
OFFICIAL MICROSOFT LEARNING PRODUCT

20410A

Installing and Configuring Windows Server 2012


20410A: Installing and Configuring Windows Server 2012

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20410A Part Number: X18-48636 Released: 07/2012

MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.

e. Licensed Content means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.

f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy Program.

i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active silver or gold-level Microsoft Partner Network program member in good standing.

l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) an MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers' use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Prerelease course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,

viii. you will only deliver a maximum of 10 hours of training per week for each Authorized Training Session that uses a MOC title, and

ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,

viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

c. If you are an MPN Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,

v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,

viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User: For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control.

ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject matter is based on a pre-release version of Microsoft technology (Pre-release), then in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
- access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
- alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
- modify or create a derivative work of any Licensed Content,
- publicly display, or make the Licensed Content available for others to access or use,
- copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
- work around any technical limitations in the Licensed Content, or
- reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
- anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this contract are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may benefit from additional rights under local consumer protection law, which this contract cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain compensation from Microsoft and its suppliers for direct damages only, up to US$5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to:
- anything related to the licensed content, services or content (including code) on third-party Internet sites or in third-party programs; and
- claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of your country. This contract does not modify the rights granted to you by the laws of your country if those laws do not permit it.

Revised June 2012


Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Stan Reimer - Content Developer and Lead Subject Matter Expert


Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author. Stan has extensive experience consulting on Active Directory Domain Services (AD DS) and Microsoft Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12 years.

Damir Dizdarevic - Content Developer and Subject Matter Expert


Damir Dizdarevic, an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and Microsoft Certified IT Professional (MCITP), is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server, Exchange Server, security and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft Official Curriculum (MOC) courses, and has published more than 400 articles in various Information Technology (IT) magazines, such as Windows ITPro and INFO Magazine. Damir is also a frequent and highly rated speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable Professional (MVP) for Windows Server Infrastructure Management.

Gary Dunlop - Subject Matter Expert


Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks. He has authored a number of Microsoft Learning titles, and has been an MCT since 1997.

Siegfried Jagott - Content Developer


Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft Press) and has authored and technically reviewed several MOC courses on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 SP1. Siegfried has coauthored various other Windows operating system, System Center Virtual Machine Manager (SC VMM) and Exchange books, and is a frequent presenter on these topics at international conferences such as the IT & Dev Connections conference, held in spring 2012, in Las Vegas. Siegfried has planned, designed, and implemented some of the world's largest Windows and Exchange Server infrastructures for international customers. He received an MBA from Open University in England, and has been an MCSE since 1997.

Jason Kellington - Subject Matter Expert


Jason Kellington (MCT, MCITP, and MCSE) is a consultant, trainer, and author. He has experience working with a wide range of Microsoft technologies, and focuses on enterprise network infrastructure. Jason works in several capacities with Microsoft. He is a content developer for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.


Vladimir Meloski - Content Developer


Vladimir is an MCT, an MVP on Exchange Server, and a consultant, providing unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync Server, and Microsoft System Center. Vladimir has 16 years of professional experience in information technology. Vladimir has been involved in Microsoft conferences in Europe and in the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has also been involved as a subject matter expert and technical reviewer for several MOC courses.

Nick Portlock - Subject Matter Expert


Nick has been an MCT for 15 years. He is a self-employed IT trainer, consultant, and author. Last year, Nick taught in over 20 countries. He specializes in AD DS, Group Policy, and Domain Name System (DNS), and has consulted with a variety of companies over the last decade. He has reviewed more than 100 Microsoft courses. Nick is a member of the Windows 7 Springboard Series Technical Expert Panel (STEP) program.

Brian Svidergol - Technical Reviewer


Brian Svidergol specializes in Microsoft infrastructure and cloud-based solutions based around Windows operating systems, AD DS, Exchange Server, System Center, virtualization, and Microsoft Desktop Optimization Package (MDOP). He holds the MCT, MCITP (Enterprise Administrator (EA)), MCITP (Virtualization Administrator (VA)), MCITP (Exchange 2010), and several other Microsoft and industry certifications. Brian authored Microsoft Official Curriculum (MOC) course 6426C: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory. He has also worked for several years on Microsoft certification exam development and related training content.

Orin Thomas - Subject Matter Expert


Orin Thomas is an MVP, an MCT, and has a variety of MCSE and MCITP certifications. He has written more than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine. He has been working in IT since the early 1990s. He regularly speaks at events such as TechEd in Australia, and around the world on Windows Server, Windows Client, System Center, and security topics. Orin founded and runs the Melbourne System Center Users Group.

Byron Wright - Content Developer and Subject Matter Expert


Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems implementation, and technical training. Byron is also a sessional instructor for the Asper School of Business at the University of Manitoba, teaching management information systems and networking. Byron has authored and co-authored a number of books on Windows Server operating systems, Windows Vista, and Exchange Server, including the Windows Server 2008 Active Directory Resource Kit.


Contents
Module 1: Deploying and Managing Windows Server 2012
Lesson 1: Windows Server 2012 Overview 1-2
Lesson 2: Overview of Windows Server 2012 Management 1-14
Lesson 3: Installing Windows Server 2012 1-19
Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24
Lesson 5: Introduction to Windows PowerShell 1-32
Lab: Deploying and Managing Windows Server 2012 1-37

Module 2: Introduction to Active Directory Domain Services
Lesson 1: Overview of AD DS 2-2
Lesson 2: Overview of Domain Controllers 2-8
Lesson 3: Installing a Domain Controller 2-13
Lab: Installing Domain Controllers 2-18

Module 3: Managing Active Directory Domain Services Objects
Lesson 1: Managing User Accounts 3-3
Lesson 2: Managing Group Accounts 3-15
Lesson 3: Managing Computer Accounts 3-22
Lesson 4: Delegating Administration 3-27
Lab: Managing Active Directory Domain Services Objects 3-30

Module 4: Automating Active Directory Domain Services Administration
Lesson 1: Using Command-line Tools for Administration 4-2
Lesson 2: Using Windows PowerShell for Administration 4-7
Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13
Lab: Automating AD DS Administration by Using Windows PowerShell 4-20

Module 5: Implementing IPv4
Lesson 1: Overview of TCP/IP 5-2
Lesson 2: Understanding IPv4 Addressing 5-6
Lesson 3: Subnetting and Supernetting 5-11
Lesson 4: Configuring and Troubleshooting IPv4 5-16
Lab: Implementing IPv4 5-23

Module 6: Implementing DHCP
Lesson 1: Installing a DHCP Server Role 6-2
Lesson 2: Configuring DHCP Scopes 6-7
Lesson 3: Managing a DHCP Database 6-12
Lesson 4: Securing and Monitoring DHCP 6-16
Lab: Implementing DHCP 6-21

Module 7: Implementing DNS
Lesson 1: Name Resolution for Windows Clients and Servers 7-2
Lesson 2: Installing and Managing a DNS Server 7-10
Lesson 3: Managing DNS Zones 7-16
Lab: Implementing DNS 7-20

Module 8: Implementing IPv6
Lesson 1: Overview of IPv6 8-2
Lesson 2: IPv6 Addressing 8-8
Lesson 3: Coexistence with IPv6 8-13
Lesson 4: IPv6 Transition Technologies 8-17
Lab: Implementing IPv6 8-22

Module 9: Implementing Local Storage
Lesson 1: Overview of Storage 9-2
Lesson 2: Managing Disks and Volumes 9-11
Lesson 3: Implementing Storage Spaces 9-20
Lab: Implementing Local Storage 9-25

Module 10: Implementing File and Print Services
Lesson 1: Securing Files and Folders 10-2
Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15
Lesson 3: Configuring Network Printing 10-18
Lab: Implementing File and Print Services 10-23

Module 11: Implementing Group Policy
Lesson 1: Overview of Group Policy 11-2
Lesson 2: Group Policy Processing 11-10
Lesson 3: Implementing a Central Store for Administrative Templates 11-15
Lab: Implementing Group Policy 11-19

Module 12: Securing Windows Servers Using Group Policy Objects
Lesson 1: Windows Security Overview 12-2
Lesson 2: Configuring Security Settings 12-6
Lab A: Increasing Security for Server Resources 12-15
Lesson 3: Restricting Software 12-21
Lesson 4: Configuring Windows Firewall with Advanced Security 12-25
Lab B: Configuring AppLocker and Windows Firewall 12-29

Module 13: Implementing Server Virtualization with Hyper-V
Lesson 1: Overview of Virtualization Technologies 13-2
Lesson 2: Implementing Hyper-V 13-8
Lesson 3: Managing Virtual Machine Storage 13-15
Lesson 4: Managing Virtual Networks 13-22
Lab: Implementing Server Virtualization with Hyper-V 13-27

Lab Answer Keys
Module 1 Lab: Deploying and Managing Windows Server 2012 L1-1
Module 2 Lab: Installing Domain Controllers L2-9
Module 3 Lab: Managing Active Directory Domain Services Objects L3-13
Module 4 Lab: Automating AD DS Administration by Using Windows PowerShell L4-21
Module 5 Lab: Implementing IPv4 L5-25
Module 6 Lab: Implementing DHCP L6-29
Module 7 Lab: Implementing DNS L7-35
Module 8 Lab: Implementing IPv6 L8-41
Module 9 Lab: Implementing Local Storage L9-45
Module 10 Lab: Implementing File and Print Services L10-49
Module 11 Lab: Implementing Group Policy L11-55
Module 12 Lab A: Increasing Security for Server Resources L12-59
Module 12 Lab B: Configuring AppLocker and Windows Firewall L12-65
Module 13 Lab: Implementing Server Virtualization with Hyper-V L13-71


About This Course


This section provides a brief description of the course 20410A: Installing and Configuring Windows Server 2012, its audience, suggested prerequisites, and course objectives.

Course Description
Note: This first release (A) Microsoft Official Curriculum (MOC) version of course 20410A has been developed on prerelease software (Windows 8 Release Preview and Windows Server 2012 Release Candidate (RC)). Microsoft Learning will release a B version of this course after the release to manufacturing (RTM) version of the software is available.

This course is part one of a series of three courses, which provide the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment. The three courses in total will collectively cover implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment. While there is some cross-over in skillset and tasks across the courses, this course will primarily cover the initial implementation and configuration of those core services, such as Active Directory Domain Services (AD DS), networking services, and initial Hyper-V configuration.

Audience
This course is intended for Information Technology (IT) Professionals who have good Windows operating system knowledge and experience, and want to acquire the skills and knowledge necessary to implement the core infrastructure services in an existing Windows Server 2012 environment. The secondary audience consists of those seeking certification in the 70-410, Installing and Configuring Windows Server 2012 exam.

Student Prerequisites
This course requires that you meet the following prerequisites:
A good understanding of networking fundamentals
An understanding of, and experience configuring, security and administration tasks in an enterprise environment
Experience supporting or configuring Windows operating system clients
Good hands-on Windows client operating system experience with Windows Vista, Windows 7, or Windows 8

Students would also benefit from having some previous Windows Server operating system experience.

Course Objectives
After completing this course, students will be able to:
Install and configure Windows Server 2012.
Describe AD DS.
Manage AD DS objects.
Automate AD DS administration.
Implement TCP/IPv4.
Implement Dynamic Host Configuration Protocol (DHCP).
Implement Domain Name System (DNS).
Implement IPv6.
Implement local storage.
Share files and printers.
Implement Group Policy.
Use Group Policy Objects to secure Windows Servers.
Implement server virtualization using Hyper-V.

Course Outline
This section provides an outline of the course:
Module 1, Deploying and Managing Windows Server 2012
Module 2, Introduction to Active Directory Domain Services
Module 3, Managing Active Directory Domain Services Objects
Module 4, Automating Active Directory Domain Services Administration
Module 5, Implementing IPv4
Module 6, Implementing DHCP
Module 7, Implementing DNS
Module 8, Implementing IPv6
Module 9, Implementing Local Storage
Module 10, Implementing File and Print Services
Module 11, Implementing Group Policy
Module 12, Securing Windows Servers Using Group Policy Objects
Module 13, Implementing Server Virtualization with Hyper-V

Exam/Course Mapping
This course, 20410A: Installing and Configuring Windows Server 2012, has a direct mapping of its content to the objective domain for the Microsoft exam 70-410: Installing and Configuring Windows Server 2012. The table below is provided as a study aid that will assist you in preparing for this exam and show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam, but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination, and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.


Note: The exam objectives are available online at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab2

Exam Objective Domain: Exam 70-410: Installing and Configuring Windows Server 2012

Install and Configure Servers

Install servers. This objective may include but is not limited to: Plan for a server installation; plan for server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features on Demand; migrate roles from previous versions of Windows Server
Course content: Mod 1, Lesson 1; Lab: Mod 1 Ex 1

Configure servers. This objective may include but is not limited to: Configure Server Core; delegate administration; add and remove features in offline images; deploy roles on remote servers; convert Server Core to/from full GUI; configure services; configure NIC teaming
Course content: Mod 1, Lesson 1/2; Lab: Mod 1 Ex 1/2/3. Mod 3, Lesson 4; Lab: Mod 1 Ex 2

Configure local storage. This objective may include but is not limited to: Design storage spaces; configure basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard disks (VHDs); configure storage pools and disk pools
Course content: Mod 9, Lesson 2/3; Lab: Mod 9 Ex 3/4

Configure Server Roles and Features

Configure file and share access. This objective may include but is not limited to: Create and configure shares; configure share permissions; configure offline files; configure NTFS permissions; configure access-based enumeration (ABE); configure Volume Shadow Copy Service (VSS); configure NTFS quotas
Course content: Mod 10, Lesson 1/2; Lab: Mod 10 Ex 1/2

Configure print and document services. This objective may include but is not limited to: Configure the Easy Print print driver; configure Enterprise Print Management; configure drivers; configure printer pooling; configure print priorities; configure printer permissions
Course content: Mod 10, Lesson 3; Lab: Mod 10 Ex 3

Configure servers for remote management. This objective may include but is not limited to: Configure WinRM; configure down-level server management; configure servers for day-to-day management tasks; configure multi-server management; configure Server Core; configure Windows Firewall
Course content: Mod 1, Lesson 1/2/4. Mod 12, Lesson 3; Lab: Mod 12 Ex 2


Configure Hyper-V

Create and configure virtual machine settings. This objective may include but is not limited to: Configure dynamic memory; configure smart paging; configure Resource Metering; configure guest integration services
Course content: Mod 13, Lesson 2; Lab: Mod 13 Ex 3

Create and configure virtual machine storage. This objective may include but is not limited to: Create VHDs and VHDX; configure differencing drives; modify VHDs; configure pass-through disks; manage snapshots; implement a virtual Fibre Channel adapter
Course content: Mod 9, Lesson 1. Mod 13, Lesson 2/3; Lab: Mod 13 Ex 3/4

Create and configure virtual networks. This objective may include but is not limited to: Implement Hyper-V Network Virtualization; configure Hyper-V virtual switches; optimize network performance; configure MAC addresses; configure network isolation; configure synthetic and legacy virtual network adapters
Course content: Mod 13, Lesson 4; Lab: Mod 13 Ex 2

Deploy and Configure Core Network Services

Configure IPv4 and IPv6 addressing. This objective may include but is not limited to: Configure IP address options; configure subnetting; configure supernetting; configure interoperability between IPv4 and IPv6; configure ISATAP; configure Teredo
Course content: Mod 1, Lesson 4; Lab: Mod 1 Ex 1/2. Mod 5, Lesson 2/3/4; Lab: Mod 5 Ex 1/2. Mod 8, Lesson 3/4; Lab: Mod 8 Ex 2

Deploy and configure Dynamic Host Configuration Protocol (DHCP) service. This objective may include but is not limited to: Create and configure scopes; configure a DHCP reservation; configure DHCP options; configure client and server for PXE boot; configure DHCP relay agent; authorize DHCP server
Course content: Mod 6, Lesson 1/2/3/4; Lab: Mod 6 Ex 1/2

Deploy and configure DNS service. This objective may include but is not limited to: Configure Active Directory integration of primary zones; configure forwarders; configure Root Hints; manage DNS cache; create A and PTR resource records
Course content: Mod 7, Lesson 1/2/3; Lab: Mod 7 Ex 1/2/3


Install and Administer Active Directory

Install domain controllers. This objective may include but is not limited to: Add or remove a domain controller from a domain; upgrade a domain controller; install Active Directory Domain Services (AD DS) on a Server Core installation; install a domain controller from Install from Media (IFM); resolve DNS SRV record registration issues; configure a global catalog server
Course content: Mod 2, Lesson 3; Lab: Mod 2 Ex 1/2. Mod 1, Lesson 4

Create and manage Active Directory users and computers. This objective may include but is not limited to: Automate the creation of Active Directory accounts; create, copy, configure, and delete users and computers; configure templates; perform bulk Active Directory operations; configure user rights; offline domain join; manage inactive and disabled accounts
Course content: Mod 3, Lesson 1; Lab: Mod 3 Ex 2. Mod 4, Lesson 1/2/3; Lab: Mod 4 Ex 1/2/3

Create and manage Active Directory groups and organizational units (OUs). This objective may include but is not limited to: Configure group nesting; convert groups including security, distribution, universal, domain local, and domain global; manage group membership using Group Policy; enumerate group membership; delegate the creation and management of Active Directory objects; manage default Active Directory containers; create, copy, configure, and delete groups and OUs
Course content: Mod 3, Lesson 2/4; Lab: Mod 3 Ex 1/2/3. Mod 4, Lesson 1; Lab: Mod 4 Ex 4

Create and Manage Group Policy

Create Group Policy objects (GPOs). This objective may include but is not limited to: Configure a Central Store; manage starter GPOs; configure GPO links; configure multiple local group policies; configure security filtering
Course content: Mod 11, Lesson 1/2/3; Lab: Mod 11 Ex 1/2

Configure security policies. This objective may include but is not limited to: Configure User Rights Assignment; configure Security Options settings; configure Security templates; configure Audit Policy; configure Local Users and Groups; configure User Account Control (UAC)
Course content: Mod 12, Lesson 2; Lab: Mod 12 Lab A Ex 1/2/3


Configure application restriction policies. This objective may include but is not limited to: Configure rule enforcement; configure AppLocker rules; configure Software Restriction Policies
Course content: Mod 12, Lesson 3; Lab: Mod 12 Lab B Ex 1

Configure Windows Firewall. This objective may include but is not limited to: Configure rules for multiple profiles using Group Policy; configure connection security rules; configure Windows Firewall to allow or deny applications, scopes, ports, and users; configure authenticated firewall exceptions; import and export settings
Course content: Mod 12, Lesson 4; Lab: Mod 12 Lab B Ex 2

Important: Attending this course in itself will not successfully prepare you to pass any associated certification exams. The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:
Minimum of one year's real-world, hands-on experience installing and configuring a Windows Server infrastructure
Additional study outside of the content in this handbook

There may also be additional study and preparation resources, such as practice tests, available for you to prepare for this exam. Details of these are available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab3

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to change at any time, and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online, and will provide no notification of such changes.


Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Student Course Files on the http://www.microsoft.com/learning/companionmoc Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course Evaluation
At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.


Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course.

Virtual machine: Role
20410A-LON-DC1: A domain controller running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR1: A member server running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR2: A member server running Windows Server 2012 in the Adatum.com domain. This server will be located on a second subnet.
20410A-LON-SVR3: A blank virtual machine on which students will install Windows Server 2012.
20410A-LON-SVR4: A stand-alone server running Windows Server 2012 that will be used for joining domains and initial configuration.
20410A-LON-HOST1: A bootable VHD for running Windows Server 2012 as the host for Hyper-V.
20410A-LON-CORE: A standalone server running Windows Server 2012 Server Core.
20410A-LON-RTR: A router that is used for network activities that require a separate subnet.
20410A-LON-CL1: A client computer running Windows 8 and Microsoft Office 2010 Service Pack 1 (SP1) in the Adatum.com domain.
20410A-LON-CL2: A client computer running Windows 8 and Office 2010 SP1 in the Adatum.com domain that is located in a second subnet.

Software Configuration
The following software is installed on each virtual machine:

Microsoft Network Monitor 3.4 is installed on LON-SVR2.

Course Files
There are lab files associated with the labs in this course. The lab files are located in the folder E:\Labfiles\LabXX on NYC-DC1.


Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught:

Hardware level 6 with 8 gigabytes (GB) of random access memory (RAM)


Module 1
Deploying and Managing Windows Server 2012
Contents:
Module Overview 1-1
Lesson 1: Windows Server 2012 Overview 1-2
Lesson 2: Overview of Windows Server 2012 Management 1-14
Lesson 3: Installing Windows Server 2012 1-19
Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24
Lesson 5: Introduction to Windows PowerShell 1-32
Lab: Deploying and Managing Windows Server 2012 1-37
Module Review and Takeaways 1-45

Module Overview
Understanding the capabilities of a new server operating system enables you to leverage that operating system effectively. If you do not understand the capabilities of your new operating system, you may end up using it like you used the previous operating system, and you may forego the advantages of the new system. By understanding how to utilize your new Windows Server 2012 operating system fully, and by understanding the tools that are available to manage that functionality, you will provide your organization with more value.

This module introduces the new Windows Server 2012 administrative interface. In this module, you will learn about the different roles and features that are available with the Windows Server 2012 operating system. You will also learn about the different installation options from which you can choose when deploying Windows Server 2012. This module discusses the configuration steps that you can perform both during installation and after deployment to ensure that each server can begin functioning in its assigned role. You will also learn how to use Windows PowerShell to perform common administrative tasks in Windows Server 2012.

Objectives
After completing this module, you will be able to:
Describe Windows Server 2012.
Describe the management tools available in Windows Server 2012.
Install Windows Server 2012.
Perform post-installation configuration of Windows Server 2012.
Perform basic administrative tasks using Windows PowerShell.


Lesson 1

Windows Server 2012 Overview


Before deploying Windows Server 2012, you need to understand how each of the Windows Server 2012 editions might benefit your organization's servers. You also need to know whether a particular hardware configuration is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a physical deployment, and which installation source allows you to deploy Windows Server 2012 in an efficient manner. If you do not have an understanding of these issues, you could end up costing your organization time and money by making a choice that you must later correct.

This lesson provides an overview of the various Windows Server 2012 editions, installation options, roles, and features. Using this information, you will be able to determine which Windows Server 2012 edition and installation options are right for your organization.

Lesson Objectives


After completing this lesson, you will be able to:
Describe the place of a locally deployed server on a modern network.
Explain the difference between the private and public clouds.
List the different editions of Windows Server 2012.
Describe the difference between a Server Core installation of Windows Server 2012 and a traditional installation of Windows Server 2012.
Explain the function of the server roles that are available on computers running Windows Server 2012.
Explain the purpose of various Windows Server 2012 features.

On Premises Servers

As an IT professional, you probably have heard about cloud computing. You might have heard how software and services are being moved to a public or private cloud because the cloud is at the heart of the future of enterprise computing. You could also have heard that Windows Server 2012 is ready for the cloud. As an IT professional who has worked with locally deployed servers for most of your career, it would be reasonable to ask, "If everything is moving to the cloud, why do I need to learn about deploying Windows Server 2012 locally?" The reality is, not every service and application used on a daily basis should be hosted in the cloud.

Locally-deployed servers form the backbone of an organizational network. Locally-deployed servers provide the following resources to clients:

Infrastructure services. Servers provide clients with infrastructure resources, including Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services. These services allow clients to connect and communicate with other resources. Without these services, clients would not be able to connect either to each other or to remote resources, including resources hosted in the cloud.


Shared files and printers. Servers provide a centralized location that allows users to store and share documents. Servers also host resources such as shared printers that allow groups of users to leverage resources more efficiently. Without these centralized, locally deployed resources, sharing files and backing up files centrally would be a more complex and time-intensive process. While it might be possible to host some of this information in the cloud, it doesn't always make sense to send a job to a printer that is in the next room through a server hosted at a remote location.

Hosted applications. Servers host applications such as Microsoft Exchange Server, Microsoft SQL Server, Microsoft Dynamics, and Microsoft System Center. Clients access these applications to accomplish different tasks, such as accessing e-mail or self-service deployment of desktop applications. In some cases, these resources can be deployed to the cloud. In many cases, these resources must be hosted locally for performance, cost, and regulatory reasons. The choice of whether to host these resources locally or in the cloud depends on the specifics of the individual organization.

Network access. Servers provide authentication and authorization resources to clients on the network. By authenticating against a server, a user and client can prove their identity. Even when many of an organization's servers are located in the cloud, people still need to have some form of local authentication and authorization infrastructure.

Application, update, and operating system deployment. Servers are often deployed locally to assist with the deployment of applications, updates, and operating systems to clients on the organizational network. Because of intensive bandwidth utilization, these servers must be in proximity to the clients to which they are providing this service.

Each organization will have its own requirements. An organization in an area that has limited Internet connectivity is going to rely more on servers on the premises than an organization that has access to high-speed broadband. It is important that, even in a case of Internet connectivity issues, work in an organization can continue. Productivity will be negatively affected if the failure of the organization's Internet connection suddenly means that no one is able to access their shared files and printers.

While Windows Server 2012 is promoted as being ready for the cloud, remember that, for all the cloud-ready features the product has, the operating system is still eminently suited to the traditional workhorse tasks that server operating systems have performed for at least the last two decades. If you have been working as an IT professional for some time, it is likely that you will configure and deploy Windows Server 2012 to perform the same or similar workloads that you configured for servers running Windows Server 2003, and maybe even for Windows NT 4.

Question: What is the difference between a server and a client operating system?

Question: How has the role of the server evolved over time from the Microsoft Windows NT 4.0 Server operating system to Windows Server 2012?

1-4

Deploying and Managing Windows Server 2012

What Is Cloud Computing?


Cloud computing is a general description that encompasses several different technologies. The most common forms of cloud computing are:

Infrastructure as a Service (IaaS). With this form of cloud computing, you can run a full virtual machine in the cloud. The cloud hosting provider manages the hypervisor platform, and you manage the virtual machine that runs on the cloud provider's infrastructure. Windows Azure Compute is an example of IaaS. You can run Windows Server 2012 as a virtual machine in an IaaS cloud, but in some cases the operating system will host the virtual machines in an IaaS cloud.

Platform as a Service (PaaS). With PaaS, the cloud hosting provider provisions you with a particular platform. For example, a provider may allow you to host databases. You manage the database itself, and the cloud hosting provider hosts the database server. SQL Azure is an example of Platform as a Service.

Software as a Service (SaaS). The cloud hosting provider hosts your application and all of the infrastructure that supports that application. You purchase and run a software application from a cloud hosting provider. Windows Intune and Microsoft Office 365 are examples of SaaS.

Public and Private Clouds


A public cloud is a cloud service that is hosted by a cloud services provider, and is made available for public use. A public cloud may host a single tenant, or host tenants from multiple organizations. As such, public cloud security is not as strong as private cloud security, but public cloud hosting typically costs less because costs are absorbed by multiple tenants.

In contrast, private clouds are cloud infrastructure that is dedicated to a single organization. Private clouds may be hosted by the organization itself, or may be hosted by a cloud services provider who ensures that the cloud services are not shared with any other organization.

Private clouds are more than simply large-scale hypervisor deployments; they can use the System Center 2012 management suite, which makes it possible to provide self-service delivery of services and applications. For example, in an organization that has its own private cloud, it would be possible for users to use a self-service portal to request multi-tier applications including web-server, database-server, and storage components. Windows Server 2012 and the components of the System Center 2012 suite are configured in such a way that this service request can be processed automatically, without requiring the manual deployment of virtual machines and database server software.

Question: Which type of cloud would you use to deploy a custom virtual machine running Windows Server 2012?


Options for Windows Server 2012


There are several different editions of Windows Server 2012 from which to choose. These editions allow organizations to select a version of Windows Server 2012 that best meets their needs, rather than pay for features that they do not require. When deploying a server for a specific role, systems administrators can save substantially by selecting the appropriate edition. The following list describes the Windows Server 2012 editions.

Windows Server 2012 Standard edition: Provides all roles and features available on the Windows Server 2012 platform. Supports up to 64 sockets and up to 4 terabytes (TB) of RAM. Includes two virtual machine licenses.

Windows Server 2012 Datacenter edition: Provides all roles and features that are available on the Windows Server 2012 platform. Includes unlimited virtual machine licenses for virtual machines run on the same hardware. Supports 64 sockets, up to 640 processor cores, and up to 4 TB of RAM.

Windows Server 2012 Foundation edition: Aimed at small business owners, this edition allows only 15 users, cannot be joined to a domain, and includes limited server roles. Supports one processor core and up to 32 GB of RAM.

Windows Server 2012 Essentials: Next edition of Small Business Server. Must be root server in domain. It cannot function as a Hyper-V, Failover Clustering, Server Core, or Remote Desktop Services server. It has limits of 25 users and 50 devices. Supports two processor cores and 64 GB of RAM.

Microsoft Hyper-V Server 2012: Stand-alone Hyper-V platform for virtual machines with no UI. No licensing cost (free) for host OS, but virtual machines are licensed normally. Supports 64 sockets and 4 TB of RAM. Supports domain join. Does not support Windows Server 2012 roles other than limited file services features.

Windows Storage Server 2012 Workgroup: Entry-level unified storage appliance. Limited to 50 users, one processor core, 32 GB of RAM. Supports domain join.

Windows Storage Server 2012 Standard: Supports 64 sockets, but is licensed on a two-socket incrementing basis. Supports 4 TB of RAM. Includes two virtual machine licenses. Supports domain join. Supports some roles including DNS and DHCP Server roles, but does not support others including Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), and Active Directory Federation Services (AD FS).

Windows MultiPoint Server 2012 Standard: Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and monitors. Limited to one socket, 32 GB of RAM, and a maximum of 12 sessions. Supports some roles including DNS and DHCP Server roles, but does not support others including AD DS, AD CS, and AD FS. Does not support domain join.

Windows MultiPoint Server 2012 Premium: Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and monitors. Limited to two sockets, 4 TB of RAM, and a maximum of 22 sessions. Supports some roles including DNS and DHCP Server roles, but does not support others including AD DS, AD CS, and AD FS. Supports domain join.

Note: For more information about the differences between Windows Server 2012 editions, see the Windows Server Catalog at http://www.windowsservercatalog.com/svvp.aspx.

What Is Server Core?


Server Core is a minimal installation option for Windows Server 2012 that you manage from Windows PowerShell or a command line rather than by using GUI-based tools. A Windows Server 2012 Server Core installation offers fewer components and administrative management options than the full installation of Windows Server 2012. Server Core installation is the default installation option when installing Windows Server 2012.

Server Core has the following advantages over a traditional Windows Server 2012 deployment:

Reduced update requirements. Because Server Core installs fewer components, its deployment requires you to install fewer software updates. This reduces the amount of time required for an administrator to service Server Core.

Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. When virtualized, this means that you can deploy more servers on the same host.

Increasing numbers of Microsoft server applications are designed to run on computers with Server Core-installed operating systems. For example, you can install SQL Server 2012 on computers running the Server Core-installed version of Windows Server 2008 R2.

There are two ways of installing Windows Server 2012 in a Server Core configuration:

Server Core. The standard deployment of Server Core. It is possible to convert to the full version of Windows Server 2012 with the graphical administration components only if you have access to an installation source with all server files, such as a mounted Windows image file (.wim) image.

Server Core with Management. Also known as Server Core-Full Server. This works the same as a deployment of Windows Server 2012 with the graphical component, except that the graphical components are neither installed nor removed. You can convert between Server Core with Management and Windows Server 2012 with a graphical interface by installing the graphical features, without needing to specify an installation source.


You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount

Installing the graphical components gives you the option of performing administrative tasks using the graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command-line tool. You will learn more about how to perform this task in Lesson 4, Post-installation Configuration of Windows Server 2012. Once you have performed the necessary administrative tasks, you can return the computer to its original Server Core configuration. You can switch a computer that has the graphical version of Windows Server 2012 to Server Core by removing the following features:

Graphical Management Tools and Infrastructure
Server Graphical Shell
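The switch between the graphical installation and Server Core, written out as an added Windows PowerShell example (not code from the course): it previews what a removal would take with it, because other installed components can depend on the graphical features, and it picks the right re-installation path depending on whether the GUI payload is still on disk. It assumes the feature names Server-Gui-Mgmt-Infra and Server-Gui-Shell for the two features named above, the DependsOn property exposed by Get-WindowsFeature, and C:\mount as the root of a mounted full-installation image, as in the command above.

```powershell
# Added example (not from the course text): move a Windows Server 2012
# computer between the graphical installation and Server Core safely.
# Assumptions: Server-Gui-Mgmt-Infra and Server-Gui-Shell are the PowerShell
# names of the two graphical features named in the text; C:\mount is the root
# of a mounted image that holds the full installation files.
Import-Module ServerManager

$GuiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'
$ImageRoot   = 'C:\mount'

function Get-GuiDependents {
    # Installed features (other than the GUI features themselves) that declare
    # a dependency on either GUI feature. Removing the GUI removes these too,
    # which is the situation the course warns about.
    Get-WindowsFeature |
        Where-Object { $_.Installed -and ($GuiFeatures -notcontains $_.Name) } |
        Where-Object {
            @($_.DependsOn | Where-Object { $GuiFeatures -contains $_ }).Count -gt 0
        }
}

function Convert-ToServerCore {
    $dependents = Get-GuiDependents
    if ($dependents) {
        Write-Warning 'These installed features depend on the graphical features and would be removed:'
        $dependents | ForEach-Object { Write-Warning ("  {0} ({1})" -f $_.DisplayName, $_.Name) }
    }
    # -WhatIf lists everything that would be uninstalled without changing the server.
    Uninstall-WindowsFeature -Name $GuiFeatures -WhatIf
    # Once the preview is acceptable, run the removal; the server restarts afterwards:
    # Uninstall-WindowsFeature -Name $GuiFeatures -Restart
}

function Convert-ToGui {
    # A plain Server Core installation no longer has the GUI binaries, so the
    # payload must come from the mounted image (Features on Demand). Server Core
    # with Management still has them and needs no -Source.
    $shell = Get-WindowsFeature -Name 'Server-Gui-Shell'
    if ($shell.InstallState -eq 'Removed') {
        Install-WindowsFeature -Name $GuiFeatures -Source $ImageRoot -Restart
    } else {
        Install-WindowsFeature -Name $GuiFeatures -Restart
    }
}

Convert-ToServerCore   # preview only; Convert-ToGui reverses the change
```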

Note: Be careful when removing graphical features, as some servers will have other components installed that are dependent upon those features.

When connected locally, you can use the tools that are listed in the following table to manage Server Core deployments of Windows Server 2012.

Cmd.exe: Allows you to run traditional command-line tools such as ping.exe, ipconfig.exe, and netsh.exe.

PowerShell.exe: Launches a Windows PowerShell session on the Server Core deployment. You can then perform Windows PowerShell tasks normally.

Sconfig.cmd: A command-line menu-driven administrative tool that allows you to perform most common server administrative tasks.

Notepad.exe: Allows you to use the Notepad.exe text editor within the Server Core environment.

Regedt32.exe: Provides registry access within the Server Core environment.

Msinfo32.exe: Allows you to view system information about the Server Core deployment.

Taskmgr.exe: Launches the Task Manager.

Note: If you accidentally close the command window on a computer that is running Server Core, you can recover the command window by performing the following steps:
1. Press Ctrl+Alt+Del, and then select Task Manager.
2. From the File menu, click New Task (Run), and then type cmd.exe.

Server Core supports most, but not all, Windows Server 2012 roles and features. You cannot install the following roles on a computer running Server Core:

AD FS
Application Server
Network Policy and Access Services (NPAS)
Windows Deployment Services (Windows DS)

Even if a role is available to a computer that is running the Server Core installation option, a specific role service that is associated with that role may not be available.

Note: You can check which roles on Server Core are available and which are not by running the query Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}.

The Windows Server 2012 administration paradigm focuses more on managing many servers from one console than the traditional method of managing each server separately. This means that when you want to perform an administrative task, you are more likely to manage multiple computers that are running the Server Core operating system from one computer, than you are to connect to each computer individually. You can enable remote management of a computer that is running Server Core through sconfig.cmd, or by running the following command:

Netsh.exe firewall set service remoteadmin enable ALL
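The one-console model described above, as an added Windows PowerShell example that is not part of the course: it enables remote management on a Server Core computer with the Windows Server 2012 cmdlets and Configure-SMRemoting.exe, then inventories the roles installed on several servers from one management computer and reports roles that are unexpected or missing, together with the install state of the four roles listed as unavailable on Server Core. Server names LON-SVR1 and LON-SVR2, the expected-role list, and the feature names AD-Domain-Services, DNS, ADFS-Federation, Application-Server, NPAS and WDS are assumptions.

```powershell
# Added example (not from the course text): remote management for Server Core
# and a role inventory across several servers from one console.
# Assumptions: Configure-SMRemoting.exe enables Server Manager remote management
# on Windows Server 2012; LON-SVR1/LON-SVR2 and the expected-role list are
# placeholders; feature names follow the Get-WindowsFeature naming.
Import-Module ServerManager

# --- Run locally on the Server Core computer ---
function Enable-CoreRemoteManagement {
    Enable-PSRemoting -Force              # WinRM listener plus its firewall rules
    Configure-SMRemoting.exe -Enable      # allows Server Manager to manage this server
    # Open only the remote-administration rule groups that the MMC consoles
    # (Services, Event Viewer, firewall) need, rather than disabling the firewall.
    Enable-NetFirewallRule -DisplayGroup 'Remote Service Management',
        'Remote Event Log Management', 'Windows Firewall Remote Management'
}

# --- Run from the management computer ---
function Get-RoleDrift {
    param(
        [string[]] $ComputerName,
        [string[]] $ExpectedRoles      # role feature names each server should have
    )
    foreach ($server in $ComputerName) {
        # Get-WindowsFeature reads the remote server's component store directly,
        # so one console can inventory many Server Core computers.
        $installed = Get-WindowsFeature -ComputerName $server |
            Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
        foreach ($role in $installed) {
            if ($ExpectedRoles -notcontains $role.Name) {
                # Extra roles widen the attack surface and the update load.
                [pscustomobject]@{ ComputerName = $server; Role = $role.Name; Status = 'Unexpected' }
            }
        }
        foreach ($name in $ExpectedRoles) {
            if (@($installed.Name) -notcontains $name) {
                [pscustomobject]@{ ComputerName = $server; Role = $name; Status = 'Missing' }
            }
        }
    }
}

function Get-CoreUnsupportedRoleState {
    param([string] $ComputerName)
    # The four roles the text lists as unavailable on Server Core. On a Server
    # Core computer their InstallState is expected to be Removed, not Available.
    Get-WindowsFeature -Name 'ADFS-Federation', 'Application-Server', 'NPAS', 'WDS' `
        -ComputerName $ComputerName |
        Select-Object Name, DisplayName, InstallState
}

Get-RoleDrift -ComputerName 'LON-SVR1', 'LON-SVR2' -ExpectedRoles 'AD-Domain-Services', 'DNS' |
    Format-Table -AutoSize
Get-CoreUnsupportedRoleState -ComputerName 'LON-SVR1' | Format-Table -AutoSize
```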

Windows Server 2012 Roles


To properly plan how you are going to use Windows Server 2012 to support your organization's requirements, you need to be fully aware of what roles are available as part of the operating system. Each version of Windows Server ships with a different set of roles. As new versions of Windows Server are released, some roles are enhanced and others are deprecated. For the most part, the roles that are available in Windows Server 2012 are familiar to IT professionals that have managed Windows Server 2008 and Windows Server 2003. Windows Server 2012 supports the server roles that are listed in the following table.

Active Directory Certificate Services (AD CS): Allows you to deploy certification authorities and related role services.

AD DS: A centralized store of information about network objects, including user and computer accounts. Used for authentication and authorization.

AD FS: Provides web single sign-on (SSO) and secured identity federation support.

Active Directory Lightweight Directory Services (AD LDS): Supports storage of application-specific data for directory-aware applications that do not require the full infrastructure of AD DS.

Active Directory Rights Management Services (AD RMS): Allows you to apply rights management policies to prevent unauthorized access to sensitive documents.

Application Server: Supports centralized management and hosting of high-performance distributed business applications, such as those built with Microsoft .NET Framework 4.5, and .NET Enterprise Services.

DHCP Server: Provisions client computers on the network with temporary IP addresses.

DNS Server: Provides name resolution for TCP/IP networks.

Fax Server: Supports sending and receiving of faxes. Also allows you to manage fax resources on the network.

File and Storage Services: Supports the management of shared folder storage, distributed file system (DFS), and network storage.

Hyper-V: Enables you to host virtual machines on computers that are running Windows Server 2012.

Network Policy and Access Services: Authorization infrastructure for remote connections, including Health Registration Authority (HRA) for Network Access Protection (NAP).

Print and Document Services: Supports centralized management of document tasks, including network scanners and networked printers.

Remote Access: Supports Seamless Connectivity, Always On, and Always Managed features based on DirectAccess. Also supports Remote Access through virtual private network (VPN) and dial-up connections.

Remote Desktop Services (RDS): Supports access to virtual desktops, session-based desktops, and RemoteApp programs.

Volume Activation Services: Allows you to automate and simplify the management of volume license keys and volume key activation. Allows you to manage a Key Management Service (KMS) host or configure AD DS-based activation for computers that are members of the domain.

Web Server (IIS): The Windows Server 2012 web server component.

Windows DS: Allows you to deploy server operating systems to clients over the network.

Windows Server Update Services (WSUS): Provides a method of deploying updates for Microsoft products to network computers.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server's configuration (such as firewall settings) to support the role. Windows Server 2012 also automatically deploys role dependencies simultaneously. For example, when you install the WSUS role, the Web Server (IIS) role components that are required to support the WSUS role are also installed automatically.


You add and remove roles using the Add Roles and Features Wizard, which is available from the Windows Server 2012 Server Manager console. If you are using Server Core, then you can also add and remove roles using the Install-WindowsFeature and Remove-WindowsFeature Windows PowerShell cmdlets.

Question: Which roles are often co-located on the same server?

What Are the Features of Windows Server 2012?


Windows Server 2012 features are independent components that often support role services or support the server directly. For example, Windows Server Backup is a feature as it only provides backup support for the local server. It is not a resource that can be used by other servers on the network. Windows Server 2012 includes the features that are listed in the following table.

.NET Framework 3.5 Features: Installs .NET Framework 3.5 technologies.

.NET Framework 4.5 Features: Installs .NET Framework 4.5 technologies. This feature is installed by default.

Background Intelligent Transfer Service (BITS): Allows asynchronous transfer of files to ensure that other network applications are not adversely impacted.

Windows BitLocker Drive Encryption: Supports full-disk and full-volume encryption, and startup environment protection.

BitLocker Network Unlock: Provides a network-based key protector that can unlock locked BitLocker-protected domain-joined operating systems.

Windows BranchCache: Allows the server to function as either a hosted cache server or a BranchCache content server for BranchCache clients.

Client for NFS: Provides access to files stored on network file system (NFS) servers.

Data Center Bridging: Allows you to enforce bandwidth allocation on Converged Network Adapters.

Enhanced Storage: Provides support for additional functionality available in Enhanced Storage Access (IEEE 1667 protocol) devices, including data access restrictions.

Failover Clustering: A high-availability feature that allows Windows Server 2012 to participate in failover clustering.

Group Policy Management: An administrative management tool for administering Group Policy across an enterprise.

Ink and Handwriting Services: Allows use of Ink Support and Handwriting Recognition.

Internet Printing Client: Supports use of Internet Printing Protocol.

IP Address Management (IPAM) Server: Centralized management of IP address and namespace infrastructure.

Internet SCSI (iSCSI) Target Storage Provider: Provides iSCSI target and disk management services to Windows Server 2012.

Internet Storage Name Service (iSNS) Server service: Supports discovery services of iSCSI storage area networks (SANs).

Line Printer Remote (LPR) Port Monitor: Allows the computer to send print jobs to printers that are shared using the Line Printer Daemon (LPD) service.

Management Open Data Protocol (OData) IIS Extension: Allows you to expose Windows PowerShell cmdlets through an OData-based web service running on the IIS platform.

Media Foundation: Supports media file infrastructure.

Message Queuing: Supports message delivery between applications.

Multipath input/output (I/O): Supports multiple data paths to storage devices.

Network Load Balancing (NLB): Allows traffic to be distributed in a load-balanced manner across multiple servers that host the same stateless application.

Peer Name Resolution Protocol (PNRP): Name resolution protocol that allows applications to resolve names on the computer.

Quality Windows Audio Video Experience: Supports audio and video streaming applications on IP home networks.

Remote Access Server (RAS) Connection Manager Administration Kit: Allows you to create connection manager profiles that simplify remote access configuration deployment to client computers.

Remote Assistance: Allows remote support through invitations.

Remote Differential Compression (RDC): Transfers the differences between files over a network, minimizing bandwidth utilization.

Remote Server Administration Tools: Collection of consoles and tools for remotely managing roles and features on other servers.

Remote Procedure Call (RPC) over HTTP Proxy: Relays RPC traffic over HTTP as an alternative to VPN connections.

Simple TCP/IP Services: Supports basic TCP/IP services, including Quote of the Day.

Simple Mail Transfer Protocol (SMTP) Server: Supports transfer of email messages.

Simple Network Management Protocol (SNMP) Service: Includes SNMP agents that are used with the network management services.

Subsystem for UNIX-based Applications: Supports Portable Operating System Interface for UNIX (POSIX)-compliant UNIX-based applications.

Telnet Client: Allows outbound connections to Telnet servers and other Transmission Control Protocol (TCP)-based services.

Telnet Server: Allows clients to connect to the server using the Telnet protocol.

Trivial File Transfer Protocol (TFTP) Client: Allows you to access TFTP servers.

User Interfaces and Infrastructure: Contains the components necessary to support the graphical interface installation option on Windows Server 2012. On graphical installations, this feature is installed by default.

Windows Biometric Framework (WBF): Allows use of fingerprint devices for authentication.

Windows Feedback Forwarder: Supports sending of feedback to Microsoft when joining a Customer Experience Improvement Program (CEIP).

Windows Identity Foundation 3.5: Set of .NET Framework classes that support implementing claims-based identity on .NET applications.

Windows Internal Database: Relational data store that can only be used by Windows roles and features such as WSUS.

Windows PowerShell: Task-based command-line shell and scripting language used to administer computers running Windows operating systems. This feature is installed by default.

Windows PowerShell Web Access: Allows remote management of computers by running Windows PowerShell sessions in a web browser.

Windows Process Activation Service (WAS): Allows applications hosting WCF services that do not use HTTP protocols to use features of IIS.

Windows Search Service: Allows fast searches of files hosted on a server for clients compatible with the Windows Search Service.

Windows Server Backup: Backup and recovery software for Windows Server 2012.

Windows Server Migration Tools: Collection of Windows PowerShell cmdlets that assist in the migration of server roles, operating system settings, files, and shares from computers running previous versions of Windows Server operating systems to Windows Server 2012.

Windows Standards-Based Storage Management: Set of Application Programming Interfaces (APIs) that allow the discovery, management, and monitoring of storage devices that use standards such as Storage Management Initiative Specification (SMI-S).

Windows System Resource Manager (WSRM): Allows you to control the allocation of CPU and memory resources.

Windows TIFF IFilter: Supports Optical Character Recognition on Tagged Image File Format (TIFF) 6.0-compliant files.

WinRM IIS Extension: Windows Remote Management for IIS.

Windows Internet Naming Service (WINS) Server: Supports name resolution for NetBIOS names.

Wireless local area network (LAN) Service: Allows the server to use a wireless network interface.

Windows on Windows (WoW) 64 Support: Supports running 32-bit applications on Server Core installations. This feature is installed by default.

XPS Viewer: Supports the viewing and signing of documents in XPS formats.

Features on Demand
Features on Demand is a Windows Server 2012 installation option where features are not available directly on the deployed server, but can be added if you have access to a remote source, such as a mounted image of the full operating system. The advantage of a Features on Demand installation is that it requires less hard disk space than a traditional installation. The disadvantage is that you must have access to a mounted installation source if you want to add a role or feature, something that is not necessary if you perform an installation of Windows Server 2012 with the graphical features enabled.

Question: Which feature do you need to install to support NetBIOS name resolution for client computers running a Microsoft Windows NT 4.0 workstation?


Lesson 2

Overview of Windows Server 2012 Management


Initially configuring a server correctly can save you from substantial problems later. Windows Server 2012 provides multiple tools to perform specific administrative tasks, each of which is appropriate for a given set of circumstances. The Windows Server 2012 management interface also enhances the ability for server administrators to perform administrative tasks on more than one server simultaneously.

In this lesson you will learn about the different management tools that you can use to perform administrative tasks on computers that are running the Windows Server 2012 operating system.

Lesson Objectives


After completing this lesson, you will be able to:

Describe Server Manager.
Describe how to use administrative tools.
Describe how to use Server Manager to perform a variety of tasks.
Describe how to configure services.
Describe how to configure remote management.

What Is Server Manager?


Server Manager is the primary graphical tool that you will use to manage computers running Windows Server 2012. You can use the Server Manager console to manage both the local server and remote servers. You can also manage servers as groups. By managing servers as groups, you can perform the same administrative tasks quickly across multiple servers that either perform the same role, or are members of the same group.

You can use the Server Manager console to perform the following tasks on both local servers and remote servers:

Add roles and features
Launch Windows PowerShell sessions
View events
Perform server configuration tasks

Best Practice Analyzers


Server Manager includes a Best Practices Analyzer tool for all Windows Server 2012 roles. With Best Practices Analyzer, you can determine whether roles on your network are functioning efficiently or if there are problems that you need to remediate. Best Practices Analyzer examines how a role functions, including querying associated event logs for warning and error events, so you can be aware of health issues associated with specific roles before those health issues cause a failure that impacts the server functionality.
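Running the same Best Practices Analyzer scans from Windows PowerShell, as an added example that is not part of the course: it scans every role model present on the server and keeps only the Error and Warning findings, which are the results that call for remediation. It assumes the BestPractices module cmdlets Get-BpaModel, Invoke-BpaModel and Get-BpaResult that Windows Server 2012 provides, and the Severity values Error, Warning and Information.

```powershell
# Added example (not from the course text): Best Practices Analyzer from the
# command line for every installed role, filtered to actionable findings.
# Assumes the BestPractices module (Get-BpaModel, Invoke-BpaModel, Get-BpaResult).
Import-Module BestPractices

function Get-BpaFindings {
    param(
        # Severities to keep. Information results describe compliant settings
        # and are noise when you are looking for problems to remediate.
        [string[]] $Severity = @('Error', 'Warning')
    )
    # Each installed role that ships a BPA model appears once in Get-BpaModel.
    foreach ($model in Get-BpaModel) {
        # Invoke-BpaModel runs the scan and stores the results; Get-BpaResult
        # reads them back. Models that cannot be scanned are skipped quietly.
        Invoke-BpaModel -ModelId $model.Id -ErrorAction SilentlyContinue | Out-Null
        Get-BpaResult -ModelId $model.Id -ErrorAction SilentlyContinue |
            Where-Object { $Severity -contains $_.Severity } |
            Select-Object @{ Name = 'Model'; Expression = { $model.Id } },
                          Severity, Title, Problem, Resolution
    }
}

function Get-BpaSummary {
    # One line per model and severity with a finding count: a quick health
    # view across roles before reading the individual results.
    Get-BpaFindings | Group-Object Model, Severity |
        Select-Object @{ Name = 'ModelAndSeverity'; Expression = { $_.Name } }, Count
}

Get-BpaSummary | Format-Table -AutoSize
Get-BpaFindings | Sort-Object Severity, Model | Format-List Model, Severity, Title, Resolution
```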


Administrative Tools


When you use Server Manager to perform a specific role-related or feature-related administrative task, the console launches the appropriate administrative tool. When you install a role or feature using Server Manager locally or remotely, the appropriate administrative tool is also loaded. For example, if you use Server Manager to install the DHCP role on another server, the DHCP console will automatically be installed on the local server. You can install the complete set of administrative tools for Windows Server 2012 by installing the Remote Server Administration Tools feature.

The most common tools that administrators use (aside from Windows PowerShell, which you will learn about in Lesson 5) include:

Active Directory Administrative Center. With this console, you can perform Active Directory administrative tasks such as raising domain and forest functional levels and enabling the Active Directory Recycle Bin. You also use this console to manage Dynamic Access Control.
Active Directory Users and Computers. With this tool, you can create and manage Active Directory users, computers, and groups. You can also use this tool to create Organizational Units (OUs).
DNS Console. With the DNS console, you can configure and manage the DNS Server role. This includes creating forward and reverse lookup zones and managing DNS records.
Event Viewer. You can use the Event Viewer to view events recorded in the Windows Server 2012 event logs.
Group Policy Management Tool. With this tool, you can edit Group Policy Objects (GPOs) and manage their application in AD DS.
IIS Manager Tool. You can use this tool to manage websites.
Performance Monitor. You can use this console to view and record performance data by selecting counters associated with specific resources that you want to monitor.
Resource Monitor. You can use this console to view real-time information on CPU, memory, disk, and network utilization.
Task Scheduler. You can use this console to manage the execution of scheduled tasks.

You can access each of these tools from the Tools menu in Server Manager.

Note: You can also pin frequently used tools to the Windows Server 2012 taskbar, or to the Start menu.

Demonstration: Using Server Manager


In this demonstration, you will see how Server Manager is used to perform the following tasks:

Log on to Windows Server 2012 and view the Windows Server 2012 desktop.
Add a feature by using the Add Roles and Features Wizard.
View role-related events.
Run the Best Practice Analyzer for a role.
List the tools available from Server Manager.
Restart Windows Server 2012.

Demonstration Steps

Log on to Windows Server 2012 and view the Windows Server 2012 desktop
Log on to LON-DC1, and then close the Server Manager console.

Add a feature by using the Add Roles and Features Wizard


1. Open Server Manager from the taskbar.
2. Start the Add Roles and Features Wizard.
3. Select Role-based or feature-based installation.
4. Select Select a server from the server pool, verify that LON-DC1.Adatum.com is selected, and then click Next.
5. On the Select server roles page, select Fax Server.
6. In the Add Roles and Features Wizard dialog box, click Add Features.
7. On the Select features page, click BranchCache.
8. On the Fax Server page, click Next.
9. On the Print and Document Services page, click Next.
10. On the Select role services page, click Next.
11. On the Confirmation page, select the Restart the destination server automatically if required check box, click Yes, click Install, and then click Close.
12. Click the flag icon next to Server Manager Dashboard, and review the messages.

View role-related events


1. Click the Dashboard node.
2. In the Roles and Server Groups pane, under DNS, click Events.
3. On the DNS - Events Detail View, change the time period to 48 hours, and the Event Sources to All.

Run the Best Practice Analyzer for a role


1. Under DNS, click BPA results.
2. Select All on the Severity Levels drop-down menu, and then click OK.

List the tools available from Server Manager


Click on the Tools menu, and review the tools that are installed on LON-DC1.

Log off the currently logged-on user


1. 2. On the Start menu, click Administrator, and then click Sign Out. Log on to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.


Restart Windows Server 2012

In a Windows PowerShell window, type the following command, and then press Enter:
Shutdown /r /t 60
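The same demonstration tasks can be scripted, which is how you would repeat them on many servers or keep a record of what was changed. The following is an added example, not part of the course material; it assumes the ServerManager and BestPractices PowerShell modules shipped with Windows Server 2012, an elevated session on the lab server LON-DC1, and that the DNS Server role is already installed there, as it is in the demonstration.

```powershell
# Added example (not from the course): the demonstration's Server Manager tasks
# done from Windows PowerShell on the lab server LON-DC1. Assumes the ServerManager
# and BestPractices modules shipped with Windows Server 2012 and that the DNS
# Server role is already installed, as it is on LON-DC1 in the demonstration.

# Add a feature: Fax Server and BranchCache, the items the wizard selects.
$install = Install-WindowsFeature -Name Fax, BranchCache -IncludeManagementTools
"Install succeeded: $($install.Success); restart needed: $($install.RestartNeeded)"

# View role-related events: DNS Server log, last 48 hours, all sources,
# the same filter as the Events Detail View in the demonstration.
$since = (Get-Date).AddHours(-48)
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize

# Run the Best Practices Analyzer for the DNS Server role and show results of
# every severity ("All" on the Severity Levels menu). The model id is looked up
# rather than hard-coded because ids differ between roles.
$model = Get-BpaModel | Where-Object { $_.Id -like '*DNSServer*' } | Select-Object -First 1
if ($model) {
    Invoke-BpaModel -ModelId $model.Id | Out-Null
    Get-BpaResult -ModelId $model.Id |
        Sort-Object Severity |
        Select-Object Severity, Category, Title |
        Format-Table -AutoSize -Wrap
}

# List management tools: the Tools menu is populated from installed Remote Server
# Administration Tools features, so listing those shows what it offers.
Get-WindowsFeature | Where-Object { $_.Installed -and $_.Name -like 'RSAT*' } |
    Select-Object Name, DisplayName

# Restart: same as shutdown /r /t 60 in the demonstration, but only when the
# feature installation reports that a restart is actually needed.
if ($install.RestartNeeded -eq 'Yes') {
    shutdown.exe /r /t 60 /c "Restart after Fax Server and BranchCache installation"
}
```

Install-WindowsFeature returns an object whose Success and RestartNeeded properties let the script decide whether to restart, rather than restarting unconditionally as the demonstration's shutdown command does.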

Configuring Services

Services are programs that run in the background and provide services to clients and the host server. You can manage services through the Services console, which is available through the Tools menu in Server Manager. When securing a computer, you should disable all services except those that are required by the roles, features, and applications that are installed on the server.

Startup Types

Services use one of the following startup types:
- Automatic. The service starts automatically when the server boots.
- Automatic (Delayed Start). The service starts automatically after the server has booted.
- Manual. The service must be started manually, either by a program or by an administrator.
- Disabled. The service is disabled and cannot be started.

Note: If a server is behaving problematically, open the Services console, sort by startup type, and then locate those services that are configured to start automatically, and which are not in a running state.

Service Recovery

Recovery options determine what a service does in the event that it fails. You access the Recovery tab by opening the properties of a service, for example the DNS Server Properties window. On the Recovery tab, you have the following recovery options:
- Take no action. The service remains in a failed state until attended to by an administrator.
- Restart the Service. The service restarts automatically.
- Run a Program. Allows you to run a program or a script.
- Restart the Computer. The computer restarts after a preconfigured number of minutes.

You can configure different recovery options for the first failure, the second failure, and subsequent failures. You can also configure a period of time after which the service failure clock resets.
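The three points above (the check for automatic services that are not running, disabling services the installed roles do not need, and the Recovery tab) can all be scripted. The following is an added example, not from the course; it assumes an elevated PowerShell session on Windows Server 2012, and the allow-list of required services in it is a constructed illustration that you would build from the roles, features, and applications on your own server.

```powershell
# Added example (not from the course): audit and harden service configuration.
# Assumes an elevated PowerShell session on Windows Server 2012.

# Part 1 - the check from the note above: services whose startup type is
# Automatic (Win32_Service reports both Automatic and Automatic (Delayed Start)
# as StartMode 'Auto') but which are not currently running.
function Get-StoppedAutomaticService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, State, StartMode, StartName
}

# Part 2 - the least-service principle: automatic services that are not on the
# allow-list of what this server's roles, features and applications need.
# The list is a constructed illustration; derive yours from the actual server.
$required = @('Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation', 'RpcSs',
              'W32Time', 'WinRM', 'Dhcp', 'Netlogon', 'DNS')
function Get-UnexpectedAutomaticService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $required -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartName
}

# Part 3 - recovery options, the equivalent of the Recovery tab: restart the
# service after each failure (first, second and subsequent) with a delay, and
# reset the failure count after one day. sc.exe needs a space after each "name=".
function Set-ServiceRecoveryRestart {
    param([string]$ServiceName, [int]$DelayMs = 60000, [int]$ResetSeconds = 86400)
    & sc.exe failure $ServiceName reset= $ResetSeconds actions= "restart/$DelayMs/restart/$DelayMs/restart/$DelayMs"
    & sc.exe qfailure $ServiceName   # show the resulting configuration for review
}

Get-StoppedAutomaticService   | Format-Table -AutoSize
Get-UnexpectedAutomaticService | Format-Table -AutoSize
Set-ServiceRecoveryRestart -ServiceName 'DNS'
```

Review the output of Get-UnexpectedAutomaticService before disabling anything: a service that is not on the list may still be a dependency of one that is, and Get-Service -Name X -DependentServices shows what relies on it.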

Managed Service Accounts

Managed service accounts are special domain-based accounts that you can use with services. The advantage of a managed service account is that the account password is rotated automatically according to a schedule. These password changes are automatic, and do not require administrator intervention. This minimizes the chance that the service account password will be compromised, something that happens because administrators traditionally assign simple passwords to service accounts, use the same service account across a large number of servers, and never bother to update those passwords. Virtual accounts are service-specific accounts that are local rather than domain-based. The password for virtual accounts is rotated and managed by the operating system.

Question: What is the advantage of a managed service account compared with a traditional domain-based service account?
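The following added example, which is not part of the course, shows how a group managed service account is created and assigned to a service so that the operating system, not an administrator, holds and rotates its password. It assumes the ActiveDirectory PowerShell module (the RSAT-AD-PowerShell feature) on a Windows Server 2012 domain member, a forest prepared with a KDS root key, and rights to create accounts; the names adatum.com, LON-SVR1, svc-app and MyAppService are constructed for the example.

```powershell
# Added example (not from the course): create a group managed service account
# (gMSA) in Active Directory and install it on the server that runs the service.
# Assumes the ActiveDirectory module on a Windows Server 2012 domain member and
# rights to create the account. adatum.com, LON-SVR1, svc-app and MyAppService
# are constructed names.
Import-Module ActiveDirectory

# One-time forest preparation: the KDS root key from which gMSA passwords are
# derived. -EffectiveImmediately is for labs only; in production omit it and
# allow the default delay so every domain controller has the key.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# The account. PrincipalsAllowedToRetrieveManagedPassword restricts which hosts
# may fetch the password from a domain controller; only those hosts can run a
# service as svc-app. The password is rotated every 30 days by the DCs.
New-ADServiceAccount -Name 'svc-app' -DNSHostName 'svc-app.adatum.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'LON-SVR1$' `
    -ManagedPasswordIntervalInDays 30

# On LON-SVR1: install the account locally and confirm the host can retrieve the
# password (Test-ADServiceAccount returns $true when it can).
Install-ADServiceAccount -Identity 'svc-app'
Test-ADServiceAccount -Identity 'svc-app'

# Point a service at the account. The password argument is deliberately empty:
# the service control manager retrieves the current gMSA password itself.
& sc.exe config 'MyAppService' obj= 'ADATUM\svc-app$' password= ""

# Verification: which account each service runs as. gMSA names end in $, so
# ordinary domain or shared accounts stand out in this list.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY|NT SERVICE)' } |
    Select-Object Name, StartName
```

The last query is the audit that the paragraph's warning calls for: an account name that appears against services on many servers, and does not end in $, is the shared, rarely changed password the text describes.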

Configuring Remote Management

You rarely perform systems administration from the server room. Almost all tasks that you perform on a daily basis will be performed using remote management technologies. With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote management tools to manage a computer remotely. You can enable Remote Management from Server Manager by performing the following steps:
1. In the Server Manager console, click the Local Server node.
2. In the Properties dialog box for the local server, next to Remote Management, click Disabled. This opens the Configure Remote Management dialog box.
3. In the Configure Remote Management dialog box, select the Enable Remote Management Of This Server From Other Computers check box, and then click OK.

You can enable remote management from the command line by running the command WinRM -qc. You can disable Remote Management by using the same method that you use to enable it. You can disable remote management on a computer running the Server Core installation option using the sconfig.cmd tool.

Remote Desktop

Remote Desktop is the traditional method by which systems administrators remotely connect to the servers that they manage. You can configure Remote Desktop on a computer that is running the full version of Windows Server 2012 by performing the following steps:
1. In the Server Manager console, click the Local Server node.
2. Next to Remote Desktop, click Disabled.
3. In the System Properties dialog box, on the Remote tab, select one of the following options:
   o Don't allow connections to this computer. The default state of Remote Desktop is disabled.
   o Allow connections from computers running any version of Remote Desktop. Allows connections from Remote Desktop clients that do not support Network Level Authentication.
   o Allow connections only from computers running Remote Desktop with Network Level Authentication. Allows secure connections from computers running Remote Desktop clients that support Network Level Authentication.

You can enable and disable Remote Desktop on computers that are running the Server Core installation option by using the sconfig.cmd command-line tool.
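Both settings discussed above, Remote Management (WinRM) and Remote Desktop, are worth reporting on as well as setting, because the middle Remote Desktop option accepts clients that only authenticate after a session is created. The following is an added example, not from the course; it assumes an elevated PowerShell session on Windows Server 2012 and uses the registry values that the System Properties dialog writes.

```powershell
# Added example (not from the course): report and set the two remote access
# settings discussed above, preferring the least-exposed configuration:
# WinRM through Enable-PSRemoting, and Remote Desktop only with Network Level
# Authentication (NLA). Assumes an elevated session on Windows Server 2012.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$rdpKey\WinStations\RDP-Tcp"

function Get-RemoteAccessState {
    $winrm = Get-Service -Name WinRM
    # Test-WSMan with no computer name succeeds only when a local listener answers.
    $listening = try { [bool](Test-WSMan -ErrorAction Stop) } catch { $false }
    $deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    [pscustomobject]@{
        WinRMService   = $winrm.Status
        WinRMListening = $listening
        RDPEnabled     = ($deny -eq 0)   # 0 = connections allowed
        RDPRequiresNLA = ($nla -eq 1)    # 1 = the NLA-only radio button
    }
}

function Enable-RemoteManagement {
    # Equivalent to the "Enable Remote Management Of This Server" check box:
    # starts WinRM, creates the listener and enables the firewall rule.
    Enable-PSRemoting -Force | Out-Null
}

function Set-RemoteDesktop {
    param([bool]$Enabled, [bool]$RequireNLA = $true)
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value ([int](-not $Enabled))
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value ([int]$RequireNLA)
    if ($Enabled) { Enable-NetFirewallRule  -DisplayGroup 'Remote Desktop' }
    else          { Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
}

# Baseline, change, and re-check. RDP enabled without NLA is flagged explicitly.
Get-RemoteAccessState
Enable-RemoteManagement
Set-RemoteDesktop -Enabled $true -RequireNLA $true
$state = Get-RemoteAccessState
if ($state.RDPEnabled -and -not $state.RDPRequiresNLA) {
    Write-Warning 'Remote Desktop accepts connections without Network Level Authentication'
}
$state
```

Get-RemoteAccessState alone is safe to run against any server during a review; only the two Set functions change configuration.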


Lesson 3

Installing Windows Server 2012

When preparing to install Windows Server 2012, you need to understand whether a particular hardware configuration is appropriate. You also need to know whether a Server Core deployment might be more suitable than a full graphical user interface (GUI) deployment, and which installation source allows you to deploy Windows Server 2012 in an efficient manner. In this lesson you will learn about the process of installing Windows Server 2012, including the methods that you can use to install the operating system, the different installation options, the minimum system requirements, and the decisions that you need to make when using the Installation Wizard.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe the different methods that you can use to install Windows Server 2012.
- Identify the different installation types that you can choose when installing Windows Server 2012.
- Determine whether a computer or virtual machine meets the minimum hardware requirements necessary to install Windows Server 2012.
- Describe the decisions that you need to make when performing a Windows Server 2012 installation.

Installation Methods

Microsoft distributes Windows Server 2012 on optical media and in an .iso image format. ISO format is becoming more common as organizations acquire software over the Internet rather than physically. Once you have the operating system from Microsoft, you can then use your own method to deploy the operating system. You can install Windows Server 2012 by using a variety of methods, including the following:

- Optical Media
   o Disadvantages include:
     Requires that the computer has access to a DVD-ROM drive.
     Is usually slower than USB media.
     You cannot update the installation image without replacing the media.
     You can only perform one installation per DVD-ROM at a time.

- USB Media
   o Advantages include:
     All computers allow boot from USB media.
     The image can be updated as new software updates and drivers become available.
     The answer file can be stored on a USB drive, minimizing the amount of interaction that the administrator must perform.
   o Disadvantages include:
     It requires the administrator to perform special steps to prepare USB media from an ISO file.

- Mounted ISO image
   o Advantages include:
     With virtualization software, you can mount the ISO image directly, and install Windows Server 2012 on the virtual machine.

- Network Share
   o Advantages include:
     It is possible to boot a server off a boot device (DVD or USB drive) and install from installation files hosted on a network share.
   o Disadvantages include:
     This method is much slower than using Windows Deployment Services. If you already have access to a DVD or USB media, it is simpler to use those tools for operating system deployment.

- Windows DS
   o Advantages include:
     You can deploy Windows Server 2012 from WIM image files or specially prepared VHD files.
     You can use the Windows Automated Installation Kit (AIK) to configure lite-touch deployment.
     Clients perform a Pre-Boot eXecution Environment (PXE) boot to contact the WDS server, and the operating system image is transmitted to the server over the network.
     WDS allows multiple concurrent installations of Windows Server 2012 using multicast network transmissions.

- System Center Configuration Manager
   o Advantages include:
     System Center Configuration Manager allows you to fully automate the deployment of Windows Server 2012 to new servers that do not have an operating system installed. This process is called Zero Touch deployment.

- Virtual Machine Manager Templates
   o Advantages include:
     Windows Server 2012 is usually deployed in private cloud scenarios from preconfigured virtual machine templates.
     You can configure multiple components of the System Center suite to allow self-service deployment of Windows Server 2012 virtual machines.

Question: What is another method that you can use to deploy Windows Server 2012?


Installation Types

How you deploy Windows Server 2012 on a specific server depends on the circumstances of that deployment. Deploying to a server that is running Windows Server 2008 R2 requires different actions than deploying to a server running an x86 edition of Windows Server 2003. When you are performing the installation of the Windows Server 2012 operating system, you can choose one of the options in the following table.

Installation Option | Description
Fresh installation | Allows you to perform a fresh install on a new disk or volume. Fresh installations are the most frequently used, and take the shortest amount of time. You can also use this option to configure Windows Server 2012 to perform a dual boot if you want to keep the existing operating system.
Upgrade | An upgrade preserves the files, settings, and applications installed on the original server. You perform an upgrade when you want to keep all of these items and want to continue to use the same server hardware. You can only upgrade to Windows Server 2012 from x64 versions of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. You can only upgrade to an equivalent or newer edition of Windows Server 2012. You launch an upgrade by running setup.exe from within the original operating system.
Migration | Use migration when migrating from an x86 version of Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings.

When you perform a fresh installation, you can deploy Windows Server 2012 to an unpartitioned disk, or to an existing volume. You can also install Windows Server 2012 to a specially-prepared VHD file in a boot to VHD scenario. Boot to VHD requires special preparation and is not an option that you can choose when performing a typical installation using the Windows Setup wizard.


Hardware Requirements for Windows Server 2012

Hardware requirements define the minimum hardware that is required to run the Windows Server 2012 server. Your actual hardware requirements might be greater, and depend on the services that the server is hosting, the load on the server, and the responsiveness of your server. Each role service and feature places a unique load on network, disk I/O, processor, and memory resources. For example, the file server role places different stresses on server hardware than the DHCP role.

Windows Server 2012 is supported on Hyper-V and certain other non-Microsoft virtualization platforms. Windows Server 2012 virtualized deployments need to match the same hardware specifications as physical deployments. For example, when creating a virtual machine to host Windows Server 2012, you need to ensure that you configure the virtual machine with enough memory and hard disk space.

Windows Server 2012 has the following minimum hardware requirements:
- Processor architecture: x86-64
- Processor speed: 1.4 gigahertz (GHz)
- Memory (RAM): 512 megabytes (MB)
- Hard disk drive space: 32 GB, more if the server has more than 16 GB of RAM

The Datacenter edition of Windows Server 2012 supports the following hardware maximums:
- 640 logical processors
- 4 TB of RAM
- 63 failover cluster nodes

Additional Reading: For more information about the Windows Server Virtualization Validation Program, see http://www.windowsservercatalog.com/svvp.aspx.

Question: Why does a server need more hard disk drive space if it has more than 16 GB of RAM?
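The minimums above can be checked automatically before an installation is attempted, which matters most for virtual machines, where the text notes they are easy to under-provision. The following added example is not from the course; it assumes it runs from an existing Windows installation on the target computer, reads inventory through CIM only, and uses exactly the thresholds stated in the text.

```powershell
# Added example (not from the course): compare a computer or VM with the minimum
# requirements listed above. Runs on an existing Windows installation on the
# target and only reads CIM inventory data; thresholds are those in the text.
function Test-WS2012Minimums {
    param([string]$SystemDriveLetter = 'C')

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${SystemDriveLetter}:'"

    $ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 2)
    $diskGB = [math]::Round($disk.Size / 1GB, 2)

    # DataWidth is the processor's native width (64 on an x86-64 CPU) even when a
    # 32-bit OS is running; MaxClockSpeed is in MHz.
    $checks = [ordered]@{
        'x86-64 processor'       = ($cpu.DataWidth -eq 64)
        'CPU speed >= 1.4 GHz'   = ($cpu.MaxClockSpeed -ge 1400)
        'RAM >= 512 MB'          = ($ramGB -ge 0.5)
        'System disk >= 32 GB'   = ($diskGB -ge 32)
    }
    # The text says more than 32 GB is needed when RAM exceeds 16 GB but does not
    # quantify it, so that case is reported rather than failed.
    $note = if ($ramGB -gt 16) { 'RAM exceeds 16 GB: plan more than 32 GB of disk' } else { $null }

    [pscustomobject]@{
        CpuGHz       = [math]::Round($cpu.MaxClockSpeed / 1000, 2)
        RamGB        = $ramGB
        SystemDiskGB = $diskGB
        Passed       = -not ($checks.Values -contains $false)
        Details      = $checks
        Note         = $note
    }
}

Test-WS2012Minimums | Format-List
```

Passed is true only when every minimum is met; Details lists each check individually so the report shows which requirement a machine misses.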


Installing Windows Server 2012

The process of deploying a server operating system is simpler today than it has been in the past. The person performing the deployment has to make fewer decisions, although the decisions that they do make are critical to the success of the deployment. A typical installation of Windows Server 2012, if you do not have an existing answer file, involves performing the following steps:
1. Connect to the installation source. Options for this include:
   o Insert a DVD-ROM containing the Windows Server 2012 installation files, and boot from the DVD-ROM.
   o Connect a specially prepared USB drive that hosts the Windows Server 2012 installation files.
   o Perform a PXE boot, and connect to a Windows DS server.
2. On the first page of the Windows Setup wizard, select the following:
   o Language to install
   o Time and currency format
   o Keyboard or input method
3. On the second page of the Windows Setup wizard, click Install now. You can also use this page to select Repair Your Computer. Use this option in the event that an installation has become corrupted, and you are no longer able to boot into Windows Server 2012.
4. In the Windows Setup wizard, on the Select The Operating System You Want To Install page, choose from the available operating system installation options. The default option is Server Core Installation.
5. On the License Terms page, review the terms of the operating system license. You must choose to accept the license terms before you can proceed with the installation process.
6. On the Which Type Of Installation Do You Want page, you have the following options:
   o Upgrade. Select this option if you have an existing installation of Windows Server that you want to upgrade to Windows Server 2012. You should launch upgrades from within the previous version of Windows Server rather than booting from the installation source.
   o Custom. Select this option if you want to perform a new installation.
7. On the Where do you want to install Windows page, choose an available disk on which to install Windows Server 2012. You can also choose to repartition and reformat disks from this page. When you click Next, the installation process will copy files and reboot the computer several times.
8. On the Settings page, provide a password for the local Administrator account.


Lesson 4

Post-Installation Configuration of Windows Server 2012

The Windows Server 2012 installation process involves answering a minimal number of questions. Once you have completed installation, you need to perform several post-installation configuration steps before you can deploy it in a production environment. These steps allow you to prepare the server for the role it will play on your organization's network. This lesson covers how to perform a range of post-installation configuration tasks, including configuring network addressing information, setting a server's name and joining it to the domain, and understanding product activation options.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe how to use Server Manager to perform post-installation configuration tasks.
- Describe how to configure the network.
- Describe how to join an Active Directory domain.
- Explain how to activate Windows Server 2012.
- Describe how to perform post-installation configuration of a Server Core computer.

Overview of Post-Installation Configuration

Unlike previous versions of Windows operating systems, the Windows Server 2012 installation process minimizes the number of questions that you need to answer. For example, you no longer need to configure network connections, a computer name, a user account, and domain membership information. The only information that you provide during the installation process is the password for the default local Administrator account. You use the Local Server node in the Server Manager console to perform the following tasks:
- Configure the IP address
- Set the computer name
- Join an Active Directory domain
- Configure the time zone
- Enable automatic updates
- Add roles and features
- Enable remote desktop
- Configure Windows Firewall settings


Configuring Server Network Settings

To communicate on the network, a server needs correct IP address information. Once you have completed installation, you need to either set or check the server's IP address configuration. By default, a newly-deployed server attempts to obtain IP address information from a DHCP server. You can view a server's IP address configuration by clicking the Local Server node in Server Manager. If the server has an IPv4 address in the APIPA range of 169.254.0.1 to 169.254.255.254, then the server has not been configured with an IP address from a DHCP server. This may be because a DHCP server has not been configured on the network, or, if there is a DHCP server, because there is a problem with the network infrastructure that blocks the adapter from receiving an address.

Note: If you are using only an IPv6 network, then an IPv4 address in this range is not problematic, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, Implementing IPv6.

Configuration Using Server Manager

You can configure IP address information for a server manually by performing the following steps:
1. In the Server Manager console, click the address next to the network adapter that you want to configure. This will open the Network Connections window.
2. Right-click the network adapter for which you want to configure an address, and then click Properties.
3. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IPv4 address information, and then click OK twice:
   o IP address
   o Subnet Mask
   o Default Gateway
   o Preferred DNS server
   o Alternate DNS server

Command-Line IPv4 Address Configuration

You can set IPv4 address information manually from an elevated command prompt by using the netsh.exe command from the interface ipv4 context. For example, to configure the adapter named Local Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following command (the adapter name must be quoted because it contains spaces):

Netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0


You can use the same context of the netsh.exe command to configure DNS settings. For example, to configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as the primary DNS server, type the following command:

Netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary

You will learn more about configuring IPv4 in Module 5, Implementing IPv4.

Network Card Teaming

With Network Card Teaming, you can increase the availability of a network resource. When you configure Network Card Teaming, a computer uses one network address for multiple cards. In the event that one of the cards fails, the computer is able to maintain communication with other hosts on the network that are using that shared address. Network card teaming does not require that the network cards be the same model or use the same driver. To team network cards, perform the following steps:
1. Ensure that the server has more than one network adapter.
2. In Server Manager, click the Local Server node.
3. Next to Network Adapter Teaming, click Disabled. This will launch the NIC Teaming dialog box.
4. In the NIC Teaming dialog box, hold down the Ctrl key, and then click each network adapter that you want to add to the team.
5. Right-click these selected network adapters, and then click Add to New Team.
6. In the New Team dialog box, provide a name for the team, and then click OK.
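The network tasks in this topic (checking for an APIPA address, the static address and DNS configuration shown with netsh.exe, and creating a team) can also be done with the NetTCPIP, DnsClient and NetLbfo PowerShell modules that ship with Windows Server 2012. The following is an added example, not from the course; the addresses match the netsh example above, while the gateway 10.10.10.1, the alternate DNS server 10.10.10.6, and the adapter and team names are constructed for the example. Run it elevated.

```powershell
# Added example (not from the course): post-installation network configuration
# with the NetTCPIP, DnsClient and NetLbfo modules on Windows Server 2012.
# Gateway, alternate DNS server, adapter and team names are constructed values.

# 1. APIPA check: an address in 169.254.0.0/16 means no DHCP lease was obtained.
function Get-ApipaAdapter {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '169.254.*' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin
}

# 2. Static IPv4 configuration, the equivalent of the two netsh commands above.
#    Subnet mask 255.255.255.0 is a prefix length of 24. DHCP is turned off on
#    the interface first so a later lease cannot replace the static settings.
function Set-StaticIPv4 {
    param(
        [string]$InterfaceAlias = 'Local Area Connection',
        [string]$Address        = '10.10.10.10',
        [int]$PrefixLength      = 24,
        [string]$Gateway        = '10.10.10.1',
        [string[]]$DnsServers   = @('10.10.10.5', '10.10.10.6')   # preferred, alternate
    )
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -Dhcp Disabled
    # Clear any existing IPv4 address and default route on the interface first
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $Address `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias   # show the result for review
}

# 3. NIC teaming: one address over several adapters. Switch-independent mode
#    needs no switch configuration. The team appears as a new adapter named after
#    it, and the static address is assigned to that interface, not to the members.
function New-ServerTeam {
    param([string]$TeamName = 'Team1', [string[]]$Members = @('Ethernet', 'Ethernet 2'))
    $nics = @(Get-NetAdapter -Name $Members -ErrorAction Stop)
    if ($nics.Count -lt 2) { throw 'Teaming requires at least two network adapters' }
    New-NetLbfoTeam -Name $TeamName -TeamMembers $Members -TeamingMode SwitchIndependent -Confirm:$false
}

Get-ApipaAdapter
Set-StaticIPv4                      # configures 'Local Area Connection'
# New-ServerTeam -TeamName 'Team1'; Set-StaticIPv4 -InterfaceAlias 'Team1'
```

When a team is created after a static address was set on one of its members, that address is lost with the member's IP binding, which is why the commented last line assigns the address to the team interface.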

How to Join the Domain

When you install Windows Server 2012, the computer is assigned a random name. Prior to joining a domain, you should configure the server with the name it will use in the domain. As a best practice, you should use a consistent naming scheme when devising a computer name. Computers should be given names that reflect their function and location, not names with personal ties, such as pet names, or fictional or historical characters. It is simpler for everyone to determine that a server named MEL-DNS1 is a DNS server in Melbourne, than it is to determine that a server named Copernicus holds the DNS role in the Melbourne office. You change this name using the Server Manager console by performing the following steps:
1. In Server Manager, click the Local Server node.
2. In the Properties window, click the active text next to Computer Name. This will launch the System Properties dialog box.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, enter the new name that you want to assign to the computer.
5. Restart the computer to implement the name change.


Prior to joining the domain, be sure to complete the following steps to verify that the new server is ready to be domain-joined:
- Ensure that you are able to resolve the IP address of the domain controller and contact that domain controller. Using the Ping tool to ping the domain controller by hostname accomplishes both of these goals.
- Complete one of the following tasks:
   o Create a computer account in the domain that matches the name of the computer that you want to join to the domain. This is often done when large numbers of computers need to be joined to the domain automatically.
   o Join the computer to the domain using a security account that has the right to perform domain-join operations.
- Verify that the security account that is used for the domain operation already exists within the domain.

Now that you have renamed your Windows Server 2012 server and have verified that it is ready to be domain-joined, you can join the server to the domain. To join the domain using Server Manager, perform the following steps:
1. In Server Manager, click the Local Server node.
2. In the Properties window, next to Workgroup, click WORKGROUP.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain option. Enter the new domain name, and then click OK.
5. In the Windows Security dialog box, enter domain credentials that allow you to join the computer to the domain.
6. Restart the computer.
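The rename, the readiness checks and the join above can be done in one PowerShell run, with the join refused when the checks fail. The following is an added example, not from the course; it uses the course's lab names adatum.com, LON-DC1 and MEL-DNS1, assumes an elevated session on the new server, and leaves the check that the joining account exists to the domain administrator, since the new server has no Active Directory tools before it is joined.

```powershell
# Added example (not from the course): rename a server and join it to the domain,
# performing the pre-join checks from the text first. adatum.com, LON-DC1 and
# MEL-DNS1 are the course lab names; run elevated on the new server.
function Test-DomainJoinReadiness {
    param([string]$Domain = 'adatum.com', [string]$DomainController = 'LON-DC1')

    $fqdn = "$DomainController.$Domain"
    # The two goals the text attributes to ping: name resolution and reachability
    $resolved  = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
    $reachable = Test-Connection -ComputerName $fqdn -Count 2 -Quiet
    # The join itself locates a DC through this SRV record, so check it as well
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DcResolved  = [bool]$resolved
        DcReachable = $reachable
        DcSrvRecord = [bool]$srv
        Ready       = ([bool]$resolved -and $reachable -and [bool]$srv)
    }
}

function Join-ServerToDomain {
    param(
        [string]$NewName = 'MEL-DNS1',
        [string]$Domain  = 'adatum.com',
        [string]$OUPath  = $null       # e.g. 'OU=Servers,DC=adatum,DC=com' when pre-staged
    )
    $ready = Test-DomainJoinReadiness -Domain $Domain
    if (-not $ready.Ready) { $ready | Format-List; throw 'Domain controller checks failed; not joining' }

    # Prompt for the account allowed to join computers instead of embedding a password
    $cred = Get-Credential -Message "Account allowed to join computers to $Domain"

    # Rename and join in one operation; the restart at the end applies both
    $params = @{ DomainName = $Domain; NewName = $NewName; Credential = $cred; Restart = $true; Force = $true }
    if ($OUPath) { $params.OUPath = $OUPath }
    Add-Computer @params
}

Test-DomainJoinReadiness
# Join-ServerToDomain -NewName 'MEL-DNS1'
```

Test-DomainJoinReadiness makes no changes and can be run on its own to diagnose a failed join; the SRV lookup in particular distinguishes a DNS client pointed at the wrong server from a domain controller that is simply down.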

Performing Offline Domain Join

Offline Domain Join is a feature you can use to join a computer to the domain when that computer does not have an active network connection. This feature can be useful in situations where connectivity is intermittent, such as when you are deploying a server to a remote site connected via satellite uplink, for example, servers in Outback Australia or on islands in the South Pacific. Use the djoin.exe command-line tool to perform an offline domain join. You can perform an offline domain join by performing the following steps:
1. Log on to the domain controller with a user account that has the appropriate rights to join other computers to the domain.
2. Open an elevated command prompt and use the djoin.exe command with the /provision option. You also need to specify the domain to which you want to join the computer, the name of the computer you will be joining to the domain, and the name of the savefile that you will transfer to the target of the offline domain join. For example, to join the computer Canberra to the domain adatum.com using the savefile Canberra-join.txt, type the following command:

djoin.exe /provision /domain adatum.com /machine canberra /savefile c:\canberra-join.txt

3. Transfer the generated savefile to the new computer, and then run the djoin.exe command with the /requestODJ option. For example, to perform the offline domain join, after transferring the savefile Canberra-join.txt to computer Canberra, you would run the following command from an elevated command prompt on Canberra:

djoin.exe /requestODJ /loadfile canberra-join.txt /windowspath %systemroot% /localos

4. Restart the computer to complete the domain-join operation.

Question: In what situation would you perform an offline domain join rather than a traditional domain join?

Activating Windows Server 2012

You must activate every copy of Windows Server 2012 that you install, to ensure that your organization is correctly licensed and to receive notices for product updates. Windows Server 2012 requires activation after installation. Unlike previous versions of the Windows server operating system, there is no longer an activation grace period. If you do not perform activation, you cannot perform operating system customization. There are two general strategies that you can use for activation:
- Manual activation. Suitable when you are deploying a small number of servers.
- Automatic activation. Suitable when you are deploying larger numbers of servers.

With manual activation, you enter the product key and the server contacts Microsoft, or an administrator performs the activation over the phone or through a special clearinghouse website. You can perform manual activation from the Server Manager console by performing the following steps:
1. Click the Local Server node.
2. In the Properties window, next to Product ID, click Not Activated.
3. In the Windows Activation dialog box, enter the product key, and then click Activate.
4. If a direct connection cannot be established to the Microsoft activation servers, details will display about performing activation using a website from a device that has an Internet connection, or by using a local telephone number.

Because computers running the Server Core installation option do not have the Server Manager console, you can perform manual activation using the slmgr.vbs command. Use the slmgr.vbs /ipk command to enter the product key, and slmgr.vbs /ato to perform activation once the product key is installed.


Previous versions of the Windows Server operating system allowed you to generalize a Windows image using the sysprep utility, but limited the number of times you could do so, because activation was rearmed each time you performed this task, and because of an overall limit of three rearms per installation. With Windows Server 2012, you can rearm a deployment up to 999 times.

You can perform manual activation using either the retail product key, or the multiple activation key. You can use a retail product key to activate only a single computer. However, a multiple activation key has a set number of activations that you can use. Using a multiple activation key, you can activate multiple computers up to a set activation limit.

OEM keys are a special type of activation key that are provided to a manufacturer and allow automatic activation when a computer is first powered on. This type of activation key is typically used with computers that are running client operating systems such as Windows 7 and Windows 8. OEM keys are rarely used with computers that are running server operating systems.

Performing activation manually in large-scale server deployments can be cumbersome. Microsoft provides a method of activating large numbers of computers automatically without having to enter product keys on each system manually.

Automatic Activation

In previous versions of the Windows Server operating system, you could use KMS to perform centralized activation of multiple clients. The Volume Activation Services server role in Windows Server 2012 allows you to manage a KMS server through a new interface. This simplifies the process of installing a KMS key on the KMS server. When you install Volume Activation Services, you can also configure Active Directory-based activation. Active Directory-based activation allows automatic activation of domain-joined computers. When you use Volume Activation Services, each computer activated must periodically contact the KMS server to renew its activation status.

You use the Volume Activation Management Tool (VAMT) 3.0 in conjunction with Volume Activation Services to perform activation of multiple computers on networks that are not connected directly to the Internet. You can use VAMT to generate license reports and manage client and server activation on enterprise networks.
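Whichever strategy is used, the activation state of a server (and, given the rearm discussion above, how many rearms remain) can be read locally, and the slmgr.vbs steps for Server Core can be wrapped so the key is never typed into a script. The following is an added example, not from the course; it assumes an elevated session on Windows Server 2012, reads the Software Licensing WMI classes, and takes the product key from the caller, with a placeholder shown in the commented call.

```powershell
# Added example (not from the course): report licensing state through the
# Software Licensing WMI classes and drive slmgr.vbs for a Server Core computer.
# Assumes an elevated session on Windows Server 2012; the product key is supplied
# by the caller (the commented value at the end is a placeholder).

function Get-ActivationState {
    # Only the Windows product with a key installed matters; PartialProductKey is
    # empty for the other licensing entries the class returns.
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
        Select-Object -First 1
    $service = Get-CimInstance -ClassName SoftwareLicensingService
    $status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    [pscustomobject]@{
        Product         = $product.Name
        Channel         = $product.ProductKeyChannel          # e.g. Retail, Volume:MAK, Volume:GVLK
        LicenseStatus   = $status[[int]$product.LicenseStatus]
        PartialKey      = $product.PartialProductKey
        RearmsRemaining = $service.RemainingWindowsReArmCount
        KmsHost         = $service.KeyManagementServiceMachine   # set once KMS-activated
    }
}

function Invoke-ManualActivation {
    param([Parameter(Mandatory)][string]$ProductKey)
    # The slmgr.vbs /ipk then /ato sequence the text describes for Server Core;
    # /xpr afterwards prints the expiry or "permanently activated".
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    & cscript.exe //nologo $slmgr /ipk $ProductKey
    & cscript.exe //nologo $slmgr /ato
    & cscript.exe //nologo $slmgr /xpr
}

Get-ActivationState
# Invoke-ManualActivation -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder key
```

Get-ActivationState runs unchanged over PowerShell remoting, so the same report can be collected from every server in a deployment to find the ones still in the Notification state.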

Configuring a Server Core Installation


Performing post-installation configuration on a computer running the Server Core installation option can be daunting to administrators that have not performed the task before. Instead of having GUI-based tools that simplify the post-installation configuration process, IT professionals are faced with performing complex configuration tasks from a command-line interface. The good news is that you can perform the majority of post-installation configuration tasks using the sconfig.cmd command-line tool. Using this utility minimizes the possibility of the Administrator making syntax errors when using more complicated command-line utilities.

You can use sconfig.cmd to perform the following tasks:
- Configure Domain and Workgroup information
- Configure the computer's name
- Add local Administrator accounts
- Configure Remote Management
- Enable Windows Update
- Download and install updates
- Enable Remote Desktop
- Configure Network Address information
- Set the date and time
- Perform Windows Activation
- Enable the Windows Server GUI
- Log off
- Restart the server
- Shut down the server

1-30 Deploying and Managing Windows Server 2012

Configure IP Address Information


You can configure the IP address and DNS information using sconfig.cmd or netsh.exe. To configure IP address information using sconfig.cmd, perform the following steps:
1. From a command prompt, run sconfig.cmd.
2. Choose option 8 to configure Network Settings.
3. Choose the index number of the network adapter to which you want to assign an IP address.
4. In the Network Adapter Settings area, choose one of the following options:
   o Set Network Adapter Address
   o Set DNS Servers
   o Clear DNS Server Settings
   o Return to Main Menu

Change Server Name


You can change a server's name using the netdom command with the renamecomputer option. For example, to rename a computer to Melbourne, type the following command:
Netdom renamecomputer %computername% /newname:Melbourne

You can change a server's name using sconfig.cmd by performing the following steps:
1. From a command prompt, run sconfig.cmd.
2. Choose option 2 to configure the new computer name.
3. Type the new computer name, and then press Enter.

You must restart a server for the configuration change to take effect.

Joining the Domain


You can join a Server Core computer to a domain using the netdom command with the join option. For example, to join the adatum.com domain using the Administrator account, and to be prompted for a password, issue the command:
Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*

20410A: Installing and Configuring Windows Server 2012

1-31

Note: Prior to joining the domain, verify that you are able to ping the DNS server by hostname.

To join a Server Core computer to the domain using sconfig.cmd, perform the following steps:
1. From a command prompt, run sconfig.cmd.
2. Choose option 1 to configure Domain/Workgroup.
3. To choose the Domain option, type D and then press Enter.
4. Type the name of the domain to which you want to join the computer.
5. Provide the details, in domain\username format, of an account that is authorized to join the domain.
6. Type the password associated with that account.

It is necessary to restart the computer to complete a domain join operation.

Adding Roles and Features


You can add and remove roles and features on a computer that is running the Server Core installation option by using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows PowerShell cmdlets. These cmdlets are available after you load the ServerManager Windows PowerShell module. For example, you can view a list of roles and features that are installed by executing the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}

You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to install the NLB feature, execute the command:
Install-WindowsFeature NLB

Not all features are directly available for installation on a computer running the Server Core operating system. You can determine which features are not directly available for installation by running the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}

You can add a role or feature that is not directly available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation image that includes the full version of Windows Server 2012. You can mount an installation image using the DISM.exe command-line utility.
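As an added example (not part of the course text), the following Windows PowerShell script checks a feature's InstallState and, only when the binaries have been removed, mounts the installation image read-only with DISM and passes its side-by-side store to -Source. The feature name, image path, image index and mount directory are assumptions.

```powershell
# Added example: install a feature whose binaries are not on a Server Core
# installation, using a read-only DISM mount of install.wim as the -Source.
# All four parameter defaults are assumptions for a lab; adjust them to your media.
param(
    [string]$FeatureName = 'Server-Gui-Mgmt-Infra',   # assumed feature to add
    [string]$ImageFile   = 'D:\sources\install.wim',  # assumed path to the 2012 media
    [int]   $ImageIndex  = 4,                         # assumed index of the full (GUI) edition
    [string]$MountDir    = 'C:\mount'                 # assumed empty mount directory
)

Import-Module ServerManager

$feature = Get-WindowsFeature -Name $FeatureName
if ($null -eq $feature) { throw "Feature '$FeatureName' is not known on this system." }

switch ($feature.InstallState) {
    'Installed' {
        Write-Output "$FeatureName is already installed."
        return
    }
    'Available' {
        # Binaries are on disk; no source is needed.
        $result = Install-WindowsFeature -Name $FeatureName
    }
    'Removed' {
        # Binaries are not on disk: mount the full image read-only and point
        # -Source at its WinSxS store, then unmount whatever happens.
        if (-not (Test-Path $ImageFile)) { throw "Installation image $ImageFile not found." }
        if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

        & dism.exe /Mount-Image "/ImageFile:$ImageFile" "/Index:$ImageIndex" "/MountDir:$MountDir" /ReadOnly
        if ($LASTEXITCODE -ne 0) { throw "DISM failed to mount $ImageFile (exit code $LASTEXITCODE)." }
        try {
            $sxs = Join-Path $MountDir 'Windows\WinSxS'
            $result = Install-WindowsFeature -Name $FeatureName -Source $sxs
        }
        finally {
            & dism.exe /Unmount-Image "/MountDir:$MountDir" /Discard | Out-Null
        }
    }
}

# Install-WindowsFeature returns a result object; check it rather than assuming success.
if (-not $result.Success) { throw "Installation of $FeatureName failed (exit code $($result.ExitCode))." }
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning "A restart is required to finish installing $FeatureName."
}
Write-Output "Installed: $($result.FeatureResult | ForEach-Object { $_.Name })"
```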

Add the GUI


You can configure a Server Core computer with the GUI using the sconfig.cmd command-line utility. To do this, choose option 12 from within the sconfig.cmd Server Configuration menu.

Note: The process of adding and removing the graphical component of the Windows Server 2012 operating system by using the Install-WindowsFeature cmdlet was covered in Lesson 1. You can also use the dism.exe command-line tool to add and remove Windows roles and features from a Server Core deployment, even though this tool is used primarily for managing image files.


Lesson 5

Introduction to Windows PowerShell


Windows PowerShell is a command-line shell and task-based scripting technology built into the Windows Server 2012 operating system that simplifies the automation of common systems administration tasks. With Windows PowerShell, you can automate common tasks, leaving you more time for more difficult systems administration tasks.

In this lesson, you will learn about Windows PowerShell, and why Windows PowerShell is perhaps the most critical piece of a server administrator's toolkit.

This lesson describes how to use Windows PowerShell's built-in discoverability to learn how to use specific cmdlets and to find related cmdlets. This lesson also discusses how to leverage the Windows PowerShell Integrated Scripting Environment (ISE) to assist you in creating effective Windows PowerShell scripts.

Lesson Objectives


After completing this lesson, you will be able to:
- Describe the purpose of Windows PowerShell.
- Describe Windows PowerShell cmdlet syntax, and explain how to determine commands associated with a particular cmdlet.
- Describe common Windows PowerShell cmdlets used to manage services, processes, roles and features.
- Describe the functionality of Windows PowerShell ISE.

What Is Windows PowerShell?


Windows PowerShell is a scripting language designed to assist you in performing day-to-day administrative tasks. Windows PowerShell is made up of cmdlets that you execute at a Windows PowerShell prompt, or combine into Windows PowerShell scripts. Unlike other scripting languages that were designed initially for another purpose, but have been adapted for system administration tasks, Windows PowerShell is designed with system administration tasks in mind.

An increasing number of Microsoft products, such as Microsoft Exchange Server 2010, have graphical interfaces that build Windows PowerShell commands. These products allow you to view the generated Windows PowerShell script, so you can execute the task at a later time without having to go through all of the steps in the GUI. Being able to automate complex tasks simplifies a server administrator's job, and saves time.

You can extend Windows PowerShell functionality by adding modules. For example, the Active Directory module includes Windows PowerShell cmdlets that are specifically useful for performing Active Directory-related management tasks. The DNS Server module includes Windows PowerShell cmdlets that are specifically useful for performing DNS server-related management tasks.


Windows PowerShell Cmdlet Syntax


Windows PowerShell cmdlets use a verb-noun syntax. Each noun has a collection of associated verbs. The available verbs differ with each cmdlet's noun. Common Windows PowerShell cmdlet verbs include:
- Get
- New
- Set
- Restart
- Resume
- Stop
- Suspend
- Clear
- Limit
- Remove
- Add
- Show
- Write

You can learn the available verbs for a particular Windows PowerShell noun by executing the command:
Get-Command -Noun NounName

You can learn the available Windows PowerShell nouns for a specific verb by executing the command:
Get-Command -Verb VerbName

Windows PowerShell parameters start with a dash. Each Windows PowerShell cmdlet has its own associated set of parameters. You can learn what the parameters are for a particular Windows PowerShell cmdlet by executing the command:
Help CmdletName

You can determine which Windows PowerShell cmdlets are available by executing the Get-Command cmdlet. Which Windows PowerShell cmdlets are available depends on which modules are loaded. You can load a module using the Import-Module cmdlet.


Common Cmdlets for Server Administration


There are certain cmdlets that you are more likely to use as a server administrator. These primarily relate to services, event logs, processes, and ServerManager running on the server.

Service Cmdlets


You can use the following Windows PowerShell cmdlets to manage services on a computer that is running Windows Server 2012:
- Get-Service. View the properties of a service.
- New-Service. Creates a new service.
- Restart-Service. Restarts an existing service.
- Resume-Service. Resumes a suspended service.
- Set-Service. Configures the properties of a service.
- Start-Service. Starts a stopped service.
- Stop-Service. Stops a running service.
- Suspend-Service. Suspends a service.

Event Log Cmdlets


You can use the following Windows PowerShell cmdlets to manage event logs on a computer that is running Windows Server 2012:
- Get-EventLog. Displays events in the specified event log.
- Clear-EventLog. Deletes all entries from the specified event log.
- Limit-EventLog. Sets event log age and size limits.
- New-EventLog. Creates a new event log and a new event source on a computer running Windows Server 2012.
- Remove-EventLog. Removes a custom event log and unregisters all event sources for the log.
- Show-EventLog. Shows the event logs of a computer.
- Write-EventLog. Allows you to write events to an event log.

Process Cmdlets


You can use the following Windows PowerShell cmdlets to manage processes on a computer that is running Windows Server 2012:
- Get-Process. Provides information on a process.
- Start-Process. Starts a process.
- Stop-Process. Stops a process.
- Wait-Process. Waits for the process to stop before accepting input.
- Debug-Process. Attaches a debugger to one or more running processes.


ServerManager Module


The ServerManager module adds three cmdlets that are useful for managing features and roles. These cmdlets are:
- Get-WindowsFeature. View a list of available roles and features. Also displays whether the feature is installed, and whether the feature is available. An unavailable feature can only be installed if you have access to an installation source.
- Install-WindowsFeature. Installs a particular Windows Server role or feature. The Add-WindowsFeature cmdlet is aliased to this command and is available in previous versions of Windows operating systems.
- Remove-WindowsFeature. Removes a particular Windows Server role or feature.

What Is Windows PowerShell ISE?


Windows PowerShell ISE is an integrated scripting environment that provides you with assistance when using Windows PowerShell. It provides command completion functionality, and allows you to see all available commands and the parameters that can be used with those commands.

Windows PowerShell ISE simplifies the process of using Windows PowerShell because you can execute cmdlets from the ISE. You can also use a scripting window within Windows PowerShell ISE to construct and save Windows PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and can create syntactically-correct Windows PowerShell commands.

Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. The ISE also provides you with debugging tools that you can use to debug simple and complex Windows PowerShell scripts.

You can use the Windows PowerShell ISE environment to view available cmdlets by module. You can then determine which Windows PowerShell module you need to load to access a particular cmdlet.

Demonstration: Using Windows PowerShell ISE


In this demonstration, you will see how to complete the following tasks:
- Use Windows PowerShell ISE to import the ServerManager module
- View the cmdlets made available in the ServerManager Module
- Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE

Demonstration Steps

Use Windows PowerShell ISE to import the ServerManager module
1. Ensure that you are logged on to LON-DC1 as Administrator.
2. In Server Manager, click Tools, and then click Windows PowerShell ISE.
3. At the prompt, type Import-Module ServerManager.

View the cmdlets made available in the ServerManager Module


In the Commands pane, use the Modules drop-down menu to select the Server Manager module.

Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE


1. Click Get-WindowsFeature, and then click Show Details.
2. In the ComputerName field, type LON-DC1, and then click Run.

Demonstration: Using Windows PowerShell


In this demonstration, you will see how to use Windows PowerShell to display the running services and processes on a server.

Demonstration Steps

Use Windows PowerShell to display the running services and processes on a server
1. On LON-DC1, open a Windows PowerShell session.
2. Execute the following commands, and then press Enter:

Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Command -Noun Service
Get-Process
Get-Help Process

3. Right-click on the Windows PowerShell icon on the taskbar and click Run as Administrator.


Lab: Deploying and Managing Windows Server 2012


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.

The marketing department has purchased a new web-based application. You need to install and configure the servers for this application in the data center. One server has a graphic interface and the second server is configured as Server Core.

Objectives
After completing this lab, you will be able to:
- Deploy Windows Server 2012.
- Configure Windows Server 2012 Server Core.
- Manage servers by using Server Manager.
- Manage servers with Windows PowerShell.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20410A-LON-DC1, 20410A-LON-CORE
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 1 to 3 for 20410A-LON-CORE. Do not log on until directed to do so.


Exercise 1: Deploying Windows Server 2012


Scenario
The first Windows Server 2012 server that you are installing for the Marketing department will host an SQL Server 2012 database engine instance. You want to configure the server so that it will have the full GUI, as this will allow the application vendor to run support tools directly on the server, rather than requiring a remote connection.

The main tasks for this exercise are as follows:
1. Install the Windows Server 2012 server.
2. Change the server name.
3. Change the date and time.
4. Configure the network and network teaming.
5. Add the server to the domain.

Task 1: Install the Windows Server 2012 server


1. In the Hyper-V Manager console, open the settings of 20410A-LON-SVR3. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This file is located at C:\Program Files\Microsoft Learning\20410\Drives.
2. Start 20410A-LON-SVR3.
3. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, click Next, and then click Install Now.
   o Language to install: English (United States)
   o Time and currency format: English (United States)
   o Keyboard or input method: US
4. Click to install the Windows Server 2012 Release Candidate Datacenter (Server with a GUI) operating system.
5. Accept the license terms and then click Custom: Install Windows only (advanced).
6. Install Windows Server 2012 on Drive 0.

Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.

7. Enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click Finish to complete the installation.

Task 2: Change the server name


1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.
2. In Server Manager, on the Local Server node, click on the randomly-generated name next to Computer name.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer name box, type LON-SVR3, and then click OK.
5. Click OK again, and then click Close.
6. Restart the computer.


Task 3: Change the date and time


1. On LON-SVR3, on the taskbar, click the time display, and then click Change date and time settings.
2. Click Change Time Zone, and set the time zone to your current time zone.
3. Click Change Date and Time, and verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom.
4. Close the Date and Time dialog box.

Task 4: Configure the network and network teaming


1. On LON-SVR3, click Local Server, and then next to NIC Teaming, click Disabled.
2. Press and hold the Ctrl key, and then in the Adapters And Interfaces area, click both Local Area Connection and Local Area Connection 2.
3. Right-click on the selected network adapters, and then click Add to New Team.
4. Enter LON-SVR3 in the Team name box, click OK, and then close the NIC Teaming dialog box.
5. Refresh the console pane. Next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.
6. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.
7. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
8. Enter the following IP address information, and then click OK.
   o IP address: 172.16.0.101
   o Subnet Mask: 255.255.0.0
   o Default Gateway: 172.16.0.1
   o Preferred DNS server: 172.16.0.10
9. Close all dialog boxes.

Task 5: Add the server to the domain


1. On LON-SVR3, in the Server Manager console, click Local Server.
2. Next to Workgroup, click WORKGROUP.
3. On the Computer Name tab, click Change.
4. Click the Domain option, and in the Domain box, enter adatum.com.
5. Enter the following account details:
   o Username: Administrator
   o Password: Pa$$w0rd
6. In the Computer Name/Domain Changes dialog box, click OK.
7. Restart the computer to apply changes.
8. In the System Properties dialog box, click Close.
9. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.

Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also will have configured LON-SVR3 including name change, date and time, networking, and network teaming.


Exercise 2: Configuring Windows Server 2012 Server Core


Scenario
The web-based tier of the marketing application is a .NET application. To minimize the operating system footprint and reduce the need to apply software updates, you have chosen to host the IIS component on a computer running the Server Core installation option of the Windows Server 2012 operating system. To enable this, you will need to configure a computer that is running Windows Server 2012 with the Server Core installation option.

The main tasks for this exercise are as follows:
1. Change the server name.
2. Change the computer's date and time.
3. Configure the network.
4. Add the server to the domain.

Task 1: Change the server name


1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.
2. On LON-CORE, type sconfig.cmd.
3. Click option 2 to select Computer Name.
4. Set the computer name as LON-CORE.
5. In the Restart dialog box, click Yes to restart the computer.
6. After the computer restarts, log on to server LON-CORE using the Administrator account.
7. At the command prompt, type hostname, and then press Enter to verify the computer's name.

Task 2: Change the computer's date and time


1. On LON-CORE, in the sconfig.cmd main menu, type 9 to select Date and Time.
2. Click Change time zone, and then set the time zone to the same time zone that your classroom uses.
3. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location.
4. Click OK three times to dismiss the dialog boxes, and then exit sconfig.cmd.

Task 3: Configure the network


1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.
2. Type 8 to configure Network Settings.
3. Type the number of the network adapter that you want to configure.
4. Type 1 to set the Network Adapter Address.
5. Select static IP address configuration, and then enter the address 172.16.0.111.
6. At the Enter subnet mask prompt, type 255.255.0.0.
7. At the Enter default gateway prompt, type 172.16.0.1.
8. Type 2 to configure the DNS server address.
9. Set the preferred DNS server to 172.16.0.10.
10. Do not configure an alternate DNS server address.
11. Exit sconfig.cmd.
12. Verify network connectivity to lon-dc1.adatum.com using the Ping tool.

Task 4: Add the server to the domain


1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.
2. Type 1 to configure Domain/Workgroup.
3. Type D to join a domain.
4. At the Name of domain to join prompt, type adatum.com.
5. At the Specify an authorized domain\user prompt, type adatum\administrator.
6. At the Type the password associated with the domain user prompt, type Pa$$w0rd.
7. At the prompt, click Yes.
8. Restart the server.
9. Log on to server LON-CORE with the adatum\administrator account using the password Pa$$w0rd.

Results: After finishing this exercise you will have configured a Windows Server 2012 Server Core deployment, and verified the server's name.
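The Server Core post-installation procedure from Lesson 4 (sconfig.cmd and netdom) and the Exercise 2 tasks above, carried out from a Windows PowerShell session on LON-CORE, as an added example that is not part of the course lab. It uses the lab's addresses and domain, assumes a single connected network adapter, and prompts for the join credential instead of typing the password on the command line.

```powershell
# Added example: Exercise 2 (rename, static IPv4, DNS, verify the DC, join the domain)
# done with the NetTCPIP, DnsClient and Microsoft.PowerShell.Management cmdlets that
# ship with Windows Server 2012. Values are the lab's; the single-NIC layout is assumed.
$NewName      = 'LON-CORE'
$IPAddress    = '172.16.0.111'
$PrefixLength = 16                    # 255.255.0.0
$Gateway      = '172.16.0.1'
$DnsServer    = '172.16.0.10'
$Domain       = 'adatum.com'
$DC           = 'lon-dc1.adatum.com'

# Task 3 steps 2-3: pick the connected adapter rather than an sconfig index number.
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
if (-not $adapter) { throw 'No connected network adapter found.' }
$ifIndex = $adapter.ifIndex

# Task 3 steps 4-7: turn off DHCP on the interface, clear any existing IPv4 address and
# default route, then assign the static address and gateway.
Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $IPAddress -PrefixLength $PrefixLength `
    -DefaultGateway $Gateway | Out-Null

# Task 3 steps 8-10: preferred DNS server only, no alternate.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServer

# Task 3 step 12 and the lesson's Note: the DC must resolve by name and answer before the join.
$dcRecord = Resolve-DnsName -Name $DC -Type A -ErrorAction Stop
Write-Output "$DC resolves to $($dcRecord.IPAddress)"
if (-not (Test-Connection -ComputerName $DC -Count 2 -Quiet)) {
    throw "$DC does not respond to ping; fix name resolution or routing before joining."
}

# Tasks 1 and 4: rename and join in one operation. Add-Computer prompts for the
# password through Get-Credential, so it never appears on the command line or in history.
$cred = Get-Credential -UserName "$Domain\Administrator" -Message 'Account authorized to join the domain'
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

After the restart, the hostname check from Task 1 step 7 and the Get-NetIPAddress listing from Exercise 4 confirm the result.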

Exercise 3: Managing Servers


Scenario
After deploying the servers LON-SVR3 and LON-CORE for hosting the Marketing application, you need to install appropriate server roles and features to support the application. With this in mind, you will install the Windows Server Backup feature on both LON-SVR3 and LON-CORE. You will install the Web Server role on LON-CORE. You also need to configure the World Wide Web Publishing service on LON-CORE with the following settings:
- Startup type: Automatic
- Log on as: Local System Account
- First failure: Restart the Service
- Second failure: Restart the Service
- Subsequent failures: Restart the server
- Reset fail count after: 1 days
- Restart service after: 1 minute
- Restart computer after: 1 minute

The main tasks for this exercise are as follows: 1. Create a server group. 2. Deploy features and roles to both servers. 3. Review services, and change a service setting.


Task 1: Create a server group


1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. Click the Active Directory tab, and then click Find Now.
4. In the Server group name box, type LAB-1.
5. Add LON-CORE and LON-SVR3 to the server group.
6. Click LAB-1.
7. Press and hold the Ctrl key to select both LON-CORE and LON-SVR3. When both are selected, scroll down and under the Performance section, select both LON-CORE and LON-SVR3.
8. Right-click LON-CORE, and then click Start Performance Counters.

Task 2: Deploy features and roles to both servers


1. In Server Manager on LON-DC1, click the LAB-1 server group, right-click LON-CORE, and then click Add Roles and Features.
2. Click Next, click Role-based or feature-based installation, and then click Next.
3. Verify that LON-CORE.Adatum.com is selected, and then click Next.
4. Select the Web Server (IIS) Server role.
5. Select the Windows Server Backup feature.
6. Add the Windows Authentication role service, and then click Next.
7. Select the Restart the destination server automatically if required check box, and then click Install.
8. Click Close.
9. Right-click LON-SVR3, click Add Roles and Features, and then click Next.
10. Click Role-based or feature-based installation, and then click Next.
11. Verify that LON-SVR3.Adatum.com is selected, and then click Next twice.
12. Click Windows Server Backup, and then click Next.
13. Select the Restart the destination server automatically if required check box, click Install, and then click Close.
14. In Server Manager, click the IIS node, and verify that LON-CORE is listed.

Task 3: Review services, and change a service setting


1. On LON-CORE, in a command prompt window, enter the following command:

netsh.exe firewall set service remoteadmin enable ALL

2. Log on to LON-DC1 with the adatum\Administrator account.
3. In Server Manager, click LAB-1, right-click LON-CORE, and then click Computer Management.
4. Expand Services and Applications, and then click Services.
5. Verify that the Startup type of the World Wide Web Publishing service is set to Automatic.
6. Verify that the service is configured to use the Local System account.
7. Configure the following service recovery settings:
   o First failure: Restart the Service
   o Second failure: Restart the Service
   o Subsequent failures: Restart the Computer
   o Reset fail count after: 1 days
   o Reset service after: 1 minute
8. Configure the Restart Computer option to 2 minutes, and close the Service Properties dialog box.
9. Close the Computer Management console.

Results: After finishing this exercise you will have created a server group, deployed roles and features, and configured the properties of a service.
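An added example (not part of the course lab) that applies the Task 3 service settings to the World Wide Web Publishing Service on LON-CORE from LON-DC1 with Set-Service and sc.exe, then reads the recovery configuration back for verification. The service name W3SVC is the real name of that service; the example assumes step 1 (enabling remote administration on LON-CORE) has been completed.

```powershell
# Added example: Exercise 3 Task 3 (startup type, logon account check, recovery actions)
# for the World Wide Web Publishing Service, applied remotely and then verified.
$Computer = 'LON-CORE'
$Service  = 'W3SVC'    # service name of "World Wide Web Publishing Service"

# Step 5: Startup type Automatic. Set-Service accepts -ComputerName in Windows PowerShell 3.0.
Set-Service -ComputerName $Computer -Name $Service -StartupType Automatic

# Step 6: confirm the logon account. Get-Service does not expose it; Win32_Service does (StartName).
$svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$Service'"
if ($null -eq $svc) { throw "$Service was not found on $Computer; is the Web Server role installed?" }
if ($svc.StartName -ne 'LocalSystem') {
    Write-Warning "$Service on $Computer runs as '$($svc.StartName)', not Local System."
}
if ($svc.StartMode -ne 'Auto') { throw "Startup type of $Service is '$($svc.StartMode)', expected Auto." }

# Steps 7-8: recovery actions, in the order the Service Properties dialog lists them.
#   first failure      -> restart the service after 60000 ms  (1 minute)
#   second failure     -> restart the service after 60000 ms  (1 minute)
#   subsequent failure -> restart the computer after 120000 ms (2 minutes, per step 8)
# reset= is the fail-count reset period in seconds (86400 = 1 day).
# sc.exe is spelled out because "sc" is a Windows PowerShell alias for Set-Content,
# and the space after "reset=" and "actions=" is required by sc.exe.
& sc.exe "\\$Computer" failure $Service reset= 86400 actions= restart/60000/restart/60000/reboot/120000
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned exit code $LASTEXITCODE" }

# Read the configuration back; qfailure prints RESET_PERIOD and the FAILURE_ACTIONS list.
& sc.exe "\\$Computer" qfailure $Service
if ($LASTEXITCODE -ne 0) { throw "sc.exe qfailure returned exit code $LASTEXITCODE" }
```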

Exercise 4: Using Windows PowerShell to Manage Servers


Scenario
The Marketing application vendor has indicated that they can provide some Windows PowerShell scripts to configure the web server that is hosting the application. You need to verify that remote administration is functional before running the scripts. The main tasks for this exercise are as follows: 1. 2. Use Windows PowerShell to connect remotely to servers and view information. Use Windows PowerShell to install new features remotely.

Task 1: Use Windows PowerShell to connect remotely to servers and view information
1. On LON-DC1, in Server Manager, click the LAB-1 server group.
2. Right-click LON-CORE, and then click Windows PowerShell.
3. Type Import-Module ServerManager.
4. Type Get-WindowsFeature, and review roles and features.
5. Use the following command to review the running services on LON-CORE:

Get-Service | Where-Object {$_.Status -eq "Running"}

6. Type Get-Process to view a list of processes on LON-CORE.
7. Review the IP addresses assigned to the server with the following command:

Get-NetIPAddress | Format-Table

8. Review the most recent 10 items in the security log with the following command:

Get-EventLog Security -Newest 10

9. Close Windows PowerShell.

Task 2: Use Windows PowerShell to install new features remotely


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. Type Import-Module ServerManager.
3. Type the following command to verify that the XPS Viewer feature has not been installed on LON-SVR3:

Get-WindowsFeature -ComputerName LON-SVR3

4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:

Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3

5. Type the following command to verify that the XPS Viewer feature has now been deployed on LON-SVR3:

Get-WindowsFeature -ComputerName LON-SVR3

6. From the Tools drop-down in the Server Manager console, choose Windows PowerShell ISE.
7. In the Untitled1.ps1 script pane, type the following:

Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE

8. Save the script as InstallWins.ps1 in a new folder named Scripts.
9. Press F5 to execute InstallWins.ps1.

Results: After finishing this exercise you will have used Windows PowerShell to perform a remote installation of features on multiple servers.

To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, switch to the Hyper-V Manager console.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.


Module Review and Takeaways


Review Questions
Question: What is the benefit of using Windows PowerShell to automate common tasks?

Question: What are the advantages to performing a Server Core deployment compared to the Full GUI deployment?

Question: What tool can you use to determine which cmdlets are contained in a Windows PowerShell module?

Question: Which role can you use to manage Key Management Services (KMS)?

Common Issues and Troubleshooting Tips


Common Issue | Troubleshooting Tip
Remote management connections fail. |
Windows PowerShell cmdlets not available. |
Cannot install the GUI features on Server Core deployments. |
Unable to restart a computer running Server Core. |
Unable to join the domain. |


Module 2
Introduction to Active Directory Domain Services
Contents:
Module Overview 2-1
Lesson 1: Overview of AD DS 2-2
Lesson 2: Overview of Domain Controllers 2-8
Lesson 3: Installing a Domain Controller 2-13
Lab: Installing Domain Controllers 2-18
Module Review and Takeaways 2-21

Module Overview
Active Directory Domain Services (AD DS) and its related services form the foundation for enterprise networks that run Windows operating systems. The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise. In this module, we will study the structure of AD DS, and various components, such as forest, domain, and organizational units (OUs). The process of installing AD DS on a server is refined and improved with Windows Server 2012. This module also examines some of the choices that are now available for installing AD DS on a server.

Objectives
After completing this module, you will be able to:
- Describe the structure of Active Directory Domain Services (AD DS).
- Describe the purpose of domain controllers.
- Install a domain controller.


Lesson 1

Overview of AD DS
The AD DS database stores information on user identity, computers, groups, services and resources. It also hosts the service that authenticates user and computer accounts when they log on to the domain. AD DS forms a security boundary, in addition to being a searchable database of objects in the domain. AD DS provides the structure with which you can configure and manage objects in the database. In this lesson, you will explore how OUs work, and why you would use them. You will examine why some AD DS domain controllers have additional roles. You will explore various ways that you can promote a Windows Server 2012 server to be a domain controller.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe the components of AD DS.
- Describe AD DS domains.
- Describe OUs and their purpose.
- Describe AD DS forests and trees, and explain how you can deploy them in a network.
- Explain how a schema provides a set of rules that manage the objects and attributes that are stored in the AD DS domain database.

Overview of AD DS
AD DS is composed of both physical and logical components. Understanding the way the components of AD DS work together is an important part of supporting AD DS services. With the knowledge of how the AD DS components work together, you can efficiently manage your network, and control what resources your users can access. In addition, there are many other options including installation and configuring of software and updates, managing the security infrastructure, remote access, DirectAccess, BranchCache and certificate handling, to mention a few. Group Policy is a very powerful tool to manage all of these, and a clear understanding of the AD DS components is the key to successful use of Group Policy.

Physical Components

AD DS information is stored in a single file on each domain controller's hard disk. The following table lists some of the physical components and where they are stored.

Physical component | Description
--- | ---
Domain controllers | Contain copies of the AD DS database.
Data store | The file on each domain controller that stores the AD DS information.
Global catalog servers | Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
Read-only domain controller (RODC) | A special install of AD DS in a read-only form. This is often used in branch offices where security and IT support are often less advanced than in the main corporate centers.

Logical Components
AD DS logical components are structures that are used to implement an appropriate Active Directory design for an organization. The following table describes some of the types of logical structures that an Active Directory database might contain.

Logical component | Description
--- | ---
Partition | A section of the AD DS database. Although the database is one file, NTDS.DIT, it is viewed, managed and replicated as if it consisted of distinct sections or instances; these are the partitions, also referred to as naming contexts.
Schema | Defines the list of attributes that all objects in AD DS can have.
Domain | A logical, administrative boundary for users and computers.
Domain tree | A collection of domains that share a common root domain and a Domain Name System (DNS) namespace.
Forest | A collection of domains that share a common AD DS.
Site | A collection of users, groups, and computers as defined by their physical locations. Sites are useful in planning administrative tasks such as replication of the AD DS.
OU | Containers in AD DS, which provide a framework for delegating administrative rights and also for linking Group Policy.

Additional Reading: For more information about domains and forests, please see Domains and Forests Technical Reference at http://go.microsoft.com/fwlink/?LinkId=104447.


AD DS Domains
An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of management and security. All of these objects are stored in the AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain.

There are several types of objects that can be stored in the AD DS database, including user accounts. User accounts provide a mechanism by which to authenticate and then authorize users to access resources on the network. When a user wants to log on to the domain, they must do so at a computer that is a member of the AD DS domain. For this reason, each domain-joined computer must have an account in AD DS. The domain also stores groups, which are the mechanism for grouping together objects for administrative or security reasons, for instance user accounts and computer accounts.

An AD DS domain is an administrative center. It holds an Administrator account and a Domain Admins group, which have full control over every object in the domain; however, unless they are in the forest root domain, their range of control is limited to the domain. Password and account rules are managed at the domain level by default. Although a domain constitutes a security boundary that is largely self-managing and autonomous, the Enterprise Admins group in the forest root domain has full control over every object in every domain in the AD DS forest.

What Are OUs?

An Organizational Unit (OU) is a container object within a domain that you can use to consolidate users, groups, computers, and other objects. There are two reasons to create OUs:
- To configure objects contained within the OU. You can assign Group Policy Objects to the OU, and the settings apply to all objects within the OU. Group Policy Objects (GPOs) are policies that administrators create to manage and configure computer and user accounts. The most common way to deploy these policies is to link them to OUs.
- To delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to a user or group within AD DS other than the administrator.

You can use OUs to represent the hierarchical, logical structures within your organization. For example, you can create OUs that represent the departments within your organization, the geographic regions within your organization, or create OUs that are a combination of both departmental and geographic regions. You can then manage the configuration and use of user, group, and computer accounts based on your organizational model.


Every AD DS domain contains a standard set of containers and OUs that are created when you install AD DS, including the following:
- Domain container. Serves as the root container to the hierarchy.
- Builtin container. Stores a number of default groups.
- Users container. The default location for new user accounts and groups that you create in the domain. The Users container also holds the administrator and guest accounts for the domain, and some default groups.
- Computers container. The default location for new computer accounts that you create in the domain.
- Domain Controllers OU. The default location for the computer accounts of domain controllers. This is the only OU that is present in a new installation of AD DS.

Note: None of the default containers in the AD DS domain can have Group Policies linked to them, except for the default domain controllers OU and the domain itself. All the other containers are just folders. To link Group Policies to apply configurations and restrictions, create a hierarchy of OUs, and then link Group Policies to them.

Hierarchy Design
The design of an OU hierarchy is dictated by the administrative needs of the organization. The design could be based on geographic, functional, resource, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as effectively and with as much flexibility as possible. For example, if all computers that IT administrators use must be configured in a certain way, you can group all computers in an OU, and then assign a policy to manage its computers. To simplify administration, you also can create OUs inside other OUs. For example, your organization might have multiple offices, and each office might have a set of administrators who are responsible for managing user and computer accounts in the office. In addition, each office might have different departments with different computer configuration requirements. In this situation, you could create an OU for the office that is used to delegate administration, and create a department OU inside the office OU to assign desktop configurations. Although there is no technical limit to the number of levels in your OU structure, for the purpose of manageability limit your OU structure to a depth of no more than 10 levels. Most organizations use five levels or fewer to simplify administration. Note that Active Directory-enabled applications can have restrictions on the OU depth within the hierarchy, or the number of characters that can be used in the distinguished name (the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory).


What Is an AD DS Forest?

A forest is a collection of one or more domain trees. A tree is a collection of one or more domains. The first domain that is created in the forest is called the forest root domain. The forest root domain holds a few objects that do not exist in other domains in the forest. For example, the forest root domain holds two special roles, the schema master and the domain naming master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest root domain. The Enterprise Admins group has full control over every domain in the forest.

Examples of why more than one domain may be required in the forest:
- In certain circumstances, it might be advantageous to have more than one domain in the organization, and these are typically structured in a tree. For instance, A. Datum Corporation might be the domain at the root of a forest. Another domain could be added to the tree as a child domain of adatum.com, and have a name that is based on the DNS structure and includes the name of the parent domain, for example atl.adatum.com.
- There may be a requirement to have different namespaces in the forest. If A. Datum Ltd (adatum.com) and Fabrikam, Inc. (fabrikam.com) were to merge, then although the organization exists in one forest, you could add a tree to accommodate the second namespace. Apart from the different namespaces, all objects in this forest would function as if the domains were both in the same tree.

What Is the AD DS Schema?

The schema is the AD DS component that defines all objects and attributes that AD DS uses to store data. It is sometimes referred to as the blueprint for AD DS. AD DS stores and retrieves information from a wide variety of applications and services. AD DS standardizes how data is stored in the directory so that it can store and replicate data from these various sources. By standardizing how data is stored, AD DS can retrieve, update, and replicate data, while ensuring that the integrity of the data is maintained.

AD DS uses objects as units of storage. All objects are defined in the schema. Each time that the directory handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data. Object definitions control the types of data that the objects can store, and the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions. As a result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema.

In AD DS, the schema defines the following:
- Objects that are used to store data in the directory
- Rules that define what types of objects you can create, what attributes must be defined when you create the object (mandatory), and what attributes are optional
- Structure and the content of the directory itself

You can use an account that is a member of the Schema Administrators to modify the schema components in a graphical form. Examples of objects that are defined in the schema include user, computer, group, and site. Among the many attributes are location, accountExpires, buildingName, company, manager, and displayName. The schema master is one of the single master operations domain controllers in AD DS. Because it is a single master, you must make changes to the schema by targeting the domain controller that holds the schema master operations role. The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema operations master role holder, typically the first domain controller in the forest. Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary, through a tightly controlled process, and after you have performed testing to ensure that there will be no adverse effects to the rest of the forest. Although you might not make any change to the schema directly, some applications make changes to the schema to support additional features. For example, when you install Microsoft Exchange Server 2010 into your AD DS forest, the installation program extends the schema to support new object types and attributes.

Additional Reading
- For more information about Windows Server 2012 Release Candidate, see http://www.microsoft.com/en-us/server-cloud/windows-server/v8-default.aspx.
- For more information about Windows Server 2012 Overview, see http://www.microsoft.com/en-us/server-cloud/windows-server/v8-overview.aspx.
- For more information about Windows Server 2012 Capabilities, see http://www.microsoft.com/en-us/server-cloud/windows-server/2012-capabilities.aspx.
- For more information about Windows Server 8 (a one-hour long video), see http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F.


Lesson 2

Overview of Domain Controllers

Because domain controllers are responsible for all authentications, domain controller deployment is critical to the correct functioning of the network. This lesson examines domain controllers, the logon process, and the importance of the DNS in that process. In addition, this lesson discusses the purpose of the global catalog. All domain controllers are essentially the same, but there are certain operations that can only be performed on specific domain controllers called operations masters, which are discussed at the end of this lesson.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe the purpose of domain controllers.
- Describe the purpose of the global catalog.
- Describe the AD DS logon process, and the importance of DNS and service (SRV) resource records in the logon process.
- Describe the functionality of SRV records.
- Explain the functions of operations masters.

What Is a Domain Controller?

A domain controller (DC) is a server that is configured to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the System Volume (SYSVOL) folder. All domain controllers except read-only domain controllers (RODCs) store a read/write copy of both NTDS.DIT and the SYSVOL folder. NTDS.DIT is the database itself, and the SYSVOL folder contains all the template settings for GPOs. You can use the AD DS replication service to synchronize changes and updates to the AD DS database between the domain controllers in the domain. The SYSVOL folders are replicated either by the file replication service (FRS), or by the newer Distributed File System (DFS) Replication. The domain controllers in each domain replicate all the changes and updates between each other, and unless they are an RODC, they all store a read/write copy of the AD DS database. Domain controllers host several other Active Directory-related services, including the Kerberos service, which is used by user and computer accounts for logon authentication. You can optionally configure domain controllers to host a copy of the Active Directory Global Catalog, which is described in the next topic. Domain controllers also run some important services including Kerberos, which provides logon and password change capabilities, and the Key Distribution Center (KDC). The KDC is the service that issues the Ticket to Get Tickets (TGT) to an account that logs on to the AD DS domain.

An AD DS domain should always have a minimum of two domain controllers. This way, if one of the domain controllers fails, there is a backup to ensure continuity of the AD DS domain services. When you decide to add more than two domain controllers, consider the size of your organization and the performance requirements; however, two domain controllers should be considered an absolute minimum.

In a branch office where security may be less than optimal, there are some additional measures that can be deployed to reduce the impact of a breach of defenses. If an RODC is compromised, the potential loss of information is much lower than with a full read-write domain controller. If a hard drive is stolen, then BitLocker ensures that there is a very low chance of an intruder being able to gain any useful information from it.

Note: An RODC is a domain controller that holds a read-only copy of the AD DS database. You can deploy an RODC in a remote site where users might have difficulty logging on over an unreliable Wide Area Network (WAN) connection. Rather than deploy a full read/write domain controller, which might present a security risk, you could install an RODC, which can authenticate users locally without providing any write capability to the AD DS database.

Note: Windows BitLocker is a drive encryption system that is available for Windows Server operating systems, and for certain Windows client operating system versions. BitLocker securely encrypts the entire operating system so that the computer cannot start without being supplied a secret key and (optionally) passing an integrity check. A disk stays encrypted even if you transfer it to another computer.

What Is the Global Catalog?

Within a single domain, the AD DS database contains all the information about every object in that domain. This information is not replicated outside the domain. For example, a query for an object in AD DS is directed to one of the domain controllers for that domain. If there is more than one domain in the forest, then that query will not provide any results for objects in a different domain. For this reason, you can configure one or more domain controllers to store a copy of the global catalog. The global catalog is a distributed database that contains a searchable representation of every object from all the domains in a multi-domain forest. By default, the only global catalog server that is created is the first domain controller in the forest root domain.

The global catalog does not contain all attributes for each object. Instead, the global catalog maintains the subset of attributes that are most likely to be useful in cross-domain searches. These attributes might include firstname, displayname, and location. There could be a variety of reasons why you would perform a search against a global catalog rather than a domain controller that is not a global catalog. For example, when an Exchange server receives an incoming email, it needs to search for the recipient's account so that it can decide how to route the message. By automatically querying a global catalog, the Exchange server is able to locate the recipient in a multi-domain environment. When a user logs on to their Active Directory account, the domain controller performing the authentication must contact a global catalog to check for universal group memberships before the user is authenticated.

In a single domain, all domain controllers should be configured as holders of the global catalog; however, in a multi-domain environment, the Infrastructure master should not be a global catalog server. Which domain controllers are configured to hold a copy of the global catalog depends on replication traffic and network bandwidth. Many organizations are opting to make every domain controller a global catalog server.

Question: Should a domain controller be a global catalog?

The AD DS Logon Process

When you log on to AD DS, your system looks in DNS for SRV records to locate the nearest suitable domain controller. SRV records are records that specify information on available services, and are recorded in DNS by all domain controllers. By using DNS lookups, clients can locate a suitable domain controller to service their logon requests. If the logon is successful, the local security authority (LSA) builds an access token for the user. The access token contains the security identifiers (SIDs) for the user and any groups of which the user is a member. This provides the access credentials for any process initiated by that user. For example, after logging on to AD DS, a user runs Microsoft Office Word and attempts to open a file. Word uses the credentials in the user's access token to check the level of the user's permissions for that file.

Sites are used by a client system when it needs to contact a domain controller. It starts by looking up SRV records in DNS. Then the client system attempts to connect to a domain controller in the same site before trying elsewhere. Administrators can define sites in AD DS. Sites will usually align with parts of the network that have good connectivity and bandwidth. For example, there might be a branch office that is connected to the main datacenter by an unreliable WAN link. In this case, it would be better to define the datacenter and the branch office as separate sites in AD DS.

SRV records are registered in DNS by the Net Logon service that is running on each domain controller. If the SRV records are not entered in DNS correctly, you can trigger the domain controller to reregister those records by restarting the Net Logon service on that domain controller. This process only reregisters the SRV records; if you want to reregister the host record information in DNS, you must run ipconfig /registerdns from a command prompt, just as you would for any other computer.

Note: A SID is a unique number in the form of S-1-5-21-4130086281-3752200129-2715587809-500, where S-1-5-21 represents the type of ID, the next three blocks of numbers (4130086281-3752200129-2715587809) are the number of the database where the account is stored (usually the AD DS domain), and the last section (500) is the relative ID (RID), which is the part of the SID that uniquely identifies that account in the database. Every user and computer account and every group that you create have a unique SID, but they only differ from each other by virtue of the unique RID. You can tell that this particular SID is the SID for the administrator account because it ends with the well-known RID 500.

Although the logon process appears to the user as a single event, it is actually made up of two parts. The user provides credentials, usually a user account name and password, which are then checked against the AD DS database. If the user account name and the password match the information that is stored in the AD DS database, the user becomes an authenticated user, and is issued a ticket-granting ticket (TGT) by the domain controller. At this point, the user does not have access to any resources on the network. A secondary process in the background submits the TGT to the domain controller, and requests access to the local machine. The domain controller issues a ticket to the user, who is then able to interact with the local computer. At this point in the process, the user is authenticated to AD DS and logged on to the local machine. When a user subsequently attempts to connect to another computer on the network, the secondary process is run again, and the TGT is submitted to the nearest domain controller. When the domain controller returns the ticket, the user can access the computer on the network, which generates a logon event at that computer.
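The SID structure described in the note above (type prefix, domain identifier, RID) can be taken apart programmatically; the following is an added example, not course code. The sample SIDs are constructed (the first is the one quoted in the note), the well-known RID table lists the standard Windows RIDs, and the function name is my own.

```powershell
# Added example (not course code): split a SID into its parts and name well-known RIDs.
$WellKnownRid = @{
    500 = 'Administrator';      501 = 'Guest';          502 = 'krbtgt'
    512 = 'Domain Admins';      513 = 'Domain Users';   515 = 'Domain Computers'
    516 = 'Domain Controllers'; 518 = 'Schema Admins';  519 = 'Enterprise Admins'
}

function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)
    # The .NET type rejects malformed strings, so constructing it doubles as validation.
    $obj   = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $parts = $obj.Value -split '-'      # 'S', revision, identifier authority, sub-authorities...
    $subs  = @($parts[3..($parts.Count - 1)] | ForEach-Object { [uint32]$_ })

    # S-1-5-21-<a>-<b>-<c>-<RID>: authority 5 is NT, sub-authority 21 marks a domain/machine account SID.
    $isAccountSid = ($parts[2] -eq '5' -and $subs.Count -ge 5 -and $subs[0] -eq 21)
    $domainSid = $null; $rid = $null; $name = $null
    if ($isAccountSid) {
        $domainSid = $obj.AccountDomainSid.Value    # S-1-5-21-a-b-c: the issuing database (domain)
        $rid       = $subs[-1]                      # last sub-authority is the RID
        if ($rid -le [int]::MaxValue) { $name = $WellKnownRid[[int]$rid] }
    }
    [pscustomobject]@{
        Sid                 = $obj.Value
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int64]$parts[2]
        DomainSid           = $domainSid
        Rid                 = $rid
        WellKnownRid        = $name
        # Independent check using the .NET well-known SID classification.
        IsBuiltinAdminRid   = $obj.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
    }
}

# Constructed samples: three SIDs from one domain differ only in the RID; S-1-5-18 is Local System.
@(
    'S-1-5-21-4130086281-3752200129-2715587809-500',
    'S-1-5-21-4130086281-3752200129-2715587809-512',
    'S-1-5-21-4130086281-3752200129-2715587809-1105',
    'S-1-5-18'
) | ForEach-Object { Get-SidParts -Sid $_ } | Format-Table -AutoSize
```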

Note: A domain-joined computer also logs on to AD DS when it starts, a fact that is often overlooked. You do not see the transaction when the computer uses its computer account name and a password to log on to AD DS. Once authenticated, the computer becomes a member of the Authenticated Users group. Although the computer logon process does not have any visual confirmation in the form of a graphic user interface (GUI), there are event log events that record the activity. Additionally, if auditing is enabled, there are more events that are viewable in the Security Log of the Event Viewer.

Demonstration: Viewing the SRV Records in DNS

The demonstration shows the various types of SRV records that the domain controllers register in DNS. These records are crucial to the operability of AD DS, because they are used to find domain controllers for logon, password changes, and Group Policy Object (GPO) editing. SRV records are also used by domain controllers to find replication partners.

Demonstration Steps
View the SRV records by using DNS Manager
1. Open the DNS Manager window, and explore the underscore DNS domains.
2. View the different SRV records that are registered by domain controllers to provide alternate paths so that clients can discover them.
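The same locator records the demonstration shows in DNS Manager, and that the logon-process topic describes clients using, can be queried from Windows PowerShell. This is an added example rather than part of the demonstration: it resolves the SRV records under _msdcs for a domain and then checks that every writable domain controller is actually registered, which identifies the DC whose Net Logon service needs to reregister. adatum.com and Default-First-Site-Name are the course's example names; the function names are my own, and the registration check needs the ActiveDirectory module.

```powershell
# Added example (not course code): resolve the DC locator SRV records and check registration.
function Get-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$SiteName,          # optional: also query the site-specific record
        [string]$DnsServer          # optional: query a specific DNS server
    )
    # Records registered under _msdcs by the Net Logon service on writable DCs:
    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName",       # LDAP on any DC (port 389)
        "_kerberos._tcp.dc._msdcs.$DomainName",   # Kerberos KDC on any DC (port 88)
        "_ldap._tcp.pdc._msdcs.$DomainName",      # the PDC emulator only
        "_ldap._tcp.gc._msdcs.$DomainName"        # global catalog servers (forest root zone)
    )
    if ($SiteName) {
        # Site-specific record: lets a client prefer a DC in its own site first.
        $names += "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName"
    }
    foreach ($name in $names) {
        $params = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params.Server = $DnsServer }
        Resolve-DnsName @params |
            Where-Object { $_.Type -eq 'SRV' } |     # the answer may also carry A records
            ForEach-Object {
                [pscustomobject]@{
                    Record   = $name
                    Target   = $_.NameTarget         # host name of the DC
                    Port     = $_.Port
                    Priority = $_.Priority           # lower value is preferred
                    Weight   = $_.Weight             # load sharing among equal priority
                    TTL      = $_.TTL
                }
            }
    }
}

function Test-DcSrvRegistration {
    param([Parameter(Mandatory)][string]$DomainName)
    # Every writable DC should appear as a target of _ldap._tcp.dc._msdcs.<domain>.
    $targets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } |
               ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    Get-ADDomainController -Filter * -Server $DomainName |
        Where-Object { -not $_.IsReadOnly } |        # RODCs register only site-specific records
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $_.HostName
                Registered       = $targets -contains $_.HostName.ToLower()
            }
        }
}

Get-DcLocatorRecords -DomainName adatum.com -SiteName Default-First-Site-Name | Format-Table -AutoSize
Test-DcSrvRegistration -DomainName adatum.com
```

A DC reported with Registered = False is the one to restart the Net Logon service on, as the logon-process topic describes.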

What Are Operations Masters?

Although all domain controllers are essentially equal, there are some tasks that can only be performed by targeting one particular domain controller. For example, if you need to add an additional domain to the forest, then you must be able to connect to the domain naming master. The domain controllers that have these roles are called operations masters, single master roles, or Flexible Single Master Operations (FSMOs) (pronounced fizz-mos). They are distributed as follows:
- Each forest has one schema master and one domain naming master.
- Each AD DS domain has one RID master, one infrastructure master, and one primary domain controller (PDC) emulator.


The following is a list of Single Master Roles: Schema master. The domain controller where any schema changes are made. To make changes you would typically log on the schema master as a member of both the Schema Admins and Enterprise Admins groups. A user who is a member of both of these groups and who has the appropriate permissions could also edit the schema by using a script. Domain naming master. The domain controller that records additions and removals of domains and also domain name changes. RID master. Whenever an object is created in AD DS, the domain controller where the object is created assigns the object a unique identifying number known as a SID. To ensure that no two domain controllers assign the same SID to two different objects, the RID master allocates blocks of RIDs to each domain controller within the domain. Infrastructure master. This role is responsible for maintaining inter-domain object references, such as when a group in one domain contains a member from another domain. In this situation, the infrastructure master is responsible for maintaining the integrity of this reference. For example, when you look at the security tab of an object, the system looks up the SIDs that are listed and translates them into names. In a multi-domain forest, the infrastructure master looks up SIDs from other domains. The Infrastructure role should not reside on a global catalog server. The exception is when you follow best practices and make every domain controller a global catalog. In that case, the Infrastructure role is disabled because every domain controller knows about every object in the forest.

Note: The Infrastructure role should not reside on a global catalog server. For example, the Security tab on an object (file, folder, printer) has a list of SIDs with a matrix of permissions assigned. To ease administration, these SIDs are converted into names such as users and groups, usually before you even see the SIDs appear. If there is more than one domain in the AD DS forest, then there may be SIDs from remote domains in the Security tab, and because they are not recognized on the local domain, a mechanism is necessary to look up the actual names. The infrastructure master does this by referring to a GC. If the infrastructure master is also configured as a GC, then the infrastructure service is disabled.

- PDC emulator. The domain controller that holds the PDC emulator role is the time source for the domain. The domain controllers that hold the PDC emulator role in each domain of the forest sync with the domain controller that has the PDC emulator role in the forest root domain. You set this domain controller to synchronize with an external atomic time source. The PDC emulator is also the domain controller that receives urgent password changes. If a user's password is changed, the information is sent immediately to the domain controller holding the PDC emulator role. This means that if a user's password was changed and the user subsequently tried to log on and was authenticated by a domain controller in a different location that hadn't yet received the new password, that domain controller would contact the domain controller holding the PDC emulator role and check for recent changes. When a group policy other than a local group policy is opened for editing, the copy that is edited is the one stored on the PDC emulator.

Note: The global catalog is not one of the Operations Master roles.

Question: Why would you make a domain controller a global catalog server?
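The following script is an added example, not part of the course text. It lists the operations master role holders described above with the Active Directory module (available on a domain controller or through RSAT) and then checks the placement rule for the infrastructure master: it may sit on a global catalog only when every domain controller in the domain is a global catalog. Run it from a domain-joined session with read access to the directory.

```powershell
# Added example, not from the course text: enumerate the operations master roles
# and check the infrastructure master / global catalog placement rule described above.
# Assumes the Active Directory module (RSAT or a domain controller) and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        Forest               = $forest.Name
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Domain               = $domain.DNSRoot
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        PDCEmulator          = $domain.PDCEmulator
    }
}

function Test-InfrastructureMasterPlacement {
    # Returns $true when placement is consistent with the rule in the lesson:
    # the infrastructure master may be a global catalog only if every DC in the domain is one.
    $domain = Get-ADDomain
    $dcs   = @(Get-ADDomainController -Filter *)
    $gcs   = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    if ($infra.IsGlobalCatalog -and $gcs.Count -lt $dcs.Count) {
        $msg = 'Infrastructure master {0} is a global catalog, but only {1} of {2} DCs are GCs; ' +
               'cross-domain group membership references may not be kept current.'
        Write-Warning ($msg -f $infra.HostName, $gcs.Count, $dcs.Count)
        return $false
    }
    return $true
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement
```

The same role holders can be listed from a command prompt with netdom query fsmo; the PowerShell version is useful when you want to script the placement check as part of a periodic health report.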

20410A: Installing and Configuring Windows Server 2012

2-13

Lesson 3

Installing a Domain Controller


Sometimes you need to install additional domain controllers on your Windows Server 2012 operating system. It might be that the existing domain controllers are overworked and you need additional resources. Perhaps you are planning for a new remote office that requires you to deploy one or more domain controllers. You also might be setting up a test lab or a backup site. The installation method that you use varies with the circumstances.

This lesson examines several ways to install additional domain controllers. It demonstrates the process of using Server Manager to install AD DS on a local machine and on a remote server. This lesson also discusses installing AD DS on a Server Core installation, and installing AD DS on a computer using a snapshot of the AD DS database that is stored on removable media. You will also examine the process of upgrading a domain controller from an earlier Windows operating system to Windows Server 2012.

Lesson Objectives


After completing this lesson, you will be able to:
- Explain how to install a domain controller by using the GUI.
- Explain how to install a domain controller on a Server Core installation of Windows Server 2012.
- Explain how to upgrade a domain controller.
- Explain how to install a domain controller by using Install from Media (IFM).

Installing a Domain Controller by Using a GUI


Prior to Windows Server 2012, it was common practice to use the dcpromo.exe tool to install domain controllers. If you attempt to run dcpromo on a Windows Server 2012 server, you receive the following error message:

The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see http://go.microsoft.com/fwlink/?LinkId=220921

Note: The dcpromo.exe tool is a tool that you run on a server to make the server an AD DS domain controller. Until Windows Server 2012, dcpromo.exe has been the preferred method to install AD DS, and it usually runs in GUI mode; however, in Windows Server 2012, this tool is replaced with Server Manager. Dcpromo.exe is still supported for unattended installations from the command-line interface.

When you run Server Manager, you can choose whether the operation is performed on the local computer, on a remote computer, or by members of a server pool. You then choose to add the Active Directory Domain Services role. At the end of the initial installation process, the AD DS binaries are installed, but AD DS is not yet set up on that server. A message to that effect displays in Server Manager.


You can select the link to Promote this server to a domain controller, and then the AD DS promotion wizard runs. You are then asked the following questions about the proposed structure (required information, followed by its description):

- Add a domain controller to an existing domain: Choose whether an additional domain controller is added to a domain.
- Add a new domain to an existing forest: Create a new domain in the forest.
- Add a new forest: Create a new forest.
- Specify the domain information for this operation: Supply information about the existing domain to which the new domain controller will connect.
- Supply the credentials to perform this operation: Enter the name of a user account that has the rights to perform this operation.

Some other information you need to collect before running the promotion is listed below (required information, followed by its description):

- DNS name for the AD DS domain: For example, adatum.com.
- NetBIOS name for the AD DS domain: For example, adatum.
- Whether the new forest needs to support domain controllers running previous versions of Windows operating systems (affects choice of functional level): Will there also be a Windows Server 2008 domain controller?
- Whether this domain controller will contain DNS: Your DNS must be functioning well to support AD DS.
- Location to store the database files (for example, NTDS.DIT, edb.log, or edb.chk): By default, these files will be stored in C:\Windows\NTDS.

The wizard continues through several different pages where you can enter prerequisites such as the NetBIOS domain name, DNS configuration, whether this domain controller should be a global catalog server, and the Directory Services Restore Mode password. Finally, you must reboot to complete the installation.

Note: If you need to reinstall the AD DS database from a backup, reboot the domain controller in Directory Services Restore Mode. When the domain controller boots up, it is not running the AD DS services; instead, it is running as a member server in the domain. To log on to that server in the absence of AD DS, log on using the Directory Services Restore Mode (DSRM) password.


Installing a Domain Controller on a Server Core Installation of Windows Server 2012


Install AD DS by using Server Manager to remotely connect to the Server Core server. Once you install the AD DS binaries and the server is rebooted, you can complete the installation and configuration in one of three ways:
- In Server Manager, click the notification icon to complete the post-deployment configuration. This starts the configuration and setup of the domain controller.
- Create an answer file and run dcpromo /unattend:D:\answerfile.txt, where D:\answerfile.txt is the path to the answer file.
- Run dcpromo /unattend with the appropriate switches, for example:

dcpromo /unattend /InstallDns:yes /ConfirmGc:yes /ReplicaOrNewDomain:replica /ReplicaDomainDNSName:mynewdomain.com /DatabasePath:"c:\ntds" /LogPath:"c:\ntdslogs" /SysvolPath:"c:\sysvol" /SafeModeAdminPassword:Pa$$w0rd /RebootOnCompletion:yes

Upgrading a Domain Controller


There are two ways to upgrade to a Windows Server 2012 domain controller: you can either upgrade the operating system on existing domain controllers, or introduce Windows Server 2012 servers as domain controllers. Of the two, the second is the preferred method, because there are no old or disused code and files remaining. Instead, you have a clean installation of the Windows Server 2012 operating system and AD DS database.

Upgrading to Windows Server 2012


For an organization to upgrade an AD DS domain from one running at Windows Server 2008 functional level to an AD DS domain running at Windows Server 2012 functional level, all the domain controllers must first be upgraded from the Windows Server 2008 operating system to the Windows Server 2012 operating system. You can achieve this by upgrading all of the existing domain controllers to Windows Server 2012, or by introducing new domain controllers running Windows Server 2012, and then phasing out the existing domain controllers.

Although there is no reason to prevent Windows Server 2012 servers from being part of a Windows Server 2008 domain, when the time comes to have domain controllers running Windows Server 2012, you must upgrade the schema. To upgrade the schema, you must run the adprep tool that is included in the Windows Server 2012 installation media.


To upgrade the schema, log on to the schema master for the forest, and in the support\adprep directory, run adprep /forestprep from an elevated cmd.exe window. You must be a member of all of the following groups to have the necessary rights to run this command:
- Schema Admins for the forest
- Enterprise Admins for the forest
- Domain Admins for the domain where the schema master resides

In addition, you must run the adprep command again in each domain where you plan to introduce Windows Server 2012 servers as domain controllers. To do this, on the Infrastructure master for the domain, in an elevated cmd.exe window, run adprep /domainprep /gpprep.

Introduce Windows Server 2012 Domain Controllers


There are two ways to introduce Windows Server 2012 domain controllers into your domain. You can either upgrade Windows Server 2008 to Windows Server 2012, or you can have a clean installation. To upgrade the operating system of a Windows Server 2008 domain controller to Windows Server 2012:
1. Insert the installation disk for Windows Server 2012, and run Setup.
2. After the language selection page, select Install now.
3. After the operating system selection window and the license acceptance page, on the Which type of installation do you want? window, choose Upgrade: Install Windows and keep files, settings, and apps.

With this type of upgrade, there is no need to preserve users' settings and reinstall applications; everything is upgraded in place. Remember to check for hardware and software compatibility before doing an upgrade.

To introduce a clean install of Windows Server 2012 as a domain member:
1. Deploy and configure a new installation of Windows Server 2012 and join it to the domain.
2. Promote the new server to be a domain controller in the domain by using Server Manager or one of the other methods described previously.

Note: You can upgrade directly from Windows Server 2008 and Windows Server 2008 R2 to Windows Server 2012. To upgrade servers that are running an earlier version of Windows Server, you must either perform an interim upgrade to Windows Server 2008 or Windows Server 2008 R2, or perform a clean install.

Installing a Domain Controller by Using IFM


If you have an intervening network that is slow, unreliable, or costly, you might find it necessary to add another domain controller at a remote location or branch office. In this scenario, it is often better to deploy AD DS to a server by using the Install from Media (IFM) method. For example, if you connect to a server in the remote office and use Server Manager to install AD DS, you will need to copy the entire AD DS database and the SYSVOL folder to the new domain controller. This process must take place over a potentially unreliable wide area network (WAN) connection. As an alternative, and to significantly reduce the amount of traffic copied over the WAN link, you can make a backup of AD DS by using the NTDSUTIL tool. When you run Server Manager to install AD DS, you can then select the option to Install from Media. Most of the copying is then done locally (perhaps from a USB drive), and the WAN link is used only for security traffic, and to ensure that the new domain controller receives any changes that are made after you create the IFM backup.

To install a domain controller by using IFM, browse to a writable domain controller (not an RODC). Use the NTDSUTIL tool to create a snapshot of the AD DS database, and then copy it to the server that will be promoted to a domain controller. Use Server Manager to promote the server to a domain controller by selecting the Install from Media option, and by providing the local path to the IFM directory that you created previously.

The full procedure is as follows:
1. On the full domain controller, type the following commands (where C:\IFM is the destination directory that will contain the snapshot of the AD DS database) at an administrative command prompt, and press Enter after each line:
ntdsutil
activate instance ntds
ifm
create SYSVOL full C:\IFM
quit
quit

2. On the server that you are promoting to a domain controller, perform the following steps:
   a. Use Server Manager to add the AD DS Role.
   b. Wait while the AD DS binaries are installed.
   c. In Server Manager, click the notification icon to complete the post-deployment configuration, and a wizard runs.
   d. At the appropriate time during the wizard, select the option to install from IFM, and then provide the local path to the snapshot directory.

AD DS then installs from the snapshot. When the domain controller reboots, it contacts other domain controllers in the domain and updates AD DS with any changes that were made since the snapshot was created.

Additional Reading: For more information about the steps necessary to install AD DS, see http://technet.microsoft.com/en-us/library/hh472162.aspx.

Question: What is the reason to specify the Directory Services Restore Mode password?


Lab: Installing Domain Controllers


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been asked by your manager to install a new domain controller in the data center to improve logon performance. You have been asked also to create a new domain controller for a branch office by using IFM.

Objectives
After performing this lab, you will be able to:
- Install a domain controller.
- Install a domain controller by using IFM.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20410A-LON-DC1 (start first), 20410A-LON-SVR1, 20410A-LON-RTR, 20410A-LON-SVR2
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
1. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
2. In the Actions pane, click Connect.
3. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum

Repeat steps 1 to 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.

Exercise 1: Installing a Domain Controller


Scenario
Users have been experiencing slow logon in London during peak usage times. The server team has determined that the domain controllers are overwhelmed when many users are authenticating simultaneously. To improve logon performance, you are adding a new domain controller in the London data center.


The main tasks for this exercise are as follows:
1. Add an Active Directory Domain Services (AD DS) role to a member server.
2. Configure a server as a domain controller.
3. Configure a server as a global catalog server.

Task 1: Add an Active Directory Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. From Server Manager, add LON-SVR1 to the server list.
3. Add the Active Directory Domain Services server role to LON-SVR1. Add all required features as prompted.
4. Installation will take several minutes. When the installation succeeds, click Close to close the Add Roles and Features Wizard.

Task 2: Configure a server as a domain controller


1. Use Server Manager on LON-DC1 to perform post-deployment configuration to promote LON-SVR1 to a domain controller with the following options:
   a. Add a domain controller to the existing adatum.com domain.
   b. Use the credentials Adatum\Administrator with the password Pa$$w0rd.
   c. For Domain Controller Options, install the Domain Name System but clear the selection to install the Global Catalog.
   d. DSRM password: Pa$$w0rd.
   e. All other options: default.

Task 3: Configure a server as a global catalog server


1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. Use Active Directory Sites and Services to make LON-SVR1 a global catalog server.

Results: After completing this exercise, you will have explored Server Manager and promoted a member server to be a domain controller.

Exercise 2: Installing a domain controller by using IFM


Scenario
You have now been assigned by management to manage one of the new branch offices that are being configured. A faster network connection is scheduled to be installed in a few weeks. Until that time, network connectivity is very slow. It has been determined that the branch office requires a domain controller to support local logons. To avoid problems with the slow network connection, you are using IFM to install the domain controller in the branch office.

The main tasks for this exercise are as follows:
1. Use the NTDSUTIL tool to generate Install from Media (IFM).
2. Add the AD DS role to the member server.
3. Use IFM to configure a member server as a new domain controller.


Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
On LON-DC1, open an administrative command-line interface, and use NTDSUTIL to create an IFM backup of the AD DS database and of the SYSVOL folder.

Task 2: Add the AD DS role to the member server


1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.
2. Open a command prompt and map K: to \\LON-DC1\C$\IFM.
3. Add the AD DS server role to LON-SVR2.

Task 3: Use IFM to configure a member server as a new domain controller


1. Open a command prompt and use Robocopy to copy the IFM backup from K: to c:\ifm on LON-SVR2.
2. Use Server Manager on LON-SVR2 to perform the post-deployment configuration of AD DS using the following options:
   a. Add a domain controller to the existing adatum.com domain.
   b. Use Adatum\Administrator with the password Pa$$w0rd for credentials.
   c. DSRM password: Pa$$w0rd.
   d. Use the IFM media to configure and install AD DS.
   e. Accept all other defaults.
3. Restart LON-SVR2 to complete the AD DS installation.

Results: After completing this exercise, you will have installed an additional domain controller for the branch office by using IFM.

To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.


Module Review and Takeaways


Review Questions
Question: What are the two main purposes of organizational units?

Question: Why would an organization need to deploy an additional tree in the AD DS forest?

Question: Which deployment method would you use if you had to install an additional domain controller in a remote location that had a limited WAN connection?

Question: If you needed to promote a Server Core installation of Windows Server 2012 to be a domain controller, which tools could you use?

3-1

Module 3
Managing Active Directory Domain Services Objects
Contents:
Module Overview 3-1
Lesson 1: Managing User Accounts 3-3
Lesson 2: Managing Group Accounts 3-15
Lesson 3: Managing Computer Accounts 3-22
Lesson 4: Delegating Administration 3-27
Lab: Managing Active Directory Domain Services Objects 3-30
Module Review and Takeaways 3-36

Module Overview
User accounts are fundamental components of network security. Stored in Active Directory Domain Services (AD DS), they identify users for the purposes of authentication and authorization. Because of their importance, an understanding of user accounts and the tasks related to supporting them are critical aspects of administering a Microsoft Windows enterprise network.

Although users and computers, and even services, change over time, business roles and rules tend to remain more stable. Your business probably has a finance role, which requires certain capabilities in the enterprise. The user or users who perform that role might change over time, but the role will remain relatively the same. For that reason, it is not sensible to manage an enterprise by assigning rights and permissions to individual users, computers, or service identities. Instead, you should associate management tasks with groups. Consequently, it is important that you know how to use groups to identify administrative and user roles, to filter Group Policy, to assign unique password policies, and to assign rights and permissions.

Computers, like users, are security principals: They have an account with a logon name and password that Windows changes automatically on a periodic basis. They authenticate with the domain. They can belong to groups, and have access to resources, and you can configure them by using Group Policy.

Managing computers, both the objects in Active Directory and the physical devices, is one of the day-to-day tasks of most IT pros. New computers are added to your organization, taken offline for repairs, exchanged between users or roles, and retired or upgraded. Each of these activities requires managing the computer's identity, which is represented by its object, or account, in AD DS. As a result, it is important that you know how to create and manage computer objects.

In small organizations, one person may be responsible for performing all of these day-to-day administrative tasks. However, in large enterprise networks, with thousands of users and computers, that is not feasible. It is important for an enterprise administrator to know how to delegate specific

3-2

Managing Active Directory Domain Services Objects

administrative tasks to designated users or groups to ensure that enterprise administration is efficient and effective.

Objectives
After completing this module, you will be able to:
- Manage user accounts with graphical tools.
- Manage groups with graphical tools.
- Manage computer accounts.
- Delegate permissions to perform AD DS administration.


Lesson 1

Managing User Accounts


A user object in AD DS is far more than just a handful of properties related to the user's security identity, or account. It is the cornerstone of identity and access in AD DS. Therefore, consistent, efficient, and secure processes regarding the administration of user accounts are the cornerstone of enterprise security management.

Lesson Objectives


After completing this lesson, you will be able to:
- View AD DS objects by using various AD DS management tools.
- Explain how to create user accounts that you can use in an enterprise network.
- Describe how to configure important user-account attributes.
- Describe how to create user profiles.
- Explain how to use user-account templates to create user accounts.
- Manage user accounts.

AD DS Administration Tools


Before you can begin creating and managing user, group, and computer accounts, it is important that you understand which tools you can use to perform these various management tasks.

Active Directory Administration Snap-Ins


Most AD DS administration is performed with the following snap-ins and consoles:
- Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, computers, and organizational units. This is likely to be the most heavily used snap-in for an Active Directory administrator.
- Active Directory Sites and Services. This snap-in manages replication, network topology, and related services.
- Active Directory Domains and Trusts. This snap-in configures and maintains trust relationships and the forest functional level.
- Active Directory Schema. This snap-in examines and modifies the definition of Active Directory attributes and object classes. It is the blueprint for AD DS. It is rarely viewed, and even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.

Note: To administer AD DS from a computer that is not a domain controller, you must install Remote Server Administration Tools (RSAT). RSAT is a feature that can be installed from the Features node of Server Manager on Windows Server 2012.


You also can install RSAT on Windows clients, including Windows Vista Service Pack 1 (or newer), Windows 7, and Windows 8. After you download the RSAT installation files from Microsoft's website, run the Setup Wizard, which steps you through the installation. After installing RSAT, you must turn on the tool or tools that you want to be visible. To do this, use the Turn Windows Features On or Off command in the Programs And Features application in Control Panel.

Additional Reading: To download the RSAT installation files, see http://www.microsoft.com/downloads.

Active Directory Administrative Center


Windows Server 2012 provides another option for managing AD DS objects. The Active Directory Administrative Center provides a graphical user interface (GUI) built upon Windows PowerShell. This enhanced interface allows you to perform AD DS object management by using task-oriented navigation. Tasks that you can perform by using the Active Directory Administrative Center include:
- Create and manage user, computer, and group accounts.
- Create and manage organizational units (OUs).
- Connect to, and manage, multiple domains within a single instance of the Active Directory Administrative Center.
- Search and filter Active Directory data by building queries.

Windows PowerShell
You can use the Active Directory Module for Windows PowerShell to create and manage objects in AD DS. Windows PowerShell is not just a scripting language. It also enables you to run commands that perform administrative tasks, such as creating new user accounts, configuring services, deleting mailboxes, and similar functions. Windows PowerShell is installed by default on Windows Server 2012, but the Active Directory Module is only present when:
- You install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.
- You run Dcpromo.exe to promote a computer to a domain controller.
- You install RSAT.

Directory Service Command-Line Tools


You also can use the Directory Service command-line tools, in addition to Windows PowerShell. These tools enable you to create, modify, manage, and delete AD DS objects, such as users, groups, and computers. You can use the following commands:
- Dsadd. Use to create new objects.
- Dsget. Use to display objects and their properties.
- Dsmod. Use to edit objects and their properties.
- Dsmove. Use to move objects.
- Dsquery. Use to query AD DS for objects that match criteria that you supply.
- Dsrm. Use to delete objects.


Note: It is possible to pipe the results of the Dsquery command to other Directory Service commands. For example, typing the following at a command prompt returns the office telephone number of all users that have a name starting with John:

dsquery user -name John* | dsget user -office

Creating User Accounts


In AD DS, all users that require access to network resources must be configured with a user account. With this user account, users can authenticate to the AD DS domain and receive access to network resources. A user account is an object that contains all of the information that defines a user in Windows Server 2012. A user account includes the user name and password, as well as group memberships. A user account also contains many other settings that you can configure based upon your organizational requirements. With a user account, you can:
- Allow or deny users permission to log on to a computer based on their user account identity.
- Grant users access to processes and services for a specific security context.
- Manage users' access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.

A user account enables a user to log on to computers and domains with an identity that the domain can authenticate. When creating a user account, you must provide a user logon name, which must be unique in the domain/forest in which the user account is created.

To maximize security, you should avoid multiple users sharing one account, so that each user that logs on to the network has a unique user account and password.

Note: Although AD DS accounts are the focus of this course, you also can store user accounts in the local security accounts manager (SAM) database of each computer, enabling local logon and access to local resources. Local user accounts are, for the most part, beyond the scope of this course.

Creating User Accounts


A user account includes the user name and password, which serve as the logon credentials for a user. A user object also includes several other attributes that describe and manage the user. You can use the Active Directory Users and Computers console, Active Directory Administrative Center, Windows PowerShell, or the dsadd.exe command-line tool to create a user object.

To create a user object by using the Active Directory Users and Computers console, perform the following steps:
1. Right-click the OU or the container in which you want to create the user, point to New, and then click User.
2. In the First name box, type the user's first name.

3-6

Managing Active Directory Domain Services Objects

3. In the Initials box, type the user's middle initial(s).

Note: The Initials property is meant for the initials of a user's middle name, not the initials of the user's first or last name.
4. In the Last name box, type the user's last name.
5. The Full name box is populated automatically, although you can make modifications to it, if necessary. The Full name box is used to create several attributes of a user object, most notably, the common name (CN) and display name properties. The CN of a user is the name displayed in the details pane of the snap-in, and it must be unique within the container or OU. If you are creating a user object for a person with the same name as an existing user in the same OU or container, you need to enter a unique name in the Full name field.
6. In the User logon name box, type the name with which the user will log on, and from the drop-down list, select the user principal name (UPN) suffix that will be appended to the user logon name following the @ symbol.
User names in AD DS can contain special characters, including periods, hyphens, and apostrophes. These special characters let you generate accurate user names, such as O'Hare and Smith-Bates. However, certain applications may have other restrictions, so we recommend that you use only standard letters and numerals until you fully test the applications in your enterprise for compatibility with special characters.
The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts snap-in. Right-click the root of the snap-in, click Properties, and use the UPN Suffixes tab to add or remove suffixes. The DNS name of your AD DS domain is always available as a suffix, and you cannot remove it.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often called the downlevel logon name. In the AD DS database, the name for this attribute is sAMAccountName.

Note: It is important to implement a user-account naming strategy, especially in large networks where users may share the same full name. A combination of last name and first name, and where necessary, additional characters, should yield a unique user account name. Strictly speaking, it is only the UPN name that must be unique within your AD DS forest. The Full name needs to be unique only within the organizational unit where it resides, while the downlevel name must be unique within that domain.
8. Click Next.
9. Enter a temporary password for the user in the Password and Confirm password boxes.

10. Select the User must change password at next logon check box. We recommend that you always select this option, so that the user can create a new password unknown to the IT staff. Appropriate support staff can reset the user's password, if necessary, to log on as the user or access the user's resources. Only users should know their own passwords on a day-to-day basis.
11. Click Next.


12. Review the summary, and then click Finish. The New Object - User interface allows you to configure a limited number of account-related properties, such as name and password settings. However, a user object in AD DS supports dozens of additional properties, which you can configure after you create the object.
13. Right-click the user object that you created, and then click Properties.
14. Configure the user properties.
15. Click OK.
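The same procedure carried out with Windows PowerShell, as an added example that is not part of the course text. It assumes the ActiveDirectory module is available and uses contoso.com, an OU path and a person as example values; the three uniqueness checks follow the note above (downlevel name unique per domain, UPN unique per forest, CN unique per container).

```powershell
# Added example (not from the course): create a user with the attributes the
# New Object - User wizard collects, after checking that the names are unique.
# Assumptions: ActiveDirectory module present; domain, OU and person are example values.
Import-Module ActiveDirectory

$upnSuffix = 'contoso.com'                  # assumed; the DNS name of the domain is always a valid suffix
$targetOu  = 'OU=Sales,DC=contoso,DC=com'   # assumed OU
$firstName = 'Conor'
$initials  = 'P'                            # middle initial only (see the Initials note)
$lastName  = "O'Hare"                       # apostrophes and hyphens are legal in AD DS names
$fullName  = "$firstName $lastName"         # becomes CN and Name: must be unique within the OU
$logonName = 'cohare'                       # UPN prefix and sAMAccountName (downlevel name)
$upn       = "$logonName@$upnSuffix"

# sAMAccountName must be unique within the domain.
if (Get-ADUser -LDAPFilter "(sAMAccountName=$logonName)") {
    throw "Downlevel logon name '$logonName' already exists in this domain."
}
# The UPN must be unique within the forest, so ask a global catalog (port 3268), not one domain.
if (Get-ADUser -LDAPFilter "(userPrincipalName=$upn)" -Server "${upnSuffix}:3268") {
    throw "UPN '$upn' already exists in the forest."
}
# The CN must be unique within the target OU or container.
if (Get-ADObject -LDAPFilter "(cn=$fullName)" -SearchBase $targetOu -SearchScope OneLevel) {
    throw "An object named '$fullName' already exists in $targetOu."
}

# Steps 9-10: prompt for the temporary password instead of embedding it in the script,
# and force a change at next logon so only the user knows the final password.
$tempPassword = Read-Host -Prompt 'Temporary password' -AsSecureString

$user = New-ADUser -Name $fullName -DisplayName $fullName `
    -GivenName $firstName -Initials $initials -Surname $lastName `
    -SamAccountName $logonName -UserPrincipalName $upn -Path $targetOu `
    -AccountPassword $tempPassword -ChangePasswordAtLogon $true -Enabled $true -PassThru

# Steps 13-15: properties the wizard does not expose are configured after creation.
Set-ADUser -Identity $user -Title 'Account Manager' -Department 'Sales' -Company 'Contoso, Ltd.'

# Verify what was written.
Get-ADUser -Identity $user -Properties Initials, Title, Department, PasswordExpired |
    Format-List Name, SamAccountName, UserPrincipalName, Initials, Department, Enabled, PasswordExpired
```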

Configuring User Account Attributes


When you create a user account in AD DS, you also configure all the associated account properties, or attributes.

Note: The attributes that are associated with a user account are defined as part of the AD DS schema, which members of the Schema Admins security group can modify. Generally, the schema does not change frequently. However, when an enterprise-level application, such as Microsoft Exchange Server 2010, is introduced, many schema changes are required. These changes enable objects, including user objects, to have additional attributes.
When you use Active Directory Users and Computers to create a new user object, you are not required to define many attributes beyond those required to allow the user to log on by using the account. Since you can associate a user object with many attributes, it is important that you understand what these attributes are, and how you can use them in your organization.

Attribute Categories


The attributes of a user object fall into several broad categories that appear on tabs of the user properties dialog box, and include:
• Account attributes: The Account tab. These properties include logon names, passwords, and account flags. You can configure many of these attributes when you create a new user with the Active Directory Users and Computers snap-in. The Account Properties section details the account attributes.
• Personal information: The General, Address, Telephones, and Organization tabs. The General tab contains the name properties that you configure when you create a user object, along with the basic description and contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab also is where the Notes field is located, which corresponds to the info attribute. It is a very useful general-purpose text field that many enterprises underuse. The Organization tab shows the job title, department, company, and organizational relationships.
• User configuration management: The Profile tab. Here, you can configure the user's profile path, logon script, and home folder.
• Group membership: The Member Of tab. You can add the user to, and remove the user from, groups. You also can change the user's primary group.


• Remote Desktop Services: The Remote Desktop Services Profile, Environment, Remote control, Sessions, and Personal Virtual Desktop tabs. These tabs enable you to configure and manage the user's experience when the user connects to a Remote Desktop Services session.
• Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on the Dial-in tab.
• Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+ partition set. This feature facilitates the management of distributed applications.

Viewing All Attributes


The Attribute Editor tab allows you to view and edit all attributes of a user object.

Note: The Attribute Editor tab is not visible until you enable Advanced Features from the View menu of the Microsoft Management Console (MMC).
The Attribute Editor displays all system attributes of the selected object. The Filter button enables you to choose to see even more attributes, including backlinks and constructed attributes. Backlinks are attributes that result from references to the object from other objects. The easiest way to understand backlinks is to look at an example: the memberOf attribute. When a user is added to a group, it is the group's member attribute that is changed. The distinguished name of the user is added to this multivalued attribute. The member attribute of a group is called a forward link attribute. A user's memberOf attribute is updated automatically by AD DS when the user is referred to by a group's member attribute. In other words, you do not ever write directly to the user's memberOf attribute. AD DS maintains it dynamically.

A constructed attribute is one that results from a calculation that AD DS performs. An example is the tokenGroups attribute. This attribute is a list of the security identifiers (SIDs) of all the groups to which the user belongs, including nested groups. To determine the value of tokenGroups, AD DS must calculate the effective membership of the user, which takes a few processor cycles. Because of this, the attribute is not stored as part of the user object, nor is it dynamically maintained. Instead, it is calculated when needed. Because of the processing required to produce constructed attributes, the Attribute Editor tab does not display them by default. In addition, you cannot use constructed attributes in Lightweight Directory Access Protocol (LDAP) queries.
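The forward link, backlink and constructed attribute behaviour described above, shown with the ActiveDirectory module as an added example that is not part of the course. The user and group names are assumed example values.

```powershell
# Added example (not from the course): forward link (group member) versus backlink
# (user memberOf), and reading the constructed tokenGroups attribute.
# Assumptions: ActiveDirectory module present; 'cohare' and 'Sales' are example names.
Import-Module ActiveDirectory

$userName  = 'cohare'   # assumed sAMAccountName
$groupName = 'Sales'    # assumed global security group

# 1. The forward link is the group's member attribute: that is what a membership change writes.
Add-ADGroupMember -Identity $groupName -Members $userName
$groupDn = (Get-ADGroup -Identity $groupName).DistinguishedName

# 2. AD DS maintains the user's memberOf backlink itself; it now contains the group's DN.
$memberOf = (Get-ADUser -Identity $userName -Properties memberOf).memberOf
if ($memberOf -notcontains $groupDn) { throw 'Expected the memberOf backlink to be updated.' }

# 3. A backlink cannot be written directly; the directory rejects the modification.
try {
    Set-ADUser -Identity $userName -Remove @{ memberOf = $groupDn } -ErrorAction Stop
} catch {
    Write-Warning "memberOf is a backlink and is read-only: $($_.Exception.Message)"
}

# 4. tokenGroups is constructed on demand from the effective (nested) membership. It can be
#    read for a single object, as here, but it cannot be used in an LDAP filter.
$raw = (Get-ADUser -Identity $userName -Properties tokenGroups).tokenGroups
$effective = foreach ($entry in $raw) {
    # Values may arrive as SecurityIdentifier objects or as raw SID byte arrays; accept both.
    $sid = if ($entry -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($entry, 0) }
           else { [System.Security.Principal.SecurityIdentifier]$entry }
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# memberOf lists direct groups only; tokenGroups also includes nested groups and the primary group,
# which is why an access check must use the effective list, not memberOf.
$direct = foreach ($dn in $memberOf) { (Get-ADGroup -Identity $dn).SamAccountName }
"Direct (memberOf):       $(($direct | Sort-Object) -join ', ')"
"Effective (tokenGroups): $(($effective | Sort-Object) -join ', ')"
```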

Modifying Attributes for Multiple Users


The Active Directory Users and Computers snap-in enables you to modify the properties of multiple user objects simultaneously. To modify attributes of multiple users in the Active Directory Users and Computers snap-in:
1. Select several user objects by holding the Ctrl key as you click each user, or by using any other multiple-selection technique. Be certain that you select only objects of one class, such as users.
2. After you select the objects, right-click any one of them, and then click Properties.

When you have selected the user objects, a subset of properties is available for modification:
• General: Description, Office, Telephone Number, Fax, Web page, E-mail
• Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, and Account expires
• Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, and Country/region


• Profile: Profile path, Logon script, and Home folder
• Organization: Job Title, Department, Company, and Manager

Creating User Profiles


Some of the optional properties that you can configure for your user accounts are located on the Profile tab of the Account Property page. You can configure three properties on this page:
• Profile path. This is either a local, or more usually, a UNC path. The user's desktop settings are stored in the profile. Once you define a user profile by using a UNC path, then whichever domain computer services a user's logon, their desktop settings will be available. This is known as a roaming profile.

Note: It is good practice to use a subfolder of the user's home folder for the user's profile path.
• Logon script. This is the name of a batch file that contains commands that execute when the user logs on. Typically, you use these commands to create drive mappings. Rather than use a logon script batch file, it is more usual for administrators to implement logon scripts by using Group Policy Objects (GPOs) or Group Policy Preferences. If you use a login script, this value should be in the form of a filename (with extension) only. Scripts should be stored in the C:\Windows\SYSVOL\domain\scripts folder on all domain controllers.
• Home folder. This value enables you to create a personal storage area in which users can save their personal documents. You can specify either a local path, or more usually, a UNC path to the user's folder. You also must specify a drive letter that is used to map a network drive to the specified UNC path.

When configuring the profile path and home folder locations, if you use the variable %username% in the path, this is substituted for the actual user name during application of the properties. Additionally, so long as the shared parent folder exists, and the administrator modifying the account properties has at least Modify File permissions on the shared folder, then the user's subfolder is created automatically. In this instance, the file permissions are modified on the newly-created subfolder so that the user has full control of his or her home folder.


Creating User Accounts with User Account Templates


Users in a domain often share many similar properties. For example, all sales representatives can belong to the same security groups, log on to the network during similar hours, and have home folders and roaming profiles stored on the same server. Because of this, to save time when creating a new user, you can copy an existing user account rather than create a blank account and populate each property. If you want to create multiple users with broadly similar properties, you can use a user account template. A user account template is a generic user account that you have populated with common properties. For example, you can create a template account for sales representatives, which you then configure with group memberships, logon hours, a home folder, and roaming profile path. To create a user account template, perform the following steps:
1. Create a user account, and prepopulate it with the appropriate attributes.
2. Disable the user account template so that the template account cannot be used to log on to the network.

To create a user based on the template, perform the following steps:
1. Right-click the user account template, and then click Copy. The Copy Object - User Wizard appears.
2. In the First name box, type the user's first name.
3. In the Last name box, type the user's last name.
4. Modify the Full name value, if necessary.
5. In the User logon name box, type the user logon name, and then select the appropriate UPN suffix from the drop-down list.
6. In the User logon name (pre-Windows 2000) box, type the user's user name.
7. Click Next.
8. In the Password box and the Confirm password box, type the user's password.
9. Select the appropriate password options.

10. If you created the new user account by copying a disabled user account, clear the Account is disabled check box to enable the new account.
It is important to understand that not all attributes are copied. The following list summarizes the attributes that are copied:
• General tab. No properties are copied from the General tab.
• Address tab. P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied.
• Account tab. Logon hours, logon workstations, account options, and account expiration are copied.
• Profile tab. Profile path, logon script, home drive, and home folder path are copied.
• Organization tab. Department, company, and manager are copied.


• Member Of tab. Group membership and primary group are copied.

It is not useful to configure any other attributes in the template, because they will not be copied.
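An equivalent of the Copy command in Windows PowerShell, as an added example that is not part of the course. It copies only the attribute subset listed above, and also carries out the %username% substitution and automatic home folder creation described under Creating User Profiles. It assumes the ActiveDirectory module, a template account named _Sales_template, and an example UPN suffix; Get-ADPrincipalGroupMembership and New-ADUser -Instance are the real cmdlet and parameter used to do the copying.

```powershell
# Added example (not from the course): create a user from a disabled template account,
# copying the same attribute subset that the Copy Object - User wizard copies.
# Assumptions: ActiveDirectory module present; template, suffix and user are example values.
Import-Module ActiveDirectory

# Attributes the wizard carries over. General tab and street address are deliberately absent.
$copiedAttributes = @(
    'POBox', 'City', 'State', 'PostalCode', 'Country',                        # Address tab
    'logonHours', 'LogonWorkstations', 'AccountExpirationDate',                # Account tab
    'PasswordNeverExpires', 'CannotChangePassword',                            # account options
    'ProfilePath', 'ScriptPath', 'HomeDrive', 'HomeDirectory',                 # Profile tab
    'Department', 'Company', 'Manager'                                         # Organization tab
)

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $AccountPassword,
        [string] $UpnSuffix = 'contoso.com'   # assumed
    )
    $template = Get-ADUser -Identity $TemplateSam -Properties $copiedAttributes
    if ($template.Enabled) { throw "Template '$TemplateSam' must be disabled so nobody can log on with it." }
    $primaryRid = (Get-ADUser -Identity $TemplateSam -Properties primaryGroupID).primaryGroupID

    # -Instance copies the retrieved properties; explicit parameters override them, and
    # -Enabled $true is the equivalent of clearing 'Account is disabled' in step 10.
    $fullName = "$GivenName $Surname"
    $user = New-ADUser -Instance $template -Name $fullName -DisplayName $fullName `
        -GivenName $GivenName -Surname $Surname -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Path ($template.DistinguishedName -replace '^CN=[^,]+,', '') `
        -AccountPassword $AccountPassword -ChangePasswordAtLogon $true -Enabled $true -PassThru

    # The wizard substitutes %username% in the profile path and home folder; do the same.
    $homeDir     = $template.HomeDirectory -replace '%username%', $SamAccountName
    $profilePath = $template.ProfilePath   -replace '%username%', $SamAccountName
    Set-ADUser -Identity $user -HomeDirectory $homeDir -ProfilePath $profilePath

    # Member Of tab: copy every group except Domain Users (RID 513), which every new user
    # already belongs to implicitly, then restore a non-default primary group if the template had one.
    Get-ADPrincipalGroupMembership -Identity $template |
        Where-Object { $_.SID.Value -notmatch '-513$' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $user }
    if ($primaryRid -ne 513) { Set-ADUser -Identity $user -Replace @{ primaryGroupID = $primaryRid } }

    # Create the home folder and grant the user full control, as the snap-in does when the
    # administrator has at least Modify on the shared parent folder.
    if ($homeDir -and -not (Test-Path -Path $homeDir)) {
        New-Item -ItemType Directory -Path $homeDir | Out-Null
        $acl  = Get-Acl -Path $homeDir
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $user.SID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $homeDir -AclObject $acl
    }
    return $user
}

$tempPassword = Read-Host -Prompt 'Temporary password for the new user' -AsSecureString
New-UserFromTemplate -TemplateSam '_Sales_template' -GivenName 'Ed' -Surname 'Meadows' `
    -SamAccountName 'ed' -AccountPassword $tempPassword
```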

Demonstration: Managing User Accounts by Using Active Directory Users and Computers
After you have created a user account, there are a number of tasks that you perform that are considered account management tasks, and may include:
• Renaming a user account.
• Resetting a user password.
• Unlocking a user account.
• Disabling or enabling a user account.
• Moving a user account.
• Deleting a user account.

Renaming a User Account


When you need to rename a user account, there can be one or more attributes that you must change. To rename a user in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user, and then click Rename.
2. Type the new common name (CN) for the user, and press Enter. The Rename User dialog box appears and prompts you to enter additional name attributes.
3. Type the Full name (which corresponds to the CN and Name attributes).
4. Type the First name and Last name.
5. Type the Display name.
6. Type the User logon name and User logon name (pre-Windows 2000).

Reset a User Password


When attempting to log on, a user who forgets the logon password will see a logon error message. Before the user can log on successfully, you must reset the password. You do not need to know the user's old password to do so. To reset a user's password in the Active Directory Users and Computers snap-in:
1. Right-click the user object, and then click Reset Password. The Reset Password dialog box appears.
2. Enter the new password in both the New Password and Confirm Password boxes. It is a best practice to assign a temporary, unique, strong password for the user.
3. Select the User Must Change Password at Next Logon check box. It is a best practice to force the user to change the password at the next logon, so that the user creates a password known only by the user.
4. Click OK.


5. Communicate the temporary password to the user in a secure manner.

Unlocking a User Account


An Active Directory domain supports account lockout policies. A lockout policy is designed to prevent intruders from penetrating the enterprise network by attempting to log on repeatedly with various passwords until they find the correct password. When users attempt to log on with an incorrect password, a logon failure is generated. When too many logon failures occur within a specified period of time, which you define in the lockout policy, the account is locked out. The next time that users attempt to log on, a notification clearly states the account lockout. Your lockout policy can define a period of time after which a locked-out account is unlocked automatically. But when users try to log on and discover that they are locked out, it is likely they will contact the help desk for support. To unlock a user account in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user object, and then click Properties.
2. Click the Account tab.
3. Select the Unlock Account check box.

Windows Server 2012 also provides the option to unlock a user's account when you choose the Reset Password command. To unlock a user account while resetting the user's password, perform the following step: In the Reset Password dialog box, select the Unlock the user's account check box.

This method is particularly handy when a user's account is locked out because the user did, in fact, forget the password. You can now assign a new password, specify that the user must change the password at the next logon, and unlock the user's account: all in one dialog box.

Note: Watch for drives mapped with alternate credentials, because this is a common cause of account lockout. If the password is changed, and the Windows client attempts repeatedly to connect to the drive, that account is locked out.

Disabling and Enabling User Accounts


User accounts are security principals that can be given access to network resources. Each user is a member of Domain Users and of the Authenticated Users special identity. By default, each user account has at least Read access to the information stored in Active Directory. For this reason, it is important not to leave user accounts open. This also means that you should configure password policies, auditing, and procedures to ensure that accounts are being used appropriately. If a user account is provisioned before it is needed, or if the employee for whom you have set up an account is, or will be, absent for an extended period, disable the account. To disable an account in the Active Directory Users and Computers snap-in: Right-click a user, and then click Disable Account.

If an account is disabled already, the Enable Account command appears when you right-click the user.

Moving a User Account


To move a user object in the Active Directory Users and Computers snap-in, perform the following steps: 1. Right-click the user, and then click Move.


2. Click the folder to which you want to move the user account, and then click OK.

Alternatively, you can drag the user object to the destination OU.

Deleting a User Account


When an account is no longer necessary, you can delete it from your directory. To delete a user account in Active Directory Users and Computers, perform the following steps:
1. Select the user and press Delete; or right-click the user, and then click Delete. You are prompted to confirm your choice because of the significant implications of deleting a security principal.
2. Confirm the prompt by clicking OK.
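The account management tasks covered in this topic (unlock, reset, disable, rename, move, delete) done with the ActiveDirectory module, as an added example that is not part of the course. It assumes an example user, an example OU and that the module is installed; the lockout listing first asks the PDC emulator, since that domain controller is notified of every failed password attempt and so gives the most complete view before anyone unlocks an account.

```powershell
# Added example (not from the course): the account management tasks above in PowerShell.
# Assumptions: ActiveDirectory module present; user, names and OU are example values.
Import-Module ActiveDirectory
$userName = 'cohare'   # assumed sAMAccountName

# Unlocking: look at who is locked out and why before unlocking. badPwdCount and the last
# bad-password time are not replicated, but every DC forwards failed attempts to the PDC emulator,
# so querying it shows repeated failures such as a mapped drive with a stale password.
$pdc = (Get-ADDomain).PDCEmulator
Search-ADAccount -LockedOut -UsersOnly -Server $pdc | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Server $pdc `
        -Properties badPwdCount, LastBadPasswordAttempt, AccountLockoutTime
} | Format-Table SamAccountName, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime

# Reset password, force a change at next logon and unlock: the three things the
# Reset Password dialog box does together.
$newPassword = Read-Host -Prompt 'Temporary password' -AsSecureString
Set-ADAccountPassword -Identity $userName -Reset -NewPassword $newPassword
Set-ADUser -Identity $userName -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $userName

# Disabling and enabling.
Disable-ADAccount -Identity $userName
Enable-ADAccount  -Identity $userName

# Renaming: Rename-ADObject changes the CN (Name); the other name attributes are set separately.
Get-ADUser -Identity $userName | Rename-ADObject -NewName "Conor P. O'Hare"
Set-ADUser -Identity $userName -DisplayName "Conor P. O'Hare" -GivenName 'Conor' -Surname "O'Hare"
# Changing the logon names changes the identity the user signs in with, so do that deliberately:
# Set-ADUser -Identity $userName -SamAccountName 'cpohare' -UserPrincipalName 'cpohare@contoso.com'

# Moving: the DN changes but the SID and GUID do not, so existing ACL entries stay valid.
Get-ADUser -Identity $userName | Move-ADObject -TargetPath 'OU=IT,DC=contoso,DC=com'   # assumed OU

# Deleting a security principal prompts for confirmation; a deleted SID is never reused.
Remove-ADUser -Identity $userName -Confirm:$true
```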

Demonstration
This demonstration shows how to:
1. Open Active Directory Users and Computers.
2. Delete a user account.
3. Create a template account.
4. Create a new user account from a template.
5. Modify the user account properties.
6. Rename the user account.
7. Move the user account.

Demonstration Steps

Open Active Directory Users and Computers


1. Log on as Administrator.
2. Open Active Directory Users and Computers.

Delete a user account


Locate Ed Meadows in the Managers OU, and delete the account.

Create a template account


1. Create a folder called C:\userdata, and share it. Grant Everyone Full Control shared permissions on the folder. Note that the NTFS permissions remain unaffected.
2. Create a new user account called _Managers_template. Ensure that the account is created in a disabled state with a strong password.
3. Modify the properties of the template account so that it has a Home folder located in the new shared folder.

Create a new user account from a template


1. Copy the template account, and then configure the new user account with the Full name Ed Meadows, and the logon name of Ed.
2. Configure a strong password, and then enable the account.

Modify the user account properties


1. Open the Ed Meadows account, and then verify that the Home folder has been automatically defined as part of the copy process.


2. View additional properties.

Rename the user account


Rename the account Ed Meadows2, but cancel the operation after viewing the options for renaming the various account names.

Move the user account


Move the Ed Meadows account to the IT OU.


Lesson 2

Managing Group Accounts


While it might be practical, even desirable, to assign permissions and abilities to individual user accounts in small networks, it becomes impractical and inefficient in large enterprise networks. For example, if many users need the same level of access to a folder, it is more efficient to create a group that contains the required user accounts, and assign the group the required permissions. This has the added benefit of enabling you to change a user's file permissions by adding or removing them from groups rather than editing the file permissions directly. Before implementing groups in your organization, you must understand the scope of the various Windows Server group types, and how best to use these to manage access to resources or to assign management rights and abilities.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe group types.
• Describe group scopes.
• Explain how to implement group management.
• Describe default groups and special identities.
• Manage groups in Windows Server.

Group Types
In a Windows Server enterprise, there are two types of groups: security and distribution. When you create a group, you choose the group type in the New Object - Group dialog box. Distribution groups, which are not security-enabled, are used primarily by email applications. This means that they do not have SIDs, so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all group members. Security groups are security principals with SIDs. You can therefore use these groups in permission entries in access control lists (ACLs) to control security for resource access. You also can use security groups as a means of distribution for email applications. If you want to use a group to manage security, it must be a security group.

Note: The default group type is Security.
Because you can use security groups for both resource access and email distribution, many organizations use only security groups. However, we recommend that if a group is used only for email distribution, you should create the group as a distribution group. Otherwise, the group is assigned a SID, and the SID is added to the user's security access token, which can lead to an unnecessary size increase of the security token.


Note: The benefit of using distribution groups becomes more evident in large-scale Exchange Server deployments, especially where there is a need to nest these distribution groups across the enterprise.

Group Scopes


Windows Server supports the notion of group scoping. The scope of a group determines both the range of a group's abilities or permissions, and the group membership. There are four group scopes:
• Local. These exist on stand-alone servers or workstations, on domain-member servers that are not domain controllers, or on domain-member workstations. Local groups are truly local, which means that they are available only on the computer where they exist. The important characteristics of a local group are:
o You can assign abilities and permissions only on local resources, meaning on the local computer.
o Members can be from anywhere in the AD DS forest, and can include:
    - Any security principals from the domain: users, computers, global groups, or domain local groups.
    - Users, computers, and global groups from any domain in the forest.
    - Users, computers, and global groups from any trusted domain.
    - Universal groups defined in any domain in the forest.

• Domain Local. These are used primarily to manage access to resources or to assign management responsibilities (rights). Domain local groups exist on domain controllers in an AD DS forest, and consequently, the group's scope is localized to the domain in which they reside. The important characteristics of domain local groups are:
o You can assign abilities and permissions only on domain local resources, meaning on all computers in the local domain.
o Members can be from anywhere in the AD DS forest, and can include:
    - Any security principals from the domain: users, computers, global groups, or domain local groups.
    - Users, computers, and global groups from any domain in the forest.
    - Users, computers, and global groups from any trusted domain.
    - Universal groups defined in any domain in the forest.

• Global. These are used primarily to consolidate users that have similar characteristics. For example, global groups often are used to consolidate users that are part of a department or geographic location. The important characteristics of global groups are:
o You can assign abilities and permissions anywhere in the forest.
o Members can be only from the local domain, and can include:


    - Users, computers, and global groups from the local domain.

• Universal. These groups are most useful in multidomain networks as they combine the characteristics of both domain local groups and global groups. Specifically, the important characteristics of universal groups are:
o You can assign abilities and permissions anywhere in the forest, as with global groups.
o Members can be from anywhere in the AD DS forest, and can include:
    - Users, computers, and global groups from any domain in the forest.
    - Universal groups defined in any domain in the forest.

Properties of universal groups are propagated to the global catalog, and made available across the enterprise on all domain controllers that host the global catalog role. This makes universal groups' membership lists more accessible, which can be useful in multidomain scenarios. For example, if a universal group is used for email distribution purposes, the process for determining the membership list typically is quicker in distributed multidomain networks.

Implementing Group Management


Adding groups to other groups, a process called nesting, can create a hierarchy of groups that support your business roles and management rules. Now that you have learned the business purposes and technical characteristics of groups, it is time to align the two in a strategy for group management. Earlier in this lesson, you learned what types of objects can be members of each group scope. Now it is time to identify what types of objects should be members of each group scope. This leads to the best practice for group nesting, known as IGDLA, which is:
• Identities
• Global groups
• Domain local groups
• Access

Identities (user and computer accounts) are members of global groups, which represent business roles. Those role groups (global groups) are members of domain local groups, which represent management rules, for example, determining who has Read permission to a specific collection of folders. These rule groups (domain local groups) are granted access to resources. In the case of a shared folder, access is granted by adding the domain local group to the folder's ACL, with a permission that provides the appropriate level of access.


Note: This approach to group nesting was earlier known as AGDLP, which stands for: accounts, global groups, domain local groups, permissions. The terminology used in this course, IGDLA, has a more general scope of application, and it also aligns with industry-standard terminology. In a multidomain forest, there are universal groups also, which fit in between global and domain local groups. Global groups from multiple domains are members of a single universal group. That universal group is a member of domain local groups in multiple domains. You can remember the nesting as IGUDLA.

IGDLA Example
This best practice for implementing group nesting translates well even in multi-domain scenarios. Consider the following, which describes an IGDLA scenario. The figure on the slide represents a group implementation that reflects not only the technical view of group management best practices (IGDLA), but also the business view of role-based, rule-based management. Consider the following scenario: The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a folder called Sales. The sales force needs Read access to the Sales folder. Additionally, a team of auditors from Woodgrove Bank, a potential investor, require Read access to the Sales folder to perform the audit. You would perform the following steps to implement the security required by this scenario:
1. Assign users with common job responsibilities or other business characteristics to role groups implemented as global security groups. Do this separately in each domain. Salespeople at Contoso are added to a Sales role group; Auditors at Woodgrove Bank are added to an Auditors role group.
2. Create a group to manage access to the Sales folders with Read permission. This is implemented in the domain containing the resource that is being managed. In this case, the Sales folder resides in the Contoso domain. The resource access management rule group is created as a domain local group, ACL_Sales Folders_Read.
3. Add the role groups to the resource access management rule group to represent the management rule. These groups can come from any domain in the forest or from a trusted domain, such as Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same forest, can be members of a domain local group.
4. Assign the permission that implements the required level of access. In this case, grant the Allow Read permission to the domain local group.

This strategy results in two single points of management, reducing the management burden. There is one point of management that defines who is in Sales, and one that defines who is an Auditor. Those roles, of course, are likely to have access to a variety of resources beyond simply the Sales folder. There is another single point of management to determine who has Read access to the Sales folder. Furthermore, the Sales folder may not just be a single folder on a single server. It could be a collection of folders across multiple servers, each of which assigns the Allow Read permission to the single domain local group.
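The four IGDLA steps for the Contoso/Woodgrove scenario, scripted with the ActiveDirectory module as an added example (this is not course code). Assumed names: OU=Groups,DC=contoso,DC=com for the groups, sample users jeff.ford and ann.beebe, a trust to woodgrove.com that lets Get-ADGroup reach the Auditors group, and the share \\FS01\Sales as the Sales folder.

```powershell
# Added example (not from the course): IGDLA steps 1-4, run on a Contoso domain member.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=contoso,DC=com'   # assumption
$salesPath = '\\FS01\Sales'                  # assumption

# Step 1: role group. A global security group in the users' own domain. Woodgrove's
# Auditors role group is created by Woodgrove's administrators; this script only uses it.
New-ADGroup -Name 'Sales' -SamAccountName 'Sales' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Role: Contoso sales force'
Add-ADGroupMember -Identity 'Sales' -Members 'jeff.ford', 'ann.beebe'   # constructed sample users

# Step 2: rule group. A domain local security group in the domain that owns the resource.
# The display name may contain spaces; the sAMAccountName is what the NTFS ACE will name.
New-ADGroup -Name 'ACL_Sales Folders_Read' -SamAccountName 'ACL_SalesFolders_Read' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
    -Description 'Rule: Read access to the Sales folders'

# Step 3: nest the role groups into the rule group. The Woodgrove group is resolved through
# the trust (assumption) and is stored by AD DS as a foreign security principal.
Add-ADGroupMember -Identity 'ACL_Sales Folders_Read' -Members 'Sales'
$woodgroveAuditors = Get-ADGroup -Identity 'Auditors' -Server 'woodgrove.com'
Add-ADGroupMember -Identity 'ACL_Sales Folders_Read' -Members $woodgroveAuditors

# Step 4: grant Allow Read (Read & Execute, inherited by subfolders and files) to the
# rule group only. No user or role group appears in the folder's ACL.
$acl  = Get-Acl -Path $salesPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\ACL_SalesFolders_Read',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $salesPath -AclObject $acl

# Check the chain: which role groups sit in the rule group, and that only the rule group
# holds an ACE on the folder.
Get-ADGroupMember -Identity 'ACL_Sales Folders_Read' |
    Select-Object Name, objectClass, distinguishedName
(Get-Acl -Path $salesPath).Access |
    Where-Object { $_.IdentityReference -like '*ACL_SalesFolders_Read' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```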


Default Groups and Special Identities

Default Groups
There are a number of groups that are created automatically on a Windows Server 2012 server. These are called default local groups, and they include well-known groups such as Administrators, Backup Operators, and Remote Desktop Users. There are additional groups that are created in a domain, both in the Builtin and Users containers, including Domain Admins, Enterprise Admins, and Schema Admins. The following list provides a summary of capabilities of the subset of default groups that have significant permissions and user rights related to the management of AD DS:

- Enterprise Admins (in the Users container of the forest root domain). This group is a member of the Administrators group in every domain in the forest, giving it complete access to the configuration of all domain controllers. It also owns the Configuration partition of the directory and has full control of the domain naming context in all forest domains.
- Schema Admins (Users container of the forest root domain). This group owns and has full control of the Active Directory schema.
- Administrators (Builtin container of each domain). This group has complete control over all domain controllers and data in the domain naming context. It can change the membership of all other administrative groups in the domain, and the Administrators group in the forest root domain can change the membership of Enterprise Admins, Schema Admins, and Domain Admins. The Administrators group in the forest root domain is arguably the most powerful service administration group in the forest.
- Domain Admins (Users container of each domain). This group is added to the Administrators group of its domain. It therefore inherits all of the capabilities of the Administrators group. It is also, by default, added to the local Administrators group of each domain member computer, giving Domain Admins ownership of all domain computers.
- Server Operators (Builtin container of each domain). This group can perform maintenance tasks on domain controllers. It has the right to log on locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and shut down domain controllers. By default, this group has no members.
- Account Operators (Builtin container of each domain). This group can create, modify, and delete accounts for users, groups, and computers located in any OU in the domain (except the Domain Controllers OU), and in the Users and Computers containers. Account Operators cannot modify accounts that are members of the Administrators or Domain Admins groups, nor can they modify those groups. Account Operators also can log on locally to domain controllers. By default, this group has no members.
- Backup Operators (Builtin container of each domain). This group can perform backup and restore operations on domain controllers, and log on locally and shut down domain controllers. By default, this group has no members.
- Print Operators (Builtin container of each domain). This group can maintain print queues on domain controllers. It also can log on locally and shut down domain controllers.


You need to carefully manage the default groups that provide administrative privileges, because they typically have broader privileges than are necessary for most delegated environments, and because they often apply protection to their members. The Account Operators group is a good example of this. If you examine the capabilities of the Account Operators group in the preceding list, you can see that its rights are very broad; it can even log on locally to a domain controller. In very small networks, such rights would probably be appropriate for one or two individuals who typically would be domain administrators anyway. In large enterprises, the rights and permissions granted to Account Operators usually are far too broad. Additionally, the Account Operators group is, like the other administrative groups, a protected group. Protected groups are defined by the operating system and cannot be unprotected. Members of a protected group become protected. The result of protection is that the permissions (ACLs) of members are modified so that they no longer inherit permissions from their OU, but rather receive a copy of an ACL that is quite restrictive. For example, if you add Jeff Ford to the Account Operators group, his account becomes protected, and the help desk, which can reset all other user passwords in the Employees OU, cannot reset Jeff Ford's password.

You should try to avoid adding users to the following groups that do not have members by default: Account Operators, Backup Operators, Server Operators, and Print Operators. Instead, create custom groups to which you assign permissions and user rights that achieve your business and administrative requirements. For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but should not be able to perform restore operations that could lead to database rollback or corruption, and should not be able to shut down a domain controller, do not put Scott in the Backup Operators group. Instead, create a group and assign it only the Backup Files And Directories user right, then add Scott as a member.
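A check that follows from the guidance above, as an added example (not course code): it reports any members of the four operator groups that should be empty by default, and lists the accounts the operating system has marked as protected, whose ACLs no longer inherit from their OU. Assumed: the ActiveDirectory module is available on the machine where it runs.

```powershell
# Added example (not from the course): audit of default operator groups and protected accounts.
Import-Module ActiveDirectory

function Get-OperatorGroupMembership {
    # These four groups have no members by default; anything reported here is worth a review.
    $groups = 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
    foreach ($g in $groups) {
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group       = $g
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }
}

function Get-ProtectedAccounts {
    # Protection shows up as adminCount = 1 and a security descriptor with inheritance blocked.
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectCategory=person)(objectCategory=group)))' `
        -Properties adminCount, nTSecurityDescriptor |
        Select-Object Name, ObjectClass,
            @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

Get-OperatorGroupMembership | Format-Table -AutoSize
Get-ProtectedAccounts       | Format-Table -AutoSize
```

An account that appears in the second list but is no longer a member of any protected group keeps its restrictive ACL, which is the case to look for when a help desk reset unexpectedly fails.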

Special Identities
Windows and AD DS also support special identities, which are groups for which membership is controlled by the operating system. You cannot view the groups in any list (in the Active Directory Users and Computers snap-in, for example), you cannot view or modify the membership of these special identities, and you cannot add them to other groups. You can, however, use these groups to assign rights and permissions. The most important special identities, often referred to as groups (for convenience), are described in the following list:

- Anonymous Logon. This identity represents connections to a computer and its resources that are made without supplying a user name and password. Prior to Windows Server 2003, this group was a member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a default member of the Everyone group.
- Authenticated Users. This represents identities that have been authenticated. This group does not include Guest, even if the Guest account has a password.
- Everyone. This identity includes Authenticated Users and the Guest account. On computers that are running versions of Windows that precede Windows Server 2003, this group includes Anonymous Logon.
- Interactive. This represents users accessing a resource while logged on locally to the computer that is hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user is added to the Interactive group automatically for that resource. Interactive also includes users logged on through a Remote Desktop connection.


- Network. This represents users accessing a resource over the network, as opposed to users who are logged on locally at the computer that is hosting the resource. When a user accesses any given resource over the network, the user is automatically added to the Network group for that resource.

The importance of these special identities is that you can use them to provide access to resources based on the type of authentication or connection, rather than the user account. For example, you could create a folder on a system that allows users to view its contents when they are logged on locally to the system, but that does not allow the same users to view the contents from a mapped drive over the network. You could achieve this by assigning permissions to the Interactive special identity.
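The local-only folder described above, built as an added example (not course code) by granting Read to the Interactive identity through its well-known SID and giving the Network identity no ACE at all. Assumed: the folder D:\LocalOnly on the server hosting the resource.

```powershell
# Added example (not from the course): a folder readable at the console or over Remote
# Desktop (token contains INTERACTIVE) but not through a share (token contains NETWORK).
$path = 'D:\LocalOnly'   # assumption
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Well-known SIDs for the two special identities; they cannot be looked up as group objects.
$interactive = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-4')   # INTERACTIVE
$network     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-2')   # NETWORK

$acl = Get-Acl -Path $path
# Stop inheriting from the parent and drop the inherited ACEs, so only what we add applies.
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $interactive, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
# Keep the folder manageable by administrators.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $path -AclObject $acl

# Verify: INTERACTIVE has an Allow ACE, NETWORK has none, so a mapped-drive access by the same
# user matches no Allow entry and is refused. No Deny ACE is needed.
$dacl = (Get-Acl -Path $path).Access
$dacl | Select-Object IdentityReference, FileSystemRights, AccessControlType
$networkAce = $dacl | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $network }
"NETWORK ACE present: $([bool]$networkAce)"
```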

Demonstration: Managing Groups


This demonstration shows how to:
1. Create a new group.
2. Add members to the group.
3. Add a user to the group.
4. Change the group type and scope.

Demonstration Steps

Create a new group

1. Open Active Directory Users and Computers.
2. Create a new Global Security group in the IT OU called IT Managers.

Add members to the group


Select multiple users, and then add them to the new group.

Add a user to the group


Open the properties of Ed Meadows, and from the Member Of tab, add him to the IT Managers group.

Change the group type and scope


Open the properties of the IT Managers group, and on the General tab, change the group scope to Universal and the type to Distribution.


Lesson 3

Managing Computer Accounts

A computer account begins its life cycle when you create it and join it to your domain. Thereafter, day-to-day administrative tasks include the following:
- Configuring computer properties.
- Moving the computer between OUs.
- Managing the computer itself.
- Renaming, resetting, disabling, enabling, and eventually deleting the computer object.

It is important that you know how to perform these various computer-management tasks so you can configure and maintain the computer objects within your organization.

Lesson Objectives

After completing this lesson, you will be able to:
- Explain the purpose of the AD DS Computers container.
- Describe how to configure the location of computer accounts.
- Explain how to control who has permission to create computer accounts.
- Describe computer accounts and the secure channel.
- Explain how to reset the secure channel.

What Is the Computers Container?

Before you create a computer object in the directory service, you must have a place to put it. When you create a domain, the Computers container is created by default (CN=Computers). This container is not an OU. It is an object of the Container class. There are subtle but important differences between a container and an OU. You cannot create an OU within a container, so you cannot subdivide the Computers container. You also cannot link a GPO to a container. Therefore, we recommend that you create custom OUs to host computer objects, instead of using the Computers container.


Specifying the Location of Computer Accounts

Most organizations create at least two OUs for computer objects: one to host computer accounts for client computers, such as desktops, laptops, and other user systems, and another for servers. These two OUs are in addition to the Domain Controllers OU that is created by default during the AD DS installation. Computer objects are created in both OUs. There is no technical difference between a computer object in a clients OU and a computer object in a servers or domain controllers OU; computer objects are computer objects. However, separate OUs typically are created to provide unique scopes of management, so that you can delegate management of client objects to one team and management of server objects to another.

Your administrative model might necessitate further dividing your client and server OUs. Many organizations create sub-OUs beneath a server OU, to collect and manage specific types of servers. For example, you might create an OU for file and print servers, and an OU for database servers. By doing so, you can delegate permissions to manage computer objects in the appropriate OU to the team of administrators for each type of server. Similarly, geographically distributed organizations with local desktop-support teams often divide a parent OU for clients into sub-OUs for each site. This approach enables each site's support team to create computer objects in the site for client computers, and to join computers to the domain by using those computer objects.

These specific examples aside, what is most important is that your OU structure reflects your administrative model so that your OUs can provide single points of management for the delegation of administration. Additionally, by using separate OUs, you can create various baseline configurations by using different GPOs that are linked to the client and the server OUs. With Group Policy, you can specify configuration for collections of computers by linking GPOs that contain configuration instructions to OUs. It is common for organizations to separate clients into desktop and laptop OUs. You then can link GPOs that specify desktop or laptop configuration to the appropriate OUs.

Controlling Permissions to Create Computer Accounts

Three conditions are required for you to join a computer to an Active Directory domain:
- A computer object should be created in the directory service.
- You must have appropriate permissions on the computer object. The permissions allow you to join a physical computer with a name that matches that of the object in AD DS to the domain.
- You must be a member of the local Administrators group on the computer. This allows you to change the computer's domain or workgroup membership.


Note: It is not mandatory to create a computer object in the directory service, but it is highly recommended. Many administrators join computers to a domain without first creating a computer object. When you do this, Windows attempts to join the domain by using an existing object. When Windows does not find the object, it falls back and creates a computer object in the default Computers container. The process of creating a computer account in advance is called prestaging a computer. There are two major advantages of prestaging a computer:
- The account is in the correct OU and is therefore delegated according to the security policy defined by the ACL of the OU.
- The computer is within the scope of GPOs linked to the OU before the computer joins the domain.

After you have been given permission to create computer objects, you can do so by right-clicking the OU and choosing Computer from the New menu. Enter the computer name, following the naming convention of your enterprise, and select the user or group that will be allowed to join the computer to the domain with this account. The two computer names, Computer Name and Computer Name (pre-Windows 2000), should be the same. There is very rarely a justification for configuring them differently.

Note: You can use the Redircmp.exe command-line tool to reconfigure the default computer container. For example, if you want to change the default computer container to an organizational unit called mycomputers, use the following syntax:
redircmp "OU=mycomputers,DC=contoso,DC=com"

Delegating Permissions
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in any new OU. However, as discussed earlier, we recommend that you tightly restrict membership in the first three groups, and that you do not add administrators to the Account Operators group. Instead, you should delegate the permission to create computer objects (called Create Computer Objects) to appropriate administrators or support personnel. This permission, assigned to a group on an OU, allows group members to create computer objects in that OU. For example, you might allow your desktop support team to create computer objects in the clients OU, and allow your file server administrators to create computer objects in the file servers OU. To delegate permissions to create computer accounts, you can use the Delegate Control Wizard to choose a custom task to delegate. The next lesson discusses delegation.
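The delegation described above done without the wizard, as an added example (not course code): it creates a Clients OU, grants a desktop-support group only the Create Computer Objects permission on it, and prestages a computer account there so the account is delegated and GPO-scoped before the join. Assumed names: an existing global group 'Desktop Support' and a new computer LON-CL2; the domain is read from Get-ADDomain.

```powershell
# Added example (not from the course): delegate "Create Computer Objects" on one OU and prestage.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Clients,$domainDN"
New-ADOrganizationalUnit -Name 'Clients' -Path $domainDN -ErrorAction SilentlyContinue

# A "create <class> objects" ACE is a CreateChild right scoped to the class's schema GUID.
# Look the GUID up in the schema rather than hard-coding it.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                    -Properties schemaIDGUID).schemaIDGUID

$group = Get-ADGroup -Identity 'Desktop Support'   # assumption: existing global group
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# The AD: drive exposes object security descriptors to Get-Acl/Set-Acl.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Prestage the account in the delegated OU, so it inherits that OU's ACL and GPO links
# instead of landing in the default Computers container at join time.
New-ADComputer -Name 'LON-CL2' -SamAccountName 'LON-CL2' -Path $ouDN -Enabled $true

# Show the resulting ACE as the Security tab would: CreateChild, limited to the computer class.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*Desktop Support' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```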


Computer Accounts and Secure Channels

Every member computer in an AD DS domain maintains a computer account with a user name (sAMAccountName) and password, just like a user account does. The computer stores its password in the form of a local security authority (LSA) secret, and changes its password with the domain approximately every 30 days. The NetLogon service uses the credentials to log on to the domain, which establishes the secure channel with a domain controller.

Computer accounts and the secure relationships between computers and their domain are robust. Nevertheless, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include:
- After reinstalling the operating system on a workstation, the workstation is unable to authenticate, even though the technician used the same computer name as was used in the previous installation. Because the new installation generated a new SID, and because the new computer does not know the original computer account password in the domain, it does not belong to the domain and cannot authenticate to the domain.
- A computer has not been used for an extended period, perhaps because the user is on vacation or working away from the office. Computers change their passwords every 30 days, and AD DS remembers the current and previous password. If the computer is unused within this period, authentication can fail.
- A computer's LSA secret gets out of synchronization with the password that the domain knows. You can think of this as the computer forgetting its password. Although it did not forget its password, it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate, and the secure channel cannot be created.

Resetting the Secure Channel

The most common signs of computer-account problems are:
- Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (another way of saying the secure relationship) between the computer and the domain has been lost.
- Error messages or events in the event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed To Authenticate, which appears in the computer's event log.
- A computer account is missing in AD DS.


When the secure channel fails, you must reset the secure channel. Many administrators do this by removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This is not a good practice, because it has the potential to delete the computer account altogether. This loses the computer's SID, and more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be recreated. If the trust with the domain has been lost, do not remove a computer from the domain and then rejoin it. Instead, reset the secure channel.

To reset the secure channel between a domain member and the domain, use the Active Directory Users and Computers snap-in, DSMod.exe, NetDom.exe, or NLTest.exe. If you reset the account, the computer's SID remains the same, and it maintains its group memberships.

To reset the secure channel by using the Active Directory Users and Computers snap-in:
1. Right-click a computer, and then click Reset Account.
2. Click Yes to confirm your choice.
3. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using DSMod:
1. At a command prompt, type the following command:
dsmod computer ComputerDN -reset
2. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using NetDom, at a command prompt, type the following command, where the credentials belong to the local Administrators group of the computer:
netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}

This command resets the secure channel by attempting to reset the password on both the computer and the domain, so it does not require rejoining or rebooting.

To reset the secure channel by using NLTest, on the computer that has lost its trust, at a command prompt, type the following command:
nltest /server:ServerName /sc_reset:Domain\DomainController

You also can use Windows PowerShell with the Active Directory module to reset a computer account. The following example demonstrates how to reset the secure channel between the local computer and the domain to which it is joined. You must run this command on the local computer:
Test-ComputerSecureChannel -Repair

Note: You also can reset a remote computer's password with Windows PowerShell:
Invoke-Command -ComputerName Workstation1 -ScriptBlock { Reset-ComputerMachinePassword }
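The in-place repair path from this topic, as an added example (not course code) to run on the member computer that shows the symptoms: it looks for the NETLOGON 3210 events mentioned above, tests the secure channel, and repairs it without the leave/rejoin cycle, so the SID and group memberships survive. The credential parameter is an assumption for the case where the logged-on account may not reset the computer account in AD DS.

```powershell
# Added example (not from the course): check, then repair, the local computer's secure channel.
function Repair-SecureChannelIfBroken {
    param([pscredential]$Credential)   # assumption: account allowed to reset the computer account

    # Evidence first: Event ID 3210 from NETLOGON in the System log is the failed-authentication
    # sign described in the text. Get-WinEvent errors when nothing matches, so suppress that.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } `
                  -MaxEvents 3 -ErrorAction SilentlyContinue
    if ($events) { Write-Host "NETLOGON 3210 seen, last at $($events[0].TimeCreated)" }

    if (Test-ComputerSecureChannel) {
        Write-Host 'Secure channel is healthy; nothing to do.'
        return $true
    }

    # -Repair resets the computer account password in the local LSA secret and in AD DS.
    # The computer object is kept, so its SID and group memberships are unchanged.
    $params = @{ Repair = $true }
    if ($Credential) { $params['Credential'] = $Credential }
    $repaired = Test-ComputerSecureChannel @params

    if ($repaired) {
        # Confirm which domain controller the channel is now established with.
        nltest "/sc_query:$env:USERDOMAIN"
    }
    return $repaired
}

# Constructed usage: prompt once for an account permitted to reset computer accounts.
$cred = Get-Credential -Message 'Account allowed to reset this computer account'
Repair-SecureChannelIfBroken -Credential $cred
```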


Lesson 4

Delegating Administration

Although a single person can easily manage a small network with a handful of user and computer accounts, as the network grows, so too does the volume of work that relates to network management. At some point, it is necessary for teams with particular specializations to evolve, each with responsibility for some specific aspect of network management. In AD DS environments, it is common practice to create OUs to bring departmental or geographic structure to the networked objects, and to enable configuration of administrative delegation. It is important that you know why and how to create OUs, and how to delegate administrative tasks to users on objects within those OUs.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe AD DS permissions.
- Determine a user's effective AD DS permissions on an AD DS object.
- Delegate administrative control to a specified user or group of users of an AD DS object.

AD DS Permissions

All AD DS objects, such as users, computers, and groups, can be secured by using a list of permissions. The permissions on an object are called access control entries (ACEs), and they are assigned to users, groups, or computers, which are also known as security principals. ACEs are saved in the object's DACL, which is part of the object's ACL. The ACL also contains the system access control list (SACL) that includes auditing settings. Each object in AD DS has its own ACL. If you have sufficient permissions, you can modify the permissions to control the level of access on a specific AD DS object.

The delegation of administrative control involves assigning permissions that manage access to objects and properties in AD DS. Just as you can give a group the ability to change files in a folder, you can give a group the ability, for example, to reset passwords on user objects.

The DACL of an object also allows you to assign permissions to an object's specific properties. For example, you can allow (or deny) permission to change phone and email options. This is, in fact, not just one property. It is a property set that includes multiple, specific properties. Using property sets, you can easily manage permissions to commonly used collections of properties. But, you could assign more granular permissions and allow or deny permission to change just some of the information, such as the mobile telephone number or the street address.

Assigning the help desk permission to reset passwords for each individual user object is tedious. Even so, in AD DS, it is not a good practice to assign permissions to individual objects. Instead, you should assign permissions at the level of organizational units. The permissions you assign to an OU are inherited by all objects in the OU. So, if you give the help desk permission to reset passwords for user objects and attach that permission to the OU that contains the users, all user objects within that OU will inherit that permission. In just one step, you have delegated that administrative task.


Child objects inherit the permissions of the parent container or OU. That container or OU in turn inherits its permissions from its parent container or OU. If it is a first-level container or OU, it inherits the permissions from the domain itself. The reason child objects inherit permissions from their parents is that, by default, each new object is created with the Include inheritable permissions from this object's parent option enabled.

Effective AD DS Permissions

Effective permissions are the resulting permissions for a security principal, such as a user or group, based on the cumulative effect of each inherited and explicit ACE. Your ability to reset a user's password, for example, may be due to your membership in a group that is allowed the Reset Password permission on an OU several levels above the user object. The inherited permission assigned to a group to which you belong results in an effective permission of Allow: Reset Password.

Your effective permissions can be complicated when you consider Allow and Deny permissions, explicit and inherited ACEs, and the fact that you may belong to multiple groups, each of which may be assigned different permissions.

To calculate effective permissions for a specific user or group, an AD DS object, or a file or folder, you can perform the following procedure:
1. Right-click the object, file, or folder, click Properties, and then click the Security tab.
2. Click Advanced, click the Effective Permissions tab, and then click Select.
3. In the Enter the object name to select field, type the name of a user or group, and then click OK. The selected check boxes indicate the effective permissions of the user or group for that file or folder.

Note: You also can use the DSACLS command-line tool to view or modify AD DS permissions. For example, to grant Amy Read and Execute permissions on computer objects within the Help Desk OU, use the following syntax:
dsacls "OU=Help Desk,DC=Adatum,DC=com" /G Domain\Amy:GRGE;computer

Permissions, whether assigned to your user account or to a group to which you belong, are equivalent. This means that, in the end, an ACE applies to you, the user. The best practice is to manage permissions by assigning them to groups, but it is also possible to assign ACEs to individual users or computers. A permission that has been assigned directly to you, the user, is neither more important nor less important than a permission assigned to a group to which you belong.

Allow permissions, which allow access, are cumulative. When you belong to several groups, and those groups have been granted permissions that allow a variety of tasks, you will be able to perform all of the tasks assigned to all of those groups, and tasks assigned directly to your user account.

Deny permissions, which deny access, override equivalent Allow permissions. If you are in one group that has been allowed the permission to reset passwords, and another group that has been denied permission to reset passwords, the Deny permission prevents you from resetting passwords.


Note: Use Deny permissions rarely. In fact, it is unnecessary to assign Deny permissions, because if you do not assign an Allow permission, users cannot perform the task. Before assigning a Deny permission, check to see if you could achieve your goal by removing an Allow permission instead. For example, if you want to delegate an Allow permission to a group, but exempt only one member from that group, you can use a Deny permission on that specific user account while the group still has an Allow permission. Each permission is granular. Even if you have been denied the ability to reset passwords, you may still have the ability, through other Allow permissions, to change the user's logon name or email address. In this lesson, you learned that child objects inherit the inheritable permissions of parent objects by default, and that explicit permissions can override inheritable permissions. This means that an explicit Allow permission will actually override an inherited Deny permission. Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can make evaluating effective permissions tedious. You can use the permissions reported by the DSACLS command or on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating effective permissions, but it is still a manual task.
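A helper for the manual evaluation described in the DSACLS note and in the Allow/Deny discussion above, as an added example (not course code): it lists every ACE on an AD DS object that applies to one user, directly or through group membership, and labels each as Explicit or Inherited and Allow or Deny, which is the order the rules above say to read them in. It does not compute the final effective permission. Assumed: user 'amy' and OU=Employees,DC=adatum,DC=com; tokenGroups is assumed readable through Get-ADUser.

```powershell
# Added example (not from the course): ACEs on an object that apply to one user and their groups.
Import-Module ActiveDirectory

function Get-ApplicableAces {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # tokenGroups is a constructed attribute with the SIDs of all groups the user belongs to,
    # nested groups included (assumption: readable via Get-ADUser in this domain).
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @{}
    $sids[$user.SID.Value] = $true
    foreach ($g in $user.tokenGroups) { $sids[$g.Value] = $true }
    # Every authenticated domain user also carries these identities at logon.
    $sids['S-1-1-0']  = $true   # Everyone
    $sids['S-1-5-11'] = $true   # Authenticated Users

    (Get-Acl -Path "AD:\$ObjectDN").Access | ForEach-Object {
        $ace = $_
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable principal: already a raw SID string
        }
        if ($sids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal  = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType                           # Allow or Deny
                Source     = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
                Rights     = $ace.ActiveDirectoryRights
                # ObjectType of all zeros means the whole object; otherwise it is the GUID of a
                # property, property set (such as phone and email options), or object class.
                ObjectType = $ace.ObjectType
                AppliesTo  = $ace.InheritanceType
            }
        }
    } | Sort-Object @{ Expression = 'Type'; Descending = $true }, Source
}

# Deny rows come first, then Explicit before Inherited: a Deny overrides an equivalent Allow,
# and an explicit ACE overrides an inherited one, so reading top-down follows the precedence.
Get-ApplicableAces -ObjectDN 'OU=Employees,DC=adatum,DC=com' -SamAccountName 'amy' |
    Format-Table -AutoSize
```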

Demonstration: Delegating Administrative Control


In this demonstration, you will see how to:
1. Delegate a standard task.
2. Delegate a custom task.
3. View AD DS permissions resulting from these delegations.

Demonstration Steps

Delegate a standard task

1. Open Active Directory Users and Computers.
2. Use the Delegate Control Wizard to grant the IT group the following standard management tasks on the IT OU:
   o Create, delete, and manage user accounts
   o Reset user passwords and force password change at next logon
   o Read all user information

Delegate a custom task


Use the Delegate Control Wizard to grant the following permissions on the IT OU to the IT group:
   o Full Control on computer objects
   o Create computer objects
   o Delete computer objects

View AD DS permissions resulting from these delegations


1. Enable the Advanced Features view in Active Directory Users and Computers.
2. View the Properties of the IT OU.
3. Use the Security tab to verify the assigned permissions. Close all open windows.


Lab: Managing Active Directory Domain Services Objects


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum for several years as a desktop-support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office. To begin deployment of the new branch office you are preparing AD DS objects. As part of this preparation, you need to create an OU for the branch office and delegate permission to manage it. Then you need to create users and groups for the new branch office. Finally, you need to reset the secure channel for a computer account that has lost connectivity to the domain in the branch office.

Objectives
After completing this lab, you will be able to:
- Delegate administration for a branch office.
- Create and configure user accounts in AD DS.
- Manage computer objects in AD DS.

Lab Setup
Estimated time: 60 minutes

| Virtual Machines | 20410A-LON-DC1, 20410A-LON-CL1 |
| --- | --- |
| User name | Administrator |
| Password | Pa$$w0rd |

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, from Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Administrator
   b. Password: Pa$$w0rd
   c. Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-CL1.


Exercise 1: Delegating Administration for a Branch Office


Scenario
A. Datum delegates management of each branch office to a specific group. This allows an employee who works onsite to be configured as an administrator when required. Each branch office has a branch administrators group that is able to perform full administration within the branch office organizational unit. There is also a branch office help desk group that is able to manage users in the branch office organizational unit, but not other objects. You need to create these groups for the new branch office and delegate permissions to the groups.

The main tasks for this exercise are as follows:
1. Delegate administration for Branch Administrators.
2. Delegate a user administrator for the Branch Office Help Desk.
3. Add a member to the Branch Administrators.
4. Add a member to the Branch Help Desk group.

Task 1: Delegate administration for Branch Administrators
1. On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit in the Adatum.com domain called Branch Office 1.
2. Create the following global security groups in the Branch Office 1 organizational unit:
   o Branch 1 Help Desk
   o Branch 1 Administrators
   o Branch 1 Users
3. Move Holly Dickson from the IT organizational unit to the Branch Office 1 organizational unit.
4. Move the following users to the Branch Office 1 organizational unit:
   o Development\Duncan Bart
   o Managers\Ed Meadows
   o Marketing\Connie Vrettos
   o Research\Barbara Zighetti
   o Sales\Arlene Huff
5. Move the LON-CL1 computer to the Branch Office 1 organizational unit, and then restart the computer.
6. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
7. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 organizational unit to the Branch 1 Administrators security group.
8. Delegate the following common tasks:
   o Create, delete, and manage user accounts
   o Reset user passwords and force password change at next logon
   o Read all user information
   o Create, delete and manage groups
   o Modify the membership of a group
   o Manage Group Policy links
9. Delegate the following custom tasks:
   o Create and delete computer objects in the current OU
   o Full control of computer objects in the current OU

Task 2: Delegate a user administrator for the Branch Office Help Desk
1. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 organizational unit to the Branch 1 Help Desk security group.
2. Delegate the following common tasks:
   o Reset user passwords and force password change at next logon
   o Read all user information
   o Modify the membership of a group

Task 3: Add a member to the Branch Administrators
1. Add Holly Dickson to the Branch 1 Administrators global group.
2. Add the Branch 1 Administrators global group to the Server Operators domain local group.
3. Log off LON-DC1. Log on as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a domain controller because Holly belongs, indirectly, to the Server Operators domain local group.
4. From Server Manager, open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.
5. Attempt to delete Sales\Aaren Ekelund. You are unsuccessful because you lack the required permissions.
6. Try to delete Branch Office 1\Ed Meadows. You are successful because you have the required permissions.

Task 4: Add a member to the Branch Help Desk group
1. Add Bart Duncan to the Branch 1 Help Desk global group.
2. Close Active Directory Users and Computers, and then close Server Manager.
3. Open Server Manager, and then open Active Directory Users and Computers. In the User Account Control dialog box, specify Adatum\Administrator and Pa$$w0rd as the required credentials. To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.
4. Add the Branch 1 Help Desk global group to the Server Operators domain local group.
5. Log off LON-DC1. Log on as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.
6. Open Server Manager, and then open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.
7. Try to delete Branch Office 1\Connie Vrettos. You are unsuccessful because you lack the required permissions.
8. Reset Connie's password to Pa$$w0rd. You are successful.
9. Log off LON-DC1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.


Results: After this exercise, you should have successfully created the necessary OU and delegated administration of it to the appropriate group.

Exercise 2: Creating and Configuring User Accounts in AD DS


Scenario
You have been given a list of new users for the branch office, and you need to begin creating them.

The main tasks for this exercise are as follows:
1. Create a template user for the branch office.
2. Configure the template's settings.
3. Create a new user for the branch office, based on the template.
4. Log on as a user to test account settings.

Task 1: Create a template user for the branch office


1. On LON-DC1, create a folder called C:\branch1-userdata, and then share it.
2. Modify the shared folder permissions so that the Everyone group has Full Control Allow permissions.
3. From Server Manager, open Active Directory Users and Computers and create a new user with the following properties in the Branch Office 1 organizational unit:
   o Full name: _Branch_template
   o User logon name: _Branch_template
   o Password: Pa$$w0rd
   o Account is disabled

Task 2: Configure the template's settings
- Modify the following properties of the _Branch_template account:
   o City: Slough
   o Group: Branch 1 Users
   o Home folder: \\lon-dc1\branch1-userdata\%username%

Task 3: Create a new user for the branch office, based on the template
1. Copy the _Branch_template user account, and configure the following properties:
   o First name: Ed
   o Last name: Meadows
   o Password: Pa$$w0rd
   o User must change password at next logon is cleared.
   o Account is disabled is cleared.
2. Verify that the following properties have been copied during account creation:
   o City: Slough
   o Home folder path: \\lon-dc1\branch1-userdata\Ed
   o Group: Branch 1 Users
3. Log off from LON-DC1.

Task 4: Log on as a user to test account settings


1. Switch to LON-CL1 and log off.
2. Log on to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. You are able to log on successfully.
3. Verify that you have a drive mapping for Z: to Ed's home folder on LON-DC1, and then log off.

Results: After this exercise, you should have successfully created and tested a user account created from a template.

Exercise 3: Managing Computer Objects in AD DS


Scenario
A workstation has lost its connectivity to the domain and cannot properly authenticate users. When users attempt to access resources from this workstation, access is denied. You need to reset the computer account to recreate the trust relationship between the client and the domain.

The main tasks for this exercise are as follows:
1. Reset a computer account.
2. Observe the behavior when a client logs on.
3. Rejoin the domain to reconnect the computer account.

Task 1: Reset a computer account


1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.
2. Open Active Directory Users and Computers. Confirm your credentials in the User Account Control dialog box.
3. Navigate to Branch Office 1.
4. Reset the LON-CL1 computer account.

Task 2: Observe the behavior when a client logs on


- Switch to LON-CL1 and attempt to log on as Adatum\Ed with the password Pa$$w0rd. A message is displayed that explains that "The trust relationship between this workstation and the primary domain failed." Click OK to acknowledge the message.

Task 3: Rejoin the domain to reconnect the computer account


1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open Control Panel. Switch to Large icons view, and then open System.
3. View the Advanced system settings, and then select the Computer Name tab.
4. Use the Network ID button to rejoin the computer to the domain. Complete the wizard to rejoin the computer to the domain. Use the following to help complete the wizard:
   o User name: administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
   o Do you want to enable a domain user account on this computer: No
5. Restart the computer when prompted.
6. Log on as Adatum\Ed with the password Pa$$w0rd. You are successful because the computer has been successfully rejoined.

Results: After this exercise, you should have successfully reset the trust relationship.

Prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-DC1.


Module Review and Takeaways


Review Questions
Question: Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How can you provide these members with access to printers on various domains that are managed by using domain local groups?

Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?

Question: What is the main difference between the Computers container and an OU?

Question: When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?

Best Practices

Best Practices for User Account Management
- Do not let users share user accounts. Always create a user account for each individual, even if that person will not be with your organization for long.
   o Educate users about the importance of password security.
   o Ensure that you choose a naming strategy for user accounts that enables you to identify the user to whom the account relates. Also ensure that your naming strategy uses unique names within your domain.

Best Practices for Group Management


- When managing access to resources, try to use both domain local groups and role groups.
   o Use Universal groups only when necessary because they add weight to replication traffic.
   o Use Windows PowerShell with the Active Directory Module for batch jobs on groups.
   o Avoid adding users to built-in and default groups.

Best Practices Related to Computer Account Management


- Always provision a computer account before joining computers to a domain, and then place them in appropriate OUs.
   o Redirect the default Computers container to another location.
   o Reset the computer account, instead of disjoining and rejoining.
   o Integrate the Offline Domain Join functionality with unattended installations.

Real-world Issues and Scenarios


1. A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?
2. You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server-based infrastructure. You have to find a method for joining new Windows 8-based computers to a domain during the installation process, without intervention of a user or an administrator.


Tools
| Tool | Use | Where to find it |
| --- | --- | --- |
| Active Directory Users and Computers | Manage groups | Administrative Tools |
| Windows PowerShell with Active Directory Module | Manage groups | Installed as Windows Feature |
| DS utilities | Manage groups | Command line |
| Windows PowerShell with Active Directory Module | Computer account management | Administrative Tools |
| Djoin.exe | Offline domain join | Command line |
| Redircmp.exe | Change default computer container | Command line |
| DSACLS | View and modify AD DS permissions | Command line |


Module 4
Automating Active Directory Domain Services Administration
Contents:
Module Overview 4-1
Lesson 1: Using Command-line Tools for Administration 4-2
Lesson 2: Using Windows PowerShell for Administration 4-7
Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13
Lab: Automating AD DS Administration by Using Windows PowerShell 4-20
Module Review and Takeaways 4-24

Module Overview
You can use command-line tools and Windows PowerShell to automate Active Directory Domain Services (AD DS) administration. Automating administration speeds up processes that you might otherwise perform manually. Windows PowerShell includes cmdlets for performing AD DS administration and for performing bulk operations. You can use bulk operations to change many AD DS objects in a single step rather than updating each object manually.

Objectives
After completing this module, you will be able to:
- Use command-line tools for AD DS administration.
- Use Windows PowerShell cmdlets for AD DS administration.
- Perform bulk operations by using Windows PowerShell.


Lesson 1

Using Command-line Tools for Administration

Windows Server 2012 includes several command-line tools that you can use to perform AD DS administration. Many organizations create scripts that use command-line tools to automate the creation and management of AD DS objects such as user accounts and groups. You must understand how to use these command-line tools to ensure that, if required, you can modify the scripts that your organization uses.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe the benefits of using command-line tools for AD DS administration.
- Describe how and when to use csvde.
- Describe how and when to use ldifde.
- Describe how and when to use DS commands.

Benefits of Using Command-Line Tools for Administration

Many administrators prefer to use graphical tools, such as Active Directory Users and Computers, for AD DS administration whenever possible. Graphical tools are intuitive to use because they visually represent information and provide options in the form of radio buttons and dialog boxes. When information is represented graphically, you do not need to memorize syntax. Graphical tools work well in many situations, but they cannot be automated. To automate AD DS administration, you need command-line tools. Command-line tools can be used in scripts, or they can be used by other applications. Some benefits of using command-line tools are:
- Faster implementation of bulk operations. For example, you can export a list of new user accounts from a human resources application. You use a command-line tool or script to create the new user accounts based on the exported information. This is much faster than manually creating each new user account individually.
- Customized processes for AD DS administration. You can use a customized graphical program to gather information about a new group, and then create the new group. When the information is gathered, the graphical program can verify that the information format, such as the naming convention, is correct. Then, the graphical program uses a command-line tool to create the new group. This process allows company-specific rules to be enforced.
- AD DS administration on Server Core. Server Core cannot run graphical administration tools such as Active Directory Users and Computers. However, you can use command-line tools on Server Core.

Note: Server Core can be administered remotely by using graphical tools.


What Is Csvde?

Csvde is a command-line tool that exports or imports Active Directory objects to or from a comma-separated values (.csv) file. Many applications are capable of exporting or importing data from .csv files. This makes csvde useful for interoperability with other applications, such as databases or spreadsheets. The main limitation of csvde is that it cannot modify existing Active Directory objects; it can only create new objects. For example, you can use csvde to create a set of new user accounts, but you cannot use it to modify the properties of the user accounts after they are created. You can also use csvde to export object properties. For example, you can use csvde to export a list of users and their email addresses.

Export Objects by Using csvde

To export objects by using csvde, as a minimum, you need to specify the filename of the .csv file to which data will be exported. With only the filename specified, all objects in the domain will be exported. The basic syntax to use csvde for export is:

csvde -f filename

Other options that you can use with csvde are listed in the following table.

| Option | Description |
| --- | --- |
| -d RootDN | Specifies the distinguished name of the container from which the export will begin. The default is the domain. |
| -p SearchScope | Specifies the scope of the search relative to the container specified by the -d option. The SearchScope option can be either base (this object only), onelevel (objects within this container), or subtree (this container and all subcontainers). The default is subtree. |
| -r Filter | Limits the objects returned to those that match the filter. The filter is based on Lightweight Directory Access Protocol (LDAP) query syntax. |
| -l ListOfAttributes | Specifies the attributes to be exported. Use the LDAP name for each attribute, and separate them with commas. |

After the export completes, the .csv file will contain a header row and one row for each object that was exported. The header row is a comma-separated list with the names of the attributes for each object.

Create Objects by Using csvde

The basic syntax for using csvde to create objects is:

csvde -i -f filename -k

The -i parameter specifies import mode. The -f parameter identifies the file name from which to import. The -k parameter instructs csvde to ignore error messages, including the Object Already Exists error message. The suppress errors option is useful when importing objects to ensure that all of the objects possible are created, instead of stopping when partially complete.

The .csv file that is being used for an import must have a header row that contains the names of LDAP attributes for the data in the .csv file. Each row must contain exactly the correct number of items as specified in the header row.

You cannot use csvde to import passwords, because passwords in a .csv file are not protected. As a result, user accounts created by csvde have a blank password and are disabled.

Note: For more information about parameters for csvde, at a command prompt, type csvde /?, and then press Enter.

Additional Reading: For more information about LDAP query syntax, see http://go.microsoft.com/fwlink/?LinkId=168752.
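The export and import sections above describe the header-row format and the password limitation of csvde; the following is an added example (not from the course) that runs both steps end to end and then finishes the part csvde cannot do. It assumes a domain controller for adatum.com with the Active Directory module installed; the OU is the course's Managers OU, and the two import rows are constructed sample data.

```powershell
# Added example: csvde export, csvde import from an HR-style extract, then
# password and enable handling for the accounts csvde leaves disabled.
# Assumptions: run on a DC for adatum.com; csvde.exe and the ActiveDirectory
# module are available; C:\temp exists.
Import-Module ActiveDirectory

$ou = 'OU=Managers,DC=adatum,DC=com'

# 1) Export only user objects under the OU (-d scope, -r LDAP filter) and only
#    the attributes named with -l, using their LDAP names separated by commas.
csvde -f 'C:\temp\managers-export.csv' -d $ou -r '(objectClass=user)' -l 'sAMAccountName,mail'

# 2) Build an import file. The header row must use LDAP attribute names, and
#    each row needs a DN and an objectClass; values with commas are quoted.
#    The two users below are constructed for this example.
$importFile = 'C:\temp\new-managers.csv'
@"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName
"CN=Joe Healy,$ou",user,joe.healy,joe.healy@adatum.com,Joe,Healy,"Healy, Joe"
"CN=Ann Beebe,$ou",user,ann.beebe,ann.beebe@adatum.com,Ann,Beebe,"Beebe, Ann"
"@ | Set-Content -Path $importFile -Encoding Ascii

# -i import mode, -f file, -k continue past errors such as Object Already
# Exists so that a rerun creates whatever is still missing.
csvde -i -f $importFile -k

# 3) csvde cannot carry passwords, so every new account is disabled with a
#    blank password. Set one from a secure-string prompt (never from the file),
#    force a change at first logon, and only then enable the account.
$password = Read-Host -AsSecureString 'Initial password for the imported accounts'
Import-Csv -Path $importFile | ForEach-Object {
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $password -Reset
    Set-ADUser -Identity $_.sAMAccountName -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $_.sAMAccountName
}
```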

What Is Ldifde?

Ldifde is a command-line tool that you can use to export, create, modify, or delete AD DS objects. Like csvde, ldifde uses data that is stored in a file. The file must be in LDAP Data Interchange Format (LDIF). Most applications cannot export or import data in LDIF format. It is more likely that you can obtain data in LDIF format from another directory service.

An LDIF file is text-based, with blocks of lines composing a single operation such as creating or modifying a user object. Each line within the operation specifies something about the operation, such as an attribute or the type of operation. A blank line separates multiple operations within the LDIF file. The following is an example of an LDIF file that creates a single user.

dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: bonnie.kearney@adatum.com
mail: bonnie.kearney@adatum.com


For each operation in an LDIF file, the changetype line defines the operation to be performed. The valid values are add, modify, or delete.
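The text names three changetype values but shows only add; the following added example (not from the course) writes one LDIF file that carries a modify, an add, and a delete, and imports it with ldifde. It reuses the Bonnie Kearney DN from the sample above; the new title, the ProjectX group, and the Old Group object are constructed values, and the script is assumed to run on a domain controller for adatum.com.

```powershell
# Added example: an LDIF file with modify, add, and delete operations, imported
# with ldifde. Assumptions: DC for adatum.com, rights to change these objects,
# C:\temp exists. The group and the deleted object are constructed examples.
$ldifFile = 'C:\temp\changes.ldf'
$dn = 'CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=adatum,DC=com'

# modify: each attribute change is terminated by a line holding only "-".
# add:    a global security group (groupType -2147483646) with one member.
# delete: only the DN and the changetype are needed.
# A blank line separates the operations.
@"
dn: $dn
changetype: modify
replace: title
title: Operations Manager
-
replace: description
description: Operations (London), team lead
-

dn: CN=ProjectX,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: add
objectClass: group
sAMAccountName: ProjectX
groupType: -2147483646
member: $dn

dn: CN=Old Group,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: delete
"@ | Set-Content -Path $ldifFile -Encoding Ascii

# -i import, -f file, -k continue past per-object errors (for example, if the
# object to delete is already gone), -j folder for ldif.log and ldif.err.
ldifde -i -f $ldifFile -k -j 'C:\temp'

# Confirm the modify operation landed before trusting the import log alone.
Get-ADUser -Identity 'bonnie.kearney' -Properties title, description |
    Select-Object Name, title, description
```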

Export Objects by Using ldifde

When using ldifde to export objects, the minimum information you must provide is a filename to hold the data. When no other options are selected, all objects in the domain are exported. The basic syntax for exporting objects by using ldifde is:

ldifde -f filename

Some other options you can use when exporting objects with ldifde are listed in the following table.

| Option | Description |
| --- | --- |
| -d RootDN | The root of the LDAP search. The default is the root of the domain. |
| -r Filter | An LDAP search filter that limits the results returned. |
| -p SearchScope | The scope, or depth, of the search. This can be: base (this object only), onelevel (the objects within this container), or subtree (this container and all subcontainers). |
| -l ListOfAttributes | A comma-separated list of attributes to include in the export. |
| -o ListOfAttributes | A comma-separated list of attributes to exclude from the export. |

Import Objects by Using ldifde

When you use ldifde to import objects, you must specify the operation to perform on the object. For each operation in an LDIF file, the changetype line defines the operation to be performed. The basic syntax for using ldifde to import objects is:

ldifde -i -f filename -k

The -i parameter specifies import mode. The -f parameter identifies the file name to import from. The -k parameter instructs ldifde to ignore errors, including the Object Already Exists error. The suppress errors option is useful when importing objects to ensure that all objects possible are created instead of stopping when partially complete.

You cannot use ldifde to import passwords, because passwords in an LDIF file would not be secure. As a result, user accounts created by ldifde have a blank password and are disabled.


What Are DS Commands?

Windows Server 2012 includes command-line tools called DS commands, which are suitable for use in scripts. You can use DS command-line tools to create, view, modify, and remove AD DS objects. The following table describes DS command-line tools.

| Tool | Description |
| --- | --- |
| DSadd | Creates AD DS objects. |
| DSget | Displays properties of AD DS objects. |
| DSquery | Searches for AD DS objects. |
| DSmod | Modifies AD DS objects. |
| DSrm | Removes AD DS objects. |
| DSmove | Moves AD DS objects. |

User Management Command Examples

The following are examples of commands that you could type at a command prompt. The distinguished name contains spaces, so it is quoted.

To modify the department of a user account, type:

dsmod user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -dept IT

To display the email of a user account, type:

dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -email

To delete a user account, type:

dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

To create a new user account, type:

dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
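The commands above each act on one object named on the command line; in scripts the DS commands are usually chained, with dsquery producing distinguished names that dsget and dsmod read from standard input. The following is an added example (not from the course) of that pattern against the Managers OU used above; the four-week inactivity threshold is a constructed value.

```powershell
# Added example: chaining DS commands. dsquery writes one distinguished name per
# line, and dsget/dsmod consume those names from standard input. Works from a
# PowerShell or cmd.exe prompt on a domain member with the tools installed.
$ou = 'ou=Managers,dc=adatum,dc=com'

# Report logon name and e-mail for every user in the OU. -limit 0 removes the
# default cap of 100 results, which otherwise silently truncates the export.
dsquery user $ou -limit 0 | dsget user -samid -email

# Set the department for every user in the OU in one pass (the single-object
# form of this command is shown in the text above).
dsquery user $ou -limit 0 | dsmod user -dept IT

# Review before acting: list accounts with no logon in the last four weeks and
# whether each is already disabled, rather than disabling them blindly.
dsquery user $ou -inactive 4 | dsget user -samid -disabled
```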

Question: What criteria wo ould you use to o select betwe een using csvd de, ldifde, and d the DS commands?


Lesson 2

Using Windows PowerShell for Administration

Windows PowerShell is the preferred scripting environment in Windows Server 2012. It is much easier to use than previous scripting languages such as Microsoft Visual Basic Scripting Edition (VBScript). Windows PowerShell includes an extensive list of cmdlets to manage AD DS objects. Cmdlets can be used to create, modify, and remove user accounts, groups, computer accounts, and organizational units.

Lesson Objectives

After completing this lesson, you will be able to:
- Use Windows PowerShell cmdlets to manage user accounts.
- Use Windows PowerShell cmdlets to manage groups.
- Use Windows PowerShell cmdlets to manage computer accounts.
- Use Windows PowerShell cmdlets to manage organizational units (OUs).

Using Windows PowerShell Cmdlets to Manage Users

You can use Windows PowerShell cmdlets to create, modify, and delete user accounts. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing user accounts are in the following table.

| Cmdlet | Description |
| --- | --- |
| New-ADUser | Creates user accounts. |
| Set-ADUser | Modifies properties of user accounts. |
| Remove-ADUser | Deletes user accounts. |
| Set-ADAccountPassword | Resets the password of a user account. |
| Set-ADAccountExpiration | Modifies the expiration date of a user account. |
| Unlock-ADAccount | Unlocks a user account when it is locked after exceeding the accepted number of incorrect login attempts. |
| Enable-ADAccount | Enables a user account. |
| Disable-ADAccount | Disables a user account. |


Create New User Accounts


When you use the New-ADUser cmdlet to create new user accounts, you can set most user properties, including a password. For example:
- If you do not use the AccountPassword parameter, no password is set and the user account is disabled. The Enabled parameter cannot be set as $true when no password is set.
- If you use the AccountPassword parameter to specify a password, then you must specify a variable that contains the password as a secure string, or choose to be prompted for the password. A secure string is encrypted in memory.
- If you set a password, then you can enable the user account by setting the Enabled parameter as $true.

Some commonly used parameters for the New-ADUser cmdlet are listed in the following table.

| Parameter | Description |
| --- | --- |
| AccountExpirationDate | Defines the expiration date for the user account. |
| AccountPassword | Defines the password for the user account. |
| ChangePasswordAtLogon | Requires the user account to change passwords at the next logon. |
| Department | Defines the department for the user account. |
| Enabled | Defines whether the user account is enabled or disabled. |
| HomeDirectory | Defines the location of the home directory for a user account. |
| HomeDrive | Defines the drive letter that is mapped to the home directory for a user account. |
| GivenName | Defines the first name for a user account. |
| Surname | Defines the last name for a user account. |
| Path | Defines the OU or container where the user account will be created. |

The following is a command you could use to create a user account with a prompt for a password:

New-ADUser "Joe Healy" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT
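The following is an added example (not from the course) that uses the parameters in the table to create an enabled account in one call, and then shows the failure the text describes when Enabled is $true without a password. It assumes a domain controller for adatum.com with the Active Directory module; the OU, department, and the \\lon-dc1\branch1-userdata share come from the course, and the six-month expiry is a constructed value.

```powershell
# Added example: New-ADUser with the documented parameters, the secure-string
# password prompt, and the no-password/Enabled interaction.
# Assumptions: DC for adatum.com, ActiveDirectory module, the share exists.
Import-Module ActiveDirectory

$params = @{
    Name                  = 'Joe Healy'
    GivenName             = 'Joe'
    Surname               = 'Healy'
    SamAccountName        = 'joe.healy'
    UserPrincipalName     = 'joe.healy@adatum.com'
    Path                  = 'OU=Managers,DC=adatum,DC=com'
    Department            = 'IT'
    HomeDirectory         = '\\lon-dc1\branch1-userdata\joe.healy'
    HomeDrive             = 'Z:'
    AccountExpirationDate = (Get-Date).AddMonths(6)   # constructed value
    # Read as a secure string: encrypted in memory, absent from the script
    # text and the command history.
    AccountPassword       = (Read-Host -AsSecureString 'Password for joe.healy')
    ChangePasswordAtLogon = $true
    Enabled               = $true                      # allowed because a password is set
}
New-ADUser @params

# Failure mode from the text: with no AccountPassword the account has no
# password, and an account without a password cannot be enabled.
try {
    New-ADUser -Name 'No Password' -SamAccountName 'nopassword' -Enabled $true -ErrorAction Stop
} catch {
    Write-Warning "Enabled without AccountPassword failed as expected: $($_.Exception.Message)"
}

# Verify what was actually created rather than assuming the call succeeded.
Get-ADUser -Identity 'joe.healy' -Properties Enabled, Department, HomeDirectory, AccountExpirationDate |
    Select-Object SamAccountName, Enabled, Department, HomeDirectory, AccountExpirationDate
```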

Question: Are the parameters for all cmdlets that you use to manage user accounts the same?


Using Windows PowerShell Cmdlets to Manage Groups

You can use Windows PowerShell to create, modify, and delete groups. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing groups are listed in the following table.

| Cmdlet | Description |
| --- | --- |
| New-ADGroup | Creates new groups. |
| Set-ADGroup | Modifies properties of groups. |
| Get-ADGroup | Displays properties of groups. |
| Remove-ADGroup | Deletes groups. |
| Add-ADGroupMember | Adds members to groups. |
| Get-ADGroupMember | Displays membership of groups. |
| Remove-ADGroupMember | Removes members from groups. |
| Add-ADPrincipalGroupMembership | Adds group membership to objects. |
| Get-ADPrincipalGroupMembership | Displays group membership of objects. |
| Remove-ADPrincipalGroupMembership | Removes group membership from an object. |

Create New Groups

You can use the New-ADGroup cmdlet to create groups. However, when you create groups using the New-ADGroup cmdlet, you must use the GroupScope parameter in addition to the group name. This is the only required parameter. The following table lists commonly used parameters for New-ADGroup.

| Parameter | Description |
| --- | --- |
| Name | Defines the name of the group. |
| GroupScope | Defines the scope of the group as DomainLocal, Global, or Universal. You must provide this parameter. |
| DisplayName | Defines the LDAP display name for the object. |
| GroupCategory | Defines whether it is a security group or a distribution group. If you do not specify either, a security group is created. |
| ManagedBy | Defines a user or group that can manage the group. |
| Path | Defines the OU or container in which the group is created. |
| SamAccountName | Defines a name that is backward compatible with older operating systems. |

The following command is an example of what you could type at a Windows PowerShell prompt to create a new group:

New-ADGroup -Name CustomerManagement -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

Manage Group Membership


There are two sets of cmdlets that you can use to manage group membership: *-ADGroupMember and *-ADPrincipalGroupMembership. The distinction between the two sets is the perspective from which group membership is modified:

The *-ADGroupMember cmdlets modify the membership of a group. For example, you add or remove members of a group.
  o You cannot pipe a list of members to these cmdlets; the members are passed with the Members parameter.
  o You can pipe a list of groups to these cmdlets, because the Identity parameter accepts pipeline input.

The *-ADPrincipalGroupMembership cmdlets modify the group membership of an object such as a user. For example, you can modify a user account to add it as a member of a group.
  o You can pipe a list of members to these cmdlets, because the Identity parameter accepts pipeline input.
  o You cannot pipe a list of groups to these cmdlets; the groups are passed with the MemberOf parameter.

Note: When you pipe a list of objects to a cmdlet, each object in the list is passed in turn to the cmdlet as its input. More information about how to pipe a list of objects is covered in Lesson 3: Performing Bulk Operations with Windows PowerShell.

The following is a command you could use to add a member to a group:
Add-ADGroupMember CustomerManagement -Members "Joe Healy"
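The following script is an added example, not part of the course materials, that puts the group cmdlets above together: it creates the group, adds members from both perspectives, and then audits the resulting membership. It assumes the ActiveDirectory module, the adatum.com lab domain, an existing OU ou=managers,dc=adatum,dc=com, and existing user accounts with the SAM account names Joe and Ann; the Sales department filter is also an assumption.

```powershell
# Added example (not 20410A course code): create a global security group and
# manage its membership from the group side and from the user side.
# Assumptions: adatum.com lab domain, OU ou=managers,dc=adatum,dc=com exists,
# users with SamAccountName Joe and Ann exist.
Import-Module ActiveDirectory

$ou = "ou=managers,dc=adatum,dc=com"

# Name and GroupScope are the only mandatory parameters; GroupCategory
# defaults to Security when it is omitted.
New-ADGroup -Name "CustomerManagement" -SamAccountName "CustomerManagement" `
    -GroupScope Global -GroupCategory Security -Path $ou `
    -Description "Customer management staff"

# Group perspective: the Members parameter takes a list, so several accounts
# are added in a single call.
Add-ADGroupMember -Identity "CustomerManagement" -Members "Joe", "Ann"

# Object perspective: the users come down the pipeline (Identity) and the
# MemberOf parameter names the group(s) to join.
Get-ADUser -Filter 'Department -eq "Sales"' |
    Add-ADPrincipalGroupMembership -MemberOf "CustomerManagement"

# Verify. -Recursive expands nested groups, which is what matters when you
# audit who actually holds the rights that a group grants.
Get-ADGroupMember -Identity "CustomerManagement" -Recursive |
    Select-Object Name, SamAccountName, objectClass

# The same recursive listing is the check to run regularly against
# privileged groups, where an unexpected nested group is a finding.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The Members parameter of Add-ADGroupMember accepts a distinguished name, GUID, SID, or SAM account name for each member, so the same script works whether the list comes from a query, a text file, or a .csv file.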

Using Windows PowerShell Cmdlets to Manage Computer Accounts


You can use Windows PowerShell to create, modify, and delete computer accounts. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing computer accounts are listed in the following table.

Cmdlet                           Description
New-ADComputer                   Creates a new computer account.
Set-ADComputer                   Modifies properties of a computer account.
Get-ADComputer                   Displays properties of a computer account.
Remove-ADComputer                Deletes a computer account.
Test-ComputerSecureChannel       Verifies or repairs the trust relationship between a computer and the domain.
Reset-ComputerMachinePassword    Resets the password for a computer account.

Create New Computer Accounts


You can use the New-ADComputer cmdlet to create a new computer account before the computer is joined to the domain. You do this so that you can create the computer account in the correct OU before deploying the computer, which ensures that the computer receives the Group Policy settings for that OU as soon as it joins. The following table lists commonly used parameters for New-ADComputer.

Parameter    Description
Name         Defines the name of the computer account.
Path         Defines the OU or container where the computer account will be created.
Enabled      Defines whether the computer account is enabled or disabled. By default, the computer account is enabled and a random password is generated.

The following is an example that you can use to create a computer account:
New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Repair the Trust Relationship for a Computer Account


You can use the Test-ComputerSecureChannel cmdlet with the -Repair parameter to repair a lost trust relationship between a computer and the domain. You must run the cmdlet on the computer with the lost trust relationship. Because domain logons fail while the trust is broken, you typically log on to that computer with a local administrator account and supply the -Credential parameter with a domain account that has permission to reset the computer account's password. Without -Repair, the cmdlet only tests the secure channel and returns $true or $false. The following is a command that you could use to repair the trust relationship for a computer account:
Test-ComputerSecureChannel -Repair
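The following script is an added example, not part of the course materials, that covers the two halves of this topic: pre-staging a computer account in the right OU on the domain controller, and testing and repairing the secure channel on the computer itself. It assumes the adatum.com lab domain and an existing OU ou=marketing,dc=adatum,dc=com.

```powershell
# Added example (not 20410A course code).
# Assumptions: adatum.com lab domain; OU ou=marketing,dc=adatum,dc=com exists.
Import-Module ActiveDirectory

# Part 1, run on the domain controller: create the account before the
# computer joins, so it lands in the OU whose Group Policy it should receive.
New-ADComputer -Name "LON-SVR8" -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

# Confirm where it landed and that it is enabled.
Get-ADComputer -Identity "LON-SVR8" -Properties Enabled, Created |
    Select-Object Name, DistinguishedName, Enabled, Created

# Part 2, run on the computer when domain logons fail with a trust
# relationship error. Test first: the cmdlet returns $true or $false.
if (-not (Test-ComputerSecureChannel -Verbose)) {
    # Repair resets the computer account password in the domain, so it needs
    # a domain account allowed to do that. Prompt for it rather than
    # embedding a password in the script.
    $cred = Get-Credential -Message "Domain account with rights to reset the computer account"
    Test-ComputerSecureChannel -Repair -Credential $cred
}
```

Run Part 1 and Part 2 on different machines; Part 2 is the only one that must run on the affected computer, logged on with a local account.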

Using Windows PowerShell Cmdlets to Manage OUs


You can use Windows PowerShell to create, modify, and delete OUs. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing OUs are listed in the following table.

Cmdlet                          Description
New-ADOrganizationalUnit        Creates OUs.
Set-ADOrganizationalUnit        Modifies properties of OUs.
Get-ADOrganizationalUnit        Displays properties of OUs.
Remove-ADOrganizationalUnit     Deletes OUs.

Create New OUs


You can use the New-ADOrganizationalUnit cmdlet to create a new OU to represent departments or physical locations within your organization. The following table shows commonly used parameters for the New-ADOrganizationalUnit cmdlet.

Parameter                          Description
Name                               Defines the name of the new OU.
Path                               Defines the location of the new OU.
ProtectedFromAccidentalDeletion    Prevents the OU from being deleted accidentally. The default value is $true.

The following is an example you can use when you want to create a new organizational unit:
New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true
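The following script is an added example, not part of the course materials, that shows what the ProtectedFromAccidentalDeletion parameter actually does: a protected OU cannot be removed, even by an administrator, until the flag is cleared. It assumes the adatum.com lab domain and an existing OU ou=marketing,dc=adatum,dc=com.

```powershell
# Added example (not 20410A course code).
# Assumptions: adatum.com lab domain; OU ou=marketing,dc=adatum,dc=com exists.
Import-Module ActiveDirectory

$parent = "ou=marketing,dc=adatum,dc=com"
New-ADOrganizationalUnit -Name "Sales" -Path $parent -ProtectedFromAccidentalDeletion $true
$sales = "ou=Sales,$parent"

# The flag is implemented as a Deny ACE for Delete and Delete Subtree on the
# object, so this delete fails even when run as a domain administrator.
try {
    Remove-ADOrganizationalUnit -Identity $sales -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete blocked as expected: $($_.Exception.Message)"
}

# Deliberate removal is a two-step action, which is the point of the protection.
Set-ADOrganizationalUnit -Identity $sales -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $sales -Confirm:$false

# Audit check: list any OUs in the domain that are not protected.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

The audit query at the end is worth running after any bulk OU creation, because a script that passes -ProtectedFromAccidentalDeletion $false, or an older tool that does not set the flag at all, leaves the OU and everything under it one mistaken click away from deletion.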

Question: In the slide example, is the ProtectedFromAccidentalDeletion parameter required?

Lesson 3

Performing Bulk Operations with Windows PowerShell


Windows PowerShell is a powerful scripting environment that you can use to perform bulk operations, which would normally be tedious to perform manually. You can also perform some bulk operations in graphical tools. To perform bulk operations by using Windows PowerShell, you must first understand how to create queries for a list of AD DS objects, and how to work with .csv files. Then you can create scripts that perform the bulk operations that you require.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe bulk operations.
- Use graphical tools to perform bulk operations.
- Query AD DS objects by using Windows PowerShell.
- Modify AD DS objects by using Windows PowerShell.
- Use .csv files.
- Modify and execute Windows PowerShell scripts to perform bulk operations.

What Are Bulk Operations?

A bulk operation is a single action that changes multiple objects. Performing a bulk operation is much faster than changing many objects individually. It may also be more accurate, because performing many individual actions increases the likelihood of making a typographical error.

You can perform bulk operations with graphical tools, at a command prompt, or by using scripts. Each method for performing bulk operations has different capabilities. For example:
- Graphical tools tend to be limited in the properties that they can modify.
- Command-line tools tend to be more flexible than graphical tools when defining queries, and they have more options for modifying object properties.
- Scripts can combine multiple command-line actions for the most complexity and flexibility.

The general process for performing bulk operations is as follows:
1. Define a query. You use the query to select the objects that you want to modify. For example, you may want to modify all user accounts in a specific OU.
2. Modify the objects defined by the query. When using graphical tools, you typically select the objects that you want to modify, and then edit the properties of those objects. When using command-line tools, you may use a list of objects or variables to identify the objects that you want to modify.


Demonstration: Using Graphical Tools to Perform Bulk Operations


You can use Active Directory Administrative Center and Active Directory Users and Computers to modify the properties of multiple objects simultaneously. To perform a bulk operation by using graphical tools, perform the following steps:
1. Perform a search or create a filter to display the objects that you want to modify.
2. Select the objects.
3. Examine the properties of the objects.
4. Modify the properties that you want to change.

In this demonstration, you will see how to:
- Create a query for all users.
- Configure the Company attribute for all users.
- Verify that the Company attribute has been modified.

Note: When you use graphical tools to modify multiple user accounts simultaneously, you are limited to modifying the properties that are displayed in the user interface.

Demonstration Steps

Create a query for all users
1. On LON-DC1, open Active Directory Administrative Center.
2. Browse to Global Search, and add the criteria Object type is user/inetOrgPerson/computer/group/organization unit.
3. Verify that the criteria that you added is for the type User, and perform the search.

Configure the Company attribute for all users
1. Select all the user accounts and modify their properties.
2. Type the Company as A. Datum.

Verify that the Company attribute has been modified
Open the properties of Adam Barr, and verify that the company is A. Datum.

Querying Objects with Windows PowerShell

In Windows PowerShell, you use the Get-* cmdlets to obtain lists of objects, such as user accounts. You can also use these cmdlets to generate queries for objects on which you can perform bulk operations. The following table lists commonly used parameters with the Get-AD* cmdlets.

Parameter        Description
SearchBase       Defines the AD DS path at which to begin searching, for example, the domain or an OU.
SearchScope      Defines at what level below the SearchBase a search should be performed. You can choose to search only in the base, one level down, or the entire subtree.
ResultSetSize    Defines how many objects to return in response to a query. To ensure that all objects are returned, you should set this to $null.
Properties       Defines which object properties to return and display. To return all properties, type an asterisk (*). You do not need to use this parameter to use a property for filtering, only to display it.

Create a Query

You can use the Filter parameter or the LDAPFilter parameter to create queries for objects with the Get-AD* cmdlets. The Filter parameter is used for queries written in Windows PowerShell Expression Language. The LDAPFilter parameter is used for queries written as LDAP query strings. Windows PowerShell Expression Language is preferred because:
- It is easier to write queries in Windows PowerShell Expression Language.
- You can use variables inside the queries.
- There is automatic conversion of variable types, when required.

The following table lists commonly used operators you can use in Windows PowerShell Expression Language.

Operator    Description
-eq         Equal to
-ne         Not equal to
-lt         Less than
-le         Less than or equal to
-gt         Greater than
-ge         Greater than or equal to
-like       Uses wildcards for pattern matching

The following is a command that you could use to show all of the properties for a user account:
Get-ADUser Administrator -Properties *

The following is a command that you could use to return all the user accounts in the Marketing OU and all of its child OUs (Get-ADUser requires a Filter, an LDAPFilter, or an Identity; -Filter * matches every object):
Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope Subtree

The following is a command that you could use to show all of the user accounts with a last logon date older than a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"}

The following is a command that you could use to show all of the user accounts in the Marketing department that have a last logon date older than a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012" -and department -eq "Marketing"}
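The following script is an added example, not part of the course materials, that writes the stale-account query above both ways, with -Filter and with -LDAPFilter, using a variable for the cutoff date, and adds the case the simple query misses: accounts that have never logged on. It assumes the adatum.com lab domain; the 90-day cutoff is an arbitrary choice.

```powershell
# Added example (not 20410A course code).
# Assumptions: adatum.com lab domain; a 90-day inactivity cutoff.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)
$ou     = "ou=Marketing,dc=adatum,dc=com"

# -Filter uses Windows PowerShell Expression Language; the variable is
# resolved for you and the date is converted to the attribute's type.
# Enabled is filterable, so disabled accounts are excluded up front.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
    -SearchBase $ou -SearchScope Subtree -Properties LastLogonDate, Department

# The same query as an LDAP filter. LastLogonDate is a friendly view of the
# lastLogonTimestamp attribute, which is stored as a FILETIME, so the cutoff
# must be converted; userAccountControl bit 0x2 means the account is disabled.
$fileTime  = $cutoff.ToFileTimeUtc()
$ldap      = "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$fileTime)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$staleLdap = Get-ADUser -LDAPFilter $ldap -SearchBase $ou -SearchScope Subtree `
    -Properties LastLogonDate, Department

# Accounts that never logged on have no lastLogonTimestamp at all, so neither
# query above returns them. Find them separately.
$neverUsed = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -notlike "*" } `
    -SearchBase $ou -SearchScope Subtree -Properties Created

$stale     | Select-Object SamAccountName, Department, LastLogonDate | Sort-Object LastLogonDate
$neverUsed | Select-Object SamAccountName, Created
```

Two caveats when you act on these results. lastLogonTimestamp is only replicated to other domain controllers when it is more than 9 to 14 days old, so LastLogonDate is a coarse measure, not a precise one; for an exact value you must read lastLogon from every domain controller. And an account in $neverUsed with a recent Created date is simply new, not stale.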

Note: For more information about filtering with Get-AD* cmdlets, see http://technet.microsoft.com/en-us/library/hh531527(v=ws.10).

Question: What is the difference between using -eq and -like when comparing strings?

Modifying Objects with Windows PowerShell


To perform a bulk operation, you need to pass the list of objects that you have queried to another cmdlet to modify the objects. In most cases, you use the Set-AD* cmdlets to modify the objects. To pass the list of queried objects to another cmdlet for further processing, you use the pipe ( | ) character. The pipe character passes each object from the query to a second cmdlet, which then performs a specified operation on each object.

The following is a command that you could use for those accounts that do not have the company attribute set. It generates a list of user accounts and sets the company attribute to A. Datum. (The Filter syntax cannot compare a property with $null; -notlike "*" is how you select objects on which the attribute is not set.)
Get-ADUser -Filter {company -notlike "*"} | Set-ADUser -Company "A. Datum"

The following is a command that you could use to generate a list of user accounts that have not logged on since a specific date, and then disable them:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"} | Disable-ADAccount

Use Objects from a Text File


Instead of using a list of objects from a query to perform a bulk operation, you can use a list of objects in a text file. This is useful when you need a list of objects to modify or remove, and it is not possible to generate that list by using a query. For example, the human resources department may generate a list of user accounts to be disabled; there is no query that can identify the users that have left the organization. When you use a text file to specify a list of objects, the text file needs to have the name of each object on a single line. Each line is passed to the Identity parameter of the next cmdlet, so the names must be in a form that Identity accepts, such as the SAM account name or the distinguished name. The following example disables the user accounts that are listed in a text file:
Get-Content C:\users.txt | Disable-ADAccount
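The following script is an added example, not part of the course materials, serving both the query-then-disable pipeline above and the text-file list: it previews the change with -WhatIf before acting, records what it disabled, and validates each name from the file instead of piping it blindly. It assumes the adatum.com lab domain, a 90-day cutoff, and a file C:\users.txt containing one SAM account name per line; the log file path is also an assumption.

```powershell
# Added example (not 20410A course code).
# Assumptions: adatum.com lab domain; 90-day cutoff; C:\users.txt holds one
# SamAccountName per line; C:\disabled-accounts.log is writable.
Import-Module ActiveDirectory

$cutoff  = (Get-Date).AddDays(-90)
$logFile = "C:\disabled-accounts.log"

# Step 1: preview. -WhatIf changes nothing and prints the accounts that the
# pipeline would disable, which is the check to make before any bulk change.
Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
    Disable-ADAccount -WhatIf

# Step 2: act, leaving a reason on the object and a line in a log, so the
# change can be explained and reversed later.
Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
    ForEach-Object {
        Disable-ADAccount -Identity $_
        Set-ADUser -Identity $_ -Description ("Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}" -f (Get-Date), $_.LastLogonDate)
        "{0:s} disabled {1}" -f (Get-Date), $_.SamAccountName
    } | Out-File -FilePath $logFile -Append

# Step 3: the HR list. Look each name up first, so a typo or a name that is
# not a SamAccountName surfaces as a warning rather than a silent no-op or,
# worse, a match on the wrong object.
Get-Content -Path C:\users.txt |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $user = Get-ADUser -Filter "SamAccountName -eq '$_'"
        if ($null -eq $user) {
            Write-Warning "No account named '$_' in the domain"
            return
        }
        Disable-ADAccount -Identity $user
        "{0:s} disabled {1} (HR list)" -f (Get-Date), $user.SamAccountName | Out-File -FilePath $logFile -Append
    }
```

Disabling rather than deleting is deliberate: a disabled account keeps its SID, group memberships, and ownership of files, so the decision can be reversed, and the Description field tells the next administrator why it was done.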

Question: Which attributes of a user account can you use when creating a query by using the Filter parameter?

Working with CSV Files


A .csv file can contain much more information than a simple list. Similar to a spreadsheet, a .csv file can have multiple rows and columns of information. Each row in the .csv file represents a single object, and each column in the .csv file represents a property of the object. This is useful for bulk operations such as creating user accounts, where multiple pieces of information about each object are required.

You can use the Import-Csv cmdlet to read the contents of a .csv file into a variable, and then work with the data. After the data is imported into the variable, you can refer to each individual row of data and each individual column of data. Each column of data has a name that is based on the header row (the first row) of the .csv file. You can refer to each column by name.

The following is an example of a .csv file with a header row:
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing

Use Foreach to Process CSV Data

In many cases, you are creating a script that will be reused for multiple .csv files, and you do not know how many rows there are in each .csv file. You can use a foreach loop to process each row in a .csv file. This type of loop does not require that you know how many rows there are.


The following is a command that you could use to import a .csv file into a variable, and use a foreach loop to display the first name from each row in the .csv file:
$users = Import-Csv C:\users.csv
foreach ($i in $users) {
    Write-Host "The first name is:" $i.FirstName
}
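The following script is an added example, not the course's DemoUsers.ps1 or LabUsers.ps1, that shows the complete pattern the foreach loop above leads to: create one user per .csv row, give each a random initial password that satisfies the domain policy, and handle the rows that fail. The header names, the OU, the UPN suffix, and the file paths are assumptions, and the .csv content is constructed for the example.

```powershell
# Added example (not 20410A course code).
# Assumptions: adatum.com lab domain; OU ou=LondonBranch,dc=adatum,dc=com exists;
# C:\ is writable. The .csv below is constructed sample input.
Import-Module ActiveDirectory

$csvFile = "C:\users.csv"
$ou      = "ou=LondonBranch,dc=adatum,dc=com"
$outFile = "C:\new-users.csv"   # initial passwords land here: restrict access, then delete it

@'
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
'@ | Set-Content -Path $csvFile

function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous characters (0, O, 1, l, I) are left out so the password can be read aloud.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
        # Retry until all four character classes are present, so the default
        # domain complexity policy cannot reject it.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

$created = foreach ($u in Import-Csv -Path $csvFile) {
    # SamAccountName: first initial + last name, e.g. gguzik (an assumed naming rule).
    $sam = ($u.FirstName.Substring(0, 1) + $u.LastName).ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }
    $plain = New-RandomPassword
    try {
        # AccountPassword must be a SecureString and must satisfy the domain
        # password policy; without a valid password the account cannot be
        # enabled, which is why -Enabled $true is safe to pass here.
        New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
            -GivenName $u.FirstName -Surname $u.LastName `
            -SamAccountName $sam -UserPrincipalName "$sam@adatum.com" `
            -Department $u.Department -Path $ou `
            -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -Enabled $true -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $plain }
    } catch {
        # -ErrorAction Stop turns the cmdlet's error into an exception, so one
        # bad row is reported and the loop continues with the next one.
        Write-Warning "Failed to create ${sam}: $($_.Exception.Message)"
    }
}

$created | Export-Csv -Path $outFile -NoTypeInformation
```

Generating the password in the script, rather than reading it from a column in the .csv file, means the source file never carries credentials, and -ChangePasswordAtLogon $true ensures the generated value is only ever used once. A script that sets the same default password for every row, or one that passes a plain string instead of a SecureString, fails for the reason asked about in the Module Review.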

Question: In the foreach loop, how does $i change?

Demonstration: Performing Bulk Operations with Windows PowerShell


You can use a script to combine multiple Windows PowerShell commands to perform more complex tasks. Within a script, you often use variables and loops to process data. Windows PowerShell scripts have a .ps1 extension.

The execution policy on a server determines whether scripts are able to run. The default execution policy on Windows Server 2012 is RemoteSigned. This means that local scripts can run without being digitally signed, while scripts downloaded from the Internet must be signed by a trusted publisher. You can view the execution policy by using the Get-ExecutionPolicy cmdlet and control it by using the Set-ExecutionPolicy cmdlet. Note that the execution policy is a safety feature that prevents scripts from running unintentionally; it is not a security boundary, because a user who can run commands interactively can also bypass it.

In this demonstration, you will see how to:
- Configure the department for users in the Research OU.
- Create a LondonBranch OU.
- Run the script to create new user accounts in LondonBranch.
- Verify that the new user accounts were created in LondonBranch.

Demonstration Steps

Configure the department for users in the Research OU
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, search for user accounts in the Research OU by using the following command:
Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com"
3. Set the department attribute of all users in the Research OU by using the following command:
Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com" | Set-ADUser -Department Research
4. Display a table-formatted list of users in the Research department, showing the distinguished name and department, by using the following command:
Get-ADUser -Filter {department -eq "Research"} | Format-Table DistinguishedName,Department
5. Note that the Department column is empty, because Get-ADUser returns only a default set of properties unless you ask for more. Use the Properties parameter so that the previous command displays the department correctly:
Get-ADUser -Filter {department -eq "Research"} -Properties Department | Format-Table DistinguishedName,Department

Create a LondonBranch OU
At the Windows PowerShell prompt, create a new OU named LondonBranch by using the following command:
New-ADOrganizationalUnit LondonBranch -Path "dc=adatum,dc=com"

Run the script to create new user accounts in LondonBranch
1. Open E:\Labfiles\Mod04\DemoUsers.csv, and read the header row.
2. Edit DemoUsers.ps1, and review the contents of the script. Note that the script:
  o Refers to the location of the .csv file.
  o Uses a foreach loop to process the .csv file contents.
  o Refers to the columns defined by the header in the .csv file.
3. At the Windows PowerShell prompt, change to the E:\Labfiles\Mod04 directory and run the following command:
.\DemoUsers.ps1

Verify that the new user accounts were created in LondonBranch
1. In Server Manager, open the Active Directory Administrative Center tool.
2. In Active Directory Administrative Center, browse to Adatum (local) > LondonBranch, and verify that the user accounts were created. Note that the accounts are disabled, because no password was set during creation and an account without a valid password cannot be enabled.


Lab: Automating AD DS Administration by Using Windows PowerShell


Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office. As part of configuring a new branch office, you need to create user and group accounts. Creating multiple users with graphical tools is inefficient, so, you will be using Windows PowerShell.

Objectives
After completing this lab, you will be able to:
- Create user accounts and group accounts by using Windows PowerShell.
- Use Windows PowerShell to create user accounts in bulk.
- Modify user accounts in bulk.

Lab Setup

Estimated time: 45 minutes

Virtual Machines    20410A-LON-DC1, 20410A-LON-CL1
User Name           Administrator
Password            Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
  a. User name: Adatum\Administrator
  b. Password: Pa$$w0rd
5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell


Scenario
A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by using command-line tools. It has been mandated that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell.

The main tasks for this exercise are as follows:
1. Create a user account by using Windows PowerShell.
2. Create a group by using Windows PowerShell.

Task 1: Create a user account by using Windows PowerShell


1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, create a new OU named LondonBranch by using the following command:
New-ADOrganizationalUnit LondonBranch
3. Create a new user account for Ty Carlson in the LondonBranch OU by using the following command:
New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=LondonBranch,dc=adatum,dc=com"
4. Set the password for the new account to Pa$$w0rd by using the following command. The cmdlet prompts for the current password (the new account has none) and then for the new password:
Set-ADAccountPassword Ty
5. Enable the new user account by using the following command. The account could not be enabled before step 4, because an account without a valid password cannot be enabled:
Enable-ADAccount Ty
6. On LON-CL1, log on as Ty with the password Pa$$w0rd.
7. Verify that the logon is successful, and then sign out of LON-CL1.

Task 2: Create a group by using Windows PowerShell


1. On LON-DC1, at the Windows PowerShell prompt, create a new global security group for users in the London branch office by using the following command:
New-ADGroup LondonBranchUsers -Path "ou=LondonBranch,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security
2. At the Windows PowerShell prompt, add Ty as a member of LondonBranchUsers by using the following command:
Add-ADGroupMember LondonBranchUsers -Members Ty
3. At the Windows PowerShell prompt, confirm that Ty has been added as a member of LondonBranchUsers by using the following command:
Get-ADGroupMember LondonBranchUsers


Results: After completing this exercise, you will have created user accounts and groups by using Windows PowerShell.

Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk


Scenario
You have been given a .csv file that contains a large list of new users for the branch office. It would be inefficient to create these users individually with graphical tools. Instead, you will use a Windows PowerShell script to create the users. A colleague who is experienced with scripting has provided you with a script that she created. You need to modify the script to match the format of your .csv file.

The main tasks for this exercise are as follows:
1. Prepare the .csv file.
2. Prepare the script.
3. Run the script.

Task 1: Prepare the .csv file


1. On LON-DC1, read the contents of E:\Labfiles\Mod04\LabUsers.ps1 to identify the header requirements for the .csv file.
2. Edit the contents of E:\Labfiles\Mod04\LabUsers.csv and add the appropriate header.

Task 2: Prepare the script


1. On LON-DC1, use Windows PowerShell ISE to modify the variables in LabUsers.ps1:
  o $csvfile: E:\Labfiles\Mod04\LabUsers.csv
  o $OU: ou=LondonBranch,dc=adatum,dc=com
2. Save the modified LabUsers.ps1.
3. Review the contents of the script.

Task 3: Run the script


1. On LON-DC1, open a Windows PowerShell prompt, and run E:\Labfiles\Mod04\LabUsers.ps1.
2. At the Windows PowerShell prompt, verify that the users were created by using the following command:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com"
3. On LON-CL1, log on as Luka with the password Pa$$w0rd.

Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in bulk.

Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk


Scenario
You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. You have also been asked to ensure that all of the new user accounts in the branch office are configured to force the users to change their passwords at their next logon. You decide to run a script to force all user accounts in the London branch to change their password the next time that they log on.

The main tasks for this exercise are as follows:
1. Force all user accounts in LondonBranch to change password at next logon.
2. Configure the address for user accounts in LondonBranch.
3. Prepare for the next module.

Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, create a query for user accounts in the LondonBranch OU by using the following command:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Format-Wide DistinguishedName
3. At the Windows PowerShell prompt, modify the previous command to force all user accounts to change their password at the next logon:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Set-ADUser -ChangePasswordAtLogon $true

Task 2: Configure the address for user accounts in LondonBranch


1. On LON-DC1, open the Active Directory Administrative Center tool.
2. Open the properties for all user accounts in LondonBranch.
3. Set the address for the selected users as follows:
  o Street: Branch Office
  o City: London
  o Country/Region: United Kingdom
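The following script is an added example, not part of the lab steps, that performs Task 2 with Windows PowerShell instead of the graphical tool and then verifies that both Task 1 and Task 2 took effect. It assumes the adatum.com lab domain and the LondonBranch OU created earlier in the lab.

```powershell
# Added example (not 20410A lab code).
# Assumptions: adatum.com lab domain; OU ou=LondonBranch,dc=adatum,dc=com exists.
Import-Module ActiveDirectory

$ou = "ou=LondonBranch,dc=adatum,dc=com"

# The same address change as Task 2. Country is stored in the "c" attribute
# as an ISO 3166 two-letter code, so "United Kingdom" in the GUI is GB here.
Get-ADUser -Filter * -SearchBase $ou |
    Set-ADUser -StreetAddress "Branch Office" -City "London" -Country "GB"

# Verify both tasks. "Must change password at next logon" is stored on the
# object as pwdLastSet = 0, which is what the calculated column checks.
Get-ADUser -Filter * -SearchBase $ou -Properties StreetAddress, City, Country, pwdLastSet |
    Select-Object SamAccountName, StreetAddress, City, Country,
        @{ Name = "MustChangePassword"; Expression = { $_.pwdLastSet -eq 0 } } |
    Format-Table -AutoSize
```

If MustChangePassword shows False for any account, the Set-ADUser -ChangePasswordAtLogon command in Task 1 did not reach it, typically because the account sits outside the SearchBase or was created after the command ran.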

Results: After completing this exercise, you will have modified user accounts in bulk.

To prepare for the next module


When you finish the lab, revert all virtual machines back to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20410A-LON-DC1.


Module Review and Takeaways


Question: A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file, but is experiencing errors when attempting to set a default password. Why might this be happening?

Question: You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students can generate a list of the new students and then export it as a .csv file. After the data has been exported to a .csv file, what information do you need to work with the data in a script?

Question: The Research department in your organization has been renamed to Research and Development. You need to update the Department property of users in the Research department to reflect this change. You have created a query for user accounts with the department property set to Research by using the Get-ADUser cmdlet and the Filter parameter. What is the next step to update the department property to Research and Development?


Module 5
Implementing IPv4
Contents:
Module Overview                                        5-1
Lesson 1: Overview of TCP/IP                           5-2
Lesson 2: Understanding IPv4 Addressing                5-6
Lesson 3: Subnetting and Supernetting                  5-11
Lesson 4: Configuring and Troubleshooting IPv4         5-16
Lab: Implementing IPv4                                 5-23
Module Review and Takeaways                            5-27

Module Overview
Internet Protocol version 4 (IPv4) is the network protocol used on the Internet and on local area networks. To understand and troubleshoot network communication, it is essential that you understand how IPv4 is implemented. In this module, you will see how to implement an IPv4 addressing scheme, and how to determine and troubleshoot network-related problems.

Objectives
At the end of this module, you will be able to:
- Describe the TCP/IP protocol suite.
- Describe IPv4 addressing.
- Determine a subnet mask necessary for supernetting or subnetting.
- Configure IPv4 and troubleshoot IPv4 communication.

5-2

Implementing IPv4

Lesson 1

Overview of TCP/IP


Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry-standard suite of protocols that provides communication in a heterogeneous network. This lesson provides an overview of IPv4 and how it relates to other protocols to enable network communication. It also covers the concept of sockets, which applications use to accept network communications. Together, this overview provides a foundation for understanding and troubleshooting network communication.

Lesson Objectives

At the end of this lesson, you will be able to:
- Describe the elements of the TCP/IP suite of protocols.
- Describe the individual protocols that make up the TCP/IP suite.
- Describe TCP/IP application layer protocols.
- Describe a socket and identify port numbers for specified protocols.

The TCP/IP Protocol Suite

The tasks performed by TCP/IP in the communication process are distributed between protocols. These protocols are organized into four distinct layers of the TCP/IP stack:
- Application layer. Applications use the application layer protocols to access network resources.
- Transport layer. The transport layer protocols control data transfer reliability on the network.
- Internet layer. The Internet layer protocols control packet movement between networks.
- Network interface layer. The network interface layer protocols define how datagrams from the Internet layer are transmitted on the media.

Benefits of Architecture Layers

Rather than creating a single protocol, dividing the network functions into a stack of separate protocols provides several benefits:
- Separate protocols make it easier to support a variety of computing platforms.
- Creating or modifying protocols to support new standards does not require modification of the entire protocol stack.
- Having multiple protocols operating at the same layer makes it possible for applications to select the protocols that provide only the level of service required.
- Because the stack is split into layers, the development of the protocols can proceed simultaneously by personnel who are uniquely qualified in the operations of the particular layers.

Protocols in the TCP/IP Suite


The Open Systems Interconnection (OSI) model defines distinct layers related to packaging, sending, and receiving data transmissions over a network. The layered suite of protocols that form the TCP/IP stack carry out these functions.

Application Layer
The application layer of the TCP/IP model corresponds to the application, presentation, and session layers of the OSI model. This layer provides services and utilities that enable applications to access network resources.

Transport La ayer
Th he transport la ayer correspon nds to the transport layer of the OSI mode el and is respon nsible for end-to-end co ommunication n using TCP or User Datagram m Protocol (UD DP). The TCP/ IP protocol suite offers application programmers th he choice of TC CP or UDP as a transport lay yer protocol: TCP. Provid des connection n-oriented reliable commun ications for ap pplications. Co onnection-oriented communica ation confirms that the destination is ready y to receive da ata before it se ends the data. To make comm munication reliable, TCP con nfirms that all p packets are rec ceived. Reliabl le communication is desired in most m cases and d is used by most application ns. Web server rs, File Transfe er Protocol (FTP) clients, and d other applica ations that mov ve large amou unts of data us se TCP. UDP. Provides connectionless and unre eliable commu unication. Whe en using UDP, reliable delive ery is the responsibili ity of the application. Applic cations use UD DP for faster co ommunication with less over rhead than TCP. Applications A su uch as streamin ng audio and v video use UDP P so that a sing gle missing pa acket will not delay playback. p UDP is also used by y applications that send sma all amounts of f data, such as Domain Name Syste em (DNS) nam me lookups.

The transport layer protocol that an application uses is determined by the developer of the application, and is based on the communication requirements of the application.

Internet Layer
The Internet layer corresponds to the network layer of the OSI model and consists of several separate protocols, including IP, Address Resolution Protocol (ARP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP). The protocols at the Internet layer encapsulate transport layer data into units called packets, address them, and route them to their destinations. The Internet layer protocols are:
- IP. IP is responsible for routing and addressing. The Windows 8 operating system and the Windows Server 2012 operating system implement a dual-layer IP protocol stack, including support for both IPv4 and IPv6.
- ARP. ARP is used by IP to determine the media access control (MAC) address of local network adapters (that is, adapters installed on computers on the local network) from the IP address of a local host. ARP is broadcast-based, meaning that ARP frames cannot transit a router and are therefore localized to one subnet. Some implementations of TCP/IP provide support for Reverse ARP (RARP), in which the MAC address of a network adapter is used to determine the corresponding IP address.
- IGMP. IGMP provides support for multicasting applications over routers in IPv4 networks.
- ICMP. ICMP sends error and diagnostic messages in an IP-based network; ping and tracert rely on it.


Network Interface Layer
The network interface layer (sometimes referred to as the link layer or data link layer) corresponds to the data link and physical layers of the OSI model. The network interface layer specifies the requirements for sending and receiving packets on the network media. This layer is often not formally considered part of the TCP/IP protocol suite because the tasks are performed by the combination of the network adapter driver and the network adapter.

TCP/IP Applications
Applications use application layer protocols to communicate over the network. A client and server must be using the same application layer protocol to communicate. The following table lists some common application layer protocols.

Protocol                               Description
HTTP                                   Used for communication between web browsers and web servers.
HTTP/Secure (HTTPS)                    A version of HTTP that encrypts communication between web browsers and web servers.
FTP                                    Used to transfer files between FTP clients and servers.
Remote Desktop Protocol (RDP)          Used to remotely control a computer running Windows operating systems over a network.
Server Message Block (SMB)             Used by servers and client computers for file and printer sharing.
Simple Mail Transfer Protocol (SMTP)   Used to transfer email messages over the Internet.
Post Office Protocol version 3 (POP3)  Used to retrieve messages from some email servers.


What Is a Socket?
When an application wants to establish communication with an application on a remote host, it creates a TCP or a UDP socket, as appropriate. A socket identifies the following as part of the communication process:
- The transport protocol that the application uses, which could be TCP or UDP
- The TCP or UDP port numbers that the applications are using
- The IPv4 or IPv6 address of the source and destination hosts

This combination of transport protocol, IP address, and port creates a socket.

Well-Known Ports
Applications are assigned a port number between 0 and 65,535. The first 1,024 ports (0 through 1023) are known as well-known ports and have been assigned to specific applications. Applications listening for connections use consistent port numbers to make it easier for client applications to connect. If an application listens on a non-standard port number, then you need to specify the port number when connecting to it. Client applications typically use a dynamic (ephemeral) source port that the operating system picks for each connection; Windows Vista, Windows Server 2008, and later use the range 49152 through 65535 by default (netsh interface ipv4 show dynamicport tcp displays the range in use). The following table identifies some of these well-known ports.

Port     Protocol   Application
80       TCP        HTTP, used by a web server
443      TCP        HTTPS, for a secure web server
110      TCP        POP3, used for email retrieval
25       TCP        SMTP, used for sending email messages
53       UDP        DNS, used for most name resolution requests
53       TCP        DNS, used for zone transfers
20, 21   TCP        FTP, used for file transfers

You need to be aware of the port numbers that applications use, so you can configure firewalls to allow communication. Most applications have a default port number for this purpose, but it can be changed when required. For example, some web-based applications run on a port other than port 80 or port 443.
Question: Are there other well-known ports that you can think of?
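The following Windows PowerShell script is an added example (not part of the course text) that makes the socket definition above concrete: it creates a TCP listener and a client on the loopback address, prints the protocol, local address:port and remote address:port that identify each end, and then shows the same connection as the TCP/IP stack reports it. It assumes Windows 8 or Windows Server 2012 or later for Get-NetTCPConnection; the rest is .NET Framework and runs without any network access.

```powershell
# Added example, not from the course: build a TCP socket pair on 127.0.0.1 and
# show the (protocol, local IP:port, remote IP:port) that identifies each end.

# Server side: listen on an ephemeral port (port 0 lets the OS choose one).
$listener = New-Object System.Net.Sockets.TcpListener -ArgumentList ([System.Net.IPAddress]::Loopback), 0
$listener.Start()
$listenPort = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

# Client side: connect to it. The client's source port is chosen by the OS from
# the dynamic port range (49152-65535 on Windows Vista / Server 2008 and later).
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect([System.Net.IPAddress]::Loopback, $listenPort)
$server = $listener.AcceptTcpClient()

# Each socket is the mirror image of the other: the client's remote endpoint is
# the server's local endpoint and vice versa.
"Client socket: TCP {0} -> {1}" -f $client.Client.LocalEndPoint, $client.Client.RemoteEndPoint
"Server socket: TCP {0} -> {1}" -f $server.Client.LocalEndPoint, $server.Client.RemoteEndPoint

# The same connection as seen by the TCP/IP stack (what netstat -an would list):
# one entry in the Listen state and one Established entry for the accepted socket.
Get-NetTCPConnection -LocalPort $listenPort |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# The dynamic port range the client's source port was drawn from.
netsh interface ipv4 show dynamicport tcp

$client.Close(); $server.Close(); $listener.Stop()
```

Run it in a session on the server itself; no firewall rule is needed because both ends are on the loopback interface. The point to take from the output is that a single listening port can serve many connections because each connection is distinguished by the full socket pair, not by the server port alone.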


Lesson 2
Understanding IPv4 Addressing


Understanding IPv4 network communication is critical to ensuring that you can implement, troubleshoot, and maintain IPv4 networks. One of the core components of IPv4 is addressing. Understanding addressing, subnet masks, and default gateways allows you to identify the proper communication between hosts. To identify IPv4 communication errors you need to understand how the process is supposed to work.

Lesson Objectives
At the end of this lesson, you will be able to:
- Describe the information required to configure an IPv4 host.
- Identify public and private IPv4 addresses.
- Understand how dotted decimal notation relates to binary numbers.
- Describe a simple IPv4 network with classful addressing.
- Describe a complex IPv4 network with classless addressing.

IPv4 Addressing
To configure network connectivity, you must be familiar with IPv4 addresses and how they work. Network communication for a computer is directed to the IPv4 address of that computer. Each networked computer must be assigned a unique IPv4 address.
Each IPv4 address is 32 bits long. To make IP addresses more readable, they are shown in dotted decimal notation. Dotted decimal notation divides a 32-bit IPv4 address into four groups of 8 bits, which are converted to a decimal number between zero and 255. The decimal numbers are separated by a period (dot). Each decimal number is called an octet.

Subnet Mask
Each IPv4 address is composed of a network ID and a host ID. The network ID identifies the network on which the computer is located. The host ID uniquely identifies the computer on that specific network. A subnet mask identifies which part of an IPv4 address is the network ID, and which part is the host ID. In the simplest scenarios, each octet in a subnet mask is either 255 or 0. A 255 represents an octet that is part of the network ID, while a 0 represents an octet that is part of the host ID. For example, a computer with an IP address of 192.168.23.45 and a subnet mask of 255.255.255.0 has a network ID of 192.168.23.0 and a host ID of 0.0.0.45.

Note: The terms network, subnet, and VLAN (Virtual Local Area Network) are often used interchangeably. A large network is often subdivided into subnets, and VLANs are configured on switches to represent subnets.


Default Gateway
A default gateway is a device, usually a router, on a TCP/IP network that forwards IP packets to other networks. The multiple internal networks in an organization can be referred to as an intranet. On an intranet, any given network might have several routers that connect it to other networks, both local and remote. You must configure one of the routers as the default gateway for local hosts. This enables the local hosts to communicate with hosts on remote networks.
Before a host sends an IPv4 packet, it uses its own subnet mask to determine whether the destination host is on the same network, or on a remote network. If the destination host is on the same network, the sending host transmits the packet directly to the destination host. If the destination host is on a different network, the host transmits the packet to a router for delivery.
When a host transmits a packet to a remote network, IPv4 consults the internal routing table to determine the appropriate router for the packet to reach the destination subnet. If the routing table does not contain any routing information about the destination subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway contains the required routing information. The default gateway is used in most cases.
Client computers usually obtain their IP addressing information from a Dynamic Host Configuration Protocol (DHCP) server. This is more straightforward than manually assigning a default gateway on each host. Most servers have a static IP configuration that is assigned manually.
Question: How is network communication affected if a default gateway is configured incorrectly?

Public and Private IPv4 Addresses
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices that do not connect directly to the Internet do not require a public IPv4 address.

Public IPv4 Addresses
Public IPv4 addresses must be unique. The Internet Assigned Numbers Authority (IANA) assigns public IPv4 addresses to regional Internet registries (RIRs). RIRs then assign IPv4 addresses to Internet service providers (ISPs). Usually, your ISP allocates you one or more public addresses from its address pool. The number of addresses that your ISP allocates to you depends upon how many devices and hosts you have to connect to the Internet.

Private IPv4 Addresses
The pool of IPv4 addresses is becoming smaller, so RIRs are reluctant to allocate superfluous IPv4 addresses. Technologies such as network address translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and services on the Internet.


IANA defines the address ranges in the following table as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.

Network          Range
10.0.0.0/8       10.0.0.0-10.255.255.255
172.16.0.0/12    172.16.0.0-172.31.255.255
192.168.0.0/16   192.168.0.0-192.168.255.255

How Dotted Decimal Notation Relates to Binary Numbers
When you assign IP addresses, you use dotted decimal notation. Dotted decimal notation is based on the decimal number system. However, in the background, computers use IP addresses in binary. To understand how to choose a subnet mask for complex networks, you must understand IP addresses in binary.
Within an 8-bit octet, each bit position has a decimal value. A bit that is set to 0 always has a zero value. A bit that is set to 1 can be converted to a decimal value. The low-order bit (the rightmost bit in the octet) represents a decimal value of 1. The high-order bit (the leftmost bit in the octet) represents a decimal value of 128. If all bits in an octet are set to 1, the octet's decimal value is 255 (that is: 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1). That is the highest possible value of an octet.
Most of the time, you can use a calculator to convert decimal numbers to binary and vice versa. The Calculator application included in Windows operating systems can perform decimal-to-binary conversions, as shown in the following example.

Binary                                Dotted decimal notation
10000011.01101011.00000011.00011000   131.107.3.24


Simple IPv4 Implementations

IPv4 Address Classes
The IANA organizes IPv4 addresses into classes. Each class of address has a different default subnet mask that defines the number of valid hosts on the network. IANA has named the IPv4 address classes from Class A through Class E. Classes A, B, and C are IP networks that you can assign to IP addresses on host computers. Class D addresses are used by computers and applications for multicasting. The IANA reserves Class E for experimental use. The following table lists the characteristics of each IP address class.

Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1-127         255.0.0.0             126                  16,777,214
B       128-191       255.255.0.0           16,384               65,534
C       192-223       255.255.255.0         2,097,152            254

Note: The Internet no longer uses routing based on the default subnet mask of IPv4 address classes.

Simple IPv4 Networks
You can use subnetting to divide a large network into multiple smaller networks. In simple IPv4 networks, the subnet mask defines full octets as part of the network ID and host ID. A 255 represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID. For example, you can use the 10.0.0.0 network with a subnet mask of 255.255.0.0 to create 256 smaller networks.

Note: The IPv4 address 127.0.0.1 is used as a loopback address; you can use this address to test the local configuration of the IPv4 protocol stack. Consequently, the network address 127 is not permitted for configuring IPv4 hosts.


More Complex IPv4 Implementations
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might subdivide one octet with some bits that are for the network ID, and some that are for the host ID. This allows you to have the specific number of subnets and hosts that you require. The following example shows a subnet mask that can be used to divide a class B network into 16 subnets:
172.16.0.0/255.255.240.0

In many cases, rather than using a dotted decimal representation of the subnet mask, the number of bits in the network ID is specified instead. This prefix-length notation comes from classless interdomain routing (CIDR). The following is the same network in CIDR notation:
172.16.0.0/20

Variable Length Subnet Masks
Modern routers support the use of variable length subnet masks (VLSMs). VLSMs allow you to create subnets of different sizes when you subdivide a larger network. For example, you could subdivide a small network with 256 addresses into 3 smaller networks with 128 addresses, 64 addresses, and 64 addresses. This allows you to use IP addresses in a network more efficiently.
Question: Does your organization use simple or complex networking?


Lesson 3
Subnetting and Supernetting
In most organizations, you need to perform subnetting to divide your network into smaller subnets and allocate those subnets for specific purposes or locations. To do this you need to understand how to select the correct number of bits to include in the subnet masks. In some cases, you may also need to combine multiple networks into a single larger network through supernetting.

Lesson Objectives
At the end of this lesson, you will be able to:
- Describe how bits are used in a subnet mask.
- Identify when to use subnetting.
- Calculate a subnet mask that supports a specific number of subnets.
- Calculate a subnet mask that supports a specific number of hosts.
- Identify an appropriate subnet mask for a scenario.
- Describe supernetting.

How Bits Are Used in a Subnet Mask
In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0. If the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID.
In complex networks, you can convert the subnet mask to binary, and evaluate each bit in the subnet mask. A subnet mask is composed of contiguous 1s and 0s. The 1s start at the leftmost bit and continue uninterrupted until the bits change to all 0s. The network ID of a subnet mask can be identified by the 1s. The host ID can be identified by the 0s. Any bits taken from the host ID and allocated to the network ID must be contiguous with the original network ID.
- Each bit that is 1 is part of the network ID.
- Each bit that is 0 is part of the host ID.

The mathematical process used to compare an IP address and a subnet mask is called ANDing: each bit of the address is combined with the corresponding bit of the mask by a bitwise AND, so the bits under the mask's 1s survive (the network ID) and the bits under its 0s are cleared. For example, 192.168.23.45 AND 255.255.255.0 gives 192.168.23.0.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each subnet. Using more bits than you need allows for subnet growth, but limits growth for hosts. Using fewer bits than you need allows for growth in the number of hosts you can have, but limits growth in subnets.


The Benefits of Using Subnetting
When you subdivide a network into subnets, you must create a unique ID for each subnet. These unique IDs are derived from the main network ID; you allocate some of the bits in the host ID to the network ID. This enables you to create more networks. By using subnets, you can:
- Use a single, large network across multiple physical locations.
- Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
- Increase security by dividing the network and using firewalls to control communication.
- Overcome limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have.

Calculating Subnet Addresses
Before you define a subnet mask, estimate how many subnets and hosts for each subnet you may require. This enables you to use the appropriate number of bits for the subnet mask.
You can calculate the number of subnet bits that you need in the network. Use the formula 2^n, where n is the number of bits borrowed from the host ID. The result is the number of subnets that those bits provide; choose the smallest n for which 2^n is at least the number of subnets that your network requires. The following table indicates the number of subnets that you can create by using a specific number of bits.

Number of bits (n)   Number of subnets (2^n)
1                    2
2                    4
3                    8
4                    16
5                    32
6                    64

To determine the subnet addresses quickly, you can use the lowest-value 1 bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 by using 3 bits, the subnet mask is 255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest 1 bit has a value of 32, so 32 is the increment between consecutive subnet addresses in the third octet. The following table shows examples of calculating subnet addresses.

Binary network number         Decimal network number
172.16.00000000.00000000      172.16.0.0
172.16.00100000.00000000      172.16.32.0
172.16.01000000.00000000      172.16.64.0
172.16.01100000.00000000      172.16.96.0
172.16.10000000.00000000      172.16.128.0
172.16.10100000.00000000      172.16.160.0
172.16.11000000.00000000      172.16.192.0
172.16.11100000.00000000      172.16.224.0

Note: You can use a subnet calculator to determine the appropriate subnets for your network, rather than calculating them manually. Subnet calculators are widely available on the Internet.

Calculating Host Addresses
To determine the host bits in the mask, determine the number of bits required to support the hosts on a subnet. Calculate the number of hosts that a given number of host bits supports by using the formula 2^n - 2, where n is the number of bits. This result must be at least the number of hosts that you need on the subnet, and it is also the maximum number of hosts that you can configure on that subnet. On each subnet, two host IDs are allocated automatically and cannot be used by computers. An address with the host ID as all 0s represents the network. An address with the host ID as all 1s is the broadcast address for that network.


The following table shows how many hosts a class C network has available based on the number of host bits.

Number of bits (n)   Number of hosts (2^n - 2)
1                    0
2                    2
3                    6
4                    14
5                    30
6                    62

You can calculate each subnet's range of host addresses by using the following process:
1. The first host is one address higher than the current subnet ID (host bits 000...001).
2. The last host is two addresses lower than the next subnet ID; the address one lower than the next subnet ID (host bits all 1s) is the broadcast address of the current subnet.

The following table shows examples of calculating host addresses.

Network             Host range
172.16.64.0/19      172.16.64.1-172.16.95.254
172.16.96.0/19      172.16.96.1-172.16.127.254
172.16.128.0/19     172.16.128.1-172.16.159.254
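The Windows PowerShell functions below are an added example, not part of the course, that carry out the binary conversion, the ANDing of an address with its mask, the subnet enumeration and the host-range calculation described in this lesson, reproducing the figures in the tables above. Function names are mine; the code works on Windows PowerShell 3.0 (Windows Server 2012) and later and needs no network access.

```powershell
# Added example, not from the course: IPv4 subnet arithmetic done the way the
# lesson describes it, in binary. Windows PowerShell 3.0 or later.

function ConvertTo-IPv4Long {
    # Dotted decimal -> 32-bit value held in a [long], so bit operations never overflow.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-IPv4Long {
    # 32-bit value -> dotted decimal.
    param([long]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { ($Value -shr $shift) -band 255 }
    return ($octets -join '.')
}

function ConvertTo-DottedBinary {
    # 131.107.3.24 -> 10000011.01101011.00000011.00011000
    param([string]$Address)
    $bits = foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        [Convert]::ToString([int]$b, 2).PadLeft(8, '0')
    }
    return ($bits -join '.')
}

function Get-MaskLong {
    # Prefix length -> subnet mask as a 32-bit value (24 -> 255.255.255.0).
    param([int]$PrefixLength)
    return [long](4294967295 - [math]::Pow(2, 32 - $PrefixLength) + 1)
}

function Get-NetworkId {
    # ANDing: address AND mask leaves the network ID; address AND the inverted
    # mask leaves the host ID.
    param([string]$Address, [string]$Mask)
    $a = ConvertTo-IPv4Long $Address
    $m = ConvertTo-IPv4Long $Mask
    [pscustomobject]@{
        NetworkId = ConvertFrom-IPv4Long ($a -band $m)
        HostId    = ConvertFrom-IPv4Long ($a -band ($m -bxor 4294967295))
    }
}

function Get-PrefixLengthForHosts {
    # Smallest prefix whose host part gives 2^n - 2 >= $Hosts usable addresses.
    param([int]$Hosts)
    $n = 2
    while (([math]::Pow(2, $n) - 2) -lt $Hosts) { $n++ }
    return 32 - $n
}

function Get-Subnet {
    # Split $Network/$PrefixLength into 2^$SubnetBits subnets; list each with its
    # binary form, first and last usable host, broadcast address and host count.
    param([string]$Network, [int]$PrefixLength, [int]$SubnetBits)
    $newPrefix = $PrefixLength + $SubnetBits
    if ($newPrefix -gt 30) { throw "A /$newPrefix subnet has no usable host addresses" }
    $base = (ConvertTo-IPv4Long $Network) -band (Get-MaskLong $PrefixLength)
    $size = [long][math]::Pow(2, 32 - $newPrefix)   # addresses per subnet = the increment
    for ($i = 0; $i -lt [math]::Pow(2, $SubnetBits); $i++) {
        $id = $base + ($i * $size)
        [pscustomobject]@{
            Subnet    = '{0}/{1}' -f (ConvertFrom-IPv4Long $id), $newPrefix
            Binary    = ConvertTo-DottedBinary (ConvertFrom-IPv4Long $id)
            FirstHost = ConvertFrom-IPv4Long ($id + 1)          # network ID + 1
            LastHost  = ConvertFrom-IPv4Long ($id + $size - 2)  # next subnet ID - 2
            Broadcast = ConvertFrom-IPv4Long ($id + $size - 1)  # host bits all 1s
            Hosts     = $size - 2
        }
    }
}

# Usage, with the lesson's own figures:
ConvertTo-DottedBinary 131.107.3.24                        # 10000011.01101011.00000011.00011000
Get-NetworkId -Address 192.168.23.45 -Mask 255.255.255.0   # NetworkId 192.168.23.0, HostId 0.0.0.45
Get-PrefixLengthForHosts 714                               # 22 (700 users + 14 printers fit in 1022 hosts)
Get-Subnet -Network 172.16.0.0 -PrefixLength 16 -SubnetBits 3 | Format-Table -AutoSize
```

The last command reproduces both tables above in one pass: eight /19 subnets starting at 172.16.0.0 in steps of 32 in the third octet, each with a host range such as 172.16.64.1 to 172.16.95.254 and a broadcast address of 172.16.95.255. Everything is done on 32-bit integers held in [long] values because PowerShell's bitwise operators work on signed integers, and a 32-bit address with its high bit set would otherwise come out negative.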

To create an appropriate addressing scheme for your organization, you must know how many subnets you need, and how many hosts you need on each subnet. Once you have that information, you can calculate an appropriate subnet mask.

Discussion: Creating a Subnetting Scheme for a New Office
Read the following scenario and answer the questions on the slide.
You are identifying an appropriate network configuration for a new campus. You have been allocated the 10.34.0.0/16 network, which you can subnet as required. There are four buildings on the new campus, and each should have its own subnet to allow for routing between the buildings. Each building will have up to 700 users. Each building will also have printers. The typical ratio of users to printers is 50 to 1. You also need to allocate a subnet for the server data center that will hold up to 100 servers.


What Is Supernetting?
Supernetting combines multiple small networks into a single large network. This may be appropriate when you have a small network that has grown and the address space needs to be expanded. For example, a branch office that is using the network 192.168.16.0/24 might exhaust all of its IP addresses and be allocated the additional network 192.168.17.0/24. If the default subnet mask of 255.255.255.0 is used for these networks, then you must perform routing between them. You can use supernetting to combine them into a single network.
To perform supernetting, the networks that you are combining must be contiguous. For example, 192.168.16.0/24 and 192.168.17.0/24 can be supernetted, but you cannot supernet 192.168.16.0/24 and 192.168.54.0/24. The combined block must also start on a boundary of its new size: 192.168.16.0/24 and 192.168.17.0/24 together form 192.168.16.0/23, but 192.168.17.0/24 and 192.168.18.0/24, although contiguous, do not fall inside a single /23, because the /23 containing 192.168.17.0 is 192.168.16.0/23.
Supernetting is the opposite of subnetting. When you perform supernetting, you allocate bits from the network ID to the host ID. The following table shows how many networks you can combine by using a specific number of bits.

Number of bits   Number of networks combined
1                2
2                4
3                8
4                16

The following table shows an example of supernetting two class C networks.

Network                            Range
192.168.00010000.00000000/24       192.168.16.0-192.168.16.255
192.168.00010001.00000000/24       192.168.17.0-192.168.17.255
192.168.00010000.00000000/23       192.168.16.0-192.168.17.255
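The following Windows PowerShell function is an added example (not part of the course) that aggregates a list of networks into one supernet and refuses the cases that a router could not summarize: blocks that are not contiguous, and blocks that are contiguous but do not sit on a boundary of the combined size. Function names are mine; it runs on Windows PowerShell 3.0 or later without network access.

```powershell
# Added example, not from the course: combine contiguous networks into one
# supernet, checking the conditions a single summary route requires.

function ConvertTo-IPv4Long {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-IPv4Long {
    param([long]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { ($Value -shr $shift) -band 255 }
    return ($octets -join '.')
}

function Get-Supernet {
    # $Networks: blocks in CIDR form, e.g. '192.168.16.0/24'. Returns the summary prefix.
    param([string[]]$Networks)

    $blocks = foreach ($n in $Networks) {
        $addr, $len = $n -split '/'
        $size  = [long][math]::Pow(2, 32 - [int]$len)
        $start = ConvertTo-IPv4Long $addr
        if ($start % $size -ne 0) { throw "$n is not a valid network address for a /$len" }
        [pscustomobject]@{ Start = $start; Size = $size }
    }
    $blocks = @($blocks | Sort-Object Start)

    # 1. Contiguous: each block must begin exactly where the previous one ends.
    for ($i = 1; $i -lt $blocks.Count; $i++) {
        if ($blocks[$i].Start -ne ($blocks[$i - 1].Start + $blocks[$i - 1].Size)) {
            throw "Blocks are not contiguous at $(ConvertFrom-IPv4Long $blocks[$i].Start)"
        }
    }

    # 2. The combined size must be a power of two (one prefix can only cover 2^n addresses).
    $total = [long]($blocks | Measure-Object -Property Size -Sum).Sum
    if (($total -band ($total - 1)) -ne 0) { throw "Combined size $total is not a power of two" }

    # 3. The first address must lie on a boundary of the combined size: the bits moved
    #    from the network ID into the host ID have to be all zero in the summary address.
    $first = $blocks[0].Start
    if ($first % $total -ne 0) {
        throw ('{0} does not start on a {1}-address boundary; these blocks cannot be summarized as one prefix' -f (ConvertFrom-IPv4Long $first), $total)
    }

    $hostBits = 0; $n = [long]1
    while ($n -lt $total) { $n *= 2; $hostBits++ }
    return '{0}/{1}' -f (ConvertFrom-IPv4Long $first), (32 - $hostBits)
}

# Usage: the lesson's example, a four-block aggregate, and the two failure cases.
$examples = @(
    @('192.168.16.0/24', '192.168.17.0/24'),                                 # 192.168.16.0/23
    @('172.16.0.0/24', '172.16.1.0/24', '172.16.2.0/24', '172.16.3.0/24'),   # 172.16.0.0/22
    @('192.168.17.0/24', '192.168.18.0/24'),                                 # warning: contiguous but not aligned
    @('192.168.16.0/24', '192.168.54.0/24')                                  # warning: not contiguous
)
foreach ($set in $examples) {
    try { Get-Supernet -Networks $set } catch { Write-Warning $_ }
}
```

The alignment check is the one that is easy to forget when summarizing by hand: moving one bit from the network ID to the host ID only works if that bit is already 0 in the first block's address, which is why the lesson's example starts at an even third octet (16) rather than at 17.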


Lesson 4
Configuring and Troubleshooting IPv4
If IPv4 is configured incorrectly, then it affects the availability of services that are running on a server. To ensure the availability of network services, you need to understand how to configure and troubleshoot IPv4. Windows Server 2012 introduces the ability to configure IPv4 by using Windows PowerShell. This is useful for scripting.
The troubleshooting tools in Windows Server 2012 are similar to previous versions of Windows operating systems. However, you may not be familiar with Network Monitor, which can be used to perform very detailed analysis of network communication.

Lesson Objectives
At the end of this lesson, you will be able to:
- Configure IPv4 manually to provide a static configuration for a server.
- Configure a server so that it obtains an IPv4 configuration automatically.
- Use IPv4 troubleshooting tools.
- Describe the troubleshooting process used to resolve fundamental IPv4 problems.
- Describe the function of Network Monitor.
- Use Network Monitor to capture and analyze network traffic.

Configuring IPv4 Manually
You typically configure servers with a static IP address. This is done to ensure that you know and can document the IP addresses that are used for various services on your network. For example, a DNS server is accessed at a specific IP address that should not change. IPv4 configuration includes:
- IPv4 address
- Subnet mask
- Default gateway
- DNS servers

Static configuration requires that you visit each computer and input the IPv4 configuration manually. This method of computer management is reasonable for servers, but it is very time consuming for client computers. Manually entering a static configuration also increases the risk of configuration mistakes.
You can configure a static IP address either in the properties of the network connection or by using the netsh command-line tool. For example, the following command configures the interface named Local Area Connection with the static IP address 10.10.0.10, the subnet mask of 255.255.0.0, and a default gateway of 10.10.0.1.
netsh interface ipv4 set address name="Local Area Connection" source=static addr=10.10.0.10 mask=255.255.0.0 gateway=10.10.0.1


Windows Server 2012 also has Windows PowerShell cmdlets that you can use to manage network configuration. The following table describes some of the Windows PowerShell cmdlets that are available for configuring IPv4.

Cmdlet                        Description of IPv4 configuration uses
New-NetIPAddress              Creates an IP address on an interface, with its prefix length (subnet mask) and, optionally, the default gateway
Set-NetIPAddress              Modifies an existing IP address and sets the subnet mask
Set-NetIPInterface            Enables or disables DHCP for an interface
New-NetRoute                  Adds routing table entries, including the default gateway (destination 0.0.0.0/0)
Set-NetRoute                  Modifies routing table entries, including the default gateway (0.0.0.0)
Set-DnsClientServerAddress    Configures the DNS servers that are used for an interface

The following code is an example of the Windows PowerShell cmdlets that you can use to configure the interface named Local Area Connection with the static IP address 10.10.0.10, the subnet mask of 255.255.0.0 (a prefix length of 16), and a default gateway of 10.10.0.1. New-NetIPAddress creates the address; Set-NetIPAddress only changes an address that already exists on the interface, and the parameter that takes the address on both cmdlets is -IPAddress. The second command adds the default route through the gateway; New-NetIPAddress can also do this in one step with its -DefaultGateway parameter.
New-NetIPAddress -InterfaceAlias "Local Area Connection" -IPAddress 10.10.0.10 -PrefixLength 16
New-NetRoute -InterfaceAlias "Local Area Connection" -DestinationPrefix 0.0.0.0/0 -NextHop 10.10.0.1

Additional Reading: For more information about Net TCP/IP cmdlets in Windows PowerShell, see: http://technet.microsoft.com/en-us/library/hh826123.
Question: Do any computers or devices in your organization have static IP addresses?
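The following Windows PowerShell script is an added example, not part of the course, that applies a complete static IPv4 configuration (address, mask, default gateway and DNS servers) to one interface and then verifies it. The interface alias, addresses and DNS servers are assumed values; it needs an elevated session on Windows Server 2012 or later, and because the existing address is removed before the new one is created, run it from the console or over an interface other than the one being changed.

```powershell
# Added example, not from the course: give one interface a complete static IPv4
# configuration and verify it. Alias, addresses and DNS servers are assumed values.
$alias   = 'Ethernet'            # Windows Server 2012 names the first adapter "Ethernet"
$address = '10.10.0.10'
$prefix  = 16                    # /16 = 255.255.0.0
$gateway = '10.10.0.1'
$dns     = '10.10.0.5', '10.10.0.6'

# 1. Turn the DHCP client off on this interface; otherwise a lease would come back
#    and compete with the static settings.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled

# 2. Clear any existing IPv4 address and default route on the interface, so the
#    script gives the same result whether or not it has run before.
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix 0.0.0.0/0 -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 3. Address, mask (as a prefix length) and default gateway in one call;
#    -DefaultGateway creates the 0.0.0.0/0 route that New-NetRoute would otherwise add.
New-NetIPAddress -InterfaceAlias $alias -IPAddress $address -PrefixLength $prefix -DefaultGateway $gateway | Out-Null

# 4. DNS servers for the interface (ipconfig /all lists them under "DNS Servers").
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dns

# 5. Verify: the per-interface equivalent of ipconfig /all and route print,
#    then check that the gateway answers.
Get-NetIPConfiguration -InterfaceAlias $alias
Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object InterfaceAlias, NextHop, RouteMetric
if (-not (Test-Connection -ComputerName $gateway -Count 2 -Quiet)) {
    Write-Warning "Default gateway $gateway did not answer; check the address, mask, cabling and whether the router filters ICMP"
}
```

Disabling DHCP first matters more than it looks: on an interface that still has DHCP enabled, a static address added with New-NetIPAddress coexists with the leased one, and the server can end up answering on two addresses with two default gateways.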

Configuring IPv4 Automatically
DHCP for IPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns additional IPv4 settings from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:
- Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.
- Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the entire network and prevent communication.

If you use a laptop to connect to multiple networks, such as at work and at home, each network might require a different IP configuration. Windows operating systems support the use of Automatic Private IP Addressing (APIPA) or an alternate static IP address for this situation. When you configure Windows-based computers to obtain an IPv4 address from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range, but with no default gateway or DNS server; this enables only limited functionality, that is, communication with other APIPA hosts on the same segment.
APIPA is useful for troubleshooting DHCP: if the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.

IPv4 Troubleshooting Tools
Most IPv4 connectivity troubleshooting is performed at a command line. Windows Server 2012 includes a number of command-line tools that help you diagnose network problems.

Ipconfig
Ipconfig is a command-line tool that displays the current TCP/IP network configuration. Additionally, you can use the ipconfig command to refresh DHCP and DNS settings. The following table describes the command-line options for ipconfig.

Command                 Description
ipconfig /all           View detailed configuration information
ipconfig /release       Release the leased configuration back to the DHCP server
ipconfig /renew         Renew the leased configuration
ipconfig /displaydns    View the DNS resolver cache entries
ipconfig /flushdns      Purge the DNS resolver cache

Ping
Ping is a command-line tool that verifies IP-level connectivity to another TCP/IP computer. It sends ICMP echo request messages and displays the receipt of corresponding echo reply messages. Ping is the primary TCP/IP command that you use to troubleshoot connectivity; however, firewalls might block the ICMP messages.

Tracert
Tracert is a command-line tool that identifies the path taken to a destination computer by sending a series of ICMP echo requests with increasing time-to-live (TTL) values, so that each router along the path in turn reports back. Tracert then displays the list of router interfaces between a source and a destination. This tool also indicates at which hop responses stop, and what the latency to each hop is. These results might not be accurate if a router is busy, because routers typically give ICMP packets a low priority.

Pathping
Pathping is a command-line tool that traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network. Pathping can provide greater detail, because it sends 100 packets for each router, which enables it to establish trends.

Route
Route is a command-line tool that allows you to view and modify the local routing table. You can use this to verify the default gateway, which is listed as the route 0.0.0.0. In Windows Server 2012, you can also use PowerShell cmdlets to view and modify the routing table. The cmdlets for viewing and modifying the local routing table include Get-NetRoute, New-NetRoute, and Remove-NetRoute.

Telnet
You can use the Telnet Client feature to verify whether a server port is listening. For example, the command telnet 10.10.0.10 25 attempts to open a connection with the destination server, 10.10.0.10, on port 25, SMTP. If the port is active and listening, it returns a message to the Telnet client.

Netstat
Netstat is a command-line tool that enables you to view network connections and statistics. For example, the command netstat -ab returns all listening ports and the executable that is listening.

Resource Monitor
Resource Monitor is a graphical utility that allows you to monitor system resource utilization. You can use Resource Monitor to view TCP and UDP ports that are in use. You can also verify which applications are using specific ports and the amount of data they are transferring on those ports.

Network Diagnostics
Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a Windows Server networking problem, the Diagnose Connection Problems option helps you diagnose and repair the problem. Windows Network Diagnostics returns a possible description of the problem and a potential remedy. However, the solution might require manual intervention from the user.

Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an error. When these events occur, the Windows operating system records the event in an appropriate event log. You can use Event Viewer to read the event log. IP conflicts are listed in the System event log and might prevent services from starting.


The Troubleshooting Process


The first step in troubleshooting a network problem is identifying the scope of the problem. The causes of a problem that affects a single user will most likely differ from a problem that affects all users. If a problem affects only a single user, then the problem is likely related to the configuration of that one computer. If a problem affects all users, then it is likely either a server configuration issue or a network configuration issue. If a problem affects only a group of users, then you need to determine the common denominator among that group of users.

To troubleshoot network communication problems, you need to understand the overall communication process. You can identify where the process is breaking down and preventing communication only if you understand how the overall communication process works. To understand the overall communication process, you need to understand the routing and firewall configuration on your network. To help identify the routing path through your network, you can use Tracert.

Some of the steps that you can use to identify the cause of network communication problems are:

1. If you know what the correct network configuration for the host should be, then use ipconfig to verify that it is configured that way. If ipconfig returns an address on the 169.254.0.0/16 network, it indicates that the host failed to obtain an IP address from DHCP.
2. Use ping to see if the remote host responds. If you ping the DNS name of the remote host, you verify both name resolution and whether the host responds. Be aware that Windows Firewall on member servers and client computers often blocks ping attempts. In such a case, lack of a ping response may not indicate that the remote host is not functional.
3. If you can ping other remote hosts on the same network, it often indicates that the problem is on the remote host. You can use an application to test the service you are connecting to on the remote host. For example, use Windows Internet Explorer to test connectivity to a web server. You can also use Telnet to connect to the port of the remote application.
4. Use ping to see if the default gateway responds. Most routers respond to ping requests. If you do not get a response when you ping the default gateway, then there is likely a configuration error on the client computer, such as the default gateway being configured incorrectly. It is also possible that the router is experiencing errors.

Note: You can force ping to use IPv4 instead of IPv6 by using the -4 option.

Question: Are there any other steps that you use to troubleshoot network connectivity problems?


What Is Network Monitor?


Network Monitor is a packet analyzer that enables you to capture and examine network packets on the network to which your computer is connected. Capturing packets is an advanced troubleshooting technique that helps you to identify unusual network problems and work towards a resolution. For example, by examining the packets transmitted on a network you may be able to see errors that are not reported by an application.

You can install Network Monitor on either endpoint in the communication process, or on a third computer. If you install Network Monitor on a third computer, then you must configure port mirroring on the network switches. Ensure that you configure port mirroring to copy the network packets that are destined for endpoints in the communication process to the switch port where the computer with Network Monitor is connected. Network Monitor can monitor the packets sent to other computers, because it operates in promiscuous mode.

You can download Network Monitor from the Microsoft download website and install it on a workstation that is running either Windows 8 or Windows Server 2012. Once installed, Network Monitor binds to the local network adapters. When you launch Network Monitor, you can view existing captures, or begin a new capture.

Using Network Monitor


Once you have captured network packets, you must be able to interpret what you see, and whether the behavior is expected or not. To help you, Network Monitor displays the packets in a summarized list in the Frame Summary pane. The Frame Summary pane displays all captured packets, and provides the following information:

- Time and date: this enables you to determine in which order the packets were transmitted.
- Source and destination: this provides the source and destination IP addresses so that you can determine which computers are involved in the dialog.
- Protocol name: the highest-level protocol that Network Monitor can identify is listed. For example, ARP, ICMP, TCP, SMB, and others. Knowing the high-level protocol enables you to pinpoint which services might be experiencing or causing the problem that you are troubleshooting.

When you select a frame in the Frame Summary pane, the Frame Details pane updates with the contents of that particular frame. You can step through the frame's details, examining the content of each element as you proceed. Each layer in the network architecture, from the application on down, encapsulates its data in the container of the layer below. In other words, an HTTP request is encapsulated in an IPv4 packet, which in turn is encapsulated in an Ethernet frame.

When you have gathered a large amount of data, it can be difficult to determine which frames are relevant to your specific problem. You can use filtering to show only those frames of interest. For example, you can select to show only DNS-related packets.


Demonstration: How to Capture and Analyze Network Traffic by Using Network Monitor
You can use Network Monitor to capture and view packets that are transmitted on the network. This allows you to view detailed information that would not normally be possible to see. This type of information can be useful for troubleshooting.

Demonstration Steps

Prepare to perform a packet capture


1. Log on to LON-SVR2 as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows PowerShell prompt and run the following command: ipconfig /flushdns
3. Open Network Monitor 3.4, and create a new capture tab.

Capture packets from a ping request


1. In Network Monitor, start a packet capture.
2. At the Windows PowerShell prompt, ping LON-DC1.adatum.com.
3. In Network Monitor, stop the packet capture.

View ICMP echo request and echo response packets


1. In Network Monitor, scroll down and select the first ICMP packet.
2. Expand the Icmp portion of the packet to view that it is an Echo Request. This is a ping request.
3. Expand the Ipv4 portion of the packet to view the source and destination IP addresses.
4. Expand the Ethernet portion of the packet to view the source and destination MAC addresses.
5. Select the second ICMP packet.
6. In the Icmp portion of the packet, verify that it is an Echo Reply. This is the response to the ping request.

Filter the display of packets for the DNSQueryName of LON-DC1.adatum.com


1. In Network Monitor, in the Display Filter pane, load the standard DNS filter DNSQueryName.
2. Edit the filter to apply for DNS queries for LON-DC1.adatum.com, and apply the filter.
3. Verify that the packets have been filtered to show only packets that match the filter.


Lab: Implementing IPv4


Scenario
A. Datum has an IT office and data center in London which supports the London location and other locations. They have recently deployed a Windows 2012 Server infrastructure with Windows 8 clients. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office. After a security review, your manager has asked you to calculate new subnets for the branch office to support segmenting network traffic. You also need to troubleshoot a connectivity problem on a server in the branch office.

Objectives
After completing this lab, you will be able to:

- Calculate subnets for a given set of requirements.
- Troubleshoot IPv4 connectivity issues.

Lab Setup
Estimated Time: 45 minutes

Logon Information
Virtual Machines: 20410A-LON-DC1, 20410A-LON-RTR, 20410A-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-RTR, and 20410A-LON-SVR2.

Exercise 1: Identifying Appropriate Subnets


Scenario
The new branch office is configured with a single subnet. After a security review, all branch office network configurations are being modified to place servers on a separate subnet from the client computers. You need to calculate the new subnet mask and the default gateways for the subnets in your branch. The current network for your branch office is 192.168.98.0/24. This network needs to be subdivided into three subnets as follows:


- One subnet with at least 100 IP addresses for clients
- One subnet with at least 10 IP addresses for servers
- One subnet with at least 40 IP addresses for future expansion

The main tasks for this exercise are as follows:

1. Calculate the bits required to support the hosts on each subnet.
2. Calculate subnet masks and network IDs.

Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?
2. How many bits are required to support 10 hosts on the server subnet?
3. How many bits are required to support 40 hosts on the future expansion subnet?
4. If all subnets are the same size, can they be accommodated?
5. Which feature allows a single network to be divided into subnets of varying sizes?
6. How many host bits will you use for each subnet? Use the simplest allocation possible.

Task 2: Calculate subnet masks and network IDs


1. Given the number of host bits allocated, what is the subnet mask that you will use for the client subnet? The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet mask.

   Binary:
   Decimal:

2. Given the number of host bits allocated, what is the subnet mask that you will use for the server subnet? The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.

   Binary:
   Decimal:

3. Given the number of host bits allocated, what is the subnet mask that you will use for the future expansion subnet? The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.

   Binary:
   Decimal:


4. For the client subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the client subnet is the first subnet allocated from the available address pool.

   Description    Binary    Decimal
   Network ID
   First host
   Last host
   Broadcast

5. For the server subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the server subnet is the second subnet allocated from the available address pool.

   Description    Binary    Decimal
   Network ID
   First host
   Last host
   Broadcast

6. For the future allocation subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the future allocation subnet is the third subnet allocated from the available address pool.

   Description    Binary    Decimal
   Network ID
   First host
   Last host
   Broadcast
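The subnet arithmetic that Tasks 1 and 2 ask for, worked in Python as an added example that is not part of the course material: host bits from a host count, the mask in binary and decimal, the equal-size check, and the network ID, first host, last host and broadcast for each subnet carved from 192.168.98.0/24 with the 7, 6 and 6 host bits the tasks state. The function names and the LAB_HOST_BITS list are this example's own.

```python
import ipaddress

# Constructed from the lab scenario: the branch network and the host counts
# required for each subnet, in the order in which the lab allocates them.
BRANCH_NETWORK = "192.168.98.0/24"
REQUIREMENTS = [("client", 100), ("server", 10), ("future", 40)]
# The host-bit allocation the lab text states (7, 6 and 6 bits); the server subnet
# gets more than its minimum so that the three subnets fill the /24 exactly.
LAB_HOST_BITS = [("client", 7), ("server", 6), ("future", 6)]


def host_bits_needed(hosts):
    """Smallest number of host bits whose usable range holds `hosts` addresses.
    Two addresses in every subnet are unusable: the network ID and the broadcast."""
    bits = 1
    while (2 ** bits) - 2 < hosts:
        bits += 1
    return bits


def mask_for_host_bits(host_bits):
    """Subnet mask for a prefix of (32 - host_bits) bits, as (binary, decimal)."""
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    octets = [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return (".".join(f"{o:08b}" for o in octets), ".".join(str(o) for o in octets))


def equal_size_possible(network, requirements):
    """Can all subnets be the same size? The shared size must hold the largest
    requirement, and the parent network must have room for that many of them."""
    base = ipaddress.IPv4Network(network)
    bits = host_bits_needed(max(hosts for _, hosts in requirements))
    return len(requirements) * (2 ** bits) <= base.num_addresses


def allocate_vlsm(network, host_bits_per_subnet):
    """Carve `network` into consecutive subnets of varying size, in the order
    given. Each entry records network ID, first and last host, and broadcast."""
    base = ipaddress.IPv4Network(network)
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    subnets = []
    for name, host_bits in host_bits_per_subnet:
        size = 2 ** host_bits
        # A subnet must start on a multiple of its own size and stay inside the parent.
        if cursor % size:
            raise ValueError(f"{name} subnet is not aligned on a {size}-address boundary")
        if cursor + size > end:
            raise ValueError(f"{name} subnet does not fit inside {network}")
        net = ipaddress.IPv4Network((cursor, 32 - host_bits))
        subnets.append({
            "name": name,
            "prefix": net.prefixlen,
            "mask": str(net.netmask),
            "network_id": str(net.network_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
        })
        cursor += size
    return subnets


def lab_allocation():
    """The three branch-office subnets using the host bits stated in the lab text."""
    return allocate_vlsm(BRANCH_NETWORK, LAB_HOST_BITS)


if __name__ == "__main__":
    for name, hosts in REQUIREMENTS:
        print(f"{name}: {hosts} hosts need {host_bits_needed(hosts)} host bits")
    print("equal-size subnets possible:", equal_size_possible(BRANCH_NETWORK, REQUIREMENTS))
    for s in lab_allocation():
        print(s["name"], f"/{s['prefix']}", s["network_id"], s["first_host"],
              s["last_host"], s["broadcast"])
```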

Results: After completing this exercise, you will have identified the subnets required to meet the requirements of the lab scenario.

Exercise 2: Troubleshooting IPv4


Scenario
A server in the branch office is unable to communicate with the domain controller in the head office. You need to resolve the network connectivity problem.


The main tasks for this exercise are as follows:

1. Prepare for troubleshooting.
2. Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1.

Task 1: Prepare for troubleshooting


1. On LON-SVR2, open Windows PowerShell and ping LON-DC1 and verify that it is functional.
2. Run the Break.ps1 script that is located in E:\Labfiles\Mod05. This script creates the problem that you will troubleshoot and repair in the next task.

Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1


1. Use your knowledge of IPv4 to troubleshoot and repair the connectivity problem between LON-SVR2 and LON-DC1. Consider using the following tools:
   - IPConfig
   - Ping
   - Tracert
   - Route
   - Network Monitor
2. When you have repaired the problem, ping LON-DC1 from LON-SVR2 to confirm that the problem is resolved.

Note: If you have additional time, run an additional break script from \\LON-DC1\E$\Labfiles\Mod05 and troubleshoot that problem.

Results: After completing this lab, you will have resolved an IPv4 connectivity problem.

To prepare for the next module


When you are finished the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.


Module Review and Takeaways


Review Questions
Question: You have just started as a server administrator for a small organization with a single location. The organization is using the 131.107.88.0/24 address range for the internal network. Is this a concern?

Question: You are working for an organization that provides web hosting services to other organizations. You have a single /24 network from your ISP for the web hosts. You are almost out of IPv4 addresses and have asked your ISP for an additional range of addresses. Ideally, you would like to supernet the existing network with the new network. Are there any specific requirements for supernetting?

Question: You have installed a new web-based application that runs on a non-standard port number. A colleague is testing access to the new web-based application, and indicates that he cannot connect to it. What are the most likely causes of his problem?

Best Practices
When implementing IPv4, use the following best practices:

- Allow for growth when planning IPv4 subnets. This ensures that you do not need to change your IPv4 configuration scheme.
- Define purposes for specific address ranges and subnets. This allows you to easily identify hosts based on their IP address and use firewalls to increase security.
- Use dynamic IPv4 addresses for clients. It is much easier to manage the IPv4 configuration for client computers by using DHCP than with manual configuration.
- Use static IPv4 addresses for servers. When servers have a static IPv4 address, it is easier to identify where services are located on the network.

Common Issues and Troubleshooting Tips


Common Issue                         Troubleshooting Tip
IP conflicts
Multiple default gateways defined
Incorrect IPv4 configuration


Tools
Tool                          Use for                                              Where to find it
Network Monitor               Capture and analyze network traffic                  Download from Microsoft web site
IPConfig                      View network configuration                           Command prompt
Ping                          Verify network connectivity                          Command prompt
Tracert                       Verify network path between hosts                    Command prompt
Pathping                      Verify network path and reliability between hosts    Command prompt
Route                         View and configure the local routing table           Command prompt
Telnet                        Test connectivity to a specific port                 Command prompt
Netstat                       View network connectivity information                Command prompt
Resource Monitor              View network connectivity information                Tools in Server Manager
Windows Network Diagnostics   Diagnose problem with a network connection           Properties of the network connection
Event Viewer                  View network related system events                   Tools in Server Manager


Module 6
Implementing DHCP
Contents:
Module Overview                              6-1
Lesson 1: Installing a DHCP Server Role      6-2
Lesson 2: Configuring DHCP Scopes            6-7
Lesson 3: Managing a DHCP Database           6-12
Lesson 4: Securing and Monitoring DHCP       6-16
Lab: Implementing DHCP                       6-21
Module Review and Takeaways                  6-26

Module Overview
Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server 2012 infrastructure. It is the primary means of distributing important network configuration information to network clients, and it provides configuration information to other network-enabled services, including Windows Deployment Services (Windows DS) and network access protection (NAP). To support and troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to deploy, configure, and troubleshoot the DHCP server role.

Objectives
After completing this module, you will be able to:

- Install the DHCP server role.
- Configure DHCP scopes.
- Manage a DHCP database.
- Secure and monitor the DHCP server role.


Lesson 1

Installing a DHCP Server Role


Using DHCP can help simplify client computer configuration. This lesson describes the benefits of DHCP, explains how the DHCP protocol works, and discusses how to control DHCP in a Windows Server 2012 network with Active Directory Domain Services (AD DS).

Lesson Objectives


After completing this lesson, you will be able to:

- Describe the benefits of using DHCP.
- Explain how DHCP allocates IP addresses to network clients.
- Explain how the DHCP lease generation process works.
- Explain how the DHCP lease renewal process works.
- Describe the purpose of a DHCP relay agent.
- Explain how a DHCP server role is authorized.
- Explain how to add and authorize the DHCP server role.

Benefits of Using DHCP


The DHCP protocol simplifies configuration of Internet Protocol (IP) clients in a network environment. Without using DHCP, each time you add a client to a network, you have to configure it with information about the network on which you installed it, including the IP address, the network's subnet mask, and the default gateway for access to other networks.

When you need to manage many computers in a network, managing them manually can become a time-consuming process. Many corporations manage thousands of computer devices, including handhelds, desktop computers, and laptops. It is not feasible to manually manage the network IP configurations for organizations of this size.

With the DHCP server role, you can help to ensure that all clients have appropriate configuration information; this helps to eliminate human error during configuration. When key configuration information changes in the network, you can update it using the DHCP server role without having to change the information directly on each computer.

DHCP is also a key service for mobile users who change networks often. DHCP enables network administrators to offer complex network-configuration information to nontechnical users, without users having to deal with their network-configuration details.

DHCP version 6 (v6) stateful and stateless configurations are supported for configuring clients in an IPv6 environment. Stateful configuration occurs when the DHCPv6 server assigns the IPv6 address to the client, along with additional DHCP data. Stateless configuration occurs when the subnet router assigns the IPv6 address automatically, and the DHCPv6 server only assigns other IPv6 configuration settings.


NAP is part of a new toolset that can prevent full access to the intranet for computers that do not comply with system health requirements. NAP with DHCP helps isolate potentially malware-infected computers from the corporate network. DHCP NAP enables administrators to ensure that DHCP clients are compliant with internal security policies. For example, all network clients must be up-to-date and have a valid, up-to-date antivirus program installed before they are assigned an IP configuration that allows full access to the intranet.

You can install DHCP as a role on a Windows Server 2012 Server Core installation. A Server Core installation allows you to create a server with a reduced attack surface. To manage DHCP from the Core server, you must install and configure the role from the command-line interface. You also can manage the Core DHCP role from a graphical user interface (GUI)-based console where the DHCP role is installed already.

How DHCP Allocates IP Addresses


DHCP allocates IP addresses on a dynamic basis, otherwise known as a lease. Although you can set the lease duration to unlimited, you typically set the duration for not more than a few hours or days. The default lease time for wired clients is eight days, and for wireless clients it is three days.

DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet.

For a computer to be considered a DHCP client, it has to be configured to obtain an IP address automatically. By default, every computer is configured to obtain an IP address automatically. In a network where a DHCP server is installed, a DHCP client will respond to a DHCP broadcast.

If a computer is configured with an IP address by an administrator, then that computer has a static IP address and is considered a non-DHCP client, and will not communicate with a DHCP server.

How DHCP Lease Generation Works


You use the four-step DHCP lease-generation process to assign an IP address to clients. Understanding how each step works helps you troubleshoot problems when clients cannot obtain an IP address. The four steps are:

1. The DHCP client broadcasts a DHCPDISCOVER packet to every computer in the subnet. Only a computer that has the DHCP server role, or a computer or router that is running a DHCP relay agent, responds. In the latter case, the DHCP relay agent forwards the message to the DHCP server with which it is configured.


2. A DHCP server responds with a DHCPOFFER packet. This packet contains a potential address for the client.
3. The client receives the DHCPOFFER packet. It might receive packets from multiple servers; in that case, it usually selects the server that made the fastest response to its DHCPDISCOVER. This typically is the DHCP server closest to the client. The client then broadcasts a DHCPREQUEST that contains a server identifier. This informs the DHCP servers that receive the broadcast which server's DHCPOFFER the client has chosen to accept.
4. The DHCP servers receive the DHCPREQUEST. Those servers that the client has not accepted use the message as notification that the client declines that server's offer. The chosen server stores the IP address client information in the DHCP database and responds with a DHCPACK message. If for some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER, the DHCP server sends a DHCPNAK message.

Additional Reading: For more information about how DHCP technology works, see: http://go.microsoft.com/fwlink/?LinkID=112075&clcid=0x409.

How DHCP Lease Renewal Works


When the DHCP lease reaches 50 percent of the lease time, the client attempts to renew the lease. This is an automatic process that occurs in the background. Computers might have the same IP address for a long time if they operate continually on a network without being shut down.

To renew the IP address lease, the client broadcasts a DHCPREQUEST message. The server that leased the IP address originally sends a DHCPACK message back to the client; this message contains any new parameters that have changed since the original lease was created.

Client computers also attempt renewal during the startup process. This is because client computers might have been moved while they were offline; for example, a laptop computer might be plugged into a new subnet. If renewal is successful, the lease period is reset. If the renewal is unsuccessful, then the client computer attempts to contact the configured default gateway. If the gateway does not respond, the client assumes that it is on a new subnet and enters the Discovery phase, where it attempts to obtain an IP configuration from any DHCP server.

The DHCP role on Windows Server 2012 supports a new feature, DHCP Server Failover protocol. This protocol enables synchronization of lease information between DHCP servers and increases DHCP service availability. If one DHCP server is not available, the other DHCP server continues to service clients in the same subnet.
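The lease-generation steps and the renewal process described in the two topics above, simulated end to end in Python as an added example that is not part of the course material. The server and client classes, the message dicts, the online flag and the use of list order to stand for response time are this simulation's own assumptions, not real DHCP packet formats.

```python
# Constructed simulation of the exchanges described above: the four-step lease
# generation (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK or DHCPNAK) and the
# renewal at 50 percent of the lease. Messages are plain dicts rather than real
# DHCP packet encodings, and a "broadcast" is delivered to every server in a list.

LEASE_WIRED = 8 * 24 * 3600   # default lease time for wired clients stated above (8 days)


class DhcpServer:
    def __init__(self, server_id, pool, lease_time=LEASE_WIRED):
        self.server_id = server_id   # identifier the client echoes in its DHCPREQUEST
        self.free = list(pool)       # addresses still available to offer
        self.leases = {}             # client MAC -> address, the "DHCP database"
        self.lease_time = lease_time
        self.online = True           # set False to simulate an unavailable server

    def handle_discover(self, msg):
        # Step 2: answer a DISCOVER with an OFFER of a potential address (not yet committed).
        if not self.online or not self.free:
            return None
        return {"type": "DHCPOFFER", "server_id": self.server_id,
                "yiaddr": self.free[0], "lease_time": self.lease_time}

    def handle_request(self, msg):
        # Step 4: a REQUEST naming another server is notice that our offer was declined.
        if not self.online or msg["server_id"] != self.server_id:
            return None
        mac, addr = msg["mac"], msg["requested"]
        if self.leases.get(mac) == addr or addr in self.free:
            if addr in self.free:
                self.free.remove(addr)
            self.leases[mac] = addr   # record the client/address binding
            return {"type": "DHCPACK", "server_id": self.server_id,
                    "yiaddr": addr, "lease_time": self.lease_time}
        # The address offered earlier is no longer available, so the lease is refused.
        return {"type": "DHCPNAK", "server_id": self.server_id}


class DhcpClient:
    def __init__(self, mac):
        self.mac = mac
        self.address = self.server_id = None
        self.lease_time = self.elapsed = 0
        self.log = []                # message types sent and received, in order

    def _request(self, servers, server_id, addr):
        req = {"type": "DHCPREQUEST", "mac": self.mac,
               "server_id": server_id, "requested": addr}
        self.log.append(req["type"])
        replies = [s.handle_request(req) for s in servers]   # every server sees it
        return next((r for r in replies if r), None)         # only the named server answers

    def obtain_lease(self, servers):
        """Steps 1-4. `servers` is ordered by response time, so the first OFFER
        received is the one the client accepts (the text's 'fastest response')."""
        self.log.append("DHCPDISCOVER")
        discover = {"type": "DHCPDISCOVER", "mac": self.mac}
        offers = [o for o in (s.handle_discover(discover) for s in servers) if o]
        self.log.extend(o["type"] for o in offers)
        if not offers:
            return None
        reply = self._request(servers, offers[0]["server_id"], offers[0]["yiaddr"])
        if reply is None:
            return None
        self.log.append(reply["type"])
        if reply["type"] != "DHCPACK":
            return None              # NAK: the client must start over with a new DISCOVER
        self.address, self.server_id = reply["yiaddr"], reply["server_id"]
        self.lease_time, self.elapsed = reply["lease_time"], 0
        return self.address

    def advance(self, seconds, servers, gateway_reachable=True):
        """Move the clock forward. At 50 percent of the lease the client sends a
        renewal REQUEST to its original server. If that fails and the default
        gateway does not answer, the client assumes a new subnet and re-discovers."""
        self.elapsed += seconds
        if self.address is None or self.elapsed < self.lease_time / 2:
            return self.address
        reply = self._request(servers, self.server_id, self.address)
        if reply is not None:
            self.log.append(reply["type"])
        if reply is not None and reply["type"] == "DHCPACK":
            self.lease_time, self.elapsed = reply["lease_time"], 0   # lease period reset
            return self.address
        if gateway_reachable:
            return self.address      # same subnet: keep the lease and retry later
        self.address = self.server_id = None
        return self.obtain_lease(servers)


if __name__ == "__main__":
    fast = DhcpServer("10.0.0.2", ["10.0.0.50", "10.0.0.51"])   # responds first
    slow = DhcpServer("10.0.0.3", ["10.0.0.80"])
    laptop = DhcpClient("00-15-5D-00-00-01")
    print("leased:", laptop.obtain_lease([fast, slow]))
    print("after 4 days:", laptop.advance(4 * 24 * 3600, [fast, slow]), laptop.log)
```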


What Is a DHCP Relay Agent


DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet. If there are a large number of subnets, it might be expensive to deploy servers for every subnet. A single DHCP server might service collections of smaller subnets.

For the DHCP server to respond to a DHCP client request, it must be able to receive DHCP requests. You can enable this by configuring a DHCP relay agent on each subnet. A DHCP relay agent is a computer or router that listens for DHCP broadcasts from DHCP clients and then relays them to DHCP servers in different subnets.

With the DHCP relay agent, the DHCP broadcast packets can be relayed into another IP subnet across a router. Then, you can configure the agent in the subnet that requires IP addresses. Additionally, you can configure the agent with the IP address of the DHCP server. The agent can then capture the client broadcasts and forward them to the DHCP server in another subnet. You can also relay DHCP packets into other subnets using a router that is compatible with Request for Comment (RFC) 1542.

DHCP Server Authorization


DHCP allows a client computer to acquire configuration information about the network in which it starts. DHCP communication typically occurs before any authentication of the user or computer; and because the DHCP protocol is based on IP broadcasts, an incorrectly configured DHCP server in a network can provide invalid information to clients. To avoid this, the server must be authorized. DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients.

Active Directory Requirements


You must authorize the Windows Server 2012 DHCP server role in AD DS before it can begin leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that contain multiple AD DS domains. Therefore, an Enterprise Administrator account must authorize the DHCP server.

Note: For authorization purposes, you must have an Enterprise Administrator in all domains with the exception of the forest root domain; in this instance, members of the Domain Admins group have adequate privilege to authorize a DHCP server.

Standalone DHCP Server Considerations


A standalone DHCP server is a computer that is running Windows Server 2012, that is not part of an AD DS domain, and that has the DHCP server role installed and configured. If the standalone DHCP server detects an authorized DHCP server in the domain, it does not lease IP addresses and shuts down automatically.

Rogue DHCP Servers


Many network devices have built-in DHCP server software, and many routers can act as a DHCP server. These servers do not take part in AD DS authorization at all: the authorization check is performed only by the Windows DHCP Server service, so a router or a non-Microsoft DHCP server that is enabled on a subnet answers client requests regardless of whether an authorized Windows DHCP server is present. Whichever server's offer reaches a client first wins, so such a rogue server can lease addresses, and hand out its own default gateway and DNS servers, to any client on the subnet.

Additional Reading:
For more information about DHCP Resources, see http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409.
For more information about the Networking Collection, see http://go.microsoft.com/fwlink/?LinkId=99883&clcid=0x409.

Demonstration: Adding the DHCP Server Role


Demonstration Steps

Install and authorize the DHCP server role
1. Switch to LON-SVR1.
2. Open Server Manager and install the DHCP Server role.
3. In the Add Roles and Features Wizard, accept all default settings.
4. Close Server Manager.


Lesson 2

Configuring DHCP Scopes


You must configure the DHCP scopes after you install the DHCP role on a server. A DHCP scope is the primary method by which you can configure options for a group of IP addresses. A DHCP scope is based on an IP subnet, and can have settings specific to hardware or to custom groups of clients. This lesson explains DHCP scopes, and how to manage them.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe the purpose of a DHCP scope.
• Describe a DHCP reservation.
• Describe the DHCP options.
• Describe the DHCP class-level options.
• Explain how DHCP options are applied.
• Create and configure a DHCP scope.

What Are DHCP Scopes?


A DHCP scope is a range of IP addresses that are available for lease, and that are managed by a DHCP server. A DHCP scope typically is confined to the IP addresses in a given subnet. For example, a scope for the network 192.168.1.0/24 (subnet mask of 255.255.255.0) supports a range from 192.168.1.1 through 192.168.1.254. When a computer or device in the 192.168.1.0/24 subnet requests an IP address, the scope that defined the range in this example allocates an address between 192.168.1.1 and 192.168.1.254.

Note: Remember that the DHCP server, if deployed to the same subnet, consumes an IPv4 address. This address should be excluded from the IPv4 address range.

To configure a scope, you must define the following properties:
• Name and description: This property identifies the scope.
• IP address range: This property lists the range of addresses that can be offered for lease, and usually lists the entire range of addresses for a given subnet.
• Subnet mask: This property is handed to clients with their address; a client uses it to decide which destinations are on its own subnet and which must go through the default gateway.
• Exclusions: This property lists single addresses or blocks of addresses that fall within the IP address range, but that will not be offered for lease.
• Delay: This property is the amount of time, in milliseconds, that the server waits before sending a DHCPOFFER. It is used when two servers cover the same subnet, so that the secondary server answers only when the primary does not.
• Lease duration: This property lists the lease duration. Use shorter durations for scopes with limited IP addresses, and longer durations for more static networks.
• Options: You can configure many optional properties on a scope, but typically you will configure:
  o option 003 Router (the default gateway for the subnet)
  o option 006 Domain Name System (DNS) Servers
  o option 015 DNS Domain Name (the DNS suffix)

IPv6 scopes

You can configure the IPv6 scope options as a separate scope, in the DHCP console's IPv6 node. There are several different options to modify, and an enhanced lease mechanism. When configuring a DHCPv6 scope, you must define the following properties:
• Name and description: This property identifies the scope.
• Prefix: The IPv6 address prefix is analogous to the IPv4 address range; in essence, it defines the network address.
• Exclusions: This property lists single addresses or blocks of addresses that fall within the IPv6 prefix but will not be offered for lease.
• Preferred and valid lifetimes: These properties define how long a leased address remains preferred for new connections, and how long it remains valid at all before the client must stop using it.
• Options: As with IPv4, you can configure many options.

What Is a DHCP Reservation?


It often is desirable to provide network devices, such as network printers, with a predetermined IP address. Using a DHCP reservation, you can ensure that the IP addresses that you set aside from a configured scope are not assigned to another device. A DHCP reservation is a specific IP address, within a scope, that is reserved permanently for lease to a specific DHCP client. A DHCP reservation also ensures that devices with reservations are guaranteed an IP address even if a scope is depleted of addresses. Configuring reservations enables you to centralize management of fixed IP addresses.

Configuring DHCP Reservations

To configure a reservation, you must know the device's network interface media access control (MAC) address or physical address. This address indicates to the DHCP server that the device should have a reservation. You can acquire a network interface's MAC address by using the ipconfig /all command. Typically, MAC addresses for network printers and other network devices are printed on the device. Most laptop computers also note this information on the bottom of their chassis.

The process for configuring a DHCP reservation includes the following steps:
1. Open the DHCP console.
2. Expand the DHCP scope, and then click Reservations.
3. Click More Actions, and then click New Reservation.
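The same procedure from Windows PowerShell, as an added example that is not part of the course manual: it converts a client's current lease into a reservation, so the MAC address is read from the lease instead of typed by hand. It assumes the DhcpServer module from the DHCP management tools, a scope 172.16.0.0 in which a client named LON-CL1 holds a lease, and the reserved address 172.16.0.55; those are the lab's values, not requirements.

```powershell
# Added example: promote an existing lease to a reservation with the DhcpServer
# module. Not course code. Scope, host name and reserved address are assumptions
# taken from the lab in this module; run on the DHCP server or add -ComputerName.
$Scope      = '172.16.0.0'
$HostName   = 'LON-CL1'
$ReservedIP = '172.16.0.55'

# 1. Find the client's current lease. Its ClientId is the MAC address in the
#    "aa-bb-cc-dd-ee-ff" form that Add-DhcpServerv4Reservation expects.
$lease = @(Get-DhcpServerv4Lease -ScopeId $Scope |
    Where-Object { $_.HostName -like "$HostName*" })

if ($lease.Count -eq 0) {
    throw "No lease for $HostName in scope $Scope; run ipconfig /renew on the client first."
}
if ($lease.Count -gt 1) {
    throw "More than one lease matches $HostName; supply the MAC address explicitly."
}
$lease = $lease[0]

# 2. Do not reserve an address that another client is currently using: that would
#    create the address conflict this module describes later. A lease lookup on
#    the address tells you who holds it, if anyone.
$holder = Get-DhcpServerv4Lease -ScopeId $Scope -IPAddress $ReservedIP -ErrorAction SilentlyContinue
if ($holder -and $holder.ClientId -ne $lease.ClientId) {
    throw "$ReservedIP is leased to $($holder.HostName) ($($holder.ClientId)) until $($holder.LeaseExpiryTime)."
}

# 3. Create the reservation. The address must lie in the scope's subnet; Windows
#    DHCP also accepts an address outside the distribution range (the lab reserves
#    .55 while the range starts at .100), which keeps reservations out of the pool.
Add-DhcpServerv4Reservation -ScopeId $Scope -IPAddress $ReservedIP `
    -ClientId $lease.ClientId -Name $HostName `
    -Description 'Accounting application client; head-office firewall rule is keyed on this IP'

# 4. Verify. The client keeps its old address until it renews, so finish with
#    ipconfig /release and ipconfig /renew on LON-CL1.
Get-DhcpServerv4Reservation -ScopeId $Scope -IPAddress $ReservedIP |
    Format-Table IPAddress, ClientId, Name, Type -AutoSize
```

The conflict check in step 2 matters because a reservation and a live lease for the same address are exactly the "address conflicts" case discussed at the end of this module: the reserved client and the current holder would both believe they own the address.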

What Are DHCP Options?


DHCP servers can configure more than just an IP address; they also provide information about network resources, such as DNS servers and the default gateway. DHCP options are values for common configuration data that applies to the server, scopes, reservations, and class options. You can apply DHCP options at the server, scope, user, and vendor levels. An option code identifies each DHCP option, and most option codes come from the RFC documentation found on the Internet Engineering Task Force (IETF) website.

Common DHCP Options


The following table lists the common option codes that Windows-based DHCP clients request.

Option code   Name
1             Subnet mask
3             Router
6             DNS servers
15            DNS domain name
44            WINS/NBNS servers (Windows Internet Naming Service / NetBIOS Name Service)
46            WINS/NetBT node type (WINS / NetBIOS over TCP/IP)
47            NetBIOS scope ID
51            Lease time
58            Renewal (T1) time value
59            Rebinding (T2) time value
31            Perform router discovery
33            Static route
43            Vendor-specific information
249           Classless static routes

Note that option 249 is Microsoft's pre-standard code for classless static routes; the IETF code for the same data (RFC 3442) is option 121, which non-Windows clients request instead.


How Are DHCP Options Applied?


DHCP applies options to client computers in the following order:
1. Server level. A server-level option is assigned to all DHCP clients of the DHCP server.
2. Scope level. A scope-level option is assigned to all clients of a scope.
3. Class level. A class-level option is assigned to all clients that identify themselves as members of a class.
4. Reserved client level. A reservation-level option is assigned to one DHCP client.

You need to understand these levels when you configure DHCP, so that you know which level's settings take priority when you configure different settings at multiple levels. If the DHCP option settings that are applied at each level conflict, the options that are applied last override the previously applied settings. For example, if the default gateway is configured at the scope level, and a different default gateway is applied for a reserved client, then the reserved client's setting becomes the effective setting.

You can also configure address assignment policies at the server level or scope level. An address assignment policy contains a set of conditions that you define in order to lease different DHCP IP addresses and settings to different types of DHCP clients, such as computers, laptops, network printers, or IP phones. The conditions defined in these policies can combine several criteria, such as the client's MAC address, vendor class, user class, client identifier or relay agent information, to differentiate the various types of clients.
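A worked example of the four levels and of a policy, added here and not taken from the course manual. It sets the DNS server option at server, scope and reservation level, reads back the value configured at each level, and adds a scope-level policy that gives IP phones (matched by vendor class) their own DNS server and a slice of the range. It assumes the DhcpServer module, the lab's scope 172.16.0.0 and reservation 172.16.0.55, assumed DNS server addresses, and a hypothetical vendor class string 'IPPhone' that you would replace with the string your phones actually send.

```powershell
# Added example: DHCP option precedence with the DhcpServer module. Not course
# code; scope, reservation, DNS addresses and the vendor class are assumptions.
# Run on the DHCP server (or add -ComputerName to every cmdlet).
$Scope      = '172.16.0.0'
$ReservedIP = '172.16.0.55'          # assumed to exist already (created in the lab)

# Server level: applies to every scope on this server that does not override it.
Set-DhcpServerv4OptionValue -OptionId 6  -Value '172.16.0.10'               # DNS servers
Set-DhcpServerv4OptionValue -OptionId 15 -Value 'adatum.com'                # DNS suffix

# Scope level: overrides the server value for this subnet only.
Set-DhcpServerv4OptionValue -ScopeId $Scope -OptionId 3 -Value '172.16.0.1' # Router
Set-DhcpServerv4OptionValue -ScopeId $Scope -OptionId 6 -Value '172.16.0.10', '172.16.0.11'

# Reservation level: this one client gets its own DNS server, whatever the scope says.
Set-DhcpServerv4OptionValue -ReservedIP $ReservedIP -OptionId 6 -Value '172.16.0.12'

# Class level, Windows Server 2012 style: a policy. The vendor class must exist
# before a policy can match on it ('IPPhone' is a hypothetical class string).
Add-DhcpServerv4Class -Name 'IPPhone' -Type Vendor -Data 'IPPhone' `
    -Description 'Hypothetical IP phone vendor class' -ErrorAction SilentlyContinue
Add-DhcpServerv4Policy -Name 'Phones' -ScopeId $Scope -Condition OR -VendorClass EQ, 'IPPhone*'
Set-DhcpServerv4OptionValue -ScopeId $Scope -PolicyName 'Phones' -OptionId 6 -Value '172.16.0.13'
# Phones also draw only from a sub-range of the scope (inside the range, outside
# the lab's 190-200 exclusion), which keeps them easy to spot in the lease list.
Add-DhcpServerv4PolicyIPRange -Name 'Phones' -ScopeId $Scope -StartRange 172.16.0.180 -EndRange 172.16.0.189

# Read back what is configured at each level. Reading the levels separately is
# how you find out where an unexpected value a client reports is coming from.
'--- server level ---'
Get-DhcpServerv4OptionValue -OptionId 6 | Select-Object OptionId, Value
'--- scope level ---'
Get-DhcpServerv4OptionValue -ScopeId $Scope -OptionId 6 | Select-Object OptionId, Value
'--- policy (class) level ---'
Get-DhcpServerv4OptionValue -ScopeId $Scope -PolicyName 'Phones' -OptionId 6 | Select-Object OptionId, Value
'--- reservation level ---'
Get-DhcpServerv4OptionValue -ReservedIP $ReservedIP -OptionId 6 | Select-Object OptionId, Value
```

After this runs, a normal client in the scope receives DNS servers 172.16.0.10 and 172.16.0.11 (scope beats server), a phone receives 172.16.0.13 (policy beats scope), and the reserved client receives 172.16.0.12 (reservation beats everything), which is the ordering the text above describes.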

Demonstration: Creating and Configuring a DHCP Scope


You can create scopes using either the Microsoft Management Console (MMC) snap-in for the DHCP server role, the Netsh network configuration command-line tool, or the DhcpServer Windows PowerShell module that is installed with the DHCP management tools. The Netsh and Windows PowerShell tools allow you to manage scopes remotely if the DHCP server is running on a Server Core installation of Windows Server 2012, and both are useful for scripting and automating server provisioning.

Demonstration Steps

Authorize the DHCP Server
1. Switch to LON-SVR1.
2. Open the DHCP console.
3. Authorize the lon-svr1.adatum.com server in AD DS.


Configure scope and scope options in DHCP


1. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand and right-click IPv4, and then click New Scope.
2. Create a new scope with the following properties:
   o Name: Branch Office
   o IP Address Range: 172.16.0.100 to 172.16.0.200
   o Length: 16
   o Subnet Mask: 255.255.0.0
   o Exclusions: 172.16.0.190 to 172.16.0.200
   o Other settings: use default values
   o Configure options: Router 172.16.0.1
3. Use default settings for all other pages, and then activate the scope.
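The whole demonstration (install the role, authorize the server, create and activate the Branch Office scope) as one script, added here as an example that is not part of the course manual. It uses the lab's names and addresses (LON-SVR1, scope 172.16.0.100 to 172.16.0.200 with a 16-bit mask, exclusion 172.16.0.190 to 172.16.0.200, router 172.16.0.1); the DNS server 172.16.0.10 and the suffix adatum.com are assumptions. It adds the checks a practitioner wants that the console does not force: that the authorization actually took, and that the server's own address is not inside the pool.

```powershell
# Added example: provision the lab's DHCP server end to end from PowerShell.
# Not course code. Addresses are the lab's; the DNS server and suffix are assumed.
# Run in an elevated session on LON-SVR1 as a member of Enterprise Admins.
$ScopeName  = 'Branch Office'
$ScopeId    = '172.16.0.0'
$StartRange = '172.16.0.100'
$EndRange   = '172.16.0.200'
$SubnetMask = '255.255.0.0'
$ExclStart  = '172.16.0.190'
$ExclEnd    = '172.16.0.200'
$Router     = '172.16.0.1'
$Dns        = '172.16.0.10'        # assumption: LON-DC1
$Suffix     = 'adatum.com'         # assumption

function ConvertTo-UInt32 ([string]$Dotted) {
    $b = ([ipaddress]$Dotted).GetAddressBytes(); [array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}
function Test-IpInRange ([string]$Ip, [string]$Start, [string]$End) {
    $n = ConvertTo-UInt32 $Ip
    ($n -ge (ConvertTo-UInt32 $Start)) -and ($n -le (ConvertTo-UInt32 $End))
}

# 1. Role and tools (what the Add Roles and Features Wizard does), then the two
#    local groups the wizard's post-install task creates; they are read at start.
Install-WindowsFeature -Name DHCP -IncludeManagementTools | Out-Null
Add-DhcpServerSecurityGroup
Restart-Service DHCPServer

# 2. Authorize in AD DS and stop if it did not take: a domain-joined server that is
#    not on the authorized list never answers a DHCPDISCOVER.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ip   = ([System.Net.Dns]::GetHostAddresses($fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1).IPAddressToString
Add-DhcpServerInDC -DnsName $fqdn -IPAddress $ip
if (-not (Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $fqdn })) {
    throw "$fqdn is not listed as authorized in AD DS; stop here."
}

# 3. Create the scope inactive, add exclusions and options, then activate it, so
#    no client ever sees a half-configured scope.
Add-DhcpServerv4Scope -Name $ScopeName -StartRange $StartRange -EndRange $EndRange `
    -SubnetMask $SubnetMask -State InActive -LeaseDuration (New-TimeSpan -Days 8)
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ExclStart -EndRange $ExclEnd

# The note earlier in this lesson: the server's own address must never be leasable.
if ((Test-IpInRange $ip $StartRange $EndRange) -and -not (Test-IpInRange $ip $ExclStart $ExclEnd)) {
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ip -EndRange $ip
}

# -Force skips the cmdlet's check that the DNS server answers, which fails in a
# lab where DNS is not reachable yet; leave it out in production so typos surface.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $Dns -DnsDomain $Suffix -Force
Set-DhcpServerv4Scope -ScopeId $ScopeId -State Active

# 4. Verify from the server side what the lab verifies on the client with ipconfig /all.
Get-DhcpServerv4Scope -ScopeId $ScopeId |
    Format-List Name, ScopeId, SubnetMask, StartRange, EndRange, State, LeaseDuration
Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value -AutoSize
```

Creating the scope with -State InActive and activating it last is the one ordering detail worth keeping even when you do this in the console: a scope that is active before its router and DNS options exist hands out addresses that cannot reach anything.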


Lesson 3

Managing a DHCP Database


The DHCP database stores information about the IP address leases. If there is a problem, it is important that you understand how to back up the database and resolve database issues. This lesson explains how to manage the database and its data.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe the DHCP database.
• Explain how to back up and restore a DHCP database.
• Explain how to reconcile a DHCP database.
• Explain how to move a DHCP database.

What Is a DHCP Database?


The DHCP database is a dynamic database containing data that relates to scopes, address leases, and reservations. The database also contains the data file that stores both the DHCP configuration information and the lease data for clients that have leased an IP address from the DHCP server. By default, the DHCP database files are stored in the %systemroot%\System32\Dhcp folder.

DHCP Service Database Files


The following table describes some of the DHCP service database files.

File                          Description
Dhcp.mdb                      The DHCP server database file.
Dhcp.tmp                      A temporary file that the DHCP database uses as a swap file during database index maintenance operations. Following a system failure, Dhcp.tmp sometimes remains in the %systemroot%\System32\Dhcp directory.
J50.log and J50#####.log      Logs of all database transactions. The DHCP database uses these logs to recover data when necessary.
J50.chk                       A checkpoint file.

Note: You should not remove or alter any of the DHCP service database files.


The DHCP server database is dynamic. It updates as DHCP clients are assigned, or as they release, their TCP/IP configuration parameters. Because the DHCP database is not a distributed database like the Windows Internet Name Service (WINS) server database, maintaining the DHCP server database is less complex.

By default, the DHCP database and related registry entries are backed up automatically at 60-minute intervals. You can change this default interval by changing the value (in minutes) of BackupInterval in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

You can also back up a DHCP database manually at any time.

Backing Up and Restoring a DHCP Database


You can back up a DHCP database manually, or you can configure it to back up automatically. An automatic backup is called a synchronous backup. A manual backup is called an asynchronous backup.

Automatic (Synchronous) Backup


The default backup path for the DHCP backup is %systemroot%\System32\Dhcp\Backup. As a best practice, you can modify this path in the server properties to point to another volume.

Manual (Asynchronous) Backup


If you have an immediate need to create a backup, you can run the manual backup option in the DHCP console. This action requires either administrative-level permissions, or that the user account be a member of the DHCP Administrators group.

What Is Backed Up?


When a synchronous or asynchronous backup occurs, the entire DHCP database is saved, including the following:
• All scopes
• Reservations
• Leases
• All options, including server options, scope options, reservation options, and class options
• All registry keys and other configuration settings (for example, audit log settings and folder location settings) that are set in DHCP server properties. These settings are stored in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

To back up this key on its own, open Registry Editor and export the specified key to a .reg file (a text file).

Note: The DNS dynamic update credentials (user name, domain, and password) that the DHCP server uses when registering DHCP client computers in DNS are not backed up with any backup method.


Restoring a Database


If you need to restore the database, use the Restore function in the DHCP server console. You will be prompted for the backup's location. After you have selected the location, the DHCP service stops, and the database is restored. To restore the database, the user account must either have administrative-level permissions, or be a member of the DHCP Administrators group.

Backup Security


When the DHCP database file is backed up, it should be in a protected location that only the DHCP administrators can access. This ensures that any network information in the backup files remains protected. A backup lists every scope, reservation, active lease and client MAC address, so anyone who can read it learns the layout of the network, and anyone who can restore it onto a server of their own obtains a ready-made rogue DHCP server.

Using Netsh


You also can use commands in the Netsh DHCP context to back up the database; this is useful for backing up the database to a remote location using a script file. The following command, run from the netsh dhcp server prompt, exports the DHCP data for all scopes to the named file:

export "c:\My Folder\Dhcp Configuration" all

To restore the DHCP database from that file, use the following command:

import "c:\My Folder\Dhcp Configuration" all

Note: The Netsh DHCP context does not exist on server computers without the DHCP Server role installed.

Additional Reading: For more information about backing up the DHCP database, see http://go.microsoft.com/fwlink/?LinkId=99889&clcid=0x409.
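A backup routine that does what this topic describes with the DhcpServer module rather than netsh, added here as an example that is not from the course manual: it moves and shortens the automatic backup, takes a manual backup into a folder that only administrators and DHCP Administrators can read (and that the DHCP Server service account can write), and records the DNS dynamic update account because, as the note above says, no backup contains it. The folder D:\DhcpBackup, the 15-minute interval and the account ADATUM\svc-dhcpdns are assumptions.

```powershell
# Added example: manual DHCP backup to a protected folder plus the automatic
# backup settings. Not course code; the folder, interval and DNS update account
# are assumptions. Run elevated on the DHCP server after the DHCP Administrators
# group exists (Add-DhcpServerSecurityGroup or the post-install wizard).
$BackupRoot = 'D:\DhcpBackup'
$Auto       = Join-Path $BackupRoot 'auto'
$Manual     = Join-Path $BackupRoot ('manual-' + (Get-Date -Format 'yyyyMMdd-HHmm'))

# 1. Create the folder and replace the inherited ACL. The DHCP Server service runs
#    as NETWORK SERVICE and must be able to write the automatic backups; DHCP
#    Administrators get read access only, so a backup cannot be tampered with
#    and then restored from the same account that manages the server day to day.
New-Item -Path $Auto -ItemType Directory -Force | Out-Null
icacls $BackupRoot /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' `
    'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)M' 'DHCP Administrators:(OI)(CI)RX' | Out-Null
icacls $BackupRoot

# 2. Automatic (synchronous) backups: off the system volume, every 15 minutes
#    instead of the default 60. The service reads the new path when it starts.
Set-DhcpServerDatabase -BackupPath $Auto -BackupInterval 15
Restart-Service DHCPServer
Get-DhcpServerDatabase | Format-List FileName, BackupPath, BackupInterval

# 3. Manual (asynchronous) backup: the whole database plus the DHCPServer\Parameters
#    registry settings, the same content as the console's Backup action.
Backup-DhcpServer -Path $Manual
Get-ChildItem $Manual -Recurse | Select-Object FullName, Length, LastWriteTime

# 4. What no backup contains: the DNS dynamic update credential. Record the account
#    now so it can be re-entered after a restore or on a rebuilt server.
Get-DhcpServerDnsCredential | Select-Object UserName, DomainName

# Restore, when it is needed (stops the service, replaces the database, restart):
#   Restore-DhcpServer -Path $Manual -Force
#   Restart-Service DHCPServer
#   Set-DhcpServerDnsCredential -Credential (Get-Credential 'ADATUM\svc-dhcpdns')
```

If the server has more than one volume, keep the automatic backup path off the volume that holds the live database; a disk failure that takes the database then does not take the only copy of it too.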

Reconciling a DHCP Database


Reconciling scopes can fix inconsistencies that can affect client computers. The DHCP Server service stores scope IP address lease information in two forms:
• Detailed IP address lease information, which the DHCP database stores
• Summary IP address lease information, which the server's registry stores

When you reconcile scopes, the detail and summary entries are compared to find inconsistencies. To correct and repair these inconsistencies, you must reconcile any scope inconsistencies. After you select and reconcile scope inconsistencies, the DHCP service either restores those IP addresses to the original owner, or creates a temporary reservation for those addresses. These reservations are valid for the lease time that is assigned to the scope. When the lease time expires, the addresses are then recovered for future use.


Moving a DHCP Database


In the event that you must move the DHCP server role to another server, it is also advisable that you move the DHCP database to the same server. This ensures that client leases are retained, and reduces the likelihood of client-configuration issues. You move the database by first backing it up on the old DHCP server. Then, shut down the DHCP service on the old DHCP server. Next, copy the DHCP database to the new server, where you can restore it using the normal database restore procedure.
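The reconcile and move procedures from the last two topics as one script, added here as an example that is not from the course manual. It uses the DhcpServer module's export and import instead of copying database files: reconcile first so the exported leases agree with the registry summary, deactivate the old server's scopes so nothing changes during the export, import on the new server, and move the AD DS authorization. LON-SVR1 and LON-SVR2 are the lab's servers; the file paths are assumptions.

```powershell
# Added example: reconcile the old server, then move configuration and leases to a
# new server. Not course code; file paths are assumptions. Run from a computer
# with the DHCP management tools, as a member of Enterprise Admins.
$Old  = 'LON-SVR1.adatum.com'
$New  = 'LON-SVR2.adatum.com'
$File = 'C:\Temp\dhcp-move.xml'

# 1. Reconcile every scope: compare the detailed lease records in the database with
#    the summary held in the registry. The first call only lists differences; the
#    second repairs them (restoring the lease or creating a temporary reservation).
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Old) {
    Repair-DhcpServerv4IPRecord -ComputerName $Old -ScopeId $scope.ScopeId -ReportOnly
    Repair-DhcpServerv4IPRecord -ComputerName $Old -ScopeId $scope.ScopeId -Force
}

# 2. Freeze the old server so no lease changes after the export, then export scopes,
#    options, classes, policies, reservations and (with -Leases) the active leases.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Old) {
    Set-DhcpServerv4Scope -ComputerName $Old -ScopeId $scope.ScopeId -State InActive
}
Export-DhcpServer -ComputerName $Old -File $File -Leases -Force

# 3. Import on the new server, which must already have the role installed.
#    -BackupPath is mandatory: it keeps the destination's pre-import state for rollback.
Import-DhcpServer -ComputerName $New -File $File -Leases `
    -BackupPath 'C:\Temp\dhcp-pre-import' -ScopeOverwrite -Force

# 4. Move the authorization so only the new server answers for these subnets.
$newIp = ([System.Net.Dns]::GetHostAddresses($New) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1).IPAddressToString
Remove-DhcpServerInDC -DnsName $Old
Add-DhcpServerInDC -DnsName $New -IPAddress $newIp
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 5. Two things the export does not carry and that bite after a move:
#    - the DNS dynamic update credential: set it again on $New with
#      Set-DhcpServerDnsCredential;
#    - every relay agent (and router helper address) still points at the old
#      server's IP, so remote subnets get no leases until those are changed.
```

Keeping the leases in the move is what stops clients from ending up in the "address conflicts" row of the troubleshooting table later in this module: without them the new server has no record of which addresses are in use and will offer them to new clients.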


Lesson 4

Securing and Monitoring DHCP


The DHCP protocol has no built-in method for authenticating users. This means that if you do not take precautions, IP leases could be granted to devices and users who are unauthorized. DHCP is a core service in many organizations' network environments. If the DHCP service is not working properly, or if there is a situation that is causing problems with the DHCP server, it is important that you can identify the problem and determine potential causes to resolve the problem. This lesson explains how to prevent unauthorized users from obtaining a lease, how to manage rogue DHCP servers, and how to configure DHCP servers so that a specific group can manage them.

Lesson Objectives


After completing this lesson, you will be able to:
• Explain how to prevent an unauthorized computer from obtaining a lease.
• Explain how to restrict unauthorized, non-Microsoft DHCP servers from leasing IP addresses.
• Explain how to delegate administration of the DHCP server role.
• Describe DHCP statistics.
• Describe DHCP audit logging.
• Identify common issues that are possible with DHCP.

Preventing an Unauthorized Computer from Obtaining a Lease

DHCP by itself can be difficult to secure: it is designed to work before the necessary information is in place for a client computer to authenticate with a domain controller. This is why you should take precautions to prevent unauthorized computers from obtaining a lease with DHCP. Basic precautions that you should take to limit unauthorized access include:
• Ensuring that you reduce physical access: If users can access an active network connection, their computers are likely to be able to obtain an IP address. If a network port is not being used, you should disconnect it physically from the switching infrastructure.
• Enabling audit logging on all DHCP servers: This provides a historical view of activity, and allows you to trace when an unauthorized user obtained an IP address in the network. Make sure to schedule time at regular intervals to review the audit logs.
• Requiring authenticated Layer 2 connections to the network: Most enterprise hardware switches now support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication, which provides port-level user authentication. Secure wireless standards, such as Wi-Fi Protected Access (WPA) Enterprise and WPA2 Enterprise, also use 802.1X authentication.
• Implementing NAP: Network Access Protection (NAP) allows administrators to validate that a client computer is compliant with system health requirements, such as running all the latest Windows operating system updates or running an up-to-date antivirus client. If users who do not meet security requirements try to access the network, they receive an IP address configuration that gives access only to a remediation network, where they can obtain the necessary updates. The administrator can restrict access to the network by allowing only healthy computers access to the internal local area network (LAN). Be aware that DHCP enforcement is the weakest NAP enforcement method: it only limits what the server hands out, and a user who configures a static IP address bypasses it entirely, which is why it is combined with 802.1X or IPsec enforcement where the restriction must hold.

Restricting Unauthorized, Non-Microsoft DHCP Servers from Leasing IP Addresses


Many devices and network operating systems have their own DHCP server implementations. Networks are almost never homogeneous, so it is possible that at some point a DHCP server that does not check for AD DS-authorized servers will be enabled on the network. In this case, clients might obtain incorrect configuration data.

To eliminate an unauthorized DHCP server, you must first locate it, and then prevent it from communicating on the network by disabling it physically, or by disabling its DHCP service.

If users complain that they do not have connectivity to the network, check the IP address of their DHCP server. Use the ipconfig /all command and read the DHCP Server field. If that address is not the IP address of an authorized DHCP server, there is probably a rogue server in the network. The MAC address behind that IP (arp -a on the affected client) identifies the device, and the switch's MAC address table identifies the port it is plugged into.

You can use the DHCP Server Locator utility (Dhcploc.exe) to locate the DHCP servers that are active on a subnet. Where the switches support it, DHCP snooping stops the problem at its source: the switch discards DHCP server messages (offers and acknowledgements) that arrive on ports not marked as trusted, so a rogue server on an access port never reaches a client.
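A check a practitioner can run instead of visiting each client: it reads the DHCP server address that every DHCP-enabled adapter reports (the same value ipconfig /all shows in its DHCP Server field) from a list of computers, compares it with the servers authorized in AD DS, and flags anything else as a probable rogue. This is an added example, not course code; the computer list is an assumption, and it assumes WMI access to those computers and the DHCP management tools on the computer that runs it. Dhcploc.exe remains the tool for a subnet the script cannot reach, because it listens for offers directly.

```powershell
# Added example: find clients that obtained their lease from an unauthorized server.
# Not course code. Assumes remote WMI access (the Windows Firewall "WMI" rule group)
# and the DhcpServer module; the computer list is an assumption. Nothing here
# talks to the rogue server itself.
function Get-UnauthorizedDhcpLease {
    param(
        [string[]]$ComputerName = @('LON-CL1', 'LON-CL2'),                    # assumption: lab clients
        [string[]]$Authorized   = (Get-DhcpServerInDC).IPAddress.IPAddressToString
    )
    foreach ($c in $ComputerName) {
        try {
            $cfgs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $c `
                        -Filter 'DHCPEnabled = TRUE AND IPEnabled = TRUE' -ErrorAction Stop
        } catch {
            Write-Warning "$c unreachable: $($_.Exception.Message)"
            continue
        }
        foreach ($cfg in $cfgs) {
            if (-not $cfg.DHCPServer) { continue }        # APIPA address or no lease yet
            [pscustomobject]@{
                Computer   = $c
                Adapter    = $cfg.Description
                ClientIP   = (@($cfg.IPAddress) | Where-Object { $_ -notmatch ':' }) -join ','
                DhcpServer = $cfg.DHCPServer
                Authorized = [bool]($Authorized -contains $cfg.DHCPServer)
                LeaseUntil = if ($cfg.DHCPLeaseExpires) { $cfg.ConvertToDateTime($cfg.DHCPLeaseExpires) } else { $null }
            }
        }
    }
}

# Anything with Authorized = False came from a rogue server, or from a server someone
# forgot to authorize; either way, find the device behind DhcpServer (arp -a on the
# client gives its MAC), unplug it or disable its DHCP service, then release and
# renew the client so it picks up a lease from an authorized server.
Get-UnauthorizedDhcpLease | Where-Object { -not $_.Authorized } |
    Format-Table Computer, Adapter, ClientIP, DhcpServer, LeaseUntil -AutoSize
```

Because a client keeps whichever offer arrived first, a rogue server that answers faster than the authorized one will show up in this report only on the clients it beat; run it across the whole subnet, not just the machines that complained.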

Delegating DHCP Administration


Ensure that only authorized persons can administer the DHCP server role. You can do this by performing either of the following tasks:
• Limit the membership of the DHCP Administrators group.
• Assign users that require read-only access to DHCP membership of the DHCP Users group.

The DHCP Administrators local group is used to restrict and grant access to administer DHCP servers. Therefore, the DHCP Administrators group is one of the built-in groups on domain controllers, or is a local group on member servers.

Permissions Required to Authorize and Administer DHCP


Authorization of a DHCP service is only available to Enterprise Administrators. If the need exists for a down-level administrator to authorize in the domain, use Active Directory delegation.
• DHCP Administrators. Any user in the DHCP Administrators group can manage the server's DHCP service.
• DHCP Users. Any user in the DHCP Users group has read-only access to the DHCP console.

What Are DHCP Statistics?


DHCP statistics provide information about DHCP activity and use. You can use them to determine quickly whether there is a problem with the DHCP service or with the network's DHCP clients. An example in which statistics might be useful is if the administrator notices an excessive number of negative acknowledgement (NAK) packets, which might indicate that the server is not providing the correct data to clients; a common cause is clients that were moved to another subnet and keep requesting the address they held before, which the server has to refuse. You can configure the refresh rate for the statistics on the General tab of the server's Properties window.

DHCP Server Statistics


DHCP server statistics provide an overview of DHCP server usage. You can use this data to understand quickly the state of the DHCP server. Information such as the number of offers, the number of requests, the total in-use addresses, and the total available addresses can help to provide a picture of the server's health.

DHCP Scope Statistics


DHCP scope statistics provide much fewer details, such as the total addresses in the scope, how many addresses are in use, and how many addresses are available. If you notice that there is a low number of addresses available in the server statistics, it might be that only one scope is near its depletion point. By using scope statistics, an administrator can quickly determine the status of the particular scope with respect to the addresses available.

What Is DHCP Audit Logging?


The DHCP audit log provides a traceable log of DHCP server activity. You can use this log to track lease requests, grants, and denials. This information allows you to troubleshoot DHCP server performance. The log files are stored in the %systemroot%\System32\dhcp folder by default. You can configure the log file settings in the server's Properties window.

The DHCP audit log files are named based on the weekday on which the file was created. For example, if audit logging is enabled on a Monday, the file name is DhcpSrvLog-Mon.log. There are therefore only seven files, and each is overwritten a week later; if you need more than a week of history for an investigation, copy the files to a protected location before they are overwritten.


Fields That Make Up a DHCP Audit Log


The following table describes the fields in a DHCP audit log.

Field          Description
ID             A DHCP server event ID code.
Date           The date on which this entry was logged on the DHCP server.
Time           The time at which this entry was logged on the DHCP server.
Description    A description of the DHCP server event.
IP Address     The IP address of the DHCP client.
Host Name      The host name of the DHCP client.
MAC Address    The MAC address used by the client's network adapter hardware.

Common Event ID Codes


Common event ID codes include the following, shown here in the log's own comma-separated format:

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/22/99,22:35:10,Started,,,,
56,06/22/99,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/22/99,22:45:38,Authorized(servicing),,domain1.local,,
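A parser for the audit log format described in this topic, followed by the server and scope statistics from the previous topics, as an added example that is not course code. The log lines in it are constructed for the example, in the comma-separated field order listed above; the Windows Server 2012 log appends further columns after MAC Address, which the parser ignores. Event IDs 00, 55 and 56 are the ones shown above; IDs 10 through 16 (the lease events) come from the legend printed at the top of every DhcpSrvLog file and are included as known values. Note the ID 56 line: its Description contains a comma and is not quoted, so a plain split on commas misplaces every field after it, which is why the parser locates the IP Address field rather than counting columns.

```powershell
# Added example: parse DHCP audit logs in the field order this topic documents and
# pull out the events worth acting on. Not course code. The sample lines are
# constructed; real files are %systemroot%\System32\dhcp\DhcpSrvLog-<Day>.log and
# may carry extra columns after MAC Address, which this parser ignores.
$KnownIds = @{
    '00' = 'Log started'                                    # from this topic
    '10' = 'New lease'                                      # 10-16: legend at the top
    '11' = 'Lease renewed'                                  # of every DhcpSrvLog file
    '12' = 'Lease released'
    '13' = 'Address found in use on the network (conflict)'
    '14' = 'Lease denied: scope address pool exhausted'
    '15' = 'Lease denied'
    '16' = 'Lease deleted'
    '55' = 'Authorized (servicing)'                         # from this topic
    '56' = 'Authorization failure, stopped servicing'
}

function ConvertFrom-DhcpAuditLog {
    param([string[]]$Lines)
    $ipRx = '^\s*(\d{1,3}\.){3}\d{1,3}\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*\d{2}\s*,') { continue }   # skip header and legend lines
        $f = $line.Split(',')
        # Description is unquoted and may contain commas (ID 56), so find the IP
        # Address field as the first field after it that is empty or an IPv4 address.
        $i = 4
        while ($i -lt $f.Count -and $f[$i].Trim() -ne '' -and $f[$i] -notmatch $ipRx) { $i++ }
        $id = $f[0].Trim()
        [pscustomobject]@{
            Id          = $id
            When        = [datetime]::ParseExact("$($f[1].Trim()) $($f[2].Trim())", 'MM/dd/yy HH:mm:ss', [cultureinfo]::InvariantCulture)
            Description = ($f[3..($i - 1)] -join ',').Trim()
            Event       = if ($KnownIds.ContainsKey($id)) { $KnownIds[$id] } else { "Unknown ID $id" }
            IPAddress   = if ($i     -lt $f.Count) { $f[$i].Trim() }     else { '' }
            HostName    = if ($i + 1 -lt $f.Count) { $f[$i + 1].Trim() } else { '' }
            MacAddress  = if ($i + 2 -lt $f.Count) { $f[$i + 2].Trim() } else { '' }
        }
    }
}

# Constructed sample in the documented layout; hosts and MAC addresses are made up.
$Sample = @(
    'ID,Date,Time,Description,IP Address,Host Name,MAC Address',
    '00,06/22/99,22:35:10,Started,,,,',
    '55,06/22/99,22:45:38,Authorized(servicing),,domain1.local,,',
    '10,06/22/99,22:46:02,Assign,172.16.0.101,LON-CL1.adatum.com,00155D010203',
    '11,06/22/99,23:10:15,Renew,172.16.0.101,LON-CL1.adatum.com,00155D010203',
    '13,06/22/99,23:12:40,Conflict,172.16.0.102,,',
    '14,06/22/99,23:15:01,Scope Full,172.16.0.0,,',
    '14,06/22/99,23:15:07,Scope Full,172.16.0.0,,',
    '56,06/23/99,08:01:22,Authorization failure, stopped servicing,,domain1.local,,'
)
$events = ConvertFrom-DhcpAuditLog -Lines $Sample

# Summary by event. A run of 14s means a scope is full, 13s mean conflict detection
# found an address in use, and a 56 means the server stopped serving: check AD DS
# authorization before anything else.
$events | Group-Object Event | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$events | Where-Object { $_.Id -in '13', '14', '56' } |
    Format-Table When, Id, Event, IPAddress, HostName -AutoSize

# Against the live logs (the seven DhcpSrvLog-<Day>.log files are overwritten weekly):
#   $logs   = Get-ChildItem (Join-Path (Get-DhcpServerAuditLog).Path 'DhcpSrvLog-*.log')
#   $events = $logs | ForEach-Object { ConvertFrom-DhcpAuditLog -Lines (Get-Content $_.FullName) }

# Cross-check with the counters from the statistics topics: rising NAK and decline
# counts, or a scope near 100 % in use, corroborate what the log shows.
Get-DhcpServerv4Statistics | Format-List
Get-DhcpServerv4ScopeStatistics | Format-Table -AutoSize
```

On the constructed sample the summary lists two pool-exhaustion events, one conflict and one authorization failure, and the ID 56 line parses with the full description "Authorization failure, stopped servicing" and the host name domain1.local in the right column.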

Discussion: Common DHCP Issues


The following table describes some common DHCP issues. Enter the possible solutions in the Solution column, and then discuss them with the class.


Issue: Address conflicts
Description: The same IP address is offered to two different clients.
Example: An administrator deletes a lease. However, the client that had the lease is still operating as if the lease is valid. If the DHCP server does not verify the IP address, it might lease the IP to another machine, causing an address conflict. This can also occur if two DHCP servers have overlapping scopes.
Solution:

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead receives an Automatic Private IP Addressing (APIPA) self-assigned address.
Example: If a client's network card driver is configured incorrectly, it might cause a failure to obtain a DHCP address. Additionally, the DHCP server or relay agent on the client's subnet.
Solution:

Issue: Address obtained from an incorrect scope
Description: The client is obtaining an IP address from the wrong scope, causing it to experience communication problems.
Example: If the client is connected to the wrong network or the DHCP relay agent is incorrectly configured, this error could occur.
Solution:

Issue: DHCP database suffers data corruption or loss
Description: The DHCP database becomes unreadable or is lost due to a hardware failure.
Example: A hardware failure can cause the database to become corrupted.
Solution:

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's IP scopes have been depleted. Any new clients requesting an IP address are refused.
Example: If all the IPs assigned to a scope are leased, this error occurs.
Solution:


Lab: Implementing DHCP


Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations as well. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have recently accepted a promotion to the server support team. One of your first assignments is to configure the infrastructure service for a new branch office. As part of this assignment, you need to configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are configured with static IP addresses and do not use DHCP.

Objectives
After performing this lab you will be able to:
• Install and configure the DHCP server role.
• Configure the DHCP scope and options.
• Configure a client computer to use DHCP, and then test the configuration.
• Configure a lease as a reservation.
• Install and configure a DHCP relay.
• Test DHCP relay with a client.

Lab Setup
Estimated Time: 75 minutes

Logon Information
Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1, 20410A-LON-RTR, 20410A-LON-CL1, 20410A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.


6. For the optional Exercise 2, you should repeat steps 2 to 4 for 20410A-LON-RTR, 20410A-LON-SVR2, and 20410A-LON-CL2.

Exercise 1: Implementing DHCP


Scenario
As part of configuring the infrastructure for the new branch office, you need to configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are configured with static IP addresses and usually do not use DHCP for obtaining IP addresses.

One of the client computers in the branch office needs to access an accounting application in the head office. The network team uses firewalls based on IP addresses to restrict access to this application. The network team has requested that you assign a static IP address to this client computer. Rather than configuring a static IP address on the client computer manually, you decide to create a reservation in DHCP for the client computer.

The main tasks for this exercise are as follows:
1. Install the DHCP server role.
2. Configure the DHCP scope and options.
3. Configure the client to use DHCP, and then test the configuration.
4. Configure a lease as a reservation.

Task 1: Install DHCP server role


1. Switch to LON-SVR1.
2. Open Server Manager, and install the DHCP Server role.
3. In the Add Roles and Features Wizard, accept all defaults.

Task 2: Configure the DHCP scope and options


1. Switch to LON-SVR1.
2. In Server Manager, open the DHCP console.
3. Authorize the lon-svr1.adatum.com server in AD DS.
4. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
5. Create a new scope with the following properties:
   o Name: Branch Office
   o IP Address Range: 172.16.0.100 to 172.16.0.200
   o Length: 16
   o Subnet Mask: 255.255.0.0
   o Exclusions: 172.16.0.190 to 172.16.0.200
   o Configure options: Router 172.16.0.1
   o For all other settings, use default values
6. Activate the scope.

Task 3: Configure client to use DHCP and then test the configuration
1. To configure a client, switch to LON-CL1.
2. Reconfigure the Local Area Connection using the following information:
   o Configure Internet Protocol Version 4 (TCP/IPv4)
   o Obtain an IP address automatically
   o Obtain DNS server address automatically
3. Open a command prompt, and initiate the DHCP process using the ipconfig /renew command.
4. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by typing the following at the command prompt: ipconfig /all

This command returns information such as the IP address, the subnet mask and the DHCP Enabled status, which should be Yes.

Task 4: Configure a lease as a reservation


1. Switch to LON-CL1.
2. In a command prompt, type ipconfig /all to display the physical address of the network adapter.
3. Switch to LON-SVR1.
4. Open the DHCP console.
5. In the DHCP console, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office scope, right-click Reservations, and then click New Reservation.
6. Create a new reservation for LON-CL1 using the physical address of the LON-CL1 network adapter, and the IP address 172.16.0.55.
7. On LON-CL1, use the ipconfig command to renew and then verify the IP address.
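The same four tasks as PowerShell, added here as an example and not part of the course lab. It uses the DhcpServer and NetTCPIP modules that ship with Windows Server 2012 and Windows 8. Assumptions not stated in the lab: LON-SVR1 listens on 172.16.0.21 (the address Exercise 2 relays to), the client adapter is named "Local Area Connection", and the client MAC address is read from the adapter rather than typed in. Run Install-BranchDhcp and Add-ClientReservation on LON-SVR1 as a domain administrator (authorization writes to AD DS); run Set-ClientToDhcp on LON-CL1.

```powershell
# Added example: Lab Exercise 1 (install role, authorize, scope, options,
# client switch to DHCP, reservation) as PowerShell. Not part of the course text.

function Install-BranchDhcp {
    param(
        [string]$ServerFqdn   = 'lon-svr1.adatum.com',
        [string]$ServerIp     = '172.16.0.21',     # assumed: the address Exercise 2 relays to
        [string]$ScopeName    = 'Branch Office',
        [string]$ScopeId      = '172.16.0.0',      # network ID of the /16 scope
        [string]$StartRange   = '172.16.0.100',
        [string]$EndRange     = '172.16.0.200',
        [string]$SubnetMask   = '255.255.0.0',
        [string]$ExcludeStart = '172.16.0.190',
        [string]$ExcludeEnd   = '172.16.0.200',
        [string]$Router       = '172.16.0.1'
    )

    # Task 1: the role plus its management tools (DHCP console and cmdlets).
    Install-WindowsFeature -Name DHCP -IncludeManagementTools | Out-Null

    # Task 2: authorize in AD DS. A domain-joined Windows DHCP server refuses
    # to lease addresses until it is authorized; this is the built-in control
    # against rogue Windows DHCP servers (non-Windows devices are not covered).
    if (-not (Get-DhcpServerInDC | Where-Object IPAddress -eq $ServerIp)) {
        Add-DhcpServerInDC -DnsName $ServerFqdn -IPAddress $ServerIp
    }

    # Create the scope already active, then carve out the exclusion range.
    Add-DhcpServerv4Scope -Name $ScopeName -StartRange $StartRange -EndRange $EndRange `
        -SubnetMask $SubnetMask -State Active
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ExcludeStart -EndRange $ExcludeEnd

    # Option 003 (Router) at scope level; scope options override server options.
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router

    Get-DhcpServerv4Scope -ScopeId $ScopeId
}

function Set-ClientToDhcp {
    # Task 3, run on LON-CL1: drop any static address, enable DHCP for the
    # address and the DNS servers, renew, and return what the client received.
    param([string]$AdapterName = 'Local Area Connection')   # assumed adapter name

    $static = Get-NetIPAddress -InterfaceAlias $AdapterName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              Where-Object PrefixOrigin -eq 'Manual'
    if ($static) {
        Remove-NetRoute -InterfaceAlias $AdapterName -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
        $static | Remove-NetIPAddress -Confirm:$false
    }
    Set-NetIPInterface -InterfaceAlias $AdapterName -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $AdapterName -ResetServerAddresses
    ipconfig /renew | Out-Null

    $ip = Get-NetIPAddress -InterfaceAlias $AdapterName -AddressFamily IPv4
    [pscustomobject]@{
        Address      = $ip.IPAddress
        PrefixLength = $ip.PrefixLength
        FromDhcp     = ($ip.PrefixOrigin -eq 'Dhcp')
        MacAddress   = (Get-NetAdapter -Name $AdapterName).MacAddress   # feed this to Add-ClientReservation
    }
}

function Add-ClientReservation {
    # Task 4, run on LON-SVR1: bind the client's MAC to a fixed address in the scope.
    # A reservation only ties the address to a MAC that any host on the segment
    # can spoof, so an IP-based firewall rule is not by itself proof of identity.
    param(
        [Parameter(Mandatory)][string]$ClientMac,   # e.g. '00-15-5D-00-00-0A' from Set-ClientToDhcp
        [string]$ScopeId    = '172.16.0.0',
        [string]$IPAddress  = '172.16.0.55',
        [string]$ClientName = 'LON-CL1'
    )
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $IPAddress `
        -ClientId $ClientMac -Name $ClientName -Description 'Accounting application client'
    Get-DhcpServerv4Reservation -ScopeId $ScopeId
}
```

After Add-ClientReservation, run ipconfig /renew on LON-CL1 again; the lease moves from the dynamic pool to 172.16.0.55 on the next renewal, which Get-DhcpServerv4Lease -ScopeId 172.16.0.0 on the server shows with AddressState Active and a reservation type.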

Task 5: To prepare for the optional exercise


If you are going to complete the optional lab, revert the following virtual machines: 20410A-LON-CL1 and 20410A-LON-SVR1.

Results: After completing these tasks, you will have implemented DHCP, configured a DHCP scope and options, and configured a DHCP reservation.

Exercise 2: Implementing a DHCP Relay (Optional Exercise)


Scenario
Your manager has asked you to configure a DHCP relay for another subnet in your branch office. This avoids the need to configure an additional DHCP server on the subnet.

The main tasks for this exercise are as follows:
1. Install DHCP relay.
2. Configure DHCP relay.
3. Test DHCP relay with client.

Task 1: Install DHCP relay


1. Switch to LON-RTR.
2. In Server Manager, open Routing and Remote Access.
3. Use the following steps to add the DHCP Relay Agent to the router:
   o In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.
   o In the Routing protocols list, click DHCP Relay Agent and then click OK.

Task 2: Configure DHCP relay


1. Open Routing and Remote Access.
2. Use the following steps to configure the DHCP Relay Agent:
   o In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
   o In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.
   o In the DHCP Relay Properties - Local Area Connection 2 Properties dialog box, click OK.
   o Right-click DHCP Relay Agent and then click Properties.
   o In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click Add, and then click OK.
3. Close Routing and Remote Access.

Task 3: Test DHCP relay with client


Note: In order to test how a client receives an IP address from DHCP Relay in another subnet, we need to create another DHCP scope.
1. Switch to LON-SVR1.
2. Open the DHCP console.
3. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
4. Create a new scope with the following properties:
   o Name: Branch Office 2
   o IP Address Range: 10.10.0.100-10.10.0.200
   o Length: 16
   o Subnet Mask: 255.255.0.0
   o Exclusions: 10.10.0.190-10.10.0.200
   o Configure options: Router 10.10.0.1
   o For all other settings use default values
5. Activate the scope.
6. To test the client, switch to LON-CL2.
7. Open the Network and Sharing Center window and configure Local Area Connection, Internet Protocol Version 4 (TCP/IPv4) properties with the following settings:
   o Obtain IP address automatically
   o Obtain DNS server address automatically
8. Open the command prompt.
9. In the command prompt, type the following command: ipconfig /renew
10. Verify that the IP address and DNS server settings on LON-CL2 are obtained from the DHCP Server scope installed on LON-SVR1.

Note: The IP address should be from the following range: 10.10.0.100/16 to 10.10.0.200/16.
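A check for step 10, added here as an example and not part of the course lab. The relay agent on LON-RTR rewrites the client's broadcast into a unicast to 172.16.0.21 and fills the relay-agent address field with its own 10.10.0.1 interface address; the server uses that field to pick the Branch Office 2 scope. So the lease is proof of relaying only if the granting server is LON-SVR1, which is not on the client's subnet. Win32_NetworkAdapterConfiguration records the granting server, which the Get-NetIPAddress output does not show. Assumed: the LON-CL2 adapter is named "Local Area Connection".

```powershell
# Added example: run on LON-CL2 after the relay and the Branch Office 2 scope exist.
# Not part of the course text.

function ConvertTo-UInt32Address {
    # Dotted IPv4 string -> unsigned integer, so ranges can be compared numerically.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-RelayedLease {
    param(
        [string]$AdapterName    = 'Local Area Connection',   # assumed adapter name
        [string]$ExpectedServer = '172.16.0.21',             # LON-SVR1, on the other subnet
        [string]$RangeStart     = '10.10.0.100',
        [string]$RangeEnd       = '10.10.0.200'
    )

    ipconfig /renew | Out-Null

    $index = (Get-NetAdapter -Name $AdapterName).InterfaceIndex
    $cfg   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $index"
    $ipv4  = @($cfg.IPAddress | Where-Object { $_ -notmatch ':' })[0]   # first IPv4 address

    $addr = ConvertTo-UInt32Address $ipv4
    $result = [pscustomobject]@{
        Address       = $ipv4
        DhcpEnabled   = $cfg.DHCPEnabled
        DhcpServer    = $cfg.DHCPServer                 # server that granted the lease
        InScopeRange  = ($addr -ge (ConvertTo-UInt32Address $RangeStart)) -and
                        ($addr -le (ConvertTo-UInt32Address $RangeEnd))
        ServedByRelay = ($cfg.DHCPServer -eq $ExpectedServer)
        DnsServers    = $cfg.DNSServerSearchOrder -join ','
    }
    if (-not ($result.DhcpEnabled -and $result.InScopeRange -and $result.ServedByRelay)) {
        Write-Warning "Lease did not come from the relayed scope on $ExpectedServer"
    }
    $result
}

Test-RelayedLease
```

On LON-SVR1, Get-DhcpServerv4Lease -ScopeId 10.10.0.0 should list the same address with LON-CL2's MAC as the client ID; if the client instead shows no address, check that UDP 67 from 10.10.0.1 reaches 172.16.0.21 and that the scope is active.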

Results: After completing these tasks, you will have implemented DHCP relay agent.

To prepare for the next module


When you are finished with the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.


Module Review and Takeaways


Module Review Questions
Question: You have two subnets in your organization and want to use DHCP to allocate addresses to client computers in both subnets. You do not want to deploy two DHCP servers. What factors must you consider?

Question: Your organization has grown, and your IPv4 scope is almost out of addresses. What should you do?

Question: What information do you require to configure a DHCP reservation?

Question: Can you configure option 003 Router as a Server-level DHCP scope option?

Best Practices
• Spend time designing your IP addressing scheme so that it will accommodate both your current IT infrastructure and any potential future IT infrastructure needs.
• Determine which devices need DHCP reservations, such as network printers, network scanners, or IP-based cameras.
• Secure your network from non-authorized, rogue DHCP servers. AD DS authorization only stops Windows-based DHCP servers from starting; stopping other devices from answering DHCP requests requires a control on the access switches, such as DHCP snooping.
• Configure the DHCP database on highly available disk drive configurations, such as redundant array of independent disks (RAID) 5 or RAID 1, to provide DHCP service availability in case of single disk failure.
• Back up the DHCP database regularly, and test the restore procedure in an isolated, non-production environment.
• Monitor the system utilization of DHCP servers, and upgrade the hardware of the DHCP server if needed, in order to provide better service performance.

Tools
Tool              Use for                                                                                          Where to find it
IPConfig.exe      Managing and troubleshooting client IP settings                                                  Command line
Netsh.exe         Configuring both client and server-side IP settings, including those for the DHCP server role   Command line
Regedit.exe       Editing and fine-tuning settings, including those for the DHCP server role                      Windows interface or command line
Network Monitor   Capture and analyze DHCP traffic on a subnet                                                     Download from the Microsoft website


Module 7
Implementing DNS
Contents:
Module Overview                                                   7-1
Lesson 1: Name Resolution for Windows Clients and Servers         7-2
Lesson 2: Installing and Managing a DNS Server                    7-10
Lesson 3: Managing DNS Zones                                      7-16
Lab: Implementing DNS                                             7-20
Module Review and Takeaways                                       7-25

Module Overview
Name resolution, one of the most important concepts of every network infrastructure, is the process of software translating between names that users can read and understand, and numerical IP addresses, which are necessary for TCP/IP communications. Client computers use the name resolution process when locating hosts on the Internet, and when locating other hosts and services in an internal network. Domain Name System (DNS) is one of the most common technologies for name resolution. Active Directory Domain Services (AD DS) depends heavily on DNS, as does Internet traffic. This module discusses some basic name resolution concepts as well as installing and configuring the DNS service and its components.

Objectives
After completing this module, you will be able to:
• Describe name resolution for Windows operating system clients and Windows Server servers
• Install and manage DNS service
• Manage DNS zones


Lesson 1

Name Resolution for Windows Clients and Servers
You can configure a computer to communicate over a network by using a name in place of an IP address. The computer uses name resolution to find an IP address that corresponds to a name, such as a host name. This lesson focuses on different types of computer names, the methods used to resolve them, and how to troubleshoot problems with name resolution.

Lesson Objectives

After completing this lesson you will be able to:
• Describe computer names.
• Describe DNS.
• Describe DNS zones and records.
• Describe how Internet DNS names are resolved.
• Describe Link-Local Multicast Name Resolution.
• Describe how a client resolves a name.
• Troubleshoot name resolution.

What Are Computer Names?

The TCP/IP set of protocols identifies source and destination computers by their IP addresses. However, computer users are much better at using and remembering names than numbers. Because of this, administrators usually assign names to computers. Administrators then link these names to computer IP addresses in a name resolution system such as DNS. These names are in either host name format (which is recognized by DNS) or in NetBIOS name format (which is recognized by Windows Internet Name Service (WINS)).

Name Type
The type of name (host name or NetBIOS name) that an application uses is determined by the application developer. If the application developer designs an application to request network services through Windows sockets, then host names are used. If, on the other hand, the application developer designs an application to request services through NetBIOS, a NetBIOS name is used. Most current applications, including Internet applications, use Windows sockets, and thus use host names, to access network services. NetBIOS is used by many earlier Windows operating system applications.
Earlier versions of Microsoft Windows, such as Microsoft Windows 98 and Windows Millennium Edition, require NetBIOS to support networking capabilities such as file sharing. However, since Microsoft Windows 2000, all operating systems support NetBIOS for backward compatibility with earlier versions of Windows, but do not require NetBIOS themselves.

Note: You can use Windows sockets applications to specify the destination host either by IP address or by host name. NetBIOS applications require the use of a NetBIOS name.


Host Names
A host name is a user-friendly name that is associated with a computer's IP address to identify it as a TCP/IP host. The host name can be up to 255 characters long, and can contain alphabetic and numeric characters, periods, and hyphens.
You can use host names in various forms. The two most common forms are as an alias, and as a fully qualified domain name (FQDN). An alias is a single name associated with an IP address, such as payroll. You can combine an alias with a domain name to create an FQDN. An FQDN is structured for use on the Internet, and includes periods as separators. An example of an FQDN is payroll.contoso.com.

NetBIOS Names

A NetBIOS name is a 16-character name that identifies a NetBIOS resource on the network. A NetBIOS name can represent a single computer or a group of computers. The first 15 characters are used for the name; the final character identifies the resource or service that is being referred to on the computer. The 15-character name may include the computer name, the domain name, and the name of the user who is logged on. The sixteenth character is a 1-byte hexadecimal identifier.
The NetBIOS namespace is flat, meaning that names can be used only once within a network. You cannot organize NetBIOS names into a hierarchical structure, as you can with FQDNs.

Additional Reading: For more information about NetBIOS name resolution see: http://technet.microsoft.com/en-us/library/cc738412(WS.10).aspx

What Is DNS?
DNS is a service that uses a distributed database to resolve FQDNs and other host names to IP addresses. All Windows server operating systems include a DNS service. When you use DNS, users on your network can locate network resources by typing in user-friendly names (for example, microsoft.com), which the computer then resolves to an IP address. The benefit is that IPv4 addresses may be difficult to remember (for example, 131.107.0.32), while a domain name typically is easier to remember. In addition, you can use host names that do not change while the underlying IP addresses can be changed to suit your organizational needs.
DNS uses a database of names and IP addresses to provide this service. DNS client software performs queries on and updates to the DNS database. For example, within an organization, a user who is trying to locate a print server can use the DNS name printserver.contoso.com, and the DNS client software will resolve the name to a printer's IP address, such as 172.16.23.55. Even if the printer's IP address changes, the user-friendly name can remain the same.
Originally, one file on the Internet contained a list of all domain names and their corresponding IP addresses. This list quickly became too long to manage and distribute. DNS was developed to solve the problems associated with using a single Internet file. With the adoption of IPv6, DNS becomes even more important, because IPv6 addresses are more complex than IPv4 addresses (for example, 2001:db8:4136:e38c:384f:3764:b59c:3d97).


DNS groups information about network resources into a hierarchical structure of domains. The hierarchical structure of domains is an inverted tree structure beginning with a root domain at its apex, and descending into separate branches with common levels of parent domains, and descending downward even further into individual child domains. The representation of the entire hierarchical domain structure is known as a DNS namespace.
The Internet uses a single DNS namespace with multiple root servers. To participate in the Internet DNS namespace, a domain name must be registered with a DNS registrar. This ensures that no two organizations attempt to use the same domain name. If hosts that are located on the Internet do not need to resolve names in your domain, you can host a domain internally, without registering it. However, you must still ensure that the domain name is unique from Internet domain names, or connectivity to Internet resources might be affected. A common way to ensure uniqueness is to create an internal domain in the .local domain. The .local domain is reserved for internal use in much the same way that private IP addresses are reserved for internal use. Note that .local is also the domain that multicast DNS (mDNS) uses on many non-Windows devices, so a subdomain of a registered public name is often the safer choice for a new internal namespace.
In addition to resolving host names to IP addresses, DNS can be used to:
• Locate domain controllers and global catalog servers. This is used when logging on to AD DS.
• Resolve IP addresses to host names. This is useful when a log file contains only the IP address of a host.
• Locate mail servers for email delivery. This is used for the delivery of all Internet email.

DNS Zones and Records

A DNS zone is a specific portion of the DNS namespace that contains DNS records. A DNS zone is hosted on a DNS server that is responsible for responding to queries for records in a specific domain. For example, the DNS server that is responsible for resolving www.contoso.com to an IP address would contain the contoso.com zone.
Zone content can be stored in a file or in the AD DS database. When the DNS server stores the zone in a file, that file is located in a local folder on the server. When the zone is not stored in AD DS, only one copy of the zone can be a writable copy, while all others are read-only.
The most commonly used types of zones in Windows Server DNS are forward lookup zones and reverse lookup zones.

Forward Lookup Zones

Forward lookup zones resolve host names to IP addresses, and host common resource records including host (A), alias (CNAME), service (SRV), mail exchange (MX), start of authority (SOA), and name server (NS) resource records. Although forward lookup zones are capable of hosting a number of different record types, the most common record type is the host (A) record. This record is used when resolving a host name to an IP address.

Reverse Lookup Zones

Reverse lookup zones resolve IP addresses to domain names. A reverse zone functions in the same manner as a forward zone, but the IP address is the part of the query while the host name is the returned information. Reverse lookup zones host SOA, NS, and pointer (PTR) resource records. Reverse zones are not always configured, but you should configure them to reduce warning and error messages.
Many standard Internet protocols rely on reverse zone lookup data to validate forward zone information. For example, if the forward lookup indicates that training.contoso.com is resolved to 192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com.
Many email servers use a reverse lookup as one way of reducing spam. By performing a reverse lookup on the sending host's IP address, an email server can reject or flag mail from hosts whose reverse name is missing or does not match the name the sender presents, which is one way to filter mail sent through open Simple Mail Transfer Protocol (SMTP) relays and compromised hosts.
Having a reverse zone is important if you have applications that rely on looking up hosts by their IP addresses. Many applications record this information in security or event logs. If you see suspicious activity from a particular IP address, you can look up the host name using the reverse zone information. Keep in mind that a PTR record is controlled by whoever administers the reverse zone for that address space, so confirm a reverse name with a forward lookup of the returned name before you rely on it.

Resource Records

The DNS zone file stores resource records. Resource records specify a resource type, and the IP address to locate the resource. The most common resource record is an A resource record. This is a simple record that resolves a host name to an IP address. The host can be a workstation, server, or another network device, such as a router.
Resource records also help find resources for a particular domain. For instance, when a Microsoft Exchange server needs to find the server that is responsible for delivering mail for another domain, it requests the mail exchanger (MX) resource record for that domain. This record points to the A record of the host that is running the SMTP mail service.
Resource records also can contain custom attributes. MX records, for instance, have a preference attribute, which is useful if an organization has multiple mail servers. The MX record tells the sending server which mail server the receiving organization prefers. SRV records also contain information regarding on which port the service is listening, and the protocol that you should use to communicate with the service.
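The forward-then-reverse check described under Reverse Lookup Zones, plus a look at the extra attributes that MX and SRV records carry, as an added PowerShell example that is not part of the course text. It uses Resolve-DnsName from the DnsClient module in Windows 8 and Windows Server 2012. The names and addresses (training.contoso.com, 192.168.2.45, contoso.com) are the course's illustrative values and are assumed to exist in your lab DNS; the SRV name _ldap._tcp.dc._msdcs.<domain> is the one domain members query to find domain controllers.

```powershell
# Added example: forward-confirmed reverse lookup and attribute-bearing records.
# Not part of the course text; Resolve-DnsName requires Windows 8 / Server 2012.

function Test-ForwardConfirmedReverse {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$DnsServer                      # optional: query a specific server
    )
    $extra = @{}
    if ($DnsServer) { $extra['Server'] = $DnsServer }

    # Step 1: forward lookup; keep only A records (a CNAME chain may precede them).
    $a = Resolve-DnsName -Name $HostName -Type A -DnsOnly @extra -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }

    foreach ($rec in $a) {
        # Step 2: PTR for the address. Resolve-DnsName accepts a dotted address
        # and builds the in-addr.arpa query name itself.
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -DnsOnly @extra -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
        $reverseName = if ($ptr) { (@($ptr)[0]).NameHost.TrimEnd('.') } else { $null }

        # Step 3: the PTR target must resolve forward to the same address before
        # the reverse name is trusted (the reverse zone owner could publish any name).
        $confirmed = $false
        if ($reverseName) {
            $back = Resolve-DnsName -Name $reverseName -Type A -DnsOnly @extra -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' }
            $confirmed = [bool]($back | Where-Object { $_.IPAddress -eq $rec.IPAddress })
        }

        [pscustomobject]@{
            HostName    = $HostName
            Address     = $rec.IPAddress
            ReverseName = $reverseName
            Confirmed   = $confirmed        # $true only when forward and reverse agree
        }
    }
}

function Get-ServiceRecords {
    # MX carries a preference; SRV carries priority, weight and the listening port.
    param([Parameter(Mandatory)][string]$Domain)

    $mx  = Resolve-DnsName -Name $Domain -Type MX -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'MX' } |
           Sort-Object Preference |
           Select-Object @{n='Record';e={'MX'}}, @{n='Target';e={$_.NameExchange}},
                         @{n='PreferenceOrPriority';e={$_.Preference}}, @{n='Port';e={$null}}

    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } |
           Sort-Object Priority, Weight |
           Select-Object @{n='Record';e={'SRV'}}, @{n='Target';e={$_.NameTarget}},
                         @{n='PreferenceOrPriority';e={$_.Priority}}, @{n='Port';e={$_.Port}}

    @($mx) + @($srv)
}

Test-ForwardConfirmedReverse -HostName 'training.contoso.com'
Get-ServiceRecords -Domain 'contoso.com'
```

A Confirmed value of $false with a non-empty ReverseName is the case to investigate when reading a log: the address has a PTR, but the name it claims does not point back to it.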

How Internet DNS Names Are Resolved

When resolving DNS names on the Internet, an entire system of computers is used rather than just a single server. There are hundreds of servers on the Internet, called root servers, which manage the overall practice of DNS resolution. These servers are represented by 13 FQDNs; a list of these 13 servers is preloaded on each DNS server. When you register a domain name on the Internet, you are paying to become part of this system.
To see how these servers work together to resolve a DNS name, let us look at the name resolution process for the name www.microsoft.com:
1. A workstation queries the local DNS server for the IP address of www.microsoft.com.
2. If the local DNS server does not have the information, then it queries a root DNS server for the location of the .com DNS servers.
3. The local DNS server queries a .com DNS server for the location of the microsoft.com DNS servers.
4. The local DNS server queries the microsoft.com DNS server for the IP address of www.microsoft.com.
5. The IP address of www.microsoft.com is returned to the workstation.


The name resolution process can be modified by caching or forwarding:
• Caching. After a local DNS server resolves a DNS name, it caches the results for the time to live (TTL) set by the zone that holds the record, commonly up to 24 hours. Subsequent resolution requests for the DNS name are given the cached information until the TTL expires.
• Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead of querying root servers. For example, requests for all Internet names can be forwarded to a DNS server at an Internet service provider (ISP).

What Is Link-Local Multicast Name Resolution?

Another method for resolving names to IP addresses in Windows Server 2012 is Link-Local Multicast Name Resolution (LLMNR). Because of various limitations (which are beyond the scope of this lesson) it is usually used only on localized networks. Although LLMNR is able to resolve IPv4 addresses, it has been designed specifically for IPv6; so if you want to use it, you must have IPv6 supported and enabled on your hosts.
LLMNR is commonly used in networks where:
• There are no DNS or NetBIOS services for name resolution.
• Implementation of these services is not practical for any reason.
• These services are not available.

For example, you might want to set up a temporary network for testing purposes without server infrastructure.
LLMNR is supported on Windows Vista, Windows Server 2008 and all newer Windows operating systems. It uses a simple system of request and reply messages to resolve computer names to IPv6 or IPv4 addresses. Because the request is multicast and any host on the link may reply, a host that answers for a name it does not own can redirect the requester; on managed networks where DNS is available, LLMNR is therefore commonly turned off.
To use LLMNR, you need to turn on the Network Discovery feature for all nodes on the local subnet. This feature is available in the Network and Sharing Center. Be aware that Network Discovery is usually disabled for any network that you designate as Public.
If you want to control the use of LLMNR on your network, you can configure it via Group Policy. To disable LLMNR via Group Policy, set the following Group Policy value:
Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. Set this value to Enabled if you do not want to use LLMNR or to Disabled if you want to use LLMNR.
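The policy above, read and set through the registry value it writes, as an added PowerShell example that is not part of the course text. The "Turn off Multicast Name Resolution" setting stores EnableMulticast under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (0 = LLMNR off); setting it directly is useful on computers that are not domain-joined and for verifying that a GPO applied. Resolve-DnsName -LlmnrOnly (Windows 8 / Server 2012) then shows whether LLMNR still answers. LON-CL1 is assumed to be a lab host on the same link.

```powershell
# Added example: inspect, change and test the LLMNR policy. Not part of the course text.

$LlmnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # No policy value means LLMNR is on (the default); 0 means the policy turned it off.
    $value = (Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $value) { return 'Enabled (no policy)' }
    if ($value -eq 0)     { return 'Disabled (policy)' }
    'Enabled (policy)'
}

function Set-LlmnrState {
    param([Parameter(Mandatory)][ValidateSet('Enabled','Disabled')][string]$State)
    if (-not (Test-Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
    $value = if ($State -eq 'Disabled') { 0 } else { 1 }
    Set-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -Value $value -Type DWord
    # The DNS Client service reads the policy when it starts; restart it so the
    # change applies without a reboot (requires an elevated prompt).
    Restart-Service -Name Dnscache -Force -ErrorAction SilentlyContinue
    Get-LlmnrState
}

function Test-LlmnrResolution {
    # Sends an LLMNR-only query for a single-label name on the local link.
    # With LLMNR disabled this returns $false even when a peer would answer.
    param([Parameter(Mandatory)][string]$Name)
    $r = Resolve-DnsName -Name $Name -LlmnrOnly -ErrorAction SilentlyContinue
    [bool]$r
}

Get-LlmnrState
Test-LlmnrResolution -Name 'LON-CL1'    # assumed lab host; $true only while LLMNR is on
Set-LlmnrState -State Disabled
Test-LlmnrResolution -Name 'LON-CL1'
```

On a domain-joined computer the GPO re-applies the policy value on refresh, so use Group Policy rather than this script to make the change stick there.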


How a Client Resolves a Name

Windows operating systems support a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process. DNS is the Microsoft standard for resolving host names to IP addresses and is described in detail in the second topic of this lesson, What Is DNS.

WINS
WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Support is retained for WINS to provide backward compatibility.
You can resolve NetBIOS names by using:
• Broadcast messages. Broadcast messages, however, do not work well on large networks because routers do not propagate broadcasts.
• Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high maintenance solution, because you must maintain the file manually on all computers.

Note: The DNS server role in Windows Server 2008 R2 and Windows Server 2012 also provides a new zone type, the GlobalNames zone, which you can use to contain single-label names that are unique across an entire forest. This eliminates the need to use the NetBIOS-based WINS to provide support for single-label names.

Host Name Resolution Process

When an application specifies a host name and uses Windows sockets, TCP/IP uses the DNS resolver cache and DNS when attempting to resolve the host name. The hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving host names.
Windows operating systems resolve host names by:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache. In the DNS client resolver cache, entries from the hosts file are pre-loaded.
3. Sending a DNS request to its configured DNS servers.
4. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
5. Contacting the host's configured WINS servers.
6. Broadcasting as many as three NetBIOS name query request messages on the subnet that is directly attached.
7. Searching the Lmhosts file.

Note: You can control the order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name resolution methods are attempted. Alternatively, you can modify the NetBIOS node type, which changes the order in which the NetBIOS name resolution methods are attempted.


Troubleshooting Name Resolution

Like most other technologies, name resolution sometimes requires troubleshooting. Issues can occur when the DNS server and its zones and resource records are not configured properly. When resource records are causing issues, it can sometimes be more difficult to identify the issue because configuration problems are not always obvious.

Tools and Commands

The command-line tools and commands that you use to troubleshoot these and other configuration issues are as follows:
• Nslookup: Use this tool to query DNS information. The tool is flexible and can provide a lot of valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. Additionally, you can test zone transfers, security options, and MX record resolution.
• Dnscmd: Use this command-line tool to manage the DNS server role. This tool is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on your network.
• Dnslint: Use this tool to diagnose common DNS issues. This tool diagnoses configuration issues in DNS quickly, and can generate a report in HTML format regarding the status of the domain that you are testing.
• IPconfig: Use this command to view and modify IP configuration details that the computer uses. This tool includes additional command-line options that you can use to troubleshoot and support DNS clients. You can view the client local DNS cache using the command ipconfig /displaydns, and you can clear the local cache using ipconfig /flushdns. If you want to re-register a host in DNS, you can use ipconfig /registerdns.
• Monitoring on DNS server: To test if the server can communicate with upstream servers you can perform simple local queries and recursive queries from the DNS server Monitoring tab. You also can schedule these tests for regular intervals. In Windows Server 2008 and Windows Server 2012 the Monitoring tab is found in the DNS server properties window.

Troubleshooting Process


When you troubleshoot name resolution, you must understand what name resolution methods the computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache between resolution attempts.
If you cannot connect to a remote host and suspect a name resolution problem, troubleshoot the name resolution as follows:
1. Open an elevated command prompt, and then clear the DNS resolver cache by typing IPConfig /flushdns.
2. Attempt to ping the remote host by its IP address. This helps identify whether the issue is related to name resolution. If the ping succeeds with the IP address but fails by its host name, then the problem is related to name resolution.
3. Attempt to ping the remote host by its host name. For accuracy, use the FQDN with a trailing period. For example, if you are working at Contoso, Ltd, you would enter the following command at the command prompt: Ping LON-dc1.contoso.com.
4. If the ping is successful, then the problem is most likely not related to name resolution. If the ping is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry to the end of the file. In the previous Contoso, Ltd example, you would add the following line and save the file: 10.10.0.10 LON-dc1.contoso.com
5. Perform the ping-by-host-name test once more. Name resolution should now be successful. Verify that the name resolved correctly by examining the DNS resolver cache. To display the DNS resolver cache, at a command prompt type IPConfig /displaydns.
6. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
7. At the command prompt, type the following command, and then examine the contents of the filename.txt file to identify the failed stage in name resolution: Nslookup.exe -d2 LON-dc1.contoso.com. > filename.txt
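The seven steps above as a script, added here as an example and not part of the course text. It uses the Windows 8 / Server 2012 cmdlets that wrap the same operations: Clear-DnsClientCache for ipconfig /flushdns, Get-DnsClientCache for ipconfig /displaydns, and Resolve-DnsName -DnsOnly for a DNS-only query in place of nslookup. Run it from an elevated prompt because step 4 edits the hosts file. The course's example host LON-dc1.contoso.com at 10.10.0.10 is assumed; substitute your own.

```powershell
# Added example: the name resolution troubleshooting procedure as a function.
# Not part of the course text. Requires an elevated prompt (hosts file edit).

function Test-NameResolution {
    param(
        [string]$HostFqdn  = 'LON-dc1.contoso.com',   # assumed course example
        [string]$IPAddress = '10.10.0.10'
    )
    $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $steps = [ordered]@{}

    # 1. Clear the resolver cache so a stale entry cannot mask the problem.
    Clear-DnsClientCache

    # 2. Reachability by address: if this fails, the problem is not name resolution.
    $steps['PingByAddress'] = Test-Connection -ComputerName $IPAddress -Count 1 -Quiet
    if (-not $steps['PingByAddress']) { return [pscustomobject]$steps }

    # 3. Reachability by name; the trailing period stops DNS suffix searching.
    $steps['PingByName'] = Test-Connection -ComputerName "$HostFqdn." -Count 1 -Quiet
    if ($steps['PingByName']) { return [pscustomobject]$steps }   # resolution works

    # 4. Temporary hosts entry. Keep a copy of the file first: the hosts file is a
    #    common malware target and must be put back exactly as it was.
    $backup = Get-Content -Path $hostsFile
    Add-Content -Path $hostsFile -Value "$IPAddress $HostFqdn"
    Clear-DnsClientCache      # hosts entries are reloaded into the cache on flush

    # 5. Retest and confirm the cache now carries the hosts-file entry.
    $steps['PingWithHostsEntry'] = Test-Connection -ComputerName "$HostFqdn." -Count 1 -Quiet
    $steps['CacheEntry'] = (Get-DnsClientCache -Entry $HostFqdn -ErrorAction SilentlyContinue).Data -join ','

    # 6. Restore the hosts file and flush again.
    Set-Content -Path $hostsFile -Value $backup
    Clear-DnsClientCache

    # 7. Ask the configured DNS servers directly (no cache, hosts, LLMNR or
    #    NetBIOS) so the error text identifies the failing stage.
    try {
        $dns = Resolve-DnsName -Name $HostFqdn -Type A -DnsOnly -ErrorAction Stop
        $steps['DnsAnswer'] = ($dns | Where-Object Type -eq 'A').IPAddress -join ','
        $steps['DnsError']  = $null
    } catch {
        $steps['DnsAnswer'] = $null
        $steps['DnsError']  = $_.Exception.Message   # e.g. name does not exist, or server timeout
    }
    [pscustomobject]$steps
}

Test-NameResolution
```

Read the result from the top: PingByAddress false means a connectivity problem; PingByName false with PingWithHostsEntry true confirms resolution is the fault, and DnsError then says whether the server is unreachable or the record is missing.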

Note: You also should know how to interpret the DNS resolver cache output so that you can identify whether the name resolution problem lies with the client computer's configuration, the name server, or the configuration of records within the name server zone database. Interpreting the DNS resolver cache output is beyond the scope of this lesson.


Lesson 2

Installing and Managing a DNS Server

To use a DNS service, you must first install it. Installing the DNS service on a DNS server is a simple procedure. To manage your DNS service, it is important that you understand the DNS server components and their purpose. In this lesson, you will learn about DNS components, and about how to install and manage the DNS Server role.

Lesson Objectives

After completing this lesson, you will be able to:
• Describe the components of a DNS solution.
• Describe root hints.
• Describe DNS queries.
• Describe forwarding.
• Explain how DNS server caching works.
• Describe how to install the DNS server role.

What Are the Components of a DNS Solution?

The components of a DNS solution include DNS servers, DNS servers on the Internet, and DNS resolvers, or DNS clients.

DNS Server
A DNS server answers recursive and iterative DNS queries. DNS servers also can host one or more zones of a particular domain. Zones contain different resource records. DNS servers also can cache lookups to save time for common queries.

DNS Servers on the Internet

DNS servers on the Internet are accessible publicly. These servers host information about public domains, such as common top level domains (TLDs) (for example .COM, .NET, and .EDU).

DNS Resolver
The DNS resolver generates and sends iterative or recursive queries to the DNS server. A DNS resolver can be any computer that is performing a DNS lookup that requires interaction with the DNS server. DNS servers also can issue DNS requests to other DNS servers.


What Are Root Hints?

As previously discussed in lesson one, topic four, root hints are a list of the 13 FQDNs on the Internet that your DNS server uses if it cannot resolve a DNS query by using a DNS forwarder or its own cache. The root hints list the highest servers in the DNS hierarchy, and can provide the necessary information for a DNS server to perform an iterative query to the next lowest layer of the DNS namespace.
Root servers are installed automatically when you install the DNS role. They are copied from the cache.dns file that is included in the DNS role setup files. You also can add root hints to a DNS server to support lookups for non-contiguous domains within a forest.
When a DNS server communicates with a root hint server, it uses only an iterative query. If you select the Do Not Use Recursion For This Domain option (on the DNS server properties window), the server will not be able to perform queries on the root hints. If you configure the server using a forwarder, it will attempt to send a recursive query to its forwarding server; then if the forwarding server does not answer this query, the first server responds that the host could not be found.
It is important to understand that recursion on a DNS server and recursive queries are not the same thing. Recursion on a DNS server means that the server uses its root hints to try to resolve a DNS query, whereas a recursive query is a query that is made to a DNS server in which the requester asks the server to assume the responsibility for providing a complete answer to the query. The next topics discuss recursive queries in more detail.

What Are DNS Queries?


A DNS query is a name resolution query that is sent to a DNS server. The DNS server then provides either an authoritative or a non-authoritative response to the client query.

Note: It is important to note that DNS servers also can act as DNS resolvers and send DNS queries to other DNS servers.

Authoritative or Non-Authoritative Responses


The two types of responses are:
• Authoritative. An authoritative response is one in which the server returns an answer that it knows is correct, because the request is directed to the authoritative server that manages the domain. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone.
• Non-authoritative. A non-authoritative response is one where the DNS server that contains the requested domain in its cache answers a query by using forwarders or root hints. Because the answer provided might not be accurate (because only the authoritative DNS server for the given domain can issue that information), it is called a non-authoritative response.

If the DNS server is authoritative for the query's namespace, the DNS server checks the zone and then does one of the following:
• Returns the requested address.
• Returns an authoritative "No, that name does not exist."

Note: An authoritative answer can be given only by the server with direct authority for the queried name.

If the local DNS server is non-authoritative for the query's namespace, then the DNS server does one of the following:
• Checks its cache and returns a cached response.
• Forwards the unresolvable query to a specific server, called a forwarder.
• Uses well-known addresses of multiple root servers to find an authoritative DNS server to resolve the query. This process uses root hints.

Recursive Queries
In a recursive query, the requester asks the DNS server to provide a fully resolved name before returning the answer. The DNS server may have to perform several queries to other DNS servers before it finds the answer. A recursive query has two possible results:
• The DNS server returns the IP address of the host requested.
• The DNS server cannot resolve an IP address.

For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. In doing so, the DNS server in question will not attempt to forward its DNS requests to another server. This is useful when you do not want a particular DNS server to communicate outside its local network.

Iterative Queries
Iterative queries access domain name information that resides across the DNS system; by using them, you can resolve names across many servers quickly and efficiently. When a DNS server receives a request that it cannot answer using its local information or its cached lookups, it makes the same request to another DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer with either the IP address for the domain name (if known), or with a referral to the DNS servers that are responsible for the domain being queried.


What Is Forwarding?


A forwarder is a network DNS server that forwards queries for external names to DNS servers outside that network. You also can create and use conditional forwarders to forward queries according to specific domain names. Once you designate a network DNS server as a forwarder, then other DNS servers in the network forward to it the queries that they cannot resolve locally. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet. This improves the efficiency of name resolution for your network's computers. The forwarder must be able to communicate with the DNS server that is located on the Internet. This means either you configure it to forward requests to another DNS server, or configure it to use root hints to communicate.

Best Practice: Use a central forwarding DNS server for Internet name resolution. This can improve security because you can isolate the forwarding DNS server in a perimeter network, which ensures that no server within the network is communicating directly to the Internet.

Conditional Forwarder
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the query's DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest.

Conditional Forwarding in Windows Server 2008 R2 and 2012
In Windows Server 2008 R2 and Windows Server 2012, the conditional forwarder configuration has been moved to a node in the DNS console. You can replicate this information to other DNS servers through Active Directory integration.

Best Practice: Use conditional forwarders if you have multiple internal namespaces. This provides for faster name resolution.
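The forwarder, conditional forwarder and server-recursion settings described in this topic and in the root hints topic, expressed with the DnsServer PowerShell module that the Windows Server 2012 DNS Server role installs. This is an added example, not course material: LON-SVR1 and 172.16.0.10 are the course lab's names, while 10.10.0.5 and the server name DNS-AUTH-ONLY are constructed placeholders.

```powershell
# Added example (not course code): forwarders, a conditional forwarder and
# the recursion switch on a Windows Server 2012 DNS server, using the
# DnsServer module that the DNS Server role installs. Run elevated.
Import-Module DnsServer

$server     = 'LON-SVR1'      # branch-office DNS server from the course lab
$headOffice = '172.16.0.10'   # head-office DNS server from the course lab
$partnerDns = '10.10.0.5'     # constructed address of the corp.contoso.com DNS server

# Root hints are the fallback when neither cache nor forwarder can answer;
# they were loaded from cache.dns when the role was installed.
(Get-DnsServerRootHint -ComputerName $server).NameServer.RecordData.NameServer

# Forward every query the server cannot answer from its own zones or cache
# to the head office. -UseRootHint $false means a forwarder failure yields
# "name not found" instead of the server contacting the Internet roots
# itself, which is what keeps the branch server off the Internet entirely.
Set-DnsServerForwarder -ComputerName $server -IPAddress $headOffice `
    -UseRootHint $false -Timeout 3

# Conditional forwarder: only names ending in corp.contoso.com go to the
# partner's DNS server. -ReplicationScope Forest stores the forwarder in
# AD DS so every DNS server on a domain controller in the forest gets it.
Add-DnsServerConditionalForwarderZone -ComputerName $server `
    -Name 'corp.contoso.com' -MasterServers $partnerDns -ReplicationScope 'Forest'

# Recursion on the server (its willingness to chase root hints/forwarders
# on a client's behalf) is distinct from a client's recursive query. A
# server that should only ever answer from the zones it hosts gets recursion
# disabled, which also stops it acting as an open resolver for outsiders.
# Note this disables forwarding too, so it is applied to a different,
# authoritative-only server here; 'DNS-AUTH-ONLY' is a placeholder name.
Set-DnsServerRecursion -ComputerName 'DNS-AUTH-ONLY' -Enable $false

# Verify the effective settings as each server reports them.
Get-DnsServerForwarder -ComputerName $server | Format-List IPAddress, UseRootHint, Timeout
Get-DnsServerZone -ComputerName $server -Name 'corp.contoso.com' |
    Format-List ZoneName, ZoneType, MasterServers, ReplicationScope
Get-DnsServerRecursion -ComputerName 'DNS-AUTH-ONLY' | Format-List Enable
```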


How DNS Server Caching Works


DNS caching increases the performance of the organization's DNS system by decreasing the time it takes to provide DNS lookups. When a DNS server resolves a DNS name successfully, it adds the name to its cache. Over time, this builds a cache of domain names and their associated IP addresses for most of the domains that the organization uses or accesses. The default time to keep a name in the cache is one hour. The zone owner can change this by modifying the SOA record for the appropriate DNS zone.

A caching-only server is the ideal type of DNS server to use as a forwarder. It will not host any DNS zone data; it only answers lookup requests for DNS clients.

In Windows Server 2012, you can access the content of the DNS server cache by selecting the Advanced view in the DNS Manager console. When you enable this view, cached content displays as a node in DNS Manager. You can also delete single entries (or the entire cache) from the DNS server cache.

The DNS client cache is a DNS cache that the DNS client service stores on the local computer. To view client-side caching, at a command-line prompt run the ipconfig /displaydns command. This will display the local DNS client cache. If you need to clear the local cache, you can use ipconfig /flushdns.

You can prevent DNS client caches from being overwritten with the DNS Cache Locking feature, which is available in Windows Server 2008 R2 and Windows Server 2012. When enabled, the cached records will not be overwritten for the duration of the time to live (TTL) value. Cache locking provides improved security against cache poisoning attacks.

How to Install the DNS Server Role


The DNS server role is not installed on Windows Server 2012 by default. Instead, you must add it in a role-based manner when you configure the server to perform the role. You install the DNS server role by using the Add Roles and Features Wizard in Server Manager. You can also add the DNS server role from the Domain Controller Options page of the Active Directory Domain Services Installation Wizard, during which you promote your server to a domain controller.

Once you install the DNS server role, the DNS Manager snap-in becomes available to add to your administrative consoles. The snap-in is added automatically to the Server Manager console and to the DNS Manager console. You can run the DNS Manager from the Run window by typing dnsmgmt.msc.

When you install the DNS server role, the dnscmd.exe command-line tool is also added. You can use the DNSCmd tool to script and automate DNS configuration. For help with this tool, at the command prompt, type: dnscmd.exe /?


To administer a remote DNS server, add the Remote Server Administration Tools to your administrative workstation, which must be running Windows Vista SP1 or a newer Windows operating system.

Demonstration: Installing the DNS Server Role


In many scenarios you will want to have more than one DNS server on your network. You can install additional DNS servers by using the Server Manager console. If you want to enable your DNS server to resolve Internet names, you will probably want to enable forwarding.

Demonstration Steps

Install a second DNS server


1. On LON-SVR1, open Server Manager.
2. Start the Add Roles and Features Wizard.
3. Add the DNS Server role.

Configure Forwarding
Configure the DNS Server with a forwarder on IP address 172.16.0.10.


Lesson 3

Managing DNS Zones


DNS service is a key service for AD DS. Servers and clients alike use DNS to locate domain controllers and other services within the network. You usually install a DNS server with a domain controller during domain controller promotion. The DNS server can then host zone data in an Active Directory database. In this lesson, you will learn about Active Directory-integrated DNS zones.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe DNS zone types.
• Describe dynamic updates.
• Describe Active Directory-integrated zones.
• Describe how to create an Active Directory-integrated zone.

What Are DNS Zone Types?


The four DNS zone types are:
• Primary
• Secondary
• Stub
• Active Directory-integrated

Primary zone
When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data either in a local file or in AD DS. When the DNS server stores the zone in a file, the primary zone file by default is named zone_name.dns, and is located on the server in the %windir%\System32\Dns folder. When the zone is not stored in AD DS, this is the only DNS server that has a writable copy of the database.

Secondary zone


When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone information. The zone at this server must be obtained from another remote DNS server that also hosts the zone. This DNS server must have network access to the remote DNS server to receive updated zone information. Because a secondary zone is a copy of a primary zone that another server hosts, the secondary zone cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from non-Windows DNS zones.

Stub zone
A stub zone is a replicated copy of a zone that contains only those resource records that are necessary to identify that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.


A stub zone consists of the following:
• The delegated zone's SOA resource record, NS resource records, and A resource records.
• The IP address of one or more master servers that you can use to update the stub zone.

The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone. Usually this is the DNS server that is hosting the primary zone for the delegated domain name.

Active Directory-Integrated zone


If AD DS stores the zone, then DNS can use the multimaster replication model to replicate the primary zone. This enables you to edit zone data on more than one DNS server simultaneously.

What Are Dynamic Updates?


A dynamic update is an update to DNS in real time. Dynamic updates are important for DNS clients that change locations - they can dynamically register and update their resource records without manual intervention.

The Dynamic Host Configuration Protocol (DHCP) client service performs the registration, regardless of whether the client's IP address is obtained from a DHCP server, or is fixed. The registration occurs during the following events:
• When the client starts and the DHCP client service is started.
• When an IP address is configured, added, or changed on any network connection.
• When an administrator runs the command-line command ipconfig /registerdns.

The process of dynamic updates is as follows:
1. The client identifies a name server and sends an update. If the name server hosts only a secondary zone, then the name server refuses the client's update. If the zone is not an Active Directory-integrated zone, the client may have to do this several times.
2. Eventually, if the zone supports dynamic updates, the client reaches a DNS server that can write to the zone. This is the primary server for a standard, file-based zone or any domain controller that is a name server for an Active Directory-integrated zone.
3. If the zone is configured for secure dynamic updates, the DNS server refuses the change. The client then authenticates and re-sends the update.

In some configurations, you may not want clients to update their records even in a dynamic update zone. In this case you can configure the DHCP server to register the records on the clients' behalf. By default, a client registers its A (host/address) record, and the DHCP server registers the PTR (pointer/reverse lookup) record.

By default, Windows operating systems attempt to register their records with their DNS server. You can modify this behavior in the client IP configuration, or through Group Policy.


What Are Active Directory-Integrated Zones?


In Lesson 1, you learned that a DNS server can store zone data in the AD DS database provided that the DNS server is an AD DS domain controller. When this happens, this creates an Active Directory-integrated zone. The benefits of an Active Directory-integrated zone are significant:
• Multimaster updates. Unlike standard primary zones, which can only be modified by a single primary server, Active Directory-integrated zones can be written to by any writable DC to which the zone is replicated. This builds redundancy into the DNS infrastructure. In addition, multimaster updates are particularly important in geographically distributed organizations that use dynamic update zones, because clients can update their DNS records without having to connect to a potentially geographically distant primary server.
• Replication of DNS zone data by using AD DS replication. One of the characteristics of Active Directory replication is attribute-level replication, in which only changed attributes are replicated. An Active Directory-integrated zone can leverage these benefits of Active Directory replication, rather than replicating the entire zone file as in traditional DNS zone transfer models.
• Secure dynamic updates. An Active Directory-integrated zone can enforce secure dynamic updates.
• Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows you to delegate administration of zones, domains, and resource records by modifying the access control list (ACL) on the zone.

Question: Can you think of any disadvantages to storing DNS information in AD DS?

Demonstration: Creating an Active Directory-Integrated Zone


To create an Active Directory-integrated zone, you must install the DNS server on a domain controller. All changes in an Active Directory-integrated zone are replicated to all other DNS servers on domain controllers through the AD DS replication mechanism.

Demonstration Steps

Create an Active Directory-integrated zone


1. On LON-DC1, open the DNS Manager console.
2. Start the New Zone Wizard.
3. Create a new Active Directory-integrated forward lookup zone.
4. Name the zone Contoso.com.
5. Allow only secure dynamic updates.
6. Review records in the new zone.

Create a record

Create a new Host record in the Adatum.com zone named www which points to 172.16.0.100.


Verify replication to a second DNS server


Verify that the new record is replicating to the LON-SVR1 DNS server.


Lab: Implementing DNS


Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations. A. Datum has recently deployed a Windows 2012 Server infrastructure with Windows 8 clients. You need to configure the infrastructure service for a new branch office. Your manager has asked you to configure the domain controller in the branch office as a DNS server. You have also been asked to create some new host records to support a new application that is being installed. Finally, you need to configure forwarding on the DNS server in the branch office to support Internet name resolution.

Objectives
After completing this lab you will be able to:
• Install and configure DNS.
• Create host records in DNS.
• Manage the DNS server cache.

Lab Setup
Estimated Time: 40 minutes

Logon Information
Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1, 20410A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Exercise 1: Installing and Configuring DNS


Scenario
As part of configuring the infrastructure for the new branch office, you need to configure a DNS server that will provide name resolution for the branch office. The DNS server in the branch office will also be a domain controller. The Active Directory-integrated zones required to support logons will be replicated automatically to the branch office.

The main tasks for this exercise are as follows:
1. Configure LON-SVR1 as a domain controller without installing the DNS server role.
2. Review configuration settings on the existing DNS server to confirm root hints.
3. Add the DNS server role for the branch office on the domain controller.
4. Verify replication of the Adatum.com Active Directory-integrated zone.
5. Use NSLookup to test non-local resolution.
6. Configure Internet name resolution to forward to the head office.
7. Use NSLookup to confirm name resolution.

Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role
1. Use the Add roles and features task in Server Manager to add the Active Directory Domain Services role to LON-SVR1.
2. Start the wizard to promote LON-SVR1 to a domain controller.
3. Choose to add LON-SVR1 as an additional domain controller in the Adatum.com domain.
4. Do not install DNS Server.

Task 2: Review configuration settings on the existing DNS server to confirm root hints
1. On LON-DC1, open the DNS Manager console.
2. In DNS Manager, open the Properties window of LON-DC1.
3. Review root hints and forwarder configuration.

Task 3: Add the DNS server role for the branch office on the domain controller
Use Server Manager to add the DNS Server role to LON-SVR1.

Task 4: Verify replication of the Adatum.com Active Directory-integrated zone


1. On LON-SVR1, open the DNS Manager console.
2. Expand Forward Lookup Zones, and verify that the Adatum.com and _msdcs.Adatum.com zones are replicated. If you do not see these zones, open Active Directory Sites and Services, force replication between LON-DC1 and LON-SVR1, and then try again.

Task 5: Use NSLookup to test non-local resolution


1. On LON-SVR1, on the Local Area Connection network adapter, in the preferred DNS server field, remove the IP address 172.16.0.10.
2. Make 127.0.0.1 the preferred DNS server for LON-SVR1.
3. Open a command prompt window on LON-SVR1, and start nslookup.
4. Try to resolve www.nwtraders.msft with nslookup.
5. You will receive a negative reply (this is expected).


Task 6: Configure Internet name resolution to forward to the head office


1. On LON-SVR1, open the DNS Manager console.
2. Configure a forwarder for LON-SVR1 to be 172.16.0.10.

Task 7: Use NSLookup to confirm name resolution


On LON-SVR1, in a command prompt window, start nslookup and try to resolve www.nwtraders.msft. You should get a reply and an IP address.

Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.
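Tasks 2 to 7 of this exercise carried out with the DnsServer and DnsClient PowerShell modules instead of the consoles. This is an added example, not part of the lab: it assumes task 1 is already done (LON-SVR1 is an additional domain controller) and that the adapter the lab calls "Local Area Connection" has the Windows Server 2012 default alias "Ethernet"; all host names and addresses are the lab's.

```powershell
# Added example (not lab code): Exercise 1, tasks 2-7, from an elevated
# PowerShell session on LON-DC1 as Adatum\Administrator. Assumes LON-SVR1
# is already promoted (task 1) and its adapter alias is "Ethernet".
$branch     = 'LON-SVR1'
$headOffice = '172.16.0.10'           # LON-DC1, which already resolves Internet names
$testName   = 'www.nwtraders.msft'    # the lab's non-local test name

# Task 2: review root hints and forwarders on the existing DNS server.
(Get-DnsServerRootHint -ComputerName 'LON-DC1').NameServer.RecordData.NameServer
Get-DnsServerForwarder -ComputerName 'LON-DC1'

# Task 3: add the DNS Server role (plus DNS Manager) on the branch DC.
Install-WindowsFeature -Name DNS -IncludeManagementTools -ComputerName $branch

# Task 4: AD DS-integrated zones show up on the new server without any zone
# transfer, because they replicate with the directory. Poll rather than
# assume, since directory replication may lag behind the role install.
$expected = 'Adatum.com', '_msdcs.Adatum.com'
$attempt  = 0
do {
    $zones = Get-DnsServerZone -ComputerName $branch |
        Where-Object { $_.IsDsIntegrated -and ($_.ZoneName -in $expected) }
    if ($zones.Count -lt $expected.Count) {
        repadmin /syncall LON-DC1 /AdeP | Out-Null   # force replication, as the lab suggests
        Start-Sleep -Seconds 15
    }
    $attempt++
} while ($zones.Count -lt $expected.Count -and $attempt -lt 8)
$zones | Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# Task 5: make the branch server its own preferred DNS server, then test a
# name outside its zones. With no forwarder and no Internet path this fails,
# which is the expected negative reply from the lab.
Invoke-Command -ComputerName $branch -ScriptBlock {
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1
}
Resolve-DnsName -Name $testName -Server $branch -DnsOnly -ErrorAction SilentlyContinue

# Task 6: send everything the branch cannot answer locally to the head office.
Set-DnsServerForwarder -ComputerName $branch -IPAddress $headOffice

# Task 7: the same query now succeeds through the forwarder.
Resolve-DnsName -Name $testName -Server $branch -DnsOnly | Format-Table Name, IPAddress
```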

Exercise 2: Creating Host Records in DNS


Scenario
Several new web-based applications are being implemented in the head office. Each application requires that you configure a host record in DNS. You have been asked to create the new host records for these applications.

The main tasks for this exercise are as follows:
1. Configure a client to use LON-SVR1 as a DNS server.
2. Create several host records in the Adatum.com domain for web apps.
3. Verify replication of new records to LON-SVR1.
4. Use the ping command to locate new records from LON-CL1.

Task 1: Configure a client to use LON-SVR1 as a DNS server


1. Log on to LON-CL1 as Adatum\Administrator using the password Pa$$w0rd.
2. Open Control Panel.
3. Open the Properties window for the Local Area Network Connection adapter.
4. Configure the preferred DNS server to be 172.16.0.21.

Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, open DNS Manager.
2. Navigate to the Adatum.com forward lookup zone.
3. Create a new record named www with IP address 172.16.0.100.
4. Create a new record named ftp with IP address 172.16.0.200.

Task 3: Verify replication of new records to LON-SVR1


1. On LON-SVR1, open DNS Manager.
2. Navigate to the Adatum.com forward lookup zone.
3. Ensure that the records www and ftp display. (You might have to refresh the Adatum.com zone for these records to appear.)

Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, open a command prompt window.
2. Ping www.adatum.com. Ensure that ping resolves this name to 172.16.0.100.
3. Ping ftp.adatum.com. Make sure that ping resolves this name to 172.16.0.200.

Results: After completing this exercise, you will have configured DNS records.
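The demonstration from Lesson 3 (an Active Directory-integrated zone that accepts only secure dynamic updates) and this exercise (www and ftp records in Adatum.com, then confirming they reached LON-SVR1) scripted together with the DnsServer module. This is an added example, not course material; every host name, zone and address is the course's own, and the Test-RecordReplicated helper is defined here.

```powershell
# Added example (not course code): Lesson 3 demonstration plus Exercise 2,
# run from an elevated PowerShell session on LON-DC1 with the DnsServer module.
$dc     = 'LON-DC1'
$branch = 'LON-SVR1'

# Demonstration: an Active Directory-integrated forward lookup zone.
# -ReplicationScope Domain stores it in the DomainDnsZones partition, so every
# DNS server on a domain controller in Adatum.com gets a writable copy.
# -DynamicUpdate Secure refuses unauthenticated updates; a client that is
# refused must authenticate (GSS-TSIG) and resend, as the lesson describes.
Add-DnsServerPrimaryZone -ComputerName $dc -Name 'Contoso.com' `
    -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
Get-DnsServerZone -ComputerName $dc -Name 'Contoso.com' |
    Format-List ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope

# Exercise 2, task 2: host (A) records for the new web applications.
$records = @{ www = '172.16.0.100'; ftp = '172.16.0.200' }
foreach ($name in $records.Keys) {
    Add-DnsServerResourceRecordA -ComputerName $dc -ZoneName 'Adatum.com' `
        -Name $name -IPv4Address $records[$name] -TimeToLive (New-TimeSpan -Hours 1)
}

# Exercise 2, task 3: the records reach LON-SVR1 through AD DS replication,
# not a zone transfer. Ask the branch server directly for each record and
# compare with what was written on LON-DC1.
function Test-RecordReplicated {
    param([string]$Name, [string]$Expected)
    $rr = Get-DnsServerResourceRecord -ComputerName $branch -ZoneName 'Adatum.com' `
            -Name $Name -RRType A -ErrorAction SilentlyContinue
    $actual = $rr.RecordData.IPv4Address.IPAddressToString
    [pscustomobject]@{
        Name       = $Name
        Expected   = $Expected
        OnBranch   = $actual
        Replicated = ($actual -eq $Expected)
    }
}
foreach ($name in $records.Keys) { Test-RecordReplicated -Name $name -Expected $records[$name] }

# Exercise 2, task 4 (what ping does on LON-CL1): resolve via the branch server.
Resolve-DnsName -Name 'www.adatum.com' -Server $branch -Type A | Format-Table Name, IPAddress
```

If Replicated shows False, force directory replication between LON-DC1 and LON-SVR1 and re-run Test-RecordReplicated, which mirrors the "refresh the zone" note in task 3.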

Exercise 3: Managing the DNS Server Cache


Scenario
After you changed some host records in zones configured on LON-DC1, you noticed that clients that use LON-SVR1 as their DNS server still get old IP addresses during the name resolution process. You want to determine which component is caching this data.

The main tasks for this exercise are as follows:
1. Use the ping command to locate an Internet record from LON-CL1.
2. Update the Internet record to point to the LON-DC1 IP address, and retry the location using ping.
3. Examine the content of the DNS cache.
4. Clear the cache, and retry ping.

Task 1: Use the ping command to locate Internet record from LON-CL1
1. On LON-CL1, open a command prompt window.
2. Use ping to locate www.nwtraders.msft. Ensure that the name resolves to an IP address.
3. Document the IP address.

Task 2: Update Internet record to point to the LON-DC1 IP address, retry the location using ping
1. On LON-DC1, open the DNS Manager console.
2. Navigate to the nwtraders.msft forward lookup zone.
3. Change the IP address for the record www to be 172.16.0.10.
4. From LON-CL1, ping www.nwtraders.msft.
5. Note that this record will still resolve to the old IP.

Task 3: Examine the content of the DNS cache


1. On LON-SVR1, in the DNS Manager console, enable Advanced View.
2. Browse the content of the Cached Lookups container.
3. On LON-CL1, in a command prompt window, type ipconfig /displaydns.
4. Examine the cached content.

Task 4: Clear the cache, and retry ping


1. Clear the cache on the LON-SVR1 DNS Server.
2. Retry the ping to www.nwtraders.msft on LON-CL1. (The result will still return the old IP address.)
3. Clear the client resolver cache on LON-CL1 by typing ipconfig /flushdns in a command prompt window.
4. On LON-CL1, retry the ping to www.nwtraders.msft. (The result should work.)


Results: After completing this exercise, you will have examined the DNS Server cache.
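The caching behaviour described in "How DNS Server Caching Works" and the procedure of this exercise, scripted with the DnsServer and DnsClient modules: it shows which of the two caches still holds the stale answer, the cache locking setting that guards the server cache against poisoning, and the two separate clears. This is an added example, not course material; it assumes the Remote Server Administration Tools for DNS are installed on LON-CL1 so the server cmdlets can target LON-SVR1, and the helper Get-CachedAnswers is defined here.

```powershell
# Added example (not lab code): Exercise 3 from an elevated PowerShell
# session on LON-CL1 as Adatum\Administrator. Assumes the DNS Server RSAT
# tools are installed on LON-CL1; names and hosts are the lab's.
$branch = 'LON-SVR1'
$name   = 'www.nwtraders.msft'

function Get-CachedAnswers {
    # Reports what each cache currently holds for $name, so the component that
    # is serving the old address is identified before anything is cleared.
    # Server side = the Cached Lookups node in DNS Manager's Advanced View;
    # client side = what ipconfig /displaydns prints.
    $serverHits = Show-DnsServerCache -ComputerName $branch |
        Where-Object { $_.RecordType -eq 'A' -and $_.HostName -like '*nwtraders*' } |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
    $clientHits = Get-DnsClientCache |
        Where-Object { $_.Entry -like '*nwtraders*' } |
        Select-Object -ExpandProperty Data
    [pscustomobject]@{
        Name        = $name
        ServerCache = ($serverHits -join ',')
        ClientCache = ($clientHits -join ',')
    }
}

# Task 3: look in both caches before touching either.
Get-CachedAnswers

# Cache locking: with LockingPercent 100 a cached record cannot be replaced
# until its TTL expires, which blunts poisoning attempts that try to slip a
# forged answer in ahead of the legitimate one. EnablePollutionProtection
# drops records in a response that fall outside the queried domain's subtree.
Get-DnsServerCache -ComputerName $branch |
    Format-List LockingPercent, EnablePollutionProtection, MaxTtl
Set-DnsServerCache -ComputerName $branch -LockingPercent 100 -EnablePollutionProtection $true

# Task 4: clearing the server cache alone is not enough, because the client
# keeps its own copy; Clear-DnsClientCache is the ipconfig /flushdns equivalent.
Clear-DnsServerCache -ComputerName $branch -Force
Get-CachedAnswers            # ServerCache empty, ClientCache still holds the old IP
Clear-DnsClientCache
Get-CachedAnswers            # both empty

# Fresh resolution now comes from the updated record on LON-DC1 via the branch.
Resolve-DnsName -Name $name -Server $branch -Type A | Format-Table Name, IPAddress, TTL
```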

To prepare for next module


After you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.


Module Review and Takeaways


Review Questions
Question: You are troubleshooting DNS name resolution from a client computer. What must you remember to do before each test?

Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider when planning the DNS configuration?

Question: What benefits do you realize by using forwarders?

Best Practices:
When implementing DNS, use the following best practices:
• Always use host names instead of NetBIOS names.
• Use forwarders rather than root hints.
• Be sure to be aware of potential caching issues when troubleshooting name resolution.
• Use Active Directory-integrated zones instead of primary and secondary zones.

Common Issues and Troubleshooting Tips


Common Issue | Troubleshooting Tip
Client can sometimes cache invalid DNS records. |
DNS Server performs slowly. |

Tools
Name of tool | Used for | Where to find it
DNS Manager console | Manage DNS server role | Administrative Tools
NSLookup command-line tool | Troubleshoot DNS | Command-line utility
Ipconfig command-line tool | Troubleshoot DNS | Command-line utility


Module 8
Implementing IPv6
Contents:
Module Overview 8-1
Lesson 1: Overview of IPv6 8-2
Lesson 2: IPv6 Addressing 8-8
Lesson 3: Coexistence with IPv4 8-13
Lesson 4: IPv6 Transition Technologies 8-17
Lab: Implementing IPv6 8-22
Module Review and Takeaways 8-26

Module Overview
IPv6 is a technology that helps the Internet support a growing user base and an increasingly large number of IP-enabled devices. The current IPv4 has been the underlying Internet protocol for almost thirty years. Its robustness, scalability, and limited feature set are now challenged by the growing need for new IP addresses. This is due in large part to the rapid growth of new network-aware devices.

Objectives
After completing this module, you will be able to:
• Describe the features and benefits of IPv6.
• Describe IPv6 addressing.
• Describe IPv6 coexistence with IPv4.
• Describe IPv6 transition technologies.


Lesson 1

Overview of IPv6


IPv6 has been included with Windows clients and servers starting with Windows Server 2008 and Windows Vista. The use of IPv6 is becoming more common on corporate networks and parts of the Internet. It is important for you to understand how this technology affects current networks, and how to integrate IPv6 into those networks. This lesson discusses the benefits of IPv6, and how it differs from IPv4.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe the benefits of IPv6.
• Describe the differences between IPv4 and IPv6.
• Describe the IPv6 address space.

Benefits of IPv6
IPv6 support is included in Windows Server 2012 and Windows 8. The following list of benefits describes why IPv6 is being implemented.

Larger address space


The IPv6 address space is 128-bit, which is much larger than the 32-bit address space in IPv4. A 32-bit address space has 2^32 or 4,294,967,296 possible addresses; a 128-bit address space has 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4x10^38 or 340 undecillion) possible addresses. As the Internet continues to grow, IPv6 provides for the required larger address space.

Hierarchical addressing and routing infrastructure


The IPv6 address space is designed to be more efficient for routers, which means that even though there are many more addresses, routers can process data much more efficiently because of address optimization.

Stateless and stateful address configuration


IPv6 has auto-configure capability without Dynamic Host Configuration Protocol (DHCP), and it can discover router information so that hosts can access the Internet; this is referred to as a stateless address configuration. A stateful address configuration is when you use the DHCPv6 protocol.

Required support for Internet Protocol security (IPsec)
The IPv6 standards require support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that are defined by IPsec. Although support for specific IPsec authentication methods and cryptographic algorithms is not specified, IPsec is defined from the start as the way to protect IPv6 packets. This guarantees the availability of IPsec on all IPv6 hosts.


End-to-end communication


One of the design goals for IPv6 is to provide sufficient address space so that you do not have to use translation mechanisms such as network address translation (NAT). This simplifies communication because IPv6 hosts can communicate directly with each other over the Internet. This also simplifies support for applications such as video conferencing and other peer-to-peer applications. However, many organizations may choose to continue using translation mechanisms as a security measure.

Prioritized delivery
An IPv6 packet contains a field that specifies how fast the packet should be processed, so traffic can be assigned a priority. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.

Improved support for single-subnet environments


IPv6 has much better support of automatic configuration and operation on single subnet networks. You can use the automatic configuration features in IPv6 to create temporary ad-hoc networks through which you can connect and share information.

Extensibility
IPv6 has been designed so that developers can extend it with much fewer constraints than IPv4.

Differences Between IPv4 and IPv6

When the IPv4 address space was designed, it was unimaginable that it could ever be exhausted. However, due to changes in technology and an allocation practice that did not anticipate the explosion of Internet hosts, it was clear by 1992 that a replacement would be necessary. IPv6 addresses were made 128 bits long so that the address space can be subdivided into hierarchical routing domains that reflect modern-day Internet topology. With 128 bits there are enough bits to create multiple levels of hierarchy, and flexibility for designing hierarchical addressing and routing. These are features that are currently lacking on the IPv4-based Internet.

IPv4 and IPv6 Comparison

The following table highlights the differences between IPv4 and IPv6.

IPv4: Source and destination addresses are 32 bits (4 bytes) long.
IPv6: Source and destination addresses are 128 bits (16 bytes) long.

IPv4: IPsec support is optional. Microsoft includes support for IPsec in the Microsoft Windows 2000 and newer operating systems, but it is not implemented by all vendors.
IPv6: IPsec support is required. Any device or operating system implementing IPv6 must support IPsec.

8-4

Implementing IPv6

IPv4: The IPv4 header contains no identification of packet flow for Quality of Service (QoS) handling by routers.
IPv6: Packet-flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field.

IPv4: Fragmentation is done by both routers and the sending host.
IPv6: Fragmentation is not done by routers, only by the sending host.

IPv4: Header includes a checksum.
IPv6: Header does not include a checksum.

IPv4: Header includes options.
IPv6: All optional data is moved to IPv6 extension headers.

IPv4: Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address.
IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.

IPv4: Internet Group Management Protocol (IGMP) is used to manage local subnet group membership.
IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages.

IPv4: Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway.
IPv6: ICMP Router Discovery is replaced with required ICMPv6 Router Solicitation and Router Advertisement messages.

IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet.
IPv6: There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.

IPv4: Must be configured either manually or through DHCP.
IPv6: Does not require either manual configuration or DHCP.

IPv4: Uses host (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses.
IPv6: Uses IPv6 host (AAAA) resource records in DNS to map host names to IPv6 addresses.

IPv4: Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.
IPv6: Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.

IPv4: Must support a 576-byte packet size (possibly fragmented).
IPv6: Must support a 1280-byte packet size (without fragmentation).

IPv6 Equivalents to IPv4


The following table shows IPv6 equivalents to some common IPv4 addresses.

IPv4 Address: Unspecified address is 0.0.0.0
IPv6 Address: Unspecified address is ::

IPv4 Address: Loopback address is 127.0.0.1
IPv6 Address: Loopback address is ::1

IPv4 Address: Autoconfigured addresses (169.254.0.0/16)
IPv6 Address: Link-local addresses (FE80::/64)

IPv4 Address: Broadcast addresses
IPv6 Address: Not applicable in IPv6

IPv4 Address: Multicast addresses (224.0.0.0/4)
IPv6 Address: IPv6 multicast addresses (FF00::/8)

IPv6 Address Space

The most distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers represents a binary octet. In binary, 192.168.1.1 is as follows:
11000000.10101000.00000001.00000001 (4 octets = 32 bits)

However, an IPv6 address is four times larger than an IPv4 address. Because of this, IPv6 addresses are expressed in hexadecimal (hex).
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts and will rarely type IPv6 addresses manually. The IPv6 address in hex is also easier to convert between binary and hexadecimal than it is to convert between binary and decimal. This simplifies working with subnets, and calculating hosts and networks.

Hexadecimal Numbering System (Base 16)

In the hexadecimal numbering system, some letters represent numbers because there must be 16 unique symbols for each position. Because 10 symbols (0 through 9) already exist, there must be six new symbols for the hex system; hence, the letters A through F are used. The hexadecimal number 10 is equal to the decimal number 16.

Note: You can use the Calculator application included with Windows Server 2012 to convert between binary, decimal, and hexadecimal numbers.

To convert an IPv6 binary address that is 128 bits long, you break it into eight blocks of 16 bits. You then convert each of these eight blocks of 16 bits into four hex characters. For each of the blocks, you evaluate four bits at a time. You should number each section of four binary numbers 1, 2, 4, and 8, starting from the right and moving left. That is, for the section [0010]:
- The first (rightmost) bit is assigned the value of 1.
- The second bit is assigned the value of 2.
- The third bit is assigned the value of 4.
- The fourth (leftmost) bit is assigned the value of 8.

To calculate the hexadecimal value for this section of four bits, add up the value of each bit that is set to 1. In the example of 0010, the only bit that is set to 1 is the bit assigned the value 2. The rest are set to zero. Therefore, the hex value of this section of four bits is 2.


Converting From Binary to Hexadecimal


The following table describes converting 8 bits of binary into hexadecimal, using the two sections [0010][1111]:

Binary   Values of each binary position   Adding values where the bit is 1
0010     8421                             0+0+2+0 = 2
1111     8421                             8+4+2+1 = 15, or hexadecimal F

The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long. The following two lines of binary numbers represent one IP address:
0010000000000001000011011011100000000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010

The 128-bit address is now divided along 16-bit boundaries (eight blocks of 16 bits):
0010000000000001 0000001010101010 0000110110111000 0000000011111111 0000000000000000 1111111000101000 0010111100111011 1001110001011010

Each block is further broken into sections of four bits. The following table shows the binary and corresponding hexadecimal values for each section of four bits:

Binary                      Hexadecimal
[0010][0000][0000][0001]    [2][0][0][1]
[0000][1101][1011][1000]    [0][D][B][8]
[0000][0000][0000][0000]    [0][0][0][0]
[0010][1111][0011][1011]    [2][F][3][B]
[0000][0010][1010][1010]    [0][2][A][A]
[0000][0000][1111][1111]    [0][0][F][F]
[1111][1110][0010][1000]    [F][E][2][8]
[1001][1100][0101][1010]    [9][C][5][A]

Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A


Compressing Zeros
When multiple contiguous zero blocks occur, you can compress these and represent them in the address as a double colon (::); this further simplifies the IPv6 notation. The computer recognizes :: and substitutes it with the number of zero blocks necessary to make the appropriate IPv6 address. In the following example, the address is expressed using zero compression:
2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 0 bits are represented by the ::, you can count the number of blocks in the compressed address, subtract this number from eight, and then multiply the result by 16. Using the previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by 16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located. You can use zero compression only once in a given address. If you use it twice or more, then there is no way to show how many 0 bits are represented by each instance of the double colon (::).

To convert an address into binary, use the reverse of the method described previously:
1. Add in zeros using zero compression.
2. Add leading zeros.
3. Convert each hex number into its binary equivalent.
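The conversion and compression rules described in this section, carried out in code. This is an added Python example, not code from the course: binary_to_ipv6 applies the 8-4-2-1 weights to each four-bit section, suppress_leading_zeros and compress_zeros apply the notation rules, zero_bits_in_compression applies the count-subtract-multiply rule, and expand_address and ipv6_to_binary carry out the three-step reverse procedure. The sample bit string is the lesson's own example address; the function names are my own.

```python
# Added example: binary <-> colon-hexadecimal conversion and zero compression for
# IPv6 addresses, following the rules given in the lesson. Function names are
# illustrative; the sample address is the lesson's 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.

# The lesson's 128-bit example address, written as eight 16-bit blocks.
SAMPLE_BITS = "".join([
    "0010000000000001", "0000110110111000", "0000000000000000", "0010111100111011",
    "0000001010101010", "0000000011111111", "1111111000101000", "1001110001011010",
])


def nibble_to_hex(nibble: str) -> str:
    """Add the 8-4-2-1 weights of the bits that are set in a four-bit section."""
    weights = (8, 4, 2, 1)
    value = sum(w for w, bit in zip(weights, nibble) if bit == "1")
    return "0123456789ABCDEF"[value]


def binary_to_ipv6(bits: str) -> str:
    """128 binary digits -> eight blocks of four hex characters, colon-delimited."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected 128 binary digits")
    blocks = [bits[i:i + 16] for i in range(0, 128, 16)]
    return ":".join("".join(nibble_to_hex(b[j:j + 4]) for j in range(0, 16, 4)) for b in blocks)


def suppress_leading_zeros(full: str) -> str:
    """Drop leading zeros in each block, keeping at least one digit per block."""
    return ":".join(block.lstrip("0") or "0" for block in full.split(":"))


def compress_zeros(addr: str) -> str:
    """Replace the longest run of all-zero blocks with '::' (used at most once).

    The lesson compresses even a single zero block (2001:DB8::2F3B:...); RFC 5952
    recommends compressing only runs of two or more blocks, so raise the
    threshold below if you need canonical output.
    """
    blocks = suppress_leading_zeros(addr).split(":")
    best_start, best_len, run_start = -1, 0, None
    for i, b in enumerate(blocks + ["end"]):      # sentinel closes a trailing run
        if b == "0":
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len == 0:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return left + "::" + right


def zero_bits_in_compression(addr: str) -> int:
    """Bits hidden by '::': (8 - blocks present) * 16, as the lesson describes."""
    if "::" not in addr:
        return 0
    present = [b for b in addr.split(":") if b]
    return (8 - len(present)) * 16


def expand_address(addr: str) -> str:
    """Reverse procedure, steps 1 and 2: restore compressed blocks, then leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        left, right = addr.split("::")
        left_blocks = left.split(":") if left else []
        right_blocks = right.split(":") if right else []
        missing = 8 - len(left_blocks) - len(right_blocks)
        if missing < 0:
            raise ValueError("too many blocks")
        blocks = left_blocks + ["0"] * missing + right_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("expected eight 16-bit blocks")
    return ":".join("%04X" % int(b, 16) for b in blocks)


def ipv6_to_binary(addr: str) -> str:
    """Reverse procedure, step 3: each hex block to 16 binary digits."""
    return " ".join(format(int(b, 16), "016b") for b in expand_address(addr).split(":"))
```

expand_address rejects an address with two double colons, which is the ambiguity the text warns about: with two instances there is no way to tell how many zero blocks each one stands for.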


Lesson 2

IPv6 Addressing
An essential part of working with IPv6 is understanding the different address types and when they are used. This allows you to understand the overall communication process between IPv6 hosts and perform troubleshooting. You also need to understand the processes available for configuring a host with an IPv6 address to ensure that hosts are properly configured.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe IPv6 prefixes.
- Describe unicast IPv6 address types.
- Describe zone IDs.
- Describe address autoconfiguration for IPv6.
- Configure IPv6 client settings on a network host.

IPv6 Prefixes
Like the IPv4 address space, the IPv6 address space is divided by allocating portions of the available address space for various IP functions. The high-order bits (bits that are at the beginning of the 128-bit IPv6 address) define areas statically in the IP space. The high-order bits and their fixed values are known as a format prefix. Internet Assigned Numbers Authority (IANA) manages IPv6, and has defined how the IPv6 address space will be divided initially. IANA has also specified the format prefixes.

IPv6 Format Prefixes

The following table shows the IPv6 address-space allocation by format prefixes.

Allocation                      Prefix binary value   Prefix hexadecimal value   Fraction of the address space
Reserved                        0000 0000                                        1/256
Global unicast addresses        001                   2 or 3                     1/8
Link-local unicast addresses    1111 1110 10          FE8                        1/1024
Unique local unicast addresses  1111 1100             FD                         1/256
Multicast addresses             1111 1111             FF                         1/256

The remaining IPv6 address space is unassigned.


IPv6 Prefixes
The prefix is the part of the address that indicates the bits that have fixed values, or that are the subnet prefix's bits. Prefixes for IPv6 subnets, routes, and address ranges are expressed in the same way as IPv4 Classless Interdomain Routing (CIDR) notation. An IPv6 prefix is written in address/prefix-length notation. For example, 2001:DB8::/48 and 2001:DB8:0:2F3B::/64 are IPv6 address prefixes.

Note: IPv6 does not use subnet masks.

Unicast IPv6 Address Types

A unicast IPv6 address is an IPv6 address that is assigned to a single interface in a single computer. This is equivalent to unicast addresses in IPv4. IPv6 has several types of unicast addresses, and unlike IPv4, computers typically have multiple IPv6 addresses. Different address types are used for different purposes. The bits in unicast IPv6 addresses are split evenly between network ID and interface ID: the first 64 bits are the network ID, and the second 64 bits are the host ID. By default, the interface ID portion of an IPv6 address is randomly generated.

Note: The interface ID in IPv6 is equivalent to the IPv4 host ID as discussed in Module 5.

Global Unicast Addresses

Global unicast addresses are equivalent to public IPv4 addresses that are available from an Internet Service Provider (ISP). They are routable and reachable globally on the IPv6 portion of the Internet. The fields in the global unicast address are:
- Fixed portion set to 001. The three high-order bits are set to 001. The address prefix for currently assigned global addresses is 2000::/3. Therefore, all global unicast addresses begin with either 2 or 3.
- Global routing prefix. This field identifies the global routing prefix for a specific organization's site. The combination of the three fixed bits and the 45-bit global routing prefix is used to create a 48-bit site prefix, which is assigned to an organization's individual site. Once the assignment occurs, routers on the IPv6 Internet then forward IPv6 traffic that matches the 48-bit prefix to the routers of the organization's site.
- Subnet ID. The Subnet ID is used within an organization's site to identify subnets. This field's size is 16 bits. The organization's site can use these 16 bits within its site to create 65,536 subnets, or multiple levels of addressing hierarchy, and an efficient routing infrastructure.
- Interface ID. The Interface ID identifies the interface on a specific subnet within the site. This field's size is 64 bits. This is either randomly generated, or assigned by DHCPv6. In the past, the Interface ID was based on the Media Access Control (MAC) address of the network interface card to which the address was bound.

Link-Local Unicast Addresses

All IPv6 hosts have a link-local address that is used for communication only on the local subnet. The link-local address is automatically generated and non-routable. In this way, link-local addresses are similar to IPv4 Automatic Private IP Addressing (APIPA) addresses. However, a link-local address is an essential part of IPv6 communication. Link-local addresses are used for communication in many scenarios where IPv4 would have used broadcasts. For example, link-local addresses are used when communicating with a DHCPv6 server. In addition, link-local addresses are used for neighbor discovery, which is the IPv6 equivalent of ARP in IPv4. The prefix for link-local addresses is always FE80::/64. The final 64 bits are the interface identifier.

Unique Local Unicast Addresses

Unique local addresses are the IPv6 equivalent of IPv4 private addresses. These addresses are routable within an organization, but not on the Internet. IPv4 private IP addresses were a relatively small part of the overall IPv4 address space, and many companies used the same address space. This caused problems when separate organizations tried to communicate directly. It also caused problems when merging the networks of two organizations following a merger or a buyout. To avoid the duplication problems experienced with IPv4 private addresses, the IPv6 unique local address structure allocates 40 bits to an organization identifier. The 40-bit organization identifier is randomly generated. The likelihood of two randomly generated 40-bit identifiers being the same is very small. This ensures that each organization has a unique address space. The first seven bits of the organization identifier have the fixed binary value of 1111110. All unique local addresses have the address prefix of FC00::/7. The Local (L) flag is set to 1 to indicate a local address. An L flag value set to 0 has not yet been defined. Therefore, unique local addresses with the L flag set to 1 have the address prefix of FD00::/8.

Zone IDs
Each IPv6 host has a single link-local address. If the host has multiple network interfaces, the same link-local address is reused on each network interface. To allow hosts to identify link-local communication on each unique network interface, a zone ID is added to the link-local address. A zone ID is used in the following format:
Address%zone_ID

Each sending host determines the zone ID that it will associate with each interface. There is no negotiation of zone ID between hosts. For example, on the same network, host A might use 3 for the zone ID on its interface, and host B might use 6 for the zone ID on its interface. Each interface in a Windows-based host is assigned a unique interface index, which is an integer. In addition to physical network cards, interfaces also include loopback and tunnel interfaces. Windows-based IPv6 hosts use the interface index of an interface as the zone ID for that interface. In the following example, the interface ID for the network card is 3.
fe80::2b0:d0ff:fee9:4143%3


Note: You can view the zone ID of a link-local address by typing ipconfig at a command prompt. This will display the local IP configuration.
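The format-prefix table, the address/prefix-length notation, the unicast address types and the zone ID format described in the preceding sections, applied in code. This is an added Python example, not code from the course: the prefixes and the 64/64 network-ID/interface-ID split come from the lesson, and the function names are my own. in_prefix compares only the leading prefix-length bits, which is exactly what address/prefix-length notation means; classify uses it to name the address type, and split_zone_id separates the Windows interface index from the address first, since the zone ID is not part of the 128-bit address.

```python
# Added example: classifying IPv6 addresses by their format prefix and separating
# the Windows zone ID, as described in the lesson. The prefixes and the 64/64
# network/interface split come from the lesson; function names are illustrative.
import ipaddress

# (prefix, type) in the order to test; the first match wins.
FORMAT_PREFIXES = [
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("FE80::/64", "link-local unicast"),
    ("FC00::/7", "unique local unicast"),
    ("FF00::/8", "multicast"),
    ("2000::/3", "global unicast"),   # high-order bits 001, so the first hex digit is 2 or 3
]


def split_zone_id(text: str):
    """'Address%zone_ID' -> (address, zone ID or None). Windows uses the interface index."""
    address, sep, zone = text.partition("%")
    return address, (int(zone) if sep else None)


def in_prefix(address: str, prefix: str) -> bool:
    """address/prefix-length test: compare only the leading prefix-length bits."""
    network, length = prefix.split("/")
    shift = 128 - int(length)
    a = int(ipaddress.IPv6Address(address))
    n = int(ipaddress.IPv6Address(network))
    return (a >> shift) == (n >> shift)


def classify(text: str):
    """Return (address type, zone ID) for a textual IPv6 address, zone ID included."""
    address, zone = split_zone_id(text)
    for prefix, kind in FORMAT_PREFIXES:
        if in_prefix(address, prefix):
            return kind, zone
    return "unassigned", zone


def unique_local_l_flag(address: str) -> int:
    """The L flag is the eighth high-order bit: FC00::/7 with L = 1 gives FD00::/8."""
    return (int(ipaddress.IPv6Address(address)) >> 120) & 1


def split_network_interface(address: str):
    """Unicast addresses split evenly: a 64-bit network ID and a 64-bit interface ID."""
    a = int(ipaddress.IPv6Address(address))
    return a >> 64, a & ((1 << 64) - 1)
```

Because the check is done on the integer value, it works the same for compressed, uppercase and lowercase forms of an address, which matters when you compare what ipconfig prints against what a log or a DNS record contains.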

Address Autoconfiguration for IPv6

In most cases, you will use autoconfiguration to provide IPv6 hosts with an IPv6 address. There are several ways autoconfiguration can be implemented. You control how autoconfiguration is performed by selecting the type of autoconfiguration.

Autoconfigured Address States

During autoconfiguration, the IPv6 address of a host goes through several states that define the lifecycle of the IPv6 address. Autoconfigured addresses are in one or more of the following states:
- Tentative. In the tentative state, verification is occurring to determine if the address is unique. Duplicate address detection performs verification. When an address is in the tentative state, a node cannot receive unicast traffic.
- Valid. In the valid state, the address has been verified as unique, and can send and receive unicast traffic.
- Preferred. In the preferred state, the address enables a node to send and receive unicast traffic to and from it.
- Deprecated. In a deprecated state, the address is valid, but its use is discouraged for new communication.
- Invalid. In the invalid state, the address no longer allows a node to send or receive unicast traffic.

Types of Autoconfiguration

Types of autoconfiguration include:
- Stateless. Address configuration is only based on the receipt of Router Advertisement messages. This includes a router prefix but does not include additional configuration options such as DNS servers.
- Stateful. Configuration is based on the use of a stateful address configuration protocol such as DHCPv6 to obtain addresses and other configuration options. A host uses stateful address configuration when:
  - It receives instructions to do so in Router Advertisement messages.
  - There are no routers present on the local link.
- Both. Configuration is based on receipt of Router Advertisement messages and on DHCPv6.

Stateful Configuration
With stateful configuration, organizations can control how IPv6 addresses are assigned using DHCPv6. If there are any specific scope options that you need to configure, such as the IPv6 addresses of DNS servers, then a DHCPv6 server is necessary. When IPv6 attempts to communicate with a DHCPv6 server, it uses multicast IPv6 addresses. This is different than with IPv4, which uses broadcast IPv4 addresses.
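The decision between stateless, stateful and combined autoconfiguration, and the address lifecycle states listed above, as an added Python example (not code from the course). The rules are the lesson's; the M (managed) and O (other configuration) flags are the Router Advertisement flags defined in RFC 4861 that carry the "instruction" the lesson refers to, and are not named in the course text. The prefixes and lifetimes are constructed sample values, and the function and class names are my own.

```python
# Added example: how a host chooses its autoconfiguration type and which lifecycle
# state an autoconfigured address is in, following the lesson. The M and O flags
# are the RFC 4861 Router Advertisement flags (an assumption; the course text only
# says the RA "instructs" the host). Sample values are constructed.
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class RouterAdvertisement:
    prefixes: list = field(default_factory=list)  # 64-bit prefixes, e.g. "2001:DB8:0:2F3B::"
    managed: bool = False   # M flag: obtain addresses from DHCPv6 (stateful)
    other: bool = False     # O flag: obtain other options, such as DNS servers, from DHCPv6


def choose_autoconfiguration(advertisements) -> str:
    """Return 'stateless', 'stateful' or 'both', per the rules in the lesson."""
    if not advertisements:
        return "stateful"             # no routers present on the local link
    if any(ra.managed for ra in advertisements):
        return "stateful"             # the RA instructs the host to use DHCPv6
    if any(ra.other for ra in advertisements):
        return "both"                 # address from the RA prefix, options from DHCPv6
    return "stateless"


def random_interface_id() -> int:
    """Windows generates the 64-bit interface ID randomly by default."""
    return secrets.randbits(64)


def stateless_addresses(advertisements, interface_id=None):
    """Combine each advertised 64-bit prefix with the host's interface ID."""
    iid = random_interface_id() if interface_id is None else interface_id
    addresses = []
    for ra in advertisements:
        for prefix in ra.prefixes:
            network = int(ipaddress.IPv6Address(prefix)) >> 64
            addresses.append(str(ipaddress.IPv6Address((network << 64) | iid)))
    return addresses


def address_state(dad_complete: bool, elapsed: int,
                  preferred_lifetime: int, valid_lifetime: int) -> str:
    """Lifecycle state of an autoconfigured address.

    Tentative until duplicate address detection (DAD) finishes; then valid, which
    is 'preferred' until the preferred lifetime expires and 'deprecated' until the
    valid lifetime expires; after that the address is invalid.
    """
    if not dad_complete:
        return "tentative"
    if elapsed >= valid_lifetime:
        return "invalid"
    if elapsed >= preferred_lifetime:
        return "deprecated"
    return "preferred"
```

Note that "valid" is not a separate branch: both preferred and deprecated addresses are valid, and the difference is only whether new connections should use them.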


Demonstration: Configuring IPv6 Client Settings


In most cases, IPv6 is configured dynamically by using DHCPv6 or router advertisements. However, you can also configure IPv6 manually with a static IPv6 address. The process for configuring IPv6 is similar to the process for configuring IPv4.

Demonstration Steps
View IPv6 configuration by using ipconfig

1. On LON-DC1, open a Windows PowerShell prompt.
2. Use ipconfig to view the link-local IPv6 address on Local Area Connection.
3. Use the Get-NetIPAddress cmdlet to view network configuration.

Configure IPv6 on LON-DC1


1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the Local Server.
2. Open the properties of Internet Protocol Version 6 (TCP/IPv6), and enter the following information:
   - Use the following IPv6 address
   - IPv6 address: FD00:AAAA:BBBB:CCCC::A
   - Subnet prefix length: 64
   - Use the following DNS server addresses
   - Preferred DNS server: ::1

Configure IPv6 on LON-SVR1


1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the Local Server.
2. Open the properties window of Internet Protocol Version 6 (TCP/IPv6), and enter the following:
   - Use the following IPv6 address
   - IPv6 address: FD00:AAAA:BBBB:CCCC::15
   - Subnet prefix length: 64
   - Use the following DNS server addresses
   - Preferred DNS server: FD00:AAAA:BBBB:CCCC::A

Verify IPv6 communication is functional


1. On LON-SVR1, open a Windows PowerShell prompt.
2. Use ipconfig to view the IPv6 address for Local Area Connection.
3. Use ping -6 to test IPv6 communication with LON-DC1.
4. Use ping -4 to test IPv4 communication with LON-DC1.


Lesson 3

Coexistence with IPv4

From its inception, IPv6 was designed for long-term coexistence with IPv4; in most cases your network will use both IPv4 and IPv6 for many years. Consequently, you need to understand how they coexist. This lesson provides an overview of the technologies that support the two IP protocols' coexistence. This lesson also describes the different node types and IP stack implementations of IPv6. Finally, this lesson explains how DNS resolves names to IPv6 addresses and the various types of IPv6 transition technologies.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe IP node types.
- Describe methods to provide coexistence for IPv4 and IPv6.
- Configure DNS to support IPv6.
- Explain IPv6 over IPv4 tunneling.

What Are Node Types?

When planning an IPv6 network, you should know what types of nodes or hosts are on the network. Describing the nodes in the following ways helps to define their capabilities on the network. This is important if you use tunneling, because certain kinds of tunnels require specific node types, including the following:
- IPv4-only node. A node that implements only IPv4 (and has only IPv4 addresses) and does not support IPv6.
- IPv6-only node. A node that implements only IPv6 (and has only IPv6 addresses) and does not support IPv4. This node is able to communicate only with IPv6 nodes and applications, and is not common today. However, it might become more prevalent as smaller devices, such as cellular phones and handheld computers, use the IPv6 protocol exclusively.
- IPv6/IPv4 node. A node that implements both IPv4 and IPv6. Windows Server 2008 and Windows Vista or later use IPv4 and IPv6 by default.
- IPv4 node. A node that implements IPv4. It can be an IPv4-only node or an IPv6/IPv4 node.
- IPv6 node. A node that implements IPv6. It can be an IPv6-only node or an IPv6/IPv4 node.

Coexistence occurs when the largest number of nodes (IPv4 or IPv6 nodes) can communicate using an IPv4 infrastructure, an IPv6 infrastructure, or an infrastructure that is a combination of IPv4 and IPv6. You will achieve true migration when all IPv4 nodes are converted to IPv6-only nodes. However, for the foreseeable future, you can achieve practical migration when as many IPv4-only nodes as possible are converted to IPv6/IPv4 nodes. IPv4-only nodes can communicate with IPv6-only nodes only when you are using an IPv4-to-IPv6 proxy or translation gateway.


IPv4 and IPv6 Coexistence

Rather than replacing IPv4, most organizations add IPv6 to their existing IPv4 network. Starting with Windows Server 2008 and Windows Vista, Windows operating systems support the simultaneous use of IPv4 and IPv6 through a dual IP layer architecture. The Windows XP and Windows Server 2003 operating systems used a less efficient dual stack architecture.

Dual IP Layer Architecture

A dual IP layer architecture was implemented beginning with Windows Vista, and continuing through Windows Server 2012 and Windows 8. This architecture contains both IPv4 and IPv6 Internet layers with a single implementation of transport layer protocols such as TCP and User Datagram Protocol (UDP). Dual stack allows for easier migration to IPv6, and there are fewer files to maintain to provide IPv6 connectivity. IPv6 is also available without adding any new protocols in the network-card configuration.

Dual Stack Architecture

Dual stack architecture contains both IPv4 and IPv6 Internet layers, and has separate protocol stacks that contain separate implementations of transport layer protocols, such as TCP and UDP. Tcpip6.sys, the IPv6 protocol driver in Windows Server 2003 and Windows XP, contains a separate implementation of TCP and UDP.

DNS Infrastructure Requirements

Just as DNS is used as a supporting service on an IPv4 network, it is also required on an IPv6 network. When IPv6 is added to the network, you need to ensure that the records that are necessary to support IPv6 name-to-address and address-to-name resolution are added. The DNS records that are required for coexistence are:
- Host (A) resource records for IPv4 nodes
- IPv6 host (AAAA) resource records
- Reverse lookup pointer (PTR) resource records for IPv4 and IPv6 nodes

Note: In most cases, the IPv6 host (AAAA) resource records that IPv6 nodes require are registered in DNS dynamically.

When a name can be resolved to both an IPv4 and IPv6 address, both addresses are returned to the client. The client then selects which address to use based on prefix policies. You can view the prefix policies in Windows Server 2012 by using the Get-NetPrefixPolicy cmdlet. Each prefix has a precedence level assigned to it. In most cases, IPv6 is preferred over IPv4. For example, when you ping a host, the ping command will use the IPv6 address instead of the IPv4 address.


The following table displays the typical prefix policies for Windows Server 2012.

Prefix          Precedence   Label   Description
::1/128         50           0       IPv6 loopback
fc00::/7        45           13      Unique local
::/0            40           1       Default gateway
::ffff:0:0/96   10           4       IPv4 compatible address
2002::/16       7            14      6to4
2001::/32       5            5       Teredo
::/96           1            10      IPv4 compatible address (deprecated)
fec0::/10       1            11      Site local (deprecated)
3ffe::/16       1            12      6Bone (deprecated)

Additional Reading: For more information about prefix policies see http://technet.Microsoft.com/library/bb877985.
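How a client applies the prefix policy table above when a name resolves to several addresses, as an added Python example (not code from the course and not the Windows implementation). The table entries are the lesson's; the lookup uses longest-prefix matching, which is how prefix policies are matched, and IPv4 records are matched through their IPv4-mapped form (::ffff:w.x.y.z) so that they fall under the ::ffff:0:0/96 entry. Function names are my own.

```python
# Added example: selecting among resolved addresses by prefix-policy precedence,
# using the typical Windows Server 2012 table from the lesson. Not the Windows
# implementation; function names are illustrative.
import ipaddress

# (prefix, precedence, label) as listed in the lesson.
PREFIX_POLICIES = [
    ("::1/128", 50, 0),
    ("fc00::/7", 45, 13),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 10, 4),
    ("2002::/16", 7, 14),
    ("2001::/32", 5, 5),
    ("::/96", 1, 10),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def policy_for(address: str):
    """Return (precedence, label) of the longest-matching policy entry.

    IPv4 addresses (from A records) are compared in their IPv4-mapped form so
    that they match the ::ffff:0:0/96 entry rather than only the default ::/0.
    """
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        addr = ipaddress.IPv6Address("::ffff:" + address)
    best = None
    for prefix, precedence, label in PREFIX_POLICIES:
        network = ipaddress.IPv6Network(prefix)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, precedence, label)
    return best[1], best[2]


def order_destinations(addresses):
    """Order resolved addresses the way the client tries them: highest precedence first.

    sorted() is stable, so addresses with equal precedence keep the order in
    which the resolver returned them.
    """
    return sorted(addresses, key=lambda a: policy_for(a)[0], reverse=True)
```

With this table a unique local address (precedence 45) is tried before an IPv4 address (precedence 10), which is why the ping in the lesson uses the IPv6 address; a global IPv6 address such as 2001:db8::1 falls under ::/0 (40) and is likewise preferred over IPv4.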

Demonstration: Configuring DNS to Support IPv6


Similar to IPv4 nodes, IPv6 nodes use dynamic DNS to automatically create host records. You can also manually create host records for IPv6 addresses. An IPv6 host (AAAA) resource record is a unique record type and is different from the IPv4 host (A) resource record.

Demonstration Steps
Configure an IPv6 host (AAAA) resource record

1. On LON-DC1, in Server Manager, open the DNS tool and browse to the Adatum.com forward lookup zone.
2. In DNS Manager, verify that IPv6 addresses have been registered dynamically for LON-DC1 and LON-SVR1.
3. Create a new host record in Adatum.com with the following settings:
   - Name: WebApp
   - IP address: FD00:AAAA:BBBB:CCCC::A

Verify name resolution for an IPv6 host (AAAA) resource record


1. On LON-SVR1, if necessary, open a Windows PowerShell prompt.
2. Use ping to test communication with WebApp.adatum.com.


What Is IPv6 Over IPv4 Tunneling?

IPv6 over IPv4 tunneling is the encapsulation of IPv6 packets with an IPv4 header so that IPv6 packets can be sent over an IPv4-only infrastructure. Within the IPv4 header:
- The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
- The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can configure tunnel endpoints manually as part of the tunnel interface, or they can be derived automatically.

Unlike tunneling for the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP), there is no exchange of messages for tunnel setup, maintenance, or termination. Additionally, IPv6 over IPv4 tunneling does not provide security for tunneled IPv6 packets. This means that when you use IPv6 tunneling, it does not need to establish a protected connection first.
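The encapsulation just described, built and then recognised in code. This is an added Python example, not code from the course: the IPv4 Protocol field value 41 and the layout come from the lesson; the addresses and payload are constructed sample values, and the function names are my own. encapsulate_6in4 wraps an IPv6 packet in an IPv4 header with Protocol 41 and a correct header checksum; detect_6in4 does what a monitoring tool has to do to see such traffic, because the inner IPv6 addresses are invisible to anything that looks only at the IPv4 header, and nothing in the tunnel itself authenticates or protects the inner packet.

```python
# Added example: building and recognising IPv6-over-IPv4 (protocol 41) packets.
# The Protocol field value 41 and the header layout come from the lesson; the
# addresses and payload are constructed sample values and function names are
# illustrative.
import ipaddress
import struct

IPPROTO_IPV6_ENCAP = 41   # IPv4 Protocol field: payload is an encapsulated IPv6 packet
NO_NEXT_HEADER = 59       # IPv6 Next Header value meaning "nothing follows"


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes = b"",
                      next_header: int = NO_NEXT_HEADER) -> bytes:
    """Minimal IPv6 header (version 6, flow label 0, hop limit 64) plus payload."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate_6in4(v4_src: str, v4_dst: str, ipv6_packet: bytes) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header whose Protocol field is 41."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(ipv6_packet), 0, 0, 64, IPPROTO_IPV6_ENCAP, 0,
        ipaddress.IPv4Address(v4_src).packed, ipaddress.IPv4Address(v4_dst).packed,
    )
    checksum = ipv4_checksum(header)                      # computed with the field zeroed
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + ipv6_packet


def detect_6in4(packet: bytes):
    """Return (outer src, outer dst, inner src, inner dst) for a protocol-41 packet
    that carries IPv6, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    header_len = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6_ENCAP:
        return None
    inner = packet[header_len:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (
        str(ipaddress.IPv4Address(packet[12:16])),
        str(ipaddress.IPv4Address(packet[16:20])),
        str(ipaddress.IPv6Address(inner[8:24])),
        str(ipaddress.IPv6Address(inner[24:40])),
    )
```

Verifying a received header's checksum is the same computation: summing the header with its checksum field in place must give zero.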


Lesson 4

IPv6 Transition Technologies

Transitioning from IPv4 to IPv6 requires coexistence between the two protocols. Too many applications and services rely on IPv4 for it to be removed quickly. However, there are several technologies that aid transition by allowing communication between IPv4-only and IPv6-only hosts. There are also technologies that allow IPv6 communication over IPv4 networks. This lesson provides information about Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo, which help provide connectivity between IPv4 and IPv6 technology. This lesson also addresses PortProxy, which provides compatibility for applications.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe ISATAP.
- Describe 6to4.
- Describe Teredo.
- Describe PortProxy.
- Describe the transition process from IPv4 to IPv6.

What Is ISATAP?

ISATAP is an address-assignment technology that you can use to provide unicast IPv6 connectivity between IPv6/IPv4 hosts across an IPv4 intranet. ISATAP hosts do not require any manual configuration, and can create ISATAP addresses using standard address autoconfiguration mechanisms. You mainly use ISATAP within an organization's site, and although the ISATAP component is enabled by default, it only assigns ISATAP-based addresses if it can resolve the name ISATAP on your network.

An ISATAP address that is based on a private IPv4 address is formatted like the following example:
[64-bit unicast prefix]:0:5EFE:w.x.y.z

An ISATAP address that is based on a public IPv4 address is formatted like the following example:
[64-bit unicast prefix]:200:5EFE:w.x.y.z

For example, FD00::5EFE:192.168.137.133 is an example of a private IPv4 address, and 2001:db8::200:5EFE:131.107.137.133 is an example of a public IPv4 address.

What Is an ISATAP Router?

ISATAP allows IPv6 clients on an IPv4-only intranet to communicate without additional manual configuration. An ISATAP router advertises an IPv6 prefix, and allows the clients to communicate with other IPv6 clients on other IPv6 subnets.

8-18 Implementing IPv6

How ISATAP Tunneling Works


You can initiate ISATAP tunneling in many ways, but the simplest way is to configure an ISATAP host record in DNS that resolves to the IPv4 address of the ISATAP router. Windows hosts that can resolve this name automatically begin using the specified ISATAP router. By using this method, you can configure ISATAP for several computers simultaneously. You can also define ISATAP name resolution in a hosts file, but this is not recommended because it is difficult to manage.

Note: By default, Windows Server 2008 or newer DNS servers have a Global Query Block List that prevents ISATAP resolution, even if the host record is created and properly configured. The block list exists because, without it, any host that can register the name ISATAP (or WPAD) through dynamic update would become the ISATAP router (or web proxy) for every client that resolves that name. You need to remove ISATAP from the Global Query Block List in DNS if you are using an ISATAP host record to configure ISATAP clients.

Other ways you can configure hosts with an ISATAP router are:
- Use the Windows PowerShell cmdlet Set-NetIsatapConfiguration -Router x.x.x.x.
- Use netsh interface ipv6 isatap set router x.x.x.x.
- Configure the ISATAP Router Name Group Policy setting.
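The DNS-side work described above (publish the ISATAP host record, then unblock the name) can be done with the DnsServer module that ships with the DNS Server role on Windows Server 2012. The following script is an added example and is not part of the course; it assumes the zone adatum.com and the router IPv4 address 172.16.0.1 used in this module's lab, and must be run on the DNS server by a DNS administrator.

```powershell
# Added example, not part of the course: publish the ISATAP router name in DNS and
# unblock it in the global query block list. Assumed values: zone adatum.com,
# router 172.16.0.1. Run on the DNS server as a DNS administrator.
$zone     = 'adatum.com'
$routerV4 = '172.16.0.1'

# 1. Create the ISATAP host (A) record if it is not already there.
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name 'isatap' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'isatap' -IPv4Address $routerV4
}

# 2. The block list stops the server answering for "isatap" and "wpad" even when a
#    record exists, so that a rogue dynamic-update client cannot hijack those names.
#    Remove only isatap; leave wpad blocked.
$gqbl = Get-DnsServerGlobalQueryBlockList
if ($gqbl.List -contains 'isatap') {
    Set-DnsServerGlobalQueryBlockList -List @($gqbl.List | Where-Object { $_ -ne 'isatap' })
    Restart-Service -Name DNS
}
Get-DnsServerGlobalQueryBlockList   # expect Enable : True and List : {wpad}

# 3. Verify that the name now resolves to the router address.
$answer = Resolve-DnsName -Name "isatap.$zone" -Type A -ErrorAction Stop
if ($answer.IPAddress -ne $routerV4) {
    throw "isatap resolves to $($answer.IPAddress), expected $routerV4"
}
```

Editing GlobalQueryBlockList in the registry, as the lab does later in this module, changes the same setting; the cmdlet form is easier to audit and to repeat on every DNS server in the domain.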

Note: All ISATAP nodes are connected to a single IPv6 subnet. This means that all ISATAP nodes are part of the same AD DS site, which may not be desirable. As such, you should use ISATAP only for limited testing. For intranet-wide deployment, you should instead deploy native IPv6 support.

What Is 6to4?
6to4 is a technology that you use to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 treats the entire IPv4 Internet as a single link. In the following 6to4 address, WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z, a public IPv4 address:

2002:WWXX:YYZZ:Subnet_ID:Interface_ID

Enabling 6to4 Router Functionality in Windows Operating Systems
To enable Windows Server 2012 as a 6to4 router, you enable Internet Connection Sharing (ICS). When you enable ICS on a computer that is running a Windows operating system, the following occurs:
- IPv6 forwarding is enabled on the 6to4 tunneling and private interfaces.
- The private interface connects to a single subnet, and uses private IPv4 addresses from the 192.168.0.0/24 prefix.
- A 64-bit IPv6 subnet prefix is selected for advertisement on the private intranet. The 6to4 component derives the intranet subnet prefix from 2002:WWXX:YYZZ:InterfaceIndex::/64, in which InterfaceIndex is the private interface's index.
- Router advertisement messages are sent on the private interface. The router advertisement messages advertise the ICS computer as a default router and contain the derived 6to4 subnet prefix.

How 6to4 Tunneling Works


Within a site, local IPv6 routers advertise 2002:WWXX:YYZZ:Subnet_ID::/64 subnet prefixes so that hosts autoconfigure 6to4 addresses. IPv6 routers within the site deliver traffic between 6to4 hosts. Hosts on individual subnets are configured automatically with a 64-bit subnet route for direct delivery to neighbors and a default route with the next-hop address of the advertising router. IPv6 traffic that does not match any of the subnet prefixes that the site uses is forwarded to a 6to4 router on the site border. The 6to4 router on the site border has a 2002::/16 route that forwards traffic to other 6to4 sites and a default route of ::/0 that forwards traffic to a 6to4 relay on the IPv4 Internet.

Example
In the example network shown in the slide, Host A and Host B can communicate with each other because of a default route using the next-hop address of the 6to4 router in Site 1. When Host A communicates with Host C in another site, Host A sends the traffic to the 6to4 router in Site 1 as IPv6 packets. The 6to4 router in Site 1, using the 2002::/16 route in its routing table and the 6to4 tunnel interface, encapsulates the traffic with an IPv4 header and tunnels it to the 6to4 router in Site 2. The 6to4 router in Site 2 receives the tunneled traffic, removes the IPv4 header, and, using the subnet prefix route in its routing table, forwards the IPv6 packet to Host C.

For example, Host A resides on subnet 1 within Site 1 and uses the public IPv4 address of 157.60.91.123. Host C resides on subnet 2 within Site 2 and uses the public IPv4 address of 131.107.210.49. The table that appears in the slide lists the addresses in the IPv4 and IPv6 headers when the 6to4 router in Site 1 sends the IPv4-encapsulated IPv6 packet to the 6to4 router in Site 2.

What Is Teredo?


Teredo tunneling enables you to tunnel across the IPv4-only Internet when the clients are behind an IPv4 NAT. Teredo was created because many Internet connections use private IPv4 addresses behind a NAT. Teredo is a last-resort transition technology for IPv6 connectivity. If native IPv6, ISATAP, or 6to4 connectivity is present between communicating nodes, Teredo is not used. As more IPv4 NATs are upgraded to support 6to4, and as IPv6 connectivity becomes ubiquitous, Teredo will be used less frequently, until eventually it is not used at all.

Teredo Components
The Teredo components are as follows:
- Teredo client. Supports a Teredo tunneling interface through which packets are tunneled to other Teredo clients or nodes on the IPv6 Internet through a Teredo relay.
- Teredo server. Connects to both the IPv4 and IPv6 Internet. The role of the Teredo server is to assist in the initial Teredo client configuration, and to facilitate the initial communication between Teredo clients in different sites or between Teredo clients and IPv6-only hosts on the IPv6 Internet.
- Teredo relay. Forwards packets between Teredo clients on the IPv4 Internet and IPv6-only hosts on the IPv6 Internet.
- Teredo host-specific relay. Has interfaces on, and connects to, the IPv4 and IPv6 Internet. Additionally, a Teredo host-specific relay can communicate directly with Teredo clients over the IPv4 Internet without needing an intermediate Teredo relay. The connectivity to the IPv4 Internet can be through a public IPv4 address or through a private IPv4 address and a neighboring NAT. The connectivity to the IPv6 Internet can be through a direct connection to the IPv6 Internet, or through an IPv6 transition technology, such as 6to4.
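Each of the three transition technologies in this lesson embeds IPv4 information in the IPv6 address itself: ISATAP puts the host's IPv4 address after 0:5EFE or 200:5EFE, 6to4 puts the site's public IPv4 address in the 2002::/16 prefix, and Teredo (RFC 4380) puts the Teredo server address, a flags field, and the client's NAT-mapped port and public address (both XORed with all-ones bits) into a 2001:0::/32 address. Being able to decode these is useful when an IPv6 address in a log, a firewall rule or a routing table must be traced back to the IPv4 host or NAT behind it. The following functions are an added example and are not part of the course; the sample addresses at the end are constructed from the documentation values used in this lesson and the RFC 4380 example, not live hosts.

```powershell
# Added example, not part of the course: build and decode ISATAP, 6to4 and Teredo
# addresses using only System.Net.IPAddress (no network access).

function Get-IPv4FromBytes {
    # Dotted-quad string from four bytes of a 16-byte IPv6 address starting at $Offset,
    # optionally XORed with a mask (Teredo stores port and client address inverted).
    param([byte[]]$Bytes, [int]$Offset, [byte]$XorMask = 0)
    $q = 0..3 | ForEach-Object { $Bytes[$Offset + $_] -bxor $XorMask }
    '{0}.{1}.{2}.{3}' -f $q[0], $q[1], $q[2], $q[3]
}

function ConvertTo-6to4Prefix {
    # 2002:WWXX:YYZZ::/48, the 6to4 site prefix for a public IPv4 address w.x.y.z.
    param([Parameter(Mandatory)][string]$IPv4Address)
    $b = ([System.Net.IPAddress]::Parse($IPv4Address)).GetAddressBytes()
    '2002:{0:x2}{1:x2}:{2:x2}{3:x2}::/48' -f $b[0], $b[1], $b[2], $b[3]
}

function New-IsatapAddress {
    # [prefix]:0:5efe:w.x.y.z for a private (RFC 1918) IPv4 address,
    # [prefix]:200:5efe:w.x.y.z for a public one (the "u" bit set in the interface ID).
    param([Parameter(Mandatory)][string]$Prefix64, [Parameter(Mandatory)][string]$IPv4Address)
    $b = ([System.Net.IPAddress]::Parse($IPv4Address)).GetAddressBytes()
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    '{0}:{1}:5efe:{2}' -f $Prefix64, $(if ($private) { '0' } else { '200' }), $IPv4Address
}

function ConvertFrom-TransitionAddress {
    # Classify an IPv6 address and return the IPv4 data embedded in it, or $null if native.
    param([Parameter(Mandatory)][string]$IPv6Address)
    $ip = [System.Net.IPAddress]::Parse($IPv6Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $IPv6Address"
    }
    $b = $ip.GetAddressBytes()    # 16 bytes in network order

    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {
        # 6to4: the site's public IPv4 address occupies bits 16-47.
        return [pscustomobject]@{ Type = '6to4'; SiteIPv4 = Get-IPv4FromBytes $b 2 }
    }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) {
        # Teredo: 2001:0:<server IPv4>:<flags>:<~port>:<~client IPv4> (RFC 4380).
        $flags = ($b[8] -shl 8) -bor $b[9]
        return [pscustomobject]@{
            Type       = 'Teredo'
            ServerIPv4 = Get-IPv4FromBytes $b 4
            ConeFlag   = [bool]($flags -band 0x8000)
            ClientPort = (($b[10] -shl 8) -bor $b[11]) -bxor 0xFFFF
            ClientIPv4 = Get-IPv4FromBytes $b 12 0xFF   # public address of the client's NAT
        }
    }
    if (($b[8] -eq 0 -or $b[8] -eq 2) -and $b[9] -eq 0 -and $b[10] -eq 0x5E -and $b[11] -eq 0xFE) {
        # ISATAP: interface ID 0000:5efe or 0200:5efe followed by the host's IPv4 address.
        return [pscustomobject]@{
            Type       = 'ISATAP'
            HostIPv4   = Get-IPv4FromBytes $b 12
            PublicIPv4 = ($b[8] -eq 2)
        }
    }
    return $null
}

# Constructed sample values (documentation addresses and the RFC 4380 example):
ConvertTo-6to4Prefix '157.60.91.123'                                   # 2002:9d3c:5b7b::/48
New-IsatapAddress -Prefix64 '2001:db8:0:2' -IPv4Address '172.16.0.10'  # 2001:db8:0:2:0:5efe:172.16.0.10
ConvertFrom-TransitionAddress '2001:db8::200:5efe:131.107.137.133'     # ISATAP, public host 131.107.137.133
ConvertFrom-TransitionAddress '2002:9d3c:5b7b:1::1'                    # 6to4, site 157.60.91.123
ConvertFrom-TransitionAddress '2001:0:4136:e378:8000:63bf:3fff:fdd2'   # Teredo, server 65.54.227.120,
                                                                        # client 192.0.2.45 port 40000, cone NAT
```

The practical consequence for a security review is that a 6to4 or Teredo address discloses the public IPv4 address (and, for Teredo, the NAT port) of whoever is using it, and an ISATAP address discloses the internal IPv4 address of the host; none of these addresses should be treated as anonymous.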

What Is PortProxy?


You can use the PortProxy service as an application-layer gateway for nodes or applications that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address type, Internet layer protocol (IPv4 or IPv6), and TCP port. This service's primary purpose is to allow IPv6 nodes to communicate with IPv4-only TCP applications.

PortProxy can proxy only TCP data, and it supports only application-layer protocols that do not embed address or port information inside the application-layer data. PortProxy cannot change address information at the application level, and is not flexible. Additionally, you will fare better using other tunneling technologies to address many of the issues that you typically would address by using PortProxy.

Some areas where PortProxy can be helpful and provide solutions during a transition phase include when:
- An IPv4-only node can access an IPv6-only node.
- An IPv6-only node can access an IPv4-only node.
- An IPv6 node can access an IPv4-only service that is running on a PortProxy computer.
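PortProxy is configured with netsh interface portproxy. The following script is an added example, not part of the course: it publishes an IPv4-only TCP service to IPv6 clients (the second case in the list above) and then enumerates the proxy table from the registry, where PortProxy rules persist across reboots. All addresses and ports are hypothetical: the PortProxy host listens on 2001:db8:0:2::10 port 8080 and forwards to an IPv4-only web server at 172.16.0.20 port 80. Run it in an elevated PowerShell session on a host where IPv6 is enabled, because PortProxy depends on the IPv6 stack.

```powershell
# Added example, not part of the course: expose an IPv4-only TCP service to IPv6
# clients through PortProxy, then audit the proxy table. Hypothetical values.
$listenAddr  = '2001:db8:0:2::10'
$listenPort  = 8080
$connectAddr = '172.16.0.20'
$connectPort = 80

# Only TCP is proxied and nothing inside the payload is rewritten, so protocols that
# carry addresses in-band (for example active-mode FTP) will not work through it.
netsh interface portproxy add v6tov4 "listenport=$listenPort" "listenaddress=$listenAddr" `
    "connectport=$connectPort" "connectaddress=$connectAddr"

# The listener is owned by the IP Helper service, which must be running.
Get-Service -Name iphlpsvc | Select-Object Name, Status

# The listener still needs an inbound firewall rule.
New-NetFirewallRule -DisplayName "PortProxy $listenPort" -Direction Inbound -Protocol TCP `
    -LocalPort $listenPort -Action Allow | Out-Null

netsh interface portproxy show all

function Get-PortProxyRule {
    # PortProxy rules persist in the registry and survive reboots, and attackers use
    # them to pivot between networks, so enumerate them during audits and incident
    # response rather than trusting only "netsh ... show all". The value name is the
    # listen address/port and the value data is the target address/port.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path -Path $base)) { return }
    foreach ($mode in (Get-ChildItem -Path $base)) {            # v4tov4, v6tov4, v4tov6, v6tov6
        foreach ($proto in (Get-ChildItem -Path $mode.PSPath)) {  # tcp
            $values = Get-ItemProperty -Path $proto.PSPath
            foreach ($p in ($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                [pscustomobject]@{
                    Mode     = $mode.PSChildName
                    Protocol = $proto.PSChildName
                    Listen   = $p.Name
                    Target   = $p.Value
                }
            }
        }
    }
}
Get-PortProxyRule | Format-Table -AutoSize

# Remove the rule when the transition is over; otherwise it is a standing open port:
# netsh interface portproxy delete v6tov4 "listenport=$listenPort" "listenaddress=$listenAddr"
```

Because a PortProxy rule is an open listener that forwards to another host, treat every rule as a firewall exception: record who created it and why, and include the registry enumeration above in server baselines so that rules nobody remembers adding are noticed.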

Additional Reading: For more information about IPv6 transition technologies, see http://go.microsoft.com/fwlink/?LinkID=112079&clcid=0x409.

Process for Transitioning to IPv6-Only


The industry-wide migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration when designing IPv6 and, as a result, the transition plan for IPv6 is a multistep process that allows for extended coexistence. To achieve the goal of a pure IPv6 environment, use the following general guidelines:
- Upgrade your applications to be independent of either IPv6 or IPv4. For example, you can change applications to use new Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation, and other functions are independent regardless of whether you are using IPv4 or IPv6.
- Upgrade routing infrastructure for native IPv6 routing. You must upgrade routers to support both native IPv6 routing and IPv6 routing protocols.
- Upgrade devices to support IPv6. The majority of current networking hardware supports IPv6, but many other types of devices do not. You need to verify that all network-attached devices, such as printers and scanners, also support IPv6.
- Update the DNS infrastructure to support IPv6 address and pointer (PTR) resource records. You might have to upgrade the DNS infrastructure to support the new IPv6 host address (AAAA) resource records (required) and pointer (PTR) resource records in the IP6.ARPA reverse domain (optional). Additionally, ensure that the DNS servers support DNS traffic over IPv6 and DNS dynamic update for IPv6 host address (AAAA) resource records so that IPv6 hosts can register their names and IPv6 addresses automatically.
- Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use both IPv4 and IPv6. You also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6 addresses. You can deploy ISATAP in a limited capacity to test IPv6 and DNS functionality.

Most organizations will most likely add IPv6 to an existing IPv4 environment and continue to have coexistence for an extended period of time. There are still in existence many legacy applications and devices that do not support IPv6, and coexistence is much simpler than using transition technologies such as ISATAP.

IPv6 is enabled by default for Windows Vista or newer clients and Windows Server 2008 or newer servers. As a best practice, you should not disable IPv6 unless there is a technical reason to do so. Some features in Windows operating systems rely on IPv6.


Lab: Implementing IPv6


Scenario
A. Datum Corporation has an IT office and data center in London, which support the London location and other locations. They have recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You now need to configure the infrastructure service for a new branch office. The IT manager at A. Datum has been briefed by several application vendors about newly added support for IPv6 in their products. A. Datum does not have IPv6 support in place at this time. The IT manager would like you to configure a test lab that uses IPv6. As part of the test lab configuration, you also need to configure ISATAP to allow communication between an IPv4 network and an IPv6 network.

Objectives
After completing this lab, you will be able to:
- Configure IPv6.
- Configure an ISATAP router.

Lab Setup
Estimated Time: 40 minutes

Logon Information
Virtual Machines: 20410A-LON-DC1, 20410A-LON-RTR, 20410A-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-RTR and 20410A-LON-SVR2.

Exercise 1: Configuring an IPv6 Network


Scenario
As the first step in configuring the test lab, you need to configure LON-DC1 as an IPv4-only node, and LON-SVR2 as an IPv6-only node. You also need to configure LON-RTR to support IPv6 routing.

The main tasks for this exercise are as follows:
1. Verify IPv4 routing.
2. Disable IPv6 on LON-DC1.
3. Disable IPv4 on LON-SVR2.
4. Configure an IPv6 network on LON-RTR.
5. Verify IPv6 on LON-SVR2.

Task 1: Verify IPv4 routing


1. On LON-SVR2, open a Windows PowerShell prompt.
2. Ping LON-DC1 to verify that IPv4 is routing through LON-RTR.
3. Use ipconfig to verify that LON-SVR2 has only a link-local IPv6 address.

Task 2: Disable IPv6 on LON-DC1


1. On LON-DC1, in Server Manager, on the Local Server page, open the Local Area Connection properties.
2. Disable IPv6 for Local Area Connection.

Task 3: Disable IPv4 on LON-SVR2


1. On LON-SVR2, in Server Manager, on the Local Server page, open the properties of Local Area Connection.
2. Disable IPv4 for Local Area Connection.

Task 4: Configure an IPv6 network on LON-RTR


1. On LON-RTR, open Windows PowerShell.
2. Use the following New-NetRoute cmdlet to add an IPv6 network on Local Area Connection 2 to the local routing table:
   New-NetRoute -InterfaceAlias "Local Area Connection 2" -DestinationPrefix 2001:db8:0:1::/64 -Publish Yes
3. Use the following Set-NetIPInterface cmdlet to enable router advertisements on Local Area Connection 2:
   Set-NetIPInterface -InterfaceAlias "Local Area Connection 2" -AddressFamily IPv6 -Advertising Enabled
4. Use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64 network.

Task 5: Verify IPv6 on LON-SVR2


On LON-SVR2, use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64 network.

Results: After completing the exercise, students will have configured an IPv6-only network.


Exercise 2: Configuring an ISATAP Router


Scenario
After configuring the infrastructure for an IPv4-only network and an IPv6-only network, you need to configure ISATAP to support communication between the IPv4-only nodes and the IPv6-only nodes.

The main tasks for this exercise are as follows:
1. Add an ISATAP host record to DNS.
2. Enable the ISATAP router on LON-RTR.
3. Remove ISATAP from the DNS Global Query Block List.
4. Enable ISATAP on LON-DC1.
5. Test connectivity.

Task 1: Add an ISATAP host record to DNS


1. On LON-DC1, in Server Manager, open the DNS tool.
2. Add an ISATAP host record that resolves to 172.16.0.1.

Task 2: Enable the ISATAP router on LON-RTR


1. On LON-RTR, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:
   Set-NetIsatapConfiguration -Router 172.16.0.1
2. Use the following Get-NetIPAddress cmdlet to identify the interface index of the ISATAP interface with 172.16.0.1 in the link-local address, and record it:
   Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address
   Interface index: ______
3. Use the following Get-NetIPInterface cmdlet to verify that, on the ISATAP interface, forwarding is enabled and advertising is disabled:
   Get-NetIPInterface -InterfaceIndex IndexYouRecorded -PolicyStore ActiveStore | Format-List
4. Use the following Set-NetIPInterface cmdlet to enable router advertisements on the ISATAP interface:
   Set-NetIPInterface -InterfaceIndex IndexYouRecorded -Advertising Enabled
5. Use the following New-NetRoute cmdlet to configure a network route for the ISATAP interface:
   New-NetRoute -InterfaceIndex IndexYouRecorded -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes
6. Use the following Get-NetIPAddress cmdlet to verify that the ISATAP interface has an IPv6 address on the 2001:db8:0:2::/64 network:
   Get-NetIPAddress -InterfaceIndex IndexYouRecorded
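The steps of Task 2 can be run as one script that finds the ISATAP interface index itself instead of reading it off a table. This is an added example and is not part of the course; it assumes the lab values (router IPv4 address 172.16.0.1, ISATAP subnet 2001:db8:0:2::/64) and that Windows displays the ISATAP link-local address with the embedded IPv4 address in dotted form, as this task describes.

```powershell
# Added example, not part of the course: Task 2 on LON-RTR as one idempotent script.
# Assumed lab values: router 172.16.0.1, ISATAP subnet 2001:db8:0:2::/64.
$routerV4  = '172.16.0.1'
$isatapNet = '2001:db8:0:2::/64'

Set-NetIsatapConfiguration -Router $routerV4

# The ISATAP tunnel interface gets a link-local address fe80::5efe:w.x.y.z, shown with the
# embedded IPv4 address in dotted form, so locate it by matching the router address.
$pattern = '5efe:' + [regex]::Escape($routerV4) + '$'
$tunnel  = Get-NetIPAddress -AddressFamily IPv6 |
           Where-Object { $_.IPAddress -match $pattern } |
           Select-Object -First 1
if (-not $tunnel) { throw 'ISATAP tunnel interface not found; check the -Router value and the isatap DNS record.' }
$idx = $tunnel.InterfaceIndex

# State before the change: Forwarding should already be Enabled, Advertising Disabled.
Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv6 -PolicyStore ActiveStore |
    Format-List InterfaceAlias, InterfaceIndex, Forwarding, Advertising

# Advertise on the tunnel interface and publish the ISATAP subnet route (skipped if present).
Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv6 -Advertising Enabled
if (-not (Get-NetRoute -InterfaceIndex $idx -DestinationPrefix $isatapNet -ErrorAction SilentlyContinue)) {
    New-NetRoute -InterfaceIndex $idx -DestinationPrefix $isatapNet -Publish Yes
}

# State after: the interface holds an address on 2001:db8:0:2::/64 and Advertising is Enabled.
Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv6 | Format-Table IPAddress, PrefixLength, PrefixOrigin
Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv6 -PolicyStore ActiveStore |
    Format-Table InterfaceAlias, Forwarding, Advertising
```

Once Advertising is enabled here, every host that resolves the name isatap to this router will accept it as its IPv6 default gateway, which is why the DNS record and the Global Query Block List change in the next task should be limited to the test environment.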


Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, open Regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
2. Modify GlobalQueryBlockList to remove isatap.
3. Restart the DNS service.
4. Ping isatap to verify that it can be resolved. The name should resolve to 172.16.0.1, even though the four echo requests themselves report Request timed out.

Task 4: Enable ISATAP on LON-DC1


1. On LON-DC1, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:
   Set-NetIsatapConfiguration -State Enabled
2. Use ipconfig to verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network.

Task 5: Test connectivity


1. On LON-SVR2, use the following ping command to test connectivity to the ISATAP address for LON-DC1:
   ping 2001:db8:0:2:0:5efe:172.16.0.10
2. Use Server Manager to modify the properties of TCP/IPv6 on Local Area Connection 2, and add 2001:db8:0:2:0:5efe:172.16.0.10 as the preferred DNS server.
3. Use the ping command to test connectivity to LON-DC1 by name.

Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to allow communication between an IPv6-only network and an IPv4-only network.

To prepare for the next module


After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.


Module Review and Takeaways


Review Questions
Question: What is the main difference between 6to4 and Teredo?

Question: How can you provide a DNS server dynamically to an IPv6 host?

Question: Your organization is planning to implement IPv6 internally. After some research, you have identified unique local IPv6 addresses as the correct type of IPv6 addresses to use for private networking. To use unique local IPv6 addresses, you must select a 40-bit identifier that is part of the network. A colleague suggests using all zeros for the 40 bits. Why is this not a good idea?

Question: How many IPv6 addresses should an IPv6 node be configured with?

Best Practice:
Use the following best practices when implementing IPv6:
- Do not disable IPv6 on Windows 8 or Windows Server 2012.
- Enable coexistence of IPv4 and IPv6 in your organization rather than using transition technologies.
- Use unique local IPv6 addresses on your internal network.
- Use Teredo to implement IPv6 connectivity over the IPv4 Internet.


Module 9
Implementing Local Storage
Contents:
Module Overview Lesson 1: Overview of Storage Lesson 2: Managing Disks and Volumes Lesson 3: Implementing Storage Spaces Lab: Implementing Local Storage Module Review and Takeaways 9-1 9-2 9-11 9-20 9-25 9-30

Module Overview
Storage is one of the key components that you must consider when planning and deploying Windows Server 2012 operating systems. Most organizations require a great deal of storage because users work regularly with applications that create new files that need to be stored in a central location. Storage demands increase when users keep their files for longer periods of time. Every time a user logs on to a server, an audit trail is created in an event log, which also uses storage. Even as files are created, copied, and moved, storage is required. This module introduces you to different storage technologies. It discusses how to implement the storage solutions in Windows Server 2012, and how to use Storage Spaces, a new feature that you can use to combine disks into pools that are then managed automatically.

Objectives
After completing this module you will be able to:
- Explain the various storage technologies.
- Manage disks and volumes.
- Implement Storage Spaces.


Lesson 1

Overview of Storage


When you plan a server deployment, one of the key components that you will require is storage. There are various types of storage that you can utilize, from locally attached storage, to storage that is remotely accessed via Ethernet, or even connected with optical fiber. You should be aware of each solution's benefits as well as its limitations.

As you prepare to deploy storage for your environment, you will need to make some important decisions. This lesson addresses questions you might consider, such as the following:
- Does the storage need to be fast?
- Does the storage need to be highly available?
- How much storage does your deployment actually require?
- How much resilience do you need to add to the initial storage requirement to ensure that your investment remains secure in the future?

Lesson Objectives


After completing this lesson, you will be able to:
- Describe disk types and performance.
- Describe direct-attached storage.
- Describe network-attached storage.
- Describe storage area networks (SANs).
- Describe Redundant Array of Independent Disks (RAID).
- Describe RAID levels.

Disk Types and Performance


There are various types of disks available that you can use to provide storage to server and client systems. The speed of disks is measured in input/output operations per second (IOPS). The most common types of disks are:
- Enhanced Integrated Drive Electronics (EIDE). EIDE is based on standards that were created in 1986. The Integrated Drive Electronics (IDE) interface supports both the Advanced Technology Attachment 2 (ATA-2) and Advanced Technology Attachment Packet Interface (ATAPI) standards. Enhanced refers to the ATA-2 (Fast ATA) standard, which provides faster transfer rates and allows for multiple channels, each connecting two devices. In practice, the terms EIDE, IDE, and ATA are synonymous. These drives are commonly found connected using a 40-wire cable or 80-wire cable, and can only have two devices chained at any time. Due to the addressing standards of this technology, there is a 128 gigabyte (GB) limitation on storage using EIDE. Further, the speed of EIDE is limited to a maximum of 133 megabytes (MB) per second. EIDE drives are almost never used on servers today.


- Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel, for connecting the motherboard or device adapters to mass storage devices such as hard disk drives and optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but SATA host adapters and devices communicate via a high-speed serial cable over two pairs of conductors. SATA was introduced in 2003 and can operate at link speeds of 1.5, 3.0, and 6.0 gigabits (Gb) per second, depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than other drive options, but also provide less performance. Organizations may choose to deploy SATA drives when they require large amounts of storage, but not high performance. SATA disks are generally low-cost disks that provide mass storage. However, for the lower cost they are also less reliable compared to serial attached SCSI (SAS) disks. A variation on the SATA interface is eSATA, which is designed to enable high-speed access to externally-attached SATA drives.

- Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and transferring data between computers and peripheral devices. SCSI was originally introduced in 1978 and was designed as an interface on a lower-level communication, subsequently allowing it to take less processing power and perform transactions at higher speeds. SCSI became a standard in 1986. Similar to EIDE, SCSI was designed to run over parallel cables; however, recently the usage has been expanded to run over other mediums. The 1986 parallel specification of SCSI had initial transfer speeds of 5 MB per second. The more recent 2003 implementation, Ultra 640 SCSI, also known as Ultra 5, can transfer data at 640 MB per second. SCSI disks provide higher performance than SATA disks, but are also more expensive.
- SAS. SAS is a further implementation of the SCSI standard. SAS depends on a point-to-point serial protocol that replaces the parallel SCSI bus technology, and uses the standard SCSI command set. SAS offers backwards-compatibility with second generation SATA drives. SAS drives are reliable and made for 24 hours a day, seven days a week (24/7) operations in data centers. With up to 15,000 rotations per minute (RPM), these disks are also the fastest traditional hard disks.
- Solid State Drives (SSDs). SSDs are data storage devices that use solid-state memory to store data rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs use microchips to store the data and do not contain any moving parts. SSDs provide fast disk access, use less power, and are less susceptible to failure from being dropped than traditional hard disks (such as SAS drives), but are also much more expensive per GB of storage. SSDs typically use a SATA interface, so you can usually replace hard disk drives with SSDs without any modifications.

Note: Fibre Channel, FireWire, or USB-attached disks are also available storage options. These terms define either the transport bus or the disk type. For example, USB-attached disks mostly use SATA or SSD drives to store the data.
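On a Windows Server 2012 host, the bus type, media type and spindle speed described above are all reported by the Storage module's Get-PhysicalDisk cmdlet. The following inventory function is an added example and is not part of the course; it assumes nothing beyond the properties Get-PhysicalDisk exposes, and groups the disks so that the fastest tiers (SSD, then 15,000 RPM SAS, then SATA) and any externally attached or unhealthy disks stand out.

```powershell
# Added example, not part of the course: inventory physical disks by bus and media
# type, and flag disks that are externally attached (USB, IEEE 1394) or unhealthy.
function Get-DiskInventory {
    Get-PhysicalDisk | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.FriendlyName
            Bus      = $_.BusType                          # SATA, SAS, USB, 1394, iSCSI, Fibre Channel, ...
            Media    = $_.MediaType                        # HDD, SSD or Unspecified
            RPM      = $_.SpindleSpeed                     # rotations per minute; 0 for solid-state
            SizeGB   = [math]::Round($_.Size / 1GB, 1)
            Health   = $_.HealthStatus
            CanPool  = $_.CanPool                          # eligible for a Storage Spaces pool
            External = ($_.BusType -in @('USB', '1394'))   # removable media on a server deserves a look
        }
    }
}

$inventory = Get-DiskInventory
$inventory | Sort-Object Bus, Name | Format-Table -AutoSize

# How much of each tier is present (SSD, then SAS, then SATA, per the text above).
$inventory | Group-Object Media, Bus | Select-Object Name, Count

# Review anything that is externally attached or reports a problem.
$inventory | Where-Object { $_.External -or $_.Health -ne 'Healthy' } |
    Format-Table Name, Bus, Media, Health -AutoSize
```

Running the inventory at build time and again during audits gives a simple baseline: a disk that appears later on the USB or 1394 bus of a production server is worth an explanation.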


What Is Direct Attached Storage?


Almost all servers provide some built-in storage. This type of storage is referred to as direct attached storage (DAS). DAS can include disks that are physically located inside the server, connected directly with an external array, or disks that are connected to the server with a USB cable or an alternative communications methodology. Primarily, DAS storage is physically connected to the server. Because of this, if the server suffers a power failure, the storage is unavailable. DAS comes in various disk types such as SATA, SAS or SSD, which affect the speed and the performance of the storage, and has both advantages and disadvantages.

Advantages of Using DAS


A typical DAS system is made up of a data storage device that includes a number of hard disk drives that are connected directly to a computer through a host bus adapter (HBA). Between the DAS and the computer, there are no network devices such as hubs, switches, or routers. Instead, the storage is connected directly to the server that utilizes it, making DAS the easiest storage system to deploy and maintain. DAS is also usually the least expensive storage available today, and is widely available in various speeds and sizes to accommodate various installations. In addition to being inexpensive, DAS is very easy to configure. In most instances, you would simply plug in the device, ensure that the running Windows operating system recognizes it, and then use Disk Management to configure the disks.

Disadvantages of Using DAS


Storing data locally on DAS makes data centralization more difficult because the data is located on multiple servers. This can make it more complex to back up the data and, for users, to locate the data they are looking for. Furthermore, if any one device that has DAS connected to it suffers a power outage, the storage on that computer is unavailable.

DAS also has drawbacks in its access methodologies. Due to the way reads and writes are handled by the server operating system, DAS can be slower than other storage technologies. Another drawback is that DAS shares the processing power and server memory to which it is connected. This means that on very busy servers, disk access may slow when the operating system is overloaded.


What Is Network Attached Storage?


Network attached storage (NAS) is storage that is connected to a dedicated storage device and then accessed over the network. NAS is different than DAS in that the storage is not directly attached to each individual server, but rather is accessible across the network to many servers. NAS has two distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with SAN.

Each NAS device has a dedicated operating system that solely controls the access to the data on the device, which reduces the overhead associated with sharing the storage device with other server services. An example of NAS software is Windows Storage Server, a feature of Windows Server 2012.

To enable NAS storage, you need a storage device. Frequently, these devices are appliances that do not have any server interfaces such as keyboards, mice and monitors. Instead, to configure the device, you provide a network configuration and then access the device across the network. You can then create network shares on the device by using the name of the NAS and the share created. These shares are then accessible to users on the network.

Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies are identical; the access method is the only thing that changes. Enterprises often provision storage from the SAN to the servers using FCoE or iSCSI, while NAS services are made available via CIFS and NFS; the disk drives (aggregates) are the same, the methods for writing are the same, and the overhead and reliability are the same.

Advantages of Using NAS
NAS is an ideal choice for organizations that are looking for a simple and cost-effective way to achieve fast data access for multiple clients at the file level. Users of NAS benefit from performance and productivity gains because the processing power of the NAS device is dedicated solely to the distribution of the files. NAS also fits nicely into the market as a mid-priced solution. It is not expensive, but it suits more needs than DAS in the following ways:
- NAS storage is usually much larger than DAS.
- NAS offers a single location for all critical files, rather than inter-dispersing them on various servers or devices with DAS.
- NAS offers centralized storage at an affordable price.
- NAS units are accessible from any operating system. They often have multi-protocol support and can serve up data via CIFS and NFS at the same time, thus serving Windows and Linux hosts at the same time.

NAS can also be considered a Plug and Play solution that is easy to install, deploy, and manage, with or without IT staff at hand.

Disadvantages of Using NAS


NAS is slower than SAN technologies. NAS is frequently accessed via Ethernet protocols. Because of this, it relies heavily on the network supporting the NAS solution. For this reason, NAS is commonly used as a file sharing/storage solution and cannot (and should not) be used with data-intensive applications such as Microsoft Exchange Server and Microsoft SQL Server.

9-6

Implementing Local Storage

NAS is affordable for small to mid-size businesses and, similar to DAS, has overheads of an operating system that reads and writes data in different ways than a SAN solution. NAS systems are more frequently prone to the possibility of data loss depending on the size of the data being copied.

Additional Reading: For more information about Windows Storage Server, see http://go.microsoft.com/fwlink/?LinkID=199647.

What Is a SAN?
The third type of storage is a storage area network (SAN). A SAN is a specialized high speed network that connects computer systems or host servers to high-performance storage subsystems. A SAN usually includes various components such as host bus adapters (HBAs), special switches to help route traffic, and storage disk arrays with logical unit numbers (LUNs) for storage. A SAN enables multiple servers to access a pool of storage in which any server can potentially access any storage unit.

A SAN uses a network like any other network, such as a local area network (LAN). You can, therefore, use a SAN to connect many different devices and hosts to provide access to any device from anywhere.

Unlike DAS or NAS, a SAN is controlled by a hardware device and offers the fastest access to the storage and offers methods to minimize overhead (such as using raw disks).

Advantages of Using SAN


SAN technologies read and write at block levels, making data access much faster. For example, with most DAS and NAS solutions, if you write a file of 8 GB, the entire file will have to be read/written and its checksum calculated. With SAN, the file is written to the disk based on the block size for which the SAN is set up. This speed is accomplished by fiber access methodologies and block level writing, instead of having to read/write an entire file by using a checksum. SANs also provide:
• Centralization of storage into a single pool, which enables storage resources and server resources to grow independently. They also enable storage to be dynamically assigned from the pool when it is required. Storage on a given server can be increased or decreased as needed without complex reconfiguring or re-cabling of devices.
• Common infrastructure for attaching storage, which enables a single common management model for configuration and deployment.
• Storage devices that are inherently shared by multiple systems.
• Data transfer directly from device to device without server intervention.


• A high level of redundancy. Most SANs are deployed with multiple network devices and paths through the network. As well, the storage device contains redundant components such as power supplies and hard disks.

Disadvantages of Using SAN


The main drawback to SAN technology is that due to the complexities in the configuration, SAN often requires management tools and expert skills. It is also considerably more expensive than DAS or NAS; an entry level SAN can often cost as much as a fully loaded server with a DAS or an NAS device, and that is without any SAN disks or configuration. To manage a SAN, you often use command-line tools. You must have a firm understanding of the underlying technology, including the LUN setup, the Fibre Channel back end, the block sizing, and so on. In addition, each storage vendor often implements SANs using different tools and features. Because of this, organizations often have dedicated personnel whose only job is to manage the SAN deployment.

Note: SANs can be implemented using a variety of technologies. The most common options are Fibre Channel and Internet SCSI (iSCSI).

What Is RAID?
RAID is a technology that you can use to configure storage systems that provide high reliability and (potentially) high performance. RAID implements storage systems by combining multiple disks into a single logical unit called a RAID array, which, depending on the configuration, can withstand the failure of one or more of the physical hard disks, or provide higher performance than is available by using a single disk.

RAID provides an important component, redundancy, that you can use when planning and deploying Windows Server 2012 servers. In most organizations, it is important that the servers are available all of the time. Most servers provide highly redundant components such as redundant power supplies, and redundant network adapters. The goal of this redundancy is to ensure that the server remains available even when a single component on the server fails. By implementing RAID, you can provide the same level of redundancy for the storage system.

How RAID Works


RAID enables fault tolerance by using additional disks to ensure that the disk subsystem can continue to function even if one or more disks in the subsystem fail. RAID uses two options for enabling fault tolerance:
• Disk mirroring. With disk mirroring, all of the information that is written to one disk is also written to another disk. If one of the disks fails, the other disk is still available.
• Parity information. Parity information is used in the event of a disk failure to calculate the information that was stored on a disk. If you use this option, the server or RAID controller calculates the parity information for each block of data that is written to the disks, and then stores this information on another disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the data that is still available on the functional disks along with the parity information to recreate the data that was stored on the failed disk.
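The parity mechanism described above, worked through as an added PowerShell example (this is not course material and not how Windows or a RAID controller is implemented; it is the arithmetic a parity set relies on). The three 8-byte "disk" blocks are constructed sample data; the Get-XorBlock and Test-SameBlock functions are hypothetical helpers written for this illustration.

```powershell
# Added example (not course material): how parity lets a RAID set rebuild a failed disk.
# Three "data disks" each hold one 8-byte block; the parity disk stores the XOR of all
# three. The byte values are constructed sample data.
$disk0 = [byte[]](0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x2C, 0x20, 0x52)
$disk1 = [byte[]](0x41, 0x49, 0x44, 0x20, 0x70, 0x61, 0x72, 0x69)
$disk2 = [byte[]](0x74, 0x79, 0x20, 0x64, 0x65, 0x6D, 0x6F, 0x21)

function Get-XorBlock {
    # XOR the blocks byte by byte. The same operation computes parity on write and
    # rebuilds a missing block on read, because a XOR a = 0 cancels the known blocks.
    param([Parameter(Mandatory)][object[]]$Blocks)
    $result = New-Object byte[] ($Blocks[0].Length)
    foreach ($block in $Blocks) {
        for ($i = 0; $i -lt $result.Length; $i++) {
            $result[$i] = $result[$i] -bxor $block[$i]
        }
    }
    return ,$result   # the leading comma keeps the array from being unrolled
}

function Test-SameBlock {
    # Byte-for-byte comparison of two blocks.
    param([byte[]]$A, [byte[]]$B)
    return (($A -join ',') -eq ($B -join ','))
}

# 1. Write: data goes to three disks, the XOR of the three goes to the parity disk.
$parity = Get-XorBlock -Blocks @($disk0, $disk1, $disk2)

# 2. Failure: disk 1 is lost. XOR the surviving data disks with parity to get it back.
$rebuilt = Get-XorBlock -Blocks @($disk0, $disk2, $parity)
"Rebuild of disk 1 matches the original: $(Test-SameBlock $disk1 $rebuilt)"

# 3. Write penalty: changing one block means reading the old data and the old parity,
#    then writing the new data and the new parity. That read-modify-write cycle is why
#    the RAID levels table rates writes on parity sets as poor.
#    New parity = old parity XOR old data XOR new data.
$newDisk2  = [byte[]](0x54, 0x59, 0x20, 0x44, 0x45, 0x4D, 0x4F, 0x21)
$newParity = Get-XorBlock -Blocks @($parity, $disk2, $newDisk2)
$fullRecalc = Get-XorBlock -Blocks @($disk0, $disk1, $newDisk2)
"Incremental parity update matches a full recompute: $(Test-SameBlock $newParity $fullRecalc)"

# 4. Limits: single parity reconstructs exactly one missing block. If two disks fail
#    at once the XOR has two unknowns and the data is gone, which is what a second,
#    independent parity disk (RAID 6) addresses. Parity also says nothing about whether
#    the data written was correct, so it does not replace backups.
```

Both checks print True. The fourth comment is the practical caveat: parity protects against a disk failing, not against a bad write or deletion propagating through the array, which is the point the note further down makes about keeping traditional backups.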


RAID subsystems can also provide potentially better performance than single disks by distributing disk reads and writes across multiple disks. For example, when implementing disk striping, the server can read information from all hard disks in the stripe set. When combined with multiple disk controllers, this can provide significant improvements in disk performance.

Note: Although RAID can provide a greater level of tolerance for disk failure, you should not use RAID to replace traditional backups. If a server has a power surge or catastrophic failure and all of the disks fail, then you would still need to rely on standard backups.

Hardware RAID vs. Software RAID


You implement hardware RAID by installing a RAID controller in the server, and then configuring RAID by using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden from the operating system while the RAID arrays are exposed to the operating system as single disks. The only configuration you need to perform in the operating system is to create volumes on the disks.

Software RAID is implemented by exposing all of the disks available on the server to the operating system and then configuring RAID from within the operating system. Windows Server 2012 supports the use of software RAID, and you can use Disk Management to configure several different levels of RAID.

When choosing to implement hardware or software RAID, consider the following:
• Hardware RAID requires disk controllers that are RAID-capable. Most disk controllers shipped with new servers have this functionality. To configure hardware RAID, you need to access the disk controller management program. Normally, you can access this during the server boot process or by using a web page that runs management software.
• Implementing disk mirroring for the disk containing the system and boot volume with software RAID can require additional configuration when a disk fails. Because the RAID configuration is managed by the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk fails, you may need to modify the boot configuration for the server to start the server. This is not an issue with hardware RAID, because the disk controller will access the available disk and expose it to the operating system.
• In older servers, you may get better performance with software RAID when using parity because the server processor can calculate parity more quickly than the disk controller can. This is no longer an issue with newer servers, where you may get better performance on the server because you can offload the parity calculations to the disk controller.

Question: Should all disks be configured with the same amount of fault tolerance?


RAID Levels

When implementing RAID, you need to decide what level of RAID to implement. The most common RAID levels are RAID 1 (also known as mirroring), RAID 5 (also known as striped set with distributed parity) and RAID 1+0 (also known as mirrored set in a stripe set). The table below lists the features for each different RAID level.

Level: RAID 0
Description: Striped set without parity or mirroring. Data is written sequentially to each disk.
Performance: High read and write performance
Space utilization: All space on the disks is available
Redundancy: A single disk failure results in the loss of all data
Comments: Use only in situations where you require high performance and can tolerate data loss

Level: RAID 1
Description: Mirrored set without parity or striping. Data is written to both disks simultaneously.
Performance: Good performance
Space utilization: Can only use the amount of space that is available on the smallest disk
Redundancy: Can tolerate a single disk failure
Comments: Frequently used for system and boot volumes with hardware RAID

Level: RAID 2
Description: Data is written in bits to each disk with parity written to separate disk or disks.
Performance: Extremely high performance
Space utilization: One or more disks used for parity
Redundancy: Can tolerate a single disk failure
Comments: Requires that all disks be synchronized. Not currently used.

Level: RAID 3
Description: Data is written in bytes to each disk with parity written to separate disk or disks.
Performance: Very high performance
Space utilization: One disk used for parity
Redundancy: Can tolerate a single disk failure
Comments: Requires that all disks be synchronized. Rarely used.

Level: RAID 4
Description: Data is written in blocks to each disk with parity written to a dedicated disk.
Performance: Good read performance, poor write performance
Space utilization: One disk used for parity
Redundancy: Can tolerate a single disk failure
Comments: Rarely used

Level: RAID 5
Description: Striped set with distributed parity. Data is written in blocks to each disk with parity spread across all disks.
Performance: Good read performance, poor write performance
Space utilization: The equivalent of one disk used for parity
Redundancy: Can tolerate a single disk failure
Comments: Commonly used for data storage where performance is not critical, but maximizing disk usage is important

Level: RAID 6
Description: Striped set with dual distributed parity. Data is written in blocks to each disk with double parity written across all disks.
Performance: Good read performance, poor write performance
Space utilization: The equivalent of two disks used for parity
Redundancy: Can tolerate two disk failures
Comments: Commonly used for data storage where performance is not critical but maximizing disk usage and availability are important

Level: RAID 0+1
Description: Striped sets in a mirrored set. A set of drives is striped, and then the stripe set is mirrored.
Performance: Very good read and write performance
Space utilization: Only half the disk space is available due to mirroring
Redundancy: Can tolerate the failure of two or more disks as long as all failed disks are in the same striped set
Comments: Not commonly used

Level: RAID 1+0
Description: Mirrored set in a stripe set. Several drives are mirrored to a second set of drives, and then one drive from each mirror is striped.
Performance: Very good read and write performance
Space utilization: Only half the disk space is available due to mirroring
Redundancy: Can tolerate the failure of two or more disks as long as both disks in a mirror do not fail
Comments: Frequently used in scenarios where performance and redundancy are critical, and the cost of the required additional disks is acceptable


Lesson 2

Managing Disks and Volumes


Identifying which storage technology you will want to deploy is the first critical step in making sure that your environment is prepared for data storage requirements. This, however, is only the first step. There are other steps that you will need to take to prepare for data storage requirements. For example, once you have identified the best storage solution, or have chosen a mix of storage solutions, you need to figure out the best way to manage that storage. Ask yourself the following questions:
• What disks will you allocate to a storage pool?
• Will the type of file systems be the same for all disks?

This lesson addresses these and similar questions, including why it is important to manage disks, and what tools you need to manage disks.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe selecting a partition table format.
• Describe the difference between basic and dynamic disk types.
• Explain a resilient file system.
• Describe how to select a file system.
• Explain mount points and links.
• Create mount points and links.
• Describe the process of extending and shrinking volumes.

Selecting a Partition Table Format


A partition table format, or partition style, refers to the method that an operating system such as Windows Server 2012 uses to organize partitions or volumes on a disk. For Windows operating systems, you can decide between master boot record (MBR) and GUID partition table (GPT).

MBR
The MBR partition table format is the standard partitioning scheme that has been used on hard disks since the first personal computers came out in the 1980s. The MBR partition table format has the following characteristics:
• Supports a maximum of four primary partitions per drive
• A partition can have a maximum of 2 terabytes (TB) (2.19 x 10^12 bytes)
• If you initialize a disk larger than 2 TB using MBR, the disks are only able to store volumes up to 2 TB and the rest of the storage will not be used. You must convert the disk to GPT if you want to use all of its space.


Note: You should use the MBR partition table format for disk drives that never surpass 2 TB in size. This provides you with a bit more space because GPT requires more disk space than MBR.

GPT
The GPT was introduced with Windows Server 2003 and Windows XP 64-bit Edition to overcome the limitations of MBR, and to address larger disks. GPT has the following characteristics:
• GPT is the successor of the MBR partition table format
• Supports a maximum of 128 partitions per drive
• A partition can have up to 8 zettabytes (ZB)
• A hard disk can have up to 18 exabytes (EB), with 512 kilobytes (KB) logical block addressing (LBA)

Note: If your hard disk is larger than 2 TB, you should use the GPT partition table format.

Additional Reading: For frequently asked questions about the GUID partitioning table disk architecture, see http://support.microsoft.com/kb/302873.

Selecting a Disk Type


When selecting a type of disk for use in Windows Server 2012, you can choose between basic disks and dynamic disks.

Basic Disk


Basic storage uses normal partition tables that are used by all versions of the Windows operating system. A disk that is initialized for basic storage is called a basic disk. A basic disk contains basic partitions, such as primary partitions and extended partitions. You can subdivide extended partitions into logical drives.

By default, when you initialize a disk in Windows, the disk is configured as a basic disk. You can easily convert basic disks to dynamic disks without any loss of data; however, when converting a dynamic disk to a basic disk, all data on the disk will be lost. Some applications cannot address data that is stored on dynamic disks. There is also no performance gain by converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic disks to dynamic disks unless they need to use some of the additional volume configuration options that are available with dynamic disks.

Dynamic Disk


Dynamic storage is supported in all Windows operating systems including the Windows XP operating systems and the Microsoft Windows NT Server 4.0 operating system. A disk that is initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows operating systems.

When you configure dynamic disks, you create volumes rather than partitions. A volume is a storage unit that is made from free space on one or more disks. You can format the volume with a file system, and can assign a drive letter or configure it with a mount point.


The following is a list of the dynamic volumes that are available:
• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk, or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or on to additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
• Spanned volumes. A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored, and is not fault-tolerant; therefore, if you lose one disk, you will lose the entire spanned volume.
• Striped volumes. A striped volume has data that is spread across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended, and is not fault-tolerant. This means that the loss of one disk causes the immediate loss of all the data. Striping is also known as RAID-0.
• Mirrored volumes. A mirrored volume is a fault-tolerant volume that has all data duplicated onto two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume that has data striped across a minimum of three or more disks. Parity is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
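The software RAID discussed under "Hardware RAID vs. Software RAID" and the mirrored and RAID-5 dynamic volumes listed above can also be built from the command line. The following is an added example, not part of the course, that drives diskpart from PowerShell to convert two basic disks to dynamic and create a mirrored volume. The disk numbers 1 and 2, the 4000 MB size, the label and the drive letter M are constructed for the example; the script assumes both disks are online, initialized, empty basic disks and that neither holds the system or boot volume (mirroring those is the case the text flags as needing extra boot configuration).

```powershell
# Added example (not course material): creating a mirrored (RAID-1) dynamic volume with
# diskpart, the scripted counterpart of the Disk Management steps. Disk numbers 1 and 2
# are constructed; both must be online, empty basic disks that do not carry the system
# or boot volume.
$diskpartScript = @"
select disk 1
convert dynamic
select disk 2
convert dynamic
create volume mirror disk=1,2 size=4000
format fs=ntfs label="MirrorData" quick
assign letter=M
list volume
"@

# diskpart /s reads its commands from a file; write it as ASCII so diskpart parses it.
$scriptPath = Join-Path $env:TEMP 'create-mirror.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptPath

# "list volume" in the diskpart output shows Type = Mirror and Status = Healthy for M:.
# A RAID-5 volume (striped set with parity) needs at least three dynamic disks instead:
#   create volume raid disk=1,2,3 size=4000
# Spanned and striped volumes carry no redundancy: losing one member loses the volume.

# Confirm the new volume from the Storage module as well.
Get-Volume -DriveLetter M | Select-Object DriveLetter, FileSystem, FileSystemLabel, Size
```

Converting to dynamic keeps existing data, but the reverse (dynamic back to basic) destroys it, as the Basic Disk topic states, so the conversion is worth a deliberate decision rather than a side effect of a script.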

Required Disk Volumes


Regardless of which type of disk you use, you must configure both a system volume and a boot volume on one of the hard disks in the server:
• System volumes. The system volume contains the hardware-specific files that are needed to load the Windows operating system (for example, Bootmgr and BOOTSECT.bak). The system volume can be, but does not have to be, the same as the boot volume.
• Boot volumes. The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

Note: When you install the Windows 8 operating system or the Windows Server 2012 operating system in a clean installation, a separate system volume is created to enable encrypting the boot volume by using Windows BitLocker drive encryption.

Additional Reading: For more information about how basic disks and volumes work, see http://go.microsoft.com/fwlink/?LinkID=199648. For more information about dynamic disks and volumes, see http://go.microsoft.com/fwlink/?LinkID=199649.


Selecting a File System


When you configure your disks in Windows Server 2012, you can choose between FAT, NTFS, and ReFS file systems.

File Allocation Table (FAT)


The file allocation table (FAT) is the most simplistic of the file systems that Windows operating systems support. The FAT file system is characterized by a table that resides at the very top of the volume. To protect the volume, two copies of the FAT are maintained in case one becomes damaged. In addition, the file allocation tables and the root directory must be stored in a fixed location so that the system's boot files can be correctly located.

A disk formatted with FAT is allocated in clusters, whose sizes are determined by the size of the volume. When a file is created, an entry is created in the directory, and the first cluster number containing data is established. This entry in the table either indicates that this is the last cluster of the file, or points to the next cluster. There is no organization to the FAT directory structure, and files are given the first open location on the drive.

Because of the size limitation with the file allocation table, the original release of FAT could only access partitions that were less than 2 GB in size. To enable larger disks, Microsoft developed FAT32. FAT32 supports partitions of up to 2 TB.

FAT does not provide any security for files on the partition. You should never use FAT or FAT32 as the file system for disks attached to Windows Server 2012 servers. You might consider using FAT or FAT32 to format external media such as USB flash media.

exFAT (Extended FAT) is a file system designed especially for flash drives. It can be used where FAT32 is not suitable, such as when you need a disc format that works with a television, which requires a disc that is larger than 2 TB. exFAT is supported in a number of media devices, such as modern flat panel TVs, media centers, and portable media players.

NTFS
NTFS is the standard file system for all Windows operating systems beginning with Windows NT Server 4.0. Unlike FAT, there are no special objects on the disk, and there is no dependence on the underlying hardware, such as 512-byte sectors. In addition, in NTFS there are no special locations on the disk, such as the tables.

NTFS is an improvement over FAT in several ways, such as better support for metadata, and the use of advanced data structures to improve performance, reliability, and disk space utilization. NTFS also has additional extensions such as security access control lists (ACLs), which you can use for auditing, file system journaling, and encryption.

NTFS is required for a number of Windows Server 2008 R2 roles and features such as Active Directory Domain Services (AD DS), Volume Shadow Services (VSS), Distributed File System (DFS) and File Replication Services (FRS). NTFS also provides a much higher level of security than FAT or FAT32.

Resilient File System (ReFS)

The Resilient File System (ReFS) was introduced with Windows Server 2012 to enhance the capabilities of NTFS. ReFS was developed to improve upon NTFS by offering larger maximum sizes for individual files, directories, disk volumes, and other items. Additionally, ReFS offers greater resiliency, meaning better data verification, error correction, and scalability.


ReFS uses features from NTFS, and is designed to maintain backward compatibility with its older Windows operating system versions. Windows 8 clients or older Windows client operating systems can read and write to ReFS hard-drive partitions and to shares on a server, just as they can with those running NTFS.

You should use ReFS with very large volumes and very large file shares to overcome the NTFS limitation of error checking and correction. Because ReFS was not available prior to Windows Server 2012 (the only choice was NTFS), it makes sense to use ReFS with Windows Server 2012 instead of NTFS to achieve better error checking, better reliability, and less corruption.

Additional Reading: For more information on how FAT works, see http://go.microsoft.com/fwlink/?LinkID=199652. For more information on how NTFS works, see http://go.microsoft.com/fwlink/?LinkID=199654.

Question: What file system do you currently use on your file server? Will you continue to use it?

What Is a Resilient File System?


The Resilient File System (ReFS) is a new feature in Windows Server 2012. ReFS is based on the NTFS file system, and provides the following advantages:
• Metadata integrity with checksums
• Expanded protection against data corruption
• Maximizes reliability, especially during a loss of power (while NTFS has been known to experience corruption in similar circumstances)
• Large volume, file, and directory sizes
• Storage pooling and virtualization, which makes creating and managing file systems easier
• Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance
• Disk scrubbing for protection against latent disk errors
• Resiliency to corruptions with recovery for maximum volume availability
• Shared storage pools across machines for additional failure tolerance and load balancing

ReFS inherits some features from NTFS, including the following:
• BitLocker drive encryption
• Access-control lists for security
• Update sequence number (USN) journal
• Change notifications
• Symbolic links, junction points, mount points and reparse points
• Volume snapshots
• File IDs


Because ReFS uses a subset of features from NTFS, it is designed to maintain backward compatibility with NTFS. Therefore, Windows 8 clients or older Windows client operating systems can read and write to ReFS hard-drive partitions and shares on a server, just as they can with those running NTFS. However, as implied in its name, the new file system offers greater resiliency, meaning better data verification, error correction, and scalability.

Beyond its greater resiliency, ReFS also surpasses NTFS by offering larger maximum sizes for individual files, directories, disk volumes, and other items, as listed in the following table.

Attribute: Maximum size of a single file
Limit: ~16 exabytes (EB) (18,446,744,073,709,551,616 bytes)

Attribute: Maximum size of a single volume
Limit: 2^78 bytes with 16 KB cluster size (2^64 * 16 * 2^10); Windows stack addressing allows 2^64 bytes

Attribute: Maximum number of files in a directory
Limit: 2^64

Attribute: Maximum number of directories in a volume
Limit: 2^64

Attribute: Maximum file name length
Limit: 32,000 Unicode characters

Attribute: Maximum path length
Limit: 32,000

Attribute: Maximum size of any storage pool
Limit: 4 petabytes (PB)

Attribute: Maximum number of storage pools in a system
Limit: No limit

Attribute: Maximum number of spaces in a storage pool
Limit: No limit
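The "metadata integrity with checksums" and "expanded protection against data corruption" advantages listed above are exposed on Windows Server 2012 through the Get-FileIntegrity and Set-FileIntegrity cmdlets of the Storage module. The following added example, not part of the course, formats a data volume with ReFS and inspects and enables integrity streams on a file. Disk number 4, the volume label and the file content are constructed; the disk is assumed to be online, uninitialized, and not the system or boot disk (ReFS cannot host those on Windows Server 2012).

```powershell
# Added example (not course material): a data volume on ReFS with integrity streams.
# Disk number 4 is constructed; it must be an online, uninitialized disk that does not
# hold the system or boot volume.
$diskNumber = 4
Initialize-Disk -Number $diskNumber -PartitionStyle GPT
$partition = New-Partition -DiskNumber $diskNumber -UseMaximumSize -AssignDriveLetter
$volume    = Format-Volume -Partition $partition -FileSystem ReFS -NewFileSystemLabel 'ReFSData' -Confirm:$false
$drive     = $volume.DriveLetter

# Constructed sample file to inspect.
$testFile = "${drive}:\integrity-test.txt"
Set-Content -Path $testFile -Value 'constructed sample data'

# Integrity streams checksum file data, not only metadata. Enabled means checksums are
# kept for the file; Enforced means a checksum mismatch that cannot be repaired from a
# redundant copy fails the read instead of handing bad data to the application.
# The first call shows what the volume default gave the file.
Get-FileIntegrity -FileName $testFile

# Turn both on explicitly for this file and read the setting back.
Set-FileIntegrity -FileName $testFile -Enable $true -Enforce $true
Get-FileIntegrity -FileName $testFile | Select-Object FileName, Enabled, Enforced

# The volume itself reports ReFS as its file system.
Get-Volume -DriveLetter $drive | Select-Object DriveLetter, FileSystem, FileSystemLabel, Size
```

Enforcement is the fail-closed choice: an application sees an error rather than silently corrupted content. Whether that is desirable depends on the workload, and the text's note that NTFS is still required for roles such as AD DS, DFS and FRS applies regardless of this setting.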

What Are Mount Points and Links?


With the NTFS and ReFS file systems, you can create mount points and links to refer to files, directories, and volumes.

Mount Points
Mount points are used in Windows operating systems to make a portion of a disk or the entire disk useable by the operating system. Most commonly, mount points are associated with drive letter mappings so that the operating system can gain access to the disk through the drive letter.

Since the Microsoft Windows 2000 Server operating system was first introduced, you have been able to enable volume mount points, which you can then use to mount a hard disk to an empty folder that is located on another drive. For example, if you add a new hard disk to a server, rather than mounting the drive using a drive letter, you can assign a folder name such as C:\datadrive to the drive. When you do this, any time you access the C:\datadrive folder, you are actually accessing the new hard disk.


Volume mount points can be useful in the following scenarios:
• If you are running out of drive space on a server and you want to add disk space without modifying the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.
• If you are running out of available letters to assign to partitions or volumes. If you have several hard disks that are attached to the server, you may run out of available letters in the alphabet to which to assign drive letters. By using a volume mount point, you can add additional partitions or volumes without using more drive letters.
• If you need to separate disk input/output (I/O) within a folder structure. For example, if you are using an application that requires a specific file structure, but which uses the hard disks extensively, you can separate the disk I/O by creating a volume mount point within the folder structure.

Note: You can assign volume mount points only to empty folders on an NTFS partition. This means that if you want to use an existing folder name, you must first rename the folder, create and mount the hard disk using the required folder name, and then copy the data to the mounted folder.

Links
A link is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path. Windows supports the following two types of links:
• A symbolic file link (also known as a soft link)
• A symbolic directory link (also known as a directory junction)

A link which is stored on a server share could refer back to a directory on a client that is not actually accessible from the server where the link is stored. Because the link processing is done from the client, the link would work correctly to access the client, even though the server cannot access the client. Links operate transparently: applications that read or write to files that are named by a link behave as if they are operating directly on the target file. For example, you can use a symbolic link to link to a Hyper-V parent virtual hard disk file from another location. Hyper-V uses the link to work with the parent virtual hard drive (VHD) as it would use the original file. The benefit of using symbolic links is that you do not need to modify the properties of your differencing VHD.

Note: In Hyper-V, you can use a differencing virtual hard disk (VHD) to save space by making changes only to the child VHD, when the child VHD is part of a parent/child VHD relationship.

Links are sometimes easier to manage than mount points. Mount points force you to place the files on the root of the volumes, whereas with links you can be more flexible about where you save files. You can create links in a Windows Explorer window, or by using the mklink.exe tool in a command-line interface window.


Demonstration: Creating Mount Points and Links


In this demonstration, you will see how to create a mount point and then assign it to a folder. Then you will see the process of creating a link between folders and a link for a file, and see how to use both links.

Demonstration Steps

Create a mount point


1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. Open Computer Management, and then expand Disk Management.
3. In Disk Management, initialize Disk 2 with GPT (GUID Partition Table).
4. On Disk 2, create a Simple Volume with the following parameters:
   o Size: 4000 MB
   o Do not assign a drive letter or drive path
   o File system: NTFS
   o Volume label: MountPoint
5. Wait until the volume is created, right-click MountPoint, and then click Change Drive Letter and Paths.
6. Change the drive letter as follows:
   o Mount in the following empty NTFS folder
   o Create new folder C:\MountPointFolder and use it as the mount point.
7. On the taskbar, open a Windows Explorer window, and then click Local Disk (C:). You should now see the MountPointFolder with a size of 4,095,996 KB assigned to it. Notice the icon that is assigned to the mount point.

Create a link between folders


1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32 with the name System32 Shortcut.
2. In Windows Explorer, in the right pane, double-click System32 Shortcut. Notice how the shortcut path changes automatically to the correct path in the Address bar.

Create a link for a file


1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32\mspaint.exe and name it Paint Shortcut.
2. In Windows Explorer, in the right pane, double-click Paint Shortcut. Note how the link opens Paint.

Using links can be very useful if you want to refer to a file such as a virtual hard disk that is located on another drive.
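The mount point and link topics above, and this demonstration, done from Windows PowerShell as an added example (this is not course code). It assumes LON-SVR1 with Disk 2 already initialized as GPT and otherwise empty, and the link names C:\System32Link and C:\PaintLink.exe are chosen here for illustration.

```powershell
# Added example (not from the course): the demonstration above done from PowerShell.
# Assumes LON-SVR1 with Disk 2 already initialized as GPT and otherwise empty.
#Requires -RunAsAdministrator

$mountFolder = 'C:\MountPointFolder'

# Mount points are only allowed on EMPTY folders of an NTFS volume, so check both
# before touching the disk (this is the situation the Note on mount points describes).
$parent = Get-Volume -DriveLetter C
if ($parent.FileSystem -ne 'NTFS') {
    throw "C: is $($parent.FileSystem); a mount point needs an NTFS parent volume."
}
if (-not (Test-Path -Path $mountFolder)) {
    New-Item -ItemType Directory -Path $mountFolder | Out-Null
} elseif (@(Get-ChildItem -Path $mountFolder -Force).Count -gt 0) {
    throw "$mountFolder is not empty: rename it, mount the new volume, then copy the data in."
}

# 4000 MB NTFS volume labelled MountPoint with no drive letter; it is reachable only
# through the folder path (steps 4 to 6 of the demonstration).
$partition = New-Partition -DiskNumber 2 -Size 4000MB
$partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'MountPoint' -Confirm:$false | Out-Null
Add-PartitionAccessPath -DiskNumber 2 -PartitionNumber $partition.PartitionNumber -AccessPath $mountFolder

# Links: Windows Server 2012 ships Windows PowerShell 3.0, whose New-Item cannot create
# links, so mklink.exe is called through cmd.exe as the text describes.
cmd /c mklink /J C:\System32Link C:\Windows\System32            | Out-Null   # directory junction
cmd /c mklink C:\PaintLink.exe C:\Windows\System32\mspaint.exe  | Out-Null   # file symbolic link

# Audit: mount points, junctions and symbolic links are all NTFS reparse points. Listing
# them shows every path under C:\ that silently redirects elsewhere, which is worth
# reviewing before a folder tree is shared, since a link can point outside the share.
function Get-ReparsePoints {
    param([string] $Path = 'C:\')
    Get-ChildItem -Path $Path -Force |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, Attributes
}
Get-ReparsePoints
cmd /c dir /AL C:\     # the same entries, with each link's target shown in brackets
```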


Extending and Shrinking Volumes


In versions of Windows prior to Windows Server 2003 or Windows Vista, you required additional software to shrink or extend a volume on your disk. Since Windows Server 2003 and Windows Vista, this functionality is included in the Windows operating system, so you can use the Disk Management snap-in to resize NTFS volumes. When you want to resize a volume, you must be aware of the following:
• You only have the ability to shrink or extend NTFS volumes. FAT, FAT32 or exFAT volumes cannot be resized. You can only extend ReFS volumes, not shrink them.
• To extend a volume, the available disk space must be adjacent to the volume that is extended. If free space is not adjacent to the volume, you will not be able to extend the disk.
• You can extend a volume using free space on the same disk as well as other disks. When you extend a volume with other disks, you create a dynamic disk with a striped volume. In a striped volume, if one disk fails, all data on the volume is lost. Also, a striped volume cannot contain boot or system partitions, thus you cannot extend your boot partitions by using another disk.
• When you want to shrink a partition, immovable files such as page files are not relocated. This means that you cannot reclaim space beyond the location where these files are on the volume. If you have the requirement to shrink a partition more, you need to delete or move the immovable files. For example, you can remove the page file, shrink the volume, and then add the page file back again.

Note: As a best practice for shrinking volumes, you should defragment the files on the volume before you shrink it. This method returns the maximum amount of free disk space. During the defragment process, you can identify any immovable files. If bad clusters are found on the partition, you will not be able to shrink it.

To modify a volume, you can use Disk Management, the Diskpart.exe tool, or the Resize-Partition cmdlet.

Additional Reading: For more information about how to extend a basic volume, see http://technet.microsoft.com/de-de/library/cc771473. For more information about how to shrink a basic volume, see http://technet.microsoft.com/de-de/library/cc731894.


Lesson 3

Implementing Storage Spaces


Managing physical disks that are attached directly to a server has proven to be a tedious task for administrators. To overcome this problem, many organizations used SANs that essentially grouped physical disks together. SANs require special configuration, however, and sometimes special hardware, which makes them expensive. To overcome these issues, you can use Storage Spaces, which is a Windows Server 2012 feature that pools disks together and presents them to the operating system as a single disk. This lesson explains how to configure and implement the Storage Spaces feature.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe the use of Storage Spaces.
• Describe various options for configuring virtual disks.
• Describe advanced management options for Storage Spaces.
• Configure Storage Spaces.

What Is the Storage Spaces Feature?


Storage Spaces is a storage virtualization capability that is built into Windows Server 2012 and Windows 8. It is a feature that is available for both NTFS and ReFS volumes, and that provides redundancy and pooled storage for numerous internal and external drives of differing sizes and interfaces. You can use Storage Spaces to add physical disks of any type and size to a storage pool, and then create highly available virtual disks from it. The primary advantage of Storage Spaces is that you do not manage single disks, but can manage multiple disks as one unit. To create a highly available virtual disk, you need the following:
• Disk drive. This is a volume that you can access from your Windows operating system, for example, by using a drive letter.
• Virtual disk (or storage space). This is very similar to a physical disk from the perspective of users and applications. However, virtual disks are more flexible because they include thin provisioning or just-in-time (JIT) allocations, and they include resiliency to physical disk failures with built-in functionality such as mirroring.


• Storage pool. A storage pool is a collection of one or more physical disks that you can use to create virtual disks. You can add to a storage pool any available physical disk that is not formatted or attached to another storage pool.
• Physical disk. Physical disks are disks such as SATA or SAS disks. If you want to add physical disks to a storage pool, the disks need to satisfy the following requirements:
   o One physical disk is required to create a storage pool; a minimum of two physical disks is required to create a resilient mirror virtual disk. A minimum of three physical disks is required to create a virtual disk with resiliency through parity. Three-way mirroring requires at least five physical disks.
   o Disks must be blank and unformatted; no volume must exist on them.
   o Disks can be attached using a variety of bus interfaces including iSCSI, SAS, SATA, SCSI, and USB.
   o If you want to use failover clustering with storage pools, you cannot use SATA, USB or SCSI disks.

Virtual Disk Configuration Options


You can create virtual disks from storage pools. If your storage pool contains more than one disk, you can also create redundant virtual disks. To configure virtual disks or Storage Spaces in Server Manager or Windows PowerShell, you need to consider the redundancy functionality shown in the following table.

Feature: Storage layout
Description: This feature defines the number of disks from the storage pool that are allocated. Valid options include:
• Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data is segmented across all disks in a way that access to these sequential segments can be made to different physical storage drives. Striping makes it possible to access multiple segments of data concurrently. Do not host important data on a simple volume, because it provides no failover capabilities when the disk that is storing the data fails.
• Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data that they host (two data copies for two-way mirrors and three data copies for three-way mirrors). Duplication happens with every write to ensure that all data copies are always current. Mirror spaces also stripe the data across multiple physical drives. Mirror spaces provide the benefit of greater data throughput and lower access latency. They also do not introduce a risk of corrupting at-rest data, and do not require the extra journaling stage when writing data.
• Parity. A parity space is very similar to a simple space. Data, along with parity information, is striped across multiple physical drives. Parity enables Storage Spaces to continue to service read and write requests even when a drive has failed. Parity is always rotated across available disks to enable I/O optimization. Storage Spaces requires a minimum of three physical drives for parity spaces. Parity spaces have increased resiliency through journaling.

Feature: Disk sector size
Description: A storage pool's sector size is set when it is created. If the list of drives being used contains only 512 and/or 512e drives, then the pool is defaulted to 512e. If, however, the list contains at least one 4-KB drive, then the pool sector size is defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size that all contained spaces in the pool will inherit. After an administrator defines this, the Windows operating system will only permit you to add drives that have a compliant sector size, that is: 512 or 512e for a 512e storage pool, and 512, 512e, or 4 KB for a 4-KB pool.

Feature: Drive allocation
Description: This defines how the drive is allocated to the pool. Options are:
• Data Store. This is the default allocation when any drive is added to a pool. Storage Spaces can automatically select available capacity on data-store drives for both storage space creation and JIT allocation.
• Manual. Administrators can choose to specify manual as the usage type for drives that are added to a pool. A manual drive is not used automatically as part of a storage space unless it is specifically selected at the creation of that storage space. This usage property makes it possible for administrators to specify particular types of drives for use by only certain storage spaces.
• Hot Spare. Drives added as hot spares to a pool are reserve drives that are not used in the creation of a storage space. If a failure occurs on a drive that is hosting columns of a storage space, a reserve drive is called upon to replace the failed drive.

Feature: Provisioning schemes
Description: You can provision a virtual disk by using two different schemes:
• Thin provisioning space. Thin provisioning is a mechanism that allows storage to be easily allocated on a just-enough and JIT basis. Storage capacity in the pool is organized into provisioning slabs that are not allocated until the point in time when datasets grow to require the storage. As opposed to the traditional fixed storage allocation method, where large pools of storage capacity are allocated but may remain unused, thin provisioning optimizes utilization of available storage. Organizations are also able to save on operating costs such as electricity and floor space that are associated with keeping unused drives operating. The downside of using thin provisioning is lower performance of your disks.
• Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also employ the flexible provisioning slabs. The difference between thin provisioning and a fixed provisioning space is that the storage capacity in the fixed provisioning space is allocated at the same time that the space is created.

Feature: Cluster disk requirement
Description: Failover clustering prevents interruption to workloads or data in the event of a machine failure. For a pool to support failover clustering, all assigned drives must support a multi-initiator protocol, such as SAS.

Note: You can use Storage Spaces to create both thin and fixed provisioning virtual disks within the same storage pool. Having both provisioned types in the same storage pool is convenient, particularly when they are related to the same workload. For example, you can choose to have a thin provisioning space to host a database and a fixed provisioning space to host its log.


Question: What do you call a virtual disk that is larger than the amount of disk space available on the physical disks portion of the storage pool?

Advanced Management Options for Storage Spaces


Server Manager provides you with basic management of virtual disks and storage pools. In Server Manager, you can create storage pools, add to and remove physical disks from pools, and create, manage, and delete virtual disks. For example, in Server Manager you can view the physical disks that are attached to a virtual disk, and Server Manager will display if any of these disks are unhealthy.

Failed disks in a virtual disk or storage pool are corrected by removing the disk that is causing the problem. Tools such as defragmenting, scan disk, or chkdsk do not apply for repairing a storage pool. To replace a failed disk, you add a new disk to the pool. The new disk will automatically resynchronize when disk maintenance occurs. This will occur during daily maintenance, or you can trigger it manually.

Windows PowerShell provides advanced management options for virtual disks and storage pools. Some examples of the command-line interfaces are listed in the following table.

Windows PowerShell cmdlet: Get-StoragePool
Description: Lists storage pools

Windows PowerShell cmdlet: Get-VirtualDisk
Description: Lists virtual disks

Windows PowerShell cmdlet: Repair-VirtualDisk
Description: Repairs a virtual disk

Windows PowerShell cmdlet: Get-PhysicalDisk | Where {$_.HealthStatus -ne "Healthy"}
Description: Lists unhealthy physical disks

Windows PowerShell cmdlet: Reset-PhysicalDisk
Description: Removes a physical disk from a storage pool

Windows PowerShell cmdlet: Get-VirtualDisk | Get-PhysicalDisk
Description: Lists physical disks that are used for a virtual disk

Additional Reading: To learn more about storage cmdlets in Windows PowerShell, see http://technet.microsoft.com/en-us/library/hh848705.aspx.

Demonstration: Configuring Storage Spaces


In this demonstration, you will see how to create a storage pool, a simple virtual disk, and a volume.

Demonstration Steps

Create a storage pool


1. On LON-SVR1, in Server Manager, access File and Storage Services and Storage Pools.


2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and add all of the available disks.

Create a simple virtual disk and a volume


1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:
   o Storage pool: StoragePool1
   o Disk name: Simple vDisk
   o Storage layout: Simple
   o Provisioning type: Thin
   o Size: 2 GB
2. On the View results page, wait until the creation is completed, and make sure the Create a volume when this wizard closes check box is selected.
3. In the New Volume Wizard, create a volume with these settings:
   o Virtual disk: Simple vDisk
   o File system: ReFS
   o Volume label: Simple Volume


Lab: Implementing Local Storage


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office. Your manager has asked you to add disk space to a file server. After creating volumes, your manager has also asked you to resize those volumes based on updated information he has been given. Finally, you need to make data storage redundant by creating a 3-way mirrored virtual disk.

Objectives
After completing this lab, you will be able to:
• Install and configure a new disk.
• Resize volumes.
• Configure a storage pool.
• Configure a redundant storage space.

Lab Setup
Estimated time: 30 minutes

Virtual Machines

Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
1. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
2. In the Actions pane, click Connect. Wait until the virtual machine starts.
3. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
4. Repeat steps 1 to 3 for 20410A-LON-SVR1.


Exercise 1: Installing and Configuring a New Disk


Scenario
The file server in your branch office is low on disk space. You need to add a new disk to the server and create volumes based on specifications provided by your manager. The main tasks for this exercise are as follows:
1. Initialize a new disk.
2. Create and format two simple volumes on the disk.
3. Verify the drive letter in a Windows Explorer window.

Task 1: Initialize a new disk


1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, open Computer Management, and then access Disk Management.
3. Initialize Disk 2 and configure it to use GPT (GUID Partition Table).

Task 2: Create and format two simple volumes on the disk


1. In the Computer Management console, on Disk 2, create a Simple Volume with the following attributes:
   o Volume size: 4000 MB
   o Drive Letter: F
   o File system: NTFS
   o Volume label: Volume1
2. In the Computer Management console, on Disk 2, create a Simple Volume with the following attributes:
   o Volume size: 5000 MB
   o Drive Letter: G
   o File system: ReFS
   o Volume label: Volume2

Task 3: Verify the drive letter in a Windows Explorer window


1. Use Windows Explorer to make sure you can access the following volumes:
   o Volume1 (F:)
   o Volume2 (G:)
2. On Volume2 (G:), create a folder named Folder1.

Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and formatted them. You should also have verified that the drive letters are available in Windows Explorer.


Exercise 2: Resizing Volumes


Scenario
After installing the new disk in your file server, you are contacted by your manager, who indicates that the information he gave you was incorrect. He now needs you to resize the volumes without losing any data. The main tasks for this exercise are as follows:
1. Shrink Volume1.
2. Extend Volume2.

Task 1: Shrink Volume1


Use Disk Management to shrink Volume1 (F:) by 1000 MB.

Task 2: Extend Volume2


1. Use Disk Management to extend Volume2 (G:) by 1000 MB.
2. Use Windows Explorer to verify that the folder Folder1 is still on drive G.

Results: After this lab, you should have made one volume smaller, and extended another.
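Exercise 2 done from Windows PowerShell, as an added example that is not course code: it uses the Resize-Partition cmdlet named in the Extending and Shrinking Volumes topic and enforces the constraints listed there (file system type, immovable files, adjacent free space) before resizing. Only the cmdlets and the lab's drive letters and sizes come from the text; the function name Resize-VolumeSafely is chosen here.

```powershell
# Added example (not from the course): Exercise 2 with Resize-Partition, checking the
# limits described in "Extending and Shrinking Volumes" before any change is made.
#Requires -RunAsAdministrator

function Resize-VolumeSafely {
    param(
        [Parameter(Mandatory)] [char]  $DriveLetter,
        [Parameter(Mandatory)] [int64] $DeltaBytes    # negative = shrink, positive = extend
    )
    $partition = Get-Partition -DriveLetter $DriveLetter
    $volume    = Get-Volume    -DriveLetter $DriveLetter

    # Only NTFS can be shrunk or extended; ReFS can only be extended; FAT, FAT32 and
    # exFAT cannot be resized at all.
    switch ($volume.FileSystem) {
        'NTFS'  { }
        'ReFS'  { if ($DeltaBytes -lt 0) { throw "ReFS volume ${DriveLetter}: cannot be shrunk." } }
        default { throw "$($volume.FileSystem) volume ${DriveLetter}: cannot be resized." }
    }

    # SizeMin is bounded by immovable files (page file, MFT) and bad clusters;
    # SizeMax is bounded by the free space directly adjacent to the volume.
    $limits  = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    $newSize = $partition.Size + $DeltaBytes
    if ($newSize -lt $limits.SizeMin) {
        throw ("Cannot shrink {0}: below {1:N0} MB; immovable files block further shrinking." -f
               $DriveLetter, ($limits.SizeMin / 1MB))
    }
    if ($newSize -gt $limits.SizeMax) {
        throw ("Cannot extend {0}: beyond {1:N0} MB; free space must be adjacent to the volume." -f
               $DriveLetter, ($limits.SizeMax / 1MB))
    }

    Resize-Partition -DriveLetter $DriveLetter -Size $newSize
    Get-Partition -DriveLetter $DriveLetter |
        Select-Object DriveLetter, @{ n = 'SizeMB'; e = { [math]::Round($_.Size / 1MB) } }
}

# Task 1: shrink Volume1 (F:) by 1000 MB. Task 2: extend Volume2 (G:, ReFS) by 1000 MB.
Resize-VolumeSafely -DriveLetter 'F' -DeltaBytes (-1000MB)
Resize-VolumeSafely -DriveLetter 'G' -DeltaBytes 1000MB
Test-Path -Path 'G:\Folder1'    # the data on Volume2 survives the extension
```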

Exercise 3: Configuring a Redundant Storage Space


Scenario
Your server does not have a hardware-based RAID card, but you have been asked to configure redundant storage. To support this feature, you need to create a storage pool. After creating the storage pool, you will also need to create a redundant virtual disk. As the data is critical, the request for redundant storage specifies that you need to use a three-way mirrored volume. Shortly after the volume is in use, a disk fails and you have to add another disk to the storage pool to replace it. The main tasks for this exercise are as follows:
1. Create a storage pool from five disks that are attached to the server.
2. Create a three-way mirrored virtual disk.
3. Copy a file to the volume, and verify that it is visible in Windows Explorer.
4. Remove a physical drive.
5. Verify that the mspaint.exe file is still accessible.
6. Add a new disk to the storage pool.
7. To prepare for the next module.

Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, open Server Manager.
2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. Create a storage pool with the following settings:
   o Name: StoragePool1
   o PhysicalDisk3
   o PhysicalDisk4
   o PhysicalDisk5
   o PhysicalDisk6
   o PhysicalDisk7

Task 2: Create a three-way mirrored virtual disk


1. On LON-SVR1, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with the following settings:
   o Storage pool: StoragePool1
   o Name: Mirrored Disk
   o Storage Layout: Mirror
   o Resiliency settings: Three-way mirror
   o Provisioning type: Thin
   o Virtual disk size: 10 GB
2. In the New Volume Wizard, create a volume with the following settings:
   o Virtual disk: Mirrored Disk
   o Drive letter: H
   o File system: ReFS
   o Volume label: Mirrored Volume

Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. On the Start screen, type command prompt, and then press Enter.
2. Type the following command:
   Copy C:\windows\system32\mspaint.exe H:\
3. Open Windows Explorer from the taskbar, and access Mirrored Volume (H:). You should now see mspaint.exe in the file list.

Task 4: Remove a physical drive


On the host machine, in Hyper-V Manager, in the Virtual Machines pane, change the 20410A-LON-SVR1 settings as follows:
   o Remove Hard Drive 20410A-LON-SVR1-Disk5.vhdx.

Task 5: Verify that the mspaint.exe file is still accessible


1. Switch to LON-SVR1.
2. Use Windows Explorer and browse to H:\mspaint.exe to ensure access to the file is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Notice the warning that displays next to Mirrored Disk.
4. Open Mirrored Disk Properties, and access the Health pane. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete or Degraded.


Task 6: Add a new disk to the storage pool


1. Switch to LON-SVR1.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button.
3. In the STORAGE POOLS pane, right-click StoragePool1, click Add Physical Disk, and then click PhysicalDisk8 (LON-SVR1).

Results: After completing this lab, you should have created a storage pool and added five disks to it. Then you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. Next, you should have verified that the virtual disk was still available and could be accessed after removing a physical drive. Finally, you should have added another physical disk to the storage pool.
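Exercise 3 carried out with the storage cmdlets from the "Advanced Management Options for Storage Spaces" table, as an added example that is not course code. It assumes LON-SVR1 with five blank disks PhysicalDisk3 to PhysicalDisk7 and a spare PhysicalDisk8, as in the lab; the function Get-PoolHealthReport is chosen here and wraps the unhealthy-disk query from that table.

```powershell
# Added example (not from the course): Exercise 3 with the storage cmdlets. Assumes
# LON-SVR1 with blank disks PhysicalDisk3..PhysicalDisk7 and a spare PhysicalDisk8.
#Requires -RunAsAdministrator

$poolName  = 'StoragePool1'
$vdiskName = 'Mirrored Disk'
$members   = 'PhysicalDisk3', 'PhysicalDisk4', 'PhysicalDisk5', 'PhysicalDisk6', 'PhysicalDisk7'

# Task 1: a three-way mirror needs at least five blank, unformatted disks (see the
# requirements in this lesson). CanPool is $true only for disks that are unformatted
# and not already a member of a pool.
$poolDisks = @(Get-PhysicalDisk -CanPool $true | Where-Object { $members -contains $_.FriendlyName })
if ($poolDisks.Count -lt 5) {
    throw "A three-way mirror needs 5 poolable disks; only $($poolDisks.Count) are eligible."
}
$subsystem = Get-StorageSubSystem | Select-Object -First 1   # Storage Spaces on a standalone server
New-StoragePool -FriendlyName $poolName -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $poolDisks | Out-Null

# Task 2: thin-provisioned 10 GB three-way mirror (Mirror layout, three data copies),
# then GPT, a partition on H:, and a ReFS volume, as the New Volume Wizard does.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdiskName `
             -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB
$vdisk | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter H |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false | Out-Null

# Task 3: put data on the volume.
Copy-Item -Path C:\Windows\System32\mspaint.exe -Destination H:\

# Task 5: the health query from the cmdlet table plus the virtual disk's own status.
# After a member disk is removed in Hyper-V (Task 4), expect HealthStatus Warning and
# OperationalStatus Degraded or Incomplete, while H:\mspaint.exe still opens because
# two of the three copies survive.
function Get-PoolHealthReport {
    param([string] $Pool = 'StoragePool1')
    [pscustomobject]@{
        UnhealthyDisks = @(Get-PhysicalDisk | Where-Object { $_.HealthStatus -ne 'Healthy' } |
                           Select-Object -ExpandProperty FriendlyName)
        VirtualDisks   = @(Get-StoragePool -FriendlyName $Pool | Get-VirtualDisk |
                           Select-Object FriendlyName, HealthStatus, OperationalStatus)
    }
}
Get-PoolHealthReport | Format-List

# Task 6: add the replacement disk, retire the lost member, resynchronize the mirror,
# and only then remove the lost disk from the pool. (A spare added earlier with
# Set-PhysicalDisk -Usage HotSpare would be pulled in automatically instead.)
Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks (Get-PhysicalDisk -FriendlyName 'PhysicalDisk8')
$lost = @(Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk |
          Where-Object { $_.OperationalStatus -ne 'OK' })
if ($lost.Count -gt 0) {
    $lost | Set-PhysicalDisk -Usage Retired
    Repair-VirtualDisk -FriendlyName $vdiskName
    Remove-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks $lost -Confirm:$false
}
Get-PoolHealthReport | Format-List    # both lists should now report Healthy / OK
```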

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1.


Module Review and Takeaways


Review Questions
Question: Your current volume runs out of disk space. You have another disk available in the same server. What actions in Windows can you perform to help you add disk space?

Question: What are the two different types of disks in Disk Management?

Question: What are the most important implementations of RAID?

Question: You attach five 2 TB disks to your Windows Server 2012 computer. You want to manage them almost automatically, and if one disk fails, you want to make sure the data is not lost. What feature can you implement to accomplish this?

Best Practices
The following are recommended best practices:
• If you want to shrink a volume, defragment the volume first so you can reclaim more space from the volume.
• Use the GPT partition table format for disks larger than 2 TB.
• For very large volumes, use ReFS.
• Do not use FAT or FAT32 on Windows Server disks.
• Use the Storage Spaces feature to let the Windows operating system manage your disks.

Tools
Tool: Disk Management
Use: Initialize disks. Create and modify volumes.
Where to find it: In Server Manager on the Tools menu (part of Computer Management)

Tool: Diskpart.exe
Use: Initialize disks. Create and modify volumes from a command prompt.
Where to find it: Command prompt

Tool: Mklink.exe
Use: Create a symbolic link to a file or folder.
Where to find it: Command prompt

Tool: Chkdsk.exe
Use: Check a disk for an NTFS-formatted volume. Cannot be used for ReFS or Virtual Disks.
Where to find it: Command prompt

Tool: Defrag.exe
Use: Disk defragmentation tool for NTFS-formatted volumes. Cannot be used for ReFS or Virtual Disks.
Where to find it: Command prompt


Module 10
Implementing File and Print Services
Contents:
Module Overview 10-1
Lesson 1: Securing Files and Folders 10-2
Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15
Lesson 3: Configuring Network Printing 10-18
Lab: Implementing File and Print Services 10-23
Module Review and Takeaways 10-28

Module Overview
Accessing files and printers on the network is one of the most common activities in the Windows Server environment. Reliable, secure access to files and folders and print resources is often the first requirement of a Windows Server 2012-based network. To provide access to file and print resources on your network, you must understand how to configure these resources within Windows Server 2012 server, and how to configure appropriate access to the resources for users in your environment. This module discusses how to provide these important file and print resources from Windows Server 2012. You will learn how to enable and configure file and print services in Windows Server 2012, and you will learn important considerations and best practices for working with file and print services.

Objectives
After completing this module, you will be able to:
• Secure shared files and folders.
• Protect shared files and folders by using shadow copies.
• Configure network printing.


Lesson 1

Securing Files and Folders


The files and folders that your servers store typically contain your organization's business and functional data. Providing appropriate access to these files and folders, usually over the network, is an important part of managing file and print services in Windows Server 2012. This lesson gives you the information necessary to secure files and folders on your Windows Server 2012 servers, so that your organization's data is available and protected.

Lesson Objectives


After completing this lesson, you will be able to:
• Explain NTFS file system permissions.
• Describe a shared folder.
• Explain permissions inheritance.
• Explain how effective permissions work when you access shared folders.
• Explain access-based enumeration.
• Describe Offline Files.
• Create and configure a shared folder.

What Are NTFS Permissions?


NTFS permissions are assigned to files or folders on a storage drive that is formatted with NTFS. The permissions that you assign to NTFS files and folders govern user access to these files and folders. The following points describe the key aspects of NTFS permissions:
• NTFS permissions can be assigned to an individual file or folder, or to sets of files or folders.
• NTFS permissions can be assigned individually to objects that include users, groups, and computers.
• NTFS permissions are controlled by denying or granting specific types of NTFS file and folder access, such as read or write.
• NTFS permissions can be inherited from parent folders. By default, the NTFS permissions that are assigned to a folder are also assigned to newly created folders or files within that parent folder.

NTFS Permission Types


There are two assignable NTFS permissions categories: standard and advanced.

Standard Permissions


Standard permissions provide the most commonly used permission settings for files and folders. You assign standard permissions in the main NTFS Permissions Assignment window.


The following table details the standard permissions options for NTFS files and folders.

File permission: Full Control
Description: Grants the user complete control of the file or folder, including control of permissions.

File permission: Modify
Description: Grants the user permission to read, write, or delete a file or folder, including creating a file or folder.

File permission: Read and Execute
Description: Grants the user permission to read a file and start programs.

File permission: Read
Description: Grants the user permission to see file or folder content and start programs.

File permission: Write
Description: Grants the user permission to write to a file.

File permission: List folder contents (folders only)
Description: Grants the user permission to view a list of the folder's contents.

Note: Granting users Full Control permissions on a file or a folder gives them the ability to perform any file system operation on the object, and the ability to change permissions on the object. They can also remove permissions on the resource for any or all users, including you.
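The standard permissions, inheritance and the Full Control warning above, applied from Windows PowerShell with Get-Acl and Set-Acl as an added example that is not course code. The folder E:\Data\Sales and the groups Adatum\Sales and Adatum\Sales-Managers are assumed for illustration; the function names are chosen here.

```powershell
# Added example (not from the course): standard NTFS permissions with Get-Acl/Set-Acl.
# Folder path and group names (Adatum\Sales, Adatum\Sales-Managers) are assumed.
#Requires -RunAsAdministrator

$root   = 'E:\Data\Sales'
$subdir = Join-Path -Path $root -ChildPath 'Contracts'
New-Item -ItemType Directory -Path $subdir -Force | Out-Null

# The standard permissions are named combinations of FileSystemRights bits:
#   Read and Execute -> ReadAndExecute, Modify -> Modify, Full Control -> FullControl.
# ContainerInherit + ObjectInherit make the entry flow to child folders and files,
# which is the default inheritance behaviour described above.
function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow'
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderAccess -Path $root -Identity 'Adatum\Sales'          -Rights ReadAndExecute
Grant-FolderAccess -Path $root -Identity 'Adatum\Sales-Managers' -Rights Modify

# Contracts should be reachable by managers only. Stop inheritance on the subfolder but
# keep copies of the inherited entries ($true, $true), then remove the Sales copy.
# SetAccessRuleProtection($true, $false) would instead discard every inherited entry,
# including Administrators and SYSTEM, which is rarely intended.
$acl = Get-Acl -Path $subdir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $subdir -AclObject $acl
$acl = Get-Acl -Path $subdir
$acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Adatum\Sales' } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
Set-Acl -Path $subdir -AclObject $acl

# Full Control lets a principal rewrite the ACL itself (see the Note above), so report
# every Allow Full Control entry in the tree that is not held by a built-in trusted
# principal. IsInherited tells you whether to fix the entry here or on a parent.
function Get-FullControlGrants {
    param([Parameter(Mandatory)] [string] $Path)
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    $folders = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Directory -Force)
    foreach ($folder in $folders) {
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights -eq 'FullControl' -and
                           $trusted -notcontains $_.IdentityReference.Value } |
            Select-Object @{ n = 'Path'; e = { $folder.FullName } }, IdentityReference, IsInherited
    }
}
Get-FullControlGrants -Path $root | Format-Table -AutoSize
```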

Advanced Permissions

Advanced permissions can provide a much greater level of control over NTFS files and folders. Advanced permissions are accessible from the Security tab of a file or folder's Properties sheet, by clicking the Advanced button. The following table details the advanced permissions for NTFS files and folders.

Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. This permission grants or denies the user's ability to browse through folders to reach other files or folders, even if the user has no permissions for the traversed folders. The Traverse Folder permission takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right is assigned in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. The Execute File permission grants or denies access to program files that are running. If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

List Folder/Read Data: The List Folder permission grants the user permission to view file names and subfolder names. The List Folder permission applies only to folders and affects only the contents of that folder. It does not affect whether the folder on which you set the permission is itself listed. In addition, this setting has no effect on viewing the file structure from a command-line interface. The Read Data permission grants or denies the user permission to view data in files. The Read Data permission applies only to files.

10-4 Implementing File and Print Services

Read Attributes: The Read Attributes permission grants the user permission to view the basic attributes of a file or a folder, such as the read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes: The Read Extended Attributes permission grants the user permission to view the extended attributes of a file or folder. Extended attributes are defined by applications, and can vary by application.

Create Files/Write Data: The Create Files permission applies only to folders, and grants the user permission to create files in the folder. The Write Data permission grants the user permission to make changes to the file and overwrite existing content. The Write Data permission applies only to files.

Create Folders/Append Data: The Create Folders permission grants the user permission to create folders in the folder. The Create Folders permission applies only to folders. The Append Data permission grants the user permission to make changes to the end of the file, but not to delete or overwrite existing data. The Append Data permission applies only to files.

Write Attributes: The Write Attributes permission grants the user permission to change the basic attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.

Write Extended Attributes: The Write Extended Attributes permission grants the user permission to change the extended attributes of a file or folder. Extended attributes are defined by programs, and can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.

Delete Subfolders and Files: The Delete Subfolders and Files permission grants the user permission to delete subfolders and files, even if the Delete permission is not granted on the subfolder or file. The Delete Subfolders and Files permission applies only to folders.

Delete: The Delete permission grants the user permission to delete the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted the Delete Subfolders and Files permission on the parent folder.

Read Permissions: The Read Permissions permission grants the user permission to read the permissions of the file or folder, such as Full Control, Read, and Write.

Change Permissions: The Change Permissions permission grants the user permission to change permissions on the file or folder, such as Full Control, Read, and Write.


Take Ownership: The Take Ownership permission grants the user permission to take ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize: The Synchronize permission allows different threads to wait on the handle for the file or folder, and then synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

Note: Standard permissions are combinations of several individual advanced permissions, grouped to match common file and folder usage scenarios.

NTFS Permissions Examples


The following are basic examples of assigning NTFS permissions.

Example 1
For the Marketing Pictures folder, an administrator has chosen to assign Adam Carter Allow permissions for the Read permission type. Under default NTFS permissions behavior, Adam Carter will have Read access to the files and folders that are contained in the Marketing Pictures folder.

Example 2
When applying NTFS permissions, the results are cumulative. For example, let us carry on with the given example and say that Adam Carter is also a member of the Marketing group. The Marketing group has been given Write permissions on the Marketing Pictures folder. When we combine the permissions assigned to Adam Carter's user account with the permissions assigned to the Marketing group, Adam would have both Read and Write permissions for the Marketing Pictures folder.

Important Rules for NTFS Permissions


There are two groupings of NTFS permissions:
- Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a file or a folder take precedence over those that are inherited from a parent folder.
- Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any Deny permissions that exist override conflicting Allow permissions within the group.

Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow

It is important to remember that NTFS permissions are cumulative, and these rules apply only when two NTFS permission settings conflict with each other.

Note: Permissions inheritance is discussed in more detail later in this lesson.


How to Configure NTFS Permissions


You can view and configure NTFS permissions by following these steps:
1. Right-click the file or folder for which you want to assign permissions, and then click Properties.
2. In the Properties window, click the Security tab. In this tab, you can select the current users or groups that have been assigned permissions to view the specific permissions assigned to each principal.
3. To open an editable permissions dialog box so that you can modify existing permissions or add new users or groups, click the Edit button.
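The same three steps done from PowerShell, as an added example that is not part of the course manual: view the current entries, add an explicit Allow Read entry, and verify it. The folder path and the ADATUM\Adam account are placeholders taken from this lesson's Adam Carter example.

```powershell
# Added example (not from the course manual): assign the standard Read
# permission to a user on a folder with PowerShell instead of the Security tab.
# Assumptions: E:\Marketing Pictures exists on the file server and the
# ADATUM\Adam account exists; both are placeholders from the lesson's example.

$folder  = 'E:\Marketing Pictures'
$account = 'ADATUM\Adam'

# Step 2 equivalent: list who currently has permissions and what they hold.
# IsInherited tells you whether an entry came from a parent folder.
$acl = Get-Acl -Path $folder
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType,
                  IsInherited, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize

# Step 3 equivalent: build an Allow entry for the standard Read permission.
# FileSystemRights::Read is the standard "Read" group of advanced rights
# (Read Data, Read Attributes, Read Extended Attributes, Read Permissions).
# ContainerInherit + ObjectInherit makes the entry flow to subfolders and
# files, which is what the Security tab does by default for a folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: show only the explicit (non-inherited) entries for the account.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -eq $account -and -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# The equivalent with the built-in icacls tool; (OI)(CI) are the same two
# inheritance flags and R is the standard Read permission:
#   icacls "E:\Marketing Pictures" /grant "ADATUM\Adam:(OI)(CI)R"
```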

What Are Shared Folders?


Shared folders are a key component to granting access to files on your server from the network. When you share a folder, the folder and all of its contents are made available to multiple users simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS permissions, which apply to the folder's contents. These permissions are used to provide an extra level of security for files and folders that are made available on the network.

Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder, and shared files for the Marketing department in another.

Note: The sharing process applies only to the folder level. You cannot share an individual file or a group of files.

Accessing a Shared Folder


Users typically access a shared folder over the network by using its Universal Naming Convention (UNC) address. The UNC address contains the name of the server on which the folder is hosted, and the actual shared folder name, separated by a backslash (\) and preceded by two backslashes (\\). For example, the UNC path for the Sales shared folder on the LON-SVR1 server would be \\LON-SVR1\Sales.

Sharing a Folder on the Network


Windows Server 2012 provides different ways to share a folder:
- Select the appropriate drive, and then in the File and Storage Services section in Server Manager, select the New Share task.
- Use the File Sharing Wizard, either from the folder's right-click menu, or by clicking the Share button on the Sharing tab of the folder's Properties window.
- Use Advanced Sharing by clicking the Advanced Sharing button on the Sharing tab of the folder's Properties window.
- Use the Netsh command-line tool from a command-line window.


Note: When sharing a folder, you will be asked to give the shared folder a name. This name does not have to be the same name as the actual folder. It can be a descriptive name that better describes the folder contents to network users.

Administrative Shares
You can create administrative (or hidden) shared folders that need to be available from the network, but should be hidden from users browsing the network. You can access an administrative shared folder by typing in its UNC path, but the folder will not display if you browse the server by using a Windows Explorer window. Administrative shared folders also typically have a more restrictive set of permissions assigned to the shared folder to reflect the administrative nature of the folder's contents. To hide a shared folder, append the dollar symbol ($) to the folder's name. For example, a shared folder on LON-SVR1 named Sales can be made into a hidden shared folder by naming it Sales$. The shared folder is accessible over the network by using the UNC path \\LON-SVR1\Sales$.

Note: Shared folder permissions apply only to users who access the folder over the network. They do not affect users who access the folder locally on the computer where the folder is stored.

Shared Folder Permissions


Just like NTFS permissions, you can assign shared folder permissions to users, groups, or computers. However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or folders within the shared folder. Shared folder permissions are set once for the shared folder itself, and apply universally to the entire contents of the shared folder for users who access the folder over the network. When you create a shared folder, the default assigned shared permission for the Everyone group is set to Read. The following table lists the permissions that you can grant to a shared folder.

Read: Users can view folder and file names, view file data and attributes, run program files and scripts, and navigate the folder structure within the shared folder.

Change: Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.

Full Control: Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

Note: When you assign Full Control permissions on a shared folder to a user, that user can modify permissions on the shared folder, which includes removing all users, including you, from the shared folder's permissions list. In most cases, you should grant the Change permission instead of the Full Control permission.


Permissions Inheritance

By default, NTFS and shared folders use inheritance to propagate permissions throughout a folder structure. When you create a file or a folder, it is automatically assigned the permissions that are set on any folders that exist above it (parent folders) in the hierarchy of the folder structure.

How Inheritance Is Applied


Consider the following example structure, in which Adam Carter is a member of the Marketing group and of the New York Editors group:

Folder or File                Assigned Permissions        Adam's Permissions
Marketing (folder)            Read: Marketing             Read
Marketing Pictures (folder)   None set                    Read (inherited)
New York (folder)             Write: New York Editors     Read(i) + Write
Fall_Composite.jpg (file)     None set                    Read(i) + Write(i)

In this example, Adam is a member of two groups that are assigned permissions for files or folders within the folder structure. They are as follows:
- The top-level folder, Marketing, has an assigned permission for the Marketing group giving them Read access.
- In the next level, the Marketing Pictures folder has no explicit permissions set, but because of permissions inheritance, Adam has Read access to this folder and its contents from the permissions that are set on the Marketing folder.
- In the third level, the New York folder has Write permissions assigned to one of Adam's groups, New York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits the Read permission from the Marketing folder. These permissions pass down to file and folder objects, cumulating with any explicit Read and Write permissions set on those files.
- The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been set for this file, Adam has both Read and Write access to the file due to the inherited permissions from both the Marketing folder and the New York folder.

Permission Conflicts


Sometimes, explicitly set permissions on a file or folder will conflict with permissions inherited from a parent folder. In these cases, the explicitly assigned permissions always override the inherited permissions. In the given example, if Adam Carter was denied Write access to the parent Marketing folder, but then explicitly granted Write access to the New York folder, the granted Write access permission would take precedence over the inherited Deny Write access permission.


Blocking Inheritance


You can also disable the inheritance behavior for a file or a folder (and its contents) on an NTFS drive to explicitly define permissions for a set of objects without including any of the inherited permissions from any parent folders. Windows Server 2012 provides an option for blocking inheritance on a file or a folder. To block inheritance on a file or folder, complete the following steps:
- Right-click the file or folder where you want to block inheritance, and then click Properties.
- In the Properties window, click the Security tab, and then click the Advanced button.
- In the Advanced Security Settings window, click the Change Permissions button.
- In the next Advanced Security Settings window, click the Disable inheritance button.

At this point, you are prompted to either convert the inherited permissions into explicit permissions, or remove all inherited permissions from the object to start with a blank permissions slate.

Resetting Default Inheritance Behavior


After you block inheritance, changes made to permissions on the parent folder structure no longer have an effect on the permissions for the child object (and its contents) that has blocked inheritance, unless you reset that behavior from one of the parent folders by selecting the Replace all child objects with inheritable permissions from this object check box. When you select this check box, the existing set of permissions on the current folder is propagated down to all child objects in the tree structure, and overrides all explicitly assigned permissions for those files and folders. This check box is located directly under the Include inheritable permissions from this object's parent check box.
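Blocking inheritance and then resetting it, scripted with the .NET ACL objects that Get-Acl returns and with icacls, as an added example that is not part of the course manual. The paths E:\Marketing and E:\Marketing\New York are placeholders based on this lesson's example structure.

```powershell
# Added example (not from the course manual): block inheritance on a child
# folder, then reset the whole subtree from the parent.
# Assumptions: the paths below are placeholders from the lesson's example;
# run in an elevated PowerShell session on the file server.

$parent = 'E:\Marketing'
$child  = 'E:\Marketing\New York'

# --- Block inheritance (the "Disable inheritance" button) ---
# SetAccessRuleProtection(isProtected, preserveInheritance) offers the same
# two choices as the prompt described above:
#   $true, $true  -> convert the inherited entries into explicit ones
#   $true, $false -> drop the inherited entries and start from a blank slate
# Caveat for the blank-slate form: if the object had no explicit entries, the
# result is an empty DACL that nobody can read. Add an explicit entry for an
# administrators group first, or use the converting form as done here.
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $child -AclObject $acl

# Every entry on the child now reports IsInherited = False, and changes made
# on E:\Marketing no longer flow down to it.
(Get-Acl -Path $child).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# --- Re-enable inheritance on the child only ---
# Un-protecting makes the parent's inheritable entries apply again; the
# explicit entries that were converted above are kept, so remove any you no
# longer want before or after this step.
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $child -AclObject $acl

# --- Reset the whole subtree from the parent ---
# Equivalent of the "Replace all child objects with inheritable permissions
# from this object" check box: /reset discards explicit entries on each child
# and re-inherits from its parent, /T recurses, /C continues past errors,
# /Q suppresses per-file success messages. The wildcard keeps the parent
# folder's own entries untouched.
icacls "$parent\*" /reset /T /C /Q

# Confirm that the child is inheriting again.
(Get-Acl -Path $child).AreAccessRulesProtected   # $false means inheritance is enabled
```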

Effective Permissions

Access to a file or folder in Windows Server 2012 is granted based on a combination of permissions. When a user attempts to access a file or folder, the permission that applies is dependent on various factors, including:
- Explicitly defined and inherited permissions that apply to the user.
- Explicitly defined and inherited permissions that apply to the groups to which the user belongs.
- How the user is accessing the file or folder: locally, or over the network.

Effective NTFS permissions are the cumulative permissions that are assigned to a user for a file or folder based on the factors listed above. The following principles determine effective NTFS permissions:
- Cumulative permissions are the combination of the highest NTFS permissions granted to the user and to all the groups of which the user is a member. For example, if a user is a member of a group that has Read permission and is a member of a group that has Modify permission, the user is assigned cumulative Modify permissions.
- Deny permissions override equivalent Allow permissions. However, an explicit Allow permission can override an inherited Deny permission. For example, if a user is denied Write access to a folder via an inherited Deny permission, but is explicitly granted Write access to a subfolder or a particular file, the explicit Allow overrides the inherited Deny for the particular subfolder or file.


- You can apply permissions to a user or to a group. Assigning permissions to groups is preferred, because managing group permissions is more efficient than managing permissions that are set for many individuals.
- NTFS file permissions take priority over folder permissions. For example, if a user has Read permission to a folder, but has been granted Modify permission to certain files in that folder, the effective permission for those files will be set to Modify.
- Every object in an NTFS drive or in Active Directory Domain Services (AD DS) is owned. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user who creates a file in a folder where they have Modify permissions can change the permissions on the file to Full Control.

Effective Permissions Tool


Windows Server 2012 provides an Effective Permissions tool that shows the effective NTFS permissions on a file or folder for a user, based on permissions assigned to the user account and to the groups that the user account belongs to. You can access the Effective Permissions tool by using the following steps:
1. Right-click the file or folder for which you want to analyze permissions, and then click Properties.
2. In the Properties window, click the Advanced button.
3. In the Advanced Security Settings window, click the Effective Permissions tab.
4. Choose a user or group to evaluate by using the Select button.
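The evaluation that the Effective Permissions tab performs, written out as a small PowerShell function so that the precedence rules of this lesson (Explicit Deny, then Explicit Allow, then Inherited Deny, then Inherited Allow, with Allows accumulating across the user's groups) can be tried on paper. This is an added example, not code from the course; the ACLs are constructed to mirror the Adam Carter inheritance and conflict examples and are not read from a real drive. Rights are modelled as names such as Read and Write for readability; the real tool works on the individual advanced rights.

```powershell
# Added example (not from the course manual): apply this lesson's precedence
# order to a constructed ACL and report the cumulative rights for a user.

function New-Ace {
    # One access control entry in the shape this example needs.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Allow','Deny')][string]$Type,
        [Parameter(Mandatory)][string[]]$Rights,     # e.g. 'Read', 'Write'
        [bool]$Inherited = $false                      # explicit entry by default
    )
    [pscustomobject]@{ Identity = $Identity; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$Groups = @(),
        [Parameter(Mandatory)][object[]]$Acl
    )
    $principals = @($User) + $Groups

    # Rank entries in the order the lesson gives: explicit Deny first, then
    # explicit Allow, inherited Deny, inherited Allow. Entries for principals
    # that are neither the user nor one of the user's groups are ignored.
    $rank = @{ 'Explicit Deny' = 0; 'Explicit Allow' = 1; 'Inherited Deny' = 2; 'Inherited Allow' = 3 }
    $ordered = foreach ($ace in $Acl) {
        if ($principals -notcontains $ace.Identity) { continue }
        $scope = if ($ace.Inherited) { 'Inherited' } else { 'Explicit' }
        [pscustomobject]@{ Rank = $rank["$scope $($ace.Type)"]; Ace = $ace }
    }
    $ordered = @($ordered | Sort-Object Rank)

    # Walk the ranked entries: the first entry that mentions a right decides it.
    # Allows granted to different groups all survive, which is the cumulative rule.
    $decided = @{}
    foreach ($entry in $ordered) {
        foreach ($right in $entry.Ace.Rights) {
            if (-not $decided.ContainsKey($right)) { $decided[$right] = $entry.Ace.Type }
        }
    }
    @($decided.Keys | Where-Object { $decided[$_] -eq 'Allow' } | Sort-Object)
}

$groups = 'Marketing', 'New York Editors'

# Constructed ACL as seen on Fall_Composite.jpg in the inheritance example:
# nothing explicit on the file, both entries inherited from folders above it.
$fileAcl = @(
    (New-Ace -Identity 'Marketing'        -Type Allow -Rights 'Read'  -Inherited $true),
    (New-Ace -Identity 'New York Editors' -Type Allow -Rights 'Write' -Inherited $true)
)
'Fall_Composite.jpg: ' + ((Get-EffectiveRights -User 'Adam Carter' -Groups $groups -Acl $fileAcl) -join ', ')

# Constructed ACL for the New York folder in the Permission Conflicts example:
# Deny Write for Adam inherited from Marketing, explicit Allow Write for his
# group on this folder. The explicit Allow ranks above the inherited Deny, so
# Write is granted alongside the inherited Read.
$conflictAcl = @(
    (New-Ace -Identity 'Adam Carter'      -Type Deny  -Rights 'Write' -Inherited $true),
    (New-Ace -Identity 'Marketing'        -Type Allow -Rights 'Read'  -Inherited $true),
    (New-Ace -Identity 'New York Editors' -Type Allow -Rights 'Write' -Inherited $false)
)
'New York (inherited Deny): ' + ((Get-EffectiveRights -User 'Adam Carter' -Groups $groups -Acl $conflictAcl) -join ', ')

# Same folder, but the Deny is set explicitly on New York itself. An explicit
# Deny ranks first, so the group's Allow no longer rescues Write.
$explicitDenyAcl = @(
    (New-Ace -Identity 'Adam Carter'      -Type Deny  -Rights 'Write' -Inherited $false),
    (New-Ace -Identity 'Marketing'        -Type Allow -Rights 'Read'  -Inherited $true),
    (New-Ace -Identity 'New York Editors' -Type Allow -Rights 'Write' -Inherited $false)
)
'New York (explicit Deny): ' + ((Get-EffectiveRights -User 'Adam Carter' -Groups $groups -Acl $explicitDenyAcl) -join ', ')
```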

Combining NTFS Permissions and Shared Folder Permissions


NTFS permissions and shared folder permissions work together to control access to file and folder resources that are accessed from a network. When you configure access to network resources on an NTFS drive, use the most restrictive NTFS permissions to control access to folders and files, and combine them with the most restrictive shared folder permissions to control access to the network.

How Combining NTFS and Shared Folder Permissions Works


When you apply both NTFS and shared folder permissions, remember that the more restrictive of the two permissions dictates the access that a user will have to a file or folder. The following two examples explain this further:
- If you set the NTFS permissions on a folder to Full Control, but you set the shared folder permissions to Read, then that user has only Read permission when accessing the folder over the network. Access is restricted at the shared folder level, and any greater access at the NTFS permissions level does not apply.
- Likewise, if you set the shared folder permission to Full Control, and you set the NTFS permissions to Write, then the user will have no restrictions at the shared folder level, but the NTFS permissions on the folder will grant only Write permissions to that folder.

The user must have appropriate permissions on both the NTFS file or folder and the shared folder. If no permissions exist for the user (either as an individual or as the member of a group) on either resource, access is denied.

Considerations for Combined NTFS and Shared Folder Permissions


The following are several considerations that make administering permissions more manageable:
- Grant permissions to groups instead of users. Groups can always have individuals added or deleted, while permissions on a case-by-case basis are difficult to track and cumbersome to manage.
- Use Deny permissions only when necessary. Because Deny permissions are inherited, assigning Deny permissions to a folder can result in users not being able to access files further down in the folder structure tree. You should assign Deny permissions only in the following situations:


  o To exclude a subset of a group that has Allow permissions
  o To exclude one specific permission when you have granted Full Control permissions to a user or a group
- Never deny the Everyone group access to an object. If you deny everyone access to an object, you deny Administrators access, including yourself. Instead, remove the Everyone group from the permissions list, as long as you grant permissions for the object to other users, groups, or computers.
- Grant permissions to an object that is as high in the folder structure as possible, so that the security settings are propagated throughout the tree. For example, instead of bringing groups representing all departments of the company together into a Read folder, assign Domain Users (which is a default group for all user accounts on the domain) to the share. In this manner, you eliminate the need to update department groups before new users receive the shared folder.
- Use NTFS permissions instead of shared permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level, and then use NTFS permissions to assign permissions that are more specific.

What Is Access-Based Enumeration?


With access-based enumeration, users see only the files and folders which they have permission to access. Access-based enumeration provides a better user experience because it displays a less complex view of the contents of a shared folder, making it easier for users to find the files that they need. Windows Server 2012 allows access-based enumeration of folders that a server shares over the network.

Enabling Access-Based Enumeration


To enable access-based enumeration for a shared folder:
1. Open Server Manager.
2. In the navigation pane, click File and Storage Services.
3. In the navigation pane, click Shares.
4. In the Shares pane, right-click the shared folder for which you want to enable access-based enumeration, and then click Properties.
5. In the Properties window, click Settings, and then select the Enable access-based enumeration check box.

When the Enable access-based enumeration check box is selected, access-based enumeration is enabled on the shared folder. This setting is unique to each shared folder on the server.

Note: The File and Storage Services console is the only place in the Windows Server 2012 interface where you can configure access-based enumeration for a shared folder. Access-based enumeration is not available in any of the properties windows that are accessible by right-clicking the shared folder in Windows Explorer.


What Are Offline Files?


An offline file is a copy of a network file that is stored on a client computer. By using offline files, users can access network-based files when their client computer is disconnected from the network. Offline files and folders are edited or modified by the client, and the changes are synchronized with the network copy of the files the next time the client is reconnected to the network. The synchronization schedule and behavior of offline files is controlled by the client operating system. Offline files are available to the following operating systems:
- Windows 8
- Windows Server 2012 clients
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Vista
- Windows Server 2003
- Windows XP

On a Windows Server 2012 computer, you view the Offline Settings window for a shared folder by clicking the Caching button in the Advanced Sharing window. The following options are available within the Offline Settings window:
- Only the files and programs that users specify are available offline. This is the default option when you set up a shared folder. When you use this option, no files or programs are available offline by default, and users control which files and programs they want to access when they are not connected to the network.
- No files or programs from the shared folder are available offline. This option blocks client computers from making copies of the files and programs on the shared folder.
- All files and programs that users open from the shared folder are automatically available offline. Whenever a user accesses the shared folder or drive and opens a file or program in it, that file or program is automatically made available offline to that user. Files and programs that are automatically made available offline remain in the offline files cache and synchronize with the version on the server until the cache is full or the user deletes the files. Files and programs that are not opened are not available offline.
- Optimized for performance. If you select the Optimized for performance check box, executable files (.exe, .dll) that are run from the shared folder by a client computer are automatically cached on that client computer. The next time the client computer runs the executable files, it will access its local cache instead of the shared folder on the server.


Note: The Offline Files feature must be enabled on the client computer for files and programs to be cached automatically. In addition, the Optimized for performance option does not have any effect on client computers that use Windows Vista or older, as these operating systems perform the program-level caching automatically, as specified by this option.

Configuring the Always Work Offline Setting


You can configure Windows Server 2012 and Windows 8 computers to use the Always available offline mode when accessing shared folders. When you configure this option, client computers always use the locally cached version of the files from a network share, even if they are connected to the file server by a high-speed network connection. This configuration typically results in faster access to files for client computers, especially when connectivity or speed of a network connection is intermittent. Synchronization with the files on the server occurs according to the offline files configuration of the client computer.

How to Enable the Always Work Offline Mode


To enable Always work offline mode, you use Group Policy to enable the Configure slow-link mode setting, and you set the latency value to 1:
1. On an AD DS domain controller, open Group Policy Management Console.
2. To optionally create a new Group Policy Object (GPO) for Offline Files settings, right-click the appropriate domain or Organizational Unit (OU), and then click Create a GPO in this domain, and Link it here.
3. In the console tree, right-click the GPO for which you want to configure the Offline Files settings, and then click Edit.
4. In the Group Policy Management Editor, in the console tree, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then expand Offline Files.
5. Right-click Configure slow-link mode, and then click Edit.
6. In the Configure slow-link mode window, click Enabled.
7. In the Options box, click Show.
8. In the Show Contents window, in the Value name box, specify the shared folder path for which you want to enable Always Offline mode.

Note: To enable Always Offline mode on all file shares, type a wildcard character (*).

9. In the Value box, type 1 to set the latency threshold to one millisecond, and then click OK.

Demonstration: Creating and Configuring a Shared Folder


Creating and configuring a shared folder is typically done within Windows Explorer, from the Sharing tab on the Properties window of the file or folder. When creating a shared folder, always ensure that you set permissions that are appropriate for all of the files and folders within the shared folder location.

Demonstration Steps

Create a shared folder


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.


2. Create a folder named Data on drive E.
3. Share the Data folder.

Assign permissions for the shared folder


Grant the Authenticated Users Change permissions for \\LON-SVR1\Data.

Configure access-based enumeration


1. Open Server Manager.
2. Navigate to the Shares pane in the File and Storage Services management console.
3. Open the Data Properties window for \\LON-SVR1\Data, and enable access-based enumeration.

Configure offline files


1. Open the Data Properties window for E:\Data.
2. Navigate to the Sharing tab and open the advanced sharing settings.
3. Open the caching settings, and then disable offline files.
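The whole demonstration (create the folder, share it, grant Authenticated Users the Change share permission, enable access-based enumeration, disable offline files) done with the SmbShare cmdlets that ship with Windows Server 2012, as an added example that is not part of the course demonstration. Server LON-SVR1, drive E: and the Data share name come from the demonstration; the Sales$ share at the end reuses the hidden-share example from earlier in this lesson and assumes a placeholder folder E:\Sales.

```powershell
# Added example (not from the course manual): the shared-folder demonstration
# as a script. Run in an elevated PowerShell session on LON-SVR1.

# Create a shared folder (demonstration steps 2 and 3), assign the share
# permission, enable access-based enumeration and disable offline files in
# one call.
# -CachingMode maps to the Offline Settings options of this lesson:
#   None      = No files or programs from the shared folder are available offline
#   Manual    = Only the files and programs that users specify are available offline
#   Documents = All files and programs that users open are automatically available offline
#   Programs  = Documents plus the "Optimized for performance" option
New-Item -Path 'E:\Data' -ItemType Directory -Force | Out-Null

New-SmbShare -Name 'Data' -Path 'E:\Data' `
             -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
             -FolderEnumerationMode AccessBased `
             -CachingMode None

# Verify the share-level settings that the three GUI procedures would set.
Get-SmbShare -Name 'Data' |
    Select-Object Name, Path, FolderEnumerationMode, CachingMode

# Share permissions are the ceiling for network access: confirm exactly which
# principals hold them. The lesson recommends removing Everyone rather than
# denying it, so revoke it if the default Read entry is present.
Get-SmbShareAccess -Name 'Data' | Format-Table -AutoSize
if (Get-SmbShareAccess -Name 'Data' | Where-Object { $_.AccountName -eq 'Everyone' }) {
    Revoke-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -Force
}

# NTFS permissions on E:\Data still decide what each user can actually do
# once past the share (the more restrictive of the two wins), so review them too.
(Get-Acl -Path 'E:\Data').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# The same cmdlets also handle the administrative (hidden) share from this
# lesson: the trailing $ hides it from browsing, and Set-SmbShare changes
# settings on a share that already exists. E:\Sales is a placeholder path.
New-SmbShare -Name 'Sales$' -Path 'E:\Sales' -ReadAccess 'ADATUM\Sales'
Set-SmbShare -Name 'Sales$' -FolderEnumerationMode AccessBased -CachingMode None -Force
Get-SmbShare -Name 'Sales$' | Select-Object Name, Path, FolderEnumerationMode, CachingMode
```

Set-SmbShare is a scriptable alternative to the File and Storage Services console for access-based enumeration on existing shares; the File Explorer Sharing tab still does not expose the setting.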


Lesson 2

Protecting Shared Files and Folders using Shadow Copies

Shadow copies are used to restore previous versions of files and folders. It is much faster to restore a previous version of a file from a shadow copy than from a traditional backup copy, which might be stored offsite. Files and folders can be recovered by administrators, or directly by end users. This lesson introduces you to shadow copies, and shows you how to configure a schedule of drive snapshots in Windows Server 2012.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe shadow copies.
• Describe considerations for scheduling shadow copies.
• Identify methods for restoring data from shadow copies.
• Restore data from a shadow copy.

What Are Shadow Copies?


A shadow copy is a static image (or a snapshot) of a set of data, such as a file or folder. Shadow copies provide the capability to recover files and folders based on snapshots that are taken of storage drives. After a snapshot is taken, you can view and potentially restore previous versions of files and folders that existed at the time that the snapshot was taken.

A shadow copy does not make a complete copy of all files for each snapshot. Instead, after a snapshot is taken, Windows Server 2012 tracks changes to the drive. A specific amount of disk space is allocated for tracking the changed disk blocks. When you access a previous version of a file, some of the content might be in the current version of the file, and some might be in the snapshot.

By default, the changed disk blocks are stored on the same drive as the original file, but this behavior can be modified. You can also define how much disk space is allocated for shadow copies. Multiple snapshots are retained until the allocated disk space is full, after which older snapshots are removed to make room for new snapshots. The amount of disk space that is used by a snapshot is based on the size of disk changes between snapshots.

Because a snapshot is not a complete copy of files, shadow copies cannot be used as a replacement for traditional backups. If the disk containing a drive is lost or damaged, then the snapshots of that drive are also lost.

Shadow copies are suitable for recovering data files, but not for more complex data such as databases that need to be logically consistent before a backup is performed. A database that is restored from previous versions is likely to be corrupt and require database repairs.


Considerations for Scheduling Shadow Copies


The default schedule for creating shadow copies is Monday through Friday at 07:00 A.M., and again at noon. You can modify the default schedule as desired for your organization.

When scheduling shadow copies:
• Consider that increasing the frequency of shadow copies increases the load on the server. You should not schedule drive shadow copies more than once each hour.
• Increase the frequency of shadow copies for frequently changing data. This increases the likelihood that recent file changes are captured.
• Increase the frequency of shadow copies for important data. This increases the likelihood that recent file changes are captured.

Restoring Data from a Shadow Copy


Previous versions of files can be restored by either users or administrators. Most users are unaware that they can do this, and they will need instructions on how to restore a previous version of a file.

Administrators can access previous versions of files directly on the server that stores the files. Users can access previous versions of files over the network from a file share. In both cases, previous versions are accessed from the Properties window of the file or folder.

When viewing previous versions of a folder, you can browse the available files and select only the file that you need. If multiple versions of files are available, you can review each version before deciding which one to restore. Finally, you can copy a previous version of a file to an alternate location instead of restoring it to its previous location. This prevents overwriting the current file version.

Windows XP SP2 or newer, Windows Vista, and Windows 7 operating system clients are capable of accessing previous file versions without installing any additional software. For Windows XP clients that are running Windows XP SP1 or older operating systems, you must install the Previous Versions Client.


Demonstration: Restoring Data from a Shadow Copy


Shadow copies can be created using the default schedule, or you can modify the schedule to provide more frequent snapshots. In either case, you will only see the versions of the file as it has changed. Taking a shadow copy of a file that doesn't change has no actual effect on the shadow copy: no additional versions are available, and no space is used in the snapshot, for that particular file.

Demonstration Steps

Configure shadow copies


1. On LON-SVR1, open Windows Explorer.
2. Enable Shadow Copies for Local Disk (C:).

Create a new file


1. Open Windows Explorer.
2. Create a folder in drive C named Data.
3. Create a text file named TestFile.txt in the Data folder.
4. Change the contents of TestFile.txt by adding the text Version 1.

Create a shadow copy


1. In Windows Explorer, right-click Local Disk (C:) and then click Configure Shadow Copies.
2. In the Shadow Copies window, click Create Now.
3. When the shadow copy is complete, click OK.

Modify the file


1. In Windows Explorer, double-click TestFile.txt to open the document.
2. In Notepad, type Version 2.
3. Close Notepad, and click Save to save the changes.

Restore a previous version


1. In Windows Explorer, right-click TestFile.txt, and then click Restore previous versions.
2. Restore the most recent version.
3. In the warning window, click Restore.
4. Open TestFile.txt to open the document and verify that the previous version is restored.


Lesson 3

Configuring Network Printing


By using the Print and Document Services role in Windows Server 2012, you can share printers on a network and centralize print server and network printer management. By using the Print Management console, you can monitor print queues, and receive important notifications regarding print server activity.

Windows Server 2012 introduces new features and important changes to the Print and Document Services role that you can use to manage your network printing environment better. This lesson explains the important aspects of network printing, and introduces new network printing features that are available in Windows Server 2012.

Lesson Objectives


After completing the lesson, you will be able to:
• Identify the benefits of network printing.
• Describe Enhanced Point and Print.
• Identify security options for network printing.
• Create multiple configurations for a print device.
• Describe printer pooling.
• Describe Branch Office Direct Printing.
• Identify methods for deploying printers to clients.

Benefits of Network Printing


You can configure network printing by using Windows Server 2012 as a print server for users. In this configuration, client computers submit print jobs to the print server for delivery to a printer that is connected to the network.

The biggest benefit of using Windows Server 2012 as a print server is centralized management of printing. Instead of managing client connections to many individual devices, you manage their connection to the server. Printer drivers are installed centrally on the server, and then distributed to workstations.

By centralizing printing on a server, you also simplify troubleshooting. It is relatively easy to determine whether printing problems are caused by the printer, server, or client computer.

A network printer is more expensive than those typically used for local printing, but it also has significantly lower consumables costs and better quality printing. Therefore, the cost of printing is still minimized, because the initial cost of the printer is spread over all the computers that connect to that printer. For example, a single network printer could service 100 users or more.

Network printers can also be published in AD DS, which allows users to search for printers in their domain.


What Is Enhanced Point and Print?


Enhanced Point and Print is a new function in Windows Server 2012 that makes it easier to install drivers for network printers. Enhanced Point and Print uses the new version 4 (v4) driver type that is introduced in Windows Server 2012 and Windows 8.

Understanding V3 Drivers and V4 Drivers


The Windows printer driver standard that is used in previous versions of Windows Server has existed in relatively the same form since the introduction of version 3 (v3) drivers in Windows 2000 operating systems. With v3 drivers, printer manufacturers created customized print drivers for each specific device that they produced, to ensure that Windows applications could use all of their printers' features. Under the v3 model, printer infrastructure management requires administrators to maintain drivers for each print device in the environment, and separate 32-bit and 64-bit drivers for a single print device, to support both platforms.

Introducing the V4 Printer Driver


Windows Server 2012 and Windows 8 include support for v4 print drivers, and enable improved print device driver management and installation. Under the v4 model, print device manufacturers can create Print Class Drivers that support similar printing features and printing languages that may be common to a large set of devices. Common printing languages may include Printer Control Language (PCL), .ps or XML Paper Specification (XPS).

Version 4 drivers are typically delivered by using Windows Update or Windows Software Update Services. Unlike v3 drivers, v4 drivers are not delivered from a printer store that is hosted on the print server.

The V4 driver model provides the following benefits:
• Sharing a printer does not require provisioning drivers that match the client architecture.
• Driver files are isolated on a per-driver basis, preventing driver file naming conflicts.
• A single driver can support multiple devices.
• Driver packages are smaller and more streamlined than v3 drivers, resulting in faster driver installation times.
• The printer driver and the printer user interface can be deployed independently.

Using Enhanced Point and Print for Driver Installation


Under the v4 model, printer sharing and driver installation operate automatically under Enhanced Point and Print. When a network printer is installed on a client computer, the server and client work together to identify the print device. The driver then installs directly from the driver store on the client machine, or from Windows Update or Windows Software Update Services.

With Enhanced Point and Print, the print device drivers no longer need to be maintained on the print server. Driver installation for network print devices becomes faster because printer drivers no longer need to be transferred over the network from server to client.

If the driver store on the client machine does not contain a driver for the network printer that is being installed, and if an appropriate driver cannot be obtained from Windows Update or Windows Server Update Services, Windows uses a fallback mechanism to enable cross-platform printing using the print driver from the print server.

Security Options for Network Printing


When a printer is shared over a network, in many cases no security is required. The printer is considered to be open access; that is, everyone is allowed to print on it. This is the default configuration for a printer that is shared on a Windows server. The permissions that are available for shared printing include:
• Print: This permission allows users to print documents on the printer. By default, the Everyone group is assigned this permission.
• Manage this printer: This permission allows users to modify printer settings, including updating drivers. By default, this permission is given to Administrators, Server Operators, and Print Operators.
• Manage documents: This permission allows users to modify and delete print jobs in the queue. This permission is assigned to CREATOR OWNER, which means that the user who creates a print job manages that job. Administrators, Server Operators, and Print Operators also have this permission for all print jobs.

Demonstration: Creating Multiple Configurations for a Print Device


Creating multiple configurations for a print device enables you to assign print queues to specific users or groups to print high priority jobs to a printer that is being used by other users. When a print job is sent to the high priority print queue, the print server will process the job before any jobs coming from the normal priority queue.

Demonstration Steps

Create a shared printer


1. Open the Devices and Printers window.
2. Add a printer using the LPT1 local port, and the Brother Color Leg Type1 Class driver.
3. Name the printer AllUsers.
4. Share the printer using the default settings.

Create a second shared printer that uses the same port

1. Open the Devices and Printers window.
2. Add a printer using the LPT1 local port, and the Brother Color Leg Type1 Class driver.
3. Name the printer Executives.
4. Share the printer using the default settings.


Increase printing priority for a high priority print queue


1. Open the Executives Printer properties window.
2. Increase the Priority to 10.
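The same two queues built with the PrintManagement cmdlets, as an added example that is not part of the course materials. It assumes the Print and Document Services role is installed on LON-SVR1 and that the in-box driver is named "Brother Color Leg Type1 Class Driver"; the queue names and priority values are the demonstration's. The final command also shows the permission descriptor of each queue, because the priority alone does not keep other users out of the Executives queue (the Security Options topic above explains the default Everyone Print permission).

```powershell
# Added example (not course code). Run on LON-SVR1 with the Print and Document
# Services role installed. Assumes the in-box driver name below.
Import-Module PrintManagement

$driver = 'Brother Color Leg Type1 Class Driver'
$port   = 'LPT1:'   # one physical port, two logical queues

# Priority runs from 1 (lowest) to 99; jobs waiting in the higher-priority queue
# are sent to the device ahead of jobs waiting in the lower-priority queue.
$queues = @(
    @{ Name = 'AllUsers';   Priority = 1  }
    @{ Name = 'Executives'; Priority = 10 }
)

foreach ($q in $queues) {
    if (-not (Get-Printer -Name $q.Name -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $q.Name -DriverName $driver -PortName $port -Shared -ShareName $q.Name
    }
    Set-Printer -Name $q.Name -Priority $q.Priority
}

# Both queues still carry the default security descriptor, so Everyone holds
# Print on the high-priority queue as well. Review it before relying on the
# queue to serve only the intended group.
Get-Printer -Name 'AllUsers', 'Executives' |
    Format-Table Name, PortName, Priority, Shared, PermissionSDDL -AutoSize
```

The PermissionSDDL column is the printer's security descriptor in SDDL form; restricting the Executives queue to a group is a separate step (the Security tab, or Set-Printer with a new descriptor) that the demonstration does not perform.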

What Is Printer Pooling?


Printer pooling is a way to combine multiple physical printers into a single logical unit. To client computers, the printer pool appears to be a single printer. When jobs are submitted to the printer pool, they can be processed by any available printer in the printer pool.

Printer pooling increases the scalability and availability of network printing by using a printer pool. If one printer in the pool is unavailable (for example, from a large print job, a paper jam, or being offline), all jobs are sent to the remaining printers. If a printer pool does not have sufficient capacity, you can add another printer to the printer pool without performing any client configuration.

A printer pool is configured on a server by specifying multiple ports for a printer. Each port is the location of one physical printer. In most cases, the ports are an IP address on the network, instead of a local LPT or USB connection.

The requirements for a printer pool are as follows:
• Printers must use the same driver: Clients use a single printer driver for generating print jobs. All printers must accept print jobs in the same format. In many cases, this means that a single printer model is used.
• Printers should be in the same location: The printers in a printer pool should be located physically close together. When users retrieve their print jobs, they must check all printers in the printer pool to find their document. There is no way for users to know which printer has printed their document.

What Is Branch Office Direct Printing?


Branch Office Direct Printing reduces network costs for organizations that have centralized their Windows Server roles. When Branch Office Direct Printing is enabled, Windows clients obtain printer information from the print server, but send the print jobs directly to the printer. The print data no longer travels to the central server and then back to the branch office printer. This configuration reduces traffic between the client computer, the print server, and the branch office printer, and results in increased network efficiency.

Branch Office Direct Printing is transparent to the user. In addition, the user can print even if the print server is unavailable for some reason (for example, if the wide area network (WAN) link to the data center is down). This is because the printer information is cached on the client computer in the branch office.

Configuring Branch Office Direct Printing


Branch Office Direct Printing is configured by an administrator using the Print Management console or a Windows PowerShell command-line interface.

To configure Branch Office Direct Printing from the Print Management console, use the following steps:
1. In Server Manager, open the Print Management console.
2. In the navigation pane, expand Print Servers, and then expand the print server that is hosting the network printer for which Branch Office Direct Printing will be enabled.
3. Click the Printers node, right-click the desired printer, and then click Enable Branch Office Direct Printing.

To configure Branch Office Direct Printing using a Windows PowerShell command-line interface, type the following command at a Windows PowerShell command prompt:

Set-Printer -Name "<Printer Name Here>" -ComputerName <Print Server Name Here> -RenderingMode BranchOffice

Deploying Printers to Clients


Deploying printers to clients is a critical part of managing printing services on the network. A well-designed system for deploying printers is scalable and can be used to manage hundreds or thousands of computers.

The options for deploying printers are:
• Group Policy preferences. You can use Group Policy preferences to deploy shared printers to Windows XP, Windows Vista, Windows 7, and Windows 8 clients. The printer can be associated with either the user account or computer account, and can be targeted by group. For Windows XP computers, you must install the Group Policy Preference Client Extension.
• GPO created by Print Management. The Print Management administrative tool can add printers to a GPO for distribution to client computers based on either a user account or a computer account. Windows XP computers must be configured to run Pushprinterconnections.exe.
• Manual installation. Each user can add printers manually by either browsing the network or using the Add Printer Wizard. It is important to note that network printers that are installed manually are available only to the user that installed them. If multiple users share a computer, they must each install the printer manually.


Lab: Implementing File and Print Services


Scenario
Your manager has recently asked you to configure file and print services for the branch office. This requires you to configure a new shared folder that is used by multiple departments, configure shadow copies on the file servers, and configure a printer pool.

Objectives
After performing this lab, you will be able to:
• Create and configure a file share.
• Configure a shadow copy.
• Create and configure a printer pool.

Lab Setup
Estimated Time: 40 minutes

Logon Information
Virtual Machines: 20410A-LON-CL1, 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1 and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-SVR1.
6. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Creating and Configuring a File Share


Scenario
Your manager has asked you to create a new shared folder for use by all departments. There will be a single file share with separate folders for each department. To ensure that users only see files to which they have access, you need to enable access-based enumeration on the share.


There have been problems in other branch offices with conflicts when offline files are used for shared data structures. To avoid conflicts, you need to disable Offline Files for this share.

The main tasks for this exercise are as follows:
1. Create the folder structure for the new share.
2. Configure NTFS permissions on the folder structure.
3. Create the shared folder.
4. Test access to the shared folder.
5. Enable access-based enumeration.
6. Test access to the share.
7. Disable Offline Files for the share.

Task 1: Create the folder structure for the new share


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows Explorer window, and create the following folders:
o E:\Data
o E:\Data\Development
o E:\Data\Marketing
o E:\Data\Research
o E:\Data\Sales

Task 2: Configure NTFS permissions on the folder structure


1. In Windows Explorer, block the NTFS permissions inheritance for E:\Data, and when prompted, convert inherited permissions into explicit permissions.
2. In Windows Explorer, remove permissions for LON-SVR1\Users on subdirectories in E:\Data.
3. In Windows Explorer, add the following NTFS permissions for the folder structure:

Folder                 Permissions
E:\Data                No change
E:\Data\Development    Modify: Adatum\Development
E:\Data\Marketing      Modify: Adatum\Marketing
E:\Data\Research       Modify: Adatum\Research
E:\Data\Sales          Modify: Adatum\Sales

Task 3: Create the shared folder


1. In Windows Explorer, share the E:\Data folder.
2. Assign the following permissions to the shared folder:
o Change: Adatum\Authenticated Users


Task 4: Test access to the shared folder


1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

Note: Bernard is a member of the Development group.

2. Open Windows Explorer.
3. Navigate to \\LON-SVR1\Data.
4. Attempt to open the Development, Marketing, Research, and Sales folders.

Note: Bernard should have access to the Development folder. However, although Bernard can still see the other folders, he does not have access to their contents.

5. Log off LON-CL1.

Task 5: Enable access-based enumeration


1. Switch to LON-SVR1.
2. Open Server Manager.
3. Select File and Storage Management.
4. Select Shares.
5. Open the Properties window for the Data share, and from the Settings page, enable Access-based enumeration.

Task 6: Test access to the share


1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.
2. Click the Desktop tile and then open a Windows Explorer window, and navigate to \\LON-SVR1\Data.

Note: Bernard can now view only the Development folder, the folder for which he has been assigned permissions.

3. Open the Development folder to confirm access.
4. Log off LON-CL1.

Task 7: Disable Offline Files for the share


1. Switch to LON-SVR1.
2. Open Windows Explorer.
3. Navigate to E:\.
4. Open the Properties window for the Data folder, and disable Offline file caching.

Results: After finishing this exercise, you will have created a new shared folder for use by multiple departments.
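The following Windows PowerShell script is an added example and not part of the course materials; it performs the steps of the Creating and Configuring a Shared Folder demonstration in Lesson 1 and of Exercise 1 above with the SmbShare cmdlets and icacls on Windows Server 2012. It assumes drive E: and the Adatum department groups exist on LON-SVR1. The way it handles the "remove permissions for Users on subdirectories" step (Users keeps read access on E:\Data itself so the share root can still be listed, and nothing below it) is an editorial interpretation of the lab, and the Authenticated Users group that the lab writes as Adatum\Authenticated Users is addressed by its built-in NT AUTHORITY name.

```powershell
# Added example (not course code). Run on LON-SVR1 as Adatum\Administrator.
# Assumes drive E: exists and that Adatum\Development, Adatum\Marketing,
# Adatum\Research and Adatum\Sales exist in AD DS.
$root        = 'E:\Data'
$departments = 'Development', 'Marketing', 'Research', 'Sales'

# Task 1: the folder structure.
New-Item -Path $root -ItemType Directory -Force | Out-Null
foreach ($dept in $departments) {
    New-Item -Path (Join-Path $root $dept) -ItemType Directory -Force | Out-Null
}

# Task 2: NTFS permissions.
# /inheritance:d stops inheritance on E:\Data and converts the inherited
# entries into explicit ones (the "block inheritance" step of the lab).
icacls $root /inheritance:d | Out-Null
# Drop the Users entries that were inherited, then give Users read access to
# E:\Data only (no (OI)(CI) flags), so the share root can still be listed while
# the department folders receive nothing from this group.
icacls $root /remove:g 'Users' | Out-Null
icacls $root /grant 'Users:(RX)' | Out-Null
foreach ($dept in $departments) {
    # Modify for the matching department group, inherited by subfolders and files.
    icacls (Join-Path $root $dept) /grant "Adatum\${dept}:(OI)(CI)M" | Out-Null
}

# Task 3: the share, with Change for Authenticated Users. Passing -ChangeAccess
# replaces the default Everyone/Read share permission.
if (-not (Get-SmbShare -Name 'Data' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Data' -Path $root -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# Tasks 5 and 7: access-based enumeration on, offline caching off.
# -Force suppresses the confirmation prompt that Set-SmbShare shows otherwise.
Set-SmbShare -Name 'Data' -FolderEnumerationMode AccessBased -CachingMode None -Force

# Checks that correspond to what Bernard should experience in tasks 4 and 6.
Get-SmbShare -Name 'Data' | Format-List Name, Path, FolderEnumerationMode, CachingMode
Get-SmbShareAccess -Name 'Data'
foreach ($dept in $departments) { icacls (Join-Path $root $dept) }
```

Get-SmbShareAccess shows the share-level permissions and icacls the NTFS layer; a user's effective access over the network is the more restrictive of the two, which is why Change on the share for all authenticated users is safe only because the NTFS entries below it are per department.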


Exercise 2: Configuring Shadow Copies


Scenario
A. Datum Corporation stores daily backups offsite for disaster recovery. Every morning the backup from the previous night is taken offsite. To recover a file from backup requires the backup tapes to be shipped back onsite. The overall time to recover a file from backup can be a day or more.

Your manager has asked you to ensure that shadow copies are enabled on the file server so you can restore recently modified or deleted files without using a backup tape. Because the data in this branch office changes frequently, you have been asked to configure a shadow copy to be created once per hour.

The main tasks for this exercise are as follows:
1. Configure shadow copies for the file share.
2. Create multiple shadow copies of a file.
3. Recover a deleted file from a shadow copy.

Task 1: Configure shadow copies for the file share


1. Switch to LON-SVR1.
2. Open Windows Explorer.
3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.
4. Enable Shadow Copies for the E:\ drive.
5. Configure the settings to schedule hourly shadow copies for the E:\ drive.

Task 2: Create multiple shadow copies of a file


1. On LON-SVR1, switch to Windows Explorer, and navigate to the E:\Data\Development folder.
2. Create a new text file named Report.txt.
3. Switch to the Shadow Copies window, and then click Create Now.

Task 3: Recover a deleted file from a shadow copy


1. Switch back to the Windows Explorer window.
2. Delete the Report.txt file.
3. Open the Properties window for E:\Data\Development, and then click the Previous Versions tab.
4. Open the most recent version of the Development folder, and then copy the Report.txt file.
5. Paste the file back into the Development folder.
6. Close Windows Explorer and all open windows.

Results: After finishing this exercise, you will have enabled shadow copies on the file server.
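The shadow copy mechanics described in Lesson 2 (snapshot storage on the same drive, the hourly limit, and restoring a single file) and the three tasks of Exercise 2, as an added Windows PowerShell example that is not part of the course materials. It assumes drive E: on LON-SVR1 and the file E:\Data\Development\Report.txt from Task 2; the 10 percent storage cap, the task name ShadowCopyVolumeE and the C:\ShadowMount link path are choices made for this example. The snapshot is created through the Win32_ShadowCopy WMI class, and the deleted file is copied back out of the snapshot's device object rather than through the Previous Versions tab.

```powershell
# Added example (not course code). Run on LON-SVR1 as Adatum\Administrator.
# Assumes drive E: and the file E:\Data\Development\Report.txt from Exercise 2.
$driveLetter = 'E:'
$volume      = 'E:\'
$devFolder   = 'E:\Data\Development'

# Task 1a: shadow storage on the same drive (the default), capped at 10 percent
# of the volume. When the cap is reached the oldest snapshots are discarded.
$assoc = vssadmin list shadowstorage /for=$driveLetter
if ($assoc -match 'Shadow Copy Storage association') {
    vssadmin resize shadowstorage /for=$driveLetter /on=$driveLetter /maxsize=10%
} else {
    vssadmin add shadowstorage /for=$driveLetter /on=$driveLetter /maxsize=10%
}

# Task 1b: hourly schedule. The Shadow Copies dialog registers an equivalent
# task that runs wmic for the volume; the lesson advises no more than hourly.
$action  = New-ScheduledTaskAction -Execute 'wmic.exe' -Argument "shadowcopy call create Volume=$volume"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
               -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
Register-ScheduledTask -TaskName 'ShadowCopyVolumeE' -Action $action -Trigger $trigger `
               -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# Task 2: a snapshot now ("Create Now"). Create returns the ID of the new snapshot.
$create = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create($volume, 'ClientAccessible')
if ($create.ReturnValue -ne 0) { throw "Snapshot failed with return code $($create.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy -Filter "ID='$($create.ShadowID)'"

# Task 3: delete the file, then recover it from the snapshot. The snapshot is a
# read-only device object; a directory symbolic link exposes it as a path.
Remove-Item "$devFolder\Report.txt"
$mount = 'C:\ShadowMount'
cmd /c mklink /d $mount "$($shadow.DeviceObject)\" | Out-Null
Copy-Item "$mount\Data\Development\Report.txt" -Destination $devFolder
cmd /c rmdir $mount | Out-Null

# What exists, when it was taken, and how much changed-block space is in use.
Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate, DeviceObject
vssadmin list shadowstorage /for=$driveLetter
```

The second vssadmin listing is the check that matters operationally: the "Used" figure grows with the amount of data changed between snapshots, and once "Maximum" is reached the oldest snapshot, not the newest, is the one that disappears.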

Exercise 3: Creating and Configuring a Printer Pool


Scenario
Your manager has asked you to create a new shared printer for your branch office. However, instead of creating the shared printer on the local server in the branch office, he has asked you to create the shared printer in the head office and use Branch Office Direct Printing. This allows the printer to be managed in the head office, but prevents print jobs from traversing WAN links.


To ensure high availability of this printer, you need to format it as a pooled printer. Two physical print devices of the same model have been installed in the branch office for this purpose.

The main tasks for this exercise are as follows:
1. Install the Print and Document Services server role.
2. Install a printer.
3. Configure printer pooling.
4. Install a printer on a client computer.

Task 1: Install the Print and Document Services server role


1. On LON-SVR1, open Server Manager.
2. Install the Print and Document Services role, and accept the default settings.

Task 2: Install a printer


1. On LON-SVR1, use the Print Management console to install a printer with the following parameters:
a. IP Address: 172.16.0.200
b. Driver: Microsoft XPS Class Driver
c. Name: Branch Office Printer
2. Enable Branch Office Direct Printing.
3. List the printer in AD DS.

Task 3: Configure printer pooling


1. In the Print Management console, create a new port on LON-SVR1 with the following configuration:
a. Type: Standard TCP/IP port
b. IP Address: 172.16.0.201
c. Connection: Generic Network Card
2. Open the Branch Office Printer Properties page, and on the Ports tab, enable printer pooling.
3. Select port 172.16.0.201 as the second port.

Task 4: Install a printer on a client computer


1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Add a printer, selecting the Branch Office Printer on LON-SVR1 printer.

Results: After finishing this exercise, you will have installed the Print and Document Services server role and installed a printer with printer pooling.
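Tasks 2 to 4 of Exercise 3, together with the pooling and Branch Office Direct Printing topics of Lesson 3, done with the PrintManagement cmdlets, as an added example that is not part of the course materials. It assumes the Print and Document Services role is already installed on LON-SVR1 (Task 1) and uses the lab's addresses 172.16.0.200 and 172.16.0.201, driver and printer name; the pooled queue is written as a comma-separated port list, which is the form the Ports tab stores.

```powershell
# Added example (not course code). Run on LON-SVR1 after the Print and Document
# Services role is installed. Uses the lab's addresses, driver and printer name.
Import-Module PrintManagement

$printerName = 'Branch Office Printer'
$driverName  = 'Microsoft XPS Class Driver'
$devices     = '172.16.0.200', '172.16.0.201'   # two identical devices in the branch

# Pool members must accept the same job format, hence one driver for the queue.
if (-not (Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driverName
}

# One Standard TCP/IP port per physical device.
foreach ($ip in $devices) {
    if (-not (Get-PrinterPort -Name $ip -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $ip -PrinterHostAddress $ip
    }
}

# Task 2: the queue on the first port, shared and listed in AD DS (-Published),
# with Branch Office Direct Printing so job data goes from the client to the
# device instead of across the WAN to the server and back.
if (-not (Get-Printer -Name $printerName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $printerName -DriverName $driverName -PortName $devices[0] `
                -Shared -ShareName $printerName -Published
}
Set-Printer -Name $printerName -RenderingMode BranchOffice

# Task 3: pooling. A pooled queue is one queue bound to several ports; the
# spooler stores the list comma-separated, and that is what is written here.
Set-Printer -Name $printerName -PortName ($devices -join ',')

Get-Printer -Name $printerName |
    Format-List Name, DriverName, PortName, Shared, Published, RenderingMode

# Task 4, on LON-CL1 (run there, not on the server): connect to the shared queue.
# Add-Printer -ConnectionName "\\LON-SVR1\$printerName"
```

With RenderingMode set to BranchOffice the server still holds the queue definition, permissions and driver information, so the security options from Lesson 3 continue to be enforced centrally; only the job data bypasses the server.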

To prepare for the next module


After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.


Module Review and Takeaways


Review Questions:
Question: How does inheritance affect explicitly assigned permissions on a file?

Question: Why should you not use shadow copies as a means for data backup?

Question: In which scenarios could Branch Office Direct Printing be beneficial?

Tools
Name of tool: Effective Permissions Tool
Used for: Assessing combined permissions for a file, folder or shared folder.
Where to find it: Under Advanced, on the Security tab of the Properties page of a file, folder or shared folder.

Name of tool: Netsh command-line tool
Used for: Configuring Windows Server 2012 networking components.
Where to find it: Command prompt.

Name of tool: Print Management administrative tool
Used for: Managing the print environment in Windows Server 2012.
Where to find it: The Tools menu in Server Manager.


Module 11
Implementing Group Policy
Contents:
Module Overview 11-1
Lesson 1: Overview of Group Policy 11-2
Lesson 2: Group Policy Processing 11-10
Lesson 3: Implementing a Central Store for Administrative Templates 11-15
Lab: Implementing Group Policy 11-19
Module Review and Takeaways 11-23

Module Overview
Maintaining a consistent environment across an organization is challenging. Administrators need a mechanism to configure and enforce user and computer settings and restrictions. Group Policy can provide that consistency by enabling administrators to centrally manage and apply configuration settings. This module provides an overview of Group Policy and provides details about how to implement group policies.

Objectives
After completing this module, you will be able to:
• Create and manage Group Policy Objects.
• Describe Group Policy processing.
• Implement a central store for administrative templates.


Lesson 1

Overview of Group Policy


Group Policy allows you to control the computing environment. It is important to understand how Group Policy functions, so you can apply Group Policy correctly. This lesson provides an overview of Group Policy structure, and defines local and domain group policies. It also describes the types of settings available for users and groups.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe the components of Group Policy.
• Describe multiple local Group Policy Objects (GPOs).
• Describe storage options for domain GPOs.
• Describe GPO policies and preferences.
• Describe starter GPOs.
• Describe the process of delegating GPO management.
• Describe the process of creating and managing GPOs.

Components of Group Policy


Group Policies are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group Group Policies together to make GPOs, which you can then apply to security principals (users, groups or computers).

GPOs
A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory containers to apply settings to the objects in those containers.

Group Policy Settings


A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer or a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it.

Most policy settings have three states:
Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.
Enabled. The policy setting will be applied.
Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured.

Note: Some settings are multi-valued or have text string values. These are typically used to provide specific configuration details to applications or operating system components. For example, a setting may provide the URL of the home page for Windows Internet Explorer or blocked applications.

The effect of the change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy that prevents an action, so you allow the action.

Group Policy Settings Structure


There are two distinct areas of Group Policy settings:
User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Section: Software settings
Description: Contain software settings that can be deployed to either the user or the computer. Software that is deployed to a user is specific to that user. Software that is deployed to the computer is available to all users of that computer.

Section: Windows operating system settings
Description: Contain script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.

Section: Administrative templates
Description: Contain hundreds of settings that modify the registry to control various aspects of the user and computer environment. New administrative templates may be created by Microsoft or other vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010 templates that are available for download, and that you can add to the GPMC.

Group Policy Management Editor


The Group Policy Management Editor (GPME) displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.


Group Policy Preferences


In addition to the Group Policy sections shown in the previous table, a Preferences node is present under both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor. Preferences provide even more capabilities with which to configure the environment, and are discussed later in this module.

Local Group Policy


All systems running the Microsoft Windows 2000 operating systems or newer also have local Group Policies that are available. Local policy settings only apply to the local machine, but can be exported and imported to other computers.

What Are Multiple Local GPOs?


In Windows operating systems prior to Windows Vista, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs. In Windows 8 and Windows Server 2012, it is now possible to have different user settings for different local users; this is only available for the user configurations in Group Policy. There is only one set of computer configurations available, and it affects all users of the computer.

Windows 8 and Windows Server 2012 provide this ability with the following three layers of Local Group Policy Objects:
Local Group Policy (contains the computer configuration settings)
Administrator and Non-Administrator Group Policy
User-specific Local Group Policy

Note: The exception to this feature is domain controllers. Due to the nature of their role, domain controllers cannot have local Group Policies.

How the Layers Are Processed


The layers of Local Group Policy Objects are processed in the following order:
1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy

With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply local Group Policies to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.


Note: Domain administrators can disable processing of Local Group Policy Objects on clients that are running Windows client operating systems and Windows Server operating systems by enabling the Turn Off Local Group Policy Objects Processing policy setting in a domain Group Policy Object.

Storage of Domain GPOs


Group Policy settings are presented as GPOs in the Group Policy Management tool, but a GPO is actually two components: a Group Policy template, and a Group Policy container.

Group Policy Template


Group Policy templates are the actual collection of settings that you can change. Group Policy templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains Group Policy templates with thousands of configurable settings. When you create a new Group Policy, the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the GPO, a new Group Policy container is created.

Group Policy Container


The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and version numbers, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller. SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened.

By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings in a GPO only if the GPO has been updated. The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy Client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.

When editing a Group Policy, the version on the computer that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter what computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
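The version number described above is a single 32-bit value that packs the computer-side and user-side counters into its low and high 16 bits. The following PowerShell is an added example (not part of the course text) that decodes that value from a template folder's GPT.ini and uses Get-GPO to compare the container version in AD with the template version in SYSVOL; the SYSVOL path and server name are placeholders.

```powershell
# Added example, not the course's own script. Requires the GroupPolicy module
# (installed with the GPMC / RSAT). The versionNumber attribute of the
# container and the Version= line in GPT.ini use the same packed layout:
# low 16 bits = computer-side version, high 16 bits = user-side version.
Import-Module GroupPolicy

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # Reads the Version= entry from a Group Policy Template folder, for example
    # \\adatum.com\SYSVOL\adatum.com\Policies\{GPOGUID}\GPT.ini (placeholder path).
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
            return ConvertFrom-GpoVersion -Version ([uint32]$Matches[1])
        }
    }
    throw "No Version= entry found in $Path"
}

function Test-GpoVersionSync {
    # Reports, for every GPO as seen from one domain controller, whether the
    # container (AD) version matches the template (SYSVOL) version. A lasting
    # mismatch means AD and SYSVOL replication have diverged, so the CSEs may
    # apply a stale template or skip a changed one.
    param([string]$Server)   # optional: the DC to query, e.g. the PDC emulator
    $params = @{ All = $true }
    if ($Server) { $params.Server = $Server }
    foreach ($gpo in Get-GPO @params) {
        $inSync = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                  ($gpo.User.DSVersion     -eq $gpo.User.SysvolVersion)
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            ComputerAD     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            UserAD         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            InSync         = $inSync
        }
    }
}

# Usage: list only the GPOs whose two copies disagree.
# Test-GpoVersionSync | Where-Object { -not $_.InSync }
```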


What Are Group Policies and Preferences?


Group Policy Preferences are a feature in the Windows Server 2012 operating system. Preferences include more than 20 Group Policy extensions that expand the range of configurable settings within a GPO. Preferences help to reduce the need for logon scripts.

Note: Windows XP operating systems need to have the Group Policy client-side extensions installed to process Group Policy preferences. These can be downloaded from the Microsoft download website.

Characteristics of Preferences


Preferences have the following characteristics:
Preferences exist for both computers and users.
Unlike Group Policy settings, preferences are not enforced, and users can change the configurations that are established by preferences.
Preferences can be managed through the Remote Server Administration Tools (RSAT).
Preferences can be applied only once at startup or logon, or refreshed at intervals.
Unlike Group Policy settings, preferences are not removed when the GPO is no longer applied, but you can change this behavior.
Preferences can easily be targeted to certain users or computers through a variety of ways, such as security group membership or operating system version.
Preferences are not available for local group policies.
Unlike Group Policy, the user interface of the setting is not disabled.

Common Uses for Group Policy Preferences


Although you can configure many settings through Group Policy preferences, some of the more common uses are as follows:
Drive mappings for users
Configuring desktop shortcuts for users or computers
Setting environment variables
Mapping printers
Setting power options
Configuring Start menus
Configuring data sources
Configuring Internet options
Scheduling tasks


What Are Starter GPOs?


Starter GPOs are templates that assist in the creation of GPOs. When creating new GPOs, you can choose to use a starter GPO as the source. This makes it easier and faster to create multiple GPOs with the same baseline configuration.

Available Settings


Starter GPOs can only contain settings from the Administrative Templates node of either the User Configuration section or the Computer Configuration section. The Software Settings and Windows Settings nodes of Group Policy are not available, because these nodes involve interaction of services and are more complex and domain-dependent.

Exporting Starter GPOs


You can export starter GPOs to a Cabinet file (.cab) and then load that .cab file into another environment that is completely independent of the source domain/forest. Exporting a starter GPO allows you to send the .cab file to other administrators, who can then use it in other areas. For example, you may create a GPO that defines Internet Explorer security settings. If you want all sites and domains to employ the same settings, then you could export the starter GPO to a .cab file, and then distribute it.

When to Use Starter GPOs


The most common situation in which you would use a starter GPO is when you want a group of settings for a type of computer role. For example, you may want all corporate laptops to have the same desktop restrictions, or all file servers to have the same baseline Group Policy settings, but enable variations for different departments.

Included Starter GPOs


The GPMC includes a link to create a Starter GPO folder, which contains a number of predefined starter GPOs. These policies provide preconfigured security-oriented settings for enterprise clients (EC) and Specialized Security Limited Functionality (SSLF) clients for both user and computer settings on Windows Vista and Windows XP SP2 operating systems. You can use these policies as starting points when you design security policies.

Delegating Management of GPOs


Administrators can delegate some of the Group Policy administrative tasks to other users. These users do not have to be domain administrators; they can be users that are granted certain rights to GPOs. For example, a user who manages a particular Organizational Unit (OU) could be tasked with performing reporting and analysis duties, while the help desk group is allowed to edit GPOs for that OU. A third group of developers might be put in charge of creating Windows Management Instrumentation (WMI) filters.


The following Group Policy tasks can be delegated independently:
Creating GPOs
Editing GPOs
Managing Group Policy links for a site, domain, or OU
Performing Group Policy modeling analysis
Reading Group Policy results data
Creating WMI filters

The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.

Group Policy Default Permissions


By default, the following users and groups have full access to manage Group Policy:
Domain Admins
Enterprise Admins
Creator Owner
Local System

The Authenticated User group has Read and Apply Group Policy permissions only.

Permissions for Creating GPOs


By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. You can use two methods to grant a group or user this right:
Add the user to the Group Policy Creator Owners group
Explicitly grant the group or user permission to create GPOs by using GPMC

Permissions for Editing GPOs


To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.

Managing GPO Links


The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can manage this permission by using the Delegation tab on the container. You can also delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results


You can delegate the ability to use the reporting tools in the same fashion, either through GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.

Creating WMI Filters


You can delegate the ability to create and manage WMI filters in the same fashion, either through GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.


Demonstration: Creating and Managing GPOs


In this demonstration, you will see how to use the GPMC to create a new GPO. You will also see how you can use the Group Policy Management Editor to edit the GPO settings. Finally, you will see how Windows PowerShell is used to create a GPO.

Demonstration Steps

Create a GPO by using the GPMC


Log on to LON-DC1 as Administrator and create a policy named Prohibit Windows Messenger.

Edit a GPO with the Group Policy Management Editor


1. Edit the policy to prohibit the use of Windows Messenger.
2. Link the Prohibit Windows Messenger GPO to the domain.

Use Windows PowerShell to create a GPO


Use Windows PowerShell to create a GPO named Desktop Lockdown.
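The three demonstration steps can also be scripted end to end. The following PowerShell is an added example (not the course's own demonstration script) that creates the Prohibit Windows Messenger GPO, sets the setting, links it to the domain, and creates the Desktop Lockdown GPO; the domain DN is a placeholder, and the registry key and value behind "Do not allow Windows Messenger to be run" are taken from the Windows Messenger administrative template and are stated here as an assumption.

```powershell
# Added example, not the course's own script. Requires the GroupPolicy module.
Import-Module GroupPolicy

$DomainDn = 'DC=adatum,DC=com'   # constructed placeholder; use your domain's DN

function New-ProhibitMessengerGpo {
    param([string]$Name = 'Prohibit Windows Messenger')

    # Create the GPO only if it does not exist; New-GPO fails on a duplicate name.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Blocks Windows Messenger' }

    # Same effect as enabling Computer Configuration\Policies\Administrative
    # Templates\Windows Components\Windows Messenger\"Do not allow Windows
    # Messenger to be run". Key and value name are an assumption from the ADMX.
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\Software\Policies\Microsoft\Messenger\Client' `
        -ValueName 'PreventRun' -Type DWord -Value 1 | Out-Null

    # Link the GPO to the domain unless a link is already there (re-runnable).
    $existing = (Get-GPInheritance -Target $DomainDn).GpoLinks |
                Where-Object { $_.DisplayName -eq $Name }
    if (-not $existing) {
        New-GPLink -Name $Name -Target $DomainDn -LinkEnabled Yes | Out-Null
    }
    Get-GPO -Name $Name
}

function New-DesktopLockdownGpo {
    param([string]$Name = 'Desktop Lockdown')
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # A desktop lockdown carries user settings only (assumption), so the empty
    # computer side is disabled to shorten processing.
    $gpo.GpoStatus = 'ComputerSettingsDisabled'
    $gpo
}

# Usage, run on a domain controller or a workstation with the GPMC installed:
# New-ProhibitMessengerGpo
# New-DesktopLockdownGpo
```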


Lesson 2

Group Policy Processing


Understanding how Group Policy is applied is the key to being able to develop a Group Policy strategy. This lesson shows you how Group Policy is associated with Active Directory objects, how it is processed, and how to control the application of Group Policy. After creating the GPOs and configuring the settings you want to apply, they must be linked to containers. GPOs are applied in a specific order. This order may determine what settings are applied to objects. There are two default policies that are automatically created. These policies are used to deliver password and security settings for the domain and for domain controllers. The application of policies can also be controlled through security filtering.

Lesson Objectives


After completing this lesson, you will be able to:
Describe a GPO link.
Describe how GPOs are applied to containers and objects.
Describe the Group Policy processing order.
Describe the default GPOs.
Describe GPO security filtering.

GPO Links

Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:
Sites
Domains
OUs

Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.

You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container.

GPOs cannot be linked directly to users, groups or computers. In addition, GPOs cannot be linked to the system containers of AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs linked to the domain level only.


Applying GPOs

Computer configuration settings are applied at startup, and then are refreshed at regular intervals. Any startup scripts are run at computer startup. The default interval is every 90 minutes, but this is configurable. The exception to the set interval is domain controllers, which have their settings refreshed every five minutes. User settings are applied at logon and are refreshed at regular, configurable intervals; the default is also 90 minutes. Any logon scripts are run at logon.

Note: A number of user settings require two logons before the user sees the effect of the GPO. This is because users logging on to the same computer use cached credentials to speed up logons. This means that, although the policy settings are being delivered to the computer, the user is already logged on and thus the settings will not take effect until the next logon. The folder redirection setting is an example of this.

You can change the refresh interval by configuring a Group Policy setting. For computer settings, the refresh interval setting is found in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. For user settings, the refresh interval is found at the corresponding settings under User Configuration. An exception to the refresh interval is security settings. The security settings section of the Group Policy will be refreshed at least every 16 hours, regardless of the interval that you set for the refresh interval.

You can also refresh Group Policy manually. The command line utility Gpupdate refreshes and delivers any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy settings. There is also a new Windows PowerShell Invoke-GPUpdate cmdlet, which performs the same function.

A new feature in Windows Server 2012 is Remote Policy Refresh. This feature allows administrators to use the GPMC to target an OU and force Group Policy refresh on all of its computers and their currently logged-on users. To do this, you right-click any OU, and then click Group Policy Update. The update occurs within 10 minutes.

Group Policy Processing Order


GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order:
Local group policies: Each system running Windows 2000 or newer potentially already has a local Group Policy configured.
Site group policies: Policies that are linked to sites are processed next.
Domain group policies: Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in order of preference.
OU group policies: Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users may have special required settings. You can link a policy to the Sales OU to deliver those settings.
Child OU policies: Any policies that are linked to child OUs are processed last.

Objects in the containers receive the cumulative effect of all policies in their processing order. In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy may restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.

Note: Other methods such as Enforcement and Inheritance Blocking can change the effect of policies on containers.

If multiple policies are applied at the same level, the administrator can assign a preference value to control the order of processing. The default preference order is the order in which the policies were linked. You can also disable the user or computer configuration of a particular GPO. If one section of a policy is known to be empty, then you should disable the empty section to speed up policy processing. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer-side of the policy.
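The processing order and the link controls just described can be inspected and set from PowerShell. The following is an added example (not the course's own script) that lists the GPOs a container inherits in the order the client processes them, and then reproduces the registry-tools scenario above, showing how link order and the Enforced flag change which policy wins; OU and GPO names are constructed placeholders, and both GPOs are assumed to exist and already be linked.

```powershell
# Added example, not the course's own script. Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$Target)   # e.g. 'OU=IT,DC=adatum,DC=com'
    $inheritance = Get-GPInheritance -Target $Target
    # InheritedGpoLinks is sorted by precedence: the first entry wins conflicts,
    # which means it is applied LAST. Reversing it gives the processing order
    # (domain links, then parent OUs, then the target OU). Site-linked GPOs and
    # the local GPO are not in this list; they are processed before everything shown.
    $links = @($inheritance.InheritedGpoLinks)
    [array]::Reverse($links)
    $step = 0
    foreach ($link in $links) {
        $step++
        [pscustomobject]@{
            Step     = $step
            Gpo      = $link.DisplayName
            LinkedAt = $link.Target
            Enforced = $link.Enforced
            Enabled  = $link.Enabled
        }
    }
}

function Set-RegistryToolsScenario {
    # Scenario from the text: a domain-linked GPO restricts registry editing tools
    # and an OU-linked GPO reverses that for the IT OU. Step 1 makes the OU link
    # the highest-precedence link in its container; step 2 enforces the domain
    # link, after which the domain restriction is applied last and wins again.
    param(
        [string]$OuDn      = 'OU=IT,DC=adatum,DC=com',      # placeholder
        [string]$DomainDn  = 'DC=adatum,DC=com',            # placeholder
        [string]$DomainGpo = 'Restrict Registry Tools',     # placeholder, assumed linked at the domain
        [string]$OuGpo     = 'IT Allow Registry Tools'      # placeholder, assumed linked at the OU
    )
    # Within one container, link order 1 has the highest precedence.
    Set-GPLink -Name $OuGpo -Target $OuDn -Order 1 -LinkEnabled Yes | Out-Null
    Write-Host "Before enforcement (last row wins):"
    Get-GpoProcessingOrder -Target $OuDn | Format-Table -AutoSize

    # An enforced link cannot be overridden by links lower in the hierarchy,
    # and it also passes through an OU that has Block Inheritance set.
    Set-GPLink -Name $DomainGpo -Target $DomainDn -Enforced Yes | Out-Null
    Write-Host "After enforcing the domain link:"
    Get-GpoProcessingOrder -Target $OuDn | Format-Table -AutoSize
}
```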

What Are the Default GPOs?


During the installation of the AD DS role, two default GPOs are created: Default Domain Policy, and Default Domain Controllers Policy.

Default Domain Policy


This policy is linked to the domain and affects all security principals in the domain. It contains the password policy settings, the account lockout settings, and Kerberos policy. As a best practice, this policy should not have other settings configured. If you need to configure other settings to apply to the entire domain, then you should create new policies to deliver the settings, and then link the policies to the domain.

Default Domain Controllers Policy


This GPO is linked to the domain controllers OU, and should only affect domain controllers. This policy is designed to provide auditing settings and user rights, and should not be used for other purposes.


GPO Security Filtering


By nature, a GPO applies to all the security principals in the container, and all child containers below the parent. You may wish to change that behavior and have certain GPOs apply only to particular security principals. For example, you may want to exempt certain users in an OU from a restrictive desktop policy. You can accomplish this through security filtering.

Each GPO has an Access Control List (ACL) that defines permissions to that GPO. The default permission is for Authenticated Users to have the Read and Apply Group Policy permission applied. By adjusting the permissions in the ACL, you can control which security principals receive permission to have the GPO settings applied. There are two approaches you might take to do this: deny access to the Group Policy, or limit permissions to Group Policy.

Note: The Authenticated Users group includes all user and computer accounts that have been authenticated to AD DS.

Deny Access to Group Policy


If most security principals in the container should receive the policy settings but some should not, then you can exempt particular security principals by denying them access to the Group Policy. For example, if all the users in the Sales OU should receive a policy except the Sales Managers group, you can exempt that group (or user) by adding that group to the ACL of the GPO, and then setting the permission to Deny.

Limit Permissions to Group Policy


Alternatively, if you have created a GPO that should only be applied to a few security principals in a container, you can remove the Authenticated Users group from the ACL, add the security principals that should receive the GPO settings, and then grant them the Read and Apply Group Policy permissions. For example, you may have a GPO with computer configuration settings that should only apply to laptop computers. You could remove the Authenticated Users group from the ACL, add the computer accounts of the laptops, and then grant them the Read and Apply Group Policy permission.

Note: Never deny access to the Authenticated Users group. If you do, then security principals would never receive the GPO settings.

The ACL of a GPO is accessed in the GPMC by selecting the GPO in the Group Policy Objects folder and then clicking the Delegation > Advanced tab.
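The "limit permissions" approach for the laptop example can be applied and verified with the GroupPolicy module. The following is an added example (not the course's own script); the GPO and group names are constructed placeholders, and it keeps Read for Authenticated Users rather than removing the group, for the reason given in the comments.

```powershell
# Added example, not the course's own script. Requires the GroupPolicy module.
Import-Module GroupPolicy

function Limit-GpoToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,    # placeholder, e.g. 'Laptop Power Options'
        [Parameter(Mandatory)][string]$GroupName   # placeholder group holding the laptop computer accounts
    )
    # Grant the laptop group Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Reduce Authenticated Users from Read+Apply to Read only. Keeping Read
    # (instead of removing the group entirely) matters on clients patched with
    # MS16-072 (2016), which read a GPO in the computer's security context even
    # for user settings; without Read the GPO is silently skipped.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Show the resulting ACL as the GPMC Delegation tab would.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

function Test-GpoApplyFilter {
    # Returns $true when exactly the expected trustees hold Apply Group Policy,
    # a quick drift check that a filtered GPO has not reverted to "everyone".
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$ExpectedTrustees
    )
    $applies = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
    $diff = Compare-Object -ReferenceObject @($ExpectedTrustees) -DifferenceObject @($applies)
    -not $diff
}

# Usage (placeholders):
# Limit-GpoToGroup -GpoName 'Laptop Power Options' -GroupName 'Sales Laptops'
# Test-GpoApplyFilter -GpoName 'Laptop Power Options' -ExpectedTrustees 'Sales Laptops'
```

Set-GPPermission cannot write a Deny entry, so the "deny access" approach for the Sales Managers group is still done in the GPMC on the Delegation > Advanced tab as the text describes.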


Discussion: Identifying Group Policy Application


Scenario

The slide illustrates a portion of the A. Datum Corporation's AD DS structure, which contains the Sales OU with its child OUs and the Servers OU. GPO1 is linked to the Adatum domain container. The GPO configures power options that turn off the monitors and disks after 30 minutes of inactivity, and restricts access to registry editing tools. GPO2 has settings to lock down the desktops of the Sales Users OU, and configure printers for Sales Users. GPO3 configures power options for laptops in the Sales Laptops OU. GPO4 configures a different set of power options to ensure that the servers never go into power save mode.

Some users in the Sales OU have administrative rights on their computers, and have created local policies to specifically grant access to Control Panel.

Question: What power options will the servers in the Servers OU receive?
Question: What power options will the laptops in the Sales Laptops OU receive?
Question: What power options will all other computers in the domain receive?
Question: Will users in the Sales Users OU who have created local policies to grant access to Control Panel be able to access Control Panel?
Question: If you needed to grant access to Control Panel to some users, how would you do it?
Question: Can GPO2 be applied to other department OUs?

Demonstration: Using Group Policy Diagnostic Tools


In this demonstration you will see how to use Gpupdate to refresh Group Policy, display Resultant Set of Policy (RSoP), and output the results to an HTML file. You will also see how to use the Group Policy Modeling Wizard to test policies.

Demonstration Steps

Use Gpupdate to refresh Group Policy, display RSoP, and output the results to an HTML file

1. On LON-DC1, use Gpupdate to refresh the GPOs.
2. Use Gpresult /H to create an HTML file that displays the current GPO settings.
3. Open the HTML report and review the results.

Use the Group Policy Modeling Wizard to test the policy

Use the Group Policy Modeling Wizard to simulate a policy application for users in the Managers OU who log onto any computer.


Lesson 3

Implementing a Central Store for Administrative Templates

In a large organization, there may be many GPOs and multiple administrators managing them. When an administrator edits a GPO, the template files are pulled from the local workstation. The central store provides a single folder in SYSVOL that contains all of the templates required to create and edit GPOs. This lesson discusses the files that make up the templates, and discusses how to create a central store location to provide consistency in the templates that administrators use.

Lesson Objectives


After completing this lesson, you will be able to:
Describe the central store.
Describe administrative templates.
Describe how administrative templates work.
Describe managed and unmanaged policy settings.

What Is the Central Store?


If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to hold the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there may be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed may not be the same as the files that are stored on a Windows Server 2012 domain controller.

The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The local workstation that the administrator is using to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files. In this way, there is a consistent administration experience among multiple workstations.

You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{Domain Name}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).
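The manual provisioning steps above can be scripted, and the consistency problem the Central Store solves can be checked for afterwards. The following is an added example (not the course's own script) that creates the PolicyDefinitions folder in SYSVOL, copies the local templates into it, and then reports any ADMX or ADML file that is missing from the store or differs from the local copy; the domain name is a constructed placeholder.

```powershell
# Added example, not the course's own script. Works with Windows PowerShell 3.0
# (the hash helper avoids Get-FileHash, which arrived in PowerShell 4.0).

function Get-FileSha256 {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }
}

function New-CentralStore {
    param(
        [string]$Domain = 'adatum.com',                       # constructed placeholder
        [string]$Source = "$env:SystemRoot\PolicyDefinitions"
    )
    # Writing through the SYSVOL share lands on a domain controller and replicates
    # from there; on that DC it is the same folder as
    # C:\Windows\SYSVOL\sysvol\<domain>\Policies\PolicyDefinitions.
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }
    # Copies the .admx files and the language subfolders (such as en-US) with the .adml files.
    Copy-Item -Path "$Source\*" -Destination $store -Recurse -Force
    $store
}

function Compare-CentralStore {
    # Lists template files that are missing from the store or differ by hash.
    # Run it after an OS or service pack update on an administration workstation
    # to see which templates would otherwise show up differently in the editor.
    param(
        [Parameter(Mandatory)][string]$Store,
        [string]$Source = "$env:SystemRoot\PolicyDefinitions"
    )
    $localFiles = Get-ChildItem -Path $Source -Recurse -Include *.admx, *.adml
    foreach ($file in $localFiles) {
        $relative = $file.FullName.Substring($Source.Length).TrimStart('\')
        $peer = Join-Path -Path $Store -ChildPath $relative
        if (-not (Test-Path -Path $peer)) {
            [pscustomobject]@{ File = $relative; State = 'MissingInStore' }
        }
        elseif ((Get-FileSha256 -Path $file.FullName) -ne (Get-FileSha256 -Path $peer)) {
            [pscustomobject]@{ File = $relative; State = 'Differs' }
        }
    }
}

# Usage (placeholder domain): $store = New-CentralStore -Domain 'adatum.com'
#                             Compare-CentralStore -Store $store
```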


What Are Administrative Templates?


An administrative template is made up of two XML file types: ADMX and ADML. ADMX files specify the registry setting to change. ADMX files are language-neutral. ADML files generate the user interface to configure the Administrative Templates policy settings in the Group Policy Management Editor. ADML files are language-specific.

ADMX and ADML files are stored in the %SystemRoot%\PolicyDefinitions folder. You can also create your own custom administrative templates in XML format. Administrative templates that control Microsoft Office products (such as Office Word, Office Excel, and Office PowerPoint) are also available from the Microsoft download website.

Administrative Templates have the following characteristics:
• They are organized into subfolders that house configuration options for specific areas of the environment, such as network, system, and Windows components.
• The settings in the computer section edit the HKEY_LOCAL_MACHINE registry hive, and settings in the user section edit the HKEY_CURRENT_USER registry hive.
• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.
• Some settings are available only to certain versions of Windows operating systems, such as several new settings that can be applied only to Windows 7 and newer operating system versions. Double-clicking a setting displays the supported versions for that setting. Any setting that cannot be processed by an older Windows operating system is simply ignored by that system.

ADM Files
Prior to Windows Vista, administrative templates had an .adm (ADM) file extension. ADM files were language-specific, and were difficult to customize. ADM files are stored in SYSVOL as part of the Group Policy template. If an ADM file is used in multiple GPOs, then the file is stored multiple times. This increases the size of SYSVOL, and therefore increases SYSVOL replication traffic between domain controllers.

How Administrative Templates Work


Administrative Templates have settings for almost every aspect of the computing environment. Each setting in the template corresponds to a registry setting that controls an aspect of the computing environment. For example, when you enable the setting that prevents access to Control Panel, this changes the value in the registry key that controls that aspect.


The Administrative Templates node is organized as shown in the following table.

Section: Computer settings
Nodes: Control Panel, Network, Printers, System, Windows Components, All Settings

Section: User settings
Nodes: Control Panel, Desktop, Network, Shared Folders, Start Menu and Taskbar, System, Windows Components, All Settings

Most of those nodes contain multiple subfolders to further organize settings into logical groupings. Even with this organization, finding the setting you need can be a daunting task. To help you locate settings, the All Settings folder allows you to filter the entire list of settings in either the computer or the user section. The following filter options are available:
• Managed or unmanaged
• Configured or not configured
• Commented
• By keyword
• By platform

You can also combine multiple criteria. For example, you could filter to find all the configured settings that apply to Internet Explorer 10 by using the keyword ActiveX.


Managed and Unmanaged Policy Settings


There are two types of policy settings: managed and unmanaged. All policy settings in a GPO's Administrative Templates are managed policies. The Group Policy service controls the managed policy settings and removes a policy setting when it is no longer within scope of the user or computer. The Group Policy service does not control unmanaged policy settings. These policy settings are persistent. The Group Policy service does not remove unmanaged policy settings.

Managed Policy Settings


A managed policy setting has the following characteristics:
• The user interface (UI) is locked, so that a user cannot change the setting. Managed policy settings result in the appropriate UI being disabled. For example, if you configure the desktop wallpaper through a Group Policy setting, then the user will see those settings greyed out in his or her local user interface.
• Changes are made in restricted areas of the registry, to which only administrators have write access. These reserved registry keys are:
  o HKLM\Software\Policies (computer settings)
  o HKCU\Software\Policies (user settings)
  o HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings)
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings)

Changes made by a Group Policy setting and the UI lockout are released if the user or computer falls out of scope of the GPO. For example, if you delete a GPO, managed policy settings that had been applied to a user will be released. This means that, generally, the setting resets to its previous state. Additionally, the UI for the setting is enabled again.

Unmanaged Policy Settings


In contrast, an unmanaged policy setting makes a change that is persistent in the registry. If the GPO no longer applies, the setting remains. This is often called tattooing the registry, in other words, making a permanent change. To reverse the effect of the policy setting, you must deploy a change that reverts the configuration to the desired state. Additionally, an unmanaged policy setting does not lock the UI for that setting. By default, the Group Policy Management Editor hides unmanaged policy settings to discourage you from implementing a configuration that is difficult to revert. Many of the settings that are available in Group Policy preferences are unmanaged settings.
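Both points made in this lesson, that each Administrative Templates setting writes a registry value, and that only values under the four Policies keys are managed while anything else tattoos the registry, can be checked directly against a GPO's registry.pol file in SYSVOL. The PowerShell script below is an added example and is not code from the course: it parses the registry.pol format (a PReg signature and version, then [key;value;type;size;data] records in UTF-16LE), lists the values a GPO writes, and flags any that sit outside the managed keys. The sample file is constructed in memory; the NoControlPanel value is the one that the "Prohibit access to Control Panel" user setting writes, and the Adatum keys are made up for illustration.

```powershell
# Added example, not from the course: parse a GPO's registry.pol and report the
# registry values it writes, flagging entries outside the managed Policies keys.
# Format: 'PReg' signature, version DWORD, then records [key\0;value\0;type;size;data]
# where '[', ';' and ']' are UTF-16LE characters and key/value are UTF-16LE strings.

$Utf16 = [System.Text.Encoding]::Unicode

function New-PolEntry {
    param([string]$Key, [string]$ValueName, [uint32]$Type, [byte[]]$Data)
    $b = New-Object System.Collections.Generic.List[byte]
    $b.AddRange($Utf16.GetBytes('['))
    $b.AddRange($Utf16.GetBytes($Key + "`0"))
    $b.AddRange($Utf16.GetBytes(';'))
    $b.AddRange($Utf16.GetBytes($ValueName + "`0"))
    $b.AddRange($Utf16.GetBytes(';'))
    $b.AddRange([BitConverter]::GetBytes($Type))
    $b.AddRange($Utf16.GetBytes(';'))
    $b.AddRange([BitConverter]::GetBytes([uint32]$Data.Length))
    $b.AddRange($Utf16.GetBytes(';'))
    $b.AddRange($Data)
    $b.AddRange($Utf16.GetBytes(']'))
    return ,$b.ToArray()
}

function Read-PolString {
    param([byte[]]$Bytes, [ref]$Pos)
    $start = $Pos.Value; $i = $start
    while ($Bytes[$i] -ne 0 -or $Bytes[$i + 1] -ne 0) { $i += 2 }   # UTF-16 null terminator
    $Pos.Value = $i + 2
    return $Utf16.GetString($Bytes, $start, $i - $start)
}

function Test-ManagedPolicyKey {
    param([string]$Key)
    # Keys in registry.pol are relative to HKLM (Machine\) or HKCU (User\); managed
    # settings live only under the two Policies roots named in the lesson
    return $Key -match '^Software\\(Policies|Microsoft\\Windows\\CurrentVersion\\Policies)(\\|$)'
}

function Read-RegistryPol {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 8 -or [BitConverter]::ToUInt32($Bytes, 0) -ne 0x67655250) {
        throw 'Not a registry.pol file: PReg signature missing'
    }
    $typeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ' }
    $pos = 8                                                     # skip signature and version
    while ($pos -lt $Bytes.Length) {
        if ($Bytes[$pos] -ne 0x5B) { throw "Malformed record at offset $pos" }
        $pos += 2                                                # '['
        $key  = Read-PolString $Bytes ([ref]$pos); $pos += 2     # ';'
        $name = Read-PolString $Bytes ([ref]$pos); $pos += 2     # ';'
        $type = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD + ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD + ';'
        $data = New-Object byte[] $size
        [Array]::Copy($Bytes, $pos, $data, 0, $size); $pos += $size + 2  # data + ']'
        $value = switch ($type) {
            4               { [BitConverter]::ToUInt32($data, 0); break }
            { $_ -in 1, 2 } { $Utf16.GetString($data).TrimEnd("`0"); break }
            default         { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Type      = $typeNames[$type]
            Data      = $value
            Managed   = Test-ManagedPolicyKey $key
        }
    }
}

# Constructed sample User\registry.pol: two managed values and one that would tattoo
$REG_SZ = 1; $REG_DWORD = 4
$file = New-Object System.Collections.Generic.List[byte]
$file.AddRange([BitConverter]::GetBytes([uint32]0x67655250))    # 'PReg'
$file.AddRange([BitConverter]::GetBytes([uint32]1))             # version 1
# What "Prohibit access to Control Panel" writes (User Configuration)
$file.AddRange((New-PolEntry 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoControlPanel' $REG_DWORD ([BitConverter]::GetBytes([uint32]1))))
# A made-up custom-ADMX setting under Software\Policies (managed)
$file.AddRange((New-PolEntry 'Software\Policies\Adatum\App' 'ServerUrl' $REG_SZ ($Utf16.GetBytes("https://app.adatum.com`0"))))
# A made-up setting outside the Policies keys (unmanaged: it stays after the GPO is gone)
$file.AddRange((New-PolEntry 'Software\Adatum\App' 'LegacyFlag' $REG_DWORD ([BitConverter]::GetBytes([uint32]1))))

Read-RegistryPol $file.ToArray() | Format-Table Key, ValueName, Type, Data, Managed -AutoSize
# Real GPO: Read-RegistryPol ([IO.File]::ReadAllBytes('\\Adatum.com\SYSVOL\Adatum.com\Policies\{GPO-GUID}\User\registry.pol'))
```

Pointing the last line at a real GPO (the GUID placeholder is yours to fill in from Get-GPO) is a quick way to audit what a GPO will actually write before it is linked, and any Managed = False row is a setting that will survive the GPO being unlinked or deleted.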


Lab: Implementing Group Policy


Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. In your role as a member of the server support team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager. Your manager has asked you to create a central store for ADMX files to ensure that everyone can edit GPOs that have been created with customized ADMX files. You also need to create a starter GPO that includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Marketing department and the IT department.

Objectives
After completing this lab, you will be able to:
• Configure a Central Store.
• Create GPOs.

Lab Setup
Estimated time: 40 minutes

Virtual Machines: 20410A-LON-DC1, 20410A-LON-CL1
User Name: Administrator
Password: Pa$$w0rd

Lab Setup Instructions


For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on until directed to do so.


Exercise 1: Configuring a Central Store


Scenario
A. Datum recently implemented a customized ADMX template to configure an application. A colleague obtained the ADMX files from the vendor before creating the Group Policy Object with the configuration settings. The settings were applied to the application as expected. After implementation, you noticed that you are unable to modify the application settings in the Group Policy Object from any location other than the workstation that was originally used by your colleague. To resolve this issue, your manager has asked you to create a Central Store for administrative templates. After you create the Central Store, your colleague will copy the vendor ADMX template from the workstation into the Central Store.

The main tasks for this exercise are as follows:
1. View the location of administrative templates in a Group Policy Object (GPO).
2. Create a central store.
3. Copy administrative templates to the central store.
4. Verify the administrative template location in GPMC.

Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. Start the Group Policy Management Console (GPMC).
3. Open the Default Domain Policy and view the location of the administrative templates.

Task 2: Create a central store


1. Open Windows Explorer and browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.
2. Create a folder named PolicyDefinitions, which will be used for the Central Store.

Task 3: Copy administrative templates to the central store


Copy the contents of the default PolicyDefinitions folder located at C:\Windows\PolicyDefinitions to the new PolicyDefinitions folder located at C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.

Task 4: Verify the administrative template location in GPMC


Verify that the Group Policy Object Editor is using the ADMX files from the central PolicyDefinitions folder, by viewing the location information text of the Administrative templates folder.
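The Central Store described in the lesson and provisioned in Tasks 2 to 4 above can also be created and checked from a PowerShell prompt on LON-DC1. The script below is an added example and is not part of the course lab; the domain name Adatum.com is the lab's, and the function names are assumed. It copies the local PolicyDefinitions folder into SYSVOL, including the language subfolders that hold the ADML files, then reports any file that did not make it into the store and which identities can write to it.

```powershell
# Added example, not part of the course lab: create and provision the Central Store
# on a domain controller, then verify it. Domain name is taken from the lab.
$Domain       = 'Adatum.com'
$Source       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain\Policies\PolicyDefinitions"

function Initialize-CentralStore {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    # Copies the *.admx files and every language subfolder (en-US, ...) with its *.adml files
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Test-CentralStore {
    param([string]$Source, [string]$Destination)
    # Every local ADMX/ADML needs a counterpart in SYSVOL; a missing ADML makes the
    # editor fail to load the matching ADMX on every workstation that uses the store
    $missing = Get-ChildItem -Path $Source -Recurse -Include *.admx, *.adml |
        Where-Object {
            $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
            -not (Test-Path (Join-Path $Destination $relative))
        }
    # ADMX files decide which registry values the editor writes, so the list of
    # identities allowed to modify the store should be short
    $writers = (Get-Acl $Destination).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object -ExpandProperty IdentityReference
    [pscustomobject]@{
        Path         = $Destination
        AdmxCount    = @(Get-ChildItem $Destination -Filter *.admx).Count
        AdmlCount    = @(Get-ChildItem $Destination -Recurse -Filter *.adml).Count
        MissingFiles = @($missing | ForEach-Object { $_.FullName })
        WriteAccess  = @($writers | ForEach-Object { $_.Value })
    }
}

Initialize-CentralStore -Source $Source -Destination $CentralStore
Test-CentralStore -Source $Source -Destination $CentralStore | Format-List
```

After the script runs, Task 4 is the confirmation: open any GPO in GPMC and the Administrative Templates node should read "Policy definitions (ADMX files) retrieved from the central store." Copy the templates from the newest operating system in the environment, and repeat the copy whenever a new ADMX (such as the vendor template in this scenario) is added, because the editor reads only the store once it exists.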

Results: After completing this exercise, you will have configured a Central Store.

Exercise 2: Creating GPOs


Scenario
After a recent meeting of the IT Policy committee, management has decided that A. Datum will use Group Policy to restrict access to the General page of Internet Explorer for users. Your manager has asked you to create a starter GPO that can be used for all departments with default restriction settings for Internet Explorer. You then need to create the GPOs that will deliver the settings for members of all departments except for the IT department.


The main tasks for this exercise are as follows:
1. Create a Windows Internet Explorer Restriction default starter GPO.
2. Configure the Internet Explorer Restriction starter GPO.
3. Create a domain Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO.
4. Test application of the GPO for domain users.
5. Use security filtering to exempt the IT department from the Internet Explorer Restrictions policy.
6. Test the GPO application for IT department users.
7. Test application of the GPO for other domain users.
8. To prepare for the next module.

Task 1: Create a Windows Internet Explorer Restriction default starter GPO


1. Open the GPMC and create a starter GPO named Internet Explorer Restrictions.
2. Type a comment that states: This GPO disables the General page in Internet Options.

Task 2: Configure the Internet Explorer Restriction starter GPO


Configure the starter GPO named Internet Explorer Restrictions to disable the General page of Internet Options.

Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet Explorer Restrictions starter GPO
Create a new GPO named IE Restrictions that is based on the Internet Explorer Restrictions starter GPO, and link it to the Adatum.com domain.

Task 4: Test Application of the GPO for Domain Users


1. Log on to LON-CL1 as Adatum\Brad, with a password of Pa$$w0rd.
2. Open the Control Panel.
3. Attempt to change your homepage.
4. Open Internet Options to verify that the General tab has been restricted.
5. Sign out of LON-CL1.

Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy
On LON-DC1, open Group Policy Management, and configure security filtering on the IE Restrictions policy to deny access to the IT department.

Task 6: Test the GPO application for IT Department Users


1. Log on to LON-CL1 as Brad, with a password of Pa$$w0rd.
2. Open the Control Panel. Attempt to change your homepage.
3. Verify that the Internet Properties dialog opens to the General page, and all settings are available.
4. Sign out of LON-CL1.


Task 7: Test Application of the GPO for other domain users


1. Log on to LON-CL1 as Boris, with a password of Pa$$w0rd.
2. Open the Control Panel.
3. Attempt to change your homepage.
4. Open Internet Options to verify that the General tab has been restricted.
5. Sign out of LON-CL1.

Results: After completing this lab, you will have created a GPO.
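The exercise above can also be carried out from a PowerShell prompt on LON-DC1 with the GroupPolicy and ActiveDirectory modules. The script below is an added example and is not part of the course lab: the group name IT is assumed, the domain is the lab's Adatum.com, and the registry value is the one that the Internet Explorer "Disable the General page" setting writes. Because no cmdlet edits a starter GPO's settings, the setting is written to the domain GPO created from it, which is what the users in Tasks 4 and 7 see.

```powershell
# Added example, not part of the course lab: Exercise 2 from PowerShell on LON-DC1.
# Assumptions: the IT department has a group named 'IT'; domain is Adatum.com.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'Adatum.com'
$ItGroup  = 'IT'
$domainDn = (Get-ADDomain $Domain).DistinguishedName

# Task 1: starter GPO with the comment from the lab
$starter = New-GPStarterGPO -Name 'Internet Explorer Restrictions' `
    -Comment 'This GPO disables the General page in Internet Options'

# Task 3: domain GPO created from the starter GPO and linked to the domain
$gpo = New-GPO -Name 'IE Restrictions' -StarterGpoName $starter.DisplayName
$gpo | New-GPLink -Target $domainDn -LinkEnabled Yes | Out-Null

# Task 2: no cmdlet edits a starter GPO's settings, so the value that the
# "Disable the General page" setting writes is set on the domain GPO instead.
# It lands under HKCU\Software\Policies, so it is a managed setting.
$ieKey = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ieKey -ValueName 'GeneralTab' `
    -Type DWord -Value 1 | Out-Null

# Task 5: security filtering. Set-GPPermission cannot write Deny entries, so add a
# Deny ACE for the "Apply Group Policy" extended right on the GPO's AD object.
$applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl  = Get-Acl -Path $gpoPath
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $ItGroup).SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# Before Tasks 4, 6 and 7: confirm the setting and the filter from LON-DC1
Get-GPRegistryValue -Name $gpo.DisplayName -Key $ieKey | Format-Table ValueName, Type, Value
Get-GPPermission -Name $gpo.DisplayName -All | Format-Table Trustee, Permission, Denied -AutoSize
```

Tasks 4, 6 and 7 still need the interactive logons on LON-CL1 (run gpupdate /force there first). A Deny on Apply Group Policy leaves Read in place, which matters: since the MS16-072 update of June 2016, a client reads user GPOs in the computer's security context, so removing Read from Authenticated Users or Domain Computers stops the GPO applying to everyone, not only the group you meant to exempt. The best-practices list at the end of this module also warns that security filtering makes troubleshooting harder, so record the exemption in the GPO comment.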

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1.


Module Review and Takeaways


Review Questions
Question: What are some of the advantages and disadvantages of using site-level GPOs?

Question: You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the desired users receive the mappings. You want to move away from using scripts. What is the best way to map network drives without using scripts for selected users?

Best Practices
The following are recommended best practices:
• Do not use the Default Domain and Default Domain Controllers policies for other uses. Instead, create new policies.
• Limit the use of security filtering and other mechanisms that make diagnostics more complex.
• Disable the User or Computer sections of policies if they have no settings configured.
• If you have multiple administration workstations, create a Central Store.
• Add comments to your GPOs to explain what the policies are doing.
• Design your OU structure to support Group Policy application.

Common Issues and Troubleshooting Tips


Common Issue: A user is experiencing abnormal behavior on their workstation.
Troubleshooting Tip:

Common Issue: All users in a particular OU are having issues, and the OU has multiple GPOs applied.
Troubleshooting Tip:

Tools
Tool: Group Policy Management Console (GPMC)
Use: Controls all aspects of Group Policy
Where to find it: In Server Manager, on the Tools menu

Tool: Group Policy Object Editor
Use: Use to configure settings in GPOs
Where to find it: Accessed by editing any GPO

Tool: Resultant Set of Policy (RSoP)
Use: Use to determine what settings are applying to a user or computer
Where to find it: In the GPMC

Tool: Group Policy Modeling Wizard
Use: Use to test what would occur if settings were applied to users or computers, prior to actually applying the settings
Where to find it: In the GPMC

Tool: Local Group Policy Editor
Use: Use to configure Group Policy settings that apply only to the local computer
Where to find it: Accessed by creating a new Microsoft Management Console (MMC) on the local computer, and adding the Group Policy Object Editor snap-in


Module 12
Securing Windows Servers Using Group Policy Objects
Contents:
Module Overview 12-1
Lesson 1: Windows Security Overview 12-2
Lesson 2: Configuring Security Settings 12-6
Lab A: Increasing Security for Server Resources 12-15
Lesson 3: Restricting Software 12-21
Lesson 4: Configuring Windows Firewall with Advanced Security 12-25
Lab B: Configuring AppLocker and Windows Firewall 12-29
Module Review and Takeaways 12-36

Module Overview
Protecting IT infrastructure has always been a priority for organizations. Many security risks threaten companies and their critical data. Failure to have adequate security policies can lead to data loss, server unavailability, and companies losing credibility. To protect against security threats, companies must have well-designed security policies that include many components, from organizational to IT-related. Security policies must be evaluated on a regular basis, because as security threats evolve, IT security must evolve with them. Before you start designing security policies to help protect your organization's data, services, and IT infrastructure, you must learn how to identify security threats, how to plan your strategy to mitigate security threats, and how to secure your Windows Server 2012 infrastructure.

Objectives
After completing this module, you will be able to:
• Describe Windows security.
• Configure security settings by using Group Policy.
• Restrict unauthorized software from running on servers and clients.
• Configure Windows Firewall with Advanced Security.


Lesson 1

Windows Security Overview


As organizations expand the availability of their network data, applications, and systems, ensuring network infrastructure security becomes more challenging. Security technologies in the Windows Server 2012 operating system enable organizations to provide better protection for their network resources and organizational assets in increasingly complex environments and business scenarios. This lesson reviews the tools and concepts that are available for implementing security within a Windows 8 and Windows Server 2012 infrastructure.

Windows Server 2012 includes numerous features that provide different methods for implementing security. These features combine to form the core of Windows Server 2012's security functionality. Understanding these features and their associated concepts, as well as being familiar with their basic implementation, is critical to maintaining a secure environment.

Lesson Objectives


After this lesson, you will be able to:
• Describe security risks for Windows Server 2012, and the costs associated with them.
• Describe how the defense-in-depth model addresses security.
• Describe best practices for increasing Windows Server 2012 security.

Discussion: Identifying Security Risks and Costs


The first step in defending your systems is identifying the potential security risks and their associated costs. Once you do that, you can make intelligent decisions about how to allocate resources to mitigate those risks. Review the question on the slide and participate in the discussion to identify some of the risks and associated costs to Windows-based networks.

Applying Defense-In-Depth to Increase Security


You can mitigate risks to your organization's computer network by providing security at various infrastructure layers. The term defense-in-depth is often used to describe the use of multiple security technologies at different points throughout your organization. Defense-in-depth technologies include layers of security that extend from user policies all the way down to the application and the data itself.


Policies, Procedures, and Awareness


Security policy measures need to operate within the context of organizational policies regarding security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down and stick them to their computer screens, so users must be taught how to protect their passwords. Another example of a security best practice is ensuring that users do not leave their desktop computer without first locking the desktop or logging off from the computer. When establishing a security foundation for your organization's network, it is a good idea to start by establishing appropriate policies and procedures and making users aware of them. Then you may progress to the other aspects of the defense-in-depth model.

Physical Security
If any unauthorized person can gain physical access to a computer on your network, then most other security measures are not useful. You must ensure that computers containing the most sensitive data, such as servers, are physically secure, and that access is granted to authorized personnel only.

Perimeter
These days, no organization is an isolated enterprise. Organizations operate within the Internet, and many organization network resources are available from the Internet. This might include building a website to describe your organization's services, or making internal services such as web conferencing and email accessible externally, so that users can work from home or from branch offices. Perimeter networks mark the boundary between public and private networks. Providing reverse proxy servers in the perimeter network enables you to provide more secure corporate services across the public network. Many organizations implement so-called network access quarantine control, where computers that connect to the corporate network are checked against different security criteria, such as whether the computer has the latest security updates, antivirus updates, and other company-recommended security settings. If these conditions are met, the computer is allowed to connect to the corporate network. If not, the computer is placed in an isolated network, called quarantine, with no access to corporate resources. Once the computer has its security settings remediated, it is removed from the quarantine network and is allowed to connect to corporate resources.

Note: A reverse proxy, such as Microsoft Forefront Threat Management Gateway 2010, enables you to publish services, such as email or web services, from the corporate intranet without placing the email or web servers in the perimeter, or exposing them directly to external users. Microsoft Forefront Threat Management Gateway acts as both a reverse proxy and a firewall solution.

Networks
Once you connect computers to a network, either internal or public, they are susceptible to a number of threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when communication takes place over public networks by employees who are working from home, or from remote offices. You should deploy a firewall solution, such as Microsoft Forefront Threat Management Gateway 2010, to protect from different types of network threats.

Host
The next layer of defense is the host computer itself. You must keep computers secure with the latest security updates. You also have to configure security policies, such as password complexity, configure the host firewall, and install antivirus software. The steps above make up a process that is called security hardening.


Application
Applications are only as secure as your latest security update. You should consistently use the Windows Update feature in Windows operating systems to keep your applications up to date. Moreover, applications must be tested by IT security administrators for any security vulnerabilities that might allow an external attacker to compromise the applications or other network components. The steps above make up a process that is called application hardening.

Data
The final layer of security is data security. To help ensure the protection of your network, ensure the proper use of file permissions by using access control lists (ACLs), implement encryption of confidential data with Encrypting File System (EFS), and perform backups of data regularly.

Additional Reading: For the latest Microsoft security bulletin and advisory information, see http://technet.microsoft.com/en-us/security/default.aspx.

Additional Reading: For more information about common types of network attacks, see http://technet.microsoft.com/en-us/library/cc959354.aspx.

Question: How many layers of the defense-in-depth model should you implement in your organization?

Best Practices for Increasing Security


Consider the following best practices for increasing security:
• Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.
• Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also limits the ability of users to accidentally delete data or modify critical operating system settings.
• Restrict console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control are enabled.
• Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.


Additional Reading: For more information about best practices for enterprise security, see http://technet.microsoft.com/en-us/library/cc750076.aspx.


Lesson 2

Configuring Security Settings


Once you have learned about security threats and risks, and about best practices for increasing security, you can start configuring security for your Windows 8 and Windows Server 2012 environment. In this lesson, you will learn how to configure security settings. To apply those security settings to multiple users and computers in your organization, you will use Group Policy. For example, you can use Group Policy to configure password policy settings and then deploy them to multiple users.

Group Policy has a large security component that you can use to configure security for both users and computers. You can apply security consistently across the organization in Active Directory Domain Services (AD DS) by defining security settings in a Group Policy Object (GPO) that is associated with a site, domain, or organizational unit (OU).

Lesson Objectives


After completing this lesson, you will be able to:
• Describe how to configure security templates.
• Describe what user rights are and how to configure them.
• Describe how to configure Security Options.
• Describe how to configure User Account Control.
• Describe how to configure auditing.
• Describe how to configure Restricted Groups.
• Describe how to configure account policy settings.

Configuring Security Templates


Security templates are files that you can use to manage and configure security settings on Windows-based computers. Depending on the various categories of security settings, security templates are divided into logical sections. You can configure each of the following sections according to a company's needs and requests:
• Account policies: password policy, account lockout policy, and Kerberos policy
• Local policies: audit policy, user rights assignment, and security options
• Event log: application, system, and security event log settings
• Restricted groups: membership of groups that have special rights and permissions
• System services: startup and permissions for system services
• Registry: permissions for registry keys
• File system: permissions for folders and files


When you configure a security template, you can use it to configure a single computer or to configure multiple computers on the network. The following are a few ways that you can configure and distribute security templates:
• The secedit.exe command-line tool
• The Security Templates snap-in
• The Security Configuration and Analysis snap-in
• Group Policy
• Security Compliance Manager

Configuring User Rights


User rights assignment refers to the ability to perform actions on the operating system. Each computer has its own set of user rights, such as the right to change the system time. Most rights are granted either to the Local System account or to the Administrators group. There are two types of user rights:
• Privileges define access to computer and domain resources. For example, the right to back up files and directories.
• Logon rights define who is authorized to log on to a computer, and how they can log on. For example, logon rights may define the right to log on to a system locally.

You can configure rights through Group Policy. The Default Domain Policy has no rights defined by default. You can configure settings for user rights by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment from the Group Policy Management Console (GPMC).

Some examples of commonly used user rights (and the policies configured by them) are:
• Add workstations to domain. Determines which users or groups can add workstations to the domain.
• Allow log on locally. Determines which users can log on at the computer.
• Allow log on through Remote Desktop Services. Determines which users or groups have permission to log on as a Remote Desktop Services client.
• Back up files and directories. Determines which users have permission to back up files and folders on a computer.
• Change the system time. Determines which users or groups have the right to change the time and date on the internal clock of the computer.
• Force shutdown from a remote system. Determines which users are allowed to shut down a computer from a remote location on the network.
• Shut down the system. Determines which of the users who are logged on locally to a computer are allowed to shut down the computer.
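The secedit.exe tool listed under security templates, and the user rights described here, come together when you want to verify what a server actually grants. The PowerShell script below is an added example and is not code from the course: it exports the effective local policy with secedit.exe, parses the [Privilege Rights] section of the INF (where secedit writes each right as a comma-separated list of SIDs prefixed with *), resolves the SIDs to names, and compares two logon rights against a baseline you define. The baseline and the sample INF are constructed; the function names are assumed.

```powershell
# Added example, not from the course: export and check local user rights assignments.
# secedit.exe /export writes an INF whose [Privilege Rights] section lists each right
# as  SeRightName = *SID,*SID  (or account names without the '*').

function ConvertFrom-PrivilegeRights {
    param([string[]]$InfLines)
    # Returns a hashtable: privilege name -> array of account names
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $accounts = foreach ($token in ($Matches[2] -split ',')) {
                $t = $token.Trim()
                if ($t.StartsWith('*')) {
                    # '*' marks a SID; resolve it to DOMAIN\Name where the system can
                    try   { (New-Object System.Security.Principal.SecurityIdentifier($t.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $t.Substring(1) }
                } elseif ($t) { $t }
            }
            $rights[$name] = @($accounts)
        }
    }
    return $rights
}

function Export-LocalUserRights {
    # Live export from this computer (run from an elevated prompt)
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf            # secedit writes UTF-16 with a BOM; Get-Content detects it
    Remove-Item $inf
    return ConvertFrom-PrivilegeRights $lines
}

function Compare-UserRights {
    param([hashtable]$Actual, [hashtable]$Baseline)
    # Reports every account that holds a baseline right without being listed for it
    foreach ($right in $Baseline.Keys) {
        foreach ($account in @($Actual[$right])) {
            if ($Baseline[$right] -notcontains $account) {
                [pscustomobject]@{ Right = $right; Account = $account; Status = 'NOT IN BASELINE' }
            }
        }
    }
}

# Baseline (assumed): only Administrators may use Remote Desktop; local logon is
# limited to Administrators and Backup Operators
$baseline = @{
    SeRemoteInteractiveLogonRight = @('BUILTIN\Administrators')
    SeInteractiveLogonRight       = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
}

# Constructed INF in the layout secedit produces. S-1-5-32-544 = Administrators,
# S-1-5-32-551 = Backup Operators, S-1-5-32-555 = Remote Desktop Users
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Compare-UserRights -Actual (ConvertFrom-PrivilegeRights $sampleInf) -Baseline $baseline
# Reports BUILTIN\Remote Desktop Users for SeRemoteInteractiveLogonRight.
# On a real server: Compare-UserRights -Actual (Export-LocalUserRights) -Baseline $baseline
```

The same INF layout is what secedit consumes in the other direction: secedit /configure /db C:\Windows\security\database\baseline.sdb /cfg baseline.inf /areas USER_RIGHTS applies a [Privilege Rights] section to the local computer, which is how a template is pushed to a server that is not domain-joined. On domain members, put the rights in a GPO instead, because local changes are overwritten at the next policy refresh.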


Configuring Security Options


You can use Group Policy to configure security options. The computer security settings that you can configure in security options include the following:
• Administrator and Guest account names
• Access to disk and CD/DVD drives
• Digital data signatures
• Driver installation behavior
• Logon prompts
• User Account Control

You can also configure settings for security options by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options from the GPMC. The following are examples of commonly used security options:

- Interactive logon: Do not display last user name. Determines whether the name of the last user to log on to the computer displays in the Windows logon window.
- Accounts: Rename administrator account. Determines whether a different account name is associated with the security identifier (SID) for the account Administrator.
- Devices: Restrict CD-ROM access to locally logged-on user only. Determines whether a CD-ROM is accessible to both local and remote users simultaneously.

Configuring User Account Control


Administrative accounts carry with them a higher degree of security risk. When an administrative account is logged on, its privileges allow access to the entire Windows operating system, including the registry, system files, and configuration settings. As long as an administrative account is logged on, the system is vulnerable to attack and has the potential to be compromised.

User Account Control (UAC) is a security feature that helps prevent unauthorized changes to a computer by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users. By default, both standard users and administrators access resources and run applications in the security context of a standard user. The UAC prompt provides a way for a user to elevate his or her status from a standard user account to an administrator account without logging off, switching users, or using Run As. UAC creates a more secure environment in which to run and install applications.

When an application requires administrator-level permission, UAC notifies the user as follows:

- If the user is an administrator, the user confirms to elevate his or her permission level and continue. This process of requesting approval is known as Admin Approval Mode.
- If the user is not an administrator, then a user name and password for an account that has administrative permissions must be entered. Providing administrative credentials temporarily gives the user administrative privileges, but only to complete the current task. After the task is complete, permissions change back to those of a standard user.

Note: In Windows Server 2012, the built-in Administrator account does not run in Admin Approval Mode. The result is that no UAC prompts display when using the local Administrator account.

When using this process of notification and elevation to administrator account privileges, changes cannot be made to the computer without the user knowing. This can help prevent malicious software (malware) and spyware from being installed on or making changes to a computer.

UAC allows the following system-level changes to occur without prompting, even when a user is logged on as a local user:

- Install updates from Windows Update
- Install drivers from Windows Update or those that are packaged with the operating system
- View Windows operating system settings
- Pair Bluetooth devices with the computer
- Reset the network adapter, and perform other network diagnostic and repair tasks

Modifying UAC Behavior


You can modify the UAC notification experience to adjust the frequency and behavior of UAC prompts. To modify UAC behavior on a single computer, access the Windows Server 2012 Control Panel in System and Security. You can also configure UAC settings from the GPMC by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. The following are examples of some GPO settings that you can configure for UAC:

- User Account Control: Run all administrators in Admin Approval Mode. Controls the behavior of all UAC policy settings for the computer. If this setting is disabled, UAC will not run on this computer.
- User Account Control: Admin Approval Mode for the Built-in Administrator account. When you enable this setting, the built-in Administrator account uses Admin Approval Mode.
- User Account Control: Detect application installations and prompt for elevation. This setting controls the behavior of application installation detection for the computer.
- User Account Control: Only elevate executables that are signed and validated. When you enable this setting, a public key infrastructure (PKI) check is performed on the executable file to verify that it originates from a trusted source. If the file is verified, then the file is permitted to run.

Note: By default, UAC is not configured or enabled in Server Core installations of Windows Server 2012.
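The four GPO settings listed above each write a DWORD value under one registry key. The following added example (not part of the course material) reads those values so you can confirm what a policy actually applied, for instance after Lab Exercise 1, Task 7. The mapping of policy names to value names is standard Windows behaviour and is an assumption added here; the course text does not list the registry values.

```powershell
# Added example, not part of the 20410A course material: report the state of the
# UAC policy settings named in this topic by reading the registry values behind
# them. Run from an elevated PowerShell session on the server being checked.
# Assumption: the policy-name-to-value mapping below is standard Windows behaviour.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each GPO setting from the topic and the DWORD value it sets (1 = enabled).
$uacSettings = @(
    @{ Policy = 'User Account Control: Run all administrators in Admin Approval Mode'
       Value  = 'EnableLUA' }
    @{ Policy = 'User Account Control: Admin Approval Mode for the Built-in Administrator account'
       Value  = 'FilterAdministratorToken' }
    @{ Policy = 'User Account Control: Detect application installations and prompt for elevation'
       Value  = 'EnableInstallerDetection' }
    @{ Policy = 'User Account Control: Only elevate executables that are signed and validated'
       Value  = 'ValidateAdminCodeSignatures' }
)

function Get-UacPolicyState {
    param([string]$Key = $uacKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($s in $uacSettings) {
        $prop = $props.PSObject.Properties[$s.Value]
        # A missing value means the policy is Not Defined and the OS default applies;
        # for the built-in Administrator account that default is Admin Approval Mode off,
        # matching the Note in this topic.
        $state = 'Not set'
        if ($null -ne $prop) {
            $state = if ($prop.Value -eq 1) { 'Enabled' } else { 'Disabled' }
        }
        [pscustomobject]@{
            Policy        = $s.Policy
            RegistryValue = $s.Value
            State         = $state
        }
    }
}

# After Lab Exercise 1, Task 7 and a gpupdate /force on a member server,
# FilterAdministratorToken should report Enabled.
Get-UacPolicyState | Format-Table -AutoSize
```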

Configuring Auditing

Typically, one of the components of an organization's security strategy is recording user activities and behavior, such as successful or unsuccessful attempts to access business-critical data that is stored in different folders, or successful or unsuccessful logon attempts on different servers. Recording these security-related events is called security auditing. Security auditing produces security event logs that administrators can view in the Security event log in Event Viewer.

After configuring auditing, information in security event logs can help your organization audit its compliance with important business-related and security-related requirements by tracking precisely defined activities such as:

- A group administrator who has modified settings or data on servers that contain finance information.
- An employee within a defined group who has accessed an important folder containing data from different departments.
- A user who is trying to log on to his or her account repeatedly without success from an internal company computer. You might find that the employee who owns that user account was on vacation that week, which means some other employee was trying to log on with a different user account.

You can configure security auditing settings from the GPMC by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. The following are examples of some GPO settings that you can configure for auditing:

- Audit account logon events. Determines whether the operating system audits each time the computer validates an account's credentials.
- Audit account management. Determines whether to audit each event of account management, such as creating, changing, renaming, or deleting a user account, changing a password, or enabling or disabling a user account.
- Audit object access. Determines whether the operating system audits access to non-Active Directory objects, such as folders or files. Before configuring audit settings with Group Policy, you must configure system access control lists (SACLs) on folders or files to allow auditing for a specific type of action, such as write, read, or modify.
- Audit system events. Determines whether the operating system audits system-related events, such as attempting to change the system time, attempting a system startup or shutdown, or the security log size exceeding a configurable threshold warning.

Additional Reading: For more information about security auditing, see http://technet.microsoft.com/en-us/library/hh849638.aspx.

Configuring Restricted Groups


In some cases, you may want to control the membership of certain groups in a domain, such as the local Administrators group, to prevent the addition of other user accounts to those groups. You can use the Restricted Groups policy to control group membership by specifying what members are placed in a group. If you define a Restricted Groups policy and then refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed, including default members such as domain administrators.

Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups such as Enterprise Admins and Schema Admins. You can also use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.

You cannot specify local users in a domain GPO. Local users who currently are in the local group that the Restricted Groups policy controls will be removed. The only exception to this is that the local Administrator account is always in the local Administrators group.

You can configure the settings for Restricted Groups from the GPMC by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

Configuring Account Policy Settings


Account policies protect your organization's accounts and data by mitigating the threat of account password brute force attacks. Securing your network environment requires that all users utilize strong passwords. Password policy settings control the complexity and lifetime of user passwords. You can configure password policy settings through Group Policy.

Implementing Account Policies


The policy settings under Account Policies are implemented at the domain level. A Windows Server 2012 domain can have multiple password and account lockout policies, which are called fine-grained password policies. You can apply these multiple policies to a user or to a global security group in a domain, but not to an organizational unit (OU).

Note: If you need to apply a fine-grained password policy to users of an OU, you can use a shadow group, which is a global security group that is logically mapped to an OU.

You can configure Account policy settings by accessing from the GPMC: Computer Configuration \Policies\Windows Settings\Security Settings\Account Policies.

Account Policies Components


Account policy components include password policies, account lockout policies, and Kerberos policy.

Password Policy
Password policies that you can configure are listed in the following table.

Policy: Password must meet complexity requirements
Function: Requires passwords to:
- Be at least six characters long.
- Contain a combination of at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks).
- Not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to decrypt than those containing simple letters or numbers.

Policy: Enforce password history
Function: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered. A greater number ensures better security. The default value is 24.
Best practice: Enforcing password history ensures that passwords that have been compromised are not used repeatedly.

Policy: Maximum password age
Function: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
Best practice: By default it is 42 days; it is recommended that you set it at 90 days. Setting the number of days too high provides hackers with an extended window of opportunity to determine the password. Setting the number of days too low frustrates users who have to change their passwords too frequently, and could result in more frequent calls to the IT help desk.

Policy: Minimum password age
Function: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing the original password on the same day.

Policy: Minimum password length
Function: Specifies the fewest number of characters that a password can have.
Best practice: Set the length to between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or a common phrase.

Policy: Store passwords by using reversible encryption
Function: Provides support for applications that require knowledge of a user password for authentication purposes.
Best practice: Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.

Account Lockout Policy


Account lockout policies that you can configure are listed in the following table.

Policy: Account lockout threshold
Function: Specifies the number of failed login attempts that are allowed before the account is locked. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect login information three times.
Best practice: A setting of 50 allows for reasonable user error, and limits repeated login attempts for malicious purposes.

Policy: Account lockout duration
Function: Allows you to specify a timeframe, in minutes, after which the account automatically unlocks and resumes normal operation. If you specify 0, then the account will be locked indefinitely until an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. A duration of 30 to 90 minutes should work well in most situations. Using a timeframe between 30 and 60 minutes is usually sufficient to deter automated attacks and manual attempts by an attacker to guess a password.

Policy: Reset account lockout counter after
Function: Defines a timeframe for counting the incorrect login attempts. If the policy is set for one hour, and the account lockout threshold is set for three attempts, a user can enter the incorrect login information three times within one hour. If they enter incorrect information twice, but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
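The best-practice values in the two tables above can be turned into an automated check. The following added example (not part of the course material) does that for the object that Get-ADDefaultDomainPasswordPolicy returns from the ActiveDirectory module; the $samplePolicy object is constructed here, with values resembling the Windows Server 2012 default domain policy, so the function can be run offline.

```powershell
# Added example, not part of the 20410A course material: compare a domain password
# and account lockout policy with the best-practice values given in the tables.
# Pipe in Get-ADDefaultDomainPasswordPolicy (or Get-ADFineGrainedPasswordPolicy
# -Filter *) on a domain controller; $samplePolicy below is a constructed object.

function Test-AccountPolicyBaseline {
    param([Parameter(Mandatory, ValueFromPipeline)]$Policy)
    process {
        # AD reports ages and durations as TimeSpan; "never expires" is TimeSpan.MaxValue
        # and therefore fails the 1-90 day range on purpose.
        $maxAgeDays  = $Policy.MaxPasswordAge.TotalDays
        $minAgeDays  = $Policy.MinPasswordAge.TotalDays
        $lockMinutes = $Policy.LockoutDuration.TotalMinutes
        $resetMin    = $Policy.LockoutObservationWindow.TotalMinutes

        $rows = @(
            @{ Setting = 'Password must meet complexity requirements'
               Actual = $Policy.ComplexityEnabled;           Target = 'Enabled'
               Pass   = $Policy.ComplexityEnabled -eq $true }
            @{ Setting = 'Enforce password history'
               Actual = $Policy.PasswordHistoryCount;         Target = '24 (default) or more'
               Pass   = $Policy.PasswordHistoryCount -ge 24 }
            @{ Setting = 'Maximum password age (days)'
               Actual = $maxAgeDays;                          Target = '1 to 90'
               Pass   = ($maxAgeDays -ge 1) -and ($maxAgeDays -le 90) }
            @{ Setting = 'Minimum password age (days)'
               Actual = $minAgeDays;                          Target = 'at least 1'
               Pass   = $minAgeDays -ge 1 }
            @{ Setting = 'Minimum password length'
               Actual = $Policy.MinPasswordLength;            Target = '8 to 12 (longer is acceptable)'
               Pass   = $Policy.MinPasswordLength -ge 8 }
            @{ Setting = 'Store passwords by using reversible encryption'
               Actual = $Policy.ReversibleEncryptionEnabled; Target = 'Disabled'
               Pass   = -not $Policy.ReversibleEncryptionEnabled }
            @{ Setting = 'Account lockout threshold'
               Actual = $Policy.LockoutThreshold;             Target = '1 to 50 (0 disables lockout)'
               Pass   = ($Policy.LockoutThreshold -ge 1) -and ($Policy.LockoutThreshold -le 50) }
            @{ Setting = 'Account lockout duration (minutes)'
               Actual = $lockMinutes;                         Target = '30 to 90 (0 = until an admin unlocks)'
               Pass   = ($lockMinutes -ge 30) -and ($lockMinutes -le 90) }
            @{ Setting = 'Reset account lockout counter after (minutes)'
               Actual = $resetMin;                            Target = 'no longer than the lockout duration'
               Pass   = $resetMin -le $lockMinutes }
        )
        # Hashtables are unordered, so fix the column order explicitly.
        foreach ($r in $rows) { [pscustomobject]$r | Select-Object Setting, Actual, Target, Pass }
    }
}

# Constructed sample resembling the Windows Server 2012 default domain policy:
# two checks (length 7, lockout threshold 0) are expected to fail.
$samplePolicy = [pscustomobject]@{
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 7
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}
$samplePolicy | Test-AccountPolicyBaseline | Format-Table -AutoSize

# On a domain controller with the ActiveDirectory module:
# Get-ADDefaultDomainPasswordPolicy | Test-AccountPolicyBaseline | Format-Table -AutoSize
```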

Kerberos Policy

This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.

Lab A: Increasing Security for Server Resources


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager. Your manager has given you some security-related settings that need to be implemented on all member servers. You also need to implement file system auditing for a file share used by the Marketing department. Finally, you need to implement auditing for domain logons.

Objectives
After completing this lab, you will be able to:

- Use Group Policy to secure member servers.
- Audit file system access.
- Audit domain logons.

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-SVR1 and steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Using Group Policy to Secure Member Servers


Scenario
A. Datum uses the Computer Administrators group to provide administrators with permissions to administer member servers. As part of the installation process for a new server, the Computer Administrators group from the domain is added to the local Administrators group on the new server. Recently, this important step was missed when configuring several new member servers. To ensure that the Computer Administrators group is always given permission to manage member servers, your manager has asked you to create a GPO that sets the membership of the local Administrators group on member servers to include Computer Server Administrators. This GPO also needs to enable Admin Approval Mode for UAC.

The main tasks for this exercise are as follows:

1. Create a Member Servers Organizational Unit (OU) and move servers into it.
2. Create a Server Administrators group.
3. Create a Member Server Security Settings GPO and link it to the Member Servers OU.
4. Configure group membership for local administrators to include Server Administrators and Domain Admins.
5. Verify that Computer Administrators has been added to the local Administrators group.
6. Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow log on locally.
7. Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator account.
8. Verify that a standard user cannot log on to a member server.

Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it
1. On LON-DC1, open Active Directory Users and Computers.
2. Create a new OU called Member Servers OU.
3. Move servers LON-SVR1 and LON-SVR2 to Member Servers OU.

Task 2: Create a Server Administrators group


On LON-DC1, in Member Servers OU, create a new global security group called Server Administrators.

Task 3: Create a Member Server Security Settings GPO and link it to the Member Servers OU
1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new GPO named Member Server Security Settings.
3. In the Group Policy Management Console, link the Member Server Security Settings GPO to the Member Servers OU.

Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins
1. On LON-DC1, open the Group Policy Management Console.
2. Edit the Default Domain Policy.
3. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security Settings, and then click Restricted Groups.
4. Add the Server Administrators and Domain Admins groups to the Administrators group.
5. Close the Group Policy Management Editor.

Task 5: Verify that Computer Administrators has been added to the local Administrators group
1. Switch to LON-SVR1, and log on as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows PowerShell window, and from the Windows PowerShell command prompt, type the following command:

   gpupdate /force

3. Open Server Manager, open the Computer Management console, and then expand Local Users and Groups.
4. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members.
5. Close the Computer Management console.

Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow log on locally
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings GPO.
3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and configure Allow log on locally for the Domain Admins and Administrators security groups.
4. Close the Group Policy Management Editor.

Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator account

1. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings GPO.
2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, and enable User Account Control: Admin Approval Mode for the Built-in Administrator account.
3. Close the Group Policy Management Editor.

Task 8: Verify that a standard user cannot log on to a member server


1. Switch to LON-SVR1.
2. Open Windows PowerShell, and from the Windows PowerShell command prompt, type the following command:

   gpupdate /force

3. Log off of LON-SVR1.
4. Try to log back on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.
5. Verify that you cannot log on to LON-SVR1.

Results: After completing this exercise, you should have used Group Policy to secure Member servers.

Exercise 2: Auditing File System Access


Scenario
The manager of the Marketing department has concerns that there is no way to track who is accessing files that are on the departmental file share. Your manager has explained that only users with permissions are allowed to access the files. However, the manager of the Marketing department would like to try logging access to the files that are in the file share to see which users are accessing specific files. Your manager has asked you to enable auditing for the file system that is on the Marketing department file share, and to review the results with the manager of the Marketing department.

The main tasks for this exercise are as follows:

1. Modify the Member Server Security Settings GPO to enable object access auditing.
2. Create and share a folder.
3. Enable auditing on the HR folder for Domain Users.
4. Create a new file in the file share from LON-CL1.
5. View the results in the security log on the domain controller.

Task 1: Modify the Member Server Security Settings GPO to enable object access auditing
1. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings GPO.
2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, and enable Audit object access with both Success and Failure settings.

Task 2: Create and share a folder


1. On LON-SVR1, on drive C, create a new folder with the name HR.
2. Configure the HR folder with Read/Write sharing permissions for the user Adam.

Task 3: Enable auditing on the HR folder for Domain Users


1. On LON-SVR1, in the Local Disk (C:) window, configure auditing on the HR folder with the following settings:
   o Select a principal: Domain Users
   o Type: All
   o Permission: Read & execute, List folder content, Read, Write
   o Leave other settings with their default values.
2. Open a command prompt window and refresh Group Policy using the gpupdate /force command.

Task 4: Create a new file in the file share from LON-CL1


1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. Open a command prompt window, and type the following command:

   gpupdate /force

4. Close the command prompt window.

5. Log off LON-CL1 and then log on again as Adatum\Adam with a password of Pa$$w0rd.
6. Open the HR folder on LON-SVR1 by using the following Universal Naming Convention (UNC) path: \\LON-SVR1\HR.
7. Create a text document named Employees.
8. Log off of LON-CL1.

Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1, and start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then open Security.
3. Verify that the following event and information displays:
   o Source: Microsoft Windows security auditing
   o Event ID: 4663
   o Task category: File System
   o An attempt was made to access an object.

Results: After completing this exercise, you should have enabled file system access auditing.
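Task 3 of this exercise sets the folder's SACL through Explorer. The following added example (not part of the lab text) applies the same audit entry with PowerShell and returns the resulting audit rules so the result can be verified. The path and principal default to the lab's C:\HR and Domain Users in the ADATUM domain; events still appear only once the Audit object access policy from Task 1 has been applied.

```powershell
# Added example, not part of the 20410A lab text: add the object-access audit
# entry from Exercise 2, Task 3 (principal Domain Users, Type All, Read & execute,
# List folder contents, Read, Write) to a folder's SACL. Run elevated on the file
# server (LON-SVR1 in the lab); writing a SACL needs the security privilege.

function Add-FolderAuditRule {
    param(
        [string]$Path      = 'C:\HR',
        [string]$Principal = 'ADATUM\Domain Users',
        # The lab's four permissions: Read, List folder contents and Read & execute
        # are all contained in the ReadAndExecute flag, so only Write is added.
        [System.Security.AccessControl.FileSystemRights]$Rights =
            [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
        # "Type: All" in the Explorer dialog means both Success and Failure audits.
        [System.Security.AccessControl.AuditFlags]$Type = 'Success, Failure'
    )

    # -Audit is required; without it the SACL is not read and cannot be written back.
    $acl = Get-Acl -Path $Path -Audit

    # Apply to the folder, its subfolders and files (the dialog's default scope).
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the audit entries now present so the change can be checked,
    # the same information the Auditing tab shows in Task 3.
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

# Lab values; after Task 4 creates \\LON-SVR1\HR\Employees, event 4663 is logged.
Add-FolderAuditRule | Format-Table -AutoSize
```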

Exercise 3: Auditing Domain Logons


Scenario
After a security review, the IT policy committee has decided to begin tracking all user logons to the domain. Your manager has asked you to enable auditing of domain logons and verify that they are working.

The main tasks for this exercise are as follows:

1. Modify the Default Domain Policy GPO.
2. Run GPUpdate.
3. Log on to LON-CL1 with an incorrect password.
4. Review event logs on LON-DC1.
5. Log on to LON-CL1 with the correct password.
6. Review event logs on LON-DC1.

Task 1: Modify the Default Domain Policy GPO


1. On LON-DC1, in the Group Policy Management Console, edit the Default Domain Policy Group Policy Object.
2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, and then enable Audit account logon events with both Success and Failure settings.
3. Update Group Policy by using the gpupdate /force command.

Task 2: Run GPUpdate


1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. Open a command prompt window, and type the following command:

   gpupdate /force

4. Close the command prompt window, and log off LON-CL1.

Task 3: Log on to LON-CL1 with an incorrect password


Log on to LON-CL1 as Adatum\Adam with a password of password.

Note: This password is intentionally incorrect, to generate a security log entry that shows that an unsuccessful logon attempt has been made.

Task 4: Review event logs on LON-DC1


1. On LON-DC1, start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for the following message: Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.

Task 5: Log on to LON-CL1 with the correct password


Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.

Note: This password is correct, and you should be able to log on successfully as Adam.

Task 6: Review event logs on LON-DC1


1. On LON-DC1, start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for the following message: A user successfully logged on to a computer.

Results: After completing this exercise, you should have enabled domain logon auditing.
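Exercise 2, Task 5 and Exercise 3, Tasks 4 and 6 read single events in Event Viewer. The following added example (not part of the lab text) collects the same events from the Security log with Get-WinEvent and flags accounts with repeated failed logons, the case the Configuring Auditing topic describes. Event ID 4663 is named in Exercise 2; 4624 and 4625 are the standard IDs behind the successful and failed logon messages that Exercise 3 looks for and are an addition here.

```powershell
# Added example, not part of the 20410A lab text: summarize the Security log
# events generated by Exercises 2 and 3. Run elevated; querying a remote computer
# needs the Remote Event Log Management firewall rule on that computer.
#   4663 = An attempt was made to access an object (file access, Exercise 2)
#   4624 = successful logon, 4625 = failed logon (Exercise 3)

function Get-EventData {
    # Security events keep their details in <EventData><Data Name="..."> elements.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AuditActivity {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        # Accounts with at least this many failures are flagged; 3 mirrors the
        # lockout-threshold example used in the lesson's account policy tables.
        [int]$FailureThreshold = 3
    )
    $filter = @{ LogName = 'Security'; Id = 4663, 4624, 4625
                 StartTime = (Get-Date).AddHours(-$Hours) }

    $rows = foreach ($computer in $ComputerName) {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $x = [xml]$e.ToXml()
            switch ($e.Id) {
                4663 { $kind = 'FileAccess'
                       $user = Get-EventData $x 'SubjectUserName'
                       $detail = Get-EventData $x 'ObjectName' }
                4624 { $kind = 'LogonOK'
                       $user = Get-EventData $x 'TargetUserName'
                       $detail = 'type {0} from {1}' -f (Get-EventData $x 'LogonType'), (Get-EventData $x 'IpAddress') }
                4625 { $kind = 'LogonFailed'
                       $user = Get-EventData $x 'TargetUserName'
                       $detail = 'from {0}, status {1}' -f (Get-EventData $x 'IpAddress'), (Get-EventData $x 'Status') }
            }
            [pscustomobject]@{ Time = $e.TimeCreated; Computer = $computer; Kind = $kind; User = $user; Detail = $detail }
        }
    }

    # The "trying to log on repeatedly without success" case from Configuring Auditing.
    $suspect = $rows | Where-Object Kind -eq 'LogonFailed' |
        Group-Object User | Where-Object Count -ge $FailureThreshold |
        Select-Object @{ n = 'User'; e = { $_.Name } }, Count

    [pscustomobject]@{ Events = $rows; RepeatedFailures = $suspect }
}

# Lab hosts: file access is logged on LON-SVR1, account logon events on LON-DC1.
$result = Get-AuditActivity -ComputerName 'LON-SVR1', 'LON-DC1'
$result.Events | Sort-Object Time | Format-Table Time, Computer, Kind, User, Detail -AutoSize
$result.RepeatedFailures | Format-Table -AutoSize
```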

To prepare for the next lab


To prepare for the next lab, leave the virtual machines running.

Lesson 3

Restricting Software


Users need access to the applications that help them do their jobs. However, unnecessary or unwanted applications often get installed on client computers, whether unintentionally or for malicious or non-business purposes. Unsupported or unused software is not maintained or secured by the administrators; therefore, that software could be attacked and used as an entry point for attackers to gain unauthorized access or spread computer viruses. Consequently, it is of the utmost importance for you to ensure that only necessary software gets installed on all the computers in your organization. It is also vital that you prevent software from running that is not allowed or is no longer used or supported.

Lesson Objectives


After completing this lesson, you will be able to:

- Describe how software restriction policies are used to restrict unauthorized software from running on servers and clients.
- Describe the purpose of AppLocker.
- Describe AppLocker rules and how to use them to restrict unauthorized software from running on servers and clients.
- Describe how to create AppLocker rules.

What Are Software Restriction Policies?


Introduced in the Windows XP operating system and the Windows Server 2003 operating system, software restriction policies (SRP) give administrators tools that they can use to identify and specify which applications are permitted to run on client computers. SRP settings are configured and deployed to clients by using Group Policy. Software Restriction Policies are used in Windows Server 2012 to provide Windows XP and Windows Vista compatibility. An SRP set is made up of the following rules and security levels.

Rules

Rules govern how SRP responds to an application that is being run or installed. Rules are the key constructs within an SRP, and a group of rules together determine how an SRP responds to applications being run. Rules can be based on one of the following criteria that apply to the primary executable file for the application in question:

- Hash. A cryptographic fingerprint of the file.
- Certificate. A software publisher certificate that is used to digitally sign a file.
- Path. The local or UNC path to where the file is stored.
- Zone. The Internet zone.

Security Levels


Each applied SRP is assigned a security level that governs the way that the operating system reacts when the application that is defined in the rule is run. The three available security level settings are as follows:

- Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.
- Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.
- Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.

Using these three settings, there are two primary ways to use SRPs:

- If an administrator has a comprehensive list of all the software that should be allowed to run on clients, the Default Security Level can be set to Disallowed. All applications that should be allowed to run can be identified in SRP rules that would apply either the Basic User or Unrestricted security level to each individual application, depending on the security requirements.
- If an administrator does not have a comprehensive list of the software that should be allowed to run on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security requirements. Any applications that should not be allowed to run can then be identified by using SRP rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.

Additional Reading: For more information about using software restriction policies to protect against unauthorized software, see http://go.microsoft.com/fwlink/?LinkId=203296.

What Is AppLocker?
AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting that controls which applications users are allowed to run. AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access. AppLocker is applied through Group Policy to computer objects within an OU. Individual AppLocker rules can also be applied to individual AD DS users or groups. AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise. Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs.


You can use AppLocker to restrict software that:
- Is not allowed to be used in the company.
- Is no longer used or has been replaced with a newer version.
- Is no longer supported in the company.
- Should be used only by specific departments.

You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies. AppLocker is available in the following Windows operating system editions:
- Windows Server 2008 R2 Standard operating system
- Windows Server 2008 R2 Enterprise operating system
- Windows Server 2008 R2 Datacenter operating system
- Windows Server 2008 R2 for Itanium-based Systems operating system
- Windows Server 2012
- Windows 7 Ultimate operating system
- Windows 7 Enterprise operating system
- Windows 8

Additional Reading: For more information about AppLocker, see http://technet.microsoft.com/en-us/library/hh831409.aspx.

AppLocker Rules
AppLocker defines rules based on file attributes that are derived from the digital signature of the file. File attributes in the digital signature include:
- Publisher name
- Product name
- File name
- File version

Default Configuration


The default configuration for AppLocker contains a set of default rules for each rule collection. This set of rules ensures that the files that are necessary for Windows operating systems to run and operate normally are allowed to run.

Allow and Deny Rule Actions


Allow and Deny are rule actions that allow or deny execution of applications based on a list of applications that you configure. The Allow action on rules limits execution of applications to an allowed list of applications, and blocks everything else. The Deny action on rules takes the opposite approach and allows the execution of any application except those on a list of denied applications. These actions also provide a means to identify exceptions to those actions.


You should use AppLocker when software is being used that is:
- Not allowed for use in the company. Give an example of software that can disrupt employees' business productivity, such as social networking software, or software that streams video files or pictures that can use a large amount of network bandwidth.
- No longer used. Software that is not needed in the company is no longer maintained.
- No longer supported. Software that is not updated with security updates might pose a security risk.

Enforce or Audit Only


When AppLocker policy is set to Enforce, rules are enforced and all events are audited. When AppLocker policy is set to Audit Only, rules are evaluated and events are written to the AppLocker log, but no enforcement takes place.

Demonstration: Creating AppLocker Rules


In this demonstration, you will see how to:
- Create a GPO to enforce the default AppLocker Executable rules.
- Apply the GPO to the domain.
- Test the AppLocker rule.

Demonstration Steps

Create a GPO to enforce the default AppLocker Executable rules
1. On LON-DC1, open the Group Policy Management console.
2. Create a new GPO named WordPad Restriction Policy.
3. Edit the WordPad Restriction Policy's Security Settings by using AppLocker to create a new Executable Rule.
4. Set the permission of the new rule to Deny, the condition to Publisher, and then select wordpad.exe.
5. If prompted, click OK to create default rules.
6. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
7. In AppLocker, configure enforcement with Enforce rules.
8. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Windows Settings\Security Settings\System Services. Configure Application Identity Properties with Define this policy setting and Select service startup mode with Automatic.

Apply the GPO to the Contoso.com domain


1. Open a command prompt window, type gpupdate /force, and then press Enter.
2. Start and then log on to 20410A-LON-SVR1 as Adatum\Alan, with the password, Pa$$w0rd.
3. In the command prompt window, type gpupdate /force, and then press Enter. Wait for the policy to update.

Test the AppLocker rule


Attempt to start WordPad, and then verify that WordPad does not start.


Lesson 4

Configuring Windows Firewall with Advanced Security


Windows Firewall with Advanced Security is an important tool for enhancing the security of Windows Server 2012. This snap-in helps to prevent several different security issues such as port scanning or malware. Windows Firewall with Advanced Security has multiple firewall profiles, each of which applies unique settings to different types of networks. You can manually configure Windows Firewall rules on each server, or configure them centrally by using Group Policy.

Lesson Objectives


After completing this lesson, you will be able to:
- Describe the features of Windows Firewall with Advanced Security.
- Describe Firewall Profiles.
- Describe Connection Security Rules.
- Describe how to deploy Windows Firewall rules.

What Is Windows Firewall with Advanced Security?


Windows Firewall with Advanced Security is a host-based firewall that is included in Windows Server 2012. This snap-in runs on the local computer and restricts network access to and from that computer. Unlike a perimeter firewall, which provides protection only from threats on the Internet, a host-based firewall provides protection from threats wherever they originate. For example, a host that is not behind a perimeter firewall is still protected from threats on the LAN or the Internet.

Inbound and Outbound Rules


Inbound rules control communication that is initiated by another device or computer on the network, with the host computer. By default, all inbound communication is blocked except the traffic that is explicitly allowed by an inbound rule.

Outbound rules control communication that is initiated by the host computer, and is destined for a device or computer on the network. By default, all outbound communication is allowed except the traffic that is explicitly blocked by an outbound rule. If you choose to block all outbound communication except the traffic that is explicitly allowed, you must carefully catalog the software that is allowed to run on that computer and the network communication required by that software.

You can create inbound and outbound rules based on User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports. You can also create inbound and outbound rules that allow a specific executable network access, regardless of the port number that is being used.

Connection Security Rules


You use Connection Security Rules to configure Internet Protocol Security (IPsec) for Windows Server 2012. When these rules are configured, you can authenticate communication between computers, and then use that information to create firewall rules based on specific user and computer accounts.


Additional Enhancements


Windows Firewall with Advanced Security is a Microsoft Management Console (MMC) snap-in that allows you to perform advanced configuration of Windows Firewall. Windows Firewall in Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 has the following enhancements:
- Supports filtering for both incoming and outgoing traffic.
- Provides an MMC snap-in that you can use to configure advanced settings.
- Integrates firewall filtering and IPsec protection settings.
- Enables you to configure rules to control network traffic.
- Provides network location-aware profiles.
- Enables you to import or export policies.

You can configure Windows Firewall settings on each computer individually, or with Group Policy at: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security.

Note: Windows Server 2012 introduces the additional option for administering Windows Firewall by using the Windows PowerShell command-line interface.

Discussion: Why Is a Host-Based Firewall Important?


Windows Firewall with Advanced Security is enabled by default on Windows Server 2012. Review the discussion question and participate in a discussion to identify the benefits of using a host-based firewall such as Windows Firewall with Advanced Security.

Question: Why is it important to use a host-based firewall such as Windows Firewall with Advanced Security?

Firewall Profiles


Windows Firewall with Advanced Security is a network-aware application that uses firewall profiles to provide a consistent configuration for networks of a specific type. Windows Server 2012 allows you to define a network as either a domain network, a public network, or a private network. With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for specific firewall profiles.


Windows Firewall with Advanced Security includes the following profiles:

Profile: Public
Description: Use when you are connected to an untrusted public network. Other than domain networks, all networks are categorized as Public. By default, the Public (most restrictive) profile is used in Windows Vista, Windows 7, and Windows 8.

Profile: Private
Description: Use when you are connected behind a firewall. A network is categorized as private only if an administrator or an application identifies the network as private. This profile is referred to as the Home profile in Windows Vista, Windows 7, and Windows 8.

Profile: Domain
Description: Use when your computer is part of a Windows operating system domain. Windows operating systems automatically identify networks on which it can authenticate access to the domain controller. No other networks can be placed in this category. This profile is referred to as the Work profile in Windows Vista, Windows 7, and Windows 8.

Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means that a multi-homed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.

Connection Security Rules


A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. Connection security rules also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable connection security rules are:
- Isolation. An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.
- Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.
- Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected. Then designate requirements and the authentication that you want to use.


- Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.
- Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rules available in the New Connection Security Rule Wizard.

How Firewall Rules and Connection Security Rules Work Together
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, connection security rules do not allow traffic through a firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs and services; they are applied between the computers that make up the two endpoints.
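The pairing described above, as an added example that is not part of the course: an Isolation connection security rule plus the firewall rule that depends on it, using the NetSecurity cmdlets. It assumes an elevated PowerShell on a domain-joined Windows Server 2012 member server; the group Adatum\Application Servers and port 8080 are taken from Exercise 2 of the lab.

```powershell
# Added example; not part of the course. Shows the two rule types working
# together on one Windows Server 2012 member server: an Isolation connection
# security rule that makes IPsec authentication mandatory, and a firewall rule
# that only matches traffic IPsec has authenticated. Assumptions: elevated
# PowerShell on a domain-joined server; the group Adatum\Application Servers is
# taken from Exercise 2 of the lab; port 8080 is the lab's web application port.
Import-Module NetSecurity

# 1. Connection security rule. Inbound connections must be authenticated, outbound
#    ones request it (so the server can still talk to peers without IPsec). In a
#    domain the default Phase 1 authentication set is computer Kerberos, so only
#    domain members can complete the negotiation. This rule opens no port.
New-NetIPsecRule -DisplayName 'Domain Isolation' -Profile Domain -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request -RemoteAddress Any | Out-Null

# 2. Firewall rule. Still required: without it TCP 8080 stays blocked by the
#    profile's default inbound action. -Authentication Required means the rule
#    matches only connections the IPsec rule authenticated; -RemoteMachine narrows
#    them further to computers in one group, expressed as an SDDL string on its SID.
$account  = New-Object System.Security.Principal.NTAccount('Adatum', 'Application Servers')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'Web app 8080 (authenticated computers only)' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -Profile Domain -Action Allow `
    -Authentication Required -RemoteMachine "O:LSD:(A;;CC;;;$groupSid)" | Out-Null

# 3. Verify. The rule listing shows which inbound firewall rules depend on IPsec;
#    the security associations show which peers actually authenticated.
function Get-AuthenticatedInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallSecurityFilter).Authentication -eq 'Required' } |
        Select-Object DisplayName, Profile, Action
}
Get-AuthenticatedInboundRules
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

A peer that is not a domain member, or that has no matching connection security rule of its own, fails the IPsec negotiation and never reaches the firewall rule, which is the isolation effect the lesson describes.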

Deploying Firewall Rules


How you deploy Windows Firewall rules is an important consideration. Choosing the appropriate method ensures that rules are deployed accurately and with minimum effort. You can deploy Windows Firewall rules in the following ways:
- Manually. You can individually configure firewall rules on each server. However, in an environment with more than a few servers, this is labor-intensive and prone to error. This method is typically used only during testing and troubleshooting.
- Using Group Policy. The preferred way to distribute firewall rules is by using Group Policy. After creating and testing a GPO with the required firewall rules, you can quickly and accurately deploy the firewall rules to a large number of computers.
- Exporting and importing firewall rules. Windows Firewall with Advanced Security also gives you the option to import and export firewall rules. You can export firewall rules to create a backup before you manually configure firewall rules during troubleshooting. When you import firewall rules, they are treated as a complete set and replace all currently configured firewall rules.


Lab B: Configuring AppLocker and Windows Firewall


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager. Your manager has asked you to implement AppLocker to restrict non-standard applications from running. He also has asked you to create new Windows Firewall rules for any member servers running web-based applications.

Objectives
After completing this lab, you will be able to:
- Configure AppLocker Policies.
- Configure Windows Firewall.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-SVR1 and 20410A-LON-CL1.


Exercise 1: Configuring AppLocker Policies


Scenario
Your manager has asked you to configure new AppLocker policies to control the use of applications on user desktops. The new configuration should allow programs to be run only from approved locations. All users must be able to run applications from the C:\Windows directory and from C:\Program Files. You also need to add an exception to run a custom-developed application that resides in a non-standard location. The first stage of the implementation will log compliance with rules. The second stage of implementation will prevent unauthorized programs from running.

The main tasks for this exercise are as follows:
1. Create an OU for Client Computers.
2. Move LON-CL1 to the Client Computers OU.
3. Create a Software Control GPO and link it to the Client Computers OU.
4. Run GPUpdate on LON-SVR1.
5. Run app1.bat in the C:\CustomApp folder.
6. View AppLocker events in an event log.
7. Create a rule that allows software to run from C:\CustomApp.
8. Modify Software Control GPO to enforce the rules.
9. Verify that an application can still be run from C:\CustomApp.
10. Verify that an application cannot be run from the Documents folder.

Task 1: Create an OU for Client Computers


1. Switch to LON-DC1.
2. Open Active Directory Users and Computers.
3. Create a new OU called Client Computers OU.

Task 2: Move LON-CL1 to the Client Computers OU


On LON-DC1, in the Active Directory Users and Computers console, move LON-CL1 to Client Computers OU.

Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new Group Policy Object (GPO) with the name Software Control GPO.
3. Edit the Software Control GPO.
4. In the Group Policy Management Editor window, browse to Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Application Control Policies/ AppLocker.
5. Create default rules for Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules.
6. Configure the rule enforcement for Executable rules, Windows Installer Rules, Script Rules, and Packaged app Rules with the Audit only option.
7. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings, click System Services and then double-click Application Identity.
8. In the Application Identity Properties dialog box, select Define this policy setting and under Select service startup mode, select Automatic, and then click OK.
9. Close the Group Policy Management Editor.
10. In the Group Policy Management Console, link the Software Control GPO to Member Servers OU.

Task 4: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1.
2. Open a command prompt window, and type the following command:
gpupdate/force
3. Close the command prompt window and restart LON-SVR1.

Task 5: Run app1.bat in the C:\CustomApp folder


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. At the command prompt, type the following command:
C:\CustomApp\app1.bat

Task 6: View AppLocker events in an event log


1. On LON-SVR1, start Event Viewer.
2. In the Event Viewer window, browse to Application and Services Logs/ Microsoft/AppLocker, and review the events.
3. Click MSI and Scripts, and review the event logs for App1.bat.

Task 7: Create a rule that allows software to run from C:\CustomApp


1. On LON-DC1, edit the Software Control GPO with the following settings: Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Application Control Policies/ AppLocker.
2. Create an AppLocker script rule with the following settings:
   o Permissions: Allow
   o Conditions: Path
   o Path: %OSDRIVE%\CustomApp\app1.bat
   o Name and Description: Custom App Rule

Task 8: Modify Software Control GPO to enforce the rules


1. Use the Enforce rules option to configure rule enforcement for Executable rules, Windows Installer Rules, Script Rules, and Packaged app Rules.
2. Close the Group Policy Management Editor.

Task 9: Verify that an application can still be run from C:\CustomApp


1. Switch to LON-SVR1.
2. Open a command prompt window, and type the following command:
gpupdate/force
3. Close the command prompt window and restart LON-SVR1.
4. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
5. Open a command prompt and verify that you can run the app1.bat application, which is located in the C:\CustomApp folder.
6. Log off of LON-SVR1.

Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, from the CustomApp folder, copy app1.bat to the Documents folder.
2. Verify that the application cannot be run from the Documents folder, and that the following message appears: This program is blocked by Group Policy. For more information, contact your system administrator.
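The AppLocker rule, Audit only and Enforce settings from Lesson 3, and the policy built in Exercise 1, as an added example that is not part of the course: the same policy expressed with the AppLocker PowerShell cmdlets, dry-run against the two test files, published to the GPO, and checked through the AppLocker event logs. It assumes an elevated PowerShell on a Windows Server 2012 host with the Group Policy tools installed; the GPO LDAP path is a placeholder, and New-SoftwareControlPolicyXml and Get-AppLockerAuditEvents are helper names chosen here.

```powershell
# Added example; not part of the course or of the AppLocker module's own samples.
# Builds the Exercise 1 policy with the AppLocker PowerShell cmdlets, stages it
# as Audit only, dry-runs it against the two test files, and reads the audit
# events that stage one produces. Assumptions: elevated PowerShell on a Windows
# Server 2012 host with the Group Policy tools; the GPO LDAP path is a placeholder.
Import-Module AppLocker

# Build the policy XML. Every approved location becomes an Allow path rule for
# Everyone (SID S-1-1-0); whatever no rule matches is denied by default once a
# collection is enforced. EnforcementMode is AuditOnly (stage one) or Enabled
# (stage two). Only the Exe and Script collections are shown here.
function New-SoftwareControlPolicyXml {
    param(
        [string[]]$ExePaths    = @('%WINDIR%\*', '%PROGRAMFILES%\*'),
        [string[]]$ScriptPaths = @('%WINDIR%\*', '%PROGRAMFILES%\*',
                                   '%OSDRIVE%\CustomApp\app1.bat'),
        [ValidateSet('AuditOnly', 'Enabled')] [string]$Mode = 'AuditOnly'
    )
    $rule = {
        param([string[]]$paths)
        foreach ($p in $paths) {
            $id = [guid]::NewGuid()
            "    <FilePathRule Id=`"$id`" Name=`"Allow $p`" Description=`"`" " +
            "UserOrGroupSid=`"S-1-1-0`" Action=`"Allow`">`n" +
            "      <Conditions><FilePathCondition Path=`"$p`" /></Conditions>`n" +
            "    </FilePathRule>"
        }
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$((& $rule $ExePaths) -join "`n")
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="$Mode">
$((& $rule $ScriptPaths) -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyFile = Join-Path $env:TEMP 'SoftwareControl.xml'
New-SoftwareControlPolicyXml | Set-Content -Path $policyFile -Encoding UTF8

# Dry run (Tasks 9 and 10 without touching a GPO): the approved copy should come
# back Allowed and the copy in Documents DeniedByDefault. Test-AppLockerPolicy
# needs the files to exist, so run this part on LON-SVR1 after copying app1.bat.
$samples  = 'C:\CustomApp\app1.bat', "$env:USERPROFILE\Documents\app1.bat"
$existing = @($samples | Where-Object { Test-Path $_ })
if ($existing) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $existing -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Publish into the Software Control GPO. Placeholder: replace the GUID and DN
# with those of your GPO. -Merge keeps any rules already in the GPO.
$gpoLdap = 'LDAP://LON-DC1.adatum.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=adatum,DC=com'
if ($gpoLdap -notmatch 'PLACEHOLDER') {
    Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdap -Merge
}
# Stage two is the same policy with -Mode Enabled, merged over the audit version:
# New-SoftwareControlPolicyXml -Mode Enabled | Set-Content -Path $policyFile -Encoding UTF8

# On the target server after gpupdate /force. AppLocker evaluates nothing unless
# the Application Identity service (AppIDSvc) is running, which is why the lab
# sets its startup type to Automatic through the same GPO.
function Get-AppLockerAuditEvents {
    param([int]$Hours = 24)
    if ((Get-Service AppIDSvc).Status -ne 'Running') {
        Write-Warning 'AppIDSvc is not running; AppLocker rules are not being evaluated.'
    }
    # 8003 / 8006: would have been blocked (Audit only; EXE-DLL / MSI-Script logs)
    # 8004 / 8007: blocked (Enforce rules)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                    'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8004, 8006, 8007
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, Message
}
Get-AppLockerAuditEvents | Format-Table -Wrap
```

Reviewing the 8003 and 8006 events over the audit period before switching to Enforce rules is what tells you which legitimate applications the policy would otherwise break.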

Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules to allow inbound network communication through TCP port 8080.

Exercise 2: Configuring Windows Firewall


Scenario
Your manager has asked you to configure Windows Firewall rules for a set of new application servers. These application servers have a web-based application that is listening on a non-standard port. You need to configure Windows Firewall to allow network communication through this port. You will use security filtering to ensure that the new Windows Firewall rules apply only to the application servers.

The main tasks for this exercise are as follows:
1. Create a group called Application Servers.
2. Add LON-SVR1 as a group member.
3. Create a new Application Servers GPO.
4. Link the Application Servers GPO to the Member Servers OU.
5. Use security filtering to limit the Application Server GPO to members of Application Server group.
6. Run GPUpdate on LON-SVR1.
7. View the firewall rules on LON-SVR1.

Task 1: Create a group called Application Servers


On LON-DC1, in Active Directory Users and Computers, in the Member Servers OU, create a new global security group called Application Servers.

Task 2: Add LON-SVR1 as a group member


In the Active Directory Users and Computers console, in the Member Servers OU, open Application Servers Properties, and then add LON-SVR1 as a group member.

Task 3: Create a new Application Servers GPO


1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new Group Policy Object (GPO) with the name Application Servers GPO.
3. In the Group Policy Management Editor window, browse to Computer Configuration/ Policies/ Windows Settings/ Security Settings / Application Control Policies/ Windows Firewall with Advanced Security.
4. Configure an inbound rule with the following settings:
   o Rule Type: Custom
   o Protocol type: TCP
   o Specific Ports: 8080
   o Scope: Any IP address
   o Action: Allow the connection
   o Profile: Domain
   o Name: Application Server Department Firewall Rule
5. Close the Group Policy Management Editor.

Task 4: Link the Application Servers GPO to the Member Servers OU


In the Group Policy Management Console, link the Application Servers GPO to the Member Servers OU.

Task 5: Use security filtering to limit the Application Server GPO to members of Application Server group
1. On LON-DC1, open Group Policy Management Console, expand the Member Servers OU, and then click Application Servers GPO.
2. In the right-hand pane, under Security Filtering, remove Authenticated Users, and configure Application Servers GPO to apply only to the Application Servers security group.

Task 6: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1.
2. Open a command prompt window, and type the following command:
gpupdate/force
3. Close the command prompt window.
4. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.

Task 7: View the firewall rules on LON-SVR1


1. Switch to LON-SVR1.
2. Start Windows Firewall with Advanced Security.
3. In the Windows Firewall with Advanced Security window, in Inbound rules, verify that the Application Server Department Firewall Rule you created using Group Policy earlier is configured.
4. Verify that you cannot edit the Application Server Department Firewall Rule, because it is configured through Group Policy.
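The Group Policy deployment method from Lesson 4 and the whole of Exercise 2, as an added example that is not part of the course: the GPO, its link, the security filtering, the TCP 8080 rule written into the GPO, and the verification on the member server, done with the GroupPolicy and NetSecurity cmdlets. It assumes an elevated PowerShell on LON-DC1; the domain name adatum.com and the Member Servers OU distinguished name are assumptions drawn from the lab's Adatum\ accounts, and Get-InboundPortRule is a helper name chosen here.

```powershell
# Added example; not part of the course. The Exercise 2 deployment done with the
# GroupPolicy and NetSecurity cmdlets that Windows Server 2012 introduces.
# Assumptions: elevated PowerShell on LON-DC1; the domain adatum.com and the OU
# DN are assumed from the lab's Adatum\ accounts and its Member Servers OU.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain   = 'adatum.com'
$gpoName  = 'Application Servers GPO'
$memberOu = 'OU=Member Servers,DC=adatum,DC=com'   # assumed DN

# Tasks 3 to 5: create and link the GPO, then replace Authenticated Users with
# the Application Servers group so that only its members apply the policy
# (GpoApply also grants the Read permission the group needs).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $memberOu | Out-Null
}
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Application Servers' -TargetType Group -PermissionLevel GpoApply | Out-Null

# Task 3 (the rule): write it straight into the GPO's policy store. Open-NetGPO
# caches the GPO so that several changes are saved in a single round trip.
$session = Open-NetGPO -PolicyStore "$domain\$gpoName"
New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Application Server Department Firewall Rule' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -RemoteAddress Any `
    -Profile Domain -Action Allow -Enabled True | Out-Null
Save-NetGPO -GPOSession $session

# Task 7, run on LON-SVR1 after gpupdate /force. ActiveStore is the merged,
# effective policy; PolicyStoreSource names the GPO for rules delivered by Group
# Policy, which is also why the local console shows them as read-only.
function Get-InboundPortRule {
    param([int]$Port, [string]$Protocol = 'TCP')
    Get-NetFirewallRule -Direction Inbound -Enabled True -PolicyStore ActiveStore |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq $Protocol -and (@($f.LocalPort) -contains "$Port")
        } |
        Select-Object DisplayName, Profile, Action, PolicyStoreSource, PolicyStoreSourceType
}
Get-InboundPortRule -Port 8080 | Format-Table -AutoSize

# Which profiles are active on this server, and do they still default to
# blocking unsolicited inbound traffic? A multi-homed server can show both.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction

# Back up the local rule set before any manual troubleshooting edits; an import
# later replaces the whole set, as the lesson notes.
netsh advfirewall export "$env:TEMP\firewall-before.wfw"
```

If the rule is missing from ActiveStore on the member server, check that the computer is a member of Application Servers and that its Kerberos ticket was refreshed by the restart, since security filtering evaluates the computer's group membership at policy application time.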


Results: After completing this exercise, you should have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU organizational unit. The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.


Module Review and Takeaways


Review Questions
Question: Does the defense-in-depth model prescribe specific technologies that you should use to protect Windows Server operating system servers?

Question: What setting must you configure to ensure that users are allowed only three invalid logon attempts?

Question: You want to place an application control policy on a new type of executable file. What must you do before you can create a rule for this executable code?

Question: You are creating a GPO with standardized firewall rules for the servers in your organization. You tested the rules on a stand-alone server in your test lab. The rules appear on the servers after the GPO is applied, but they are not taking effect. What is the most likely cause of this problem?

Question: Last year, your organization developed a security strategy that included all aspects of a defense-in-depth model. Based on that strategy, your organization implemented security settings and policies on the entire IT infrastructure environment. Yesterday, you read in an article that new security threats were detected on the Internet, but now you realize that your company strategy does not include a risk analysis and mitigation plan for those new threats. What should you do?

Best Practices
The following are best practices:
- Always make a detailed security risk assessment before planning which security features your organization should deploy.
- Create a separate GPO for security settings that applies to different types of users in your organization, because each department might have different security needs.
- Make sure that the security settings that you configure are reasonably easy to use so that they are accepted by employees. Frequently, very strong security policies are too complex or difficult for employees to adopt.
- Always test security configurations that you plan to implement with a GPO in an isolated, nonproduction environment. Only deploy policies in your production environment after this testing is completed successfully.

Common Issues and Troubleshooting Tips


Common Issue
- The user cannot log on locally to a server.
- After configuring auditing, there are too many events logged in the Security Event Log in Event Viewer.
- Some users complain that their business applications can no longer access resources on the server.

Troubleshooting Tip


Tools
Tool: Group Policy Management Console (GPMC)
Use for: A graphical tool that you use to create, edit, and apply Group Policy Objects (GPOs).
Where to find it: Server Manager/Tools

Tool: AppLocker
Use for: Applies security settings that control which applications are allowed to be run by users.
Where to find it: GPO Editor in GPMC

Tool: Windows Firewall with Advanced Security
Use for: A host-based firewall that is included as a feature in Windows Server 2012 and Windows Server 2008.
Where to find it: Server Manager/Tools if configured individually, or GPO Editor in GPMC for deploying with Group Policy

Tool: Security Compliance Manager
Use for: Deploying security policies based on Microsoft Security Guide recommendations and industry best practices.
Where to find it: Download from the Microsoft website at http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx.

13-1

Module 13
Implementing Server Virtualization with Hyper-V
Contents:
Module Overview 13-1
Lesson 1: Overview of Virtualization Technologies 13-2
Lesson 2: Implementing Hyper-V 13-8
Lesson 3: Managing Virtual Machine Storage 13-15
Lesson 4: Managing Virtual Networks 13-22
Lab: Implementing Server Virtualization with Hyper-V 13-27
Module Review and Takeaways 13-33

Module Overview
Server virtualization has only been a part of the Windows Server operating system since the release of Windows Server 2008 and the introduction of the Hyper-V role. Server virtualization allows organizations to save money through server consolidation. Because of these efficiencies, server administrators need to be able to distinguish which server workloads might run effectively in virtual machines, and which server workloads must remain deployed in a more traditional server environment. This module introduces you to the Hyper-V role, the components of the role, how best to deploy the role, and the new features of the Hyper-V role that are introduced with Windows Server 2012.

Objectives
After completing this module, you will be able to:
- Understand and describe Microsoft's virtualization technologies.
- Implement Hyper-V.
- Manage virtual machine storage.
- Manage virtual networks.


Lesson 1

Overview of Virtualization Technologies


You can deploy many different types of virtualization on networks where Windows operating systems are primarily deployed. The type of virtualization that you choose depends on what you need to accomplish. Although this module is primarily concerned with server virtualization, in this lesson you will learn about other types of virtualization and the situations in which it is appropriate to deploy them.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe server virtualization using Hyper-V.
- Describe Windows Azure.
- Explain when you would use desktop virtualization.
- Determine the components required to implement presentation virtualization.
- Explain the benefits of Microsoft Application Virtualization (App-V) over traditional application deployment.

Server Virtualization with Hyper-V


With server virtualization, you can create separate virtual machines and run them concurrently using the resources of a single server operating system. These virtual machines are known as guests. The computer running Hyper-V is known as the host. Virtual machine guests function as normal computers. When users are logged on remotely using Remote Desktop Connection (RDC) or a Windows PowerShell remote session, they would have to examine the properties of the computer closely to determine whether it is a virtual machine or a traditionally deployed physical machine. Virtual machine guests that are hosted on the same hypervisor are independent of one another. You can run multiple virtual machines that use different operating systems on a host server simultaneously, provided the host server has enough resources.

Virtual Machines and Hardware Usage


By implementing virtual machines, you use hardware more efficiently. In most cases, a service or application does not consume more than a fraction of the resources that are available on the host computer. When deployed as virtual machines, you can consolidate multiple services and applications from separate virtual machines onto the same host server so that the resources of that host server are used more effectively. For example, if you have four separate services and applications that each consume from 10 to 15 percent of a host server's hardware resources, you can install these services and applications in virtual machines, and then place them on the same hardware, where on average they will consume a total of 40 to 60 percent of the host server's hardware.

This is a simplified example. In real-world environments, you must make adequate preparations before colocating virtual machines; you have to ensure that the hardware resource needs of all the virtual machines that are hosted on the hypervisor do not exceed the hypervisor's hardware resources.


Service and Application Isolation in Virtual Machines


Keeping one particular service or application functioning in a reliable manner can be challenging. This task becomes even more complicated if you need to deploy multiple services and applications on the same server. For example, you might need to deploy application A and application B at a branch office. These applications conflict when run on the same computer, but you can only afford enough hardware for one server. Running these applications within separate virtual machines can solve this problem.

Server Consolidation


With server virtualization, you can consolidate onto a single host servers that would otherwise need to run on separate hardware. Because each virtual machine on a host is isolated from the other virtual machines on the same host, it is possible to deploy services and applications, such as Exchange Server 2010, SQL Server 2012, and Active Directory domain controllers, on the same physical computer, but hosted within virtual machines. This means that an organization only needs to deploy one physical server in place of the three servers that it would have needed in the past.

Best Practice: Microsoft recommends that you not deploy a Microsoft Exchange mailbox server on the same computer that holds a domain controller role. Microsoft also recommends that you not deploy a SQL Server 2012 database engine instance on the same computer that hosts the domain controller role. Instead, deploy each of these workloads on separate virtual machines, and then run those virtual machines as guests on the same server virtualization host; this is a supported configuration.

Simplifying Server Deployment


You can also use virtualization to simplify the process of server deployment:
- There are virtual machine templates for common server configurations included with products such as Microsoft System Center 2012 - Virtual Machine Manager (VMM). You can configure these templates rather than configuring virtual machines from the very beginning.
- You can also create virtual machine self-service portals that enable end users to provision approved servers and applications automatically without requiring the direct intervention of the systems administration team. You create these virtual machine self-service portals with VMM and Microsoft System Center 2012 - Service Manager.

What Is Windows Azure?


Windows Azure is a cloud-based platform where you can purchase capacity, either for virtual machines or for applications, such as SQL Server databases on SQL Azure. As a cloud-based hosting solution, you pay for the capacity you use, rather than paying a fixed rate. For example, rather than paying a monthly flat rate to rent a server on a rack at a hosting provider, the cloud hosting provider charges you based on use. You pay less when the server is experiencing minimal use, and you pay more as use increases.

Cloud-based capacity is elastic, meaning it can grow or shrink quickly as required. For example, in a traditionally hosted solution, you might choose a specific server chassis. Then, if you need to increase capacity rapidly, you would have to switch to another class of server hardware, which would require you to migrate from the first physical host. All of this takes time and planning. Similarly, if your need for capacity decreases, you would need to decide whether migrating to a lower class of hardware is worth the cost, or if your organization should continue to pay for a class of hardware that you do not need right now, and may or may not need in the future. By using a hosting provider, capacity is scaled automatically and your organization is charged for only what you use, all without the complexity of migration.

This can be very useful when you have to provide proof-of-concept solutions when proposing projects. Rather than purchase test hardware and deploy a proof-of-concept solution to that hardware to demonstrate a project's feasibility, you can quickly deploy a cloud-based virtual machine. Once the proof-of-concept solution is validated, you can choose to discard it or keep it, depending on operational concerns. This is cheaper than acquiring hardware for a proof-of-concept solution which may be discarded if the project does not go ahead or turns out to be infeasible.

Hosting Websites or Production Applications


Cloud-based platforms like Windows Azure also allow you to deploy applications without having to deploy the underlying server infrastructure. For example, if you need a database, instead of having to deploy both Windows Server 2012 and SQL Server 2012, and then deploy the specific database, you can rent the cloud-based database server, and then host the database there.

For a successful cloud strategy, you must be able to determine correctly which services and applications are more economical to host with a hosting provider, and which services and applications are more economical to host on premises. Many factors that are unique to an organization are involved in making this determination, and a strategy that is best for one organization may not be appropriate for another.

Desktop Virtualization


Client Hyper-V
You can install the Hyper-V feature on computers that are running the Windows 8 Pro and Windows 8 Enterprise operating systems. This allows you to run virtual machine guests on client computers. Client Hyper-V, the Hyper-V feature in Windows 8 Pro and Windows 8 Enterprise, has the same processor requirements as Hyper-V on Windows Server 2012: the computer must have an x64 platform that supports second-level address translation (SLAT), and have a minimum of 4 gigabytes (GB) of random access memory (RAM).

Client Hyper-V on Windows 8


Client Hyper-V on Windows 8 supports many of the features that are available with Hyper-V on Windows Server 2012, but does not support enterprise features such as virtual machine migration. Client Hyper-V also does not support publishing applications that are installed on the virtual machine guest to the host operating system's Start menu. This was a feature that was present in Windows XP Mode on Windows 7, which used Virtual PC (Virtual PC is the client virtualization feature available to some computers running specific editions of the Windows 7 operating system).

Client Hyper-V in enterprise environments


In enterprise environments, Client Hyper-V is often used for development purposes, or to allow specific users to run previous versions of the Windows operating system so that they can access applications that are incompatible with Windows 8. When large numbers of people within an organization need regular access to a previous version of the Windows operating system, you should consider deploying Microsoft Enterprise Desktop Virtualization (MED-V).

MED-V
MED-V is a centrally managed form of client-hosted virtualization. MED-V allows administrators to centrally deploy and manage virtual machines running on clients. MED-V allows applications that are compatible with previous versions of the Windows client operating system, such as Windows XP, to be published in such a way that they are accessible through the Windows 8 Start menu. MED-V is available as part of the Microsoft Desktop Optimization Pack.

Additional Reading: For more information about MED-V, see: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/medv.aspx.

Virtual Desktop Infrastructure


Virtual Desktop Infrastructure (VDI) is a form of desktop virtualization where client operating systems are hosted centrally as virtual machines. Clients connect to these virtual machines using client software such as RDC. Using the Add Roles and Features Wizard, you can configure a server to support VDI by choosing a Remote Desktop Services installation. You can also install the Remote Desktop Virtualization Host role service in addition to the Hyper-V role when configuring a host server to function as a VDI server.

VDI can simplify the management of client operating systems in the following ways:
- For all the client computers that are hosted on a single server, it is easier to ensure that they are backed up regularly.
- The client virtual machines can be hosted on a highly available Hyper-V host.
- In the event that a client computer breaks, users are still able to access their virtual machine using other RDC methods.

VDI is also one method of allowing organizations to implement Bring Your Own Device (BYOD) policies. In this scenario, workers bring their own computer to the office and use RDC software to connect to the virtual machine that has been assigned to them.

Presentation Virtualization


Presentation virtualization differs from desktop virtualization in the following ways:
- In desktop virtualization, each user is assigned their own virtual machine that is running a client operating system. In presentation virtualization, users log on and run separate sessions on a server or servers. For example, users Alex and Brad might be logged onto the same remote desktop server, running different sessions using RDC.
- With desktop virtualization, the applications run within virtual machines. With presentation virtualization, the desktop and the applications run on the host server.


On networks that use Windows Server 2012, presentation virtualization is provided by the Remote Desktop Services server role. Clients can access presentation virtualization in the following ways:
- Full Desktop. Clients can use a remote desktop client such as RDC to access a full desktop session and to run applications on the Windows Server 2012 host server.
- RemoteApp applications. Rather than use a full desktop client like RDC, RemoteApp allows applications that run on the host Windows Server 2012 server to be displayed on the client computer. RemoteApp applications can be deployed as Windows Installer (.msi) files using traditional software deployment methods. This allows you to associate file types with RemoteApp applications.
- Remote Desktop Web Access. Clients can access a web site on a specially configured server and launch RemoteApp applications and Remote Desktop sessions from their browser.

Remote Desktop Gateway


Remote Desktop Gateway allows external clients to access Remote Desktop and RemoteApp without using a virtual private network (VPN), or the Windows 7 and Windows 8 operating systems' DirectAccess feature. Remote Desktop Gateway is a role service that you can install on a computer running Windows Server 2012. Remote Desktop Gateway servers are deployed on perimeter networks; the gateway tunnels the RDP session over HTTPS, so only TCP port 443 has to be exposed to the Internet rather than the RDP port of every internal server. You can configure the RDC client with the address of Remote Desktop Gateway servers. When you do this, the client checks to see if it is on the organizational network. If it is, it makes a direct connection to the Remote Desktop server. If it is not, it routes the connection to the Remote Desktop server through the Remote Desktop Gateway.

Application Virtualization


Application Virtualization, also known as App-V, uses special client software, known as the App-V Client, that is installed on the client to allow applications to either run on or be streamed to client computers. App-V, like MED-V, is available as part of the Microsoft Desktop Optimization Pack, and is not a native Windows Server 2012 role or feature.

Application isolation


App-V isolates the application from the operating system and runs it in a special separate virtual environment. This means that applications that you cannot install and run directly on a host operating system, because of compatibility problems, are able to run as App-V applications. For example, applications written for Windows XP that cannot run on the Windows 8 operating system can be run on Windows 8 if deployed through App-V. With App-V, you can also run applications that might be compatible with the host operating system, but may be problematic when run together. For example, you can use App-V to deploy and run different versions of Microsoft Office Word simultaneously.

Application streaming
Another useful feature of App-V is application streaming. When an application is streamed, only those parts of the application that are being used are transmitted to the client computer. This speeds up application deployment because only part, not all, of the application must be transmitted across the network to the client computer.


Application portability
When deployed with Microsoft System Center 2012 Configuration Manager, App-V allows applications to follow users across multiple computers, without requiring a traditional installation on those client computers. For example, a user can log on to a colleague's computer and have App-V stream that application to them so that they can use it on that computer. The application is not installed locally, and when the user logs off, the application is no longer available to other users of the computer.


Lesson 2

Implementing Hyper-V


Understanding how Hyper-V works and how virtual machines function is critical to effectively deploying server virtualization in a Windows Server 2012 network environment. When you plan a server virtualization strategy using Windows Server 2012 as a virtual machine host, you need to know what you can and cannot do. This lesson discusses Hyper-V, the hardware requirements for deploying Hyper-V on a computer running Windows Server 2012, the different components of a virtual machine, and the benefits of virtual machine integration services. It also discusses how to measure virtual machine resource use with Windows PowerShell cmdlets.

Lesson Objectives

After completing this lesson, you will be able to:
- Install the Hyper-V server role.
- Describe the appropriate hardware for Hyper-V deployment.
- Describe virtual machine components.
- Configure Dynamic Memory.
- Configure virtual machine integration services.
- Configure virtual machine start and stop actions.
- Perform Hyper-V resource metering tasks.

About Hyper-V


Hyper-V is the hardware virtualization role available in Windows Server 2012. Hardware virtualization provides virtual machines with direct access to the host's hardware. This is in contrast to software virtualization products, such as Virtual Server 2005 R2, that provide access indirectly through the host operating system. You use the Hyper-V role to configure Windows Server 2012 to function as a hypervisor. Windows Server 2012 can then host virtual machine guests that are running supported operating systems. In some documentation, the virtual machine host (in this case the Windows Server 2012 computer that is running Hyper-V) is referred to as the parent partition, and the virtual machines running on the Hyper-V host are referred to as child partitions.

You can deploy Hyper-V to a computer running Windows Server 2012 by using the Add Roles and Features Wizard. You can install the Hyper-V role on both Windows Server 2012 with the full GUI and Windows Server 2012 Server Core. There is also a stand-alone Hyper-V Server 2012 edition, which includes only the components necessary to host virtual machines. On those installations without a GUI, virtual machine administration is done locally through Windows PowerShell, or remotely through the Hyper-V Manager console.


Hardware Requirements for Hyper-V


When deciding on the hardware to use with a server on which you will install the Hyper-V role, you need to ensure the following:
- The server must have an x64 platform that supports SLAT and Data Execution Prevention.
- The CPU capacity of the host server must meet the requirements of the guest virtual machines. A virtual machine hosted on Hyper-V in Windows Server 2012 can support a maximum of 1 TB of RAM and up to 64 virtual processors.
- The server must have enough memory to support the memory requirements of all of the virtual machines that must run concurrently, plus enough memory to run the host Windows Server 2012 operating system. The server must have at least 4 GB of RAM.
- The storage subsystem performance must meet the input/output (I/O) needs of the guest virtual machines. Whether deployed locally or on SANs, it may be necessary to place different virtual machines on separate physical disks, or to deploy a high-performance redundant array of independent disks (RAID), solid-state drives (SSD), hybrid SSD, or a combination of all three.
- The host server's network adapters must be able to support the network throughput requirements of the guest virtual machines. This may require installing multiple network adapters and using multiple Network Interface Card (NIC) teams for virtual machines that have high network use requirements.
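The checks in the list above can be scripted before the role is added. The following Windows PowerShell script is an added example, not part of the course or of any Microsoft tool: it reads the virtualization flags that Windows Server 2012 exposes through the Win32_Processor, Win32_OperatingSystem and Win32_ComputerSystem CIM classes, applies the thresholds from the list (the 4 GB figure is the course's minimum; the parameter is this example's own), and only installs the Hyper-V role when run with the assumed -Install switch. Run it in an elevated session on the prospective host.

```powershell
# Added example (not from the course): verify the Hyper-V hardware prerequisites
# and, optionally, install the role. Thresholds and the -Install switch are this
# example's assumptions.
[CmdletBinding()]
param(
    [switch]$Install,                 # without -Install the script only reports
    [long]$MinimumRamBytes = 4GB      # course minimum; raise it to fit your guests
)

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$cpus = Get-CimInstance -ClassName Win32_Processor

# When a hypervisor is already running (Hyper-V installed, or this is itself a guest)
# the firmware flags on Win32_Processor are no longer meaningful, so they are skipped.
$hypervisorPresent = [bool]$cs.HypervisorPresent

$checks = [ordered]@{
    'x64 operating system'      = ($os.OSArchitecture -like '64-bit*')
    'Data Execution Prevention' = [bool]$os.DataExecutionPrevention_Available
    "At least $($MinimumRamBytes / 1GB) GB RAM" = ($cs.TotalPhysicalMemory -ge $MinimumRamBytes)
}
if (-not $hypervisorPresent) {
    # Every socket must report the capability, not just the first one enumerated.
    $checks['Virtualization enabled in firmware']  = -not ($cpus | Where-Object { -not $_.VirtualizationFirmwareEnabled })
    $checks['VM monitor mode extensions']           = -not ($cpus | Where-Object { -not $_.VMMonitorModeExtensions })
    $checks['Second Level Address Translation']     = -not ($cpus | Where-Object { -not $_.SecondLevelAddressTranslationExtensions })
}

foreach ($check in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'MISSING' })
}
if ($hypervisorPresent) {
    'A hypervisor is already running; processor virtualization flags were not evaluated.'
}

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning ('Prerequisites not met: ' + (($failed | ForEach-Object { $_.Key }) -join ', '))
    return
}

if ((Get-WindowsFeature -Name Hyper-V).Installed) {
    'The Hyper-V role is already installed.'
    return
}

if ($Install) {
    # -IncludeManagementTools adds Hyper-V Manager and the Hyper-V PowerShell module.
    # -Restart reboots the host once so the hypervisor can start beneath the parent partition.
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
} else {
    'Prerequisites met. Re-run with -Install to add the Hyper-V role (the host will reboot).'
}
```

The script treats "hypervisor already present" as a distinct outcome rather than a failure: on a machine that already runs Hyper-V the CIM flags read as not supported, which would otherwise produce a misleading "MISSING" for hardware that is demonstrably fine. The same command set (without the install step) is useful when checking whether a Windows 8 client can run Client Hyper-V.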

Virtual Machine Hardware


Virtual machines use virtual (or simulated) hardware. The host operating system, Windows Server 2012 with the Hyper-V role installed, uses the virtual hardware to mediate access to actual hardware. For example, a virtual network adapter can be mapped to a virtual network that is in turn mapped to an actual network interface. Virtual machines have the following simulated hardware by default:
- BIOS. Simulates the computer's BIOS. Just as on a standalone computer, you can configure various factors on the virtual machine, such as:
  - The boot order for the virtual machine's virtual hardware
  - From which device it will boot (for example, from a DVD drive, Integrated Drive Electronics (IDE) disk, legacy network adapter, or floppy disk)
  - Num Lock
- Memory. Allows you to allocate memory resources to the virtual machine. An individual virtual machine can be allocated up to 1 TB of memory. You will learn about configuring memory later in this lesson.
- Processor. Allows you to allocate processor resources to the virtual machine. You can allocate up to 64 virtual processors to a single virtual machine.
- IDE Controller 0. A virtual machine can only support two IDE controllers and, by default, two are allocated to each virtual machine. Each IDE controller can support two devices. You can connect virtual hard disks or virtual DVD drives to an IDE controller. If booting from a hard disk drive or DVD-ROM, the boot device must be connected to an IDE controller. Use IDE controllers to connect virtual hard disks and DVD-ROMs to virtual machines that use any operating systems that do not support integration services.
- IDE Controller 1. Allows additional virtual hard drives and DVD-ROMs to be deployed to the virtual machine.
- SCSI Controller. A small computer system interface (SCSI) controller can only be used on virtual machines that you deploy with operating systems that support integration services.
- Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You can only use synthetic network adapters with supported virtual machine guest operating systems.
- COM 1. Allows you to configure a connection through a named pipe.
- COM 2. Allows you to configure an additional connection through a named pipe.
- Diskette Drive. Allows you to map a virtual floppy disk (.vfd) image to a virtual diskette drive.

You can add the following hardware to a virtual machine by editing the virtual machine's properties and clicking Add Hardware:
- SCSI Controller. You can add up to four virtual SCSI controllers. Each controller supports up to 64 disks.
- Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters. You will learn more about synthetic network adapters in Lesson 4.
- Legacy Network Adapter. Legacy network adapters allow you to use network adapters with operating systems that do not support integration services. You can also use legacy network adapters to allow network (PXE) deployment of operating system images. A single virtual machine can have up to four legacy network adapters. You will learn more about legacy network adapters in Lesson 4.
- Fibre Channel adapter. Allows a virtual machine to connect directly to a Fibre Channel storage area network (SAN). A Fibre Channel adapter requires that the Hyper-V host have a Fibre Channel host bus adapter (HBA) that also has a Windows Server 2012 driver that supports Virtual Fibre Channel.
- RemoteFX 3D video adapter. The RemoteFX 3D video adapter allows virtual machines to display high-performance graphics by leveraging DirectX and graphics processing power on the host Windows Server 2012 server.

Additional Reading: For more information about Virtual Fibre Channel adapters see: http://technet.microsoft.com/en-us/library/hh831413.aspx.


Configuring Dynamic Memory


In the first release of Hyper-V with Windows Server 2008, you could only assign a static amount of memory to virtual machines. Unless you took special precautions to measure the precise amount of memory that a virtual machine required, you were likely to either under-allocate or over-allocate memory. Dynamic Memory allows you to allocate a minimum amount of memory to a virtual machine, and then to allow the virtual machine to request additional memory as needed. Dynamic Memory was introduced with Windows Server 2008 R2 Service Pack 1 (SP1).

Rather than attempting to guess how much memory a virtual machine requires, Dynamic Memory allows you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a minimum value, which will always be allocated to the virtual machine. You can also choose a maximum value, which the virtual machine will not exceed even if the virtual machine requests more memory. Virtual machines must support Hyper-V integration services to use Dynamic Memory.

With Windows Server 2012, an administrator can modify Dynamic Memory minimum and maximum values while the virtual machine is running. This was not possible with Windows Server 2008 R2 SP1. You can perform this task from a virtual machine's settings dialog box.

Smart Paging
Another new memory feature that is available in Windows Server 2012 is Smart Paging. Smart Paging provides a solution to the problem of minimum memory allocation related to virtual machine startup. Virtual machines can require more memory during startup than they require during normal operation. In the past, it was necessary to allocate the minimum memory required for startup to ensure that startup occurred; this meant that the amount of memory allocated could be more than the virtual machine needed during normal operation. Smart Paging uses disk paging to assign additional temporary memory to a virtual machine when it is starting up. This allows you to allocate memory based on what the virtual machine needs when it is operating normally, rather than the amount that it needs during startup. Unfortunately, Smart Paging results in lower performance because it uses disk resources that are used by the host server and other virtual machines.

Note: You can configure virtual machine memory using the Set-VMMemory Windows PowerShell cmdlet.
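As an added example (not code from the course), the following script applies the settings described above to one guest with Set-VMMemory, relocates the Smart Paging file with Set-VM, and then shows the one change Windows Server 2012 permits on a running guest: raising the maximum. The guest name, the sizes, and the paging path are assumptions; run it on the Hyper-V host in an elevated session.

```powershell
# Added example (not from the course): enable Dynamic Memory on one guest with an
# explicit floor and ceiling, move its Smart Paging file off the host's system volume,
# then adjust the ceiling while the guest runs. Guest name, sizes and path are assumed.
$vmName     = 'LON-SVR1'                 # assumed guest
$pagingPath = 'E:\Hyper-V\SmartPaging'   # assumed dedicated volume for Smart Paging files

$vm = Get-VM -Name $vmName

# Dynamic Memory can only be switched on or off while the guest is powered off.
if ($vm.State -ne 'Off') {
    throw "$vmName must be shut down before Dynamic Memory can be enabled (current state: $($vm.State))."
}

$memory = @{
    VMName               = $vmName
    DynamicMemoryEnabled = $true
    StartupBytes         = 1GB     # handed to the guest at boot; Smart Paging backs it if host RAM is short
    MinimumBytes         = 512MB   # Hyper-V never reclaims the guest below this
    MaximumBytes         = 4GB     # hard ceiling, even if the guest keeps asking for more
    Buffer               = 20      # percent of headroom Hyper-V tries to keep free for the guest
}
Set-VMMemory @memory

# Keep the Smart Paging file off the system disk so a paging-heavy startup does not
# compete with the host operating system's own I/O.
if (-not (Test-Path -Path $pagingPath)) {
    New-Item -ItemType Directory -Path $pagingPath | Out-Null
}
Set-VM -Name $vmName -SmartPagingFilePath $pagingPath

Start-VM -Name $vmName

# While the guest is running, the minimum can be lowered and the maximum raised
# without stopping it; this is the Windows Server 2012 change described above.
Set-VMMemory -VMName $vmName -MaximumBytes 6GB

Get-VMMemory -VMName $vmName |
    Format-List DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer
Get-VM -Name $vmName |
    Format-List Name, State, MemoryAssigned, MemoryDemand, SmartPagingFilePath
```

MemoryDemand versus MemoryAssigned on the last line is the quickest way to see whether the ceiling you chose is actually being hit; a guest whose demand sits at the maximum for long periods needs a higher MaximumBytes, not a larger Buffer.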

Additional Reading: For more information about Hyper-V Dynamic Memory, see: http://technet.microsoft.com/en-us/library/hh831766.aspx.


Configuring Virtual Machine Integration Services


Once you have installed guests onto the host server, you can install Virtual Machine Integration Services to improve the performance of both the host and the guests; the guest is then said to be integrated into the host server. Supported operating systems can use integration services components and adapter functionality such as SCSI adapters and synthetic network adapters. Hyper-V supported virtual machine guest operating systems include:
- Windows Server 2012
- Windows Server 2008 R2 with SP1
- Windows Server 2008 with Service Pack 2 (SP2)
- Windows Server 2003 R2 with SP2
- Windows Home Server 2011
- Windows MultiPoint Server 2011
- Windows Small Business Server 2011
- Windows Server 2003 with SP2
- CentOS 6.0-6.2
- CentOS 5.5-5.7
- Red Hat Enterprise Linux 6.0-6.2
- Red Hat Enterprise Linux 5.5-5.7
- SUSE Linux Enterprise Server 11 with SP1 or SP2
- SUSE Linux Enterprise Server 10 with Service Pack 4 (SP4)
- Windows 7 with SP1
- Windows Vista with SP2
- Windows XP with Service Pack 3 (SP3)

Note: Support for the Windows XP operating system ends in April 2014. Support for Windows Server 2003 and Windows Server 2003 R2 expires in July 2015.


You can install the Hyper-V integration services components on an operating system by accessing the Virtual Machine Connection window, and then in the Action menu, clicking the Insert Integration Services Setup Disk item. You can then install the relevant operating system drivers either manually or automatically. You can also enable the following virtual machine integration components:
- Operating system shutdown. Allows the Hyper-V server to initiate a graceful shutdown of the guest virtual machine.
- Time synchronization. Allows the virtual machine to use the host server's clock for the purposes of time synchronization.
- Data exchange. Allows the Hyper-V host to write data to the registry of the virtual machine.
- Heartbeat. Allows Hyper-V to determine if the virtual machine has become unresponsive.
- Backup (volume snapshot). Allows the Volume Shadow Copy Service (VSS) provider to create snapshots of the virtual machine for the purposes of backup operations, without interrupting the virtual machine's normal operations.
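Each of the components above is also exposed per guest through Get-VMIntegrationService, Enable-VMIntegrationService and Disable-VMIntegrationService. The following added example (not from the course) inventories them for every guest on the host and enforces a small per-guest policy. The guest names and the policy itself are assumptions; the service names are the ones Hyper-V on Windows Server 2012 reports, which differ slightly from the labels in the settings dialog (Data exchange appears as "Key-Value Pair Exchange", Backup as "VSS").

```powershell
# Added example (not from the course): inventory integration services for every guest
# on this host and enforce a per-guest policy. Guest names and policy are assumptions.
$policy = @{
    # Assumed virtualized domain controller: it should take time from the domain
    # hierarchy rather than from the host clock, so Time Synchronization is disabled.
    'LON-DC1'  = @{ Disable = @('Time Synchronization') }
    # Assumed guest whose registry must not be writable from the host side.
    'LON-SVR1' = @{ Disable = @('Key-Value Pair Exchange') }
}

# Inventory: one row per guest per service.
$inventory = foreach ($vm in Get-VM) {
    foreach ($svc in Get-VMIntegrationService -VMName $vm.Name) {
        [pscustomobject]@{
            VM      = $vm.Name
            Service = $svc.Name
            Enabled = $svc.Enabled
            # "OK" only when the guest has the components installed and answers;
            # "No Contact" means the guest cannot use this service at all.
            Status  = $svc.PrimaryStatusDescription
        }
    }
}
$inventory | Format-Table -AutoSize

# Enforcement: disable what the policy names, keep everything else enabled.
foreach ($vmName in $policy.Keys) {
    if (-not (Get-VM -Name $vmName -ErrorAction SilentlyContinue)) {
        Write-Warning "$vmName is not on this host; skipping."
        continue
    }
    $disable  = $policy[$vmName].Disable
    $services = Get-VMIntegrationService -VMName $vmName

    $services | Where-Object { $_.Name -in $disable -and $_.Enabled } |
        ForEach-Object { Disable-VMIntegrationService -VMName $vmName -Name $_.Name }

    $services | Where-Object { $_.Name -notin $disable -and -not $_.Enabled } |
        ForEach-Object { Enable-VMIntegrationService -VMName $vmName -Name $_.Name }
}

# Re-read to confirm the end state for the guests the policy touched.
foreach ($vmName in $policy.Keys) {
    Get-VMIntegrationService -VMName $vmName -ErrorAction SilentlyContinue |
        Select-Object @{ Name = 'VM'; Expression = { $vmName } }, Name, Enabled |
        Format-Table -AutoSize
}
```

Disabling a service on the host side only stops Hyper-V from offering it; a guest that never had the integration components installed shows "No Contact" in the inventory regardless, which is the quickest way to spot guests that also cannot use synthetic adapters or SCSI controllers.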

Configuring Virtual Machine Start and Stop Actions


Virtual machine start and stop actions allow you to configure what steps the Hyper-V host performs with specific virtual machines when the Hyper-V host is started or shut down. You can use virtual machine start and stop actions to ensure that critical virtual machines always start automatically whenever a Hyper-V host is restarted, and that they are shut down gracefully if the server receives a shutdown command.

You configure startup and shutdown settings for each individual virtual machine by editing the properties of the virtual machine. You do this by right-clicking the virtual machine and clicking Settings. You can configure the following options in the Automatic Start Actions window:
- Nothing. The virtual machine is not started automatically when the Hyper-V host starts, even if the virtual machine was in a running state when the Hyper-V host was shut down.
- Automatically start if it was running when the service stopped. The virtual machine will start if it was running when the Hyper-V host received the command to shut down, or in the event that the virtual machine was running when the server suffered a failure that caused it to be powered off.
- Always start this virtual machine automatically. The virtual machine always starts when the Hyper-V host starts. You can configure a startup delay to ensure that multiple virtual machines do not attempt startup at the same time.

You can configure the following options in the Automatic Stop Actions window:
- Save the virtual machine state. Saves the active state of the virtual machine, including memory, to disk. Allows the virtual machine to be resumed when the Hyper-V host restarts.
- Turn off the virtual machine. The virtual machine is powered off with the possibility of data loss.
- Shut down the guest operating system. The virtual machine is shut down in a graceful manner. This option is only available if integration services components are installed on the virtual machine.

13-14

Implementing Server Virtualization with Hyper-V

Note: You can also configure virtual machine automatic start and automatic stop actions by using the Set-VM cmdlet with the AutomaticStartAction and AutomaticStopAction parameters.
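The following Windows PowerShell script is an added example, not part of the course text. It enables the integration components listed above and sets the start and stop actions with Set-VM, then reports the configuration of every virtual machine on the host so that a critical server left with the "Turn off" stop action (possible data loss) is easy to spot. The virtual machine name LON-SVR1 is an assumption.

```powershell
# Added example (not from the course): integration services and automatic
# start/stop actions with the Windows Server 2012 Hyper-V module.
# Assumption: a virtual machine named LON-SVR1 exists on the local host.
Import-Module Hyper-V

$vmName = 'LON-SVR1'   # assumed VM name

# Enable the integration components the lesson lists. The names are the ones
# reported by Get-VMIntegrationService.
$services = 'Shutdown', 'Time Synchronization', 'Key-Value Pair Exchange', 'Heartbeat', 'VSS'
foreach ($svc in $services) {
    Enable-VMIntegrationService -VMName $vmName -Name $svc
}

# Start only if the VM was running when the host went down, wait 60 seconds so
# several VMs do not start at once, and shut the guest down gracefully on host
# shutdown (ShutDown needs the Shutdown integration service enabled above).
Set-VM -Name $vmName `
       -AutomaticStartAction StartIfRunning `
       -AutomaticStartDelay 60 `
       -AutomaticStopAction ShutDown

# Review every VM on the host: a TurnOff stop action on a critical VM means
# an unclean power-off whenever the host is shut down.
Get-VM |
    Select-Object Name, AutomaticStartAction, AutomaticStartDelay, AutomaticStopAction |
    Format-Table -AutoSize

# Confirm which integration services are actually enabled on this VM.
Get-VMIntegrationService -VMName $vmName | Select-Object Name, Enabled
```

The valid values for -AutomaticStartAction are Nothing, StartIfRunning and Start; for -AutomaticStopAction they are TurnOff, Save and ShutDown, matching the three options in each dialog box above.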

Hyper-V Resource Metering


Resource metering allows you to track the resource utilization of virtual machines hosted on Windows Server 2012 computers with the Hyper-V role installed. With resource metering, you can measure the following parameters on individual Hyper-V virtual machines:
- Average CPU use
- Average physical memory use, including:
   o Minimum memory use
   o Maximum memory use
- Maximum disk space allocation
- Incoming network traffic for a network adapter
- Outgoing network traffic for a network adapter

By measuring how much of these resources each virtual machine uses, an organization can bill departments or customers based on their hosted virtual machines' use, rather than charging a flat fee per virtual machine. An organization with only internal customers can also use these measurements to see patterns of use and plan future expansions. You perform resource metering tasks using Windows PowerShell cmdlets in the Hyper-V Windows PowerShell module. There is no GUI tool that allows you to perform this task. You can use the following cmdlets to perform resource metering tasks:
- Enable-VMResourceMetering. Starts collecting data on a per virtual machine basis.
- Disable-VMResourceMetering. Disables resource metering on a per virtual machine basis.
- Reset-VMResourceMetering. Resets virtual machine resource metering counters.
- Measure-VM. Displays resource metering statistics for a specific virtual machine.
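As an added example (not from the course), the script below runs the four cmdlets as a chargeback cycle: enable metering, collect a per-VM report with Measure-VM, export it, and reset the counters for the next billing period. The virtual machine names and the export path are assumptions; the property names (AvgCPU, AvgRAM, MaxRAM, TotalDisk, NetworkMeteredTrafficReport, MeteringDuration) are those exposed by the Measure-VM output object.

```powershell
# Added example (not from the course): a resource metering cycle for billing.
# Assumptions: VMs LON-SVR1 and LON-SVR2 exist; C:\Reports is writable.
Import-Module Hyper-V

$vmNames = 'LON-SVR1', 'LON-SVR2'

# Start collecting. Metering keeps running across VM restarts until disabled.
foreach ($vm in $vmNames) { Enable-VMResourceMetering -VMName $vm }

# ... workloads run for the billing period ...

# Build one record per VM. Measure-VM reports average CPU (MHz), average and
# maximum RAM (MB), total disk allocation (MB) and a per-adapter traffic report
# with a Direction (Inbound/Outbound) and TotalTraffic (MB) for each entry.
$report = foreach ($vm in $vmNames) {
    $m = Measure-VM -VMName $vm
    $inbound  = ($m.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Inbound' |
                 Measure-Object TotalTraffic -Sum).Sum
    $outbound = ($m.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Outbound' |
                 Measure-Object TotalTraffic -Sum).Sum
    [pscustomobject]@{
        VM          = $m.VMName
        AvgCpuMHz   = $m.AvgCPU
        AvgRamMB    = $m.AvgRAM
        MaxRamMB    = $m.MaxRAM
        TotalDiskMB = $m.TotalDisk
        NetInMB     = $inbound
        NetOutMB    = $outbound
        MeteredFor  = $m.MeteringDuration
    }
}
$report | Format-Table -AutoSize

# Hand the figures to the billing system, then zero the counters so the next
# period starts clean (the disk allocation figure is a high-water mark).
$report | Export-Csv -Path 'C:\Reports\vm-usage.csv' -NoTypeInformation   # assumed path
foreach ($vm in $vmNames) { Reset-VMResourceMetering -VMName $vm }
```

Disable-VMResourceMetering is the only cmdlet not used above; run it for a VM that is decommissioned so that the host stops collecting counters for it.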

Additional Reading: For more information about resource metering for Hyper-V see: http://technet.microsoft.com/en-us/library/hh831661.aspx.

20410A: Installing and Configuring Windows Server 2012


Lesson 3

Managing Virtual Machine Storage


Hyper-V provides many different virtual machine storage options. If you know which option is appropriate for a given situation, then you can ensure that a virtual machine performs well. However, if you do not understand the different virtual machine storage options, you may end up deploying virtual hard disks that consume unnecessary space or that place an unnecessary performance burden on the host Hyper-V server. In this lesson, you will learn about different virtual hard disk types, different virtual hard disk formats, and the benefits and limitations of using virtual machine snapshots.

Lesson Objectives


After completing this lesson you will be able to:
- Explain the purpose of a virtual hard disk.
- Create a virtual hard disk type.
- Manage virtual hard disks.
- Deploy differencing disks to reduce storage.
- Use virtual machine snapshots.

What Is a Virtual Hard Disk?


A virtual hard disk is a special file format that represents a traditional hard disk drive. You can configure a virtual hard disk with partitions and an operating system. Virtual hard disks can be used with virtual machines, and you can also mount virtual hard disks using the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 8, and Windows 7 operating systems. Windows Server 2012 supports boot to virtual hard disk; this allows you to configure the computer to boot into a Windows Server 2012 operating system that is deployed on a virtual hard disk, or into certain editions of the Windows 8 operating system that are deployed on a virtual hard disk. You can create a virtual hard disk using:
- The Hyper-V Manager console.
- The Disk Management console.
- The diskpart command-line tool.
- The New-VHD Windows PowerShell cmdlet.

Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also support boot to virtual hard disk.


VHDX vs. VHD


Virtual hard disks use the .vhd extension. Windows Server 2012 introduces the new VHDX format for virtual hard disks. The VHDX format has the following benefits over the VHD format that was used in Hyper-V on Windows Server 2008 and Windows Server 2008 R2:
- VHDX virtual hard disks can be as large as 64 TB. VHD virtual hard disks were limited to 2 TB.
- The VHDX virtual hard disk file structure means that the disk is less likely to become corrupt if the host server suffers an unexpected power outage.
- The VHDX virtual hard disk format supports better alignment when deployed to a large sector disk.
- VHDX virtual hard disks allow a larger block size for dynamic and differencing disks, which provides better performance for these workloads.

You can convert an existing VHD file to VHDX format using the Edit Virtual Hard Disk Wizard, if you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows Server 2012. It is also possible to convert from VHDX format to VHD. You will learn more about converting virtual hard disks later in this lesson.

SMB Share Support


Windows Server 2012 now supports virtual hard disks that are stored on SMB 3 file shares. This is an alternative to storing virtual hard disk files on Internet SCSI (iSCSI) or Fibre Channel SAN devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network share. You specify this when choosing the virtual hard disk location or attaching an existing virtual hard disk. The file share must support SMB 3. This limits you to placing virtual hard disks on file shares that are hosted on file servers with Windows Server 2012. Older versions of Windows Server do not support SMB 3.

Additional Reading: For more information about virtual hard disk formats see: http://technet.microsoft.com/en-us/library/hh831446.aspx.

Creating Virtual Disk Types


When you configure a virtual hard disk, you can choose between several different disk types, including fixed, dynamic, and pass-through. Differencing disks will be discussed later in this lesson.

Creating Fixed Virtual Hard Disks


When you create a fixed virtual hard disk, all of the hard disk space is allocated during the creation process. This has the advantage of minimizing fragmentation, which improves virtual hard disk performance when hosted on traditional storage devices. This has the disadvantage of requiring you to allocate all space used by the fixed virtual hard disk at the time that the disk is created. In many situations, you will not know precisely how much disk space a virtual machine needs. If you use fixed hard disks, you may end up allocating space to storage that is not actually required.


To create a fixed virtual hard disk, perform the following steps:
1. Open the Hyper-V Manager console.
2. On the Actions pane, click New, and then click Hard Disk.
3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
4. In the New Virtual Hard Disk Wizard, on the Choose Disk Format page, click either VHD or VHDX, and then click Next.
5. On the Choose Disk Type page, click Fixed size, and then click Next.
6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a folder in which to host the virtual hard disk file.
7. On the Configure Disk page, choose one of the following options:
   o Create a new blank virtual hard disk of the specified size.
   o Copy the contents of a specified physical disk. Allows you to replicate an existing physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the disk that you have replicated. Replicating an existing physical hard disk does not alter data on the existing disk.
   o Copy the contents of a specified virtual hard disk. Allows you to create a new fixed hard disk based on the contents of an existing virtual hard disk.

Note: You can create a new fixed hard disk using the New-VHD Windows PowerShell cmdlet with the -Fixed parameter.

Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID volumes, or on SSDs. Improvements in Hyper-V (since it was first introduced with Windows Server 2008) also minimize the performance differences between dynamic and fixed virtual hard disks.

Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only uses the amount of space that needs to be allocated, and will grow as necessary. For example, if you create a new virtual machine and specify a dynamic disk, only a small amount of disk space will be allocated to the new disk. For a VHD format virtual hard disk, approximately 260 kilobytes (KB) are allocated. For a VHDX format virtual hard disk, approximately 4,096 KB are allocated. As storage is allocated, the dynamic virtual hard disk will grow. If you delete files from a dynamically expanding virtual hard disk, the virtual hard disk file will not shrink. You can only shrink a dynamically expanding virtual hard disk file by performing a shrink operation. You will learn how to shrink virtual hard disks later in this lesson. You perform similar steps when creating a dynamically expanding virtual hard disk to when you create a fixed virtual hard disk. The difference is that on the Choose Disk Type page, you choose the Dynamically Expanding type.

Note: You can create a new dynamic hard disk using the New-VHD Windows PowerShell cmdlet with the -Dynamic parameter.

Pass-Through Disks
Pass-through disks allow the virtual machine to access a physical disk drive, rather than to use a virtual hard disk. You can use pass-through disks to connect a virtual machine directly to an iSCSI logical unit number (LUN). When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do this, you must use the Disk Management console on the host to take the disk offline. Once the disk is offline, you can connect it to one of the virtual machine's disk controllers. You can attach a pass-through disk by performing the following steps:
1. Ensure that the target hard disk is offline.
2. Use the Hyper-V console to edit an existing virtual machine's properties.
3. Click an IDE or SCSI controller, click Add, and then click Hard Drive.
4. In the Hard Drive dialog box, select Physical Hard Disk. From the drop-down menu, select the disk that you want to use as the pass-through disk.

Note: You do not have to shut a virtual machine down if you connect the pass-through disk to a virtual machine's SCSI controller. If you want to connect to a virtual machine's IDE controller, then you must first shut down the virtual machine.
Question: Why might you consider using fixed virtual hard disks instead of dynamic virtual hard disks?
Question: In what types of situations might you encounter difficulties if you use dynamically expanding disks?
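The script below is an added example, not part of the course, showing the three disk types of this topic created from Windows PowerShell: a fixed and a dynamic disk with New-VHD (the -Fixed and -Dynamic parameters from the notes above), a comparison of their logical size against the space they actually consume, and a pass-through disk attached after the host takes it offline. The virtual machine name, the D:\VHDs folder and physical disk number 3 are assumptions.

```powershell
# Added example (not from the course): fixed, dynamic and pass-through disks.
# Assumptions: VM LON-SVR1 exists, D:\VHDs exists, and physical disk 3 on the
# host is the disk reserved for pass-through use.
Import-Module Hyper-V

$vmName = 'LON-SVR1'

# Fixed disk: all 40 GB is allocated on the host volume at creation time.
$fixed = New-VHD -Path 'D:\VHDs\LON-SVR1-data.vhdx' -SizeBytes 40GB -Fixed

# Dynamic disk: the file starts at a few MB and grows as the guest writes.
$dynamic = New-VHD -Path 'D:\VHDs\LON-SVR1-logs.vhdx' -SizeBytes 200GB -Dynamic

# Logical size (what the guest sees) versus space consumed on the host volume.
Get-VHD -Path $fixed.Path, $dynamic.Path |
    Select-Object Path, VhdType,
        @{n='SizeGB';     e={ $_.Size / 1GB }},
        @{n='FileSizeGB'; e={ [math]::Round($_.FileSize / 1GB, 2) }}

# Attach both to the SCSI controller; SCSI disks can be added while the VM runs.
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -Path $fixed.Path
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -Path $dynamic.Path

# Pass-through: the host must release the disk (offline) before the VM gets
# exclusive access. DiskNumber is the number shown by Get-Disk on the host.
$passThrough = 3
Set-Disk -Number $passThrough -IsOffline $true
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -DiskNumber $passThrough

# Confirm what the VM now has attached.
Get-VMHardDiskDrive -VMName $vmName |
    Select-Object ControllerType, ControllerNumber, ControllerLocation, Path, DiskNumber
```

Run the two Get cmdlets again after the guest has written data to the dynamic disk: the FileSize column grows while Size stays at 200 GB, which is the behaviour the questions above ask you to consider.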

Managing Virtual Hard Disks


From time to time, you will need to perform maintenance operations on virtual hard disks. For example, you might want to compact a virtual hard disk to free up space, or convert a virtual hard disk to another format as your needs change. You can perform the following maintenance operations on virtual hard disks:
- Convert the disk from fixed to dynamic.
- Convert the disk from dynamic to fixed.
- Convert a virtual hard disk in VHD format to VHDX.
- Convert a virtual hard disk in VHDX format to VHD.

When you convert a virtual hard disk, the contents of the existing virtual hard disk are copied to a newly created virtual hard disk that has the settings that you have chosen. For example, when converting from a fixed virtual hard disk to a dynamic virtual hard disk, a new dynamic virtual hard disk is created, the contents of the existing fixed virtual hard disk are copied to the new dynamic virtual hard disk, and then the existing fixed virtual hard disk is deleted, with the new dynamic virtual hard disk taking its place. To convert a virtual hard disk, perform the following steps:
1. In the Hyper-V Manager console, from the Actions pane, click Edit Disk.
2. In the Edit Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
3. On the Locate Virtual Hard Disk page, click Browse. Select the virtual hard disk that you want to convert.
4. On the Choose Action page, select Convert, and then click Next.
5. On the Convert Virtual Hard Disk page, choose between VHD and VHDX format. The current disk format will already be selected. If you want to convert between these two formats, choose the appropriate format, and then click Next. You do not have to change format.
6. On the Convert Virtual Hard Disk page, choose between Fixed Size and Dynamically Expanding. If you also want to convert the hard disk type, choose the appropriate type, and then click Next.
7. On the Configure Disk page, choose the destination location for the disk.

You can also shrink a dynamic virtual hard disk that is not using all of the space that it is allocated. For example, a dynamic virtual hard disk might be allocated 60 GB on the parent volume, but only use 20 GB of that space. You shrink a virtual hard disk by selecting the Compact option in the Edit Virtual Hard Disk Wizard. You cannot shrink fixed virtual hard disks. You must first convert a fixed virtual hard disk to dynamic before you can compact the disk. You can use the Resize-Partition and the Resize-VHD Windows PowerShell cmdlets to compact a dynamically expanding virtual hard disk. You can also use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically expanding and fixed virtual hard disks.
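As an added example (not from the course), the script below performs the maintenance operations of this topic from Windows PowerShell: Convert-VHD for the format and type conversions the wizard offers, Optimize-VHD for the Compact operation, and Resize-VHD for shrinking and expanding. The file names under D:\VHDs are assumptions, and the disks are assumed to belong to a virtual machine that is shut down.

```powershell
# Added example (not from the course): convert, compact, shrink and expand VHDs.
# Assumptions: files under D:\VHDs; the owning VM is shut down while this runs.
Import-Module Hyper-V

# VHD -> VHDX and fixed -> dynamic in one operation. Like the wizard, the contents
# are copied to a new file; -DeleteSource removes the original afterwards (the
# wizard does this for you, Convert-VHD only when asked).
Convert-VHD -Path 'D:\VHDs\old-server.vhd' `
            -DestinationPath 'D:\VHDs\old-server.vhdx' `
            -VHDType Dynamic -DeleteSource

# Compact: a dynamic disk does not shrink when the guest deletes files.
# Optimize-VHD reclaims the unused blocks (the wizard's Compact action).
Optimize-VHD -Path 'D:\VHDs\old-server.vhdx' -Mode Full

# Shrink the maximum size. Resize-VHD will not cut into allocated data, so the
# guest partition must already have been reduced (Resize-Partition inside the
# guest, or after Mount-VHD on the host) before the disk itself is shrunk.
Resize-VHD -Path 'D:\VHDs\old-server.vhdx' -SizeBytes 60GB

# Expand: works for fixed and dynamic disks alike; the guest then extends its
# partition into the new unallocated space.
Resize-VHD -Path 'D:\VHDs\big-data.vhdx' -SizeBytes 500GB

# Verify format, type, logical size and space actually used on the host volume.
Get-VHD -Path 'D:\VHDs\old-server.vhdx', 'D:\VHDs\big-data.vhdx' |
    Select-Object Path, VhdFormat, VhdType,
        @{n='SizeGB';     e={ $_.Size / 1GB }},
        @{n='FileSizeGB'; e={ [math]::Round($_.FileSize / 1GB, 2) }}
```

Convert-VHD and Resize-VHD refuse to run while the disk is attached to a running virtual machine, which is the same restriction the wizard enforces.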

Reducing Storage Needs with Differencing Disks


Differencing disks are separate virtual hard disks that record the changes made to a parent disk. Differencing disks allow you to reduce the amount of hard disk space consumed by virtual hard disks at the cost of disk performance. Differencing disks work well with SSD, and where there is a limited amount of space available on the host volume and the disk performance compensates for the performance drawbacks of using a differencing disk. You can link multiple differencing disks to a single parent disk. However, if you modify the parent disk, the links to all of the differencing disks will fail. You can reconnect a differencing disk to the parent using the Inspect Disk tool, which is available in the Actions pane of the Hyper-V Manager console. You can also use the Inspect Disk tool to locate the parent disk of a differencing disk. To create a differencing disk, perform the following steps:
1. Open the Hyper-V Manager console.
2. In the Actions pane, click New, and then click Hard Disk.
3. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
4. On the Choose Disk Format page, click VHD, and then click Next.
5. On the Choose Disk Type page, click Differencing, and then click Next.
6. On the Specify Name and Location page, provide the location of the parent hard disk.


You can create a differencing virtual hard disk using the New-VHD Windows PowerShell cmdlet. For example, to create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, use the following Windows PowerShell command:
New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd
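Building on that command, the following added example (not from the course) creates several differencing disks from one parent, marks the parent read-only so that an accidental write cannot break every child, and checks each chain the way the Inspect Disk tool does, reporting a missing or modified parent before the virtual machines are started. The D:\VHDs paths and the virtual machine names are assumptions.

```powershell
# Added example (not from the course): one read-only parent, several children,
# and a chain check. Assumption: D:\VHDs\parent.vhdx already holds a
# generalized Windows Server 2012 image.
Import-Module Hyper-V

$parent = 'D:\VHDs\parent.vhdx'

# Any write to the parent invalidates every child, so make the file read-only.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

# One differencing disk per VM. Each starts almost empty and records only its
# own changes, so three VMs share a single copy of the base operating system.
$children = 1..3 | ForEach-Object {
    New-VHD -Path "D:\VHDs\LON-SVR$_-diff.vhdx" -ParentPath $parent -Differencing
}

# The PowerShell equivalent of Inspect Disk: type, parent and size of each child.
Get-VHD -Path $children.Path |
    Select-Object Path, VhdType, ParentPath,
        @{n='FileSizeMB'; e={ [math]::Round($_.FileSize / 1MB, 1) }}

# Chain check before any VM starts: a child whose parent is missing, or whose
# parent changed after the child was created, must not be used.
foreach ($child in $children) {
    $info = Get-VHD -Path $child.Path
    if (-not (Test-Path $info.ParentPath)) {
        Write-Warning "$($child.Path): parent $($info.ParentPath) is missing"
    }
    elseif ((Get-Item $info.ParentPath).LastWriteTime -gt (Get-Item $child.Path).CreationTime) {
        Write-Warning "$($child.Path): parent was modified after this child was created"
    }
}
```

If the parent has been moved rather than modified, Set-VHD with -ParentPath re-links a child to its new location, which is what the Inspect Disk tool's reconnect option does in the console.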

Using Snapshots


Snapshots represent the state of a virtual machine at a particular point in time. They are a static image of the set of data on the virtual machine at the moment the snapshot is taken. Snapshots are stored in either .avhd or .avhdx format depending on the virtual hard disk format. You can take a snapshot of a virtual machine from the Action menu of the Virtual Machine Connection window, or from the Hyper-V console. Each virtual machine can have a maximum of 50 snapshots. You can take snapshots at any time, even when a virtual machine is shut down. When you take a snapshot of a running virtual machine, the snapshot includes the contents of the virtual machine's memory. When taking snapshots of multiple virtual machines that are part of the same group, for example a virtual domain controller and a virtual member server, you should take these snapshots simultaneously. This ensures that items such as computer account passwords are synchronized between the virtual DC and the virtual member server. Remember that when you revert to a snapshot, you are reverting to a computer's state at that point in time. If you take a computer back to a point before it had performed a computer password change with a domain controller, you will need to rejoin that computer to the domain or run the netdom resetpwd command.

Snapshots vs. Backups


Snapshots are not a replacement for backups. Snapshot data is stored on the same volume as the virtual hard disks. If the volume hosting these files fails, both the snapshot and the virtual hard disk files will be lost.

Exporting Snapshots


You can perform a virtual machine export of a snapshot. When you perform an export of the snapshot, Hyper-V will create full virtual hard disks that represent the state of the virtual machine at the time the snapshot was taken. If you choose to export an entire virtual machine, all snapshots associated with the virtual machine will also be exported.

Differencing Disk Files


When you create a snapshot, Hyper-V writes differencing disk (.avhd or .avhdx) files, which store the data that differentiates the snapshot from the previous snapshot, or from the parent virtual hard disk. When you delete snapshots, this data is either discarded, or merged back into the previous snapshot or parent virtual hard disk. For example:
- If you delete the most recent snapshot, the data is discarded. With Hyper-V in Windows Server 2012, this space is reclaimed immediately rather than when the virtual machine is shut down.
- If you delete the second most recent snapshot, the data is merged so that the earlier and later snapshot states of the virtual machine retain their integrity.

Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time the snapshot was taken. Reverting to a snapshot does not delete existing snapshots. If you revert to a snapshot after making a configuration change, you will be prompted to take a snapshot. It is only necessary to create a new snapshot if you want to return to that current configuration. It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of a virtual machine on Monday, Tuesday and then on Wednesday, and if on Thursday you apply the Tuesday snapshot and then made changes to the configuration of the virtual machine, you will have created a new branch that diverges from the original Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50 snapshots per virtual machine limit.
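The following added example (not from the course) walks through the snapshot operations of this lesson in Windows PowerShell: a simultaneous snapshot of a domain controller and a member server, as the text recommends, a listing that shows the tree structure through each snapshot's parent, an export of one snapshot to full virtual hard disks, a revert, and a check against the 50-snapshot limit. The virtual machine names and the export folder are assumptions.

```powershell
# Added example (not from the course): snapshot a DC and a member server together,
# inspect the tree, export, revert, and watch the per-VM limit.
# Assumptions: VMs LON-DC1 and LON-SVR1 exist; D:\Exports exists.
Import-Module Hyper-V

$group = 'LON-DC1', 'LON-SVR1'
$label = 'Pre-update ' + (Get-Date -Format 'yyyy-MM-dd HHmm')

# One call for the whole group, so the DC and the member server are captured
# at the same moment and their computer account passwords stay in step.
Checkpoint-VM -Name $group -SnapshotName $label

# Each VM's tree: ParentSnapshotName is empty for a root and reveals branches.
Get-VMSnapshot -VMName $group |
    Select-Object VMName, Name, ParentSnapshotName, CreationTime |
    Sort-Object VMName, CreationTime |
    Format-Table -AutoSize

# Export one snapshot as a self-contained VM with full virtual hard disks.
# Snapshots are not backups: the .avhdx files sit on the same volume as the
# VHDX, so an export to other storage is what actually survives a volume loss.
Export-VMSnapshot -VMName 'LON-SVR1' -Name $label -Path 'D:\Exports'

# Revert the member server to the snapshot (existing snapshots are kept).
Restore-VMSnapshot -VMName 'LON-SVR1' -Name $label -Confirm:$false

# Delete only the most recent snapshot: its data is discarded and, on
# Windows Server 2012, the space is reclaimed immediately.
Get-VMSnapshot -VMName 'LON-SVR1' |
    Sort-Object CreationTime | Select-Object -Last 1 | Remove-VMSnapshot

# Warn before a VM reaches the limit of 50 snapshots.
foreach ($vm in Get-VM) {
    $count = @(Get-VMSnapshot -VMName $vm.Name).Count
    if ($count -ge 45) {
        Write-Warning "$($vm.Name) has $count of the 50 permitted snapshots"
    }
}
```

After a revert that takes the member server behind its last computer account password change, the rejoin or netdom resetpwd step from the previous topic still applies; the snapshot itself does not repair the trust relationship.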


Lesson 4

Managing Virtual Networks


Hyper-V provides several different options for network communication between virtual machines. Hyper-V allows you to configure virtual machines that communicate with an external network in a manner similar to traditionally deployed physical hosts. It also allows you to configure virtual machines so that they are only able to communicate with a limited number of other virtual machines that are hosted on the same Hyper-V host in Windows Server 2012. Knowing the options available for Hyper-V virtual networks ensures that you can leverage those options to best meet your organization's needs.

Lesson Objectives


After completing this lesson you will be able to:
- Describe virtual switches.
- Configure network virtualization.
- Manage a virtual machine MAC address pool.
- Configure virtual network adapters.

What Is a Virtual Switch?


A virtual switch is a virtual version of a network switch. The term virtual network, which was used in Windows Server 2008, has been replaced by the term virtual switch in Windows Server 2012. Virtual switches control how network traffic flows between virtual machines that are hosted on the Hyper-V server, and between virtual machines and the rest of the organizational network. You manage virtual switches through the Virtual Switch Manager, which is accessible through the Actions pane of the Hyper-V Manager console. Hyper-V on Windows Server 2012 supports three different types of virtual switches:
- External. Use this type of switch to map a network to a specific network adapter or network adapter team. Windows Server 2012 supports mapping an external network to a wireless network adapter if you have installed the Wireless Local Area Network (LAN) Service on the host Hyper-V server, and if the Hyper-V server has a compatible adapter.
- Internal. Use internal virtual switches to communicate between the virtual machines on the Hyper-V host, and to communicate between the virtual machines and the Hyper-V host itself.
- Private. Use private switches only to communicate between virtual machines on the Hyper-V host; you cannot use private switches to communicate between the virtual machines and the Hyper-V host itself.

When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated with the network. This allows you to extend existing VLANs on the external network to VLANs within the Hyper-V host's network switch. VLANs allow you to partition network traffic, and function as separate logical networks. Traffic can only pass from one VLAN to another if it passes through a router.


You can configure the following extensions for each virtual switch type:
- Microsoft NDIS Capture. This extension allows data travelling across the virtual switch to be captured.
- Microsoft Windows Filtering Platform. This extension allows data travelling across the virtual switch to be filtered.
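The following Windows PowerShell script is an added example (not from the course) that creates one switch of each type described in this topic, connects a virtual machine to the external switch with a VLAN ID, and lists and enables the two switch extensions named above. The physical adapter name "Ethernet 2", the virtual machine name and VLAN 20 are assumptions.

```powershell
# Added example (not from the course): the three switch types, a VLAN-tagged
# adapter, and switch extensions. Assumptions: host NIC "Ethernet 2" is free
# for the external switch; VM LON-SVR1 exists; VLAN 20 exists upstream.
Import-Module Hyper-V

# External: bound to a physical adapter. -AllowManagementOS $true keeps a
# host vNIC on the switch so the host does not lose its own connectivity.
New-VMSwitch -Name 'External-LAN' -NetAdapterName 'Ethernet 2' -AllowManagementOS $true

# Internal: VMs and the host can reach each other; nothing leaves the host.
New-VMSwitch -Name 'Internal-Mgmt' -SwitchType Internal

# Private: VM-to-VM only; the host itself has no presence on this switch.
New-VMSwitch -Name 'Private-Lab' -SwitchType Private

# Put the VM's adapter on the external switch in VLAN 20 (access mode). Traffic
# to other VLANs must cross a router, exactly as on the physical network.
Connect-VMNetworkAdapter -VMName 'LON-SVR1' -SwitchName 'External-LAN'
Set-VMNetworkAdapterVlan -VMName 'LON-SVR1' -Access -VlanId 20

# Extensions are enabled per switch. Capture is off by default; turning it on
# lets a monitoring tool see traffic crossing this switch.
Get-VMSwitchExtension -VMSwitchName 'External-LAN' | Select-Object Name, Enabled, Running
Enable-VMSwitchExtension -VMSwitchName 'External-LAN' -Name 'Microsoft NDIS Capture'

# Overview: which VM adapter is on which switch and VLAN.
Get-VMNetworkAdapter -VMName * |
    Select-Object VMName, SwitchName, MacAddress,
        @{n='VLAN'; e={ (Get-VMNetworkAdapterVlan -VMNetworkAdapter $_).AccessVlanId }}
```

Remove-VMSwitch tears a switch down again; with the external switch, the host's management vNIC goes with it, so run that from a console session rather than over the network the switch carries.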

Additional Reading: For more information about virtual switches see: http://technet.microsoft.com/en-us/library/hh831452.aspx.

Hyper-V Network Virtualization


Hyper-V Network Virtualization allows you to isolate virtual machines that share the same Hyper-V host, but are from different organizations. For example, if you provide Infrastructure as a Service (IaaS) to differing businesses, you will want to isolate their virtual machines from each other. Network Virtualization allows you to go beyond basic traffic partitioning by assigning these virtual machines to separate VLANs as a way of isolating network traffic. You would primarily deploy Network Virtualization in scenarios where you were using Hyper-V to host virtual machines for another organization. When you configure Network Virtualization, each guest virtual machine has two IP addresses that function in the following manner:
- Customer IP address. This address is assigned by the customer to the virtual machine. This IP address is configured in such a way that communication with the customer's internal network can occur even though the virtual machine might be hosted on a Hyper-V server that is connected to a separate public IP network. To display the customer IP address, execute IPCONFIG in a command-line window on the virtual machine.
- Provider IP address. This address is the IP address assigned by the hosting provider. This address is visible to the hosting provider and to other hosts on the physical network, but it is not visible from the virtual machine.

Network Virtualization allows you to host multiple machines that use the same customer address, for example 192.168.15.101, on the same Hyper-V host, because the virtual machines will be assigned different provider IP addresses.
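As an added example (not from the course), the script below configures exactly the case just described: two tenant virtual machines on one host that both use customer address 192.168.15.101, each mapped to its own provider address and kept apart by a virtual subnet ID and routing domain. The cmdlets are those of the Windows Server 2012 NetWNV module; the adapter name, virtual machine names, provider addresses, MAC addresses and routing domain IDs are constructed values.

```powershell
# Added example (not from the course): two tenants, one customer address each
# (both 192.168.15.101), different provider addresses on the same host.
# All names, addresses, MACs and routing domain IDs below are constructed.
Import-Module Hyper-V
Import-Module NetWNV

$nic = 'Ethernet 2'   # assumed host adapter that carries provider traffic

# Bind the Windows Network Virtualization filter to the physical adapter.
Enable-NetAdapterBinding -Name $nic -ComponentID 'ms_netwnv'
$ifIndex = (Get-NetAdapter -Name $nic).ifIndex

# Provider addresses (PA): what the hosting network sees. One per tenant VM here.
New-NetVirtualizationProviderAddress -ProviderAddress '10.1.1.10' -InterfaceIndex $ifIndex -PrefixLength 24
New-NetVirtualizationProviderAddress -ProviderAddress '10.1.1.11' -InterfaceIndex $ifIndex -PrefixLength 24

# Tenants: same customer address (CA), different virtual subnet ID (VSID) and routing domain.
$tenants = @(
    @{ VM='Blue-VM1'; Vsid=5001; CA='192.168.15.101'; PA='10.1.1.10'; MAC='00155D0FAB01'
       RDID='{11111111-1111-1111-1111-111111111111}' },
    @{ VM='Red-VM1';  Vsid=5002; CA='192.168.15.101'; PA='10.1.1.11'; MAC='00155D0FAB02'
       RDID='{22222222-2222-2222-2222-222222222222}' }
)

foreach ($t in $tenants) {
    # Pin the VM adapter's MAC (the lookup record is keyed on it) and tag the adapter with its VSID.
    Set-VMNetworkAdapter -VMName $t.VM -StaticMacAddress $t.MAC -VirtualSubnetId $t.Vsid

    # CA -> PA mapping; encapsulation carries the VSID on the wire, so the two
    # identical customer addresses never meet on the provider network.
    New-NetVirtualizationLookupRecord -CustomerAddress $t.CA -ProviderAddress $t.PA `
        -VirtualSubnetID $t.Vsid -MACAddress $t.MAC -Rule TranslationMethodEncap -VMName $t.VM

    # Each tenant's routing domain gets its own copy of 192.168.15.0/24.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.RDID -VirtualSubnetID $t.Vsid `
        -DestinationPrefix '192.168.15.0/24' -NextHop '0.0.0.0' -Metric 255
}

# Verify: the same CA appears twice, once per VSID, each with a different PA.
Get-NetVirtualizationLookupRecord |
    Select-Object CustomerAddress, VirtualSubnetID, ProviderAddress, VMName
```

Inside either guest, ipconfig shows only 192.168.15.101; the provider addresses exist solely on the host, which is the visibility split the two bullets above describe.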

Additional Reading: For more information about Network Virtualization see: http://technet.microsoft.com/en-us/library/hh831395.aspx.


Managing Virtual Machine MAC Addresses


Unless you specify a static media access control (MAC) address, Hyper-V dynamically allocates a MAC address to each virtual machine network adapter from a pool of MAC addresses. You can configure the address range of this pool from the MAC Address Range setting of the Virtual Switch Manager console. By default, a Hyper-V host has a pool of 255 MAC addresses. When virtual machines use private or internal networks, the MAC address that is allocated to network adapters is not likely to be of concern, because the Hyper-V host will ensure that duplicate MAC addresses are not assigned to different virtual machines. However, when you have multiple Hyper-V hosts and those computers host virtual machines that use adapters connected to external networks, you should ensure that each Hyper-V host uses a different pool of MAC addresses. This ensures that separate Hyper-V hosts that connect to the same network do not assign the same MAC addresses to the virtual machines that they host. When virtual machines are allocated IP addresses through a Dynamic Host Configuration Protocol (DHCP) reservation, you should consider using static MAC addresses. A DHCP reservation ensures that a particular IP address is always allocated to a specific MAC address. You can configure the MAC address range by performing the following steps:
1. Open the Hyper-V Manager console.
2. Select the Hyper-V host that you wish to configure.
3. On the Actions pane, select Virtual Switch Manager.
4. Under Global Network Settings, click MAC Address Range.
5. Specify a minimum and a maximum range for the MAC address.

MAC addresses are in hexadecimal format. When configuring ranges for multiple Hyper-V hosts, you should consider changing the values of the second from the last pair of digits. The following table displays examples of ranges for multiple Hyper-V hosts.

Hyper-V Host    MAC Address Range
Host 1          Minimum: 00-15-5D-0F-AB-00
                Maximum: 00-15-5D-0F-AB-FF
Host 2          Minimum: 00-15-5D-0F-AC-00
                Maximum: 00-15-5D-0F-AC-FF
Host 3          Minimum: 00-15-5D-0F-AD-00
                Maximum: 00-15-5D-0F-AD-FF
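The following added example (not from the course) applies the scheme in the table from Windows PowerShell: it gives each of three hosts its own pool by varying the second-last octet, pins a static MAC address on a virtual machine that relies on a DHCP reservation, and then gathers every virtual adapter across the hosts to report any MAC address that is in use more than once. The host and virtual machine names are assumptions.

```powershell
# Added example (not from the course): per-host MAC pools, a static MAC for a
# DHCP-reserved VM, and a cross-host duplicate check.
# Assumptions: hosts LON-HOST1..3 are reachable with the Hyper-V module;
# VM LON-SVR1 runs on LON-HOST1.
Import-Module Hyper-V

$hosts = 'LON-HOST1', 'LON-HOST2', 'LON-HOST3'

# Host 1 -> 00-15-5D-0F-AB-xx, host 2 -> ...AC-xx, host 3 -> ...AD-xx.
# Set-VMHost takes the addresses without separators.
for ($i = 0; $i -lt $hosts.Count; $i++) {
    $octet = '{0:X2}' -f (0xAB + $i)
    Set-VMHost -ComputerName $hosts[$i] `
               -MacAddressMinimum "00155D0F${octet}00" `
               -MacAddressMaximum "00155D0F${octet}FF"
}

# Confirm the three pools do not overlap.
Get-VMHost -ComputerName $hosts | Select-Object Name, MacAddressMinimum, MacAddressMaximum

# A VM whose IP address comes from a DHCP reservation keeps a fixed MAC, so the
# reservation still matches after the VM is moved to another host.
Set-VMNetworkAdapter -ComputerName 'LON-HOST1' -VMName 'LON-SVR1' -StaticMacAddress '00155D0FAB10'

# Duplicate check: two adapters on external switches sharing a MAC would
# collide on the physical LAN, whichever host allocated them.
$adapters = Get-VMNetworkAdapter -ComputerName $hosts -VMName *
$adapters | Group-Object MacAddress | Where-Object Count -gt 1 | ForEach-Object {
    $users = ($_.Group | ForEach-Object { "$($_.ComputerName)\$($_.VMName)" }) -join ', '
    Write-Warning ("MAC {0} is used by: {1}" -f $_.Name, $users)
}
```

A static address chosen for a DHCP reservation should sit outside every host's dynamic pool (here 00-15-5D-0F-AB-10 is inside host 1's range only for brevity); otherwise a later dynamic allocation on that host can hand the same address to another virtual machine.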


Configuring Virtual Network Adapters


Virtual network adapters allow the virtual machine guest operating system to communicate using the virtual switches that you configure using the Virtual Switch Manager console. You can edit the properties of a virtual machine to modify the properties of a network adapter. From the Network Adapter pane of the virtual machine's settings dialog box, you can configure the following:
- Virtual Switch. Determines which virtual switch the network adapter connects to.
- VLAN ID. Allows you to specify a VLAN ID that the virtual machine will use for communication that passes through this adapter.
- Bandwidth Management. Allows you to specify a minimum and a maximum bandwidth to be allocated to the adapter by Hyper-V. The minimum bandwidth allocation is reserved by Hyper-V for the network adapter, even when other virtual network adapters on virtual machines hosted on the Hyper-V host are functioning at capacity.

Both synthetic network adapters and legacy network adapters support the following advanced features:
- MAC address allocation. You can configure a MAC address to be assigned from the MAC address pool, or you can configure the network adapter to use a fixed MAC address. You can also configure MAC address spoofing. This is useful when the virtual machine needs to provide specific network access, such as when the virtual machine is running a mobile device emulator that requires network access.
- DHCP Guard. Drops DHCP messages from virtual machines that are functioning as unauthorized DHCP servers. This may be necessary in scenarios where you are managing a Hyper-V server that hosts virtual machines for others, but do not have direct control over the configuration of those virtual machines.
- Router Guard. Drops router advertisement and redirection messages from virtual machines that are configured as unauthorized routers. This may be necessary in scenarios where you do not have direct control over the configuration of virtual machines.
- Port Mirroring. Allows you to copy incoming and outgoing packets from a network adapter to another virtual machine that you have configured for monitoring.
- NIC Teaming. Allows you to add the virtual network adapter to an existing team on the host Hyper-V server.

Synthetic network adapters require the guest operating system to support integration services. In addition to the advanced features listed earlier, synthetic network adapters support the following hardware acceleration features:
- Virtual Machine Queue. This feature uses hardware packet filtering to deliver network traffic directly to the guest. This improves performance as the packet does not need to be copied from the host operating system to the virtual machine. Virtual Machine Queue requires that the host computer has a network adapter that supports this feature.

13-26

Implementing Server Virtualization with Hyper-V

IPsec task offloading. This feature allows calculation-intensive security association tasks to be performed by the host's network adapter. If sufficient hardware resources are not available, the guest operating system performs these tasks. You can configure the maximum number of offloaded security associations in the range 1 to 4,096. IPsec task offloading requires guest operating system and network adapter support.

SR-IOV. Single-root I/O virtualization (SR-IOV) allows multiple virtual machines to share the same Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources are not available, network connectivity falls back to being provided through the virtual switch. SR-IOV requires specific hardware and special drivers to be installed on the guest operating system. Because an SR-IOV virtual function gives the guest a direct path to the physical adapter, traffic on it bypasses the Hyper-V virtual switch, so switch-enforced policies such as DHCP Guard, Router Guard, and port mirroring are not applied to that traffic. Weigh this against the performance gain when the guest is not trusted.

Legacy network adapters emulate common network adapter hardware. You use legacy network adapters in the following situations:
o You want to support network boot installation scenarios for virtual machines. For example, you want to deploy an operating system image from a Windows Deployment Services (Windows DS) server or through Configuration Manager.
o You need to support operating systems that do not support integration services and do not have drivers for the synthetic network adapter.

Legacy network adapters do not support the hardware acceleration features that synthetic network adapters support. You cannot configure virtual machine queue, IPsec task offloading, or Single-root I/O virtualization for legacy network adapters.
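The following Windows PowerShell script is an added example and is not part of the course material. It audits every virtual machine network adapter on the local Hyper-V host for the advanced-feature settings described above and, when run with -Enforce, turns on DHCP Guard and Router Guard and turns off MAC address spoofing and port mirroring for every adapter except those on the allow lists. The allow-list names are placeholders taken from the lab; the cmdlets and property names are those of the Hyper-V module shipped with Windows Server 2012.

```powershell
# Added example, not from the course manual: audit VM network adapters
# against a tenant-isolation baseline and optionally correct deviations.
# Run in an elevated session on the Hyper-V host.
Import-Module Hyper-V

function Test-VMNicBaseline {
    [CmdletBinding()]
    param(
        # VMs that legitimately need to forge source MACs (e.g. a device
        # emulator, a guest running NLB). Placeholder names from the lab.
        [string[]]$AllowMacSpoofing = @(),
        # VMs whose traffic may be copied to a monitoring VM
        [string[]]$AllowMirrorSource = @(),
        # Without -Enforce the function only reports
        [switch]$Enforce
    )

    foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
        # An adapter that is not connected to a switch cannot reach anything
        if (-not $nic.SwitchName) { continue }

        $issues = @()
        if ($nic.DhcpGuard -ne 'On') {
            $issues += 'DhcpGuard off: guest can answer DHCP for the segment'
            if ($Enforce) { Set-VMNetworkAdapter -VMNetworkAdapter $nic -DhcpGuard On }
        }
        if ($nic.RouterGuard -ne 'On') {
            $issues += 'RouterGuard off: guest can inject router advertisements/redirects'
            if ($Enforce) { Set-VMNetworkAdapter -VMNetworkAdapter $nic -RouterGuard On }
        }
        if ($nic.MacAddressSpoofing -eq 'On' -and $nic.VMName -notin $AllowMacSpoofing) {
            $issues += 'MacAddressSpoofing on: guest can impersonate other MACs'
            if ($Enforce) { Set-VMNetworkAdapter -VMNetworkAdapter $nic -MacAddressSpoofing Off }
        }
        if ($nic.PortMirroringMode -eq 'Source' -and $nic.VMName -notin $AllowMirrorSource) {
            $issues += 'PortMirroring Source: traffic is being copied to another VM'
            if ($Enforce) { Set-VMNetworkAdapter -VMNetworkAdapter $nic -PortMirroring None }
        }
        if ($nic.IovWeight -gt 0) {
            # Informational only: SR-IOV traffic bypasses the virtual switch, so
            # none of the guards above cover it. Flag for review, do not change.
            $issues += 'SR-IOV enabled: switch-level guards do not apply to VF traffic'
        }

        foreach ($i in $issues) {
            [pscustomobject]@{ VM = $nic.VMName; Adapter = $nic.Name; Switch = $nic.SwitchName; Issue = $i }
        }
    }
}

# Report only
Test-VMNicBaseline | Format-Table -AutoSize

# Set up the lab's monitoring pair first so the enforce run does not undo it.
# Both adapters must be on the same virtual switch.
Set-VMNetworkAdapter -VMName LON-GUEST1 -PortMirroring Source
Set-VMNetworkAdapter -VMName LON-GUEST2 -PortMirroring Destination

# Remediate, allowing LON-GUEST1 (the emulator host in the lab) to spoof and to be mirrored
Test-VMNicBaseline -AllowMacSpoofing 'LON-GUEST1' -AllowMirrorSource 'LON-GUEST1' -Enforce |
    Format-Table -AutoSize
```

Run the report form first and review the output before using -Enforce; on a host that serves several tenants, changing a port-mirroring or spoofing setting can break a workload that depended on it.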

20410A: Installing and Configuring Windows Server 2012

13-27

Lab: Implementing Server Virtualization with Hyper-V


Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. Your assignment is to configure the infrastructure service for a new branch office. To more effectively use the server hardware that is currently available at branch offices, your manager has decided that all branch office servers will run as virtual machines. You must now configure a virtual network and a new virtual machine for these branch offices.

Objectives
After performing this lab you will be able to:
o Install the Hyper-V Server role.
o Configure virtual networking.
o Create and configure a virtual machine.
o Use virtual machine snapshots.

Lab Setup
Estimated Time: 60 minutes

Logon Information
Virtual Machine: 20410A-LON-HOST1
User Name: Adatum\Administrator
Password: Pa$$w0rd

1. Reboot the classroom computer and choose 20410A-LON-HOST1 from the Windows Boot Manager.
2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.

Exercise 1: Installing the Hyper-V Server Role


Scenario
The first step in migrating to a virtualized environment for the branch office is installing the Hyper-V server role on a new server.

The main tasks for this exercise are as follows:
1. Install the Hyper-V server role.
2. Complete Hyper-V role installation and verify settings.

Task 1: Install the Hyper-V server role


1. Reboot the classroom computer and from the Windows Boot Manager, choose 20410A-LON-HOST1.
2. Log on to the computer with the Administrator account and the password Pa$$w0rd.
3. In Server Manager, click Local Server and then configure the following network settings:
   o IP Address: 172.16.0.31
   o Subnet mask: 255.255.0.0
   o Default gateway: 172.16.0.1
   o Preferred DNS server: 172.16.0.10
4. Use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1 with the following options:
   o Do not create a virtual switch
   o Use the default stores locations
   o Allow the server to restart automatically if required.
5. After a few minutes, the server will automatically restart. Ensure that you restart the machine from the boot menu as 20410A-LON-HOST1. The computer will restart several times.

Task 2: Complete Hyper-V role installation and verify settings


1. Log on to LON-HOST1 using the account Administrator with the password Pa$$w0rd.
2. When the Hyper-V tools installation completes, click Close.
3. Open the Hyper-V Manager console and then click LON-HOST1.
4. Edit the Hyper-V settings of LON-HOST1, and configure the following settings:
   o Keyboard: Use on the virtual machine
   o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

Results: After this exercise, you will have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking


Scenario
After installing the Hyper-V server role on the new server, you need to configure the virtual network. You need to create both a network that is connected to the physical network, and a private network that can be used only for communication between virtual machines. The private network will be used once virtual machines are configured for high availability. You also need to configure a specific range of MAC addresses for the virtual machines.

The main tasks for this exercise are as follows:
1. Configure the external network.
2. Create a private network.
3. Create an internal network.
4. Configure the MAC address range.

Task 1: Configure the external network


1. Open the Hyper-V Manager console, and then click LON-HOST1.
2. Use the Virtual Switch Manager to create a new External virtual network switch with the following properties:
   o Name: Switch for External Adapter
   o External Network: Mapped to the host computer's physical network adapter. (This will vary depending on the host computer.)

Task 2: Create a private network


1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to create a new virtual switch with the following properties:
   o Name: Private Network
   o Connection type: Private network

Task 3: Create an internal network


1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to create a new virtual switch with the following properties:
   o Name: Internal Network
   o Connection type: Internal network

Task 4: Configure the MAC address range


1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to configure the following MAC Address Range settings:
   o Minimum: 00-15-5D-0F-AB-A0
   o Maximum: 00-15-5D-0F-AB-EF

Results: After this exercise, you will have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role.
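The following script is an added example and is not part of the lab. It performs the four tasks of Exercise 2 with the Hyper-V cmdlets instead of Virtual Switch Manager, so the configuration can be repeated on every branch office host. It assumes one physical adapter that is connected and not yet bound to a virtual switch; the switch names and MAC range are the lab's values.

```powershell
# Added example, not from the course manual: Exercise 2 with the Hyper-V
# cmdlets. Run in an elevated session on LON-HOST1.
Import-Module Hyper-V

function New-LabSwitch {
    # Idempotent: returns the existing switch instead of failing on a rerun
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('External', 'Internal', 'Private')][string]$Type,
        [string]$NetAdapterName
    )
    $existing = Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    if ($Type -eq 'External') {
        # -AllowManagementOS keeps a host vNIC on the switch. Without it the host
        # loses the physical NIC's connectivity the moment the switch is created.
        New-VMSwitch -Name $Name -NetAdapterName $NetAdapterName -AllowManagementOS $true
    } else {
        New-VMSwitch -Name $Name -SwitchType $Type
    }
}

# Assumption: the first connected physical adapter is the one to share
$phys = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
if (-not $phys) { throw 'No connected physical adapter found for the external switch' }

New-LabSwitch -Name 'Switch for External Adapter' -Type External -NetAdapterName $phys.Name | Out-Null
New-LabSwitch -Name 'Private Network' -Type Private | Out-Null    # VM-to-VM only, host cannot see it
New-LabSwitch -Name 'Internal Network' -Type Internal | Out-Null  # VMs plus the host, no physical uplink

# Dynamic MAC pool. 00-15-5D is the prefix Hyper-V uses; the remaining octets
# must differ per host, or two hosts will hand the same MAC to different VMs.
# Set-VMHost takes the 12 hex digits with no separators.
$min = '00155D0FABA0'; $max = '00155D0FABEF'
$poolSize = [Convert]::ToInt64($max, 16) - [Convert]::ToInt64($min, 16) + 1
if ($poolSize -lt (Get-VM).Count) {
    Write-Warning "MAC pool of $poolSize addresses is smaller than the number of VMs on this host"
}
Set-VMHost -MacAddressMinimum $min -MacAddressMaximum $max

# Verify
Get-VMSwitch | Format-Table Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS -AutoSize
Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum
```

The lab range 00-15-5D-0F-AB-A0 to 00-15-5D-0F-AB-EF holds 80 addresses, which is enough for a branch office host but not for a consolidated one; the warning in the script catches that before virtual machines start failing to get a MAC.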

Exercise 3: Creating and Configuring a Virtual Machine


Scenario
You have been asked to deploy two virtual machines to LON-HOST1. You have copied a sysprepped VHD file that hosts a Windows Server 2012 installation. To minimize disk space use at the cost of performance, you are going to create two differencing files based on the sysprepped VHD. You will then use these differencing files as the virtual hard disk files for the new virtual machines.

The main tasks for this exercise are as follows:
1. Create differencing disks.
2. Create virtual machines.
3. Enable resource metering.

Task 1: Create differencing disks


1. Use Windows Explorer to create the following folders:
   o E:\Program Files\Microsoft Learning\Base\LON-GUEST1
   o E:\Program Files\Microsoft Learning\Base\LON-GUEST2

Note: The drive letter may depend upon the number of drives on the physical host machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
   o Disk Format: VHD
   o Disk Type: Differencing
   o Name: LON-GUEST1.vhd
   o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
   o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd
3. Open Windows PowerShell, import the Hyper-V module, and then run the following command. The paths contain spaces, so they must be quoted:

New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd" -Differencing

4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.
5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

Task 2: Create virtual machines


1. On LON-HOST1, in the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.
2. Create a virtual machine with the following properties:
   o Name: LON-GUEST1
   o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
   o Memory: 1024 MB
   o Use Dynamic Memory: Yes
   o Networking: Private Network
   o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd
3. Open Windows PowerShell, import the Hyper-V module, and execute the following command. The path contains spaces, so it must be quoted:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

4. Use the Hyper-V Manager console to edit the settings of LON-GUEST2.
5. Configure Automatic Start Action: Nothing.
6. Configure Automatic Stop Action: Shut down the guest operating system.

Task 3: Enable resource metering


At the Windows PowerShell command-line prompt, import the Hyper-V module and enter the following commands:

Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2


Results: After this exercise, you will have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing disks.

Exercise 4: Using Virtual Machine Snapshots


Scenario
You are in the process of developing a strategy to mitigate the impact of incorrectly applied change requests. As a part of this strategy development, you are testing the speed and functionality of using virtual machine snapshots to roll back to a previously existing stable configuration. In this exercise, you will deploy Windows Server 2012 in a virtual machine. You will create a stable configuration for that virtual machine, and then take a virtual machine snapshot. You will then modify the configuration, and then roll back to the snapshot.

The main tasks for this exercise are as follows:
1. Deploy Windows Server 2012 in a virtual machine.
2. Create a virtual machine snapshot.
3. Modify the virtual machine.
4. Revert to the existing virtual machine snapshot.
5. View resource metering data.

Task 1: Deploy Windows Server 2012 in a virtual machine


1. Use the Hyper-V Manager console to start LON-GUEST1.
2. Open the Virtual Machine Connection window and perform the following steps to deploy Windows Server 2012 on the virtual machine:
   o On the Settings page, click Skip.
   o On the Settings page, select I accept the license terms for using Windows and click Accept.
   o On the Settings page, click Next to accept the Region and Language settings.
   o On the Settings page, enter the password Pa$$w0rd twice and click Finish.
3. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.
4. Reset the name of the virtual machine to LON-GUEST1, and then restart the virtual machine.

Task 2: Create a virtual machine snapshot


1. Log on to the LON-GUEST1 virtual machine, and verify that the name of the computer is set to LON-GUEST1.
2. Create a snapshot of LON-GUEST1, and name the snapshot Before Change.

Task 3: Modify the virtual machine


1. Log on to the LON-GUEST1 virtual machine, and use the Server Manager console to change the computer's name to LON-Computer1.
2. Reboot the virtual machine.
3. Log on to the LON-GUEST1 virtual machine, and verify that the server name is set to LON-Computer1.


Task 4: Revert to the existing virtual machine snapshot


1. Revert the virtual machine.
2. Verify that the Computer Name of the virtual machine is set to LON-GUEST1.

Task 5: View resource metering data


1. On LON-HOST1, import the Hyper-V Windows PowerShell module and issue the following command:

Measure-VM LON-GUEST1

2. Note the average CPU, average RAM, and total disk use figures and then close the PowerShell window.

Results: After this exercise, you will have used virtual machine snapshots to recover from a virtual machine misconfiguration.
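The following script is an added example and is not part of the lab. It carries out Exercises 3 and 4 end to end from Windows PowerShell: it creates the two differencing disks, checks that each really chains to the parent, builds the virtual machines with the lab's memory, switch, and start/stop settings, enables resource metering, and then shows the snapshot and rollback sequence from Exercise 4. Paths, names, and the Private Network switch are the lab's values; the parent VHD is assumed to exist already.

```powershell
# Added example, not from the course manual: Exercises 3 and 4 as one script.
# Run in an elevated session on LON-HOST1 after Exercise 2 has created
# the 'Private Network' switch.
Import-Module Hyper-V

$Base   = 'E:\Program Files\Microsoft Learning\Base'
$Parent = Join-Path $Base 'Base12A-WS2012-RC.vhd'
if (-not (Test-Path $Parent)) { throw "Parent disk $Parent not found" }

# A differencing disk is only as good as its parent: any write to the parent
# after a child exists silently invalidates every child. Make it read-only.
Set-ItemProperty -Path $Parent -Name IsReadOnly -Value $true

function New-LabGuest {
    param([Parameter(Mandatory)][string]$Name)

    $dir = Join-Path $Base $Name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $vhd = Join-Path $dir "$Name.vhd"

    # Variables avoid the unquoted-path mistake: "E:\Program Files\..." contains a space
    New-VHD -Path $vhd -ParentPath $Parent -Differencing | Out-Null

    # Verify the chain before a VM is built on it (Task 1, steps 4-5)
    $info = Get-VHD -Path $vhd
    if ($info.VhdType -ne 'Differencing' -or $info.ParentPath -ne $Parent) {
        throw "$vhd is not a differencing disk of $Parent"
    }

    $vm = New-VM -Name $Name -Path $dir -MemoryStartupBytes 1024MB -VHDPath $vhd -SwitchName 'Private Network'
    # Dynamic memory; do not auto-start after a host reboot; clean shutdown when the host stops
    Set-VM -VM $vm -DynamicMemory -AutomaticStartAction Nothing -AutomaticStopAction ShutDown
    Enable-VMResourceMetering -VM $vm
    return $vm
}

'LON-GUEST1', 'LON-GUEST2' | ForEach-Object { New-LabGuest -Name $_ } |
    Format-Table Name, State, DynamicMemoryEnabled -AutoSize

# Exercise 4: checkpoint, change, roll back, read the meter
Start-VM -Name LON-GUEST1
# (complete the guest's setup and rename it to LON-GUEST1 interactively before this point)
Checkpoint-VM -Name LON-GUEST1 -SnapshotName 'Before Change'

# ... apply the change under test inside the guest (the lab renames it to LON-Computer1) ...

# Roll back. Restore-VMSnapshot prompts by default; -Confirm:$false suppresses that.
# A checkpoint taken while the VM was running restores it to a saved state, so start it again.
Get-VMSnapshot -VMName LON-GUEST1 -Name 'Before Change' | Restore-VMSnapshot -Confirm:$false
Start-VM -Name LON-GUEST1

# Usage since Enable-VMResourceMetering (or the last Reset-VMResourceMetering)
Measure-VM -Name LON-GUEST1 | Format-List VMName, AvgCPU, AvgRAM, TotalDisk, MeteringDuration
```

Because a checkpoint also captures the memory of a running guest, snapshot files should be protected like the virtual hard disks themselves: anything in the guest's RAM at that moment, including credentials, is stored on the host.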

Revert the virtual machines


After you finish the lab, restart the computer in Windows Server 2008 R2.
1. Click the Windows PowerShell icon on the taskbar.
2. In the Windows PowerShell window, enter the following command and press Enter:

Shutdown /r /t 5

3. From the Windows Boot Manager, choose Windows Server 2008 R2.


Module Review and Takeaways


Review Questions
Question: In which situations should you use a fixed memory allocation rather than dynamic memory?

Question: In which situations must you use VHDX format virtual hard disks as opposed to VHD format virtual hard disks?

Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard disk on a file share. What operating system must the file server be running to support this configuration?

Common Issues and Troubleshooting Tips


Common Issue: Cannot deploy Hyper-V on an x64 platform.
Troubleshooting Tip:

Common Issue: Virtual machine does not use dynamic memory.
Troubleshooting Tip:

Best Practices
When implementing server virtualization with Hyper-V, use the following best practices:
o Ensure that the processor on the computer that will host Hyper-V supports SLAT. Servers that support the Hyper-V role on Windows Server 2008 and Windows Server 2008 R2 may not support Hyper-V on Windows Server 2012.
o Ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual machines paging to the hard disk drive because they are provisioned with inadequate memory will decrease performance for all virtual machines on the Hyper-V host.
o Monitor virtual machine performance carefully. A virtual machine that uses a disproportionate amount of server resources can adversely impact the performance of all other virtual machines that are hosted on the same Hyper-V server.

Tools
You can use the following tools with Hyper-V to deploy and manage virtual machines.

Name of tool: Sysinternals disk2vhd tool
Used for: Converting physical hard disks to VHD format.
Where to find it: You can download this tool from the Microsoft TechNet website.


Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

L1-1

Module 1: Deploying and Managing Windows Server 2012

Lab: Deploying and Managing Windows Server 2012


Exercise 1: Deploying Windows Server 2012
Task 1: Install the Windows Server 2012 server
1. Open the Hyper-V Manager console.
2. Click 20410A-LON-SVR3.
3. In the Actions pane, click Settings.
4. Under Hardware, click DVD Drive.
5. Click Image file, and then click Browse.
6. Browse to C:\Program Files\Microsoft Learning\20410\Drives, and then click Win2012_RC.ISO. Click Open and then click OK.
7. In the Hyper-V Manager console, double-click 20410A-LON-SVR3 to open the Virtual Machine Connection window.
8. In the Virtual Machine Connection window, on the Action menu, click Start.
9. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, and then click Next.
   o Language to install: English (United States)
   o Time and currency format: English (United States)
   o Keyboard or input method: US
10. On the Windows Server 2012 page, click Install now.
11. On the Select the operating system you want to install page, select Windows Server 2012 Release Candidate Datacenter (Server with a GUI), and then click Next.
12. On the License terms page, review the operating system license terms. Select the I accept the license terms check box, and then click Next.
13. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
14. On the Where do you want to install Windows? page, verify that Drive 0 Unallocated Space has enough space for the Windows Server 2012 operating system, and then click Next.

Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.

15. On the Settings page, enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click Finish.

Task 2: Change the server name


1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.
2. In Server Manager, click Local Server.
3. Click the randomly generated name next to Computer name. This launches the System Properties dialog box.
4. In the System Properties dialog box, on the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter the name LON-SVR3, and then click OK.
6. In the Computer Name/Domain Changes dialog box, click OK.
7. Close the System Properties dialog box.
8. In the Microsoft Windows dialog box, click Restart Now.

Task 3: Change the date and time


1. Log on to server LON-SVR3 as Administrator with the password Pa$$w0rd.
2. On the taskbar, click the time display. A pop-up window with a calendar and a clock displays.
3. On the pop-up window, click Change date and time settings.
4. In the Date and Time dialog box, click Change Time Zone.
5. In the Time Zone Settings dialog box, set the time zone to your current time zone, and then click OK.
6. In the Date and Time dialog box, click Change Date and Time.
7. Verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom, and then click OK.
8. Click OK to close the Date and Time dialog box.

Task 4: Configure the network and network teaming


1. In the Server Manager console on LON-SVR3, click Local Server.
2. Next to NIC Teaming, click Disabled.
3. In the NIC Teaming dialog box, press and hold the Ctrl key, and then in the Adapters and Interfaces workspace, click both Local Area Connection and Local Area Connection 2.
4. Right-click the selected network adapters, and then click Add to New Team.
5. In the New team dialog box, in the Team name field, type LON-SVR3, and then click OK.
6. Close the NIC Teaming dialog box. Refresh the Server Manager console.
7. In the Server Manager console, next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.
8. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.
9. In the LON-SVR3 Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IP address information, and then click OK.
   o IP address: 172.16.0.101
   o Subnet Mask: 255.255.0.0
   o Default Gateway: 172.16.0.1
   o Preferred DNS server: 172.16.0.10
11. Click Close to close the LON-SVR3 Properties dialog box.
12. Close the Network Connections dialog box.

Task 5: Add the server to the domain


1. On LON-SVR3, in the Server Manager console, click Local Server.
2. Next to Workgroup, click WORKGROUP.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member of area, click the Domain option.
5. In the Domain box, enter adatum.com, and then click OK.
6. In the Windows Security dialog box, enter the following details, and then click OK:
   o Username: Administrator
   o Password: Pa$$w0rd
7. In the Computer Name/Domain Changes dialog box, click OK.
8. When informed that you must restart the computer to apply changes, click OK.
9. In the System Properties dialog box, click Close.
10. In the Microsoft Windows dialog box, click Restart Now.
11. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.

Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also will have configured LON-SVR3 including name change, date and time, networking, and network teaming.

Exercise 2: Configuring Windows Server 2012 Server Core


Task 1: Change the server name
1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd.
3. To select Computer Name, type 2, and then press Enter.
4. Enter the computer name LON-CORE, and then press Enter.
5. In the Restart dialog box, click Yes.
6. Log on to server LON-CORE using the Administrator account.
7. At the command prompt, type hostname, and then press Enter to verify the computer's name.

Task 2: Change the computers date and time


1. When logged on to server LON-CORE with the Administrator account, at the command prompt, type sconfig.cmd, and then press Enter.
2. To select Date and Time, type 9, and then press Enter.
3. In the Date and Time dialog box, click Change time zone. Set the time zone to the same time zone that your classroom uses, and then click OK.
4. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location. Click OK two times to dismiss the dialog boxes.
5. In the command prompt window, type 15, and then press Enter to exit Server Configuration.

Task 3: Configure the network


1. Ensure that you are logged on to server LON-CORE using the account Administrator and password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To configure Network Settings, type 8, and then press Enter.
4. Type the index number of the network adapter that you want to configure, and then press Enter.
5. On the Network Adapter Settings page, type 1, and then press Enter. This sets the Network Adapter Address.
6. To select static IP address configuration, type S, and then press Enter.
7. At the Enter static IP address: prompt, type 172.16.0.111, and then press Enter.
8. At the Enter subnet mask prompt, type 255.255.0.0, and then press Enter.
9. At the Enter default gateway prompt, type 172.16.0.1, and then press Enter.
10. On the Network Adapter Settings page, type 2, and then press Enter. This configures the DNS server address.
11. At the Enter new preferred DNS server prompt, type 172.16.0.10, and then press Enter.
12. In the Network Settings dialog box, click OK.
13. Press Enter to not configure an alternate DNS server address.
14. Type 4, and then press Enter to return to the main menu.
15. Type 15, and then press Enter to exit sconfig.cmd.
16. At the command prompt, type ping lon-dc1.adatum.com to verify connectivity to the domain controller from LON-CORE.

Task 4: Add the server to the domain


1. Ensure that you are logged on to server LON-CORE using the account Administrator with password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To configure Domain/Workgroup, type 1, and then press Enter.
4. To join a domain, type D, and then press Enter.
5. At the Name of domain to join prompt, type adatum.com.
6. At the Specify an authorized domain\user prompt, type adatum\administrator, and then press Enter.
7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and then press Enter.
8. At the Change Computer Name prompt, click Yes.
9. At the Enter new computer name prompt, press Enter.
10. To restart the server, type 13, and then press Enter.
11. In the Restart dialog box, click Yes.
12. Log on to server LON-CORE with the adatum\administrator account and the password Pa$$w0rd.

Results: After finishing this exercise, you will have configured a Windows Server 2012 Server Core deployment, and verified the servers name.
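The following script is an added example and is not part of the lab answer key. It performs the Server Core configuration of Exercise 2 (and, optionally, the NIC team from Exercise 1 Task 4) with Windows PowerShell cmdlets rather than the sconfig.cmd menus, which is how the same work is automated across many servers. Addresses and names are the lab's values; the time zone ID, the adapter selection, and the team member names are assumptions to adjust. Run it at the server console: the address change disconnects any remote session.

```powershell
# Added example, not from the course manual: Exercise 2 (Server Core) and the
# NIC team of Exercise 1 Task 4 with cmdlets instead of sconfig.cmd.
# Windows Server 2012 / PowerShell 3.0. Run elevated at the console.
param(
    [string]$NewName   = 'LON-CORE',
    [string]$IPv4      = '172.16.0.111',
    [int]   $Prefix    = 16,              # 255.255.0.0
    [string]$Gateway   = '172.16.0.1',
    [string]$Dns       = '172.16.0.10',
    [string]$Domain    = 'adatum.com',
    [string]$TimeZone  = 'GMT Standard Time',   # assumption: London classroom
    [string[]]$TeamMembers = @()          # e.g. 'Local Area Connection','Local Area Connection 2'
)

if ($TeamMembers.Count -ge 2) {
    # Exercise 1 Task 4: the team interface takes the team's name
    New-NetLbfoTeam -Name $NewName -TeamMembers $TeamMembers -Confirm:$false | Out-Null
    $alias = $NewName
} else {
    # Assumption: the first connected physical adapter is the one to configure
    $alias = (Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1).Name
}
if (-not $alias) { throw 'No connected network adapter found' }

# Static IPv4. Turn DHCP off and drop the lease (address and default route) first,
# otherwise New-NetIPAddress -DefaultGateway fails with 'DefaultGateway already exists'.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $alias -IPAddress $IPv4 -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $Dns

# Time zone. Set-TimeZone does not exist on Windows Server 2012; tzutil does.
tzutil.exe /s $TimeZone

# Do not attempt the join until the DC resolves and answers (sconfig step 16)
if (-not (Test-Connection "lon-dc1.$Domain" -Count 2 -Quiet)) {
    throw "Cannot reach lon-dc1.$Domain; check the IP and DNS settings before joining"
}

# Rename and join in one operation. Prompting keeps the domain password out of the
# command history and any transcript; never hard-code it in a script.
$netbios = $Domain.Split('.')[0]
$cred = Get-Credential -UserName "$netbios\Administrator" -Message 'Account permitted to join computers'
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

Add-Computer with -NewName performs the rename and the join in a single restart, which is what sconfig.cmd does when you accept the Change Computer Name prompt; using a dedicated join account with only the "Create computer objects" right on the target OU, rather than the domain Administrator used in the lab, is the least-privilege version of step 6.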

Exercise 3: Managing Servers


Task 1: Create a server group
1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. In the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
4. In the Server group name box, type LAB-1.
5. Use the arrow to add LON-CORE and LON-SVR3 to the server group.
6. Click OK to close the Create Server Group dialog box.
7. Click LAB-1.
8. Press and hold the Ctrl key, and then select both LON-CORE and LON-SVR3. When both are selected, scroll down and, under the Performance section, select both LON-CORE and LON-SVR3. Right-click LON-CORE, and then click Start Performance Counters.

Task 2: Deploy features and roles to both servers


1. In Server Manager on LON-DC1, click LAB-1.
2. Scroll to the top of the pane, right-click LON-CORE, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
5. On the Select destination server page, verify that LON-CORE.Adatum.com is selected, and then click Next.
6. On the Select server roles page, select Web Server (IIS), and then click Next.
7. On the Features page, select Windows Server Backup, and then click Next.
8. On the Web Server Role (IIS) page, click Next.
9. On the Select Role Services page, add the Windows Authentication role service, and then click Next.
10. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
11. Click Close to close the Add Roles and Features Wizard.
12. In Server Manager, right-click LON-SVR3, and then click Add Roles and Features.
13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
14. On the Select installation type page, click Role-based or feature-based installation.
15. On the Select destination server page, verify that LON-SVR3.Adatum.com is selected, and then click Next.
16. On the Server Roles page, click Next.
17. On the Select features page, click Windows Server Backup, and then click Next.
18. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
19. Once the install commences, click Close.
20. In Server Manager, click the IIS node, and verify that LON-CORE is listed.

Task 3: Review services, and change a service setting


1. Log on to LON-CORE with the adatum\Administrator account and the password Pa$$w0rd.
2. At a command prompt, type netsh.exe firewall set service remoteadmin enable ALL, and then press Enter. (This deprecated netsh context enables the Remote Administration firewall rules on every profile for any source address. Outside the lab, use the netsh advfirewall rule groups instead and scope them to the management subnet.)
3. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.
4. In Server Manager, click LAB-1.
5. Right-click LON-CORE, and then click Computer Management.
6. In the Computer Management console, expand Services and Applications, and then click Services.
7. Right-click the World Wide Web Publishing Service, and then click Properties. Verify that the Startup type is set to Automatic.
8. In the World Wide Web Publishing Service Properties dialog box, on the Log On tab, verify that the service is configured to use the Local System account.
9. In the World Wide Web Publishing Service Properties dialog box, on the Recovery tab, configure the following settings:
   o First failure: Restart the Service
   o Second failure: Restart the Service
   o Subsequent failures: Restart the Computer
   o Reset fail count after: 1 days
   o Restart service after: 1 minute
10. In the World Wide Web Publishing Service Properties dialog box, on the Recovery tab, click the Restart Computer Options button.
11. In the Restart Computer Options dialog box, in the Restart Computer After box, type 2, and then click OK.
12. Click OK to close the World Wide Web Publishing Service Properties dialog box.
13. Close the Computer Management console.

Results: After finishing this exercise, you will have created a server group, deployed roles and features, and configured the properties of a service.
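The following script is an added example and is not part of the lab answer key. It performs Task 3 of Exercise 3 from LON-DC1 without the Computer Management console: it opens the remote-management firewall groups on LON-CORE with netsh advfirewall (the supported replacement for the deprecated netsh firewall context used in step 2) scoped to the lab subnet, sets the same W3SVC recovery actions with sc.exe, and verifies the result. The server name and the 172.16.0.0/16 scope are the lab's values.

```powershell
# Added example, not from the course manual: Exercise 3 Task 3 from LON-DC1
# against LON-CORE with netsh advfirewall and sc.exe instead of the MMC.
$Server = 'LON-CORE'

# 1. Remote MMC (Computer Management, Services) needs the RPC endpoint mapper and
#    the per-snap-in rule groups. Scope them to the management subnet; the lab's
#    'netsh firewall ... enable ALL' opens them to every address on every profile.
#    WinRM is on by default on Windows Server 2012, so Invoke-Command works already.
Invoke-Command -ComputerName $Server -ScriptBlock {
    foreach ($group in 'Remote Administration', 'Remote Service Management', 'Remote Event Log Management') {
        netsh advfirewall firewall set rule group="$group" new enable=yes remoteip=172.16.0.0/16
    }
}

# 2. Recovery actions for W3SVC (World Wide Web Publishing Service):
#    1st failure: restart after 60 s; 2nd: restart after 60 s; subsequent: reboot
#    after 120 s; failure count resets after 86400 s (1 day). sc.exe requires a
#    space after each '='. Rebooting on service failure is a denial-of-service
#    lever, so be sure the failure cannot be triggered by an unauthenticated client.
sc.exe "\\$Server" failure W3SVC reset= 86400 actions= restart/60000/restart/60000/reboot/120000

# 3. Verify the recovery settings, start type and logon account
sc.exe "\\$Server" qfailure W3SVC
Get-WmiObject -ComputerName $Server -Class Win32_Service -Filter "Name='W3SVC'" |
    Select-Object Name, State, StartMode, StartName   # expect Auto and LocalSystem
```

The reboot action runs in the context of the Service Control Manager, not the service account, so it does not require W3SVC itself to run as Local System; what the lab's Log On tab check confirms is the default account for the service, and a hardened deployment would normally move the web workload to an application pool identity rather than leave the service on Local System.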


Exercise 4: Using Windows PowerShell to Manage Servers


Task 1: Use Windows PowerShell to connect remotely to servers and view information
1. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click LAB-1.
3. Right-click LON-CORE, and then click Windows PowerShell.
4. At the command prompt, type Import-Module ServerManager, and then press Enter.
5. Type Get-WindowsFeature to review the roles and features installed on LON-CORE.
6. Type the following command to review the running services on LON-CORE (the comparison value must be quoted, or PowerShell reports an unexpected token):

Get-Service | Where-Object {$_.Status -eq 'Running'}

7. 8.

7. Type get-process, and then press Enter to view a list of processes on LON-CORE.
8. Type the following command to review the IP addresses assigned to the server:

Get-NetIPAddress | Format-Table

9. Type the following command to review the most recent 10 items in the security log:

Get-EventLog Security -Newest 10

10. Close Windows PowerShell.

Task 2: Use Windows PowerShell to install new features remotely


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command prompt, type Import-Module ServerManager, and then press Enter.
3. To verify that the XPS Viewer feature has not been installed on LON-SVR3, type the following command, and then press Enter:

Get-WindowsFeature -ComputerName LON-SVR3

4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:

Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3

5. To verify that the XPS Viewer feature has now been deployed on LON-SVR3, type the following command and then press Enter:

Get-WindowsFeature -ComputerName LON-SVR3

6. In the Server Manager console, from the Tools drop-down menu, click Windows PowerShell ISE.
7. In the Windows PowerShell ISE window, in the Untitled1.ps1 script pane, type the following, pressing Enter after each line:

Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE

8. Click the Save icon. Select the root of Local Disk (C:). Create a new folder named Scripts, and then save the script in that folder as InstallWins.ps1.
9. Press F5 to run the script.

Results: After finishing this exercise, you will have used Windows PowerShell to perform a remote installation of features on multiple servers.

To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, switch to the Hyper-V Manager console.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.


Module 2: Introduction to Active Directory Domain Services

Lab: Installing Domain Controllers


Exercise 1: Installing a Domain Controller
Task 1: Add an Active Directory Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, in the left column, select All Servers.
3. Right-click All Servers and then click Add Servers.
4. In the Add Servers dialog box, in the Name (CN) box, type LON-SVR1 and then click Find Now.
5. Under Name, click LON-SVR1 and then click the arrow to add the server to the Selected column.
6. Click OK to close the Add Servers dialog box.
7. In Server Manager, in the Servers window, right-click LON-SVR1, and select Add Roles and Features.
8. In the Add Roles and Features Wizard, click Next.
9. In the Select installation type window, ensure that Role-based or feature-based installation is selected, and then click Next.
10. On the Select destination server page, ensure that Select a server from the server pool is selected. In the Server Pool window, verify that LON-SVR1.Adatum.com is highlighted, and then click Next.
11. On the Select server roles page, select the Active Directory Domain Services check box, click Add Features, and then click Next.
12. On the Select features page, click Next.
13. On the Active Directory Domain Services page, click Next.
14. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
15. Installation will take several minutes. When the installation has succeeded, click Close to close the Add Roles and Features Wizard.

Task 2: Configure a server as a domain controller


1. On LON-DC1, in Server Manager on the menu bar, on the left of the Manage button, click the yellow Alert button.
2. In the Post-deployment Configuration window that appears, click Promote this server to a domain controller. The wizard continues.
3. On the Deployment Configuration page, ensure that the radio button next to Add a domain controller to an existing domain is selected, and then, beside the Domain line, click Select.
4. In the Windows Security dialog box that opens, enter Adatum\Administrator in the Username box and in the Password box, type Pa$$w0rd, and then click OK.
5. In the Select a domain from the forest window, click adatum.com, and then click OK.
6. In the Deployment Configuration window, click Next.
7. On the Domain Controller Options page, ensure that Domain Name System (DNS) server is selected, and then deselect the check box next to Global Catalog (GC).


Note: You would usually want to enable the global catalog as well, but for the purpose of this lab, this is done in the next section.

8. In the Type the Directory Services Restore Mode (DSRM) password section, type Pa$$w0rd in both text boxes, and then click Next.
9. On the DNS Options page, click Next.
10. On the Additional Options page, click Next.
11. On the Paths page, accept the default folders, and then click Next.
12. On the Review Options page, click View Script, examine the Windows PowerShell script that the wizard generates, close the Notepad window, and then click Next.
13. On the Prerequisites Check page, read any warning messages, and then click Install.
14. When the task completes successfully, click Close.

Task 3: Configure a server as a global catalog server


1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools and then click Active Directory Sites and Services.
3. When the Active Directory Sites and Services window opens, expand Sites, expand Default-First-Site-Name, expand Servers, and then expand LON-SVR1.
4. In the left column, right-click NTDS Settings and select Properties.
5. In the NTDS Settings Properties dialog box, select the check box next to Global Catalog.
6. Click OK and close Active Directory Sites and Services.

Results: After completing this exercise, you will have explored Server Manager and promoted a member server to be a domain controller.

Exercise 2: Installing a domain controller by using IFM


Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.
3. On the Start screen, type CMD and then press Enter.
4. In the Command Prompt window, type the following, pressing Enter after each line:
Ntdsutil
Activate instance ntds
Ifm
Create sysvol full c:\ifm

Task 2: Add the AD DS role to the member server


1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.
2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.
3. On the Start screen, type CMD and then press Enter.


4. Type the following command, and then press Enter:
Net use k: \\LON-DC1\c$\IFM

5. Switch to Server Manager.
6. From the list on the left, click Local Server.
7. In the toolbar, click Manage, and then click Add Roles and Features.
8. On the Before you begin page, click Next.
9. On the Select installation type page, ensure that Role-based or feature-based installation is selected, and then click Next.
10. On the Select destination server page, verify that LON-SVR2.Adatum.com is highlighted, and then click Next.
11. On the Select server roles page, click Active Directory Domain Services, in the Add Roles and Features Wizard window, click Add Features, and then click Next.
12. In the Select Features window, click Next.
13. On the Active Directory Domain Services page, click Next.
14. On the Confirm installation selections page, click Restart the destination server automatically if required. Click Yes at the message box.
15. Click Install.
16. After the installation has succeeded, click Close.

Task 3: Use IFM to configure a member server as a new domain controller


1. On LON-SVR2, in the command prompt window, type the following command, and then press Enter:
Robocopy k: c:\ifm /copyall /s

2. Close the command prompt window.
3. In the Server Manager toolbar, to the left of the Manage button, click the yellow Alert button.
4. In the Post-deployment Configuration window, click Promote this server to a domain controller.
5. On the Deployment Configuration page, ensure that Add a domain controller to an existing domain is selected, and confirm that adatum.com is entered as the target domain. Click Next.
6. On the Domain Controller Options page, ensure that both Domain Name System (DNS) server and global catalog are selected.
7. For the DSRM password, enter Pa$$w0rd in both boxes, and then click Next.
8. On the DNS Options page, click Next.
9. On the Additional Options page, select the check box next to Install from media, in the text box, type C:\ifm and then click verify. When the path has been verified, click Next.
10. On the Paths page, click Next.
11. On the Review Options page, click Next, and then observe the wizard as it performs a check for prerequisites.
12. Click Install and wait while AD DS is configured. While this task is running, read the information messages that display on the screen.


13. Wait for the server to restart.

Results: After completing this exercise, you will have installed an additional domain controller for the branch office by using IFM.

To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.


Module 3: Managing Active Directory Domain Services Objects

Lab: Managing Active Directory Domain Services Objects


Exercise 1: Delegating Administration for a Branch Office
Task 1: Delegate administration for Branch Administrators
1. Switch to LON-DC1.
2. From Server Manager, click Tools.
3. Click Active Directory Users and Computers.
4. In Active Directory Users and Computers, click Adatum.com.
5. Right-click Adatum.com, point to New, and then click Organizational Unit.
6. In the New Object Organizational Unit dialog box, in the Name box, type Branch Office 1, and then click OK.
7. Right-click Branch Office 1, point to New, and then click Group.
8. In the New Object Group dialog box, in the Group name box, type Branch 1 Help Desk, and then click OK.
9. Right-click Branch Office 1, point to New, and then click Group.
10. In the New Object Group dialog box, in the Group name box, type Branch 1 Administrators, and then click OK.
11. Right-click Branch Office 1, point to New, and then click Group.
12. In the New Object Group dialog box, in the Group name box, type Branch 1 Users, and then click OK.
13. In the navigation pane, click IT.
14. In the details pane, right-click Holly Dickson, and then click Move.
15. In the Move dialog box, click Branch Office 1, and then click OK.
16. In the navigation pane, click the Development organizational unit.
17. In the details pane, right-click Bart Duncan, and then click Move.
18. In the Move dialog box, click Branch Office 1, and then click OK.
19. In the navigation pane, click the Managers organizational unit.
20. In the details pane, right-click Ed Meadows, and then click Move.
21. In the Move dialog box, click Branch Office 1, and then click OK.
22. In the navigation pane, click the Marketing organizational unit.
23. In the details pane, right-click Connie Vrettos, and then click Move.
24. In the Move dialog box, click Branch Office 1, and then click OK.
25. In the navigation pane, click the Research organizational unit.


26. In the details pane, right-click Barbara Zighetti, and then click Move.
27. In the Move dialog box, click Branch Office 1, and then click OK.
28. In the navigation pane, click the Sales organizational unit.
29. In the details pane, right-click Arlene Huff, and then click Move.
30. In the Move dialog box, click Branch Office 1, and then click OK.
31. In the navigation pane, click Branch Office 1.
32. In the navigation pane, click Computers.
33. In the details pane, right-click LON-CL1, and then click Move.
34. In the Move dialog box, click Branch Office 1, and then click OK.
35. Switch to LON-CL1.
36. Pause your mouse pointer in the lower-right corner of the display, and then click Settings.
37. Click Power, and then click Restart.
38. When the computer has restarted, log on as Adatum\Administrator with the password of Pa$$w0rd.
39. Switch to the LON-DC1 computer.
40. If necessary, switch to Active Directory Users and Computers.
41. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
42. On the Users or Groups page, click Add.
43. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.
44. On the Users or Groups page, click Next.
45. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:
o Create, delete, and manage user accounts
o Reset user passwords and force password change at next logon
o Read all user information
o Create, delete and manage groups
o Modify the membership of a group
o Manage Group Policy links
46. On the Completing the Delegation of Control Wizard page, click Finish.
47. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
48. On the Users or Groups page, click Add.
49. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.
50. On the Users or Groups page, click Next.
51. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.


52. On the Active Directory Object Type page, select Only the following objects in the folder, select the following check boxes, and then click Next:
o Computer objects
o Create selected objects in this folder
o Delete selected objects in this folder
53. On the Permissions page, select the General check box, and the Full Control check box, and then click Next.
54. On the Completing the Delegation of Control Wizard page, click Finish.

Task 2: Delegate a user administrator for the Branch Office Help Desk
1. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
2. On the Users or Groups page, click Add.
3. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Help Desk and then click OK.
4. On the Users or Groups page, click Next.
5. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:
o Reset user passwords and force password change at next logon
o Read all user information
o Modify the membership of a group
6. On the Completing the Delegation of Control Wizard page, click Finish.

Task 3: Add a member to the Branch Administrators


1. In the navigation pane, click Branch Office 1.
2. In the details pane, right-click Holly Dickson, and then click Add to a group.
3. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.
4. In the Active Directory Domain Services dialog box, click OK.
5. In the details pane, right-click Branch 1 Administrators, and then click Add to a group.
6. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Server Operators, and then click OK.
7. In the Active Directory Domain Services dialog box, click OK.
8. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
9. On LON-DC1, click Sign out.
10. Log on to LON-DC1 as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a domain controller because Holly belongs, indirectly, to the Server Operators domain local group.
11. On the desktop, in the task bar, click Server Manager.
12. In the User Account Control dialog box, in the User name box, type Holly. In the Password box, type Pa$$w0rd, and then click Yes.
13. From Server Manager, click Tools.


14. Click Active Directory Users and Computers.
15. In Active Directory Users and Computers, expand Adatum.com.
16. In the navigation pane, click Sales.
17. In the details pane, right-click Aaren Ekelund, and then click Delete.
18. Click Yes to confirm.
19. Click OK to acknowledge that you do not have permissions to perform this task.
20. In the navigation pane, click Branch Office 1.
21. In the details pane, right-click Ed Meadows, and then click Delete.
22. Click Yes to confirm. You are successful because you have the required permissions.

Task 4: Add a member to the Branch Help Desk group


1. In the details pane, right-click Bart Duncan, and then click Add to a group.
2. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Help Desk, and then click OK.
3. In the Active Directory Domain Services dialog box, click OK.
4. Close Active Directory Users and Computers.
5. Close Server Manager. To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.
6. On the desktop, click Server Manager.
7. In the User Account Control dialog box, in the User name box, type Adatum\Administrator. In the Password box, type Pa$$w0rd, and then click Yes.
8. In Server Manager, click Tools.
9. In the Tools list, click Active Directory Users and Computers.
10. In Active Directory Users and Computers, expand Adatum.com.
11. In the navigation pane, click Branch Office 1.
12. In the details pane, right-click Branch 1 Help Desk, and then click Add to a group.
13. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Server Operators, and then click OK.
14. In the Active Directory Domain Services dialog box, click OK.
15. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
16. On LON-DC1, click Sign out.
17. Log on as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.
18. On the desktop, click Server Manager.
19. In the User Account Control dialog box, in the User name box, type Bart. In the Password box, type Pa$$w0rd, and then click Yes.
20. In Server Manager, click Tools.
21. Click Active Directory Users and Computers.
22. In Active Directory Users and Computers, expand Adatum.com.


23. In the navigation pane, click Branch Office 1.
24. In the details pane, right-click Connie Vrettos, and then click Delete.
25. Click Yes to confirm. You are unsuccessful because you lack the required permissions. Click OK.
26. Right-click Connie Vrettos, and then click Reset Password.
27. In the Reset Password dialog box, in the New password and Confirm password boxes, type Pa$$w0rd, and then click OK.
28. Click OK to confirm the successful password reset.
29. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
30. On LON-DC1, click Sign out.
31. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Results: After this exercise, you should have successfully created the necessary OU and delegated administration of it to the appropriate group.
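A way to verify what Exercise 1 actually granted, as an added example that is not part of the course: it lists the explicit ACEs the Delegation of Control Wizard wrote on the Branch Office 1 OU for the two branch groups, and the accounts that now inherit domain controller logon through Server Operators. It assumes the ActiveDirectory module on LON-DC1 and the NetBIOS domain name ADATUM.

```powershell
Import-Module ActiveDirectory

$ouDN = 'OU=Branch Office 1,DC=Adatum,DC=com'

# Map schema (class/attribute) GUIDs and extended-right GUIDs to names so that each ACE is readable.
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidName[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidName[([guid]$_.rightsGuid).ToString()] = $_.name }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return 'All' }
    $key = $Guid.ToString()
    if ($guidName.ContainsKey($key)) { $guidName[$key] } else { $key }
}

function Get-DelegatedAce([string]$DistinguishedName, [string]$TrusteePattern) {
    # Explicit (non-inherited) ACEs on the OU are exactly what the wizard in Tasks 1 and 2 added.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and "$($_.IdentityReference)" -like $TrusteePattern } |
        Select-Object @{ n = 'Trustee';          e = { "$($_.IdentityReference)" } },
                      @{ n = 'Type';             e = { $_.AccessControlType } },
                      @{ n = 'Rights';           e = { $_.ActiveDirectoryRights } },
                      @{ n = 'RightOrAttribute'; e = { Resolve-AceGuid $_.ObjectType } },
                      @{ n = 'AppliesTo';        e = { Resolve-AceGuid $_.InheritedObjectType } }
}

# Everything delegated to Branch 1 Administrators and Branch 1 Help Desk.
Get-DelegatedAce -DistinguishedName $ouDN -TrusteePattern 'ADATUM\Branch 1*' | Format-Table -AutoSize

# Task 3 nests Branch 1 Administrators inside Server Operators, which allows interactive logon
# on every domain controller; the recursive membership shows who gained that right.
Get-ADGroupMember -Identity 'Server Operators' -Recursive |
    Select-Object objectClass, name, distinguishedName | Format-Table -AutoSize
```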

Exercise 2: Creating and Configuring User Accounts in AD DS


Task 1: Create a template user for the branch office
1. On LON-DC1, on the Taskbar, click Windows Explorer.
2. Click Desktop, and then double-click Computer.
3. Double-click Local Disk (C:).
4. On the menu, click Home, and then click New folder.
5. Type branch1-userdata, and then press Enter.
6. Right-click branch1-userdata, and then click Properties.
7. In the branch1-userdata Properties dialog box, on the Sharing tab, click Advanced Sharing.
8. Select the Share this folder check box, and then click Permissions.
9. In the Permissions for branch1-userdata dialog box, select the Full Control Allow check box, and then click OK.
10. In the Advanced Sharing dialog box, click OK, and then in the branch1-userdata Properties dialog box, click Close.
11. In Server Manager, click Tools.
12. Click Active Directory Users and Computers, and then expand Adatum.com.
13. Right-click Branch Office 1, point to New, and then click User.
14. In the New Object User dialog box, in the Full name box, type _Branch_template.
15. In the User logon name box, type _Branch_template, and click Next.
16. In the Password and Confirm password boxes, type Pa$$w0rd.
17. Select the Account is disabled check box, and then click Next.
18. Click Finish.


Task 2: Configure the template's settings

1. From within the Branch Office 1 OU, right-click _Branch_template, and then click Properties.
2. In the _Branch_template Properties dialog box, on the Address tab, in the City box, type Slough.
3. Click the Member Of tab.
4. Click Add.
5. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Users, and then click OK.
6. Click the Profile tab. Under Home folder, click Connect, and in the To: box, type \\lon-dc1\branch1-userdata\%username%.
7. Click Apply, and then click OK.

Task 3: Create a new user for the branch office, based on the template
1. Right-click _Branch_template, and then click Copy.
2. In the New Object User dialog box, in the First name box, type Ed.
3. In the Last name box, type Meadows.
4. In the User logon name box, type Ed, and then click Next.
5. In the Password and Confirm password boxes, type Pa$$w0rd.
6. Clear the User must change password at next logon check box.
7. Clear the Account is disabled check box, and then click Next.
8. Click Finish.
9. Right-click Ed Meadows, and then click Properties.
10. In the Ed Meadows Properties dialog box, click the Address tab. Notice that the City is configured.
11. Click the Profile tab. Notice that the home folder location is configured.
12. Click the Member Of tab. Notice that Ed belongs to the Branch 1 Users group. Click OK.
13. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
14. On LON-DC1, click Sign out.

Task 4: Log on as a user to test account settings


1. Switch to LON-CL1.
2. On your host computer, in the 20410A-LON-CL1 window, on the menu, click Ctrl+Alt+Delete.
3. On LON-CL1, click Sign out.
4. Log on to LON-CL1 as Adatum\Ed with the password of Pa$$w0rd.
5. On the Start screen, click Desktop.
6. On the Taskbar, click Windows Explorer.
7. In the navigation pane, click Desktop, and then in details, double-click Computer.
8. Verify that Drive Z is mapped to \\lon-dc1\branch1-userdata\Ed.
9. Double-click Ed (\\lon-dc1\branch1-userdata) (Z:).
10. If you receive no errors, you have been successful.


11. On your host computer, in the 20410A-LON-CL1 window, on the Action menu, click Ctrl+Alt+Delete.
12. On LON-CL1, click Sign out.

Results: After this exercise, you should have successfully created and tested a user account created from a template.
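The template copy from Tasks 3 and 4 done with New-ADUser -Instance, as an added example that is not part of the course. It assumes the template, OU, share and user names above; the two comments mark where the cmdlet behaves differently from the Copy command in Active Directory Users and Computers.

```powershell
Import-Module ActiveDirectory

$ou       = 'OU=Branch Office 1,DC=Adatum,DC=com'
$template = Get-ADUser -Identity '_Branch_template' -Properties City, HomeDrive, HomeDirectory
$groups   = (Get-ADUser -Identity '_Branch_template' -Properties MemberOf).MemberOf

# -Instance seeds the new object with the template's attribute values; every parameter given
# here overrides the matching template value. The template stores the home folder as
# \\lon-dc1\branch1-userdata\%username%; ADUC expands %username% while copying, New-ADUser
# does not, so the per-user path is set explicitly.
New-ADUser -Instance $template `
    -Name 'Ed Meadows' -GivenName 'Ed' -Surname 'Meadows' -DisplayName 'Ed Meadows' `
    -SamAccountName 'Ed' -UserPrincipalName 'Ed@adatum.com' -Path $ou `
    -HomeDrive 'Z:' -HomeDirectory '\\lon-dc1\branch1-userdata\Ed' `
    -AccountPassword (Read-Host -Prompt 'Initial password for Ed' -AsSecureString) `
    -ChangePasswordAtLogon $false -Enabled $true

# memberOf is a back-link attribute, so -Instance does not carry group membership over the
# way the ADUC Copy command does; reapply the template's groups (Branch 1 Users) explicitly.
foreach ($groupDN in $groups) { Add-ADGroupMember -Identity $groupDN -Members 'Ed' }

# The same three checks the lab makes in steps 10 to 12: City, home folder, group membership.
Get-ADUser -Identity 'Ed' -Properties City, HomeDirectory, MemberOf |
    Select-Object SamAccountName, City, HomeDirectory,
                  @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] }) -join '; ' } }
```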

Exercise 3: Managing Computer Objects in AD DS


Task 1: Reset a computer account
1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.
2. On the task bar, click Server Manager.
3. In the User Account Control dialog box, in the User name box, type Holly. In the Password box, type Pa$$w0rd, and then click Yes.
4. From Server Manager, click Tools.
5. Click Active Directory Users and Computers.
6. In Active Directory Users and Computers, expand Adatum.com.
7. In the navigation pane, click Branch Office 1.
8. In the details pane, right-click LON-CL1, and then click Reset Account.
9. In the Active Directory Domain Services dialog box, click Yes.

10. In the Active Directory Domain Services dialog box, click OK.

Task 2: Observe the behavior when a client logs on


1. Switch to LON-CL1.
2. Log on as Adatum\Ed with the password Pa$$w0rd.
3. A message is displayed that explains that The trust relationship between this workstation and the primary domain failed.
4. Click OK.

Task 3: Rejoin the domain to reconnect the computer account


1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, right-click the display, click All apps, and in the Apps list, click Control Panel.
3. In Control Panel, in the View by list, click Large icons.
4. Click System.
5. In the navigation list, click Advanced system settings.
6. In System Properties, click the Computer Name tab.
7. Click Network ID.
8. On the Select the option that describes your network page, click Next.
9. On the Is your company network on a domain page, click Next.

10. On the You will need the following information page, click Next.


11. On the Type your user name, password, and domain name for your domain account page, in the Password box, type Pa$$w0rd. The other fields are completed. Click Next.
12. In the User Account and Domain Information dialog box, click Yes.
13. On the Do you want to enable a domain user account on this computer? page, click Do not add a domain user account, and then click Next.
14. Click Finish, and then click OK.
15. In the Microsoft Windows dialog box, click Restart Now.
16. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer had been successfully rejoined.

Results: After this exercise, you should have successfully reset the trust relationship.
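The broken and repaired trust from the workstation's side, as an added example that is not part of the course: it detects the state that Task 2 produces and repairs it in place instead of the leave-and-rejoin in Task 3. It assumes an elevated Windows PowerShell session on LON-CL1 and the lab's domain controller and account names.

```powershell
# Run on LON-CL1 in an elevated Windows PowerShell session.

function Test-LabSecureChannel {
    param([string]$DomainController = 'LON-DC1')
    # Compares the workstation's stored machine-account password with the copy held in AD.
    # After "Reset Account" on the DC the two no longer match, which is what produces the
    # "trust relationship between this workstation and the primary domain failed" logon error.
    Test-ComputerSecureChannel -Server $DomainController
}

function Repair-LabSecureChannel {
    param(
        [string]$DomainController = 'LON-DC1',
        [pscredential]$Credential = (Get-Credential -UserName 'Adatum\Administrator' `
            -Message 'Account allowed to reset the password of the LON-CL1 computer object')
    )
    # -Repair resets the machine-account password on both sides in one step, so the computer
    # keeps its existing account (and SID) and no domain leave/rejoin is needed. The credential
    # needs Reset Password on the computer object; Exercise 1 gave Branch 1 Administrators
    # Full Control over computer objects in the OU, so a member of that group also qualifies.
    Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $Credential
}

if (Test-LabSecureChannel) {
    'Secure channel to the domain is healthy.'
} else {
    'Secure channel is broken; repairing without rejoining the domain.'
    if (Repair-LabSecureChannel -and (Test-LabSecureChannel)) {
        'Repaired; the next domain logon on this workstation will succeed.'
    } else {
        'Repair failed; fall back to the Network ID rejoin described in Task 3.'
    }
}
```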

To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-DC1.


Module 4: Automating Active Directory Domain Services Administration

Lab: Automating AD DS Administration by Using Windows PowerShell


Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
Task 1: Create a user account by using Windows PowerShell
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type the following command, and then press Enter:
New-ADOrganizationalUnit LondonBranch

3. Type the following command, and then press Enter:
New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=LondonBranch,dc=adatum,dc=com"

4. Type the following command, and then press Enter:
Set-ADAccountPassword Ty

5. When prompted for the current password, press Enter.
6. When prompted for the desired password, type Pa$$w0rd, and then press Enter.
7. When prompted to repeat the password, type Pa$$w0rd, and then press Enter.
8. At the Windows PowerShell prompt, type Enable-ADAccount Ty, and then press Enter.
9. On LON-CL1, log on as Ty using a password of Pa$$w0rd.

10. Verify that logon is successful and then sign out of LON-CL1.

Task 2: Create a group by using Windows PowerShell


1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press Enter:
New-ADGroup LondonBranchUsers -Path "ou=LondonBranch,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

2. Type the following command, and then press Enter:
Add-ADGroupMember LondonBranchUsers -Members Ty

3. Type the following command, and then press Enter:
Get-ADGroupMember LondonBranchUsers

Results: After completing this exercise, you will have created user accounts and groups by using Windows PowerShell.


Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk


Task 1: Prepare the .csv file
1. On LON-DC1, on the taskbar, click the Windows Explorer icon.
2. In the Windows Explorer window, expand E:, expand Labfiles, and then click Mod04.
3. Right-click LabUsers.ps1, and then click Edit.
4. In Windows PowerShell ISE, read the comments at the top of the script, and then identify the requirements for the header in the .csv file.
5. Close Windows PowerShell ISE.
6. In Windows Explorer, double-click LabUsers.csv.
7. In the How do you want to open this type of file (.csv) window, click Notepad.
8. In Notepad, type the following line at the top of the file:
FirstName,LastName,Department,DefaultPassword
9. Click File, and then click Save.

10. Close Notepad.

Task 2: Prepare the script


1. On LON-DC1, in Windows Explorer, right-click LabUsers.ps1, and then click Edit.
2. In Windows PowerShell ISE, under Variables, replace C:\path\file.csv with E:\Labfiles\Mod04\LabUsers.csv.
3. Under Variables, replace ou=orgunit,dc=domain,dc=com with ou=LondonBranch,dc=adatum,dc=com.
4. Click File, and then click Save.
5. Scroll down and review the contents of the script.
6. Close Windows PowerShell ISE.

Task 3: Run the script


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter.
3. Type .\LabUsers.ps1, and then press Enter.
4. Type the following command, and then press Enter:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com"

5. Close the Windows PowerShell prompt.
6. On LON-CL1, log on as Luka using a password of Pa$$w0rd.

Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in bulk.


Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk


Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, on the task bar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Format-Wide DistinguishedName

3. Verify that only users from the LondonBranch organizational unit are listed.
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Set-ADUser -ChangePasswordAtLogon $true

5. Close Windows PowerShell.

Task 2: Configure the address for user accounts in LondonBranch


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In Active Directory Administrative Center, in the Navigation pane, browse to Adatum (local) > LondonBranch.
3. Click the Type column header to sort based on the object type.
4. Select all user accounts.
5. Right-click the user accounts, and then click Properties.
6. In the Multiple Users window, under Organization, select the Address check box.
7. In the Street box, type Branch Office.
8. In the City box, type London.
9. In the Country/Region box, select United Kingdom, and then click OK.
10. Close Active Directory Administrative Center.

Results: After completing this exercise, you will have modified user accounts in bulk.
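An added example, not the course's LabUsers.ps1 (whose contents are not reproduced here), of a bulk-creation script that consumes the CSV header from Exercise 2, followed by the two bulk changes from Exercise 3 in PowerShell form. It assumes the lab paths and OU above, that the logon name is the first name (as the logon as Luka suggests), and that the CSV rows are trusted input.

```powershell
Import-Module ActiveDirectory

# Variables (the lab's script has an equivalent section that Task 2 edits)
$csvPath   = 'E:\Labfiles\Mod04\LabUsers.csv'
$targetOU  = 'ou=LondonBranch,dc=adatum,dc=com'
$upnSuffix = 'adatum.com'

# Fail early if the header the lab adds in Exercise 2, Task 1, step 8 is missing or misspelt;
# otherwise every user would be created with empty attributes.
$required = 'FirstName', 'LastName', 'Department', 'DefaultPassword'
$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "No rows found in $csvPath" }
$missing = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV header is missing column(s): $($missing -join ', ')" }

foreach ($row in $rows) {
    $sam = $row.FirstName
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        Write-Warning "Skipping $sam, the account already exists"
        continue
    }
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
        -GivenName $row.FirstName -Surname $row.LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Department $row.Department -Path $targetOU `
        -AccountPassword (ConvertTo-SecureString $row.DefaultPassword -AsPlainText -Force) `
        -Enabled $true
}

# Exercise 3, Task 1: the shared DefaultPassword from the CSV must not survive first use.
Get-ADUser -Filter * -SearchBase $targetOU | Set-ADUser -ChangePasswordAtLogon $true

# Exercise 3, Task 2: the address values entered in Active Directory Administrative Center.
# -Country takes the ISO 3166 two-letter code; ADAC stores it when you pick United Kingdom.
Get-ADUser -Filter * -SearchBase $targetOU |
    Set-ADUser -StreetAddress 'Branch Office' -City 'London' -Country 'GB'

# Verify the result of both exercises in one listing.
Get-ADUser -Filter * -SearchBase $targetOU -Properties Department, City, Country, PasswordExpired |
    Format-Table SamAccountName, Department, City, Country, PasswordExpired -AutoSize
```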

To prepare for the next module


When you finish the lab, revert all virtual machines back to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20410A-LON-DC1.


Module 5: Implementing IPv4

Lab: Implementing IPv4


Exercise 1: Identifying Appropriate Subnets
Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?
Seven bits are required to support 100 hosts on the client subnet (2^7 - 2 = 126, 2^6 - 2 = 62).
2. How many bits are required to support 10 hosts on the server subnet?
Four bits are required to support 10 hosts on the server subnet (2^4 - 2 = 14, 2^3 - 2 = 6).
3. How many bits are required to support 40 hosts on the future expansion subnet?
Six bits are required to support 40 hosts on the future expansion subnet (2^6 - 2 = 62, 2^5 - 2 = 30).
4. If all subnets are the same size, can they be accommodated?
No. If all subnets are the same size, then all subnets must use 7 bits to support 126 hosts. Only a single class C-sized address with 254 hosts has been allocated. Three subnets of 126 hosts would not fit.
5. Which feature allows a single network to be divided into subnets of varying sizes?
Variable length subnet masking allows you to define different subnet masks when subnetting. Therefore, variable length subnet masking allows you to have subnets of varying sizes.
6. How many host bits will you use for each subnet? Use the simplest allocation possible.
The client subnet is 7 host bits. This allows for up to 126 hosts and uses half of the allocated address pool. The server and future expansion subnets are 6 host bits. This allows for up to 62 hosts on each subnet and uses the other half of the address pool.

Task 2: Calculate subnet masks and network IDs


1. Given the number of host bits allocated, what is the subnet mask that you will use for the client subnet?
The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet mask.
Binary: 11111111.11111111.11111111.10000000
Decimal: 255.255.255.128


2. Given the number of host bits allocated, what is the subnet mask that you will use for the server subnet?
The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.
Binary: 11111111.11111111.11111111.11000000
Decimal: 255.255.255.192

3. Given the number of host bits allocated, what is the subnet mask that you will use for the future expansion subnet?
The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.
Binary: 11111111.11111111.11111111.11000000
Decimal: 255.255.255.192

4. For the client subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the client subnet is the first subnet allocated from the available address pool.

Description   Binary                               Decimal
Network ID    11000000.10101000.01100010.00000000  192.168.98.0
First host    11000000.10101000.01100010.00000001  192.168.98.1
Last host     11000000.10101000.01100010.01111110  192.168.98.126
Broadcast     11000000.10101000.01100010.01111111  192.168.98.127

5.

For the server subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the server subnet is the second subnet allocated from the available address pool. Description Network ID First host Last host Broadcast Binary 11000000.10101000.1100010.10000000 11000000.10101000.1100010.10000001 11000000.10101000.1100010.10111110 11000000.10101000.1100010.10111111 Decimal 192.168.98.128 192.168.98.129 192.168.98.190 192.168.98.191

Module 5: Implementing IPv4 L5-27

6.

For the future allocation subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the future allocation subnet is the third subnet allocated from the available address pool. Description Network ID First host Last host Broadcast Binary 11000000.10101000.1100010.11000000 11000000.10101000.1100010.11000001 11000000.10101000.1100010.11111110 11000000.10101000.1100010.11111111 Decimal 192.168.98.192 192.168.98.193 192.168.98.254 192.168.98.255
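The calculations in Tasks 1 and 2 can be checked, and generalized to any pool and any list of subnet sizes, with the following Windows PowerShell script. It is an added example, not part of the course answer key; the function and parameter names are this example's own. It allocates subnets back to back from the start of the pool, as the answer key does, and refuses an allocation that does not fit or is not aligned, which is exactly what question 4 asks about.

```powershell
# Added example, not part of the course lab answer key. Reproduces the Task 1 and
# Task 2 calculations for any base network and list of host-bit sizes (VLSM),
# allocating subnets back to back from the start of the pool.

function ConvertTo-IPv4Integer {
    # Dotted-decimal string -> 32-bit value held in an Int64 (avoids unsigned-type quirks).
    param([Parameter(Mandatory = $true)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function ConvertFrom-IPv4Integer {
    # Int64 value -> dotted-decimal string.
    param([Parameter(Mandatory = $true)][int64]$Value)
    $octets = foreach ($shift in 3, 2, 1, 0) { [int]([math]::Floor($Value / [math]::Pow(256, $shift)) % 256) }
    return ($octets -join '.')
}

function ConvertTo-IPv4Binary {
    # Dotted-decimal string -> the 32-bit binary form shown in the answer key tables.
    param([Parameter(Mandatory = $true)][string]$IPv4)
    $bits = foreach ($o in $IPv4.Split('.')) { [Convert]::ToString([int]$o, 2).PadLeft(8, '0') }
    return ($bits -join '.')
}

function Get-RequiredHostBits {
    # Smallest number of host bits whose usable count (2^n - 2) covers the requested hosts.
    param([Parameter(Mandatory = $true)][int]$Hosts)
    $bits = 2
    while (([math]::Pow(2, $bits) - 2) -lt $Hosts) { $bits++ }
    return $bits
}

function Get-SubnetPlan {
    param(
        [Parameter(Mandatory = $true)][string]$PoolNetwork,   # e.g. 192.168.98.0
        [int]$PoolPrefixLength = 24,                            # the allocated class C-sized block
        [Parameter(Mandatory = $true)][int[]]$HostBits          # per-subnet host bits, in allocation order
    )
    $start = ConvertTo-IPv4Integer $PoolNetwork
    $end   = $start + [int64][math]::Pow(2, 32 - $PoolPrefixLength)   # first address past the pool
    $next  = $start
    foreach ($bits in $HostBits) {
        $size = [int64][math]::Pow(2, $bits)
        if ($next % $size -ne 0) { throw "A subnet of $size addresses is not aligned at $(ConvertFrom-IPv4Integer $next); allocate larger subnets first." }
        if ($next + $size -gt $end) { throw "A subnet of $size addresses does not fit in the $PoolNetwork/$PoolPrefixLength pool." }
        $mask = ConvertFrom-IPv4Integer (4294967295 - ($size - 1))
        [pscustomobject]@{
            HostBits     = $bits
            UsableHosts  = $size - 2
            PrefixLength = 32 - $bits
            SubnetMask   = $mask
            MaskBinary   = ConvertTo-IPv4Binary $mask
            NetworkId    = ConvertFrom-IPv4Integer $next
            FirstHost    = ConvertFrom-IPv4Integer ($next + 1)
            LastHost     = ConvertFrom-IPv4Integer ($next + $size - 2)
            Broadcast    = ConvertFrom-IPv4Integer ($next + $size - 1)
        }
        $next += $size
    }
}

# Lab requirements: 100 clients, 10 servers, 40 hosts for future expansion (Task 1, questions 1-3).
$required = foreach ($n in 100, 10, 40) { Get-RequiredHostBits -Hosts $n }
"Minimum host bits: $($required -join ', ')"    # 7, 4, 6

# Task 2: the answer key rounds the two small subnets up to 6 bits so the halves of the /24 line up.
Get-SubnetPlan -PoolNetwork 192.168.98.0 -HostBits 7, 6, 6 | Format-Table -AutoSize

# Task 1, question 4: three /25 subnets cannot fit in one /24.
try { Get-SubnetPlan -PoolNetwork 192.168.98.0 -HostBits 7, 7, 7 | Out-Null } catch { Write-Warning $_.Exception.Message }
```

The alignment check matters in practice: allocating a /26 before a /25 from the same pool would leave the /25 starting on a boundary it cannot use, which is why the answer key places the largest subnet first.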

Results: After completing this exercise, you will have identified the subnets required to meet the requirements of the lab scenario.

Exercise 2: Troubleshooting IPv4


Task 1: Prepare for troubleshooting
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter.
3. Open a Windows Explorer window, and browse to \\LON-DC1\E$\Labfiles\Mod05.
4. Right-click Break.ps1, and then click Run with PowerShell.
5. Close Windows Explorer.

Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1


1. On LON-SVR2, at the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that the destination host is unreachable.
2. Type tracert LON-DC1, and then press Enter. Notice that the host is unable to find the default gateway, and that it is not the default gateway that is responding.
3. Type ipconfig, and then press Enter. Notice that the default gateway is configured correctly.
4. Type ping 10.10.0.1, and then press Enter. Notice that the default gateway is responding, but that packets are not being routed there.
5. Type Get-NetRoute, and then press Enter. Notice that the entry for the default gateway (0.0.0.0) is correct, but there is an unnecessary entry for the 172.16.0.0 network.
6. Type Remove-NetRoute -DestinationPrefix 172.16.0.0/16, and then press Enter. This removes the unnecessary route to the 172.16.0.0 network. The default gateway will be used for routing instead.
7. Press Y, and then press Enter to confirm removal of the route from the active routes.
8. Type ping LON-DC1, and then press Enter. Notice that the ping is now successful.
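The fault in this task is a more-specific route winning over the default route. The following Windows PowerShell script, an added example that is not part of the course lab, reproduces Windows' route selection (longest matching prefix, then lowest metric) and flags a route that diverts off-link traffic away from the default gateway. The route table it runs against is constructed to resemble LON-SVR2's after Break.ps1; the next hop shown for the bogus 172.16.0.0/16 entry is a made-up value, and the function names are this example's own.

```powershell
# Added example, not part of the course lab. Shows how Windows picks a route
# (longest matching prefix, then lowest metric) and flags the more-specific
# route that diverts traffic for LON-DC1 in this exercise. The sample table
# below is constructed; pass (Get-NetRoute -AddressFamily IPv4) instead to use
# the live table on LON-SVR2.

function Test-IPv4InPrefix {
    # True when $Address falls inside $Prefix (CIDR notation, e.g. 172.16.0.0/16).
    param([Parameter(Mandatory = $true)][string]$Address,
          [Parameter(Mandatory = $true)][string]$Prefix)
    $network, $length = $Prefix -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bitsInOctet = [math]::Min(8, [math]::Max(0, [int]$length - 8 * $i))
        $mask = (0xFF -shl (8 - $bitsInOctet)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Select-BestRoute {
    # Returns the route Windows would use for $Destination, or nothing if none matches.
    param([Parameter(Mandatory = $true)][string]$Destination,
          [Parameter(Mandatory = $true)][object[]]$Routes)
    $Routes |
        Where-Object { Test-IPv4InPrefix -Address $Destination -Prefix $_.DestinationPrefix } |
        Sort-Object -Property @{ Expression = { [int]($_.DestinationPrefix -split '/')[1] }; Descending = $true },
                              @{ Expression = 'RouteMetric'; Descending = $false } |
        Select-Object -First 1
}

function Find-ShadowingRoute {
    # Reports a non-default, off-link route that wins over the default gateway for $Destination.
    param([Parameter(Mandatory = $true)][string]$Destination,
          [Parameter(Mandatory = $true)][object[]]$Routes)
    $best = Select-BestRoute -Destination $Destination -Routes $Routes
    if ($best -and $best.DestinationPrefix -ne '0.0.0.0/0' -and $best.NextHop -ne '0.0.0.0') {
        $best   # traffic to an off-link destination is not using the default gateway
    }
}

# Constructed sample resembling LON-SVR2's table after Break.ps1 (next hop of the
# 172.16.0.0/16 entry is a placeholder value, not taken from the lab).
$routes = @(
    [pscustomobject]@{ DestinationPrefix = '0.0.0.0/0';     NextHop = '10.10.0.1';   RouteMetric = 256 }
    [pscustomobject]@{ DestinationPrefix = '10.10.0.0/24';  NextHop = '0.0.0.0';     RouteMetric = 256 }
    [pscustomobject]@{ DestinationPrefix = '172.16.0.0/16'; NextHop = '10.10.0.254'; RouteMetric = 256 }
)
$lonDc1 = '172.16.0.10'

Find-ShadowingRoute -Destination $lonDc1 -Routes $routes        # reports the 172.16.0.0/16 entry

# What the table looks like after step 6 (Remove-NetRoute -DestinationPrefix 172.16.0.0/16):
$fixed = $routes | Where-Object { $_.DestinationPrefix -ne '172.16.0.0/16' }
Select-BestRoute -Destination $lonDc1 -Routes $fixed            # the default route via 10.10.0.1
```

Used against the live table, `Find-ShadowingRoute -Destination 172.16.0.10 -Routes (Get-NetRoute -AddressFamily IPv4)` gives the same answer the tracert in step 2 hints at, without waiting for the hop-by-hop timeouts.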

Task 3: To Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.

Results: After completing this lab, you will have resolved an IPv4 connectivity problem.


Module 6: Implementing DHCP

Lab: Implementing DHCP


Exercise 1: Implementing DHCP
Task 1: Install DHCP server role
1. Switch to LON-SVR1.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the DHCP Server check box.
7. In the Add Roles and Features Wizard window, click Add Features, and then click Next.
8. On the Select features page, click Next.
9. On the DHCP Server page, click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, wait until the message Installation succeeded on lon-svr1.adatum.com appears, and then click Close.

Task 2: Configure the DHCP scope and options


1. In the Server Manager Dashboard, click Tools, and then click DHCP.
2. In the DHCP console, expand lon-svr1.adatum.com.
3. Right-click lon-svr1.adatum.com, and then click Authorize.
4. In the DHCP console, right-click lon-svr1.adatum.com, and then click Refresh. Notice that the icons next to IPv4 and IPv6 change color from red to green, which means that the DHCP server has been authorized in Active Directory Domain Services (AD DS).
5. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
6. In the New Scope Wizard, click Next.
7. On the Scope Name page, in the Name box, type Branch Office, and then click Next.
8. On the IP Address Range page, complete the page using the following information, and then click Next:
   o Start IP address: 172.16.0.100
   o End IP address: 172.16.0.200
   o Length: 16
   o Subnet mask: 255.255.0.0
9. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
   o Start IP address: 172.16.0.190
   o End IP address: 172.16.0.200
10. On the Lease Duration page, click Next.
11. On the Configure DHCP Options page, click Next.
12. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then click Next.
13. On the Domain Name and DNS Servers page, click Next.
14. On the WINS Servers page, click Next.
15. On the Activate Scope page, click Next.
16. On the Completing the New Scope Wizard page, click Finish.

Task 3: Configure client to use DHCP and then test the configuration
1. To configure a client, switch to the LON-CL1 computer.
2. Move the mouse to the lower right corner of the screen, click the Search icon, and then in the Search box, type Control Panel. Press Enter.
3. In Control Panel, under Network and Internet, click View network status and tasks.
4. In the Network and Sharing Center window, click Change adapter settings.
5. In the Network Connections window, right-click Local Area Connection, and then click Properties.
6. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select the Obtain an IP address automatically radio button, then select the Obtain DNS server address automatically radio button, click OK, and then click Close.
8. Move the mouse to the lower right corner of the screen, click the Search icon, and then in the Search box, type Command Prompt. Press Enter.
9. Type ipconfig /renew, and then press Enter.
10. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by typing ipconfig /all in the command prompt. This command returns information such as the IP address, subnet mask, and DHCP Enabled status, which should be Yes.

Task 4: Configure a lease as a reservation


1. Switch to LON-CL1.
2. In the command prompt, type ipconfig /all, and then press Enter.
3. Write down the Physical Address of the LON-CL1 network adapter.
4. Switch to LON-SVR1.
5. In the Server Manager dashboard, click Tools, and then click DHCP.
6. In the DHCP console, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office, right-click Reservations, and then click New Reservation.
7. In the New Reservation window:
   o in the Reservation Name field, type LON-CL1
   o in the IP address field, type 172.16.0.155
   o in the MAC address field, type the physical address you wrote down in step 3
   o click Add, and then click Close.
8. Switch to LON-CL1.
9. In a command prompt, type ipconfig /release, and then press Enter. This causes LON-CL1 to release any currently leased IP addresses.
10. In a command prompt, type ipconfig /renew, and then press Enter. This causes LON-CL1 to lease any reserved IP addresses.
11. Verify that the IP address of LON-CL1 is now 172.16.0.155.
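The DHCP console steps in Tasks 2 and 4 can be performed with the DhcpServer module that ships with the DHCP Server role on Windows Server 2012. The script below is an added example, not part of the course lab; it uses the lab's names and addresses, the scope-creation function is this example's own, and the client MAC address is a placeholder to be replaced with the value read from ipconfig /all. The same function, called with the 10.10.0.0 values, builds the Branch Office 2 scope of the optional Exercise 2.

```powershell
# Added example, not part of the course lab. Builds the Exercise 1 DHCP
# configuration (Tasks 2 and 4) with the DhcpServer module. Run on LON-SVR1 as
# Adatum\Administrator after Task 1 has installed the DHCP Server role.
Import-Module DhcpServer

# Authorization in AD DS (Task 2, steps 3-4). An unauthorized Windows DHCP server
# refuses to lease addresses, which is what stops a stray domain member from
# answering clients; a non-Windows rogue server is not covered by this check, so
# rogue-DHCP detection still has to happen on the network.
Add-DhcpServerInDC -DnsName lon-svr1.adatum.com -IPAddress 172.16.0.21
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

function New-LabDhcpScope {
    # Scope + exclusion range + router option, activated immediately (wizard steps 5-16).
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$ScopeId,      # network ID of the scope, e.g. 172.16.0.0
        [Parameter(Mandatory = $true)][string]$StartRange,
        [Parameter(Mandatory = $true)][string]$EndRange,
        [Parameter(Mandatory = $true)][string]$SubnetMask,
        [Parameter(Mandatory = $true)][string]$Router,
        [string]$ExcludeStart,
        [string]$ExcludeEnd
    )
    Add-DhcpServerv4Scope -Name $Name -StartRange $StartRange -EndRange $EndRange -SubnetMask $SubnetMask -State Active
    if ($ExcludeStart -and $ExcludeEnd) {
        Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ExcludeStart -EndRange $ExcludeEnd
    }
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router
    Get-DhcpServerv4Scope -ScopeId $ScopeId
}

# Branch Office scope from Task 2. (The optional Exercise 2 scope, Branch Office 2 on
# 10.10.0.0/16 with router 10.10.0.1 and exclusions 10.10.0.190-200, is the same call.)
New-LabDhcpScope -Name 'Branch Office' -ScopeId 172.16.0.0 -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.0.0 -Router 172.16.0.1 -ExcludeStart 172.16.0.190 -ExcludeEnd 172.16.0.200

# Reservation for LON-CL1 (Task 4). Copy the physical address from "ipconfig /all" on the client.
$clientMac = '00-15-5D-00-00-00'   # PLACEHOLDER, not a real lab value
Add-DhcpServerv4Reservation -ScopeId 172.16.0.0 -IPAddress 172.16.0.155 -ClientId $clientMac -Name LON-CL1

# Verification after the client runs "ipconfig /release" and "ipconfig /renew":
Get-DhcpServerv4Reservation -ScopeId 172.16.0.0
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 |
    Where-Object { $_.IPAddress -eq '172.16.0.155' } |
    Format-Table IPAddress, ClientId, HostName, AddressState -AutoSize
```

The reservation address 172.16.0.155 lies inside the scope's distribution range but outside the 172.16.0.190-200 exclusion, which is what the wizard requires; a reservation inside an excluded range is accepted by the server but never offered.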

Task 5: To prepare for the optional exercise


If you are going to do the optional lab, revert the virtual machines that are no longer required. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1.

Results: After completing these tasks, you will have implemented DHCP, configured a DHCP scope and options, and configured a DHCP reservation.

Exercise 2: Implementing a DHCP Relay (Optional Exercise)


Task 1: Install DHCP relay
1. Switch to LON-RTR.
2. In Server Manager, click Tools, and then click Routing and Remote Access.
3. In the navigation pane, expand LON-RTR (local), expand IPv4, right-click General, and then click New Routing Protocol.
4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.

Task 2: Configure DHCP relay


1. In the navigation pane, right-click DHCP Relay Agent, and then click New Interface.
2. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2, and then click OK.
3. In the DHCP Relay Properties - Local Area Connection 2 Properties dialog box, click OK.
4. Right-click DHCP Relay Agent, and then click Properties.
5. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click Add, and then click OK.
6. Close Routing and Remote Access.

Task 3: Test DHCP relay with client


Note: In order to test how a client receives an IP address from DHCP Relay in another subnet, we need to create another DHCP scope.

1. Switch to LON-SVR1.
2. In the Server Manager Dashboard, click Tools, and then click DHCP.
3. In the DHCP console, expand lon-svr1.adatum.com.
4. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
5. In the New Scope Wizard, click Next.
6. On the Scope Name page, in the Name box, type Branch Office 2, and then click Next.
7. On the IP Address Range page, complete the page using the following information, and then click Next:
   o Start IP address: 10.10.0.100
   o End IP address: 10.10.0.200
   o Length: 16
   o Subnet mask: 255.255.0.0
8. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
   o Start IP address: 10.10.0.190
   o End IP address: 10.10.0.200
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 10.10.0.1, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
16. To test the client, switch to LON-CL2.
17. On the Start screen, type Control Panel. Press Enter.
18. Under Network and Internet, click View network status and tasks.
19. In the Network and Sharing Center window, click Change adapter settings, right-click Local Area Connection, and then click Properties.
20. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
21. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click Obtain an IP address automatically, then click Obtain DNS server address automatically, click OK, and then click Close.
22. Navigate to the lower right corner, choose Search from the menu, type cmd, and then press Enter to start Command Prompt.
23. In the command prompt, type the following command: ipconfig /renew
24. Verify that the IP address and DNS server settings on LON-CL2 are obtained from the DHCP Server scope Branch Office 2 installed on LON-SVR1.

Note: The IP address should be from the following range: 10.10.0.100/16 to 10.10.0.200/16.

Task 4: To Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.

Results: After completing these tasks, you will have implemented a DHCP relay agent.


Module 7: Implementing DNS

Lab: Implementing DNS


Exercise 1: Installing and Configuring DNS
Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role
1. Log on to LON-SVR1 as Adatum\Administrator using the password Pa$$w0rd.
2. In the Server Manager console, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, make sure that LON-SVR1.Adatum.com is selected, and then click Next.
6. On the Select server roles page, select Active Directory Domain Services.
7. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
8. On the Select features page, click Next.
9. On the Active Directory Domain Services page, click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, when the Installation succeeded message displays, click Close.
12. In the Server Manager console, in the navigation pane, click AD DS.
13. In the title bar where Configuration required for Active Directory Domain Services at LON-SVR1 displays, click More.
14. On the All Server Task Details and Notifications page, click Promote this server to a domain controller.
15. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, ensure that Add a domain controller to an existing domain is selected, and then click Next.
16. On the Domain Controller Options page, clear the Domain Name System (DNS) server check box, and leave only Global Catalog (GC) selected. Type Pa$$w0rd in both text fields, and then click Next.
17. On the Additional Options page, click Next.
18. On the Paths page, click Next.
19. On the Review Options page, click Next.
20. On the Prerequisites Check page, click Install.

Note: The server will automatically restart as part of the procedure.

21. After LON-SVR1 restarts, log on as Adatum\Administrator.


Task 2: Review configuration settings on the existing DNS server to confirm root hints
1. Log on to LON-DC1 as Adatum\Administrator using the password Pa$$w0rd.
2. In the Server Manager console, click Tools. Click DNS.
3. In the DNS Manager console, click and then right-click LON-DC1, and then select Properties.
4. Click the Root hints tab. Ensure that root hints servers display.
5. Click the Forwarders tab.
6. Ensure that the list displays no entries, and that the Use root hints if no forwarders are available option is selected.
7. Click Cancel.
8. Close the DNS Manager console.

Task 3: Add the DNS server role for the branch office on the domain controller
1. On LON-SVR1, in the Server Manager console, click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, ensure that LON-SVR1.Adatum.com is selected, and then click Next.
5. On the Select server roles page, select DNS Server.
6. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the DNS Server page, click Next.
9. On the Confirm installation selections page, click Install.
10. On the Installation progress page, when the message Installation succeeded displays, click Close.

Task 4: Verify replication of the Adatum.com Active Directory-integrated zone


1. On LON-SVR1, in the Server Manager console, click Tools. Select DNS.
2. In the DNS Manager console, expand LON-SVR1, and then expand Forward Lookup Zones. This container will most likely be empty.
3. Switch back to Server Manager, click Tools, and then select Active Directory Sites and Services.
4. In the Active Directory Sites and Services console, expand Sites, expand Default-First-Site-Name, expand Servers, expand LON-DC1, and then click NTDS Settings.
5. In the right pane, right-click the LON-SVR1 replication connection, and select Replicate Now.

Note: If you receive an error message, proceed to the next step and then retry this step after 3-4 minutes.

6. In the navigation pane, expand LON-SVR1, and then click NTDS Settings.
7. In the right pane, right-click the LON-DC1 replication connection, and then select Replicate Now.
8. Click OK.
9. Switch back to the DNS Manager console, right-click Forward Lookup Zones, and then select Refresh.
10. Ensure that both the _msdcs.Adatum.com and Adatum.com containers display.
11. Close DNS Manager.

Task 5: Use NSLookup to test non-local resolution


1. On LON-SVR1, switch to the Start screen, and type Control Panel. Press Enter.
2. In Control Panel, click View network status and tasks.
3. Click Change adapter settings.
4. Right-click Local Area Connection, and then select Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. In the Preferred DNS server field, remove the IP address, type 127.0.0.1, click OK, and then click Close.
7. On LON-SVR1, right-click the taskbar, and select Task Manager.
8. In the Task Manager window, click More details.
9. Click the File menu, and then click Run new task.
10. In the Create new task window, type cmd, and then press Enter.
11. In the command prompt window, type nslookup, and press Enter.
12. At the nslookup prompt, type www.nwtraders.msft, and then press Enter. You will not receive any reply, because that zone does not exist on the DNS server on LON-SVR1.
13. In the command prompt window, type quit, and press Enter.
14. Leave the command prompt window open.

Task 6: Configure Internet name resolution to forward to the head office


1. On LON-SVR1, open the DNS Manager console.
2. In the DNS Manager console, right-click LON-SVR1, and then click Properties.
3. Click the Forwarders tab, and then click Edit.
4. In the Edit Forwarders window, type 172.16.0.10, and then click OK two times.

Task 7: Use NSLookup to confirm name resolution


1. On LON-SVR1, switch to a command prompt window.
2. In the command prompt window, type nslookup, and then press Enter.
3. At the nslookup prompt, type www.nwtraders.msft, and then press Enter.
4. Ensure that you receive an IP address for this host as a non-authoritative answer.
5. Type quit, and then press Enter.
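The checks and changes of Tasks 2 through 7 map onto the DnsServer and DnsClient modules of Windows Server 2012. The script below is an added example, not part of the course lab; it uses the lab's server names and addresses, and the resolution helper is this example's own. It shows the same before-and-after that nslookup shows in Tasks 5 and 7: the branch server cannot answer for nwtraders.msft on its own, and can once it forwards to the head office.

```powershell
# Added example, not part of the course lab. Scripts the branch-office DNS work of
# Exercise 1 with the DnsServer and DnsClient modules. Run on LON-SVR1 as
# Adatum\Administrator; LON-DC1 (172.16.0.10) is the head-office DNS server.

# Task 3: add the DNS Server role (Task 1 promoted LON-SVR1 without it).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Task 2: the head-office server resolves through root hints and has no forwarders.
Get-DnsServerRootHint -ComputerName LON-DC1 | Format-Table -AutoSize
$fw = Get-DnsServerForwarder -ComputerName LON-DC1
"LON-DC1 forwarders: '$($fw.IPAddress -join ', ')' (UseRootHint=$($fw.UseRootHint))"

# Task 4: the AD-integrated zones show up on LON-SVR1 once AD DS replication has run.
Get-DnsServerZone -ComputerName LON-SVR1 |
    Where-Object { $_.IsDsIntegrated } |
    Format-Table ZoneName, ReplicationScope -AutoSize

# Task 5, step 6: point the local resolver at the local DNS service.
Set-DnsClientServerAddress -InterfaceAlias 'Local Area Connection' -ServerAddresses 127.0.0.1

function Test-NameResolution {
    # Returns the resolved IPv4 address, or $null when the query fails. Resolve-DnsName
    # raises a non-terminating error on a failed lookup, so that is suppressed here.
    param([Parameter(Mandatory = $true)][string]$Name, [string]$Server = '127.0.0.1')
    $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($answer) { return $answer.IPAddress } else { return $null }
}

# Task 5, step 12: without a path to the head office the name does not resolve.
"Before forwarder: $(Test-NameResolution -Name www.nwtraders.msft)"

# Task 6: forward everything LON-SVR1 is not authoritative for to LON-DC1.
Add-DnsServerForwarder -ComputerName LON-SVR1 -IPAddress 172.16.0.10 -PassThru

# Task 7: the answer now arrives, non-authoritatively, via LON-DC1.
"After forwarder:  $(Test-NameResolution -Name www.nwtraders.msft)"
```

A forwarder is a trust decision as well as a routing one: LON-SVR1 will cache and hand to its clients whatever LON-DC1 returns, so the forwarding target should be a server the branch is meant to trust, not an arbitrary resolver.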

Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.


Exercise 2: Creating Host Records in DNS


Task 1: Configure a client to use LON-SVR1 as a DNS server
1. On LON-CL1, log on as Adatum\Administrator using the password Pa$$w0rd.
2. On the Start screen, type Control Panel. Press Enter.
3. In Control Panel, click View network status and tasks.
4. Click Change adapter settings.
5. Right-click Local Area Connection, and then select Properties.
6. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. Delete the IP address for the preferred DNS server. In the Preferred DNS server box, type 172.16.0.21, click OK, and then click Close.

Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, in the Server Manager console, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and select New Host (A or AAAA).
4. In the New Host window, configure the following settings:
   o Name: www
   o IP address: 172.16.0.100
5. Click Add Host, and then click OK.
6. In the New Host window, configure the following settings:
   o Name: ftp
   o IP address: 172.16.0.200
7. Click Add Host, click OK, and then click Done.

Task 3: Verify replication of new records to LON-SVR1


1. On LON-SVR1, in the Server Manager console, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-SVR1, expand Forward Lookup Zones, and then click Adatum.com.
3. Ensure that both the www and ftp resource records display. (If they do not display, right-click Adatum.com, and then select Refresh.) It may take a couple of minutes for the records to appear.

Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.
2. In the Task Manager window, click More details.
3. Open the File menu, and then select Run new task.
4. In the Create new task window, type cmd, and then press Enter.
5. In the command prompt window, type ping www.adatum.com, and then press Enter.
6. Make sure that the name resolves to 172.16.0.100. (You will not receive replies.)
7. Type ping ftp.adatum.com, and then press Enter.
8. Ensure that the name resolves to 172.16.0.200. (You will not receive replies.)
9. Close the command prompt window and Task Manager.

Results: After completing this exercise, you will have configured DNS records.

Exercise 3: Managing the DNS Server Cache


Task 1: Use the ping command to locate Internet record from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.
2. In the Task Manager window, click More details.
3. Open the File menu, and select Run new task.
4. In the Create new task window, type cmd, and then press Enter.
5. In the command prompt window, type ping www.nwtraders.msft, and then press Enter.
6. Ping will not work, but ensure that the name resolves to an IP address.
7. Leave the command prompt window open.

Task 2: Update Internet record to point to the LON-DC1 IP address, retry the location using ping
1. On LON-DC1, open DNS Manager.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click nwtraders.msft.
3. In the right pane, right-click www, and then select Properties.
4. Change the IP address to 172.16.0.10, and then click OK.
5. Switch back to LON-CL1.
6. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. Ping will not work, and the old IP address will still be displayed in the command prompt window.

Task 3: Examine the content of the DNS cache


1. Switch to LON-SVR1, and in the Server Manager console, click Tools, and then click DNS.
2. Select LON-SVR1, click the View menu, and then select Advanced.
3. Expand LON-SVR1, expand the Cached Lookups node, expand .(root), expand msft, and then click nwtraders.
4. In the right pane, examine the cached content.
5. Switch to LON-CL1.
6. In the command prompt window, type ipconfig /displaydns, and then press Enter.
7. Look for cached entries.

Task 4: Clear the cache, and retry ping


1. On LON-SVR1, in the DNS Manager console, right-click LON-SVR1, and then select Clear Cache.
2. Switch to LON-CL1.
3. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. The reply will still show the old IP address.
4. In the command prompt window, type ipconfig /flushdns, and then press Enter.
5. In the command prompt window, type ping www.nwtraders.msft, and press Enter.
6. Ping should now work on address 172.16.0.10.
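Exercises 2 and 3 together make one point: a changed record is not seen by clients until every cache between them and the authoritative server has expired or been cleared. The following script, an added example that is not part of the course lab, creates the Exercise 2 host records and then walks through the Exercise 3 cache behaviour with the DnsServer and DnsClient modules. Names and addresses are the lab's; the two helper functions are this example's own.

```powershell
# Added example, not part of the course lab. Exercise 2, Task 2 (host records on
# LON-DC1) and Exercise 3 (stale answers from the server and client caches).
# Run on LON-SVR1 as Adatum\Administrator; LON-SVR1 forwards to LON-DC1.
Import-Module DnsServer

# Exercise 2, Task 2: host records in the AD-integrated Adatum.com zone.
Add-DnsServerResourceRecordA -ComputerName LON-DC1 -ZoneName Adatum.com -Name www -IPv4Address 172.16.0.100
Add-DnsServerResourceRecordA -ComputerName LON-DC1 -ZoneName Adatum.com -Name ftp -IPv4Address 172.16.0.200
# Exercise 2, Task 3: confirm they replicated to the branch server.
Get-DnsServerResourceRecord -ComputerName LON-SVR1 -ZoneName Adatum.com -RRType A |
    Format-Table HostName, RecordData -AutoSize

function Get-ResolvedIPv4 {
    # IPv4 address the local resolver (client cache first, then LON-SVR1) returns for $Name.
    param([Parameter(Mandatory = $true)][string]$Name)
    $a = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($a) { return $a.IPAddress } else { return $null }
}

function Set-ARecordAddress {
    # Replaces the IPv4 address of an existing A record on the authoritative server
    # (Exercise 3, Task 2, steps 3-4). Set-DnsServerResourceRecord needs old and new objects.
    param([string]$Server, [string]$Zone, [string]$Name, [string]$NewAddress)
    $old = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $Name -RRType A
    $new = $old.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($NewAddress)
    Set-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -OldInputObject $old -NewInputObject $new
}

# Exercise 3, Tasks 1-2: resolve once (this populates both caches), then change the record.
$before = Get-ResolvedIPv4 -Name www.nwtraders.msft
Set-ARecordAddress -Server LON-DC1 -Zone nwtraders.msft -Name www -NewAddress 172.16.0.10
$stale  = Get-ResolvedIPv4 -Name www.nwtraders.msft      # same as $before: answered from cache

# Task 3: where the stale answer lives, and how long it will live (TimeToLive counts down).
Show-DnsServerCache -ComputerName LON-SVR1 |
    Where-Object { $_.HostName -like '*nwtraders*' } |
    Format-Table HostName, RecordType, TimeToLive, RecordData -AutoSize
Get-DnsClientCache |
    Where-Object { $_.Entry -like '*nwtraders*' } |
    Format-Table Entry, Data, TimeToLive -AutoSize

# Task 4: clearing the server cache alone is not enough while the client cache still answers.
Clear-DnsServerCache -ComputerName LON-SVR1 -Force
$afterServerClear = Get-ResolvedIPv4 -Name www.nwtraders.msft   # still the old address
Clear-DnsClientCache                                           # the cmdlet form of ipconfig /flushdns
$afterClientClear = Get-ResolvedIPv4 -Name www.nwtraders.msft   # 172.16.0.10
"before=$before stale=$stale serverCleared=$afterServerClear clientCleared=$afterClientClear"
```

The order of the two clears matters: flushing the client first would only make it re-ask LON-SVR1, whose cache would hand back the old address again and repopulate the client. The same reasoning applies to incident response, where a poisoned or outdated record has to be purged from the resolver chain from the authoritative side outwards.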

Task 5: To prepare for next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Results: After completing this exercise, you will have examined the DNS Server cache.


Module 8: Implementing IPv6

Lab: Implementing IPv6


Exercise 1: Configuring an IPv6 Network
Task 1: Verify IPv4 routing
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type ping lon-dc1, and then press Enter.
3. Notice that there are four replies from 172.16.0.10.
4. Type ipconfig, and then press Enter. Verify that the only IPv6 address listed is a link-local address.

Task 2: Disable IPv6 on LON-DC1


1. On LON-DC1, in Server Manager, click Local Server.
2. In the Properties window, beside Local Area Connection, click 172.16.0.10, IPv6 enabled.
3. In the Network Connections window, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties window, clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
5. Close the Network Connections window.
6. In Server Manager, verify that Local Area Connection lists only 172.16.0.10. You may need to refresh the view.

Task 3: Disable IPv4 on LON-SVR2


1. On LON-SVR2, in Server Manager, click Local Server.
2. In the Properties window, next to Local Area Connection, click 10.10.0.24, IPv6 enabled.
3. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
4. In the Local Area Connection 2 Properties window, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK.
5. Close the Network Connections window.
6. In Server Manager, verify that Local Area Connection now lists only IPv6 enabled. You may need to refresh the view.

Task 4: Configure an IPv6 network on LON-RTR


1. On LON-RTR, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
   New-NetRoute -InterfaceAlias "Local Area Connection 2" -DestinationPrefix 2001:db8:0:1::/64 -Publish Yes
3. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
   Set-NetIPInterface -InterfaceAlias "Local Area Connection 2" -AddressFamily IPv6 -Advertising Enabled
4. Type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on the 2001:db8:0:1::/64 network.

Task 5: Verify IPv6 on LON-SVR2


On LON-SVR2, at the Windows PowerShell prompt, type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on the 2001:db8:0:1::/64 network.

Results: After completing the exercise, students will have configured an IPv6-only network.

Exercise 2: Configuring an ISATAP Router


Task 1: Add an ISATAP host record to DNS
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type ISATAP.
5. In the IP address box, type 172.16.0.1, and then click Add Host.
6. Click OK to clear the success message.
7. Click Done to close the New Host window.
8. Close DNS Manager.

Task 2: Enable the ISATAP router on LON-RTR


1. On LON-RTR, at the Windows PowerShell prompt, type the following command, and then press Enter:
   Set-NetIsatapConfiguration -Router 172.16.0.1
2. Type the following command, and then press Enter:
   Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address
3. Record the InterfaceIndex of the isatap interface that has an IPv6 address that includes 172.16.0.1. Interface index: ________
4. Type the following command, and then press Enter:
   Get-NetIPInterface -InterfaceIndex IndexYouRecorded -PolicyStore ActiveStore | Format-List
5. Verify that Forwarding is enabled for the interface and that Advertising is disabled.
6. Type the following command, and then press Enter:
   Set-NetIPInterface -InterfaceIndex IndexYouRecorded -Advertising Enabled
7. Type the following command, and then press Enter:
   New-NetRoute -InterfaceIndex IndexYouRecorded -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes
8. Type the following command, and then press Enter:
   Get-NetIPAddress -InterfaceIndex IndexYouRecorded
9. Verify that an IPv6 address is listed on the 2001:db8:0:2::/64 network.

Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, at the Windows PowerShell prompt, type regedit, and then press Enter.
2. In the Registry Editor window, expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, expand DNS, click Parameters, and then double-click GlobalQueryBlockList.
3. In the Edit Multi-String window, delete isatap, and then click OK.
4. If an error appears indicating that there was an empty string, click OK to continue.
5. Close the Registry Editor.
6. At the Windows PowerShell prompt, type Restart-Service DNS -Verbose, and then press Enter.
7. Type ping isatap, and then press Enter. The name should resolve, and you should receive four Request timed out messages from 172.16.0.1.

Task 4: Enable ISATAP on LON-DC1


1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press Enter:
   Set-NetIsatapConfiguration -State Enabled
2. Type ipconfig, and then press Enter.
3. Verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network. Notice that this address includes the IPv4 address of NYC-DC1.
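Exercise 1 Task 4 and Exercise 2 Tasks 2 through 4 are all NetTCPIP and DnsServer module work, and the one manual step (reading the ISATAP interface index off the screen) can be scripted. The block below is an added example, not part of the course lab; interface aliases, prefixes and addresses are the lab's, the helper function is this example's own, and the pattern used to recognise the ISATAP tunnel interface (alias beginning with "isatap", address containing the embedded IPv4 address) is an assumption about how Windows names and formats it. It also replaces the Task 3 registry edit with the equivalent DnsServer cmdlet.

```powershell
# Added example, not part of the course lab. Scripts Exercise 1 Task 4 and
# Exercise 2 Tasks 2-4 with the NetTCPIP and DnsServer modules on Windows
# Server 2012. The ISATAP interface-matching pattern is an assumption.

# ----- LON-RTR: advertise the IPv6 prefix on the IPv6-only segment (Exercise 1, Task 4)
New-NetRoute -InterfaceAlias 'Local Area Connection 2' -DestinationPrefix '2001:db8:0:1::/64' -Publish Yes
Set-NetIPInterface -InterfaceAlias 'Local Area Connection 2' -AddressFamily IPv6 -Advertising Enabled
Get-NetIPAddress -InterfaceAlias 'Local Area Connection 2' -AddressFamily IPv6 | Format-Table IPv6Address, PrefixLength -AutoSize

# ----- LON-RTR: become the ISATAP router (Exercise 2, Task 2)
Set-NetIsatapConfiguration -Router 172.16.0.1

function Get-IsatapInterfaceIndex {
    # Index of the ISATAP tunnel interface whose address embeds $EmbeddedIPv4 (Task 2, step 3).
    param([Parameter(Mandatory = $true)][string]$EmbeddedIPv4)
    $addr = Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.IPv6Address -like "*$EmbeddedIPv4*" } |
        Select-Object -First 1
    if (-not $addr) { throw "No ISATAP interface carrying $EmbeddedIPv4 was found." }
    return $addr.InterfaceIndex
}

$index = Get-IsatapInterfaceIndex -EmbeddedIPv4 172.16.0.1
Get-NetIPInterface -InterfaceIndex $index -AddressFamily IPv6 -PolicyStore ActiveStore |
    Format-List InterfaceAlias, Forwarding, Advertising            # Forwarding on, Advertising off (step 5)
Set-NetIPInterface -InterfaceIndex $index -AddressFamily IPv6 -Advertising Enabled
New-NetRoute -InterfaceIndex $index -DestinationPrefix '2001:db8:0:2::/64' -Publish Yes
Get-NetIPAddress -InterfaceIndex $index -AddressFamily IPv6 | Format-Table IPv6Address, PrefixLength -AutoSize

# ----- LON-DC1: let the DNS server answer for "isatap" (Task 3), then enable ISATAP (Task 4)
# This is the same change the lab makes in the registry. The global query block list
# exists so that an ordinary host that registers the name "isatap" (or "wpad") cannot
# make itself the ISATAP router or proxy for the whole domain; only isatap is removed,
# and the remaining entries are kept.
$list = (Get-DnsServerGlobalQueryBlockList).List | Where-Object { $_ -ne 'isatap' }
Set-DnsServerGlobalQueryBlockList -List $list
Restart-Service DNS -Verbose

Set-NetIsatapConfiguration -State Enabled
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPv6Address -like '2001:db8:0:2:*' } |
    Format-Table InterfaceAlias, IPv6Address -AutoSize
# The ISATAP address is prefix + 0:5efe: + embedded IPv4, so LON-DC1 answers on
# 2001:db8:0:2:0:5efe:172.16.0.10, which is the target of the ping in Task 5.
```

Once the isatap name is resolvable, control of that DNS record is control of every ISATAP host's IPv6 default path; keep the record owned by the DNS administrators and watch for dynamic updates to it, as the block list was the only thing preventing a client from registering it.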

Task 5: Test connectivity


1. On LON-SVR2, at the Windows PowerShell prompt, type the following command, and then press Enter:
   ping 2001:db8:0:2:0:5efe:172.16.0.10
2. In Server Manager, if necessary, click Local Server.
3. In the Properties window, next to Local Area Connection 2, click IPv6 enabled.
4. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
5. In the Local Area Connection 2 Properties window, click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.
6. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click Use the following DNS server addresses.
7. In the Preferred DNS server box, type 2001:db8:0:2:0:5efe:172.16.0.10, and then click OK.
8. In the Local Area Connection 2 Properties window, click Close.
9. Close the Network Connections window.
10. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that four replies are received from LON-DC1.


Task 6: To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.

Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to allow communication between an IPv6-only network and an IPv4-only network.


Module 9: Implementing Local Storage

Lab: Implementing Local Storage


Exercise 1: Installing and Configuring a New Disk
Task 1: Initialize a new disk
1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then in the Tools drop-down list, click Computer Management.
3. In the Computer Management console, under the Storage node, click Disk Management.
4. In the Disks pane, right-click Disk 2, and then from the drop-down list, click Online.
5. Right-click Disk 2, and then click Initialize Disk.
6. In the Initialize Disk dialog box, select the Disk 2 check box, ensure that all other disk check boxes are cleared, click GPT (GUID Partition Table), and then click OK.

Task 2: Create and format two simple volumes on the disk

1. In the Computer Management console, in Disk Management, right-click the unallocated space (the black box) to the right of Disk 2, and then click New Simple Volume.
2. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
3. On the Specify Volume Size page, in the Simple volume size in MB field, type 4000, and then click Next.
4. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected and that F is selected in the drop-down menu, and then click Next.
5. On the Format Partition page, from the File system drop-down menu, click NTFS, in the Volume label text box, type Volume1, and then click Next.
6. On the Completing the New Simple Volume Wizard page, click Finish.
7. In the Disk Management window, right-click the unallocated space to the right of Disk 2, and then click New Simple Volume.
8. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
9. On the Specify Volume Size page, in the Simple volume size in MB field, type 5000, and then click Next.
10. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected and that G is selected in the drop-down list, and then click Next.
11. On the Format Partition page, from the File system drop-down menu, click ReFS, in the Volume label text box, type Volume2, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.

Task 3: Verify the drive letter in a Windows Explorer window

1. On the taskbar, open a Windows Explorer window, expand Computer, and then click Volume1 (F:).
2. In Windows Explorer, click Volume2 (G:), right-click Volume2 (G:), point to New, and then click Folder.
3. In the New folder field, type Folder1, and then press Enter.

Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and formatted them. You should also have verified that the drive letters are available in Windows Explorer.

Exercise 2: Resizing Volumes

Task 1: Shrink Volume1

1. On LON-SVR1, switch to the Computer Management console.
2. In the Computer Management console, in Disk Management, in the middle pane, right-click Volume1 (F:), and then click Shrink Volume.
3. In the Shrink F: window, in the Enter the amount of space to shrink in MB field, type 1000, and then click Shrink.

Task 2: Extend Volume2

1. On LON-SVR1, in Disk Management, in the middle pane, right-click Volume2 (G:), and then click Extend Volume.
2. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
3. On the Select Disks page, in the Select the amount of space in MB field, type 1000, and then click Next.
4. On the Completing the Extend Volume Wizard page, click Finish.
5. In a Windows Explorer window, click Volume2 (G:), and verify that Folder1 is available on the volume.

Results: After this lab, you should have made one volume smaller, and extended another.
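Exercises 1 and 2 as one added PowerShell example (not course material). It assumes the Windows Server 2012 Storage module, that the new disk is disk number 2, and the same sizes, drive letters and labels as the lab; the resize helper also covers the case the lab avoids, a shrink that the file system or layout does not allow.

```powershell
# Added example, not from the course: Exercises 1 and 2 of this lab in PowerShell
# (Storage module, Windows Server 2012). Assumes Disk 2 is the new disk and the
# same volume sizes, letters and labels as the lab steps.
Import-Module Storage

$diskNumber = 2

# Task 1: bring the disk online, clear the read-only flag and initialize it as GPT.
$disk = Get-Disk -Number $diskNumber
if ($disk.IsOffline)  { Set-Disk -Number $diskNumber -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number $diskNumber -IsReadOnly $false }
if ($disk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $diskNumber -PartitionStyle GPT
}

# Task 2: two simple volumes. Volume1 is NTFS; Volume2 is ReFS.
New-Partition -DiskNumber $diskNumber -Size 4000MB -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Volume1' -Confirm:$false
New-Partition -DiskNumber $diskNumber -Size 5000MB -DriveLetter G |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Volume2' -Confirm:$false

# Exercise 2: resize, but only within what the file system and the disk layout allow.
# Get-PartitionSupportedSize reports SizeMin (how far the volume can shrink without
# losing data; for ReFS this equals the current size, because ReFS cannot shrink) and
# SizeMax (how far it can grow into the unallocated space that follows it).
function Resize-VolumeSafely {
    param([char]$DriveLetter, [long]$DeltaBytes)   # negative delta shrinks, positive extends
    $part   = Get-Partition -DriveLetter $DriveLetter
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    $target = $part.Size + $DeltaBytes
    if ($target -lt $limits.SizeMin -or $target -gt $limits.SizeMax) {
        throw ('Cannot resize {0}: to {1:N0} bytes; supported range is {2:N0}..{3:N0}' -f
               $DriveLetter, $target, $limits.SizeMin, $limits.SizeMax)
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $target
    Get-Volume -DriveLetter $DriveLetter |
        Select-Object DriveLetter, FileSystemLabel, FileSystem, Size
}

Resize-VolumeSafely -DriveLetter F -DeltaBytes (-1000MB)   # Task 1: shrink Volume1 (NTFS) by 1000 MB
Resize-VolumeSafely -DriveLetter G -DeltaBytes 1000MB      # Task 2: extend Volume2 (ReFS) by 1000 MB
```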

Exercise 3: Configuring a Redundant Storage Space

Task 1: Create a storage pool from five disks that are attached to the server

1. On LON-SVR1, on the taskbar, click the Server Manager icon.
2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down menu, click New Storage Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1, and then click Next.
6. On the Select physical disks for the storage pool page, click the following physical disks, and then click Next:
   o PhysicalDisk3
   o PhysicalDisk4
   o PhysicalDisk5
   o PhysicalDisk6
   o PhysicalDisk7
7. On the Confirm selections page, click Create.
8. On the View results page, wait until the creation completes, and then click Close.

Task 2: Create a three-way mirrored virtual disk

1. On LON-SVR1, in Server Manager, in the Storage Spaces pane, click StoragePool1.
2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down menu, click New Virtual Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the server and storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored Disk, and then click Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click Next.
10. On the Confirm selections page, click Create.
11. On the View results page, wait until the creation completes, ensure that the Create a volume when this wizard closes check box is selected, and then click Close.
12. In the New Volume Wizard window, on the Before you begin page, click Next.
13. On the Select the server and disk page, in the Disk pane, click the Mirrored Disk virtual disk, and then click Next.
14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, ensure that H is selected in the Drive letter drop-down menu, and then click Next.
16. On the Select file system settings page, in the File system drop-down menu, select ReFS, in the Volume label box, type Mirrored Volume, and then click Next.
17. On the Confirm selections page, click Create.
18. On the Completion page, wait until the creation completes, and then click Close.

Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer

1. Go to the Start screen, type command prompt, and then press Enter.
2. In the command prompt window, type the following command, and then press Enter:
Copy C:\windows\system32\mspaint.exe H:\
3. Close the command prompt window.
4. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored Volume (H:).
5. Verify that mspaint.exe displays in the file list.
6. Close Windows Explorer.

Task 4: Remove a physical drive

1. On the host machine, in Hyper-V Manager, in the Virtual Machines pane, right-click 20410A-LON-SVR1, and then click Settings.
2. In Settings for 20410A-LON-SVR1, in the Hardware pane, click Hard Drive 20410A-LON-SVR1Disk5.vhdx.
3. In the Hard Drive pane, click Remove, and then click OK. Click Continue.

Task 5: Verify that the mspaint.exe file is still accessible

1. Switch to LON-SVR1.
2. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored Volume (H:).
3. In the file list pane, verify that mspaint.exe is still available.
4. Close Windows Explorer.
5. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Notice the warning that displays next to Mirrored Disk.
6. In the VIRTUAL DISK pane, right-click Mirrored Disk, and then click Properties.
7. In the Mirrored Disk Properties window, in the left pane, click Health. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete or Degraded.
8. Click OK to close the Mirrored Disk Properties window.

Task 6: Add a new disk to the storage pool

1. Switch to LON-SVR1.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then click Add Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk8 (LON-SVR1), and then click OK.

Results: After completing this lab, you should have created a storage pool and added five disks to it. Then you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. Next, you should have verified that the virtual disk was still available and could be accessed after removing a physical drive. Finally, you should have added another physical disk to the storage pool.
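Exercise 3 as an added PowerShell example (not course material). It assumes the Storage module of Windows Server 2012, poolable disks named PhysicalDisk3 through PhysicalDisk7 and a replacement disk named PhysicalDisk8 as in the lab, and it adds the health check a defender would script for Tasks 5 and 6 so a degraded space is alarmed on rather than noticed by a user.

```powershell
# Added example, not from the course: Exercise 3 in PowerShell (Storage module,
# Windows Server 2012). Assumes the five poolable disks are PhysicalDisk3..7 and that
# PhysicalDisk8 is the replacement disk, as in the lab.
Import-Module Storage

$poolName = 'StoragePool1'
$vdName   = 'Mirrored Disk'

# Task 1: pool the five disks. Only disks reported as CanPool are eligible.
$wanted    = 'PhysicalDisk3', 'PhysicalDisk4', 'PhysicalDisk5', 'PhysicalDisk6', 'PhysicalDisk7'
$poolDisks = @(Get-PhysicalDisk -CanPool $true | Where-Object { $_.FriendlyName -in $wanted })
if ($poolDisks.Count -lt 5) { throw "A three-way mirror needs five disks; found $($poolDisks.Count) poolable" }
$subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $poolDisks | Out-Null

# Task 2: thin, three-way mirrored 10 GB virtual disk (NumberOfDataCopies 3), then H: as ReFS.
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB | Out-Null
$disk = Get-VirtualDisk -FriendlyName $vdName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter H |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false

# Task 3: copy the file to the mirrored volume.
Copy-Item -Path C:\Windows\System32\mspaint.exe -Destination H:\

# Task 5 as a check: after a disk is pulled the data stays readable, but the virtual
# disk reports Warning / Incomplete or Degraded and one physical disk is unhealthy.
function Get-SpaceHealth {
    param([string]$VirtualDiskName)
    Update-HostStorageCache   # re-enumerate so a removed disk is no longer reported as Healthy
    $vd   = Get-VirtualDisk -FriendlyName $VirtualDiskName
    $lost = $vd | Get-PhysicalDisk | Where-Object { $_.HealthStatus -ne 'Healthy' }
    [pscustomobject]@{
        VirtualDisk       = $vd.FriendlyName
        HealthStatus      = $vd.HealthStatus        # Warning once a copy is missing
        OperationalStatus = $vd.OperationalStatus   # Incomplete or Degraded
        UnhealthyDisks    = ($lost | ForEach-Object { "$($_.FriendlyName): $($_.OperationalStatus)" }) -join ', '
        FileStillReadable = Test-Path H:\mspaint.exe
    }
}
Get-SpaceHealth -VirtualDiskName $vdName

# Task 6: add the replacement disk. Adding a disk alone does not rebuild the missing
# copy; retire the lost disk and repair so the space returns to three copies.
Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks (Get-PhysicalDisk -FriendlyName 'PhysicalDisk8')
Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk |
    Where-Object { $_.OperationalStatus -ne 'OK' } |
    ForEach-Object { Set-PhysicalDisk -FriendlyName $_.FriendlyName -Usage Retired }
Repair-VirtualDisk -FriendlyName $vdName
Get-SpaceHealth -VirtualDiskName $vdName
```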

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1.


Module 10: Implementing File and Print Services

Lab: Implementing File and Print Services

Exercise 1: Creating and Configuring a File Share

Task 1: Create the folder structure for the new share

1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the taskbar, click the Windows Explorer shortcut.
3. In a Windows Explorer window, in the navigation pane, expand Computer, and then click Allfiles (E:).
4. On the menu toolbar, click Home, click New folder, type Data, and then press Enter.
5. Double-click the Data folder.
6. On the menu toolbar, click Home, click New folder, type Development, and then press Enter.
7. Repeat step 6 for the following new folder names:
   o Marketing
   o Research
   o Sales

Task 2: Configure NTFS permissions on the folder structure

1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
2. In the Data Properties window, click Security, and then click Advanced.
3. In the Advanced Security Settings for Data window, click Disable Inheritance.
4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.
5. Click OK to close the Advanced Security Settings for Data window.
6. Click OK to close the Data Properties window.
7. In Windows Explorer, double-click the Data folder.
8. Right-click the Development folder, and then click Properties.
9. In the Development Properties window, click Security, and then click Advanced.
10. In the Advanced Security Settings for Development window, click Disable Inheritance.
11. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.
12. Remove the two permissions entries for Users (LON-SVR1\Users), and then click OK.
13. On the Security tab, click Edit.
14. In the Permissions for Development window, click Add.
15. Type Development, click Check names, and then click OK.
16. Select the check box for Allow Modify in the Permissions for Development section.
17. Click OK to close the Permissions for Development window.
18. Click OK to close the Development Properties window.
19. Repeat steps 8 through 18 for the Marketing, Research, and Sales folders, assigning Modify permissions to the Marketing, Research, and Sales groups for their respective folders.

Task 3: Create the shared folder

1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
2. In the Data Properties window, click the Sharing tab, and then click Advanced Sharing.
3. In the Advanced Sharing window, select the Share this folder check box, and then click Permissions.
4. In the Permissions for Data window, click Add.
5. Type Authenticated Users, click Check names, and then click OK.
6. In the Permissions for Data window, click Authenticated Users, and then select the Allow check box for the Change permission.
7. Click OK to close the Permissions for Data window.
8. Click OK to close the Advanced Sharing window.
9. Click Close to close the Data Properties window.

Task 4: Test access to the shared folder

1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

Note: Bernard is a member of the Development group.

2. On the Start screen, click the Desktop tile.
3. On the taskbar, click the Windows Explorer icon.
4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.
5. Double-click the Development folder.

Note: Bernard should have access to the Development folder.

6. Attempt to access the Marketing, Research, and Sales folders. NTFS permissions on these folders will prevent you from doing this.

Note: Bernard can still see the other folders, even though he does not have access to their contents.

7. Log off LON-CL1.

Task 5: Enable access-based enumeration

1. Switch to LON-SVR1.
2. On the taskbar, click the Server Manager icon.
3. In Server Manager, in the navigation pane, click File and Storage Services.
4. On the File and Storage Services page, in the navigation pane, click Shares.
5. In the Shares pane, right-click Data, and then click Properties.
6. Click Settings, and then select the Enable access-based enumeration check box.
7. Click OK to close the Data Properties window.
8. Close Server Manager.

Task 6: Test access to the share

1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.
2. Click the Desktop tile.
3. On the taskbar, click the Windows Explorer icon.
4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.

Note: Bernard can now view only the Development folder, the folder for which he has been assigned permissions.

5. Double-click the Development folder.

Note: Bernard should have access to the Development folder.

6. Log off LON-CL1.

Task 7: Disable Offline Files for the share

1. Switch to LON-SVR1.
2. On the taskbar, click the Windows Explorer icon.
3. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
4. In the Data Properties window, click the Sharing tab, click Advanced Sharing, and then click Caching.
5. In the Offline Settings window, select No files or programs from the shared folder are available offline, and then click OK.
6. Click OK to close the Advanced Sharing window.
7. Click Close to close the Data Properties window.
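Tasks 1 through 3, 5 and 7 of this exercise as an added PowerShell example (not course material). It assumes E:\Data on LON-SVR1 and the domain groups ADATUM\Development, Marketing, Research and Sales from the lab, and it shows the inheritance gotcha the GUI hides: inherited entries only become removable after the protected ACL has been written back.

```powershell
# Added example, not from the course: Exercise 1 (Tasks 1-3, 5 and 7) in PowerShell.
# Assumes E:\Data on LON-SVR1 and the domain groups ADATUM\Development, Marketing,
# Research and Sales, as in the lab.
Import-Module SmbShare

$root  = 'E:\Data'
$depts = 'Development', 'Marketing', 'Research', 'Sales'

# Task 1: folder structure.
New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($d in $depts) { New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null }

# Caveat: SetAccessRuleProtection($true, $true) converts the inherited entries into
# explicit ones only when the ACL is written back. Until Set-Acl runs, the in-memory
# entries still report IsInherited and RemoveAccessRule() ignores them without error.
# So the order is: protect, write, re-read, then edit.
function Disable-Inheritance {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # disable inheritance, keep the entries as explicit copies
    Set-Acl -Path $Path -AclObject $acl
}

# Task 2: break inheritance on Data, then per department: break inheritance, drop the
# Users entries, and grant Modify to that department's group only.
Disable-Inheritance -Path $root
foreach ($d in $depts) {
    $path = Join-Path $root $d
    Disable-Inheritance -Path $path
    $acl = Get-Acl -Path $path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like '*\Users' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "ADATUM\$d",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Tasks 3, 5 and 7 in one call: share permission Change for Authenticated Users (NTFS does
# the real restriction), access-based enumeration on, offline caching off.
New-SmbShare -Name 'Data' -Path $root -ChangeAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased -CachingMode None | Out-Null

# What the lab verifies by hand in Tasks 4 and 6, as data: the share settings plus the
# explicit NTFS entries per department folder. No folder should still list BUILTIN\Users,
# and each should name its own department group only.
function Get-DataShareReport {
    $share = Get-SmbShare -Name 'Data' | Select-Object Name, Path, FolderEnumerationMode, CachingMode
    $ntfs  = foreach ($d in $depts) {
        (Get-Acl -Path (Join-Path $root $d)).Access |
            Select-Object @{ n = 'Folder'; e = { $d } }, IdentityReference, FileSystemRights, AccessControlType
    }
    [pscustomobject]@{ Share = $share; ShareAccess = Get-SmbShareAccess -Name 'Data'; Ntfs = $ntfs }
}
Get-DataShareReport
```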

Exercise 2: Configuring Shadow Copies

Task 1: Configure shadow copies for the file share

1. Switch to LON-SVR1.
2. Open Windows Explorer.
3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.
4. In the Shadow Copies window, click the E:\ drive, and then click Enable.
5. In the Enable Shadow Copies window, click Yes.
6. In the Shadow Copies window, click Settings.
7. In the Settings window, click Schedule.
8. In the E:\ window, change Schedule Task to Daily, change Start time to 12:00 AM, and then click Advanced.
9. In the Advanced Schedule Options window, select Repeat task, and then set the frequency to every 1 hour.
10. Select Time, and change the time value to 11:59 PM.
11. Click OK twice.
12. Click OK to close the Settings window.
13. Leave the Shadow Copies window open.

Task 2: Create multiple shadow copies of a file

1. On LON-SVR1, open a Windows Explorer window, and navigate to the E:\Data\Development folder.
2. On the menu toolbar, click Home, click New item, and then click Text Document.
3. Type Report, and then press Enter.
4. Switch back to the Shadow Copies window, and then click Create Now.

Task 3: Recover a deleted file from a shadow copy

1. On LON-SVR1, switch back to the Windows Explorer window.
2. Right-click Report.txt, and then click Delete.
3. In Windows Explorer, right-click the Development folder, and then click Properties.
4. In the Development Properties window, click the Previous Versions tab.
5. Click the most recent folder version for Development, and then click Open.
6. Confirm that Report.txt is in the folder, right-click Report.txt, and then click Copy.
7. Close the Windows Explorer window that just opened.
8. In the other Windows Explorer window, right-click the Development folder, and then click Paste.
9. Close Windows Explorer.
10. Click OK and close all open windows.
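Exercise 2 as an added PowerShell example (not course material), run on LON-SVR1. It assumes volume E: and the \\LON-SVR1\Data share from Exercise 1; the hourly schedule is built as a single repeating trigger because Register-ScheduledTask on Windows Server 2012 only repeats -Once triggers (an assumption about the module), and the recovery step relies on the SMB previous-versions path form \\server\share\@GMT-yyyy.MM.dd-HH.mm.ss\path (also an assumption to verify in your environment).

```powershell
# Added example, not from the course: Exercise 2 in PowerShell on LON-SVR1. Assumes
# volume E: and the \\LON-SVR1\Data share from Exercise 1. Enable and Create Now use
# vssadmin and the Win32_ShadowCopy class; the schedule is a single task trigger that
# repeats hourly (assumption: Register-ScheduledTask on Windows Server 2012 repeats
# -Once triggers only).

# Task 1: associate shadow storage for E: on E: itself (what the Enable button does),
# then run "vssadmin create shadow" hourly from 12:00 AM until 11:59 PM every day.
$storage = vssadmin list shadowstorage /for=E: | Out-String
if ($storage -match 'No items found') {
    vssadmin add shadowstorage /for=E: /on=E: /maxsize=10% | Out-Null
}
$action  = New-ScheduledTaskAction -Execute 'vssadmin.exe' -Argument 'create shadow /for=E:'
$trigger = New-ScheduledTaskTrigger -Once -At '00:00' `
    -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Hours 23 -Minutes 59)
Register-ScheduledTask -TaskName 'ShadowCopyVolume_E' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest | Out-Null

# Task 2: the file, then an on-demand snapshot (Create Now). ClientAccessible is the
# context that Previous Versions uses.
New-Item -ItemType File -Path 'E:\Data\Development\Report.txt' -Force | Out-Null
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = 'E:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed with code $($result.ReturnValue)" }

# Task 3: recover a deleted file from the newest snapshot. Over SMB, previous versions are
# addressed as \\server\share\@GMT-yyyy.MM.dd-HH.mm.ss\path, where the timestamp is the
# snapshot's creation time in UTC (assumption: the path form and the need for an
# exact-second match with the snapshot time).
function Restore-FromShadow {
    param([string]$Share, [string]$RelativePath, [string]$Destination)
    $volumeId = (Get-CimInstance Win32_Volume -Filter "DriveLetter='E:'").DeviceID
    $snap = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $snap) { throw 'No shadow copy exists for E:' }
    $stamp  = $snap.InstallDate.ToUniversalTime().ToString('yyyy.MM.dd-HH.mm.ss')
    $source = "$Share\@GMT-$stamp\$RelativePath"
    Copy-Item -Path $source -Destination $Destination
    return $source   # the previous-version path that was used
}

Remove-Item -Path 'E:\Data\Development\Report.txt'
Restore-FromShadow -Share '\\LON-SVR1\Data' -RelativePath 'Development\Report.txt' -Destination 'E:\Data\Development\'
Test-Path -Path 'E:\Data\Development\Report.txt'
```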

Exercise 3: Creating and Configuring a Printer Pool

Task 1: Install the Print and Document Services server role

1. On LON-SVR1, on the taskbar, click the Server Manager shortcut.
2. In Server Manager, on the menu toolbar, click Manage, and then click Add Roles and Features.
3. Click Next, select Role-based or feature-based installation, and then click Next again.
4. On the Select destination server page, select the server on which you want to install Print and Document Services. The default server is the local server. Click Next.
5. On the Select server roles page, select the Print and Document Services check box. In the Add Roles and Features Wizard window, click Add Features, and then click Next in the Select server roles window.
6. On the Select features page, click Next.
7. On the Print and Document Services page, review the Notes for the administrator, and then click Next.
8. On the Select role services page, click Next until the Confirm installation selections page displays.
9. Click Install to install the required role services. Click Close.

Task 2: Install a printer

1. On LON-SVR1, in Server Manager, click Tools, and then click Print Management.
2. Expand Print Servers, expand LON-SVR1, right-click Printers, and then click Add Printer.
3. Click Add a TCP/IP or Web Services Printer by IP address or hostname, and then click Next.
4. Change the Type of Device to TCP/IP Device.
5. In the Host name box, type 172.16.0.200, clear the Auto detect the printer driver to use check box, and then click Next.
6. Under Device Type, click Generic Network Card, and then click Next.
7. Click Install a new driver, and then click Next.
8. Click Microsoft as the Manufacturer, under Printers, click Microsoft XPS Class Driver, and then click Next.
9. Change the Printer Name to Branch Office Printer, and then click Next.
10. Click Next two times to accept the default printer name and share name, and to install the printer.
11. Click Finish to close the Network Printer Installation Wizard.
12. In the Print Management console, right-click Branch Office Printer, and then click Enable Branch Office Direct Printing.
13. In the Print Management console, right-click Branch Office Printer, and then click Properties.
14. Click the Sharing tab, select the List in the directory check box, and then click OK.

Task 3: Configure printer pooling

1. In the Print Management console, right-click Ports under LON-SVR1, and then click Add Port.
2. In the Printer Ports window, select Standard TCP/IP Port, and then click New Port.
3. In the Add Standard TCP/IP Printer Port Wizard, click Next.
4. In the Printer Name or IP Address field, type 172.16.0.201, and then click Next.
5. In the Additional port information required window, click Next.
6. Click Finish to close the Add Standard TCP/IP Printer Port Wizard.
7. Click Close to close the Printer Ports window.
8. In the Print Management console, click Printers, right-click Branch Office Printer, and then click Properties.
9. On the Branch Office Printer Properties page, click the Ports tab, select the Enable printer pooling check box, and then click the 172.16.0.201 port to select it as the second port.
10. Click OK to close the Branch Office Printer Properties page.
11. Close the Print Management console.

Task 4: Install a printer on a client computer

1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
2. On LON-CL1, on the Start screen, type Control Panel, and then press Enter.
3. Under Hardware and Sound, click Add a device.
4. In the Add a device window, click Branch Office Printer on LON-SVR1, and then click Next. The device installs automatically.
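Tasks 2 through 4 of this exercise as an added PowerShell example (not course material), using the PrintManagement module with the two printer addresses from the lab. It assumes that a comma-separated PortName on Set-Printer is how a pool is expressed and that -RenderingMode BranchOffice is the Branch Office Direct Printing switch; verify both against the cmdlet help before relying on them.

```powershell
# Added example, not from the course: Exercise 3, Tasks 2-4 in PowerShell
# (PrintManagement module). Assumes the printer addresses from the lab. Pooling is
# expressed as a comma-separated PortName and Branch Office Direct Printing as
# -RenderingMode BranchOffice (both assumptions about Set-Printer to verify).
Import-Module PrintManagement

$name  = 'Branch Office Printer'
$ports = '172.16.0.200', '172.16.0.201'

# Task 2: port, driver, printer; share it and publish it in Active Directory
# (the "List in the directory" check box).
Add-PrinterPort -Name $ports[0] -PrinterHostAddress $ports[0]
Add-PrinterDriver -Name 'Microsoft XPS Class Driver'
Add-Printer -Name $name -DriverName 'Microsoft XPS Class Driver' -PortName $ports[0] `
    -Shared -ShareName $name -Published
Set-Printer -Name $name -RenderingMode BranchOffice

# Task 3: the second port, then the pool.
Add-PrinterPort -Name $ports[1] -PrinterHostAddress $ports[1]
Set-Printer -Name $name -PortName ($ports -join ',')

# What the server ended up with; PortName lists both ports once the pool is in place.
function Get-PoolReport {
    param([string]$PrinterName)
    Get-Printer -Name $PrinterName | Select-Object Name, Shared, Published, RenderingMode, PortName
}
Get-PoolReport -PrinterName $name

# Task 4, run on LON-CL1: connect the client to the shared printer.
# Add-Printer -ConnectionName "\\LON-SVR1\$name"
```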

Task 5: To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.


Module 11: Implementing Group Policy

Lab: Implementing Group Policy

Exercise 1: Configuring a Central Store

Task 1: View the location of administrative templates in a Group Policy Object (GPO)

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console (GPMC), expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then expand the Group Policy Objects folder.
4. Right-click the Default Domain Policy, and then click Edit.
5. In the Group Policy Management Editor, expand the Default Domain Policy, expand User Configuration, expand Policies, and then click Administrative Templates.
6. Point your mouse over the Administrative Templates folder, and note that the location is Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.
7. Close the Group Policy Management Editor.

Task 2: Create a central store

1. On the taskbar, click the Folder icon to launch a Windows Explorer window.
2. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com, and then click Policies.
3. In the details pane, right-click a blank area, click New, and then click Folder.
4. Name the folder PolicyDefinitions.

Task 3: Copy administrative templates to the central store

1. In Windows Explorer, navigate back to C:\Windows, and open the PolicyDefinitions folder.
2. Select the entire contents of the PolicyDefinitions folder. (Hint: click in the details pane, and then press Ctrl+A to select all of the content.)
3. Right-click the selection, and then click Copy.
4. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com, expand Policies, and then open the PolicyDefinitions folder (C:\Windows\SYSVOL\sysvol\Adatum.com\Policies\PolicyDefinitions).
5. Right-click in the empty folder area, and then click Paste.

Task 4: Verify the administrative template location in GPMC

1. In the GPMC, right-click the Default Domain Policy, and then click Edit.
2. Expand Policies, point your mouse over the Administrative Templates folder, and view the location information text. Note that it now says Administrative Templates: Policy definitions (ADMX files) retrieved from the Central Store.
3. Close the Group Policy Management Editor.

Results: After completing this exercise, you will have configured a Central Store.
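Tasks 2 and 3 as an added PowerShell example (not course material), run on LON-DC1, with the Task 4 check done as data rather than by eye. It assumes the Adatum.com paths from the lab and computes SHA-256 with .NET because Get-FileHash is not in the PowerShell 3.0 that ships with Windows Server 2012.

```powershell
# Added example, not from the course: Tasks 2 and 3 in PowerShell on LON-DC1, plus a
# check of the result. Assumes the Adatum.com paths used in the lab.
$source = 'C:\Windows\PolicyDefinitions'
$store  = 'C:\Windows\SYSVOL\sysvol\Adatum.com\Policies\PolicyDefinitions'

# Tasks 2 and 3: create the folder, then copy the .admx files and their language
# subfolders (the .adml files) into the SYSVOL store.
New-Item -ItemType Directory -Path $store -Force | Out-Null
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# SHA-256 via .NET, since Get-FileHash does not exist in PowerShell 3.0.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Dispose() }
}

# Verification: every file under the local folder must exist in the store with the same
# content, at least one language folder must be present (otherwise the editor shows no
# setting names), and the store must be reachable by the replicated path GPMC and clients use.
function Test-CentralStore {
    param(
        [string]$Source,
        [string]$Store,
        [string]$DfsPath = '\\Adatum.com\SYSVOL\Adatum.com\Policies\PolicyDefinitions'
    )
    $srcFiles = Get-ChildItem -Path $Source -Recurse -File
    $problems = foreach ($f in $srcFiles) {
        $rel    = $f.FullName.Substring($Source.TrimEnd('\').Length + 1)
        $target = Join-Path $Store $rel
        if (-not (Test-Path -Path $target)) { "missing: $rel"; continue }
        if ((Get-Sha256 $target) -ne (Get-Sha256 $f.FullName)) { "differs: $rel" }
    }
    $langDirs = Get-ChildItem -Path $Store -Directory | Where-Object { $_.Name -match '^[a-z]{2}-[A-Z]{2}$' }
    [pscustomobject]@{
        FilesChecked    = $srcFiles.Count
        Problems        = @($problems)
        LanguageFolders = ($langDirs.Name -join ', ')
        ReachableViaDfs = Test-Path -Path $DfsPath
        Ok              = (@($problems).Count -eq 0) -and (Test-Path -Path $DfsPath) -and (@($langDirs).Count -gt 0)
    }
}
Test-CentralStore -Source $source -Store $store
```

Reopen the Group Policy Management Editor afterwards; it reads the store location when it starts, which is what Task 4 confirms.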


Exercise 2: Creating GPOs

Task 1: Create a Windows Internet Explorer Restriction default starter GPO

1. In the GPMC, right-click the Starter GPOs folder, and then click New.
2. In the New Starter GPO dialog box, in the Name field, type Internet Explorer Restrictions, and in the Comment field, type This GPO disables the General page in Internet Options, and then click OK.

Task 2: Configure the Internet Explorer Restriction starter GPO

1. Expand the Starter GPOs folder, right-click the Internet Explorer Restrictions GPO, and then click Edit.
2. Expand User Configuration, expand Administrative Templates, and then click All Settings.
3. Right-click All Settings, and then click Filter Options.
4. In the Filter Options dialog box, select the Enable Keyword Filters check box.
5. In the Filter for word(s): field, type General page.
6. In the drop-down box, select Exact, and then click OK.
7. Double-click the Disable the General page setting, click Enabled, and then click OK.
8. Close the Group Policy Starter GPO Editor.

Task 3: Create a domain Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO

1. In the GPMC, right-click the Adatum.com domain, and then click Create a GPO in this domain, and Link it here.
2. In the New GPO dialog box, in the Name field, type IE Restrictions.
3. Under Source Starter GPO, click the drop-down box, select Internet Explorer Restrictions, and then click OK.

Task 4: Test application of the GPO for domain users

1. Log on to LON-CL1 as Adatum\Brad with a password of Pa$$w0rd.
2. Move your mouse to the bottom right of the desktop, and in the flyout, click the Search charm.
3. In the Apps search box, type Control Panel.
4. In the Search Apps results, click Control Panel.
5. In the Control Panel window, click Network and Internet.
6. In the Network and Internet dialog box, click Change your homepage. A message box appears informing you that this feature has been disabled.
7. Click OK to acknowledge the message.
8. Click Internet Options. Notice that in the Internet Properties dialog box the General page does not appear.
9. Close all open windows, and sign out.


Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy

1. Switch to LON-DC1.
2. In the GPMC, expand the Group Policy Objects folder, and then in the left pane, click the IE Restrictions policy.
3. In the details pane, click the Delegation tab.
4. Click the Advanced button.
5. In the IE Restrictions Security Settings dialog box, click Add.
6. In the Select Users, Computers, Service Accounts, or Groups field, type IT, and then click OK.
7. In the IE Restrictions Security Settings dialog box, click the IT (Adatum\IT) group, next to the Apply group policy permission, select the Deny check box, and then click OK.
8. Click Yes to acknowledge the Windows Security dialog box.

Task 6: Test the GPO application for IT Department users

1. Log on to LON-CL1 as Brad with a password of Pa$$w0rd.
2. Move your mouse to the bottom right corner of the desktop, and in the flyout, click the Search charm.
3. In the Apps search box, type Control Panel.
4. In the Apps results window, click Control Panel.
5. In the Control Panel window, click Network and Internet.
6. In the Network and Internet dialog box, click Change your homepage. The Internet Properties dialog box opens to the General page, and all settings are available.
7. Close all open windows, and sign out.

Task 7: Test application of the GPO for other domain users

1. Log on to LON-CL1 as Boris with a password of Pa$$w0rd.
2. Move your mouse to the bottom right corner of the desktop, and in the flyout, click the Search charm.
3. In the Apps search box, type Control Panel.
4. In the Apps results window, click Control Panel.
5. In the Control Panel window, click Network and Internet.
6. In the Network and Internet dialog box, click Change your homepage. A message box appears informing you that this feature has been disabled.
7. Click OK to acknowledge the message.
8. Click Internet Options. In the Internet Properties dialog box, notice that the General page does not display.
9. Close all open windows, and sign out.

Results: After completing this lab, you will have created a GPO.
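Exercise 2 as an added PowerShell example (not course material), run on LON-DC1 with the GroupPolicy and ActiveDirectory modules. Assumptions: the "Disable the General page" setting is the registry value GeneralTab=1 under HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel; starter GPOs cannot be edited with Set-GPRegistryValue, so the value is written to the domain GPO instead; and because Set-GPPermission cannot write Deny entries, Task 5's Deny is written as an ACE for the Apply-Group-Policy extended right (GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939) on the GPO's AD object.

```powershell
# Added example, not from the course: Exercise 2 in PowerShell on LON-DC1 (GroupPolicy and
# ActiveDirectory modules). Assumptions: "Disable the General page" is the registry value
# GeneralTab=1 under HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel;
# Set-GPPermission has no Deny option, so the Task 5 Deny is written as an ACE on the GPO's
# AD object for the Apply-Group-Policy extended right (GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939).
Import-Module GroupPolicy, ActiveDirectory

$domainDn = 'DC=Adatum,DC=com'

# Tasks 1 and 3: the starter GPO, then the domain GPO seeded from it, linked at the domain.
New-GPStarterGPO -Name 'Internet Explorer Restrictions' `
    -Comment 'This GPO disables the General page in Internet Options' | Out-Null
$gpo = New-GPO -Name 'IE Restrictions' -StarterGpoName 'Internet Explorer Restrictions'
New-GPLink -Name $gpo.DisplayName -Target $domainDn | Out-Null

# Task 2: the Administrative Template setting. Starter GPOs cannot be edited with
# Set-GPRegistryValue (assumption), so the value goes on the domain GPO.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'GeneralTab' -Type DWord -Value 1 | Out-Null

# Task 5: Deny "Apply group policy" to the IT group. A Deny ACE overrides the Allow that
# Authenticated Users receive on a new GPO, which is why GPMC warns before writing one.
function Deny-GpoApply {
    param([string]$GpoName, [string]$GroupName)
    $gpo   = Get-GPO -Name $GpoName
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $apply = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right (assumption)
    $path  = "AD:\$($gpo.Path)"                              # the GPO's distinguished name under cn=policies
    $acl   = Get-Acl -Path $path
    $ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $apply)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}
Deny-GpoApply -GpoName $gpo.DisplayName -GroupName 'IT'

# Tasks 4, 6 and 7 reduced to a query: who is allowed and who is denied this GPO.
# Brad (IT) should show under a Denied entry; Boris should fall under Authenticated Users.
function Get-GpoFilterReport {
    param([string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name }}, Permission, Denied
}
Get-GpoFilterReport -GpoName $gpo.DisplayName
```

On the client, `gpresult /r` lists the GPO under "Applied Group Policy Objects" for Boris and under "The following GPOs were not applied because they were filtered out" for Brad, which is the same outcome Tasks 6 and 7 observe through Internet Options.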


To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1.


Module 12: Securing Windows Servers Using Group Policy Objects

Lab A: Increasing Security for Server Resources

Exercise 1: Using Group Policy to Secure Member Servers

Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.
3. In the New Object - Organizational Unit window, type Member Servers OU, and then click OK.
4. In the Active Directory Users and Computers console, in the navigation pane, click the Computers container.
5. Press and hold the Ctrl key. In the details pane, click LON-SVR1 and LON-SVR2, right-click the selection, and then click Move.
6. In the Move window, click Member Servers OU, and then click OK.

Task 2: Create a Server Administrators group

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member Servers OU, click New, and then click Group.
3. In the New Object - Group window, in the Group name field, type Server Administrators, and then click OK.

Task 3: Create a Member Server Security Settings GPO and link it to the Member Servers OU

1. On LON-DC1, in the Server Manager window, click Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Member Server Security Settings, and then click OK.
4. In the Group Policy Management Console window, right-click Member Servers OU, and then click Link an Existing GPO.
5. In the Select GPO window, in the Group Policy Objects list, click Member Server Security Settings, and then click OK.


Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins

1. On LON-DC1, in the Group Policy Management Console window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Restricted Groups.
3. Right-click Restricted Groups, and then click Add Group.
4. In the Add Group dialog box, in the Group name field, type Administrators, and then click OK.
5. In the Administrators Properties dialog box, next to Members of this group, click Add.
6. In the Add Member dialog box, type Adatum\Server Administrators, and then click OK.
7. Next to Members of this group, click Add.
8. In the Add Member dialog box, type Adatum\Domain Admins, and then click OK twice.
9. Close the Group Policy Management Editor.

Task 5: Verify that Server Administrators has been added to the local Administrators group

1. Switch to LON-SVR1.
2. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
3. On the taskbar, click the Windows PowerShell icon.
4. At the Windows PowerShell command prompt, type the following command, and then press Enter:
gpupdate /force
5. In the Server Manager window, click Tools, and then click Computer Management.
6. In the Computer Management console, expand Local Users and Groups, click Groups, and then in the right pane, double-click Administrators.
7. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members.
8. Click Cancel. Close the Computer Management console.

Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to remove users from Allow log on locally
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. In the right pane, right-click Member Server Security Settings, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
5. In the right pane, right-click Allow log on locally, and then click Properties.
6. In the Allow log on locally Properties window, select the Define these policy settings check box, and then click Add User or Group.
Module 12: Securing Windows Servers Using Group Policy Objects L12-61

7. In the Add User or Group window, type Domain Admins, and then click OK.
8. Click Add User or Group.
9. In the Add User or Group window, type Administrators, and then click OK twice.

10. Close the Group Policy Management Editor.

Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator account
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
2. In the right pane, right-click Member Server Security Settings, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. In the right pane, right-click User Account Control: Admin Approval Mode for the Built-in Administrator account, and then click Properties.
5. In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties window, select the Define this policy setting check box, ensure that the Enabled radio button is selected, and then click OK.
6. Close the Group Policy Management Editor.

Task 8: Verify that a standard user cannot log on to a member server


1. Switch to LON-SVR1. On the taskbar, click the Windows PowerShell icon.
2. From the Windows PowerShell command prompt, type the following command:

gpupdate /force

3. Log off of LON-SVR1.
4. Try to log on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.
5. Verify that you cannot log on to LON-SVR1, and that a logon error message displays.
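The GUI checks in Tasks 5 and 8 confirm one setting at a time. The following script is an added example (it is not part of the 20410A lab materials) that checks all three settings pushed to the member server in Tasks 4 through 8 in one pass: the Restricted Groups membership of the local Administrators group, the accounts that hold Allow log on locally, and Admin Approval Mode for the built-in Administrator account. It assumes it runs elevated on a domain-joined member server such as LON-SVR1 after gpupdate, and it uses only PowerShell 3.0 features plus the WinNT ADSI provider, because Windows Server 2012 does not have Get-LocalGroupMember. The FilterAdministratorToken registry value and the SeInteractiveLogonRight policy name are the documented storage locations of the two GPO settings, not values taken from the lab text.

```powershell
# Added example, not from the 20410A lab: verify member-server hardening on LON-SVR1.

# Membership that the Restricted Groups setting in Task 4 makes authoritative.
$ExpectedAdmins = @('ADATUM\Domain Admins', 'ADATUM\Server Administrators')

function Get-LocalAdminMembers {
    # WinNT provider works on Windows Server 2012 without the LocalAccounts module.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # 'WinNT://ADATUM/Domain Admins' -> 'ADATUM\Domain Admins'
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-InteractiveLogonRight {
    # "Allow log on locally" is exported by secedit as SeInteractiveLogonRight.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    (($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*S-1-')) {
            # Entries are stored as *SID; translate to DOMAIN\Name where possible.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

function Test-AdminApprovalMode {
    # "Admin Approval Mode for the Built-in Administrator account" = FilterAdministratorToken 1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name FilterAdministratorToken -ErrorAction SilentlyContinue).FilterAdministratorToken
    return ($v -eq 1)
}

function Test-MemberServerHardening {
    $admins = @(Get-LocalAdminMembers)
    [pscustomobject]@{
        # Expected members that are absent: the GPO has not applied or was edited.
        AdminsMissing       = @($ExpectedAdmins | Where-Object { $admins -notcontains $_ })
        # Anything else is drift to review; the built-in Administrator cannot be removed and is ignored.
        AdminsUnexpected    = @($admins | Where-Object { $ExpectedAdmins -notcontains $_ -and $_ -notlike '*\Administrator' })
        AllowLogOnLocally   = @(Get-InteractiveLogonRight)
        AdminApprovalModeOn = Test-AdminApprovalMode
    }
}

Test-MemberServerHardening | Format-List
```

After Task 6 has applied, AllowLogOnLocally should list only BUILTIN\Administrators and ADATUM\Domain Admins, which is why the logon attempt by Adam in Task 8 fails; any other account in that list, or any entry in AdminsUnexpected, is a change made outside the GPO and worth investigating.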

Results: After completing this exercise, you should have used Group Policy to secure Member servers.

Exercise 2: Auditing File System Access


Task 1: Modify the Member Server Security Settings GPO to enable object access auditing
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. In the right pane, right-click Member Server Security Settings, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, click Audit Policy, and then in the right pane, right-click Audit object access, and then click Properties.

5. In the Audit object access Properties window, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.

Task 2: Create and share a folder


1. On LON-SVR1, on the taskbar, click Windows Explorer, and then, in the navigation pane, click Computer.
2. In the Computer window, double-click Local Disk (C:), click Home, click New folder, and then type HR.
3. In the Computer window, right-click the HR folder, click Share with, and then click Specific people.
4. In the File Sharing window, type Adam, and then click Add.
5. Change the Permission Level to Read/Write, click Share, and then click Done.

Task 3: Enable auditing on the HR folder for Domain Users


1. On LON-SVR1, in the Local Disk (C:) window, right-click the HR folder, and then click Properties.
2. In the HR Properties window, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for HR window, click the Auditing tab, and then click Add.
4. In the Auditing Entry for HR window, click Select a principal.
5. In the Select User, Computer, Service Account or Group window, in the Enter the object name to select field, type Domain Users, and then click OK.
6. In the Auditing Entry for HR window, from the Type drop-down menu, select All.
7. In the Auditing Entry for HR window, under Permission list, select the Write check box, and then click OK three times.
8. Switch to the Start screen, type cmd, and then press Enter.
9. In the command prompt window, type the following command:

gpupdate /force

10. Close the command prompt window.

Task 4: Create a new file in the file share from LON-CL1


1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. On the Start screen, type cmd, and then press Enter.
4. In the command prompt window, type the following command:
gpupdate /force

5. Close the command prompt window.
6. Log off LON-CL1, and then log on again as Adatum\Adam with a password of Pa$$w0rd.
7. On the Start screen, type \\LON-SVR1\HR, and then press Enter.
8. In the HR window, click Home, click New item, click Text Document, in the file name field, type Employees, and then press Enter.
9. Log off of LON-CL1.


Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1.
2. In the Server Manager window, click Tools, and then click Event Viewer.
3. In the Event Viewer window, expand Windows Logs, and then click Security.
4. Verify that the following event and information displays:
   o Source: Microsoft Windows Security Auditing
   o Event ID: 4663
   o Task category: File System
   o An attempt was made to access an object.
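The following script is an added example (not part of the 20410A lab) that performs Tasks 1, 3 and 5 of this exercise from PowerShell on LON-SVR1: it writes the same audit entry to the SACL of C:\HR that the Auditing Entry dialog creates (Domain Users, Write, Success and Failure, inherited by files and subfolders), confirms with auditpol that the File System subcategory is actually being audited after the GPO applies, and then pulls the 4663 events for that folder out of the Security log with the user, object and process fields extracted from the event XML. It assumes it runs elevated (reading and writing a SACL needs the security privilege) and that C:\HR already exists; the field names it reads from the event are those of event 4663 on Windows Server 2012.

```powershell
# Added example, not from the 20410A lab: folder audit entry, policy check, 4663 query.

function Set-HrFolderAuditing {
    param([string]$Path = 'C:\HR', [string]$Principal = 'ADATUM\Domain Users')
    $acl = Get-Acl -Path $Path -Audit
    # Type "All" in the Auditing Entry dialog is Success plus Failure; the
    # inheritance flags make the entry apply to files and subfolders too.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Read the SACL back so the caller sees what is now in force.
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

function Test-ObjectAccessAuditing {
    # The legacy "Audit object access" setting drives the File System subcategory;
    # auditpol reports the effective state rather than what the GPO says.
    auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-HrFileAccessEvents {
    param([string]$PathPrefix = 'C:\HR', [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live in EventData, not in the rendered message.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object     = $d['ObjectName']
                AccessMask = $d['AccessMask']
                Process    = $d['ProcessName']
            }
        } |
        Where-Object { $_.Object -like "$PathPrefix*" }
}

Set-HrFolderAuditing
Test-ObjectAccessAuditing
# After Adam creates \\LON-SVR1\HR\Employees.txt from LON-CL1 (Task 4), the
# write shows up here with Adam as the user and the SMB server process as the
# accessor, because the audit is generated where the file system lives.
Get-HrFileAccessEvents | Format-Table -AutoSize
```

If Test-ObjectAccessAuditing reports No Auditing, the SACL is in place but nothing will be logged; that is the most common reason the events in Task 5 do not appear, and it means the Member Server Security Settings GPO has not reached LON-SVR1 yet.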

Results: After completing this exercise, you should have enabled file system access auditing.

Exercise 3: Auditing Domain Logons


Task 1: Modify the Default Domain Policy GPO
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
2. In the right pane, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
4. In the right pane, right-click Audit account logon events, and then click Properties.
5. In the Audit account logon events Properties window, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.

Update Group Policy by using the gpupdate /force command.

Task 2: Run GPUpdate


1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. On the Start screen, type cmd, and then press Enter.
4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window, and log off LON-CL1.

Task 3: Log on to LON-CL1 with an incorrect password


Log on to LON-CL1 as Adatum\Adam with a password of password.

Note: This password is intentionally incorrect, to generate a security log entry that shows that an unsuccessful logon attempt has been made.

Task 4: Review event logs on LON-DC1


1. On LON-DC1, in Server Manager, click Tools, and then click Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for the following message: Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.

Task 5: Log on to LON-CL1 with the correct password


Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.

Note: This password is correct, and you should be able to log on successfully as Adam.

Task 6: Review event logs on LON-DC1


1. Log on to LON-DC1.
2. In the Server Manager window, click Tools, and then click Event Viewer.
3. In the Event Viewer window, expand Windows Logs, and then click Security.
4. Review the event logs for the following message: A user successfully logged on to a computer.
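Scrolling the Security log by hand, as Tasks 4 and 6 do, does not scale once account logon auditing is on for a whole domain. The following script is an added example (not part of the 20410A lab) that runs on LON-DC1 and searches the Security log for audit-failure entries, and optionally audit-success entries, that mention a given account, then summarises them by event ID and flags an account that exceeds a failure threshold. The lab quotes message text only and lists no event IDs, and the IDs a domain controller writes for a domain account's bad password differ from those the workstation writes for its own logon, so the filter is built on the audit outcome keyword and the account name rather than on a hard-coded ID. The keyword bit values are the standard Audit Failure and Audit Success keywords of the Security log; the threshold of five is an assumed value.

```powershell
# Added example, not from the 20410A lab: search the Security log on LON-DC1 by outcome and account.

$AuditFailure = [long]0x10000000000000   # Security log keyword "Audit Failure"
$AuditSuccess = [long]0x20000000000000   # Security log keyword "Audit Success"

function Get-AccountLogonAudit {
    param(
        [Parameter(Mandatory)][string]$Account,   # sAMAccountName, e.g. 'Adam'
        [int]$Hours = 1,
        [switch]$SuccessesToo
    )
    $since    = (Get-Date).AddHours(-$Hours)
    $keywords = if ($SuccessesToo) { $AuditFailure -bor $AuditSuccess } else { $AuditFailure }
    # Keywords in a FilterHashtable is a bit mask: any set bit that matches selects the event.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since; Keywords = $keywords } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$([regex]::Escape($Account))\b" } |
        Select-Object TimeCreated, Id, TaskDisplayName,
            @{ n = 'Outcome'; e = { $_.KeywordsDisplayNames -join ',' } },
            Message
}

function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string]$Account, [int]$Hours = 1, [int]$Threshold = 5)
    $events = @(Get-AccountLogonAudit -Account $Account -Hours $Hours)
    [pscustomobject]@{
        Account       = $Account
        Failures      = $events.Count
        # One line per event ID, so Kerberos pre-authentication and NTLM
        # validation failures can be told apart at a glance.
        ByEventId     = @($events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count)
        OverThreshold = ($events.Count -ge $Threshold)   # repeated bad passwords in a short window
    }
}

# Task 3 produces one failure for Adam; Task 5 produces the matching success.
Get-FailedLogonSummary -Account 'Adam' -Hours 1 | Format-List
Get-AccountLogonAudit -Account 'Adam' -Hours 1 -SuccessesToo | Format-Table TimeCreated, Id, Outcome -AutoSize
```

Because the success and failure entries for the same account sit next to each other in the output, it is easy to see the pattern that Tasks 3 and 5 create: a failure followed by a success from the same client shortly afterwards, which is normal user behaviour, as opposed to a long run of failures with no success, which is the signal OverThreshold is meant to raise.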

Task 7: To prepare for the next lab


To prepare for the next lab, leave the virtual machines running.

Results: After completing this exercise, you should have enabled domain logon auditing.


Lab B: Configuring AppLocker and Windows Firewall


Exercise 1: Configuring AppLocker Policies
Task 1: Create an OU for Client Computers
1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, type Client Computers OU, and then click OK.

Task 2: Move LON-CL1 to the Client Computers OU


1. On LON-DC1, in the Active Directory Users and Computers console, in the navigation pane, click the Computers container.
2. In the details pane, right-click LON-CL1, and then click Move.
3. In the Move window, click Client Computers OU, and then click OK.

Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: text box, type Software Control GPO, and then click OK.
4. In the right pane, right-click Software Control GPO, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker.
6. Under AppLocker, right-click Executable Rules, and then click Create Default Rules.
7. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules.
8. In the navigation pane, click AppLocker, and then in the right pane, click Configure rule enforcement.
9. In the AppLocker Properties window, under Executable rules, select the Configured check box, and then from the drop-down menu, select Audit only.
10. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK.
11. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, click System Services, and then double-click Application Identity.
12. In the Application Identity Properties dialog box, select the Define this policy setting check box, under Select service startup mode, select Automatic, and then click OK.
13. Close the Group Policy Management Editor.

14. In the Group Policy Management Console, right-click Member Servers OU, and then click Link an Existing GPO.
15. In the Select GPO window, in the Group Policy Objects list, click Software Control GPO, and then click OK.

Task 4: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1.
2. Move the mouse pointer to the lower right corner, and then click Search.
3. In the Search box, type cmd, and then press Enter.
4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window.
6. Move the mouse pointer to the lower right corner, click Settings, click Power, and then click Restart.

Task 5: Run app1.bat in the C:\CustomApp folder


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Point the mouse pointer at the lower right corner of the screen, and then, when it appears, click Search.
3. In the Search box, type cmd, and then press Enter.
4. At the command prompt, type the following command:
C:\CustomApp\app1.bat

Task 6: View AppLocker events in an event log


1. On LON-SVR1, open the Server Manager window, click Tools, and then click Event Viewer.
2. In the Event Viewer window, expand Application and Services Logs, expand Microsoft, expand Windows, and then expand AppLocker.
3. Click MSI and Scripts, and review the event logs for App1.bat.

Task 7: Create a rule that allows software to run from C:\CustomApp


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management window, in the Group Policy Objects node, edit the Software Control GPO.
3. In the console tree, double-click Application Control Policies, double-click AppLocker, right-click Script Rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, select the Allow radio button, and then click Next.
6. On the Conditions page, click the Path radio button, and then click Next.
7. On the Path page, in the Path field, type %OSDRIVE%\CustomApp\app1.bat to enter the targeted folder for the applications, and then click Next.
8. On the Exceptions page, click Next. On the Name and Description page, in the Name field, type Custom App Rule, and then click Create.


Task 8: Modify Software Control GPO to enforce the rules


1. In the Software Control GPO window, in the navigation pane, click AppLocker, and then in the right pane, click Configure rule enforcement.
2. In the AppLocker Properties window, under Executable rules, select the Configured check box, and then from the drop-down menu, select Enforce rules.
3. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK.
4. Close the Group Policy Management Editor.

Task 9: Verify that an application can still be run from C:\CustomApp


1. Switch to LON-SVR1.
2. Move the mouse pointer to the lower right corner, and then click Search.
3. In the Search box, type cmd, and then press Enter.
4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window.
6. Point the mouse pointer at the lower-right corner, click Settings, click Power, and then click Restart.
7. Log on to LON-SVR1 as Adatum\Tony with a password of Pa$$w0rd.
8. Open a command prompt.
9. Verify that you can still run C:\CustomApp\app1.bat.

Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, on the taskbar, click Windows Explorer, and then in the navigation pane, click Computer.
2. In the Computer window, double-click Local Disk (C:), double-click the CustomApp folder, right-click app1.bat, and then click Copy.
3. In the CustomApp window, in the navigation pane, right-click the Documents folder, and then click Paste.
4. In the command prompt window, type C:\Users\Tony\Documents\app1.bat.
5. Verify that the application cannot be run from the Documents folder, and that the following message displays: This program is blocked by Group Policy. For more information, contact your system administrator. Close all open windows and log off.
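Tasks 3, 7 and 8 build the AppLocker policy one dialog at a time, and Tasks 9 and 10 test it by actually running the file. The following script is an added example (not part of the 20410A lab) that does the same for the Script rule collection with the AppLocker and GroupPolicy modules on LON-DC1: it generates the three default script rules plus the Custom App Rule for %OSDRIVE%\CustomApp\app1.bat as policy XML, evaluates that policy with Test-AppLockerPolicy against both paths used in Tasks 9 and 10 before anything is deployed, and then merges the collection into the Software Control GPO. The enforcement mode parameter covers both Task 3 (Audit only) and Task 8 (Enforce rules). It assumes Test-AppLockerPolicy is run where the two test files exist, that the rule names match the GUI default rules, and that LON-DC1.Adatum.com is the domain controller to address in the LDAP path; the Executable, Windows Installer and Packaged app collections are not generated here.

```powershell
# Added example, not from the 20410A lab: AppLocker Script rules as XML, tested, then merged into the GPO.

function New-ScriptRule {
    param([string]$Name, [string]$Path, [string]$Sid = 'S-1-1-0')   # S-1-1-0 is Everyone
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-ScriptPolicyXml {
    # AuditOnly is Task 3 step 9 ("Audit only"); Enabled is Task 8 ("Enforce rules").
    param([ValidateSet('AuditOnly', 'Enabled', 'NotConfigured')][string]$Mode = 'AuditOnly')
    $rules = @(
        New-ScriptRule -Name '(Default Rule) All scripts located in the Program Files folder' -Path '%PROGRAMFILES%\*'
        New-ScriptRule -Name '(Default Rule) All scripts located in the Windows folder' -Path '%WINDIR%\*'
        New-ScriptRule -Name '(Default Rule) All scripts' -Path '*' -Sid 'S-1-5-32-544'   # BUILTIN\Administrators
        New-ScriptRule -Name 'Custom App Rule' -Path '%OSDRIVE%\CustomApp\app1.bat'
    ) -join "`n"
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="$Mode">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Test-ScriptPolicy {
    # Evaluates the policy file against real files for a given user without deploying it.
    param([string]$XmlPath, [string[]]$Paths, [string]$User = 'ADATUM\Tony')
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Path $Paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$xmlPath = Join-Path $env:TEMP 'SoftwareControl-Script.xml'
New-ScriptPolicyXml -Mode AuditOnly | Out-File -FilePath $xmlPath -Encoding UTF8

# The copy in Tony's Documents folder matches no path rule, so it falls to the
# implicit deny that applies once a collection has any rules at all.
Test-ScriptPolicy -XmlPath $xmlPath -Paths 'C:\CustomApp\app1.bat', 'C:\Users\Tony\Documents\app1.bat'

# Merge the collection into the GPO rather than replacing it, so the other
# collections created in Task 3 are left alone.
$gpoDn = (Get-GPO -Name 'Software Control GPO').Path
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://LON-DC1.Adatum.com/$gpoDn" -Merge
```

Testing the XML first is the step the GUI skips: a path rule that uses the wrong variable or a trailing backslash is found by Test-AppLockerPolicy in seconds, whereas the lab's approach only reveals it after a gpupdate and a restart. The Application Identity service still has to be running on the client (Task 3 step 12) for any of the rules, audited or enforced, to take effect.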

Results: After completing this exercise, you will have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU organizational unit. The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.

Exercise 2: Configuring Windows Firewall


Task 1: Create a group called Application Servers
1. Switch to LON-DC1.
2. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member Servers OU, click New, and then click Group.
4. In the New Object - Group window, in the Group Name field, type Application Servers, and then click OK.

Task 2: Add LON-SVR1 as a group member


1. In the Active Directory Users and Computers console, in the navigation pane, click the Member Servers OU, in the details pane, right-click the Application Servers group, and then click Properties.
2. In the Application Servers Properties window, click the Members tab, and then click Add.
3. In the Select Users, Computers, Service Accounts or Groups window, click Object Types, click Computers, and then click OK.
4. In Enter the object names to select, type LON-SVR1, and then click OK.

Task 3: Create a new Application Servers GPO


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Application Servers GPO, and then click OK.
4. In the Group Policy Management Console, right-click Application Servers GPO, and then click Edit.
5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then click Windows Firewall with Advanced Security - LDAP://CN={GUID}.
6. In the Group Policy Management Editor, click Inbound Rules.
7. Right-click Inbound Rules, and then click New Rule.
8. In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.
9. On the Program page, click Next.
10. On the Protocol and Ports page, in the Protocol type list, click TCP.
11. In the Local port list, click Specific Ports, in the text box, type 8080, and then click Next.
12. On the Scope page, click Next.
13. On the Action page, click Allow the connection, and then click Next.
14. On the Profile page, clear the Private and Public check boxes, and then click Next.
15. On the Name page, in the Name box, type Application Server Department Firewall Rule, and then click Finish.
16. Close the Group Policy Management Editor.


Task 4: Link the Application Servers GPO to the Member Servers OU


1. On LON-DC1, in the Group Policy Management Console, right-click Member Servers OU, and then click Link an Existing GPO.
2. In the Select GPO window, in the Group Policy objects list, click Application Servers GPO, and then click OK.

Task 5: Use security filtering to limit the Application Servers GPO to members of the Application Servers group
1. On LON-DC1, in the Group Policy Management Console, click Member Servers OU.
2. Expand the Member Servers OU, and then click the Application Servers GPO link.
3. In the Group Policy Management Console message box, click OK.
4. In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.
5. In the confirmation dialog box, click OK.
6. In the details pane, under Security Filtering, click Add.
7. In the Select User, Computer, or Group dialog box, type Application Servers, and then click OK.

Task 6: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1 and log on as Adatum\Administrator.
2. Move the mouse pointer to the lower right corner, and then click Search.
3. In the Search box, type cmd, and then press Enter.
4. In the command prompt window, type the following command, and then press Enter:

gpupdate /force

5. Close the command prompt window.
6. Restart LON-SVR1, and then log back on as Adatum\Administrator with the password of Pa$$w0rd.

Task 7: View the firewall rules on LON-SVR1


1. Switch to LON-SVR1.
2. In Server Manager, click Tools, and then click Windows Firewall with Advanced Security.
3. In the Windows Firewall with Advanced Security window, click Inbound Rules.
4. In the right pane, verify that the Application Server Department Firewall Rule that you created earlier by using Group Policy is configured.
5. Verify that you cannot edit the Application Server Department Firewall Rule, because it is configured through Group Policy.
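The following script is an added example (not part of the 20410A lab) that carries out Tasks 3 through 5 and the verification in Task 7 with the GroupPolicy and NetSecurity modules that ship with Windows Server 2012. The first function runs on LON-DC1: it creates and links the Application Servers GPO, writes the TCP 8080 inbound rule straight into the GPO's policy store for the Domain profile only (the GUI clears Private and Public), and replaces Authenticated Users with the Application Servers group in security filtering. The second runs on LON-SVR1 after gpupdate and reports the rule together with the store it came from, which is what makes it read-only in the local console. The distinguished name of the Member Servers OU is an assumed value; check it with Get-ADOrganizationalUnit before running.

```powershell
# Added example, not from the 20410A lab: firewall rule delivered through a security-filtered GPO.

$Domain   = 'Adatum.com'
$GpoName  = 'Application Servers GPO'
$RuleName = 'Application Server Department Firewall Rule'
$OuDn     = 'OU=Member Servers,DC=Adatum,DC=com'   # assumed; verify in the lab domain

function New-ApplicationServersGpo {
    # Runs on LON-DC1. Tasks 3 and 4: GPO plus link.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    New-GPLink -Name $GpoName -Target $OuDn -ErrorAction SilentlyContinue | Out-Null

    # Task 3 steps 5-16: the rule is written to the GPO store, not to the local firewall.
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
    New-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Domain | Out-Null
    Save-NetGPO -GPOSession $session

    # Task 5: only members of Application Servers apply the GPO.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Application Servers' -TargetType Group -PermissionLevel GpoApply | Out-Null
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Test-ApplicationServerRule {
    # Runs on LON-SVR1 after gpupdate. ActiveStore is the merged, effective rule set.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow |
        Where-Object { $_.DisplayName -eq $RuleName }
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName       = $r.DisplayName
            Enabled           = $r.Enabled
            Profile           = $r.Profile
            Protocol          = $port.Protocol
            LocalPort         = $port.LocalPort
            PolicyStoreSource = $r.PolicyStoreSource       # the GPO name when delivered by Group Policy
            EditableLocally   = ($r.PolicyStoreSourceType -ne 'GroupPolicy')
        }
    }
}

# On LON-DC1:
# New-ApplicationServersGpo
# On LON-SVR1, after gpupdate /force and a restart:
# Test-ApplicationServerRule | Format-List
```

PolicyStoreSourceType is the property behind the greyed-out rule in Task 7: a rule whose source type is GroupPolicy is not stored in the local policy at all, so there is nothing for the local console to edit. If Test-ApplicationServerRule returns nothing on LON-SVR1, the usual causes are that the computer had not yet been a member of Application Servers when it last logged on (group membership is in the computer's token, hence the restart in Task 6) or that the GPO is still filtered to Authenticated Users only.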

Task 8: To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by performing the following steps:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules to allow inbound network communication through TCP port 8080.


Module 13: Implementing Server Virtualization with Hyper-V

Lab: Implementing Server Virtualization with Hyper-V


Exercise 1: Installing the Hyper-V Server Role
Task 1: Install the Hyper-V server role
1. Reboot the classroom computer, and from the Windows Boot Manager, choose 20410A-LON-HOST1.
2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.
3. In Server Manager, click Local Server.
4. In the Properties pane, click the IPv4 address assigned by DHCP link.
5. In the Network Connections dialog box, right-click the network object, and then click Properties.
6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. On the General tab, click Use the following IP address, and configure the following:
   o IP Address: 172.16.0.31
   o Subnet mask: 255.255.0.0
   o Default gateway: 172.16.0.1
8. On the General tab, click Use the following DNS server addresses, and then configure the following:
   o Preferred DNS server: 172.16.0.10
9. Click OK to close the Properties dialog box.

10. Click Close.
11. Close the Network Connections dialog box.
12. In the Server Manager console, from the Manage menu, click Add Roles and Features.
13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
14. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
15. On the Select destination server page, ensure that LON-HOST1 is selected, and then click Next.
16. On the Select server roles page, select Hyper-V.
17. In the Add Roles and Features Wizard dialog box, click Add Features.
18. On the Select server roles page, click Next.
19. On the Select features page, click Next.
20. On the Hyper-V page, click Next.
21. On the Virtual Switches page, verify that no selections have been made, and then click Next.
22. On the Virtual Machine Migration page, click Next.

23. On the Default Stores page, review the location of the Default Stores, and then click Next.
24. On the Confirm installation selections page, select Restart the destination server automatically if required.
25. In the Add Roles and Features Wizard, review the message regarding automatic restarts, and then click Yes.
26. On the Confirm Installation Selections page, click Install.
27. After a few minutes, the server will restart automatically. Ensure that you restart the machine from the boot menu as 20410A-LON-HOST1. The computer will restart several times.

Task 2: Complete Hyper-V role installation and verify settings


1. Log on to LON-HOST1 using the account Administrator with the password Pa$$w0rd.
2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features Wizard.
3. In the Server Manager console, click the Tools menu, and then click Hyper-V Manager.
4. In the Hyper-V Manager console, click LON-HOST1.
5. In the Hyper-V Manager console, in the Actions pane, with LON-HOST1 selected, click Hyper-V Settings.
6. In the Hyper-V Settings for LON-HOST1 dialog box, click the Keyboard item. Verify that the Keyboard is set to the Use on the virtual machine option.
7. In the Hyper-V Settings for LON-HOST1 dialog box, click the Virtual Hard Disks item. Verify that the location of the default folder to store Virtual Hard Disk files is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, and then click OK.

Results: After this exercise, you should have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking


Task 1: Configure the external network
1. In the Hyper-V Manager console, click LON-HOST1.
2. From the Actions menu, click Virtual Switch Manager.
3. In the Virtual Switch Manager for LON-HOST1 dialog box, select New virtual network switch. Ensure that External is selected, and then click Create Virtual Switch.
4. In the Virtual Switch Properties area, enter the following information, and then click OK:
   o Name: Switch for External Adapter
   o External Network: Mapped to the host computer's physical network adapter. (This will vary depending on the host computer.)
5. In the Apply Networking Changes dialog box, review the warning, and then click Yes.

Task 2: Create a private network


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. From the Actions menu, click Virtual Switch Manager.
3. Under Virtual Switches, click New virtual network switch.

4. Under Create virtual switch, select Private, and then click Create Virtual Switch.
5. In the Virtual Switch Properties section of the Virtual Switch Manager dialog box, configure the following settings, and then click OK:
   o Name: Private Network
   o Connection type: Private network

Task 3: Create an internal network


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. From the Actions menu, click Virtual Switch Manager.
3. Under Virtual Switches, select New virtual network switch.
4. Under Create virtual switch, select Internal, and then click Create Virtual Switch.
5. In the Virtual Switch Properties section, configure the following settings, and then click OK:
   o Name: Internal Network
   o Connection type: Internal network

Task 4: Configure the MAC address range


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. On the Actions menu, click Virtual Switch Manager.
3. Under Global Network Settings, click MAC Address Range.
4. On the MAC Address Range settings, configure the following values, and then click OK:
   o Minimum: 00-15-5D-0F-AB-A0
   o Maximum: 00-15-5D-0F-AB-EF
5. Close the Hyper-V Manager console.
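The following script is an added example (not part of the 20410A lab) that performs the host-side work of Exercise 1 Task 1 and all four tasks of Exercise 2 on LON-HOST1 with the NetTCPIP, DnsClient, ServerManager and Hyper-V modules of Windows Server 2012: static IPv4 addressing, the Hyper-V role, the external, private and internal switches, and the MAC address pool, followed by a verification function that reports what is in place. The IP addresses, switch names and MAC range are the lab's own values; the adapter alias "Ethernet" is an assumption and should be checked with Get-NetAdapter. It must run elevated, and the role installation restarts the server, so the switch and MAC steps belong to a second run after the restart.

```powershell
# Added example, not from the 20410A lab: LON-HOST1 configuration from Exercises 1 and 2.

$Nic = 'Ethernet'   # assumed alias of the physical adapter; check with Get-NetAdapter

function Set-HostAddressing {
    # Exercise 1, Task 1 steps 7-8: replace the DHCP lease with the static address.
    Set-NetIPInterface -InterfaceAlias $Nic -AddressFamily IPv4 -Dhcp Disabled
    Remove-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress 172.16.0.31 -PrefixLength 16 -DefaultGateway 172.16.0.1 | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses 172.16.0.10
}

function Install-HyperVRole {
    # Exercise 1, Task 1 steps 12-27; -Restart reboots when the role requires it.
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
}

function New-LabSwitches {
    # Exercise 2, Tasks 1-3. Only the external switch binds to a physical adapter;
    # AllowManagementOS keeps the host reachable through that adapter.
    New-VMSwitch -Name 'Switch for External Adapter' -NetAdapterName $Nic -AllowManagementOS $true | Out-Null
    New-VMSwitch -Name 'Private Network'  -SwitchType Private  | Out-Null
    New-VMSwitch -Name 'Internal Network' -SwitchType Internal | Out-Null
}

function Set-LabMacRange {
    # Exercise 2, Task 4: dynamic MAC pool 00-15-5D-0F-AB-A0 to 00-15-5D-0F-AB-EF.
    Set-VMHost -MacAddressMinimum '00155D0FABA0' -MacAddressMaximum '00155D0FABEF'
}

function Test-LabHostConfig {
    # Mirrors the checks of Exercise 1 Task 2 and the switch settings of Exercise 2.
    $vmhost = Get-VMHost
    [pscustomobject]@{
        HyperVInstalled     = (Get-WindowsFeature -Name Hyper-V).Installed
        Switches            = @(Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription)
        MacMin              = $vmhost.MacAddressMinimum
        MacMax              = $vmhost.MacAddressMaximum
        VirtualHardDiskPath = $vmhost.VirtualHardDiskPath   # C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks by default
        IPv4                = (Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4).IPAddress
    }
}

# First run (ends in a restart):
# Set-HostAddressing; Install-HyperVRole
# Second run, after the restart:
# New-LabSwitches; Set-LabMacRange; Test-LabHostConfig | Format-List
```

The MAC range matters more than it looks: two Hyper-V hosts on the same network that keep the default range derived from their own addresses can hand out overlapping MAC addresses to guests, and the resulting duplicate-address faults are hard to trace back to the hypervisor. Setting a distinct pool per host, as Task 4 does, avoids that.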

Results: After this exercise, you should have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine


Task 1: Create differencing disks
1. On the taskbar, click Windows Explorer.
2. Click Computer, and then browse to the following location: E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number of drives on the physical host machine.)
3. Verify that the Base12A-WS2012-RC.vhd hard disk image file is present.
4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click each folder, and rename the folders with the following names:
   o LON-GUEST1
   o LON-GUEST2
5. Close Windows Explorer.

6. In the Server Manager console, click the Tools menu, and then click Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.

10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
    o Name: LON-GUEST1.vhd
    o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

12. On the Configure Disk page, type the location E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd, and then click Finish.
13. On the taskbar, click the PowerShell icon.
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then press Enter:
Import-Module Hyper-V

15. At the PowerShell prompt, type the following command to create a new differencing disk to be used with LON-GUEST2, and then press Enter (the paths contain spaces, so they must be quoted):

New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

16. Close the PowerShell window.
17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent, and then click Close.

Task 2: Create virtual machines


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. In the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.
3. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
4. On the Specify Name and Location page, select Store the virtual machine in a different location, enter the following values, and then click Next:
   o Name: LON-GUEST1
   o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
5. On the Assign Memory page, enter a value of 1024 MB, select the Use Dynamic Memory for this virtual machine option, and then click Next.
6. On the Configure Networking page, for the connection, choose Private Network, and then click Next.

7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse, and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click Open, and then click Finish.
8. On the taskbar, click the PowerShell icon.
9. At the PowerShell prompt, enter the following command to import the Hyper-V module:

Import-Module Hyper-V

10. At the PowerShell prompt, enter the following command to create a new virtual machine named LON-GUEST2:
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

11. Close the PowerShell window.
12. In the Hyper-V Manager console, click LON-GUEST2.
13. In the Actions pane, under LON-GUEST2, click Settings.
14. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Start Action, and set the Automatic Start Action to Nothing.
15. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Stop Action, and set the Automatic Stop Action to Shut down the guest operating system.
16. Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box.

Task 3: Enable resource metering


1. On the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V

3. At the Windows PowerShell prompt, enter the following commands to enable resource metering on the virtual machines:

Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2
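Exercise 3 mixes the wizard, Inspect Disk and PowerShell across three tasks. The following script is an added example (not part of the 20410A lab) that builds both guests the same way from the Hyper-V module on LON-HOST1: a differencing disk per guest chained to the sysprepped parent, the virtual machine with 1024 MB startup memory and dynamic memory on the Private Network switch, the automatic start and stop actions from Task 2 steps 14 and 15, and resource metering from Task 3, with a check that reproduces what Inspect Disk shows in Task 1 step 19. Paths with spaces are quoted through variables. It assumes the Hyper-V module has been imported, that the lab folder is on E: as the lab notes, and that the switch already exists.

```powershell
# Added example, not from the 20410A lab: Exercise 3 as repeatable PowerShell on LON-HOST1.

$Base   = 'E:\Program Files\Microsoft Learning\Base'   # drive letter may differ, as the lab notes
$Parent = Join-Path $Base 'Base12A-WS2012-RC.vhd'

function New-LabGuest {
    param([Parameter(Mandatory)][string]$Name, [string]$Switch = 'Private Network')
    $dir = Join-Path $Base $Name
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $vhd = Join-Path $dir "$Name.vhd"
    # Differencing disk: the parent is never written to; each guest writes to its own child.
    if (-not (Test-Path $vhd)) { New-VHD -Path $vhd -ParentPath $Parent -Differencing | Out-Null }
    $vm = New-VM -Name $Name -MemoryStartupBytes 1GB -VHDPath $vhd -SwitchName $Switch -Path $dir
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true
    # Task 2 steps 14-15: do not auto-start with the host; shut the guest down cleanly with it.
    Set-VM -Name $Name -AutomaticStartAction Nothing -AutomaticStopAction ShutDown
    # Task 3: start collecting CPU, memory, disk and network usage for this VM.
    Enable-VMResourceMetering -VMName $Name
    return $vm
}

function Test-LabGuest {
    # Equivalent of Inspect Disk (Task 1 step 19) plus the metering state.
    param([Parameter(Mandatory)][string]$Name)
    $vhd = Get-VHD -Path (Join-Path (Join-Path $Base $Name) "$Name.vhd")
    $vm  = Get-VM -Name $Name
    [pscustomobject]@{
        Name            = $Name
        VhdType         = $vhd.VhdType                     # Differencing when built as above
        ParentOk        = ($vhd.ParentPath -eq $Parent)
        DynamicMemory   = $vm.DynamicMemoryEnabled
        StartAction     = $vm.AutomaticStartAction
        StopAction      = $vm.AutomaticStopAction
        MeteringEnabled = $vm.ResourceMeteringEnabled
    }
}

'LON-GUEST1', 'LON-GUEST2' | ForEach-Object {
    New-LabGuest -Name $_ | Out-Null
    Test-LabGuest -Name $_
} | Format-Table -AutoSize
```

ParentOk is the check worth keeping: a differencing disk whose parent has been moved, renamed or modified after the children were created will not start, and because the parent is shared by every guest built from it, it should be treated as read-only for the life of the lab.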

Results: After this exercise, you should have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing disks.

Exercise 4: Using Virtual Machine Snapshots


Task 1: Deploy Windows Server 2012 in a virtual machine
1. In the Hyper-V Manager console, click LON-GUEST1.
2. In the Actions pane, click Start.
3. Double-click LON-GUEST1 to open the Virtual Machine Connection window.
4. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, on the Settings page, click Skip.

5. On the Settings page, select the I accept the license terms for using Windows check box, and then click Accept.
6. On the Settings page, click Next to accept the Region and Language settings.
7. On the Settings page, enter the password Pa$$w0rd twice, and then click Finish.
8. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, from the Action menu, click Ctrl+Alt+Delete. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.
9. On the virtual machine, in the Server Manager console, click Local Server, and then click the randomly assigned name next to the computer name.
10. In the System Properties dialog box, on the Computer Name tab, click Change.
11. Set the Computer Name to LON-GUEST1, and then click OK.
12. In the Computer Name/Domain Changes dialog box, click OK.
13. Click Close to close the System Properties dialog box.
14. In the Microsoft Windows dialog box, click Restart Now.

Task 2: Create a virtual machine snapshot

1. Log on to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click the Local Server node, and verify that the name of the computer is set to LON-GUEST1.
3. In the Virtual Machine Connection window, from the Action menu, click Snapshot.
4. In the Snapshot Name dialog box, enter the name Before Change, and then click Yes.

Task 3: Modify the virtual machine

1. In the Server Manager console, click Local Server, and then next to Computer name, click LON-GUEST1.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. Set the Computer Name to LON-Computer1, and then click OK.
4. In the Computer Name/Domain Changes dialog box, click OK.
5. Close the System Properties dialog box.
6. In the Microsoft Windows dialog box, click Restart Now.
7. Log back on to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd.
8. In the Server Manager console, click Local Server, and verify that the server name is set to LON-Computer1.

Task 4: Revert to the existing virtual machine snapshot

1. In the Virtual Machine Connection window, from the Action menu, click Revert.
2. In the Revert Virtual Machine dialog box, click Revert.
3. In the Server Manager console, in the Local Server node in the Virtual Machines list, verify that the Computer Name is set to LON-GUEST1.


Task 5: View resource metering data

1. On LON-HOST1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command-line prompt, enter the following command to import the Hyper-V module:

Import-Module Hyper-V

3. At the Windows PowerShell command-line prompt, enter the following command to retrieve resource metering information:

Measure-VM LON-GUEST1

4. Note the average CPU, average random access memory (RAM), and total disk usage figures.
5. Close the Windows PowerShell window.
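The following script is an added example and not part of the course lab; it automates the metering steps from Task 3 and Task 5 for a list of virtual machines, resetting the counters so that each sample covers a known interval and appending the Measure-VM figures to a CSV file for later comparison. The report path, the sample interval and the CPU review threshold are assumed values; the VM names are the ones used in the lab.

```powershell
# Added example: collect a resource-metering sample for several VMs on the
# local Hyper-V host (LON-HOST1 in the lab) and record it for baselining.
# Assumed values: $ReportPath, $SampleSecs and $CpuReviewMHz are constructed
# for this example and are not from the course material.
Import-Module Hyper-V

$VMNames      = @('LON-GUEST1', 'LON-GUEST2')
$ReportPath   = 'C:\Reports\VMResourceBaseline.csv'   # assumed location
$SampleSecs   = 60                                     # assumed interval
$CpuReviewMHz = 1000                                   # assumed threshold

foreach ($name in $VMNames) {
    $vm = Get-VM -Name $name
    # Metering only accumulates after it is enabled, so enable it where it is
    # off, then reset the counters so this sample starts from zero.
    if (-not $vm.ResourceMeteringEnabled) {
        Enable-VMResourceMetering -VMName $name
    }
    Reset-VMResourceMetering -VMName $name
}

# Let the counters accumulate for the sample interval.
Start-Sleep -Seconds $SampleSecs

$rows = foreach ($name in $VMNames) {
    $r = Measure-VM -VMName $name
    [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('s')
        VMName      = $r.VMName
        DurationSec = [int]$r.MeteringDuration.TotalSeconds
        AvgCpuMHz   = $r.AverageProcessorUsage
        AvgRamMB    = $r.AverageMemoryUsage
        MaxRamMB    = $r.MaximumMemoryUsage
        TotalDiskMB = $r.TotalDiskAllocation
        # Flag guests whose average CPU is above the expected level so an
        # administrator can compare the sample against earlier rows.
        Review      = if ($r.AverageProcessorUsage -gt $CpuReviewMHz) { 'REVIEW' } else { '' }
    }
}

# -Append requires Windows PowerShell 3.0 (shipped with Windows Server 2012).
$rows | Export-Csv -Path $ReportPath -NoTypeInformation -Append
$rows | Format-Table -AutoSize
```

Run it repeatedly (for example from a scheduled task) to build a per-VM baseline; a guest whose averages move well away from its own history is a candidate for closer inspection.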

Task 6: Revert the virtual machines

1. On the taskbar, click the Windows PowerShell icon.
2. In the Windows PowerShell window, enter the following command and press Enter:

Shutdown /r /t 5

3. From the Windows Boot Manager, choose Windows Server 2008 R2.

Results: After this exercise, you should have used virtual machine snapshots to recover from a virtual machine misconfiguration.
