You are on page 1of 524

MCT USE ONLY.

STUDENT USE PROHIBITED

O F F I C I A L

M I C R O S O F T

L E A R N I N G

P R O D U C T

Configuring Advanced Windows Server 2012 Services

20412A

MCT USE ONLY. STUDENT USE PROHIBITED

ii

Configuring Advanced Windows Server 2012 Services

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners

Product Number: 20412A Part Number: X18-48644 Released: 09/2012

MCT USE ONLY. STUDENT USE PROHIBITED

MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply. BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below. 1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time. b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location. d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee. e. Licensed Content means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media. f.

Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.

g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy Program.

h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status. i.

Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructorled courseware that educates IT professionals or developers on Microsoft technologies.

MCT USE ONLY. STUDENT USE PROHIBITED

j.

Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner Network program member in good standing.

k. Personal Device means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course. l. Private Training Session means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

m. Trainer Content means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines. 2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content. 2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.

a. If you are a Authorized Learning Center: i. If the Licensed Content is in digital format for each license you acquire you may either: 1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or 2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session. ii. You agree that: 1. you will acquire a license for each End User and MCT that accesses the Licensed Content, 2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content, 3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session, 4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,

5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session, 6. you will only provide access to the Licensed Content to End Users and MCTs, 7. you will only provide access to the Trainer Content to MCTs, and 8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

b. If you are a MPN Member. i. If the Licensed Content is in digital format for each license you acquire you may either: 1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or 2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session. ii. You agree that: 1. you will acquire a license for each End User and MCT that accesses the Licensed Content, 2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content, 3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session, 4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content, 5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session, 6. you will only provide access to the Licensed Content to End Users and MCTs, 7. you will only provide access to the Trainer Content to MCTs, and 8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide. c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

MCT USE ONLY. STUDENT USE PROHIBITED

d. If you are a MCT. i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control. ii.

Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of customize refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services. 2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplements the terms described in this Agreement. 3.

PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other provisions in this agreement, then these terms also apply: a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED

survive this agreement.

c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest (beta term). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control. 4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone elses use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means. 5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not: install more copies of the Licensed Content on devices than the number of licenses you acquired; allow more individuals to access the Licensed Content than the number of licenses you acquired; publicly display, or make the Licensed Content available for others to access or use; install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement. reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation; access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content; access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

6.

RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.

MCT USE ONLY. STUDENT USE PROHIBITED

7.

EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.

8.

9. 10.

TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievable delete and destroy all copies of the Licensed Content in your possession or under your control.

11.

LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.

12.

13.

APPLICABLE LAW. a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort. b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15.

DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

MCT USE ONLY. STUDENT USE PROHIBITED

16.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to o anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law. It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en franais.

EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues. LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y compris les dommages spciaux, indirects ou accessoires et pertes de bnfices. Cette limitation concerne: tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.

Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre gard.

EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays si celles-ci ne le permettent pas. Revised December 2011

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring Advanced Windows Server 2012 Services

MCT USE ONLY. STUDENT USE PROHIBITED


xi

Configuring Advanced Windows Server 2012 Services

Acknowledgments

Microsoft Learning wants to acknowledge and thank the following for their contribution toward developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Stan Reimer Content Developer

Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author. Stan has extensive experience consulting on Active Directory and Microsoft Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12 years.

Damir Dizdarevic Subject Matter Expert/Content Developer

Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server, Exchange Server, security, and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft Official Courses (MOC) courses, and has published more than 400 articles in various IT magazines, such as Windows ITPro and INFO Magazine. He's also a frequent and highly rated speaker on most of Microsoft conferences in Eastern Europe. Additionally, Damir is a Microsoft Most Valuable Professional (MVP) for Windows Server Infrastructure Management.

Orin Thomas Content Developer

Orin Thomas is an MVP, an MCT and has a string of Microsoft MCSE and MCITP certifications. He has written more than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine. Orin has been working in IT since the early 1990s. He is a regular speaker at events such as TechED in Australia, and around the world on Windows Server, Windows Client, Microsoft System Center, and security topics. Orin founded and runs the Melbourne System Center Users Group.

Vladimir Meloski Content Developer

Vladimir Meloski is an MCT, an MVP on Exchange Server, and consultant providing unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync Server, and System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has also been involved as a subject matter expert and technical reviewer for several MOC courses.

Nick Portlock Author

Nick Portlock has been an MCT for 15 years. He is a self-employed IT trainer, consultant and author. Last year, Nick taught in more than 20 countries. He specializes in Active Directory, Group Policy, and Domain Name System, and has consulted with a variety of companies over the last decade. Nick has reviewed more than 100 Microsoft courses, and is a member of the Windows 7 STEP program.

MCT USE ONLY. STUDENT USE PROHIBITED

xii

Configuring Advanced Windows Server 2012 Services

Gary Dunlop Subject Matter Expert


Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks. Gary has authored a number of Microsoft Learning titles, and has been an MCT since 1997.

Ulf B. Simon-Weidner Technical Reviewer

Ulf B. Simon-Weidner is a senior consultant with a European provider for infrastructure solutions in Germany. He also is an independent author, consultant, speaker and trainer. Ulf has been repeatedly awarded MVP for Windows Server Directory Services for the past decade, and has been an MCT for more than 10 years. Throughout his professional career, Ulf has had several consulting engagements with major European or Global corporations. He also published multiple books and magazine articles about Active Directory, Windows Server, Windows client operating systems, and security. Ulf is a frequently visiting speaker for conferences including Microsoft TechEd North America and Europe, or The Experts Conference. Ulf provides his technical and from-the-field experience in multiple Windows Server coursewares as a technical reviewer.

MCT USE ONLY. STUDENT USE PROHIBITED


xiii

Configuring Advanced Windows Server 2012 Services

Contents
Module 1: Implementing Advanced Network Services
Lesson 1: Configuring Advanced DHCP Features Lesson 2: Configuring Advanced DNS Settings Lesson 3: Implementing IPAM Lab: Implementing Advanced Network Services 1-2 1-11 1-21 1-31

Module 2: Implementing Advanced File Services


Lesson 1: Configuring iSCSI Storage Lesson 2: Configuring BranchCache Lesson 3: Optimizing Storage Usage Lab A: Implementing Advanced File Services Lab B: Implementing BranchCache 2-2 2-9 2-16 2-22 2-28

Module 3: Implementing Dynamic Access Control


Lesson 1: Overview of Dynamic Access Control Lesson 2: Planning for Dynamic Access Control Lesson 3: Deploying Dynamic Access Control Lab: Implementing Dynamic Access Control 3-2 3-8 3-13 3-22

Module 4: Implementing Network Load Balancing


Lesson 1: Overview of NLB Lesson 2: Configuring an NLB Cluster Lesson 3: Planning an NLB Implementation Lab: Implementing Network Load Balancing 4-2 4-5 4-10 4-16

Module 5: Implementing Failover Clustering


Lesson 1: Overview of Failover Clustering Lesson 2: Implementing a Failover Cluster Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster Lesson 4: Maintaining a Failover Cluster Lesson 5: Implementing a Multi-Site Failover Cluster Lab: Implementing Failover Clustering 5-2 5-14 5-20 5-25 5-30 5-36

Module 6: Implementing Failover Clustering with Hyper-V


Lesson 1: Overview of Integrating Hyper-V with Failover Clustering Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters Lesson 3: Implementing Hyper-V Virtual Machine Movement Lesson 4: Managing Hyper-V Virtual Environments by Using VMM 6-2 6-7 6-15 6-21

MCT USE ONLY. STUDENT USE PROHIBITED

xiv

Configuring Advanced Windows Server 2012 Services

Lab: Implementing Failover Clustering with Hyper-V

6-31

Module 7: Implementing Disaster Recovery


Lesson 1: Overview of Disaster Recovery Lesson 2: Implementing Windows Server Backup Lesson 3: Implementing Server and Data Recovery Lab: Implementing Windows Server Backup and Restore 7-2 7-7 7-16 7-20

Module 8: Implementing Distributed Active Directory Domain Services Deployments


Lesson 1: Overview of Distributed AD DS Deployments Lesson 2: Deploying a Distributed AD DS Environment Lesson 3: Configuring AD DS Trusts Lab: Implementing Complex AD DS Deployments 8-2 8-9 8-18 8-23

Module 9: Implementing Active Directory Domain Services Sites and Replication


Lesson 1: Overview of AD DS Replication Lesson 2: Configuring AD DS Sites Lesson 3: Configuring and Monitoring AD DS Replication Lab: Implementing AD DS Sites and Replication 9-2 9-10 9-16 9-22

Module 10: Implementing Active Directory Certificate Services


Lesson 1: PKI Overview Lesson 2: Deploying CAs Lesson 3: Deploying and Managing Certificate Templates Lesson 4: Implementing Certificate Distribution and Revocation Lesson 5: Managing Certificate Recovery Lab: Implementing Active Directory Certificate Services 10-2 10-10 10-16 10-21 10-29 10-33

Module 11: Implementing Active Directory Rights Management Services


Lesson 1: AD RMS Overview Lesson 2: Deploying and Managing an AD RMS Infrastructure Lesson 3: Configuring AD RMS Content Protection Lesson 4: Configuring External Access to AD RMS Lab: Configuring AD RMS 11-2 11-7 11-13 11-19 11-24

Module 12: Implementing Active Directory Federation Services


Lesson 1: Overview of AD FS Lesson 2: Deploying AD FS Lesson 3: Implementing AD FS for a Single Organization Lesson 4: Deploying AD FS in a B2B Federation Scenario Lab: Implementing AD FS 12-2 12-11 12-17 12-23 12-28

MCT USE ONLY. STUDENT USE PROHIBITED


xv

Configuring Advanced Windows Server 2012 Services

Lab Answer Keys


Module 1 Lab: Implementing Advanced Network Services Module 2 Lab A: Implementing Advanced File Services Module 2 Lab B: Implementing BranchCache Module 3 Lab: Implementing Dynamic Access Control Module 4 Lab: Implementing Network Load Balancing Module 5 Lab: Implementing Failover Clustering Module 6 Lab: Implementing Failover Clustering with Hyper-V Module 7 Lab: Implementing Windows Server Backup and Restore Module 8 Lab: Implementing Complex AD DS Deployments Module 9 Lab: Implementing AD DS Sites and Replication Module 10 Lab: Implementing Active Directory Certificate Services Module 11 Lab: Configuring AD RMS Module 12 Lab: Implementing AD FS L1-1 L2-11 L2-18 L3-25 L4-35 L5-41 L6-49 L7-55 L8-61 L9-67 L10-71 L11-85 L12-95

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED


xvii

About This Course

About This Course


Course Description

This section provides a brief description of the course, audience, suggested prerequisites, and course objectives.

Note: This first release (A) MOC version of course 20412A has been developed on prerelease software (Release Candidate (RC)). Microsoft Learning will release a B version of this course after the RTM version of the software is available.

This course will provide you with the knowledge and skills you need to provision advanced services in a Windows Server 2012 enterprise environment. This course will teach you how to configure and manage high availability features, file and storage solutions, and network services in Windows Server 2012. You will also learn about configuring the Active Directory Domain Services (AD DS) infrastructure, and implementing backups and disaster recovery.

Audience

This course is intended for IT Professionals who have real-world hands-on experience implementing, managing and maintaining a Windows Server 2012 infrastructure in an existing Enterprise environment, and wish to acquire the skills and knowledge necessary to carry out advanced management and provisioning of services within that Windows Server 2012 environment.

The secondary audience for this course will be candidates aspiring to acquire the Microsoft Certified Systems Administrator (MCSA) credential either in its own right or in order to proceed in acquiring the Microsoft Certified System Engineer (MCSE) credentials, for which this is a prerequisite. IT professionals seeking certification in the 70-412: Configuring Advanced Windows Server 2012 Services exam also may take this course.

Student Prerequisites
This course requires that you meet the following prerequisites:

At least two years hands-on experience working in a Windows Server 2008 or Windows Server 2012 environment Equivalent knowledge of 20410A: Installing and Configuring Windows Server 2012 course Installing and configuring Windows Server 2012 into existing enterprise environments, or as standalone installations Configuring local storage Configuring roles and features Configuring file and print services Configuring Windows Server 2012 servers for local and remote administration Configuring IPv4 and IPv6 addresses Configuring Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services Installing domain controllers

MCT USE ONLY. STUDENT USE PROHIBITED

xviii

About This Course

Creating and configuring users, groups, computers and organizational units (OUs) Creating and managing group policies Configuring local security policies Configuring Windows Firewall Configuring Windows Server 2012 Hyper-V

Equivalent knowledge of 20411A: Administering Windows Server 2012 course Deploying and managing Windows Server images Installing and configuring Update Services Monitoring the Windows Server 2012 environment Installing and configuring Distributed Files System (DFS) Installing and configuring File Server Resource Manager (FSRM) Configuring file and disk access, and audit policies Configuring DNS security and integration with AD DS

Maintaining network integrity by configuring Network Access using Network Policy Server (NPS) and Network Access Protection (NAP) Configuring Remote Access using virtual private networks (VPNs) and Windows 7 DirectAccess Configuring Domain Controllers Managing and maintaining the Active Directory environment Managing and maintaining the Windows Server 2012 domain environment using Group Policy

Course Objectives
After completing this course, students will be able to: Configure advanced features for DHCP and DNS, and configure IP Address Management (IPAM). Configure file services to meet advanced business requirements. Configure Dynamic Access Control (DAC) to manage and audit access to shared files. Provide high availability and load balancing for web-based applications by implementing Network Load Balancing (NLB). Provide high availability for network services and applications by implementing failover clustering. Deploy and manage Hyper-V virtual machines in a failover cluster. Implement a backup and disaster recovery solution based on business and technical requirements. Plan and implement an AD DS deployment that includes multiple domains and forests. Plan and implement an AD DS deployment that includes multiple locations. Implement an Active Directory Certificate Services (AD CS) deployment. Implement an Active Directory Rights Management Services (AD RMS) deployment. Implement an Active Directory Federation Services (AD FS) deployment.

MCT USE ONLY. STUDENT USE PROHIBITED


xix

About This Course

Course Outline
The course outline is as follows: Module 1, Implementing Advanced Network Services" describes how to configure advanced DHCP features and DNS settings, and implement IPAM, which is a new Windows Server 2012 feature.

Module 2, Implementing Advanced File Services" describes how to configure Internet Small Computer System Interface (iSCSI) storage and Windows BranchCache. The module also describes how to implement Windows Server 2012 features that optimize storage utilization.

Module 3, Implementing Dynamic Access Control" describes DAC, which is a new Windows Server 2012 feature. It also explains how to plan for a DAC implementation, and how to configure DAC. Module 4, Implementing Network Load Balancing" describes the features and working of network load balancing (NLB). It also explains how to configure an NLB cluster and plan an NLB implementation. Module 5, Implementing Failover Clustering" describes failover clustering features in Windows Server 2012. The module also describes how to implement and maintain failover clusters, and how to configure highly available applications and services on a failover cluster. Module 6, Implementing Failover Clustering with Hyper-V" describes options to make virtual machines highly available, and covers the implementation of Hyper-V virtual machines on failover clusters and Hyper-V virtual machine movement. Module 7, Implementing Disaster Recovery" describes disaster recovery, server and data recovery, and the planning and implementation of a backup solution for Windows Server 2012. Module 8, Implementing Distributed Active Directory Domain Services Deployments" provides an overview of distributed AD DS deployments and the process of implementation for the same. It also describes how to configure AD DS trusts, and implement complex AD DS deployments.

Module 9, Implementing Active Directory Domain Services Sites and Replication" describes how replication works in AD DS in a Windows Server 2012 AD DS environment, and how to configure AD DS sites to optimize AD DS network traffic. It also shows how to configure and monitor AD DS replication.

Module 10, Implementing Active Directory Certificate Services" provides an overview of Public Key Infrastructure (PKI), and describes how to deploy certification authorities (CAs) and certificate templates. It also covers certificate distribution and revocation, and management of certificate recovery. Module 11, Implementing Active Directory Rights Management Services" describes AD RMS and how you can use it to achieve content protection. It also explains how to deploy and manage an AD RMS infrastructure, and configure AD RMS content protection and external access to AD RMS.

Module 12, Implementing Active Directory Federation Services" describes the identity federation business scenarios, and how you can use AD FS to address the scenarios. It also describes how to deploy AD FS, and how to implement it for a single organization, and in a business-to-business (B2B) scenario.

MCT USE ONLY. STUDENT USE PROHIBITED

xx

About This Course

Exam/Course Mapping
This course, 20412A: Configuring Advanced Windows Server 2012 Services, has a direct mapping of its content to the objective domain for the Microsoft exam 70-412: Configuring Advanced Windows Server 2012 Services.

The table below is provided as a study aid that will assist you in preparation for taking this exam, and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam, but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination, and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.

Exam 70-412: Configuring Advanced Windows Server 2012 Services Exam Objective Domain Configure and Manage High Availability (16%) Configure This objective may include but is not limited to: Network Load Install NLB nodes; configure NLB prerequisites; Balancing configure affinity; configure port rules; configure (NLB). cluster operation mode; upgrade an NLB cluster This objective may include but is not limited to: Configure Configure Quorum; configure cluster networking; failover restore single node or cluster configuration; clustering. configure cluster storage; implement Cluster Aware Updating; upgrade a cluster This objective may include but is not limited to: Manage Configure role-specific settings including failover continuously available shares; configure VM clustering monitoring; configure failover and preference roles. settings Manage This objective may include but is not limited to: Virtual Perform Live Migration; perform quick migration; Machine perform storage migration; import, export, and copy (VM) VMs; migrate from other platforms (P2V and V2V) movement. Configure File and Storage Solutions (15%) This objective may include but is not limited to: Configure Configure NFS data store; configure BranchCache; advanced file configure File Classification Infrastructure (FCI) using services. File Server Resource Manager (FSRM); configure file access auditing Module Lesson Mod 4 Lesson 1/2/3

Course Content

Lab Mod 4 Ex 1/2/3

Mod 5

Lesson 2/5

Mod 5 Ex 2/4

Mod 5

Lesson 1/4

Mod 5 Ex 1

Mod 5

Lesson 3/4

Mod 5 Ex 3

Mod 2

Lesson 2/3

Mod 2 Ex 2/3

MCT USE ONLY. STUDENT USE PROHIBITED


xxi

About This Course

(continued)

Exam 70-412: Configuring Advanced Windows Server 2012 Services Exam Objective Domain Configure File and Storage Solutions (15%) Implement This objective may include but is not limited to: Dynamic Configure user and device claim types; implement Access policy changes and staging; perform access-denied Control remediation; configure file classification (DAC). This objective may include but is not limited to: Configure and Configure iSCSI Target and Initiator; configure optimize Internet Storage Name server (iSNS); implement storage. thin provisioning and trim; manage server free space using Features on Demand Implement Business Continuity and Disaster Recovery (18%) This objective may include but is not limited to: Configure and Configure Windows Server backups; configure manage Windows Online backups; configure role-specific backups. backups; manage VSS settings using VSSAdmin; create System Restore snapshots This objective may include but is not limited to: Restore from backups; perform a Bare Metal Recover Restore (BMR); recover servers using Windows servers. Recovery Environment (Win RE) and safe mode; apply System Restore snapshots; configure the Boot Configuration Data (BCD) store This objective may include but is not limited to: Configure Configure Hyper-V Replica including Hyper-V Replica site-level Broker and VMs; configure multi-site clustering fault including network settings, Quorum, and failover tolerance. settings Configure Network Services (17%) Implement an advanced This objective may include but is not limited to: Dynamic Host Create and configure superscopes and multicast Configuration scopes; implement DHCPv6; configure high Protocol availability for DHCP including DHCP failover and (DHCP) split scopes; configure DHCP Name Protection solution. Mod 3

Course Content Lesson 1/2/3

Mod 3 Ex 1/2/3/4/5/6

Mod 2

Lesson 1/3

Mod 2 Ex 1

Mod 7

Lesson 2/3

Mod 7 Ex 1/2/3/4

Mod 7

Lesson 2/3

Mod 7 Ex 1/2/3/4

Mod 6 Mod 5

Lessons 1/3 Lesson 1

Mod 6 Ex 1

Mod 1

Lesson 1

Mod 1 Ex 1

MCT USE ONLY. STUDENT USE PROHIBITED

xxii

About This Course

(continued)

Exam 70-412: Configuring Advanced Windows Server 2012 Services Exam Objective Domain Configure Network Services (17%) This objective may include but is not limited to: Configure security for DNS including DNSSEC, DNS Implement an Socket Pool, and cache locking; configure DNS advanced logging; configure delegated administration; DNS solution. configure recursion; configure netmask ordering; configure a GlobalNames zone This objective may include but is not limited to: Configure IPAM manually or by using Group Policy; Deploy and configure server discovery; create and manage IP manage blocks and ranges; monitor utilization of IP address IPAM. space; migrate to IPAM; delegate IPAM administration; manage IPAM collections Configure the Active Directory Infrastructure (18%) This objective may include but is not limited to: Implement multi-domain and multi-forest Active Configure a Directory environments including interoperability forest or a with previous versions of Active Directory; upgrade domain existing domains and forests including environment preparation and functional levels; configure multiple user principal name (UPN) suffixes This objective may include but is not limited to: Configure Configure external, forest, shortcut, and realm trusts. trusts; configure trust authentication; configure SID filtering; configure name suffix routing This objective may include but is not limited to: Configure sites and subnets; create and configure Configure site links; manage site coverage; manage sites. registration of SRV records; move domain controllers between sites This objective may include but is not limited to: Manage Configure replication to Read-Only Domain Active Controllers (RODCs); configure Password Replication Directory and Policy (PRP) for RODCs; monitor and manage SYSVOL replication; upgrade SYSVOL replication to replication. Distributed File System Replication (DFSR) Mod 1

Course Content Lesson 2

Mod 1 Ex 2

Mod 1

Lesson 3

Mod 1 Ex 3

Mod 8

Lesson 1/2

Mod 8 Ex 1

Mod 8

Lesson 3

Mod 8 Ex 2

Mod 9

Lesson 2/3

Mod Ex 1/2

Mod 9

Lesson 1/3

Mod 9 Ex 3

MCT USE ONLY. STUDENT USE PROHIBITED


xxiii

About This Course

(continued)

Exam 70-412: Configuring Advanced Windows Server 2012 Services Exam Objective Domain Configure Identity and Access Solutions (15%) This objective may include but is not limited to: Implement Implement claims-based authentication including Active Relying Party Trusts; configure Claims Provider Trust Directory rules; configure attribute stores including Active Federation Directory Lightweight Directory Services (AD LDS); Services 2.1 manage AD FS certificates; configure AD FS proxy; (AD FSv2.1). integrate with Cloud Services Install and This objective may include but is not limited to: configure Install an Enterprise Certificate Authority (CA); Active configure CRL distribution points; install and Directory configure Online Responder; implement Certificate administrative role separation; configure CA backup Services (AD and recovery CS). This objective may include but is not limited to: Manage certificate templates; implement and manage certificate deployment, validation, and Manage revocation; manage certificate renewal; manage certificates. certificate enrollment and renewal to computers and users using Group Policies; configure and manage key archival and recovery Install and This objective may include but is not limited to: configure Install a licensing or certificate AD RMS server; Active manage AD RMS Service Connection Point (SCP); Directory manage AD RMS client deployment; manage Rights Trusted User Domains; manage Trusted Publishing Management Domains; manage Federated Identity support; Services (AD manage RMS templates; configure Exclusion Policies RMS). Mod 12

Course Content Lesson 1/2/3/4

Mod 12 Ex 1/2/3/4

Mod 10

Lesson Mod 10 Ex 1/2/3/4/5 1/2/3/4/5/6

Mod 10

Lesson 3/4/5

Mod 10 EX 3/4/5/6

Mod 11

Lesson 1/2/3/4

Mod 11 Ex 1/2/3/4

Important: Attending this course in itself will not successfully prepare you to pass any associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:

Real world, hands-on experience Implementing, Managing and Configuring Active Directory and Networking infrastructure, working in a Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 Enterprise environment. Additional study outside of the content in this handbook

MCT USE ONLY. STUDENT USE PROHIBITED

xxiv

About This Course

There may also be additional study and preparation resources, such as practice tests, available for you to prepare for this exam. Details of these are available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab3 You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to change at any time and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.

Course Materials

The following materials are included with your kit: Course Handbook: a succinct classroom learning guide that provides the critical technical information in a crisp, tightly-focused format, which is essential for an effective in-class learning experience.

Lessons: guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience. Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module. Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and skills retention. Lab Answer Keys: provide step-by-step lab solution guidance.

Course Companion Content: searchable, easy-to-browse digital content with integrated premium online resources that supplement the Course Handbook.

Modules: include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.

Resources: include well-categorized additional resources that give you immediate access to the most current premium content on TechNet, MSDN, or Microsoft Press.

Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.), Companion Content is not available. However, the Companion Content will be published when the next (B) version of this course is released, and students who have taken this course will be able to download the Companion Content at that time from the http://www.microsoft.com/learning/companionmoc site. Please check with your instructor when the B version of this course is scheduled to release to learn when you can access Companion Content for this course.

MCT USE ONLY. STUDENT USE PROHIBITED


xxv

About This Course

Student Course files: includes the Allfiles.exe, a self-extracting executable file that contains all required files for the labs and demonstrations. Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.), Allfiles.exe file is not available. However, this file will be published when the next (B) version of this course is released, and students who have taken this course will be able to download the Allfiles.exe at that time from the http://www.microsoft.com/learning/companionmoc site. Course evaluation: at the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send an email to support@mscourseware.com. To inquire about the Microsoft Certification Program, send an email to mcphelp@microsoft.com.

MCT USE ONLY. STUDENT USE PROHIBITED

xxvi

About This Course

Virtual Machine Environment


Virtual Machine Configuration

This section provides the information for setting up the classroom environment to support the business scenario of the course.

In this course, you will use Microsoft Hyper-V to perform the labs. Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine (VM) without saving the changes, perform the following steps: 1. On the virtual machine, on the Action menu, click Close. 2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK. The following table shows the role of each virtual machine that is used in this course: Virtual machine 20412A-LON-DC1/-B 20412A-LON-CA1 20412A-LON-CL1 20412A-LON-CL2 20412A-LON-CORE 20412A-LON-SVR1/-B 20412A-LON-SVR2 20412A-LON-SVR3 20412A-LON-SVR4 20412A-MUN-CL1 20412A-MUN-DC1 Role Windows Server 2012 Domain controller in the Adatum.com domain Windows Server 2012 Standalone server Windows 8 client computer Member of the Adatum.com domain Windows 8 client computer Member of the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain Windows 8 client computer Member of the Treyresearch.net domain Windows Server 2012 Domain controller in the TreyResearch.net domain

MCT USE ONLY. STUDENT USE PROHIBITED


xxvii

About This Course

(continued) Virtual machine 20412A-LON-HOST1 20412A-LON-HOST2 20412A-TOR-DC1 Role Windows Server 2012 Member server in the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain Windows Server 2012 Member server in the Adatum.com domain

Software Configuration
The following software is installed on the VMs:

Windows Server 2012 Datacenter Edition, Release Candidate Windows 8, Release Preview Office 2010, SP1

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught. Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor Dual 120 gigabyte (GB) hard disks 7200 RM Serial ATA (SATA) or better* 8 GB random access memory (RAM) DVD drive Network adapter Super VGA (SVGA) 17-inch monitor Microsoft Mouse or compatible pointing device Sound card with amplified speakers

*Striped

In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED


1-1

Module 1
Implementing Advanced Network Services
Contents:
Module Overview Lesson 1: Configuring Advanced DHCP Features Lesson 2: Configuring Advanced DNS Settings Lesson 3: Implementing IPAM Lab: Implementing Advanced Network Services Module Review and Takeaways 1-1 1-2 1-11 1-21 1-31 1-36

Module Overview

In Windows Server 2012, network services such as Domain Name System (DNS) provide critical support for name resolution of network and Internet resources. Within DNS, DNS Security Extensions (DNSSEC) is an advanced feature that provides a means of securing DNS responses to client queries so that malicious users cannot tamper with them. With Dynamic Host Configuration Protocol (DHCP), you can manage and distribute IP addresses to client computers. DHCP is essential for managing IP-based networks. DHCP failover is an advanced feature that can prevent clients from losing access to the network in case of a DHCP server failure. IP Address Management (IPAM) provides a unified means of controlling IP addressing. This module introduces DNS and DHCP improvements, IP address management, and provides details about how to implement these features.

Objectives
After completing this module you will be able to: Configure advanced DHCP features. Configure advanced DNS settings. Implement IPAM.

MCT USE ONLY. STUDENT USE PROHIBITED

1-2

Implementing Advanced Netwo ork Services

Lesson 1

Config guring Advance A ed DHC CP Featu ures

DHC CP plays an im mportant role in n the Window ws Server 2012 operating syst tem infrastruct ture. It is the prim mary means of f distributing im mportant netw work configura ation information to network k clients, and it prov vides configur ration informat tion to other network-enabl n led services, in ncluding Windo ows Deployme ent Serv vices (WDS) an nd Network Ac ccess Protectio on (NAP). To su upport a Wind dows Server-ba ased network infra astructure, it is s important that you underst tand the DHC P server role. W Windows Server 2012 impro oves the functionality of o DHCP by pr roviding failover capabilities..

Les sson Objecti ives


Afte er completing this lesson you u will be able to: t CP component ts. Describe DHC Explain how to t configure DHCP D interactio on with DNS. Describe supe er scopes and multicast scop pes. Explain how DHCP D works with w IPv6. Describe DHC CP name prote ection. Describe DHC CP failover.

Ov verview of DHCP Com mponents s


DHC CP is a server role r that you can c install on Win ndows Server 2012. 2 With the e DHCP server role, you can ensure th hat all clients have h appropria ate IP add dresses and net twork configuration informa ation, which can help eliminate human error during g configuration. A DHCP D client is any device run nning DHC CP client softw ware that can request r and retrieve netw work settings from f a DHCP server s service. DHC CP clients may y be computers, mobile devices, prin nters, or switch hes. DHCP may y also provide IP add dress information to network k boot clients.

Whe en key networ rk configuratio on information n ss, you can up changes in the ne etwork, such as s the default gateway addres pdate the confi iguration using g the DHC CP server role without having to change th he information n directly on e each computer r. DHCP is also o a key serv vice for mobile e users who change network ks often. You ca an install the D DHCP server ro ole on a standalone serv ver, a domain member m serve er, or a domain n controller. DHC CP consists of the componen nts that are list ted in the follo owing table. Co omponent DHCP server service Description D After installing g the DHCP ro ole, the DHCP s server is imple emented as a service. This se ervice can dist tribute IP addr resses and othe er network configuration information to o clients who request it.

DHCP scopes

The DHCP adm ministrator co nfigures the ra ange of IP add dresses and related information allotted to the s server for distr ribution to req questing client ts. Each scope ca an only be asso ociated with a single IP subn net. A scope m must

Configuring Advanced Windows Server 2012 Services

MCT USE ONLY. STUDENT USE PROHIBITED


1-3

Component

Description consist of: A name and description A range of addresses that can be distributed A subnet mask A scope can also define: IP addresses that should be excluded from distribution The duration of the IP address lease DHCP options

You can configure a single DHCP server with multiple scopes, but the server must be either connected directly to each subnet that it serves, or have a DHCP relay agent in place. Scopes also provide the primary way for the server to manage and distribute any related configuration parameters (DHCP options) to clients on the network. DHCP options

When you assign the IP address inform, you can simultaneously assign many other network configuration parameters. The most common DHCP options include: Default Gateway IP address DNS server IP address DNS domain suffix Windows Internet Name Service (WINS) server IP address You can apply the options at different levels. They can be applied: Globally to all scopes Specifically to particular scopes To specific clients based on a Class ID value To clients that have specific IP address reservations configured

Note: IPv6 scopes are slightly different, and will be discussed later in this lesson. DHCP database The DHCP database contains configuration data about the DHCP server, and stores information about the IP addresses that have been distributed. By default, the DHCP database files are stored in the %systemroot%\System32\Dhcp folder.

DHCP console

The DHCP console is the main administrative tool for managing all aspects of the DHCP server. This management console is installed automatically on any server that has the DHCP role installed. However, you can also install it on a remote server or Windows 8 client by using the Remote Server Administration Tools (RSAT) and by connecting to the DHCP server for remote management.

How Clients Acquire IP Addresses

When you configure a Windows client to use the DHCP service, upon startup the client will use an IP broadcast in its subnet to request IP configuration from any DHCP server that may receive the request. Because DHCP uses IP broadcasts to initiate communications, DHCP servers are limited to communication within their IP subnets. This means that there must either be a DHCP server on each IP subnet, or a DHCP relay agent configured on the remote subnet. The DHCP relay service can relay DHCP broadcast packets as directed messages into other IP subnets across a router. The relay agent acquires an IP address

MCT USE ONLY. STUDENT USE PROHIBITED

1-4

Implementing Advanced Netwo ork Services

configuration on behalf of the requesting r clie ent on the rem mote subnet, an nd then forwards that configuration to the t client.

DH HCP Leases

DHC CP allocates IP P addresses on a dynamic ba asis. This is kno own as a lease. You can conf figure the dura ation of the lease. The default d lease ti ime for wired clients c is eight t days. se. en the DHCP lease has reach hed 50 percent of the lease t time, the clien nt attempts to renew the leas Whe This s automatic process occurs in n the background. Compute ers might have e the same IP a address for a lo ong peri iod of time if they t operate continually on a network with hout being shut down. Clien nt computers a also atte empt renewal during d the star rtup process.

DH HCP Server Authorizatio A on

If th he server is a domain membe er, you must authorize the W Windows Serve er 2012 DHCP server role in Acti ive Directory Domain D Service es (AD DS) bef fore it can beg gin leasing IP a addresses. You u must be an Ente erprise Admini istrator to auth horize the DHC CP server. Stan ndalone Micro osoft servers ve erify whether t there is a DHCP server on o the network, and do not start the DHC P service if this is the case.

Co onfiguring DHCP Inte eraction With W DNS


Dur ring dynamic IP address alloc cation, the DH HCP serv ver creates reso ource records automatically for DHC CP clients in th he DNS databa ase. However, those reco ords may not be b deleted aut tomatically wh hen the client DHCP le ease expires. You Y can configure DHC CP options to allow the DHC CP server to ow wn and fully control the t creation an nd deletion of thos se DNS resource records.

Con nfiguring DHCP D Option n 081

You u can configure e DHCP option n 081 to control the way that resource records are updated in the DNS S database. Th his option perm mits the client to prov vide its fully qualified domain name (FQDN) and instruc ctions to the D DHCP server ab bout how it wo ould like the server to process DNS dynamic d updat tes on its beha alf. You configure option 081 1 on the DNS tab of the Properties window w for the protocol nod de, or per scop pe in the DHC CP console. You u can also configure DHC CP to perform updates on behalf of its clie ents to any DN NS servers that t support dyna amic updates. By default, d the DH HCP server beh haves in the fo ollowing mann ner:

The DHCP server dynamically updates DN NS address ho st (A) resource e records and pointer (PTR) resource reco ords only if req quested by the e DHCP clients . By default, th he client reque ests that the DHCP server registe er the DNS PTR R resource reco ord, while the client register rs its own DNS A resource record. The DHCP server discards the A and PTR resource reco rds when the c clients lease is s deleted.

You u can modify th his option so that it instructs s the DHCP ser rver to always dynamically u update DNS A reso ource records and a PTR resou urce records no o matter what the client requests. In this w way, the DHCP P serv ver becomes th he owner of th he resource rec cord because t the DHCP serv ver performed the registratio on of lient computers A and PTR the resource records. Once the DHCP server becomes b the o owner of the cl reso ource records, only that DHC CP server can update u the DN NS resource rec cords for the c client compute er base ed on the dura ation and rene ewal of the DH HCP lease.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


1-5

Configuring C g Advance ed DHCP Scope S Desi igns


Yo ou can configu ure advanced DHCP scope designs d ca alled superscop pes. A supersco ope is a collection of in ndividual scope es that are gro ouped togethe er for ad dministrative purposes. p This allows client co omputers to re eceive an IP ad ddress from multiple lo ogical subnets even when the e clients are lo ocated on n the same ph hysical subnet. You can only create a superscope if you have two or more IP sco opes already created in DHCP. You u can use the New N Su uperscope Wiz zard to select the t scopes tha at you wish w to combine together to create a super rscope.

Benefits B of Superscopes S s

A superscope is s useful in seve eral situations. For example, if a scope runs s out of addresses and you c cannot ad dd more addre esses from the e subnet, you can c instead ad d a new subne et to the DHCP P server. This s scope will w lease addresses to clients in the same physical networ rk, but the clie ents will be in a separate net twork lo ogically. This is known as mu ultinetting. Onc ce you add a n new subnet, yo ou must config gure routers to o re ecognize the new n subnet so that you ensure local comm munications in the physical network.

A superscope is s also useful wh hen you need to move clien nts gradually in nto a new IP nu umbering sche eme. Having both nu umbering schemes coexist fo or the original leases duratio on means that you can move e clients in nto the new subnet transpare ently. When yo ou have renew wed all client le eases in the ne ew subnet, you u can re etire the old su ubnet.

Multicast M Sco opes

A multicast scop pe is a collection of multicas st addresses fro om the class D IP address ra ange of 224.0.0 0.0 to 23 39.255.255.255 5 (224.0.0.0/3) ). These addres sses are used w when applicati ions need to c communicate w with nu umerous clients efficiently and simultaneo ously. This is ac ccomplished w with multiple h hosts that listen n to tr raffic for the sa ame IP address s.

A multicast scop pe is commonly known as a Multicast Add dress Dynamic Client Allocat tion Protocol (M MADCAP) scop pe. Application ns that request t addresses fro om these scope es need to sup pport the MAD DCAP ap pplication prog gramming inte erface (API). Windows W Deplo oyment Service es is an examp ple of an applic cation th hat supports multicast m transm missions. Multicast M scope es allow applica ations to reser rve a multicast t IP address for r data and con ntent delivery.

DHCP D Integ gration With IPv6


IP Pv6 can configure itself witho out DHCP. IPv6 6 en nabled clients have a self-assigned link-loc cal IPv6 ad ddress. A link-local address is i intended only for co ommunication ns within the lo ocal network. It is eq quivalent to th he 169.254.0.0 self-assigned ad ddresses used by IPv4. IPv6-enabled netwo ork in nterfaces can, and a often do, have more tha an one IP Pv6 address. Fo or example, ad ddresses might t in nclude a self-as ssigned link-lo ocal address an nd a DHCP-assigned global addres ss. By using DH HCP for IP Pv6 (DHCPv6), an IPv6 host can c obtain sub bnet prefixes, global addresses, and d other IPv6

MCT USE ONLY. STUDENT USE PROHIBITED

1-6

Implementing Advanced Network Services

configuration settings. Note: You should obtain a block of IPv6 addresses from a Regional Internet Registry. There are five regional internet registries in the world. They are: African Network Information Centre (AfriNIC) for Africa

Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries American Registry for Internet Numbers (ARIN) for Canada, many Caribbean and North Atlantic islands, and the United States Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of the Caribbean region

Rseaux IP Europens Network Coordination Centre (RIPE NCC) for Europe, Russia, the Middle East, and Central Asia

Stateful and Stateless Configuration

Whenever you add the DHCP server role to a Windows Server 2012 computer, you also automatically install a DHCPv6 server. Windows Server 2012 supports both DHCPv6 stateful and stateless configurations: Stateful configuration. Occurs when the DHCPv6 server assigns the IPv6 address to the client along with additional DHCP data.

Stateless configuration. Occurs when the subnet router assigns IPv6 automatically, and the DHCPv6 server only assigns other IPv6 configuration settings.

DHCPv6 Scopes for IPv6

DHCPv6 scopes for IPv6 must be created separately from IPv4 scopes. IPv6 scopes have an enhanced lease mechanism and several different options. When configuring a DHCPv6 scope, you must define the properties listed in the following table. Property Name and description Prefix Preference Exclusions Valid and Preferred lifetimes DHCP options Use This property identifies the scope.

The IPv6 address prefix is analogous to the IPv4 address range. It defines the network portion of the IP address. This property informs DHCPv6 clients as to which server to use if you have multiple DHCPv6 servers. This property defines single addresses or blocks of addresses that fall within the IPv6 prefix but will not be offered for lease. This property defines how long leased addresses are valid. As with IPv4, there are many available options.

Configuring an IPv6 Scope


You can use the New Scope Wizard to create IPv6 scopes: 1. In the DHCP console, right-click the IPv6 node, and then click New Scope.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


1-7

2. . 3. . 4. . 5. .

Configure a scope prefix and preferenc ce. Define the starting and ending IP addre esses, and any y exclusions. Configure the t Preferred and Valid life etime propertie es. Activate the e scope to ena able it.

What W Is DH HCP Name Protection?


Yo ou must prote ect the names that t DHCP reg gisters in n DNS on beha alf of systems from f being ov verwritten by non-Microsoft n t systems that use the sa ame names. In addition, you must protect the na ames from bei ing overwritten by systems that t use st tatic addresses s that conflict with w DHCP-ass signed ad ddresses when n they use unse ecure DNS and d DHCP is not configure ed for conflict detections. For ex xample, a UNIX X-based system m named Client1 co ould potentially overwrite th he DNS addres ss that was w assigned an nd registered by b DHCP on behalf of a Windows-based system also o named Client1. A ne ew feature in Windows W Serve er 2012, DHCP P Name Protec ction, addresse es this issue.

Name N squatting g is the term used to describe the conflict t that occurs wh hen one client registers a na ame with DNS but that na ame is already y used by another client. This s problem cau uses the origina al machine to become in naccessible, and it typically occurs o with syst tems that have e the same na mes as Windo ows operating sy ystems. DHCP Name Protect tion addresses this by using a resource rec cord known as a Dynamic Ho ost Configuration Id dentifier (DHC CID) to track which machines s originally req quested which names. The D DHCP se erver provides the DHCID record, which is stored in DNS S. When the DHCP server rec ceives a request by a machine m with an existing nam me for an IP ad ddress, the DHC CP server can refer to the DHCID in DNS t to verify th hat the machin ne that is reque esting the nam me is the origin nal machine th hat used the name. If it is no ot the sa ame machine, then the DNS resource reco ord is not upda ated. Yo ou can implem ment name pro otection for bo oth IPv4 and IP Pv6. You can c configure DHC CP Name Prote ection at th he server level and the scope e level. Implem mentation at th he server level will only apply y for newly cre eated sc copes. To o enable DHCP Name Protection for an IP Pv4 or IPv6 nod de: 1. . 2. . 3. . Open the DHCP D console. Right-click the IPv4 or IP Pv6 node, and then open the e Property pa age. Click DNS, click Advance ed, and then se elect the Enab ble Name Pro otection check k box.

To o enable DHCP Name Protection for a sco ope: 1. . 2. . 3. . MC). Open the DHCP D Microsof ft Managemen nt Console (MM Expand the e IPv4 or IPv6 node, right-click the scope, and the open n the Property y page. Click DNS, click Advance ed, and then se elect the Enab ble Name Pro otection check k box.

MCT USE ONLY. STUDENT USE PROHIBITED

1-8

Implementing Advanced Netwo ork Services

Wh hat Is DHC CP Failover r?


DHC CP manages th he distribution n of IP addresses in TCP P/IP networks of o all sizes. Wh hen this service e fails s, clients lose connectivity c to the network and a all of o its resources s. A new featur re in Windows s Serv ver 2012, DHC CP failover, add dresses this issu ue.

DH HCP Failover r

DHC CP clients rene ew their leases on their IP add dresses at regular, configurab ble intervals. When W the DHCP service fails, the lease es time out and d clien nts no longer have IP addres sses. In the pas st, DHC CP failover was not possible because DHCP serv vers were independent and unaware u of eac ch othe er. Therefore, configuring c tw wo separate DH HCP servers to o distribute the e same pool of f addresses could lead d to duplicate addresses. Add ditionally, prov viding redund ant DHCP serv vices required you to configure clus stering, and pe erform a significant amount of manual con nfiguration and d monitoring. The new DHCP failover feature enables two DHCP D servers t o provide IP a addresses and optional configurations to the same subn nets or scopes s. Therefore, yo ou can now co onfigure two D DHCP servers to o repl licate lease information. If on ne of the serve ers fails, the ot ther server serv vices the clients for the entir re subnet. Note: In Windows Server 2012, you can n only configu ure two DHCP servers for failover and only y for IPv4 scop pes and subnet ts.

Con nfiguring DHCP D Failove er

To configure c DHC CP failover, you u need to establish a failove r relationship between the t two DHCP serv vers serv vices. You must also give this s relationship a unique name e. The failover r partners exch hange this nam me during configurat tion. This enab bles a single DH HCP server to have multiple failover relatio onships with o other DHC CP servers so long as they all have unique names. To co nfigure failove er, use the Con nfiguration Fai ilover wiza ard that you ca an launch by right-clicking r the t IP node or r the scope nod de. Note: DHCP failover is tim me sensitive. You Y must synch hronize time b between the pa artners in the relationship. If f the time diffe erence is great ter than one m minute, the fail lover process w will halt with h a critical erro or. You u can configure e failover in on ne of the two following f mod des. Mode Hot Standby Characteristic cs

In this mode, , one server is the primary se erver and the o other is the secondary se erver. The prim mary server acti ively assigns IP P configuration ns for the scope or subnet. The se econdary DHC CP server only assumes this r role if s become es unavailable. A DHCP serve er can the primary server simultaneous sly act as the p primary for one e scope or sub bnet, and be th he secondary for another. Adm ministrators m must configure a percentage of the sses to be assig gned to the standby server. These address ses are scope addres supplied duri ing the Maxim mum Client Lea ad Time (MCLT T) interval if th he primary serve er is down. The e default MCL LT value is 5 pe ercent of the sc cope. The secondar ry server takes s control of the e whole IP ran nge after the M MCLT

Configuring Advanced Windows Server 2012 Services

MCT USE ONLY. STUDENT USE PROHIBITED


1-9

Mode

Characteristics

interval has passed. Hot Standby mode is best suited to deployments in which a disaster recovery site is located at a different location. That way the DHCP server will not service clients unless there is a main server outage. Load Sharing

This is the default mode. In this mode both servers simultaneously supply IP configuration to clients. The server that responds to IP configuration requests depends on how the administrator configures the load distribution ratio. The default ratio is 50:50.

MCLT

The administrator configures the MCLT parameter to determine the amount of time a DHCP server should wait when a partner is unavailable, before assuming control of the address range. This value cannot be zero, and the default is one hour.

Auto State Switchover Interval

A communication interrupted state occurs when a server loses contact with its partner. Because the server has no way of knowing what is causing the communication loss, it remains in this state until the administrator manually changes it to a partner down state. The administrator can also enable automatic transition to partner down state by configuring the auto state switchover interval. The default value for this interval is 10 minutes.

Message Authentication

Windows Server 2012 enables you to authenticate the failover message traffic between the replication partners. The administrator can establish a shared secretmuch like a passwordin the Configuration Failover Wizard for DHCP failover. This validates that the failover message comes from the failover partner.

Firewall Considerations

DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following inbound and outbound firewall rules: Microsoft-Windows-DHCP-Failover-TCP-In Microsoft-Windows-DHCP-Failover-TCP-Out

Demonstration: Configuring DHCP Failover


In this demonstration, you will see how to configure a DHCP failover relationship.

Demonstration Steps Configure a DHCP failover relationship


1. 2. 3. 4. Log on to LON-SVR1 as Adatum\Administrator. Note that the server is authorized, but that no scopes are configured. Switch to LON-DC1. In Server Manager, click Tools, and then on the drop-down list, click DHCP. In the DHCP console, launch the Configure Failover Wizard. Configure failover replication with the following settings: o Partner server: 172.16.0.21

MCT USE ONLY. STUDENT USE PROHIBITED

1-10 Implementing Advanced Network Services

o o o o o o 5. 6.

Relationship Name: Adatum Maximum Client Lead Time: 15 minutes Mode: Load balance Load Balance Percentage: 50% State Switchover Interval: 60 minutes Message authentication shared secret: Pa$$w0rd

Complete the Configure Failover Wizard.

Switch back to LON-SVR1, and note that the IPv4 node is active and the Adatum scope is configured.

MCT USE ONLY. STUDENT USE PROHIBITED


1-11

Configuring g Advanced Windows s Server 2012 Serviices

Lesson n2

Configuring Advanc ced DNS Settin ngs

In n TCP/IP netwo orks of any size e, certain servi ices are essent tial. DNS is one e of the most c critical networ rk se ervices for any network, beca ause many oth her application ns and services sincluding A AD DSrely on n DNS to o resolve resou urce names to IP addresses. Without W DNS, user authentic cations fail, an nd network-based re esources and applications a may become ina accessible. For this reasons, y you need to m manage and pr rotect DNS. This lesson n discusses ma anagement tec chniques and o options for op ptimizing DNS resolution. Wi indows Se erver 2012 imp plements DNSSEC to protect t DNS respons ses. Windows S Server 2012 also supports global na ame zones to provide single e-label name re esolution.

Le esson Objec ctives


After completin ng this lesson you y will be able to: Manage DN NS services. Optimize DNS D name reso olution. Describe global name zones. Describe op ptions for implementing DNS security. Explain how w DNSSEC wor rks. Describe th he new DNSSEC C features for Windows Serv ver 2012.

Managing M DNS Services


Like other impo ortant network k services, you must manage m DNS. DNS D managem ment consists of the fo ollowing tasks: Delegating DNS administ tration, Configuring g logging for DNS, D Aging and scavenging, Backing up the DNS data abase,

Delegating D Administrat A ion of DNS

By y default, the Domain D Admins group has full f pe ermissions to manage m all asp pects of the DNS se erver in its hom me domain, an nd the Enterpri ise Admins gro oup has full pe ermissions to m manage all asp pects of all DNS servers in any domain n in the forest. If you need to o delegate the e administratio on of a DNS se erver to a different user or group, then you can add d that user or g global group t o the DNS Admins group fo or a gi iven domain in n the forest. Members M of the e DNS Admins group can vie ew and modify y all DNS data, , se ettings, and co onfigurations of o DNS servers in their home e domain. Th he DNS Admin ns group is a Domain D Local security s group p, and by defau ult has no mem mbers in it.

Configuring C DNS Loggin ng

By y default, DNS S maintains a DNS D server log g, which you ca an view in the Event Viewer. This event log g is lo ocated in the Applications A an nd Services Log gs folder in Ev vent Viewer. It records comm mon events suc ch as: Starting and stopping of the DNS service.

MCT USE ONLY. STUDENT USE PROHIBITED

1-12 Implementing Advanced Network Services

Background loading and zone signing events. Changes to DNS configuration settings. Various warnings and error events.

For more verbose logging, you can enable debug logging. Debug logging options are disabled by default, but can be selectively enabled. Debug logging options include the following: Direction of packets Contents of packets Transport protocol Type of request Filtering based on IP address Specifying the name and location of the log file, which is located in the %windir%\System32\DNS directory Log file maximum size limit

Debug logging can be resourceintensive. It can affect overall server performance and consume disk space. Therefore, you should only enable it temporarily when you require more detailed information about server performance. To enable debug logging on the DNS server, do the following: 1. 2. 3. 4. Open the DNS console. Right-click the applicable DNS server, and then click Properties. Click the Debug Logging tab.

Select Log packets for debugging, and then select the events for which you want the DNS server to record debug logging.

Aging and Scavenging

DNS dynamic updates add resource records to the zone automatically, but in some cases those records are not deleted automatically when they are no longer required. For example, if a computer registers its own A resource record and is improperly disconnected from the network, the A resource record might not be deleted. These records, known as stale records, take up space in the DNS database and may result in an incorrect query response being returned. Windows Server 2012 can search for those stale records and, based on the aging of the record, scavenge them from the DNS database. Aging and scavenging is disabled by default. You can enable aging and scavenging in the Advanced properties of the DNS server, or you can enable it for selected zones in the zones Properties window.

Aging is determined by using parameters known as the Refresh interval and the No-refresh interval. The Refresh interval is the date and time that the record is eligible to be refreshed by the client. The default is seven days. The No-refresh interval is the period of time that the record is not eligible to be refreshed. By default, this is seven days. In the normal course of events, a client host record cannot be refreshed in the database for seven days after it is first registered or refreshed. However, it then must be refreshed within the next seven days after the No-refresh interval, or the record becomes eligible to be scavenged out of the database. A client will attempt to refresh its DNS record at startup, and every 24 hours while the system is running. Note: Records that are added dynamically added to the database are time stamped. Static records that are you entered manually have a time stamp value of zero 0, and will not be affected by aging and therefore will not be scavenged out of the database.

MCT USE ONLY. STUDENT USE PROHIBITED


1-13

Configuring g Advanced Windows s Server 2012 Serviices

Backing B Up the t DNS Database

How you back up u the DNS da atabase depends on how DN NS was implem mented into yo our organizatio on. If yo our DNS zone was implemen nted as an Act tive Directory i integrated zon ne, then your D DNS zone is in ncluded in n the Active Directory databa ase ntds.dit file e. If the DNS z zone is a prima ary zone and is s not stored in n AD DS, th hen the file is stored s as a .dns file in the %S SystemRoot%\ \System32\Dn ns folder.

Backing Up Active A Directo ory Integrate ed Zones

up as part of a System State Active Directory y integrated zo ones are stored d in AD DS an d are backed u e or a fu ull server backu up. Additionally, you can back up just the Active Directo ory integrated zone by using g the dnscmd command-line tool. To o back up an Active A Director ry integrated zone, z perform the following steps: 1. . 2. . Launch an elevated e comm mand prompt. . Run the following comma and:
dnscmd /Z ZoneExport <z zone name> <zone file na ame>

where <zon ne name> is th he name of your DNS zone, and <zone file e name> is the e file that you w want to create to ho old the backup p information. Th he dnscmd to ool exports the zone data to the file name that you desig gnate in the co ommand, to th he %windir%\Syste % em32\DNS dire ectory.

Backing Up Primary Zone es

Ba acking up a pr rimary zone th hat is not store ed in AD DS is simply a matte er of copying or backing up the in ndividual zone file, zonename.dns, which is s located in the e %windir%\Sy ystem32\DNS directory. For ex xample, if your DNS primary y zone is name ed Adatum.com m, then the DN NS zone file will be named Adatum.com.dn ns.

Optimizing O g DNS Nam me Resolut tion

In n a typical DNS S query event, a client comp puter at ttempts to reso olve a FQDN to t an IP addres ss. For ex xample, if a user tries to go to t the FQDN www.microsoft. w com, the clien nt computer wi ill pe erform a recur rsive query to the t DNS serve er that it is configured to discover the IP address as ssociated with that FQDN. The local DNS server s must m then respo ond with an au uthoritative response. If the local DNS S server has no o copy of the DNS D na amespace for which it was queried, q it will re espond with an n authoritative e answer to the e client co omputer. If the e local DNS server does not have th hat information n, it will perfor rm recursion. Recursion R refer rs to the proce ess of having t the local DNS s server its self make a rec cursive query to t another DN NS server until it finds the au uthoritative ans swer and retur rns that an nswer to the client that mad de the original request. By de efault, this serv ver will be one e of the servers s on the In nternet that is listed as a root hint. When the local DNS s server receives s a response, it t will return that in nformation to the t original requesting client computer.

MCT USE ONLY. STUDENT USE PROHIBITED

1-14 Implementing Advanced Network Services

There are a number of options available for optimizing DNS name resolution. They include features such as: Forwarding Conditional forwarding Stub zones Netmask ordering

Forwarding
A forwarder is a network DNS server that you configure to forward DNS queries for host names that it cannot resolve to other DNS servers for resolution. In a typical environment, the internal DNS server forwards queries for external DNS host names to DNS servers on the Internet. For example, if the local network DNS server cannot authoritatively resolve a query for www.microsoft.com, then the local DNS server can forward the query to the internet service providers (ISPs) DNS server for resolution.

Conditional Forwarding

You also can use conditional forwarders to forward queries according to specific domain names. A conditional forwarder is a DNS server on a network that forwards DNS queries according to the querys DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.adatum.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest. For example, suppose Contoso.com and Adatum.com are merged. Rather than each domain having to host a complete replica of the other domains DNS database, you could create conditional forwarders so that they point to each others specific DNS servers for resolution of internal DNS names.

Stub Zones

A stub zone is a copy of a zone that contains only those resource records necessary to identify that zones authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when you want a DNS server that is hosting a parent zone to remain aware of all the authoritative DNS servers for one of its child zones. A stub zone that is hosted on a parent domain DNS server will receive a list of all new DNS servers for the child zone, when it requests an update from the stub zone's master server. By using this method, the DNS server that is hosting the parent zone maintains a current list of the authoritative DNS servers for the child zone as they are added and removed. A stub zone consists of the following:

The delegated zones start of authority (SOA) resource record, name server (NS) resource records, and A resource records The IP address of one or more master servers that you can use to update the stub zone

Stub zones have the following characteristics: Stub zones are created using the New Zone Wizard. Stub zones can be stored in AD DS. Stub zones can be replicated either in the domain only, or throughout the entire forest.

Stub zone master servers are one or more DNS servers that are responsible for the initial copy of the zone information, and are usually the DNS server that is hosting the primary zone for the delegated domain name.

MCT USE ONLY. STUDENT USE PROHIBITED


1-15

Configuring g Advanced Windows s Server 2012 Serviices

Netmask N Ord dering

Netmask ordering returns add dresses for typ pe A (address r records) DNS q queries that pr rioritize resour rces on th he client comp puters local subnet to the cli ient. In other w words, address ses of hosts tha at are on the s same su ubnet as the re equesting clien nt will have a higher h priority y in the DNS re esponse to the e client computer.

Lo ocalization is based b on IP ad ddresses. For ex xample, if ther re are multiple e A records tha at are associate ed with th he same DNS name, n and eac ch of the A records are locate ed on a differe ent IP subnet, netmask orde ering re eturns an A rec cord that is on the same IP subnet as the c client compute er that made the request.

What W Is the e GlobalNa ame Zone? ?


Th he DNS Server r Service in Windows Server 2012 provides the Glo obalName zon ne, which you can use to o contain single-label names s that are unique ac cross an entire e forest. This el liminates the need n to us se the NetBIOS-based WINS S to provide su upport fo or single-label names. GlobalName zones provide p single-label nam me resolution for f large enter rprise ne etworks that do d not deploy WINS and that have multiple m DNS domain environ nments. GlobalName zo ones are create ed manually and do not sup pport dy ynamic record d registration.

When W clients try y to resolve sh hort names, the ey au utomatically append their DNS domain na ame. Dependin ng on the conf figuration, the ey also try to find the na ame in upper-level domain name, or work k through thei r name suffix l list. Therefore, short names a are re esolved in the same domain. .

Yo ou use a Globa alName zone to t maintain a list of DNS sea arch suffixes fo or resolving na ames among m multiple DNS domain en nvironments. For F example, if an organizatio on supports tw wo DNS doma ains, such as ad datum.com an nd contoso.com m, users in the adatum.com DNS domain n need to use a FQDN such as s da ata.contoso.co om to locate th he servers in co ontoso.com. O Otherwise, the domain admin nistrator needs to add a DNS search su uffix for contos so.com on all the t systems in n the adatum.c com domain. If f the clients just se earch for the server name d data, then the search would fail.

Global names are based on cr reating alias (C CNAME) resou urce records in n a special forw ward lookup zo one that us ses single nam mes to point to FQDNs. For example, e Globa alName zones would enable e clients in both the ad datum.com do omain and the contoso.com domain to use e a single labe el name, such a as data, to loca ate a se erver whose FQ QDN is data.co ontoso.com without having t to use the FQD DN.

Creating C a GlobalName Zone


To o create a GlobalName zone e, do the follow wing: 1. . 2. . 3. . Use the dnscmd tool to enable e GlobalN Name zones s upport.

Create a ne ew forward loo okup zone nam med GlobalNam me (not case s sensitive). Do n not allow dyna amic updates for r this zone.

Manually create CNAME records that point p to record ds that already y exist in the ot ther zones tha at are hosted on your y DNS serv vers.

to Fo or example, yo ou could create e a CNAME record in the Glo obalName zon ne named Data, that points t ganization to find this server by the Data.contoso.co om. This enables clients from m any DNS dom main in the org single label nam me of Data.

MCT USE ONLY. STUDENT USE PROHIBITED

1-16 Implemen nting Advanced Netw work Services

Op ptions for Implemen I ting DNS Security


Because DNS is a critical networ rk service, you mus st protect it as much as poss sible. A numbe er of options are available for protecting the DNS serv ver, including: DNS cache lo ocking DNS socket pool p DNSSEC

DN NS Cache Loc cking

Cache locking is a security featu ure available with w Win ndows Server 2012 2 that allow ws you to cont trol whe en information n in the DNS ca ache can be ov verwritten. Wh hen a recursive e DNS server r responds to a q query, it ca aches the results so that it ca an respond quickly if it receiv ves another qu uery requestin ng the same info ormation. The period p of time e the DNS serv ver keeps infor mation in its c cache is determ mined by the T Time to Live L (TTL) value e for a resource record. Infor rmation in the e cache can be overwritten b before the TTL expires if updated d information about a that resource record i is received. If a an attacker suc ccessfully over rwrites info ormation in the e cache, the at ttacker might be b able to red irect your netw work traffic to a malicious site. Whe en you enable e cache locking g, the DNS serv ver prohibits c cached records s from being o overwritten for r the dura ation of the TT TL value. You u configure cac che locking as a percentage value. For exa ample, if the ca ache locking value is set to 5 50, then n the DNS serv ver will not ove erwrite a cached entry for ha alf of the dura ation of the TT TL. By default, t the cach he locking per rcentage value e is 100. This means m that cach hed entries will not be overw written for the e enti ire duration of f the TTL. You u can configure e cache locking g with the dns scmd tool as f follows: 1. 2. Launch an ele evated comma and prompt. Run the follow wing comman nd:
dnscmd /Config /CacheLockingPercen nt <percent>

3.

Restart the DNS service to apply a the chan nges.

DN NS Socket Po ool

The DNS socket pool p enables a DNS server to o use source po ort randomiza tion when issu uing DNS quer ries. Whe en the DNS se ervice starts, the server choos ses a source po ort from a poo ol of sockets th hat are availab ble for issuing queries. In nstead of using g a predicable source port, th he DNS server r uses a random m port numbe er that it se elects from the e DNS socket pool. p The DNS socket pool m makes cache-ta ampering attacks more diffic cult because an attack ker must correctly guess both the source p port of a DNS q query and a ra andom transac ction ID to successfully run the attack k. The DNS soc cket pool is en abled by default in Window ws Server 2012. .

The default size of o the DNS socket pool is 2,500. When you u configure the e DNS socket p pool, you can choose a size valu ue from 0 to 10 0,000. The larg ger the value, t the greater the e protection y you will have against DNS S spoofing atta acks. If the DN NS server is run nning Window ws Server 2012,, you can also configure a DNS sock ket pool exclus sion list. You u can configure e the DNS socket pool size by b using the dn nscmd tool as s follows: 1. Launch an ele evated comma and prompt.

MCT USE ONLY. STUDENT USE PROHIBITED


1-17

Configuring g Advanced Windows s Server 2012 Serviices

2. .

Run the following comma and:


dnscmd /C Config /Socke etPoolSize <value>

3. .

Restart the DNS service to o apply the ch hanges

DNSSEC D

DNSSEC enable es a DNS zone and all record ds in the zone t to be signed c cryptographica ally such that c client co omputers can validate the DNS D response. DNS is often s subject to vario ous attacks, su uch as spoofing g and ca ache-tamperin ng. DNSSEC he elps protect ag gainst these th reats and prov vides a more secure DNS in nfrastructure.

How H DNSSEC Works


In ntercepting and tampering with w an organiz zations DNS query resp ponse is a common attack method. If attackers can alter response es from DNS se ervers, or r send spoofed d responses to o point client co omputers to th heir own serve ers, they can ga ain ac ccess to sensitive information. Any service that re elies on DNS fo or the initial co onnectionsu uch as e-commerce we eb servers and email servers are vu ulnerable. DNS SSEC protects clients that are e making m DNS qu ueries from acc cepting false DNS D re esponses.

When W a DNS se erver that is ho osting a digitally signed zone rec ceives a query, it returns the digital signatu ures along wit h the requeste ed records. A r resolver or r another serve er can obtain the t public key y of the public/ /private key pa air from a trus st anchor, and then va alidate that the e responses ar re authentic an nd have not be een tampered with. To do th his, the resolve er or se erver must be configured wit th a trust anch hor for the sign ned zone or fo or a parent of t the signed zon ne.

Trust Anchor rs

A trust anchor is an authoritative entity that is represente ed by a public key. The Trust tAnchors zone stores preconfigured public p keys tha at are associate ed with a spec cific zone. In D DNS, the trust a anchor is the D DNSKEY or r DS resource record. Client computers use e these record ds to build trus st chains. You m must configure a trust an nchor from the e zone on every domain DNS server to val lidate responses from that signed zone. If the DNS server is a domain contro oller, then Act tive Directory i integrated zon nes can distribute the trust a anchors.

Name N Resolu ution Policy y Table

Th he Name Reso olution Policy Table T (NRPT) contains c rules t that control th he DNS client b behavior for se ending DNS queries and processing the t responses from those qu ueries. For exam mple, a DNSSE EC rule promp pts the client computer r to check for validation v of the response fo or a particular DNS domain suffix. As a bes st practice, Group Policy is the preferred p meth hod of configu uring the NRPT T. If there is no o NRPT presen nt, the client computer r accepts respo onses without validating the em.

Deploying D DNSSEC D
To o deploy DNSS SEC: 1. . 2. .

Install Wind dows Server 20 012 and assign n the DNS role e to the server.. Typically, a domain control ller also acts as the DNS server. However, this is s not a require ment. Sign the DN NS zone by using the DNSSE EC Configurati on Wizard, wh hich is located in the DNS co onsole.

MCT USE ONLY. STUDENT USE PROHIBITED

1-18 Implementing Advanced Network Services

3. 4.

Configure trust anchor distribution points. Configure the NRPT on the client computers.

Assigning the DNS Server Role

To assign the DNS server role, in the Server Manager Dashboard, use the Add Roles and Features Wizard. You can also add this role can when you add the AD DS role. Configure the primary zones on the DNS server. After a zone is signed, any new DNS servers in Windows Server 2012 automatically receive the DNSSEC parameters.

Signing the Zone


The following signing options are available:

Configure the zone signing parameters. This option guides you through the steps and enables you to set all values for the key signing key (KSK) and the zone signing key (ZSK). Sign the zone with parameters of an existing zone. This option enables you to keep the same values and options as another signed zone. Use recommended settings. This option signs the zone by using the default values.

Note: Zones can also be unsigned by using the DNSSEC management user interface to remove zone signatures.

Configuring Trust Anchor Distribution Points


If the zone is Active Directoryintegrated, you should select to distribute the trust anchors to all the servers in the forest. If trust anchors are required on computers that are not joined to the domainfor example, a DNS server in the perimeter network (also known as DMZ, demilitarized zone, and screened subnetthen you should enable automated key rollover. Note: A key rollover is the act of replacing one key pair with another at the end of a keys effective period.

Configuring NRPT on Client Computers


The DNS client computer only performs DNSSEC validation on domain names where the DNS client computer is configured to do so by the NRPT. A client computer running Windows 7 is DNSSECaware, but it does not perform validation. Instead, it relies on the security-aware DNS server to perform validation on its behalf.

MCT USE ONLY. STUDENT USE PROHIBITED


1-19

Configuring g Advanced Windows s Server 2012 Serviices

New N DNSSEC Feature es for Windows Serv ver 2012


DNSSEC implem mentation was simplified for Windows W Server 2012. Althou ugh DNSSEC was w su upported in Windows W Server r 2008 R2, mos st of th he configuratio on and administration tasks were pe erformed man nually, and zon nes were signed when th hey were offlin ne.

DNSSEC D Zon ne Signing Wizard W

Windows W Server 2012 include es a DNSSEC Zone Si igning Wizard to simplify the e configuration and signing process, and to enable online signin ng. The wizard w allows yo ou to choose the t zone signin ng pa arameters as in ndicated in the e previous top pic. If yo ou choose to configure c the zone z signing settings s rather than using pa arameters from m an existing z zone or us sing default va alues, you can use the wizard d to configure e settings such as: KSK options ZSK options Trust ancho or distribution options Signing and d polling param meters

New N Resourc ce Records

DNS response validation v is ac chieved by asso ociating a priv vate/public key y pair (as gene erated by the ad dministrator) with w a DNS zon ne, and then defining d additi onal DNS reso ource records t to sign and pu ublish ke eys. Resource records r distrib bute the public c key while the e private key re emains on the e server. When the client requests validation, v DNSSEC adds dat ta to the respo onse that enab bles the client t to authenticat te the re esponse. Th he following ta able describes the new resou urce records in n Windows Ser rver 2012. Resource reco ord DNSKEY Purp pose This s record publis shes the public c key for the zo one. It checks the auth hority of a resp ponse against the private ke ey held by the DNS serv ver. These keys s require perio odic replaceme ent through ke ey rollo overs. Window ws Server 2012 2 supports auto omated key ro ollovers. This s record is a de elegation reco ord that contai ns the hash of f the pub blic key of a ch hild zone. This record is signe ed by the pare ent zones private key y. If a child zon ne of a signed parent is also signed, om the child m must be manua ally added to t the the DS records fro ent so that a chain c of trust c can be created d. pare This s record holds a signature fo or a set of DNS S records. It is used to check the authority of a respon se. Whe en the DNS re esponse has no o data to provi ide to the clien nt, this reco ord authentica ates that the ho ost does not e exist.

DS

RRSIG NSEC

Other O New Enhancemen E nts


Other O enhancem ments for Windows Server 2012 include: Support for r DNS dynamic c updates in DNSSEC D signed d zones.

MCT USE ONLY. STUDENT USE PROHIBITED

1-20 Implementing Advanced Network Services

Automated trust anchor distribution through AD DS. Windows PowerShellbased command-line interface for management and scripting.

Demonstration: Configuring DNSSEC

In this demonstration, you will see how to use the Zone Signing Wizard in the DNS console to configure DNSSEC

Demonstration Steps Configure DNSSEC


1. 2. 3. 4. 5. Log on to LON-DC1 as Adatum\Administrator. Start the DNS console. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all default settings. Verify that the DNSKEY resource records were created in the Trust Points zone.

Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix and that requires DNS client computers to verify that the name and address data is validated.

MCT USE ONLY. STUDENT USE PROHIBITED


1-21

Configuring g Advanced Windows s Server 2012 Serviices

Lesson n3

Imple ementin ng IPAM M

With W the develo opment of IPv6 6 and more an nd more device es requiring IP P addresses, ne etworks have b become co omplex and difficult to mana age. Maintaining an updated d list of static IP addresses th hat have been n issued ha as often been a manual task k, which can lea ad to errors. T To help organiz zations manag ge IP addresses, Windows W Server 2012 provide es the IPAM to ool.

Le esson Objec ctives


After completin ng this lesson you y will be able to: Describe IP PAM. Describe IP PAM architectu ure. Describe th he requirement ts for IPAM im mplementation s. Manage IP addressing us sing IPAM. Install and configure c IPAM M. Describe co onsiderations for f implementing IPAM.

What W Is IPA AM?


IP P address mana agement is a difficult d task in n large ne etworks, becau use tracking IP P address usage is la argely a manua al operation. Windows W Serve er 2012 in ntroduces IPAM M, which is a fr ramework for di iscovering, mo onitoring utilization, auditing g, and managing m the IP address spac ce in a network. IP PAM enables th he administrat tion and monit toring of f DHCP and DNS, and provid des a compreh hensive view of where IP addresses ar re used. IPAM collects in nformation from domain con ntrollers and Network N Po olicy Servers (N NPSs) and stor res that inform mation in n the Windows s Internal Database. IP PAM assists in the t areas of IP P administratio on as shown in the following g table. IP administrat tion area Planning Managing Tracking Auditing IPAM capab bilities

Provides a tool t set that ca an reduce the time and expe ense of the pla anning process whe en changes oc ccur in the netw work. Provides a single s point of f management t and assists in n optimizing utilization and a capacity p lanning for DH HCP and DNS. Enables trac cking and fore ecasting of IP a address utilizat tion.

Assists with compliance re equirements, s such as HIPAA A and Sarbanes s-Oxley , and provides s reporting for r forensics and change act of 2002, management.

MCT USE ONLY. STUDENT USE PROHIBITED

1-22 Implemen nting Advanced Netw work Services

Cha aracteristics s of IPAM


Cha aracteristics of IPAM include: : M server can su upport up to 150 1 DHCP serv vers and 500 D DNS servers. A single IPAM A single IPAM M server can su upport up to 6,000 6 DHCP sco opes and 150 DNS zones.

C addresses, u ases, host MAC IPAM stores three t years of forensics data (IP address lea user login and logoff information) for 100,000 us sers in a Windo ows Internal D Database. There e is no databa ase purge polic cy provided, and d the administrator must purge the data m manually as ne eeded. IPAM supports only Windows Internal Da atabase. No ex xternal databas se is supported d. ilization trends s are provided d only for IPv4.. IP address uti IP address rec clamation support is provide ed only for IPv v4. IPAM does no ot check for IP P address consistency with ro outers and switches.

Ben nefits of IPA AM


IPAM M benefits include: IPv4 and IPv6 6 address space e planning and d allocation. IP address spa ace utilization statistics and trend monitor ring. Static IP inven ntory management, lifetime management t, and DHCP an nd DNS record d creation and deletion. Service and zone monitorin ng of DNS serv vices. IP address lea ase and logon event tracking g. Role based ac ccess control (RBAC). Remote admi inistration support through RSAT.

Note: IPAM M does not sup pport managem ment and conf figuration of n non-Microsoft network elem ments.

IPA AM Archite ecture


IPAM M architecture e consists of fo our main modu ules, which are listed in n the following g table.

MCT USE ONLY. STUDENT USE PROHIBITED


1-23

Configuring Advanced Windows Server 2012 Services

Module IPAM discovery

Description

You use AD DS to discover servers running Windows Server 2008 and newer that have DNS, DHCP, or AD DS installed. Administrators can define the scope of discovery to a subset of domains in the forest. They can also add servers manually. You can use this module to view, monitor, and manage the IP address space. You can dynamically issue or statically assign addresses. You can also track address utilization and detect overlapping DHCP scopes.

IP address space management (ASM) Multi-server management and monitoring

You can manage and monitor multiple DHCP servers. This enables tasks to execute across multiple servers. For example, you can configure and edit DHCP properties and scopes and track the status of DHCP and scope utilization. You can also monitor multiple DNS servers, and monitor the health and status of DNS zones across authoritative DNS servers.

Operational auditing and IP address tracking

You can use the auditing tools to track potential configuration problems. You can also collect, manage, and view details of configuration changes from managed DHCP servers. You can also collect address lease tracking from DHCP lease logs, and collect logon event information from NPS and domain controllers.

The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three topologies: Distributed. An IPAM server is deployed to every site in the forest. Centralized. Only one IPAM server is deployed in the forest. Hybrid. A central IPAM server is deployed together with a dedicated IPAM server in each site.

Note: IPAM servers do not communicate with one another or share database information. If you deploy multiple IPAM servers, you must customize each servers discovery scope. IPAM has two main components:

IPAM server. The IPAM server performs the data collection from the managed servers. It also manages the Windows Internal Database and provides RBAC. IPAM client. The IPAM client provides the client computer user interface, interacts with the IPAM server, and invokes Windows PowerShell to perform DHCP configuration tasks, DNS monitoring, and remote management.

IPAM Security Groups

The following table describes the local security groups that are created automatically when you install IPAM. Group IPAM Users Description

Members of this group can view all information that is located in server discovery, IP address space, and server management. They can view IPAM and DHCP server operational events, but they cannot view IP address tracking information. IPAM multi-server management (MSM) administrators have IPAM users privileges, and can perform IPAM common management tasks and server

IPAM MSM

MCT USE ONLY. STUDENT USE PROHIBITED

1-24 Implemen nting Advanced Netw work Services

Gr roup Administrators IP PAM ASM Administrators IP PAM IP Audit Administrators IP PAM Administr rators

Description management tasks.

IPA AM ASM admin nistrators have e IPAM users p privileges, and can perform IPAM com mmon manage ement tasks an nd IP address s space tasks. Me embers of this group have IP PAM users priv vileges, can perform IPAM com mmon manage ement tasks, a nd can view IP P address track king informatio on. IPA AM Administrators can view a all IPAM data and perform a all IPAM tasks. .

Requirement ts for IPAM M Implementation


To ensure e a succe essful IPAM implementation, you mus st meet several prerequisites s: The IPAM ser rver must be a domain member, but cannot be e a domain co ontroller. The IPAM ser rver should be a single purpo ose server. Do no ot install other network roles such as DHCP or DNS D on the sam me server. To manage th he IPv6 addres ss space, IPv6 must m be enabled on the IPAM se erver. Log on to the e IPAM server with w a domain n account, and not a local acc count. You must be a member of the t correct IPA AM local secur rity group on t the IPAM serve er.

Enable loggin ng of account logon events on o domain co ntroller and N NPS servers for IPAMs IP add dress tracking and auditing featu ure.

IPA AM Hardware and Softw ware Requirements


The IPAM hardwa are and software requiremen nts are as follow ws: Dual core pro ocessor of 2.0 gigahertz g (GHz) or higher Windows Serv ver 2012 operating system 4 or more gig gabytes (GB) of o random acce ess memory (R RAM) 80 GB of free hard disk space

In addition to the previously me entioned requirements, Win dows Server 2 2008 and 2008 8 R2 require the follo owing: Service Pack 2 (SP2) must be b installed on Windows Serv ver 2008. Microsoft .NE ET Framework 4.0 full installa ation must be installed. Windows Management Framework 3.0 Be eta must be in nstalled (KB250 06146).

For Windows Server 2008 SP2, S Windows Management Framework Co ore (KB968930 0) is also required. Windows Rem mote Managem ment (Window ws RM) must be e enabled. Verify that Se ervice principal names (SPNs) are written.

MCT USE ONLY. STUDENT USE PROHIBITED


1-25

Configuring g Advanced Windows s Server 2012 Serviices

Managing M IP Address sing Using g IPAM


IP P address space e managemen nt allows ad dministrators to t manage, tra ack, audit, and report on n an organizat tions IPv4 and d IPv6 address spaces. Th he IPAM IP address space co onsole provide es ad dministrators with w IP address utilization sta atistics an nd historical tr rend data so th hat they can make m in nformed planning decisions for f dynamic, static, an nd virtual addr ress spaces. IPA AM periodic ta asks au utomatically discover the address space an nd ut tilization data as configured on the DHCP servers th hat are managed in IPAM. Yo ou can also im mport IP ad ddress informa ation from com mma separated d va alues (.csv) files.

IP PAM also enab bles administra ators to detect overlapping I P address rang ges that are de efined on diffe erent DHCP servers, find free IP add dresses within a range, creat te DHCP reserv vations, and cr reate DNS reco ords.

IP PAM provides a number of ways w to filter th he view of the IP address spa ace. You can c customize how w you view and manag ge the IP addr ress space usin ng any of the fo ollowing views s: IP address blocks b IP address ranges r IP addresse es IP address inventory i IP address range r groups

IP P Address Blocks B

IP P address block ks are the high hest-level entit ties within an I IP address spa ace organizatio on. Conceptually, an IP P block is an IP P subnet marke ed by a start and an end IP a address, and it t is typically assigned to an or rganization by y various Regio onal Internet Registries R (RIRs s). Network ad ministrators use IP address b blocks an add, impor to o create and al llocate IP addr ress ranges to DHCP. They ca rt, edit, and de elete IP address blocks. IPAM au utomatically maps m IP address s ranges to the e appropriate IP address blo ock based on the bo ress blocks in t oundaries of the range. You can add and import i IP addr the IPAM cons sole.

IP P Address Ranges R

IP P address ranges are the nex xt hierarchical level l of IP add dress space ent tities after IP address blocks. . cally Conceptually, an IP address ra ange is an IP subnet marked d by a start and d end IP addre ess, and it typic co orresponds to a DHCP scope e, or a static IP Pv4 or IPv6 add dress range or address pool that is used to o assign ad ddresses to ho osts. An IP address range is uniquely u identi ifiable by the v value of the m mandatory Man naged By y Service and Service Insta ance options, which w help IPA AM manage an nd maintain ov verlapping or du uplicate IP add dress ranges fr rom the same console. You c can add or imp port IP addres ss ranges from within th he IPAM conso ole.

IP P Addresses s

IP P addresses are e the addresses that make up the IP addre ess range. IPAM M enables end d-to-end life cy ycle tion with DHC management m of IPv4 and IPv6 6 addresses, in ncluding record d synchronizat CP and DNS servers. IP PAM automatic cally maps an address to the e appropriate r range based o on the start and d end address of the ra ange. An IP address is unique ely identifiable e by the value of mandatory y Managed By y Service and Service In nstance option ns that help IP PAM manage and a maintain d duplicate IP ad ddresses from t the same cons sole. Yo ou can add or import IP add dresses from within w the IPAM M console.

MCT USE ONLY. STUDENT USE PROHIBITED

1-26 Implementing Advanced Network Services

IP Address Inventory

In this view, you can view a list of all IP addresses in the enterprise along with their device names and type. IP address inventory is a logical group defined by the Device Type option within the IP addresses view. These groups allow you to customize the way your address space displays for managing and tracking IP usage. You can add or import IP addresses from within the IPAM console. For example, you could add the IP addresses for printers or routers, assign IP address the appropriate device type of printer or router, and then view your IP inventory filtered by the device type you assigned.

IP Address Range Groups

IPAM enables you to organize IP address ranges into logical groups. For example, you might organize IP address ranges geographically or by business division. Logical groups are defined by selecting the grouping criteria from built-in or user-defined custom fields.

Monitoring and Managing


IPAM enables automated, periodic service monitoring of DHCP and DNS servers across a forest. Monitoring and managing is organized into the views listed in the following table. View DNS and DHCP Servers Description By default, managed DHCP and DNS servers are arranged by their network interface in /16 subnets for IPv4 and /48 subnets for IPv6. You can select the view to see just DHCP scope properties, just DNS server properties, or both. The DHCP scope view enables scope utilization monitoring. Utilization statistics are collected periodically and automatically from a managed DHCP server. You can track important scope properties such as Name, ID, Prefix Length, and Status. Zone monitoring is enabled for forward and reverse lookup zones. Zone status is based on events collected by IPAM. The status of each zone is summarized. You can organize your managed DHCP and DNS servers into logical groups. For example, you might organize servers by business unit or geography. Groups are defined by selecting the grouping criteria from built-in fields or user-defined fields.

DHCP scopes

DNS Zone Monitoring Server Groups

Demonstration: Installing and Configuring IPAM


In this demonstration, you will see how to install and configure IPAM management.

Demonstration Steps Install and Configure IPAM


1. 2. 3. 4. 5. 6. Log on to LON-SVR2 as Adatum\Administrator. In Server Manager, add the IPAM feature and all required supporting features. In the IPAM Overview pane, provision the IPAM server using Group Policy. Enter IPAM as the Group Policy Object (GPO) name prefix, and provision IPAM. In the IPAM Overview pane, configure server discovery for the Adatum domain. In the IPAM Overview pane, start the server discovery process.

MCT USE ONLY. STUDENT USE PROHIBITED


1-27

Configuring g Advanced Windows s Server 2012 Serviices

7. . 8. . 9. .

In the IPAM M Overview pane, add the se ervers to be ma anaged. Verify that IPAM access is s currently blo ocked. ermission to m Use Window ws PowerShell l to grant the IPAM I server pe manage LON-D DC1 by using t the following command:
Invoke-Ip pamGpoProvisi ioning Domain Adatum.co om GpoPrefix xName IPAM I IpamServerFqd dn LON-SVR2.adatum.com DelegatedGp oUser Admini strator

10 0. Set the man nageability sta atus to Manag ged. 11 1. Switch to LON-DC1. 12 2. Force the update u of Grou up Policy. 13 3. Switch back k to LON-SVR2 2 and refresh the t IPv4 view. 14 4. In the IPAM M Overview pane, retrieve da ata from the m managed serve er.

IP PAM Mana agement and a Monit toring


Th he IPAM ASM feature allows s you to efficie ently view, monitor, and a manage th he IP address space s on n the network. ASM support ts IPv4 public and a private addresse es, and IPv6 gl lobal and unic cast ad ddresses. Using g the DNS and d DHCP server view, yo ou can view an nd monitor health and co onfiguration of all the DNS and a DHCP serv vers th hat are being managed m by IP PAM. IPAM use es sc cheduled tasks s to periodicall ly collect data from managed m servers. You can als so retrieve data a on de emand by usin ng the Retriev ve All Server Data D op ption.

Utilization U Monitoring M

Utilization data is maintained for IP address s ranges, IP ad dress blocks, a and IP range g groups within I IPAM. Yo ou can configu ure thresholds for the percen ntage of the IP P address spac ce that is utilized, and then u use th hose threshold ds to determine e under-utiliza ation and over r-utilization. Yo ou can perform m utilization tr rend building and a reporting for IPv4 addre ess ranges, blo ocks, and range groups. The util lization trend window w allows s you to view t trends over tim me periods suc ch as daily, weekly, monthly m or annually, or you can c view trends over custom m date ranges. Utilization dat ta from manag ged DHCP scopes is auto-discover red, and you can c view this d ata.

Monitoring M DHCP D and DNS D

Using IPAM, you can monitor r DHCP and DN NS servers from m any physica l location of th he enterprise. One of th he primary ben nefits of IPAM is its ability to o simultaneous sly manage mu ultiple DHCP s servers or DHC CP sc copes that are spread across one or more DHCP servers.

and health of selected sets o Th he IPAM monitoring view allows you to vie ew the status a of Microsoft D DNS and DHCP servers fr rom a single co onsole. IPAMs s monitoring v view displays th he basic health h of servers an nd re ecent configuration events th hat occurred on o these server rs. The monito oring view also o allows you to o or rganize the ma anaged server rs into logical sever s groups.

Fo or DHCP serve ers, the server view v allows yo ou to track vari ious server set ttings, server o options, the nu umber of sc copes, and the e number of ac ctive leases tha at are configur red on the serv ver. For DNS servers, this vie ew

MCT USE ONLY. STUDENT USE PROHIBITED

1-28 Implemen nting Advanced Netw work Services

allows you to trac ck all zones tha at are configur red on the serv ver, along with h details of the e zone type. Th he view w also allows you y to see the total number of zones that a are configured d on the server, and the overall zone health status s as derived fro om the zone status s of indivi dual zones on n the server.

DH HCP Server Managemen M nt


From m the IPAM co onsole, you can manage DHCP servers and d perform the following actions: Edit DHCP server properties Edit DHCP server options Create DHCP scopes Configure pre edefined optio ons and values s Configure the e user class acr ross multiple servers s simulta aneously ultiple servers simultaneously Create and ed dit new and ex xisting user cla asses across mu Configure the e vendor class across multipl le servers simu ultaneously Start the man nagement cons sole for a selec cted DHCP ser rver Retrieve serve er data from multiple m servers s

DN NS Server Ma anagement t

You u can start the DNS managem ment console for f any manag ged DNS serve er from a centr ral console in the IPAM M server and retrieve r server data from the e selected set o of servers. The e DNS Zone Monitoring view w disp plays all the forward lookup and reverse lo ookup zones o n all the DNS servers that IP PAM is currently man naging. For the e forward look kup zones, IPA AM also display ys all the serve ers that are hosting the zone e, and the aggregate hea alth of the zon ne across all th hese servers an nd the zone pr roperties.

The e Event Cata alog

The IPAM event catalog c provide es a centralized repository fo or auditing all configuration n changes that are perf formed on DH HCP servers tha at are managed from a singl e IPAM manag gement conso ole. The IPAM configuration eve ents console ga athers all of the configuratio on events. Thes se configuratio on event catalo ogs allows you to view w, query, and generate g reports of the cons solidated confi iguration chan nges, along wit th deta ails specific to each record.

Co onsideratio ons for Imp plementing IPAM


IPAM M is an agentless technology that uses Win ndows remote management protocols to man nage, monitor, , and collect data from distributed servers in the enviro onment. As suc ch, you should be aw ware of some im mplementation n considerations.

Installation Co onsideration ns
Alth hough IPAM is relatively simple to install, there t are certain consid derations: IPAM should not be installe ed on a domai in controller, DH HCP server, or DNS server. The installatio on wizard in Se erver Manager r automatically y installs the fe eatures require ed to support IPAM. There are a no extra st teps required of o the adminis strator.

MCT USE ONLY. STUDENT USE PROHIBITED


1-29

Configuring Advanced Windows Server 2012 Services

The IPAM client is installed automatically on Windows Server 2012 along with the IPAM server, but you can uninstall the client separately. You can uninstall IPAM by using Server Manager. All dependencies, local security groups, and scheduled tasks will be deleted. The IPAM database will be detached from the Windows Internal Database.

