limit the space allowed for a volume or folder.
Quotas can be automatically applied to new folders that are created on a volume. You can also define
quota templates that you can apply to new volumes or folders.
• File screening management. You can use this feature to control the types of files that users can store
on a file server. You can limit the file extensions that can be stored on your file shares. For example, you
can create a file screen that does not allow files that have an MP3 extension to be stored in personal
shared folders on a file server.
• Storage reports. You can use this feature to identify trends in disk usage and how your data is
classified, and monitor attempts by a selected group of users to save unauthorized files.
You can configure and manage the File Server Resource Manager by using the File Server Resource
Manager Microsoft Management Console (MMC) console or by using Windows PowerShell.
The following features of the File Server Resource Manager are new and are added in Windows Server
2012:
• Dynamic Access Control. Dynamic Access Control uses file classification infrastructure to help you
centrally control and audit access to files on your file servers.
• Manual classification. Manual classification enables users to classify files and folders manually without
the need to create automatic classification rules.
• Access-denied assistance. You can use access-denied assistance to customize the access denied error
message that users see in Windows 8 Consumer Preview when they do not have access to a file or a
folder.
• File management tasks. The updates to file management tasks include Active Directory® Rights
Management Services (AD RMS) file management tasks, continuous file management tasks, and
dynamic namespace for file management tasks.
• Automatic classification. The updates to automatic classification enable you to get more precise
control on how data is classified on your file servers, including continuous classification, using
Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic
namespace for classification rules.
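The following Windows PowerShell script is an added example, not code from the course. It configures the three File Server Resource Manager features described above (an auto-applied quota with a warning threshold, a file screen that blocks MP3 files in the personal share folders, and an on-demand storage report) using the FileServerResourceManager module that ships with Windows Server 2012. It assumes an elevated session and that user home folders are under D:\Shares\Users; that path, the template name Home 5GB and the file group name MP3 files are assumptions.

```powershell
# Added example (not from the course): quota, file screen and storage report with PowerShell.
# Assumes Windows Server 2012, an elevated session and home folders under D:\Shares\Users (assumed path).

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

$homeRoot = "D:\Shares\Users"

# --- Quota management: every new user folder gets its own 5 GB quota, warning at 85 percent ---
# [Quota Path] and [Quota Used Percent] are FSRM message variables expanded when the event is logged.
$quotaWarn = New-FsrmAction -Type Event -EventType Warning `
    -Body "Quota on [Quota Path] is at [Quota Used Percent]% of its limit."
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $quotaWarn
New-FsrmQuotaTemplate -Name "Home 5GB" -Size 5GB -Threshold $threshold
# An auto quota applies the template to each existing and future subfolder of $homeRoot.
New-FsrmAutoQuota -Path $homeRoot -Template "Home 5GB"

# --- File screening: block MP3 files in personal shared folders (the text's example) ---
# [Source Io Owner], [Source File Path] and [File Screen Path] are the file screen message variables.
$screenWarn = New-FsrmAction -Type Event -EventType Warning `
    -Body "[Source Io Owner] tried to save [Source File Path] under [File Screen Path]."
New-FsrmFileGroup -Name "MP3 files" -IncludePattern @("*.mp3")
# -Active makes it a blocking (active) screen; without it FSRM only logs (passive screening).
New-FsrmFileScreen -Path $homeRoot -IncludeGroup "MP3 files" -Active -Notification $screenWarn

# --- Storage report: generate a Large Files report immediately rather than on a schedule ---
New-FsrmStorageReport -Name "LargeFilesNow" -Namespace @($homeRoot) -ReportType LargeFiles -Interactive

# Verify what is in place.
Get-FsrmAutoQuota -Path $homeRoot | Format-List Path, Template
Get-FsrmFileScreen -Path $homeRoot | Format-List Path, IncludeGroup, Active
```

A quick functional check after running the script: saving a file named test.mp3 into any folder under D:\Shares\Users is refused, and the warning event appears in the Application log with the user and path filled in.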
Question: Are you currently using the File Server Resource Manager in Windows Server 2008
R2? If yes, what areas do you use it for?
4-8 Managing Storage for Windows Server 2012
What Are Basic and Dynamic Disks?
Windows Server 2012 continues to support basic disks and dynamic disks.
Basic Disk
Basic storage uses typical partition tables supported by MS-DOS, and all versions of the
Windows operating system. A disk initialized for basic storage is called a basic disk. A basic
disk contains basic partitions, such as primary partitions and an extended partition. An extended
partition can be subdivided into logical drives.
By default, when you initialize a disk in Windows, the disk is configured as a basic disk. Basic disks can easily
be converted to dynamic disks without any loss of data. However, when you convert a dynamic disk to a basic
disk, all data on the disk will be lost.
Dynamic Disk
Dynamic storage is supported in all Windows operating systems including the Windows XP operating
systems and the Microsoft® Windows NT Server 4.0 operating system. A disk initialized for dynamic
storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you
can perform disk and volume management without the need to restart Windows.
• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk
or consist of multiple, concatenated regions. A simple volume can be extended within the same disk
or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned
volume.
• Spanned volumes. A spanned volume is created from free disk space that is linked from multiple
disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be
mirrored and is not fault-tolerant. Therefore, if you lose one disk, you lose all the spanned volume.
• Striped volumes. A striped volume is a volume whose data is spread across two or more physical disks.
The data on this type of volume is allocated alternately and evenly to each of the physical disks. A
striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning the loss of
one disk will cause the loss of data immediately. Striping is also known as redundant array of
independent disks (RAID)-0.
• Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum
of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is
also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on
that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be
mirrored or extended.
Required Disk Volumes
Regardless of which type of disk you use, you must configure a system volume and a boot volume on
one of the hard disks in the server:
• System volumes. The system volume contains the hardware-specific files that are needed to load
Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not
have to be, the same as the boot volume.
Additional Reading:
How Basic Disks and Volumes Work: http://go.microsoft.com/fwlink/?LinkID=199648
Dynamic Disks and Volumes: http://go.microsoft.com/fwlink/?LinkID=199649
What Is the Resilient File System?
Resilient File System (ReFS) is a new file system provided in Windows Server 2012. ReFS is based
on the NTFS file system and provides the following advantages:
• Metadata integrity with checksums
• Integrity streams providing optional user data integrity
• Allocation on write transactional model for robust disk updates (also known as copy on write)
• Large volume, file, and directory sizes
• Storage pooling and virtualization making file system creation and management easy
• Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance
• Disk scrubbing for protection against latent disk errors
• Resiliency to corruptions with salvage for maximum volume availability in every case
• Shared storage pools across computers for additional failure tolerance and load balancing
Attribute: Limit
Maximum size of a single file: 2^64 - 1 bytes (18.446.744.073.709.551.616 bytes)
Maximum size of a single volume: 2^78 bytes with 16KB cluster size (2^64 * 16 * 2^10); Windows stack addressing allows 2^64 bytes
Maximum number of files in a directory: 2^64
Maximum number of directories in a volume: 2^64
Maximum file name length: 32K unicode characters
Maximum path length: 32K
Maximum size of any storage pool: 4 petabyte
Maximum number of storage pools in a system: No limit
Maximum number of spaces in a storage pool: No limit
• The Share and Storage Management snap-in is replaced by the File and Storage Services role in
Server Manager.
• The Shared Folders snap-in is replaced by the File and Storage Services role in Server Manager.
• The Virtual Disk Service (VDS) provider is replaced by the Storage Management APIs and storage
provider or the Storage Management Initiative – Specification (SMI-S) standard and a compliant
storage provider.
Lesson 2
Configuring iSCSI Storage
In this lesson, you will learn how to create a connection between servers and iSCSI storage. You will
perform these tasks by using IP-based iSCSI storage. iSCSI storage is an inexpensive and simple way to
configure a connection to remote disks. Many application requirements dictate that remote storage
connections must be redundant in nature for fault tolerance or high availability. For this purpose, you will
also learn how to create both single and redundant connections to an iSCSI target. You will do so by using
the iSCSI initiator software that is available in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe iSCSI and its components.
• Connect to the iSCSI storage.
What Is iSCSI?
iSCSI is a protocol that supports access to remote, SCSI-based storage devices over a TCP/IP network.
iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets
and to manage storage over long distances. You can use iSCSI to transmit data over LANs, WANs,
or even over the larger Internet.
iSCSI relies on standard Ethernet networking architecture, and use of specialized hardware such
as a host bus adapter (HBA) or network switches is optional. iSCSI uses TCP/IP (typically, TCP port
3260). This means that iSCSI simply enables two hosts to negotiate (session establishment, flow
control, and packet size, for example) and then exchange SCSI commands by using an existing Ethernet
network. By doing this, iSCSI takes a popular, high performance, local storage bus subsystem architecture
and emulates it over LANs and WANs, creating a SAN. Unlike some SAN protocols, iSCSI requires no
specialized cabling; it can be run over existing switching and IP infrastructure. However, the performance
of an iSCSI SAN deployment can be severely decreased if not operated on a dedicated network or subnet,
as best practices recommend.
Note: While you can use a standard Ethernet network adapter to connect the server to the
iSCSI storage device, you can also use dedicated HBAs.
An iSCSI SAN deployment includes the following:
• iSCSI targets. This is another way to refer to the network interface of the storage device to gain access
to the storage. iSCSI targets present or advertise storage, similar to controllers for hard disk drives of
locally attached storage. However, this storage is accessed over a network, instead of locally. Many
storage vendors implement hardware level iSCSI targets as part of their storage device’s hardware.
Other devices or appliances, such as Windows Storage Server devices, implement iSCSI targets by
using a software driver together with at least one Ethernet adapter. Windows Server 2012 provides
the iSCSI target server—which is effectively a driver for the iSCSI protocol—as a role service.
iSCSI Target Server and iSCSI Initiator
The iSCSI initiator service has been a standard part of Windows ever since Windows Server 2008. Before
Windows Server 2012, the iSCSI Software Target, however, needed to be downloaded and installed
optionally. Now, it is integrated as a role service into Windows Server 2012. The new features in
Windows Server 2012 include:
The iSCSI target server included in Windows Server 2012 provides the following functionality:
• Network/diskless boot. By using boot-capable network adapters or a software loader, you can use
iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to
90 percent of the storage space for the operating system images. This is ideal for large deployments
of identical operating system images, such as a Hyper-V server farm or High Performance Computing
(HPC) clusters.
• Server application storage. Some applications, such as Hyper-V and Exchange Server,
require block storage. The iSCSI target server can provide these applications with continuously
available block storage. Because the storage is remotely accessible, it can also combine block storage
for central or branch office locations.
• Heterogeneous storage. iSCSI target server supports iSCSI initiators that are not based on Windows, so
you can share storage on Windows Servers in mixed environments.
• Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to be a
network-accessible block storage device. This is useful in situations such as when you want to test
applications before deployment on SAN storage.
Enabling iSCSI target server to provide block storage takes advantage of your existing Ethernet network.
No additional hardware is needed. If high availability is an important criterion, consider setting up a high
availability cluster. With a high availability cluster, you will need shared storage for the cluster—either
hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. iSCSI target server is directly
integrated into the failover cluster feature as a cluster role.
iSCSI Initiator
The iSCSI Initiator is included in Windows Server 2012 and Windows 8 as a service and installed by default.
To connect your computer to an iSCSI target, you just have to start the service and configure it.
Question: When would you consider implementing diskless booting from iSCSI targets?
Advanced iSCSI Configuration Options
In addition to configuring the basic iSCSI target server and iSCSI initiator settings, you can
integrate these services into more advanced configurations.
Locating iSCSI Storage
There are two common approaches for locating storage that is exposed to a network by an iSCSI
Target.
The second approach is for large networks. On large networks, locating storage can be more difficult. One
solution that can help you is the Internet Storage Name Service (iSNS), which is a Windows Server 2012
feature similar to Domain Name System (DNS) and lets you locate a target on several target devices.
iSNS contains three distinct services:
• Name Registration Service. This service enables initiators and targets to register and query the iSNS
server directory for information about initiator and target IDs and addresses.
• Network Zoning and Logon Control Service. You can use this service to restrict iSNS initiators to
zones so that iSCSI initiators do not discover any target devices outside their own zone or discovery
domains. This prevents initiators from accessing storage devices that are not intended for their use.
Logon control enables targets to determine which initiators can access them.
Configuring iSCSI for High Availability
Creating a single connection to iSCSI storage makes that storage available. However, it does not make
that storage highly available. Losing the connection results in the server losing access to its storage.
Therefore, most iSCSI storage connections are made redundant through one of two high-availability
technologies: Multiple Connections per Session (MCS) and Multipath I/O (MPIO).
MCS is a feature of the iSCSI protocol that:
• Enables multiple TCP/IP connections from the initiator to the target for the same iSCSI session.
• Supports automatic failover. If a failure were to occur, all outstanding iSCSI commands are reassigned
to another connection automatically.
• Requires explicit support by iSCSI SAN devices, although the iSCSI target server role supports it.
• Requires a device specific module (DSM) if you want to connect to a third-party SAN device such as HP’s
EVA SAN connected to the iSCSI initiator. Windows includes a default MPIO DSM, installed as the
Multipath I/O feature within Server Manager.
• Is widely supported. Many SANs can use the default DSM without any additional software, while
others require a specialized DSM from the manufacturer.
• Is more complex to configure and not as fully automated during failover as MCS.
Demonstration Steps
Add the iSCSI Target Server role service
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.
2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk. Create a virtual disk that has the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
3. On the View results page, wait until the creation is completed, and then close the View Results
page.
4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk. Create a virtual disk that has these settings:
o Name: iSCSIDisk2
o Disk size: 5 GB
5. On the View Results page, wait until the creation is completed, and then close the View Results
page.
Demonstration Steps
Connect LON-SVR2 to the iSCSI target
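The following Windows PowerShell script is an added example and is not part of the course's demonstration steps. It reproduces both demonstrations above in PowerShell: on LON-DC1 it installs the iSCSI Target Server role service, creates the two 5 GB virtual disks iSCSIDisk1 and iSCSIDisk2 and publishes them through a target restricted to one initiator; on LON-SVR2 it starts the initiator service, connects persistently, and enables the MPIO claim for iSCSI disks. It assumes elevated sessions on Windows Server 2012, that both hosts are in a domain with the DNS suffix adatum.com (assumption) so that LON-SVR2's initiator name follows the Microsoft default iqn.1991-05.com.microsoft:<fqdn>, and the VHD folder C:\iSCSIVirtualDisks (assumption).

```powershell
# Added example (not from the course): iSCSI target on LON-DC1 and initiator on LON-SVR2.
# Assumes Windows Server 2012, elevated sessions, and the DNS suffix adatum.com (assumed).

### On LON-DC1 (target side) ###
Install-WindowsFeature -Name FS-iSCSITarget-Server

# Two 5 GB VHD-backed virtual disks, matching the demonstration's iSCSIDisk1 and iSCSIDisk2.
New-Item -ItemType Directory -Path C:\iSCSIVirtualDisks -Force | Out-Null
New-IscsiVirtualDisk -Path C:\iSCSIVirtualDisks\iSCSIDisk1.vhd -SizeBytes 5GB
New-IscsiVirtualDisk -Path C:\iSCSIVirtualDisks\iSCSIDisk2.vhd -SizeBytes 5GB

# The target's initiator list is its access control: only the IQN of LON-SVR2 may log on.
New-IscsiServerTarget -TargetName "lon-svr2" `
    -InitiatorIds @("IQN:iqn.1991-05.com.microsoft:lon-svr2.adatum.com")
Add-IscsiVirtualDiskTargetMapping -TargetName "lon-svr2" -DevicePath C:\iSCSIVirtualDisks\iSCSIDisk1.vhd
Add-IscsiVirtualDiskTargetMapping -TargetName "lon-svr2" -DevicePath C:\iSCSIVirtualDisks\iSCSIDisk2.vhd

### On LON-SVR2 (initiator side) ###
# The initiator service is installed by default but not running; start it and keep it automatic.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Register the portal (TCP 3260 by default) and log on persistently so the session survives a restart.
New-IscsiTargetPortal -TargetPortalAddress "LON-DC1"
Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
    Connect-IscsiTarget -IsPersistent $true

# Verify: the session is up and two new iSCSI disks are present (offline until initialized).
Get-IscsiSession | Format-Table TargetNodeAddress, IsConnected, IsPersistent
Get-Disk | Where-Object BusType -eq "iSCSI" | Format-Table Number, Size, OperationalStatus

### MPIO for a redundant path, also on LON-SVR2 ###
Install-WindowsFeature -Name Multipath-IO
# Claims all iSCSI devices for the default Microsoft DSM; this adds the hardware ID
# MSFT2005iSCSIBusType_0x9 that the lab asks you to verify. A restart is required afterwards.
Enable-MSDSMAutomaticClaim -BusType iSCSI
```

After the restart, Get-MSDSMAutomaticClaimSettings lists the claimed bus types, and the MPIO tool in Server Manager shows the same hardware ID the lab step refers to.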
Lesson 3
Configuring Storage Spaces in Windows Server 2012
Managing physical disks attached directly to a server proved to be a tedious task for the administrators.
To overcome this problem, many organizations used SANs that basically grouped physical disks
together.
However, SANs require special configuration and sometimes special hardware and are therefore
expensive. To overcome these issues, storage spaces in Windows Server 2012 is a feature that pools disks
together and presents them to the operating system as a single disk. This lesson explains how to configure
and implement storage spaces.
Lesson Objectives
After completing this lesson, you will be able to:
• Implement redundant storage spaces.
What Are Storage Spaces?
A storage space is a storage virtualization capability built into Windows Server 2012 and
Windows 8. You can use storage spaces to add physical disks of any type and size to a storage
pool and create highly-available virtual disks from it. The primary advantage of storage spaces is that
you do not manage single disks any longer, but manage them as one unit.
To create a highly-available virtual disk, you must have the following:
• Virtual disk (or storage space). This resembles a physical disk from the perspective of users and
applications. However, virtual disks are more flexible because they include thin provisioning or just-in-
time allocations and resiliency to physical disk failures with built-in functionality such as mirroring.
o Three-way mirroring requires at least five physical drives.
Feature Description
Disk sector size A storage pool's sector size is set the moment it is created. If the list of drives
being used contains only 512 and 512e drives, the pool is defaulted to 512e.
However, if the list contains at least one 4-KB drive, the pool sector size is
defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size
that all contained spaces in the pool will inherit. After an administrator defines
this, Windows will only enable addition of drives that have a compliant sector size,
that is: 512 or 512e for a 512e storage pool and 512, 512e, or 4 KB for a 4-KB
pool.
Drive allocation This defines how the drive is allocated to the pool. Options are:
• Data-store. This is the default allocation when any drive is added to a pool.
Storage spaces can automatically select available capacity on data-store drives
for both storage space creation and just-in-time allocation.
• Manual. Administrators can choose to specify manual as the usage type for
drives added to a pool. A manual drive is not automatically used as part of a
storage space unless it is specifically selected at the creation of that storage
space. This usage property lets administrators specify particular types of drives
for use by only certain storage spaces.
• Hot-Spare. Drives added as “Hot-Spares” to a pool are reserve drives that are
not used in the creation of a storage space. If a failure occurs on a drive that is
hosting columns of a storage space, a reserve drive is called on to replace the
failed drive.
Note: Storage spaces allows for the creation of both thin and fixed provisioning virtual
disks within the same storage pool. Having both provisioned types in the same storage pool is
very convenient especially when they are related to the same workload. For example, you can
choose to have a thin provisioning space to host a database and a fixed provisioning space to
host its log.
Demonstration Steps
Create a storage pool
1. On LON-SVR2, in Server Manager, navigate to File and Storage Services, and Storage Pools.
2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and then add all
available disks.
1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:
2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.
3. In the New Volume Wizard, create a volume with these settings:
Demonstration Steps
Create a redundant virtual disk and a volume
1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS
drop-down list, select New Virtual Disk and create a virtual disk with these settings:
o Storage pool: StoragePool1
o Disk name: Mirrored vDisk
o Storage layout: Mirror
o Provisioning type: Thin
o Size: 5 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.
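The following Windows PowerShell script is an added example, not part of the course's demonstration steps. It performs the same work as the two demonstrations above (create StoragePool1 from all poolable disks, create the mirrored, thin-provisioned 5 GB virtual disk named Mirrored vDisk, and format it as a volume) and then the health check and the add-disk-and-extend steps from the lab. It assumes an elevated session on LON-SVR2 running Windows Server 2012, at least two poolable disks (for example the iSCSI disks connected in the previous lesson), drive letter F for the volume, and that one more poolable disk is attached before the extend step (all assumptions).

```powershell
# Added example (not from the course): the storage spaces demonstration in PowerShell on LON-SVR2.
# Assumes Windows Server 2012, an elevated session and at least two poolable disks; F: is an assumed drive letter.

# Disks that can be pooled are online, not yet initialized and not the system disk.
$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 2) { throw "A two-way mirror needs at least two poolable disks; found $($poolable.Count)." }

# Create StoragePool1 on the local Storage Spaces subsystem from all poolable disks.
New-StoragePool -FriendlyName "StoragePool1" -StorageSubSystemFriendlyName "Storage Spaces*" `
    -PhysicalDisks $poolable

# Mirrored, thin-provisioned 5 GB virtual disk, exactly as in the demonstration settings.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName "StoragePool1" -FriendlyName "Mirrored vDisk" `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 5GB

# Initialize, partition and format it; this is what "Create a volume when this wizard closes" does.
$disk = $vdisk | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter F | Out-Null
Format-Volume -DriveLetter F -FileSystem NTFS -NewFileSystemLabel "Mirrored Volume" -Confirm:$false

# Health check. Healthy/OK is expected now. After one underlying disk disappears the lab expects
# Warning and Degraded (or Incomplete) while the surviving copy still serves F:.
Get-VirtualDisk -FriendlyName "Mirrored vDisk" | Format-Table FriendlyName, HealthStatus, OperationalStatus
Get-PhysicalDisk | Format-Table FriendlyName, HealthStatus, OperationalStatus, Usage

# Lab Task 7: add a newly attached disk to the pool and grow the virtual disk to 15 GB.
$newDisk = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
if ($null -eq $newDisk) { throw "Attach another disk before extending the virtual disk." }
Add-PhysicalDisk -StoragePoolFriendlyName "StoragePool1" -PhysicalDisks $newDisk
Resize-VirtualDisk -FriendlyName "Mirrored vDisk" -Size 15GB
# The partition does not grow by itself; extend it to the new maximum supported size.
$max = (Get-PartitionSupportedSize -DriveLetter F).SizeMax
Resize-Partition -DriveLetter F -Size $max
```

The two Format-Table calls are worth keeping in any maintenance script: a mirror that silently runs on one copy reports Healthy at the volume level but Degraded on the virtual disk, which is the only place the lost redundancy is visible.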
6. At the command prompt, type the following command and then press Enter:
7. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select
Computer Management.
1. On LON-DC1, in Server Manager, in the left pane, click File and Storage Services.
3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.
4. Switch to LON-SVR2.
5. In the Computer Management console, under Storage, right-click Disk Management, and then in
drop-down list, select Rescan Disks.
Notice that the Simple Volume (E:) is not available and the Mirrored Volume (F:) is available.
6. On the taskbar, open Windows Explorer and then click Mirrored Volume (F:). You should now see
write.exe in the file list.
7. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that appears right next to Mirrored vDisk.
8. In the VIRTUAL DISKS pane, in the drop-down list, right-click Simple vDisk, and then select
Properties.
9. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.
Notice the Health Status that should indicate Unknown. The Operational Status should indicate
Detached. This means that the disk is not available on this computer any longer.
10. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select
Properties.
11. In the Mirrored vDisk Properties window, in the navigation pane, click Health.
Notice the Health Status should indicate a Warning. The Operational Status should indicate
Incomplete or Degraded.
As one of the senior network administrators at A. Datum, you are responsible for implementing some new
file storage technologies for the organization. You will implement iSCSI storage to provide a less complex
option for deploying large amounts of storage in the organization. You will also implement the storage
spaces on the Windows Server 2012 servers to simplify storage access and to provide redundancy at the
storage level.
Objectives
After completing this lab, you will be able to:
Lab Setup
Password Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
For this lab, on 20417A-LON-SVR2, disable Routing and Remote Access. In Server Manager, click Tools,
and then click Routing and Remote Access. In the Routing and Remote Access console, right-click
LON-SVR2 and then click Disable Routing and Remote Access.
3. Configure MPIO.
2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features
to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
o Storage location: C:
o Size: 5 GB
3. On the View results page, wait until the creation is completed, and then click Close.
o Size: 5 GB
o iSCSI target: lon-svr2
o Storage location: C:
o Size: 5 GB
3. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
o Enable the iSCSI Initiator service
o Quick Connect to target: LON-DC1
4. In Server Manager, on the Tools menu, open MPIO, and configure the following:
5. After the computer restarts, log on to LON-SVR2, on the Tools menu in Server Manager, open MPIO
and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.
2. In the iSCSI Initiator Properties dialog box, perform the following steps:
a. Disconnect all Targets.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
X Task 1: Create a storage pool by using the iSCSI disks attached to the server
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.
2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage
Pools.
3. Create a storage pool with the following settings:
o Name: StoragePool1
4. On the View results page, wait until the creation is completed, then click Close.
2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.
o Drive letter: E
X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press ENTER.
3. Use Windows Explorer and access Mirrored Volume (E:). You should now see write.exe in the file list.
2. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, disable the iSCSI Virtual Disk named
iSCSIDisk1.vhd.
X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.
2. Use Windows Explorer and open E:\write.exe to make sure access to the volume is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that appears right next to Mirrored vDisk.
4. In the VIRTUAL DISK pane, right-click Mirrored vDisk, in the drop-down list, select Properties.
5. In Mirrored vDisk Properties window, in the Health pane, notice that the Health Status indicates a
Warning. The Operational Status should indicate Degraded.
o Size: 5 GB
X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add
Physical Disk, and add PhysicalDisk1 (LON-SVR2).
4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend
Virtual Disk and extend the disk to 15 GB.
Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
Lesson 4
Configuring BranchCache in Windows Server 2012
Branch offices have unique management challenges. A branch office typically has slow connectivity to the enterprise network and limited infrastructure for securing servers. Therefore, the challenge is being able to provide efficient access to network resources for users in branch offices. The BranchCache feature helps you overcome these problems by caching files so they do not have to be transferred over the network again.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how BranchCache works.
• Describe the BranchCache requirements.
• Configure the BranchCache server settings.
• Configure the BranchCache client settings.
• Configure BranchCache.
• Describe how to monitor BranchCache.
How Does BranchCache Work?
The BranchCache feature, introduced with Windows Server 2008 R2 and Windows 7, reduces the network use on WAN connections between branch offices and the headquarters by locally caching frequently used files on computers in the branch office.
• HTTP or HTTPS protocols. These protocols are used by web browsers and other applications.
• Server message block (SMB), including signed SMB traffic protocol. This protocol is used for accessing shared folders.
BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 or 8 to client computers and Windows Server 2012 to servers, and by enabling the BranchCache feature.
BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end Internet Protocol Security (IPsec). You can use BranchCache to reduce the
network bandwidth use and improve application performance, even if the content is encrypted.
You can configure BranchCache to use Hosted Cache mode or Distributed Cache mode:
• Hosted Cache. This mode operates by deploying a computer that is running Windows Server 2008 R2
or later versions as a hosted cache server in the branch office. Client computers are configured with
the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from
the Hosted Cache when available. If the content is not available in the Hosted Cache, the content is
retrieved from the content server by using a WAN link and then provided to the Hosted Cache so that
the successive client requests can get it from there.
• Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote
offices without requiring a server. In this mode, local client computers running Windows 7 or
Windows 8 keep a copy of the content and make it available to other authorized clients that request
the same data. This eliminates the need to have a server in the branch office. However, unlike the
Hosted Cache mode, this configuration works across a single subnet only. In addition, clients who
hibernate or disconnect from the network cannot provide content to other requesting clients.
• New underlying database that uses the Extensible Storage Engine (ESE) database technology from
Microsoft Exchange Server. This enables a hosted cache server to store significantly more data (in the
order of terabytes).
• The deployment is made much simpler such that you do not require a Group Policy Object (GPO) for
each location. A single GPO that contains the settings is all that is required to deploy BranchCache.
1. The client computer that is running Windows 7 connects to a content server that is running Windows
Server 2008 R2 in the head office and requests content similar to the way it would retrieve content
without using BranchCache.
2. The content server in the head office authenticates the user and verifies that the user is authorized to
access the data.
3. The content server in the head office returns identifiers or hashes of the requested content to the
client computer instead of sending the content itself. The content server sends that data over the
same connection that the content would have typically been sent.
o If you configure it to use Distributed Cache, the client computer multicasts on the local subnet to
find other client computers that have already downloaded the content.
o If you configure it to use Hosted Cache, the client computer searches for the content on the
configured Hosted Cache.
5. If the content is available in the branch office, either on one or more clients or on the Hosted Cache,
the client computer retrieves the data from the branch office and ensures that the data is updated
and has not been tampered with or corrupted.
BranchCache Requirements
BranchCache optimizes traffic flow between the head office and branch offices. Only Windows Server 2008 R2, Windows Server 2012, and client computers running Windows 7 or Windows 8 Enterprise Edition can benefit from BranchCache. Earlier versions of Windows operating systems do not benefit from this feature. By using BranchCache, you can cache only the content that is stored on file servers or web servers running Windows Server 2008 R2 or Windows Server 2012.
Requirements for Using BranchCache
To use BranchCache, you must perform the following tasks:
• Configure client computers either by using Group Policy or the netsh branchcache set service command.
If you want to use BranchCache for caching content from the web server, you must install the BranchCache feature on the web server. Additional configuration is not needed. If you want to use BranchCache to cache content from the file server, you must install the BranchCache for the Network Files role service on the file server, configure hash publication for BranchCache, and create BranchCache-enabled file shares.
Requirements for Distributed Cache and Hosted Cache Modes
In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can search locally for the computer that has already downloaded and cached the content by using a multicast protocol called WS-Discovery. In the Distributed Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or later versions, and the clients in the branch must run at least Windows 7 or Windows Server 2008 R2. You should configure the client firewall to enable incoming traffic for HTTP and WS-Discovery.
In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or later versions. The Hosted Cache in the branch must run Windows Server 2008 R2 or later versions, and the client in the branch must run at least Windows 7. You must configure a firewall to enable incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers and the computer that is hosting the cached data.
Configuring BranchCache Server Settings
You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS. You can also use BranchCache to cache shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on Windows Server 2012.
The server types and their configuration are as follows:
• Web server or Background Intelligent Transfer Service (BITS) server. To configure a Windows Server 2012 web server or an application server that uses the BITS protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure clients who will use the BranchCache feature; no additional configuration of the web server is needed.
• File server. The BranchCache for the Network Files role service of the File Services server role has to be installed before you can enable BranchCache for any file shares. After you install the BranchCache for the Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you must configure each file share to enable BranchCache. You also have to configure clients who will use the BranchCache feature.
• Hosted Cache server. For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2012 server that you are configuring as a Hosted Cache server. To help secure communication, client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh tool.
Configuring BranchCache Client Settings
You do not have to install the BranchCache feature because BranchCache is already included if the client runs Windows 7 or Windows 8. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you must perform the following steps:
Enabling BranchCache
If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache feature, the BranchCache feature will still be disabled on the client computers. However, you can enable the BranchCache feature on a client computer without enabling the Distributed Cache mode or the Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server. Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching mode.
Enabling the Distributed Cache Mode or Hosted Cache Mode
You can enable the BranchCache feature on client computers by using Group Policy or the netsh branchcache set service command.
To configure BranchCache settings by using Group Policy, perform the following steps for a domain-based GPO:
To configure BranchCache settings by using the netsh branchcache set service command, perform the following steps:
netsh branchcache set service mode=distributed
netsh branchcache set service mode=hostedclient location=<Hosted Cache server>
In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client
computers, but it does not use the WS-Discovery protocol. In the Hosted Cache mode, you should
configure the client firewall to enable the incoming rule, BranchCache–Content Retrieval (Uses HTTP).
Demonstration Steps
Add BranchCache for the Network Files role service
1. Log on to LON-DC1 and open Server Manager.
2. In the Add Roles and Features Wizard, install the following roles and features to the local server:
o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files
o Select Allow hash publication only for shared folder on which BranchCache is enabled
Enable BranchCache for a file share
Monitoring BranchCache
After the initial configuration, you might want to verify that BranchCache is configured correctly and functioning correctly. You can use the netsh branchcache show status all command to display the BranchCache service status. On client and Hosted Cache servers, additional information is shown, such as the location of the local cache, the size of the local cache, and the status of the firewall rules for the HTTP and WS-Discovery protocols that BranchCache uses.
• Performance counters. You can use this tool to monitor BranchCache work and performance by using the BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use the BranchCache performance monitor for determining the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 or later versions implemented in the environment, you can use the Windows BranchCache Management Pack for Operations Manager 2007.
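The file-server settings, the client settings and the status check from the three topics above, as an added example (not course material) scripted with the ServerManager, GroupPolicy, SmbShare and BranchCache PowerShell modules that ship with Windows Server 2012 and Windows 8. Assumptions: the GPO name and share name are placeholders; the HashPublicationForPeerCaching policy value (2 = only on BranchCache-enabled shares) and the property names read from the Get-BC* cmdlets are this example's, not quoted from the course.

```powershell
# Added example, not from the course: deploy BranchCache on a file server,
# enable a client, and verify the client the way "netsh branchcache show
# status all" would, but with the problems called out explicitly.
#Requires -RunAsAdministrator

$HostedCacheSrv = 'LON-SVR1.adatum.com'   # lab hosted cache server (host from the course)
$ShareName      = 'Data'                  # placeholder share name
$GpoName        = 'BranchCache-FileServer' # placeholder GPO linked to the file servers

function Enable-BranchCacheFileServer {
    # 1. Role service "BranchCache for Network Files" (feature name FS-BranchCache).
    Install-WindowsFeature -Name FS-BranchCache | Out-Null

    # 2. Hash publication policy (Computer Configuration\Policies\Administrative
    #    Templates\Network\Lanman Server\Hash Publication for BranchCache);
    #    registry value and meaning assumed: 2 = only BranchCache-enabled shares.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer' `
        -ValueName 'HashPublicationForPeerCaching' -Type DWord -Value 2 | Out-Null

    # 3. The per-share step: enable BranchCache in the share's offline settings.
    Set-SmbShare -Name $ShareName -CachingMode BranchCache -Force
    Get-SmbShare -Name $ShareName | Select-Object Name, CachingMode
}

function Enable-BranchCacheClient {
    # Same effect as the netsh branchcache set service command in the lesson.
    param([Parameter(Mandatory)][ValidateSet('Distributed','HostedClient','Local')][string]$Mode)
    switch ($Mode) {
        'Distributed'  { Enable-BCDistributed -Force }
        'HostedClient' { Enable-BCHostedClient -ServerNames $HostedCacheSrv -Force }
        'Local'        { Enable-BCLocal -Force }   # local cache only, no peers or hosted cache
    }
}

function Test-BranchCacheClient {
    # Collect the facts that decide whether content can be served from the
    # branch and list every configuration problem found.
    $status = Get-BCStatus
    $client = Get-BCClientConfiguration
    $net    = Get-BCNetworkConfiguration
    $cache  = Get-BCDataCache

    $problems = @()
    if (-not $status.BranchCacheIsEnabled) {
        $problems += 'BranchCache feature is disabled (a mode was set without enabling the feature?)'
    }
    if ($status.BranchCacheServiceStatus -ne 'Running') {
        $problems += "BranchCache service is $($status.BranchCacheServiceStatus)"
    }
    if (-not $net.ContentRetrievalFirewallRulesEnabled) {
        $problems += 'Inbound rule "BranchCache - Content Retrieval (Uses HTTP)" is disabled'
    }
    if ($client.CurrentClientMode -eq 'DistributedCache' -and
        -not $net.PeerDiscoveryFirewallRulesEnabled) {
        $problems += 'Distributed Cache mode needs the WS-Discovery (peer discovery) rule'
    }
    if ($client.CurrentClientMode -eq 'HostedCacheClient' -and
        -not $client.HostedCacheServerList) {
        $problems += 'Hosted Cache mode but no Hosted Cache server FQDN is configured'
    }

    [pscustomobject]@{
        Mode              = $client.CurrentClientMode
        HostedCacheServer = $client.HostedCacheServerList
        CachePath         = $cache.CacheFileDirectoryPath
        CachePercent      = $cache.MaxCacheSizeAsPercentOf    # default: 5 percent
        CacheBytesOnDisk  = $cache.CurrentSizeOnDiskAsNumberOfBytes
        Problems          = $problems
    }
}

# Example use:
#   on the file server : Enable-BranchCacheFileServer
#   on a branch client : Enable-BranchCacheClient -Mode HostedClient; Test-BranchCacheClient
```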
Objectives
After completing this lab, you will be able to:
Lab Setup
Password Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
Note: This task is required to simulate a slow network connection in a test environment
where all the computers are connected by a fast network connection.
o Action: Allow
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
The main task for this exercise is to configure client computers to use BranchCache in the Hosted Cache
mode.
X Task: Configure client computers to use BranchCache in the Hosted Cache mode
1. On LON-DC1, in Group Policy Management Editor, configure the following at Computer
Configuration\Policies\Administrative Templates\Network\BranchCache:
o Type the maximum round trip network latency value (milliseconds) after which caching begins: 0
2. Start the 20417A-LON-CL1, open a Command Prompt window, and refresh the Group Policy settings
(gpupdate /force).
3. At the command prompt, type netsh branchcache show status all, and then press Enter.
4. Start the 20417A-LON-CL2, open the Command Prompt window, and refresh the Group Policy
settings (gpupdate /force).
5. At the command prompt, type netsh branchcache show status all, and then press Enter.
Note: To test BranchCache in a test lab, you should deploy two client computers. This
enables you to request a file from one of the client computers, and then verify that the file is
retrieved from the local cache on the second client computer.
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
2. Open Server Manager and add the BranchCache for Network Files role service.
2. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU.
3. Switch to LON-SVR1 and restart the computer. Log on as Adatum\Administrator with the password
Pa$$w0rd.
4. Open Windows PowerShell by clicking the icon on the taskbar and run the following cmdlets:
Enable-BCHostedServer -RegisterSCP
Get-BCStatus
Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not
available when this course was created, so the BranchCache verification steps are not included in
this lab.
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
Question: Why would you want to implement BranchCache in Hosted Cache mode instead
of the Distributed Cache mode?
Tools
• iSCSI target server. Use: configure iSCSI targets. Where to find it: in Server Manager, under File and Storage Servers.
Module 5
Implementing Network Services
Contents:
Module Overview 5-1
Module Overview
As seasoned administrators are aware, network services such as Domain Name System (DNS) provide
critical support for name resolution of network and Internet resources. With Dynamic Host Configuration
Protocol (DHCP) you can manage and distribute IP addresses to client computers. DHCP is essential in
managing IP-based networks. DHCP failover can prevent client computers from losing access to the
network if there is a DHCP server failure. IP Address Management provides a unified means of controlling
IP addressing. With Network Access Protection (NAP), administrators can control which computers have
access to corporate networks based on the computer’s adherence to corporate security policies.
This module introduces DNS and DHCP improvements, what is new in IP address management, and
describes how to implement these features. It also provides an overview and implementation guidance for
NAP.
Objectives
After completing this module, you will be able to:
• Describe NAP.
• Implement NAP.
Lesson 1
Implementing DNS and DHCP Enhancements
In TCP/IP networks of any size, certain services are required. DNS is one of the most important network services. Many other applications and services, including Active Directory® Domain Services (AD DS), rely on DNS to resolve resource names to IP addresses. Without DNS availability, user authentications can fail, and network-based resources and applications can become inaccessible. To prevent this, DNS has to be protected. Windows Server® 2012 implements DNS Security Extensions (DNSSEC) to protect the authenticity of DNS responses.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure DNSSEC.
What's New in DNS in Windows Server 2012
DNSSEC and GlobalNames zones are two features that continue to be available in Windows Server 2012. However, the DNSSEC implementation has been simplified in Windows Server 2012.
DNSSEC
Intercepting and tampering with an organization's DNS query response is a common attack method. If an attacker can alter the response from a DNS server, or send a spoofed response to point client computers to their own servers, they can gain access to sensitive information. This is known as a man-in-the-middle attack. Any service that relies on DNS for the initial connection, such as e-commerce web servers and email servers, is vulnerable. DNSSEC is intended to protect clients that are making DNS queries from accepting false DNS responses.
New Resource Records
Validation of DNS responses is achieved by associating a private/public key pair (generated by the administrator) with a DNS zone and defining additional DNS resource records to sign and publish keys. Resource records distribute the public key while the private key remains on the server. When the client requests validation, DNSSEC adds data to the response that enables the client to authenticate the response.
Windows Server 2012 defines the following new resource records:
• DNSKEY. This record publishes the public key for the zone. It checks the authority of a response against the private key held by the DNS server. These keys require periodic replacement. This is known as key rollover. Windows Server 2012 supports automated key rollovers.
• DS. This is a delegation record that contains the hash of the public key of a child zone. This record is signed by the parent zone's private key. If a child zone of a signed parent is also signed, the DS records from the child must be manually added to the parent so that a chain of trust can be created.
• RRSIG. This record holds a signature for a set of DNS records. It is used to check the authority of a response.
• NSEC. When the DNS response has no data to provide to the client, this record authenticates that the host does not exist.
Trust Anchors
A trust anchor is an authoritative entity represented by a public key. The TrustAnchors zone stores
preconfigured public keys that are associated with a specific zone. In DNS the trust anchor is the DNSKEY
or DS resource record. Client computers use these records to build trust chains. A trust anchor from the
zone must be configured on every domain DNS server in order to validate responses from that signed
zone. If the DNS server is a domain controller then Active Directory integrated zones can distribute the
trust anchors.
• The zone replication scope or type cannot be changed while a zone is signed.
GlobalNames Zones
GlobalNames zones address a problem in multiple DNS domain environments. GlobalName zones are
used when you must maintain a list of DNS search suffixes on client computers to resolve names among
these multiple DNS domains. For example, if an organization supports two DNS domains, such as
Widgets.com and Corp.com, users in the Widgets.com DNS domain have to use the fully qualified domain
name (FQDN) to locate the servers in corp or the domain administrator has to add a DNS search suffix for
Corp.com on all the systems in the Widgets.com domain. In other words, if users in the Widgets.com
domain want to locate a server named Data in the Corp.com domain, they would have to search for the FQDN of Data.Corp.com to locate that server. If they just search for the server name Data, then the search would fail.
Global names are based on creating Canonical Name (CNAME) records (or aliases) in a special forward lookup zone that uses single names to point to FQDNs. GlobalNames zones enable clients in any DNS domain to use a single label name, such as Data, to locate a server whose FQDN is Data.corp.com without having to use the FQDN.
Creating GlobalNames Zones
To create GlobalNames zones:
• Manually create CNAME records that point to records that already exist in the other zones hosted on your DNS servers.
For example, you could create a CNAME record in the GlobalNames zone for Data that points to Data.corp.com. This enables clients from any DNS domain in the organization to find this server by the single label name of Data.
How to Configure DNSSEC
Although DNSSEC was supported in Windows Server 2008 R2, most of the configuration and administration was performed manually, and zones were signed when they were offline. Windows Server 2012 includes a DNSSEC wizard to simplify the configuration and signing process, and enables online signing.
Deploying DNSSEC
To deploy DNSSEC:
Assign the DNS Server Role
To add the DNS server role, from the Server Manager Dashboard, use the Add Roles and Features Wizard. You can also add this role when you add the AD DS role. Configure the primary zones on the DNS server. After a zone is signed, any new DNS server on Windows Server 2012 automatically receives the DNSSEC parameters.
• The Configure the zone signing parameters option guides you through the steps and enables you
to set all values for the Key Signing Key (KSK) and the Zone Signing Key (ZSK).
• The Sign the zone with parameters of an existing zone option enables you to keep the same
values and options as another signed zone.
• The Use recommended settings option signs the zone by using the default values.
Note: Zones can also be unsigned by using the DNSSEC management user interface.
Demonstration Steps
1. Log on to LON-DC1 as Adatum\Administrator.
3. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.
4. Verify the DNSKEY resource records were created in the Trust Points zone.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix and requires DNS client computers to check that the name and address data is
validated.
6. Close all open windows.
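The demonstration above, as an added example (not course material) done with the DnsServer and DnsClient PowerShell modules of Windows Server 2012 instead of DNS Manager and the Group Policy Management Console; it also shows the RRSIG signature from the record table arriving in a validated answer. Assumptions: it runs on LON-DC1 as Adatum\Administrator, the NRPT rule is written to the local computer here whereas the demonstration applies it through a domain GPO, and lon-dc1.adatum.com is the name looked up.

```powershell
# Added example, not from the course: sign Adatum.com, check the records and
# trust anchor it produced, require validation through NRPT, and prove that
# answers now carry RRSIG signatures.
#Requires -RunAsAdministrator

$Zone = 'Adatum.com'   # lab zone from the demonstration

function Invoke-LabZoneSigning {
    # Step 3, "accept all the default settings": default KSK/ZSK values, online signing.
    Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force | Out-Null

    # The records the lesson's table describes now exist in the zone. Windows
    # Server 2012 signs with NSEC3 by default, so NSEC3 is counted next to NSEC.
    foreach ($type in 'DnsKey', 'RRSig', 'NSec', 'NSec3') {
        $records = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType $type `
                         -ErrorAction SilentlyContinue)
        '{0,-6} records in {1}: {2}' -f $type, $Zone, $records.Count
    }
}

function Test-LabTrustAnchor {
    # Step 4: a trust anchor (the zone's DNSKEY or DS) must be present in the
    # Trust Points container before this server validates answers for the zone.
    $anchor = Get-DnsServerTrustAnchor -Name $Zone -ErrorAction SilentlyContinue
    if ($anchor) { $anchor }
    else {
        Write-Warning "No trust anchor for $Zone: enable trust anchor distribution in the zone's DNSSEC properties or import the DNSKEY into Trust Points."
    }
}

function Set-LabNrptRule {
    # Step 5: NRPT rule that turns DNSSEC on for the suffix and makes the client
    # accept only name and address data that validated. The demonstration sets
    # the same rule in a GPO; this writes it to the local computer (assumption).
    Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired
    Get-DnsClientNrptRule | Where-Object Namespace -eq ".$Zone"
}

function Test-LabValidation {
    # Ask for DNSSEC data (DO bit) and report whether the answer carried an RRSIG,
    # the signature the client checks against the zone's published DNSKEY.
    $answer = Resolve-DnsName -Name "lon-dc1.$Zone" -Type A -DnssecOk
    [pscustomobject]@{
        Name      = "lon-dc1.$Zone"
        Addresses = ($answer | Where-Object Type -eq 'A').IPAddress
        Signed    = [bool]($answer | Where-Object Type -eq 'RRSIG')
    }
}
```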
What's New in DHCP in Windows Server 2012
DHCP failover is a new feature for Windows Server 2012. It addresses the issue of client computers losing connectivity to the network and all its resources if there is a DHCP server failure.
DHCP Failover
DHCP client computers renew the lease on their IP address at regular, configurable intervals. If the DHCP server service fails, then leases time out, and eventually client computers no longer have IP addresses. In the past, DHCP failover was not possible because DHCP servers were independent and unaware of one another. Configuring two separate DHCP servers to distribute IP addresses within the same pool could lead to duplicate address assignment if the administrator incorrectly configured overlapping ranges. The DHCP server failover feature enables an alternative DHCP server to distribute IP addresses and associated option configuration to the same subnet or scope. Lease information is replicated between the two DHCP servers. If one of the DHCP servers fails, then the other DHCP server services the client computers for the whole subnet. In Windows Server 2012 you can configure one alternative DHCP server for failover. Additionally, only IPv4 scopes and subnets are supported because IPv6 uses a different IP address assignment scheme.
DHCP Name Protection
"Name squatting" describes the problem where a DHCP client computer registers a name with DNS, but that name is actively being used by another computer. The original computer then becomes inaccessible. This problem typically occurs between non-Windows systems that have duplicate names of Windows systems. DHCP Name Protection uses a resource record known as a DHCID to keep track of which computer originally requested the name. This record is provided by the DHCP server and stored in DNS. When the DHCP server receives a request to update a host record that is currently associated with a different computer, the DHCP server can verify the DHCID in DNS to check whether the requester is the original owner of the name. If it is not the same computer, the record in DNS is not updated. To resolve this issue, either the current host name owner must release the IP address, or the requester must use a different host name. You can implement name protection for both IPv4 and IPv6. Configuration is set in the properties page at the IP address level or the scope level.
How to Configure Failover for DHCP
To configure failover of DHCP, you must establish a failover relationship between the two servers. You must give this relationship a unique name. This name is exchanged with the failover partner during the configuration. This enables a single DHCP server to have multiple failover relationships with other DHCP servers, as long as they all have unique names. Failover is configured through a wizard that you can start on the shortcut menu of the IP node or the scope node.
Configure Maximum Client Lead Time
The administrator configures the Maximum Client Lead Time (MCLT) parameter to determine the time that a DHCP server waits if the partner is unavailable before assuming control of the whole address range. This value cannot be zero, and the default is one hour.
Configure Failover Mode
Failover can be configured in one of two modes:
• Hot Standby Mode. In this mode one server is the primary server and the other is a secondary. The primary server actively distributes IP configurations for the scope or subnet. The other DHCP server will only take over this role if the primary server becomes unavailable. A DHCP server can act as the primary for one scope or subnet while it is the secondary for another. Administrators must configure a percentage of the scope addresses to be assigned to the standby server. These addresses are distributed during the MCLT interval if the primary server is down. The default value is 5 percent of the scope. The secondary takes control of the whole range after the MCLT has passed. Hot Standby mode is best suited to deployments where a data recovery (DR) site is located at a different location. Then, the DHCP server does not service client computers unless there is an outage of the main server.
• Load Sharing Mode. This is the default mode. In this mode both servers concurrently distribute IP configuration to client computers. Which server responds to IP configuration requests depends on how the administrator configures the load distribution ratio. The default ratio is 50:50.
Configure Auto State Switchover Interval
When a server loses contact with its partner, it goes into a communication interrupted state. Because the server cannot determine what is causing the communication loss, it stays in this state until the administrator manually changes it to a partner down state. The administrator can also enable automatic transition to the partner down state by configuring the auto state switchover interval. The default value for this interval is 10 minutes.
Firewall Considerations
DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following incoming
and outgoing firewall rules:
• Microsoft-Windows-DHCP-Failover-TCP-In
• Microsoft-Windows-DHCP-Failover-TCP-Out
• The MCLT
• The Mode
The failover relationship can then be modified as required through the Failover tab in the properties
of IPv4.
Demonstration Steps
1. Log on to LON-SVR1 as Adatum\Administrator.
2. Start the DHCP console and view the current state of DHCP. Note the server is authorized but no
scopes are configured.
3. Switch to LON-DC1.
4. Open the DHCP Management console and start the Configure Failover Wizard.
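The failover relationship that the Configure Failover Wizard builds in the demonstration, as an added example (not course material) created with the DhcpServer module, together with the TCP 647 firewall rules and the DHCP Name Protection setting from this lesson. Assumptions: it runs on LON-DC1 as the scope owner with LON-SVR1 as the authorized partner that has no scopes yet; the scope 10.0.0.0, the shared secret and the relationship names are placeholders constructed for the example.

```powershell
# Added example, not from the course: DHCP failover, its firewall rules and
# name protection on Windows Server 2012, using the lesson's default values.
#Requires -RunAsAdministrator

$Primary = 'LON-DC1'    # from the demonstration
$Partner = 'LON-SVR1'   # from the demonstration
$ScopeId = '10.0.0.0'   # placeholder scope, not from the course

function New-LabFailover {
    param([ValidateSet('LoadSharing','HotStandby')][string]$Mode = 'LoadSharing')

    # Settings common to both modes, with the defaults the lesson quotes.
    $common = @{
        ComputerName        = $Primary
        PartnerServer       = $Partner
        ScopeId             = $ScopeId
        MaxClientLeadTime   = New-TimeSpan -Hours 1     # MCLT: cannot be zero, default 1 h
        AutoStateTransition = $true                     # auto state switchover to partner down
        StateSwitchInterval = New-TimeSpan -Minutes 10  # after the default 10 min
        SharedSecret        = 'PLACEHOLDER-shared-secret'
    }
    if ($Mode -eq 'LoadSharing') {
        # Default mode: both servers answer; 50:50 is the default ratio.
        Add-DhcpServerv4Failover @common -Name 'LON-DC1_LON-SVR1_LoadSharing' `
            -LoadBalancePercent 50
    } else {
        # Hot standby: this server is Active, the partner holds 5 % of the
        # addresses (default) to hand out during the MCLT if the primary is down.
        Add-DhcpServerv4Failover @common -Name 'LON-DC1_LON-SVR1_HotStandby' `
            -ServerRole Active -ReservePercent 5
    }
    # Relationship names must be unique on a server; show what exists now.
    Get-DhcpServerv4Failover -ComputerName $Primary |
        Select-Object Name, PartnerServer, Mode, State, MaxClientLeadTime
}

function Test-FailoverFirewall {
    # Lease replication uses TCP port 647; the DHCP role installs these two rules.
    foreach ($rule in Get-NetFirewallRule -Name 'Microsoft-Windows-DHCP-Failover-TCP-*') {
        $ports = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $rule.Name
            Direction  = $rule.Direction
            Enabled    = $rule.Enabled
            LocalPort  = $ports.LocalPort
            RemotePort = $ports.RemotePort
        }
    }
}

function Enable-LabNameProtection {
    # DHCP Name Protection at scope level: the DHCID record lets the DNS update
    # of a name be refused when a different computer already owns that name.
    Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId -NameProtection $true
    Get-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId
}
```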
Lesson 2
Implementing IP Address Management
With the development of IPv6 and more and more devices requiring IP addresses, networks have become very complex and difficult to manage. Windows Server 2012 has implemented IP Address Management (IPAM) as a tool to manage IP addresses.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe IPAM.
What is IP Address Management?
IP management is difficult in large networks because tracking IP address usage is largely a manual operation. IPAM is a framework for discovering, utilization monitoring, auditing, and managing the IP address space in a network. IPAM enables the administration and monitoring of DHCP and DNS. IPAM provides a comprehensive view of where IP addresses are used. IPAM collects information from domain controllers and Network Policy Servers (NPS) and stores that information in the Windows Internal Database.
IP Administration Area | IPAM Capabilities
Managing | Provides a single point of management and assists in optimizing utilization and capacity planning for DHCP and DNS.
Tracking | Enables tracking and forecasting of IP address utilization.
Auditing | Assists with compliance requirements, such as HIPAA and Sarbanes-Oxley, and provides reporting for forensics and change management.
Benefits of IPAM
IPAM benefits include:
• Service and zone monitoring of DNS services.
• IP address lease and logon event tracking.
• Role-based access control.
Note: IPAM does not support management and configuration of non-Microsoft network elements.
IPAM Architecture
IPAM consists of four main modules, as shown in the following table:
Module | Description
IPAM discovery | You use Active Directory to discover servers running Windows Server 2008 and later versions that have DNS, DHCP, or AD DS installed. Administrators can define the scope of discovery to a subset of domains in the forest. They can also manually add servers.
Multi-server management and monitoring | You can manage and monitor multiple DHCP servers. This enables tasks to be executed across multiple servers. For example, you can configure and edit DHCP properties and scopes and track the status of DHCP and scope utilization. You can also monitor multiple DNS servers, and monitor the health and status of DNS zones across authoritative DNS servers.
Operational auditing and IP address tracking | You can use the auditing tools to track potential configuration problems. You can also collect, manage, and view details of configuration changes from managed DHCP servers. You can also collect address lease tracking from DHCP lease logs, and collect logon event information from Network Policy Servers (NPS) and domain controllers.
• Hybrid – A central IPAM server is deployed together with a dedicated IPAM server in each site.
Note: IPAM servers do not communicate with one another or share database information. If you deploy multiple IPAM servers, you must customize the discovery scope of each server.
IPAM has two main components:
• 4 GB of RAM or more
• 80 GB of free hard disk space
Demonstration Steps
1. Log on to LON-SVR1 as Adatum\Administrator.
2. In Server Manager add the IPAM feature and all required supporting features.
3. From the IPAM Overview pane provision the IPAM server by using Group Policy.
4. Enter IPAM as the GPO name prefix and provision IPAM.
5. From the IPAM Overview pane configure server discovery for the Adatum domain.
6. From the IPAM Overview pane start the server discovery process.
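The provisioning and discovery steps above, as an added PowerShell example that is not part of the course material. It uses the IpamServer module cmdlets on the IPAM server; LON-SVR1, the Adatum domain and the GPO prefix IPAM come from the course, while the domain FQDN adatum.com is an assumption.

```powershell
# Added example (not from the course): provision IPAM by using Group Policy and
# scope server discovery to the Adatum domain, which is what the demonstration
# does through Server Manager and the IPAM Overview pane.
Import-Module IpamServer

$ipamServer = 'LON-SVR1.adatum.com'   # assumption: FQDN of the IPAM server
$domain     = 'adatum.com'            # assumption: FQDN of the Adatum domain

# Creates the IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS GPOs in the domain. Run this with
# an account that may create GPOs; the GPOs are later filtered to the servers you
# mark as Managed, so no other server receives the IPAM access settings.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName 'IPAM' `
    -IpamServerFqdn $ipamServer -Force

# Limit discovery to the Adatum domain and look for DCs, DHCP and DNS servers.
# Every IPAM server needs its own discovery scope because IPAM servers do not
# share a database.
Add-IpamDiscoveryDomain -Name $domain -DiscoverDc $true `
    -DiscoverDhcp $true -DiscoverDns $true

# Review the discovery configuration before starting discovery from the console.
Get-IpamDiscoveryDomain | Format-Table Name, DiscoverDc, DiscoverDhcp, DiscoverDns
```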
Lesson 3
NAP Overview
NAP is a policy-enforcement platform that is built into the Windows XP with Service Pack 3 (SP3) and later operating systems, and into Windows Server 2008 and later operating systems. NAP enables you to protect network assets by enforcing compliance with system-health requirements. NAP provides the necessary software components to help ensure that computers that are connected or connecting to the network remain manageable so that they do not become a security risk to the network and other attached computers.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe NAP.
• Describe NAP architecture.
• Describe scenarios for using NAP.
What is NAP?
NAP enforces client computer health before it enables client computers to access the network. Client health can be based on characteristics such as antivirus software status, Windows Firewall status, or the installation of security updates. The monitored characteristics are based on which system health agents are installed.
You can integrate NAP’s enforcement features with software from other vendors or with custom programs. You can customize the health-maintenance solution that developers within your organization might develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access to a restricted network of computers that do not meet health policy requirements.
Also, unless configured specifically, NAP cannot determine whether a client computer is free of viruses, trojans, rootkits or malware. Default behavior is to check for compliance in having current antivirus software and configurations.
Features of NAP
NAP has three important and distinct features:
• Health state validation: When a client computer tries to connect to the network, NAP validates the computer’s health state against the health-requirement policies that the administrator defines. You can also define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies could find their access limited to a restricted network.
• Health policy compliance: You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers have network access before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are completed. In both environments, computers that are compatible with NAP can become compliant automatically and you can define exceptions for computers that are not NAP compatible.
• Limited Access: You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific time, or on the resources that the noncompliant computer can access. In the latter case, you define a restricted network that contains health update resources, and the limited access lasts until the noncompliant computer comes into compliance. You can also configure exceptions so that computers that are incompatible with NAP do not have limited network access.
What’s New for NAP in Windows Server 2012
Removed Functionality
In Windows Server 2008 R2 and Windows Server 2008, Network Policy and Access Services included the Routing and Remote Access Service role service. In Windows Server 2012, RRAS is now a role service in the Remote Access server role.
NAP Architecture
The following table describes the NAP components.
Component | Description
NAP Clients | Computers that support the NAP platform for system health-validated network access or communication. Client architecture consists of:
• NAP enforcement client (EC): ECs monitor attempts to connect to the network. Different EC components exist for different types of network access.
• System health agents (SHA): SHAs report on one or more elements of system health. For example, there might be an SHA for checking antivirus definitions and another for checking Windows updates. The SHA returns a statement of health (SoH) to the NAP agent which passes that to the NAP health policy server for evaluation.
• NAP agent: Collects and stores SoHs from the SHAs and supplies it to the ECs when requested.
NAP enforcement points | NAP enforcement points are computers or network-access devices that use NAP to evaluate a NAP client computer’s health state. NAP enforcement points rely on policies from a Network Policy Server (NPS) to perform that evaluation and determine whether network access or communication is enabled, and the set of remediation actions that a noncompliant NAP client computer must perform. NAP enforcement points can include:
• Health Registration Authority (HRA) is a server running Windows Server 2012 with Internet Information Services (IIS) installed that obtains health certificates from a certification authority (CA) for compliant computers.
• VPN server is a Windows 2012 server that runs Routing and Remote Access, and that enables remote access VPN intranet connections through remote access.
• DHCP server is a Windows 2012 server that runs the DHCP Server service.
• Network access devices are Ethernet switches or wireless access points that support IEEE 802.1X authentication.
NAP health policy servers | Windows 2012 servers run the NPS service and store health-requirement policies and provide health-state validation for NAP. NPS replaces the Internet Authentication Service (IAS), and the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. The NAP health policy server has the following components:
• NPS service: Receives RADIUS requests and extracts the System State of Health (SSoH) and passes it to the NAP administration server component.
• NAP Administration Server: Makes communication easier between the NPS service and the SHVs.
• System Health Validators (SHV): You define SHVs for system health elements and match them to an SHA. An example of these would be an SHV for antivirus software that tracks the latest version of the antivirus definition file.
NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2012-based NAP enforcement points that do not have a built-in RADIUS client computer, such as an HRA or DHCP server. However, in these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.
AD DS | AD DS stores account credentials and properties, and stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
Restricted network | This is a separate logical or physical network that has the following components:
• Remediation servers that contain health update resources, such as antivirus definition distribution points and Windows software update servers, which NAP client computers can access to remedy their noncompliant state.
• NAP client computers that have limited access are added on the restricted network when they do not comply with health-requirement policies.
Roaming Portable Computers
Portability and flexibility are two primary portable computer advantages, but these features also present a system health threat. Users frequently connect their portable computers to other networks. When users are away from your organization, their portable computers might not receive the most recent software updates or configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the portable computers. NAP lets you check any portable computer’s health state when it reconnects to the organization’s network, whether through a VPN, DirectAccess connection, or the workplace network connection.
Desktop Computers
Although desktop computers are usually not taken out of the company building, they still can present a threat to the network. To minimize this threat, you must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from websites, email, files from shared folders, and other publicly available resources. NAP enables you to automate health state checks to verify each desktop computer’s compliance with health-requirement policies. You can check log files to determine which computers do not comply. Additionally, using management software enables you to generate automatic reports and automatically update noncompliant computers. When you change health-requirement policies, computers can be provisioned automatically with the most recent updates.
Visiting Portable Computers
Organizations frequently have to enable consultants, business partners, and guests to connect to their private networks. The portable computers that these visitors bring into your organization might not meet system health requirements and can present health risks. NAP enables you to determine which visiting portable computers are noncompliant and limit their access to restricted networks. Typically, you would not require or provide any updates or configuration changes for visiting portable computers. You can configure Internet access for visiting portable computers, but not for other organizational computers that have limited access.
Unmanaged Home Computers
Unmanaged home computers that are not a member of the company’s Active Directory domain can connect to a managed company network through VPN. Unmanaged home computers provide an additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements—such as the use of antivirus software—more difficult.
Considerations for NAP
Before you implement NAP, you must consider the following points.
Considerations for NAP Client Computer Deployment
Before you can use NAP on client computers, you must configure the NAP settings. Although you can use the Netsh commands to configure all aspects of the NAP client computer, Group Policy is the preferred method of deploying client computer settings. The NAP Client Configuration console and NAP client computer configuration settings in the Group Policy Management Console provide a graphical user interface for configuring NAP client computer settings.
• VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client
computer and performs the validation. This method requires a computer certificate to perform PEAP-
based user or computer authentication.
• DHCP: The DHCP server interacts with the policies from the NPS to determine the client computer's
compliance.
• IPsec: enforces the policy and configures the systems out of compliance with a limited access local IP
security policy for remediation. This method requires a computer certificate to perform PEAP-based
user or computer authentication.
• 802.1X: authenticates over an 802.1X authenticated network and is the best solution when
integrating hardware from other vendors.
Lesson 4
Implementing NAP
There are different NAP procedures, depending on the type of enforcement you are implementing. This lesson describes the main requirements for each of the NAP enforcement methods.
Lesson Objectives
After completing this lesson you will be able to:
System Health Validators (SHVs) are required to determine what the system health policy checks for. SHVs can check for Windows Firewall settings, antivirus and spyware protection, Windows Updates, and so on.
Health policies compare the state of a client computer’s health according to SHVs that are defined by corporate requirements and determine whether the client computer is compliant or noncompliant with the corporate policy. A health policy can be defined to check one of the following:
• Client passes all SHV checks
Remediation networks are not an absolute requirement, but can provide a means for a client computer to become compliant. For example, a network policy can direct a noncompliant client computer to a network segment that contains a Web site from which the client computer can obtain current virus definitions or Windows Updates.
NAP with VPN
NAP enforcement for the VPN method works by using a set of remote access IP packet filters to limit the traffic of a noncompliant VPN client computer so that it can only reach the resources on the restricted network. Compliant client computers will be granted full access. VPN servers can enforce the health policy for computers that are considered to be noncompliant by applying the filters.
Note: Site-to-site VPN connections do not support NAP health evaluation.
To deploy NAP with VPN you must:
• Install RRAS as a VPN server and configure the NPS as the primary RADIUS server.
• Configure the VPN servers as RADIUS client computers in the NPS.
• Issue computer certificates to use PEAP authentication.
NAP with IPsec
NAP IP security (IPsec) enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements.
To implement NAP with IPsec you must:
• Configure a certification authority (CA) to issue health certificates: the System Health Authentication template must be issued and the HRA must be granted permission to enroll the certificate.
• Configure NAP client computers for IPsec NAP enforcement: NAP agent must be running and the NAP IPsec EC must be running. You can do this through Group Policy or local policy or Netsh commands.
o Secure network - Computers on the secure network have health certificates and require that incoming communication is authenticated by using these certificates.
o Restricted network - Computers on the restricted network do not have health certificates.
NAP with DHCP
NAP enforcement can be integrated with DHCP so that NAP policies can be enforced when a client computer tries to lease or renew its DHCP address.
The NPS server uses health policies and SHVs to evaluate client computer health. Based on the evaluation the NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers.
The components listed in the following table must be defined on the NPS.
Component | Description
Connection request policy | Source is set to DHCP server. The policy authenticates requests on this server.
Health policies | Must be configured to pass SHVs in the compliant policy and fail SHVs in the noncompliant policy.
SHVs | Health checks are configured on the NPS server.
IP address configuration | Must be configured to use DHCP. Clients that have a static IP address cannot be evaluated.
Demonstration: Implementing NAP with DHCP
Because you are configuring NPS on the DHCP server you do not have to designate the DHCP server as a RADIUS client computer.
You will configure the policy for all scopes.
Demonstration Steps
1. Install Network Policy and Access Services on LON-DC1.
Network Access Protection with 802.1X
You can provide NAP enforcement to an IEEE 802.1X-capable device, such as a wireless access point, authenticating switch, or other network device. NAP enforcement occurs when client computers try to access the network through these devices.
• RADIUS client computers must be added in the NPS console and are identified by host name or IP address.
• A shared secret must be configured in the NPS server and the device to identify the RADIUS client computer.
• Server certificates must be installed and client computers must trust these certificates.
• Network authentication must use EAP authentication methods – secure passwords, smart cards or
other certificates.
• If your access points support VLANs, you can configure that information for NPS. For example, the
restricted network may be a VLAN.
• When you create network policies and connection request policies, the type of network access server
should be set to Unspecified.
• Connection request policies must be configured to use PEAP authentication in the policy.
Objectives
• Configure new features in DNS and DHCP.
• Configure IP Address Management.
Lab Setup
Estimated time: 75 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
1. Configure DNSSEC.
3. Verify the DNSKEY resource records were created in the Trust Points zone.
Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
2. From the IPAM Overview pane, start the server discovery process.
3. In the yellow banner, click the More link to determine the discovery status.
2. Start Windows PowerShell and grant the IPAM server permission. Use the following command:
3. In the IPAM console, for LON-SVR1 and LON-DC1, set the manageability status to be Managed.
7. Switch back to LON-SVR2, and in the IPAM console, configure LON-SVR1 to be Managed.
8. Refresh the Server Access Status and refresh the console view until LON-DC1 and LON-SVR1 shows an
IPAM Access Status Unblocked. This may take 10-15 minutes to complete.
9. From the IPAM Overview pane retrieve data from the managed server.
Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.
2. Configure the Windows Security Health Validator to only validate that the Windows Firewall is
enabled.
3. Create two new Health Policies. One for compliant computers that pass all SHV checks and one for
noncompliant computers that fail one or more SHV checks.
2. Configure a network policy for noncompliant computers in such a way that the health policy enables
them to exchange packets with LON-DC1 at 172.16.0.10 only. Name the policy Noncompliant-
Restricted.
3. Add conditions for Point to Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP),
and Layer 2 Tunneling Protocol (L2TP).
4. Ensure requests are authenticated on this server and will override network policy authentication.
5. Add Protected Extensible Authentication Protocol (PEAP) and edit it to enforce network access
protection.
Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.
2. Use gpedit.msc to open Local Group Policy and turn on the Security Center.
• Configure a new inbound rule that allows ICMPv4 echo packets through the firewall.
X Task 4: Move the Client to the Internet and Establish a VPN Connection
1. Configure LON-CL1 with the following IP address settings:
o IP address: 131.107.0.20
3. Click Legacy Network Adapter and then under Network select Private Network 2, click OK.
8. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft:
Protected EAP (PEAP) (encryption enabled) and then click Properties.
9. Ensure that the Verify the server’s identity by validating the certificate check box is already
selected. Clear the Connect to these servers check box, and then ensure that Secured password
(EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast
Reconnect check box and then select the Enforce Network Access Protection check box.
Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.
• Use Group Policy to configure NRPT tables for DNSSEC client computers.
• Document the NPS configuration by using the command netsh nps show config > Path\File.txt to save the configuration to a text file.
Review Question
Question: What is a major drawback of IPAM?
Scenario: You have implemented DNSSEC, but now you have to disable DNSSEC. How will you disable
DNSSEC?
Tools
Tool | Use | Where to find it
DNS Management Console | Configure all aspects of DNS | In Server Manager under the Tools drop-down list.
DHCP Management Console | Configure all aspects of DHCP | In Server Manager under the Tools drop-down list.
Remote Access Management Console | Configure remote access such as VPN | In Server Manager under the Tools drop-down list.
NAP configuration wizard | Configure the NAP Enforcement Point | Open the NPS (Local) console. In Getting Started, under Standard Configuration, select Network Access Protection (NAP), and then click Configure NAP.
Module 6
Implementing DirectAccess
Contents:
Module Overview 6-1
Module Overview
Introduced in Windows Server® 2008 R2, the DirectAccess feature is a technology that enables users to
securely connect to data and resources in corporate networks without using traditional virtual private
network (VPN) technology. In Windows Server 2012, DirectAccess is now one of three component
technologies (DirectAccess, Routing, and Remote Access) that is integrated with a single, unified server
role called Windows Server 2012 Remote Access. DirectAccess seamlessly integrates and coexists with
what was formerly called Routing and Remote Access service (RRAS). Direct Access itself is expanded to
add features such as integrated accounting, express setup for small and medium deployments, and
multiple domain support.
In this module, you will learn how DirectAccess works for internal and external clients. You will also learn
the new DirectAccess features introduced in Windows Server 2012 and Windows® 8. In addition, you will
learn how to install and configure DirectAccess in different scenarios.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of DirectAccess
DirectAccess enables remote users to securely access corporate resources, such as email servers, shared folders, or internal websites without connecting to a VPN. Also, DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. With the new unified management experience, you can configure DirectAccess and older VPN connections from one location. Other enhancements in DirectAccess include simplified deployment, and improved performance and scalability. This lesson provides an overview of the DirectAccess architecture and components.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how DirectAccess works for external clients.
Problems with Remote Connections
Organizations often rely on traditional VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections need to be configured manually most of the time. This sometimes presents interoperability issues in situations when the users are using multiple different VPN clients. Additionally, VPN connections face the following problems:
• The connection could require additional configuration on the corporate firewall. If not properly configured on the firewall, VPN connections usually enable remote access to the entire corporate network.
DirectAccess Extends the Network to the Remotely-Connected Computers and Users
To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess to provide a seamless connection between the internal network and the remote computer on the Internet. With DirectAccess, organizations can effortlessly manage remote computers because they are always connected.
What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure for internal users and remote users.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers. Using the same management and update servers, you can ensure they are always up-to-date and in compliance with security and system health policies. You can also define more detailed access control policies for remote access when compared with defining access control policies in VPN solutions.
• Uses various protocols, including HTTPS, to establish IPv6 connectivity—HTTPS is typically allowed through firewalls and proxy servers
• Supports selected server access and end-to-end Internet Protocol Security (IPsec) authentication with intranet network servers
• Supports end-to-end authentication and encryption with intranet network servers
• Supports management of remote client computers
• Seamless connectivity. DirecctAccess provides a consiste nt connectivityy experience w whether the cliient
computer is local or remote e. This allows users
u to focus more on prod ductivity and le
ess on connecttivity
options and process.
p This co
onsistency can n reduce traini ng costs for users, with fewe
er support inciidents.
• Bidirectional access.
a You can configure DiirectAccess in a way that thee DirectAccess clients have aaccess
to intranet resources and yo ou can also ha m the intranet to those DirecctAccess clientts.
ave access from
Therefore, DirectAccess can n be bidirectional. This ensurres that the client computers are always
updated with h recent securitty updates, the
e domain Grou up Policy is en
nforced, and th
here is no diffe
erence
whether the users
u are on th
he corporate in ntranet or on tthe public netwwork. This bidirectional acce
ess
also results in
n:
o Decrease
ed update time
e
o Increased
d security
o Decrease
ed update misss rate
o Improved
d compliance monitoring
• Manage-out Support.
S This feature
f is new in Windows Seerver 2012 and d provides the e ability to
enable only remote management functio DirectAccess cl ient. This new sub-option off
onality in the D
the DirectAcccess client conffiguration wizaard automatess the deploym ent of policiess that are usedd for
managing the e client compu uter. Manage-out support do oes not implemment any policcy options thaat
allow users to
o connect to thhe network forr file or applicaation access. M
Manage-out su upport is
unidirectional, incoming on nly access for administration
a purposes onlyy.
• Improved secu urity. Unlike trraditional VPNs, DirectAcces s offers many levels of accesss control to
network resources. This tigh hter degree off control allow
ws security arch
hitects to preciisely control re
emote
users who acccess specified resources. You u can use a graanular policy to specifically d
define which u user
can use DirecctAccess, and the location fro om which the user can accesss it. IPsec encryption is used d for
protecting DirectAccess traffic so that use ers can ensuree that their com
mmunication is safe.
What’s New in DirectAccess in Windows Server 2012
In Windows Server 2012, DirectAccess has several enhancements, especially in regards to bypassing some common technology issues such as requirements for public key infrastructure (PKI) and public IP addresses.
Improved DirectAccess Management
DirectAccess in Windows Server 2012 has been improved in the following ways:
• DirectAccess and RRAS coexistence. The Windows Server 2012 DirectAccess and RRAS unified server role solves the problems of interoperability of Denial of Service Protection (DoSP) and Internet Key Exchange version 2 (IKEv2).
MCT USE ONLY. STUDENT USE PROHIBITED
Upgrading Your Skills to MCSA Windows Server® 2012 6-5
• Rich monitoring of clients. You can view the health of user computers and servers along with
deployment monitoring and diagnostics in a single console in DirectAccess. Using the dashboard,
you can have top-level information about Remote Access servers and client activity. User and client
computer monitoring can provide you with information on which resources are accessed by the
clients.
• Integrated accounting and reporting. Accounting and reporting is now integrated in the console and
provides the ability to measure specific metrics. It also enables administrators to generate rich usage
reports on various user and server statistics.
• Windows PowerShell® and Server Core support. Windows Server 2012 provides full Windows
PowerShell support for the setup, configuration, management, monitoring, and troubleshooting of
the Remote Access Server Role.
• Unified management wizard and tools. You can use a single wizard and console for DirectAccess
configuration, management, and monitoring.
• Works with existing infrastructure. You do not need to upgrade your existing domain controllers to
Windows Server 2012.
• IPv6 for internal network is no longer required. This is because transition technologies such as network
address translation 64 (NAT64) and Domain Name System 64 (DNS64) allow access to internal
resources that are run only on IPv4 computers. Previously, this functionality was only possible to
achieve with deployments that included Microsoft Unified Access Gateway Server.
• Single network adapter. You can implement your DirectAccess server behind a NAT with a single
network adapter.
• Single IP address. In certain deployment scenarios, you can even use a single IP address for the
DirectAccess server. This makes deployment easier in comparison to the DirectAccess deployment
in Windows Server 2008.
• PKI deployment is optional, because the wizard creates a self-signed certificate without the need for certificate revocation lists (CRLs). This functionality is achieved by using the HTTPS-based Kerberos proxy (built into Windows Server 2012), which accepts client authentication requests and sends them to domain controllers on behalf of the client.
• Single factor authentication only; no support for smart card integration or using one-time
password (OTP).
• Support for high availability and external load balancers. Windows Server 2012 supports network load
balancing (NLB) to achieve high availability and scalability for both DirectAccess and RRAS. The setup
process also provides integrated support for third party external hardware-based load balancer
solutions.
New Deployment Scenarios
The new DirectAccess deployment scenarios in Windows Server 2012 include:
• Deploy a server behind a NAT. You can deploy Windows Server 2012 DirectAccess behind a NAT device, with the support for a single or multiple interfaces, removing the prerequisite for a public address. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be established by using a secure HTTP connection.
• Support for OTP and virtual smart cards. This feature requires a PKI deployment. If the option is selected in the DirectAccess Setup Wizard, the Use computer certificates option is automatically selected. Also, DirectAccess can use the Trusted Platform Module (TPM)-based virtual smart card, which uses the TPM of a client computer to act as a virtual smart card for two-factor authentication.
DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following infrastructure components:
• DirectAccess server
• DirectAccess clients
• Network location server
• Internal resources
• Active Directory domain
• Group Policy
• PKI (Optional for the internal network)
• DNS server
• NAP server
DirectAccess Server
The DirectAccess server can be any domain-joined Windows Server 2012 computer that accepts connections from DirectAccess clients and establishes communication with intranet resources. This server provides authentication services for DirectAccess clients and acts as an IPsec tunnel mode endpoint for external traffic. The new Remote Access server role allows centralized administration, configuration, and monitoring for both DirectAccess and VPN connectivity.
Compared with previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium organizations, by removing the need for
full PKI deployment and removing the requirement for two consecutive public IPv4 addresses for the
physical adapter that is connected to the Internet. In Windows Server 2012, the wizard detects the actual
implementation state of the DirectAccess server, and automatically selects the best deployment; thereby,
hiding from the administrator the complexity of configuring manually IPv6 transition technologies.
DirectAccess Clients
DirectAccess clients can be any domain-joined computer running Windows 8, Windows 7 Enterprise
Edition, or Windows 7 Ultimate Edition.
Note: With off-premise provisioning, you can join the client computer in a domain without
connecting the client computer in your internal premises.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS
protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.
Internal Resources
You can configure any IPv6-capable application that is running on internal servers or client computers to be available to DirectAccess clients. For older applications and servers that are not based on Windows and have no IPv6 support, Windows Server 2012 now includes native support for a protocol translation (NAT64) and name resolution (DNS64) gateway that converts IPv6 communication from the DirectAccess client to IPv4 for the internal servers.
Note: As done in the past, this functionality can also be achieved with Microsoft® Forefront® Unified Access Gateway Server. Likewise, as in past versions, these translation services do not support sessions initiated by internal devices; rather they support requests originating from IPv6 DirectAccess clients only.
Group Policy
Group Policy is required for the centralized administration and deployment of DirectAccess settings. The
DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. Windows Server 2012
DirectAccess enables client authentication requests to be sent over a HTTPS based Kerberos proxy
service running on the DirectAccess server. This eliminates the need for establishing a second IPsec
tunnel between clients and domain controllers. The Kerberos proxy will send Kerberos requests to
domain controllers on behalf of the client.
However, for a full DirectAccess configuration, that allows NAP integration, two-factor authentication,
and force tunneling, you still need to implement certificates for authentication for every client that will
participate in DirectAccess communication.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or later, or a
third-party DNS server that supports DNS message exchanges over the ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. Windows Server 2012
DirectAccess provides the ability to configure NAP health check directly from the setup user interface
instead of manual editing of GPO as it was in Windows Server 2008 R2 DirectAccess.
Additional Reading: The DNS server does not listen on the ISATAP interface on a
Windows Server 2008-based computer
http://go.microsoft.com/fwlink/?LinkID=159951
IPv6 - Technology Overview
http://technet.microsoft.com/en-us/library/hh831730.aspx
Name Resolution Policy Table
To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows 8 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS namespace, rather than per interface.
The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client’s behavior for that namespace.
When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT:
• If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS servers configured in the TCP/IP settings for the specified network interface.
Namespaces, for example, internal.adatum.com, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests are sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server, such as dns.adatum.com in the NRPT, the name must be publicly resolvable when the client queries the DNS servers specified in its TCP/IP settings.
The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.
Some names need to be treated differently with regards to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client’s TCP/IP settings, you must add them as NRPT exemptions.
• The local name cache
Question: How can you benefit from NRPT?
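As an added example (not from the course text), the following PowerShell script models the NRPT lookup described above: the most specific matching namespace rule wins, a rule with no DirectAccess DNS servers acts as an exemption, and names with no matching rule go to the interface DNS servers. The rule set, the IPv6 DNS server address and the query names are constructed; Test-NrptNamespace and Resolve-NrptDecision are hypothetical helpers written for this example, not Windows cmdlets, and the assumption that the longest namespace match wins is this example's own.

```powershell
# Added example: a model of the DirectAccess client's NRPT decision for a name query.
# The rule objects mirror the fields shown by Get-DnsClientNrptRule; all values are constructed.
$Nrpt = @(
    [pscustomobject]@{
        Namespace              = '.adatum.com'
        DirectAccessDnsServers = @('2001:db8:1::53')   # intranet DNS, reached over the infrastructure tunnel
        Comment                = 'Intranet namespace rule'
    },
    [pscustomobject]@{
        Namespace              = 'nls.adatum.com'
        DirectAccessDnsServers = @()                   # no servers: an NRPT exemption for the NLS
        Comment                = 'Exemption so the NLS name is resolved by the interface DNS servers'
    }
)

function Test-NrptNamespace {
    # Returns $true when $Name falls under the NRPT namespace $Namespace (hypothetical helper).
    # A leading dot means "this DNS suffix and everything below it";
    # without a leading dot the rule applies to exactly one FQDN.
    param([string]$Name, [string]$Namespace)
    $n  = $Name.TrimEnd('.').ToLowerInvariant()
    $ns = $Namespace.TrimEnd('.').ToLowerInvariant()
    if ($ns.StartsWith('.')) { return $n.EndsWith($ns) }
    return $n -eq $ns
}

function Resolve-NrptDecision {
    # Decides where the DNS client would send a query for $Name (hypothetical helper).
    # Assumption for this model: when several rules match, the longest namespace wins,
    # which is what lets the nls.adatum.com exemption override the .adatum.com rule.
    param([string]$Name, [object[]]$Rules)
    $match = $Rules |
        Where-Object { Test-NrptNamespace -Name $Name -Namespace $_.Namespace } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1

    if ($null -eq $match) {
        return [pscustomobject]@{ Name = $Name; Rule = '(none)'; Target = 'Interface DNS servers (no NRPT match)' }
    }
    if ($match.DirectAccessDnsServers.Count -eq 0) {
        return [pscustomobject]@{ Name = $Name; Rule = $match.Namespace; Target = 'Interface DNS servers (NRPT exemption)' }
    }
    [pscustomobject]@{
        Name   = $Name
        Rule   = $match.Namespace
        Target = "DirectAccess DNS $($match.DirectAccessDnsServers -join ', ') through the IPsec infrastructure tunnel"
    }
}

# Constructed sample queries: an intranet host, the NLS, and an Internet name.
$queries = 'lon-svr1.adatum.com', 'nls.adatum.com', 'www.example.com'
$queries | ForEach-Object { Resolve-NrptDecision -Name $_ -Rules $Nrpt } | Format-Table -AutoSize

# On a real Windows 8 or Windows Server 2012 DirectAccess client, compare this model with
# the table that Group Policy actually delivered (the same data that
# 'netsh namespace show effectivepolicy' prints):
#   Get-DnsClientNrptPolicy -Effective | Select-Object Namespace, DirectAccessDnsServers
```

Running the script offline prints one row per query; the NLS row shows the exemption winning over the broader .adatum.com rule, which is why the NLS name must remain resolvable by the interface DNS servers.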
How DirectAccess Works for Internal Client Computers
An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access a NLS URL to determine if they are located on the intranet or on a public network. The DirectAccess server can also be the NLS. In some organizations where DirectAccess is a business-critical service, the NLS should be highly available. Generally, the web server on the NLS does not have to be dedicated just for supporting DirectAccess clients.
It is critical that the NLS is available from each company location, because the behavior of the DirectAccess client depends on the response from the NLS. Branch locations may need a separate NLS at each branch location to ensure that the NLS remains accessible even when there is a link failure between branches.
4. Based on an HTTP 200 Success of the NLS URL (successful access and certificate authentication and revocation check), the DirectAccess client switches to the domain firewall profile and ignores the DirectAccess rules in the NRPT for the remainder of the session.
How DirectAccess Works for External Client Computers
When a DirectAccess client starts, the DirectAccess client assumes that it is not connected to the intranet by trying to reach the URL address specified for NLS. Because the client computer cannot communicate with NLS, it starts to use NRPT and connection security rules. The NRPT has DirectAccess-based rules for name resolution, and connection security rules define DirectAccess IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the following process to connect to intranet resources.
The DirectAccess client first attempts to access the NLS. Then, the client attempts to locate a domain controller. Afterwards, the client attempts to access intranet resources and internet resources.
DirectAccess Client Attempts To Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:
The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and access intranet resources across the Internet through the DirectAccess server.
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS
name query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the
DirectAccess client’s TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate
and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both
the computer and the user) authenticates itself with its installed computer certificate and its NT LAN
Manager (NTLM) credentials, respectively.
4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server and back through the IPsec infrastructure
tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.
1. The application or process that attempts to communicate constructs a message or payload and hands
it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account’s Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.
1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There
are no matches. The DNS client service constructs the DNS name query that is addressed to the
IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.
6. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
intranet tunnel or connection security rules is sent and received normally.
Like the connection process, accessing the domain controller and accessing intranet resources are very similar processes, because both use the NRPT to locate the appropriate DNS server to resolve the name queries; the difference is the IPsec tunnel that is established between the client and the DirectAccess server. When accessing the domain controller, all the DNS queries are sent through the IPsec infrastructure tunnel, and when accessing intranet resources, a second IPsec tunnel is established (the intranet tunnel).
Lesson 2
Installing and Configuring DirectAccess Components
In order to install and configure DirectAccess in your organization, you need to meet a number of requirements pertaining to Active Directory configuration, DNS configuration, and certificate services. After these requirements are met, you then install and configure the DirectAccess role. Finally, you configure client computers, and verify that DirectAccess is functional when connecting from both the internal network and the Internet.
In this lesson, you will learn about DirectAccess requirements, how to plan the DirectAccess solution, and the process of installation and deployment of DirectAccess. You will also learn about the new features for implementing DirectAccess in Windows 8.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure AD DS services for DirectAccess.
• Install and configure DirectAccess Server.
• Configure the DirectAccess clients.
Prerequisites for Implementing DirectAccess
To deploy DirectAccess, the DirectAccess server, the client computer, and infrastructure should meet certain requirements.
Requirements for DirectAccess Server
In order to deploy DirectAccess, you need to ensure that the server meets the hardware and network requirements:
• The server must be joined to an Active Directory domain.
• The server must have Windows Server 2012 or Windows Server 2008 R2 operating system installed.
• Implementation of DirectAccess in Windows Server 2012 does not require two consecutive
static, public IPv4 addresses be assigned to the network adapter. However, to achieve two-factor
authentication with smart card or OTP deployment, DirectAccess server will still need two public
IP addresses.
• You can even deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a single or multiple interfaces, thereby removing the need for an additional public address. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be established using a secure HTTP connection.
• On the DirectAccess server, you can install the Remote Access role to configure DirectAccess settings
for the DirectAccess server and clients, and monitor the status of the DirectAccess server. The Remote
Access wizard provides you with the option to configure only DirectAccess, only VPN, or both
scenarios on the same server running Windows Server 2012. This was not possible in Windows Server
2008 R2 deployment of DirectAccess.
• For Load Balancing Support, Windows Server 2012 has the ability to use NLB (up to 8 nodes) to
achieve high availability and scalability for both DirectAccess and RRAS.
• With the new 2012 DirectAccess scenario it is possible to offline provision computers for domain
membership without the need for the computer to be on premises.
• The client computer can be loaded with Windows 8, Windows 7 Enterprise Edition, Windows 7
Ultimate Edition, Windows Server 2012, or Windows Server 2008 R2 operating system.
You cannot deploy DirectAccess on clients running Windows Vista®, Windows Server 2008, or other earlier
versions of the Windows operating systems.
Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:
• Active Directory. You must deploy at least one Active Directory domain. Workgroups are not
supported.
• Group Policy. You need Group Policy for centralized administration and deployment of DirectAccess
client settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess
clients, DirectAccess servers, and management servers.
• DNS and domain controller. You must have at least one domain controller and DNS server running
Windows Server 2012, or Windows Server 2008 SP2 or Windows Server 2008 R2.
• PKI. You need to use PKI to issue computer certificates for authentication and health certificates
only when NAP is deployed. You do not need external certificates. The SSL certificate installed on
the DirectAccess server must have a CRL distribution point that is reachable from the Internet. The
certificate Subject field must contain the FQDN that can be resolved to a public IPv4 address assigned
to the DirectAccess server by using the Internet DNS.
• IPsec policies. DirectAccess utilizes IPsec policies that are configured and administered as part of
Windows Firewall with Advanced Security.
Process of Configuring DirectAccess
To configure DirectAccess, perform the following steps:
2. Configure the PKI environment
3. Configure DirectAccess Server
o Install Windows Server 2012 on a server computer with one or two physical network adapters (depends on DirectAccess design scenario).
o Install the Remote Access role and configure the DirectAccess server so that it is either one of the following:
   The DirectAccess server is on the perimeter network with one network adapter connected to the perimeter network and at least one other network adapter connected to the intranet. In this deployment scenario, DirectAccess server is placed between a front-end firewall and back-end firewall.
   The DirectAccess server is published by using IPsec Gateway (TMG or UAG). In this deployment scenario, DirectAccess is placed behind a front-end firewall and it has one network adapter connected to the internal network.
   The DirectAccess server is installed on an Edge server (typically the front-end firewall) with one network adapter connected to the Internet and at least one other network adapter connected to the intranet.
An alternative design is that the DirectAccess server has only one, and not two, network interface. For
this design, perform the following steps:
o Verify that the ports and protocols needed for DirectAccess and Internet Control Message
Protocol (ICMP) Echo Request are enabled in the firewall exceptions and opened on the
perimeter and Internet-facing firewalls.
o The DirectAccess server in simplified implementation can use a single public IP address in
combination with Kerberos Proxy services for client authentication against domain controllers.
For two-factor authentication and integration with NAP, you need to configure at least two
consecutive public static IPv4 addresses that are externally resolvable through DNS. Ensure that
you have an IPv4 address available and that you have the ability to publish that address in your
externally-facing DNS server.
o If you have disabled IPv6 on clients and servers, enable IPv6 because it is required for
DirectAccess.
o Install a web server on the DirectAccess server to enable DirectAccess clients and determine if
they are inside or outside the intranet. You can install this web server on a separate internal
server for determining the network location.
o Based on the deployment scenario, you need to designate one of the server network adapters as
the Internet-facing interface (in deployment with two network adapters) or publish the
DirectAccess server which is deployed behind NAT for Internet access.
o On the DirectAccess server, ensure that the Internet-facing interface is configured to be either a
Public or a Private interface, depending on your network design. Configure the intranet interfaces
as domain interfaces. If you have more than two interfaces, ensure that no more than two
classification types are selected.
4. Configure the DirectAccess clients and test intranet and Internet access
o Verify that DirectAccess group policy has been applied and certificates have been distributed to
client computers:
o Test whether you can connect to DirectAccess server from an intranet.
o Test whether you can connect to DirectAccess server from the Internet.
Demonstration Steps
2. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
\Windows Firewall with Advanced Security.
5. Close the Group Policy Management Editor and Group Policy Management consoles.
Question: What is the purpose of the nls.adatum.com DNS host record that you associated
with an internal IP address?
o Location: .crl
o Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP
extension of issued certificates
o Location: .crl
o Select Publish CRLs to this location and Publish Delta CRLs to this location
1. Right-click Certificate Template in the Certification Authority console and then click Manage.
2. In the Certificate Template console, in Web Server template Properties, configure security settings
for Authenticated Users to be allowed to Enroll for a certificate.
3. Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor, open
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4. At Automatic Certificate Request Settings, configure Automatic Certificate Request with a
Computer.
5. On the Certificate Template page, click Computer, click Next, and then click Finish.
6. Close the Group Policy Management Editor and close the Group Policy.
• Configure DirectAccess.
Demonstration Steps
2. Open Microsoft Management Console by typing the mmc command, and then add the Certificates
snap-in for Local computer.
3. In the Certificates snap-in, in the Microsoft Management Console, request a new certificate with the
following settings:
• Certificate template: Web Server
• Common name: 131.107.0.2
4. Verify that a new certificate with the name 131.107.0.2 has been issued with Intended Purposes of
Server Authentication.
5. For the 131.107.0.2 certificate, in Properties, specify the Friendly Name as IP-HTTPS Certificate,
and then click OK.
6. In the Certificates console, right-click the certificate with the name lon-svr2.adatum.com, and then click Delete.
2. In the Server Manager console, open the Remote Access Management console.
3. Click Configuration; the Enable Direct Access Wizard will start automatically.
4. Click Next. Wait until the DirectAccess prerequisites page completes loading.
5. Complete the Enable Direct Access Wizard by using the following settings:
o DirectAccess Client Setup page; Enter the object names to select: DA_clients
Note: On this page, you might notice that you are using the IP address of the Edge server
instead of its FQDN. This is because in this lab environment there is no public DNS server, as there
would be in a real-life scenario.
GPUpdate /force
• Verify that DirectAccess clients have the computer certificate that is required for DirectAccess
authentication. This should have been distributed with Group Policy.
Demonstration Steps
2. Open the Command Prompt window and type gpupdate /force to force-apply Group Policy on
LON-SVR3.
3. At command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
applied to the Computer Settings.
Note: If DirectAccess Client Settings GPO is not applied, restart LON-SVR3, and then
repeat step 2 on LON-SVR3.
4. Verify that DNS Effective Name Resolution Policy Table Settings is applied by typing the following
command at the command prompt:
5. Verify that DNS Effective Name Resolution Policy Table Settings is displayed in the Command
Prompt window.
6. Simulate moving the client computer LON-SVR3 out of the corporate network (that is, to the Internet)
by changing the network adapter settings to the following external IP address values:
o IP address: 131.107.0.10
7. Disable and then again enable the Local Area Connection network adapter.
8. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network.
2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.
4. Click Start, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the
Files shared folder appears.
5. In the Files shared folder window, double-click the example.txt file. The content of the example.txt
file is displayed.
7. Move the mouse pointer to the lower-right corner of the screen, and in the notification area, click
search, and in the search box, type cmd.
Verify that DNS Effective Name Resolution Policy Table Settings present two entries for
adatum.com and DirectAccess-NLS.Adatum.com.
Get-DAClientExperienceConfiguration
Verify client connectivity on DirectAccess Server
1. Switch to LON-SVR2.
Question: How will you configure an IPv6 address for Windows 8 to use DirectAccess?
Windows 7 Client vs. Windows 8 Client Implementation
Users working with DirectAccess in the Windows 8 operating system will have a better user
experience than those working in Windows 7. In Windows 8, the DirectAccess solution is
completely transparent for the user. However, in Windows 7, it is hard to troubleshoot network
connectivity problems. Usually, when problems start, there are no native tools that can easily track
the network behavior, and so administrators often use network monitoring tools to get information
regarding connectivity issues.
Windows 8 Client Implementation
• Windows 8 includes an in-box user interface for DirectAccess clients that helps users understand the
network connectivity experience. A simplified user interface that runs above the Windows PowerShell
commands provides basic information regarding connectivity.
• Remediation options for actionable problems are presented clearly to the user. Instead of using other
tools, remediation and problem solving can be done in the same user interface for DirectAccess.
Typical problems that can be flagged for remediation are:
o NAP
• When using Windows 7 in a multi-site deployment, you need to create multiple GPOs with different
settings. However, in Windows 8, clients can easily select the closest DirectAccess server in a multisite
deployment.
• The receive side scaling concept for UDP traffic helps in improving performance in enterprise
deployment.
To address these issues, A. Datum has decided to implement DirectAccess on client computers running
Windows 8.
As a senior network administrator, you are required to deploy and validate the DirectAccess deployment.
You will configure the DirectAccess environment and validate that the client computers can connect to
the internal network when operating remotely.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 90 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR2, and 20417A-LON-SVR3.
a. Switch to LON-DC1.
b. Open the Active Directory Users and Computers console, and create an Organizational Unit
named DA_Clients OU, and within that organizational unit, create a Global Security group
named DA_Clients.
2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
a. Open the Group Policy Management console, and then open Default Domain Policy.
b. In the console tree of the Group Policy Management Editor, navigate to Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security.
a. Open the DNS Manager console, and then create new host records with the following settings:
Name: nls; IP Address: 172.16.0.21
Name: crl; IP Address: 172.16.0.22
b. Close the DNS Manager console.
4. Remove ISATAP from the DNS global query block list by performing the following steps:
a. Open the Command Prompt window, type the following command, and then press Enter:
a. In the Certificate Templates console, in the contents pane, duplicate the Web Server template by
using the following options:
Template display name: Adatum Web Server Certificate
Request Handling: Allow private key to be exported
Authenticated Users permissions: under Allow, click Enroll
c. In the Certification Authority console, choose to issue a New Certificate Template and select the
Adatum Web Server Certificate template.
c. Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor,
navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
e. Close the Group Policy Management Editor and close the Group Policy Management console.
gpupdate /force
b. At the command prompt, type the following command, and then press Enter.
mmc
f. Close the console window. When you are prompted to save settings, click No.
b. In the console tree of Internet Information Services (IIS), navigate to and click Default Web site.
a. Switch to LON-SVR2.
b. Open a command prompt and refresh group policy by typing gpupdate /force.
c. Open Microsoft Management Console by typing the mmc command, and then add the Certificates
snap-in for Local computer.
d. In the Certificates snap-in, in the mmc console, request a new certificate with the following
settings:
Certificate template: Adatum Web Server Certificate
Common name: 131.107.0.2
Friendly name: IP-HTTPS Certificate
e. Close the console.
b. In Internet Information Services (IIS) Manager, create new virtual directory CRLD and assign
c:\crldist as a home directory.
3. Share and secure the CRL distribution point by performing the following step:
Note: You perform this step to assign permissions to the CRL distribution point.
In the details pane of Windows Explorer, right-click the CRLDist folder, and then click
Properties, and grant Full Share and NTFS permission.
Note: This step makes the CRL available on the edge server for Internet-based
DirectAccess clients.
a. Switch to LON-DC1.
c. In the console tree, open ADATUMCA, right-click Revoked Certificates, point to All Tasks, and
then click Publish.
b. In the Server Manager console, start the Remote Access Management console, click
Configuration, and start the Enable Direct Access Wizard with following settings:
Select Groups: DA_Clients
Network Topology: Edge is selected, and verify that 131.107.0.2 is used by clients to
connect to the Remote Access server.
Infrastructure Server Setup page, click Next
Configure Remote Access page, click Next
In Summary, click Finish, to apply DirectAccess Settings
Note: Since the server you already configured is a VPN server, you can only
use the Getting Started Wizard, which generates a self-signed certificate for DirectAccess
communication. The next steps modify the default DirectAccess settings to use the certificates already
deployed from the internal Certification Authority.
c. In the details pane of the Remote Access Management console, under Step 2, click Edit.
d. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.
f. On the Authentication page, select Use computer certificates, click Browse, and then select
Adatum Lon-Dc1 CA.
h. In details pane of the Remote Access Management console, under Step 3, click Edit.
i. On the Network Location Server page, select The network location server is deployed on
a remote web server (recommended), in the URL of the NLS, type
https://nls.adatum.com, and then click Validate.
gpupdate /force
Ipconfig
Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter
IPHTTPSInterface starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.
Open the Command Prompt window and then type the following commands:
gpupdate /force
gpresult /R
3. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for
the Computer Settings.
2. Verify that a certificate with the name LON-SVR3.adatum.com is present with Intended Purposes
of Client Authentication and Server Authentication.
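The client-side checks this lab performs by hand (GPO applied, computer certificate with Client and Server Authentication EKUs, NRPT entries, IP-HTTPS address, client experience configuration) collected into one function, as an added example that is not part of the course material. It assumes a Windows 8 or Windows Server 2012 client with the DnsClient and DirectAccess client cmdlets available; the GPO name and DNS names are the lab's own values.

```powershell
# Added example (not from the course): one function that performs the client-side
# DirectAccess checks the lab does by hand and returns them as a single object.
# Assumes a Windows 8 / Windows Server 2012 client; GPO and DNS names are the lab's.

function Test-DirectAccessClientReadiness {
    [CmdletBinding()]
    param(
        # GPO that must appear under "Applied Group Policy Objects" in gpresult /R
        [string]$GpoName = 'DirectAccess Client Settings',
        # NRPT namespaces the lab expects (intranet suffix and the NLS exemption)
        [string[]]$ExpectedNrptNamespaces = @('adatum.com', 'DirectAccess-NLS.adatum.com')
    )

    # Enhanced Key Usage OIDs: Client Authentication and Server Authentication
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'

    # 1. Group Policy: is the DirectAccess client GPO applied to the computer?
    $gpresultLines = & gpresult.exe /R 2>$null
    $gpoApplied = [bool]($gpresultLines | Where-Object { $_ -match [regex]::Escape($GpoName) })

    # 2. Computer certificate with both EKUs and a private key (used for IPsec authentication)
    $daCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        } |
        Select-Object -First 1
    $thumbprint = if ($daCert) { $daCert.Thumbprint } else { $null }

    # 3. NRPT: every expected namespace must be present (leading dot ignored, case-insensitive)
    $nrptNamespaces = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Namespace.TrimStart('.') })
    $missingNrpt = @($ExpectedNrptNamespaces | Where-Object {
        $nrptNamespaces -notcontains $_.TrimStart('.') })

    # 4. IP-HTTPS tunnel: on the Internet side the IPHTTPSInterface adapter carries a 2002: address
    $ipHttps = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.IPAddress -like '2002:*' }
    $ipHttpsAddress = if ($ipHttps) { @($ipHttps)[0].IPAddress } else { $null }

    # 5. Client experience settings pushed by the GPO (same cmdlet the lab runs)
    $clientConfig = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue

    [pscustomobject]@{
        GpoApplied            = $gpoApplied
        CertificateThumbprint = $thumbprint
        MissingNrptEntries    = $missingNrpt
        IpHttpsAddress        = $ipHttpsAddress
        ClientConfigPresent   = [bool]$clientConfig
        Ready                 = [bool]($gpoApplied -and $daCert -and $missingNrpt.Count -eq 0)
    }
}

Test-DirectAccessClientReadiness | Format-List
```

IpHttpsAddress is expected to be empty while the client is still on the corporate network and populated only after it is moved to the Internet, as the later exercise describes.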
2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1
appears.
3. Open Windows Explorer, and type \\Lon-SVR1\Files, and then press Enter. You should see a folder
window with the contents of the Files shared folder.
4. Close all open windows.
Results: After completing this exercise, you will have configured the DirectAccess clients.
Note: To verify the DirectAccess functionality, you must move the client computer to the
Internet.
1. Switch to LON-SVR3.
o IP address: 131.107.0.10
3. Disable and then again enable the Local Area Network network adapter.
5. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network. Click OK.
ipconfig
2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.
3. At the command prompt, type the following command, and then press Enter.
4. At the command prompt, type the following command, and then press Enter.
powershell
5. At the Windows PowerShell command prompt, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration
3. You should see a folder window with the contents of the Files shared folder.
ping lon-dc1.adatum.com
5. At the command prompt, type the following command, and then press Enter.
gpupdate /force
7. Switch to LON-SVR2.
8. Start the Remote Access Management console and review the information on Remote Client
Status.
Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in
the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
Results: After completing this exercise, you will have verified the DirectAccess configuration.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Question: How does the DirectAccess client determine if it is connected to the intranet or
the Internet?
Best Practices
Although DirectAccess was present in Windows 7 and Windows Server 2008 R2, Windows 8
introduces new features for improved manageability, ease of deployment, and improved scale and
performance.
Monitoring of the environment is now much easier with support for PowerShell, Windows Management
Instrumentation (WMI), and GUI monitoring, along with the Network Connectivity Assistant on the client side.
One of the best enhancements is that DirectAccess can now access IPv4 servers on your network, and your
servers do not need to have IPv6 addresses to be exposed through DirectAccess, because your DirectAccess
server acts as a proxy.
For ease of deployment, you do not need to have IP addresses on the Internet-facing network. Therefore,
this is a good scenario for a proof of concept. However, if you are concerned about security and if you want
to integrate with NAP, you still need two public addresses.
Consider integrating DirectAccess with your existing Remote Access solution, because Windows Server
2012 can implement the DirectAccess server behind a NAT device, which is the most common Remote
Access Server (RAS) solution for companies.
Tools
Tool: Express Setup, Remote Access Configuration
Use for: A graphical tool that simplifies the configuration of DirectAccess
Where to find it: Server Manager/Tools
Module 7
Implementing Failover Clustering
Contents:
Module Overview 7-1
Module Overview
Providing high availability is very important for any organization that wants to provide continuous
services to its users. Failover Clustering is one of the main technologies in Windows Server® 2012 that can
provide high availability for various applications and services. In this module, you will learn about Failover
Clustering, Failover Clustering components, and implementation techniques.
Objectives
After completing this module, you will be able to:
• Describe Failover Clustering.
Lesson 1
Overview of Failover Clustering
Failover clusters in Windows Server 2012 provide a high-availability solution for many server roles and
applications. By implementing failover clusters, you can maintain application or service availability if one
or more computers in the failover cluster fail. Before you implement Failover Clustering, you should be
familiar with general high-availability concepts. You must understand clustering terminology and also
how failover clusters work.
Also, it is important to be familiar with new clustering features in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe availability.
• Describe Failover Clustering improvements in Windows Server 2012.
• Describe failover cluster components.
• Define failover and failback.
• Describe failover cluster storage.
• Describe a quorum.
What Is Availability?
Availability refers to a level of service that applications, services, or systems provide, and is
expressed as the percentage of time that a service or system is available. Highly-available systems
have minimal downtime—whether planned or unplanned—and are available more than 99
percent of the time, depending on the needs and the budget of the organization. For example, a
system that is unavailable for 8.75 hours per year would have a 99.9 percent availability rating.
The availability measurement period can also have a significant effect on the definition of availability.
For example, a requirement for 99.9 percent availability over a one-year period allows for 8.75 hours of
downtime, whereas a requirement for 99.9 percent availability over a rolling four-week window allows for
only 40 minutes of downtime per period.
You also have to identify and negotiate planned outages: maintenance activities, service pack updates,
and software updates. These are scheduled outages, and typically are not included as downtime when
calculating the system’s availability. You typically calculate availability based on unplanned outages only.
However, you have to negotiate exactly which planned outages you consider as downtime.
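The availability arithmetic above, as an added example that is not part of the course: one function turns an availability target and a measurement period into a downtime budget, and a second computes the achieved availability from an outage list, counting planned outages only when you decide they are downtime. The outage dates are constructed sample data.

```powershell
# Added example (not from the course): availability budget and achieved availability.

function Get-AllowedDowntime {
    param(
        [Parameter(Mandatory)][double]$AvailabilityPercent,  # e.g. 99.9
        [Parameter(Mandatory)][timespan]$MeasurementPeriod   # e.g. one year, four weeks
    )
    # Downtime budget = (1 - availability) x measurement period
    $fraction = 1 - ($AvailabilityPercent / 100)
    [timespan]::FromTicks([long]($MeasurementPeriod.Ticks * $fraction))
}

function Get-Availability {
    param(
        [Parameter(Mandatory)][timespan]$MeasurementPeriod,
        # Each outage: @{ Start = [datetime]; End = [datetime]; Planned = [bool] }
        [Parameter(Mandatory)][hashtable[]]$Outages,
        # Which planned outages count is a negotiated decision; by default only
        # unplanned outages are counted as downtime.
        [switch]$IncludePlanned
    )
    $counted = $Outages | Where-Object { $IncludePlanned -or -not $_.Planned }
    $down = [timespan]::Zero
    foreach ($o in $counted) { $down += ($o.End - $o.Start) }
    $availability = 100 * (1 - ($down.Ticks / $MeasurementPeriod.Ticks))
    [pscustomobject]@{
        Downtime            = $down
        AvailabilityPercent = [math]::Round($availability, 3)
    }
}

# Constructed sample: one year with a 6-hour unplanned outage and a 4-hour patch window
$year    = [timespan]::FromDays(365)
$outages = @(
    @{ Start = [datetime]'2012-03-10T02:00'; End = [datetime]'2012-03-10T08:00'; Planned = $false },
    @{ Start = [datetime]'2012-06-15T22:00'; End = [datetime]'2012-06-16T02:00'; Planned = $true }
)

Get-AllowedDowntime -AvailabilityPercent 99.9 -MeasurementPeriod $year                       # 08:45:36, i.e. about 8.76 hours
Get-AllowedDowntime -AvailabilityPercent 99.9 -MeasurementPeriod ([timespan]::FromDays(28))  # 00:40:19, i.e. about 40 minutes
Get-Availability -MeasurementPeriod $year -Outages $outages                                   # 99.932 (unplanned only)
Get-Availability -MeasurementPeriod $year -Outages $outages -IncludePlanned                   # 99.886 (patch window counted)
```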
Failover Clustering Improvements in Windows Server 2012
Failover Clustering has not significantly changed since Windows Server 2008 R2. However, there are
some new features and technologies in Windows Server 2012 that help increase scalability and
cluster storage availability, and provide better and easier management and faster failover.
The important new features in Windows Server 2012 Failover Clustering include:
Removed and Deprecated Features
In Windows Server 2012 clustering, some features are removed or deprecated. If you are moving from an
older version of Failover Clustering, you should be aware of these features:
• The Cluster.exe command-line tool is deprecated. However, it can be optionally installed with the
Failover Clustering Tools. Failover Clustering Windows PowerShell cmdlets provide functionality that
is generally the same as Cluster.exe commands.
• The Print Server role is removed from the High Availability Wizard, and it cannot be configured in
Failover Cluster Manager.
• The Add-ClusterPrintServerRole cmdlet is deprecated, and it is not supported in Windows Server
2012.
• Clients. These are computers (or users) that are using the Cluster service.
• Service or application. This is a software entity that is presented to clients and used by clients.
• Witness. This can be a file share or disk which is used to maintain quorum. Ideally the witness should
be located on a network that is both logically and physically separate from those used by the failover
cluster. However, the witness must remain accessible by all cluster node members. The concepts of
quorum and how the witness comes into play will be examined more closely in the coming lessons of
this module.
• Is aware when another node joins or leaves the cluster.
A failover cluster typically defines at least two data communications networks: one network enables the
cluster to communicate with clients, and the second, isolated network enables the cluster node members
to communicate directly with one another. If directly-connected shared storage is not being used, then
a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data
storage network.
Most clustered applications and their associated resources are assigned to one cluster node at a time. The
node that provides access to those cluster resources is the active node. If the nodes detect the failure of
the active node for a clustered application, or if the active node is taken offline for maintenance, the
clustered application is started on another cluster node. To minimize the impact of the failure, client
requests are immediately and transparently redirected to the new cluster node.
What Are Failover and Failback?
Failover transfers the responsibility of providing access to resources in a cluster from one node to
another. Failover can occur when an administrator intentionally moves resources to another node for
maintenance, or when unplanned downtime of one node happens because of hardware failure or
other reasons. Also, service failure on an active node can initiate failover to another node.
A failover attempt consists of the following steps:
1. The Cluster service takes all the resources in the instance offline in an order that is determined by
the instance’s dependency hierarchy. That is, dependent resources first, followed by the resources on
which they depend. For example, if an application depends on a physical disk resource, the Cluster
service takes the application offline first, which enables the application to write changes to the disk
before the disk is taken offline.
When you configure networks in failover clusters, you must also dedicate a network to connect to the
shared storage. If you use iSCSI for the shared storage connection, the network will use an IP-based
Ethernet communications network. However, you should not use this network for node or client
communication. Sharing the iSCSI network in this manner may result in contention and latency issues
for both users and for the resource that is being provided by the cluster.
Though not a best practice, you can use the private and public networks for both client and
node communications. Preferably, you should dedicate an isolated network for the private node
communication. The reasoning for this is similar to using a separate Ethernet network for iSCSI – namely, to
avoid resource bottleneck and contention issues. The public network is configured to allow client
connections to the failover cluster. Although the public network can provide backup for the private
network, a better design practice is to define alternative networks for the primary private and public
networks, or at least team the network interfaces used for these networks.
The networking features in Windows Server 2012–based clusters include the following:
• Internet SCSI (iSCSI). iSCSI is a type of storage area network (SAN) that transmits SCSI commands
over IP networks. Performance is acceptable for most scenarios when 1 gigabit per second (Gbps)
or 10 Gbps Ethernet is used as the physical medium for data transmission. This type of SAN is fairly
inexpensive to implement because no specialized networking hardware is required. In Windows
Server 2012, you can implement iSCSI target software on any server, and present local storage over
an iSCSI interface to clients.
• Fibre channel. Fibre channel SANs typically have better performance than iSCSI SANs, but are much
more expensive. Specialized knowledge and hardware are required to implement a fibre channel SAN.
Storage Requirements
After you choose the type of storage, you should also be aware of the following storage requirements:
• To use the native disk support included in Failover Clustering, use basic disks and not dynamic disks.
• We recommend that you format the partitions with NTFS. For the disk witness, the partition must be
NTFS, because FAT is not supported.
• For the partition style of the disk, you can use either master boot record (MBR) or GUID partition
table (GPT).
• The miniport driver used for the storage must work with the Microsoft Storport storage driver.
Storport offers a higher performance architecture and better Fibre Channel compatibility in Windows
systems.
• You must isolate storage devices. That is, one cluster per device. Servers from different clusters must
be unable to access the same storage devices. In most cases, a logical unit number (LUN) that is used
for one set of cluster servers should be isolated from all other servers through LUN masking or
zoning.
• Consider using multipath I/O software. In a highly-available storage fabric, you can deploy failover
clusters with multiple host bus adapters by using multipath I/O software. This provides the highest
level of redundancy and availability. For Windows Server 2012, your multipath solution must be based
on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific
module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part
of the operating system.
What Is Quorum?
Quorum is the number of elements that must be online for a cluster to continue running. In effect,
each element can cast one vote to determine whether the cluster continues to run. Each cluster
node is an element that has one vote. In case there is an even number of nodes, then an
additional element, which is known as a witness, is assigned to the cluster. The witness element can
be either a disk or a file share. Each voting element contains a copy of the cluster
configuration, and the Cluster service works to keep all copies synchronized at all times.
network, or if data was accessed and written to a target from more than one source at a time. If the
application itself is not damaged, the data could easily become corrupted.
Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster can
calculate the number of votes that are required for the cluster to continue providing failover protection.
If the number of votes drops below the majority, the cluster stops running. That is, it will not provide
failover protection if there is a node failure. Nodes will still listen for the presence of other nodes, in case
another node appears again on the network, but the nodes will not function as a cluster until a majority
consensus or quorum is achieved.
Note: The full functioning of a cluster depends not just on quorum, but on the capacity of
each node to support the services and applications that fail over to that node. For example, a
cluster that has five nodes could still have quorum after two nodes fail, but each remaining
cluster node would continue serving clients only if it has enough capacity (such as disk space,
processing power, network bandwidth, RAM) to support the services and applications that failed
over to it. An important part of the design process is planning each node’s failover capacity. A
failover node must be able to run its own load and also the load of additional resources that
might failover to it.
There are several phases a cluster must complete to achieve quorum. As a given node comes up, it
determines whether there are other cluster members that can be communicated with. This process
may be in progress on multiple nodes at the same time. After communication is established with other
members, the members compare their membership “views” of the cluster until they agree on one view
(based on timestamps and other information). A determination is made whether this collection of
members “has quorum,” that is, whether it has enough members to cast sufficient votes so that a
“split” scenario cannot exist. A “split” scenario means that another set of nodes that are in this cluster are
running on a part of the network inaccessible to these nodes. Therefore, more than one node could be
actively trying to provide access to the same clustered resource. If there are not enough votes to achieve
quorum, the voters (the currently recognized members of the cluster) wait for more members to appear.
After at least the minimum vote total is attained, the Cluster service begins to bring
cluster resources and applications into service. With quorum attained, the cluster becomes fully functional.
Quorum Modes in Windows Server 2012 Failover Clustering
The same quorum modes from Windows Server 2008 are also present in Windows Server 2012. As
before, a majority of votes determines whether a cluster achieves quorum. Nodes can vote, and
where appropriate, either a disk in cluster storage (known as a disk witness) or a file share (known
as a file share witness) can vote. There is also a quorum mode called No Majority: Disk Only,
which functions like the disk-based quorum in Windows Server 2003. Other than that mode,
there is no single point of failure with the quorum modes, because only the number of votes is
important and not whether a particular element is available to vote.
Be aware that, most of the time, it is best to use the quorum mode selected by the cluster software. If you
run the Quorum Configuration Wizard, the quorum mode that the wizard lists as “recommended” is the
quorum mode chosen by the cluster software. We recommend changing the quorum configuration only if
you have determined that the change is appropriate for your cluster.
There are four quorum modes:
• Node Majority. Each node that is available and in communication can vote. The cluster functions only
with a majority of the votes. That is, more than half. This model is preferred when the cluster consists
of an odd number of server nodes (no witness is needed to maintain or achieve quorum).
• Node and Disk Majority. Each node plus a designated disk in the cluster storage, the disk witness, can
vote, when they are available and in communication. The cluster functions only with a majority of the
votes. That is, more than half. This model is based on an even number of server nodes being able to
communicate with one another in the cluster in addition to the disk witness.
• Node and File Share Majority. Each node plus a designated file share created by the administrator,
which is the file share witness, can vote when they are available and in communication. The cluster
functions only with a majority of the votes. That is, more than half. This model is based on an even
number of server nodes being able to communicate with one another in the cluster, in addition to the
file share witness.
In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this
mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are
available. This type of quorum also prevents more than one node from assuming the primary role.
Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all
nodes are still available. In this mode, the quorum-shared disk is a single point of failure, so this
mode is not recommended.
When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically
selects one of two default configurations. By default, Failover Clustering selects:
• Node Majority if there is an odd number of nodes in the cluster.
Modify this setting only if you determine that a change is appropriate for your cluster, and ensure that
you understand the implications of making the change.
In addition to planning your quorum mode, you should also consider the capacity of the nodes in your
cluster, and their ability to support the services and applications that may fail over to that node. For
example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail.
However, if you have several applications or services deployed on the cluster, each remaining cluster
node may not have the capacity to provide services.
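The vote arithmetic of the four quorum modes, and the wizard's default selection, as an added example that is not part of the course: the function reproduces the cases the text walks through (five nodes losing two, four nodes plus a disk witness losing two, and the Disk Only mode losing its disk). The page lists only the odd-node default; treating the even-node default as Node and Disk Majority is this example's assumption.

```powershell
# Added example (not from the course): models the quorum modes described above.

function Get-DefaultQuorumMode {
    param([Parameter(Mandatory)][int]$NodeCount)
    # Wizard default: Node Majority for an odd node count. The even-node default
    # (Node and Disk Majority, when cluster storage is available) is assumed here.
    if ($NodeCount % 2 -eq 1) { 'NodeMajority' } else { 'NodeAndDiskMajority' }
}

function Test-ClusterQuorum {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NodeMajority', 'NodeAndDiskMajority',
                     'NodeAndFileShareMajority', 'NoMajorityDiskOnly')]
        [string]$Mode,
        [Parameter(Mandatory)][int]$TotalNodes,
        [Parameter(Mandatory)][int]$NodesOnline,   # nodes available and in communication
        [bool]$WitnessOnline = $false              # disk or file share witness reachable
    )
    switch ($Mode) {
        'NodeMajority' {
            # Only nodes vote; more than half of all node votes must be online.
            $totalVotes  = $TotalNodes
            $votesOnline = $NodesOnline
            $hasQuorum   = ($votesOnline * 2) -gt $totalVotes
        }
        'NoMajorityDiskOnly' {
            # The quorum-shared disk vetoes everything: disk plus at least one node.
            # With the disk offline the cluster stops even if every node is up.
            $totalVotes  = $TotalNodes + 1
            $votesOnline = $NodesOnline + [int]$WitnessOnline
            $hasQuorum   = $WitnessOnline -and ($NodesOnline -ge 1)
        }
        default {
            # Node and Disk / Node and File Share Majority: the witness adds one vote.
            $totalVotes  = $TotalNodes + 1
            $votesOnline = $NodesOnline + [int]$WitnessOnline
            $hasQuorum   = ($votesOnline * 2) -gt $totalVotes
        }
    }
    [pscustomobject]@{
        Mode        = $Mode
        VotesOnline = $votesOnline
        TotalVotes  = $totalVotes
        HasQuorum   = [bool]$hasQuorum
    }
}

# The cases discussed in the text:
# 5-node cluster, 2 nodes failed -> 3 of 5 votes, still has quorum
Test-ClusterQuorum -Mode (Get-DefaultQuorumMode 5) -TotalNodes 5 -NodesOnline 3
# 4 nodes + disk witness, 2 nodes failed, witness online -> 3 of 5 votes, still has quorum
Test-ClusterQuorum -Mode (Get-DefaultQuorumMode 4) -TotalNodes 4 -NodesOnline 2 -WitnessOnline $true
# Same cluster but the witness is also down -> 2 of 5 votes, no quorum
Test-ClusterQuorum -Mode NodeAndDiskMajority -TotalNodes 4 -NodesOnline 2 -WitnessOnline $false
# Disk Only mode with every node up but the quorum disk unavailable -> no quorum
Test-ClusterQuorum -Mode NoMajorityDiskOnly -TotalNodes 4 -NodesOnline 4 -WitnessOnline $false
```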
What Are Cluster Shared Volumes?
In a classic failover cluster deployment, only a single node at a time controls a LUN on the shared storage. This means that the other nodes cannot "see" shared storage, until each node becomes an active node. CSV is a technology introduced in Windows Server 2008 R2 which enables multiple nodes to concurrently share a single LUN. Each node obtains exclusive access to individual files on the LUN instead of the whole LUN. In other words, CSVs provide a distributed file access solution so that multiple nodes in the cluster can simultaneously access the same NTFS file system.
In Windows Server 2008 R2, CSVs were designed only for hosting virtual machines running on a Hyper-V server in a failover cluster. This enabled administrators to have a single LUN that hosts multiple virtual machines in a failover cluster. Multiple cluster nodes have access to the LUN, but each virtual machine runs only on one node at a time. If the node on which the virtual machine was running fails, CSV lets the virtual machine be restarted on a different node in the failover cluster. Additionally, this provides simplified disk management for hosting virtual machines compared to each virtual machine requiring a separate LUN.
In Windows Server 2012, CSVs have been additionally enhanced. It is now possible to use CSVs for other roles, and not just Hyper-V. For example, you can now configure the file server role in a failover cluster in a Scale-Out File Server scenario. The Scale-Out File Server is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes of the same cluster. In this context, CSVs in Windows Server 2012 introduce support for a read cache, which can significantly improve performance in certain scenarios. Also, a CSV File System (CSVFS) can perform CHKDSK without affecting applications with open handles on the file system.
Other important improvements in Cluster Shared Volumes in Windows Server 2012 are:
• CSVFS benefits. In Disk Management, CSV volumes now appear as CSVFS. However, this is not a new file system. The underlying technology is still the NTFS file system, and CSVFS volumes are still formatted with NTFS. However, because volumes appear as CSVFS, applications can discover that they are running on CSVs, which helps improve compatibility. And because of a single file namespace, all files have the same name and path on any node in a cluster.
• Multisubnet support for CSVs. CSVs have been enhanced to integrate with SMB Multichannel to help
achieve faster throughput for CSV volumes.
• Support for BitLocker drive encryption. Windows Server 2012 supports BitLocker volume encryption for both traditional clustered disks and CSVs. Each node performs decryption by using the computer account for the cluster itself.
• Support for SMB 3.0 storage. CSVs in Windows Server 2012 provide support for SMB 3.0 storage for
Hyper-V and applications such as Microsoft SQL Server.
• Integration with SMB Multichannel and SMB Direct. This allows CSV traffic to stream across multiple
networks in the cluster and to take advantage of network adapters that support Remote Direct
Memory Access (RDMA).
• Integration with the Storage Spaces feature in Windows Server 2012. This can provide virtualized
storage on clusters of inexpensive disks.
• Ability to scan and repair volumes. CSVs in Windows Server 2012 support the ability to scan and repair
volumes with zero offline time.
Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.
As a best practice, you should configure CSV before you make any virtual machines highly available.
However, you can convert from regular disk access to CSV after deployment. The following considerations
apply:
• When you convert from regular disk access to CSV, the LUN’s drive letter or mount point is removed.
This means that you must re-create all virtual machines that are stored on the shared storage. If you
must retain the same virtual machine settings, consider exporting the virtual machines, switching to
CSV, and then importing the virtual machines in Hyper-V.
• You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is
using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
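The procedure above (create volumes on the LUN, add the storage to the cluster, then add it to CSV) together with the "not while in use" consideration, as an added PowerShell example that is not part of the course. The cluster name and the disk name are assumptions.

```powershell
# Added example, not from the course. Adds a new LUN to the cluster and then to
# CSV, refusing the CSV step while the disk is still in use by a role.
# Cluster and disk names are assumptions.
Import-Module FailoverClusters

function Add-DiskToCsv {
    param(
        [string]$Cluster = 'CLUSTER1',
        [Parameter(Mandatory)][string]$DiskName    # e.g. 'Cluster Disk 3'
    )
    # 1. Volumes already created on the LUN and visible to all nodes appear as available disks.
    $available = Get-ClusterAvailableDisk -Cluster $Cluster
    if ($available) { $available | Add-ClusterDisk | Out-Null }

    # 2. Only a disk parked in 'Available Storage' can be converted. A disk owned by
    #    a role (for example one hosting a running VM) is in use and must be freed first.
    $disk = Get-ClusterResource -Cluster $Cluster -Name $DiskName
    if ($disk.OwnerGroup.Name -ne 'Available Storage') {
        throw "$DiskName is in use by role '$($disk.OwnerGroup.Name)'. Shut down its VMs and remove the disk from the role before adding it to CSV."
    }
    if ($disk.State -ne 'Online') { Start-ClusterResource -Cluster $Cluster -Name $DiskName | Out-Null }

    # 3. Convert. The drive letter or mount point is removed; every node reaches the
    #    volume under C:\ClusterStorage\<Volume> from now on, and it reports as CSVFS.
    $csv = Add-ClusterSharedVolume -Cluster $Cluster -Name $DiskName
    $csv.SharedVolumeInfo | Select-Object FriendlyVolumeName, @{n='FileSystem';e={$_.Partition.FileSystem}}
}

# Usage: Add-DiskToCsv -DiskName 'Cluster Disk 3'
```

Because the conversion removes the drive letter, any virtual machine configuration that referenced it is invalidated; as the text says, export the virtual machines before the conversion and import them afterwards if their settings must be preserved.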
Additional Reading:
Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
Storage Spaces Overview
http://technet.microsoft.com/en-us/library/hh831739.aspx
Lesson 2
Implementing a Failover Cluster
Failover clusters in Windows Server 2012 have specific recommended hardware and software configurations that enable Microsoft to support the cluster. Failover clusters are intended to provide a higher level of service than stand-alone servers. Therefore, cluster hardware requirements are frequently stricter than requirements for stand-alone servers.
Lesson Objectives
After completing this lesson, you will be able to:
• Validate and configure a cluster.
Preparing for Implementing Failover Clustering
Before you implement Failover Clustering technology, you must identify services and applications that you want to make highly available. Failover clustering cannot be applied to all applications. Also, you should be aware that Failover Clustering does not provide improved scalability by adding nodes. You can only obtain scalability by scaling up and using more powerful hardware for the individual nodes. Therefore, you should only use Failover Clustering when your goal is high availability, instead of scalability.
Failover clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications. Both IP version 4 (IPv4) and IP version 6 (IPv6) are supported.
The best results for Failover Clustering occur when the client can reconnect to the application automatically after failover. If the client does not reconnect automatically, then the user must restart the client application.
Consider the following guidelines when planning node capacity in a failover cluster:
• Ensure that each node has sufficient idle capacity to service the highly-available services or applications that are allocated to it when another node fails. This idle capacity should be a sufficient buffer to avoid nodes running at near capacity after a failure event. Failure to adequately plan resource utilization can result in a decrease in performance following node failure.
Hardware Requirements for Failover Cluster Implementation
It is very important to make good decisions when you select hardware for cluster nodes. Failover clusters have to satisfy the following criteria to meet availability and support requirements:
• You should install the same or similar hardware on each failover cluster node. For example, if you choose a specific model of network adapter, you should install this adapter on each of the cluster nodes.
• If you are using Serial Attached SCSI or Fiber Channel storage connections, the mass-storage device controllers that are dedicated to the cluster storage should be identical in all clustered servers. They should also use the same firmware version.
Network Requirements for Failover Cluster Implementation
Failover cluster network components must have the Certified for Windows Server 2012 logo and also pass the tests in the Validate a Configuration Wizard. Additionally:
Note: If you connect cluster nodes with a single network, the network passes the redundancy requirement in the Validate a Configuration Wizard. However, the report from the wizard will include a warning that the network should not have single points of failure.
Infrastructure Requirements for Failover Cluster
Failover clusters depend on infrastructure services. Each server node must be in the same Active Directory domain, and if you use Domain Name System (DNS), the nodes should use the same DNS servers for name resolution.
We recommend that you install the same Windows Server 2012 features and roles on each node. Inconsistent configuration on cluster nodes can cause instability and performance issues. In addition, you should not install the AD DS role on any of the cluster nodes because AD DS has its own fault-tolerance mechanism. If you install the AD DS role on one of the nodes, you must install it on all nodes.
You must have the following network infrastructure for a failover cluster:
• Network settings and IP addresses. When you use identical network adapters for a network, also use identical communication settings on those adapters such as speed, duplex mode, flow control, and media type. Also, compare the settings between the network adapter and the switch it connects to, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss might occur, which could adversely affect how the cluster nodes communicate among themselves, with clients, or with storage systems.
• Unique subnets. If you have private networks that are not routed to the rest of the network infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even if you give each network adapter a unique IP address. For example, if you have a cluster node in a central office that uses one physical network, and another node in a branch office that uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This avoids routing loops and other network communications problems if, for example, the segments are accidentally configured into the same collision domain because of incorrect vLAN assignments.
• DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol is a supported configuration.
• Domain role. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server because AD DS inherently includes its own failover protection mechanism.
• Account for administering the cluster. When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has administrator rights and permissions on all servers in that cluster. The account does not have to be a Domain Admins account, but can be a Domain Users account that is in the Administrators group on each clustered server. In addition, if the account is not a Domain Admins account, the account (or the group that the account is a member of) must be given the Create Computer Objects permission in the domain.
In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs in a special context that provides the specific permissions and credentials that are necessary for the service (similar to the local system context, but with reduced credentials). When a failover cluster is created and a corresponding computer object is created in AD DS, that object is configured to prevent accidental deletion. Also, the cluster Network Name resource has additional health check logic, which periodically checks the health and properties of the computer object that represents the Network Name resource.
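Two of the points above in working form, as an added PowerShell example that is not part of the course: granting a non-Domain-Admins group only the Create Computer Objects permission it needs on the OU that will hold the cluster name object (the least-privilege account described in the infrastructure list), and then reading back the accidental-deletion protection that the text says is set on the cluster's computer object. The OU distinguished name, the group name and the cluster name are assumptions; the object-class GUID is the schema GUID of the computer class.

```powershell
# Added example, not from the course. Requires the ActiveDirectory module (RSAT).
# OU, group and cluster names are assumptions.
Import-Module ActiveDirectory

function Grant-CreateComputerObjects {
    # Delegates "Create Computer Objects" on one OU to a group, nothing more.
    param(
        [string]$GroupName = 'ClusterAdmins',                   # assumption
        [string]$OuDn      = 'OU=Clusters,DC=contoso,DC=com'    # assumption
    )
    $group = Get-ADGroup -Identity $GroupName
    $sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
    # schemaIDGUID of the 'computer' class: limits CreateChild to computer objects only.
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl

    # Read the ACL back and return only the ACE that was granted, as confirmation.
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
        $_.ActiveDirectoryRights -eq 'CreateChild' -and
        $_.ObjectType -eq $computerClass
    }
}

function Test-ClusterNameObject {
    # Shows the state of the cluster name object that the Network Name resource
    # health check depends on: it must exist, be enabled and be protected.
    param([string]$ClusterName = 'CLUSTER1')   # assumption
    $cno = Get-ADComputer -Identity $ClusterName -Properties ProtectedFromAccidentalDeletion, whenChanged
    [pscustomobject]@{
        Name                            = $cno.Name
        DistinguishedName               = $cno.DistinguishedName
        Enabled                         = $cno.Enabled
        ProtectedFromAccidentalDeletion = $cno.ProtectedFromAccidentalDeletion
        LastChanged                     = $cno.whenChanged
    }
}

# Usage:
# Grant-CreateComputerObjects -GroupName 'ClusterAdmins' -OuDn 'OU=Clusters,DC=contoso,DC=com'
# Test-ClusterNameObject -ClusterName 'CLUSTER1'
```

Scoping the grant to an OU rather than the domain head, and to the computer class rather than all child objects, is what keeps this a least-privilege delegation; if Test-ClusterNameObject reports Enabled as False or the protection flag as False, the periodic health check on the Network Name resource is the first place the problem will surface.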
Software Requirements for Failover Cluster Implementation
Failover clusters require that each cluster node must run the same edition of Windows Server 2012. The edition can be either Windows Server 2012 Enterprise or Windows Server 2012 Datacenter. The nodes should also have the same software updates and service packs. Depending on the role that will be clustered, a Server Core installation may also meet the software requirements. However, you cannot install Server Core and full editions in the same cluster.
It is also very important that the same version of service packs, or any operating system updates, exist on all nodes that are part of a cluster.
Note: Windows Server 2012 provides Cluster-Aware Updating technology that can help you maintain updates on cluster nodes. This feature will be discussed in more detail in Lesson 4: Maintaining a Failover Cluster.
Each node must run the same processor architecture. This means that each node must have the same processor family, which might be the Intel Xeon processor family with Extended Memory 64 Technology, the AMD Opteron AMD64 family, or the Intel Itanium-based processor family.
Demonstration Steps
1. Start Failover Cluster Manager on the LON-SVR3 machine.
2. Start the Validate Configuration Wizard. Add LON-SVR3 and LON-SVR4 as cluster nodes.
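The software requirements above and the demonstration's validation run, as an added PowerShell example that is not part of the course: the first function compares edition, build, architecture and installed updates across LON-SVR3 and LON-SVR4, and the second runs Test-Cluster, which performs the same tests as the Validate Configuration Wizard. The cluster name and static address in the usage comment are assumptions.

```powershell
# Added example, not from the course. Checks edition, build, architecture and
# installed updates on the demonstration's nodes, then runs cluster validation.
Import-Module FailoverClusters

function Compare-ClusterNodeSoftware {
    param([string[]]$Node = @('LON-SVR3','LON-SVR4'))
    $facts = Invoke-Command -ComputerName $Node -ScriptBlock {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        [pscustomobject]@{
            Node         = $env:COMPUTERNAME
            Edition      = $os.Caption          # must match on every node
            Build        = $os.Version          # service pack / update level
            Architecture = $os.OSArchitecture   # same processor architecture on every node
            # Sorted, joined hotfix list: equal strings mean identical update sets.
            Hotfixes     = (Get-HotFix | Sort-Object HotFixID | ForEach-Object HotFixID) -join ','
        }
    }
    $differences = foreach ($prop in 'Edition','Build','Architecture','Hotfixes') {
        $values = @($facts | ForEach-Object { $_.$prop } | Sort-Object -Unique)
        if ($values.Count -gt 1) {
            [pscustomobject]@{ Property = $prop; Values = ($values -join ' | ') }
        }
    }
    [pscustomobject]@{
        Consistent  = (-not $differences)
        Differences = $differences
        Nodes       = $facts
    }
}

function Invoke-PreCreateValidation {
    param([string[]]$Node = @('LON-SVR3','LON-SVR4'))
    $check = Compare-ClusterNodeSoftware -Node $Node
    if (-not $check.Consistent) {
        $summary = ($check.Differences | ForEach-Object { "$($_.Property)=$($_.Values)" }) -join '; '
        Write-Warning "Nodes differ: $summary"
    }
    # Test-Cluster runs the validation tests and returns the HTML report as a FileInfo.
    $report = Test-Cluster -Node $Node
    Write-Host "Review the validation report before creating the cluster: $($report.FullName)"
    $report
}

# Usage, after the report shows no failed tests (cluster name and address are assumptions):
# Invoke-PreCreateValidation
# New-Cluster -Name CLUSTER1 -Node LON-SVR3,LON-SVR4 -StaticAddress 172.16.0.40
```

A mismatch in Hotfixes is the usual finding on nodes that were built at different times; fixing it before validation avoids a warning in the report and, more importantly, the behaviour differences the text attributes to inconsistent node configuration.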
Lesson 3
Configuring Highly-Available Applications and Services on a Failover Cluster
After you have configured clustering infrastructure, you should configure a specific role or service to be highly available. Not all roles can be clustered. Therefore, you should first identify the resource that you want to put in a cluster and check whether it is supported. In this lesson, you will learn about configuring roles and applications in clusters as well as about configuring cluster settings.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe and identify cluster resources and services.
• Configure a cluster role.
• Describe how to configure cluster properties.
• Describe how to manage cluster nodes.
Identifying Cluster Resources and Services
A clustered service that contains an IP address resource and a network name resource (and other resources) is published to a client on the network under a unique server name. Because this group of resources is displayed as a single logical server to clients, it is called a cluster instance.
• It can be brought online and taken offline.
• It can be managed in a server cluster.
To manage resources, the Cluster service communicates to a resource DLL through a resource monitor. When the Cluster service makes a request of a resource, the resource monitor calls the appropriate entry-point function in the resource DLL to check and control the resource state.
Dependent Resources
A dependent resource is one that requires another resource to operate. For example, a network name must be associated with an IP address. Because of this requirement, a network name resource depends on an IP address resource. Dependent resources are taken offline before the resources upon which they depend are taken offline; similarly, they are brought online after the resources on which they depend are brought online. A resource can specify one or more resources on which it is dependent. Resource dependencies also determine bindings. For example, clients will be bound to the particular IP address that a network name resource depends on.
When you create resource dependencies, consider the fact that, although some dependencies are strictly required, others are not required but are recommended. For example, a file share that is not a Distributed File System (DFS) root has no required dependencies. However, if the disk resource that holds the file share fails, the file share will be inaccessible to users. Therefore, it is logical to make the file share dependent on the disk resource.
The Process for Clustering Server Roles
Failover clustering supports the clustering of several Windows Server roles, such as File Services, DHCP, and Hyper-V. To implement clustering for a server role, or for external applications such as SQL Server or Exchange Server, perform the following procedure:
Demonstration: Clustering a File Server Role
Demonstration Steps
1. Open Failover Cluster Manager and verify that three Cluster Disks are available.
• Configuring new services and applications to work in a cluster – You can implement new services to the cluster.
• Removing a cluster
You can perform most of these administrative tasks by using the Failover Cluster Management console.
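The file server demonstration and the dependent-resources discussion above, combined into one added PowerShell example that is not part of the course: it creates the clustered file server role, adds a share scoped to the role's network name, lists the dependency expression of every resource in the role, and adds the "recommended but not required" dependency of the file server resource on its disk when it is missing. The cluster, role, disk, address, path, share and group names are all assumptions.

```powershell
# Added example, not from the course. Creates the clustered file server role from
# the demonstration and then makes the dependency chain explicit. All names are assumptions.
Import-Module FailoverClusters

function New-ClusteredFileServer {
    param(
        [string]$Cluster  = 'CLUSTER1',
        [string]$RoleName = 'FS-Data',
        [string]$Disk     = 'Cluster Disk 1',
        [string]$Address  = '172.16.0.50',
        [string]$Path     = 'F:\Data',          # folder on the clustered disk (assumed drive letter)
        [string]$Share    = 'Data',
        [string]$Users    = 'CONTOSO\FileUsers'
    )
    # Creates the group with Network Name, IP Address, Physical Disk and File Server
    # resources; the Network Name -> IP Address dependency is created automatically.
    $group = Add-ClusterFileServerRole -Cluster $Cluster -Name $RoleName -Storage $Disk -StaticAddress $Address

    # The share must be created on the node that currently owns the disk, and scoped
    # to the role's network name so that it moves with the role on failover.
    Invoke-Command -ComputerName $group.OwnerNode.Name -ArgumentList $Path,$Share,$RoleName,$Users -ScriptBlock {
        param($p,$s,$scope,$u)
        New-Item -ItemType Directory -Path $p -Force | Out-Null
        New-SmbShare -Name $s -Path $p -ScopeName $scope -FullAccess $u
    }
    $group
}

function Get-RoleDependencyChain {
    # Every resource in the role with the expression it depends on.
    param([string]$Cluster = 'CLUSTER1', [Parameter(Mandatory)][string]$RoleName)
    Get-ClusterResource -Cluster $Cluster |
        Where-Object { $_.OwnerGroup.Name -eq $RoleName } |
        ForEach-Object {
            $dep = Get-ClusterResourceDependency -Cluster $Cluster -Resource $_.Name
            [pscustomobject]@{ Resource = $_.Name; Type = $_.ResourceType.Name; DependsOn = $dep.DependencyExpression }
        }
}

function Add-RecommendedDependency {
    # The "recommended but not required" case: make the file server resource depend on
    # its disk so that it is taken offline before, and brought online after, the disk.
    param([string]$Cluster = 'CLUSTER1', [Parameter(Mandatory)][string]$RoleName, [string]$Disk = 'Cluster Disk 1')
    $fs = Get-ClusterResource -Cluster $Cluster |
          Where-Object { $_.OwnerGroup.Name -eq $RoleName -and $_.ResourceType.Name -eq 'File Server' }
    $current = (Get-ClusterResourceDependency -Cluster $Cluster -Resource $fs.Name).DependencyExpression
    if ($current -notmatch [regex]::Escape($Disk)) {
        Add-ClusterResourceDependency -Cluster $Cluster -Resource $fs.Name -Provider $Disk
    }
    Get-ClusterResourceDependency -Cluster $Cluster -Resource $fs.Name
}

# Usage:
# New-ClusteredFileServer
# Get-RoleDependencyChain -RoleName 'FS-Data' | Format-Table -AutoSize
# Add-RecommendedDependency -RoleName 'FS-Data'
```

Get-ClusterResourceDependencyReport -Group 'FS-Data' produces the same chain as an HTML report, which is the form most useful when documenting the role's bindings.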
Managing Cluster Nodes
Cluster nodes are mandatory for each cluster. After you create a cluster and put it into production, you might have to manage cluster nodes occasionally.
Configuring Application Failover Settings
You can adjust the failover settings, including preferred owners and failback settings, to control how the cluster responds when the application or service fails. You can configure these settings on the property sheet for the clustered service or application (on the General tab or on the Failover tab). The following table provides examples that show how these settings work.
Setting: Example 2: Failover tab, Maximum failures in the specified period: 2; Failover tab, Period (hours): 6
Result: In a six-hour period, if the application or service fails no more than two times, it will be restarted or failed over every time. If the application or service fails a third time in the six-hour period, it will be left in the failed state.
The default value for the maximum number of failures is n-1, where n is the number of nodes. You can change the value, but we recommend a fairly low value so that if multiple node failures occur, the application or service will not be moved between nodes indefinitely.
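The settings in the table, applied to a clustered role from PowerShell as an added example that is not part of the course: FailoverThreshold and FailoverPeriod on the cluster group are the "Maximum failures in the specified period" and "Period (hours)" fields, the n-1 default is computed from the node count when no value is given, and preferred owners and a failback window are set alongside. Cluster, role and node names are assumptions.

```powershell
# Added example, not from the course. Cluster, role and node names are assumptions.
Import-Module FailoverClusters

function Set-RoleFailoverPolicy {
    param(
        [string]$Cluster = 'CLUSTER1',
        [Parameter(Mandatory)][string]$Role,
        [int]$MaxFailures,                     # omitted -> the n-1 default from the text
        [int]$PeriodHours = 6,                 # "Period (hours)"
        [string[]]$PreferredOwners,            # e.g. 'LON-SVR3','LON-SVR4'
        [switch]$FailbackAtNight               # allow failback only in a 22:00-05:00 window
    )
    $group     = Get-ClusterGroup -Cluster $Cluster -Name $Role
    $nodeCount = @(Get-ClusterNode -Cluster $Cluster).Count
    if (-not $PSBoundParameters.ContainsKey('MaxFailures')) { $MaxFailures = $nodeCount - 1 }

    # Example 2 from the table: 2 failures in 6 hours, the third leaves the role failed.
    $group.FailoverThreshold = $MaxFailures    # "Maximum failures in the specified period"
    $group.FailoverPeriod    = $PeriodHours

    if ($PreferredOwners) {
        # Order matters: the cluster tries owners in the order given.
        Set-ClusterOwnerNode -Cluster $Cluster -Group $Role -Owners $PreferredOwners
    }
    if ($FailbackAtNight) {
        $group.AutoFailbackType    = 1    # 0 = prevent failback, 1 = allow failback
        $group.FailbackWindowStart = 22   # hour of day, local time
        $group.FailbackWindowEnd   = 5
    }
    $group | Select-Object Name, FailoverThreshold, FailoverPeriod, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd
}

# Usage: the table's Example 2 on a file server role, preferring LON-SVR3 and failing back at night.
# Set-RoleFailoverPolicy -Role 'FS-Data' -MaxFailures 2 -PeriodHours 6 -PreferredOwners 'LON-SVR3','LON-SVR4' -FailbackAtNight
```

Keeping the threshold low, as the text recommends, is what stops a role with a persistent fault from bouncing between nodes; the failback window keeps the return move out of business hours so that a flapping node does not cause two outages in a row.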
Lesson 4
Maintaining a Failover Cluster
When cluster infrastructure is up and running, it is very important to establish monitoring to prevent possible failures. Also, it is important to have backup and restore procedures for cluster configuration. In Windows Server 2012, there is a new technology that lets you update cluster nodes without downtime. In this lesson, you will learn about monitoring, backup, and restore and about updating cluster nodes.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to monitor failover clusters.
• Describe how to back up and restore cluster configuration.
• Describe how to troubleshoot failover clusters.
• Configure Cluster-Aware Updating.
Monitoring Failover Clusters
Many tools are available to help you monitor failover clusters. You can use standard Windows Server tools, such as the Event Viewer and the Performance and Reliability Monitor snap-in, to review cluster event logs and performance metrics. You can also use Cluster.exe and Tracerpt.exe to export data for analysis. Additionally, you can use the MHTML-formatted cluster configuration reports and the Validate a Configuration Wizard to troubleshoot problems with the cluster configuration and hardware changes.
Event Viewer
When problems arise in the cluster, use the Event Viewer to view events with a Critical, Error, or Warning severity level. Additionally, informational level events are logged to the Failover Clustering Operations log, which can be found in the Event Viewer in the Applications and Services Logs\Microsoft\Windows folder. Informational-level events are usually common cluster operations, such as cluster nodes leaving and joining the cluster, or resources going offline or coming online.
In previous Windows Server versions, event logs were replicated to each node in the cluster. This simplified cluster troubleshooting, because you could review all event logs on a single cluster node. Windows Server 2012 does not replicate the event logs between nodes. However, the Failover Cluster Management snap-in has a Cluster Events option that enables you to view and filter events across all cluster nodes. This feature is helpful in correlating events across cluster nodes.
The Failover Cluster Management snap-in also provides a Recent Cluster Events option that will query all the Error and Warning events from all the cluster nodes in the last 24 hours.
You can access additional logs, such as the Debug and Analytic logs, in the Event Viewer. To display these logs, modify the view on the top menu by selecting the Show Analytic and Debug Logs options.
Windows Event Tracing
Windows event tracing is a kernel component that is available early after startup, and late into shutdown. It is designed to allow for fast tracing and delivery of events to trace files and to consumers. Because it is designed to be fast, it enables only basic in-process filtering of events based on event attributes.
The event trace log contains a comprehensive accounting of the failover cluster actions. Depending on how you want to view the data, use either Cluster.exe or Tracerpt.exe to access the information in the event trace log.
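The two monitoring sources just described, the event logs and the event trace log, as an added PowerShell example that is not part of the course. The first function rebuilds the "Recent Cluster Events" view (Critical, Error and Warning events from every node in the last 24 hours) with Get-WinEvent, since Windows Server 2012 no longer replicates event logs between nodes; the second exports the event trace log as text with Get-ClusterLog, which is the PowerShell route to the same data Cluster.exe and Tracerpt.exe expose. The cluster name and destination folder are assumptions.

```powershell
# Added example, not from the course. Cluster name and destination folder are assumptions.
Import-Module FailoverClusters

function Get-RecentClusterEvents {
    param(
        [string]$Cluster = 'CLUSTER1',
        [int]$Hours      = 24,
        [int[]]$Level    = @(1,2,3)   # 1 = Critical, 2 = Error, 3 = Warning
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-ClusterNode -Cluster $Cluster | Where-Object { $_.State -eq 'Up' } | ForEach-Object {
        $node = $_.Name
        # Critical/Error/Warning cluster events are written to the System log by the
        # FailoverClustering provider; the Operational log holds the informational ones.
        Get-WinEvent -ComputerName $node -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-FailoverClustering'
            Level        = $Level
            StartTime    = $since
        } | Select-Object @{n='Node';e={$node}}, TimeCreated, Id, LevelDisplayName, Message
    } | Sort-Object TimeCreated -Descending
}

function Export-ClusterTraceLog {
    param(
        [string]$Cluster     = 'CLUSTER1',
        [string]$Destination = 'C:\ClusterLogs',
        [int]$Minutes        = 60
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # Writes <node>_cluster.log for each node, covering the last $Minutes minutes,
    # with timestamps in local time so they line up with the event log output above.
    Get-ClusterLog -Cluster $Cluster -Destination $Destination -TimeSpan $Minutes -UseLocalTime
}

# Usage:
# Get-RecentClusterEvents | Format-Table Node, TimeCreated, Id, LevelDisplayName -AutoSize
# Export-ClusterTraceLog
```

Because the events are pulled from every node and sorted on one timeline, a resource failing on one node followed by the same role coming online on another appears as consecutive lines, which is the correlation the text says the Cluster Events view is for.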
Performance and Reliability Monitor Snap-In
The Performance and Reliability Monitor snap-in lets you:
• Trend application failures and stability on each node. You can pinpoint when application failures occur and match the application failures with other events on the node.
• Modify trace log settings. You can start, stop, and adjust trace logs, including their size and location.
Backing Up and Restoring Failover Cluster Configuration
Cluster configuration can be a time-consuming process with many details, and so backup of cluster configuration is very important. You can perform backup and restore of cluster configuration with Windows Server Backup or a third-party backup tool.
When you back up the cluster configuration, be aware of the following:
Windows Server Backup is the built-in backup and recovery software for Windows Server 2012. To complete a successful backup, consider the following:
• If application data must be backed up, the disks that you store the data on must be made available to the backup software. You can achieve this by running the backup software from the cluster node that owns the disk resource, or by running a backup against the clustered resource over the network.
Restoring a Cluster
There are two types of restore:
Troubleshooting Failover Clusters
Although cluster validation implemented in Windows Server 2012 Failover Clustering prevents misconfigurations and non-working clusters, in some cases, you have to perform cluster troubleshooting.
To troubleshoot a failover cluster, follow these guidelines:
• Review cluster events and trace logs to identify application or hardware issues that might cause an unstable cluster.
• Review hardware events and logs to help pinpoint specific hardware components that might cause an unstable cluster.
• Review SAN components, switches, adapters, and storage controllers to help identify any potential problems.
When troubleshooting failover clusters, you must:
• Identify the scope of the problem so that you can understand what is being affected by the problem, and what impact that effect has on the application and the clients.
• Collect information so that you can accurately understand and pinpoint the possible problem. After you identify a list of possible problems, you can prioritize them by probability, or the impact of a repair. If the problem cannot be pinpointed, you should attempt to re-create the problem.
Troubleshooting Group and Resource Failures
To troubleshoot group and resource failures:
What Is Cluster-Aware Updating?
Applying operating system updates to nodes in a cluster requires special attention. If you want to provide zero downtime for a clustered role, you must manually update cluster nodes one after another, and you must manually move resources from the node being updated to another node. This procedure can be very time-consuming. In Windows Server 2012, Microsoft has implemented a new feature for automatic update of cluster nodes.
Cluster-Aware Updating (CAU) is a feature that lets administrators automatically update cluster nodes with little or no loss in availability during the update process. During an update procedure, CAU transparently takes each cluster node offline, installs the updates and any dependent updates, performs a restart if necessary, brings the node back online, and then moves to update the next node in a cluster.
• Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or
Windows 8, is called and configured as an orchestrator. To configure a computer as a CAU
orchestrator, you must install Failover Clustering administrative tools on it. The orchestrator computer
is not a member of the cluster that is updated during the procedure. From the orchestrator computer,
the administrator triggers on-demand updating by using a default or custom Updating Run profile.
Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for
clusters that are running on Server Core installations of Windows Server 2012.
• Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover
cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does
not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a
default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process
starts on the node that currently owns the CAU clustered role, and the process sequentially performs
updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by
using a fully automated, end-to-end updating process. An administrator can also trigger updates on-
demand in this mode, or use the remote-updating approach if desired. In the self-updating mode, an
administrator can access summary information about an Updating Run in progress by connecting to
the cluster and running the Get-CauRun Windows PowerShell cmdlet.
To use CAU, you must install the Failover Clustering feature in Windows Server 2012 and create a failover
cluster. The components that support CAU functionality are automatically installed on each cluster node.
You must also install the CAU tools, which are included in the Failover Clustering Tools (which are also
part of the Remote Server Administration Tools, or RSAT). The CAU tools consist of the CAU UI and the
CAU Windows PowerShell cmdlets. The Failover Clustering Tools are installed by default on each cluster
node when you install the Failover Clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8 and that has network connectivity
to the failover cluster.
4. Preview updates that are available for nodes LON-SVR3 and LON-SVR4.
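The manual procedure and the two CAU modes described above, as an added PowerShell example that is not part of the course: the first function performs by hand what the text says an administrator had to do before CAU (drain the node, update it, restart, resume with failback); the second previews pending updates with Invoke-CauScan, which is what the demonstration step does, and then starts a remote-updating run; the third registers the self-updating clustered role and shows Get-CauRun for progress. Cluster and node names are assumptions, and the patch installation step is a placeholder.

```powershell
# Added example, not from the course. Cluster and node names are assumptions.
Import-Module FailoverClusters
Import-Module ClusterAwareUpdating

function Update-ClusterNodeManually {
    param([string]$Cluster = 'CLUSTER1', [Parameter(Mandatory)][string]$Node)
    # 1. Move every role off the node (live migration for VMs) and pause the node.
    Suspend-ClusterNode -Cluster $Cluster -Name $Node -Drain -Wait | Out-Null
    # 2. Apply updates with your patch tooling here (placeholder), then restart
    #    and wait until remoting is back.
    Restart-Computer -ComputerName $Node -Wait -For PowerShell -Force
    # 3. Bring the node back and return the roles it owned before the drain.
    Resume-ClusterNode -Cluster $Cluster -Name $Node -Failback Immediate
}

function Invoke-CauPreviewAndRun {
    # Remote-updating mode: run this from an orchestrator that is not a cluster member
    # and has the Failover Clustering Tools installed.
    param([string]$Cluster = 'CLUSTER1')
    # Preview (demonstration step 4): the updates each node would receive, nothing changed.
    $pending = Invoke-CauScan -ClusterName $Cluster
    $pending | Format-Table -AutoSize
    if (-not $pending) { Write-Host 'All nodes are current.'; return }
    # Stop at the first node that fails, and refuse to start unless every node is online,
    # so a run never takes the cluster below the capacity planned for one node down.
    Invoke-CauRun -ClusterName $Cluster -MaxFailedNodes 0 -MaxRetriesPerNode 1 -RequireAllNodesOnline -Force
}

function Enable-CauSelfUpdating {
    # Self-updating mode: the CAU clustered role runs the Updating Run on a schedule
    # from whichever node owns the role; no orchestrator computer is needed.
    param([string]$Cluster = 'CLUSTER1')
    Add-CauClusterRole -ClusterName $Cluster -DaysOfWeek Sunday -WeeksOfMonth 2 `
        -MaxFailedNodes 0 -MaxRetriesPerNode 1 -EnableFirewallRules -Force
    # Summary of a run in progress, in either mode:
    Get-CauRun -ClusterName $Cluster
}

# Usage:
# Update-ClusterNodeManually -Node 'LON-SVR3'
# Invoke-CauPreviewAndRun
# Enable-CauSelfUpdating
```

The MaxFailedNodes and RequireAllNodesOnline settings are the part worth thinking about: CAU only keeps the workload available if the nodes that remain up can carry it, so an Updating Run that tolerates failed nodes on a cluster already sized for one node down is a run that can take the role offline.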
Lesson 5
Implementing a Multi-Site Failover Cluster
In some scenarios, you have to deploy cluster nodes on different sites. Usually, you do this when you build disaster-recovery solutions. In this lesson, you will learn about deploying multi-site clusters.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to choose a quorum mode for multi-site clusters.
What Is a Multi-Site Cluster?
A multi-site cluster provides highly-available services in more than one location. Multi-site clusters can solve several specific problems. However, they also present specific challenges.
In a multi-site cluster, each site usually has a separate storage system with replication between the sites. Multi-site cluster storage replication enables each site to be independent, and provides fast access to the local disk. With separate storage systems, you cannot share a single disk between sites.
Because of increased cost and complexity of a multi-site failover cluster, it might not be an ideal solution for every application or business. When you are considering whether to deploy a multi-site cluster, you should evaluate the importance of the applications to the business, the type of applications, and any alternative solutions. Some applications can provide multi-site redundancy easily with log shipping or other processes, and can still achieve sufficient availability with only a modest increase in cost and complexity.
The complexity of a multi-site cluster requires better architectural and hardware planning. It also requires you to develop business processes to routinely test the cluster functionality.
Synchronous and Asynchronous Replication
It is not possible for a geographically-dispersed failover cluster to use shared storage between physical locations. Wide area network (WAN) links are too slow and have too much latency to support shared storage. Geographically-dispersed failover clusters must synchronize data between locations by using specialized hardware. Multi-site data replication can be either synchronous or asynchronous:
• When you use synchronous replication, the host receives a "write complete" response from the primary storage after the data is written successfully on both storage systems. If the data is not written successfully to both storage systems, the application must attempt to write to the disk again. With synchronous replication, both storage systems are identical.
• When you use asynchronous replication, the node receives a write complete response from the storage after the data is written successfully on the primary storage. The data is written to the secondary storage on a different schedule, depending on the hardware or software vendor's implementation. Asynchronous replication can be storage-based, host-based, or even application-based. However, not all forms of asynchronous replication are sufficient for a multi-site cluster. For example, Distributed File System Replication (DFS-R) provides file-level asynchronous replication. However, it does not support multi-site Failover Clustering replication. This is because DFS-R replicates smaller documents that are not held open continuously. Therefore, it was not designed for high-speed, open-file replication.
When to Use Synchronous or Asynchronous Replication
Use synchronous replication when data loss cannot be tolerated. Synchronous replication solutions
require low disk-write latency, because the application waits for both storage solutions to acknowledge
the data writes. The requirement for low-latency disk writes also limits the distance between the storage
systems, because increased distance causes higher latency. If the disk latency is high, the performance
and even the stability of the application can be affected.
Asynchronous replication overcomes latency and distance limitations by acknowledging local disk writes
only, and by reproducing the disk write on the remote storage system in a separate transaction. Because
asynchronous replication writes to the remote storage system after it writes to the local storage system,
the possibility of data loss during a failure is increased.
Choosing a Quorum Mode for Multi-Site Clusters
For a geographically-dispersed cluster, you cannot use quorum configurations that require a shared disk,
because geographically-dispersed clusters do not use shared disks. Both the Node and Disk Majority and the
No Majority: Disk Only quorum modes require a shared witness disk to provide a vote for determining
quorum. You should only use these two quorum modes if the hardware vendor specifically recommends and
supports them.
To use the Node and Disk Majority and No Majority: Disk Only modes in a multi-site cluster, the shared disk
requires that:
• You preserve the semantics of the SCSI commands across the sites, even if a complete communication
failure occurs between sites.
• You replicate the witness disk in real-time synchronous mode across all sites.
If there is an odd number of nodes, use the Node Majority quorum. If there is an even number of nodes,
which is typical in a geographically-dispersed cluster, use the Node and File Share Majority quorum.
If you are using Node Majority and the sites lose communication, you need a mechanism to determine
which nodes stay up, and which nodes drop out of cluster membership. The second site requires another
vote to obtain quorum after a failure. To obtain another vote for quorum, you must join another node to
the cluster, or create a file share witness.
The Node and File Share Majority mode can help maintain quorum without adding another node to the
cluster. To provide for a single-site failure and enable automatic failover, the file share witness might have
to exist at a third site. In a multi-site cluster, a single server can host the file share witness. However, you
must create a separate file share for each cluster.
There must be direct network connectivity between all three locations. In this manner, if one site becomes
unavailable, the two remaining sites can still communicate and have enough nodes for a quorum.
Note: In Windows Server 2008 R2, administrators could configure the quorum to include
nodes. However, if the quorum configuration included nodes, all nodes were treated equally
according to their votes. In Windows Server 2012, cluster quorum settings can be adjusted so
that when the cluster determines whether it has quorum, some nodes have a vote and some do
not. This adjustment can be useful when solutions are implemented across multiple sites.
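The following Windows PowerShell script is an added example, not part of the course text, showing how the quorum choices above are applied with the FailoverClusters module on Windows Server 2012. The cluster name ADATUM-CL1, the node names (LON-SVR3 and LON-SVR4 in the primary site, TOR-SVR1 and TOR-SVR2 in the secondary site), and the witness share \\WIT-SRV1\ADATUM-CL1-Witness on a third site are assumptions for illustration.

```powershell
# Added example: configure Node and File Share Majority and per-node votes on a
# two-site cluster. All names are assumptions.
Import-Module FailoverClusters

$cluster = 'ADATUM-CL1'
$witness = '\\WIT-SRV1\ADATUM-CL1-Witness'   # one dedicated share per cluster

# The witness server must not be a cluster node, and the share must grant the
# cluster name object (ADATUM-CL1$) Full Control at both the share and NTFS level.
# Four nodes split 2+2 is an even count, so a file share witness supplies the
# tie-breaking vote instead of a shared witness disk.
Set-ClusterQuorum -Cluster $cluster -NodeAndFileShareMajority $witness | Out-Null

# Windows Server 2012 lets you remove a node's vote. Removing both secondary-site
# votes makes the primary site always win a WAN partition (2 nodes + witness = 3
# votes, all in reach of the primary site), at the price that the secondary site
# cannot take over automatically and needs a forced quorum if the primary is lost.
foreach ($node in 'TOR-SVR1', 'TOR-SVR2') {
    (Get-ClusterNode -Cluster $cluster -Name $node).NodeWeight = 0
}

# Verify the result: quorum type, witness resource, and which nodes still vote
Get-ClusterQuorum -Cluster $cluster | Format-List QuorumType, QuorumResource
Get-ClusterNode -Cluster $cluster |
    Select-Object Name, State, NodeWeight, DynamicWeight |
    Format-Table -AutoSize

# Sanity check before relying on it: node votes plus the witness should be odd
$votes = (Get-ClusterNode -Cluster $cluster | Measure-Object -Property NodeWeight -Sum).Sum + 1
if ($votes % 2 -eq 0) { Write-Warning "Even vote count ($votes); revisit NodeWeight or the witness." }
```

Whichever weighting you choose, test it by cutting the inter-site link in a maintenance window and confirming that exactly one site keeps the cluster online; a quorum design that has only been reasoned about, not exercised, is the routine-testing gap the preceding section warns about.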
Challenges for Implementing a Multi-Site Cluster
Implementation of multi-site clusters is more complex than implementation of single-site clusters, and can
also present several challenges to the administrator. The most important challenges when you implement
multi-site clusters are related to storage and network.
Deployment Considerations for a Multi-Site Cluster
Multi-site clusters are not appropriate for every application or every business. When you design a
multi-site solution with a hardware vendor, clearly identify the business requirements and expectations.
Not every scenario that involves more than one location is appropriate for a multi-site cluster.
Multi-site clusters do require more overhead than local clusters. Unlike a local cluster, in which each node
of the cluster is attached to the same mass storage device, each site of a multi-site cluster must have
comparable storage. In addition, you will also have to work with vendors to set up your data replication
schemes between cluster sites, possibly pay for additional network bandwidth between sites, and develop
the management resources within your organization to efficiently administer your multi-site cluster.
Additionally, carefully consider the quorum mode that you will use, and the location of the available
cluster votes.
Objectives
After completing this lab, you will be able to:
• Configure a failover cluster.
Lab Setup
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.
7. On LON-SVR4, open Disk Management, and bring online and initialize the three new disks.
4. Review report.
Results: After this exercise, you will have installed and configured the Failover Clustering feature.
3. In the Storage node, click Disks and verify that three cluster disks are online.
2. Start the New Share Wizard and add a new shared folder to the AdatumFS cluster role.
Results: After this exercise, you will have configured a highly-available file server.
2. Validate the failover and quorum configuration for the File Server role.
3. On LON-SVR3, in the Failover Cluster Manager, move AdatumFS to the second node.
4. On LON-DC1, in Windows Explorer, verify that you can still access \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, determine the current owner for the AdatumFS role.
2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to another node and that the \\AdatumFS\ location is still
available.
4. Start the Cluster service on the node in which you stopped it in step 2.
5. Browse to the Disks node, and take the disk witness offline.
Results: After this exercise, you will have tested the failover scenarios.
3. Connect to Cluster1.
2. After the process is complete, configure self-updating for Cluster1, to be performed weekly, on
Sundays at 4 A.M.
Results: After this exercise, you will have configured Cluster-Aware Updating.
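The lab tasks above can be driven from Windows PowerShell instead of Failover Cluster Manager. The script below is an added example, not part of the lab; it assumes the lab's cluster name Cluster1 and role name AdatumFS, and assumes a share named Data under \\AdatumFS (the lab only names the UNC root).

```powershell
# Added example: the failover validation and Cluster-Aware Updating (CAU) steps of
# the lab, scripted. Cluster1 and AdatumFS come from the lab; \\AdatumFS\Data is assumed.
Import-Module FailoverClusters
$cluster = 'Cluster1'
$role    = 'AdatumFS'
$share   = '\\AdatumFS\Data'

function Wait-RoleOnline {
    # Poll until the clustered role reports Online, or give up after the timeout
    param([string]$Name, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 2
        $g = Get-ClusterGroup -Cluster $cluster -Name $Name
    } until ($g.State -eq 'Online' -or (Get-Date) -gt $deadline)
    if ($g.State -ne 'Online') { throw "$Name did not come online within $TimeoutSec s" }
    return $g
}

# Task 1: who owns the role now, then a planned move to the other node
$owner = (Get-ClusterGroup -Cluster $cluster -Name $role).OwnerNode.Name
"Current owner: $owner"
Move-ClusterGroup -Cluster $cluster -Name $role | Out-Null
$g = Wait-RoleOnline $role
"After planned move: owner=$($g.OwnerNode.Name) share reachable=$(Test-Path $share)"

# Task 2: simulate an unplanned failure by stopping the Cluster service on the owner
$owner = $g.OwnerNode.Name
Stop-ClusterNode -Cluster $cluster -Name $owner | Out-Null
$g = Wait-RoleOnline $role
if ($g.OwnerNode.Name -eq $owner) { throw 'Role did not fail over' }
"After node stop: owner=$($g.OwnerNode.Name) share reachable=$(Test-Path $share)"
Start-ClusterNode -Cluster $cluster -Name $owner | Out-Null

# Task 2, step 5: take the disk witness offline; with two voting nodes the cluster
# must still hold quorum. The witness disk lives in the core 'Cluster Group'.
Get-ClusterResource -Cluster $cluster |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Cluster Group' } |
    Stop-ClusterResource | Out-Null
Get-ClusterQuorum -Cluster $cluster | Format-List QuorumType, QuorumResource

# CAU self-updating: weekly, Sunday 04:00, orchestrated by the CAU clustered role
Add-CauClusterRole -ClusterName $cluster -DaysOfWeek Sunday -IntervalWeeks 1 `
    -StartDate '2012-09-02 04:00' -Force
Get-CauClusterRole -ClusterName $cluster
```

Stopping the Cluster service on the owner is a more honest failover test than a planned move, because the role is recovered by the surviving node rather than handed over cleanly; keep the Test-Path result from both steps as evidence that clients never lost the share.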
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Question: What is the main difference between synchronous and asynchronous replication
in a multi-site cluster scenario?
Best Practices
• Avoid using a quorum model that depends on a disk only.
• Use Cluster Shared Volumes for Hyper-V high availability or a Scale-Out File Server.
• Be sure that, if one node fails, the other nodes can handle the load.
Tools
The tools for implementing failover clustering include:
• Windows PowerShell
• Server Manager
• iSCSI initiator
• Disk Management
Module 8
Implementing Hyper-V
Contents:
Module Overview
Module Overview
Although server virtualization was deployed rarely on corporate networks only a decade ago, today it is a
core networking technology. Server administrators must be able to distinguish which server workloads
might run effectively in virtual machines and which need to remain in a traditional, physical deployment.
This module introduces you to the new features of the Hyper-V® role, the components of the role, and
the best practices for deploying the role.
Objectives
After completing this module, you will be able to:
• Configure Hyper-V servers.
Lesson 1
Configuring Hyper-V Servers
The Hyper-V role has undergone a substantial change in Windows Server® 2012. New features, such as
network utilization and Resource Metering, provide you with the ability to manage virtual machines
effectively with Hyper-V version 3.0. In this lesson, you will learn about the new features in Hyper-V, as
well as Hyper-V Integration Services and the factors that you need to consider when you are configuring
Hyper-V hosts.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Hyper-V Integration Services.
• Describe the best practices for configuring Hyper-V hosts.
What's New in Hyper-V 3.0?
The Hyper-V role first became available after the release of Windows Server 2008. New features were
added to the role, both in Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1 (SP1).
Hyper-V in Windows Server 2012, also known as Hyper-V 3.0, includes the following major improvements:
• Hyper-V PowerShell support
• Memory improvements
Virtual Machine Replication
You can use Hyper-V Replica to perform asynchronous replication of important virtual machines from a
host server to a replica server; because the replication is asynchronous, the replica can lag behind the
primary by up to one replication interval. In the event that the host server fails, you can configure failover
to the replica server. For more information on Hyper-V Replica, visit Module 9: Implementing Failover
Clustering with Hyper-V.
Hyper-V PowerShell support
Windows Server 2012 introduces extensive Windows PowerShell® support for Hyper-V through the
Hyper-V PowerShell module. You can manage all aspects of Hyper-V, including creating virtual hard disks,
virtual switches, and virtual machines.
Memory Improvements
Dynamic memory is a feature that lets virtual machine memory be allocated as necessary, rather than
as a fixed amount. For example, rather than setting a virtual machine with a fixed 4 gigabytes (GB) of
memory, which Hyper-V allocates to the virtual machine, an administrator can use dynamic memory to
allocate a minimum and maximum amount. In this scenario, the virtual machine requests only what it
needs. Although Windows Server 2008 R2 SP1 included the ability for virtual machines to use dynamic
memory, you had to shut down the virtual machine before you could adjust these settings. Hyper-V 3.0
enables administrators to adjust dynamic memory settings on virtual machines that are running. You can
use smart paging to configure startup memory, which differs from the minimum and maximum memory
allocations. When you use smart paging, the Hyper-V host uses memory paging to ensure that a virtual
machine can start when there are not enough memory resources available to support startup, but enough
to support the virtual machine's minimum memory allocation.
• Resource Metering. Resource Metering allows administrators to track resource utilization of individual
virtual machines. You can enable resource metering on a per-virtual machine basis. Use PowerShell to
perform resource-metering operations.
• Virtual Fibre Channel. Virtual Fibre Channel enables virtual machines to use a virtual Fibre Channel
host bus adapter (HBA) to connect to Fibre Channel resources on storage area networks (SANs). To
use Virtual Fibre Channel, the host Hyper-V server must have a compatible Fibre Channel HBA.
• Live migration without shared storage. Hyper-V 3.0 supports live migration of virtual machines
between Hyper-V hosts, without requiring access to shared storage. For more information on live
migration, visit Module 9: Implementing Failover Clustering with Hyper-V.
• New virtual hard disk format. Hyper-V 3.0 introduces the VHDX format. This disk format supports
larger virtual hard disks. It also includes a format that minimizes the chances of data loss during
unexpected power outages.
• Server Message Block 3.0 (SMB 3.0) storage. Hyper-V 3.0 virtual machines can use virtual hard disks
stored on normal shared folders, as long as the folders are hosted on a server that supports the SMB
3.0 protocol.
• Network virtualization. Network virtualization enables virtual machines to retain a static IP address
configuration when migrated to different Hyper-V hosts.
Prerequisites for Installing Hyper-V
Hyper-V on Windows Server 2012 requires that the host computer has an x64 processor which supports
Second Level Address Translation (SLAT). SLAT is a special technology that allows a processor to address
memory more efficiently. The server that hosts the Hyper-V role needs a minimum of 4 GB of RAM. A
virtual machine hosted on Hyper-V in Windows Server 2012 can support a maximum of 1 terabyte of RAM
and up to 32 virtual processors.
• The server must have enough memory to support the memory requirements of all of the virtual
machines that must run concurrently. The server also must have enough memory to run the host
Windows Server 2012 operating system.
Demonstration: Configuring Hyper-V Settings
It is necessary to start a traditionally deployed server to run this demonstration because you cannot run
Hyper-V from within a virtual machine.
Demonstration Steps
1. Log on to LON-HOST1.
2. Open the Hyper-V Manager console.
o Virtual Machines
o Physical GPUs
o NUMA Spanning
Hyper-V Integration Services
Hyper-V Integration Services are a series of services that you can use with supported virtual-machine
guest operating systems. Supported operating systems can use Integration Services components and
functionality like Small Computer System Interface (SCSI) adapters and synthetic network adapters.
The virtual-machine guest operating systems that Hyper-V supports include:
• Windows Home Server 2011
• Windows MultiPoint Server 2011
• Windows Small Business Server 2011
• CentOS 6.0-6.2
• CentOS 5.5-5.7
• Windows XP with Service Pack 3
You can enable the following virtual-machine integration components:
Best Practices for Configuring Hyper-V Hosts
There are several best practices that you should consider when provisioning Windows Server 2012 to
function as a Hyper-V host:
• Manage Hyper-V remotely
• Run Hyper-V by using the Server Core configuration
Provision the Host with Adequate Hardware
Perhaps the most important best practice is to ensure that the Hyper-V host is provisioned with adequate
hardware. You should ensure that there is appropriate processing capacity, an appropriate amount of
RAM, and fast and redundant storage. You should ensure that the Hyper-V host is provisioned with
multiple network cards that you configure as a team. If the Hyper-V host is not provisioned adequately
with hardware, this has an effect on the performance of all virtual machines that are hosted on the server.
Deploy Virtual Machines on Separate Disks
You should use separate disks to host virtual-machine files rather than having virtual-machine files
stored on the same disk as the host operating-system files. This minimizes contention and ensures that
read/write operations occurring on virtual machine files do not conflict with read/write operations
occurring at the host operating-system level. It also minimizes the chance that the virtual-machine
hard disks will grow to consume all available space on the operating-system volume. Performance
considerations are lessened if you deploy to a disk that uses striping, such as a RAID 1+0 array. If you are
using shared storage, you can provision multiple virtual machines on the same Logical Unit Number (LUN)
if you utilize Cluster Shared Volumes. However, choosing between separate LUNs for each virtual machine
or a shared LUN depends heavily on virtual machine workload and SAN hardware.
The second reason to run the Hyper-V server in the Server Core configuration is that Server Core requires
fewer software updates, which in turn means fewer reboots. When you restart a Hyper-V host, all virtual
machines that the server hosts become unavailable while it is unavailable. Because a Hyper-V host can
host many critical servers as virtual machines, you want to ensure that you minimize downtime.
You can use Resource Metering, a new feature of Hyper-V 3.0, to monitor how hosted virtual machines
utilize server resources. You can use Resource Metering to determine if specific virtual machines are using
a disproportionate amount of a host server's resources. If the performance characteristics of one virtual
machine are having a deleterious effect on the performance of other virtual machines hosted on the same
server, you should consider migrating that virtual machine to another Hyper-V host.
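The following script is an added example, not part of the course text. It ties together three items from the "What's New in Hyper-V 3.0?" list, the Hyper-V PowerShell module, dynamic memory that can be changed while the virtual machine runs, and Resource Metering as described in the paragraph above, to find a virtual machine that is taking a disproportionate share of the host. The virtual machine name LON-TEST1, the switch name Private-Lab, and the D:\Hyper-V path are assumptions.

```powershell
# Added example: build a VM from PowerShell, tune dynamic memory while it runs, and
# use Resource Metering to spot a noisy neighbour. Names and paths are assumptions.
Import-Module Hyper-V
$vm     = 'LON-TEST1'
$switch = 'Private-Lab'
$vhd    = "D:\Hyper-V\Virtual Hard Disks\$vm.vhdx"

if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switch -SwitchType Private | Out-Null   # VM-to-VM only, no host or LAN access
}
New-VHD -Path $vhd -SizeBytes 60GB -Dynamic | Out-Null
New-VM -Name $vm -MemoryStartupBytes 1GB -VHDPath $vhd -SwitchName $switch | Out-Null

# Dynamic memory: starts with 1 GB, can balloon down to 512 MB and up to 4 GB
Set-VMMemory -VMName $vm -DynamicMemoryEnabled $true `
    -MinimumBytes 512MB -StartupBytes 1GB -MaximumBytes 4GB
Start-VM -Name $vm

# Hyper-V 3.0: the maximum can be raised without shutting the VM down
Set-VMMemory -VMName $vm -MaximumBytes 8GB
Get-VMMemory -VMName $vm | Select-Object VMName, DynamicMemoryEnabled, Minimum, Startup, Maximum

# Resource Metering is enabled per VM and accumulates until reset; meter every VM so
# that one can be compared against the rest of the host
Get-VM | Enable-VMResourceMetering
Start-Sleep -Seconds 300                      # let some usage accumulate
$usage = Get-VM | Measure-VM
$usage | Sort-Object AverageProcessorUsage -Descending |
    Select-Object VMName, AverageProcessorUsage, AverageMemoryUsage, MaximumMemoryUsage, TotalDiskAllocation |
    Format-Table -AutoSize

# Flag any VM averaging more than half of the CPU measured across all VMs
$total = ($usage | Measure-Object -Property AverageProcessorUsage -Sum).Sum
$usage | Where-Object { $total -gt 0 -and ($_.AverageProcessorUsage / $total) -gt 0.5 } | ForEach-Object {
    $pct = [int](100 * $_.AverageProcessorUsage / $total)
    Write-Warning "$($_.VMName) consumes $pct% of measured CPU; consider migrating it to another host."
}
# Reset-VMResourceMetering -VMName $vm   # start a fresh measurement window when needed
```

Because metering counters only reset when you tell them to, a sudden jump in one virtual machine's share between two runs is as interesting as a high absolute value: it is how a compromised or runaway guest shows up before users complain about its neighbours.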
Additional Reading: 7 Best Practices for Physical Servers Hosting Hyper-V Roles
http://technet.microsoft.com/en-us/magazine/dd744830.aspx
Lesson 2
Configuring Hyper-V Storage
Hyper-V provides many different virtual machine storage options. If you know which option is appropriate
for a given situation, you can ensure that a virtual machine performs well. But if you do not understand
the different virtual-machine storage options, you may end up deploying virtual hard disks that consume
unnecessary space or that place an unnecessary performance burden on the host Hyper-V server.
This lesson describes the different virtual hard disk types, the different virtual hard disk formats, and the
benefits and limitations of using virtual machine snapshots.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the properties of virtual hard disks in Hyper-V 3.0.
• Select a virtual hard disk type.
• Determine where to deploy virtual hard disks.
Comparing VHDX and VHD
Virtual hard disks use the .vhd extension. Windows Server 2012 introduces the new VHDX format for
virtual hard disks. In comparison to the VHD format that was used in Hyper-V on Windows Server 2008
and Windows Server 2008 R2, the VHDX format has the following benefits:
If you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows
Server 2012, you can convert an existing VHD file to VHDX format by using the Edit Disk tool. It also is
possible to convert from VHDX format to VHD.
Additional Reading: Hyper-V Virtual Hard Disk Format Overview
http://technet.microsoft.com/en-us/library/hh831446.aspx
Disk Types
When you configure a virtual hard disk, you can choose one of the following disk types:
• Fixed
• Dynamic
• Pass-through
• Differencing
o Copy the contents of a specified physical disk. You can use this option to replicate an existing
physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the
disk that you have replicated. Replicating an existing physical hard disk does not alter data on the
existing disk.
o Copy the contents of a specified virtual hard disk. You can use this option to create a new fixed
hard disk based on the contents of an existing virtual hard disk.
You can create a new fixed hard disk by using the New-VHD Windows PowerShell cmdlet with the -Fixed
parameter.
Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes or on SSDs. Hyper-V improvements, since it was first introduced in Windows Server
2008, also minimize performance differences between dynamic and fixed virtual hard disks.
Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and it grows as necessary. For example, if you create
a new virtual machine, and specify a dynamic disk, only a small amount of disk space is allocated to the
new disk.
As storage is allocated, such as when you deploy the operating system, the dynamic hard disk grows. If
you delete files from a dynamically expanding virtual hard disk, the virtual hard-disk file does not shrink.
You can only shrink a dynamically expanding virtual hard-disk file by performing a shrink operation.
Creating a dynamically expanding virtual hard disk is similar to creating a fixed disk. In the New Virtual
Hard Disk Wizard, on the Choose Disk Type page, select Dynamically expanding size instead of Fixed.
You can create a new dynamic hard disk by using the New-VHD Windows PowerShell cmdlet with the -
Dynamic parameter.
Pass-Through Disks
Virtual machines use pass-through disks to access a physical disk drive directly, rather than using a virtual
hard disk. You can use pass-through disks to connect a virtual machine directly to an Internet SCSI (iSCSI)
LUN. When you use pass-through disks, the virtual machine must have exclusive access to the target disk.
To achieve this, you must use the host's Disk Management console to take the disk offline. After the disk is
offline, you can connect it to one of the virtual machine's disk controllers.
2. Use the Hyper-V Manager console to edit an existing virtual machine's properties.
3. Click an Integrated Drive Electronics (IDE) or SCSI controller, click Add, and then click Hard Drive.
4. In the Hard Drive dialog box, select Physical Hard Disk. In the drop-down list, select the disk that
you want to use as the pass-through disk.
Note: You do not have to shut down a virtual machine if you connect the pass-through
disk to a virtual machine's SCSI controller. However, if you want to connect to a virtual machine's
IDE controller, it is necessary to shut down the virtual machine.
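The same pass-through procedure, taking the disk offline on the host and attaching it to the SCSI controller of a running virtual machine, as an added Windows PowerShell example that is not part of the course. The virtual machine name LON-GUEST1 and physical disk number 2 are assumptions; confirm the number with Get-Disk before running it.

```powershell
# Added example: attach a physical disk as a pass-through disk to a running VM's
# SCSI controller. LON-GUEST1 and disk number 2 are assumptions.
Import-Module Hyper-V
$vm         = 'LON-GUEST1'
$diskNumber = 2

$disk = Get-Disk -Number $diskNumber
# Never hand the host's own boot or system disk to a guest
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $diskNumber is the host boot/system disk" }
# The guest needs exclusive access, so the host must release the disk by taking it offline
if (-not $disk.IsOffline) { Set-Disk -Number $diskNumber -IsOffline $true }

# A SCSI controller can take the disk while the VM runs; adding the controller
# itself, or attaching to IDE, requires the VM to be off
if (-not (Get-VMScsiController -VMName $vm)) {
    if ((Get-VM -Name $vm).State -ne 'Off') { throw "$vm has no SCSI controller; stop it first" }
    Add-VMScsiController -VMName $vm
}
Add-VMHardDiskDrive -VMName $vm -ControllerType SCSI -ControllerNumber 0 -DiskNumber $diskNumber

# Verify: the new entry has a DiskNumber and no Path, unlike a VHD-backed drive
Get-VMHardDiskDrive -VMName $vm |
    Select-Object ControllerType, ControllerNumber, ControllerLocation, Path, DiskNumber
```

Two caveats a practitioner should weigh before choosing pass-through: the guest sees raw blocks, so nothing on the host can snapshot or inspect that disk, and the VM can no longer be checkpointed while the pass-through disk is attached.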
Differencing disks
Differencing disks record the changes made to a parent disk. You can use differencing disks to reduce
the amount of hard disk space that virtual hard disks consume, but that comes at the cost of disk
performance. Differencing disks work well with SSD drives where there is limited space available on the
drive and the performance of the disk compensates for the performance drawbacks of using a differencing
disk.
You can reconnect a differencing disk to the parent by using the Inspect Disk tool, available in the Actions
pane of the Hyper-V Manager console. You also can use the Inspect Disk tool to locate a differencing
disk's parent disk.
You can create a differencing disk with the New-VHD cmdlet by supplying the parent path:
    New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd
Converting Disks
From time to time, it is necessary to perform maintenance operations on virtual hard disks. You can
perform the following maintenance operations on virtual hard disks:
• Convert the disk from fixed to dynamic.
• Convert the disk from dynamic to fixed.
• Convert a virtual hard disk in VHD format to VHDX.
• Convert a virtual hard disk in VHDX format to VHD.
When you convert a hard disk, the contents of the existing virtual hard disk are copied to a new virtual
hard disk that has the properties that you have chosen. To convert a virtual hard disk, perform the
following steps:
1. In the Actions pane of the Hyper-V Manager console, click Edit Disk.
2. On the Before You Begin page of the Edit Virtual Hard Disk Wizard, click Next.
3. On the Local Virtual Hard Disk page, click Browse. Select the virtual hard disk that you wish to
convert.
4. On the Choose Action page, select Convert, and then click Next.
5. On the Convert Virtual Hard Disk page, select VHD or VHDX format. By default, the current disk
format is selected. Click Next.
6. If you want to convert the disk from fixed to dynamic or dynamic to fixed, on the Convert Virtual
Hard Disk page, select Fixed Size or Dynamically Expanding. If you want to convert the hard disk
type, choose the appropriate type, and then click Next.
7. On the Configure Disk page, select the destination location for the disk, click Next, and then click
Finish.
You can compact a dynamic virtual hard disk that is not taking up all the space that is allocated to it. For
example, a dynamic virtual hard disk might be 60 GB on the parent volume, but only use 20 GB of that
space. You compact a virtual hard disk by choosing the Compact option in the Edit Virtual Hard Disk Wizard.
You cannot compact fixed virtual hard disks. You must convert a fixed virtual hard disk to dynamic before
you can compact the disk. In Windows PowerShell, the Optimize-VHD cmdlet compacts a dynamically
expanding virtual hard disk file, and the Resize-VHD cmdlet changes a disk's maximum size. Reducing the
maximum size is supported for VHDX files only, and you must first shrink the partition inside the guest
(for example, with Resize-Partition) so that it fits within the new size.
You also can use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically
expanding and fixed virtual hard disks.
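The disk types, the VHD-to-VHDX conversion described under "Comparing VHDX and VHD", and the compact and resize operations above, as one added Windows PowerShell example that is not part of the course. The folder D:\Hyper-V\Virtual Hard Disks and all file names are assumptions.

```powershell
# Added example: create each virtual hard disk type, convert VHD to VHDX, compact,
# resize, re-parent a differencing disk and inspect the results. Paths are assumptions.
Import-Module Hyper-V
$base = 'D:\Hyper-V\Virtual Hard Disks'
New-Item -ItemType Directory -Path "$base\Base" -Force | Out-Null

# Fixed: all 20 GB allocated now (no growth surprises, best sequential I/O)
New-VHD -Path "$base\fixed.vhdx" -SizeBytes 20GB -Fixed | Out-Null
# Dynamic, in the older VHD format: a small file that grows towards its 60 GB maximum
New-VHD -Path "$base\dynamic.vhd" -SizeBytes 60GB -Dynamic | Out-Null
# Differencing: the child records only the changes made to the parent (same format required)
New-VHD -Path "$base\parent.vhdx" -SizeBytes 40GB -Dynamic | Out-Null
New-VHD -Path "$base\child.vhdx" -ParentPath "$base\parent.vhdx" -Differencing | Out-Null

# A parent must never change once a child depends on it; make it read-only
Set-ItemProperty -Path "$base\parent.vhdx" -Name IsReadOnly -Value $true

# VHD -> VHDX; changing -VHDType here would also switch dynamic <-> fixed in one step
Convert-VHD -Path "$base\dynamic.vhd" -DestinationPath "$base\dynamic.vhdx" -VHDType Dynamic -DeleteSource

# Compact: reclaim space freed inside the guest; the disk must not be attached to a running VM
Optimize-VHD -Path "$base\dynamic.vhdx" -Mode Full

# Expand the maximum size (fixed or dynamic); shrinking is VHDX-only and needs the
# guest partition shrunk first
Resize-VHD -Path "$base\dynamic.vhdx" -SizeBytes 80GB

# Move the parent and reconnect the child (the GUI equivalent is the Inspect Disk tool)
Move-Item -Path "$base\parent.vhdx" -Destination "$base\Base\parent.vhdx"
Set-VHD -Path "$base\child.vhdx" -ParentPath "$base\Base\parent.vhdx"

# Inspect: type, format, parent chain and the real on-disk size of every file
Get-ChildItem -Path "$base\*.vhd*" | ForEach-Object { Get-VHD -Path $_.FullName } |
    Select-Object @{n='File';   e={ Split-Path $_.Path -Leaf }},
                  VhdFormat, VhdType,
                  @{n='MaxGB';  e={ $_.Size / 1GB }},
                  @{n='FileGB'; e={ [math]::Round($_.FileSize / 1GB, 2) }},
                  @{n='Parent'; e={ if ($_.ParentPath) { Split-Path $_.ParentPath -Leaf } }} |
    Format-Table -AutoSize
```

The read-only flag on the parent is the step most often skipped: a parent that is booted or edited after children exist silently corrupts every child, and Get-VHD on the child is the quickest way to confirm the chain is still intact after a move.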
Demonstration Steps
1. Use Windows Explorer to create the following folders on the physical host drive:
Note: The drive letter may depend upon the number of drives on the physical host
machine.
2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Name: LON-GUEST1.vhd
    New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd"
    -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.
Location Considerations of Virtual Hard Disks
A key factor when provisioning virtual machines is ensuring that virtual hard disks are placed correctly.
Virtual hard-disk performance can affect virtual machine performance dramatically. Servers that are
otherwise well provisioned with RAM and processor capacity can still experience bad performance if the
storage system is overwhelmed.
• High-performance connection to the storage
• Redundant storage
The volume that the virtual hard-disk files are stored on should be fault-tolerant. This should apply if
the virtual hard disk is stored on a local disk or a remote SAN device. It is not uncommon for hard
disks to fail. Therefore, the virtual machine and the Hyper-V host should remain in operation after a
disk failure. Replacement of failed disks also should not affect the operation of the Hyper-V host or
virtual machines.
• High-performance storage
The storage device on which you store virtual hard-disk files should have excellent I/O characteristics.
Many enterprises use SSD hybrid drives in RAID 1+0 arrays to achieve maximum performance and
redundancy. Multiple virtual machines that are running simultaneously on the same storage can place
a tremendous I/O burden on a disk subsystem. Therefore, you need to ensure that you choose high-
performance storage. If you do not, virtual machine performance suffers.
If you have configured virtual hard disks to grow automatically, ensure that there is adequate space
into which the files can grow. Also, carefully monitor growth so that you are not shocked when a
virtual hard disk fills the volume that you allocated to host it. If you configure virtual hard disks to
grow automatically, place each virtual machine's virtual hard disk on a separate volume. This way, the
virtual hard disks of multiple virtual machines are not affected if the volume's capacity is exceeded.
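Monitoring growth, as the paragraph above recommends, is easy to automate. The script below is an added example, not part of the course; it runs on the local Hyper-V host, assumes nothing beyond what Hyper-V reports, and answers the practical question: could the dynamically expanding and differencing disks on each volume grow past the free space that volume has left?

```powershell
# Added example: per-volume report of how much the growable VHDs could still expand
# versus the free space available, so that a filling volume is caught early.
Import-Module Hyper-V

$rows = foreach ($drive in (Get-VM | Get-VMHardDiskDrive)) {
    if (-not $drive.Path) { continue }                 # pass-through disk: nothing to grow
    $vhd = Get-VHD -Path $drive.Path
    # Fixed disks are fully allocated; anything else may grow up to its maximum size
    $headroom = if ($vhd.VhdType -eq 'Fixed') { 0 } else { $vhd.Size - $vhd.FileSize }
    $root = if ($drive.Path -like '\\*') {
                '\\' + ((($drive.Path -split '\\')[2..3]) -join '\')   # \\server\share
            } else {
                $drive.Path.Substring(0, 2)                             # D:
            }
    [pscustomobject]@{
        VM       = $drive.VMName
        File     = $drive.Path
        Type     = $vhd.VhdType
        Root     = $root
        Headroom = $headroom                           # bytes this file may still grow
    }
}

# Aggregate per volume: several growing disks on one volume compete for the same space
$report = $rows | Group-Object -Property Root | ForEach-Object {
    $root = $_.Name
    $free = if ($root -like '\\*') { $null }           # SMB share: ask the file server instead
            else { (Get-Volume -DriveLetter $root[0]).SizeRemaining }
    $need = ($_.Group | Measure-Object -Property Headroom -Sum).Sum
    [pscustomobject]@{
        Volume          = $root
        Disks           = $_.Count
        PotentialGrowGB = [math]::Round($need / 1GB, 1)
        FreeGB          = if ($null -ne $free) { [math]::Round($free / 1GB, 1) } else { 'n/a' }
        Status          = if ($null -eq $free) { 'check share' }
                          elseif ($need -gt $free) { 'CAN OVERFILL' }
                          else { 'ok' }
    }
}
$report | Format-Table -AutoSize

# The individual disks with the most room to grow, largest first
$rows | Where-Object Headroom -gt 0 | Sort-Object Headroom -Descending |
    Select-Object VM, Type, @{n='GrowGB'; e={ [math]::Round($_.Headroom / 1GB, 1) }}, File |
    Format-Table -AutoSize
```

A CAN OVERFILL status is not an emergency by itself, but it is exactly the condition the text warns about: when it appears, either move one of the disks to its own volume or convert the largest one to fixed so that its allocation is decided now rather than at the worst possible moment.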
Storage on SMB 3 File Shares
Hyper-V supports storing virtual machine data, such as virtual-machine configuration files, snapshots,
and virtual hard-disk files, on SMB 3 file shares.
Snapshot Management in Hyper-V
A snapshot is an important technology that provides administrators with the ability to capture the state
of a virtual machine at a specific point in time. You can take snapshots when a virtual machine is shut
down or running. However, when you take a snapshot of a virtual machine that is running, the snapshot
includes the contents of the virtual machine's memory.
Taking a Snapshot
You can take a snapshot on the Actions pane of the Virtual Machine Connection window or in the
Hyper-V Manager console. Each virtual machine can have a maximum of 50 snapshots.
Avhd files
When you create a snapshot, Hyper-V writes avhd files that store the data that differentiates the snapshot
from either the previous snapshot or the parent virtual hard disk. When you delete snapshots, this data is
discarded or merged into the previous snapshot or parent virtual hard disk. For example, if you delete the
most recent snapshot of a virtual machine, the data is discarded. If you delete the second to last snapshot
taken of a virtual machine, the data is merged so that the earlier and latter snapshot states of the virtual
machine retain their integrity.
Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time that
the snapshot was taken. Reverting to a snapshot does not delete any existing snapshots. If you revert to a
snapshot after making a configuration change, you are prompted to take a snapshot. It only is necessary
to create a new snapshot if you want to return to that current configuration.
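The snapshot lifecycle above (take, list, stay under the 50-snapshot limit, revert) from the Hyper-V PowerShell module, as an added example that is not part of the course. The virtual machine name LON-GUEST1 is an assumption.

```powershell
# Added example: snapshot lifecycle from PowerShell. LON-GUEST1 is an assumption.
Import-Module Hyper-V
$vm = 'LON-GUEST1'

# A snapshot of a running VM also captures guest memory (credentials, keys and
# session tokens in RAM). Shut the guest down first if the saved state must not
# hold secrets; the .avhd and saved-state files then only need disk-level protection.
$wasRunning = (Get-VM -Name $vm).State -eq 'Running'
if ($wasRunning) { Stop-VM -Name $vm }       # clean guest shutdown via Integration Services
Checkpoint-VM -Name $vm -SnapshotName "Before patching $(Get-Date -Format 'yyyy-MM-dd HHmm')"
if ($wasRunning) { Start-VM -Name $vm }

# The snapshots form a tree: each avhd holds the delta from its parent snapshot
Get-VMSnapshot -VMName $vm |
    Select-Object Name, CreationTime, ParentSnapshotName |
    Format-Table -AutoSize

# Stay well under the 50-snapshot limit: remove the oldest ones, whose data is
# merged into their parent rather than lost
$snaps = @(Get-VMSnapshot -VMName $vm | Sort-Object CreationTime)
if ($snaps.Count -gt 45) {
    $snaps | Select-Object -First ($snaps.Count - 45) | Remove-VMSnapshot
}

# Revert to the snapshot taken above; the other snapshots are kept
$target = Get-VMSnapshot -VMName $vm | Where-Object Name -like 'Before patching*' |
          Sort-Object CreationTime | Select-Object -Last 1
Restore-VMSnapshot -VMSnapshot $target -Confirm:$false

# Reverting rolls the guest back in time: it reintroduces the old patch level and,
# for a domain member, the machine account password the guest had at snapshot time
Get-VM -Name $vm | Select-Object Name, State, ParentSnapshotName
```

Treat a reverted domain-joined guest as something that may have to be re-joined, and treat the snapshot files themselves as sensitive as the guest's disks: a memory-bearing snapshot copied off the host is a full image of whatever the guest had in RAM.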
You can deploy up to four virtual Fibre Channel adapters to each virtual machine.
Additional Reading: Hyper-V Virtual Fibre Channel Overview
http://technet.microsoft.com/en-us/library/hh831413.aspx
Lesson 3
Configuring Hyper-V Networking
Hyper-V provides several different options for allowing network communication between virtual
machines. You can use Hyper-V to configure virtual machines that communicate with an external network
in a manner similar to physical hosts that you deploy traditionally. You also can use Hyper-V to configure
virtual machines that are able to communicate only with a limited number of other virtual machines
hosted on the same Windows Server 2012 Hyper-V host. This lesson describes the various options
available for Hyper-V virtual networks, which you can leverage to best meet your organization's needs.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe the new features in Hyper-V nettworking.
• Describe virtu
ual switches.
• Configure a public
p and privvate switch.
• work virtualization.
Describe netw
What's New in Hyper-V Networking?
There are several new features in Hyper-V 3.0 networking that improve the network performance of a
large number of virtual machines in private and public cloud environments. In most cases, you should use
the default settings in small scale deployments.
• IP security (IPsec) task offloading. This feature requires that the guest operating system and network
adapter are supported. This feature enables the host's network adapter to perform calculation-
intensive security-association tasks. If sufficient hardware resources are not available, the guest
operating system performs these tasks. You can configure a maximum number of offloaded security
associations between a range of one and 4,096. This feature is supported only on synthetic network
adapters.
What Is a Hyper-V Virtual Switch?
Virtual switches are virtual devices that you can manage through the Virtual Switch Manager, which
enables you to create three types of virtual switches. The virtual switches control how the network traffic
flows between virtual machines hosted on the Hyper-V server, as well as how the network traffic flows
between virtual machines and the rest of the organizational network.
Type Description
You can configure the following extensions for each virtual switch type:
• Microsoft Network Driver Interface Specification (NDIS) Capture. This extension allows the capture of
data travelling across the virtual switch.
Demonstration: Configuring Hyper-V Networking
In this demonstration, you will see how to create two types of virtual network switches.
Demonstration Steps
1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network
switch with the following properties:
o Name: Corporate Network
What Is Network Virtualization?
You can use network virtualization to isolate virtual machines from different organizations, even if they
share the same Hyper-V host. For example, you might be providing an Infrastructure as a Service (IaaS) to
competing businesses. You can use network virtualization to go beyond assigning these virtual machines
to separate VLANs as a way of isolating network traffic.
Network virtualization is a technology that you would deploy primarily in scenarios where you use
Hyper-V to host virtual machines for third-party organizations. Network virtualization has the advantage
that you can configure all network isolation on the Hyper-V host. With VLANs, it also is necessary to
configure switches with the appropriate VLAN IDs.
When you configure network virtualization, each guest virtual machine has two IP addresses, which work
as follows:
• Customer IP address. The customer assigns this IP address to the virtual machine. You can configure
this IP address so that communication with the customer's internal network can occur even though
the virtual machine might be hosted on a Hyper-V server that is connected to a separate public IP
network. Using the ipconfig command on the virtual machine shows the customer IP address.
You manage network virtualization by using PowerShell cmdlets. All Network Virtualization cmdlets are in
the NetWNV PowerShell module. Tenants gain access to virtual machines that take advantage of network
virtualization through routing and remote access. They make a tunneled connection from their network
through to the virtualized network on the Hyper-V server.
Best Practices for Configuring Virtual Networks
Best practices with respect to configuring virtual networks typically revolve around ensuring that virtual
machines are provisioned with adequate bandwidth. You do not want to have the performance on all
virtual machines affected if a bandwidth-intensive operation, such as a large file copy or website traffic
spike, occurs on one virtual machine on the same host.
The following general best practices apply to configuring virtual networks:
• Considerations for bandwidth management. You can use bandwidth management to allocate a
minimum and a maximum bandwidth allocation on a per-virtual-network adapter basis. You should
configure bandwidth allocation to guarantee that each virtual machine has a minimum bandwidth
allocation. This ensures that if another virtual machine hosted on the same Hyper-V server
experiences a traffic spike, other virtual machines are able to communicate with the network
normally.
• Considerations for Virtual Machine Queue. You should provision the Hyper-V host with an adapter
that supports Virtual Machine Queue. Virtual Machine Queue uses hardware-packet filtering to
deliver network traffic directly to the virtual machine. This improves performance because the packet
does not need to be copied from the host operating system to the virtual machine. When you do not
configure virtual machines to support Virtual Machine Queue, the host operating system can become
a bottleneck when it processes large amounts of network traffic.
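The bandwidth-management practice above, as an added example that is not part of the course material: it applies a guaranteed minimum and a hard maximum to each virtual machine's network adapter and then checks that the sum of the guarantees fits the physical link. The switch name "Corporate Network" and the VM names LON-GUEST1 and LON-GUEST2 come from the demonstrations in this module; the host NIC name "Ethernet" and the bandwidth figures are assumptions.

```powershell
# Added example: per-VM bandwidth floors and ceilings with the Hyper-V module.
Import-Module Hyper-V

$switchName = 'Corporate Network'   # name used in the networking demonstration
$hostNic    = 'Ethernet'            # assumption: physical NIC bound to the switch

# Minimum-bandwidth guarantees require a switch created with a
# MinimumBandwidthMode other than None. Absolute mode is expressed in bits/s.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -NetAdapterName $hostNic `
                 -MinimumBandwidthMode Absolute -AllowManagementOS $true
}

# Constructed policy (bits per second): a floor every VM is guaranteed and a
# cap that stops one VM's file copy or traffic spike from taking the link.
$policy = @{
    'LON-GUEST1' = @{ Min = 100000000; Max = 1000000000 }  # 100 Mbit/s floor, 1 Gbit/s cap
    'LON-GUEST2' = @{ Min =  50000000; Max =  500000000 }  #  50 Mbit/s floor, 500 Mbit/s cap
}

foreach ($vmName in $policy.Keys) {
    $adapter = Get-VMNetworkAdapter -VMName $vmName | Select-Object -First 1
    Connect-VMNetworkAdapter -VMNetworkAdapter $adapter -SwitchName $switchName
    Set-VMNetworkAdapter -VMNetworkAdapter $adapter `
        -MinimumBandwidthAbsolute $policy[$vmName].Min `
        -MaximumBandwidth        $policy[$vmName].Max
}

# Read back what the host stored for each adapter.
$adapters = Get-VMNetworkAdapter -VMName @($policy.Keys)
$adapters | Format-Table VMName, SwitchName,
    @{ n = 'MinMbps'; e = { $_.BandwidthSetting.MinimumBandwidthAbsolute / 1000000 } },
    @{ n = 'MaxMbps'; e = { $_.BandwidthSetting.MaximumBandwidth / 1000000 } }

# Sanity check: guarantees that together exceed the link speed cannot all be
# honoured at once, so the "minimum" would be meaningless under load.
$totalMin  = ($adapters | ForEach-Object { $_.BandwidthSetting.MinimumBandwidthAbsolute } |
              Measure-Object -Sum).Sum
$linkSpeed = (Get-NetAdapter -Name $hostNic).Speed   # bits per second
if ($totalMin -gt $linkSpeed) {
    Write-Warning "Guaranteed minimums ($totalMin bit/s) exceed link speed ($linkSpeed bit/s) on $hostNic"
}
```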
Lesson 4
Configuring Hyper-V Virtual Machines
When planning a server-virtualization strategy, you need to know what you can and cannot accomplish
when you are using Windows Server 2012 as a virtual machine host.
In this lesson, you will learn about Hyper-V, the hardware requirements required for deploying Hyper-V
on a computer running Windows Server 2012, the different components of a virtual machine, and the
benefits of virtual machine Integration Services. You also will learn how to measure virtual machine
resource use with Windows PowerShell cmdlets.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the hardware and management options in virtual machine settings.
• Describe how dynamic memory works in Hyper-V.
Overview of Virtual Machine Settings
Virtual machine settings are grouped into two general areas: Hardware and Management.
Hardware
Virtual machines use simulated hardware. The hypervisor uses this virtual hardware to mediate access to
actual hardware. For example, you can map a virtual network adapter to a virtual network that, in turn,
maps to an actual network interface.
Virtual machines have the following hardware, by default:
• Processor. You can allocate processor resources to the virtual machine. You can allocate up to 32
virtual processors to a single virtual machine.
• SCSI Controller. You can use SCSI controllers only on virtual machines that you deploy with operating
systems that support Integration Services.
• Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual-machine guest operating systems.
• COM port. A COM port enables connections to a simulated serial port on the virtual machine.
• Diskette Drive. You can map a .vhd floppy disk image to a virtual diskette drive.
You can add the following hardware to a virtual machine by editing the virtual machine's properties, and
clicking on Add Hardware:
• SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.
• Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters.
• Legacy network adapter. Legacy network adapters allow network adapters to be used with operating
systems that do not support Integration Services. You also can use legacy network adapters to allow
network deployment of operating-system images. A single virtual machine can have up to four legacy
network adapters.
• Fibre Channel Adapter. Allows a virtual machine to connect directly to a Fibre Channel SAN. This
requires that the Hyper-V host have a Fibre Channel HBA that also has a Windows Server 2012 driver
that supports Virtual Fibre Channel.
• RemoteFX 3D Adapter. The RemoteFX 3D Adapter allows virtual machines to take advantage of
DirectX and graphics processing power on the host Windows Server 2012 server to display high
performance graphics.
Management
You can use Management settings to configure how the virtual machine behaves on the Hyper-V host.
You can configure the following virtual-machine management settings:
• Name. You can use this setting to configure the virtual machine's name on the Hyper-V host. This
does not alter the virtual machine's hostname.
• Integration Services. You can use this setting to configure which virtual-machine integration settings
are enabled.
• Snapshot File Location. You can use this setting to specify a location for storing virtual-machine
snapshots.
• Smart Paging File Location. The location used when smart paging is required to start the virtual
machine.
• Automatic Start Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is powered on.
• Automatic Stop Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is gracefully shut down.
How Dynamic Memory Works in Hyper-V
In the first release of Hyper-V with Windows Server 2008, virtual machines only could be assigned a static
amount of memory. Unless you took special precautions to measure the precise amount of memory that a
virtual machine requires, you were likely to under-allocate or over-allocate memory.
Windows Server 2008 R2 SP1 introduced dynamic memory, which you can use to allocate a minimum
amount of memory to a virtual machine. You then can allow the virtual machine to request additional
memory, as necessary.
Rather than attempting to guess how much memory a virtual machine requires, dynamic memory allows
you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a
minimum value, which will always be allocated to the virtual machine. You can choose a maximum value,
which the virtual machine will not exceed, even if more memory is requested. Virtual machines must
support Hyper-V Integration Services to be able to use dynamic memory.
Smart Paging
Another new memory feature available in Windows Server 2012 is smart paging. Smart paging provides
a solution to the problem of minimum memory allocation, as it relates to virtual machine startup. Virtual
machines can require more memory during startup than they would require during normal operation.
In the past, it was necessary to allocate the minimum required for startup to ensure that startup occurred
even though that value could be more than the virtual machine needed during normal operation.
Smart paging uses disk paging for additional temporary memory when additional memory beyond the
minimum allocated is required to restart a virtual machine. This provides you with the ability to allocate
a minimum amount of memory based on the amount needed when the virtual machine is operating
normally, rather than the amount required during startup. One drawback of smart paging is a decrease
in performance during virtual-machine restarts.
You can configure virtual machine memory by using the Set-VMMemory Windows PowerShell cmdlet.
Additional Reading: Hyper-V Dynamic Memory
http://technet.microsoft.com/en-us/library/hh831766.aspx
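The dynamic memory and smart paging settings described above, applied with Set-VMMemory as an added example that is not part of the course material. It assumes a virtual machine named LON-GUEST1 (the name used in the demonstrations) whose guest runs Integration Services; the memory values and the smart paging path D:\SmartPaging are assumptions.

```powershell
# Added example: configure dynamic memory with a startup value above the
# minimum, place the smart paging file, and read back the effective settings.
Import-Module Hyper-V

$vmName = 'LON-GUEST1'
$vm = Get-VM -Name $vmName

# Apply the change only while the VM is off, so the example works regardless
# of which individual values a given host allows you to change at run time.
if ($vm.State -ne 'Off') {
    throw "$vmName is $($vm.State); stop it before changing its memory configuration."
}

# Constraint enforced by Hyper-V: Minimum <= Startup <= Maximum.
$memory = @{
    VMName               = $vmName
    DynamicMemoryEnabled = $true
    StartupBytes         = 1024MB   # assigned while the guest boots
    MinimumBytes         = 512MB    # floor once the guest reports low demand
    MaximumBytes         = 4096MB   # ceiling even if the guest asks for more
    Buffer               = 20       # percent of headroom kept above reported demand
    Priority             = 50       # relative weight when the host runs short of RAM
}
Set-VMMemory @memory

# Smart paging covers the gap between MinimumBytes and StartupBytes when the
# host cannot find that RAM at restart; give the file a known location.
Set-VM -Name $vmName -SmartPagingFilePath 'D:\SmartPaging'   # path is an assumption

# Read back what the host actually stored.
Get-VMMemory -VMName $vmName |
    Format-List DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer, Priority

# Once the guest is running, compare what it asks for with what it was given.
Start-VM -Name $vmName
Start-Sleep -Seconds 60
Get-VM -Name $vmName |
    Format-Table Name, State, MemoryAssigned, MemoryDemand, MemoryStatus
```

MemoryDemand and MemoryAssigned only carry values once Integration Services in the guest report back, which is the dependency the section above calls out.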
Demonstration: Creating a Virtual Machine
In this demonstration, you will see how to create a virtual machine by using the traditional method of
using the Hyper-V Manager console. You also will see how you can automate the process by using
Windows PowerShell.
Demonstration Steps
1. Use the Hyper-V Manager console to create a virtual machine with the following properties:
o Name: LON-GUEST1
o Memory: 1024 MB
o Use Dynamic Memory: Yes
2. Open Windows PowerShell, import the Hyper-V module, and then run the following command:
Importing, Exporting, and Moving Virtual Machines in Hyper-V
You can use the import and export functionalities in Hyper-V to transfer virtual machines between
Hyper-V hosts and create point-in-time backups of virtual machines.
Importing Virtual Machines
The virtual machine import feature in Windows Server 2012 provides more detailed information than
previous Hyper-V versions featured. You can use this information to identify configuration problems such
as missing hard disks or virtual switches. This was more difficult to determine in Windows Server 2008
and Windows Server 2008 R2.
In Hyper-V 3.0, you can import virtual machines from copies of virtual machine configuration, snapshot,
and virtual hard-disk files rather than specially exported virtual machines. This is beneficial in recovery
situations where the operating-system volume might have failed but the virtual machine files remain
intact.
To import a virtual machine by using Hyper-V Manager, perform the following general steps:
4. On the Select Virtual Machine page, select the virtual machine that you want to import, and then
click Next.
5. On the Choose Import Type page, choose from the following options:
o Register the virtual machine in-place (use the existing unique ID)
• Export a snapshot. You can do this by right-clicking the snapshot in the Hyper-V manager console,
and then selecting Export. This enables you to create an exported virtual machine as it existed at the
point that the snapshot was created. The exported virtual machine will have no snapshots.
• Export Virtual Machine with Snapshot. You can do this by selecting the virtual machine, and then
clicking Export. This exports the virtual machine and all snapshots associated with the virtual
machine.
Exporting a virtual machine does not affect the existing virtual machine. However, you cannot import
the virtual machine again unless you use the Copy the Virtual Machine option, which creates a new
unique ID.
You can move virtual machines from one Hyper-V 3.0 server to another if you have enabled live
migrations. Live migration of virtual machines occurs when you move a virtual machine from one host
to another while keeping the virtual machine online and available to clients. For more information on
migrating virtual machines, visit Module 9: Implementing Failover Clustering with Hyper-V.
You can use the move functionality to move some or all of the virtual-machine files to a different location.
For example, if you want to move the virtual machines from one volume to an SMB share, while keeping
the virtual machine hosted in the same location, you have the following options:
• Move all the virtual machine's data to a single location. This moves all configuration files, snapshots,
and virtual hard-disk files to the destination location.
• Move the virtual machine's data to different locations. This moves the virtual machine’s configuration
files, snapshots, and virtual hard disks to separate locations.
• Move the virtual machine's virtual hard disks. This moves the hard disks to a separate location, while
keeping the snapshot and configuration files in the same location.
You can move virtual machines in PowerShell by using the Move-VM cmdlet.
Best Practices for Configuring Virtual Machines
When creating new virtual machines, keep the following best practices in mind:
• Avoid differencing disks. Differencing disks reduce the amount of space required, but decrease
performance as multiple virtual machines access the same parent virtual hard disk file.
• Use multiple synthetic network adapters connected to different external virtual switches. Configure
virtual machines to use multiple virtual network adapters that are connected to host NICs, which in
turn are connected to separate physical switches. This means that network connectivity is retained if a
NIC fails or a switch fails.
As one of the senior network administrators at A. Datum, you are responsible for implementing Hyper-V
in the London data center. You will deploy the Hyper-V server role, configure virtual machine storage and
networking, and deploy the virtual machines.
Objectives
After performing this lab you will be able to:
Lab Setup
Password Pa$$w0rd
o Account: Adatum\Administrator
o Password: Pa$$w0rd
o Account: Adatum\Administrator
o Password: Pa$$w0rd
3. In Server Manager, click Local Server, and then configure the following network settings:
o LON-HOST1: 172.16.0.31
o LON-HOST2: 172.16.0.32
2. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using
the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will
restart several times.
4. Open the Hyper-V settings, and then configure or verify the following settings:
5. Question: What additional features are required to support the Hyper-V role?
Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.
2. External Network: Mapped to the host computer's physical network adapter. Will vary depending on
host computer.
Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.
To minimize disk space use at the cost of performance, you are going to create two differencing files
based on the sysprepped VHD. You use these differencing files as the hard-disk files for the new virtual
machines.
Note: The drive letter may depend upon the number of drives on the physical host
machine.
2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Name: LON-GUEST1.vhd
3. Open Windows PowerShell, import the Hyper-V module, and then run the following command:
5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.
o Name: LON-GUEST1
o Memory: 1024 MB
2. Open Windows PowerShell, import the Hyper-V module, and then run the following command:
3. Use the Hyper-V Manager console, and then edit the settings of LON-GUEST2. Configure the
following:
o Automatic Start Action: Nothing
o Automatic Stop Action: Shut down the guest operating system
o If you are using LON-HOST1, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B.
o If you are using LON-HOST2, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B.
2. When importing, select the Register the virtual machine in-place option.
o Sydney
o Brisbane
o Sydney
o Melbourne
o Brisbane
Question: What state must the virtual machine be in to configure dynamic memory when
using Windows Server 2008 R2 as a host? How is this different to Windows Server 2012 as a
host?
Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.
Question: In which situations must you use virtual hard disks in VHDX format as opposed to
virtual hard disks in VHD format?
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard
disk on a file share. What operating system must the file server be running to support this
configuration?
Tools
Tool: The Sysinternals disk2vhd tool
Used for: Convert physical hard disks to VHD format
Where to find it: Microsoft TechNet website, http://technet.microsoft.com/en-us/sysinternals/bb842062
Module 9
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview 9-1
Module Overview
One benefit of implementing server virtualization is the opportunity to provide high availability, both
for applications or services that have built-in high availability functionality, and for applications or
services that do not provide high availability in any other way. With the Windows Server® 2012 Hyper-V®
technology, failover clustering, and Microsoft® System Center 2012 Virtual Machine Manager (VMM), you
can configure high availability by using several different options.
In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve
high availability for a virtual environment. You will also learn about basic features of virtual machines.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of the Integration of Hyper-V with Failover Clustering
Failover clustering is a Windows Server 2012 feature that enables you to make applications or services
highly available. To make virtual machines highly available in a Hyper-V environment, you must implement
failover clustering on the Hyper-V host computers.
This lesson summarizes the high availability options for Hyper-V based virtual machines, and then focuses
on how failover clustering works, and how to design and implement failover clustering for Hyper-V.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how failover clustering works with Hyper-V nodes.
• Describe new features of failover clustering for Hyper-V.
Options for Making Virtual Machines Highly Available
Most organizations have some applications that are business critical and must be highly available.
To make an application highly available, you must deploy it in an environment that provides
redundancy for all components that the application requires. For virtual machines to be highly
available, you can choose between several options. You can implement a virtual machine as a clustered
role (host clustering), you can implement clustering inside virtual machines (guest clustering), or you
can use Network Load Balancing (NLB) inside virtual machines.
Host Clustering
Host clustering enables you to configure a failover cluster by using the Hyper-V host servers. When you
configure host clustering for Hyper-V, you configure the virtual machine as a highly available resource.
Failover protection is implemented at the host server level. This means that the guest operating system
and applications that are running within the virtual machine do not have to be cluster-aware. However,
the virtual machine is still highly available. Some examples of non-cluster-aware applications are a
File Server or Print Server, or perhaps a proprietary network-based application, such as an accounting
application. Should the host node that controls the virtual machine unexpectedly become unavailable, the
secondary host node takes control and restarts the virtual machine as quickly as possible. You can also
move the virtual machine from one node in the cluster to another in a controlled manner. For example,
you could move the virtual machine from one node to another while patching the host operating system.
The guest operating system, and the applications or services that are running in the virtual machine, do
not have to be compatible with failover clustering, nor are they aware that the virtual machine is clustered.
Because the failover is at the virtual machine level, there are no dependencies on software that is installed
inside the virtual machine.
Guest Clustering
Guest failover clustering is configured very similarly to physical server failover clustering, except that
the cluster nodes must include multiple virtual machines. In this scenario, you create two or more virtual
machines, and enable failover clustering within the guest operating system. The application or service is
then enabled for high availability between the virtual machines by using failover clustering in each virtual
machine. Because failover clustering is implemented within each virtual machine node’s guest operating
system, you can locate the virtual machines on a single host. This can be a quick and cost-effective
configuration in a test or staging environment.
For production environments however, you can more robustly protect the application or service if
you deploy the virtual machines on separate failover clustering enabled Hyper-V host computers. With
failover clustering implemented both at the host and virtual machine levels, the resource can be restarted
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a “Guest Cluster Across Hosts.” It is considered an optimal high availability configuration for virtual
machines running mission-critical applications in a production environment.
You should consider several factors when you implement guest clustering:
• The application or service must be failover cluster-aware. This includes any of the Windows Server
2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server and
Microsoft Exchange Server.
• Hyper-V virtual machines can use fiber channel-based connections to shared storage (this is specific
only to Microsoft Hyper-V Server 2012), or you can implement iSCSI connections from the virtual
machines to the shared storage.
You should deploy multiple network adapters on the host computers and the virtual machines. Ideally,
you should dedicate a network connection to the iSCSI connection (if you are using this method to
connect to storage), to the private network between the hosts, and to the network connection that the
client computers use.
Therefore, NLB is an appropriate solution for resources that do not have to accommodate exclusive read
or write requests. Examples of NLB-appropriate applications would be web-based front ends to database
applications or Exchange Server Client Access Servers.
When you configure an NLB cluster, you must install and configure the application on all virtual machines.
After you configure the application, you install the network load balancing feature in Windows Server
2012 within each virtual machine’s guest operating system (not on the Hyper-V hosts), and then
configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, so that
the Guest operating system is not limited to only Windows Server 2012. Similar to a “Guest Cluster Across
Hosts”, the NLB resource typically benefits from overall increased I/O performance when the virtual
machine nodes are located on different Hyper-V hosts.
Note: As with earlier versions of Windows Server, you should not implement NLB and
failover clustering within the same operating system because the two technologies conflict with
one another.
The failover process transfers the responsibility of providing access to resources in a cluster from one node
to another. Failover can occur when an administrator intentionally moves resources to another node for
maintenance or other reasons, or when unplanned downtime of one node occurs because of hardware
failure or other reasons.
The failover process consists of the following steps:
1. The node where the virtual machine is running owns the clustered instance of the virtual machine,
controls access to the shared bus or iSCSI connection to the cluster storage, and has ownership of any
disks, or Logical Unit Numbers (LUNs), assigned to the virtual machine. All the nodes in the cluster use
a private network to send regular signals, known as heartbeat signals, to one another. The heartbeat
signals that a node is functioning and communicating on the network. The default heartbeat
configuration specifies that each node send a heartbeat over TCP/UDP port 3343 each second (or
1000 milliseconds).
2. Failover starts when the node hosting the virtual machine does not send regular heartbeat signals
over the network to the other nodes. By default, this is five consecutively missed heartbeats (or 5000
milliseconds elapses). Failover may occur because of a node failure or network failure.
3. When heartbeat signals stop arriving from the failed node, one of the other nodes in the cluster
begins taking over the resources that the virtual machines use. You define the node(s) that could take
over by configuring the Preferred and Possible Owners properties. The Preferred Owner specifies
the hierarchy of ownership if there is more than one possible failover node for a resource. By default
all nodes are members of Possible Owners. Therefore, removing a node as a Possible Owner
absolutely excludes it from taking over the resource in a failure situation. Suppose that a failover
cluster is implemented by using four nodes. However, only two nodes are configured as Possible
Owners. In a failover event, the resource might still be taken over by the third node if neither of the
Preferred Owners is online. Although the fourth node is not configured as a Preferred Owner, as
long as it remains a member of Possible Owners, the failover cluster uses it to restore access to the
resource if necessary. Resources are brought online in order of dependency. For example, if the virtual
machine references an iSCSI LUN, access to the appropriate host bus adapters (HBAs), network(s) and
LUNs will be restored in that order. Failover is complete when all the resources are online on the new
node. For clients interacting with the resource, there is a short service interruption, which most users
might not notice.
4. You can also configure the cluster service to fail back to the offline node after it again becomes
active. When the cluster service fails back, it uses the same procedures that it performs during
failover. This means that the cluster service takes all the resources associated with that instance
offline, moves the instance, and then brings all the resources in the instance back online.
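The failover settings named in steps 1 to 4 (heartbeat interval and threshold, Preferred and Possible Owners, failback) inspected and configured for one clustered virtual machine, as an added example that is not part of the course material. It assumes a cluster named LON-CLUSTER whose nodes are LON-HOST1 and LON-HOST2 (the lab host names) and a clustered virtual machine role named LON-GUEST1; the failback window hours are assumptions.

```powershell
# Added example: read the heartbeat settings, then set ownership and failback
# for a clustered VM with the FailoverClusters module.
Import-Module FailoverClusters

$cluster  = Get-Cluster -Name 'LON-CLUSTER'      # assumption: cluster name
$roleName = 'LON-GUEST1'                          # clustered VM role from the lab
$nodes    = 'LON-HOST1', 'LON-HOST2'              # lab host names

# Step 1-2: one heartbeat every SameSubnetDelay ms; a node is considered down
# after SameSubnetThreshold consecutive misses (defaults 1000 ms and 5).
$cluster | Format-List SameSubnetDelay, SameSubnetThreshold,
                       CrossSubnetDelay, CrossSubnetThreshold
$silence = $cluster.SameSubnetDelay * $cluster.SameSubnetThreshold
Write-Host "Failover begins after about $silence ms without a heartbeat"
# Tightening these values fails over sooner but turns transient packet loss on
# the private network into spurious failovers; record them before changing them.

# Step 3: Preferred Owners are set on the role (group) and define the order in
# which nodes are tried when more than one could take over.
$role = Get-ClusterGroup -Cluster $cluster -Name $roleName
$role | Set-ClusterOwnerNode -Owners $nodes

# Possible Owners are set per resource; a node removed here can never take the
# resource, so keep every node that has the capacity to run the VM.
$role | Get-ClusterResource | Set-ClusterOwnerNode -Owners $nodes

# Step 4: allow failback, but only during a quiet window (hours, 24 h clock),
# because a failback is a second outage for the VM's clients.
$role.AutoFailbackType    = 1    # 0 = prevent failback, 1 = allow failback
$role.FailbackWindowStart = 1    # assumption: 01:00
$role.FailbackWindowEnd   = 5    # assumption: 05:00

# Verify the stored ownership and failback policy.
Get-ClusterOwnerNode -Cluster $cluster -Group $roleName |
    Format-List ClusterObject, OwnerNodes
$role | Format-List Name, OwnerNode, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd
```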
What's New in Failover Clustering for Hyper-V in Windows Server 2012?
In Windows Server 2012, failover clustering is much improved with respect to Hyper-V clusters.
Some of the most important improvements are:
• Failover clustering now supports up to 4,000 virtual machines, and the improved Failover
Cluster Manager snap-in simplifies managing many virtual machines.
Best Practices for Implementing High Availability in a Virtual Environment
After you determine which applications are deployed on highly available failover clusters, you plan
and deploy the failover clustering environment. Apply the following recommendations when you
implement the failover cluster:
• Plan for failover scenarios. When you design the hardware requirements for the Hyper-V hosts, make
sure that you include the hardware capacity required when hosts fail. For example, if you deploy a six-
node cluster, you must determine the number of host failures that you want to accommodate. If you
decide that the cluster must sustain the failure of two nodes, then the four remaining nodes must
have the capacity to run all the virtual machines in the cluster.
• Plan the network design for failover clustering. To optimize failover cluster performance and
failover, you should dedicate a fast network connection to internode communication. As with earlier
versions, this network should be logically and physically separate from the network segment(s) that
clients use to communicate with the cluster. You can also use this network connection to transfer
virtual machine memory during a Live Migration. If you are using iSCSI for any virtual machines, also
dedicate a separate network connection to the iSCSI traffic.
• Plan the shared storage for failover clustering. When you implement failover clustering for Hyper-V,
the shared storage must be highly available. If the shared storage fails, all the virtual machines will
fail, even if the physical nodes are functional. To ensure storage availability, plan for redundant
connections to the shared storage and redundant array of independent disks (RAID) redundancy on
the storage device.
• Use the recommended failover cluster quorum mode. If you deploy a cluster with an even number
of nodes, and shared storage is available to the cluster, the Failover Cluster Manager automatically
selects Node and Disk Majority quorum mode. If you deploy a cluster with an odd number of nodes,
the Failover Cluster Manager selects the Node Majority quorum mode. You should not modify the
default configuration unless you understand the implications of doing this.
• Deploy standardized Hyper-V hosts. To simplify the deployment and management of the failover
cluster and Hyper-V nodes, develop a standard server hardware and software platform for all nodes.
• Develop standard management practices. When you deploy multiple virtual machines in a
failover cluster, you increase the risk that a single mistake may shut down a large part of the server
deployment. For example, if an administrator accidentally configures the failover cluster incorrectly,
and the cluster fails, all virtual machines in the cluster will be offline. To avoid this, develop and
thoroughly test standardized instructions for all administrative tasks.
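The following script is an added example, not part of the course material, that audits an existing Hyper-V failover cluster against the recommendations above: quorum mode versus node count, the presence of a network dedicated to cluster traffic, and whether the surviving nodes can host every virtual machine after a given number of node failures. It uses only the FailoverClusters and Hyper-V modules that ship with Windows Server 2012. The cluster name HVCLUSTER1 and the failure target of two nodes are assumptions.

```powershell
# Added example, not part of the course: audit a Hyper-V failover cluster against the
# planning recommendations (quorum mode, dedicated cluster network, spare capacity).
# Run on a cluster node as a cluster administrator.
Import-Module FailoverClusters
Import-Module Hyper-V

$clusterName  = 'HVCLUSTER1'   # assumed cluster name
$nodeFailures = 2              # the design must survive this many simultaneous node failures

$nodes = Get-ClusterNode -Cluster $clusterName

# 1. Quorum: an even node count should have a witness, an odd node count should not.
$quorum = Get-ClusterQuorum -Cluster $clusterName
"Nodes: {0}  Quorum: {1}  Witness: {2}" -f $nodes.Count, $quorum.QuorumType, $quorum.QuorumResource
if (($nodes.Count % 2 -eq 0) -and -not $quorum.QuorumResource) {
    Write-Warning 'Even number of nodes but no witness configured.'
}
if (($nodes.Count % 2 -eq 1) -and $quorum.QuorumResource) {
    Write-Warning 'Odd number of nodes but a witness is configured.'
}

# 2. Networks: Role 1 = cluster traffic only (heartbeat, CSV redirected I/O, Live Migration),
#    Role 3 = cluster and client traffic, Role 0 = excluded from cluster use (for example iSCSI).
#    The guidance calls for at least one Role 1 network, separate from the client network.
$networks = Get-ClusterNetwork -Cluster $clusterName
$networks | Select-Object Name, Address, Role | Format-Table -AutoSize
if (-not ($networks | Where-Object Role -eq 1)) {
    Write-Warning 'No network is dedicated to cluster-only traffic (Role 1).'
}

# 3. Capacity: the startup memory of all VMs must fit on the nodes that remain after the
#    $nodeFailures largest nodes are lost (worst case).
$vmMemory   = 0
$hostMemory = @()
foreach ($node in $nodes) {
    $vmMemory   += (Get-VM -ComputerName $node.Name | Measure-Object MemoryStartup -Sum).Sum
    $hostMemory += (Get-VMHost -ComputerName $node.Name).MemoryCapacity
}
$survivors = $hostMemory | Sort-Object | Select-Object -First ($nodes.Count - $nodeFailures)
$available = ($survivors | Measure-Object -Sum).Sum
"VM memory: {0:N0} GB  Capacity after {1} node failures: {2:N0} GB" -f `
    ($vmMemory / 1GB), $nodeFailures, ($available / 1GB)
if ($vmMemory -gt $available) {
    Write-Warning 'Remaining nodes cannot host every VM; add capacity or lower the failure target.'
}
```

The capacity check deliberately drops the largest nodes first, because a design that only survives the loss of its smallest nodes does not meet the stated requirement. Memory is the usual binding constraint for Hyper-V hosts, but the same pattern can be applied to logical processors if CPU is the concern.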
Lesson 2
Implementing Hyper-V Virtual Machines on Failover Clusters
Implementation of highly available virtual machines is somewhat different from implementing other roles
in a failover cluster. Failover clustering in Windows Server 2012 provides many features for Hyper-V
clustering in addition to tools for virtual machine high availability management. In this lesson, you will
learn about how to implement highly available virtual machines.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components of a Hyper-V cluster.

Components of Hyper-V Clusters
Hyper-V as a role has some specific requirements for cluster components. To form a Hyper-V cluster,
you must have at least two physical nodes. Whereas other clustered roles (such as DHCP, file
server, and so on) allow for nodes to be virtual machines, Hyper-V nodes must be composed of
physical hosts. You cannot run Hyper-V as a virtual machine on a Hyper-V host.

In addition to having nodes, you must also have physical and virtual networks. Failover
clustering requires a network for internal cluster communication, and also a network for clients.
You can also implement a storage network separately, depending on the type of storage being used. Again,
specific to the Hyper-V role, you should also consider virtual networks for clustered virtual machines. It is very
important to create the same virtual networks on all physical hosts that participate in one cluster. Failing
to do this causes a virtual machine to lose network connectivity when it is moved from one host to another.

Storage is an important component of virtual machine clustering. You can use any type of storage that is
supported by Windows Server 2012 failover clustering. We recommend that you configure storage as a
CSV. This is discussed in a following topic.

Virtual machines are components of a Hyper-V cluster. In Failover Cluster Manager you can create new
highly available virtual machines, or you can make existing virtual machines highly available. In both cases,
the virtual machine storage location must be on shared storage that can be accessed by both nodes. You
might not want to make all virtual machines highly available. In Failover Cluster Manager you can select
which virtual machines are part of a cluster configuration.
9-8 Implementing Failover Clustering with Hyper-V
Note: Microsoft supports a failover cluster solution only if all the hardware features are
marked as “Certified for Windows Server.” Additionally, the complete configuration (servers,
network, and storage) must pass all tests in the Validate This Configuration wizard, which is
included in the Failover Cluster Manager snap-in.
• Network adapters: The network hardware, just as other components in the failover cluster solution, must
be marked as "Certified for Windows Server". To provide network redundancy, you can connect
cluster nodes to multiple, distinct networks, or you can connect the nodes to one network that uses
teamed network adapters, redundant switches, redundant routers, or similar hardware to remove
single points of failure. We recommend that you configure multiple network adapters on the host
computer that you configure as a cluster node. One network adapter should be connected to the
private network that inter-host communication uses.
• Storage adapters: If you use Serial Attached SCSI (SAS) or Fibre Channel, the mass-storage device
controllers in all clustered servers should be identical and should use the same firmware version.
If you are using iSCSI, each clustered server should have one or more network adapters that are
dedicated to the cluster storage. The network adapters that you use to connect to the iSCSI storage
target should be identical, and you should use Gigabit Ethernet or a faster network adapter.
• Storage: You must use shared storage that is compatible with Windows Server 2012. If you deploy
a failover cluster that uses a witness disk, the storage must contain at least two separate volumes
(LUNs). One volume functions as the witness disk, and additional volumes contain the virtual machine
files that are shared between the cluster nodes. Storage considerations and recommendations include
the following:
the following:
o Use basic disks, not dynamic disks. Format the disks with the NTFS file system.
o Use either master boot record (MBR) or GUID partition table (GPT).
o If you are using a storage area network (SAN), the miniport driver that the storage uses must
work with the Microsoft Storport storage driver.
o Consider using multipath input/output (I/O) software: If your SAN uses a highly available network
design with redundant components, you can deploy failover clusters with multiple host bus
adapters by using multipath I/O software. This provides the highest level of redundancy and
availability. For Windows Server 2008 R2 and 2012, your multipath solution must be based on
Microsoft Multipath I/O (MPIO).
Software Requirements for Using Hyper-V and Failover Clustering
The following are the software requirements for using Hyper-V and failover clustering:
• All the servers in a failover cluster must run the x64-based version of Windows Server 2012 Standard
or Datacenter edition. The nodes in a single failover cluster cannot run different versions.

Network Infrastructure Requirements
The following network infrastructure is required for a failover cluster, together with an administrative account
that has the following domain permissions:
• DNS. The servers in the cluster must use Domain Name System (DNS) for name resolution. You should
use the DNS dynamic update protocol.
• Account for administering the cluster. When you first create a cluster or add servers to it, you must be
logged on to the domain with an account that has administrator rights and permissions on all the
cluster's servers. Additionally, if the account is not a Domain Admins account, the account must have
the Create Computer Objects permission in the domain.
Implementing Hyper-V Virtual Machines on Failover Clusters
To implement failover clustering for Hyper-V, you must complete the following high-level steps:
6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure
that all files associated with the virtual machine, including both the virtual hard disk and virtual
machine configuration files, are stored on the shared storage. You can create and manage virtual
machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual machine
by using Failover Cluster Manager, the virtual machine is automatically made highly available.
Configuring Cluster Shared Volumes
You do not have to configure and use CSV when you implement high availability for virtual
machines in Hyper-V. You can cluster Hyper-V by using the regular approach. However, we
recommend that you use CSV because of the following advantages:
• Better use of disk space. Instead of placing each .vhd file on a separate disk with empty space so that
the .vhd file can expand, you can oversubscribe disk space by storing multiple .vhd files on the same
LUN.
• No specific hardware requirements. There are no specific hardware requirements to implement CSV.
You can implement CSV on any supported disk configuration, and on either Fibre Channel or iSCSI
SANs.
• Increased resiliency. CSV increases resiliency because the cluster can respond correctly even if
connectivity between one node and the SAN is interrupted, or part of a network is down. The cluster
reroutes the CSV traffic through an intact part of the SAN or network.

Implementing CSV
You can configure CSV only when you create a failover cluster that hosts highly available virtual machines.
After you create the failover cluster, you can enable CSV for the cluster, and then add storage to the CSV.
Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.
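The steps above (validate, create the cluster, add a witness and a CSV, create the virtual machine on shared storage, make it highly available) are shown end to end in the following script. It is an added example, not the course's own lab; node names HV1 and HV2, the cluster name and IP address, the cluster disk names, the virtual machine name APP01 and the switch name External are assumptions. It presumes that two shared LUNs are already presented to both nodes and that the account running it has local administrator rights on both nodes plus the Create Computer Objects permission in the domain, as required above.

```powershell
# Added example, not part of the course: build a two-node Hyper-V cluster with a disk
# witness and a Cluster Shared Volume, then create one highly available VM on the CSV.
Import-Module FailoverClusters
Import-Module Hyper-V

$nodes     = 'HV1', 'HV2'      # assumed node names
$cluster   = 'HVCLUSTER1'      # assumed cluster name object (CNO)
$clusterIP = '10.0.0.50'       # assumed cluster IP on the client network
$vmName    = 'APP01'           # assumed VM name
$switch    = 'External'        # a virtual switch with this exact name must exist on every node

# 1. Validate. Microsoft supports the cluster only if every test passes; Test-Cluster
#    returns the HTML report as a FileInfo object, so read it before continuing.
$report = Test-Cluster -Node $nodes
"Validation report: $($report.FullName)"

# 2. Create the cluster without storage, so that disks are assigned deliberately below
#    instead of being auto-selected.
New-Cluster -Name $cluster -Node $nodes -StaticAddress $clusterIP -NoStorage

# 3. Bring the shared disks into the cluster. They are named "Cluster Disk 1", "Cluster
#    Disk 2", ... in discovery order; here the first (small) LUN becomes the witness and
#    the second becomes a CSV, mounted on every node as C:\ClusterStorage\Volume1.
Get-ClusterAvailableDisk -Cluster $cluster | Add-ClusterDisk
Set-ClusterQuorum -Cluster $cluster -NodeAndDiskMajority 'Cluster Disk 1'
Add-ClusterSharedVolume -Cluster $cluster -Name 'Cluster Disk 2'
Get-ClusterSharedVolume -Cluster $cluster | Select-Object Name, State, OwnerNode

# 4. Create the VM on the CSV from one node. Both the configuration files and the VHDX
#    live under the CSV path, so every node can reach them after a failover.
$vmPath = 'C:\ClusterStorage\Volume1'
New-VM -ComputerName $nodes[0] -Name $vmName -MemoryStartupBytes 2GB `
    -Path $vmPath -NewVHDPath "$vmPath\$vmName\$vmName.vhdx" -NewVHDSizeBytes 60GB `
    -SwitchName $switch

# 5. Make it highly available. A VM created in Failover Cluster Manager gets this step
#    automatically; a VM created with Hyper-V Manager or New-VM does not.
Add-ClusterVirtualMachineRole -Cluster $cluster -VirtualMachine $vmName

# 6. Check the resulting clustered role and its Possible Owners list.
Get-ClusterGroup -Cluster $cluster -Name $vmName | Select-Object Name, State, OwnerNode
Get-ClusterGroup -Cluster $cluster -Name $vmName | Get-ClusterOwnerNode
```

If a virtual machine's files are placed outside the CSV (for example on a node-local disk), step 5 still succeeds but the role fails to come online on any other node; checking the paths under the CSV mount point before running Add-ClusterVirtualMachineRole avoids that surprise.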
Implementing Highly Available Virtual Machines on an SMB 3.0 File Share
In Windows Server 2012, it is possible to use one more technique to make virtual machines highly
available. Instead of using host or guest clustering, virtual machine files can now be stored on a
highly available SMB 3.0 file share. By using this approach, high availability is achieved not by
clustering Hyper-V nodes, but by file servers that host virtual machine files on their file shares. With
this new capability, Hyper-V can store all virtual machine files, including configuration, virtual hard
disk (VHD) files, and snapshots, on highly available SMB file shares.
• A common Active Directory infrastructure. The servers running Active Directory Domain Services (AD
DS) do not need to run Windows Server 2012.
Considerations for Implementing Hyper-V Clusters
By implementing host failover clustering, you can make virtual machines highly available. However,
implementing host failover clustering also adds significant cost and complexity to a Hyper-V
deployment. You must invest in additional server hardware to provide redundancy, and you should
implement or have access to a shared storage infrastructure.
• Identify the components that must be highly available to make the applications highly available. In
some cases, the application might run on a single server, and making that server highly available is all
that you have to do. Other applications may require that several servers, and other components, such
as storage or the network, be highly available.
o What are the performance requirements for each application? Collect performance information
on the servers currently running the applications to gain an understanding of the hardware
requirements that are required when you virtualize the server.
• What capacity is required to make the Hyper-V virtual machines highly available? As soon as you
identify all the applications that must be highly available by using host clustering, you can start to
design the actual Hyper-V deployment. By identifying the performance requirements, and network
and storage requirements, for applications, you can define the hardware that you have to implement
all the applications in a highly available environment.
Live Migration is one of the most important aspects of Hyper-V clustering. When you implement Live
Migration, consider the following:
• Verify basic requirements. The basic requirements for Live Migration are that all hosts must be part of
a Windows Server 2012 failover cluster, and host processors must be from the same manufacturer.
All hosts in the cluster must have access to shared storage.
• Configure a dedicated network adapter for the private virtual network. When you implement failover
clustering, you should configure a private network for the cluster heartbeat traffic. You use this
network to transfer the virtual machine memory during a Live Migration. To optimize this configuration,
configure a network adapter for this network that has a capacity of 1 gigabit per second (Gbps) or
higher.
Note: You must enable the Client for Microsoft Networks and File and Printer Sharing for
Microsoft Networks components for the network adapter that you want to use for the private
network.
• Use similar host hardware. All failover cluster nodes must use the same hardware for connecting to
shared storage, and all cluster nodes must have processors from the same manufacturer. Whereas you
can enable failover for virtual machines on a host with different processor versions by configuring
processor compatibility settings, the failover experience and performance is more consistent if all
servers have very similar hardware.
• Verify network configuration. All nodes in the failover cluster must connect through the same IP
subnet so that the virtual machine can keep the same IP address after Live Migration. Also, the IP
addresses assigned to the private network on all nodes must be on the same logical subnet, which
means that multisite clusters must use a stretched virtual local area network (VLAN), which is a subnet
that spans a wide area network (WAN) connection.
• Manage Live Migrations. In Windows Server 2008 R2, each node in the failover cluster could perform
only one Live Migration at a time; if you tried to start a second Live Migration before the first one
finished, the migration failed. Windows Server 2012 removes this limit and allows several simultaneous
Live Migrations per host, up to a configurable maximum. If you start additional Live Migrations from
Virtual Machine Manager (VMM), it queues the Live Migration, and retries it for 15 minutes. If the
migration cannot be initiated in 15 minutes, the migration is canceled.
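The considerations above translate into a short preflight that is worth running before the first Live Migration on a new cluster. The script below is an added example, not part of the course: it checks that every node has processors from the same manufacturer and the same virtual switch names (the text above also names mismatched virtual networks as the cause of a virtual machine losing connectivity after a move), enables Live Migration on each node restricted to the private network with Kerberos authentication, and then live-migrates one clustered virtual machine. The cluster name HVCLUSTER1, the virtual machine name APP01 and the private subnet 10.0.1.0/24 are assumptions.

```powershell
# Added example, not part of the course: Live Migration preflight checks and a live move
# of one clustered VM. Run from a management station or a cluster node with the
# FailoverClusters and Hyper-V modules.
Import-Module FailoverClusters
Import-Module Hyper-V

$cluster       = 'HVCLUSTER1'      # assumed cluster name
$vmName        = 'APP01'           # assumed clustered VM
$privateSubnet = '10.0.1.0/24'     # assumed dedicated cluster / Live Migration network
$nodes         = (Get-ClusterNode -Cluster $cluster).Name

# 1. Processor manufacturer must match on all nodes (Intel <-> AMD migration is impossible).
$makers = foreach ($n in $nodes) {
    (Get-WmiObject Win32_Processor -ComputerName $n | Select-Object -First 1).Manufacturer
}
if (@($makers | Select-Object -Unique).Count -gt 1) {
    Write-Warning "Mixed processor manufacturers across nodes: $($makers -join ', ')"
}

# 2. Virtual switch names must be identical on every node; otherwise the VM has no switch
#    to attach to after it lands on the destination and loses network connectivity.
$reference = (Get-VMSwitch -ComputerName $nodes[0]).Name | Sort-Object
foreach ($n in ($nodes | Select-Object -Skip 1)) {
    $names = (Get-VMSwitch -ComputerName $n).Name | Sort-Object
    if (Compare-Object $reference $names) {
        Write-Warning "Virtual switches on $n do not match $($nodes[0])."
    }
}

# 3. Enable Live Migration on every node, restrict it to the private subnet so guest memory
#    never crosses the client network, and use Kerberos instead of CredSSP. Kerberos requires
#    constrained delegation for "Microsoft Virtual System Migration Service" on the node
#    computer accounts when migrations are started from a remote console.
foreach ($n in $nodes) {
    Set-VMHost -ComputerName $n -VirtualMachineMigrationEnabled $true `
        -VirtualMachineMigrationAuthenticationType Kerberos `
        -UseAnyNetworkForMigration $false
    if (-not (Get-VMMigrationNetwork -ComputerName $n | Where-Object Subnet -eq $privateSubnet)) {
        Add-VMMigrationNetwork -ComputerName $n -Subnet $privateSubnet -Priority 1
    }
}

# 4. Processor compatibility mode is only needed for different CPU generations from the same
#    manufacturer; it hides newer instruction sets from the guest, so leave it off on uniform
#    hardware. The VM must be off to change it:
# Set-VMProcessor -VMName $vmName -CompatibilityForMigrationEnabled $true

# 5. Live-migrate the clustered VM to the running node that currently hosts the fewest VMs.
$target = Get-ClusterNode -Cluster $cluster | Where-Object State -eq 'Up' |
    Sort-Object { @(Get-VM -ComputerName $_.Name).Count } | Select-Object -First 1
Move-ClusterVirtualMachineRole -Cluster $cluster -Name $vmName -Node $target.Name -MigrationType Live
```

Leaving UseAnyNetworkForMigration at its default of true lets memory pages travel over whichever network the hosts happen to pick, including the client-facing one; pinning the migration network is the configuration counterpart of the dedicated-adapter recommendation above.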
Lesson 3
Implementing Hyper-V Virtual Machine Movement
Moving virtual machines from one location to another is a fairly common procedure in the administration
of Hyper-V environments. Most of the moving techniques in previous Windows Server versions required
downtime. Windows Server 2012 introduces new technologies to enable seamless virtual machine
movement. In this lesson, you will learn about virtual machine movement and migration options.

Lesson Objectives
After completing this lesson, you will be able to:

Virtual Machine Migration Options
There are several scenarios where you would want to migrate a virtual machine from one location to
another. For example, you might want to move a virtual machine's virtual hard disk from one physical
drive to another on the same host. Another example is moving a virtual machine from one node in a
cluster to another, or just moving a virtual machine from one host server to another host server without
the hosts being members of a cluster. Compared with Windows Server 2008 R2, Windows Server 2012
provides significant enhancements in addition to simplified procedures for this process.

In Windows Server 2012, you can perform migration of virtual machines by using these methods:
• Virtual machine and storage migration. With this method, you move a powered-on virtual machine
from one location to another (or from one host to another) by using a wizard in Hyper-V Manager.
Virtual machine and storage migration do not require failover clustering or any other high availability
technology to work. Shared storage is not required when you move just the virtual machine.
• Export and import. In Windows Server 2012 this migration method is improved. You can import a
virtual machine to a Hyper-V host without exporting it before import. Windows Server 2012 Hyper-V
is now capable of configuring all the necessary settings during the import operation.
How Does Virtual Machine and Storage Migration Work?
There are many cases in which an administrator might want to move the virtual machine files to
another location. For example, if the disk where a virtual machine hard disk resides runs out of
space, you must move the virtual machine to another drive or volume. Also, moving a virtual
machine to another host is a very common procedure.

In earlier versions of Windows Server, such as Windows Server 2008 or Windows Server 2008 R2,
moving a virtual machine resulted in downtime because it had to be turned off. If you moved a
virtual machine between two hosts, then you also had to perform export and import operations for that
specific virtual machine. Export operations can be time-consuming, depending on the size of the virtual
machine hard disks.

In Windows Server 2012, Virtual Machine and Storage Migration enables you to move a virtual machine
to another location on the same host or on another host computer without turning off the virtual
machine.

When you move a virtual machine's virtual hard disks to another location, a wizard presents three available options:
• Move all the virtual machine's data to a single location: You specify one single destination location
for all items (virtual hard disk files, configuration, snapshots, and smart paging).
• Move the virtual machine's data to different locations: You specify individual locations for each
virtual machine item.
Note: Virtual Machine and Storage Migration, described in the previous topic, can also move a
running virtual machine between two stand-alone hosts. The Live Migration described in the following
topic is based on a different technology (failover clustering): a clustered Live Migration can be performed
only if the virtual machine is highly available, whereas storage migration has no such requirement.
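The wizard options described above map directly onto the Move-VMStorage and Move-VM cmdlets of the Hyper-V module. The following is an added example, not part of the course; it goes slightly beyond the wizard text by also showing how to move only the virtual hard disks and how to move a running virtual machine between two stand-alone hosts with no shared storage. The virtual machine name APP01, the destination paths and the host name HV2 are assumptions.

```powershell
# Added example, not part of the course: storage migration and shared-nothing virtual
# machine migration with the Hyper-V module. Run on the host that currently owns the VM.
Import-Module Hyper-V

$vmName = 'APP01'    # assumed VM name

# Option "single location": configuration, snapshots, smart paging file and every VHD are
# moved to one folder on the same host while the VM keeps running.
Move-VMStorage -VMName $vmName -DestinationStoragePath 'E:\VMs\APP01'

# Option "different locations": each item gets its own path. -VhdFiles takes one hashtable
# per disk with the current path and the destination path, so build that list from the VM.
$vhds = Get-VMHardDiskDrive -VMName $vmName | ForEach-Object {
    @{
        SourceFilePath      = $_.Path
        DestinationFilePath = Join-Path 'F:\VHDs\APP01' (Split-Path $_.Path -Leaf)
    }
}
Move-VMStorage -VMName $vmName `
    -VirtualMachinePath  'E:\Config\APP01' `
    -SnapshotFilePath    'E:\Snapshots\APP01' `
    -SmartPagingFilePath 'E:\SmartPaging\APP01' `
    -VhdFiles $vhds

# Move only the virtual hard disks: pass -VhdFiles and leave the other paths unchanged.
# Move-VMStorage -VMName $vmName -VhdFiles $vhds

# Shared-nothing move between two stand-alone hosts: the running VM and all its storage are
# copied to HV2 over the network; no cluster and no shared storage are involved. Both hosts
# need Live Migration enabled (Set-VMHost -VirtualMachineMigrationEnabled $true); with
# Kerberos authentication the hosts' computer accounts need constrained delegation, with
# CredSSP the command must be run locally on the source host.
Move-VM -Name $vmName -DestinationHost 'HV2' -IncludeStorage -DestinationStoragePath 'D:\VMs\APP01'

# Confirm where the files ended up.
Get-VM -Name $vmName -ComputerName 'HV2' | Select-Object Name, State, Path
Get-VMHardDiskDrive -VMName $vmName -ComputerName 'HV2' | Select-Object Path
```

Because these moves stream disk contents while the guest keeps writing, they are I/O-heavy operations; scheduling them outside peak hours and using the dedicated migration network are the practical counterparts of the "no downtime" promise above.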
• The VMM Administrator console, if you use VMM to manage your physical hosts.
Note: Live Migration enables you to reduce the perceived outage of a virtual machine
significantly during a planned failover. During a planned failover, you start the failover manually.
Live Migration does not apply during an unplanned failover, such as when the node hosting the
virtual machine fails.
1. Migration setup. When the administrator starts the failover of the virtual machine, the source node
creates a TCP connection with the target physical host. This connection is used to transfer the virtual
machine configuration data to the target physical host. Live Migration creates a temporary virtual
machine on the target physical host, and allocates memory to the destination virtual machine. The
migration preparation also checks to determine whether a virtual machine can be migrated.
2. Guest-memory transfer. The guest memory is transferred iteratively to the target host while the
virtual machine is still running on the source host. Hyper-V on the source physical host monitors the
pages in the working set. As the system modifies memory pages, it tracks and marks them as being
modified. During this phase of the migration, the migrating virtual machine continues to run. Hyper-
V iterates the memory copy process several times, and each time a smaller number of modified
pages is copied to the destination physical computer. A final memory copy process copies the
remaining modified memory pages to the destination physical host. Copying stops as soon as the
number of dirty pages drops below a threshold or after 10 iterations are complete.
3. State transfer. To actually migrate the virtual machine to the target host, Hyper-V stops the source
partition, transfers the state of the virtual machine (including the remaining dirty memory pages) to
the target host, and then restores the virtual machine on the target host. The virtual machine has to
be paused during the final state transfer.
4. Clean up. The cleanup stage finishes the migration by tearing down the virtual machine on the
source host, terminating the worker threads, and signaling the completion of the migration.
How Does Hyper-V Replica Work?
In some cases, you might want to have a spare copy of one virtual machine that you can run if
the original virtual machine fails. By implementing high availability, you have one instance of a virtual
machine. High availability does not prevent corruption of software running inside the VM. One
way to address the issue of corruption is to copy the VM. You can also back up the virtual machine
and its storage. Although this solution achieves the desired result, it is resource intensive and time
consuming.

The site configurations do not have to use the same server or storage hardware. Hyper-V Replica enables
an administrator to restore virtualized workloads to a point in time depending on the Recovery History
selections for the virtual machine.
• Replication Engine: This component is the core of Hyper-V Replica. It manages the replication
configuration details and handles initial replication, delta replication, failover, and test-failover
operations. It also tracks virtual machine and storage mobility events and takes appropriate actions as
needed (that is, it pauses replication events until migration events complete and then resumes where they
left off).
• Change Tracking: This component tracks changes that are happening on the primary copy of the virtual
machine. It is designed to make the scenario work regardless of where the virtual machine VHD file(s)
reside.
• Network Module: The Networking Module provides a secure and efficient way to transfer virtual
machine replicas between the primary host and the replica host. Data compression is enabled by default. The
communication is authenticated either with Kerberos over HTTP (hosts in the same or trusted domains) or
with certificate-based mutual authentication over HTTPS (stand-alone hosts or untrusted domains); only the
HTTPS option encrypts the replication traffic itself.
• Hyper-V Replica Broker role: This is a new role implemented in Windows Server 2012. It is
configured in Failover Clustering, and it enables you to have Hyper-V Replica functionality even
when the virtual machine being replicated is highly available and can move from one cluster node to
another. The Hyper-V Replica Broker redirects all virtual machine-specific events to the appropriate
node in the replica cluster. The Broker queries the cluster database to determine which node should
handle which events. This ensures all events are redirected to the correct node in the cluster in the
event that a Quick Migration, Live Migration, or Storage Migration process was executed.
Configuring Hyper-V Replica
Before you implement Hyper-V Replica technology, ensure that these prerequisites are
met:
• The server hardware supports the Hyper-V role on Windows Server 2012.
• An X.509v3 certificate exists to support mutual authentication with certificates (if you want to use
certificate-based authentication).
You do not have to install Hyper-V Replica separately because it is not a Windows Server role or feature.
Hyper-V Replica is implemented as part of the Hyper-V role. It can be used on Hyper-V servers that are
stand-alone or servers that are part of a failover cluster (in which case, you should configure the Hyper-V
Replica Broker). Unlike failover clustering, Hyper-V Replica is not dependent on Active Directory Domain
Services (AD DS). You can use it with Hyper-V servers that are stand-alone, or that are members of
different Active Directory domains (except when servers are part of a failover cluster).
To enable Hyper-V Replica technology, you should first configure Hyper-V server settings. In the
Replication Configuration group of options, you should enable the Hyper-V server as a replica server, and you
should also select authentication and port options. You should also configure authorization options. You
can choose to enable replication from any server that successfully authenticates (which is convenient in
scenarios where all servers are part of the same domain), or you can type the fully qualified domain names
(FQDNs) of the primary servers that you accept replication from. Also, you must configure the location for replica
files. These settings should be configured on each server that will serve as a replica server.
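The Replication Configuration settings above (enable the replica server, choose authentication and port, restrict which primary servers are authorized, set the replica file location) and the subsequent enabling of replication for one virtual machine are shown below with the Hyper-V module. This is an added example, not part of the course; the host names HV1 and HV-REPLICA, the domain contoso.com, the storage path and the virtual machine name APP01 are assumptions. It uses Kerberos authentication, so both hosts are assumed to be in the same domain; for stand-alone hosts the same cmdlets take the Certificate authentication type and a certificate thumbprint instead.

```powershell
# Added example, not part of the course: configure HV-REPLICA as a Hyper-V Replica server
# that accepts replication only from HV1, then replicate one VM from HV1 and verify.
Import-Module Hyper-V

$replicaHost = 'HV-REPLICA'                 # assumed replica server
$primaryHost = 'HV1'                        # assumed primary server
$domain      = 'contoso.com'                # assumed AD DS domain
$vmName      = 'APP01'                      # assumed VM to protect

# 1. Replica server: enable the listener with Kerberos over HTTP on port 80 and do NOT accept
#    replication from any authenticated server; authorize HV1 explicitly instead, with its own
#    storage location and trust group.
Set-VMReplicationServer -ComputerName $replicaHost `
    -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos `
    -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -ComputerName $replicaHost `
    -AllowedPrimaryServer "$primaryHost.$domain" `
    -ReplicaStorageLocation 'D:\Replica' `
    -TrustGroup 'Contoso-Site1'

# 2. The Hyper-V role predefines the inbound firewall rule for the listener but leaves it
#    disabled; enable only the HTTP rule since that is the port configured above.
Enable-NetFirewallRule -CimSession $replicaHost -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# 3. Primary server: enable replication of the VM to HV-REPLICA, keep 4 additional recovery
#    points and take an application-consistent (VSS) point every 4 hours, then start the
#    initial copy over the network.
Enable-VMReplication -ComputerName $primaryHost -VMName $vmName `
    -ReplicaServerName "$replicaHost.$domain" -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -CompressionEnabled $true `
    -RecoveryHistory 4 -VSSSnapshotFrequency 4
Start-VMInitialReplication -ComputerName $primaryHost -VMName $vmName

# 4. Verify. State "Replicating" with a recent LastReplicationTime means delta replication
#    is flowing; Health "Warning" or "Critical" points at missed replication cycles.
Get-VMReplication -ComputerName $primaryHost -VMName $vmName |
    Select-Object Name, State, Health, Mode, ReplicaServer, LastReplicationTime

# Exercise the replica without touching production: a test failover creates a disconnected
# copy of the replica VM on HV-REPLICA and leaves replication running.
# Start-VMFailover -ComputerName $replicaHost -VMName $vmName -AsTest
```

Leaving ReplicationAllowedFromAnyServer at true means any host that can authenticate to the replica server may push virtual machine images to it; the explicit authorization entry limits that to the named primary server and also keeps each primary's replicas in their own storage location, which matters when one replica server serves several sites or tenants.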
Lesson 4
Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager
System Center Virtual Machine Manager 2012 is a part of the System Center 2012 family of products. It is
a successor of Virtual Machine Manager 2008 R2. Its main purpose is to extend management functionality
for Hyper-V hosts and virtual machines and to provide deployment and provisioning for virtual machines
and services. In this lesson, you will learn the basics of VMM.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to manage virtual machines with VMM.
• Describe services and service templates.
• Describe physical to virtual and virtual to virtual migrations.
• Describe considerations for deploying a highly available VMM server.

What Is VMM?
VMM is a management solution for a virtualized data center. VMM enables you to create and
deploy virtual machines and services to private clouds by configuring and managing your
virtualization host, networking, and storage resources.

VMM succeeds VMM 2008 R2 and is a key component in enabling private cloud infrastructure, which
helps transition enterprise IT from an infrastructure-focused deployment model into a service-oriented,
user-centric environment.

VMM architecture consists of several interrelated components. These components are:
• VMM server. The VMM server is the computer on which the VMM service runs. The VMM server
processes commands and controls communications with the VMM database, the library server, and
the virtual machine hosts. The VMM server is the hub of a VMM deployment through which all other
VMM components interact and communicate. The VMM server also connects to a Microsoft
SQL Server database (VMM database) that stores all VMM configuration information.
• Database. VMM uses a SQL Server database to store the information that you view in the VMM
management console, such as managed virtual machines, virtual machine hosts, virtual machine
libraries, jobs, and other virtual machine-related data.
• Management console. The management console is a program that you use to connect to a VMM
management server, to view and manage physical and virtual resources, including virtual machine
hosts, virtual machines, services, and library resources.
• Library. A library is a catalog of resources (for example, virtual hard disks, templates, and profiles),
that are used to deploy virtual machines and services. A library server also hosts shared folders that
store file-based resources. The VMM management server is always the default library server, but you
can add additional library servers later.
• Command shell. Windows PowerShell is the command-line interface in which you execute cmdlets
that perform all available VMM functions. You can use these VMM-specific cmdlets to manage all the
actions in a VMM environment.
Prerequisites for Installing VMM
Before you deploy VMM and its components, you should be certain that your system meets
hardware and software requirements. While software requirements do not change based
on the number of hosts that VMM manages, hardware prerequisites may vary. In addition, not
all VMM components have the same hardware and software requirements. However, Windows
Server 2008 R2 and Windows Server 2012 are the only supported operating systems for VMM 2012.

VMM Server
In addition to having Windows Server 2008 R2 or Windows Server 2012 installed, you have to ensure
that the following software is installed on the server that will run the VMM server:
• Microsoft .NET Framework 3.5 Service Pack 1 (SP1) or later versions
• Windows Automated Installation Kit (AIK)
• Windows Remote Management 2.0 (this is installed by default in Windows Server 2008 R2, so you
should just verify that the service is running)
• SQL Server 2008 SP2 (Standard or Enterprise) or SQL Server 2008 R2 SP1 Standard, Enterprise, or
Datacenter. This is necessary only when you install the VMM management server and SQL Server on the
same computer.
• Disk space: 40 GB to 150 GB (depending on whether a SQL Server database is installed on the same
server. In addition, if the library is on the same server, then disk space will also depend on library
content.)
VMM Database
The VMM database stores all VMM configuration information, which you can access and modify by using
the VMM management console. The VMM database requires SQL Server 2008 SP2 or later. Because of this,
the base hardware requirements for the VMM database are equal to the minimum system requirements for
installing SQL Server. Additionally, if you are managing more than 150 hosts, you should have at least
4 GB of RAM on the database server. Software requirements for the VMM database are the same as for
SQL Server.
VMM Library
The VMM library is the server that hosts resources for building virtual machines, services and business
unit clouds. In smaller environments, you usually install the VMM library on the VMM management server.
If this is the case, the hardware and software requirements are the same as for the VMM management
server. In larger and more complex environments, we recommend that you place the VMM library on a
separate server in a highly available configuration. If you want to deploy another VMM library server,
the server should fulfill the following requirements:
• Hardware management: Windows Remote Management 2.0
Private Cloud Infrastructure Components in VMM
The key architectural concept in VMM is private cloud infrastructure. Similar to public cloud solutions,
such as Windows Azure™, private cloud infrastructure in VMM is an abstraction layer that shields the
underlying technical complexities, and lets you manage defined resource pools of servers, networking,
and storage in the enterprise infrastructure.
You can configure the following resources from the Fabric workspace of the VMM management console:
• Servers. In the Servers node, you can configure and manage several types of servers. Host groups
contain virtualization hosts, which are the destinations to which you can deploy virtual machines.
Library servers are the repositories of building blocks—such as images, .iso files, and templates—for
creating virtual machines.
Managing Hosts and Host Groups with VMM
In addition to virtual machine management, VMM can also manage and deploy Hyper-V hosts. In VMM you can
use technologies such as Windows Deployment Services to deploy Hyper-V hosts on bare metal machines and
then manage them with VMM. When hosts are associated with VMM, you can configure several options, such
as host reserves, quotas, permissions, cloud membership, and so on. VMM can also manage Hyper-V failover
clusters.
• Reserving resources for use by hosts. Host reserves are useful when placing virtual machines on a
host. Host reserves determine the CPU, memory, disk space, disk I/O capacity, and network capacity that
are continuously available to the host operating system.
• Use the Host group properties action for the root host group, All Hosts, to set default host reserves
for all hosts that VMM manages. If you want to use more of the resources on some hosts instead of on
other hosts, you can set host reserves differently for each host group.
Deploying Virtual Machines with VMM
One of the advantages of using a virtualized environment that is managed by VMM is the flexibility that
it provides to create and deploy new virtual machines quickly.
Creating a New Virtual Machine from an Existing VHD
You can create a new virtual machine based on either a blank VHD, or on a preconfigured VHD that
contains a guest operating system. VMM provides two blank VHD templates that you can use to create
new disks:
• Blank Disk – Small
• Blank Disk – Large
You can also use a blank VHD when you want to install an operating system through PXE. Or, you can place
an ISO image on a virtual DVD-ROM, and then install an operating system from scratch. This is an
effective way to build a virtual machine's source image, which you can then use as a future template. To
install the operating system on such a virtual machine, you can use an ISO image file from the library
or from local disk, map a physical drive from the host computer, or start the guest operating system
setup through a network service boot.
If you have a library of VHDs that you want to use in your VMM environment, you can create a virtual
machine from an existing VHD. You can also select existing VHDs when you deploy any operating system
from which VMM cannot create a template, such as an operating system that is not Windows based.
When you create a new virtual machine using an existing VHD, you are basically creating a new virtual
machine configuration that is associated with the VHD file. VMM will create a copy of the source VHD so
that you do not have to move or modify the original.
In this scenario, the source VHD must meet the following requirements:
• Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep)
process. The blank password is a requirement of the generalized image only; when you deploy from a
template, the guest operating system profile supplies the local Administrator password.
• Install the Virtual Machine Additions on the virtual machine.
• Use Sysprep to prepare the operating system for duplication.
Deploying from a Template
This method creates a new virtual machine based on a template from the VMM library. The template is a
library resource, which links to a virtual hard disk that has a generalized operating system, hardware
settings, and guest operating system settings. You use the guest operating system settings to configure
operating system settings such as computer name, local administrator password, and domain
membership.
• You must leave the Administrator password blank on the VHD as part of the Sysprep process.
However, you do not have to leave blank the Administrator password for the guest operating system
profile.
• For customized templates, you must prepare the operating system on the VHD by removing
computer identity information. For Windows operating systems, you can prepare the VHD by using
Sysprep.
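The following PowerShell script is an added example; it is not part of the course and not VMM's own documentation. It deploys a virtual machine from a library template with the VMM 2012 cmdlets and, because the template's VHD was generalized with a blank Administrator password, first stores a non-blank local Administrator credential in the template's guest operating system settings so the deployed guest never boots with that blank password. The VMM server, template, host, path and computer names are assumptions, and the cmdlet parameters are as I understand the VMM 2012 module; check them with Get-Help on your VMM console before use.

```powershell
# Added example, not from the course. Assumes the VMM 2012 console (and its
# VirtualMachineManager module) is installed where this runs, and that the
# names below exist in your environment.
Import-Module VirtualMachineManager

$vmmServer = Get-SCVMMServer -ComputerName "LON-VMM1"                        # assumed
$template  = Get-SCVMTemplate -VMMServer $vmmServer -Name "WS2012-Sysprep"   # assumed template

# The generalized VHD behind the template has a blank Administrator password
# (a Sysprep requirement). Put a real password in the template's guest OS
# settings so it is applied at deployment, and refuse to continue with an
# empty one.
$localAdmin = Get-Credential -UserName "Administrator" -Message "Local Administrator password for deployed VMs"
if ([string]::IsNullOrEmpty($localAdmin.GetNetworkCredential().Password)) {
    throw "Refusing to deploy: the local Administrator password must not be blank."
}
Set-SCVMTemplate -VMTemplate $template -LocalAdministratorCredential $localAdmin | Out-Null

# Pick the target host explicitly rather than letting placement choose one.
$vmHost = Get-SCVMHost -VMMServer $vmmServer -ComputerName "LON-HOST1"   # assumed host

$vm = New-SCVirtualMachine -VMTemplate $template `
        -Name "LON-WEB1" `
        -ComputerName "LON-WEB1" `
        -VMHost $vmHost `
        -Path "C:\VMs" `
        -JobGroup ([Guid]::NewGuid().ToString()) `
        -StartVM

# Report where the VM landed and its state.
"{0} deployed on {1}; status {2}" -f $vm.Name, $vm.VMHost.Name, $vm.Status
```

The password check is the point of the script: the blank password on the VHD is what Sysprep needs, but it must never survive into a running guest, so the credential is validated before the template is touched.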
Deploying from the VMM Library
If you deploy a virtual machine from the library, the virtual machine is removed from the library, and
then placed on the selected host. When you use this method, you must provide the following details in
the Deploy Virtual Machine wizard:
What Are Services and Service Templates?
Services are a new concept in VMM. You must understand services fully before you deploy a private cloud
infrastructure.
Traditional Services Scenario
When we think about services, we usually refer to an application or set of applications that provide
some service to end-users. For example, we can deploy various types of web-based services, but we can
also implement a service such as email. In a non-cloud computing scenario, deployment of any type of
service usually requires users, developers, and administrators to work together through the phases of
creating a service, deploying a service, testing the service, and maintaining the service.
A service frequently includes several computers that must work together to provide a service to end-users.
For example, a web-based service is usually an application that deploys on a web server, connects to a
database server (which can be hosted on another computer), and performs authentication on an Active
Directory domain controller. Enabling this application requires three roles, and possibly three computers:
a web server, a database server, and a domain controller. Deploying a test environment for a service such
as this can be time and resource consuming. Ideally, developers work with IT administrators to create an
environment where they can deploy and test their web application.
In VMM, a service is a set of one or more virtual machines that you deploy and manage together as
a single entity. You configure these machines to run together to provide a service. In VMM in Windows
Server 2008, users were able to deploy new virtual machines by using Self Service Portal. In VMM,
end-users can deploy new services. By deploying a service, users are actually deploying the whole
infrastructure, including the virtual machines, network connections, and applications that are required
to make the service work.
However, you can also use a service to deploy just a single virtual machine that has no specific
application purpose. Instead of deploying virtual machines in the historic way, you can now create a
service that will deploy a virtual machine with—for example—Windows Server 2008 R2, with several roles
and features preinstalled, and joined to a domain. This simplifies the process of creating, and later
updating, new virtual machines.
Deploying a new service requires a high level of automation and predefined components, and requires
management software support. This is why VMM provides service templates. A service template is a
template that encapsulates everything required to deploy and run a new instance of an application.
Just as a private cloud user can create new virtual machines on demand, the user can also use service
templates to install and start new applications on demand.
2. The end-user application owner (for example, a developer who has to deploy the application
environment) opens the App Controller console, and requests a new service deployment based
on available service templates that he or she can access. The developer can deploy the service to a
private cloud where a user has access. As an alternative to App Controller, the user can also use the
VMM Manager console.
3. A request is submitted and evaluated by the VMM server. VMM searches for available resources in
the private cloud, then checks the user's quota and verifies that the cloud has the capacity for the
requested service deployment.
4. The service is created automatically, and the virtual machines and applications (if any) are
deployed on the host that VMM selects.
5. The user application owner gains control over service virtual machines through the App Controller
console, or by RDP.
6. If you need manual approval for resource creation, you can use Microsoft System Center 2012 -
Service Manager to create workflows for this purpose.
Information Included in the Service Template
The service template includes information about the virtual machines that are deployed as part of the
service, which applications to install on the virtual machines, and the networking configuration needed
for the service (including the use of a load balancer). The service template can use existing virtual
machine templates. You can define the service without using any existing virtual machine templates.
However, it is much easier to build a service template if you have already created virtual machine
templates. After you create the service template, you configure it for deployment using the Configure
Deployment option.
Physical to Virtual and Virtual to Virtual Migrations
Many organizations have physical servers that they do not use fully. VMM can convert existing physical
computers into virtual machines through a process known as a physical-to-virtual (P2V) conversion. VMM
simplifies P2V by providing a task-based wizard to automate much of the conversion process. Because the
P2V process is scriptable, you can start large-scale P2V conversions through the Windows PowerShell
(Powershell.exe) command line.
During a P2V conversion process, VMM makes disk images of the hard disks on the physical computer. It
creates VHD files for the new virtual machine, using the disk images as a basis. Also, it creates a
hardware configuration for the virtual machine similar to, or the same as, the hardware in the physical
computer. The new virtual machine has the same computer identity (computer name, SID, and domain
computer account) as the physical computer on which it is based. Because of that, we do not recommend
that you use both a physical computer and its virtual replica concurrently: two computers presenting the
same identity conflict on the network and in the domain. After the P2V conversion is finished, you
typically disconnect the physical computer from the network and decommission it.
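The following PowerShell is an added example (not from the course) of the scripted P2V the text describes, using the VMM 2012 New-SCP2V cmdlet with the parameters as I understand them; the VMM server, host, source computer, path and sizing values are assumptions to adapt. Because the new virtual machine carries the source's identity, the script does not start it until the physical computer has stopped answering on the network.

```powershell
# Added example, not from the course. Requires the VMM 2012 console module.
# Server, host, source and sizing values are assumptions.
Import-Module VirtualMachineManager

$vmmServer = Get-SCVMMServer -ComputerName "LON-VMM1"                       # assumed
$vmHost    = Get-SCVMHost -VMMServer $vmmServer -ComputerName "LON-HOST2"   # assumed target host
$source    = "phys-app1.adatum.com"                                         # assumed physical server
$cred      = Get-Credential -Message "Account with local admin rights on $source (installs the P2V agent)"

# Convert the C: volume to a fixed-size VHD and build a 2 vCPU / 4 GB VM from it.
# Synchronous call: it returns the new VM object when the conversion completes,
# and the VM is left powered off.
$vm = New-SCP2V -VMMServer $vmmServer `
        -SourceComputerName $source -Credential $cred `
        -VMHost $vmHost -Name "PHYS-APP1-VM" -Path "C:\VMs" `
        -VolumeDeviceID "C" -Fixed `
        -CPUCount 2 -MemoryMB 4096

"Conversion finished: {0} ({1})" -f $vm.Name, $vm.Status

# Identity check before power-on: the VM is still off, so the name resolves to the
# physical box. If it answers, it is still on the network and must be shut down
# or disconnected first; running both would put two machines with the same name
# and computer account on the domain.
if (Test-Connection -ComputerName $source -Count 2 -Quiet) {
    Write-Warning "$source still answers on the network; not starting $($vm.Name)."
} else {
    Start-SCVirtualMachine -VM $vm | Out-Null
    "Started $($vm.Name) on $($vm.VMHost.Name)"
}
```

The ping test is deliberately simple; in an environment that blocks ICMP, replace it with whatever reachability check your network allows, but keep a check of some kind between conversion and power-on.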
In addition to converting underused physical computers, VMM supports the management, migration, and
conversion of other virtual machines that you create in a VMware environment. You can convert these
virtual machines to Hyper-V virtual machines, place them on Hyper-V hosts, and then manage them under
the VMM Administrator Console. Also, VMM and Hyper-V support migrating virtual machines from one host
to another with minimal or zero downtime.
VMM 2012 allows you to convert existing VMware virtual machines to virtual machines running on the
Hyper-V platform. This process is known as a V2V conversion. With V2V conversion, administrators can
easily and quickly consolidate a virtual environment that is running various virtual platforms without
rebuilding virtual machines from scratch or moving data.
VMM allows you to copy existing VMware virtual machines and create Hyper-V virtual machines. You can
copy VMware virtual machines that are on an ESX Server host, in the VMM library, or on a Windows share.
Although V2V is called a conversion, V2V is a read-only operation that does not delete or affect the
original source virtual machine. Also, the term conversion is dedicated only to the process of converting
VMware virtual machines. The term migration is used for Virtual Server machines.
Considerations for Deploying a Highly Available VMM Server
VMM now supports a highly available VMM server. You can use failover clustering to achieve high
availability for VMM, because VMM is now a cluster-aware application. However, you should consider
several things before you deploy a VMM cluster.
Before you begin the installation of a highly available VMM management server, ensure the following:
• You are prepared to use distributed key management to store encryption keys in AD DS. You must use
distributed key management for a highly available VMM management server.
• You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008 R2,
VMM will not automatically install a SQL Server Express edition.
Highly Available Databases and Library Servers
To achieve full redundancy, we recommend that you use a highly available SQL Server. You should install
a highly available SQL Server on a separate failover cluster from the failover cluster on which you are
installing the highly available VMM management server. Similarly, we also recommend that you use a
highly available file server for hosting your library shares.
During a planned failover, ensure that there are no tasks actively running on the VMM management
server. Any tasks that are executing during a failover will be stopped and will not restart automatically.
Any connections to a highly available VMM management server from the VMM console or the VMM Self-
Service Portal will also be lost during a failover. However, the VMM console can reconnect automatically
to the highly available VMM management server after a failover if it was opened before you performed
failover to another VMM server.
Lab Setup
Estimated time: 75 minutes
Password Pa$$w0rd
This lab should be performed with a partner. To perform this lab, you must boot the host computers
to Windows Server 2012. The host computers should be in this state from the previous lab in Module 8.
Make sure that you and your partner have booted into different hosts (one should boot to LON-Host1
and the other should boot to LON-Host2). Also, make sure that LON-DC1 is imported on LON-Host1 and
LON-SVR1 is imported on LON-Host2, and that these VMs are started.
Note: The drive letter may be different based upon the number of drives on the physical
host machine.
Results: After completing this exercise you will have Hyper-V replica configured.
5. On LON-HOST2, open Disk Management and initialize and bring online all iSCSI drives
o Name it VMCluster
2. Verify that all three iSCSI disks appear available for cluster storage.
3. Add the disk with the volume name of ClusterVMs to Cluster Shared Volumes.
4. From the VMCluster.adatum.com node, select More Actions and then configure the Cluster
Quorum Settings to use typical settings.
2. Connect to TestClusterVM and make sure that you can operate it.
• Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
Review Question
Do you have to implement CSV in order to provide high availability for virtual machines in VMM in
Windows Server 2008 R2?
Module 10
Implementing Dynamic Access Control
Contents:
Module Overview 10-1
Module Overview
Windows Server 2012 introduces Dynamic Access Control for enhancing access control for file- and
folder-based resources. Dynamic Access Control extends regular New Technology File System (NTFS)-
based access control by enabling administrators to use claims, resource properties, rules and conditional
expressions to manage access. In this module you will learn about Dynamic Access Control and how to
plan for and implement it.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Dynamic Access Control
Dynamic Access Control is a new technology for access management in Windows Server 2012. It offers a
new way of controlling access to resources. Before you implement this technology, you should learn how
it works and which components it uses. This lesson presents an overview of Dynamic Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
• Define Dynamic Access Control.
• Define identity.
What Is Dynamic Access Control?
Because most of the data in an organization is stored on file servers, IT administrators must help
provide security and access control to file server resources. In previous versions of Windows Server,
most access control to file server resources was controlled by using NTFS permissions and access
control lists.
Dynamic Access Control provides:
• Optional RMS protection integration. Automatic Rights Management Services (RMS) encryption for
sensitive Microsoft® Office documents. For example, you can configure RMS to encrypt all documents
containing Health Insurance Portability and Accountability Act (HIPAA) information.
• Auditing for compliance and analysis. Enable targeted auditing across file servers for compliance
reporting and forensic analysis.
• Protecting sensitive information. Identify and protect sensitive information both in a Windows
Server 2012 environment and when it leaves the Windows Server 2012 environment.
Dynamic Access Control provides a flexible way to apply and manage access and auditing on domain-based
file servers. Dynamic Access Control uses claims in the authentication token, resource properties on the
resource, and conditional expressions within permission and auditing entries. With this combination of
features, you can now grant access to files and folders based on Active Directory attributes.
Foundation Technologies for Dynamic Access Control
Dynamic Access Control combines many Windows Server 2012 technologies to provide a robust, flexible, and
granular authorization and auditing experience. Dynamic Access Control uses these fundamental
technologies:
• Network protocols, such as TCP/IP, Remote Procedure Call (RPC), Server Message Block (SMB), and
Lightweight Directory Access Protocol (LDAP). For network communications between hosts, interaction
with the file system, and directory lookups, respectively.
• Domain Name System (DNS). For host name resolution.
• Active Directory Domain Services (AD DS) and its dependent technologies. For enterprise network
management.
• File Classifications. For file categorization.
• Kerberos authentication support for user claims and device claims.
• Improved File Classification Infrastructure.
Dynamic Access Control Versus Alternative Technologies
Dynamic Access Control is a new technology for controlling access to file-based resources. It does not
overlap with older, well-known technologies with a similar purpose. Instead, Dynamic Access Control
extends the functionality of older technologies for controlling file-based resource access.
In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS
permissions. By using NTFS permissions and their Access Control Lists (ACLs), administrators can control
access to resources based on user name or group membership, and the level of access, such as Read-only,
Change, Full Control, etc.
However, once you provide someone with, for example, Read-only access to a document, you cannot prevent
that person from copying the content of that document into a new document or printing the document. By
implementing AD RMS, you can establish an additional level of control. Unlike NTFS permissions, which
are not application aware, AD RMS sets a policy that can control document access inside the application
that is being used to open it. By implementing AD RMS, you enable users to additionally protect
documents within applications.
What Is an Identity?
We usually define identity as a set of data that uniquely describes a person or a thing (sometimes
referred to as a subject or entity) and contains information about the subject's relationships to other
entities. Identity is usually proved by using some trusted source of information. For example, when you
go to the airport, you show your passport. Your passport contains your name, address, date of birth,
and photograph. Each item of personal information is a claim that is made about you by the country
issuing your passport. Your country ensures the information published in
a passport is accurate for the passport owner. Since you usually use the passport outside of your
country of residence, other countries must also trust the information in your passport. They must trust
the organization that issued your passport and consider it reliable. Based on that trust, other
countries grant you access to their territory (which can be considered as a resource).
In other words, to access resources in other countries, each person is required to have a document
(passport) that is issued by a reliable and trusted source and that contains some critical claims that
describe the person.
We can then say that identity, with respect to authentication and authorization, is simply information
published about an entity from a trusted source. The information is considered authoritative because the
source is trusted.
Earlier versions of Windows Server used the security identifier (SID) to represent the identity of a
user or computer. Users authenticate to the domain with a specific user name and password. The unique
logon name translates into the SID. The domain controller validates the password and publishes the SID
of the security principal and the SIDs of all the groups of which the principal is a member. The domain
controller "claims" that the user's SID is valid and should be used as the identity of the user. All
domain members trust the domain controller; therefore, the response is treated as authoritative.
Identity is not limited to the user's SID. Applications can use any information about the user as a form
of identity, provided that the application trusts the source of the information to be authoritative. For
example, many applications implement role-based access control. Role-based access control limits access
to resources based on whether the user is a member of a specific role. SharePoint Server is a good
example of software that implements role-based security. Windows Server 2012 can also take advantage of
these options to extend and enhance the way identity is determined for a security principal.
What Is a Claim?
Windows Server 2008 and Windows Server 2003 use claims in Active Directory Federation Services (AD FS).
In this context, claims are statements made about users (for example, name, identity, key, group,
privilege, or capability), which are understood by both partners in an AD FS federation. AD FS also
introduced AD DS-based claims and the ability to convert AD DS-based claim data into Security Assertion
Markup Language (SAML) format. In previous versions of AD FS, the only attributes that could be retrieved
from AD DS and directly incorporated into a claim were SID information for user and group accounts. All
other claim information was defined within and referenced from a separate database, known as an
attribute store. New in Windows Server 2012 is the
An entity can contain more than one claim. When configuring resource access, any combination of those
claims can be used to authorize access to resources.
In Windows Server 2012, the authorization mechanism is extended so that you can use claims for
authorization on files and folders, besides using just NTFS permissions based on a user's SID or group
SIDs. By using claims, you can now base your access control not only on the SID, but also on other
attribute values. Because the SID is also an attribute of a user or computer object, we can say that
older authorization mechanisms are, in a way, subsets of claims-based authorization.
Windows Server 2012 introduces two new types of claims: user claims and device claims. Windows Server
2012 continues to enable you to use group membership for authorization decisions.
User Claim
A user claim is information provided by a Windows Server 2012 domain controller about a user. Windows
Server 2012 domain controllers can use most AD DS user attributes as claim information. This provides
administrators with a wide range of possibilities to configure and use claims for access control.
Device Claim
A device claim is information provided by a Windows Server 2012 domain controller about a device
represented by a computer account in AD DS. As with a user claim, a device claim, often called a
computer claim, can use most of the AD DS attributes that are applicable to computer objects.
What Is a Central Access Policy?
One of the fundamental components in Dynamic Access Control technology is Central Access Policy. It is a
feature in Windows Server 2012 that enables administrators to create a policy that is applied to one or
more file servers. This policy is created in Active Directory Administrative Center, stored in AD DS, and
applied by using Group Policy. A Central Access Policy contains one or more Central Access Policy rules.
Each rule contains settings that determine applicability and permissions.
Before you create a Central Access Policy, it is mandatory that you create at least one Central Access
Rule. A Central Access Rule defines all parameters and conditions that control access to a specific
resource.
• Name: For each Central Access Rule you should configure a descriptive name.
• Target resources: A condition that defines which data the policy applies to. This is defined by
specifying an attribute and its value. For example, a particular central policy might apply to any data
classified as Sensitive. You can also choose to apply the rule to all resources where the Central Access
Policy applies.
• Permissions: A list of one or more access control entries (ACEs) that define who can access the data.
For example, you can specify Full Control access to a user with the attribute EmployeeType populated
with FTE. This is the key component of each Central Access Rule. You can combine and group conditions
that you place in a central access rule. You can set permissions as proposed (for staging purposes) or
current.
After you configure one or more central access rules, you then place these rules in Central Access Policy
which is applied to the resources.
Central Access Policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACL) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central policy that is applied to the file restricts access to the
same user, the user cannot obtain access to the file. Likewise, if the central access policy allows access but
the DACL does not allow access, then the user cannot obtain access to the file.
Before you implement Central Access Policy, you should perform these steps:
5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a
Central Access Policy exists in AD DS.
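To make the pieces in this lesson concrete, here is an added PowerShell example (not from the course) that creates a claim type sourced from the AD DS department attribute for both users and computers (a user claim and a device claim), enables the built-in Department resource property, writes a central access rule that requires both the user's and the device's department to match the resource's, and puts the rule in a central access policy. The claim ID, names, SDDL and the "Finance" value are assumptions. The rule's ACL is written as proposed first, which is the staging mode the text mentions: file servers log what the rule would have changed without enforcing it.

```powershell
# Added example, not from the course. Run on a Windows Server 2012 DC or a
# machine with RSAT; names, IDs and values are assumptions.
Import-Module ActiveDirectory

# 1. One claim type, sourced from "department", that is issued for users
#    (user claim) and for computers (device claim).
$claimId = "ad://ext/Department"   # assumed fixed ID so the SDDL below can reference it
if (-not (Get-ADClaimType -Filter { DisplayName -eq "Department" })) {
    New-ADClaimType -DisplayName "Department" -ID $claimId `
                    -SourceAttribute department `
                    -AppliesToClasses @("user", "computer")
}

# 2. Resource property: enable the built-in Department_MS and publish it to
#    file servers through the global resource property list.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 3. Central access rule. Target: resources tagged Department = Finance.
#    Permission: Modify (0x1301bf) for authenticated users only when the user's
#    AND the device's department claims equal the resource's department;
#    owner, Administrators and SYSTEM keep Full Control.
$resourceCondition = '(@RESOURCE.Department_MS == "Finance")'
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1301bf;;;AU;((@USER.' + $claimId + ' == @RESOURCE.Department_MS) && ' +
       '(@DEVICE.' + $claimId + ' == @RESOURCE.Department_MS)))'

$ruleName = "Finance data - matching user and device department"
if (-not (Get-ADCentralAccessRule -Filter { Name -eq $ruleName })) {
    New-ADCentralAccessRule -Name $ruleName `
        -ResourceCondition $resourceCondition `
        -ProposedAcl $acl `
        -Description "Staged: proposed permissions only, audit before promoting"
}

# 4. Central access policy that carries the rule; Group Policy then makes
#    file servers aware of it (step 5 in the text).
$policyName = "Finance Central Access Policy"
if (-not (Get-ADCentralAccessPolicy -Filter { Name -eq $policyName })) {
    New-ADCentralAccessPolicy -Name $policyName
}
Add-ADCentralAccessPolicyMember -Identity $policyName -Members $ruleName

# 5. After reviewing the staging audit events, promote the proposed ACL to current:
# Set-ADCentralAccessRule -Identity $ruleName -CurrentAcl $acl
```

Because the rule only narrows access, it works alongside the DACL as the text describes: a user still needs both the folder's NTFS permission and a token carrying a matching department claim. On a Windows 8 or Windows Server 2012 member, whoami /claims lists the user and device claims that actually reached the token, which is the first thing to check when a rule does not behave as expected.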
Lesson 2
Planning for a Dynamic Access Control Implementation
Dynamic Access Control is a technology that requires detailed planning before implementation. You should
identify reasons to implement Dynamic Access Control, as well as plan for Central Access Policy, file
classifications, auditing, and access denied assistance. In this lesson, you will learn about planning
Dynamic Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
In general, you should use Dynamic Access Control instead of traditional methods for implementing access
control when you want to use more specific information for authorization purposes. NTFS and share
permissions use only user or group objects, but if you want to implement more complex access control
scenarios, you should use Dynamic Access Control.
Planning for Central Access Policy
Implementing Central Access Policy is not mandatory for Dynamic Access Control. However, for consistent
configuration of access control on all file servers, we recommend implementing Central Access Policy. By
doing that, you enable all file servers to use Central Access Policy when protecting content in shared
folders.
You should first identify the resources that you want to protect. If all these resources are on one file
server or in just one folder, then you might not have to implement Central Access Policy. Instead, you
can configure conditional access on the folder's ACL. If resources are distributed across several servers
or folders, then you can benefit from deploying Central Access Policy. Examples of data that might
require protecting are payroll records, medical history data, employee personal information, company
customer lists, and so on. You can also use targeting within central access rules to identify resources
where you want to apply central access policy.
• All documents that have the property Confidentiality set to High must be available only to managers.
Note: You are not required to use user claims to deploy central access policies. You can use
security groups to represent user identities.
Planning File Classifications
When planning the implementation of Dynamic Access Control, you should include File Classifications in complete scenarios. Although file classifications are not mandatory for Dynamic Access Control, they can greatly enhance the automation of the entire process. For example, if you require that all documents with the classification Confidentiality: High must be accessible to top management only, regardless of the server on which the documents exist, you should first ask yourself how you identify these documents, and how to classify them appropriately.
File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file. Classification properties are defined centrally in AD DS so that these definitions can be shared across file servers in the organization. You can create classification rules that scan files for a standard string or for a string that matches a pattern (regular expression). When a configured classification parameter is found in a file, that file is classified as configured in the classification rule.
When planning for file classifications, you should do the following:
• Identify which classification or classifications you want to apply to documents.
Planning File Access Auditing
In Windows Server 2008 R2 and Windows Server 2012, you can use the new advanced audit policies to implement more detailed and more precise auditing on the file system. In Windows Server 2012, you can also implement auditing together with Dynamic Access Control to take advantage of the new Windows security auditing capabilities. By using conditional expressions, you can configure auditing to be implemented only in specific cases. For example, you might want to audit attempts to open shared folders only by users located in countries other than the country where the shared folder is located.
With Global Object Access Auditing, administrators can define computer SACLs per object type for either
the file system or registry. The specified SACL is then automatically applied to every object of that type.
You can use a Global Object Access Audit Policy to enforce the object access audit policy for a computer,
file share, or registry without configuring and propagating conventional SACLs. Configuring and
propagating SACLs is a more complex administrative task and it is difficult to verify, particularly if you
must verify to an auditor that security policy is being enforced.
Auditors can prove that every resource in the system is protected by an audit policy by just viewing the
contents of the Global Object Access Auditing policy setting.
Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access
Auditing policy to log all activity for a specific user and enabling the Access Failures audit policies in a
resource (file system, registry) can help administrators quickly identify which object in a system is denying
a user access.
You should make an audit plan before you implement any auditing. In the auditing plan you should
identify resources, users, and activities that you want to track. You can implement auditing for several
scenarios, such as:
• Tracking changes to user and machine attributes. As with files, users and machine objects can have
attributes, and changes to these can affect whether users can access files. Therefore it can be valuable
to track changes to user or machine attributes. Users and machine objects live in AD and therefore
changes to their attributes can be tracked using Directory Service Access Auditing.
• Get more information from user logon events. In Windows Server 2012, the user logon event (4624) contains information about the attributes (claims) of the user who logged on. You can take advantage of this additional information by using audit log management tools to correlate user logon events with object access events, and enabling event filtering based on both file attributes and user attributes.
• Provide more information from object access auditing. In Windows Server 2008 R2 and Windows
Server 2012 File Access events (4656, 4663) now contain information about the attributes of the file
that was accessed. This additional information can be used by event log filtering tools to help you
identify the most relevant audit events.
• Track changes to Central Access Policies, Central Access Rules and Claims. These objects define the
central policy that you can use to control access to critical resources. Tracking changes to these could
be important for the organization. Since all of these objects are stored in AD DS you can audit them
just as any other securable object in Active Directory by using the Directory Service Access Auditing.
• Tracking changes to file attributes. File attributes determine which Central Access Policy applies to the
file. A change to the file attributes can potentially affect the access restrictions on the file. You can
track changes to file attributes on any machine by configuring Authorization Policy Change auditing
and Object Access auditing for File Systems. Event 4911 has been introduced to differentiate this
event from other Authorization policy change events.
Planning Access Denied Assistance
Access Denied Assistance helps end users to determine the reason why they cannot access a resource. It also helps IT staff to properly diagnose a problem and properly direct the resolution. Windows Server 2012 enables you to customize access denied messages as well as to provide users with the ability to request access without contacting the help desk or IT team. In combination with DAC, Access Denied Assistance can inform the file administrator of the user and resource claims, enabling them to make educated decisions to adjust policies or fix user attributes (for example, if the department is written as HR instead of Human Resources).
• Plan for the message that users see when they try to access a resource where they do not have access rights. It is important that the message is informal and easy to understand.
• Create the email text that users use to request access. If you allow users to request access for resources, you can prepare text that is added to the end of their email message.
• Determine the recipients for access request email messages. You can choose that the email is sent to folder owners, file server administrators, or any other specified recipient. It is important that messages are always directed to the proper person. If you have a help desk tool or monitoring solution which accepts emails, you can also direct those emails to automatically generate user requests in your help desk solution.
Planning Policy Changes
After you implement a Dynamic Access Control infrastructure, you might have to implement changes. For example, you might have to change some conditional expression, or you might want to change claims. You must carefully plan any change to Dynamic Access Control components.
Lesson 3
Implementing and Configuring Dynamic Access Control
To implement and configure Dynamic Access Control you must perform several steps and configure several objects. In this lesson, you will learn about implementing and configuring Dynamic Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
Prerequisites for Implementing Dynamic Access Control
Because Dynamic Access Control is a new technology in Windows Server 2012, you must ensure that certain prerequisites are fulfilled before implementation.
To implement claims-based authorization for resource access, you must implement the following:
• At least one Windows Server 2012 domain controller accessible by the Windows client computer in the user's domain. The new authorization and auditing mechanism requires extensions to AD DS. These new extensions build the Windows claim dictionary, which is where Windows stores claims for an Active Directory forest. Claims authorization also relies on the Kerberos Key Distribution Center (KDC). The Windows Server 2012 KDC contains Kerberos enhancements required to transport claims within a Kerberos ticket and Compound Identity. The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring. Kerberos armoring is an implementation of Flexible Authentication Secure Tunneling (FAST). It provides a protected channel between the Kerberos client and the KDC.
• Windows Server 2012 domain controllers in each domain when using claims across a forest trust.
Note: Implementing Dynamic Access Control in a multiple forest scenario has additional setup requirements.
Enabling Support in AD DS for Dynamic Access Control
After fulfilling the software requirements for enabling Dynamic Access Control support, you must enable claim support for the Windows Server 2012 KDC. Kerberos support for Dynamic Access Control provides a mechanism for including user claim and device authorization information in a Windows authentication token. Access checks on resources, such as files and folders, use this authorization information to verify identity.
Whichever method you choose, you should open the Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\KDC. In this node, open the setting called KDC support for claims, compound authentication and Kerberos armoring (the courseware text also refers to this setting as Support Dynamic Access Control and Kerberos armoring).
You can configure this policy setting by choosing one of the four listed options:
• Support Dynamic Access Control and Kerberos armoring
• Always provide claims and FAST RFC behavior
You use the remaining policy settings when all the domain controllers are Windows Server 2012 domain controllers and the domain functional level is configured to Windows Server 2012. The Always provide claims and FAST RFC behavior policy setting and the Also fail unarmored authentication requests policy setting enable Dynamic Access Control and Kerberos armoring for the domain. However, the latter policy setting requires all Kerberos Authentication Service (AS) and Ticket-Granting Service (TGS) communication to use Kerberos armoring.
Windows Server 2012 domain controllers read this configuration, while other domain controllers ignore this setting.
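The same KDC and Kerberos client settings can be deployed by script. The following is an added example, not part of the courseware, that creates and links the two GPOs with the GroupPolicy module and then shows how to confirm on a client that claims are actually being issued. The registry value names that back the two ADMX settings (EnableCbacAndArmor, CbacAndArmorLevel) and the numeric meaning of the level are assumptions to verify against the KDC and Kerberos ADMX files on your system; the Test OU is the lab's.

```powershell
# Added example (not from the courseware). Creates two GPOs that back the KDC and Kerberos
# client settings discussed above, links them, and shows how to confirm that claims flow.
# Assumptions: the Policies-hive value names below are what the ADMX templates write
# (EnableCbacAndArmor, CbacAndArmorLevel); level 1 = Supported, 2 = Always provide claims,
# 3 = Fail unarmored authentication requests. Verify against KDC.admx / Kerberos.admx.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$kdcKey   = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters"
$cliKey   = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

function Set-DacKdcPolicy {
    # Level 1 ("Supported") is the safe choice while pre-2012 DCs remain: 2012 DCs answer
    # claim requests, older DCs ignore the setting. Move to 2 or 3 only at the 2012 DFL,
    # because 3 rejects every unarmored AS/TGS exchange.
    param([ValidateSet(1, 2, 3)][int]$Level = 1)
    $gpo = Get-GPO -Name "DAC - KDC support" -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name "DAC - KDC support" }
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $kdcKey -ValueName "EnableCbacAndArmor" -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $kdcKey -ValueName "CbacAndArmorLevel"  -Type DWord -Value $Level | Out-Null
    # Linking to the Domain Controllers OU is what makes the KDCs read it; other machines ignore it.
    New-GPLink -Name $gpo.DisplayName -Target "OU=Domain Controllers,$domainDN" -ErrorAction SilentlyContinue | Out-Null
    $gpo
}

function Set-DacKerberosClientPolicy {
    # Without this client-side setting, Windows 8 / Server 2012 clients never ask the KDC for
    # claims, so the file server silently falls back to plain group membership.
    param([string]$TargetOU = "OU=Test,$domainDN")   # "Test" OU is the lab's; adjust
    $gpo = Get-GPO -Name "DAC - Kerberos client support" -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name "DAC - Kerberos client support" }
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $cliKey -ValueName "EnableCbacAndArmor" -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $gpo.DisplayName -Target $TargetOU -ErrorAction SilentlyContinue | Out-Null
    $gpo
}

Set-DacKdcPolicy -Level 1
Set-DacKerberosClientPolicy

# Check on a client after 'gpupdate /force' and a fresh logon (claims go into the TGT at logon):
#   whoami /claims      lists the user claims the KDC issued; empty until a claim type exists
#                       and the client has received the policy.
#   Get-GPResultantSetOfPolicy -ReportType Html -Path C:\rsop.html   confirms both settings applied.
```

The two GPOs are kept separate on purpose: the KDC setting belongs only on domain controllers, while the client setting has to reach every computer that will access DAC-protected shares.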
Implementing Claims and Resource Property Objects
After you enable support for Dynamic Access Control in AD DS, you next create and configure claims and resource property objects.
Creating and Configuring Claim Types
The primary method to create and configure claims is to use the Active Directory Administrative Center (ADAC) console. You use ADAC to create attribute-based claims, which are the most common. However, you can also use the Active Directory Module for Windows PowerShell® to create certificate-based claims. All claims are stored in the configuration partition of AD DS. Because this partition is forest wide, all domains within that forest share the claim dictionary, and domain controllers from those respective domains issue claim information during user and computer authentication.
In the Actions pane, when you click Create Claim Type, you see the list of attributes. These attributes (for user or computer objects) are used to source values for claims. When you create a claim, you associate the claim to the specific attribute. The value of that attribute is populated as a claim value. It is therefore important that information contained in Active Directory attributes that are used to source claim types contains accurate information, or remains blank.
When you select the attribute that you want to use to create a claim, you also must provide a name for the claim. The suggested name for the claim is always the same as the selected attribute name. However, you can also provide an alternate or more meaningful name for the claim. Optionally, you can also provide suggested values for a claim. This is not mandatory, but if you do it, you can reduce the possibility of making mistakes.
Note: Claim types are sourced from AD DS attributes. That is why you must configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer. Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute for the authenticating principal is empty. Depending on the configuration of the data file's Resource Property Object attributes, a null value in a claim may result in the user being denied access to DAC-protected data.
Creating and Configuring Resource Properties
Although evaluating resource properties is the very core of Dynamic Access Control, you should implement it after user and device claims have been defined. Keep in mind that if a claim does not match the specified resource property value, then access to the data is denied. To reverse the order of implementation, then, would risk inadvertently blocking users from data that they otherwise should be able to access. When you use claims to control access to files and folders, you must also provide additional information on these resources. You do this by configuring Resource Property objects. You manage Resource Property objects in the Resource Properties container in the Dynamic Access Control node in ADAC. You can create your own resource properties or you can use one of the preconfigured properties, such as Country, Department, Folder Usage, etc. All predefined Resource Property objects are disabled by default. If you want to use any of them, you should first enable it. If you want to create your own Resource Property object, you can specify the property type and allowed or suggested values. When you create Resource Property objects you can select properties to include on the files and folders. Windows uses the values in these properties with the values from user and device claims when evaluating file authorization and auditing.
After you have configured user and device claims and resource properties, you must then protect the files and folders using conditional expressions that evaluate user and device claims against values within resource properties, or constant values. You can do this in two ways. If you want to focus on specific folders, you can use the advanced security settings editor to create conditional expressions directly in the security descriptor. Alternatively, to cover several (or all) file servers, you can create Central Policy rules and link those rules to Central Policy objects. You can then deploy Central Policy objects to file servers using Group Policy and configure the share to use the Central Policy object. Using Central Access Policies is the most efficient and preferred method for securing files and folders. It is discussed in the next topic. If you want to cover certain files with a common set of properties across various folders or files, you can also use file classification.
You can use claim and resource property objects together in conditional expressions. Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions simply add another applicable layer to the permission entry. The results of all conditional expressions must evaluate to true for Windows to grant the permission entry for authorization. For example, if you define the claim Department for a user (with the source attribute department), and define a resource property object called Dept, you can define a conditional expression that says: a user can access a folder (with applied resource property objects) only if the user attribute department value is equal to the value of the property Dept on the folder. Note, however, that if the resource property Dept has not been applied to the file(s) in question, or if Dept is a null value, then the user will be granted access to the data. To be clear: access is controlled not by the claim, but by the Resource Object. The claim must provide the correct value corresponding to the requirements set by the Resource Object. If the Resource Object does not involve a particular attribute, then additional or extra claim attributes associated with the user or device are ignored.
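The claim type, the resource property and the conditional permission entry described in the two preceding topics can be created end to end from PowerShell. The following is an added example, not part of the courseware, that builds the Department claim and Dept resource property pair from the text and then puts a conditional ACE on a folder that grants read access only when the two values match. It assumes that New-ADClaimType accepts a fixed identifier in the ad://ext/ form, that the resource property identifier Dept_MS is accepted as given, and that the FSRM COM object Fsrm.FsrmClassificationManager can stamp a folder with a property value; the folder path and the department names are constructed for the example.

```powershell
# Added example (not from the courseware): the Department claim / Dept resource property pair
# from the text, created with the ActiveDirectory module, then a conditional ACE on a folder
# that grants read access only when the two values match. Needs Enterprise Admin rights (the
# objects live in the configuration partition) and FSRM on the file server for the stamping.
# Assumptions: New-ADClaimType accepts a fixed -ID in ad://ext/ form, the resource property
# -ID is taken as given, and Fsrm.FsrmClassificationManager.SetFileProperty stamps a folder.
Import-Module ActiveDirectory

$deptValues = "Research", "Managers", "Sales"          # constructed sample departments
$suggested  = foreach ($v in $deptValues) {
    # (value, display name, description). Suggested values on both sides keep the user's
    # attribute and the folder's property spelled the same, which is all the match tests.
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($v, $v, "Department $v")
}

# 1. User claim sourced from the 'department' attribute. A fixed ID keeps the SDDL below stable;
#    by default the DC appends a random suffix (e.g. ad://ext/Department:88d8e6c0f1f5a1b4).
if (-not (Get-ADClaimType -Filter 'DisplayName -eq "Department"')) {
    New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -AppliesToClasses "user" `
        -ID "ad://ext/Department" -SuggestedValues $suggested -ProtectedFromAccidentalDeletion $true
}

# 2. Resource property 'Dept', single-valued choice, published in the Global Resource Property
#    List so that file servers download it on their next FSRM refresh.
if (-not (Get-ADResourceProperty -Filter 'DisplayName -eq "Dept"')) {
    New-ADResourceProperty -DisplayName "Dept" -ID "Dept_MS" -IsSecured $true `
        -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $suggested
    Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Dept_MS"
}

# 3. On the file server: stamp the folder first, then add the conditional ACE. An unstamped
#    folder gives the comparison nothing to evaluate, so stamp before you protect.
$folder = "C:\Docs\Research"                            # constructed path
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$cm = New-Object -ComObject Fsrm.FsrmClassificationManager
$cm.SetFileProperty($folder, "Dept_MS", "Research")

# XA = access-allowed callback (conditional) ACE; 0x1200a9 = Read & Execute; AU = Authenticated
# Users; OICI inherits the entry to new files and subfolders. Administrators and SYSTEM keep
# full control so that a claim mismatch can never lock out the operators.
$sddl = "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" +
        "(XA;OICI;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Dept_MS))"
$acl = Get-Acl -Path $folder
$acl.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $folder -AclObject $acl

# Read it back; the XA entry appears with its condition in Advanced Security Settings as well.
(Get-Acl -Path $folder).Sddl
```

A user whose department attribute is empty receives no Department claim at all (as the note above says), so the comparison cannot be true for them and the conditional entry grants nothing; only the explicit Administrators and SYSTEM entries remain.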
Implementing Central Access Rules and Policy
Central Access Policy enables you to manage and deploy consistent authorization throughout the enterprise through Central Access Rules and Central Access Policy objects.
The main component of Central Access Policy is Central Access Rule. In fact, Central Access Policy objects
represent a collection of Central Access Rule objects that you apply to Windows Server 2012 file servers
using Group Policy. You should create a Central Access Rule before you create Central Access Policy
because a Central Access Rule contains multiple criteria that Windows uses when evaluating access. A
Central Access Rule can use conditional expressions to target specific files and folders. Each Central
Access Rule has multiple permission entry lists that you use to manage the rule's current permission
entries, or proposed permission entries, or return the rule's current permission entry list to its last known
list of permission entries. Each Central Access Rule can be a member of one or more Central Access Policy
objects.
When you start to create a new Central Access rule, you must first provide a name and description for the
rule. You can also choose to protect the rule against accidental deletion.
Next, you configure Target Resources. You use the Target Resource section to create a scope of
applicability for the access rule. You create the scope by using resource properties within one or more
conditional expressions. To make it simple, you can keep the default value (All resources), but usually you
apply some resource filtering. You can join these conditional expressions using logical operators, such as
AND and OR. Additionally, you can group conditional expressions together to combine the result of two
or more joined conditional expression. The Targeted Resource box displays the currently configured
conditional expression that is used to control the rule's applicability.
Finally, you configure permissions. There are two choices for permissions:
Use this option to add the permission entries in the permission list to the list of proposed permission
entries for the newly created Central Access Rule. You use the proposed permission list combined
with file system auditing, to model the effective access users have to the resource without changing
the permission entries in the current permissions list. Proposed permissions write a special audit event
to the event log that describes the proposed effective access for the user.
Use this option to add the permission entries in the permission list to the list of current permissions
entries for the newly created Central Access Rule. The current permissions list represents the
additional permissions Windows considers when the Central Access Rule is deployed to a file server.
Central Access Rules do not replace the existing security. When making authorization decisions,
Windows evaluates permission entries from Central Access Rule's current permissions list, NTFS, and
share permissions lists.
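The rule and policy objects above, including the proposed-permissions staging, can be created with the ActiveDirectory module. The following is an added example, not part of the courseware: it creates the two rules the lab names, stages the stricter one as proposed permissions so that staging events show who would lose access before it is enforced, and collects them into one policy. It assumes the claim type identifier ad://ext/Department and the resource property identifiers Dept_MS and Confidentiality_MS exist with those identifiers, that the groups Managers and ManagersWKS exist (the lab creates ManagersWKS), and that staging discrepancies are logged as Security event 4818.

```powershell
# Added example (not from the courseware). Creates the two rules the lab names, puts them in one
# central access policy, and stages the stricter rule as proposed permissions so that event 4818
# reports who would lose access before it is enforced. Assumptions: the claim type ID
# ad://ext/Department and the resource property IDs Dept_MS and Confidentiality_MS exist with
# those identifiers, and the groups Managers and ManagersWKS exist.
Import-Module ActiveDirectory

function New-DacRule {
    # A central access rule carries a targeting condition (which files it applies to) and two
    # DACLs in SDDL: CurrentAcl is enforced, ProposedAcl is only audited.
    param(
        [string]$Name,
        [string]$ResourceCondition,
        [string]$CurrentAcl,
        [string]$ProposedAcl
    )
    if (Get-ADCentralAccessRule -Filter "Name -eq '$Name'") { return Get-ADCentralAccessRule -Identity $Name }
    $params = @{ Name = $Name; ResourceCondition = $ResourceCondition; CurrentAcl = $CurrentAcl
                 ProtectedFromAccidentalDeletion = $true }
    if ($ProposedAcl) { $params.ProposedAcl = $ProposedAcl }
    New-ADCentralAccessRule @params -PassThru
}

# Owner, Administrators and SYSTEM keep full control in every rule; 0x1200a9 is Read & Execute.
$base = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)'

# Rule 1: targets only files that carry a Dept_MS value; readable when the user's Department
# claim equals it. Files without the property are outside the rule's scope, as the text notes.
New-DacRule -Name "Department Match" `
    -ResourceCondition '(Exists @RESOURCE.Dept_MS)' `
    -CurrentAcl ($base + '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Dept_MS))')

# Rule 2: Confidentiality = High. Enforced today: any authenticated user may read (the pre-DAC
# state). Staged: user in Managers AND device in ManagersWKS (the lab's two conditions).
$managersSid = (Get-ADGroup "Managers").SID.Value
$wksSid      = (Get-ADGroup "ManagersWKS").SID.Value
New-DacRule -Name "Protect confidential docs" `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == "High")' `
    -CurrentAcl  ($base + '(A;;0x1200a9;;;AU)') `
    -ProposedAcl ($base + "(XA;;0x1200a9;;;AU;(Member_of {SID($managersSid)} && Device_Member_of {SID($wksSid)}))")

# The policy is the unit that Group Policy pushes to file servers and that a folder's
# Central Policy tab references.
if (-not (Get-ADCentralAccessPolicy -Filter "Name -eq 'Document access policy'")) {
    New-ADCentralAccessPolicy -Name "Document access policy" -ProtectedFromAccidentalDeletion $true
}
Add-ADCentralAccessPolicyMember -Identity "Document access policy" -Members "Department Match", "Protect confidential docs"

# Staging only produces events when the subcategory is on. On the file server, run
#   auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable
# then review the discrepancies between current and proposed access:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the staging log shows only expected discrepancies, promote the rule by moving the ProposedAcl string into CurrentAcl with Set-ADCentralAccessRule; the previous DACL is retained in the rule's PreviousAcl so it can be rolled back.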
Implementing File Access Auditing
The Global Object Access Auditing feature in Windows 8 and Windows Server 2012 enables you to configure object access auditing for every file and folder in the file system on the computer. You use this policy setting to centrally manage and configure Windows to monitor every file and folder on the computer. To enable object access auditing in previous versions of Windows Server, you had to configure this option in basic audit policies (in GPOs), and also turn on auditing for a specific security principal in the System Access Control List (SACL) of the object. Sometimes this approach did not easily reconcile with company policies such as "Log all administrative write activity on servers containing Finance information," because you could not turn on object access audit logging at the server level but only at the object level.
The new audit category in Windows Server 2008 R2 and Windows Server 2012 enables administrators to manage object access auditing using a much wider scope.
You configure Global Object Access Auditing when you enable Object Access auditing and Global Object Access Auditing. Enabling Object Access auditing turns on auditing for the computer that applies the policy setting. However, enabling auditing alone does not always generate auditing events. The resource, in this instance files and folders, must contain audit entries.
We recommend configuring Global Object Access Auditing for the enterprise by using the security policy of a domain-based GPO. The two security policy settings required to enable Global Object Access Auditing are located at these locations:
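On a single server the same two settings can be applied and verified with the built-in auditpol tool, which also shows how the resulting events look once the file system carries DAC resource properties (the 4663 events with file attributes mentioned in the auditing planning topic). The following is an added example, not part of the courseware; it assumes that the EventData field carrying the file's resource properties in a Windows Server 2012 event 4663 is named ResourceAttributes.

```powershell
# Added example (not from the courseware). Turns on Global Object Access Auditing for the file
# system with auditpol (the GPO path above is the domain-wide equivalent) and pulls the
# resulting 4663 events. Assumption: the EventData field that carries the file's resource
# properties on Windows Server 2012 is named ResourceAttributes.

# 1. The File System subcategory must be on, otherwise no SACL is ever consulted (the text's
#    "enabling auditing alone does not always generate auditing events").
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Global SACL for every file and folder on this computer: write access (FW) by anyone,
#    success and failure. This is what replaces per-object SACL propagation.
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW | Out-Null

# 3. What an auditor reads back to prove the policy is in force on this computer.
auditpol /resourceSACL /type:File /view

function Get-FileAccessAuditEvent {
    # Flattens 4663 (object access) events into one row per access, including the DAC resource
    # attributes, so you can filter on the file's classification rather than on its path.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time               = $_.TimeCreated
                User               = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object             = $data.ObjectName
                AccessMask         = $data.AccessMask
                ResourceAttributes = $data.ResourceAttributes
            }
        }
}

# Example filter: who touched anything classified Confidentiality = High.
Get-FileAccessAuditEvent -MaxEvents 200 |
    Where-Object { $_.ResourceAttributes -like '*Confidentiality_MS*High*' } |
    Format-Table -AutoSize
```

A global SACL for write access by Everyone on a busy file server is noisy; narrow /user: to the group you care about (for example an administrators group, matching the "Log all administrative write activity" policy quoted above) before turning it on in production.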
Implementing Access Denied Assistance
One of the most common errors that users receive when they try to access a file or folder on a remote file server is an access denied error. Usually, this error occurs when a user tries to access a resource without having the proper permission, or because of incorrectly configured permissions or a misconfigured resource access control list (ACL). If you are using Dynamic Access Control, things can be even more complicated. Users who might have permissions, but for whom, for example, a relevant attribute in their account is misspelled, will not be granted access. When users receive this kind of error, they usually try to contact the administrator to obtain access. However, administrators usually do not approve access to resources, so users are then redirected to someone else for approval.
In Windows Server 2012 there is a new technology to help both users and administrators in such situations. This technology is called Access Denied Assistance. It helps users respond to access denied issues without involving IT staff by providing information about the problem and directing users to the proper person.
Access-denied Remediation
The Access Denied Assistance technology in Windows Server 2012 provides three ways for troubleshooting issues with access denied errors:
• Self-remediation. Windows Server 2012 provides a way to create customized access-denied messages that are authored by the server administrator. By using the information in these messages, users can try to self-remediate access-denied cases. For example, the user may be directed to first map to a computer using a particular drive letter. The message can also include URLs to direct the users to self-remediation websites that are provided by the organization. For example, the URL might direct the user to change their password for an application or download a refreshed copy of client-side software.
You enable Access Denied Assistance by using Group Policy. You open the Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance. In this node, you can enable Access Denied Assistance, and also provide customized messages for users. Alternatively, you can also use the File Server Resource Manager console to enable access-denied assistance. However, if this feature is enabled in Group Policy, the appropriate settings in the File Server Resource Manager console are disabled for configuration.
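The three planning items from Lesson 2 (the message, the request email text, and the recipients) map onto one FSRM setting on the file server. The following is an added example, not part of the courseware, that configures it with the FileServerResourceManager module; the cmdlet and parameter names are the Windows Server 2012 FSRM ones as the editor recalls them and should be checked with Get-Command Set-FsrmAdrSetting -Syntax, the mailbox address is a placeholder, and the message text is the one the lab uses.

```powershell
# Added example (not from the courseware): configure Access Denied Assistance on one file server
# with the FileServerResourceManager module, covering the three planning items (message, e-mail
# text, recipients). Cmdlet and parameter names are as recalled for Windows Server 2012 FSRM;
# verify with Get-Command Set-FsrmAdrSetting -Syntax. The mailbox is a placeholder. If the
# Access-Denied Assistance GPO applies to this server, the GPO wins and these values become
# read-only in the FSRM console.
Import-Module FileServerResourceManager

$ada = @{
    Event               = 'AccessDenied'
    Enabled             = $true
    DisplayMessage      = 'You are denied access because of permission policy. Please request access.'
    EmailMessage        = 'State which share or file you need and why; the folder owner will review your request.'
    AllowRequests       = $true        # adds the "Request assistance" option to the error dialog
    MailToOwner         = $true        # the folder owner receives the request ...
    MailCCAdmin         = $true        # ... and the file server administrators are copied
    MailTo              = 'helpdesk@example.com'   # placeholder; a ticketing mailbox turns the mail into a ticket
    IncludeUserClaims   = $true        # the DAC diagnostic payoff: the admin sees e.g. Department = "HR"
    IncludeDeviceClaims = $true        # when the rule expected "Human Resources"
}
Set-FsrmAdrSetting @ada

# Read back what is in effect on this server.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Enabled, DisplayMessage, AllowRequests, MailToOwner, MailCCAdmin, MailTo
```

Including the user and device claims in the request mail is what lets the recipient tell a genuine missing permission from a misspelled attribute without opening ADAC.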
Implementing File Classifications
To effectively implement Dynamic Access Control technology, you must have well-defined claims and resource properties. Although claims are defined by attributes of a user or a device, resource properties are most often manually created and defined. File Classifications enable administrators to define automatic procedures for setting a desired property on the file, based on a condition specified in a classification rule. For example, you can set the property Confidentiality to High on all documents whose content contains the word "secret." You can then use this property in Dynamic Access Control to specify, for example, that only employees with the attribute employeeType set to Manager can access those documents that are classified with high confidentiality.
In Windows Server 2008 R2 and Windows Server 2012, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.
Classification Management is designed to ease the burden and management of data that is spread out in the organization. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The File Classification Infrastructure in Windows Server 2008 R2 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification and apply corporate requirements for managing data based on business value.
You can use file classification to perform the following actions:
2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory based on installed classification plug-ins.
3. When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values. You can also use this to de-classify files that are no longer within the classification criteria.
3. Create Central Access rule to enable members of IT group to access resources if user department
attribute matches resource department.
Objectives
• Plan Dynamic Access Control Deployment and prepare AD DS for Dynamic Access Control.
Lab Setup
Estimated time: 90 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
b. Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1 and 20417A-LON-CL2.
The support department reports that a high number of calls are generated by users who cannot access
resources. You must implement a technology that helps users to better understand error messages as well
as enable them to automatically request access.
First, you will plan for Dynamic Access Control deployment. Then you must prepare your AD DS to
support Dynamic Access Control.
The main tasks for this exercise are as follows:
1. Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements.
Task 1: Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements
• Describe how you will design Dynamic Access Control to fulfill requirements for access control,
described in the scenario.
3. Move LON-CL1, LON-CL2 and LON-SVR1 computer objects into Test OU.
4. On LON-DC1, from Server Manager, open the Group Policy Management console.
5. Remove the Block Inheritance setting applied to the Managers OU. (This setting has been applied and
used in a later module of the course.)
7. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
8. Enable the KDC support for claims, compound authentication and Kerberos armoring policy setting.
11. Open Active Directory Users and Computers and create a security group called ManagersWKS in
Users container.
13. Verify that user Aidan Delaney is a member of the Managers department and Allie Bellew is a member of the Research department.
Results: After completing this exercise you will have a design for Dynamic Access Control and you will have prepared AD DS for the Dynamic Access Control implementation.
3. Open the Claim Types container and verify that there are no default claim types defined.
4. Open the Resource Properties container and note that all properties are disabled by default.
5. Open Resource Property Lists container and then open the properties of the Global Resource
Property List.
7. Click Cancel.
2. Open the Claim Types container, and create a new claim type for users and computers using the
following settings:
2. Create a new claim type for computers using the following settings:
Results: After completing this exercise you will have configured user and device claims.
2. Classify files.
5. Open the Global Resource Property List and make sure that Department and Confidentiality are
included in the list.
6. Click Cancel.
3. Refresh Classification Properties. Verify that Confidentiality and Department properties are in the
list.
o Property: Confidentiality
o Value: High
o Select Re-evaluate existing property values, and then click Overwrite the existing value.
6. Open Windows Explorer and open Properties for the files Doc1.txt, Doc2.txt and Doc3.txt in the C:\Docs folder.
7. Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.
Results: After this exercise, you will have configured resource properties and file classifications.
2. Click Dynamic Access Control and then open the Central Access Rules container.
o Permissions:
Set first condition to be: User-Group-Member of each-Value-Managers
Set second condition to be: Device-Group-Member of each-Value-ManagersWKS
2. Create new GPO named DAC Policy and link it to organizational unit Test.
5. Click both Department Match and Protect confidential docs, and then click Add. Click OK.
6. Close the Group Policy Management Editor and the Group Policy Management console.
4. Apply the Protect confidential docs Central Policy to the C:\Docs folder.
4. In the right pane double-click Customize Message for Access Denied errors.
5. In the Customize Message for Access Denied errors window click Enabled.
6. In the Display the following message to users who are denied access text box type: You are denied
access because of permission policy. Please request access.
8. Double-click Enable access-denied assistance on client for all file types and enable it.
9. Click OK and close the Group Policy Management Editor and the Group Policy Management console.
10. Switch to LON-SVR1, and refresh Group Policy.
Results: After completing this exercise you will have configured central access rules and policies.
4. Verify staging.
Note: You should be unable to see Doc1 and Doc2 since LON-CL2 is not permitted to view
secret documents.
5. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.
6. Double-click Audit File System. Select all three check boxes then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management console.
3. In the Proposed permissions section, configure a condition for Authenticated users as follows:
User-Company Department-Equals-Value-Marketing.
4. Switch to LON-SVR1 and refresh Group Policy.
2. Open Windows Explorer and attempt to access \\LON-SVR1\Research. You will be unsuccessful.
Click Close.
3. Switch to LON-SVR1.
4. From Server Manager, open Event Viewer and select the Security log. Look for events with Event
ID 4818.
5. In Select User, Computer, Service Account, or Group window type April, and then click Check
Names, and then click OK.
11. Click View Effective access. April should have access now.
Results: After this exercise you will have validated Dynamic Access Control functionality.
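The objects the lab builds in the Active Directory Administrative Center (claim type, resource properties, central access rules and policies) and the staging check on the file server, scripted with the Active Directory module. This is an added example, not part of the course lab; the claim type ID, the rule names and the SDDL strings are assumptions, while the group and property names (Managers, ManagersWKS, Department, Confidentiality) come from the lab scenario.

```powershell
# Added example (not course lab code): scripts the lab's Dynamic Access Control objects with
# the ActiveDirectory module on LON-DC1 and checks the staging audit on the file server.
# Assumptions: the claim type ID, the rule names and the SDDL strings below.
Import-Module ActiveDirectory

# 1. User claim sourced from the 'department' attribute. Setting -ID explicitly (assumed value)
#    lets the conditional ACEs below reference the claim without a lookup.
$deptClaimId = 'ad://ext/Department:lab01'          # constructed claim type ID
if (-not (Get-ADClaimType -Filter { DisplayName -eq 'Company Department' })) {
    New-ADClaimType -DisplayName 'Company Department' -SourceAttribute 'department' `
        -ID $deptClaimId -Enabled $true
}

# 2. Built-in resource properties are disabled by default; their IDs carry the _MS suffix.
'Department_MS', 'Confidentiality_MS' |
    ForEach-Object { Set-ADResourceProperty -Identity $_ -Enabled $true }

# 3. Conditional ACEs must reference groups by SID, so resolve them instead of hard-coding.
$managersSid    = (Get-ADGroup 'Managers').SID.Value
$managersWksSid = (Get-ADGroup 'ManagersWKS').SID.Value

# Rule A (assumed content): the user's department claim must equal the file's Department property.
New-ADCentralAccessRule -Name 'Department Match Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Managers", "Research"})' `
    -CurrentAcl "O:SYG:SYD:AR(XA;;FA;;;AU;(@USER.$deptClaimId == @RESOURCE.Department_MS))"

# Rule B: files classified Confidentiality=High require BOTH a user group (Managers) and a
# device group (ManagersWKS). The device half is only evaluated when the KDC policy
# "KDC support for claims, compound authentication and Kerberos armoring" is enabled, as in the lab.
# -ProposedAcl stages the Marketing-only permission from the validation exercise without enforcing it.
New-ADCentralAccessRule -Name 'Confidential Docs Rule' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == "High")' `
    -CurrentAcl  "O:SYG:SYD:AR(XA;;FA;;;AU;((Member_of {SID($managersSid)}) && (Device_Member_of {SID($managersWksSid)})))" `
    -ProposedAcl "O:SYG:SYD:AR(XA;;FA;;;AU;(@USER.$deptClaimId == `"Marketing`"))"

# 4. Policies bundle rules; the lab's "DAC Policy" GPO then publishes them to file servers.
$policies = @{ 'Department Match' = 'Department Match Rule'; 'Protect confidential docs' = 'Confidential Docs Rule' }
foreach ($pair in $policies.GetEnumerator()) {
    New-ADCentralAccessPolicy -Name $pair.Key
    Add-ADCentralAccessPolicyMember -Identity $pair.Key -Members $pair.Value
}

# 5. On LON-SVR1: staging only produces events once the subcategory is audited (the GPO
#    setting in the lab; "auditpol /get /subcategory:"Central Policy Staging"" shows the
#    effective value). Event 4818 means the proposed permissions would grant different
#    access than the current ones, which is exactly what staging is meant to surface.
function Get-StagingMismatch {
    param([string]$ComputerName = 'LON-SVR1', [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4818; StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}
Get-StagingMismatch
```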
• Always stage changes to Central Access Rules and Policies before implementation.
Review Questions
What is a claim?
What is the purpose of Central Access Policy?
Tools
Active Directory Administrative Center
Module 11
Implementing Active Directory Domain Services
Contents:
Module Overview
Module Overview
Active Directory® Domain Services (AD DS) is the central location for configuration information,
authentication requests, and information about all the objects that are stored in an Active Directory forest.
Using AD DS, you can efficiently manage users, computers, groups, printers, and other directory-enabled
objects from one secure, central location. Windows PowerShell® has become the single engine for
configuration and maintenance from both graphical and command-line interfaces. This module discusses
deployment and configuration of domain controllers, service accounts in AD DS, Group Policy, and
maintenance of AD DS.
Objectives
After completing this module you will be able to:
• Maintain AD DS.
Lesson 1
Deploying AD DS Domain Controllers
To establish the Active Directory forest and the first domain in the forest, you must create at least one domain controller. In this lesson, you will learn about the new features of AD DS in Windows Server® 2012 and the various methods for deploying domain controllers.
Lesson Objectives
After completing this lesson you will be able to:
• Describe what's new in AD DS in Windows Server 2012.
• Deploy domain controllers.
• Upgrade to AD DS in Windows Server 2012.
• Troubleshoot domain controller deployment.
What's New in AD DS in Windows Server 2012?
Windows Server 2012 has several new features for AD DS. The Windows PowerShell command-line interface is the underlying component behind installations and configurations. It enables full scripting and automation, and new graphical user interfaces for previously command-line-only activities.
Some new features are described in the following table.
Feature: Simplified administration
Improvement: Improvements to configure and monitor AD DS through the Server Manager console include:
• A graphical user interface for the Active Directory Recycle Bin.
• A graphical user interface to implement fine-grained passwords.
• Group Policy health monitoring.
• AD DS-specific performance monitoring and best practice analysis.
• Active Directory management tools, which you can open from the Server Manager console.
Feature: Active Directory Module for Windows PowerShell
Improvement: The Active Directory module has new cmdlets for replication topology management, Dynamic Access Control, and other operations. It is no longer necessary to use the Active Directory Installation Wizard (also called DCPromo) to create a domain controller. When you use Windows PowerShell to install AD DS, the Active Directory Installation Wizard functionality is now included in the cmdlet.
Feature: Active Directory Federated Services (AD FS)
Improvement: AD FS is now included as a server role with Windows Server 2012. This version provides a less complex trust setup and management process, an ability to extend the claims attribute store, and a broader scope for defining claims. AD FS services are frequently required for hybrid cloud deployments.
Feature: Active Directory Based Activation (AD BA)
Improvement: Key Management Servers (KMS) are no longer required to activate computers running Windows Server 2012 and Windows® 8. Activating the initial customer-specific volume license key (CSVLK) requires a one-time contact with Microsoft activation over the Internet.
Deploying AD DS Domain Controllers
With Windows Server 2008, you could deploy a domain controller by installing the AD DS role to add the binary files and then using the Active Directory Installation Wizard to install AD DS.
In Windows Server 2012 you deploy a domain controller by using Server Manager to add the AD DS role. You use a separate wizard to configure AD DS within Server Manager.
You can add the AD DS role binaries using these four methods:
• The graphical Server Manager.
• Dism.exe.
• Active Directory Installation Wizard (also called DCPromo).
• Install AD DS remotely.
• Configure the domain controller as a global catalog by default.
• Display advanced mode settings.
• Prepare schema extension and domain preparation automatically in the background.
Using Windows PowerShell
You can add the AD DS binaries using the Active Directory module for local or remote installations.
Using DISM
The Deployment Image Servicing and Management (DISM) tool is part of the Windows Automated Administration Kit (WAIK). It is more complex than, and not as flexible as, Windows PowerShell. DISM is usually associated with creating deployment images for Windows Deployment Services.
Deploying AD DS Domain Controllers on Server Core
Server Core is a version of Windows Server 2012 that has no graphical interface. Server Core provides a minimal environment for running server roles. It reduces disk space usage and maintenance, and presents a smaller attack surface.
Installing the AD DS Role Locally
To install the AD DS role locally:
1. Install the AD DS binary files. At the local Windows PowerShell command prompt, type the cmdlet Install-WindowsFeature -Name AD-Domain-Services, and then press Enter.
2. Configure AD DS. At the Windows PowerShell command prompt, type the cmdlet Install-ADDSDomainController -DomainName "Adatum.com", with other arguments as required, and then press Enter.
Windows PowerShell Remote Installation
You can run Windows PowerShell cmdlets against remote servers. Start by installing the AD DS binary files. Then use the Invoke-Command cmdlet. For example:
Invoke-Command -ComputerName NYC-DC3 -ScriptBlock { Install-ADDSDomainController -DomainName Adatum.com -Credential (Get-Credential) }
Server Manager Remote Installation
To use Server Manager to install the AD DS role remotely, perform these high-level steps:
Deploying AD DS Domain Controllers by using Install From Media (IFM)
Another method for installing AD DS is to install from installation media created by using the Ntdsutil.exe utility. Installation media is created from an existing domain controller in the form of a backup. The advantage of installing from media is that it reduces the directory replication traffic required to synchronize the new domain controller. By default, a new domain controller replicates all the data for all directory partitions that it hosts from other domain controllers. When you use IFM the new domain controller already has most of the AD DS data. It only replicates updates that have occurred since the backup media was created.
Type of installation media: Full (or writable) domain controller
Parameter: Create Full PathToMediaFolder
Description: Creates installation media for a writable domain controller instance in the folder that is identified in the path.
Type of installation media: Full (or writable) domain controller with SYSVOL
Parameter: Create Sysvol Full PathToMediaFolder
Description: Creates installation media for a writable domain controller with SYSVOL in the folder that is identified in the path.
Type of installation media: RODC with SYSVOL
Parameter: Create Sysvol RODC PathToMediaFolder
Description: Creates installation media for an RODC with SYSVOL in the folder that is identified in the path.
Type of installation media: Create Sysvol Full NoDefrag
Parameter: Create Sysvol Full NoDefrag %s
Description: Creates installation media with SYSVOL without defragmenting for a full Active Directory domain controller or an AD LDS instance into folder %s.
1. Enter the ntdsutil context. At the Windows command prompt type NTDSUTIL, and then press Enter.
2. At the NTDSUTIL: prompt type Activate instance NTDS, and then press Enter.
3. Type IFM.
4. At the IFM: prompt, type the command for the type of installation media you want to create. For
example, to create media for a writable domain controller with SYSVOL to a folder named Media,
type Create Sysvol Full C:\Media.
To use IFM to create additional domain controllers in the domain, you can refer to a shared folder or
removable media where you store the installation media on the Install from Media page in the Active
Directory Domain Services Installation Wizard or by using the /ReplicationSourcePath parameter during
an unattended installation.
Install From Media Characteristics
IFM has the following characteristics:
• Installation from media does not work across different operating system versions. You must generate media from an existing Windows Server 2012 domain controller to install AD DS on a computer running Windows Server 2012.
Deploying AD DS Read-Only Domain Controllers
The read-only domain controller (RODC) was introduced with Windows Server 2008. An RODC hosts read-only partitions of the AD DS database. This means that no AD DS change requests are made directly to the database copy stored by the RODC. Instead, AD DS modifications are forwarded to RODCs through replication with a writable domain controller. All RODC AD DS replication uses a one-way, incoming-only connection from a domain controller that has a writable AD DS database copy.
Characteristics of RODC
RODCs have the following characteristics:
• Server Core installations support RODCs.
• An RODC cannot hold an operations master role.
• An RODC cannot be a site bridgehead server.
• Users can be delegated administrative rights to a specific RODC without being granted rights to AD DS. This can be configured in the Active Directory Configuration Wizard.
Preparing to Install RODC
Several prerequisites must be in place before you install an RODC. They are:
• Forest functional level must be at least 2003. The Windows Server 2012 Active Directory Configuration Wizard does not let you continue if the domain is not able to support an RODC.
Cloning Virtual AD DS Domain Controllers
Windows Server 2012 introduces virtualized domain controller cloning. Cloning a virtualized domain controller presents challenges. For example, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In versions of Windows earlier than Windows Server 2012, you created virtualized domain controllers by deploying a Sysprepped base server image and manually promoting it to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.
Windows Server 2012 VDCs have two new capabilities:
• Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.
Safe Cloning
A cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media.
Creating a VDC Clone
To create a VDC clone in Windows Server 2012, perform the following high-level steps:
1. Create a DcCloneConfig.xml file that contains the unique server configuration.
Note: There is no graphical interface to create the cloning XML files. However, there is a Windows PowerShell script in development for out-of-band release, and the XML schema is included.
Upgrading to Windows Server 2012 AD DS
You can upgrade an existing domain controller to Windows Server 2012. You can only upgrade a domain controller created in Windows Server 2008 x64 or Windows Server 2008 R2. You cannot perform an in-place upgrade on Windows Server 2003.
To perform an in-place upgrade of a computer that has the AD DS role installed, you must first use Adprep.exe /forestprep and Adprep.exe /domainprep to prepare the forest and domain. An in-place operating system upgrade does not perform automatic schema and domain preparation. Adprep.exe is included on the installation media in the \Support\Adprep folder. There are no additional configuration steps after that point and you can continue running the OS upgrade.
Note: We recommend a clean installation.
Troubleshooting AD DS Domain Controller Deployments
If you encounter errors when you create a domain controller, you can use troubleshooting tools and methodologies to resolve the problem. There are also logs and utilities available.
Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller promotion
and demotion. There are many logs created during the installation and promotion of a domain controller,
as shown in the following table.
Phase Log
• AutoRuns.exe –Shows you what programs are configured to run during system bootup or logon, and
shows you the entries in the order Windows processes them.
• Task Manager –Provides detailed information about how to run applications, processes, and services
and provides performance and networking statistics.
• MSInfo32.exe –Displays a comprehensive view of your hardware, system components, and software
environment.
• Is this a syntax error? Check the naming, credentials, and syntax of Windows PowerShell.
• Did the prerequisite check fail? Resolve the issue and try again.
• Did the error occur during the promotion phase? Examine the logs. Use Dcdiag and Repadmin to
validate Active Directory health.
• Check for third-party software that may be preventing the promotion and remove it.
Lesson 2
Configuring AD DS Domain Controllers
After you install AD DS and create new domain controllers, you must address several Active Directory configuration issues. You can address some of these issues, such as creating a global catalog, during or after the promotion. You address others after the promotion.
Lesson Objectives
After completing this lesson you will be able to:
• Configure the global catalog.
• Configure universal group membership caching.
• Configure operations masters.
• Manage domain and forest functional levels.
Configuring the Global Catalog
The global catalog is a special partition of Active Directory that stores information about all Active Directory objects. It does not contain all attributes of all objects, but instead contains a subset of attributes that are useful for searching. The global catalog is mainly used in a multi-domain environment. It enables searches across domain boundaries to find objects in Active Directory. The global catalog acts as an index of Active Directory. Certain applications rely on the global catalog, such as Exchange Server.
Global Catalog Characteristics
Global catalogs are unique to Active Directory and have the following characteristics:
• At least one global catalog must exist in every forest.
• It is possible and frequently desirable to have multiple global catalogs. For example, have a global catalog in each AD DS site so that user authentication occurs in a timely, efficient manner.
• Global catalogs listen on ports 3268/3269 by default.
Creating a Global Catalog
The first domain controller in the forest is a global catalog because at least one global catalog is required per forest. You can remove the domain controller's designation as a global catalog later, after you have created other global catalogs.
For each additional domain controller, you can create a global catalog by ensuring that you select the check box in the Active Directory Configuration Wizard during the promotion. By default, all domain controllers are assumed to be global catalogs.
You can also add or remove the global catalog from a domain controller by using the Active Directory Sites and Services MMC and editing the properties of the NTDS Settings node of the domain controller. Alternatively, you can use the Active Directory module of Windows PowerShell to enable a global catalog.
Configuring Universal Group Membership Caching
Universal groups include users and groups from multiple domains in a forest. The membership of universal groups is replicated in the global catalog. When a user logs on, the user's universal group membership is obtained from a global catalog server. If a global catalog is not available, then universal group membership is not available. Configuring universal group membership caching addresses this problem.
You can alleviate denial of authentication by enabling Universal Group Membership Caching on the local AD DS site. With this enabled, by default all domain controllers in that site obtain universal group membership information from a global catalog for a user when the user first logs on to the site. The domain controller caches that information indefinitely, as long as it can update universal group membership information every eight hours. If the local domain controller cannot contact a global catalog, then the cached group membership information is considered invalid after seven days. This value is called the 'staleness interval' and is set in the registry. If a network outage of less than seven days prevents the local domain controller from contacting the global catalog, the user is still authenticated successfully by using the cached group information.
Enabling Universal Group Membership Caching
You can enable Universal Group Membership Caching on a domain controller by using the Active Directory Sites and Services MMC, and editing the properties of the NTDS Settings node of the domain controller. You can also use the Active Directory module for Windows PowerShell to enable Universal Group Membership Caching.
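Enabling a global catalog and universal group membership caching with the Active Directory module, as an added example that is not course code. Both settings are bits in the options attribute: 0x1 on the domain controller's NTDS Settings object enables the global catalog, and 0x20 on the site's NTDS Site Settings object (the object that stores the site-level caching setting) enables universal group membership caching; the names LON-DC1 and Default-First-Site-Name are assumptions.

```powershell
# Added example (not course code): set the global catalog and universal group membership
# caching flags with the ActiveDirectory module. Assumed names: LON-DC1, Default-First-Site-Name.
Import-Module ActiveDirectory

function Set-OptionsBit {
    # options is a bit field; OR/AND-NOT the one bit so other flags on the object survive.
    param([Parameter(Mandatory)][string]$Dn, [int]$Bit, [bool]$Enable)
    $current = [int](Get-ADObject -Identity $Dn -Properties options).options   # unset -> 0
    $new = if ($Enable) { $current -bor $Bit } else { $current -band (-bnot $Bit) }
    if ($new -ne $current) { Set-ADObject -Identity $Dn -Replace @{ options = $new } }
    return $new
}

function Set-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DomainController, [bool]$Enable = $true)
    $dc = Get-ADDomainController -Identity $DomainController
    Set-OptionsBit -Dn $dc.NTDSSettingsObjectDN -Bit 0x1 -Enable $Enable | Out-Null
    # The DC only advertises as a GC after the partial replicas have replicated in;
    # poll isGlobalCatalogReady in rootDSE until it reports TRUE.
    (Get-ADRootDSE -Server $DomainController).isGlobalCatalogReady
}

function Set-UniversalGroupCaching {
    param([Parameter(Mandatory)][string]$SiteName, [bool]$Enable = $true)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Set-OptionsBit -Dn "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc" -Bit 0x20 -Enable $Enable
}

function Test-GcListener {
    # A GC answers LDAP on 3268 (and 3269 for LDAPS) in addition to 389/636.
    param([string]$ComputerName, [int]$Port = 3268)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ComputerName, $Port); $tcp.Connected } catch { $false } finally { $tcp.Close() }
}

Set-GlobalCatalog -DomainController 'LON-DC1'
Set-UniversalGroupCaching -SiteName 'Default-First-Site-Name'
Test-GcListener -ComputerName 'LON-DC1'
```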
Configuring Operations Masters
In any replicated database, such as AD DS, some tasks must be performed by only one AD DS replica holder because they are impractical to perform in a multi-master manner. For example, only one domain controller can be in charge of synchronizing the time across the domain. In an Active Directory domain, operations masters, also known as flexible single master operations, or FSMO, are domain controllers that additionally provide a specific function. There are five specific operations master roles that must be filled. Any domain controller that meets the prerequisites can perform these roles.
Note: An RODC cannot host any operations master roles because, by design, it cannot directly modify the copy of AD DS it holds.
Two of the operations master roles exist only once for the whole forest. These two roles exist only in the forest root domain and are shown in the following table.
Role: Domain Naming Operations Master
Description: You use the domain naming role when you add or remove domains in the forest. When you add or remove a domain, the domain naming master must be available, or the operation fails.
Role: Schema Operations Master
Description: The domain controller holding the schema master role is responsible for making any changes to the forest's schema. All other domain controllers hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, try to do it directly on the domain controller holding the schema master role. Otherwise, the changes that you request must be sent to the schema master to be written into the schema. If the schema master is inaccessible, all attempts to modify the schema will fail.
These roles can be transferred to other domain controllers if required. If a domain controller that is currently holding a role should stop functioning, the role can be forcibly seized by another domain controller.
The other three roles exist in every domain in the forest. They are shown in the following table.
Role: Relative Identifier (RID) Operations Master
Description: The SID of a security principal must be unique. Any read/write domain controller in a domain can create accounts, and therefore, issue SIDs. Active Directory domain controllers generate SIDs by incorporating a unique RID into the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in its domain. In the past it was possible for a domain to reach the limit of RID issuance (maximum possible of 2^30, or 1,073,741,823). New safeguards were put into place for Windows Server 2012 RID masters, which include issuing warnings in event logs when overall RIDs allocated are approaching 10% of usage. You can also increase the number of RIDs allocated to 2^31 (grand total of 2,147,483,648 SIDs).
Note: This is the only one of the five FSMO roles that was improved in Windows Server 2012. All other roles retain the same functionality as earlier versions.
Role: PDC Emulator Operations Master
Description: Emulates a Primary Domain Controller (PDC) and is probably the most important FSMO role for day-to-day functionality.
Password handling. When passwords are changed, the PDC emulator is updated immediately.
Focus of Group Policy. When Group Policy objects (GPOs) are being created or edited, the action is performed, by default, on the PDC emulator.
Time source for the domain. The PDC emulator provides the time source for all computers joined to AD DS to synchronize to.
Domain Master Browser. When you open the Network window and see the list of computers, you are seeing a list that is created by the browser service.
These roles can be transferred to any domain controller in the domain. They do not all have to run on the
same domain controller. For example, one domain controller might hold the PDC Emulator role while
another holds the RID Master role. If a domain controller that is currently holding a role should stop
functioning, the role can be forcibly seized by another domain controller.
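Listing the role holders, measuring RID consumption against the limits described above, and transferring or seizing roles with the Active Directory module. This is an added example, not course code; the target name LON-DC1 is an assumption, and the RID arithmetic reads the rIDAvailablePool attribute of the domain's RID Manager$ object.

```powershell
# Added example (not course code): FSMO holders, RID pool usage and role transfer/seizure.
# Assumed target domain controller: LON-DC1.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide, forest root domain
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide, forest root domain
        PDCEmulator          = $d.PDCEmulator           # one per domain
        RIDMaster            = $d.RIDMaster             # one per domain
        InfrastructureMaster = $d.InfrastructureMaster  # one per domain
    }
}

function Get-RidPoolUsage {
    # rIDAvailablePool is a 64-bit value: the high 32 bits hold the highest RID that can be
    # issued (2^30-1 by default, 2^31-1 after unlocking the 31st bit), the low 32 bits hold
    # the next RID the RID master will hand out.
    $dn   = (Get-ADDomain).DistinguishedName
    $pool = [int64](Get-ADObject "CN=RID Manager$,CN=System,$dn" -Properties rIDAvailablePool).rIDAvailablePool
    $twoPow32 = [int64][math]::Pow(2, 32)
    $max    = [int64][math]::Floor($pool / $twoPow32)
    $issued = $pool - ($max * $twoPow32)
    [pscustomobject]@{
        RidsIssued    = $issued
        RidsRemaining = $max - $issued
        PoolMaximum   = $max
        PercentUsed   = [math]::Round(100 * $issued / $max, 2)
        # Server 2012 RID masters log warnings as consumption crosses 10% steps; flag the first one here.
        Warning       = ($issued / $max) -ge 0.10
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role,
        # -Seize forces the move when the current holder is permanently offline. The old holder
        # must never be brought back online afterwards, or two DCs would claim the same role.
        [switch]$Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
}

Get-FsmoHolders
Get-RidPoolUsage
Move-FsmoRole -TargetDC 'LON-DC1' -Role PDCEmulator, RIDMaster -WhatIf   # drop -WhatIf to transfer
```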
Managing Domain and Forest Functional Levels
By raising the functional levels, you can enable functionality offered by new versions of Windows. New features are not backward-compatible with older versions of Windows Server. Similarly, until all domain controllers are running Windows Server 2008, 2008 R2 or Windows Server 2012, you cannot implement its improvements to AD DS.
There are two major requirements for raising the functional level:
• All domain controllers must run the correct version of Windows Server.
Raising the functional level of either the domain or the forest is a one-way operation. You can never lower a functional level. Therefore, after you have raised the domain functional level to Windows Server 2008, for example, you cannot at a later date add a domain controller running Windows Server 2003 to the same domain.
A forest can have domains that run at different functional levels, but after the forest functional level is raised, you cannot add a domain controller running a lower version of Windows to any domain in the forest.
The Windows Server 2012 forest functional level and domain functional level do not implement new features compared with the Windows Server 2008 R2 functional level.
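A pre-check that enforces the first requirement above before the one-way raise: every domain controller must run an operating system new enough for the target level, otherwise the raise is refused. This is an added example, not course code; the level-to-OS-version mapping (2003 = 5.2, 2008 = 6.0, 2008 R2 = 6.1, 2012 = 6.2) and the level names are the values Set-ADDomainMode accepts.

```powershell
# Added example (not course code): refuse to raise the domain functional level while any
# domain controller runs an operating system older than the target level requires.
Import-Module ActiveDirectory

$MinimumOsVersion = @{
    Windows2003Domain   = [version]'5.2'
    Windows2008Domain   = [version]'6.0'
    Windows2008R2Domain = [version]'6.1'
    Windows2012Domain   = [version]'6.2'
}

function Get-FunctionalLevelBlockers {
    param([Parameter(Mandatory)][string]$TargetLevel)
    $required = $MinimumOsVersion[$TargetLevel]
    if (-not $required) { throw "Unknown level: $TargetLevel" }
    Get-ADDomainController -Filter * | ForEach-Object {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep the major.minor part only.
        $ver = [version]($_.OperatingSystemVersion -replace '\s.*$')
        if ($ver -lt $required) {
            [pscustomobject]@{ Name = $_.Name; Site = $_.Site; OS = $_.OperatingSystem; Version = $ver }
        }
    }
}

function Set-DomainFunctionalLevel {
    param([string]$TargetLevel = 'Windows2012Domain')
    $blockers = @(Get-FunctionalLevelBlockers -TargetLevel $TargetLevel)
    if ($blockers.Count) {
        $blockers | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Not raising to ${TargetLevel}: $($blockers.Count) domain controller(s) must be upgraded or demoted first"
    }
    $domain = Get-ADDomain
    Write-Host "Raising $($domain.DNSRoot) from $($domain.DomainMode) to $TargetLevel (this cannot be undone)"
    Set-ADDomainMode -Identity $domain -DomainMode $TargetLevel -Confirm:$false
    # The forest level (Set-ADForestMode -ForestMode Windows2012Forest) additionally requires
    # every domain in the forest to be at that level first.
    (Get-ADDomain).DomainMode
}

Get-FunctionalLevelBlockers -TargetLevel Windows2012Domain
# Set-DomainFunctionalLevel -TargetLevel Windows2012Domain   # run only once the check returns nothing
```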
Lesson 3
Implementing Service Accounts
One common issue that most organizations face is how to securely manage accounts that are used for network services. Many applications use services that require an account for service startup and authentication. As with typical user accounts, you must also effectively manage service accounts to ensure security and reliability.
Lesson Objectives
After completing this lesson you will be able to:
• Describe managed service accounts.
What Are Managed Service Accounts
Applications are frequently configured to execute non-interactively on servers that use the security authentication context of the Local Service, Network Service, or Local System accounts. Because these accounts are typically shared by many applications and processes, you cannot isolate their credentials. That is to say, you cannot customize the security settings of these accounts without also affecting all applications and processes that are mapped to them. A Managed Service Account provides an application with its own unique service account. In Windows Server 2012, administrators no longer have to manually administer the credentials for this account.
Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or application must run Windows Server 2008 R2 or a later version. You must also ensure that the .NET Framework 3.5.x and the Active Directory Module for Windows PowerShell are both installed on the server.
Note: In versions of Windows earlier than Windows Server 2012, managed service accounts could not be shared between multiple computers. Each Managed Service Account had to be unique to the computer where the application was run. This type of service account is known as a Standalone Managed Service Account. New in Windows Server 2012 is the ability to create Managed Service Accounts that can be shared with more than one computer (for example, for a clustered set of servers). These types of Managed Service Accounts are called Group Managed Service Accounts. They are discussed in the next lesson.
Managing Service Principal Names
Service Principal Names (SPNs) represent the accounts in whose security context a service executes. SPNs support mutual authentication between a client application and a service. SPNs are built either from information that a client computer knows about a service or from a trusted third party, such as Active Directory. SPNs are associated with accounts, and an account can have a different SPN for each service it is used to authenticate and execute.
The basic syntax of a SPN is as follows.
The elements of the syntax have the meanings described in the following table.
Element: Service type
Description: The type of service, such as www for the World Wide Web service.
Element: Instance name
Description: The name of the instance of the service. Either the host name or IP address of the server that is running the service.
Element: Port number
Description: Port number that is used by the host for the service if it differs from the default.
Element: Service name
Description: This may be the DNS name of the host, or of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of a remote procedure call (RPC) service object.
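Splitting an SPN into the four elements of the table and flagging SPNs registered on more than one account, which breaks Kerberos mutual authentication for that service because the KDC cannot tell which account key to use. This is an added example, not course code; the sample SPN list is constructed (account and host names assumed), while Get-SpnReport reads the real values from AD DS.

```powershell
# Added example (not course code): parse SPNs into service type / instance name / port /
# service name and detect duplicates. The sample list at the bottom is constructed.

function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    # <service type>/<instance name>[:<port number>][/<service name>]
    if ($Spn -notmatch '^(?<type>[^/]+)/(?<instance>[^:/]+)(?::(?<port>\d+))?(?:/(?<name>.+))?$') {
        throw "Not a valid SPN: $Spn"
    }
    [pscustomobject]@{
        Spn          = $Spn
        ServiceType  = $Matches.type
        InstanceName = $Matches.instance
        PortNumber   = if ($Matches.port) { [int]$Matches.port } else { $null }   # null = default port
        ServiceName  = $Matches.name
    }
}

function Find-DuplicateSpn {
    param([Parameter(Mandatory)][hashtable]$SpnsByAccount)   # account name -> SPN strings
    $rows = foreach ($account in $SpnsByAccount.Keys) {
        foreach ($spn in $SpnsByAccount[$account]) {
            ConvertFrom-Spn $spn | Add-Member -NotePropertyName Account -NotePropertyValue $account -PassThru
        }
    }
    # Kerberos matches SPNs case-insensitively, so group on the lower-cased value.
    $rows | Group-Object { $_.Spn.ToLower() } | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Accounts = ($_.Group.Account -join ', ') }
    }
}

function Get-SpnReport {
    # Live version: every user, computer and managed service account that carries an SPN.
    Import-Module ActiveDirectory
    $map = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object { $map[$_.Name] = @($_.servicePrincipalName) }
    Find-DuplicateSpn -SpnsByAccount $map
}

# Constructed sample: the HTTP SPN of LON-SVR1 was also registered on the WebService account.
$sample = @{
    'LON-SVR1$'  = 'HOST/LON-SVR1', 'HOST/lon-svr1.adatum.com', 'HTTP/lon-svr1.adatum.com'
    'WebService' = 'HTTP/lon-svr1.adatum.com', 'HTTP/lon-svr1.adatum.com:8080'
    'LON-DC1$'   = 'ldap/lon-dc1.adatum.com/adatum.com', 'GC/lon-dc1.adatum.com/adatum.com'
}
ConvertFrom-Spn 'ldap/lon-dc1.adatum.com:3268/adatum.com'   # type ldap, port 3268, service name adatum.com
Find-DuplicateSpn -SpnsByAccount $sample                    # HTTP/lon-svr1.adatum.com on LON-SVR1$ and WebService
```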
What Are Group Managed Service Accounts?

As discussed in the previous lesson, Standalone Managed Service Accounts are managed domain-based accounts (which now include automatic password management and simplified SPN management for the service account) for single servers. Group Managed Service Accounts provide the same functionality, but for multiple servers.

When you connect to a service hosted on a server farm, such as the Network Load Balancing (NLB) service, all computers that are running an instance of that service must use the same security principal. When a Group Managed Service Account is used as the service principal, Windows Server 2012 AD DS manages the password for the account instead of relying on the administrator to manage the password.

The Group Managed Service Account has features to deal correctly with hosts that are kept offline for an extended time period. This means that you can deploy a server farm that uses a single Group Managed Service Account identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
Demonstration: Configuring Group Managed Service Accounts

In this demonstration you will see how to create a group managed service account and associate the account with a server.

Demonstration Steps
1. Log on to LON-DC1 as Administrator.
3. Create the new service account named Webservice for the host LON-DC1.
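The same procedure from Windows PowerShell, as an added example that is not part of the course material: it creates a Group Managed Service Account for a web farm, registers its SPNs, installs it on a farm member, and then checks the domain for duplicate SPNs. The domain adatum.com, the group WebFarmHosts and the DNS name web.adatum.com are assumptions made for the example.

```powershell
# Added example (not from the course): gMSA for a web farm plus an SPN duplicate check.
# adatum.com, WebFarmHosts and web.adatum.com are assumed names.
Import-Module ActiveDirectory

# A KDS root key must exist once per forest before any gMSA can be created. -EffectiveImmediately
# is for labs only: in production let the 10-hour replication safety window elapse.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Grant password retrieval to a group rather than to individual hosts; adding a farm member is
# then a group membership change, not an edit of the account's msDS-GroupMSAMembership ACL.
New-ADServiceAccount -Name 'Webservice' `
    -DNSHostName 'web.adatum.com' `
    -ServicePrincipalNames 'HTTP/web.adatum.com', 'HTTP/web' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmHosts' `
    -ManagedPasswordIntervalInDays 30      # fixed at creation time; 30 is also the default

# On each farm host, after it has been added to WebFarmHosts and rebooted (the host's Kerberos
# ticket must carry the new group membership):
Install-ADServiceAccount -Identity 'Webservice'
Test-ADServiceAccount -Identity 'Webservice'    # True when this host can retrieve the password

# Duplicate SPNs break Kerberos for the service (the KDC cannot choose a key and clients fall
# back to NTLM or fail), so verify that each SPN is registered on exactly one account.
function Find-DuplicateSpn {
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $acct = $_.DistinguishedName
            $_.servicePrincipalName | ForEach-Object { [pscustomobject]@{ Spn = $_; Account = $acct } }
        } |
        Group-Object -Property Spn | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Spn = $_.Name; Accounts = ($_.Group.Account -join '; ') } }
}
Find-DuplicateSpn       # same information as 'setspn -X', with the owning accounts listed
```

Run the creation and the duplicate check on a domain controller or a host with the AD DS tools; run Install-ADServiceAccount and Test-ADServiceAccount on the farm member itself.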
Lesson 4
Implementing Group Policy in AD DS

Group Policy has become the major tool for controlling the computing environment in an organization. This lesson points out the new features for Windows Server 2012 and describes some management techniques for controlling users and computers.

Lesson Objectives
After completing this lesson you will be able to:
• Describe the new features in Group Policy.
• Configure Group Policy processing.
• Describe Group Policy client-side extensions.
• Troubleshoot Group Policy.
• Describe best practices for Group Policy implementation.

What's New in Group Policy in Windows Server 2012?
Group Policy was introduced in Windows 2000. Each successive Windows version has introduced new tools or management features, such as the Group Policy Management Console (GPMC). Group Policy in Windows Server 2012 includes the following new features.

Graphical User Interface for Managing Fine-Grained Password Policy
New in Windows Server 2012 is the ability to manage password settings objects from the console of the Active Directory Administrative Center. Managing domain user account password policy by group membership has been an option since the initial release of Windows Server 2008. When it is enabled, any password policy associated with the user's group membership takes precedence over the default domain account policy. However, in earlier versions of Windows Server there was no single interface for implementing and managing this type of policy. The new GUI simplifies using this feature.

Group Policy Infrastructure Status
The Group Policy Infrastructure Status tool is a new tab in the GPMC. It displays the status of Active Directory and SYSVOL replication as it relates to Group Policy. This feature enables you to detect the current status by comparing the replication status of all domain controllers.

Remote Policy Refresh
You can now use the GPMC to target an organizational unit (OU) and force a Group Policy refresh on all its computers and their currently logged-on users. Right-click any organizational unit in the GPMC, and then click Group Policy Update. The update occurs within 10 minutes (randomized on each targeted computer) to prevent overwhelming a domain controller.
Also, a new Windows PowerShell cmdlet, named Invoke-GPUpdate, functions in the same manner as the command-line GpUpdate utility.

New RSOP Logging Data
When you use the Group Policy Results wizard or the GpResult /H command-line tool to generate an HTML Resultant Set of Policy (RSOP) report, you now see an updated Summary section that provides information such as network speed and whether a policy is functioning correctly or not.
Managing GPOs

You must manage Group Policy objects as you would any other object in Active Directory. Group Policy must be created, edited, applied to containers, and backed up. The GPMC is the main tool for managing Group Policy.

Creating, Editing, and Linking Policies
Group Policy management has the following characteristics:
• Edit GPOs by using the Group Policy Management Editor. You can use policies to configure and apply thousands of settings.
• You can link GPOs to containers by using the GPMC. You can link a single GPO to multiple containers.

Backing Up and Restoring GPOs
You should back up Group Policies regularly. The first time that you back up a GPO, you must specify the location of the backup folder.

To back up GPOs in the GPMC, use the following procedures:
• To back up individual GPOs, right-click the GPO, and then click Back Up.
• To back up all GPOs, right-click the Group Policy Objects folder, and then click Back Up All.

To restore an existing GPO to an earlier version of the GPO:
3. Click Restore from Backup.

To restore a deleted GPO:
2. Click Manage Backups.
Copy or Import GPOs
By using the import and copy operations in the GPMC, you can transfer GPOs across domains and across forests. This is useful if you maintain separate test and production environments and want to replicate the content from one environment to the other. The GPMC enables you to modify certain settings as part of the import or copy operation. Specifically, you can modify references to security principals, such as users, groups, and computers, and to Universal Naming Convention (UNC) paths that exist in the GPO. You can modify security principals and UNC paths in the destination GPO by using a migration table with the import or copy operation. For example, the test environment might use a different UNC path for folder redirection than the production environment. You can use a migration table to map the test environment UNC path to the production UNC path.

A copy operation uses an existing GPO as its source and creates a new GPO as the destination. The administrator can choose to preserve the existing permissions or use the default GPO permissions. To copy an existing GPO:
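The backup, restore and import operations above, scripted with the GroupPolicy module, as an added example that is not part of the course material. The GPO names, server names, share paths and the two domains are assumptions; the migration table is written in the XML schema that the GPMC Migration Table Editor produces.

```powershell
# Added example (not from the course): back up all GPOs, restore one, then import a test GPO into
# production with a migration table that rewrites a UNC path and a group. Names are assumptions.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackups'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Back up every GPO in the current domain. Each backup gets its own GUID folder plus a shared
# manifest.xml, so the same folder can hold many versions of the same GPO.
Backup-GPO -All -Path $backupDir -Comment "Pre-change backup $(Get-Date -Format s)"

# Restore an existing GPO to its most recent backup in that folder (the GPMC "Restore from Backup").
Restore-GPO -Name 'Desktop Lockdown' -Path $backupDir

# Migration table: every security principal and UNC path in the source GPO that is not mapped
# here is carried over unchanged (principals as SIDs the target domain cannot resolve).
$migTable = Join-Path $backupDir 'test-to-prod.migtable'
@'
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\test-fs01\Redirected</Source>
    <Destination>\\prod-fs01\Redirected</Destination>
  </Mapping>
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Folder Redirection Users@test.adatum.com</Source>
    <Destination>Folder Redirection Users@adatum.com</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTable -Encoding UTF8

# Import the backed-up test GPO into the production domain, creating the target GPO if needed.
# Import replaces the target's settings entirely; it does not merge.
Import-GPO -BackupGpoName 'Folder Redirection' -Path $backupDir `
    -TargetName 'Folder Redirection' -Domain 'adatum.com' `
    -MigrationTable $migTable -CreateIfNeeded
```

Copy-GPO takes the same -MigrationTable parameter and adds -CopyAcl, which corresponds to the GPMC choice between preserving the source permissions and using the default GPO permissions.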
Configuring Group Policy Processing

When you link a Group Policy to a container, the settings affect all users, groups, or computers in that container and in all child containers under that parent. For example, a GPO linked to the domain container inherits down to all child containers in the domain. Because you can link GPOs directly to the site, domain, or OU containers, there is the potential for settings in different GPOs to conflict. For example, a setting in a GPO at the domain level might be enabled while the same setting in a GPO linked to an OU may be disabled. This conflict is resolved through precedence. GPO settings are applied in the following order:
4. OU linked GPOs
Policy settings inherit down and merge so that objects receive the cumulative effect of all GPOs. If you
link multiple GPOs to the same container then they are applied in the order in which they were linked.
However, you can set precedence to control the order of application to that container. If there is a conflict
in GPO settings, the last GPO applied has precedence and is the effective one. In other words, the user or
computer receives all the GPO settings in the path of their container and linked directly to their container,
but if there is a conflict, the latest setting is the one in effect.
Group Policy provides mechanisms to modify the way GPO settings are processed. You can block
inheritance and enforce policies.
Blocking Inheritance
You can configure a domain or OU to prevent the inheritance of policy settings. This option blocks all
inherited Group Policy settings from GPOs linked to parents in the Group Policy hierarchy. You cannot use
it to block only selected inherited policies. It does not block GPOs that are linked directly to the container.
You should use the Block Inheritance option sparingly. When you block inheritance, you make it more
difficult to evaluate Group Policy precedence and inheritance.
Loopback Processing
By default a user receives the settings from GPOs inherited by, and linked to, the OU where their user
account resides. There are situations, however, in which you might want to configure a user differently,
depending on the computer that is being used. For example, you might want to lock down and
standardize user desktops when users log on to computers in closely managed environments, such as
conference rooms, reception areas, laboratories, classrooms, and kiosks. You might also want to apply
specific settings for virtual desktop infrastructure (VDI) scenarios. This includes remote virtual machines
and Remote Desktop Services (RDS), known as Terminal Services in earlier versions.
The loopback setting causes a user's typical GPO settings to be disregarded and applies the user settings
associated with the GPO instead.
Note: There is an option in the loopback setting to merge the loopback user settings with
their typical settings. But the default is to replace their typical settings with the settings in the
loopback GPO.
Security Filtering
Each GPO has a Discretionary Access Control List (DACL) that defines permissions to the GPO. You must apply two permissions, Allow Read and Allow Apply Group Policy, to a user or computer. By default, Authenticated Users have the Allow Apply Group Policy permission on each new GPO. This means that by default, all users and computers are affected by the GPO's settings. Therefore, by adjusting the permissions on the GPO you can control who receives them. There are two approaches to do this.
• To apply the GPO to only some users, groups, or computers:
3. Grant them Read and Apply Group Policy permissions.
WMI Filtering
You can also use Windows Management Instrumentation (WMI) to control the scope of GPO application, depending on attributes of the destination computer. You can use WMI queries to check for hardware or software conditions that must exist for settings to be applied. For example, a WMI query may check for an operating system version, make or model, or the RAM in the system to determine whether GPO settings should be applied. WMI filters can query for hundreds of different parameters.
Group Policy Client-Side Extensions

The Group Policy Client service determines which GPOs to apply to the client. This service downloads any GPOs that are not already cached. Then, a series of processes called client-side extensions interpret the settings in a GPO and make appropriate changes to the local computer or to the currently logged-on user. There are client-side extensions for each major category of policy setting. For example, there is a security client-side extension that applies security changes, a client-side extension that executes startup and logon scripts, a client-side extension that installs software, and a client-side extension that makes changes to registry keys and values. Each new version of Windows has added client-side extensions to extend the functional reach of Group Policy. There are several dozen client-side extensions now in Windows.
Group Policy is applied at the client computer side at startup for computer settings and when users log on
for user settings. Group Policy is also refreshed on the client computer at regular, configurable intervals.
The default interval is 90 minutes. The Group Policy client pulls the GPOs from the domain, triggering the
client-side extensions to apply settings locally. Group Policy is not a push technology.
Note: You can manually refresh Group Policy from the GPMC in Windows Server 2012 or
by using the GpUpdate command prompt utility on the client workstation.
Policies remain in force on the client even if the client is not connected to the corporate LAN. For
example, mobile laptop users continue to have the GPO settings enforced because those settings are
cached on the client. But mobile laptop users receive no changes to policy settings until they reconnect to
the LAN.
Note: If client computers use cached credentials to speed up the logon process, then the
user does not see the effect of several GPO settings until after two logons.
Policies are not re-applied on the client systems unless a change in a policy setting is detected. An
important exception to the default policy processing settings is settings managed by the security client-
side extension. Security settings are reapplied every 16 hours even if a GPO has not changed.
Note: You can configure client-side extensions to reapply policy settings at background
refresh even if the GPO has not changed. To do this, define the settings in the
Computer Configuration\Policies\Administrative Templates\System\ Group Policy node. To
configure a client-side extension:
1. Open its policy processing policy setting, such as Registry Policy Processing for the Registry client-side
extension.
2. Click Enabled.
3. Select the Process even if the Group Policy objects have not changed check box.
• Security settings
• Administrative Templates
• IPsec
• Encrypting File System (EFS)
• Quotas
• Internet Explorer Maintenance
• Folder Redirection
• Scripts
• Wireless Network settings
• Software installations

Note: Older clients, such as Windows XP, use Ping to determine network speed. If you block Internet Control Message Protocol (ICMP) traffic, the connection always appears as a slow connection. Clients that are running Windows Vista or later versions use Network Location Awareness to determine connection speed.
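A way to see the client-side extensions installed on a computer and how the "process even if the Group Policy objects have not changed" setting is recorded for each, as an added example that is not part of the course material. The two registry locations are the ones Windows uses for this purpose; the function name is the example's own.

```powershell
# Added example (not from the course): list the registered client-side extensions and the
# per-CSE processing flags, with any "<CSE> policy processing" policy override applied.
$gpExt      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

function Get-CseProcessingState {
    Get-ChildItem -Path $gpExt | ForEach-Object {
        $guid = $_.PSChildName
        $reg  = Get-ItemProperty -Path $_.PSPath
        # The policy settings under Computer Configuration\Policies\Administrative Templates\
        # System\Group Policy write their values under the policy root, keyed by the CSE GUID.
        $pol  = Get-ItemProperty -Path (Join-Path $policyRoot $guid) -ErrorAction SilentlyContinue
        $src  = 'Default'
        $noListChanges = $reg.NoGPOListChanges
        $noBackground  = $reg.NoBackgroundPolicy
        if ($pol) {
            $src = 'Policy'
            if ($null -ne $pol.NoGPOListChanges)   { $noListChanges = $pol.NoGPOListChanges }
            if ($null -ne $pol.NoBackgroundPolicy) { $noBackground  = $pol.NoBackgroundPolicy }
        }
        [pscustomobject]@{
            Name   = $reg.'(default)'
            Guid   = $guid
            Dll    = $reg.DllName
            Source = $src
            # NoGPOListChanges: 1 = skip when no GPO changed; 0 = "Process even if the Group Policy
            # objects have not changed". Absent means the CSE's built-in behaviour.
            NoGPOListChanges  = $noListChanges
            # NoBackgroundPolicy: 1 = the CSE runs only at startup/logon, never at background refresh.
            NoBackgroundPolicy = $noBackground
            # The Security CSE reapplies on this interval (minutes) regardless; 960 = 16 hours.
            MaxNoGPOListChangesInterval = $reg.MaxNoGPOListChangesInterval
        }
    }
}

Get-CseProcessingState | Sort-Object Name | Format-Table -AutoSize
```

Run it on the client after enabling, for example, Registry policy processing with the check box selected, and the Registry CSE row changes to Source = Policy with NoGPOListChanges = 0.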
Troubleshooting Group Policy

There may be times when you must troubleshoot Group Policy. There are two main issues that can occur with Group Policy processing:
• Policies are applied, but the results are inconsistent or incorrect.

These two issues might arise for the following reasons:
• Slow network conditions may exist.
• Inheritance or enforcement settings may be applied.
• The loopback setting may be turned on.

Start to troubleshoot by determining the scope of the issue. For example, is the issue widespread, or only affecting a single client? If the issue affects a single client, you should check for physical issues, such as incorrect configurations. These issues are usually easy to diagnose.

Most Group Policy issues are caused by:
• Inheritance
• Filtering
• Replication
Troubleshooting Inheritance
If none of the users or computers in an OU or child OUs receive policies that were linked to higher levels,
it may be because of inheritance blocking. The GPMC displays a blue exclamation mark when inheritance
is blocked. RSOP lists the GPOs that are being applied, and the GPOs that are being blocked. You can
generate Group Policy results at the destination computer or from the GPMC through the Group Policy
Results Wizard.
Troubleshooting Filtering
GPO filtering may result from:
• Security filtering
• WMI filtering
Symptoms of filtering issues may appear as inconsistent application of policies in an OU. If some users,
groups, or computers have filtering applied, they do not receive policies that other users in the same OU
receive.
Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If
there is a link to a non-existent WMI filter, the GPO with that link is not processed until the link is
removed or the filter is restored.
Troubleshooting Replication
Group Policy information takes time to propagate or replicate from one domain controller to another.
Replication issues are most noticeable in remote sites with slow connections and long replication latency.
You can use the new Status tab in the GPMC on Windows Server 2012 to determine the replication health
of the GPO. If replication is an issue, you must determine whether the problem is with SYSVOL replication
(the File Replication Service (FRS), or DFS Replication if SYSVOL has been migrated to DFSR) or with AD DS
replication. There are two simple tests that you can use to determine the issue:
• For SYSVOL replication, put a small test file into the SYSVOL directory. See whether it replicates to
other domain controllers.
• For AD DS replication, create a test object, such as an OU. See whether it replicates to other domain
controllers.
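A first-pass diagnosis that follows the three causes above (inheritance, filtering, replication) and then uses the Windows Server 2012 remote refresh and RSOP reporting described earlier in this lesson, as an added example that is not part of the course material. The OU Managers, the GPO Prohibit Registry Tools, the client LON-CL1 and the report path are assumptions.

```powershell
# Added example (not from the course): diagnose one OU / one client, then refresh and verify.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou      = 'OU=Managers,DC=adatum,DC=com'
$gpoName = 'Prohibit Registry Tools'
$client  = 'LON-CL1'
$report  = "C:\Temp\$client-rsop.html"

# --- Inheritance ------------------------------------------------------------------
$inh = Get-GPInheritance -Target $ou
"Block inheritance on $ou : $($inh.GpoInheritanceBlocked)"
# Effective links in application order (last wins); Enforced links pass through a block.
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# --- Filtering --------------------------------------------------------------------
# Security filtering: who actually holds Apply Group Policy on the GPO?
Get-GPPermission -Name $gpoName -All | Where-Object Permission -eq 'GpoApply' |
    ForEach-Object { "Apply granted to $($_.Trustee.Name) ($($_.TrusteeType))" }

# WMI filtering: a GPO linked to a filter that no longer exists is not processed at all.
$domainDn = (Get-ADDomain).DistinguishedName
$existing = Get-ADObject -LDAPFilter '(objectClass=msWMI-Som)' `
                -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$domainDn" |
            Select-Object -ExpandProperty Name                 # each name is the filter's {GUID}
Get-ADObject -LDAPFilter '(&(objectClass=groupPolicyContainer)(gPCWQLFilter=*))' -Properties displayName, gPCWQLFilter |
    ForEach-Object {
        $filterId = ($_.gPCWQLFilter -split ';')[1]            # value looks like "[adatum.com;{GUID};0]"
        if ($existing -notcontains $filterId) { Write-Warning "$($_.displayName) links missing WMI filter $filterId" }
    }

# --- Replication ------------------------------------------------------------------
# The AD DS and SYSVOL version numbers of the GPO must agree on every domain controller.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $g = Get-GPO -Name $gpoName -Server $dc
    [pscustomobject]@{ DC = $dc
                       ComputerAd = $g.Computer.DSVersion; ComputerSysvol = $g.Computer.SysvolVersion
                       UserAd     = $g.User.DSVersion;     UserSysvol     = $g.User.SysvolVersion }
}
Get-ADReplicationPartnerMetadata -Target (Get-ADDomainController).HostName -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# --- Refresh and verify -----------------------------------------------------------
Invoke-GPUpdate -Computer $client -RandomDelayInMinutes 0 -Force
Get-GPResultantSetOfPolicy -Computer $client -ReportType Html -Path $report
# The client's own record: event 5312 lists the GPOs applied, 5313 the GPOs filtered out and why.
Get-WinEvent -ComputerName $client -MaxEvents 2 `
    -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5312, 5313 } |
    Select-Object TimeCreated, Id, Message
```

Invoke-GPUpdate creates a scheduled task on the target that runs GpUpdate, so the client must accept the Remote Scheduled Tasks Management firewall rules; the same requirement applies to the GPMC Group Policy Update action.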
Best Practices for Implementing Group Policy

Group Policy is a very powerful tool, but you must apply it correctly. Implementing a Group Policy solution involves planning, designing, deploying, and maintaining the solution. There are some best practices that you should follow.

Plan Your Deployment
Define the scope of application of Group Policy. Define what types of settings are global to all users and computers, and design or modify the OU structure to accommodate Group Policy application. You should design the OU structure with Group Policy in mind and enhance the inherited nature of Group Policy settings by grouping objects in a hierarchy that enables that flow of Group Policy settings.

Create Standard Desktop Configurations
One of the goals of controlling the computing environment is to provide consistency. Standard desktop configurations for various user types or departments can make system repair or replacement a simpler task if many of the configuration settings are delivered by using Group Policy.

Do Not Use the Default Domain Policy or Default Domain Controllers Policy for Other Purposes
These two default policies provide basic settings for the domain, such as password policies, and for domain controllers, such as auditing settings. If you want to apply other configuration settings to the domain or to domain controllers, create new policies. Use the default policies for password, auditing, and security settings only.

Use Inheritance Modifications and Filtering Sparingly
Heavy use of blocking and enforcing of policies makes troubleshooting more difficult. Also try to avoid security and WMI filtering unless it is required.

Use Loopback Processing for Special Case Scenarios
Loopback can solve issues with desktop standardization for scenarios where users log on to special purpose systems, such as Remote Desktop Services or kiosk computers.

Implement a Change Request Process
Limit changes to Group Policy settings to a small group of administrators. All changes should be approved and documented. Consider using the Advanced Group Policy Management (AGPM) tool available with the Microsoft Desktop Optimization Pack (MDOP).
Lesson 5
Maintaining AD DS

Maintaining the health of AD DS is an important aspect of an administrator's job. In this lesson, you will learn how to use Windows Server Backup to effectively back up and restore AD DS and domain controllers. You will also learn how to optimize and protect your directory service so that if a domain controller does fail, you can restore it as quickly as possible.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe AD DS snapshots.
Options for AD DS Backup

Windows Server Backup was introduced in Windows Server 2008. It enables you to back up and restore a server, its roles, and its data. Windows Server Backup is installed as a feature in Server Manager.

In earlier versions of Windows, backing up Active Directory involved creating a backup of the System State. In Windows Server 2012, the System State still exists, but it is physically larger in size. Because of interdependencies between server roles, physical configuration, and Active Directory, the System State is now a subset of a full server backup and, in some configurations, might be just as large as a full server backup. To back up a domain controller, you must back up all critical volumes fully.

Windows Server Backup enables you to perform one of the following types of backups:
• Full server
• Selected volumes
• System State
• Individual files or folders
When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup includes all data that resides on the volumes that host the:
• Boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store.
• Windows operating system and the registry.
• SYSVOL tree.
• Active Directory database (Ntds.dit).
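A scheduled critical-volume backup of a domain controller with the Windows Server Backup cmdlets, followed by the check that matters most for a domain controller backup, as an added example that is not part of the course material. The backup target E:, the schedule and the function name are assumptions.

```powershell
# Added example (not from the course): register a nightly critical-volume backup of a DC and
# check that the newest backup is still restorable. E: and 01:00 are assumed values.
Install-WindowsFeature -Name Windows-Server-Backup

$policy = New-WBPolicy
# Bare metal recovery selects every critical volume (boot files, the operating system and registry,
# SYSVOL, NTDS.dit); the System State is included as well so that Directory Services Restore Mode
# can recover AD DS without a full-server restore.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
# Use a dedicated volume: a network share keeps only the most recent backup.
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath 'E:')
Set-WBSchedule -Policy $policy -Schedule ([datetime]'01:00')
# A VSS full backup updates the backup history; use -VssCopyBackup instead if another backup
# product also protects this host.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup
Set-WBPolicy -Policy $policy -Force

# Run the same policy once now instead of waiting for the schedule.
Start-WBBackup -Policy $policy

function Test-DcBackupAge {
    # A backup older than the tombstone lifetime must never be restored: the restored DC would
    # reintroduce objects that the rest of the domain has already purged (lingering objects).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }   # attribute absent = 60 days
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    [pscustomobject]@{
        LastSuccessfulBackup  = $last
        TombstoneLifetimeDays = $tsl
        Restorable            = ($last -gt (Get-Date).AddDays(-$tsl))
    }
}
Test-DcBackupAge
```

Get-WBSummary and Get-WBBackupSet show what the scheduled job has produced; wbadmin get versions shows the same backups in the form that the recovery commands expect.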
Options for AD DS Restore

When a domain controller or its directory is corrupted, damaged, or failed, you can restore the system by using several options.

The first option is called typical restore or nonauthoritative restore. In a normal restore operation, you restore a backup of Active Directory as of a known good date. Effectively, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. The domain controller "catches up" with the rest of the domain by using standard replication mechanisms. Normal restore is useful when the directory on a domain controller was damaged or corrupted, but the problem has not spread to other domain controllers. This is not a method that works if you are trying to restore a deleted object and the deletion has replicated to the other domain controllers.

If the typical restore does not work, you can perform an authoritative restore. In an authoritative restore, you restore the known good version of Active Directory just as you do in a typical restore. However, before restarting the domain controller, you mark the objects that you want to recover (the deleted objects) as authoritative so that they replicate from the restored domain controller to its replication partners. Behind the scenes, when you mark objects as authoritative, Windows increments the version number of all object attributes to be so high that the version is guaranteed to be higher than the version number of the deleted object on all other domain controllers. When you restart the restored domain controller, it replicates from its replication partners all changes that are made to the directory. It also notifies its partners that it has changes, and the version numbers of the changes ensure that partners take the changes and replicate them throughout the directory service.

The third option for restoring the directory service is to restore the whole domain controller. You do this by booting to the Windows Recovery Environment and restoring a full server backup of the domain controller. By default, this is a typical restore. If you must also mark objects as authoritative, you must restart the server in Directory Services Restore Mode and set those objects as authoritative before starting the domain controller into typical operation.
Finally, you can restore a backup of the System State to an alternative location. This enables you to examine files and, potentially, to mount the NTDS.dit file as described in the previous lesson. You should not copy the files from an alternative restore location over the production versions of those files. Do not do a piecemeal restore of Active Directory. This option is also used if you want to use the Install From Media option for creating a new domain controller.
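The authoritative restore sequence described above, as the commands are typed on a domain controller, added here as an example that is not part of the course material. The OU distinguished name OU=Sales,DC=adatum,DC=com, the backup target E: and the backup version identifier are assumptions; take the real version from the output of wbadmin get versions.

```powershell
# Added example (not from the course): authoritative restore of a deleted OU.
# The OU DN, E: and the -version value are assumed; the version comes from "wbadmin get versions".

# 1. From normal operation, make the next boot enter Directory Services Restore Mode (DSRM).
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# 2. In DSRM (log on as .\Administrator with the DSRM password) perform the nonauthoritative
#    System State restore. Do not reboot afterwards: the DC would replicate the deletion back in.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/15/2013-01:00 -backupTarget:E: -quiet

# 3. Mark only the objects that must win. ntdsutil raises their attribute version numbers by
#    100000 for every day since the backup, so they beat every copy on the replication partners.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=adatum,DC=com" quit quit
# ntdsutil also writes ar_<timestamp>_objects.txt (what was marked) and, for group memberships
# held in other domains or partitions, ar_<timestamp>_links_<domain>.ldf; import the latter on a
# DC of that domain once replication has converged:   ldifde -i -k -f <that .ldf file>

# 4. Clear the DSRM flag and return to normal operation. The DC catches up on everything else from
#    its partners and pushes the restored OU out to them.
bcdedit /deletevalue safeboot
Restart-Computer -Force
```

"restore object" instead of "restore subtree" marks a single object; "restore subtree" marks the object and everything beneath it, which is what a deleted OU needs.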
How Does the Active Directory Recycle Bin Work?

The Active Directory Recycle Bin was introduced in Windows Server 2008 R2. You could only access this feature by using Windows PowerShell cmdlets and the Ldp.exe LDAP utility.

In Windows Server 2012 you can now access the Active Directory Recycle Bin from the Active Directory Administrative Center. This simplifies the recovery of Active Directory objects that were erroneously deleted. It lets administrators enable the Recycle Bin and locate or restore deleted objects in the domain. It is no longer required to use Windows PowerShell or Ldp.exe to enable the Recycle Bin or restore objects in domain partitions.

Active Directory Recycle Bin Characteristics
The Active Directory Recycle Bin has the following characteristics:
• It must be manually enabled. As soon as it is enabled, you cannot disable it.
• The Active Directory Recycle Bin cannot restore sub-trees of objects in a single action. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does not restore the child objects. That must be done in a subsequent operation.
• The Active Directory Recycle Bin requires at least the Windows Server 2008 R2 forest functional level.

Enabling the Active Directory Recycle Bin
To enable the Active Directory Recycle Bin:
4. Acknowledge the warning dialog boxes to complete the action.
• Name
• When deleted
• Employee ID
• First name
• Last name
• Job title
• City
As soon as you locate the object to be restored, right-click the object, and then click Restore.
• To restore the object to its original location, in the Tasks pane, click Restore.
Demonstration Steps
1. Enable the Active Directory Recycle Bin.
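The same operations from Windows PowerShell, as an added example that is not part of the course material. It enables the Recycle Bin and then restores a deleted OU together with everything that was inside it, the case that the Administrative Center handles only as a sequence of separate restores. The domain adatum.com and the OU name Sales are assumptions; the recursive function is the example's own.

```powershell
# Added example (not from the course): enable the AD Recycle Bin and restore a deleted OU subtree.
# adatum.com and the OU name Sales are assumed.
Import-Module ActiveDirectory

$forest           = Get-ADForest
$domainDn         = (Get-ADDomain).DistinguishedName
$deletedContainer = "CN=Deleted Objects,$domainDn"

# Enabling is forest-wide and irreversible; it needs the Windows Server 2008 R2 forest functional level.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Restore-DeletedSubtree {
    # Restores one deleted object into $TargetPath, then recursively restores every object that
    # recorded it as lastKnownParent. A child cannot be restored while its parent is still deleted.
    param([Parameter(Mandatory)]$DeletedObject, [Parameter(Mandatory)][string]$TargetPath)

    # Capture the mangled DN ("OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...") before the restore:
    # that is exactly the value the children carry in lastKnownParent.
    $mangledDn = $DeletedObject.DistinguishedName
    $restored  = Restore-ADObject -Identity $DeletedObject.ObjectGUID -TargetPath $TargetPath -PassThru

    Get-ADObject -Filter "lastKnownParent -eq '$mangledDn'" -IncludeDeletedObjects -SearchBase $deletedContainer |
        ForEach-Object { Restore-DeletedSubtree -DeletedObject $_ -TargetPath $restored.DistinguishedName }
    $restored
}

# Locate the deleted OU by its last known name and parent; if it was deleted more than once,
# take the most recent deletion.
$ou = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Sales)(lastKnownParent=$domainDn))"
if (-not $ou) { throw 'No deleted OU named Sales found' }
$ou = @($ou) | Sort-Object whenChanged | Select-Object -Last 1

Restore-DeletedSubtree -DeletedObject $ou -TargetPath $domainDn | Select-Object DistinguishedName
```

Deleted objects stay recoverable for the deleted object lifetime (by default equal to the tombstone lifetime); after that they are recycled and only an authoritative restore from backup can bring them back.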
What Are AD DS Snapshots?

A snapshot captures the exact state of the directory service at the time of the snapshot. Unlike a backup, you cannot use a snapshot to restore data. However, you can use tools to explore the contents of the snapshot to examine the state of the directory service at the time the snapshot was made.

Creating a Snapshot
You use NTDSUtil to create and mount snapshots for viewing. To create a snapshot:
3. Type activate instance ntds, and then press Enter.
4. Type snapshot, and then press Enter.
5. Type list all, and then press Enter.
The command returns a list of all snapshots.
7. Type quit, and then press Enter.
8. Type quit, and then press Enter.
9. Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter (you can use any available port number).
10. Do not close the Command Prompt window and leave the command that you just ran, Dsamain.exe, running while you continue to the next step.
Viewing the Snapshot
After you have mounted the snapshot, you can use tools to connect to and explore the snapshot, including Active Directory Users and Computers.

To connect to a snapshot with Active Directory Users and Computers:
3. Click <Type a Directory Server name[:port] here> and enter the name of the domain controller and the port number that was used in the previous step, for example LON-DC1:50000, and then press Enter.

To unmount the snapshot:
1. Switch to the command prompt in which the snapshot is mounted.
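The whole snapshot cycle (create, mount, expose with Dsamain, query, unmount) scripted from Windows PowerShell, as an added example that is not part of the course material. The port 50000, the domain controller name LON-DC1 and the group compared are assumptions; the snapshot GUID and mount path are read from the NTDSUtil output rather than typed in.

```powershell
# Added example (not from the course): create, mount, query and unmount an AD DS snapshot.
# Port 50000 and LON-DC1 are assumed.
$port = 50000

# 1. Create a VSS snapshot of the volumes that hold the database and logs, then list snapshots.
ntdsutil snapshot "activate instance ntds" create quit quit
$list = ntdsutil snapshot "list all" quit quit
$list            # "N: <date> {set GUID}" followed by one "N: <drive> {volume GUID}" line per volume

# 2. Mount the newest volume snapshot (the last GUID listed). "mount" accepts an index or a GUID
#    and mounts the snapshot under C:\$SNAP_<datetime>_VOLUMEC$.
$guid = ([regex]'\{[0-9a-fA-F-]{36}\}').Matches(($list -join "`n")) | Select-Object -Last 1 -ExpandProperty Value
ntdsutil snapshot "activate instance ntds" "mount $guid" quit quit
$mount = Get-ChildItem -Path 'C:\' -Directory -Filter '$SNAP_*_VOLUMEC$' | Sort-Object Name | Select-Object -Last 1

# 3. Expose the copy read-only on an alternate LDAP port. dsamain occupies its console, so run it
#    as a separate process and keep the handle for a clean stop.
$dbPath  = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$dbPath`" -ldapport $port" -PassThru
Start-Sleep -Seconds 10

# 4. Query the snapshot exactly like a live DC, here to see how Domain Admins changed since then.
Import-Module ActiveDirectory
$then = Get-ADGroupMember -Identity 'Domain Admins' -Server "LON-DC1:$port" | Select-Object -ExpandProperty SamAccountName
$now  = Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
Compare-Object -ReferenceObject $then -DifferenceObject $now   # "=>" added since the snapshot, "<=" removed

# 5. Stop dsamain and unmount. A mounted snapshot is a complete copy of the directory, including
#    password hashes, so treat it like a backup and remove it when finished.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "activate instance ntds" "unmount $guid" quit quit
# To discard the snapshot entirely:  ntdsutil snapshot "delete $guid" quit quit
```

Active Directory Users and Computers connects to the same LDAP port in the way the procedure above describes; the PowerShell query is useful when the question is a difference between then and now rather than a single object.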
AD DS Database Maintenance

The Active Directory database is stored as a file named NTDS.dit. When you install and configure AD DS, you can specify the location of the file. The default location is %systemroot%\NTDS. In the NTDS folder, there are other files that support the Active Directory database. They are:
• EDB.chk. The EDB.chk file functions like a bookmark into the log files, marking the location before which transactions are successfully committed to the database, and after which transactions remain to be committed.
The Active Directory database is self-maintaining. Every 12 hours, by default, each domain controller
runs a process that is known as garbage collection. Garbage collection does two things. First, it removes
deleted objects that have outlived their tombstone lifetime, which is 180 days by default. Second, the
garbage collection process performs online defragmentation. Online defragmentation reorganizes the
rows of the database so that the blank rows are contiguous, very much like disk defragmentation
reorganizes sectors of a disk so that free space is contiguous. However, this process does not reduce the
file size of the database. It optimizes the internal order of the database. In most organizations, this will be
sufficient.
To reduce the physical size of the NTDS.dit, perform offline defragmentation. To perform an offline
defragmentation you must stop the AD DS. Then use the NTDSUtil to compact the database to a different
location. Then replace the original NTDS.dit with the compacted version.
Note: Do not delete the original NTDS.dit, you only have to rename it.
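The offline defragmentation described above, using the restartable AD DS service so that the domain controller does not have to be rebooted into Directory Services Restore Mode, as an added example that is not part of the course material. The database and working directory paths are assumptions.

```powershell
# Added example (not from the course): offline defragmentation of NTDS.dit. While NTDS is stopped
# this DC authenticates nobody, so do one DC at a time. Paths are assumed.
$ntdsDir = 'C:\Windows\NTDS'
$dit     = Join-Path $ntdsDir 'ntds.dit'
$compact = 'C:\NTDSCompact'

# The compacted copy needs free space at least equal to the current database size.
$before = (Get-Item $dit).Length
$drive  = Get-PSDrive -Name $compact.Substring(0, 1)
if ($drive.Free -lt $before) { throw "Need $before bytes free on $($drive.Name): for the compacted copy" }
New-Item -ItemType Directory -Path $compact -Force | Out-Null

# 1. Stop AD DS (and with it the dependent services: KDC, DNS, DFSR or FRS, Netlogon).
Stop-Service -Name NTDS -Force

# 2. Compact to a different location; ntdsutil does not compact in place.
$out = ntdsutil "activate instance ntds" files "compact to $compact" quit quit
if (-not ($out -match 'Compaction is successful')) { Start-Service -Name NTDS; throw ($out -join "`n") }

# 3. Keep the original by renaming it (do not delete it), move the compacted copy into place and
#    remove the old transaction logs, which belong to the old database.
Rename-Item -Path $dit -NewName 'ntds.dit.old'
Copy-Item -Path (Join-Path $compact 'ntds.dit') -Destination $dit
Remove-Item -Path (Join-Path $ntdsDir '*.log')

# 4. Verify the new database before starting AD DS; put the original back if the check fails.
$out = ntdsutil "activate instance ntds" files integrity quit quit
if (-not ($out -match 'Integrity check successful')) {
    Remove-Item -Path $dit
    Rename-Item -Path (Join-Path $ntdsDir 'ntds.dit.old') -NewName 'ntds.dit'
    Start-Service -Name NTDS
    throw "Integrity check failed; original database put back:`n$($out -join "`n")"
}
Start-Service -Name NTDS
'NTDS.dit: {0:N0} bytes before, {1:N0} bytes after' -f $before, (Get-Item $dit).Length
```

Delete ntds.dit.old only after the domain controller has started, replicated with its partners and passed a dcdiag run; until then it is the only copy of the database that has not been rewritten.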
Lab: Implementing AD DS
Scenario
A. Datum is an engineering and manufacturing company. The organization is based in London, England,
but is quickly expanding the London location as well as internationally. As the company has expanded,
some business requirements are changing as well. To address some business requirements, A. Datum had
decided to deploy Windows Server 2012.
As the company expands, they must also expand their Active Directory infrastructure. You are assigned to
implement new domain controllers and also to consider implementation of RODCs, where appropriate.
Also, there are reports that Group Policies are not being applied on some computers, so you must
troubleshoot. The company also wants to centralize management of all accounts that are being used for
services, and to stop usage of local accounts for that purpose. Also, you must evaluate available
techniques for AD DS maintenance.
Objectives
• Deploy an RODC
• Maintain AD DS
Lab Setup
Estimated time: 60 minutes
Virtual machines: 20417A-LON-DC1, 20417A-LON-SVR3, 20417A-LON-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20417A-LON-SVR3, and 20417A-LON-CL1. Do not log on to LON-SVR3 or
LON-CL1 until instructed to do so.
2. Open the notifications and complete the Post-deployment Configuration to promote LON-SVR3 to a
read-only domain controller (RODC) in the existing domain.
Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a
server group, deployed an RODC remotely, and configured the password replication policy and
administrative assignments for the RODC.
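The remote RODC promotion and the password replication policy (PRP) configuration from this exercise as an added PowerShell example (not from the lab). It assumes the domain is Adatum.com, the RODC belongs in Default-First-Site-Name, and the groups "Branch Users" and "Branch Admins" already exist; none of those names are given on the page.

```powershell
# Added example (not from the lab): promote LON-SVR3 to an RODC from LON-DC1 and manage its PRP.
# Assumptions: domain Adatum.com, site Default-First-Site-Name, groups "Branch Users" and
# "Branch Admins" exist.
$domain = 'Adatum.com'
$cred   = Get-Credential -Message 'Account with rights to add a domain controller'
$dsrm   = Read-Host -Prompt 'DSRM password for LON-SVR3' -AsSecureString

# Remote promotion, the PowerShell equivalent of the Server Manager post-deployment task.
# -ReadOnlyReplica makes the new DC an RODC. The deny list keeps privileged accounts from ever
# being cached on a DC that sits in a branch; the allow list limits caching to the users who
# log on there; the delegated group administers the RODC without being Domain Admins.
Invoke-Command -ComputerName LON-SVR3 -Credential $cred -ScriptBlock {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Install-ADDSDomainController -DomainName $using:domain -ReadOnlyReplica `
        -SiteName 'Default-First-Site-Name' -InstallDns `
        -DelegatedAdministratorAccountName 'Adatum\Branch Admins' `
        -AllowPasswordReplicationAccountName 'Adatum\Branch Users' `
        -DenyPasswordReplicationAccountName 'Adatum\Domain Admins', 'Adatum\Enterprise Admins', 'Adatum\Administrators' `
        -SafeModeAdministratorPassword $using:dsrm -Credential $using:cred -Force
}

# After LON-SVR3 restarts: adjust the PRP from LON-DC1 and review it.
Import-Module ActiveDirectory
Add-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -AllowedList 'Branch Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -DeniedList 'Domain Admins'
Get-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -Denied  | Select-Object Name

# Pre-populate the cache so branch users can still log on when the WAN link is down.
Get-ADGroupMember -Identity 'Branch Users' | ForEach-Object {
    Sync-ADObject -Object $_ -Source LON-DC1 -Destination LON-SVR3 -PasswordOnly
}

# The security check: which secrets are actually stored on this RODC. This is what someone
# who walks off with the RODC's disk can recover, so it should list branch accounts only.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity LON-SVR3 -RevealedAccounts | Select-Object Name
# Accounts that have authenticated through the RODC: candidates for the allow list, or for a closer look.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity LON-SVR3 -AuthenticatedAccounts | Select-Object Name
```

Privileged groups are in the default Denied RODC Password Replication Group already; the explicit deny list above makes the intent visible in the policy rather than relying on the default group membership.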
• No domain user should be able to change their desktop background.
• All domain users except the IT group should be unable to access Registry Editor.
Currently, there are problems in the way the GPOs that deliver those settings are being applied.
You have to investigate, troubleshoot and resolve this problem.
1. Log on as Brad with the password of Pa$$w0rd. Attempt to change the desktop background and
attempt to start the Registry Editor.
2. Use GPResult to determine the RSOP and then log off of LON-CL1.
3. Log on as Bill with the password of Pa$$w0rd. Attempt to change the desktop background and
attempt to start the Registry Editor.
4. Use GPResult to determine the RSOP.
2. Use the Group Policy Management console to investigate and correct the issues.
4. Remove the block inheritance setting from the Managers OU to resolve the issue.
5. Think of a way to ensure that the Prohibit Registry Tools GPO will not be applied to IT group users.
6. Use Security Filtering to deny access to the policy to the IT security group.
3. Log on to LON-CL1 as Brad with a password of Pa$$w0rd and run the GPResult utility.
Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.
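The GPResult and GPMC steps of this exercise as an added PowerShell example (not from the lab). It assumes the domain is Adatum.com, the Managers OU sits directly under the domain root, and "IT" is the group that must be exempt from the "Prohibit Registry Tools" GPO; the OU path and domain name are assumptions.

```powershell
# Added example (not from the lab): diagnose and fix the two Group Policy problems.
# Assumptions: domain Adatum.com, OU=Managers directly under the domain, group "IT".
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Resultant Set of Policy for the logged-on user (run on LON-CL1). A GPO that is missing
#    from "Applied Group Policy Objects" or listed under "Filtering: Denied" points at
#    inheritance or security filtering rather than at the settings themselves.
gpresult /r /scope:user
# The same report for a named user and computer, generated from LON-DC1:
Get-GPResultantSetOfPolicy -User 'Adatum\Brad' -Computer 'LON-CL1' -ReportType Html -Path 'C:\Temp\Brad-rsop.html'

# 2. Inheritance. A blocked OU drops every GPO linked above it unless the link is enforced.
$managersOU = 'OU=Managers,DC=Adatum,DC=com'
if ((Get-GPInheritance -Target $managersOU).GpoInheritanceBlocked) {
    Set-GPInheritance -Target $managersOU -IsBlocked No
}
(Get-GPInheritance -Target $managersOU).InheritedGpoLinks |
    Format-Table DisplayName, Enforced, Enabled        # the domain-level GPOs are back

# 3. Security filtering. Who is allowed to apply "Prohibit Registry Tools" today?
$gpo = Get-GPO -Name 'Prohibit Registry Tools'
Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{n='Trustee';e={$_.Trustee.Name}}, Permission

# Exempting IT needs an explicit Deny on "Apply Group Policy" (GPMC: Delegation > Advanced).
# Set-GPPermission only writes Allow entries, so the deny ACE is written directly on the
# GPO's AD object. Apply-Group-Policy is the extended right edacfd8f-ffb3-11d1-b41d-00a0c968f939.
$itSid  = (Get-ADGroup -Identity 'IT').SID
$gpoObj = [ADSI]("LDAP://" + $gpo.Path)
$deny   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $itSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939')
$gpoObj.ObjectSecurity.AddAccessRule($deny)
$gpoObj.CommitChanges()

# 4. Verify from LON-CL1 as an IT member: the GPO now shows as denied for that user.
gpupdate /force
gpresult /r /scope:user
```

Because the deny ACE was written to the AD object only, GPMC will report that the SYSVOL permissions for this GPO are inconsistent the next time the GPO is opened and offer to synchronize them; accept that so both copies of the ACL agree.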
2. Configure the Web Server Application Pool to use the group managed service account.
3. Create the new service account named Webservice for the host LON-DC1.
4. Associate the Webservice managed account with LON-DC1.
5. Verify that the group managed service account was created by using the Get-ADServiceAccount cmdlet.
Task 2: Configure the Web Server Application Pool to Use the Group Managed
Service Account
1. On LON-DC1, configure the DefaultAppPool to use the Webservice$ account as the identity.
Results: After completing this exercise, you will have created and associated a managed service account,
installed a managed service account on a web server, and verified password change for a managed
service account.
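The gMSA steps of this exercise as an added PowerShell example (not from the lab). It assumes the domain is Adatum.com, that no KDS root key exists yet in the forest, and that the service will be reached as webservice.adatum.com; those names are assumptions, only "Webservice", "LON-DC1" and "DefaultAppPool" come from the page.

```powershell
# Added example (not from the lab): create the Webservice gMSA, bind it to LON-DC1, and run
# the IIS DefaultAppPool as that account. Assumptions: domain Adatum.com, no KDS root key yet.
Import-Module ActiveDirectory

# gMSAs need a KDS root key in the forest. In production use -EffectiveImmediately and wait
# up to 10 hours for replication; the backdated EffectiveTime is a single-DC lab shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# The password is generated and rotated by AD DS (every 30 days by default) and can only be
# retrieved by the principals listed here. No person ever knows it, which is the point of
# replacing local and shared service accounts.
New-ADServiceAccount -Name Webservice -DNSHostName 'webservice.adatum.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$' `
    -ServicePrincipalNames 'HTTP/webservice.adatum.com'

# Bind the account on the host that will use it, then confirm the host can fetch the password.
Install-ADServiceAccount -Identity Webservice
Test-ADServiceAccount -Identity Webservice        # True when LON-DC1 can retrieve the password

# Verify the object: who may read the password, the rotation interval, and the SPNs.
Get-ADServiceAccount -Identity Webservice `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', ServicePrincipalNames

# IIS: identityType SpecificUser, the gMSA name with its trailing $, and an empty password.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = 'Adatum\Webservice$'; password = '' }
Restart-WebAppPool -Name DefaultAppPool
(Get-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel).userName   # Adatum\Webservice$
```

If Test-ADServiceAccount returns False, the host is not in PrincipalsAllowedToRetrieveManagedPassword or the KDS root key is not yet effective on the DC the host is talking to.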
Exercise 4: Maintaining AD DS
Scenario
As part of the maintenance plan, you are assigned the task of evaluating possibilities to quickly restore
accidentally deleted objects. You decide to enable and test Active Directory snapshots and the AD DS
Recycle Bin.
   o Ntdsutil
   o Snapshot
   o Activate instance ntds
   o Create
4. Mount the snapshot as a new instance of AD DS by running the Mount {GUID} command.
5. Close ntdsutil.
6. Use the dsamain command to expose the snapshot to LDAP port 50000.
7. Use Active Directory Users and Computers to delete Allie Bellew from the Research OU.
8. Use Active Directory Users and Computers to connect LON-DC1 to the snapshot instance at port
50000.
Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.
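The snapshot, dsamain and Recycle Bin steps of this exercise as an added PowerShell example (not from the lab). It assumes the domain is Adatum.com at forest functional level Windows Server 2008 R2 or higher, that ntdsutil mounts the snapshot on the C: volume, and that the script runs on LON-DC1 itself; the test user Allie Bellew in the Research OU and port 50000 come from the page.

```powershell
# Added example (not from the lab): AD DS snapshot, read-only LDAP view, Recycle Bin restore.
# Assumptions: domain Adatum.com, run on LON-DC1, snapshot mounted under C:\$SNAP_<time>_VOLUMEC$.
Import-Module ActiveDirectory
$domainDN = 'DC=Adatum,DC=com'

# 1. Enable the Recycle Bin. This is irreversible for the forest; with it on, a deleted object
#    keeps its attributes and group memberships for the deleted-object lifetime.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'Adatum.com' -Confirm:$false

# 2. Take a snapshot and mount it. ntdsutil takes menu commands as arguments; "mount 1"
#    mounts the first entry of "list all" (the GUID the lab text mentions works too).
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" "mount 1" quit quit
$snapDb = Get-ChildItem -Path 'C:\$SNAP_*' -Directory |
    ForEach-Object { Join-Path $_.FullName 'Windows\NTDS\ntds.dit' } |
    Where-Object { Test-Path $_ } | Select-Object -First 1

# 3. Expose the snapshot read-only over LDAP on port 50000. dsamain stays in the foreground,
#    so it runs as its own process.
$dsamain = Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$snapDb`" -ldapport 50000" -PassThru

# 4. Delete the test user, then compare live AD DS with the snapshot. The AD module can be
#    pointed at the mounted instance with -Server host:port.
Remove-ADUser -Identity "CN=Allie Bellew,OU=Research,$domainDN" -Confirm:$false
Get-ADUser -Filter "name -eq 'Allie Bellew'" -SearchBase "OU=Research,$domainDN"                        # nothing
Get-ADUser -Filter "name -eq 'Allie Bellew'" -SearchBase "OU=Research,$domainDN" -Server 'LON-DC1:50000' # still present

# 5. Restore from the Recycle Bin. Deleted objects are renamed "<name>\0ADEL:<guid>", hence -like.
Get-ADObject -Filter { isDeleted -eq $true -and name -like 'Allie Bellew*' } -IncludeDeletedObjects |
    Restore-ADObject
Get-ADUser -Filter "name -eq 'Allie Bellew'" -SearchBase "OU=Research,$domainDN" -Properties MemberOf   # back, with group memberships

# 6. Clean up. The snapshot holds a full copy of the database, password hashes included,
#    which is exactly what an attacker uses ntdsutil snapshots for; do not leave it lying around.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount 1" "delete 1" quit quit
```

Querying the mounted instance through the AD module works because Active Directory Web Services on the DC serves dsamain instances as well as the live database; from another machine, use LDAP tools such as ldp.exe against LON-DC1:50000 instead.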
• When cloning VDCs, we recommend copying disks manually if there is only one drive. We
recommend Export for VMs with more than one drive or other complex customizations such as
multiple NICs.
• AD DS should be at the minimum Windows Server 2008 R2 level to provide fully automatic password
and SPN management for managed service accounts.
Review Questions
You have a mixture of client computers running Windows XP and Windows 8. After you configure several
settings in the Administrative Templates and Preferences of a GPO, Windows XP users report that some
settings are being applied while others are not. What is the likely cause?
When you have branch offices across WAN links, what solutions are available to facilitate client logons in
the branch offices?
What if security is a concern?
What can you do to help prevent network interruptions from preventing users from logging on?
Tools
Tool: Server Manager
   Use: A central location for all aspects of server management
   Location: Open by default on logon, or can be accessed from the task bar
Tool: Active Directory Users and Computers; Active Directory Sites and Services; Active Directory Domains and Trusts
   Use: Control all aspects of Active Directory management
   Location: Can be accessed from the Tools drop-down menu in Server Manager
Tool: GPMC
   Use: Control all aspects of Group Policy management
   Location: Can be accessed from the Tools drop-down menu in Server Manager
Tool: Active Directory Best Practices Analyzer
   Use: Can detect best practices violations and provide help implementing best practices
   Location: Server Manager Dashboard
Tool: Active Directory Recycle Bin
   Use: Restore objects that were deleted in error from AD DS
   Location: Can be accessed from the Active Directory Administrative Center
Module 12
Implementing Active Directory Federation Services
Module Overview
Active Directory® Federation Services (AD FS) in Windows Server® 2012 provides flexibility for
organizations that want to enable their users to log on to applications that may be located on a local
network, at a partner company, or in an online service. AD FS enables an organization to manage its own
user accounts, and users only have to remember one set of credentials. However, those credentials can be
used to provide access to a variety of applications, located in a variety of locations.
This module provides an overview of AD FS, and details how to configure AD FS in both a single
organization scenario and in a partner organization scenario.
Objectives
• Describe the identity-federation business scenarios, and how you can use AD FS to address
the scenarios.
Lesson 1
Overview of Active Directory Federation Services
AD FS is the Microsoft® implementation of an identity federation framework that enables organizations to
establish federation trusts and share resources across organizational boundaries. AD FS is compliant with
common web-services standards to enable interoperability with other identity federation
implementations.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe identity federation.
• Describe claims-based authentication.
• Describe web services.
• Describe AD FS.
• Explain how AD FS enables SSO within a single organization.
What Is Identity Federation?
Identity federation enables the distribution of identification, authentication, and authorization across
organizational and platform boundaries. You can implement identity federation within a single organization
to enable access to diverse web applications, or between two organizations that have a relationship of trust
between them.
To establish an identity federation partnership, both partners agree to create a federated trust relationship.
This federated trust is based on an ongoing business relationship, and enables the organizations to
implement business processes identified in the business relationship.
As a part of the federated trust, each partner defines what resources are accessible to the other
organization, and how to enable access to the resources. For example, to update a sales forecast, a sales
representative may need to collect information from a supplier's database that is hosted on the supplier's
network. The domain administrator for the sales representative is responsible for ensuring that the
appropriate sales representatives are members of the group that requires access to the supplier's
database. The administrator of the organization in which the database is located is responsible for
ensuring that the partner's employees only have access to the data that they require.
In an identity federation solution, user identities and their associated credentials are stored, owned, and
managed by the organization in which the user is located. As part of the identity federation trust, each
organization also defines how the user identities are shared securely to restrict access to resources. Each
partner must define the services that it makes available to trusted partners and customers, and also define
which other organizations and users it trusts, what types of credentials and requests it accepts, and its
privacy policies, to ensure that private information is not accessible across the trust.
What Is Claims-Based Identity?
Claims-based authentication addresses issues with extending typical authentication and authorization
mechanisms outside the boundaries associated with that mechanism. For example, in most organizations,
users are authenticated by an AD DS domain controller when they log on to the network. If the user
provides the right credentials to the domain controller, the user is granted a security token. Applications
that are running on servers in the same AD DS environment trust the security tokens that the AD DS
domain controllers provide. This is because the servers can communicate with the same domain
controllers where the users authenticated.
The problem with this authentication is that it does not extend easily outside the boundaries of the AD DS
forest. Although it is possible to implement Kerberos or NTLM-based trusts between two AD DS forests,
servers on both sides of the trust must communicate with domain controllers in the other forest to make
authentication and authorization decisions. The problem becomes even more complicated when users
have to access resources hosted in cloud-based systems, such as Microsoft Azure™ or Microsoft Office
365.
Claims-based authentication provides a mechanism for separating user authentication and authorization
from individual applications. With claims-based authentication, users can authenticate to a directory
service in their organization, and be granted a claim based on that authentication. The claim then can
be presented to an application that is running in a different organization. The application is designed to
enable user access to the information or features based on the claims presented.
Web Services Overview
For claims-based authentication to work, organizations have to agree on the format for exchanging claims.
Rather than have each business define this format, a set of specifications has been developed that any
organization can use if it wants to implement a federated identity solution. This set of specifications is
identified broadly as web services.
To enhance interoperability, a set of industry standards defines web services, which are based on the
following standards:
• Most web services use XML to transmit data through HTTP. XML enables developers to create their
own customized tags, enabling the definition, transmission, validation, and interpretation of data
between applications and organizations.
• Web services expose useful functionality to web users through a standard web protocol. In most
cases, the protocol used is SOAP. SOAP is the communications protocol for XML web services. SOAP
is a specification that defines the XML format for messages. Essentially, it describes what a valid XML
document looks like.
• Web services provide a way to describe their interfaces in enough detail to enable a user to build
a client application to communicate with the service. This description is usually provided in an XML
document called a WSDL document. In other words, a WSDL file is an XML document that describes
a set of SOAP messages and how the messages are exchanged.
• Web services are registered so that potential users can find them easily. This is done with Universal
Discovery Description and Integration (UDDI). A UDDI directory entry is an XML file that describes a
business and the services it offers.
WS-* Security Specifications
There are many components included in web-services specifications (also known as "WS-* specifications").
However, the most relevant specifications for an AD FS environment are the WS-Security specifications.
The specifications that are part of the Web Service Security specifications include the following:
• WS-Security. WS-Security describes enhancements to SOAP messaging to provide quality of
protection through message integrity, message confidentiality, and single message authentication.
WS-Security also provides a general-purpose, but extensible, mechanism for associating security
tokens with messages and how to encode binary security tokens, specifically X.509 certificates and
Kerberos tickets, in SOAP messages.
• WS-Trust. WS-Trust defines extensions that build on WS-Security to request and issue security tokens
and manage trust relationships.
Security Assertion Markup Language
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging claims
between an identity provider and a service or application provider. SAML assumes that a user has been
authenticated by an identity provider, and that the identity provider has populated the appropriate
claim information in the security token. When the user is authenticated, the identity provider passes
a SAML assertion to the service provider. On the basis of this assertion, the service provider can make
authorization and personalization decisions within an application. The communication between federated
servers is based around an XML document storing the X.509 certificate for token-signing, and the SAML
1.1 token.
What Is AD FS?
AD FS is the Microsoft implementation of an identity-federation solution that can use claims-based
authentication. AD FS provides the mechanisms to implement both the identity-provider and
service-provider components in an identity-federation deployment.
• Enterprise claims provider for claims-based applications: You can configure an AD FS server as a
claims provider, which means that the server can issue claims about authenticated users. This enables
an organization to provide its users with access to claims-aware applications in another organization by
using SSO.
Note: The Windows Server 2012 version of AD FS is built on AD FS version 2.0, which was
the second generation of AD FS that Microsoft released. The first version, AD FS 1.0, required
AD FS web agents to be installed on all web servers that were using AD FS, and provided both
claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or
SAML.
AD FS Features
The following are some of the key AD FS features:
• Passive and smart client support. Because AD FS is based on the WS-* architecture, it supports
federated communications between any WS-enabled endpoints, including communications between
servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for
SOAP-based smart clients, such as servers, mobile phones, personal digital assistants (PDAs), and
desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and WS-
Federation Active Requestor Profile standards for client support.
• Extensible architecture. AD FS provides an extensible architecture that supports various security token
types, including SAML and Kerberos authentication, as well as the ability to perform custom claims
transformations. For example, AD FS can convert from one token type to another or add custom
business logic as a variable in an access request. Organizations can use this extensibility to modify
AD FS to coexist with their current security infrastructure and business policies.
• Enhanced security. AD FS also increases the security of federated solutions by delegating
responsibility of account management to the organization closest to the user. Each individual
organization in a federation continues to manage its own identities, and is capable of securely sharing
and accepting identities and credentials from other members' sources.
How AD FS Enables SSO in a Single Organization
For many organizations, configuring access to applications and services may not require an AD FS
deployment. If all users are members of the same AD DS forest, and if all applications are running on
servers that are members of the same forest, you typically can use AD DS authentication to provide
application access. However, there are several scenarios in which you can use AD FS, and enable SSO, to
optimize the user experience, including:
• The applications may not be running on Windows servers or on any servers that support AD DS
authentication. The applications may require SAML or web services for authentication and
authorization.
• Large organizations frequently have multiple domains and forests that may be the results of mergers
and acquisitions. Users in multiple forests might require access to the same applications.
• Users from outside the office might require access to applications that are running on internal servers.
The external users may be logging on to the applications from computers that are not part of the
internal domain.
Note: Implementing AD FS does not necessarily mean that users are not prompted
for authentication when they access applications. Depending on the scenario, users may be
prompted for their credentials. However, the key point is that users always authenticate by using
their internal credentials. They never have to remember alternate credentials for the application.
Organizations can use AD FS to enable SSO in these scenarios. Because all users and the application are
in the same organization, the organization only has to deploy a single federation server. This server can
operate as the claims provider so that it authenticates user requests and issues the claims. The same server
also is the relying party, or the consumer of the claims, to provide authorization for application access.
Note: The slide and the following description use the terms Federation Server and
Federation Service Proxy to describe AD FS server roles. The Federation Server is responsible for
issuing claims, and in this scenario, also is responsible for consuming the claims. The Federation
Service Proxy is a proxy component that we recommend is used in a deployment where users
outside the network need to access the AD FS environment. The next lesson covers these
components in more detail.
1. The client computer, which is located outside the network, must access a web-based application on
the web server. The client computer sends an HTTPS request to the web server.
2. The web server receives the request, and identifies that the client computer does not have a claim.
The web server redirects the client computer to the Federation Service proxy.
3. The client computer sends an HTTPS request to the Federation Service proxy. Depending on the
scenario, the Federation Service proxy may prompt the user for authentication or use Windows
Integrated authentication to collect the user credentials.
4. The Federation Service proxy passes the request and the credentials to the Federation Server.
6. If authentication is successful, the federation server collects AD DS information about the user, which
is used to generate the user’s claims.
7. If the authentication is successful, the authentication information and other information is collected in
a security token and passed back to the client computer, through the Federation Service proxy.
8. The client presents the token to the web server. The web resource receives the request, validates the
signed tokens, and uses the claims in the user’s token to provide access to the application.
How AD FS Enables SSO in a Business-to-Business Federation
One of the most common scenarios for deploying AD FS is to provide SSO in a business-to-business
(B2B) federation. In the scenario, the organization that requires access to another organization's
application or service can manage their own user accounts, and define their own authentication
mechanisms. The other organization can define what applications and services are exposed to
users outside the organization and what claims it accepts to provide application access. To enable
application or service sharing in this scenario, the organizations just have to establish a federation
trust, and then define the rules for exchanging claims between the two organizations.
6. If the client computer is logged on to the domain already, the federation server can take the user's
Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows
Integrated Authentication.
8. The federation server creates the claim for the user based on the rules defined for the federation
partner. The claims data is placed in a digitally signed security token, and then sent to the client
computer. The client computer then posts it back to A. Datum's federation server.
9. A. Datum's federation server validates that the security token came from a trusted federation partner.
10. A. Datum's federation server creates and signs a new token, which it sends to the client computer. The
client computer then sends the token back to the original URL requested.
11. The application on the web server receives the request, and validates the signed tokens. The web
server issues the client a session cookie that indicates that it has authenticated successfully. The
federation server issues a file-based persistent cookie (good for 30 days by default) to eliminate the
home-realm discovery step during the cookie lifetime. The application then provides access to the
application, based on the claims that the user provides.
How AD FS Enables SSO with Online Services
As organizations move services and applications to cloud-based services, it is increasingly important
that these organizations have some way to simplify the authentication and authorization experience for
their users as they consume the cloud-based services. Cloud-based services add another level of
complexity to the IT environment, as those services are located outside the direct administrative control
of the IT administrators, and the services may be running on many different platforms.
When users try to log on to their Exchange Online mailbox, the user must be authenticated by using their
internal AD DS credentials. If the user tries to log on directly to the Exchange Online environment, they are
redirected back to the internal AD FS deployment to authenticate before the user is given access.
The following steps describe how a user tries to access their online mailbox by using a web browser:
6. If the client computer is logged on to the domain already, the federation server can take the user's
Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows
Integrated Authentication. If the user is logging on from outside the network, or from a computer
that is not a member of the internal domain, the user is prompted for credentials.
7. The AD DS domain controller authenticates the user, and sends the success message back to the
federation server, along with other information about the user that can be used to generate the user's
claims.
8. The federation server creates the claim for the user, based on the rules that are defined during the
AD FS server setup. The claims data is placed in a digitally signed security token, and then sent to the
client computer. The client computer then posts it back to the Microsoft Online federation server.
9. The Microsoft Online federation server validates that the security token came from a trusted
federation partner. This trust is configured when you configure the hybrid Exchange environment.
10. The Microsoft Online federation server creates and signs a new token, which it sends to the client
computer. The client computer then sends the token back to the Outlook Web App server.
11. The Outlook Web App server receives the request and validates the signed tokens. The server issues
the client a session cookie, which indicates that it has successfully authenticated. The user then is
granted access to their Exchange server mailbox.
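What "validates the signed tokens" means in step 8 of the single-organization flow and step 11 of the B2B and online-services flows above, as an added PowerShell example (not from the course). Everything in it is constructed: a throwaway RSA key pair stands in for the partner's token-signing certificate, the assertion is a minimal SAML 1.1-shaped document rather than a real AD FS token, and the issuer name fs.treyresearch.net is invented. The relying party's rule it demonstrates is the one that matters in practice: verify the XML signature with the key you already trust from the partner's federation metadata, and only then read the claims.

```powershell
# Added example (not from the course): sign and verify a minimal SAML-style assertion with
# .NET's SignedXml, the way a relying party checks a token before trusting its claims.
# Assumptions: constructed keys and document; fs.treyresearch.net is a fictitious partner.
Add-Type -AssemblyName System.Security

function New-SignedAssertion {
    param([System.Security.Cryptography.RSA]$SigningKey, [string]$Subject, [string[]]$Groups)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $attrs = ($Groups | ForEach-Object { "<Attribute Name='Group'><AttributeValue>$_</AttributeValue></Attribute>" }) -join ''
    $xml.LoadXml("<Assertion xmlns='urn:oasis:names:tc:SAML:1.0:assertion' AssertionID='_a1' Issuer='fs.treyresearch.net'>" +
                 "<AttributeStatement><Subject><NameIdentifier>$Subject</NameIdentifier></Subject>$attrs</AttributeStatement></Assertion>")
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
    $signed.SigningKey = $SigningKey
    $ref = New-Object System.Security.Cryptography.Xml.Reference
    $ref.Uri = ''                                   # enveloped signature over the whole document
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signed.AddReference($ref)
    $signed.ComputeSignature()
    $xml.DocumentElement.AppendChild($xml.ImportNode($signed.GetXml(), $true)) | Out-Null
    return $xml.OuterXml
}

function Test-AssertionSignature {
    param([string]$AssertionXml, [System.Security.Cryptography.RSA]$TrustedPublicKey)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.LoadXml($AssertionXml)
    $sigs = $xml.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigs.Count -ne 1) { return $false }        # unsigned, or more than one signature: reject
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
    $signed.LoadXml([System.Xml.XmlElement]$sigs.Item(0))
    # Verify against the key trusted from the partner's metadata, never against a key carried
    # inside the token: KeyInfo is under the sender's control.
    return $signed.CheckSignature($TrustedPublicKey)
}

# Constructed key pair standing in for the partner's token-signing certificate.
# Provider type 24 (PROV_RSA_AES) so the key can sign with SHA-256 on newer .NET versions.
$csp = New-Object System.Security.Cryptography.CspParameters(24)
$partnerKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
$partnerKey.PersistKeyInCsp = $false
# The relying party holds only the public half, as published in the partner's metadata.
$trustedPub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$trustedPub.ImportParameters($partnerKey.ExportParameters($false))

$token = New-SignedAssertion -SigningKey $partnerKey -Subject 'bill@treyresearch.net' -Groups 'Sales'
Test-AssertionSignature -AssertionXml $token -TrustedPublicKey $trustedPub                                    # True
Test-AssertionSignature -AssertionXml ($token -replace 'Sales', 'Domain Admins') -TrustedPublicKey $trustedPub # False: claims altered in transit
$otherKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
$otherKey.PersistKeyInCsp = $false
$forged = New-SignedAssertion -SigningKey $otherKey -Subject 'mallory@example.test' -Groups 'Sales'
Test-AssertionSignature -AssertionXml $forged -TrustedPublicKey $trustedPub                                   # False: not the partner's key
```

A real relying party also checks the assertion's validity window and audience before using the claims; AD FS does that for you, and the signing key it trusts is the token-signing certificate recorded on the claims provider trust, which is why rotating that certificate has to be coordinated with partners.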
Lesson 2
Deploying Active Directory Federation Services
Now that you have an understanding of how AD FS works, the next step is deploying the service. Before
deploying AD FS, you must understand the components that you deploy, and the prerequisites that you
must meet, especially with regard to certificates. This lesson provides an overview of deploying the AD FS
server role in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components that an AD FS deployment can include.
• Describe the AD FS federation server roles.
• Install the AD FS server role.
AD FS Components
AD FS is installed as a server role in Windows Server 2012. However, there are many different
components that you can install and configure in an AD FS deployment. The following table lists the
AD FS components.
Component: What does it do?
Federation Server: The federation server issues, manages, and validates requests that involve identity
claims. All implementations of AD FS require at least one Federation Service.
Federation Server Proxy: The Federation Server proxy is an optional component that typically is deployed
in a perimeter network. The Federation Server proxy does not add any functionality to the AD FS
deployment, but is deployed just to provide a layer of security for connections from the Internet to the
Federation Server.
Claims: A claim is a statement that one object makes about another object, such as a user. The claim
could include the user's name, job title, or any other factor that might be used in an authentication
scenario.
Claim Rules: Claim rules determine how federation servers process claims. For example, a claim rule may
state that an email address is accepted as a valid claim, or that a group name from one organization is
translated into an application-specific role in the other organization. The rules usually are processed in
real time, as claims are made.
Claims Providers: A claims provider enables one side of the AD FS authentication and authorization
process. The claims provider manages the user authentication, and then issues the claims that the user
presents to a relying party.
Relying Parties: The relying party enables the second side of the AD FS authentication and authorization
process. The relying party is a web service that consumes claims from the claims provider. The relying
party server must have the Windows Identity Foundation (WIF) installed or use AD FS 1.0's claims-aware
agent.
Claims Provider Trust: This is configuration data that defines rules under which a client may request
claims from a claims provider and subsequently submit them to a relying party. The trust consists of
various identifiers, such as names, groups and various rules.
Certificates: AD FS uses digital certificates when communicating over SSL or as part of the token-issuing
process, the token-receiving process, and the metadata-publishing process.
Endpoints: Endpoints are mechanisms that enable access to the AD FS technologies, including token
issuance and metadata publishing. AD FS comes with built-in endpoints that are responsible for a specific
functionality.
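The claims provider trust, relying party trust and claim rules from the table above, and the "define the rules for exchanging claims between the two organizations" step of the B2B scenario in Lesson 1, as an added PowerShell example (not from the course) using the ADFS module on a Windows Server 2012 federation server. The partner name Trey Research, the federation service names fs.adatum.com and fs.treyresearch.net, the application URL https://app.adatum.com/ and the group and role names are assumptions.

```powershell
# Added example (not from the course): trusts and claim rules for the A. Datum / Trey Research
# scenario. Assumptions: names fs.treyresearch.net, https://app.adatum.com/, group "Sales".
Import-Module ADFS

# Claims provider trust: A. Datum trusts tokens signed by the partner's federation service.
# AD FS reads the partner's token-signing certificate and endpoints from its federation metadata.
Add-AdfsClaimsProviderTrust -Name 'Trey Research' `
    -MetadataUrl 'https://fs.treyresearch.net/FederationMetadata/2007-06/FederationMetadata.xml'

# Acceptance transform rules decide which incoming claims from the partner are kept at all.
# Pass through only what you need and tag partner groups, so a partner can never present a
# group claim that your own rules would mistake for one of your groups.
$acceptRules = @'
@RuleName = "Accept e-mail address from partner"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Accept partner groups, prefixed"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "TREY-" + c.Value);
'@
Set-AdfsClaimsProviderTrust -TargetName 'Trey Research' -AcceptanceTransformRules $acceptRules

# Relying party trust: the claims-aware application that consumes A. Datum's tokens.
Add-AdfsRelyingPartyTrust -Name 'Adatum Web App' -Identifier 'https://app.adatum.com/' `
    -WSFedEndpoint 'https://app.adatum.com/'

# Issuance transform rules: attribute-to-claim for local users, and the group-to-role mapping
# from the Claim Rules row above, for both A. Datum and partner groups.
$issueRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleName = "Sales groups become the ForecastEditor role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(Sales|TREY-Sales)$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "ForecastEditor");
'@

# Issuance authorization rules run BEFORE the issuance transform rules, so they must test the
# claims as they leave the acceptance stage, not the role claim produced above.
$authzRules = @'
@RuleName = "Permit all A. Datum users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit partner users only if they are in TREY-Sales"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "TREY-Sales"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Adatum Web App' `
    -IssuanceTransformRules $issueRules -IssuanceAuthorizationRules $authzRules

Get-AdfsRelyingPartyTrust -Name 'Adatum Web App' | Select-Object Name, Identifier, IssuanceAuthorizationRules
```

The prefixing rule is the important one: without it, a partner federation server (or anyone who compromises it) could issue a Group claim of "Sales" and be granted the application role directly.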
AD FS Prerequisites
Before deploying AD FS, you must ensure that your internal network meets some basic prerequisites. The
configuration of the following network services is critical for a successful AD FS deployment:
   o The client computer
   o A domain controller
   o Federation Service server
   o Federation Service Proxy server (when applicable)
   o A custom attribute store
Note: AD DS can be used both as the authentication provider and as an attribute store.
AD FS also can use AD LDS as an attribute store. In AD FS v1, you can use AD LDS as an
authentication store, but in the current version of AD FS, you only can use AD LDS as an attribute
store.
• Domain Name System (DNS): Name resolution allows clients to find federation servers. The client
computers must resolve the DNS names for all federation servers that they connect to, as well as the
web applications that the client computer is trying to use. If the client computer is external to the
network, the client computer must resolve the DNS name for the federation service proxy, not the
internal federation server. The Federation Service proxy must resolve the name of the internal
federation server. If internal users have to access the internal federation server directly, and external
users have to connect through the Federation Server proxy, you require a split DNS.
PKI and Certificate Requirements
AD FS is designed to enable computers to communicate securely, even though they may be located in
different locations. In this scenario, most of the communications between computers passes through the
Internet. To provide security for the network traffic, all communications are protected by using SSL. This
factor means that it is important to choose and assign SSL certificates correctly to the AD FS servers. To
provide SSL security, AD FS servers use certificates in the following three ways.
Token-Signing Certificates
The token-signing certificate is used to sign every token issued by a federation server. This certificate is
critical in an AD FS deployment, because the token signature indicates which federation server issued the
token. The claims provider uses this certificate to identify itself, and the relying party uses it to verify
that the token is coming from a trusted federation partner.
The relying party also requires a token-signing certificate to sign the tokens that it prepares for other
AD FS components, such as web applications and clients. These tokens must be signed by the relying
party’s token-signing certificate in order for the destination applications to validate them.
When you configure a Federation Server, the server assigns a self-signed certificate as the token-signing
certificate. Because no other parties trust the self-signed certificate, it is important that you replace the
self-signed certificate with a trusted certificate. You can configure multiple token-signing certificates on
the federation server, but only the primary certificate is used to sign tokens.
Token-Decrypting Certificates
Token-decrypting certificates encrypt the entire user token before transmitting the token across the
network. To provide this functionality, the relying party federation server sends the certificate to the
claims provider federation server. The certificate is sent without the private key. The claims provider
server uses the public key from the certificate to encrypt the user token. When the token is returned to
the relying party federation server, it uses the private key from the certificate to decrypt the token. This
provides an extra layer of security when transmitting tokens across the Internet.
When you configure a Federation Server, the server assigns a self-signed certificate as the token-
decrypting certificate. Because no other parties have to trust this certificate, it is possible to continue to
use this certificate without replacing it with a trusted certificate.
Note: Federation server proxies only require a service communication certificate. The
certificate is used to enable SSL communication for all client connections. Since the federation
server proxy does not issue any tokens, it does not need the other two types of certificates. Web
servers that are deployed as part of an AD FS deployment also should be configured with SSL
server certificates to enable secure communications with client computers.
The most important factor when choosing the certificates in most AD FS deployments is that the
certificates be trusted by all parties involved. This means that if you are configuring an AD FS deployment
that interacts with other organizations, you are almost certainly going to use a public CA, because all
partners trust the certificates issued by the public CA automatically.
If you are deploying AD FS just for your organization, and all servers and client computers are under
your control, you can consider using a certificate from an internal private CA. If you deploy an enterprise
CA on Windows Server 2012, you can use Group Policy to ensure that all computers in the organization
automatically trust the certificates that the internal CA issues. Using an internal CA can decrease the cost
of the certificates significantly.
When you install the AD FS server role, the server is configured with self-signed certificates. These
certificates are not trusted by any other systems, so you must replace the server communications
certificate and the token-signing certificate with a trusted certificate. It is not critical that you replace
the token-decrypting certificate with a trusted certificate.
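The following script is an added example, not part of the course material. It lists every certificate the AD FS service uses, flags the self-signed ones that setup installs and any that are near expiry, and then replaces the token-signing certificate with a CA-issued certificate that has already been imported into the local computer's Personal store. It assumes an elevated PowerShell session on the federation server and the AD FS cmdlets in the ADFS module; the thumbprint is a placeholder you must replace with your own certificate's thumbprint.

```powershell
# Added example (not from the course). AD FS certificate inventory and token-signing
# certificate replacement using the AD FS PowerShell cmdlets.
Import-Module ADFS

function Get-AdfsCertificateReport {
    # One row per certificate AD FS knows about: type, primary flag, issuer, time left.
    Get-AdfsCertificate | ForEach-Object {
        $c = $_.Certificate
        [pscustomobject]@{
            Type       = $_.CertificateType
            Primary    = $_.IsPrimary
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            SelfSigned = ($c.Subject -eq $c.Issuer)
            DaysLeft   = [int]($c.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $c.Thumbprint
        }
    }
}

$report = Get-AdfsCertificateReport
$report | Format-Table -AutoSize

# The conditions the lesson calls out: self-signed signing and communications certificates
# are not trusted by partners; the token-decrypting certificate may stay self-signed.
$report | Where-Object { $_.SelfSigned -and $_.Type -ne 'Token-Decrypting' } |
    ForEach-Object { Write-Warning ("{0} certificate is self-signed and should be replaced" -f $_.Type) }
$report | Where-Object { $_.DaysLeft -lt 30 } |
    ForEach-Object { Write-Warning ("{0} certificate {1} expires in {2} days" -f $_.Type, $_.Thumbprint, $_.DaysLeft) }

# Replace the token-signing certificate. While automatic certificate rollover is on, AD FS
# manages these certificates itself and will not accept one added by hand, so turn it off.
$newThumbprint = 'REPLACE-WITH-THUMBPRINT-OF-CA-ISSUED-CERTIFICATE'   # placeholder
Set-AdfsProperties -AutoCertificateRollover $false
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumbprint
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumbprint -IsPrimary

# Only the primary certificate signs tokens; the old one stays as secondary so partners
# that still trust it keep validating tokens until they refresh federation metadata. Then:
#   Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<old thumbprint>'
Restart-Service adfssrv
Get-AdfsCertificateReport | Where-Object Type -eq 'Token-Signing' | Format-Table -AutoSize
```

The AD FS service account must have read access to the new certificate's private key, or token signing fails after the switch; check that before making the certificate primary.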
Federation Server Roles
When you deploy the AD FS server role, and configure the server, you can choose which role the server
plays in an AD FS deployment. You can configure an AD FS server in one of three roles:
Note: A single AD FS server can operate as both a claims provider and a relying party, even
with the same partner organizations. The AD FS server functions as a claims provider when it is
authenticating users and providing tokens for another organization, but also can accept tokens
from the same or another organization in a relying party role.
Note: You cannot configure a federation server proxy as a claims provider or a Relying
Provider. The claims provider and Relying Provider must be members of an AD DS domain. You
must configure the federation server proxy as a member of a workgroup, and then deploy it in a
perimeter network.
Demonstration Steps
1. On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.
2. Run the AD FS Federation Server Configuration Wizard by using the following parameters:
a. Create a new federation services
Lesson 3
Implementing AD FS for a Single Organization
The simplest deployment scenario for AD FS is within a single organization. In this scenario, a single AD FS
server can operate both as the claims provider and as the Relying Provider. All users in this scenario are
internal to the organization, as is the application that the users are accessing.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe AD FS claims.
• Describe AD FS claim rules.
• Configure claims provider and relying provider trusts.
What Are AD FS Claims?
AD FS claims provide the link between the claims provider and Relying Provider roles in an AD FS
deployment. The claims provider creates the claims and the Relying Provider consumes the claims. AD FS
claims provide a standards-based and flexible way for claims provider organizations to provide very
specific information about users in their organizations, and a way for Relying Providers to define exactly
what information they require to provide application access.
Claim Types
Each AD FS claim has a claim type, such as Email Address, UPN, or Last Name. Users can be issued claims
based on any defined claim type. So a user might be issued a claim with a type of Last Name and a value
of Weber. AD FS provides several built-in claim types, or you can create new ones based on the
organization requirements.
Note: In AD FS 1.0, you could configure claims as identity claims, group claims or custom
claims. These claim types do not apply to AD FS 2.0 or later. Essentially, all claims are now
considered custom claims.
• The claim can be calculated based on collected information – claims provider federation servers can
also calculate information based on information gathered from an attribute store. For example, you
may want to provide information about a person’s salary within a claim. This information is likely
stored in a Human Resources database, but the actual value may be considered confidential. You
can define a claim that categorizes salaries within an organization, and then have the AD FS server
calculate which category a specific user belongs to. In this way, the claim only includes the salary
category information, not the actual user salary.
What Are AD FS Claim Rules?
Claims rules define how AD FS servers send and consume claims. Claims rules define the business
logic that is applied to claims that claims providers provide, and to claims that the relying parties
accept. You can use claim rules to:
• Define which incoming claims are accepted from one or more claims providers.
• Apply authorization rules to enable access to a specific relying party for one or more users or groups
of users.
You can define two types of claim rules:
Claims rules on an AD FS claims provider are all considered acceptance transform rules. These rules
determine what types of claims are accepted from the claims provider and then sent to a relying party
trust. When configuring AD FS within a single organization, there is a default claims provider trust
configured with the local AD DS domain, so this rule set defines the claims that are accepted from AD DS.
• Issuance Authorization Rules: These rules define which users are permitted or denied access to the
relying party that has been defined in the relying party trust. This rule set can include rules that
explicitly permit access to a relying party, and/or rules that explicitly deny access to a relying party.
• Delegation Authorization Rules: These rules define the claims that specify which users can act on
behalf of other users when accessing the relying party. This rule set can include rules that explicitly
permit delegates for a relying party, or rules that explicitly deny delegates to a relying party.
A single claim rule is associated with a single federated trust relationship. This means that you cannot create
a set of rules for one trust and then reuse those rules for other trusts that you configure on your
federation server.
What Is a Claims Provider Trust?
You configure a claims provider trust on the relying party federation server. The claims provider
trust identifies the claims provider, and also describes how the relying party consumes the
claims that the claims provider issues. You must configure a claims provider trust for each claims
provider.
By default, an AD FS server is configured with a claims provider trust named Active Directory.
This trust defines the claim rules, which are all acceptance transform rules that define how the
AD FS server accepts AD DS credentials. For example, the default claim rules on the claims provider
trust include rules that pass the user names, SIDs, and group SIDs to the relying party. In a
single-organization AD FS deployment, where AD DS authenticates all users, the default claims
provider trust may be the only required claims provider trust.
• Manually configure the claims provider trust. Use this option if you want to configure all of the
settings for the claims provider trust directly. When you choose this option, you must provide the
features that the claims provider supports, as well as the URL used to access the claims provider AD FS
servers. Furthermore, you must add the SSL certificate that the partner organization uses.
What Is a Relying Party Trust?
A relying party trust is defined on the claims provider federation server. The relying party trust
identifies the relying party, and also defines the claims rules that define how the relying party
accepts and processes claims from the claims provider.
The process for configuring a relying party trust is very similar to the claims provider trust. When you
expand the AD FS deployment to include other organizations, you must create additional relying party
trusts for each federated organization. You have three options when configuring a relying party trust:
• Import data about the relying party from a file. Use this option if the partner federation server is not
directly accessible from your federation server, but where the partner organization has exported its
configuration and provided you the information in a file. The configuration file must include the
configuration information for the partner organization, as well as the SSL certificate that the partner
federation server uses.
• Manually configure the claims provider trust. Use this option if you want to configure all of the settings
for the claims provider trust directly.
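The following script is an added example, not part of the course material. It creates the trusts this lesson describes from PowerShell instead of the management console: a relying party trust and a claims provider trust imported from published federation metadata (the "published online" option), and a claims provider trust configured by hand (the manual option, where you supply what the metadata would have carried). The host names are the course's lab names; the metadata paths, the manual partner's identifier and endpoint, and the certificate file path are assumptions for illustration.

```powershell
# Added example (not from the course). Relying party and claims provider trusts created
# with the AD FS cmdlets, by metadata import and manually.
Import-Module ADFS

# Relying party trust (configured on the claims provider server). Importing from the
# application's metadata URL and monitoring it means a later certificate or endpoint change
# published by the application is picked up automatically. Metadata path is assumed.
Add-AdfsRelyingPartyTrust -Name 'Adatum Test App' `
    -MetadataUrl 'https://lon-svr1.adatum.com/adatumtestapp/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# The wizard adds a "permit everyone" authorization rule for you; the cmdlet does not, and
# a relying party trust with no permit rule denies every user, hence the rule above.

# Claims provider trust (configured on the relying party server), from the partner's
# AD FS federation metadata. Metadata path is assumed.
Add-AdfsClaimsProviderTrust -Name 'mun-dc1.treyresearch.com' `
    -MetadataUrl 'https://mun-dc1.treyresearch.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Manual claims provider trust, for a partner whose metadata is not reachable from here.
# The partner exports the public part of its token-signing certificate; you must supply
# that, its identifier and its endpoint. Identifier, endpoint and file path are assumed.
$partnerSigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    'C:\Certs\partner-token-signing.cer')
Add-AdfsClaimsProviderTrust -Name 'Partner (manual)' `
    -Identifier 'http://fs.partner.example/adfs/services/trust' `
    -WSFedEndpoint 'https://fs.partner.example/adfs/ls/' `
    -TokenSigningCertificate $partnerSigningCert `
    -AcceptanceTransformRules @'
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Verify: every trust should be enabled, and monitored trusts should show a recent check.
Get-AdfsRelyingPartyTrust   | Select-Object Name, Identifier, Enabled, LastMonitoredTime
Get-AdfsClaimsProviderTrust | Select-Object Name, Identifier, Enabled, LastMonitoredTime
```

A manually configured claims provider trust does not follow partner changes: when the partner rolls its token-signing certificate, tokens from that partner fail validation until you import the new certificate, which is the main operational argument for the metadata-based options.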
Demonstration Steps
1. In the AD FS 2.0 Management console, go to the claims provider Trusts, highlight the Active
Directory store, and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog on the Acceptance Transform Rules tab, start
the Add Transform Claim Rule Wizard, and complete the wizard with the following settings:
o User-Principal-Name to UPN
4. On LON-SVR1, from the Start screen, start the Windows Identity Foundation Federation Utility.
o Select No encryption.
6. In the AD FS 2.0 Management console, in the middle pane, click Required: Add a trusted relying
party.
7. Complete the Add relying party Wizard with the following settings:
o Select Import data about the relying party published online or on a local network, and type
https://lon-svr1.adatum.com/adatumtestapp.
o Select to open the Edit Claims Rules for WIF Sample Claims App check box when the wizard is
complete.
Lesson 4
Deploying AD FS in a Business to Business Federation Scenario
A second common scenario for implementing AD FS is in a B2B federation scenario. In this scenario,
users in one organization have to be able to access an application in another organization. AD FS in this
scenario enables SSO. Users always log on to their home AD DS environment, but are granted access to
the partner application based on the claims acquired from their local AD FS server.
Configuring AD FS in a B2B federation scenario is quite similar to configuring AD FS in a single
organization scenario. The primary difference is that now the claims provider trusts and the relying
provider trusts refer to external organizations rather than internal AD DS or application.
This lesson describes how to configure AD FS in a B2B scenario.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure the account partner in a B2B federation scenario.
• Configure the resource partner in a B2B federation scenario.
• Describe how claims transformations work.
• Describe how home-realm discovery works.
• Configure claims rules.
Configuring an Account Partner
In a B2B AD FS scenario, the terminology used to describe the parties involved in the AD FS
deployment changes slightly. In this scenario, the claims provider organization is also called the
account partner organization. An account partner organization is the organization in which the user
accounts are stored in an attribute store. An account partner handles the following tasks:
• Gathering credentials from users by using a web-based service, and then authenticating
those credentials.
• Building up claims for users, and then packaging the claims into security tokens. The tokens can then
be presented across a federation trust to gain access to federation resources located at the resource
partner organization.
Configuring a Resource Partner
The resource partner organization is the relying party in a B2B federation scenario. The resource
partner organization is where the resources exist and are made accessible to account partner
organizations. The resource partner handles the following tasks:
• Accepts and validates security tokens that the account-partner federation server produces.
Note: Microsoft offers WIF to provide a set of consistent development tools that enable
developers to integrate claims-based authentication and authorization into their applications.
WIF also includes a Software Development Kit (SDK) and sample applications. You use a WIF
sample application in the lab for this module.
Configuring the resource partner organization is similar to configuring the account partner organization,
and consists of the following steps:
1. Implement the physical topology for the resource partner deployment. The planning and
implementation steps are the same as the account partner, with the addition of planning the web
server location and configuration.
Configuring Claims Rules for Business to Business Scenarios
In a single organization deployment of AD FS, it may be quite easy to design and implement claims
rules. In many cases, you may need to just provide the user name or group name collected from the
claim to the web server. In a B2B scenario, it is more likely that you have to configure more
complicated claims rules to define user access between widely varying systems.
• Send Group Membership as a Claim rule template. Use this template to send a particular claim type
and associated claim value based on the user’s AD DS security group membership. For example, you
might use this template to create a rule that sends a group claim type with a value of SalesAdmin if
the user is a member of the Sales Manager security group within their AD DS domain. This rule only
issues a single claim, based on the AD DS group that you select as a part of the template.
• Pass Through or Filter an Incoming Claim rule template. Use this template to set additional
restrictions on which claims are submitted to relying parties. For example, you might want to use a
user email address as a claim, but only forward the email address if the domain suffix on the email
address is adatum.com. When using this template, you can either pass through whatever claim you
extract from the attribute store, or you can configure rules that filter whether the claim passes
through based on various criteria.
• Transform an Incoming Claim rule template. Use this template to map the value of an attribute
in the claims provider attribute store to a different value in the relying party attribute store. For
example, you may want to provide all members of the Marketing department at A. Datum limited
access to a purchasing application at Trey Research. At Trey Research, the attribute used to define
the limited access level may have an attribute of LimitedPurchaser. To address this scenario, you can
configure a claims rule that transforms an outgoing claim where the Department value is Marketing
to an incoming claim where the ApplicationAccess attribute is LimitedPurchaser. Rules created
from this template must have a one-to-one relationship between the claim at the claims provider and
the claim at the relying partner.
• Permit or Deny Users based on an Incoming Claim rule template. This template is available only
when you are configuring Issuance Authorization Rules or Delegation Authorization Rules on a relying
party Trust. Use this template to create rules that enable or deny access by users to a relying party,
based on the type and value of an incoming claim. This claim rule template allows you to perform
an authorization check on the claims provider before claims are even sent to a relying party. For
example, you can use this rule template to create a rule that only permits users from the Sales group
to access a relying party; authentication requests from members of other groups are not even sent to
the relying party.
If none of the built-in claim rule templates provide the functionality that you are looking for, you can
create more complex rules using the AD FS Claim Rule Language. By creating a custom rule, you can
extract claims information from multiple attribute stores and also combine claim types into a single claim
rule.
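The following script is an added example, not part of the course material. It writes the four rule templates described above, plus one custom rule, in the AD FS Claim Rule Language, and assigns them to the rule sets Lesson 3 lists: acceptance transform rules on the claims provider trust, and issuance transform, issuance authorization and delegation authorization rules on the relying party trust. The trust names, the Production group and the adatum.com suffix are the module's lab values; the group SID is a placeholder, and the Department and ApplicationAccess claim type URIs are assumptions (the module names the attributes but not their URIs).

```powershell
# Added example (not from the course). Claim rules for each template in the lesson,
# expressed in the claim rule language and applied with the AD FS cmdlets.
Import-Module ADFS

# Claim type URIs. The first four are AD FS built-in types; permit/deny are the
# authorization claim types the authorization rule sets act on.
$GroupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$Group    = 'http://schemas.xmlsoap.org/claims/Group'
$Upn      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Email    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Permit   = 'http://schemas.microsoft.com/authorization/claims/permit'
$Deny     = 'http://schemas.microsoft.com/authorization/claims/deny'
$productionGroupSid = 'S-1-5-21-PLACEHOLDER-SID'   # placeholder: SID of the Production group

# Acceptance transform rules: what the relying party server accepts from the partner.
$acceptance = @"
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
"@

# Issuance transform rules: what the relying party receives. One rule per template.
$transform = @"
@RuleName = "Send Group Membership as a Claim (Production)"
c:[Type == "$GroupSid", Value == "$productionGroupSid"]
 => issue(Type = "$Group", Value = "Production");

@RuleName = "Pass Through or Filter: e-mail only when the suffix is adatum.com"
c:[Type == "$Email", Value =~ "^.+@adatum\.com$"]
 => issue(claim = c);

@RuleName = "Transform an Incoming Claim: Department Marketing to ApplicationAccess LimitedPurchaser"
c:[Type == "http://schemas.example/claims/Department", Value == "Marketing"]
 => issue(Type = "http://schemas.example/claims/ApplicationAccess", Value = "LimitedPurchaser");

@RuleName = "Custom rule: combine UPN and group into a single claim"
c1:[Type == "$Upn"] && c2:[Type == "$Group"]
 => issue(Type = "http://schemas.example/claims/UpnAndGroup", Value = c1.Value + ";" + c2.Value);
"@

# Issuance authorization rules (Permit or Deny template). Access is granted only when a
# permit claim is issued and no deny claim is, so once the default "permit all users"
# rule is deleted, as the demonstration does, users without a matching rule are denied.
$authorization = @"
@RuleName = "Permit Production Group Rule"
c:[Type == "$Group", Value =~ "^(?i)Production$"]
 => issue(Type = "$Permit", Value = "true");

@RuleName = "Allow A Datum Users"
c:[Type == "$Upn", Value =~ "^.+@adatum\.com$"]
 => issue(Type = "$Permit", Value = "true");
"@

# Delegation authorization rules: nobody may act on behalf of another user for this app.
$delegation = @"
@RuleName = "Deny all delegation"
 => issue(Type = "$Deny", Value = "true");
"@

Set-AdfsClaimsProviderTrust -TargetName 'mun-dc1.treyresearch.com' -AcceptanceTransformRules $acceptance
Set-AdfsRelyingPartyTrust   -TargetName 'Adatum Test App' `
    -IssuanceTransformRules $transform `
    -IssuanceAuthorizationRules $authorization `
    -DelegationAuthorizationRules $delegation

# Read the stored rule text back; it is the same text the management console shows when
# you view a rule's claim rule language.
(Get-AdfsRelyingPartyTrust -Name 'Adatum Test App').IssuanceAuthorizationRules
```

Rules in a set are evaluated in order, and a pass-through rule forwards exactly the claim it matches, so filtering on the e-mail suffix as above is what stops a partner from asserting addresses in your own domain; a rule that passed through all e-mail values would accept any value the partner chose to issue.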
How Home Realm Discovery Works
Some resource partner organizations hosting claims-aware applications may want to enable multiple
account partners to access the applications. In this scenario, when users connect to the web application,
there must be some mechanism for directing the users to the AD FS federation server in their home
domain rather than to another organization’s federation server. The process for directing clients to the
appropriate account partner is called home realm discovery.
3. If the remote application is SAML 2.0-compliant, users can use a SAML profile called IdPInitiated SSO.
This SAML profile configures users to access their local claims provider first, which can prepare the
user’s token with the claims required to access the partner web application. This process changes the
normal process for accessing the web application by having the users log on to the claims provider
federation server first, and then prompting them to select which application they want to access so
that their token can be created with the appropriate information.
Note: The home realm discovery process occurs the first time the user tries to access a web
application. After the user successfully authenticates, a home-realm discovery cookie is issued to
the client so that the user does not have to go through the process the next time. This home-
realm discovery cookie expires after a month, unless the cookie cache is cleared sooner.
Demonstration Steps
1. On LON-DC1, edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule
that passes through or filters an incoming claim. Name the rule Send Group Name rule, and
configure the rule to use an incoming claim type of group.
2. Delete the Issuance Authorization Rule that grants access to all users.
3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of
Group, an Incoming claim value of Production, and select the option to Permit access to users
with this incoming claim.
4. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an
Incoming claim value of @adatum.com, and select the option to Permit access to users with this
incoming claim, and then click Finish.
5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.
Lab: Implementing AD FS
Scenario
A. Datum has set up a variety of business relationships with other companies and customers. Some of
these partner companies and customers must access business applications that are running on the A.
Datum network. The business groups at A. Datum want to provide a maximum level of functionality and
access to these companies. The security and operations departments want to ensure that the partners and
customers can only access the resources to which they require access, and that implementing the solution
does not significantly increase the workload for the operations team.
A. Datum is also working on migrating some parts of their network infrastructure to online services,
including Windows Azure and Office 365.
To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the
company plans to use AD FS to implement single sign on for internal users accessing an application on a
web server. A. Datum also has entered into a partnership with another company, Trey Research. Trey
Research users must be able to access the same application.
As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS
solution. As a proof of concept, you plan to deploy a sample claims aware application, and then configure
AD FS to enable both internal users and Trey Research users to access the same application.
Objectives
• Configure the AD FS prerequisites.
• Install and configure AD FS.
Lab Setup
Estimated time: 90 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, by using the DNS
server IP address of 172.16.0.10.
2. Create a new Microsoft Management Console (MMC), and then add the Group Policy Management
Editor.
3. Edit the Default Domain Policy Group Policy Object, and import the copied root certificate to the
Trusted Root Certification Authorities folder.
5. Create a new MMC, and then add the Certificates snap-in focused on the Local Computer.
6. Import the copied root certificate to the Trusted Root Certification Authorities folder.
2. Request a new Domain Certificate for the server by using the following parameters:
o Organization unit: IT
o City/locality: London
o State/province: England
o Country/region: GB
X Task 4: Bind the certificate to the claims aware application on the web server and
verify application access
1. On LON-SVR1, in Internet Information Services, create a new HTTPS site binding, and then select the
newly created certificate.
3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
2. Create a stand-alone Federation Server by using the AD FS Federation Server Configuration Wizard.
4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06
/federationmetadata.xml.
5. Verify that the xml file opens successfully, and then scroll through its contents.
Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the Federation Meta Data .xml contents.
3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.
Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name is listed under the
Subject when you add the certificate, delete the certificate, and then add the next certificate in the
list.
3. Make the new certificate the primary certificate, and then remove the old certificate.
2. In the Edit Claim Rules for Active Directory dialog box on the Acceptance Transform Rules tab,
launch the Add Transform Claim Rule Wizard, and then complete the wizard with the following
settings:
X Task 3: Configure the claims application to trust incoming claims by running the WIF
Federation Utility
1. On LON-SVR1, launch the WIF Federation Utility from the Start screen.
X Task 4: Configure a relying party trust for the claims aware application
1. In the AD FS 2.0 Management console, click Required: Add a trusted relying party, in the middle
pane.
2. Complete the Add relying party Wizard with the following settings:
o Choose to Import data about the relying party published online or on a local network and
type https://lon-svr1.adatum.com/adatumtestapp.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
o Choose Pass through or Filter an Incoming Claim in the Claim rule template drop-down list.
o Create three more rules to pass through E-Mail Address, UPN, and Name type claim.
Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.
2. Complete the Add claims provider Trust Wizard with the following settings:
o Choose Import data about the claims provider published online or on a local network and
enter https://mun-dc1.treyresearch.com as the data source.
o In Display Name enter mun-dc1.treyresearch.com.
o Complete the wizard.
3. In the Edit Claim Rules for the mun-dc1.treyresearch.com properties dialog, use the following
values:
o Choose Pass Through or Filter an Incoming claim in the Claim rule template list.
o Use Pass through Windows account name rule as the claim rule name.
o Choose Windows account name as the incoming claim type, and then choose to Pass through
all claim values.
X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum’s claim aware
application
1. On MUN-DC1, in the AD FS Management console, open the Add relying party Trust Wizard, and then
complete it with the following settings:
o Choose to Import data about the relying party published online or on a local network and
type in https://lon-dc1.adatum.com.
o Select to open the Edit Claim Rules for lon-dc1.adatum.com when the wizard is complete
check box.
2. In the Edit Claim Rules for lon-dc1.adatum.com properties dialog box, on the Issuance Transform
Rules tab, click to add a rule with the following settings:
o Choose Pass Through or Filter an Incoming claim in claim rule template list.
o In the Claim rule name box, type Pass through Windows account name rule.
X Task 3: Verify access to the A. Datum Test Application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com
/adatumtestapp/.
2. Select mun-dc1.treyresearch.com as the home realm, and then log on as TreyResearch\April, with
the password Pa$$w0rd.
4. Close Internet Explorer, and then connect to the same web site. Verify that you are not prompted for
a home realm this time.
You are not prompted for a home realm again. Once users have selected a home realm and been
authenticated by a realm authority, they are issued with an _LSRealm cookie by the relying party
Federation Server. The default lifetime for the cookie is 30 days. Therefore, for us to log on multiple times,
we should delete that cookie after each logon attempt to return to a clean state.
X Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a certain group
1. On MUN-DC1, in the AD FS Management Console, access the lon-dc1.adatum.com relying party trust.
2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule
Permit Production Group Rule, configure the User’s Group as Production, configure the
Outgoing claim type as Group, and the Outgoing claim value as Production.
4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes
through or filters an incoming claim. Name the rule Send TreyResearch Group Name rule, and
configure the rule to use an incoming claim type of group.
5. Delete the Issuance Authorization Rule that grants access to all users.
6. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an
Incoming claim type of Group, an Incoming claim value of Production, and select the option to
Permit access to users with this incoming claim.
7. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim
value of @adatum.com, and select the option to Permit access to users with this incoming claim,
and then click Finish.
8. Edit the Temp rule, and then copy the claim rule language into the clipboard.
9. Delete the Temp rule.
10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule
11. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit
the first URL to match the following text, and then click Finish:
Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a
relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claims-aware
application. Then you configured the application to restrict access from TreyResearch.com to specific
groups, and you verified appropriate access.
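The same rule set as an added example (not the course's own text, which shows only the console steps): the AD FS 2.1 Windows PowerShell snap-in applied to the two relying party trusts, with the claim rule language written out. The trust display names, the claims provider trust name 'TreyResearch' on LON-DC1, and the UPN-suffix regex for the custom rule are assumptions.

```powershell
# Added example (not from the course): Task 4 with Set-ADFSRelyingPartyTrust instead of the
# AD FS Management console. Run the first part on MUN-DC1 and the second on LON-DC1.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$groupClaim  = 'http://schemas.xmlsoap.org/claims/Group'
$upnClaim    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$permitClaim = 'http://schemas.microsoft.com/authorization/claims/permit'

# ---- MUN-DC1 (Trey Research): send membership of Production as a Group claim to Adatum ----
# Same rule the "Send Group Membership as a Claim" template produces; the SID is looked up
# so the rule does not depend on the group's display name.
$productionSid = (Get-ADGroup -Identity 'Production').SID.Value
$treyTransformRules = @"
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$productionSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$groupClaim", Value = "Production", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
Set-ADFSRelyingPartyTrust -TargetName 'lon-dc1.adatum.com' -IssuanceTransformRules $treyTransformRules

# ---- LON-DC1 (A. Datum): accept the Group claim from Trey Research and authorize on it ----
$passThroughGroup = @"
@RuleName = "Send TreyResearch Group Name rule"
c:[Type == "$groupClaim"]
 => issue(claim = c);
"@
# The claims provider trust must pass the claim through too, or it never reaches the app's rules
# ('TreyResearch' is the assumed claims provider trust name).
Set-ADFSClaimsProviderTrust -TargetName 'TreyResearch' -AcceptanceTransformRules $passThroughGroup

# Set-ADFSRelyingPartyTrust replaces the entire authorization rule set, so the default
# "Permit Access to All Users" rule is gone once this runs: only these two rules grant access.
# The second rule stands in for the custom "ADatum User Access Rule"; the suffix match is assumed.
$authorizationRules = @"
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "$groupClaim", Value =~ "^(?i)Production`$"]
 => issue(Type = "$permitClaim", Value = "PermitUsersWithClaim");

@RuleName = "ADatum User Access Rule"
c:[Type == "$upnClaim", Value =~ "(?i)@adatum\.com`$"]
 => issue(Type = "$permitClaim", Value = "PermitUsersWithClaim");
"@
Set-ADFSRelyingPartyTrust -TargetName 'Adatum Test App' `
    -IssuanceTransformRules $passThroughGroup `
    -IssuanceAuthorizationRules $authorizationRules

# Read back what is now enforced before testing with TreyResearch\April
Get-ADFSRelyingPartyTrust -Name 'Adatum Test App' |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

Because the cmdlet replaces the whole rule set, review the read-back output before testing: a typo in the Group claim value silently locks every Trey Research user out rather than letting extra users in.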
12-36 Implementing Active Directory Federation Services
Question: What are the benefits of deploying AD FS with a cloud-based application or service?
Question: Under what circumstances would you choose to deploy a federation proxy server? Under what circumstances do you not have to deploy a federation proxy server?
2. Fabrikam is examining the requirements for AD FS. The company wants to use a federation proxy
server for maximum security. Currently, Fabrikam has an internal network with internal DNS servers.
Their internet-facing DNS is hosted by a hosting company. The perimeter network uses the hosting
company’s DNS servers for DNS resolution. What must the company do to prepare for the
deployment?
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
7. In the Hyper-V Manager console, double-click 20417A-LON-SVR5; this will open the Virtual Machine
Connection window. From the Action menu, click Start.
8. On the Windows Server 2012 page of the Windows Setup Wizard, verify the following settings, and
then click Next:
10. On the Select the operating system you want to install page of the Windows Setup Wizard, select
Windows Server 2012 Release Candidate Datacenter (Server Core Installation), and then click
Next.
11. On the License terms page of the Windows Setup Wizard, review the operating system license terms.
Select the I accept the license terms check box, and then click Next.
12. On the Which type of installation do you want? page of the Windows Setup Wizard, click Custom:
Install Windows Only (Advanced).
13. On the Where do you want to install Windows? page of the Windows Setup Wizard, verify that
Drive 0 Unallocated Space has sufficient space for the Windows Server 2012 operating system, and
then click Next:
o Depending on the speed of the host computer, the installation will take approximately 20
minutes.
o The virtual machine will restart several times during this process.
14. Click OK, and then in both the Password and Confirm password boxes type Pa$$w0rd, and then
click OK.
X Task 2: Convert a Windows Server 2012 Server Core installation to a full installation
1. If necessary, log on to LON-SVR5 using the Administrator account with the password Pa$$w0rd.
mkdir c:\mount
3. Issue the following command and press Enter to mount the Windows Server 2012 full installation
image:
PowerShell.exe
5. Load the ServerManager module by issuing the command and pressing Enter:
Import-Module ServerManager
6. Install the Windows Server 2012 GUI components of server core by issuing the following command
and pressing Enter:
7. When prompted, restart the server by issuing the following command and pressing Enter.
Shutdown /r /t 5
8. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify the presence of
the full GUI components.
X Task 3: Convert a Windows Server 2012 full installation to a Server Core installation
1. If necessary, log on to LON-SVR5 and verify that the full graphic environment is present.
2. Click Internet Explorer.
3. Click Close to close the message informing you that you cannot open Internet Explorer with the built-in Administrator account.
Import-Module ServerManager
Uninstall-WindowsFeature User-Interfaces-Infra
Shutdown /r /t 5
8. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
configured to use the Server Core configuration.
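Both conversions from Tasks 2 and 3 as one added script (not the course's own commands, several of which are missing from the steps above). It assumes the Windows Server 2012 installation media is attached as D: and that image index 4 in install.wim is the full Datacenter edition; check with dism /get-wiminfo before relying on that.

```powershell
# Added example (not from the course): switch LON-SVR5 between Server Core and the full
# installation. Assumptions: media on D:, full Datacenter image at index 4 of install.wim.
Import-Module ServerManager

function Add-ServerGui {
    param([string]$WimPath = 'D:\sources\install.wim', [int]$WimIndex = 4)
    # Server Core does not stage the GUI binaries locally, so the feature files must come
    # from a mounted full image; mount read-only so the media cannot be modified.
    $mount = 'C:\mount'
    if (-not (Test-Path $mount)) { New-Item -ItemType Directory -Path $mount | Out-Null }
    & dism.exe /Mount-Wim "/WimFile:$WimPath" "/Index:$WimIndex" "/MountDir:$mount" /ReadOnly
    try {
        Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
                               -Source "$mount\windows\winsxs"
    } finally {
        # Always release the mounted image, even when the feature install fails
        & dism.exe /Unmount-Wim "/MountDir:$mount" /Discard
    }
    Restart-Computer -Force
}

function Remove-ServerGui {
    # Same feature the lab removes; taking out the infrastructure layer removes the
    # graphical shell with it, and the binaries stay on disk so Add-ServerGui can reverse it
    # without the media.
    Uninstall-WindowsFeature -Name User-Interfaces-Infra
    Restart-Computer -Force
}

# Show which state the server is in before acting
Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell |
    Select-Object Name, InstallState | Format-Table -AutoSize
```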
Module 1: Installing and Configuring Servers Based on Windows Server 2012 L1-3
7. At the command prompt, type hostname and press Enter to verify the computer’s name.
10. Type the index number of the network adapter that you want to configure and press Enter.
11. To set the Network Adapter Address, on the Network Adapter Settings page, type 1 and
press Enter.
13. At the Enter static IP address: prompt, type 172.16.0.111 and press Enter.
14. At the Enter subnet mask prompt, type 255.255.0.0 and press Enter.
15. At the Enter default gateway prompt, type 172.16.0.1 and press Enter.
16. To configure the DNS server address, on the Network Adapter Settings page, type 2 and press Enter.
17. At the Enter new preferred DNS server prompt, type 172.16.0.10 and press Enter.
5. At the Name of domain to join prompt, type adatum.com and press Enter.
6. At the Specify an authorized domain\user prompt, type adatum\administrator and press Enter.
7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and
press Enter.
12. Log on to LON-SVR5 with the adatum\administrator account and a password of Pa$$w0rd.
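The sconfig settings from the steps above (address, mask, gateway, DNS server, domain join) as an added Windows PowerShell example, not the course's own commands. It assumes LON-SVR5 has a single connected adapter and prompts for the join credential rather than embedding it.

```powershell
# Added example (not from the course): configure LON-SVR5's static addressing and join adatum.com
# with the NetTCPIP, DnsClient and Microsoft.PowerShell.Management cmdlets instead of sconfig.
$alias = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name   # assumed: one adapter

# Clear DHCP-assigned settings first so the static address is the only one on the interface
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Values from the lab: 172.16.0.111/16, gateway 172.16.0.1, DNS 172.16.0.10
New-NetIPAddress -InterfaceAlias $alias -IPAddress 172.16.0.111 -PrefixLength 16 -DefaultGateway 172.16.0.1
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 172.16.0.10

# Verify name resolution against the domain controller before attempting the join
Resolve-DnsName -Name adatum.com -Server 172.16.0.10 -Type A
hostname

# Get-Credential keeps the domain password out of the script and the console history
Add-Computer -DomainName adatum.com -Credential (Get-Credential -UserName 'adatum\administrator' -Message 'Domain join') -Restart
```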
10. To view all disabled Firewall rules on LON-SVR5, type the following command:
11. To view all NetFirewallRule related Windows PowerShell cmdlets, type the following command:
12. To view the status of the Remote Desktop inbound firewall rule, type the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
13. To enable the Remote Desktop Inbound Firewall rule, type the following command:
Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
14. To verify that the Remote Desktop Inbound Firewall rule is enabled, type the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
15. To disable the Remote Desktop Inbound Firewall Rule, type the following command:
Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
16. To verify that the Remote Desktop Inbound Firewall Rule is disabled, type the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
2. In the Server Manager console, click Local Server, and then click Enabled next to Remote
Management.
3. On the Configure Remote Management dialog box, clear the check next to Enable remote
management of this server from other computers, and then click OK.
6. At the Windows PowerShell prompt issue the command winrm qc. When you are prompted, type Y
and press Enter.
7. Open the Server Manager console. Click Local Server. Verify that Remote Management is now
enabled.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. On the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
4. Click LON-DC1, press and hold the Ctrl key, and then click LON-SVR5. To add them to the
server group, click the Arrow.
5. Set the Server Group Name to LONDON-GROUP, and then click OK.
9. Click LON-DC1. Press and hold the Ctrl key, and then click LON-SVR5.
10. While both servers are selected, right-click LON-DC1, and then click Start Performance Counters.
11. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.
2. In the Servers list, right-click LON-SVR5, and then click Add Roles and Features.
3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4. On the Select installation type page of the Add Roles and Features Wizard, select Role-based or
feature-based installation, and then click Next.
5. On the Select destination server page of the Add Roles and Features Wizard, ensure that
LON-SVR5.Adatum.com is selected, and then click Next.
6. On the Select server roles page of the Add Roles and Features Wizard, click Next.
7. On the Select features page of the Add Roles and Features Wizard, select Windows Server Backup,
and then click Next.
8. On the Confirm installation selections page of the Add Roles and Features Wizard, click Install.
10. In Server Manager, click the Flag and verify that the installation of the Windows Server Backup feature
succeeded on LON-SVR5.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
2. In the Server Manager console, in the navigation pane, click All Servers.
3. In the Server Manager console, in the navigation pane, right-click All Servers, and then click Add
Servers.
5. In the details pane of the Add Servers dialog box, click LON-DC1, click the right-arrow button, and
then click OK.
6. In Server Manager, hold down the Ctrl key, click LON-DC1, and then click LON-SVR1 to select both
the machines.
7. In Server Manager, scroll down to the Performance section; select both LON-DC1 and LON-SVR1.
Right-click the selected servers, and then click Start Performance Counters.
2. In the navigation pane, expand Data Collector Sets, and then click User Defined.
3. Click the Action menu, click New, and then click Data Collector Set.
4. In the Create new Data Collector Set Wizard, in the Name box, type Windows Server Monitoring,
select Create manually (Advanced), and then click Next.
5. On the What type of data do you want to include? page, ensure that the Create data logs option
button is selected, select the Performance Counter check box, and then click Finish.
6. In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User
Defined, click Windows Server Monitoring, click the Action menu, click New, and then click Data
Collector.
7. In the Create New Data Collector Wizard, in the Name box, type Base Windows Server Monitoring,
select Performance counter data collector, click Next, and then click Add.
8. In the Available counters object list, expand Processor, and then click % Processor Time. Click
Add.
9. In the Available counters object list, expand Memory, and then click Available Mbytes. Click Add.
10. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then
click OK.
11. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and
then click Finish.
12. In the Performance Monitor, in the navigation pane, click Windows Server Monitoring, click the
Action menu, and then click Start.
13. Wait at least one minute, click the Action menu, and then click Stop.
14. In the navigation pane, expand Reports, expand User Defined, expand Windows Server
Monitoring, click LON-SVR1_DateTime, and then review the report.
2. Move the mouse pointer on the lower-right corner on the screen, and then in Search box, type cmd
to open the Command Prompt.
3. At the command prompt, type winrm quickconfig and then press Enter.
7. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click
Object Types.
8. In the Object Types dialog box, select the Computers check box, and then click OK.
9. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select box, type LON-DC1, and then click OK.
13. At the command prompt, type wecutil qc and then press Enter.
14. When you are prompted, type Y and then press Enter.
15. In Server Manager, click Tools, and then click Event Viewer.
18. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.
21. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1,
and then click OK.
23. In the Subscription Properties – LON-SVR1 Events dialog box, click Select Events.
24. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.
26. In the Event logs list, select Windows Logs. Click inside the Query Filter dialog box, and then click
OK.
27. In the Subscription Properties – LON-SVR1 Events dialog box, click OK.
29. Click Forwarded Events, and check for events from LON-SVR1.
Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.
5. On the Select Destination Server page, select LON-SVR1 and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, select Windows Server Backup, and then click Next.
3. Click Local Backup, and then in the Actions pane, click Backup Schedule.
4. On the Getting Started page of the Backup Schedule Wizard, click Next.
5. On the Select Backup Configuration page, click Full server (recommended), and then click Next.
6. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
7. On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.
8. On the Specify Remote Shared Folder page, in the Path box, type \\LON-DC1\Backup, and then
click Next.
9. In the Register Backup Schedule dialog box, in the Username box, type Administrator, in the
Password box, type Pa$$w0rd, and then click OK. Click Finish, and then click Close.
2. In the Windows Explorer window, in the navigation pane, click Local Disk (C:).
3. In the Windows Explorer window, in the menu, click Home, click New Folder, and then in the New
Folder icon in details pane, type Financial Data.
4. In the Windows Explorer window, double-click the Financial Data folder, right-click in the details pane, click
New, click Text Document, and in the New Text Document icon, type Financial Report.
To complete an on-demand backup, perform the following steps:
1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2. In the wbadmin – [Windows Server Backup (Local)] window, in the navigation pane, click Local
Backup, and then in the Actions pane, click Backup Once.
3. On the Backup Options page of the Backup Once Wizard, click Different options, and then click
Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
6. Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.
7. On the Specify Destination Type page, click Remote shared folder, and then click Next.
8. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
Results: After completing this exercise, you will have installed the Windows Server Backup feature,
configured a scheduled backup, and run an on-demand backup.
2. In Windows Explorer in details pane, right-click Financial Data folder, and then click Delete.
The command should display the existing shadow copy from the backup performed previously.
Module 2: Monitoring and Maintaining Windows Server 2012 L2-11
2. On the Getting Started page, click A backup stored on another location, and then click Next.
3. On the Specify Location type page, click Remote shared folder, and then click Next.
4. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
7. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:) drive, and on the
right pane, select Financial Data, and then click Next.
8. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed
available resources, and then restored the folder from the backup that you created.
3. On the Microsoft Software License Terms page, click I accept the terms in the License Agreement
and Privacy Statement, and then click Install. Click Finish.
5. In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service
Agreement terms and conditions, and then click OK.
7. On the Installation Settings page, specify the settings (if not default), and then click Next:
o Installation Folder: C:\Program Files
8. On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then
click Install.
9. On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has
completed successfully message is displayed. Clear the Check for newer updates check box, and
then click Finish.
10. On LON-SVR1, move the mouse pointer on the lower-left corner of the screen, click Start, and then
click Microsoft Online Backup Service.
11. On LON-SVR1, move the mouse pointer on the lower-left corner of the screen, click Start, and then
click Microsoft Online Backup Service Shell.
1. In the Server Manager window, on the Welcome to Server Manager page, click 1. Configure this
local server.
2. In the Server Manager window, on the Local Server page, click LON-SVR1.
3. In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-YOURNAME, click OK twice, and then click Close.
4. In a window that displays the message that you should restart your computer, click Restart Now.
1. Start the Microsoft Online Backup Service console, and then click Register Server.
2. In the Register Server Wizard, on the Account Credentials page, in the Username box, type
holuser@onlinebackupservice.onmicrosoft.com, and in the Password box, type Pa$$w0rd. Click
Next.
Note: In a real-life scenario, you would type the username and password of your Microsoft
Online Backup Service subscription account.
4. On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type
Pa$$w0rdPa$$w0rd, and then click Register.
5. On the Server Registration page, ensure that the Microsoft Online Backup Service is now
available for this server message is displayed, and then click Close.
4. In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.
5. On the Specify Backup Time page, select Saturday, click 1:00AM, click Add, and then click Next.
6. On the Specify Retention Setting page, accept the default settings, and then click Next.
7. On the Confirmation page, click Finish.
10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.
11. On the Backup progress page, wait until the Backup is successfully completed message appears, and
then click Close.
2. In the Local Disk (C:) window, right-click the Financial Data folder, and then click Delete.
3. Switch to the Microsoft Online Backup Service console, and then click Recover Data.
4. In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.
5. On the Select Recovery Mode page, select Browse for files, and then click Next.
6. On the Select Volume and Date page, in the Select the volume drop-down list, select C:\. In the
calendar, click the date when you performed the backup, in the Time drop-down list, click the time
when you performed backup, and then click Next.
7. On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click
Next.
8. On the Specify Recovery Options page, select Original location and Create copies so that you
have both versions, and then click Next.
10. On the Recovery Progress page, ensure that the File(s) recovery job succeeded status message
appears, and then click Close.
11. Locate C:\ and ensure that the Financial Data folder is restored to drive C.
X Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console, and then click Unregister Server.
2. On the Getting started page, click Unregister this server, and then click Next.
o Username: holuser@onlinebackupservice.onmicrosoft.com
o Password: Pa$$w0rd
4. Click Unregister.
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
2. On LON-DC1, browse to the Start screen, type Windows PowerShell ISE and then right-click
Windows PowerShell ISE. In the pop-up banner, click Run as administrator.
5. In the Console pane, type dir C:\Windows, and then press Enter.
6. In the Console pane, type Get-E, press the Tab key until Get-ExecutionPolicy is shown, and then
press the Enter key.
4. In the Console pane, type Get-Help Where-Object -Examples and then press Enter. Click No to
update help.
5. In the Console pane, type $Services | Where-Object {$_.Status -eq "Stopped"} and then press
Enter.
2. In the New Remote PowerShell Tab window, in the Computer box, type LON-SVR1 and then click
Connect.
4. In the Console pane, type Add-WindowsFeature XPS-Viewer and then press Enter.
5. Press the Up Arrow key two times or until Get-WindowsFeature appears. Press Enter to execute.
Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.
2. In the Console pane, type Import-Module ActiveDirectory and then press Enter.
3. In the Console pane, type Get-Command -Module ActiveDirectory and then press Enter.
X Task 2: View options on how to create a report of users in the Active Directory domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
X Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2. In the Notepad window, on the File menu, click Open. Locate E:\ModXA\Democode\LabUsers.Csv. You will need to change the file type to All Files.
3. Close Notepad.
4. In Windows PowerShell ISE, click File and then click Open. Locate
E:\ModXA\Democode\LabUsers.ps1. Click Open.
Module 3: Managing Windows Server 2012 by Using Windows PowerShell 3.0 L3-17
7. In the Console pane, type the following to verify that Luka Abrus, Marcel Truempy, Andy Brauninger,
and Cynthia Cary were created:
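An added example of the CSV-driven user creation that Task 3's script performs (this is not the course's LabUsers.ps1, and the CSV content below is constructed; the course file's column layout may differ). The target OU and the SamAccountName convention are assumptions.

```powershell
# Added example (not from the course): create the four lab users from a CSV file with the
# Active Directory module, then verify them as step 7 does.
Import-Module ActiveDirectory

# Constructed input standing in for E:\ModXA\Democode\LabUsers.Csv
$csvPath = Join-Path $env:TEMP 'LabUsers.csv'
@'
FirstName,LastName,SamAccountName,Department
Luka,Abrus,labrus,Production
Marcel,Truempy,mtruempy,Production
Andy,Brauninger,abrauninger,Research
Cynthia,Cary,ccary,Research
'@ | Set-Content -Path $csvPath

$ou = 'OU=Lab Users,DC=adatum,DC=com'   # assumed target OU
try   { Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name 'Lab Users' -Path 'DC=adatum,DC=com' }

# Prompting keeps the initial password out of the script file and the console history
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for the new lab users'

Import-Csv -Path $csvPath | ForEach-Object {
    # Re-running the script must not throw on accounts that already exist
    if (Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'") {
        Write-Warning "$($_.SamAccountName) already exists, skipping"
        return
    }
    New-ADUser -Name "$($_.FirstName) $($_.LastName)" `
               -GivenName $_.FirstName -Surname $_.LastName `
               -SamAccountName $_.SamAccountName `
               -UserPrincipalName "$($_.SamAccountName)@adatum.com" `
               -Department $_.Department -Path $ou `
               -AccountPassword $initialPassword `
               -ChangePasswordAtLogon $true -Enabled $true
}

# Step 7 equivalent: confirm Luka Abrus, Marcel Truempy, Andy Brauninger and Cynthia Cary exist
Get-ADUser -Filter * -SearchBase $ou -Properties Department |
    Format-Table Name, SamAccountName, Department, Enabled -AutoSize
```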
X Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2. In Windows PowerShell ISE, on the File menu, click Open. Locate E:\ModXA\Democode\Using If Statements.ps1. Click Open.
4. Press F5 to run the script. Run the script a second time to view the changes.
Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional loops to modify Active Directory properties.
2. In the Console pane, type Install-PswaWebApplication -UseTestCertificate and then press Enter.
2. In the Address bar, type the following URL and then press Enter:
https://LON-DC1/pswa
• User: Administrator
• Password: Pa$$w0rd
• Computer: LON-DC1
5. In the Windows PowerShell Web Access command shell, type Get-EventLog System -Newest 5 and
then press Enter.
6. Type the following in the Windows PowerShell Web Access command shell:
Results: After this exercise, you will have performed one to many management of remote servers by using
Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by
using Windows PowerShell Web Access.
2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7. On the Select features page, click Next.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk1, and then click
Next.
6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type lon-svr2, and then click Next.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list, select IP Address, in the Value box, type 172.16.0.22, and then
click OK.
12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list, select IP Address, in the Value box, type 131.107.0.2, and then
click OK.
16. On the View results page, wait until the creation is completed, and then click Close.
17. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk2, and then click
Next.
20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
21. On the Assign iSCSI target page, click lon-svr2, and then click Next.
23. On the View results page, wait until the creation is completed, and then click Close.
24. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
26. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk3, and then click
Next.
27. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
28. On the Assign iSCSI target page, click lon-svr2, and then click Next.
30. On the View results page, wait until the creation is completed, and then click Close.
31. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
32. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
33. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk4, and then click
Next.
34. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
35. On the Assign iSCSI target page, click lon-svr2, and then click Next.
37. On the View results page, wait until the creation is completed, and then click Close.
38. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
Module 4: Managing Storage for Windows Server 2012 L4-21
39. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
40. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk5, and then click
Next.
41. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
42. On the Assign iSCSI target page, click lon-svr2, and then click Next.
5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
7. On the Select features page, click Multipath I/O, and then click Next.
10. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select iSCSI
Initiator.
12. In the iSCSI Initiator Properties dialog box, on the Targets tab, in the Target box, type LON-DC1,
and then click Quick Connect. In the Quick Connect box, click Done.
14. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
15. In MPIO Properties dialog box, click the Discover Multi-Paths tab.
16. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to
reboot the computer, click Yes.
17. After the computer restarts, log on to LON-SVR2 with the username Adatum\Administrator and
the password Pa$$w0rd.
18. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
19. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that additional Device
Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.
2. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to
the list of Favorite Targets check box is selected, and then click the Advanced button.
6. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22 and in the Target
Portal IP drop-down list, click 172.16.0.10 / 3260.
9. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
10. In Connect to Target window, click Enable multi-path, verify that the Add this connection to the
list of Favorite Targets check box is selected, and then click the Advanced button.
11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2 and in the Target
Portal IP drop-down list, select 131.107.0.1 / 3260.
14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.
15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto
Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.
19. Verify that Round Robin is selected in the Load balance policy list. Under This device has the following
paths, notice that two paths are listed. Select the first path, and then click the Details button.
20. Note the IP address of the Source and Target portals, and then click OK.
21. Select the second path and then click the Details button.
22. Verify that the Source IP address is of the second network adapter, and then click OK.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
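The same multipath iSCSI logon as an added PowerShell example (not part of the lab text), run from an elevated prompt on LON-SVR2. The addresses, port and Round Robin policy are the lab's; the filter on the target name ("lon-svr2") is an assumption.

```powershell
# Added example, not the lab's own script: multipath iSCSI logon from LON-SVR2.

# Equivalent of MPIO > Discover Multi-Paths > "Add support for iSCSI devices".
# The claim only takes effect after a restart, which is why it is done first.
Install-WindowsFeature -Name Multipath-IO
Enable-MSDSMAutomaticClaim -BusType iSCSI
# Restart-Computer -Force            # log back on, then continue below
Get-MSDSMSupportedHW                 # lists MSFT2005 / iSCSIBusType_0x9 once claimed

# The lab's two paths: initiator address -> target portal on the same subnet.
$paths = @{
    '172.16.0.22' = '172.16.0.10'    # LAN adapter
    '131.107.0.2' = '131.107.0.1'    # second adapter
}
foreach ($portal in $paths.Values) {
    New-IscsiTargetPortal -TargetPortalAddress $portal -TargetPortalPortNumber 3260
}
# Assumption: the only target exposed by LON-DC1 has "lon-svr2" in its IQN.
$target = Get-IscsiTarget | Where-Object NodeAddress -like '*lon-svr2*'

# One logon per path: multipath on, and persistent so the session is restored
# at boot (the "Add this connection to the list of Favorite Targets" check box).
foreach ($initiator in $paths.Keys) {
    Connect-IscsiTarget -NodeAddress $target.NodeAddress `
        -InitiatorPortalAddress $initiator `
        -TargetPortalAddress $paths[$initiator] -TargetPortalPortNumber 3260 `
        -IsMultipathEnabled $true -IsPersistent $true
}

# Volumes and Devices > Auto Configure, then the policy verified in step 19.
Get-IscsiSession | Register-IscsiSession
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR

# Steps 19-22 as output: one connection per path with its source and target portal.
Get-IscsiConnection | Select-Object InitiatorAddress, TargetAddress, TargetPortNumber
mpclaim -s -d                        # MPIO view of the disk and its two paths
```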
MCT USE ONLY. STUDENT USE PROHIBITED
Module 4: Managing Storage for Windows Server 2012 L4-23
2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage
Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down list, click New Storage
Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1,
and then click Next.
6. On the Select physical disks for the storage pool page, click all five physical disks, and then click
Next.
8. On the View results page, wait until the creation is completed, and then click Close.
2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down list click New Virtual
Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the server and storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click
Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click
Next.
10. On the Confirm selections page, click Create.
11. On the View results page, wait until the creation is completed, make sure the Create a volume when
this wizard closes check box is selected, and then click Close.
12. In the New Volume Wizard window, on the Before you begin page, click Next.
13. On the Select the server and disk page, in the Disk pane, click the virtual disk that is called
Mirrored vDisk, and then click Next.
14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, make sure E is selected in the Drive letter drop-
down list, and then click Next.
16. On the Select file system settings page, in the File system drop-down list, select ReFS, in the
Volume label box, type Mirrored Volume, and then click Next.
18. On the Completion page, wait until the creation is completed, and then click Close.
X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press Enter.
2. At the command prompt, type the following command and then press Enter:
4. On the taskbar, open Windows Explorer and then click Mirrored Volume (E:). You should now see
write.exe in the file list.
2. In Server Manager, in the navigation pane, click File and Storage Services.
4. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.
5. In the Disable iSCSI Virtual Disk warning message box, click Yes.
X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.
2. On the taskbar, open Windows Explorer, and then click Mirrored Volume (E:).
3. In the file list pane, double-click write.exe to make sure access to the volume is still available.
6. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools”
button. Wait until all panes are refreshed. Notice the warning that appears next to Mirrored
vDisk.
7. In the VIRTUAL DISK pane, right-click Mirrored vDisk, in the drop-down list, select Properties.
8. In the Mirrored vDisk Properties window, in the navigation pane, click Health. Notice that the Health
Status indicates a Warning. The Operational Status should indicate Degraded.
2. In Server Manager, in the navigation pane, click File and Storage Services.
5. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, in the Storage
location pane, click C:, and then click Next.
6. On the Specify iSCSI virtual disk name page, type iSCSIDisk6, and then click Next.
7. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
8. On the Assign iSCSI target page, click lon-svr2, and then click Next.
10. On the View results page, wait until the creation is completed, and then click Close.
X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools”
button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add
Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk1 (LON-SVR2), and then click OK.
5. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend
Virtual Disk.
6. In the Extend Virtual Disk window, in the New size box, type 15, and then click OK.
Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
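The storage pool, three-way mirror, ReFS volume, health check and extension from Tasks 1 to 7 as an added PowerShell example (not the lab's own script), run on LON-SVR2. Names, sizes and the drive letter are the lab's; the assumption is that the only disks eligible for pooling are the iSCSI disks presented by LON-DC1.

```powershell
# Added example, not the lab's own script: Storage Spaces tasks from LON-SVR2.

# Task 1: pool every eligible disk (assumed to be the five iSCSI disks from LON-DC1).
$poolDisks = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName 'StoragePool1' `
    -StorageSubSystemFriendlyName 'Storage Spaces*' -PhysicalDisks $poolDisks

# Task 2: thin-provisioned 10 GB space. NumberOfDataCopies 3 is what the wizard's
# "Three-way mirror" option sets; it tolerates the loss of two disks at once.
New-VirtualDisk -StoragePoolFriendlyName 'StoragePool1' -FriendlyName 'Mirrored vDisk' `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB

# New Volume Wizard: initialize the new disk, create one partition as E:, format ReFS.
$disk = Get-VirtualDisk -FriendlyName 'Mirrored vDisk' | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false

# Task 3: copy a file onto the volume and confirm it is there.
Copy-Item -Path "$env:SystemRoot\System32\write.exe" -Destination 'E:\'
Test-Path 'E:\write.exe'                                   # True

# Task 5: after one iSCSI disk is disabled on LON-DC1 the data stays readable, but the
# space is degraded. Refresh the cache first (the "Refresh Storage Pools" button).
Update-StorageProviderCache
Get-VirtualDisk -FriendlyName 'Mirrored vDisk' |
    Select-Object FriendlyName, HealthStatus, OperationalStatus   # Warning / Degraded
Get-PhysicalDisk | Where-Object HealthStatus -ne 'Healthy' |
    Select-Object FriendlyName, HealthStatus, OperationalStatus   # the missing disk

# Task 7: add the newly presented disk to the pool and grow the space to 15 GB.
Add-PhysicalDisk -StoragePoolFriendlyName 'StoragePool1' `
    -PhysicalDisks (Get-PhysicalDisk -CanPool $true)
Resize-VirtualDisk -FriendlyName 'Mirrored vDisk' -Size 15GB
Get-VirtualDisk -FriendlyName 'Mirrored vDisk' | Select-Object FriendlyName, Size
```

Resizing the space does not grow the E: partition; a separate Resize-Partition on the disk is needed before the extra capacity is usable, which the GUI exercise above also does not do.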
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
6. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration,
expand Administrative Templates, expand Network, and then click Lanman Server.
13. In the Setting list in the Lanman Server result pane, right-click Hash Publication for BranchCache,
and then click Edit.
14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication
actions list, select the Allow hash publication only for shared folders on which BranchCache is
enabled check box, and then click OK.
2. On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type
Limit to 100 KBps, select the Specify Outbound Throttle Rate check box, type 100, and then click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.
7. Select the Share this folder check box and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.
11. On the Start screen, type command prompt and then press Enter.
12. At the command prompt, type the following command and then press Enter:
4. In the navigation pane of the Group Policy Management Editor console, under Computer
Configuration expand Policies, expand Windows Settings, expand Security Settings, and then
expand Windows Firewall with Advanced Security.
5. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows
Firewall with Advanced Security, and then click Inbound Rules.
6. On the Action menu of the Group Policy Management Editor console, click New Rule.
7. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache –
Content Retrieval (Uses HTTP), and then click Next.
9. On the Action page, click Finish to create the firewall inbound rule.
10. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console,
select New Rule.
11. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache –
Peer Discovery (Uses WSD), and then click Next.
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
2. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click
Edit.
3. In the Turn on BranchCache dialog box, click Enabled and then click OK.
4. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode
and then click Edit.
5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Type the name of
the hosted cache server box, type LON-SVR1.adatum.com, and then click OK.
6. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network
files and then click Edit.
7. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the
maximum round trip network latency value (milliseconds) after which caching begins box, type
0, and then click OK. This setting is required to simulate access from a branch office and is not
typically required.
11. On the Start screen, type command prompt and then press Enter.
12. At the command prompt, type the following command and then press Enter:
gpupdate /force
13. At the command prompt, type the following command and then press Enter:
14. Start 20417A-LON-CL2. After the computer starts, log on as Adatum\Administrator with the
password of Pa$$w0rd.
15. On the Start screen, type command prompt and then press Enter.
16. At the command prompt, type the following command and then press Enter:
gpupdate /force
17. At the command prompt, type the following command and then press Enter:
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, and then select the BranchCache for Network Files check box.
9. On the Select features page, click BranchCache, and then click Next.
9. In Server Manager, on the menu bar, click Tools and then select Group Policy Management from
the Tools drop-down list.
10. Under Domains, expand Adatum.com, right-click BranchCacheHost, and then click Block
Inheritance.
11. On LON-DC1, close all open windows.
12. Restart LON-SVR1 and log on as Adatum\Administrator with the password of Pa$$w0rd.
14. At the Windows PowerShell window, type the following cmdlet, and then press Enter:
Enable-BCHostedServer –RegisterSCP
15. At the Windows PowerShell window, type the following cmdlet, and then press Enter:
Get-BCStatus
Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not
available when this course was created, so the BranchCache verification steps are not included in
this lab.
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
2. Expand LON-DC1, expand Forward Lookup Zones, and then right-click Adatum.com.
6. On the Key Master screen, ensure that LON-DC1 is the Key Master. Click Next.
13. On the New Zone Signing Key (ZSK) screen, click OK.
16. On the Trust Anchors screen, select the Enable the distribution of trust anchors for this zone
check box, and then click Next.
20. Expand Trust Points, expand com, and click Adatum. Ensure that the DNSKEY resource records exist
and that their status is valid.
22. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.
23. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default
Domain Policy, and then click Edit.
24. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.
25. To apply the rule to the suffix of the namespace, in the Create Rules section, in the Suffix field, type
Adatum.com.
27. Select the Require DNS clients to check that the name and address data has been validated by the
DNS server check box, and then click Create.
28. Close the Group Policy Management Editor and Group Policy Management console.
2. Expand Lon-DC1.adatum.com.
2. Switch to LON-DC1.
3. In the DHCP Management console right-click the IPv4 node, and then click Configure Failover.
4. In the Configuration Failover Wizard, click Next.
5. On the Specify a partner server to use for failover screen, enter 172.16.0.21 in the Partner Server
field, and then click Next.
6. On the Create a new failover relationship screen, in the Relationship Name field, type Adatum.
7. In the Maximum Client Lead Time field, set the hours to zero, and set the minutes to 15.
11. In the Enable Message Authentication Shared Secret field, type Pa$$w0rd, click Next, and then
click Finish.
14. Expand the IPv4 node and expand the Adatum Scope.
15. Click the Address Pool node. Notice that the address pool is configured.
16. Click the Scope Options node. Notice that the scope options are configured.
17. Close the DHCP console on both LON-DC1 and LON-SVR1.
Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
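The DNSSEC signing, NRPT rule, DHCP name protection and DHCP failover from this exercise as an added PowerShell example (not the lab's own script), run on LON-DC1. Zone, GPO, partner address, MCLT and shared secret are the lab's; the scope ID is not stated on the page and is a placeholder, and LON-SVR1 as the partner is inferred from step 17.

```powershell
# Added example, not the lab's own script: DNSSEC and DHCP failover from LON-DC1.

# Sign Adatum.com with the default key settings (the Key Master and ZSK pages) and
# have the DNSKEY trust anchor distributed to the other DCs (Trust Anchors page).
Invoke-DnsServerZoneSign -ZoneName 'Adatum.com' -SignWithDefault -Force
Set-DnsServerDnsSecZoneSetting -ZoneName 'Adatum.com' -DistributeTrustAnchor DnsKey

# Step 20 as output: DNSKEY records in the zone and the trust point for it.
Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType DnsKey
Get-DnsServerTrustAnchor -Name 'Adatum.com'
# A validating resolver returns RRSIG records next to the answer.
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type A -DnssecOk

# Steps 24-27: NRPT rule in the Default Domain Policy. The GUI "Suffix" rule for
# Adatum.com is the namespace ".adatum.com"; validation is required, not optional.
Add-DnsClientNrptRule -Namespace '.adatum.com' -DnsSecEnable -DnsSecValidationRequired `
    -GpoName 'Default Domain Policy' -Comment 'Require validated answers for Adatum.com'
# On a client after gpupdate /force, Get-DnsClientNrptPolicy shows the rule in effect.

# DHCP name protection: stops a DHCP client registering a name another client owns.
Set-DhcpServerv4DnsSetting -ComputerName 'LON-DC1' -NameProtection $true

# Steps 3-11: failover relationship named Adatum with a 15 minute MCLT.
$scopeId = '172.16.0.0'   # PLACEHOLDER: the Adatum scope's network ID is not on the page
Add-DhcpServerv4Failover -ComputerName 'LON-DC1' -Name 'Adatum' -PartnerServer '172.16.0.21' `
    -ScopeId $scopeId -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) -SharedSecret 'Pa$$w0rd'

# Steps 14-16 from the partner's side: the scope, its pool and its options replicated.
Get-DhcpServerv4Failover -ComputerName 'LON-SVR1'
Get-DhcpServerv4Scope -ComputerName 'LON-SVR1' -ScopeId $scopeId
Get-DhcpServerv4OptionValue -ComputerName 'LON-SVR1' -ScopeId $scopeId
```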
Module 5: Implementing Network Services L5-33
7. In the Add features that are required for IP Address Management (IPAM) Server pop-up, click
Add Features, and then click Next.
2. In the IPAM Overview pane, after step 1 shows that LON-SVR2 is connected, click Provision the
IPAM server.
4. On the Select provisioning method screen, select the Group Policy Based method, type IPAM in the
GPO name prefix field, and then click Next.
2. To add the Adatum.com domain, in the Configure Server Discovery dialog box, click Add, and then
click OK.
3. On the IPAM Overview pane, click Start server discovery.
4. In the yellow banner, to determine the discovery status, click the More link. Discovery will take a few
minutes to complete.
5. To return to the IPAM pane, close the Overview Tasks Details dialog box.
Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll
down to the Details View and note the status report. This is because the IPAM server has not yet
been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.
3. Type the following command at the PowerShell prompt and then press Enter:
4. When you are prompted to confirm the action, press Enter. It will take a few moments to complete.
6. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
7. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.
15. Switch back to LON-SVR2, right-click LON-DC1, and then click Refresh Server Access Status. This
may take a few minutes to complete.
17. Refresh the page by clicking the Refresh icon on the top menu bar until status shows an IPAM Access
Status Unblocked.
18. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take
several moments to complete.
2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server
role.
4. In the Create DHCP Scope dialog box, in the Scope Name field, type TestScope.
8. In the Configure options pane, click the drop-down arrow of the Option field, and then select option
003 Router.
9. In the Values section, click the IP Address field, type 10.0.0.1, click Add to list, and then
click OK.
11. In the Server Manager toolbar, click Tools and then click DHCP.
12. In the DHCP console, expand LON-DC1.Adatum.com, expand IPv4, and then confirm that
TestScope exists.
13. Right-click the TestScope and then click Deactivate. Click Yes.
Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
4. In the Certificates snap-in dialog box, select Computer account, and then click Next.
5. In the Select Computer dialog box, click Finish, and then click OK.
6. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.
8. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
10. Verify the status of certificate installation as Succeeded and then click Finish.
11. Close the Console1 window. When you are prompted to save console settings, click No.
13. Move the mouse to the lower right corner and then click the Search icon on the flyout menu, type
MMC, and press Enter.
14. In the Console1 window click File and then click Add/Remove Snap-in.
15. In the Add or Remove Snap-ins dialog box click Certificates and then click Add.
16. In the Certificates snap-in dialog box select Computer account and then click Next.
17. In the Select Computer dialog box click Finish and then click OK.
18. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.
20. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
21. Select the Computer check box and then click Enroll.
22. Verify the status of certificate installation as Succeeded and then click Finish.
23. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.
25. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
26. Select the Computer check box, and then click Enroll.
27. Verify the status of certificate installation as Succeeded and then click Finish.
28. Close the Console1 window. When you are prompted to save console settings, click No.
32. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
33. In the Certificates snap-in dialog box, select Computer account and then click Next.
34. In the Select Computer dialog box, click Finish and then click OK.
35. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.
36. When the Certificate Enrollment dialog box appears, click Next.
37. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
38. Select the Computer check box and then click Enroll.
39. Verify the status of certificate installation as Succeeded and then click Finish.
40. Close the Console1 window. When you are prompted to save console settings, click No.
6. On the Select server roles page, select the Network Policy and Access Services check box.
7. In the Add Roles and Features Wizard dialog box, click Add Features and then click Next.
10. On the Select role services page, select the Network Policy Server check box, and then click Next.
2. Expand Network Access Protection, expand System Health Validators, expand Windows Security
Health Validator, and then click Settings.
4. On the Windows 8 Release Preview/Windows 7/Windows Vista selection, clear all check boxes
except the A firewall is enabled for all network connections check box, and then click OK.
5. Expand Policies.
7. In the Create New Health Policy dialog box, under Policy name, type Compliant.
8. Under Client SHV checks, verify that Client passes all SHV checks is selected.
9. Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.
11. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
12. Under Client SHV checks, select Client fails one or more SHV checks.
13. Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.
2. Disable the two default policies found under Policy Name by right-clicking the policies and then
clicking Disable.
3. Right-click Network Policies and then click New.
4. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type
Compliant-Full-Access and then click Next.
5. In the Specify Conditions window, click Add.
6. In the Select condition dialog box, scroll down and double-click Health Policies.
7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
8. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a
value of Compliant and then click Next.
9. In the Specify Access Permission window, verify that Access granted is selected.
10. Click Next three times.
11. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is
selected and then click Next.
14. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type
Noncompliant-Restricted and then click Next.
16. In the Select condition dialog box, scroll down and double-click Health Policies.
17. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.
18. In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a
value of Noncompliant and then click Next.
19. In the Specify Access Permission window, verify that Access granted is selected.
Note: A setting of Access granted does not mean that noncompliant client computers are
granted full network access. It specifies that the policy should continue to evaluate the client
computers that match these conditions.
23. Under IPv4, click Input Filters and then click New.
24. In the Add IP Filter dialog box, select Destination network. Type 172.16.0.10 next to IP address
and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from
noncompliant client computers can reach only LON-DC1.
25. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below
in the Inbound Filters dialog box and then click OK.
26. Under IPv4, click Output Filters and then click New.
27. In the Add IP Filter dialog box, select Source network. Type 172.16.0.10 next to IP address and
then type 255.255.255.255 next to Subnet mask.
28. Click OK to close the Add IP Filter dialog box and then in the Outbound Filters dialog box select
Permit only the packets listed below. This step ensures that only traffic from LON-DC1 can be sent
to noncompliant client computers.
29. To close the Outbound Filters dialog box, click OK.
30. In the Configure Settings window click Next and then click Finish.
2. Disable the default Connection Request policy named Use Windows authentication for all users by
right-clicking the policy and then clicking Disable.
3. Disable the default RRAS policy by right-clicking the Microsoft Routing and Remote Access Service
Policy and then clicking Disable.
5. In the Specify Connection Request Policy Name and Connection Type window, under Policy name,
type VPN Connections.
6. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click
Next.
8. In the Select Condition window, scroll down and double-click Tunnel Type, select PPTP, SSTP, and
L2TP. Click OK and then click Next.
9. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this
server is selected and then click Next.
10. In the Specify Authentication Methods window, select Override network policy authentication
settings.
11. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click
Microsoft: Protected EAP (PEAP) and then click OK.
12. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.
13. Verify that Enforce Network Access Protection is selected and then click OK.
Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.
2. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.
3. In the Search box, type gpedit.msc, click Apps, and press Enter.
4. In the Local Group Policy Editor console tree, expand Local Computer Policy
/Computer Configuration/Administrative Templates/Windows Components/Security Center.
5. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
4. In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.
6. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.
9. In the Network Access Protection Agent Properties dialog box, change the Startup type to
Automatic and then click Start.
10. Wait for the NAP Agent service to start and then click OK.
2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
5. In the Protocol type field, click the drop-down arrow and select ICMPv4 and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
8. In the Action window, verify that Allow the connection is selected and then click Next.
9. Click Next to accept the default profile.
10. In the Name window, type Allow Ping and then click Finish.
X Task 4: Move the client to the Internet and establish a VPN connection
1. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout
menu.
8. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask,
type 255.255.0.0. Clear the existing Default gateway value and leave it blank.
9. Click OK and then click Close to close the Local Area Connection Properties dialog box.
12. Click Legacy Network Adapter, under Network, select Private Network 2, and then click OK.
13. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the
flyout menu.
15. At the command prompt, type ping 131.107.0.1 and press Enter.
18. Return to Control Panel and then click Network and Internet.
21. On the Choose a connection option page, click Connect to a workplace and then click Next.
22. On the How do you want to connect page, click Use my Internet connection (VPN).
24. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2.
Next to Destination name, type Adatum VPN.
25. Select the Allow other people to use this connection check box and then click Create.
26. In the Network And Sharing Center window, click Change adapter settings.
27. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
30. Ensure that the Verify the server’s identity by validating the certificate check box is already
selected. Clear the Connect to these servers check box, and then ensure that Secured password
(EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast
Reconnect check box, and then select the Enforce Network Access Protection check box.
32. In the Network Connections window, right-click the Adatum VPN connection and then click
Connect/Disconnect.
33. In the Networks flyout menu, click Adatum VPN and then click Connect.
34. In the Network Authentication dialog box, type Administrator in the User Name field and type
Pa$$w0rd in the Password field.
35. Click OK and then click Connect.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.
a. Switch to LON-DC1.
b. In the Server Manager console, in the upper-right corner, click Tools, and then click Active
Directory Users and Computers.
c. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New,
and then click Organizational Unit.
d. In the New Object – Organizational Unit window, in the Name box, type DA_Clients OU, and then
click OK.
e. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
f. In the New Object - Group dialog box, under Group name, type DA_Clients.
g. Under Group scope, select Global, under Group type, select Security, and then click OK.
i. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
j. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click
Object Types, select the Computers check box, and then click OK.
k. Under Enter the object names to select (examples), type LON-SVR3, and then click OK.
l. Verify that LON-SVR3 is displayed below Members, and then click OK.
2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
Note: It is important to configure firewall rules for ICMPv6 traffic to enable subsequent
testing of DirectAccess in the lab environment.
a. In the Server Manager console, in the upper-right corner, click Tools, and then click Group
Policy Management.
c. In the console tree, right-click Default Domain Policy, and then click Edit.
d. In the console tree of the Group Policy Management Editor, navigate to
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall
with Advanced Security\Windows Firewall with Advanced Security.
e. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
f. On the Rule Type page, click Custom, and then click Next.
h. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click
Customize.
i. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request,
and then click OK.
j. Click Next.
o. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New
Rule.
p. On the Rule Type page, click Custom, and then click Next.
r. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click
Customize.
s. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request,
and then click OK.
t. Click Next.
x. On the Name page, in the Name box, type Outbound ICMPv6 Echo Requests, and then click
Finish.
y. Close the Group Policy Management Editor and Group Policy Management consoles.
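The "Allow Ping" rule from the NAP lab and the inbound and outbound ICMPv6 Echo Request rules from the DirectAccess steps above, as an added PowerShell example (not the lab's own script). The first is a local rule on LON-SVR2; the other two are written into the Default Domain Policy GPO. The outbound rule name is the lab's; the inbound rule name is an assumption since that step is not shown on the page.

```powershell
# Added example, not the lab's own script: the ICMP firewall rules in PowerShell.

# Local rule on LON-SVR2 (the NAP lab's "Allow Ping"): ICMPv4 type 8 is Echo Request.
New-NetFirewallRule -DisplayName 'Allow Ping' -Direction Inbound -Protocol ICMPv4 `
    -IcmpType 8 -Action Allow -Profile Any

# GPO rules for the DirectAccess lab. The policy store is "<domain>\<GPO name>";
# opening a session once avoids rewriting the GPO on every cmdlet.
$gpo = Open-NetGPO -PolicyStore 'adatum.com\Default Domain Policy'

# ICMPv6 type 128 is Echo Request. Inbound rule name assumed; outbound name is the lab's.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Inbound ICMPv6 Echo Requests' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Outbound ICMPv6 Echo Requests' `
    -Direction Outbound -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any
Save-NetGPO -GPOSession $gpo

# Verify from the GPO itself: both rules present, each scoped to exactly one ICMP type.
Get-NetFirewallRule -PolicyStore 'adatum.com\Default Domain Policy' -DisplayName '*ICMPv6*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, IcmpType
```

Scoping the rules to Echo Request only, rather than all ICMPv6, keeps the rest of ICMPv6 subject to the default rules that DirectAccess and IPv6 neighbor discovery already rely on.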
a. In the Server Manager console, click Tools, and then click DNS.
e. In the New Host dialog box, in the Name box, type CRL. In the IP address box, type
172.16.0.22, and then click Add Host.
f. In the DNS dialog box informing you that the record was created, click OK.
4. Remove ISATAP from the DNS global query block list by performing the following steps:
a. Move the mouse pointer to the lower-right corner, select Search on the right menu, and then
type cmd.exe to launch the Command Prompt window.
b. In the Command Prompt window, type the following command and then press Enter:
a. Switch to LON-SVR2.
b. Move the mouse to the lower right corner of the screen, click Settings, click Control Panel, and
then click View network status and tasks.
c. In the Network and Sharing Center window, click Change adapter settings.
d. In the Network Connection window, right-click Local Area Connection, and then click
Properties.
e. In the Local Area Network Properties window, double-click Internet Protocol Version 4
(TCP/IPv4).
g. On the DNS tab, in the DNS suffix for this connection box, type Adatum.com, and then click
OK.
d. On the Extensions tab, click Add. In the Location box, type http://crl.adatum.com/crld/.
e. Under Variable, click <CAName>, and then click Insert.
i. Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP
extension of issued certificates, and then click Apply. Click No in the dialog box asking you to
restart Active Directory Certificate Services.
j. Click Add.
o. In the Location box, type .crl at the end of the string, and then click OK.
p. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click
OK.
q. Click Yes to restart Active Directory Certificate Services.
2. Duplicate the web certificate template and configure the appropriate permissions by performing the
following steps:
a. In the Certification Authority console, expand Adatum-LON-DC1-CA, right-click Certificate
Templates, and then select Manage.
b. In the Certificate Templates console, in the content pane, right-click the Web Server template,
and then click Duplicate Template.
c. Click the General tab and in the Template display name box, type Adatum Web Server
Certificate.
d. Click the Request Handling tab and select Allow private key to be exported.
f. In the Permissions for Authenticated Users window, under Allow, click Enroll, and then click OK.
a. On LON-DC1, switch to Server Manager, click Tools on the upper-right side of the window, and
then click Group Policy Management.
b. In the console tree, expand Forest: Adatum.com, expand Domains, and then expand
Adatum.com.
c. In the console tree, right-click Default Domain Policy, and then click Edit.
e. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then
click Automatic Certificate Request.
f. In the Automatic Certificate Request Setup Wizard, click Next.
g. On the Certificate Template page, click Computer, click Next, and then click Finish.
h. Close the Group Policy Management Editor and close the Group Policy Management console.
Module 6: Implementing DirectAccess L6-47
a. On LON-SVR1, move the mouse to the lower-right corner of the screen, select Search, type cmd,
and then press Enter.
b. At the command prompt, type the following command and then press Enter.
gpupdate /force
c. At the command prompt, type the following command and then press Enter.
mmc
e. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates.
g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
h. Click Next twice.
i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More
information is required to enroll for this certificate.
j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type,
select Common name.
m. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
n. Close the console window. When you are prompted to save settings, click No.
a. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. At
the Internet Information Services (IIS) Manager message box, click No.
b. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites,
and then click Default Web site.
d. In the Add Site Bindings dialog box, click https, in the SSL Certificate, click the certificate with
the name nls.adatum.com, click OK, and then click Close.
a. Switch to LON-SVR2.
b. Open a command prompt and type the following command, and then press Enter:
gpupdate /force
c. Move the mouse to the lower-right corner, select Search, type mmc.exe, and then press Enter.
e. Click Certificates, click Add, click Computer account, click Next, select Local computer, click
Finish, and then click OK.
f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates.
g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type,
select Common name.
m. In the details pane of the Certificates snap-in, verify that a new certificate with the name
131.107.0.2 was issued with Intended Purposes of Server Authentication.
o. In the Friendly Name box, type IP-HTTPS Certificate, and then click OK.
p. Close the console window. If you are prompted to save settings, click No.
b. Click Tools, and then click Internet Information Services (IIS) Manager.
c. If the Internet Information Service Manager message box appears, click No.
d. In the console tree, browse to LON-SVR2\Sites\Default Web Site, right-click Default Web Site,
and then click Add Virtual Directory.
e. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path,
click the ellipsis button.
f. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
g. Type CRLDist and then press Enter. In the Browse for Folder dialog box, click OK.
h. In the Add Virtual Directory dialog box, click OK.
i. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane,
click Enable.
j. In the console tree, click the CRLD folder.
k. In the middle pane of the console, double-click the Configuration Editor icon.
m. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the
value from False to True.
Question: Why do you make the CRL available on the Edge server?
Answer: You make the CRL available on the Edge Server so that the Internet DirectAccess clients
can access the CRL.
3. Share and secure the CRL distribution point by performing the following steps:
Note: You perform this step to assign permissions to the CRL distribution point.
c. In the details pane of Windows Explorer, right-click the CRLDist folder, and then click Properties.
d. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
f. In the Share name box, add a dollar sign ($) to the end so that the share name is CRLDist$.
i. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
j. In the Object Types dialog box, select Computers, and then click OK.
k. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select box, type LON-DC1, and then click Check Names. Click OK.
l. In the Permissions for CRLDist$ dialog box, in the Group or user names list, select
LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control,
select Allow. Click OK.
s. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select box, type LON-DC1, click Check Names, and then click OK.
t. In the Permissions for CRLDist dialog box, in the Group or user names list, select
LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control,
select Allow, and then click OK.
Note: This step makes the CRL available on the edge server for Internet-based DirectAccess
clients.
a. Switch to LON-DC1.
d. In the Publish CRL dialog box, click New CRL, and then click OK.
e. On the taskbar, click Windows Explorer, type \\LON-SVR2\CRLDist$, and then press Enter.
f. In the Windows Explorer window, notice the Adatum-LON-DC1-CA files.
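The CRL distribution point configured by the CA-side steps (the CDP extension and publication locations) and the edge-side steps (the CRLD virtual directory, the CRLDist$ share and its permissions), done from PowerShell as an added example that is not part of the lab. It assumes the lab names (Adatum-LON-DC1-CA on LON-DC1, IIS on LON-SVR2, C:\CRLDist shared as CRLDist$, DNS name crl.adatum.com), the default local CertEnroll publication path, and the CRLPublicationURLs flag values as Microsoft documents them.

```powershell
# Added example: CRL distribution point on the CA (LON-DC1) and the edge server (LON-SVR2).

# ---- On LON-DC1 (the CA) ----
# CRLPublicationURLs is a "flags:URL" list. Flags: 1 = publish CRLs here,
# 2 = include in the CDP extension of issued certificates,
# 8 = include in CRLs (clients use it to find delta CRLs), 64 = publish delta CRLs here.
# Variables: %3 = CAName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed.
# -setreg replaces the whole list, so the default local path entry is kept explicitly.
certutil -getreg CA\CRLPublicationURLs      # review what is there before overwriting it
$urls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',   # default local path (assumed)
    '10:http://crl.adatum.com/crld/%3%8%9.crl',               # 2 + 8: what clients see
    '65:\\LON-SVR2\CRLDist$\%3%8%9.crl'                       # 1 + 64: where the CA writes
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $urls
Restart-Service CertSvc

# ---- On LON-SVR2 (the edge server) ----
Import-Module WebAdministration
New-Item -ItemType Directory -Path C:\CRLDist -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name CRLD -PhysicalPath C:\CRLDist
$vdir = 'IIS:\Sites\Default Web Site\CRLD'
Set-WebConfigurationProperty -PSPath $vdir -Filter /system.webServer/directoryBrowse `
    -Name enabled -Value $true
# Delta CRL file names contain '+', which request filtering treats as a
# double-escaped character; without allowDoubleEscaping delta CRLs return 404.
Set-WebConfigurationProperty -PSPath $vdir -Filter /system.webServer/security/requestFiltering `
    -Name allowDoubleEscaping -Value $true

# Share and NTFS permissions: only the CA's computer account needs write access.
# IIS serves the files from the local folder, so the share needs no other entries.
New-SmbShare -Name 'CRLDist$' -Path C:\CRLDist -FullAccess 'ADATUM\LON-DC1$'
icacls C:\CRLDist /grant 'ADATUM\LON-DC1$:(OI)(CI)F'

# ---- Back on LON-DC1: publish a new CRL and check both paths ----
certutil -crl
Get-ChildItem '\\LON-SVR2\CRLDist$'          # expect Adatum-LON-DC1-CA.crl and the + delta file
Invoke-WebRequest -Uri 'http://crl.adatum.com/crld/Adatum-LON-DC1-CA.crl' -UseBasicParsing |
    Select-Object StatusCode, @{n='Bytes'; e={ $_.RawContentLength }}
```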
a. On LON-SVR2, in Server Manager, on the Tools menu, click Remote Access Management.
f. In the Network Topology, verify that Edge is selected, and verify that 131.107.0.2 is the public
name used by clients to connect to the Remote Access server. Click Next.
Note: Because the server you already configured is a VPN server, you can only use the Getting
Started Wizard, which generates a self-signed certificate for DirectAccess communication. The next steps
modify the default DirectAccess settings to use the certificates already deployed from the internal
certification authority.
l. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.2.
m. Click Next.
o. On the Authentication page, select Use computer certificates, click Browse, select Adatum
LON-DC1 CA, click OK, and then click Next.
r. On the Network Location Server page, select The network location server is deployed on
a remote web server (recommended), in the URL of the NLS box, type
https://nls.adatum.com, and then click Validate.
t. Click Next, and then on the DNS page, examine the values, and then click Next.
w. Under Step 4, click Edit. On the DirectAccess Application Server Setup page, click Finish.
b. At the command prompt, type the following commands, and then press Enter after each one.
gpupdate /force
ipconfig
Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter IPHTTPSInterface
starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password of
Pa$$w0rd. This is to ensure that the LON-SVR3 computer connects to the domain as a member of
the DA_Clients security group.
3. Move the mouse pointer to the lower-right corner, select Search on the right menu, and then type
cmd to open the Command Prompt window.
4. At the command prompt, type the following command and then press Enter:
gpupdate /force
5. At the command prompt, type the following command, and then press Enter:
gpresult /R
6. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for
the Computer Settings.
Note: If the policy is not being applied, run the gpupdate /force command again. If the
policy is still not being applied, restart the computer. After the computer restarts, log on as
Adatum\Administrator and run the gpresult /R command again.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
4. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates.
5. In the details pane, verify that a certificate with the name Lon-SVR3.adatum.com is present with
Intended Purposes of Client Authentication and Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.
2. In the Address bar, type http://lon-svr1.adatum.com/ and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.
3. In the Address bar, type https://nls.adatum.com/ and then press Enter. The default IIS 8 web page
for LON-SVR1 appears.
5. On the taskbar, click Windows Explorer, type \\Lon-SVR1\Files, and then press Enter. A folder
window with the contents of the Files shared folder appears.
Results: After completing this exercise, you will have configured the DirectAccess clients.
Note: To verify the DirectAccess functionality, you must move the client computer to the
Internet.
1. Switch to LON-SVR3.
2. On LON-SVR3, move the mouse pointer to the lower-right end of the screen, click Settings, select
Control Panel, and then click Network and Internet.
6. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP
address. Fill in the following information, and then click OK.
• IP address: 131.107.0.10
9. In the Network Connections window, right-click Local Area Connection, and then click Disable.
10. In the Network Connections window, right-click Local Area Connection, and then click Enable.
11. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network. Click OK.
2. At the command prompt, type the following command, and then press Enter:
ipconfig
3. Notice the IP address that starts with 2002. This is an IP-HTTPS address.
4. At the command prompt, type the following command, and then press Enter:
5. At the command prompt, type the following command, and then press Enter:
powershell
6. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.
4. On the taskbar, click Windows Explorer, type \\LON-SVR1\Files, and then press Enter. A folder
window with the contents of the Files shared folder appears.
6. At the command prompt, type the following command and then press Enter:
ping lon-dc1.adatum.com
7. At the command prompt, type the following command, and then press Enter:
gpupdate /force
Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in
the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
Results: After completing this exercise, you will have verified the DirectAccess configuration.
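The client-side checks from this exercise (IP-HTTPS address, transition state, NRPT rules, NLS reachability, connectivity to an internal host), gathered into one function as an added example that is not part of the lab. It assumes the Windows 8 / Windows Server 2012 client modules (NetworkTransition, DnsClient, DirectAccessClientComponents) are present on LON-SVR3 and that the lab names are unchanged.

```powershell
# Added example: one-shot DirectAccess client state report for LON-SVR3.
function Test-DAClientState {
    [CmdletBinding()]
    param(
        [string]$InternalHost = 'lon-dc1.adatum.com',   # reachable only via DirectAccess from the Internet
        [string]$NlsUrl       = 'https://nls.adatum.com/' # network location server, intranet only
    )
    $result = [ordered]@{}

    # 1. IP-HTTPS interface: a 2002: address means the tunnel adapter came up
    #    (the lab expects the IPHTTPSInterface address to start with 2002).
    $iphttps = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.IPAddress -like '2002:*' }
    $result.IPHttpsAddress = if ($iphttps) { ($iphttps.IPAddress) -join ', ' } else { 'none' }

    # 2. State reported by the IP-HTTPS transition technology itself
    $state = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $result.IPHttpsState = if ($state) { $state.InterfaceStatus } else { 'n/a' }

    # 3. NRPT rules pushed by the DirectAccess Client Settings GPO: the adatum.com
    #    namespace should be listed, with the NLS name as an exemption.
    $nrpt = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue
    $result.NrptNamespaces = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '

    # 4. What the DirectAccess client component itself reports
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $result.DAStatus = if ($da) { "$($da.Status) / $($da.Substatus)" } else { 'n/a' }

    # 5. NLS reachable => the client believes it is on the intranet; unreachable =>
    #    Internet. A short timeout keeps the check from hanging on the Internet side.
    try {
        $null = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $result.NlsReachable = $true
    } catch {
        $result.NlsReachable = $false
    }

    # 6. End-to-end: an internal host answers (over the tunnel when remote)
    $result.InternalHostReachable = Test-Connection -ComputerName $InternalHost -Count 2 -Quiet

    [pscustomobject]$result
}

Test-DAClientState | Format-List
```

Run it once on the intranet (expect NlsReachable True, no 2002: address) and once on the Internet side (expect NlsReachable False, a 2002: address, and the internal host still reachable).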
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
7. Click Refresh.
9. Select Add this connection to the list of Favorite Targets, and then click OK two times.
10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
18. Select Add this connection to the list of Favorite Targets, and then click OK two times.
19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.
22. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
27. On the Format Partition page, in the Volume Label box, type Data. Select the Perform a quick
format check box, and then click Next.
28. Click Finish. (Note: If a Microsoft Windows window appears with a prompt to format the disk, click
Cancel.)
29. Repeat steps 22 through 28 for Disk 2 and Disk 3. (Note: Use Data2 and Data3 for Volume Labels).
31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.
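The iSCSI connection and disk preparation from this exercise done from PowerShell, as an added example that is not part of the lab. It assumes the Windows Server 2012 iSCSI and Storage modules, WinRM enabled on both nodes, the target portal at 172.16.0.21, and that the three LUNs are the only raw iSCSI disks.

```powershell
# Added example: connect LON-SVR3 and LON-SVR4 to the iSCSI target and format
# the three new disks from one node, as the GUI steps above do by hand.
$portal = '172.16.0.21'
$labels = 'Data', 'Data2', 'Data3'

# Connect both nodes. -IsPersistent is the "Add this connection to the list of
# Favorite Targets" option: the session is restored automatically after a restart.
foreach ($node in 'LON-SVR3', 'LON-SVR4') {
    Invoke-Command -ComputerName $node -ScriptBlock {
        param($p)
        Set-Service -Name MSiSCSI -StartupType Automatic   # the "Microsoft iSCSI" Yes prompt
        Start-Service -Name MSiSCSI
        New-IscsiTargetPortal -TargetPortalAddress $p | Out-Null
        foreach ($t in (Get-IscsiTarget | Where-Object { -not $_.IsConnected })) {
            Connect-IscsiTarget -NodeAddress $t.NodeAddress -IsPersistent $true | Out-Null
        }
        Update-HostStorageCache
    } -ArgumentList $portal
}

# Initialise and format from ONE node only. The LUNs become shared cluster storage;
# two nodes writing to the same LUN outside the cluster's control corrupts it.
Invoke-Command -ComputerName LON-SVR3 -ScriptBlock {
    param($labels)
    $raw = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
        Sort-Object Number
    if ($raw.Count -ne $labels.Count) {
        throw "Expected $($labels.Count) raw iSCSI disks, found $($raw.Count)"
    }
    $i = 0
    foreach ($disk in $raw) {
        $disk | Initialize-Disk -PartitionStyle MBR -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$i] -Confirm:$false | Out-Null
        $i++
    }
    # Check: every iSCSI disk is now MBR and online
    Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
        Select-Object Number, PartitionStyle, OperationalStatus, Size
} -ArgumentList (,$labels)
```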
5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for Failover Clustering? window, click Add Features. Click Next.
9. When installation is complete (you get the message Installation succeeded on LON-SVRx), click Close.
2. In the Actions pane of the Failover Cluster Manager, click Validate Configuration.
4. In the Enter Name box, type LON-SVR3, and then click Add.
7. Verify that Run all tests (recommended) is selected, and then click Next.
10. Verify that all tests completed without errors. Some warnings are expected.
12. On the Summary page, clear the Create the cluster now using the validated nodes check box,
and then click Finish.
Module 7: Implementing Failover Clustering L7-57
2. In the Create Cluster Wizard on the Before You Begin page, read the information.
3. Click Next, in the Enter server name box, type LON-SVR3, and then click Add. Type LON-SVR4,
and then click Add.
5. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1.
7. In the Confirmation dialog box, verify the information, and then click Next.
8. On the Summary page, click Finish to return to the Failover Cluster Manager.
Results: After this exercise, you will have installed and configured the Failover Clustering feature.
12. Make sure that three disks are present and online (with names Cluster Disk 1, Cluster Disk 2 and
Cluster Disk 3).
16. On the File Server Type page, click File Server for general use, and then click Next.
17. On the Client Access Point page, in the Client Access Name box, type AdatumFS, and in the
Address box, type 172.16.0.130, and then click Next.
18. On the Select Storage page, click Cluster Disk 2, and then click Next.
5. On the Select the server and the path for this share page, click Next.
6. On the Specify share name page, in the Share name box, type Docs, and then click Next.
7. On the Configure share settings page, review available options, and then click Next.
7. Click OK.
Results: After this exercise, you will have configured a highly available file server.
2. Verify that you can access the location and that you can open the Docs folder. Create a test text
document inside this folder.
4. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS. (Note:
You can view the owner in the Owner node column. It will be either LON-SVR3 or LON-SVR4).
5. Right-click AdatumFS, and then click Move, and then click Select Node.
6. In the Move Clustered Role dialog box, click OK.
8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, in the Failover Cluster Manager, click Roles.
2. Verify the current owner for the AdatumFS role. (Note: You can view the owner in the Owner node
column. It will be either LON-SVR3 or LON-SVR4).
3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.
4. Right-click the node, select More Actions, and then click Stop Cluster Service. Click Yes when
prompted.
5. Verify that AdatumFS has moved to another node. To do this, click the other node and verify that
AdatumFS is running.
6. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
7. Switch to LON-SVR3, and in Failover Cluster Manager, right-click the stopped node, select
More Actions, and then click Start Cluster Service.
8. Expand Storage and then click Disks. In the center pane, right-click the disk that is assigned to Disk
Witness in Quorum (Note: you can view this in the Assigned to column.)
10. Switch to LON-DC1 and verify that you can still access the \\AdatumFS\ location. By doing this, you
verified that the cluster is still running even if the witness disk is offline.
11. Switch to the LON-SVR3 computer and in Failover Cluster Manager, expand Storage, click Disks,
right-click the disk that is in Offline status, and then click Bring Online.
Results: After this exercise, you will have tested the failover scenarios.
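The cluster build, the file server role, and the two failover tests from the exercises above, scripted as an added example that is not part of the lab. It assumes the Failover Clustering tools on a non-node machine such as LON-DC1 (so cluster cmdlets keep working while a node's cluster service is stopped), the Docs share already created, and a cluster access point address that this extract does not show (placeholder CLUSTER_IP).

```powershell
# Added example: build Cluster1, add AdatumFS, then run the planned-move,
# node-failure and witness-offline checks. Run from LON-DC1 as Adatum\Administrator.
$cluster   = 'Cluster1'
$nodes     = 'LON-SVR3', 'LON-SVR4'
$clusterIp = 'CLUSTER_IP'   # placeholder: the cluster's own address from the lab, not shown here

# 1. Feature installation on both nodes
foreach ($n in $nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $n | Out-Null
}
Import-Module FailoverClusters

# 2. Validation first; do not create the cluster until the report shows no failures
#    (warnings are expected in a two-node lab without redundant networks).
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"

# 3. Cluster and the general-use file server role on Cluster Disk 2
New-Cluster -Name $cluster -Node $nodes -StaticAddress $clusterIp | Out-Null
Add-ClusterFileServerRole -Cluster $cluster -Name AdatumFS -Storage 'Cluster Disk 2' `
    -StaticAddress 172.16.0.130 | Out-Null

function Get-AdatumFsOwner {
    (Get-ClusterGroup -Cluster $cluster -Name AdatumFS).OwnerNode.Name
}

# 4. Task 1: planned move to the other node, then confirm the owner changed
$before = Get-AdatumFsOwner
$target = $nodes | Where-Object { $_ -ne $before }
Move-ClusterGroup -Cluster $cluster -Name AdatumFS -Node $target | Out-Null
if ((Get-AdatumFsOwner) -ne $target) { throw "AdatumFS did not move to $target" }
Write-Host "Planned move: $before -> $target, share reachable: $(Test-Path '\\AdatumFS\Docs')"

# 5. Task 2: stop the cluster service on the owner and confirm the role comes
#    up on the surviving node, then bring the node back.
$owner = Get-AdatumFsOwner
Stop-ClusterNode -Cluster $cluster -Name $owner | Out-Null
Start-Sleep -Seconds 15
$after = Get-AdatumFsOwner
if ($after -eq $owner) { throw 'AdatumFS did not fail over' }
Write-Host "Node failure: $owner -> $after, share reachable: $(Test-Path '\\AdatumFS\Docs')"
Start-ClusterNode -Cluster $cluster -Name $owner | Out-Null

# 6. Witness disk offline: two nodes still hold a majority of votes, so the
#    cluster and the share stay up; the witness is brought back afterwards.
$witness = (Get-ClusterQuorum -Cluster $cluster).QuorumResource
Stop-ClusterResource -Cluster $cluster -Name $witness.Name | Out-Null
Write-Host "Witness '$($witness.Name)' offline, share reachable: $(Test-Path '\\AdatumFS\Docs')"
Start-ClusterResource -Cluster $cluster -Name $witness.Name | Out-Null
```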
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6. On the Select features page, in the list of features, click Failover Clustering. In Add features that
are required for Failover Clustering? dialog box, click Add Features. Click Next.
9. Switch to LON-SVR3. Open Server Manager, click Tools and then click Windows Firewall with
Advanced Security.
10. In Windows Firewall with Advanced Security window, click Inbound Rules.
11. In the rules list, find the rule Inbound Rule for Remote Shutdown (RPC-EP-In). Right-click the rule,
and then select Enable Rule.
12. In the rules list, find the rule Inbound Rule for Remote Shutdown (TCP-In). Right-click the rule, and
then select Enable Rule.
15. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
16. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1. Click Connect.
17. In the Cluster Actions pane, click Preview updates for this cluster.
18. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes,
updates will be shown in the list. Review updates and then click Close.
Note: An Internet connection is required for this step to complete successfully. Make sure
that the MSL-TMG1 server is up and running and that you can access the Internet from LON-DC1.
7. Wait until the process finishes. (Note: This may require a restart of both nodes.) The process is
finished when both nodes show Succeeded in the Last Run status column.
9. On LON-SVR3, in the Server Manager, click Tools, and then click Cluster-Aware Updating.
10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list,
select Cluster1. Click Connect.
11. Click the Configure cluster self-updating options in the Cluster Actions pane.
13. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.
14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM,
and then in the Day of the week box, select Sunday. Click Next.
Results: After this exercise, you will have configured Cluster-Aware Updating.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
2. Log on to the server with the Adatum\Administrator account and the password Pa$$w0rd.
5. In the Network Connections dialog box, right-click the network object, and then click Properties.
6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
7. On the General tab, click Use the following IP address, and then configure the following:
• LON-HOST1: 172.16.0.31
• LON-HOST2: 172.16.0.32
8. On the General tab, click Use the following DNS server addresses, and then configure the
following:
2. On the Before you begin page of the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, select Role-based or feature-based installation, and then
click Next.
6. In the Add Roles and Features Wizard dialog box, click Add Features.
7. On the Select Server Roles page of the Add Roles and Features Wizard, click Next.
10. On the Create Virtual Switches page, verify that no selections have been made, and then click Next.
12. On the Default Stores page, review the location of Default Stores, and then click Next.
13. On the Confirm Installation Selections page, select Restart the destination server automatically
if required.
14. In the Add Roles and Features Wizard dialog box, review the message about automatic restarts, and
then click Yes.
16. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using
the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will
restart several times.
2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features
Wizard.
4. In the Hyper-V Manager console, click the Hyper-V host server name (LON-HOST1 or LON-HOST2).
7. In the Hyper-V Settings dialog box, click the Virtual Hard Disks item. Verify the location of the
default folder is configured to use the Virtual Hard Disk folder, and then click OK.
Question: What additional features are required to support the Hyper-V role?
Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.
2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External
is selected, and then click Create Virtual Switch.
Module 8: Implementing Hyper-V L8-65
3. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the
following information, and then click OK:
o External Network: Mapped to the host computer's physical network adapter. This varies depending
on the host computer.
4. In the Apply Networking Changes dialog box, review the warning, and then click Yes.
3. Under Create virtual switch, select Private, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, configure the following settings, and then click OK:
4. In the Virtual Switch Properties section, configure the following settings, and then click OK:
Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.
4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click
each folder, and then rename the folders with the names listed below:
a. LON-GUEST1
b. LON-GUEST2
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
a. Name: LON-GUEST1.vhd
12. On the Configure Disk page, type the location: E:\Program Files\Microsoft Learning
\Base\Base12A-WS2012-RC.vhd, and then click Finish.
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then
press Enter:
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2, and then press Enter:
17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click
LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a
differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base
\Base12A-WS2012-RC.vhd as a parent, and then click Close.
2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.
3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the
virtual machine in a different location, enter the following values, and then click Next.
a. Name: LON-GUEST1
4. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select
the Use Dynamic Memory for this virtual machine option, and click Next.
5. On the Configure Networking page of the New Virtual Machine Wizard, choose Private Network
and then click Next.
6. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open and then click Finish.
8. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
9. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:
11. In the Hyper-V Manager console, click LON-GUEST2. In the Actions pane, under LON-GUEST2, click
Settings.
12. On the Settings for LON-GUEST2 dialog box, click Automatic Start Action, and then set the
Automatic Start Action to Nothing.
13. On the Settings for LON-GUEST2 dialog box, click Automatic Stop Action, and then set the
Automatic Stop Action to Shut down the guest operating system.
14. Click OK to close the Settings for the LON-GUEST2 dialog box.
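The differencing disk, the Inspect Disk check, and the LON-GUEST2 virtual machine settings from the two tasks above, done entirely in PowerShell as an added example (not the lab's own command text). It assumes the lab's parent disk and folder paths, a virtual switch named Private Network, and an administrator session on the Hyper-V host.

```powershell
# Added example: create LON-GUEST2's differencing disk and VM from PowerShell.
Import-Module Hyper-V
$base   = 'E:\Program Files\Microsoft Learning\Base'
$parent = Join-Path $base 'Base12A-WS2012-RC.vhd'
$vmName = 'LON-GUEST2'
$vmDir  = Join-Path $base $vmName
$child  = Join-Path $vmDir "$vmName.vhd"

# Every differencing child depends on the parent's content never changing,
# so refuse to continue without it and mark it read-only once it is in use.
if (-not (Test-Path $parent)) { throw "Parent disk not found: $parent" }
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

New-Item -ItemType Directory -Path $vmDir -Force | Out-Null
New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

# Same check as "Inspect Disk": the type must be Differencing and point at the parent.
$vhd = Get-VHD -Path $child
if ($vhd.VhdType -ne 'Differencing' -or $vhd.ParentPath -ne $parent) {
    throw "$child is not a differencing disk of $parent"
}

# VM on the private switch: 1024 MB startup memory, dynamic memory enabled,
# stored under the VM's own folder.
New-VM -Name $vmName -Path $vmDir -MemoryStartupBytes 1024MB -VHDPath $child `
    -SwitchName 'Private Network' | Out-Null
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true

# Automatic start: Nothing; automatic stop: shut down the guest OS cleanly
# (a clean shutdown avoids an inconsistent guest disk when the host stops).
Set-VM -Name $vmName -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Check the result
Get-VM -Name $vmName |
    Select-Object Name, State, DynamicMemoryEnabled, AutomaticStartAction, AutomaticStopAction
```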
3. Select the Enable virtual LAN identification for management operating system check box.
7. Change the Virtual switch to Internal Network, and click Enable virtual LAN identification.
9. Expand Network Adapter, click Advanced Features, enable the following options, and then click
OK:
o Enable DHCP guard
Question: What kind of switch would you create if you added a new physical network adapter to the
Hyper-V host and wanted to keep this separate from the existing networks you create during this
exercise?
Answer: You should create an external switch. External switches map to external network adapters.
2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.
3. On the Locate Folder page, perform the following task, and then click Next:
o If you are using LON-HOST1, type the path: E:\Program Files\Microsoft Learning
\20417\Drives\20417A-LON-DC1-B
o If you are using LON-HOST2, enter the path: E:\Program Files\Microsoft Learning
\20417\Drives\20417A-LON-SVR1-B
5. On the Choose Import Type page, select Register the virtual machine in-place (use the existing
unique ID), and then click Next.
6. Right-click the desktop of the virtual machine, click New, and then click Folder. Name the folder
Sydney.
9. On the Action menu of the Virtual Machine Connection window, click Snapshot.
10. In the Snapshot Name dialog box, in the Name box, type Before Change, and then click Yes.
13. Right-click the Recycle Bin, and then click Empty Recycle Bin.
15. On the Action menu of the Virtual Machine Connection window, click Revert.
17. Verify that the following folders are present on the desktop:
o Sydney
o Melbourne
o Brisbane
Question: What state must the virtual machine be in to configure dynamic memory when using
Windows Server 2008 R2 as a host? How is this different to Windows Server 2012 as a host?
Answer: The virtual machine must be powered off to configure dynamic memory. In Windows Server
2012, you can configure dynamic memory while the virtual machine is powered on.
Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.
4. On the Before You Begin page in Import Virtual Machine Wizard, click Next.
Note: The drive letter may be different based upon the number of drives on the physical
host machine.
7. On Select Virtual Machine page, select 20417A-LON-CORE and then click Next.
6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.
7. Click Computer, double-click Local Disk (E:), and then click New folder. Type VMReplica as the
folder name, and then press Enter. Select the E:\VMReplica\ folder, and then click Select Folder.
10. Click to the Start screen and then click Control Panel.
11. In the Control Panel, click System and Security, and then click Windows Firewall.
14. In the right pane, in the rule list, find the rule Hyper-V Replica HTTP Listener (TCP-In). Right-click
the rule and click Enable Rule.
15. Close the Windows Firewall with Advanced Security console and then close Windows Firewall.
5. In the Select Computer window, type LON-HOST2, click Check Names, and then click OK.
Click Next.
6. On the Specify Connection Parameters page, review settings, and make sure that Use Kerberos
authentication (HTTP) is selected. Click Next.
7. On the Choose Replication VHDs page, make sure that 20410A-LON-CORE.vhd is selected and
then click Next.
8. On the Configure Recovery History page, select Only the latest recovery point and then click
Next.
9. On the Choose Initial Replication Method page, click Send initial copy over the network and
select Start replication immediately, and then click Next.
10. On the Completing the Enable Replication wizard page, click Finish.
11. Wait 10-15 minutes. You can monitor the progress of initial replication in the Status column in
Hyper-V Manager console. When it completes (progress reaches 100%) make sure that
20417A-LON-CORE has appeared on LON-HOST2 in Hyper-V Manager.
3. Review the content of the window that appears and make sure that there are no errors.
4. Click Close.
5. On LON-HOST1, open Hyper-V Manager and verify that 20417A-LON-CORE is turned off.
7. In the Planned Failover window, make sure that the Start the Replica virtual machine after
failover option is selected, and then click Fail Over.
10. On LON-HOST1, right-click 20417A-LON-CORE, point to Replication and then click Remove
replication.
Module 09: Implementing Failover Clustering with Hyper-V L9-73
12. On LON-HOST2, right-click 20417A-LON-CORE and select Shut Down. In the Shut Down Machine
dialog box, click Shut Down.
Results: After completing this exercise, you will have configured Hyper-V Replica.
4. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
6. Click Refresh.
8. Select Add this connection to the list of Favorite Targets, and then click OK.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
18. Select Add this connection to the list of Favorite Targets, and then click OK. Click OK to close
iSCSI Initiator Properties.
19. On LON-HOST2, in the Server Manager window, click Tools, and then click Computer Management.
22. Right-click Disk 2, and then click Initialize Disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.
27. On the Format Partition page, in the Volume label box, type ClusterDisk. Select the Perform a
quick format check box, and then click Next.
29. Repeat steps 21 through 28 for Disk 3 and Disk 4. In step 27, use the volume label ClusterVMs for
Disk 3 and Quorum for Disk 4.
30. On LON-HOST1 in Server Manager, click Tools, and then click Computer Management.
5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for failover clustering prompt, click Add Features, and then click Next.
8. On the Confirm installation selections page, click Install.
11. On LON-HOST1, in the Server Manager console, click Tools and then click Failover Cluster
Manager.
12. In Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
13. In the Create Cluster Wizard on the Before You Begin page, read the information. Click Next.
14. In the Enter server name box, type LON-HOST1, and then click Add. Type LON-HOST2, and then
click Add.
16. On the Validation Warning page, click No. I don’t require support from Microsoft for this
cluster and click Next.
17. In the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.
18. Under Address, in the IP address name box, type 172.16.0.126, and then click Next.
19. In the Confirmation dialog box, verify the information, remove the checkmark next to Add all
eligible storage to the cluster, and then click Next.
3. In the Add Disks to Cluster dialog box, verify that all disks are selected, and then click OK.
4. Verify that all disks appear available for cluster storage in Failover Cluster Manager.
5. Select the disk that displays the Volume name of ClusterVMs. Right-click the ClusterVMs disk and
select Add to Cluster Shared Volumes.
6. Right-click VMCluster.adatum.com, select More Actions and then click Configure Cluster Quorum
Settings. Click Next.
7. On the Select Quorum Configuration Option page, click Use typical settings and then click Next.
Note: Make sure that LON-HOST1 is the owner of the ClusterVMs disk in Failover Cluster
Manager. If it is not, then move the ClusterVMs resource to LON-HOST1 before doing this
procedure.
5. On the Specify Name and Location page, type TestClusterVM for the Name and then click Store
the virtual machine in a different location and then click Browse.
7. Click Next.
8. On the Assign Memory page, type 1536 and then click Next.
9. On the Configure Networking page, select Corporate Network, and then click Next.
10. On the Connect Virtual Hard Disk page click Use an existing virtual hard disk and then click
Browse.
11. Locate C:\ClusterStorage\Volume1 and select 20417A-LON-CORE.vhd and then click Open.
13. On the Summary page of the High Availability Wizard click Finish.
3. Right-click TestClusterVM and select Move, then select Live Migration and then click Select
Node….
6. Make sure that you can access and operate the virtual machine while it is migrating to the other host.
4. Switch back to Hyper-V Manager console, and in the Actions pane click Move.
7. On the Choose Options for Moving Storage page, select Move all of the virtual machine’s data
to a single location and then click Next.
8. On the Choose a new location for virtual machine page, click Browse.
9. Locate C:\ and then create a new folder called Guest1. Click Select Folder.
2. When you are prompted with the boot menu select Windows Server 2008 R2 and press Enter.
1. Folders that belong to the Research department can be accessed and modified only by employees who
belong to the Research department.
3. Managers should access confidential files only from workstations that belong to the ManagersWKS
security group.
Note: You can meet these requirements by implementing claims, resource properties, and
file classifications, used together in Dynamic Access Control. To implement this, you should first
create the appropriate claims for users and devices. The user claim uses the department attribute as
its source, while the device claim uses the description attribute as its source. After that, you should
configure a resource property for the Research department. When these objects are prepared, you
should configure Central Access Rules and Central Access Policies to protect the resources. At the same
time, you should configure file classification for confidential documents. Finally, you should apply the
Central Access Policy to the folders where the files for Research and Managers are located.
4. As a solution for users who receive error messages, you should implement Access Denied
Assistance.
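The design described in the note above, built from PowerShell rather than the consoles, as an added example (not the course's own lab steps). It assumes the Windows Server 2012 ActiveDirectory module on a domain controller, the built-in Department_MS and Confidentiality_MS resource properties, and constructed names for the device claim and the policy.

```powershell
# Added example, not part of the 20417A lab: the DAC objects the note describes.
# Assumes the ActiveDirectory module (Windows Server 2012) and the built-in
# Department_MS / Confidentiality_MS resource properties; other names are constructed.
Import-Module ActiveDirectory

# 1. Claims: the user claim comes from 'department', the device claim from 'description'
$userClaim = New-ADClaimType -DisplayName "Company Department" -SourceAttribute department `
    -AppliesToClasses @("user") -Enabled $true -PassThru
$deviceClaim = New-ADClaimType -DisplayName "Computer Description" -SourceAttribute description `
    -AppliesToClasses @("computer") -Enabled $true -PassThru

# 2. Resource property: enable Department and add "Research" as a suggested value
$rp = Get-ADResourceProperty -Identity Department_MS
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "Research", "Research", "Research department files")
Set-ADResourceProperty -Identity $rp -Enabled $true -SuggestedValues @{ Add = $research }
Set-ADResourceProperty -Identity Confidentiality_MS -Enabled $true

# File servers only see properties that are in a resource property list
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members Department_MS, Confidentiality_MS

# 3. Central Access Rule: Authenticated Users get Modify (0x1301bf) only when the
#    user's department claim equals the folder's Department resource property.
#    The claim and property are referenced by their AD DS IDs inside the conditional ACE.
$condition = "(@USER.$($userClaim.ID) == @RESOURCE.$($rp.ID))"
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;$condition)"
New-ADCentralAccessRule -Name "Department Match" `
    -ResourceCondition "(@RESOURCE.$($rp.ID) Any_of {`"Research`"})" `
    -CurrentAcl $acl

# 4. Central Access Policy that carries the rule; it is delivered to the file server by
#    Group Policy and then selected on the folder's Central Policy tab, as in the lab.
New-ADCentralAccessPolicy -Name "Research Policy"        # constructed policy name
Add-ADCentralAccessPolicyMember -Identity "Research Policy" -Members "Department Match"

# Verify what was created
Get-ADCentralAccessRule -Filter 'Name -eq "Department Match"' | Select-Object Name, CurrentAcl
Get-ADCentralAccessPolicy -Filter 'Name -eq "Research Policy"' | Select-Object Name, Members
```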
3. In the New Object – Organizational Unit, in the Name field, type Test and then click OK.
4. Click the Computers container.
5. Press the Ctrl key and click the LON-SVR1, LON-CL1 and LON-CL2 computers. Right-click and select
Move….
8. On LON-DC1, in the Server Manager, click Tools, and then click Group Policy Management.
10. Right-click the Managers OU, and then click Block Inheritance. This creates the block-inheritance
setting that you will troubleshoot and remove in a later module of the course.
11. Click the Group Policy Objects container.
12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.
13. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos
armoring.
15. In the KDC support for claims, compound authentication and Kerberos armoring window, select
Enabled, and in the Options section, click the drop-down list and select Supported. Click OK.
16. Close the Group Policy Management Editor and Group Policy Management console.
17. Open Windows Power Shell, by clicking its icon on the task bar, and type gpupdate /force and press
Enter. After Group Policy is updated, close Windows PowerShell.
18. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
19. Expand Adatum.com, right-click Users, click New, and then click Group.
20. Type ManagersWKS for the Group name, and then click OK.
24. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK
again.
30. Click the Organization tab. Make sure that the Department field is populated with the value
Research. Click Cancel.
Results: After completing this exercise, you will have a design for Dynamic Access Control and you will
have prepared AD DS for the Dynamic Access Control implementation.
2. In the Active Directory Administrative Center console, in navigation pane, click Dynamic Access
Control.
5. In the navigation pane, click Dynamic Access Control and then double-click Resource Properties.
Module 10: Implementing Dynamic Access Control L10-79
7. In the navigation pane, click Dynamic Access Control and then double-click Resource Property
Lists.
8. In the central pane right-click Global Resource Property List, and then click Properties.
9. In the Global Resource Property List, in the Resource Properties, section review available resource
properties.
3. In the Tasks pane, click New and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, select department.
7. Click OK.
2. In the Create Claim Type window, in the Source Attribute section, select description.
3. Clear the User check box and select the Computer check box.
4. Click OK.
Results: After completing this exercise you will have configured user and device claims.
7. Make sure that both Department and Confidentiality properties are enabled in the list.
8. Double-click Department.
9. Scroll down to the Suggested Values section, and then click Add.
10. In the Add a suggested value window, type Research in both Value and Display name text boxes,
and then click OK two times.
11. Click Dynamic Access Control and then double-click Resource Property Lists.
2. In the Add Roles and Features Wizard click Next three times.
3. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI Service (Installed) and select File Server Resource Manager.
5. Click Next two times and then click Install. After installation finishes, click Close.
6. In Server Manager, click Tools, and then click File Server Resource Manager.
12. In the Create Classification Rule window, enter Set Confidentiality for the Rule name.
o Property: Confidentiality
o Value: High
18. In the Classification Parameters dialog box, click the Regular expression drop-down list and select
String.
19. In the Expression field (next to the word String) type secret.
23. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
24. Select Wait for classification to complete, and then click OK.
25. After the classification is complete, you are presented with a report. Verify that two files were
classified.
29. Click the Classification tab. Verify that Confidentiality is set to High.
30. Repeat steps 28 and 29 on files Doc2.txt and Doc3.txt.
Note: Doc2.txt should have the same confidentiality as Doc1.txt while Doc3.txt should have
no value. This is because only Doc1 and Doc2 have the word secret in their content.
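The same "Set Confidentiality" rule, plus the access-denied assistance message used later in this module, created with the FileServerResourceManager module instead of the console, as an added example (not the course's own lab steps). It assumes FSRM is installed, that the AD DS Confidentiality property syncs into FSRM as Confidentiality_MS with the value 3000 behind the display name High, and that C:\Docs is the lab folder.

```powershell
# Added example, not part of the 20417A lab: content classification from PowerShell.
# Assumes FSRM on Windows Server 2012, the AD DS property Confidentiality_MS
# (Low=1000, Moderate=2000, High=3000) and the lab folder C:\Docs.
Import-Module FileServerResourceManager

# Pull the resource properties defined in AD DS (Department, Confidentiality) into FSRM
Update-FsrmClassificationPropertyDefinition

# Rule: any file under C:\Docs whose content contains "secret" gets Confidentiality = High.
# Doc3.txt in the lab contains no such string, so it keeps no value.
New-FsrmClassificationRule -Name "Set Confidentiality" `
    -Namespace @("C:\Docs") `
    -Property "Confidentiality_MS" -PropertyValue "3000" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("secret") `
    -ReevaluateProperty Overwrite

# Run all classification rules now (the console's "Run Classification with all rules now")
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification | Select-Object Status, LastRunTime

# Access-denied assistance: the message the lab later sets through Group Policy.
# A GPO setting overrides this local value where both are present.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage "You are denied access because of permission policy. Please request access." `
    -AllowRequests $true -MailToOwner $true

# Verify the rule and the assistance settings
Get-FsrmClassificationRule -Name "Set Confidentiality" | Select-Object Name, Namespace, Property, PropertyValue
Get-FsrmAdrSetting -Event AccessDenied | Select-Object Enabled, AllowRequests, DisplayMessage
```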
4. Click Department.
6. Click OK.
Results: After this exercise, you will have configured resource properties and file classifications.
2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access
Control.
4. In the Tasks pane, click New, and then click Central Access Rule.
5. In the Central Access Rule dialog box, type Department Match for the Name.
9. In the Permissions section, click Use the following permissions as current permissions.
14. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.
15. In the Basic permissions section select Modify, Read and Execute, Read and Write.
17. Click the Group drop-down list, and select Company Department.
18. In the Value drop-down list, select Resource.
21. In the Tasks pane, click New, and then click Central Access Rule.
27. In the Permissions section, click Use the following permissions as current permissions.
32. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.
33. In the Basic permissions section, select Modify, Read and Execute, Read and Write.
34. Click Add a condition.
Note: If you can’t find ManagersWKS in the last drop-down box, click Add items. Then in
the Select User, Computer, Service Account or Group window, type ManagersWKS and click
Check Names. Click OK.
2. In the Tasks pane, click New, and then click Central Access Policy.
5. Click the Access Confidential Docs rule, and then click >>.
6. Click OK twice.
7. In the Tasks pane, click New, and then click Central Access Policy.
9. Click Add.
10. Click the Department Match rule and then click >>.
2. Under Domains, expand Adatum.com, and then right-click Test and click Create a GPO in this
domain, and link it here.
3. Type DAC Policy, and then click OK.
7. Click both Department Match and Protect confidential docs, and then click Add.
8. Click OK.
2. Type gpupdate /force and press Enter. Close the Command Prompt window.
3. Open Windows Explorer, browse to Drive C and right-click the Docs folder, and select Properties.
5. Click Advanced.
6. In the Advanced Security Settings for Docs window, click the Central Policy tab.
7. Click Change.
13. In the Advanced Security Settings for Research window, click the Central Policy tab.
6. In the right pane, double-click Customize Message for Access Denied errors.
7. In the Customize Message for Access Denied errors window, click Enabled.
8. In the Display the following message to users who are denied access text box, type: You are
denied access because of permission policy. Please request access.
10. Review other options, do not make any changes, and then click OK.
11. In the right pane of Group Policy Management Editor, double-click Enable access-denied assistance
on client for all file types.
13. Close the Group Policy Management Editor and close the Group Policy Management console.
14. Switch to LON-SVR1, open Windows PowerShell and type gpupdate /force and press Enter.
Results: After completing this exercise you will have configured central access rules and policies.
2. Click Desktop and then open Windows Explorer by clicking its icon on the task bar.
5. In the address bar of Windows Explorer, type \\LON-SVR1\Research and press Enter.
6. Click Request assistance. Review options for sending messages, and then click Close.
Note: You should be able to access this folder and open documents inside because Allie is
in Research department.
Note: You should be unable to see Doc1 and Doc2 since LON-CL2 is not permitted to view
secret documents.
2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.
6. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.
7. Double-click Audit File System. Select all three check boxes, then click OK.
8. Close the Group Policy Management Editor and the Group Policy Management console.
7. Click Edit.
2. Open Windows Explorer, and then in the address bar type \\LON-SVR1\Research. Attempt to open
the folder. You will be unsuccessful. Click Close.
3. Switch to LON-SVR1.
6. In the Select User, Computer, Service Account, or Group window type April, and then click Check
Names, and then click OK.
8. Review results. April should not have any access to this folder.
12. Click View Effective access. April should have access now.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
Results: After this exercise, you will have validated Dynamic Access Control functionality.
3. In the Add Servers dialog box, in the Name (CN) field, type LON-SVR3, and then click Find Now.
4. Select the LON-SVR3 server in the details pane, and then click the arrow to move it to the Selected
pane.
5. Click OK.
2. In the Create Server Group dialog box, in the Server group name field, type DCs.
3. Select both LON-SVR3 and LON-DC1, click the arrow to move them to the Selected pane, and then
click OK.
4. On the Select Destination Server page, select LON-SVR3.Adatum.com, and then click Next.
5. On the Select server role page, click the check box for Active Directory Domain Services, click
Add Features in the Add features that are required for Active Directory Domain Services dialog
box, and then click Next.
6. On the Select features page, click Next.
8. On the Confirm installation selections page, click the check box to Restart the destination server
automatically if required, and then click Install. The installation will take several minutes.
10. In Server Manager Dashboard, click the notification icon (the flag icon or yellow triangle) on the
menu bar.
11. Locate the Post-deployment Configuration task, and then click Promote this server to a domain
controller.
12. In the Active Directory Domain Services Configuration Wizard, ensure that Add a domain controller
to an existing domain is selected.
13. In the Supply the credentials to perform this operation section, click Change.
14. In the Windows Security dialog box, type Adatum\Administrator in the user name field and in the
password field type Pa$$w0rd.
16. On the Domain Controller Options page, select the check box for Read only domain controller
(RODC).
17. Type and confirm the Directory services Restore Mode (DSRM) password to be Pa$$w0rd, and then
click Next.
Note: The installation will take several minutes and LON-SVR3 will automatically restart to
complete the promotion.
23. When the promotion is completed click Close. Note that LON-SVR3 is restarting.
4. In the LON-SVR3 Properties dialog box, click the Password Replication Policy tab.
5. Click Add.
6. In the Add Groups, Users and Computers dialog box, click Allow passwords for the account to
replicate to this RODC, and then click OK.
7. In the Select Users, Computers, Services Accounts, or Groups dialog box, type Managers, and
then click OK.
9. In the Select User or Group dialog box, type IT, and then click OK.
Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a
server group, deployed an RODC remotely, and configured the password replication policy and
administrative assignments for the RODC.
Module 11: Implementing Active Directory Domain Services L11-91
Answer: The Prohibit Desktop Background policy and the Prohibit Registry Tools GPOs are being
applied.
Answer: No, this is against company policy. The Prohibit Registry Tools policy should not be applied
to an IT group user.
14. Log on to LON-CL1 as Bill with a password of Pa$$word. Bill is a member of the Managers group.
17. In Control Panel under Appearance and Personalization, click Change desktop background.
Answer: The Desktop Background dialog box appears and provides access to change the desktop
background.
19. Point to the lower right corner of the desktop, click the Search charm, and then type Run.
21. In the Run box, type Regedit, and then click OK.
23. Point to the lower right corner of the desktop, click the Search charm, and type Command Prompt
in the Apps search field.
24. Click Command Prompt in the Apps results field.
25. In the Command Prompt window, type GPResult /R and examine the results.
Answer: Default Domain Policy, Prohibit Registry Tools and Prohibit Desktop Background. This
confirms the policies are linked to the correct container.
Answer: The Managers OU has blue circle with a white exclamation mark. This indicates the
inheritance is being blocked. You must remove the inheritance block to resolve the issue with the
Managers OU.
4. Right-click the Managers OU and clear the check mark next to Block Inheritance.
Question: How will you ensure that the Prohibit Registry Tools GPO will not be applied to the IT
group users?
Answer: There are multiple ways that you could resolve this. For example, you could create a GPO
that specifically reverses the Prevent access to registry editing tools setting and link it directly to the
IT OU.
8. Click Advanced.
9. In the Prohibit Registry Tools Security Settings dialog box, click Add.
10. In the Select Users, Computers, Service Accounts, or Groups dialog box type IT, and then click
OK.
12. In the Permissions for IT section, locate the Apply Group Policy permission, and then click Deny.
14. If the Windows Security dialog box appears, click Yes to acknowledge the message.
4. In the Command Prompt window, type GPResult /R and examine the results.
Answer: Yes. The system is now in line with the company policy.
5. Sign Out of LON-CL1.
9. In the Command Prompt window, type GPResult /R and examine the results.
Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.
6. Type Get-ADServiceAccount -Filter * and press Enter to verify the account. Note the output of the
command.
7. Type Install-ADServiceAccount -Identity Webservice and press Enter.
X Task 2: Configure the Web Server Application Pool to use the Group Managed
Service account
1. On LON-DC1, in Server Manager, click the Tools menu and click Internet Information Services (IIS)
Manager.
3. In the details pane, right-click the DefaultAppPool and click Advanced Settings.
4. In the Advanced Settings dialog box, click Identity and click the ellipses.
5. In the Application Pool Identity dialog box, click Custom Account and click Set.
6. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field and click OK
three times.
Results: After completing this exercise, you will have created and associated a managed service account,
installed a managed service account on a web server, and verified the password change for a managed
service account.
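The install and application pool steps above, done from PowerShell on the web server, as an added example (not the course's own lab steps). It assumes the gMSA Webservice already exists in AD DS, that this host is listed in its PrincipalsAllowedToRetrieveManagedPassword, and that the WebAdministration module (IIS) is available.

```powershell
# Added example, not part of the 20417A lab: gMSA install plus app pool identity.
# Assumes the gMSA "Webservice" exists and this host may retrieve its managed password.
Import-Module ActiveDirectory
Import-Module WebAdministration

# Confirm the account exists and which hosts may retrieve its password
Get-ADServiceAccount -Filter 'Name -eq "Webservice"' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# Install the gMSA locally; Test-ADServiceAccount returns $false if this host
# cannot retrieve the managed password, which is the usual cause of a pool that fails to start
Install-ADServiceAccount -Identity Webservice
if (-not (Test-ADServiceAccount -Identity Webservice)) {
    throw "The Webservice gMSA cannot be used on this host; check PrincipalsAllowedToRetrieveManagedPassword"
}

# Point DefaultAppPool at the gMSA. identityType 3 = SpecificUser; the trailing $
# marks a gMSA and no password is stored, because Windows retrieves it from AD DS.
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ identityType = 3; userName = 'Adatum\Webservice$'; password = '' }
Restart-WebAppPool -Name DefaultAppPool

# Verify the pool identity now shows the gMSA
(Get-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel).userName
```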
Exercise 4: Maintaining AD DS
X Task 1: Create and view Active Directory snapshots
1. Switch to LON-DC1.
2. Move your mouse to the bottom right corner and click the Search charm.
Note: The GUID that is displayed is important for commands in later tasks. Make note of
the GUID or, alternatively, copy it to the clipboard.
Note: Copy and paste the $snap_datetime value from the previous command. (The port
number can be any open, unique TCP port.) Leave the Command Prompt window open and the
command running while you perform the next tasks.
12. In Server Manager, click the Tools menu and then click Active Directory Users and Computers.
14. In the details pane, right-click Allie Bellew, and then click Delete. Click Yes to confirm in the message
box.
15. Right click the Active Directory Users and Computers root node and then click Change Domain
Controller.
16. Click <Type a Directory Server name[:port] here> and type LON-DC1:50000 and then press Enter.
Note: Notice that the user Allie Bellew exists in the snapshot because it was taken before
the user was deleted.
19. Close Active Directory Users and Computers and close the command window.
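The snapshot workflow of this task driven from an elevated PowerShell session on LON-DC1, as an added example (not the course's own lab steps). It reads the snapshot GUID and mount path back from ntdsutil's output instead of copying them by hand, and assumes the AD DS database is on the C: volume and that TCP port 50000 is free, as in the lab.

```powershell
# Added example, not part of the 20417A lab: create, mount and query an AD DS snapshot.
# Assumes ntds.dit lives under C:\Windows\NTDS and port 50000 is unused.

# 1. Create a VSS snapshot of the AD DS database volume
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. List snapshots and take the newest GUID; ntdsutil prints one line per snapshot
#    set and one per volume, each carrying a {GUID}
$listing = ntdsutil snapshot "list all" quit quit
$guid = ($listing | Select-String -Pattern '\{[0-9a-fA-F-]{36}\}' -AllMatches).Matches |
    Select-Object -Last 1 -ExpandProperty Value

# 3. Mount it; ntdsutil reports a path such as C:\$SNAP_201301011000_VOLUMEC$\
$mountOut = ntdsutil snapshot "list all" "mount $guid" quit quit
$mount = ($mountOut | Select-String -Pattern '[A-Z]:\\\$SNAP_\w+\$\\').Matches |
    Select-Object -Last 1 -ExpandProperty Value

# 4. Expose the snapshot copy of ntds.dit as a read-only LDAP instance on TCP 50000.
#    dsamain keeps running until it is stopped, so it is started as a separate process.
$dbPath = "$($mount)Windows\NTDS\ntds.dit"
Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$dbPath`" -ldapport 50000"
Start-Sleep -Seconds 10

# 5. Query the snapshot: a user deleted after the snapshot was taken is still present here
Get-ADUser -Server "LON-DC1:50000" -Filter 'Name -like "Allie*"' |
    Select-Object Name, DistinguishedName

# The mounted copy contains the full directory, password hashes included; stop dsamain,
# then unmount and delete the snapshot when finished:
#   Stop-Process -Name dsamain
#   ntdsutil snapshot "list all" "unmount $guid" "delete $guid" quit quit
```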
2. Ensure that the Aidan Delaney user account is selected, and then in the tasks pane, click Delete.
2. In the Tasks pane, click Restore. In the navigation pane under Adatum (local), click Managers.
Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.
5. Click in the IP address column, and then type 172.16.10.10. Press Enter, and then click OK.
4. In the left pane, click Documents, and then paste the file into the Documents folder.
5. Open a Windows PowerShell® command prompt, type MMC and then press Enter.
11. Double-click Default Domain Policy. In the console tree, expand the following path:
Computer Configuration > Policies > Windows Settings > Security Settings >
Public Key Policies > Trusted Root Certification Authorities.
12. Right-click Trusted Root Certification Authorities, and then click Import.
13. On the Welcome to the Certificate Import Wizard page, click Next.
14. On the File to Import page, click Browse.
16. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
17. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
18. Close the Group Policy Management Editor without saving changes.
20. In the Search box, type \\LON-DC1.adatum.com\certenroll, and then press Enter.
21. In the CertEnroll window, right-click the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt file, and
then click Copy.
22. In the left pane, click Documents, and then paste the file into the Documents folder.
23. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
24. In the Console1 window, click File, and then click Add/Remove Snap-in.
27. Verify that Local computer is selected, click Finish, and then click OK.
28. Expand Certificates, and then click Trusted Root Certification Authorities.
29. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.
30. On the Welcome to the Certificate Import Wizard page, click Next.
33. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
2. In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message.
5. On the Distinguished Name Properties page, enter the settings as listed below, and then click
Next:
o Organization: A. Datum
o Organization unit: IT
o City/locality: London
Module 12: Implementing Active Directory Federation Services L12-99
o State/province: England
o Country/region: GB
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select
to search for a CA server in the domain.
X Task 4: Bind the certificate to the claims aware application on the web server and
verify application access
1. On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site,
and then in the Actions pane, click Bindings.
3. In the Add Site Binding dialog box, under Type, select https, and under Port, verify that 443 is
selected.
4. In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.
5. Click Close, and then close Internet Information Services (IIS) Manager.
8. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
5. On the Select server roles page, select the Active Directory Federation Services check box, click
Add Features, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
2. In the Overview pane, click the AD FS Federation Server Configuration Wizard link.
3. On the Welcome page, ensure that Create a new Federation Service is selected, and then click
Next.
4. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and
then click Next.
5. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is
LON-DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com.
Click Next.
6. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and
then click Next.
7. Wait for the configuration to finish, and then click Close.
5. Click Sites, and then clear the Automatically detect intranet network check box.
6. Click Advanced, and in the Add this website to the zone box, type
https://lon-dc1.adatum.com, and then click Add.
8. Click OK twice.
9. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
10. Verify that the xml file opens successfully, and then scroll through its contents.
Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the contents of the federation metadata XML file.
2. At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press Enter.
This step is required so that you can modify the certificates that AD FS uses.
5. In the AD FS console, in the left pane, expand Service, and then click Certificates.
7. In the Select a token signing certificate dialog box, click LON-DC1.Adatum.com, and then click
OK.
8. In the AD FS Management warning, click OK.
9. Right-click the newly added certificate, and then click Set as Primary. Note the warning message,
and then click Yes.
10. Select the certificate that has just been superseded, right-click the certificate, and then click Delete.
Click Yes to confirm the deletion.
2. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
3. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as
Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
o User-Principal-Name = UPN
o Display-Name = Name
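The same two changes (turning off automatic certificate rollover and adding the Send LDAP Attributes as Claims rule to the Active Directory claims provider trust) can be made with the ADFS PowerShell module instead of the console. The block below is an added example, not part of the course lab. It assumes the lab's rule name and attribute mapping (userPrincipalName to UPN, displayName to Name) and is run in an elevated PowerShell on LON-DC1.

```powershell
# Added example (not from the course lab): Exercise 2, Tasks 1 and 2, done with the
# ADFS PowerShell module. Assumes the lab rule name and attribute mapping; run on
# LON-DC1 as an administrator.

# Task 1, step 2: AD FS only lets you set your own token-signing certificate when
# automatic certificate rollover is off.
Set-AdfsProperties -AutoCertificateRollover $false

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" template.
# The rule fires on the windowsaccountname claim produced by Windows authentication,
# looks the account up in Active Directory, and issues one claim per mapped attribute:
# userPrincipalName -> UPN, displayName -> Name.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,displayName;{0}", param = c.Value);
'@

# The Active Directory claims provider trust is identified as "AD AUTHORITY".
# Set-AdfsClaimsProviderTrust replaces the whole acceptance rule set, so append
# to the rules already present rather than overwriting them.
$adTrust  = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
$newRules = $adTrust.AcceptanceTransformRules + "`r`n" + $ldapRule
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AcceptanceTransformRules $newRules

# Read back the stored rules and the token-signing certificates. With rollover off,
# the primary token-signing certificate will not change on its own.
(Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY').AcceptanceTransformRules
Get-AdfsCertificate -CertificateType Token-Signing | Format-Table CertificateType, IsPrimary, Thumbprint
```

The console wizard writes exactly this rule text; View Rule Language on the finished rule shows it, which is a convenient way to confirm the PowerShell version matches.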
X Task 3: Configure the claims application to trust incoming claims by running the WIF
Federation Utility
1. On LON-SVR1, go to the Start screen, and then click Windows Identity Foundation Federation
Utility.
2. On the Welcome to the Federation Utility wizard page, in Application configuration location,
type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of
the WIF sample application.
3. In Application URI, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path to
the sample application that will trust the incoming claims from the federation server. Click Next to
continue.
4. On the Security Token Service page, select Use an existing STS, type
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS
WS-Federation metadata document location, and then click Next to continue. In the warning, click
Yes.
5. On the Security token encryption page, select No encryption, and then click Next.
6. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
7. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.
8. Click OK.
X Task 4: Configure a relying party trust for the claims aware application
1. On LON-DC1, in the AD FS Management console, click AD FS.
3. On the Welcome page of the Add relying party Trust Wizard, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.
Note: This action prompts the wizard to retrieve the federation metadata of the application that the
web server role hosts.
6. On the Specify Display Name page, in the Display name box, type ADatum Test App, and then
click Next.
7. On the Choose Issuance Authorization Rules page, ensure that Permit all users to access this
relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.
2. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
Note: This rule passes the incoming Windows account name claim, which Windows Integrated
Authentication produced, through unchanged to the relying party.
3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name
rule. In the Incoming claim type drop-down list, select Windows account name, and then click
Finish.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the
Incoming claim type drop-down list, select E-mail Address, and then click Finish.
8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming
claim type drop-down list, select UPN, and then click Finish.
11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming
claim type drop-down list, select Name, and then click Finish.
2. Connect to https://lon-svr1.adatum.com/AdatumTestApp/.
3. If you are prompted for credentials, type Adatum\Brad with password Pa$$w0rd, and then press
Enter. The page renders, and then you see the claims that were processed to allow access to the web
site.
Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.
2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to
save the configuration.
8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for
mun-dc1.treyresearch.com window appears.
10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click
Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish. Click Yes.
15. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell.
16. At the prompt, type the following command, and then press Enter:
X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum’s claim aware
application
1. On MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS console, on the Overview page, click Required: Add a trusted relying party.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, type https://lon-dc1.adatum.com, and then click Next.
5. On the Specify Display Name page, in the Display name box, type Adatum TestApp, and then
click Next.
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.
7. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save
the configuration.
8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for Adatum TestApp window
appears.
9. On the Issuance Transform Rules tab, click Add Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming claim, and then click
Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming Claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish.
X Task 3: Verify access to the A. Datum Test Application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/.
Module 12: Implementing Active Directory Federation Services
Note: The logon process has changed, and you must now select an authority that can
authorize and validate the access request. The Home Realm Discovery page (the Sign In page)
appears, and you must select an authority.
2. On the Sign In page, select mun-dc1.treyresearch.com, and then click Continue to Sign in.
3. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
4. Close Internet Explorer.
6. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
Note: You are not prompted for a home realm again. Once users have selected a home
realm and been authenticated by that realm's authority, the relying party federation server issues
them an _LSRealm cookie. The default lifetime of the cookie is 30 days. Therefore, to repeat the
logon with a different home realm, you must delete that cookie after each logon attempt to return to a
clean state.
X Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a certain group
1. On MUN-DC1, in the AD FS console, expand Trust Relationships, and then click Relying Party Trusts.
2. Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.
3. On the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click
Add Rule.
4. On the Select Rule Template page, under Claim rule template, select Send Group Membership as
a Claim, and then click Next.
5. On the Configure Rule page, in Claim rule name, type Permit Production Group Rule.
6. Beside User’s Group, click Browse, type Production, and then click OK.
8. Under Outgoing claim value, type Production, click Finish and then click OK.
10. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
11. Select mun-dc1.treyresearch.com, and in the Actions pane, click Edit Claim Rules.
13. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.
15. In the Incoming claim type drop down list, click Group, and click Finish. Click Yes and then click
OK.
16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.
17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.
19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.
20. Under Claim rule name, type Send TreyResearch Group Name Rule.
21. In the Incoming claim type drop down list, click Group. Click Finish.
22. On the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab,
select the rule named Permit Access to All Users, and click Remove Rule. Click Yes to confirm. With
no issuance authorization rules, AD FS denies access to every user.
24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
25. On the Configure Rule page, in Claim rule name type Permit TreyResearch Production Group
Rule, in the Incoming claim type drop-down list, select Group. In Incoming claim value, type
Production, select the option to Permit access to users with this incoming claim, and then click
Finish.
27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
28. On the Configure Rule page, in Claim rule name type Temp, in the Incoming claim type drop-
down list, select UPN. In Incoming claim value, type @adatum.com, select the option to Permit
access to users with this incoming claim, and then click Finish.
30. In the Edit Rule –Temp dialog box, click View Rule Language.
31. Press Ctrl + C to copy the rule language to the clipboard. Click OK.
33. Click the Temp rule, click Remove Rule, and then click Yes.
35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a
Custom Rule, and then click Next.
36. On the Configure Rule page, type ADatum User Access Rule as the Claim rule name.
37. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit
the first URL to match the following text, and then click Finish:
Note: This rule permits access to anyone who presents a UPN claim whose value ends in
@adatum.com. The Value expression in the first line (the condition) defines the pattern that the
claim value must match. In that pattern, ^ anchors the start of the string, (?i) makes the match case
insensitive, .+ matches one or more characters (the user part of the UPN), and $ anchors the end of
the string. Without the .+, the pattern generated by the wizard matches only the literal value
@adatum.com, which no real UPN carries.
38. Click OK to close the property page and save the changes to the relying party trust.
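The issuance authorization rules that steps 22 to 38 build in the console on LON-DC1 can be written directly in claim rule language and applied with Set-AdfsRelyingPartyTrust, which also lets you test the UPN pattern against sample values before a user ever hits it. The block below is an added example, not part of the course lab. It assumes the lab's relying party display name (ADatum Test App) and group claim value (Production) and is run in an elevated PowerShell on LON-DC1; the sample UPNs at the end are constructed for the check.

```powershell
# Added example (not from the course lab): Task 4 issuance authorization rules on
# LON-DC1 via the ADFS PowerShell module. Assumes the lab relying party name
# "ADatum Test App" and the group claim value "Production"; run as an administrator.

# Rule 1 permits anyone presenting a Group claim with the value Production.
# Rule 2 is the lab's "ADatum User Access Rule": permit any UPN ending in @adatum.com.
# The wizard's unedited pattern ^(?i)@adatum\.com$ matches only the literal string
# "@adatum.com"; the .+ is what makes it match a real user's UPN.
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleTemplate = "Authorization"
@RuleName = "ADatum User Access Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# IssuanceAuthorizationRules replaces the whole rule set, which also removes the
# default "Permit Access to All Users" rule (step 22). With no rules, nobody gets in.
Set-AdfsRelyingPartyTrust -TargetName 'ADatum Test App' -IssuanceAuthorizationRules $authorizationRules

# Read back what AD FS stored and make sure no permit-all rule survived. The
# permit-all template issues the permit claim with the value "true".
$rp = Get-AdfsRelyingPartyTrust -Name 'ADatum Test App'
if ($rp.IssuanceAuthorizationRules -match 'claims/permit", Value = "true"') {
    Write-Warning 'A permit-all rule is still present; every authenticated user will be allowed.'
}

# Exercise the UPN pattern with .NET regex, which is what the rule engine uses.
# (?i) is the inline case-insensitivity option; the dot in adatum\.com must be
# escaped, otherwise a value such as "x@adatumXcom" would satisfy the pattern.
function Test-UpnPattern {
    param(
        [string[]]$Upn,
        [string]$Pattern = '^(?i).+@adatum\.com$'
    )
    foreach ($u in $Upn) {
        New-Object PSObject -Property @{ Upn = $u; Matches = ($u -match $Pattern) }
    }
}

# Constructed sample values: an Adatum user, the same in upper case, a Trey Research
# user, a value that only passes if the dot is unescaped, and the bare literal that is
# the only thing the unedited wizard pattern accepts.
$samples = 'Brad@adatum.com', 'BRAD@ADATUM.COM', 'April@treyresearch.com', 'x@adatumXcom', '@adatum.com'
Test-UpnPattern -Upn $samples | Format-Table Upn, Matches
Test-UpnPattern -Upn $samples -Pattern '^(?i)@adatum\.com$' | Format-Table Upn, Matches
```

The second table shows why step 37 edits the wizard output: compare the two patterns on the same inputs before you save a custom rule, because an authorization rule that matches nothing fails closed and locks every Adatum user out, while one that matches too much lets the wrong realm in.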
2. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then
press Enter.
Note: April is not a member of the Production group, so she should not be able to access
the application.
4. Open Internet Explorer, click the Settings icon in the top-right corner, and then click Internet
options.
5. Under Browsing history, click Delete, click Delete again, and then click OK.
6. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
7. Select mun-dc1.treyresearch.com on the Sign In page, and then click Continue to Sign in.
8. When prompted for credentials, type TreyResearch\Morgan with the password Pa$$w0rd, and then
press Enter.
Note: Morgan is a member of the Production group, so she should be able to access the
application.
2. In the Virtual Machines list, right-click 20417A-MUN-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a
relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claims-aware
application. Then you configured the application to restrict access from TreyResearch.com to specific
groups, and you verified appropriate access.