Functional Considerations
Consider the following IPAM functional specifications: IPAM does not support multiple forest topologies. IPAM can only use Windows Internal Database; it cannot use any other type of database.

The IPAM server must collect DHCP lease information to enable address tracking. Ensure that the DHCP audit log file size is configured so that it is large enough to contain audit events for the entire day. For domain controllers and network policy servers, enable the required events for logging. You can use Group Policy security settings to perform this task.

Administrative Considerations

Domain and enterprise administrators have full access to IPAM administration. You can delegate administrative duties to other users or groups by using the IPAM security groups. The installation process creates local security groups (which have no members by default) on the IPAM server. The local security groups provide the permissions that are required for administering and using the multiple services that IPAM employs. IPAM installation automatically creates the local user groups listed it the following table. Group IPAM Users Description Members of this group can view all information in IPAM server inventory, IP address space, and IPAM server management consoles. They can view IPAM and DHCP server operational events, but they cannot view IP address tracking information. Members of this group have all the privileges of the IPAM Users group, and they can perform IPAM monitoring and management tasks. Members of this group have all the privileges of IPAM Users group, and they can perform IPAM IP address space tasks. Members of this group have all the privileges of IPAM Users group, and they can view IP address tracking information. Members of this group can view all IPAM information and perform all IPAM tasks.

IPAM MSM Administrators IPAM ASM Administrators IPAM IP Audit Administrators IPAM Administrators

Migrating Existing IP Data Into IPAM

Many organizations use Microsoft Office Excel spreadsheets to document the IP address space allocation for static addresses and network devices. Because these spreadsheets must be updated manually, they are prone to error. You can migrate the existing data from these spreadsheets into IPAM by converting the spreadsheets to .csv files, and then importing the information into IPAM.

MCT USE ONLY. STUDENT USE PROHIBITED

1-30 Implementing Advanced Network Services

Lab: Implementing Advanced Network Services


Scenario

A. Datum Corporation has grown rapidly over the last few years. The company has deployed several new branch offices, and it has significantly increased the number of users in the organization. Additionally, it has expanded the number of partner organizations and customers that are accessing A. Datum websites and applications. Because of this expansion, the complexity of the network infrastructure has increased, and the organization now needs to be much more aware of network level security.

As one of the senior network administrators at A. Datum, you are responsible for implementing some of the advanced networking features in Windows Server 2012 to manage the networking infrastructure. You need to implement new features in DHCP and DNS, with the primary goal of providing higher levels of availability while increasing the security of these services. You also need to implement IPAM so that you can simplify and centralize the management of the IP address usage and configuration in an increasing complex network.

Objectives
Configure advanced DHCP settings. Configure advanced DNS settings. Configure IP address management.

Lab Setup
20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-SVR2 20412A-LON-CL1 Estimated time: 60 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-SVR2 20412A-LON-CL1 Adatum\Administrator Pa$$w0rd

Virtual Machine(s)

User Name Password

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: o o User name: Adatum\Administrator Password: Pa$$w0rd

5.

Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2. Do not start 20412A-LON-CL1 until directed to do so.

MCT USE ONLY. STUDENT USE PROHIBITED


1-31

Configuring Advanced Windows Server 2012 Services

Exercise 1: Configuring Advanced DHCP Settings


Scenario

With the expansion of the network, and the increased availability and security requirements at A. Datum Corporation, you need to implement some additional DHCP features. Because of the recent business expansion, the main office DHCP scope is almost completely utilized, which means you need to configure a superscope. Additionally, you need to configure DHCP name protection and DHCP failover. The main tasks for this exercise are as follows: 1. 2. 3. Configure a superscope Configure DHCP name protection Configure and verify DHCP failover

Task 1: Configure a superscope


1.

On LON-DC1, configure a scope named Scope1, with a range of 192.168.0.50 192.168.0.100, and with the following settings: o o o o Subnet mask: 255.255.255.0 Router: 192.168.0.1 DNS Suffix: Adatum.com Choose to activate the scope later

2.

Configure a second scope named Scope2 with a range of 192.168.1.50 192.168.1.100, and with the following settings: o o o o Subnet mask: 255.255.255.0 Router: 192.168.1.1 DNS Suffix: Adatum.com Choose to activate the scope later

3.

Create a superscope called AdatumSuper that has Scope1 and Scope2 as members.

Task 2: Configure DHCP name protection

Switch to the DHCP console on LON-DC1, and enable DHCP Name Protection for the IPv4 node.

Task 3: Configure and verify DHCP failover


1. 2. 3.

On LON-SVR1, start the DHCP console, and observe the current state of DHCP. Note that the server is authorized, but no scopes are configured. On LON-DC1, in the DHCP console, launch the Configure Failover Wizard. Configure failover replication with the following settings: o o o o o o Partner server: 172.16.0.21 Relationship Name: Adatum Maximum Client Lead Time: 15 minutes Mode: Load balance Load Balance Percentage: 50% State Switchover Interval: 60 minutes

MCT USE ONLY. STUDENT USE PROHIBITED

1-32 Implementing Advanced Network Services

o 4. 5. 6. 7. 8. 9.

Message authentication shared secret: Pa$$w0rd

Complete the Configure Failover Wizard. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active, and that Scope Adatum is configured. Start 20412A-LON-CL1, and log on as Adatum\Administrator. Configure LON-CL1 to obtain an IP address from the DHCP server. Open a command prompt window, and record the IP address. Switch to LON-DC1, and stop the DHCP server service.

10. Switch back to LON-CL1 and renew the IP address. 11. Shut down the LON-SVR1 server. 12. On LON-DC1, in the Services console, start the DHCP server service. 13. Close the Services console.

Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection, and configured and verified DHCP failover.

Exercise 2: Configuring Advanced DNS Settings


Scenario

To increase the level of security for the DNS zones at A. Datum, you need configure DNS security settings such as DNSSEC, DNS socket pool, and cache locking. A. Datum has a business relationship with Contoso, Ltd, and will host the Contoso.com DNS zone. A. Datum clients use an application that accesses a server named App1 in the Contoso.com zone by using its NetBIOS name. You need to ensure that these applications can resolve the names of the required servers correctly. You will employ a GlobalNames zone to achieve this. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure DNSSEC. Configure the DNS socket pool. Configure DNS cache locking. Configure a GlobalName Zone.

Task 1: Configure DNSSEC


1. 2. 3. 4. 5. On LON-DC1, start the DNS Manager.

Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all the default settings. Verify that the DNSKEY resource records have been created in the Trust Points zone. Minimize the DNS console.

Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix, and that requires DNS clients to verify that the name and address data were validated.

Task 2: Configure the DNS socket pool


1. On LON-DC1, start a command prompt with elevated credentials.

MCT USE ONLY. STUDENT USE PROHIBITED


1-33

Configuring Advanced Windows Server 2012 Services

2.

Run the following command to view the current size of the socket pool.
dnscmd /info /socketpoolsize

3.

Run the following command to change the socket pool size to 3,000.
dnscmd /config /socketpoolsize 3000

4. 5.

Restart the DNS service. Run dnscmd to confirm the new socket pool size.

Task 3: Configure DNS cache locking


1. Run the following command to view the current cache lock size.
dnscmd /info /CacheLockingPercent

2.

Run the following command to change the cache lock value to 75 percent.
dnscmd /config /CacheLockingPercent 75

3. 4.

Restart the DNS service. Run dnscmd to confirm the new cache lock value.

Task 4: Configure a GlobalName Zone


1.

Create an Active Directory integrated forward lookup zone named Contoso.com, by running the following command:
Dnscmd LON-DC1 /ZoneAdd Contoso.com /DsPrimary /DP /forest

2.

Run the following command to enable support for GlobalName zones:


dnscmd lon-dc1 /config /enableglobalnamessupport 1

3.

Create an Active Directory integrated forward lookup zone named GlobalNames by running the following command:
Dnscmd LON-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest

4. 5. 6.

Open the DNS Manager console and add a new host record to the Contoso.com domain named App1 with the IP address of 192.168.1.200.

In the GlobalNames zone, create a new alias named App1 using the FQDN of App1.Contoso.com. Close DNS Manager and close the command prompt.

Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS cache locking, and the GlobalName zone.

Exercise 3: Configuring IP Address Management


Scenario
A. Datum Corporation is evaluating solutions for simplifying IP management. Since implementing Windows Server 2012, you have decided to implement IPAM.

MCT USE ONLY. STUDENT USE PROHIBITED

1-34 Implementing Advanced Network Services

The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Install the IPAM feature. Configure IPAMrelated GPOs. Configure IP management server discovery. Configure managed servers. Configure and verify a new DHCP scope with IPAM.. Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records

Task 1: Install the IPAM feature


On LON-SVR2, install the IP Address Management (IPAM) Server feature.

Task 2: Configure IPAMrelated GPOs


1. 2. In Server Manager, in the IPAM Overview pane, provision the IPAM server using Group Policy. Enter IPAM as the GPO name prefix, and provision IPAM using the Provision IPAM Wizard.

Task 3: Configure IP management server discovery


1. 2. In the IPAM Overview pane, configure server discovery for the Adatum domain. In the IPAM Overview pane, start the server discovery process.

Task 4: Configure managed servers


1. 2. In the IPAM Overview pane, add the servers that you need to manage. Verify that IPAM access is currently blocked.

Use Windows PowerShell to grant the IPAM server permission to manage LON-DC1 by running the following command:
Invoke-IpamGpoProvisioning Domain Adatum.com GpoPrefixName IPAM IpamServerFqdn LON-SVR2.adatum.com DelegatedGpoUser Administrator

3. 4. 5.

Set the manageability status to Managed. Switch to LON-DC1, and force the update of Group Policy using the gpupdate /force.

Return to LON-SVR2 and refresh the server access status for LON-DC1 and the IPv4 console view. It may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks as needed until a green check mark displays next to LON-DC1 and the IPAM Access Status shows Unblocked. In the IPAM Overview pane, retrieve data from the managed server.

6.

Task 5: Configure and verify a new DHCP scope with IPAM


1. On LON-SVR2, use IPAM to create a new DHCP scope with the following parameters: o o o o 2. Scope start address: 10.0.0.50 Scope end address: 10.0.0.100 Subnet mask: 255.0.0.0 Default gateway: 10.0.0.1

On LON-DC1, verify the scope in the DHCP MMC.

MCT USE ONLY. STUDENT USE PROHIBITED


1-35

Configuring Advanced Windows Server 2012 Services

Task 6: Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records
1. On LON-SVR2, add an IP address block in the IPAM console with the following parameters: o o o 2. Network ID: 172.16.0.0 Prefix length: 16 Description: Head Office

Add IP addresses for the network router by adding to the IP Address Inventory with the following parameters: o o o o IP address: 172.16.0.1 MAC address: 112233445566 Device type: Routers Description: Head Office Router

3.

Use the IPAM console to create a DHCP reservation as follows: o o o o o o IP address: 172.16.0.10 MAC address: 223344556677 Device type: Host Reservation server name: LON-DC1.Adatum.com Reservation name: Webserver Reservation type: Both

4.

Use the IPAM console to create the DNS host record as follows: o o o Device name: Webserver Forward lookup zone: Adatum.com Forward lookup primary server: LON-DC1.adatum.com

5. 6. 7.

Right-click the IPv4 entry and create the DHCP reservation and create the DNS Host record.

On LON-DC1, open the DHCP console and confirm that the reservation was created in the 172.16.0.0 scope. On LON-DC1, open the DNS Manager console. Confirm that the DNS host record was created.

Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAMrelated GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP addresses, DHCP reservations, and DNS records.

To prepare for the next module


1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2 and 20412A-LON-CL1.

MCT USE ONLY. STUDENT USE PROHIBITED

1-36 Implementing Advanced Network Services

Module Review and Takeaways


Question: What is one of the drawbacks to using IPAM?

Common Issues and Troubleshooting Tips


Common Issue Users can no longer access a vendors website that they have always been able to access in the past. Troubleshooting Tip

Managed servers are unable to connect to the IPAM server.

Real-world Issues and Scenarios


Some network clients are receiving incorrect DHCP configuration. What tool should you use to start troubleshooting?

Answer: The IPConfig /All command will tell you if the client is receiving DHCP configuration and the IP address of the DHCP server from which the configuration came. What are some possible causes of the incorrect configurations?

Answer: There may be a rogue DHCP server on the network. Common things to look for will be gateway devicessuch as cable modems or PBX boxesthat have a DHCP component enabled. Another possibility is that someone has manually configured the IP address on the client.

Best Practice
Implement DHCP failover to ensure that client computers can continue to receive IP configuration information in the event of a server failure. Ensure that there are at least two DNS servers hosting each zone. Use IPAM to control IP address distribution and static address assignments.

Tools
Tool Dnscmd DHCP console Use Configure all aspects of DNS management Control all aspects of DHCP management from a user interface Control all aspects of DNS management from a user interface Control all aspects of IPAM management Location %systemroot%\System32\dnscmd.exe %systemroot%\System32\dhcpmgmt.msc

DNS console

%systemroot%\System32\dnsmgmt.msc

IPAM Management console

Server Manager

MCT USE ONLY. STUDENT USE PROHIBITED


2-1

Module 2
Implementing Advanced File Services
Contents:
Module Overview Lesson 1: Configuring iSCSI Storage Lesson 2: Configuring BranchCache Lesson 3: Optimizing Storage Usage Lab A: Implementing Advanced File Services Lab B: Implementing BranchCache Module Review and Takeaways 2-1 2-2 2-9 2-16 2-22 2-28 2-33

Module Overview

Storage space requirements have been increasing since the inception of server-based file shares. The Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk space that is required, and to manage physical disks effectively: Data deduplication, and Storage Spaces. This module provides an overview of these features, and explains the steps required to configure them.

In addition to minimizing disk space, another storage concern is the connection between the storage and the remote disks. Internet SCSI (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps create a connection between the servers and the storage. To implement iSCSI storage in Windows Server 2012, you must be familiar with the iSCSI architecture and components. In addition, you must be familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. In organizations with branch offices, you have to consider slow links and how to use these links efficiently when sending data between your offices. The Windows BranchCache feature in Windows Server 2012 helps address the problem of slow connectivity. This module explains the BranchCache, feature, and the steps to configure it.

Objectives
After completing this module, you will be able to: Configure iSCSI storage. Configure BranchCache. Optimize storage usage. Implement advanced file services.

MCT USE ONLY. STUDENT USE PROHIBITED

2-2

Implementing Advanced File Se ervices

Lesson 1

Config guring iSCSI Sto orage

iSCS SI storage is an n inexpensive and a simple wa ay to configure e a connection n to remote dis sks. Many app plication requir rements dictate that remote storage conne ections must b be redundant in nature for fa ault tole erance or high availability. In addition, man ny companies already have f fault tolerant n networks, in w which the networks are cheap to keep p redundant as s opposed to u using storage a area networks (SANs). In this s lesson, you will lea arn how to cre eate a connect tion between s servers and iSC CSI storage. Yo ou will perform m thes se tasks by using IP-based iS SCSI storage. You Y will also lea arn how to cre eate both single and redund dant connections to an n iSCSI target. You Y will practi ice this by usin ng the iSCSI in itiator softwar re that is availa able in Win ndows Server 2012. 2

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe iSCS SI and its comp ponents. Describe the iSCSI target se erver and the iSCSI initiator. Describe options for implem menting high availability a for r iSCSI. Describe iSCS SI security options. Configure the e iSCSI target. Connect to iS SCSI storage. Describe cons siderations for r implementing g the iSCSI sto orage solution..

Wh hat Is iSCSI?
iSCS SI is a protocol that supports s access to rem mote, SCSI-based storag ge devices ove er a TCP/IP net twork. iSCS SI carries stand dard SCSI commands over IP P netw works to facilit tate data trans sfers over intra anets, and to manage st torage over lon ng distances. You Y can use iSCSI to tr ransmit data over o local area netw works (LANs), wide w area netw works (WANs), , or even over the Inte ernet.

iSCS SI relies on standard Etherne et networking arch hitecture. Spec cialized hardwa are such as ho ost bus adapters (HBA A) or network switches are optional. iSCSI use es TCP/IP (typi ically, TCP por rt 3260). This means s that iSCSI sim mply enables tw wo hosts to ne egotiate tasks (for example, session esta ablishment, flo ow control, and d packet size,), and then exc hange SCSI co ommands by u using an existin ng Ethe ernet network. . By doing this s, iSCSI uses a popular, p high performance, local storage b bus subsystem m arch hitecture, and emulates it ov ver LANs and WANs, W creating g a SAN. Unlik ke some SAN t technologies, iSCSI requ uires no specia alized cabling. You can run it over the exis sting switching g and IP infrast tructure. Howe ever, you can increase the t performan nce of an iSCSI SAN deploym ment by operat ting it on a de edicated netwo ork or subnet, as best pr ractices recommend. Note: Altho ough you can use a standard d Ethernet netw work adapter to connect the e server to the iSCSI storage device, you ca an also use ded dicated iSCSI H HBAs.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


2-3

An iSCSI SAN de eployment inc cludes the follo owing:

TCP/IP netw work. You can use standard network interf face adapters and standard Ethernet proto ocol network sw witches to conn nect the server rs to the storag ge device. To p provide sufficient performan nce, the network should provide speeds s of at le east 1 gigabit p per second (Gb bps), and shou uld provide mu ultiple paths to the e iSCSI target. As a best prac ctice, use a ded dicated physic cal and logical network to ac chieve fast, reliable e throughput.

iSCSI target ts. This is another method of f gaining acce ess to storage. iSCSI targets p present or adv vertise storage, sim milar to contro ollers for hard disk d drives of llocally attache ed storage. However, this sto orage is accessed ov ver a network, instead of loc cally. Many sto orage vendors implement ha ardware-level i iSCSI such as Windo targets as part p of their sto orage devices s hardware. Ot her devices or r appliancess ows Storage Ser rver 2012 devicesimpleme ent iSCSI targe ets by using a s software driver together with at SI target serve least one Et thernet adapte er. Windows Server 2012 pro ovides the iSCS erwhich is ef ffectively a driver for the iSCSI prot tocolas a rol le service. iSCSI initiat tors. The iSCSI target display ys storage to th he iSCSI initiator (also known n as the client) ), which acts as a loc cal disk contro oller for the rem mote disks. Al l versions of W Windows Serve er starting from m Windows Server 2008 inc clude the iSCSI I initiator, and can connect t to iSCSI targets.

iSCSI Qualif fied Name (IQN). IQNs are unique u identifie ers that are us sed to address initiators and targets on an iSCSI network. Whe en you configu ure an iSCSI ta arget, you mus st configure th he IQN for the iSCSI initiators th hat will be connecting to the e target. iSCSI i initiators also use IQNs to co onnect to the iSCSI targets. However, if name e resolution on n the iSCSI net twork is a poss sible issue, iSCSI endpoints (both target and initiator) can always a be iden ntified by their r IP addresses. Question: Can you use your y organizati ions internal T TCP/IP networ rk to provide iS SCSI?

iS SCSI Targe et Server and iSCSI In nitiator


Th he iSCSI target t server and th he iSCSI initiato or are de escribed below w.

iS SCSI Target Server


Th he iSCSI target t server role se ervice provides s for so oftware-based and hardware e-independent t iSCSI di isk subsystems s. You can use the iSCSI target se erver to create e iSCSI targets and iSCSI virtu ual di isks. You can then use Server Manager to manage m these iSCSI targets an nd virtual disks. Th he iSCSI target t server included in Window ws Se erver 2012 pro ovides the follo owing function nality:

Network/di iskless boot. By y using boot-c capable netwo ork adapters or a software lo oader, you can use ing differencin iSCSI target ts to deploy di iskless servers quickly. By usi ng virtual disks s, you can save e up to 90 percent of the storage e space for the e operating sys stem images. T This is ideal for large deploy yments of identical operating sys stem images, such s as a Hype er-V server farm, or high-pe erformance computing (HPC) clusters s.

Server application storage. Some applic cations such a s Hyper-V and d Microsoft Exchange Serve er require block storage. The iSCSI target server can pro ovide these ap pplications with h continuously y available bl lock storage. Because B the sto orage is remot tely accessible, it can also co ombine block s storage for central or branch offic ce locations.

MCT USE ONLY. STUDENT USE PROHIBITED

2-4

Implementing Advanced File Se ervices

Heterogeneo ous storage. iSC CSI target server supports iSC CSI initiators that are not ba ased on the Windows op perating system m, so you can share storage on Windows s servers in mixe ed environmen nts. Lab environm ments. The iSCS SI target server role enables your Window ws Server 2012 computers to be network-acce essible block st torage devices s. This is useful l in situations i in which you w want to test applications before b deployi ing them on SAN storage.

iSCS SI target servers that provide e block storage e utilize your e existing Ethern net network; no additional hard dware is required. If high ava ailability is an important crit terion, conside er setting up a high availability clus ster. With a hig gh availability cluster, you wi ill need shared d storage for the clustereit ther hardware e Fibre Cha annel storage, or a Serial Atta ached SCSI (SA AS) storage arr ray. The iSCSI t target server integrates directly into o the failover cluster feature as a cluster role.

iSC CSI Initiator

The iSCSI initiator r service has be een a standard d component i installed by de efault since Wi indows Server 2008 and Windows Vist ta. To connect your compute er to an iSCSI t target, you sim mply start the Microsoft iSCS SI Initi iator Service and configure it. The new features in Windows Server 2012 inc clude:

Authenticatio on. You can enable Challenge Handshake A Authentication n Protocol (CH HAP) to authen nticate initiator conn nections, or you can enable reverse r CHAP t to allow the in nitiator to auth henticate the iS SCSI target. Query initiato or computer fo or ID. This is on nly supported with Windows s 8 or Window ws Server 2012.

Additional Reading: For r more informa ation about th e introduction n of iSCSI targe ets in Win ndows Server 2012, 2 refer to: http p://blogs.techn net.com/b/filec cab/archive/20 012/05/21/intr roduction-of-i iscsi-target-in-windowsserv ver-2012.aspx Question: When would you u consider imp plementing dis skless booting g from iSCSI targets?

Op ptions for Implemen I ting High Availabilit ty for iSCS SI


In addition to con nfiguring the basic b iSCSI targ get serv ver and iSCSI in nitiator setting gs, you can inte egrate these se ervices into mo ore advanced configurations.

Con nfiguring iS SCSI for High Availabili ity


Crea ating a single connection to iSCSI storage mak kes that storag ge available. However, it doe es not mak ke that storage e highly available. Losing the e connection results s in the server losing access to its stor rage. Therefore e, most iSCSI storage s connections are made m redundant through one of two o high availability technologies: Multiple Con nnection Sessio on (MCS) and Multipath I/O (MPIO).

Alth hough similar in i results they achieve, these e two technolo ogies use diffe rent approach hes to achieve high avai ilability for iSC CSI storage con nnections.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


2-5

MCS M is a feature e of the iSCSI protocol p that: Enables mu ultiple TCP/IP connections c from the initiato or to the targe et for the same e iSCSI session.

Supports au utomatic failov ver. If a failure e occurs, all ou tstanding iSCS SI commands a are reassigned d to another connection automatically.

Requires ex xplicit support by iSCSI SAN devices, altho ugh the Wind ows Server 2012 iSCSI target server role suppor rts it.

MPIO M provides redundancy differently. MPI IO:

If you have have multiple e network interface cards (N ICs) in your iSC CSI initiator an nd iSCSI target t server, you can use e MPIO to pro ovide failover redundancy du uring network outages. Requires a device-specific c module (DSM M) if you want t to connect to o a third-party SAN device th hat is connected to the iSCSI in cludes a defau nitiator. The Windows operat ting system inc ult MPIO DSM that is installed as the MPIO feature within Server Manager.. Is widely su upported. Man ny SANs can us se the default DSM without any additional software, while others requ uire a specialized DSM from the manufactu urer. Is more com mplex to configure, and is no ot as fully auto omated during g failover as M MCS.

iS SCSI Secur rity Option ns


Be ecause iSCSI is s a protocol that provides ac ccess to st torage devices over a TCP/IP P network, it is crucial th hat you secure your iSCSI sol lution to prote ect it from malicious users or attack ks. You can mitigate ris sks to your iSC CSI solution by y providing sec curity at va arious infrastru ucture layers. The T term defen nse-inde epth is often used to describ be the use of multiple m se ecurity technologies at differ rent points th hroughout you ur organization n. Defense-in-Dep pth security str rategy includes s:

Policies, pro ocedures, and awareness. As sa security bes st practice, sec curity policy measures need n to operat te within the co ontext of orga anizational pol licies. For exam mple, consider enforcing a strong user password p policy throughout the organizati ion, but having g an even stro onger administrat tor password policy p for accessing iSCSI sto orage devices a and computers that have iSC CSI manageme ent software installed.

Physical sec curity. If any unauthorized person p can gain n physical acce ess to iSCSI sto orage devices or a computer on o your netwo ork, then most other security y measures are e not useful. Yo ou must ensure e that iSCSI storag ge devices, the e computers th hat manage th hem, and the servers to which they are con nnected are physically secure, and d that access is s granted to au uthorized pers sonnel only. Perimeter. Perimeter netw works mark the boundary be etween public and private networks. Provi iding firewalls and reverse prox xy servers in th he perimeter n network enable es you to prov vide more secu ure corporate services s across the public net twork, and to prevent possib ble attacks on the iSCSI stora age devices from m the Internet t.

Networks. Once O you conn nect iSCSI stor rage devices to o a network, th hey are suscep ptible to a num mber of threats. The ese threats include eavesdro opping, spoofin ng, denial of se ervice, and rep play attacks. Yo ou should use authentication n such as CHA AP, to protect c communication between iSC CSI initiators an nd iSCSI

MCT USE ONLY. STUDENT USE PROHIBITED

2-6

Implementing Advanced File Services

targets. You might also consider implementing Internet Protocol security (IPsec) for encrypting the traffic between iSCSI initiators and iSCSI targets. Isolating iSCSI traffic to its own virtual LAN (VLAN) also strengthens security by not allowing malicious users that are connected on corporate VLAN network to attack iSCSI storage devices that are connected to a different VLAN. You should also protect network equipment such as routers and switches that are used by iSCSI storage devices, from unauthorized access. Host. The next layer of defense is the protection layer for the host computers that are connected to iSCSI storage devices. You must maintain secure computers by using the latest security updates. You should consistently use the Windows Update feature in Windows operating systems to keep your operating system up-to-date. You also have to configure security policies such as password complexity, configure the host firewall, and install antivirus software. Application. Applications are only as secure as their latest security update. For applications that run on your servers but do not integrate in Windows Update, you should regularly check for security updates issued by the application vendor. You should also update the iSCSI management software according to vendor recommendations and best practices.

Data. This is the final layer of security. To help protect your network, ensure that you are using file user permissions properly. Do this by using BitLocker, Access Control Lists (ACLs), implementing the encryption of confidential data with Encrypting File System (EFS), and performing regular backups of data.

Demonstration: Configuring an iSCSI Target


In this demonstration. you will see how to: Add the iSCSI target server role service. Create two iSCSI virtual disks and an iSCSI target.

Demonstration Steps Add the iSCSI Target Server Role Service


1. 2. On LON-DC1, open Server Manager.

In the Add Roles and Features Wizard, install the following roles and features to the local server, and accept the default values: o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Create two iSCSI virtual disks and an iSCSI target


1. 2.

On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.

In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk. Create a virtual disk with the following settings: o o o o o Name: iSCSIDisk1 Disk size: 5 GB iSCSI target: New Target name: LON-SVR2 Access servers: 172.16.0.22

3.

On the View results page, wait until creation completes, and then close the View Results page.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


2-7

4. .

In the iSCSI I VIRTUAL DISK KS pane, click TASKS, and th hen in the TAS SKS drop-dow wn list, click Ne ew iSCSI Virtual Dis sk. Create a vir rtual disk that has these setti ings: o o o Name: iSCSIDisk2 Disk siz ze: 5 GB iSCSI ta arget: LON-SV VR2

5. .

On the View w results page, wait until cr reation comple etes, and then n close the View w Results pag ge.

Demonstra D ation: Conn necting to the iSCSI Storage


In n this demonst tration, you will see how to: Connect to the iSCSI targ get Verify the presence p of the e iSCSI drive

Demonstrati D ion Steps Connect C to the iSCSI tar rget


1. . 2. . 3. . Log on to LON-SVR2 L with h username of f Adatum\Adm ministrator a nd password P Pa$$w0rd. Open Serve er Manager, an nd on the Too ols menu, open n iSCSI Initiato or. ng: In the iSCSI Initiator Pro operties dialog g box, configu ure the followin o o Quick Connect: C LON-DC1 Discove er targets: iqn n.1991-05.com m.microsoft:lo on-dc1-lon-sv vr2-target

Verify V the pr resence of the iSCSI dri ive


1. . 2. . 3. . In Server Manager, M on the Tools menu, open Compu uter Managem ment.

In the Computer Manage ement console e, under Storag ge node, acce ess Disk Mana agement. Noti ice that the new dis sks are added. However, they y all are curren ntly offline and d not formatte ed. Close the Computer C Man nagement cons sole.

Considerat C ions for Im mplementi ing iSCSI S Storage


When W designing g your iSCSI st torage solution n, co onsider following best practi ices: Deploy the iSCSI solution n on at least 1 Gbps networks. High availability design fo or network infrastructu ure is crucial be ecause data fro om servers to iS SCSI storage is s transferred th hrough network de evices and com mponents. (Hig gh availability considerations were explain ned earlier in th his module.)

Design an appropriate a se ecurity strategy y for the iSCSI storage solution n. (Security con nsiderations an nd recommen dations were e explained earlier in this module e.)

MCT USE ONLY. STUDENT USE PROHIBITED

2-8

Implementing Advanced File Services

Read the vendor-specific best practices for different types of deployments and applications that will use iSCSI storage solution, such as Exchange Server and Microsoft SQL Server.

IT personnel who will be designing, configuring, and administering the iSCSI storage solution must include IT administrators from different areas of specialization, such as Windows Server 2012 administrators, network administrators, storage administrators, and security administrators. This is necessary so that the iSCSI storage solution has optimal performance and security, and has consistent management and operations procedures.

When designing an iSCSI storage solution, the design team should also include application-specific administrators, such as Exchange Server administrators and SQL server administrators, so that you can implement the optimal configuration for the specific technology or solution.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


2-9

Lesson n2

Configuring Branch hCache

Br ranch offices have h unique management m ch hallenges. A br ranch office ty ypically has slo ow connectivity y to the en nterprise netw work and limite ed infrastructure for securing g servers. Also,, you need to b back up data t that you maintain m in you ur remote bran nch offices, which is why org anizations pre efer to centraliz ze data where e po ossible. Theref fore, the challe enge is being able a to provide e efficient acce ess to network k resources for r users in n branch office es. The BranchC Cache helps yo ou overcome t these problem ms by caching f files so they do o not ha ave to be transferred repeat tedly over the network.

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Describe ho ow BranchCache works. Describe Br ranchCache requirements. Explain how w to configure e BranchCache server setting gs. Explain how w to configure e BranchCache client settings s. Explain how w to configure e BranchCache. Explain how w to monitor BranchCache. B

How H Does BranchCac che Work? ?


Th he BranchCach he feature introduced with Windows W Server 2008 R2 and Windows 7 re educes th he network use e on WAN con nnections betw ween branch offices and a headquart ters by locally ca aching frequen ntly used files on computers in the branch office. Br ranchCache im mproves the pe erformance of ap pplications tha at use one of the following protocols: HTTP or HT TTPS protocols s. These protoc cols are used by we eb browsers an nd other applic cations.

raffic protocol Server mess sage block (SM MB), including signed SMB tr l. This protocol is used for ac ccessing shared fold ders. Background d Intelligent Tr ransfer Service e (BITS). A Win ndows compon nent that distri ibutes content t from a server to clients by using only idle netw work bandwidt th. BITS is also a component t used by Syste em Center Con nfiguration Manager.

Br ranchCache re etrieves data fr rom a server when w the client t requests the data. Because BranchCache is a pa assive cache, it t will not incre ease WAN use. . BranchCache only caches the read reque ests, and will no ot in nterfere when a user saves a file.

Br ranchCache im mproves the re esponsiveness of o common ne etwork applica ations that acc cess intranet se ervers ac cross slow WA AN links. Because BranchCach he does not re equire addition nal infrastructu ure, you can im mprove th he performanc ce of remote networks by de eploying Windo ows 7 or Wind dows 8 to clien nt computers, and by de eploying Wind dows Server 20 008 R2 and Wi indows Server 2012 to serve ers, and then enabling the Br ranchCache fe eature.

MCT USE ONLY. STUDENT USE PROHIBITED

2-10 Implementing Advanced File Services

BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL), SMB Signing, and end-to-end IPsec. You can use BranchCache to reduce network bandwidth use and to improve application performance, even if the content is encrypted. You can configure BranchCache to use hosted cache mode or distributed cache mode:

Hosted cache. This mode operates by deploying a computer that is running Windows Server 2008 R2 or newer versions as a hosted cache server in the branch office. Client computers are locating the host computer so that they can retrieve content from the hosted cache when available. If the content is not available in the hosted cache, the content is retrieved from the content server by using a WAN link and then provided to the hosted cache so that the successive client requests can get it from there. Distributed cache. For smaller remote offices, you can configure BranchCache in the distributed cache mode without requiring a server. In this mode, local client computers running Windows 7 or Windows 8 maintain a copy of the content and make it available to other authorized clients that request the same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted Cache mode, this configuration works per subnet only. In addition, clients who hibernate or disconnect from the network cannot provide content to other requesting clients.

Note: When using BranchCache, you may use both modes in your organization, but you can configure only one mode per branch office. BranchCache functionality in Windows Server 2012 has improved in the following ways: BranchCache allows for more than one hosted cache server per location to allow for scale. A new underlying database uses the Extensible Storage Engine (ESE) database technology from Exchange Server. This enables a hosted cache server to store significantly more data (even up to terabytes).

A simpler deployment means that you do not need a Group Policy Object (GPO) for each location. To deploy BranchCache, you only need a single GPO that contains the settings. This also enables clients to switch between hosted cache mode and distributed mode when they are traveling between locations without the need to use site-specific GPOs, which should be avoided in multiple scenarios.

How Client Computers Retrieve Data by Using BranchCache


When BranchCache is enabled on a client computer and a server, the client computer performs the following process to retrieve data when using the HTTP, HTTPS, or SMB protocol: 1.

The client computer that is running Windows 8 connects to a content server that is running Windows Server 2012 in the head office, and requests content similar to how it would retrieve content without using BranchCache. The content server in the head office authenticates the user and verifies that the user is authorized to access the data.

2. 3.

Instead of sending the content itself, the content server in the head office returns identifiers or hashes of the requested content to the client computer. The content server sends that data over the same connection that the content would have typically been sent. Using retrieved identifiers, the client computer does the following: o

4.

If you configure it to use distributed cache, the client computer multicasts on the local subnet to find other client computers that have already downloaded the content. If you configure it to use hosted cache, the client computer searches for the content on the configured hosted cache.

MCT USE ONLY. STUDENT USE PROHIBITED


2-11

Configuring g Advanced Windows s Server 2012 Serviices

5. .

If the conte ent is available e in the branch h office, either on one or mo ore clients or o on the hosted c cache, the client computer retrie eves the data from f the branc ch office. The client comput ter also ensure es that the data is updated and has h not been tampered t with h or corrupted . If the conte ent is not available in the rem mote office, th hen the client c computer retri ieves the conte ent directly from the server across a the WAN N link. The clie ent computer t then either ma akes it availabl le on the local ne etwork to othe er requesting client c compute ers (distributed d cache mode) ) or sends it to o the hosted cach he, where it is made availabl le to other clie ent computers .

6. .

BranchCach B he Require ements


Br ranchCache op ptimizes traffic c flow between n head of ffices and bran nch offices. Windows Server 2008 R2 2, Windows Se erver 2012, and d client compu uters ru unning Window ws 7 and Wind dows 8 can benefit from using Bran nchCache. (Ear rlier versions of o Windows W opera ating systems do d not benefit from th his feature.) Yo ou can use BranchCache to cache c on nly the conten nt that is stored d on file servers or web w servers that are running Windows Serv ver 20 008 R2 or Windows Server 2012. 2

Requirement R ts for Using g BranchCac che


To o use BranchC Cache for file se ervices, you must pe erform the following tasks:

Install the BranchCache B fe eature or the BranchCache B f for Network Fi iles role service e on the host s server that is runn ning Windows Server 2012. Configure client c compute ers either by using Group Po olicy or the net tsh branchcac che set servic ce command.

If you want to use u BranchCache to cache co ontent from th he file server, y you must perfo orm following tasks: Install BranchCache for th he Network Fil les role service e on the file se erver. Configure hash h publicatio on for BranchC Cache. Create Bran nchCacheenabled file share es.

If you want to use u BranchCache for caching g content from m the web serv ver, you must install the Br ranchCache fe eature on the web w server. You do not need d additional co onfigurations.

Br ranchCache is supported on the full install lation and Serv ver Core installation of Wind dows Server 20 012. By de efault, BranchC Cache is not in nstalled on Windows Server 2012.

Requirement R ts for Distributed Cach he Mode and d Hosted Ca ache Mode

In n the Distribute ed Cache mod de, BranchCach he works acros ss a single subnet only. If clie ent computers s are alled co onfigured to use u the Distribu uted Cache mo ode, any client t computer ca n use a multicast protocol ca WS-Discovery W to o search locall ly for the computer that has s already down nloaded and ca ached the con ntent. Yo ou should con nfigure the clie ent firewall to enable e incomin ng traffic, HTT TP, and WS-Dis scovery.

In n clients, however, they will search s for a ho osted cache se rver, and if on ne is discovered d, clients au utomatically se elf-configure as a hosted cach he mode client ts. In the Hoste ed Cache mod de, the client co omputers auto omatically self-configure as hosted h cache m mode clients, a and they will s search for the host se erver so that th hey can retriev ve content from m the Hosted Cache. Furthermore, you can use Group P Policy so

MCT USE ONLY. STUDENT USE PROHIBITED

2-12 Implemen nting Advanced File Services S

that t you can use the t FQDN of the hosted cache servers or e enable automa atic Hosted Ca ache discovery y by Serv vice Connectio on Points (SCPs s). You must co onfigure a fire ewall to enable e incoming HT TTP traffic from m the Hos sted Cache serv ver. In both b cache mo odes, BranchCa ache uses the HTTP H protocol for data trans sfer between c client compute ers and the computer that is hostin ng the cached data.

Co onfiguring BranchCache Server r Settings


You u can use Branc chCache to cache web conte ent, which is delivered d by HTTP or HTTPS. H You can n also use BranchCache to cache share ed folder content, which is delivered d by the SMB protocol. p The following table lists the serv vers that you can c configure for Bran nchCache.

Se erver Web W server or BITS B server

Description To configure a Windo ws Server 2012 web server o or an application server that t uses the BITS S protocol, inst tall nchCache featu ure. Ensure tha at the BranchC Cache the Bran service has h started. Th hen, configure clients who will use the Bran nchCache featu ure. No additio onal web serve er configur ration is requir red. You mus st install the B ranchCache fo or the Network k Files role serv vice of the File e Services serve er role before y you enable BranchCache B fo for any file sha ares. After you install the Bran nchCache for t he Network Fi iles role service e, use Group Policy P to enabl e BranchCache e on the serve er. You must the en configure e each file share to enable BranchC Cache. For the Hosted H Cache mode, you m ust add the BranchC Cache feature t to the Window ws Server 2012 2 server th hat you are co nfiguring as a Hosted Cache e server. unication, clien nt computers use To help secure commu ity (TLS) when communicating Transport Layer Securi e Hosted Cache e server. with the By defau ult, BranchCac he allocates fiv ve percent of the disk space on the activ ve partition fo or hosting cach he owever, you ca an change this value by using data. Ho Group Policy P or the ne etsh tool by ru unning netsh branchc cache set cach hesize comma and.

File server

Hosted cache se erver

MCT USE ONLY. STUDENT USE PROHIBITED


2-13

Configuring g Advanced Windows s Server 2012 Serviices

Configuring C g BranchC Cache Clien nt Settings s


Yo ou do not hav ve to install the e BranchCache e fe eature on clien nt computers, because b Branc chCache is already includ ded if the clien nt is running Windows W 7 or Windows W 8. Ho owever, Branch hCache is disabled by default on clien nt computers. To T en nable and configure BranchC Cache, you mu ust pe erform the following steps: 1. . 2. . Enable Bran nchCache. Enable the Distributed Ca ache mode or the Hosted Cac che mode. Win ndows 8 clients can use either mode m dynamic cally. Configure the t client firew wall to enable BranchCache B p protocols.

3. .

Enabling Bra anchCache


Yo ou can enable the BranchCa ache feature on n client compu uters by using Group Policy, or by using th he ne etsh branchca ache set servi ice command.

To o enable Branc chCache settin ngs by using Group G Policy, p perform the fol llowing steps f for a domain-b based GPO: 1. . 2. . 3. . Open the Group G Policy Management M Console. C Create a GP PO that will be e linked to the organizationa al unit where c client compute ers are located d. In a GPO, browse b to Com mputer Config guration, Polic cies, Adminis strative Temp plates: Policy definitions s (ADMX files s) retrieved fr rom the local computer, N etwork, and t then click BranchCac che. Enable Turn on BranchC Cache setting in i GPO.

4. .

Enabling the e Distributed d Cache Mo ode or Hoste ed Cache M Mode

Yo ou can configu ure the Branch hCache mode on o client comp puters by usin g Group Policy y, or by using the ne etsh branchca ache set servi ice command.

To o configure Br ranchCache mo ode by using Group G Policy, p perform the fo ollowing steps for a domain-based GPO: 1. . 2. . 3. . Open the Group G Policy Management M Console. C Create a GP PO that will be e linked to the organizationa al unit where c client compute ers are located d. In a GPO, browse b to Com mputer Config guration, Polic cies, Adminis strative Temp plates: Policy definitions s (ADMX files s) retrieved fr rom the local computer, N etwork, and t then click BranchCac che.

4. .

Choose eith her the Distributed Cache or r the Hosted C Cache mode. Y You may also e enable both the Distributed Cache mode and Automatic Hosted Cach he Discovery b by Service Connection Point policy settings. Th he client computers will oper rate in distribu uted cache mo ode unless they y find a hosted d cache server in the branch office. If they find a hosted cach e server in the e branch office e, they will wor rk in hosted cach he mode.

MCT USE ONLY. STUDENT USE PROHIBITED

2-14 Implementing Advanced File Services

To configure BranchCache settings by using the netsh branchcache set service command, open a command-line interface window, and perform the following steps: 1. Use the following netsh syntax for the Distributed Cache mode:
netsh branchcache set service mode=distributed

2.

Use the following netsh syntax for the hosted mode:


netsh branchcache set service mode=hostedclient location=<Hosted Cache server>

Configuring the Client Firewall to Enable BranchCache Protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, and the WS-Discovery protocol for cached content discovery. You should configure the client firewall to enable the following incoming rules: BranchCacheContent Retrieval (Uses HTTP) BranchCachePeer Discovery (Uses WSDiscovery)

In Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but this mode does not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to enable the incoming rule, BranchCacheContent Retrieval (Uses HTTP).

Additional Configuration Tasks for BranchCache

After you configure BranchCache, clients can access the cached data in BranchCacheenabled content servers, which are available locally in the branch office. You can modify BranchCache settings and perform additional configuration tasks, such as: Setting the cache size. Setting the location of the Hosted Cache server. Clearing the cache. Creating and replicating a shared key for using in a server cluster.

Demonstration: Configuring BranchCache


In this demonstration, you will see how to: Add BranchCache for the Network Files role service. Configure BranchCache in Local Group Policy Editor. Enable BranchCache for a file share.

Demonstration Steps Add BranchCache for the Network Files role service
1. 2. Log on to LON-DC1 and open Server Manager. In the Add Roles and Features Wizard, install the following roles and features to the local server: o

File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files

MCT USE ONLY. STUDENT USE PROHIBITED


2-15

Configuring g Advanced Windows s Server 2012 Serviices

Enable Branc chCache for r the server


1. . 2. . On the Star rt screen, type gpedit.msc, and a then press s Enter.

Browse to Computer C Configuration\A Administrativ ve Templates\ \Network\Lan nman Server, and do the followin ng: o o Enable Hash Publica ation for Bran nchCache A hash publication on nly for shared folder on wh hich BranchCa ache is enable ed Select Allow

Enable Branc chCache for r a file share e


1. . 2. . Open Wind dows Explorer, and on drive C, create a fold der named Sh hare\. Configure the t Share folder properties as a follows: o o Enable Share this fo older Check Enable Branc chCache in Off fline Settings s

Monitoring M g BranchCa ache


After the initial configuration, , you want to verify v th hat BranchCache is configure ed correctly an nd fu unctioning correctly. You can n use the netsh branchcache sh how status all command to o di isplay the Bran nchCache service status. The e client an nd Hosted Cac che servers display additiona al in nformation, suc ch as the locat tion of the loca al ca ache, the size of o the local cache, and the st tatus of th he firewall rule es for HTTP and d WS-Discover ry protocols that BranchCache B uses. u Yo ou can also use the following tools to mon nitor Br ranchCache:

Event Viewer. Use this too ol to monitor BranchCache e events reporte ed in the Appli ication log loc cated in the Window ws Logs folder r, and in the Operational Log g located in the Application and Service Logs\Micro osoft\Windows s\BranchCache e folder.

Performanc ce counters. Us se this tool to monitor Branc chCache perfo ormance monit tor counters. BranchCach he performanc ce monitor cou unters are usef ful debugging g tools for mon nitoring BranchCache effectiveness and health. You can also use u BranchCac che performan nce monitoring g to determine e the bandwidth savings in the e Distributed Cache mode or r in the Hosted d Cache mode e. If you have implemente in the environment, you can ed Microsoft System S Center Operations M Manager 2012 i n use the Windows BranchCache B Management M Pack P for Opera tions Manager 2012.

MCT USE ONLY. STUDENT USE PROHIBITED

2-16 Implemen nting Advanced File Services S

Lesson 3

Optimizing St torage Usage U

Every organization stores data on o different sto orage systems s. As storage sy ystems process s more and more data a at higher spe eeds, the dema and for disk sp pace for storin g the data has s increased. Th he large amount of files s, folders, and information, and the way they are stored, organized, ma anaged, and m maintained, becomes a challen nge for organi izations. Furthermore, organ nizations must satisfy require ements for sec curity, com mpliance, and data d leakage prevention p for company con fidential inform mation. Win ndows Server 2012 2 introduce es many technologies that ca an help organizations respond to the challenges of man naging, mainta aining, securing, and optimiz zing data that is stored on d different storag ge devices. The techn nologies includ de the File Server Resource M Manager, file c classification in nfrastructure, a and Data deduplicatio on, each of which provides new features as s compared to o Windows Ser rver 2008 R2.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe the File Server Res source Manager. Describe file classification. c Describe class sification rules s. Explain how to t configure file classification n. Describe storage optimization options in Windows Serv ver 2012. Explain how to t configure Data D deduplication.

Wh hat Is File Server Res source Manager?


You u can use the File F Server Reso ource Manage er (FSR RM) to manage e and classify data d that is sto ored on file f servers. FSR RM includes th he following feat tures:

File classificat tion infrastruct ture. This featu ure automates the data classific cation process. You can dynamica ally apply acce ess policies to files f based on their classification n. Example pol licies include Dynamic Access Co ontrol for restri icting access to files s, file encryptio on, and file expiration. Yo ou can classify files automati ically by using file classification c ru ules, or manua ally by modifying the propertie es of a selected d file or folder.. We can modi ify file propert ties automatica ally based on the application, ty ype or content t of the file, or r by manually setting option ns on the serve er that will trigger file classification n.

File managem ment tasks. You u can use this feature to app ply a condition nal policy or ac ction to files, b based on their classification. The conditions c of a file managem ment task inclu ude the file loc cation, the classification properties, the e date the file was created, t the last modifi ed date of the e file, and the l last time that the file was accessed. The actions that a file m management t task can take in nclude the abi ility to expire files, encrypt files, an nd run a custom command.

MCT USE ONLY. STUDENT USE PROHIBITED


2-17

Configuring Advanced Windows Server 2012 Services

Quota management. You can use this feature to limit the space that is allowed for a volume or folder. You can apply quotas automatically to new folders that are created on a volume. You can also define quota templates that you can apply to new volumes or folders. File screening management. You can use this feature to control the types of files that users can store on a file server. You can limit the extension that can be stored on your file shares. For example, you can create a file screen that disallows files with an .mp3 extension from being stored in personal shared folders on a file server. Storage reports. You can use this feature to identify trends in disk usage, and identify how your data is classified. You can also monitor attempts by users to save unauthorized files.

You can configure and manage the FSRM by using the File Server Resource Manager Microsoft Management Console (MMC) snap-in, or by using the Windows PowerShell command-line interface. The following FSRM features are new with Windows Server 2012: Integration with Dynamic Access Control. Dynamic Access Control can use a file classification infrastructure to help you centrally control and audit access to files on your file servers.

Manual classification. Manual classification enables users to classify files and folders manually without the need to create automatic classification rules.

Access Denied Assistance. You can use Access Denied Assistance to customize the access denied error message that displays for users in Windows 8 Consumer Preview when they do not have access to a file or a folder. File management tasks. The updates to file management tasks include Active Directory Domain Services (AD DS) and Active Directory Rights Management Services (AD RMS) file management tasks, continuous file management tasks, and dynamic namespace for file management tasks.

Automatic classification. The updates to automatic classification increase the level of control you have over how data is classified on your file servers, including continuous classification, Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic namespace for classification rules.

Additional Reading: For more information about FSRM, see: http://technet.microsoft.com/en-us/library/hh831746.aspx Question: Are you currently using the FSRM in Windows Server 2008 R2? If yes, for what areas do you use it?

MCT USE ONLY. STUDENT USE PROHIBITED

2-18 Implemen nting Advanced File Services S

Wh hat Is File Classification?


File classifications enable admin nistrators to configure automa atic procedures for defining a desi ired property on o a file, based d on condition ns spec cified in classif fication rules. For F example, you y can set the Confid dentiality pro operty to High h on all documents d wh hose content co ontains the wo ord sec cret.

In Windows W Serve er 2008 R2 and d Windows Ser rver 2012, classification managemen nt and file man nagement task ks enable administrators to man nage groups of o files based on o various file and a fold der attributes. You Y can autom mate file and fo older maintenance task ks, such as cleaning up stale data, d or protec cting sensitive e information. For this reason n, file and folder mainte enance tasks are more efficie ent as compare ed to maintain ning the file sy ystem by navig gating thro ough its hierarchical view. Clas ssification man nagement is de esigned to eas se the burden and managem ment of data th hat is spread across the organization. You can classify files in a variety of ways. I In most scenar rios, classification is perform med man nually. The file e classification infrastructure in Windows S erver 2012 enables organiza ations to conve ert s thes se manual processes into automated polic cies. Administra ators can spec cify file management policies base ed on a files classification, c and a apply corp porate requirem ments for man naging data ba ased on busine ess valu ue. You u can use file classification to o perform the following f actio ons: 1. 2. 3.

Define classification proper rties and value es, which you c can assign to fi iles by running g classification n rules. Create, updat te, and run classification rule es. Each rule as ssigns a single e predefined property and va alue to files within n a specified di irectory, based d on installed c classification p plug-ins. When running a classificatio on rule, reeval luate files that t are already cl lassified. You c can choose to overwrite exis sting classification values, or r add the value e to properties s that support multiple value es. You can also use classificati ion rules to de eclassify files th hat are not in t the classificatio on criterion anymore.

Wh hat Are Cla assification n Rules?


The file classification infrastructure uses classification rules s to scan files automatically, a and then n to classify them according to the conten nts of a file. You configu ure file classific cations in the File F Serv ver Resource Manager M conso ole. Classification properties are def fined centrally y in AD DS so that thes se definitions can c be shared across file serv vers with hin the organiz zation. You can create classification rules s that scan files for a standar rd strin ng, or for a string that match hes a pattern (reg gular expressio on). When a co onfigured classification para ameter is found d in a file, that t file is classified as con nfigured in the e classification rule.

MCT USE ONLY. STUDENT USE PROHIBITED


2-19

Configuring Advanced Windows Server 2012 Services

When planning for file classifications, you should do following: 1. 2. 3. 4. Identify which classification or classifications that you want to apply on documents. Determine the method you to want to use to identify documents for classification. Determine the schedule for automatic classifications. Establish a review of classification success.

After you have a defined the classifications, you can plan the Dynamic Access Control implementation by defining conditional expressions that enable you to control access to highly confidential documents based on particular user attributes.

Demonstration: Configuring File Classification


In this demonstration, you will see how to: Create a classification property. Create a classification rule.

Demonstration Steps Create a classification property


1. 2.

On LON-SVR1, the Server Manager console should open automatically. From Server Manager, start the File Server Resource Manager. In File Server Resource Manager, create a local property with the following settings: o o Name: Corporate Documentation Property Type: Yes/No

3.

In File Server Resource Manager, create a classification rule with the following settings: o o o o o o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled. Scope tab: E:\Labfiles\Corporate Documentation Classification tab, Classification method: Folder Classifier Property-Choose a property to assign to files: Corporate Documentation Property-Specify a value: Yes. Evaluation type tab, Re-evaluate existing property values, and Aggregate the values.

4. 5.

Run the classification with all rules, and select Wait for classification to complete.

Review the Automatic classification report that displays in Windows Internet Explorer, and ensure that report lists the same number of files classified as in the Corporate Documentation folder.

MCT USE ONLY. STUDENT USE PROHIBITED

2-20 Implemen nting Advanced File Services S

Op ptions for Storage S Optimizatio on in Wind dows Serve er 2012


Win ndows Server 2012 2 includes new n options fo or stor rage optimizat tion that provid de you with an n effic cient way to de eploy, adminis ster, and secur re your storage solut tions. Storage optimization feat tures include: File access au uditing. File acc cess auditing in Windows Serv ver 2012 creat tes an audit ev vent whenever file es are accessed d by users. As compared to previous Wind dows Server versions, this audit event da ata contains additional inf formation about the attribut tes of the file that was w accessed.

Features on Demand. D Featu ures on Deman nd enables you u to save on d isk space by allowing you to o remove role and a feature file es from the op perating system m. If these role es and features s need to be installed on the server, the installation file es will be retrie eved from rem mote locations, installation m media, or Windows Update. U You ca an remove fea ature files from m both physica al and virtual computers, Win ndows image (.wim) files, and offline virtual hard d disks (VHDs) . Data deduplic cation. Data deduplication id dentifies and r removes duplications within data without compromising the integrity y of the data. Data D deduplica ation is highly scalable, resource efficient, and nonintrusive. It can run con ncurrently on la arge volumes of primary data without affe ecting other workloads on n the server. Lo ow impact on the t server wor rkloads is main ntained by thro ottling the CPU U and memory resources that are consumed. Us sing Data ded uplication jobs, you can schedule when Data deduplication n should run, specify s the reso ources to dedu uplicate, and f fine-tune file s selection. When combined wit th BranchCach he, the same optimization te echniques are a applied to dat ta that is transf ferred over the WAN N to a branch office. This res sults in faster f file download t times, and red duced bandwid dth consumption. NFS Data Store. The Netwo ork file system (NFS) Data Sto ore is the NFS server implem mentation in Windows Serv ver 2012 operating systems. In Windows S Server 2012, th he NFS server s supports high availability, which w means th hat you can de eploy the serve er in a failover clustering con nfiguration. When a client connec cts to a NFS ser rver in the failo over cluster, a nd if that serv ver fails, the NF FS server will fa ail over to anoth her node in the e cluster, so th hat the client c an still connec ct to the NFS s server.

De emonstration: Config guring Dat ta Dedupli ication


In th his demonstration, you will see s how to: Add the Data a deduplication n role service. Enable Data deduplication. d

Dem monstration n Steps Add the Data deduplicati d on role serv vice
1. 2. Log on to LO ON-SVR1 as Ad datum\Admin nistrator using g the password d Pa$$w0rd. Open Server Manager.

MCT USE ONLY. STUDENT USE PROHIBITED


2-21

Configuring Advanced Windows Server 2012 Services

3.

In the Add Roles and Features Wizard, install the following roles and features to the local server, and accept the default values: o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication

Enable Data deduplication


1. 2. 3. In the Volumes pane, right-click E:, and select Configure Data Deduplication. Configure Data deduplication with the following settings: o o o o Enable Data deduplication: Enabled Deduplicate files older than (in days): 3 Set Deduplication Schedule: Enable throughput optimization Start time: current time

In Server Manager, in the navigation pane, click File and Storage Services, and then click Volumes.

MCT USE ONLY. STUDENT USE PROHIBITED

2-22 Implementing Advanced File Services

Lab A: Implementing Advanced File Services


Scenario

As A. Datum Corporation has expanded, the requirements for managing storage and shared file access has also expanded. Although the cost of storage has decreased significantly over the last few years, the amount of data produced by the A. Datum business groups has increased even faster. The organization is considering alternate ways to decrease the cost of storing data on the network, and is considering options for optimizing data access in the new branch offices. The organization would also like to ensure that data that is stored on the shared folders is limited to company data, and that it does not include unapproved file types. As a senior server administrator at A. Datum, you are responsible for implementing the new file storage technologies for the organization. You will implement iSCSI storage to provide a less complicated option for deploying large amounts of storage.

Objectives
Configure iSCSI storage. Configure the file classification infrastructure.

Lab Setup
Estimated Time: 75 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-SVR2 Estimated time: 75 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-SVR2 Adatum\Administrator Pa$$w0rd

Virtual Machine(s) User Name Password

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: o o User name: Adatum\Administrator Password: Pa$$w0rd

5.

Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2.

MCT USE ONLY. STUDENT USE PROHIBITED


2-23

Configuring Advanced Windows Server 2012 Services

Exercise 1: Configuring iSCSI Storage


Scenario
To decrease the cost and complexity of configuring centralized storage, A. Datum has decided to use iSCSI to provide storage. To get started, you will install and configure the iSCSI target, and configure access to the target by configuring the iSCSI initiators. The main tasks for this exercise are as follows: 1. 2. 3. 4. Install the iSCSI target feature. Configure the iSCSI targets. Configure MPIO. Connect to and configure the iSCSI targets.

Task 1: Install the iSCSI target feature


1. 2. 3. Log on to LON-DC1 with username of Adatum\Administrator and the password Pa$$w0rd. Open Server Manager.

In the Add Roles and Features Wizard, install the following roles and features to the local server, and accept the default values: o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Task 2: Configure the iSCSI targets


1. 2.

On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI. Create a virtual disk with the following settings: o o o o o o Storage location: C: Disk name: iSCSIDisk1 Size: 5 GB iSCSI target: New Target name: lon-dc1 Access servers: 172.16.0.22 and 131.107.0.2

3. 4.

On the View results page, wait until the creation completes, and then click Close. Create a New iSCSI virtual disk with these settings: o o o o Storage location: C: Disk name: iSCSIDisk2 Size: 5 GB iSCSI target: lon-dc1

5.

Create a New iSCSI virtual disk with these settings: o o o o Storage location: C: Disk name: iSCSIDisk3 Size: 5 GB iSCSI target: lon-dc1

MCT USE ONLY. STUDENT USE PROHIBITED

2-24 Implementing Advanced File Services

6.

Create a New iSCSI virtual disk with these settings: o o o o Storage location: C: Disk name: iSCSIDisk4 Size: 5 GB iSCSI target: lon-dc1

7.

Create a New iSCSI virtual disk with these settings: o o o o Storage location: C: Disk name: iSCSIDisk5 Size: 5 GB iSCSI target: lon-dc1

Task 3: Configure MPIO


1. 2. 3. 4. 5. On LON-SVR2, from Server Manager, open the Routing and Remote access console. On the Enable DirectAccess Wizard, click Cancel.

Right-click LON-SVR2 and then click Disable Routing and Remote Access. Click Yes and then close the Routing and Remote Access console. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following: o o Enable the iSCSI Initiator service Quick Connect to target: LON-DC1

6.

In Server Manager, on the Tools menu, open MPIO, and configure the following: o Enable Add support for iSCSI devices on Discover Multi-paths

7. 8.

After the computer restarts, log on to LON-SVR2, with username of Adatum\Administrator and password of Pa$$w0rd. In Server Manager, on the Tools menu, click MPIO and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

Task 4: Connect to and configure the iSCSI targets


1. 2. On LON-SVR2, in Server Manager, on the Tools menu, open iSCSI Initiator. In the iSCSI Initiator Properties dialog box, perform the following steps: o o o Disconnect all Targets. Connect and Enable multi-path. Set Advanced options as follows: o Local Adapter: Microsoft iSCSI Initiator Initiator IP: 172.16.0.22 Target Portal IP: 172.16.0.10 / 3260

Connect to another target, enable multi-path, and configure the following Advanced settings: Local Adapter: Microsoft iSCSI Initiator Initiator IP: 131.107.0.2

MCT USE ONLY. STUDENT USE PROHIBITED


2-25

Configuring Advanced Windows Server 2012 Services

3.

Target Portal IP: 131.107.0.1 / 3260

In the Targets list, open Devices for iqn.1991-05.com.microsoft:lon-dc1-lon-dc1-target, access the MPIO information, and then verify that in Load balance policy, Round Robin is selected. Verify that two paths are listed by looking at the IP addresses of both network adapters.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.

Exercise 2: Configuring the File Classification Infrastructure


Scenario

A. Datum has noticed that many users are copying corporate documentation to their mapped drives on the users or departmental file servers. As a result, there are many different versions of the same documents on the network. To ensure that only the latest version of the documentation is available for most users, you need to configure a file classification system that will delete specific files from user folders. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. Create a classification property for corporate documentation. Create a classification rule for corporate documentation. Create a classification rule that applies to a shared folder. Create a file management task to expire corporate documents. Verify that corporate documents are expired.

Task 1: Create a classification property for corporate documentation


1. 2. On LON-SVR1, from Server Manager, start the File Server Resource Manager.

In File Server Resource Manager, under Classification Management, create a local property with the following settings: o o Name: Corporate Documentation Property Type: Yes/No

3.

Leave the File Server Resource Manager open.

Task 2: Create a classification rule for corporate documentation


1. In the File Server Resource Manager console, create a classification rule with following settings: o o o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled. Scope tab: E:\Labfiles\Corporate Documentation folder Classification tab: 2. 3. Classification method: Folder Classifier Property, Choose a property to assign to files: Corporate Documentation Property, Specify a value: Yes Evaluation type tab: Re-evaluate existing property values and Aggregate the values

Select both Run the classification with all rules and Wait for classification to complete. Review the Automatic classification report that displays in Internet Explorer, and ensure that the report lists the same number of classified files as in the Corporate Documentation folder.

MCT USE ONLY. STUDENT USE PROHIBITED

2-26 Implementing Advanced File Services

4.

Close Internet Explorer, but leave the File Server Resource Manager open.

Task 3: Create a classification rule that applies to a shared folder


1. In the File Server Resource Manager, create a local property with following settings: o o 2. Name: Expiration Date Property Type: Date-Time

In the File Server Resource Manager console, create a classification rule with the following settings: o o o o o General tab, Rule name: Expiration Rule, and ensure that the rule is enabled Scope tab: E:\Labfiles\Corporate Documentation Classification tab, Classification method: Folder Classifier Property, Choose a property to assign to files: Expiration Date Evaluation type tab: Re-evaluate existing property values and Aggregate the values

3. 4. 5.

Select both Run the classification with all rules and Wait for classification to complete. Review the Automatic classification report that appears in Internet Explorer, and ensure that report lists the same number of classified files as the Corporate Documentation folder. Close Internet Explorer, but leave the File Server Resource Manager open.

Task 4: Create a file management task to expire corporate documents


1. In File Server Resource Manager, create a file management task with following settings: o o o o o o General tab, Task name: Expired Corporate Documents and ensure that the task is enabled Scope tab: E:\Labfiles\Corporate Documentation Action tab, Type: File expiration is selected, Expiration directory: E:\Labfiles\Expired Notification tab: Event Log and Send warning to event log Condition tab, Days since the file was last modified: 1

Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or more, depending on each companys policy o o Schedule tab: Weekly and Sunday Leave the File Server Resource Manager console open.

Task 5: Verify that corporate documents are expired


1. 2. 3. 4.

In File Server Resource Manager, click Run File Management Task Now, and then click Wait for the task to complete. Review the File management task report that displays in Internet Explorer, and ensure that the report lists the same number of classified files as the Corporate Documentation folder. Start Event Viewer, and in the Event Viewer console, open the Application event log. Review events with numbers 908 and 909. Notice that 908 FSRM started a file management job, and 909 FSRM finished a file management job.

MCT USE ONLY. STUDENT USE PROHIBITED


2-27

Configuring Advanced Windows Server 2012 Services

Results: After completing this exercise, you will have configured a file classification infrastructure so that the latest version of the documentation is always available to users.

To prepare for the next lab


When you finish the lab, revert 20417A-LON-SVR2. To do this, complete the following steps. 1. 2. 3. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20417A-LON-SVR2, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Keep all other virtual machines running for the next lab.

MCT USE ONLY. STUDENT USE PROHIBITED

2-28 Implementing Advanced File Services

Lab B: Implementing BranchCache


Scenario

A Datum Corporation has deployed a new branch office, which has a single server. To optimize file access in branch offices, you must configure BranchCache. To reduce WAN use out to the branch office, you must configure BranchCache to retrieve data from the head office. You will also implement FSRM to assist in optimizing file storage at A. Datum.

Objectives
Configure the main office servers for BranchCache. Configure the branch office servers for BranchCache. Configure client computers for BranchCache. Monitor and verify BranchCache.

Lab Setup
Estimated Time: 30 Minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-CL1 20412A-LON-CL2 Estimated time: 30 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-CL1 20412A-LON-CL2 Adatum\Administrator Pa$$w0rd

Virtual Machine(s)

User Name Password

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: o o User name: Adatum\Administrator Password: Pa$$w0rd

5.

Repeat steps 2-4 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.

Exercise 1: Configuring the Main Office Servers for BranchCache


Scenario
Before you can configure the BranchCache feature for your branch offices, you must configure the network components.

MCT USE ONLY. STUDENT USE PROHIBITED


2-29

Configuring Advanced Windows Server 2012 Services

The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure LON-DC1 to use BranchCache. Simulate a slow link to the branch office. Enable a file share for BranchCache. Configure client firewall rules for BranchCache.

Task 1: Configure LON-DC1 to use BranchCache


1. 2. 3. 4. 5. Switch to LON-DC1. Open Server Manager, and install the BranchCache for network files role service. Open the Local Group Policy Editor (gpedit.msc).

Navigate to and open Computer Configuration/Administrative Templates/Network/Lanman Server/Hash Publication for BranchCache.

Enable the BranchCache setting, and then select Allow hash publication only for shared folders on which BranchCache is enabled.

Task 2: Simulate a slow link to the branch office


1. 2.

In the Local Group Policy Editor console, navigate to Computer Configuration\Windows Settings \Policy-based QoS. Create a new policy with the following settings: o o Name: Limit to 100 Kbps Specify Outbound Throttle Rate: 100

Task 3: Enable a file share for BranchCache


1. 2. In a Windows Explorer window, create a new folder named C:\Share. Share this folder with the following properties: o o o 3. Share name: Share Permissions: default Caching: Enable BranchCache

Copy C:\Windows\System32\write.exe to the C:\Share folder.

Task 4: Configure client firewall rules for BranchCache


1. 2. 3. 4. On LON-DC1, open Group Policy Management.

Navigate to Forest: Adatum.com\Domains\Adatum.com\Default Domain Policy, and then open the policy for editing. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules. Create a new inbound firewall rule with the following properties: a. b. c. Rule type: predefined Use BranchCache Content Retrieval (Uses HTTP) Action: Allow

5.

Create a new inbound firewall rule with the following properties:

MCT USE ONLY. STUDENT USE PROHIBITED

2-30 Implementing Advanced File Services

d. e. f. 6.

Rule type: predefined Use BranchCache Peer Discovery (Uses WSD) Action: Allow

Close the Group Policy Management Editor and Group Policy Management console.

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and enabled BranchCache on a file share.

Exercise 2: Configuring the Branch Office Servers for BranchCache


Scenario
The next step you must perform is to configure a file server for the BranchCache feature. You will install the BranchCache feature, request a certificate, and then link it to BranchCache. The main tasks for this exercise are as follows: 1. 2. Install the BranchCache feature on LON-SVR1. Start the BranchCache host server.

Task 1: Install the BranchCache feature on LON-SVR1

On LON-SVR1, from Server Manager, add the BranchCache for Network Files role service and the BranchCache feature.

Task 2: Start the BranchCache host server


1. 2. 3. 4. 5.

On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit (OU) called BranchCacheHost. Move LON-SVR1 into the BranchCacheHost OU. Open Group Policy Management, and block GPO inheritance on the BranchCacheHost OU. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd. On LON-SVR1, open Windows PowerShell, and run the following cmdlet:
Enable-BCHostedServer RegisterSCP

6.

On LON-SVR1, in Windows PowerShell, run the following cmdlet:


Get-BCStatus

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

Exercise 3: Configuring Client Computers for BranchCache


Scenario
After configuring the network components, you must ensure that the client computers are configured correctly. This is a preparatory task for using BranchCache.

MCT USE ONLY. STUDENT USE PROHIBITED


2-31

Configuring Advanced Windows Server 2012 Services

The main task for this exercise is as follows: 1. Configure client computers to use BranchCache in Hosted Cache mode

Task 1: Configure client computers to use BranchCache in Hosted Cache mode


1. 2. 3. On LON-DC1, open Server Manager, and then open Group Policy Management. Edit the Default Domain Policy. In the Group Policy Management Editor, browse to Computer Configuration\Policies \Administrative Templates\Network\BranchCache, and configure the following: o o o o 4. 5. 6. 7. Turn on BranchCache: Enabled Enable Automatic Hosted Cache Discovery by Service Connection Point: Enabled Configure BranchCache for network files: Enabled

Type the maximum round trip network latency (milliseconds) after which caching begins: 0

Start 20412A-LON-CL1, open a command prompt window, and refresh the Group Policy settings using the command gpupdate /force. At the command prompt, type netsh branchcache show status all, and then press Enter. Start the 20412A-LON-CL2, open the command prompt window, and refresh the Group Policy settings using the command gpupdate /force. At the command prompt, type netsh branchcache show status all, and then press Enter.

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 4: Monitoring BranchCache


Scenario
Finally, you must test and verify that the BranchCache feature is working as expected. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure Performance Monitor on LON-SVR1. View performance statistics on LON-CL1. View performance statistics on LON-CL2. Test BranchCache in the Hosted Cache mode.

Task 1: Configure Performance Monitor on LON-SVR1


1. 2. 3. On LON-SVR1, open Performance Monitor. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor.

Remove existing counters, change to report view, and then add the BranchCache object counters to the report.

MCT USE ONLY. STUDENT USE PROHIBITED

2-32 Implementing Advanced File Services

Task 2: View performance statistics on LON-CL1


1. 2. 3. Switch to LON-CL1, and open the Performance Monitor. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. In Performance Monitor, remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 3: View performance statistics on LON-CL2


1. 2. 3. Switch to LON-CL2, and open Performance Monitor. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor. In the Performance Monitor, remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 4: Test BranchCache in the Hosted Cache mode


1. 2. 3. Switch to LON-CL1.

Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This could take several minutes because of the simulated slow link. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes Served). Switch to LON-CL2.

4. 5. 6. 7.

Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This should not take as long, because the file is cached. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache). Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

Results: At the end of this exercise, you will have verified that BranchCache is working as expected.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps. 1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.

MCT USE ONLY. STUDENT USE PROHIBITED


2-33

Configuring Advanced Windows Server 2012 Services

Module Review and Takeaways


Question: How does BranchCache differ from the Distributed File System? Question: Why would you want to implement BranchCache in Hosted Cache mode instead of Distributed Cache mode? Question: Can you configure Data deduplication on a boot volume? Question: Why would you implement a file classification infrastructure?

Real-world Issues and Scenarios

Your organization is considering deploying an iSCSI solution. You are a Windows Server 2012 administrator who is responsible for designing and deploying the new solution. This new solution will be used by different type of technologies, such as Windows Server 2012 file server, Exchange Server, and SQL Server. You are facing a challenge of designing an optimal iSCSI solution, but at the same time you are not sure whether the solution you are going to propose to your organization will meet the requirements of all technologies that will be accessing the iSCSI storage. What should you do? Answer: You should include on the team that will design and deploy the iSCSI solution experts from different areas of specialization. Team members who will be involved in the project should include Windows Server 2012 administrators, network administrators, storage administrators, and security administrators. This is necessary so that the iSCSI storage solution has optimal performance and security, and has consistent management and operations procedures.

Your organization is considering deploying a BranchCache solution. You are a Windows Server 2012 administrator in your organization, and are responsible for designing and deploying the new solution. The organizations business managers are concerned about security of the data that will be stored in the branch offices. They are also concerned about how the organization will address security risks such as data tampering, information disclosure, and denial of service attacks. What should you do? Answer: You should include a security expert on your design team. You should also consider the defensein-depth model of analyzing security risks. BranchCache addresses the security risks as follows:

Data tampering. The BranchCache technology uses hashes to confirm that during the communication, the client and the server did not alter the data. Information disclosure. BranchCache sends encrypted content to clients, but they must have the encryption key to decrypt the content. Because potential malicious user would not have the encryption key, if an attacker attempts to monitor the network traffic to access the data while it is in transit between clients, the attempt will not be successful. Denial of service. If an attacker tries to overload the client with requests for data, BranchCache technology includes queue management counters and timers to prevent clients from being overloaded.

Your organization is using large amounts of disk space for data storage and is facing a challenge of organizing and managing the data. Furthermore, your organization must satisfy requirements for security, compliance, and data leakage prevention for company confidential information. What should you do? Answer: You should deploy the file classification infrastructure. Based on file classification, you can configure file management tasks that will enable you to manage groups of files based on various file and folder attributes. You can also automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information. Best Practice:

When considering an iSCSI storage solution for your organization, spend most of the time on the design process. The design process is crucial because it allows you to optimize the solution for all

MCT USE ONLY. STUDENT USE PROHIBITED

2-34 Implementing Advanced File Services

technologies that will be using iSCSI storage, such as file services, Exchange Server, and SQL Server. The design should also accommodate future growth of your organizations business data. Successful design processes guarantee a successful deployment of the solution that will meet your organizations business requirements. When planning for BranchCache deployment, ensure that you work closely with your network administrators so that you can optimize network traffic across the WAN.

When planning for file classifications, ensure that you start with your organizations business requirements. Identify the classifications that you will apply to documents, and then define a method that you will use to identify documents for classification. Before you deploy the file classification infrastructure, create a test environment and test the scenarios to ensure that your solution will result in a successful deployment and that your organizations business requirements will be met.

Tools
Tool iSCSI target server iSCSI initiator Deduplication Evaluation tool (DDPEval.exe) File Server Resource Manager Use Configure iSCSI targets Configure a client to connect to an iSCSI target virtual disk Analyze a volume to find out the potential savings when enabling data deduplication A set of features that allow you to manage and classify data that is stored on file servers Where to find it In Server Manager, under File and Storage Servers In Server Manager, in the Tools dropdown list box C:\windows\system32

Server Manager

MCT USE ONLY. STUDENT USE PROHIBITED


3-1

Module 3
Implementing Dynamic Access Control
Contents:
Module Overview Lesson 1: Overview of Dynamic Access Control Lesson 2: Planning for Dynamic Access Control Lesson 3: Deploying Dynamic Access Control Lab: Implementing Dynamic Access Control Module Review and Takeaways 3-1 3-2 3-8 3-13 3-22 3-30

Module Overview

The Windows Server 2012 operating system introduces a new feature for enhancing access control for file-based and folder-based resources. This feature, called Dynamic Access Control, extends regular NTFS file systembased access control by enabling administrators to use claims, resource properties, policies, and conditional expressions to manage access. In this module, you will learn about Dynamic Access Control, and how to plan for it and implement it.

Objectives
After completing this module, you will be able to: Describe Dynamic Access Control and its components. Plan for Dynamic Access Control implementation. Deploy Dynamic Access Control.

MCT USE ONLY. STUDENT USE PROHIBITED

3-2

Implementing Dynamic Access Control

Lesson 1

Overvi iew of Dynami D c Acces ss Contr rol

Dyn namic Access Control C is a new w Windows Se erver 2012 feat ture that you c can use for acc cess managem ment. Dyn namic Access Control C offers a new way of securing s and c controlling acc cess to resourc ces. Before you u imp plement this feature, you sho ould understan nd how it work ks and which c components it uses. This less son pres sents an overv view of Dynamic Access Cont trol.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Define Dynam mic Access Con ntrol. Describe the foundation tec chnologies for r Dynamic Acc cess Control.

namic Access Control C with alternative and similar techno ologies such as s NTFS permis ssions Compare Dyn and Active Di irectory Rights s Management t Services (AD RMS). Define identit ty. Define claim and claim type es. Define a cent tral access policy.

Wh hat Is Dyna amic Acce ess Control l?


Typically, most of an organizatio ons data is sto ored on file f servers. Therefore, IT adm ministrators must prov vide proper se ecurity and acc cess control to file serv ver resources. In I previous ver rsions of Wind dows Serv ver, IT administrators controlled most acce ess to file server resourc ces by using NT TFS permission ns and access contro ol lists.

Dyn namic Access Control C in Wind dows Server 2012 is a new access co ontrol mechanism for file sys stem reso ources. It enables administrators to define cent tral file access policies that can c apply to ev very file server in the organization. o Dynamic D Acces ss Con ntrol implemen nts a safety net over file serv vers, and over a hare and NTFS S permissions. It also any existing sh ensu ures that regardless of how the t share and NTFS permiss ions might cha ange, this cent tral overriding g policy is still enfor rced. Dynamic c Access Contro ol combines m multiple criteria a into the acce ess decision; th his is som mething that NTFS permissions cannot do. Dyn namic Access Control C provide es a flexible way to apply an nd manage acc cess and audit ting to domain nbase ed file servers. Dynamic Acce ess Control uses claims in th he authenticati ion token, reso ource properties on the resource, and conditional ex xpressions with hin permission n and auditing g entries. With this combinat tion of feat tures, you can now grant acc cess to files and folders base ed on Active D Directory Dom main Services (A AD DS) attributes. Dyn namic Access Control C provide es: Data identific cation. You can n use automatic and manual l file classificat tion to tag dat ta in file server rs across the org ganization.

Configurin ng Advanced Window ws Server 2012 Ser rvices

Access cont trol to files. Ce entral access policies enable organizations s to define, for example, who o can access health information n within an org ganization. f file access. Yo ou can use cen ntral audit poli icies for compliance reportin ng and forensic Auditing of analysis. Fo or example, you u can identify who accessed highly sensitiv ve information n.

Optional RM MS protection integration. You Y can use Rig ghts Managem ment Services (RMS) encrypt tion for sensitive Microsoft Office documents s. For example,, you can conf figure RMS to encrypt all documents s containing He ealth Insurance Portability a nd Accountab bility Act (HIPA AA) information.

MCT USE ONLY. STUDENT USE PROHIBITED


3-3

Dynamic Access s Control is de esigned for fou ur main end-to o-end scenario os:

Central access policy for access a to files. Enables organ nizations to se et safety net po olicies that reflect business an nd regulatory compliance. c Auditing fo or compliance and analysis. Enables E targete ed auditing ac cross file servers for compliance reporting and forensic an nalysis.

Protecting sensitive information. Identifies and prote ects sensitive in nformation wit thin a Window ws Server 2012 enviro onment, and when w it leaves the Windows Server 2012 en nvironment. Access denied remediatio on. Improves the access-den nied experience e to reduce he elp desk load a and incident tim me for troubles shooting.

Foundation n Technolo ogies for Dynamic D A Access Con ntrol


Dynamic Access s Control combines many Windows W Se erver 2012 technologies to provide p a flexib ble and granular author rization and au uditing experie ence. Dynamic Access s Control uses the following te echnologies: Network pr rotocols, such as TCP/IP, Rem mote Procedure Call C (RPC), Server Message Block B (SMB), and Lightweight Directory D Acces ss Protocol (LDAP), for netw work communications between ho osts, and intera action with file e system and d directory lookups. Domain Na ame System (D DNS) for host name n resolution. AD DS and its dependent t technologies for enterprise e network man nagement. The Kerberos version 5 protocol, includ ding FAST Sear rch and Comp pound Identity for secure authenticat tion.

Windows Security (local security s authority (LSA), Net Logon service e) for secure lo ogon transactio ons. File classific cations for file categorization n. Auditing fo or secure monitoring and acc countability.

everal compon nents and tech hnologies are updated u in Wi ndows Server 2012 to suppo ort Dynamic A Access Se Control. The mo ost important updates are:

A new Wind dows authoriz zation and aud dit engine that can process c conditional exp pressions and c central policies. Kerberos au uthentication support s for user claims and device claims.

MCT USE ONLY. STUDENT USE PROHIBITED

3-4

Implementing Dynamic Access Control

Improvement ts to the file classification inf frastructure.

Optional RMS S extensibility support so tha at partners can n provide solut tions for encry ypting files tha at are not Microsoft t Office files.

Dy ynamic Acc cess Contr rol vs. Alternative Pe ermissions Technologies


Dyn namic Access Control C controls access to file ebase ed resources. It I does not ove erlap with olde er, well l-known techn nologies that provide p similar func ctionality. Inste ead, Dynamic Access Contro ol exte ends the functionality of older technologie es for controlling file-ba ased resource access. a p versions of Window ws Server, the basic b In previous mec chanism for file e and folder access control was w NTF FS permissions. By using NTF FS permissions s and thei ir access control lists (ACLs), administrators s can control access to resources base ed on user nam me secu urity identifiers s (SIDs) or group membership SIDs s, and the leve el of access suc ch as Read-onl ly, Change, an d Full Control.. However, onc ce you provide e som meone with, for example, Rea ad Only access s to a docume nt, you cannot t prevent that person from copying the conte ent of that doc cument into a new documen nt or printing t the document t.

By implementing AD RMS, you can establish an a additional l level of file control. Unlike, N NTFS permissio ons, which are not app plication-aware e, AD RMS sets a policy that t can control d document acce ess inside the app plication that th he user uses to o open it. By im mplementing A AD RMS, you e enable users to o protect doc cuments within n applications.

How wever, you can nnot set condit tional access to o files by using g NTFS and AD D RMS. For exa ample, you cannot set NTFS permissions so that users can access documents if f they are mem mbers of specif fic groups and have thei ir EmployeeTy ype attributes set to Full Tim me Employee e (FTE). Additio onally, you can nnot set perm missions so tha at only users who w have a department attri ibute populate ed with the sam me value as th he dep partment attrib bute for the res source can acc cess the conte nt. However, y you can use co onditional expressions to acc complish these e tasks. You ca an use Dynami c Access Control to count at ttribute values s on user rs or resource objects when providing or denying d access s.

Wh hat Is Iden ntity?


Iden ntity is usually defined as a set of data that t uniq quely describe es a person or a thing (somet times refe erred to as subj ject or entity) and a contains info ormation about the subject's relationships to othe er entities. Identity is usually y verified by us sing a trus sted source of information. For example, whe en you go to th he airport, you u show w your passpo ort. Your passp port contains your y nam me, address, da ate of birth, an nd photograph h. Each h item of perso onal informati ion is a claim that t is mad de about you by b the country y issuing your pass sport. Your country ensures that the

Configurin ng Advanced Window ws Server 2012 Ser rvices

in nformation tha at is published in a passport is accurate for r the passport owner. Becaus se you usually use the pa assport outside of your coun ntry of residen nce, other coun ntries must also trust the info ormation in yo our pa assport. They must m trust the organization that issued yo ur passport an nd consider it reliable. Based d on th hat trust, other r countries gra ant you access to their territo ories (which ca an be consider red resources). . Th herefore, in this example, to access resourc ces in other co ountries, each person is requ uired to have a ed source and do ocument (pass sport) that is is ssued by a relia able and truste d that contains s critical claims s that de escribe the person. Th he Windows Server operatin ng system uses s a similar conc cept of identity y. An administ trator creates a user ac ccount in AD DS D for a person n. The domain n controller pu blishes user ac ccount information, such as a se ecurity identifier and group membership attributes. a Whe en a user accesses a resource e, Windows Se erver cr reates an authorization token.

To o continue the e foreign trave el analogy, you u are the user, and the autho orization token n is the passpo ort. Each un nique piece of f information in the authoriz zation token is a claim made e about your user account. D Domain co ontrollers publish these claim ms. Domain-joined compute ers and domain n users trust domain control llers to provide authoritative informa ation. We W can then say that identity y, with respect to authenticat tion and autho orization, is inf formation pub blished ab bout an entity from a trusted d source. Furth hermore, the i nformation is considered au uthoritative because th he source is tru usted.

tifier (SID) to r Ea arlier versions of Windows Server used the e security ident represent the i identity of a user or co omputer. Users authenticate e to the domain with a specif fic user name and password. The unique logon na ame translates s into the SID. The domain controller valid ates the passw word and publishes the SID o of the se ecurity principa al and the SIDs of all the gro oups within wh hich the princi pal is a memb ber. The domai in co ontroller claim ms the user's SID is valid and should be use ed as the ident tity of the user r. All domain m members tr rust their doma ain controller; therefore, the e response is tr reated as authoritative. Id dentity is not limited to the user's u SID. App plications can u use any inform mation about the user as a fo orm of id dentity, if the application a trusts that the source of the inf formation is au uthoritative. Fo or example, m many ap pplications implement role based b access control (RBAC).. RBAC limits a access to resou urces based on n whether w the use er is a member of a specific role. Microsoft t SharePoint Server is a goo od example of f so oftware that im mplements role e-based securi ity. Windows S Server 2012 ca an also take ad dvantage of the ese op ptions to exten nd and enhanc ce the way ide entity is determ mined for a sec curity principa al.

MCT USE ONLY. STUDENT USE PROHIBITED


3-5

What W Is a Claim? C

Windows W Server 2008 and Wi indows Server 2003 us se claims in Ac ctive Directory y Federation Se ervices (A AD FS). In this context, c claims s are statemen nts made m about use ersfor example, name, identity, ke ey, group, priv vilege, or capab bilitywhich are a un nderstood by the t partners in n an AD FS fe ederation. AD FS also provides AD DSbase ed claims, and the ability to conv vert the data from th hese claims into Security Assertions Markup La anguage (SAM ML) format. In previous p versio ons of AD FS, the only attributes that could be retrieved from AD DS and d incorporated d directly into a claim was w SID informa ation for user and a group acc counts. All oth er claim inform mation was de efined within and re eferenced from m a separate da atabase, know wn as an attribu ute store. Wind dows Server 20 012 now allow ws you to o read and use e any attribute directly from AD DS. You do o not need to use a separate e AD FS attribu ute st tore to hold th his type of information for Ac ctive Directory ybased comp puter or user ac ccounts.

MCT USE ONLY. STUDENT USE PROHIBITED

3-6

Implementing Dynamic Access Control

By definition, d a cla aim is somethi ing that AD DS S states about a specific obje ect (usually a u user or compu uter). A claim provides information i fro om the trusted d source abou t an entity. So ome examples of claims are t the SID of a user or co omputer, the department d cla assification of a file, and the e health state o of a computer. . All thes se claims state e something ab bout a specific object.

An entity e normally y contains mo ore than one claim. When co onfiguring reso ource access, any combinatio on of claim ms can be used to authorize e access to reso ources.

In Windows W Serve er 2012, the au uthorization mechanism is ex xtended. You c can now use u user claims and d device claims for file f and folder r authorization n in addition to o NTFS permis ssions that are based on user rs SID or group g SIDs. By using claims, you can now base b your acce ess control dec cision on SID a and other attribute valu ues. Note that Windows Serv ver 2012 still su upports using group membe ership for auth horization decisions.

Use er Claim
A us ser claim is inf formation that is provided by y a Windows S Server 2012 do omain controll ler about a use er. Win ndows Server 2012 2 domain controllers c can use most AD DS user attrib butes as claim i information. T This prov vides administ trators with a wide w range of possibilities fo or configuring and using clai ims for access control.

Dev vice Claim


A de evice claimw which is often called c a compu uter claimis information th hat is provided d by a Window ws Serv ver 2012 doma ain controller about a a device e that is repres sented by a co omputer accou unt in AD DS. A As with h user claims, device d claims can c use most of o the AD DS a attributes that are applicable e to computer r obje ects.

Wh hat Is a Ce entral Acce ess Policy?


One e of the fundam mental compo onents of Dyna amic Access Control is the t central acc cess policy. This Win ndows Server 2012 2 feature enables adm ministrators to create policies s that they can n app ply to one or more m file server rs. You create policies in the Act tive Directory Administrative A e Cen nter, which then stores them in AD DS, and d you then n apply them by b using Group Policy. The cent tral access policy contains one or more central acce ess policy rules s. Each rule co ontains settings s that dete ermine applica ability and per rmissions.

Befo ore you create e a central acce ess policy, you mus st create at lea ast one central access rule. Central access r rules define al l parameters a and conditions s that control access to specific resour rces. A ce entral access ru ule has three configurable c parts: p Name. For ea ach central acc cess rule, you should s configu ure a descriptiv ve name.

Target resour rce. This is a co ondition that defines d to whic ch data the po olicy applies. Yo ou define a condition by specifying an attribute and its value. For e example, a par rticular central policy rule might apply to any data that you classify as sensitive. You can n also apply th e rule to all re esources to wh hich the central ac ccess policy ap pplies.

Configuring Advanced Windows Server 2012 Services

Permissions. This is a list of one or more access control entries (ACEs) that define who can access data. For example, you can specify Full Control Access to a user with attribute EmployeeType set to FTE (full-time employee). This is the key component of each central access rule. You can combine and group conditions that you place in the central access rule. You can set permissions either to proposed (for staging purposes) or current.

After you configure one or more central access rules, you then add these rules to the central access policy, which is then applied to the resources. The central access policy enhances, but does not replace, the local access policies or discretionary access control lists (DACLs) that are applied to files and folders on a specific server. For example, if a DACL on a file allows access to a specific user, but a central access policy that is applied to the file restricts access to the same user, the user will not be able to obtain access to the file. Likewise, if the central access policy allows access but the DACL does not allow access, then the user will not be able to access the file. Before implementing the central access policy, perform these steps: 1. 2. 3. 4. 5. 6. Create a claim, and then connect it to users or computer objects by using attributes. Create file property definitions. Create one or more central access rules. Create a Central Access Policy object and define its settings.

Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a central access policy exists in AD DS. On the file server, apply that policy to a specific shared folder.

MCT USE ONLY. STUDENT USE PROHIBITED


3-7

MCT USE ONLY. STUDENT USE PROHIBITED

3-8

Implementing Dynamic Access Control

Lesson 2

Planning for Dynami D ic Acces ss Contr rol

Dyn namic Access Control C require es detailed planning prior to o implementation. You shoul ld identify reas sons ting, for implementing Dynamic Acce ess Control, an nd plan for cen ntral access po olicy, file classifications, audit and access-denied d assistance. In n this lesson, you y will learn a about planning g Dynamic Acc cess Control.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: sons for implem menting Dynamic Access Co ontrol. Describe reas Plan for centr ral access polic cy. Plan for file classifications. g. Plan for file access auditing Plan for acces ss-denied assis stance.

Reasons for Implemen nting Dyna amic Acces ss Control


Befo ore you implem ment Dynamic c Access Contr rol, you should clearly y identify the reasons r for using this feature. Dynamic Access Co ontrol should be b well l designed bef fore you imple ement it. An imp properly planne ed implementation can caus se som me users to be denied access to required data, and other users to o be granted access a to restricted data a.

The most common reason to im mplement Dyna amic Access Control is to t extend func ctionality of an n existing access control model. Most M organizat tions use NTFS and share permissions s to implemen nt acce ess control for file and folder resources. In most cases, N NFTS is sufficient, but in some scenarios, it does not work. For example, you cannot use NFTS ACL to protec ct a resource o on a file server, , which means that a us ser must simultaneously be a member of two groups to access the res source. You mu ust use Dynam mic Access Control ins stead of traditional methods s for implemen nting access co ontrol when yo ou want to use e mor re specific info ormation for au uthorization purposes. NTFS S and share pe ermissions use only user or group obje ects.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


3-9

Planning P fo or Central Access Po olicy


Im mplementing central c access policy is not mandatory m for Dynamic D Access Control. Ho owever, fo or consistent co onfiguration of o access contr rol on all file servers, you y should imp plement at least one ce entral access policy. p By doing g so, you enab ble all fil le servers within a specific sc cope to use a central c ac ccess policy wh hen protecting g content in sh hared fo olders. Be efore you implement a central access polic cy, cr reate a detailed plan as follo ows: 1. .

Identify the e resources tha at you want to o protect. If all a these resources are on on ne file server or in just one folde er, then you might m not have to implement t a central acce ess policy. Inst tead, you can configure condit tional access on the folders ACL. However r, if resources a are distributed d across several serv vers or folders, , then you may y benefit from m deploying a c central access policy. Data th hat might require additional protection ma ay include pay yroll records, m medical history y data, employ yee personal information, and d company customer lists. Y You can also us se targeting within central ac ccess rules to ide entify resources to which you u want to appl y central access policy.

2. .

Define the authorization policies. These e policies are u usually defined d from your bu usiness require ements. Some exam mples are: o o All doc cuments that have h property confidentiality y set to high m must be availab ble only to managers. Market ting document ts from each country c should d be writable o only by market ting people fro om the same country. c Only fu ull time employees should be able to acce ss technical do ocumentation from previous s project ts.

o 3. .

Translate th he authorizatio on policies that you require into expressions. In the case e of Dynamic A Access Control, expressions are attributes a that are associated d with both th he resources (fi iles and folder rs) and the user or device that se eeks access to the resources. These express sions state add ditional identif fication requiremen nts that must be b met to acce ess protected d data. Values th hat are associated with any expressions s on the resource obligate th he user or devi ice to produce e the same value.

4. .

Next, you should break down d the expre essions that yo ou have create ed, and determ mine what claim m types, resource pr roperties, and device claims that you must t create to dep ploy your polic cies. In other w words, you must id dentify the attributes for acc cess filtering.

Note: You must use use er claims to de eploy central a access policies . You can use security groups to repre esent user iden ntities.

MCT USE ONLY. STUDENT USE PROHIBITED

3-10 Implemen nting Dynamic Access Control

Pla anning File e Classifica ations


Whe en planning yo our Dynamic Access A Control imp plementation, you y should inc clude file classifications. Although file clas ssifications are e not man ndatory for Dy ynamic Access Control, they can enhance the automation of the entire process s. For exam mple, if you re equire that all documents d that are classified Conf fidentiality: High be accessib ble to top management only, regardle ess of the serve er on which the documents exist, you should ask yourself how you identify these documents, and a how w to classify the em appropriat tely.

The file classification infrastructure uses classification rules s to scan files automatically, a sify them acco ording to the c contents of the e file. and then class Clas ssification and d Resource pr roperties are defined d centra lly in AD DS so o that these de efinitions can b be shar red across file servers in the organization. You can creat te classification n rules that sca an files for a stan ndard string or r for a string th hat matches a pattern (regul lar expression) ). When a conf figured classification para ameter is found d in a file, that t file is classifie ed as configure ed in the classification rule. Whe en planning fo or file classifica ations, do the following: f Identify which h classification n or classificatio ons that you w want to apply t to documents. Determine the method that t you will use to t identify doc cuments for classification. Define the schedule for aut tomatic classifi ications. Establish periodic reviews to o determine th he success of t the classificatio ons.

You u configure file e classifications s in the File Server Resource Manager console.

Onc ce you have a defined the cla assifications, you y can plan th he implementa ation of Dynam mic Access Control by defining d conditional expressions which will enable you t o control acce ess to high con nfidential doc cuments based d on particular user attributes.

Pla anning File e Access Auditing A


In Windows W Serve er 2008 R2 and d Windows Ser rver 2012, you can use e advanced audit policies to imp plement detaile ed and more precise p file syst tem auditing. In Windo ows Server 2012, you can als so imp plement auditin ng together with w Dynamic Access A Con ntrol to utilize the new Windows security auditing capabilities. By using conditional expressions, you can c configure auditing so that it only y occurs in spe ecific cases. For example, you u may y want to audit attempts to open o shared fold ders by users in n countries oth her than the country where the e shared folder is located. Yo ou achieve this by im mplementing proposed p perm missions in the central access rules. With Global Object Access auditing, administrators can defi ine computer system access s control lists (SAC CLs) according g to the object t type for eithe er the file syste em or registry. The specified SACL is then app plied automatic cally to every object o of that type. You can use a Global O Object Access Audit policy to

MCT USE ONLY. STUDENT USE PROHIBITED


3-11

Configuring Advanced Windows Server 2012 Services

enforce the Object Access Audit policy for a computer, file share, or registry without configuring and propagating conventional SACLs. Configuring and propagating a SACL is a complex administrative task that is difficult to verify, particularly if you must verify to an auditor that a security policy is being enforced. Note: Auditors can verify that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy setting.

Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Audit policy to log all activity for a specific user and enabling the Access Failures audit policies in a resource such as a file system or registry can help administrators quickly identify which object in a system is denying a user access. Before you implement auditing you should prepare an audit plan. In the auditing plan, you should identify resources, users, and activities that you want to track. You can implement auditing for several scenarios, such as:

Tracking changes to user and machine attributes. As with files, users and machine objects can have attributes, and changes to these can affect whether users can access files. Therefore, tracking changes to user or machine attributes can be valuable. Users and machine objects are stored in AD DS, which means that you can track their attributes using Directory Service Access auditing. Obtaining more information from user logon events. In Windows Server 2012, a user logon event (4624) contains information about the attributes of the file that was accessed. You can view this additional information by using audit log management tools to correlate user logon events with object access events, and by enabling event filtering based on both file attributes and user attributes.

Providing more information from object access auditing. In Windows Server 2008 R2 and Windows Server 2012, file access events 4656 and 4663 now contain information about the attributes of the file that was accessed. Event log filtering tools can use this additional information to help you identify the most relevant audit events. Tracking changes to central access policies, central access rules, and claims. Because theseobjects are stored in AD DS, you can audit them just as you would any other securable object in AD DS by using Directory Service Access auditing.

Tracking changes to file attributes. File attributes determine which central access policy applies to the file. A change to the file attributes can potentially affect the access restrictions on the file. You can track changes to file attributes on any machine by configuring Authorization Policy Change auditing and Object Access auditing for file systems. Event 4911 is introduced in Windows Server 2012 to differentiate this event from other Authorization policy change events.

MCT USE ONLY. STUDENT USE PROHIBITED

3-12 Implemen nting Dynamic Access Control

Pla anning Acc cess Denie ed Assistan nce

Access Denied Assistance helps end users dete ermine why th hey cannot acc cess a resource e. It also o allows IT staff f to properly diagnose d a problem, and then direct the re esolution. Wind dows Serv ver 2012 enables you to cust tomize messag ges abo out denied acce ess and provid de users with the ability to request access without contacting th he help p desk or IT tea am. In combin nation with Dyn namic Access Control, C Access s Denied Assist tance can inform the file e administrato or of user and reso ource claims, enabling e the ad dministrator to o mak ke educated decisions about t how to adjust policies or fix user r attributes (fo or example,. if the t departmen nt is listed as H HR instead of H Human Resources). Whe en planning fo or Access Denied Assistance, you should in nclude the follo owing : Define messages that users will see when n they try to ac ccess resources s for which the ey do not have e access rights. The message should be info ormal and easy y to understan nd. Create the em mail text that users u use to req quest access. I f you allow us sers to request t access to resources, you can prepare text that is ad dded to their e email messages.

Determine the recipients fo or the Access Request R email messages. You u can choose t to send email t to folder owners s, file server ad dministrators, or o any other sp pecified recipi ent. Messages s should alway ys be tool or monito directed to th he proper pers son. If you have a help desk t oring solution that allows em mail messages, you can also dire ect those mess sages to gener rate user reque ests in your he elp desk solutio on automatically y. Decide on the e target opera ating systems. Access A Denied d Assistance on nly works with Windows 8 o or Windows Serv ver 2012.

MCT USE ONLY. STUDENT USE PROHIBITED


3-13

Configuring g Advanced Windows s Server 2012 Serviices

Lesson n3

Deplo oying Dynamic D c Access s Contro ol


Le esson Objec ctives
After completin ng this lesson, you y will be able to: Describe th he prerequisite es for impleme enting Dynamic c Access Control. Enable support in AD DS for Dynamic Access A Control l. Implement claims and resource proper rty objects. Implement central access s rules and policies. Implement file access aud diting. Implement Access Denied d assistance. Implement file classificati ions. Implement Dynamic Acce ess Control.

To o deploy Dyna amic Access Co ontrol, you mu ust perform sev veral steps and d configure se everal objects. In this le esson, you will learn about im mplementing and a configurin ng Dynamic Ac ccess Control.

Prerequisit P es for Imp plementing g Dynamic c Access Co ontrol


Be efore impleme enting Dynami ic Access Cont trol, yo ou must ensur re that your servers meet cer rtain prerequisites. Claims-based authorization re equires th he following in nfrastructure: Windows Server 2012 mu ust be installed d on the file serv ver that will ho ost the resourc ces that Dynamic Ac ccess Control will w be protect ting. The file serv ver that will ho ost the share must m be a Windows Server 2012 file server so th hat it can read cla aims and devic ce authorizatio on data from a Kerb beros v5 ticket t, translate tho ose SIDs and claims from the ticke et into an authenticat tion token, and d then compar re the authoriz zation data in the token aga ainst condition nal expressions s in the securit ty descriptor.

At least one e Windows Server 2012 dom main controller r must be acce essible by the W Windows clien nt computer in the user's do omain. The new w authorizatio on and auditing mechanism requires exten nsions to AD DS. These T extensio ons build the Windows W claim dictionary, wh hich is where W Windows oper rating systems sto ore claims for an a Active Direc ctory forest. Cl laims authoriz zation also relie es on the Kerb beros Key Distribu ution Center (KDC). The Win ndows Server 2 2012 KDC cont tains the Kerberos enhancem ments that are req quired to trans sport claims within a Kerbero os ticket and c compound ide entity. Window ws Server 2012 KDC also a includes an a enhancement to support Kerberos armo oring. Kerbero os armoring is an implementa ation of Flexib ble Authenticat tion Secure Tu unneling. It pro ovides a protec cted channel b between the Kerbero os client and th he KDC. Windows Server 2012 domain controlle ers must be in each domain if you are usin ng claims across a forest trust. .

MCT USE ONLY. STUDENT USE PROHIBITED

3-14 Implemen nting Dynamic Access Control

You must hav ve a Windows 8 client if you are using dev vice claims. Old der Windows o operating syste ems do not suppo ort device claim ms.

Alth hough a Windo ows Server 201 12 domain con ntroller is requ uired, there is n no requiremen nt for having a Win ndows Server 2012 2 domain and a forest func ctional level, u nless you wan nt to use claims across a fore est trus st. This means that t you can also a have domain controllers s on Windows Server 2008 a and Windows S Server 2008 R2 with the forest function nal level locate ed on Window ws Server 2008. ementing Dyn namic Access Control C in an e nvironment w with multiple fo orests has Note: Imple add ditional setup requirements. r

Ena abling Sup pport in AD DS for Dynamic D A Access Con ntrol


Afte er fulfilling the e software requ uirements for enabling Dynamic c Access Contr rol support, yo ou mus st enable claim m support for the t Windows Server S 2012 KDC. Kerber ros support for r Dynamic Acc cess Con ntrol provides a mechanism for f including user u claim m and device authorization information in na Win ndows authent tication token. Access checks s perf formed on resources (such as a files or folde ers), use this authorization information to verify iden ntity.

You u should first use Group Polic cy to enable AD A DS for Dynamic Acce ess Control. Bec cause this setting is spec cific to domain n controllers, you y can create e a new Group Policy Object (GPO) and then link the set tting to the Domain Co ontrollers organizational unit t (OU), or by e editing the Def fault Domain C Controllers GP PO that t is already link ked to that OU U. Whichever metho od you choose, , you should open o the Grou up Policy Obje ect Editor, exp pand Computer Con nfiguration, ex xpand Policies, expand Adm ministrative T Templates, expand System, and then expand KDC C. In this node e, open a settin ng called Supp port Dynamic Access Contr rol and Kerbe eros armoring g. To configure c the Support S Dynam mic Access Control and Kerb beros armoring g policy setting, choose one e of the four listed opt tions: Do not supp port Dynamic Access Contr rol and Kerbe eros armoring g Support Dyn namic Access Control and Kerberos K arm moring Always prov vide claims an nd FAST RFC behavior b Also fail una armored authentication req quests

Claims and Kerberos armoring support s are disabled by defa ault, which is e equivalent to t this policy setting not being configu ured, or being configured as Do not suppo ort Dynamic A ccess Control and Kerberos arm moring.

The Support Dyna amic Access Co ontrol and Ker rberos armorin ng policy settin ng configures Dynamic Acce ess Con ntrol and Kerbe eros armoring in a mix-mod de environmen ntwhen there e is a mixture o of Windows Se erver 2012 domain controllers and do omain controll lers running ea arlier versions of Windows S Server. You u use the remaining policy se ettings when all a the domain controllers are e Windows Server 2012 dom main controllers and th he domain func ctional level is configured to o Windows Ser rver 2012. The Always provid de claim ms and FAST RFC R behavior policy p setting and a the Also fa ail unarmored authenticatio on requests policy

MCT USE ONLY. STUDENT USE PROHIBITED


3-15

Configuring g Advanced Windows s Server 2012 Serviices

se etting enable Dynamic D Acces ss Control and d Kerberos arm moring for the domain. Howe ever, the latter r policy se etting requires s all Kerberos authentication a service and ti cket-granting service (TGS) communicatio on to us se Kerberos ar rmoring. Windows Server 2012 domain co ntrollers read this configuration while oth her do omain controllers ignore this setting.

Im mplement ting Claims s and Reso ource Prop perty Obje ects
After you enable support for Dynamic Acce ess Control in AD DS, D you must next n create and d co onfigure claims and resource e property objects.

Creating C and d Configurin ng Claim Ty ypes

To o create and configure claim ms, you primarily use th he Active Direc ctory Administ trative Center. You us se the Active Directory D Administrative Cen nter to cr reate attribute-based claims, , which are the e most co ommon type of o claim. Howe ever, you can also a use th he Active Direc ctory module for f Windows Po owerShell to create certificate-based claims. All claims are store ed within the configuration pa artition in AD DS. Because th his is a forest-w wide partition,, all domains w within the fore est share the claim di ictionary, and domain contro ollers from the e domains issu ue claim inform mation during user and computer au uthentication.

To o create attribute-based clai ims in Active Directory D Adm inistrative Cen nter, navigate t to the Dynami ic Access Control node, and then open the Cla aim Types con ntainer. By defa ault, no claim types are defined he ere. In the Actions pane, you u can click Cre eate Claim Typ pe to view the e list of attributes. These attr ributes ar re used to source values for claims. When you create a c claim, you asso ociate the claim m with the spe ecific at ttribute. The va alue of that at ttribute is popu ulated as a cla im value. Ther refore, it is crucial that the in nformation con ntained within the Active Dir rectory attribu utes that are us sed to source c claim types co ontain ac ccurate inform mation, or rema ain blank.

When W you selec ct the attribute e that you wan nt to use to cre eate a claim, yo ou also must p provide a nam me for th he claim. The suggested s nam me for the claim m is always the e same as the selected attrib bute name. Ho owever, yo ou can also pro ovide an altern nate or more meaningful m na ame for the cla aim. Optionally y, you can also o provide suggest ted values for a claim. This is s not mandato ory, but do this s can reduce the possibility f for making m mistake es. Note: Cla aim types are sourced s from AD A DS attribut tes. For this reason, you mus st configure at ttributes for yo our computer and user accounts in AD DS with the infor rmation that is s correct for th he respective user u or comput ter. Windows Server S 2012 do omain controllers do not iss sue a claim fo or an attribute-based claim type t when the attribute for t the authentica ating principal is empty. Depending on the t configuration of the data a files Resourc ce Property O bject attribute es, a null va alue in a claim may result in the user being g denied acces ss to Dynamic Access Contro ol-protected da ata.

Creating C and d Configurin ng Resource e Properties s

Although resource properties s are at the cor re of Dynamic Access Contro ol, you should implement th hem af fter you have defined d user and device claim ms. Remembe er that if a claim m does not ma atch the specif fied re esource proper rty value, then n access to the data might no ot be allowed.. Therefore, rev versing the ord der of

MCT USE ONLY. STUDENT USE PROHIBITED

3-16 Implementing Dynamic Access Control

implementation would risk inadvertently blocking users from data that they otherwise should be able to access.

When you use claims to control access to files and folders, you must also provide additional information for those resources. You do this by configuring the resource property objects. You manage resource properties in the Resource Properties container, which is located in the Dynamic Access Control node in the Active Directory Administrative Center. You can create your own resource properties, or you can use one of preconfigured properties, such as Project, Department, and Folder Usage. All predefined resource property objects are disabled by default. If you want to use any of them, you should first enable them. If you want to create your own resource property object, you can specify the property type, and the allowed or suggested values. When you create resource property objects, you can select properties to include in the files and folders. When evaluating file authorization and auditing, the Windows operating system uses the values in these properties along with the values from user and device claims.

After you have configured user and device claims and resource properties, you must then protect the files and folders by using conditional expressions that evaluate user and device claims against constant values, or values within resource properties. You can do this in any of the following three ways: If you want to include only specific folders, you can use the Advanced Security Settings Editor to create conditional expressions directly in the security descriptor.

To include several (or all) file servers, you can create central access policy rules, and then link those rules to the Central Policy objects. You can then use Group Policy to deploy the Central Policy objects to file servers, and then configure the share to use the Central Policy object. However, using central access policies is the most efficient and preferred method for securing files and folders. This is discussed further in the next topic. You can use file classifications to include certain files with a common set of properties across various folders or files.

You can use claims and resource property objects together in conditional expressions. Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions simply add another applicable layer to the permission entry. The results of all conditional expressions must evaluate to True for Windows to grant the permission entry for authorization. For example, suppose that you define a claim called Department for a user (with a source attribute department), and that you define a resource property object called Dept. You can now define a conditional expression that says that the user can access a folder (with the applied resource property objects) only if the user attribute Department value is equal to the value of property Dept on the folder. Note that if the Dept resource property object has not been applied to the file(s) in question, or if Dept is a null value, then the user will be granted access to the data. Note: Access is controlled not by the claim, but by the resource property object. The claim must provide the correct value corresponding to the requirements set by the resource property object. If the resource property object does not involve a particular attribute, then additional or extra claim attributes associated with the user or device are ignored.

MCT USE ONLY. STUDENT USE PROHIBITED


3-17

Configuring g Advanced Windows s Server 2012 Serviices

Im mplement ting Centra al Access Rules R and Policies


Central access policies p enable e you manage and de eploy consiste ent authorizatio on throughout t the or rganization by y using central access rules and Central Access Policy P objects. Central access policies p act as security s nets that an or rganization ap pplies across its s servers. You use Group Policy to o deploy the po olicies, and you apply th he policies to all a Windows Se erver 2012 file servers th hat will use Dynamic Access Control. A cen ntral ac ccess policy en nables you to deploy d a consistent co onfiguration to o several file se ervers.

Th he main comp ponent of a cen ntral access po olicy is ce entral access ru ule. Central Ac ccess Policy ob bjects represen nt a collection of central acce ess rules. Befo ore you cr reate a central access policy, you should cr reate a centrall access rule be ecause polices s are comprised of ru ules. A central access s rule contains multiple criteria that the W Windows operat ting system us ses when evalu uating ac ccess. For exam mple, a central l access rule ca an use conditio onal expressio ns to target sp pecific files and d fo olders. Each ce entral access ru ule has multiple permission e entry lists that you use to ma anage the rule e's cu urrent or proposed permissio on entries. You u can also retu urn the rule's c current permission entry list to its la ast known list of o permission entries. e Each central access r rule can be a m member of one or more Cen ntral Access Policy ob bjects.

Configuring C Central Acc cess Rules


Yo ou typically cre eate and confi igure central access a rules in the Active Dir rectory Admini istrative Cente er. rm the same task. However, you can also use Windows Power rShell to perfor To o create a new w central access rule, do the following: f 1. . 2. . Provide a name n and desc cription for the e rule. You sho ould also choose to protect t the rule agains st accidental deletion. d

Configure the t target reso ources. Use the e Target Reso ources section to create a scope for the ac ccess rule. You cr reate the scope by using reso ource propert ies within one or more cond ditional expressions. ue (All resour To simplify the process, you y can keep the default valu rces) and apply resource filte ering. You can join the conditio onal expression ns by using log gical operators s, such as AND D and OR. Additionally y, you can gro oup conditiona al expressions t together to co ombine the res sults of two or r more joined cond ditional expres ssions. The Tar rget Resource es section disp plays the currently configure ed conditional l expression th hat is being use ed to control t the rule's applicability. Configure permissions p wi ith either of th he following op ptions: o

3. .

Use fo ollowing perm missions as pro oposed perm missions. Use th his option to a add the permis ssions entries in the permissions list to the list of propo osed permissio ns entries for t the newly crea ated central access rule. You Y can combine the propos sed permission ns list with file system auditin ng to model the effective access a that use ers have to the e resource, without having to o change the permissions entries in n the current permissions p lis st. Proposed pe ermissions gen nerate a specia al audit event to t the event lo og that describ bes the propos sed effective ac ccess for the u users. Note: Pro oposed permis ssions do not apply a to resou rces; they exis st for simulatio on purposes

on nly.

MCT USE ONLY. STUDENT USE PROHIBITED

3-18 Implemen nting Dynamic Access Control

Use follo owing permis ssions as curre ent permissio ons. Use this o ption to add t the permission ns entries in n the permissio ons list to the list of the curre ent permission ns entries for t the newly created central ac ccess rule. The e current perm missions list rep presents the ad dditional perm missions that th he Windows s operating sys stem considers s when you de eploy the central access rule to a file server. ization decisio Central access a rules do o not replace th he existing sec curity. When m making authori ons, Windows s evaluates per rmission entrie es from the ce ntral access ru ule's current pe ermissions list, NTFS, and share permissions lists.

Implementin ng File Acc cess Auditi ing


The Global Object t Access Auditing feature in Win ndows 8 and Windows W Serve er 2012 enables you to configure c objec ct access audit ting for every file and folder in a co omputers file system. s You us se this feature to cen ntrally manage e and configur re Win ndows operatin ng systems to monitor every y file and folder on the computer. To o enable object t acce ess auditing in n previous vers sions of Windo ows Serv ver, you had to o configure this option in ba asic audit policies (in GPOs), G and tur rn on auditing for a spec cific security principal p in the objects SACL L. Som metimes this ap pproach did no ot easily recon ncile with h company policiessuch as s Log all administrative writ te activity on s servers contain ning financial info ormationbec cause you can turn on object t access audit logging at the e object level, but not at the serv ver level. The new n audit category in Windo ows Server 200 08 R2 and Win ndows Server 2 2012 enables adm ministrators to manage objec ct access audit ting using a m uch wider scope.

Dyn namic Access Control C enable es you to create e targeted aud dit policies usi ng resource properties, and expressions based d on user and computer c claim ms. For examp ple, you could create an audit policy to tra ack all Rea ad and Write operations o on High Confiden ntial files perfo ormed by emp ployees who do not have a H High Security Clearance attribute po opulated with the appropria ate value. You can author expression-based audit policies dire ectly on a file or o folder, or ce entrally via Gro oup Policy usin ng Global Obje ect Access Aud diting. By using u this appr roach, you do not prevent unauthorized a ccess; instead,, you register a attempts to ac ccess the content by un nauthorized pe eople. You u configure Glo obal Object Ac ccess Auditing when you ena able object acc cess auditing a and global obj ject acce ess auditing. Enabling this fe eature turns on n auditing for the computer that applies the policy setting. e auditing eve How wever, enabling auditing alone does not always generate ents. The resou urcein this instance files and foldersmust t contain audit t entries.

You u should config gure Global Ob bject Access Auditing for yo ur enterprise b by using the se ecurity policy o of a dom main-based GP PO. The two se ecurity policy settings s that ar re required to enable global l object access s auditing are locat ted in the follo owing locations: Computer Co onfiguration\W Windows Settin ngs\Security Se ettings\Advanc ced Audit Polic cy\Audit Policies\Object Access\Audit File System cy\Audit onfiguration\W Windows Settin ngs\Security Se ettings\Advanc ced Audit Polic Computer Co Policy\Global Object Access s Auditing\File e System

Global Object Acc cess Auditing includes a subc category for fi ile system and registry.

MCT USE ONLY. STUDENT USE PROHIBITED


3-19

Configuring g Advanced Windows s Server 2012 Serviices

Note: If both b a file or fo older SACL and a Global Obj bject Access Au uditing policy (or a single onfigured on a computer, re egistry setting SACL and a Global Object Access A Auditing g policy) are co th he effective SA ACL is derived by b combining the file or fold der SACL and t the Global Obj bject Access Auditing policy. . This means th hat an audit ev vent is generat ted if an activi ity matches eit ther the file or r folder SACL or o the Global Object O Access Auditing polic cy.

Im mplement ting Access s Denied Assistance A


One O of the mos st common err rors that users receive when w they try to o access a file or folder on a re emote file serv ver is an access s denied error. Ty ypically, this er rror occurs wh hen a user tries s to ac ccess a resourc ce without hav ving proper pe ermissions to do d so, or because of incorrec ctly co onfigured perm missions or res source ACLs. Using U Dynamic Access s Control can create c further co omplications. For F example, users u with pe ermissions will l not be grante ed access if a relevant r at ttribute in thei ir account is misspelled. m When W users receive this error, , they usually try t to co ontact the adm ministrator to obtain o access. However, adm ministrators usu ually do not ap pprove access to re esources, so they redirect the e users to som meone else for approval.

In n Windows Ser rver 2012, ther re is a new feat ture to help bo oth users and administrators s in such situat tions. Th his feature is called Access Denied D Assistan nce. It helps us sers respond to o access denie ed issues witho out in nvolving IT staf ff. It does this by providing information ab bout the probl em and direct ting users to th he proper person.

Access A Denie ed Remediation

Th he Access Den nied Assistance e feature provides three way ys for troublesh hooting issues with access denied er rrors:

Self-remediation. Administrators can cr reate customiz zed access den nied messages that are autho ored by the server administrator. a By using the information in these messages, users can t try to self-reme ediate access deni ied cases. The message can also a include U RLs that direct t users to self-remediation w websites that are pro ovided by the organization. For example, t the URL might t direct the use er to change the password to o an applicatio on, or to down nload a refresh hed copy of the client-side software.

Remediatio on by the data owner. Admin nistrators can d define owners for shared fol lders. This enables users to sen nd email messages to the da ata owners to r request access s. For example, if a user is accidentally y left off a secu urity group me embership, or the users dep partment attrib bute is misspelled, the data owner r might be able e to add the user u to the gro oup. If the data a owner does n not know how w to grant acces ss to the user, the t data owne er can forward this informati ion to the app propriate IT administrat tor. This is help pful because th he number of user support r requests escala ated to the sup pport desk should d be limited to o specialized ca ases, or cases t that are difficu ult to resolve. Remediatio on by the help desk and file server s adminis strators. If user rs cannot self-remediate issu ues and data owner rs cannot resol lve the issue either, then adm ministrators ca an troubleshoo ot issues by accessing a user inter rface to view th he effective pe ermissions for the user. Exam mples of when an administra ator should be involved are ca ases where claims attributes or resource o bject attribute es are defined incorrectly or contain incorrect informa ation, or when the data itself f seems to be corrupted.

MCT USE ONLY. STUDENT USE PROHIBITED

3-20 Implemen nting Dynamic Access Control

You u use Group Po olicy to enable e the Access De enied Assistan ce feature. Op pen the Group Policy Object Edit tor and navigate to Compute er Configuratio on\Policies\Ad dministrative T Templates\Syst tem\Access-De enied Assi istance. In the Access-Denied d Assistance node, you can e enable Access Denied Assistance, and you u can also o provide custo omized messag ges for users. Alternatively, A y you can also use the File Ser rver Resource Man nager console to enable Acc cess Denied As ssistance. How wever, if this fea ature is enable ed in Group Po olicy, the appropriate se ettings in the File F Server Res source Manage er console are disabled for c configuration.

Implementin ng File Clas ssifications


To implement Dynamic Access Control effectively, you must have we ell-defined claims and resource properties. Althou ugh claims are defined by attributes for a us ser or a device, , resource properties are mo ost often manu ually created and defi ined. File classifications enab ble administrat tors to define d automat tic procedures s for defining a desi ired property on o the file, bas sed on conditions spec cified in a classification rule. For example, you can set the Confid dentiality pro operty to High h on all documents d wh hose content co ontains the wo ord sec cret. You could then use this property in Dyn namic Access Control C to spec cify that only employees e wit h their emplo oyeetype attrib butes set to Man nager can acc cess those docu uments.

In Windows W Serve er 2008 R2 and d Windows Ser rver 2012, class sification man nagement and file managem ment task ks enable administrators to manage m group ps of files based d on various fi ile and folder a attributes. Wit th thes se tasks, you can automate file f and folder maintenance tasks, such as cleaning up st tale data or prot tecting sensitiv ve information n.

Clas ssification man nagement is de esigned to eas se the burden and managem ment of data th hat is spread o out in the organization. You can classify files in a variety of ways. I In most scenar rios, you classify files manua ally. The file classification infrastructure in Window ws Server 2008 8 R2 enables organizations to o convert thes se man nual processes s into automated policies. Ad dministrators c can specify file e management t policies based on a files classificatio on, and then apply corporate e requirement ts for managin ng data based on a business value. You u can use file classification to o perform the following f actio ons:

iles by running Define classification proper rties and value es, which you c can assign to fi g classification n rules. Create, updat te, and run classification rule es. Each rule as ssigns a single e predefined property and va alue lug-ins. to files within n a specified di irectory based on installed c classification pl

When running a classificatio on rule, reeval luate files that t are already cl lassified. You c can choose to overwrite exis sting classification values or add the value e to properties that support multiple value es. You can also use this t to declassi ify files that ar re no longer in n the classificat tion criteria.

MCT USE ONLY. STUDENT USE PROHIBITED


3-21

Configuring g Advanced Windows s Server 2012 Serviices

Im mplement ting Centra al Access Policy P Changes


After you imple ement Dynamic Access Contr rol, you might m have to make m some changes. For exa ample, yo ou might have e to update conditional expressions, or r you might want to change claims. You must m ca arefully plan any change to Dynamic D Access Control compon nents. ntral access policy can drastic cally Changing a cen af ffect access. Fo or example, a change c could po otentially gran nt more access s than desired, or, it co ould restrict a policy too much, resulting in n an ex xcessive numb ber of help des sk calls. As a be est practice, you sh hould test chan nges before im mplementing a central access policy updat te.

Fo or this purpose e, Windows Se erver 2012 introduces the co oncept of stagi ing. Staging en nables users to o verify th heir proposed policy updates before enfor rcing them. To o use staging, y you deploy the e proposed po olicies along with the enforced e polic cies, but you do not actually grant or deny y permissions. Instead, the W Windows op perating system logs an aud dit event (4818 8) any time the e result of the access check t that is using th he st taged policy differs from the e result of an access check th hat is using the e enforced pol licy.

MCT USE ONLY. STUDENT USE PROHIBITED

3-22 Implementing Dynamic Access Control

Lab: Implementing Dynamic Access Control


Scenario

The Research team at A. Datum Corporation is involved in confidential work that provides a great deal of value to the business. Additionally, other groups at A. Datum, such as the Executive department, frequently store files containing business-critical information on the company file servers. The security department in the organization wants to ensure that these confidential files are only accessible to properly authorized personnel, and that all access to these files is audited.

As one of the senior network administrators at A. Datum, you are responsible for addressing these security requirements by implementing Dynamic Access Control on the file servers. You will work closely with the business groups and the security department to identify which files need to be secured, and who should have access to these files. You will then implement Dynamic Access Control based on the company requirements.

Objectives
Plan the Dynamic Access Control implementation. Configure user and device claims. Configure resource property definitions. Configure central access rules and central access policies. Validate and remediate Dynamic Access Control. Implement new resource policies.

Lab Setup
20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-CL1 20412A-LON-CL2 Estimated time: 90 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-CL1 20412A-LON-CL2 Adatum\Administrator Pa$$w0rd

Virtual Machine(s)

User Name Password

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: o o User name: Adatum\Administrator Password: Pa$$w0rd

MCT USE ONLY. STUDENT USE PROHIBITED


3-23

Configuring Advanced Windows Server 2012 Services

5. 6.

Repeat steps 2-4 for 20412A-LON-SVR1. Do not start 20412A-LON-CL1 and 20412A-LON-CL2 until directed to do so.

Exercise 1: Planning the Dynamic Access Control Implementation


Scenario

A. Datum Corporation must ensure that documents used by the Research team and the Executive department are secured. Most of the files used by these departments are currently stored in shared folders dedicated to these departments, but confidential documents sometimes appear in other shared folders. Only members of the Research team should be able to access Research team folders, and only Executive department managers should be able to access highly confidential documents.

The security department is also concerned that managers are accessing files using their home computers, which may not be highly secure. Therefore, you must create a plan for securing the documents regardless of where they are located, and ensure that the documents can only be accessed from authorized computers. Authorized computers for managers are members of the security group ManagersWks. The support department reports that a high number of calls are generated by users who cannot access resources. You must implement a feature that helps users understand error messages better, and that will enable them to request access automatically. The main tasks for this exercise are as follows: 1. 2. Plan the Dynamic Access Control deployment. Prepare AD DS to support Dynamic Access Control.

Task 1: Plan the Dynamic Access Control deployment


Based on the scenario, describe how you will design Dynamic Access Control to fulfill the requirements for access control.

Task 2: Prepare AD DS to support Dynamic Access Control


1. 2. 3. 4. 5. 6. 7. 8. 9. On the LON-DC1, in Server Manager, open Active Directory Users and Computers. Create a new OU named Test. Move LON-CL1, LON-CL2, and LON-SVR1 computer objects into the Test OU. On LON-DC1, from Server Manager, open the Group Policy Management Console. Remove the Block Inheritance setting that is applied to the Managers OU. This is to remove the block inheritance setting used in a later module in the course. Edit the Default Domain Controllers Policy GPO.

In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click KDC. Enable the KDC support for claims, compound authentication and Kerberos armoring policy setting. In the Options section, click Supported.

10. On LON-DC1, refresh Group Policy. 11. Open Active Directory Users and Computers, and in the Users container, create a security group named ManagersWKS. 12. Add LON-CL1 to the ManagersWKS group.

MCT USE ONLY. STUDENT USE PROHIBITED

3-24 Implementing Dynamic Access Control

13. Verify that user Aidan Delaney is a member of Managers department, and that Allie Bellew is the member of the Research department. Department entries should be filled into the appropriate attribute for each user profile.

Results: After completing this exercise, you will have planned for Dynamic Access Control deployment, and you will have prepared AD DS for Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims


Scenario

The first step in implementing Dynamic Access Control is to configure the claims for the users and devices that access the files. In this exercise, you will review the default claims, and then create new claims based on the department and computer description attributes. For users, you will create a claim for a department attribute. For computers, you will create a claim for a description attribute. The main tasks for this exercise are as follows: 1. 2. 3. Review the default claim types. Configure claims for users. Configure claims for devices.

Task 1: Review the default claim types


1. 2. 3. 4. 5. 6. On LON-DC1, in Server Manager, open the Active Directory Administrative Center. In the Active Directory Administrative Center, click the Dynamic Access Control node. Open the Claim Types container, and verify that there are no default claims defined. Open the Resource Properties container, and note that all properties are disabled by default.

Open the Resource Property Lists container, and then open the properties of the Global Resource Property List. In the Resource Properties section, review available resource properties, and then click Cancel.

Task 2: Configure claims for users


1. 2. Open the Claim Types container, and create a new claim type for users and computers using the following settings: o o Source Attribute: Department Display name: Company Department

In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.

Task 3: Configure claims for devices


1. 2. In the Active Directory Administrative Center, in the Tasks pane click New, and then select Claim Type. Create a new claim type for computers using the following settings: o o Source Attribute: description Display name: description

MCT USE ONLY. STUDENT USE PROHIBITED


3-25

Configuring Advanced Windows Server 2012 Services

Results: After completing this exercise, you will have reviewed the default claim types, configured claims for users, and configured claims for devices.

Exercise 3: Configuring Resource Property Definitions


Scenario

The second step in implementing Dynamic Access Control is to configure the resource property lists and resource property definitions. After you do this, you should make a new classification rule that classifies all files containing the word secret. These files should be assigned a value of High for the Confidentiality attribute. You should also assign the department property to the folder that belongs to the Research team. The main tasks for this exercise are as follows: 1. 2. 3. Configure resource property definitions. Classify files. Assign properties to a folder.

Task 1: Configure resource property definitions


1. 2. 3. 4. 5. 6. In the Active Directory Administrative Center, click Dynamic Access Control, and then open the Resource Properties container. Enable the Department and Confidentiality Resource properties. Open Properties for Department. Add Research as suggested value.

Open the Global Resource Property List, ensure that Department and Confidentiality are included in the list, and then click Cancel. Close the Active Directory Administrative Center.

Task 2: Classify files


1. 2. 3. On LON-SVR1, open File Server Resource Manager.

Refresh Classification Properties, and verify that Confidentiality and Department properties are listed. Create a Classification rule with following values: o o o o o o o Name: Set Confidentiality Scope: C:\Docs Classification method: Content Classifier Property: Confidentiality Value: High Classification Parameters: String secret

Evaluation Type: Re-evaluate existing property values, and then click Overwrite the existing value

4. 5.

Run the classification rule. Open a Windows Explorer window, browse to the C:\Docs folder, and then open the Properties window for files Doc1.txt, Doc2.txt, and Doc3.txt.

MCT USE ONLY. STUDENT USE PROHIBITED

3-26 Implementing Dynamic Access Control

6.

Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.

Task 3: Assign properties to a folder


1. 2. 3. On LON-SVR1, open Windows Explorer. Browse to C:\Research, and open its properties. On the Classification tab, set the Department value to Research.

Results: After completing this exercise, you will have configured resource properties for files, classified files, and assigned properties to a folder.

Exercise 4: Configuring Central Access Rules and Central Access Policies


Scenario
Now that you have configured your resource property definitions, you need to configure the central access rules and policies that will link the claims and property definitions. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. Configure central access rules. Create a central access policy. Publish a central access policy by using Group Policy. Apply the central access policy to resources. Configure access denied remediation settings.

Task 1: Configure central access rules


1. 2. 3. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center. Click Dynamic Access Control, and then open the Central Access Rules container. Create a new Central Access Rule with the following values: o o o 4. Name: Department Match Target Resource: use condition Resource-Department-Equals-Value-Research Permissions: Remove Administrators, and then add Authenticated Users, Modify, with condition User-Company Department-Equals-Resource-Department

Create another Central Access Rule with the following values: o o o o Name: Access Confidential Docs Target Resource: use condition Resource-Confidentiality-Equals-Value-High Permissions : Set first condition to: User-Group-Member of each-Value-Managers Permissions: Set second condition to: Device-Group-Member of each-Value-ManagersWKS

Task 2: Create a central access policy


1.

On LON-DC1, in the Active Directory Administrative Center, create a new Central Access Policy with following values: Name: Protect confidential docs Rules included: Access Confidential Docs

MCT USE ONLY. STUDENT USE PROHIBITED


3-27

Configuring Advanced Windows Server 2012 Services

2.

Create another Central Access Policy with following values: Name: Department Match Rules included: Department Match

3.

Close the Active Directory Administrative Center.

Task 3: Publish a central access policy by using Group Policy


1. 2. 3. 4. 5. 6. On LON-DC1, from the Server Manager, open the Group Policy Management Console. Create new GPO named DAC Policy, and in the Adatum.com domain, link it to Test OU. Edit the DAC Policy, browse to Configuration/Policies/Windows Settings/Security Settings /File System, and then right-click Central Access Policy. Click Manage Central Access Policies. Click both Department Match and Protect confidential docs, click Add, and then click OK. Close both the Group Policy Management Editor and the Group Policy Management Console.

Task 4: Apply the central access policy to resources


1. 2. 3. 4. 5. 6. On LON-SVR1, start Windows PowerShell. Refresh Group Policy on LON-SVR1. Open Windows Explorer, and browse to the C:\Docs folder. Apply the Protect confidential docs central policy to the C:\Docs folder. Browse to the C:\Research folder. Apply the Department Match Central Policy to the C:\Research folder.

Task 5: Configure access denied remediation settings


1. 2. 3. 4. 5. 6. 7. 8. 9. On LON-DC1, open the Group Policy Management Console. In the Group Policy Management Console, browse to Group Policy objects. Edit the DAC Policy.

Under the Computer Configuration node, browse to Policies\Administrative Templates\System, and then click Access-Denied Assistance. In the right pane, double-click Customize Message for Access Denied errors. In the Customize Message for Access Denied errors window, click Enabled. In the Display the following message to users who are denied access text box, type You are denied access because of permission policy. Please request access. Select the Enable users to request assistance check box, and then click OK.

Double-click Enable access-denied assistance on client for all file types, enable it, and click OK.

10. Close both the Group Policy Management Editor and the Group Policy Management Console. 11. Switch to LON-SVR1, and refresh Group Policy.

Results: After completing this exercise, you will have configured central access rules and central access policies for Dynamic Access Control.

MCT USE ONLY. STUDENT USE PROHIBITED

3-28 Implementing Dynamic Access Control

Exercise 5: Validating and Remediating Dynamic Access Control


Scenario

To ensure that the Dynamic Access Control settings are configured correctly, you need to test various access scenarios. You will test both approved users and devices, and unapproved users and devices. You will also validate the access remediation configuration. The main task for this exercise is as follows: 1. Validate Dynamic Access Control functionality.

Task 1: Validate Dynamic Access Control functionality


1. 2. 3. 4. 5. 6. 7. 8. 9. Start and then log on to LON-CL1 as Adatum\April with the password Pa$$w0rd. Click the Desktop tile, and then open Windows Explorer. Browse to \\LON-SVR1\Docs, and verify that you can only open Doc3. Try to access \\LON-SVR1\Research. You should be unable to access it. Log off LON-CL1. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd. Open Windows Explorer, and try to access \\LON-SVR1\Research. You should be able to access it and open files in it. Log off LON-CL1. Log on to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.

10. Open Windows Explorer and try to access \\LON-SVR1\Docs. You should be able to open all files in this folder. 11. Log off LON-CL1. 12. Start and then log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.

13. Open Windows Explorer and try to access \\LON-SVR1\Docs. You should be unable to see Doc1 and Doc2, because the LON-CL2 is not permitted to view secret documents.

Results: After completing this exercise, you will have validated Dynamic Access Control functionality.

Exercise 6: Implementing New Resource Policies


Scenario
As a final step in implementing Dynamic Access Control, you will test the effect of implementing a new resource policy. The main tasks for this exercise are as follows: 1. 2. 3. 4. Configure staging for a central access policy. Configure staging permissions. Verify staging. Use effective permissions to test Dynamic Access Control.

Task 1: Configure staging for a central access policy


1. On LON-DC1, open Group Policy Management.

MCT USE ONLY. STUDENT USE PROHIBITED


3-29

Configuring Advanced Windows Server 2012 Services

2. 3.

Open the Group Policy Management Editor for DAC Policy.

Browse to Computer Configuration\Policies\Windows Settings \Security Settings Advanced Audit Policy Configuration\Audit Policies, and then select Object Access. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK. Double-click Audit File System, select all three check boxes, and then click OK. Close the Group Policy Management Editor and the Group Policy Management console.

4. 5. 6.

Task 2: Configure staging permissions


1. 2. On LON-DC1, open Active Directory Administrative Center, and then open the properties for the Department Match central access rule.

In the Proposed permissions section, configure the condition for Authenticated Users as follows: User-Company Department-Equals-Value-Marketing.

Task 3: Verify staging


1. 2. 3. 4. Log on to LON-CL1 as Adatum\Adam with the password Pa$$w0rd. In Windows Explorer, try to access \\LON-SVR1\Research, and the files within it. Switch to LON-SVR1. Open Event Viewer, open Security Log, and then look for events with Event ID 4818.

Task 4: Use effective permissions to test Dynamic Access Control


1. 2. 3. 4. 5. 6. 7. 8. 9. On LON-SVR1, open the properties for the C:\Research folder. Open the Advanced options for Security, and then click Effective Access. Click select a user.

In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and then click OK. Click View effective access. Review the results. The user should not have access to this folder. Click Include a user claim. On the drop-down list, select Company Department. In the Value text box, type Research.

10. Click View Effective access. The user should now have access. 11. Close all open windows.

Results: After completing this exercise, you will have implemented new resource policies.

To prepare for the next module


1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.

MCT USE ONLY. STUDENT USE PROHIBITED

3-30 Implementing Dynamic Access Control

Module Review and Takeaways


Question: What is a claim? Question: What is the purpose of a central access policy? Question: What is Access Denied Assistance?

Common Issues and Troubleshooting Tips


Common Issue Claims are not populated with the appropriate values. Troubleshooting Tip

A conditional expression does not allow access.

Best Practices
Use central access policies instead of configuring conditional expressions on resources. Enable Access Denied Assistance settings. Always test changes that you have made to central access rules and central access policies before implementing them. Use file classifications to assign properties to files.

Tools
Tool Active Directory Administrative Center Group Policy Management Console Group Policy Management Editor Use For administering and creating claims, resource properties, rules and policies Managing group policy Editing Group Policy Objects Location Administrative tools

Administrative tools Group Policy Management Console

MCT USE ONLY. STUDENT USE PROHIBITED


4-1

Module 4
Implementing Network Load Balancing
Contents:
Module Overview Lesson 1: Overview of NLB Lesson 2: Configuring an NLB Cluster Lesson 3: Planning an NLB Implementation Lab: Implementing Network Load Balancing Module Review and Takeaways 4-1 4-2 4-5 4-10 4-16 4-21

Module Overview

Network Load Balancing (NLB) is a Windows Server network component. NLB uses a distributed algorithm to balance IP traffic load across multiple hosts. It helps to improve the scalability and availability of business-critical, IP-based services. NLB also provides high availability, because it detects host failures and automatically redistributes traffic to surviving hosts. To effectively deploy NLB, you must understand its functionality and the scenarios where its deployment is appropriate. The main change to NLB in Windows Server 2012 is the inclusion of a comprehensive set of Windows PowerShell cmdlets. These cmdlets enhance your ability to automate the management of Windows Server 2012 NLB clusters. The Network Load Balancing console, which is also available in Windows Server 2008 and Windows Server 2008 R2, is also present in Windows Server 2012 This module introduces you to NLB, and shows you how to deploy this technology, the situations for which NLB is appropriate, how to configure and manage NLB clusters, and how to perform maintenance tasks on NLB clusters.

Objectives
After completing this module, you will be able to: Describe NLB. Explain how to configure an NLB cluster. Explain how to plan an NLB implementation.

MCT USE ONLY. STUDENT USE PROHIBITED

4-2

Implementing Network Load Ba alancing

Lesson 1

Overvi iew of NLB N

Befo ore you deploy y NLB, you nee ed to have a fi irm understan ding of the types of server w workloads for w which this high availability technology y is appropriate. If you do no ot understand the functionality of NLB, it i is possible that you will deploy it in a manner th hat does not a ccomplish you ur overall objectives. For exa ample, you need to unde erstand why NLB is appropria ate for web ap pplications, but not for Micro osoft SQL Ser rver data abases. o This s lesson provid des an overview w of NLB, and the features n new to NLB in Windows Serv ver 2012. It also desc cribes how NL LB works normally, and durin ng server failur re and server r recovery.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe NLB B technology. Describe how w NLB works. Explain how NLB N accommo odates server fa ailures and rec covery. Describe new w NLB features in Windows Server 2012.

Wh hat Is NLB?
NLB B is a scalable, high availability feature that t you can install on all editions e of Win ndows Server 2012. 2 A sc calable technol logy is one wh here you can ad dd add ditional compo onents (in this case c additiona al clus ster nodes) to meet increasin ng demand. A node in a Windows Serv ver 2012 NLB cluster is a com mputer, either physical or virt tual, that is run nning the Windows Serv ver 2012 opera ating system.

Win ndows Server 2012 2 NLB clust ters can have betw ween two and 32 nodes. Wh hen you create e an NLB B cluster, it creates a virtual network n addre ess and virtual network adapter. Th he virtual network adapter has an IP address and a media access s control (MAC C) address. Net twork traffic to o this address is evenly distributed d across the no odes in the cluster. In a basic c NLB configur ration, each no ode in an NLB clus ster will service e requests at a rate that is ap pproximately e equal to that o of all other nod des in the clust ter. Whe en an NLB clus ster receives a request, it will forward that request to the e node that is currently least t utilized. You can configure c NLB to preference e some nodes o over others.

NLB B is failure-awa are. This means that if one of the nodes in the NLB clust ter goes offline e, requests will l no long ger be forward ded to that node, but other nodes in the c cluster will con ntinue to accep pt requests. When the failed node re eturns to servic ce, incoming re equests will be e redirected un ntil traffic is ba alanced across s all nod des in the clust ter.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


4-3

How H NLB Works W


When W you configure an application to use NLB, N clients address the t application n using the NL LB cluster address rather than the address of nodes n th hat participate in the NLB clu uster. The NLB B cluster ad ddress is a virtual address that is shared be etween th he hosts in the NLB cluster. NLB directs traf ffic in the following manner: All ho osts in the NLB B cluster receiv ve the incomin ng tr raffic, but only one node in the t cluster, which is de etermined thro ough the NLB process, will accept a th hat traffic. All other o nodes in the NLB clust ter will drop the traffic. .

Which W node in the t NLB cluste er accepts the traffic depend ds on the confi iguration of po ort rules and a affinity se ettings. Throug gh these settin ngs, you can de etermine if tra ffic that uses a particular po ort and protoco ol will be e accepted by a particular node, or whether any node in n the cluster w will be able to a accept and res spond.

NLB also sends traffic to node es based on cu urrent node ut tilization. New traffic is directed to nodes t that are be eing least utiliz zed. For example, if you hav ve a four node cluster where e three of the n nodes are resp ponding to o requests from m 10 clients an nd one node is s responding to o requests fro m 5 clients, th he node that has fewer . clients will recei ive more incom ming traffic un ntil utilization i is more evenly y balanced across the nodes.

How H NLB Works W with h Server Fa ailures and d Recovery y


NLB is able to detect d the failu ure of cluster nodes. n When W a cluster node is in a fa ailed state, it is re emoved from the t cluster, and d the cluster does d not di irect new traffic to the node. Failure is detected by y using heartb beats. NLB clus ster heartbeats s are tr ransmitted eve ery second between nodes in na cluster. A node is automatical lly removed fro om a NLB cluster if it misses five co onsecutive heartbeats. When W a node is s added or rem moved from a cluster, c a process known as convergence occurs. Convergence allows the cluste er to determin ne its cu urrent configuration. Conver rgence can only occur if each node is configured c wit th the same po ort rules.

Nodes can be configured to rejoin r a cluster r automatically y by setting th e Initial host s state setting on n the no odes properties using the Network N Load Balancing B Man nager. By defa ult, a host that is a member of a cluster will attem mpt to rejoin that t cluster automatically. Fo or example, if you reboot a s server that is a member m of an NLB N cluster aft ter applying a software upda ate, the server will rejoin the e cluster autom matically af fter the reboot t process comp pletes. Administrators can manually add or remove e nodes from NLB clusters. W When an admi inistrator remo oves a no ode, they can choose to perform a Stop or a Drainstop a action. The Sto op action term minates all exist ting co onnections to the cluster node and stops the t NLB servic e. The Drainstop action bloc cks all new co onnections wit thout terminat ting existing se essions. Once a all current sess sions end, the NLB service is s st topped.

MCT USE ONLY. STUDENT USE PROHIBITED

4-4

Implementing Network Load Ba alancing

NLB B can only dete ect server failu ure; it cannot detect d applicat tion failure. Th his means that if a web applic cation l continue to f fails s but the serve er remains operational, the NLB N cluster will forward traffic to the cluster node that t hosts the faile ed application n. One method d of managing this problem is to implement a monitorin ng solu ution such as Microsoft M Syste em Center 201 12 - Operation s Manager. W With Operations s Manager, you can mon nitor functiona ality of applica ations. You can n also configur re Operations Manager to generate an ale ert in the event that an application on n a cluster nod de fails. An ale rt in turn can c configure a remediation action, such h as restarting services, resta arting the serve er, or withdraw wing the node e from the NLB B cluster so tha at it doe es not receive further f incoming traffic.

NL LB Features in Windo ows Server r 2012


The most substantial change to NLB features in Win ndows Server 2012 2 is the inclusion of Wind dows Pow werShell suppo ort. The NetworkLoadBala ancingClusters module conta ains 35 NLBrelated N cm mdlets. This module become es avai ilable on a serv ver when the NLB N Remote Server S Adm ministration To ools (RSAT) are e installed. The e Win ndows PowerSh hell cmdlets ha ave the follow wing nou uns: NlbClusterNode. Lets you manage a cluster node. Include es the Add, Ge et, Remove, Resume, Set, Start, Stop, and a Suspend verbs. v

NlbClusterNodeDip. Lets you y configure the cluster no odes dedicated d managemen nt IP. Includes the Add, Get, Remove, and Se et verbs.

NlbClusterPo ortRule. Lets you y manage port p rules. Inclu udes the Add, Disable, Enab ble, Get, Remo ove, and Set verbs s.

NlbClusterVi ip. Lets you manage the NLB B clusters virtu ual IP. Includes the Add, Ge et, Remove, an nd Set verbs. NlbCluster. Lets L you manage the NLB clu uster. Includes s the Get, New w, Remove, Re esume, Set, St tart, Stop, and Suspend verbs. NlbClusterDriverInfo. Provides informat tion about the e NLB cluster d driver. Includes s the Get verb. NlbClusterNodeNetworkI Interface. Lets s you retrieve information ab bout a cluster nodes network interface driver. Includes th he Get verb. ss. Includes the New verb. NlbClusterIp pv6Address. Lets you config gure the cluste ers IPv6 addres

NlbClusterPo ortRuleNodeH HandlingPrio ority. Lets you set priority on n a per-port ru ule basis. Supports the Set ver., NlbClusterPo ortRuleNodeW Weight. Lets you y set node w weight on a pe er-port rule ba asis. Supports t the Set verb.

ee the list of Windows W Power rShell cmdlets for NLB, you c can use the ge etNote: To se com mmand module NetworkL LoadBalancingClusters com mmand.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


4-5

Lesson n2

Configuring an NLB B Cluste er

To o deploy NLB successfully, you must first have h a firm un derstanding o of its deployme ent requirements. You must m also have planned the manner m in whic ch you are goi ng to use port t rules and affi inity settings t to en nsure that traf ffic to the application that is being hosted on the NLB cl luster is handle ed appropriate ely. Th his lesson prov vides you with information about a the infra astructure requ uirements that t you must con nsider clusters prior to deployi ing NLB. It also o provides you u with importa ant information n on how to co onfigure NLB c an nd nodes to be est suit your objectives. o

Le esson Objec ctives


After completin ng this lesson you y will be able to: Describe NLB deploymen nt requirement ts. Describe ho ow to impleme ent NLB. Explain con nfiguration opt tions for NLB. Explain how w to configure e NLB affinity and a port rules. Describe ne etwork conside erations for NL LB.

Deploymen D nt Require ements for r NLB


NLB requires that all hosts in the NLB cluste er re eside on the sa ame TCP/IP subnet. Although TC CP/IP subnets can be configured to span multiple m ge eographic loca ations, NLB clu usters are unlik kely to ac chieve converg gence successf fully if the late ency be etween nodes exceeds 250 milliseconds m (m ms). When W you are designing d geog graphically dis spersed NLB clusters, yo ou should inste ead choose to deploy an n NLB cluster at a each site, an nd then use Do omain Name System (D DNS) round ro obin to distribu ute tr raffic between sites.

All network ada apters within an NLB cluster must be e configured as a either unicast or multicast t. You cannot c configure an N NLB cluster wh here there is a mixture of f unicast and multicast m adap pters. When using unicast mo ode, the netwo ork adapter must support ch hanging its s MAC address s. Yo ou can only us se TCP/IP protocol with netw work adapters that participat te in NLB clust ters. NLB supp ports IP Pv4 and IPv6. The T IP addresses of servers th hat participate e in an NLB clu uster must be s static and mus st not be e dynamically allocated. When you install NLB, Dynamic c Host Configu uration Protoco ol (DHCP) is disabled on n each interfac ce that you configure to par rticipate in the e cluster.

All editions of Windows W Serve er 2012 support NLB. Micros soft supports N NLB clusters with nodes that t are ru unning differen nt editions of Windows W Server 2012. Howe ever, as a best practice, NLB cluster nodes should be e computers with w similar har rdware specific cations, and th hat are running g the same ed dition of the W Windows Se erver 2012 ope erating system m.

MCT USE ONLY. STUDENT USE PROHIBITED

4-6

Implementing Network Load Ba alancing

De emonstration: Deplo oying NLB


This s demonstratio on shows how to create a Windows Server r 2012 NLB cluster.

Dem monstration n Steps Cre eate a Windows Server 2012 NLB Cluster C
1. 2. 3. Log on to LO ON-SVR1 using g the Adatum\ \Administrat or account. From the Too ols menu, open n the Windows s PowerShell In ntegrated Scri pting Environm ment (ISE). Enter the follo owing comma ands, and then press Enter:
Invoke-Command -Computername LON-S SVR1,LON-SVR2 2 -command {I Install-Windo owsFeature NLB,RSAT-NLB} New-NlbCluster -Interf faceName "Loc cal Area Conn nection" -Ope erationMode M Multicast ClusterPrimaryIP 172.16.0.42 -Clus sterName LON-NLB Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName e "LON-SVR2" NewNodeInterface "Local Area Conne ection"

4.

Open Networ rk Load Balanc cing Manager from the Tool s menu and vi iew the cluster r.

Co onfiguratio on Options s for NLB


Con nfiguring NLB clusters c involv ves specifying how h host ts in the cluste er will respond d to incoming netw work traffic. How NLB direct ts traffic depen nds on the t port and protocol p that it t is using, and whe ether the client t has an existin ng network session with h a host in the cluster. You can configure these t settings by using port rules and affinity settings.

Por rt Rules
With port rules, yo ou can configu ure how reque ests to spec cific IP address ses and ports are a directed by y the NLB B cluster. You can c load balan nce traffic on Tran nsmission Control Protocol (TCP) ( port 80 across a all nodes n in an NL LB cluster, whil le directing all requests to TC CP port 25 to a specific host t.

To specify s how yo ou want to dist tribute request ts across node es in the cluste er, you configu ure a filtering m mode whe en creating a port p rule. You can c do this in the Add/Edit Port Rule dia alog box, which h you can use to configure one of the t following filtering f mode es: Multiple hos sts. When you configure this s mode, all NL B nodes respo ond according to the weight assigned to each e node. Nod de weight is ca alculated auto omatically, base ed on the perf formance characteristics of the host. If I a node fails, other nodes in n the cluster c continue to res spond to incom ming requests. Mul ltiple host filte ering increases availability an nd scalability, a as you can increase capacity y by adding nodes s, and the cluster continues to t function in the event of n node failure. Single host. When W you con nfigure this mo ode, the NLB c cluster directs traffic to the n node that is assigned the highest priorit ty. In the event that the nod e assigned the e highest prior rity is unavailable, the host assig gned the next highest priorit ty handles the incoming traf ffic. Single hos st rules increase availability, but do not incre ease scalability y.

Configuring Advanced Windows Server 2012 Services

MCT USE ONLY. STUDENT USE PROHIBITED


4-7

Note: Highest priority is the lowest number, with a priority of 1 being higher priority than a priority of 10.

Disable this port range. When you configure this option, all packets for this port range are dropped, without being forwarded to any cluster nodes. If you do not disable a port range and there is no existing port rule, the traffic is forwarded to the host with the lowest priority number.

You can use the following Windows PowerShell cmdlets to manipulate port rules: Add-NlbClusterPortRule. Use this cmdlet to add a new port rule. Disable-NlbClusterPortRule. Use this cmdlet to disable an existing port rule. Enable-NlbClusterPortRule. Use this cmdlet to enable a disabled port rule. Set-NlbClusterPortRule. Use this cmdlet to modify the properties of an existing port rule. Remove-NlbClusterPortRule. Use this cmdlet to remove an existing port rule.

Note: Each node in a cluster must have identical port rules. The exception to this is the load weight (in multiple-hosts filter mode) and handling priority (in single-host filter mode). Otherwise, if the port rules are not identical, the cluster will not converge.

Affinity

Affinity determines how the NLB cluster distributes requests from a specific client. Affinity settings only come into effect when you are using the multiple hosts filtering mode. You can select from the following affinity modes: None. In this mode, any cluster node responds to any client request, even if the client is reconnecting after an interruption. For example, the first webpage on a web application might be retrieved from the third node, the second web page from the first node, and the third web page from the second node. This affinity mode is suitable for stateless applications.

Single. When you use this affinity mode, a single cluster node handles all requests from a single client. For example, if the third node in a cluster handles a clients first request, then all subsequent requests are also handled by that node. This affinity mode is useful for stateful applications. Class C. When you set this mode, a single node will respond to all requests from a class C network (one that uses the 255.255.255.0 subnet mask). This mode is useful for stateful applications where the client is accessing the NLB cluster through load-balanced proxy servers. These proxy servers will have different IP addresses, but will be within the same class C (24 bit) subnet block.

Host Parameters

You configure the host parameters for a host by clicking the host in the Network Load Balancing Manager console, and then from the Host menu, clicking Properties. You can configure the following host settings for each NLB node:

Priority. Each NLB node is assigned a unique priority value. If no existing port rule matches the traffic that is addressed to the cluster, traffic will be assigned to the NLB node that is assigned the lowest priority value. Dedicated IP address. You can use this parameter to specify an address the host uses for remote management tasks. When you configure a dedicated IP address, NLB configures port rules so that they do not affect traffic to that address.

MCT USE ONLY. STUDENT USE PROHIBITED

4-8

Implementing Network Load Balancing

Subnet Mask. When you are selecting a subnet mask, ensure that there are enough host bits to support the number of servers in the NLB cluster, and any routers that connect the NLB cluster to the rest of the organizational network. For example, if you plan to have a cluster that has 32 nodes and supports two routes to the NLB cluster, you will need to set a subnet mask that supports 34 host bits or moresuch as 255.255.255.192. Initial host state. You can use this parameter to specify the actions the host will take after a reboot. The default Started state will have the host rejoin the NLB cluster automatically. The Suspended state pauses the host, allowing you to perform operations that require multiple reboots without triggering cluster convergence. The Stopped state stops the node.

Demonstration: Configuring NLB Affinity and Port Rules

This demonstration shows how to configure affinity for NLB cluster nodes, and how to configure NLB port rules.

Demonstration Steps Configure Affinity for NLB Cluster Nodes


1. 2. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.

In Windows PowerShell, enter each of the following commands, pressing Enter after each command:
Cmd.exe Mkdir c:\porttest Xcopy /s c:\inetpub\wwwroot c:\porttest Exit New-Website Name PortTest PhysicalPath C:\porttest Port 5678 New-NetFirewallRule DisplayName PortTest Protocol TCP LocalPort 5678

Configure NLB Port Rules


1. 2. 3. 4. On LON-SVR1, open the Network Load Balancing Manager. Remove the All port rule. In Network Load Balancing Manager, edit the properties of the LON-NLB cluster. Add a port rule with the following properties: o o o o 5. Port range: 80 to 80 Protocols: Both Filtering mode: Multiple Host Affinity: None

Create a port rule with the following properties: o o o Port range: 5678 to 5678 Protocols: Both Filtering mode: Single Host

6. 7.

Edit the host properties of LON-SVR1. Configure the port rule for port 5678 and set handling priority to 10.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


4-9

Network N Co onsiderations for NL LB


Yo ou must consid der several fac ctors when you u are de esigning a net twork to suppo ort an NLB cluster. Th he primary dec cision is wheth her you want to co onfigure the NLB N cluster to use u Unicast or Multicast M cluste er operation mode.

Unicast U Mod de
When W you configure a NLB cluster to use unicast mode, m all cluste er hosts use the e same unicast t MAC ad ddress. Outgoing traffic uses s a modified MAC M ad ddress that is determined d by y the cluster ho osts priority setting. This prevents the switch tha at ha andles outbou und traffic from m having problems with w all cluster hosts h using the e same MAC address. a

When W you use unicast u mode with w a single network n adapt er on each node, only comp puters that use e the sa ame subnet can communicat te with the node using the n nodes assigne ed IP address. I If you have to pe erform any no ode manageme ent tasks, such h as connecting g using Remot te Desktop to apply software e up pdates, you wi ill need to perf form these tas sks from a com mputer that is o on the same T TCP/IP subnet as the no ode.

When W you use unicast u mode with w two or more network a adapters, one a adapter will be e used for dedicated cluster commun nication, and the other adap pter or adapter rs can be used d for managem ment tasks. When you us se unicast mod de with multip ple network ad dapters, you ca an perform clu ster managem ment tasks such h as co onnecting usin ng Remote Pow werShell to add or remove r oles and featu ures.

Unicast mode can also minim mize problems that t occur whe en cluster nod des also host o other non-NLB related ro oles or services s. For example, using unicast t mode means s that a server that participat tes in a web se erver cluster on port 80 may also host another se ervice such as D DNS or DHCP.. Although this s is possible, M Microsoft re ecommends th hat all cluster nodes n have the e same configu uration.

Multicast M Mo ode

When W you configure an NLB cluster c to use multicast mod de, each cluster host keeps it ts original MAC C ad ddress, but also is assigned an a additional multicast m MAC C address. Each h node in the c cluster is assigned the sa ame additional MAC multica ast address. Mu ulticast mode requires netwo ork switches and routers tha at su upport multica ast MAC addre esses.

In nternet Group Manage ement Proto ocol Multica ast

In nternet Group Management Protocol (IGM MP) multicast m mode is a spec cial form of mu ulticast mode t that prevents the ne etwork switch from f being flo ooded with traf ffic. When you u deploy IGMP P multicast mo ode, tr raffic is forward ded only throu ugh switch por rts that particip pate in the NL LB cluster. IGM MP multicast m mode re equires switch hardware that t supports this functionality.

Network N Con nsiderations s

Yo ou can improv ve NLB cluster performance when w using un nicast mode by y using separa ate virtual loca al area ne etworks (VLAN Ns) for cluster traffic t and management traf ffic. Using VLA ANs segments traffic, thereby y preventing man nagement traff fic from affecting cluster traf ffic. When you u host NLB nod des on virtual machines m using Windows Serv ver 2012, you can also use n network virtual lization to segment manage ement tr raffic from clus ster traffic.

MCT USE ONLY. STUDENT USE PROHIBITED

4-10 Implemen nting Network Load Balancing B

Lesson 3

Planning an NLB N Imp plement tation

Whe en you are pla anning an NLB implementati ion, you must ensure that th he applications s that you dep ploy are appropriate fo or NLB. Not all l applications are a suitable fo or deployment on NLB cluste ers, and it is imp portant for you u to be able to identify which h ones can ben nefit from this s technology. Y You also need to kno ow what steps you y can take to t secure NLB, and be familia ar with the op ptions that you u have to scale NLB, should the applica ation hosted on o the NLB cluster require gr reater capacity y.

Les sson Objecti ives


Afte er completing this lesson you u will be able to: t Explain how to t design application and sto orage support t for NLB. Describe the special considerations for de eploying NLB c clusters on vir tual machines. Describe the options that you y can implem ment to secure e NLB. Describe the options for sca aling NLB.

Describe the meth hod you can use to upgrade e an NLB cluste er to Windows s Server 2012.

De esigning Application ns and Stor rage Supp ort for NL LB


Because clients ca an be redirecte ed to any node e in an NLB N cluster, ea ach node in the e cluster must be able e to provide a consistent exp perience. There efore, whe en you are des signing applica ations and stor rage support for NLB applications, a yo ou must ensur re that you configure eac ch node in the e same way, an nd that t each node ha as access to the same data. Whe en a highly available applica ation has multi iple tiers ssuch as a web w application n that includes s an SQL L Server databa ase tierthe web w application tier is ho osted on an NLB cluster. SQL Server, as a stateful applicatio on, is not made e highly available usin ng NLB. Instead d, you use tech hnologies such h as failover cl ustering, mirro oring, or Alway lity ysOn Availabil Groups, to make the t SQL Server r database tier r highly availab ble.

All hosts s and be confi h in an NLB cluster should run the sam me applications igured in the s same way. Whe en you are using web b applications, , you can use Internet Inform mation Services (IIS) 8.0s sha ared configura ation func ctionality to en nsure that all nodes n in the NLB N cluster are configured in n the same manner. Reference Links: L You can n find out mor re about IIS 8.0 0s shared conf h Windows figuration with Serv ver 2012 at htt tp://learn.iis.ne et/page.aspx/2 264/shared-co onfiguration/

You u can also use technologies t such s as file sha ares that are ho osted on Clust ter Shared Volumes (CSV) to o host app plication config guration inform mation. File shares hosted on n CSVs allow m multiple hosts to have access s to app plication data and a configurat tion informatio on. File shares that are hoste ed on CSVs are e a feature of Win ndows Server 2012. 2

MCT USE ONLY. STUDENT USE PROHIBITED


4-11

Configuring g Advanced Windows s Server 2012 Serviices

Considerat C ions for Deploying an a NLB Clu uster on V Virtual Mac chines
As organization ns transition fro om physical to o virtual de eployments, administrators must consider r several fa actors when de etermining the e placement of f NLB cluster nodes on Hyper-V hos sts. This includes the ne etwork configu uration of virtu ual machines, the co onfiguration of the Hyper-V hosts, and the e be enefits of using Hyper-V's hi igh availability y fe eatures in conjunction with NLB. N

Virtual V Mach hine Placem ment

Yo ou should plac ce NLB cluster nodes on separate ha ard disks on th he Hyper-V host. h That way, should a disk or disk ar rray fail, even if i one node be ecomes unavai ilable, other N NLB cluster nod des that are ho osted on th he same Hyper r-V host will re emain online. As A a best pract tice, you should configure th he Hyper-V ho ost with re edundant hard dware, includin ng redundant disks, d network k adapters, and d power suppli ies. This will m minimize th he chance that t hardware failure on the Hyper-V host wil ll lead to all no odes in an NLB B cluster becom ming un navailable. Wh hen you are us sing multiple network n adapte ers, configure network team ming to ensure that virtual machines are able to maintain m access to the netwo ork even in the e event that individual netwo ork ad dapter hardwa are suffers a failure. Where W possible, deploy NLB virtual v machine e nodes on se parate hyper-V V hosts. When n you are plann ning th his type of con nfiguration, ens sure that the virtual v machine es that particip pate in the NL LB cluster are lo ocated on n the same TC CP/IP subnet. This T protects th he NLB cluster from other ty ypes of server f failure, such as s the fa ailure of a motherboard or any other single e point of failu ure.

Virtual V Mach hine Networ rk Configur ration

traightforward Be ecause adding g additional vir rtual network adapters a is a st d process, you can configure e the NLB cluster to use u unicast mo ode, and then deploy d each v virtual machine e with multiple e network adapters. Yo ou should crea ate separate vi irtual switches for cluster tra affic and node management traffic, becaus se se egmenting traf ffic can improv ve performanc ce. You can als so use network k virtualization n to partition c cluster tr raffic from nod de managemen nt traffic. You can use VLAN tags as a met thod of partitio oning cluster t traffic from node man nagement traff fic.

When W you are using u unicast mode, m ensure that t you enabl le MAC addres ss spoofing for the virtual ne etwork ad dapter on the Hyper-V host. . You can do th his by editing the virtual net twork adapter s settings on t the Virtual Machin ne Settings dia alog box, whic ch is available through the H Hyper-V Manag ger. Enabling MAC ad ddress spoofin ng allows unica ast mode to co onfigure MAC address assign nment on the virtual networ rk ad dapter.

NLB N Cluster vs. v Virtual Machine M Hig gh Availabi lity

Virtual machine e high availability is the proc cess of placing virtual machin nes on failover r clusters. Whe en a fa ailover cluster node fails, the virtual machin ne fails over, s o that it is hos sted on anothe er node. Though fa ailover clusterin ng and NLB ar re both high availability tech hnologies, they y serve different purposes. F Failover clustering suppo orts stateful ap pplications suc ch as SQL Serv ver, whereas N LB is suited to o stateless appl lications su uch as websites. Highly available virtual ma achines do no t allow an app plication to sca ale, because yo ou ca annot add nod des to increase e capacity. How wever, it is pos ssible to deplo oy NLB cluster nodes as high hly av vailable virtual l machines. In this scenario, the t NLB cluste er nodes fail ov ver to a new H Hyper-V host in n the ev vent that the original o Hyper-V host fails.

MCT USE ONLY. STUDENT USE PROHIBITED

4-12 Implemen nting Network Load Balancing B

The degree of ava ailability and re edundancy req quired will fluc ctuate, depend ding on the ap pplication. A business-critical application that costs an orga anization milli ons of dollars when it is dow wn requires an n avai ilability that di iffers from that of an applica ation that caus ses minimal inconvenience if f it is offline.

Co onsideratio ons for Sec curing NLB B


NLB B clusters are almost a always used u to host web w app plications that are a important to the orga anization. Beca ause of this im mportance, you u should take steps to secure NLB B, both by restricting the traf ffic that can ad ddress the clus ster, and by ensuring that t appropriate permissions s are app plied.

Con nfigure Port Rules

Whe en securing NLB clusters, you must first en nsure that t you create po ort rules to blo ock traffic to all port ts other than those t used by applications hosted h on the t NLB cluste er. When you do d this, all inco oming traff fic that is not specifically s add dressed to app plications that are running o on the NLB cluster will be dropped, before being b forwarde ed to cluster nodes. n If you d o not do this f first step, all in ncoming traffic c that is no ot managed by a port rule will w be forward ded to the clus ter node with the lowest clu uster priority va alue.

Con nfigure Fire ewall Rules

ed Security is c You u should also ensure e that Win ndows Firewall with Advance configured on n each NLB cluster nod de. When you enable e NLB on n a cluster nod de, the followin ng firewall rule es are created and enabled auto omatically. Thi is allows NLB to t function and d communicat te with other n nodes in the cl luster: Network Load d Balancing (D DCOM-In) Network Load d Balancing (IC CMP4-ERQ-In) ) Network Load d Balancing (IC CMP6-ERQ-In) ) Network Load d Balancing (R RPCSS) Network Load d Balancing (W WinMgmt-In) Network Load d Balancing (IC CMP4-DU-In) Network Load d Balancing (IC CMP4-ER-In) Network Load d Balancing (IC CMP6-DU-In) Network Load d Balancing (IC CMP6-EU-In)

Whe en created, the ese firewall rul les do not include scope sett tings. In high-security enviro onments, you would configure an appr ropriate local IP I address or IP address rang ge, and a remo ote IP address for each of th hese rule es. The remote IP address or address range e should includ de the address ses that are use ed by other ho osts in the cluster. Whe en you are con nfiguring additional firewall rules, rememb ber the followi ing:

When you are e using multip ple network adapters in unica ast mode, con nfigure differen nt firewall rules for each network k interface. For r the interface used for mana agement tasks s, you should c configure the firewall rules to allow inbou und managem ment traffic only y. For example e, enabling the e use of remot te Windows Pow werShell, Wind dows Remote Manager M (Win dows RM), and d Remote Desktop for

MCT USE ONLY. STUDENT USE PROHIBITED


4-13

Configuring Advanced Windows Server 2012 Services

management tasks. You should configure the firewall rules on the network interface the cluster node uses, to provide an application to the cluster, and to allow access to that application. For example, allow incoming traffic on TCP ports 80 and 443 on an application that uses the HTTP and HTTPS protocols. When you are using multiple network adapters in multicast mode, configure firewall rules that allow access to applications that are hosted on the cluster, but block access to other ports.

Configure Applications to Respond Only to Traffic Addressed to the Cluster

You should configure applications on each node to respond only to traffic that is addressed to the cluster, and to ignore application traffic that is addressed to the individual node. For example, if you deploy a web application that is designed to respond to traffic addressed to www.adatum.com, there will be a website on each node that will accept traffic on port 80. Depending on the NLB cluster configuration, it is possible that traffic that is addressed to the node on port 80 will generate a direct response. For example, getting the Adatum web application by entering the address http://nlb-node-3.adatum.com in a browser instead of entering the address http://www.adatum.com. You can secure applications from this type of direct traffic by configuring them to respond only to traffic that uses the NLB cluster address. For web applications, you can do this by configuring the website to use a host header. Each application that runs on an NLB cluster will have its own unique method of allowing you to configure the application to respond only to traffic directed at the cluster, rather than at the individual cluster node.

Securing Traffic with SSL

NLB websites must all use the same website name. When you are securing websites that you make highly available using NLB, you need to ensure that each website has an SSL certificate that matches the website name. You can use host headers on each node. In most cases, you will install the same website certificate on each node in the NLB cluster, because this is simpler than procuring separate certificates for each cluster node. In some cases, you will need to procure certificates that support subject alternative names (SANs). Certificates that support SANs allow a server to be identified by multiple names, such as the name used by the clustered application and the name of the cluster node. For example, a certificate with a SAN might support the names www.adatum.com, node1.adatum.com, node2.adatum.com, node3.adatum.com, and node4.adatum.internal.

Principle of Least Privilege

Ensure that users are only delegated permissions for tasks that they need to perform on the NLB node. Members of the local Administrators group on any single node are able to add and remove cluster nodes, even if they are not members of the local Administrators group on those nodes. Applications that run on NLB clusters should be configured in such a way that they do not require application administrators to have local Administrator privileges on the servers that host the application. Only users whose job role requires them to be able to make remote management connections to NLB cluster nodes should be able to make those connections.

MCT USE ONLY. STUDENT USE PROHIBITED

4-14 Implemen nting Network Load Balancing B

Co onsideratio ons for Sca aling NLB


Scal ling is the proc cess of increas sing the capaci ity of an NLB N cluster. Fo or example, if you y have a fou urnod de NLB cluster and each node in the cluste er is bein ng heavily utili ized to the point where the clus ster cannot ma anage more tra affic, you can add a add ditional nodes. Adding nodes s will spread th he sam me load across more computers, reducing the t load d on each curr rent cluster node. Capacity incr reases because e a larger number of similarly y configured compu uters can manage a higher wor rkload than a smaller s numbe er of similarly configured compu uters.

3 nodes. This means that yo ou can scale-o out a single NL LB cluster so th hat 32 An NLB cluster supports up to 32 sepa arate nodes pa articipate in th hat cluster. Wh hen you consid der scaling an a application so that it is hoste ed on a 32 2-node NLB cluster, rememb ber that each node n in the clu uster must be o on the same T TCP/IP subnet. An alternative a to building single e NLB clusters is to build mu ultiple NLB clu sters, and then n to use DNS r round robin to share traffic between th hem. DNS round robin is a t technology tha at allows a DN NS server to pro ovide requ uesting clients s with different t IP addresses to the same h ostname in se equential order. For example e, if ther re are three ad ddresses associated with a ho ostname, the f first requesting g host receives s the first addr ress, the second receives the second address, the third t receives t the third, and so forth. When n you use DNS S round robin with NLB, you asso ociate the IP ad ddresses of eac ch cluster with h the hostname e that is used by the application.

Dist tributing traffic c between NLB B clusters using g DNS round r robin also allo ows you to dep ploy NLB cluste ers acro oss multiple sit tes. DNS round d robin supports netmask or rdering. This te echnology ens sures that clien nts on a su ubnet are prov vided with an IP address of a host on the sa ame network, if one is availa able. For exam mple, you might deploy y three four-no ode NLB cluste ers in the cities s of Sydney, M Melbourne, and d Canberra, and use DNS S round robin to distribute traffic t between n them. With n netmask ordering, a client th hat is accessing g the app plication in Syd dney will be dir rected to the NLB N cluster ho osted in Sydney y. A client that t is not on the same subnet as the NLB B cluster nodes s, such as a clie ent in the city of Brisbane, w would be direc cted by DNS ro ound robin to the Sydney, Melbourne e, or Canberra NLB cluster.

Co onsideratio ons for Upg grading NLB N Cluster rs


Upg grading NLB cl lusters involves moving clust ter nod des from one host h operating systemfor exam mple Windows Server 2003 or Windows Server 2008to Window ws Server 2012 2. Upgrading th he clus ster might not involve perfor rming an oper rating system upgrade on o each node, because in som me case es the original host operating system migh ht not support a direct upgrade u to Win ndows Server 2012. In cases where the e original host t operating sys stem doe es not support a direct upgra ade to Window ws Serv ver 2012, you can c perform a migration.

A ke ey consideratio on when you are a upgrading NLB clus sters is to reme ember that NL LB supports having clusters t hat are runnin ng a mixture of operating systems. This s means that you can have a cluster runnin ng a mixture o of Windows Server 2003, Win ndows Server 2 2008,

MCT USE ONLY. STUDENT USE PROHIBITED


4-15

Configuring Advanced Windows Server 2012 Services

and Windows Server 2012. Keep in mind that while mixed operating system NLB clusters are supported, they are not recommended. You should configure the NLB cluster so that all hosts are running the same operating system as soon as possible. Note: In some situations, it will not be possible to upgrade the operating system of a cluster node. When you are performing an upgrade, you can use one of the following strategies:

Piecemeal Upgrade. During this type of upgrade, you add new Windows Server 2012 nodes to an existing cluster, and then remove the nodes that are running earlier versions of the Windows Server operating system. This type of upgrade is appropriate when the original hardware and operating system does not support a direct upgrade to Windows Server 2012.

Rolling upgrade. During this type of upgrade, you upgrade one node in the cluster at a time. You do this by taking the node offline, performing the upgrade, and then rejoining the node back to the cluster.

Reference Links: You can learn more about upgrading NLB clusters at the following link: http://technet.microsoft.com/en-us/library/cc731691(WS.10).aspx

MCT USE ONLY. STUDENT USE PROHIBITED

4-16 Implementing Network Load Balancing

Lab: Implementing Network Load Balancing


Scenario

A. Datum Corporation is an engineering and manufacturing company. The organization is based in London, England, and is quickly expanding into Australia. As the company expands, the need for scalable web applications has increased. With this in mind, you are developing a pilot program to test the deployment of Windows NLB on hosts running the Windows Server 2012 operating system. As you intend to automate the process of deploying Windows NLB clusters, you will use Windows PowerShell to perform many of the cluster setup and configuration tasks. You will also configure port rules and affinity, which will allow you to deploy multiple load-balanced web applications on the same Windows NLB clusters.

Objectives
Create a Windows NLB cluster. Configure and manage an NLB cluster. Validate high availability for the NLB cluster.

Lab Setup
Estimated Time: 45 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-SVR2 Username: Adatum\Administrator Password: Pa$$w0rd For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: o o User name: Adatum\Administrator Password: Pa$$w0rd

5.

Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2.

Exercise 1: Implementing an NLB Cluster


Scenario

You eventually want to automate the process of deploying Windows Server 2012 NLB clusters. With this in mind, you will be using Windows PowerShell to perform the majority of the NLB cluster deployment tasks. The main tasks for this exercise are as follows: 1. 2. 3. Verify website functionality for standalone servers. Install the Windows Network Load Balancing feature. Create a new Windows Server 2012 NLB cluster.

MCT USE ONLY. STUDENT USE PROHIBITED


4-17

Configuring Advanced Windows Server 2012 Services

4. 5.

Add a second host to the cluster. Validate the NLB cluster.

Task 1: Verify website functionality for standalone servers


1. 2. 3. 4. 5. 6. 7. 8. On LON-SVR1, navigate to the folder c:\inetpub\wwwroot.

Open iis-8.png in Microsoft Paint, and use the Paint Brush tool and the color red to mark the IIS Logo in a distinctive manner. Close Windows Explorer. Switch to LON-DC1 and then click to the Start screen. Open Internet Explorer.

Navigate to http://LON-SVR1. Verify that the web page is marked in a distinctive manner with the color red. Navigate to http://LON-SVR2. Verify that the website is not marked in a distinctive manner. Close Internet Explorer.

Task 2: Install the Windows Network Load Balancing feature


1. 2. On LON-SVR1, open Windows PowerShell ISE. Type the following command, and then press Enter:
Invoke-Command -Computername LON-SVR1,LON-SVR2 -command {Install-WindowsFeature NLB,RSAT-NLB}

Task 3: Create a new Windows Server 2012 NLB cluster


1. On LON-SVR1, in Windows PowerShell ISE, type the following command, and then press Enter:
New-NlbCluster -InterfaceName "Local Area Connection" -OperationMode Multicast ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB

2.

In Windows PowerShell ISE, type the following command, and then press Enter:
Invoke-Command -Computername LON-DC1 -command {Add-DNSServerResourceRecordA zonename adatum.com name LON-NLB Ipv4Address 172.16.0.42}

Task 4: Add a second host to the cluster

On LON-SVR1, in the Windows PowerShell ISE window, type the following command, and then press Enter:
Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName "LON-SVR2" NewNodeInterface "Local Area Connection"

Task 5: Validate the NLB cluster


1. 2.

On LON-SVR1, open the Network Load Balancing Manager, and verify that nodes LON-SVR1 and LON-SVR2 display with the status of Converged. View the properties of the LON-NLB cluster, and verify the following: o o The cluster is set to use the Multicast operations mode.

There is a single port rule named All that starts at port 0 and ends at port 65535 for both TCP and UDP protocols, and that it uses Single affinity.

MCT USE ONLY. STUDENT USE PROHIBITED

4-18 Implementing Network Load Balancing

Results: After this exercise, you should have successfully implemented an NLB cluster.

Exercise 2: Configuring and Managing the NLB Cluster


Scenario

As you will want to deploy multiple separate websites to the NLB cluster and differentiate these websites based on port address, you want to ensure that you are able to configure and validate port rules. You also want to experiment with affinity settings to ensure that requests are distributed evenly across hosts. The main tasks for this exercise are as follows: 1. 2. 3. Configure port rules and affinity. Validate port rules. Manage host availability in the NLB Cluster.

Task 1: Configure port rules and affinity


1. 2. On LON-SVR2, open Windows PowerShell. In Windows PowerShell, enter the following commands, pressing Enter after each command:
Cmd.exe Mkdir c:\porttest Xcopy /s c:\inetpub\wwwroot c:\porttest Exit New-Website -Name PortTest -PhysicalPath "C:\porttest" -Port 5678 New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678

3. 4. 5. 6. 7. 8. 9.

Open Windows Explorer and then browse to and open c:\porttest\iis-8.png in Microsoft Paint. Use the Blue paintbrush to mark the IIS Logo in a distinctive manner. Switch to LON-DC1. Open Internet Explorer and navigate to http://LON-SVR2:5678. Verify that the IIS Start page with the image marked with blue displays. Switch to LON-SVR1.

On LON-SVR1, open Network Load Balancing Manager, and view the cluster properties of LON-NLB.

10. Remove the All port rule. 11. Add a port rule with the following properties: o o o o Port range: 80 to 80 Protocols: Both Filtering mode: Multiple Host Affinity: None

12. Create a new port rule with the following properties: o o o Port range: 5678 to 5678 Protocols: Both Filtering mode: Single Host

13. Click OK to close the Cluster Properties dialog box.

MCT USE ONLY. STUDENT USE PROHIBITED


4-19

Configuring Advanced Windows Server 2012 Services

14. Edit the host properties of LON-SVR1. 15. Configure the Handling Priority value of the port rule for port 5678 as 10.

Task 2: Validate port rules


1. 2. 3. Switch to LON-DC1.

Using Internet Explorer, navigate to http://lon-nlb, refresh the Web page 20 times, and verify that web pages with and without the distinctive red marking display.

On LON-DC1, navigate to address http://LON-NLB:5678, refresh the web page 20 times, and verify that only the web page with the distinctive blue marking displays.

Task 3: Manage host availability in the NLB Cluster


1. 2. 3. 4. 5. Switch to LON-SVR1. Use the Network Load Balancing Manager on LON-SVR1 to suspend LON-SVR1.

Verify that node LON-SVR1 displays as Suspended, and that node LON-SVR2 displays as Converged. Resume and then start LON-SVR1. Verify that both node LON-SVR1 and LON-SVR2 now display as Converged.

Results: After this exercise, you should have successfully configured and managed an NLB cluster.

Exercise 3: Validating High Availability for the NLB Cluster


Scenario

As part of preparing for the deployment of NLB in your organizations environment, you want to ensure that it is possible to perform maintenance tasks such as reboot operations, without affecting the availability of the websites that are hosted on the cluster. With this in mind, you will verify availability by rebooting one of the hosts while attempting to access the clustered website. You will also explore the Drainstop functionality. The main tasks for this exercise are as follows: 1. 2. Validate website availability when the host is unavailable. Configure and validate Drainstop.

Task 1: Validate website availability when the host is unavailable


1. 2. 3. 4. Restart LON-SVR1. Switch to LON-DC1. On LON-DC1, open Internet Explorer, and navigate to http://LON-NLB. Refresh the website 20 times. Verify that the website is available, but that it does not display the distinctive red mark on the IIS logo until LON-SVR1 has restarted.

Task 2: Configure and validate Drainstop


1. 2. On LON-SVR1, open Network Load Balancing Manager and initiate a Drainstop on LON-SVR2.

On LON-DC1, navigate to http://lon-nlb and verify that only the welcome page with the red IIS logo displays.

Results: After this exercise, you should have successfully validated high availability for the NLB cluster.

MCT USE ONLY. STUDENT USE PROHIBITED

4-20 Implementing Network Load Balancing

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. 1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412-LON-SVR1 and 20412-LON-SVR2.

Lab Review
Question: How many additional nodes can you add to the LON-NLB cluster? Question: What steps would you take to ensure that LON-SVR1 always manages requests for web traffic on port 5678, given the port rules that exist at the end of this exercise? Question: What is the difference between a Stop and a Drainstop action?

MCT USE ONLY. STUDENT USE PROHIBITED


4-21

Configuring Advanced Windows Server 2012 Services

Module Review and Takeaways


Question: You have created a four-node Windows Server 2012 NLB cluster. The cluster hosts a website that is hosted on IIS. What happens to the cluster if you shut down the World Wide Web publishing service on one of the nodes? Question: You want to host the www.contoso.com, www.adatum.com, and www.fabrikam.com websites on a four-node NLB cluster. The cluster IP address will be a public IP address, and each fully qualified domain name (FQDN) is mapped in DNS to the cluster's public IP address. What steps should you take on each node to ensure that traffic is directed to the appropriate site? Question: You have an eight-node Windows NLB cluster that hosts a web application. You want to ensure that traffic from a client that uses the cluster remains with the same node throughout their session, but that traffic from separate clients is distributed equitably across all nodes. Which option do you configure to accomplish this goal?

Real-world Issues and Scenarios


To become a true high availability solution, use a monitoring solution with NLB that will detect application failure. This is because NLB clusters will continue to direct traffic to nodes with failed applications as long as NLBwhich is independent of the applicationcontinues to send heartbeat traffic.

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED


5-1

Module 5
Implementing Failover Clustering
Contents:
Module Overview Lesson 1: Overview of Failover Clustering Lesson 2: Implementing a Failover Cluster Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster Lesson 4: Maintaining a Failover Cluster Lesson 5: Implementing a Multi-Site Failover Cluster Lab: Implementing Failover Clustering Module Review and Takeaways 5-1 5-2 5-14 5-20 5-25 5-30 5-36 5-41

Module Overview

Providing high availability is important for any organization that wants to provide continuous services to its users. High availability is a term that denotes the capability of a system or device to be usable when it is required. You can express high availability as a percentage, which is calculated by dividing the actual service time by the required service time. High availability does not mean that the system will be free of any downtime. However, a network that has an uptime of 99.999 percent often is considered highly available. Failover clustering is one of the main technologies in Windows Server 2012 that can provide high availability for various applications and services. In this module, you will learn about failover clustering, its components, and implementation techniques.

Objectives
After completing this module, you will be able to: Describe failover clustering. Implement a failover cluster. Configure highly available applications and services. Maintain a failover cluster. Implement multi-site failover clustering.

MCT USE ONLY. STUDENT USE PROHIBITED

5-2

Implementing Failover Clusterin ng

Lesson 1

Overvi iew of Failover F r Cluster ring

Failo over clustering g is a high availability proces ss, wherein an instance of a service or app plication that is s runn ning over one machine can fail-over onto a different ma achine in the f failover cluster r if the first ma achine fails s. Failover clust ters in Window ws Server 2012 2 provide a hig gh availability solution for m many server roles and applications. By implement ting failover clu usters, you can n maintain app plication or service availabili ity if one e or more computers in the failover f cluster r fail. Befo ore you implem ment failover clustering, c you u should be fam miliar with gen neral high availability concepts. You u must also und derstand clustering terminology, and how w failover cluste ers work. Final lly, you must b be fam miliar with new clustering feat tures in Windo ows Server 201 12.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe high h availability. Describe failo over clustering improvement ts in Windows Server 2012. Describe failo over cluster components. Describe Clus ster Shared Vo olumes (CSV). Define failove er and failback k. Describe a qu uorum. Describe quorum modes in n Windows Serv ver 2012 failov ver clusters. Describe failo over cluster networks. Describe failo over cluster sto orage.

Wh hat Is High h Availability?


Availability refers to a level of se ervice that app plications, servi ices, or system ms provide. Availability is expr ressed as the percentage p of time that t a service or system is availa able. Highly avai ilable systems have minimal downtime whe ether planned or unplanned and are available mor re than 99 percent of the tim me, depending g on an organizations o needs and budget. For exam mple, a sy ystem that is unavailable for 8.75 hours per year wou uld have a 99.9 9 percent avail lability rating, and wou uld be conside ered highly ava ailable.

To improve availa ability, you must implement faulttole erance mechan nisms that mas sk or minimize e how failures o of the services s components and depende encies affe ect the system. You can achie eve fault tolera ance by implem menting redun ndancy to sing gle points of fa ailure. Mis scommunicatio on about servi ice-level expec ctations betwe een the custom mer and the IT organization can resu ult in poor bus siness decisions, such as unsu uitable investm ment levels and d customer dis ssatisfaction. B Be sure e to express av vailability requirements clear rly, so that the re are no misu understandings about the imp plications.

Configurin ng Advanced Window ws Server 2012 Ser rvices

Th he availability measurement period can als so have a sign nificant effect o on the definitio on of availability. For ex xample, a requ uirement for 99.9 percent av vailability over a one-year pe eriod allows fo or 8.75 hours o of do owntime, whereas a requirem ment for 99.9 percent availa ability over a ro olling four-we eek window allows for on nly 40 minutes s of downtime e per period. Fo or high availab bility, you also should identif fy and negotia ate planned ou utages, service e and support h hours, maintenance m ac ctivities, service e pack updates, and softwar re updates. The ese are schedu uled outages, a and ty ypically not inc cluded as downtime; you typ pically calculat te availability b based on unpla anned outages only. However, you have h to negotia ate exactly which planned o utages you wi ill consider as d downtime.

MCT USE ONLY. STUDENT USE PROHIBITED


5-3

Failover Clu ustering in n Windows s Server 20 012


While W most of the failover clu ustering feature es and ad dministration techniques t fro om Windows Server 20 008 R2 are pre esent in Windo ows Server 201 12, so ome new featu ures and techn nologies in Win ndows Se erver 2012 increase scalabilit ty and cluster storage av vailability, and provide bette er and easier management m an nd faster failov ver. Th he important new n features in n Windows Server 20 012 failover clustering includ de:

Increased scalability. In Windows W Serve er 2012, a failover cluster can have e 64 physical nodes n and can run n 4,000 virtual machines on each cluster. This s is a significan nt improvemen nt over Windo ows Server 200 08 R2, which su upports only 1 16 physical no odes and 1,000 0 virtual machines per cluste r. Each cluster you create is now available from the Server Manager M console. Server Ma anager in Wind dows Server 20 012 can discov ver and manag ge all clusters tha at are created in i an Active Directory Dom main Services ( (AD DS) doma ain. If you deploy the cluster in a multi-site scenario, the adm ministrator can now control w which nodes in n a cluster hav ve votes for establishing quorum. Failover cluste ering scalabilit ty is also impro oved for virtua al machines tha at are running on clusters. This will be discuss sed in more de etail in Module 6: Implemen nting Hyper-V V Availability. Improved CSVs C . This tech hnology was in ntroduced in W Windows Serve er 2008 R2, and d it became ve ery popular for r providing virt tual machine storage. s In Win ndows Server 2 2012, CSVs ap ppear as CSV file systems, an nd they suppor rt server messa age block (SM B) version 3.0 storage for Hy yper-V and o other applications. In addition, CSV can use the Server Mes ssage Block (SM MB) Multichan nnel and SMB Direct features to enable traffic to stream acro oss multiple ne etworks in a cl luster. It is also o possible to implement file server on CSVs, in scale-out mode. Fo or additional se ecurity, you can use Window ws BitLocker drive encrypt tion for CSV di isks, and you c can make CSV storage visible e only to a sub bset of nodes in a cluster. For reliability, you ca an scan and re epair CSV volumes with zero offline time.

Cluster-Aware Updating. In earlier versions of Windo ows Server, upd dating cluster nodes to mini imize or avoid down addition, upda ntime required d significant pr reparation and d planning. In a ating cluster nodes was a most tly manual procedure, which caused additi ional administ rative effort. W Windows Serve er 2012 introduces Cluster-Aware e Updating, a new n technolog gy for this purp pose. Cluster-A Aware Updatin ng automatica ally updates clu uster nodes with the Window ws Update hot tfix, while keep ping the cluste er online and minimi izing downtim me. This techno ology will be ex xplained in mo ore detail in L Lesson 4: Main ntaining a Failover Cluster. C

MCT USE ONLY. STUDENT USE PROHIBITED

5-4

Implementing Failover Clusterin ng

Active Directo ory integration n improvemen nts. In Window ws Server 2008,, failover cluste ering is integra ated in AD DS. Win ndows Server 2012 2 improves s on this integ gration. Administrators can n now create clus ster computer obj jects in targete ed organizatio onal units (OUs s), or by defau ult in the same OUs as the clu uster nodes. This al ligns failover cluster c depend dencies on AD DS with the d elegated dom main administra ation model that is used in many y IT organizatio ons. In additio n, you can now w deploy failover clusters wi ith access only to o read-only do omain controllers.

Management t improvement ts. Although fa ailover clusteriing in Window ws Server 2012 still uses almo ost the same man nagement con nsole and the same s administ trative techniques, Windows Server 2012 b brings some importa ant manageme ent improvements. In the Va alidation wizar rd, the validation speed for large failover cluste ers is improved d and new test ts for CSVs, the e Hyper-V role e, and virtual m machines are added. In add dition, new Windows PowerS Shell cmdlet ts are available e for managing g clusters, monitoring clustered virtua al machine app plications, and creating high hly available Internet Small Computer System Interface e (iSCSI) targets.

Rem moved and Deprecated d Features


In Windows W Serve er 2012 cluster ring, some of the features fro om older failov ver clustering versions are rem moved or depre ecated. If you are a upgrading g from an olde r version, you should be awa are of these changes:

The Cluster.ex xe command-line tool is dep precated. How wever, you can still optionally y install it with the failover cluste ering tools. Fai ilover clusterin ng Windows Po owerShell cmd dlets provide a functionality that is generally th he same as clu uster.exe commands. The Cluster Automation A Server (MSClus) Component O Object Model ( (COM) interfac ce is deprecate ed, but you can optionally o insta all it with the failover f cluster ring tools. The Support for f 32-bit cluster resource dynamic-link lib braries (DLLs) is deprecated, but you can optionally ins stall 32-bit DLL Ls. Cluster reso ource DLLs sho ould be update ed to 64-bit.

The Print Serv ver role is removed from the e High Availab bility Wizard, and it cannot b be configured i in the Failover Clust ter Manager. The Add-ClusterPrintServ verRole cmdlet is deprecated d, and it is not t supported in Windows Serv ver 2012.

Fai ilover Clus ster Components


As a failover cluster, a group of independent com mputers work together t to inc crease the avai ilability of app plications and services. s Physic cal cables and softwa are connect the e clustered ser rvers. Serv vers that partic cipate in the cluster are also kno own as nodes. If one of the cl luster nodes fa ails, ano other node beg gins to provide e services. This s proc cess is known as failover. With failover, use ers experience minim mal to no servic ce disruptions. A fa ailover clusterin ng solution co onsists of sever ral com mponents, whic ch include:

Nodes. These are computer rs that are mem mbers of a failover cluster. c These computers c run n Cluster servic ce, and resourc ces and applic cations associated to cluster.

Configuring Advanced Windows Server 2012 Services

Network. This is a network across which cluster nodes can communicate with one another, and with clients. There are three types of networks that can be used in a cluster: public, private, and publicand-private. These networks are discussed in more detail in the Failover Cluster Networks topic. Resource. This is an entity that is hosted by a node. It is managed by the Cluster service, and can be started, stopped, and moved to another node. Cluster storage. This is a storage system that is usually shared between cluster nodes. In some scenarios, such as clusters of servers running Microsoft Exchange Server, shared storage is not required. Clients. These are computers (or users) that are using the Cluster service. Service or application. This is a software entity that is presented to clients and used by clients.

MCT USE ONLY. STUDENT USE PROHIBITED


5-5

In a failover cluster, each node in the cluster: Has full connectivity and communication with the other nodes in the cluster.

Is aware when another node joins or leaves the cluster. In addition, each node is aware when a node or resource is failing, and has the ability to take those services over. Is connected to a network through which client computers can access the cluster. Is usually connected through a shared bus or iSCSI connection to shared storage.

Is aware of the services or applications that are running locally, and the resources that are running on all other cluster nodes.

Cluster storage usually refers to logical devicestypically hard disk drives or logical unit numbers (LUNs)to which all the cluster nodes attach through a shared bus. This bus is separate from the bus that contains the system and boot disks. The shared disks store resources such as applications and file shares that the cluster will manage. A failover cluster typically defines at least two data communications networks: one network enables the cluster to communicate with clients, and the second isolated network enables the cluster node members to communicate directly with one another. If a directly-connected shared storage is not being used, then a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data storage network.

Most clustered applications and their associated resources are assigned to one cluster node at a time. The node that provides access to those cluster resources is the active node. If the nodes detect the failure of the active node for a clustered application, or if the active node is taken offline for maintenance, the clustered application is started on another cluster node. To minimize the impact of the failure, client requests are immediately and transparently redirected to the new cluster node.

MCT USE ONLY. STUDENT USE PROHIBITED

5-6

Implementing Failover Clusterin ng

Wh hat Are CS SVs?


In classic failover cluster deploy yment, only a single s nod de at a time co ontrols a LUN on o the shared stor rage. This means that anothe er node canno ot see shar red storage, un ntil it becomes s an active nod de. CSV V is a new technology introduced in Windo ows Serv ver 2008 R2, which w enables multiple m nodes s to shar re a single LUN N concurrently y. Each node obta ains exclusive access to indiv vidual files on the LUN N instead of to o the entire LUN. In other wo ords, CSV V provides a so olution so that multiple node es in the cluster can access the same NTFS file syste em simu ultaneously.

In th he first version n in Windows Server S 2008 R2 2, CSV was des signed only for hosting virtu ual machines th hat nabled administrators to hav are running on a Hyper-V serve er in a failover cluster. This en ve a single LUN that t hosts multiple virtual mach hines in a failov ver cluster. Mu ultiple cluster n nodes have ac ccess to the LU UN, but each virtual machine m runs only o on one no ode at a time. I If the node on n which a virtual machine is runn ning fails, CSV V enables the virtual v machine e to restart on a different no ode in the failo over cluster. Add ditionally, this provides simplified disk man nagement for hosting virtual machines, as compared to each virtu ual machine re equiring a sepa arate LUN. In Windows W Serve er 2012, CSV has additional improvements s. It is now pos sible to use CS SV for other ro oles, and not just Hype er-V. For example, you can now n configure the file server r role in failove er clustering in n the Scal le-Out File Ser rver scenario. Scale-Out S File Server is desig gned to provid de scale-out file shares that a are continuously available for file-b based server ap pplication stor rage. Scale-out t file shares provide the abili ity to shar re the same fo older from mul ltiple nodes in the same clus ster. In this con ntext, CSV in W Windows Serve er 2012 introduces support s for a read cache, wh hich can impro ove performanc ce in certain sc cenarios. In add dition, a CSV fil le system (CSV VFS) can perfor rm Chkdsk wit thout impactin ng application ns with open handles on the file e system. Oth her important improvements s in CSV in Win ndows Server 2 2012 are:

CSV proxy file e system (CSVF FS): In the Disk k Managemen t console, CSV V volumes now w appear as CS SVFS. However, this s is not a new file f system. The underlying t technology is s still the NTFS f file system, and s CSVFS, CSVFS volumes are still form matted with NTFS. However,, because volu umes appear as applications can c discover th hat they are ru unning on CSV Vs, which helps s improve com mpatibility. Additionally, because of the e single file na amespace, all f files have the s same name and path on any y node in a cluster. Multisubnet support s for CS SVs: CSVs have been enhance ed to integrate e with SMB Multichannel to help achieve faster r throughput for f CSV volumes.

Support for BitLocker B volum me encryption: Windows Ser rver 2012 supp ports BitLocker volume encryption fo or both traditio onal clustered disks and CSV Vs. Each node p performs decry yption by usin ng the computer acc count for the cluster c itself.

Support for SMB S 3.0 storag ge: SMB 3.0 sto orage is suppo orted for Hyper r-V and applic cations such as s Microsoft SQL Server. Thi is means that, for example, y you can host H Hyper-V virtual machine files s on a shared folder r. Integration with w SMB Multichannel and SMB S Direct: Th his integration allows CSV tra affic to stream across multip ple networks in n the cluster an nd to leverage network adap pters that supp port Remote D Direct Memory Acce ess (RDMA).

Configurin ng Advanced Window ws Server 2012 Ser rvices

Integration with the Stora age Spaces fea ature in Windo ows Server 201 12: This integra ation can prov vide virtualized storage on clu usters of inexpe ensive disks.

Reduced do owntime: CSV in Windows Server 2012 let s you scan and d repair volum mes with zero o offline time.

MCT USE ONLY. STUDENT USE PROHIBITED


5-7

Im mplementin ng CSV

Yo ou can configu ure CSV only when w you create a failover cl luster. After yo ou create the f failover cluster r, you ca an enable CSV V for the cluster, and then ad dd storage to t the CSV.

However, before you can add d storage to the CSV, you mu ust make the L LUN available as shared storage to th he cluster. Whe en you create a failover clust ter, all of the s shared disks th hat you configured in Server r Manager M are ad dded to the clu uster, and you can then add them to a CSV V. If you add m more LUNs to the sh hared storage, you must first t create volum mes on the LUN N, add the stor rage to the clu uster, and then n add th he storage to the t CSV.

As a best practice, you should d configure CSV before you make any virtu ual machines h highly availabl le. However, you can convert fro om regular disk k access to CSV V after deploy yment. The foll lowing conside erations ap pply: When you convert from regular r disk ac ccess to CSV, t his removes th he LUNs drive e letter or mou unt point. This means that yo ou must recrea ate all virtual m machines that a are stored on t the shared sto orage. If you must re etain the same e virtual machi ine settings, co onsider export ting the virtual machines, sw witching to CSV, and d then importing the virtual machines in H Hyper-V. If you have a r You cannot t add shared st torage to CSV if it is in use. I running virtual machine that t is using a clus ster disk, you must m shut dow wn the virtual m machine, and t then add the d disk to CSV.

What W Are Failover F an nd Failback k?


Fa ailover transfers from one no ode to another the re esponsibility fo or providing ac ccess to resour rces in a cluster. Failover r can occur when an adminis strator in ntentionally mo oves resources s to another no ode for maintenance, m or due to unpla anned downtim me of a no ode due to hardware failure or other reaso ons. In ad ddition, service e failure on an n active node can c in nitiate failover to another no ode. A failover attem mpt consists of the following steps: 1. .

The Cluster r service takes all the resourc ces in the instance offline, in an n order that is determined d by the instan nces dependen ncy hierarchy. This T means tha at dependent resources r are t taken offline fi irst, followed b by the resources on source, the Clu which they depend. For example, e if an application de epends on a physical disk res uster service take es the applicat tion offline first, which enabl les the applica ation to write c changes to the e disk before the disk is taken offline. o After all the e resources are e offline, the Cluster C service attempts to tr ransfer the inst tance to the no ode that is listed d next on the instances list of o preferred ow wners.

2. . 3. .

If the Cluste er service succ cessfully moves s the instance to another no ode, it attempt ts to bring all t the resources online. o This tim me, it starts at the t lowermost part of the de ependency hie erarchy. Failove er is complete when w all the resources are on nline on the ne ew node.

MCT USE ONLY. STUDENT USE PROHIBITED

5-8

Implementing Failover Clusterin ng

Onc ce the offline node n becomes s active again, the Cluster ser rvice can fail b back instances that were orig ginally host ted on the offline node. When the Cluster r service fails b back an instanc ce, it uses the s same procedu ures that t it performs during failover. The Cluster se ervice takes al l the resources s in the instanc ce offline, mov ves the instance, and then brings all the resources in the instan ce back online e.

Wh hat Is a Qu uorum?
A qu uorum is the number n of elem ments that must be online for a cluste er to continue running. Each clus ster node is an element, and in effect, each h elem ment can cast one vote to de etermine whet ther the cluster continues to run. If there t is an even num mber of nodes, , then an addit tional element t which is known as s a witnessis assigned to th he clus ster. The witness element can n be either a disk d or a file share. Each voting v elemen nt contains a co opy of the cluster configuration, and d the Cluster serv vice works to keep k all copies synchronized at all time es.

The cluster will sto op providing failover f protection if most of f the nodes fai il, or if there is s a problem wi ith com mmunication between b the clu uster nodes. Without W a quor rum mechanism m, each set of f nodes could continue to opera ate as a failove er cluster. This results in a pa artition within t the cluster. Qu uorum prevent ts two or more m nodes fro om concurrent tly operating a failover cluste er resource. If a clear majority is not achie eved betw ween the node e members, th hen the vote of f the witness b becomes crucia al to maintain the validity of f the clus ster.

Con ncurrent opera ation could occ cur when netw work problems prevent one s set of nodes fr rom communic cating with h another set of o nodes. That is, a situation might occur w where more th han one node t tries to contro ol acce ess to a resour rce. If that reso ource is, for example, a datab base applicatio on, damage su uch as corruption of the database coul ld result. Imagine the conseq quence if two or more instan nces of the sam me database a are mad de available on n the network, , or if data was s accessed and d written to a t target from mo ore than one s source at a time. If the ap pplication itsel lf is not damag ged, the data c could easily be ecome corrupt ted. Because a given cluster c has a sp pecific set of no odes and a spe ecific quorum configuration n, the cluster ca an calc culate the num mber of votes that are require ed for it to con ntinue providing failover pro otection. If the e s running, whi num mber of votes drops d below th he majority, th he cluster stops ich means it w will not provide e failo over protection n if there is a node n failure. Nodes N will still listen for the p presence of ot ther nodes, in c case ano other node app pears again on n the network. However, the nodes will not t function as a cluster until a majority consensu us or quorum is i achieved. Note: A fully functioning cluster depends not just on quorum, but also on the capacity of each h node to support the servic ces and applica ations that fail l over to that n node. For exam mple, a clus ster that has fiv ve nodes could d still have quo orum after two o nodes fail, but each remaining clus ster node woul ld continue serving clients only o if it has en nough capacity y (such as disk space, proc cessing power r, random acce ess memory (R RAM), or netwo ork bandwidth h) to support t the services and applications that t failed ove er to it. An imp portant part of f the design pr rocess is planning each nod des failover capacity. A failov ver node must t be able to ru n its own load d and the load of add ditional resourc ces that might fail over to it.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


5-9

The Process of Achievin ng Quorum

Be ecause a given n cluster has a specific set of f nodes and a s specific quoru m configuratio on, the cluster r so oftware on eac ch node stores s information about a how ma any votes const titute a quorum for that clus ster. If th he number of votes v drops be elow the majority, the cluste er stops providing services. N Nodes will cont tinue to lis sten for incom ming connections from other nodes on por rt 3343, in case e they appear again on the n network, hieved. bu ut the nodes will w not begin to t function as a cluster until quorum is ach Th here are severa al phases a clu uster must com mplete to achie eve a quorum.. As a given no ode comes online, it de etermines whe ether there are e other cluster members, wit th which it can n communicate e. This process s may be in n progress on multiple m nodes s simultaneous sly. After estab blishing comm munication with h other memb bers, the members m comp pare their mem mbership views s of the cluster r until they agr ree on one vie ew (based on timestamps and d other information). A deter rmination is m made whether t this collection of members h has a qu uorum, or has enough mem mbers the total of which creat tes sufficient v votes so that a split scenario cannot ex xist. A split sce enario means that another se et of nodes tha at are in this cluster are runn ning on a part of the ne etwork that is inaccessible to o these nodes. Therefore, mo ore than one n node could be e actively trying g to provide access to t the same clustered resour rce. If there are e not enough votes to achie eve quorum, th he vo oters (the curre ently recogniz zed members of o the cluster) wait for more members to a appear. After a at least th he minimum vo ote total is attained, the Cluster service be egins to bring cluster resourc ces and applic cations in nto service. Wit th quorum attained, the clus ster becomes f fully functiona al.

Quorum Q Modes M in Windows W Se erver 2012 2 Failover C Clustering g

Th he quorum mo odes in Windo ows Server 201 12 fa ailover clusterin ng are the sam me modes that t are present in Wind dows Server 20 008. As before, ,a majority m of vote es determines whether a clus ster ac chieves quorum m. Nodes can vote, and whe ere ap ppropriate, either a disk in cluster storage (known as s a disk witness s) or a file shar re (known as a file sh hare witness) can c vote. There e is also a quor rum mode m called No o Majority: Disk Only, which fu unctions like th he disk-based quorum in Windows Se erver 2003. Other than the No N Majority: Disk Only O mode, the ere is no single e point of failur re with th he quorum mo odes, because only the numb ber of votes is important and d not whether r a particular element is available to vote.

Th he Windows Server 2012 fail lover clustering quorum mo ode is flexible. Y You can choos se the mode b best su uited to your cluster. c Be aware that most of o the time it is s best to use th he quorum mo ode that the cluster so oftware selects s. If you run the Quorum Configuration W izard, the quo orum mode tha at the wizard lists as re ecommended is the quorum mode that the cluster softw ware will choos se. You should d change the q quorum co onfiguration only if you have e determined that t the chang ge is appropria ate for your clu uster. Windows W Server 2012 failover r clustering has four quorum m modes:

Node Majo ority. Each node that is availa able and in com mmunication w with other nod des can vote. T The cluster func ctions only wit th a majority (m more than half f) of the votes. This model is s preferred wh hen the cluster cons sists of an odd d number of se erver nodes, an nd no witness is needed to m maintain or achieve quorum.

MCT USE ONLY. STUDENT USE PROHIBITED

5-10 Implementing Failover Clustering

Node and Disk Majority. Each node plus the disk witness, which is a designated disk in the cluster storage, can vote when they are available and in communication. The cluster functions only with a majority (more than half) of the votes. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the disk witness. Node and File Share Majority. Each node plus the file share witness, which is a designated file share created by the administrator, can vote when they are available and in communication. The cluster functions only with a majority (more than half) of the votes. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the file share witness.

No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage. Only the nodes that are also in communication with that disk can join the cluster.

Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters are based on a simple majority vote model. As long as a majority of the votes are available, the cluster continues to function. For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes is not relevantthe vote could be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is not available. In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are available. This type of quorum also prevents more than one node from assuming the primary role. Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all nodes are still available. In the No Majority: Disk Only mode, the quorum-shared disk is a single point of failure, so this mode is not recommended. When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically selects one of two default configurations. By default, failover clustering selects: Node Majority configuration if there is an odd number of nodes in the cluster. Node and Disk Majority configuration if there is an even number of nodes in the cluster.

Note: You should modify this setting only if you determine that a change is appropriate for your cluster, and only once you understand the implications of making the change.

In addition to planning your quorum mode, you should also consider the capacity of the nodes in your cluster, and their ability to support the services and applications that may fail over to that node. For example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail. However, if you have several applications or services deployed on the cluster, each remaining cluster node may not have the capacity to provide services.

MCT USE ONLY. STUDENT USE PROHIBITED


5-11

Configuring g Advanced Windows s Server 2012 Serviices

Failover Clu uster Netw works


Networks and network n adapters are import tant pa arts of each cluster impleme entation. You cannot c co onfigure a clus ster without co onfiguring the ne etworks that th he cluster will use. A network can pe erform one of the following roles in a clus ster: Private netw work. A private e network carr ries internal cluster communication. By usin ng this network, cluster nodes ex xchange heartbeats and check for f another no ode or nodes. The T failover cluster authentica ates all interna al communica ation. However, administrato ors who are especially concerned about security y may want to restrict internal communication c n to physically y secure netwo orks.

Public netw work. A public network n provid des client syste ems with acce ess to cluster ap pplication serv vices. IP address resources are cre eated on netwo orks that prov ide clients with h access to the e Cluster servic ce. Public-and-private netwo ork. A public-an nd-private net twork (also kno own as a mixe ed network) car rries internal cluster communication and connects clients to cluster app plication service es.

When W you configure network ks in failover clusters, you sho ould also dete ermine which n network to con nnect to th he shared stora age. If you use e iSCSI for the shared storage e connection, the network w will use an IP-b based Et thernet communications net twork. Howeve er, you should not use this n network for node or client co ommunication n. Sharing the iSCSI i network in this manne r may result in n contention and latency issu ues for bo oth users and for the resource that is being provided by y the cluster.

Although not a best practice, you can use the private and d public netwo orks for both c client and node e co ommunication ns. Preferably, you y should de edicate an isola ated network f for the private e node co ommunication n. The reasonin ng for this is sim milar to using a separate Eth hernet network for iSCSI, wh hich is to av void resource bottleneck and d contention issues. The pub blic network is s configured to o enable client t co onnections to the failover clu uster. Although the public n network can pr rovide backup for the private e ne etwork, a bette er design prac ctice is to defin ne alternative n networks for t he primary pri ivate and publ lic ne etworks, or at least team the e network interfaces that are e used for thes se networks. Th he networking g features in Windows W Server r 2012based clusters includ de the followin ng:

The nodes transmit and receive r heartbe eats by using U User Datagram m Protocol (UD DP) unicast, ins stead of UDP broadcast (which wa as used in lega acy clusters). T he messages a are sent on po ort 3343. You can inc clude clustered d servers on di ifferent IP subn nets, which red duces the com mplexity of sett ting up multi-site clusters. c The Failove er Cluster Virtu ual Adapter is a hidden devic ce that is adde d to each nod de when you in nstall the failover r clustering fea ature. The adapter is assigne ed a media acc cess control (M MAC) address b based on the MAC C address that t is associated with the first e enumerated ph hysical networ rk adapter in the node. Failover clu usters fully support IPv6 for both b node-to-node and nod de-to-client co ommunication. .

You can use e Dynamic Ho ost Configuratio on Protocol (D DHCP) to assig gn IP addresses s, or you can a assign and you static IP add dresses to all nodes n in the cl luster. Howeve er, if some nod des have static c IP addresses a configure others o to use DHCP, D the Valid date a Configu uration Wizard d will respond with an error. The cluster IP ad ddress resourc ces are obtaine ed based on th he configuratio on of the netw work interface that is supporting that cluster ne etwork.

MCT USE ONLY. STUDENT USE PROHIBITED

5-12 Implemen nting Failover Cluster ring

Fai ilover Clus ster Storag ge


Mos st failover clustering scenario os require shared stor rage to provide e consistent da ata to a highly y avai ilable service or o application after failover. There T are three shared-s storage option ns for a failove er clus ster: Shared serial attached SCSI (SAS). Shared SAS is the lowest-cost option. However, H share ed SAS is not ver ry flexible for deployment d because the two t cluster nod des must be physically close together. In n addition, the e shared storag ge devices that t are supportin ng shared SAS ha ave a limited number n of connections for f cluster nod des.

iSCSI. iSCSI is a type of storage area netw work (SAN) tha t transmits sm mall computer s system interface (SCSI) comma ands over IP ne etworks. Perfo ormance is acce eptable for mo ost scenarios w when the phys sical medium for data d transmissi ion is between n 1 gigabit per r second (Gbps s) and 10 Gbps Ethernet. Thi is type of SAN is fairly inexpensive to imple ement, because e no specialize ed networking hardware is required. In Windows W Serve er 2012, you ca an implement iSCSI target so oftware on any y server, and present local storage over iSCSI interface to clients.

Fibre Channel. Fibre Channel SANs typica ally have bette er performance e than iSCSI SA ANs, but are m more expensive. Sp pecialized know wledge and ha ardware are re quired to imp lement a Fibre e Channel SAN N.

Note: The Microsoft M iSCSI Software Targ get is now an integrated fea ature in Windo ows Server 2012. This feature e can provide storage s from a server over a TCP/IP netwo ork, including s shared stor rage for applic cations that are e hosted in a failover cluster r. In addition, in Windows Se erver 2012, you can configure e a highly available iSCSI Tar rget Server as a clustered rol le by using Fai ilover Clus ster Manager or o Windows Po owerShell.

Sto orage Requirements


Befo ore choosing the t storage sol lution, you sho ould also be aw ware of the following storag ge requirements:

To use the na ative disk supp port that is included in failov ver clustering, u use basic disks s and not dyna amic disks.

You should fo ormat the part titions with NT TFS. For the dis sk witness, the e partition mus st be NTFS, because FAT is not sup pported. For the partition style of the disk, you can n use either m aster boot rec cord (MBR) or globally uniqu ue identifier (GU UID) partition table (GPT). Because impr rovements in failover f cluster ring require th at the storage e respond corre ectly to specifi ic SCSI comman nds, the storag ge must follow the SCSI Prim mary Command ds-3 (SPC-3) st tandard. In particular, the e storage must t support Persistent Reservat tions, as specif fied in the SPC C-3 standard.

The miniport driver used fo or the storage must work wit th the Storport t storage drive er. Storport off fers a higher perfor rmance archite ecture and bet tter Fiber Chan nnel compatib ility in Window ws operating systems.

MCT USE ONLY. STUDENT USE PROHIBITED


5-13

Configuring Advanced Windows Server 2012 Services

You must isolate storage devices (one cluster per device). You should not allow servers that belong to different clusters to access the same storage devices. You can achieve this by using LUN masking or zoning. This prevents LUNs used on one cluster from being seen on another cluster. Consider using multipath input/output (I/O) software. Cluster nodes commonly use multiple host bus adapters to access storage, and this lets you achieve additional high availability. To be able to use multiple host bus adapters, you must use multipath software. For Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part of the operating system.

MCT USE ONLY. STUDENT USE PROHIBITED

5-14 Implemen nting Failover Cluster ring

Lesson 2

Implem menting g a Failo over Clu uster

Failo over clusters in n Windows Server 2012 have e specific reco ommended har rdware and so oftware configurations tha at enable Micr rosoft to suppo ort the cluster.. Failover clust ters are intend ded to provide a high her level of ser rvice than stan nd-alone serve ers. Therefore, cluster hardwa are requirements are frequently stric cter than requi irements for st tand-alone ser rvers.

This s lesson describ bes how to pre epare for clust ter implementa ation. In this le esson, you will l also discuss t the hard dware, networ rk, storage, infr rastructure, an nd software req quirements for Windows Ser rver 2012 failo over clus sters. Finally, th his lesson also outlines the st teps for using the Validate a Configuration n Wizard to en nsure corr rect cluster con nfiguration, an nd how to mig grate failover c clusters.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Explain how to t prepare for implementing g failover clust tering. Describe hard dware requirem ments for failo over clustering.. Describe netw work requirem ments for failov ver clustering. Describe infra astructure requ uirements for failover f cluste ring. Describe softw ware requirem ments for failov ver clustering. Explain how to t validate and d configure a failover f cluster r. Explain how to t migrate failo over clusters.

Pre eparing fo or Failover Cluster Im mplementa ation

Befo ore you implem ment failover clustering, c you u mus st identify serv vices and applications that yo ou wan nt to make highly available. Failover F cluste ering cannot be applied d to all applica ations, and som metimes, applic cations have th heir own redu undancy mech hanisms. In add dition, you sho ould be aware a that failover clustering g does not pro ovide imp proved scalability by adding nodes. You can only y obtain scalab bility by scaling g up and using g mor re powerful ha ardware for the e individual no odes. Therefore, you should only use failover cluste ering whe en your goal is s high availabil lity, and not scalability. In Windows Server 2012, there is one o exception to this: if you implement File e Services on C CSVs, you can also achie eve a level of scalability. s

Failo over clustering g is best suited d for stateful applications tha at are restricte ed to a single s set of data. On ne exam mple of such an a application is a database. Data is stored d in a single lo ocation and can n only be used d by sults one e database inst tance. You can n also use failov ver clustering for Hyper-V v virtual machine es. The best res for failover f clustering occur whe en the client can reconnect t to the applicat tion automatic cally after failo over. If the client does no ot reconnect au utomatically, then t the user m must restart th he client applic cation. Failo over clustering g uses only IP-based protoco ols and is, ther refore, suited o only to IP-base ed applications. Failo over clustering g now support ts both IPv4 an nd IPv6.

MCT USE ONLY. STUDENT USE PROHIBITED


5-15

Configuring g Advanced Windows s Server 2012 Serviices

Consider the following guidelines when pla anning node ca apacity in a fa ilover cluster:

Spread out the highly ava ailable applications from a fa ailed node. W hen all nodes in a failover cl luster are active, the t highly available services or application ns from a failed d node should d be spread ou ut among the remaining no odes to prevent a single node e from being o overloaded.

Ensure that t each node ha as sufficient idle capacity to service the hig ghly available services or applications that are alloc cated to it whe en another no ode fails. This id dle capacity sh hould be a suff ficient buffer to av void nodes run nning at near capacity c after a failure event t. Failure to pla an resource ut tilization adequately y can result in a decrease in performance p fo ollowing node e failure. ss for Use hardwa are with similar capacity for all nodes in a cluster. This simplifies the planning proces failover, because the failo over load will be b evenly distr ributed among g the surviving g nodes.

Use standby servers to sim mplify capacity y planning. W hen a passive node is includ ded in the clust ter, then all highly av vailable service es or applications from a fai led node can f fail over to the e passive node e. This avoids the need for comp plex capacity planning. p If thi s configuratio n is selected, it is important that the standby y server has su ufficient capaci ity to run the l load from mor re than one no ode failure.

ou should also o examine all cluster c configuration compo nents to ident tify single poin nts of failure. Y You can Yo re emedy many single points of f failure with simple solution ns, such as add ding storage co ontrollers to se eparate an nd stripe disks, or teaming network n adapte ers, and using multipathing software. Thes se solutions re educe th he probability that a failure of o a single dev vice will cause a failure in the e cluster. Typic cally, server cla ass co omputer hardw ware has optio ons for multiple power supp lies for power redundancy, a and for creatin ng re edundant array y of independe ent disk (RAID D) sets for disk data redundan ncy.

Hardware H Requireme R ents for Fa ailover Clus ster Imple ementation n


It is very import tant to make good g decisions s when yo ou select hardw ware for cluste er nodes. Failo over clusters have to o satisfy the fol llowing criteria a to meet m availability y and support requirements: All hardwar re that you select for a failov ver cluster shou uld meet the Certified C for Windows W Server 2012 2 logo requirements. Hardwa are that has this log go has been independently tested t to meet the e highest techn nical bar for reliability, availability, a stability, security, , and platform co ompatibility. This logo also means m that official l support optio ons exist in cas se malfunction ns arise.

You should d install the sam me or similar hardware h on ea ach failover cluster node. Fo or example, if y you choose a sp pecific model of o network ada apter, you sho ould install this s adapter on each of the clus ster nodes.

If you are using u SAS or Fiber Channel st torage connec ctions, the mas ss storage dev vice controllers s that are dedicat ted to the clust ter storage sho ould be identi cal in all cluste ered servers. T They should als so use the same firmware versio on. If you are using u iSCSI stor rage connectio ons, each clust tered server m must have one o or more netwo ork adapters or r host bus adapters dedicate ed to the cluste er storage. The e network that t you use for iS SCSI storage con nnections shou uld not be used for network communicatio on. In all cluste ered servers, the network ad dapters that yo ou use to connect to the iSCS SI storage targ get should be identical, and we recommend d that you use e 1 Gbps Ethernet or more.

MCT USE ONLY. STUDENT USE PROHIBITED

5-16 Implemen nting Failover Cluster ring

After you con nfigure the serv vers with the hardware, h all t ests provided in the Validate e a Configurat tion Wizard must be passed bef fore the cluster is considered d a configurati ion that will be e supported by y Microsoft.

Ne etwork Req quirement ts for Failo over Cluste er Impleme entation


One e of the netwo ork requiremen nts for failover clus ster implement tation is that failover cluster netw work compone ents must have e the Certified for Win ndows Server 2012 2 logo, and d must also pass the tests in the Valida ate a Configura ation Wizard. Add ditionally: ach node should be The network adapters in ea identical and have the same e IP protocol version, speed d, duplex, and flow control capabilities th hat are availab ble. The networks s and network equipment to o which you co onnect the nod des should be redundant so o that even a si ingle failure allows for the n odes to contin nue communic cating with one another. You can use netwo ork adapter teaming to prov vide single net twork redunda ancy. We recommend multiple m netwo orks to provide e multiple pat hs between no odes for inter-node communication. Otherwise, , a warning will generate du ring the valida ation process.

The network adapters in a cluster c networ rk must have th he same IP address assignment method, w which means either that they all use u static IP ad ddresses, or tha at they all use DHCP.

Note: If you u connect clust ter nodes with h a single netw work, the netwo ork passes the e redu undancy requi irement in the Validate a Co onfiguration W Wizard. Howeve er, the report f from the wiza ard will include e a warning th hat the network should not h have single po oints of failure.

Inf frastructur re Requirements for Failover C Cluster Imp plementat tion


Failo over clusters depend d on infr rastructure serv vices. Each h server node must be in the e same Active Dire ectory domain, and if you us se Domain Nam me Syst tem (DNS), the e nodes should d use the same e DNS serv vers for name resolution. r We recommend that you install l the same Win ndows Server 2012 2 features and a roles on each nod de. Inconsistent configuration n on cluster no odes can cause instability and performance issues. In add dition, you should not install the AD DS rol le on any of the cluster nodes, becaus se AD DS has its i own n fault-tolerance mechanism m. If you install the AD DS role on one of the nodes s, you must ins stall it on all no odes. Howeve er, this is not re ecommended.

MCT USE ONLY. STUDENT USE PROHIBITED


5-17

Configuring Advanced Windows Server 2012 Services

You must have the following network infrastructure for a failover cluster:

Network settings and IP addresses. When you use identical network adapters for a network, also use identical communication settings such as speed, duplex mode, flow control, and media type on those adapters. Also, compare the settings between the network adapter and the switch to which it connects, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss might occur, which could adversely affect how the cluster nodes communicate among themselves, with clients or with storage systems.

Unique subnets. If you have private networks that are not routed to the rest of the network infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even if you give each network adapter a unique IP address. In addition, these private network addresses should not be registered in DNS. For example, if you have a cluster node in a central office that uses one physical network, and another node in a branch office that uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This avoids routing loops and other network communications problems if, for example, the segments are accidentally configured into the same collision domain because of incorrect virtual local area network (VLAN) assignments. DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol is a supported configuration. Domain role. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server because AD DS inherently includes its own failover protection mechanism.

Account for administering the cluster. To be able to administer the cluster, you must have an account with appropriate permissions. You must have local administrator rights on all nodes that participate in the cluster. In addition, when you create the cluster, you must have the right to create new objects in domains. You can do this with the Domain Admin account, or you can delegate these rights to another domain account.

In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs in a special context that provides the specific permissions and credentials that are necessary for the service (similar to the local system context, but with reduced credentials). When a failover cluster is created and a corresponding computer object is created in AD DS, that object is configured to prevent accidental deletion. In addition, the cluster Network Name resource has an additional health check logic, which periodically verifies the health and properties of the computer object that represents the Network Name resource.

MCT USE ONLY. STUDENT USE PROHIBITED

5-18 Implemen nting Failover Cluster ring

Sof ftware Req quirement ts for Failo over Cluste er Impleme entation
Failo over clusters re equire that each cluster nod de mus st run the same edition of Windows W Server r 2012. The edition can be either Windows Serv ver 2012 Standard or Windows Serv ver 2012 Datacenter. The nodes n should also a have the same soft tware updates and service pa acks. Dependin ng on the role that will be b clustered, a Windows Server 2012 Server Core installation may also meet the t soft tware requirem ments. In Windows Server 20 012, Serv ver Core is the default install lation option, and ther refore you sho ould consider it t as a cluster node. n How wever, Failover r Clustering can also be insta alled on a full GUI versi ion. It is also importan nt that the sam me version of se ervice packs o or any operatin ng system updates exist on a all nod des that are parts of a cluster r. dows Server 20 012 provides Cluster-Aware C U Updating tech hnology that ca an help Note: Wind you maintain upd dates on cluste er nodes. This feature f will be discussed in m more detail in Lesson 4: Maintaining a Failover Cluster. Each h node must run the same processor p architecture. This m means that eac ch node must have the same e proc cessor family, which might be, b for example e, the Intel Xeo on processor f family with Ext tended Memo ory 64Technology, the AMD Optero on AMD64 fam mily, or the Inte el Itaniumbas sed processor family.

De emonstration: Valida ating and Configurin C ng a Failov ver Cluster r

The Validate a Co onfiguration Wizard W runs test ts that confirm m if the hardwa are and softwa are settings are e com mpatible with failover f cluster ring. Using the e wizard, you c can run the com mplete set of c configuration tests or a subset of the tests. You sho ould run the te ests on servers and storage d devices before you configure e the failo over cluster, an nd again after you make any y major change es to the clust ter. You can ac ccess the test r results in th he %windir%\c cluster\Report ts directory.

Dem monstration n Steps Val lidate and Configure C a Cluster


1. 2. 3. 4. 5. 6. Start the Failo over Cluster Manager M on the e LON-SVR3. Start the Valid date Configura ation Wizard. Review the re eport. Create a new cluster. Add LON-SVR3 L and d LON-SVR4 a as cluster node es. Name the clu uster Cluster1. Use 172.16.0 0.125 as the IP P address.

MCT USE ONLY. STUDENT USE PROHIBITED


5-19

Configuring g Advanced Windows s Server 2012 Serviices

Migrating M Failover F Cl lusters


In n some scenarios, such as rep placing cluster r nodes, or r upgrading to o a newer version of a Windo ows op perating system, you will need to migrate clustered roles or o services from m one cluster to an nother. In Windows Server 2012, 2 it is possi ible to migrate m clustere ed roles and cl luster configur ration from clusters ru unning Window ws Server 2012 2, Windows W Server 2008 R2, or Windows W Serve er 2008. Yo ou can migrate these roles and a configurat tions in on ne of two way ys: Migrate fro om an existing cluster to a ne ew cluster that t is running Wi indows Server 2012: In this scenario, you have e two new cluster nodes runn ning Windows s Server 2012, and you then perform mi ndows Server 2008 or later. igration from an a existing clu uster with node es running Win

Perform an in-place migr ration on a two o-node cluster r: This is a mor re complex sce enario, where y you want to mig grate a cluster r to a new vers sion of the Win ndows operating system. In this scenario, y you do not have ad dditional comp puters for new w cluster nodes s. For example e, you may wan nt to upgrade a cluster that t is currently ru unning on Win ndows Server 2 2008 R2 to a cluster running g Windows Ser rver 2012. To ac chieve this, you u must first rem move resource es from one no ode, and evict that node from a cluster. Nex xt, you perform m a clean insta allation of Win dows Server 2 2012 on that se erver. After Wi indows Server 2012 2 is installed, you y create a on ne-node failov ver cluster, mig grate the clustered services a and applications from the old d cluster node to that failove er cluster, and then remove t the old node f from cluster. The e last step is to o install Windows Server 201 2 on another c cluster node, t together with failover cluster feature, add the se erver to the fa ailover cluster, and run valida ation tests to c confirm that th he overall configuration wor rks correctly.

Th he Cluster Mig gration Wizard d is a tool that lets you perfo orm the migrat tion of clustere ed roles. Becau use the Cluster Migratio on Wizard doe es not copy data from one st torage locatio n to another, y you must copy y or move m data or fo olders (includin ng shared fold der settings) du uring a migrat tion. In additio on, the Cluster Migration M Wizard does not migrate m mount-point informa ation (informat tion about har rd disk drives t that do no ot use drive letters, and are mounted in a folder on ano ther hard disk k drive). Howev ver, it can migrate physical disk res source settings to and from disks that use mount points s.

MCT USE ONLY. STUDENT USE PROHIBITED

5-20 Implemen nting Failover Cluster ring

Lesson 3

Config guring Highly H Availabl A le Appli ications s and Se ervices on a Failo over Cluster

Afte er you have co onfigured your r clustering infrastructure, yo ou should conf figure specific roles or servic ces to first identify th be highly h available. Not all roles s can be cluste ered. Therefore e, you should f he resource that you want to put in n a cluster, and d then verify whether w that re esource is sup ported. In this s lesson, you w will lear rn about config guring roles an nd application ns in clusters, a and you will lea arn about configuring cluste er settings.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe and identify cluste er resources an nd services. Describe the process for clu ustering server r roles. Cluster a file server s role. Explain how to t configure fa ailover cluster properties. Explain how to t manage cluster nodes. Explain how to t configure application failo over settings.

Ide entifying Cluster C Res sources an nd Services s


Clus stered services are services or applications that are made highly available a by ins stalling them on o a failo over cluster. Cl lustered services are active on o one e node, but can n be moved to o another node e. A clus stered service that t contains an a IP address reso ource and a ne etwork name resource (and other o reso ources) is published to a client on the netw work und der a unique se erver name. Be ecause this gro oup of reso ources displays s as a single logical server to o clien nts, it is called a clustered ins stance. Users access appli ications or serv vices on an instance in the same manner as s they would if f the app plications or services were on n a non-cluster red server. Usu ually, applications or users do not know th hat they y are connecting to a cluster r, or the node to which they are connected d.

Reso ources are phy ysical or logical entitiessuc ch as a file sha re, disk, or IP a addressthat the failover cluster man nages. Resourc ces are the mo ost basic and sm mallest config urable units th hat may provid de a service to o clien nts, or may be e important parts of the clust ter. At any tim me, a resource c can run only o on a single nod de in a clus ster, and is online on a node when it provid des its service to that specifi ic node.

Ser rver Cluster Resources


A cl luster resource is any physica al or logical co omponent that t has the follow wing character ristics: It can be brou ught online an nd taken offline. It can be man naged in a serv ver cluster. It can be host ted (owned) by only one nod de at a time.

MCT USE ONLY. STUDENT USE PROHIBITED


5-21

Configuring g Advanced Windows s Server 2012 Serviices

To o manage reso ources, the Clu uster service co ommunicates t to a resource D DLL through a resource mon nitor. When W the Cluster service mak kes a request for a resource, the resource m monitor calls t the appropriat te entry po oint function in the resource e DLL to check k and control t the resource st tate.

Dependent D Resources R

A dependent res source is one that t requires another resourc ce to operate. For example, because a net twork na ame must be associated a with h an IP addres ss, a network n name is consid ered a depend dent resource. Be ecause of this requirement, a network nam me resource de epends on an IP address resource. Depend dent re esources are ta aken offline be efore the resou urces upon wh hich they depend are taken o offline. Similarly, they ar re brought online after the resources r on which w they dep pend are broug ght online. A r resource can sp pecify on ne or more res sources on wh hich it is depen ndent. Resourc ce dependencie es also determ mine bindings. For ex xample, clients s will be bound d to the partic cular IP addres s on which a n network name resource depe ends.

When W you creat te resource de ependencies, co onsider the fac ct that althoug gh some depe endencies are s strictly re equired, others s are not requi ired but are re ecommended. For example, a file share tha at is not a Dist tributed wever, if the d File System (DFS S) root has no required depe endencies. How disk resource that holds the f file sh hare fails, the file f share will be b inaccessible e to users. Ther refore, it is log gical to make t the file share de ependent on the t disk resour rce. A resource can also specify a list of nodes on o which it can n run. Possible nodes and de ependencies ar re im mportant considerations whe en administrat tors organize r resources into groups.

Process P for r Clustering g Server Roles R


Fa ailover clusteri ing supports th he clustering of o se everal Window ws Server roles, , such as File Services, DHCP, and Hyp per-V. To imple ement clusterin ng for a se erver role, or fo or external app plications such h as Microsoft M SQL Server S or Excha ange Server, perform p th he following procedure: 1. . Install the failover f cluster ring feature. Use Server Man nager, dism.exe e, or Windows PowerShell to install the failover f cluster ring feature on all computers that will be cluster members. In Windows Se erver 2012, you u can install roles s and features on multiple se ervers simultaneously from single Server Manager console. Verify confi iguration and create a cluste er with the app propriate node es. Use the Failover Cluster Manager sn nap-in to first validate v a configuration, and d then create a cluster with selected node es.

2. . 3. . 4. . 5. . 6. .

Install the role r on all cluster nodes. Use e Server Manag ger, dism.exe, or Windows P PowerShell to i install the server role r that you want w to use in the cluster. Create a clu ustered applica ation by using the Failover C Cluster Manag ger snap-in. Configure the t application n. Configure options on the application th hat is being use ed in the cluster.

Test failove er. Use the Failover Cluster Management M sn nap-in to test failover by int tentionally mo oving the service from one nod de to another.

After you create e the cluster, you y can monito or its status by y using the Failover Cluster M Management c console, an nd manage av vailable options.

MCT USE ONLY. STUDENT USE PROHIBITED

5-22 Implemen nting Failover Cluster ring

De emonstration: Cluste ering a File e Server Ro ole


Dem monstration n Steps Clu uster a File Server S Role
1. 2. 3. 4. On LON-SVR3, add Cluster r Disk 2 as cluster storage fo or Cluster1. c role. Configure a F File Server for r general use. Configure File Server as a clustered For the Client Access Poin nt name, type AdatumFS A wit th the address s of 172.16.0.5 55. Use Cluster Disk D 2 for the storage for Ad datumFS.

Co onfiguring Failover Cluster C Pro operties


Onc ce you create a cluster, the newly n created clus ster has many properties that you can configure. Whe en you open Cluster C Propert ties, you can configure cluster name or change the name, you y can add various ty ypes of resources such as IP add dress and netw work name to the cluster, and d you can also configure e cluster permissions. By configuring permissions, you de etermine who can have full control over o that speci ific cluster and d who can just read the cluster c configu uration. In addition, you can perform so ome standard man nagement task ks on each clus ster periodically, or on dema and. These tasks range from adding and rem moving cluster nodes, to mod difying the quo orum settings. Some of the m most frequent tly used configuration task ks include: Managing clu uster nodes: Fo or each node in a cluster, yo u can stop clu uster service temporarily, pau use the service, in nitiate remote desktop to the e node, or evic ct the node fro om the cluster r.

Managing clu uster networks s: You can add or remove clu uster networks s, and configur re networks th hat will be dedicated to inter-cluste er communication. Managing pe ermissions: By managing m per rmissions, you can delegate rights to admi inister a cluster. Configuring cluster c quorum m settings: By configuring c qu uorum settings s, you determi ine the way in which quorum m is achieved, as well as who o can have vot te in a cluster. Migrating ser rvices and app plications to a cluster: c You ca an implement existing services to the clust ter and make the em highly avai ilable. Configuring new n services and application ns to work in a cluster: You c can implement t new services to the cluster.

Removing a cluster: c You can remove a clu uster if you de ecide to stop u using clustering g, or if you want to move the cluster to anothe er set of nodes.

You u can perform most of these administrative e tasks by usin ng the Failover r Cluster Mana agement conso ole, or by using u Windows PowerShell. However, H Clus ster.exe, which h was used for r some of thes se tasks in prev vious Win ndows Server operating o syste em versions, is no longer sup pported in Win ndows Server 2012, and is not part t of the default installation.

MCT USE ONLY. STUDENT USE PROHIBITED


5-23

Configuring g Advanced Windows s Server 2012 Serviices

Managing M Cluster No odes


Cluster nodes are mandatory for each cluster. After you create e a cluster and d put it into production, you u might have to t manage cluster no odes occasionally. Yo ou can manag ge cluster node es by using the e Fa ailover Cluster Management t console or Windows W Po owerShell. The ere are three aspects to managing cluster nodes: You can add a node to an n established failover f cluster by selecting s Add Node in the Failover F Cluster Man nagement Act tions pane in the Failover Clu uster Manager r console. The Add Node Wizard prompts yo ou for informat tion about the e additional no ode.

You can pause a node to prevent resou urces from bei ng failed over or moved to t the node. You typically pa ause a node wh hen it is under rgoing mainte nance or troub bleshooting. W When you are pausing a node, you u can choose to t drain roles from f that node e. You can evict a node, which is an irreve ersible process s for a cluster n node. After yo ou evict the node, it must be re-added to the cluster. You ev vict nodes whe en a node is d damaged beyo ond repair, or is no longer need ded in the clus ster. If you evic ct a damaged node, you can n repair or rep place it, and then add it back to th he cluster by using u the Add Node Wizard..

Configuring C g Applicat tion Failov ver Setting gs


Yo ou can adjust failover setting gs, including preferred owners and failback k settings, to control c ho ow the cluster responds whe en the applicat tion or se ervice fails. You u can configur re these setting gs on th he property sheet for the clu ustered service or ap pplication (eith her on the Gen neral tab or on the Fa ailover tab).

MCT USE ONLY. STUDENT USE PROHIBITED

5-24 Implementing Failover Clustering

The following table provides examples that show how these settings work. Setting Example 1: General tab, Preferred owner: Node1 Failover tab, Failback setting: Allow failback (Immediately) Example 2: Failover tab, Maximum failures in the specified period: 2 Failover tab, Period (hours): 6 Result

If the service or application fails over from Node1 to Node2, when Node1 is once again available, the service or application will fail back to Node1.

In a six-hour period, if the application or service fails no more than two times, it will be restarted or failed over every time. If the application or service fails a third time in the six-hour period, it will be left in the failed state. The default value for the maximum number of failures is n-1, where n is the number of nodes. You can change the value, but we recommend a fairly low value so that if multiple node failures occur, the application or service will not be moved between nodes indefinitely.

MCT USE ONLY. STUDENT USE PROHIBITED


5-25

Configuring g Advanced Windows s Server 2012 Serviices

Lesson n4

Maint taining a Failov ver Clus ster

Once O your clust ter infrastructu ure running, it is important t hat you establ lish monitoring g to prevent p possible fa ailures. In addit tion, it is impo ortant that you u have backup and restore p procedures for cluster configuration. Windows W Server 2012 has new w technology that t allows yo u to update cl luster nodes w without downti ime. In th his lesson, you will learn about monitoring failover cluste ers, backing up p and restoring g cluster co onfigurations, and updating cluster nodes.

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Explain how w to monitor failover clusters. Explain how w to back up and a restore a fa ailover cluster configuration n. Explain how w to maintain and troubleshoot failover cl usters. Describe Cluster-Aware Updating. U Updating. Configure Cluster-Aware C

Monitoring M g Failover Clusters

Many M tools are available in Windows W Server r 2012 to o help you monitor failover clusters. c You can use st tandard Windo ows Server too ols such as the Event Viewer and the Performance and Reliability y Monitor M snap-in n to review clu uster event log gs and pe erformance metrics. You can n also use Tr racerpt.exe to export data fo or analysis. Additionally, yo ou can use the Multipurpose In nternet Mail Ex xtension Hyper rtext Markup La anguage (MHT TML)formatte ed cluster co onfiguration re eports and the e Validate a Configuration Wizard W to troubleshoot prob blems with w the cluster configuration n and hardware e changes. Sin nce the cluster..exe command d-line tool is de eprecated in Windows W Serve er 2012, you ca an use Window ws PowerShell instead to perform similar t tasks.

Ev vent Viewer

When W problems s arise in the cluster, use the e Event Viewer to view event ts with a Critica al, Error, or Wa arning se everity level. Additionally, inf formational-le evel events are e logged to the e failover clust tering Operatio ons log, which w can be fo ound in the Eve ent Viewer in the t Applicatio ns and Service es Logs\Micros soft\Windows folder. In nformational-le evel events are e usually comm mon cluster op perations, such h as cluster nodes leaving an nd jo oining the clust ter, or resources going offlin ne or coming o online. In n previous Win ndows Server versions, v event logs were rep plicated to each node in the cluster. This simplified cluste er troubleshoo oting, because you could rev view all event l logs on a singl le cluster node e. Windows W Server 2012 does no ot replicate the event logs b between nodes s. However, the e Failover Clus ster Management M sn nap-in has a Cluster C Events option that e nables you to view and filter events across s all cluster nodes. This T feature is helpful h in corre elating events across cluster r nodes. The Fa ailover Cluster r Management M sn nap-in also pro ovides a Recen nt Cluster Eve ents option th hat will query a all the Error an nd Warning W events s from all the cluster c nodes in the last 24 h hours. You can access additio onal logs, such h as the

MCT USE ONLY. STUDENT USE PROHIBITED

5-26 Implemen nting Failover Cluster ring

Ana alytic and Debu ug logs, in the e Event Viewer. To display th ese logs, modify the view on n the top men nu by sele ecting the Show w Analytic an nd Debug Log gs option.

Win ndows Even nt Tracing

Win ndows event tr racing is a kern nel component that is availa ble early after r startup, and late into shutd down. It is designed to allow a for fast tr racing and delivery of event s, to trace files s and to consu umers. Because e it is desi igned to be fast, Windows event tracing enables only ba asic in-process s filtering of ev vents based on n event attributes. The event trace lo og contains a comprehensive c e accounting o of the failover cluster actions s. Depending o on how w you want to view the data, , use Windows s PowerShell o r Tracerpt.exe to access the information in n the event trace log. Trac cerpt.exe will parse p the event trace logs on nly on the nod de on which it is run. All the individual logs s are colle ected in a central location. To T transform th he XML file int to a text file or an HTML file e that can be ope ened in Windows Internet Ex xplorer, you can parse the XM ML-based file by using the M Microsoft XSL pars sing command d prompt msxs sl.exe tool, and d an XSL style sheet.

Per rformance and a Reliability Monitor r Snap-In


The Performance and Reliability y Monitor snap p-in lets you: Trend applica ation performa ance on each node. n To deter rmine how an application is performing, y you can view and trend specific c information on o system reso ources that are e being used o on each node. Trend applica ation failures and a stability on n each node. Y You can pinpo int when appli ication failures s occur, and match the applic cation failures with other ev vents on the no ode.

Modify trace log settings. You Y can start, stop, s and adjus st trace logs, including their r size and locat tion.

Backing Up and a Restoring Failov ver Cluster r Configur ration


Clus ster configurat tion can be a time-consumin t ng proc cess with many details. Therefore, backing g up your cluster config guration is imp portant. You can c perf form cluster co onfiguration backup b and res store usin ng Windows Se erver Backup or o a non-Micro osoft backup tool. be Whe en you back up the cluster configuration, c awa are of the follo owing: You must test t your backup and recovery process befor re putting a clu uster into production. You must first add the Wind dows Server Backup feature , if you decide e to use it. You u can do this by using Server Manager, M by using u the dism.exe utility, or by using Wind dows PowerSh hell.

Win ndows Server Backup B is the built-in b backup p and recovery y software for Windows Serv ver 2012. To com mplete a succes ssful backup, consider c the fo ollowing:

For a backup to succeed in a failover clus ster, the cluste er must be run ning and must t have quorum m. In other words, enough nodes s must be runn ning and comm municating (pe erhaps with a witness disk o or witness file sh haredepending on the quo orum configur ration,) that th he cluster has a achieved quorum. You must bac ck up all cluste ered applicatio ons. If you clus ter a SQL Serv ver database, y you must have ea backup plan for f the databa ases and config guration outsid de the cluster configuration.

MCT USE ONLY. STUDENT USE PROHIBITED


5-27

Configuring g Advanced Windows s Server 2012 Serviices

If applicatio on data must be b backed up, the disks on w which you stor re the data mu ust be made av vailable to the back kup software. You Y can achiev ve this by runn ning the backu up software fro om the cluster node that owns the t disk resour rce, or by runn ning a backup against the clu ustered resour rce over the ne etwork. If you are using u CSVs, you u can run back kup from any n node that is at ttached to the e CSV volume. The cluster service tracks which cluster configuration is the most re ecent, and it re eplicates that configuratio on to all cluste er nodes. If the e cluster has a witness disk, t the Cluster ser rvice also replicates the configu uration to the witness w disk.

Restoring R a Cluster C
Th here are two ty ypes of restore e:

Non-authoritative restore e. Use a non-authoritative re estore when a single node in n the cluster is damaged or o rebuilt, and the rest of the e cluster is ope erating correct tly. Perform a n non-authoritat tive restore by restoring r the system s recover ry (system stat te) information n to the damag ged node. Wh hen you restart that node, it will jo oin the cluster and receive th he latest cluste er configuratio on automatically.

Authoritativ ve restore. Use e an authoritat tive restore wh hen the cluster r configuration n must be rolle ed back to a previou us point in tim me. For example, use an auth horitative resto ore if an admin nistrator accide entally removed clustered resources or modifie ed other cluste er settings. Perform the auth horitative resto ore by stopping th n performing a system recov he cluster resource on each node, n and then very (system st tate) on a single nod de by using Windows W Server r Backup interf face. After the e restored node restarts the c cluster service, the e remaining clu uster nodes can also start the e cluster servic ce.

Maintainin M g and Trou ubleshoot ting Failov ver Clusters


Cluster validatio on functionalit ty implemente ed in Windows W Server 2012 failover r clustering, pr revents misconfiguratio m ons and non-w working clusters. However, in som me cases you may m still have to t pe erform mainte enance or clust ter troubleshooting. So ome common maintenance tasks can help p you prevent problem ms in cluster co onfiguration: Use the Val lidate a Config guration Wizar rd to highlight co onfiguration is ssues that might cause cluste er problems. Review clus ster events and d trace logs to identify app plication or ha ardware issues that might ca use an unstab ble cluster.

Review hard dware events and a logs to he elp pinpoint sp pecific hardware component ts that might c cause an unstable clu uster. Review SAN N components s, switches, ada apters, and sto orage controlle ers to help identify any pote ential problems.

When W troublesh hooting failove er clusters: Identify the e perceived pro oblem by colle ecting and doc cumenting the e symptoms of f the problem. .

Identify the e scope of the problem so th hat you can un nderstand wha at is being affected by the pr roblem, and the impact of that ef ffect on the ap pplication and the clients.

MCT USE ONLY. STUDENT USE PROHIBITED

5-28 Implemen nting Failover Cluster ring

Collect inform mation so that you can accur rately understa and and pinpo oint the possib ble problem. A After you identify a list of possible problems, you can prioriti ize them by pr robability, or b by the impact of a repair. If you cannot pinpoi int the problem m, you should attempt to re e-create the pr roblem.

Create a sche edule for repairing the problem. For examp ple, if the prob blem only affects a small sub bset of users, you can n delay the rep pair to an off-p peak time so t that you can sc chedule downtime. Complete and d test each rep pair one at a ti ime so that yo ou can identify y the fix.

To troubleshoot t SAN S issues, start by checking g physical conn nections and b by checking ea ach of the hard dware com mponent logs. Additionally, run r the Validat te a Configura ation Wizard to o verify that th he current cluster configuration is st till supportable e. Note: When n you run the Validate V a Con nfiguration Wi izard, ensure that the storage tests that you select can be run on an online failover clu uster. Several o of the storage tests cause loss of serv vice on the clustered disk wh hen the tests are run.

Tro oubleshooting Group and a Resourc ce Failures


To troubleshoot t group g and reso ource failures: Use the Depe endency Viewe er in the Failov ver Cluster Man ap-in to identif fy dependent nagement sna resources. Check the Eve ent Viewer and d trace logs fo or errors from t the dependent resources.

Determine wh hether the pro oblem only hap ppens on a spe ecific node or nodes, by trying to re-creat te the problem on different d nodes s.

Wh hat Is Cluster-Aware e Updating g?


App plying Window ws operating sy ystem updates s to nod des in a cluster r requires extra a attention. If you y wan nt to provide zero z downtime e for a clustere ed role e, you must update cluster no odes manually y one afte er another, and d you must mo ove resources man nually from the e node that yo ou are updatin ng to ano other node. Thi is procedure can be very tim meconsuming. In Windows Server 2012, Microso oft has imp plemented a ne ew feature for automatic update of cluster c nodes. Clus ster-Aware Up pdating (CAU) is a Windows Serv ver 2012 feature that lets administrators update lity during the clus ster nodes auto omatically, wit th little or no lo oss in availabil e update proce ess. During an upd date procedure e, CAU transpa arently takes each cluster no ode offline, inst talls the updat tes and any dep pendent updates, performs a restart if nece essary, brings t the node back k online, and th hen moves to upd date the next node n in a cluster.

For many clustere ed roles, this au utomatic upda ate process trig ggers a planne ed failover, and d it can cause a tran nsient service interruption fo or connected clients. Howeve er, for continuo ously available e workloads in n Win ndows Server 2012such 2 as Hyper-V with live migration n or file server with SMB Transparent Failo over CAU U can orchestrate cluster upd dates with no effect on servi ice availability.

MCT USE ONLY. STUDENT USE PROHIBITED


5-29

Configuring Advanced Windows Server 2012 Services

Cluster Updating Modes


CAU can orchestrate the complete cluster updating operation in two modes:

Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or Windows 8 is called and configured as an orchestrator. To configure a computer as a CAU orchestrator, you must install failover clustering administrative tools on it. The orchestrator computer is not a member of the cluster that is updated during the procedure. From the orchestrator computer, the administrator triggers on-demand updating by using a default or custom Updating Run profile. Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for clusters that are running on Server Core installations of Windows Server 2012.

Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process starts on the node that currently owns the CAU clustered role, and the process sequentially performs updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by using a fully automated, end-to-end updating process. An administrator can also trigger updates on demand in this mode, or use the remote-updating approach, if desired. In the self-updating mode, an administrator can access summary information about an Updating Run in progress by connecting to the cluster and running the Get-CauRun Windows PowerShell cmdlet.

To use CAU, you must install the failover clustering feature in Windows Server 2012, and you must create a failover cluster. The components that support CAU functionality are installed automatically on each cluster node.

You must also install the CAU tools, which are included in the failover clustering Tools (which are also part of the Remote Server Administration Tools (RSAT)). The CAU tools consist of the CAU user interface (UI) and the CAU Windows PowerShell cmdlets. The failover clustering Tools are installed by default on each cluster node when you install the failover clustering feature. You can also install these tools on a local or a remote computer that is running Windows Server 2012 or Windows 8, and that has network connectivity to the failover cluster.

Demonstration: Configuring CAU


Demonstration Steps Configure CAU
1. 2. 3. 4. 5. 6. 7. Make sure that the failover cluster is configured and running on LON-SVR3 and LON-SVR4. Add failover clustering Feature to LON-DC1. Run Cluster-Aware Updating on LON-DC1, and configure it to connect to Cluster1. Preview updates that are available for nodes LON-SVR3 and LON-SVR4. Review available options for the Updating Run profile. Apply available updates to Cluster1 from LON-DC1. After updates are applied, configure Add CAU Clustered Role with Self-Updating Enabled on LON-SVR3.

MCT USE ONLY. STUDENT USE PROHIBITED

5-30 Implemen nting Failover Cluster ring

Lesson 5

Implem menting g a Multi-Site Failover F r Cluste er

In so ome scenarios s, you may hav ve to deploy cluster nodes o n different site es. Usually, you u do this when n you build disaster reco overy solutions s. In this lesson n, you will lear rn about multi i-site failover c clusters, and th he prer requisites for implementing them. You will also learn ab bout synchrono ous and asynchronous replic cation, and the process of o choosing a quorum q mode for multi-site clusters.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe a multi-site failove er cluster. Describe prer requisites for im mplementing a multi-site clu uster. Describe sync chronous and asynchronous replication. Explain how to t choose a qu uorum mode for multi-site c clusters. Describe the process for de eploying multi-site clusters. Describe the challenges for r implementing g multi-site clu usters.

Wh hat Is a Mu ulti-Site Fa ailover Clu uster?


A multi-site m failov ver cluster is a cluster that ha as been extended so o that different t nodes in the same clus ster reside in se eparate physic cal locations. A mul lti-site failover r cluster thereb by provides hig ghly avai ilable services in more than one location. Mul lti-site failover r clusters can solve several sp pecific problems, but the ey also present t specific challenges. In a multi-site failover cluster, each site usually has a se eparate storage e system with replication betw ween the sites. Multi-site clu uster storage repl lication enable es each site to be independe ent, and provides fast access to the local disk. With separate sto orage systems, you cannot sh hare a single d disk betw ween sites.

A multi-site m failov ver cluster has three main ad dvantages in a failover site, a as compared to o a remote ser rver: When a site fails, f a multi-sit te cluster auto omatically fails over the clust tered service o or application t to another site. Because the cluster c configu uration is replic cated automat tically to each cluster node i in a multi-site d standby serv cluster, there is less adminis strative overhe ead than a cold ver, which requ uires you to replicate chan nges manually y.

The automate ed processes in n a multi-site cluster c reduce the possibility y of human error, which is present in manual pro ocesses.

c of a multi-site fai ilover cluster, i it might not be an ideal solu ution Because of increased cost and complexity for every e application or busines ss. When you are a considering g whether to d deploy a multi-site cluster, you should evaluate th he importance e of the applica ations to the b business, the ty ype of applications, and any y alternative solutio ons. Some applications can easily e provide m multi-site redu undancy with l log shipping o or

MCT USE ONLY. STUDENT USE PROHIBITED


5-31

Configuring g Advanced Windows s Server 2012 Serviices

ot ther processes s, and can still achieve sufficient availability y with only a m modest increas se in cost and co omplexity. Examples for this are SQL Serve er log shipping g, Exchange Se erver continuous replication, , and DFS replication. .

Th he complexity of a multi-site e cluster requir res more archi itectural and h hardware plann ning. It also re equires yo ou to develop business processes to test th he cluster func ctionality routi inely.

Prerequisit P es for Imp plementing g a Multi-S Site Failov ver Cluster r


Pr rerequisites for implementat tion of multi-site cluster are diffe erent from thos se for single-si ite cluster impleme entation. It is im mportant to un nderstand wha at you must pr repare before you st tart implement tation of multi i-site cluster. Pr rior to implem menting multi-s site failover clu uster, yo ou must ensur re the following: You must have h enough nodes n and vote es on each site, so o that the clus ster can be onl line even if one site is down. This T setup requires additional hardware, h and can come wit th significant financial f costs. All nodes must m have the same s operatin ng system and service pack v version.

You must provide p at least t one low-latency and reliab ble network co onnection betw ween sites. This s is important for f cluster heartbeats. By def fault, regardle ess of subnet co onfiguration, h heartbeat freq quency (also known n as subnet de elay) is once ev very second (1 1,000 milliseco nds). The rang ge for heartbea at frequency is once every 250-2000 2 millis seconds on a c common subn net, and 250-4,000 millisecon nds across subn nets. By default, when a node misses a seriies of 5 heartb beats, another node will initia ate failover. The range for this value (also known k as subn net threshold) is from 3 through 10.

You must provide p a stora age replication n mechanism. F Failover clustering does not provide any st torage replication mechanism, so o you must provide another r solution. This s also requires that you have e multiple sto orage solutions, one for each h cluster you c create. You must ensure e that all other necessary services for cluster, such a as AD DS and DNS are also available on n a second site e. You must ensure e that clie ent connection ns can be redir rected to a new w cluster node e when failover happens.

MCT USE ONLY. STUDENT USE PROHIBITED

5-32 Implemen nting Failover Cluster ring

Syn nchronous s and Asyn nchronous s Replicatio on


It is not possible for f a geograph hically disperse ed failo over cluster to use shared sto orage between n phy ysical locations. Wide area ne etwork (WAN) links are too slow and have too much h latency to support shared storage. This me eans that you must have separate inst tances of data. To have exac ct copies of data on both sides, ge eographically disp persed failover r clusters must synchronize data d betw ween locations s by using specialized hardw ware. Mul lti-site data rep plication can be b either sync chronous or as synchronous:

When you use synchronous s replication, the host receives a write comple ete response from the prima ary storage aft ter the data is written succes ssfully on both stora age systems. If the data is no ot written succ essfully to bot th storage syst tems, the application must m attempt to o write to the disk again. Wi ith synchronou us replication, both storage systems are id dentical. When you use asynchronou us replication, the node rece eives a write co omplete respo onse from the storage after the data is written successfu ully on the prim mary storage. The data is wr ritten to the secondary sto orage on a diff ferent schedule, depending on the hardwa are or software e vendors implementati ion. Asynchron nous replicatio on can be stora age-based, ho ost-based, or ev ven applicatio onbased. Howev ver, not all forms of asynchro onous replicat tion are sufficie ent for a multi-site cluster. F For example, DFS S Replication provides p file-lev vel asynchrono ous replication n. However, it does not supp port multi-site failover clustering g replication. This T is because e DFS Replicati ion replicates smaller docum ments that are not held h open continuously, and was not desig gned for high-speed, open-f file replication.

Wh hen to Use Synchronou S us or Asynch hronous Rep plication

Use synchronous replication wh hen data loss is s not acceptab ble. Synchrono ous replication solutions requ uire low-disk write late ency, because the applicatio on waits for bo oth storage solutions to ackn nowledge the d data writ tes. The require ement for low w latency disk writes w also limi ts the distance e between the e storage systems, because increased d distance can cause higher latency. If the disk latency is s high, the per rformance and d even the stability of the e application can c be affected d. Asynchronous rep plication overc comes latency and distance l imitations by acknowledging local disk wr rites only y, and by repro oducing the disk write on the remote stora age system in a separate tra ansaction. Beca ause asyn nchronous rep plication writes s to the remote e storage syste em after it writ tes to the loca al storage syste em, the possibility of data d loss durin ng a failure inc creases.

MCT USE ONLY. STUDENT USE PROHIBITED


5-33

Configuring g Advanced Windows s Server 2012 Serviices

Selecting a Quorum Mode for Multi-Site e Clusters


Ea ach failover clu uster must hav ve quorum mo ode de efined, so that t a majority vo ote can be easily de etermined at any a time. For a geographically di ispersed cluste er, you cannot use quorum co onfigurations that t require a shared disk, because ge eographically dispersed clus sters do not us se sh hared disks. Bo oth the Node and a Disk Majority and No Majority: Disk Only quorum modes requ uire a sh hared witness disk d to provide e a vote for de etermining qu uorum. You sho ould only use these t tw wo quorum mo odes if the har rdware vendor r sp pecifically reco ommends and supports them m.

To o use the Node and Disk Ma ajority and No Majority: Disk k Only modes in a multi-site cluster, the sh hared di isk requires that:

You preserv ve the semantics of the SCSI commands ac cross the sites,, even if a com mplete communication failure occu urs between sit tes. You replicate the witness disk in real-time synchrono ous mode acro oss all sites.

Be ecause multi-s site clusters can have WAN failures f in addi ition to node a and local netw work failures, N Node Majority M and No ode and File Share Majority are better solu utions for multi-site clusters. If there is a W WAN fa ailure that caus ses the primary y and seconda ary sites to lose e communicat tion, a majority y must still be av vailable to con ntinue operatio ons.

If there are an odd o number of nodes, then use the Node Majority quor rum. If there is an even number of no odes, which is typical in a ge eographically-d dispersed clus ter, you can use the Node M Majority with F File Sh hare Majority quorum. q

If you are using Node Majorit ty and the sites lose commu nication, you n need a mechanism to determ mine which w nodes rem main in the clu uster, and whic ch nodes leave e the cluster. T The second site e requires ano other vo ote to obtain quorum q after a failure. To ob btain another v vote for quoru um, you must j join another n node to th he cluster, or create a file sha are witness.

Th he Node and File F Share Majo ority mode can n help maintai in quorum wit thout adding a another node t to the cluster. To prov vide for a single e-site failure and enable aut tomatic failove er, the file shar re witness mig ght have to o exist at a thir rd site. In a mu ulti-site cluster r, a single serve er can host the e file share wit tness. However, you must m create a se eparate file sha are for each cl luster. Yo ou must use th hree locations to enable auto omatic failove er of a highly a available servic ce or applicatio on. Lo ocate one nod de in the prima ary location tha at runs the hig ghly available s service or app plication. Locat te a se econd node in a disaster-rec covery site, and d locate the th hird node for t he file share w witness in a diff ferent lo ocation.

Th here must be direct d network k connectivity between all th hree locations. In this manne er, if one site b becomes un navailable, the e two remainin ng sites can still communicat te and have en nough nodes f for a quorum. Note: In Windows W Serve er 2008 R2, ad dministrators c could configure e the quorum to include no odes. However, if the quorum configuratio on included no odes, all nodes s were treated equally ac ccording to their votes. In Windows W Server r 2012, you ca n adjust cluste er quorum sett tings so that when w the cluste er determines whether w it has quorum, som me nodes have a vote and some do not. Th his adjustment t can be useful when you im mplement solut tions across multiple sites.

MCT USE ONLY. STUDENT USE PROHIBITED

5-34 Implemen nting Failover Cluster ring

Pro ocess for Configurin C ng a Multi-Site Failov ver Cluster r


Con nfiguration of multi-site m clust ter is somewha at diffe erent from con nfiguring a single-site cluster. Mul lti-site clusters s are more com mplex to config gure and maintain, and d require more e administrativ ve effo ort to support. High-level ste eps to configur re a mul lti-site cluster are a as follows: 1. Ensure that you have enoug gh cluster nod des on each site. In addition, a ensur re that cluster nodes have similar hardwar re configuratio ons, and have the same version of operating system and se ervice pack.

2.

Ensure that networking bet tween sites is operational, and a that netwo ork latency is acceptable a for r configuring t he cluster. (Yo ou can validate e this by using Valid date Configura ation Wizard in Failover Clus ster Manager.) )

3. 4. 5. 6. 7. 8. 9.

Ensure that you have deplo oyed reliable st torage replicat tion mechanism between sit tes. Also, choo ose the type of replication for use. Ensure that key infrastructu ure services suc ch as AD DS, D DNS, and DHC CP, are present on each site.

Run the Valid date a Configuration Wizard on all of the c cluster nodes t to determine if f your configu uration is acceptable for creating a cluster. Determine the role that you u will configur re in a cluster. Determine the cluster quor rum mode that t you will use. Create a clust tered role. Configure failover/failback settings.

10. Validate failover and failbac ck. You u should be aw ware that multi-site clusters require r more a administrative effort during f failover and failb back. While sin ngle-site cluste er failover/failb back is mostly automatic, wit th multi-site clusters this is n not the case.

Challenges fo or Implem menting a Multi-Site M Cluster


Imp plementing mu ulti-site cluster rs is more complex than n implementin ng single-site clusters, c and ca an also o present sever ral challenges to the adm ministrator. Sto orage and netw work issues are e the mos st challenging aspects of imp plementing multisite clusters. In a multi-site cluster, there is no shared stora age that t the cluster no ode uses. This means that ev very nod de on each site e must have its s own storage instance. On the other o hand, fai ilover clusterin ng doe es not include any a built-in functionality to repl licate data bet tween sites. Th here are three

MCT USE ONLY. STUDENT USE PROHIBITED


5-35

Configuring Advanced Windows Server 2012 Services

options for replicating data: block level hardware-based replication, software-based file replication installed on the host, or application-based replication.

Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does not acknowledge data changes that are made in, for example, Site A until the data successfully writes to Site B. With asynchronous replication, data changes that are made in Site A are eventually written to Site B. When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not find any shared storage, and will therefore not run. However, you can still create a failover cluster. If you follow the hardware manufacturers recommendations for Windows Server failover clustering hardware, Microsoft will support the solution.

Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered application or service to change its IP address based on that IP subnet. DNS updates the clustered applications DNS record so that clients can locate the IP address change. Because clients rely on DNS to find a service or application after a failover, you might have to adjust the DNS records Time to Live setting, and the speed at which DNS data replicates. Additionally, when cluster nodes are in multiple sites, network latency might require you to modify the inter-node communication (heartbeat) delay and timeout thresholds.

MCT USE ONLY. STUDENT USE PROHIBITED

5-36 Implementing Failover Clustering

Lab: Implementing Failover Clustering


Scenario
As A. Datum Corporations business grows, it is becoming increasingly important that many of the applications and services on the network be available at all times. A. Datum has many services and applications that need to be available to their internal and external users who are working in different time zones around the world. Because many of these applications cannot be made highly available by using Network Load Balancing, you will need to use a different technology.

As one of the senior network administrators at A. Datum Corporation, you are responsible for implementing failover clustering on the Windows Server 2012 servers, to provide high availability for network services and applications. You will be responsible for planning the Failover Cluster configuration, and deploying applications and services on the Failover Cluster.

Objectives
Configure a failover cluster with CSV storage. Deploy and configure a highly available file server on the failover cluster. Validate the high availability of the failover cluster and storage. Configure Cluster-Aware Updating on the failover cluster.

Lab Setup
Estimated Time: 60 minutes 20412-LON-DC1 20412-LON-SVR1 20412-LON-SVR3 20412-LON-SVR4 MSL-TMG1

Username: Adatum\Administrator Password: Pa$$w0rd For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: User name: Adatum\Administrator Password: Pa$$w0rd

5. 6.

Repeat steps 2-4 for 20412A-LON-SVR1, 20412A-LON-SVR3 and 20412A-LON-SVR4. For MSL-TMG1, just repeat step 2.

MCT USE ONLY. STUDENT USE PROHIBITED


5-37

Configuring Advanced Windows Server 2012 Services

Exercise 1: Configuring a Failover Cluster


Scenario

A. Datum Corporation has some critical applications and services that they want to make highly available. Some of these services cannot use Network Load Balancing. Therefore, you have decided to implement failover clustering with the use of iSCSI storage, which is already in place. To start this process, you need to implement the core components for failover clustering, validate the cluster, and then create the failover cluster. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. Connect cluster nodes to the iSCSI targets. Install the failover clustering feature. Validate the servers for failover clustering. Create the failover cluster. Configure Cluster Shared Volumes.

Task 1: Connect cluster nodes to the iSCSI targets


1. 2. 3. 4. 5. 6. 7. On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with IP address 172.16.0.21. Connect to the discovered target in the Targets list. Repeat steps 1 and 2 on LON-SVR4. Open Disk Management on LON-SVR3. Bring online and initialize the three new disks. Make a simple volume on each disk and format it with NTFS.

On LON-SVR4, open Disk Management, refresh the console and bring online the three new disks.

Task 2: Install the failover clustering feature


1. 2. On LON-SVR3, install the failover clustering feature by using Server Manager. On LON-SVR4, install the failover clustering feature by using Server Manager.

Task 3: Validate the servers for failover clustering


1. 2. 3. 4. 5. On LON-SVR3, open the Failover Cluster Manager console. Start the Validate a Configuration Wizard. Use LON-SVR3 and LON-SVR4 as nodes for test. Review the report and then close the report.

On the Summary page, remove the check mark next to Create the cluster now using the validated nodes, click Finish.

Task 4: Create the failover cluster


1. 2. 3. 4. On LON-SVR3, in the Failover Cluster Manager, start the Create Cluster Wizard. Use LON-SVR3 and LON-SVR4 as cluster nodes. Specify Cluster1 as the Access Point name. Specify the IP address as 172.16.0.125.

MCT USE ONLY. STUDENT USE PROHIBITED

5-38 Implementing Failover Clustering

Task 5: Configure Cluster Shared Volumes


1. 2. 3. In the Failover Cluster Manager console on LON-SVR3, navigate to Storage->Disks. Locate a disk that is assigned to Available Storage. (If possible use Cluster Disk 2). Add this to Cluster Shared Volumes.

Results: After this exercise, you will have installed and configured the failover clustering feature.

Exercise 2: Deploying and Configuring a Highly Available File Server


Scenario
In A. Datum Corporation, File Services is one of the important services that must be highly available, because it hosts very important data that is being used all the time. After you have created a cluster infrastructure, you decide to configure a highly available file server and implement settings for failover and failback. The main tasks for this exercise are as follows: 1. 2. 3. 4. Add the File Server application to the failover cluster. Add a shared folder to a highly available file server. Configure failover and failback settings. Validate cluster quorum settings.

Task 1: Add the File Server application to the failover cluster


1. 2. 3. 4. 5. Add the File Server role service to LON-SVR3 and LON-SVR4. On LON-SVR3, open the Failover Cluster Manager console. Add File Server as a cluster role. Choose to implement Scale-Out File Server for application data. Specify AdatumFS as Client Access Name.

Task 2: Add a shared folder to a highly available file server


1. 2. 3. 4.

On LON-SVR3, in the Failover Cluster Manager, start a New Share Wizard to add a new shared folder to the AdatumFS cluster role. Specify the profile for the share as SMB Share Quick. Name the shared folder as Data. Enable continuous availability.

Task 3: Configure failover and failback settings


1. 2. 3. 4. Enable failback between 4 and 5 hours. Select both LON-SVR3 and LON-SVR4 as the preferred owners. Move LON-SVR4 to be first in the Preferred Owners list.

On LON-SVR3, in the Failover Cluster Manager, open the Properties for the AdatumFS cluster role.

MCT USE ONLY. STUDENT USE PROHIBITED


5-39

Configuring Advanced Windows Server 2012 Services

Task 4: Validate cluster quorum settings

In the Failover Cluster Manager console, review settings for Quorum Configuration. It should be set to Node and Disk Majority.

Results: After this exercise, you will have deployed and configured a highly available file server.

Exercise 3: Validating the Deployment of the Highly Available File Server


Scenario

In the process of implementing a failover cluster, you want to ensure that cluster s performing correctly, by performing failover and failback tests. The main tasks for this exercise are as follows: 1. 2. Validate the highly available file server deployment. Validate the failover and quorum configuration for the file server role.

Task 1: Validate the highly available file server deployment


1. 2. 3. 4.

On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure that you can access the Data folder. Create a test text document inside this folder. On LON-SVR3, in the Failover Cluster Manager, move AdatumFS to the second node. On LON-DC1, in Windows Explorer, verify that you can still access \\AdatumFS\ location.

Task 2: Validate the failover and quorum configuration for the file server role
1. 2. 3. 4. 5. 6. 7. On LON-SVR3, determine the current owner for the AdatumFS role. Stop the Cluster service on the node that is the current owner of the AdatumFS role. Verify that AdatumFS has moved to another node, and that the \\AdatumFS\ location is still available from the LON-DC1 computer. Start the Cluster service on the node in which you stopped it in step 2. From the Disks node, take the disk witness offline. Verify that the \\AdatumFS\ location is still available from LON-DC1. Bring the disk witness back online.

Results: After this exercise, you will have tested the failover and failback scenarios.

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster


Scenario

Earlier, implementing updates to servers with critical service was causing unwanted downtime. To enable seamless and zero-downtime cluster updating, you want to implement the Cluster-Aware Updating feature and test updates for cluster nodes. The main tasks for this exercise are as follows: 1. Configure Cluster-Aware Updating.

MCT USE ONLY. STUDENT USE PROHIBITED

5-40 Implementing Failover Clustering

2.

Update the failover cluster and configure self-updating.

Task 1: Configure Cluster-Aware Updating


1. 2. 3. 4. On LON-DC1, install the Failover Clustering feature. From Server Manager, open Cluster-Aware Updating. Connect to Cluster1. Preview the updates available for nodes in Cluster1.

Task 2: Update the failover cluster and configure self-updating


1. 2. 3. On LON-DC1, start the update process for Cluster1. After the process is complete, log on to LON-SVR3 with the username as Adatum\Administrator and password as Pa$$w0rd. On LON-SVR3, open Cluster-Aware Updating and configure self-updating for Cluster1, to be performed weekly, on Sundays at 4:00A.M.

Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. 1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR3, 20412A-LON-SVR4 and MSL-TMG1.

Lab Review
Question: What information will you have to collect as you plan a failover cluster implementation and choose a quorum mode? Question: After running the Validate a Configuration Wizard, how can you resolve the network communication single point of failure? Question: In which situations might it be important to enable failback of a clustered application only during a specific time?

MCT USE ONLY. STUDENT USE PROHIBITED


5-41

Configuring Advanced Windows Server 2012 Services

Module Review and Takeaways


Question: Why is using a No Majority: Disk-Only quorum configuration generally not a good idea? Question: What is the purpose of CAU? Question: What is the main difference between synchronous and asynchronous replication in a multi-site cluster scenario? Question: What is the multi-site clusters enhanced feature in Windows Server 2012?

Real-world Issues and Scenarios

Question: Your organization is considering the use of a geographically dispersed cluster that includes an alternative data center. Your organization has only a single physical location together with an alternative data center. Can you provide an automatic failover in this configuration?

Tools
The tools for implementing failover clustering include: Failover Cluster Manager console Cluster-Aware Updating console Windows PowerShell Server Manager iSCSI initiator Disk Management

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED


6-1

Module 6
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview Lesson 1: Overview of Integrating Hyper-V with Failover Clustering Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters Lesson 3: Implementing Hyper-V Virtual Machine Movement Lesson 4: Managing Hyper-V Virtual Environments by Using VMM Lab: Implementing Failover Clustering with Hyper-V Module Review and Takeaways 6-1 6-2 6-7 6-15 6-21 6-31 6-36

Module Overview

One benefit of implementing server virtualization is that it allows you to provide high availability, both for applications or services that have built-in high availability functionality, and for applications or services that do not provide high availability in any other way. With the Windows Server 2012 Hyper-V technology, failover clustering, and Microsoft System Center 2012 - Virtual Machine Manager (VMM), you can configure high availability by using several different options.

In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve high availability for a virtual environment. You will also learn about basic virtual machine features.

Objectives
After completing this module, you will be able to: Describe how Hyper-V integrates with failover clustering. Implement Hyper-V virtual machines on failover clusters. Implement Hyper-V virtual machine movement. Manage a Hyper-V virtual environment by using VMM.

MCT USE ONLY. STUDENT USE PROHIBITED

6-2

Implementing Failover Clusterin ng with Hyper-V

Lesson 1

Overvi iew of Integrat ting Hyper-V w with Failover Clusterin ng


Failo over clustering g is a Windows s Server 2012 feature f that en nables you to make applicat tions or service es high hly available. To T make virtua al machines hig ghly available in a Hyper-V e environment, y you must imp plement failove er clustering on Hyper-V hos st machines.

This s lesson summarizes the high h availability options o for Hyp per-Vbased v virtual machine es, and then fo ocuses on how h failover cl lustering work ks, and how to design and im mplement failo over clustering for Hyper-V.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe options for making virtual mach hines highly av vailable. Explain how failover f cluster ring works with h Hyper-V nod des. Describe new w failover cluste ering features for Hyper-V in n Windows Server 2012. lity in a virtual Describe best t practices for implementing g high availabil l environment. .

Op ptions for Making M Vi irtual Machines High hly Availab ble


Mos st organization ns have some applications th hat are business critical and must be highly availa able. To make m an applic cation highly available, a you must dep ploy it in an environment tha at provides redu undancy for al ll components that the app plication requir res. For virtual machines to be b high hly available, you y can choose e between sev veral options: Host clusterin ng, in which yo ou implement virtualization hosts as a clus stered role Guest clusteri ing, in which you y implement t clustering inside virtual machines Network Load d Balancing (N NLB) inside virt tual machines

Host Clusterin ng

Hos st clustering en nables you to configure c a fai ilover cluster b by using the Hyper-V host se ervers. When y you configure host clu ustering for Hy yper-V, you co onfigure the vir rtual machine as a highly av vailable resourc ce. Failo over protection is implemen nted at the hos st server level. This means th hat the guest o operating syste em and applications that t are runnin ng within the virtual v machin e do not have e to be cluster-aware. Howev ver, the virtual machin ne is still highly y available. Some examples of non-cluster r-aware applications are prin nt serv ver, or proprie etary network-based applications such as a an accounting application. S Should the hos st nod de that controls the virtual machine m unexpectedly becom me unavailable e, the secondary host node assu umes control and a restarts the e virtual machine as quickly as possible.

nother in a controlled mann You u can also mov ve the virtual machine m from one o node in th he cluster to an ner. For example, you could move th he virtual machine from one e node to anot ther while patc ching the host t ope erating system. . The applicatio ons or services s that are runn ning in the virt tual machine d do not have to o be com mpatible with failover f cluster ring, and they do not need t o be aware th at the virtual m machine is

Configuring Advanced Windows Server 2012 Services

clustered. Because the failover is at the virtual machine level, there are no dependencies on software that is installed inside the virtual machine.

MCT USE ONLY. STUDENT USE PROHIBITED


6-3

Guest Clustering

You configure guest failover clustering very similarly to physical server failover clustering, except that the cluster nodes are multiple virtual machines. In this scenario, you create two or more virtual machines, and enable failover clustering within the guest operating system. The application or service is then enabled for high availability between the virtual machines by using failover clustering in each virtual machine. Because you implement failover clustering within each virtual machine nodes guest operating system, you can locate the virtual machines on a single host. This can be a quick and cost-effective configuration in a test or staging environment.

For production environments, however, you can more robustly protect the application or service if you deploy the virtual machines on separate failover clusteringenabled Hyper-V host computers. With failover clustering implemented at both the host and virtual machine levels, you can restart the resource regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as a Guest Cluster Across Hosts. It is considered an optimal high availability configuration for virtual machines that are running critical applications in a production environment. You should consider several factors when you implement guest clustering:

The application or service must be failover clusteraware. This includes any of the Windows Server 2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server and Microsoft Exchange Server.

Hyper-V virtual machines can use Fibre Channelbased connections to shared storage (this is specific only to Microsoft Hyper-V Server 2012), or you can implement internet small computer system interface (iSCSI) connections from the virtual machines to the shared storage.

You should deploy multiple network adapters on the host computers and the virtual machines. Ideally, when using an iSCSI connection you should dedicate a network connection to the iSCSI connection, to the private network between the hosts, and to the network connection used by the client computers.

Network Load Balancing

NLB works with virtual machines in the same manner with which it works with physical hosts. It distributes IP traffic to multiple instances of a TCP/IP service, such as a web server that is running on a host within the NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to access the cluster by using a virtual host name or a virtual IP addresses. From the client computers point of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic increases, you can add another server to the cluster. Therefore, NLB is an appropriate solution for resources that do not have to accommodate exclusive read or write requests. Examples of NLB-appropriate applications are web-based front ends to database applications, or Exchange Server Client Access servers.

When you configure an NLB cluster, you must install and configure the application on all virtual machines. After you configure the application, you install the NLB feature in Windows Server 2012 within each virtual machines guest operating system (not on the Hyper-V hosts), and then configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, which means that the guest operating system is not limited to only Windows Server 2012. Similar to a Guest Cluster Across Host, the NLB resource typically benefits from overall increased input/output (I/O) performance when the virtual machine nodes are located on different Hyper-V hosts.

MCT USE ONLY. STUDENT USE PROHIBITED

6-4

Implementing Failover Clusterin ng with Hyper-V

Note: As with earlier vers sions of Windo ows Server, you u should not im mplement NLB B and failo over clustering g within the same guest oper rating system because the tw wo technologi ies conflict with h one another. .

Ho ow Does a Failover Cluster C Wo ork with Hy yper-V No odes?


Whe en you implem ment failover clustering c and configure virtual machines m as hi ighly available e reso ources, the failover cluster treats the virtua al mac chines like any y other applica ation or service e. Nam mely, if a host fails, failover clustering c will act a to restore access to the t virtual mac chine as quick kly as possible on anoth her host within n the cluster. Only O one e node at a tim me runs the virt tual machine. How wever, you can n also move the virtual mach hine to any a other node e within the same cluster. The failover proce ess transfers th he responsibilit ty of prov viding access to t resources within w a cluster from one e node to another. Failover can c occur when n an administr rator moves re esources to ano other node for r maintenance or other o reasons, or o when unpla anned downtim me of one nod de occurs beca ause of hardwa are failu ure or for othe er reasons. The failover proce ess consists of the following steps: 1.

The node where the virtual machine is running owns th he clustered in nstance of the virtual machin ne, controls access to the share ed bus or iSCSI connection to o the cluster storage, and ha as ownership o of any disks, or logic cal unit numbe ers (LUNs), assi igned to the v virtual machine e. All the node es in the cluste er use a private netw work to send regular r signals, , known as hea artbeat signals s, to one anoth her. The heartb beat signals that a node is functi ioning and com mmunicating o on the networ rk. The default t heartbeat configuration n specifies that t each node se end a heartbea at over TCP/UD DP port 3343 e each second (o or 1,000 millisec conds). Failover starts s when the node hosting the e virtual mach ine does not s send regular he eartbeat signa als over the netw work to the oth her nodes. By default, d this co orresponds to five consecutively missed heartbeats (or 5,000 milliseconds). Failove er may occur b because of a n node failure or r network failure.

2.

3.

When heartbeat signals sto op arriving from m the failed no ode, one of th e other nodes s in the cluster begins taking g over the reso ources that the e virtual machi nes use. You d define the nod de(s) that could d take over by configuring the Pre eferred and Possible P Owne ers properties.. The preferred d owner specif fies the hierarchy y of ownership if there is mor re than one po ossible failover r node for a re esource. By default, all nodes are po ossible owners. . Therefore, rem moving a node as a possible e owner absolu utely excludes it fro om taking ove er the resource e in a failure sit tuation. For ex xample, suppo ose that you implement a failover cluste er by using thre ee nodes. How wever, only two o nodes are co onfigured as preferred owners. During a failover event t, the resource e could still be taken over by y the third nod de if neither of the e preferred ow wners are online. Although th he third node is not configured as a prefer rred owner, as long as it is a pos ssible owner, the failover clu ster can use it t if necessary to o restore access to the resource. Resources are e brought online in order of dependency. For example, i if the virtual m machine references an iSCSI LUN, , access to the appropriate host h bus adapt ters (HBAs), ne etwork(s), and LUNs will be s stored in that order. Failover is com mplete when all a the resource es are online o on the new no ode. For clients s interacting with the resourc ce, there is a sh hort service in terruption, wh hich most user rs will not notic ce.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


6-5

4. .

You can als so configure th he cluster servi ice to fail back k to the offline e node after it again become es active. Whe en the cluster service s fails ba ack, it uses the same procedu ures that it performs during failover. This means that the cluster ser rvice takes offl ine all the reso ources associated with that instance, moves m the instance, and then brings all the resources in t the instance ba ack online.

What W Is Ne ew in Failov ver Clustering for Hyper-V in Windows Server 2012


In n Windows Ser rver 2012, failo over clustering is much m improved d with respect to Hyper-V clu usters. So ome of the mo ost important improvements s are: Failover clu ustering now su upports up to 4,000 virtual machines, and the e improved Failover Cluster Man nager snap-in simplifies man naging many virtua al machines. Administrat tors can now perform p multis select actions to queue q live mig grations of multiple virtual machines, instead of one by one e as in earlier versi ions.

Administrat tors can also configure c the virtual v machine e priority attrib bute to contro ol the order in which virtual machines are start ted. Priority is also used to e nsure that low wer-priority vir rtual machines automatica ally release reso ources to high her priority virt tual machines as needed.

The Cluster r Shared Volum me (CSV) featu ure, which simp plifies the conf figuration and d operation of virtual machines, can c help impro ove security an nd performanc ce. It now supp ports scalable file-based serv ver application storage, incre eased backup and a restore an nd single consi istent file namespace. In add dition, you can now protect CSV V volumes by using u Windows s BitLocker Drive Encrypti ion, and by configuring g the CSV volumes to make storage s visible e to only a sub bset of nodes.

Virtual mac chine application monitoring g. You can now w monitor serv vices that are r running on clu ustered toring virtual machines. In cluste ers running Windows Server r 2012, administrators can co onfigure monit of services on clustered virtual v machine es that are also o running Win ndows Server 2 2012. This functionalit ty extends the high-level mo onitoring of vir rtual machines s that is implem mented in Win ndows Server 2008 8 R2 failover cl lusters. You can no ow store virtual machines on server messag ge block (SMB B) file shares in n a file server cluster. cluster This is a new w method for providing highly available v virtual machine es. Instead of c configuring a c between Hy yper-V nodes, you can now have Hyper-V V nodes out of cluster, but w with virtual mac chine files on a highly available e file share. To make this wor rk, you should d deploy a file server cluster in a scale-out file server mode e. Scale-out file servers can a also use CSV f for storage.

MCT USE ONLY. STUDENT USE PROHIBITED

6-6

Implementing Failover Clusterin ng with Hyper-V

Best Practice es for Impl lementing High Ava ailability in n a Virtual Environment
Afte er you determi ine which applications you want w to deploy d on high hly available fa ailover clusters, you can plan and deploy the failove er clustering environment. Con nsider the follo owing reco ommendations s when you im mplement the failo over cluster: s Server 2012 as a the Hyper-V V Use Windows host. Window ws Server 2012 provides enhancement ts such as Hyp per-V 3.0, impr roved CSVs, virtual machine m migra ations, and oth her features that improve flexib bility and performance when you imp plement host failover cluste ering.

Plan for failov ver scenarios. When W you des sign the hardw ware requireme ents for the Hy yper-V hosts, m make sure that you include the hardware capac city that is req uired when ho osts fail. For ex xample, if you deploy a six-n node cluster, you y must deter rmine the num mber of host fa ailures that you want to accommodate. If you decid de that the clus ster must susta ain the failure of two nodes, , then the four r remaining no odes must have e the capacity to run all of th he virtual mac chines in the cluster. mize the failov Plan the netw work design for failover clust tering. To optim ver cluster per rformance and d failover, you should s dedicat te a fast netwo ork connection n for internode e communicat tion. As with ea arlier versions, this network should be logically y and physically y separate from the network k segment(s) u used by clients to communicate c with the cluste er. You can als so use this netw work connecti ion to transfer r virtual machin ne memory du uring a live mig gration. If you u are using iSC SI for any virtu ual machines, a also dedicate a ne etwork connection to the iSC CSI network co onnection. Plan the share ed storage for r failover cluste ering. When yo ou implement t failover cluste ering for Hype er-V, the shared sto orage must be e highly availab ble. If the shar red storage fails, the virtual m machines will a all fail, even if th he physical nod des are functio onal. To ensure e storage avail lability, plan fo or redundant connections to t the shared storage s and re edundant array y of independe ent disks (RAID D) redundancy y on the storage device. d

Use the recom mmended failo over cluster qu uorum mode. I If you deploy a cluster with an even numb ber of nodes, and sh hared storage is available to the cluster, th he Failover Cluster Manager automatically selects the No ode and Disk Majority M quoru um mode. If yo ou deploy a cluster with an o odd number o of nodes, the Fa ailover Cluster Manager auto omatically sele cts the Node M Majority quoru um mode. You u should not modify m the defa ault configurat tion unless you u understand t the implication ns of doing thi is. Deploy standardized Hyper r-V hosts. To simplify the de ployment and d management t of the failove er cluster and Hyper-V nodes, , develop a sta andard server h hardware and software platf form for all no odes. Develop standard managem eploy multiple ment practices s. When you de e virtual machi ines in a failov ver cluster, you in ncrease the risk that a single e mistake may shut down a large part of th he server deployment. For example, if i an administr rator accidenta ally configures s the failover c cluster incorrec ctly, and the cluste er fails, all virtu ual machines in the cluster w will be offline. To avoid this, develop and istrative tasks. thoroughly te est standardize ed instructions s for all admini

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


6-7

Lesson n2

Imple ementin ng Hype er-V Vir rtual Ma achines s on Fail lover Cluste ers

Im mplementing highly h available virtual mach hines is somew what different f from implementing other ro oles in a fa ailover cluster. Failover cluste ering in Windo ows Server 201 12 provides ma any features fo or Hyper-V clu ustering, in n addition to to ools for virtual l machine high h availability m management. In this lesson, y you will learn h how to im mplement high hly available virtual machines.

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Describe co omponents of a Hyper-V cluster. lover clusters. Describe pr rerequisites for implementing Hyper-V fail Implement failover cluste ering for Hyper-V virtual ma chines. Configure CSVs. C Implement highly availab ble virtual machines on SMB 3.0 file shares s. Describe co onsiderations for f implementing Hyper-V v virtual machine es in a cluster.

Componen C nts of Hype er-V Cluste ers


Hyper-V as a ro ole has some sp pecific require ements fo or cluster comp ponents. To fo orm a Hyper-V V cluster, you must have at leas st two physical nodes. Whereas W other clustered roles s (such as Dynamic Host Configurat tion Protocol (DHCP) ( file ser rver) allow for nodes to be virtual machines, m Hyp per-V no odes must be composed of physical hosts. You ca annot run Hyp per-V inside a virtual v machine on a Hyper-V host.

In n addition to having h nodes, you y must also have physical and vir rtual networks. . Failover clust tering re equires a network for interna al cluster co ommunication n, and also a ne etwork for clie ents. You can a also implement a storage network separate ely, de epending on the t type of sto orage that you are using. Aga ain, specific to o the Hyper-V role, you shou uld also co onsider virtual networks for clustered virtu ual machines. I t is important that you creat te the same virtual ne etworks on all physical hosts s that participa ate in one clus ster. Failure to do this will ca ause a virtual m machine to o lose network k connectivity when w moved from f one host to another.

ustering. You c can use any ty St torage is an im mportant comp ponent of virtu ual machine clu ype of storage that is su upported by Windows W Server 2012 failover clustering. As s a best practic ce, you should d configure sto orage as a CSV. This is discussed furthe er in a followin ng topic within n this module. Virtual machine es are components of a Hype er-V cluster. In n the Failover C Cluster Manag ger, you can cr reate ne ew highly available virtual machines, m or yo ou can make e existing virtual machines high hly available. In both ca ases, the virtua al machine storage location must be on sh hared storage t that all nodes can access. Ho owever, yo ou might not want w to make all virtual mac chines highly a available. In Failover Cluster Manager, you can se elect which virt tual machines that you want t to be part of f a cluster conf figuration.

MCT USE ONLY. STUDENT USE PROHIBITED

6-8

Implementing Failover Clusterin ng with Hyper-V

Pre erequisites s for Imple ementing Hyper-V C Clusters


To deploy d Hyper-V on a failover cluster, you must m ensu ure that you meet m the hardw ware, software, , acco ount, and netw work infrastruc cture requirem ments as detailed d in the following sect tions.

Hardware Req quirements for f Failover r ustering with Hyper-V Clu


You u must have the following ha ardware for a twot nod de failover clus ster:

Server hardware. Hyper-V requires r an x64 4based processor, hardware-assisted virtualization, , and hardware e-enforced Da ata Execution Pre evention (DEP) ). As a best pra actice, the serv vers should hav ve similar hard dware. If you a are using Window ws Server 2008 8, the processo ors on the serv vers must be th he same versio on. If you are u using Windows Serv ver 2008 R2 or Windows Ser rver 2012, the processors mu ust use the sam me architectur re.

Note: Micro osoft supports s a failover clus ster solution o only if all the hardware featu ures are rked as Certifi ied for Window ws Server. Additionally, the complete con nfiguration (servers, mar netw work, and stor rage) must pas ss all tests in th he Validate Thi is Configuratio on wizard, which is included in the Fa ailover Cluster Manager snap p-in.

Network adap pters. As with the other features in the fail lover cluster so olution, the ne etwork hardwa are must be mark ked as Certifie ed for Window ws Server. To p provide netwo ork redundanc cy, you can con nnect cluster nodes s to multiple, distinct d networ rks, or you can n connect the n nodes to one n network that u uses teamed netw work adapters, redundant swi itches, redund ant routers, or r similar hardw ware to remove e single points of failure. As a best practice e, you should c configure mult tiple network a adapters on th he host compute er that you con nfigure as a clu uster node. Yo ou should conn nect one netw work adapter to o the private netwo ork that the int ter-host comm munications us ses. Storage adap pters. If you use e a Serial Attac ched SCSI (SAS S) or Fibre Cha annel, the mas ss-storage device controllers in all clustered servers s should be identical a nd should use e the same firm mware version. . If you are using g iSCSI, each clustered server r should have o one or more n network adapt ters that are dedicated to the cluster sto orage. The netw work adapters s that you use to connect to the iSCSI stora age target should d be identical, and a you should use a gigab it Ethernet or faster network k adapter.

Storage. You must use shar red storage tha at is compatib ble with Windo ows Server 201 12. If you deplo oy a failover cluste er that uses a witness w disk, th he storage mu ust contain at l east two separate volumes ( (or LUNs). One volume functions as the witness disk, and a additional volu umes contain t the virtual mac chine files that are shared s betwee en the cluster nodes. n Storage e consideratio ons and recommendations in nclude the following: o o o Use basic c disks, not dyn namic disks. Fo ormat the disk ks with the NTFS file system. Use eithe er master boot t record (MBR) ) or GUID part ition table (GP PT). If you are e using a stora age area netwo ork (SAN), the miniport drive er that the storage uses mus st work with h the Microsof ft Storport storage driver.

Configurin ng Advanced Window ws Server 2012 Ser rvices

Consider using multipath I/O softw ware: If your SA AN uses a high hly available network design n with redund dant compone ents, you can deploy d failover r clusters with multiple host bus adapters b by using t level of redundancy and av multipa ath I/O softwa are. This provid des the highest vailability. For Windows Server 2008 8 R2 and Wind dows Server 20 012, your mult tipath solution n must be base ed on Multipath I/O (MPIO O).

MCT USE ONLY. STUDENT USE PROHIBITED


6-9

Software Req quirements for Using Hyper-V H and d Failover C Clustering


Th he following are the softwar re requirement ts for using Hy yper-V and fail lover clustering:

All the serv vers in a failove er cluster must t run the x64-b based version of Windows Server 2012 Sta andard The nodes in a single failove Edition or Windows W Serve er 2012 Datace enter Edition. T er cluster cann not run different ve ersions. All the serv vers should hav ve the same so oftware update es and service packs. All the serv vers must be in nstalled as a Fu ull installations s or Server Cor re installations s.

Network N Infr rastructure Requirements

Th he following network n infrast tructure is requ uired for a failo over cluster an nd an administ trative account with th he following do omain permiss sions: Network se ettings and IP addresses. a Use e identical com mmunication se ettings on all n network adapt ters, including th he speed, duplex mode, flow w control, and media type se ettings. Ensure e that all netwo ork hardware supports the sa ame settings. If you use private p networ rks that are not t routed to yo our whole netw work infrastruc cture for communica ation between cluster nodes, ensure that e each of these p private networ rks uses a uniq que subnet.

DNS. The se ervers in the cluster must use Domain Nam me System (DN NS) for name r resolution. You u should use the DNS dynamic upd date protocol. . Domain rol le. All servers in the cluster must m be in the same Active D Directory Dom main Services (AD DS) domain. As s a best practic ce, all clustered d servers shou ld have the same domain ro ole, either mem mber server or do omain controller. The recom mmended role is member ser rver. You should avoid instal lling cluster nodes on domain controllers be ecause AD DS has its own hig gh availability mechanism. Account for administering the cluster. When W you first t create a clust ter or add serv vers to a cluste er, you must be log gged on to the e domain with h an administra ators account on all the clus sters servers. Additionally y, if the account is not a Dom main Admins a account, the a ccount must h have the Creat te Computer Objects perm mission in the domain. d

Im mplement ting Failov ver Clustering for Hy yper-V Virt tual Machi ines
To o implement failover clustering for Hyper-V virtual machines, you must co omplete the fo ollowing hi igh-level steps s: 1. . Install and configure c the required versions of Windows Server 2012. Af fter you compl lete the installation, , configure the e network settings, join the com mputers to an Active Directo ory domain, an nd configure th he connection to the shared stor rage.

MCT USE ONLY. STUDENT USE PROHIBITED

6-10 Implementing Failover Clustering with Hyper-V

2. 3. 4.

Configure the shared storage. You must use Disk Manager to create disk partitions on the shared storage.

Install the Hyper-V and failover clustering features on the host servers. You can use Server Manager in the Microsoft Management Console (MMC) or Windows PowerShell for this. Validate the cluster configuration. The Validate This Cluster wizard checks all the prerequisite components that are required to create a cluster, and provides warnings or errors if any components do not meet the cluster requirements. Before you continue, resolve any issues that the Validate This Cluster wizard identifies.

5.

Create the cluster. Once the components pass the Validate This Cluster wizard, you can create a cluster. When you configure the cluster, assign a cluster name and an IP address. A computer account for the cluster name is created in the Active Directory domain, and the IP address is registered in DNS.

Note: You can enable clustered shared storage for the cluster only after you configure the cluster. If you want to use CSV, you should configure CSV before you proceed to the next step. 6.

Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure that all files that are associated with the virtual machineincluding both the virtual hard disk and virtual machine configuration filesare stored on the shared storage. You can create and manage virtual machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual machine by using Failover Cluster Manager, the virtual machine is made highly available automatically.

7.

Make the virtual machine highly available. To make the virtual machine highly available, in the Failover Cluster Manager, select the option to make a new service or application highly available. The Failover Cluster Manager then displays a list of services and applications that you can make highly available. When you select the option to make virtual machines highly available, you can select the virtual machine that you created on shared storage.

Note: When you make a virtual machine highly available, a list displays of all virtual machines that are hosted on all cluster nodesincluding virtual machines that are not stored on the shared storage. If you make a virtual machine that is not located on shared storage highly available, you receive a warning, but Hyper-V will add the virtual machine to the services and applications list. However, when you try to migrate the virtual machine to a different host, the migration will fail. 8.

Test virtual machine failover. After you make the virtual machine highly available, you can migrate the computer to another node in the cluster. If you are running Windows Server 2008 R2 or Windows Server 2012, you can select to perform a quick migration or a live migration.

MCT USE ONLY. STUDENT USE PROHIBITED


6-11

Configuring g Advanced Windows s Server 2012 Serviices

Configuring C g CSVs
Yo ou do not hav ve to configure e and use CSV when yo ou implement high availability for virtual machines m in Hyper-V. In fact, you can config gure a Hyper-V cluster r without using g CSV. Howeve er as a be est practice, yo ou use CSV du ue to the follow wing ad dvantages: UNs for the dis sks. You can us se CSV Reduced LU to reduce the number of LUNs that you ur virtual machines require. When you con nfigure a CSV, you can store multiple virtual machines on a single LUN, and multiple host com mputers can access the same LUN N concurrently.

Better use of o disk space. Instead of plac cing each virtu ual hard disk (..vhdx) file on a separate disk k with empty spac ce so that the .vhdx . file can expand, e you ca an oversubscri ibe disk space by storing mu ultiple .vhdx files on o the same LU UN.

Virtual mac chine files store ed in a single logical locatio n. You can track the paths o of .vhdx files an nd other files that vir rtual machines s use. Instead of o using drive letters or GUIDs to identify disks, you can n specify ears in the \ClusterStorage f the path na ames. When yo ou implement CSV, all added d storage appe folder. The \Cluste erStorage folde er is created on the cluster n nodes system folder, and yo ou cannot mov ve it. This means that all Hyper r-V hosts that are members of the cluster must use the s same drive lett ter as their system m drive, or virtual machine fa ailovers will fa il. No specific hardware requirements. CSV V implementa ation does not have specific hardware requiremen nts. You can im mplement CSV on any suppo orted disk conf figuration, and d on either the e Fibre Channel or iSCSI SANs.

Increased resiliency. CSV increases resiliency because e the cluster ca an respond cor rrectly even if connectivity y between one e node and the SAN is interr rupted, or part t of a network k is down. The cluster reroutes the traffic to the e CSV through an intact part t of the SAN or network.

Im mplementin ng CSV

After you create e the failover cluster, c you can enable CSV for the cluster r, and then add d storage to th he CSV.

Be efore you can add storage to o the CSV, the e LUN must be e available as s hared storage e for the cluster. When yo ou create a failover cluster, all a the shared disks d that are c configured in Server Manager are added t to the cluster, and you u can then add d them to a CS SV. If you add m more LUNs to the shared sto orage, you mu ust first cr reate volumes on the LUN, add a the storage to the cluste er, and then ad dd the storage e to the CSV. As a best practice, you should d configure CSV before you make any virtu ual machines h highly availabl le. However, you can convert fro om regular disk k access to CSV V after deploy yment. When implementing CSV, th he following co onsiderations apply: a

The LUNs drive d letter or mount point is removed wh hen you convert from regula ar disk access t to CSV. This means that you must re-create all virtual machin nes that are sto ored on the sh hared storage. If you must keep the same virtu ual machine se ettings, conside er exporting th he virtual machines, switchin ng to CSV, and th hen importing the virtual ma achines in Hyp per-V. Addition nally, consider using the stor rage migration option o that is available a in the e Hyper-V role e in Windows S Server 2012.

You cannot t convert share ed storage to CSV. C If you hav ve any single r running virtual machine that t uses a cluster disk k, you must shu ut down the vi irtual machine e, and then add d the disk to C CSV.

MCT USE ONLY. STUDENT USE PROHIBITED

6-12 Implemen nting Failover Cluster ring with Hyper-V

Implementin ng Highly Available A Virtual V Ma achines on n an SMB 3 3.0 File Sha are
In Windows W Serve er 2012, you ca an use a new tech hnique to mak ke virtual mach hines highly avai ilable. Instead of using host or guest cluste ering, you can now store e virtual machine files on a high hly available SMB 3.0 file sha are. By using th his app proach, high av vailability is achieved not by clus stering Hyper-V V nodes, but by b file servers that t host t virtual machi ine files on the eir file shares. With W this new capability, Hyper-V can n store all virtu ual mac chine files, including configu uration, .vhdx files, f and snapshots, on n highly available SMB 3.0 fil le shar res. This s technology re equires the fol llowing infrast tructure: One or more computers that are running g Windows Ser rver 2012 with the Hyper-V r role installed.

One or more computers that are running g Windows Ser rver 2012 with the File and S Storage Service es role installed. Domain mem mbers in the Ac ctive Directory y infrastructure e. The servers r running AD DS S do not need to run Windows s Server 2012.

Befo ore you implem ment virtual machines m on an n SMB 3.0 file s share, configure a file server r cluster. To do o this, you should have at a least two clu uster nodes, bo oth with file se ervices and fai lover clusterin ng installed on them m. In the Failover Clustering console, creat te a scale-out file server clus ster. After you configure the e clus ster, deploy the e new SMB file e share for app plications. This s share stores v virtual machine files. When t the shar re is created, you y can use the Hyper-V Ma anager to depl oy new virtual l machines on the SMB 3.0 f file shar re, or you can migrate existing virtual mac chines to the S SMB file share by using the s storage migrat tion met thod.

De emonstration: Implem menting Virtual V Mac chines on Clusters (o optional)


In th his demonstration, you will see s how to imp plement virtua al machines on n a failover clu uster. s demonstratio on, ensure that t LON-HOST1 is the owner o of the Note: Before starting this Clus sterVMs disk. If it is not, then n move the Clu usterVMs reso urce to LON-H HOST1 before doing this proc cedure.

Dem monstration n Steps Mo ove virtual machine m sto orage to the e iSCSI targe et
On LON-HOS ST1, open Windows Explorer r, browse to E:\ \Program File es\Microsoft Learning \20412\2041 12A-LON-COR RE\Virtual Ha ard Disks, and then move 20 0412A-LON-C CORE.vhd to t the C:\ClusterSto orage\Volume1 location.

Con nfigure the machine as s highly ava ailable


1. 2. In Failover Cluster Manager r, click Roles, and a then start the New Virtu ual Machine W Wizard. In the New Virtual Machine e Wizard, use the t following s settings: o Cluster node: LON-HO OST2.

MCT USE ONLY. STUDENT USE PROHIBITED


6-13

Configuring g Advanced Windows s Server 2012 Serviices

o o o o 3. .

Compu uter name: Tes stClusterVM Store the file at C:\ClusterStorage e\Volume1. or TestClusterV VM: 1536 MB RAM fo Connec ct machine to existing virtua al hard disk dri ive 20412A-LO ON-CORE.vhd located at C:\Clus sterStorage\V Volume1.

From the Roles R node, sta art the virtual machine. m

Considerat C ions for Im mplementi ing Hyper-V Clusters


By y implementin ng host failover clustering, yo ou can make m virtual ma achines highly available. How wever, im mplementing host h failover clustering also adds a significant cost and complexit ty to a Hyper-V V de eployment. Yo ou must invest in additional server ha ardware to pro ovide redunda ancy, and you should s im mplement or have access to a shared stora age in nfrastructure. Consider the following recom mmendations to o en nsure that the failover cluste ering strategy meets th he organizations requiremen nts:

Identify the e applications or o services tha at require high availability. Unless U you hav ve the option of making all v virtual machin nes highly available, you must develop d priorities for which applications a yo ou will make highly available e.

Identify the e components that must be highly availab le to make the e applications highly availab ble. In some cases s, the applicatio on might run on o a single ser rver, and maki ing that server r highly availab ble is all that you ha ave to do. Othe er applications s may require that several se ervers and com mponents such h as storage or the t network, be b made highly y available. In addition, ensu ure that the do omain controll lers are highly avail lable, and that t you have at least one doma ain controller on separate hardware or virtualizatio on infrastructure. Identify the e application characteristics. You must und derstand sever ral aspects abo out the applica ation. o Is virtualizing the ser rver that is running the appli ication an opti ion? Some app plications are n not suppor rted in or recommended for a virtual envir ronment. What options o are ava ailable for mak king the applic cation highly a available? You can make som me applica ations highly available through options oth her than host clustering. If o other options a are availab ble, evaluate th he benefits and d disadvantage es of each opt tion.

What are a the perform mance requirements for each h application? ? Collect performance inform mation on the servers curren ntly running th he applications s to gain an un nderstanding o of the hardwar re require ements that are required when you virtual ize the server.

What capacity c is requ uired to make the Hyper-V v virtual machin nes highly available? As soon n as you identify y all the applic cations that yo ou must make highly availab ble by using ho ost clustering, y you can start to o design the ac ctual Hyper-V deployment. B By identifying the performan nce requireme ents and networ rk and storage e requirements s for applicatio ons, you can de efine the hardware that you have to implem ment for all the e applications in a highly ava ailable environ nment.

MCT USE ONLY. STUDENT USE PROHIBITED

6-14 Implementing Failover Clustering with Hyper-V

Live migration is one of the most important aspects of Hyper-V clustering. You use the Live Migration feature in Windows Server 2012 to perform live migrations of virtual machines. When implementing live migration, consider the following:

Verify basic requirements. Live migration requires that all hosts be part of a Windows Server 2012 failover cluster, and that the host processors have the same architecture. All hosts in the cluster must have access to shared storage, which meets the requirements for CSV.

Configure a dedicated network adapter for the private virtual network. When you implement failover clustering, you should configure a private network for the cluster heartbeat traffic. You use this network to transfer the virtual machine memory during a failover. To optimize this configuration, configure for this network a network adapter that has a capacity of one gigabit per second (Gbps) or higher.

Note: You must enable the Client for Microsoft Networks component, and the File and Printer Sharing for Microsoft Networks component, for the network adapter that you want to use for the private network.

Use similar host hardware. As a best practice, all failover cluster nodes should use the same hardware for connecting to shared storage, and all cluster nodes must have processors that have the same architecture. Whereas you can enable failover for virtual machines on a host with different processor versions by configuring processor compatibility settings, the failover experience and performance is more consistent if all servers have similar hardware. Verify network configuration. All nodes in the failover cluster must connect through the same IP subnet so that the virtual machine can continue communicating through the same IP address after live migration. In addition, the IP addresses that are assigned to the private network on all nodes must be on the same logical subnet. This means that multisite clusters must use a stretched virtual local area network (VLAN), which is a subnet that spans a wide area network (WAN) connection.

Manage live migrations. In Windows Server 2008 R2, each node in the failover cluster can perform only one live migration at a time. If you try to start a second live migration before the first migration finishes, the migration fails. In Windows Server 2012, you can now run multiple live migrations simultaneously.

MCT USE ONLY. STUDENT USE PROHIBITED


6-15

Configuring g Advanced Windows s Server 2012 Serviices

Lesson n3

Imple ementin ng Hype er-V Vir rtual Ma achine Movem ment

Moving M virtual machines from m one location to another is a common pr rocedure in Hy yper-V environ nments. While W moving virtual v machine es in previous Windows Serv ver versions req quired downti ime, Windows Server 20 012 introduces s new technolo ogies to enable seamless vir rtual machine m movement. In this lesson, yo ou will le earn about virtual machine movement m and d migration op ptions.

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Describe migration m optio ons for virtual machines. m Describe storage migratio on. ve migration. Describe liv Explain how w Hyper-V rep plicas work. Configure a Hyper-V replica.

Virtual V Mac chine Migration Opt tions


Th here are severa al scenarios in which you wo ould want w to migrate e virtual machines from one lo ocation to anot ther. For exam mple, you migh ht want to o move a virtua al machine virtual hard disk from on ne physical dri ive to another on the same host. h Alternatively, yo ou may need to t move a virtu ual machine m from one o node in a cluster c to anot ther, or simply move a computer c from m one host ser rver to an nother host se erver without the hosts being g members m of a cluster. c Compared with Wind dows Se erver 2008 R2, Windows Serv ver 2012 provides significant enha ancements for this process in n ad ddition to simp plified procedures.

In n Windows Ser rver 2012, you can perform migration m of v irtual machine es by using the e following me ethods:

Virtual mac chine and stora age migration. With this me ethod, you mov ve a powered-on virtual machine from one lo ocation to ano other (or from one host to an nother) by usin ng a wizard in Hyper-V Man nager. Virtual mac chine and stora age migration do not requir re failover clus tering or any o other high ava ailability technology y. Additionally, you do not ne eed shared sto orage when yo ou move just the virtual mac chine. Quick Migr ration. This me ethod is also av vailable in Win ndows Server 2 2008. It require es you have fa ailover clustering e installed and configured. The T quick migr ration process saves the state e of the virtual machine be efore the failov ver, and then restarts r the vir rtual machine after failover c completes.

Live Migrat tion. This featu ure is an impro ovement over Q Quick Migratio on, and is also available in W Windows Server 2008 8 R2. The Live Migration feat ture enables y you to migrate e a virtual machine from one e host to another wit thout downtim me. Unlike the quick migratio on process, Liv ve Migration d does not save t the state of virtual machine; m instea ad, it synchronizes the state d during failover r. Hyper-V Re eplica. This new w feature in Windows W Server r 2012 enables s you to replicate rather than move a virtual ma achine to anot ther host, and to synchronize e all virtual ma achine change es from the primary host to the host that cont tains the replic ca.

MCT USE ONLY. STUDENT USE PROHIBITED

6-16 Implemen nting Failover Cluster ring with Hyper-V

Exporting and d importing virtual machine. This is an esta ablished meth hod of moving virtual machines without using g a cluster. You u export a virtu ual machine o n one host, an nd then physic cally move exp ported files to another host by per rforming an im mport operatio on. This is a tim me-consuming operation tha at requires you to t turn off the e virtual machines during exp port and impo ort. In Window ws Server 2012, , this migration me ethod is improved. You can import i a virtua al machine to a Hyper-V hos st without exporting it before b import. The Hyper-V role in Window ws Server 2012 2 is now capab ble of configur ring all the necess sary settings du uring the impo ort operation.

Ho ow Does Virtual Mac chine and Storage S M Migration W Work?


There are many ca ases in which an a administrat tor mig ght want to mo ove virtual mac chine files to ano other location. For example, if i the disk on which w a virtual machine hard disk resid des runs out of o spac ce, you must move m the virtual machine to ano other drive or volume. v Movin ng virtual mach hines to other o hosts is a common pro ocedure.

In Windows W Serve er 2008 and Windows W Server r 2008 R2, moving a virtual mach hine resulted in n dow wntime becaus se the virtual machine m had to o be turn ned off. If you moved a virtual machine betw ween two host ts, then you also had to perf form export and impor rt operations fo or that specific c virtual machi ine. Export operations can b be time-consum ming, dep pending on the e size of the virtual hard disk ks.

In Windows W Serve er 2012, virtual l machine and storage migra ation enables y you to move a virtual machi ine and its storage to another locat tion on the sam me host, or to another host computer, without having to o turn off the t virtual mac chine. Virtual machine and storage migration works as follows: 1. 2. 3.

To copy a virt tual hard disk, start live stora age migration by using the Hyper-V conso ole. Optionally y, you can use Wind dows PowerShe ell cmdlets. The migration n process creates a new virtu ual hard disk in n the destinati ion location an nd starts the copy process.

During the co opy process, th he virtual mach hine is fully fun nctional. Howe ever, all chang ges that occur during the co opy process are e written to bo oth the source e and destination locations. R Read operations are performed on nly from the so ource location. As soon as the disk copy pr rocess complet tes, Hyper-V sw witches virtual machines to run on the destination vi irtual hard disk k. In addition, if you are mov ving the virtua al machine to a another host, t the computer con nfiguration is copied c and the e virtual mach hine is associated with the ho ost. If a failure occurs on the e destination side, there is always a failbac k option to ru n back again o on the source directory. After the virtu ual machine co ompletes migr ration, the pro ocess deletes th he source virtu ual hard disks.

4.

5.

The time that is re equired to move a virtual ma achine depend ds on the sour rce and destina ation locations s, the spee ed of the hard d disks, storage e, or network, and a the size o f the virtual ha ard disks. The move process is faster if the source e and destinat tion locations are a on storage e, and the stor rage supports .odx files . Inst tead of using u buffered read and buff fered write ope erations, .the o odx file starts t the copy operation with an offlo oad read comm mand and retr rieves a token representing t the data from the storage device. It then u uses

MCT USE ONLY. STUDENT USE PROHIBITED


6-17

Configuring g Advanced Windows s Server 2012 Serviices

an n offload write e command wi ith the token to t request data a movement from the sourc ce disk to the de estination disk k. When W you move a virtual mac chines virtual hard disks to a another location, the Virtual Machine Mov ve wizard w presents s three available options:

Move all th he virtual machines data to t a single loc y a single dest tination locatio on, such cation. Specify as disk file, configuration, snapshot, and smart pagin g. Move the virtual v machines data to a different loc cation. Specify y individual lo ocations for eac ch virtual machine item. y the virtual machines m virt tual hard disk k. Move only th he virtual hard d disk file. Move only

How H Does Live Migra ation Work?


Live migration enables e you to o move running virtual machines from one failover cluster node n to an nother node in n the same cluster. With live migration, m users s who are conn nected to the virtual machine m should d experience almost no serve er ou utage. hereas you can n also perform m live Note: Wh migration m of vir rtual machines s by using the virtual v machine m and storage migratio on method de escribed in n the previous topic, you sho ould be aware that liv ve migration is s based on failover clustering g. Unlike the stora age migration scenario, you can only perfo orm live migra ation if the virt tual machines ar re highly availa able. Yo ou can initiate e live migration n through one e of the followi ing methods: The Failove er Cluster Manager console.

The Virtual Machine Man nager Administ trator Console e, if you use VM MM to manage your physica al hosts. A Windows s Management t Instrumentat tion (WMI) or W Windows Pow werShell script.

Note: Liv ve migration en nables you to significantly re educe the perc ceived outage of a virtual machine m during g a planned fai ilover. During a planned failo over, you start t the failover m manually. Live migration m does not apply dur ring an unplan nned failover, s such as when t the node hosti ing the virtual machine fails.

Li ive Migratio on Process


Th he live migration process consists of four steps s that occu ur in the backg ground: 1. .

Migration setup. s When you start the failover of the v virtual machine e, the source n node creates a Transmissio on Control Pro otocol (TCP) co onnection with h the target ph hysical host. Th his connection is used to transfer the virtual machine configur ration data to the target phy ysical host. Liv ve migration cr reates a temporary virtual machin ne on the targe et physical hos st, and allocate es memory to the destinatio on virtual machine. The migration prepara ation also verif fies that the vir rtual machine can be migrat ted.

MCT USE ONLY. STUDENT USE PROHIBITED

6-18 Implemen nting Failover Cluster ring with Hyper-V

2.

Guest memor ry transfer. The e guest memo ory is transferre ed iteratively t to the target host while the v virtual machine is sti ill running on the source host. Hyper-V on n the source physical host m monitors the pa ages in the working set. As the sy ystem modifie es memory pag ges, it tracks a nd marks them m as being modified. During this phase e of the migrat tion, the migra ating virtual m machine contin nues to run. Hy yperV iterates the e memory copy y process several times, and each time a sm maller number of modified pages are copied to o the destinatio on physical computer. A fina al memory cop py process cop pies the remain ning modified mem mory pages to o the destinatio on physical ho ost. Copying stops as soon as s the number o of t not yet rewri pages that ha ave been modified in physica al memory but itten to disk often called d dirty pagesdrops s below a threshold, or after r 10 iterations are complete. State transfer r. To actually migrate m the virt tual machine t to the target h host, Hyper-V s stops the sour rce partition, tran nsfers the state e of the virtual machine (incl luding the rem maining dirty m memory pages s) to the target host, and then re estores the virt tual machine o on the target h host. The virtual machine pa auses during the fin nal state transf fer. Clean up. The e cleanup stage finishes the migration by d dismantling th he virtual mach hine on the source host, terminating the worke er threads, and d signaling the e completion o of the migratio on.

3.

4.

Ho ow Does Hyper-V Re eplica Wor rk?


In so ome cases, you might want to have a spar re copy of one virtua al machine tha at you can run if the original virtua al machine fails s. However, wh hen you implement hi igh availability y, you have only one e instance of a virtual machin ne. High availa ability doe es not prevent corruption of software that is runn ning inside the e virtual machine. One way to t add dress the issue of corruption is to copy the virtu ual machine. You Y can also ba ack up the virt tual mac chine and its st torage. Althou ugh this solutio on achieves the desir red result, it is resource-inten nsive and time-consum ming.

To resolve r this pro oblem and to enable administrators to hav ve an up-to-date copy of a single virtual ature in Windo mac chine, Microso oft has implemented Hyper-V V Replica, a fea ows Server 2012. This featur re enables virtual ma achines that ar re running at a primary site location or ho ost to be replic cated to a seco ondary site location or ho ost across a WA AN or LAN link. Hyper-V rep plica enables y you to have tw wo instances of fa sing gle virtual machine residing on o different ho osts: one as th he primary (live e) copy, and th he other as a replica (offline) copy. The ese copies are synchronized, and you can p perform failov ver at any time e. In the event of a failu ure at a primar ry site, you can n use Hyper-V Replica to exe ecute a failove er of the produ uction workloa ads to repl lica servers at a secondary lo ocation within minutes, thus incurring min nimal downtim me. The site configura ations do not have h to use the e same server or storage har rdware. Hyper r-V Replica ena ables an administrator a to t restore virtu ualized worklo oads to a point t in time depen nding on the R Recovery Histo ory sele ections for the virtual machin ne. Hyp per-V Replica technology t consists of severa al components s:

Replication engine: The rep plication engin ne manages the configuration d details and e replication c manages initi ial replication, delta replicati ion, failover, a nd test-failove er operations. It also tracks v virtual machine and storage mobility events, and d takes approp priate actions as needed. Th hat is, it pauses s replication ev vents until mig gration events complete, and d then resume es where they left off.

Change track king: This comp ponent tracks changes that o occur on the p primary copy o of the virtual machine. It is designed to track t the chang ges regardless s of where the virtual machin ne .vhdx files r reside.

MCT USE ONLY. STUDENT USE PROHIBITED


6-19

Configuring g Advanced Windows s Server 2012 Serviices

Network module: The network module e provides a se ecure and efficient way to tra ansfer virtual m machine replicas bet tween primary y hosts and rep plica hosts. It u uses data comp pression, which is enabled b by default. The e transfer oper ration is secure e because it re elies on HTTPS S and certificat tion-based authenticat tion.

Hyper-V Re eplica Broker server role: This is a new serv ver role that is implemented in Windows S Server 2012, and you y configure it during failov ver clustering.. This server ro ole enables you u to have Hype er-V Replica functionality even n when the virtual machine b being replicate ed is highly av vailable and ca an move from one cluster node to another. The Hyper-V Repli ica Broker serv ver redirects all virtual mach hine specific eve ents to the app propriate node e in the replica a cluster. The B Broker queries the cluster da atabase to determin ne which node e should handl le which event ts. This ensures s that all event ts are redirecte ed to the correct node in the cluster in the ev vent that a qu ick migration, live migration n, or storage migration process p was ex xecuted.

Configuring C g Hyper-V V Replica


Be efore you implement Hyper-V Replica, ens sure th hat your infrast tructure meets s the following g prerequisites: The server hardware supp ports the Hype er-V role on Win ndows Server 2012. 2 Also, ens sure that the ser rver hardware has sufficient capacity to run all of the virtual machin nes to which you replicate it. Sufficient st torage exists on o both the primary and replica servers to hos st the files that t replicated virtual v machines use.

Network co onnectivity exis sts between th he locations th hat are hosting g the primary a and replica ser rvers. Connectivit ty can be throu ugh a WAN or r LAN link.

Firewall rule es are configured correctly to t enable repli ication betwee en the primary y and replica si ites. By default, traf ffic uses TCP port p 80 or port t 443.

If you want t to use certific cate-based aut thentication, e ensure that an X.509v3 certif ficate exists to support mutual authentication wi ith certificates. .

Yo ou do not hav ve to install Hyper-V Replica separately. Hy yper-V Replica is implemented as part of t the Hyper-V server role. You can use it on Hype er-V servers th hat are standal one or servers s that are part of a fa ailover cluster (in which case, you should configure the H Hyper-V Replic ca Broker serve er role). Unlike e fa ailover clusterin ng, a Hyper-V role is not dependent on AD D DS. You can n use it with Hy yper-V servers that ar re standalone, or that are me embers of diff ferent Active D Directory doma ains (except in case when servers ar re part of a failover cluster).

To o enable Hype er-V Replica, first configure the t Hyper-V se erver settings. In the Replica ation Configu uration group of option ns, enable the Hyper-V serve er as a replica s server, and sel lect the authen ntication and p port op ptions. You should also conf figure authoriz zation options . You can choo ose to enable replication fro om any se erver that succ cessfully authenticates, which h is convenient t in scenarios w where all serve ers are part of same do omain. Alterna atively, you can type fully qu ualified domain n names (FQD DNs) of servers that you acce ept as re eplica servers. In addition, yo ou must config gure the locatio on for replica files. You shou uld configure t these se ettings on each h server that will w serve as a replica r server. After you config gure options at a the server level, enable rep plication on a virtual machin ne. During this s co onfiguration, you y must specify the replica server name a and options fo or the connecti ion. If the virtu ual

MCT USE ONLY. STUDENT USE PROHIBITED

6-20 Implementing Failover Clustering with Hyper-V

machine has more than one virtual hard disk, you can select which virtual hard disk drives that you want to replicate. You can also configure the recovery history and the initial replication method. Start the replication process after you configure these options.

Demonstration: Implementing Hyper-V Replica (optional)


In this demonstration, you will see learn how to implement Hyper-V Replica.

Demonstration Steps Configure a replica


1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server. o o o 2. Authentication: Kerberos (HTTP) Allow replication from any authenticated server Create and use folder E:\VMReplica as a default location to store replica files.

Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.

Configure replication
1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine. o o o 2. Authentication: Kerberos (HTTP) Select to have only the latest recovery point available. Start replication immediately.

Wait for initial replication to finish and ensure that the 20412A-LON-CORE virtual machine appears in Hyper-V Manager on LON-HOST2.

MCT USE ONLY. STUDENT USE PROHIBITED


6-21

Configuring g Advanced Windows s Server 2012 Serviices

Lesson n4

Mana aging Hyper-V Virtual Environments s by Using VMM

VMM is membe er of the System m Center 2012 2 family of pro oducts. It is a s uccessor of Sy ystem Center V Virtual Machine M Manag ger 2008 R2. VMM V extends management m f functionality fo or Hyper-V ho osts and virtual machines, m and it provides dep ployment and provisioning f for virtual mac chines and serv vices. In this le esson, yo ou will learn th he basics of VM MM.

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Describe VM MM. Describe th he prerequisite es for installing g VMM. Describe pr rivate cloud infrastructure co omponents. Describe ho ow to manage e hosts and hos st groups with h VMM. Describe ho ow to deploy virtual v machines with VMM. Describe se ervices and service templates s. Describe ph hysical-to-virtu ual (P2V) and virtual-to-virtu v ual (V2V) migr rations. Describe co onsiderations for f deploying a highly availa able VMM serv ver.

What W Is Sys stem Center 2012 - Virtual V Ma achine Manager?


VMM is a mana agement soluti ion for a virtua alized da ata center. VM MM enables yo ou to create an nd de eploy virtual machines m and services s to priv vate clouds by config guring and ma anaging your virtualization ho ost, networking g, and storage e re esources. You can c also use VMM to manag ge VMware ESX an nd Citrix XenSe erver hosts. VMM is a comp ponent of Syste em Center 201 12 that di iscovers, captu ures, and aggre egates knowle edge of th he virtualizatio on infrastructur re. VMM also manages m policie es, processes, and a best pract tices by di iscovering, cap pturing, and ag ggregating kn nowledge of th he virtualizatio on infrastructu ure.

VMM succeeds VMM 2008 R2 2, and is a key component in n enabling priv vate cloud infr rastructures, w which he elps transition enterprise IT from f an infrastructure-focus sed deploymen nt model into a service-oriented, us ser-centric env vironment. Th he VMM architecture consist ts of several in nterrelated com mponents. The ese componen nts are:

Virtual Mac chine Manager r server. The Virtual V Machine e Manager ser rver is the com mputer on whic ch the VMM servic ce runs. The Virtual Machine e Manager serv ver processes c commands an nd controls communica ations with the e Virtual Machine Manager d database, the library server, and the virtua al machine ho osts. The Virtua al Machine Ma anager server is the hub of a VMM deploy yment through h which all other VM MM componen nts interact an nd communica te. The Virtual l Machine Man nager server also connects to o a Microsoft SQL S Server da atabase that st tores all VMM configuration n information.

MCT USE ONLY. STUDENT USE PROHIBITED

6-22 Implemen nting Failover Cluster ring with Hyper-V

Virtual Machi ine Manager database. d VMM M uses a SQL S Server database to store the information th hat you view in th he VMM mana agement conso ole, such as m anaged virtua l machines, vir rtual machine hosts, virtual machin ne libraries, jobs, and other virtual v machin ne-related data a. VMM management console e. The manage ement console e is a program that you use t to connect to a VMM management server, to view and manage m physic al and virtual resources, including virtual machine host ts, virtual mach hines, services, , and library re esources.

of resources, s Virtual Machi ine Manager li ibrary. A library ry is a catalog o such as virtual hard disks, templates, an nd profiles, which are used to o deploy virtua al machines an nd services. A library server a also hosts shared folders that store file-based resources. The e VMM manag gement server r is always the default library y server, but you can add ad dditional librar ry servers later r.

Command sh hell. Windows PowerShell P is the t command-line interface that you use t to execute cmdlets that perform all available VMM V functions s. You can use these VMM-specific cmdlet ts to manage a all the actions in a VMM V environm ment. Self-Service Portal. P The Self f-Service Porta al is a website t that users who o are assigned to a self-service user role can use to deploy y and manage their own virtu ual machines.

Pre erequisites s for Instal lling VMM M 2012


Befo ore you deploy y VMM and its s components, , ensu ure that your system s meets the t hardware and soft tware requirem ments. While so oftware requ uirements do not n change ba ased on the num mber of hosts that t VMM man nages, hardwa are prer requisites may y vary. In addition, not all VM MM com mponents have e the same har rdware and soft tware requirem ments. Note: Wind dows Server 20 008 R2 and Win ndows Server 2012 2 are the only supported ope erating systems s for VMM 201 12.

Virtual Machin ne Manager r Server

In addition to hav ving Windows Server 2008 R2 R or Windows s Server 2012 i nstalled, the fo ollowing softw ware mus st be installed on the server that will run th he Virtual Mac chine Manager server: Microsoft .NE ET Framework 3.5 Service Pack 1 (SP1) or n newer Windows Aut tomated Installation Kit (AIK K) Windows Pow werShell 2.0, if the VMM management con nsole will run o on the same se erver

Windows Rem mote Managem ment 2.0. Note e that this is in nstalled by defa ault in Window ws Server 2008 8 R2, so you should d just verify that the service is running. SQL Server 20 008 Service Pack 2 (SP2) (Sta andard or Ente erprise) or SQL L Server 2008 R R2 SP1 Standard, Enterprise, or r Datacenter. This T is necessar ry only when y you install the VMM manage ement server a and SQL Server on n same compu uter.

Hardware requirements vary de epending on number of host ts, and have th he following lim mits: CPU: Single core CPU 2 gigahertz (GHz), Dual core CPU U 2.8 GHz

MCT USE ONLY. STUDENT USE PROHIBITED


6-23

Configuring g Advanced Windows s Server 2012 Serviices

Random ac ccess memory (RAM): 48 gig gabytes (GB)

Disk space: 40 GB 150 GB, G depending g on whether y you install a SQ QL Server data abase on the sa ame server. In ad ddition, if the library is on th he same server r, then disk spa ace will also de epend on libra ary content.

Virtual V Mach hine Manager Database e

Th he Virtual Mac chine Manager r database stores all VMM co onfiguration in nformation, which you can a access an nd modify by using u the VMM M managemen nt console. The e Virtual Mach hine Manager database requ uires SQ QL Server 2008 8 SP2 or newe er. Because of this, t the base h hardware requ uirements for t the Virtual Machine Manager M database are equal to the minimu um system req uirements for installing SQL L Server. Additionally, if you are mana aging more tha an 150 hosts, you y should hav ve at least 4 G GB of RAM on t the database s server. So oftware requirements for the e Virtual Mach hine Manager d database are t the same as fo or SQL Server.

Virtual V Mach hine Manager Library

Th he Virtual Mac chine Manager r library is the server that ho osts resources f for building virtual machines, se ervices, and private clouds. In n smaller envir ronments, you u usually install the Virtual M Machine Manag ger lib brary on the VMM V managem ment server. If this is the case e, the hardwar re and softwar re requirement ts are th he same as for the VMM management serv ver. In larger a and more com plex environm ments, we recommend th hat you mainta ain Virtual Mac chine Manager library on a s separate serve er in a highly available co onfiguration. If f you want to deploy anothe er Virtual Mach hine Manager r library server, , the server sho ould meet m the follow wing requireme ents: Supported operating syst tem: Windows Server 2008 o or Windows Se erver 2008 R2 Hardware management: m Windows Rem mote Managem ment 2.0 CPU: at leas st 2.8 GHz RAM: at lea ast 2 GB Hard disk space: varies ba ased on the nu umber and size are stored e of files that a

Private P Cloud Infrastructure Co omponent ts in VMM


Th he key architec ctural concept t in VMM is the private cloud in nfrastructure. Similar S to public cloud solutions, , such as in Windows Azure , the private cloud in nfrastructure in n VMM is an ab bstraction laye er that shields the underlying g te echnical complexities and allows you to manage de efined resourc ce pools that consist of serve ers, ne etworking, and d storage, in th he enterprise in nfrastructure. By y using the VM MM management console us ser in nterface (UI), yo ou can create a private cloud d from Hyper-V, VMwa are ESX, and Citrix XenServer r hosts. Yo ou can also be enefit from cloud computing g attributes, inc cluding self-se ervicing, resource pooling, and el lasticity.

Yo ou can configu ure the followi ing resources from f the Fabri ic workspace i n the VMM management co onsole:

Servers. In the t Servers no ode, you can co onfigure and m manage severa al types of serv vers. Host grou ups contain virt tualization hos sts, which are the t destination ns you can use e to deploy vir rtual machines. Library

MCT USE ONLY. STUDENT USE PROHIBITED

6-24 Implemen nting Failover Cluster ring with Hyper-V

servers are th he repositories of building blockssuch as s images, .iso f files, and temp platesfor crea ating virtual machin nes.

Networking. The T Networkin ng node is whe ere you can de efine logical ne etworks, assign pools of stat tic IPs and media ac ccess control (M MAC) addresse es, and integra ate load balan cers. Logical n networks are userdefined groupings of IP sub bnets and virtu ual local area n networks (VLA ANs) that organ nize and simpl lify network assig gnments. Logic cal networks provide p an abst traction of the e underlying physical infrastructure e, and they ena able you to pro ovision and iso olate network traffic based o on selected criteria such as conne ectivity proper rties and servic ce level agreem ments (SLAs).

Storage. You can discover, classify, and provision remot orage arrays. V VMM te storage on supported sto uses the Micr rosoft Storage Management Servicethat t is enabled by y default during the installati ion of VMM to co ommunicate with w external ar rrays.

Ma anaging Hosts, Host Clusters, and Host G Groups wi ith VMM


In addition to virtual machine management, m VMM V can also help you manage and deploy Hyper-V host ts. In VMM, yo ou can use tech hnologies such h as Win ndows Deploym ment Services (Windows DS) ) to dep ploy Hyper-V hosts h on bare-m metal machine es and then manage e them with VM MM. When hos sts are associated wit th VMM, you can c configure seve eral options, su uch as host res serves, quotas, , perm missions, and cloud c memberships. VMM can c also o manage Hyper-V failover clusters. c VMM provides tw wo new feature es that help optimize power and resource usage on hosts that are managed by VMM: V dynamic c optimization n and power op ptimization. D Dynamic optim mization balanc ces the virtual machin ne load within a host cluster, , while power optimization e enables VMM to evacuate bala anced cluster hosts, h and then n turn them of ff to save pow wer.

The recommende ed way to orga anize hosts in VMM V is to crea ate host group ps. This simplif fies manageme ent task ks. A host grou up enables you u to apply setti ings to multip le hosts or hos st clusters with h a single actio on. By defa ault, there is a single host gr roup in VMM named n All Hos sts. However, i f necessary, yo ou can create add ditional groups s for your environment. Hos st groups are hierarchical. h When W you create a new child host group, it inherits the se ettings from th he w parent host group, the ch pare ent host group p. When a child d host group moves m to a new hild host group p maintains its origi inal settings ex xcept for Perfo ormance and R Resource Optim mization (PRO O) settings, whi ich are managed sepa arately. When the settings in n a parent hos t group chang ge, you can ap pply those chan nges to child c host grou ups. You u use host grou ups in the follo owing scenario os:

Provide basic c organization when you are managing ma any hosts and virtual machin nes. You can cr reate custom views s within the Ho osts view and the t Virtual Ma chines view to o provide easy monitoring and access to a ho ost. For examp ple, you might create a host group for each branch offic ce in your organization. Reserving resources for use e by hosts. Hos st reserves are useful when p placing virtual machines on a host. Host res serves determi ine the CPU, memory, m disk s pace, disk I/O capacity, and network capa acity that are conti inuously availa able to the hos st operating sy ystem.

MCT USE ONLY. STUDENT USE PROHIBITED


6-25

Configuring g Advanced Windows s Server 2012 Serviices

Use the Host Group prop perties action for f the root ho ost group All H Hosts, to set de efault host rese erves for all hosts tha at VMM mana ages. If you want to use more e of the resources on some hosts instead of on other hosts s, you can set host h reserves differently d for e each host grou up. Designating g hosts on whi ich users can create c and ope erate their own n virtual mach hines. When a V VMM administrat tor adds self-se ervice user role es, one part of f role creation is to identify t the hosts on w which self-service users or groups in that role can create, op perate, and ma anage their ow wn virtual mac chines. As a best practice, you sh hould designat te a specific ho ost group for t this purpose.

Deploying D Virtual Ma achines wi ith VMM


One O of the adva antages of usin ng VMM to manage a virtualized env vironment is the flexibility th hat VMM provides to create and deploy new virtual machines m quick kly. Using VMM, you can manuall ly create a new w virtual machine with new con nfiguration sett tings an nd a new hard d disk. You can then deploy the t new virtual machine from one of following f sourc ces: An existing .vhd or .vhdx file, either blank or preconfigured A virtual machine templa ate A Virtual Machine M Manag ger library

Yo ou can create new virtual ma achines either by converting g an existing p physical compu uter, or by clon ning an ex xisting virtual machine. m

Creating C a New N Virtual Machine fro om an Exist ting VHD

Yo ou can create a new virtual machine m based d on either a b blank virtual ha ard disk (VHD) ) or a preconfi igured VHD that conta ains a guest op perating system m. VMM provid des two blank VHD template es that you can use to cr reate new disk ks: Blank Disk Small Blank Disk Large

Yo n ou can also use a blank VHD D when you wa ant to use an o operating syste em with a preb boot execution en nvironment (PXE). Alternativ vely, you can place p an .iso im mage on a virtu ual DVD-ROM, , and then inst tall an op perating system from scratch. This is an ef ffective way to o build a virtua al machines so ource image, w which yo ou can then us se as a future template. t To in nstall the oper rating system o on such a virtu ual machine, y you can us se an .iso imag ge file from the e library or fro om a local disk k, then map a p physical drive from the host . co omputer, or start the guest operating o syste em setup thro ough a network k service boot.

If you have a lib brary of VHDs that you want t to use in you r VMM enviro nment, you ca an create a virt tual machine m from an a existing VHD. You can also select existin ng VHDs when n you deploy a any operating system from which VMM cannot crea ate a template e, such as an op perating system that is not W Windows-base ed. When W you creat te a new virtua al machine using an existing g VHD, you are e essentially cre eating a new v virtual machine m configuration that is s associated with the VHD fil e. VMM will cr reate a copy o of the source V VHD so th hat you do not t have to move e or modify the original.

MCT USE ONLY. STUDENT USE PROHIBITED

6-26 Implementing Failover Clustering with Hyper-V

In this scenario, the source VHD must meet the following requirements:

Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep) process. Install the Virtual Machine Additions on the virtual machine. Use Sysprep to prepare the operating system for duplication.

Note: VMM 2012 will support the .vhdx virtual hard drive format when VMM 2012 SP1 is released.

Deploying from a Template

You can create a new virtual machine based on a template from the Virtual Machine Manager library. The template is a library resource, which links to a virtual hard disk drive that has a generalized operating system, hardware settings, and guest operating system settings. You use the guest operating system settings to configure operating system settings such as the computer name, local administrator password, and domain membership. The deployment process does not modify the template, which you can reuse multiple times. If you are creating virtual machines in the Self-Service Portal, you must use a template. The following requirements apply if you want to deploy a new virtual machine from a template: You must install a supported operating system on the VHD.

You must leave the Administrator password blank on the VHD as part of the Sysprep process. However, you do not have to leave the Administrator password blank for the guest operating system profile. For customized templates, you must prepare the operating system on the VHD by removing the computer identity information. For Windows operating systems, you can prepare the VHD by using the Sysprep tool.

Deploying from the Virtual Machine Manager Library

If you deploy a virtual machine from the Virtual Machine Manager library, the virtual machine is removed from the library, and then placed on the selected host. When you use this method, you must provide the following details in the Deploy Virtual Machine wizard: The host for deployment. The template that you use provides a list of potential hosts and their ratings. The path of the virtual machine files on the host. The virtual networks used for the virtual machine. A list of existing virtual networks on the host will display.

MCT USE ONLY. STUDENT USE PROHIBITED


6-27

Configuring g Advanced Windows s Server 2012 Serviices

What W Are Services S an nd Service Templates s?


Se ervices are a new concept in n VMM. You must un nderstand serv vices fully befo ore you deploy ya private cloud in nfrastructure.

Traditional Services S Scenario


Se ervices usually y refer to applic cations or sets s of ap pplications tha at provide serv vices to end us sers. For ex xample, you ca an deploy various types of webw ba ased services, but you can also implement ta se ervice such as email. e In a non n-cloud computing sc cenario, deploy yment of any type t of service e us sually requires s users, developers, and ad dministrators to t work togeth her through th he phases of creati ing a service, deploying d a service, testing t the service, an d maintaining g the service.

A service freque t work togethe ently includes several compu uters that must er to provide a service to en nd users. Fo or example, a web-based w ser rvice is usually y an applicatio n that deploys s on a web ser rver, connects to a da atabase server r that might be e hosted on an nother comput ter, and performs authentica ation on an Ac ctive Directory doma ain controller. Enabling E this application a req quires three ro oles, and possib bly three comp puters: a web server, a database serve er, and a domain controller. Deploying a t test environme ent for a servic ce such as s this can be time consuming g and resource e consuming. Ideally, develo opers work wit th IT administr rators to cr reate an enviro onment where e they can deploy and test th heir web applic cation.

Concept C of a Service in a Private Cl loud Scenar rio

With W the concept of a private e cloud, how yo ou deal with se ervices can change significantly. You can p prepare th he environmen nt for a service e, and then let developers de eploy it by usin ng a self-servic ce application such as Sy ystem Center 2012 2 - App Co ontroller. In n VMM, a servi ice is a set of one o or more virtual machines s that you dep ploy and mana age together a as a single entity. Yo ou configure th hese machines s to run togeth her to provide a service. In W Windows Serve er 2008, us sers could dep ploy new virtua al machines by y using the Sel f-Service Porta al. In VMM, en nd users can deploy ne ew services. By y deploying a service, s users are a actually de eploying the e ntire infrastruc cture, including the virtual machines, network con nnections, and applications t that are requir red to make th he service work k. However, you can also use services to deplo oy only a singl e virtual mach hine without any specific pur rpose. In nstead of deplo oying virtual machines m in the e historic way, you can now create a servic ce that will deploy a virtual machine with, for exam mple, Windows s Server 2008 R2, and with s several roles an nd features preinstalled and d joined to dom main. This simplifies the pro ocess of creatin ng and later up pdating new v virtual machines. m

Deploying a new w service requ uires a high lev vel of automat tion and prede efined compon nents, and requires management m so oftware suppo ort. This is why VMM provide es service temp plates. A servic ce template is a te emplate that encapsulates ev verything that is required to o deploy and ru un a new insta ance of an app plication. Ju ust as a private e cloud user ca an create new virtual machin nes on demand d, the user can n also use service te emplates to ins stall and start new applicatio ons on demand d.

Process P for Deploying D a New Servic ce


Yo ou use the foll lowing proced dure when you use VMM ser rvice templates s to deploy a n new service or ap pplication: 1. . The system administrator r creates and configures c VM M service tem mplates by usin ng the Service Template Designer. D

MCT USE ONLY. STUDENT USE PROHIBITED

6-28 Implemen nting Failover Cluster ring with Hyper-V

2.

The end-user r application ownerfor exam mple, a develo oper who has t to deploy the a application environmentopens App Controller C and requests a new w service depl oyment based d on the available service templates that the developer d can access. The de eveloper can d deploy the serv vice to a private cloud where a user has acce ess. As an alternative to App p Controller, th he user can als so use the VMM M Manager con nsole. The Virtual Machine M Manag ger server evaluates the subm mitted request t. VMM search hes for available has resources in the t private cloud, then calculates the user quota and ver rifies that the private cloud h enough resou urces for the re equested servi ice deploymen nt. Whereas the new service is created autom matically, the v virtual machin es and applica ations (if any) a are deployed on the host that is i selected by VMM. V

3.

4. 5. 6.

The user application owner r gains control over service v virtual machine es through Ap pp Controller, o or by Remote Desk ktop Protocol (RDP). ( If you need manual m approv val for resource e creation, you u can use Micr rosoft System C Center 2012 Service Mana ager to create workflows w for this purpose.

Info ormation In ncluded in the t Service Template T

The service template includes in nformation abo out the virtual l machines tha at are deployed d as part of th he serv vice, which app plications to in nstall on the virtual machines s, and the netw working config guration needed for the service (includ ding the use of f an NLB). The service templ ate can use ex xisting virtual m machine temp plates. While you can define the service without usin ng any existing g virtual machi ine templates, it is easier to build a te emplate if you have already created c virtual machine tem plates. After y you create a se ervice template e, you configure it for de eployment usin ng the Config gure Deploym ment option.

P2V and V2V V Migratio ons


Man ny organizatio ons have physic cal servers that they y do not use fu ully. VMM can convert existing phy ysical computers into virtual machines thro ough a pr rocess known as a P2V conversion. VMM simplifies P2V by providing a ta ask-based wiza ard to auto omate much of o the conversion process. Because the P2V process p suppo orts scripts, you u can start large-scale P2V P conversion ns through the e Win ndows PowerSh hell command d line interface. VMM converts an n operating sys stem that is runn ning on physic cal hardware to o an operating g system that is running in a Hype er-V virtual mac chine environm ment. VMM pr rovides a conve ersion wizard, which automa ates much of t the conversion n proc cess.

Dur ring a P2V conversion proces ss, VMM generates disk ima ges of the har rd disks on the e physical computer. It cr reates VHD file es for the new virtual machin ne using the d isk images as a basis. In add dition, it create es a hard dware configuration for the virtual machin ne similar to, o or the same as,, the hardware e in the physica al com mputer. The new virtual machine m has the e same compu uter identity as s the physical computer on w which it is based. Because of this, as s a best practic ce you should not use both a physical com mputer and its virtual replica a concurrently. Afte er the P2V conversion compl letes, you typic cally disconne ect the physical computer fro om the network and decommission d n it.

MCT USE ONLY. STUDENT USE PROHIBITED


6-29

Configuring g Advanced Windows s Server 2012 Serviices

P2 2V conversion is finished in either e online or o offline mode e. In online mo ode, the sourc ce operating sy ystem ru uns during the conversion pr rocess. In offlin ne mode, the o operating syst tem does not r run and conversion oc ccurs through the Windows Preinstallation n Environment t (Windows PE E). Later topics in this lesson de escribe these modes m in furth her detail.

In n addition to converting und derused physic cal computers, VMM support ts the manage ement, migration, and co onversions of other o virtual machines m that were w created i n the VMware e environment. You can conv vert th hese virtual ma achines to Hyp per-V virtual machines, m place e them on Hyp per-V hosts, an nd then manag ge them un nder the Virtual Machine Ma anager Administrator Conso ole. In addition n, VMM and Hy yper-V suppor rt migrating m virtua al machines fro om one host to another with h minimal or z zero downtime e.

VMM allows you to convert existing e VMwar re virtual mach hines to virtua al machines run nning on the H Hyper-V platform. This process p is know wn as a V2V co onversion. With h V2V conversion, administra ators can cons solidate a virtual environ nment that is running r variou us virtual platfo orms without moving data o or rebuilding v virtual machines m from scratch. VMM allows you to copy existing VMware virtual v machin es and create Hyper-V virtual machines. Y You can co opy VMware virtual v machine es that are loca ated on ESX se erver hosts, in Virtual Machin ne Manager lib braries, s not or r on Windows shares. Althou ugh V2V is call led a conversio on, V2V is a re ead-only opera ation that does de elete or affect the original so ource virtual machine. m In add dition, the term m conversion is dedicated o only to th he process of converting c VM Mware virtual machines. m The t term migratio n is used for v virtual server machines. m

During the conv version proces ss, the VMM co onverts the VM Mware .vmdk f files to .vhd file es, and makes the op perating system on the virtu ual machine co ompatible with h Microsoft virt tualization tec chnologies. The e virtual machine m that th he wizard creat tes matches VMware virtual machine prop perties, including name, desc cription, memory, m and disk-to-bus assi ignments.

Considerat C ions for Deploying a Highly A Available V Virtual Mac chine Man nager Server
VMM now supp ports a highly available a Virtual Machine M Manag ger server. You u can use failov ver clustering to achieve high ava ailability for VM MM be ecause VMM is now a cluste er-aware applic cation. However, you should conside er several thing gs be efore you deploy a VMM clu uster. Be efore installing g a highly available VMM management m se erver, ensure that: You have in nstalled and co onfigured a fai ilover cluster that t is running Wi indows Server 2008 R2, Window ws Server 2008 8 R2 SP1, or Windows W Server 2012 2. All computers on which you y install the highly availab ble Virtual Mac chine Manager r server meet t the minimum hardware h requirements, and all prerequisit te software is i installed on all l computers.

You have created a doma ain account to be used by th he VMM servic ce. You must u use a domain u user account for r a highly avail lable Virtual Machine M Manag ger server.

You are pre epared to use distributed key y managemen nt to store encryption keys in n AD DS. You must use distribu uted key mana agement for a highly availab ble Virtual Mac chine Manager r server.

MCT USE ONLY. STUDENT USE PROHIBITED

6-30 Implementing Failover Clustering with Hyper-V

You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008 R2, VMM will not install a SQL Server Express Edition automatically.

Highly Available Databases and Library Servers

To achieve full redundancy, you should use a highly available SQL Server. Install a highly available SQL Server on a separate failover cluster from the failover cluster on which you are installing the highly available Virtual Machine Manager server. Similarly, you should also use a highly available file server for hosting your library shares.

Self Service Portal and Clustered Virtual Machine Manager Server

As a best practice, do not install the Virtual Machine Manager Self-Service Portal on the same computer as the highly available Virtual Machine Manager server. If your Virtual Machine Manager Self-Service Portal currently resides on the same computer as the Virtual Machine Manager server, we recommend that you uninstall the Virtual Machine Manager Self-Service Portal for VMM 2008 R2 SP1 before upgrading to VMM. We also recommend that you install the Virtual Machine Manager Self-Service Portal on a highly available web server to achieve redundancy and NLB.

Failover Cluster Manager

You cannot perform a planned failoverfor example, to install a security update or perform maintenance on a cluster nodeby using the Virtual Machine Manager Administrator Console. Instead, to perform a planned failover, use the Failover Cluster Manager.

During a planned failover, ensure that there are no tasks actively running on the Virtual Machine Manager server. Any tasks that are executing during a failover will be stopped and will not restart automatically. Any connections to a highly available Virtual Machine Manager server from the Virtual Machine Manager Administrator Console or the Virtual Machine Manager Self-Service Portal will also be lost during a failover. However, the Virtual Machine Manager Administrator Console can reconnect automatically to the highly available Virtual Machine Manager server after a failover if the console was open before you performed the failover.

MCT USE ONLY. STUDENT USE PROHIBITED


6-31

Configuring Advanced Windows Server 2012 Services

Lab: Implementing Failover Clustering with Hyper-V


Scenario

The A. Datum Corporations initial virtual machine deployment on Hyper-V has been successful. As a next step in the deployment, A. Datum is now considering ways to ensure that the services and applications that are deployed on the virtual machines are highly available. As part of the implementation, A. Datum is also considering options for making the virtual machines that run on Hyper-V highly available.

As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with failover clustering to ensure that the virtual machines that are deployed on Hyper-V are highly available. You are responsible for planning the virtual machine and storage configuration, and for implementing the virtual machines as highly available services on the failover cluster. In addition, you are considering some other techniques for virtual machine high availability, such as Hyper-V Replica.

Objectives
Configure Hyper-V Replica. Configure a failover cluster for Hyper-V. Configure a highly available virtual machine.

Lab Setup
20412A-LON-DC1-B 20412A-LON-SVR1-B 20412A-LON-HOST1 20412A-LON-HOST2 Estimated time: 75 minutes 20412A-LON-DC1-B 20412A-LON-SVR1-B 20412A-LON-HOST1 20412A-LON-HOST2 Adatum\Administrator Pa$$w0rd

Virtual Machine(s)

User Name Password

You should perform this lab with a partner. To perform this lab, you must boot the host computers to Windows Server 2012. Ensure that you and your partner have booted into different hosts (one should boot to 20412A-LON-HOST1 and the other should boot to 20412A-LON-HOST2) and then log on as Adatum\Administrator with the password of Pa$$w0rd. Once you have booted into the Windows Server 2012 environment, perform the following setup tasks: 1. 2. On the host computer, in Server Manager, click Tools, and then click Hyper-V Manager. In Hyper-V Manager, click start the following virtual machines based upon your host: o o 3. 4. For LON-HOST1, start 20412A-LON-DC1-B. For LON-HOST2, start 20412A-LON-SVR1-B.

In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: a. User name: Adatum\Administrator

MCT USE ONLY. STUDENT USE PROHIBITED

6-32 Implementing Failover Clustering with Hyper-V

b.

Password: Pa$$w0rd

Note: For this lab, verify that the classroom is configured so that only LON-HOST1 and LON-HOST2 can communicate. Each pair of host computers must be isolated from the rest of the classroom.

Exercise 1: Configuring Hyper-V Replicas


Scenario

Before you begin cluster deployment, you need to evaluate the new technology in Hyper-V 3.0 for replicating virtual machines between hosts. You want to be able to mount a copy of a virtual machine on another host manually if the active copy (or host) fails. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. Boot the physical host machines from VHD. Import the LON-CORE virtual machine on LON-HOST1. Configure a replica on both host machines. Configure replication for the LON-CORE virtual machine. Validate a planned failover to the replica site.

Task 1: Boot the physical host machines from VHD


1. Restart the classroom computer, and in the Windows Boot Manager, select either 20412A-LON-HOST1 or 20412A-LON-HOST2. Note: If you start LON-HOST1, your partner must start LON-HOST2. 2. 3. 4. Log on to the server as Adatum\Administrator with password Pa$$w0rd. On LON-HOST1, make sure that virtual machine 20412A-LON-DC1 is running. On LON-HOST2, make sure that virtual machine 20412A-LON-SVR1 is running.

Task 2: Import the LON-CORE virtual machine on LON-HOST1

On LON-HOST1, open Hyper-V Manager, and import the 20412A-LON-CORE virtual machine using the following settings: o o Path: E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE Accept default values

Note: The drive letter may differ based on the number of drives on the physical host machine.

Task 3: Configure a replica on both host machines


1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server. o o o 2. Authentication: Kerberos (HTTP) Allow replication from any authenticated server Create and use folder E:\VMReplica as a default location to store replica files

Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.

MCT USE ONLY. STUDENT USE PROHIBITED


6-33

Configuring Advanced Windows Server 2012 Services

Task 4: Configure replication for the LON-CORE virtual machine


1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine. o o o o 2. Replica server: LON-HOST2 Authentication: Kerberos authentication (HTTP) Configure Recovery History: Only the latest recovery point Start replication immediately

Wait for initial replication to finish, and verify that the 20412A-LON-CORE virtual machine displays in the Hyper-V Manager console on LON-HOST2.

Task 5: Validate a planned failover to the replica site


1. 2. 3. 4. On LON-HOST2, view replication health for 20412A-LON-CORE.

On LON-HOST1, perform planned failover to LON-HOST2. Verify that 20412A-LON-CORE is running on LON-HOST2. On LON-HOST1, remove replication for 20412A-LON-CORE. On LON-HOST2, shut down 20412A-LON-CORE.

Results: After completing this exercise, you will have configured a Hyper-V Replica.

Exercise 2: Configuring a Failover Cluster for Hyper-V


Scenario

A. Datum has several virtual machines that are hosting important services that must be highly available. Because these services are not cluster-aware, A. Datum decided to implement Failover cluster on the Hyper-V host level. You plan to use iSCSI drives as storage for these virtual machines. The main tasks for this exercise are as follows: 1. 2. 3. Connect to the iSCSI target from both host machines. Configure failover clustering on both host machines. Configure disks for the failover cluster.

Task 1: Connect to the iSCSI target from both host machines


1. 2. 3. 4. 5. On LON-HOST1, start iSCSI initiator. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target. On LON-HOST2, start iSCSI initiator. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target. On LON-HOST2, navigate to Disk Management, and initialize and bring online all iSCSI drives: o o o 6. Format the first drive, and name it ClusterDisk. Format the second drive, and name it ClusterVMs. Format the third drive, and name it Quorum.

On LON-HOST1, navigate to Disk Management, and bring online all three iSCSI drives.

MCT USE ONLY. STUDENT USE PROHIBITED

6-34 Implementing Failover Clustering with Hyper-V

Task 2: Configure failover clustering on both host machines


1. 2. On LON-HOST1 and LON-HOST2, install the failover clustering feature. On LON-HOST1, create a failover cluster: o o o o Add LON-HOST1 and LON-HOST2 Name the cluster VMCluster Assign the 172.16.0.126 address Deselect the option to Add all eligible storage to the cluster

Task 3: Configure disks for the failover cluster


1. 2. 3. 4. On LON-HOST1, in the Failover Cluster Manager, add all three iSCSI disks to the cluster. Verify that all three iSCSI disks appear available for cluster storage. Add the disk named ClusterVMs to Cluster Shared Volumes. From the VMCluster.adatum.com node, select More Actions, and then configure the Cluster Quorum Settings to use typical settings.

Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.

Exercise 3: Configuring a Highly Available Virtual Machine


Scenario
After you configuring the Hyper-V failover cluster, you want to add virtual machines as highly available resources. Additionally, you want to evaluate live migration and test storage migration. The main tasks for this exercise are as follows: 1. 2. 3. 4. Move virtual machine storage to the iSCSI target. Configure the virtual machine as highly available. Perform live migration for the virtual machine. Perform storage migration for the virtual machine.

Task 1: Move virtual machine storage to the iSCSI target


1. 2. 3.

In the Failover Cluster Manager, verify that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, move the ClusterVMs disk to LON-HOST1. On LON-HOST1, open a Windows Explorer window, and browse to E:\Program Files \Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks. Move 20412A-LON-CORE.vhd to the C:\ClusterStorage\Volume1 location.

Task 2: Configure the virtual machine as highly available


1. 2. On LON-HOST1, in Failover Cluster Manager, click Roles, and then start the New Virtual Machine Wizard. Configure a virtual machine with the following settings: o o Cluster node: LON-HOST1. Computer name: TestClusterVM

MCT USE ONLY. STUDENT USE PROHIBITED


6-35

Configuring Advanced Windows Server 2012 Services

o o o 3.

Store the file at C:\ClusterStorage\Volume1 RAM for TestClusterVM: 1536 MB

Connect machine to existing virtual hard disk drive 20412A-LON-CORE.vhd, which is located at C:\ClusterStorage\Volume1.

From the Roles node, start the virtual machine.

Task 3: Perform live migration for the virtual machine


1. 2.

On LON-HOST1, in the Failover Cluster Manager, start Live Migration failover of TestClusterVM from LON-HOST1 to LON-HOST2.

Connect to TestClusterVM, and ensure that you can operate the virtual machine while it is migrating to another host.

Task 4: Perform storage migration for the virtual machine


1. 2. 3. 4. On LON-HOST2, open Hyper-V Manager. Move 20412A-LON-SVR1-B from its current location to C:\LON-SVR1. Determine whether machine is operational during move process. When the migration completes, shut down all running virtual machines.

Results: After completing this exercise, you will have configured a highly available virtual machine.

1. 2. 3. 4.

To prepare for next module


Restart LON-HOST1.

When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter. Log on to the host machine as directed by your instructor. Repeat steps 1-3 on LON-HOST2.

MCT USE ONLY. STUDENT USE PROHIBITED

6-36 Implementing Failover Clustering with Hyper-V

Module Review and Takeaways


Common Issues and Troubleshooting Tips
Common Issue Virtual machine failover fails after implementing CSV and migrating the shared storage to CSV A virtual machine fails over to another node in the host cluster, but loses all network connectivity Four hours after restarting a Hyper-V host that is a member of a host cluster, there are still no virtual machines running on the host. Troubleshooting Tip

Question: In Windows Server 2008 R2, do you have to implement CSV in order to provide high availability for virtual machines in VMM?

Best Practice

Develop standard configurations before you implement highly available virtual machines. The host computers should be configured as close to identical as possible. To ensure that you have a consistent Hyper-V platform, configure standard network names, and use consistent naming standards for CSV volumes. Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster Manager that can block you from making mistakes when you manage highly available virtual machines. For example, it blocks you from creating virtual machines on storage that is inaccessible from all nodes in the cluster.

MCT USE ONLY. STUDENT USE PROHIBITED


7-1

Module 7
Implementing Disaster Recovery
Contents:
Module Overview Lesson 1: Overview of Disaster Recovery Lesson 2: Implementing Windows Server Backup Lesson 3: Implementing Server and Data Recovery Lab: Implementing Windows Server Backup and Restore Module Review and Takeaways 7-1 7-2 7-7 7-16 7-20 7-25

Module Overview

Organizations are vulnerable to losing some of their data for reasons such as unintentional deletion of critical data, file system corruption, hardware failures, malicious users, and natural disasters. Because of this, organizations must have well-defined and tested recovery strategies that will help them to bring their servers and data back to a healthy and operational state, and in the fastest time possible. In this module, you will learn how to identify security risks for your organization. You will also learn about disaster recovery, and disaster recovery requirements. You will also learn how to plan backup across your organization, and what steps you can take to recover data.

Objectives
After completing this module, you will be able to: Describe disaster recovery concepts. Implement Windows Server Backup. Implement server and data recovery.

MCT USE ONLY. STUDENT USE PROHIBITED

7-2

Implementing Disaster Recover ry

Lesson 1

Overvi iew of Disaster D r Recove ery

Disa aster recovery is a methodology that descr ribes all the ste eps that you n need to perform once a disaster tate. An effect has occurred, to bring b data, serv vices and serve ers back to an operational st tive disaster reco overy plan add dresses the org ganizations ne eeds without p providing an unnecessary lev vel of coverage e. While absolute pr rotection may seem desirable, it is unlikely y to be econom mically feasible e. In creating a disa aster recovery plan, you need d to balance th he cost to the organization o of a particular disaster, with the cost t to the organi ization of prot tection from th hat disaster.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: equirements. Identify disaster recovery re Describe serv vice level agree ements. Describe ente erprise disaster r recovery strategies. Describe disaster mitigation n strategies. Describe best t practices for implementing g a disaster rec covery.

Ide entifying Disaster D Re ecovery Re equiremen nts


Befo ore developing g a disaster rec covery strategy, orga anizations must identify their disaster reco overy requ uirements to ensure e that the ey will provide app propriate prote ection for critic cal resources. The following is a high-level list t of steps that you can use to identify y disaster reco overy requirem ments: 1. Define organization critical resources. The ese resources include data, serv vices, and the servers upon which the dat ta and services s run.

2.

Identify risks associated wit th those critica al resources. For example, dat ta can be accidentally or o intentionally y deleted, and a hard drive o or storage con ntroller where d data is stored might fail. Additiona ally, services th hat use critical data might fa ail due to many y reasons such h as network problems, and d servers migh ht fail because of hardware f failures. Major power outage es could also c cause entire sites to o shut down. Identify the ti ime needed to o perform the recovery. Base ed on their bus siness requirem ments, organizations s should decide how much time is accepta able for recove ering critical re esources. Scena arios may vary from m minutes to hours, h or even a day.

3.

4.

Develop a rec covery strategy y. Based on the previous ste eps, organizatio ons will define e a service leve el agreement th hat will include e information such s as service e levels and service hours. Organizations should develop a dis saster recovery y strategy that will help them m minimize the e risks, and at the same time e, recover their critical resourc ces within the minimum tim me acceptable f for their business requireme ents.

anization will have h differing disaster d recove ery requirements based on t their Note: Orga ments and goals. Disaster rec covery requirem ments should not be static, b but they business requirem

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


7-3

sh hould be evalu uated and updated on a regu ular basisfor example once e every few mo onths. It is also important that t administrators test the disaster recove ery strategies on a regular b basis. The te esting should be b performed in an isolated, non-producti ion environme ent by using a copy of the production data a.

What W Are Service S Lev vel Agreem ments?


A service level agreement a (SLA A) is a docume ent that de escribes the re esponsibilities of o the IT department or r IT service pro ovider, with res spect to a spec cific set of f objectives. In n terms of data a protection SL LAs, th hese agreemen nts usually spe ecify precisely which w pa arts of the IT in nfrastructure and a data will be b protected, and how quickly th hey will return to se ervice after a fa ailure.

In n some organiz zations, SLAs are a formalized, , and th he performanc ce of the IT dep partment is measured m again nst the objectiv ves that are sp pelled ou ut in the SLA. These T metrics form part of the IT de epartments pe erformance ev valuation, and have a direct influence on it tems such as b budgets and sa alaries. Fo or managed se ervices or cloud providers, SLAs are critical l for billing pu urposes. In other organizations, SLAs ar re guidelines and a are less for rmalized. The key to develop ping an SLA is that it needs to be realistic and ac chievable, rath her than an unachievable sta andard, which may be impos ssible to reach. So ome of the ele ements of an SLA S include:

Hours of op peration. Hour rs of operation n defines how much time the e data and ser rvices are available to users, and how h much planned downtim me there will b e due to syste em maintenanc ce. Service availability. Servic ce availability is defined as a percentage o f time per year that data and services will be available to t users. For example, e a serv vice availability y of 99.9 perce ent per year m means that data and services wil ll have unplanned downtime e not more tha an 0.1 percent t per year, or 8 8.75 hours per year y on a 24 ho ours a day, sev ven days a wee ek basis.

Recovery point objective (RPO). An RPO O sets a limit o on how much data can be lo ost due to failu ure, measured as a a unit of tim me. For exampl le, if an organi ization sets an RPO of six ho ours, it would b be necessary to take a backu up every six ho ours, or to crea ate a replicatio on copy on dif fferent location ns at six-hour int tervals. In the event e of a failu ure, it would b be necessary to o go back to th he most recent backup, wh hich, in the worst-case scenario, assuming that the failur e occurred jus st before (or du uring) the next ba ackup, would be b six hours ag go.

You can configure backup software to take backups every hour, of ffering a theor retical RPO of 6 60 minutes. When W calculatin ng RPO, it is als so important t to take into account the time e it takes to pe erform the backup p. For example, , suppose it takes 15 minute es to perform a backup and y you back up e every hour. If a fa ailure occurs during the back kup process, yo our best possible RPO will b be 1 hour and 15 minutes. A realistic RPO must m always ba alance the des sired recovery time with the realities of the e network inf frastructure. Yo ou should not aim for an RP PO of 2 hours w when a backup p itself takes th hree hours to co omplete. The RPO also depends on n the backup software s techn nology. For exa ample, when y you use the sna apshot feature in Windows W Serve er Backup, or other o backup s software that u uses volume sh hadow copy se ervice (VSS), you are a backing up p to the point in time when t the backup wa as started.

Recovery time objective (RTO). ( An RTO O is the amoun nt of time it tak kes to recover from failure. T The RTO will vary de epending on th he type of failu ure. The loss o f a motherboa ard on a critica al server will ha ave a

MCT USE ONLY. STUDENT USE PROHIBITED

7-4

Implementing Disaster Recover ry

different RTO O than the loss of a disk on a critical server r, because one of these comp ponents takes significantly longer to repla ace than the ot ther.

jectives. Reten ntion is a measure of the leng gth of time yo ou need to store backed-up data. Retention obj For example, you may need d to recover da ata quickly fro om up to a mo onth ago, but n need to store d data in some form m for several ye ears. The speed d at which you u agree to reco over data in yo our SLA will de epend on the age of f the data, with h some data being b quickly re ecoverable and other data n needing to be recovered fro om the archive es.

System performance. Altho ough not direct tly related to d disaster recove ery, system performance is a also an important component of SL LAs, because applications a th hat are included in an SLA sh hould be availa able, and they should also have acceptable o users reque a res sponse times to ests. If the syste em performan nce is slow, then bu usiness requirements will not t be met.

Note: Each organizations data protection SLA depen nds on the com mponents that t are portant to the organization. o imp

Ov verview of Enterprise e Disaster Recovery Strategies s


Whe en planning fo or backup for your y enterprise e, you need to develop strategies for recovering g data a, services, serv vers, and sites, , and you need d to mak ke some provis sion for offsite e backup.

Dat ta Recovery y Strategies


Data is the most commonly c reco overed catego ory in an enterprise e environment. This s is because it is mor re likely that users will delete e files accident tally, than n it is for serve er hardware to o fail or for app plications to cause data corru uption. Therefo ore, in developing d an enterprise disa aster recovery strategy, take into o account small disasters, suc ch as data a deletion, in addition a to big g disasters, suc ch as server or site failure.

Whe en considering g data recover ry strategies, backup is not th he only techno ology for data recovery. You u can add dress many file and folder rec covery scenarios by impleme enting previou us versions of f file functionali ity on file shares. You ca an also replicat te data in diffe erent physical locations, or to o a public or p private cloud. Y You could also use Microsoft System Center 2012 2 - Data Prote ection Manage er.

Ser rvice Recove ery Strategi ies

The functionality of the network k depends on the availability y of certain cri itical network services. Altho ough well l-designed net tworks build re edundancy int to core service s such as Dom main Name Sys stem (DNS) and Acti ive Directory Domain Services (AD DS), even those serv vices might ha ave issues, such h as when a major fault is replicated that requires a restore from m backup. In ad ddition, an ent terprise backup p solution mus st ensu ure that services such as Dyn namic Host Co onfiguration Pr rotocol (DHCP P) and Active D Directory Certif ficate Serv vices (AD CS), and a important t resources suc ch as file share es can be resto ored in a timely y and up-to-d date man nner.

Full Server Rec covery Strat tegies

Dev veloping a full-server recovery strategy inv volves determi ning which servers that you need to be ab ble to reco over, the RPO for critical serv vers, and the RTO R for critical l servers. Supp pose that you h have a site with two com mputers functio oning as doma ain controllers. . When develo oping your bac ckup strategy, should you aim to

Configurin ng Advanced Window ws Server 2012 Ser rvices

ha ave both serve ers capable of full server reco overy with a 1 5 minute RPO O? Or is it only necessary for one able to provid se erver to be rec covered quickly y if it fails, give en that either server will be a de the same ne etwork se ervice and ensure business continuity? In n developing the full server recovery r comp ponent of your r organization s enterprise b backup plan, de etermine whic ch servers are required r to ensure business continuity, and d ensure that they are regularly ba acked up.

MCT USE ONLY. STUDENT USE PROHIBITED


7-5

Site Recovery y Strategies s

Most M larger org ganizations hav ve branch offic ce sites. While it might be de esirable to bac ck up all the co omputers at th hose locations, , it may not be e economically y feasible to do o so. Developing a site recov very st trategy involve es determining g which data, services, s and se ervers at a spe ecific site must be recoverable to en nsure business s continuity.

Offsite O Backu up Strategie es

Many M organizat tions that do not n store offsite backups do not recover fr rom a primary site disaster. If f your or rganizations head h office site e has a fire, is subject s to a on nce-in-a-100-y year flood, a cyclone, or a to ornado, it will not matte er what backup ps strategies you have in pla ace if all those backups are stored at the lo ocation th hat was destroy yed by the dis saster. A comprehensiv ve enterprise data d protection n strategy invo olves moving b backed-up dat ta to a safe off fsite lo ocation so that t you can recov ver it no matte er what kind o of disaster occu urs. This does not need to ha appen ev very day. The RPO R for recove ery at the offsi ite locationo often called th he disaster reco overy siteis u usually di ifferent from the RPO at the e primary site.

Disaster D Mi itigation Strategies S


No matter how prepared organizations are, , they ca annot prevent disasters from m occurring. Th herefore, organizations must also develop p mitigation m strategies that will minimize the impact of f an unexpecte ed loss of data a, server, servic ce, or sit tes. To prepare e mitigation st trategies, or rganizations must m create risk k assessments that an nalyze all poss sible disaster sc cenarios, and how h to mitigate m each of o those scenar rios. Th he following ta able lists some e of the risks as ssociated with data or services loss, and th he ap ppropriate mit tigation strateg gies. Risk of disaste er The media wh here a copy of f the backup data is located becomes corrupted. An administra ator has accide entally deleted d an organizatio onal unit (OU) ) that contains many user and computer objects. A file server in n a branch offi ice where important file es are located has failed. Mitigation n strategy Have at le east two copie es of your back kup data, and validate y your backups o on a regular basis. Protect O OUs from accid dental deletion n, especially aft ter migration ns. Use Distri ibuted File Sys stem Replicatio on (DFS-R) to replicate files from bran nch offices to central data centers.

MCT USE ONLY. STUDENT USE PROHIBITED

7-6

Implementing Disaster Recover ry

Ris sk of disaster Th he virtualizatio on infrastructure where bu usiness servers s are located is s un navailable. A major outage e in a data cent ter has ccurred. oc

Mitigation s strategy Avoid deplo oying all critica al servers, such h as domain controllers, on the same v virtual infrastructure. Deploy a se econdary data center that will contain replicas of t the critical serv vers in your pr rimary data center.

Best Practice es for Impl lementing a Disaster r Recovery y


Whe en implementing a disaster recovery strate egy, orga anizations sho ould follow the ese best practic ces: Perform a risk k assessment plan p first. This will help you iden ntify all of the risks associate ed with the avail lability of your r organization data, servers, servic ces, and sites.

Discuss the risks you evalua ated with your r business man nagers, and tog gether decide which resourc ces should be protected with h the disaster recov very plan, and which resourc ces should be pro otected with disaster d mitigat tion, and at which level. The high her the requirements s for disaster re ecovery are, th he more expen nsive they are. You also want t to have a low w-level disaster recov very plan for re esources that are a protected with disaster m mitigation. Each organiza ation should have h its own di isaster recover ry plan. Document in detail all of th he steps that sh hould be perfo ormed in a dis saster scenario o. Test your disa aster recovery plan on a regular basis in an n isolated, non n-production e environment.

Evaluate your r disaster recov very plan on a regular basis,, and update y your disaster re ecovery plan b based on your evalu uation.

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


7-7

Lesson n2

Imple ementin ng Wind dows Se erver Ba ackup

To o protect critic cal data, every organization must perform regular backu ups. Having a w well-defined and te ested backup strategy s ensure es that companies can resto re data if unex xpected failure es or data loss occur. Th his lesson desc cribes the Windows Server Backup feature e in Windows S Server 2012 a and the Micros soft Online O Backup Service S for Win ndows Server 2012.

Le esson Objec ctives


After completin ng this lesson, you y will be able to:

Describe da ata and service e information that t needs to be backed up in a Windows s Server enviro onment. Describe th he backup type es. Describe ba ackup technolo ogies. Describe ba ackup capacity y. Describe ba ackup security. Describe Windows W Server r Backup. Explain how w to configure e a scheduled backup b using W Windows Serv ver Backup. Describe th he Windows Se erver 2012 online backup so lution. Describe th he consideratio ons for an ente erprise backup p solution. Summarize the features available a with System Center r 2012 Data Protection Ma anager.

What W Need ds to Be Ba acked Up?


When W planning backups across your organi ization, en nsure that you u protect resou urces that are co onsidered miss sion critical. Co onsider the fol llowing: Critical reso ources Backup verification Backup security Compliance e and regulato ory requiremen nts

Determining D g Critical Res sources to Back B Up U

In n an ideal scenario, you would back up ev verything and instantly resto ore data as it existed e at a par rticular point i n time from any point in the e last se everal years. In n reality, such a backup strate egy would pro oduce expensiv ve cost of own nership. Theref fore, the fir rst step in plan nning backup across the enterprise is to de etermine what t exactly needs s to be backed d up. Fo or example, sh hould you back k up every dom main controlle er in the doma in, given that A Active Directo ory in nformation will be replicated d back to a rep placement dom main controller r as soon as it is promoted? Is it ne ecessary to back up every file server in all file shares if ev very file is rep licated to multiple servers th hrough a distributed file e system?

MCT USE ONLY. STUDENT USE PROHIBITED

7-8

Implementing Disaster Recovery

You also need to distinguish between technical reasons and regulatory reasons for backing up data. Due to legal requirements, you may need to be able to provide your business with business-critical data for the past ten years or even longer. To determining what to back up, consider the following: If the data is only stored in one place, ensure that it is backed up.

If data is replicated, it may not be necessary to back up each replica. However, you must back up at least one location to ensure that the backup can be restored. Is the server or data a mission-critical component? If this server or disk failed, or if this data became corrupted, what steps would need to be taken to recover it?

Many organizations ensure the availability of critical services and data through redundancy. For example, Exchange Server 2010 provides continuous replication of mailbox databases to other servers through a technology called Database Availability Groups (DAGs). While DAGs do not mean that an organization should not back up its Exchange Server 2010 Mailbox servers, it does change how an organization should think about backing up its Mailbox servers or centralizing its backup strategies.

Verifying Your Backups

Performing a backup, and ensuring that the backup contains everything that you need, are two different tasks. You need to have a method for verifying that each backup has completed successfully. You also need to know when backups have failed. At a minimum, this will mean checking the logs on each server to determine whether a failure has occurred. If you have configured backups to occur on each server every six hours, how often should you check the logs? A better solution is to employ an alert mechanismsuch as that which is available in System Center 2012 - Operations Managerto alert you in the event that a backup fails. The point is to avoid discovering that your backups for a particular server have failed just when you need those backups to perform a recovery. One way of verifying backups is to perform regular testing of the recovery procedures, in which you simulate a particular failure. This allows you to verify not only the integrity of the data that you are using to perform a recovery, but also that the recovery procedures that you have in place effectively resolve the failure. It is better to discover that you need to add steps to your recovery procedure during a test, rather than during an actual failure.

Confirming That Backups Are Secure

By definition, a good set of backups contains all of your organizations critical data. This data needs to be protected from unauthorized access. Although data might be protected by permissions and access controls while it is hosted on servers in a production environment, anyone who has access to the media that hosts that backup data can restore it. For example, some products, such as Windows Server Backup, do not allow administrators to encrypt backup data. This means that physical security is the only way that you can ensure that critical data does not fall into the hands of unauthorized users. When developing an enterprise backup strategy, ensure that backup data is stored in a secure location.

You might also consider using backup software that allows you to split the backup and restore roles so that users who have permissions to back up data do not have permissions to restore that data, and users who have permissions to restore data do not have permissions to back it up.

Ensuring That Compliance and Regulatory Responsibilities Are Met


Systems administrators should be aware of what the organizations regulatory and compliance responsibilities are with respect to the archiving of data. For example, some jurisdictions require that business-relevant email message data be retained for a period of up to seven years. Unfortunately, regulatory requirements vary from country to country, and even from state to state. When developing

Configurin ng Advanced Window ws Server 2012 Ser rvices

yo our organizatio ons data protection strategy y, you should schedule a me eeting with your organizatio ons le egal team to de etermine precisely which data needs to be e stored, and f for how long.

MCT USE ONLY. STUDENT USE PROHIBITED


7-9

Backup B Typ pes


In n Windows Ser rver 2012, you can perform the t fo ollowing types of backups: Full backup p. A full backup p is a block-lev vel replica of all blocks on all the servers volumes. Ra ather than cop pying files and folders to backup media, m the und derlying block ks are copied acro oss to the back kup media.

Incrementa al backup. An incremental ba ackup is a copy of only o those bloc cks that have changed sin nce the last full or incremental backup. Du uring an increm mental backup p, these blocks are copied c across to the backup p media. When this process p compl letes, the block ks are then ma arked as backe ed up. During recovery, the o original set of block ks is restored. Then, T each set t of incrementa al blocks are a applied, bringing the recovered data back to the e appropriate state s in a consistent manner .

Backup B Tec chnologies s


Most M backup pr roducts in use today use the e VSS in nfrastructure th hat is present in i Windows Se erver 20 012. Some older applications, however, us se st treaming backup. It may be necessary to support su uch application ns in complex heterogeneou us en nvironments.

One O of the challenges of perf forming backups is en nsuring the co onsistency of th he data that yo ou are ba acking up. Bac ckups do not occur o instantly, they ca an take second ds, minutes, or r hours. Unfortunately, servers s are not t static and the e state of f a server at th he beginning of o a backup mi ight up completes.. If you do not take consisten no ot be the same e state that the e server is in when w the backu ncy ac ccount, this can cause proble ems during res storation beca ause the config guration of the e server may h have ch hanged during g the backup.

VSS V

VSSa technology that Micro osoft included with Window ws Server 2003 R2, and which h is present in all ne ewer server op perating system mssolves the e consistency p problem at the e disk-block le evel by creating g what is known as a sh hadow copy. A shadow copy y is a collection n of blocks on a volume that t is frozen at a specific po oint in time. Changes can still be made to the disk, but w when a backup p occurs, the c collection of fr rozen blocks are back ked up, which means m that any changes tha t might have o occurred since e the freeze are e not ba acked up. Creating a shad dow copy tells the operating system first to o put all files, s such as DHCP databases and d Active Directory datab urrent state of base files, in a consistent c state for a momen nt. Then the cu f the file system m is

MCT USE ONLY. STUDENT USE PROHIBITED

7-10 Implemen nting Disaster Recove ery

reco orded at that specific s point in time. After VSS V creates the e shadow copy y, all write accesses that wou uld overwrite data, sto ore the previous data blocks s first. Therefo re, a shadow c copy is small in n the beginnin ng, and it grows over the time as da ata changes. By B default, the operating syst tem is configu ured to reserve e 12 perc cent of the vol lume for VSS data, d and VSS automatically a deletes older snapshots whe en this limit is reac ched. You can change this default value, and you can ch hange the defa ault location of the VSS data a. This ensu ures that the backup b has a snapshot of the e system in a c consistent state, no matter h how long it act tually take es to write the backup data to t the backup storage devic ce.

Streaming Bac ckup

Stre eaming backup p is often used d by older appl lications that d do not use VSS S. You back up p applications that are not VSSaware by using a method m known n as a streamin ng backup. In c contrast to VSS S where the ope erating system ensures that data d is kept in a consistent st tate and at a c current point in time, when y you use streaming bac ckup, the application or the data protectio on application is responsible e for ensuring t that the data remains in a consistent t state. In addition, after stre eaming backup p completes, some files have e the state they had in the t beginning of the backup p, while other files have the state of the en nd of the back kup window.

Pla anning Bac ckup Capa acity


Whe en you develo op an enterpris se recovery strategy, you need d to determine e how much stor rage capacity your y organizat tion will requir re for backups. The follo owing factors affect a the amo ount of space that is re equired to store backup data a: Space require ements for a fu ull backup Space require ements for an incremental backup Amount of tim me required to o back up Backup frequency Backup retention

Full Backup Re equirements

To calculate c the space required for a full back kup, determine e how much sp pace from all v volumes you w will need to back up. If the server ha as a dedicated d drive for bac kups, you wou uld not perform m a backup on n that driv ve.

With products tha at perform ima age-based bac ckups, such as Windows Serv ver Backup, this data is not com mpressed. On some s types of servers, notab bly file servers, the amount o of space requir red for a full ba ackup grow ws over time. You Y can lessen n this tendency y by using file expiration policies such as t those found in n File Serv ver Resource Manager M (FSRM M).

Inc cremental Ba ackup Requ uirements


An incremental i ba ackup on Wind dows Server Backup stores a all of the hard disk blocks that have chang ged ntially faster th sinc ce the last full or o incremental backup. Incre emental backu ups are substan han full backups and require less space. The dow wnside of incre emental backu ps is that they y can require g greater recover ry time e.

MCT USE ONLY. STUDENT USE PROHIBITED


7-11

Configuring g Advanced Windows s Server 2012 Serviices

Amount A of Time T Requir red to Back up

Th he amount of time required to write data from the serve er being backe ed up to the b backup storage e device ca an have an imp pact on projec cted RPO, beca ause it is not re ecommended to begin a ne ew backup ope eration prior to the com mpletion of the e current one.

Backup B Frequency

Ba ackup frequency is a measur re of how often n backups are taken. With in ncremental blo ock-level backups, no su ubstantial diffe erence will exis st between the e amount of da ata written ov er the sum of four 30-minut te se essions and on ne 2-hour incre emental sessio ons on the sam me server. This is because ove er the two hou urs, the sa ame number of o blocks will have changed on o the server a as the four 30-minute sessio ons. However, t the four 30 0-minute sessi ions have brok ken it up into smaller s parts. W When backups s occur more f frequently, the ey re educe the time e required to perform p the ba ackup by splitt ting it into sma aller parts. The e overall total w will be ab bout the same e.

Backup B Rete ention

When W attemptin ng to determin ne the required backup capa acity, you shou uld determine precisely how w long yo ou need to ret tain backup da ata. For examp ple, if you need d to be able to o recover to an ny backup poin nt in the la ast 28 days, and d you have rec covery points generated g eve ery hour, you w will need more e space than if f you ha ave recovery points p generated once a day y and you only y need to resto ore from the la ast 14 days.

Planning P Backup Security


When W planning your backup security, consider the fo ollowing: Backups co ontain all organ nizational data a. By nature, bac ckups will contain all the data necessary to ensure your organizations s continued ability a to funct tion in the eve ent of failure. Because this data is likely to con ntain sensitive inf formation, you u should prote ect it with the same level of diligence as it is protected with w when hosted on the ser rver.

Access to backup b media means access to all data. If feas sible, use administrative role e separation to ensure that t the users who o back up the data are not t the users who can restore it. In high security env vironments, en nsure that backup and resto re operations are properly a audited so that t you can track backups, and re estore function n activity. Windows Server Backup does d not encry ypt backups. W Windows Serve er Backup writes backups in VHD format. This means that anyone a who ha as access to W Windows 8 or Windows Serv ver 2012 can m mount those backu ups as volume es, and then ex xtract data from m them. An ev ven more soph histicated attac ck might inclu ude booting into the backup p VHD to impe ersonate the ba acked up syste em on the organizatio onal network.

Keep backu up media in a secure s location. At a minimu um, backups should be kept t locked up in a secure location. If your organization is backing g up to disk dr rives that are a attached to servers by USB c cable, ensure that t those disk drives are locked d in place, eve n if they are lo ocated in a sec cure server roo om, and even if your organization ns server room m has a security y camera.

MCT USE ONLY. STUDENT USE PROHIBITED

7-12 Implemen nting Disaster Recove ery

Wh hat Is Wind dows Serv ver Backup p?


The Windows Serv ver Backup fea ature in Windo ows Serv ver 2012 consists of a Micros soft Managem ment Con nsole (MMC) sn nap-in, the com mmand wbadm min, and Windows Pow werShell com mmands. You ca an use wizards in the e Windows Ser rver Backup fea ature to guide g you thro ough running backups b and reco overies. You u can use Wind dows Server Ba ackup 2012 to back up: Full server (all volumes). Selected volu umes. Select specific c items for bac ckup, such as specific s folders s or the system m state.

In addition, Windows Server Backup 2012 allo ows you to:

Perform a bare-metal resto ore. A bare-me etal backup con ntains at least all critical volu umes, and allo ows you to restore e without first installing an operating o syste em. You do this by using the e product med dia on a DVD or USB B key, and the Windows Recovery Environ ment (Window ws RE). You can n use this back kup type together with the Win ndows RE to recover from a h hard disk failure, or if you ha ave to recover r the whole compu uter image to new n hardware. Use system st tate. The backu up contains all information t to roll back a s server to a spe ecific point in t time. However, you u need an operating system installed prior r to recovering g the system st tate.

Recover indiv vidual files and d folders or vol lumes. The Ind dividual files and folders o option enables s you to select to back up and res store specific files, f folders, o or volumes, or y you can add specific files, fo olders, or volumes to o the backup when w you use an option such h as critical vo olume or system m state. Exclude selected files or file e types. For exa ample, you ca n exclude tem mporary files fro om the backup p. Select from more m storage lo ocations. You can c store back kups on remot te shares or no on-dedicated volumes. Use the Micro osoft Online Backup Service. . The Microsof ft Online Backu up Service is a cloud-based backup soluti ion for Window ws Server 2012 2 that enables s files and folde ers to be back ked up and recovered fro om the public or o private clou ud to provide o off-site backup p.

If th here are disaste ers such as har rd disk failures s, you can perf form system re ecovery by using a full serve er backup and Wind dows REthis will w restore your complete sy ystem onto th he new hard disk.

De emonstration: Config guring a Sc cheduled Backup

In th his demonstration, you will see s how to con nfigure Windo ows Server 201 12 to perform a scheduled backup of specific folders, with a filter to exclude spec cific file types.

Dem monstration n Steps


1. 2. On LON-SVR1, start Windo ows Server Backup. Configure the e backup schedule with the following f opti ons: o

Backup Configuration: C Custom and C:\HR C Data fo older is backed d up, with the e exception of C C:\HR Data\Old d HR file.txt

MCT USE ONLY. STUDENT USE PROHIBITED


7-13

Configuring g Advanced Windows s Server 2012 Serviices

o o o

Backup p Time: Once a day, 1:00 AM M Destina ation Type: Ba ack up to a shared network k folder Remote Shared Folde er: \\LON-DC1\Backup: Re egister Backup Schedule: Use ername: Admi nistrator Password: Pa$$w w0rd

3. . 4. .

Run the Bac ckup Once Wizard using the e scheduled ba ackup options.. Close Wind dows Server Ba ackup.

What W Is On nline Backu up?


Th he Microsoft Online O Backup Service is a clo oudba ased backup solution for Windows Server 2012 th hat is managed d by Microsoft t. You can use this se ervice to back up files and fo olders, and to recover r th hem from the public or priva ate cloud to pr rovide of ff-site protection against dat ta loss caused by di isasters. You ca an use Microso oft Online Bac ckup Se ervice to back up and protec ct critical data from an ny location.

Microsoft M Onlin ne Backup Serv vice is built on the Windows W Azure e platform, an nd uses Windo ows Azure blob stor rage for storing g customer da ata. Windows W Server 2012 uses the downloadab ble Microsoft O Online Backup Service Agent t to transfer fil le and fo older data secu urely to the Mi icrosoft Online e Backup Servi ice. After you i install the Microsoft Online Backup Se ervice Agent, the t agent integ grates its funct tionality throu ugh the Windo ows Server Bac ckup interface.

Key K Features s
Th he key feature es that Window ws Server 2012 2 provides thro ough the Micro osoft Online B Backup Service in nclude:

Simple configuration and d management t. Integration w with the Windows Server Backup tool prov vides a seamless ba ackup and recovery experien nce to a local d disk, or to a clo es oud platform. Other feature include: o o Simple user interface e to configure and monitor b backups. Integra ated recovery experience e to recover files a nd folders fro m local disk or from a cloud d platform. Easy da ata recoverability for data th hat was backed d up onto any server of your r choice. Scriptin ng capability that is provided d by the Wind dows PowerShe ell command-line interface.

o o

Block-level incremental backups. b The Microsoft M Onlin ne Backup Age ent performs incremental ba ackups by tracking file and block k-level changes, and only tra ansferring the changed blocks, which redu uces the storage and d bandwidth usage. u Differen nt point-in-tim me versions of t the backups use storage efficiently by only storing the chang ged blocks bet tween these ve ersions.

Data compression, encryp ption, and thro ottling. The M icrosoft Online e Backup Service Agent ensu ures that data is s compressed and a encrypted d on the server r before it is se ent to the Micr rosoft Online B Backup Service on the t network. Therefore, T the Microsoft Onl ine Backup Se ervice only stor res encrypted data in cloud storage. The encryp ption passphra ase is not avail lable to the M icrosoft Online e Backup Service, and

MCT USE ONLY. STUDENT USE PROHIBITED

7-14 Implemen nting Disaster Recove ery

therefore, the e data is never r decrypted in the cloud. In a addition, users s can set up throttling and configure how w the Microsoft Online Back kup Service use es the network k bandwidth w when backing u up or restoring info ormation.

Data integrity y verified in the cloud. In add dition to the s ecure backups s, the backed u up data is also o checked auto omatically for integrity after the backup co ompletes. Ther refore, any cor rruptions that may arise because e of data transf fer can be easi ily identified. T These corrupti ons are fixed a automatically in the next backup. Configurable retention poli icies for storing g data in the c cloud. The Mic crosoft Online Backup Servic ce accepts and implements ret tention policie es to recycle ba ackups that ex xceed the desired retention range, thereb by meeting bus siness policies and managing g backup cost ts.

Reference Links: You can n find out mor re about Wind dows Azure at: p://www.windo owsazure.com/ /en-us/home/features/stora ge/ http

Co onsideratio ons for an Enterprise e Backup S Solution


Win ndows Server Backup B is a single-server bac ckup solu ution. When planning backup for an enterprise, consider the following points: Maximum am mount of data lost. What is th he theoretical RP PO of the prod duct? Products s that offer restoration closer to the point of the e failure are like ely to cost mo ore than produ ucts that offer 15 minute or 30 minute m RPOs. You need to deter rmine your org ganizations ne eeds. Does your org ganization nee ed to be able to t recover to the e last SQL Serv ver transaction n, or is a 15-minute recovery win ndow an acceptable co ompromise?

How quick is RTO recovery? ? How long do oes it take to g go from failure e to restored fu unctionality? B Being able to restor re to the last SQL Server tran nsaction is the optimal soluti ion, but if it ta akes two days t to recover to tha at point, the so olution is not looking l as goo od. Does the solu ution provide centralized c bac ckup? Does th he product allo ow you to cent tralize your backup solution on one o server, or must m backups be performed directly on ea ach server in th he organization? Is the solution n supported by vendors? Some vendors us se undocumen nted applicatio on programmi ing interfaces (AP PIs) to back up p and recover specific s produc cts, or to back k up files witho out ensuring th hat the service is at a consistent state. Is the backup p solution compatible with yo our applicatio ns? For examp ple, a new upd date to a produ uct makes the ba ackup solution incompatible. . Check with th he application vendor to det termine wheth her the enterprise e backup solut tion is support ted. Recovery point capacity. De etermine what t the recovery point capacity y of the product is. How man ny restore points s does the enterprise data protection solut tion offer, and d is this adequa ate for your organizations needs?

MCT USE ONLY. STUDENT USE PROHIBITED


7-15

Configuring g Advanced Windows s Server 2012 Serviices

What W Is Data Protect tion Manag ger?


DPM is a Micros soft enterprise e data protection and re ecovery product with the following feature es: Backup cen ntralization. DP PM uses a client/serve er architecture, where the client software is installed on al ll the compute ers that are to be backed up. Tho ose clients strea am backup dat ta to the DPM server. This allows each DPM server s to supp port entire sma all to medium-siz zed organizations. You can also a manage mu ultiple DPM se ervers from one centralized DPM console.

15-minute RPO. DPM allo ows 15-minute e snapshots of o supported products. p This includes most of the Micros soft enterprise suite of produ ucts, including Windows W Serve er with its roles s and services, Exchange Ser rver, Hyper-V , and SQL Ser rver.

Supports Microsoft M workl loads. DPM wa as designed sp pecifically by M Microsoft to su upport Microso oft applications such as Exch hange Server, SQL S Server, and d Hyper-V. Ho owever, DPM h has not been specifically designed to support non-M Microsoft serve r applications that do not ha ave consistent t states on disk, or that do not su upport VSS. Disk-based backup. DPM can perform scheduled bac ckups to disk a arrays and stor rage area netw works (SANs). You u can also conf figure DPM to o export specif ic backup data a to tape for re etention and compliance e related tasks. .

Remote site e backup. DPM M uses an architecture that a allows it to bac ck up clients th hat are located d in remote site es. This means that a DPM se erver that is loc cated in a head office site ca an perform backups of servers and a clients that t are located across a wide are ea network (W WAN) links.

Supports Ba ackup to Cloud strategies. DPM D supports backup of DPM M servers. This s means that a DPM server at a cloud-based hosting h facility can be used t to back up the e contents of a head office D DPM server. For disaster redun ndancy, you can also configu ure DPM servers to back up e each other.

MCT USE ONLY. STUDENT USE PROHIBITED

7-16 Implemen nting Disaster Recove ery

Lesson 3

Implem menting g Server and Data D Rec covery

Recovering server rs and data req quires well-def fined and docu umented proc cedures that ad dministrators c can follo ow when failur res occur. The recovery proc cess also requir res knowledge e of the backup and restore hard dware and soft tware, such as DPM, and tap pe library devic ces. ing the Windo This s lesson describ bes how to res store data and d servers by usi ows Server Bac ckup feature in n Win ndows Server 2012, 2 and Micr rosoft Online Backup B Service e in Windows S Server 2012.

Op ptions for Server S Rec covery


Win ndows Server Backup B in Wind dows Server 2012 prov vides the following recovery y options: Files and folders. You can back b up individ dual files or folder rs as long as th he backup is on n separate volu ume or in a rem mote shared fo older. Applications and a data. You can recover applications and a data if the e application has h a VSS writer, an nd is registered d with Window ws Server Backup p. Volumes. Restoring a volum me always resto ores all the conten nts of the volume. When you u ders. choose to res store a volume e, you cannot restore r individ ual files or fold

Operating sys stem. You can recover the operating syste em through W indows RE, the e product DVD D, or a USB flash driv ve. Full server. Yo ou can recover r the full server through Win ndows RE. System state. System state creates c a point t-in-time back kup that you ca an use to resto ore a server to oa previous work king state.

The Recovery Wiz zard in Window ws Server Back kup provides s everal options s for managing g file and folde er reco overy. They are e:

Recovery De estination. Under Recovery Destination, yo ou can select a any one of the e following opt tions: o Original location. The e original locat tion restores th he data to the location to wh hich it was bac cked up origin nally. Another r location. Ano other location restores the d data to a differ rent location.

Conflict Reso olution. Resto oring data from m a backup fre equently confli icts with existin ng versions of the data. Conflict t resolution allo ows you to de etermine how t to handle thos se conflicts. When these con nflicts occur, you ha ave the following options: o o o Create copies and ret tain both vers sions. Overwrit te existing ve ersion with recovered versi ion. Do not recover r items if they alread dy exist in the e recovery loc cation.

Security Sett tings. Use this option to rest tore permissio ons to the data a that is being recovered.

MCT USE ONLY. STUDENT USE PROHIBITED


7-17

Configuring g Advanced Windows s Server 2012 Serviices

Options O for r Server Re estore


Yo ou perform server restore by y starting the co omputer from the Windows Server 2012 in nstallation med dia, selecting the computer repair r op ption, and then selecting the e full server restore op ption. Alternat tively, you can use the installation media m on a USB B flash drive, or using Windo ows RE. When W you perfo orm full server r restore, consi ider the fo ollowing:

Bare-metal restore. Bare-metal restore is the process dur ring which you u restore an ex xisting server in its s entirety to ne ew or replacem ment hardware. When W you perf form a bare-m metal restore, the e restore proce eeds and the se erver restarts. Later, the serv ver becomes o operational. In some cases, you may m have to re eset the computers Active D Directory accou unt, because these accounts s can sometimes become desyn nchronized.

Same or lar rger disk drives. The server hardware h to wh hich you are re estoring must have disk driv ves that are the sam me size or large er than the drives of the orig ginal host serv ver. If this is no ot the case, the e restore will fail. It is s possible, alth hough not advisable, to succ cessfully restor e to hosts that t have slower processors and less rando om access mem mory (RAM). Importing to t Hyper-V. Be ecause server backup b data is s written to the e VHD format (which is also the format that t is used for vir rtual machine hard disks), if you are carefu ul it is possible e, to use full se erver backup dat ta as the basis for creating a virtual machin ne. Doing this ensures business continuity while sourcing th he appropriate replacement hardware.

Options O for r Data Rec covery


Data is the mos st frequently re ecovered comp ponent of f an IT infrastructure. This is due to users ac ccidently delet ting data, and needing you to t re ecover it. There e are several st trategies that you y ca an pursue whe en you are dev veloping a data a re ecovery proced dure. You can: Allow users s to recover their own data. Perform a recovery r to an alternative loc cation. Perform a recovery r to the e original locat tion. Perform a full f volume rec covery.

Users U Recove er Their Ow wn Data

Th he most comm mon form of da ata recovery performed p by I T departments is the recove ery of files and folders th hat users have deleted, lost, or o in some way corrupted. T The Previous V Versions of Fi iles functionality that was w introduced in Windows Server S 2003, (w which you can also enable on n all computer rs running Win ndows Se erver 2012,) lets users recove er their own fil les using the f ile or folder pr roperties right t from their workstation. w Aft ter end-users are a trained how to do this, t he IT departm ment spends les ss time recove ering us ser data, which h allows them to focus on more m valuable t tasks.

MCT USE ONLY. STUDENT USE PROHIBITED

7-18 Implementing Disaster Recovery

From a planning perspective, you should consider increasing the frequency at which snapshots for previous versions of files are generated. This gives users more options when they try to recover their files.

Recover Data to an Alternative Location

A common recovery problem is the unintentional replacement of important data when recovering from backup. This can occur when recovery is performed to a location with live data, instead of to a separate location where the necessary data can be retrieved and the unnecessary data discarded.

When you perform a recovery to an alternative location, always ensure that permissions are also restored. A common problem is administrators recovering data that includes restricted material, to a location where permissions are not applied, thereby enabling unintended access to data for users that should not have it.

Recover Data to the Original Location

During some types of failures, such as data corruption or deletion, you will have to restore data to the original location. This is the case when applications or users who access the data are preconfigured with information about where the data is located.

Recover a Volume

If a disk fails, the quickest way to recover the data could be to perform a volume recovery, instead of a selective recovery of files and folders. When you perform a volume recovery, you must check whether any shared folders are configured for the disks, and whether the quotas and FSRM management policies are still in effect. Note: During the restore process, you should copy event logs before you start the restore process. If you overwrite the event log filesfor example with a system recoveryyou will be not able to read event log information that occurred before the restore started. That event log data could lead you to information about what caused the issue.

Demonstration: Using Windows Server Backup to Restore a Folder


In this demonstration, you will see how to use the Recovery Wizard to restore a folder.

Demonstration Steps
1. 2. On LON-SVR1, delete the C:\HR Data folder. In Windows Server Backup, run Recovery Wizard and specify the following information: o o o o o o o 3. Getting Started: A backup stored on another location Specify Location type: Remote Shared Folder Specify Remote Folder: \\LON-DC1\Backup Select Backup Date: Default value, Today Select Recovery Type: Default value, Files and Folders Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data Specify Recovery Options: Another Location (C:)

In Windows Explorer, browse to C:\, and ensure that the HR Data folder is restored.

MCT USE ONLY. STUDENT USE PROHIBITED


7-19

Configuring g Advanced Windows s Server 2012 Serviices

Restoring R with w an On nline Backu up Solutio on


Yo ou can use the e Microsoft On nline Backup Service to o back up only y Windows Server 2012 serve ers. However, you do d not have to restore data on o to th he same server r from which you y backed it up. u Yo ou can recover files and fold ders by using both b Microsoft M Onlin ne Backup MM MC in Server Ma anager, or r by using the Windows Pow werShell comm mandlin ne interface. To use the Micr rosoft Online Backup B MMC, M perform the following steps: 1. . Select the server s on which backup data a was created orig ginally. This se erver could be a local server or an nother server. If you select th he option for another a server r, you must pro ovide your Mic crosoft Online e Backup Servic ce administrat tor credentials. .

2. . 3. . 4. .

Browse for files that have e to be restored, or you can s search for them in the Micro osoft Online Backup Service. After you lo ocate the files, select them fo or recovery, an nd select a loc cation to where e the files will be restored. When resto oring files, sele ect one of the following f opti ons: o

Create copies so that t you have bot th the restored d file and origi inal file in the same location n. The restore ed file has its name n in the fol llowing format t: Recovery Da ate+Copy of+Original File N Name. Overwr rite the existing versions with the recovere ed version. Do not t recover the it tems that alrea ady exist on th he recovery de estination.

o o

After you comp plete the restor re procedure, the t files will be e restored on to the Window ws Server 2012 2 server th hat is located in your site.

MCT USE ONLY. STUDENT USE PROHIBITED

7-20 Implementing Disaster Recovery

Lab: Implementing Windows Server Backup and Restore


Scenario

Much of the data that is stored on the A. Datum Corporations network is extremely valuable to the organization. Losing this data would be a significant loss to the organization. Additionally, many of the servers that are running on the network provide extremely valuable services for the organization, which means that losing these servers for a significant period of time would also result in losses to the organization. Because of the significance of the data and services, it is critical that they can be restored in the event of disaster.

A. Datum is considering backing up critical data to a cloud-based service. A. Datum is also considering this as an option for small branch offices that do not have a full data center infrastructure. As one of the senior network administrators at A. Datum, you are responsible for planning and implementing a disaster recovery solution that will ensure that critical data and services can be recovered in the event of any type of failure. You need to implement a backup and restore process that can recover lost data and services.

Objectives
Back up data on a Windows Server 2012 server. Restore files using Windows Server Backup. Implement Microsoft Online Backup and Restore.

Lab Setup
20412A-LON-DC1 20412A-LON-SVR1 MSL-TMG1 Estimated time: 60 minutes Virtual Machine(s) User Name Password 20412A-LON-DC1 20412A-LON-SVR1 MSL-TMG1 Adatum\Administrator Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: o o User name: Adatum\Administrator Password: Pa$$w0rd

5. 6.

Repeat steps 2-4 for 20412A-LON-SVR1. Repeat step 2 for MSL-TMG1.

MCT USE ONLY. STUDENT USE PROHIBITED


7-21

Configuring Advanced Windows Server 2012 Services

Exercise 1: Backing Up Data on a Windows Server 2012 Server


Scenario

The LON-SVR1 server contains financial data that must be backed up on a regular basis. This data is critical to the organization. You decided to use Windows Server Backup to back up critical data. You will to install this feature and configure scheduled backups. The main tasks for this exercise are as follows: 1. 2. 3. Install Windows Server Backup. Configure a scheduled backup. Complete an on-demand backup.

Task 1: Install Windows Server Backup


1. 2. Switch to LON-SVR1.

From Server Manager, install the Windows Server Backup feature. Accept the default values on the Add Roles and Features Wizard.

Task 2: Configure a scheduled backup


1. 2. On LON-SVR1, start Windows Server Backup. Configure the backup schedule with the following options: o o o o Backup Configuration: Full server (recommended) Backup Time: Once a day, 1:00 AM Destination Type: Back up to a shared network folder Remote Shared Folder: \\LON-DC1\Backup Register Backup Schedule: Username: Administrator Password: Pa$$w0rd

Task 3: Complete an on-demand backup


1. 2. On LON-SVR1, start Windows Server Backup.

Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder, \\LONDC1\Backup.

Results: After completing this exercise, you will have configured the Windows Server Backup feature, scheduled a backup task, and completed an on-demand backup.

Exercise 2: Restoring Files Using Windows Server Backup


Scenario

To ensure that the financial data can be restored, you must validate the procedure for restoring the data to an alternate location. The main tasks for this exercise are as follows: 1. 2. Delete a file from the server. Restore a file from backup.

MCT USE ONLY. STUDENT USE PROHIBITED

7-22 Implementing Disaster Recovery

Task 1: Delete a file from the server


On LON-SVR1, open Windows Explorer and then delete the C:\Financial Data folder.

Task 2: Restore a file from backup


1. o o o o o o o 2. Getting Started: A backup stored on another location Specify Location type: Remote Shared Folder Specify Remote Folder: \\LON-DC1\Backup Select Backup Date: Default value, Today Select Recovery Type: Default value, Files and Folders Select Items to Recover: LON-SVR1\Local Disk (C:)\Financial Data Specify Recovery Options: Another Location (C:)

In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:

Open drive C:\, and ensure that the Financial Data folder is restored.

Results: After completing this exercise, you will have tested and validated the procedure for restoring a file from backup

Exercise 3: Implementing Microsoft Online Backup and Restore


Scenario

A. Datum has to protect critical data in small branch offices. These offices do not have backup hardware and full data center infrastructures. Therefore, A. Datum has decided to back up the critical data in branch offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. Install the Microsoft Online Backup Service component. Register the server with Microsoft Online Backup Service. Configure an online backup and start a backup. Restore files using the online backup. Unregister the server from the Microsoft Online Backup Service.

Task 1: Install the Microsoft Online Backup Service component


1. 2. 3. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent, OBSInstaller.exe. Start installing Microsoft Online Backup Agent by double-clicking the installation file OBSInstaller.exe. Complete the setup by specifying the following information: o o o 4. Installation Folder: C:\Program Files Cache Location: C:\Program Files\Microsoft Online Backup Service Agent Microsoft Update Opt-In: I don't want to use Microsoft Update

Verify the installation and ensure that you receive the following message: Microsoft Online Backup Service Agent installation has completed successfully.

MCT USE ONLY. STUDENT USE PROHIBITED


7-23

Configuring Advanced Windows Server 2012 Services

5. 6.

Clear the Check for newer updates check box, and then click Finish. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and Microsoft Online Backup Service Shell.

Task 2: Register the server with Microsoft Online Backup Service

Before you register the server, you must rename LON-SVR1 to YOURCITYNAME-YOURNAME. For example: NEWYORK-ALICE. This is because you will perform this exercise online, and therefore the computer names used in this lab should be unique. If there is more than one student in the classroom with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1. 1. 2. 3.

In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart YOURCITYNAME-YOURNAME. Wait until YOURCITYNAME-YOURNAME has restarted, and then log on as Adatum\Administrator with password Pa$$w0rd. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following information: o o Username: holuser@onlinebackupservice.onmicrosoft.com Password: Pa$$w0rd

Note: In a real-life scenario, you would type the username and password of your Microsoft Online Backup Service subscription account. o 4. Enter passphrase: Pa$$w0rdPa$$w0rd Confirm passphrase: Pa$$w0rdPa$$w0rd

Verify that you receive the following message: Microsoft Online Backup Service is now available for this server.

Task 3: Configure an online backup and start a backup


1. 2. Switch to the Microsoft Online Backup Service console. Configure an online backup by using the following options: o o o 3. Select Items to back up: C:\Financial Data Specify Backup Time: Saturday, 1:00AM Specify Retention Setting: Default values

In the Microsoft Online Backup Service console, click Backup Now.

Task 4: Restore files using the online backup


1. 2. 3. On LON-SVR1, open Windows Explorer and delete C:\Financial Data. Switch to the Microsoft Online Backup Service console.

Restore files and folders by using the Recover Data option, and specify the following information: o o o o o Identify the server on which the backup was originally created: This server Select Recovery Mode: Browse for files Select Volume and Date: C:\ and date and time of the latest backup Select Items to Recover: C:\Financial Data

Specify Recovery Options: Original location and Create copies so that you have both versions

4.

In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive C.

MCT USE ONLY. STUDENT USE PROHIBITED

7-24 Implementing Disaster Recovery

Task 5: Unregister the server from the Microsoft Online Backup Service
1. 2. Switch to the Microsoft Online Backup Service console. Unregister the server from the Microsoft Online Backup Service using the following credentials: o o Username: holuser@onlinebackupservice.onmicrosoft.com Password: Pa$$w0rd

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent, registered the server with Microsoft Online Backup Service, configured a scheduled backup, and performed a restore by using Microsoft Online Backup Service.

To prepare for the next module


1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-LON-SVR1, and MSL-TMG1.

MCT USE ONLY. STUDENT USE PROHIBITED


7-25

Configuring Advanced Windows Server 2012 Services

Module Review and Takeaways


Question: You want to create a strategy the covers how to back up different technologies that are used in your organization such as DHCP, DNS, AD DS, and SQL Server. What should you do? Question: How frequently should you perform backup on critical data?

Common Issues and Troubleshooting Tips


Common Issue The server has suffered a major failure on its components. Troubleshooting Tip

Real-world Issues and Scenarios

If a failure were to occur, your organization needs information about which data to back up, how frequently to back up different types of data and technologies, where to store backed up data (onsite or in the cloud), and how fast it can restore backed-up data. How would you improve your organizations ability to restore data efficiently when it is necessary?

Answer: Your company should develop backup and restore strategies based on multiple parameters, such as business continuity needs, risk assessment procedures, and resource and critical data identification. You must develop strategies that should be evaluated and tested. These strategies should take into consideration the dynamic changes occurring with new technologies, and changes that occur with the organizations growth.

Best Practice:

Analyze your important infrastructure resources and mission-critical and business-critical data. Based on that analysis, create a backup strategy that will protect the company's critical infrastructure resources and business data. Identify with the organizations business managers the minimum recovery time for business-critical data. Based on that information, create an optimal restore strategy. Always test backup and restore procedures regularly. Perform testing in a non-production and isolated environment.

Tools
Tool Windows Server Backup Microsoft Online Backup Service Use Performing on demand or scheduled backup and restoring data and servers Performing on-demand or scheduled backup to the cloud, and restoring data from the backup located in the cloud Where to find it Server Manager - Tools Server Manager - Tools

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED


8-1

Module 8
Contents:
Module Overview Lesson 1: Overview of Distributed AD DS Deployments Lesson 2: Deploying a Distributed AD DS Environment Lesson 3: Configuring AD DS Trusts Lab: Implementing Complex AD DS Deployments Module Review and Takeaways 8-1 8-2 8-9 8-18 8-23 8-27

Implementing Distributed Active Directory Domain Services Deployments

Module Overview

For most organizations, the Active Directory Domain Services (AD DS) deployment may be the single most important component in the IT infrastructure. When organizations deploy AD DS or any of the other Active Directorylinked services within the Windows Server 2012 operating system, they are deploying a central authentication and authorization service that provides Single Sign On (SSO) access to many other network services in the organization. AD DS provides the primary security mechanism for authentication and authorization within most organizations, and enables policy-based management for user and computer accounts. With other AD DS services, you can extend some of this functionality to users who are external to the organization. This module will describe the key components of a complex AD DS environment, and how to install and configure a highly complex AD DS deployment.

Objectives
After completing this module, you will be able to: Describe the components of distributed AD DS deployments. Explain how to deploy a distributed AD DS deployment. Explain how to configure AD DS trusts. Explain how to implement complex AD DS deployments.

MCT USE ONLY. STUDENT USE PROHIBITED

8-2

Implementing Distributed Activ ve Directory Domain Services Deployment ts

Lesson 1

Overvi iew of Distribu D uted AD D DS Deployme ents

Befo ore starting to configure a co omplex AD DS S deployment, it is importan nt to know the components t that com mprise the AD DS structure, and a how they interact with e each other to h help provide a scalable and more secu ure IT environm ment. The lesson starts by ex xamining the v various compo onents of an A AD DS environm ment, in particular, p dom mains, trees and d forests.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe the components of o an AD DS en nvironment. Explain how AD A DS domain ns and forests form f boundar ries for security y and administ tration. Explain reasons for having more than one e domain in an n AD DS enviro onment. Explain reasons for having more than one e forest in an A AD DS environ nment. Explain the im mportance of Domain D Name e System (DNS) ) in a complex x AD DS structu ure. Outline the options o for upg grade and coex xistence with p previous AD D DS versions.

Dis scussion: Overview O of o AD DS Componen C nts


An AD A DS environ nment has vari ious components, and it is importan nt for you to un nderstand the purpose of each component, c an nd how they inte eract with each h other. Some of the AD DS environment com mponents are domains, d trees, , and fore ests. There is one global cata alog in each fo orest, and there are trus st relationships s. It is also imp portant to unde erstand the pu urpose and benefit of these compone ents. Question: What is an AD DS D domain? Question: What is an AD DS D domain tree e? Question: What is an AD DS D forest? Question: What are trust re elationships? Question: What is a global catalog?

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


8-3

Overview O of o Domain and Fores st Bounda ries in an A AD DS Stru ucture


As already discu ussed, domains and forests provide p bo oundaries with hin the AD DS namespace. An A un nderstanding of o the differen nt types of bou undaries is essential to managing m a com mplex AD DS en nvironment.

Boundaries B and a Limits in AD DS Domains D and d Forests


Th he AD DS dom main forms bou undaries and li imits fo or several items:

o that ex xist in a single domain d All AD DS objects are stored in i the AD DS database d on ea ach domain con ntroller in the domain. The replication r pro ocess ensures t that all origina ating updates a are replicated to t all of the other domain co ontrollers in th he same domain. In large org ganizations wh here there are a large number r of changes, th he replication traffic can hav ve a noticeable e effect on net twork bandwidth between the domain d contro ollers. This is o ne of many fa ctors that you u must conside er when designing an a AD DS dom main structure. The manag gement of acce ess to resource es is usually str raightforward within a single e AD DS doma ain. Although you y can grant users u access to o resources thr roughout the A AD DS forest, it is simpler to o manage pe ermission withi in the AD DS domain d bound dary. This way, the administrators for the d domain have the pe ermission to do this in their own AD DS do omain.

Auditing is centrally managed by using g GPOs. The m aximum scope e of these settings is at the A AD DS domain lev vel. It is possible to have the same audit se ttings in differ rent AD DS do omains, but the en they must be ma anaged separa ately in each domain.

Group Polic cies can be linked at the following levels: l ocal, site, dom main, and orga anizational unit t (OU). Apart from site-level Group Policies, the scope of Gro oup Policies is the AD DSd domainthere e is no inheritance in to another, even if one AD e of Group Poli icies from one AD DS domai D DS domain i is lower than another in the DNS namespace.

The DNS se ervices work be est to support an AD DS env vironment whe en it is Active D DirectoryInte egrated. This means that instead of o the DNS rec cords being sto ored locally on n each DNS Se erver in text file es, they are stored and a replicated d in the AD DS database. Bec cause it is the d database for the AD DS dom main, it becomes th he limit of repl lication of thos se records. The e administrato or can then decide whether t to replicate th he DNS information to all do omain controlle ers in the dom main (regardles ss of whether t they are DNS servers), to all doma ain controllers that are DNS s servers in the domain, or to all domain controllers that are DNS servers s in the forest. f For the e last two optio ons, separate r replication par rtitions (domainDn nsZones and fo orestDnsZones) exist. Alterna atively, it is pos ssible to create e a custom partition where the administrator a has to select manually m which h domain cont trollers particip pate in its replication, but this me ethod is not of ften used.

Th he AD DS forest acts as a bo oundary for cer rtain replicatio on and management areas:

The schema a partition con ntains the rules s and syntax fo or the AD DS d database. This is replicated t to all the domain con ntrollers in the e AD DS forest. Because the s schema may h have to be modified to supp port certain app plications that are a integrated d with the AD D DS database, t there will have e to be careful control over the schema modifica ations that are e allowed, part ticularly to make sure that none of the upd dates adversely affect the opera ation of other applications o or the AD DS d database itself. . The configu uration partitio on contains the details of the e AD DS doma ain layout, including: domains, domain con ntrollers, replic cation partners s, site and sub bnet informatio on, and Dynam mic Host Configurati ion Protocol (D DHCP) authorization or the c configuration of Dynamic Ac ccess Control. The

MCT USE ONLY. STUDENT USE PROHIBITED

8-4

Implementing Distributed Activ ve Directory Domain Services Deployment ts

configuration n partition also o contains information about t applications that are integrated with the e AD DS databa ase. An examp ple of one of th hese applicatio ons is Exchang ge Server 2010.

The global ca atalog is the re ead-only list co ontaining every y object in the e entire AD DS S forest. To kee ep it to a managea able size the global catalog contains c only some attribute es for each obj bject, but it can n still grow very large depending on the extent t of the organi ization. The siz ze of the globa al catalog and the number of on ngoing change es to it are imp portant factors s in the allocat tion of which A AD DS domain n controllers wi ill hold a copy of the global catalog. In ad dition, networ rk bandwidth i is also an impo ortant factor to take e into account. .

In an AD DS forest f with mu ultiple AD DS domains, d there e is a DNS zone e with forest-w wide replicatio on. This enables clients c to locat te records for AD A DS domain n controllers in n other AD DS S domains. The ere will be some DNS records that must be available to clie ents in every d domainfor ex xample, domain controllers that store a copy of the globa al catalog. Whe en AD DS dom main controller rs start up, they register sever ral server (SRV) ) resource reco ords in the DN NS database. So ome of these r records must b be replicated to every DNS ser rver in the AD DS forest, not t just restricted d to the AD DS S domainwh hich would be the e case if they were w added to a regular Activ ve Directoryin ntegrated DNS S zone. For thi is reason, a spec cial forest-leve el DNS zone na amed forestDn nsZones is crea ated, and the replication of this is to all DNS ser rvers in the AD D DS forest, rat ther than to ev very DNS serve er or AD DS do omain controller in the domain.

Wh hy Implem ment Multiple Domains?


Man ny organizatio ons can functio on adequately with a sin ngle AD DS do omain. Howeve er, some entiti ies requ uire multiple domains d for se everal reasons: The organizat tion is decentr ralized and can nnot support the numbers n of use ers by using a centralized AD DS model: In this case, AD D DS replication ov ver network lin nks may put an n undo strain on o the network k connections. For this reason, it t might be better to install a separate AD DS D domain for r the remote location. In practice, you wo ould not do th his unless there were w a large number of acco ounts that needed to t access the AD A DS domain n controllers. It may be nec cessary to divid de a large AD DS database i nto more man nageable sectio ons. By doing so, you can also reduce the impact of AD DS S replication tr affic on the ne etwork.

There is a req quirement for different d DNS namespaces: S Sometimes the ere is a require ement to have e more than one DNS S namespace in i an AD DS fo orest. This is ty ypically the cas se when one co ompany acqui ires another comp pany, or merges with anothe er organization n, and there is s need to prese erve the doma ain names from the t existing en nvironment. Security: Ther re may exist se ecurity or polit tical requireme ents to have different parts o of the AD DS database in different d doma ains. If a compa any is setting u up a facility in a foreign country and there e are political or leg gal reasons wh hy the new org ganization has s to have a ver ry distinct secu urity base, they y may need to imple ement separat te AD DS domains.

Dedicated roo ot domain: It is best practice e to separate t he AD DS fore est root domai in from the da ay-toicated day AD DS se erver usage. Th his model is sometimes refer rred to as an e mpty root dom main or a dedi root domain. Other variants are the peer-root domain, and the desig gnated domain n.

Configurin ng Advanced Window ws Server 2012 Ser rvices

The AD DS forest root do omain has two groupsthe Schema Admi ns group and the Enterprise e Admins gro oupthat do not n exist in any y other domai in in the AD D DS forest. Becau use these grou ups have far-reaching rights in the AD DS forest, , you may wan nt to restrict th he use of these e groups by on nly using the AD DS forest root domain to store them. In early y implementati ions of Active Directory, this s model was often referred r to as the t empty root domain mod del. Compliance e: It may be de esirable to hav ve all active do omains at the s same level in t the namespace e, so that your organization ca an utilize the empty e root dom main model. In n certain organizations, it may be unacceptab ble to have diff ferent division ns in the same AD DS domain. The reason for this is that t the Domain Ad dmins in any AD DS domain have full cont rol over every object in the domain, and t this may violate certain corporate security policies. For examp ple, different de epartments wi ithin an organization may be req quired for legal compliance reasons r to not t be in the sam me AD DS dom main. In that case, there is the e need to at lea ast to create a separate AD D DS domain for r each departm ment, if not a s separate AD DS forest. Resource domains: For co ompanies that have made th he decision to utilize multiple domains, it m might be more ap ppropriate to provide p separa ate resource do omains for res sources shared across the oth her domains.

MCT USE ONLY. STUDENT USE PROHIBITED


8-5

Why W Implement Multiple Fores sts?


Organizations O may m sometime es require that their AD DS design comprises more e than one for rest. Th here are severa al reasons why y one AD DS fo orest may m not be suff ficient: Security: If your organization requires isolated security, the en you should d implement a separate AD D DS forest. Th he AD DS fores st root domain has s the Schema Admins A and Enterprise Admins A groupswhich can affect all the dom mains in the AD D DS forest. Separate AD DS forests are often deployed d by governmen nt defense contractors and other o organizatio ons where the isolation of security is a requ uirement.

Schema mo odifications: Within W your ent terprise, there may be organ nizational grou ups that need s separate control of their t Active Dir rectory schema. Because the e schema is sha ared between the domains, multiple en ntities within a common fore est must agree to those chan nges, which mi ight take a larg ge amount tim me, or not be possible. p There efore, you may y need to deplo oy different fo orests for those e groups.

Security bo oundaries: If tw wo or more ind dependent org ganizations want to share res sources, but ar re not in a position where w they are e prepared to trust t the doma ain administra ators of the partners organiz zations, then separa ate forests are needed. Havin ng an AD DS s structure with multiple fores sts provides sec curity rces, they rely on manually boundaries s. Although do omains in different forests ca an share resour implemente ed trust relatio onships and ad dditional admi inistration. Eac ch forest maint tains its own is solated security dat tabases and ru ules. Politics: Som me countries have h strict controls over the ownership of enterprises within the count try. Having a se eparate AD DS S forest may pr rovide the adm ministrative iso olation to meet that need.

MCT USE ONLY. STUDENT USE PROHIBITED

8-6

Implementing Distributed Activ ve Directory Domain Services Deployment ts

Note: The global g catalog is available on nly within a sin ngle forest, so that when the ere is reso ource sharing between b more e than one fore est, there will b be directory lo ookups in two or more glob bal catalogs. ce: As a best practice, p choos se the simplest t design that a achieves the re equired Best Practic goa al, as it will be less l costly to im mplement and d more straigh htforward to ad dminister.

DN NS Require ements for r Complex x AD DS En nvironmen nts

For an AD DS dom main to functio on, it requires DNS. There are many operations that t rely on DNS look kups in order to t take place. Name resolution is one e of the origina al uses for Dom main Name System. With name resolu ution, clients ca an connect to serv vice points by using the DNS S name, which reso olves to an IP address. a Howe ever, because so s man ny operations involve connecting to an AD D DS dom main controller r that offers a particular serv vice. AD DS requires se ervice (SRV) res source records s. If a user r wants to log on to their AD D DS user acco ount, then n their system uses DNS look kups to find SR RV reco ords for a dom main controller that is running the Kerbero os service. Whe en AD DS dom main controllers s need to communicate with each h other, they use u SRV record ds in DNS. If th he AD DS fores st contains mo ore than n one domain, , then it is imp portant to ensu ure that DNS lo ookups are suc ccessful for res sources that are in a diffe erent domain from the DNS resolver (the client c perform ming the DNS lo ookup). There are several important con nfiguration are eas that you ne eed to address s when deploy ying a DNS stru ucture to support a complex AD DS en nvironment:

DNS Client co onfiguration: Configure C all co omputers in th he AD DS dom main with at lea ast two addres sses of functional DN NS servers. All computers mu ust have good network conn nectivity with D DNS servers. Servers will usually be e configured statically, thus you should mo onitor their ne etwork configu uration and reconfigure as a necessary to o meet any cha anges in the in nfrastructure. IP Address Management (IP PAM) monitoring: A recomm mended option n is to use IPAM M to monitor the IP addressing, and the correct in the AD DS f t functioning and a availability y of DNS and D DHCP servers i forest. IPAM is new in i Windows Se erver 2012, and d it allows the central monit toring, reportin ng, and administration of decentralized DHCP and DNS service es. When you a are installing IP PAM, you cann not install it on a domain controller, only on a domain mem mber server. Event escalati ion options: If you have a monitoring solu ution such as M Microsoft Syst tem Center 20 012 Operations Manager, M ensur re that the eve ents raised by I IPAM are esca alated in your g global monitoring tions as a mon solution. IPAM M will not prov vide the same escalation opt nitoring infrast tructure (for example, notifications).

Verification: Verify V that all of o your compu uters, including g domain cont trollers, are ab ble to perform successful DN NS lookups for key resources s. Apart from r routine name r resolution for host to IP resolutions, all computers must m be able to o locate the SR RV records for r domain contr rollers in the A AD DS domain and the t AD DS fore est.

Som me of the ways s to enable suc ccessful DNS lo ookups within a multi-doma ain AD DS envi ironment are:

CL1, the DNS resolver in the adatum.com m DNS domain can perform s successful que eries for DNS records in the e DNS domain n adatum.com by contacting DNS 1. This is s because DNS S 1 stores the z zone file for the ad datum.com DN NS domain. If DNS D 1 receives s a DNS query for a node ou utside of the lo ocal

Configuring Advanced Windows Server 2012 Services

DNS domain, and if DNS 1 does not have the answer already cached in memory, it will by default contact a DNS server from the Internet root DNS domain by using the root level hints configured by default on the DNS server.

In order to speed up this process, you can configure DNS 1 to forward any queries that it cannot resolve by itself to one or more specific DNS servers. In this case, it could forward any query that it cannot resolve by itself to the DNS server for the Internet Service Provider (ISP). DNS 1 will utilize the fact that DNS-ISP will have cached a large number of DNS lookup replies and can answer (nonauthoritatively) out of memory. In a multi domain setting, you can configure DNS servers that receive DNS queries that they are unable to resolve themselves, to forward these queries to other DNS server in the network. By using forwarding, DNS servers can forward all their Internet DNS queries through a central DNS server, which streamlines the process and speeds up the resolution time. This can greatly reduce the DNS resolution traffic through the firewall.

MCT USE ONLY. STUDENT USE PROHIBITED


8-7

If there are one or more separate DNS namespaces within your organization than can only be resolved by internal corporate DNS servers, you can facilitate this process by configuring conditional forwarders. The slide shows a separate DNS namespace for fabrikam.net, with its own DNS server, DNS 4. DNS 1 can be configured with a conditional forwarder so that queries for records in the fabrikam.net DNS namespace are directed to DNS 4, and all other queries are still forwarded to the ISP-DNS server. When there is a DNS domain that is lower in the DNS namespace (for instance the atl.adatum.com domain), you must configure the DNS servers for the parent DNS domain to enable DNS resolution for DNS records in the child domain. By default, DNS 1 has no knowledge of DNS 2. A delegated domain record in DNS creates a special subdomain in the adatum.com DNS domain that lists one or more DNS servers that store DNS records for the atl.adatum.com DNS domain. In this case, it will enable DNS 1 to pass DNS queries for atl.adatum.com to DNS 2

Another option to allow DNS resolution in a disjointed DNS domain environment is to use a secondary zone. In this example, DNS 1 will store a complete read-only copy of all the records in the unix.net DNS zone. Because the records in the unix.net zone are updated regularly, the secondary zone will contain an up-to-date copy of all of the records in the unix.net DNS zone. In a large organization, this may involve a large amount of replication traffic, and if that traffic has a detrimental effect on network connections, then it may not be the optimum solution. Note that in this scenario, there will be virtually no DNS lookup traffic over the network to DNS 3, but there will be regular zone transfer traffic.

The stub zone is another option for this case. The stub zone is a special type of secondary zone that only stores read-only records for the DNS servers in the remote DNS domain. However, like a standard secondary zone, the records are updated on a regular basis. The stub zone contains only the DNS records for the DNS server names and their IP addresses. This solution will often be the preferred option, because although there will be DNS lookup traffic over the network link, the stub zone update traffic will be low, and it may be a better solution.

Note: Forwarders, conditional forwarders, and delegation are set up by an administrator, and point to IP addresses of one or more DNS servers. These are entered manually, but the DNS servers to which they refer may have changes and these will not update the DNS records automatically. If you decide to use delegation, forwarding, or conditional forwarding, then there will need to be a system for regularly checking that the IP addresses entered for those server referrals are still valid. This would not be necessary if you use stub zones as the solution, because they are regularly updated with fresh information.

MCT USE ONLY. STUDENT USE PROHIBITED

8-8

Implementing Distributed Activ ve Directory Domain Services Deployment ts

Op ptions for Upgrading U g and Coex xistence w with Previo ous AD DS Versions
If yo our current AD D DS environm ment is running g on Win ndows Server 2003 2 or Windo ow Server 2008 8 leve el AD DS doma ain controllers, , you may wan nt to consider upgradin ng to Window Server 2012. AD DS has new fe eatures that are e available onl ly in AD DS domains ru unning at Window Server 20 012 leve el. If yo ou decide to upgrade your existing e AD DS S dom main controller rs, you can upg grade them in n plac ce if they are running Windo ows Server 200 08 or Win ndows Server 2008 2 R2. Howe ever, you cannot upg grade previous s versions in place. There are three op ptions for upg grading your Active A Directory y domain cont trollers: 1.

r 2012. This op Upgrading th he existing AD DS domain co ontrollers to W Windows Server ption involves performing an in-place upg grade. The exis sting AD DS do omain control llers will be up pgraded directly to Windows Serv ver 2012. If the e AD DS forest t functional lev vel is lower tha an Windows S Server 2012 lev vel then some schema upgrade es will need to o be made befo ore starting th he upgrade of the operating systems. The version of Serv ver Manager that t comes wit th Windows Se erver 2012 is able to detect t the schema upda ates that are ne ecessary, and will w update the e schema as pa art of the Serv ver Manager A AD DS Installation wizard. w Joining one or o more Windo ows Server 201 12 servers to th he AD DS dom main, and prom moting them to o be AD DS domai in controllers. The Windows Server 2012 s ervers will be able to join th he domain, but t before they can c be promoted to AD DS domain d contro ollers, there wil ll be some schema updates t that need to be pe erformed. Aga ain, the Server Manager AD D DS Installation n wizard will pe erform automatically y. The AD DS domain d and forest functiona l levels must b be at least Win ndows Server 2 2003 Native mode. .

2.

3.

This third opt tion does not immediately i ra aise the AD DS S domain to W Windows Server 2012, but rel lies on introducing one o or more AD DS domains s that are runn ning Windows Server 2012. In this scenario o, one or more AD DS D domains fro om another pa art of the fores st or even a different forest w will be connec cted l allow the diff to the origina al domain with h trust relationships. This will ferent AD DS d domains to coexist and share res sources. At som me point in the e future, they c can be consoli idated into on ne or more AD DS domains runn ning at the Windows Server 2012 level.

Configuring Advanced Windows Server 2012 Services

MCT USE ONLY. STUDENT USE PROHIBITED


8-9

Lesson 2

Deploying a Distributed AD DS Environment

This lesson outlines different ways to install an AD DS domain, and describes the different functional levels of AD DS domains and forests. In this lesson, you will learn about some of the important points that you must address when deploying a complex AD DS environment, and you will see how to upgrade from a previous version of AD DS.

Lesson Objectives
After completing this lesson, you will be able to: Explain how to install a domain controller in a new domain in a forest. Describe AD DS domain functional levels. Describe AD DS forest functional levels. Explain how to upgrade a previous version of AD DS to a Windows Server 2012 version. Explain how to migrate to Windows Server 2012 AD DS from a previous version. Describe some important considerations for implementing a complex AD DS environment.

Demonstration: Installing a Domain Controller in a New Domain in a Forest


In this demonstration, you will see how to install a domain controller in a new domain in a forest.

Demonstration Steps Configure LON-SVR1 as an AD DS Domain Controller in atl.adatum.com


1. 2. 3. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. On LON-DC1, in Server Manager, use the AD DS Installation Wizard to remotely install AD DS on LON-SVR1.

Use the AD DS Installation Wizard to install and configure LON-SVR1 as an AD DS domain controller in a new domain, atl.adatum.com.

Access LON-SVR1 as Adatum\Administrator


1. 2. Select options to install DNS and global catalog, and set the password for the Directory Services Restore Mode administrator account.

Reboot and log on as Adatum\Administrator with the password Pa$$w0rd, on the newly created AD DS domain controller LON-SVR1.

MCT USE ONLY. STUDENT USE PROHIBITED

8-10 Implemen nting Distributed Active Directory Domain n Services Deployments

AD D DS Doma ain Functio onal Levels


AD DS domains ca an run at diffe erent functiona al leve els. Generally, upgrading u the e domain to a high her functional level will intro oduce addition nal feat tures. Some of the domain fu unctional levels are liste ed in the follow wing table.

Do omain functio onal lev vels Windows W 2000 Server na ative

Fe eatures Universal gro oups Group nestin ng ntifier (SID) hist tory Security iden

nstall Domain n Controllers from Media In In nstall from Me edia allows the e installation of f an AD DS do omain controlle er without w impact ting the netwo ork connection n, because mos st of the new A AD DS database d is rest tored locally fr rom an ntdsut til backup on a USB drive or DVD. In nstall from Me edia could also o be accessed o over the netwo ork when the network n is not busy. Once the e new AD DS d domain contro oller is installed and re ebooted, it wil ll use the netw work to retrieve e AD DS origin nating updates s that were w made sinc ce the ntdsutil backup was m made. This will be a small am mount of o replication, unless u there ha ave been many updates to the e y originating u AD A DS database, which the n new AD DS dom main controlle er needs to bring up to o date. Note: Wi indows Server 2012 domain controllers cannot be installed in a domain running at Window ws 2000 Server r native level.

Windows W Server 2003

LastLogonTi imestamp att ribute remem bers time of la ast domain log gon for users, and d replicates thi ontrollers in th he is to other AD DS domain co AD DS doma ain.

akes it possible for applications to take Constrained Delegation ma f the secure de elegation of us ser credentials s by using Kerb berosadvantage of based authen ntication. lows you to sp pecify the users and groups t that Selective authentication all t authenticate e to specific re esource servers s in a trusting are allowed to forest.

e DNS zones in n application p partitions, which allows them m to You can store be replicated d on domain co ontrollers that t are also DNS servers in the domain, or even across the e forest.

utes and other r multi-valued attributes are e replicated at the Group attribu attribute leve el, instead of th el. In previous v versions of AD D DS, he object leve group memb bership was co onsidered part of the object, and the group p his meant that would be rep plicated as a si ngle object. Th t if two administrators changed the e membership p of the same g group in the same replication pe eriod, the last write would w win. The first ch hanges made w would be lost, because the new ve ersion of the g group would replace the pre evious

MCT USE ONLY. STUDENT USE PROHIBITED


8-11

Configuring Advanced Windows Server 2012 Services

Domain functional levels

Features

one entirely. With multivalued replication, group membership is treated at the attribute level, and therefore all originating updates are merged together. This also greatly reduces the replication traffic that would occur. An additional benefit from this is the removal of the previous group membership restriction that limited the maximum number of members to 5,000. Windows Server 2008 Distributed File System Replication (DFS-R) is available as a more efficient and robust file replication service for the SYSVOL folders. DFS-R can replace the file replication service NT File Replication Service (NTFRS). A large amount of interactive logon information is stored for each user, instead of just last logon time.

Fine-grained password settings allow account policies to be set for users and groups, which replaces the default domain settings for those users or group members. Personal virtual desktops are available for users to connect to, by using RemoteApp and Remote Desktop.

Advanced Encryption Services (AES 128 and 256) support for Kerberos is available. Read-only domain controllers (RODCs) provide a secure and economic way to provide AD DS logon services in remote sites, without storing confidential information such as passwords in untrusted environments.

Group and other multivalue attributes are replicated on a per-value level, instead of being replicated together (which removed the limit of 5,000 users per group). Windows Server 2008 R2 Authentication mechanism assurance, which packages information about a users logon method, can be used in conjunction with application authenticationfor example, with Active Directory Federation Services (AD FS). In another example, a user logging on by using a smart card can be granted access to more resources than when they log on with a username and password.

Managed services accounts allow account passwords to be managed by the Windows operating system, and provide service principal name (SPN) management. Windows Server 2012

Instead of the Windows PowerShell command-line interface, you can use Server Manager for setting up and managing the AD DS Recycle Bin. In Windows Server 2008, fine-grained password settings were complicated to set up and deploy. In Windows Server 2012, you can use Server Manager to deploy and manage these settings more conveniently. Support for Dynamic Access Control and Kerberos armoring

Note: Generally, you cannot roll back AD DS domain functional levels. However, in Windows Server 2012 and Windows Server 2008 R2, you are able to roll back to a minimum of Windows Server 2008, as long as you do not have optional features (such as the Recycle Bin) enabled. If you have implemented a feature that is only available in a higher domain functional level, you cannot rollback to an earlier state.

MCT USE ONLY. STUDENT USE PROHIBITED

8-12 Implemen nting Distributed Active Directory Domain n Services Deployments

Additional Reading: To learn l more about the AD DS S domain functional levels, refer to the follo owing link: http p://technet.mic crosoft.com/en n-us/library/un nderstanding- active-directo ory-functionalleve els(v=ws.10).as spx

AD D DS Forest Function nal Levels


The AD DS forest can run at diff ferent function nal leve els, and someti imes raising th he AD DS fores st func ctional level makes m additional features avai ilable. The most noticeable additional a feat tures com me with the up pgrade to a Windows Server 2003 fore est functional level. Additional features tha at are mad de available with Windows Server S 2003 inc clude: Forest Trusts: AD DS forests s can have trus sts set up between them, t which en nables resourc ce sharing. There e are full trusts and selective e trusts. Linked-value replication: Th his feature improved Windows 2000 Se erver replicatio on, and impro oved how grou up membership p was handled d.

Improved AD D DS replication n calculation algorithms: a Kno owledge Cons sistency Check ker (KCC) and intersite topo ology generato or (ISTG) use im mproved algor rithms to spee d up the calcu ulation of the A AD DS replication infrastructure, and provide mu uch faster site link calculatio ons. Support for Read R Only Dom main Controlle ers (RODCs). RO ODCs are supp ported at the W Windows Serve er 2003 forest fu unctional level l. The RODC must m be runnin g Windows Se erver 2008 or later. Conversion of inetOrgPerso on objects to user u objects. Yo ou can conver rt an instance o of an inetOrgPerson object, used d for compatibility with certa ain non-Micros soft directory s services, into a an instance of class user. You can c also conve ert a user objec ct to an inetOrgPerson obje ect. Deactivation and redefiniti ion of attribute es and object classes. Althou ugh you canno ot delete an attribute or object o class in the t schema at the Windows Server 2003 fu unctional level, you can deactivate or redefine attrib butes or objec ct classes.

The Windows Serv ver 2008 fores st functional le evel does not a add new forest t-wide feature es. The Window ws Serv ver 2008 R2 fo orest functional level adds the Active Direc ctory Recycle B Bin feature. This feature allow ws the ability to restore deleted d Active Directory objects. Alth hough the Win ndows Server 2008 2 R2 AD DS S forest functio onal level intro oduced AD DS S Recycle Bin, t the Recy ycle Bin had to o be managed d with Window ws PowerShell. However, the version of Rem mote Server Adm ministration To ools (RSAT) tha at comes with Windows Serv ver 2012 has th he ability to m manage the AD D DS Recy ycle Bin by usi ing GUI tools. Whe en you raise th he forest funct tional level, you limit possibl e domain func ctional levels f for domains th hat you add to the forest. For exam mple, if you rais se the forest fu unctional level to Window Se erver 2012, yo ou cannot add a new w domain runn ning at Window ws Server 2008 8 R2 domain fu unctional level.

MCT USE ONLY. STUDENT USE PROHIBITED


8-13

Configuring g Advanced Windows s Server 2012 Serviices

Upgrading U a Previous Version of AD DS t to Window ws Server 2012


To o upgrade a previous version ns of AD DS to o Windows W Server 2012 AD DS , you can use either of f the following g two methods s: Upgrade th he operating sy ystem on the existing e domain con ntrollers to Windows Server 2012. Introduce Windows W Serve er 2012 servers s as domain con ntrollers in the e existing domain. You can the en decommiss sion AD DS domain controllers running earlie er versions of AD A DS.

Of O these two methods, the se econd is prefer rred, be ecause there will w be no old or o disused cod de and fil les remaining. Instead, you will w have a clea an installation of the Window ws Server 2012 2 operating sy ystem an nd AD DS data abase.

Upgrading U to o Windows Server 2012

To o upgrade an AD DS domain n from Window ws Server 2008 8 functional le evel to Window ws Server 2012 2 fu unctional level, , you must first upgrade all the t domain co ontrollers from m the Window Server 2008 op perating system to the Wind dows Server 20 012 operating system. You c can achieve thi is by upgradin ng all of th he existing dom main controlle ers to Windows s Server 2012, or by introduc cing new dom main controllers s ru unning Window ws Server 2012 2, and then ph hasing out the existing doma ain controllers s. Th here is no reas son to prevent t Windows Serv ver 2012 serve ers from being g part of a Win ndows Server 2 2008 do omain. Howev ver, before you u can install the first domain controller tha at is running W Windows Serve er 2012, yo ou must upgra ade the schema. In versions of o AD DS prior r to Windows Server 2012, y you would run the ad dprep.exe tool l to perform th he schema upg grades. In a W Windows Server r 2012 environ nment, the Active Directory Doma ain Services Ins stallation Wiza ard that is inclu uded in Server r Manager inco orporates the co ommands nece essary to upgr rade the AD DS forest schem ma. Note: Win ndows Server 2012 still prov vides a 64-bit v version of ADP Prep, so you ca an run Adprep.exe separately. For ex xample, if the administrator a i installing the f first Windows Server 2012 do omain controller is not a me ember of the Enterprise E Adm mins group, the en you might need to run th he command separately. s You u only have to run adprep.ex xe if you are planning to do an in-place up pgrade for the e first Windows Server 2012 domain contro oller in the do omain.

The T Upgrade e Process


1. . 2. . 3. . Insert the in nstallation disk k for Windows s Server 2012, a and run Setup p. After the language select tion page, sele ect Install now w.

To o upgrade the e operating sys stem of a Wind dows Server 20 008 domain co ontroller to Windows Server 2012:

After the op perating system selection wi indow and the e license accep ptance page, o on the Which t type of installation do you want? ? window, choo ose Upgrade: Install Windo ows and keep p files, setting gs, and apps.

With W this type of o upgrade, AD D DS on the do omain controll ler is upgraded d to Windows Server 2012 A AD DS. . As a best practice, you should d check for har rdware and so ftware compa tibility before doing an upgrade. Fo ollowing the operating o syste em upgrade, re emember to u pdate your dr rivers and othe er services (suc ch as monitoring m age ents), and chec ck for updates for both Micro osoft applicati ions and non-Microsoft softw ware.

MCT USE ONLY. STUDENT USE PROHIBITED

8-14 Implemen nting Distributed Active Directory Domain n Services Deployments

The e Clean Inst tallation Pro ocess


To introduce a cle ean install of Windows W Serve er 2012 as a do omain membe er: 1. 2. Deploy and configure c a new w installation of o Windows Se erver 2012, and then join it t to the domain n. Promote the new server to be a domain controller c in th he domain by using Server M Manager.

c upgrade directly d from Windows W Serve r 2008 and Wi indows Server 2008 R2 Note: You can to Windows W Serve er 2012. To upgrade servers that are runni ng a version o of Windows Se erver that is olde er than Windo ows Server 2008, you must ei ither perform an interim upg grade to Wind dows Server 2008 or Windows Server 2008 R2, R or perform a clean install l. Note that W Windows Server r 2012 AD DS domain co ontrollers are able a to coexist as domain co ntrollers in the e same domain n as Win ndows Server 2003 2 domain controllers c or newer. n

Migrating to o Windows s Server 20 012 AD DS S from a Previous Ve ersion


As part p of deployi ing AD DS, you u might choos se to restructure your environment e fo or the followin ng reas sons: To optimize the t arrangeme ent of element ts within the log gical Active Directory structu ure. To assist in co ompleting a bu usiness merger, acquisition, or o divestiture.

Rest tructuring invo olves the migration of resources betw ween AD DS domains d in eith her the same fo orest or in n different fore ests. After you deploy AD DS S, you mig ght decide to further reduce the complexit ty of your environment t by either rest tructuring AD D S domains b between AD D DS forests or re estructuring dom mains within a single AD DS forest. You u can use the la atest version of o the Active Directory D Migra ation Tool to p perform object t migrations an nd secu urity translatio on as necessary y, so that users s can maintain n access to netw work resource es during the mig gration process s.

Pre e-Migration n Steps


Befo ore performing g the migratio on, you must perform severa l tasks to prep pare the source e and target dom mains. These ta asks include:

For domain member m computers that are pre-Windows Vista Service e Pack 1 (SP1) or Windows Server 2008 R2, conf figure a registry on the targe et AD DS dom main controller to allow crypt tography algorithms th hat are compat tible with the Microsoft M Win dows NT Ser rver 4.0 operat ting system.

Enable firewa alls rules on source and targe et AD DS dom ain controllers s to allow file a and printer sha aring.

Prepare the source and targ get AD DS dom mains to mana age how the users, groups and user profile es will be handled. Create a rollb back plan. Establish trust t relationships s that are required for the m igration. Configure sou urce and targe et AD DS doma ains to enable SID History m migration. Specify servic ce accounts for r the migration n.

MCT USE ONLY. STUDENT USE PROHIBITED


8-15

Configuring g Advanced Windows s Server 2012 Serviices

Perform a test t migration, , and fix any er rrors that are r reported.

Migration M St teps

When W you are confident c that all pre-migrat tion steps have e been comple eted, you can c complete the migration. m During this process, you will mig grate user acco ounts, group accounts and c computer acco ounts to th he new domain n. You will also o assign permissions to netw work resources using the accounts in the n new do omain.

Post-Migrati P ion Steps

Th he new accoun nts (SIDs) will still s have acces ss to resources s, because they y retain an attribute called S SID History H . For exa ample, a user uses u a new use er account to a attempt to acc cess a resource e to which the ey had ac ccess with thei ir old account. . Instead of the e user being d enied because e their SID is not referenced in the pe ermissions, the ey can present t their previous SID by using the SID Histo ory attribute. T The migration tools ca an re-permit th he resources so the new SIDs are entered into the perm issions on the resource, and the old SI ID can be remo oved. Once O you have tested everyth hing and verified that it is wo orking in the n new AD DS do omain, you can n de ecommission the t old domain controllers. Note: The e entire proces ss may involve e running the m migration seve eral times. For example, the ounts profile m us ser accounts would w be migra ated early in th he process, bu ut the user acco migration would w be accom mplished in another pass of the t migration tool. Additiona al Reading: Download D the Active A Directo ry Migration T Tool version 3.2 from ht ttp://www.mic crosoft.com/en n-us/download d/details.aspx? ?id=8377. Yo ou can downlo oad the Active e Directory Mig gration Tool G uide from ht ttp://www.mic crosoft.com/en n-us/download d/details.aspx? ?id=19188.

Considerat C ions for Im mplementi ing a Complex AD D DS Environment


Be efore impleme enting a complex AD DS en nvironment, it is important to t consider im mplications of the design if the deploymen nt is to be e successful. With W proper pla anning, you ca an de esign an AD DS D model to pr rovide the ad dministrative and a security re equirements fo or your or rganization.

MCT USE ONLY. STUDENT USE PROHIBITED

8-16 Implementing Distributed Active Directory Domain Services Deployments

Some of the key points for consideration are listed in the following table. Scenario More than one AD DS forest? More than one AD DS tree? Number of AD DS domains DNS namespace design DNS resolution for host records and SRV records OUs Number and location of AD DS domain controllers Sites and replication topology Key Points to Consider Security, politics, multiple schemas, administrative separation Multiple namespaces, acquisition, merger Security, politics, administrative separationfor example, different departments in a governmental organization Must support the proposed AD DS domain structure Must support resolution throughout the organization Structure to support administrative delegation and Group Policy deployment Number of active accounts, network bandwidth, AD DS services availability, AD DS replication traffic AD DS replication requirements, network bandwidth, slow links, application support

Note: Details are discussed earlier in this module, and more information is available in Module 9.

AD DS Forest Root Domain


Each new AD DS forest starts with an AD DS forest root domain. This root domain has some unique features that do not exist in any other AD DS domain in the AD DS forest, including the following: The Schema Operations Master The Domain Naming Master The Schema Admins group The Enterprise Admins group

For this reason, the AD DS forest root domain must be treated with extra caution, particularly as the Enterprise Admins group and the Domain Admins group in the AD DS forest root domain have full control over every AD DS domain and object in the entire AD DS forest.

DNS Services

You should configure DNS services at the beginning of the deployment process, as all subsequent operations will depend on DNS functioning correctly. This also means that all computers should be configured with the IP addresses of at least two DNS servers so that they can successfully perform DNS lookups. In a complex environment, it will be necessary to decide how to make DNS records accessible to DNS resolvers (client computers).

Trust Relationships
You will also need to consider trust relationships for several reasons, such as: Enabling authentication between AD DS domain and external domains or realms.

MCT USE ONLY. STUDENT USE PROHIBITED


8-17

Configuring Advanced Windows Server 2012 Services

Enabling authentication between AD DS forests (forest trustscomplete or selective). Facilitating fast and reliable authentication traffic between AD DS domains in the same forest (shortcut trusts).

Multiple UPN Suffixes

Multiple User Principal Name (UPN) suffixes may be required to allow users to log on to their user accounts using an email account name from a different DNS namespace. For example, a user named Holly in the adatum.com AD DS domain could log on to that user account by using a UPN such as holly@fabrikam.com.

MCT USE ONLY. STUDENT USE PROHIBITED

8-18 Implemen nting Distributed Active Directory Domain n Services Deployments

Lesson 3

Config guring AD A DS Trusts T

This s lesson examines trust relati ionships and how h they provi ide functionali ity for accessin ng resources and logg ging on to the e domain. Ther re are several types t of trust r relationships, a and this lesson n describes the em in turn n. Whe en an AD DS multi-domain m forest f is create ed, then trusts are automatic cally created to o link all of the e ide AD DS domains in n the AD DS fo orest. In additio on, there are o other trusts tha at you can esta ablish to provi add ditional functio onality. These trusts t include shortcut, s exter rnal, realm, and d forest trusts. .

Les sson Objecti ives


Afte er completing this lesson you u will be able to: t s that can be configured in a Windows Ser rver 2012 environment. Describe the types of trusts Explain how trusts t work wit thin an AD DS forest. Explain how trusts t work bet tween AD DS forests. f Describe how w to configure advanced trus st settings. Describe how w to configure a forest trust.

Ov verview of Different AD DS Tru ust Types


In a multi-domain n AD DS forest t, two-way tran nsitive trus st relationships s are generated d automaticall ly betw ween the AD DS D domains, so o that there is a path h of trust betw ween all of the AD DS domains. These trusts are ca alled parent-child trusts. The e trus sts that are aut tomatically cre eated in the forest are all transitive tr rusts. That mea ans that if A tr rusts B, and B trusts C, then A trusts C. C However, th his may y not be the most m efficient way w to provide an auth hentication connection betw ween all of the AD DS domains, and a you can im mprove perf formance by setting up shor rtcut trusts.

There are other ty ypes of trust th hat you can de eploy. For exam mple, you can set up a realm m trust with a n nonMicrosoft organiz zation that is ru unning Kerber ros V5 and Win ndows NT 4.0 domains can b be connected by usin ng an external trust. The follo owing table sh hows the main trust types. Trust type Pa arent and ch hild Tr ree-root Transitivity y Transitive Dire ection Two o-way Description n When a ne ew AD DS dom main is added to new parent and d an existing AD DS tree, n s are created. child trusts When a ne ew AD DS tree is created in a an D DS forest, a n new tree-root existing AD trust is crea ated. External tru usts enable res source access t to be granted d with a Windo ows NT 4.0 domain or an AD DS dom main in anothe er

Transitive

Two o-way

Ex xternal

Non-trans sitive

One e-way or two o-way

MCT USE ONLY. STUDENT USE PROHIBITED


8-19

Configuring g Advanced Windows s Server 2012 Serviices

Trust T type

Transitiv vity

Di irection

Descriptio on forest. Th hese may also be set up to provide a framework fo or a migration n.

Realm

Transitiv ve or non-transitive Transitiv ve

One-way O or tw wo-way One-way O or tw wo-way One-way O or tw wo-way

Realm tru usts establish a an authenticat tion path betw ween a Windo ows Server AD DS domain a and a Kerberos V5 realm. Trusts be etween AD DS forests allow t two forests to o share resourc ces. Shortcut trusts improve e authenticatio on times bet tween AD DS domains that are in differe ent parts of an AD DS forest.

Forest (Complete or Selective) Shortcut

Transitiv ve

How H Trusts s Work Within a Fore est


When W you set up u trusts betwe een domains either e within w the same e forest, across s forests, or wit th an ex xternal realm, information ab bout these trusts is st tored in AD DS S so you can re etrieve it when n ne ecessary. A tru usted domain object o stores this in nformation. Th he trusted dom main object sto ores informatio on ab bout the trust such as the tru ust transitivity and ty ype. Whenever r you create a trust, a new tr rusted do omain object is i created and stored in the System co ontainer in the e trusts domai in.

How H Trusts Enable E User rs to Access Resources in a Forest

When W a user att tempts to acce ess a resource in another do main, the Kerb beros authenti ication protocol must de etermine whet ther the trustin ng domain has s a trust relatio onship with th e trusted dom main. To o determine th his relationship p, the Kerberos V5 protocol travels the tru ust path, utilizin ng trust inform mation an nd DNS lookup ps to obtain a referral to the e target domai ins domain co ontroller. The t target domain co ontroller issues s a service tick ket for the requ uested service.. The trust pat h is the shorte est path in the trust hi ierarchy.

When W the user in the trusted domain attem mpts to access t the resource in n the other do omain, the users co omputer first contacts c the do omain controller in its doma ain to get auth hentication to the resource. I If the re esource is not in the users domain, the do omain controlle er uses the tru ust relationship p with its paren nt, and re efers the users s computer to a domain controller in its pa arent domain. This attempt to locate a res source ot domain, an co ontinues up th he trust hierarc chy, possibly to o the forest roo nd down the tr rust hierarchy, until co ontact occurs with w a domain n controller in the t domain w here the resou urce is located.

MCT USE ONLY. STUDENT USE PROHIBITED

8-20 Implemen nting Distributed Active Directory Domain n Services Deployments

Ho ow Trusts Work W Betw ween Fores sts


If th he AD DS envir ronment conta ains more than n one fore est, then it is possible to set up u trust relationships betw ween the AD DS D forest roots. . These forest trusts s can be either r complete tru usts or sele ective trusts. Fo orest trusts can n be one-way or two o-way. A single forest tru ust relationship p allows users who w are authenticated by a domain in one forest to t acce ess resources that t are in the other forest, as a long g as they have e been granted d access rights. . If the forest trust is one-way, dom main controller rs in the trusting forest t can authentic cate users in any dom main in the trusted forest. Fo orest trusts are significantly e easier to estab blish, maintain, and administe er than n separate trus st relationships between eac ch of the doma ains in the fore ests.

Fore est trusts are particularly p use eful in scenario os that involve e cross-organiz zation collabor ration or merg gers and acquisitions, or o within a single organization that has m ore than one f forest in which h to isolate Act tive Dire ectory data and services. For rest trusts are also a useful for application se ervice provider rs, for collabor rative business extranets s, and for com mpanies seeking g a solution fo or administrativ ve autonomy. Fore est trusts provide the followi ing benefits: Simplified ma anagement of resources acro oss two Windo ows Server 200 08 forests by re educing the number of ex xternal trusts necessary n to sh hare resources.. Complete two o-way trust relationships wit th every doma ain in each fore est. Use of UPN authentication a across two for rests. Use of both the Kerberos V5 V protocol and d NTLM authe entication prot tocols to impro ove the trustworthine ess of authoriza ation data that is transferred d between fore ests. Flexibility of administration a n. Administrativ ve tasks can be e unique to ea ach forest.

In AD A DS in Windows Server 2008, you can lin nk two Window ws Server 2003 3 or Windows Server 2008 fo orests toge ether to form a one-way or two-way trust relationship. Y You can use a two-way forest trust to form ma tran nsitive trust relationship betw ween every domain in both f forests.

You u can create a forest f trust only between tw wo AD DS fores sts, and you ca annot extend t the trust implic citly to a third forest. This T means tha at, if you create e a forest trust t between Fore est 1 and Fore est 2, and you c create a fo orest trust betw ween Forest 2 and a Forest 3, Forest F 1 does n not have an im mplicit trust with Forest 3. Fo orest trus sts are not tran nsitive. You u must address s several requir rements before you can imp plement a fore est trust, includ ding that the fo orest func ctional level must m be Windows Server 2003 or newer, an nd you must ha ave DNS name e resolution betw ween the fores sts.

MCT USE ONLY. STUDENT USE PROHIBITED


8-21

Configuring g Advanced Windows s Server 2012 Serviices

Configuring C g Advance ed AD DS Trust T Setti ings


In n some cases, trusts t can present security issues. Additionally, if you y do not configure a trust t properly, users who w belong to o another dom main can ga ain unwanted access to som me resources. There ar re several tech hnologies that you can use to o help co ontrol and manage security in a trust.

SID Filtering

By y default, when you establish h a forest or domain tr rust, you enabl le a domain qu uarantine, which is also known as SID S filtering. When W a user au uthenticates in n a trusted dom main, the user presents author rization data th hat includes th he SIDs of f all of the gro oups to which the t user belon ngs. Additional lly, the users a authorization d data includes S SIDs from other attributes of the user u and the us sers groups.

AD DS sets SID filtering by de efault to prevent malicious u users who have e access at the domain or en nterprise ad dministrator le evel in a trusted forest or domain, from gra anting (to the mselves or to other user acc counts in n their forest or domain) elev vated user righ hts to a trustin g forest or do omain. SID filte ering prevents misuse of f the attributes s that contain SIDs on securi ity principals ( (including Inet tOrgPerson obj bjects) in the tr rusted fo orest or domain. One commo on example of f an attribute t that contains a SID is the SID D history attrib bute (SIDHistory S ) on n a user account object. Dom main administr rators typically y use the SID h history attribut te to se eamlessly migr rate the user and group acco ounts that are held by a secu urity principal from one dom main to an nother. All SID D filtering activ vities occur in the t backgroun nd, and admini istrators do no ot need to exp plicitly co onfigure anyth hing unless the ey want to disa able SID filterin ng.

When W security principals p are created c in a do omain, the SID D of the princip pal includes th he domain SID, , so that yo ou can identify y in which dom main it was cre eated. The dom main SID is imp portant, becau use the Window ws se ecurity subsyst tem uses it to verify v the iden ntity of the sec urity principal, which in turn n determines w which do omain resourc ces the user can access.

Authenticati A on

When W you creat te an external trust or a fore est trust, you ca an manage the e scope of aut thentication of f trusted se ecurity principa als. There are two t modes of authenticatio n for an extern nal or forest tr rust: Selective au uthentication

Domain-wide authenticat tion (for an ex xternal trust) o r forest-wide a authentication n (for a forest t trust)

If you choose domain-wide or forest-wide authentication a n, this enables all trusted use ers to authenticate for se ervices and acc cess on all com mputers in the trusting doma ain. Trusted us sers can, theref fore, be given pe ermission to access resource es anywhere in n the trusting d domain. If you use this authe entication mod de, you must m have confidence in your r enterprises security s proced dures and in th he administrat tors who imple ement th hose procedure es that trusted d users will not t receive inapp propriate acces ss to services. Remember, fo or ex xample, that users from a tru usted domain or forest are c considered Aut thenticated Us sers in the trus sting do omain. Therefo ore, if you cho oose domain-w wide or forest- wide authentication, any res source that ha as pe ermissions gra anted to Authe enticated Users s is accessible immediately t to trusted dom main users.

If, , however, you u choose select tive authentica ation, all users s in the trusted d domain are t trusted identiti ies. However, they are a allowed to authenticate only for servic ces on comput ters that you specify. For exa ample, im magine that yo ou have an external trust with a partner or rganizations d omain. You want to ensure that on nly users from the partner organizations marketing m gro oup can access shared folder rs on only one of your many m file server rs. You can con nfigure selectiv ve authenticat tion for the tru ust relationship p, and then giv ve the tr rusted users the right to auth henticate only for that one f file server.

MCT USE ONLY. STUDENT USE PROHIBITED

8-22 Implementing Distributed Active Directory Domain Services Deployments

Name Suffix Routing

Name suffix routing is a mechanism for managing how authentication requests are routed across Windows Server 2008 forests and Windows Server 2003 forests that are joined by forest trusts. To simplify the administration of authentication requests, when you create a forest trust, AD DS routes all unique name suffixes by default. A unique name suffix is a name suffix within a forest, such as a UPN suffix, SPN suffix, or DNS forest or domain tree name that is not subordinate to any other name suffix. For example, the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com forest.

AD DS routes all names that are subordinate to unique name suffixes implicitly. For example, if your forest uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com (childdomain.fabrikam.com) are routed, because the child domains are part of the fabrikam.com name suffix. Child names appear in the Active Directory Domains and Trusts snap-in. If you want to exclude members of a child domain from authenticating in the specified forest, you can disable name suffix routing for that name. You also can disable routing for the forest name itself.

Demonstration: Configuring a Forest Trust

In this demonstration, you will see how to configure DNS name resolution by using a conditional forward. You will also see how to configure a two-way selective forest trust.

Demonstration Steps Configure DNS name resolution by using a conditional forwarder

Configure DNS name resolution between adatum.com and treyresearch.net by creating a conditional forwarder so that LON-DC1 has a referral to MUN-DC1 as the DNS server for the DNS domain treyresearch.net.

Configure a two-way selective forest trust

On LON-DC1, in Active Directory Domains and Trusts, create a two-way selective forest trust between adatum.com and treyresearch.net, by supplying the credentials of the treyresearch.net domain Administrator account.

MCT USE ONLY. STUDENT USE PROHIBITED


8-23

Configuring Advanced Windows Server 2012 Services

Lab: Implementing Complex AD DS Deployments


Scenario

A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in its London data center. As the company has grown and added branch offices with large numbers of users, it is becoming increasingly apparent that the current AD DS environment is not meeting company requirements. The network team is concerned about the amount of AD DS-related network traffic that is crossing WAN links, which are becoming highly utilized. The company has also become increasingly integrated with partner organizations, some of whom need access to shared resources and applications that are located on the A. Datum internal network. The security department at A. Datum wants to ensure that the access for these external users is as secure as possible.

As one of the senior network administrators at A. Datum, you are responsible for implementing an AD DS infrastructure that will meet the company requirements. You are responsible for planning an AD DS domain and forest deployment that will provide optimal services for both internal and external users, while addressing the security requirements at A. Datum.

Objectives
Implement child domains in AD DS. Implement forest trusts in AD DS.

Lab Setup
Estimated Time: 45 minutes 20412A-LON-DC1 20412A-TOR-DC1 20412A-LON-SVR1 20412A-MUN-DC1

User name: Adatum\Administrator Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: User name: Adatum\Administrator Password: Pa$$w0rd

5. 6.

Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-TOR-DC1. Start 20412A-MUN-DC1 and log on as Treyresearch\Administrator with the password of Pa$$w0rd.

MCT USE ONLY. STUDENT USE PROHIBITED

8-24 Implementing Distributed Active Directory Domain Services Deployments

Exercise 1: Implementing Child Domains in AD DS


Scenario

A. Datum has decided to deploy a new domain in the adatum.com forest for the North American region. The first domain controller will be deployed in Toronto, and the domain name will be na.adatum.com. You need to configure and install the new domain controller. The main tasks for this exercise are as follows: 1. 2. 3. Configure Domain Name System (DNS) for domain delegation. Install a domain controller in a child domain. Verify the default trust configuration.

Task 1: Configure Domain Name System (DNS) for domain delegation

On LON-DC1, open DNS Manager and configure a delegated zone record for na.adatum.com. Specify TOR-DC1 as the authoritative DNS server.

Task 2: Install a domain controller in a child domain


1. 2. On TOR-DC1, use Server Manager to install AD DS.

When the AD DS binaries have installed, use the Active Directory Domain Services Configuration Wizard to install and configure TOR-DC1 as an AD DS domain controller for a new child domain named na.adatum.com. When prompted, use Pa$$w0rd as the Directory Services Restore Mode (DSRM) password.

3.

Task 3: Verify the default trust configuration


1. 2. Log on to TOR-DC1 as NA\Administrator using the password Pa$$w0rd.

When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local Area Connection and then click Disable. Right-click Local Area Connection and then click Enable. The Local Area Connection should now show Adatum.com. From Server Manager, launch the Active Directory Domains and Trusts management console and verify the parent child trusts.

3.

Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC) verification has failed, ensure that you have completed step 2 and then wait for at least 10-15 minutes. You can continue with the lab and come back later to verify this step.

Results: After completing this exercise, you will have implemented child domains in AD DS.

Exercise 2: Implementing Forest Trusts


Scenario

A. Datum is working on several high-priority projects with a partner organization named Trey Research. To simplify the process of enabling access to resources located in the two organizations, they have deployed a dedicated wide area network (WAN) between London and Munich, where Trey Research is located. You now need to implement and validate a forest trust between the two forests, and configure the trust to allow access to only selected servers in London.

MCT USE ONLY. STUDENT USE PROHIBITED


8-25

Configuring Advanced Windows Server 2012 Services

The main tasks for this exercise are as follows: 1. 2. 3. Configure stub zones for DNS name resolution. Configure a forest trust with selective authentication. Configure a server for selective authentication.

Task 1: Configure stub zones for DNS name resolution


1. 2. 3. 4. 5. 6. 7. 8. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. Using the DNS management console, configure a DNS stub zone for treyresearch.net. Use 172.16.10.10 as the Master DNS server. Close DNS Manager. Log on to MUN-DC1 as TreyResearch\Administrator with the password Pa$$w0rd. Using the DNS management console, configure a DNS stub zone for adatum.com. Use 172.16.0.10 as the Master DNS server. Close DNS Manager.

Task 2: Configure a forest trust with selective authentication


1. 2. 3.

On LON-DC1, create a one-way: outgoing trust between the treyresearch.net AD DS forest and the adatum.com forest. Configure the trust to use Selective authentication. Confirm and validate the trust from treyresearch.net. Close Active Directory Domains and Trusts.

Task 3: Configure a server for selective authentication


1. 2. On LON-DC1, from Server Manager open Active Directory Users and Computers.

On LON-SVR1, configure the members of treyresearch.com\it group with the Allowed to authenticate permission. If you are prompted for credentials, type Treyresearch\administrator with the password of Pa$$w0rd. On LON-SVR1, create a shared folder IT-Data and grant access to members of the treyresearch.net\it group. If you are prompted for credentials, type Treyresearch\administrator with the password of Pa$$w0rd. Log off of MUN-DC1. Log on to MUN-DC1 as treyresearch\alice, and access the shared folder on LON-SVR1.

3.

4. 5.

Results: After completing this exercise, you will have implemented forest trusts.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps. 1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-TOR-DC1, 20412-MUN-DC1, and 20412-LON-SVR1.

MCT USE ONLY. STUDENT USE PROHIBITED

8-26 Implementing Distributed Active Directory Domain Services Deployments

Lab Review
Question: Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child domain na.adatum.com? Question: What are the alternatives to creating a delegated subdomain record in Q1? Question: When you are creating a forest trust, why would you create a selective trust instead of a complete trust?

MCT USE ONLY. STUDENT USE PROHIBITED


8-27

Configuring Advanced Windows Server 2012 Services

Module Review and Takeaways


To design and implement a reliable and efficient AD DS environment, it is important to have an understanding of which components are required and how they interact. This module covered the constituent parts of an AD DS design and also demonstrated the different ways to deploy AD DS in a complex scenario.

The Domain Name Service is crucial to the satisfactory functioning of an AD DS system, and students saw different ways to provide a robust DNS record resolution process in a multi-domain situation. The different DNS resolution methods were discussed, including forwarders, conditional forwarders, delegation, secondary zones, and stub zones. Students also saw how trust relationships can provide an effectual authentication mechanism in various environments.

Common Issues and Troubleshooting Tips


Common Issue You receive error messages such as: DNS lookup failure, RPC server unavailable, domain does not exist, domain controller could not be found. User cannot be authenticated to access resources on another AD DS domain or Kerberos realm. Troubleshooting Tip

MCT USE ONLY. STUDENT USE PROHIBITED

MCT USE ONLY. STUDENT USE PROHIBITED


9-1

Module 9
Implementing Active Directory Domain Services Sites and Replication
Contents:
Module Overview Lesson 1: Overview of AD DS Replication Lesson 2: Configuring AD DS Sites Lesson 3: Configuring and Monitoring AD DS Replication Lab: Implementing AD DS Sites and Replication Module Review and Takeaways 9-1 9-2 9-10 9-16 9-22 9-26

Module Overview

When you deploy Active Directory Domain Services (AD DS), it is important to provide an efficient logon infrastructure and a highly available directory service. Implementing multiple domain controllers throughout the infrastructure helps you meet both of these goals. However, you must ensure that AD DS replicates Active Directory information between each domain controller in the forest. In this module, you will learn how AD DS replicates information between domain controllers within a single site and throughout multiple sites. You also will learn how to create multiple sites and monitor replication to help optimize AD DS replication and authentication traffic.

Objectives
After completing this module, you will be able to: Describe how AD DS replication works. Configure AD DS sites to help optimize authentication and replication traffic. Configure and monitor AD DS replication.

MCT USE ONLY. STUDENT USE PROHIBITED

9-2

Implementing Active Directory Domain Services Site es and Replication

Lesson 1

Overvi iew of AD A DS Replicat R tion

Within an AD DS infrastructure, standard dom main controller rs replicate Active Directory information b by usin ng a multimast ter replication model. This means m that if a change is mad de on one dom main controlle er, that change then replicates to all oth her domain co ontrollers in th e domain, and d potentially to o all domain controllers throug ghout the entir re forest. This lesson provide es an overview w of how AD D DS replicates info ormation between both stand dard and read d-only domain controllers (RODC).

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe the AD DS partitio ons. Describe the characteristics s of AD DS replication. Describe the replication pro ocess within a single site. Describe how w AD DS resolv ves replication conflicts. Describe how w you generate e the replicatio on topology. Describe how w read-only do omain controlle er replication w works. Describe System Volume (S SYSVOL) replica ation.

Wh hat Are AD D DS Partit tions?


The Active Directo ory data store contains info ormation that AD A DS distribu utes to all dom main controllers throug ghout the forest infrastructure. Muc ch of the infor rmation that th he data store contains is distributed within a single s domain. How wever, some in nformation ma ay be related to o, and replicated thr roughout, the entire forest, rega ardless of the domain d bound daries. To help h provide re eplication effic ciency and scalability betwee en domain con ntrollers, the Ac ctive Dire ectory data is separated s logically into seve eral part titions. Each pa artition is a un nit of replicatio on, and each partition n has its own replication r top pology. The de efault partitions include the f following:

Configuration n partition. The e configuration partition is c created autom matically when you create the e first domain of a forest. f The con nfiguration par rtition contain ns information about the fore est-wide AD D DS which domain structure, incl luding which domains d and sites s exist and w n controllers ex xist in each do omain. The configura ation partition also stores inf formation abo out forest-wide e services such h as DHCP authorization n and certificat te templates. This T partition re eplicates to all domain cont trollers in the f forest. tions of all the Schema partition. The schema partition contains c definit e objects and a attributes that you can create in the data store e, and the rules s for creating a and manipulat ting them. Sch hema informat tion replicates to all a domain con ntrollers in the e forest. Theref fore, all object ts must comply y with the sche ema object and at ttribute definition rules. AD DS D contains a default set of classes and attributes that y you cannot modif fy. However, if f you have Schema Admins c credentials, yo u can extend t the schema by y adding new attributes a and classes to repr resent applicat tion-specific classes. Many a applications such as Microsoft Exc change Server and Microsoft t System Cente er Configuratio on Manager m may extend the e

Configurin ng Advanced Window ws Server 2012 Ser rvices

schema to provide applic cation-specific configuration n enhancements. These chan nges target the e domain con ntroller that co ontains the for rests schema m master role. O nly the schema master is pe ermitted to make ad dditions to clas sses and attributes. Domain partition. When you y create a new n domain, A AD DS automat tically creates and replicates s an instance of the domain partition p to all of o the domain ns domain con ntrollers. The d domain partitio on contains inf formation abo out all domain-specific objec cts, including u users, groups, c computers, organizatio onal units (OUs s), and domain n-related syste em settings. All objects in eve ery domain pa artition in a forest are a stored in th he global catalog, with only a subset of th heir attribute v values.

Application n partition. The e application partition p stores s nondomain, application-re elated information n is or have a spec that may ha ave a tendency y to be update ed frequently o cified lifetime. An application typically programed to determine how it stores, cate gorizes, and u uses application-specific info ormation stored in th he Active Direc ctory database e. To prevent u unnecessary re eplication of an n application partition, yo ou can designate which dom main controller rs in a forest w will host the sp pecific applications partition. Unlike U a domain partition, an n application p partition does n not store security principal o objects, such as use er accounts. Ad dditionally, the e global catalo ogue does not store data con ntained in app plication partitions. SI Edit to connect to and view w the partition ns. Note: You can use ADS

MCT USE ONLY. STUDENT USE PROHIBITED


9-3

Characteris C stics of AD D DS Replic cation


An effective AD D DS replication n design ensur res that ea ach partition on o a domain co ontroller is con nsistent with w the replicas of that partit tion hosted on n other do omain controllers. Typically, not all domain co ontrollers have e exactly the sa ame information in th heir replicas at any one mom ment because ch hanges are occ curring to the direction cons stantly. However, Active e Directory rep plication ensur res that all changes to a partition are transferred to all re eplicas of the partition. p Activ ve Directory re eplication balances accuracy (or integrity) and co onsistency (called convergen nce) with performance (k keeping replica ation traffic to a reasonable level). Th he key charact teristics of Acti ive Directory replication r are::

Multimaste er replication. Any A domain co ontroller excep pt RODCs can initiate and co ommit a chang ge to AD DS. This s provides faul lt tolerance, an nd eliminates d dependency o on a single dom main controller to maintain th he operations of o the director ry store.

Pull replication. A domain n controller requests, or pull ls, changes fro om other doma ain controllers. Even though a domain control ller can notify its replication partners that it has changes s to the directo ory, or poll its part tners to see if they t have changes to the di rectory, in the e end, the targe et domain con ntroller requests an nd pulls the changes themselves.

Store-and-f forward replication. A doma ain controller c can pull chang ges from one p partner, and th hen make those e changes available to anoth her partner. Fo or example, domain controlle er B can pull changes initiated by y domain contr roller A. Then, domain contr roller C can pu ull the changes s from domain n controller B. B This helps ba alance the rep plication load f for domains th hat contain sev veral domain controllers.

MCT USE ONLY. STUDENT USE PROHIBITED

9-4

Implementing Active Directory Domain Services Site es and Replication

Data store pa artitioning. A domains d doma ain controllers only host the domain-nami ing context for their domains, which helps minim mize replicatio on, particularly y in multidoma ain forests. By default, other data, including app plication direct tory partitions and the partia al attribute set t (global catalo og), do not replicate to every domain controller c in th he forest. Automatic ge eneration of an n efficient and robust replica ation topology y. By default, A AD DS configures an effective, two o-way replicatio on topology so that the loss s of one doma in controller d does not imped de replication. AD A DS automat tically updates s this topology y as domain co ontrollers are a added, remove ed, or moved betwe een sites. Attribute-leve el replication. When W an attrib bute of an obj ject changes, o only that attrib bute, and minimal metadata tha at describes tha at attribute, re eplicates. The e entire object d does not replic cate, except up pon its initial creation. rol of intrasite replication and intersite rep plication. You c can control rep plication within a Distinct contr single site and between site es.

Collision dete ection and management. On n rare occasion ns, you can mo odify an attribu ute on two dif fferent domain contr rollers during a single replica ation window. If this occurs, you must reco oncile the two o changes. AD DS has resolut tion algorithms that satisfy a almost all scenarios.

Ho ow AD DS Replicatio on Works Within W a Si ite


AD DS replication n within a singl le site is called d intra asite replicatio on, which takes s place auto omatically. However, you can configure it to occu ur manually, as necessary. Th he following concepts are relat ted to intrasite e replication: Connection objects o The knowledg ge consistency y checker (KCC C) Notification Polling

Con nnection Ob bjects

A do omain controller that replica ates changes from another d domain contro oller is called a replication pa artner. ct represents a replication p Rep plication partne ers are linked by b connection n objects. A con nnection objec path from m one domain controller to another. Conn nection objects s are one-way,, representing inbound-only y pull repl lication. To view v and confi igure connection objects, op pen Active Dire ectory Sites an nd Services, and then select t the NTD DS Settings container of a do omain controll lers server obj ject. You can f force replicatio on between tw wo dom main controller rs by right-clic cking the conn nection object, and then sele ecting Replicat te Now. Note that repl lication is inbo ound-only, so if i you want to replicate both h domain cont trollers, you ne eed to replicate the inbo ound connection object of each e domain controller.

The e Knowledg ge Consisten ncy Checker r

The replication pa aths built betw ween domain controllers c by c connection ob bjects create th he forests repl lication topolo ogy. You do no ot have to crea ate the replicat tion topology manually. By default, AD DS S crea ates a topology that ensures effective replication. The to opology is two o-way, which m means that if any one e domain contr roller fails, replication contin nues uninterru pted. The topo ology also ens sures that there are no more m than thre ee hops betwe een any two do omain control lers.

Configuring Advanced Windows Server 2012 Services

On each domain controller, a component of AD DS called the knowledge consistency checker (KCC) helps generate and optimize the replication automatically between domain controllers within a site. The KCC evaluates the domain controllers in a site, and then creates connection objects to build the two-way, three-hop topology described earlier. If you add or remove a domain controller, or if a domain controller is not responsive, the KCC rearranges the topology dynamically, adding and deleting connection objects to rebuild an effective replication topology. The KCC runs at specified intervals (every 15 minutes by default) and designates replication routes between domain controllers that are the most favorable connections available at the time. You can create connection objects manually to specify replication paths that should persist. However, creating a connection object manually is not typically required or recommended because the KCC does not verify or use the manual connection object for failover. The KCC will also not remove manual connection objects, which means that you must delete connection objects that you create manually.

MCT USE ONLY. STUDENT USE PROHIBITED


9-5

Notification

When a change is made to an Active Directory partition on a domain controller, the domain controller queues the change for replication to its partners. By default, the source server waits 15 seconds to notify its first replication partner of the change. Notification is the process by which an upstream partner informs its downstream partners that a change is available. By default, the source domain controller then waits three seconds between notifications to additional partners. These delays, called the initial notification delay and the subsequent notification delay, are designed to stagger the network traffic that intrasite replication can cause. Upon receiving the notification, the downstream partner requests the changes from the source domain controller, and the directory replication agent pulls the changes from the source domain controller. For example, suppose domain controller DC01 makes an initial change to AD DS. It is the originating domain controller, and the change that it makes, that originates the change. When DC02 receives the change from DC01, it makes the change to its directory. DC02 then queues the change for replication to its own downstream partners.

Then, suppose DC03 is a downstream replication partner of DC02. After 15 seconds, DC02 notifies DC03 that it has a change. DC03 makes the replicated change to its directory, and then notifies its downstream partners. The change has made two hops, from DC01 to DC02, and then from DC02 to DC03. The replication topology ensures that no more than three hops occur before all domain controllers in the site receive the change. At approximately 15 seconds per hop, the change fully replicates in the site within one minute.

Polling

At times, a domain controller may not make any changes to its replicas for an extended time, particularly during off hours. Suppose this is the case with DC01. This means that DC02, its downstream replication partner, will not receive notifications from DC01. DC01 also might be offline, which would prevent it from sending notifications to DC02. It is important for DC02 to know that its upstream partner is online and simply does not have any changes. This is achieved through a process called polling. During polling, the downstream replication partner contacts the upstream replication partner with queries as to whether any changes are queued for replication. By default, the polling interval for intrasite replication is once per hour. You can configure the polling frequency from a connection objects properties by clicking Change Schedule, although we do not recommend it If an upstream partner fails to respond to repeated polling queries, the downstream partner launches the KCC to check the replication topology. If the upstream server is indeed offline, the KCC rearranges the sites replication topology to accommodate the change.

MCT USE ONLY. STUDENT USE PROHIBITED

9-6

Implementing Active Directory Domain Services Site es and Replication

Resolving Re eplication Conflicts


Because AD DS su upports a mult timaster replica ation mod del, replication n conflicts may y occur. Typica ally, ther re are three types of replicat tion conflicts that may y occur in AD DS: D Simultaneous sly modifying the t same attrib bute value of the same s object on n two domain controllers. Adding or mo odifying the sa ame object on one domain contr roller at the same time that the t container obj ject for the obj ject is deleted on another domain controller. Adding objec cts with the sam me relative dis stinguished na ame into the sa ame container r.

To help h minimize conflicts, all domain d controllers in the for rest record and d replicate object changes at t the attribute level rath her than at the e object level. Therefore, cha anges to two d different attrib butes of an obj ject, such h as the users password and d postal code, do not cause a conflict even n if you change e them at the same time e from differen nt locations. Whe en an originating update is applied a to a domain control ller, a stamp is s created that t travels with the upd date as it replic cates to other domain contro ollers. The stam mp contains th he following co omponents:

Version numb ber. The versio on number starts at one for e each object at tribute, and in ncreases by one for each update. When perform ming an origin nating update, the version of f the updated attribute is on ne number higher than the version of the at ttribute that is being overwritten.

Timestamp. The time and date T timestamp p is the updates originating t e according to the system clo ock of the domain controller c wher re the change is made. Server globally unique iden ntifier (GUID). The T server GU ID identifies th he domain con ntroller that performed th he originating update.

Res solving Rep plication Con nflicts


The table below outlines o severa al conflicts and d how AD DS re esolves the iss sue: Co onflict Attribute value Resolution If the version n number value e is the same, but the attribu ute value is different, the en the timestam mp is evaluate ed. The update e operation that has the higher stamp v value replaces s the attribute value of the update opera ation with the lower stamp v value. After resoluti ion occurs at a all replicas, AD D DS deletes th he container object, and the leaf object is made a chil ld of the folde ers special nd container. S Stamps are not t involved in this LostAndFoun resolution. The object with w the larger stamp keeps t the relative dis stinguished name. AD DS S assigns the s ibling object a unique relativ ve distinguished d name by the e domain contr roller. The nam me assignment is the relative d distinguished n name + CNF: + a reserved character (the asterisk,) + t the objects GU UID. This name e assignment d name does n not conflict wit th any other ensures that the generated objects name.

Add or move un nder a de eleted contain ner object, or r the deletion of a co ontainer objec ct Adding objects with the sa ame relative di istinguished name

Configurin ng Advanced Window ws Server 2012 Ser rvices

MCT USE ONLY. STUDENT USE PROHIBITED


9-7

How H Replic cation Top pology Is Generated G

Re eplication topo ology is the ro oute by which replication dat ta travels thro ough a network k. To create a re eplication topo ology, AD DS must m determin ne which doma ain controllers replicate data a with other do omain co ontrollers. AD DS creates a re eplication topo ology based o on the informa ation that AD D DS contains. Be ecause ea ach AD DS par rtition may be replicated to different dom ain controllers s in a site, the replication top pology ca an differ for sc chema, configu uration, domai in, and applica ation partitions s.

Be ecause all dom main controller rs within a fore est share schem ma and config guration partiti ions, AD DS re eplicates sc chema and con nfiguration partitions to all domain d contro ollers. Domain controllers in the same dom main also replicate th he domain par rtition. Additionally, domain controllers tha at host an app plication partition also re eplicate the ap pplication parti ition. To optim mize replication n traffic, a dom main controller may have sev veral re eplication partners for differe ent partitions. In a single site e, the replication topology w will be fault tol lerant an nd redundant. This means th hat if the site contains c more than two dom main controller rs, each domai in co ontroller will have h at least tw wo replication partners for ea ach AD DS par rtition.

How H the Sch hema and Co onfiguration Partitions s Are Replic cated

Re eplication of the schema and d configuration partitions fo ollows the sam me process as a all other directo ory pa artitions. Howe ever, because these partition ns are forest-w wide rather tha an domain-wid de, connection n objects fo or these partitions may exist between any two t domain co ontrollers rega ardless of the d domain contro ollers do omain. Furthermore, the rep plication topolo ogy for these partitions inclu udes all domain controllers in the fo orest.

How H the Glo obal Catalog g Affects Re eplication

Th he configuratio on partition co ontains inform mation about th he site topolog gy and other g global data for r all do omains that ar re members of f the forest. AD D DS replicates s the configura ation partition n to all domain n co ontrollers through normal fo orest-wide replication. Each g global catalog g server obtain ns domain info ormation by y contacting a domain contr roller for that domain d and o obtaining the p partial replica i information. The co onfiguration partition also provides the do omain controll ers with a list of the forests global catalog g se ervers. Global catalog servers s registe er DNS service records in the e DNS zone tha at corresponds to the forest root do omain. These records, r which h are registered d only in the F Forest Root DN NS zone, help c clients and ser rvers lo ocate global ca atalog servers throughout t th he forest to pro ovide client log gon services.

How H RODC C Replicatio on Works


As previously mentioned, m dom main controllers re eplicate data by b pulling chan nges from othe er or riginating dom main controller rs. A RODC does not allow any non-r replicated chan nges to be wri itten to its s database and d never replica ates any inform mation ou ut to other domain controlle ers. Since chan nges are ne ever written to o an RODC dire ectly, other do omain co ontrollers do not n have to pull directory cha anges from an RODC. Restricting RO ODCs from or riginating chan nges prevents any changes or o co orruption that a malicious us ser or applicat tion might m make fro om replicating to the rest of the t fo orest.

MCT USE ONLY. STUDENT USE PROHIBITED

9-8

Implementing Active Directory Domain Services Site es and Replication

Whe en a user or ap pplication atte empts to perfo orm a write req quest to a ROD DC, one of the following acti ions typically occurs:

ite request to a writable dom main controller, which is then replicated back to The RODC forwards the wri the RODC. Ex xamples of this s type of reque est includes pa assword chang ges, service principal name (S SPN) updates, and computer\domain member r attribute chan nges. ovides a referra al to a writable e domain cont troller. The The RODC responds to the client and pro application ca an then comm municate direct tly with a writa able domain co ontroller. Lightweight Direct tory Access Protoc col (LDAP) and d DNS record updates u are ex xamples of acc ceptable RODC C referrals. The write ope eration fails be ecause it is not t referred or fo orwarded to a writable doma ain controller. communicatio Remote proce edure call (RPC C) writes are an example of c on that may be e prohibited fr rom referrals or fo orwarded to an nother domain n controller.

en you implem ment an RODC C, the KCC dete ects that the d domain controller is configur red with a read d-only Whe repl lica of all appli icable domain partitions. Because of this, t the KCC create es one-way on nly connection n obje ects from one or more sourc ce Windows Se erver 2008 or h higher domain n controllers to o the RODC. For some tasks, an n RODC perfor rms inbound replication r usin ng a replicate-single-object (RSO) operatio on. This s is initiated on n-demand outside of the sta andard replicat tion schedule. These tasks in nclude: Password cha anges. DNS updates when a client is referred to a writable DN NS server by the RODC. The R RODC then attempts to pull p the change es back using an RSO operat tion. This only y occurs for Active Directoryintegrated DN NS zones. Updates for various v client attributes a inclu uding client na ame, DnsHost tName, OsNa ame, OsVersionInf fo, supported encryption types, and the L LastLogontime eStamp attrib bute.

Ho ow SYSVOL L Replication Works


The SYSVOL is a collection c of files and folders s on each h domain cont troller that is linked to %Sy ystemRoot%\S SYSVOL locatio on. SYSVOL contains logon scripts and objects related to Group Policy such h as Group Po olicy templates s. The contents of the SY YSVOL folder replicate r to eve ery dom main controller r in the domain using the connection object t topology and d schedule tha at the KCC C creates.

Dep pending on the e domain cont troller operatin ng system version, do omains functio onal level, and d mig gration status of o SYSVOL, the e File Replicatio on Serv vice or Distribu uted File System Replication replicates SYS SVOL changes between dom main controller rs. The File Replication Se ervice was used d primarily in Windows Serv ver 2003 R2 an nd older doma ain structures. T The File Replication Se ervice has limit tations in both h capacity and performance which has led to the adoption of Dist tributed File Sy ystem Replicat tion. In Windows W Serve er 2008 and ne ewer domains, you can use D Distributed File e System Repli ication to repli icate the contents of SY YSVOL. Distributed File Syste em Replication n supports rep lication scheduling and ban ndwidth throttl ling, and it use es a compression algorithm known as Rem mote Differenti ial Compressio on (RDC). Using RDC, Distributed File F System Rep plication replic cates only the differences (or changes with hin files s) between the e two servers, resulting r in low wer bandwidth h use during re eplication.

Configuring Advanced Windows Server 2012 Services

MCT USE ONLY. STUDENT USE PROHIBITED


9-9

Note: You can use the dfsrmig.exe tool to migrate SYSVOL replication from the File Replication Service to Distributed File System Replication . For the migration to succeed, the domain functional level must be at least Windows Server 2008.

MCT USE ONLY. STUDENT USE PROHIBITED

9-10 Implemen nting Active Directory y Domain Services Sites and Replication

Lesson 2

Config guring AD A DS Sites S

Within a single sit te, AD DS repli ication occurs automatically y without regar rd for network k utilization. How wever, some organizations have h multiple lo ocations that a are connected d by wide area network (WAN) t network connections. If thi is is the case, you y must ensure that AD DS S replication do oes not impact utilization negativ vely between locations. You also may need d to localize ne etwork service es to a specific loca ation. For exam mple, you may want users at a branch offic ce to authentic cate to a doma ain controller loca ated in their lo ocal office, rath her than over the t WAN conn nection to a do omain controll ler located in t the main office. You can c implement t AD DS sites to t help manag ge bandwidth o over slow or unreliable netw work connections, and to assist in ser rvice localizatio on for authent tication as well as many othe er site-aware serv vices on the ne etwork.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe AD DS sites. Explain why organizations o might m implement additional l sites. Configure additional AD DS S sites. Describe how w AD DS replica ation works be etween sites. Describe the Inter-site Topo ology Generat tor. Describe how w Service Locat tor (SRV) recor rds are used to o locate doma in controllers. Describe how w client compu uters locate domain controlle ers.

Wh hat Are AD D DS Sites? ?


To most m administrators, a site is s a physical loca ation, an office e, or a city typically separated d by a WAN W connectio on. These sites are physically connected by network links that might be as basic as dial-up d connec ctions or as sop phisticated as fiber links. Together, th he physical locations and link ks mak ke up the phys sical network infrastructure. AD DS represents the physical network n infra astructure with h objects called sites. AD DS site obje ects are stored d in the Config guration container (CN=Sites, CN=Co onfiguration, DC= D forest root t dom main) and are used u to achiev ve two primary y serv vice management tasks:

Manage replication traffic. Typically, there are two type es of network LAN connectio ons within an enterprise environment: hig ghly connected d and less high hly connected. Conceptually y, a change ma ade to AD DS should d replicate imm mediately to other domain c controllers with hin the highly connected ne etwork in which the change c was made. m However r, you might no ot want the ch hange to replic cate immediately over a slower r, more expens sive, or less reliable link to an nother site. Ins stead, you mig ght want to optimize perf formance, redu uce costs, and manage band dwidth, you ca an manage rep plication over less highly connec cted segments s of your enter rprise. An Activ ve Directory si ite represents a highly conne ected portion of your enterprise. When you def fine a site, the domain contr rollers within the site replicate

MCT USE ONLY. STUDENT USE PROHIBITED


9-11

Configuring g Advanced Windows s Server 2012 Serviices

changes alm most instantly. . However, you u can manage and schedule replication be etween sites as s needed.

rvice localizatio on. Active Dire ectory sites hel lp you localize e services, inclu uding those pr rovided Provide ser by domain controllers. Du uring logon, Windows W client ts are automat tically directed d to domain controllers in their sites. If domain cont trollers are not t available in t their sites, they y are directed to domain con nticate the clie ntrollers in the e nearest site that can authen ent efficiently. Many other se ervices such as rep plicated Distributed File Syste em (DFS) resou urces are also site-aware to e ensure that us sers are directed to a local copy of o the resource e.

What W Are Su ubnet Objects?

Su ubnet objects identify the ne etwork addresses that map c computers to A AD DS sites. A subnet is a se egment of f a TCP/IP netw work to which a set of logica al IP addresses s are assigned.. Because the s subnet objects s map to th he physical net twork, so do th he sites. A site can consist of f one or more subnets. For e example, if you ur ne etwork has thr ree subnets in New York and d two in Londo on, you can cre eate a site in N New York and one in Lo ondon, respect tively, and the en add the sub bnets to the res spective sites. Note: Wh hen designing your AD DS site configurati on, it is critica l that you corr rectly map IP su ubnets to sites. Likewise, if th he underlying network confi guration chan nges, you must t ensure that th hese changes are a updated to o reflect the cu urrent IP subne et to site mapp ping. Domain controllers us se the IP subne et information n in AD DS to map m client com mputers and se ervers to the c correct AD DS sit te. If this mapp ping is not acc curate, AD DS operations suc ch as logon tra affic and apply ying Group Po olicies are likely to happen across a WAN lin nks and may b be disrupted.

Default D First Site

st domain con AD DS creates a default site when w you insta all a forests firs ntroller. By def fault, this site is called Default-First-Sit D te-Name. You can rename th his site to a mo ore descriptive e name. When you install the e fo orests first dom main controller, AD DS place es it in the defa ault site autom matically. If you u have a single e site, it is not necessary y to configure subnets or add ditional sites s ince all machines will be cov vered by the d defaultfir rst-site-name default d site. Ho owever, multip ple sites need to have subne ets associated t to them as nee eded.

Why W Implement Add ditional Sites?


Ev very Active Dir rectory forest includes i at least one sit te. You should d create additio onal sites when: A slow link separates part t of the netwo ork. As previously mentioned, m a site s is characte erized by a locatio on with fast, re eliable, inexpen nsive connectivity y. If two locations are conne ected by a slow link, you should d configure each location as a separate AD D DS site. A slo ow link typically is one that has a connection of o less than 512 ki ilobits per seco ond (Kbps).

A part of th he network has s enough users to warrant hos sting domain controllers c or other services in that t location. Concentration C ns of users can also influence e your site design. If a netwo ork location has a sufficient number n of users for whom th he inability to authenticate w would be problematic, place a dom main controller r in the locatio on to support a authentication n within the loc cation. After you place p a domain n controller or other distribu ted service in a location that will support those

MCT USE ONLY. STUDENT USE PROHIBITED

9-12 Implemen nting Active Directory y Domain Services Sites and Replication

users, you might want to manage m Active Directory repl ication to the location or loc calize service u use by configuring an a Active Direc ctory site to represent the lo cation. You want to control c service e localization. By B establishing g AD DS sites, you can ensur re that clients use domain contr rollers that are e nearest to the em for authen ntication, which h reduces auth hentication lat tency and traffic on n WAN connec ctions. In most scenarios, eac ch site will con ntain a domain n controller. such as Distrib However, you u might config gure sites to localize services other than au uthentication, s buted ured File System, BranchCache, B and a Exchange Server service es. In this case, some sites might be configu without a dom main controlle er present in th he site. You want to control c replica ation between domain contr rollers. There m may be scenari ios in which tw wo well-connecte ed domain con ntrollers are al llowed to com mmunicate only y at certain tim mes of the day. Creating sites s allows you to o control how and a when rep lication takes place between n domain controllers.

De emonstration: Config guring AD DS Sites


In th his demonstration, you will see s how to con nfigure AD DS S sites.

Dem monstration n Steps


1. 2. 3. 4. 5. 6. 7. From Server Manager, M open n Active Direct tory Sites and Services. Rename the Default-First-S D ite-Name site, , as needed.

Right-click the Sites node, and then click k New Site. Sp pecify a name, and then asso ociate the new site with the default site link. Create additio onal sites, as needed. n In the navigat tion pane, righ ht-click Subne ets, and then c click New Subnet. Provide the prefix, p and then n associate the e IP prefix to a an available site object. If required, move m a domain n controller to the new site.

Ho ow Replication Work ks Between n Sites


The main characte eristics or assu umptions abou ut repl lication within sites are: The network connections within w a site are e both reliable, cheap, and ha ave sufficient available bandwidth. Replication tr raffic within a site s is not compressed, because a site e assumes fast, highly reliable e network con nnections. Not compressing replication tra affic helps redu uce the processing load on the domain controllers. However, uncom mpressed traff fic may increase the network bandwidth. b A change not tification proce ess initiates rep plication withi in a site.

MCT USE ONLY. STUDENT USE PROHIBITED


9-13

Configuring g Advanced Windows s Server 2012 Serviices

Th he main characteristics or as ssumptions abo out replication n between site es are:

The networ rk links betwee en sites have li imited availab le bandwidth, may have a higher cost, and d may not be relia able. Replication traffic betwee en sites can be e designed to o optimize band dwidth by com mpressing all replication traffic. Replica ation traffic is compressed c to o 10 to 15 perc cent of its orig ginal size befor re it is transmitted d. Although co ompression opt timizes netwo rk bandwidth, it imposes an n additional processing load on doma ain controllers, , when it comp presses and de ecompresses re eplication data a.

Replication between sites s occurs autom matically after y you have defin ned configurable values, suc ch as a schedule or r a replication interval. You can c schedule r replication for inexpensive o or off-peak hou urs. By ing to a sched default, cha anges are repli icated between sites accordi dule that you d define, and not t according to t when chang ges occur. The schedule dete ermines when replication can occur. The in nterval specifies ho ow often doma ain controllers check for cha anges during the time that re eplication can occur.

What W Is the e Inter-Site e Topology Generator?


When W you configure multiple e sites, the KCC C on on ne domain con ntroller in each h site is design nated as s the sites Inte er-Site Topolog gy Generator (ISTG). ( Th here is only on ne ISTG per site e, regardless of o how many m domains or other direct tory partitions s the sit te has. ISTG is responsible fo or calculating the t sit tes ideal replication topolog gy.

When W you add a new site to the t forest, each h sites IS STG determines which directory partitions are present in the new n site. The IS STG then calcu ulates ho ow many new connection ob bjects are nece essary to o replicate the new sites req quired information. In so ome networks, , you might wa ant to specify that t only certa ain domain controllers are re esponsible for in ntersite replicat tion. You can do d this by specifying bridge head servers. T The bridgehea ad servers are re esponsible for all replication into, and out of, the site. IST TG creates the e required connection agreement in its s directory, and this information is then re eplicated to the e bridgehead server. The bri idgehead server then cr reates a replica ation connection with the br ridgehead serv ver in the remo ote site, and re eplication beg gins. If a re eplication partner becomes unavailable, u th he ITSG autom atically selects s another dom main controller, , if po ossible. If bridg gehead server rs have been manually m assign ned, and they become unavailable, ISTG w will not au utomatically se elect other ser rvers.

Th he ISTG selects s bridgehead servers s automa atically, and cr reates the inte ersite replicatio on topology to o ensure th hat changes re eplicate effectiv vely between bridgeheads b s haring a site li ink. Bridgeheads are selected d per he pa artition, so it is s possible that t one domain controller c in a site might be the bridgehea ad server for th sc chema, while another a is for the t configurati ion. However, you usually w will find that on ne domain con ntroller is the bridgehea ad server for all partitions in a site, unless t there are dom main controller rs from other d domains or r application directory d partit tions. In this sc cenario, bridge eheads will be chosen for tho ose partitions.

MCT USE ONLY. STUDENT USE PROHIBITED

9-14 Implemen nting Active Directory y Domain Services Sites and Replication

Ov verview of SRV Records for Do omain Con ntrollers


Whe en you add a domain d contro oller to a doma ain, the domain controller advertise es its services by b crea ating SRV reco ords (also know wn as locator reco ords) in DNS. Unlike U host A records, which map host t names to IP addresses, a SRV V records map serv vices to host na ames. For exam mple, to publis sh its ability to provide authentication n and directory acce ess, a domain controller regi isters Kerberos s vers sion 5 protoco ol and LDAP SR RV records. The ese SRV V records are added to severa al folders within the forests DNS zones. z

Und der the domain n zone, a folde er exists that is s nam med name_tcp. . This folder co ontains the SRV V records for a all domain con ntrollers in the e domain. Add ditionally, unde er the domain zone exists a folder called n name_sites, wh hich contains s subfolders for e each site configured in the domain. Each E site-speci ific folder cont tains SRV reco ords that represent services avai ilable in the sit te. For example, if a domain controller is lo ocated in a sit e, a SRV record will be locat ted at the path _sites\sitename\_tcp, where w sitename e is the name of the site. A ty ypical SRV reco ord contains th he following in nformation:

ord indicates a service with a fixed port. It The service na ame and port. . This portion of o the SRV reco t does not have to be b a well-know wn port. SRV re ecords in Wind dows Server 20 012 include LD DAP (port 389), Kerberos (por rt 88), Kerbero os Password pr rotocol (KPASS SWD, port 464 4), and global c catalog service es (port 3268).

Protocol. The e TCP or UDP is s indicated as a transport pr rotocol for the e service. The same service ca an use both protoco ols in separate SRV records. Kerberos K recor rds, for examp le, are register red for both TC CP nts can use bo and UDP. Mic crosoft clients use only TCP, but UNIX clien oth UDP and T TCP. Host name. The T host name corresponds to t the A record d for the serve er hosting the service. When a client queries s for a service, the DNS serve er returns the S SRV record and associated A records, so th he client does no ot need to sub bmit a separate e query to reso olve the IP add dress of a service.

ord follows the e standard DN NS hierarchy w with componen nts separated b by The service name in an SRV reco dots s. For example e, a domain controllers Kerb beros service is s registered as:: kerb beros._tcp.siten name._sites.do omainname, wh here: domainName e: The domain or zone, for ex xample contos so.com _sites: All sites registered with DNS sitename: The e site of the do omain controller registering the service _tcp: Any TCP P-based service es in the site kerberos: A Kerberos K Key Distribution D Center (KDC)that t uses TCP as i ts transport pr rotocol

MCT USE ONLY. STUDENT USE PROHIBITED


9-15

Configuring g Advanced Windows s Server 2012 Serviices

How H Client t Compute ers Locate Domain C Controllers s Within Si ites


When W you join a Windows clie ent to a doma ain and re estart it, it goes through a do omain controll ler lo ocation and reg gistration proc cess. The goal of this re egistration pro ocess is to locat te the domain n co ontroller with the t most effici ient and closes st lo ocation to the clients locatio on based on IP P subnet in nformation. Th he process for locating a domain controlle er is: 1. .

The new cli ient queries fo or all domain controllers in the domain n. As the new domain d client restarts, it receives an IP address from a DHCP serve er, and is ready y to authentica ate to the domain n. However, the client does not n know wher re to find a do omain controlle er. Therefore, the client queri ies for a domain controller by b querying th e _tcp folder, w which contains the SRV reco ords for all domain controllers in the domain. The client attempts a an LD DAP ping to all domain cont trollers in a seq quence . DNS returns a list o of all matching domain d controllers, and the client c attempt s to contact al ll of them on its first startup.

2. . 3. .

The first do omain controlle er responds. The first domai n controller th hat responds to the client ex xamines the clients IP address, cro oss-references s that address w with subnet ob bjects, and informs the clien nt of the site to whic ch the client be elongs. The client stores the site name in i its registry, and d then queries s for domain con ntrollers in the e site-specific _tcp _ folder. The client queries q for all domain d contro ollers in the sit te. DNS returns a list of all domain control llers in the site.

4. . 5. . 6. .

The client attempts a LDAP P ping sequent tially to all dom main controlle ers in the site. T The domain co ontroller that respon nds first authen nticates the client. The client forms f an affinit ty. The client forms f an affini ity with this do omain controll ler, and then a attempts to authenticate with the same s domain controller in t he future. If th he domain con ntroller is unav vailable, the client queries q the site es _tcp folder again, a and aga ain attempts to o bind with the first domain controller that responds in i the site.

If the client mov ves to another r site, such as the t case for a mobile compu uter, the client t attempts to au uthenticate to its preferred domain d contro oller. The dom ain controller notices that th he clients IP address is associated wit th a different site, s and then refers the clien nt to the new site. The client t then queries DNS fo or domain controllers in the local site

Automatic A Site Coverag ge

As mentioned previously, p you u can configure e sites to direc ct users to loca al copies of rep plicated resources, su uch as shared folders f replicated within a DFS D namespace e. There may b be scenarios in n which you on nly re equire service localization wi ith no need for a domain co ontroller locate ed within the site. In this case e, a ne earby domain controller will l register its SR RV records in t the site by usin ng a process ca alled site coverage. A site without a domain contr roller generally y is covered by y a domain co ontroller in a si ite with the low west sit te-link cost to the site that requires r covera age. You also c can configure site coverage and SRV record priority manually if you want to control aut thentication in sites without domain controllers. nal Reading: For more inform mation about how site coverage is evaluat ted see: Addition ht ttp://go.microsoft.com/fwlin nk/?LinkId=168 8550.

MCT USE ONLY. STUDENT USE PROHIBITED

9-16 Implemen nting Active Directory y Domain Services Sites and Replication

Lesson 3

Config guring and a Monitoring g AD DS S Replic cation

Afte er you configure the sites tha at represent yo our network in nfrastructure, t the next step is to determine e if any additional site e links are necessary to help control AD D S replication. A AD DS provide es several optio ons that t you can conf figure to contr rol how replica ation occurs ov ver site links. Y You also need to understand d the tools that you can n use to monitor and manag ge replication i in an AD DS ne etwork environ nment.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe AD DS site links. Explain the co oncept of site link bridging. Describe Univ versal Group Membership M ca aching. Describe how w to control int tersite replication. Configure AD D DS intersite replication. r Describe options for config guring passwor rd replication p policies for RO ODCs. Configure password replica ation policies. Describe tools used for monitoring and managing m repl ication.

Wh hat Are AD D DS Site Links? L


For two sites to ex xchange replic cation data, a site s link must connect t them. A site link is a logical l path h that the KCC C\ISTG uses to establish repl lication between sites. When n you create add ditional sites, yo ou must select t at least one site s link that will conn nect the new si ite to an existin ng site. . Unless a site link is in place e, the KCC cann not mak ke connections s between com mputers at diff ferent sites s, nor can replication occur between b sites.

The important thing to rememb ber about a sit te link is th hat it represent ts an available e path for repl lication. A sing gle site link doe es not control the netw work routes th hat are used. When W you create a site link a nd add sites to o it, you are te elling AD DS th hat it can replicate betw ween any of th he sites associa ated with the s site link. The IS STG creates connection objects, and those objects s will determine the actual re eplication path h. Although th e replication t topology that t the ISTG G builds doe re eplicate AD DS S effectively, it might not be efficient, give en your network topology.

To better b understand this conce ept, consider the following e example. When n you create a forest, one sit te link obje ect is created: DEFAULTIPSIT TELINK. By defa ault, each new w site that you add is associa ated with the DEF FAULTIPSITELIN NK. Consider an a organization with a data c center at the h headquarters a and three bran nch offic ces. The three branch offices s are each connected to the data center w with a dedicate ed link. You cre eate sites s for each bran nch office: Seattle (SEA), Amsterdam (AMS S), and Beijing (PEK). Each of f the sites, inclu uding headquarters, is associated with h the DEFAULT TIPSITELINK sit te link object Because all four si ites are on the e same site link k, you are instr ructing AD DS that all four sites can replicate with h each other. That T means tha at Seattle may y replicate chan nges from Am msterdam; Amsterdam may

MCT USE ONLY. STUDENT USE PROHIBITED


9-17

Configuring g Advanced Windows s Server 2012 Serviices

re eplicate changes from Beijing g; and Beijing may replicate changes from m the headquarters, which in n turn re eplicates chang ges from Seatt tle. In several of o these replica ation paths, th he replication t traffic on the n network ink, you flo ows from one branch throug gh the headqu uarters on its w way to another r branch. With h a single site li do o not create a hub-and-spoke replication topology even n though your r network topo ology is hub-andsp poke. To o align your ne etwork topolo ogy with Active e Directory rep plication, you m must create sp pecific site links s. That is, , you can manually create sit te links that re eflect your inte ended replication topology. Continuing th he preceding exam mple, you woul ld create three e site links as fo ollows: HQ-AMS in ncludes the He eadquarters an nd Amsterdam sites. HQ-SEA inc cludes the Hea adquarters and d Seattle sites. HQ-PEK inc cludes the Hea adquarters and d Beijing sites.

After you create e site links, the e ISTG will use the topology to build an int tersite replicat tion topology that co onnects each site, s and then creates c connec ction objects a automatically t to configure th he replication paths. As a best practice, you should d set up your site s topology c correctly and a avoid creating connection ob bjects manually. m

What W Is Site e Link Brid dging?


After you have created site lin nks and the IST TG ge enerates connection objects s to replicate pa artitions betwe een domain co ontrollers that share a sit te link, your work w might be complete. In many m en nvironments, particularly p tho ose with st traightforward network topo ologies, site links might m be sufficient to manage e intersite replication. In n more comple ex networks, ho owever, you ca an co onfigure additional components and replic cation properties.

Automatic A Site Link Brid dging

By y default, all si ite links are bridged. For exa ample, if the Amsterdam and Headquarters sites ar re linked, and the Headquar rters and Seatt tle sites are linked, Amsterdam and d Seattle are lin nked with a higher cost. This s means, theor retically, that t the ISTG could d create a connection ob bject directly between b a dom main controller r in Seattle and d a domain co ontroller in Amsterdam whe en a domain controller c is no ot available at t the headquart ters for replica ation, again wo orking ar round the hub b-and-spoke network topolo ogy.

Yo ou can disable e automatic site-link bridging g by opening t the properties s of the IP tran nsport in the In nter-Site Tr ransports cont tainer, and the en clearing the e Bridge All Si ite Links check box. Before y you do this in a production environment, read d the technical resources ab out replication n in the Windo ows Server technical lib braries on Microsoft TechNe et at http://technet.microsoft t.com.

Site Link Brid dges

A site link bridg ge connects tw wo or more site e links in a way y that creates a transitive link. Site link brid dges are ne ecessary only when w you have cleared the Bridge B All Sit e Links check box for the tr ransport proto ocol. y default, in w Re emember that t automatic site-link bridging g is enabled by which case, site e link bridges a are not re equired. Th he figure on th he slide illustra ates the use of f a site link brid dge in a forest t in which auto omatic site-link bridging has be een disabled. By B creating a si ite link bridge,, AMS-HQ-SEA A, that include es the HQ-AMS S and

MCT USE ONLY. STUDENT USE PROHIBITED

9-18 Implemen nting Active Directory y Domain Services Sites and Replication

HQ-SEA site links, , those two site e links become e transitive, so o a replication connection ca an be made controller in S betw ween a domain controller in n Amsterdam and a a domain c Seattle.

Wh hat Is Univ versal Grou up Membe ership Cac ching?


One e of the issues that you may need to addre ess whe en configuring g AD DS replica ation is whethe er to dep ploy global catalog servers in n each site. Bec cause glob bal catalog ser rvers are required when user rs log on to t the domain, deploying a global g catalog g serv ver in each site e optimizes the e user experien nce. How wever, deploying a global ca atalog server in na site might result in additional re eplication traff fic, which may be an issue if the network connect tion betw ween AD DS si ites has limited d bandwidth. In I thes se scenarios, you can deploy y domain controllers runnin ng Windows Se erver 2008 or new wer, and then enable e universal group mem mbership cachin ng for the site e.

How Universal Group Membership Caching C Wo rks

A do omain controller in a site tha at has enabled d universal gro oup membersh hip caching, sto ores the unive ersal group information n locally after a user attempts to log on fo or the first time e. The domain n controller obtains the users universa al group membership inform mation from a global catalog g server in ano other site, it then cach hes the inform mation indefinit tely and period dically refreshe es it. The next time that the user tries to lo og on, the domain controller obtains the universal group member rship informati ion from its local cache with hout contacting a glob bal catalog serv ver. By default, d the un niversal group membership information co ontained by ea ach domain co ontrollers cach he is refre eshed every ei ight hours. To refresh the ca ache, domain c controllers sen nd a universal g group membe ership confirmation requ uest to a designated global catalog c server.. You u can configure e universal gro oup membersh hip caching fro om the proper rties of the NT TDS Site Settin ngs nod de.

Co ontrolling Intersite I Replication n


Whe en you create a site link, you u have a numb ber of configuration opt tions that you can use to help control inter-site replication. Th hese options include: Site Link Cos sts. Site link co osts manage th he flow of replication traffic when there is more m than one rout te for replication traffic. You u can configure site e link costs to indicate i that a link is faster, more e reliable, or is s preferred. Hig gher costs are used d for slow links s, and lower co osts are used for fast f links. AD DS D replicates by b using the con nnection with the t lowest cost. By default, all sit te links are con nfigured with a cost of 100.

MCT USE ONLY. STUDENT USE PROHIBITED


9-19

Configuring g Advanced Windows s Server 2012 Serviices

Replication n Frequency. Intersite replic cation is based d only on polling. By default, , every three h hours a replication partner polls its i upstream re eplication part tners to determ mine whether changes are available. This replica ation interval may m be too lon ng for organiza ations that wa nt changes to the directory to replicate more quickly. Yo ou can change e the polling in nterval by acce essing the properties of the site link object. The minimum pol lling interval is s 15 minutes. n Schedules. By B default, rep plication occur rs 24 hours a d day. However, y you can restric ct Replication intersite rep plication to specific times by y changing the e schedule attr ributes of a site e link.

Demonstra D ation: Conf figuring AD DS Inter rsite Replic cation


In n this demonst tration, you will see how to configure c AD D DS intersite rep plication.

Demonstrati D ion Steps


1. . 2. . 3. . 4. . 5. . From Serve er Manager, op pen Active Dire ectory Sites an nd Services. Rename the e DEFAULTIPSITELINK as nee eded. Right-click the site link, and then click Properties P . Modify the Cost, Replicat tion interval, and Schedule a as needed.

If necessary y, open the pro operties of the e IP node, and then modify t the Bridge all site links opt tion.

Options O for r Configur ring Passw word Replic cation Policies for RO ODCs
RO ODCs have un nique AD DS re eplication re equirements re elated to cache ed users crede entials. Th hey use password replication n policies to de etermine whic ch users credentials might be ca ached on the server. s If a pass sword replicat tion po olicy allows an n RODC to cache a user's cr redentials, the RODC can pro ocess that user rs au uthentication and a service-tic cket activities . If a us ser's credentia als are not allow wed to be cached on th he RODC, the RODC R refers th he authenticat tion an nd service-tick ket activities to o a writable do omain co ontroller.

To o access the pa assword replic cation policy, open o the prope erties of the R ODC in the Do omain Control llers OU, an nd then click the Password Replication Policy P tab. An RODCs passw word replicatio on policy is de etermined by two multivalue ed attributes of o the RODC's computer acc count. These at ttributes are known co ommonly as th he Allowed List t and the Denied List. If a us ser's account is s on the Allow wed List, the user's cr redentials are cached. c You ca an include gro oups on the Al lowed List, in w which case all users who bel long to th he group can have h their cred dentials cached d on the RODC C. If the user is s on the Allowed List and the e Denied List, the e RODC does not n cache the user's u credenti als. The Denie ed List takes pr recedence.

To o facilitate the e management t of password replication po licy, two doma ain local security groups are created in n the Users con ntainer of AD DS. D The first on ne, the Allowe ed RODC Passw word Replicatio on Group, is added to th he Allowed List t for each new w RODC. By def fault, the grou up has no mem mbers. Therefo ore, by default, , a new RO ODC will not cache c any user rs credentials. If there are us sers whose cre edentials you w want to be cached by all domain ROD DCs, add those users to the Allowed A RODC C Password Rep plication Group. As a best pr ractice, yo ou can create one Allow List per site, and configure c only y the users assigned to that s site in the Allo ow List.

MCT USE ONLY. STUDENT USE PROHIBITED

9-20 Implemen nting Active Directory y Domain Services Sites and Replication

The second group p, the Denied RODC R Passwor rd Replication Group, is added to the Den nied List for eac ch new w RODC. If you u want to ensure that domain n RODCs neve er cache certain n users creden ntials, you can n add thos se users to the e Denied RODC C Password Re eplication Grou up. By default, this group co ontains security yomain Admins sens sitive accounts s that are mem mbers of group ps including Do s, Enterprise A Admins, Schema Adm mins, Cert Publishers, and Gr roup Policy Cre eator Owners.

De emonstration: Config guring Pas ssword Rep plication P Policies


In th his demonstration, you will see s how to con nfigure passwo ord replication n policies.

Dem monstration n Steps


1. 2. 3. 4. 5. 6. 7. Run Active Di irectory Users and Compute ers. Precreate an RODC comput ter object nam med LON-ROD DC1. in Controllers s OU, open the e properties of f LON-RODC1 1. In the Domai licy. Click the Pass sword Replica ation Policy tab, and view t the default pol Close the LON N-RODC1 Prop perties. In the Active Directory User rs and Computers console tr ree, click the U Users containe er.

Double-click Allowed ROD DC Password Replication R G Group, and the en go to the M Members tab a and examine the default d memb bership of Allow wed RODC Pa assword Repl lication Group p. There should be no members by default. Click OK. Double-click Denied RODC C Password Rep plication Grou p, and then go o to the Memb bers tab.

8. 9.

10. Click Cancel to t close the De enied RODC Password Replic cation Group p properties.

Tools for Mo onitoring and a Manag ging Repli ication


Afte er you have im mplemented yo our replication configuration, you u must be able e to monitor repl lication for ong going support t, optimization n, and trou ubleshooting. Two T tools are particularly us seful for reporting and analyzing rep plication: the Rep plication Diagn nostics tool (Re epadmin.exe) and a the Directory Serv ver Diagnosis (Dcdiag.exe) ( to ool.

The e Repadmin n.exe Tool

The Replication Diagnostics D too ol, Repadmin.exe, is a co ommand-line tool t that enables you to repo ort the status of replication on each h domain controller. The inf formation that t Repadmin.exe prod duces can help p you spot a potential p problem with replic cation in the fo orest. You can view levels of detail dow wn to the replic cation metada ata for specific objects and a attributes, enab bling you to id dentify where a and whe en a problematic change was made to AD DS. You can e even use Repad dmin.exe to cr reate the replic cation topo ology and forc ce replication between b doma ain controllers s. Rep padmin.exe sup pports a numb ber of comman nds that perfor rm specific tas sks. You can learn about each com mmand by typing repadmin /?:command d. Most comma ands require a rguments. Ma any commands s take

MCT USE ONLY. STUDENT USE PROHIBITED


9-21

Configuring Advanced Windows Server 2012 Services

a DC_LIST parameter, which is simply a network label (DNS, NetBIOS name, or IP address) of a domain controller. Some of the replication monitoring tasks you can perform by using Repadmin are:

Display the replication partners for a domain controller. To display the replication connections of a domain controller, type repadmin /showrepl DC_LIST. By default, Repadmin.exe shows only intersite connections. Add the /repsto argument to see intersite connections, as well. Display connection objects for a domain controller. Type repadmin /showconn DC_LIST to show the connection objects for a domain controller. Display metadata about an object, its attributes, and replication. You can learn a lot about replication by examining an object on two different domain controllers to find out which attributes have or have not replicated. Type repadmin /showobjmeta DC_LIST Object, where DC_LIST indicates the domain controller(s) to query. (You can use an asterisk [*] to indicate all domain controllers.) Object is a unique identifier for the object, its distinguished name or GUID, for example.

You can also make changes to your replication infrastructure by using Repadmin. Some of the management tasks you can perform are: Launching the KCC. Type repadmin /kcc to force the KCC to recalculate the inbound replication topology for the server.

Forcing replication between two partners. You can use Repadmin to force replication of a partition between a source and a target domain controller. Type repadmin /replicate Destination_DC_LIST Source_DC_Name Naming_Context.

Synchronizing a domain controller with all replication partners. Type repadmin /syncall DC/A /e to synchronize a domain controller with all its partners, including those in other sites.

The Dcdiag.exe Tool

The Directory Service Diagnosis tool, Dcdiag.exe, performs a number of tests and reports on the overall health of replication and security for AD DS. Run by itself, dcdiag.exe performs summary tests and reports the results. On the other extreme, dcdiag.exe /c performs almost every test. The output of tests can be redirected to files of various types, including XML. Type dcdiag /? for full usage information. You can also specify one or more tests to perform using the /test:Test Name parameter. Tests that are directly related to replication include: FrsEvent. Reports any operation errors in the File Replication System. DFSREvent. Reports any operation errors in the Distributed File System Replication system. Intersite. Checks for failures that would prevent or delay intersite replication. KccEvent. Identifies errors in the knowledge consistency checker. Replications. Checks for timely replication between domain controllers. Topology. Checks that the replication topology is connected fully for all domain controllers. VerifyReplicas. Verifies that all application directory partitions are instantiated fully on all domain controllers hosting replicas.

MCT USE ONLY. STUDENT USE PROHIBITED

9-22 Implementing Active Directory Domain Services Sites and Replication

Lab: Implementing AD DS Sites and Replication


Scenario

A. Datum has deployed a single AD DS domain with all the domain controllers located in the London data center. As the company has grown and added branch offices with large numbers of users, it has become apparent that the current AD DS environment is not meeting the company requirements. Users in some of the branch offices report that it can take a long time for them to log on to their computers. Access to network resources such as the companys Microsoft Exchange 2010 servers and the Microsoft SharePoint servers can be slow, and they sporadically fail. As one of the senior network administrators, you are responsible for planning and implementing an AD DS infrastructure that will help address the business requirements for the organization. You are responsible for configuring AD DS sites and replication to optimize the user experience and network utilization within the organization.

Objectives
Configure the default site created in AD DS. Create and configure additional sites in AD DS. Configure and monitor replication between AD DS sites.

Lab Setup
20412A-LON-DC1 20412A-TOR-DC1 Estimated time: 60 minutes Virtual machines User Name Password 20412A-LON-DC1 20412A-TOR-DC1 Adatum\Administrator Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: a. b. User name: Adatum\Administrator Password: Pa$$w0rd

5.

Repeat steps 2 through 4 for 20412A-TOR-DC1.

Exercise 1: Modifying the Default Site


Scenario

A. Datum has decided to implement additional AD DS sites to optimize the network utilization for AD DS network traffic. The first step in implementing the new environment is to install a new domain controller for the Toronto site. You will then reconfigure the default site and assign appropriate IP address subnets

MCT USE ONLY. STUDENT USE PROHIBITED


9-23

Configuring Advanced Windows Server 2012 Services

to the site. You have been asked to change the name of the default site to LondonHQ and associate it with the IP subnet 172.16.0.0/24, which is the subnet range used for the London head office. The main tasks for this exercise are as follows: 1. 2. 3. Install the Toronto domain controller Rename the default site Configure IP subnets associated with the default site

Task 1: Install the Toronto domain controller


1. 2. 3. On TOR-DC1, use Server Manager to install Active Directory Domain Services.

When the AD DS binaries have installed, use the Active Directory Domain Services Configuration Wizard to install and configure TOR-DC1 as an additional domain controller for Adatum.com. After the server restarts, log on as Adatum\Administrator with the password of Pa$$w0rd.

Task 2: Rename the default site


1. 2. 3. If necessary, on LON-DC1, open the Server Manager console. Open Active Directory Sites and Services, and then rename the Default-First-Site-Name site to LondonHQ. Verify that both LON-DC1 and TOR-DC1 are members of the LondonHQ site.

Task 3: Configure IP subnets associated with the default site


1. 2.

If necessary, on LON-DC1, open the Server Manager console, and then open Active Directory Sites and Services. Create a new subnet with the following configuration: o o Prefix: 172.16.0.0/24 Site object: LondonHQ

Results: After completing this exercise, you will have reconfigured the default site and assigned IP address subnets to the site.

Exercise 2: Creating Additional Sites and Subnets


Scenario

The next step in implementing the AD DS site design is to configure the new AD DS site. The first site that you need to implement is the Toronto site for the North American data center. The network team in Toronto would also like to dedicate a site called TestSite in the Toronto data center. You have been instructed that the Toronto IP subnet address is 172.16.1.0/24. The test network IP subnet address is 172.16.100.0/24. The main tasks for this exercise are as follows: 1. 2. Create the AD DS sites for Toronto Create IP subnets associated with the Toronto sites

Task 1: Create the AD DS sites for Toronto


1.

If necessary, on LON-DC1 open the Server Manager console, and then open Active Directory Sites and Services.

MCT USE ONLY. STUDENT USE PROHIBITED

9-24 Implementing Active Directory Domain Services Sites and Replication

2.

Create a new site with the following configuration: o o Name: Toronto Site link object: DEFAULTIPSITELINK

3.

Create another new site with the following configuration: o o Name: TestSite Site link object: DEFAULTIPSITELINK

Task 2: Create IP subnets associated with the Toronto sites


1. 2. If necessary, on LON-DC1 open Active Directory Sites and Services. Create a new subnet with the following configuration: o o 3. Prefix: 172.16.1.0/24 Site object: Toronto

Create another new subnet with the following configuration: o o Prefix: 172.16.100.0/24 Site object: TestSite

4.

In the navigation pane, click the Subnets folder. Verify that the three subnets were created and associated with their appropriate site as displayed in the details pane.

Results: After this exercise, you will have created two additional sites representing the IP subnet addresses located in Toronto.

Exercise 3: Configuring AD DS Replication


Scenario

Now that the AD DS sites have been configured for Toronto, the next step is to configure the site links to manage replication between the sites, and then to move the TOR-DC1 domain controller to the Toronto site. Currently all sites belong to DEFAULTIPSITELINK. You need to modify site linking so that LondonHQ and Toronto belong to one common site link called LON-TOR. You should configure this link to replicate every hour. Additionally, you should link the TestSite site only to the Toronto site using a site link named TOR-TEST. Replication should not be available from the Toronto site to the TestSite during the working hours of 9 A.M. and 3 P.M. You then will use tools to monitor replication between the sites. The main tasks for this exercise are as follows: 1. Configure site links between AD DS sites 2. Move TOR-DC1 to the Toronto site 3. Monitor AD DS site replication

Task 1: Configure site links between AD DS sites


1. 2. If necessary, on LON-DC1, open Active Directory Sites and Services. Create a new IP-based site link with the following configuration: o Name: TOR-TEST

MCT USE ONLY. STUDENT USE PROHIBITED


9-25

Configuring Advanced Windows Server 2012 Services

o o 3.

Sites: Toronto, TestSite Modify the schedule to only allow replication from Monday 9am to Friday 3pm

Rename DEFAULTIPSITELINK and configure it with the following settings: o o o Name: LON-TOR Sites: LondonHQ, Toronto Replication: Every 60 minutes

Task 2: Move TOR-DC1 to the Toronto site


1. 2. 3. If necessary, on LON-DC1 open Active Directory Sites and Services. Move TOR-DC1 from the LondonHQ site to the Toronto site. Verify that TOR-DC1 is located under the Servers node in the Toronto site.

Task 3: Monitor AD DS site replication


1. 2. On LON-DC1, on the taskbar, click the Windows PowerShell button. Use the following commands to monitor site replication:
Repadmin /kcc

This command recalculates the inbound replication topology for the server:
Repadmin /showrepl

Verify that the last replication with TOR-DC1 was successful:


Repadmin /bridgeheads

This command displays the bridgehead servers for the site topology:
Repadmin /replsummary

This command displays a summary of replication tasks. Verify that no errors appear:
DCDiag /test:replications

Verify that all connectivity and replication tests pass successfully. 3. Switch to TOR-DC1, and then repeat the commands to view information from the TOR-DC1 perspective.

Results: After this exercise, you will have configured site links and monitored replication.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps. 1. 2. 3. 4. On the host computer, start Hyper-V Manager. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 20412A-TOR-DC1.

MCT USE ONLY. STUDENT USE PROHIBITED

9-26 Implementing Active Directory Domain Services Sites and Replication

Module Review and Takeaways


Question: Why is it important that all subnets are identified and associated with a site in a multisite enterprise? Question: What are the advantages and disadvantages of reducing the intersite replication interval? Question: What is the purpose of a bridgehead server?

Common Issues and Troubleshooting Tips


Common Issue Client cannot locate domain controller in its site. Troubleshooting Tip

Replication between sites does not work.

Replication between two domain controllers in the same site does not work.

Best Practice
You should implement the following best practices when you manage Active Directory sites and replication in your environment: Always provide at least one or more global catalog servers per site. Ensure that all sites have appropriate subnets associated.

Do not setup long intervals without replication when you configure replication schedules for intersite replication. Avoid using SMTP as a protocol for replication.

MCT USE ONLY. STUDENT USE PROHIBITED


10-1

Module 10
Implementing Active Directory Certificate Services
Contents:
Module Overview Lesson 1: PKI Overview Lesson 2: Deploying CAs Lesson 3: Deploying and Managing Certificate Templates Lesson 4: Implementing Certificate Distribution and Revocation Lesson 5: Managing Certificate Recovery Lab: Implementing Active Directory Certificate Services Module Review and Takeaways 10-1 10-2 10-10 10-16 10-21 10-29 10-33 10-41

Module Overview

Public key infrastructure (PKI) consists of several components that help you secure corporate communications and transactions. One such component is the Certification Authority (CA). You can use CAs to manage, distribute, and validate digital certificates that are used to secure information. You can install Active Directory Certificate Services (AD CS) as a root CA or a subordinate CA in your organization. In this module, you will learn about implementing AD CS server role and certificates.

Objectives
After completing this module, you will be able to: Describe PKI. Deploy CAs. Deploy and manage certificate templates. Implement certificate distribution and revocation. Manage certificate recovery.

MCT USE ONLY. STUDENT USE PROHIBITED

10-2 Implemen nting Active Directory y Certificate Services

Lesson 1

PKI Ov verview

PKI helps you veri ify and authen nticate the iden ntity of each p party involved in an electronic transaction. . It also o helps you est tablish trust be etween compu uters and the c corresponding applications t that are hosted d on app plication server rs. A common example includes the use of f PKI technolog gy to secure w websites. Digita al cert tificates are key PKI components that cont tain electronic credentials, w which are used to authenticat te user rs or computers. Moreover, certificates c can n be validated using certifica ate discovery, path validation, and revocation ch hecking proces sses. Windows Server 2012 supports build ding a certifica ate services infra astructure in your y organization using AD CS C component ts.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe PKI. Describe com mponents of a PKI solution. Describe CAs. Describe the AD CS server role r in Window ws Server 2012 2. Describe new w features in AD D CS in Windo ows Server 201 12. Explain the difference betw ween public and private CAs. Describe cros ss-certification hierarchy.

Wh hat Is PKI? ?
PKI is a combinati ion of software e, encryption tech hnologies, processes, and services that assi ist an orga anization with securing its co ommunication ns and business transactions. It is a system of dig gital cert tificates, certification authori ities, and other regi istration autho orities. When an a electronic tran nsaction takes place, PKI verifies and auth henticates the validity of eac ch party involv ved. PKI standards are still evolving, but they are widely w imp plemented as an a essential component of elec ctronic comme erce.

Gen neral conce epts of PKI


In general, g a PKI solution s relies on several technologies and d components.. When you pla an to impleme ent PKI, you should co onsider and un nderstand the following:

Infrastructure e: The meaning g in this contex xt is the same as in any othe er context, such as electricity y, transportation, or water sup pply. Each of these elements s does a specif fic job, and has requirement ts that must be met for it to functi ion efficiently. The sum of th hese elements allows for the e efficient and safe use of PKI. So ome of the elements that ma ake up a PKI ar re the followin ng: o o o A CA A certificate repository y A registra ation authority y

MCT USE ONLY. STUDENT USE PROHIBITED


10-3

Configuring Advanced Windows Server 2012 Services

o o o o

An ability to revoke certificates An ability to back up, recover, and update keys An ability to regulate and track time Client-side processing

Most of these components will be discussed in later topics and lessons of this module. Public/Private Keys: In general, there are two methods for encrypting and decrypting data: o

Symmetric encryption: The methods to encrypt and decrypt data are identical, or mirrors of each other. Data is encrypted by using a particular method or key. To decrypt the data, you must have the same, identical method or key. Therefore, anyone who has the key can decrypt the data. The key must remain private to maintain the integrity of the encryption.

Asymmetric encryption: In this case, the methods to encrypt and decrypt data are not identical or mirrors of each other. Data is encrypted by using a particular method or key. However, a different key is used to decrypt data. This is achieved by using a pair of keys. Each person gets a key pair, which consists of a public key and a private key. These keys are unique, and data that the public key encrypts can be decrypted by using the private key, and vice versa. In this situation, the keys are sufficiently different and knowing or possessing one does not allow you to determine the other. Therefore, one of the keys (public) can be made publicly available without reducing the security of the data, as long as the other key (private) remains privatehence the name Public Key Infrastructure.

Algorithms that use symmetric encryption are fast and efficient for large amount of data. However, because they use a symmetric key, they are not considered secure enough, because you always must transport the key to the other party. Alternatively, algorithms that use asymmetric encryption are secure, but very slow. Because of this, it is common to use hybrid approach, which means that data is encrypted by using symmetric encryption, while the symmetric encryption key is protected with asymmetric encryption. When you implement a PKI solution, your entire system, especially the security aspect, can benefit. The benefits of using PKI include: Confidentiality: A PKI solution enables you to encrypt both stored and transmitted data.

Integrity: You can use PKI to sign data digitally. A digital signature identifies whether any data was modified while information was transmitted.

Authenticity and non-repudiation: Authentication data passes through hash algorithms such as Secure Hash Algorithm 1 (SHA-1) to produce a message digest. The message digest is then digitally signed using the senders private key to prove that the message digest was produced by the sender. Non-repudiation is digitally signed data in which the digital signature provides both proof of the integrity of signed data, and proof of the origin of data.

Standards-based approach: PKI is standards-based, which means that multiple technology vendors are compelled to support PKI-based security infrastructures. It is based on industry standards defined in RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.

MCT USE ONLY. STUDENT USE PROHIBITED

10-4 Implemen nting Active Directory y Certificate Services

Co omponents s of a PKI Solution S


There are many co omponents that are required d to wor rk together to provide a com mplete PKI solu ution. The PKI compone ents in Window ws Server 2012 2 are: CA: CA issues s and manages s digital certific cates for users, serv vices, and com mputers. By deploying CA A, you establish h the PKI in yo our organization.

Digital certific cates: Digital certificates c are similar in func ction to an ele ectronic passpo ort. A digital certific cate is used to prove the identity of the user (o or other entity) ). Digital certificates contain the electronic crede entials that are e associated with a public key y and a private e key, which a re used to aut thenticate user rs and other devices such as Web servers and mail servers. Dig gital certificate es also ensure t that software or code is run from a trusted source. Digital cer rtificates conta ain various fiel ds, such as Subject, Issuer, and Common n Name. These e fields are used to determine the specific use of the cert tificate. For example, a Web server certific cate might con ntain the Comm mon Name fie eld of web01. .contoso.com m, which would d make that certificate valid only o for that web w server. If a n attempt wer re made to use e that certifica ate on a web server named web02 2.contoso.com m, the user of that server wo ould receive a warning. Certificate tem mplates: This component c de escribes the co ontent and pur rpose of a digital certificate. When reques sting a certifica ate from an AD D CS enterprise e CA, the certi ificate requestor will, depend ding on his or her access rights, be able to sele ect from a vari iety of certifica ate types base ed on certificat te templates, such as User and d Code Signing g. The certifica ate template sa aves users from m low-level, technical decisions about th he type of cert tificate they ne eed. In additio on, they allow a administrators s to distinguish who might requ uest which cert tificates. CRLs and Onl line Responders: o

Certificat te revocation lists (CRLs) are complete, dig gitally signed li ists of certifica ates that have been revoked. These lists are e published pe eriodically and can be retriev ved and cached by clients (b based on the co onfigured lifetime of the CRL L). The lists are e used to verify y a certificates revocation st tatus.

Online Re esponders are part of the On nline Certificat te Status Proto ocol (OCSP) ro ole service in Windows s Server 2008 and a Windows Server 2012. A An Online Resp ponder can rec ceive a reques st to check for r revocation of f a certificate without w requir ring the client to download t the entire CRL. This speeds up certificate re evocation chec cking, and red uces the netw work bandwidth h. It also increa ases scalability y and fault tolerance, by allo owing for array y configuratio n of Online Re esponders.

Public keyba ased applicatio ons and service es: This relates s to application ns or services t that support p public key encryptio on. In other wo ords, the applic cation or servi ces must be able to support t public key implementati ions to gain th he benefits from m it. Certificate and CA management tools: Management to ools provide co ommand-line a and GUI-based d tools to: o o o o o Configure CAs Recover archived a private keys Import and export keys s and certificat tes Publish CA C certificates and CRLs Manage issued certifica ates

MCT USE ONLY. STUDENT USE PROHIBITED


10-5

Configuring g Advanced Windows s Server 2012 Serviices

Authority in nformation acc cess (AIA) and CRL distributi ion points (CD DPs): AIA points determine th he location wh here CA certific cates can be fo ound and valid dated, and CD DP locations de etermine the p points where certificate revocati ion lists can be e found during g certificate va alidation proce ess. Because CR RLs can become lar rge, (dependin ng on the number of certifica ates issued and d revoked by a CA), you can n also publish sma aller, interim CRLs C called del lta CRLs. Delta CRLs contain only the certif ficates revoked d since the last reg gular CRL was published. p This s allows clients s to retrieve th he smaller delt ta CRLs and mo ore quickly build a complete list of revoked d certificates. T The use of delt ta CRLs also allows revocatio on data to be published more frequently, becau use the size of f a delta CRL m means that it usually does no ot require as much m time to transfer t as a fu ull CRL.

Hardware security s modul le (HSM): A ha ardware securit ty module is a n optional sec cure cryptographic hardware device d that acc celerates crypto ographic proc essing for man naging digital keys. It is a hig gh security, specialized stora age that is connected to the CA for manag ging the certifi icates. An HSM M is typically att tached to a co omputer physic cally. This is an n optional add d-on in your PK KI, and is most t widely used in high security environments whe ere there wou ld be a signific cant impact if a key were compromis sed.

Note: The e most importa ant componen nt of any secur rity infrastruct ure is physical security. A ecurity infrastructure is not ju ust the PKI implementation. Other elemen ntssuch as physical se se ecurity and ade equate securit ty policiesare e also importa ant parts of a h holistic security y in nfrastructure.

What W Are CAs? C


A CA is a well-d designed and highly h trusted service in n an enterprise e, which provid des users and co omputers with h certificates, maintains m the CRLs, C an nd optionally responds r to OCSP requests. You ca an install a CA in your enviro onment by dep ploying th he AD CS role on Windows Server S 2012. When W th he first CA is in nstalled, it establishes the PK KI in the ne etwork, and it provides the highest h point in i the whole w structure e. You can have e one or more e ce ertification aut thorities in one e network, but t only on ne CA can be at a the highest point on the CA C hi ierarchy (that CA C is called the root CA, whi ich will be e discussed lat ter in this mod dule).

One O of the main n purposes of the CA is to issue certificate es, revoke certificates, and pu ublish AIA and d CRL in nformation. By doing that, th he CA ensures that users, ser rvices, and com mputers are iss sued certificate es that ca an be validated d. A CA performs multiple funct tions or roles in n a PKI. In a la rge PKI, separation of CA ro oles among mu ultiple se asks, including ervers is comm mon. A CA prov vides several management m ta g: Verifying th he identity of the t certificate requestor. Issuing cert tificates to requesting users, computers, an nd services. Managing certificate c revo ocation.

When W you deploy a first CA (r root CA) in you ur network, it issues a certifi cate for itself. After that, oth her CAs re eceive certificates from the first CA. You ca an also choose e to issue a cer rtificate for you ur CA by using g one of pu ublic CAs.

MCT USE ONLY. STUDENT USE PROHIBITED

10-6 Implemen nting Active Directory y Certificate Services

Ov verview of the AD CS S Server Ro ole in Win ndows Serv ver 2012


All PKI-related P components are deployed as role r serv vices of the AD D CS server role e. This role is made m up of o several com mponents that are known as role serv vices. Each role e service is resp ponsible for a spec cific portion of f the certificate infrastructur re, while working tog gether to form m a complete solu ution. Role e services of th he AD CS role are: CA. This component issues certificates to users, computers, and services. It also manages cert tificate validity y. Multiple CAs s can be chained to o form a PKI hierarchy.

CA Web enro ollment. This co omponent pro ovides a metho od to issue and d renew certificates for users s, computers, and devices tha at are not joine ed to the dom main, are not co onnected direc ctly to the netw work, or are for use ers of non-Win ndows operat ting systems.

Online Respo onder. You can use this comp ponent to conf figure and ma anage OCSP va alidation and revocation ch hecking. Online e Responder decodes d revoca ation status re equests for spe ecific certificate es, evaluates the status of thos se certificates, and returns a signed respon nse containing the requested d certificate status informatio on. Unlike in Windows W Serve r 2008 R2, you u can install On nline Responder on any version of o Windows Server 2012. The e certificate rev vocation data can come from m a CA on a computer tha at is running Windows W Serve er 2003, Windo ows Server 200 08, or from a n non-Microsoft CA. Network Device Enrollment t Service. With h this compone ent, routers, sw witches, and ot ther network devices can obtain o certificates from AD CS. C On Window ws Server 2008 8 R2, this comp ponent is only available on the t Enterprise and Datacente er editions, bu ut on Windows s Server 2012, you can instal ll this role service on any version of Windows Server. Certificate Enrollment Web Service. This component c wo orks as a proxy y between Win ndows 7 and Windows 8 cl lient computer rs and the CA. This compone ent is new to W Windows Serve er 2008 R2 and d Windows Serv ver 2012, and requires that the t Active Dire ectory forest b be at least at th he Server 2008 8 R2 level. It enables users to connect to a CA by means of a web browser r to perform th he following: o o o o Request, renew, and install issued certificates Retrieve CRLs Download a root certif ficate Enroll over the internet t or across fore ests (new to W Windows Server 2008 R2)

Certificate Au uthority Policy Web Service. This compone ent is new to W Windows Serve er 2008 R2 and d Windows Serv ver 2012. It en nables users to obtain certific cate enrollmen nt policy inform mation. Comb bined with the Certificate Enrollm ment Web Service, it enables policy-based c certificate enro ollment when the client comput ter is not a me ember of a dom main, or when n a domain me ember is not co onnected to th he domain.

MCT USE ONLY. STUDENT USE PROHIBITED


10-7

Configuring g Advanced Windows s Server 2012 Serviices

What W Is Ne ew in AD CS C in Windows Serve er 2012


Like many other Windows Ser rver roles, AD CS is im mproved and enhanced e in Windows W Server 2012. Th he AD CS role in Windows Server 2012 stil ll has th he same six role services, as described d in th he previous topic. In addition, it now provides multiple m new fe eatures and cap pabilities comp pared to o previous vers sions.

In n Windows Ser rver 2008 R2, some s of the AD D CS ro ole services req quire a specific c Windows Ser rver ve ersion. For exa ample, Network Device Enrollment Se ervice (NDES) does not work k on the Windo ows Se erver 2008 Standard edition, , but only on the t Windows W Server 2008 Enterpr rise edition). In n Windows Ser rver 2012, all r role services ar re available on n all Windows W Server versions.

Th he AD CS Serv ver role, in addition to all rela ated role servi ces, can run o n Windows Se erver 2012 with h full GUI, Minimal Se erver Interface, or on a Serve er Core installa ation. You can deploy AD CS S role services in Windows W Server 2012 using Server S Manage er, or Windows s PowerShell cmdlets, while e working loca ally at th he computer or o remotely ove er the network k.

Fr rom a manage ement perspec ctive, AD CS an nd its events, a and the Best Pr ractices Analyz zer tool are no ow fully in ntegrated into the Server Ma anager console e, which mean s that you can n access all its o options directly from Se erver Manager r. AD CS is also o fully manage eable by using the Windows PowerShell co ommand-line in nterface. rsion Th he Windows Server 2012 ver rsion of AD CS S also introduc ces a new certificate templat te versionver cussed separately in Lesson 3. 4 which provid des some new w capabilities. This T will be disc

Certificate Enrollment Web Se ervices is also enhanced e in W Windows Serve er 2012. This fe eature, introdu uced in Windows W 7 and Windows Serv ver 2008 R2, allows a online c ertificate requ uests to come f from untrusted d Active Directory Doma ain Services (AD DS) domains or even from m computers o or devices that are not joined d to a do omain. AD CS in Windows Server 2012 adds the ability t to renew certif ficates automa atically for com mputers th hat are part of untrusted AD DS domains, or o are not join ned to a domain. Fr rom a security perspective, AD A CS in Windows Server 20 012 provides th he ability to re equire the rene ewal of a certificate with the same key. Windows Se erver 2012 also o supports gen nerating truste ed platform module (T TPM)protecte ed keys using TPM-based T key y storage prov viders (KSPs). T The benefit of using a TPM-b based KS SP is true non-exportability of keys that ar re backed up b by the anti-ha mmering mec chanism of TPM Ms (for ex xample, if a user enters a wro ong PIN too many m times). To o enhance sec curity even furt ther, you can n now fo orce encryption n of all certific cate requests that come to A AD CS in Windo ows Server 2012.

Virtual V Smar rt Cards

Sm mart cards, as an option for multi-factor authentication,, have been us sed since Wind dows Server 20 000. Th hey provide en nhanced secur rity over passw words, as it is m much more diff ficult for an un nauthorized us ser to ga ain and mainta ain access to a system. In addition, access to a smart car rd-protected system requires that a us ser both have a valid card an nd know the PIN P that provid des access to t hat card. By de efault, only on ne copy of f the smart car rd exists, so on nly one individual can be usi ng their login credentials at t a time. In add dition, a us ser will quickly y notice if their r card has been lost or stole n, especially w when their card d is combined with ac ccess to doors or other funct tions. This greatly reduces th he risk window w of credential theft in comp parison to o passwords.

MCT USE ONLY. STUDENT USE PROHIBITED

10-8 Implemen nting Active Directory y Certificate Services

How wever, implementation of sm mart card infrastructure has h historically som metimes been too expensive e. To imp plement smart cards, compan nies had to buy hardware, in ncluding smart t card readers and smart car rds. This s cost, in some e cases, prevented the deploy yment of mult ti-factor authe entication.

To address a these issues, Window ws Server 2012 2 AD CS introd duces a techno ology that prov vides the security of sma art cards while reducing mat terial and supp port costs. This s is done by pr roviding Virtua al Smart Cards. Virtual Smart Card ds emulate the e functionality of traditional smart cards, b but instead of requiring the purc chase of additional hardware, they utilize technology th hat users alread dy own and ar re more likely t to have with them at t all times.

ds in Windows s Server 2012 leverage the ca apabilities of t the TPM chip t that is present on Virtual Smart Card mos st of the comp puter motherboards produce ed in the past t two years. Bec cause the chip is already in t the com mputer, there is s no cost for buying b smart cards and smar rt card readers s. However, un nlike traditiona al sma art cards, wher re the user was s in a physical possession of the card, in th he Virtual Smart Card scenar rio, a com mputer (or to be b more specif fic, TPM chip on o its motherb board) acts like e a smart card. By using this app proach, two-fac ctor authentica ation similar to o traditional sm mart cards is a achieved. A use er must have h his or her computer (wh hich has been set s up with the e Virtual Smar rt Card), and al lso know the P PIN necessary to use his or o her Virtual Smart S Card. It is important to understand ho ow Virtual Sma art Cards prote ect private key ys. Traditional smart cards ha ave thei ir own storage e and cryptographic mechanism for protec cting the private keys. In the e Virtual Smart Card scen nario, private keys k are protec cted not by iso olation of phys sical memory, but rather by the cryptogra aphic capabilities of the e TPM: all sensitive information that is stor red on a smart t card is encryp pted using the e TPM, and then stored on o the hard dri ive in its encry ypted form. Alt though private e keys are stor red on a hard d drive (in encrypted e form m), all cryptographic operations occur in th he secure, isolated environm ment of the TPM. Priv vate keys never r leave this env vironment in unencrypted u fo orm. If the har rd drive of the machine is com mpromised in any a way, privat te keys cannot t be accessed, because they are protected and encrypted by TPM M. To provide more m security, you can also encrypt e the dr rive with Wind dows BitLocker r Drive Encryp ption. To deploy d Virtual Smart Cards, you y need Windows Server 2 012 AD CS an d a Windows 8 client machine with h a TPM chip on o motherboard.

Public vs. Pri ivate CAs


Whe en you are pla anning PKI imp plementation for f your organization n, one of the first choices you u should make is be etween private e and public CA As. It is po ossible for you u to establish PKI P by using ei ither of these approach hes. If you decide to use a pr rivate CA, then you deploy the AD CS server role, an nd then n establish an internal PKI. If f you decide to o use an external e PKI, yo ou do not hav ve to deploy an ny serv vice internally. Both approaches have advantag ges and disa advantages, as specified in th he following ta able. CA A type Ex xternal Public CA Adv vantages Trusted T by ma any external clients c (web br rowsers, operating o syst tems) Requires minim mal administration a n Disadvant tages Higher r cost as comp pared to an in nternal CA Cost is based per cate certific cate procurem ment is Certific

MCT USE ONLY. STUDENT USE PROHIBITED


10-9

Configuring g Advanced Windows s Server 2012 Serviices

CA C type

Advantages A

Disadva antages slowe er

Internal Privat te CA

Provides gre eater control o over certificate management m a compared to oa Lower cast as public CA Customized templates ment Autoenrollm

By de efault, not trus sted by exter rnal clients (we eb brow wsers, operatin ng syste ems) Requ uires greater administration

So ome organizat tions have star rted using a hy ybrid approach h to their PKI a architecture. A hybrid appro oach us ses an external public CA for r the root CA, and a hierarch hy of internal C CAs for distribution of certificates. Th his gives organ nizations the advantage a of having h their int ternally issued d certificates tr rusted by exter rnal clients, while sti ill providing th he advantages of an internal CA. The only disadvantage is cost. A hybr rid ap pproach is typically the most t expensive ap pproach, becau use public cert tificates for CA As are very exp pensive. In n addition, you u can also choo ose to deploy internal PKI fo or internal purp poses such as Encrypting File e Sy ystem (EFS), an nd digital signa atures. For ext ternal purpose es, such as prot tecting web or r mail servers w with Se ecure Socket Layer L (SSL), you u must buy a public p certifica ate. This appro oach is not very y expensive, an nd is probably the most cost-effect tive solution.

What W Is a Cross-Certi C ification Hierarchy? H


As cross-certific cation implies, in cross-certification hi ierarchy the ro oot CA in each CA hierarchy provides a cross s-certification certificate to the t root CA A in the other CA hierarchy. The other hie erarchy ro oot CA then installs the supp plied certificate e. By do oing so, the trust flows down to all the su ubordinate CA As below the le evel where the crossce ertification cer rtificate was ins stalled.

Cross-Certifi C cation Bene efits


A cross-certifica ation hierarchy y provides the fo ollowing benef fits: Provides interoperability between busin nesses and bet tween PKI pro oducts rate PKIs Joins dispar Assumes co omplete trust of o a foreign CA A hierarchy

Companies usually deploy cro oss-certificatio ons to establish h a mutual trus st on PKI level, and also to im mplement som me other applic cations that rel ly on PKI, such h as Active Dire ectory Rights M Management Services (A AD RMS). Question: Your Y company y is currently acquiring anoth her company. Both companies run their own PKI. What W could you u do to minimize disruption and continue to provide PKI services seamlessly? ?

MCT USE ONLY. STUDENT USE PROHIBITED

10-10

Implementing Active Directo ory Certificate Service es

Lesson 2

Deploy ying CA As

The first CA that you y install will be a root CA. After you inst all the root CA A, you can opt tionally install a subordinate CA to o apply policy restrictions an nd distribute ce ertificates. You u can also use a CAPolicy.inf f file to automate a additional CA insta allations and provide p additio onal configuration settings that are not avai ilable with the e standard GUIbased installa ation. In this le esson, you will learn about d deploying CAs in the Win ndows Server 2012 2 environm ment.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe options for implem menting CA hierarchies. Explain differences between n standalone and a enterprise e CAs. Describe cons siderations for r deploying a root r CA. Deploy a root t CA. Describe cons siderations for r deploying a subordinate s CA A. Describe how w to use CAPolicy.inf file for installing i the C CA.

Op ptions for Implemen I ting CA Hierarchies


Whe en you decide e to implement t PKI in your orga anization, one e of the first de ecisions you must mak ke is how to de esign your CA hierarchy. CA hier rarchy determi ines the core design d of your inte ernal PKI, and also a determine es the purpose e of each h CA in the hie erarchy. Each CA C hierarchy includes two or more m CAs. Usua ally, the second d CA (and d all others aft ter that) is dep ployed with a spec cific purpose, because only the t root CA is man ndatory. The following points describe so ome scenarios s for imp plementing a CA C hierarchy.

Policy CA: Policy CAs are a type of subord dinate CA that t are located d directly below t the root CA in n a CA hierarchy. You utilize policy y CAs to issue CA certificates s to subordinate CAs that are e located direc ctly below the po hen different d olicy CA in the hierarchy. Use e policy CAs wh divisions, secto ors, or location ns of your organiza ation require different d issuan nce policies an nd procedures.. Cross-certifica ation trust: In this scenario, two t independe ent CA hierarc chies interoper rate when a CA A in one hierarchy y issues a CA certificate c to a CA in the othe er hierarchy. C Cross-certification trusts are discussed in more m detail lat ter in this mod dule.

Two-tier hiera archy: In a two o-tier hierarchy y, there is a ro oot CA and at l east one subo ordinate CA. In n this scenario, the subordinate CA C is responsib ble for policies,, and for issuin ng certificates to requestors. .

MCT USE ONLY. STUDENT USE PROHIBITED


10-11

Configuring A Advanced Windows S Server 2012 Service es

Standalone e vs. Enterp prise CAs


In n Windows Ser rver 2012, you can deploy tw wo types of f CAs: standalo one CA and en nterprise CA. These ty ypes are not ab bout hierarchy y, but about fu unctionality an nd configuratio on storage. The e most im mportant differ rence between n these two CA A types is Active Directo ory integration n and depende ency. A st tandalone CA can c work without AD DS, an nd does no ot depend on it in any way. An enterprise CA re equires AD DS, , but it also pro ovides several be enefits, such as autoenrollment. Th he following ta able details the e most signific cant di ifferences betw ween standalo one and enterp prise CA As. Characteristic C Typical usage e Standalone e CA A standalo one CA is typic cally used for offline o CAs, but t it can be use ed for a CA tha at is consistently available on n the netwo ork. A standalo one CA does n not depend on n AD DS and c can be deploy yed in nonAct tive Directory environments. e . Enterpr rise CA terprise CA is t typically An ent used to o issue certificates to users, c computers, an nd service es, and is not ty ypically used as an offline CA A. terprise CA req quires An ent AD DS , which can be e used as iguration and a confi registration database e. An enterp prise CA also provides a publ ication point f for certific cates issued to users and co omputers. rs can request User certi ificates from an ente erprise CA usin ng the follo owing methods: Man nual Enrollmen nt Web b Enrollment Auto oenrollment Enro ollment agent Certificate issuance methods All request ts must be manually approved a by a certificate administrator r. Reques sts can be automatically issued or denied d, based on the e templa ates discretion nary access control list (D DACL).

Active Directo ory dependencies s

Certificate req quest methods

Users can only request s from a certificates standalone e CA by using a manual pr rocedure or we eb enrollmen nt.

Most M commonly y, the root CA (which is the first f CA deploy yed) is deploye ed as standalo one CA, and it is taken of ffline after it is ssues a certifica ate for itself an nd for a subor rdinate CA. Alt ternatively, a subordinate CA A is us sually deploye ed as an enterp prise CA, and is configured in n one of scena arios described d in the previo ous to opic.

MCT USE ONLY. STUDENT USE PROHIBITED

10-12

Implementing Active Directo ory Certificate Service es

Co onsideratio ons for Dep ploying a Root CA


Befo ore you deploy y a root CA, th here are severa al decisions that you u should make e. First, you sho ould decide if you will be deploying an offline root t CA or not. n Based on that t decision, you y will also decide if yo ou will be depl loying a standalone root CA A or an enterprise e root t CA. Usually, if you are e deploying a single-layer s CA A hier rarchywhich means that yo ou deploy only ya sing gle CAit is most m common to t choose ente erprise root CA A. However, if you are deplo oying a tw wo-layer hierar rchy, the most common scen nario is to o deploy a stan ndalone root CA C and an ente erprise subordinate CA.

The next factor to o consider is th he operating sy ystem installat tion type. AD C CS is supported in both the f full installation and th es a smaller at he Server Core e installation sc cenarios. Serve er Core provide ttack surface and less administrative e overhead, an nd therefore sh hould be stron ngly considered for AD CS in n an enterprise e environment. In Windows W Serve er 2012, you ca an also use Wi ndows PowerS Shell to deploy y and manage e the AD CS role.

You u should also be b aware that you y cannot change compute er names or co omputer doma ain memberships afte er you deploy on o that compu uter a CA of an ny type, nor ca an you change e the domain n name. Therefore, it is im mportant to de etermine these e attributes before installing a CA. The following table details additional conside erations. Co onsideration A cryptographic c service provider (CSP) that rate a new key y is used to gener Descriptio on The def fault CSP is the e Microsoft Strong Cryptog graphic Provid er. Any pro ovider whose n name starts with a number r sign (#) is a c cryptography N Next Generat tion (CNG) pro ovider. Th he key charact ter length The defau ult key length f for the Microsoft Strong Cry yptographic P Provider is 2,04 48 characters s. This is the m minimum recommen nded value for r a root CA. The defau ult value of the e hash algorith hm is SHA-1. The defau ult value for ce ertificates is five years. The root s server should b be deployed a as an offline CA A. This enhance es security and d safeguard ds the root cert tificate (because it is over the netwo ork). not availa ble to attack o

Th he hash algorithm that is use ed to sign ce ertificates issue ed by a CA Th he validity per riod for certific cates issued by y a CA Th he status of the root server (online ( or of ffline)

Specifically, if you u decide to dep ploy an offline e standalone ro oot CA, there a are some spec cific considerat tions that t you should have h in mind:

Before you iss sue a subordin nate certificate e from root CA A, make sure th hat you provid de at least one CDP and AIA locat tion that will be b available to all clients. Thi s is because, b by default, a st tandalone root t CA

MCT USE ONLY. STUDENT USE PROHIBITED


10-13

Configuring A Advanced Windows S Server 2012 Service es

has the CDP and AIA loca ated on itself. Therefore, T whe en you take th he Root CA off f the network, revocation check will fail, as the CDP an nd AIA locatio ns will be inac ccessible. When you define t these locations, you hat location. y should manually copy CR RL and AIA inf formation to th

Set a validit ty period for CRLs C that root CA publishes t to a long perio od of time (for r example, one e year). This means that you will have to turn on o root CA onc ce per year to publish a new w CRL, and then n copy it to a locat tion that is ava ailable to clients. If you fail to o do so, after t the CRL on the e root CA expi ires, revocation check for all certificates c will also fail.

Publish roo ot CA certificate to a trusted root certificat ion authority s store on all ser rver and client t machines, by b using Group p Policy. You must m do this m manually, beca use a standalo one CA cannot t do it automatica ally, unlike an enterprise e CA. You can also p publish the root CA certifica ate to AD DS b by using the certutil command-lin ne tool.

Demonstra D ation: Depl loying a Ro oot CA


In n this demonst tration, you will see how to deploy d an Ente erprise root CA A.

Demonstrati D ion Steps Deploy D a Roo ot CA


1. . 2. . 3. . 4. . 5. . 6. . In Server Manager, M add the Active Dire ectory Certifi icate Services s role. Select the Certification C Authority A role e service.

After the in nstallation com mpletes success sfully, click the e text Configu ure Active Dire ectory Certifi icate Services on n the destination server. Select to install Enterpris se Root CA. Set the Key y length to 409 96. Name the CA C AdatumRo ootCA.

Considerat C ions for Deploying a Subordin nate CA


Yo ou can use a subordinate CA A to implemen nt policy re estrictions for PKI, P and to dis stribute certific cates to clients. After ins stalling a root CA for the or rganization, yo ou can install one o or more su ubordinate CA As.

When W you are using u a subord dinate CA to di istribute ce ertificates to users or compu uters that have e an ac ccount in an AD A DS environm ment, you can install th he subordinate e CA as an ente erprise CA. Then, you ca an use the data from the clie ent accounts in n AD DS to o distribute and manage cert tificates, and to pu ublish certifica ates to AD DS. However, to co omplete this procedure, p you must be a me ember of the lo ocal Administr rators group, o or have equiva alent pe ermissions. If the t subordinat te CA will be an enterprise C CA, you also ne eed to be a me ember of the D Domain Admins group or o have equiva alent permissio ons.

Fr rom a security perspective, a recommende ed scenario wo ould be to hav ve an offline ro oot standalone e CA and an n Enterprise su ubordinate CA.

MCT USE ONLY. STUDENT USE PROHIBITED

10-14

Implementing Active Directo ory Certificate Service es

A su ubordinate CA A is usually dep ployed to achie eve some of th he following fu unctionalities:

Usage: You may m issue certif ficates for a nu umber of purp poses, such as s secure email and network authentication. The issuing policy for these uses may b e distinct, and d separation pr rovides a basis s for administering g these polices s.

Organizational divisions: Yo ou may have different d policie es for issuing c certificates, de epending upon n an entitys role in n the organiza ation. You can create subord dinate CAs to s separate and a administer thes se policies. Geographic divisions: d Organizations often n have entities s at multiple p physical sites. L Limited networ rk connectivity between b these e sites may req quire individua al subordinate CAs for many or all sites. Load balancin ng: If you will be b using your PKI to issue an nd manage a l large number of certificates, , having only one o CA can res sult in considerable network k load for that single CA. Usin ng multiple subordinate CAs C to issue th he same kind of o certificates d divides the net twork load bet tween CAs.

Backup and fault tolerance: Multiple CAs increase the p possibility that t your network k will always ha ave operational CAs C available to o respond to user u requests.

Ho ow to Use the t CAPolicy.inf File e for Instal llation


If yo ou want to dep ploy root or su ubordinate CA A, and you want to both predefine som me values for use u during installation n and define so ome additiona al para ameters, you can c use the CA APolicy.inf file to t com mplete these st teps. The CAPo olicy.inf file is a plain text file that t contains vario ous settings th hat are used when ins stalling the AD D CS role, or when rene ewing the CA certificate. The e CAPolicy.inf file is not required to in nstall AD CS, bu ut without it, the t defa ault settings will w be applied, and in many cases, c the default setting gs are insufficient. You can use u the CAPolicy.inf fi ile to configure e CAs in more com mplicated deployments. Each h CAPolicy.inf file is divided into sections, and has a sim ple structure, w which can be described as follo ows: A section is an area in the .inf file that contains a logica al group of key ys. A section always appears in brackets in th he .inf file. A key is the parameter p that t is to the left of o the equal (= =) sign. A value is the e parameter that is to the rig ght of the equa al sign.

For example, if yo ou want to spe ecify Authority Information A Access point in n the CAPolicy. .inf file, you will use follo owing syntax:
[AuthorityInformationAccess] URL=http://pki.adatum.com/CertData a/adatumCA.cr rt

In th his example, AuthorityInform A mationAccess is i a section, UR RL is the key, a and http p://pki.adatum.com/CertD Data/adatumC CA.crt is the va alue.

MCT USE ONLY. STUDENT USE PROHIBITED


10-15

Configuring Advanced Windows Server 2012 Services

You can also specify some CA server settings in the CAPolicy.inf file. One example of the section that specifies these settings is :
[certsrv_server] RenewalKeyLength=2048 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=5 CRLPeriod=Days CRLPeriodUnits=2 CRLDeltaPeriod=Hours CRLDeltaPeriodUnits=4 ClockSkewMinutes=20 LoadDefaultTemplates=True AlternateSignatureAlgorithm=0 ForceUTF8=0 EnableKeyCounting=0

Note: All parameters from the previous examples are optional. You can also use the CAPolicy.inf file when installing AD CS to define the following:

Certification practice statement (CPS): Describes the practices that the CA uses to issue certificates. This includes the types of certificates issued, information for issuing, renewing, and recovering certificates, and other details about the CAs configuration. Object identifier (also known as OID): Identifies a specific object or attribute. CRL publication intervals: Defines the interval between publications for the base CRL. CA renewal settings: Defines renewal settings as follows: o o o Key size: Defines the length of the key pair used during the root CA renewal. Certificate validity period: Defines the validity period for a root CA certificate. CDP and AIA paths: Provides the path used for root CA installations and renewals.

Once you have created your CAPolicy.inf file, you must copy it into the %systemroot% folder of your server (for example, C:\Windows) before you install the AD CS role, or before you renew the CA certificate. Note: The CAPolicy.inf file is processed for both the root and subordinate CA installations and renewals.

MCT USE ONLY. STUDENT USE PROHIBITED

10-16

Implementing Active Directo ory Certificate Service es

Lesson 3

Deploy ying and Mana aging Certificat te Templates

Cert tificate templa ates define how w a certificate can be reques sted and for w what it can be u used. Template es are configured on the e CA, and they y are stored in the Active Dir rectory databa se. There are d different versio ons of tem mplates: the Microsoft Windo ows 2000 Serve er Enterprise C CA supports ve ersion 1 certific cate templates s, the Win ndows Server 2003 2 Enterprise e Edition supp ports versions 1 and 2 templa ates, and Wind dows Server 20 008 Ente erprise suppor rts versions 1, 2, 2 and 3 certificate template es. Windows Se erver 2012 intr roduces version 4 tem mplates, yet still also supports s all three prev vious template e versions. Two o types of certi ificate templat te categories are a users and c computers, and d each can be used for mult tiple l permissions t purposes. You can n assign Full Control, Read, Write, W Enroll, a and Autoenroll to certificate tem mplates. You ca an update certificate templat tes by modifyi ng the origina al certificate te emplate, copying a tem mplate, or superseding existin ng certificate templates. In th his lesson, you u will learn how w to manage a and dep ploy certificate templates.

Les sson Objecti ives


Afte er completing this lesson, yo ou will be able to: Describe certificate templat tes. Describe certificate templat te versions in Windows W Serve er 2012. Configure cer rtificate templa ate permission ns. Configure cer rtificate templa ate settings. Describe options for updating a certificat te template. Modify and enable e a certificate template.

Wh hat Are Ce ertificate Templates? T ?


Cert tificate templa ates allow adm ministrators to cust tomize the distribution meth hod of certifica ates, defi ine certificate purposes, and mandate the type of usage u allowed by a certificate e. Administrators can easily create templates, t and d can then quic ckly dep ploy them to th he enterprise by b using the bu uilt-in GUI or command-line managem ment utilities.

Asso ociated with each certificate template is its s DAC CL, which defin nes what secur rity principals have perm missions to rea ad and configu ure the templa ate, and to enroll or autoenroll for certificates c bas sed on the t template. The T certificate templates and d thei ir permissions are defined in n AD DS and ar re valid within the forest. If m more than one e enterprise CA A is runn ning in the Active Directory forest, permission changes w will affect all C CAs.

Whe en you define a certificate te emplate, the definition d of th he certificate te emplate must be available to o all CAs s in the forest. This is accomp plished by stor ring the certifi cate template information in n the Configur ration nam ming context, where w CN=Con nfiguration, an nd DC=ForestR RootName. Th he replication o of this informa ation dep pends on the Active A Directory y replication schedule, and t the certificate template may y not be available to all CAs C until replic cation complet tes. Storage an nd replication are accomplis shed automatic cally.

MCT USE ONLY. STUDENT USE PROHIBITED


10-17

Configuring A Advanced Windows S Server 2012 Service es

Note: Prio or to Windows s Server 2008 R2, R only the En nterprise versio on of Window ws Server su upported management of ce ertificate temp plates. In Wind ows Server 20 008 R2 and Win ndows Server 20 012, you can also a manage ce ertificate temp plates in the St tandard editio ns.

Certificate C Template Versions in Window ws Server 2 2012


Windows W Server 2012 Certific cation Authorit ty su upports four ve ersions of certificate templat tes. Certificate temp plates versions s 1, 2 and 3 are e legacy from previous versions v of Win ndows Server, while ve ersion 4 is new w to Windows Server 2012. Certificate temp plate versions correspond c to o the Windows W Server operating system version. Windows W 2000 Server, Windo ows Server 200 03, Windows W Server 2008, and Windows W Server r 2012 co orrespond to version v 1, versi ion 2, version 3, 3 and ve ersion 4 respec ctively.

Aside from corr responding wit th Windows Se erver op perating system versions, certificate templ late versions a lso have some e functional differences as fo ollows:

Windows 2000 Advanced d Server operating system pr rovides support for version 1 certificate templates. The only modification allow wed to version 1 templates is changing per rmissions to eit ther allow or dis sallow enrollment of the cert tificate templa ate. When you install an ente erprise CA, ver rsion 1 certificate templates t are created c by def fault. As of July y 13, 2010, Wi indows 2000 S Server is no lon nger supported by Microsoft.

Windows Server 2003 Ent terprise Edition operating sy ystems provide e support for v version 1 and v version 2 templates s. You can cust tomize several settings in th he version 2 templates. The d default installa ation provides se everal preconfigured version 2 templates. Y You can add v version 2 temp plates based on n the requiremen nts of your org ganization. Alte ernatively, you u can duplicate e a version 1 certificate temp plate to create a new version 2 of f the template. . You can then n modify and s secure the new wly created ver rsion 2 certificate template. t Whe en new templates are added to a Windows s Server 2003 e enterprise CA, they are version 2 by default.

Windows Server 2008 Ent terprise operating systems b bring support f for new, versio on 3 certificate e templates. Additionally, A support s for ver rsion 1 and ve rsion 2 is prov vided. Version 3 certificate templates support s severa al features of a Windows Serv rver 2008 enterprise CA, such h as CNG. CNG G provides su upport for Suite B cryptograp phic algorithm ms such as ellip ptic curve crypt tography (ECC C). In Windows Server 2008 Ent terprise, you can c duplicate d default version n 1 and version n 2 templates t to bring them up to o version 3. Windows Server 2008 provides s two new cert tificate templates by default: : Kerberos Authentication and OCSP Res sponse Signing g. In Windows Server 2008 R R2, the Standar rd version was s also able to support s certific cate templates s. When you use version 3 ce ertificate temp plates, r the certificate requests, issued certificate you can use e CNG encrypt tion and hash algorithms for es, and protection of private keys s for key excha ange and key archival scenarios. Windows Server 2012 operating system ms provide sup pport for versio on 4 certificate e templates, an nd for all other ve ersions from ea arlier editions of o Windows Se erver. These ce ertificate temp plates are available only to Win ndows Server 2012 2 and Wind dows 8. To hel lp administrato ors separate w what features a are supported by which oper rating system version, v the Co ompatibility t tab was added d to the certific cate template properties tab. It marks options as unavaila ble in the cert tificate template properties, depending upon the sele ected operating g system versi ons of certifica ate client and CA. Version 4

MCT USE ONLY. STUDENT USE PROHIBITED

10-18

Implementing Active Directo ory Certificate Service es

certificate tem mplates also su upport both CSPs and KSPs. They can also be configured d to require re enewal with a same key. k Upg grading certific cate templates s is a process that applies on nly in situations where the CA A has been upg graded from Windows W Server 2008 or 2008 8 R2 to Windo ows Server 201 12. After the up pgrade, you ca an upg grade the certif ficate templates by launchin ng the CA Man nager console and accepting g the upgrade prompt by clicking Yes.

Co onfiguring Certificate e Template e Permissi ions


To configure c certi ificate templat te permissions, you need to define the e DACL for eac ch certificate tem mplate in the Se ecurity tab. Th he permissions s that are assigned to a certificate tem mplate will defi ine which users or gro oups can read, , modify, enroll, or auto oenroll for that certificate te emplate. You u can assign the following pe ermissions to cert tificate templates:

Full Control: : The Full Control permissio on allows a security principal to modify all attributes of a certificate te emplate, which h includes perm missions for the e certificate template itself. It also includ des permission n to modify th he security desc criptor of the certificate tem mplate. Read: The Re ead permission n allows a user r or computer to view the ce ertificate temp plate when enr rolling te for certificate es. The Read permission is also required by y the certificat te server to find the certificat templates in AD A DS. Write: The Write W permissio on allows a use er or compute er to modify th he attributes of f a certificate template, which includes pe ermissions assigned to the c certificate temp plate itself.

Enroll: The Enroll permission allows a user or compute er to enroll for r a certificate b based on the certificate tem mplate. Howev ver, to enroll fo or a certificate e, you must als o have Read p permissions fo or the certificate tem mplate.

Autoenroll: The T Autoenro oll permission allows a user o or computer to o receive a cer rtificate throug gh the autoenrollme ent process. Ho owever, the Au utoenroll perm mission requir es the user or computer to a also have both Re ead and Enroll l permissions for f a certificate e template.

As a best practice, you should assign a certificat te template pe ermissions to g global or unive ersal groups o only. This s is because the certificate te emplate object ts are stored in n the configura ation naming context in AD DS. You u cannot assign n permissions by using doma ain local group ps that are fou und within an A Active Directo ory dom main. You shou uld never assig gn certificate te emplate perm issions to indiv vidual user or computer acc counts. As a best practice, keep the Rea ad permission allocated to th he Authentica ted Users grou up. This permission allocation allows all a users and computers to view v the certifi cate templates in AD DS. Th his permission assignment also allows a the CA that t is running g under the Sys stem context o of a computer r account to vie ew the certificate tem mplates when assigning a certificates.

MCT USE ONLY. STUDENT USE PROHIBITED


10-19

Configuring A Advanced Windows S Server 2012 Service es

Configuring C g Certifica ate Templa ate Setting gs

Be esides configu uring security settings s for cer rtificate te emplates, you can also config gure several other se ettings for each template. Be e aware howev ver, that th he number of configurable c options o depend ds on th he certificate te emplate versio on. For exampl le, ve ersion 1certific cate templates do not allow modification m of any settings, except e for secu urity, while w certificate e templates fro om higher vers sions allow you to configure most of o the available op ptions. Window ws Server 2012 2 provides sev veral de efault certificate templates for f purposes th hat in nclude code sig gning (for digitally signing so oftware), EFS (f for encrypting data), and the e ability for us ers to log on w with a smart ca ard. To custom mize a te emplate for yo our company, duplicate d the template t and t then modify th he certificate c configuration. Fo or example, yo ou can configu ure the followin ng: Format and d content of a certificate bas sed on the cert tificates intend ded use

Note: . Th he intended us se of a certifica ate may relate e to users or to o computers, b based on the ty ypes of security y implementat tions that are required r to us se the PKI. Process of creating c and submitting a va alid certificate request CSP suppor rted Key length Validity per riod Enrollment process or enrollment requirements

Yo ou can also de efine certificate e purpose in ce ertificate settin ngs. Certificate e templates ca an have the fol llowing pu urposes: Single Purp pose: A single purpose p certifi icate serves a s single purpose e, such as allow wing users to log on with a smar rt card. Organizations utilize e single purpos se certificates in cases where e the certificate configuratio on differs from m other certific cates that are b being deploye ed. For exampl le, if all users w will receive a ce ertificate for sm mart card logo on but only a c couple of grou ups will receive e a certificate f for EFS, organizatio ons will genera ally keep these certificates an nd templates s separate to ensure that users s only receive the required certi ificates.

) at the Multiple Pu urposes: A multi-purpose cer rtificate serves s more than on ne purpose (of ften unrelated) same time. While some te emplates (such h as the User t template) serve e multiple pur rposes by default, organizatio ons will often modify m templates to serve ad dditional purposes. For exam mple, if a comp pany intends on issuing certific cates for three purposes, tho ose purposes c can be combin ned into a single certificate template t to ea ase the administrative effort and maintena ance.

MCT USE ONLY. STUDENT USE PROHIBITED

10-20

Implementing Active Directo ory Certificate Service es

Op ptions for Updating U a Certifica ate Templa ate


The CA hierarchy in most organ nizations has one o cert tificate template for each job b function. For r exam mple, there may be a certific cate template for file encryption and another for code signing. Add ditionally, there e may be a few w templates th hat cove er functions fo or most of the common grou ups of subj jects. As an a IT administr rator, you may y need to mod dify an existing certificate e template bec cause of incorr rect settings or other issues i in the original certifica ate tem mplate. You ma ay also need to o merge multip ple existing certificate e templates int to a single tem mplate. You u can update a certificate tem mplate by either modifying t the template, o or superseding g the existing tem mplate:

Modify the original certifica ate template: To T modify a ce ertificate temp plate of version n 2, 3, or 4, you need to make e changes and then apply th hem to that tem mplate. After t this, any certifi icate issued by y a CA based on that t certificate template will inc clude the mod difications that t you made. Supersede ex xisting certifica ate templates: The T CA hierarc chy of an orga anization may have multiple certificate tem mplates that provide the sam me or similar fu unctionality. In n such a scenario, you can supersede or replace the multiple m certificate templates by using a sin ngle certificate e template. You u can make this rep placement in th he Certificate Templates T con nsole by design nating that a n new certificate e template supersedes, or rep places, the exis sting certificat e templates.

De emonstration: Modif fying and Enabling E a Certificat te Templat te


In th his demonstration, you will see s how to mo odify and enab ble a certificate e template.

Dem monstration n Steps Mo odify and en nable a certificate temp plate


1. 2. 3. 4. 5. 6. On LON-SVR1, open the Ce ertificate Temp plates console.. Review the lis st of available templates. Open Propert ties of IPSec ce ertificate temp plate and revie ew available se ettings.

Duplicate the e Exchange Us ser certificate template. Nam me it Exchang ge User Test1, and then con nfigure it to supersed de the Exchange User temp plate. Allow Authen nticated Users to enroll for th he Exchange U User Test1 tem mplate. Publish the te emplate on LO ON-SVR1.

MCT USE ONLY. STUDENT USE PROHIBITED


10-21

Configuring A Advanced Windows S Server 2012 Service es

Lesson n4

Imple ementin ng Certi ificate Distribu D ution an nd Revo ocation

One O step in dep ploying PKI in your y organization will be to define metho ods for certifica ate distribution n and en nrollment. In addition, a durin ng the certificate manageme ent process, the ere will be tim mes that you may need to o revoke certifi icates. There may m be a numb ber of reasons for revoking c certificates, such as if a key be ecomes compromised, or if someone leaves the organiz zation. You nee ed to ensure that network clients ca an determine which w certifica ates are revoke ed before acce epting authent tication reques sts. To ensure sc calability and high h availabilit ty, you can dep ploy the AD CS S Online Respo onder, which c can be used to o provide certifica ate revocation status. In this lesson, you w will learn about t methods for c certificate dist tribution an nd certificate revocation. r

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Describe op ptions for certi ificate enrollm ment. Describe ho ow autoenrollm ment works. Describe th he Restricted Enrollment Age ent. Explain how w to configure e the Restricted d Enrollment A Agent. Describe th he Network De evice Enrollment Service. Explain how w certificate re evocation work ks. Describe co onsiderations for f publishing AIAs and CDP Ps. Describe an n Online Respo onder. Configure Online O Respon nder.

Options O for r Certificat te Enrollm ment


In n Windows Ser rver 2012, seve eral methods can c be us sed to enroll fo or a user or co omputer certifi icate. Th he use of these e methods dep pends on spec cific sc cenarios. For example, autoe enrollment will probably be use ed to mass-deploy certificate es to a la arge number of o users or com mputers, while manual en nrollment will be used for ce ertificates dedi icated ju ust to specific security s princip pals. Th he following list describes th he different en nrollment met thods, and whe en to use them m:

Autoenrollm ment: Using th his method, the e administrat tor defines the e permissions and a the configuratio on of a certific cate template. These definiti ons help the r requestor to au utomatically re equest, retrieve, and renew certif ficates without t end-user inte eraction. This m method is used d for AD DS do omain computers. The certificate e must be con nfigured for au utoenrollment through Grou up Policy.

CA Web en nrollment: Usin ng this method d, you can ena ble a website CA so that use ers can obtain certificates. . To use CA We eb enrollment t, you must ins stall Internet In nformation Ser rver (IIS) and the web enrollment role on the CA A of AD CS. To o obtain a cert tificate, the req questor logs on to the websi ite, selects the appropriate ce ertificate temp plate, and then n submits a req quest. The cert tificate is issue ed

MCT USE ONLY. STUDENT USE PROHIBITED

10-22

Implementing Active Directo ory Certificate Service es

automatically y if the user ha as the appropriate permissio ns to enroll fo or the certificat te. The CA Web enrollment method m should be used to iss sue certificates s when autoen nrollment cann not be used. Th his can happen in the case of an a Advanced Certificate C requ uest. However r, there can also be cases where autoenrollme ent can be used d for certain certificates, but t not for all certificates.

Manual enrol llment: Using this t method, th he private key y and a certifica ate request are e generated on a device, such as a a web servic ce or a computer. The certifi icate request is then transpo orted to the CA A to or generate the certificate that is requested. . The certificat te is then trans sported back t to the device fo installation. Use U this method when the re equestor canno ot communicate directly with the CA, or if f the device does not n support au utoenrollment.

Enrollment on n behalf (Enrollment Agent): Using this me ethod, a CA ad dministrator cr reates an Enrollment Agent account for f a user. The e user with Enr rollment Agent rights can th hen enroll for certificates on n behalf of oth her users. For example, e use t this method if you need to a allow a manage er to cards preload logon n certificates of o new employ yees on smart c

Ho ow Does Autoenrollm ment Work?


One e of the most common c meth hods for deploying cert tificates in an Active A Director ry environmen nt is to use u autoenrollm ment. This met thod provides an auto omated way to o deploy certif ficates to both users and computers within the PKI. You Y can use auto oenrollment in n environment ts that meet sp pecific requ uirements, suc ch as the use of o certificate tem mplates and Gro oup Policy in AD A DS. It is imp portant to note e, however, tha at you cannot use auto oenrollment with w a standalone CA. You must have an enterprise e CA available to make use of o auto oenrollment.

You u can use autoe enrollment to deploy public keybased ce ertificates auto omatically to users and comp puters in an organization n. The Certifica ate Services ad dministrator du uplicates a cer rtificate templa ate, and then configures the permissions to allow Enroll and d Autoenroll p permissions for r the users who o will receive t the cert tificates. Doma ain-based Grou up Policies, suc ch as compute er-based and u user-based po olicies, can activ vate and manage auto oenrollment. By default, d Group Policy is applied when you restart compu uters, or at logon for users. A Also by default t, Group Policy is refreshed every 90 minutes on n domain mem mbers. This Gro oup Policy sett ting is named Cert tificate Service es Client - Auto o-Enrollment.

An internal i timer triggers autoe enrollment eve ery eight hours s after the last autoenrollme ent activation. The cert tificate template might speci ify user interac ction for each request. For su uch a request, a pop-up win ndow app pears approxim mately 60 secon nds after the user u logs on. Man ny certificates can be distributed without the t client even n being aware that enrollment is taking pla ace. omputers and These include mo ost types of cer rtificates that are a issued to co d services, as w well as many cert tificates issued to users. To enroll e clients automatically for certificates in a domain e environment, y you must: Have membe ership in Doma ain Admins or Enterprise Adm mins, (or equiv valent), which is the minimum required to co omplete this procedure. p Configure a certificate c temp plate with Aut toenroll permis ssions.

MCT USE ONLY. STUDENT USE PROHIBITED


10-23

Configuring A Advanced Windows S Server 2012 Service es

Configure an a autoenrollm ment policy for r the domain.

What W Is Cred dential Roam ming?

Credential Roam ming allows or rganizations to o store certifica ates and privat te keys in AD DS, separately y from ap pplication state or configura ation informati ion.

Credential Roam ming uses exist ting logon and d autoenrollm ent mechanism ms to downloa ad certificates and ke eys to a local computer c whenever a user lo ogs on and, if desired, remove them when n the user logs s off. In ad ddition, the int tegrity of these credentials is maintained u under any con nditions, such a as when certifi icates ar re updated, or r when users lo og on to more than one com mputer at a tim me. This avoids s the scenario w where a us ser is autoenro olled for a cert tificate on each h new machine e to which he or she logs on n. Credential Roam ming is trigger red any time a private key or r certificate in the user's loca al certificate st tore ch hanges, whene ever the user lo ocks or unlock ks the compute er, and whene ever Group Pol licy is refreshed.

All certificate-re elated communication betwe een componen nts on the loca al computer and between th he local co upported in W omputer and AD A DS is signed and encrypt ted. Credential l Roaming is su Windows 7 and d newer Windows W opera ating systems.

What W Is the e Restricte ed Enrollment Agent t?


In n earlier versions of Windows s Server CA, su uch as Windows W Server 2003, it is no ot possible to permit p an n Enrollment Agent A to enroll only a certain n group of f users. As a re esult, every use er with an Enro ollment Agent certificate is able to enroll on behalf of any us ser in an organ nization. Th he Restricted Enrollment E Agent allows you u to lim mit the permis ssions for users s who are designated as s Enrollment Agents, A to enro oll for smart ca ard ce ertificates on behalf b of other r users. The Re estricted En nrollment Age ent is a functionality that was s in ntroduced in th he Windows Se erver 2008 Ent terprise op perating system.

Ty ypically, one or o more author rized individua als within an o rganization ar re designated a as Enrollment Agents. Th he Enrollment Agent needs to t be issued an Enrollment A Agent certifica ate, which enables the agent t to en nroll for smart card certificat tes on behalf of o users. Enroll lment agents a are typically m members of cor rporate se ecurity, IT secu urity, or help desk teams, bec cause these ind dividuals have e already been entrusted wit th sa afeguarding va aluable resourc ces. In some organizations, s such as banks that have man ny branches, h help de esk and security workers mig ght not be con nveniently loca ated to perform m this task. In this case, desi ignating a branch manag ger or other tr rusted employe ee to act as an n Enrollment A Agent is required to enable s smart ca ard credentials s to be issued from f multiple locations. On O a Windows Server 2012 CA A, the restricte ed Enrollment Agent feature es allow an Enr rollment Agen nt to be us sed for one or many certifica ate templates. For each certi ificate templat te, you can cho oose on behalf of which w users or security s group ps the Enrollme ent Agent can enroll. You ca annot constrain n an Enrollmen nt Agent based on n a certain Active Directory organizational o unit (OU) or c container. Inste ead, you must t use se ecurity groups.

MCT USE ONLY. STUDENT USE PROHIBITED

10-24

Implementing Active Directo ory Certificate Service es

Note: Using g restricted Enrollment Agen nts will affect t he performanc ce of the CA. T To optimize performance, you should minimize the t number of f accounts that are listed as Enrollment Age ents. You minim mize the numb ber of account ts in the Enroll ment Agents permissions list. As a best t practice, use group accoun nts in both lists s instead of ind dividual user a accounts.

De emonstration: Config guring the e Restricted d Enrollme ent Agent


In th his demonstration, you will see s how to con nfigure the Re estricted Enrollment Agent.

Dem monstration n Steps Con nfigure the Restricted Enrollment Agent


1. 2. 3. 4. 5. 6. 7. 8. On LON-SVR1, open the Ce ertificate Temp plates console.. Configure All lie Bellew per rmissions to en nroll for an Enr rollment Agen nt certificate. Publish the En nrollment Age ent certificate template. t Log on to LON-CL1 as Ada atum\Allie wit th the passwor rd Pa$$w0rd. Open a MMC C console and add a the Certificates snap-in.. Request the Enrollment E Agent certificate. . Switch to LON N-SVR1, and open o the prope erties of Adatu umRootCA.

Configure the e Restricted En nrollment Agen nt so that Allie e can only issue certificates b based on the U User template, and d only for the Marketing security group.

Wh hat Is Netw work Devic ce Enrollm ment Servic ce?


The Network Device Enrollment t Service (NDES) is the Microsoft imp plementation of o Simple Certi ificate Enro ollment Protoc col (SCEP). SCE EP is a com mmunication protocol p that makes m it possib ble for soft tware that is ru unning on netw work devices such s as ro outers and switcheswhich cannot otherw wise on the networ be authenticated a rkto enroll for X.50 09 certificates from a CA. You u can use NDES S as an Interne et Server API (I ISAPI) filte er on IIS to per rform the following functions: Create and pr rovide one-tim me enrollment passwords to administrator rs. Retrieve awaiting requests from f the CA. Collect and process p SCEP enrollment requ uests for the s oftware that r uns on networ rk devices.

This s feature applie es to organizations that have PKIs with on ne or more Win ndows Server 2012based C CAs, and that want to enhance e the security of their network dev vices. Port secu urity, based on n 802.1x, requir res cert tificates be inst talled on switc ches and acces ss points. Secu re Shell (SSH), instead of Tel lnet, requires a cert tificate on the router, switch, , or access point. NDES is the e service that a allows adminis strators to inst tall cert tificates on dev vices using SCEP.

MCT USE ONLY. STUDENT USE PROHIBITED


10-25

Configuring A Advanced Windows S Server 2012 Service es

Adding support t for NDES can n enhance the flexibility and scalability of a an organizatio on's PKI. Therefore, th his feature should interest PK KI architects, planners, p and a administrators.. Be efore installing g NDES, you must m decide: Whether to o set up a dedicated user acc count for the s service, or use the Network S Service accoun nt. The name of o the NDES re egistration authority and wh hat country/reg gion to use. Th his information n is included in any SCEP cert tificates that are issued.

The CSP to use for the sig gnature key th hat is used to e encrypt communication betw ween the CA a and the registration n authority. The CSP to use for the en ncryption key that t is used to encrypt comm munication be etween the registration n authority and d the network device. The key len ngth for each of o these keys.

In n addition, you u need to creat te and configu ure the certifica ate templates for the certific cates that are used in co onjunction wit th NDES.

In nstalling NDES on a compute er creates a ne ew registration n authority and d deletes any p preexisting re egistration authority certifica ates on the com mputer. There fore, if you pla an to install ND DES on a computer where w another registration au uthority has alr ready been co onfigured, any pending certif ficate requests s should be e processed an nd any unclaim med certificate es should be cl aimed before you install ND DES.

How H Does Certificate e Revocatio on Work?


Re evocation is th he process in which w you disable va alidity of one or o more certificates. By initia ating th he revoke proc cess, you actua ally publish a ce ertificate thum mbprint in the corresponding c g CRL. An overview of the certificate e revocation life cycle is outlined as fo ollows: A certificate e is revoked from the CA MM MC snap-in. Du uring revocatio on, a reason co ode and a date and time are speci ified. This is op ptional, but recomm mended to fill.

The CRL is published usin ng the CA MMC snapmatically base in (or the sc cheduled revo ocation list is published autom ed on the configured value). CRLs can be pub blished in AD DS, D some share ed folder locat tion, or on a w website. When Wind dows client computers are presented p with a certificate, t they use a process to verify revocation status by quer rying the issuin ng CA. This pro ocess determines whether th he certificate is revoked, an nd then presen nts the informa ation to the ap pplication requ uesting the verification. The Windows client computer uses one of the t CRL locatio ons specified i n certificate to o check its validity.

Th he Windows operating o syste ems include a CryptoAPI, C wh ich is responsi ible for the cer rtificate revoca ation an nd status checking processes s. The CryptoA API utilizes the e following pha ases in the certificate checking process: Certificate Discovery: Cer rtificate discovery collects CA A certificates, A AIA informatio on in issued certificates, , and details of f the certificate e enrollment p process.

Path validation: Path valid dation is the process p of verif fying the certif ficate through h the CA chain (or path) until the t root CA ce ertificate is rea ached.

MCT USE ONLY. STUDENT USE PROHIBITED

10-26

Implementing Active Directo ory Certificate Service es

Revocation ch hecking: Each certificate in the certificate c chain is verifie ed to ensure th hat none of the e certificates ar re revoked. Network retri ieval and caching: Network retrieval r is per rformed by usi ing OCSP. Cryp ptoAPI is responsible fo or checking the local cache first f for revoca ation informat ion and if ther re is no match, , making a call using OCSP, which w is based d on the URL p provided by the e issued certifi icate.

Co onsideratio ons for Pub blishing AI IAs and CD DPs


Whe en you are ma anaging and issuing certificates, it is ve ery important to properly co onfigure certificate exte ensions that ar re used to verify the certifica ate of the CA, and the ce ertificate that is being used by the user. These ex xtensions, calle ed AIA and CD DP, are part t of each certif ficate. They mu ust point to pr roper loca ations, or PKI may m not function correctly.

Wh hat Is AIA?
AIA addresses are e the URLsad ddresses that uniq quely identify each location on the Interne et or intra anetin the certificates that t a CA issues. These T add dresses tell the verifier of a ce ertificate wher re to retrieve the CA's certificate. c AIA A access URLs can c be HTTP, F File Transfer Pr rotocol (FTP), L Lightweight Dire ectory Address s Protocol (LDA AP), or FILE addresses.

Wh hat Is CDP?
CDP P is a certificate extension th hat indicates from where the e certificate rev vocation list fo or a CA can be retrieved. It can co ontain none, one, o or many HTTP, H FILE, or L LDAP URLs.

AIA A and CDP Publishing P

If yo ou use only an n online CA, these values are configured by y default local ly on the CA. H However, if yo ou wan nt to deploy an n offline root CA C or if you wa ant to publish AIA and CDP to an internet t facing locatio on, you must reconfig gure these valu ues so that the ey apply to all certificates iss sued by the root CA. The AIA A and CDP P extensions define where client applicatio ons can locate AIA and CDP information fo or the root CA A. The are generally t form matting and pu ublishing of AI IA and CDP ex xtension URLs a the same for root CAs and subordinate CAs. You can publish the root CA A certificate an nd the CRL to t the following l locations: Active Directo ory Web servers File Transfer Protocol P (FTP) servers File servers

Pub blication Po oints

To ensure e accessib bility to all com mputers in the e forest, publis h the offline ro oot CA certific cate and the of ffline root t CAs CRL to Active A Director ry by using the e Certutil com mmand. This pla aces the root C CA certificate and CRL L in the Configuration namin ng context, which Active Dire ectory replicat tes to all doma ain controllers in the fore est. For computers tha at are not mem mbers of Activ ve Directory, pl ertificate and C CRL on web servers lace the CA ce by using u the HTTP P protocol. Loc cate the web servers s on the internal netwo ork, and also o on the external

MCT USE ONLY. STUDENT USE PROHIBITED


10-27

Configuring A Advanced Windows S Server 2012 Service es

ne etwork if exter rnal client com mputers (or inte ernal clients fr rom external n networks) require access. This s is very im mportant if you u are using int ternally issued certificates ou utside your com mpany. Yo ou can also pu ublish certificat tes and CRLs to ftp:// and FI LE:// URLs, but it is recommended that yo ou use on nly LDAP and HTTP URLs, be ecause they are the most wid dely supported d URL formats s for interopera ability pu urposes. The order o in which you list the CD DP and AIA ex xtensions is im portant becau use the certifica ate ch haining engine e searches the URLs sequent tially. Place the e LDAP URL fir rst in the list if your certificat tes are mostly m used inte ernally.

What W Is an Online Re esponder?


By y using OCSP, an Online Res sponder provid des clients with an efficient e way to o determine th he re evocation statu us of a certifica ate. OCSP subm mits ce ertificate status requests usin ng HTTP. Clients access CRLs C to determ mine the revoca ation st tatus of a certif ficate. CRLs might be large, and clients might ut tilize a large am mount of time e to se earch through these CRLs. An Online Responder ca an dynamically y search these CRLs for the clients c an nd respond on nly to the requ uested certifica ate.

Yo ou can use a single Online Responder R to de etermine revocation status information for ce ertificates that are issued by a single CA, or o by multiple C CAs. However,, you can use m more than one e Online Re esponder to distribute CA re evocation infor rmation. Yo ou can install an a Online Resp ponder on any y computer tha at runs Windo ows Server 200 08 Enterprise o or Windows W Server 2012. You sh hould install an n Online Respo onder and a CA A on different computers. Th he fo ollowing opera ating systems can c use Online e Responder fo or validation o of certificate sta atus: Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista V Windows 7 Windows 8

Fo or scalability and high availa ability, you can n deploy the O Online Respond der in a load-b balanced array y using Network Load Balancing B (NLB B), which proce esses certificat te status reque ests. You can m monitor and m manage ea ach member of o the array ind dependently. To T configure th he Online Resp ponder, you m must use the Online Re esponder man nagement cons sole. Yo ou must config gure the CAs to t include the URL of the On nline Responde er in the AIA e extension of iss sued ce ertificates. The e OCSP client uses u this URL to o validate the certificate stat tus. You must also issue the OCSP Re esponse Signin ng certificate template, t so th hat the Online Responder ca an also enroll t that certificate.

How H to Insta all and Conf figure Onlin ne Responde er

Yo ou can install Online O Respon nders on comp puters that are e running Wind dows Server 20 008 R2 or Windows Se erver 2012. Yo ou should insta all Online Resp ponders after t he CAs, but be efore issuing a any client certif ficates.

MCT USE ONLY. STUDENT USE PROHIBITED

10-28

Implementing Active Directory Certificate Services

The certificate revocation data is derived from a published CRL that can come from a CA on a computer that is running Windows Server 2008 or newer, or Windows Server 2003, or from a non-Microsoft CA. Before configuring a CA to support the Online Responder service, the following must be present: IIS must be installed on the computer during the Online Responder installation. The correct configuration of IIS for the Online Responder is installed automatically when you install an Online Responder.

An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed.

The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status.

After an Online Responder has been installed, you need to create a revocation configuration for each CA and CA certificate that is served by an Online Responder. A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued using a specific CA key. These configuration settings include: CA certificate. This certificate can be located on a domain controller, in the local certificate store, or imported from a file.

Signing certificate for the Online Responder. This certificate can be selected automatically for you, selected manually (which involves a separate import step after you add the revocation configuration), or you can use the selected CA certificate.

Revocation provider that will provide the revocation data used by this configuration. This information is entered as one or more URLs where the valid base and delta CRLs can be obtained.

Demonstration: Configuring an Online Responder


In this demonstration, you will see how to configure an Online Responder.

Demonstration Steps Configure an Online Responder


1. 2. 3. 4. 5. 6. 7. On LON-SVR1, use Server Manager to add an Online Responder role service to the existing AD CS role. Configure a new AIA distribution location on AdatumRootCA to be http://lon-svr1/ocsp. On AdatumRootCA, publish the OCSP Response signing certificate template, and allow Authenticated users to enroll. Open the Online Responder Management console. Add revocation configuration for AdatumRootCA. Enroll for OCSP Response signing certificate. Ensure that the revocation configuration status displays as working.

MCT USE ONLY. STUDENT USE PROHIBITED


10-29

Configuring A Advanced Windows S Server 2012 Service es

Lesson n5

Mana aging Ce ertificat te Reco overy

Certificate or ke ey recovery is one o of the mo ost important m management t tasks during th he certificate li ife cycle. Yo ou use a key archival and rec covery agent for f data recove ery if you lose e your public and private key ys. You ca an also use aut tomatic or manual key archival and key re ecovery metho ods to ensure t that you can gain ac ccess to data in the event that your keys are lost. In this lesson, you wi ill learn how to o manage key y ar rchival and rec covery in AD CS C in Windows Server 2012 A AD CS.

Le esson Objec ctives


After completin ng this lesson, you y will be able to: Describe th he process of key k archival and recovery. Configure Automatic A Key y Archival. Configure CA C for Key Arc chival. Explain key y recovery. Recover a lost key.

Overview O of o Key Arch hival and Recovery R


If you lose your r public and pr rivate keys, you u will no ot be able to access a any data that is encry ypted by us sing the certifi icates public key. k This data can c in nclude Encrypt ting File System m (EFS) and Se ecure/Multipurpose Internet t Mail Extensio ons (S S/MIME). There efore, archival and recovery of pu ublic and priva ate keys are im mportant.

Conditions C fo or Losing Keys K


Yo ou may lose ke ey pairs due to o the following g co onditions:

User profile e is deleted or corrupted. A CSP C encrypts a private key and stores the en ncrypted priva ate key in the l local file system m and registry y in the user profile e folder. Deletion or corruption of the prof file results in th he loss of the private key ma aterial.

Operating system s is reins stalled. When you y reinstall th he operating s system, the pre evious installat tions of the user pro ofiles are lost, including the private key m aterial. Disk is corrupted. If the hard h disk becom mes corrupted d and the user r profile is unav vailable, the private key materia al is lost autom matically. Computer is i stolen. If a users compute er is stolen, the e user profile w with the private key material is unavailable e.

Key K Archival and Recovery Agents

Yo ou use key arc chival and Key Recovery Age ents (KRA) for d data recovery. You can ensu ure that CA ad dministrators can c recover pr rivate keys by archiving a them m. KRAs are de esignated users s who are able e to re etrieve the orig ginal certificate e, private key, and public ke ey that were us sed to encrypt the data, from m the CA A database. A specific certifi icate template e is applied to a KRA. When y you enable key archival in a version 2 certificate tem mplate, the CA encrypts and stores that pri ivate key in its s database. In s situations whe ere the

MCT USE ONLY. STUDENT USE PROHIBITED

10-30

Implementing Active Directo ory Certificate Service es

CA has stored the e subjects private key in the CA database, you can use k key recovery to o recover a corr rupted or lost key.

Dur ring the key recovery process, the certificat te manager re etrieves the encrypted file that contains the cert tificate and private key from the CA database. Next, a KR RA decrypts th he private key from the encry ypted file and returns th he certificate and private key y to the user.

Sec curity for Ke ey Archival

Whe en you have a configured CA A to issue a KR RA certificate, a any user with Read and Enr roll permission n on the KRA certificate e template can n enroll and be ecome a KRA. As a result, Do omain Admins s and Enterpris se Adm mins receive pe ermission by default. d Howev ver, you must e ensure the foll lowing: Only trusted users are allow wed to enroll for this certifica ate. The KRAs rec covery key is st tored in a secu ure manner. The server wh here the keys are a archived is in a separate physical secur re location.

Understanding g Key Archiv val and Rec covery

Key recovery implies that the pr rivate key port tion of a publi c-private key p rchived and pair may be ar reco overed. Private e key recovery does not reco over any data o or messages. It t merely enables a user to retrieve lost or damaged keys, or o for an administrator to as sume the role of a user for d data access or data reco overy purposes. In many app plications, data a recovery can not occur with hout first perfo orming key reco overy. The key recovery procedure is as a follows: 1.

The user requ uests a certifica ate from a CA and provides a copy of the private key as s part of the re equest. The CA, which h is processing g the request, archives the e ncrypted priva ate key in the C CA database a and issues a certif ficate to the re equesting user. The issued ce ertificate can be used by an application a suc ch as EFS to en ncrypt sensitiv ve files.

2. 3.

If, at some po oint, the privat te key is lost or r damaged, th e user can con ntact the comp panys Certifica ate Manager to recover r the private key. The Certificate Ma anager, with th he help of the KRA, recovers the private key, st tores it in a protected file fo ormat, and sen ds it back to t he user.

4.

s store, it once After the user r stores the rec covered privat te key in the u sers local keys e again can be e used by an applica ation such as EFS to decrypt previously enc crypted files or r to encrypt ne ew ones.

Co onfiguring Automatic Key Arch hival


Befo ore you can us se key archival, you must perform seve eral configurat tion steps. The e key archival feat ture is not enabled by default, and you sho ould configure both CA A and certificate templates for f key archival and key k recovery. The following step ps describe the e automatic ke ey arch hival process: 1. Configure the e KRA certificate template. Only O Enterprise Ad dministrators or o Domain Administrators are allowed to request a KRA K certificate. If you y want to en nroll some oth her user with a KR RA certificate, you must spec cify it on the templa ate DACL.

MCT USE ONLY. STUDENT USE PROHIBITED


10-31

Configuring Advanced Windows Server 2012 Services

2.

Configure Certificate Managers: a.

CA enforces a person to be a Certificate Manager, if defined. The Certificate Manager usually holds a private key for valid KRA certificates. By default, the CA Administrator is a Certificate Manager for all users, except for cases with another explicit definition. However, as a best practice, you should separate these two roles if possible.

b.

A CA Officer is defined as a Certificate Manager. This user has the security permission to issue and manage certificates. The security permissions are configured on a CA in the Certification Authority MMC snap-in, in the CA Properties dialog box, from the Security tab. A KRA is not necessarily a CA Officer or a Certificate Manager. These roles may be segmented as separate roles. A KRA is a person who holds a private key for a valid KRA certificate.

c. 3.

Enable KRA: a. b. c. d. Log on as Administrator of the server, or as CA Administrator if role separation is enabled.

In the CA console, right-click the CA name, and then click Properties. To enable key archival, on the Recovery Agents tab, click Archive the key. By default, the CA uses one KRA. However, you must first select the KRA certificate for the CA to begin archival by clicking Add.

The system finds valid KRA certificates, and then displays available KRA certificates. These are generally published to AD DS by an enterprise CA during enrollment. KRA certificates are stored under the KRA container in the Public Key Services branch of the configuration partition in AD DS. Because CA issues multiple KRA certificates, each KRA certificate will be added to the multivalued user attribute of the CA object. Select one certificate, and then click OK. Ensure that you have selected the intended certificate.

e. f. 4.

After you have added one or more KRA certificates, click OK. KRA certificates are only processed at service start.

Configure user templates: a. b. In the Certificate Templates MMC, right-click the key archival template, and then click Properties.

To always enforce key archival for the CA, in the Properties dialog box, on the Request Handling tab, select the Archive subjects encryption private key check box. In Windows Server 2008 or later CAs, select the Use advanced symmetric algorithm to send the key to the CA option.

Demonstration: Configuring CA for Key Archival


In this demonstration, you will see how to configure automatic key archival.

Demonstration Steps Configure automatic key archival


1. 2. 3. 4. Configure adatumRootCA to issue Key Recovery Agent certificates without approval. Enroll Administrator for Key Recovery Agent certificate. Configure adatumRootCA to use certificate enrolled in step 2 as Key Recovery Agent. Configure Exchange User Test 1 certificate template to allow key archival.

MCT USE ONLY. STUDENT USE PROHIBITED

10-32

Implementing Active Directo ory Certificate Service es

5.

Configure adatumRootCA A to allow key archival. a

Recovering a Lost Key


Key recovery cons sists of several steps, and you mus st strictly follow w the procedu ure to recover arch hived keys. The e procedure fo or key recovery y is as follo ows: 1. Find recovery y candidates. You Y will require e two pieces of info ormation to pe erform key reco overy. First, the Cert tificate Manager or the CA Administrator locates the correct certifica ate entry in the CA C database. Then, T the Certif ficate Manager or the CA Administrator obtains s the serial number r of the correc ct certificate en ntry and the KRA certificate required for key recovery.

2.

Retrieve PKCS S #7 BLOB from m the databas se. This is the f first half of the e key recovery step. A Certificate Manager or a CA Administr rator retrieves the correct BL LOB from the C CA database. T The certificate and the encrypted d private key to be recovered are present in PKCS #7 BL LOB. The privat te key is encry ypted alongside the e public key of f one or more KRAs.

3.

Recover key material m and sa ave to PKCS #12 (.pfx). This is the second half of the key y recovery step p. The holder of one e of the KRA private keys dec crypts the priv vate key to be recovered. In addition, the h holder the certificate and private ke generates a password-prote p ected .pfx file that contains t ey.

port recovered keys. The password-protect ted .pfx file is d delivered to th he end user. Th his user import ts the Imp .pfx file into the lo ocal user certif ficate store. Alt ternatively, the e KRA or an ad dministrator ca an perform this part of the procedure on behalf of th he user.

De emonstration: Recov vering a Lo ost Private Key (optio onal)


In th his demonstration, you will see s how to rec cover a lost pri ivate key.

Dem monstration n Steps Rec cover a lost private key y


1. 2. 3. 4. 5. 6. Enroll Administrator for Exc change User Te est1 certificate e. Delete the ce ertificate from Administrator A personal store e to simulate k key loss. On LON-SVR1 in CA console, retrieve the e serial numbe er of lost certifi icate. Use command Certutil -ge etkey <serialn number> outp putblob to ge enerate blob fi ile. Use command Certutil -rec coverkey outputblob reco over.pfx, to rec cover the priva ate key. Import the pr rivate key back k to administra ator personal s store.

MCT USE ONLY. STUDENT USE PROHIBITED


10-33

Configuring Advanced Windows Server 2012 Services

Lab: Implementing Active Directory Certificate Services


Scenario

As A. Datum Corporation has expanded, its security requirements have also increased, and the security department is particularly interested in enabling secure access to critical web sites, and in providing additional security for features such as EFS, smart cards, and the Windows 7 and Windows 8 DirectAccess feature. To address these and other security requirements, A. Datum Corporation has decided to implement a PKI using the AD CS role in Windows Server 2012.

As one of the senior network administrators at A. Datum Corporation, you are responsible for implementing the AD CS deployment. You will be deploying the CA hierarchy, developing the procedures and process for managing certificate templates, and deploying and revoking certificates.

Objectives
Deploy a standalone root CA, and an enterprise subordinate CA. Configure certificate templates. Configure certificate enrollment. Configure certificate revocation. Configure and perform private key archival and recovery.

Lab Setup
Estimated Time: 120 minutes 20412A-LON-DC1 20412A-LON-SVR1 20412A-LON-SVR2 20412A-LON-CA1 20412A-LON-CL1

User Name: Adatum\Administrator Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps: 1. 2. 3. 4.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Log on using the following credentials: User name: Adatum\Administrator Password: Pa$$w0rd

5.

Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2, 20412A-LON-CA1 and 20412ALON-CL1. Do not log on until instructed to do so.

Exercise 1: Deploying a standalone root CA


Scenario

A. Datum Corporation wants to start using certificates for various purposes, and you now need to install the appropriate CA infrastructure. Because they are using AD DS with Windows Server 2012 AD DS, you decided to implement the AD CS role. When you were reviewing available designs, you decided to

MCT USE ONLY. STUDENT USE PROHIBITED

10-34

Implementing Active Directory Certificate Services

implement a standalone root CA. This CA will be taken offline after it issues a certificate for a subordinate CA. The main tasks for this exercise are as follows: 1. 2. Install the Active Directory Certificate Services (AD CS) server role on non-domain joined server. Configure a new certificate revocation location.

Task 1: Install the Active Directory Certificate Services (AD CS) server role on nondomain joined server
1. 2. 3. 4. 5. Log on to LON-CA1 as Administrator using the password Pa$$w0rd. Use the Add Roles and Features Wizard to install the Active Directory Certificate Services role. After installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server. Configure the AD CS role as a standalone root CA. Name it AdatumRootCA. Set the key length to 4096, accept all other values as default.

Task 2: Configure a new certificate revocation location


1. 2. 3. 4. 5. 6. 7. 8. 9. On LON-CA1, open the Certification Authority console. Open the Properties window for AdatumRootCA.

Configure new locations for CDP to be on http://lon-svr1.adatum.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Select options: Include in the CDP extensions of issued certificates and Include in CRLs. Clients use this to find Delta CRL locations. Configure new locations for AIA to be on http://lon-svr1.adatum.com/CertData /<ServerDNSName>_<CaName><CertificateName>.crt Select the Include in the AIA extension of issued certificates check box. Publish the certificate revocation list on LON-CA1. Export the root CA certificate, and copy the .cer file to \\lon-svr1\C$. Copy the content of folder C:\Windows\System32\CertSrv\CertEnroll to \\lon-svr1\C$.

Results: After completing this exercise, you will have installed and configured a standalone root CA.

Exercise 2: Deploying an Enterprise Subordinate CA


Scenario

After deploying the standalone root CA, the next step is to deploy an enterprise subordinate CA. A. Datum Corporation wants to use an enterprise subordinate CA to utilize AD DS integration. In addition, because root CA is standalone, you want to publish its certificate to all clients. The main tasks for this exercise are as follows: 1. 2. 3. Install and configure AD CS role on LON-SVR1. Install a subordinate Certification Authority (CA) certificate. Publish the RootCA certificate through Group Policy.

MCT USE ONLY. STUDENT USE PROHIBITED


10-35

Configuring Advanced Windows Server 2012 Services

Task 1: Install and configure AD CS role on LON-SVR1


1. 2. 3. 4. 5. 6. 7. 8. Log on to LON-SVR1 as Adatum\Administrator with the password of Pa$$w0rd. Install the Active Directory Certificate Services role on LON-SVR1. Include the Certification Authority and Certification Authority Web Enrollment role services. After installation is successful, click Configure Active Directory Certificate Services on the destination server. Select the Certification Authority and Certification Authority Web Enrollment role services. Configure LON-SVR1 to be an Enterprise CA. Configure the CA Type to be a Subordinate CA. For the CA Name type Adatum-IssuingCA. Save the request file to the local drive.

Task 2: Install a subordinate Certification Authority (CA) certificate


1. 2. 3. 4. 5. 6. 7. 8. 9. On LON-SVR1, install the RootCA.cer certificate in the Trusted Root Certification Authority store.

Navigate to Local Disk (C:) and copy the AdatumRootCA.crl and LON-CA1 _AdatumRootCA.crt files to C:\inetpub\wwwroot\CertData. Copy the LON-SVR1.Adatum.com_Adatum- IssuingCA.req request file to \\lon-ca1\C$\. Switch to LON-CA1.

From the Certification Authority console on LON-CA1, submit a new certificate request, by using .req file that you copied in step 3. Issue the certificate and export it to p7b format with complete chain. Save the file to \\lon-svr1\C$\SubCA.p7b. Switch to LON-SVR1. Install the SubCA certificate on LON-SVR1 using the Certification Authority console. Start the service.

Task 3: Publish the RootCA certificate through Group Policy


1. 2. 3. On LON-DC1, from Server Manager open the Group Policy Management Console. Edit the Default Domain Policy. Publish the RootCA.cer file from \\lon-svr1\C$ to Trusted Root Certification Authorities store in Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

Results: After completing this exercise, you will have deployed and configured an enterprise subordinate CA

Exercise 3: Configuring Certificate Templates


Scenario

After deploying the CA infrastructure, the next step is to deploy the certificate templates that are required in the organization. For the beginning, A. Datum Corporation wants to implement a new Web server certificate and implement smart card certificates for users. They also want to implement new certificates on the LON-SVR2 web server.

MCT USE ONLY. STUDENT USE PROHIBITED

10-36

Implementing Active Directory Certificate Services

The main tasks for this exercise are as follows: 1. 2. 3. 4. Create a new template based on the Web server template. Create a new template for users that includes smart card logon. Configure the templates so they can be issued. Update the Web server certificate on the LON-SVR2 Web Server.

Task 1: Create a new template based on the Web server template


1. 2. 3. 4. 5. On LON-SVR1, from the Certification Authority console, open the Certificate Templates Console. Duplicate the Web Server template. Create a new template and name it Adatum Web Server. Configure validity for 3 years. Configure the private key as exportable.

Task 2: Create a new template for users that includes smart card logon
1. 2. 3. 4. 5. 6. 7. In the Certificate Templates Console, duplicate the User certificate template. Name the new template Adatum Smart Card User. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail name check boxes. Add Smart Card Logon to Application Policies of the new certificate template. Configure this new template to supersede the User template. Allow Authenticated Users to Read, Enroll, and Autoenroll for this certificate. Close the Certificate Templates Console.

Task 3: Configure the templates so they can be issued

Configure LON-SVR1 to issue certificates based on the Adatum Smart Card User and Adatum Web Server templates.

Task 4: Update the Web server certificate on the LON-SVR2 Web Server
1. 2. 3. 4. Log on to LON-SVR2 as Adatum\Administrator with the password of Pa$$w0rd. Refresh the Group Policy and restart server if needed. From Server Manager, open the Internet Information Services (IIS) Manager. Enroll for a domain certificate using the following parameters: o o o o o o 5. Common name: lon-svr2.adatum.com Organization: Adatum Organizational Unit: IT City/locality: Seattle State/province: WA Country/region: US

Create HTTPS binding for Default Web Site, and associate it with new certificate.

MCT USE ONLY. STUDENT USE PROHIBITED


10-37

Configuring Advanced Windows Server 2012 Services

Results: After completing this exercise, you will have created and published new certificate templates.

Exercise 4: Configuring Certificate Enrollment


Scenario

The next step in implementing the PKI at A. Datum Corporation is configuring certificate enrollment. A. Datum wants to enable different options for distributing the certificates. Users should be able to enroll automatically, and smart card users should get their smart cards from Enrollment Agents. Adatum has delegated enrollment agent rights for the Marketing department group to Allie Bellew. The main tasks for this exercise are as follows: 1. 2. 3. Configure autoenrollment for users. Verify autoenrollment. Configure the Enrollment Agent for smart card certificates.

Task 1: Configure autoenrollment for users


1. 2. 3. 4. On LON-DC1, open Group Policy Management. Edit the Default Domain Policy. Navigate to User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies. Enable the Certificate Services Client Auto-Enrollment option, and enable Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Enable the Certificate Services Client Certificate Enrollment Policy. Close Group Policy Management Editor and Group Policy Management console.

5. 6.

Task 2: Verify autoenrollment


1. 2. 3. On LON-SVR1, open Windows PowerShell and use gpupdate /force to refresh Group Policy. Open an mmc.exe console and add the Certificates snap-in focused on the user account. Verify that you have been issued a certificate based on the Adatum Smart Card User template.

Task 3: Configure the Enrollment Agent for smart card certificates


1. 2. 3. 4. 5. On LON-SVR1, from the Certification Authority console, open the Certificate Templates console. Allow Allie Bellew to enroll for an Enrollment Agent certificate. Publish the Enrollment Agent certificate template. Log on to LON-CL1 as Allie, and enroll for an Enrollment Agent certificate.

On LON-SVR1, open properties of Adatum-IssuingCA, and configure Restricted Enrollment Agent so that Allie can only issue certificates based on Adatum Smart Card User, for security group Marketing.

Results: After completing this exercise, you will have configured and verified autoenrollment for users, and configured an enrollment agent for smart cards.

MCT USE ONLY. STUDENT USE PROHIBITED

10-38

Implementing Active Directory Certificate Services

Exercise 5: Configuring Certificate Revocation


Scenario

As part of configuring the certificate infrastructure, A. Datum Corporation wants to configure revocation components on newly established CAs. You will configure CRL and Online Responder components. The main tasks for this exercise are as follows: 1. 2. Configure Certified Revocation List (CRL) distribution. Install and configure an Online Responder.

Task 1: Configure Certified Revocation List (CRL) distribution


1. 2. 3.

On LON-SVR1, in the Certification Authority console, right-click Revoked Certificates, and then click Properties. Set the CRL publication interval to 1 Day, and set the Delta CRL publication interval to 1 hour. Review CDP locations on Adatum-IssuingCA.

Task 2: Install and configure an Online Responder


1. 2