MCT USE ONLY. STUDENT USE PROHIBITED
OFFICIAL MICROSOFT LEARNING PRODUCT
20411D
Administering Windows Server 2012
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2013 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners.



Product Number: 20411D
Part Number: X19-55719
Released: May, 2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE


These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.

i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active silver or gold-level Microsoft Partner Network program member in good
standing.

l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of
this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law, which this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain from
Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim any
compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the licensed content, services or content (including code) on third-party Internet
sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent
permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights granted to you by the laws of your country
if those laws do not permit it to do so.

Revised September 2012
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution in developing
this title. Their effort at various developmental stages has ensured that you have a good classroom
experience.
Brian Svidergol Content Developer
Brian Svidergol specializes in Microsoft infrastructure and cloud-based solutions built around Windows,
Active Directory, Microsoft Exchange, Microsoft System Center, virtualization, and Microsoft Desktop
Optimization Pack. He holds many Microsoft and industry certifications. Brian authored the Active
Directory Cookbook, 4th Edition. He has also worked as a Subject Matter Expert, and technical reviewer on
many Microsoft Official Courses and Microsoft Certification exams, and authored or reviewed related
training content.
Dave Franklyn Content Developer
David M. Franklyn, Microsoft Certified Trainer, Microsoft Certified System Engineer (MCSE), Microsoft
Certified Information Technology Professional, Microsoft Most Valuable Professional (MVP), Windows
Expert--IT Pro, is a Senior Information Technology Trainer and Consultant at Auburn University in
Montgomery, Alabama, and the owner of DaveMCT, LLC. He is also Adjunct Faculty with MyITStudy.com.
He is an Eastern USA Regional Lead MCT. Dave has been a Microsoft MVP since 2011. Working with
computers since 1976, Dave started out in the mainframe world and moved into the networking arena
early. Before joining Auburn University in 1998, Dave spent 22 years in the US Air Force as an electronic
communications and computer systems specialist. Dave is president of the Montgomery Windows
Information Technology (IT) Professional Group, and a guest speaker at many events involving Microsoft
products.
Gary Dunlop Content Developer
Gary Dunlop lives in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks.
He has authored a number of Microsoft Learning titles and has been an MCT since 1997.
Telmo Sampaio Content Developer
Telmo Sampaio, who has a Bachelor of Science (BS) degree, is also an MCT, MCSE, Microsoft Certified
Solution Developer (MCSD), and was one of the first MCT Regional Leads. Telmo has passed more than 80
Microsoft exams since his first certification in 1996. He is the Chief Geek for MCTrainer.NET and
TechKnowLogical. Telmo specializes in Microsoft System Center, Microsoft SharePoint, Microsoft SQL Server, Windows Server, and .NET, and has worked for IBM, Microsoft, and several start-ups during the
past 20 years. Telmo is a trainer, consultant, author, and speaker at events such as TechEd, the Microsoft
Management Summit, and the Professional Association for SQL Server. He is very active in the MCT
community, and travels the world providing consulting services and attending training engagements. His
home base is Miami, Florida.
Vladimir Meloski Content Developer
Vladimir is a consultant, Microsoft Certified Trainer, and an MVP on Exchange Server, who provides unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync Server, Windows Server, and Microsoft System Center. Vladimir has 17 years of professional IT experience,
and has been involved in Microsoft conferences in Europe and the United States as a speaker, moderator,
proctor for hands-on labs, and technical expert. He has also been involved as a Subject Matter Expert and
technical reviewer for Microsoft Official Course titles.
Claudia Woods Technical Reviewer
Claudia has been a LAN Administrator, IT Pro Consultant, and technical instructor for more than twenty
years. She designs and implements technology solutions for an international customer base. Claudia also
holds MCSE, MCSA, and MCT certifications for Microsoft, VCP, VCI, and VCI Mentor certifications for
VMware, and certifications for other vendors. Her specialties include Windows Server, Active Directory,
Exchange Messaging, and Virtualization technologies. She has been a Technical Reviewer for more than
ten Microsoft Official Course titles.
Contents
Module 1: Configuring and Troubleshooting Domain Name System
Lesson 1: Configuring the DNS Server Role 1-2
Lesson 2: Configuring DNS Zones 1-12
Lesson 3: Configuring DNS Zone Transfers 1-22
Lesson 4: Managing and troubleshooting DNS 1-25
Lab: Configuring and Troubleshooting DNS 1-34
Module 2: Maintaining Active Directory Domain Services
Lesson 1: Overview of AD DS 2-2
Lesson 2: Implementing Virtualized Domain Controllers 2-8
Lesson 3: Implementing RODCs 2-18
Lesson 4: Administering AD DS 2-24
Lesson 5: Managing the AD DS Database 2-35
Lab: Maintaining AD DS 2-44
Module 3: Managing User and Service Accounts
Lesson 1: Configuring Password Policy and User Account Lockout Settings 3-2
Lesson 2: Configuring Managed Service Accounts 3-12
Lab: Managing User and Service Accounts 3-20
Module 4: Implementing a Group Policy Infrastructure
Lesson 1: Introducing Group Policy 4-2
Lesson 2: Implementing and Administering GPOs 4-11
Lesson 3: Group Policy Scope and Group Policy Processing 4-17
Lesson 4: Troubleshooting the Application of GPOs 4-33
Lab: Implementing a Group Policy Infrastructure 4-40
Module 5: Managing User Desktops with Group Policy
Lesson 1: Implementing Administrative templates 5-2
Lesson 2: Configuring Folder Redirection and Scripts 5-8
Lesson 3: Configuring Group Policy Preferences 5-14
Lesson 4: Managing Software with Group Policy 5-19
Lab: Managing User Desktops with Group Policy 5-23
Module 6: Installing, Configuring, and Troubleshooting the Network Policy Server Role
Lesson 1: Installing and Configuring a Network Policy Server 6-2
Lesson 2: Configuring RADIUS Clients and Servers 6-6
Lesson 3: NPS Authentication Methods 6-12
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 6-20
Lab: Installing and Configuring a Network Policy Server 6-26
Module 7: Implementing Network Access Protection
Lesson 1: Overview of Network Access Protection 7-2
Lesson 2: Overview of NAP Enforcement Processes 7-7
Lesson 3: Configuring NAP 7-13
Lesson 4: Configuring IPsec Enforcement for NAP 7-18
Lesson 5: Monitoring and Troubleshooting NAP 7-27
Lab: Implementing Network Access Protection 7-31
Module 8: Implementing Remote Access
Lesson 1: Overview of Remote Access 8-2
Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard 8-9
Lab A: Implementing DirectAccess by Using the Getting Started Wizard 8-23
Lesson 3: Implementing and Managing an Advanced DirectAccess
Infrastructure 8-29
Lab B: Deploying an Advanced DirectAccess Solution 8-41
Lesson 4: Implementing VPN 8-52
Lab C: Implementing VPN 8-62
Lesson 5: Implementing Web Application Proxy 8-68
Lab D: Implementing Web Application Proxy 8-74
Module 9: Optimizing File Services
Lesson 1: Overview of FSRM 9-2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage
Reports 9-8
Lesson 3: Implementing Classification and File Management Tasks 9-18
Lab A: Configuring Quotas and File Screening Using File Server
Resource Manager 9-22
Lesson 4: Overview of DFS 9-26
Lesson 5: Configuring DFS Namespaces 9-33
Lesson 6: Configuring and Troubleshooting DFS Replication 9-37
Lab B: Implementing Distributed File System 9-43
Module 10: Configuring Encryption and Advanced Auditing
Lesson 1: Encrypting Drives by Using BitLocker 10-2
Lesson 2: Encrypting Files by Using EFS 10-9
Lesson 3: Configuring Advanced Auditing 10-13
Lab: Configuring Encryption and Advanced Auditing 10-21
Module 11: Deploying and Maintaining Server Images
Lesson 1: Overview of Windows Deployment Services 11-2
Lesson 2: Managing Images 11-9
Lesson 3: Implementing Deployment with Windows Deployment
Services 11-16
Lesson 4: Administering Windows Deployment Services 11-22
Lab: Using Windows Deployment Services to Deploy Windows
Server 2012 11-29
Module 12: Implementing Update Management
Lesson 1: Overview of WSUS 12-2
Lesson 2: Deploying Updates with WSUS 12-9
Lab: Implementing Update Management 12-15
Module 13: Monitoring Windows Server 2012
Lesson 1: Monitoring Tools 13-2
Lesson 2: Using Performance Monitor 13-11
Lesson 3: Monitoring Event Logs 13-20
Lab: Monitoring Windows Server 2012 13-24
Lab Answer Keys
Module 1 Lab: Configuring and Troubleshooting DNS L1-1
Module 2 Lab: Maintaining AD DS L2-9
Module 3 Lab: Managing User and Service Accounts L3-21
Module 4 Lab: Implementing a Group Policy Infrastructure L4-25
Module 5 Lab: Managing User Desktops with Group Policy L5-37
Module 6 Lab: Installing and Configuring a Network Policy Server L6-45
Module 7 Lab: Implementing Network Access Protection L7-51
Module 8 Lab A: Implementing DirectAccess by Using the Getting
Started Wizard L8-61
Module 8 Lab B: Deploying an Advanced DirectAccess Solution L8-67
Module 8 Lab C: Implementing VPN L8-82
Module 8 Lab D: Implementing Web Application Proxy L8-89
Module 9 Lab A: Configuring Quotas and File Screening Using File
Server Resource Manager L9-95
Module 9 Lab B: Implementing Distributed File System L9-99
Module 10 Lab: Configuring Encryption and Advanced Auditing L10-105
Module 11 Lab: Using Windows Deployment Services to Deploy
Windows Server 2012 L11-113
Module 12 Lab: Implementing Update Management L12-119
Module 13 Lab: Monitoring Windows Server 2012 L13-125
About This Course
This section provides a brief description of the course 20411D: Administering Windows Server 2012,
including its audience, suggested prerequisites, and course objectives.
Course Description
Note: This release (D) Microsoft Official Curriculum (MOC) version of course 20411 has been developed
on the final release version of Windows Server 2012 R2 software.
This course is part two of a three-part series that provides the skills and knowledge necessary to
implement a core Windows Server 2012 and Windows Server 2012 R2 infrastructure in an existing
enterprise environment. The three courses collectively cover implementing, managing, maintaining, and
provisioning services and infrastructure in a Windows Server 2012 environment. Although there is some
overlap in skills and tasks across the courses, this course focuses on the administration tasks necessary to
maintain a Windows Server 2012 infrastructure, such as configuring and troubleshooting name resolution;
managing users and groups with Active Directory Domain Services (AD DS) and Group Policy;
implementing remote access solutions such as DirectAccess, VPNs, and Web Application Proxy;
implementing network policies and Network Access Protection; data security; deploying and maintaining
server images; and update management and monitoring of Windows Server 2012 environments.
Audience
This course is intended for Information Technology (IT) Professionals with hands on experience working in
a Windows Server 2008 or Windows Server 2012 environment who wish to acquire the skills and
knowledge necessary to be able to manage and maintain the core infrastructure required for a Windows
Server 2012 and Windows Server 2012 R2 environment. The key focus for students is to broaden the initial
deployment of Windows Server 2012 services and infrastructure and provide the skills necessary to
manage and maintain a domain based Windows Server 2012 environment, providing skills in areas such as
User and Group management, Network Access and Data Security. Candidates typically interested in
attending this course are:
Windows Server Administrators experienced in working with Windows Server 2008 or Windows
Server 2012 who wish to gain skills necessary to perform daily management and maintenance
tasks in a Windows Server 2012 or Windows Server 2012 R2 environment.
IT Professionals who are preparing for Exam 70-411: Administering Windows Server 2012
IT Professionals who want to take any of the following exams:
o The Microsoft Certified Solutions Expert (MCSE) exams in DataCenter, Desktop Infrastructure,
Messaging, Collaboration and Communications
o The Microsoft Certified Solutions Associate (MCSA) exams, which are a pre-requisite for their
individual specialties
Student Prerequisites
This course requires that students meet the following prerequisites, including that they:
Install and Configure Windows Server 2012 into existing enterprise environments or as standalone
installations
Configure local storage
Configure roles and features
Configure file and print services
Configure Windows Server 2012 servers for local and remote administration
Configure IPv4 and IPv6 addresses
Configure Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services
Configure Active Directory Domain Services (AD DS)
Install domain controllers
Create and configure users, groups, computers, and organizational units (OUs)
Create and manage Group Policies
Configure local security policies
The course prerequisites can be met by having knowledge equivalent to, or by attendance at, course
20410C: Installing and Configuring Windows Server 2012, because this course builds upon the knowledge
and skills covered in that course.
Course Objectives
After completing this course, students will be able to:
Configure and troubleshoot DNS, including DNS replication and caching.
Manage domain controllers and perform maintenance on Active Directory Domain Services (AD DS).
Configure account and password settings for standard users and configure service accounts.
Implement a Group Policy Object (GPO) infrastructure.
Configure Group Policy settings and Group Policy preferences.
Install and configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service
(RADIUS) server for centralized authentication.
Implement and manage Network Access Protection (NAP).
Configure remote network access using Routing and Remote Access and DirectAccess.
Implement Web Application Proxy to enable access to internal applications without DirectAccess or
virtual private network (VPN).
Configure File Server Resource Manager (FSRM) and Distributed File System (DFS) to optimize file
services.
Configure encryption and advanced auditing to increase file system security.
Create and manage server images by using Windows Deployment Services (Windows DS).
Use Windows Server Update Services (WSUS) to deploy updates to Windows servers and clients.
Monitor Windows Server 2012 and troubleshoot performance issues.

Course Outline
This section provides an outline of the course:
Module 1, Configuring and Troubleshooting Domain Name System
This module starts by describing how to configure and troubleshoot Domain Name System
(DNS), including DNS replication and caching, and the procedures for installing and configuring
the DNS Server role.
Module 2, Maintaining Active Directory Domain Services
This module describes how to maintain Active Directory Domain Services (AD DS) and provides
information about AD DS forest and schema structure and the AD DS domain structure.
Module 3, Managing User and Service Accounts
This module explains user and service accounts and shows students how to configure account
and password settings for standard users and how to configure service accounts.
Module 4, Implementing a Group Policy Infrastructure
This module describes the components and technologies that comprise the Group Policy
framework.
Module 5, Managing User Desktops with Group Policy
This module describes how to manage user desktops with Group Policy, including administrative
templates, folder redirection and scripts, Group Policy preferences, and software deployment, and
explains how to configure and understand these different policy setting types.
Module 6, Installing, Configuring, and Troubleshooting the Network Policy Server Role
This module describes how to install and configure Network Policy Server (NPS) as a Remote
Authentication Dial-In User Service (RADIUS) server for centralized authentication. This module
also describes NPS authentication methods and how to monitor and troubleshoot NPS.
Module 7, Implementing Network Access Protection
This module describes how to configure Network Access Protection (NAP) to prevent non-
compliant computers from accessing the network.
Module 8, Implementing Remote Access
This module explains how to implement remote network access using Routing and Remote
Access, DirectAccess, and Web Application Proxy.
Module 9, Optimizing File Services
This module provides information about configuring Distributed File System (DFS) and File Server
Resource Manager (FSRM) to optimize file services.
Module 10, Configuring Encryption and Advanced Auditing
This module explains how to encrypt drives by using BitLocker, how to encrypt files by using
Encrypting File System (EFS), and how to configure advanced auditing features.
Module 11, Deploying and Maintaining Server Images
This module explains how to create and manage server images by using Windows Deployment
Services (Windows DS).
Module 12, Implementing Update Management
This module provides an overview of Windows Server Update Services (WSUS) and how to use
WSUS to deploy updates to Windows servers and clients.
Module 13, Monitoring Windows Server 2012
The final module describes the monitoring tools available in Windows Server 2012, including how
to use Performance Monitor and how to monitor events.

Exam/Course Mapping
This course, 20411D: Administering Windows Server 2012, has a direct mapping of its content to the
objective domain for the Microsoft exam 70-411: Administering Windows Server 2012.
The table below is provided as a study aid that will assist you in preparation for taking this exam and
to show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-411.aspx, under Skills Measured.
Exam 70-411: Administering Windows Server 2012 objective | MOC module and lesson | MOC lab

1. Deploy, Manage, and Maintain Servers (16%)

1.1 Deploy and manage server images. This objective may include but is not limited to: Install the Windows Deployment Services (WDS) role; configure and manage boot, install, and discover images; update images with patches, hotfixes, and drivers; install features for offline images; configure driver groups and packages.
    Module/Lesson: Mod 11, Lessons 1/2/3/4. Lab: Mod 11, Ex 1/2/3/4.

1.2 Implement patch management. This objective may include but is not limited to: Install and configure the Windows Server Update Services (WSUS) role; configure group policies for updates; configure client-side targeting; configure WSUS synchronization; configure WSUS groups; manage patch management in mixed environments.
    Module/Lesson: Mod 12, Lessons 1/2. Lab: Mod 12, Ex 1/2/3.

1.3 Monitor servers. This objective may include but is not limited to: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring; schedule performance monitoring.
    Module/Lesson: Mod 13, Lessons 1/2/3. Lab: Mod 13, Ex 1/2/3.
2. Configure File and Print Services (18%)

2.1 Configure Distributed File System (DFS). This objective may include but is not limited to: Install and configure DFS namespaces; configure DFS Replication targets; configure replication scheduling; configure Remote Differential Compression settings; configure staging; configure fault tolerance; clone a DFS database; recover DFS databases; optimize DFS Replication.
    Module/Lesson: Mod 9, Lessons 4/5/6. Lab: Mod 9, Lab B, Ex 1/2/3.

2.2 Configure File Server Resource Manager (FSRM). This objective may include but is not limited to: Install the FSRM role; configure quotas; configure file screens; configure reports; configure file management tasks.
    Module/Lesson: Mod 9, Lessons 1/2/3. Lab: Mod 9, Lab A, Ex 1/2.

2.3 Configure file and disk encryption. This objective may include but is not limited to: Configure BitLocker encryption; configure the Network Unlock feature; configure BitLocker policies; configure the EFS recovery agent; manage EFS and BitLocker certificates, including backup and restore.
    Module/Lesson: Mod 10, Lessons 1/2. Lab: Mod 10, Ex 1/2.

2.4 Configure advanced audit policies. This objective may include but is not limited to: Implement auditing using Group Policy and AuditPol.exe; create expression-based audit policies; create removable device audit policies.
    Module/Lesson: Mod 10, Lesson 3. Lab: Mod 10, Ex 3.

3. Configure Network Services and Access (16%)

3.1 Configure DNS zones. This objective may include but is not limited to: Configure primary and secondary zones; configure stub zones; configure conditional forwarders; configure zone and conditional forwarder storage in Active Directory; configure zone delegation; configure zone transfer settings; configure notify settings.
    Module/Lesson: Mod 1, Lessons 1/2/3/4. Lab: Mod 1, Ex 1/2/3.

3.2 Configure DNS records. This objective may include but is not limited to: Create and configure DNS resource records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records; configure zone scavenging; configure record options including Time To Live (TTL) and weight; configure round robin; configure secure dynamic updates.
    Module/Lesson: Mod 1, Lessons 1/2/3/4. Lab: Mod 1, Ex 1/2/3/4.

3.3 Configure VPN and routing. This objective may include but is not limited to: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing; configure Web Application Proxy in pass-through mode.
    Module/Lesson: Mod 8, Lessons 1/4/5. Lab: Mod 8, Lab C, Ex 1/2; Lab D, Ex 1/2.
3.4 Configure DirectAccess. This objective may include but is not limited to: Implement server requirements; implement client configuration; configure DNS for DirectAccess; configure certificates for DirectAccess.
    Module/Lesson: Mod 8, Lessons 1/2/3. Lab: Mod 8, Lab A, Ex 1/2/3; Lab B, Ex 1/2/3.

4. Configure a Network Policy Server Infrastructure (20%)

4.1 Configure Network Policy Server (NPS). This objective may include but is not limited to: Configure a RADIUS server including RADIUS proxy; configure RADIUS clients; manage NPS templates; configure RADIUS accounting; configure certificates.
    Module/Lesson: Mod 6, Lessons 1/2/3/4. Lab: Mod 6, Ex 1/2.

4.2 Configure NPS policies. This objective may include but is not limited to: Configure connection request policies; configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing); import and export NPS policies.
    Module/Lesson: Mod 6, Lessons 1/2/3/4; Mod 7, Lessons 1/2. Lab: Mod 6, Ex 1/2; Mod 7, Ex 1/2/3.

4.3 Configure Network Access Protection (NAP). This objective may include but is not limited to: Configure System Health Validators (SHVs); configure health policies; configure NAP enforcement using DHCP and VPN; configure isolation and remediation of non-compliant computers using DHCP and VPN; configure NAP client settings.
    Module/Lesson: Mod 7, Lessons 1/2/3/4/5. Lab: Mod 7, Ex 1/2/3.

5. Configure and Manage Active Directory (13%)

5.1 Configure service authentication. This objective may include but is not limited to: Create and configure service accounts; create and configure group Managed Service Accounts; configure Kerberos delegation; manage Service Principal Names (SPNs); configure virtual accounts.
    Module/Lesson: Mod 3, Lessons 1/2. Lab: Mod 3, Ex 1/2.

5.2 Configure domain controllers. This objective may include but is not limited to: Transfer and seize operations master roles; install and configure a read-only domain controller (RODC); configure domain controller cloning.
    Module/Lesson: Mod 2, Lessons 2/3/4. Lab: Mod 2, Ex 1/4.

5.3 Maintain Active Directory. This objective may include but is not limited to: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore; configure and restore objects using the Active Directory Recycle Bin.
    Module/Lesson: Mod 2, Lessons 1/3/4/5. Lab: Mod 2, Ex 2/3.
5.4 Configure account policies. This objective may include but is not limited to: Configure domain and local user password policy settings; configure and apply Password Settings Objects (PSOs); delegate password settings management; configure account lockout policy settings; configure Kerberos policy settings.
    Module/Lesson: Mod 3, Lesson 1. Lab: Mod 3, Ex 1.

6. Configure and Manage Group Policy (15%)

6.1 Configure Group Policy processing. This objective may include but is not limited to: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing and Group Policy caching; configure client-side extension (CSE) behavior; force Group Policy update.
    Module/Lesson: Mod 4, Lessons 1/2/3/4. Lab: Mod 4, Ex 1/2/3/4.

6.2 Configure Group Policy settings. This objective may include but is not limited to: Configure settings including software installation, folder redirection, scripts, and administrative template settings; import security templates; import custom administrative template files; configure property filters for administrative templates.
    Module/Lesson: Mod 5, Lessons 1/2/3/4. Lab: Mod 5, Ex 1/2/3/4.

6.3 Manage Group Policy objects (GPOs). This objective may include but is not limited to: Back up, import, copy, and restore GPOs; create and configure migration tables; reset default GPOs; delegate Group Policy management.
    Module/Lesson: Mod 4, Lesson 2; Mod 5, Lesson 1. Lab: Mod 4, Ex 4; Mod 5, Ex 2.

6.4 Configure Group Policy preferences. This objective may include but is not limited to: Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment; configure item-level targeting.
    Module/Lesson: Mod 5, Lessons 1/2/3. Lab: Mod 5, Ex 1/2/4.

Note: Attending this course in itself will not successfully prepare you to pass any associated
certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
Real-world, hands-on experience Administering a Windows Server 2012 Infrastructure
Additional study outside of the content in this handbook
There may also be additional study and preparation resources, such as practice tests, available for
you to prepare for this exam. Details of these are available at the following
URL: http://www.microsoft.com/learning/en-us/exam-70-411.aspx, under Preparation options.
You should also check out the Microsoft Virtual Academy, http://www.microsoftvirtualAcademy.com to
view further additional study resources and online courses which are available to assist you with exam
preparation and career development.
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam
is available at the following URL: http://www.microsoft.com/learning/en-us/course.aspx?ID=20411D,
under Overview, Audience Profile.
The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject
to change at any time, and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
Course Handbook: A succinct classroom learning guide that provides the critical technical
information in a crisp, tightly focused format, which is essential for an effective in-class learning
experience.
You may be accessing either a printed course handbook or digital courseware material via the Arvato
Skillpipe reader. Your Microsoft Certified Trainer will provide specific details but both contain the
following:
o Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
o Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
o Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
o Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it is
needed.
Course Companion content on the http://www.microsoft.com/learning/companionmoc site:
Searchable, easy-to-navigate digital content with integrated premium online resources designed to
supplement the Course Handbook.
o Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
o Resources: Include well-categorized additional resources that give you immediate access to the
most up-to-date premium content on TechNet, Microsoft Developer Network, and Microsoft Press.

Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
o To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail
to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual Machine Configuration
In this course, you will use virtual machines built in Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you may need to revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab.
The following table shows the role of each virtual machine used in this course.
Virtual machine: Role
20411D-LON-DC1: A domain controller that is running Windows Server 2012 R2 in the Adatum.com domain.
20411D-LON-SVR1: A member server that is running Windows Server 2012 R2 in the Adatum.com domain.
20411D-LON-SVR3: A blank virtual machine on which students will install Windows Server 2012 R2.
20411D-LON-SVR4: A member server that is running Windows Server 2012 R2 in the Adatum.com domain.
20411D-LON-RTR: A router that is used for network activities that require a separate subnet. Also running Windows Server 2012 R2.
20411D-LON-CL1: A client computer that is running Windows 8.1 and Microsoft Office 2013 in the Adatum.com domain.
20411D-LON-CL2: A client computer that is running Windows 8.1 and Microsoft Office 2013 in the Adatum.com domain.
20411D-LON-CL3: A client computer that is running Windows 7 and is a member of the Adatum.com domain.
20411D-INET1: A Windows Server 2012 R2 server simulating an Internet Web and DNS server.
Software Configuration
The following software has been installed in the course:
Windows Server 2012 R2
Windows 8.1
Windows 7
Office 2013 Administrative Templates
XML Notepad
StressTool.exe
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
You may be accessing the lab virtual machines either in a hosted online environment with a web
browser or by using Hyper-V on a local machine. The labs and virtual machines are the same in both
scenarios; however, there may be some slight variations because of hosting requirements. Any
discrepancies will be called out in the Lab Notes on the hosted lab platform.
Your Microsoft Certified Trainer will provide details about your specific lab environment.
Course Hardware Level
Where labs are being run locally, to ensure a satisfactory student experience, Microsoft Learning requires
a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner
for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are
taught.
Hardware Level 7:
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*
16 GB RAM
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
*Striped

In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16-bit colors.
Navigation in Windows Server 2012
If you are not familiar with the user interface in Windows Server 2012 R2 or Windows 8.1, the following
information will help orient you to the new interface.
Sign in and Sign out replace Log in and Log off.
Administrative tools are found in the Tools menu of Server Manager.
Get to the Start screen, Settings, and Search as follows:
o To get to the Start screen, in the lower-left corner of the screen, click the Start button. This
provides access to some applications.
o To get to Settings, point your mouse to the lower-right corner of the screen, and then click the
Settings charm when it appears. Settings include Control Panel and Power.
o To get to Search, point your mouse to the lower-right corner of the screen, and then click the
Search charm when it appears. This allows you to search applications, settings, and files.
You also may find the following shortcut keys useful:
Windows logo key: Opens the Start screen
Windows logo key +I: Opens Settings
Windows logo key +R: Opens Run
Windows logo key +C: Displays the selection of charms
Module 1
Configuring and Troubleshooting Domain Name System
Contents:
Module Overview 1-1
Lesson 1: Configuring the DNS Server Role 1-2
Lesson 2: Configuring DNS Zones 1-12
Lesson 3: Configuring DNS Zone Transfers 1-22
Lesson 4: Managing and troubleshooting DNS 1-25
Lab: Configuring and Troubleshooting DNS 1-34
Module Review and Takeaways 1-39

Module Overview
The Domain Name System (DNS) is the foundation name service in the Windows Server 2012 operating
system. DNS provides name resolution, and it enables DNS clients to locate network services, such as
Active Directory Domain Services (AD DS) domain controllers, global catalog servers, and messaging
servers. If you configure your DNS infrastructure poorly or it is not working correctly, these important
network services will be inaccessible to your network servers and clients. Therefore, it is vital that you
understand how to deploy, configure, manage, and troubleshoot this critical service.
Objectives
After completing this module, you will be able to:
Install and configure the DNS server role.
Create and configure DNS zones.
Configure DNS zone transfers.
Manage and troubleshoot DNS.
Lesson 1
Configuring the DNS Server Role
The DNS infrastructure is the basis for name resolution on the Internet and in AD DS domains that are
based on Windows Server 2012. This lesson provides guidance and information about what is required to
configure the DNS server role, and it explains the basic functions of a DNS server.
Lesson Objectives
After completing this lesson, you will be able to:
List the components of a DNS solution.
Install the DNS server role.
Describe how various DNS queries work.
Explain how root hints work.
Explain how forwarding and conditional forwarding work.
Explain how DNS server caching works.
Configure the DNS server role.
Explain DNS round robin.
Explain the considerations for deploying the DNS server role.
Components of a DNS Solution
DNS is a name-resolution service that resolves names to IP addresses. The DNS service is a logically
partitioned, hierarchical distributed database that enables many different servers to host a worldwide
database of DNS names. In Windows Server 2012, DNS is a server role that provides a solution to ensure
that client computers can find resources on a domain, LAN, and the Internet. It also facilitates user and
computer authentication in a domain. The components of a DNS solution include internal DNS servers,
DNS servers on the Internet, and DNS resolvers or clients.
DNS Servers
A DNS server responds to name and IP address resolution queries from the DNS client service, also known
as the DNS resolver on other computers. DNS servers also can host one or more zones of a particular
domain. Zones contain different resource records. DNS servers also can cache lookups to save time for
common queries. DNS servers also store service locator records in the zones that enable clients to find
domain controllers in AD DS. Domain controllers add or register their service locator records to the DNS
server's zone to which the domain controller belongs. This enables clients to find all domain controllers
for the domain to which they belong. In a domain-based corporate network, you need to secure and
protect these DNS servers and their resource records. The best practice is to implement Active Directory
integrated zones, thereby combining the DNS server roles and the Active Directory role on your domain
controllers. This helps enhance security and facilitates zone transfers and delegation.
DNS Servers on the Internet
DNS servers on the Internet host public zone information, root server information, and other common
top-level domains (TLDs), such as .com, .net, and .edu. Other organizations that have their own domain
names, such as companies, government agencies, and nonprofit organizations, also have their own DNS
servers that you can send iterative queries to through the root and TLD servers. There are millions of these
DNS servers and each might host resource records of web services that your DNS servers will use to
resolve names to IP addresses.
Note: Do not confuse these servers with the DNS servers that host your organization's
public namespace. These are located physically on your perimeter network. Do not store sensitive
domain information such as service locator records on these DNS servers.
DNS Resolvers
A DNS resolver is a service that runs on a client computer. A resolver generates and sends either iterative
or recursive queries to a DNS server. A DNS resolver can be any computer performing a DNS lookup that
requires interaction with a DNS server. DNS servers also can issue DNS requests to other DNS servers.
When a DNS server responds to a name resolution request, the DNS resolver caches that information in
memory so it can access it again if required. It is stored locally rather than going back to the DNS server
each time. However, each record is marked with a Time to Live (TTL) time stamp that automatically flushes
the record out of the cache when the TTL expires.
Demonstration: Installing the DNS Server Role
This demonstration shows how to install the DNS server role.
Demonstration Steps
1. Switch to LON-SVR1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Use Server Manager to install the DNS Server role.
What Are DNS Queries?
DNS clients request name resolution service from DNS servers in a process called DNS queries. There are
two types of response to DNS queries: authoritative and nonauthoritative. Note that DNS servers can also
send DNS queries to other DNS servers when they do not know or have a name resolution.
A DNS server can be either authoritative or nonauthoritative for the query's namespace. A DNS server
with resource records for a domain in a zone that it hosts is authoritative, and any requests directed to
such a server are considered authoritative queries. In this case, if a name resolution is requested and that
DNS server does not have a resource record corresponding to that name, a "Name does not exist"
response is given by that DNS server and accepted by the client resolver as authoritative. The client
resolver will not ask another DNS
server. Nonauthoritative DNS query replies are passed on and derived from other DNS servers that are
responsible for the domain that hosts the resource record.
Note: Only the server with direct authority for the queried name can give an authoritative
answer.
If a local DNS server is nonauthoritative for the query's namespace, the DNS server will do one of the
following:
Check its cache, and return a cached response.
Forward the unresolvable query to a specific server known as a forwarder.
Use well-known addresses of multiple root servers to find an authoritative DNS server to resolve the
query. This process uses root hints.
Recursive Queries
A recursive query is a query made by a DNS client to a DNS server. The DNS client service waits while the
DNS server retrieves the answer. There are two possible results to a recursive query:
The recursive query returns the IP address of the requested host.
The DNS server cannot resolve an IP address.
For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. This prevents
the DNS server in question from forwarding its DNS requests to another server. This can be useful when
you do not want a particular DNS server communicating outside its local network.
Iterative Queries
An iterative query is a query made by a DNS server for information it has either in its zone or in cache.
Iterative queries provide a mechanism for accessing domain-name information that resides across the
DNS system, and enable servers to resolve names quickly and efficiently across many servers.
When a DNS server receives a request that it cannot answer by using its local information or its cached
lookups, it makes the same request to another DNS server by using an iterative query.
When a DNS server receives an iterative query, it might answer with the IP address for the domain name,
if it is known, or with a referral to the DNS servers that are responsible for the domain being queried.
What Are Root Hints?
Root hints are the list of servers on the Internet that your DNS server uses if it cannot resolve a DNS
query by using a DNS forwarder or its own cache. Root hints are the highest-level servers in the DNS
hierarchy and can provide the information necessary for a DNS server to perform an iterative query to the
next-lowest layer of the DNS namespace.
Root hints install automatically when you install the DNS role. The installation program copies root hints
from the Cache.dns file that the DNS role setup files include. You can find root hints in the DNS console
on the DNS Server Properties page, on the Root Hints tab. You also can add root hints to a
DNS server to support lookups for noncontiguous named domains within a forest. For example, if the
Contoso.com domain is the forest root domain and has a tree named Woodgrovebank.com, you can add
the DNS server addresses for the Woodgrovebank.com tree into the root hints. However, you could also
add these same DNS servers as conditional forwarders for the Woodgrovebank.com tree. You will learn
about conditional forwarders in the next topic.
When a DNS server communicates with a root hints server, it only uses an iterative query. If you select the
Do Not Use Recursion For This Domain option, the server will not be able to perform queries on the root
hints. You might set this option if you want to restrict all name resolutions to a particular network for
security purposes.
If you configure a server to use a forwarder, it will attempt to send a recursive query to its forwarding
server. If the forwarding server does not answer this query, the server will respond that the host could not
be found.
It is important to understand that recursion on a DNS server and recursive queries are not the same thing.
Recursion on a server means that the server will use its root hints and try to resolve a DNS query. The
previous topic discussed iterative and recursive queries in more detail.
What Is Forwarding?
Forwarding provides a way to pass on namespaces or resource records that are not contained in a DNS
server's zone to another DNS server for resolution. For example, you might want to send all external
name resolution requests to the DNS servers of an Internet service provider (ISP) rather than directly to
root hints. Alternatively, you might want to send external DNS queries from a branch office DNS server
to the headquarters DNS servers, which then go to the root hints to resolve the name. You also can use
conditional forwarders to forward queries according to specific domain names.
A network DNS server is designated a forwarder when the network's other DNS servers forward the
queries that they cannot resolve to it. By using a forwarder, you can manage name resolution for names
that are outside your network, such as names on the Internet, and improve the efficiency of name
resolution for your network's computers.
Best Practice: Use a central forwarding DNS server for Internet name resolution. This
security best practice can improve performance and simplify troubleshooting. You can locate the
forwarding DNS server on a perimeter network, which ensures that no server within the network
is communicating directly to the Internet.
Conditional Forwarding
A conditional forwarder is a configuration setting on the DNS server that forwards DNS queries according
to the query's DNS domain name. For example, you can configure a DNS server to forward all queries that
it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP
addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest.
Best Practice for Conditional Forwarding
Use conditional forwarders if you have multiple internal namespaces. This provides faster name resolution.
How DNS Server Caching Works
DNS caching increases the performance of an organization's DNS system by decreasing the time it takes
to provide DNS lookups. When a DNS server resolves a DNS name successfully, it adds the name to its
cache. Over time, this builds a cache of domain names and their associated IP addresses for the most
common domains that an organization uses or accesses.
Note: The default time to cache DNS data is one hour. You can configure this by changing the
start of authority (SOA) resource record for the appropriate DNS zone. However, you cannot do this
unless you are the administrator of the authoritative zone's DNS server. For example, if the DNS
administrator for the Contoso.com zone sets the TTL to 2 hours, and you are the DNS administrator for
the DNS server that is hosting the Fabrikam.com DNS zone, you cannot add time to or remove time from
the records for Contoso.com.
A caching-only server will not host any DNS zone data; it only answers lookups for DNS clients. This is the
ideal type of DNS server to use as a forwarder because it does not have an authoritative zone to scan. A
caching-only server only scans cached records or sends a recursive and iterative name resolution query to
other DNS servers. In this configuration, the caching-only server builds up a database for cached name
resolutions, as long as the TTL is valid. This can decrease the time to resolve names, especially if clients
repeatedly request the same name resolutions.
There is a particular security vulnerability in DNS caching that involves records that are placed into the
cache that are purposely not correct, which can lead a DNS server to provide a false name-to-IP
resolution. This is known as DNS cache pollution. If a DNS server does not properly corroborate another
DNS server's authoritative responses, it is possible for the cached results to be invalid, and to include
name resolutions to the domain of an exploiter. The DNS server delivers the address to a client, which
then sends data to or requests data from the exploiter's servers. Windows Server 2003 and newer versions
protect against this threat by instituting cache pollution protection, which is enabled by default. This
process ensures that the name resolution replies that are returned from the queried DNS domain are from
the requested authoritative DNS server. Therefore, the DNS server that is replying must be authoritative.
To see the DNS server's cache, in the DNS console, set the View menu to Advanced, and an additional
node named Cached Lookups will appear in the console tree. You can expand this node to reveal the
various TLDs of the Internet that you can expand to show the secondary level domains and cached
records. Note that, as time goes by, many of the records will expire because of the TTL. At that point,
another name resolution request must go out to the root hints or forwarders.
The Windows PowerShell cmdlet Show-DnsServerCache shows all cached DNS server resource records
in the following format: name, resource record data, and TTL. You might want to redirect the output to a
text file, because the number of cached records builds up considerably over time.
The DNS client cache is a DNS cache that the DNS Client service stores on a local computer. To view the
current client-side cache, run the ipconfig /displaydns command at the command prompt. If you must
clear the local cache, such as when you are troubleshooting name resolution, you can use the ipconfig
/flushdns command.
Note: You also can use the following cmdlets in the Windows PowerShell command-line
interface:
Clear-DnsClientCache to delete the DNS resolver cache
Get-DnsClientCache to view the resolver cache
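The following script is an added example, not part of the courseware: it audits the caching-related settings discussed in this topic (cache pollution protection, recursion) on a DNS server, dumps the server cache to a file as the text recommends, and lists the local client cache. The server name LON-DC1 and the output path are assumptions.

```powershell
# Added example: audit DNS server cache settings and dump the cache.
# Assumes the DnsServer module (installed with the DNS Server role) and that the
# script runs on or against the lab DNS server LON-DC1 (assumed name).
$ServerName = 'LON-DC1'                 # assumption: course lab DNS server
$DumpPath   = 'C:\DnsServerCache.txt'   # assumption: where to save the dump

# 1. Cache pollution protection should be on (it is the default). Report, and re-enable if off.
$cache = Get-DnsServerCache -ComputerName $ServerName
if (-not $cache.EnablePollutionProtection) {
    Write-Warning "Cache pollution protection is OFF on $ServerName; enabling it."
    Set-DnsServerCache -ComputerName $ServerName -PollutionProtection $true
} else {
    Write-Output "Cache pollution protection is enabled on $ServerName."
}

# 2. The authoritative zone's SOA sets a record's TTL; MaxTTL is the local upper bound this
#    caching server will honour for any cached record.
Write-Output ("Cache MaxTTL: {0}  MaxNegativeTTL: {1}" -f $cache.MaxTTL, $cache.MaxNegativeTTL)

# 3. Recursion state: a server that must not communicate outside its network has it disabled.
$recursion = Get-DnsServerRecursion -ComputerName $ServerName
Write-Output ("Recursion enabled: {0}" -f $recursion.Enable)

# 4. Dump the server cache (name, record data, TTL) to a file; it grows considerably over time.
Show-DnsServerCache -ComputerName $ServerName | Out-File -FilePath $DumpPath -Width 200
Write-Output "Server cache written to $DumpPath"

# 5. The client-side resolver cache on this machine, for comparison with the server cache.
Get-DnsClientCache | Select-Object Entry, RecordType, TimeToLive, Data | Format-Table -AutoSize
```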
Demonstration: Configuring the DNS Server Role
This demonstration shows how to configure the DNS server properties and conditional forwarding, and
how to clear the cache.
Demonstration Steps
Configure DNS server properties
1. Switch to LON-DC1 and, if necessary, sign in as Adatum\Administrator with the password
Pa$$w0rd.
2. Open the DNS console.
3. Review the properties of the LON-DC1 server:
a. On the Forwarders tab, you can configure forwarding.
b. On the Advanced tab, you can configure options including securing the cache against pollution,
and DNS Security Extensions (DNSSEC).
c. On the Root Hints tab, you can see the configuration for the root hints servers.
d. On the Debug Logging tab, you can configure debug logging options.
e. On the Event Logging tab, you can configure the level of event recording.
f. On the Monitoring tab, you can perform simple and recursive tests against the server.
g. On the Security tab, you can define permissions on the DNS infrastructure.
Configure conditional forwarding
1. From the Conditional Forwarders node, you can configure conditional forwarding:
a. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
b. Click the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then
press Enter. Validation will fail because this is just an example configuration.
Clear the DNS cache
In the navigation pane, right-click LON-DC1, and then click Clear Cache.
Use Windows PowerShell to configure the DNS server role
1. Open Windows PowerShell and use the Get-DnsServer cmdlet to observe the various DNS settings in
Windows PowerShell. Pipe the output through more to see the output one page at a time.
2. Pipe the Get-DnsServer output into an Export-Clixml file named DNSExport.xml at the root
directory of drive C. Examine the file.
3. Use Add-DnsServerConditionalForwarderZone to create a conditional forwarder for the
Fabrikam.com zone with a server IP address of 131.107.5.6.
4. Use the DNS console to verify the Fabrikam.com conditional forwarder.
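The demonstration steps above, together with the central-forwarder design from the "What Is Forwarding?" topic, as one added script (example code, not the courseware's own). Fabrikam.com and 131.107.5.6 come from the steps; LON-DC1 is the lab server; the ISP forwarder address 131.107.0.1 is a constructed placeholder.

```powershell
# Added example: configure forwarding and a conditional forwarder, then verify both.
# Assumes the DnsServer module on the lab DNS server LON-DC1 (assumed name).
$ServerName = 'LON-DC1'

# 1. Snapshot the whole server configuration before changing anything (demonstration step 2).
Get-DnsServer -ComputerName $ServerName | Export-Clixml -Path 'C:\DNSExport.xml'

# 2. Central forwarder for Internet names. Disabling root-hint fallback means that if the
#    forwarder does not answer, the query fails rather than this server contacting the
#    Internet directly, which is the perimeter design the text describes.
#    131.107.0.1 is a constructed placeholder for the forwarder's address.
Set-DnsServerForwarder -ComputerName $ServerName -IPAddress '131.107.0.1' -UseRootHint $false

# 3. Conditional forwarder for the Fabrikam.com namespace (demonstration step 3).
Add-DnsServerConditionalForwarderZone -ComputerName $ServerName -Name 'Fabrikam.com' `
    -MasterServers '131.107.5.6'

# 4. Verify: conditional forwarders are listed as zones of type Forwarder.
Get-DnsServerZone -ComputerName $ServerName |
    Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, ZoneType, MasterServers

# 5. Verify the general forwarder and that root-hint fallback is off.
Get-DnsServerForwarder -ComputerName $ServerName | Select-Object IPAddress, UseRootHint, Timeout
```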
What Is DNS Round Robin?
A DNS zone can contain many records and different types of records. These records represent IP
addresses of a given host name, alias names, service locator, mail exchanger, and other specialized
records. Computers can have more than one IP address on separate network adapters, or several IP
addresses can be bound to the same adapter. In this case, the computer's host name will resolve not to
one IP address, but two or more, depending on how many IP addresses it has. Each of these addresses
should have a host resource record in the DNS forward lookup zone so they can be resolved.
DNS round robin functionality determines which IP addresses to return for a given name. This function
returns a list of all the IP addresses for a given name and then alternates IP addresses within the list for
every DNS query from a unique source. If a DNS server responded with a different IP address each time
to the same requester, the benefits of caching would be undermined, and it would be inefficient. For
example, if you have a number of Web servers that all have the same content and you want to load
balance the HTTP GET commands sent to them, you need to create an (A) resource record for each Web
server with the same name. For example, you could create the following:
www.contoso.com 60 IN A 172.16.0.11
www.contoso.com 60 IN A 172.16.0.120
www.contoso.com 60 IN A 172.16.0.133
When clients send name resolutions to the DNS server for www.contoso.com, the requests will be
returned as follows:
First request:
172.16.0.11
172.16.0.120
172.16.0.133
Second request:
172.16.0.120
172.16.0.133
172.16.0.11
Third request:
172.16.0.133
172.16.0.11
172.16.0.120
The requests continue to rotate through the list for all three addresses. Theoretically, every Web server will
receive one third of all requests, and that would load balance the three servers. You should be aware that
using DNS round robin to load balance requests cannot provide any fault tolerance. If one of the three
servers goes down, then approximately one third of the clients are sent to an IP address that will not
respond. Once it times out, these clients can then go to the next address on the list.
Using DNS round robin also returns lists of domain controllers for client authentication. When a user
attempts to sign in to a domain, the Local Security Authority Subsystem Service sends a name resolution
request for the service locator records to the preferred DNS server found in the TCP/IP properties of the
client. The DNS server searches through the service locator records and returns all of the domain
controllers' IP addresses found for that zone. This list uses a DNS round robin function similar to the
www.contoso.com address shown above. This is because it returns all of the multiple IP addresses for the
domain controllers in that domain and each subsequent request for the same list returns in a different
order.
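The www.contoso.com rotation described above, reproduced as an added example (not the courseware's own code): it creates the three A records, confirms the server-wide round robin setting, issues repeated queries to watch the order change, and then checks each address, because round robin does not remove a failed host from the rotation. LON-DC1 is assumed to host the contoso.com zone.

```powershell
# Added example: publish three A records for one name and observe DNS round robin.
# Assumes the DnsServer and DnsClient modules, and that LON-DC1 (assumed) hosts contoso.com.
# Record data (www, TTL 60, 172.16.0.11/.120/.133) is taken from the text.
$ServerName = 'LON-DC1'
$ZoneName   = 'contoso.com'
$Addresses  = '172.16.0.11', '172.16.0.120', '172.16.0.133'

# 1. Round robin is a server-wide setting; confirm it is enabled before relying on it.
$settings = Get-DnsServerSetting -ComputerName $ServerName -All
Write-Output ("Round robin enabled: {0}" -f $settings.RoundRobin)

# 2. One A record per web server, same owner name, 60-second TTL (matches the text's records).
foreach ($ip in $Addresses) {
    Add-DnsServerResourceRecordA -ComputerName $ServerName -ZoneName $ZoneName `
        -Name 'www' -IPv4Address $ip -TimeToLive (New-TimeSpan -Seconds 60)
}

# 3. Query the server three times. The local resolver cache is cleared before each query so
#    that every request really reaches the server; the address order rotates each time.
1..3 | ForEach-Object {
    Clear-DnsClientCache
    $answers = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $ServerName -DnsOnly
    "Query {0}: {1}" -f $_, (($answers | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')
}

# 4. Round robin is not health-aware: a host that is down still receives its share of clients
#    until they time out. Check each address yourself rather than trusting the rotation.
foreach ($ip in $Addresses) {
    $up = Test-NetConnection -ComputerName $ip -Port 80 -InformationLevel Quiet `
          -WarningAction SilentlyContinue
    "{0}: {1}" -f $ip, $(if ($up) { 'listening on port 80' } else { 'NOT responding, still in rotation' })
}
```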
Considerations for Deploying the DNS Server Role
When you plan to deploy DNS, you must review several considerations. Some of the questions that you
should ask include:
How many DNS zones will you configure on the server and how many DNS records will each zone
contain? Typically, zones map on a one-to-one basis with domains in your namespace. When you have a
large number of records, it might make more sense to split the records into multiple zones.
How many DNS clients will be communicating with the server on which you configure the DNS role? The
larger the number of client resolvers, the greater is the load placed on the server. When you anticipate
additional load, consider deploying additional DNS servers.
Where will you place DNS servers? For example, will you place the servers centrally, or does it make
more sense to locate DNS servers in branch offices? If there are few clients at a branch office, you
could satisfy most DNS requests by using a central DNS server or by implementing a caching-only
server. A branch office with a large number of users might benefit from a local DNS server with
appropriate zone data.
How you answer the preceding questions will determine how many DNS servers you must deploy and
where you should place them.
Active Directory Integration
The Windows Server 2012 DNS role can store the DNS database in two different ways, as the following
table shows.
Storage method: Text file
Description: The DNS server role stores DNS entries in a text file, which you can edit with a text editor.
Storage method: Active Directory
Description: The DNS server role stores DNS entries in an Active Directory database, which replicates to
other domain controllers even if they do not run the Windows Server 2012 DNS role. However, only those
domain controllers that you installed with the DNS server role can write updates to the DNS server
zones. You cannot use a text editor to edit DNS data that Active Directory-integrated zones store.
Active Directory-integrated DNS zones are easier to manage than traditional text-based zones and they
are more secure. The same Active Directory replication process transfers zone data.
DNS Server Placement
Typically, you will deploy the DNS role on all domain controllers. If you decide to implement some other
strategy, consider the following questions, and keep the answers in mind:
How will client computers resolve names if their usual DNS server becomes unavailable?
What will the impact on network traffic be if client computers start to use an alternate DNS server,
perhaps located remotely?
How will you implement zone transfers? Active Directory-integrated zones use Active Directory
replication to transfer the zone to all other domain controllers. If you implement zones without Active
Directory-integrated DNS, you must plan the zone transfer mechanism yourself.
Planning a DNS Namespace
When you begin planning your DNS namespace, you must consider both the internal and external
namespaces. The internal namespace is the one that internal clients and servers use within your private
network. The external namespace is the one by which your organization is referenced on the Internet.
There is no requirement that you should implement the same DNS domain name internally that you have
externally.
When you implement AD DS, you must use a DNS namespace for hosting AD DS records.
Note: Consider your options carefully before selecting a namespace design for AD DS.
Although it is possible to change a namespace after implementing AD DS, the process is time-
consuming, complex, and has many limitations.
To determine a DNS namespace for your AD DS environment, you can choose from the following
scenarios:
Make the internal namespace the same as the public namespace. In this scenario, the internal and
public namespaces are the same, but will have different records. Although this provides simplicity,
which makes it a suitable choice for smaller organizations, it can be difficult to manage for larger
networks. This is known as split DNS, which is covered in a subsequent topic in this lesson.
Make the internal namespace different from the public namespace. In this scenario, the internal and
public namespaces are completely different, with no link between them. This provides for obvious
separation in the namespace. In complex networks with many Internet-facing applications, use of a
different name introduces some clarity when configuring these applications. For example, edge
servers that are on a perimeter network often require multiple network interface cards, such as one
connected to the private network, and one servicing requests from the public network. If each
network interface card has a different domain name, it often is easier to complete the configuration
of that server.
Make the internal namespace a subdomain of the public namespace. In this scenario, the internal
namespace links to the public namespace, but there is no overlap between them. This provides a
hybrid approach. The internal name is different, which allows for separation of the namespace.
However, the internal name also is related to the public name, which provides simplicity. This
approach is the simplest to implement and manage. However, if you cannot use a subdomain of the
public namespace for AD DS, you should use unique namespaces.
Lesson 2
Configuring DNS Zones
DNS zones are an important concept in DNS infrastructures because they enable you to logically separate
and manage DNS domains. This lesson provides the foundation for understanding how zones relate to
DNS domains, and provides information about the different types of DNS zones that are available in the
Windows Server 2012 DNS role.
Lesson Objectives
After completing this lesson, you will be able to:
Describe DNS resource records.
Describe a DNS zone.
Describe the various DNS zone types that are available in Windows Server 2012.
Describe Active Directory-integrated zones.
Explain the purpose of forward and reverse lookup zones.
Explain the purpose of stub zones.
Explain how to create DNS zones.
Explain how you can use DNS zone delegation.
Describe split DNS.
DNS Resource Records
The DNS zone file stores resource records. Resource records specify a resource type and the IP address to
locate the resource. The most common resource record is an (A) resource record. This is a simple record
that resolves a host name to an IP address. The host can be a workstation, server, or another network
device, such as a router.
Resource records also help find resources for a particular domain. For instance, when a server that runs
Microsoft Exchange Server needs to find the server that is responsible for delivering mail for another
domain, it will request that domain's mail exchanger (MX) resource record, which points to the A record
of the host that is running the Simple Mail Transfer Protocol (SMTP) mail service.
Resource records also can contain custom attributes. MX records, for instance, have a preference attribute,
which is useful if an organization has multiple mail servers. This will inform the sending server which mail
server the receiving organization prefers. Service (SRV) resource records also contain information
regarding on which port a service is listening and the protocol that you should use to communicate with
the service.
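An added example (not from the courseware) that reads the two attributes just described, MX preference and SRV port/priority/weight, and then checks that every SRV target for the domain controllers has a host (A) record, a useful consistency check when clients cannot locate a DC. adatum.com is the lab domain; contoso.com is the text's example domain.

```powershell
# Added example: inspect MX preference and SRV attributes, then validate SRV targets.
# Assumes the DnsClient module (Windows 8 / Windows Server 2012 or later) and a resolver
# that can answer for the lab domain adatum.com (assumed) and contoso.com.
$AdDomain   = 'adatum.com'
$MailDomain = 'contoso.com'

# MX: the lowest preference value is the exchanger a sending server should try first.
Resolve-DnsName -Name $MailDomain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'MX' } |
    Sort-Object Preference |
    Select-Object Name, Preference, NameExchange, TTL |
    Format-Table -AutoSize

# SRV: the owner name encodes service and protocol (_ldap._tcp); the record data carries the
# host, port, priority and weight. This is the record AD DS clients use to find a domain controller.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
$dcRecords | Select-Object Name, NameTarget, Port, Priority, Weight, TTL | Format-Table -AutoSize

# Consistency check: each SRV target must itself resolve to an address, otherwise clients
# find the record but cannot reach the domain controller it names.
foreach ($srv in $dcRecords) {
    $a = Resolve-DnsName -Name $srv.NameTarget -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if ($a) {
        "{0} -> {1} (port {2})" -f $srv.NameTarget, ($a.IPAddress -join ', '), $srv.Port
    } else {
        Write-Warning ("SRV target {0} has no A record; clients cannot reach this DC." -f $srv.NameTarget)
    }
}
```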
The following table describes the most common resource records.
Start of authority (SOA) resource record: The record identifies the primary name server for a DNS zone,
in addition to other specifics, such as TTL and refresh.
Host (A) resource record: The main record that resolves a host name to an Internet Protocol version 4
(IPv4) address.
Canonical name record (CNAME) resource record: An alias record type that maps one name to another.
For example, www.microsoft.com is a CNAME of the A record microsoft.com.
Mail exchanger (MX) resource record: Use this record to specify an email server for a particular domain.
Service (SRV) resource record: The record identifies a service that is available in the domain. AD DS uses
these records extensively.
Name server (NS) resource record: The record identifies a name server for a domain.
IPv6 host (AAAA) resource record: The main record that resolves a host name to an Internet Protocol
version 6 (IPv6) address.
Pointer (PTR) resource record: Use this record to look up and map an IP address to a domain name. The
reverse lookup zone stores the names.
What Is a DNS Zone?
A DNS zone hosts all or a portion of a domain and its subdomains. The slide illustrates how subdomains
can belong to the same zone as their parents or can be delegated to another zone. The microsoft.com
domain is separated into two zones. The first zone hosts the www.microsoft.com and ftp.microsoft.com
records. Example.microsoft.com is delegated to a new zone, which hosts the example.microsoft.com
subdomain, and its records ftp.example.microsoft.com and www.example.microsoft.com.
Note: The zone that hosts a root of the domain (microsoft.com) must delegate the
subdomain (example.microsoft.com) to the second zone. If this does not occur,
example.microsoft.com will be treated as if it were part of the first zone.
Zone data can replicate to more than one server. This adds redundancy to a zone because the information
needed to find resources in the zone now exists on two or more servers. The required level of redundancy
is one reason to create zones. If you have a zone that hosts critical server resource records, it is likely that
this zone will have a higher level of redundancy than a zone in which noncritical devices are defined.
Characteristics of a DNS Zone
Zone data is maintained on a DNS server and is stored in one of two ways:
In a flat zone file that contains mapping lists.
Integrated into Active Directory.
A DNS server is authoritative for a zone if it hosts the resource records for the names and addresses that
the clients request in the zone file.
DNS Zone Types
The four DNS zone types are:
Primary
Secondary
Stub
Active Directory-integrated
Primary Zone
When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for
information about this zone, and the DNS server stores the master copy of zone data in a local file or in
AD DS. When the DNS server stores the zone in a file, the primary zone file is, by default, named
zone_name.dns, and it is located in the %windir%\System32\Dns folder on the server. When the zone is
not stored in AD DS, the DNS server that hosts the primary zone is the only DNS server that has a writable
copy of the zone file.
Secondary Zone
Secondary zones are read-only zones that receive their zone records data from another DNS server. When
a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone
information. The zone in this server must be obtained from another remote DNS server that also hosts the
zone. This DNS server must have network access to the remote DNS server to receive updated zone
information. Because a secondary zone is a copy of a primary zone that another server hosts, it cannot be
stored in AD DS. Secondary zones can be useful if you are replicating data from DNS zones that are not
on servers that run the Windows Server operating system, or if you run DNS on servers that are not
AD DS domain controllers.
Stub Zone
The Windows Server 2003 operating system introduced stub zones, which solve several problems with
large DNS namespaces and multiple tree forests. A multiple tree forest is an Active Directory forest that
contains two different TLD names. In the case of a two-tiered domain tree, we could delegate the DNS
zone of the child domain from the DNS zone of the parent. A delegation record is created in the parent,
and it will refer any name resolution requests for records in the child domain to the child domain's
delegated DNS servers.

However, what happens when there are several layers of parent/child domains in a tree? Given this
example, the child domain might have child domains of its own. It might also be beneficial for that child
domain to delegate DNS to its child domains just as its parent did for it. In this case, however, the top
parent domain is not aware of the domain names of its child's subdomains, and would refer all name
resolution to its child. You can create a stub zone in the top tree domain's DNS zone, which is the top
DNS parent. The stub zone that is created here contains only the start of authority (SOA), name server,
and that name server's resource records of the child's subdomains. This way, the parent can refer name
resolution directly to those sub-child domains' DNS servers. The child domain DNS servers replicate their
stub zone information back to the parent, or other DNS servers that host a stub zone, whenever those key
records change.
Active Directory-Integrated Zone
If AD DS stores the zone, DNS can take advantage of the multimaster replication model to replicate the
primary zone. This enables you to edit zone data on any DNS server. You can replicate Active Directory-
integrated zone data to domain controllers, even if you did not install the DNS role on the domain
controller. Windows Server 2008 introduced a concept called a read-only domain controller (RODC). You
can replicate AD DS objects, including DNS objects in an Active Directory-integrated zone, to an RODC
from writable domain controllers. However, a local process on the RODC cannot write directly to those
AD DS objects. There is additional information about Active Directory-integrated zones in the next topic.
What Are Active Directory-Integrated Zones?
A primary zone server is a single point of failure. If it goes down, because the secondary zone servers are
read-only, they can resolve names, but cannot store additional records or accept changes to records.
You can make a DNS zone fault-tolerant by integrating it into AD DS. Doing this makes the DNS zone an
AD DS-integrated zone. A DNS server can store zone data in the AD DS database if the DNS server is a
domain controller. When the DNS server stores zone data in this way, the records in the zone file are
stored as AD DS objects, and the various properties of these objects are considered AD DS attributes. All
domain controllers that host the DNS zone in the AD DS database are considered primary zone servers
for the zone, and they can accept changes to the DNS zone and then replicate those changes out to all
other domain controllers. Because it uses AD DS replication, each change is sent securely via encrypted
replication traffic. If a domain controller with an Active Directory-integrated DNS zone fails, as long as
there are other domain controllers with the Active Directory-integrated zone, DNS functionality for that
zone and the domain continue to operate correctly.
An Active Directory-integrated zone provides the following benefits:
Multimaster updates. Any writable domain controller to which the zone replicates can write to Active
Directory-integrated zones. This builds redundancy into the DNS infrastructure. In addition,
multimaster updates are particularly important in geographically distributed organizations that use
dynamic update zones, because clients can update their DNS records without having to connect to a
potentially geographically distant primary server.

Replication of DNS zone data by using AD DS replication. One of the characteristics of AD DS
replication is attribute-level replication in which only changed attributes replicate. An Active
Directory-integrated zone can take advantage of the benefits of AD DS replication, rather than
replicating the entire zone file as in traditional DNS zone transfer models.
Secure dynamic updates. An Active Directory-integrated zone can enforce secure dynamic updates.
Other (file-based) primary zones can either allow dynamic updates or have dynamic updates turned
off; however, they cannot accept dynamic updates securely.
Enhanced security. As with other Active Directory objects, an Active Directory-integrated zone allows
you to delegate administration of zones, domains, and resource records by modifying the access
control list on the zone.
Note: In most situations, computers within an AD DS domain have a primary DNS suffix
that matches the DNS domain name. Occasionally, you might require these names to differ, such
as following a merger or during an acquisition. When domain names differ, this is called a
disjoint namespace. A disjoint namespace scenario is one in which the primary DNS suffix of
a computer does not match the DNS domain name in which that computer resides. The
computer with the primary DNS suffix that does not match is disjoint.
Forward and Reverse Lookup Zones
Zones can be either forward or reverse. A reverse zone is sometimes known as an inverse zone.
Forward Lookup Zone
The forward lookup zone resolves host names to IP addresses and hosts the common resource records: A,
CNAME, SRV, MX, SOA, TXT, and NS. This zone type must exist for a DNS zone to be considered
authoritative. Client computers send host names or fully qualified domain names (FQDNs) of the DNS
server's domain to the DNS server. The DNS server uses the FQDN to look up a corresponding IP address
or to find any resource record type that the client prescribes, such as a domain controller's SRV records.
The DNS server returns the IP address or addresses to the client in the DNS response.
Reverse Lookup Zone
The reverse lookup zone resolves an IP address to a domain name, and hosts start of authority (SOA),
name server (NS), and pointer (PTR) resource records. A reverse zone functions in the same manner as a
forward zone, but the IP address is the query, and the host name is the returned information.
Reverse zones are not always configured, but you should configure them to reduce warning and error
messages. Many standard Internet protocols rely on reverse zone lookup data to validate forward zone
information. For example, if the forward lookup indicates that training.contoso.com resolves to
192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with
training.contoso.com.
Having a reverse zone is important if you have applications that rely on looking up hosts by their IP
addresses. Many applications will log this information in security or event logs. If you see suspicious
activity from a particular IP address, you can resolve the host by using the reverse zone information. Many

email security gateways use reverse lookups to validate that the IP address that is sending messages is
associated with a domain.
Overview of Stub Zones
A stub zone is a replicated copy of a zone that contains only those resource records necessary to identify
that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces.
For example, this might be necessary when a corporate merger requires that the DNS servers for two
separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of the following:
The delegated zone's start of authority (SOA) resource record, NS resource records, and A resource
records.
The IP address of one or more master servers that you can use to update a stub zone.
The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone,
usually the DNS server that hosts the primary zone for the delegated domain name.
Stub Zone Resolution
When a DNS resolver performs a recursive query operation on a DNS server that is hosting a stub zone,
the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an
iterative query to the authoritative DNS servers that the stub zone's NS resource records specify as if it
were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in
its stub zone, the DNS server that is hosting the stub zone attempts standard recursion by using root
hints.
The DNS server will store the resource records it receives from the authoritative DNS servers that a stub
zone lists in its cache, but it will not store these resource records in the stub zone itself. Only the start of
authority (SOA), NS record, and glue A resource records returned in response to the query are stored in
the stub zone. The resource records that the cache stores are cached according to the TTL value in each
resource record. The start of authority (SOA), NS record, and glue A resource records, which are not
written to cache, expire according to the expire interval that the stub zone's start of authority (SOA)
resource record specifies. During the stub zone's creation, the start of authority (SOA) resource record is
created. Start of authority (SOA) resource record updates occur during transfers to the stub zone from the
original, primary zone. If the query was an iterative query, the DNS server returns a referral containing the
servers that the stub zone specifies.
Communication Between DNS Servers That Host Parent and Child Zones
A DNS server that delegates a domain to a child zone on a different DNS server is made aware of new
authoritative DNS servers for the child zone only when resource records for them are added to the parent
zone that the DNS server hosts. This is a manual process that requires administrators for the different DNS
servers to communicate often. Stub zones enable a DNS server that hosts a stub zone for one of its
delegated domains to obtain updates of the authoritative DNS servers for the child zone when the stub
zone updates. The update is performed from the DNS server that hosts the stub zone, and the
administrator for the DNS server that hosts the child zone does not need to be contacted.

Contrasting Stub Zones and Conditional Forwarders
There might be some confusion about when to use conditional forwarders rather than stub zones. This is
because both DNS features allow a DNS server to respond to a query with a referral for, or by forwarding
to, a different DNS server. However, these settings have different purposes:
A conditional forwarder setting configures the DNS server to forward a query that it receives to a DNS
server, depending on the DNS name that the query contains.
A stub zone keeps the DNS server that hosts a parent zone aware of all the DNS servers that are
authoritative for a child zone.
When to Use Conditional Forwarders
If you want DNS clients on separate networks to resolve the names of each other without having to query
Internet DNS servers, such as when a company merger occurs, you should configure each network's DNS
servers to forward queries for names in the other network. DNS servers in one network will forward names
for clients in the other network to a specific DNS server, which builds a large information cache about the
other network. This allows you to create a direct point of contact between two networks' DNS servers,
which reduces the need for recursion.
Stub zones do not provide the same server-to-server benefit, however. This is because a DNS server that
hosts a stub zone in one network replies to queries for names in the other network with a list of all
authoritative DNS servers for the zone with that name, rather than the specific DNS servers that you
designated to handle this traffic. This configuration complicates any security settings that you want to
establish between specific DNS servers that run in each of the networks.
When to Use Stub Zones
Use stub zones when you want a DNS server to remain aware of the authoritative DNS servers for a
foreign zone. A conditional forwarder is not an efficient way to keep a DNS server that hosts a parent
zone aware of the authoritative DNS servers for a child zone. This is because whenever the authoritative
DNS servers for the child zone change, you have to configure the conditional forwarder setting manually
on the DNS server that hosts the parent zone. Specifically, you must update the IP address for each new
authoritative DNS server for the child zone.
Demonstration: Creating Zones
This demonstration shows how to:
Create a reverse lookup zone.
Create a forward lookup zone.
Demonstration Steps
Create a reverse lookup zone
1. Switch to LON-DC1, and then create a new reverse lookup zone for the 172.16.0.0 IPv4 subnet.
2. Enable dynamic updates on the zone.
3. Re-register LON-DC1 by using the ipconfig /registerdns command.
Create a forward lookup zone
1. Switch to LON-SVR1, and then open the DNS console.
2. Create a new forward lookup zone.
3. Configure the type as secondary, and then define LON-DC1 as the master server for this zone.
Create a forward lookup zone with Windows PowerShell
1. In Windows PowerShell, run the cmdlet Add-DnsServerPrimaryZone -Name woodgrovebank.com
-DynamicUpdate Secure -ReplicationScope Domain.
2. In the DNS console, verify that the woodgrovebank.com forward lookup zone appears with the
appropriate settings.
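The reverse lookup zone from the demonstration, created with the DnsServer cmdlets instead of the console, followed by the forward-confirmed reverse check that the Reverse Lookup Zone topic describes (resolve the name, then confirm each address points back to that name). This is an added example, not course code; Test-ForwardConfirmedReverse is a hypothetical helper name and lon-dc1.adatum.com is a constructed host name.

```powershell
# Added example, not from the course. Run in an elevated Windows PowerShell
# session on LON-DC1; the host name checked at the end is constructed.

# Demonstration steps 1 and 2: reverse lookup zone for 172.16.0.0/16, stored in
# AD DS and accepting secure dynamic updates only, so that only the computer
# account that registered a PTR record can overwrite it later.
Add-DnsServerPrimaryZone -NetworkId "172.16.0.0/16" `
    -ReplicationScope Domain -DynamicUpdate Secure

# Demonstration step 3 without leaving PowerShell (same effect as
# ipconfig /registerdns): re-register this host's A and PTR records.
Register-DnsClient

function Test-ForwardConfirmedReverse {
    # Resolve HostName to its A records, resolve each address back to its PTR
    # record, and report whether the PTR target matches the original name.
    # Missing or mismatched PTR records are what log correlation and mail
    # gateways stumble over, so every row is returned for review.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$Server                       # optional: DNS server to query
    )
    $query = @{ ErrorAction = "SilentlyContinue" }
    if ($Server) { $query["Server"] = $Server }

    $name = $HostName.TrimEnd(".")
    $aRecords = Resolve-DnsName -Name $name -Type A @query | Where-Object Type -eq "A"
    if (-not $aRecords) {
        return [pscustomobject]@{
            HostName = $name; IPAddress = $null; PtrTarget = $null; Confirmed = $false
        }
    }
    foreach ($a in $aRecords) {
        # Resolve-DnsName converts the address to its in-addr.arpa name itself.
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR @query |
               Where-Object Type -eq "PTR"
        $targets = @($ptr | ForEach-Object { $_.NameHost.TrimEnd(".") })
        [pscustomobject]@{
            HostName  = $name
            IPAddress = $a.IPAddress
            PtrTarget = ($targets -join ", ")
            Confirmed = ($targets -contains $name)   # -contains is case-insensitive
        }
    }
}

# Check the host just registered; Confirmed should read True once its PTR
# record has been written to the new reverse zone.
Test-ForwardConfirmedReverse -HostName "lon-dc1.adatum.com" | Format-Table -AutoSize
```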
DNS Zone Delegation
DNS is a hierarchical system, and zone delegation connects the DNS layers together. A zone delegation
points to the next hierarchical level down and then identifies the name servers that are responsible for
the lower-level domain.
When deciding whether to divide a DNS namespace to make additional zones, consider the following
scenarios in which you might use additional zones:
You need to delegate management of a part of the DNS namespace to another organizational location
or department.
You need to divide one large zone into smaller zones so you can distribute traffic loads among
multiple servers. This improves DNS name-resolution performance, and it creates a more fault-
tolerant DNS environment.
You need to extend the namespace by adding numerous subdomains immediately to accommodate
the opening of a new branch or site.
Zone delegation works much the same way that a TLD works with a secondary level domain. The .com
DNS servers refer all requests for Microsoft.com zone name resolution to the DNS servers at Microsoft. In
this way, you delegate the Microsoft DNS zone from the .com zone. In a scenario where Microsoft has a
very vigorous Sales department with numerous computers and other devices with IP addresses, it would
make sense to create a zone named Sales.Microsoft.com to handle the extensive DNS workload for the
Sales department.
To create a delegation, the administrator right-clicks the Microsoft.com forward lookup zone and selects
the New Delegation item, which starts the New Delegation Wizard. The wizard walks the administrator
through the steps to delegate authority for a subdomain to a different zone, either on the current DNS
server or on another DNS server.
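The delegation created by the wizard above, together with the stub zone and conditional forwarder contrasted in the earlier topics, expressed with the DnsServer module cmdlets. This is an added example, not course material; the zone names, server names and addresses (contoso.com, sales.contoso.com, fabrikam.com, 10.0.1.10, 10.0.1.11, 192.0.2.53) are constructed.

```powershell
# Added example, not from the course. All names and addresses are constructed.
# Run in an elevated Windows PowerShell session on a Windows Server 2012 DNS
# server that already hosts the contoso.com primary zone.

# 1. Delegate the sales subdomain to its own name server. This is what the
#    New Delegation Wizard writes: NS records for sales inside contoso.com plus
#    a glue A record for the child name server.
Add-DnsServerZoneDelegation -Name "contoso.com" -ChildZoneName "sales" `
    -NameServer "ns1.sales.contoso.com" -IPAddress 10.0.1.10

# 2. Stub zone: keep this server aware of every server that is authoritative
#    for the child. It stores only SOA, NS and glue A records and refreshes
#    them from the master servers, so NS changes in the child reach the parent
#    without an administrator editing the delegation by hand.
Add-DnsServerStubZone -Name "sales.contoso.com" `
    -MasterServers 10.0.1.10, 10.0.1.11 `
    -ReplicationScope Domain        # stored in AD DS; use -ZoneFile for a file

# Show what the stub actually holds; expect only SOA, NS and A (glue) records.
Get-DnsServerResourceRecord -ZoneName "sales.contoso.com" |
    Format-Table HostName, RecordType -AutoSize

# 3. Conditional forwarder: queries for a foreign namespace (a merger partner)
#    go to exactly the server listed. This server never learns the partner's
#    full NS set, which keeps the server-to-server path predictable and easy
#    to constrain at the firewall.
Add-DnsServerConditionalForwarderZone -Name "fabrikam.com" `
    -MasterServers 192.0.2.53 -ReplicationScope Domain

# 4. Compare how the server types the three zones (Primary, Stub, Forwarder).
"contoso.com", "sales.contoso.com", "fabrikam.com" |
    ForEach-Object { Get-DnsServerZone -Name $_ } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated -AutoSize
```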

What Is Split DNS?
Using the same namespace internally and externally simplifies resource access from the perspective of
users, but it also increases management complexity. You should not make internal DNS records available
externally, but some synchronization of records for external resources is typically required. For example,
both your internal and external namespaces might use the name Contoso.com.
Using unique namespaces for internal and public namespaces provides a clear delineation between
internal and external DNS, and it eliminates the need to synchronize records between the namespaces.
However, in some cases, having multiple namespaces might lead to user confusion. For example, you
might choose the external namespace of Contoso.com and the internal namespace of Contoso.local. Note
that when you implement a unique namespace configuration, you are no longer tied to using registered
domain names.
Using a subdomain of the public namespace for AD DS avoids the need to synchronize records between
internal and external DNS servers. Because the namespaces are linked, users typically find this structure
easy to understand. For example, if your public namespace is Contoso.com, you might choose to
implement your internal namespace as the subdomain AD, or AD.Contoso.com.
Considering Split DNS
As we have seen, having a matching internal and external DNS namespace can pose certain problems.
However, split DNS can provide a solution to these problems. Split DNS is a configuration in which your
domain has two root-server zones that contain domain-name registration information. Your internal
network hosts are directed to one zone, while external hosts are directed to another for name resolution.
For example, in a nonsplit DNS configuration for the domain Contoso.com, you might have a DNS zone
that looks like the example in the following table.
Host Record type IP address
www A 131.107.1.200
Relay A 131.107.1.201
Webserver1 A 192.168.1.200
Exchange1 A 192.168.0.201
When a client computer on the Internet wants to access the SMTP relay by using the published name of
relay.contoso.com, it queries the DNS server that returns the result 131.107.1.201. The client then
establishes a connection over SMTP to that IP address.
However, client computers on the corporate intranet also use the published name of relay.contoso.com.
The DNS server returns the same result: a public IP address of 131.107.1.201. The client now attempts to
establish a connection to the returned IP address by using the external interface of the publishing
computer. Depending on the client configuration, this might not be successful. By configuring two zones
for the same domain name, one on each of the two DNS servers, you can avoid this problem.

The internal zone for adatum.com would resemble the information in the following table.
Host Record type IP address
www CNAME Webserver1.contoso.com
Relay CNAME Exchange1.contoso.com
Webserver1 A 192.168.1.200
Exchange1 A 192.168.0.201
The external zone for adatum.com would resemble the information in the following table.
Host Record type IP address
www A 131.107.1.200
Relay A 131.107.1.201
MX Relay.contoso.com
Now, client computers in the internal and external networks can resolve the name relay.contoso.com to
the appropriate internal or external IP address.
In organizations that use Active Directory-integrated DNS zones, Internet users and server functions
outside the firewall must not use the internal Active Directory-integrated DNS servers to resolve any
names. These requests must be confined to the external, non-Active Directory-integrated DNS server
residing on the perimeter network. This server is a primary zone server, and therefore considers itself
authoritative for the same domain name that is being used internally. Therefore, no iterative queries are
ever sent beyond this point. If a name is not found in this primary zone, the authoritative external DNS
server declares the name invalid and not resolvable. On the internal Active Directory-integrated DNS
servers, queries for Internet domain names outside the firewall are forwarded to the external DNS server
in the perimeter network. You can make a firewall rule on the inside firewall that only allows the internal
and external DNS servers to exchange User Datagram Protocol (UDP) port 53 packets between
themselves. The firewall rule will block all other UDP port 53 packets.
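The two zones from the tables above built with the DnsServer cmdlets, plus the forwarding that sends Internet names from the internal server to the perimeter server. This is an added example, not course code; the record data comes from the tables, while the server addresses 192.168.0.10 (internal) and 131.107.1.53 (perimeter) are constructed.

```powershell
# Added example, not from the course. Record data is taken from the split DNS
# tables; the two DNS server addresses (192.168.0.10, 131.107.1.53) are constructed.

# ---- Internal DNS server (a domain controller, 192.168.0.10) ----
# AD DS-integrated zone; internal hosts get the private addresses.
Add-DnsServerPrimaryZone -Name "contoso.com" -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerResourceRecordA     -ZoneName "contoso.com" -Name "Webserver1" -IPv4Address 192.168.1.200
Add-DnsServerResourceRecordA     -ZoneName "contoso.com" -Name "Exchange1"  -IPv4Address 192.168.0.201
Add-DnsServerResourceRecordCName -ZoneName "contoso.com" -Name "www"   -HostNameAlias "Webserver1.contoso.com"
Add-DnsServerResourceRecordCName -ZoneName "contoso.com" -Name "Relay" -HostNameAlias "Exchange1.contoso.com"

# Names outside the internal zone go only to the perimeter server. Root hints
# are disabled so no internal server iterates to the Internet on its own,
# which is what makes the "UDP 53 only between the two servers" firewall rule
# in the text workable.
Set-DnsServerForwarder -IPAddress 131.107.1.53 -UseRootHint $false

# ---- External (perimeter) DNS server, 131.107.1.53 ----
# File-backed primary zone on a non-domain member; no AD DS objects leave the
# firewall and the zone never accepts dynamic updates.
Add-DnsServerPrimaryZone -Name "contoso.com" -ZoneFile "contoso.com.dns" -DynamicUpdate None
Add-DnsServerResourceRecordA  -ZoneName "contoso.com" -Name "www"   -IPv4Address 131.107.1.200
Add-DnsServerResourceRecordA  -ZoneName "contoso.com" -Name "Relay" -IPv4Address 131.107.1.201
Add-DnsServerResourceRecordMX -ZoneName "contoso.com" -Name "." -MailExchange "Relay.contoso.com" -Preference 10
# Nothing outside needs a copy of this zone, so refuse zone transfers outright.
Set-DnsServerPrimaryZone -Name "contoso.com" -SecureSecondaries NoTransfer

# ---- Verification: the same name, two answers ----
# Expect 192.168.0.201 (through the CNAME) from the internal server and
# 131.107.1.201 from the perimeter server.
Resolve-DnsName -Name "relay.contoso.com" -Server 192.168.0.10 | Format-Table Name, Type, IPAddress
Resolve-DnsName -Name "relay.contoso.com" -Server 131.107.1.53 | Format-Table Name, Type, IPAddress
```

The internal and external parts run on their respective servers; the verification runs from any host that can reach both.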
Lesson 3
Configuring DNS Zone Transfers
DNS zone transfers determine how the DNS infrastructure moves DNS zone information from one server
to another. Without zone transfers, the various name servers in your organization maintain disparate
copies of zone data. You also should consider that the zone contains sensitive data, and securing zone
transfers is important. This lesson covers the different methods that the DNS server role uses when
transferring zones.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how DNS zone transfers work.
Explain how to configure zone transfer security.
Configure DNS zone transfers.
What Is a DNS Zone Transfer?
A zone transfer occurs when you replicate the DNS zone that is on one server to another DNS server.
Zone transfers synchronize primary and secondary DNS server zones. This is how DNS builds its resilience
on the Internet. DNS zones must remain updated on primary and secondary servers. Discrepancies in
primary and secondary zones can cause service outages and host names that resolve incorrectly.
Zone transfers can happen in one of three ways:
Full zone transfer. A full zone transfer (AXFR) occurs when you copy the entire zone from one DNS
server to another. A full zone transfer is also called an All Zone Transfer.
Incremental zone transfer. An incremental zone transfer (IXFR) occurs when there is an update to the
DNS server and only the resource records that were changed replicate to the other server.
Fast transfer. Windows DNS servers also perform fast transfers, which is a type of zone transfer that
uses compression and sends multiple resource records in each transmission.
Not all DNS server implementations support IXFR and fast zone transfers. When integrating a Windows
Server 2012 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must ensure that
the features you need are supported by the BIND version that is installed. BIND servers are common on
UNIX-based networks. You might encounter BIND servers when setting up zone transfers with your ISP.
The following table lists the features that various DNS servers support.
DNS server                                        Full zone    IXFR           Fast transfer
BIND older than 4.9.4                             Supported    Not supported  Not supported
BIND 4.9.4 to 8.1                                 Supported    Not supported  Supported
BIND 8.2                                          Supported    Supported      Supported
Microsoft Windows 2000 Server Service Pack 3      Supported    Supported      Supported
Windows Server 2003 R2                            Supported    Supported      Supported
Windows Server 2008 and Windows Server 2008 R2    Supported    Supported      Supported
Windows Server 2012                               Supported    Supported      Supported
Active Directory-integrated zones replicate by using multimaster AD DS replication instead of the zone
transfer process. This means that any standard domain controller that also holds the DNS role can update
the DNS zone information, which then replicates to all DNS servers that host the DNS zone.
DNS Notify
A master server uses DNS Notify to alert its configured secondary servers that zone updates are available.
The secondary servers then petition their master to obtain the updates. DNS Notify is an update to the
original DNS protocol specification that permits notification to secondary servers when zone changes
occur. This is useful in a time-sensitive environment where data accuracy is important.
Configuring Zone Transfer Security
Zone information provides organizational data, so you should take precautions to ensure that you
protect it from hackers, and that it cannot be overwritten with bad data, a process that is called DNS
poisoning. One way to protect the DNS infrastructure is to secure the zone transfers.
On the Zone Transfers tab in the Zone Properties dialog box of a zone, which you open by right-clicking
a zone name and selecting Properties, you can specify the list of allowed DNS servers. You also can use
these options to disallow zone transfers. By default, zone transfers are turned off.
Although the option that specifies the servers that might request zone data provides security by limiting
the data recipients, it does not secure that data during transmissions. If the zone information is highly
confidential, we recommend that you use an Internet Protocol security (IPsec) policy to secure the
transmission or replicate the zone data over a virtual private network (VPN) tunnel. This prevents packet
sniffing to determine information in the data transmission.
Using Active Directory-integrated zones replicates the zone data as part of normal AD DS replication.
The zone transfer is then secured as a part of AD DS replication.
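An added check, not from the course: list every administrator-created primary zone on the server with its current zone transfer setting, flag the ones that still hand the zone to any requester, and restrict those to an explicit secondary list. Get-ZoneTransferExposure is a hypothetical helper name and 172.16.0.21 is the secondary used in the demonstration that follows.

```powershell
# Added example, not from the course. Run in an elevated Windows PowerShell
# session on the DNS server being audited.

function Get-ZoneTransferExposure {
    # One row per administrator-created primary zone. SecureSecondaries is the
    # value behind the Zone Transfers tab:
    #   NoTransfer               - zone transfers turned off (the default)
    #   TransferAnyServer        - "To any server": anyone may pull the zone
    #   TransferToZoneNameServer - "Only to servers listed on the Name Servers tab"
    #   TransferToSecureServers  - "Only to the following servers" (explicit list)
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq "Primary" -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                IsDsIntegrated    = $_.IsDsIntegrated
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ", ")
                Notify            = $_.Notify
                # An any-server transfer gives the whole zone (internal host
                # names, addresses, SRV records) to whoever asks for it.
                Exposed           = ($_.SecureSecondaries -eq "TransferAnyServer")
            }
        }
}

# Review first ...
Get-ZoneTransferExposure | Format-Table -AutoSize

# ... then restrict every exposed zone to an explicit list of secondaries and
# notify only those servers. -Confirm prompts before each zone is changed.
Get-ZoneTransferExposure | Where-Object Exposed | ForEach-Object {
    Set-DnsServerPrimaryZone -Name $_.ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers 172.16.0.21 `
        -Notify NotifyServers -NotifyServers 172.16.0.21 -Confirm
}
```

Limiting recipients does not protect the transfer on the wire; the IPsec or VPN measures above still apply to the listed secondaries.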

Demonstration: Configuring DNS Zone Transfers
This demonstration shows you how to:
Enable DNS zone transfers.
Update the secondary zone from the master server.
Update the primary zone, and then verify the change on the secondary zone.
Demonstration Steps
Enable DNS zone transfers
1. On LON-DC1, enable zone transfers by configuring the Allow zone transfers option.
2. Configure zone transfers to Only to servers listed on the Name Servers tab.
3. Enable Notify to Servers listed on the Name Servers tab.
4. Add LON-SVR1.adatum.com as a listed name server to receive transfers.
To use Windows PowerShell for the same actions above:
In the Windows PowerShell Administrator console, on LON-DC1, use the following cmdlet:
o Set-DnsServerPrimaryZone -Name "adatum.com" -Notify Notify -SecondaryServers
172.16.0.21 -SecureSecondaries TransferToSecureServers
Update the secondary zone from the master server
1. Switch to LON-SVR1, and then in the DNS Manager, select Transfer from Master. It is sometimes
necessary to perform this step a number of times before the zone transfers. Also, note that the
transfer might occur automatically at any time.
2. Windows PowerShell equivalent: Add-DnsServerSecondaryZone -Name "Adatum.com" -ZoneFile
"Adatum.com.dns" -MasterServers 172.16.0.10.
Update the primary zone, and then verify the change on the secondary zone
1. Switch back to LON-DC1, and then create a new alias record.
2. Switch back to LON-SVR1, and then verify that the new record is present in the secondary zone. This
might require a manual Transfer from Master and a screen refresh before the record displays.
Lesson 4
Managing and troubleshooting DNS
DNS is a crucial service in the Active Directory infrastructure. When the DNS service experiences problems,
it is important to know how to troubleshoot them and identify the common issues that can occur in a
DNS infrastructure. This lesson covers the common problems that occur in DNS, the common areas from
which you can gather DNS information, and the tools that you can use to troubleshoot problems.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how TTL, aging, and scavenging help you manage DNS records.
Manage TTL, aging, and scavenging for DNS records.
Explain how to test DNS Server Configuration by using DNS tools.
Explain how to monitor DNS by using DNS Event Log, debug logging, and Windows PowerShell.
TTL, Aging, and Scavenging
TTL, aging, and scavenging help manage DNS resource records in the zone files. Zone files can change
over time, so there needs to be a way to manage DNS records that are updated or that are not valid
because the hosts they represent are no longer on a network.
The following table describes the DNS tools that help to maintain a DNS database.
Tool Description
TTL Indicates how long a DNS record remains valid and in the DNS cache.
Aging Occurs when records that were inserted into a DNS server reach their
expiration and are removed. This keeps the zone database accurate. During
normal operations, aging should take care of stale DNS resource records.
Scavenging Performs DNS server resource record grooming for old records in DNS. If
resource records have not been aged, an administrator can scavenge the
zone database for stale records to force a database cleanup.
If left unmanaged, the presence of stale resource records in zone data might cause problems. For
example:
If a large number of stale resource records remain in server zones, they eventually can use up server
disk space and cause unnecessarily long zone transfers.
A DNS server that loads zones with stale resource records might use outdated information to answer
client queries, which could cause the client computers to experience name resolution or connectivity
problems on the network.

The accumulation of stale resource records on a DNS server might degrade its performance and
responsiveness.
In some cases, the presence of a stale resource record in a zone could prevent another computer or
host device from using a DNS domain name.
The DNS server service can resolve these problems by doing the following:
• Time stamping, based on the current date and time that is set at the server computer, for any resource records that are added dynamically to primary-type zones. Additionally, time stamps are recorded in standard primary zones where you enable aging and scavenging. For resource records that you add manually, you use a time stamp value of zero to indicate that the aging process does not affect these records and that they can remain without limitation in zone data unless you otherwise change their time stamp or delete them.
• Aging of resource records in local data, based on a specified refresh period, for any eligible zones. Only primary-type zones that the DNS server service loads are eligible to participate in this process.
• Scavenging for any resource records that persist beyond the specified refresh period.
When a DNS server performs a scavenging operation, it can determine that resource records have aged to
the point of becoming stale, and it then can remove them from zone data. You can configure servers to
perform recurring scavenging operations automatically, or you can initiate an immediate scavenging
operation at the server.
Note: By default, the aging and scavenging mechanism for the DNS server service is
disabled. You should enable it only when you understand all parameters fully. Otherwise, you
could configure the server to delete records accidentally that you should not delete. If a record is
deleted accidentally, not only will users fail to resolve queries for that record, but also, any user
can create the record and take ownership of it, even on zones that you configure for secure
dynamic update. This is a significant security risk.
To determine when it scavenges a given resource record, a server uses that record's time stamp together with the other aging and scavenging properties that you can adjust or configure.
Prerequisites for Aging and Scavenging
Before you can use the aging and scavenging features of DNS, you must ensure that the following
prerequisites are satisfied:
• You must enable scavenging and aging at the DNS server and on the zone. Aging and scavenging of resource records is disabled by default.
• You must add resource records to zones dynamically or manually modify them for use in aging and scavenging operations.
Typically, only those resource records that you add dynamically by using the DNS dynamic update
protocol are subject to aging and scavenging. For records that you add to zones by loading a text-based
zone file from another DNS server or by manually adding them to a zone, a time stamp of zero is set. This
makes these records ineligible for use in aging and scavenging operations.
To change this default, you can administer these records individually to reset and permit them to use a
current, or nonzero, time stamp value. This enables these records to become aged and scavenged.
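The following script is an added example for this topic and is not part of the course. Before you enable aging and scavenging, it reports which records in a zone would be removed, so that a name you still need is not deleted and left open for another client to register; it uses the DnsServer cmdlets, and the zone name Adatum.com is the lab's.

```powershell
$ZoneName = "Adatum.com"   # the lab zone; change for your environment

# Both switches must be on before anything is removed: ScavengingState on the
# server and AgingEnabled on the zone.
$server = Get-DnsServerScavenging
$zone   = Get-DnsServerZoneAging -Name $ZoneName

# A dynamic record becomes a scavenging candidate once its time stamp is older
# than NoRefreshInterval + RefreshInterval. Static records (added manually or
# loaded from a zone file) carry no time stamp and are never touched.
$staleBefore = (Get-Date) - ($zone.NoRefreshInterval + $zone.RefreshInterval)

$records = @(Get-DnsServerResourceRecord -ZoneName $ZoneName)
$static  = @($records | Where-Object { -not $_.Timestamp })
$stale   = @($records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $staleBefore })

[pscustomobject]@{
    Zone              = $ZoneName
    ServerScavenging  = $server.ScavengingState
    ZoneAging         = $zone.AgingEnabled
    NoRefreshInterval = $zone.NoRefreshInterval
    RefreshInterval   = $zone.RefreshInterval
    StaleIfOlderThan  = $staleBefore
    StaticRecords     = $static.Count
    DynamicRecords    = $records.Count - $static.Count
    WouldBeScavenged  = $stale.Count
} | Format-List

# Review the candidates. A name that must not be re-registered by an arbitrary
# client (see the note above) should be recreated as a static record, or have
# its time stamp cleared, before scavenging is enabled.
$stale | Sort-Object Timestamp |
    Select-Object HostName, RecordType, Timestamp |
    Format-Table -AutoSize

# Only after the review, enable aging on the zone and scavenging on the server
# (the demonstration in this lesson uses the default 7-day intervals):
# Set-DnsServerZoneAging -Name $ZoneName -Aging $true
# Set-DnsServerScavenging -ScavengingState $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
```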
Demonstration: Managing DNS Records
This demonstration shows how to:
• Configure TTL.
• Enable and configure scavenging and aging.
Demonstration Steps
Configure TTL
1. Switch to LON-DC1, and then open the Adatum.com zone properties.
2. On the Start of Authority (SOA) tab, configure the Minimum (default) TTL value to be 2 hours.
Enable and configure scavenging and aging
1. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure
aging and scavenging options.
2. Enable Scavenge stale resource records, and then use the default values.
Windows PowerShell equivalent:
1. Set-DnsServerScavenging -ScavengingState $true -RefreshInterval 7.00:00:00 -Verbose -PassThru
2. Set-DnsServerZoneAging adatum.com -Aging $true -PassThru -Verbose
Demonstration: Testing the DNS Server Configuration
Issues can occur when you do not configure the DNS server, its zones, and its resource records properly.
When resource records cause issues, it can sometimes be more difficult to identify the issue because
configuration problems are not always obvious.
The following table lists possible configuration issues that can cause DNS problems.
Issue Result
Missing records. Records for a host are not on the DNS server. They might have been scavenged prematurely. This can result in workstations not being able to connect with each other.
Incomplete records. Records that are missing the information required to locate the resource they represent can cause clients requesting the resource to use invalid information. For example, a service record that does not contain a needed port address is an incomplete record.
Incorrectly configured records. Records that point to an invalid IP address or have invalid information in their configuration will cause problems when DNS clients try to find resources.
The tools you can use to troubleshoot these and other configuration issues are:
• Nslookup. Use this tool to query DNS information. The tool is flexible, and it can provide valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. Additionally, you can test zone transfers, security options, and MX record resolution.
Note: You can use the Windows PowerShell cmdlet Resolve-DnsName to perform similar functions to Nslookup when troubleshooting DNS.
• Windows PowerShell. You can use Windows PowerShell cmdlets to configure and troubleshoot various DNS aspects.
• Dnscmd. Manage the DNS server service with this command-line interface. This utility is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup tasks and the configuration of new DNS servers on your network.
• IPconfig. Use this command to view and modify IP configuration details that the computer uses. This utility includes additional command-line options that you can use to troubleshoot and support DNS clients. You can view the client local DNS cache by using the command ipconfig /displaydns, and you can clear the local cache by using ipconfig /flushdns.
Note: You can also use the following Windows PowerShell cmdlets:
o Clear-DnsClientCache deletes the DNS resolver cache.
o Get-DnsClientCache displays the resolver cache.
• Monitoring tab on DNS server. In the DNS server Monitoring tab, you can configure a test that allows the DNS server to determine whether it can resolve simple local queries and perform a recursive query to ensure that the server can communicate with upstream servers. You also can schedule these tests for regular intervals.
These are basic tests, but they provide a good place to start troubleshooting the DNS service. Possible causes for a test to fail include:
o The DNS server service has failed.
o The upstream server is not available on the network.
This demonstration shows how to use Nslookup.exe to test the DNS server configuration.
Demonstration Steps
1. Open a command prompt, and then run the following command:
nslookup -d2 LON-DC1.Adatum.com
2. Review the information provided by Nslookup.
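The following script is an added example and is not part of the course. It uses Resolve-DnsName to check a zone for the three problems in the table above (missing, incomplete, and incorrectly configured records); the expected-record list is constructed from the lab's LON-DC1, Mail1 and Lync-svr1 records, and the server address 172.16.0.10 is the lab's LON-DC1.

```powershell
$DnsServer = "172.16.0.10"   # LON-DC1 in the lab; change for your server

# Records we expect the server to answer for (constructed for this example).
# For SRV records, a missing target or a port of 0 counts as "incomplete".
$Expected = @(
    @{ Name = "LON-DC1.Adatum.com";              Type = "A";   Value = "172.16.0.10" },
    @{ Name = "Mail1.Adatum.com";                Type = "A";   Value = "172.16.0.250" },
    @{ Name = "Adatum.com";                      Type = "MX";  Value = "Mail1.Adatum.com" },
    @{ Name = "_sipinternaltls._tcp.Adatum.com"; Type = "SRV"; Value = "Lync-svr1.adatum.com"; Port = 5061 }
)

function Test-ExpectedRecord {
    param([hashtable]$Record)

    $result = [ordered]@{ Name = $Record.Name; Type = $Record.Type; Status = ""; Detail = "" }

    # -DnsOnly bypasses the hosts file and local cache so the server itself is tested.
    $answer = Resolve-DnsName -Name $Record.Name -Type $Record.Type -Server $DnsServer -DnsOnly `
                              -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq $Record.Type }

    if (-not $answer) {
        $result.Status = "Missing"
        $result.Detail = "no $($Record.Type) record returned (never created, or scavenged prematurely?)"
        return [pscustomobject]$result
    }

    switch ($Record.Type) {
        "A" {
            $result.Detail = @($answer.IPAddress) -join ","
            $result.Status = if ($answer.IPAddress -contains $Record.Value) { "OK" } else { "Incorrect" }
        }
        "MX" {
            $result.Detail = @($answer | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join ","
            $result.Status = if ($answer.NameExchange -contains $Record.Value) { "OK" } else { "Incorrect" }
        }
        "SRV" {
            $result.Detail = @($answer | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ","
            if ($answer | Where-Object { -not $_.NameTarget -or $_.Port -eq 0 }) {
                $result.Status = "Incomplete"   # client cannot locate the service at all
            } elseif ($answer | Where-Object { $_.NameTarget -eq $Record.Value -and $_.Port -eq $Record.Port }) {
                $result.Status = "OK"
            } else {
                $result.Status = "Incorrect"
            }
        }
    }
    return [pscustomobject]$result
}

$report = foreach ($r in $Expected) { Test-ExpectedRecord -Record $r }
$report | Format-Table -AutoSize

# Anything not OK needs follow-up in DNS Manager (or with Get-DnsServerResourceRecord).
$report | Where-Object Status -ne "OK"
```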
Monitoring DNS by Using the DNS Event Log
A DNS server has its own category in the event
log. As with any event log in Event Viewer, you
should review the event log periodically.
Common DNS Events
The following table describes common DNS
events.
Event ID 2. The DNS server has started. This message generally appears at startup when either the server computer or the DNS server service is started.
Event ID 3. The DNS server has shut down. This message generally appears when either the server computer is shut down or the DNS server service is stopped manually.
Event ID 408. The DNS server could not open socket for address [IPaddress]. Verify that this is a valid IP address for the server computer.
To correct the problem, you can do the following:
1. If the specified IP address is not valid, remove it from the list of restricted interfaces for the server and restart the server.
2. If the specified IP address is no longer valid and was the only address enabled for the DNS server to use, the server might not have started because of this configuration error. To correct this problem, delete the following value from the registry and restart the DNS server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\ListenAddress
3. If the IP address for the server computer is valid, verify that no other application that would attempt to use the same DNS server port, such as another DNS server application, is running. By default, DNS uses TCP port 53.

Event ID 413. The DNS server sends requests to other DNS servers on a port other than its default port, TCP port 53.
This DNS server is multihomed and has been configured to restrict DNS server service to only some of its configured IP addresses. For this reason, there is no assurance that DNS queries made by this server to other remote DNS servers will be sent by using one of the IP addresses that was enabled for the DNS server.
Using a port other than port 53 might prevent query answer responses that these servers return from being received on the different DNS port that the server is configured to use. To avoid this problem, the DNS server sends queries to other DNS servers by using an arbitrary non-DNS port, and the response is received regardless of the IP address that was used.
If you want to limit the DNS server to using only its configured DNS port for sending queries to other DNS servers, use the DNS console to perform one of the following changes to the server properties configuration on the Interfaces tab:
o Select All IP addresses to enable the DNS server to listen on all configured server IP addresses.
o Select Only the following IP addresses to limit the IP address list to a single server IP address.
Event ID 414. The server computer currently has no primary DNS suffix configured. Its DNS name currently is a single label host name. For example, its configured name is host rather than host.example.microsoft.com or another FQDN.
Although the DNS server has only a single label name, default resource records created for its configured zones use only this single label name when mapping the host name for this DNS server. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name.
In general, you should reconfigure a DNS server with a full DNS computer name that is appropriate for its domain or workgroup use on your network.
Event ID 708. The DNS server did not detect any zones of either primary or secondary type. It will run as a caching-only server, but it will not be authoritative for any zones.
Event ID 3150. The DNS server wrote a new version of zone [zonename] to file [filename]. You can view the new version number by clicking the Record Data tab.
This event should appear only if you configure a DNS server to operate as a root server.
Event ID 6527. Zone [zonename] expired before it could obtain a successful zone transfer or update from a master server that is acting as its source for the zone. The zone has been shut down.
This event ID number might appear when you configure the DNS server to host a secondary copy of the zone from another DNS server that is acting as its source or master server. Verify that this server has network connectivity to its configured master server.
If the problem continues, consider one or more of the following options:
1. Delete the zone and recreate it, specifying either a different master server or an updated and corrected IP address for the same master server.
2. If zone expiration continues, consider adjusting the expiration interval.
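The following script is an added example and is not part of the course. It reads the DNS Server event log for the event IDs listed above over the last seven days and summarises them, so that a recurring socket failure (408) or an expired secondary zone (6527) is noticed rather than buried; the hint text repeats the table's guidance, and the seven-day window is an assumed value.

```powershell
$Since    = (Get-Date).AddDays(-7)
$WatchIds = 2, 3, 408, 413, 414, 708, 3150, 6527

# Short reminders taken from the table above, keyed by event ID.
$Hints = @{
    2    = "DNS server service started"
    3    = "DNS server service stopped"
    408  = "could not open socket: check the ListenAddress value and for another process on port 53"
    413  = "multihomed server sending on a non-default port: review the Interfaces tab"
    414  = "no primary DNS suffix: give the server a full DNS computer name"
    708  = "no primary or secondary zones loaded: running caching-only"
    3150 = "new zone version written to file"
    6527 = "secondary zone expired: check connectivity to the master server"
}

# Get-WinEvent reports an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = $WatchIds; StartTime = $Since } `
                         -ErrorAction SilentlyContinue)

$summary = $events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId  = [int]$_.Name
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        Hint     = $Hints[[int]$_.Name]
    }
} | Sort-Object EventId

"DNS Server events since {0}: {1}" -f $Since, $events.Count
$summary | Format-Table -AutoSize

# 408 and 6527 both mean the server is silently not answering for something:
# raise them separately so they are not lost among the routine start/stop events.
$attention = @($summary | Where-Object { $_.EventId -in 408, 6527 })
if ($attention.Count -gt 0) {
    Write-Warning ("DNS events needing attention: " + (($attention.EventId | Sort-Object -Unique) -join ", "))
}
```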
Monitoring DNS by Using Debug Logging
Sometimes, it might be necessary to get more
details about a DNS problem than what the Event
Viewer provides. In this instance, you can use
debug logging to find additional information.
The following DNS debug logging options are available:
• Direction of packets. This option has the following settings:
o Send. The DNS server log file logs packets that the DNS server sends.
o Receive. The log file logs packets that the DNS server receives.
• Content of packets. This option has the following settings:
o Standard query. Specifies that packets containing standard queries, according to Request for Comments (RFC) 1034, be logged in the DNS server log file.
o Updates. Specifies that packets containing dynamic updates, according to RFC 2136, be logged in the DNS server log file.
o Notifies. Specifies that packets containing notifications, according to RFC 1996, be logged in the DNS server log file.
• Transport protocol. This option has the following settings:
o UDP. Specifies that packets sent and received over UDP be logged in the DNS server log file.
o TCP. Specifies that packets sent and received over TCP be logged in the DNS server log file.
• Type of packet. This option has the following settings:
o Request. Specifies that request packets be logged in the DNS server log file. A request packet is characterized by a query/response bit set to zero in the DNS message header. (The query/response bit is a one-bit field that specifies whether the message is a query (0) or a response (1).)
o Response. Specifies that response packets be logged in the DNS server log file. A response packet is characterized by a query/response bit set to 1 in the DNS message header.
• Enable filtering based on IP address. This option provides additional filtering of packets that are logged in the DNS server log file. This option allows logging of packets that are sent from specific IP addresses to a DNS server or from a DNS server to specific IP addresses.
• Log file maximum size limit. This option allows you to set the maximum file size for the DNS server log file. When the DNS server log file reaches its specified maximum size, the DNS server overwrites the oldest packet information with new information. If you do not specify a maximum log-file size, the DNS server log file can consume a large amount of hard disk space.
By default, all debug logging options are disabled. When you enable them selectively, the DNS server
service can perform additional trace-level logging of selected types of events or messages for general
troubleshooting and server debugging.

Debug logging can be resource intensive, affecting overall server performance and consuming disk space.
Therefore, you should use it only on a temporary basis, when you need more detailed server-performance
information.
Note: Dns.log contains debug logging activity. By default, it is located in the
%SystemRoot%\System32\Dns folder.
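The following script is an added example and is not part of the course. It switches on a deliberately narrow debug log with Set-DnsServerDiagnostics (received dynamic update packets from one client, over UDP and TCP, capped in size), captures for a short window, turns the options off again in a finally block, and counts what was logged; the client address, the capture length and the 50 MB cap are assumed values.

```powershell
$ClientIP = "172.16.0.50"   # assumed address of the client whose updates you want to see
$Minutes  = 10              # assumed capture window
$LogPath  = "$env:SystemRoot\System32\Dns\Dns.log"

# Show the starting point so the change and the rollback are on record.
Get-DnsServerDiagnostics |
    Select-Object ReceivePackets, Updates, UdpPackets, TcpPackets, QuestionTransactions,
                  FilterIPAddressList, MaxMBFileSize, LogFilePath

try {
    # One setting from each group in the list above is needed for anything to be
    # written: direction (ReceivePackets), content (Updates), transport (Udp/Tcp)
    # and packet type (QuestionTransactions = requests). Everything else stays off.
    # MaxMBFileSize is a byte count despite its name; Get-DnsServerDiagnostics
    # shows the default as 500000000.
    Set-DnsServerDiagnostics -ReceivePackets $true -Updates $true `
        -UdpPackets $true -TcpPackets $true -QuestionTransactions $true `
        -FilterIPAddressList $ClientIP -MaxMBFileSize 50000000 -LogFilePath $LogPath

    Write-Host "Logging dynamic update packets received from $ClientIP for $Minutes minutes..."
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Debug logging is resource intensive: always switch the options back off,
    # even if the capture is interrupted with Ctrl+C.
    Set-DnsServerDiagnostics -ReceivePackets $false -Updates $false `
        -UdpPackets $false -TcpPackets $false -QuestionTransactions $false
}

# Received packets are logged with "Rcv" followed by the sender's address.
$lines = @(Select-String -Path $LogPath -Pattern ("Rcv\s+" + [regex]::Escape($ClientIP)))
"Update packets received from {0}: {1}" -f $ClientIP, $lines.Count
$lines | Select-Object -Last 5 | ForEach-Object { $_.Line }
```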
Monitoring DNS with Windows PowerShell
Windows Server 2012 added several new Windows PowerShell cmdlets to configure, manage, monitor, and troubleshoot DNS servers and services. You have already seen several of these, such as Get-DnsServer, Add-DnsServerConditionalForwarderZone, and Add-DnsServerPrimaryZone.
You can use Windows PowerShell cmdlets for DNS
to create scripts that allow you to conduct
repetitive tasks and other elaborate actions more
easily than continuous typing and clicking in the
DNS console. This has many advantages over the
DNS console because you can save scripts, rerun them, and modify them as needed. You can also use
variables and parameters that are called when the script runs. The dynamic ability of Windows PowerShell
to perform all of these tasks provides you with a valuable tool in your DNS management toolkit.
For a complete list of the DNS cmdlets for Windows PowerShell, see the following:
http://go.microsoft.com/fwlink/?LinkID=331161
Windows Server 2012 R2 has several new Windows PowerShell cmdlets that include enhanced zone level
statistics and enhanced DNSSEC support.
The zone-level statistics returned by the Get-DnsServerStatistics cmdlet, which was introduced in Windows Server 2012, now include the following additional properties:
• ZoneQueryStatistics. Returns information on queries.
• ZoneTransferStatistics. Returns information about full and incremental zone transfers.
• ZoneUpdateStatistics. Returns information about any dynamic updates.
To get zone-level statistics, type the following at an elevated Windows PowerShell command prompt:
$statistics = Get-DnsServerStatistics -ZoneName Adatum.com
$statistics.ZoneQueryStatistics
$statistics.ZoneTransferStatistics
$statistics.ZoneUpdateStatistics
Windows Server 2012 R2 provides the following additional cmdlets for DNSSEC functionality:
• Step-DnsServerSigningKeyRollover. Forces a key signing key rollover when waiting for a parent delegation signer update. If a server that hosts a securely delegated zone is unable to check whether the delegation signer record in the parent has been updated, this cmdlet allows you to force a rollover. It expects the delegation signer record to be manually updated in the parent.

• Add-DnsServerTrustAnchor -Root. The Root parameter set permits you to retrieve trust anchors from the URL specified in the RootTrustAnchorsURL property of the DNS server. This cmdlet has the following alias: Retrieve-DnsServerRootTrustAnchor.
• RootTrustAnchorsURL. The Get-DnsServerSetting and Set-DnsServerSetting cmdlets are extended to add a new output string, RootTrustAnchorsURL.
DNSSEC is a suite of extensions that adds security to the DNS protocol by giving DNS servers the ability to validate DNS responses. With DNSSEC, digital signatures accompany resource records. These digital signatures are generated when DNSSEC is applied to a DNS zone by using the zone signing process. When a resolver issues a DNS query for a resource record in a signed zone, the digital signature is returned with the response so that validation can be performed. If validation is successful, the data has not been modified or tampered with in any way.
Lab: Configuring and Troubleshooting DNS
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London,
United Kingdom. An Information Technology office and a data center are located in London to support
the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client
infrastructure.
Management has asked you to add several new resource records to the DNS service that is installed on LON-DC1. Records include a new MX record for Exchange Server 2013 and a SRV record for a Microsoft Lync Server 2013 deployment that is occurring.
A. Datum is working with a partner organization, Contoso, Ltd. You have been asked to configure internal
name resolution between the two organizations. A small branch office has reported that name resolution
performance is poor. The branch office contains a Windows Server 2012 server that performs several roles.
However, there is no plan to implement an additional domain controller. You have been asked to install
the DNS server role at the branch office and to create a secondary zone of Adatum.com. To maintain
security, you have been instructed to configure the branch office server to be on the Notify list for
Adatum.com zone transfers. You also should update all branch office clients to use the new name server
in the branch office.
You should configure the new DNS server role to perform standard aging and scavenging, as necessary
and as specified by corporate policy. After implementing the new server, you need to test and verify the
configuration by using standard DNS troubleshooting tools.
Objectives
After completing this lab, you will be able to:
• Configure DNS resource records.
• Configure DNS conditional forwarding.
• Install and configure DNS zones.
• Troubleshoot DNS.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20411D-LON-DC1, 20411D-LON-SVR1, 20411D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Adatum
5. Repeat steps 2 through 4 for 20411D-LON-SVR1 and 20411D-LON-CL1.
Exercise 1: Configuring DNS Resource Records
Scenario
You have been asked to add several new resource records to the DNS service on LON-DC1. Records
include a new MX record for Exchange Server 2010, and an SRV record that is required for a Lync
Server 2013 deployment that is taking place currently. You also have been asked to configure a reverse
lookup zone for the domain.
The main tasks for this exercise are as follows:
1. Add the required mail exchanger (MX) record
2. Add the required Microsoft Lync Server records
3. Create the reverse lookup zone
Task 1: Add the required mail exchanger (MX) record
1. Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Open the DNS Manager.
3. Create a new host record with the following properties:
Zone: Adatum.com
Name: Mail1
IP address: 172.16.0.250
4. In the Adatum.com zone, add a new record with the following information:
Type: New Mail Exchanger (MX)
Fully qualified domain name (FQDN) of mail server: Mail1.Adatum.com
Task 2: Add the required Microsoft Lync Server records
1. Create a new host record with the following properties:
Zone: Adatum.com
Name: Lync-svr1
IP address: 172.16.0.251
2. In the Adatum.com zone, add a new record:
Type: Service Location (SRV)
Service: _sipinternaltls
Protocol: _tcp
Port Number: 5061
Host offering this service: Lync-svr1.adatum.com
Task 3: Create the reverse lookup zone
1. Create a new reverse lookup zone with the following properties:
Zone Type: Primary zone
Active Directory Zone Replication Scope: Default
Reverse Lookup Zone Name: IPv4 Reverse Lookup Zone
Reverse Lookup Zone Name: 172.16.
Dynamic Update: Default

Results: After this exercise, you should have configured the required messaging service records and the
reverse lookup zone.
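The following script is an added example and is not part of the course. It performs the three tasks of this exercise with the DnsServer cmdlets instead of DNS Manager, run on LON-DC1 as Adatum\Administrator; the record names and addresses are the lab's, and the MX preference of 10 is an assumed value (the wizard's default).

```powershell
$Zone = "Adatum.com"

# Task 1: host record for the mail server, then the MX record at the zone apex
# (the name "." stands for the zone itself).
Add-DnsServerResourceRecordA  -ZoneName $Zone -Name "Mail1" -IPv4Address "172.16.0.250"
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name "." -MailExchange "Mail1.$Zone" -Preference 10

# Task 2: host record for the Lync server and the SIP-over-TLS service location record.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name "Lync-svr1" -IPv4Address "172.16.0.251"
Add-DnsServerResourceRecord  -Srv -ZoneName $Zone -Name "_sipinternaltls._tcp" `
    -DomainName "Lync-svr1.$Zone" -Priority 0 -Weight 0 -Port 5061

# Task 3: Active Directory-integrated reverse lookup zone for 172.16.x.x
# (16.172.in-addr.arpa), replicated to the domain's domain controllers and
# accepting secure dynamic updates only, which is what the wizard defaults give.
Add-DnsServerPrimaryZone -NetworkId "172.16.0.0/16" -ReplicationScope "Domain" -DynamicUpdate "Secure"

# Verify what was written before moving on to the next exercise.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType MX
Get-DnsServerResourceRecord -ZoneName $Zone -RRType Srv
Get-DnsServerZone -Name "16.172.in-addr.arpa"
```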
Exercise 2: Configuring DNS Conditional Forwarding
Scenario
You have been asked to configure internal name resolution between A. Datum and its partner
organization, Contoso.
The main tasks for this exercise are as follows:
1. Add the conditional forwarding record for Contoso.com
Task 1: Add the conditional forwarding record for Contoso.com
From the Conditional Forwarders node, configure conditional forwarding for Contoso.com:
a. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
b. Click the <Click here to add an IP Address or DNS Name> box, type 131.107.1.2, and then
press Enter. Validation will fail because the server cannot be contacted.
c. Enable Store this conditional forwarder in Active Directory, and replicate it as follows.

Results: After this exercise, you should have configured conditional forwarding.
Exercise 3: Installing and Configuring DNS Zones
Scenario
A small branch office has reported that name resolution performance is poor. The branch office contains a
Windows Server 2012 server that performs several roles. However, there is no plan to implement an
additional domain controller.
You have been asked to install the DNS server role at the branch office, and then create a secondary zone
of Adatum.com. To maintain security, you also have been instructed to configure the branch office server
to be on the Notify list for Adatum.com zone transfers. You also should update all branch office clients to
use the new name server in the branch office, and then configure the new DNS server role to perform
standard aging and scavenging, as needed and specified by corporate policy.
The main tasks for this exercise are as follows:
1. Install the DNS server role on LON-SVR1
2. Create the required secondary zones on LON-SVR1
3. Enable and configure zone transfers
4. Configure Time to Live (TTL), aging, and scavenging
5. Configure clients to use the new name server
Task 1: Install the DNS server role on LON-SVR1
1. Switch to LON-SVR1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Use Server Manager to install the DNS Server role.
Task 2: Create the required secondary zones on LON-SVR1
1. Open a Windows PowerShell Administrator console.
2. Type the following cmdlet to create the required secondary zone:
Add-DnsServerSecondaryZone -Name "Adatum.com" -ZoneFile "Adatum.com.dns" -MasterServers 172.16.0.10
Task 3: Enable and configure zone transfers
1. Switch to LON-DC1.
2. Open Windows PowerShell, and then run the following cmdlet to configure zone transfers for the
Adatum.com zone:
Set-DnsServerPrimaryZone -Name "adatum.com" -Notify NotifyServers -NotifyServers 172.16.0.21 -SecondaryServers 172.16.0.21 -SecureSecondaries TransferToSecureServers
3. In DNS Manager, verify the changes to the Zone Transfers settings:
a. In the navigation pane, click Adatum.com, and then, on the toolbar, click Refresh.
b. Right-click Adatum.com, and then click Properties.
c. In the Adatum.com Properties dialog box, click the Zone Transfers tab.
d. Click Notify, verify that the server 172.16.0.21 appears, and then click Cancel.
Task 4: Configure Time to Live (TTL), aging, and scavenging
1. On LON-DC1, open the Adatum.com zone properties.
2. On the Start of Authority (SOA) tab, configure the Minimum (default) TTL value to be 2 hours.
3. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure
aging and scavenging options.
4. Enable Scavenge stale resource records, and then use the default values.
Task 5: Configure clients to use the new name server
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Use Network and Sharing Center to view the properties of Ethernet.
3. Reconfigure Internet Protocol Version 4 (TCP/IPv4) as follows:
Modify the Preferred DNS server: 172.16.0.21.

Results: After this exercise, you should have installed and configured Domain Name System (DNS) on
LON-SVR1.
Exercise 4: Troubleshooting DNS
Scenario
After implementing the new server, you need to test and verify the configuration by using standard DNS
troubleshooting tools.
The main tasks for this exercise are as follows:
1. Test simple and recursive queries
2. Verify start of authority (SOA) resource records with Windows PowerShell
3. To prepare for the next module
Task 1: Test simple and recursive queries
1. On LON-DC1, in DNS Manager, open the LON-DC1 Properties.
2. On the Monitoring tab, perform a simple query against the DNS server. This is successful.
3. Perform simple and recursive queries against this and other DNS servers. The recursive test fails
because there are no forwarders configured.
4. Stop the DNS service, and then repeat the previous tests. They fail because no DNS server is available.
5. Restart the DNS service, and then repeat the tests. The simple test is successful.
6. Close the LON-DC1 Properties dialog box.
Task 2: Verify start of authority (SOA) resource records with Windows PowerShell
1. Open Windows PowerShell on LON-DC1.
2. Type the following command, and then press Enter:
Resolve-DnsName -Name Adatum.com -Type SOA
3. View the results, and then close the Windows PowerShell console.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411D-LON-SVR1 and 20411D-LON-CL1.

Results: After this exercise, you should have tested and verified DNS.
Question: In the lab, you were required to deploy a secondary zone because you were not going to deploy any additional domain controllers. If this condition changed (that is, if LON-SVR1 was a domain controller), how would that change your implementation plan?
Module Review and Takeaways
Review Question(s)
Question: You are deploying DNS servers into an Active Directory domain, and your
customer requires that the infrastructure be resistant to single points of failure. What must
you consider while planning the DNS configuration?
Question: What is the difference between recursive and iterative queries?
Question: What must you configure before a DNS zone can transfer to a secondary DNS
server?
Question: You are the administrator of a Windows Server 2012 DNS environment. Your company recently acquired another company. You want to replicate their primary DNS zone.
The acquired company is using Berkeley Internet Name Domain (BIND) 4.9.4 to host its
primary DNS zones. You notice a significant amount of traffic between the Windows
Server 2012 DNS server and the BIND server. What is one possible reason for this?
Question: You must automate a DNS server configuration process so that you can automate
the deployment of Windows Server 2012. What DNS tool can you use to do this?
Tools
Tool Use for Where to find it
Dnscmd.exe. Configure the DNS server role. Command-line.
Dnslint.exe. Test a DNS server. Download from the Microsoft website and then use from the command-line.
Nslookup.exe. Test DNS name resolution. Command-line.
Ping.exe. Simple test of DNS name resolution. Command-line.
Ipconfig.exe. Verify and test IP functionality and view or clear the DNS client resolver cache. Command-line.
Module 2
Maintaining Active Directory Domain Services
Contents:
Module Overview 2-1
Lesson 1: Overview of AD DS 2-2
Lesson 2: Implementing Virtualized Domain Controllers 2-8
Lesson 3: Implementing RODCs 2-18
Lesson 4: Administering AD DS 2-24
Lesson 5: Managing the AD DS Database 2-35
Lab: Maintaining AD DS 2-44
Module Review and Takeaways 2-51

Module Overview
Active Directory Domain Services (AD DS) is the most critical component in a Windows Server 2012 R2
domain-based network. AD DS contains important information about authentication, authorization, and
resources in your environment. This module explains why you implement specific AD DS features, how
important components integrate with each other, and how you can ensure that your domain-based
network functions properly. You will learn about new features, such as virtualized domain controller
cloning, recent features like read-only domain controllers (RODCs), and other features and tools that you
can use in the AD DS environment.
Objectives
After completing this module, you will be able to:
• Explain the general structure of AD DS.
• Implement virtualized domain controllers.
• Implement RODCs.
• Administer AD DS.
• Manage the AD DS database.
Lesson 1
Overview of AD DS
This lesson covers the core logical components of an AD DS deployment. The AD DS database stores
information on user identity, computers, groups, services, and resources. AD DS domain controllers also
host the service that authenticates user and computer accounts when they sign in to the domain. AD DS
stores information about all of the domain's objects, and all users and computers must connect to AD DS
domain controllers when signing in to the network. Therefore, AD DS is the primary means by which you
can configure and manage user and computer accounts on your network.
Lesson Objectives
After completing this lesson, you will be able to:
Describe AD DS components.
Explain the structure of an AD DS forest and schema.
Explain the structure of an AD DS domain.
Describe how to extend an AD DS deployment with Windows Azure virtual machines.
Overview of AD DS Components
AD DS is composed of both physical and logical components. To maintain your AD DS environment
effectively, you need to understand the way the components of AD DS work together.
Physical Components
AD DS information is stored in a database on each domain controller's hard disk. The following table
lists some of these physical components and their storage locations.
Physical component   Description
Domain controllers   Contain copies of the AD DS database. Domain-specific information can be updated from any domain controller that is a member of the same domain.
Data store   The files on each domain controller that store the AD DS information, such as the ntds.dit database, the Espresso Database (EDB) log files, and the system volume share, which appears in File Explorer as SYSVOL.
Global catalog servers   Host the global catalog, which is a partial, read-only copy of all the objects in every domain in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
RODCs   A special AD DS installation in read-only format. You typically use these in branch offices where physical security may not be available and Information Technology (IT) support staff is not always available on premises, compared to an enterprise's main corporate centers.

Logical Components
AD DS logical components are structures that you use to implement an Active Directory design that is
appropriate for an organization. The following table describes some of the types of logical structures that
an Active Directory database might contain.
Logical component   Description
Partition   A section of the AD DS database. You can view, manage, and replicate distinct sections of the ntds.dit database, such as partitions, or naming contexts.
Schema   Defines the list of object types and attributes from which all AD DS objects are derived.
Domain   A logical, administrative boundary for creating and managing AD DS objects such as users, computers, and groups.
Domain tree   A collection of domains that share a common root domain and an AD DS namespace.
Forest   A collection of one or more domains that share a common AD DS schema and configuration.
Site   Defines the logical location of AD DS objects based on association with TCP/IP networks. A site is used to control AD DS replication traffic. By default, AD DS assumes that consistent, low-latency, adequate bandwidth exists between all AD DS computers. Because of this assumption, AD DS computers attempt near-immediate replication with each other constantly. If network-based constraints exist between AD DS computers, then additional AD DS sites should be defined and logically linked together in order to control AD DS replication traffic. Sites are useful in planning administrative tasks, such as replication of changes to the AD DS database.
OU   Organizational units (OUs) are containers in AD DS that provide an option to group AD DS objects logically within a domain. OUs also provide a framework for delegating administrative rights and for linking Group Policy Objects (GPOs).
Understanding AD DS Forest and Schema Structure
In AD DS, forest and schema structures are important for defining the functionality and scope of your
environment.
AD DS Forest Structure
A forest is a collection of one or more trees. A tree is a collection of one or more domains that share a
common AD DS namespace. The first domain that is created in the forest is called the forest root domain.
Two special groups exist in the forest root domain: the Enterprise Admins and the Schema Admins
universal groups. The Enterprise Admins group has full control over every domain within the forest. The
Schema Admins group has full control over changes to the AD DS schema.
The AD DS forest is a security boundary. This means that, by default, no users from outside the forest can
access any resources inside the forest. One of the primary reasons why organizations deploy multiple
forests is that they need to isolate administrative permissions between different parts of the organization.
The AD DS forest is also the replication boundary for the configuration and schema partitions in the
AD DS database. This means that all domain controllers in the forest share the same schema. A second
reason why organizations choose to deploy multiple forests is that they must deploy incompatible
schemas within the same organization.
The AD DS forest is the replication boundary for the global catalog. This makes most forms of
collaboration between users in different domains easier. For example, the global catalog lists all
Microsoft Exchange Server 2013 recipients, making it easy to send mail to any of the users in the forest,
even those users in different domains.
By default, all the domains in a forest automatically trust the other domains in the same forest. This makes
it easy to enable access to resources such as file shares and websites for all users in a forest, regardless of
the domain in which the user account is located.
AD DS Schema Structure
The AD DS schema is the AD DS component that defines all object types and attributes that AD DS uses to
store data. The AD DS schema is sometimes referred to as the blueprint for AD DS. AD DS stores and
retrieves information from a wide variety of applications and services. By standardizing how data is stored,
AD DS can retrieve, update, and replicate data, while maintaining the integrity of the data.
AD DS uses objects as units of storage. All object types are defined in the schema. Each time that the
directory handles data, the directory queries the schema for an appropriate object definition. Based on
the object definition in the schema, the directory creates the object and stores the data.
Object definitions control both the types of data that the objects can store, and the syntax of the data.
Using this information, the schema ensures that all objects conform to their standard definitions. As a
result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is
the original source of the data. Only data that has an existing object definition in the schema can be
stored in the directory. If a new type of data needs to be stored, first create a new object definition for the
data in the schema.
In AD DS, the schema defines the following:
Objects that are used to store data in the directory.
Rules that define what types of objects you can create, what attributes must be defined when you
create the object, and what attributes are optional.
The structure and content of the directory itself.
You can use an account that is a member of the Schema Admins group to modify the schema
components in a graphical form. Examples of objects that are defined in the schema include user,
computer, group, and site. Among the many hundreds of attributes are location, accountExpires,
buildingName, company, manager, and displayName.
The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest from the schema operations master role
holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes to the schema affect
every domain controller, you should make changes to the schema only when necessary. Before making
any changes, you should review the changes through a tightly controlled process, and then implement
them only after you have performed testing to ensure that the changes will not adversely affect the rest of
the forest and any applications that use AD DS.
Although you might not make any change to the schema directly, some applications make changes to the
schema to support additional features. For example, when you install Exchange Server 2013 into your
AD DS forest, the installation program extends the schema to support new object types and attributes.
Understanding AD DS Domain Structure
An AD DS domain is a logical grouping of user, computer, and group objects for the purposes of
management and security. All of these objects are stored in the AD DS database, and a copy of this
database is stored on every domain controller in the AD DS domain.
There are several types of objects that can be stored in the AD DS database, including user accounts.
User accounts provide a mechanism that you can use to authenticate and then authorize users to access
resources on the network. Each domain-joined computer must have an account in AD DS. This enables
domain administrators to also use domain group policies to manage the computers.
The domain also stores groups, which are the mechanism for grouping together objects for administrative
or security reasons, such as user accounts and computer accounts.
The AD DS domain is also a replication boundary. Changes made to any object in the domain are
replicated automatically to all other domain controllers in the domain.
An AD DS domain is an administrative center. It contains an Administrator account and a Domain Admins
group, which both have full control over every object in the domain. Unless they are in the forest root
domain, however, their range of control is limited to the domain. Password and account rules are
managed at the domain level by default. The AD DS domain also provides an authentication center. All
user accounts and computer accounts in the domain are stored in the domain database, and users and
computers must connect to a domain controller to authenticate.
A single domain can contain more than 1 million objects, so most organizations need to deploy only a
single domain. Organizations that have decentralized administrative structures, or that are distributed
across multiple locations, might instead implement multiple domains in the same forest.
Domain Controllers
Changes to the AD DS database can be initiated on any domain controller in a domain except for RODCs.
The AD DS replication service then synchronizes the changes and updates to the AD DS database to all
other domain controllers in the domain. Additionally, either the file replication service (FRS), or the newer
DFS Replication, replicates the SYSVOL folders. By default, DFS Replication is used on the Windows
Server 2008 R2 operating system and above, although you can migrate FRS to DFS Replication on
Windows Server 2003 R2 and above.
An AD DS domain should always have a minimum of two domain controllers. This way, if one of the
domain controllers fails, an alternate domain controller is available to ensure continuity of the AD DS
domain services. When you decide to add more than two domain controllers, consider the size of your
organization and its performance requirements.

Organizational Units
An OU is a container object within a domain that you can use to consolidate users, groups, computers,
and other objects. There are two main reasons to create OUs:
To configure objects contained within the OU. You can assign GPOs to the OU, and apply the settings
to all objects within the OU. GPOs are policies that administrators create to manage and configure
computer and user accounts. The most common way to deploy these policies is to link them to OUs.
To delegate administrative control of objects within the OU. You can assign management permissions
on an OU, thereby delegating control of that OU to a user or group within AD DS other than the
administrator.
You can use OUs to represent the hierarchical, logical structures within your organization. For example,
you can create OUs that represent the departments within your organization, the geographic regions
within your organization, or a combination of both departmental and geographic regions. You can use
OUs to manage the configuration and use of user, group, and computer accounts based on your
organizational model.
Every AD DS domain contains a standard set of containers and OUs that are created when you install
AD DS, including the following:
Domain container. The root container of the hierarchy.
Users container. The default location for new user accounts and groups that you create in the
domain. The users container also holds the administrator and guest accounts for the domain and
some default groups.
Computers container. The default location for new computer accounts that you create in the domain.
Domain Controllers OU. The default location for domain controller computer accounts. This is the only
OU that is present in a new installation of AD DS.
Note: None of the default containers in the AD DS domain can have GPOs linked to them,
except for the default Domain Controllers OU and the domain itself. All the others are default
system-generated containers.
Extending the AD DS Deployment with Windows Azure Virtual Machines
Windows Azure is a Microsoft application platform for a public cloud. A public cloud is a cloud
infrastructure typically owned and managed by an organization that provisions cloud services to the
public or a large group. Organizations can use the Windows Azure platform in many different ways. For
web developers, Windows Azure enables the hosting of scalable websites and databases. For
infrastructure administrators, Windows Azure provides capabilities that extend the organization's
infrastructure, including AD DS, into the cloud or provide an infrastructure for cross-organizational
projects. Windows Azure provides IT managers an extensible, low-cost, pay-per-use service.

Windows Azure Virtual Machine is a new service that allows organizations to run virtual machines on a
cloud. Windows Azure Virtual Network makes it easy to set up networks that are separate from the
networks of other customers within the same cloud. However, Windows Azure Virtual Network allows you
to connect to your corporate network infrastructure over the cloud.
Running AD DS domain controllers in Windows Azure Virtual Machines can be beneficial in various
scenarios:
Cloud-only scenarios. You can create a new AD DS forest and domain in Windows Azure, which
enables you to host extranet applications. These applications require domain services without
needing to communicate back to your on-premises network.
Hybrid scenarios. Hybrid scenarios enable you to extend your AD DS infrastructure to the cloud by
deploying the domain controllers of your on-premises AD DS to Windows Azure Virtual Machines.
This can extend corporate applications to the cloud for business-to-business communications
through the cloud, or it can serve as a component in your high availability and recovery strategies.
When deploying AD DS domain controllers in Windows Azure, you can distinguish between a cloud-only
deployment and a hybrid deployment:
Cloud-only deployment. Cloud-only deployments of AD DS enable you to build a new forest in the
cloud. You then can enable Internet and intranet users to access resources on your cloud-only
network. This might be beneficial in the following scenarios:
o Support applications that need AD DS services to be accessible from the Internet and the
intranet.
o Support applications that should be isolated from corporate AD DS.
o Support extranet applications in the cloud.
Hybrid deployment. In a hybrid deployment, you can extend your on-premises AD DS to the cloud by
deploying a virtual domain controller of your existing domain or domains to the cloud. The following
scenarios are for a hybrid deployment of your AD DS domain in the cloud:
o Support applications in the cloud, such as a corporate Microsoft SharePoint farm.
o Support Active Directory Federation Services (AD FS) in the cloud to enable business-to-business
authentication.
o Serve as a substitute or failover for branch-office or headquarters domain controllers.
Lesson 2
Implementing Virtualized Domain Controllers
Virtualization is a common practice in IT departments. The consolidation and performance benefits that
virtualization provides are great assets to any organization. Windows Server 2012 AD DS domain
controllers are now more aware of virtualization. In this lesson, you will learn the considerations for
implementing virtualized domain controllers in Windows Server 2012 R2. In addition, you will see how
you can deploy and manage these domain controllers in the AD DS environment.
Lesson Objectives
After completing this lesson, you will be able to:
Identify considerations for implementing virtualized domain controllers.
Describe how to manage virtualized domain controller snapshots.
Describe virtualization of domain controllers in Windows Server 2012.
Describe the domain controller cloning process.
Describe how to deploy a cloned virtualized domain controller.
Identify domain controller virtualization best practices.
Considerations for Virtual Domain Controller Deployment
The Windows Server 2012 operating system is a cloud-ready operating system. During deployment, one
of the most important decisions an administrator must make is whether the organization should choose
to use private cloud virtualization technology or continue to use physical servers.
Virtualizing servers provides many benefits to modern IT infrastructures. Some of these benefits are:
Specifics of physical hardware are abstracted from the guest operating system in a virtual machine,
which allows them to be ported more easily between virtualization hosts, such as Hyper-V in Windows
Server 2012.
Virtual machines can be moved within clusters and across networks between clusters or stand-alone
virtualization hosts.
Machines can be recovered faster and more easily.
Redundancy of virtual machines increases service levels. You can perform this regardless of whether
the application supports it or not.
Virtual machines can be scaled on demand.
Virtual machines can use more resources during peak hours and conserve energy when they are not
needed. However, servers deployed on physical hardware generally consume the same amount of
electricity whether they are busy or not.

When considering whether to virtualize a domain controller or not, you must consider hardware
requirements. Virtualization is very useful if you want scalable hardware. When you plan resource
utilization on the host computer, remember that the host operating system requires some additional
resources for running virtual machines, such as processing power, memory, network capacity, and disk
space.
The following are additional considerations you should keep in mind when virtualizing domain controllers:
Time synchronization. A Windows-based AD DS domain infrastructure loosely relies on all
communicating machines being synchronized. When domain controllers and domain members have
a time difference of more than five minutes, clients cannot log on or access resources on the network.
To address this requirement, the Windows operating system includes the Windows Time Service. This
service ensures that the time synchronizes across the domain in the following manner:
o Domain members obtain the time from their domain controller.
o Domain controllers use the primary domain controller (PDC) emulator, an operations master role,
from their own domain. You will learn more about operations master roles in a later lesson.
o The PDC emulator of the forest root domain should be configured with an external time source,
such as an Internet time provider based on an atomic clock, by using the Network Time Protocol.
In virtualized environments, time synchronization is not as simple as on physical computers. The
virtualization engine throttles the use of the virtualization host's central processing units (CPUs) and
distributes cycles among the virtual machines as needed. The operating system clock relies on stable CPU
cycles, which do not exist in virtual environments. By default, virtualization engines provide time-
synchronization with the guest computers. When virtualization hosts do not participate in time
synchronization, it is likely that the domain time and the virtualization host time will cease to be
synchronized. When physical computers participate in time synchronization, virtual machines are
synchronized to the time on the virtualization host. You must configure the virtualization host to
participate in time synchronization or disable synchronization with the virtual domain controllers for time
synchronization to work properly.
Domain membership of the virtualization host. When you use Hyper-V as a virtualization host, you
can configure whether or not the virtualization host is a member of the AD DS domain. If all domain
controllers are virtualized on Hyper-V, the operating system of the virtualization host starts and
attempts to connect to the domain before the domain controllers are available. You should have a
Hyper-V infrastructure joined to the domain. Failover-clustered physical machines are dependent on
AD DS because versions older than Windows Server 2012 are unable to start a cluster when the
domain is not available. In this case, the virtual machines do not start when AD DS is not available.
This can be solved by:
o Deploying multiple virtualization clusters or deploying a cluster and additional virtualization
hosts. With this, you can ensure that there are no domains in which all domain controllers are
running on a single virtualization cluster.
o Deploying a sufficient number of physical domain controllers per domain to allow for
redundancy and to ensure that the virtualization cluster can start prior to the virtual domain
controllers being available.
o Maintaining a distributed AD DS infrastructure. For example, when you have domain controllers
for every domain available in branch offices or remote data centers, your virtualization hosts can
use those domain controllers when they start.
Single point of failure. AD DS domain controllers are the most important pieces of your infrastructure.
If they fail, users cannot sign in, access resources or applications, and certain applications or services
might not run as well as other applications or services.
When virtualizing domain controllers, it is very important to ensure that there is not a single point of
failure for your domain controller AD DS infrastructure. Setting up all domain controllers as virtual
machine nodes on the same virtualization cluster is considered a single point of failure. The same
applies when you have an additional cluster with domain controllers in a separate data center that is
connecting to a storage area network (SAN) which is replicating with the SAN in the first data center.
Replicated SANs have been a single point of failure in some cases.
If domain controllers are distributed as mentioned in the domain membership section above, you
must ensure that there is not a single point of failure. The following domain virtualization
recommendations will prevent you from needing to perform a forest recovery if anything happens to
your virtualization infrastructure.
Moving AD DS to the cloud. Setting up AD DS domain controllers into the Microsoft cloud platform
can help avoid single points of failure. There are different ways this can be implemented that include
the following:
o Backing up domain controllers in the cloud.
o Setting up at least one virtual domain controller per domain in the cloud.
o Replicating a domain controller's virtual machine in the cloud by using Hyper-V Replica.
How Checkpoints Affect Domain Controllers
For virtual machines on Hyper-V, a checkpoint also saves the hardware configuration information. By
creating checkpoints for a virtual machine, you can restore the virtual machine to a previous state.
Virtualization hosts are able to create checkpoints of virtualization guests, which are useful if you need to
change something because you have an instant recovery option. Checkpoints allow virtual machines to be
reverted to an earlier point in time, before a configuration change was made, or an application was
installed. This makes checkpoints a good recovery tool for administrators and developers, especially when
testing system configuration or software changes. However, using checkpoints can be risky on production
systems, because restoring a checkpoint means all changes after that checkpoint are lost permanently.
AD DS is a distributed and redundant directory where every domain controller of a domain stores
information about every object and attribute in the domain. AD DS uses replication to ensure that data is
synchronized across all domain controllers in the domain. Data that is stored in the schema or
configuration partition of AD DS is replicated to all domain controllers in the forest. Using checkpoints on
virtualized domain controllers can corrupt the AD DS database because of the way updates are made
between domain controllers.
How Domain Controllers Update and Replicate Changes to Objects
AD DS uses a complex replication mechanism, and can store and service millions of objects, including user
accounts. Security principals, which include user accounts, computer accounts, and group objects in
AD DS, have a security identifier (SID) that is used to grant access to resources. Each domain controller
issues SIDs out of a pool of relative identifiers (RIDs).
During the replication process, a sequence of events takes place to ensure that any updated attribute or
object is added to all domain controllers' AD DS databases. However, it is important to ensure that these

updates are not repeatedly sent and added to the domain controllers' databases. Therefore, you must
carefully track and identify them during the replication process. Every object in AD DS consists of multiple
attributes. When an attribute is changed on any domain controller, the version number of that attribute is
incremented and replicated to the other domain controllers so that each domain controller has a current
copy of that attribute. Additionally, every domain controller stores an update sequence number (USN).
Every time an attribute is written, the current USN is stored with the attribute's metadata, and the USN is
then increased. If multiple attributes are written in the same transaction on the same server, they receive
the same USN. The USN is individual and independent for each domain controller and is not replicated
with the attribute. Every time an attribute is written, the domain controller updates the attribute's
metadata with a time stamp and the domain controller's own invocation ID. The invocation ID is a number
that is unique for every domain controller, and it identifies the domain controller and its database
uniquely in the forest.
When one domain controller requests replication from another domain controller, the requesting domain
controller knows what USN was last stored. The requesting domain controller and receiving domain
controller are known as replication partners. Every domain controller stores the invocation ID and the last
USN of the changes that replicated from its replication partners. Because of this, the requesting domain
controller can ask the receiving domain controller to check for updates since the last replication.
Afterward, the receiving domain controller compares the version number of every attribute to determine
whether the attribute has been changed remotely, by a third domain controller on the other side of its
replication partner, or locally, by the replication partner itself. Usually the version number of the remote
attribute is higher, so the receiving domain controller takes the change and writes it back into its
database. Additionally, this domain controller applies the same version number and assigns its own USN
to the change. In certain situations, the same version number might appear on both sides of the
replication, such as when the attribute was changed on multiple domain controllers independently. When
this is the case, the domain controller looks at the time stamp of the USN and the most recent change is
selected. Using checkpoints on virtualized domain controllers would break this replication infrastructure
because it would erase all the collected USN and replication data from the checkpointed domain
controller.
USN Rollbacks
USN rollbacks are the effects of applying previous checkpoints to virtual domain controllers. The following
example explains how USN rollbacks occur:
1. There are two domain controllers, DC01 and DC02. DC01 has a USN of 2200. DC02 has a USN of
1020.
2. They both receive changes, and they want to replicate again.
3. DC01 has a current USN of 2220. DC02 has a USN of 1040. DC01 requests the updates from DC02
from when DC02's USN was 1020, which is the USN from the last replication from its high watermark
table. DC02 requests all USNs since 2200.
4. An administrator creates a checkpoint of both domain controllers.
5. DC01 and DC02 continue to receive updates. When DC01 is at USN 2260 and DC02 is at USN 1080,
they replicate again. DC01 requests all changes from DC02 since USN 1040, and DC02 requests all
changes since USN 2220. DC01 and DC02 are synchronized again.
6. An administrator rolls back a checkpoint on DC02.
7. Now, DC02 is back at USN 1040 and thinks it has all updates from DC01 since USN 2220. DC01 is at
USN 2260 and thinks it has all updates from DC02 since USN 1080. The next 40 changes on DC02 are
not replicated to DC01.
USN rollbacks lead to an inconsistent AD DS on different domain controllers and are very difficult, if not
impossible, to fix. USN rollbacks can cause several issues that can include different users receiving the
same SID, and user passwords possibly being different on different domain controllers, depending on
whether a domain controller with an unreplicated user password had a checkpoint restored. This may affect the
secure channel between computers or even trusts between domains or forests, and replication can be
inconsistent. The same groups can have different members depending on which domain controller is
queried for group membership.
You must avoid USN rollbacks, but they are difficult to prevent when administrators who have access to the virtualization infrastructure are not aware of the effect that checkpoints have on domain controllers. Because checkpoints can only be taken of virtual disks, the recommendation for Windows Server 2008 R2 and earlier versions was that virtual domain controllers should use only physical, linked volumes instead of virtual disks.
In the next topic, you will learn how Windows Server 2012 directly addresses this issue.
Domain Controller Virtualization in Windows Server 2012
In the previous topic, we addressed how snapshots affect virtual domain controllers, and how applying previous snapshots causes the AD DS infrastructure to become inconsistent because of USN rollbacks. Windows Server 2012 addresses and resolves this issue. To safeguard the virtualization of AD DS, you need the following components:
• A hypervisor that supports Virtual Machine Generation Identifier, such as Hyper-V in Windows Server 2012 and newer.
• Domain controllers as guest operating systems based on Windows Server 2012 or Windows Server 2012 R2.
Virtual Machine Generation Identifier is a new identifier that enables the virtualization host to tell the virtualization guest when changes are made, for example when a checkpoint is applied. The virtual domain controller checks the Virtual Machine Generation Identifier during startup and before every write request made to the database. On startup of the virtual machine, the host places the Virtual Machine Generation Identifier into the virtual machine's basic input/output system (BIOS), and the domain controller stores the identifier in the AD DS database. If the Virtual Machine Generation Identifier stored in AD DS is the same as the one in its BIOS, the domain controller continues to work as usual and performs the write request. If the Virtual Machine Generation Identifiers do not match, the domain controller delays the write request and runs the virtualization safeguards to ensure that it is a valid replication partner without causing corruption.
The Virtualization Safeguards Process
There are two scenarios in which the Virtual Machine Generation Identifier is validated:
• When the virtual machine starts after a checkpoint is applied, the application of the checkpoint triggers the hypervisor host to provide a new Virtual Machine Generation Identifier to the virtual machine.
• When the domain controller tries to write to its AD DS database, and the system is rolled back by using a checkpoint, the hypervisor host provides a new Virtual Machine Generation Identifier.
The Hyper-V services compare the new Virtual Machine Generation Identifier with the stored Virtual Machine Generation Identifier. When these identifiers do not match, the domain controller employs the virtualization safeguards. After the restoration is applied, the Virtual Machine Generation Identifier on the AD DS computer object is updated to match the new ID provided by the hypervisor host.
The virtual machine employs virtualization safeguards by:
• Invalidating the local RID pool, which is that domain controller's current allotment of RIDs. You will learn about RID pools in a later lesson.
• Setting a new invocation ID for the domain controller database, which causes the domain controller to present itself to other domain controllers as a new domain controller. It participates in replication and verifies all objects and attributes in its directory against other domain controllers.
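An added monitoring example, not part of the course text: the two identifiers the safeguards work with are visible in AD DS, so a baseline of them can be kept and compared. It assumes the ActiveDirectory module on a domain-joined management host, that the Virtual Machine Generation Identifier is stored in the msDS-GenerationId attribute of the domain controller's computer object, and a baseline file path of your choosing.

```powershell
# Added example (not course material): record each domain controller's
# Virtual Machine Generation Identifier (assumed attribute: msDS-GenerationId on
# the DC computer object) and database invocation ID, then compare a later run
# against that baseline. A changed invocation ID with no planned restore means
# the virtualization safeguards fired; a changed generation ID means a checkpoint
# was applied or the VM was copied. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DcIdentity {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId' -Server $Domain
        $genId = $computer.'msDS-GenerationId'
        # Null on physical DCs or on hypervisors without Generation ID support
        $genText = if ($genId) { [System.BitConverter]::ToString([byte[]]$genId) } else { $null }
        [pscustomobject]@{
            Name         = $dc.HostName
            InvocationId = [string]$dc.InvocationId
            GenerationId = $genText
        }
    }
}

function Save-DcIdentityBaseline {
    param([string]$Path)
    Get-DcIdentity | Export-Clixml -Path $Path
}

function Compare-DcIdentityBaseline {
    # Emits one line per deviation; no output means nothing changed
    param([string]$Path)
    $baseline = Import-Clixml -Path $Path
    foreach ($current in Get-DcIdentity) {
        $old = $baseline | Where-Object { $_.Name -eq $current.Name }
        if (-not $old) { "$($current.Name): not in baseline (new domain controller or clone)"; continue }
        if ($old.InvocationId -ne $current.InvocationId) {
            "$($current.Name): invocation ID $($old.InvocationId) -> $($current.InvocationId); safeguards or a restore ran"
        }
        if ($old.GenerationId -ne $current.GenerationId) {
            "$($current.Name): generation ID changed; a checkpoint was applied or the VM was copied"
        }
    }
}

# First run (path is an assumption): Save-DcIdentityBaseline -Path C:\Baseline\dc-identity.xml
# Later runs:                        Compare-DcIdentityBaseline -Path C:\Baseline\dc-identity.xml
```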
Domain Controller Cloning
Rollout of clients and servers is a critical process. In Windows Server 2008 R2 and earlier versions, administrators would try to limit the amount of time required to install operating systems during rollout, because installations took a very long time. Administrators also needed to limit the network capacity used for deployments while deploying as many standardized computers in the shortest amount of time possible. The process of preparing and deploying customized operating system installations was too complex, and not fully supported when using cloning. Administrators had to create an image of a customized installation by using tools such as the System Preparation Tool (Sysprep) to make certain settings unique, such as a computer's name, IP address settings, and the computer's SID.
In Windows Vista and newer versions, an image-based installation replaced the standard file-based installation. Windows Deployment Services on Windows Server 2008 and above uses standard Windows Server setup technologies, including Windows Preinstallation Environment (Windows PE), .wim files, and image-based setup.
Cloud computing virtual machine services, including private, on-premises clouds created with Microsoft System Center 2012 R2 Virtual Machine Manager, need to be highly scalable and should allow installation of new virtual machines with specific roles when needed. Cloud computing virtual machine services can quickly scale out virtual machines as needed, or shut down unused virtual machines. Cloud computing virtual machine services also deliver consistent performance regardless of the number of requests for virtual machines. You can create a virtual machine template, which is a group of virtual machine settings that are applied when the virtual machine is created. You can use this template to provision servers in the private cloud, creating a new machine from the template by using the same technology as cloning. With Windows Server 2008, this was possible for many roles, but not for the AD DS domain controller role.
When you use Windows Server 2012, you are able to clone domain controllers. The following scenarios benefit from virtual domain controller cloning:
• Rapid deployment of additional domain controllers in a new domain.
• Quickly restoring business continuity during disaster recovery by restoring AD DS capacity through rapid deployment of domain controllers by using cloning.
• Optimizing private cloud deployments by taking advantage of flexible provisioning of domain controllers to accommodate increased scale requirements.
• Rapid provisioning of test environments, enabling deployment and testing of new features and capabilities before production rollout.
• Quickly meeting increased capacity needs in branch offices by cloning existing domain controllers in branch offices, or by cloning them in the data center and then transferring them to branches by using Hyper-V.
Cloning domain controllers requires the following:
• A hypervisor that supports Virtual Machine Generation Identifier, such as Hyper-V in Windows Server 2012 and newer.
• Domain controllers as guest operating systems based on Windows Server 2012 or Windows Server 2012 R2.
• The domain controller that is to be cloned (the source domain controller) must run as a virtual machine guest on the supported hypervisor.
• The PDC emulator must run on Windows Server 2012 or newer. While it is possible to clone Windows Server 2012 domain controllers when older versions of domain controllers exist, the domain controller that holds the PDC emulator operations master role needs to support the cloning process. The PDC emulator must be online when the virtual domain controller clones start for the first time.
To ensure that AD DS administrators authorize cloning virtualized domain controllers, a member of the
Domain Admins group needs to prepare a computer that is to be cloned. Hyper-V administrators are
unable to clone a domain controller without the support of AD DS administrators, and vice versa.
In order to clone the domain controllers, you need to perform the following steps.
Preparing the Source Virtual Domain Controller
Follow these steps to prepare the source virtual domain controller for cloning:
1. Add the source domain controller to the Active Directory group Cloneable Domain Controllers.
2. Verify that the applications and services on the source domain controller support the cloning process. You can do this by using the following Windows PowerShell cmdlet:
Get-ADDCCloningExcludedApplicationList
If there are applications or services whose support for cloning is unknown or not documented, you need to test them first. If they work after cloning, put the applications or services in the CustomDCCloneAllowList.xml file. You can create CustomDCCloneAllowList.xml by using the same cmdlet with the -GenerateXml parameter. Optionally, add the -Force parameter if an existing CustomDCCloneAllowList.xml file needs to be overwritten:
Get-ADDCCloningExcludedApplicationList -GenerateXml [-Force]
3. Create a DCCloneConfig.xml file. You need to create this file so that the cloning process recognizes it and creates a new domain controller from the clone. In this file, you can specify a custom computer name, TCP/IP address settings, and the site name where the new domain controller should reside. If you do not specify one or all of these parameters, a computer name is generated automatically and IP address settings are set to dynamic. This requires a Dynamic Host Configuration Protocol (DHCP) server on the network and assumes that the domain controller clones are in the same site as the source domain controller. You can use the following Windows PowerShell cmdlet to create the DCCloneConfig.xml file:
New-ADDCCloneConfigFile [-CloneComputerName <String>] [-IPv4DNSResolver <String[]>] [-Path <String>] [-SiteName <String>]
If you want to create more than one clone and specify settings such as computer names and TCP/IP addressing information, you need to modify the DCCloneConfig.xml file, or create a new, individual one for each clone, before starting it for the first time.
4. Export the source virtual domain controller.
Preparing Multiple Domain Controller Clones
If you want to prepare multiple domain controller clones, do not provide any additional parameters; let the computer name be generated automatically, and use DHCP to provide TCP/IP addressing information. Alternatively, you can customize each clone by creating an individual DCCloneConfig.xml file. To do this, follow these steps:
1. Create the cloned virtual hard disks by exporting and importing the virtual computer.
2. Mount the new cloned virtual hard disks by using one of the following three methods:
• Double-click them in File Explorer.
• Use Diskpart.exe with the assign command at an elevated command prompt.
• Use the Mount-DiskImage Windows PowerShell cmdlet.
3. Use the -Offline and -Path parameters with the New-ADDCCloneConfigFile cmdlet. Change E: to the drive letter you used when mounting the virtual hard disk in the previous step:
New-ADDCCloneConfigFile -CloneComputerName LON-DC3 -Offline -Path E:\Windows\NTDS
4. Unmount the virtual disk files by using Diskpart.exe or the Dismount-DiskImage Windows PowerShell cmdlet.
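The source preparation steps and the per-clone offline configuration above combined into one script, as an added example that is not part of the course text. LON-DC1 and LON-DC3 are the course's lab names; LON-DC4, the site name, the disk paths, the Hyper-V VM name and the IP addresses are constructed for this example.

```powershell
# Added example (not course material): prepare the source DC for cloning, then
# write one offline DCCloneConfig.xml into each copied disk with a static address.
# Assumed/constructed: LON-DC4, Default-First-Site-Name, D:\Clones paths, 172.16.0.0/16.
Import-Module ActiveDirectory
$source = 'LON-DC1'

# Step 1 (Domain Admin): authorize the source DC for cloning
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $source)

# Step 2 (runs on the source DC): stop if any installed application has unknown cloning support
$excluded = Invoke-Command -ComputerName $source -ScriptBlock { Get-ADDCCloningExcludedApplicationList }
if ($excluded) {
    $excluded | Out-String | Write-Warning
    throw "Test the listed entries, then run Get-ADDCCloningExcludedApplicationList -GenerateXml -Force on $source"
}

# Step 4 (on the Hyper-V host, VM name assumed to equal the computer name): shut the
# source down and export it; the exported disk is what gets copied per clone below.
# Stop-VM -Name $source; Export-VM -Name $source -Path 'D:\Export'

# Step 3, offline variant: one DCCloneConfig.xml per copied disk
$clones = @(
    @{ Name = 'LON-DC3'; Vhd = 'D:\Clones\LON-DC3\LON-DC1.vhdx'; Ip = '172.16.0.13' }
    @{ Name = 'LON-DC4'; Vhd = 'D:\Clones\LON-DC4\LON-DC1.vhdx'; Ip = '172.16.0.14' }
)
foreach ($clone in $clones) {
    Mount-DiskImage -ImagePath $clone.Vhd | Out-Null
    $number = (Get-DiskImage -ImagePath $clone.Vhd).Number
    # Find the volume that holds the directory database (the E: drive of the text)
    $drive = (Get-Disk -Number $number | Get-Partition | Get-Volume |
        Where-Object { $_.DriveLetter -and (Test-Path "$($_.DriveLetter):\Windows\NTDS") }).DriveLetter
    if (-not $drive) {
        Dismount-DiskImage -ImagePath $clone.Vhd
        throw "No Windows\NTDS folder found on any volume of $($clone.Vhd)"
    }
    New-ADDCCloneConfigFile -Offline -Path "${drive}:\Windows\NTDS" `
        -CloneComputerName $clone.Name -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address $clone.Ip -IPv4SubnetMask '255.255.0.0' `
        -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'
    Dismount-DiskImage -ImagePath $clone.Vhd
}
```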
Dynamically Assigning Computer Names
If you do not configure DCCloneConfig.xml with a static computer name (for example, to create multiple clones without an individual configuration), the computer name of the new clone is generated automatically based on the following algorithm:
• The prefix is the first eight characters of the source domain controller computer name. For example, a source computer name of SourceComputer is abbreviated to the prefix SourceCo.
• A unique naming suffix of the format -CLnnnn is appended to the prefix, where nnnn is the next available value from 0001 to 9999 that the PDC emulator determines is not currently in use.
Creating the Virtual Domain Controller Clones
To create the virtual domain controller clones, follow these steps:
1. Ensure that the domain controller that holds the PDC emulator operations master role runs on Windows Server 2012 or Windows Server 2012 R2.
2. Ensure that the PDC emulator and a domain controller hosting the global catalog are online.
3. Using the DCCloneConfig.xml files from the preparation steps, use the import function to create as many clones as needed. When using Hyper-V, select Copy the virtual machine (create a new unique ID) to import multiple, individual instances of the same exported computer.
4. As required, individually configure clones following steps 1-3 outlined above.
5. Start the clones.
Finalizing Domain Controller Cloning
When a new domain controller clone starts, the following steps are performed automatically:
1. The clone verifies whether a Virtual Machine Generation Identifier exists. If the Virtual Machine Generation Identifier does not exist, the computer either starts up normally when no DCCloneConfig exists, or renames the DCCloneConfig and restarts in Directory Services Restore Mode, which is one of the specialized boot options available to domain controllers. Starting in Directory Services Restore Mode is a safeguard; a domain administrator needs to pay close attention and fix the issue to make the domain controller work as intended.
2. Check whether the Virtual Machine Generation Identifier changed:
• If the Virtual Machine Generation Identifier has not changed, the starting virtual domain controller is the original source domain controller. If a DCCloneConfig exists, it is renamed. In any case, a normal startup is performed and the domain controller is functional again.
• If the Virtual Machine Generation Identifier has changed, the virtualization safeguards are triggered and the process continues.
3. Check whether the DCCloneConfig exists. If it does not exist, a check for a duplicate IP address decides whether to boot normally or in Directory Services Restore Mode. If the DCCloneConfig file exists, the computer receives the new computer name and IP address settings from that file. The AD DS database is modified and initialization steps are performed so that a new domain controller is created.
Demonstration: Cloning Domain Controllers
In this demonstration, you will see how to:
• Prepare a source domain controller to be cloned.
• Export the source virtual machine.
• Create and start the cloned domain controller.
Demonstration Steps
Prepare the source domain controller that you want to clone:
1. Switch to LON-DC1.
2. Add the domain controller LON-DC1 to the Active Directory group Cloneable Domain Controllers.
3. Verify applications and services on LON-DC1 to ensure that they support cloning.
4. Create a DCCloneConfig.xml file, and then, within the file, set the cloned domain controller name to
LON-DC3.
5. Shut down LON-DC1.
Export the source virtual machine
1. On the host computer, in Hyper-V Manager, export LON-DC1.
2. Start LON-DC1.
Create and start the cloned domain controller
1. In Hyper-V Manager, import a virtual machine by using the exported files. Name the new virtual
machine 20411C-LON-DC3, and then select Copy the virtual machine (create a new unique ID).
2. In Hyper-V Manager, start LON-DC3.
Domain Controller Virtualization Best Practices
Virtualization provides many benefits, such as hardware independence, efficient use of resources, and scalability in private cloud scenarios. It also provides flexibility when moving virtual machines across virtualization infrastructures. In the past, virtualizing domain controllers required the administrators of the virtual infrastructure to have knowledge of the AD DS-specific requirements and to take precautions not to introduce additional risks to an AD DS infrastructure.
In Windows Server 2012, fundamental improvements provide new safeguards to the process of virtualizing domain controllers. The ability to clone virtual domain controllers was also introduced in Windows Server 2012.
When considering whether to use virtualized domain controllers, you should keep the following best practices in mind:
• Avoid single points of failure. Ensure that you have at least two virtualized domain controllers per domain on different virtualization hosts. This reduces the risk of losing all domain controllers if a single virtualization host fails. Also, use different storage networks and storage systems. Maintain domain controllers in different data centers or regions to reduce the impact of disasters.
• Ensure that all computers, including the hypervisor hosts and the domain controller guests, synchronize their time correctly.
• Keep in mind that only virtualization infrastructures that support the new Virtual Machine Generation Identifier feature support the safeguards for creating checkpoints and cloning of virtual domain controllers.
• Use Windows Server 2012 or Windows Server 2012 R2 as the guest operating system for virtual domain controllers. Only these versions support the new safeguards for virtual domain controllers.
• Avoid or disable checkpoints. If the virtualization host or the guest operating systems of the domain controllers do not support the safeguards for virtualizing domain controllers, disable the possibility of creating checkpoints; for example, use a pass-through disk instead of a virtual disk. When the safeguards are supported, use a virtual disk to support cloning, but avoid using checkpoints.
• Hold the virtualization administrators to the same level of trust and responsibility as you hold the Domain Administrators.
• Consider taking advantage of cloning. Cloning can be a deployment or recovery strategy. It provides a fast and simple way to create many domain controllers in a short time.
• Do not start more than 10 new clones at the same time, because the file replication used for SYSVOL only allows 10 replication connections at the same time.
• Consider using virtualization technologies that allow you to move virtual machines across site boundaries. This can be beneficial in your deployment and recovery strategies. For example, you can create 10 clones in a central location and then move them to remote offices during off-peak hours.
• Adjust your naming strategy to allow cloning of domain controllers. For example, retain the first eight characters of the source domain controller name, and then append a suffix of -CLnnnn.
For more information about running domain controllers in Hyper-V, go to:
http://go.microsoft.com/fwlink/?LinkID=331162

Lesson 3
Implementing RODCs
In many cases, such as at a remote branch office or a location where you cannot place a server in a secure
physical environment, RODCs can provide the functionality of a domain controller without potentially
exposing your AD DS environment to unnecessary risks. This lesson will help you to better understand the
methods and best practices that you can use to manage RODCs in the Windows Server 2012 R2
environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain considerations for implementing RODCs.
• Describe how to manage credential caching on an RODC.
• Identify the important aspects of managing local administration for RODCs.
• Configure credential caching on an RODC.
Considerations for Implementing RODCs
An RODC has a read-only copy of an Active Directory database, which contains all of the domain's objects, but not all of their attributes. System-critical attributes, such as passwords, do not replicate to an RODC by default. Also by default, additional attributes are prevented from being replicated to RODCs. If you need certain information to be stored on the RODC, you can mark the attribute as confidential and add it to the Filtered Attribute Set.
Understanding RODC Functionality
You cannot make changes to the AD DS database
on an RODC. All requests for changes are forwarded to a writable domain controller. Because no changes
occur on the RODC, replication of Active Directory changes is one-way only, from writable domain
controllers to the RODC.
Credential Caching
User and computer credentials are not replicated to an RODC by default. To allow user logon requests to
be processed locally by using an RODC, you need to configure a Password Replication Policy (PRP) that
defines which user credentials can be cached. If the RODC is stolen, only passwords for the cached user
and computer accounts need to be reset.
If user and computer credentials are not replicated to an RODC, then a writable domain controller must
be contacted during the authentication process. In a typical branch office scenario, the credentials for
local users and computers would be configured to be cached on an RODC. However, when RODCs are
placed in a perimeter network, the credentials for users and computers typically are not cached.

Administrative Role Separation
To manage a writable domain controller, you must be a member of the domain local Administrators group. Any user placed in the domain local Administrators group receives permissions to manage all domain controllers in the domain. However, the RODC administrator in a remote office should not be given access to the organization's other domain controllers. The administrator of an RODC should receive permission to manage only that RODC, which may also be configured to provide other services such as file shares and printing.
Read-Only DNS
Domain Name System (DNS) is a critical resource for a Windows network. If you configure an RODC as a DNS server, then you can replicate DNS zones through AD DS to the RODC. DNS on the RODC is read-only. DNS update requests are referred to a writable copy of DNS.
Deploying RODCs
To deploy an RODC, ensure that the following activities are performed:
• Ensure that the forest functional level is Windows Server 2003 or newer. That means that all domain controllers must be Windows Server 2003 or newer, and each domain in the forest must be at the domain functional level of Windows Server 2003 or newer.
• Run ADPrep /RODCPrep. This configures permissions on DNS application directory partitions to allow them to replicate to RODCs. This is required only if the Active Directory forest has been upgraded.
• Ensure that there is a writable domain controller running Windows Server 2008 or newer. An RODC replicates the domain partition only from these domain controllers. Therefore, each domain with RODCs must have at least one Windows Server 2008 or newer domain controller. You can replicate the Schema and Configuration partitions from Windows Server 2003.
You can also choose to deploy an RODC to Windows Azure depending on your need for a writable
domain controller. In most cases, Windows Azure is a more secure environment than a typical small
branch office. However, using an RODC housed in Windows Azure can decrease replication traffic
substantially. You can also create a customized filtered attribute set which will allow the Windows Azure
housed RODC to store some needed replicable attributes.
RODC Installation
As with a writable domain controller, you can install an RODC by performing an attended or an unattended installation. If you perform an attended installation by using the graphical interface, you select the RODC option as one of the additional domain controller options.
You also can delegate the RODC installation to the administrator in the remote office by performing a
staged installation. In a staged installation, you need to perform the following steps:
1. Ensure that the server to be configured as the RODC is not a member of the domain.
2. A domain administrator then uses Active Directory Users and Computers to stage the RODC account
in the Domain Controllers OU. The wizard for performing this process prompts the administrator for
the necessary information, including the user or group that is allowed to join the RODC to the
domain.
3. The administrator in the remote office runs the AD DS Installation Wizard, and follows the wizard to
join the domain as the staged RODC account.
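The staged installation above done with the ADDSDeployment cmdlets instead of the wizards, as an added example that is not part of the course text. LON-SVR1, Adatum.com, ADATUM\IT, April and LON-DC1 are the course's lab names; the site name is assumed.

```powershell
# Added example (not course material): staged RODC installation with the
# ADDSDeployment module. Assumed: site name Default-First-Site-Name; the
# delegated group is ADATUM\IT and the remote administrator is ADATUM\April.

# Step 2, run by a Domain Admin from a writable DC or management host: stage the
# RODC account, delegate the join to the remote office IT group, and allow that
# group's passwords to be cached so its members can still administer the RODC
# when no writable DC is reachable. Domain-wide admin groups stay on the
# default Denied List, so their secrets never land on this server.
Import-Module ADDSDeployment
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LON-SVR1' `
    -DomainName 'Adatum.com' `
    -SiteName 'Default-First-Site-Name' `
    -DelegatedAdministratorAccountName 'ADATUM\IT' `
    -AllowPasswordReplicationAccountName @('ADATUM\IT') `
    -Credential (Get-Credential -Message 'Domain Admin account')

# Steps 1 and 3, run on LON-SVR1 by the delegated administrator (ADATUM\April).
# The server must not already be a domain member: promotion takes over the
# staged account, and a live membership would block that.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'Remove this server from the domain and restart it before using the staged RODC account.'
}
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'Adatum.com' `
    -UseExistingAccount `
    -ReplicationSourceDC 'LON-DC1.Adatum.com' `
    -Credential (Get-Credential -Message 'ADATUM\April') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
    -Force
```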
Managing Credential Caching on an RODC
RODCs provide the capability to store only a subset of credentials for accounts in AD DS through the implementation of credential caching. With credential caching, a PRP determines which user and computer credentials can be cached on a specific RODC. If the PRP allows an RODC to cache an account's credentials, the RODC can process authentication and service ticket activities of that account locally. If an account's credentials are not cached on the RODC, such as when the PRP has not been modified, the RODC chains authentication and service ticket activities to a writable domain controller.
Password Replication Policy Components
The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific
accounts or groups. An account must be on the Allowed List for credentials to be cached. If a group is on
the Allowed List and a member of that group is on the Denied List, caching is not allowed for that
member.
There are two domain local groups that you can use to allow or deny caching globally to all RODCs in a domain:
• Allowed RODC Password Replication Group is added to the Allowed List of all RODCs. This group has no members by default.
• Denied RODC Password Replication Group is added to the Denied List of all RODCs. By default, Domain Admins, Enterprise Admins, and Group Policy Creator Owners are the members of this group.
The Allowed List and Denied List are configured on each RODC. The Allowed List contains only the
Allowed RODC Password Replication Group. The default membership of the Denied List includes
Administrators, Server Operators, and Account Operators.
As a domain administrator, you will add accounts separately to each RODC, or add global groups
containing accounts rather than globally allowing password caching. This allows you to limit the number
of credentials cached to only those accounts commonly at that location. You should not cache domain-
wide administrative accounts on RODCs in remote offices. You should cache computer accounts to speed
up authentication of computer accounts during system startup. Additionally, you should cache service
accounts for services that are running at the remote office.
Best Practices for Credential Caching
You should observe the following best practices to ensure the most effective use of cached credentials:
• Create separate AD DS global groups for each RODC.
• Do not cache passwords for domain-wide administrative accounts.

Managing Local Administration for RODCs
The management of RODCs is separate from other domain controllers. Accordingly, you can delegate administration of RODCs to local administrators in remote offices, without giving those administrators access to writable domain controllers. You can delegate administration of an RODC in the properties of the RODC computer account on the Managed By tab.
You can specify only a single security principal on the Managed By tab of an RODC computer account. Specify a group so that you can delegate management permissions to multiple users by making them members of the group. You also can delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles option, as the following example shows:
C:\>dsmgmt
Dsmgmt: local roles
local roles: add Adatum\Research
You should cache the password for delegated administrators to ensure that you can perform system
maintenance when a writable domain controller is unavailable.
Note: You should never access the RODC with an account that is a member of the Domain
Admins global group. RODC computers are considered compromised by default, so, you should
assume that by logging in to the RODC, you are giving up domain administrator credentials.
Thus, domain administrators should have a separate server administrator type account that is
delegated management access to the RODC.
Demonstration: Configuring RODC Credential Caching
In this demonstration, you will see how to:
• Configure password replication groups.
• Create a group to manage password replication to the remote office RODC.
• Configure a password replication policy for the remote office.
• Evaluate the resulting password replication policy.
• Monitor credential caching.
Demonstration Steps
Verify requirements for installing an RODC
1. On LON-DC1, in Server Manager, open Active Directory Users and Computers.
2. In the properties of Adatum.com, verify that the forest functional level is set to at least Windows
Server 2003.
3. On LON-SVR1, open Server Manager, and verify whether the computer is a domain member.
4. Assign LON-SVR1 to a workgroup named TEMPORARY.

5. Restart LON-SVR1.
6. On LON-DC1, open Active Directory Users and Computers.
7. Delete the LON-SVR1 computer account from the Computers container.
8. In the Domain Controllers OU, precreate an RODC account by using default settings, except for the
following:
• Computer name: LON-SVR1
• Delegate to: ADATUM\IT
Install an RODC
1. Sign in to LON-SVR1 as Administrator with the password Pa$$w0rd.
2. On LON-SVR1, add the Active Directory Domain Services role.
3. Complete the Active Directory Domain Services Installation Wizard by using default options except
those listed below:
• Domain: Adatum.com
• Network credentials: Adatum\April (a member of the IT group)
• Password for April: Pa$$w0rd
• Directory Services restore mode password: Pa$$w0rd
• Replicate from: LON-DC1.Adatum.com
4. When installation is complete, restart LON-SVR1.
Configure password replication groups
1. On LON-DC1, in the Users container, view the membership of the Allowed RODC Password
Replication Group, and verify that there are no current members.
2. In the Domain Controllers OU, open the properties of LON-SVR1.
3. On the Password Replication Policy tab, verify that Allowed RODC Password Replication Group
and Denied RODC Password Replication Group are listed.
Create a group to manage password replication to the remote office RODC
1. On LON-DC1, in Active Directory Users and Computers, in the Research OU, create a new group
named Remote Office Users.
2. Add Aziz, Colin, Lukas, Louise, and LON-CL1 to the membership of Remote Office Users.
Configure a Password Replication Policy for the remote office RODC
1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then
open the properties of LON-SVR1.
2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate
passwords to LON-SVR1.
Evaluate the resulting Password Replication Policy
1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
properties of LON-SVR1.
2. On the Password Replication Policy tab, click Advanced. On the Resultant Policy tab, add Aziz,
and then confirm that Azizs password can be cached.
Monitor credential caching
1. Attempt to sign in to LON-SVR1 as Aziz. This logon will fail because Aziz does not have permission to log on to the RODC, but authentication is performed and the credentials are cached.
2. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
properties of LON-SVR1.
3. On the Password Replication Policy tab, click Advanced.
4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only
Domain Controller option. Notice that Azizs password has been cached.
Prepopulate credential caching
1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click
LON-SVR1, and then click Properties.
2. On the Password Replication Policy tab, click Advanced.
3. On the Policy Usage tab, prepopulate the password for Louise and LON-CL1.
4. Read the list of cached passwords, and then confirm that Louise and LON-CL1 have been added.
5. Close all open windows on LON-DC1.
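The same configuration, evaluation, prepopulation, and monitoring steps can be scripted with the Active Directory module for Windows PowerShell. The following is an added example and is not part of the course; the names LON-DC1, LON-SVR1, Remote Office Users, Aziz, Louise, and LON-CL1 are those of the lab, and the Remote Office Users group is assumed to exist already. The final two checks go beyond the lab: they compare what the RODC actually caches against what the policy allows, which is the list you need if the RODC is ever stolen.

```powershell
# Added example, not part of the course text: manage and audit the Password
# Replication Policy (PRP) of the RODC LON-SVR1 with the Active Directory module.
# Names come from the lab (LON-DC1, LON-SVR1, Remote Office Users, Aziz, Louise,
# LON-CL1); the Remote Office Users group is assumed to exist already.
Import-Module ActiveDirectory

$rodc     = 'LON-SVR1'
$writable = 'LON-DC1'
$allowGrp = 'Remote Office Users'

# 1. Allow the group's members to have their passwords cached on the RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGrp

# 2. Resultant policy for one account before anyone signs in. 'Allow' means the
#    RODC may cache Aziz's password; DenyExplicit / DenyImplicit means it may not.
#    Membership of Denied RODC Password Replication Group always wins over Allow.
$resultant = Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Aziz' -DomainController $rodc
Write-Output "Resultant policy for Aziz on ${rodc}: $resultant"

# 3. Prepopulate credentials so that the remote office keeps authenticating even
#    if the WAN link is down before these accounts have logged on once.
$toPrepopulate = @((Get-ADUser -Identity 'Louise'), (Get-ADComputer -Identity 'LON-CL1'))
foreach ($obj in $toPrepopulate) {
    Sync-ADObject -Object $obj.DistinguishedName -Source $writable -Destination $rodc -PasswordOnly
}

# 4. Audit: which secrets does this RODC hold right now? That set is exactly what
#    an attacker obtains from a stolen RODC, so flag anything cached for an account
#    that is not a member of the allowed group.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$allowed  = @(Get-ADGroupMember -Identity $allowGrp -Recursive | Select-Object -ExpandProperty DistinguishedName)
$unexpected = $revealed | Where-Object { $allowed -notcontains $_.DistinguishedName }

Write-Output "Accounts cached on ${rodc}: $($revealed.Count)"
if ($unexpected) {
    Write-Warning "Cached on $rodc but not a member of '$allowGrp':"
    $unexpected | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}

# 5. Accounts that authenticated through this RODC but were not cached: either
#    candidates for the allowed group, or a sign that an account is being used
#    from a location where it should not be.
$revealedDNs = $revealed | ForEach-Object { $_.DistinguishedName }
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Where-Object { $revealedDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName
```

Run it from LON-DC1 as a domain administrator. Step 4 is the one to keep in a scheduled job: a password that is cached on an RODC outside the allowed list is a policy drift that the GUI does not surface.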
Lesson 4
Administering AD DS
The AD DS environment contains a large number of management tools that enable you to monitor and
modify AD DS. These tools help you ensure that your organization's domain infrastructure is serving its
purpose and functioning properly. Windows Server 2012 includes a broader set of tools for working within
AD DS than previous versions of the Windows operating system. Improvements to the Active Directory
Administrative Center and the addition of several cmdlets to the Active Directory module for Windows
PowerShell provide even greater control over your AD DS domain.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the Active Directory administrative snap-ins.
Describe the Active Directory Administrative Center.
Describe the Active Directory module for Windows PowerShell.
Explain how to manage AD DS by using management tools.
Explain how to manage operations master roles.
Explain how to manage AD DS backup and recovery.
Overview of Active Directory Administration Snap-ins
There are a number of tools available to
administer and manage your domain. Many of
these tools that were found under the
Administrative Tools menu item in Windows
Server 2008 R2 and earlier versions are now found
in the Tools tab in Windows Server 2012 Server
Manager. Additionally, you can create a custom Microsoft
Management Console (MMC) and add the tools to the
console. The process of adding tools to the
console is referred to as snapping in, and the
added tools are called snap-ins. You will perform
most Active Directory administration by using the
following snap-ins and consoles:
Active Directory Users and Computers. This snap-in manages most common day-to-day resources,
including users, groups, and computers. This is likely to be the most heavily used snap-in for an
administrator of an Active Directory environment.
Active Directory Sites and Services. This Microsoft Management Console (MMC) snap-in manages
replication, network topology, and related services.
Active Directory Domains and Trusts. This MMC snap-in configures and maintains trust relationships
on the domain and forest functional level.
Active Directory Schema. This MMC snap-in examines and modifies the definition of Active Directory
attributes and object classes. The schema is the blueprint for AD DS, and you typically do not view or
change it very often. Therefore, the Active Directory Schema snap-in is not fully installed, by default.

By default, the AD DS administrative snap-ins are installed on computers hosting the domain controller
role. You can add the snap-ins to other computers such as clients running the Windows 8.1 operating
system and Windows Server 2012 member servers, by installing the Remote Server Administration Tools
(RSAT). Follow the steps below to install the RSAT on Windows 8.1 clients:
1. Sign in as a domain administrator to the computer on which you want to run the administrative snap-ins,
and then obtain and install the Remote Server Administration Tools for Windows 8.1 from the Official
Microsoft Download Center. The RSAT is an .msu file, a standalone Windows Update file. 64-bit and
32-bit versions of the .msu file are available from the Download Center. Select the version that is
appropriate for your client architecture.
2. The RSAT adds all of the AD DS administrative snap-ins to the client. To verify this installation, open
Control Panel, click Programs, click Programs and Features, and then click the hyperlink Turn
Windows Features on or off. Scroll down to find the Remote Server Administrative Tools node,
and expand it in the following order: Role Administrative Tools, AD DS and LDS Tools, AD DS
Tools, AD Snap-ins.
3. On the Start screen, click the down arrow, scroll to the right, find and right-click Administrative
Tools, and then click Pin to Taskbar.
4. In the desktop screen, click the Administrative Tools icon on the task bar. Confirm that the AD DS
administrative snap-ins listed above are available.
Overview of the Active Directory Administrative Center
Windows Server 2012 provides another option for
managing AD DS objects. The Active Directory
Administrative Center provides a GUI built on
Windows PowerShell. This enhanced interface
allows you to perform Active Directory object
management by using task-oriented navigation.
Tasks that you can perform by using the Active
Directory Administrative Center include:
Creating and managing user, computer, and
group accounts.
Creating and managing OUs.
Connecting to and managing multiple domains within a single instance of the Active Directory
Administrative Center.
Searching and filtering Active Directory data by building queries.
Creating and managing fine-grained password policies.
Recovering objects from the Active Directory Recycle Bin.
Installation Requirements
You can install the Active Directory Administrative Center only on computers that are running Windows
Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, the Windows 7 operating system, or
Windows 8. You can install the Active Directory Administrative Center by either:
Installing the AD DS server role through Server Manager.
Installing the RSAT on a Windows Server 2012 server or Windows 8 client.

Note: The Active Directory Administrative Center relies on the Active Directory Web
Services (ADWS) service, which must be running on at least one domain controller in the domain. ADWS
is installed automatically with the AD DS role on Windows Server 2008 R2 and newer domain controllers.
The service listens on TCP port 9389, which must be reachable on the domain controller where ADWS is
running.
New Active Directory Administrative Center Features in Windows Server 2012
The Active Directory Administrative Center includes several new features in Windows Server 2012 that
enable the graphical management of AD DS functionality:
Active Directory Recycle Bin. Active Directory Administrative Center now offers complete
management of the Active Directory Recycle Bin. Administrators can use Active Directory
Administrative Center to view and locate deleted objects, and to manage and restore those objects to
their original or other desired location.
Fine-Grained Password Policy. Active Directory Administrative Center also provides a GUI to create
and manage password settings objects to implement fine-grained password policies in an AD DS
domain.
Windows PowerShell History Viewer. Active Directory Administrative Center functionality is built on
Windows PowerShell. Any command or action that you perform within the Active Directory
Administrative Center interface is executed in Windows Server 2012 through Windows PowerShell
cmdlets. When an administrator performs a task within the Active Directory Administrative Center
interface, the Windows PowerShell History Viewer shows the Windows PowerShell commands that
were issued for the task. This enables administrators to reuse code to create reusable scripts, and
allows them to become more familiar with Windows PowerShell syntax and usage.
What Is Ntdsutil?
Ntdsutil is a command-line executable that you
can use to perform database maintenance,
including the creation of snapshots, offline
defragmentation, and the relocation of the
database files.
You also can use Ntdsutil to clean up domain
controller metadata. If a domain controller is
removed from the domain while offline, it is
unable to remove important information from the
directory service. You can then use Ntdsutil to
clean out the remnants of the domain controller.
Ntdsutil can also reset the password used to log on in Directory Services Restore Mode. You configure
this password initially when you configure a domain controller. If you forget the password, the ntdsutil
set dsrm password command can reset it. Because this password grants local administrative access to the
domain controller and its database, treat it as a privileged credential and store it securely.
Overview of the Active Directory Module for Windows PowerShell
The Active Directory module for Windows
PowerShell in Windows Server 2012 consolidates a
group of cmdlets that you can use to manage
your Active Directory domains. Windows
Server 2012 builds on the foundation provided by
the Active Directory module for Windows
PowerShell originally introduced in Windows
Server 2008 R2, by adding an additional 60
cmdlets. These cmdlets expand the preexisting
Windows PowerShell capabilities and add new
capabilities to replication and resource access
control.
The Active Directory module for Windows PowerShell enables management of AD DS in the following
areas:
User management.
Computer management.
Group management.
OU management.
Password policy management.
Searching and modifying objects.
Forest and domain management.
Domain controller and operations-masters management.
Managed service account management.
Site-replication management.
Central access and claims management.
Cmdlet Examples
The following are examples of cmdlets available in the Active Directory module for Windows PowerShell
in Windows Server 2012:
New-ADComputer creates a new computer object in AD DS.
Remove-ADGroup removes an Active Directory group.
Set-ADDomainMode sets the domain functional level for an Active Directory domain.
Installation
You can install the Active Directory module by using any of the following methods:
By default, on a Windows Server 2008 R2 or Windows Server 2012 server, when you install the AD DS
or Active Directory Lightweight Directory Services (AD LDS) server roles.
By default, when you make a Windows Server 2008 R2 or Windows Server 2012 server a domain
controller.
As part of the RSAT feature on a computer running Windows Server 2008 R2, Windows Server 2012,
Windows 7 or Windows 8.

Demonstration: Managing AD DS by Using Management Tools
Each AD DS management tool has a purpose in the administration of a complete AD DS environment.
This demonstration will show you the primary tools that you can use to manage AD DS and a task that
you typically perform with the tool.
This demonstration shows you how to:
Create objects in Active Directory Users and Computers.
View object attributes in Active Directory Users and Computers.
Navigate within the Active Directory Administrative Center.
Perform an administrative task in the Active Directory Administrative Center.
Use the Windows PowerShell Viewer in the Active Directory Administrative Center.
Manage AD DS objects with Windows PowerShell.
Demonstration Steps
Active Directory Users and Computers
View objects
1. On LON-DC1, open Active Directory Users and Computers.
2. Navigate the Adatum.com domain tree, viewing Containers, Organizational Units (OUs), and
Computer, User, and Group objects.
Refresh the view
Refresh the view in Active Directory Users and Computers.
Create objects
1. Create a new computer object named LON-CL4 in the Computers container.
2. To create an object in Active Directory Users and Computers, right-click a domain or a container, such
as Users or Computers, or an OU, point to New, and then click the type of object that you want to
create.
3. When you create an object, you are prompted to configure several of the object's most basic
properties, including the properties that the object requires.
Configure object attributes
1. In Active Directory Users and Computers, open the Properties page for LON-CL4.
2. Add LON-CL4 to the Adatum/Research group.
View all object attributes
1. Enable the Advanced Features view in Active Directory Users and Computers.
2. Open the Properties page for LON-CL4, and then view the AD DS attributes.
Active Directory Administrative Center
Navigation
1. On LON-DC1, open Active Directory Administrative Center.
2. In Active Directory Administrative Center, click the Navigation nodes.
3. Switch to the tree view.
4. Expand Adatum.com.
Perform administrative tasks
1. Navigate to the Overview view.
2. Reset the password for Adatum\Adam to Pa$$w0rd, without requiring the user to change the
password at the next sign-in.
3. Use the Global Search section to find any objects that match this search string: Rex.
Use the Windows PowerShell History Viewer
1. Open the Windows PowerShell History pane.
2. View the Windows PowerShell cmdlet that you used to perform the most recent task.
Windows PowerShell
Create a group
1. Open the Active Directory Module for Windows PowerShell.
2. Create a new group called SalesManagers by using the following command:
New-ADGroup -Name SalesManagers -GroupCategory Security -GroupScope Global -DisplayName "Sales Managers" -Path "CN=Users,DC=Adatum,DC=com"
3. Open Active Directory Administrative Center, and confirm that the SalesManagers group is present in
the Users container.
Move an object to a new OU
1. At the Windows PowerShell prompt, move SalesManagers to the Sales OU by using the following
command:
Move-ADObject -Identity "CN=SalesManagers,CN=Users,DC=Adatum,DC=com" -TargetPath "OU=Sales,DC=Adatum,DC=com"
2. Switch to Active Directory Administrative Center, and then confirm that the SalesManagers group
has been moved to the Sales OU.
Managing Operations Master Roles
One of the major benefits of using AD DS is that the AD DS database is not held on a single computer:
every domain controller holds a copy of the database, and each domain controller's copy is writable. This
provides simple load balancing when multiple administrators and users are adding data to or modifying
the database. There is no single writable master domain controller devoted to writing changes; all domain
controllers can write changes. In an AD DS environment, multimaster replication means that all domain
controllers have the same general capabilities and priorities when modifying the AD DS database.
However, certain operations must be performed by only one system. In AD DS, operations masters are
domain controllers that perform a specific function within the domain environment. In other words, for
these specific functions, this particular portion of the AD DS database is not multimaster, but single
master: only one domain controller writes this data. Some of these functions apply to the entire forest
and others only to a single domain within a forest. There are therefore forest-wide and domain-wide
operations master roles.
Forest-Wide Operations Master Roles
The schema master and the domain-naming master must be unique in the forest. Only one domain
controller in the entire forest performs each role. By default, the first domain controller in the forest fulfills
these roles. You can transfer either role to another domain controller; the recommended practice is to
keep both roles on a domain controller in the forest root domain.
Domain Naming Master Role
The domain-naming role is used when adding or removing domains and application partitions in the
forest. When you add or remove a domain or application partition, the domain-naming master must be
accessible, or the operation will fail.
Schema Master Role
The domain controller holding the schema master role is responsible for making any changes to the
forests schema. All other domain controllers hold read-only replicas of the schema. When you need to
modify the schema, the modifications must be sent to the domain controller that hosts the schema master
role.
Domain-Wide Operations Master Roles
Each domain maintains three single-master operations: RID master, infrastructure master, and PDC
emulator. Only one domain controller in the domain performs each role. By default, the first domain
controller in a domain fulfills these roles. You can change the role holder to another domain controller
within the same domain.
RID Master Role
The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals
such as users, groups, and computers. The SID of a security principal must be unique. Because any domain
controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs
generated by different domain controllers are unique. Active Directory domain controllers generate SIDs
by appending a unique relative identifier (RID) to the domain SID. The RID master for the domain allocates
pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be
confident that the SIDs that it generates are unique. If the RID master is unavailable for a long period,
domain controllers that exhaust their RID pool can no longer create security principals.
Infrastructure Master Role
In a multidomain environment, it is common for an object to reference objects in other domains. For
example, a group can include members from another domain. Its multivalued member attribute contains
the distinguished names of each member. If the member in the other domain is moved or renamed, the
infrastructure master of the group's domain updates the references to the object.
PDC Emulator Role
The PDC Emulator role performs the following crucial functions for a domain:
Participates in special password update handling for the domain. When a user's password is reset or
changed, the domain controller that makes the change replicates the change immediately to the PDC
emulator. This special replication ensures that the domain controllers know about the new password
as quickly as possible.
Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at
approximately the same time, there could be conflicts between the two versions that could not be
reconciled as the GPO replicates. To avoid this situation, the Group Policy management tools connect to
the PDC emulator by default, so that it acts as the focal point for all Group Policy changes.
Provides a master time source for the domain. Many Windows components and technologies rely on
time stamps, so synchronizing time across all systems in a domain is crucial. By default, the PDC
emulator in the forest root domain is the time master for the entire forest. The PDC emulator in each
domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the
domain synchronize their clocks against that domain's PDC emulator. All other domain members
synchronize their time with their preferred domain controller.
Acts as the domain master browser. When you open the Network node in File Explorer, you see a list
of workgroups and domains, and when you open a workgroup or domain, you see a list of
computers. The browser service creates these two lists, called browse lists. In each network segment, a
master browser creates the browse list: the lists of workgroups, domains, and servers in that segment.
The domain master browser serves to merge the lists of each master browser so that browse clients
can retrieve a comprehensive browse list.
Guidelines for Placing Operations Master Roles
When you place operations master roles, follow these guidelines:
Place the domain-level roles on a high-performance domain controller.
Do not place the Infrastructure Master domain-level role on a global catalog server, except when
your forest contains only one domain or all of the domain controllers in your forest also are global
catalogs. In Windows Server 2008 and above, when the AD DS role is installed, the default option is to
make that domain controller a global catalog server. Provided you do not change this default option,
all domain controllers will be global catalog servers.
Ensure that the two forest-level roles are on the same domain controller in the forest-root domain.
If necessary, adjust the workload of the PDC emulator by offloading non-AD DS roles to other servers.
The PDC emulator role is the busiest of all the operations master roles, because it handles all the
password updates and pass-through authentication requests.
Note:
You can view the assignment of operations master roles by running the following command:
Netdom query fsmo
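The same information is available from the Active Directory module, which also lets you check the placement guidelines above and transfer or seize roles. The following is an added example and is not part of the course. LON-DC2 is a hypothetical target domain controller (the lab defines only LON-DC1 and LON-SVR1), so the transfer and seizure calls are shown as a function with an example invocation in a comment.

```powershell
# Added example, not part of the course text: report operations master role
# holders, check the placement guidelines, and transfer or seize roles with the
# Active Directory module. LON-DC2 is a hypothetical domain controller name.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    # Equivalent of 'netdom query fsmo' for the current domain and its forest.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest               = $forest.Name
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-OperationsMasterPlacement {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)

    # Guideline: both forest-wide roles on one DC, in the forest root domain.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        Write-Warning 'Schema master and domain naming master are on different domain controllers.'
    }
    $rootDCs = @(Get-ADDomainController -Filter * -Server $forest.RootDomain | ForEach-Object { $_.HostName })
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        if ($rootDCs -notcontains $forest.$role) {
            Write-Warning "$role ($($forest.$role)) is not in the forest root domain $($forest.RootDomain)."
        }
    }

    # Guideline: no infrastructure master on a global catalog unless the forest has
    # a single domain or every DC in this domain is also a global catalog.
    $infra = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($infra.IsGlobalCatalog -and -not $allGC -and $forest.Domains.Count -gt 1) {
        Write-Warning "Infrastructure master $($infra.HostName) is a global catalog while other DCs are not; cross-domain references will not be updated."
    }
}

function Move-OperationsMasterRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string[]]$Roles,   # e.g. PDCEmulator, RIDMaster
        [switch]$Seize                             # only when the current holder is permanently lost
    )
    if ($Seize) {
        # -Force seizes. The old holder must never come back online with its copy of
        # the role; rebuild it before reconnecting it to the network.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Force -Confirm:$false
    } else {
        # Graceful transfer: the current holder must be online and reachable.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Confirm:$false
    }
}

Get-OperationsMasterReport | Format-List
Test-OperationsMasterPlacement
# Move-OperationsMasterRoles -TargetDC 'LON-DC2' -Roles PDCEmulator, RIDMaster
# Move-OperationsMasterRoles -TargetDC 'LON-DC2' -Roles SchemaMaster, DomainNamingMaster -Seize
```

Seizing a role is a last resort: the new holder does not receive any state the old one had not replicated yet, so for the RID master in particular the seized role should not be returned to the original server.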
Managing AD DS Backup and Recovery
In earlier versions of Windows Server, backing up
AD DS involved creating a backup of the System
State, which was a small collection of files that
included the Active Directory database, the
registry, and other select enterprise-wide system
software.
Because of interdependencies between server roles, physical configuration, and AD DS, the System State
is now a subset of a Full Server backup and, in some configurations, might be almost as big. The System
State backup captures the AD DS database and SYSVOL, as well as all registry settings on the computer. In
other words, a System State backup is a backup of AD DS. In Windows Server 2012, you can perform two
kinds of backups: manual backups and scheduled backups. The following System State backup targets
are available:
Volume types: either the NTFS file system or the Resilient File System (ReFS).
Universal Naming Convention (UNC) path to the local server.
UNC path to a remote server.
Local non-critical volume. The target cannot be a volume that the System State backup itself includes,
such as the system volume or the volume that holds the AD DS database.
In order to perform a System State backup, the Windows Server Backup feature must be installed, either
from Server Manager (Add Roles and Features) or with the following Windows PowerShell cmdlet:
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
You can use the Windows Server Backup console or the wbadmin command-line executable to create a
backup. For example, to create a manual System State backup on the backup drive S:, type the following
at a command prompt or in a Windows PowerShell window, and then press Enter:
wbadmin start systemstatebackup -backupTarget:S: -quiet
The -quiet parameter runs the backup without prompting for confirmation or displaying console messages.
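The Windows Server Backup feature also installs the WindowsServerBackup module, which covers both kinds of backup the text mentions. The following is an added example and is not part of the course: it takes the same System State backup to drive S: as the wbadmin command above, adds a nightly schedule, and then checks the age of the newest backup against the forest's tombstone lifetime, because a backup older than that cannot be used to restore a domain controller.

```powershell
# Added example, not part of the course text: System State backup of a domain
# controller with the WindowsServerBackup cmdlets, plus a schedule and a check
# that the newest backup is still young enough to restore. Drive S: is the
# backup target used in the text above.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

$target = New-WBBackupTarget -VolumePath 'S:'

# One-off backup, the equivalent of 'wbadmin start systemstatebackup -backupTarget:S:'.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBackupTarget -Policy $policy -Target $target
Start-WBBackup -Policy $policy

# Scheduled backup: a policy with a schedule becomes the server's standing backup policy.
$scheduled = New-WBPolicy
Add-WBSystemState -Policy $scheduled
Add-WBBackupTarget -Policy $scheduled -Target $target
Set-WBSchedule -Policy $scheduled -Schedule ([datetime]'21:00')
Set-WBPolicy -Policy $scheduled -Force

function Test-BackupAge {
    # A System State backup older than the tombstone lifetime must not be restored:
    # the restored DC would reintroduce objects the rest of the forest has purged.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $dsObject  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    $lifetime  = $dsObject.tombstoneLifetime
    if (-not $lifetime) { $lifetime = 60 }   # attribute absent means the historical default of 60 days

    $latest = Get-WBBackupSet -BackupTarget $target | Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $latest) { Write-Warning "No backup sets found on $($target.Label)"; return }

    $ageDays = ((Get-Date) - $latest.BackupTime).Days
    if ($ageDays -gt $lifetime) {
        Write-Warning "Newest backup is $ageDays days old, older than the tombstone lifetime of $lifetime days; it is unusable for a DC restore."
    } else {
        Write-Output "Newest backup is $ageDays days old (tombstone lifetime $lifetime days)."
    }
}

Test-BackupAge
```

Run the script elevated on the domain controller. The backup target must be a non-critical volume, so S: cannot be the volume that holds ntds.dit or SYSVOL.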
Restoring AD DS Data
When a domain controller or its directory is corrupted, damaged, or failed, you have several options with
which to restore the system.
Nonauthoritative Restore
A nonauthoritative restore is a normal restore operation, where you simply restore a System State backup
from a known good date. For example, suppose the domain controller crashed on Thursday, and you were
making System State backups of each domain controller every night. You would then restore the system
state from Wednesday night. Effectively, you roll the domain controller back in time. When AD DS restarts
on the domain controller, the domain controller contacts its replication partners and requests all
subsequent updates. Effectively, the domain controller catches up with the rest of the domain by using
standard replication mechanisms.
Normal restore is useful when the directory on a domain controller has been damaged or corrupted, but
the problem has not spread to other domain controllers. What about a situation in which damage has
been done, and the damage has been replicated? For example, what if you delete one or more objects,
and that deletion has replicated? In such situations, a normal restore is not sufficient. If you restore a
known good version of AD DS and restart the domain controller, the deletion that happened subsequent
to the backup will simply replicate back to the domain controller.
Authoritative Restore
When a known good copy of AD DS has been restored that contains objects that must override the
existing state of objects in the AD DS database, an authoritative restore is necessary. In an authoritative
restore, you restore the known good version of AD DS, just as you would in a normal restore. However,
before restarting the domain controller, you mark the objects that you wish to retain as authoritative so
that they will replicate from the restored domain controller to its replication partners. When you mark
objects as authoritative, Windows increments the version number of all of the objects' attributes (by
default, by 100,000 for each day that has elapsed since the backup was taken) so that the version is
virtually guaranteed to be higher than the version number on all other domain controllers.
When the restored domain controller is restarted, it receives updates from its replication partners on all
changes that have been made to the directory. It also notifies its partners that it has changes. The version
numbers of the authoritatively restored objects ensure that partners take these changes and replicate
them throughout the directory service. In forests that have the Active Directory Recycle Bin enabled
(available at the Windows Server 2008 R2 forest functional level and newer; once enabled, it cannot be
turned off), you can use the Active Directory Recycle Bin as a simpler alternative to an authoritative
restore for recovering deleted objects, without taking any domain controller offline.
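The following is an added example, not part of the course, of that alternative: it enables the Recycle Bin after checking the prerequisite, and restores deleted objects that match a name filter, restoring parents before children because Restore-ADObject fails when the object's last known parent does not exist. The filter 'Sales*' is an assumption for illustration.

```powershell
# Added example, not part of the course text: enable the Active Directory
# Recycle Bin and restore deleted objects (including an OU and its contents)
# as the alternative to an authoritative restore. 'Sales*' is an assumed filter.
Import-Module ActiveDirectory

function Enable-RecycleBinIfPossible {
    $forest = Get-ADForest
    # Requires the Windows Server 2008 R2 forest functional level (enum value 4) or higher.
    if ([int]$forest.ForestMode -lt 4) {
        throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin."
    }
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    if ($feature.EnabledScopes.Count -eq 0) {
        # Irreversible: once enabled, the Recycle Bin cannot be disabled again.
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
    }
}

function Test-ADObjectExists {
    param([string]$DistinguishedName)
    try { Get-ADObject -Identity $DistinguishedName -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

function Restore-DeletedObjects {
    param([Parameter(Mandatory)][string]$NameFilter)
    # Deleted objects keep a lastKnownParent attribute. Restore-ADObject refuses to
    # restore an object whose parent is missing, so work in rounds: restore every
    # object whose parent exists, then retry the rest until nothing is left.
    $pending = [System.Collections.Generic.List[object]]@(
        Get-ADObject -Filter { isDeleted -eq $true -and name -like $NameFilter } `
                     -IncludeDeletedObjects -Properties lastKnownParent)
    $restored = @()
    while ($pending.Count -gt 0) {
        $progress = $false
        foreach ($obj in @($pending)) {
            if (Test-ADObjectExists -DistinguishedName $obj.lastKnownParent) {
                Restore-ADObject -Identity $obj.ObjectGUID
                $restored += $obj.ObjectGUID
                [void]$pending.Remove($obj)
                $progress = $true
            }
        }
        if (-not $progress) {
            $missing = ($pending | ForEach-Object { $_.lastKnownParent } | Sort-Object -Unique) -join '; '
            throw "Cannot restore $($pending.Count) object(s): parent container(s) missing: $missing"
        }
    }
    $restored
}

Enable-RecycleBinIfPossible
$guids = Restore-DeletedObjects -NameFilter 'Sales*'
Write-Output "Restored $($guids.Count) object(s)."
```

Restored objects come back with their attributes and group memberships intact, which is what makes this preferable to an authoritative restore for ordinary deletions; objects whose deleted-object lifetime has expired are recycled and can no longer be restored this way.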
Other Restore Options
The third option for restoring the directory service is to restore the entire domain controller. You restore
the entire domain controller by booting to the Windows Recovery Environment (Windows RE), and then
restoring a full server backup of the domain controller. By default, this is a normal restore. If you also need
to mark objects as authoritative, you must restart the server in the Directory Services Restore Mode and
set those objects as authoritative prior to starting the domain controller into normal operation.
Finally, you can restore a backup of the System State to an alternate location. This allows you to examine
files and, potentially, to mount the ntds.dit file. You should not copy the files from an alternate restore
location over the production versions of those files. Do not do a piecemeal restore of AD DS. You also can
use this option if you want to use the Install From Media option for creating a new domain controller.
Other AD DS Tasks
Certain tasks, such as an offline defragmentation or moving the AD DS database to another drive, require
you to take AD DS offline. Take a System State backup first. To take AD DS offline, open a command
prompt or a Windows PowerShell window, type the following command, and then press Enter:
net stop ntds
At this point, you would use the ntdsutil command-line utility to perform the various offline activities. For
example, you can optimize the Active Directory database with an offline defragmentation. Compaction
writes a compacted copy of the database to a temporary location; it does not change the live file, so you
must copy the result back yourself. After you take AD DS offline, type the following commands, pressing
Enter after each line, but do not type the lines beginning with ##:
ntdsutil
activate instance ntds
files
##compact to <drive>:\<path>
##For example:
compact to c:\TempAD
quit
quit
The copy, delete, and integrity check that follow are not ntdsutil commands; run them from the command
prompt after you leave ntdsutil. Copy the compacted file over the original (keep a copy of the original
until the integrity check succeeds), and then delete the old transaction logs, which belong to the old file:
##copy <temporaryDrive>:\<path>\ntds.dit <originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit
##For example:
copy c:\TempAD\ntds.dit c:\windows\ntds\ntds.dit
##del <drive>:\<pathToLogFiles>\*.log
##For example:
del c:\windows\ntds\*.log
Then verify the new file before you start the directory service:
ntdsutil
activate instance ntds
files
integrity
quit
quit
If the integrity check fails, put the original ntds.dit back before starting AD DS. At this point, you can start
AD DS by typing the following command, and then pressing Enter:
net start ntds
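The following is an added example, not part of the course, that performs the offline defragmentation above as one script with the checks a practitioner wants: it reads the real database and log locations from the registry instead of assuming %systemroot%\NTDS, verifies free space before compacting, keeps a roll-back copy of the original until the integrity check passes, and restarts the dependent services that were running. C:\TempAD is the temporary path used in the text.

```powershell
# Added example, not part of the course text: offline defragmentation of
# ntds.dit with safety checks. Run elevated on the domain controller, after a
# System State backup. C:\TempAD is the temporary path from the text.
$ErrorActionPreference = 'Stop'

# The live file locations are recorded in the registry by the AD DS installation.
$params    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile    = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath   = $params.'Database log files path'    # e.g. C:\Windows\NTDS
$tempDir   = 'C:\TempAD'
$compacted = Join-Path $tempDir 'ntds.dit'
$rollback  = "$dbFile.bak"

# Compaction writes a new copy, so the temporary volume needs at least as much
# free space as the current database file.
$dbSize = (Get-Item $dbFile).Length
$free   = (Get-PSDrive -Name (Split-Path -Qualifier $tempDir).TrimEnd(':')).Free
if ($free -lt $dbSize) { throw "Need $dbSize bytes free for $tempDir, only $free available." }
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# Restartable AD DS: stop the directory service instead of rebooting into DSRM.
# Record which dependent services (KDC, DNS, Netlogon, ...) were running so that
# they can be started again afterwards; net start ntds does not do that for you.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    # ntdsutil takes its interactive commands as arguments. Read its output as
    # well: the exit code does not report every failure.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $tempDir" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $compacted)) {
        throw "ntdsutil compact failed (exit code $LASTEXITCODE); the live database is untouched."
    }

    # Keep the original until the compacted copy passes an integrity check.
    Copy-Item -Path $dbFile -Destination $rollback -Force
    Copy-Item -Path $compacted -Destination $dbFile -Force
    # With NTDS stopped, every transaction in the logs has been committed, so the
    # old logs can go; they belong to the old file and must not be replayed into the new one.
    Remove-Item -Path (Join-Path $logPath 'edb*.log') -Force

    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path $rollback -Destination $dbFile -Force
        throw "Integrity check failed; original ntds.dit restored from $rollback. Do not use $compacted."
    }
    Remove-Item -Path $rollback -Force
    Write-Output ("Compacted {0}: {1:N0} bytes -> {2:N0} bytes" -f $dbFile, $dbSize, (Get-Item $dbFile).Length)
}
finally {
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
```

The compacted copy in C:\TempAD and the roll-back file both contain every password hash in the domain; delete them (or the whole temporary directory) once the domain controller is back in service.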
AD DS also stores data about itself, called metadata, including the server and NTDS Settings objects that
represent each domain controller. If a domain controller fails and cannot be restored, or was removed
while it was offline, this metadata remains in the directory, and you must remove it with the ntdsutil
command as well.
To clean up Active Directory metadata, enter the following into a command prompt or Windows
PowerShell window, and press Enter at the end of each line, but do not type the lines beginning with ##:
ntdsutil
metadata cleanup
remove selected server <ServerName>
##Or, to bind to a different domain controller when performing the removal:
remove selected server <ServerName1> on <ServerName2>
In the Server Remove Configuration Dialog, review the information and warning, and then click Yes to
remove the server object and metadata.
quit
quit
<ServerName> is the distinguished name of the server object, in the form
CN=<ServerName>,CN=Servers,CN=<SiteName>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>. At this
point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error
message that indicates that the object cannot be found, the domain controller might have been removed
earlier. On Windows Server 2008 and newer domain controllers, deleting the failed domain controller's
computer object in Active Directory Users and Computers, or its server object in Active Directory Sites
and Services, performs the same metadata cleanup.
You will learn more about additional ntdsutil commands in the next lesson.
Lesson 5
Managing the AD DS Database
At the core of the AD DS environment is the AD DS database. The AD DS database contains all the critical
information required to provide AD DS functionality. Maintaining this database properly is a critical aspect
of AD DS management, and there are several tools and best practices that can help you manage your AD
DS database effectively. This lesson will introduce you to AD DS database management and show you the
tools and methods for maintaining it.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the AD DS database architecture.
Describe Ntdsutil.
Explain how restartable AD DS works.
Describe how to perform AD DS database management.
Describe how to create AD DS snapshots.
Describe how to restore deleted objects.
Describe how to configure the Active Directory Recycle Bin.
Understanding the AD DS Database
AD DS information is stored within the directory
database. Each directory partition, also called a
naming context, contains objects of a particular
replication scope and purpose. There are three AD
DS partitions on each domain controller, as
follows:
Domain. The Domain partition contains all the
objects stored in a domain, including users,
groups, computers, and Group Policy
containers.
Configuration. The Configuration partition
contains objects that represent the logical
structure of the forest, including information about domains, as well as the physical topology,
including sites, subnets, and services.
Schema. The Schema partition defines the object classes and their attributes for the entire directory.
Domain controllers also can host application partitions. You can use application partitions to limit
replication of application-specific data to a subset of domain controllers. Active Directory-integrated DNS
is a common example of an application that takes advantage of application partitions.
Each domain controller maintains a copy, or replica, of several partitions. The Configuration and Schema
partitions are each replicated to every domain controller in the forest. The Domain partition for a domain
is replicated to all domain controllers within that domain, but not to domain controllers in other domains;
the exception is global catalog servers, which hold a read-only partial replica (the partial attribute set) of
every other domain partition in the forest. Therefore, each domain controller has at least three replicas:
the Domain partition for its domain, Configuration, and Schema.

AD DS Database Files
The AD DS database is stored as a file named ntds.dit. When you install and configure AD DS, you can
specify the location of the file. The default location is %systemroot%\NTDS. Within ntds.dit are all of the
partitions hosted by the domain controller: the forest schema and configuration; the domain-naming
context; and, depending on the server configuration, the partial attribute set and application partitions.
In the NTDS folder, there are other files that support the Active Directory database. The Edb*.log files are
the transaction logs for Active Directory. When a change must be made to the directory, it is first written
to the log file. The change is committed to the directory as a transaction. If the transaction fails, it can be
rolled back.
The following table describes the file-level components of the AD DS database.
File                              Description
ntds.dit                          Main AD DS database file; contains all AD DS partitions and objects
EDB*.log                          Transaction log(s)
EDB.chk                           Database checkpoint file
Edbres00001.jrs, Edbres00002.jrs  Reserve transaction log files that allow the directory to process
                                  pending transactions if the server runs out of disk space
AD DS Database Modifications and Replication
Under normal operations, the transaction log wraps around, with new transactions overwriting old
transactions that have already been committed. However, if a large number of transactions are made
within a short period of time, AD DS creates additional transaction log files, so you may see several
EDB*.log files if you look in the NTDS folder of a particularly busy domain controller. Over time, those files
are removed automatically. AD DS uses circular logging, which means that older files are overwritten
with the latest data as the entire set of logs is used.
The EDB.chk file acts like a bookmark for the log files, marking the location before which transactions
have been successfully committed to the database, and after which transactions remain to be committed.
When a disk drive runs out of space, it is highly problematic for the server. It is even more problematic if
that disk hosts the AD DS database, because transactions that may be pending cannot be written to the
logs. Therefore, AD DS maintains two additional log files, edbres00001.jrs and edbres00002.jrs. These are
empty files of 10 megabytes (MB) each. When a disk runs out of space for normal transaction logs, AD DS
uses the space reserved by these two files to write the transactions that are currently queued. After that,
it safely shuts down AD DS services and dismounts the database. Of course, it is important for an
administrator to remediate the low disk space as quickly as possible. These files simply provide a
temporary solution that prevents the directory service from refusing new transactions.
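The following script is an added example and is not part of the course text. It reports on the database files described above (ntds.dit, the EDB*.log transaction logs, EDB.chk and the two reserve logs) and on the free space of the volume that holds them, which is the condition that causes AD DS to consume the reserve logs and dismount. The registry value names are the ones the NTDS service stores; the 20 percent free-space warning threshold is this script's own assumption.

```powershell
# Added example, not part of the course text: report on the AD DS database files and the free
# space of the volume that holds them. Registry value names are the ones the NTDS service stores;
# the 20 percent free-space warning threshold is an assumption of this script.
$NtdsParameters       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$WarnBelowPercentFree = 20

function Get-NtdsFileReport {
    $params  = Get-ItemProperty -Path $NtdsParameters
    $dbFile  = $params.'DSA Database file'         # full path of ntds.dit
    $logDir  = $params.'Database log files path'   # folder holding edb*.log, edb.chk and edbres*.jrs

    $logs    = @(Get-ChildItem -Path $logDir -Filter 'edb*.log'    -File)
    $reserve = @(Get-ChildItem -Path $logDir -Filter 'edbres*.jrs' -File)
    $chk     = Get-ChildItem -Path (Join-Path $logDir 'edb.chk') -File -ErrorAction SilentlyContinue

    # Free space on the volume that hosts the logs; the two 10 MB reserve logs are the last
    # space AD DS can use before it shuts the directory service down.
    $drive   = Split-Path -Path $logDir -Qualifier
    $disk    = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $pctFree = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)

    [pscustomobject]@{
        DatabaseFile      = $dbFile
        DatabaseSizeMB    = [math]::Round((Get-Item -Path $dbFile).Length / 1MB, 1)
        TransactionLogs   = $logs.Count          # several on a busy DC is normal with circular logging
        CheckpointPresent = [bool]$chk
        ReserveLogsIntact = ($reserve.Count -eq 2) -and -not ($reserve | Where-Object Length -ne 10MB)
        FreeSpacePercent  = $pctFree
        Warning           = if ($pctFree -lt $WarnBelowPercentFree) {
                                "Volume $drive is below $WarnBelowPercentFree% free; AD DS will dismount once the reserve logs are consumed"
                            } elseif ($reserve.Count -ne 2) {
                                'Reserve log files are missing; low disk space will stop AD DS without the reserve buffer'
                            } else { $null }
    }
}

Get-NtdsFileReport | Format-List
```

Run it elevated on the domain controller. A non-empty Warning is the condition the text describes as "highly problematic"; the TransactionLogs count alone is not an alarm, since a busy domain controller legitimately accumulates several EDB*.log files.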
Understanding Restartable AD DS
In most scenarios where AD DS management is
required, you would otherwise have to restart the
domain controller in Directory Services Restore
Mode. Administrators of Windows Server 2012 can
stop and start AD DS just like any other service,
without restarting a domain controller, which
enables them to perform some management tasks
quickly. This feature is called Restartable Active
Directory Domain Services.
Restartable AD DS reduces the time required to
perform certain operations. You can stop AD DS
so that you can apply updates to a domain
controller. In addition, administrators can stop AD DS to perform tasks such as offline defragmentation of
the Active Directory database, without restarting the domain controller. Other services that are running on
the server and that do not depend on AD DS to function, such as DHCP, remain available to satisfy client
requests while AD DS is stopped.
Restartable AD DS is available by default on all domain controllers that run Windows Server 2012. There
are no functional-level requirements or any other prerequisites for using this feature.
Note: You cannot perform a system state restore of a domain controller while AD DS is
stopped. To complete a system state restore of a domain controller, you need to start in
Directory Services Restore Mode. However, you can perform an authoritative restore of Active
Directory objects while AD DS is stopped by using Ntdsutil.exe.
In order to start the server in Directory Services Restore Mode, you must first open the Advanced Boot
Options menu by following these steps:
1. In the Settings charm, left-click Power, and then press and hold down the Shift key while you click
Restart.
2. After the system has rebooted, a new screen named Choose an option will appear. Select
Troubleshoot on this screen.
3. In the Troubleshoot screen, select Advanced options.
4. In the Advanced options screen, select Startup Settings.
5. In the Startup Settings screen, click Restart.
6. After the computer restarts, you will see the Advanced Boot Options on the screen.
7. In the Advanced Boot Options menu, select the Directory Services Repair Mode option.
Restartable AD DS adds minor changes to the existing MMC snap-ins. A domain controller running
Windows Server 2012 AD DS displays Domain Controller in the Services (Local) node of the Component
Services snap-in and the Computer Management snap-in. Using the snap-in, an administrator can easily
stop and restart AD DS the same way he or she can stop and restart any other service that is running
locally on the server.
Although stopping AD DS is similar to logging on in Directory Services Restore Mode, restartable AD DS
provides a unique state, known as AD DS Stopped, for a domain controller that is running Windows Server
2012.

Domain Controller States
The three possible states for a domain controller that is running Windows Server 2012 are:
AD DS Started. In this state, AD DS is started. The domain controller is able to perform AD DS-related
tasks normally.
AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some
characteristics of both a domain controller in Directory Services Restore Mode (DSRM) and a domain-
joined member server.
DSRM. This mode or state allows standard AD DS administrative tasks. With DSRM, the Active
Directory database (Ntds.dit) on the local domain controller is offline. Another domain controller can
be contacted for logon, if one is available. If no other domain controller can be contacted, by default
you can do one of the following:
Log on to the domain controller locally in DSRM by using the DSRM password.
Restart the domain controller to log on with a domain account.
As with a member server, the server is joined to the domain. This means that Group Policy and other
settings are still applied to the computer. However, a domain controller should not remain in the AD DS
Stopped state for an extended period. A domain controller in the AD DS Stopped state cannot service
logon requests or replicate with other domain controllers.
Demonstration: Performing AD DS Database Maintenance
You can use several tasks and related tools to perform AD DS database maintenance.
This demonstration shows how to:
Stop AD DS.
Perform an offline defragmentation of the AD DS database.
Check the integrity of the AD DS database.
Start AD DS.
Demonstration Steps
Stop AD DS
1. On LON-DC1, open the Services console.
2. Stop the Active Directory Domain Services service.
Perform an offline defragmentation of the AD DS database
Run the following commands from a Windows PowerShell prompt, and press Enter after each line:
ntdsutil
activate instance NTDS
files
compact to C:\
Check the integrity of the offline database
1. Run the following commands from a Windows PowerShell prompt, and press Enter after each line:
Integrity
quit
Quit
2. Close the command prompt window.
Start AD DS
1. Open the Services console.
2. Start the Active Directory Domain Services service.
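The demonstration above, driven from Windows PowerShell, as an added example that is not the course's own script. It stops AD DS, compacts ntds.dit into a scratch folder, swaps the compacted file into place (the copy and log-deletion steps are the ones ntdsutil itself prints after a successful compaction), runs the integrity check, and restarts AD DS together with the services that were stopped with it. The scratch folder path is an assumption.

```powershell
# Added example, not the course's own script: offline defragmentation and integrity check of the
# AD DS database using Restartable AD DS. $CompactDir is an assumed scratch folder with room for
# a second copy of ntds.dit.
$CompactDir = 'C:\Compact'

function Invoke-Ntdsutil {
    # ntdsutil accepts its interactive commands as arguments; two quits leave the files and
    # instance contexts. Output is returned as strings so callers can inspect the messages.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
}

function Invoke-OfflineDefrag {
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $params.'DSA Database file'
    $logDir = $params.'Database log files path'
    New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

    # Stop AD DS. -Force also stops the services that depend on NTDS, which the Services console
    # asks about interactively; they are remembered so they can be started again afterwards.
    $dependents = (Get-Service -Name NTDS).DependentServices | Where-Object Status -eq 'Running'
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

    try {
        # Offline defragmentation: a new, compacted ntds.dit is written to $CompactDir; the live file is untouched.
        $out = Invoke-Ntdsutil -Commands @('activate instance ntds', 'files', "compact to $CompactDir", 'quit', 'quit')
        $compacted = Join-Path $CompactDir 'ntds.dit'
        if (-not (Test-Path -Path $compacted)) { throw "Compaction produced no file:`n$($out -join "`n")" }

        # Keep the original as a fallback, then swap in the compacted copy and delete the old logs
        # (the two steps ntdsutil prints at the end of a successful compaction).
        Copy-Item -Path $dbFile -Destination "$dbFile.bak" -Force
        Copy-Item -Path $compacted -Destination $dbFile -Force
        Remove-Item -Path (Join-Path $logDir 'edb*.log') -Force

        # Integrity check of the database now at the configured path; ntdsutil reports
        # "Integrity check successful." when the file is sound.
        $check = Invoke-Ntdsutil -Commands @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
        if (-not ($check -match 'Integrity check successful')) {
            Copy-Item -Path "$dbFile.bak" -Destination $dbFile -Force   # fall back to the original database
            throw "Integrity check failed; original database restored:`n$($check -join "`n")"
        }
        [pscustomobject]@{
            OriginalSizeMB  = [math]::Round((Get-Item -Path "$dbFile.bak").Length / 1MB, 1)
            CompactedSizeMB = [math]::Round((Get-Item -Path $dbFile).Length / 1MB, 1)
        }
    }
    finally {
        # Start AD DS and the services that were stopped with it; the Services console leaves those stopped too.
        Start-Service -Name NTDS
        $dependents | ForEach-Object { Start-Service -Name $_.Name -ErrorAction Continue }
    }
}

Invoke-OfflineDefrag
```

Take a system state backup before running this on a production domain controller; the .bak copy protects against a bad compaction but not against everything. The finally block matters because stopping NTDS with -Force also stops Kerberos, Netlogon and DNS on that server, and starting NTDS alone does not bring them back.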
Creating AD DS Snapshots
Ntdsutil in Windows Server 2012 can create and
mount snapshots of AD DS. A snapshot is a type
of historical backup that captures the exact state
of the directory service at the time of the
snapshot. You can use Ntdsutil to explore the
contents of a snapshot and examine the state of
the directory service at the time the snapshot was
made, or connect to a mounted snapshot with the
LDIFDE tool and export an object so that it can be
reimported into AD DS.
Creating an AD DS Snapshot
To start the snapshot process, you must first
create a snapshot. To create a snapshot, follow these steps:
1. Open the command prompt.
2. Type ntdsutil, and then press Enter.
3. Type snapshot, and then press Enter.
4. Type activate instance ntds, and then press Enter.
5. Type create, and then press Enter.
6. The command returns a message that indicates that the snapshot set was generated successfully.
7. The globally unique identifier (GUID) that is displayed is important for commands in later tasks. Make
note of the GUID or, alternatively, copy it to the Clipboard.
8. Type quit, and then press Enter.
Schedule snapshots of Active Directory regularly. You can use the Task Scheduler to execute a batch file
by using the appropriate Ntdsutil commands.
Mounting an AD DS Snapshot
To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. You can
also accomplish this with Ntdsutil. To mount a snapshot, follow these steps:
1. Open an elevated command prompt.
2. Type ntdsutil, and then press Enter.
3. Type activate instance ntds, and then press Enter.
4. Type snapshot, and then press Enter.
5. Type list all, and then press Enter.
6. Notice that the command returns a list of all snapshots.

7. Type mount {GUID}, where GUID is the GUID returned by the create snapshot command, and then
press Enter.
8. Type quit, and then press Enter.
9. Type quit, and then press Enter.
10. Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then
press Enter.
11. The port number, 50000, can be any open and unique TCP port number.
12. A message indicates that the startup of Active Directory Domain Services is complete.
13. Do not close the command prompt window. Leave the command you just ran, Dsamain.exe, running
while you continue to the next step.
Viewing an AD DS Snapshot
After you have mounted the snapshot, you can use tools to connect to and explore the snapshot. Even
Active Directory Users and Computers can connect to the instance. To connect to a snapshot with Active
Directory Users and Computers, follow these steps:
1. Open Active Directory Users and Computers.
2. Right-click the root node, and then click Change Domain Controller.
3. Notice that the Change Directory Server dialog box appears.
4. Click <Type a Directory Server name[:port] here>.
5. Type LON-DC1:50000, and then press Enter.
6. LON-DC1 is the name of the domain controller on which you mounted the snapshot, and 50000 is
the TCP port number that you configured for the instance. You are now connected to the snapshot.
7. Click OK.
Note that snapshots are read-only. You cannot modify the contents of a snapshot. Moreover, there are no
direct methods with which to move, copy, or restore objects or attributes from a snapshot to the
production instance of Active Directory.
Unmounting an AD DS Snapshot
If you mounted the snapshot, when you are finished using or viewing it, you must unmount it. To
unmount the snapshot, follow these steps:
1. Switch to the command prompt in which the snapshot is mounted.
2. Press Ctrl+C to stop DSAMain.exe.
3. Type ntdsutil, and then press Enter.
4. Type activate instance ntds, and then press Enter.
5. Type snapshot, and then press Enter.
6. Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.
7. Type quit, and then press Enter.
8. Type quit, and then press Enter.
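The create, mount, view and unmount cycle described above (and repeated in Lab Exercise 2) as functions, plus the scheduled task suggested for taking snapshots regularly. This is an added example, not the course's own code. LON-DC1 and port 50000 follow the course; the task name, its schedule and the account name Adam for Adam Barr are assumptions.

```powershell
# Added example, not the course's own code: AD DS snapshot lifecycle with ntdsutil and dsamain.
# LON-DC1 and port 50000 follow the course; task name, schedule and the account 'Adam' are assumptions.
Import-Module ActiveDirectory

function New-AdSnapshot {
    # Returns the snapshot set GUID, parsed from ntdsutil's
    # "Snapshot set {GUID} generated successfully." message.
    $out = & ntdsutil.exe 'snapshot' 'activate instance ntds' 'create' 'quit' 'quit'
    $m = [regex]::Match(($out -join "`n"), 'Snapshot set (\{[0-9a-fA-F\-]{36}\}) generated successfully')
    if (-not $m.Success) { throw "Snapshot creation failed:`n$($out -join "`n")" }
    return $m.Groups[1].Value
}

function Get-AdSnapshotList {
    # Same output as "list all" typed interactively.
    & ntdsutil.exe 'snapshot' 'activate instance ntds' 'list all' 'quit' 'quit'
}

function Mount-AdSnapshot {
    param([string]$Guid, [int]$LdapPort = 50000)
    $out = & ntdsutil.exe 'snapshot' 'activate instance ntds' "mount $Guid" 'quit' 'quit'
    # ntdsutil names the exposed path, e.g. "... mounted as C:\$SNAP_201401011200_VOLUMEC$\".
    $m = [regex]::Match(($out -join "`n"), 'mounted as (\S+)')
    if (-not $m.Success) { throw "Mount failed:`n$($out -join "`n")" }
    $dit = Join-Path $m.Groups[1].Value 'Windows\NTDS\ntds.dit'

    # The path contains "$", which PowerShell expands as a variable when typed unquoted at the
    # prompt (why the lab says to use a command prompt). Passed as an argument it stays literal.
    # dsamain runs in its own window until stopped, exactly as in the manual steps.
    $proc = Start-Process -FilePath 'dsamain.exe' -PassThru `
                -ArgumentList @('-dbpath', "`"$dit`"", '-ldapport', $LdapPort)

    # Wait until the snapshot instance answers on its LDAP port.
    $deadline = (Get-Date).AddSeconds(90)
    do {
        Start-Sleep -Seconds 3
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect('localhost', $LdapPort); $ready = $true } catch { $ready = $false } finally { $tcp.Close() }
    } until ($ready -or (Get-Date) -gt $deadline)
    if (-not $ready) { Stop-Process -Id $proc.Id -Force; throw "dsamain did not start listening on port $LdapPort" }
    return $proc
}

function Get-SnapshotUser {
    # Read-only view of an account as it existed when the snapshot was taken.
    param([string]$SamAccountName, [string]$Server = 'LON-DC1', [int]$LdapPort = 50000)
    Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -Server "${Server}:$LdapPort" -Properties memberOf
}

function Dismount-AdSnapshot {
    param([System.Diagnostics.Process]$Dsamain, [string]$Guid)
    # Ctrl+C in the manual steps; closing the console window asks dsamain to exit cleanly first.
    if (-not $Dsamain.HasExited) { $Dsamain.CloseMainWindow() | Out-Null; $Dsamain.WaitForExit(15000) | Out-Null }
    if (-not $Dsamain.HasExited) { Stop-Process -Id $Dsamain.Id -Force }
    & ntdsutil.exe 'snapshot' 'activate instance ntds' "unmount $Guid" 'quit' 'quit'
}

function Register-AdSnapshotTask {
    # Task Scheduler runs ntdsutil daily as SYSTEM; the task name and time are assumptions.
    $action    = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
                    -Argument 'snapshot "activate instance ntds" create quit quit'
    $trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD DS Snapshot' -Action $action -Trigger $trigger -Principal $principal -Force
}

# Walk-through matching the course steps (run elevated on LON-DC1):
$guid = New-AdSnapshot
$dsa  = Mount-AdSnapshot -Guid $guid
Get-SnapshotUser -SamAccountName 'Adam'        # Adam Barr's account as it was in the snapshot
Dismount-AdSnapshot -Dsamain $dsa -Guid $guid
```

A mounted snapshot is a complete, readable copy of the directory, password hashes included, so treat the exposed $SNAP folder and the extra LDAP port with the same care as the live database and unmount as soon as the comparison is done.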
Understanding How to Restore Deleted Objects
When you delete an object in AD DS, it is moved
to the Deleted Objects container and stripped of
many important attributes. You can reveal the list
of attributes that remain when an object is
deleted, but you can never retain linked attribute
values such as group membership.
As long as the object has not yet been cleaned
out and removed, that is, scavenged, by the
garbage collection process after reaching the end
of its tombstone lifetime, you can restore or
reanimate the deleted object.
To restore a deleted object, follow these steps:
1. Click Start, and, in the Start Search box, type LDP.exe, and then press Ctrl+Shift+Enter. This
executes the command as an administrator.
2. Notice that the User Account Control dialog box appears.
3. Click Use another account.
4. In the User name box, type the user name of an administrator.
5. In the Password box, type the password for the administrative account, and then press Enter.
6. Notice that LDP opens.
7. Click the Connection menu, click Connect, and then click OK.
8. Click the Connection menu, click Bind, and then click OK.
9. Click the Options menu, and then click Controls.
10. In the Load Predefined list, click Return Deleted Objects, and then click OK.
11. Click the View menu, click Tree, and then click OK.
12. Expand the domain, and then double-click CN=Deleted Objects,DC=contoso,DC=com.
13. Right-click the deleted object, and then click Modify.
14. In the Attribute box, type isDeleted.
15. In the Operation section, click Delete.
16. Press Enter.
17. In the Attribute box, type distinguishedName.
18. In the Values box, type the distinguished name of the object in the parent container or the OU into
which you want the object's restoration to occur. For example, type the distinguished name of the
object before it was deleted.
19. In the Operation section, click Replace.
20. Press Enter.
21. Select the Extended check box.
22. Click Run, click Close, and then close LDP.
23. Use Active Directory Users and Computers to repopulate the object's attributes, reset the password
of a user object, and enable the object if it is disabled.
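The same reanimation that steps 7 to 22 perform in LDP.exe, done over LDAP with System.DirectoryServices.Protocols so that each piece (the Show Deleted control, the delete of isDeleted, the replace of distinguishedName) is visible. This is an added example and not part of the course text. LON-DC1 and DC=contoso,DC=com follow the page; the function names and the account Adam are assumptions.

```powershell
# Added example, not part of the course text: tombstone reanimation over LDAP, mirroring the
# LDP.exe steps above. LON-DC1 and DC=contoso,DC=com follow the page; 'Adam' is an assumed account.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Connect-Ldap {
    param([string]$Server = 'LON-DC1')
    $conn = New-Object "$P.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.Signing = $true      # integrity-protect the session
    $conn.SessionOptions.Sealing = $true      # and encrypt it; the modify below needs administrative rights
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                               # steps 7 and 8: connect and bind as the current (elevated) user
    return $conn
}

function Find-DeletedObject {
    param($Connection, [string]$DomainDn = 'DC=contoso,DC=com', [string]$SamAccountName)
    # Step 10: the "Return Deleted Objects" control. Without it the Deleted Objects container looks empty.
    $attrs = [string[]]@('lastKnownParent', 'msDS-LastKnownRDN')
    $req = New-Object "$P.SearchRequest" -ArgumentList @(
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        $attrs)
    $req.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
    $resp = $Connection.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        [pscustomobject]@{
            DeletedDn       = $entry.DistinguishedName                                      # the delete-mangled name
            LastKnownParent = $entry.Attributes['lastKnownParent'].GetValues([string])[0]   # container it was deleted from
            LastKnownRdn    = $entry.Attributes['msDS-LastKnownRDN'].GetValues([string])[0] # e.g. "Adam Barr"
        }
    }
}

function Restore-TombstonedObject {
    param($Connection, [string]$DeletedDn, [string]$TargetDn)
    # Steps 13 to 22 as one LDAP modify: remove isDeleted, replace distinguishedName with the new location.
    $clearDeleted = New-Object "$P.DirectoryAttributeModification"
    $clearDeleted.Name = 'isDeleted'
    $clearDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $newDn = New-Object "$P.DirectoryAttributeModification"
    $newDn.Name = 'distinguishedName'
    $newDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $newDn.Add($TargetDn) | Out-Null

    $mod = New-Object "$P.ModifyRequest"
    $mod.DistinguishedName = $DeletedDn
    $mod.Modifications.Add($clearDeleted) | Out-Null
    $mod.Modifications.Add($newDn) | Out-Null
    $mod.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null   # the "Extended" box in step 21
    return $Connection.SendRequest($mod).ResultCode                      # Success when the object is live again
}

# Walk-through: put the user back into the container it was deleted from.
$conn    = Connect-Ldap
$deleted = Find-DeletedObject -Connection $conn -SamAccountName 'Adam'
$target  = "CN=$($deleted.LastKnownRdn),$($deleted.LastKnownParent)"   # CN= because the object is a user
Restore-TombstonedObject -Connection $conn -DeletedDn $deleted.DeletedDn -TargetDn $target
```

As the text states, the reanimated object has lost its linked attributes, so step 23 still applies: group memberships must be re-added, the password reset, and the account enabled (for example with Add-ADGroupMember, Set-ADAccountPassword and Enable-ADAccount). The Recycle Bin, described in the next topic, removes that clean-up.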

Configuring the Active Directory Recycle Bin
In Windows Server 2012, the Active Directory
Recycle Bin can be enabled to provide a simplified
process for restoring deleted objects. This feature
overcomes the problems with authoritative restore
and with tombstone reanimation (tombstone
reanimation simply means bringing a tombstoned
object back into AD DS), namely the additional
steps that are necessary before the object can be
used fully, such as re-adding various attribute
values manually. The Active Directory Recycle Bin
enables administrators to restore deleted objects
with full functionality, without having to restore
AD DS data from backups and restart AD DS or reboot domain controllers. Active Directory Recycle Bin builds
on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover
accidentally deleted Active Directory objects.
How Active Directory Recycle Bin Works
When you enable Active Directory Recycle Bin, all attributes of the deleted Active Directory objects are
preserved, and the objects are restored in their entirety to the same consistent logical state that they were
in immediately before deletion. For example, restored user accounts automatically regain all group
memberships and corresponding access rights that they had immediately before deletion, within and
across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments.
After you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system
preserves all of the object's link-valued and non-link-valued attributes, and the object becomes logically
deleted. A deleted object is moved to the Deleted Objects container, and the relative distinguished name,
also known as a RDN, of the object is changed to a "delete-mangled RDN", which is an RDN that is unique
within the Deleted Objects container. A deleted object remains in the Deleted Objects container in a
logically deleted state throughout the duration of the deleted object lifetime. Within the deleted object
lifetime, you can recover a deleted object with Active Directory Recycle Bin and make it a live Active
Directory object again.
The value of the msDS-deletedObjectLifetime attribute determines the deleted object lifetime. For an item
deleted after the Active Directory Recycle Bin has been enabled, that is, a recycled object, the recycled
object lifetime is determined by the value of the legacy tombstoneLifetime attribute. By default,
msDS-deletedObjectLifetime is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object
lifetime is set to the value of the recycled object lifetime. By default, the recycled object lifetime, which is
stored in the tombstoneLifetime attribute, is also set to null. When tombstoneLifetime is set to null, the
recycled object lifetime defaults to 180 days. You can modify the values of the msDS-deletedObjectLifetime
and tombstoneLifetime attributes at any time. When msDS-deletedObjectLifetime is set to some value other
than null, it no longer assumes the value of tombstoneLifetime.
Enabling the Active Directory Recycle Bin
You can enable the Active Directory Recycle Bin only when the forest functional level is set to Windows
Server 2008 R2 or newer.

To enable the Active Directory Recycle Bin in Windows Server 2012, you can follow either of these sets of
steps:
From the Active Directory module for Windows PowerShell prompt, use the Enable-ADOptionalFeature
cmdlet.
From Active Directory Administrative Center, select the domain, and then click Enable Active
Directory Recycle Bin in the Tasks pane.
Only items that have been deleted after the Active Directory Recycle Bin is turned on can be restored
from the Active Directory Recycle Bin.
Restoring Items from the Active Directory Recycle Bin
In Windows Server 2012, the Active Directory Administrative Center provides a GUI for restoring AD DS
objects that are deleted. When the Active Directory Recycle Bin has been enabled, the Deleted Objects
container is visible in Active Directory Administrative Center. Deleted objects will be visible in this
container until their deleted object lifetime period has expired. You can choose to restore the objects to
their original location or to an alternate location within AD DS.
Demonstration: Using the Active Directory Recycle Bin
In this demonstration, you will see how to:
Enable the Active Directory Recycle Bin.
Create and then delete test accounts.
Restore deleted accounts.
Demonstration Steps
1. On LON-DC1, from Server Manager, open Active Directory Administrative Center.
2. Enable the Recycle Bin.
3. Press F5 to refresh Active Directory Administrative Center.
4. In Active Directory Administrative Center, create the following user accounts in the Research OU.
Give each a password of Pa$$w0rd:
Test1
Test2
5. Delete the Test1 and Test2 user accounts.
6. In Active Directory Administrative Center, navigate to the Deleted Objects folder for the Adatum
domain.
7. Restore Test1 to its original location.
8. Restore Test2 to the IT OU.
9. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.
10. Revert all virtual machines from the host computer's Hyper-V Manager.
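The Recycle Bin material as code, added here as an example that is not the course's own script. It reads the two lifetime attributes described in the previous topic and applies the fallback rules the text gives, enables the feature the Enable-ADOptionalFeature way after checking the forest functional level, and reproduces this demonstration and Lab Exercise 3 (Test1 and Test2 created in Research, deleted, Test1 restored in place, Test2 restored to IT). adatum.com and Pa$$w0rd follow the lab; the function names are this example's own.

```powershell
# Added example, not the course's own script: deleted object lifetime, enabling the Active
# Directory Recycle Bin, and restoring deleted users. adatum.com and Pa$$w0rd follow the lab.
Import-Module ActiveDirectory

function Get-DeletedObjectLifetime {
    # Both attributes live on the Directory Service object in the configuration partition. A null
    # msDS-deletedObjectLifetime inherits tombstoneLifetime; a null tombstoneLifetime means 180 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties 'msDS-deletedObjectLifetime', 'tombstoneLifetime'
    $recycled = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 180 }
    $deleted  = if ($ds.'msDS-deletedObjectLifetime') { [int]$ds.'msDS-deletedObjectLifetime' } else { $recycled }
    [pscustomobject]@{ DeletedObjectLifetimeDays = $deleted; RecycledObjectLifetimeDays = $recycled }
}

function Enable-AdRecycleBin {
    $forest  = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or newer is required."
    }
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) { return 'Recycle Bin already enabled' }
    # Enabling is a one-way change for the whole forest and replicates to every domain controller.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    return 'Recycle Bin enabled'
}

function Test-RecycleBinRestore {
    param([string]$DomainDn = 'DC=adatum,DC=com')
    $research = "OU=Research,$DomainDn"
    $it       = "OU=IT,$DomainDn"
    $password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

    foreach ($name in 'Test1', 'Test2') {
        New-ADUser -Name $name -SamAccountName $name -Path $research -AccountPassword $password -Enabled $true
    }
    Remove-ADUser -Identity 'Test1' -Confirm:$false
    Remove-ADUser -Identity 'Test2' -Confirm:$false

    # Deleted objects are only returned with -IncludeDeletedObjects. lastKnownParent records the
    # original container; sAMAccountName is still there because every attribute is preserved.
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true -and (sAMAccountName -eq "Test1" -or sAMAccountName -eq "Test2")' `
                            -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent
    $test1 = $deleted | Where-Object sAMAccountName -eq 'Test1'
    $test2 = $deleted | Where-Object sAMAccountName -eq 'Test2'

    Restore-ADObject -Identity $test1                     # original location (lastKnownParent)
    Restore-ADObject -Identity $test2 -TargetPath $it     # alternate location

    $r1 = Get-ADUser -Identity 'Test1'
    $r2 = Get-ADUser -Identity 'Test2'
    [pscustomobject]@{
        Test1InResearch    = $r1.DistinguishedName -like "*,$research"
        Test2InIT          = $r2.DistinguishedName -like "*,$it"
        Test1StillEnabled  = $r1.Enabled      # a Recycle Bin restore returns the account in its pre-deletion state
        DeletedObjectsLeft = @(Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -like "Test*"' -IncludeDeletedObjects).Count
    }
}

Get-DeletedObjectLifetime
Enable-AdRecycleBin
Test-RecycleBinRestore
```

The expected result of the last call is Test1InResearch and Test2InIT both True, Test1StillEnabled True, and DeletedObjectsLeft 0. Enabling the Recycle Bin also extends how long deleted objects stay recoverable, so the lifetime figures reported by the first function are worth recording in the change documentation.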
Lab: Maintaining AD DS
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London,
United Kingdom. An IT office and data center in London support the head office and other locations. A.
Datum recently deployed a Windows Server 2012 server and client infrastructure, and is making several
organizational changes that require modifications to the AD DS infrastructure. A new location requires a
secure method of providing onsite AD DS. A. Datum is opening a new branch office that does not yet
have a secure data center, but does now require a domain controller. You need to deploy a domain
controller for this office. In addition, you have been asked to extend the capabilities of Active Directory
Recycle Bin to the entire organization. As part of an overall virtualization strategy, IT management also
wants you to perform a proof of concept deployment of a domain controller using domain controller
cloning.
Objectives
After completing this lab, you will be able to:
Install and configure an RODC.
Configure and view Active Directory snapshots.
Configure the Active Directory Recycle Bin.
Use domain controller cloning to deploy a domain controller.
Lab Setup
Estimated Time: 75 minutes
Virtual machines: 20411D-LON-DC1, 20411D-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411D-LON-DC1, and, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Adatum
5. Repeat steps 2 through 4 for 20411D-LON-SVR1.
Exercise 1: Installing and Configuring an RODC
Scenario
A. Datum is adding a new branch office. You have been asked to configure an RODC to service logon
requests at the branch office. You also need to configure password policies that ensure caching only of
passwords for local users in the branch office.
The main tasks for this exercise are as follows:
1. Verify requirements for installing an RODC
2. Install an RODC
3. Configure a password replication policy
Task 1: Verify requirements for installing an RODC
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. In the properties of Adatum.com, verify that the forest functional level is at least Windows
Server 2003.
3. On LON-SVR1, open Server Manager, and verify whether the computer is a domain member.
4. Use System Properties to place LON-SVR1 in a workgroup named TEMPORARY.
5. Restart LON-SVR1.
6. On LON-DC1, open Active Directory Users and Computers.
7. Delete the LON-SVR1 computer account from the Computers container.
8. In the Domain Controllers OU, precreate an RODC account by using default settings, except for the
following:
Computer name: LON-SVR1
Delegate to: ADATUM\IT
9. Close Active Directory Users and Computers.
Task 2: Install an RODC
1. Sign in to LON-SVR1 as Administrator with the password Pa$$w0rd.
2. On LON-SVR1, add the Active Directory Domain Services role.
3. Complete the Active Directory Domain Services Installation Wizard by using default options except
those listed below:
Domain: Adatum.com
Network credentials: Adatum\April (a member of the IT group)
Password for April: Pa$$w0rd
Directory Services restore mode password: Pa$$w0rd
Replicate from: LON-DC1.Adatum.com
4. When installation is complete, restart LON-SVR1.
Task 3: Configure a password replication policy
Configure password replication groups
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. In the Users container, view the membership of the Allowed RODC Password Replication Group,
and verify that there are no current members.
3. In the Domain Controllers OU, open the properties of LON-SVR1.
4. On the Password Replication Policy tab, verify that the Allowed RODC Password Replication
Group and Denied RODC Password Replication Group are listed.
Create a group to manage password replication to the remote office RODC
1. On LON-DC1, in Active Directory Users and Computers, in the Research OU, create a new group
named Remote Office Users.
2. Add Aziz, Colin, Lukas, Louise, and LON-CL1 to the membership of Remote Office Users.
Configure a Password Replication Policy for the remote office RODC
1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and
then open the properties of LON-SVR1.
2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate
passwords to LON-SVR1.
Evaluate the resulting Password Replication Policy
1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
properties of LON-SVR1.
2. On the Password Replication Policy tab, click Advanced. On the Resultant Policy tab, add Aziz,
and then confirm that Aziz's password can be cached.
Monitor credential caching
1. Attempt to sign in to LON-SVR1 as Aziz. This sign-in will fail because Aziz does not have permission
to sign in to the RODC, but authentication is performed and the credentials are now cached.
2. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
properties of LON-SVR1.
3. On the Password Replication Policy tab, open the Advanced configuration.
4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only
Domain Controller option. Notice that Aziz's password has been cached.
Prepopulate credential caching
1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click
LON-SVR1, and then click Properties.
2. On the Password Replication Policy tab, click Advanced.
3. On the Policy Usage tab, prepopulate the password for Louise and LON-CL1.
4. Read the list of cached passwords, and then confirm that Louise and LON-CL1 have been added.
5. Close all open windows on LON-DC1.

Results: After completing this exercise, you should have successfully installed and configured a read-only
domain controller (RODC).
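Exercise 1's password replication policy work from the Active Directory module, as an added example that is not the course's own script. It includes the staging step for the RODC account, the group and policy configuration, prepopulation of credentials, and an audit a practitioner would schedule: an RODC should hold no cached secret the policy did not intend. LON-SVR1, LON-DC1 and the group and user names follow the lab; the site name is an assumption.

```powershell
# Added example, not the course's own script: RODC password replication policy for Exercise 1.
# Names follow the lab; the site name 'Default-First-Site-Name' is an assumption.
Import-Module ActiveDirectory
$Rodc  = 'LON-SVR1'
$Group = 'Remote Office Users'

function New-RodcAccount {
    # Task 1, step 8: stage the RODC account so that a member of IT can complete the promotion on LON-SVR1.
    Import-Module ADDSDeployment
    Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $Rodc -DomainName 'Adatum.com' `
        -SiteName 'Default-First-Site-Name' -DelegatedAdministratorAccountName 'ADATUM\IT'
}

function New-RemoteOfficePrp {
    # Task 3: a dedicated group for the branch, allowed to replicate passwords to this RODC only.
    $domainDn = (Get-ADDomain).DistinguishedName
    New-ADGroup -Name $Group -GroupScope Global -Path "OU=Research,$domainDn"
    Add-ADGroupMember -Identity $Group -Members 'Aziz', 'Colin', 'Lukas', 'Louise', (Get-ADComputer -Identity 'LON-CL1')
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group
}

function Get-PrpSummary {
    # The views the Password Replication Policy tab and its Advanced dialog show.
    [pscustomobject]@{
        Allowed       = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied        = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
        Cached        = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName
        Authenticated = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts).SamAccountName
    }
}

function Sync-BranchPasswords {
    # Prepopulate credential caching (Louise and LON-CL1 in the lab) so branch logon works before
    # the first authentication has been relayed across the WAN.
    param([string[]]$Accounts = @('Louise', 'LON-CL1$'))
    foreach ($account in $Accounts) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$account)"
        Sync-ADObject -Object $obj -Source 'LON-DC1' -Destination $Rodc -PasswordOnly
    }
}

function Test-UnexpectedCachedPasswords {
    # Audit: accounts whose password is cached on the RODC but which are not members of the branch
    # group. The RODC's own computer account and its krbtgt_<id> account are always cached and are skipped.
    $intended = @(Get-ADGroupMember -Identity $Group -Recursive).SamAccountName
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.SamAccountName -ne "$Rodc`$" -and $_.SamAccountName -notlike 'krbtgt_*' -and
                       $intended -notcontains $_.SamAccountName }
}

# New-RodcAccount runs once on LON-DC1 before Task 2; the rest after the RODC is in place.
New-RemoteOfficePrp
Sync-BranchPasswords
Get-PrpSummary
Test-UnexpectedCachedPasswords     # no output is the expected result
```

If the audit ever lists an account, the Password Replication Policy tab in the Advanced dialog offers the same view, and the cached secret can be invalidated by resetting that account's password.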
Exercise 2: Configuring AD DS Snapshots
Scenario
As part of the overall disaster recovery plan for A. Datum, you have been instructed to test the process for
taking Active Directory snapshots and viewing them. If the process is successful, you will schedule them to
occur on a regular basis to assist in the recovery of deleted or modified AD DS objects.
The main tasks for this exercise are as follows:
1. Create a snapshot of AD DS
2. Make a change to AD DS
3. Mount an Active Directory snapshot, and create a new instance
4. Explore a snapshot with Active Directory Users and Computers
5. Unmount an Active Directory snapshot
Task 1: Create a snapshot of AD DS
Note: The commands in the following step return a message indicating that the snapshot
set was generated successfully. The GUID that displays is important for commands in later tasks.
Make a note of the GUID or copy it to the Clipboard.
On LON-DC1, open a command prompt window, and then type each of the following commands
followed by Enter:
ntdsutil
snapshot
activate instance ntds
create
quit
Quit
Task 2: Make a change to AD DS
1. On LON-DC1, open Server Manager.
2. From Server Manager, open Active Directory Users and Computers.
3. Delete Adam Barr's account from the Marketing OU.
Task 3: Mount an Active Directory snapshot, and create a new instance
1. Open an administrative command prompt, and then type each of the following commands followed
by Enter:
ntdsutil
snapshot
activate instance ntds
list all
The command returns a list of all snapshots.
2. Type each of the following commands followed by Enter:
mount guid
quit
Quit
Where guid is the GUID of the snapshot you created.
3. While many command executables can be run without any issue in Windows PowerShell, you cannot
run the dsamain.exe command from Windows PowerShell. Ensure that you are in the command
prompt as administrator to perform this step.
Use the snapshot to start an instance of Active Directory by typing the following command, all on one
line, and then press Enter:
dsamain /dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000
Note that datetime will be a unique value. There should be only one folder on your drive C with a
name that begins with $snap.
4. A message indicates that AD DS startup is complete. Leave Dsamain.exe running, and do not close the
command prompt.
Task 4: Explore a snapshot with Active Directory Users and Computers
1. Switch to Active Directory Users and Computers. Right-click the root node of the snap-in, and then
click Change Domain Controller. Type the directory server name and port LON-DC1:50000, and
then press Enter. Click OK.
2. Locate the Adam Barr user account object in the Marketing OU. Note that Adam Barr's object is
displayed because the snapshot was taken prior to deleting it.
Task 5: Unmount an Active Directory snapshot
1. In the command prompt, press Ctrl+C to stop DSAMain.exe.
2. Type the following commands:
ntdsutil
snapshot
activate instance ntds
list all
unmount guid
list all
quit
Quit
Where guid is the GUID of the snapshot.

Results: After completing this exercise, you should have successfully configured Active Directory Domain
Services (AD DS) snapshots.
Exercise 3: Configuring the Active Directory Recycle Bin
Scenario
As part of the Disaster Recovery plan for AD DS, you need to configure and test the Active Directory
Recycle Bin to allow for object and container level recovery.
The main tasks for this exercise are as follows:
1. Enable the Active Directory Recycle Bin
2. Create and delete test users
3. Restore the deleted users
4. Prepare for the next module
Task 1: Enable the Active Directory Recycle Bin
1. On LON-DC1, from Server Manager, open Active Directory Administrative Center.
2. Enable the Recycle Bin.
3. Press F5 to refresh Active Directory Administrative Center.
Task 2: Create and delete test users
1. In Active Directory Administrative Center, create the following users in the Research OU. Give
each a password of Pa$$w0rd:
Test1
Test2
2. Delete the Test1 and Test2 accounts.
Task 3: Restore the deleted users
1. In Active Directory Administrative Center, navigate to the Deleted Objects folder for the Adatum
domain.
2. Restore Test1 to its original location.
3. Restore Test2 to the IT OU.
4. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.
Task 4: Prepare for the next module
Note: Do not perform this task if you are going to perform the optional exercise, Cloning a
Domain Controller. If you perform the optional exercise, return here when it is done to finish
the Prepare for the next module task as outlined below.
When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411D-LON-SVR1.

Results: After completing this exercise, you should have successfully configured the Active Directory
Recycle Bin.
Exercise 4: Optional Exercise: Cloning a Domain Controller
Scenario
IT management at A. Datum wants to be able to deploy new virtual domain controllers rapidly when
necessary. They are considering using the domain controller clone in Windows Server 2012 R2. You must
perform a domain controller cloning procedure as a proof of concept for your IT management team.
The main tasks for this exercise are as follows:
1. Check for domain controller clone prerequisites
2. Export the source domain controller
3. Perform domain controller cloning
Task 1: Check for domain controller clone prerequisites
1. Switch to LON-DC1.
2. Add the domain controller LON-DC1 to the Active Directory group Cloneable Domain Controllers.
3. Verify applications and services on LON-DC1 to support cloning.
4. Create a DCCloneConfig.xml file, and then configure the name of the cloned domain controller as LON-DC3.
5. Shut down LON-DC1.
Task 2: Export the source domain controller
1. On the host computer, in Hyper-V Manager, export LON-DC1.
2. Start LON-DC1.
Task 3: Perform domain controller cloning
1. Import a new virtual machine by using the exported files. Name the new virtual machine 20411D-
LON-DC3, and then select to Copy the virtual machine (create a new unique ID).
2. In Hyper-V Manager, start LON-DC3.
Task 4: Revert and delete virtual machines
Revert the 20411D-LON-DC1 and delete the 20411D-LON-DC3 virtual machines from the host
computer's Hyper-V Manager.

Results: After completing this exercise, you will have successfully cloned a domain controller.
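Exercise 4 as PowerShell, added here as an example that is not the course's own script. Initialize-SourceDc runs on LON-DC1 (Task 1); New-LabDcClone runs on the Hyper-V host (Tasks 2 and 3). The IP addresses, the site name and the export path are constructed placeholders for the lab network; the cmdlets are the ActiveDirectory and Hyper-V module cmdlets the procedure relies on.

```powershell
# Added example, not the course's own script: domain controller cloning for Exercise 4.
# IP addresses, site name and export path are constructed placeholders.
function Initialize-SourceDc {
    param([string]$CloneName = 'LON-DC3')
    Import-Module ActiveDirectory

    # Prerequisites: the PDC emulator must run Windows Server 2012 or later, and the source must be
    # a member of Cloneable Domain Controllers, the group that holds the permission to clone.
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    Write-Host "PDC emulator: $($pdc.HostName) ($($pdc.OperatingSystem))"
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $env:COMPUTERNAME)

    # Services and applications that are not on the built-in clone allow list block cloning. They are
    # listed for review; generate CustomDCCloneAllowList.xml only after confirming each one is clone-safe.
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        Write-Warning ("Review before cloning:`n" + ($excluded | Format-Table -AutoSize | Out-String))
        return
    }

    # DCCloneConfig.xml is written next to ntds.dit and consumed by the clone on its first boot.
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName 'Default-First-Site-Name' -Static `
        -IPv4Address '172.16.0.30' -IPv4SubnetMask '255.255.0.0' `
        -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'
    Stop-Computer    # Task 1, step 5: the source must be off for the export
}

function New-LabDcClone {
    param(
        [string]$SourceVm   = '20411D-LON-DC1',
        [string]$CloneVm    = '20411D-LON-DC3',
        [string]$ExportRoot = 'D:\DCExport'      # placeholder path on the host
    )
    Import-Module Hyper-V
    Export-VM -Name $SourceVm -Path $ExportRoot
    Start-VM -Name $SourceVm                 # Task 2, step 2: the original is back before the clone boots

    # Hyper-V on Windows Server 2012 R2 stores the exported configuration as <VM GUID>.xml.
    $config = Get-ChildItem -Path (Join-Path $ExportRoot "$SourceVm\Virtual Machines") -Filter '*.xml' |
              Select-Object -First 1
    # Copy with a new ID so the clone is a distinct virtual machine and the original's files stay untouched.
    $vm = Import-VM -Path $config.FullName -Copy -GenerateNewId `
              -VirtualMachinePath (Join-Path $ExportRoot $CloneVm) `
              -VhdDestinationPath (Join-Path $ExportRoot "$CloneVm\Virtual Hard Disks")
    Rename-VM -VM $vm -NewName $CloneVm
    Start-VM -Name $CloneVm                  # boots, reads DCCloneConfig.xml, and promotes itself as LON-DC3
    return Get-VM -Name $CloneVm
}
```

The exported folder contains a full copy of the directory database, including every account's password hash; keep it on protected storage and delete it once the clone has promoted itself.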
Module Review and Takeaways
Best Practices:

Best Practices for Administering AD DS
Do not virtualize all domain controllers on the same hypervisor host or server.
Virtual machine snapshots provide an excellent reference point or quick recovery method, but you
should not use them as a replacement for regular backups. They also will not allow you to recover
objects by reverting to an older snapshot.
Use RODCs when physical security makes a writable domain controller unfeasible.
Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool
for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center
for performing large-scale tasks or those tasks that involve multiple objects. You also can use the
Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated
administrative tasks.
Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be
invaluable in saving time when recovering accidentally deleted objects in AD DS.
Review Question(s)
Question: Which AD DS objects should have their credentials cached on an RODC located in
a remote location?
Question: What benefits does Active Directory Administrative Center provide over Active
Directory Users and Computers?
Tools
Tool | Used for | Where to find it
Hyper-V Manager | Managing virtualized hosts on Windows Server 2012 | Server Manager - Tools
Active Directory module for Windows PowerShell | Managing AD DS through scripts and from the command line | Server Manager - Tools
Active Directory Users and Computers | Managing objects in AD DS | Server Manager - Tools
Active Directory Administrative Center | Managing objects in AD DS, enabling and managing the Active Directory Recycle Bin | Server Manager - Tools
Ntdsutil.exe | Managing AD DS snapshots, compacting and moving the AD DS database, transferring and seizing operation master roles, and other uses | Command prompt
Dsamain.exe | Mounting AD DS snapshots for browsing, comparing existing objects between databases, and other uses | Command prompt
Module 3
Managing User and Service Accounts
Contents:
Module Overview 3-1
Lesson 1: Configuring Password Policy and User Account Lockout Settings 3-2
Lesson 2: Configuring Managed Service Accounts 3-12
Lab: Managing User and Service Accounts 3-20
Module Review and Takeaways 3-24

Module Overview
Managing user accounts in an enterprise environment can be a challenging task. You must ensure that
you configure the user accounts in your environment properly, and that you protect them from
unauthorized use and from users who abuse their account privileges. Using dedicated service accounts for
system services and background processes, as well as setting appropriate account policies, will help to
ensure that your environment running the Windows Server 2012 R2 operating system gives users and
applications the access they need to function properly.
This module will help you to understand the different options available for providing adequate password
security for accounts in your environment, and show you how to configure accounts to provide
authentication for system services and background processes.
Objectives
After completing this module, you will be able to:
Configure password policy and account-lockout settings.
Configure managed service accounts.
Lesson 1
Configuring Password Policy and User Account Lockout
Settings
As an administrator, you must ensure that the user accounts in your environment conform to the security
settings established by your organization. Windows Server 2012 uses account policies to configure
security-related settings for user accounts. This module will help you to identify the settings available for
configuring account security and the methods available to configure those settings.
Lesson Objectives
After this lesson, you will be able to:
Explain user account policies.
Explain Kerberos policies.
Explain how to configure user account policies.
Describe Password Settings objects (PSOs).
Explain how to configure PSOs.
Configure PSOs.
Discuss planning password policies.
User Account Policies
User account policies in Active Directory Domain
Services (AD DS) define the default settings for
security-related attributes assigned to user
objects. In AD DS, account policies are separated
into two different groups of settings: password
policy and account lockout. You can configure
both groups of settings in the local policy settings
for an individual Windows Server 2012 server, or
for the entire domain by using the Group Policy
Management Console (GPMC) in AD DS. When
local policy settings conflict with Group Policy
settings, Group Policy settings override local
policy settings.
In the Group Policy Management Editor within AD DS, you can apply most policy settings at different
levels within the AD DS structure: domain, site, or organizational unit (OU). However, you can apply only
account policies at one level in AD DS to the entire domain. Therefore, you can apply only one set of
account policy settings to an AD DS domain.
Password Policy
The password policy settings are designed to work together. For example, you have a user who likes to
use the same password as much as possible. However, due to the password policy requirement to change
the password periodically, the user must create a different password. There are ways the user can work
around this requirement and be able to use a preferred password relatively quickly. In this case,
combining the requirement to change the password periodically with enforcing the password history, as
well as setting a minimum password age makes it more difficult for that user to do so. Remember that the
goal of the password policy is not to make life difficult for the user, but to make it more difficult for
someone to guess or steal the user's password.
You define the password policy by using the following settings:
Enforce password history. This is the number of unique new passwords that you must associate with a
user account before an old password can be reused. The default setting is 24 previous passwords.
When you use this setting with the minimum password-age setting, the enforce password history
setting prevents constant reuse of the same password.
Maximum password age. This is the number of days that a password can be used before the user
must change it. Regularly changing passwords helps to prevent the compromise of passwords.
However, you must balance this security consideration against the logistical considerations that result
from requiring users to change passwords too often. The default setting of 42 days is probably
appropriate for most organizations.
Minimum password age. This is the number of days that a password must be used before the user can
change it. The default value is one day, which is appropriate if you also enforce password history. You
can restrict the constant use of the same password if you use this setting in conjunction with a short
setting to enforce password history.
Minimum password length. This is the minimum number of characters that a user's password must
contain. The default value is seven. This default is a widely used minimum, but you should consider
increasing the password length to at least 10 to enhance security. Each additional character that is
required makes it exponentially harder to use brute force techniques. This means guessing and
replacing each character until the unauthorized user derives all of the characters. These are some
examples that show the exponential increase in difficulty that longer passwords create:
Seven-character passwords have 10 million possible combinations.
Eight-character passwords have 100 million combinations.
Nine-character passwords have 1 billion possible combinations.
Complexity requirements. Windows Server includes a default password filter that is enabled by
default, and you should not disable it. The filter requires that a password have the following
characteristics:
o Does not contain your name or your user name.
o Contains at least six characters.
o Contains characters from three of the following four groups:
Uppercase letters, such as A and Z.
Lowercase letters, such as a and z.
Numerals, such as 0 and 9.
Special, nonalphanumeric characters, such as !, @, #, ), (, and *.
Account Lockout Policy
You can define thresholds for account lockout, duration of the lockout, and a way to unlock accounts.
Thresholds for account lockout stipulate that accounts become inoperable after a certain number of failed
logon attempts during a certain amount of time. Account lockout policies help to detect and prevent
brute force attacks on account passwords. The following settings are available:
Account lockout duration. Defines the number of minutes that a locked account remains locked. After
the specified number of minutes, the account is unlocked automatically. To specify that an
administrator must unlock the account, set the value to zero. This requires administrators to unlock
high security accounts. You can choose to configure this setting to 30 minutes for normal users.
Account lockout threshold. Determines the number of failed logon attempts that are allowed before a
user account is locked out. A value of zero means that the account is never locked out. You should set
this value high enough to allow for users who mistype their passwords, but low enough to help
ensure that brute force attempts to guess the password fail. Common values for this setting range
from three to five failed logon attempts.
Reset account lockout counter after. Determines how many minutes must elapse after a failed logon
attempt before the bad logon counter is reset to zero. This setting applies when a user has typed in
his or her password incorrectly, but they have not exceeded the account lockout threshold. Consider
setting this value to 30 minutes.
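The password and account lockout settings described above are exposed by the Active Directory module as one object. As an added example that is not part of the course, the script below audits the current default domain policy against the recommendations in this lesson and shows how to apply them; it assumes the course's Adatum.com domain and a session with the Active Directory module installed, and the function names are this example's own.

```powershell
# Added example (not the course's own code): review and set the domain-wide
# password and account lockout settings with the Active Directory module.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    # Compares the default domain policy with the lesson's recommendations
    # and returns one line of text per deviation (empty means compliant).
    param([string]$Domain = 'Adatum.com')   # course domain; change as needed

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    if ($p.MinPasswordLength -lt 10) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength); lesson suggests at least 10"
    }
    if (-not $p.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled; the default filter should stay enabled'
    }
    if ($p.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount); default is 24"
    }
    if ($p.MinPasswordAge.TotalDays -lt 1) {
        # Without a minimum age a user can cycle through the history in minutes
        $findings += 'MinPasswordAge is under 1 day, so password history can be bypassed'
    }
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'MaxPasswordAge is 0 (never expires)'
    }
    if ($p.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0: accounts never lock, so brute force is not slowed'
    }
    elseif ($p.LockoutThreshold -gt 5) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold); common values are 3 to 5"
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled; plaintext passwords are recoverable'
    }
    return $findings
}

function Set-LessonPasswordPolicy {
    # Applies the values this lesson recommends: 10-character minimum,
    # 42-day maximum age, 1-day minimum age, 24-password history, lockout
    # after 5 failures, 30-minute lockout and 30-minute counter reset.
    param([string]$Domain = 'Adatum.com')
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -ComplexityEnabled $true `
        -MinPasswordLength 10 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 42) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Audit first; apply only after the findings have been reviewed.
Get-PasswordPolicyFindings
```

Because there is only one default domain policy, Set-ADDefaultDomainPasswordPolicy changes the Default Domain Policy GPO for every account in the domain; exceptions for particular groups belong in a PSO, which is covered later in this lesson.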
Kerberos Policies
You deploy Kerberos policy settings for the entire
domain from the Default Domain Policy. This
policy is for domain user and computer accounts,
and determines Kerberos-related settings such as
ticket lifetimes and enforcement. Kerberos policies
do not exist in the Local Computer Policy. The
Kerberos Policy configuration options contain
settings for the Kerberos V5 authentication
protocol ticket-granting ticket (TGT), the session
ticket lifetimes, and time-stamp settings. For most
organizations, the default settings are appropriate.
You will find the Kerberos policy in the Group
Policy Object Editor in the Account Policy section of the Computer Configuration, Security Settings, under
the Password and Account Lockout policies just mentioned.
Kerberos is an authentication protocol that issues identity tickets which allow entities to prove who they
are to other entities in a secure manner. Kerberos has several unique advantages as an authentication
protocol. It has the ability to provide delegated authentication by allowing Windows operating systems
services to impersonate a client computer when accessing resources for it. Kerberos provides single sign-
on for domain users and computers by issuing TGTs that they can trade for session tickets to access
specific server sessions. Kerberos has expansive interoperability with other networking components
because Kerberos is part of the TCP/IP suite of non-proprietary protocols. Kerberos provides a more
efficient authentication with servers because you use Kerberos session tickets presented by user-level
services for approved access to server resources. Finally, Kerberos delivers mutual authentication because
the server presents its credentials back to the user-level services.
Kerberos Policy
You can use the Kerberos Policy in a Group Policy Object (GPO) to enforce user logon restrictions and to
define thresholds for maximum service and user ticket lifetime, maximum user ticket renewal lifetime, and
the maximum time computer clocks can be out of synchronization. The following settings are available:
Enforce user logon restrictions. Determines if the Kerberos V5 Key Distribution Center (KDC) will
validate every session ticket request against the user account's user rights policy. This can add extra
security, but it is not required. Choosing to enforce user logon restrictions can slow down services'
access to network resources. This setting is enabled by default.
Maximum lifetime for service ticket. Defines the maximum time a service ticket is valid for
authenticating client access to a particular service. If the service ticket expires before the client
requests the server connection, the server will respond with an error and the client redirects requests
back to the KDC to receive a new service ticket. This maximum lifetime must be at least 10 minutes
but not greater than the maximum lifetime for a user ticket. By default, the maximum service ticket
lifetime is 600 minutes, or 10 hours.
Maximum lifetime for user ticket. Sets the amount of time a user account's TGT is valid. The default is
10 hours.
Maximum lifetime for user ticket renewal. Sets the amount of time in days that the user account's TGT
can be renewed. The default is seven days.
Maximum tolerance for computer clock synchronization. Determines the amount of time that client
computers' clocks can be out of sync with the domain controller. The primary domain controller
(PDC) emulator operation master role on a domain determines the correct time for the entire domain.
TGTs, service tickets, and domain replication packets are time stamped, and the times on the various
tickets and packets are verified between correspondent computers. However, it is possible for any two
computers to be out of sync on their clocks. Administrators can set the amount of time by which the
clocks can be out of sync. The default for this setting is five minutes.
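The Kerberos Policy settings live only in the Default Domain Policy GPO, so checking them means reading that GPO. As an added example that is not part of the course, the script below pulls the Kerberos section out of the GPO's XML report and tests it against the constraints stated above (service ticket lifetime of at least 10 minutes and no longer than the TGT lifetime). It assumes the GroupPolicy module is available; the XML element names Account, Name, Type, SettingNumber and SettingBoolean, and the setting names MaxServiceAge, MaxTicketAge, MaxRenewAge, MaxClockSkew and TicketValidateClient, are my recollection of the Get-GPOReport schema and should be checked against a report from your own domain.

```powershell
# Added example (not the course's own code): read and validate the
# Kerberos Policy of the Default Domain Policy. Schema names are assumed.
Import-Module GroupPolicy

function Get-ChildText {
    # Returns the text of the first child element with the given local name,
    # ignoring the namespace prefix the report uses (for example q1:Name).
    param([System.Xml.XmlElement]$Element, [string]$LocalName)
    $child = $Element.ChildNodes | Where-Object { $_.LocalName -eq $LocalName } |
        Select-Object -First 1
    if ($child) { $child.InnerText } else { $null }
}

function Get-KerberosPolicyFromGpo {
    # Collects Type=Kerberos account settings into a hashtable keyed by name.
    param([string]$GpoName = 'Default Domain Policy')
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $settings = @{}
    foreach ($ext in $report.GPO.Computer.ExtensionData.Extension) {
        foreach ($acct in ($ext.ChildNodes | Where-Object { $_.LocalName -eq 'Account' })) {
            if ((Get-ChildText $acct 'Type') -ne 'Kerberos') { continue }
            $name = Get-ChildText $acct 'Name'
            $num  = Get-ChildText $acct 'SettingNumber'
            $bool = Get-ChildText $acct 'SettingBoolean'
            $settings[$name] = if ($num) { [int]$num }
                               elseif ($bool) { [bool]::Parse($bool) }
                               else { $null }
        }
    }
    return $settings
}

function Test-KerberosPolicy {
    # Units follow the GPO: MaxServiceAge and MaxClockSkew in minutes,
    # MaxTicketAge in hours, MaxRenewAge in days. Returns findings.
    param([hashtable]$Settings)
    $findings = @()
    $tgtMinutes = $Settings['MaxTicketAge'] * 60

    if ($Settings['MaxServiceAge'] -lt 10) {
        $findings += 'MaxServiceAge is below the 10-minute minimum'
    }
    if ($Settings['MaxServiceAge'] -gt $tgtMinutes) {
        $findings += 'MaxServiceAge exceeds the user ticket (TGT) lifetime'
    }
    if ($Settings['MaxRenewAge'] * 24 -lt $Settings['MaxTicketAge']) {
        $findings += 'MaxRenewAge is shorter than a single TGT lifetime'
    }
    if ($Settings['MaxClockSkew'] -gt 5) {
        $findings += "MaxClockSkew is $($Settings['MaxClockSkew']) minutes; default is 5"
    }
    if ($Settings.ContainsKey('TicketValidateClient') -and -not $Settings['TicketValidateClient']) {
        $findings += 'Enforce user logon restrictions is disabled'
    }
    return $findings
}

# Constructed sample matching the defaults described in this topic.
$defaults = @{
    MaxServiceAge        = 600    # minutes (10 hours)
    MaxTicketAge         = 10     # hours
    MaxRenewAge          = 7      # days
    MaxClockSkew         = 5      # minutes
    TicketValidateClient = $true
}
Test-KerberosPolicy -Settings $defaults
Test-KerberosPolicy -Settings (Get-KerberosPolicyFromGpo)
```

A larger clock skew tolerance widens the window in which a captured ticket can be replayed, which is why the check flags anything above the five-minute default rather than only values the KDC would reject.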
You can create access control based on claims and compound authentication by deploying Dynamic
Access Control. You must ensure that you have sufficient Windows Server 2008 and higher domain
controllers available that use these new authorization types. The KDC administrative template policy
setting allows you to configure a domain controller to support claims and compound authentication for
Dynamic Access Control and Kerberos armoring. Note that domain controllers running Windows
Server 2003 cannot be in a domain allowing claims and compound authentication. Additionally, Windows
Server 2012 is required for Kerberos clients running the Windows 8 operating system to support claims
and compound authentication by using Kerberos authentication. Devices running Windows 8 will fail
authentication if they cannot find a domain controller running Windows Server 2012. You must ensure
that there are sufficient domain controllers running Windows Server 2012 for any account, referral, and
resource domains that are supported.
Configuring User Account Policies
There are several options available for configuring
user account policies when administering an
AD DS environment.
Local Policy Settings with Secpol.msc
Each individual Windows Server 2012 computer
has its own set of account policies, which apply to
accounts created and managed on the local
computer. To configure these policy settings,
open the Local Security Policy console by running
secpol.msc from the command prompt. You can
locate the password policy and account policy
settings within the Local Security Policy Console
by expanding Security Settings, and then expanding Account Policies.
Group Policy with Group Policy Management
In the AD DS domain environment, you configure domain-wide account policy settings within the Group
Policy Management Editor. Follow these steps to find the domain-wide account policy settings:
Expand the Computer Configuration node, expand the Policies node, expand the Windows
Settings node, expand the Security Settings node, and then expand the Account Policies node.
The settings found within the Account Policies node are the same settings found in the Local Security
Policy, with the addition of the Kerberos Policy settings that apply to domain authentication.
The Group Policy Account Policy settings exist in the template of every GPO that you create in the GPMC.
However, you can apply an account policy only once in a domain and in only one GPO. This is the Default
Domain Policy, and it links to the root of the AD DS domain. Therefore, the Account Policy settings in the
Default Domain Policy apply to every computer that is joined to the domain.
Note: If settings conflict between the account policy settings in the Local Security Policy
and the account policy settings in the Default Domain Policy GPO, the Default Domain Policy
settings take precedence.
When you initially install a Windows operating system such as Windows 8.1 or Windows Server 2012 R2,
the computer will have a password policy with settings configured and established by default, but the
account lockout policy does not have any settings configured. When you install a domain, the Default
Domain Policy that is created contains all three policies. The Password and Kerberos Policies settings are
configured and established by default, but there are no settings configured for the account lockout policy.
You can make changes to any of the policies, including configuring the settings in the account lockout
policy. However, you need to consider the implications carefully before doing so.
In most cases, your organization will already have established domains and computer systems that have
these settings configured. Most organizations also have numerous written security policies that dictate
standards for password and account lockout policies. In these cases, you cannot make changes without
approval or addressing the written security policies.
Question: Why would you use secpol.msc to configure local account policy settings for a
computer running the Windows Server 2012 operating system instead of using domain-based
Group Policy account policy settings?
What Are Password Settings Objects?
Starting with Windows Server 2008,
administrators can define more than one
password policy in a single domain by
implementing fine-grained password policies.
These enable you to have more granular control
over user password requirements, and you can
have different password requirements for different
users or groups.
To support the fine-grained password policy
feature, AD DS in Windows Server 2008 and newer
versions includes two object types:
Password Settings Container. Windows Server
creates the Password Settings Container (PSC) by default, and you can view it in the domain's System
container. The container stores the PSOs that you create and link to global security groups or to users.
Password Settings objects. Members of the Domain Admins group create PSOs, and then define the
specific password and account lockout settings to be linked to a specific security group or user.
Fine-grained password policies apply only to user objects and to global security groups. You can also use
inetOrgPerson objects instead of user objects. By linking a PSO to a user or a group, you are modifying an
attribute called msDS-PSOApplied, which is empty by default. This approach now treats password and
account lockout settings not as domain-wide requirements, but as attributes to a specific user or a group.
For example, to configure a strict password policy for administrative accounts, create a global security
group, add the administrative user accounts as members, and link a PSO to the group. Applying fine-
grained password policies to a group in this manner is more manageable than applying the policies to
each individual user account. If you create a new service account, you simply add it to the group, and the
account becomes managed by the PSO.
Note: By default, only members of the Domain Admins group can set fine-grained
password policies. However, you also can delegate the ability to set these policies to other users.
Applying Fine-Grained Password Policies
You cannot apply a fine-grained password policy to an OU directly. To apply a fine-grained password
policy to users of an OU, you can use a shadow group. A shadow group is a global security group that
maps logically to an OU, and enforces a fine-grained password policy. You can add an OU's users as
members of the newly created shadow group, and then apply the fine-grained password policy to this
shadow group. If you move a user from one OU to another, you must update the membership of the
corresponding shadow groups.
The settings that you manage using a fine-grained password policy are identical to those in the Password
Policy and Accounts Policy nodes of a GPO. However, you do not implement fine-grained password
policies as part of a Group Policy and you do not apply them as part of a GPO. Instead, there is a separate
class of object in AD DS that maintains the settings for fine-grained password policies: the PSO.
You can create one or more PSOs in your domain. Each PSO contains a complete set of password and
lockout policy settings. You apply a PSO by linking the PSO to one or more global security groups or
users.
To use a fine-grained password policy, your domain functional level must be Windows Server 2008 or
newer. This means that all of your domain controllers in the domain are running Windows Server 2008 or
newer, and the domain functional level has been raised to Windows Server 2008 or newer.
To confirm and modify the domain functional level, perform the following steps:
1. Open Active Directory Domains and Trusts.
2. In the console tree, expand Active Directory Domains and Trusts, and then expand the tree until
you can see the domain.
3. Right-click the domain, and then click Raise domain functional level.
Configuring PSOs
You can create and apply PSOs in the Windows
Server 2012 environment by using either of the
following tools:
Active Directory Administrative Center
Windows PowerShell


Configuring PSOs by Using Windows
PowerShell
In Windows Server 2012, you can use the new
Windows PowerShell cmdlets in the Active
Directory module for Windows PowerShell to
create and manage PSOs in your domain.
New-ADFineGrainedPasswordPolicy
This cmdlet creates a new PSO, and defines the PSO parameters. For example, the following
command creates a new PSO named TestPwd, and then specifies its settings (the backtick continues
the command on the next line):
New-ADFineGrainedPasswordPolicy -Name TestPwd -Precedence 1 -ComplexityEnabled $true `
-LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" -LockoutThreshold 0 `
-MaxPasswordAge "42.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 7 `
-PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
-ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject
This cmdlet enables you to link a user or group to an existing PSO. For example, the following
command links the TestPwd PSO to the AD DS group named Marketing:
Add-ADFineGrainedPasswordPolicySubject -Identity TestPwd -Subjects Marketing
Configuring PSOs by Using the Active Directory Administrative Center
The Active Directory Administrative Center provides a GUI for creating and managing PSOs. To manage
PSOs in the Active Directory Administrative Center, follow these steps:
1. Open the Active Directory Administrative Center.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Node dialog box, and then click OK.
3. In the Active Directory Administrative Center navigation pane, open the System container, and then
click Password Settings Container.
4. In the Tasks pane, click New, and then click Password Settings.
5. Fill in or edit fields inside the Password Settings page to create a new Password Settings object.
6. Under Directly Applies To, click Add, type Marketing, and then click OK.
This associates the Password Policy object with the members of the global group that you created
for the test environment.
7. Click OK to create the PSO.
Note: The Active Directory Administrative Center interface for PSO management uses the
Windows PowerShell cmdlets mentioned previously to carry out the creation and management of
PSOs.
Considerations for Configuring PSOs
It is possible for you to link more than one PSO to a user or a security group. You might do this if a user is
a member of multiple security groups, which might each have an assigned PSO already, or if you assign
multiple PSOs directly to a user object. In either case, it is important to understand that you can apply
only one PSO as the effective password policy.
If you assign multiple PSOs to a user or a group, the msDS-PasswordSettingsPrecedence attribute helps
to determine the resultant PSO. A PSO with a lower value takes precedence over a PSO with a higher
value.
The following process describes how AD DS determines the resultant PSO if you link multiple PSOs to a
user or a group:
1. Any PSO that you link directly to a user object is the resultant PSO. If you link multiple PSOs directly
to the user object, the PSO with the lowest msDS-PasswordSettingsPrecedence value is the
resultant PSO. If two PSOs have the same precedence, the PSO with the mathematically smallest
objectGUID is the resultant PSO.
2. If you do not link any PSOs directly to the user object, AD DS compares the PSOs for all global
security groups that contain the user object. The PSO with the lowest msDS-PasswordSettings
Precedence value is the resultant PSO. If you apply multiple PSOs to the same user, and they
have the same msDS-PasswordSettingsPrecedence value, AD DS applies the PSO with the
mathematically smallest globally unique identifier (GUID).
3. If you do not link any PSOs to the user object, either indirectly through group membership or directly,
AD DS applies the Default Domain Policy.
All user objects contain a new attribute called msDS-ResultantPSO. You can use this attribute to help
determine the distinguished name of the PSO that AD DS applies to the user object. If you do not link a
PSO to the user object, this attribute does not contain any value and the Default Domain Policy GPO
contains the effective password policy.
To view the effect of a policy that AD DS is applying to a user, follow these steps:
1. Open Active Directory Users and Computers, then, on the View menu, ensure that Advanced
Features is enabled.
2. Open the properties of a user account. You can view the msDS-ResultantPSO attribute on the
Attribute Editor tab if you have configured the Show Constructed Attributes option under the
Filter options.
Demonstration: Configuring PSOs
In this demonstration, you will see how to use the Active Directory Administrative Center to create and
configure a PSO. You will create a global security group in the Information Technology (IT) OU named
ITAdmins, and then create a PSO for the group.
Demonstration Steps
1. In Server Manager, select Active Directory Users and Computers.
2. In Active Directory Users and Computers, create a global security group named ITAdmins in the
IT OU.
3. Open the Group Policy Management console, and explore the Default Domain Policy and the
settings for the various account policies.
4. Open the Active Directory Administrative Center, and navigate to Adatum.com, System,
Password Settings Container.
5. Create a new Password Settings object with the following settings:
Name: IT Administrators PSO
Precedence of 1
Minimum password length of 10
Maximum password age of 30
Enforce account lockout policy: enabled
Number of failed logon attempts allowed set to 5
Apply policy to the ITAdmins group created in step 2
6. Close all open windows.
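The demonstration above creates one PSO in the Active Directory Administrative Center, and the earlier "Considerations for Configuring PSOs" topic explains how AD DS picks one PSO when several apply. As an added example that is not part of the course, the script below performs the demonstration with the Active Directory module, adds a second PSO with a weaker precedence, and then reads the resultant policy for a user so both rules (lowest precedence value wins among group links, and a direct link beats any group link) can be observed. It assumes the course's Adatum.com domain with an IT OU; the ITContractors group, the IT Contractors PSO, the user Beth and the Get-EffectivePasswordPolicy function are constructed for this example.

```powershell
# Added example (not the course's own code): the PSO demonstration in
# PowerShell, plus a check of precedence resolution for one user.
Import-Module ActiveDirectory
$itOu = 'OU=IT,DC=Adatum,DC=com'     # course domain and OU

# Step 2: global security group in the IT OU
New-ADGroup -Name 'ITAdmins' -GroupScope Global -GroupCategory Security -Path $itOu

# Step 5: PSO with the demonstration's settings, applied to ITAdmins
New-ADFineGrainedPasswordPolicy -Name 'IT Administrators PSO' -Precedence 1 `
    -MinPasswordLength 10 -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ComplexityEnabled $true -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT Administrators PSO' -Subjects 'ITAdmins'

# A second, weaker PSO with a higher (less important) precedence value,
# linked to a constructed group, to show how precedence is resolved.
New-ADGroup -Name 'ITContractors' -GroupScope Global -GroupCategory Security -Path $itOu
New-ADFineGrainedPasswordPolicy -Name 'IT Contractors PSO' -Precedence 20 `
    -MinPasswordLength 8 -MaxPasswordAge (New-TimeSpan -Days 60) -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT Contractors PSO' -Subjects 'ITContractors'

function Get-EffectivePasswordPolicy {
    # Reports which PSO AD DS applies to a user. When msDS-ResultantPSO is
    # empty, the Default Domain Policy is the effective password policy.
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties 'msDS-ResultantPSO', 'msDS-PSOApplied'
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    [pscustomobject]@{
        User           = $user.SamAccountName
        DirectlyLinked = @($user.'msDS-PSOApplied')
        ResultantPSO   = $user.'msDS-ResultantPSO'
        Source         = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        Precedence     = if ($pso) { $pso.Precedence } else { $null }
        MinLength      = if ($pso) { $pso.MinPasswordLength }
                         else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
    }
}

# Beth (constructed user) is in both groups: precedence 1 beats 20, so the
# IT Administrators PSO is the resultant PSO.
Add-ADGroupMember -Identity 'ITAdmins'      -Members 'Beth'
Add-ADGroupMember -Identity 'ITContractors' -Members 'Beth'
Get-EffectivePasswordPolicy -SamAccountName 'Beth'

# A PSO linked directly to the user wins over any group-linked PSO,
# regardless of precedence values, so the weaker policy now applies.
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT Contractors PSO' -Subjects 'Beth'
Get-EffectivePasswordPolicy -SamAccountName 'Beth'
```

The second call is the case to watch for in an audit: a PSO linked directly to a privileged account silently overrides a stricter group policy, so direct links (msDS-PSOApplied on user objects) are worth enumerating alongside group links.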
Discussion: Planning Password Policies
Key Points
Consider the following questions, and then discuss
your answers with the class.
Question: Woodgrove Bank, a trusted
lending institution for over 100 years, is
concerned that their customers might
perceive that their security practices are
outdated. The bank president told the
managers that they should review their
policies, and update them to reflect industry
standards. The information systems (IS)
Director asks you to draw up a plan to
enhance the password policy settings. What would you recommend?
Question: Pleased with your answers on the password policy, the IS Director asks you to
come up with a new account lockout policy that will ensure security while also ensuring that
the productivity of bank tellers will not be negatively impacted by being locked out
frequently.
Question: Tailspin Toys is creating a new research department that will work with a global
technology partner on video games. They want to ensure that the strictest password policies
are applied to the researchers in the department. What do you suggest they do?
Question: The IS Director wants to know what Microsoft technology experts consider to be
the best practices for configuring password policies. He asks you to make a list. What would
your list include?
Lesson 2
Configuring Managed Service Accounts
Creating user accounts to provide authentication for applications, system services, and background
processes is a common practice in the Windows environment. Historically, accounts were created, and
often named for use by a specific service. Windows Server 2012 supports AD DS account-like objects
called managed service accounts that make service accounts easier to manage and less of a security risk to
your environment.
This lesson will introduce you to managed service accounts and new functionality related to managed
service accounts introduced in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
Describe service accounts.
Identify the challenges of using standard user accounts for services.
Describe managed service accounts.
Explain how to configure managed service accounts.
Describe group-managed service accounts.
Service Account Overview
In the Windows operating system, applications sometimes require administrative access to local and
network resources. In the past, it was common to give these applications administrative account
permissions to the resources. For example, Microsoft SQL Server needs to manage its databases, and it
might need local administrative access to do this. In a distributed SQL Server environment, with multiple
SQL Servers each hosting numerous databases, it may need administrative access to all of them. For that
reason, an administrator would create an account for SQL Server that belongs to the Domain Admins group,
or at least to each computer's local Administrators group, with a password set to never expire.
Administrators then need to remember to periodically change that password manually on every server
where the service runs under the account. This type of account introduces possible security issues and, if
compromised, can endanger the entire domain.
Because of the possible security issues, you could consider running the program or service using a built-in
local account. Windows operating systems have three built-in local accounts that allow programs and
services to access resources. These accounts are tied to the individual computer rather than to a user
account, as follows:
Local System. Has extensive privileges on the local system and acts as the computer on the network. It
is a very high-privileged built-in account. The name of the account is "NT AUTHORITY\SYSTEM".
Local Service. Has the same level of access to resources and objects as members of the local Users
group. This limited access helps protect the system if individual services or processes are
compromised. Services running as the Local Service account access network resources as a null
session without any credentials. The name of the account is "NT AUTHORITY\LOCAL SERVICE".
Network Service. Has more access to resources and objects than members of the Users group (such as
the Local Service account) have. Services that run as the Network Service account access network
resources by using the credentials of the computer account. The name of the account is "NT
AUTHORITY\NETWORK SERVICE".
Be aware that use of the Local System account could still compromise security, considering the high-level
privileges under which it operates. Therefore, you should take extra care when using this account for
program access. Conversely, the Local Service account may not have enough privileges to access all the
resources required by the program. If the program needs resources on other computers, you could use
the Network Service account. However, you must then add the machine account to a group in the domain
or grant it access individually on the other computers. In all cases, you should make a thorough security
analysis to ensure that you consider all aspects of using these service accounts.
Challenges of Using Standard User Accounts for Services
Many programs such as SQL Server or Internet
Information Services (IIS) contain services that you
install on the server that hosts the program. These
services typically run at server startup or are
triggered by other events. Services often run in
the background and do not require any user
interaction.
For a service to start up and authenticate, you use
a service account. A service account may be an
account that is local to the computer, such as the
built-in Local Service, Network Service, or Local
System accounts. You also can configure a service
account to use a domain-based account located in AD DS.
To help centralize administration and to meet program requirements, many organizations choose to use a
domain-based account to run program services. While this does provide some benefit over using a local
account, there are a number of associated challenges, such as the following:
Extra administration effort may be necessary to manage the service account password securely. This
includes tasks such as changing the password and resolving situations that cause an account lockout.
Service accounts also typically are configured to have passwords that do not expire, which may go
against your organization's security policies.
It can be difficult to determine where a domain-based account is being used as a service account. You
may use a standard user account for multiple services on various servers throughout the environment.
A simple task, such as changing the password, may then cause authentication failures for some
applications. It is important to know where and how a standard user account is used when it is
associated with a program service.
Extra administration effort may be necessary to manage the service principal name (SPN). Using a
standard user account may require manual administration of the SPN. If the logon account of the
service changes, the computer name is changed, or a Domain Name System (DNS) host name property
is modified, you may need to manually modify the SPN registrations to reflect the change. A
misconfigured SPN causes authentication problems with the program service.
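The following Windows PowerShell script is an added example and not part of the course text. It shows one way to find the second and third problems described above in a real environment: which services on a set of servers run under a domain account (and so share a password that someone has to change by hand), and which user accounts have SPNs registered on them. The server names LON-SVR1 and LON-SVR2 are constructed placeholders; the script assumes the Active Directory module and CIM access to those servers.

```powershell
# Added example (not from the course text): find where domain accounts are used as
# service logon accounts, and which user accounts carry SPNs. Assumes the Active
# Directory module is installed and that the listed servers accept CIM queries from
# the caller; the server names are constructed placeholders.
Import-Module ActiveDirectory

$servers  = @('LON-SVR1', 'LON-SVR2')       # constructed sample list
$builtIns = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
              'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

# 1. Services whose logon account is not one of the three built-in local accounts
$domainServices = foreach ($s in $servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction Stop |
        Where-Object { $_.StartName -and ($builtIns -notcontains $_.StartName) } |
        Select-Object @{n='Server'; e={ $s }}, Name, StartName, State, StartMode,
                      @{n='IsManagedAccount'; e={ $_.StartName.EndsWith('$') }}  # MSA/gMSA names end in $
}
$domainServices | Sort-Object StartName, Server | Format-Table -AutoSize

# 2. Grouped by account: the set of servers that a single password change would touch
$domainServices | Where-Object { -not $_.IsManagedAccount } | Group-Object StartName |
    Select-Object Name, Count, @{n='Servers'; e={ ($_.Group.Server | Sort-Object -Unique) -join ', ' }}

# 3. User accounts with SPNs: their SPNs (and passwords) are maintained by hand, and
#    "password never expires" on such an account is the pattern this lesson warns about
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
                  @{n='SPNs'; e={ $_.ServicePrincipalName -join '; ' }}
```

Run it from a management workstation before changing any service account password; the second listing tells you every server you must visit afterwards, and the third listing is the set of accounts whose SPNs would have to be moved manually if the service ever changes hosts.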

Windows Server 2012 supports an AD DS object, named a managed service account, which you use to
facilitate service-account management. The following topics provide information on the requirements and
use of managed service accounts in Windows Server 2012.
Managed Service Account and Virtual Accounts
A managed service account is an AD DS object
class that enables simplified password and SPN
management for service accounts. The managed
service account first appeared in Windows 7 and
Windows Server 2008 R2.
Many network-based programs use an account to run services or provide authentication. For example, a
program on a local computer might use the Local Service, Network Service, or Local System accounts.
These service accounts may work fine. However, they typically are shared among multiple programs and
services, making it difficult to manage them for a specific program. Furthermore, you cannot manage
these local service accounts at the domain level.
Alternatively, it is quite common for a program to use a standard domain account that you configure
specifically for the program. However, the main drawback is that you need to manage passwords
manually, which increases administration effort. A managed service account can provide a program with
its own unique account, while eliminating the need for an administrator to administer the account's
credentials manually.
How a Managed Service Account Works
Managed service accounts are stored in AD DS as msDS-ManagedServiceAccount objects. This class
inherits structural aspects from the Computer class, which in turn inherits from the User class. This enables
a managed service account to fulfill User-like functions, such as providing authentication and a security
context for a running service. It also enables a managed service account to use the same password update
mechanism that Computer objects in AD DS use, a process that requires no user intervention.
Managed service accounts provide the following benefits to simplify administration:
Automatic password management. A managed service account automatically maintains its own
password, including password changes.
Simplified SPN management. SPN management is automatic if your domain is at the Windows Server
2008 R2 domain functional level or higher.
Managed service accounts are stored in the CN=Managed Service Accounts, DC=<domain>, DC=<com>
container. You can view this by enabling the Advanced Features option in the View menu within Active
Directory Users and Computers. This container is visible by default in the Active Directory Administrative
Center.
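As an added example that is not part of the course text, the following script lists the accounts in the Managed Service Accounts container and uses the password update mechanism described above as a health check: an account whose password has not changed within its rotation interval is not being maintained by any host. It assumes only the Active Directory module; no names are hard-coded.

```powershell
# Added example (not from the course text): list every managed service account in the
# domain's Managed Service Accounts container and show when its password last rotated.
# Assumes the Active Directory module; no names are hard-coded.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = "CN=Managed Service Accounts,$($domain.DistinguishedName)"

Get-ADServiceAccount -Filter * -SearchBase $container `
        -Properties ObjectClass, PasswordLastSet, HostComputers,
                    PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object SamAccountName,
        @{n='Type';            e={ if ($_.ObjectClass -eq 'msDS-GroupManagedServiceAccount') { 'group MSA' } else { 'standalone MSA' } }},
        PasswordLastSet,
        @{n='PasswordAgeDays'; e={ if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }},
        @{n='RotationDays';    e={ $_.'msDS-ManagedPasswordInterval' }},   # gMSA only; 30 by default
        @{n='AllowedHosts';    e={ (@($_.HostComputers) + @($_.PrincipalsAllowedToRetrieveManagedPassword) |
                                    Where-Object { $_ } |
                                    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' }} |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# A PasswordAgeDays value above RotationDays means the automatic update mechanism is not
# running for that account (no host has installed it, or nothing uses it): worth a look.
```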
Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or program must be running Windows
Server 2008 R2 or Windows Server 2012. You also must ensure that Microsoft .NET Framework 3.5.x and
the Active Directory module for Windows PowerShell are both installed on the server.

Note: You cannot share a standard managed service account between multiple computers, nor
use one in server clusters where the service is replicated between nodes. Additionally, you
cannot use managed service accounts for unattended scheduled tasks.
To simplify and provide fully automatic password and SPN management, we strongly recommend that the
AD DS domain be at the Windows Server 2008 R2 functional level or higher. However, if you have a
domain controller running Windows Server 2008 or Windows Server 2003, you can update the Active
Directory schema to Windows Server 2008 R2 to support this feature. The only disadvantage is that the
domain administrator must configure SPN data manually for the managed service accounts.
To update the schema in Windows Server 2008, Windows Server 2003, or mixed-mode environments, you
must perform the following steps:
1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.
2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with the Active
Directory Management Gateway Service, or Windows Server 2003 with the Active Directory
Management Gateway Service.
Note: The Active Directory Management Gateway Service allows administrators with
domain controllers running Windows Server 2003 or Windows Server 2008 to use Windows
PowerShell cmdlets to manage managed service accounts.
Considerations for Managed Service Accounts on Windows Server 2012 Domain
Controllers
In Windows Server 2012, managed service accounts are created as the new group managed service
account object type by default. To accommodate this, you must fulfill one of the requirements for group
managed service accounts before you can create any managed service account on a Windows Server 2012
domain controller.
On a Windows Server 2012 domain controller, you must create a Key Distribution Services root key for the
domain before you can create any managed service accounts. To create the root key, run the following
cmdlet from the Active Directory module for Windows PowerShell:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
You can find more information about group managed service accounts, including further explanation of
creating a Key Distribution Services (KDS) root key and of the cmdlet above, later in this lesson.
What Are Group Managed Service Accounts?
Group managed service accounts enable you to
extend the capabilities of standard managed
service accounts to more than one server in your
domain. In server farm scenarios with Network
Load Balancing (NLB) clusters or IIS servers, there
often is a need to run system or program services
under the same service account. Standard
managed service accounts cannot provide
managed service account functionality to services
that are running on more than one server. By
using group managed service accounts, you can
configure multiple servers to use the same
managed service account and still retain the benefits that managed service accounts provide, like
automatic password maintenance and simplified SPN management.
Group Managed Service Account Requirements
In order to support group managed service account functionality, your environment must meet the
following requirements:
At least one domain controller must be running Windows Server 2012 to store managed password
information.
Client computers using group managed service accounts must have Windows 8 or newer, and server-
based computers must have Windows Server 2012 or newer.
You must create a KDS root key on a domain controller in the domain. To create the KDS root key,
run the following command from the Active Directory Module for Windows PowerShell on a
Windows Server 2012 domain controller:
Add-KdsRootKey -EffectiveImmediately
Note: The EffectiveImmediately switch uses the current time to establish the timestamp
that marks the key as valid. However, when you use the EffectiveImmediately switch, the actual
effective time is set to 10 hours later than the current time. This 10-hour delay allows AD DS
replication to replicate the key to the other domain controllers in the domain. For testing
purposes, you can bypass this delay by setting the EffectiveTime parameter to 10 hours before the
current time by running the following command:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
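The following script, added as an example and not part of the course text, wraps the two Add-KdsRootKey forms shown above (and in the Windows Server 2012 domain controller considerations earlier in this lesson) so that the backdated form is used only in a lab and an existing key is never duplicated. It assumes it runs on a Windows Server 2012 domain controller as a Domain Admin; the $LabEnvironment variable is a construct of the example.

```powershell
# Added example (not from the course text): create the KDS root key only when the domain
# has no usable one, choosing the effective time by environment. Assumes it runs on a
# Windows Server 2012 domain controller as a member of Domain Admins.
$LabEnvironment = $false   # set to $true only in an isolated single-DC test forest

$usable = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if ($usable) {
    "Usable KDS root key already present: $($usable[0].KeyId) (effective $($usable[0].EffectiveTime))"
}
elseif ($LabEnvironment) {
    # Backdating by 10 hours removes the replication safety margin: the key can be used at
    # once, but a second DC that has not replicated it yet would fail gMSA operations.
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    "Lab key $keyId created and effective now"
}
else {
    # Production: the key still becomes effective 10 hours from now, so that every DC
    # holds it before any gMSA password is derived from it.
    $keyId = Add-KdsRootKey -EffectiveImmediately
    "Key $keyId created; gMSA creation works after $((Get-Date).AddHours(10))"
}

# Validate each key from this DC's point of view (Test-KdsRootKey returns $true/$false)
Get-KdsRootKey | ForEach-Object {
    [pscustomobject]@{
        KeyId         = $_.KeyId
        EffectiveTime = $_.EffectiveTime
        Usable        = Test-KdsRootKey -KeyId $_.KeyId
    }
}
```

The point of the check at the top is that a root key cannot be removed once it has been used to derive passwords, so creating a second one by accident is something you live with; querying first keeps the script safe to re-run.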
Understanding Group Managed Service Account Functionality
Group managed service accounts enable managed service account functionality across multiple servers by
delegating the management of managed service account password information to Windows Server 2012
domain controllers. By doing this, the management of passwords is no longer dependent on the
relationship between a single server and AD DS, but is controlled entirely by AD DS.
The group managed service account object contains a list of principals, either computers or AD DS
groups, that are allowed to retrieve group managed service account password information from AD DS.
The principals are then allowed to use the group Managed Service Account for authentication for services.
You create group managed service accounts by using the same cmdlets from the Active Directory Module
for Windows PowerShell. In fact, the cmdlets used for managed service account management will create
group managed service accounts by default.

On a Windows Server 2012 domain controller, create a new managed service account by using the New-
ADServiceAccount cmdlet with the PrincipalsAllowedToRetrieveManagedPassword parameter. This
parameter accepts one or more comma-separated computer accounts or AD DS groups that are
permitted to obtain password information for the group managed service account that is stored in AD DS
on Windows Server 2012 domain controllers.
For example, the following cmdlet will create a new group managed service account called SQLFarm, and
enable the LON-SQL1, LON-SQL2, and LON-SQL3 hosts to use the group managed service account:
New-ADServiceAccount -Name SQLFarm -DNSHostName <DNS host name> -PrincipalsAllowedToRetrieveManagedPassword LON-SQL1$,LON-SQL2$,LON-SQL3$
Once you have added a computer by using the PrincipalsAllowedToRetrieveManagedPassword parameter,
the group managed service account is available to be assigned to services by using the same assignment
process as standard managed service accounts.
Using AD DS Groups to Manage Group Managed Service Account Server Farms
You can use AD DS security groups to identify the computers that may use a group managed service
account. When you use an AD DS group for the PrincipalsAllowedToRetrieveManagedPassword parameter,
any computers that are members of that group will be allowed to retrieve the password and utilize group
managed service account functionality. When you use an AD DS group as the principal allowed to retrieve
a managed password, any accounts that are members of the group will also have the same capability.
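The following script is an added example, not part of the course text. It builds the server farm scenario with a security group as the principal, as the paragraph above describes, so that membership of the farm is changed by editing the group rather than the account. The group name SQLFarmHosts, the SPN, and the DNS host name derived from the domain are assumptions of the example; the KDS root key is assumed to exist and the LON-SQL* computer accounts to be present.

```powershell
# Added example (not from the course text): build a server-farm gMSA whose members are
# controlled through an AD DS security group rather than a fixed computer list.
# Assumes the KDS root key exists and that LON-SQL1..3 are computer accounts in the
# domain; the group name, SPN and DNS host name are constructed for the example.
Import-Module ActiveDirectory

$farmGroup = 'SQLFarmHosts'
$gmsaName  = 'SQLFarm'
$dnsName   = "$gmsaName.$((Get-ADDomain).DNSRoot)"

# 1. Group holding the computer accounts that may retrieve the managed password
if (-not (Get-ADGroup -Filter "Name -eq '$farmGroup'")) {
    New-ADGroup -Name $farmGroup -GroupScope Global -GroupCategory Security `
                -Description 'Computers allowed to use the SQLFarm gMSA'
}
Add-ADGroupMember -Identity $farmGroup -Members (Get-ADComputer -Filter 'Name -like "LON-SQL*"')

# 2. The gMSA itself, granting retrieval rights to the group (not to individual hosts).
#    Registering the SPN here means no administrator ever edits it by hand.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $farmGroup `
        -ServicePrincipalNames "MSSQLSvc/${dnsName}:1433"
}

# 3. Confirm who can retrieve the password: adding or removing a host is now a group change
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object SamAccountName, DNSHostName,
        @{n='SPNs';              e={ $_.ServicePrincipalNames -join '; ' }},
        @{n='AllowedPrincipals'; e={ $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' }}
Get-ADGroupMember -Identity $farmGroup | Select-Object Name, ObjectClass
```

A computer that has just been added to the group carries the new group SID only after its Kerberos ticket is refreshed, so reboot it (or wait for the ticket to expire) before running Install-ADServiceAccount on it.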
Demonstration: Configuring Group Managed Service Accounts
Creating and configuring a managed service account requires the use of four cmdlets from the Active
Directory Module for Windows PowerShell:
Add-KdsRootKey creates the KDS root key to support group managed service accounts, a
requirement on Windows Server 2012 domain controllers (DCs):
Add-KdsRootKey -EffectiveImmediately
New-ADServiceAccount creates the managed service account within AD DS:
New-ADServiceAccount -Name <MSA Name> -DNSHostName <DC DNS Name>
Add-ADComputerServiceAccount associates the managed service account with a computer
account in the AD DS domain:
Add-ADComputerServiceAccount -Identity <Host Computer Name> -ServiceAccount <MSA Name>
Install-ADServiceAccount installs the managed service account on a host computer in the domain
and makes the managed service account available for use by services on the host computer:
Install-ADServiceAccount -Identity <MSA Name>
Demonstration Steps:
In this demonstration, you will see how to:
Create the KDS root key for the domain.
Create and associate a managed service account.
Demonstration Steps
Create the Key Distribution Services (KDS) root key for the domain
1. On LON-DC1, from Server Manager, open the Active Directory Module for Windows PowerShell
console.
2. Use the Add-KDSRootKey cmdlet to create the domain KDS root key.
Create and associate a managed service account
1. Use the New-ADServiceAccount cmdlet to create a managed service account.
2. Use the Add-ADComputerServiceAccount cmdlet to associate the managed service account with
LON-SVR1.
3. Use the Get-ADServiceAccount cmdlet to view the newly created managed service account and
confirm proper configuration.
Install a managed service account
1. On LON-SVR1, open the Active Directory Module for Windows PowerShell console.
2. Use the Install-ADServiceAccount cmdlet to install the managed service account on LON-SVR1.
3. Open Server Manager, and start the Services console.
4. Open the Properties pages for the Application Identity service, and then select the Log On tab.
5. Configure the Application Identity service to use Adatum\SampleApp_SVR1$.
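The following script, added as an example and not part of the demonstration, performs the install steps above on LON-SVR1 and assigns the account to the Application Identity service without a human ever handling a password. It assumes the SampleApp_SVR1 account from the demonstration exists and is associated with LON-SVR1; using sc.exe rather than the Services console is the example's choice.

```powershell
# Added example (not from the course text): the "install" part of the demonstration as a
# script, run on LON-SVR1. Assumes SampleApp_SVR1 exists in AD DS and has been
# associated with LON-SVR1 (Add-ADComputerServiceAccount); the service name AppIDSvc is
# the Application Identity service that the demonstration uses.
Import-Module ActiveDirectory

$msa     = 'SampleApp_SVR1'
$domain  = (Get-ADDomain).NetBIOSName        # Adatum in the course lab
$service = 'AppIDSvc'
$account = "$domain\${msa}$"                 # managed service account names always end in $

# 1. Install the account on this host and prove it is usable before changing anything
Install-ADServiceAccount -Identity $msa
if (-not (Test-ADServiceAccount -Identity $msa)) {
    throw "$msa is not usable on $env:COMPUTERNAME; check the computer association and reboot once"
}

# 2. Point the service at the account. The password is deliberately empty: Windows
#    retrieves it from AD DS, so no administrator ever handles it.
& sc.exe config $service obj= $account password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 3. Restart and verify the logon account that is actually in effect
Restart-Service -Name $service
Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'" |
    Select-Object Name, StartName, State, StartMode
```

If step 1 fails with an access error, the usual cause is that the host's computer account is not yet listed as able to retrieve the password (or was added so recently that the host's Kerberos ticket predates the change); the step 3 listing is what you check again after the 30-day automatic password change, and it should need no action.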
Revert the Virtual Machines
When you are finished with the lab, revert the virtual machines to their initial state.
Kerberos Delegation and Service Principal Names
A program for a service might need to make a connection to another server's services on behalf of the
client, for example, when a client uses a front-end server that in turn makes a connection to a back-end
server. This second connection also needs authentication, and Kerberos uses delegation of authentication
to make this happen. The requesting service (the client in this example) asks the KDC to authorize a
second service to act on its behalf. The second service can then delegate authentication to a third service.
In Windows Server 2003 and newer, Microsoft added the constrained delegation model to limit the scope
of services to which authentication can be delegated this way, especially third-tier services and beyond.
This provides a safer form of delegation for services to use. By using constrained delegation, you can
restrict service account delegation to specific sets of service accounts. You can configure a particular
service account to be trusted for delegation to a specific instance of a service running on a specific
computer, or to a set of specific instances of services running on specified computers.
An SPN is a unique identifier for each instance of a service running on a computer. When using Kerberos
authentication, a defined SPN for a service allows clients to identify that instance of the service on the
network. The SPN is registered in AD DS and is associated with the account of the service specified by the
SPN. When a service needs to authenticate to another service, it uses that service's SPN to distinguish it
from other services on that computer. A service can use constrained delegation if it can obtain a Kerberos
service ticket for itself on behalf of the user being delegated, in this case, another service. When using
constrained delegation, the user can obtain the service ticket directly by authenticating through Kerberos,
or the service can obtain the service ticket on behalf of the user.
One problem with this model is that when a domain administrator configured a service for constrained
delegation, the service administrator did not know which front-end service was being delegated to the
resource services they owned. In Windows Server 2012, the remedy is to move the ability to configure a
service's constrained delegation from the domain administrator to the service administrator. This allows
the back-end service administrator to allow or deny access by front-end services. Windows Server 2012
implements new extensions for constrained delegation. For example, the Service for User to Proxy
(S4U2proxy) extension allows a service to use its Kerberos service ticket for a user to obtain a service
ticket from the KDC to a back-end service. A service administrator can configure constrained delegation
on the back-end service's account, even in another domain. You can configure front-end services, such as
Microsoft Office Outlook Web Access and Microsoft SharePoint Server, for constrained delegation to
back-end servers in other domains. This enhances your ability to support service solutions across domains
by using your existing Kerberos authentication mechanisms.
Windows Server 2012 R2 introduces the Protected Users security group. This group provides non-
configurable protection on devices and computers running Windows Server 2012 R2 and Windows 8.1,
and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2.
This substantially reduces the memory footprint of credentials when users sign in to computers on the
network from a non-compromised computer.
Members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or the
Credential Security Support Provider (CredSSP) authentication mechanism. On Windows 8.1 devices,
passwords are not cached, so a device that uses any one of these Security Support Providers (SSPs) will
fail to authenticate to a domain when the account is part of the Protected Users group.
The Kerberos protocol will not use the weaker Data Encryption Standard (DES) or RC4 encryption
types in the pre-authentication process. Therefore, you must configure the domain to support at least
the Advanced Encryption Standard (AES) cipher suite.
The user's account cannot be delegated with Kerberos constrained or unconstrained delegation. This
can cause connections to other systems that previously worked to fail if the user is in the Protected
Users group.
The default Kerberos ticket-granting ticket (TGT) lifetime of four hours is configurable by using
Authentication Policies and Silos, which you can access through the Active Directory Administrative
Center. This means that the user must authenticate again after four hours.
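The following script is an added defender-side example and not part of the course text. It reads back the three delegation configurations discussed in this topic (unconstrained, classic constrained, and the Windows Server 2012 resource-based form stored on the back-end account) and checks whether the most privileged accounts are in Protected Users, where delegation is refused regardless. It assumes the Active Directory module and, for the last check, a domain with Windows Server 2012 R2 domain controllers; the userAccountControl bit values are the documented constants.

```powershell
# Added example (not from the course text): audit Kerberos delegation settings and
# Protected Users membership, the two controls this topic describes. Assumes the
# Active Directory module; the userAccountControl bit values are the documented ones.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# 1. Every object with some form of delegation configured, with the configuration decoded
$ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
        '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
$delegating = Get-ADObject -LDAPFilter $ldap `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    Select-Object Name, ObjectClass, DistinguishedName,
        @{n='Unconstrained';      e={ [bool]($_.userAccountControl -band $TRUSTED_FOR_DELEGATION) -and -not $_.'msDS-AllowedToDelegateTo' }},
        @{n='ConstrainedTo';      e={ $_.'msDS-AllowedToDelegateTo' -join '; ' }},
        @{n='ProtocolTransition'; e={ [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) }},
        @{n='RBCDFrontEnds';      e={
            # Resource-based (back-end owned) constrained delegation is stored as a security descriptor
            $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            if ($sd -is [System.DirectoryServices.ActiveDirectorySecurity]) {
                ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
            } elseif ($sd) { 'present (raw descriptor)' } }}
$delegating | Format-Table -AutoSize

# 2. Unconstrained delegation on anything but a domain controller: such a host holds the
#    forwarded TGTs of everyone who connects to it, so it needs the same protection as a DC
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN
$delegating | Where-Object { $_.Unconstrained -and ($dcDNs -notcontains $_.DistinguishedName) } |
    Select-Object Name, @{n='Finding'; e={ 'Unconstrained delegation on non-DC' }}

# 3. Privileged accounts belong in Protected Users, which makes them un-delegatable
#    regardless of the settings above (Windows Server 2012 R2 domain controllers)
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $protected -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, @{n='Finding'; e={ 'Domain Admin not in Protected Users' }}
```

Read the RBCDFrontEnds column from the back-end service administrator's point of view: it is the list of front-end services that this account has agreed to accept delegated tickets from, which is exactly the information the topic says was missing before Windows Server 2012.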
Lab: Managing User and Service Accounts
Scenario
A. Datum is a global engineering and manufacturing company with their head office based in London,
United Kingdom. An IT office and data center are located in London to support the London location and
other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum has completed a security review for passwords and account lockout policies. You need to
implement the recommendations contained in the report to control password complexity and length. You
also need to configure appropriate account lockout settings. Part of your password policy configuration
will include a specific password policy you need to assign to the Executive security group. This group
requires a different password policy than the policy applied at the domain level.
You need to configure a new group managed service account to support a new Web-based program.
Using a group managed service account will help maintain the password security requirements for the
account.
Objectives
After completing this lab, you will be able to:
Configure password policy and account lockout settings.
Create and associate a managed service account.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20411D-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20411D-LON-DC1, and, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
User name: Adatum\Administrator
Password: Pa$$w0rd
Exercise 1: Configuring Password Policy and Account Lockout Settings
Scenario
A. Datum has recently completed a security review for passwords and account lockout policies. You need
to implement the recommendations contained in the report to control password complexity and length.
You also need to configure appropriate account lockout settings. Part of your password policy
configuration will include a specific password policy to be assigned to the Managers security group. This
group requires a different password policy than the policy that has been applied at the domain level.
The report has recommended that you apply the following password settings to all accounts in the
domain:
Password history: 20 passwords
Maximum password age: 45 days
Minimum password age: 1 day
Password length: 10 characters
Complexity enabled: Yes
Account Lockout duration: 30 minutes
Account lockout threshold: 5 attempts
Reset account lockout counter after: 15 minutes
The report has also recommended that you apply a separate policy to users in the Managers group, due
to the elevated privileges assigned to those user accounts. The policy applied to the Managers groups
should contain the following settings:
Password history: 20 passwords
Maximum password age: 20 days
Minimum password age: 1 day
Password length: 15 characters
Complexity enabled: Yes
Account Lockout duration: 0 minutes (An administrator will have to unlock the account)
Account lockout threshold: 3 attempts
Reset account lockout counter after: 30 minutes
The main tasks for this exercise are as follows:
1. Configure a domain-based password policy
2. Configure an account lockout policy
3. Configure and apply a fine-grained password policy
Task 1: Configure a domain-based password policy
1. On LON-DC1, open the Group Policy Management console.
2. Edit the Default Domain Policy, and configure the following Account Password Policy settings:
Password history: 20 passwords
Maximum password age: 45 days
Minimum password age: 1 day
Password length: 10 characters
Complexity enabled: Yes
Task 2: Configure an account lockout policy
1. In the Group Policy Management Editor, configure the following Account Lockout Policy settings for
the Default Domain Policy:
Account Lockout duration: 30 minutes
Account lockout threshold: 5 attempts
Reset account lockout counter after: 15 minutes
2. Close the Group Policy Management Editor.
3. Close Group Policy Management.
Task 3: Configure and apply a fine-grained password policy
1. On LON-DC1, open the Active Directory Administrative Center console.
2. Change the group scope for the Managers group to Global.
Note: Make sure that you open the Properties page for the Managers group, and not the
Managers OU.
3. In the Active Directory Administrative Center, configure a fine-grained password policy for the
Adatum\Managers group with the following settings:
Name: ManagersPSO
Precedence: 10
Password length: 15 characters
Password history: 20 passwords
Complexity enabled: Yes
Minimum password age: 1 day
Maximum password age: 30 days
Number of failed logon attempts allowed: 3 attempts
Reset failed logon attempts count after: 30 minutes
Until an administrator manually unlocks the account: selected
4. Close the Active Directory Administrative Center.

Results: After completing this exercise, you will have configured password policy and account lockout
settings.
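The following script, added as an example and not part of the lab, performs Task 3 with the Active Directory module instead of the Active Directory Administrative Center and then verifies the result. It assumes the Managers group already has Global scope (step 2 of Task 3) and that Tasks 1 and 2 have been completed in the Default Domain Policy, whose values it only reads back.

```powershell
# Added example (not from the course text): Task 3 of Exercise 1 done with the Active
# Directory module, plus a check of the result. Assumes the Managers group exists and
# already has Global scope; the domain-wide values set in Tasks 1 and 2 through the
# Default Domain Policy GPO are only read back here, not written.
Import-Module ActiveDirectory

$pso = 'ManagersPSO'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 20 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 30) `
        -LockoutThreshold 3 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration ([TimeSpan]::Zero)   # zero = locked until an administrator unlocks it
}
# Apply the PSO to the group (PSOs apply only to users and global security groups)
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Managers'

# Verification 1: what the domain applies to everyone without a PSO
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, LockoutDuration

# Verification 2: the resultant policy for a manager is the PSO, not the domain defaults.
# (Get-ADUserResultantPasswordPolicy returns nothing for a user with no PSO.)
$manager = Get-ADGroupMember -Identity 'Managers' | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $manager.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, LockoutDuration
```

The precedence value matters only when a user falls under more than one PSO (the lower number wins); the second verification is the quickest way to answer the "password settings are not applying as expected" issue in the module review.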
Exercise 2: Creating and Associating a Managed Service Account
Scenario
You need to configure a managed service account to support a new Web-based program that you will
deploy to the DefaultAppPool Web service on LON-DC1. Using a managed service account will help
maintain the password security requirements for the account.
The main tasks for this exercise are as follows:
1. Create and associate a managed service account
2. Install a group managed service account on LON-DC1
3. To prepare for the next module
Task 1: Create and associate a managed service account
1. On LON-DC1, open the Active Directory Module for Windows PowerShell console.
2. Create the KDS root key by using the Add-KdsRootKey cmdlet. Make the effective time minus 10
hours, so the key will be effective immediately.
3. Create the new service account named Webservice for the host LON-DC1.
4. Associate the Webservice managed account with LON-DC1.
5. Verify the group managed service account was created by using the Get-ADServiceAccount cmdlet.
Task 2: Install a group managed service account on LON-DC1
1. On LON-DC1, install the Webservice service account.
2. From the Tools menu in Server Manager, open Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager console, if a window appears with a Do you want
to get started with Microsoft Web Platform to stay connected message, click Cancel.
4. In the DefaultAppPool Actions pane, in the Advanced Settings dialog box, configure the
DefaultAppPool to use the Webservice$ account as the identity. Note that you can click the ellipsis
button (...) next to the Identity value to add the Webservice$ account as a Custom Account.
5. Stop and then start the application pool.
Task 3: To prepare for the next module
When you are finished with the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you will have created and associated a managed service account.
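The following script is an added example and not part of the lab. It performs Task 2 on LON-DC1 with the WebAdministration module rather than IIS Manager, and then confirms which account the application pool runs as. It assumes the Webservice account has been created and associated in Task 1, and that IIS with the WebAdministration module is installed; the domain's NetBIOS name is read from AD DS.

```powershell
# Added example (not from the course text): Task 2 of Exercise 2 as a script, run on
# LON-DC1 after the Webservice gMSA has been created and associated with the host.
# Assumes IIS and the WebAdministration module are present; the domain's NetBIOS name
# is read from AD DS (Adatum in the course lab).
Import-Module ActiveDirectory
Import-Module WebAdministration

$gmsa     = 'Webservice'
$poolName = 'DefaultAppPool'
$account  = "$((Get-ADDomain).NetBIOSName)\${gmsa}$"

# 1. Install the account on this host and prove it is usable before touching IIS
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "$gmsa cannot be used on $env:COMPUTERNAME; check the association and reboot once"
}

# 2. Set the pool identity. The password stays empty: IIS fetches the managed password
#    from AD DS, so nobody has to know (or rotate) it.
$pool = "IIS:\AppPools\$poolName"
Set-ItemProperty -Path $pool -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $account
    password     = ''
}
Restart-WebAppPool -Name $poolName

# 3. Verify the configured identity and pool state, then the owner of the worker process
#    (a w3wp.exe process exists only after the pool has served its first request)
Get-ItemProperty -Path $pool -Name processModel | Select-Object identityType, userName
Get-WebAppPoolState -Name $poolName
Get-CimInstance -ClassName Win32_Process -Filter "Name='w3wp.exe'" |
    ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName GetOwner } |
    Select-Object Domain, User
```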
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common issue: User accounts contained in a .csv file fail to import when using the Comma-Separated
Values Data Exchange tool.
Troubleshooting tip: Ensure that the structure of the .csv file matches the syntax of your Comma-
Separated Values Data Exchange tool command, especially if the .csv file is exported from a non-AD DS
source.
Common issue: User password settings are not applying as expected.
Troubleshooting tip: Check for the application of PSOs. In the case of multiple PSOs, ensure that
precedence is configured properly and that PSOs have been applied to the appropriate users and groups.
Common issue: The New-ADServiceAccount cmdlet fails with key-related messages.
Troubleshooting tip: Ensure that the KDS root key has been created by using the Add-KDSRootKey
cmdlet, and that the EffectiveTime of the key is at least 10 hours earlier than the current time.
Review Question(s)
Question: In what scenario could users have multiple PSOs applied to their accounts without
actually having PSOs linked to their user accounts?
Question: What benefit do managed service accounts provide compared to standard user
accounts when used for services?
Tools
Comma-Separated Values Data Exchange tool: importing and exporting users by using .csv files. Where
to find it: Command prompt, csvde.exe
LDIFDE utility: importing, exporting, and modifying users by using .ldf files. Where to find it: Command
prompt, ldifde.exe
Local Security Policy: configuring local account policy settings. Where to find it: Secpol.msc
Group Policy Management Console: configuring domain Group Policy account policy settings. Where to
find it: Server Manager, Tools
Active Directory Administrative Center: creating and managing PSOs. Where to find it: Server Manager,
Tools
Active Directory module for Windows PowerShell: creating and managing managed service accounts.
Where to find it: Server Manager, Tools

4-1
Module 4
Implementing a Group Policy Infrastructure
Contents:
Module Overview 4-1
Lesson 1: Introducing Group Policy 4-2
Lesson 2: Implementing and Administering GPOs 4-11
Lesson 3: Group Policy Scope and Group Policy Processing 4-17
Lesson 4: Troubleshooting the Application of GPOs 4-33
Lab: Implementing a Group Policy Infrastructure 4-40
Module Review and Takeaways 4-46

Module Overview
Group Policy provides an infrastructure within which you can define settings centrally and deploy them to
users and computers in your enterprise. In an environment that is managed by a well-implemented Group
Policy infrastructure, very little configuration takes place by an administrator directly touching a user's
computer. You can define, enforce, and update the entire configuration by using the settings in Group
Policy Objects (GPOs) or GPO filtering. By using GPO settings, you can affect an entire site or domain
within an enterprise, or you can narrow your focus to a single organizational unit (OU). This module will
detail what Group Policy is, how it works, and how best to implement it in your organization.
Objectives
After completing this module, you will be able to:
Describe the components and technologies that compose the Group Policy framework.
Configure and understand a variety of policy setting types.
Scope GPOs by using links, security groups, Windows Management Instrumentation (WMI) filters, loopback
processing, and preference targeting.
Describe how GPOs are processed.
Locate the event logs that contain Group Policy-related events and troubleshoot the Group Policy
application.
4-2 Implementing a Group Policy Infrastructure
Lesson 1
Introducing Group Policy
Several components interact in a Group Policy infrastructure. You need to understand what each
component does, how all of the components work together, and how you can assemble them into
different configurations. This lesson provides a comprehensive overview of Group Policy components,
procedures, and functions.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the business requirements for configuration management.
Describe the core components and terminology of Group Policy.
Explain the benefits of using Group Policy.
Describe GPOs.
Describe GPO scope.
Explain the function and behavior of client-side GPO components.
Create and configure GPOs.
What Is Configuration Management?
In an environment with one computer, such as
your home, you can modify settings such as the
desktop background in several different ways.
Most people would probably open the
Appearance and Personalization screen from
Control Panel, and make the change in the
Windows interface. While that works well for one
computer, it might be tedious if you want to make
the change across multiple computers.
Maintaining a consistent environment is more
difficult with multiple individually managed
computers.
Configuration management is a centralized approach to applying one or more changes to one or more
user accounts or computers. The key elements of configuration management are:
Setting. A setting also is known as a centralized definition of a change. The setting brings a user
account or a computer to a desired state of configuration.
Scope. The scope of the change is the collection of computers or user accounts where changes occur.
Application. The application is a mechanism or process that ensures that the setting is applied to users
and computers within the scope.
Group Policy is a framework within the Windows operating system that enables you to manage
configuration in an Active Directory Domain Services (AD DS) domain. Group Policy components reside
in AD DS, on domain controllers, and on each Windows-based server and client.

Overview of Group Policies
The most granular component of Group Policy is
an individual policy setting. An individual policy
setting defines a specific configuration, such as a
policy setting that prevents a user from accessing
registry-editing tools. If you define that policy
setting and then apply it to a user, that user will
be unable to run tools such as Regedit.exe.
Note that some settings affect a user, known as
user configuration settings or user policies, and
some affect the computer, known as computer
configuration settings or computer policies.
However, settings do not affect groups, security
principals other than user objects, or other directory objects.
Group Policy manages various policy settings, and the Group Policy framework is extensible. You can
manage just about any configurable setting with Group Policy.
In the Group Policy Management Editor, you can define a policy setting by double-clicking it. The policy
setting Properties dialog box appears. Most policy settings can have three states: Not Configured,
Enabled, and Disabled.
In a new GPO, every policy setting defaults to Not Configured. When you enable or disable a policy
setting, a change is made to the configuration of users and computers to which the GPO is applied. When
you return a setting to its Not Configured value, you return it to its default value.
The effect of the change depends on the policy setting. For example, if you enable the Prevent Access To
Registry Editing Tools policy setting, users cannot launch the Regedit.exe Registry Editor. If you disable
the policy setting, you ensure that users can launch the Registry Editor. Notice the double negative in this
policy setting: you disable a policy that prevents an action, so you allow the action.
Some policy settings bundle several configurations into one policy, and these might require additional
parameters.
Note: Many policy settings are complex, and the effect of enabling or disabling them
might not be obvious. Furthermore, some policy settings affect only certain versions of the
Windows operating system. Be sure to review a policy setting's explanatory text in the Group
Policy Management Editor details pane or on the Explain tab in the policy setting's Properties
dialog box. Additionally, always test the effects of a policy setting and its interactions with other
policy settings before deploying a change in your production environment.

Benefits of Using Group Policy
Group Policies are very powerful administrative
tools. You can use them to push various settings
to a large number of users and computers.
Because you can apply them to levels ranging
from local to domain, you also can focus these
settings very precisely.
Primarily, you can use Group Policies to configure
settings from which you do not want users to
deviate. Additionally, you can use Group Policies
to provide additional security and some advanced
system settings, to standardize desktop
environments on all computers in an OU or in an
entire enterprise, and for other purposes that the following sections detail.
Apply Security Settings
GPOs include a large number of security-related settings that you can apply to both users and computers.
For example, you can enforce settings for Windows Firewall and configure auditing and other security
settings. You also can configure full sets of user-rights assignments.
Manage Desktop and Application Settings
You can use a Group Policy to provide a consistent desktop and application environment for all users in
your organization. By using GPOs, you can configure settings for some applications that support GPOs,
and you can configure each setting that affects the look and feel of the user environment.
Deploy Software
GPOs enable you to deploy software to users and computers. When you use the Software Installation
feature of Group Policy, you can deploy software in the .msi format. Additionally, you can enforce
automatic software installation, or you can let your users decide whether they want the software to deploy
to their machines.
Note: Deploying large packages with GPOs might not be the most efficient way of
distributing an application to your organization's computers. In many circumstances, it might be
more effective to distribute the applications as part of the desktop computer image. Be careful
when deploying large packages over a wide area network (WAN) link because the software
distribution might consume a large portion of the available bandwidth and degrade the overall
user experience. For large environments with multiple sites, System Center Configuration
Manager offers more control over software deployments, including the ability to distribute
software to client computers from a local distribution point.
Manage Folder Redirection
With Folder Redirection, you can manage and back up data quickly and effortlessly. By redirecting folders,
you can also ensure that users have access to their data regardless of the computer on which they sign in.
Additionally, you can centralize all user data to one place on a network server, while still providing a user
experience that is similar to storing these folders on their own computers. For example, you can configure
Folder Redirection to redirect users' Documents folders to a shared folder on a network server.

Configure Network Settings
Using Group Policy enables you to configure various network settings on client computers. For example,
you can enforce settings for wireless networks for allowing users to connect only to specific service set
identifiers (SSIDs), and with predefined authentication and encryption settings. You also can deploy
policies that apply to wired network settings, and you can configure the client side of services, such as
Network Access Protection (NAP).
Configure Security
Group Policy also enables you to configure security settings. Security settings are available throughout
Group Policy. In addition, you can use security templates to automate the settings in Group Policy.
Security templates are files that represent a specific security configuration. You can import security
templates into a GPO. Information technology (IT) administrators might have used some of the default
templates available in Windows Server 2003, such as the Secure or Highly Secure templates. Today,
Microsoft Security Compliance Manager is the tool of choice for automating security settings for Group
Policy application. Security Compliance Manager is covered in detail in course 20410, Installing and
Configuring Windows Server 2012.
Group Policy Objects
Note: You can manage GPOs in AD DS by
using the Group Policy Management Console
(GPMC).
To create a new GPO in a domain, right-click the
Group Policy Objects container, and then click
New.
To modify the configuration settings in a GPO,
right-click the GPO, and then click Edit. This
opens the Group Policy Management Editor snap-
in.
The Group Policy Management Editor displays the thousands of policy settings that are available in a GPO
in an organized hierarchy that begins with the division between computer settings and user settings: the
Computer Configuration node and the User Configuration node.
GPOs display in a container named Group Policy Objects. The next two levels of the hierarchy are nodes,
named Policies and Preferences. You will learn about the difference between these two nodes later in
this module. Progressing further down the hierarchy, you can see that the Group Policy Management
Editor displays folders, which also are called nodes or policy setting groups. The policy settings are within
the folders. The screenshot below shows the Group Policy hierarchy.

GPO Scope
Policy settings in GPOs define configuration.
However, you must specify the computers or users
to which the GPO applies before the configuration
changes in a GPO will affect computers or users in
your organization. This is called scoping a GPO.
The scope of a GPO is the collection of users and
computers that will apply the settings in the GPO.
You can use several methods to manage the
scope of domain-based GPOs. The first is the GPO
link. You can link GPOs to sites, domains, and OUs
in AD DS. The site, domain, or OU then becomes
the maximum scope of the GPO. All computers
and users within the site, domain, or OU, including those in child OUs, will be affected by the
configurations that the policy settings in the GPO specify.
Note: You can link a GPO to more than one domain, OU, or site. Linking GPOs to multiple
sites can introduce performance issues when the policy is being applied, and you should avoid
linking a GPO to multiple sites. This is because, in a multisite network, the GPOs are stored on the
domain controllers in the domain where the GPOs were created. The consequence of this is that
computers in other domains might need to traverse a slow WAN link to obtain the GPOs.
You can further narrow the scope of the GPO with one of two types of filter. Security filters specify
security groups or individual user objects that fall within a GPO's scope, but to which the GPO explicitly
should or should not apply. WMI filters specify a scope by using characteristics of a system, such as an
operating system version or free disk space. Use security filters and WMI filters to narrow or specify the
scope within the initial scope that the GPO link created.
Note: Windows Server 2008 introduced a new component of Group Policy: Group Policy
Preferences. Settings that are configured by Group Policy Preferences within a GPO can be
filtered or targeted based on several criteria. Targeted preferences allow you to further refine the
scope of preferences within a single GPO.
Group Policy Client and Client-Side Extensions
Group Policy Application
It is important to understand the GPO application
process on client computers. The sequence below
details the process:
1. When Group Policy refresh begins, a service known as the Group Policy Client determines which GPOs
apply to the computer or user. Windows Vista introduced the Group Policy Client.
2. The Group Policy Client downloads any GPOs that are not cached already.
3. Group Policy client-side extensions (CSEs) interpret the settings in a GPO and make appropriate changes to
the local computer or to the currently logged-on user. There are client-side extensions for each major
category of policy setting. For example, there is a security CSE that applies security changes, a CSE
that executes startup and logon scripts, a CSE that installs software, and a CSE that makes changes to
registry keys and values. Each version of the Windows operating system includes added client-side
extensions to extend the functional reach of Group Policy, and there are several dozen client-side
extensions in Windows.
One of the more important concepts to remember about Group Policy is that it is very client-driven. The
Group Policy client pulls the GPOs from the domain, triggering the client-side extensions to apply settings
locally. Group Policy is not a push technology.
In fact, you can configure the behavior of client-side extensions by using Group Policy. Most client-side
extensions will apply settings in a GPO only if that GPO has changed. This behavior improves overall
policy processing by eliminating redundant applications of the same settings. Most policies apply in such
a way that standard users cannot change the setting on their computer, and they will therefore always be
subject to the configuration enforced by Group Policy. However, standard users can change some
settings, and many settings can be changed if a user is an administrator on that system. If users in your
environment are administrators on their computers, you should consider configuring client-side
extensions to reapply policy settings even if the GPO has not changed. That way, if an administrative user
changes a configuration so that it is no longer compliant with policy, the configuration will reset to its
compliant state at the next Group Policy refresh.
Note: You can configure client-side extensions to reapply policy settings at the next
background refresh even if the GPO has not changed. You can do this by configuring a GPO
scoped to computers, and then defining the settings in the Computer
Configuration\Policies\Administrative Templates\System\Group Policy node. For each CSE that
you want to configure, open its policy-processing policy setting, such as Registry Policy
Processing for the Registry CSE. Click Enabled, and select the Process even if the Group Policy
objects have not changed check box.
The security CSE manages an important exception to the default policy-processing settings. Security
settings reapply every 16 hours even if a GPO has not changed.
Note: Enable the Always Wait For Network At Startup And Logon policy setting for all
Windows clients. Without this setting, by default, Windows clients perform only background
refreshes. This means that a client might start up, and then a user might sign in without receiving
the latest policies from the domain. Note that when the setting is enabled, the overall startup and
sign in time will increase. The setting is in Computer Configuration\Policies\Administrative
Templates\System\Logon. Be sure to read the policy setting's explanatory text.
Group Policy Refresh
Policy settings in the Computer Configuration node apply at system startup, and then every 90 to 120
minutes thereafter. User Configuration policy settings apply at logon, and then every 90 to 120 minutes
thereafter. The application of policies is called Group Policy refresh.
Note: You can manually force a policy refresh by using the GPUpdate command.
Demonstration: How to Create a GPO and Configure GPO Settings
Group Policy settings, also known as policies, are contained in a GPO, and you can view and modify them
by using the Group Policy Management Editor. This demonstration explores the categories of settings that
are available in a GPO.
Computer Configuration and User Configuration
There are two major categories of policy settings: computer settings, which are contained in the
Computer Configuration node, and user settings, which are contained in the User Configuration node:
The Computer Configuration node contains the settings that apply to computers, regardless of who
logs on to them. Computer settings apply when the operating system starts, during background
refreshes, and every 90 to 120 minutes thereafter.
The User Configuration node contains settings that apply when a user logs on to a computer, during
background refreshes, and every 90 to 120 minutes thereafter.
Within the Computer Configuration and User Configuration nodes are the Policies and Preferences
nodes.
The Policies nodes in Computer Configuration and User Configuration contain a hierarchy of folders that
contain policy settings. Because there are thousands of settings, the scope of this course does not include
individual settings. However, it is worthwhile to define the broad categories of settings in the folders.
Software Settings Node
The Software Settings node is the first node. It contains only the Software Installation extension, which
helps you specify how applications are installed and maintained within your organization.
Windows Settings Node
In both the Computer Configuration and User Configuration nodes, the Policies node contains a
Windows Settings node, which includes the Scripts, Security Settings, and Policy-Based QoS nodes.
Note: It also contains the Name Resolution Policy folder that contains settings for
configuring the DirectAccess feature of the Windows 8 operating system, which a later module
discusses.
Scripts Node
The Scripts extension enables you to specify two types of scripts, startup/shutdown in the Computer
Configuration node, and logon/logoff in the User Configuration node. Startup/shutdown scripts run at
computer startup or shutdown. Logon/logoff scripts usually run when a user logs on or off. However,
starting with Windows 8.1, the Windows operating system waits 5 minutes before running logon scripts.
This delay is configurable by modifying the Configure Logon Script Delay GPO setting. When you assign
multiple logon/logoff or startup/shutdown scripts to a user or computer, the Scripts CSE executes the
scripts from top to bottom. You can determine the order of execution for multiple scripts in the
Properties dialog box. When a computer shuts down, the CSE first processes logoff scripts, followed by
shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and
shutdown scripts require more than 10 minutes to process, you must adjust the timeout value with a
policy setting. You can use any ActiveX scripting language to write scripts. Some possibilities include
Microsoft Visual Basic Scripting Edition (VBScript), JScript, Perl, and MS-DOS-style batch files (.bat
and .cmd). Logon scripts on a shared network directory in another forest are supported for network logon
across forests. Windows 7 and Windows 8 also support Windows PowerShell scripts.
Security Settings Node
The Security Settings node allows a security administrator to configure security by using GPOs. This can
be done after, or instead of, using a security template to set system security.
Policy-Based QoS Node
This Quality of Service (QoS) node, known as the Policy-Based QoS node, defines policies that manage
network traffic. For example, you might want to ensure that users in the Finance department have priority
for running a critical network application during the end-of-year financial reporting period. The Policy-
Based QoS node enables you to do that.
In the User Configuration node only, the Windows Settings folder contains the additional Remote
Installation Services, Folder Redirection, and Internet Explorer Maintenance nodes. Remote
Installation Services policies control the behavior of a remote operating system installation. Folder
Redirection enables you to redirect user data and settings folders such as AppData, Desktop, Documents,
Pictures, Music, and Favorites from their default user profile location to an alternate location on a
network, where they can be managed centrally. Internet Explorer Maintenance enables you to administer
and customize Internet Explorer.
Administrative Templates Node
In the Computer Configuration and User Configuration nodes, the Administrative Templates node
contains registry-based Group Policy settings. There are thousands of such settings that are available for
configuring the user and computer environment. As an administrator, you might spend a significant
amount of time manipulating these settings. To assist you with the settings, a description of each policy
setting is available in two locations:
In the Help section while editing the setting. Additionally, the Help section also lists the required
operating system or software for the setting.
On the Extended tab of the Group Policy Management Editor. The Extended tab appears on the
lower left of the details pane, and it provides a description of each selected setting in a column
between the console tree and the settings pane. The required operating system or software for each
setting is also listed.
Demonstration
This demonstration shows how to:
1. Open the GPMC.
2. Create a new GPO named Desktop in the Group Policy container.
3. In the computer configuration, prevent the last logon name from displaying, and then prevent
Windows Installer from running.
4. In the user configuration, remove the Search link from the Start menu, and then hide the display
settings tab.
Demonstration Steps
Use the GPMC to create a new GPO
1. Sign in to LON-DC1 as administrator.
2. Open the Group Policy Management Console.
3. Create a new GPO named Desktop.
Configure Group Policy settings
1. Open the new Desktop policy for editing.
2. In the computer configuration, prevent the last logon name from displaying, and prevent Windows
Installer from running.
3. In the user configuration, remove the Search link from the Start menu, and then hide the display
settings tab.
4. Close all open windows.
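The demonstration above builds the Desktop GPO in the Group Policy Management Editor. The script below is an added example, not part of the course or of the GPMC, that performs the same four configuration steps with the GroupPolicy module, then scopes the result as the GPO Scope topic in this lesson describes (a link to an OU plus a security filter). The registry keys and values are the ones behind the named Administrative Template and Security Options settings; the OU distinguished name and the group name GG_Desktop_Users are constructed for this example.

```powershell
# Added example (not from the course text). Requires the GroupPolicy module, which is
# installed with the GPMC, run on LON-DC1 or a management workstation with RSAT.
Import-Module GroupPolicy

$gpoName = 'Desktop'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Demonstration GPO (added example)' }

# Computer Configuration.
# Interactive logon: Do not display last user name (a Security Options setting; written
# here as the registry value it controls, so the report lists it under Extra Registry Settings).
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null
# Turn off Windows Installer: DisableMSI = 2 means "Always".
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer' `
    -ValueName 'DisableMSI' -Type DWord -Value 2 | Out-Null

# User Configuration.
# Remove Search link from Start Menu.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoFind' -Type DWord -Value 1 | Out-Null
# Hide Settings tab (Control Panel\Display).
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispSettingsPage' -Type DWord -Value 1 | Out-Null

# Scope (see "GPO Scope"): link the GPO to an OU, then narrow it with a security filter.
# The OU path and group name are constructed for this example.
$ou = 'OU=Desktops,DC=adatum,DC=com'
$existingLink = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }

# Keep Read for Authenticated Users (the Group Policy Client must still be able to read the
# GPO) but move Apply to a specific group. -Replace is required to lower an existing level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'GG_Desktop_Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: list what was written and produce the settings report for review before testing.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Set-GPRegistryValue writes registry.pol in the Group Policy template, so it reaches only the Registry CSE; settings that belong to other client-side extensions (security templates, scripts, software installation) are not configurable this way. As the module's note on testing advises, run gpupdate on a test computer in the OU and inspect the resulting configuration before linking the GPO any wider.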
Lesson 2
Implementing and Administering GPOs
In this lesson, you will examine GPOs in more detail, learning how to create, link, edit, manage, and
administer GPOs and their settings.
Lesson Objectives
After completing this lesson, you will be able to:
Describe domain-based GPOs.
Define GPO storage.
Describe starter GPOs.
Describe how to perform common GPO management tasks.
Explain how to delegate administration of GPOs.
Describe how to use Windows PowerShell to manage GPOs.
Domain-Based GPOs
Domain-based GPOs are created in AD DS and
stored on domain controllers. You can use them
to manage configuration centrally for the
domain's users and computers. The other type of
GPO is a local GPO, which is tied to a specific
computer. The remainder of this course refers to
domain-based GPOs rather than local GPOs,
unless otherwise specified.
When you install AD DS, two default GPOs are
created: Default Domain Controllers Policy and
Default Domain Policy.
Default Domain Policy
The Default Domain Policy GPO is linked to the domain, and it applies to Authenticated Users. This GPO
does not have any WMI filters. Therefore, it affects all users and computers in the domain. This GPO
contains policy settings that specify password, account lockout, and Kerberos version 5 authentication
protocol policies. These settings are of critical importance to the AD DS environment, and thus, make the
Default Domain Policy a critical component of Group Policy. You should not add unrelated policy settings
to this GPO. If you need to configure other settings to apply broadly in your domain, create additional
GPOs that link to the domain.
Default Domain Controllers Policy
The Default Domain Controllers Policy GPO is linked to the OU of the domain controllers. Because
computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other
computer accounts should be kept in other OUs, this GPO affects only domain controllers or other
computer objects that are in the Domain Controllers OU. You should modify the Default Domain
Controllers GPO to implement your auditing policies and to assign user rights that are required on
domain controllers.

Note: Windows computers also have local GPOs, which are primarily used when computers
are not connected to domain environments. Since Windows Vista, all Windows operating systems
have supported the existence of multiple local GPOs. As with domain-based GPOs, it is a good
practice to create new GPOs for customizations. In the Computer Configuration node, you can
configure all computer-related settings. In the User Configuration node, you can configure
settings that you want to apply to all users on a computer. The user settings in the Local
Computer GPO can be modified by the user settings in two new local GPOs: Administrators and
Non-Administrators. These two GPOs apply user settings to logged-on users according to
whether they are members of the local Administrators group, in which case they would use the
Administrators GPO, or not members of the Administrators group, and therefore would use the
Non-Administrators GPO. You can further refine the user settings with a local GPO that applies to
a specific user account. User-specific local GPOs are associated with local, not domain, user
accounts.
Domain-based GPO settings combine with those applied by using local GPOs, but because
domain-based GPOs apply after local GPOs, when there are conflicting settings, the settings from
the domain-based GPOs take precedence over the settings from local GPOs. Also, note that local
GPOs can be disabled by using a domain-based GPO.
GPO Storage
Group Policy settings are presented as GPOs in AD
DS user interface tools, but a GPO is actually two
components: a Group Policy container and a
Group Policy template.
The Group Policy container is an AD DS object
that is stored in the Group Policy Objects
container within the domain-naming context of
the directory. Like all AD DS objects, each Group
Policy container includes a GUID attribute that
uniquely identifies the object within AD DS. The
Group Policy container defines basic attributes of
the GPO, but it does not contain any of the
settings. The settings are contained in the Group Policy template, a collection of files stored in the SYSVOL
of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where
GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO,
the changes save to the Group Policy template of the server from which the GPO was opened. By default,
when Group Policy refresh occurs, the client-side extensions apply settings in a GPO only if the GPO has
been updated.
The Group Policy client can identify an updated GPO by its version number. Each GPO has a version
number that increments each time a change is made. The version number is stored as a Group Policy
container attribute and in a text file, GPT.ini, in the Group Policy template folder. The
Group Policy client knows the version number of each GPO it has previously applied. If, during Group
Policy refresh, the Group Policy client discovers that the version number of the Group Policy container has
changed, the client-side extensions will be informed that the GPO is updated.
GPO Replication
Group Policy container and Group Policy template both replicate between all domain controllers in AD
DS. However, these two items use different replication mechanisms.

The Group Policy container in AD DS replicates by the Directory Replication Agent (DRA). The DRA uses a
topology that is generated by the Knowledge Consistency Checker, which you can define or refine
manually. The result is that the Group Policy container replicates within seconds to all domain controllers
in a site and replicates between sites based on your intersite replication configuration.
The Group Policy template in the SYSVOL replicates by using one of the following two technologies: file
replication technologies: File Replication Service (FRS), or Distributed File System (DFS) Replication. FRS replicates SYSVOL in domains
that run on Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, and Windows 2000. If
all domain controllers are running Windows Server 2008 or newer, you can configure SYSVOL replication
by using DFS Replication, which is a much more efficient and robust mechanism.
Because the Group Policy container and Group Policy template replicate separately, it is possible for them
to become out-of-sync for a short time. Typically, when this happens, the Group Policy container will
replicate to a domain controller first. Systems that obtained their ordered list of GPOs from that domain
controller will identify the new Group Policy container. Those systems then will attempt to download the
Group Policy template, and they will notice that the version numbers are not the same. A policy
processing error will record in the event logs. If the reverse happens, and the GPO replicates to a domain
controller before the Group Policy container, clients that obtain their ordered list of GPOs from that
domain controller will not be notified of the new GPO until the Group Policy container has replicated.
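The version comparison described above can be checked from an administrative workstation. The following script is an added example and is not part of the course text; it asks every domain controller for its own view of each GPO and reports any GPO whose AD DS and SYSVOL version numbers differ on that domain controller.

```powershell
# Added example, not part of the course text: compare the Group Policy container (AD DS) and
# Group Policy template (SYSVOL) version numbers of every GPO as each domain controller sees them.
# A mismatch on a DC is the out-of-sync condition described above; clients that obtained their
# GPO list from that DC log a policy processing error until replication has caught up.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoVersionMismatch {
    param(
        # Domain to inspect; defaults to the domain of the current computer
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # Ask every domain controller for its own copy of the GPO metadata
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
        foreach ($gpo in Get-GPO -All -Domain $Domain -Server $dc) {
            # DSVersion is read from the Group Policy container's version attribute,
            # SysvolVersion from the .ini file in the Group Policy template folder on that DC
            $userOk     = $gpo.User.DSVersion     -eq $gpo.User.SysvolVersion
            $computerOk = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
            if (-not ($userOk -and $computerOk)) {
                [pscustomobject]@{
                    DomainController      = $dc
                    GPO                   = $gpo.DisplayName
                    GpoId                 = $gpo.Id
                    UserADVersion         = $gpo.User.DSVersion
                    UserSysvolVersion     = $gpo.User.SysvolVersion
                    ComputerADVersion     = $gpo.Computer.DSVersion
                    ComputerSysvolVersion = $gpo.Computer.SysvolVersion
                }
            }
        }
    }
}

# A mismatch that persists beyond the replication interval points at a SYSVOL (FRS or DFS
# Replication) or AD DS replication problem rather than at the GPO itself.
Get-GpoVersionMismatch | Format-Table -AutoSize
```

A transient mismatch shortly after a GPO edit is expected; only entries that remain after the replication interval need investigation.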
Starter GPOs
A Starter GPO is used as a template from which to
create other GPOs within the GPMC. Starter GPOs
only contain Administrative Template settings.
You might use a Starter GPO to provide a starting
point to create new GPOs in your domain. The
Starter GPO already might contain specific
settings that are recommended best practices for
your environment. Starter GPOs can be exported to,
and imported from, cabinet (.cab) files to make
distribution to other environments simple and
efficient.
The GPMC stores Starter GPOs in a folder named
StarterGPOs, which is in SYSVOL. Preconfigured Starter GPOs from Microsoft are available for Windows
client operating systems. These Starter GPOs contain Administrative Template settings that reflect
Microsoft-recommended best practices for the configuration of the client environment.
Common GPO Management Tasks
Like critical data and AD DS-related resources,
you must back up GPOs to protect the integrity of
AD DS and GPOs. The GPMC not only provides
the basic backup and restore options, but also
provides additional control over GPOs for
administrative purposes. Options for managing
GPOs include the following:
Backing Up GPOs
You can back up GPOs individually or as a whole
with the GPMC or Windows PowerShell. You must
provide only a backup location, which can be any
valid local or shared folder. You must have Read
permission on the GPO to back it up. Every time that you perform a backup, a new backup version of the
GPO is created, which provides a historical record.
Restoring Backed Up GPOs
You can restore any version of a GPO. If one becomes corrupted or you delete it, you can restore any of
the historical versions of that GPO. The restore interface provides the ability for you to view the settings in
the backup version before restoring it.
Importing GPO Settings from a Backup GPO
You can import policy settings from one GPO into another. Importing a GPO allows you to transfer
settings from a backup GPO to an existing GPO. Importing a GPO transfers only the GPO settings. The
import process does not import GPO links. Security principals defined in the source might need to be
migrated to the target.
Note: It is not possible to merge imported settings with the current target GPO settings.
The imported settings will overwrite all existing settings.
Copying GPOs
You can copy GPOs in the same domain and across domains by using the GPMC or Windows PowerShell.
A copy operation copies an existing, live GPO to the desired destination domain. A new GPO is always
created during this process. The new GPO is named Copy of OldGPOName. For example, if you copied a
GPO named Desktop, the new version would be named Copy of Desktop. After the file copies to the
Group Policy Objects container, you can rename the policy. The destination domain can be any trusted
domain in which you have the rights to create new GPOs. When copying between domains, security
principals defined in the source might need to be migrated to the target.
Note: It is not possible to copy settings from multiple GPOs into a single GPO.
Migration Tables
When importing GPOs or copying them between domains, you can use migration tables to modify
references in the GPO that need to be adjusted for the new location. For example, you might need to
replace the Universal Naming Convention (UNC) path for Folder Redirection with a UNC path that is
appropriate for the new user group to which the GPO will apply. You can create migration tables prior to
this process, or you can create them during the import or cross-domain copy operation.
Delegating Administration of Group Policies
Delegation of GPO-related tasks allows you to
distribute the administrative workload across an
enterprise. You can task one group with creating
and editing GPOs, while another group performs
reporting and analysis duties. A third group might
be in charge of creating WMI filters.
You can delegate the following Group Policy tasks
independently:
Creating GPOs.
Editing GPOs.
Managing Group Policy links for a site,
domain, or OU.
Performing Group Policy Modeling analyses on a given domain or OU.
Reading Group Policy Results data for objects in a given domain or OU.
Creating WMI filters in a domain.
The Group Policy Creator Owners group allows its members to create new GPOs and edit or delete GPOs
that they have created.
Group Policy Default Permissions
By default, the following users and groups have Full Control over GPO management:
Domain Admins.
Enterprise Admins.
Creator Owner.
Local System.
The Authenticated Users group has Read and Apply Group Policy permissions.
Creating GPOs
By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new
GPOs. There are two methods by which you can grant a group or user this right:
Add the user or group to the Group Policy Creator Owners group.
Explicitly grant the group or user permission to create GPOs by using the GPMC.
Editing GPOs
To edit a GPO, the user must have both read and write access to the GPO. You can grant this permission
by using the GPMC.
Managing GPO Links
The ability to link GPOs to a container is a permission that is specific to that container. In the GPMC, you
can manage this permission by using the Delegation tab on the container. You also can delegate it
through the Delegation of Control Wizard in Active Directory Users and Computers.
Group Policy Modeling and Group Policy Results
You can delegate the ability to use the reporting tools in the same fashion, through the GPMC or the
Delegation of Control Wizard in Active Directory Users and Computers.
Create WMI Filters
You can delegate the ability to create and manage WMI filters in the same fashion, through the GPMC or
the Delegation of Control Wizard in Active Directory Users and Computers.
Managing GPOs with Windows PowerShell
In addition to using the GPMC and the Group
Policy Management Editor, you can also perform
common GPO administrative tasks by using
Windows PowerShell.
The following table lists some of the more
common administrative tasks possible with
Windows PowerShell.
Cmdlet name        Description
New-GPO            Creates a new GPO.
New-GPLink         Creates a new GPO link for the specified GPO.
Backup-GPO         Backs up the specified GPOs.
Restore-GPO        Restores the specified GPOs.
Copy-GPO           Copies a GPO.
Get-GPO            Gets the specified GPOs.
Import-GPO         Imports the backup settings into a specified GPO.
Set-GPInheritance  Grants specified permissions to a user or security group for the specified GPOs.
For example, the following command creates a new GPO named Sales:
New-GPO -Name Sales -Comment "This is the sales GPO"
The following command imports the settings from a backup of the Sales GPO in a folder at C:\Backups into a
new GPO named NewSales (the -CreateIfNeeded parameter creates the target GPO if it does not exist yet):
Import-GPO -BackupGpoName Sales -TargetName NewSales -Path C:\Backups -CreateIfNeeded
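The following script is an added example and is not the course's own code; it ties the backup, import and copy tasks from this lesson together with the cmdlets in the table. The backup root, the migration table file and the contoso.com target domain are assumptions for illustration; Adatum.com is the course's domain.

```powershell
# Added example, not part of the course text: back up every GPO in the domain to a dated folder,
# then import one of those backups into a new GPO through a migration table, and copy a GPO to a
# trusted domain. C:\GPOBackups, sales.migtable and contoso.com are assumed values.
Import-Module GroupPolicy

function Backup-AllGpos {
    param([string]$Root = 'C:\GPOBackups')   # any local or shared folder you can write to
    # One subfolder per run: every run adds a new backup version, giving a historical record
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # Backup-GPO returns one GpoBackup object (Id, GpoId, DisplayName, CreationTime, ...) per GPO
    $backups = Backup-GPO -All -Path $dest -Comment "Full backup $(Get-Date -Format s)"
    # Keep a manifest beside the backups so the folder can be read without the GPMC
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $backups
}

$backups = Backup-AllGpos
"$(@($backups).Count) GPOs backed up to $(@($backups)[0].BackupDirectory)"

# Import the newest backup of 'Sales' into a new GPO. Import transfers settings only, never links;
# -CreateIfNeeded creates the target GPO when it does not exist yet. The migration table remaps
# UNC paths and security principals that differ in the destination (see "Migration Tables").
$latest = $backups | Where-Object { $_.DisplayName -eq 'Sales' } |
    Sort-Object CreationTime -Descending | Select-Object -First 1
Import-GPO -BackupId $latest.Id -Path $latest.BackupDirectory `
    -TargetName 'NewSales' -CreateIfNeeded `
    -MigrationTable 'C:\GPOBackups\sales.migtable'

# Cross-domain copy of the live GPO. Unlike the GPMC copy operation, Copy-GPO lets you name the
# new GPO directly instead of producing "Copy of Sales"; the same migration table applies.
Copy-GPO -SourceName 'Sales' -SourceDomain 'Adatum.com' `
    -TargetName 'Sales' -TargetDomain 'contoso.com' `
    -MigrationTable 'C:\GPOBackups\sales.migtable'
```

Because the backup folder contains every setting of every GPO, including any scripts and security settings, protect it with the same care as the GPOs themselves.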
Lesson 3
Group Policy Scope and Group Policy Processing
A GPO is a collection of configuration instructions that the client-side extensions of computers will
process. Until the GPO is scoped, it does not apply to any users or computers. The GPO's scope
determines which client-side extensions of which computers will receive and process the GPO. Only the
computers or users within the scope of a GPO will apply the settings in that GPO. You will learn to
manage the scope of a GPO in this lesson. The following mechanisms are used to scope a GPO:
The GPO link to a site, domain, or OU, and whether that link is enabled or not.
The Enforce option of a GPO.
The Block Inheritance option on an OU.
Security group filtering.
WMI filtering.
Policy node enabling or disabling.
Preferences targeting.
Loopback policy processing.
You must be able to define the users or computers to which you plan to deploy these configurations.
Consequently, you must master the art of scoping GPOs. In this lesson, you will learn each of the
mechanisms with which you can scope a GPO, and in the process, you will master the concepts of Group
Policy application, inheritance, and precedence.
Lesson Objectives
After completing this lesson, you will be able to:
Describe GPO links.
Describe GPO processing.
Describe GPO inheritance and precedence.
Use security filters to modify GPO scope.
Describe how to use WMI filters to modify GPO scope.
Describe how to enable and disable GPOs and GPO nodes.
Explain how and when to use loopback processing.
Describe strategies for slow links and computers that are disconnected.
Explain when Group Policy settings take effect.
Describe managing Group Policy in a multi-domain environment.
GPO Links
You can link a GPO to one or more AD DS sites,
domains, or OUs. After you have linked a GPO, the
users or computers in that container are within
the scope of the GPO, including computers and
users in child OUs.
Link a GPO
To link a GPO, either:
Right-click the domain or OU in the GPMC
console tree, and then click Link as existing
GPO.
If you have not yet created a GPO, click
Create A GPO In This Domain And Link It Here.
You can choose the same commands to link a GPO to a site, but by default, your AD DS sites are not
visible in the GPMC. To show sites in the GPMC, right-click Sites in the GPMC console tree, and then click
Show Sites.
Note: A GPO that is linked to a site affects all computers in the site, without regard to the
domain to which the computers belong, as long as all computers belong to the same Active
Directory forest. Therefore, when you link a GPO to a site, that GPO can apply to multiple
domains within a forest. Site-linked GPOs are stored on domain controllers in the domain in
which you create the GPO. Therefore, domain controllers for that domain must be accessible for
site-linked GPOs to apply correctly. If you implement site-linked policies, you must consider
policy application when planning your network infrastructure. You can either place a domain
controller from the GPO's domain in the site to which the policy is linked, or ensure that a WAN
connection provides access to a domain controller in the GPO's domain.
When you link a GPO to a container, you define the initial scope of the GPO. Select a GPO, and then click
the Scope tab to identify the containers to which the GPO is linked. In the details pane of the GPMC, the
GPO links display in the first section of the Scope tab.
The impact of the GPO's links is that the Group Policy Client downloads the GPO if either the computer or
the user objects fall within the scope of the link. The GPO will download only if it is new or updated. The
Group Policy Client caches the GPO to make policy refresh more efficient.
Link a GPO to Multiple OUs
You can link a GPO to more than one OU. It is common, for example, to apply configuration to computers
in several OUs. You can define the configuration in a single GPO and then link that GPO to each OU. If
you later change settings in the GPO, your changes will apply to all OUs to which the GPO is linked.
Delete or Disable a GPO Link
After you have linked a GPO, the GPO link appears in the GPMC underneath the site, domain, or OU. The
icon for the GPO link has a small shortcut arrow. When you right-click the GPO link, a shortcut menu
appears. To delete a GPO link, right-click the GPO link in the GPMC console tree, and then click Delete.
Deleting a GPO link does not delete the GPO itself, which remains in that GPO container. However,
deleting the link does change the scope of the GPO so that it no longer applies to computers and users
within the previously linked container object.
You also can modify a GPO link by disabling it. To disable a GPO link, right-click the GPO link in the
GPMC console tree and then clear the Link Enabled option.
Disabling the link also changes the GPO scope so that it no longer applies to computers and users within
that container. However, the link remains so that you can easily re-enable it.
Demonstration: Linking GPOs
This demonstration shows how to:
Open the GPMC.
Create two new GPOs.
Link the first GPO to the domain.
Link the second GPO to the IT OU.
Disable the first GPO's link.
Delete the second GPO.
Re-enable the first GPO's link.
Demonstration Steps
Create and edit two GPOs
1. Open the Group Policy Management Console.
2. Create two new GPOs named Remove Run Command and Do Not Remove Run Command.
3. Edit the settings of the two GPOs.
Link the GPOs to different locations
1. Link the Remove Run Command GPO to the domain. The Remove Run Command GPO is now
attached to the Adatum.com domain.
2. Link the Do Not Remove Run Command GPO to the IT OU. The Do Not Remove Run Command GPO
is now attached to the IT OU.
3. View the GPO inheritance on the IT OU. The Group Policy Inheritance tab shows the order of
precedence for the GPOs.
Disable a GPO link
1. Disable the Remove Run Command GPO on the Adatum.com domain.
2. Refresh the Group Policy Inheritance pane for the IT OU, and then notice the results in the right pane.
The Remove Run Command GPO is no longer listed.
Delete a GPO link
1. Select the IT OU, and then delete the Do Not Remove Run Command GPO link. Verify the removal
of the Do Not Remove Run command and the absence of the Remove Run command GPOs.
2. Enable the Remove Run Command GPO on the Adatum.com domain. Refresh the Group Policy
Inheritance window for the IT OU, and then notice the results in the right pane.
Group Policy Processing Order
The GPOs that apply to a user, computer, or both
do not apply all at once. GPOs apply in a
particular order. Settings that process first might
be overwritten by conflicting settings that process
later.
Group Policy follows the following hierarchical
processing order:
1. Local GPOs. Each computer that runs
Windows 2000 or newer has at least one local
Group Policy. The local policies apply first,
when such policies are configured.
2. Site-linked GPOs. Policies linked to sites process second. If there are multiple site policies, they
process synchronously in the listed preference order.
3. Domain-linked GPOs. Policies linked to domains process third. If there are multiple domain policies,
they process synchronously in the listed preference order.
4. OU-linked GPOs. Policies linked to top-level OUs process fourth. If there are multiple top-level OU
policies, they process synchronously in the listed preference order.
5. Child OU-linked GPOs. Policies linked to child OUs process fifth. If there are multiple child OU
policies, they process synchronously in the listed preference order. When there are multiple levels of
child OUs, policies for higher-level OUs apply first and policies for the lower-level OUs apply next.
In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that
restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the
OU level for the objects contained in that particular OU.
If you link several GPOs to an OU, their processing occurs in the order that the administrator specifies on
the OU's Linked Group Policy Objects tab in the GPMC. By default, processing is enabled for all GPO links.
You can disable a container's GPO link to block the application of a GPO completely for a given site,
domain, or OU. For example, if a recent change was made to a GPO and it is causing production issues,
you can disable the link or links until the issue is resolved. Note that if the GPO is linked to other
containers, they will continue to process the GPO if their links are enabled.
You also can disable either the user configuration or the computer configuration of a particular GPO
independently of the other. If one section of a policy is known to be empty, disabling that side speeds up
policy processing slightly. For example, if you have a policy that only delivers user desktop configuration,
you could disable the computer side of the policy.
Configuring GPO Inheritance and Precedence
You can configure a policy setting in more than
one GPO, which might result in GPOs conflicting
with each other. For example, you might enable a
policy setting in one GPO, disable it in another
GPO, and then not configure it in a third GPO. In
this case, the precedence of the GPOs determines
which policy setting the client applies. A GPO with
higher precedence prevails over a GPO with lower
precedence.
The GPMC shows precedence as a number. The
smaller the number (that is, the closer to 1), the
higher the precedence. Therefore, a GPO that has
a precedence of 1 will prevail over other GPOs. Select the relevant AD DS container, and then click the
Group Policy Inheritance tab to view the precedence of each GPO.
When a policy setting is enabled or disabled in a GPO with higher precedence, the configured setting
takes effect. However, remember that policy settings are set to Not Configured, by default. If a policy
setting is not configured in a GPO with higher precedence, the policy setting, either enabled or disabled,
in a GPO with lower precedence will take effect.
You can link more than one GPO to an AD DS container object. The link order of GPOs determines the
precedence of GPOs in such a scenario. GPOs with a higher link order take precedence over GPOs with a
lower link order. When you select an OU in the GPMC, the Linked Group Policy Objects tab shows the link
order of GPOs that are link to that OU.
The default behavior of Group Policy is that GPOs linked to a higher-level container are inherited by
lower-level containers. When a computer starts up or a user logs on, the Group Policy Client examines the
location of the computer or user object in AD DS and evaluates the GPOs with scopes that include the
computer or user. Then, the client-side extensions apply policy settings from these GPOs. Policies apply
sequentially, beginning with the policies that link to the site, followed by those that link to the domain,
followed by those that link to OUs, from the top-level OU down to the OU in which the user or computer
object exists. It is a layered application of settings, so a GPO that applies later in the process overrides
settings that applied earlier in the process because it has higher precedence.
The sequential application of GPOs creates an effect called policy inheritance. Policies are inherited, so the
Resultant Set of Policy (RSoP) for a user or computer will be the cumulative effect of site, domain, and
OU policies.
By default, inherited GPOs have lower precedence than GPOs that link directly to a container. For
example, you might configure a policy setting to disable the use of registry-editing tools for all users in
the domain by configuring the policy setting in a GPO that links to the domain. All users within the
domain inherit that GPO and its policy setting. However, because you probably want administrators to be
able to use registry-editing tools, you will link a GPO to the OU that contains administrators' accounts and
then configure the policy setting to allow the use of registry-editing tools. Because the GPO that links to
the administrators OU takes higher precedence than the inherited GPO, administrators will be able to use
registry-editing tools.
Precedence of Multiple Linked GPOs
If multiple GPOs link to an AD DS container object, the object's link order determines their precedence.
To change the precedence of a GPO link, follow this procedure:
1. Select the AD DS container object in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrows to change the link order of the
selected GPO.
Block Inheritance
You can configure a domain or OU to prevent the inheritance of policy settings. This is known as blocking
inheritance. To block inheritance, right-click the domain or OU in the GPMC console tree, and then select
Block Inheritance.
The Block Inheritance option is a property of a domain or OU, so it blocks all Group Policy settings from
GPOs that link to parents in the Group Policy hierarchy. For example, when you block inheritance on an
OU, GPO application begins with any GPOs that link directly to that OU. Therefore, GPOs that are linked
to higher-level OUs, the domain, or the site will not apply.
You should use the Block Inheritance option sparingly because blocking inheritance makes it more
difficult to evaluate Group Policy precedence and inheritance. With security group filtering, you can
carefully scope a GPO so that it applies to only the correct users and computers in the first place, making
it unnecessary to use the Block Inheritance option.
Enforce a GPO Link
Additionally, you can set a GPO link to be enforced. To enforce a GPO link, right-click the GPO link in the
console tree, and then select Enforced from the shortcut menu.
When you set a GPO link to Enforced, the GPO takes the highest level of precedence. Policy settings in
that GPO will prevail over any conflicting policy settings in other GPOs. Furthermore, a link that is
enforced will apply to child containers even when those containers are set to Block Inheritance. The
Enforced option causes the policy to apply to all objects within its scope. The Enforced option will cause
policies to override any conflicting policies and will apply, regardless of whether a Block Inheritance
option is set.
Enforcement is useful when you must configure a GPO that defines a configuration that is mandated by
your corporate IT security and usage policies. Therefore, you want to ensure that other GPOs do not
override those settings. You can do this by enforcing the GPO's link.
Evaluating Precedence
To facilitate evaluation of GPO precedence, you can simply select an OU or domain, and then click the
Group Policy Inheritance tab. This tab will display the resulting precedence of GPOs, accounting for GPO
link, link order, inheritance blocking, and link enforcement. This tab does not account for policies that are
linked to a site, for GPO security, or WMI filtering.
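The same precedence data that the Group Policy Inheritance tab shows is available through Get-GPInheritance. The script below is an added example and is not part of the course text; it audits every OU for the Block Inheritance option and for enforced links (both of which the text says to use sparingly) and then shows the resolved GPO order for one OU. The IT OU distinguished name is an assumption for the Adatum.com domain.

```powershell
# Added example, not part of the course text: list every container that blocks inheritance and
# every enforced link, then show the effective GPO order for one OU, using the same data the
# Group Policy Inheritance tab displays. Like that tab, it ignores site-linked GPOs, security
# filtering and WMI filters. 'OU=IT,DC=Adatum,DC=com' is an assumed distinguished name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoInheritanceExceptions {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # The domain root plus every OU; Get-GPInheritance takes an LDAP distinguished name
    $containers = @((Get-ADDomain -Server $Domain).DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object { $_.DistinguishedName })
    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $dn; Finding = 'Block Inheritance'; GPO = ''; LinkOrder = '' }
        }
        # GpoLinks are the links made directly on this container; Order 1 is the highest link order
        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            [pscustomobject]@{ Container = $dn; Finding = 'Enforced link'; GPO = $link.DisplayName; LinkOrder = $link.Order }
        }
    }
}

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$Target)
    # InheritedGpoLinks is the resolved list: link order, inheritance, blocking and enforcement are
    # already accounted for, and it is listed in precedence order like the Group Policy Inheritance tab
    (Get-GPInheritance -Target $Target).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Enabled, Target
}

Get-GpoInheritanceExceptions | Sort-Object Container | Format-Table -AutoSize
Get-EffectiveGpoOrder -Target 'OU=IT,DC=Adatum,DC=com' | Format-Table -AutoSize
```

Run the exceptions report periodically: an unexpected Block Inheritance on an OU silently stops domain-level security settings from reaching the computers in it.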
Using Security Filtering to Modify Group Scope
Although you can use Enforcement and Block
Inheritance options to control the application of
GPOs to container objects, you might need to
apply GPOs only to certain groups of users or
computers rather than to all users or computers
within the scope of the GPO. Although you cannot
directly link a GPO to a security group, there is a
way to apply GPOs to specific security groups. The
policies in a GPO apply only to users who have
Allow Read and Allow Apply Group Policy
permissions to the GPO.
Each GPO has an access control list (ACL) that
defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required
for a GPO to apply to a user or computer. For example, if a GPO is scoped to a computer by its link to the
computer's OU, but the computer does not have Read and Apply Group Policy permissions, it will not
download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you
can filter a GPO so that its settings apply only to the computers and users that you specify.
By default, Authenticated Users are assigned Allow Read and Allow Apply Group Policy permissions on
each new GPO. This means that, by default, all users and computers are affected by the GPOs set for their
domain, site, or OU, regardless of the other groups in which they might be members. Therefore, there are
two ways of filtering GPO scope:
Remove the Apply Group Policy permission, currently set to Allow, for the Authenticated Users group,
but do not set this permission to Deny. Then, determine the groups to which the GPO should apply,
and set the Read and Apply Group Policy permissions for these groups to Allow.
Determine the groups to which the GPO should not apply, and set the Apply Group Policy permission
for these groups to Deny. If you deny the Apply Group Policy permission to a GPO, the user or
computer will not apply settings in the GPO, even if the user or computer is a member of another
group that is assigned Apply Group Policy permission.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following procedure:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. In the Security Filtering section, select the Authenticated Users group, and then click Remove.
Note: You cannot filter GPOs with domain local security groups.
3. Click OK to confirm the change.
4. Click Add.
5. Select the group to which you want the policy to apply, and then click OK.
Filtering a GPO to Exclude Specific Groups
The Scope tab of a GPO does not allow you to exclude specific groups. To exclude a group (that is, to
deny the Apply Group Policy permission), you must use the Delegation tab.
To deny a group the Apply Group Policy permission, perform the following procedure:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. Click the Delegation tab.
3. Click the Advanced button. The Security Settings dialog box appears.
4. Click the Add button.
5. Select the group you want to exclude from the GPO. Remember, it must be a global group. GPO
scope cannot be filtered by domain local groups.
6. Click OK. The group you selected is granted the Allow Read permission, by default.
7. Clear the Allow Read permission check box.
8. Select the Deny Apply Group Policy check box.
9. Click OK. You are warned that Deny permissions override other permissions. Because Deny
permissions override Allow permissions, we recommend that you use them sparingly. A warning
message reminds you of this best practice. The process to exclude groups with the Deny Apply Group
Policy permission is far more laborious than the process to include groups in the Security Filtering
section of the Scope tab.
10. Confirm that you want to continue.
Note: Deny permissions are not exposed on the Scope tab. Unfortunately, when you
exclude a group, the exclusion is not shown in the Security Filtering section of the Scope tab. This
is another reason to use Deny permissions sparingly.
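Because Deny entries are hidden on the Scope tab, an audit that reads the full ACL of each GPO is the only reliable way to see the effective security filtering. The following script is an added example and is not part of the course text; it reports who each GPO applies to (including denied trustees) and applies the first filtering method from the text with the GroupPolicy cmdlets. The GPO and group names in the last lines are assumptions for illustration.

```powershell
# Added example, not part of the course text: report the effective security filtering of every GPO,
# including Deny entries the Scope tab never shows, and apply the first filtering method from the
# text (remove Authenticated Users, then grant Read and Apply to the intended group).
# 'Remove Help menu' is the demonstration GPO; 'IT Helpdesk Users' is an assumed group name.
Import-Module GroupPolicy

function Get-GpoSecurityFilteringReport {
    foreach ($gpo in Get-GPO -All) {
        # -All returns every trustee on the GPO's ACL, not just the ones listed on the Scope tab
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $allowApply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            AppliesTo = ($allowApply | ForEach-Object { $_.Trustee.Name }) -join ', '
            # Deny entries come back with Denied = True; they are visible only on the Delegation tab,
            # which is the reason the text recommends using them sparingly
            DeniedFor = ($perms | Where-Object { $_.Denied } | ForEach-Object { $_.Trustee.Name }) -join ', '
            # GpoCustom entries do not map to a standard level and deserve a manual look
            CustomAcl = ($perms | Where-Object { $_.Permission -eq 'GpoCustom' } | ForEach-Object { $_.Trustee.Name }) -join ', '
            # A GPO with no Allow Apply entry at all applies to nobody, usually the result of removing
            # Authenticated Users and forgetting to add the intended group
            AppliesToNobody = (@($allowApply).Count -eq 0)
        }
    }
}

function Set-GpoSecurityFilter {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$GroupName)
    # Step 1: drop Authenticated Users. -Replace is needed because None is a lower level than the
    # existing GpoApply, and Set-GPPermission does not lower a level unless told to replace it.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
    # Step 2: GpoApply grants both Allow Read and Allow Apply Group Policy to the group
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Not in the course text: since security update MS16-072 (2016) the computer account must be able
    # to read every GPO, user settings included, so keep Read (not Apply) for Domain Computers.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

Set-GpoSecurityFilter -GpoName 'Remove Help menu' -GroupName 'IT Helpdesk Users'
Get-GpoSecurityFilteringReport | Format-Table -AutoSize
```

The report is also a quick way to confirm that a GPO carrying security settings has not been accidentally filtered down to an empty set of trustees.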
What Are WMI Filters?
WMI is a management-infrastructure technology
that enables administrators to monitor and
control managed objects in a network. A WMI
query is capable of filtering systems based on
characteristics, including random access memory
(RAM), processor speed, disk capacity, IP address,
operating system version and service pack level,
installed applications, and printer properties.
Because WMI exposes almost every property of
every object within a computer, the list of
attributes that you can use in a WMI query is
virtually unlimited. WMI queries are written by
using WMI Query Language (WQL).
You can use a WMI query to create a WMI filter, with which you can filter a GPO. You can use Group
Policy to deploy software applications and service packs. You might create a GPO to deploy an
application, and then use a WMI filter to specify that the policy should apply only to computers with a
certain operating system and service pack, such as Windows 8.1. The WMI query to identify such
systems is:
Select * FROM Win32_OperatingSystem WHERE Version="6.3.9600"
When the Group Policy Client evaluates the GPOs it has downloaded to determine which should be
handed off to the client-side extensions for processing, it performs the query against the local system. If
the system meets the criteria of the query, the query result is a logical True, and the client-side extensions
process the GPO.
WMI exposes namespaces, within which are classes that can be queried. Many useful classes, including
Win32_OperatingSystem, are found in the namespace root\CIMv2.
To create a WMI filter, perform the following procedure:
1. Right-click the WMI Filters node in the GPMC console tree, and then click New. Type a name and
description for the filter, and then click the Add button.
2. In the Namespace box, type the namespace for your query.
3. In the Query box, enter the query.
4. Click OK, and then click Save.
To filter a GPO with a WMI filter, perform the following procedure:
1. Select the GPO or GPO link in the console tree.
2. Click the Scope tab.
3. Click the WMI drop-down list, and then select the WMI filter. In the pop-up window, click Yes to
confirm the change of the WMI filter.
You can filter a GPO with only a single WMI filter, but you can also create a WMI filter with a complex
query that uses multiple criteria. You can link a single WMI filter to one or more GPOs. The General tab of
a WMI filter displays the GPOs that use the WMI filter.
There are significant caveats regarding WMI filters:
First, mastering the WQL syntax of WMI queries can be challenging. However, you can often find
examples on the Internet when you search by using the keywords WMI filter and WMI query with
a description of the query that you want to create.
Second, WMI filters are expensive in terms of Group Policy processing performance. Because the
Group Policy Client must perform the WMI query at each policy-processing interval, there is a slight
impact on system performance every 90 to 120 minutes. With the performance of today's computers,
the impact might not be noticeable. However, you should test the effects of a WMI filter prior to
deploying it widely in your production environment.
Note: The WMI query is processed only once per policy refresh, even if you use it to filter the scope of
multiple GPOs.
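The advice above to test a WMI filter before deploying it can be followed on any workstation. The function below is an added example and is not part of the course text; it runs a WQL query locally the way the Group Policy Client does (a non-empty result means the GPO applies) and measures its cost. The queries passed to it are illustrations; ProductType=1 selects workstations only.

```powershell
# Added example, not part of the course text: evaluate a WMI filter query on the local computer the
# way the Group Policy Client does (non-empty result = True, the GPO applies) so that a query can be
# checked before it is attached to a production GPO. The queries at the end are illustrations.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'   # the namespace that holds the Win32_* classes
    )
    # Measure the cost as well as the result, since the query runs at every policy refresh
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    $sw.Stop()
    [pscustomobject]@{
        Query   = $Query
        Applies = (@($result).Count -gt 0)   # False when the query returns no instances
        Matches = @($result).Count
        Millis  = $sw.ElapsedMilliseconds
    }
}

# The course's exact-version query matches only version 6.3.9600 (Windows 8.1 and
# Windows Server 2012 R2 share that version string)...
Test-GpoWmiFilter -Query 'Select * FROM Win32_OperatingSystem WHERE Version="6.3.9600"'

# ...while a LIKE pattern combined with ProductType=1 (workstation) selects Windows 8.1
# clients only and leaves out Windows Server 2012 R2 computers that carry the same version.
Test-GpoWmiFilter -Query 'Select * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType=1'
```

A query that takes noticeably long here will add that time to every policy refresh on every computer in the GPO's scope.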
Demonstration: Filtering Policies
This demonstration shows how to:
Create a GPO that removes the Help menu link from the Start menu, and then link it to the IT OU.
Use security filtering to exempt a user from the GPO.
Test Group Policy application.
Demonstration Steps
Create a new GPO, and link it to the IT OU
1. Open the Group Policy Management Console on LON-DC1.
2. Create a new GPO named Remove Help menu, and then link it to the IT OU.
3. Modify the settings of the GPO to remove Help from the Start menu.
Filter Group Policy application by using security group filtering
1. Remove the Authenticated Users entry from the Security Filtering list for the Remove Help menu
GPO in the IT OU.
2. Add the user Ed Meadows to the security filtering list. Now, only Ed Meadows has the Apply Group
Policy permission.
Filter Group Policy application by using WMI filtering
1. Create a WMI filter named XP Filter.
2. Add the following query to the filter:
Select * from Win32_OperatingSystem where Version = "6.3.9600"
3. Save the query as XP filter.
4. Create a new GPO named Software Updates for XP.
5. Modify the policy's properties to use the XP filter.
6. Close the Group Policy Management Console.
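Before a WMI filter is linked to a production GPO, a practitioner would run its query on a representative client to confirm that it matches the intended systems and to see what it costs at each refresh. The following script is an added example (not part of the course); it uses the query from the demonstration above, and the optional computer name parameter is an assumption.

```powershell
# Added example (not from the course): evaluate a WMI filter's WQL query the way the
# Group Policy client does (the filter is true when the query returns at least one
# instance) and time it, since the query runs at every 90-120 minute refresh.
# The query text is the one used in the demonstration above.
$wql = 'Select * from Win32_OperatingSystem where Version = "6.3.9600"'

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $ComputerName            # assumption: omit for the local computer
    )
    $params = @{ Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $instances = @(Get-CimInstance @params)
    } catch {
        # A query that errors will not scope the GPO as intended, so fail loudly.
        $target = if ($ComputerName) { $ComputerName } else { 'localhost' }
        throw "WQL query failed on ${target}: $($_.Exception.Message)"
    }
    $sw.Stop()

    [pscustomobject]@{
        Computer      = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        FilterMatches = $instances.Count -gt 0      # what the Group Policy client would decide
        Instances     = $instances.Count
        Milliseconds  = $sw.ElapsedMilliseconds     # per-refresh cost of this filter
    }
}

# Show the value the filter is actually comparing against on this computer, then
# evaluate the filter. Version 6.3.9600 is what Windows 8.1 and Windows Server 2012 R2
# report, so the result tells you immediately whether the filter's name matches its scope.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'{0}: Version={1} ({2})' -f $env:COMPUTERNAME, $os.Version, $os.Caption
Test-WmiFilterQuery -Query $wql
```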
Enable and Disable GPOs and GPO Nodes
You can prevent the settings in the Computer Configuration or User Configuration nodes from processing
during policy refresh by changing the GPO Status.
To enable or disable a GPO's nodes, select the GPO or GPO link in the console tree, click the Details tab
shown in the figure, and then select one of the following from the GPO Status drop-down list:
Enabled. Both computer configuration settings and user configuration settings will be processed by
client-side extensions during policy refresh.
All Settings Disabled. Client-side extensions will not process the GPO during policy refresh.
Computer Configuration Settings Disabled. During computer policy refresh, computer configuration
settings in the GPO will not be applied.
User Configuration Settings Disabled. During user policy refresh, user configuration settings in the
GPO will not be applied.

You can configure GPO Status to optimize policy processing. For example, if a GPO contains only user
settings, then setting the GPO Status option to disable computer settings prevents the Group Policy Client
from attempting to process the GPO during computer policy refresh. Because the GPO contains no
computer settings, there is no need to process the GPO, and you can save a few processor cycles.
Note: You can define a configuration that should take effect in case of an emergency,
security incident, or other type of disaster in a GPO, disable it, and then link the GPO so that it
scopes to appropriate users and computers. If you require the configuration to be deployed,
enable the GPO.
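One way to implement the pre-staged emergency GPO from the note in Windows PowerShell, as an added example rather than course material: the GPO is created, linked and left in the All Settings Disabled state, and a single function flips the GPO Status when it is needed. The GPO name, the OU path and the use of Invoke-GPUpdate (Windows Server 2012 and newer) to push the refresh are assumptions; the GroupPolicy and ActiveDirectory modules are required.

```powershell
# Added example (not from the course). Assumptions: GPO name, OU path, and that the
# GroupPolicy and ActiveDirectory modules are available on the management host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'IR - Emergency Lockdown'             # assumption
$targetOu = 'OU=Workstations,DC=adatum,DC=com'    # assumption

function Set-GpoStatus {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # The same four choices as the GPO Status drop-down list on the Details tab.
        [Parameter(Mandatory)]
        [ValidateSet('AllSettingsEnabled', 'ComputerSettingsDisabled',
                     'UserSettingsDisabled', 'AllSettingsDisabled')]
        [string] $Status
    )
    $gpo    = Get-GPO -Name $Name -ErrorAction Stop
    $before = $gpo.GpoStatus
    # GpoStatus is a writable property of the GPO object; assigning it writes the change to AD DS.
    $gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]$Status
    [pscustomobject]@{
        Name   = $Name
        Before = $before
        After  = (Get-GPO -Name $Name).GpoStatus
    }
}

# 1. Stage in advance: create the GPO, link it to the OU, and disable all of its settings.
#    The GPO then sits in the client's ordered GPO list but is skipped at every refresh.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Pre-staged incident response settings' |
        New-GPLink -Target $targetOu -LinkEnabled Yes | Out-Null
    Set-GpoStatus -Name $gpoName -Status AllSettingsDisabled
}

# 2. During an incident: enable the GPO and push a refresh to the OU's computers
#    instead of waiting for the next 90-120 minute background refresh.
Set-GpoStatus -Name $gpoName -Status AllSettingsEnabled
Get-ADComputer -SearchBase $targetOu -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}

# 3. After the incident: disable it again so the lockdown stops applying at the next refresh.
# Set-GpoStatus -Name $gpoName -Status AllSettingsDisabled
```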
Loopback Policy Processing
By default, a user's settings come from GPOs that are scoped to the user object in AD DS. Regardless of
which computer a user logs on to, the RSoPs that determine the user's environment are the same. There
are situations, however, in which you might want to configure a user differently, depending on the
computer in use. For example, you might want to lock down and standardize user desktops when they
sign in to computers in closely managed environments, such as conference rooms, reception areas,
laboratories, classrooms, and kiosks. It also is important for Virtual Desktop Infrastructure scenarios,
including remote virtual machines and Remote Desktop Services.
Imagine a scenario in which you want to enforce a standard corporate appearance for the Windows
desktop on all computers in conference rooms and other public areas of your office. How will you
centrally manage this configuration by using Group Policy? Policy settings that configure desktop
appearance are in the User Configuration node of a GPO. Therefore, by default, the settings apply to
users, regardless of which computer they log on to. The default policy processing does not give you a way
to scope user settings to apply to computers, regardless of which user logs on. That is where loopback
policy processing is useful.
Loopback policy processing alters the default algorithm that the Group Policy Client uses to obtain the
ordered list of GPOs that should apply to a user's configuration. Instead of user configuration being
determined by the User Configuration node of GPOs that are scoped to the user object, user
configuration can be determined by the User Configuration node policies of GPOs that are scoped to the
computer object.
The Configure user Group Policy loopback processing mode policy setting, which is in the Computer
Configuration\Policies\Administrative Templates\System\Group Policy folder in the Group Policy
Management Editor, can be set to Not Configured, Enabled, or Disabled, like all policy settings.
When enabled, the policy can specify the Replace or Merge mode:
Replace. In this case, the GPO list for the user is replaced entirely by the GPO list already obtained for
the computer at computer startup. The settings in the User Configuration policies of the computer's
GPOs apply to the user. The Replace mode is useful in a situation such as a classroom, where users
should receive a standard configuration rather than the unrestricted configuration that applies to
users in a less managed environment.

Merge. In this case, the GPO list obtained for the computer at computer startup appends to the GPO
list obtained for the user when logging on. Because the GPO list obtained for the computer applies
later, settings in GPOs on the computer's list have precedence if they conflict with settings in the
user's list. This mode would be useful when you need to apply additional settings to users' typical
configurations. For example, you might allow a user to receive the user's typical configuration when
logging on to a computer in a conference room or reception area, but replace the wallpaper with a
standard bitmap and disable the use of certain applications or devices.
Note: Note that when you combine loopback processing with security group filtering, the
application of user settings during policy refresh uses the computer's credentials to determine
which GPOs to apply as part of the loopback processing. However, the logged-on user also must
have the Apply Group Policy permission for the GPO to apply successfully. Also, note that the
loopback processing flag is configured on a per-session basis rather than per GPO.
Strategies for Slow Links and Disconnected Systems
Some settings that you can configure with Group Policy can be impacted by the speed of the link that a
user's computer has with your domain network. For instance, deploying software by using GPOs would be
inappropriate over slower links. Furthermore, it is important to consider the effect of GPOs on computers
that are disconnected from the domain network.
Slow Links
The Group Policy Client addresses the issue of slow links by detecting the connection speed to the
domain and by determining whether the connection should be considered a slow link. Each CSE then uses
that determination to decide whether to apply settings. For example, if a slow link is detected, the
software extension is configured to forego policy processing so that software does not install.
Note: By default, a link is considered to be slow if it is less than 500 kilobits per second
(Kbps). However, you can configure this to a different speed.
If Group Policy detects a slow link, it sets a flag to indicate the slow link to the client-side extensions. The
client-side extensions then can determine whether to process the applicable Group Policy settings. The
following table describes the default behavior of some of the client-side extensions.
Client-side extension                          Slow link processing   Can it be changed?
Registry policy processing                     On                     No
Internet Explorer Maintenance                  Off                    Yes
Software Installation policy                   Off                    Yes
Folder Redirection policy                      Off                    Yes
Scripts policy                                 Off                    Yes
Security policy                                On                     No
Internet Protocol security (IPsec) policy      Off                    Yes
Wireless policy                                Off                    Yes
Encrypting File System (EFS) Recovery policy   On                     Yes
Disk Quota policy                              Off                    Yes
Disconnected Computers
If a user is working while disconnected from the network, the settings previously applied by Group Policy
continue to take effect. That way, a user's experience is identical, regardless of whether he or she is on the
network or away. A notable exception to this rule is that startup, logon, logoff, and shutdown scripts will
not run if the user is disconnected.
If a remote user connects to the network, the Group Policy Client wakes up and determines whether a
Group Policy refresh window was missed. If so, it performs a Group Policy refresh to obtain the latest
GPOs from the domain. Again, based on their policy processing settings, the client-side extensions
determine whether settings in those GPOs are applied.
Group Policy Caching
A new Group Policy feature named Group Policy Caching was introduced in Windows Server 2012 R2 and
Windows 8.1. Group Policy Caching, which is on by default on computers that run Windows Server 2012
R2 or Windows 8.1, caches Group Policy information after every background processing session. The
cached information saves locally on the computer. The Group Policy Caching feature has the following
characteristics:
If Group Policy is configured to run synchronously, as it is by default, then the cached Group Policy
information can be used in place of a GPO download. This can improve the overall performance of
Group Policy.
If Group Policy is configured to run asynchronously, then computers will download the latest version
of the GPOs on demand and not use the cached information.
In the new Group Policy Caching setting in Group Policy, there are two settings, one for slow link
detection and one for a timeout period. Computers use these to determine whether they are on a
slow link or whether they are disconnected from the network. If they are disconnected from the
network, Group Policy processing is suspended.
Group Policy Caching improves performance in general by reducing the repetitive downloads of GPOs,
and especially for computers that are connected by a slow link, by reducing the overall bandwidth
consumption over the slow link.
Identifying When Settings Become Effective
Several processes must complete before Group Policy settings actually apply to a user or a computer. This
topic discusses these processes.
GPO Replication Must Happen
Before a GPO can take effect, the Group Policy container in AD DS must replicate to the domain controller
from which the Group Policy Client obtains its ordered list of GPOs. Additionally, the Group Policy
template in SYSVOL must replicate to the same domain controller.
Group Changes Must Be Incorporated
Finally, if you have added a new group or changed the membership of a group that is used to filter the
GPO, that change also must be replicated. Furthermore, the change must be in the security token of the
computer and the user. This requires either a restart for the computer to update its group membership or
a logoff and logon for the user to update its group membership.
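Checking the replication condition from Windows PowerShell, as an added example that is not course material: Get-GPO exposes the version numbers stored in the AD DS container and in the SYSVOL template, so a mismatch on a given domain controller means the GPO has not finished replicating there (or SYSVOL is damaged). The domain and domain controller names are assumptions.

```powershell
# Added example (not from the course). Domain and DC names are assumptions.
Import-Module GroupPolicy

function Get-GpoReplicationState {
    param(
        [string] $Domain = 'adatum.com',   # assumption
        [string] $Server                    # DC to query; omit to let Get-GPO pick the PDC emulator
    )
    $params = @{ All = $true; Domain = $Domain }
    if ($Server) { $params.Server = $Server }

    foreach ($gpo in Get-GPO @params) {
        # DSVersion comes from the Group Policy container in AD DS; SysvolVersion from GPT.INI
        # in SYSVOL. Both are tracked separately for the computer and user halves of the GPO.
        $compOk = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
        $userOk = $gpo.User.DSVersion     -eq $gpo.User.SysvolVersion
        [pscustomobject]@{
            Server     = if ($Server) { $Server } else { '(default DC)' }
            Name       = $gpo.DisplayName
            Id         = $gpo.Id
            Status     = $gpo.GpoStatus
            CompDS     = $gpo.Computer.DSVersion
            CompSysvol = $gpo.Computer.SysvolVersion
            UserDS     = $gpo.User.DSVersion
            UserSysvol = $gpo.User.SysvolVersion
            InSync     = $compOk -and $userOk
        }
    }
}

# Ask every domain controller the same question. A GPO that is InSync on one DC and
# not on another is still replicating; one that is out of sync on all DCs points at
# a SYSVOL problem rather than replication latency.
$dcs = 'LON-DC1.adatum.com', 'LON-DC2.adatum.com'   # assumption
$report = foreach ($dc in $dcs) { Get-GpoReplicationState -Server $dc }

$report | Where-Object { -not $_.InSync } |
    Format-Table Server, Name, CompDS, CompSysvol, UserDS, UserSysvol -AutoSize

# The same GPO's AD DS version differing between DCs is AD DS replication lag.
$report | Group-Object Id | Where-Object {
    ($_.Group.CompDS | Sort-Object -Unique).Count -gt 1 -or
    ($_.Group.UserDS | Sort-Object -Unique).Count -gt 1
} | ForEach-Object { "Still replicating in AD DS: $($_.Group[0].Name)" }
```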
User or Computer Group Policy Refresh Must Occur
Refresh happens at startup for computer settings, at logon for user settings, and every 90 to 120 minutes
thereafter, by default.
Note: Remember that the practical impact of the Group Policy refresh interval is that, when
you make a change in your environment, on average, domain computers will receive the changes
after one-half of that time, or 45 to 60 minutes, has passed.
By default, Windows clients with Windows XP and newer only perform background refreshes at startup
and logon. This means that a client might start up and a user might sign in without receiving the latest
policies from the domain. We highly recommend that you change this default behavior so that policy
changes implement in a managed, predictable way. Enable the policy setting Always Wait For Network
At Startup And Logon for all Windows clients. The setting is in Computer
Configuration\Policies\Administrative Templates\System\Logon. Be sure to read the policy setting's
explanatory text. Note that this does not affect the startup or logon time for computers that are not
connected to a network. If a computer detects that it is disconnected, it does not wait for a network.
Logon or Restart
Although most settings apply during a background policy refresh, some client-side extensions do not
apply the setting until the next startup or logon event. For example, newly added startup and logon script
policies do not run until the next computer startup or logon. Software installation will occur at the next
startup if the software is assigned in computer settings. Changes to Folder Redirection policies will not
take effect until the next logon.
Manually Refresh Group Policy
When you troubleshoot Group Policy processing, you might need to initiate a Group Policy refresh
manually so that you do not have to wait for the next background refresh. You can use the GPUpdate
command to initiate a Group Policy refresh. Used on its own, this command triggers processing identical
to a background Group Policy refresh. Both computer policy and user policy refresh. Use the
/target:computer or /target:user parameter to limit the refresh to computer or user settings,
respectively. During background refresh, by default, settings apply only if the GPO has been updated. The
/force switch causes the system to reapply all settings in all GPOs scoped to the user or computer. Some

policy settings require a logoff or restart before they actually take effect. The /logoff and /boot switches
of GPUpdate cause a logoff or restart, respectively. You can use these switches when you apply settings
that require a logoff or restart.
For example, the command that will cause a total refresh application, and restart and logon to apply
updated policy settings, if necessary, is:
gpupdate /force /logoff /boot
Most Client-Side Extensions Do Not Reapply Settings If the GPO Has Not Changed
Remember that most client-side extensions apply settings in a GPO only if the GPO version has changed.
This means that if a user can change a setting that was specified originally by Group Policy, the setting will
not be brought back into compliance with the settings that the GPO specifies until the GPO changes.
Fortunately, a non-privileged user cannot change most policy settings. However, if a user is an
administrator of his or her computer, or if the policy setting affects a part of the registry or of the system
that the user has permissions to change, this could create a conflict.
You have the option of instructing each CSE to reapply the settings of GPOs, even if the GPOs have not
been changed. You can configure the processing behavior of each CSE in the policy settings that are
found in Computer Configuration\Administrative Templates\System\Group Policy.
Considerations For Managing Group Policy In A Multi-Domain
Environment
Managing Group Policy in a multi-domain environment brings more complexity for administrators and
requires more planning to ensure seamless operations. Some of the common challenges faced by Group
Policy administrators in a multi-domain environment are:
Ensuring that a GPO in one domain matches the same GPO in another domain.
Deploying new GPOs to multiple domains.
Migrating GPOs in case of a consolidation or a merger/acquisition.
Ensuring that a GPO meant for one domain is not linked to a site that contains domain controllers for
other domains.
Same Policy, Multiple Domains
There are a couple of familiar cases where administrators want the same GPO in different domains. One
such scenario is when a test AD DS environment must match a production AD DS environment for user
acceptance testing or for compliance. Another scenario is when a company has multiple domains and
needs to deploy common settings to all enterprise computers. In both of these cases, the following
considerations are important.
A domain trust simplifies the ongoing administration of maintaining the same GPOs in a multi-
domain environment by allowing for easy copy operations from the GPMC or Windows PowerShell. In
addition, restore operations are also seamless across domains.
As mentioned previously in this module, a migration table can be used to update UNC paths and
security principals. For example, if a GPO references a specific file server, the UNC path can update on

the fly to reference a different file server in the other domain. If a security principal is referenced in
one domain, it can be updated to the other domain.
Migrating GPOs
Migrating GPOs is the process of taking GPOs in one domain and moving them to another domain. This is
a common task in a merger or acquisition scenario, or when a company is migrating internally to a new
AD DS environment. The same methods used to deploy new GPOs across multiple domains apply here:
implement a domain trust, and then use migration tables. The GPMC or Windows PowerShell can handle
the operational aspects of the migration, such as copy, backup and restore, or import settings. To import a
GPO named GPO2 from the current domain, adatum.com, to the target domain of contoso.com, you
could use the following Windows PowerShell command:
Import-GPO -BackupGpoName GPO2 -TargetName GPO2 -Path C:\temp\GPO\backups -Domain contoso.com
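The same migration carried through in Windows PowerShell with a backup, a migration table and a post-import check, as an added example that is not part of the course: the backup directory, the migration table file (built in the GPMC Migration Table Editor) and the assumption that file server names differ between the two domains are mine. On Import-GPO, -Domain names the domain that receives the GPO.

```powershell
# Added example (not from the course). Assumptions: backup path, a migration table built
# in the GPMC Migration Table Editor, and that contoso.com file servers have names
# that differ from the adatum.com ones (so a leftover adatum server is a mapping gap).
Import-Module GroupPolicy

$backupPath = 'C:\temp\GPO\backups'
$migTable   = 'C:\temp\GPO\adatum-to-contoso.migtable'   # assumption
$sourceDom  = 'adatum.com'
$targetDom  = 'contoso.com'

# 1. Back up the GPO from the source domain. Backup-GPO returns the backup's Id.
$backup = Backup-GPO -Name 'GPO2' -Domain $sourceDom -Path $backupPath `
                     -Comment "Migration to $targetDom"

# 2. Import into the target domain. The migration table rewrites UNC paths and security
#    principals; -CreateIfNeeded creates the target GPO if it does not exist yet.
$imported = Import-GPO -BackupId $backup.Id -Path $backupPath -Domain $targetDom `
                       -TargetName 'GPO2' -MigrationTable $migTable -CreateIfNeeded

# 3. Verify the rewrite: pull the XML settings report from both copies and list the
#    server names referenced in UNC paths. Any source server still present in the
#    target copy needs a migration table entry.
function Get-GpoUncServers {
    param([string] $Name, [string] $Domain)
    $xml = Get-GPOReport -Name $Name -Domain $Domain -ReportType Xml
    [regex]::Matches($xml, '\\\\([^\\\s"<]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
        Sort-Object -Unique
}

$sourceServers = Get-GpoUncServers -Name 'GPO2' -Domain $sourceDom
$targetServers = Get-GpoUncServers -Name 'GPO2' -Domain $targetDom
$leftover = $targetServers | Where-Object { $_ -in $sourceServers }

if ($leftover) {
    Write-Warning "Target GPO still references source servers: $($leftover -join ', ')"
} else {
    "Imported '$($imported.DisplayName)' into $targetDom; no source UNC servers remain."
}
```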
Lesson 4
Troubleshooting the Application of GPOs
With the interaction of multiple settings in multiple GPOs scoped by using a variety of methods, Group
Policy application can be complex to analyze and understand. Therefore, you must be equipped to
evaluate and troubleshoot your Group Policy implementation effectively, identify potential problems
before they arise, and solve unforeseen challenges. Windows Server provides tools that are indispensable
for supporting Group Policy. In this lesson, you will explore the use of these tools in both proactive and
reactive troubleshooting and support scenarios.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to refresh GPOs on a client computer.
Analyze the set of GPOs and policy settings that have been applied to a user or computer.
Generate RSoP reports to help in the analysis of GPO settings.
Proactively model the impact of Group Policy or Active Directory changes on the RSoP.
Locate the event logs that contain Group Policy-related events.
Refreshing GPOs
Computer configuration settings apply at startup, and then they are refreshed at regular intervals. Any
startup scripts run at computer startup. The default refresh interval is every 90 minutes, but this is
configurable. The exception to the set interval is domain controllers, which have their settings refreshed
every 5 minutes.
User settings apply at logon and refresh at regular, configurable intervals. The default refresh interval for
user settings is also 90 minutes. Any logon scripts run at logon.
Note: A number of user settings require two
logons before a user sees the effect of a GPO. This is because users who log on to the same
computer use cached credentials to speed up logons. This means that, although the policy
settings are being delivered to the computer, the user is already logged on and the settings will
therefore not take effect until the next logon. The Folder Redirection setting is an example of this.
You can change the refresh interval by configuring a Group Policy setting. For computer settings, the
refresh interval setting is found in the Computer Configuration\Policies\Administrative
Templates\System\Group Policy node. For user settings, the refresh interval is found at the
corresponding settings under User Configuration. An exception to the refresh interval is security settings.
The security settings section of the Group Policy will refresh at least every 16 hours, regardless of the
interval that you set for the refresh interval.

You can also refresh Group Policy manually. The command-line utility Gpupdate refreshes and delivers
any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy
settings. There is also a new Windows PowerShell Invoke-GPUpdate cmdlet, which performs the same
function.
A new feature available in Windows Server 2012 and in Windows 8 is Remote Policy Refresh. This feature
allows administrators to use the GPMC to target an OU and force a Group Policy refresh on all of its
computers and their currently logged-on users. To do this, you right-click any OU, and then click Group
Policy Update. The update occurs within 10 minutes.
Note: Sometimes, the failure of a GPO to apply is a result of problems with the underlying
technology that is responsible for replicating both AD DS and SYSVOL. In Windows Server 2012,
you can view the replication status by using Group Policy Management, selecting the Domain
node, clicking the Status tab, and then clicking Detect Now.
What is RSoP?
Group Policy inheritance, filters, and exceptions are complex, and it is often difficult to determine which
policy settings will apply.
RSoP is the net effect of GPOs that are applied to a user or computer, taking into account GPO links,
exceptions, such as Enforced and Block Inheritance, and application of security and WMI filters. RSoP is
also a collection of tools that help you evaluate, model, and troubleshoot the application of Group Policy
settings. RSoP can query a local or remote computer, and then report on the exact settings that were
applied to the computer and to any user who has logged on to the computer. RSoP also can model the
policy settings that are anticipated to be applied to a user or computer under a variety of scenarios,
including moving an object between OUs or sites, or changing an object's group membership. With these
capabilities, RSoP can help you manage and troubleshoot conflicting policies.
Windows Server 2012 provides the following tools for performing RSoP analysis:
The Group Policy Results Wizard
The Group Policy Modeling Wizard
GPResult.exe

Generate RSoP Reports
To help you analyze the cumulative effect of GPOs and policy settings on a user or computer in your
organization, the GPMC includes the Group Policy Results Wizard. If you want to understand exactly which
policy settings have applied to a user or a computer and why, the Group Policy Results Wizard is the tool
to use.
Generate RSoP Reports with the Group Policy Results Wizard
The Group Policy Results Wizard can reach into the WMI provider on a local or remote computer that runs
Windows Vista or a newer version of the Windows operating system. The WMI provider can report
everything there is to know about the way Group Policy was applied to the system. The WMI provider
knows when processing occurred, which GPOs were applied, which GPOs were not applied and why, errors
that were encountered, and the exact policy settings that took precedence and their source GPO.
The requirements for running the Group Policy Results Wizard are:
The target computer must be online.
You must have administrative credentials on the target computer.
The target computer must be running the Windows XP operating system or a newer version.
You must be able to access WMI on the target computer. This means the computer must be online,
connected to the network, and accessible through ports 135 and 445.
Note: Performing RSoP analysis by using the Group Policy Results Wizard is just one
example of remote administration. To perform remote administration, you might need to
configure inbound rules for the firewall that your clients and servers use.
The WMI service must be started on the target computer.
If you want to analyze RSoP for a user, that user must have logged on at least once to the computer,
although it is not necessary for the user to be logged on currently.
After you have ensured that the requirements are met, you are ready to run an RSoP analysis.
To run an RSoP report, right-click Group Policy Results in the GPMC console tree, and then click Group
Policy Results Wizard. The wizard prompts you to select a computer. It then connects to the WMI
provider on that computer, and provides a list of users that have logged on to it. You then can select one
of the users, or you can skip RSoP analysis for user configuration policies.
The wizard produces a detailed RSoP report in a dynamic HTML format. If Internet Explorer Enhanced
Security Configuration is set, you will be prompted to allow the console to display the dynamic content.
You can expand or collapse each section of the report by clicking the Show or Hide link, or by double-
clicking the heading of the section.

The report is displayed on three tabs:
Summary. The Summary tab displays the status of Group Policy processing at the last refresh. You
can identify information that was collected about the system, the GPOs that were applied and denied,
security group membership that might have affected GPOs that were filtered with security groups,
WMI filters that were analyzed, and the status of client-side extensions.
Settings. The Settings tab displays the RSoP settings that applied to the computer or user. This tab
shows you exactly what has happened to the user through the effects of your Group Policy
implementation. You can learn a tremendous amount of information from the Settings tab, although
some data is not reported, including IPsec, wireless, and disk-quota policy settings.
Policy Events. The Policy Events tab displays Group Policy events from the event logs of the target
computer.
After you generate an RSoP report with the Group Policy Results Wizard, you can right-click the report to
rerun the query, print the report, or save the report as either an XML file or an HTML file that maintains
the dynamic expanding and collapsing sections. You can open both file types with Internet Explorer, so
the RSoP report is portable outside the GPMC.
If you right-click the node of the report itself, under the Group Policy Results folder in the console tree,
you can switch to Advanced View. In the Advanced View, RSoP is displayed by using the RSoP snap-in,
which exposes all applied settings, including IPsec, wireless, and disk quota policies.
Generate RSoP Reports with GPResult.exe
The GPResult.exe command is the command-line version of the Group Policy Results Wizard. GPResult
taps into the same WMI provider as the wizard, produces the same information and, in fact, enables you
to create the same graphical reports. GPResult runs on Windows XP and newer.
When you run the GPResult command, you are likely to use the following options:
/s computername
This option specifies the name or IP address of a remote system. If you use a dot (.) as the computer
name, or do not include the /s option, the RSoP analysis is performed on the local computer.
/scope [user | computer]
This displays RSoP analysis for user or computer settings. If you omit the /scope option, RSoP analysis
includes both user and computer settings.
/user username
This specifies the name of the user for which you want to display RSoP data.
/r
This option displays a summary of RSoP data.
/v
This option displays verbose RSoP data, which presents the most meaningful information.
/z
This displays super verbose data, including the details of all policy settings that are applied to the system.
Often, this is more information than you will require for typical Group Policy troubleshooting.
/u domain\user /p password
This provides credentials that are in the Administrators group of a remote system. Without these
credentials, GPResult runs by using the credentials with which you are logged on.
[/x | /h] filename
This option saves the reports in the XML or HTML format. These options are available in Windows Vista
Service Pack 1 and newer, and Windows Server 2008 and newer.
Troubleshoot Group Policy with the Group Policy Results Wizard or GPResult.exe
As an administrator, you will likely encounter scenarios that require Group Policy troubleshooting. You
might need to diagnose and solve problems that could include the following:
GPOs are not applying at all.
The RSoP for a computer or user is not what was expected.
The Group Policy Results Wizard and GPResult.exe often will provide the most valuable insight into
Group Policy processing and application problems. Remember that these tools examine the WMI RSoP
provider to report exactly what happened on a system. Examining the RSoP report will often point you to
GPOs that are scoped incorrectly or policy processing errors that prevented the application of GPO
settings.
Demonstration: Performing What-If Analysis with the Group Policy
Modeling Wizard
If you move a computer or user between sites, domains, or OUs, or if you change its security group
membership, the GPOs that are scoped to that user or computer will change. Therefore, the RSoP for the
computer or user will be different. The RSoP will also change if slow link or loopback processing occurs, or
if there is a change to a system characteristic that a WMI filter targets.
Before you make any of these changes, you should evaluate the potential impact on the RSoP for the user
or computer. The Group Policy Results Wizard can perform RSoP analysis only on what has
actually happened. To predict the future, and to perform what-if analyses, you can use the Group Policy
Modeling Wizard. To perform Group Policy Modeling, right-click the Group Policy Modeling node in the
GPMC console tree, click Group Policy Modeling Wizard, and then perform the steps in the wizard.
Modeling is performed by conducting a simulation on a domain controller, so you are first asked to select
a domain controller. You do not need to be logged on locally to the domain controller, but the modeling
request will be performed on the domain controller. You then are asked to specify the settings for the
simulation by:
Selecting a user or computer object to evaluate, or specifying the OU, site, or domain to evaluate.
Choosing whether slow link processing should be simulated.
Specifying to simulate loopback processing and, if so, choosing Replace or Merge mode.
Selecting a site to simulate.
Selecting security groups for the user and for the computer.
Choosing which WMI filters to apply in the simulation of user and computer policy processing.
When you have specified the simulation's settings, a report is produced that is very similar to the Group
Policy Results report discussed earlier. The Summary tab shows an overview of which GPOs will process,
and the Settings tab details the policy settings that will apply to the user or computer. This report, too,
can be saved by right-clicking it, and then choosing Save Report.
Demonstration
This demonstration shows how to:
Run GPResult.exe from the command prompt.
Run GPResult.exe from the command prompt, and then output the results to an HTML file.
Open the GPMC.
Run the Group Policy Reporting Wizard, and then view the results.
Run the Group Policy Modeling Wizard, and then view the results.
Demonstration Steps
Use GPResult.exe to create a report
1. On LON-DC1, open a Windows PowerShell Command Prompt window.
2. Run the following commands:
Gpresult /r
Gpresult /h results.html
3. Open the results.html report in Internet Explorer, and then review the report.
Use the Group Policy Reporting Wizard to create a report
1. Close the Windows PowerShell window, and then open the Group Policy Management Console.
2. From the Group Policy Results node, launch the Group Policy Results Wizard.
3. Complete the wizard by using the defaults.
4. Review the report, and then save the report to the desktop.
Use the Group Policy Modeling Wizard to create a report
1. From the Group Policy Modeling node, launch the Group Policy Modeling Wizard.
2. Specify the user for the report as Ed Meadows and the computer container as the IT OU.
3. Complete the wizard by using the defaults, and then review the report.
4. Close the Group Policy Management Console.
Examine Policy Event Logs
Windows Vista introduced ways to improve your ability to troubleshoot Group Policy, not only with RSoP
tools, but also with improved logging of Group Policy events, including the:
System log, which reports high-level information about Group Policy, including errors created by the
Group Policy Client when it cannot connect to a domain controller or locate GPOs.
Application log, which captures events that are recorded by client-side extensions.
Group Policy Operational log, which provides detailed information about Group Policy processing.
To find Group Policy logs, open the Event Viewer. The System and Application logs are in the Windows
Logs node. The Group Policy Operational Log is in Applications And Services
Logs\Microsoft\Windows\GroupPolicy\Operational.
Additional Logging for Windows Server 2012 R2 and Windows 8.1
Additional information is available in the Group Policy Operational log beginning with Windows
Server 2012 R2 and Windows 8.1. The following new event IDs are some examples of the additional
logging:
Event ID 4257. This event logs the start of the policy download on a computer.
Event ID 4126. This event marks the time when a computer receives applicable policies.
Event ID 5257. This event marks the completion of the policy download.
In addition, WMI processing information has been enhanced and new information is available in the logs,
which can be helpful for troubleshooting WMI-related Group Policy issues.
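The following script is an added example and is not part of the course materials. It reads the Group Policy Operational log named above and reconstructs the most recent policy processing cycle, which is what Exercise 3, Task 4 of the lab asks you to locate by hand after a gpupdate /force. It assumes an elevated PowerShell session on the client (LON-CL1 in the lab), and it relies on the documented numbering convention of this log, which the IDs 4257 and 5257 above follow: 4xxx events mark the start of an operation, 5xxx success or informational events, 6xxx warnings and 7xxx errors. The System log check uses the Microsoft-Windows-GroupPolicy provider, which is where the Group Policy Client writes the high-level errors described above.

```powershell
# Added example (not course material): trace the latest Group Policy processing cycle on this
# computer and list Group Policy Client errors from the System log. Run elevated on the client.
# Event ID bands (documented convention of this log): 4xxx start, 5xxx success/informational,
# 6xxx warning, 7xxx error.
function Get-GpoRefreshTrace {
    param(
        [datetime]$Since   = (Get-Date).AddHours(-1),
        [string]  $LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction Stop |
        Sort-Object TimeCreated

    # Every event written during one processing cycle shares an ActivityId, so grouping on it
    # separates the gpupdate /force you triggered from the background refreshes around it.
    $cycles = $events | Where-Object { $_.ActivityId } | Group-Object ActivityId
    if (-not $cycles) { throw "No Group Policy processing cycle found since $Since" }
    $latest = $cycles | Sort-Object { $_.Group[0].TimeCreated } | Select-Object -Last 1

    foreach ($e in $latest.Group) {
        $band  = [int][math]::Floor($e.Id / 1000)
        $phase = switch ($band) { 4 { 'start' } 5 { 'success' } 6 { 'WARNING' } 7 { 'ERROR' } default { 'info' } }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            Phase      = $phase
            ActivityId = $e.ActivityId
            Message    = ($e.Message -split "`r?`n")[0]   # first line of the event text only
        }
    }
}

# High-level failures (the client cannot reach a domain controller, cannot read a GPO) are written
# to the System log by the Microsoft-Windows-GroupPolicy provider; Level 2 is Error.
function Get-GpoClientErrors {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
                                     Level = 2; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run right after 'gpupdate /force'. A healthy cycle ends in 5xxx events with no 6xxx/7xxx rows.
Get-GpoRefreshTrace | Format-Table -AutoSize
Get-GpoClientErrors | Format-Table -AutoSize
```

Grouping on ActivityId is the part worth remembering: the Operational log interleaves computer and user processing and several refreshes, and the Event Viewer filter by ID alone does not tell you which start event belongs to which completion event.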

Lab: Implementing a Group Policy Infrastructure
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London,
England. An IT office and a data center are located in London to support the London office and other
locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.
You have been asked to use Group Policy to implement standardized security settings to lock computer
screens when users leave computers unattended for 10 minutes or more. You also have to configure a
policy setting that will prevent access to certain programs on local workstations.
After some time, you have been made aware that a critical application fails when the screen saver starts,
and an engineer has asked you to prevent the setting from applying to the team of Research engineers
that uses the application every day. You also have been asked to configure conference room computers to
use a 45-minute timeout.
After creating the policies, you need to evaluate the RSoPs for users in your environment to ensure that
the Group Policy infrastructure is optimal and that all policies apply as intended.
Objectives
After completing this lab, you will be able to:
Create and configure GPOs.
Manage Group Policy scope.
Troubleshoot Group Policy application.
Manage GPOs.
Lab Setup
Estimated Time: 90 minutes
Virtual machines: 20411D-LON-DC1, 20411D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, click Administrative Tools, and then double-click Hyper-V
Manager.
2. In Hyper-V Manager, click 20411D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Adatum
5. Repeat steps 2 and 3 for 20411D-LON-CL1. Do not sign in to LON-CL1 until directed to do so.
Exercise 1: Creating and Configuring GPOs
Scenario
You have been asked to use Group Policy to implement standardized security settings to lock computer
screens when users leave computers unattended for 10 minutes or more. You also have to configure a
policy setting that will prevent users from running the Notepad application on local workstations.
The main tasks for this exercise are as follows:
1. Create and Edit a GPO
2. Link the GPO
3. View the Effects of the GPO's Settings
Task 1: Create and Edit a GPO
1. On LON-DC1, from Server Manager, open the Group Policy Management Console.
2. Create a GPO named ADATUM Standards in the Group Policy Objects container.
3. Edit the ADATUM Standards policy, and then navigate to User Configuration\Policies,
Administrative Templates\System.
4. Prevent users from running Notepad.exe by configuring the Don't run specified Windows
applications policy setting.
5. Navigate to the User Configuration\Policies\Administrative Templates\Control
Panel\Personalization folder, and then configure the Screen saver timeout policy to 600 seconds.
6. Enable the Password protect the screen saver policy setting, and then close the Group Policy
Management Editor window.
Task 2: Link the GPO
Link the ADATUM Standards GPO to the Adatum.com domain.
Task 3: View the Effects of the GPO's Settings
1. Sign in to LON-CL1 as Adatum\Pat with the password Pa$$w0rd.
2. Attempt to change the screen saver wait time and resume settings. You are prevented from doing this
by Group Policy.
3. Attempt to run Notepad. You are prevented from doing this by Group Policy.

Results: After this exercise, you should have created, edited, and linked the required GPOs.
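As an added example that is not part of the lab, the same exercise can be scripted with the GroupPolicy module, which is useful when the baseline must be rebuilt in more than one environment. It assumes the script runs on LON-DC1 as Adatum\Administrator with the GPMC installed and that the domain is DC=Adatum,DC=com. The registry paths are the ones that the three Administrative Template settings named in Task 1 write, so the GPMC still displays them as those settings; the "Enable screen saver" value is an addition that the lab steps do not include.

```powershell
# Added example (not course material): Exercise 1 with the GroupPolicy module instead of the GPMC.
# Assumes LON-DC1, Adatum\Administrator, domain DC=Adatum,DC=com.
Import-Module GroupPolicy

function New-StandardsGpo {
    param(
        [string]   $Name           = 'ADATUM Standards',
        [string]   $LinkTarget     = 'DC=Adatum,DC=com',
        [int]      $TimeoutSeconds = 600,               # 10 minutes, as the scenario requires
        [string[]] $BlockedApps    = @('notepad.exe')
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Baseline: lock idle screens, block listed applications'
    }

    # User Configuration\Policies\Administrative Templates\Control Panel\Personalization
    $desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    Set-GPRegistryValue -Name $Name -Key $desktop -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$TimeoutSeconds" | Out-Null
    Set-GPRegistryValue -Name $Name -Key $desktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null
    # Not in the lab steps: "Enable screen saver". Without it a user can still select "(None)" as the
    # screen saver and the timeout never fires, so a real baseline should include it.
    Set-GPRegistryValue -Name $Name -Key $desktop -ValueName 'ScreenSaveActive'    -Type String -Value '1' | Out-Null

    # User Configuration\Policies\Administrative Templates\System: "Don't run specified Windows applications".
    # This is an Explorer shell block on the image name only (the setting's own description says so);
    # it is not a substitute for application control.
    $explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Set-GPRegistryValue -Name $Name -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
    $index = 1
    foreach ($app in $BlockedApps) {
        Set-GPRegistryValue -Name $Name -Key "$explorer\DisallowRun" -ValueName "$index" -Type String -Value $app | Out-Null
        $index++
    }

    # Task 2: link to the domain, but only once, so re-running the script cannot create duplicate links.
    $existing = (Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $existing) { New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null }

    # Settings report, the equivalent of the GPMC Settings tab, for review before users sign in.
    Get-GPOReport -Name $Name -ReportType Html -Path "$env:USERPROFILE\Desktop\$Name.html"
    Get-GPO -Name $Name
}

New-StandardsGpo
```

Task 3 is unchanged: sign in to LON-CL1 as Adatum\Pat, run gpupdate /force if you do not want to wait for the refresh interval, and confirm that the screen saver settings are locked and Notepad is blocked.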
Exercise 2: Managing GPO Scope
Scenario
After some time, you have been made aware that a critical application that the Research Engineering
team uses is failing when the screen saver starts. You have been asked to prevent the GPO setting from
applying to any member of the Engineering security group. You also have been asked to configure
conference room computers to be exempt from corporate policy. However, they always must have a 45-
minute screen saver timeout applied.
The main tasks for this exercise are as follows:
1. Create and Link the Required GPOs
2. Verify the Order of Precedence
3. Configure the Scope of a GPO with Security Filtering
4. Configure Loopback Processing
Task 1: Create and Link the Required GPOs
1. On LON-DC1, open Active Directory Users and Computers and in the Research OU, create a sub-OU
named Engineers, and then close Active Directory Users and Computers.
2. In the Group Policy Management Console, create a new GPO linked to the Engineers OU named
Engineering Application Override.
3. Configure the Screen saver timeout policy setting to be Disabled, and then close the Group Policy
Management Editor.
Task 2: Verify the Order of Precedence
In the Group Policy Management Console, select the Engineers OU, and then click the Group Policy
Inheritance tab. Notice that the Engineering Application Override GPO has precedence over the
ADATUM Standards GPO. The screen saver timeout policy setting you just configured in the
Engineering Application Override GPO will apply after the setting in the ADATUM Standards GPO.
Therefore, the new setting will overwrite the standards setting, and will win. Screen saver timeout will
be disabled for users within the scope of the Engineering Application Override GPO.
Task 3: Configure the Scope of a GPO with Security Filtering
1. On LON-DC1, open Active Directory Users and Computers. In the Research\Engineers OU, create
a global security group named GPO_Engineering Application Override_Apply.
2. In the Group Policy Management Console, select the Engineering Application Override GPO.
Notice that, in the Security Filtering section, the GPO applies by default to all authenticated users.
Configure the GPO to apply only to the GPO_Engineering Application Override_Apply group.
3. In the Users folder, create a global security group named GPO_ADATUM Standards_Exempt.
4. In the Group Policy Management Console, select the ADATUM Standards GPO. Notice that in the
Security Filtering section, the GPO applies by default to all authenticated users.
5. Configure the GPO delegation to deny Apply Group Policy permission to the GPO_ADATUM
Standards_Exempt group.
Task 4: Configure Loopback Processing
1. On LON-DC1, switch to Active Directory Users and Computers.
2. Create a new OU named Kiosks.
3. Under Kiosks, create a sub-OU named Conference Rooms.
4. Switch to the Group Policy Management Console.
5. Create a new GPO named Conference Room Policies, and then link it to the Kiosks\Conference
Rooms OU.
6. Confirm that the Conference Room Policies GPO is scoped to Authenticated Users.
7. Edit the Conference Room Policies GPO, and then modify the Screen Saver timeout policy to
launch the screen saver after 45 minutes.
8. Modify the Configure user Group Policy loopback processing mode policy setting to use Merge
mode.

Results: After this exercise, you should have configured the required scope of the GPOs.
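The scope changes in this exercise can also be made and, more importantly, audited from PowerShell. The script below is an added example, not part of the lab, and assumes LON-DC1, Adatum\Administrator, a domain of DC=Adatum,DC=com, and that the OUs and groups named in the tasks already exist. The loopback value is the one that the "Configure user Group Policy loopback processing mode" setting writes (1 is Merge, 2 is Replace). The deny on the exemption group from Task 3, step 5 is still done on the GPMC Delegation tab; the audit function shows it.

```powershell
# Added example (not course material): Exercise 2 with the GroupPolicy module.
Import-Module GroupPolicy

# Task 3: restrict a GPO to one apply group. The default Authenticated Users entry is reduced to
# Read rather than removed: on patched systems the computer reads user GPOs under Authenticated
# Users, so removing Read entirely makes the GPO silently stop applying.
function Set-GpoApplyGroup {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$ApplyGroup)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Audit: who can actually apply a GPO? This is the Security Filtering section as a list, with the
# Deny entries (such as an exemption group added on the Delegation tab) shown explicitly.
function Get-GpoApplyScope {
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{ GPO = $GpoName; Trustee = $_.Trustee.Name; Type = $_.Trustee.SidType; Denied = $_.Denied }
        }
}

# Task 2: precedence for an OU. InheritedGpoLinks is already in precedence order, highest first,
# which is the order the GPMC Group Policy Inheritance tab shows.
function Get-OuGpoPrecedence {
    param([Parameter(Mandatory)][string]$OuDn)
    $i = 0
    (Get-GPInheritance -Target $OuDn).InheritedGpoLinks | ForEach-Object {
        $i++
        [pscustomobject]@{ Precedence = $i; GPO = $_.DisplayName; Enforced = $_.Enforced; LinkedAt = $_.Target }
    }
}

# Task 4: conference room computers get a 45-minute timeout plus Merge-mode loopback, so the user
# settings in this computer-linked GPO apply to whoever signs in.
function Set-ConferenceRoomPolicy {
    param([string]$GpoName = 'Conference Room Policies',
          [string]$OuDn    = 'OU=Conference Rooms,OU=Kiosks,DC=Adatum,DC=com')
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
        -ValueName 'ScreenSaveTimeOut' -Type String -Value '2700' | Out-Null      # 45 minutes
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null                # 1 = Merge
    if (-not ((Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName })) {
        New-GPLink -Name $GpoName -Target $OuDn | Out-Null
    }
}

Set-GpoApplyGroup -GpoName 'Engineering Application Override' -ApplyGroup 'GPO_Engineering Application Override_Apply'
Get-GpoApplyScope -GpoName 'ADATUM Standards' | Format-Table -AutoSize
Get-OuGpoPrecedence -OuDn 'OU=Engineers,OU=Research,DC=Adatum,DC=com' | Format-Table -AutoSize
Set-ConferenceRoomPolicy
```

Get-GpoApplyScope is the piece to keep around after the lab: run it over every GPO (Get-GPO -All) and you have a single list of who can apply what, which is far easier to review than clicking through each GPO's Scope and Delegation tabs.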
Exercise 3: Verifying GPO Application
Scenario
After creating the required policies, you need to evaluate the RSoPs for the users in your environment to
ensure that the Group Policy infrastructure is healthy, and that all policies apply as intended.
The main tasks for this exercise are as follows:
1. Perform RSoP Analysis
2. Analyze RSoP with GPResults
3. Evaluate GPO Results by Using the Group Policy Modeling Wizard
4. Review Policy Events and Determine GPO Infrastructure Status
Task 1: Perform RSoP Analysis
1. On LON-CL1, verify that you are still signed in as Adatum\Pat. If necessary, provide the password of
Pa$$w0rd.
2. At an elevated command prompt, sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Run the gpupdate /force command. After the command has completed, make a note of the current
system time, which you will need to know for a task later in this lab:
Time:
4. Restart LON-CL1, and then wait for it to restart before proceeding with the next task.
5. On LON-DC1, switch to the Group Policy Management Console.
6. Use the Group Policy Results Wizard to run an RSoP report for Pat on LON-CL1.
7. Review Group Policy Summary results. Identify the time of the last policy refresh and the list of
allowed and denied GPOs for both user and computer configuration. Identify the components that
were used to process policy settings.
8. Click the Details tab. Review the settings that applied during user and computer policy application,
and then identify the GPO from which the settings were obtained.
9. Click the Policy Events tab, and then locate the event that logs the policy refresh that you triggered
with the GPUpdate command at the beginning of the task.
10. Click the Summary tab, right-click the page, and then choose Save Report. Save the report as an
HTML file to your desktop, and then open the RSoP report.
Task 2: Analyze RSoP with GPResults
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. At a command prompt, run the gpresult /r command. RSoP summary results are displayed. The
information is very similar to the Summary tab of the RSoP report that was produced by the Group
Policy Results Wizard.
3. Type gpresult /v, and then press Enter. A more detailed RSoP report is produced. Notice that many
of the Group Policy settings that were applied by the client are listed in this report.
4. Type gpresult /z, and then press Enter. The most detailed RSoP report is produced.
5. Type gpresult /h:"%userprofile%\Desktop\RSOP.html", and then press Enter. An RSoP report is
saved as an HTML file to your desktop.
6. Open the saved RSoP report from your desktop. Compare the report, its information, and its
formatting with the RSoP report that you saved in the previous task.
Task 3: Evaluate GPO Results by Using the Group Policy Modeling Wizard
1. Switch to LON-DC1.
2. Start the Group Policy Modeling Wizard.
3. Select Adatum\Mike as the user, and LON-CL1 as the computer for modeling.
4. When prompted, select the Loopback Processing check box, and then click Merge. Even though the
Conference Room Policies GPO specifies loopback processing, you must instruct the Group Policy
Modeling Wizard to consider loopback processing in its simulation.
5. When prompted, on the Alternate Active Directory Paths page, choose the Kiosks\Conference
Rooms location. You are simulating the effect of LON-CL1 as a conference room computer.
6. Accept all other options as defaults.
7. On the Details tab, scroll to and expand, if necessary, User Details, Group Policy Objects, and
Applied GPOs.
8. Check whether the Conference Room Policies GPO applies to Mike as a User policy when he logs on
to LON-CL1 if LON-CL1 is in the Conference Rooms OU.
9. Scroll to and expand, if necessary, User Details, Policies, Administrative Templates, and Control
Panel/Personalization.
10. Confirm that the screen saver timeout is 2,700 seconds (45 minutes), the setting configured by the
Conference Room Policies GPO that overrides the 10-minute standard configured by the ADATUM
Standards GPO.
Task 4: Review Policy Events and Determine GPO Infrastructure Status
1. On LON-CL1, you are signed in as Adatum\Administrator.
2. Open Control Panel, and then browse to the Event Viewer.
3. Locate and review Group Policy events in the System log.
4. Locate and review Group Policy events in the Application log. Review the events and identify the
Group Policy events that have been entered in this log. Which events are related to Group Policy
application and which are related to the activities you have been performing to manage Group
Policy? Note that depending on how long the virtual machine has been running, you might not have
any Group Policy events in the application log.
5. Browse to the Group Policy Operational log and locate the first event related to the Group Policy
refresh you initiated in Exercise 1: Creating and Configuring GPOs, with the GPUpdate command.
Review that event and the events that followed it.

Results: After this exercise, you should have used RSoP tools to verify the correct application of your
GPOs.
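RSoP reports tell you which GPOs the client processed; the final check is whether the registry values those GPOs write are actually present for the signed-in user. The script below is an added example that is not part of the lab. It runs in the user's own session on LON-CL1 after gpupdate /force and reads the policy keys that the screen saver settings and the loopback setting write: Pat should see 600 seconds, a user on a Conference Rooms computer 2,700 seconds with loopback in Merge mode, and a member of the Engineers OU no timeout value at all, because a Disabled Administrative Template setting removes the value rather than writing one.

```powershell
# Added example (not course material): read back the applied screen-lock policy on the client
# and compare it with what the lab scenario expects for this user and computer.
function Get-AppliedScreenLockPolicy {
    $desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $system  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $props   = if (Test-Path $desktop) { Get-ItemProperty -Path $desktop } else { $null }
    $mode    = if (Test-Path $system)  { (Get-ItemProperty -Path $system).UserPolicyMode } else { $null }

    # An absent value means the setting is Not Configured or Disabled for this user.
    $timeout  = if ($props.ScreenSaveTimeOut) { [int]$props.ScreenSaveTimeOut } else { $null }
    $loopback = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'None' } }

    [pscustomobject]@{
        User             = "$env:USERDOMAIN\$env:USERNAME"
        Computer         = $env:COMPUTERNAME
        TimeoutSeconds   = $timeout
        PasswordRequired = ($props.ScreenSaverIsSecure -eq '1')
        LoopbackMode     = $loopback
    }
}

# Compare what the computer enforces with what the scenario says it should enforce.
function Test-ScreenLockPolicy {
    param([Nullable[int]]$ExpectedTimeout = $null, [bool]$ExpectPassword = $true)
    $actual = Get-AppliedScreenLockPolicy
    $pass = ($actual.TimeoutSeconds -eq $ExpectedTimeout) -and ($actual.PasswordRequired -eq $ExpectPassword)
    [pscustomobject]@{
        User = $actual.User; Computer = $actual.Computer
        ExpectedTimeout = $ExpectedTimeout; ActualTimeout = $actual.TimeoutSeconds
        PasswordRequired = $actual.PasswordRequired; Loopback = $actual.LoopbackMode; Pass = $pass
    }
}

# Examples for the three populations in the lab:
Test-ScreenLockPolicy -ExpectedTimeout 600    # Pat: ADATUM Standards applies unchanged
Test-ScreenLockPolicy -ExpectedTimeout 2700   # any user on a Conference Rooms computer (loopback Merge)
Test-ScreenLockPolicy -ExpectedTimeout $null  # Engineers: timeout Disabled, password protection still on
```

When a test fails, the Operational log events for the same refresh (Task 4) and gpresult /r from Task 2 are the next places to look: the former shows whether the GPO was even retrieved, the latter whether it was denied by security filtering, a WMI filter, or an empty settings section.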
Exercise 4: Managing GPOs
Scenario
You must back up all critical GPOs. You use the Group Policy Management backup feature to back up the
ADATUM Standard GPO.
The main tasks for this exercise are as follows:
1. Perform a Backup of GPOs
2. Perform a Restore of GPOs
3. Troubleshooting GPOs
4. Preparing for the Next Module
Task 1: Perform a Backup of GPOs
1. Switch to LON-DC1, and in the Group Policy Management Console, in the navigation pane, click
Group Policy Objects.
2. Back up the ADATUM Standards GPO to C:\.
Task 2: Perform a Restore of GPOs
In the Group Policy Management Console, restore the previous backup of ADATUM Standards.
Task 3: Troubleshooting GPOs
1. Run the GPOTroubleshooting.ps1 Windows PowerShell script in the Allfiles directory
(E:\Labfiles\Mod04\).
2. Verify that the ADATUM Standards GPO is not applying to Pat.
3. Troubleshoot and resolve the problem.
Task 4: Preparing for the Next Module
When you have finished the lab, revert all virtual machines back to their initial state.

Results: After this exercise, you should have performed common management tasks on your GPOs.
Question: Which policy settings are already being deployed by using Group Policy in your
organization?
Question: Many organizations rely heavily on security group filtering to scope GPOs, rather than
linking GPOs to specific OUs. In these organizations, GPOs typically are linked very high in the
Active Directory logical structure, to the domain itself or to a first-level OU. What advantages do
you gain by using security group filtering rather than GPO links to manage a GPO's scope?
Question: Why might it be useful to create an exemption group (a group that is denied the
Apply Group Policy permission) for every GPO that you create?
Question: Do you use loopback policy processing in your organization? In which scenarios and
for which policy settings can loopback policy processing add value?
Question: In which situations have you used RSoP reports to troubleshoot Group Policy
application in your organization?
Question: In which situations have you used, or might you anticipate using, Group Policy
Modeling?
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common Issue: Group Policy settings are not applied to all users or computers in an OU where a GPO
is applied.
Troubleshooting Tip:
Common Issue: Group Policy settings sometimes need two restarts to apply.
Troubleshooting Tip:
Review Question(s)
Question: You have assigned a logon script to an OU via Group Policy. The script is in a
shared network folder named Scripts. Some users in the OU receive the script, whereas others
do not. What might be the possible causes?
Question: What GPO settings apply across slow links by default?
Question: You need to ensure that a domain-level policy is enforced, but the Managers
global group needs to be exempt from the policy. How would you accomplish this?
Tools
Tool: Group Policy reporting (RSoP)
Use for: Reporting information about the current policies being delivered to clients.
Where to find it: Group Policy Management Console.
Tool: GPResult
Use for: A command-line utility that displays RSoP information.
Where to find it: Command-line utility built into the Windows operating system.
Tool: GPUpdate
Use for: Refreshing local and AD DS-based Group Policy settings.
Where to find it: Command-line utility built into the Windows operating system.
Tool: Dcgpofix
Use for: Restoring the default Group Policy Objects to their original state after initial installation.
Where to find it: Command-line utility that shipped with Windows Server 2003.
Tool: GPOLogView
Use for: Exporting Group Policy-related events from the System and Operational logs into text, HTML, or
XML files. For use with Windows Vista, Windows 7, and newer versions.
Where to find it: Command-line utility available as a free download from the Microsoft Download Center.
Tool: Group Policy Management scripts
Use for: Sample scripts that perform a number of different troubleshooting and maintenance tasks.
Where to find it: Available as a free download from the Microsoft Download Center.

5-1
Module 5
Managing User Desktops with Group Policy
Contents:
Module Overview 5-1
Lesson 1: Implementing Administrative templates 5-2
Lesson 2: Configuring Folder Redirection and Scripts 5-8
Lesson 3: Configuring Group Policy Preferences 5-14
Lesson 4: Managing Software with Group Policy 5-19
Lab: Managing User Desktops with Group Policy 5-23
Module Review and Takeaways 5-29

Module Overview
Using Group Policy Objects (GPOs), you can implement desktop environments across your organization
by using Administrative templates, Folder Redirection, Group Policy preferences, and, where applicable,
software deployment to install and update application programs. It is important to know how to use
these various GPO features so that you can configure your users' computer settings properly.
Objectives
After completing this module, you will be able to:
Describe and implement Administrative templates.
Configure folder redirection and scripts by using GPOs.
Configure GPO preferences.
Manage software by using GPOs.
Lesson 1
Implementing Administrative templates
The Administrative Template files provide the majority of the available GPO settings. These GPO settings
modify specific registry keys, which is why Administrative templates are sometimes called registry-based
policies. For many applications, the simplest and best way to support centralized management of policy
settings is to use the registry-based policy that the Administrative Template files provide. In this lesson,
you will learn how to configure Administrative templates.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Group Policy Administrative templates.
Describe ADM and ADMX, or Administrative Template, files.
Describe the central store.
Describe example scenarios for using Administrative templates.
Explain how to configure settings with Administrative templates.
What Are Administrative templates?
You can use Administrative templates to control the environment of an operating system and the user
experience. There are two sets of Administrative templates: one for users and one for computers. You can
use some Administrative templates for both users and computers.
Using the Administrative template sections of the GPO, you can deploy thousands of modifications to the
registry. Administrative templates have the following characteristics:
They are organized into subfolders that deal with specific areas, such as network, system, and
components of the Windows operating system.
The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and the
settings in the user section edit the HKEY_CURRENT_USER hive in the registry.
Some Administrative Template settings exist for both user and computer. For example, there is a
setting to prevent Skype from running in both the user and the computer templates. In case of
conflicting settings, the computer setting prevails.
Some Administrative Template settings are available only to certain versions of the Windows
operating system. For example, you can apply a number of new settings only to the Windows 8
operating system and newer versions of the Windows operating system. Double-clicking the settings
displays the supported versions for that setting.
In GPOs, some Administrative Template settings leave their settings in place on computers after the
GPOs no longer apply to the computer. This is called tattooing. In such cases, you can manually adjust
the settings or the Administrative Template or you can leave the setting in place.

What Are ADM and ADMX Files?
ADM Files
ADM files are text files that define the user interface and policy settings that an administrator can
configure through Group Policy. Each successive Windows operating system and service pack has included
a newer version of ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.
ADM files are limited in certain ways. ADM files use their own markup language. Therefore, it is difficult
to customize ADM files. A major drawback of ADM files is that they are copied into every GPO that is
created, and consume about 3 megabytes (MB) of space. This can cause the System Volume (SYSVOL)
folder to become very large and increase replication traffic.
ADMX Files
The Windows Vista operating system and the Windows Server 2008 operating system introduced a new
format for displaying registry-based policy settings. You use a standards-based XML file format known as
ADMX files to define these settings. These new files replace ADM files.
Group Policy tools on Windows Server 2008 and Windows Vista and newer operating systems continue to
recognize the custom ADM files that you have in your existing environment, but ignore any ADM file that
ADMX files have superseded. Unlike ADM files, ADMX files are not stored in individual GPOs. The Group
Policy Editor automatically reads and displays settings from the local ADMX file store. By default, ADMX
files are stored in the Windows\PolicyDefinitions folder, but they can be stored in a central location.
ADMX files are language neutral. The plain-language descriptions of the settings are not part of the
ADMX files. They are stored in language-specific ADML files. This means that administrators who speak
different languages, such as English or Spanish, can use a language-specific ADML file to look at the same
GPO and see the policy descriptions in their own language. ADML files are stored in a subfolder of the
PolicyDefinitions folder. By default, only the ADML language files for the language of the installed
operating system are installed. You must install additional languages manually.
Migrate Classic Administrative templates to .ADMX
ADMX Migrator is a snap-in for the Microsoft Management Console (MMC) that simplifies the process of
converting your existing Group Policy ADM templates to the new ADMX format and provides a graphical
user interface for creating and editing Administrative templates. You can download the ADMX Migrator
from the Microsoft Download Center website.
Download the ADMX Migrator from the Microsoft Download Center website
http://go.microsoft.com/fwlink/?linkID=270013

The Central Store
For domain-based enterprises, you can create a central store location of ADMX files, which anyone with
permission to create or edit GPOs can access. The Group Policy Management Editor in Windows Vista or
newer operating systems and Windows Server 2008 or newer operating systems automatically reads and
displays Administrative Template policy settings from ADMX files that are stored in the central store, and
then ignores the ones stored locally. If a domain controller is not available, the local store is used.
Initially, you must create the central store, and then update it manually on a domain controller. The use
of ADMX files is dependent on the operating system of the computer where you are creating or editing
a GPO.
To create a central store for .admx and .adml files, create a folder that is named PolicyDefinitions in the
following location: \\FQDN\SYSVOL\FQDN\policies. For example, to create a central store for the
corp.contoso.com domain, create a PolicyDefinitions folder in the following location:
\\corp.contoso.com\SYSVOL\corp.contoso.com\Policies.
A user must copy all files and subfolders of the PolicyDefinitions folder. The Windows folder contains the
PolicyDefinitions folder on a computer that runs the Windows 7 operating system or newer versions of the
Windows operating system. The PolicyDefinitions folder stores all .admx files and .adml files for all
languages that are enabled on the client computer.
Note: You must update the PolicyDefinitions folder after each service pack and for other
additional software updates, such as Microsoft Office 2013 ADMX files.
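The creation step above is a one-time copy, but the note that follows it is the part that goes wrong in practice: the central store silently falls behind the local templates after a service pack or a product template download, and because the editor prefers the central store, the new settings never appear. The script below is an added example and is not part of the course. It assumes it runs as a domain administrator on the computer that holds the newest templates locally (LON-DC1 in the lab), takes the domain FQDN from the environment, and builds the share path in the \\FQDN\SYSVOL\FQDN\Policies form shown above.

```powershell
# Added example (not course material): create the ADMX central store and detect when it is stale.
function Get-GpoCentralStorePath {
    param([string]$DomainFqdn = $env:USERDNSDOMAIN)
    "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"
}

# One-time creation: copies every .admx file and every language subfolder of .adml files,
# which is the "all files and subfolders" requirement in the text.
function New-GpoCentralStore {
    param([string]$Source = "$env:SystemRoot\PolicyDefinitions", [string]$DomainFqdn = $env:USERDNSDOMAIN)
    $store = Get-GpoCentralStorePath -DomainFqdn $DomainFqdn
    if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }
    Copy-Item -Path (Join-Path $Source '*') -Destination $store -Recurse -Force
    $store
}

# Ongoing check: list templates that are missing from the store or older than the local copy.
# Run it after every service pack or template download; an empty result means the store is current.
function Compare-GpoCentralStore {
    param([string]$Source = "$env:SystemRoot\PolicyDefinitions", [string]$DomainFqdn = $env:USERDNSDOMAIN)
    $store = Get-GpoCentralStorePath -DomainFqdn $DomainFqdn
    if (-not (Test-Path $store)) { throw "Central store $store does not exist; run New-GpoCentralStore first" }
    $root = $Source.TrimEnd('\')
    Get-ChildItem -Path $Source -Recurse -Include '*.admx', '*.adml' | ForEach-Object {
        $relative = $_.FullName.Substring($root.Length + 1)      # e.g. en-US\ControlPanelDisplay.adml
        $remote   = Join-Path $store $relative
        $state = if (-not (Test-Path $remote)) { 'Missing' }
                 elseif ((Get-Item $remote).LastWriteTimeUtc -lt $_.LastWriteTimeUtc) { 'Stale' }
                 else { $null }
        if ($state) {
            [pscustomobject]@{ Template = $relative; State = $state; LocalModified = $_.LastWriteTimeUtc }
        }
    }
}

# Usage: create once, then compare whenever templates change; re-run New-GpoCentralStore to refresh.
Compare-GpoCentralStore | Format-Table -AutoSize
```

The comparison is deliberately one-directional: a file that exists only in the central store (for example a vendor template added there by hand) is not reported, because the store is allowed to carry templates that no single computer has locally.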


Discussion: Practical Uses of Administrative templates
Spend a few minutes examining the Administrative templates, and consider how you could employ some
of them in your organization. Be prepared to share information about your organization's current use of
GPOs and logon scripts, such as:
How do you currently provide desktop security?
How much administrative access do users have to their systems?
Which Group Policy settings will you find useful in your organization?


Demonstration: Configuring Settings with Administrative templates
Group Policy editing tools in Windows Server 2012 and newer operating systems provide several features
that make GPOs easier to configure and manage. In this demonstration, you will review these options.
Filter Policy Settings for Administrative templates
A disadvantage in the Group Policy editing tools in previous versions of the Windows operating system is
the inability to search for a specific policy setting. With thousands of policies to choose from, it can be
difficult to locate the exact setting that you want to configure. The Group Policy Management Editor in
Windows Server 2008 R2 and newer solves this problem for Administrative Template settings. You now
can create filters to help you search for specific policy settings.
To create a filter, follow these steps:
1. Open the Group Policy Management Editor
2. Right-click Administrative templates, and then click Filter Options.
3. To search for a specific policy, select the Enable keyword filters check box, enter the words to
include in the filter, and then select the fields in which you would like to search.
You can also filter for Group Policy settings that apply to specific versions of the Windows operating
system, Windows Internet Explorer, and other Windows components. Note that the filter only applies to
settings in the Administrative templates nodes.
Filter Based on Comments
You also can search and filter based on policy-setting comments. Windows enables you to add comments
to policy settings in the Administrative Templates node. To add a comment to a policy setting, double-
click that policy setting, and then click the Comment tab.
It is a good practice to add comments to configured policy settings. You should document the
justification for a setting and its intended effect. You also should add comments to the GPO itself.
Windows Server 2012 enables you to attach comments to a GPO. In the Group Policy Management Editor,
in the console tree, right-click the root node, click Properties, and then click the Comment tab.
How to Copy GPO Settings
Starter GPOs can contain only Administrative templates policy settings. But in addition to using Starter
GPOs, there are two other ways to copy settings from one GPO into a new GPO:
You can copy and paste entire GPOs in the Group Policy Objects container of the Group Policy
Management Console (GPMC), so that you have a new GPO with all settings of the source GPO.
To transfer settings between GPOs in different domains or forests, right-click a GPO, and then click
Back Up. In the target domain, create a new GPO, right-click the GPO, and then click Import
Settings. You will be able to import the settings of the backed-up GPO.
Filtering Administrative Template Policy Settings
http://go.microsoft.com/fwlink/?linkID=270014
This demonstration shows how to:
Filter Administrative Template policy settings.
Apply comments to Administrative Template policy settings.
Add comments to a GPO.
Create a new GPO by copying an existing GPO.
Create a new GPO by importing settings that were exported from another GPO.
Demonstration Steps
Filter Administrative Template policy settings
1. On LON-DC1, open the Group Policy Management Console.
2. Create a new GPO named GPO1.
3. Open GPO1 for editing.
4. Locate the User Configuration, Policies, Administrative Templates node.
5. Filter the settings to display only those Administrative templates that contain the keywords screen
saver.
6. Filter the settings to display only configured values.
Add comments to a policy setting
1. Locate the Personalization value from User Configuration\Policies\ Administrative
Templates\Control Panel.
2. Add a comment to both the Password Protect the screen saver and Enable screen saver values.
Add comments to a GPO
Open the GPO1 policy root node, and then add a comment to the Comment tab.
Create a new GPO by copying an existing GPO
Copy GPO1, and then paste it to the Group Policy Objects folder.
Create a new GPO by importing settings that were exported from another GPO
1. Back up GPO1.
2. Create a new GPO called ADATUM Import.
3. Import the settings from the GPO1 backup into the ADATUM Import GPO.
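The copy and import steps of this demonstration, and the backup and restore tasks of the Module 4 lab (Exercise 4), are the same four cmdlets in the GroupPolicy module. The script below is an added example, not part of the course, that wraps them and adds the check the GPMC does not offer: confirming that an imported GPO really carries the source GPO's settings. It assumes LON-DC1 with the GroupPolicy module; C:\GPOBackups is a constructed path for the example.

```powershell
# Added example (not course material): back up, restore, copy and import GPOs, then verify the copy.
Import-Module GroupPolicy

# Back up named GPOs, or all of them, with a comment so the restore point can be identified later.
function Backup-GpoSet {
    param([string[]]$Name, [string]$Path = 'C:\GPOBackups',
          [string]$Comment = "Pre-change backup $(Get-Date -Format s)")
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    if ($Name) { foreach ($n in $Name) { Backup-GPO -Name $n -Path $Path -Comment $Comment } }
    else       { Backup-GPO -All -Path $Path -Comment $Comment }
}

# Lab Exercise 4, Task 2: roll a GPO back to its most recent backup in the folder.
function Restore-GpoLatest {
    param([Parameter(Mandatory)][string]$Name, [string]$Path = 'C:\GPOBackups')
    Restore-GPO -Name $Name -Path $Path
}

# Demonstration steps: copy within the domain, or back up and import (the path that also works
# across domains and forests, where Import-GPO can additionally take a migration table).
function Copy-GpoSettings {
    param([Parameter(Mandatory)][string]$SourceName, [Parameter(Mandatory)][string]$TargetName,
          [switch]$ViaImport, [string]$Path = 'C:\GPOBackups')
    if ($ViaImport) {
        if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
        Backup-GPO -Name $SourceName -Path $Path | Out-Null
        Import-GPO -BackupGpoName $SourceName -TargetName $TargetName -Path $Path -CreateIfNeeded | Out-Null
    } else {
        Copy-GPO -SourceName $SourceName -TargetName $TargetName | Out-Null
    }
    # Neither path links the new GPO anywhere: links, security filtering and WMI filters are not settings.
    Get-GPO -Name $TargetName
}

# Verification: the settings sections of the two XML reports should be identical even though the
# GPO names, GUIDs and version numbers in the report headers differ.
function Test-GpoSettingsEqual {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $settingsOf = {
        param($name)
        [xml]$x = Get-GPOReport -Name $name -ReportType Xml
        $user     = ($x.GPO.User.ExtensionData     | ForEach-Object { $_.OuterXml }) -join ''
        $computer = ($x.GPO.Computer.ExtensionData | ForEach-Object { $_.OuterXml }) -join ''
        $user + $computer
    }
    (& $settingsOf $A) -eq (& $settingsOf $B)
}

Backup-GpoSet -Name 'ADATUM Standards'
Copy-GpoSettings -SourceName 'GPO1' -TargetName 'Copy of GPO1'
Copy-GpoSettings -SourceName 'GPO1' -TargetName 'ADATUM Import' -ViaImport
Test-GpoSettingsEqual -A 'GPO1' -B 'ADATUM Import'     # expected: True
```

Keep the backup folder on a volume that is itself backed up and restrict who can write to it: a restore reads whatever is in that folder, so its integrity matters as much as the GPOs themselves.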
Extending Administrative templates
As discussed previously, Administrative templates
offer administrators thousands of configurable
settings that you can deploy to computers or user
objects. A lesser-known feature of Administrative
templates is the ability to extend the
Administrative templates to include more settings
that are not otherwise available. To extend the
Administrative templates, follow these four major
steps:
1. Download the Administrative Template or create a new custom template from scratch. Many vendors,
including Microsoft and other third-party developers, offer free downloads of administrative
templates. One popular administrative template is the template for Microsoft Office. The
Administrative Template for Microsoft Office allows for customization of settings specific to Office,
including specific settings for each of the applications included in the Office suite.
Administering Windows Server 2012 5-7
2. Add the Administrative templates to a GPO. Once you add an administrative template to a GPO, a
new folder or set of folders containing new settings becomes available for customization.
3. Customize the administrative template settings. You can customize the administrative template
settings in the same way you customize regular GPO settings. By using the familiar Group Policy
Management Editor, it is easy for administrators to customize their applications.
4. Deploy the GPO along with the administrative template settings. Once deployed, you configure
applications through the administrative template settings.
Demonstration: Configuring Administrative templates
Demonstration Steps
Add the Office 2013 administrative template files to LON-DC1:
1. On LON-DC1, copy the Office 2013 administrative template files from the E:\Labfiles\Mod05\Office
2013 folder to the PolicyDefinitions folder.
Configure Office 2013 settings:
1. On LON-DC1, create a new GPO named Office 2013.
2. Edit the Office 2013 GPO by enabling the Display Developer tab in the ribbon setting.
3. Edit the Office 2013 GPO by disabling the Replace text as you type setting.
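The four steps above (obtain the template, add it to the PolicyDefinitions folder, customize, deploy) and the Office 2013 demonstration can be staged with the following Windows PowerShell example. It is added here and is not part of the 20411D courseware or Microsoft's Office templates; it assumes the lab source folder E:\Labfiles\Mod05\Office 2013, the en-US language files, and the standard central-store location in SYSVOL for the Adatum.com domain (\\Adatum.com\SYSVOL\Adatum.com\Policies\PolicyDefinitions). The Office-specific settings themselves are then configured in the Group Policy Management Editor as in the demonstration.

```powershell
# Added example (not from the 20411D courseware): copy vendor ADMX/ADML files into the
# central store, check that every .admx has its language file, then create the GPO.
# Assumptions: run on LON-DC1 as a domain administrator; paths are the lab's and the
# standard SYSVOL central-store location for Adatum.com.
Import-Module GroupPolicy

$SourceDir    = 'E:\Labfiles\Mod05\Office 2013'
$Language     = 'en-US'
$CentralStore = '\\Adatum.com\SYSVOL\Adatum.com\Policies\PolicyDefinitions'

function Copy-AdmxTemplates {
    # .admx files go to the store root; .adml files go to the culture subfolder.
    param([string]$Source, [string]$Destination, [string]$Culture)
    $langDir = Join-Path $Destination $Culture
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Get-ChildItem -Path $Source -Filter *.admx | Copy-Item -Destination $Destination -Force
    # Vendors ship .adml files either beside the .admx or in a culture-named subfolder.
    Get-ChildItem -Path $Source -Filter *.adml -Recurse |
        Where-Object { $_.Directory.Name -eq $Culture -or $_.DirectoryName -eq $Source } |
        Copy-Item -Destination $langDir -Force
}

function Test-AdmxLanguageFiles {
    # Returns the names of .admx files in the store that have no matching .adml for the
    # culture. A missing .adml makes the editor show resource errors instead of settings.
    param([string]$Store, [string]$Culture)
    $langDir = Join-Path $Store $Culture
    Get-ChildItem -Path $Store -Filter *.admx | Where-Object {
        -not (Test-Path (Join-Path $langDir ($_.BaseName + '.adml')))
    } | Select-Object -ExpandProperty Name
}

Copy-AdmxTemplates -Source $SourceDir -Destination $CentralStore -Culture $Language
$missing = Test-AdmxLanguageFiles -Store $CentralStore -Culture $Language
if ($missing) { Write-Warning "ADMX files without a $Language ADML: $($missing -join ', ')" }

# Create and link the GPO that carries the Office settings; the individual settings are
# then enabled or disabled in the Group Policy Management Editor.
$gpo = New-GPO -Name 'Office 2013' -Comment 'Office 2013 Administrative Template settings'
New-GPLink -Name $gpo.DisplayName -Target 'DC=Adatum,DC=com' | Out-Null
```

The central store replicates to every domain controller with SYSVOL and is read by every administrator's editor, so obtain template files from the vendor's official download and let only the accounts that already manage SYSVOL write to the PolicyDefinitions folder.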
Lesson 2
Configuring Folder Redirection and Scripts
You can use GPOs to deploy scripts to users and computers. You also can redirect folders that are
included in the user's profile to a central server. These features enable you to configure the user's desktop
settings more easily and, where desirable, to create a standardized desktop environment that meets your
organization's needs.
Lesson Objectives
After completing this lesson, you will be able to:
Describe folder redirection.
Explain the settings available for configuring folder redirection.
Describe security settings for redirected folders.
Explain how to configure folder redirection.
Describe Group Policy settings for applying scripts.
Explain how to configure scripts by using Group Policy.
What Is Folder Redirection?
You can use the Folder Redirection feature to
manage data effectively and, if you choose, to
back up data. By redirecting folders, you can
ensure user access to data regardless of the
computers from which a user logs in. Folder
redirection has the following characteristics:
When you redirect folders, you change the
folder's storage location from the local hard
disk of the user's computer to a shared folder
on a network file server.
After you redirect a folder to a file server, it
still appears to the user as if the folder is
stored on the local hard disk.
You can use the Offline Files technology in conjunction with redirection to synchronize data in the
redirected folder to the user's local hard drive. This ensures that users have access to their data if a
network outage occurs or if the user is working offline.
Advantages of Folder Redirection
There are many advantages of folder redirection, including:
Users that log in to multiple computers can access their data as long as they can access the network
share.
Offline folders allow users to access their data even if they disconnect from the LAN.
You can easily back up data that is stored on servers in network shares.
You can reduce roaming profile size greatly by redirecting data from the profile.

Settings for Configuring Folder Redirection
In a GPO, the following settings are available for
folder redirection:
None. None is the default setting. Folder
redirection is not enabled.
Basic. Basic folder redirection is for:
o Users who must redirect their folders to
the same parent folder.
o Users who need their data to be private.
Advanced. You can use Advanced redirection
to specify different network locations for
different Active Directory security groups.
Follow the Documents folder. Follow the Documents folder redirection is available only for the
Pictures, Music, and Videos folders. This setting makes the affected folder a subfolder of the
Documents folder.
Target Folder Locations for Basic and Advanced Settings
If you choose either the Basic or Advanced setting for folder redirection, you can choose from the
following target folder locations:
Create a folder for each user under the root path. This option creates a folder in the form
\\server\share\User Account Name\Folder Name. For example, if you want to store your users'
desktop settings in a shared folder called Documents on a server called LON-DC1, you could define
the root path as \\lon-dc1\Documents.
Each user has a unique path for the redirected folder to ensure that data remains private. By default, each
user is granted exclusive rights to his or her folder. In the case of the Documents folder, the current
contents of the folder are moved to the new location.
Redirect to the following location. This option uses an explicit path for the redirection location. It
causes multiple users to share the same parent path for the redirected folder. By default, the user is
granted exclusive rights to the folder. In the case of the Documents folder, the current contents of the
folder are moved to the new location.
Redirect to the local user profile location. This option moves the location of the folder to the local user
profile under the Users folder.
Redirect to the user's home directory. This option is available only for the Documents folder. When
used, the Documents folder is redirected to the home directory configured on the user's Active
Directory user object.
Note: After the initial creation and application of a GPO that delivers folder redirection
settings, users require two log ins before redirection takes effect. This is because users will log in
with cached credentials. To allow folder redirection settings to take effect with just one log in, the
Always wait for the network at computer startup and logon Group Policy setting has to be
enabled. However, enabling the policy setting will degrade the overall user log in experience
because it will take longer to log in.

Question: Users in the same department often log in to different computers. They need
access to their Documents folder. They also need data to be private. What folder redirection
setting would you choose for these users?
Security Settings for Redirected Folders
You must create and configure the permissions
manually on the shared network folder that stores
the redirected folders. However, folder redirection
itself can create each user's redirected folder.
Folder permissions are handled as follows:
When you let folder redirection create the
folders, the correct subfolder permissions are
set automatically.
If you manually create folders, you must know
the correct permissions.
The tables below illustrate these permissions.
NTFS permissions for root folder
Identity                                              Permission
Creator/Owner                                         Full control, subfolders and files only
Administrator                                         None
Security group of users that save data on the share   List Folder/Read Data, Create Folders/Append Data,
                                                      this folder only
System                                                Full control
Share permissions for root folder
Identity                                              Permission
Creator/Owner                                         Full control, subfolders and files only
Security group of users that save data on the share   Full control
NTFS permissions for each user's redirected folder
Identity                                              Permission
Creator/Owner                                         Full control, subfolders and files only
%Username%                                            Full control, owner of folder
Administrators                                        Full control
System                                                Full control
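The root-folder permissions in the tables above are easy to get wrong by hand, and a root shared to Everyone with Read/Write (the shortcut taken in the demonstration that follows) lets any account create and enumerate folders under it. The following Windows PowerShell example is added here and is not part of the 20411D courseware; it creates the root with exactly the NTFS entries from the first table, shares it with the group entry from the second table, and then audits the result. It assumes the path C:\Redirect and share name Redirect from the demonstration and a constructed group name ADATUM\Redirected Users for "security group of users that save data on the share". The table's Creator/Owner share entry is not set on the share here; the Creator/Owner NTFS entry governs the per-user folders, and effective access is the more restrictive of share and NTFS permissions.

```powershell
# Added example (not from the 20411D courseware): build the folder-redirection root with
# the NTFS and share permissions from the tables above and audit it for broad grants.
# Assumptions: run on the file server as an administrator; 'ADATUM\Redirected Users' is a
# constructed group name; path and share name follow the demonstration.
Import-Module SmbShare

$RootPath  = 'C:\Redirect'
$ShareName = 'Redirect'
$UserGroup = 'ADATUM\Redirected Users'   # constructed; use your own group

function New-RedirectionRoot {
    param([string]$Path, [string]$Group)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the drive root so that inherited entries such as BUILTIN\Users
    # disappear, and do not copy them into the explicit list.
    $acl.SetAccessRuleProtection($true, $false)
    # Table row: Creator/Owner - Full control, subfolders and files only
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')))
    # Table row: Security group - List Folder/Read Data, Create Folders/Append Data, this folder only
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ListDirectory, CreateDirectories', 'None', 'None', 'Allow')))
    # Table row: System - Full control on this folder, subfolders and files
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    # Table row: Administrator - None. No entry is added; administrators take ownership if they
    # ever need to read user data, which leaves a visible trace instead of silent access.
    Set-Acl -Path $Path -AclObject $acl
}

function New-RedirectionShare {
    # Table row: Security group - Full control on the share (NTFS remains the effective limit).
    # Access-based enumeration hides other users' folders from the listing.
    param([string]$Name, [string]$Path, [string]$Group)
    New-SmbShare -Name $Name -Path $Path -FullAccess $Group -FolderEnumerationMode AccessBased | Out-Null
}

function Test-RedirectionRoot {
    # Returns every Allow entry granted to a broad principal. An empty result means the root
    # matches the tables; anything returned is a grant the tables do not contain.
    param([string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    }
}

New-RedirectionRoot  -Path $RootPath -Group $UserGroup
New-RedirectionShare -Name $ShareName -Path $RootPath -Group $UserGroup
$violations = Test-RedirectionRoot -Path $RootPath
if ($violations) { $violations | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize }
else { "$RootPath matches the redirected-folder root permissions." }
```

Once the root is in place, the folder redirection setting's default of granting the user exclusive rights creates each per-user folder with the entries from the third table. Run Test-RedirectionRoot again after any later change to the share, since a quick fix that adds Everyone or Authenticated Users to the root is the most common way these permissions drift.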

Demonstration: Configuring Folder Redirection
This demonstration shows how to:
Create a shared folder.
Create a GPO to redirect the Documents folder.
Test folder redirection.
Demonstration Steps
Create a shared folder
1. On LON-DC1, create a folder named C:\Redirect.
2. Share the folder to Everyone with Read/Write permission.
Create a GPO to redirect the Documents folder
1. Open the Group Policy Management Console. Create a GPO named Folder Redirection, and then
link it to the Adatum domain.
2. Edit the Folder Redirection GPO.
3. Configure the Documents folder properties to use the Basic - Redirect everyone's folder to the
same location setting.
4. Ensure that the Target folder location is set to Create a folder for each user under the root path.
5. Specify the root path as \\LON-DC1\Redirect.
6. Close all open windows on LON-DC1.
Test folder redirection
1. Log in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Check the properties of the Documents folder. The path will be \\LON-DC1\Redirect.
3. Log off of LON-CL1.
Group Policy Settings for Applying Scripts
You can use Group Policy scripts to perform a
number of tasks. There may be actions that you
need to perform every time a computer starts up
or shuts down, or when users log in or log off. For
example, you can use scripts to:
Clean up desktops when users log off and
shut down computers.
Delete the contents of temporary directories.
Map drives or printers.
Set environment variables.

Scripts that are assigned to the computer run in the security context of the Local System account. Scripts
that are assigned to the user who is logging on run in that user's security context.
Other Group Policy settings control aspects of how scripts run. For example, if multiple scripts are
assigned, you can control whether they run synchronously or asynchronously.
You can write scripts in any scripting language that the Windows client can interpret, such as Microsoft
Visual Basic Scripting Edition (VBScript), Microsoft JScript, or simple command or batch files.
Note: In Windows Server 2008 R2 and Windows Server 2012, the UI in the Group Policy
Management Editor for Logon, Logoff, Startup, and Shutdown scripts provides an additional tab
for Windows PowerShell scripts. You can deploy your Windows PowerShell script by adding it to
this tab. The Windows Server 2008 R2 operating system or newer and the Windows 7 operating
system or newer can run Windows PowerShell scripts through Group Policy.
Scripts are stored in shared folders on the network. You need to ensure that the client has access to that
network location. If clients cannot access the network location, the scripts fail to run. Although scripts
can be stored in any network location, as a best practice, use the Netlogon share because all users and
computers that are authenticated to Active Directory Domain Services (AD DS) have access to this location.
For many of these settings, using Group Policy preferences is a better alternative to configuring them in
Windows images or using logon scripts. Group Policy preferences are covered in more detail later in this
module.
Demonstration: Configuring Scripts with GPOs
This demonstration shows how to:
Create a logon script to map a network drive.
Create and link a GPO to use the script, and store the script in the Netlogon share.
Log in to the client to test the results.
Demonstration Steps
Create a logon script to map a network drive
1. On LON-DC1, launch Notepad, and then type the following command:
Net use t: \\LON-dc1\Redirect
2. Save the file as Map.bat.
3. Copy the file to the clipboard.
Create and link a GPO to use the script, and store the script in the Netlogon share
1. Use the Group Policy Management Console to create a new GPO named Drivemap, and then link it
to the Adatum.com domain.
2. Edit the GPO to configure a user logon script.
3. Paste the Map.bat script into the Netlogon share.
4. Add the Map.bat script to the logon scripts.
Log in to the client to test the results
1. On LON-CL1, log in as Adatum\Administrator with the password Pa$$w0rd.
2. Verify that the drive is mapped.
3. Log off of LON-CL1.
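The Windows PowerShell scripts tab mentioned in the note above takes a .ps1 file in place of the Map.bat batch file from the demonstration. The following example is added here and is not part of the 20411D courseware. It writes a PowerShell logon script that does what Map.bat does but checks the share first and logs the outcome, stores it in the Netlogon share as the text recommends, and then verifies that only administrators can modify the file: a user logon script runs in every user's context and a startup script runs as Local System, so a script that non-administrators can edit is a privilege escalation path. It assumes the domain Adatum.com, the share \\LON-DC1\Redirect from the demonstration, and a constructed file name Map-Drive.ps1.

```powershell
# Added example (not from the 20411D courseware): PowerShell equivalent of Map.bat, staged in
# Netlogon, with a check that the script file is writable only by administrators.
# Assumptions: domain Adatum.com, share \\LON-DC1\Redirect, constructed file name Map-Drive.ps1.

# The logon script itself. The single-quoted here-string keeps it literal until it runs on the client.
$LogonScript = @'
# Map-Drive.ps1: user logon script, runs in the logged-on user's security context.
$Letter = 'T'
$Share  = '\\LON-DC1\Redirect'
$Log    = Join-Path $env:LOCALAPPDATA 'Map-Drive.log'   # user-writable location for a per-user log
if (-not (Test-Path -LiteralPath $Share)) {
    "$(Get-Date -Format s) $Share unreachable; drive $Letter not mapped" | Add-Content $Log
    exit 1
}
# Remove a stale mapping first; /persistent:no limits the mapping to this session so it
# does not survive into a logon where the policy no longer applies.
if (Test-Path "${Letter}:") { net use "${Letter}:" /delete /y | Out-Null }
net use "${Letter}:" $Share /persistent:no | Out-Null
"$(Get-Date -Format s) mapped ${Letter}: to $Share (exit $LASTEXITCODE)" | Add-Content $Log
exit $LASTEXITCODE
'@

$NetlogonPath = '\\Adatum.com\NETLOGON'
$ScriptPath   = Join-Path $NetlogonPath 'Map-Drive.ps1'
Set-Content -Path $ScriptPath -Value $LogonScript -Encoding UTF8

function Test-ScriptIsAdminOnlyWritable {
    # $true when only administrators and SYSTEM hold write, delete or permission-change rights
    # on the file. Netlogon's default ACL passes; an ad hoc scripts share often does not.
    param([string]$Path)
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                 "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    $offenders = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
    foreach ($o in $offenders) { Write-Warning "$($o.IdentityReference) can modify $Path" }
    -not $offenders
}

if (-not (Test-ScriptIsAdminOnlyWritable -Path $ScriptPath)) {
    throw "$ScriptPath is writable by non-administrators; fix the ACL before assigning it as a logon script"
}
"Assign $ScriptPath on the PowerShell Scripts tab of the Logon script setting in the Drivemap GPO."
```

The script exits non-zero when the share is unreachable, which surfaces in the per-user log rather than failing silently, and the log location is one the user already owns, since a logon script has no right to register an event log source. The same Test-ScriptIsAdminOnlyWritable check applies to startup and shutdown scripts, where the cost of a writable script is a command running as Local System on every computer that receives the GPO.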
Lesson 3
Configuring Group Policy Preferences
Prior to the release of the Windows Server 2008 operating system, you could not use Group Policy to
control common settings that affect the user and computer environment, such as mapped drives.
Typically, these settings were delivered through logon scripts or imaging solutions.
However, in Windows Server 2012, Group Policy preferences are built into the GPMC, which enables
settings such as mapped drives to be delivered through Group Policy. Additionally, you can
configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer that is
running Windows 7 or Windows 8. This allows you to deliver many common settings by using Group
Policy.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Group Policy preferences.
Identify the differences between Group Policy settings and preferences.
Describe Group Policy preference features.
Identify the preference item-level targeting options.
Explain how to configure settings by using preferences.
What Are Group Policy Preferences?
Group Policy preference extensions include more
than 20 Group Policy extensions that expand the
range of configurable settings within a GPO. You
now can use preferences to apply a number of
settings that had to be applied by scripts in the
past, such as drive mappings.
Group Policy preferences are supported natively
on Windows Server 2008 and newer, and on
Windows Vista Service Pack 2 (SP2) and newer.
You can download and install Group Policy client-
side extensions of Group Policy preferences for
Windows Server 2003, Windows XP Service Pack 3
(SP3), and Windows Vista Service Pack 1 (SP1) to provide support for preferences on those systems.
Examples of the new Group Policy preference extensions include:
Folder Options
Drive Maps
Printers
Scheduled Tasks
Services
Start Menu

Configuring Group Policy preferences does not require any special tools or software installation, because
they are natively part of the GPMC in the Windows Server 2008 operating system and newer. By default,
preferences are applied in the same manner as Group Policy settings. Preferences have two distinct
sections: Windows Settings and Control Panel Settings.
When you configure a new preference, you can perform the following four basic actions:
Create. Create a new preference setting for the user or computer.
Delete. Remove an existing preference setting for the user or computer.
Replace. Delete and recreate a preference setting for the user or computer. The result is that Group
Policy preferences replace all existing settings and files associated with the preference item.
Update. Modify an existing preference setting for the user or computer.
Comparing Group Policy Preferences and Administrative templates
Preferences are similar to policies in that they
apply configurations to the user or computer.
However, there are several differences in the way
that you can configure and apply them. One of
these differences is that preferences are not
enforced. However, you can configure preferences
to be reapplied automatically.
The following is a list of other differences between
Group Policy settings and preferences:
Preference settings are not enforced.
Group Policy settings disable the user
interface for settings that the policy manages. Preferences do not do this.
Group Policy settings are applied at regular intervals. You can apply preferences once only or at
regular intervals.
The end user can change any preference setting that is applied through Group Policy, but users are
prevented from changing policy settings.
In some cases, you can configure the same settings through a policy setting as well as a preference
item. If conflicting preference and Group Policy settings are configured and applied to the same
object, the value of the policy setting always applies.
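The difference between an enforced policy setting and a preference, and the four preference actions listed earlier, can be seen by delivering the same desktop setting both ways. The following Windows PowerShell example is added here and is not part of the 20411D courseware. It assumes the GroupPolicy module, two constructed GPO names and a constructed wallpaper path; the registry locations are the documented ones for the Desktop Wallpaper policy (under the Policies branch, which the user interface honours as a managed setting) and for the user's own wallpaper value.

```powershell
# Added example (not from the 20411D courseware): the same setting as a policy and as a
# preference, plus the preference actions, using the GroupPolicy registry cmdlets.
# Assumptions: GroupPolicy module available; GPO names and wallpaper path are constructed.
Import-Module GroupPolicy

$PolicyGpo = 'Desktop Standard (policy)'
$PrefGpo   = 'Desktop Standard (preference)'
$Wallpaper = '\\LON-DC1\Netlogon\corp.jpg'   # constructed path
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$UserKey   = 'HKCU\Control Panel\Desktop'

# --- Policy: written under the Policies branch. The desktop UI control is locked while the
#     GPO applies, and the value is removed again when the GPO stops applying.
New-GPO -Name $PolicyGpo | Out-Null
Set-GPRegistryValue -Name $PolicyGpo -Key $PolicyKey -ValueName 'Wallpaper' -Type String -Value $Wallpaper | Out-Null
Set-GPRegistryValue -Name $PolicyGpo -Key $PolicyKey -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null

# --- Preference: written to the user's live key. The user can change it afterwards; the
#     Update action rewrites it at each refresh unless "Apply once" is selected in the editor.
New-GPO -Name $PrefGpo | Out-Null
Set-GPPrefRegistryValue -Name $PrefGpo -Context User -Action Update `
    -Key $UserKey -ValueName 'Wallpaper' -Type String -Value $Wallpaper | Out-Null
# Replace deletes and recreates the item, so the client ends up with exactly this value.
Set-GPPrefRegistryValue -Name $PrefGpo -Context User -Action Replace `
    -Key $UserKey -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null
# Create only writes the value when it does not exist yet; an existing value is left alone.
Set-GPPrefRegistryValue -Name $PrefGpo -Context User -Action Create `
    -Key $UserKey -ValueName 'TileWallpaper' -Type String -Value '0' | Out-Null
# Taking an item out of the GPO does not undo it on clients that already applied it
# (preferences tattoo) unless "Remove this item when it is no longer applied" was set.
Remove-GPPrefRegistryValue -Name $PrefGpo -Context User -Key $UserKey -ValueName 'TileWallpaper' | Out-Null

function Get-DesktopSettingReport {
    # Reads back what each GPO carries so the two can be compared side by side; if both are
    # linked to the same users, the policy value is the one that takes effect.
    param([string]$PolicyGpoName, [string]$PreferenceGpoName)
    $policy = Get-GPRegistryValue -Name $PolicyGpoName -Key $PolicyKey
    $pref   = Get-GPPrefRegistryValue -Name $PreferenceGpoName -Context User -Key $UserKey
    [pscustomobject]@{
        PolicyValues    = @($policy | ForEach-Object { "$($_.ValueName)=$($_.Value)" })
        PreferenceItems = @($pref   | ForEach-Object { "$($_.Action) $($_.ValueName)=$($_.Value)" })
    }
}

Get-DesktopSettingReport -PolicyGpoName $PolicyGpo -PreferenceGpoName $PrefGpo | Format-List
```

The cmdlets cover registry preference items only; drive maps, shortcuts, folders and the other preference extensions are configured in the editor. The "Run in logged-on user's security context" and "Remove this item when it is no longer applied" options on the Common tab likewise have no cmdlet parameter and are set in the editor.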

Features of Group Policy Preferences
After you create a Group Policy preference, you
must configure its properties. Different
preferences will require different input
information. For example, shortcut preferences
require target paths, whereas environment
variables require variable types and values. Group
Policy Preferences also provide a number of
features in the common settings properties to
assist in the deployment.
General Properties Tab
Basic information is provided in the General
Properties tab. Here, the first step is to specify the
action for the preference: Create, Delete, Replace, or Update. Different settings will be available,
depending on the initial action selected. For example, when creating a drive mapping, you must provide a
Universal Naming Convention (UNC) path and an option for the drive letter that you want to assign.
Common Properties Tab
The common properties are consistent for all preferences. You can use the Common Property tab to
control the behavior of the preference as follows:
Stop processing items in this extension if an error occurs. If an error occurs while processing a
preference, no other preferences in this GPO will process.
Run in logged-on user's security context. Preferences can run as the System account or the logged-on
user. This setting forces the logged-on user context.
Remove this item when it is no longer applied. Unlike policy settings, preferences are not removed
when the GPO that delivered them is removed. This setting changes that behavior.
Apply once and do not reapply. Normally, preferences are refreshed at the same interval as Group
Policy settings. This setting changes that behavior to apply the setting only once on logon or startup.
Use item-level targeting. One of the most powerful features of preferences is item-level targeting. You
can use this feature to specify criteria easily, so that you can determine exactly which users or
computers will receive a preference. Criteria include, but are not limited to:
o Computer name
o IP address range
o Operating system
o Security group
o User
o Windows Management Instrumentation (WMI) queries

Item-Level Targeting Options
Item-level targeting is a feature that allows Group
Policy settings to apply to computers or user
objects only when the computers or user objects
match defined criteria. This makes very powerful
targeting control possible and allows Information
Technology (IT) administrators to pinpoint exactly
where and when a setting should apply. Item-
level targeting offers the following capabilities:
Target 27 different categories. Item-level
targeting can use 27 different categories for
targeting computers and user objects. This
allows for precision targeting. See Figure 5.1
for the complete list of categories.
Combine different categories together by using AND or OR Boolean logic. Instead of using a single
category for targeting, you can use multiple categories. For example, if you want to deploy printers
only to portable computers and only when the users of the portable computers are members of the
Sales group, you can do that with item-level targeting. You can then go a step further by deploying
one group of printers if the computers are portable, being used by a member of the Sales group, and
in a specific IP subnet, while deploying another set of printers when the IP subnet changes.
Refresh item-level targeting during the Group Policy background refresh. Because the targeting criteria
are re-evaluated at every background refresh, item-level targeting is a dynamic way to manage user
objects and computer objects.
The following figure shows the 27 different categories for item-level targeting.
[Figure 5.1: the 27 item-level targeting categories; image not reproduced here]
Demonstration: Configuring Group Policy Preferences
This demonstration shows how to:
Configure a desktop shortcut with Group Policy preferences.
Target the preference.
Configure a new folder with Group Policy preferences.
Target the preference.
Test the preference.
Demonstration Steps
Configure a desktop shortcut with Group Policy preferences
1. On LON-DC1, in the Group Policy Management Console, open the Default Domain Policy for
editing.
2. Navigate to Computer Configuration\Preferences\Windows Settings\Shortcuts.
3. Create a new shortcut to the Notepad.exe program.

Target the preference
Target the preference for the computer LON-CL1.
Configure a new folder with Group Policy preferences
1. Navigate to User Configuration\Preferences\Windows Settings\Folders.
2. Create a new folder for the C:\Reports folder.
Target the preference
Target this preference for computers that are running the Windows 8 operating system.
Test the preferences
1. Switch to LON-CL1, and refresh Group Policy by using the following command at the command
prompt:
gpupdate /force
2. Log in and verify the presence of both the C:\Reports folder and the Notepad shortcut on the
Desktop.
Lesson 4
Managing Software with Group Policy
Windows Server 2012 includes a feature called Software Installation and Maintenance that AD DS, Group
Policy, and the Windows Installer service use to install, maintain, and remove software from your
organization's computers. In this lesson, you will learn how to manage software with Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the role Group Policy software distribution plays in the software lifecycle.
Describe how Windows Installer enhances software distribution.
Describe the difference between assigning software and publishing software.
Explain how to manage software upgrades by using Group Policy.
How Group Policy Software Distribution Helps to Address the Software
Lifecycle
The software lifecycle consists of four phases:
preparation, deployment, maintenance, and
removal. You can use Group Policy to manage all
phases except the preparation. You can apply
Group Policy settings to users or computers in a
site, domain, or organizational unit (OU) to install,
upgrade, or remove software automatically.
By applying Group Policy settings to software, you
can manage the phases of software deployment
without deploying software on each computer
individually.
Using Group Policy to manage the software
lifecycle has some advantages and some disadvantages that are important to consider. The advantages of
using Group Policy to manage the software lifecycle are:
Group Policy software distribution is available as part of Group Policy and AD DS. Thus, using Group
Policy does not incur any additional costs for your organization, and is always available to implement
because it is already installed and ready for use.
Group Policy software distribution does not require client software, agent software, or additional
management software. IT administrators can use familiar tools to manage the software lifecycle.
Group Policy software distribution is quick and easy to use. This allows for both faster software
distribution and reduced IT training costs.
The disadvantages of using Group Policy to manage the software lifecycle are:
Group Policy software distribution has a minimal feature set. This minimal feature set limits the ability
to control aspects of the distribution such as the day and time of installation, the order of installation
when deploying multiple applications, and the reboot process, such as reboot suppression or reboot
windows.

Group Policy software distribution does not have any reporting. Thus, you cannot easily gather
information such as how many computers have the distributed software, which computers an
installation failed on, or which computers do not have the distributed software. This could lead to a
scenario in which you deploy an update to an application and the update attempts to install on
computers that no longer have the application to be updated.
Group Policy software distribution is limited to deployment of Windows Installer packages. IT
administrators have to convert non-MSI installation programs into MSI packages before being able to
deploy the software by using Group Policy.
Note: For larger organizations, especially organizations that have more than 500 computers, and for
any organizations with specific software distribution requirements, Microsoft System Center 2012
Configuration Manager provides enterprise-level features and control. These enterprise-level
features and control eliminate the disadvantages found in Group Policy software distribution.
How Windows Installer Enhances Software Distribution
To enable Group Policy to deploy and manage
software, Windows Server 2012 uses the Windows
Installer service. This component automates the
installation and removal of applications by
applying a set of centrally-defined setup rules
during the installation process. The Windows
Installer service installs the .msi package files. .msi
files contain a database that stores all the
instructions required to install the application.
Small applications may be entirely stored as .msi
files, whereas other larger applications will have
many associated source files that the MSI
references. Many software vendors provide .msi files for their applications.
The Windows Installer service has the following characteristics:
This service runs with elevated privileges, so that the Windows Installer service can install software
regardless of which user is signed into the system. Users only require read access to the software
distribution point.
Applications are resilient. If an application becomes corrupted, the installer will detect and reinstall or
repair the application.
Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe
file, you must convert the .exe file to an .msi file by using a third-party utility.
Question: Do users need administrative rights to install applications that have .msi files
manually?
Question: What are some of the disadvantages of deploying software through Group Policy?

Assigning and Publishing Software
Two deployment types are available for delivering
software to clients. Administrators can either
install software for users or computers in advance
by assigning the software, or give users the option
to install the software when they require it by
publishing the software in AD DS. Both user and
computer configuration sections of a GPO have a
Software Settings section. You can add software to
a GPO by adding a new package to the Software
Installation node and then specifying whether to
assign or publish it.
You also can choose advanced deployment of a
package. Use this option to apply a customization file to a package for custom deployment. For example,
you can use the Office Customization Tool to create a setup customization file for deploying Microsoft Office.
Assigning Software
Assigning software has the following characteristics:
When you assign software to a user, the users Start menu advertises the software when the user logs
on. Installation does not begin until the user double-clicks the application's icon or a file that is
associated with the application.
Users do not share deployed applications. When you assign software to a user, an application that
you install for one user through Group Policy may not be available to other users. Assigning software
to a user is preferred when the software is used by a subset of users, or when the software has
licensing costs associated with it and you do not want to purchase licenses that will not be used.
When you assign an application to a computer, the application is installed the next time that the
computer starts. The application will be available to all users of the computer. Assigning software to a
computer is preferred when you need to have the software installed on a specific set of computers or
on all computers in an environment, regardless of which users use the computers. This is a common
situation when dealing with agent software, such as monitoring agents, security-related agents, or
management agents.
Publishing Software
Publishing software has the following characteristics:
The Programs\Programs and Features shortcut in Control Panel advertises a published application to
the user. Users can install the application by using the Install a program from the network shortcut, or
extension activation can install the application. Extension activation will initiate the program
installation when a user clicks on a file type that is associated with the program.
Control Panel does not advertise applications to users who do not have permission to install them.
Applications cannot be published to computers.
Note: When configuring Group Policy to deploy an application, a UNC path must be
available to the application installer. If you use local paths, the deployment will fail.

Managing Software Upgrades by Using Group Policy
Software vendors occasionally release software
updates. These usually address minor issues, such
as a performance update or a feature
enhancement that does not warrant a complete
application reinstallation. Microsoft releases some
software patches as .msp files.
Major updates that provide new functionality
require users to upgrade a software package to a
newer version. You can open the GPO that
deploys a software package, modify the software
installation settings, and then use the Upgrades
tab to upgrade a package. When you perform
upgrades by using Group Policy, you'll notice the following characteristics:
You may redeploy a package if the original Windows Installer file has been modified.
Upgrades will often remove the old version of an application and install a newer version. These
upgrades usually maintain application settings.
You can remove software packages if they were delivered originally by using Group Policy. This is
useful if you are replacing a line-of-business (LOB) application with a different application. Removal
can be mandatory or optional.
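Before a package is added to the Software Installation node, or set up as the upgrade of an existing package, a few properties of the .msi file decide whether the deployment will work: the note in the previous topic requires a UNC path, Windows Installer deploys only .msi files, clients must be able to read the package, and upgrade relationships are matched on the package's ProductCode and UpgradeCode. The following Windows PowerShell example is added here and is not part of the 20411D courseware; it reads those properties through the Windows Installer automation interface and reports them together with the package's Authenticode signature status. The package path is constructed.

```powershell
# Added example (not from the 20411D courseware): pre-deployment checks for a Windows
# Installer package that is about to be assigned, published or used as an upgrade.
# Assumptions: package path is constructed; the WindowsInstaller.Installer COM object is
# present on any Windows host.
$PackagePath = '\\LON-DC1\Software\ContosoApp\ContosoApp.msi'   # constructed

function Get-MsiProperty {
    # Reads the Property table of an .msi (ProductCode, UpgradeCode, ProductVersion, ...)
    # through the late-bound Windows Installer automation interface.
    param([string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT Property, Value FROM Property'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if (-not $rec) { break }
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    $props
}

function Test-GpoSoftwarePackage {
    param([string]$Path)
    $result = [ordered]@{ Path = $Path }
    $result.IsUncPath = $Path.StartsWith('\\')                        # local paths make the deployment fail
    $result.IsMsi     = [IO.Path]::GetExtension($Path) -eq '.msi'     # .exe installers cannot be deployed
    $result.Reachable = Test-Path -LiteralPath $Path
    if ($result.Reachable) {
        # Computer-assigned installs run as SYSTEM on the client, so the computer account
        # (or Authenticated Users) must be able to read the package; list who can.
        $result.Readers = @((Get-Acl -LiteralPath $Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        # A valid signature ties the package to its vendor; an unsigned or altered .msi
        # from a writable share is executed as SYSTEM on every targeted computer.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $result.SignatureStatus = $sig.Status
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $p = Get-MsiProperty -Path $Path
        $result.ProductName    = $p['ProductName']
        $result.ProductVersion = $p['ProductVersion']
        $result.ProductCode    = $p['ProductCode']   # changes with each major upgrade of the product
        $result.UpgradeCode    = $p['UpgradeCode']   # stable across versions; links old and new packages
    }
    [pscustomobject]$result
}

Test-GpoSoftwarePackage -Path $PackagePath | Format-List
```

When the Upgrades tab is used, the new package's UpgradeCode should match the package it replaces and its ProductCode must differ; the report above makes both visible before the GPO is edited. Because Group Policy software distribution has no reporting, keep this output with the change record for the GPO, since it is the only record of which package version was offered.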

Lab: Managing User Desktops with Group Policy
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London,
England. An IT office and a data center are located in London to support the London head office and
other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum has been using logon scripts to provide users with drive mappings to file shares. The
maintenance of these scripts is an ongoing problem because they are large and complex. Your manager
has asked you to implement the drive mappings by using Group Policy preferences so that logon scripts
can be removed.
Your manager has also asked you to place a shortcut to the Notepad application for all users that belong
to the IT security group and to add a new Computer Administrators security group as a local
Administrator on all servers.
A. Datum wants to be able to manage Office 2013 settings for all client computers. They have decided to
use Administrative templates to do this.
Objectives
After completing this lab, you will be able to:
Implement settings by using Group Policy preferences.
Configure Office 2013 settings using Administrative templates.
Configure folder redirection.
Deploy software by using Group Policy.
Lab Setup
Estimated Time: 45 minutes
Virtual Machines: 20411D-LON-DC1, 20411D-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, click Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20411D-LON-DC1, and, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log in using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Adatum
5. Repeat steps 2 through 4 for 20411D-LON-CL1.
Exercise 1: Implementing Settings by Using Group Policy Preferences
Scenario
A. Datum has been using logon scripts to provide users with drive mappings to file shares. The
maintenance of these scripts is an ongoing problem because they are large and complex. Your manager
has asked you to implement the drive mappings by using Group Policy preferences so that logon scripts
can be removed. Your manager has also asked you to place a shortcut to the Notepad application for all
users that belong to the IT security group.
The main tasks for this exercise are as follows:
1. Create a new GPO, and link it to the Branch Office 1 organizational unit (OU)
2. Edit the default Domain Policy with the required Group Policy preferences
3. Test the preferences
Task 1: Create a new GPO, and link it to the Branch Office 1 organizational unit (OU)
1. On LON-DC1, open File Explorer, and then create a folder and share it with specific people by using
the following properties:
Path: C:\Branch1
Share name: Branch1
Permissions: Everyone, Read/Write
2. On LON-DC1, open Active Directory Users and Computers, and then create an OU in the
Adatum.com domain called Branch Office 1.
3. Move user Holly Dickson from the IT OU to the Branch Office 1 OU.
4. Move the LON-CL1 computer to the Branch Office 1 OU.
5. Open the Group Policy Management Console.
6. Create and link a new GPO named Branch1 to the Branch Office 1 OU.
7. Open the Branch1 GPO for editing.
8. Edit the GPO to configure a mapped drive by using Group Policy preferences.
9. Map the S:\ drive to \\LON-DC1\Branch1.
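Steps 1 through 7 of this task are the same operations you would script when you do this outside a lab, so here they are as PowerShell run on LON-DC1 as Adatum\Administrator. This is an added example, not part of the lab. It departs from the lab in one place: the share grants Read/Write to a security group rather than to Everyone, because a share on a domain controller that every authenticated principal (including every computer account) can write to is not something to leave behind after the exercise. The group name Branch1 Users is an assumption; the lab does not define it. Steps 8 and 9, the Drive Maps preference item, have no cmdlet in the GroupPolicy module and are still configured in the Group Policy Management Editor.

```powershell
# Added example (not part of the lab): Exercise 1, Task 1, steps 1-7 in PowerShell.
# Assumption not in the lab: a 'Branch1 Users' group holds the share permission
# instead of Everyone.
Import-Module ActiveDirectory, GroupPolicy, SmbShare

$domain = Get-ADDomain
$ouName = 'Branch Office 1'
$ouPath = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Folder and share. Change (read/write) for the branch group only; Administrators
#    keep Full Control for maintenance. NTFS inherits from C:\, which lets Users
#    read, so the share permission is what keeps other users out.
$group = Get-ADGroup -Filter "Name -eq 'Branch1 Users'" -ErrorAction SilentlyContinue
if (-not $group) { $group = New-ADGroup -Name 'Branch1 Users' -GroupScope Global -PassThru }
Add-ADGroupMember -Identity $group -Members 'Holly'
New-Item -Path 'C:\Branch1' -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name 'Branch1' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Branch1' -Path 'C:\Branch1' `
        -ChangeAccess "$($domain.NetBIOSName)\Branch1 Users" `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 2. OU in the domain root.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 3. and 4. Move Holly Dickson and LON-CL1 into the new OU. Both objects must be
#    in scope of the OU link for the user-side preference to apply to Holly.
Get-ADUser -Identity 'Holly' | Move-ADObject -TargetPath $ouPath
Get-ADComputer -Identity 'LON-CL1' | Move-ADObject -TargetPath $ouPath

# 5. to 7. Create the Branch1 GPO and link it to the OU (the console's
#    "Create a GPO in this domain, and Link it here").
$gpo = Get-GPO -Name 'Branch1' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'Branch1' -Comment 'Branch 1 drive mappings; replaces the logon script'
}
$linked = (Get-GPInheritance -Target $ouPath).GpoLinks | Where-Object { $_.DisplayName -eq 'Branch1' }
if (-not $linked) { New-GPLink -Name 'Branch1' -Target $ouPath -LinkEnabled Yes | Out-Null }

# Confirm the link and the share before opening the GPO for the Drive Maps item.
(Get-GPInheritance -Target $ouPath).GpoLinks | Select-Object DisplayName, Enabled, Order
Get-SmbShareAccess -Name 'Branch1'
```

Steps 8 and 9 are then done in the editor under User Configuration\Preferences\Windows Settings\Drive Maps, with the target \\LON-DC1\Branch1 and the drive letter S:.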
Task 2: Edit the default Domain Policy with the required Group Policy preferences
1. Open the Default Domain Policy for editing.
2. Navigate to User Configuration\Preferences\Windows Settings\Shortcuts.
3. Create a new shortcut to the Notepad.exe program:
Name: Notepad
Action: Create
Location: Desktop
Target path: C:\Windows\notepad.exe
4. Target the preference for members of the IT security group.
5. Close all open windows.
Task 3: Test the preferences
1. Switch to LON-CL1 and restart the computer.
2. Log in as Adatum\Administrator with the password Pa$$w0rd.
3. Open a Command Prompt window, and then run the gpupdate /force command to refresh
Group Policy.
4. Log off of LON-CL1.
5. Log in to LON-CL1 as Adatum\Holly with the password Pa$$w0rd.
6. Verify that a drive is mapped to \\LON-DC1\Branch1.
7. Verify that the shortcut to Notepad is on Holly's desktop.
8. If the shortcut does not appear, repeat steps 2 through 5.
9. Log off of LON-CL1.

Results: After this exercise, you should have created the required preference settings
successfully, and then applied them by using Group Policy Objects (GPOs).
Exercise 2: Managing Microsoft Office 2013 by Using Administrative Templates
Scenario
In order to manage the Office 2013 settings by using GPOs, you need to import the Office 2013
Administrative templates into a GPO. Then you need to verify that you can configure the settings and that
the settings are being applied to target computers.
The main tasks for this exercise are as follows:
1. Import the Office 2013 Administrative templates
2. Configure Office 2013 settings
3. Verify that the settings have been applied
Task 1: Import the Office 2013 Administrative templates
On LON-DC1, copy the Office 2013 Administrative template files from the E:\Labfiles\Mod05\Office 2013 folder to the PolicyDefinitions folder.
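The task leaves open which PolicyDefinitions folder is meant. Copying into the local %SystemRoot%\PolicyDefinitions on LON-DC1 makes the Office settings visible only in editors run on LON-DC1; copying into the SYSVOL central store, which the module's best practices recommend, makes every editor in the domain use the same template set. The following PowerShell is an added example, not part of the lab, that creates the central store if needed and copies the templates into it while preserving the language subfolders. The source folder is the lab's; treating the target as the central store is an assumption.

```powershell
# Added example (not part of the lab): copy the Office 2013 ADMX/ADML files into
# the domain's central store. Assumption: the lab's "PolicyDefinitions folder"
# is taken to be the SYSVOL central store, not the local one on LON-DC1.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$source = 'E:\Labfiles\Mod05\Office 2013'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Create the central store if it does not exist yet and seed it from the local
# PolicyDefinitions folder. Once the store exists, editors read only from it, so
# without the Windows templates the editor would show nothing but Office.
if (-not (Test-Path -LiteralPath $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
    Copy-Item -Path "$env:SystemRoot\PolicyDefinitions\*" -Destination $store -Recurse -Force
}

# .admx files belong in the root of the store; each .adml must stay in its
# language folder (en-US, de-DE, ...), so copy with the relative path intact.
$sourceRoot = $source.TrimEnd('\')
Get-ChildItem -Path $source -Recurse -Include *.admx, *.adml | ForEach-Object {
    $relative = $_.FullName.Substring($sourceRoot.Length + 1)
    $dest     = Join-Path $store $relative
    New-Item -Path (Split-Path $dest -Parent) -ItemType Directory -Force | Out-Null
    Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
}

# Sanity check: every .admx needs a matching .adml in the editor's language
# folder, or the Group Policy editor reports a missing resource file.
$lang = (Get-Culture).Name
Get-ChildItem -Path $store -Filter *.admx | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $store "$lang\$($_.BaseName).adml"))
} | ForEach-Object { Write-Warning "No $lang resource file for $($_.Name)" }

"Templates in central store: $((Get-ChildItem -Path $store -Filter *.admx).Count)"
```

Write to the store from one domain controller only and let SYSVOL replication carry it; the same copy run on two DCs at once produces replication conflicts.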
Task 2: Configure Office 2013 settings
1. On LON-DC1, create a new GPO named Office 2013.
2. Edit the Office 2013 GPO by enabling the Display Developer tab in the ribbon setting.
3. Edit the Office 2013 GPO by disabling the Replace text as you type setting.
Task 3: Verify that the settings have been applied
1. Log in to LON-CL1 as Adatum\Holly.
2. Run Microsoft Word on LON-CL1.
3. Verify that the Developer tab is present and that Microsoft Word is not auto correcting misspelled
words as you type.

Results: After this exercise, you should have successfully added the Microsoft Office 2013 administrative
template files to a GPO, customized Office 2013 settings, and validated the settings on a computer that is
in the GPO scope.
Exercise 3: Deploying Software by Using Group Policy
Scenario
In order to provide employees with a standardized XML editor, you need to deploy Microsoft XML
Notepad 2007 to all domain computers by using a GPO.
The main tasks for this exercise are as follows:
1. Deploy XML Notepad 2007 by using a new GPO
2. Verify that XML Notepad 2007 was successfully deployed on LON-CL1
Task 1: Deploy XML Notepad 2007 by using a new GPO
1. On LON-DC1, create a new GPO named Deploy XML Notepad, and link it to the domain.
2. Edit the GPO and configure the computer assigned software deployment of \\LON-DC1-
Mod05\xmlnotepad.msi.
Task 2: Verify that XML Notepad 2007 was successfully deployed on LON-CL1
1. Switch to LON-CL1, and then restart it.
2. Log in to LON-CL1 after restarting, and then verify that XML Notepad 2007 is installed.

Results: After this exercise, you should have successfully deployed XML Notepad 2007 to all domain-
joined computers and verified the installation on LON-CL1.
Exercise 4: Configuring Folder Redirection
Scenario
In order to help minimize profile sizes, your manager has asked you to configure folder redirection for the
branch office users. This will allow you to redirect several profile folders to each user's home drive.
The main tasks for this exercise are as follows:
1. Create a shared folder to store the redirected folders
2. Create a new GPO and link it to the Branch Office OU
3. Edit the folder redirection settings in the policy you created
4. Test the folder redirection settings
5. To prepare for the next module
Task 1: Create a shared folder to store the redirected folders
On LON-DC1, open File Explorer, and then create a folder and share it with Specific people by
using the following properties:
o Path: C:\Branch1\Redirect
o Share name: Branch1Redirect
o Permissions: Everyone, Read/Write
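A redirection root shared as Everyone, Read/Write is fine for the lab but not for a production branch. Every user's Documents folder ends up under that root, so the share should let users create only their own subfolder and never list or open anyone else's; Folder Redirection's default "Grant the user exclusive rights" setting then locks each subfolder down to the user and SYSTEM when it creates it. The following PowerShell is an added example, not part of the lab, that creates the same folder and share with the permission set Microsoft documents for redirected-folder roots. The group name Branch1 Users is an assumption.

```powershell
# Added example (not part of the lab): create the folder-redirection root with
# least-privilege permissions instead of Everyone Read/Write.
# Assumption not in the lab: the user group 'Branch1 Users'.
Import-Module ActiveDirectory, SmbShare

$path  = 'C:\Branch1\Redirect'
$share = 'Branch1Redirect'
$users = "$((Get-ADDomain).NetBIOSName)\Branch1 Users"

New-Item -Path $path -ItemType Directory -Force | Out-Null

function New-Ace([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    # Rights/Inherit/Propagate are the enum names as strings, e.g. 'FullControl',
    # 'ContainerInherit, ObjectInherit', 'InheritOnly'.
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# Start from an empty, non-inheriting DACL so nothing from C:\Branch1 leaks in.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# SYSTEM: Full Control on this folder, subfolders and files (Folder Redirection
# and backup run as SYSTEM).
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Administrators: Full Control on this folder only; they do not inherit into
# users' data and must take ownership deliberately if they need it.
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'None' 'None'))
# CREATOR OWNER: Full Control on subfolders and files only, so each user owns
# what Folder Redirection creates on their behalf.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Users: list the root and create a folder in it, this folder only. Nothing
# inside another user's subfolder is readable.
$acl.AddAccessRule((New-Ace $users 'ListDirectory, CreateDirectories, ReadAttributes, Synchronize' 'None' 'None'))
Set-Acl -Path $path -AclObject $acl

# Share permissions: no Everyone entry. Full Control for the group and for
# Administrators; NTFS does the real restriction.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -FullAccess $users, 'BUILTIN\Administrators' | Out-Null
}

Get-Acl -Path $path | Format-List Owner, AccessToString
Get-SmbShareAccess -Name $share
```

With this root in place the GPO in Task 3 is configured exactly as the lab describes; the only difference a user sees is that browsing to \\LON-DC1\Branch1Redirect shows the subfolder names but no contents other than their own.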
Task 2: Create a new GPO and link it to the Branch Office OU
1. On LON-DC1, open Group Policy Management.
2. Create and link a new GPO named Folder Redirection to the Branch Office 1 OU.
Task 3: Edit the folder redirection settings in the policy you created
1. Open the Folder Redirection GPO for editing.
2. Under User Configuration, browse to Folder Redirection, and then configure the Documents folder
properties to use the Basic - Redirect everyone's folder to the same location setting.
3. Ensure that the Target folder location is set to Create a folder for each user under the root path.
4. Specify the root path as \\LON-DC1\Branch1Redirect.
5. Close all open windows on LON-DC1.
Task 4: Test the folder redirection settings
1. Switch to LON-CL1.
2. Log in as Adatum\Administrator with the password Pa$$w0rd.
3. Open a Command Prompt window, and then run the gpupdate /force command to refresh
Group Policy.
4. Log off, and then log in as Adatum\Holly with the password Pa$$w0rd.
5. Browse to the desktop.
6. Right-click the desktop, and then use the Personalize menu to enable User's Files on the desktop.
7. From the desktop, open the Holly Dickson folder.
8. Right-click Documents, and then click Properties.
9. In the Documents Properties dialog box, note that the location of the folder is now the network
share, in a subfolder named for the user.
10. If the folder redirection is not evident, log off, and then log in again as Adatum\Holly with the password
Pa$$w0rd. Repeat steps 7 to 9. (Folder redirection is applied during synchronous foreground processing, so with fast logon optimization it can take a second logon to take effect.)
11. Log off of LON-CL1.
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the
following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411D-LON-CL1.

Results: After this exercise, you should have successfully configured folder redirection to a shared folder
on the LON-DC1 server.

Question: Which options can you use to separate a user's redirected folders to different servers?
Question: Can you name two methods you could use to assign a GPO to selected objects within
an organizational unit (OU)?
Question: You have created Group Policy preferences to configure new power options. How can
you ensure that they will be applied only to laptop computers?
Module Review and Takeaways
Best Practices Related to Group Policy Management
Include comments on GPO settings.
Use a central store for Administrative templates when client computers run Windows Vista or newer.
Use Group Policy preferences to configure settings that are not available in the policy settings.
Use Group Policy software installation to deploy packages in .msi format to a large number of users
or computers.
Common Issues and Troubleshooting Tips
Common Issue: You have configured folder redirection for an OU, but none of the users' folders is being
redirected to the network location. When you look in the root folder, you observe that a subdirectory
named for each user exists, but those subdirectories are empty.
Troubleshooting Tip:

Common Issue: You have assigned an application to an OU. After multiple logins, users report that the
application has not been installed.
Troubleshooting Tip:

Common Issue: You have computers running a mixture of the Windows XP operating system and the
Windows 8 operating system. After configuring several settings in the Administrative templates of a
GPO, users with the Windows XP operating system report that some settings are being applied and
others are not.
Troubleshooting Tip:

Common Issue: Group Policy preferences are not being applied.
Troubleshooting Tip:

Review Question(s)
Question: Why can some Group Policy settings take two log ins before going into effect?
Question: How can you support Group Policy preferences on Windows XP?
Question: What is the benefit of having a central store?
Question: What is the main difference between Group Policy settings and Group Policy
preferences?
Question: What is the difference between publishing and assigning software through Group
Policy?
Question: Can you use Windows PowerShell scripts as startup scripts?


Module 6
Installing, Configuring, and Troubleshooting the Network
Policy Server Role
Contents:
Module Overview 6-1
Lesson 1: Installing and Configuring a Network Policy Server 6-2
Lesson 2: Configuring RADIUS Clients and Servers 6-6
Lesson 3: NPS Authentication Methods 6-12
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 6-20
Lab: Installing and Configuring a Network Policy Server 6-26
Module Review and Takeaways 6-30

Module Overview
The Network Policy Server (NPS) role in the Windows Server 2012 operating system provides support for
the Remote Authentication Dial-In User Service (RADIUS) protocol, which you can configure as a RADIUS
server or proxy. Additionally, NPS provides Network Access Protection (NAP) services. To support remote
clients and to implement NAP, it is important that you know how to install, configure, and troubleshoot
NPS.
Objectives
After completing this module, you will be able to:
Install and configure NPS.
Configure RADIUS clients and servers.
Explain NPS authentication methods.
Monitor and troubleshoot NPS.
Lesson 1
Installing and Configuring a Network Policy Server
NPS is implemented as a server role in Windows Server 2012 and newer versions. While installing the NPS
role, you must decide whether to use NPS as a RADIUS server, RADIUS proxy, or a NAP policy server. After
the installation, you can use the NPS Management console or Windows PowerShell to configure NPS.
You must understand how to install and configure the NPS role in order to support your RADIUS or NAP
infrastructure.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the NPS role service.
Explain how to install NPS.
Describe the tools used to configure an NPS.
Explain how to configure general NPS settings.
What Is a Network Policy Server?
NPS enables you to create and enforce
organization-wide network access policies for
client health, connection request authentication,
and connection request authorization. You also
can use NPS as a RADIUS proxy to forward
connection requests to NPS or other RADIUS
servers that you configure in remote RADIUS
server groups.
You can use NPS to implement network-access
authentication, authorization, and client health
policies with any combination of the following
three functions:
RADIUS server
RADIUS proxy
NAP policy server
RADIUS Server
NPS performs centralized connection authentication, authorization, and accounting for wireless,
authenticating switch, dial-up, and virtual private network (VPN) connections. When using NPS as a
RADIUS server, you configure network access servers (NASs), such as wireless access points and VPN
servers, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authorize
connection requests, and you can configure RADIUS accounting so that NPS logs accounting information
to log files on the local hard disk or in a Microsoft SQL Server database.
NPS is the Microsoft implementation of a RADIUS server. NPS enables the use of a heterogeneous set of
wireless, switch, remote access, or VPN equipment. You can use NPS with the Routing and Remote Access
service, which is available in releases from the Windows 2000 operating system through the Windows
Server 2008 R2 operating system. In addition, you can use NPS with the new Remote Access role in
Windows Server 2012 and newer.

When an NPS server is a member of an Active Directory Domain Services (AD DS) domain, NPS uses
AD DS as its user-account database and provides single sign-on (SSO) capability. This means that the
same set of user credentials enables network-access control, such as authenticating and authorizing access
to a network, and access to resources within the AD DS domain.
Organizations that maintain network access, such as Internet service providers (ISPs), have the challenge
of managing a variety of network-access methods from a single administration point, regardless of the
type of network-access equipment they use. The RADIUS standard supports this requirement. RADIUS is a
client-server protocol that enables network-access equipment, when used as RADIUS clients, to submit
authentication and accounting requests to a RADIUS server.
A RADIUS server has access to user-account information, and can verify network-access authentication
credentials. If the user's credentials are authentic and RADIUS authorizes the connection attempt, the
RADIUS server then authorizes the user's access based on configured conditions, and logs the network-
access connection in an accounting log. Using RADIUS allows you to collect and maintain the network-
access user authentication, authorization, and accounting data in a central location, rather than on each
access server.
RADIUS Proxy
When using NPS as a RADIUS proxy, you configure connection request policies that indicate which
connection requests the NPS server will forward to other RADIUS servers and to which RADIUS servers you
want to forward connection requests. You also can configure NPS to forward accounting data for logging
by one or more computers in a remote RADIUS server group. With NPS, your organization also can
outsource its remote-access infrastructure to a service provider, while retaining control over user
authentication, authorization, and accounting. You can create NPS configurations for the following
solutions:
Wireless access.
Organization dial-up or VPN remote access.
Outsourced dial-up or wireless access.
Internet access.
Authenticated access to extranet resources for business partners.
NAP Policy Server
When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-
capable client computers that attempt to connect to the network. NPS also acts as a RADIUS server when
it is configured with NAP, performing authentication and authorization for connection requests. You can
configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and
remediation server groups that allow client computers to update their configuration to be compliant with
your organization's network policy.
Windows 7 and newer versions and Windows Server 2008 R2 and newer versions include NAP, which
helps protect access to private networks by ensuring that client computers are configured in accordance
with the organization's network health policies before they can connect to network resources.
Additionally, NAP monitors client computer compliance with the administrator-defined health policy
while the computer is connected to the network. NAP autoremediation allows you to ensure that
noncompliant computers are updated automatically, bringing them into compliance with health policy so
that they can connect to the network successfully.
System administrators define network health policies, and then build those policies from NAP
components that NPS provides or that third-party companies supply, depending on the NAP deployment.
Health policies can include software requirements, security-update requirements, and required-
configuration settings. NAP enforces health policies by inspecting and assessing the health of client
computers, restricting network access when client computers are deemed unhealthy, and remediating
unhealthy client computers for full network access.
Demonstration: Installing the Network Policy Server Role Service
This demonstration shows how to:
Install the NPS role service.
Register NPS in AD DS.
Demonstration Steps
Install the NPS Role
1. Switch to LON-DC1.
2. Open Server Manager, and then add the Network Policy and Access Services role.
3. Close Server Manager.
Register NPS in AD DS
1. Open the Network Policy Server console.
2. Register the server in AD DS.
3. Leave the Network Policy Server window open.
Tools for Configuring a Network Policy Server
After you install the Network Policy Server role,
you can open the Network Policy Server tool on
the Administrative Tools menu, or you can use the
Network Policy Server snap-in to create a custom
Microsoft Management Console (MMC) tool. You
also can use netsh commands to manage and
configure the NPS role.
The following tools enable you to manage the
Network Policy and Access Services server role:
Network Policy Server MMC snap-in. Use the
Network Policy Server MMC snap-in to
configure a RADIUS server, a RADIUS proxy,
or a NAP technology.
Windows PowerShell. You also can use Windows PowerShell cmdlets to configure and manage a
Network Policy Server. For example, to export the NPS configuration, you can use the
Export-NpsConfiguration -Path <filename> cmdlet.
Netsh commands for NPS. The netsh commands for NPS are a command set that is equivalent to all
configuration settings that are available through the NPS MMC snap-in. You can run netsh
commands manually at the netsh prompt or in administrator scripts.

One example of using netsh is that, after you install and configure NPS, you can save the
configuration by using the netsh nps show config > path\file.txt command. You then save the NPS
configuration with this command each time that you make a change.
Demonstration: Configuring General NPS Settings
This demonstration shows how to:
Configure a RADIUS server for VPN connections.
Save the configuration.
Demonstration Steps
Configure a RADIUS server for VPN connections
1. In the Network Policy Server console, launch the Configure VPN or Dial-Up Wizard.
2. Add LON-RTR as a RADIUS client.
3. Use a shared secret of Pa$$w0rd for authentication between the RADIUS client and the NPS server.
4. Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2) for authentication.
Save the configuration
1. Open Windows PowerShell.
2. Use the Export-NpsConfiguration -Path lon-dc1.xml command to save the configuration.
3. Examine this configuration with notepad.
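Both demonstrations above, installing and registering NPS and then adding LON-RTR as a RADIUS client and exporting the configuration, can be run from PowerShell on LON-DC1. The following script is an added example, not part of the course. It departs from the demonstration in one respect: the shared secret is generated rather than set to Pa$$w0rd, because the secret is the only thing that keys the Request and Response Authenticators and the User-Password obfuscation between the NAS and NPS, and a guessable one lets anyone on the path forge Access-Accepts. The address for LON-RTR is an assumption; the course does not give it.

```powershell
# Added example (not part of the course): install NPS, register it in AD DS, add
# LON-RTR as a RADIUS client with a generated secret, and export the configuration.
# Assumption not in the course: LON-RTR's RADIUS source address is 172.16.0.10.
Import-Module ServerManager

# Network Policy and Access Services, NPS role service, with the NPS console.
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools | Out-Null

# Register NPS in AD DS: puts the computer account into the "RAS and IAS Servers"
# group so NPS can read users' dial-in properties. Same effect as the console's
# "Register server in Active Directory".
netsh nps add registeredserver | Out-Null

# Random shared secret from printable ASCII (no quotes or backslash, which some
# NAS command lines mangle), built without modulo bias.
function New-RadiusSecret([int]$Length = 32) {
    $alphabet = [char[]]((33..126) | Where-Object { $_ -notin 34, 39, 92 })
    $limit    = 256 - (256 % $alphabet.Length)     # reject bytes at or above this
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}
$secret = New-RadiusSecret

# The address must be the source IP LON-RTR actually sends from; NPS discards
# RADIUS packets from addresses that are not a configured client.
Import-Module NPS
New-NpsRadiusClient -Name 'LON-RTR' -Address '172.16.0.10' `
    -SharedSecret $secret -VendorName 'RADIUS Standard' | Out-Null

# Give the secret to whoever configures LON-RTR out of band; do not leave it in
# a script or transcript.
Write-Host "Shared secret for LON-RTR (record it now, it is not shown again): $secret"

# Export-NpsConfiguration writes client shared secrets in clear text, so the XML
# is a credential file: restrict it to the current account before anything else.
$export = Join-Path $env:USERPROFILE 'lon-dc1.xml'
Export-NpsConfiguration -Path $export
icacls $export /inheritance:r /grant:r "${env:USERNAME}:(F)" | Out-Null

Get-NpsRadiusClient | Select-Object Name, Address, Enabled, VendorName
```

When you examine the exported XML as the demonstration suggests, look for the secret you just generated: its presence in plain text is the reason the file should live with the same controls as any other password store, and the same applies to output from netsh nps show config.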
Lesson 2
Configuring RADIUS Clients and Servers
RADIUS is an industry-standard authentication protocol that many vendors use to support the exchange
of authentication information between elements of a remote-access solution. To centralize your
organizations remote-authentication needs, you can configure NPS as a RADIUS server or a RADIUS
proxy. While configuring RADIUS clients and servers, you must consider several factors, such as the
RADIUS servers that will authenticate connection requests from RADIUS clients and the ports that RADIUS
traffic will use.
Lesson Objectives
After completing this lesson, you will be able to:
Describe a RADIUS client.
Describe a RADIUS Proxy.
Explain how to configure a RADIUS client.
Describe how to use a connection request policy.
Describe and configure connection request processing for a RADIUS proxy environment.
Explain how to create a new connection request policy.
What Is a RADIUS Client?
RADIUS clients are usually NASs such as wireless access points, 802.1X authenticating switches, and
VPN servers. A network access server (NAS) is defined as a device that provides access to a larger
network. You can configure a NAS to act as a RADIUS client. RADIUS clients communicate with a RADIUS
server for authentication, authorization, and accounting. By default, RADIUS devices communicate with
each other over UDP ports 1812 (authentication) and 1813 (accounting), or over the older ports 1645 and
1646 that some equipment still uses; NPS listens on both pairs. End-user computing devices such as
wireless laptop computers, tablets, and other computing devices are not typically RADIUS clients. These
types of devices are clients of the NAS devices. In addition to deploying NPS as a RADIUS server, a RADIUS
proxy, or a NAP policy server, you must also configure RADIUS clients in NPS.
RADIUS Client Examples
Examples of network access servers include the following:
NASs that provide remote access connectivity to an organizations network or the Internet. For
example, a computer that is running the Windows Server 2012 operating system and the Remote
Access Service (RAS) that provides either traditional dial-up or VPN remote access services to an
organizations intranet.
Wireless access points that provide physical-layer access to an organizations network by using
wireless-based transmission and reception technologies.

Switches that provide physical-layer access to an organizations network using traditional local area
network (LAN) technologies, such as Ethernet.
NPS-based RADIUS proxies that forward connection requests to RADIUS servers that are members of
a remote RADIUS server group that you configure on the RADIUS proxy, or other RADIUS proxies.
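NPS only answers RADIUS packets from configured clients, but it still accepts the packets on every interface, which exposes the service to anyone who can send UDP to it. The lesson's point about deciding which ports RADIUS traffic uses is more useful when it is turned into a firewall rule scoped to the client addresses NPS already knows about. The following PowerShell is an added example, not part of the course; it reads the RADIUS client list from NPS, resolves any names to addresses, and restricts the four RADIUS ports to those addresses while disabling the built-in any-source rules. It assumes it runs on the NPS server with Windows Firewall enabled on the domain profile.

```powershell
# Added example (not part of the course): limit inbound RADIUS on the NPS server
# to the addresses of its configured RADIUS clients.
# Assumptions: run on the NPS server; Windows Firewall on; NPS and NetSecurity
# modules available (both ship with Windows Server 2012).
Import-Module NPS, NetSecurity

# Addresses from the RADIUS client list. Client entries may be an IP, a CIDR
# range, or a DNS name; names are resolved here because firewall rules take
# addresses only.
$clients = Get-NpsRadiusClient | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.Address -match '^[0-9A-Fa-f:.]+(/\d+)?$') {
        $_.Address
    } else {
        [System.Net.Dns]::GetHostAddresses($_.Address) | ForEach-Object { $_.IPAddressToString }
    }
} | Select-Object -Unique
if (-not $clients) { throw 'No enabled RADIUS clients defined; not creating a rule that allows nothing.' }

# One rule per port pair, bound to the NPS service (service name IAS) so the
# opening cannot be reused by another process listening on the same port.
$rules = @(
    @{ Name = 'NPS RADIUS authentication (scoped)'; Ports = 1812, 1645 },
    @{ Name = 'NPS RADIUS accounting (scoped)';     Ports = 1813, 1646 }
)
foreach ($r in $rules) {
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort $r.Ports -RemoteAddress $clients -Profile Domain `
        -Program "$env:SystemRoot\System32\svchost.exe" -Service 'IAS' | Out-Null
}

# The predefined "Network Policy Server" rules allow any remote address; turn
# the inbound ones off so only the scoped rules remain.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } | Disable-NetFirewallRule

# Show what is open and to whom.
Get-NetFirewallRule -DisplayName 'NPS RADIUS*' | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Ports  = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

Rerun the script whenever a RADIUS client is added or its address changes; a NAS that is in the NPS client list but not in the rule is dropped by the firewall before NPS ever logs a request, which looks like a shared-secret problem from the NAS side.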
What Is a RADIUS Proxy?
A RADIUS proxy routes RADIUS messages
between RADIUS clients and RADIUS servers that
perform user authentication, authorization, and
accounting for the connection attempt.
As a RADIUS proxy, NPS is a central switching or
routing point through which RADIUS access and
accounting messages flow. NPS records
information in an accounting log about forwarded
messages.
You can use NPS as a RADIUS proxy when:
You are a service provider who offers
outsourced dial, VPN, or wireless network-access services to multiple customers.
In this case, your NAS sends connection requests to the NPS RADIUS proxy that your company maintains
on its premises. Based on the realm portion of the user name in the connection request, the proxy
forwards the request to a RADIUS server that the customer maintains, and that server authenticates and
authorizes the connection attempt.
You want to provide authentication and authorization for user accounts that are not:
o Members of the domain in which the NPS server is a member.
o Members of a domain that has a two-way trust with the NPS server's member domain.
This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of
configuring your access servers to send their connection requests to an NPS RADIUS server, you can
configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy
uses the realm-name portion of the user name, and then forwards the request to an NPS server in the
correct domain or forest. Connection attempts for user accounts in one domain or forest can be
authenticated for a NAS in another domain or forest.
You want to perform authentication and authorization by using a database that is not a Windows
account database.
In this case, NPS forwards connection requests that match a specified realm name to a RADIUS server
that has access to a different database of user accounts and authorization data. An example of
another user database is a Microsoft SQL Server database.
You want to process a large number of connection requests.
In this case, instead of configuring your RADIUS clients to attempt to balance their connection and
accounting requests across multiple RADIUS servers, you can configure them to send their connection
and accounting requests to an NPS RADIUS proxy.
The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across
multiple RADIUS servers, and it increases processing of large numbers of RADIUS clients and
authentications each second.

You want to provide RADIUS authentication and authorization for outsourced service providers and
minimize intranet firewall configuration.
An intranet firewall sits between your intranet and your perimeter network; a perimeter network is the
network between your intranet and the Internet. If you place an NPS server on your perimeter network,
the firewall between the perimeter network and the intranet must allow traffic between the NPS server
and multiple domain controllers, because a domain-joined NPS server needs the full set of domain
protocols to authenticate users.
If you replace that NPS server with an NPS proxy, the firewall needs to allow only RADIUS traffic between
the NPS proxy and one or more NPS servers within your intranet.
Demonstration: Configuring a RADIUS Client
This demonstration shows how to configure a RADIUS client.
Demonstration Steps
1. Switch to LON-RTR.
2. Open Routing and Remote Access.
3. Disable the existing configuration.
4. Reconfigure LON-RTR as a VPN server with the following information:
Public interface: Ethernet 2
The VPN server allocates addresses from the pool: 172.16.0.100 to 172.16.0.110
Option to configure the server with: Yes, set up this server to work with a RADIUS server
Primary RADIUS server: LON-DC1
Secret: Pa$$w0rd
5. Start the VPN service.
What Is a Connection Request Policy?
Connection request policies are sets of conditions
and settings that allow network administrators to
designate which RADIUS servers perform
authentication and authorization of connection
requests that the NPS server receives from RADIUS
clients. You can configure connection request
policies to designate which RADIUS servers to use
for RADIUS accounting.
Note: You can export connection request policies, other NPS policies, and the entire NPS
server configuration from one NPS server, and then import them to a different NPS server. Use the
netsh command-line utility or the Export-NpsConfiguration and Import-NpsConfiguration
cmdlets in Windows PowerShell to perform exports and imports.

You can create a series of connection request policies so that some RADIUS request messages sent from
RADIUS clients are processed locally, and NPS functions as a RADIUS server, and so that other types of
messages are forwarded to another RADIUS server, where NPS functions as a RADIUS proxy. This is useful
in a multi-domain environment where some requests should go to a different RADIUS server.
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on a
variety of factors, including:
The time of day and day of the week.
The realm name in the connection request.
The connection type that you are requesting.
The RADIUS client's IP address.
Conditions
Connection request policy conditions are one or more RADIUS attributes that are compared to the
attributes of the incoming RADIUS access request message. If multiple conditions exist, NPS enforces the
policy only if all of the conditions in the connection request message and in the connection request policy
match.
Settings
Connection request policy settings are a set of properties that are applied to an incoming RADIUS
message. Settings consist of the following groups of properties:
Authentication
Accounting
Attribute manipulation
Advanced
Default Connection Request Policy
When you install NPS, a default connection request policy named Use Windows authentication for all
users is created. Its only condition is a day-and-time restriction that covers every hour of every day, so
it matches every incoming request, and it has the following settings:
Authentication is not configured, so the authentication methods of the matching network policy apply.
Accounting is not configured to forward accounting information to a remote RADIUS server group.
Attribute manipulation is not configured with rules that change attributes in forwarded connection
requests.
Forwarding Request is set to authenticate requests on this server, which means that the local NPS server
authenticates and authorizes connection requests instead of forwarding them.
Advanced attributes are not configured.
The default connection request policy therefore uses NPS as a RADIUS server. To configure an NPS server
to act as a RADIUS proxy, you also must configure a remote RADIUS server group. You can create a new
remote RADIUS server group while you are creating a new connection request policy with the New
Connection Request Policy Wizard. Because the default policy matches everything, you must either delete
it or verify that it is the last policy in the processing order; otherwise it matches first and no request is
ever forwarded.
Note: If you installed NPS and the Routing and Remote Access service on the same
computer, and you configure the Routing and Remote Access service for Windows authentication
and accounting, it is possible for Routing and Remote Access service authentication and
accounting requests to be forwarded to a RADIUS server. This can occur when Routing and
Remote Access service authentication and accounting requests match a connection request
policy that is configured to forward them to a remote RADIUS server group.
Configuring Connection Request Processing
The default connection request policy uses NPS as
a RADIUS server, and processes all authentication
requests locally.
Considerations for Configuring
Connection Request Processing
When configuring connection request processing,
consider the following:
To configure an NPS server to act as a
RADIUS proxy and forward connection
requests to other NPS or RADIUS servers, you
must configure a remote RADIUS server
group, and then add a new connection request policy that specifies conditions and settings that the
connection requests must match.
You can use the New Connection Request Policy Wizard to create a new remote RADIUS server group
while you create the new connection request policy.
If you do not want the NPS server to act as a RADIUS server and process connection requests locally,
you can delete the default connection request policy.
If you want the NPS server to act as both a RADIUS server, by processing connection requests locally,
and as a RADIUS proxy, by forwarding some connection requests to a remote RADIUS server group,
then you should add a new policy, and then verify that the default connection request policy is the
last policy processed.
Ports for RADIUS and Logging
By default, NPS listens for RADIUS traffic on UDP ports 1812, 1813, 1645, and 1646, over both IPv6 and
IPv4, on all installed network adapters.
Note: If you disable either IPv4 or IPv6 on a network adapter, NPS does not monitor
RADIUS traffic for the disabled protocol on that adapter.
The values of 1812 for authentication and 1813 for accounting are the RADIUS standard ports defined in
Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866,
"RADIUS Accounting." However, many existing access servers, and legacy access servers in particular,
use port 1645 for authentication requests and port 1646 for accounting requests by default. When you
decide which port numbers to use, make sure that you configure NPS and the access server to use the
same port numbers. If you do not use the RADIUS default port numbers, you must also create firewall
exceptions on the local computer to allow RADIUS traffic on the new ports. RADIUS messages are
protected only by the shared secret, so scope those exceptions to the source addresses of your RADIUS
clients rather than opening the ports to any host.
Configuring NPS UDP Port Information
You can use the following procedure to configure the User Datagram Protocol (UDP) ports that NPS uses
for RADIUS authentication and accounting traffic.

Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
To configure the NPS UDP port information by using the Windows interface, follow these steps:
1. Open the NPS console.
2. Right-click Network Policy Server, and then click Properties.
3. Click the Ports tab, and then examine the settings for ports.
4. If your RADIUS authentication and RADIUS accounting UDP ports vary from the provided default
values 1812 and 1645 for authentication and 1813 and 1646 for accounting, type your port settings in
Authentication and Accounting.
Note: To use multiple port settings for authentication or accounting requests, separate the
port numbers with commas.
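A check to run after changing the port settings above, as an added example that is not part of the course text: it confirms that NPS is actually bound to each configured RADIUS UDP port on IPv4 and IPv6 and that an enabled inbound firewall rule allows it. It assumes the NetTCPIP and NetSecurity modules that ship with Windows Server 2012; the port list defaults to the NPS defaults and is passed explicitly when you use other ports.

```powershell
# Added example (not from the course): verify NPS UDP listeners and matching inbound firewall rules.
# Assumes the Get-NetUDPEndpoint / Get-NetFirewall* cmdlets of Windows Server 2012 and later.
function Test-NpsRadiusPorts {
    param([int[]]$Ports = @(1812, 1813, 1645, 1646))

    # Enabled inbound allow rules that carry a UDP port filter; collected once, matched per port.
    $inboundUdpFilters = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'UDP' }

    foreach ($port in $Ports) {
        $endpoints = @(Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)

        $ruleNames = @($inboundUdpFilters |
            Where-Object { @($_.LocalPort) -contains "$port" -or @($_.LocalPort) -contains 'Any' } |
            Get-NetFirewallRule | Select-Object -ExpandProperty DisplayName)

        [pscustomobject]@{
            Port          = $port
            Purpose       = if ($port -in 1812, 1645) { 'Authentication' } else { 'Accounting' }
            ListeningIPv4 = [bool]($endpoints | Where-Object { $_.LocalAddress -match '^\d+\.\d+\.\d+\.\d+$' })
            ListeningIPv6 = [bool]($endpoints | Where-Object { $_.LocalAddress -match ':' })
            FirewallRules = ($ruleNames -join '; ')
            # A port that NPS listens on without a rule is unreachable; a rule without a listener is
            # an exposed port that NPS is not serving. Both are worth a look.
            Status        = if ($endpoints.Count -gt 0 -and $ruleNames.Count -gt 0) { 'OK' } else { 'CHECK' }
        }
    }
}

# Usage: defaults, or the ports you typed into the Ports tab.
# Test-NpsRadiusPorts | Format-Table -AutoSize
# Test-NpsRadiusPorts -Ports 1812, 1813 | Format-Table -AutoSize
```

Rules whose LocalPort is Any also count as a match, so a result of OK does not by itself prove that the rule is narrowly scoped; review the listed rule names, and their remote address filters, when the port is one you opened yourself.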
Demonstration: Creating a Connection Request Policy
This demonstration shows how to create a VPN connection request policy.
Demonstration Steps
1. On LON-DC1, switch to the Network Policy Server console.
2. View the existing Connection Request Policies. The wizard created these automatically when you
specified the NPS role of this server.
3. Create a new Connection Request Policy with the following settings:
Type of network access server: Remote Access Server (VPN-Dial up)
Condition: NAS Port Type as Virtual (VPN)
Other settings: default values
4. Assign the new policy the highest priority.
Lesson 3
NPS Authentication Methods
Authentication is the process of verifying the identity of a user or computer that is attempting to connect
to a network. NPS must receive proof of identity from the user or computer in the form of credentials.
NPS authenticates and authorizes a connection request before allowing or denying access when users
attempt to connect to your network through NASs, also known as RADIUS clients. These NASs can be
devices such as wireless access points, 802.1X authenticating switches, dial-up servers, and VPN servers.
When you deploy NPS, you can specify the required type of authentication method for access to your
network.
Some authentication methods implement the use of password-based credentials. The NAS then passes
these credentials to the NPS server, which verifies the credentials against the user accounts database.
Other authentication methods implement the use of certificate-based credentials for the user, the client
computer, the NPS server, or some combination of the three. Certificate-based authentication methods
provide strong security and we recommend them over password-based authentication methods.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the password-based authentication methods for an NPS server.
Describe how to use certificates to provide authentication for network clients.
Describe the types of certificates that various authentication methods require.
Describe how to deploy certificates for Protected Extensible Authentication Protocol (PEAP) and
Extensible Authentication Protocol (EAP).
Password-Based Authentication Methods
Any authentication method has advantages and
disadvantages in terms of security, usability, and
breadth of support. However, password-based
authentication methods do not provide strong
security, because malicious individuals can guess,
crack, or phish passwords, and, for that reason, we
do not recommend them. Instead, consider using a
certificate-based authentication method for all
network access methods that support certificate
use. This is especially true for wireless connections.
For these types of connections, consider using
PEAP-TLS or, where you cannot yet deploy client
certificates, PEAP-MS-CHAP v2, which still uses a
password but carries the exchange inside a TLS
tunnel that the NPS server's certificate protects.
The configuration of the NAS determines the authentication method you require for the client computer
and network policy on the NPS server. Consult your access server documentation to determine which
authentication protocols are supported.
You can configure NPS to accept multiple authentication protocols. You also can configure your NASs,
also called RADIUS clients, to attempt to negotiate a connection with client computers by requesting the
use of the most secure protocol first, then the next most secure, and so on, down to the least secure. For
example, the Routing and Remote Access service tries to negotiate a connection by using the following
protocols in the order shown:

1. EAP
2. MS-CHAP v2
3. MS-CHAP
4. Challenge Handshake Authentication Protocol (CHAP)
5. Shiva Password Authentication Protocol (SPAP)
6. Password Authentication Protocol (PAP)
When you choose EAP as the authentication method, the negotiation of the EAP type occurs between the
access client and the NPS server.
MS-CHAP Version 2
MS-CHAP v2 provides stronger security for network access connections than its predecessor, MS-CHAP.
MS-CHAP v2 is a mutual-authentication process in which the password itself never crosses the link;
only one-way hashes derived from it do. It works as follows:
1. The authenticator, which is either the NAS or the NPS server, sends a challenge to the access client
that consists of a session identifier and an arbitrary challenge string.
2. The access client sends a response that contains:
The user name.
An arbitrary peer-challenge string.
A one-way hash of the received challenge string, the peer-challenge string, the session
identifier, and the user's password.
3. The authenticator checks the client's response, and then sends back a response that contains:
An indication of the connection attempt's success or failure.
An authenticated response based on the sent challenge string, the peer-challenge string, the
client's hashed response, and the user's password.
4. The access client verifies the authentication response and, if correct, uses the connection. If the
authentication response is not correct, the access client terminates the connection.
A captured challenge/response pair can be attacked offline, because the response is built from DES
operations on the password hash. Use MS-CHAP v2 inside a PEAP tunnel rather than directly on the link.
MS-CHAP
MS-CHAP, also known as MS-CHAP version 1, is a nonreversible, encrypted password-authentication
protocol.
The challenge handshake process works as follows:
1. The authenticator, which is the NAS or the NPS server, sends a challenge to the access client that
consists of a session identifier and an arbitrary challenge string.
2. The access client sends a response that contains the user name and a nonreversible hash of the
challenge string, the session identifier, and the password.
3. The authenticator checks the response and, if valid, authenticates the user's credentials.
Note: If you use MS-CHAP, MS-CHAP v2, or EAP-TLS as the authentication protocol, then
you can use Microsoft Point-to-Point Encryption to encrypt the data that was sent on the Point-
to-Point Protocol or Point-to-Point Tunneling Protocol (PPTP) connection.
MS-CHAP v2 provides stronger security for network access connections than MS-CHAP. Therefore, we
recommend using MS-CHAP v2 instead of MS-CHAP.
CHAP
CHAP is a challenge-response authentication protocol that uses the industry-standard MD5 hashing
scheme to compute the response. Various vendors of NASs and clients use CHAP. A server that is running
Routing and Remote Access supports CHAP, so access clients that require CHAP are authenticated.
Because CHAP requires the authenticating server to know the plaintext password, it only works for
accounts whose passwords AD DS stores with reversible encryption. That setting keeps a recoverable
form of the password in the directory, where anyone who can read or replicate the account (a domain
administrator, or an attacker with directory replication rights) can retrieve it in cleartext. You
should therefore consider using another authentication protocol, such as MS-CHAP v2, and, if CHAP is
unavoidable, enable reversible encryption only for the specific accounts that need it, never domain-wide.
Additional Considerations
When implementing CHAP, consider the following:
When users' passwords expire, CHAP does not provide the ability for them to change passwords
during the authentication process.
Verify that your NAS supports CHAP before you enable it on an NPS server's network policy. For more
information, refer to your NAS documentation.
You cannot use Microsoft Point-to-Point Encryption with CHAP.
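Before enabling CHAP in a network policy, it is worth measuring how much reversible-encryption exposure the domain already carries and scoping any new exposure to single accounts. The following is an added example, not part of the course text; it assumes the ActiveDirectory PowerShell module and domain-level read rights, and the group names it treats as privileged are the built-in ones.

```powershell
# Added example (not from the course): audit and scope the reversible-encryption setting that CHAP needs.
Import-Module ActiveDirectory

function Get-ReversiblePasswordExposure {
    # Per-account flag: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PASSWORD_ALLOWED). The LDAP
    # matching rule 1.2.840.113556.1.4.803 does a bitwise AND, so only flagged accounts return.
    $flagged = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
        -Properties PasswordLastSet, MemberOf)

    # Policies can switch it on for everyone they apply to, which is the case to rule out first.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    $fgppsOn = @(Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled } | Select-Object -ExpandProperty Name)

    # Direct membership only; nested group membership is not expanded here.
    $privileged = @($flagged | Where-Object {
        $_.MemberOf -match 'CN=(Domain Admins|Enterprise Admins|Administrators),'
    } | Select-Object -ExpandProperty SamAccountName)

    [pscustomobject]@{
        DomainPolicyReversible = $domainPolicy.ReversibleEncryptionEnabled
        FineGrainedPoliciesOn  = $fgppsOn
        FlaggedAccountCount    = $flagged.Count
        PrivilegedFlagged      = $privileged
        FlaggedAccounts        = @($flagged | Select-Object SamAccountName, PasswordLastSet)
    }
}

function Enable-ChapForAccount {
    # Scopes the setting to one account. The recoverable form is only written when the password is
    # next set, so a change at next logon is forced; existing hashes are not converted.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -AllowReversiblePasswordEncryption $true -ChangePasswordAtLogon $true
}

# Usage:
# Get-ReversiblePasswordExposure
# Enable-ChapForAccount -SamAccountName 'svc-legacy-nas'
```

A non-empty PrivilegedFlagged list, or a domain policy with ReversibleEncryptionEnabled set, is a finding in its own right regardless of whether CHAP is in use.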
PAP
PAP uses plaintext passwords and is the least secure authentication protocol. It typically is only negotiated
if the access client and NAS cannot negotiate a more secure authentication method. When you enable
PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the
packets of the authentication process can read the password easily, and then use it to gain unauthorized
access to your intranet. We strongly discourage the use of PAP, especially for VPN connections.
Unauthenticated Access
With unauthenticated access, user credentials such as a user name and password are not required.
Although there are some situations in which unauthenticated access is useful, in most cases, we do not
recommend that you deploy unauthenticated access to your organization's network.
When you enable unauthenticated access, users can access your network without sending user credentials.
Additionally, unauthenticated access clients do not negotiate the use of a common authentication
protocol during the connection establishment process, and they do not send NPS a user name or
password.
If you permit unauthenticated access, clients can connect without being authenticated if the
authentication protocols that are configured on the access client do not match the authentication
protocols that are configured on the NAS. In this case, the use of a common authentication protocol is not
negotiated, and the access client does not send a user name and password. This circumstance creates a
serious security problem. Therefore, you should not allow unauthenticated access on most networks.
Using Certificates for Authentication
Certificates are digital documents that certification
authorities (CAs) issue, such as Active Directory
Certificate Services (AD CS) or the VeriSign public
CA. You can use certificates for many purposes,
such as code signing and securing email
communication. However, with NPS, you use
certificates for network access authentication
because they provide strong security for
authenticating users and computers, and
eliminate the need for less secure, password-
based authentication methods. NPS servers use
EAP-TLS and PEAP to perform certificate-based
authentication for many types of network access, including VPN and wireless connections.
Authentication Methods
You can configure two authentication methods, EAP and PEAP, to use certificate-based authentication.
You use EAP to configure the authentication type TLS (EAP-TLS), and PEAP to configure the
authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAP v2). These authentication
methods always use certificates for server authentication. Depending on the authentication type that you
configure with the authentication method, you also might use certificates for user authentication and
client computer authentication.
Note: Using certificates for VPN connection authentication is the strongest form of
authentication available in Windows Server. You must use certificates for Internet Protocol
security (IPsec) authentication on VPN connections that are based on Layer Two Tunneling
protocol (L2TP) over IPsec. PPTP connections do not require certificates, although you can
configure PPTP connections to use certificates for computer authentication when you use EAP-
TLS as the authentication method. For wireless clients such as computing devices with wireless
network adapters, such as your portable computer or personal digital assistant, use PEAP with
EAP-TLS and smart cards or certificates for authentication.
Note: You can deploy certificates for use with NPS by installing and configuring the AD CS
server role.
Mutual Authentication
When you use EAP with a strong EAP type, such as TLS with smart cards or certificates, the client and the
server use certificates to verify their identities to each other. This is called mutual authentication.
Certificates must meet specific requirements to allow the server and the client to use them for mutual
authentication.
One such requirement is configuring the certificate with one or more purposes in extended key usage
(EKU) extensions to correlate with the actual certificate use. For example, you must configure a certificate
that you use for a client's authentication with the Client Authentication purpose. Similarly, you must
configure a certificate that you use for a server's authentication with the Server Authentication purpose.
When you use certificates for authentication, the authenticator examines the client certificate, seeking the
correct purpose object identifier in EKU extensions. For example, the object identifier for the Client
Authentication purpose is 1.3.6.1.5.5.7.3.2. When you use a certificate for client computer authentication,
this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

Certificate Templates
Certificate Templates is an MMC snap-in that enables customization of the certificates that AD CS issues.
Customization possibilities include how you use certificates and what the certificates contain, including
their purposes. In Certificate Templates, you can duplicate a default template, such as the Computer
template, to customize the template that the CA uses to assign certificates to computers. You also can
customize a duplicated certificate template and assign purposes to it in EKU extensions. By default, the
Computer template includes the Client Authentication purpose and the Server Authentication purpose in
EKU extensions.
The certificate template that you customize can include any purpose for which you will use the certificate.
For example, if you use smart cards for authentication, you can include the Smart Card Logon purpose as
well as the Client Authentication purpose. When using NPS, you can configure NPS to check certificate
purposes before granting network authorization. NPS can check additional EKUs and Issuance Policy
purposes, also known as Certificate Policies.
Note: Some non-Microsoft CA software might contain a purpose named All, which
represents all possible purposes. This is indicated by a blank, or null, EKU extension. Although All
is intended to mean all possible purposes, you cannot substitute the All-purpose for the Client
Authentication purpose, the Server Authentication purpose, or any other purpose that is related
to network access authentication.
Required Certificates for Authentication
The following table details the certificates that are required to deploy each of the listed
certificate-based authentication methods successfully.

| Certificate | Required for EAP-TLS and PEAP-TLS? | Required for PEAP-MS-CHAP v2? | Details |
|---|---|---|---|
| CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User | Yes. The CA certificate is enrolled automatically for domain member computers. For non-domain member computers, you must import the certificate manually into the certificate store. | Yes. This certificate is enrolled automatically for domain member computers. For non-domain member computers, you must import the certificate manually into the certificate store. | For PEAP-MS-CHAP v2, this certificate is required for mutual authentication between client and server: the client uses it to validate the NPS server's certificate. |
| Client computer certificate in the certificate store of the client | Yes. Client computer certificates are required unless user certificates are distributed on smart cards. Client certificates are enrolled automatically for domain member computers. For non-domain member computers, you must import the certificate manually or obtain it with the Web enrollment tool. | No. User authentication is performed with password-based credentials, not certificates. | If you deploy user certificates on smart cards, client computers do not need client certificates. |
| Server certificate in the certificate store of the NPS server | Yes. Server certificates are distributed automatically to members of the RAS and IAS Servers group in AD DS (IAS, Internet Authentication Service, is the earlier name of NPS). | Yes. In addition to using AD CS for server certificates, you can purchase server certificates from other CAs that computers already trust. | The NPS server sends the server certificate to the client computer. The client computer uses the certificate to authenticate the NPS server. |
| User certificate on a smart card | Yes, unless client computer certificates are deployed; one of the two must be present. | No. User authentication is performed with password-based credentials, not certificates. | For EAP-TLS and PEAP-TLS, if you do not auto-enroll client computer certificates, user certificates on smart cards are required. |
The Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard provides
authenticated access to 802.11 wireless networks and wired Ethernet networks. 802.1X provides support
for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS
in a variety of ways.
If you configure the Validate server certificate option on the client, the client authenticates the server by
using its certificate. You accomplish client computer and user authentication by using certificates from the
client certificate store or a smart card, establishing mutual authentication.
With wireless clients, you can use PEAP-MS-CHAP v2 as the authentication method. PEAP-MS-CHAP v2 is
a password-based user authentication method that uses TLS with server certificates. During PEAP-MS-
CHAP v2 authentication, if you configure the Validate server certificate option on the client, the NPS
server supplies a certificate to validate its identity to the client. You accomplish client computer and user
authentication with passwords, which eliminates some of the difficulty of deploying certificates to wireless
client computers.
Deploying Certificates for PEAP and EAP
All certificates that you use for network access
authentication with EAP-TLS and PEAP must meet
the requirements for X.509 certificates and work
for connections that use Secure Sockets
Layer/Transport Layer Security (SSL/TLS). After this
minimum requirement is met, both client and
server certificates have additional requirements.
Minimum Server Certificate
Requirements
You can configure clients to validate server
certificates by using the Validate server certificate
option within the authentication protocols
properties. With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the client
accepts the server authentication attempt when the certificate meets the following requirements:
The Subject name contains a value. If you issue a certificate to your NPS server that has a blank
Subject, the certificate is not available to authenticate your NPS server. Follow these steps to
configure the certificate template with a Subject name:
1. Open Certificate Templates.
2. In the details pane, right-click a duplicated certificate template that you want to change, and
then click Properties.
3. Click the Subject Name tab, and then click Build from this Active Directory information.
4. From the Subject name format drop-down list, select a value other than None.
The computer certificate on the server chains to a trusted root CA and does not fail any of the checks
that CryptoAPI performs (validity period, signature, revocation) or that the remote access or network
policies specify.
The NPS or VPN server computer certificate is configured with the Server Authentication purpose in
EKU extensions. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
The server certificate is configured with a required algorithm value of RSA. Follow these steps to
configure the required cryptography setting:
1. Open Certificate Templates.
2. In the details pane, right-click a duplicated certificate template that you want to change, and
then click Properties.
3. Click the Cryptography tab. From the Algorithm name drop-down menu, select RSA. Ensure
that Minimum key size is set to 2048.
The Subject Alternative Name (SubjectAltName) extension, if present, must contain the server's fully
qualified domain name (FQDN). Follow these steps to configure the certificate template with the
Domain Name System (DNS) name of the enrolling server:
1. Open Certificate Templates.
2. In the details pane, right-click a duplicated certificate template that you want to change, and
then click Properties.
3. Click the Subject Name tab, and then click Build from this Active Directory information.
4. In Include this information in alternate subject name area, select DNS name.

With PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate
store, except the following:
Certificates that do not contain the Server Authentication purpose in EKU extensions.
Certificates that do not contain a subject name.
Registry-based and smart card-logon certificates.
Minimum Client Certificate Requirements
With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets
the following requirements:
An enterprise CA issued the client certificate or it is mapped to an Active Directory user or computer
account.
The user or computer certificate on the client chains to a trusted-root CA, and the certificate includes
the Client Authentication purpose in EKU extensions. The object identifier for Client Authentication is
1.3.6.1.5.5.7.3.2. Cryptography Application Programming Interface (CryptoAPI) performs checks on
the certificates based on remote access and/or network policies.
The 802.1X client does not use registry-based certificates that are either smart card-logon or
password-protected certificates.
For user certificates, the Subject Alternative Name extension in the certificate contains the user
principal name (UPN). Follow these steps to configure the UPN in a certificate template:
1. Open Certificate Templates.
2. In the details pane, right-click a duplicated certificate template that you want to change, and
then click Properties.
3. Click the Subject Name tab, and then click Build from this Active Directory information.
4. In the Include this information in alternate subject name area, select User principal name
(UPN).
For computer certificates, the Subject Alternative Name extension in the certificate must contain the
client's FQDN, also known as the DNS name. Follow these steps to configure this name in the
certificate template:
1. Open Certificate Templates.
2. In the details pane, right-click a duplicated certificate template that you want to change, and
then click Properties.
3. Click the Subject Name tab, and then click Build from this Active Directory information.
4. In the Include this information in alternate subject name area, select DNS name.
With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in,
with the following exceptions:
Wireless clients do not display registry-based and smart card-logon certificates.
Wireless clients and VPN clients do not display password-protected certificates.
Clients do not display certificates that lack the Client Authentication purpose in EKU extensions.
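The server and client requirements listed in this topic can be checked on a certificate before it is selected in an NPS policy or on an 802.1X client. The following is an added example, not part of the course text; it uses only the .NET X509 classes that ship with Windows, applies the OIDs, subject, SAN and 2048-bit RSA requirements stated above, and performs online revocation checking, so run it where the CA's CRL distribution point is reachable.

```powershell
# Added example (not from the course): test a certificate against the NPS server or client requirements.
function Test-NpsCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('Server', 'Client')][string]$Role = 'Server'
    )
    process {
        $findings    = New-Object System.Collections.Generic.List[string]
        $requiredEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

        # 1. A blank Subject makes the certificate unselectable on the NPS server.
        if ([string]::IsNullOrWhiteSpace($Certificate.Subject)) { $findings.Add('Subject is blank') }

        # 2. The EKU must list the specific purpose; an absent "all purposes" EKU does not satisfy NPS.
        $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus   = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekus -notcontains $requiredEku) { $findings.Add("EKU lacks $requiredEku ($Role Authentication)") }

        # 3. SAN: DNS name for servers and computers, UPN for user certificates.
        $sanExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
        if ($Role -eq 'Server' -and $sanExt -and $sanText -notmatch 'DNS Name=') {
            $findings.Add('SAN is present but contains no DNS name')
        }
        if ($Role -eq 'Client' -and $sanText -notmatch 'DNS Name=|Principal Name=') {
            $findings.Add('SAN has neither a DNS name (computer) nor a UPN (user)')
        }

        # 4. RSA key of at least 2048 bits.
        if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
            $findings.Add('Key algorithm is not RSA')
        } elseif ($Certificate.PublicKey.Key.KeySize -lt 2048) {
            $findings.Add("RSA key is only $($Certificate.PublicKey.Key.KeySize) bits")
        }

        # 5. Chain to a trusted root with the CryptoAPI validity and revocation checks.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        if (-not $chain.Build($Certificate)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings.Add("Chain build failed: $status")
        }

        # 6. TLS needs the private key; a certificate without it cannot authenticate anything.
        if (-not $Certificate.HasPrivateKey) { $findings.Add('No private key in this store') }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Role       = $Role
            Usable     = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: candidates for the NPS server certificate, then for a client computer or user certificate.
# Get-ChildItem Cert:\LocalMachine\My | Test-NpsCertificate -Role Server | Format-Table -AutoSize
# Get-ChildItem Cert:\CurrentUser\My  | Test-NpsCertificate -Role Client | Format-Table -AutoSize
```

A certificate that passes every check here can still be refused by NPS if the network policy adds its own EKU or issuance-policy conditions; those are policy settings, not certificate properties, and are checked on the server at authentication time.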
Lesson 4
Monitoring and Troubleshooting a Network Policy Server
You can monitor NPS by configuring and using logging for events and user authentication and
accounting requests. Event logging enables you to record NPS events in the system and security event
logs. You can use request logging for connection analysis and billing purposes. The information that the
log files collect is useful for troubleshooting connection attempts and for security investigation.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the methods for monitoring NPS.
Describe how to configure log file properties.
Describe how to configure Microsoft SQL Server logging in NPS.
Describe how to configure NPS events to record in Event Viewer.
Methods Used to Monitor NPS
The two types of accounting, or logging, that you
can use to monitor NPS are:
Event logging for NPS. You can use event
logging to record NPS events in the system
and security event logs. You use this primarily
for auditing and troubleshooting connection
attempts.
Logging user authentication and accounting
requests. You can log user authentication and
accounting requests to log files in text format
or database format, or you can log to a stored
procedure in a Microsoft SQL Server database.
Use request logging primarily for connection analysis and billing purposes, and as a security
investigation tool, because it enables you to identify an attacker's activity, such as repeated failed
authentication attempts from one RADIUS client or against a series of accounts.
To make the most effective use of NPS logging:
Turn on logging initially for authentication and accounting records. Modify these selections after you
determine what is appropriate for your environment.
Ensure that you configure event logging with sufficient capacity to maintain your logs.
Back up all log files on a regular basis because you cannot recreate them when they are damaged or
deleted.
Use the RADIUS Class attribute to track usage and simplify identification of which department or user
to charge for usage. Although the Class attribute, which is generated automatically, is unique for
each request, duplicate records might exist in cases where the reply to the access server is lost and the
request is re-sent. You might need to delete duplicate requests from your logs to track usage
accurately.
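The accounting log is only a security investigation tool if someone reads it. The following is an added example, not part of the course text: it parses DTS Compliant NPS log records (one XML Event element per line), drops the retransmitted requests that the Class attribute bullet describes, and reports RADIUS clients that generate a burst of Access-Reject messages. The log lines are constructed for the example; the element names, the Packet-Type values (2 is Access-Accept, 3 is Access-Reject) and Reason-Code 16 (credential mismatch) are those of the DTS format.

```powershell
# Added example (not from the course): detect reject bursts in DTS Compliant NPS accounting logs.
# Constructed sample: one success and one typo from LON-RTR, then four rejects against four
# accounts from LON-WAP1 inside twelve seconds, one of them a retransmission (same Class value).
$sampleLog = @'
<Event><Timestamp data_type="4">05/20/2014 08:01:12.345</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\alice</User-Name><Client-IP-Address data_type="3">172.16.0.21</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 1</Class><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2014 08:02:40.100</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">172.16.0.21</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 2</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2014 08:03:01.010</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\administrator</User-Name><Client-IP-Address data_type="3">172.16.0.99</Client-IP-Address><Client-Friendly-Name data_type="1">LON-WAP1</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 3</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2014 08:03:05.220</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\admin</User-Name><Client-IP-Address data_type="3">172.16.0.99</Client-IP-Address><Client-Friendly-Name data_type="1">LON-WAP1</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 4</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2014 08:03:06.230</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\admin</User-Name><Client-IP-Address data_type="3">172.16.0.99</Client-IP-Address><Client-Friendly-Name data_type="1">LON-WAP1</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 4</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2014 08:03:09.400</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\root</User-Name><Client-IP-Address data_type="3">172.16.0.99</Client-IP-Address><Client-Friendly-Name data_type="1">LON-WAP1</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 5</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2014 08:03:13.150</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\svc-backup</User-Name><Client-IP-Address data_type="3">172.16.0.99</Client-IP-Address><Client-Friendly-Name data_type="1">LON-WAP1</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Class data_type="1">311 1 172.16.0.10 05/20/2014 07:00:00 6</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

function Get-NpsField([System.Xml.XmlElement]$Element, [string]$Name) {
    $node = $Element.SelectSingleNode($Name)
    if ($node) { $node.InnerText }
}

function ConvertFrom-NpsDtsLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $packetNames = @{ '1' = 'Access-Request'; '2' = 'Access-Accept'; '3' = 'Access-Reject'; '4' = 'Accounting-Request' }
    $seen = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*<Event>') { continue }
        $ev    = ([xml]$line).Event
        $class = Get-NpsField $ev 'Class'
        $type  = Get-NpsField $ev 'Packet-Type'
        # NPS generates one Class value per request; a second record with the same Class and
        # packet type is the retransmission described in the text and is dropped here.
        $key = "$class|$type"
        if ($class -and $seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $reason = Get-NpsField $ev 'Reason-Code'
        [pscustomobject]@{
            Timestamp  = [datetime]::ParseExact((Get-NpsField $ev 'Timestamp'), 'MM/dd/yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            UserName   = Get-NpsField $ev 'User-Name'
            ClientIP   = Get-NpsField $ev 'Client-IP-Address'
            ClientName = Get-NpsField $ev 'Client-Friendly-Name'
            PacketType = $packetNames[$type]
            ReasonCode = if ($reason) { [int]$reason } else { $null }
        }
    }
}

function Find-NpsRejectBursts {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 3, [int]$WindowMinutes = 10)
    $Events | Where-Object { $_.PacketType -eq 'Access-Reject' } | Group-Object ClientIP | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Timestamp)
        # Slide a window over this client's rejects and keep the densest one.
        $worst = 0
        foreach ($start in $sorted) {
            $end   = $start.Timestamp.AddMinutes($WindowMinutes)
            $count = @($sorted | Where-Object { $_.Timestamp -ge $start.Timestamp -and $_.Timestamp -lt $end }).Count
            if ($count -gt $worst) { $worst = $count }
        }
        if ($worst -ge $Threshold) {
            $users = @($sorted | Select-Object -ExpandProperty UserName | Sort-Object -Unique)
            [pscustomobject]@{
                ClientIP        = $_.Name
                ClientName      = $sorted[0].ClientName
                RejectsInWindow = $worst
                DistinctUsers   = $users.Count
                Users           = ($users -join ', ')
            }
        }
    }
}

# Usage with the constructed sample, then against live log files (default file names begin with IN).
$events = ConvertFrom-NpsDtsLog -Lines ($sampleLog -split "`r?`n")
Find-NpsRejectBursts -Events $events -Threshold 3 -WindowMinutes 10 | Format-Table -AutoSize
# ConvertFrom-NpsDtsLog -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\IN*.log") | Find-NpsRejectBursts
```

With the sample input the bob reject from LON-RTR is a single failure and is ignored, while LON-WAP1 is reported once with the retransmitted admin request counted a single time. Grouping by ClientIP catches password spraying through one NAS; group the same events by UserName to catch a brute-force against one account spread over many access points.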

To provide failover and redundancy with Microsoft SQL Server logging, place two computers that are
running Microsoft SQL Server on different subnets. Use the Microsoft SQL Server Create Publication
Wizard to set up database replication between the two servers. For more information, refer to the
Microsoft SQL Server documentation.
Note: To interpret logged data, view the information on the Microsoft TechNet website:
Interpret NPS Database Format Log Files
http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409
Logging NPS Accounting
You can configure NPS to perform RADIUS
accounting for user authentication requests,
Access-Accept messages, Access-Reject messages,
accounting requests and responses, and periodic
status updates. You can use this procedure to
configure the log files where you want to store
the accounting data.
Considerations for Configuring
Accounting for NPS
The following list provides more information
about configuring NPS accounting:
To send the log file data for collection by another process, you can configure NPS to write to a
named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The
named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. To use
named pipes:
o In the Local File Properties dialog box, in the Create a new log file area, select Never
(unlimited file size).
To create the log file directory, instead of user variables, use system environment variables such as
%systemdrive%, %systemroot%, and %windir%. For example, the following path, using the
environment variable %windir%, locates the log file at the system directory in the subfolder
\System32\Logs, that is, %windir%\System32\Logs\.
Switching log-file formats does not cause NPS to create a new log file. If you change log file formats,
the file that is active when the change occurs will contain a mixture of the two formats: records at the
start of the log will have the previous format, and records at the end of the log will have the new
format. Any tool that parses the log must tolerate this, or you must start a new file when you switch.
If you are administering an NPS server remotely, you cannot browse the directory structure. If you
need to log accounting information to a remote server, specify the log file name by typing a Universal
Naming Convention (UNC) name, such as \\MyLogServer\LogShare. The NPS server's computer account must
have write permission on that share, because the Network Policy Server service runs as Local System
and therefore authenticates to the share as the computer account.
If RADIUS accounting fails due to a full hard-disk drive or other causes, NPS stops processing
connection requests. This fail-closed behavior prevents users from accessing network resources, so a
full log disk or an unreachable log share is effectively a denial of service for every RADIUS client;
monitor free space on the log volume and the availability of any remote log share.
NPS enables you to log to a Microsoft SQL Server database in addition to, or instead of, logging to a
local file.

6-22 Installing, Configuring, and Troubleshooting the Network Policy Server Role
Note: If you do not supply a full path statement in Log File Directory, the default path is
used. For example, if you type NPSLogFile in Log File Directory, the file is located at
%systemroot%\System32\NPSLogFile.
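The following Python script, added here as an illustration and not part of the course or of NPS itself, reads DTS Compliant records (one XML <Event> element per line, using the field names from the Interpret NPS Database Format Log Files article), tolerates the mixed-format file described above by counting any record that is not XML instead of failing on it, and then summarizes Access-Accept and Access-Reject results per user to separate a brute-force pattern (one account, many credential failures) from a password-spray pattern (many accounts, one failure each). The log lines, the computer name LON-DC1, the RADIUS client LON-RTR at 10.10.0.1, the user names, and the detection thresholds are constructed for the example; Reason-Code 16 is the NPS code for a user-credential mismatch and 8 the code for a nonexistent account.

```python
"""Summarize NPS DTS-compliant (XML) accounting records and flag credential attacks.

Added example, not course or Microsoft code. Sample records are constructed.
"""
import collections
import xml.etree.ElementTree as ET

# Packet-Type values in the log are the RADIUS codes from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
# Reason-Code values as documented for NPS
REASON_SUCCESS = 0
REASON_NO_SUCH_USER = 8          # the specified user account does not exist
REASON_CREDENTIAL_MISMATCH = 16  # user name or password incorrect


def _event(ts, user, packet_type, reason=None, client="10.10.0.1"):
    """Build one record in the layout NPS writes for the DTS Compliant format.

    data_type mirrors what NPS emits (0 integer, 1 string, 3 IPv4, 4 time); the
    parser below does not depend on it.  Constructed sample data.
    """
    fields = [
        ("Timestamp", 4, ts), ("Computer-Name", 1, "LON-DC1"), ("Event-Source", 1, "IAS"),
        ("User-Name", 1, user), ("Client-IP-Address", 3, client),
        ("Client-Friendly-Name", 1, "LON-RTR"), ("Packet-Type", 0, packet_type),
    ]
    if reason is not None:
        fields.append(("Reason-Code", 0, reason))
    body = "".join(f'<{n} data_type="{t}">{v}</{n}>' for n, t, v in fields)
    return f"<Event>{body}</Event>"


SAMPLE_LOG = "\n".join([
    _event("01/15/2014 09:00:01.000", "ADATUM\\alice", ACCESS_REQUEST),
    _event("01/15/2014 09:00:01.050", "ADATUM\\alice", ACCESS_ACCEPT, REASON_SUCCESS),
    _event("01/15/2014 09:00:02.000", "ADATUM\\alice", ACCOUNTING_REQUEST),
    # A record left over in the previous (non-XML) format after a format switch
    "LON-DC1,IAS,01/15/2014,09:00:03,3,ADATUM\\bob",
    _event("01/15/2014 09:00:04.000", "ADATUM\\bob", ACCESS_REJECT, REASON_CREDENTIAL_MISMATCH),
    _event("01/15/2014 09:00:05.000", "ADATUM\\bob", ACCESS_REJECT, REASON_CREDENTIAL_MISMATCH),
    _event("01/15/2014 09:00:06.000", "ADATUM\\bob", ACCESS_REJECT, REASON_CREDENTIAL_MISMATCH),
    _event("01/15/2014 09:00:07.000", "ADATUM\\carol", ACCESS_REJECT, REASON_CREDENTIAL_MISMATCH),
    _event("01/15/2014 09:00:08.000", "ADATUM\\dave", ACCESS_REJECT, REASON_CREDENTIAL_MISMATCH),
    _event("01/15/2014 09:00:09.000", "ADATUM\\zed", ACCESS_REJECT, REASON_NO_SUCH_USER),
])


def parse_log(text):
    """Return (list of field dicts, number of records skipped because they are not XML).

    NPS does not start a new file when the format changes, so one file can hold
    records in two formats; non-XML lines are counted rather than treated as errors.
    """
    events, other_format = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("<Event>"):
            other_format += 1
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events, other_format


def summarize_by_user(events):
    """Per-user accept and reject counts; rejects caused by a wrong credential are counted separately."""
    stats = collections.defaultdict(lambda: {"accept": 0, "reject": 0, "bad_credential": 0})
    for ev in events:
        ptype = int(ev.get("Packet-Type", "0"))
        user = ev.get("User-Name", "")
        if ptype == ACCESS_ACCEPT:
            stats[user]["accept"] += 1
        elif ptype == ACCESS_REJECT:
            stats[user]["reject"] += 1
            if int(ev.get("Reason-Code", "-1")) == REASON_CREDENTIAL_MISMATCH:
                stats[user]["bad_credential"] += 1
    return dict(stats)


def classify_attack(stats, brute_force_threshold=3, spray_threshold=3):
    """Return (brute-force accounts, sprayed accounts). Only credential-mismatch rejects count;
    a nonexistent-account reject is noise, not a guessed password. Thresholds are illustrative."""
    brute = sorted(u for u, s in stats.items() if s["bad_credential"] >= brute_force_threshold)
    failed = sorted(u for u, s in stats.items() if s["bad_credential"] >= 1)
    spray = failed if len(failed) >= spray_threshold else []
    return brute, spray


if __name__ == "__main__":
    events, other = parse_log(SAMPLE_LOG)
    stats = summarize_by_user(events)
    brute, spray = classify_attack(stats)
    print(f"{len(events)} XML records parsed, {other} record(s) in another format skipped")
    for user, s in sorted(stats.items()):
        print(f"{user:14} accept={s['accept']} reject={s['reject']} bad_credential={s['bad_credential']}")
    print("brute-force candidates:", brute)
    print("password-spray candidates:", spray)
```

Point the script at a real log by replacing SAMPLE_LOG with the contents of the file in %systemroot%\System32\LogFiles; in production, add a time window to the counters, because a spray is defined by many distinct accounts failing within minutes, not over the life of a monthly log.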
Configuring Log File Properties
To configure log file properties by using the Windows interface, follow these steps:
1. Open the Network Policy Server MMC snap-in.
2. In the console tree, click Accounting.
3. In the details pane, click Change Log File Properties.
4. In Log File Properties, on the Log File tab, in Directory, type the location where you want to store
NPS log files. The default location is the %systemroot%\System32\LogFiles folder.
5. From the Format drop-down menu, select from DTS Compliant, ODBC (Legacy), and IAS (Legacy).
6. To configure NPS to start new log files at specified intervals, click the interval that you want to use:
For heavy transaction volume and logging activity, click Daily.
For lower transaction volumes and logging activity, click Weekly or Monthly.
To store all transactions in one log file, click Never (unlimited file size).
To limit the size of each log file, click When log file reaches this size, and then type a file size,
after which a new log is created. The default size is 10 megabytes (MB).
7. To configure NPS to delete log files automatically when the disk is full, click When disk is full delete
older log files. If the oldest log file is the current log file, it is not deleted.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
Configuring Microsoft SQL Server Logging
You can configure NPS to perform RADIUS accounting to a Microsoft SQL Server database. You can use
this procedure to configure logging properties and the connection to the running Microsoft SQL Server
that stores your accounting data. The Microsoft SQL Server database can be on the local computer or on
a remote server.
Note: NPS formats accounting data as an XML document that it sends to the report_event stored
procedure in the Microsoft SQL Server database that you designate in NPS. For Microsoft SQL Server
logging to function properly, you must have a stored procedure named report_event in the Microsoft
SQL Server database that can receive and parse the XML documents from NPS.
Configuring Microsoft SQL Server Logging in NPS
To configure Microsoft SQL Server logging in NPS using the Windows interface, follow these steps:
1. Open the Network Policy Server MMC snap-in.
2. In the console tree, click Accounting.
3. In the details pane, click Change SQL Server Logging Properties. The SQL Server Logging
Properties dialog box opens.
4. In the Log the following information area, select the information that you want to log:
To log all accounting requests, select Accounting requests.
To log authentication requests, select Authentication requests.
To log periodic status, such as interim accounting requests, select Periodic accounting status.
To log periodic status, such as interim authentication requests, select Periodic authentication
status.
5. To configure the number of concurrent sessions that you want to allow between the NPS server and
the Microsoft SQL Server database, type a number in the Maximum number of concurrent sessions
box.
6. To configure the Microsoft SQL Server data source, click Configure. The Data Link Properties dialog
box opens. On the Connection tab, specify the following:
To specify the name of the server on which the database is stored, type or select a name in the
Select or enter a server name box.
To specify the authentication method with which to sign in to the server, click Use Windows NT
integrated security, or click Use a specific user name and password, and then type your
credentials in the User name and Password boxes. Prefer Windows integrated security: you then grant
the NPS server's computer account rights on the database, and no SQL login has to be stored.
To allow a blank password, select Blank password. Do not use this outside a test lab.
To store the password, select Allow saving password. The password is then kept in the connection
string that NPS saves with its configuration, so anyone who can read the NPS configuration or an
exported copy of it obtains the SQL login.
To specify to which database to connect on the computer that is running Microsoft SQL Server,
click Select the database on the server, and then select a database name from the list.
7. To test the connection between the NPS server and the computer that is running Microsoft SQL
Server, click Test Connection.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
Configuring NPS Events to Record in the Event Viewer
You can configure NPS event logging to record connection request failure and success events in the
Event Viewer system log.
Configuring NPS Event Logging
To configure NPS event logging by using the Windows interface, perform the following tasks:
1. Open the Network Policy Server snap-in.
2. Right-click NPS (Local), and then click Properties.
3. On the General tab, select each of the following options, as required, and then click OK:
Rejected authentication requests.
Successful authentication requests.
Note: To complete this procedure, you must be a member of the Domain Admins group or
the Enterprise Admins group.
Using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure
NPS to record. NPS records connection request failure events in the System and Security event logs by
default. Connection request failure events consist of requests that NPS rejects or discards. Other NPS
authentication events are recorded in the Event Viewer. Note that the Event Viewer security log might
record some events containing sensitive data.
Connection Request Failure Events
Although NPS records connection request failure events by default, you can change the configuration
according to your logging needs. NPS rejects or ignores connection requests for a variety of reasons,
including the following:
The RADIUS message is not formatted according to RFC 2865, "Remote Authentication Dial-In User
Service (RADIUS)," and RFC 2866, "RADIUS Accounting."
The RADIUS client is unknown.
The RADIUS client has multiple IP addresses and has sent the request on an address other than the
one that you define in NPS.
The Message-Authenticator attribute that the client sent is invalid. NPS documentation also calls this
attribute a digital signature, but it is an HMAC-MD5 over the packet keyed with the shared secret
(RFC 2869), so a mismatch almost always means that the client and NPS are configured with different
shared secrets.
NPS was unable to locate the user name's domain.
NPS was unable to connect to the user name's domain.
NPS was unable to access the user account in the domain.
When NPS rejects a connection request, the information in the event text includes the user name, access
server identifiers, the authentication type, the name of the matching network policy, and the reason for
the rejection.
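The following Python script, added as an example that is not part of the course text or of any Microsoft code, shows the two integrity checks behind the shared-secret failure in the list above. A RADIUS client computes Message-Authenticator (attribute 80) as an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's own 16-byte value set to zero (RFC 2869 section 5.14); NPS recomputes it with its copy of the secret and rejects the request when the values differ. In the other direction the client checks the Response Authenticator in the reply, MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865 section 3. The shared secret, identifier, and user name used here are constructed for the example.

```python
"""RADIUS Message-Authenticator (RFC 2869 s5.14) and Response Authenticator (RFC 2865 s3).

Added example, not course or Microsoft code. Secret and user name are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_attribute(packet, attr_type):
    """Return (value_offset, value) of the first attribute of that type, else None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None  # malformed length: RFC 2865 says silently discard the packet
        if atype == attr_type:
            return pos + 2, packet[pos + 2:pos + alen]
        pos += alen
    return None


def build_access_request(identifier, request_auth, attrs, secret):
    """Access-Request whose last attribute is a valid Message-Authenticator."""
    attrs = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes


def verify_message_authenticator(packet, secret):
    """What NPS does: recompute the HMAC with its own secret over the packet with the
    attribute value zeroed. False for a wrong secret or a missing attribute."""
    found = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    offset, received = found
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(code, identifier, request_auth, attrs, secret):
    """Reply whose Authenticator field is the Response Authenticator bound to the request."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """What the RADIUS client does: the reply must come from a holder of the same secret
    and must be bound to the Request Authenticator it sent (no replay of old replies)."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"Pa$$w0rd"  # the lab's shared secret; far too short for production use
    request_auth = os.urandom(16)  # the client's random Request Authenticator
    attrs = attribute(ATTR_USER_NAME, b"ADATUM\\alice") + attribute(ATTR_NAS_IP_ADDRESS, bytes([10, 10, 0, 1]))
    req = build_access_request(42, request_auth, attrs, secret)
    print("NPS with the same secret :", verify_message_authenticator(req, secret))        # True
    print("NPS with another secret  :", verify_message_authenticator(req, b"wrongsecret"))  # False
    reject = build_response(ACCESS_REJECT, 42, request_auth, b"", secret)
    print("client checks the reply  :", verify_response(reject, request_auth, secret))    # True
```

Run as a script, it prints True for the matching secret and False for a client configured with a different secret, which is the condition behind the "invalid message authenticator" rejection. Both checks rest on MD5 and HMAC-MD5 keyed only by the shared secret, and anyone who captures one request/response pair can guess the secret offline, so use long random secrets (the template in the lab is a teaching convenience) and, where the access server supports it, carry RADIUS over IPsec.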

Connection Request Success Events
Although NPS records connection request success events by default, you can change the configuration
according to your logging needs. When NPS accepts a connection request, the information in the event
text includes the user name, access server identifiers, the authentication type, and the name of the first
matching network policy.
Logging Schannel Events
Secure channel (Schannel) is a security support provider (SSP) that implements the SSL and TLS
protocols, which provide identity authentication and private communication through encryption. NPS
uses Schannel when it validates client certificates for certificate-based methods such as EAP-TLS and
for the TLS tunnel of PEAP.
Logging of client-certificate validation failures is a Schannel event and is not enabled on the NPS
server by default. You can enable additional Schannel events by changing the following registry value
from 1 (REG_DWORD, data 0x00000001, errors only) to 3 (REG_DWORD, data 0x00000003, errors and
warnings); the events appear in the System log with the source Schannel:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
Lab: Installing and Configuring a Network Policy Server
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, United
Kingdom. An Information Technology (IT) office and data center located in London supports the London
office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client
infrastructure.
A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN
servers that are located at different points to provide connectivity for its employees. You are responsible
for performing the tasks necessary to support these VPN connections.
Objectives
After completing this lab, you will be able to:
Install and configure NPS to support RADIUS.
Configure and test a RADIUS client.
Lab Setup
Estimated Time: 45 minutes
Virtual Machines: 20411D-LON-DC1, 20411D-LON-RTR, 20411D-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20411D-LON-DC1, and then, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
User name: Adatum\Administrator
Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411D-LON-RTR and 20411D-LON-CL2.
Exercise 1: Installing and Configuring NPS to Support RADIUS
Scenario
You have been tasked with installing an NPS into the existing infrastructure to be used for RADIUS
services. In this exercise, you will configure the RADIUS server with appropriate templates to help manage
any future implementations. You also need to configure Accounting to log authentication information to
a local text file on the server.
The main tasks for this exercise are as follows:
1. Install and Configure the Network Policy Server
2. Configure NPS Templates
3. Configure RADIUS Accounting
Task 1: Install and Configure the Network Policy Server
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Using Server Manager, install the Network Policy and Access Services role by using default values
to complete the installation wizard.
4. Open the Network Policy Server console, and then register the server in Active Directory.
5. Leave the Network Policy Server console open.
Task 2: Configure NPS Templates
1. Create a new Shared Secrets template with the following properties:
Name: Adatum Secret
Shared secret: Pa$$w0rd
2. Create a new RADIUS Clients template with the following properties:
Friendly name: LON-RTR
Address (IP or DNS): LON-RTR
Shared Secret: Use Adatum Secret template
3. Leave the Network Policy Server console open.
Task 3: Configure RADIUS Accounting
1. In the Network Policy Server console, launch the Accounting Configuration Wizard.
2. Choose the Log to a text file on the local computer option, and then use the default values to
complete the wizard.
3. Leave the Network Policy Server console open.

Results: After this exercise, you should have enabled and configured Network Policy Server (NPS) to
support Remote Authentication Dial-In User Service (RADIUS) in the required environment.
Exercise 2: Configuring and Testing a RADIUS Client
Scenario
You need to configure a server as a VPN server and a RADIUS client, including the client configuration,
and then you need to modify the Network Policy settings.
The main tasks for this exercise are as follows:
1. Configure a RADIUS Client
2. Configure a Network Policy for RADIUS
3. Test the RADIUS Configuration
4. To Prepare for the Next Module
Task 1: Configure a RADIUS Client
1. Create a RADIUS client by using the following property:
Template: LON-RTR
2. Leave the console open, and then switch to LON-RTR.
3. Sign in as Adatum\Administrator with the password Pa$$w0rd.
4. Open Routing and Remote Access, and Disable Routing and Remote Access.
5. Select Configure and Enable Routing and Remote Access.
6. Reconfigure LON-RTR as a VPN server:
Ethernet 2 is the public interface
The VPN server allocates addresses from the pool 172.16.0.100 to 172.16.0.110
The server is configured with the option Yes, set up this server to work with a RADIUS server.
Primary RADIUS server: LON-DC1
Secret: Pa$$w0rd
The VPN service starts.
Task 2: Configure a Network Policy for RADIUS
1. Switch to LON-DC1.
2. Switch to the Network Policy Server console.
3. Disable the two existing network policies. These will interfere with the processing of the policy that
you are about to create.
4. Create a new Network Policy by using the following properties:
Policy name: Adatum VPN Policy
Type of network access server: Remote Access Server(VPN-Dial up)
Condition: NAS Port Type = Virtual (VPN)
Permission: Access granted
Authentication methods: default
Constraints: default
Settings: default
Task 3: Test the RADIUS Configuration
1. Switch to LON-CL2 and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Create a new VPN connection with the following properties:
Internet address to connect to: 10.10.0.1
Destination name: Adatum VPN
Allow other people to use this connection: true
3. After you create the VPN, modify its settings by viewing the properties of the connection, and then
selecting the Security tab. Use the following settings to reconfigure the VPN:
Type of VPN: Point-to-Point Tunneling Protocol (PPTP)
Authentication: Allow these protocols = Microsoft CHAP Version 2 (MS-CHAP v2)
PPTP with MS-CHAP v2 is used here only because it needs no certificates in the lab. The MS-CHAP v2
exchange can be cracked offline from a single captured handshake, so production VPNs should use a
certificate-based method such as PEAP or EAP-TLS, and a tunnel such as L2TP/IPsec, IKEv2, or SSTP.
4. Test the VPN connection. Use the following credentials:
User name: Adatum\Administrator
Password: Pa$$w0rd
Task 4: To Prepare for the Next Module
When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform
the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411D-LON-RTR and 20411D-LON-DC1.

Results: After this exercise, you should have deployed a VPN server, and then configured it as a RADIUS
client.
Question: What does a RADIUS proxy provide?
Question: What is a RADIUS client, and what are some examples of RADIUS clients?
Module Review and Takeaways
Review Question(s)
Question: How can you make the most effective use of the NPS logging features?
Question: What consideration must you follow if you choose to use a nonstandard port
assignment for RADIUS traffic?
Question: Why must you register the NPS server in AD DS?
Tools
Tool: Network Policy Server
Use for: Managing and creating network policy
Where to find it: Network Policy Server on the Administrative Tools menu

Tool: Netsh command-line tool
Use for: Creating administrative scripts for configuring and managing the Network Policy Server role
Where to find it: In a Command Prompt window, type netsh -c nps (or netsh nps) to administer the
Network Policy Server role from a command prompt

Tool: Event Viewer
Use for: Viewing logged information from application, system, and security events
Where to find it: Event Viewer on the Administrative Tools menu

Module 7
Implementing Network Access Protection
Contents:
Module Overview 7-1
Lesson 1: Overview of Network Access Protection 7-2
Lesson 2: Overview of NAP Enforcement Processes 7-7
Lesson 3: Configuring NAP 7-13
Lesson 4: Configuring IPsec Enforcement for NAP 7-18
Lesson 5: Monitoring and Troubleshooting NAP 7-27
Lab: Implementing Network Access Protection 7-31
Module Review and Takeaways 7-37

Module Overview
Your network is only as secure as the least-secure computer attached to it. Many programs and tools exist
to help you to secure your network-attached computers, such as antivirus or malware detection software.
However, if the software on some of your computers is not up to date, or if you have not enabled or
configured them correctly, then these computers could pose a security risk.
Computers that remain within the office environment and always connect to the same network are
relatively easy for you to keep configured and updated. Computers that connect to different networks,
especially unmanaged networks, are less easy to control. For example, it is difficult to control laptop
computers that users use to connect to customer networks or public Wi-Fi hotspots. Furthermore,
unmanaged computers that are seeking to connect remotely to your network, such as users connecting
from their home computers, also pose a challenge.
Network Access Protection (NAP) enables you to create customized health-requirement policies to
validate computer health before allowing computers to access the network or communicate with other
computers on the network. Additionally, NAP can update compliant computers automatically to ensure
their ongoing compliance, and can limit the access of noncompliant computers to a restricted network
until they become compliant.
Objectives
After completing this module, you will be able to:
Describe how NAP can help protect your network.
Describe the various NAP enforcement processes.
Configure NAP.
Monitor and troubleshoot NAP.
7-2 Implementing Network Access Protection
Lesson 1
Overview of Network Access Protection
NAP is a policy-enforcement platform that is built into all Windows client operating systems beginning
with Windows XP with Service Pack 3 (SP3), and all Windows Server operating systems beginning with
Windows Server 2008. You can use NAP to protect network assets more strongly by enforcing compliance
with system-health requirements. NAP provides the necessary software components to help ensure that
computers connected or connecting to your network remain manageable, so that they do not become a
security risk to your enterprise's network and other attached computers. Understanding the
functionality and limitations of NAP will help you protect your network from the security risks posed
by noncompliant computers.
Lesson Objectives
After completing this lesson, you will be able to:
Explain what NAP is and how you can use NAP to enforce computer health requirements.
Describe the scenarios in which you would use NAP.
Describe the NAP enforcement methods.
Describe the architecture of a NAP-enabled network infrastructure.
What Is Network Access Protection?
NAP provides components and an application programming interface (API) that can help enforce
compliance with your organization's health-requirement policies for network access or communication.
NAP enables you to create solutions for validating computers that connect to your networks, and to
provide necessary updates or access to requisite health-update resources. Additionally, NAP enables you
to limit the access or communication of noncompliant computers. You can integrate NAP's enforcement
features with software from other vendors or with custom programs.
It is important to remember that NAP does not protect a network from hackers. Rather, it helps you
maintain the health of your organization's networked computers automatically, which in turn helps
maintain your network's overall integrity. For example, if a computer has all of the software and
configuration settings that the health policy requires, the computer is compliant and will have
unlimited network access. However, NAP does not prevent an authorized user with a compliant computer
from uploading malware or malicious software to the network or engaging in other inappropriate
behavior. The statement of health that NAP evaluates is produced by agents on the client itself, so a
compromised or deliberately misconfigured client can report itself as compliant; NAP is a hygiene
control, not an attestation of the client's integrity.
How to use NAP
You can use NAP in three distinct ways:
To validate the health state. When a computer attempts to connect to the network, NAP validates the
computers health state against the health-requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated, and NAP logs the compliance state of each computer for
analysis. In a limited access environment, computers that comply with the health-requirement policies

have unlimited network access, and computers that do not comply with health-requirement policies
have access limited to a restricted network.
To enforce health-policy compliance. You can help ensure compliance with health-requirement
policies by choosing to update noncompliant computers automatically with missing software updates
or configuration changes through management software, such as Microsoft System Center 2012
Configuration Manager. In a monitoring-only environment, computers have network access before they
receive the required updates or configuration changes. In a limited access environment, noncompliant
computers have limited access until the updates and configuration changes are complete. In both
environments, computers that are compatible with NAP can become compliant automatically, and you can
define exceptions for computers that are not NAP compatible.
To limit network access. You can protect your networks by limiting the access of noncompliant
computers. You can base limited network access on a specific amount of time, or on what resources
that the noncompliant computer can access. In the latter case, you define a restricted network that
contains health update resources, and the limited access will last until the noncompliant computer
comes into compliance. You also can configure exceptions so that computers that are not compatible
with NAP have unlimited network access. By default, computers that are running operating systems
other than Windows are not compatible with NAP. However, there are third-party solutions that you
can use to extend NAP technology to other operating systems.
NAP Scenarios
NAP provides a solution for common types of hardware considerations, such as roaming laptops, desktop
computers, visiting laptops, and unmanaged computers. Depending on the needs of your organization, you
can configure a solution to address any or all of these scenarios for your network.
Roaming laptops
Portability and flexibility are two primary advantages of a laptop, but these features also present a
system health threat. Laptop users frequently connect their laptops to other networks. While users are
away from your organization, their laptops might not receive the most recent software updates or
configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could
introduce security-related threats to the laptops. NAP allows you to check any laptop's health state
when it reconnects to the organization's network, whether through a virtual private network (VPN) or a
Windows 8 DirectAccess connection.
Desktop computers
Although users typically do not take their desktop computers out of your company's buildings, they
still can present a threat to your network. To minimize this threat, you must maintain these computers
with the most recent updates and required software. Otherwise, these computers are at risk of infection
from websites, email, files from shared folders, and other publicly accessible resources. You can use
NAP to automate health state checks to verify each desktop computer's compliance with
health-requirement policies. You can check log files to determine which computers do not comply.
Additionally, by using management software, you can generate automatic reports and automatically
update noncompliant computers. When you change health-requirement policies, you can configure NAP to
provision computers automatically with the most recent updates.

Visiting laptops and devices
Organizations frequently need to allow consultants, business partners, and guests to connect to their
private networks. The laptops and devices that these visitors bring into your organization might not meet
system health requirements and can present health risks. NAP enables you to determine which visiting
laptops and devices are noncompliant and limit their access to restricted networks. Typically, you would
not require or provide any updates or configuration changes for visiting laptops and devices. You can opt
to configure Internet access for visiting laptops and devices, but not for other organizational computers
that have limited access.
Unmanaged home computers
Sometimes, unmanaged home computers that are not a member of the company's Active Directory domain
can connect to a managed company network through VPN. Unmanaged home computers
provide an additional challenge because you cannot physically access these computers. Lack of physical
access makes enforcing compliance with health requirements, such as the use of antivirus software, more
difficult. However, NAP enables you to verify the health state of a home computer every time it makes a
VPN connection to the company network, and to limit its access to a restricted network until it meets
system health requirements.
NAP Enforcement Methods
Components of the NAP infrastructure, known as enforcement clients and enforcement servers, require
health-state validation, and enforce limited network access for noncompliant computers. All Windows
client computers beginning with Windows XP with SP3, and all server-based operating systems beginning
with Windows Server 2008, include NAP support for the following network-access or communication
methods:
IPsec-protected traffic. Internet Protocol security (IPsec) enforcement confines communication to
compliant computers after they connect successfully and obtain a valid IP address configuration. IPsec
enforcement is the strongest form of limited network access or communication in NAP.
Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated network connections. IEEE
802.1X enforcement requires that a computer is compliant to obtain unlimited network access through
an IEEE 802.1X-authenticated network connection. Examples of this type of network connection include
an authenticating Ethernet switch or an IEEE 802.11 wireless access point (AP).
Remote access VPN connections. VPN enforcement requires that a computer is compliant to obtain
unlimited network access through a remote access VPN connection. For noncompliant computers,
network access is limited through a set of IP packet filters that the VPN server applies to the VPN
connection.
DirectAccess connections. DirectAccess connections require that a computer is compliant to obtain
unlimited network access through a DirectAccess server. For noncompliant computers, network access
is limited to the set of computers that are defined as infrastructure servers by using the infrastructure
tunnel. Compliant computers can create the separate intranet tunnel that provides unlimited access
to intranet resources. DirectAccess connections use IPsec enforcement.

Dynamic Host Configuration Protocol (DHCP) address configurations. DHCP enforcement requires
that a computer is compliant to obtain an unlimited access IPv4 address configuration from a DHCP
server. For noncompliant computers, network access is restricted with an IPv4 address configuration
that limits access to the restricted network. DHCP enforcement is the weakest NAP enforcement method,
because a user with local administrator rights can bypass it simply by assigning a static IP address.
These network access or communication methods, or NAP enforcement methods, are useful separately or
together for limiting noncompliant computer access or communication. A server that is running Network
Policy Server (NPS) in Windows Server 2012 acts as a health policy server for all of these NAP enforcement
methods.
NAP Platform Architecture
The following list describes the components of a NAP-enabled network infrastructure.
NAP clients. Computers that support the NAP platform for communication and for validation of their
system health prior to network access.
NAP enforcement points. Computers or network-access devices that use NAP, or that you can use with
NAP, to require evaluation of a NAP client's health state, and then provide restricted network access
or communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to
evaluate the health state of NAP clients, to decide whether to allow network access or communication,
and to determine the set of remediation actions that a noncompliant NAP client must perform. NAP
enforcement points include the following:
Health Registration Authority (HRA). A computer that runs Windows Server 2012 and Internet
Information Services (IIS), and that obtains health certificates from a certification authority (CA)
for compliant computers.
VPN server. A computer that runs Windows Server 2012 and Routing and Remote Access, and that
enables remote access VPN intranet connections.
DHCP server. A computer that runs Windows Server 2012 and the DHCP Server service, and that
provides automatic IPv4 address configuration to intranet DHCP clients.
Network access devices. Ethernet switches or wireless access points that support IEEE 802.1X
authentication.

NAP health policy servers. Computers that run Windows Server 2012 and the NPS service, and that store
health-requirement policies and provide health-state validation for NAP. NPS replaces Internet
Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy
in Windows Server 2003.
NPS also acts as an authentication, authorization, and accounting server for network access. When
acting as an authentication, authorization, and accounting server or NAP health policy server, NPS
typically runs on a separate server for centralized configuration of network access and
health-requirement policies. The NPS service also runs on Windows Server 2012-based NAP enforcement
points that do not have a built-in RADIUS client, such as an HRA or a DHCP server. In these
configurations, however, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a
NAP health policy server.
Health requirement servers. Computers that provide the current system health state for NAP health
policy servers. An example is a health requirement server for an antivirus program that tracks the
latest version of the antivirus signature file.
Active Directory Domain Services (AD DS). The Windows directory service that stores account
credentials and properties, and also stores Group Policy settings. Although not required for
health-state validation, AD DS is required for IPsec-protected communications, 802.1X-authenticated
connections, and remote access VPN connections.
802.1X devices. An 802.1X device can be an authenticating Ethernet switch or an IEEE 802.11 wireless
AP.
Restricted network. A separate logical or physical network that contains:
Remediation servers. Computers that contain health update resources that NAP clients can access to
remediate their noncompliant state. Examples include antivirus signature distribution servers and
software update servers.
NAP clients with limited access. Computers that are placed on the restricted network when they do
not comply with health-requirement policies.
Lesson 2
Overview of NAP Enforcement Processes
When a client attempts to access or communicate on the network, it must present its system health state or proof-of-health compliance. If a client cannot prove that it is compliant with system-health requirements, such as having the latest operating system and antivirus updates installed, then you can limit its access to, or communication on, the network to a restricted network that contains server resources. You can restrict this access until you remedy the health-compliance issues. After the updates install, the client requests access to the network or attempts the communication again. If compliant, the client receives unlimited access to the network or the communication is allowed.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the general NAP enforcement processes.
Discuss IPsec enforcement.
Describe 802.1X enforcement.
Explain VPN enforcement.
Discuss DHCP enforcement.
NAP Enforcement Processes
Whatever form of NAP enforcement you select, many of the client-server communications are common. The following points summarize these communications:
Between a NAP client and an HRA. The NAP client sends its current system health state to the HRA and requests a health certificate from the HRA. If the client is compliant, the HRA sends a health certificate to the NAP client. If the client is noncompliant, the HRA sends remediation instructions to the client.
Between a NAP client and a remediation server. Even when the NAP client has unlimited intranet access, it accesses the remediation server to ensure that it remains compliant. If the NAP client has limited access, it communicates with the remediation server to become compliant, based on instructions from the NAP health policy server.
Between an HRA and a NAP health policy server. The HRA sends RADIUS messages to the NAP health policy server that contain the NAP client's system health state. The NAP health policy server sends RADIUS messages to indicate that the NAP client has either:
o Unlimited access because it is compliant. Based on this response, the HRA obtains a health certificate, and then sends it to the NAP client.
o Limited access until it performs a set of remediation functions. Based on this response, the HRA does not issue a health certificate to the NAP client.
Between an 802.1X network access device and a NAP health policy server. The 802.1X network access device sends RADIUS messages to transfer the Protected Extensible Authentication Protocol (PEAP) messages that an 802.1X NAP client sends. The NAP health policy server sends RADIUS messages to:
o Indicate that the 802.1X client has unlimited access because it is compliant.
o Indicate a limited access profile to place the 802.1X client on the restricted network until it performs a set of remediation functions.
o Send PEAP messages to the 802.1X client.
Between a VPN server and a NAP health policy server. The VPN server sends RADIUS messages to transfer the PEAP messages that a VPN-based NAP client sends. The NAP health policy server sends RADIUS messages to:
o Indicate that the VPN client has unlimited access because it is compliant.
o Indicate that the VPN client has limited access through a set of IP packet filters that are applied to the VPN connection.
o Send PEAP messages to the VPN client.
Between a DHCP server and a NAP health policy server. The DHCP server sends the NAP health policy server RADIUS messages that contain the DHCP client's system health state. The NAP health policy server sends RADIUS messages to the DHCP server to indicate that the DHCP client has either:
o Unlimited access because it is compliant.
o Limited access until it performs a set of remediation functions.
Between a NAP health policy server and a health requirement server. When performing network access validation for a NAP client, the NAP health policy server might have to contact a health requirement server to obtain information about the current requirements for system health.
Communication based on the type of enforcement
Depending upon the type of enforcement you select, the following communication occurs:
Between a NAP client and an 802.1X network access device. The NAP client performs authentication of the 802.1X connection, and then provides its current system health state to the NAP health policy server. The NAP health policy server either provides remediation instructions, because the 802.1X client is noncompliant, or indicates that the 802.1X client has unlimited network access. NAP routes these messages through the 802.1X network access device.
Between a NAP client and a VPN server. The NAP client that acts as a VPN client indicates its current system health state to the NAP health policy server. The NAP health policy server responds with messages that either provide remediation instructions, because the VPN client is noncompliant, or indicate that the VPN client has unlimited intranet access. NAP routes these messages through the VPN server.
Between a NAP client and a DHCP server. The NAP client, which is also the DHCP client, communicates with the DHCP server to obtain a valid IPv4 address configuration and to indicate its current system health state. The DHCP server either allocates an IPv4 address configuration for the restricted network and then provides remediation instructions, if the DHCP client is noncompliant, or allocates an IPv4 address configuration for unlimited access, if the DHCP client is compliant.
IPsec Enforcement
With IPsec enforcement, a computer must be compliant to initiate communications with other compliant computers. Because IPsec-based NAP enforcement uses IPsec, you can define requirements for protected communications with compliant computers based on one of the following communications characteristics:
IP address.
Transmission Control Protocol (TCP) port number.
User Datagram Protocol (UDP) port number.
IPsec enforcement restricts communication to compliant computers after they have connected successfully and obtained a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP.
The components of IPsec enforcement consist of an HRA that is running Windows Server 2012 and an IPsec enforcement client in one of the following operating systems:
Windows XP with SP3
Windows Vista
Windows 7
Windows 8
Windows 8.1
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
The HRA obtains X.509 certificates for NAP clients when the clients prove that they are compliant. These health certificates then authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet.
IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts from computers that cannot negotiate IPsec protection by using health certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point, each individual computer performs IPsec enforcement. Because you can take advantage of IPsec policy settings, you can enforce health certificates for any of the following:
All computers in a domain.
Specific computers on a subnet.
A specific computer.
A specific set of TCP or UDP ports.
A set of TCP or UDP ports on a specific computer.
Considerations for IPsec enforcement
When selecting an IPsec NAP enforcement method, consider the following points:
IPsec enforcement is more complex to implement than other enforcement methods, because it requires an HRA and a CA.
No additional hardware is required to implement IPsec enforcement. There is no need to upgrade switches or wireless access points (WAPs), which you would have to do if you select 802.1X enforcement.
You can implement IPsec enforcement in any environment.
IPsec enforcement is very secure and difficult to circumvent.
You can configure IPsec to encrypt communication for additional security.
IPsec enforcement is applied to IPv4 and IPv6 communication.
802.1X Enforcement
With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection, such as to an authenticating Ethernet switch or an IEEE 802.11 wireless AP.
For noncompliant computers, network access is limited through a restricted access profile that the Ethernet switch or wireless AP places on the connection. The restricted access profile can specify either IP packet filters, or a virtual local area network (VLAN) identifier (ID) that corresponds to the restricted network. 802.1X enforcement imposes health policy requirements every time a computer attempts an 802.1X-authenticated network connection. 802.1X enforcement also actively monitors the health status of the connected NAP client, and applies the restricted access profile to the connection if the client becomes noncompliant.
The components of 802.1X enforcement consist of NPS in Windows Server 2012 and an Extensible Authentication Protocol (EAP) host enforcement client in Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012, whether on server computers or client computers. 802.1X enforcement provides strong limited network access for all computers that access the network through an 802.1X-authenticated connection.
To implement 802.1X enforcement, you must ensure that the network switches or wireless APs support 802.1X authentication. The switches or wireless APs then act as the enforcement point for NAP clients. The client's health status is sent as part of the authentication process. When a computer is noncompliant, the switch places the computer on a separate VLAN or uses packet filters to restrict access to only the remediation servers.
Considerations for 802.1X enforcement
When deciding on the 802.1X NAP enforcement method for your organization, consider the following points:
The switch or wireless AP that connects with the client enforces noncompliant computer isolation. This makes it very difficult to circumvent, and is therefore very secure.
Use 802.1X enforcement for internal computers. This type of enforcement is appropriate for local area network (LAN) computers with both wired and wireless connections.
You cannot use 802.1X enforcement if your switches and wireless APs do not support the use of 802.1X for authentication.
VPN Enforcement
VPN enforcement imposes health-policy requirements every time that a computer attempts to obtain a remote access VPN connection to the network. VPN enforcement also actively monitors the health status of the NAP client, and applies the restricted network's IP packet filters to the VPN connection if the client becomes noncompliant.
The components of VPN enforcement consist of NPS in Windows Server 2012 and a VPN enforcement client that is part of the remote access client in Windows client and server operating systems.
VPN enforcement provides limited network access for all computers that access the network through a remote access VPN connection. VPN enforcement uses a set of remote-access IP packet filters to limit VPN client traffic, so that it can reach only the resources on the restricted network, which are typically remediation servers. The VPN server applies the IP packet filters to the IP traffic that it receives from the VPN client, and silently discards all packets that do not match a configured packet filter.
Considerations for VPN enforcement
When considering the VPN NAP enforcement method, consider the following points:
VPN enforcement is best suited to situations in which you already use VPN. It is unlikely that you will implement VPN connections on an internal network only to use VPN enforcement.
Use VPN enforcement to ensure that staff members connecting from home computers are not introducing malware to your network. Users often do not maintain their home computers correctly, and they represent a high risk. Many users do not have antivirus software, or do not apply Windows updates regularly.
Use VPN enforcement to ensure that roaming laptops are not introducing malware to your network. Roaming laptops are more susceptible to malware than computers directly on the corporate network, because they may be unable to download virus updates and Windows updates from outside the corporate network. They also are more likely to be in environments where malware is present.
DHCP Enforcement
DHCP enforcement imposes health-policy requirements every time that a DHCP client attempts to lease or renew an IP address configuration. DHCP enforcement also actively monitors the NAP client's health status and, if the client becomes noncompliant, renews the IPv4 address configuration for access only to the restricted network.
The components of DHCP enforcement consist of a DHCP Enforcement service that is part of the DHCP Server service in Windows Server 2012, and a DHCP enforcement client that is part of the DHCP Client service in all Windows client operating systems beginning with Windows XP with SP3, and all server operating systems beginning with Windows Server 2008.
Because DHCP enforcement relies on a specific IPv4 address configuration, which a user who has administrator-level access can override, it is the weakest form of limited network access in NAP. DHCP address configuration limits network access for the DHCP client through its IPv4 routing table. DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 address to 255.255.255.255, so that there is no route to the attached subnet.
To allow the noncompliant computer to access the restricted network's remediation servers, the DHCP server assigns the Classless Static Routes DHCP option. This option contains host routes to the restricted network's computers, such as the Domain Name System (DNS) and remediation servers. The result of DHCP limited network access is an IP configuration and routing table that allows connectivity only to destination IP addresses that reside on the restricted network. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied by the Classless Static Routes option, the TCP/IP protocol returns a routing error.
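The following PowerShell function is an added example (not from the course) that checks a client for the three effects just described: a 255.255.255.255 mask, no default gateway, and only host routes to the restricted network. It assumes the Windows 8 / Windows Server 2012 NetTCPIP and DnsClient cmdlets (Get-NetIPAddress, Get-NetRoute, Get-DnsClient); the suffix restricted.Adatum.com is taken from the demonstration later in this module.

```powershell
# Added example, not from the course text: report whether each DHCP-assigned IPv4 interface
# carries the signature of a NAP DHCP-restricted lease (255.255.255.255 mask, Router option
# 0.0.0.0 so no default gateway, host routes from the Classless Static Routes option).
# Assumes the NetTCPIP and DnsClient cmdlets of Windows 8 / Windows Server 2012.
function Get-NapDhcpRestrictionStatus {
    [CmdletBinding()]
    param(
        # Connection-specific DNS suffix handed to noncompliant clients in this module's demo.
        [string]$RestrictedDnsSuffix = 'restricted.Adatum.com'
    )

    # Only DHCP-assigned IPv4 addresses are relevant: a static address is outside DHCP
    # enforcement, which is why the module calls it the weakest enforcement method.
    $leases = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue

    foreach ($lease in $leases) {
        $ifIndex = $lease.InterfaceIndex
        $routes  = Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $ifIndex -ErrorAction SilentlyContinue

        # A 0.0.0.0/0 route is the default gateway; a Router option of 0.0.0.0 leaves none.
        $defaultRoutes = @($routes | Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' })

        # Host routes (/32) other than the interface's own address and the broadcast address
        # are what the Classless Static Routes option installs for DNS and remediation servers.
        $ownPrefix  = "$($lease.IPAddress)/32"
        $hostRoutes = @($routes | Where-Object {
            $_.DestinationPrefix -like '*/32' -and
            $_.DestinationPrefix -ne $ownPrefix -and
            $_.DestinationPrefix -ne '255.255.255.255/32'
        })

        $suffix = (Get-DnsClient -InterfaceIndex $ifIndex).ConnectionSpecificSuffix

        # One indicator per effect the module attributes to DHCP enforcement.
        $indicators = [ordered]@{
            HostMask         = ($lease.PrefixLength -eq 32)
            NoDefaultGateway = ($defaultRoutes.Count -eq 0)
            RestrictedSuffix = ($suffix -eq $RestrictedDnsSuffix)
        }
        $matched = @($indicators.Values | Where-Object { $_ }).Count

        $verdict = switch ($matched) {
            3       { 'Restricted: all DHCP enforcement indicators present' }
            0       { 'Unrestricted' }
            default { 'Inconclusive: partial indicators, compare with NPS accounting logs' }
        }

        $gateway = '(none)'
        if ($defaultRoutes.Count -gt 0) {
            $gateway = ($defaultRoutes.NextHop | Sort-Object -Unique) -join ', '
        }

        [pscustomobject]@{
            Interface      = $lease.InterfaceAlias
            IPAddress      = $lease.IPAddress
            PrefixLength   = $lease.PrefixLength
            DefaultGateway = $gateway
            DnsSuffix      = $suffix
            HostRoutes     = ($hostRoutes.DestinationPrefix -join ', ')
            Verdict        = $verdict
        }
    }
}

# Run on a NAP client (for example LON-CL1) and compare with the ipconfig output.
Get-NapDhcpRestrictionStatus | Format-List
```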
Considerations for DHCP enforcement
When considering the DHCP NAP enforcement method, consider the following points:
DHCP enforcement is easy to implement, and can apply to any computer with a dynamic IP address.
DHCP enforcement is easy to circumvent. A client can circumvent DHCP enforcement by using a static IP address. Additionally, a user could modify a noncompliant computer by adding static host routes to reach servers that are not remediation servers.
DHCP enforcement is not possible for IPv6 clients. If computers on your network use IPv6 addresses to communicate, DHCP enforcement is ineffective.
Lesson 3
Configuring NAP
If you want your NAP deployment to work optimally, it is important that you understand what each of the NAP components does, and how they interact to protect your network. If you want to protect your network by using NAP, you need to understand the configuration requirements for the NAP client, as well as how to configure NPS as a NAP health policy server, configure health policies and network policies, and configure the client and server settings. It also is important to test NAP before using it.
Lesson Objectives
After completing this lesson, you will be able to:
Describe system health validators (SHVs).
Explain the use of a health policy.
Discuss the use of remediation server groups.
Describe the NAP client-configuration requirements.
Explain how to enable and configure NAP.
What Are System Health Validators?
System health agents (SHAs) and SHVs are NAP infrastructure components that provide health-state status and validation. Windows 8 includes a Windows Security Health Validator (WSHV) that monitors the Windows Security Center settings. Windows Server 2012 also includes a WSHV.
The design of NAP makes it very flexible and extensible, and it can interoperate with any vendor's software that provides SHAs and SHVs that use the NAP API. An SHV receives a statement of health (SoH), and then compares the system health-status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA, and it contains the last version number for the virus-signature file, then the corresponding antivirus SHV can check with the antivirus health requirement server for the latest version number to validate the NAP client's SoH.
The SHV returns a SoH response (SoHR) to the NAP Administration Server. The SoHR can contain remediation information about how the corresponding SHA on the NAP client can meet current system-health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client's antivirus SHA to request the latest version of the antivirus signature file from a specific antivirus signature server, identified by name or IP address.
What Is a Health Policy?
Health policies consist of one or more SHVs and other settings that you can use to define client-computer configuration requirements for the NAP-capable computers that connect to your network. When NAP-capable clients connect to the network, the client computer sends a SoH to the NPS. The SoH is a report of the client configuration state, and NPS compares the SoH to the requirements that the health policy defines. If the client configuration state does not match the requirements that the health policy defines, then, depending on the NAP configuration, NAP:
Rejects the connection request.
Places the NAP client on a restricted network, where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance and resubmits its new health state, NPS enables it to connect.
Allows the NAP client to connect to the network despite its noncompliance with health policy.
You define NPS client-health policies by adding one or more SHVs to the health policy. After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition of a network policy that you want to use to enforce NAP when client computers attempt to connect to your network.
What Are Remediation Server Groups?
A remediation server group is a list of restricted network servers that provide resources that bring noncompliant NAP-capable clients into compliance with your defined client health policy. A remediation server hosts the updates that a NAP agent can use to bring noncompliant client computers into compliance with health policy, as defined by NPS. For example, a remediation server can host antivirus signatures. If a health policy requires that client computers have the latest antivirus definitions, then the following work together to update noncompliant computers:
An antivirus SHA.
An antivirus SHV.
An antivirus policy server.
The remediation server.
NAP Client Configuration
Remember these basic guidelines when you configure NAP clients:
Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center. Security Center is not included with Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
You must enable the Network Access Protection Client service when you deploy NAP to NAP-capable client computers.
You must configure the appropriate NAP enforcement clients on the NAP-capable computers.
Enable Security Center in Group Policy
Use the following procedure to enable Security Center on NAP-capable clients by using Group Policy. Some NAP deployments that use Windows Security Health Validator require Security Center.
Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.
To enable Security Center in Group Policy, follow these steps:
1. Open the Group Policy Management console.
2. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.
3. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
Enable the Network Access Protection Service on Clients
Use the following procedure to enable and configure the NAP service on NAP-capable client computers. When you deploy NAP, enabling this service is required.
Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.
To enable the Network Access Protection service on client computers, follow these steps:
1. Open Control Panel, click System and Security, click Administrative Tools, and then double-click Services.
2. In the services list, scroll down and then double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic, and then click OK.
Enable and Disable NAP Enforcement Clients
Use the following procedure to enable or disable one or more NAP enforcement clients on NAP-capable computers. These can include the following client types:
DHCP enforcement client.
Remote access enforcement client.
EAP enforcement client.
IPsec enforcement client, which is also used for DirectAccess connections.
Remote Desktop Gateway (RD Gateway) enforcement client.
To enable and disable NAP enforcement clients, follow these steps:
1. Open the NAP client configuration console (NAPCLCFG.MSC).
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to enable or disable, and then click Enable or Disable.
Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group can perform this procedure. As a security best practice, consider performing this procedure by using the Run as command.
Demonstration: Configuring NAP
This demonstration shows how to:
Install the NPS server role.
Configure NPS as a NAP health policy server.
Configure health policies.
Configure network policies for compliant computers.
Configure network policies for noncompliant computers.
Configure the DHCP server role for NAP.
Configure client NAP settings.
Test NAP.
Demonstration Steps
Install the NPS server role
1. Switch to LON-DC1, and sign in as a domain administrator.
2. Open Server Manager, and then install the Network Policy and Access Services role.
Configure NPS as a NAP health policy server
1. Open the Network Policy Server console.
2. Configure the Windows Security Health Validator to require that all Windows 8 computers are running a firewall.
Configure health policies
1. Create a health policy named Compliant in which the condition is that Client passes all SHV checks.
2. Create another health policy named Noncompliant in which the condition is that Client fails one or more SHV checks.
Configure network policies for compliant computers
1. Disable the two existing network policies. These will interfere with the processing of the policies you are about to create.
2. Create a new network policy named Compliant-Full-Access that has a condition of the Compliant health policy. Computers are granted unrestricted access.
Configure network policies for noncompliant computers
Create a new network policy named Noncompliant-Restricted that has a condition of the Noncompliant health policy. Computers are granted restricted access.
Configure the DHCP server role for NAP
1. Open the DHCP console.
2. Modify the properties of the IPv4 scope to support Network Access Protection.
3. Create a new DHCP policy that allocates appropriate DHCP scope options to noncompliant computers. These options assign a DNS suffix of restricted.Adatum.com.
Configure client NAP settings
1. Enable the DHCP Quarantine Enforcement Client on LON-CL1.
2. Start the Network Access Protection Agent service.
3. Use the local Group Policy Management console to enable the Security Center.
4. Reconfigure LON-CL1 to obtain an IP address from a DHCP server.
Test NAP
1. Verify the obtained configuration by using ipconfig.
2. Disable and stop the Windows Firewall service.
3. In the System Tray area, click the Network Access Protection pop-up warning. Review the information in the Network Access Protection dialog box. Click Close.
4. Verify the obtained configuration by using ipconfig.
5. Notice that the computer has a subnet mask of 255.255.255.255 and a DNS suffix of restricted.Adatum.com. Leave all windows open.
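The "Configure the DHCP server role for NAP" steps above, done from PowerShell instead of the DHCP console, as an added example that is not part of the course demonstration. It assumes the DhcpServer module cmdlets of Windows Server 2012 (Set-DhcpServerv4Scope with -NapEnable, Add-DhcpServerv4Policy with -UserClass, Set-DhcpServerv4OptionValue with -PolicyName) and the built-in user class named Default Network Access Protection Class that the DHCP server applies to noncompliant clients; the scope ID is a constructed value, while LON-DC1 and restricted.Adatum.com come from the demonstration.

```powershell
# Added example, not from the course text: enable NAP on a DHCP scope and create the policy
# that hands noncompliant clients the restricted DNS suffix. Assumes the Windows Server 2012
# DhcpServer module and the built-in "Default Network Access Protection Class" user class.
function Enable-NapForDhcpScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScopeId,
        [string]$RestrictedDnsSuffix = 'restricted.Adatum.com',   # from the module's demonstration
        [string]$ComputerName = 'LON-DC1',                        # DHCP server in the demonstration
        [string]$PolicyName = 'NAP Noncompliant'                  # constructed policy name
    )
    # User class the DHCP server applies to clients that NPS reports as noncompliant.
    $napClass = 'Default Network Access Protection Class'

    # Demonstration step 2: enable NAP on the scope with the default NAP profile
    # (the console's "Enable for this scope" setting).
    Set-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $ScopeId -NapEnable $true

    # Demonstration step 3: a scope policy that matches the NAP user class, plus the option
    # only its members receive. The /32 mask, the 0.0.0.0 router and the Classless Static
    # Routes are applied by DHCP enforcement itself; only the DNS suffix is configured here.
    $existing = Get-DhcpServerv4Policy -ComputerName $ComputerName -ScopeId $ScopeId `
        -Name $PolicyName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DhcpServerv4Policy -ComputerName $ComputerName -ScopeId $ScopeId -Name $PolicyName `
            -Condition OR -UserClass "EQ,$napClass"
    }
    Set-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $ScopeId `
        -PolicyName $PolicyName -DnsDomain $RestrictedDnsSuffix

    # Read the result back so it can be compared with ipconfig on the client (Test NAP step 5).
    $scope   = Get-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $ScopeId
    $options = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $ScopeId `
        -PolicyName $PolicyName
    [pscustomobject]@{
        ScopeId             = $scope.ScopeId
        NapEnabled          = $scope.NapEnable
        NapProfile          = $scope.NapProfile
        NoncompliantPolicy  = $PolicyName
        NoncompliantOptions = ($options | ForEach-Object { "$($_.OptionId)=$($_.Value -join ',')" }) -join '; '
    }
}

# Constructed scope ID for illustration; replace with the IPv4 scope used in your lab.
Enable-NapForDhcpScope -ScopeId '172.16.0.0'
```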
Lesson 4
Configuring IPsec Enforcement for NAP
Lesson Objectives
After completing this lesson, you will be able to:
Describe what IPsec is and how you can use it to secure network traffic.
Describe the IPsec authentication and encryption options.
Describe the steps that occur when a client connects to the network with IPsec enforcement enabled.
Describe the planning components for IPsec enforcement, including defining the secure networks, boundary networks, and restricted networks, and also describe how these networks enforce IPsec policies.
Describe how to implement the HRA server and the configuration of the server.
Describe the CA requirements for IPsec enforcement, and describe how to configure the CA to meet these requirements.
What Is IPsec?
IPsec is a protocol suite standardized by the Internet Engineering Task Force (IETF) to secure IP communications by using cryptography. IETF standardized IPsec in a series of Requests for Comments (RFCs). It operates at the Internet layer, also called layer 3, of the Open Systems Interconnection (OSI) model. It is built into the vast majority of operating systems in use today, including all supported versions of Windows. IPsec has the following characteristics:
IPsec can protect communication between two independent computers or between two independent networks.
IPsec works in the background. Applications and services do not need to be aware of, or configured to work with, IPsec. Instead, IPsec is applied transparently.
You can use IPsec to provide protection against intellectual property theft, corruption of data, man-in-the-middle attacks, and various other network-based attacks.
Windows supports IPsec transport mode and IPsec tunnel mode. Transport mode is commonly used for Layer Two Tunneling Protocol (L2TP)/IPsec VPNs, while tunnel mode is commonly used for site-to-site connectivity such as a wide area network (WAN).
You can use packet filtering to strictly control the network traffic coming from a host or going to a host. This gives administrators far-reaching control of network communication.
You often combine IPsec with other network-based protection mechanisms such as network-based firewalls, host-based firewalls, and Group Policy. It is a good practice to implement multiple layers of security on a network. Using multiple layers of security is often referred to as defense in depth or as a multilayered security strategy.
In a common corporate deployment, IPsec relies on the following components:
AD DS. AD DS provides the common infrastructure and is a prerequisite for common implementations of a Microsoft-based public key infrastructure (PKI). In addition, you can use Group Policy to standardize security-related settings for IPsec.
PKI. You can use Active Directory Certificate Services (AD CS) to distribute certificates automatically to ease the administrative overhead of implementing IPsec. Configuring a CA for IPsec is discussed in more detail in the Configuring the Certification Authority topic later in this module.
Two or more computers running a supported version of Windows and joined to the same domain. The computers can be client computers or server-based computers.
IPsec Authentication and Encryption Options
IPsec offers flexible authentication and encryption options. For authentication, IPsec provides the following methods:
Kerberos V5 authentication protocol. Kerberos is the default authentication protocol that Windows computers use when they are part of the same AD DS domain or trusted AD DS domains.
Certificate authentication. When computers are not part of the same AD DS domain or trusted AD DS domains, certificate authentication is used. Certificate authentication is most common between companies that are partners, and between company employees and external parties such as consultants, board members, and customers.
Preshared key. In development or testing scenarios, a preshared key can be used instead of Kerberos or certificate authentication. This method is not secure because the key is stored in plain text. This method is rarely implemented and provides authentication protection only.
The encryption options that IPsec provides are based on the security association (SA) and include the following:
Data Encryption Standard (DES). DES uses a 56-bit key, which is considered insecure today.
Triple DES (3DES). 3DES (pronounced "triple des") applies DES three times with three 56-bit keys for encryption.
Advanced Encryption Standard (AES). Multiple key lengths are supported: 128, 192, and 256 bits. Security increases as the key length increases. The vast majority of new IPsec implementations use AES today because it provides the strongest security and does not require additional administrative effort.
In addition to authentication and encryption, IPsec relies on data integrity to secure network communication. You use data integrity to ensure that communication received from a computer was not modified en route to the destination. Data integrity relies on the same encryption standards as data encryption, but you use it to sign a hash for integrity purposes. For implementations of IPsec with AES, the encryption and integrity options must match and are often grouped together.

7-20 Implementing Network Access Protection
NAP with IPsec Enforcement Components
You can deploy NAP enforcement for IPsec policies for Windows Firewall by using a CA, an HRA server, a computer running NPS, and an IPsec enforcement client. The CA issues X.509 certificates with the System Health object identifier (OID) to NAP clients when they are determined to be compliant. You then use these certificates to authenticate NAP clients when they initiate IPsec communications with other IPsec clients on an intranet.
IPsec enforcement confines your network's communication to compliant clients and provides the strongest NAP implementation available. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.
The process for configuring NAP with IPsec enforcement
NAP with IPsec enforcement provides the strongest and most flexible method for maintaining client
computer compliance with network health requirements. To implement NAP with IPsec, you must do the
following:
Configure a CA to issue health certificates. You must use the System Health Authentication template,
and you must grant the HRA permission to enroll the certificate.
Install HRA. The HRA is a component of NAP that is central to IPsec enforcement. The HRA obtains
health certificates on behalf of NAP client computers when they are compliant with network health
requirements. These health certificates authenticate NAP client computers for IPsec-protected
communications with other NAP client computers on an intranet. If a NAP client computer does not
have a health certificate, the IPsec peer authentication fails.
Select authentication requirements. The HRA can provide health certificates to authenticated domain
users only, or optionally provide health certificates to anonymous users.
Configure the NPS server with the required health policies. The policies will vary based on the
company security requirements and existing infrastructure.
Configure NAP client computers for IPsec NAP enforcement. The NAP agent must be running, and
the NAP IPsec enforcement client must be running. You can do this by using Group Policy or local
policy, or by using the commands available in the Netsh command-line tool.
Use IPsec policies to create logical networks. IPsec enforcement divides a physical network into three
logical networks. A computer is a member of only one logical network at any time. The logical
networks are:
o Secure network. Computers on the secure network have health certificates and require that
incoming communication be authenticated by using these certificates.
o Boundary network. Computers on the boundary network have health certificates but do not
require IPsec authentication of incoming communication attempts.
o Restricted network. Computers on the restricted network do not have health certificates.

How IPsec Enforcement Works
To obtain a health certificate and become a secure network member, a NAP client that is using IPsec enforcement starts on the network and uses the following process:
1. When the computer starts, the host-based firewall is enabled; however, it does not allow any exceptions, so that no other computer can initiate communications with it. At this point, the computer is in the restricted network because it does not have a health certificate. The computer can communicate with other computers in the restricted and boundary networks and can access the Internet. However, it cannot initiate communications with the computers in the secure network.
2. The NAP client obtains network access and an IP address configuration.
3. The IPsec NAP enforcement client sends its credentials and system statement of health (SSoH) to the
HRA by using HTTP or a protected HTTP over a Secure Sockets Layer (SSL) session.
4. The HRA passes the SSoH to the NAP health policy server in a RADIUS Access-Request message.
5. The NPS service on the NAP health policy server receives the RADIUS Access-Request message,
extracts the SSoH, and passes it to the NAP Administration Server component.
6. The NAP Administration Server receives the SSoH and forwards the SoHs to the appropriate SHVs.
7. The SHVs analyze their SoHs and return SoHRs to the NAP Administration server.
8. The NAP Administration server passes the SoHRs to the NPS service.
9. The NPS service compares the SoHRs to the configured health policies and creates the System
Statement of Health Response (SSoHR).
10. The NPS service constructs and sends a RADIUS Access-Accept message with the SSoHR as a RADIUS
vendor specific attribute to the HRA.
11. The HRA sends the SSoHR back to the IPsec NAP enforcement client. If the NAP client is compliant,
the HRA also issues a health certificate.
After the health certificate is issued, the NAP client removes any existing health certificates, if necessary, and adds the newly issued health certificate to its computer certificate store. The IPsec NAP enforcement client configures IPsec settings to authenticate by using the health certificate for IPsec-protected communications. It also configures the host-based firewall to allow incoming communications from any peer that uses a health certificate for IPsec authentication. The NAP client now belongs to the secure network.
Note: The IPsec NAP enforcement client performs steps 3 through 11 whenever new SoH
information arrives at the NAP Agent or when the health certificate is about to expire.

Noncompliant NAP client
If the NAP client is noncompliant, the NAP client does not have a health certificate and cannot initiate
communication with computers in the secure network. The NAP client performs the following remediation
process to become a secure network member:
1. The IPsec NAP enforcement client passes the SSoHR to the NAP Agent.
2. The NAP Agent passes the SoHRs in the SSoHR to the appropriate SHAs.
3. Each SHA analyzes its SoHR and, based on the contents, performs the remediation as needed to correct the NAP client's system health state.
4. Each SHA that required remediation passes an updated SoH to the NAP Agent.
5. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a
new SSoH, and passes it to the IPsec NAP enforcement client.
6. The IPsec NAP enforcement client uses HTTP or a protected HTTP over SSL session to send its new
SSoH to the HRA.
7. The HRA receives the SSoH and sends it to the NAP health policy server in a RADIUS Access-Request
message.
8. The NPS service on the NAP health policy server receives the RADIUS Access-Request message,
extracts the SSoH, and passes it to the NAP Administration Server.
9. The NAP Administration Server receives the SSoH and forwards the SoHs to the appropriate SHVs.
10. The SHVs analyze the contents of their SoHs and return SoHRs to the NAP Administration Server.
11. The NAP Administration Server passes the SoHRs to the NPS service.
12. The NPS service compares the SoHRs to the configured set of health policies and creates the SSoHR.
13. The NPS service constructs and sends a RADIUS Access-Accept message containing the SSoHR to the
HRA.
14. The HRA receives the RADIUS Access-Accept message, extracts the SSoHR, and sends it to the NAP
client by using HTTP or the HTTP over SSL session. Because the NAP client now is compliant, the HRA
issues the NAP client a health certificate.
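The exchange in the two procedures above (steps 3 through 11 for a compliant client, and the remediation loop for a noncompliant one), as an added simulation that is not part of the course material and is not Microsoft's code: the NAP Agent, SHA, HRA, NPS service and SHV are modelled as plain Python functions, the health policies are the "passes all" / "fails one or more" pair configured in the lab later in this module, and the single check (host firewall enabled), the message field names and the certificate dictionary are constructed assumptions.

```python
"""Constructed simulation of the NAP IPsec enforcement exchange (not Microsoft code)."""
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed sample check: the Windows Security Health Validator in the lab
# later in this module requires that a firewall is enabled.
CHECKS = ("firewall_enabled",)
_serial = itertools.count(1)   # serial numbers for issued health certificates


@dataclass
class SystemHealthAgent:
    """Client-side SHA: reports its state as a SoH and applies remediation."""
    firewall_enabled: bool

    def soh(self) -> dict:
        return {"sha": "WSHA", "firewall_enabled": self.firewall_enabled}

    def remediate(self, sohr: dict) -> None:
        # Remediation step 3: act on the SoHR that the NAP Agent handed back.
        if "enable_firewall" in sohr["actions"]:
            self.firewall_enabled = True


@dataclass
class NapAgent:
    shas: list
    health_certificate: Optional[dict] = None

    def ssoh(self) -> dict:
        # Step 3: the SoHs of all SHAs are combined into one SSoH.
        return {"sohs": [sha.soh() for sha in self.shas]}


def system_health_validator(soh: dict) -> dict:
    """Server-side SHV (step 7): analyse one SoH and return a SoHR that
    lists any remediation actions the client must perform."""
    compliant = all(soh.get(check, False) for check in CHECKS)
    return {"shv": "WSHV", "compliant": compliant,
            "actions": [] if compliant else ["enable_firewall"]}


def nps_evaluate(ssoh: dict) -> dict:
    """Steps 5-10: NPS extracts the SoHs, collects the SoHRs from the SHVs,
    matches them against the health policies and builds the SSoHR."""
    sohrs = [system_health_validator(soh) for soh in ssoh["sohs"]]
    # Health policies: "Compliant" = passes all SHV checks,
    # "Noncompliant" = fails one or more SHV checks.
    policy = "Compliant" if all(r["compliant"] for r in sohrs) else "Noncompliant"
    return {"health_policy": policy, "sohrs": sohrs}


def hra_request(ssoh: dict) -> tuple:
    """Steps 4 and 11: the HRA relays the SSoH to NPS and returns the SSoHR,
    issuing a health certificate only when the client is compliant."""
    ssohr = nps_evaluate(ssoh)
    certificate = None
    if ssohr["health_policy"] == "Compliant":
        certificate = {"serial": next(_serial),
                       "purpose": "System Health Authentication"}  # constructed label
    return ssohr, certificate


def enforcement_round(agent: NapAgent) -> dict:
    """One pass of the IPsec NAP enforcement client: send the SSoH to the HRA,
    install the certificate if one is issued, otherwise start remediation."""
    ssohr, certificate = hra_request(agent.ssoh())
    if certificate is not None:
        # Any existing health certificate is replaced by the new one.
        agent.health_certificate = certificate
    else:
        # Remediation steps 1-3: each SHA receives its own SoHR.
        for sha, sohr in zip(agent.shas, ssohr["sohrs"]):
            sha.remediate(sohr)
    return ssohr


if __name__ == "__main__":
    client = NapAgent(shas=[SystemHealthAgent(firewall_enabled=False)])
    for attempt in (1, 2):
        result = enforcement_round(client)
        has_cert = client.health_certificate is not None
        print(f"round {attempt}: {result['health_policy']}, certificate={has_cert}")
```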
Planning IPsec Logical Networks
IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined by which computers have health certificates and which computers require IPsec authentication with health certificates for incoming communication attempts. The logical networks allow for limited network access and remediation, and provide compliant computers with protection from noncompliant computers.

IPsec enforcement defines the following logical networks:
Secure network. The set of computers that have health certificates and require that incoming
communication attempts use health certificates for IPsec authentication. On a managed network,
most server and client computers that are members of the AD DS domain would be in the secure
network.
Boundary network. The set of computers that have health certificates but do not require incoming
communication attempts to use health certificates for IPsec authentication. Computers in the
boundary network must be accessible to computers on the entire network.
Restricted network. The set of computers that do not have health certificates. This includes noncompliant NAP client computers, guests on the network, or computers that are not NAP-capable, such as computers that are running versions of Windows that do not support NAP, computers running the Mac operating system, or UNIX-based computers.
Based on the three logical networks, the following types of initiated communications are possible: secure,
boundary, and restricted.
Secure network
Computers in the secure network can initiate communications with computers in all three logical
networks. Communications initiated to computers in the secure network or boundary network are
authenticated with IPsec and health certificates. IPsec does not authenticate communications initiated to
computers in the restricted network.
Computers in the secure network will accept communications initiated from computers in the secure and
boundary networks that IPsec authenticates, but will not accept communications initiated from computers
in the restricted network. For example, a client computer in the secure network can request a webpage
from a web server in the secure network. However, a client computer in the restricted network cannot
request a web page from a web server in the secure network. You can configure the requirements for
initiated communication on a TCP or UDP port basis to limit specific traffic. For example, it is possible to
require IPsec authentication with health certificates for remote procedure call (RPC) traffic, but not web
traffic. In this case, a client computer in the restricted network could request a webpage from a web server
in the secure network, but not be able to use RPC to connect to that same server.
Boundary network
Computers in the boundary network can initiate communications with computers in the secure or
boundary networks that are authenticated with IPsec and health certificates or with computers in the
restricted network that IPsec does not authenticate.
Computers in the boundary network will accept communications initiated from computers in the secure
and boundary networks that are authenticated with IPsec and health certificates, and from computers in
the restricted network that IPsec does not authenticate.
Boundary network members typically consist only of the HRA and NAP remediation servers. Servers in the
boundary network must be accessible from noncompliant NAP clients in the restricted network to
perform initial remediation functions and obtain health certificates. Additionally, they must be accessible
from compliant computers in the secure network to perform ongoing remediation functions, renew health
certificates, and manage computers in the boundary network.
A computer is a member of the secure or boundary network for the time specified in the health certificate's validity period. Before the health certificate expires, the IPsec-protected NAP client contacts the HRA to obtain a new health certificate. You can configure the validity time for health certificates on the HRA. Validity time typically spans hours, rather than the years that are typical for computer or user certificates.
Restricted network
Computers in the restricted network can initiate communications with computers in the restricted and boundary networks. Computers in the restricted network cannot initiate communications to computers in the secure network, unless the IPsec policy settings of the secure network's computers specifically allow them to.
Computers in the restricted network can accept communications initiated from computers in all three
logical networks.
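The three logical networks and the initiation rules described above, including the per-port exemption example (web traffic allowed, RPC not) and the loss of membership once the health certificate expires, as an added Python model that is not part of the course material and is not Microsoft's code: the host names, the reference time, the certificate expiry values and the port numbers are constructed assumptions.

```python
"""Constructed model of the three IPsec enforcement logical networks (not Microsoft code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

SECURE, BOUNDARY, RESTRICTED = "secure", "boundary", "restricted"


@dataclass
class Computer:
    name: str
    # Expiry of the health certificate, or None when the computer holds none.
    health_cert_expires: Optional[datetime]
    # True when the computer's IPsec policy requires health-certificate
    # authentication for incoming connections (the secure-network setting).
    require_health_cert_inbound: bool
    # Inbound ports exempted from that requirement (e.g. web but not RPC).
    exempt_ports: FrozenSet[int] = frozenset()


def logical_network(c: Computer, now: datetime) -> str:
    """Membership is derived from certificate possession and inbound policy,
    and lasts only for the health certificate's validity period."""
    if c.health_cert_expires is None or now >= c.health_cert_expires:
        return RESTRICTED
    return SECURE if c.require_health_cert_inbound else BOUNDARY


def can_initiate(src: Computer, dst: Computer, port: int, now: datetime) -> str:
    """Outcome of src initiating a TCP/UDP connection to dst on port:
    'authenticated' (IPsec with health certificates), 'unauthenticated'
    (accepted without IPsec authentication) or 'denied'."""
    src_net, dst_net = logical_network(src, now), logical_network(dst, now)
    both_hold_certs = RESTRICTED not in (src_net, dst_net)
    if dst_net == SECURE and port not in dst.exempt_ports:
        # Secure-network computers accept only peers authenticated with a health certificate.
        return "authenticated" if both_hold_certs else "denied"
    # Boundary and restricted computers (and exempted ports) accept everyone;
    # IPsec still authenticates the peers when both ends hold health certificates.
    return "authenticated" if both_hold_certs else "unauthenticated"


NOW = datetime(2012, 9, 4, 10, 0)  # constructed reference time


def sample_hosts() -> dict:
    """Constructed hosts covering all three networks plus a lapsed certificate."""
    valid = NOW + timedelta(hours=3)          # within the default 4-hour validity
    return {
        "SEC-CL1": Computer("SEC-CL1", valid, True),
        "SEC-WEB1": Computer("SEC-WEB1", valid, True, frozenset({80})),
        "HRA1": Computer("HRA1", valid, False),          # boundary network
        "GUEST-PC": Computer("GUEST-PC", None, False),   # no health certificate
        "SEC-CL2": Computer("SEC-CL2", NOW - timedelta(minutes=1), True),  # expired
    }


if __name__ == "__main__":
    hosts = sample_hosts()
    for name, host in hosts.items():
        print(f"{name:9} -> {logical_network(host, NOW)}")
    for src, dst, port in (("GUEST-PC", "SEC-WEB1", 80), ("GUEST-PC", "SEC-WEB1", 135),
                           ("SEC-CL2", "SEC-CL1", 445), ("HRA1", "SEC-CL1", 445)):
        print(f"{src} -> {dst}:{port}: {can_initiate(hosts[src], hosts[dst], port, NOW)}")
```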
Configuring the HRA Server
To support IPsec NAP enforcement, you must configure an HRA server. This process involves the following steps:
1. Configure authentication requirements. When you install the HRA, you are prompted to configure it. The HRA either issues health certificates only to users who are authenticated to the domain, or optionally also provides health certificates to anonymous users. If you select to allow only domain-authenticated users, a single website named DomainHRA is created. If you choose to allow anonymous users to obtain health certificates, an additional website, NonDomainHRA, is created to support that configuration.
2. Configure CAs. The HRA must be associated, either during installation or subsequently, with either a
standalone or enterprise CA. This is discussed in the next topic.
3. Configure the request policy. The security settings used by the HRA to communicate with clients are
known as request policy settings. You can use the HRA snap-in to specify these security mechanisms
and determine which asymmetric key algorithm, hash algorithm, and cryptographic service provider
(CSP) the HRA server uses to encrypt communication with client computers.
Note: It is not mandatory that you configure request policy settings on your HRA server. By
default, a NAP-capable client computer initiates a negotiation process with an HRA server by
using a mutually acceptable default security mechanism for encrypting communication.

Configuring the Certification Authority
To obtain and issue certificates, you must associate the HRA with a CA. This process involves choosing a CA type, verifying CA security settings, and configuring additional settings.
Choose a CA type
When configuring the HRA to use a CA, you can select one of the following:
Standalone CA. A standalone CA issues certificates that are not based on templates. Consequently, you do not need to configure a certificate template. However, you must still configure CA security settings and certificate issuance requirements so that the HRA can request and issue health certificates automatically to client computers that are health policy-compliant.
Enterprise CA. An enterprise CA issues certificates that are based on templates. Therefore, if you select an enterprise CA, you must configure the required certificate template as part of the CA preparation process.
Note: If you install your enterprise CA on a computer that is running Windows Server 2008
or Windows Server 2012, the required HRA template already exists. If your enterprise CA is
running Windows Server 2003, you must manually create the required template.
Complete the following tasks on your enterprise CA to ensure that it is ready to support the requirements
of your HRA:
1. Verify certificate availability. Use the Certificate Templates snap-in to check for the presence of the
System Health Authentication template.
2. Verify certificate enrollment permissions for the HRA. To check that the HRA has the required
permissions to obtain and issue health certificates, follow these steps:
a. Open the Certificate Templates snap-in, and view the properties of your System Health
Authentication template.
b. Check the security settings to verify that both the Enroll and Autoenroll permissions have been
granted to the DNS name of your HRA server.
Verify CA security settings
After selecting the CA type, you must now verify the CA security settings. For NAP client computers to
obtain health certificates automatically when they have been determined to be compliant with network
health requirements, you must configure your NAP CAs to issue health certificates automatically. Use the
following process to ensure that certificates are issued automatically.
1. Open the Certification Authority management console snap-in.
2. Verify that the Policy Module for your CA is configured with this value: Follow the settings in the
certificate template, if applicable. Otherwise, automatically issue the certificate.
Note: This process applies to both enterprise and standalone CA servers.

Configure additional settings
You can add the CA to the HRA during installation of the HRA role or at any time thereafter by using the
HRA console. After you add the CA to the HRA, you can use the HRA console to complete these additional
tasks:
1. Configure CA wait time. The HRA attempts to obtain health certificates only from the CA that is
configured first in the processing order, unless that CA has been marked as unavailable. You can
change the number of minutes to wait before identifying a CA as unavailable.
2. Configure health certificate validity period. Client computers attempt to renew their health certificate
15 minutes before expiration or when a change in client health status occurs. You can configure a
custom validity period for health certificates. The default validity period is four hours.
Lesson 5
Monitoring and Troubleshooting NAP
Monitoring and troubleshooting NAP is an important administrative task because each NAP enforcement method involves different technologies, prerequisites, and levels of expertise. Trace logs are available for NAP, but are disabled by default. These logs serve two purposes: troubleshooting and evaluating a network's health and security.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how NAP tracing can help monitor and troubleshoot NAP.
Explain how to configure NAP tracing.
Troubleshoot NAP with the Netsh command-line tool.
Use the NAP event log to troubleshoot NAP.
What Is NAP Tracing?
Aside from the preceding general guidelines, you can use the NAP Client Configuration console to configure NAP tracing. Tracing records NAP events in a log file, and is useful for troubleshooting and maintenance. Additionally, you can use tracing logs to evaluate your network's health and security. You can configure three levels of tracing: Basic, Advanced, and Debug.
Enable NAP tracing when:
Troubleshooting NAP problems.
Evaluating the overall health and security of your organization's computers.
In addition to trace logging, you can view NPS accounting logs. These logs can contain useful NAP
information. By default, NPS accounting logs are located in %systemroot%\system32\logfiles.
The following logs might contain NAP-related information:
IASNAP.LOG. This file contains detailed data about NAP processes, NPS authentication, and NPS
authorization.
IASSAM.LOG. This file contains detailed data about user authentication and authorization.
Demonstration: Configuring NAP Tracing
Two tools are available for configuring NAP tracing. The NAP Client Configuration console is part of the
Windows user interface, and Netsh is a command-line tool.

Using the Windows user interface
You can use the Windows user interface to enable or disable NAP tracing and to specify the level of
recorded detail by performing the following steps:
1. Open the NAP Client Configuration console by running napclcfg.msc.
2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click
Properties.
3. In the NAP Client Configuration (Local Computer) Properties dialog box, select Enabled or
Disabled.
Note: To perform this procedure, you must be a member of the Administrators group
on the local computer, or you must have been delegated the appropriate authority. As a
security best practice, we recommend that you perform this operation by using the Run As
command.
4. If you chose Enabled, under Specify the level of detail at which the tracing logs are written, select
Basic, Advanced, or Debug.
Using a command-line tool
To use a command-line tool to enable or disable NAP tracing and specify the level of recorded detail,
perform the following steps:
1. Open an elevated command prompt.
2. To enable or disable NAP tracing, do one of the following:
To enable NAP tracing and configure basic or advanced logging, type: netsh nap client set tracing state=enable level=basic or netsh nap client set tracing state=enable level=advanced.
To enable NAP tracing for debug information, type: netsh nap client set tracing state=enable level=verbose.
To disable NAP tracing, type: netsh nap client set tracing state=disable.
Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, we recommend that you perform this operation by using the Run As command.
Viewing log files
To view the log files, navigate to the %systemroot%\tracing\nap directory, and then open the particular
trace log that you want to view.
Demonstration Steps
Configure tracing from the GUI
1. On LON-CL1, open the NAPCLCFG [NAP Client Configuration (Local Computer)] console.
2. From the NAP Client Configuration (Local Computer) properties, enable Advanced tracing.
Configure tracing from the command line
At the command prompt, type netsh nap client set tracing state = enable, and then press Enter.
Troubleshooting NAP
You can use the following tools to troubleshoot NAP.
Netsh commands
Use the Netsh NAP command to help troubleshoot NAP issues. The following command displays the status of a NAP client, including the following:
Restriction state.
Status of enforcement clients.
Status of installed SHAs.
Trusted server groups that have been configured.
netsh NAP client show state
The following command displays the local configuration settings on a NAP client, including:
Cryptographic settings.
Enforcement client settings.
Settings for trusted server groups.
Client-tracing settings that have been configured.
netsh NAP client show config
The following command displays the Group Policy configuration settings on a NAP client, including:
Cryptographic settings.
Enforcement client settings.
Settings for trusted server groups.
Client-tracing settings that have been configured.
netsh NAP client show group
Troubleshooting NAP with Event Logs
NAP services record NAP-related events into the Windows event logs. To view these events, open Event Viewer, select Custom Views, select Server Roles, and then select Network Policy and Access Services.
The following events provide information about NAP services that are running on an NPS server:
Event ID 6272. Network Policy Server granted access to a user. Occurs when a NAP client


authenticates successfully, and, depending on its health state, obtains full or restricted access to the network.
Event ID 6273. Network Policy Server denied access to a user. Occurs when an authentication or authorization problem arises, which is associated with a reason code.
Event ID 6274. Network Policy Server discarded the request for a user. Occurs when a configuration problem arises, or if the RADIUS client settings are incorrect or NPS cannot create accounting logs.
Event ID 6276. Network Policy Server quarantined a user. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access.
Event ID 6277. Network Policy Server granted access to a user, but put it on probation because the host did not meet the defined health policy. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access for a limited time when the date specified in the policy has passed.
Event ID 6278. Network Policy Server granted full access to a user because the host met the defined health policy. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.
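Detection logic run over a constructed NPS event export, as an added example that is not part of the course material and is not Microsoft's code: the event IDs and their meanings are the ones listed above; the one-event-per-line format, the host names and the reason values are constructed, and a real deployment would read the events from the Network Policy and Access Services custom view or an exported log instead.

```python
"""Constructed triage of NPS NAP events 6272-6278 (not Microsoft code)."""
import re
from collections import Counter

# Meaning of each event ID, as listed above.
NPS_NAP_EVENTS = {
    6272: "granted",      # access granted; full or restricted depending on health state
    6273: "denied",       # authentication/authorization problem, carries a reason code
    6274: "discarded",    # NPS configuration, RADIUS client or accounting-log problem
    6276: "quarantined",  # matched policy with NAP enforcement "Allow limited access"
    6277: "probation",    # full access for a limited time, host not compliant
    6278: "full_access",  # host met the health policy, full network access
}

# Constructed sample export, one event per line; not real NPS output.
SAMPLE_EVENTS = """\
2012-09-04T08:01:10 EventID=6272 Client=LON-CL2 User=Adatum\\Administrator
2012-09-04T08:01:10 EventID=6278 Client=LON-CL2 User=Adatum\\Administrator
2012-09-04T08:05:42 EventID=6272 Client=LON-CL3 User=Adatum\\Bob
2012-09-04T08:05:42 EventID=6276 Client=LON-CL3 User=Adatum\\Bob
2012-09-04T08:07:15 EventID=6277 Client=LON-CL5 User=Adatum\\Dan
2012-09-04T08:09:03 EventID=6273 Client=LON-CL4 User=Adatum\\Carol Reason=16
2012-09-04T08:12:55 EventID=6274 Client=LON-RTR User=- Reason=RADIUS client not found
2012-09-04T08:13:00 EventID=4400 Client=LON-RTR User=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Client=(?P<client>\S+) User=(?P<user>\S+)"
    r"(?: Reason=(?P<reason>.+))?$"
)


def parse_events(text: str) -> list:
    """Parse the constructed export; unknown event IDs are kept as 'other'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not match the constructed format
        event_id = int(m["id"])
        events.append({
            "time": m["ts"], "id": event_id, "client": m["client"],
            "user": m["user"], "reason": m["reason"],
            "outcome": NPS_NAP_EVENTS.get(event_id, "other"),
        })
    return events


def triage(events: list) -> dict:
    """Summarise NAP outcomes: which clients are compliant, which need
    remediation, which were denied, and where NPS itself is misconfigured."""
    counts = Counter(e["outcome"] for e in events)
    return {
        "counts": counts,
        "compliant": sorted({e["client"] for e in events if e["outcome"] == "full_access"}),
        "needs_remediation": sorted({e["client"] for e in events
                                     if e["outcome"] in ("quarantined", "probation")}),
        "denied": [(e["client"], e["reason"]) for e in events if e["outcome"] == "denied"],
        # 6274 points at the NPS/RADIUS configuration, not at client health.
        "config_problems": [(e["client"], e["reason"]) for e in events
                            if e["outcome"] == "discarded"],
    }


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    for key, value in result.items():
        print(f"{key}: {value}")
```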
Lab: Implementing Network Access Protection
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, United
Kingdom. An Information Technology (IT) office and data center in London support the head office and
other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
To help increase security and meet compliance requirements, A. Datum is required to extend their VPN
solution to include NAP. You need to establish a way to verify and, if required, automatically bring client
computers into compliance whenever they connect remotely by using the VPN connection. You will
accomplish this goal by using NPS to create system health validation settings and network and health
policies, and to configure NAP to verify and remediate client health.
Objectives
After completing this lab, you will be able to:
Configure NAP components.
Configure VPN access.
Configure the client settings to support NAP.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20411D-LON-DC1, 20411D-LON-RTR, 20411D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, click Administrative Tools, and then double-click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20411D-LON-DC1, and, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
User name: Adatum\Administrator
Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411D-LON-CL2 and 20411D-LON-RTR.
Exercise 1: Configuring NAP Components
Scenario
You should configure NAP components, such as certificate requirements, health and network policies, and
connection-request policies as the first step in implementing compliance and security.
The main tasks for this exercise are as follows:
1. Configure Server and Client Certificate Requirements
2. Configure Health Policies
3. Configure Network Policies
4. Configure Connection Request Policies for VPN
Task 1: Configure Server and Client Certificate Requirements
1. Switch to the LON-DC1 virtual server.
2. Open the Certification Authority tool.
3. In the Certificate Templates Console details pane, open the properties of the Computer certificate
template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Restart the Certification Authority.
6. Close the Certification Authority tool.
Task 2: Configure Health Policies
1. Switch to the LON-RTR computer.
2. Create a management console by running mmc.exe.
3. Add the Certificates snap-in with the focus on the local computer account.
4. Navigate to the Personal certificate store and request a new certificate.
5. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and
then click Next.
6. Enroll the Computer certificate that is listed.
7. Close the console, and do not save the console settings.
8. Using Server Manager, install the NPS Server with the following role services:
Network Policy Server
9. Open the Network Policy Server console.
10. Expand the Network Access Protection node to the Windows Security Health Validator node,
and open the Default Configuration.
11. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except A firewall is
enabled for all network connections.
12. Create a health policy with the following settings:
Name: Compliant
Client SHV checks: Client passes all SHV checks
SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
Name: Noncompliant
Client SHV checks: Client fails one or more SHV checks
SHVs used in this health policy: Windows Security Health Validator
Task 3: Configure Network Policies
1. Disable all existing network policies.
2. Configure a new network policy with the following settings:
Name: Compliant-Full-Access
Conditions: Health Policies, Compliant
Access permissions: Access granted
Settings: NAP Enforcement, Allow full network access
Authentication methods: none
Perform machine health check only: Yes
3. Configure a new network policy with the following settings:
Name: Noncompliant-Restricted
Conditions: Health Policies, Noncompliant
Access permissions: Access granted
Settings: NAP Enforcement, Allow limited access is selected, and Enable auto-remediation of client computers is not selected.
IP Filters:
o IPv4 input filter, Destination network: 172.16.0.10/255.255.255.255
o IPv4 output filter, Source network: 172.16.0.10/255.255.255.255
Authentication methods: none
Perform machine health check only: Yes
Task 4: Configure Connection Request Policies for VPN
1. Disable existing connection request policies.
2. Create a new Connection Request Policy with the following settings:
Policy name: VPN connections
Type of network access server: Remote Access Server (VPN-Dial up)
Conditions, Tunnel type: L2TP, SSTP, and PPTP
Authenticate requests on this server: Enabled
On the Specify Authentication Methods page, perform the following:
3. Select Override network policy authentication settings.
4. Add Microsoft: Protected EAP (PEAP).
5. Add Microsoft: Secured password (EAP-MSCHAP v2).
6. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is
enabled.

Results: After this exercise, you should have installed and configured the required Network Access
Protection (NAP) components, created the health and network policies, and created the connection
request policies.
Exercise 2: Configuring Virtual Private Network Access
Scenario
After configuring NAP, you will configure a VPN server, and then enable the PING protocol through the
firewall for testing purposes.
The main tasks for this exercise are as follows:
1. Configure a VPN Server
2. Allow PING for Testing Purposes
Task 1: Configure a VPN Server
1. On LON-RTR, open Routing and Remote Access.
2. Disable Routing and Remote Access.
3. Select Configure and Enable Routing and Remote Access.
4. Use the following settings to complete configuration:
• Select Remote access (dial-up or VPN).
• Select the VPN check box.
• Select the interface named Internet, and clear the Enable security on the selected interface by
setting up static packet filters check box.
• Select Ethernet as the network selection.
• Under IP Address Assignment, type 172.16.0.100 and 172.16.0.110 for the IP addresses
respectively.
• Complete the process by accepting defaults when you receive a prompt, and by clicking OK to
confirm any messages.
5. In the Network Policy Server, click the Connection Request Policies node, and verify that the
Microsoft Routing and Remote Access Service Policy is disabled. This was created automatically
when Routing and Remote Access was enabled.
6. Close the Network Policy Server management console, and then close the Routing and Remote
Access console.
Task 2: Allow PING for Testing Purposes
1. On LON-RTR, open Windows Firewall with Advanced Security.
2. Create an inbound rule with the following properties:
• Type: Custom
• All programs
• Protocol type: Select ICMPv4, and then click Customize
• Specific ICMP types: Echo Request
• Default scope
• Action: Allow the connection
• Default profile
• Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.
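The same two checks scripted, as an added example that is not part of the course lab: the inbound ICMPv4 echo-request rule from Task 2 created with the NetSecurity cmdlets on LON-RTR, and the NPS connection request policies listed so the automatically created Microsoft Routing and Remote Access Service Policy from Task 1, step 5 can be confirmed disabled. It assumes an elevated prompt on LON-RTR; the rule name is the one used in the lab.

```powershell
# Added example, not part of the course lab steps. ICMP type 8 is Echo Request.

function New-IcmpEchoRequestRule {
    param([string]$DisplayName = 'ICMPv4 echo request')

    # Idempotent: drop any earlier rule with the same display name before creating it.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Custom rule, all programs, ICMPv4 / Echo Request, default (any) scope and profile, allow.
    New-NetFirewallRule -DisplayName $DisplayName `
                        -Direction Inbound `
                        -Protocol ICMPv4 `
                        -IcmpType 8 `
                        -Action Allow `
                        -Profile Any | Out-Null

    # Read the protocol filter back so the stored ICMP type is checked, not just the rule name.
    Get-NetFirewallRule -DisplayName $DisplayName |
        Get-NetFirewallPortFilter |
        Select-Object Protocol, IcmpType
}

function Show-NpsConnectionRequestPolicies {
    # netsh nps is the scripted view of the Network Policy Server console;
    # "crp" lists connection request policies with their processing order and enabled state.
    netsh nps show crp
}

New-IcmpEchoRequestRule | Format-Table -AutoSize
Show-NpsConnectionRequestPolicies
```

Because this rule admits echo requests on every profile, including the interface named Internet, it belongs to the lab only and should be removed once testing is done.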

Results: After this exercise, you should have created a VPN server and configured inbound
communications.
Exercise 3: Configuring the Client Settings to Support NAP
Scenario
In this exercise, you will enable a client VPN to connect to the Adatum network. You then will enable and
configure the required client-side NAP components.
The main tasks for this exercise are as follows:
1. Enable a Client NAP Enforcement Method
2. Establish a VPN Connection
3. To Prepare for the Next Module
Task 1: Enable a Client NAP Enforcement Method
1. Switch to the LON-CL2 computer.
2. Run the NAP Client Configuration tool (napclcfg.msc).
3. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.
4. Close the NAP Client Configuration tool.
5. Run services.msc, and then configure the Network Access Protection Agent service for automatic
startup.
6. Start the service.
7. Close the services console.
8. Open the Local Policy Editor (gpedit.msc), and then enable the Local Computer Policy/Computer
Configuration/Administrative Templates/Windows Components/Security Center/Turn on
Security Center (Domain PCs only) setting.
9. Close the Local Group Policy Editor.
Task 2: Establish a VPN Connection
1. On LON-CL2, create a new VPN connection with the following properties:
• Internet address to connect to: 10.10.0.1
• Destination name: Adatum VPN
• Allow other people to use this connection: Enable
2. After you have created the VPN, modify its settings by viewing the properties of the connection, and
then clicking the Security tab. Use the following settings to reconfigure the VPN:
• Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled)
• Properties of this authentication type:
o Validate server certificate: Disable
o Connect to these servers: Disable
o Authentication method: Secured password (EAP-MSCHAP v2)
o Enable Fast Reconnect: Disable
o Enforce Network Access Protection: Enable
3. Test the VPN connection:
• In the Network Connections window, connect to the Adatum VPN connection.
4. At the command prompt, run ipconfig /all to verify that the System Quarantine State is Not
Restricted.
5. Ping 172.16.0.10.
6. Disconnect the Adatum VPN.
7. Switch to LON-RTR.
8. Open Network Policy Server.
9. In the Default Configuration of the Windows Security Health Validator, enable the Restrict access for
clients that do not have all available security updates installed option on the
Windows 8/Windows 7/Windows Vista page.
10. Switch back to LON-CL2, and then reconnect the VPN.
11. Run the ipconfig /all command to verify that the System Quarantine State is Restricted.
12. Disconnect the VPN.
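Task 1 of this exercise and the quarantine-state check from Task 2, scripted as an added example that is not part of the course lab. It assumes an elevated PowerShell prompt on LON-CL2; 79623 is the netsh enforcement client ID for the EAP Quarantine Enforcement Client, and the registry value written for the Turn on Security Center (Domain PCs only) policy is an assumption, labelled as such in the code.

```powershell
# Added example, not part of the course lab. Equivalent of Exercise 3, Task 1 plus the
# "System Quarantine State" verification from Task 2, for LON-CL2.

function Enable-NapEapEnforcementClient {
    # Same change as enabling the EAP Quarantine Enforcement Client in napclcfg.msc.
    netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE" | Out-Null
    # Shows the enforcement clients and agent state as the client now sees them.
    netsh nap client show state
}

function Set-NapAgentAutomatic {
    # 'napagent' is the service name behind "Network Access Protection Agent" in services.msc.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    Get-WmiObject -Class Win32_Service -Filter "Name='napagent'" |
        Select-Object Name, State, StartMode
}

function Enable-SecurityCenterForDomainPCs {
    # Assumption: the local policy "Turn on Security Center (Domain PCs only)" is stored as the
    # SecurityCenterInDomain DWORD under this key. Confirm in gpedit.msc before relying on it.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name SecurityCenterInDomain -Value 1 -Type DWord
    Get-ItemProperty -Path $key | Select-Object SecurityCenterInDomain
}

function Get-NapQuarantineState {
    # ipconfig /all prints "System Quarantine State . . . : Restricted" (or "Not Restricted")
    # on a NAP-capable client; the text after the last colon is what Task 2 asks you to verify.
    $line = ipconfig /all | Select-String -Pattern 'System Quarantine State' | Select-Object -First 1
    if (-not $line) { return 'Unknown (no NAP state reported by ipconfig)' }
    return ($line.Line -split ':')[-1].Trim()
}

Enable-NapEapEnforcementClient
Set-NapAgentAutomatic
Enable-SecurityCenterForDomainPCs
"System Quarantine State: $(Get-NapQuarantineState)"
```

Run Get-NapQuarantineState again after reconnecting the VPN in steps 10 and 11 to see the state change to Restricted.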
Task 3: To Prepare for the Next Module
When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform the
following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411D-LON-RTR and 20411D-LON-DC1.

Results: After this exercise, you should have created a new VPN connection on LON-CL2, and have
enabled and tested NAP on LON-CL2.
Question: The DHCP NAP enforcement method is the weakest enforcement method in
Windows Server 2012. Why is it a less preferable enforcement method than other available
methods?
Question: Could you use the remote access NAP solution alongside the IPsec NAP solution?
What benefit would this scenario provide?
Question: Could you have used DHCP NAP enforcement for the client? Why or why not?
Module Review and Takeaways
Review Question(s)
Question: What are the three main client configurations that you need to configure for most
NAP deployments?
Question: You want to evaluate the overall health and security of the NAP enforced
network. What do you need to do to start recording NAP events?
Question: On a client computer, what steps must you perform to ensure that its health is
assessed?
Tools
Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: In Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh NAP
Use for: Using Netsh, you can create scripts to configure NAP automatically, and display the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh -c nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration/Administrative Templates/Windows Components/Security Center section of Group Policy.

Module 8
Implementing Remote Access
Contents:
Module Overview 8-1
Lesson 1: Overview of Remote Access 8-2
Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard 8-9
Lab A: Implementing DirectAccess by Using the Getting Started Wizard 8-23
Lesson 3: Implementing and Managing an Advanced DirectAccess Infrastructure 8-29
Lab B: Deploying an Advanced DirectAccess Solution 8-41
Lesson 4: Implementing VPN 8-52
Lab C: Implementing VPN 8-62
Lesson 5: Implementing Web Application Proxy 8-68
Lab D: Implementing Web Application Proxy 8-74
Module Review and Takeaways 8-78

Module Overview
Remote access technologies in the Windows Server 2012 operating system enable users to connect
securely to data and resources in corporate networks. In Windows Server 2012, four component
technologies, virtual private network (VPN), DirectAccess, routing, and Web Application Proxy, are
integrated into a single, unified server role called Remote Access.
In this module, you will learn how to implement remote access technologies in Windows Server 2012. You
will also learn about different implementation scenarios for small or medium-sized organizations and
enterprise organizations.
Objectives
After completing this module, you will be able to:
• Install and manage the Remote Access role in Windows Server 2012.
• Implement DirectAccess by using the Getting Started Wizard.
• Implement and manage an advanced DirectAccess infrastructure.
• Implement VPN access.
• Implement Web Application Proxy.
Lesson 1
Overview of Remote Access
The type of remote access technology that an organization chooses to implement generally depends on
the organization's business requirements. Some organizations might deploy several remote access
technologies on different servers, and they might deploy other technologies on the same server. For
example, organizations that need administrators to manage servers from the Internet will deploy
DirectAccess, and they will deploy Web Application Proxy if they need to publish internal applications to
the Internet.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the remote access options available in Windows Server 2012.
• Describe how to manage remote access in Windows Server 2012.
• Explain how to install and manage the Remote Access role in Windows Server 2012.
• Describe the considerations for deploying a public key infrastructure (PKI) for remote access in
Windows Server 2012.
Remote Access Options
The Remote Access role in Windows Server 2012
and Windows Server 2012 R2 provides four
remote access options:
• DirectAccess.
• VPN.
• Routing.
• Web Application Proxy.
Each of these options represents a technology
that organizations can use for different business
scenarios to access internal resources from offices
in remote locations or from the Internet.
DirectAccess
DirectAccess enables remote users to securely access corporate resources, such as email servers, shared
folders, or internal websites, without connecting to a VPN. When connecting with DirectAccess, users
don't need to perform any action, as DirectAccess automatically establishes a connection to the corporate
network. DirectAccess also provides increased productivity for a mobile workforce by offering the same
connectivity experience both inside and outside the office. With the new unified management experience,
you can configure DirectAccess and older VPN connections from one location. Other enhancements in
DirectAccess include simplified deployment and improved performance and scalability.
VPN
VPN connections enable your users who are working offsite, such as at home, at a customer site, or from a
public wireless access point, to access a server on your organization's private network. VPN connections
use the infrastructure that a public network, such as the Internet, provides. From the user's perspective,
the VPN is a point-to-point connection between a computer, the VPN client, and their organization's

server. The exact infrastructure of the shared or public network is irrelevant because it appears as if the
data is sent over a dedicated private link.
Routing
Windows Server 2012 can act as a router or network address translation (NAT) device between two
internal networks or between the Internet and the internal network. Routing works with routing tables
and supports routing protocols such as Routing Information Protocol version 2, Internet Group
Management Protocol (IGMP), and Dynamic Host Configuration Protocol (DHCP) Relay Agent.
Web Application Proxy
Web Application Proxy is a new feature in Windows Server 2012 R2. It provides reverse proxy functionality
for web applications located in an organization's internal network, so that users located on the Internet
can access internal web applications. Web Application Proxy preauthenticates users by using Active
Directory Federation Services (AD FS) technology and acts as an AD FS proxy.
Managing Remote Access in Windows Server 2012
After you install the Remote Access role on a server running Windows Server 2012, you can manage the
role by using the Microsoft Management Console (MMC), or by using Windows PowerShell. You can use the
MMC for your daily tasks of managing remote access, and you can use Windows PowerShell for managing
multiple servers and for scripting or automating the management tasks.
There are two MMCs for managing the Remote Access role: the Remote Access Management Console and
the Routing and Remote Access console. You can access these consoles from the Tools menu in Server
Manager.
The Remote Access Management Console
The Remote Access Management Console allows you to manage DirectAccess, VPN, and Web Application
Proxy. When you open this console for the first time, it provides you with a wizard-based setup to
configure remote access settings according to your business requirements. After you configure the initial
remote access settings, you will be provided with the following options in the console to manage your
remote access solution:
• Configuration. You can edit the remote access settings by using wizards and by using the graphical
representation of the current network configuration in the console.
• Dashboard. You can monitor the overall status of servers and clients that are part of the remote
access solution.
• Operational status. You can access detailed information on the status of the servers that are part of
the remote access solution.
• Remote client status. You can access detailed information on the status of the clients that are
connecting to the remote access solution.
• Reporting. You can generate historical reports on different parameters, such as remote access usage,
access details, connection details, and server load statistics.

The Routing and Remote Access Console
You can use the Routing and Remote Access console to configure a server running Windows Server 2012
as a NAT device, as a router for both IPv4 and IPv6 protocols, and as a VPN server. After the configuration
is complete, you can manage the remote access solution by using the following options in the console:
• Server Status. You can monitor the status of the remote access server (RAS), the ports in use, and the
server's uptime.
• Remote Access Client, Ports, Remote Access Logging. You can monitor the client status, port
status, and detailed logging information about clients connected to the remote access server.
• IPv4. You can configure the IPv4 settings such as NAT, IPv4 routing with static routes, and the
following routing protocols: Routing Information Protocol version 2, Internet Group Management
Protocol, and DHCP Relay Agent.
• IPv6. You can configure IPv6 settings, such as IPv6 routing with static routes and DHCP Relay Agent
routing protocol.
Windows PowerShell Commands
Windows PowerShell commands in Windows Server 2012 allow you to configure remote access and allow
you to create scripts for automation of some configuration and management procedures. Some examples
of Windows PowerShell commands for remote access include:
• Set-DAServer. Sets the properties specific to the DirectAccess server.
• Get-DAServer. Displays the properties of the DirectAccess server.
• Set-RemoteAccess. Modifies the configurations that are common to both DirectAccess and VPN,
such as the Secure Sockets Layer (SSL) certificate, internal interface, and Internet interface.
• Get-RemoteAccess. Displays the configuration of DirectAccess and VPN, both Remote Access VPN
and site-to-site VPN.
You can list all remote access cmdlets by running the following cmdlet in a Windows PowerShell window:
Get-Command -Module RemoteAccess
For a complete list of remote access cmdlets in Windows PowerShell, visit the following link:
http://go.microsoft.com/fwlink/?LinkID=331164
Demonstration: Installing and Managing the Remote Access Role
In this demonstration, you will learn how to:
• Install the Remote Access role.
• Manage the Remote Access role.
Demonstration Steps
Install the Remote Access Role
1. On LON-SVR1, switch to the Server Manager console, click Manage, and then start the Add Roles and
Features wizard.
2. Complete the wizard with the following settings:
• On the Before You Begin page, click Next.
• On the Select installation type page, click Next.
• On the Select destination server page, click Next.
• On the Select server roles page, click Remote Access, and then click Next.
• On the Select features page, click Next.
• On the Remote Access page, click Next.
• On the Select role services page, click DirectAccess and VPN (RAS), and in the Add Roles and
Features Wizard page, click Add Features.
• On the Select role services page, click Next.
• On the Confirm installation selection page, click Install, and then when installation finishes,
click Close.
Manage the Remote Access Role
1. In the Server Manager console, open the Remote Access Management Console.
2. In the Remote Access Management Console, review the options for configuring and managing
remote access.
3. From the Server Manager console, open the Routing and Remote Access console.
4. In the Routing and Remote Access console, review the options for configuring and managing remote
access.
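The Windows PowerShell path through the same demonstration, as an added example that is not part of the course: installing the Remote Access role with the DirectAccess and VPN (RAS) role service (Windows feature name DirectAccess-VPN) on LON-SVR1 and then reviewing the role with the cmdlets the lesson names. It assumes the property names DAStatus, VpnStatus, InternalInterface, InternetInterface and SslCertificate on the object that Get-RemoteAccess returns.

```powershell
# Added example, not from the course. PowerShell equivalent of the demonstration steps.

function Install-RemoteAccessRole {
    # -IncludeManagementTools adds the Remote Access Management Console and the RRAS console,
    # the two MMCs described above.
    $result = Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -IncludeManagementTools
    if (-not $result.Success) { throw 'Remote Access role installation did not succeed.' }
    if ($result.RestartNeeded -ne 'No') { Write-Warning "Restart needed: $($result.RestartNeeded)" }
    $result.FeatureResult | Select-Object Name, DisplayName, Success
}

function Get-RemoteAccessCmdletSummary {
    # Same information as "Get-Command -Module RemoteAccess", grouped by verb so the read (Get-*)
    # and change (Set-*, Install-*, ...) surface of the module is visible at a glance.
    Get-Command -Module RemoteAccess |
        Group-Object -Property Verb |
        Sort-Object -Property Count -Descending |
        Select-Object Name, Count,
            @{ Name = 'Cmdlets'; Expression = {
                ($_.Group | Select-Object -ExpandProperty Name | Sort-Object) -join ', ' } }
}

function Get-RemoteAccessStateReport {
    # Get-RemoteAccess returns the settings shared by DirectAccess and VPN. On a freshly installed
    # role, before any wizard or Install-RemoteAccess has run, both statuses report as not configured.
    # Property names are assumed from the RemoteAccess module's output object.
    try {
        $ra = Get-RemoteAccess -ErrorAction Stop
        [pscustomobject]@{
            DirectAccess      = $ra.DAStatus
            Vpn               = $ra.VpnStatus
            InternalInterface = $ra.InternalInterface
            InternetInterface = $ra.InternetInterface
            SslCertificate    = $ra.SslCertificate
        }
    } catch {
        [pscustomobject]@{ Error = $_.Exception.Message }
    }
}

Install-RemoteAccessRole | Format-Table -AutoSize
Get-RemoteAccessCmdletSummary | Format-Table -AutoSize -Wrap
Get-RemoteAccessStateReport | Format-List
```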
Network Address Translation
NAT functionality is a component of the Routing
and Remote Access service that enables corporate
computers to access resources on the Internet or
other public networks. NAT technology translates
private IPv4 addresses in a corporate network into
public IPv4 addresses.
Why Is NAT Necessary?
Computers and devices that need to connect to the Internet have to be configured with public IP
addresses. However, the supply of public IPv4 addresses shrinks every day, and organizations cannot
obtain a public IPv4 address for every corporate computer. Therefore, organizations use private IP
addressing for corporate computers. Because private IP addresses are not routable on the Internet,
computers configured with private IP addresses cannot access the Internet. By using NAT, organizations
need to obtain only one public IPv4 address to access the Internet. NAT translates a private IPv4 address
into a public IPv4 address, which provides Internet access to corporate computers.
The NAT server has two network adapters. One of these network adapters is configured with a private
IPv4 address and is connected to the corporate network, whereas the other network adapter is configured
with a public IPv4 address and is connected to the Internet.
How NAT Works
In order for a client computer to connect to the Internet by using NAT, it has to be configured to use the
NAT server as a default gateway. When a client computer on the private network requests access to a
computer located on the Internet, such as a web server, the NAT-enabled server translates the outgoing

packets and then sends them to the web server on the Internet. The NAT server also translates the
response from the web server on the Internet and returns it to the client on the corporate network.
The NAT server secures the corporate network by hiding the IP addresses of computers in a corporate
network. When a computer in the corporate network communicates with a web server located on the
Internet, only the external IP address of the NAT server is visible to the Internet web server. Furthermore,
you can configure Windows Firewall with Advanced Security on the NAT server to protect your corporate
network from Internet security threats.
The NAT server can also be used to connect computers from different subnets in a corporate network. In
this scenario, a client computer located in the corporate network needs to access resources such as
intranet web servers in a different corporate subnet. The NAT server translates the client computer
packets and sends them to the intranet web server, receives the response from the intranet web server,
and then sends the received content to the client computer.
Considerations for Deploying a PKI for Remote Access
PKI helps you verify and authenticate the identity
of each party involved in an electronic transaction.
It also helps establish trust between computers
and the corresponding applications that are
hosted on application servers. A common example
includes the use of PKI technology to secure
websites and remote access. Digital certificates are
key components of PKI that contain electronic
credentials, which are used to authenticate users
or computers. Windows Server 2012 supports
building a certificate services infrastructure in your
organization by using Active Directory Certificate
Services (AD CS) components.
Using PKI for Remote Access
When employees of an organization access internal resources from the Internet, it is very important that
the communication and data in transit are protected from interception by unauthorized users. Therefore,
the communication between the employees located on the Internet and the internal resources should be
encrypted. Furthermore, users that connect from the Internet and their computers should be
authenticated. Remote access technologies in Windows Server 2012 use PKI for authenticating users and
computers and encrypting data and communication when users are remotely accessing internal resources.
When planning for using PKI for remote access in your organization, you should consider the following:
• Will you use PKI for deploying server certificates on remote access servers only?
• Will you use PKI for deploying server certificates on remote access servers, deploying computer
certificates for client computers, and deploying user certificates for users?
• Which type of certificates will you use? You can use self-signed certificates or certificates issued by a
private certification authority (CA) or by a public CA.
o Self-signed certificates are issued by the server itself, and, by default, they are trusted only by the
issuing server, and not by other computers in the organization. You can use self-signed
certificates in small and medium-sized organizations that use DirectAccess configured with the
Getting Started Wizard, which provides simple setup and configuration.

o You typically use certificates issued by a private CA in organizations that want to manage their
own PKI infrastructure and where PKI is used for many purposes, such as remote access, client
authentication, and server authentication. These organizations realize significant cost benefits
because a large number of certificates are not purchased, but are issued by the private CA. When
deploying a private CA, an administrator can create customized certificate templates that will
meet an organization's specific business requirements. Administrators can also configure
autoenrollment, so that all trusted users or computers automatically enroll for a certificate from
the private CA. However, a private CA requires greater administrative effort for managing CA
servers and providing user support in organizations.
o You use certificates issued by a public CA in organizations that deploy certificates for applications
which need to be trusted by many different operating systems, or for computers and devices that
are not managed by these organizations. You cannot use a private CA because, by default, a
private CA provides certificates that need to be trusted only by domain computers. Therefore,
using a private CA is less appropriate in this scenario. Public CAs are also used by organizations
that do not have a PKI infrastructure deployed or organizations that need a smaller number of
certificates. Organizations that use certificates generated by public CAs require less administrative
effort for managing PKI. This is because the organizations' administrators do not manage the public
CA infrastructure. Purchasing certificates from a public CA involves procedures that are different
from the ones required from private CAs. For example, an organization that needs to purchase a
certificate from a public CA has to prove the ownership of the domain name.
• When deploying an advanced DirectAccess infrastructure, you use certificates generated by a private or
public CA. Using self-signed certificates is not supported in advanced DirectAccess infrastructures.
o The following table lists the advantages and disadvantages of using certificates issued by a public
or private CA.
CA type: Private CA
Advantages: Provides greater control over certificate management; lower cost when compared to a public CA; customized templates; autoenrollment.
Disadvantages: By default, not trusted by external clients (web browsers, operating systems); requires greater administration.

CA type: Public CA
Advantages: Trusted by many external clients (web browsers, operating systems); requires minimal administration.
Disadvantages: Higher cost when compared to an internal CA; cost is based per certificate; certificate procurement is slower.

• Some organizations have started using a hybrid approach for their PKI architecture. A hybrid
approach uses an external public CA for the root CA, and a hierarchy of internal CAs for the
distribution of certificates. This gives organizations the advantage of having their internally issued
certificates trusted by external clients, while still providing the advantages of an internal CA. The
only disadvantage to this method is the cost. A hybrid approach is typically the most expensive
approach because public certificates for CAs are very expensive.
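The self-signed, private CA and public CA distinction above can be checked on a remote access server directly from its certificate store. The following is an added example, not part of the course: it inventories the computer's personal store (where a remote access server's SSL and IPsec certificates live) and classifies each certificate as self-signed, CA-issued and trusted by this computer, or CA-issued but not trusted here. It uses only the Cert: drive and .NET X509Chain; the store path is a parameter.

```powershell
# Added example, not part of the course. Chain building is done offline (no CRL download) so the
# result reflects only whether a trusted root for the certificate is present on this computer.

function Get-CertificateTrustReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        # The last element of the built chain is the anchor the verifier stopped at
        # (the trusted root, or the highest CA it could find when the chain is untrusted).
        $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        if ($selfSigned -and $trusted) {
            # Only possible because this computer holds its own copy in Trusted Root Certification
            # Authorities; other computers do not, which is the limitation described above.
            $kind = 'Self-signed; trusted on this computer only'
        }
        elseif ($selfSigned) { $kind = 'Self-signed; not trusted' }
        elseif ($trusted)    { $kind = 'CA-issued; chain trusted by this computer' }
        else                 { $kind = 'CA-issued; chain NOT trusted by this computer' }

        # ChainStatus is empty when the chain is fine; otherwise it names the problem (e.g. UntrustedRoot).
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Kind       = $kind
            RootCA     = $anchor.Subject
            ExpiresUtc = $cert.NotAfter.ToUniversalTime()
            Status     = $status
        }
        $chain.Reset()
    }
}

Get-CertificateTrustReport | Sort-Object Kind |
    Format-Table Subject, Kind, RootCA, ExpiresUtc, Status -Wrap
```

A certificate that reports as trusted here but whose RootCA is not a public root will still be rejected by unmanaged clients, which is the case the public CA column of the table covers.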
Configuring User Settings for Remote Access
Business requirements for remote access in
organizations may vary by employee type. Some
employees may not need remote access, while
others may, based on additional conditions. You
can use the Active Directory Users and Computers
console to configure user settings for different
remote access options. The settings are located in
the Dial-In Properties of the user account.
User Settings for Remote Access include:
• Network Access Permission. Defines the actions that the Remote Access role will perform when a user
tries to establish a connection and is authenticated by Active Directory Domain Services (AD DS). There
are three actions that can be configured:
o Allow access. Remote access is allowed for the user connecting from a remote location.
o Deny access. Remote access is denied for the user connecting from a remote location.
o Control access through NPS network policy. This action is configured by default in the user
account properties in the Active Directory Users and Computers console. A remote access server
can have multiple Network Policy Server (NPS) network policies configured. NPS network policies
perform multiple checks to verify whether different conditions about the remote access user and
computer are met. Based on the verification results, NPS network policy will allow or deny the
remote access. If all NPS network policies are deleted, then remote access will be denied to users
that are configured using NPS network policy, because there is no NPS network policy available
to authorize them for remote access.
• Verify Caller ID. If a remote access client computer establishes a connection using a telephone line,
the remote access server can be configured to verify caller ID information. For this option to be
configured, the telephony equipment at the remote access server location must be able to transfer
the caller ID information to the remote access server by using appropriate drivers.
• Callback Options. If Callback Options is enabled, once the remote access client computer initiates a
connection by using a telephone line, the remote access server calls back the client computer. The
number that the server uses for calling back the client is the caller number, or it can be a number
configured by the administrator.
• Assign Static IP Addresses. In many scenarios, after the remote access client computer successfully
establishes a connection with the remote access server, an IP address is assigned automatically to the
remote access client computer by the organization's DHCP server. However, an administrator can also
configure a static IP address for the remote access client computer by using the dial-in properties of the
user account.
• Apply Static Routes. An administrator can configure static routes that will be added to the remote
access client computer routing table when the connection is established with the remote access
server.
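The Dial-in settings above are stored as AD DS attributes, so they can be audited in bulk rather than one user at a time. The following is an added example, not part of the course: it reads those attributes with the ActiveDirectory module (RSAT), reports each user's effective Network Access Permission, and returns accounts with an explicit Allow to the default Control access through NPS network policy. The attribute-to-setting mapping (msNPAllowDialin for Network Access Permission, msNPCallingStationID for Verify Caller ID, msRADIUSCallbackNumber for Callback Options, msRADIUSFramedIPAddress for the static IP address, msRADIUSFramedRoute for static routes) is the schema the dialog writes to; the search base is a placeholder for the Adatum domain used in this course.

```powershell
# Added example, not from the course. Audits and resets the Dial-in settings behind the
# Active Directory Users and Computers dialog. Requires the ActiveDirectory module.

Import-Module ActiveDirectory

$dialInAttributes = 'msNPAllowDialin', 'msNPCallingStationID', 'msRADIUSCallbackNumber',
                    'msRADIUSFramedIPAddress', 'msRADIUSFramedRoute'

function ConvertFrom-RadiusFramedIPAddress {
    # AD stores the static IPv4 address as a 32-bit integer with the first octet most significant.
    param([int]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return ($bytes -join '.')
}

function Get-DialInAudit {
    # Placeholder search base: adjust to the OU that holds the users you want to review.
    param([string]$SearchBase = 'OU=Users,DC=adatum,DC=com')

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $dialInAttributes | ForEach-Object {
        # $true = Allow access, $false = Deny access, not set = Control access through NPS network policy.
        if ($_.msNPAllowDialin -eq $true)      { $permission = 'Allow access' }
        elseif ($_.msNPAllowDialin -eq $false) { $permission = 'Deny access' }
        else                                   { $permission = 'Control access through NPS network policy' }

        $staticIp = $null
        if ($null -ne $_.msRADIUSFramedIPAddress) {
            $staticIp = ConvertFrom-RadiusFramedIPAddress -Value $_.msRADIUSFramedIPAddress
        }

        [pscustomobject]@{
            User            = $_.SamAccountName
            NetworkAccess   = $permission
            VerifyCallerID  = $_.msNPCallingStationID
            CallbackNumber  = $_.msRADIUSCallbackNumber
            StaticIPAddress = $staticIp
            StaticRoutes    = ($_.msRADIUSFramedRoute -join '; ')
        }
    }
}

function Reset-DialInToNpsControl {
    # Clearing the attribute returns the account to the default, so NPS network policy decides.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Clear msNPAllowDialin
}

# Accounts with an explicit Allow bypass every condition in your NPS network policies;
# review them first.
Get-DialInAudit | Where-Object { $_.NetworkAccess -eq 'Allow access' } | Format-Table -AutoSize
```

Pipe the audited user names into Reset-DialInToNpsControl only after confirming that an NPS network policy exists to authorize them, since the text above notes that with no network policy present access is denied.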

Lesson 2
Implementing DirectAccess by Using the Getting Started
Wizard
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources
without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless
connectivity to the application infrastructure, for both internal users and remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application on the client computer to have complete access to intranet resources.
DirectAccess also enables you to specify resources and client-side applications that are restricted for
remote access.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components that are required to implement DirectAccess.
• Describe DirectAccess server deployment options.
• Describe DirectAccess tunneling protocol options.
• Describe how DirectAccess works for internal clients.
• Describe how DirectAccess works for external clients.
• Explain how to deploy DirectAccess by running the Getting Started Wizard.
• Identify the changes made by the Getting Started Wizard.
• Explain the limitations of deploying DirectAccess by using the Getting Started Wizard.
DirectAccess Components
To deploy and configure DirectAccess, your
organization must support the following
infrastructure components:
• DirectAccess server.
• DirectAccess clients.
• Network location server.
• Internal resources, such as corporate applications.
• An AD DS domain.
• Group Policy.
• PKI (optional for the internal network).
• Domain Name System (DNS) server.
• Network Access Protection (NAP) server.

DirectAccess Server
The DirectAccess server can be any computer running Windows Server 2012 that you join to a domain,
that accepts connections from DirectAccess clients, and that establishes communication with intranet
resources. This server provides authentication services for DirectAccess clients and acts as an Internet
Protocol security (IPsec) tunnel mode endpoint for external traffic. The new Remote Access server role
allows centralized administration, configuration, and monitoring for both DirectAccess and VPN
connectivity.
Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium-sized organizations. The wizard does so by
removing the need for full PKI deployment and removing the requirement for two separate network
interface cards that are connected to the Internet and configured with two consecutive public IPv4
addresses. In Windows Server 2012, the wizard detects the actual implementation state of the
DirectAccess server, and then automatically selects the best deployment method, thereby masking from
the administrator the complexity of manually configuring IPv6 transition technologies.
DirectAccess Clients
A DirectAccess client can be any domain-joined computer running the Windows 8 operating system,
Windows 7 Enterprise, or Windows 7 Ultimate.
Note: With off-premises provisioning, you can join the client computer to a domain
without requiring the client computer to be located within your internal premises.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Teredo is used if the client is separated from the DirectAccess server by a NAT device. Note that the user
does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using Internet Protocol over
Secure Hypertext Transfer Protocol (IP-HTTPS), which uses an SSL connection to ensure connectivity.
Network Location Server
A DirectAccess client uses the network location server to determine its location. If the client computer can
securely connect to the network location server by using Hypertext Transfer Protocol over Secure Sockets
Layer (HTTPS), then the client computer assumes it is on the intranet, and the DirectAccess policies are not
enforced. If the network location server is not contactable, the client assumes it is on the Internet. The
network location server is installed on the DirectAccess server with the web-server role.
Note: The URL for the network location server is distributed by using a Group Policy Object
(GPO).
Internal Resources
You can configure any application that is running on internal servers or client computers to be available
for DirectAccess clients. For older applications and servers that do not have IPv6 support, such as in the
Windows Server 2003 operating system or other third-party operating systems, Windows Server 2012
includes native support for protocol translation through NAT64 and name resolution through DNS64, which
together act as a gateway that converts IPv6 communication from the DirectAccess client to IPv4 for the
internal servers.
Active Directory Domain
You must deploy at least one AD DS domain running, at a minimum, Windows Server 2003 domain
functional level. DirectAccess provides integrated multiple-domain support, which allows client computers
from different domains to access resources that may be located in different trusted domains.
Group Policy
You need to use Group Policy for the centralized administration and deployment of DirectAccess settings.
The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. DirectAccess enables client
authentication requests to be sent over an HTTPS-based Kerberos proxy service running on the
DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and
domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf of the
client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and
force tunneling, you still must implement certificates for authentication for every client that will
participate in DirectAccess communication.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or newer, or a
third-party DNS server that supports DNS message exchanges over ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. DirectAccess provides the
ability to configure NAP health check directly from the setup user interface.
IPv6 - Technology Overview
http://go.microsoft.com/fwlink/?LinkID=269679
Remote Access (DirectAccess, Routing and Remote Access) Overview
http://go.microsoft.com/fwlink/?LinkID=269658
DirectAccess Server Deployment Options
DirectAccess server deployment options in Windows Server 2012 include:
• Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different network locations, the DirectAccess client computer running the Windows 8 operating system automatically chooses the closest endpoint. You must specify the endpoint manually for DirectAccess client computers running Windows 7. This also works for Distributed File System (DFS) shares that are redirected to an appropriate AD DS site.
• Multiple domain and multiple forest support. Organizations that have complex multidomain or multiforest infrastructure can deploy DirectAccess servers in multiple domains or forests. In this scenario, DirectAccess client computers can connect to DirectAccess servers located in different domains or forests.
• Deploy a DirectAccess server behind a NAT. You can deploy a DirectAccess server behind a NAT device, with support for a single or multiple interfaces, which removes the prerequisite for a public address. In this configuration, only IP-HTTPS is deployed, which allows a secure IP tunnel to be established by using a secure HTTP connection.
• Support for one-time password (OTP) and virtual smart cards. DirectAccess supports OTP authentication, where users are authenticated by providing a combination of user name, password, and an OTP. This feature requires a PKI deployment. In addition, DirectAccess can use the trusted platform module (TPM)-based virtual smart card, which uses the TPM of a client computer, to act as a virtual smart card for two-factor authentication.
• Offload network adapters with support for network interface card (NIC) Teaming. NIC Teaming in Windows Server 2012 is fully supported without the need for third-party drivers. DirectAccess servers support NIC Teaming. This capability allows DirectAccess client computers to benefit from bandwidth aggregation on the network cards and failover capability in case one of the network cards is not working.
• Off-premises provisioning. With the new Djoin.exe tool, you can easily provision a non-domain computer with an Active Directory binary large object (BLOB) so that the computer can be joined to a domain without being connected to the internal network. After the computer is joined to the domain, it can access the intranet resources by using DirectAccess.

DirectAccess Tunneling Protocol Options
DirectAccess uses IPv6 and IPsec when clients connect to internal resources. However, many organizations
do not have native IPv6 infrastructure. Therefore, DirectAccess uses IPv6 transition tunneling technologies
to connect IPv6 clients to IPv4 internal resources while communicating across the IPv4-based Internet.
DirectAccess tunneling protocols include:
• ISATAP. ISATAP enables DirectAccess clients to connect to the DirectAccess server over IPv4 networks for intranet communication. By using ISATAP, an IPv4 network emulates a logical IPv6 subnet to other ISATAP hosts, where ISATAP hosts automatically tunnel to each other for IPv6 connectivity. Windows Vista, Windows Server 2008, and newer Windows client and server operating systems can act as ISATAP hosts. ISATAP does not need changes on IPv4 routers because IPv6 packets are tunneled within an IPv4 header. In order to use ISATAP, you have to configure DNS servers to answer ISATAP queries, and IPv6 must be enabled on network hosts.
• 6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in an IPv4 header, and then sent over the 6to4 tunnel adapter to the DirectAccess server. You can configure the 6to4 tunnel adapter for DirectAccess clients and the DirectAccess server by using a GPO. 6to4 does not work if clients are located behind an IPv4 NAT device.
• Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4 Internet, when clients are located behind an IPv4 NAT device. In this scenario, you should configure the firewall to allow outbound traffic on User Datagram Protocol (UDP) port 3544. Clients that have a private IPv4 address use Teredo to encapsulate IPv6 packets in an IPv4 header and send them over the IPv4-based Internet. You can configure Teredo for DirectAccess clients and the DirectAccess server by using a GPO.
• IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based Internet. IP-HTTPS is used by clients that are unable to connect to the DirectAccess server by using ISATAP, 6to4, or Teredo. You can configure IP-HTTPS for DirectAccess clients and the DirectAccess server by using Group Policy.
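The transition technology a client used is visible in the IPv6 source address it presents to the DirectAccess server, which matters when you review connection or firewall logs. The following Python decoder is an added example, not part of the course material or of Windows: it recovers the embedded public IPv4 address from a 6to4 address (RFC 3056), the Teredo server, NAT-mapped UDP port and public client address from a Teredo address (RFC 4380), and labels IP-HTTPS clients when given the deployment's own IP-HTTPS prefix (here a constructed placeholder); all sample addresses are constructed.

```python
"""Classify DirectAccess client IPv6 source addresses by transition technology.

Added example (not from the course): address layouts follow RFC 3056 (6to4)
and RFC 4380 (Teredo); the IP-HTTPS prefix is deployment-specific and is
passed in by the caller. Sample addresses below are constructed.
"""
import ipaddress

SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def classify_transition(addr, iphttps_prefix=None):
    """Return a dict describing how the client reached the DirectAccess server.

    'technology' is one of '6to4', 'teredo', 'ip-https' or 'native'; IPv4
    details recovered from the address are added where the layout defines them.
    """
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed  # 16 bytes, network byte order

    if ip in SIX_TO_FOUR_PREFIX:
        # RFC 3056: 2002:WWXX:YYZZ::/48, bytes 2..5 hold the public IPv4 address
        # of the 6to4 host, which is why 6to4 clients cannot sit behind a NAT.
        return {
            "technology": "6to4",
            "client_public_ipv4": str(ipaddress.IPv4Address(raw[2:6])),
        }

    if ip in TEREDO_PREFIX:
        # RFC 4380: | 2001:0000 | server IPv4 | flags | ~UDP port | ~client IPv4 |
        # Port and client address are stored inverted (XOR with all ones) so a
        # NAT device does not mistake them for IPv4 fields it should rewrite.
        server = ipaddress.IPv4Address(raw[4:8])
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
        return {
            "technology": "teredo",
            "teredo_server_ipv4": str(server),
            "flags": flags,
            "client_public_ipv4": str(client),
            "client_udp_port": port,  # the client's NAT-mapped external UDP port
        }

    if iphttps_prefix is not None and ip in ipaddress.IPv6Network(iphttps_prefix):
        # IP-HTTPS clients get an address from the prefix configured on the
        # DirectAccess server, so nothing about their IPv4 side is encoded.
        return {"technology": "ip-https"}

    return {"technology": "native"}


# Constructed sample of client source addresses as a connection log might show them.
IPHTTPS_PREFIX = "2001:db8:da:1::/64"  # placeholder for the server's IP-HTTPS prefix
SAMPLE_CLIENTS = [
    "2002:836b:213c::836b:213c",                # 6to4, public IPv4 131.107.33.60
    "2001:0000:4136:e378:8000:63bf:3fff:fdd2",  # Teredo, RFC 4380-style example
    "2001:db8:da:1::1a2b",                      # IP-HTTPS (from the placeholder prefix)
    "2001:db8:1::10",                           # native IPv6
]


def summarize(addrs, iphttps_prefix=IPHTTPS_PREFIX):
    """Count clients per transition technology, e.g. to spot unexpected IP-HTTPS use."""
    counts = {}
    for a in addrs:
        tech = classify_transition(a, iphttps_prefix)["technology"]
        counts[tech] = counts.get(tech, 0) + 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE_CLIENTS:
        print(a, classify_transition(a, IPHTTPS_PREFIX))
    print(summarize(SAMPLE_CLIENTS))
```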
For more information on IPv6 transition technologies, visit the following link:
http://go.microsoft.com/fwlink/?LinkID=154382
For an overview of Teredo, visit the following link:
http://go.microsoft.com/fwlink/?LinkId=169500
For more information on IP-HTTPS, visit the following link:
http://go.microsoft.com/fwlink/?LinkId=169501

How DirectAccess Works for Internal Clients
A network location server is an internal network server that hosts an HTTPS-based URL. DirectAccess
clients try to access a network location server URL to determine if they are located on the intranet or on a
public network. The DirectAccess server also can be the network location server. In some organizations
where DirectAccess is a business-critical service, the network location server should be highly available.
Generally, the web server on the network location server does not have to be dedicated exclusively to
supporting DirectAccess clients.
The network location server must be available from each company location, because the behavior of the
DirectAccess client depends on the response from the network location server. Branch locations may need
a separate network location server at each branch location to ensure that the network location server
remains accessible even when there is a link failure between branches.
How DirectAccess Works for Internal Clients
The DirectAccess connection process happens automatically, without user intervention. DirectAccess
clients use the following process to connect to intranet resources:
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network
location server URL. Because the FQDN of the network location server URL corresponds to an
exemption rule in the Name Resolution Policy Table (NRPT), the DirectAccess client instead sends the
DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet-based
DNS server resolves the name.
2. The DirectAccess client accesses the HTTPS-based URL of the network location server, and during this
process, it obtains the certificate of the network location server.
3. Based on the certificate revocation list (CRL) distribution points field of the network location server's
certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to
determine if the network location server's certificate has been revoked.
4. If the HTTP response code is 200, the DirectAccess client determines that access to the network
location server URL succeeded; that is, the HTTP access, the certificate authentication, and the revocation
check all completed. Next, the DirectAccess client will use the network location awareness service to
determine if it should switch to the domain firewall profile and ignore the DirectAccess policies because it is
on the corporate network.
5. The DirectAccess client computer attempts to locate and log on to the AD DS domain by using its
computer account. Because the client no longer references any DirectAccess rules in the NRPT for the
rest of the connected session, all DNS queries are sent through interface-configured DNS servers, also
known as intranet-based DNS servers. With the combination of network location detection and
computer domain logon, the DirectAccess client configures itself for normal intranet access.
6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
(firewall network) profile to the attached network.
By design, the DirectAccess connection security tunnel rules are scoped for the public and private firewall
profiles, and they are disabled from the list of active connection security rules. The DirectAccess client has
successfully determined that it is connected to its intranet, and does not use DirectAccess settings, that is,
NRPT rules or connection security tunnel rules. The DirectAccess client can access intranet resources
normally. It also can access Internet resources through normal means, such as a proxy server.

Question: How will you configure the settings for different types of clients that need
DirectAccess?
How DirectAccess Works for External Clients
When a DirectAccess client cannot reach the URL specified for the network location server, the
DirectAccess client assumes that it is not connected to the intranet and that it is located on the Internet.
When the client computer cannot communicate with the network location server, it starts to use NRPT and
connection security rules. The NRPT has DirectAccess-based rules for name resolution, and connection
security rules define DirectAccess IPsec tunnels for communication with intranet resources.
Internet-connected DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client attempts to access the network location server.
2. The client attempts to locate a domain controller.
3. The client attempts to access intranet resources first, and then Internet resources.
DirectAccess Clients Attempt to Access the Network Location Server
The DirectAccess clients attempt to access the network location server as follows:
1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the
network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client
does not send the DNS query to a locally configured DNS server, such as an Internet-based DNS
server. An external Internet-based DNS server would not be able to resolve the name.
2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
exemption rules in the NRPT.
3. Because the network location server is not found on the same network where the DirectAccess client
is currently located, the DirectAccess client applies a public or private firewall network profile to the
attached network.
4. The connection security tunnel rules for DirectAccess, which are scoped for the public and private
profiles, now apply because the attached network has the public or private firewall network profile.
The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.
DirectAccess Client Attempts to Locate a Domain Controller
After starting up and determining its network location, the DirectAccess client attempts to locate and log
on to a domain controller. This process creates an IPsec tunnel, or infrastructure tunnel, by using the IPsec
tunnel mode and encapsulating security payload (ESP), to the DirectAccess server. The steps in this
process are:
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name
query that is addressed to the IPv6 address of the intranet DNS server, and forwards it to the
DirectAccess client's TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
corresponds with the infrastructure tunnel, the DirectAccess client uses Authenticated Internet
Protocol (AuthIP) and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the
DirectAccess server. The DirectAccess client, both the computer and the user, authenticates itself with
its installed computer certificate and its NTLM credentials, respectively.
Note: AuthIP enhances authentication in IPsec by adding support for user-based
authentication with Kerberos version 5 or SSL certificates. AuthIP also supports efficient protocol
negotiation and the use of multiple sets of credentials for authentication.
4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server and back through the IPsec infrastructure
tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.
DirectAccess Client Attempts to Access Intranet Resources
The first time that the DirectAccess client sends traffic to an intranet location, such as an email server, that
is not on the list of destinations for the infrastructure tunnel, the following process occurs:
1. The application or process that attempts to communicate constructs a message or payload, and
hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel, which specifies the IPv6 address space of the entire intranet, the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.
DirectAccess Client Attempts to Access Internet Resources
When the user or a process on the DirectAccess client attempts to access an Internet resource, such as an
Internet web server, the following process occurs:
1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There are
no matches. The DNS client service constructs the DNS name query that is addressed to the IP
address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process creates the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.
6. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
tunnel or the intranet tunnel connection security rules is sent and received normally.
The process of accessing the domain controller and that of accessing intranet resources are very similar,
because both use the NRPT to locate an appropriate DNS server to resolve the name queries. The main
difference is in the IPsec tunnel that is established between the client and the DirectAccess server: when
accessing the domain controller, all DNS queries are sent through the IPsec infrastructure tunnel, whereas
when accessing intranet resources, a second IPsec tunnel (the intranet tunnel) is established.
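The internal and external connection processes above rest on one decision mechanism: the NRPT decides which DNS server a name is sent to, and the connection security rules decide, by destination address, which IPsec tunnel (if any) carries a packet. The Python model below is an added example, not part of the course text or of Windows: it encodes the rules as the text describes them (a namespace rule for the intranet suffix, an exemption rule for the network location server, an infrastructure tunnel rule for the domain controller and DNS subnet, an intranet tunnel rule for the whole intranet prefix) and replays both the intranet and the Internet scenarios; every name and address is a constructed placeholder.

```python
"""Model of DirectAccess name resolution and tunnel selection.

Added example, not part of the course text. The rules mirror the text: an
NRPT namespace rule sends intranet names to the intranet DNS server over IPv6,
an exemption rule (no DNS servers) sends the network location server name to
the interface-configured DNS server, and two connection security rules pick
the infrastructure or intranet IPsec tunnel by destination prefix. All names
and addresses are constructed (contoso.com, RFC 3849 documentation prefix).
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class NrptRule:
    namespace: str                 # ".contoso.com" (suffix rule) or an exact FQDN
    dns_servers: list = field(default_factory=list)  # empty == exemption rule


@dataclass
class TunnelRule:
    name: str
    prefixes: list                 # IPv6 networks carried through this tunnel


def match_nrpt(rules, fqdn):
    """Return the most specific matching rule (longest namespace), or None.

    An exact-FQDN exemption therefore beats the suffix rule that also matches it,
    which is how the network location server name escapes the intranet rule.
    """
    fqdn = fqdn.lower().rstrip(".")
    best = None
    for rule in rules:
        ns = rule.namespace.lower()
        hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best


@dataclass
class DirectAccessClient:
    nrpt: list
    tunnels: list        # ordered: infrastructure tunnel first, then intranet tunnel
    on_intranet: bool    # outcome of the network location server probe

    def resolve_via(self, fqdn):
        """(DNS server the query goes to, tunnel carrying the query or None)."""
        if self.on_intranet:
            return ("interface-dns", None)      # NRPT is not consulted on the intranet
        rule = match_nrpt(self.nrpt, fqdn)
        if rule is None or not rule.dns_servers:
            return ("interface-dns", None)      # no rule, or an exemption rule
        target = rule.dns_servers[0]
        return (target, self.tunnel_for(target))

    def tunnel_for(self, dst):
        """Name of the connection security rule matching dst, or None (send normally)."""
        if self.on_intranet:
            return None                         # rules are scoped to public/private profiles
        ip = ipaddress.ip_address(dst)
        for tunnel in self.tunnels:
            if any(ip in prefix for prefix in tunnel.prefixes):
                return tunnel.name
        return None


def trace_access(client, fqdn, resolved_addr):
    """Replay the steps for one resource: the DNS path, then the data path."""
    dns_server, dns_tunnel = client.resolve_via(fqdn)
    return {
        "dns_server": dns_server,
        "dns_tunnel": dns_tunnel,
        "data_tunnel": client.tunnel_for(resolved_addr),
    }


# Constructed deployment: DCs and DNS in 2001:db8:c0a8::/64, whole intranet in the /48.
INTRANET_DNS = "2001:db8:c0a8::53"
MAIL_SERVER = "2001:db8:c0a8:1::25"
RULES = dict(
    nrpt=[
        NrptRule(".contoso.com", [INTRANET_DNS]),   # namespace rule
        NrptRule("directaccess-nls.contoso.com"),   # exemption rule for the NLS
    ],
    tunnels=[
        TunnelRule("infrastructure", [ipaddress.ip_network("2001:db8:c0a8::/64")]),
        TunnelRule("intranet", [ipaddress.ip_network("2001:db8:c0a8::/48")]),
    ],
)
EXTERNAL_CLIENT = DirectAccessClient(on_intranet=False, **RULES)
INTERNAL_CLIENT = DirectAccessClient(on_intranet=True, **RULES)

if __name__ == "__main__":
    print(trace_access(EXTERNAL_CLIENT, "mail.contoso.com", MAIL_SERVER))
    print(EXTERNAL_CLIENT.resolve_via("directaccess-nls.contoso.com"))
```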
Question: If you were using 6to4 instead of Teredo, would you need two sequential public IP
addresses on the DirectAccess server?
Demonstration: Running the Getting Started Wizard
In this demonstration, you will learn how to configure DirectAccess by running the Getting Started
Wizard.
Demonstration Steps
Create security group for DirectAccess client computers
1. On LON-DC1, open the Active Directory Users and Computers console, and create an organizational
unit (OU) with the name DA_Clients OU. Inside that OU, create a Global Security group with the
name DA_Clients.
2. Add LON-CL1 to the DA_Clients security group.
3. Close the Active Directory Users and Computers console.
Configure DirectAccess by Running the Getting Started Wizard
On LON-RTR, in the Server Manager console, open Remote Access Management. In the Remote Access
Management console, run the Getting Started Wizard with the following settings:
1. On the Configure Remote Access page, click Deploy DirectAccess only.
2. Verify that Edge is selected, and then in the Type the public name or IPv4 address used by clients
to connect to Remote Access server box, type 131.107.0.10.
3. On the Remote Access Review page, remove Domain Computers, and add DA_Clients as remote
clients.
4. Ensure that the Enable DirectAccess for mobile computers only check box is cleared.
5. Restart LON-RTR.
Getting Started Wizard Configuration Changes
The Getting Started Wizard makes multiple configuration changes so that DirectAccess clients can connect
to the intranet. These changes include:
• GPO settings. Two GPOs, DirectAccess Server Settings and DirectAccess Client Settings, are created in order to define which computers will be DirectAccess servers and which computers will be DirectAccess clients:
o DirectAccess Server Settings GPO. Defines the settings that will apply to the DirectAccess servers. These settings include:
  - Global Settings. Define the IPsec Internet Control Message Protocol (ICMP) that will be allowed through the local firewall on the DirectAccess server.
  - Inbound Rules. Define inbound IP-HTTPS traffic to provide connectivity across HTTP proxies and firewalls. Inbound rules also allow traffic to the DNS64 server that is deployed on the remote access server.
  - Connection Security Settings. Define the IPv6 address prefixes and the Kerberos authentication settings.
o The DirectAccess Client Settings GPO. Defines the settings that will apply to the DirectAccess clients. These settings include:
  - Public Key Policies/Trusted Root Certification Authorities. DirectAccess client computers are configured to trust the self-signed certificates that the DirectAccess server issues.
  - Global Settings. Define the IPsec ICMP protocol that will be allowed through the local firewall on the DirectAccess clients.
  - Outbound Rules. Define the outbound IP-HTTPS traffic to provide connectivity across HTTP proxies and firewalls.
  - Connection Security Settings. Define the IPv6 address prefixes and the Kerberos authentication settings.
• DNS server settings. In the DNS Manager console, under Forward Lookup Zones, the Getting Started Wizard creates A and AAAA records for the following hosts: directaccess-corpConnectivityHost, DirectAccess-NLS, and directaccess-WebProbeHost.
• Remote clients. In the wizard, you can configure the following DirectAccess settings for client computers:
o Select groups. You can select which groups of client computers will be configured for DirectAccess. By default, the Domain Computers group will be configured for DirectAccess. In the wizard, you can edit this setting and replace the Domain Computers group with a custom security group.

o Enable DirectAccess for mobile computers only. This setting is enabled by default, and it can be disabled in the wizard.
o Network Connectivity Assistant. Network Connectivity Assistant runs on every client computer and provides DirectAccess connectivity information, diagnostics, and remediation support.
o Resources that validate connectivity to internal network. DirectAccess client computers need information that will help them decide whether they are located on an intranet or the Internet. Therefore, they will contact resources you provide in this wizard. You can provide a URL that will be accessed by HTTP request, or an FQDN that will be contacted by the ping command. By default, this is not configured.
o Helpdesk email address. By default, this setting is not configured.
o DirectAccess connection name. The default name is Workplace Connection.
o Allow DirectAccess clients to use local name resolution. This setting is disabled by default.
• Remote access server. In the wizard, you define the network topology where the DirectAccess server is located:
o On an edge of the internal corporate network, where the edge server has two network adapters.
o On a server located behind an edge device, where the server has two network adapters.
o On a server located behind an edge device, where the server has one network adapter.
One of the preceding settings will be selected in the wizard already. The public name or IPv4 address where DirectAccess clients connect from the Internet is entered in the wizard already.
You can also define the network adapter to which the DirectAccess clients connect, in addition to the certificates that the IP-HTTPS connections use.
• Infrastructure servers. In the wizard, you define infrastructure servers. DirectAccess clients connect to these servers before they connect to internal corporate resources. By default, two entries are configured: the domain name suffix and the DirectAccess-NLS name followed by the domain name suffix. For example, if the domain name is contoso.com, then the following entries are configured: contoso.com and DirectAccess-NLS.contoso.com.
Demonstration: Identifying the Getting Started Wizard Settings
In this demonstration, you will identify the changes made by the DirectAccess Getting Started Wizard.
Demonstration Steps
1. On LON-RTR, switch to the Server Manager console, and then open the Remote Access Management
console.
2. In the Remote Access Management console, select DirectAccess and VPN.
3. In the Remote Access Setup window, under the image of the client computer labeled as Step 1
Remote Clients, click Edit to display the DirectAccess Client Setup window.
4. Review the default settings of all items in the menu on the left, Deployment Scenario, Select Groups,
and Network Connectivity Assistant, and then close the window without saving any changes.
5. In the Remote Access Setup window, under the image of the server computer labeled as Step 2
Remote Access Servers, click Edit to display the Remote Access Server Setup window.
6. Record the default settings of all items in the menu on the left, Network Topology, Network Adapters,
and Authentication, and then close the window without saving any changes.
7. In the Remote Access Setup window, under the image of the server computer labeled as Step 3
Infrastructure Servers, click Edit to display the Infrastructure Server Setup window.
8. Review the default settings of all items in the menu on the left, Network Location Server, DNS, DNS
Suffix Search List, and Management, and then close the window without saving any changes.
9. In the Remote Access Setup window, under the image of the server computer labeled as Step 4
Application Servers, click Edit to display the DirectAccess Application Server Setup window.
10. Review the default settings for all items, and then close the window without saving any changes.
11. Close all open windows.
Review the Infrastructure Changes in the Group Policy Management Console
1. On LON-RTR, in Server Manager, open the Group Policy Management console.
2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and notice that two new GPOs are created: DirectAccess Client Settings and
DirectAccess Server Settings.
3. Review the DirectAccess Server Settings GPO settings.
4. In the details pane, under Computer Configuration (Enabled), review the Windows Firewall with
Advanced Security settings. Notice that there are three groups of firewall settings configured for
DirectAccess clients: Global Settings, Inbound Rules, and Connection Security Settings.
5. In the Global Settings firewall settings, review the IPsec ICMP exception setting.
6. In the Inbound Rules firewall settings, review the following configuration:
o Core Networking IP-HTTPS (TCP-In). This rule allows the inbound IP-HTTPS traffic to provide
connectivity across HTTP proxies and firewalls.
o Domain Name Server (UDP-In) and Domain Name Server (TCP-In). These rules allow traffic
to the DNS64 server that is deployed on the remote access server. Notice the IPv6 address in the
rules. It is the address of the London_Network adapter on LON-RTR.
7. In the Connection Security Settings row, review the following configuration:
o DirectAccess Policy-DaServerToCorpSimplified. Review the IPv6 address prefixes and compare
them with the IPv6 address prefixes that you recorded in step 6 of the previous section in this
demonstration. Notice that they are the same prefixes that are configured with the Getting
Started Wizard.
8. Under Connection Security Settings, review the First Authentication, Second Authentication, Key
Exchange (Main Mode), and Data Protection (Quick Mode) configurations.
9. In the navigation pane, select the DirectAccess Client Settings GPO, and then click the Settings tab.
10. In the details pane, under Computer Configuration (Enabled), in the Security Setting row, review the
Public Key Policies/Trusted Root Certification Authorities configuration, and then notice that the
GPO is configuring the DirectAccess client computers to trust the self-signed certificates
131.107.0.10 and DirectAccess-NLS.Adatum.com that are issued by LON-RTR.
11. In the details pane, under Computer Configuration (Enabled), in the Security Setting row, review the
Windows Firewall with Advanced Security settings.
12. Notice that there are three groups of firewall settings configured for the DirectAccess clients: Global
Settings, Outbound Rules, and Connection Security Settings.
13. In the Global Settings row, review the IPsec ICMP exception setting.
14. In the Outbound Rules row, review the following settings:
o Core Networking IPHTTPS (TCP-Out). This rule allows the outbound IP-HTTPS traffic to
provide connectivity across HTTP proxies and firewalls.
15. In the Connection Security Settings row, review the three rules, and then compare the IPv6 address
prefixes with the IPv6 address prefixes you recorded in step 6 of the previous section in this
demonstration. Notice that they are the same prefixes that are configured with the Getting Started
Wizard.
16. Under the Connection Security Settings row, in the First Authentication row, review the Kerberos
authentication setting.
17. Repeat step 16 for Second Authentication, Key Exchange (Main Mode), and Data Protection
(Quick Mode).
18. Close the Group Policy Management Console.
19. On LON-DC1, in Server Manager, open the DNS Manager console.
20. In the DNS Manager console, in the Adatum.com forward lookup zone, notice the A or AAAA records
for the following hosts: directaccess-corpConnectivityHost, DirectAccess-NLS, and
directaccess-WebProbeHost. These records are created by the Getting Started Wizard.
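The DNS records and GPOs reviewed in the demonstration can also be checked from a script. The following is an added example, not part of the course or of the Getting Started Wizard itself; it runs on LON-DC1 with the DnsServer and GroupPolicy modules, and the zone, host and GPO names are the ones the demonstration shows (the function names are the example's own).

```powershell
# Added example (not part of the course or of the Getting Started Wizard): check the
# DNS records and GPOs the wizard creates. Run on LON-DC1 with the DnsServer and
# GroupPolicy modules. Zone, host and GPO names are the ones the demonstration shows.
Import-Module DnsServer, GroupPolicy

$ZoneName    = 'Adatum.com'
$WizardHosts = @('directaccess-corpConnectivityHost', 'DirectAccess-NLS', 'directaccess-WebProbeHost')
$WizardGpos  = @('DirectAccess Client Settings', 'DirectAccess Server Settings')

function Test-DaWizardDnsRecords {
    param([string]$Zone, [string[]]$Hosts)
    foreach ($h in $Hosts) {
        # Either an A or an AAAA record satisfies the check; the wizard creates
        # whichever matches the addressing in use.
        $records = @(Get-DnsServerResourceRecord -ZoneName $Zone -Name $h -ErrorAction SilentlyContinue |
                     Where-Object { $_.RecordType -in @('A', 'AAAA') })
        [pscustomobject]@{
            Host    = $h
            Present = ($records.Count -gt 0)
            Data    = ($records | ForEach-Object {
                          if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address.IPAddressToString }
                          else                       { $_.RecordData.IPv6Address.IPAddressToString }
                      }) -join ', '
        }
    }
}

function Test-DaWizardGpos {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
        # A GPO that exists but is linked nowhere never reaches a client; the XML
        # report's LinksTo element shows where it is linked.
        $linked = $false
        if ($gpo) {
            $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
            $linked = ($null -ne $report.GPO.LinksTo)
        }
        [pscustomobject]@{ Gpo = $name; Present = [bool]$gpo; Linked = $linked }
    }
}

Test-DaWizardDnsRecords -Zone $ZoneName -Hosts $WizardHosts | Format-Table -AutoSize
Test-DaWizardGpos -Names $WizardGpos | Format-Table -AutoSize
```

A host reported as not present, or a GPO reported as present but not linked, explains a client that never receives DirectAccess settings before any client-side troubleshooting starts.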
Limitations of DirectAccess Deployments When Using the Getting Started
Wizard
The Getting Started Wizard is simple to implement, but it is not suitable for deployments that need to
support multisite access, that require a highly available infrastructure, or that require support for
computers running Windows 7 in a DirectAccess scenario.
Self-Signed Certificates
The Getting Started Wizard creates a self-signed
certificate to enable SSL connections to the
DirectAccess and network location servers. In
order for DirectAccess to function, you need to
ensure the CRL distribution point for both
certificates is available externally. In addition, the self-signed certificate is supported for single
DirectAccess server scenarios only and cannot be used in multisite deployments.
Note: The CRL contains all revoked certificates and reasons for revocation.
Because of these limitations, most companies either configure a public certificate for the DirectAccess and
network location servers or provide certificates generated by an internal CA. Organizations that have
implemented an internal CA can use the web server certificate template to issue a certificate to the
DirectAccess and network location servers. The organizations must also ensure that the CRL distribution
points are accessible from the Internet.
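Whether a server certificate is self-signed, and whether its CRL distribution points actually answer, can be checked on the DirectAccess server before clients depend on it. The following is an added example, not course material; it reads the local machine certificate store and treats every URL in the CRL Distribution Points extension as a point to test. Running it from a host on the Internet side as well shows whether the CRL is reachable externally, which is the requirement the text describes.

```powershell
# Added example (not from the course): on the DirectAccess server, list the
# certificates in the machine store, flag self-signed ones, and test whether each
# CRL distribution point (CDP) answers over HTTP. Function names are the example's own.
function Get-CertCrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format() renders the extension as text; pull out the URL= entries.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-DaServerCertificates {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | ForEach-Object {
        $cert = $_
        $cdps = @(Get-CertCrlDistributionPoint -Certificate $cert)
        [pscustomobject]@{
            Subject    = $cert.Subject
            # A self-signed certificate is its own issuer; as the text notes, this
            # limits the deployment to a single DirectAccess server.
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Expires    = $cert.NotAfter
            CdpCount   = $cdps.Count
            # Clients must be able to fetch the CRL to validate the NLS and
            # IP-HTTPS certificates, so each CDP is fetched and its status recorded.
            CdpStatus  = ($cdps | ForEach-Object {
                try {
                    $r = Invoke-WebRequest -Uri $_ -UseBasicParsing -TimeoutSec 10
                    "$_ -> HTTP $($r.StatusCode)"
                } catch { "$_ -> unreachable ($($_.Exception.Message))" }
            }) -join '; '
        }
    }
}

Test-DaServerCertificates | Format-List
```

A certificate with CdpCount 0 has no CRL distribution point at all, which is typical of the wizard's self-signed certificates and is one reason the text recommends a CA-issued certificate for anything beyond a single-server deployment.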

Network Location Server Design
The network location server is a critical part of a DirectAccess deployment. The Getting Started Wizard
deploys the network location server on the same server as the DirectAccess server. If DirectAccess client
computers on the intranet cannot locate and access the secure web page on the network location server,
they might not be able to access intranet resources. When DirectAccess clients obtain a physical
connection to the intranet or experience a network status change on the intranet, such as an address
change when roaming between subnets, they attempt an HTTPS connection to the network location server
URL. If the client can establish an HTTPS connection to the network location server and check the
revocation status of the web server's certificate, the client determines that it is on the intranet. As a
result, the NRPT is disabled on the client and Windows Firewall is configured to use the Domain profile
with no IPsec tunnels.
The network location server should be deployed on a highly available, high-capacity intranet web server.
Larger companies should consider implementing the network location server on a Network Load
Balancing cluster or by using an external hardware load balancer.
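The intranet detection described above can be reproduced by hand on a client to confirm that the network location server is doing its job. The following is an added example, not part of the course; it assumes the network location server URL used in this module's lab (https://DirectAccess-NLS.Adatum.com/) and forces the revocation check that the DirectAccess client also requires.

```powershell
# Added example (not from the course): reproduce the check a DirectAccess client
# performs to decide whether it is on the intranet. Run on a client. The NLS URL
# is an assumption taken from this module's lab naming; adjust to your deployment.
$NlsUrl = 'https://DirectAccess-NLS.Adatum.com/'

function Test-NetworkLocationServer {
    param([string]$Url)
    # The client requires a successful HTTPS connection AND a revocation check of the
    # web server certificate; force .NET to do the CRL check as part of the TLS handshake.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        # A certificate whose CRL cannot be fetched fails here exactly as it fails for the client.
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Get-DaLocationState {
    # What the client should look like after a successful NLS check:
    # no effective NRPT rules and the Domain firewall profile active.
    $nrpt     = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)
    $profiles = @(Get-NetConnectionProfile | ForEach-Object { [string]$_.NetworkCategory })
    [pscustomobject]@{
        EffectiveNrptRules = $nrpt.Count
        NetworkCategories  = ($profiles -join ', ')
        LooksInside        = ($nrpt.Count -eq 0 -and $profiles -contains 'DomainAuthenticated')
    }
}

Test-NetworkLocationServer -Url $NlsUrl
Get-DaLocationState
```

If the first function reports the server as unreachable while the client is physically on the intranet, the client will behave as if it were on the Internet: the NRPT stays active and name resolution for the intranet namespace is sent through the DirectAccess server, which is the failure mode the paragraph above warns about.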
Support for Windows 7
The Getting Started Wizard configures the remote access server to act as a Kerberos proxy to perform
IPsec authentication without requiring certificates. Client authentication requests are sent to a Kerberos
proxy service running on the DirectAccess server. The Kerberos proxy then sends Kerberos requests to
domain controllers on behalf of the client. This configuration is only applicable for clients running
Windows 8 or Windows Server 2012. If Windows 7 clients need to be supported for DirectAccess, you
must deploy a PKI to issue computer certificates for backward compatibility.
Lab A: Implementing DirectAccess by Using the Getting
Started Wizard
Scenario
Many users at A. Datum Corporation work from outside the organization. This includes mobile users as
well as people who work from home. These users currently connect to the internal network by using a
third-party VPN solution. The security department is concerned about the security of the external
connections and wants to ensure that the connections are as secure as possible. The support team wants
to minimize the number of support calls related to remote access, and would like to have more options
for managing remote computers.
Information Technology (IT) management at A. Datum is considering deploying DirectAccess as the
remote access solution for the organization. As an initial proof-of-concept deployment, management has
requested that you configure a simple DirectAccess environment that can be used with client computers
running Windows 8.
Objectives
After completing this lab, you will be able to:
Verify that the infrastructure is prepared for the DirectAccess deployment.
Run the Getting Started Wizard.
Validate the DirectAccess deployment.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20411D-LON-DC1, 20411D-LON-SVR1, 20411D-LON-RTR, 20411D-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): 20411D-INET1
User Name: Administrator
Password: Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20411D-LON-DC1, and, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
User name: Adatum\Administrator
Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20411D-LON-SVR1, 20411D-LON-RTR, and 20411D-LON-CL1.
6. In Microsoft Hyper-V Manager, click 20411D-INET1, and, in the Actions pane, click Start.
7. In the Actions pane, click Connect. Wait until the virtual machine starts.
8. Sign in using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Exercise 1: Verifying Readiness for a DirectAccess Deployment
Scenario
Before you deploy DirectAccess, you need to ensure that the infrastructure is ready for the deployment.
The main tasks for this exercise are as follows:
1. Document the network configuration
2. Verify the server readiness for DirectAccess
Task 1: Document the network configuration
Verify the IP Address on LON-DC1
1. Switch to LON-DC1.
2. Open Control Panel.
3. Open the Ethernet Properties dialog box.
4. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
5. Document the current IP address, subnet mask, default gateway, and DNS configuration.
Verify Network Configuration on LON-RTR
1. Switch to LON-RTR.
2. Open Server Manager, and then, from the Tools menu, open Routing and Remote Access.
3. In the Routing and Remote Access console, disable Routing and Remote Access. This step is
necessary in order to disable the Routing and Remote Access that was preconfigured for this lab.
4. Open Control Panel.
5. Under the Network and Internet section, click View network status and tasks.
6. In the Network and Sharing Center window, click on Change adapter settings.
7. In the Network Connections window, verify that there are three network adapters: Ethernet,
Ethernet 2, and Internet.
8. In the Network Connections window, disable, and then enable Ethernet adapter.
9. Repeat step 8 for Internet network connection.
10. Verify that Ethernet adapter is connected to the domain network adatum.com.
11. Open the Ethernet Properties dialog box.
12. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
13. Verify that the IP address corresponds with the subnet used in the domain network. (The IP address
should be 172.16.0.1.)
14. Open the Internet Properties dialog box.
15. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
16. Verify that IP address corresponds with the subnet used to simulate Internet connectivity. (The IP
address should be 131.107.0.10.)
Note: If you notice that the Internet network adapter is connected to Adatum.com, disable the
Routing and Remote Access service (RRAS). This is because, for DirectAccess, at least one adapter
must be on the external network.
Verify Network Configuration on LON-CL1
1. Switch to LON-CL1.
2. Open Control Panel, click Network and Sharing Center and then click Change adapter settings.
3. Verify that the Ethernet adapter is connected to domain network Adatum.com.
4. Open the Ethernet Properties dialog box.
5. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
6. Document the current IP address, subnet mask, default gateway, and DNS configuration.
Verify Network Configuration on LON-SVR1
1. Switch to LON-SVR1.
2. Open Control Panel, and, under the Network and Internet section, select View network status and
tasks, and then select Change adapter settings.
3. Verify that the Ethernet adapter is connected to domain network Adatum.com.
4. Open the Ethernet Properties dialog box.
5. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.
6. Document the current IP address, subnet mask, default gateway, and DNS configuration.
Verify Network Configuration on INET1
1. Switch to INET1.
2. Open Control Panel, then under the Network and Internet section, click View network status and
tasks to open the Network Connections window.
3. Document the current IP address, subnet mask, and DNS configuration of the Ethernet adapter.
Note: The INET1 server role in this module is to simulate the Internet DNS server.
Task 2: Verify the server readiness for DirectAccess
1. On LON-DC1, open the Active Directory Users and Computers console, and create an OU with the
name DA_Clients OU. Inside that OU, create a Global Security group with the name DA_Clients.
2. Add LON-CL1 to the DA_Clients security group.
3. Close the Active Directory Users and Computers console.

Results: After completing this exercise, you should have successfully verified the readiness for
DirectAccess deployment.
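The readiness checks of this exercise can be scripted so that they are repeatable. The following is an added example, not part of the lab; it runs on LON-RTR (the DA_Clients check runs on LON-DC1 with the ActiveDirectory module) and uses the lab's adapter names and addresses, which must be adjusted for any other environment.

```powershell
# Added example (not from the lab): script the checks of Exercise 1. Run
# Test-DaServerReadiness on LON-RTR and Test-DaClientGroup on LON-DC1.
# Adapter names and addresses are the lab values.
$ExpectedAddresses = @{
    'Ethernet' = '172.16.0.1'     # internal adapter, connected to Adatum.com
    'Internet' = '131.107.0.10'   # simulated Internet adapter
}

function Test-DaServerReadiness {
    param([hashtable]$Expected)
    # The preconfigured RRAS must be disabled before the wizard runs.
    $rras = Get-Service -Name RemoteAccess
    [pscustomobject]@{ Check = 'RRAS service stopped'; Pass = ($rras.Status -eq 'Stopped'); Detail = [string]$rras.Status }

    # The lab expects three adapters: Ethernet, Ethernet 2, and Internet.
    $adapters = @(Get-NetAdapter)
    [pscustomobject]@{ Check = 'Three adapters present'; Pass = ($adapters.Count -eq 3); Detail = ($adapters.Name -join ', ') }

    foreach ($alias in $Expected.Keys) {
        $ip = @(Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Check  = "$alias has $($Expected[$alias])"
            Pass   = ($ip.IPAddress -contains $Expected[$alias])
            Detail = ($ip.IPAddress -join ', ')
        }
    }

    # The Internet adapter must not be identified as the domain network (see the note above).
    $inet = Get-NetConnectionProfile -InterfaceAlias 'Internet' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Internet adapter not on domain network'
        Pass   = ([string]$inet.NetworkCategory -ne 'DomainAuthenticated')
        Detail = [string]$inet.NetworkCategory
    }
}

function Test-DaClientGroup {
    param([string]$Group = 'DA_Clients', [string]$Client = 'LON-CL1')
    Import-Module ActiveDirectory
    $members = @(Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Check = "$Client in $Group"; Pass = ($members.Name -contains $Client); Detail = ($members.Name -join ', ') }
}

Test-DaServerReadiness -Expected $ExpectedAddresses | Format-Table -AutoSize
```

Any row with Pass equal to False points at the step of Task 1 or Task 2 that still has to be completed before the Getting Started Wizard is run in Exercise 2.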
Exercise 2: Configuring DirectAccess
Scenario
You have verified that the infrastructure is prepared for the DirectAccess deployment. A colleague has
already installed the role on LON-RTR. You now need to configure DirectAccess on the DirectAccess server
by using the Getting Started Wizard.
The main tasks for this exercise are as follows:
1. Configure DirectAccess by using the Getting Started Wizard
Task 1: Configure DirectAccess by using the Getting Started Wizard
1. Switch to LON-RTR.
2. In the Server Manager console, select Remote Access Management. Complete the Run the Getting
Started Wizard in the Remote Access Management console with the following settings:
On the Configure Remote Access page, click Deploy DirectAccess only.
Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to
connect to Remote Access server box, type 131.107.0.10.
On the Remote Access Review page, change remote clients to DA_Clients.
Clear the Enable DirectAccess for mobile computers only check box.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the
Getting Started Wizard.
Exercise 3: Validating the DirectAccess Deployment
Scenario
Now that you have configured DirectAccess, you need to verify that DirectAccess is working. You will start
by verifying the changes made by the Getting Started Wizard, and then you will verify that client
computers can access the internal network by using DirectAccess.
The main tasks for this exercise are as follows:
1. Verify the GPO deployment
2. Test DirectAccess connectivity
Task 1: Verify the GPO deployment
1. Switch to LON-CL1.
2. When you configured the DirectAccess server, the wizard created two Group Policies and linked them
to the domain. To apply them, restart LON-CL1, and then sign in as Adatum\Administrator by using
the password Pa$$w0rd.
3. On LON-CL1, open the Command Prompt window, and then type gpupdate /force to force apply
Group Policy.
4. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
applied to the Computer Settings.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, and then repeat Step 2
and Step 3 on LON-CL1.
5. Type the following command at the command prompt:
netsh name show effectivepolicy
and verify that the following message is displayed:
DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings are inactive when this computer is inside a corporate network.
6. Simulate moving the client computer LON-CL1 out of the corporate network and to the Internet, by
disabling the Ethernet network adapter and enabling the Ethernet 2 network adapter, which is
configured with following values:
IP address: 131.107.0.20
Subnet mask: 255.255.0.0
Preferred DNS server: 131.107.0.100
7. Close all open windows.
Task 2: Test DirectAccess connectivity
Verify Connectivity to the Internal Network Resources
1. Switch to LON-CL1.
2. On the taskbar, start Internet Explorer.
3. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default Internet
Information Services (IIS) 8.0 web page for LON-SVR1 displays. Note: If the default IIS 8.0 web page
for LON-SVR1 doesn't appear, restart LON-CL1. After LON-CL1 restarts, sign in as
Adatum\Administrator and repeat steps 2 and 3.
4. Leave the Windows Internet Explorer window open.
5. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access
the folder content.
6. Close all open windows.
7. Move the mouse pointer to the lower-right corner of the screen, in the notification area, click search,
and then, in the search box, type cmd.
8. At the command prompt, run the ipconfig command.
Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
address.
Verify Connectivity to the DirectAccess Server
1. At the command prompt, type the following command:
Netsh name show effectivepolicy
Verify that DNS Effective Name Resolution Policy Table Settings presents two entries for
adatum.com and Directaccess-NLS.Adatum.com.
2. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Notice the DirectAccess client settings.
Verify Client Connectivity on DirectAccess Server
1. Switch to LON-RTR.
2. In the Remote Access Management console pane, click Remote Client Status.
Notice that Client is connected via IP-HTTPS. In the Connection Details pane, in the bottom-right of
the screen, note the use of Kerberos for the Machine and the User.
3. Close all open windows.
Note: After completing the lab, do not revert the virtual machines.
Results: After completing this exercise, you should have successfully verified that client computers can
access the internal network by using DirectAccess.
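The client-side checks of this exercise (the IP-HTTPS address, the effective NRPT, reachability of LON-SVR1 over HTTP and SMB, and the client experience settings) can be run together from Windows PowerShell on LON-CL1 while it is on the simulated Internet. The following is an added example, not part of the lab; host names and the 2002 prefix are the lab's own values.

```powershell
# Added example (not from the lab): script the client-side checks of Exercise 3.
# Run on LON-CL1 while it is on the simulated Internet. Host names are the lab's.
function Test-DaClientConnectivity {
    param([string]$InternalHost = 'lon-svr1.adatum.com')

    # 1. IP-HTTPS tunnel: in this lab the iphttpsinterface address starts with 2002.
    $tunnel = @(Get-NetIPAddress -InterfaceAlias 'iphttpsinterface' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress -notlike 'fe80*' })   # skip the link-local address
    [pscustomobject]@{
        Check  = 'IP-HTTPS address'
        Pass   = [bool]($tunnel.IPAddress | Where-Object { $_ -like '2002:*' })
        Detail = ($tunnel.IPAddress -join ', ')
    }

    # 2. NRPT: outside the corporate network the effective policy lists the
    #    adatum.com namespace and the NLS exemption, so at least two entries.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Check = 'NRPT active'; Pass = ($nrpt.Count -ge 2); Detail = ($nrpt.Namespace -join ', ') }

    # 3. Internal resources reachable through the tunnel: HTTP and SMB on LON-SVR1.
    foreach ($port in 80, 445) {
        $t = Test-NetConnection -ComputerName $InternalHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "$InternalHost TCP $port"; Pass = $t.TcpTestSucceeded; Detail = [string]$t.RemoteAddress }
    }

    # 4. Client experience settings pushed by the DirectAccess Client Settings GPO.
    $exp = Get-DAClientExperienceConfiguration
    [pscustomobject]@{ Check = 'DA client settings present'; Pass = [bool]$exp; Detail = "ForceTunneling=$($exp.ForceTunneling)" }
}

Test-DaClientConnectivity | Format-Table -AutoSize
```

A failed IP-HTTPS check with a passing NRPT check usually means the client has the policy but cannot reach 131.107.0.10 on TCP 443; a failed NRPT check means the GPO never applied, which is what Task 1 of this exercise verifies.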

Question: Why did you create the DA_Clients group?
Question: How will you configure IPv6 addresses for client computers running the Windows 8 operating
system to use DirectAccess?
Lesson 3
Implementing and Managing an Advanced DirectAccess
Infrastructure
The Getting Started Wizard in the Remote Access Management console provides an easy way for
organizations to configure DirectAccess connectivity for remote clients. However, as you learned in the
previous lesson, there are limitations to deploying DirectAccess by using the Getting Started Wizard.
Therefore, instead of using the Getting Started Wizard, some organizations choose to deploy DirectAccess
by configuring advanced features, such as using PKI, configuring advanced DNS settings, and configuring
advanced settings for network location servers and management servers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe advanced DirectAccess options.
Explain how to integrate a PKI with DirectAccess.
Explain how to implement certificates for DirectAccess clients.
Describe the considerations for planning internal network configuration.
Explain how to configure advanced DNS settings.
Describe how to implement network location servers.
Describe how to implement management servers.
Describe how to modify the DirectAccess infrastructure.
Explain how to monitor DirectAccess connectivity.
Explain how to troubleshoot DirectAccess connectivity.
Overview of the Advanced DirectAccess Options
You can configure advanced DirectAccess options
by using the Remote Access Management
console, or by using Windows PowerShell. When
you install the Remote Access server role, there
are two wizards available in the Remote Access
Management console for initial DirectAccess
deployment:
The Getting Started Wizard that you can use
for deploying DirectAccess quickly.
The Remote Access Setup Wizard that you
can use to configure advanced options for
DirectAccess
The following are the advanced options you can use to configure DirectAccess:
Scalable and customized PKI infrastructure. The DirectAccess deployment can benefit from a custom
PKI solution, whether used with a public or a private CA. You can configure the PKI components
according to your organization's business requirements, for example, to provide support for
computers running Windows 7.

Customized network configuration options. Organizations can benefit from deploying DirectAccess
that meets specific network topology and design requirements, including complex scenarios such as
multisite and multidomain deployments. You can configure the DirectAccess clients so that they can
connect to the corporate network by using multiple Internet connections in different geographical
locations as DirectAccess entry points. Customized network configuration options include advanced
DNS configurations and firewall settings.
Scalable and highly-available server deployment. While configuring advanced DirectAccess options,
organizations can use a variety of solutions for better scalability of the servers. This helps them
achieve their business goal of better remote access performance. Additionally, in cases where
DirectAccess is a business critical solution, organizations can deploy multiple servers that are highly
available so that no single point of failure exists and users can establish DirectAccess connectivity
regardless of any potential issue. You can also configure management servers that will perform
management tasks, such as deploying Windows updates on DirectAccess clients and servers.
Customized monitoring and troubleshooting. Advanced DirectAccess options include customized
monitoring and troubleshooting options that will help you to diagnose and resolve any potential
DirectAccess issue quickly.
Integrating a PKI with DirectAccess
While planning the implementation of
DirectAccess, organizations can choose to use a
private or public CA. If an organization has
already deployed an internal PKI infrastructure
that is used for different purposes, such as user or
server authentication, the organization can further
customize the current PKI infrastructure in order
to enhance the deployment of DirectAccess.
Configuring PKI for DirectAccess includes the
following steps:
1. Add and configure the Active Directory
Certificate Services server role if it is not
already present. At least one server with the Certificate Authority role should be present in the
corporate network. The CA server receives certificate requests, issues certificates for network location
server and DirectAccess clients and servers, and manages the CRL.
For more information on the Active Directory Certificate Services server role on Windows
Server 2012, visit the following link:
http://go.microsoft.com/fwlink/?LinkID=331165
2. Create the certificate template. DirectAccess needs a web certificate template to be configured on the
CA server, which will be used for issuing a certificate to the network location server. The network
location server will use its web certificate to authenticate itself to DirectAccess client computers and
to encrypt traffic between itself and DirectAccess client computers.
3. Create a CRL distribution point and publish the CRL list. When connecting to the network location
server, DirectAccess client computers check if the certificate presented to them by the network
location server is revoked. Therefore, you have to configure your CA server with a CRL distribution
point where the CRL will be published and will be accessible to the DirectAccess client computers.

4. Distribute the computer certificates. DirectAccess uses IPsec for encrypting the traffic between
DirectAccess client computers and DirectAccess servers. IPsec requires that the CA server issue
computer certificates to both DirectAccess client computers and DirectAccess servers. The most
efficient way for distributing computer certificates is by using Group Policy.
Implementing Client Certificates for DirectAccess
Organizations that have an environment with
computers running Windows 7 can also use
DirectAccess. For a computer running Windows 7
to use DirectAccess, a computer certificate for
IPsec authentication should be issued to the
computer.
The most efficient way to issue certificates to
client computers is by using Group Policy. The
general steps for configuring a GPO for issuing
certificates are:
1. Create a GPO and link the GPO to the OU
where DirectAccess client computers are
located.
2. Edit the GPO created in the previous step by navigating to Computer Configuration
\Policies\Windows Settings\Security Settings\Public Key Policies, and then, at Automatic Certificate
Request Settings, configure Automatic Certificate Request to issue the Computer certificate.
3. To apply the GPO settings to the DirectAccess client computers, perform one, but not both, of the
following actions:
At each DirectAccess client computer, run the gpupdate /force command.
Restart the DirectAccess client computer.
4. Verify that the GPO has been applied by performing following actions:
Open an MMC on a client computer, and add the Certificates for Local Computer snap-in.
In the Certificates console, verify that a certificate with the DirectAccess client computer name is
present, and in the right console pane, under the Intended Purposes column, verify that Client
Authentication and Server Authentication is displayed.
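The step-4 verification above, and the "distribute the computer certificates" step of the PKI procedure before it, come down to one question: does the client hold a machine certificate for its own name with both the Client Authentication and Server Authentication purposes and a private key? The following is an added example, not course material, that answers it from the local machine store; the function name is the example's own and the EKU OIDs are the standard values.

```powershell
# Added example (not from the course): the step-4 check done in PowerShell on a
# DirectAccess client. Finds a machine certificate issued for this computer that
# carries both Client Authentication and Server Authentication EKUs.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # standard EKU OID: Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # standard EKU OID: Server Authentication

function Get-DaComputerCertificate {
    param([string]$ComputerFqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower())
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # The EKU extension (OID 2.5.29.37) is what the MMC shows as Intended Purposes.
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            # Autoenrolled computer certificates carry the computer FQDN as subject CN or SAN.
            NameMatches   = ($cert.Subject -like "CN=$ComputerFqdn*" -or
                             ($cert.DnsNameList.Unicode -contains $ComputerFqdn))
            ClientAuth    = ($oids -contains $ClientAuthOid)
            ServerAuth    = ($oids -contains $ServerAuthOid)
            HasPrivateKey = $cert.HasPrivateKey
            Expires       = $cert.NotAfter
        }
    } | Where-Object { $_.NameMatches -and $_.ClientAuth -and $_.ServerAuth -and $_.HasPrivateKey }
}

$found = @(Get-DaComputerCertificate)
if ($found.Count -eq 0) {
    Write-Warning 'No usable computer certificate found; run gpupdate /force or restart, then check the GPO.'
} else {
    $found | Format-List
}
```

A certificate that matches the name and purposes but has no private key is not usable for IPsec authentication, which is why the filter requires HasPrivateKey as well.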

Internal Network Configuration Options
Depending on your organization's business requirements, you can configure multiple network topologies
when deploying an advanced DirectAccess infrastructure.
Consider the following when planning the internal network configuration:
Plan for DirectAccess server location. You can
install the DirectAccess server in different
network configurations:
o Edge. The DirectAccess server role service
is installed on a computer that acts as an
edge server. An edge server also acts as a firewall. The edge server has two network adapters,
where one network adapter is connected to the Internet and the other network adapter is
connected to the internal network.
o Behind an edge device with two network adapters. In this configuration, the DirectAccess role
service is installed on a computer located in a perimeter network behind an edge device. The
DirectAccess server has two network adapters, where one network adapter is connected to the
perimeter network and the other network adapter is connected to the internal network.
o Behind an edge device with one network adapter. This configuration assumes that the
DirectAccess role service is installed on a computer located in the internal network.
Plan the IP address assignment. You should plan your IP addressing depending on whether your
organization has deployed native IPv6 addressing, both IPv6 and IPv4, or IPv4 only addressing. In a
scenario where both Internet and intranet IP addressing is IPv4, you have to configure the external
network adapter of the DirectAccess server with two consecutive public IPv4 addresses. This
configuration is required by the Teredo tunneling protocol because the DirectAccess server will act as
a Teredo server.
Plan the firewall configuration. The DirectAccess server requires specific ports to be opened on the
corporate firewall so that the DirectAccess client computers can connect from the Internet to the
internal network. Firewall ports required for DirectAccess on an IPv4 network include:
o Teredo traffic. UDP destination port 3544 inbound and UDP source port 3544 outbound.
o 6to4 traffic. IP Protocol 41 inbound and outbound.
o IP-HTTPS traffic. TCP destination port 443 inbound and TCP source port 443 outbound.
o For scenarios where DirectAccess and a network location server are installed on the same server
with a single adapter, TCP port 62000 on the server should be open.
Plan for AD DS. DirectAccess requires at least one domain controller installed on a server running
Windows Server 2003 or later Windows Server operating systems. The computer where the
DirectAccess role service is installed should be a domain member. The DirectAccess client computers
also have to be domain members. DirectAccess clients can establish a connection from the Internet
with any domain in the same forest as the DirectAccess server and with any domain that has a two-
way trust with the DirectAccess server forest.
Plan for client deployment. Before deploying clients, you should configure the following settings:
o Create a security group for DirectAccess client computers and configure the group membership.

o Configure DirectAccess to be available for all computers in the domain or just for mobile
computers.
o Configure the Network Connectivity Assistant.
For more information on deploying DirectAccess clients, visit the following link:
http://go.microsoft.com/fwlink/?LinkID=331166
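Two of the planning items above lend themselves to a scripted check on the DirectAccess server: the Teredo requirement for two consecutive public IPv4 addresses, and the inbound firewall openings for Teredo, 6to4 and IP-HTTPS. The following is an added example, not course material. It checks the local Windows Firewall rules only, as a proxy for the corporate firewall configuration the text refers to; the interface alias is an assumption and the port table is taken from the list above.

```powershell
# Added example (not from the course): two planning checks from the list above,
# run on the DirectAccess server. The interface alias is an assumption; the
# protocol/port table is the one the text gives for an IPv4 Internet.
function Test-TeredoAddressPair {
    param([string]$InternetInterface = 'Internet')
    # Teredo requires two consecutive public IPv4 addresses on the external adapter.
    $nums = @(Get-NetIPAddress -InterfaceAlias $InternetInterface -AddressFamily IPv4 |
              ForEach-Object {
                  $b = [System.Net.IPAddress]::Parse($_.IPAddress).GetAddressBytes()
                  [BitConverter]::ToUInt32($b[3..0], 0)   # bytes reversed -> host-order integer
              } | Sort-Object)
    $consecutive = ($nums.Count -ge 2) -and (($nums[1] - $nums[0]) -eq 1)
    [pscustomobject]@{
        Addresses       = (($nums | ForEach-Object { [System.Net.IPAddress]::Parse("$_") }) -join ', ')
        ConsecutivePair = $consecutive
    }
}

# Inbound traffic the text lists for an IPv4 network (port $null = any port, protocol only).
$RequiredInbound = @(
    @{ Name = 'Teredo';   Protocol = 'UDP'; Port = 3544 }
    @{ Name = '6to4';     Protocol = 41;    Port = $null }
    @{ Name = 'IP-HTTPS'; Protocol = 'TCP'; Port = 443 }
)

function Test-DaInboundFirewallRules {
    param([array]$Required)
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($r in $Required) {
        $match = @($rules | Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            ($f.Protocol -eq $r.Protocol) -and
            ($null -eq $r.Port -or $f.LocalPort -contains $r.Port -or $f.LocalPort -contains 'Any')
        })
        [pscustomobject]@{
            Traffic  = $r.Name
            Protocol = $r.Protocol
            Port     = $r.Port
            Allowed  = ($match.Count -gt 0)
            Rules    = ($match.DisplayName -join ', ')
        }
    }
}

Test-TeredoAddressPair
Test-DaInboundFirewallRules -Required $RequiredInbound | Format-Table -AutoSize
```

Note that Test-TeredoAddressPair only proves the addresses are consecutive, not that they are public; in this module's lab the 131.107.0.0/16 range merely simulates the Internet.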
Configuring Advanced DNS Settings
Detailed planning for a DNS server is very
important for proper configuration of
DirectAccess. This is because many components of
the DirectAccess technology use the DNS service.
DirectAccess supports a DNS server on servers
running Windows Server 2003 and newer
Windows Server operating systems. We
recommend using a DNS integrated with AD DS.
DNS in DirectAccess is used for the following:
Resolving network location server.
DirectAccess clients attempt to resolve the
network location server name in DNS, and
then contact the network location server to determine if they are on the internal network.
Resolving IP-HTTPS server name. The IP-HTTPS name should be resolved by DirectAccess client
computers by using public DNS servers.
Checking CRL revocation. DirectAccess client computers attempt to resolve the CRL distribution point
name in DNS.
Answering ISATAP queries. DNS servers should be configured to answer ISATAP queries. By default,
the DNS server service blocks name resolution for the name ISATAP through the DNS Global Query
Block List.
Connectivity verifiers. To verify connectivity to an internal network, DirectAccess creates a default web
probe that is used by DirectAccess client computers. For this, the following names should be
registered in DNS, where the Getting Started Wizard creates them automatically:
o directaccess-webprobehost. Should resolve to the internal IPv4 address of the DirectAccess server
or to the IPv6 address in an IPv6-only environment.
o directaccess-corpconnectivityhost. Should resolve to the localhost, or loopback, address.
Therefore, A and AAAA records should be created in DNS. The A record should resolve to the
IPv4 address 127.0.0.1 and the AAAA record should resolve to the IPv6 address that is
constructed out of NAT64 prefix with the last 32 bits as 127.0.0.1. The NAT64 prefix can be
retrieved by running the get-netnattransitionconfiguration cmdlet.
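Two of the DNS items above can be verified on the servers rather than by inspection: whether the Global Query Block List still blocks ISATAP, and whether the directaccess-corpconnectivityhost A and AAAA records carry the expected values. The following is an added example, not course material. The AAAA address is computed exactly as the text describes (the NAT64 prefix with 127.0.0.1 in the last 32 bits); the zone name is the lab's, the sample prefix is constructed, and the property name used to read the prefix from Get-NetNatTransitionConfiguration is an assumption to verify against the cmdlet's output.

```powershell
# Added example (not from the course): DNS-side checks for ISATAP and the
# connectivity-verifier records. Run on the DNS server (DnsServer module).
function Test-IsatapBlockList {
    # The GQBL blocks the name 'isatap' by default; DirectAccess with ISATAP needs it unblocked.
    $list = @((Get-DnsServerGlobalQueryBlockList).List)
    [pscustomobject]@{ IsatapBlocked = ($list -contains 'isatap'); BlockList = ($list -join ', ') }
}

function New-CorpConnectivityHostAddress {
    param([Parameter(Mandatory)][string]$Nat64Prefix)   # e.g. 'fd00:1234:5678:7777::/96' (constructed sample)
    # Take the /96 prefix and set the last 32 bits to 127.0.0.1 (0x7f000001).
    $prefixAddr = [System.Net.IPAddress]::Parse(($Nat64Prefix -split '/')[0])
    $bytes = $prefixAddr.GetAddressBytes()
    $bytes[12] = 127; $bytes[13] = 0; $bytes[14] = 0; $bytes[15] = 1
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).IPAddressToString
}

function Test-CorpConnectivityHostRecords {
    param([string]$ZoneName = 'Adatum.com', [Parameter(Mandatory)][string]$Nat64Prefix)
    $expectedAaaa = New-CorpConnectivityHostAddress -Nat64Prefix $Nat64Prefix
    $recs = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'directaccess-corpconnectivityhost' -ErrorAction SilentlyContinue)
    $a    = @($recs | Where-Object RecordType -eq 'A'    | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    $aaaa = @($recs | Where-Object RecordType -eq 'AAAA' | ForEach-Object { $_.RecordData.IPv6Address.IPAddressToString })
    [pscustomobject]@{
        ExpectedAaaa = $expectedAaaa
        FoundAaaa    = ($aaaa -join ', ')
        A_Ok         = ($a -contains '127.0.0.1')
        AAAA_Ok      = ($aaaa -contains $expectedAaaa)
    }
}

Test-IsatapBlockList
# With a constructed sample prefix the expected AAAA is fd00:1234:5678:7777::7f00:1
New-CorpConnectivityHostAddress -Nat64Prefix 'fd00:1234:5678:7777::/96'
# On the DirectAccess server, read the real prefix (property name assumed; confirm with
# Get-NetNatTransitionConfiguration | Format-List *) and pass it to the record check:
# $nat64 = (Get-NetNatTransitionConfiguration).IPv6Prefix
# Test-CorpConnectivityHostRecords -Nat64Prefix $nat64
```

Because the verifier's AAAA value is derived from the NAT64 prefix, the record must be re-created if the prefix is ever changed; comparing the computed and published values catches that drift.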
To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows 8
include the NRPT, a feature that allows DNS servers to be defined per DNS namespace, rather than per
interface.
The NRPT stores a list of rules. Each rule defines a DNS namespace and the configuration settings that
describe the DNS client's behavior for that namespace.

When a DirectAccess client is on the Internet, each name query request is compared against the
namespace rules stored in the NRPT, and:
If a match is found, the request is processed according to the settings in the NRPT rule.
If a name query request does not match a namespace listed in the NRPT, the request is sent to the
DNS servers configured in the TCP/IP settings for the specified network interface.
DNS settings on the network interface are configured depending on the client location:
For a remote client computer, the DNS servers are typically the Internet DNS servers configured
through the Internet service provider (ISP).
For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers
configured through DHCP.
Single-label names, for example, http://internal, typically have configured DNS search suffixes appended
to the name before they are checked against the NRPT.
If no DNS search suffixes are configured, and the single-label name does not match any single-label name
entry in the NRPT, the request is sent to the DNS servers specified in the client's TCP/IP settings.
Namespaces, such as internal.adatum.com, for example, are entered into the NRPT, followed by the DNS
servers to which requests matching that namespace should be directed. If an IP address is entered for the
DNS server, which is typically the DirectAccess server, all DNS requests are sent directly to the DNS server
over the DirectAccess connection. The NRPT allows DirectAccess clients to use intranet DNS servers for
name resolution of internal resources and Internet DNS for name resolution of other resources. Dedicated
DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of
your intranet namespace to the Internet.
Some names must be treated differently with regard to name resolution; these names should not be
resolved by using intranet DNS servers. To ensure that these names are resolved by the DNS servers
specified in the client's TCP/IP settings, you must add them as NRPT exemptions.
NRPT is controlled through Group Policy. When a computer is configured to use NRPT, the name
resolution mechanism uses the following, in this order:
The local name cache.
The hosts file.
NRPT.
Then, the name resolution mechanism sends the query to the DNS servers specified in the TCP/IP settings.
You may also need to create exemption rules in NRPT in the following scenarios:
If your organization uses multiple domain names in the internal namespace, you have to add more
DNS suffixes in NRPT.
If the FQDNs of your CRL distribution points are based on the intranet namespace, you have to create
exemption rules for the FQDNs of the CRL distribution points.
In a scenario where the organizations domain name is the same on both the Internet and on the
intranet, that is a split-brain DNS configuration, you have to create exemption rules that will direct
Internet clients to resolve Internet FQDN or intranet FQDN.
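The following Windows PowerShell function is an added example, not part of the course text: it replays the NRPT lookup described above for a set of names so you can see which DNS servers each query will be sent to. By default it reads the effective NRPT that Group Policy applied to the client; the sample entries at the end are constructed lab values, and 2001:db8::1 is a placeholder for the DirectAccess server's DNS address.

```powershell
# Added example: classify names the way the DNS Client service does once the local
# cache and hosts file have been consulted. Reads the effective NRPT by default.
function Get-NrptRoute {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [object[]]$Rule = (Get-DnsClientNrptPolicy -Effective),
        [string[]]$SuffixSearchList = (Get-DnsClientGlobalSetting).SuffixSearchList
    )
    foreach ($n in $Name) {
        # Single-label names get the configured search suffixes appended before the
        # NRPT is consulted; with no suffixes the bare name is checked as-is
        $candidates = @($n)
        if ($n -notmatch '\.' -and $SuffixSearchList) {
            $candidates = @($SuffixSearchList | ForEach-Object { '{0}.{1}' -f $n, $_ })
        }
        foreach ($fqdn in $candidates) {
            $f = $fqdn.TrimEnd('.').ToLowerInvariant()
            # Longest matching entry wins: ".adatum.com" covers every host beneath it,
            # "nls.adatum.com" covers that one name only (this is how exemptions are expressed)
            $match = $Rule | Where-Object {
                $ns = $_.Namespace.ToLowerInvariant()
                if ($ns.StartsWith('.')) { $f.EndsWith($ns) } else { $f -eq $ns }
            } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
            $route = if (-not $match) { 'interface DNS (TCP/IP settings): no NRPT entry' }
                     elseif (-not $match.DirectAccessDnsServers) { 'interface DNS (TCP/IP settings): NRPT exemption' }
                     else { 'intranet DNS over DirectAccess: ' + ($match.DirectAccessDnsServers -join ', ') }
            [pscustomobject]@{ Query = $fqdn; Entry = $match.Namespace; Route = $route }
        }
    }
}

# Constructed sample NRPT: one namespace entry plus the NLS and CRL exemptions the text
# calls for. 2001:db8::1 is a documentation-range placeholder for the DirectAccess
# server's DNS address; the real value is written by the Remote Access wizard.
$sampleRules = @(
    [pscustomobject]@{ Namespace = '.adatum.com';    DirectAccessDnsServers = @('2001:db8::1') }
    [pscustomobject]@{ Namespace = 'nls.adatum.com'; DirectAccessDnsServers = $null }
    [pscustomobject]@{ Namespace = 'crl.adatum.com'; DirectAccessDnsServers = $null }
)
Get-NrptRoute -Name 'lon-dc1.adatum.com', 'nls.adatum.com', 'www.contoso.com', 'lon-svr1' `
    -Rule $sampleRules -SuffixSearchList 'adatum.com' | Format-Table -AutoSize
```

Run it without -Rule on a DirectAccess client after gpupdate to check the policy Group Policy actually delivered; the output should match what netsh name show effectivepolicy reports.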
Administering Windows Server 2012 8-35
Implementing Network Location Servers
The network location server hosts the network location server website, which can be located on the
DirectAccess server or on another server in your organization. If the network location server website is
located on the DirectAccess server, the website is created automatically when you deploy DirectAccess. If
the network location server website is located on another computer running a Windows Server operating
system, you have to install IIS on that computer manually, and then configure the network location server
website.
You should configure the network location server to meet the following requirements:
• An HTTPS server certificate is configured for the network location server website.
• The DirectAccess client computers trust the CA that issues the HTTPS certificate for the network
location server website.
• The network location server website server certificate must be checked against a CRL.
• The DirectAccess client computers on the internal network must be able to resolve the name of the
network location server.
• The network location server should not be accessible to DirectAccess client computers on the
Internet.
• If DirectAccess is business critical for the organization, the network location server should be
configured with high availability for computers located on the internal network.
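The following Windows PowerShell function is an added example, not from the course text: it tests a network location server against the requirements listed above from a DirectAccess client. On the intranet every check should pass; from the Internet the connection is expected to fail, which is exactly what lets a client conclude it is outside. It assumes the name nls.adatum.com, the NLS host record created later in this module's lab.

```powershell
# Added example: verify NLS name resolution, reachability, the CRL Distribution Points
# extension and live CRL checking from the point of view of a DirectAccess client.
function Test-NetworkLocationServer {
    param([string]$NlsFqdn = 'nls.adatum.com', [int]$Port = 443)
    $r = [ordered]@{ Nls = $NlsFqdn; Resolves = $false; Reachable = $false; Subject = $null
                     CdpUrls = @(); ChainValid = $false; ChainStatus = @() }
    # Internal clients must be able to resolve the NLS name (an Internet client should not)
    $r.Resolves = [bool](Resolve-DnsName -Name $NlsFqdn -ErrorAction SilentlyContinue)
    if (-not $r.Resolves) { return [pscustomobject]$r }
    try { $tcp = New-Object System.Net.Sockets.TcpClient($NlsFqdn, $Port) }
    catch { return [pscustomobject]$r }            # unreachable: the expected result from the Internet
    $r.Reachable = $true
    try {
        # Accept whatever certificate is offered during the handshake; trust and CRL checks
        # are done explicitly below so that each failure reason is reported, not hidden
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($NlsFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        # The certificate must be checkable against a CRL, so it needs a CRL Distribution Points extension
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) { $r.CdpUrls = @([regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }) }
        # The client must trust the issuing CA and be able to download the CRL right now;
        # an unreachable CRL shows up as RevocationStatusUnknown / OfflineRevocation in ChainStatus
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        $r.ChainValid  = $chain.Build($cert)
        $r.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    } finally { $tcp.Close() }
    [pscustomobject]$r
}
Test-NetworkLocationServer | Format-List
```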
Implementing Management Servers
Management servers in a DirectAccess infrastructure are the servers that perform different management
tasks, such as Windows Update and antivirus updates. Management servers also perform software or
hardware inventory assessments. In a DirectAccess infrastructure, domain controllers are also considered
management servers.
DirectAccess clients can automatically discover management servers:
• Domain controllers. DirectAccess servers perform auto-discovery of domain controllers for all domains
in the same forest as the DirectAccess server and DirectAccess client computers.
• System Center Configuration Manager servers. DirectAccess servers perform auto-discovery of
Microsoft System Center 2012 Configuration Manager servers for all domains in the same forest as
the DirectAccess server and DirectAccess client computers.
8-36 Implementing Remote Access
Discovery of domain controllers and Configuration Manager servers is automatically performed during
the initial DirectAccess configuration.
You can display the detected management servers by using the following Windows PowerShell cmdlet:
Get-DAMgmtServer -Type All
After the initial DirectAccess deployment, if management servers such as domain controllers or
Configuration Manager servers are added or removed, you can update the management servers list by
clicking Refresh Management Servers in the Remote Access Management console.
Management servers should meet the following requirements:
• Management servers should be accessible over the first tunnel, which is the infrastructure tunnel.
During the initial DirectAccess deployment, management servers are, by default, automatically
configured to be accessible over the infrastructure tunnel.
• Management servers must fully support IPv6. If native IPv6 is deployed, management servers
communicate with DirectAccess clients by using native IPv6 addresses. In an IPv4 environment,
management servers communicate with DirectAccess clients by using ISATAP.
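The following Windows PowerShell function is an added example, not from the course text: run on the DirectAccess server, it takes the management servers that Get-DAMgmtServer reports and checks that each one has an IPv6 address DirectAccess clients can use, distinguishing native IPv6 from ISATAP-derived addresses. It assumes that the objects returned by Get-DAMgmtServer expose the server FQDN and type in Name and Type properties.

```powershell
# Added example: management servers without any IPv6 address (native or ISATAP)
# cannot be reached over the infrastructure tunnel and are flagged here.
function Test-DAMgmtServerIPv6 {
    foreach ($srv in Get-DAMgmtServer -Type All) {
        $aaaa = @(Resolve-DnsName -Name $srv.Name -Type AAAA -ErrorAction SilentlyContinue |
                  Where-Object IPAddress)
        $addr = $aaaa.IPAddress -join ', '
        # ISATAP addresses embed ::0:5efe:<IPv4 address> in the interface identifier,
        # for example 2002:836b:a:1:0:5efe:172.16.0.10
        $kind = if ($aaaa.Count -eq 0) { 'NONE - not reachable over IPv6' }
                elseif ($addr -match ':0?:5efe:') { 'ISATAP' }
                else { 'native IPv6' }
        [pscustomobject]@{ Server = $srv.Name; Type = $srv.Type; IPv6 = $addr; Kind = $kind }
    }
}
Test-DAMgmtServerIPv6 | Format-Table -AutoSize
```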
Demonstration: Modifying the DirectAccess Infrastructure
In this demonstration, you will see how to modify the DirectAccess infrastructure deployed by using the
Getting Started Wizard and how to apply advanced configuration settings.
Demonstration Steps
Configure the Remote Access Role
1. On LON-RTR, in the Server Manager console, start the Remote Access Management console, and
then click DirectAccess and VPN.
2. In the details pane of the Remote Access Management console, under Step 1, click Edit, and then
specify the following:
o Select Groups: DA_Clients.
o Network Connectivity Assistant Resource: https://lon-svr1.adatum.com
3. In the details pane of the Remote Access Management console, under Step 2, click Edit.
4. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.10.
5. Verify that Use a self-signed certificate created automatically by DirectAccess server is selected.
6. On the Network Adapters page, verify that CN=131.107.0.10 is used as a certificate to authenticate
IP-HTTPS connections.
7. On the Authentication page, select Use computer certificates, click Browse, and then select
AdatumCA.
8. Select Enable Windows 7 client computers to connect via DirectAccess.
9. On the Authentication page, click Finish.
10. In the details pane of the Remote Access Management console, under Step 3, click Edit.
11. On the Network Location Server page, select The network location server is deployed on a remote
web server (recommended), type https://lon-svr1.adatum.com, and then select Validate.
12. On the DNS page, examine the values, and then click Next.
13. In the DNS Suffix Search List, examine the values, and then click Next.
14. On the Management page, click Finish.
15. In the details pane of the Remote Access Management console, display the settings for Step 4.
16. In the Remote Access Setup window, review the settings, and then click Finish.
17. In the details pane of the Remote Access Management console, click Finish.
18. In the Remote Access Review page, click Cancel.
Note: The DirectAccess configuration is not applied because additional prerequisites also
need to be configured, such as AD DS configuration, firewall settings, and certificate deployment.
How to Monitor DirectAccess Connectivity
You can monitor DirectAccess connectivity by using the Remote Access Management console. This console
contains information on how DirectAccess server components work. By using the Remote Access
Management console, you can also monitor DirectAccess client connectivity information. By monitoring
DirectAccess connectivity, you can obtain information about DirectAccess role service health that will help
you troubleshoot potential connectivity issues.
The Remote Access Management console includes the following monitoring components:
• Dashboard. The Remote Access Management console includes a centralized dashboard for multiple
DirectAccess monitored components. It contains the following information: Operation status,
Configuration status, and DirectAccess and VPN client status. Information about each of these
components is available in separate windows in the Remote Access Management console.
• Operation Status. Operation status provides information about the health of each DirectAccess
component: DNS, DNS64, domain controllers, IP-HTTPS, Kerberos, NAT64, network adapters, network
location server, and network security and services. If the DirectAccess component is healthy, a green
check mark appears next to it. If there is any issue with the DirectAccess component, it is marked with
a blue question mark. By clicking the component, you can obtain detailed information about the
related issue, the cause of the issue, and how to resolve it.
• Remote Access Client Status. Remote Access Client Status displays information about the DirectAccess
client computers that connect to the DirectAccess server. The information displayed in this window
includes: User Name, Host Name, ISP Address, Protocol/Tunnel, and Duration. For each DirectAccess
client connection, you can view more detailed information.
• Remote Access Reporting. Remote Access Reporting provides the same information as Remote Access
Client Status, but as a historical DirectAccess client usage report. You can choose the start date and
end date for the report. In addition, Remote Access Reporting displays Server Load Statistics, which is
statistical connectivity information on Total DirectAccess sessions, Average sessions per day,
Maximum concurrent sessions, and Unique DirectAccess clients.

How to Troubleshoot DirectAccess Connectivity
Organizations should develop a troubleshooting methodology for DirectAccess connectivity in order to
quickly eliminate any problem that DirectAccess client computers face. The troubleshooting methodology
should contain step-by-step instructions on how to diagnose the problem.
You can troubleshoot DirectAccess connectivity by using the following methods:
• Troubleshooting methodology. Whenever DirectAccess client computers are not able to connect to the
DirectAccess server, we recommend that you follow a methodology to diagnose the problem. The
troubleshooting methodology includes the following steps:
o Confirm that DirectAccess supports the operating system version you are using.
o Confirm that the DirectAccess client computer is a member of the domain.
o Confirm that the DirectAccess client computer received computer configuration Group Policy
settings for DirectAccess.
o Confirm that the DirectAccess server computer received computer configuration Group Policy
settings for DirectAccess.
o Confirm that the DirectAccess client computer has a global IPv6 address.
o Confirm that the DirectAccess client computer is able to reach the IPv6 addresses of the
DirectAccess server.
o Confirm that the intranet servers have a global IPv6 address.
o Confirm that the DirectAccess client computer on the Internet correctly determines that it is not
on the intranet.
o Ensure that the DirectAccess client computer is assigned the domain firewall profile.
o Confirm that the DirectAccess client computer can connect to intranet DNS servers by using the IPv6
protocol, and that the DirectAccess client computer is able to use intranet DNS servers to resolve
and to reach intranet FQDNs. Also, confirm that the DirectAccess client computer is able to
communicate with intranet servers by using application layer protocols.
o Confirm that the DirectAccess client computer is able to establish both IPsec infrastructure and
intranet tunnels with the DirectAccess server.
• Command-line tools. Use the following command-line tools for performing the checks according to
your troubleshooting methodology:
o Netsh
o Ping
o Nslookup
o Ipconfig
o Certutil
o Nltest
• GUI tools. Use the following GUI tools for performing the checks according to your troubleshooting
methodology:
o Remote Access Server Management Console.
o Group Policy Management Console (GPMC) and Editor.
o Windows Firewall with Advanced Security.
o Event Viewer.
o Certificates.
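The following Windows PowerShell function is an added example, not part of the course text: it runs the client-side steps of the methodology above from one elevated PowerShell session on a DirectAccess client running Windows 8 or later and returns a pass/fail table, using the same netsh and gpresult tools listed here. It assumes the client GPO is named DirectAccess Client Settings, as in this module's demonstrations, and that lon-dc1.adatum.com is an intranet DNS server; both are parameters.

```powershell
# Added example: one function, one row per troubleshooting step, so a failing step
# stands out before you start reading individual tool output.
function Test-DirectAccessClient {
    param(
        [string]$ClientGpoName   = 'DirectAccess Client Settings',   # assumption: lab GPO name
        [string]$IntranetDnsHost = 'lon-dc1.adatum.com'              # assumption: lab intranet DNS server
    )
    $checks = New-Object System.Collections.ArrayList
    function Add-Check([string]$Step, [bool]$Pass, [string]$Detail) {
        [void]$checks.Add([pscustomobject]@{ Step = $Step; Pass = $Pass; Detail = $Detail })
    }
    # Domain membership
    $cs = Get-CimInstance Win32_ComputerSystem
    Add-Check 'Domain member' $cs.PartOfDomain $cs.Domain
    # Computer Group Policy for DirectAccess applied; the NRPT only exists once it has
    $gp   = gpresult /R /SCOPE COMPUTER | Out-String
    $nrpt = @(Get-DnsClientNrptPolicy -Effective)
    Add-Check 'Client GPO applied' ($gp -match [regex]::Escape($ClientGpoName)) "$($nrpt.Count) effective NRPT entries"
    # Global IPv6 address (2000::/3) from native IPv6, Teredo, 6to4 or IP-HTTPS
    $gua = @(Get-NetIPAddress -AddressFamily IPv6 |
             Where-Object { $_.IPAddress -match '^[23][0-9a-f]{3}:' -and $_.AddressState -eq 'Preferred' })
    Add-Check 'Global IPv6 address' ($gua.Count -gt 0) ($gua.IPAddress -join ', ')
    # Location detection: the client reports whether it concluded it is inside or outside
    $da = Get-DAConnectionStatus
    Add-Check 'Location detection' ($da.Status -in 'ConnectedRemotely', 'ConnectedLocally') "$($da.Status) / $($da.Substatus)"
    # IP-HTTPS is the transition technology used in this module's lab
    $ih = netsh interface httpstunnel show interfaces | Out-String
    Add-Check 'IP-HTTPS interface active' ($ih -match 'IPHTTPS interface active') ((($ih -split "`r?`n") -match 'Status|Error') -join '; ')
    # Infrastructure and intranet tunnels appear as IPsec main mode security associations
    $sa = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
    Add-Check 'IPsec tunnels established' ($sa.Count -gt 0) "$($sa.Count) main mode SA(s)"
    # Intranet DNS over IPv6: resolve an intranet FQDN and reach it (ICMPv6 echo must be allowed)
    $aaaa = @(Resolve-DnsName -Name $IntranetDnsHost -Type AAAA -ErrorAction SilentlyContinue | Where-Object IPAddress)
    Add-Check "Resolve $IntranetDnsHost (AAAA)" ($aaaa.Count -gt 0) ($aaaa.IPAddress -join ', ')
    $ping = ($aaaa.Count -gt 0) -and (Test-Connection -ComputerName $aaaa[0].IPAddress -Count 1 -Quiet -ErrorAction SilentlyContinue)
    Add-Check "Reach $IntranetDnsHost over IPv6" $ping ''
    $checks
}
Test-DirectAccessClient | Format-Table -AutoSize
```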
Demonstration: Monitoring and Troubleshooting DirectAccess
Connectivity
In this demonstration, you will learn how to monitor and troubleshoot DirectAccess connectivity.
Demonstration Steps
Verify DirectAccess Group Policy Configuration Settings for Windows 8 Clients
1. Switch to LON-CL1.
2. Restart LON-CL1, and then sign in as Adatum\Administrator with the password Pa$$w0rd. Open
the Command Prompt window, and then run the following commands:
gpupdate /force
gpresult /R
3. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for
the Computer Settings.
Note: If DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as
Adatum\Administrator by using the password Pa$$w0rd, and then repeat step 2 on LON-CL1.
Move the Client Computer to the Internet Virtual Network
1. Switch to LON-CL1.
2. Simulate moving the client computer LON-CL1 out of the corporate network and onto the Internet by
disabling the Ethernet network adapter and enabling the Ethernet 2 network adapter, which is
configured with the following values:
o IP address: 131.107.0.20
o Subnet mask: 255.255.0.0
o Preferred DNS server: 131.107.0.100
3. Close the Network Connections window.
Verify Connectivity to the DirectAccess Server
1. On LON-CL1, open a Command Prompt window, and then run the following command:
ipconfig
2. Notice the IP address that starts with 2002. This is an IP-HTTPS address.
3. If you notice that there is no IP address for iphttpsinterface, type the following commands, restart
the computer, and then repeat steps 1 and 2:
Netsh interface teredo set state disabled
Netsh interface 6to4 set state disabled
4. At the command prompt, type the following command, and then press Enter:
Netsh name show effectivepolicy
Monitoring DirectAccess Connectivity
1. Switch to LON-RTR.
2. On LON-RTR, open the Remote Access Management console, and then, in the left pane, click
Dashboard.
3. Review the information in the central pane, under the DirectAccess and VPN Client Status.
If no information appears, restart LON-CL1, and then repeat steps 2 and 3.
4. In the left pane, click Remote Client Status, and then, in the central pane, review the information
under the Connected Clients list.
5. In the left pane, click Reporting, and then, in the central pane, click Configure Accounting.
6. In the Configure Accounting window, under Select Accounting Method, click Use inbox accounting,
click Apply, and then click Close.
7. In the central pane, under Remote Access Reporting, review the options for monitoring historical
data.
Lab B: Deploying an Advanced DirectAccess Solution
Scenario
The proof-of-concept deployment of DirectAccess was a success, so IT management has decided to
enable DirectAccess for all mobile clients, including computers running Windows 7. IT management also
wants to ensure that the DirectAccess deployment is scalable and provides redundancy.
You need to modify the proof-of-concept deployment to meet the new requirements.
Objectives
After completing this lab, you will be able to:
• Prepare the infrastructure for the advanced DirectAccess deployment.
• Implement the advanced DirectAccess infrastructure.
• Validate the DirectAccess deployment.
Lab Setup
Estimated Time: 60 minutes
Virtual Machine(s): 20411D-LON-DC1, 20411D-LON-SVR1, 20411D-LON-RTR, 20411D-LON-CL1,
20411D-LON-CL3
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): 20411D-INET1
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411D-LON-DC1, and, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
User name: Adatum\Administrator
Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20411D-LON-SVR1, 20411D-LON-RTR, 20411D-LON-CL3, and
20411D-LON-CL1.
6. In Microsoft Hyper-V Manager, click 20411D-INET1, and, in the Actions pane, click Start.
7. In the Actions pane, click Connect. Wait until the virtual machine starts.
8. Sign in using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Exercise 1: Preparing the Environment for DirectAccess
Scenario
As the first step in implementing the advanced DirectAccess solution, you need to prepare the network
infrastructure. You will configure an internal network location server, and then configure and distribute
the required certificates.
The main tasks for this exercise are as follows:
1. Configure the AD DS and DNS requirements
2. Configure CRL distribution
3. Configure client certificate distribution
4. Configure the network location server and DirectAccess server certificates
Task 1: Configure the AD DS and DNS requirements
Edit the Security Group for DirectAccess Client Computers
1. Switch to LON-DC1.
2. Open the Active Directory Users and Computers console, and then, in the DA_Clients OU, modify
the membership of the DA_Clients group to include LON-CL3 and LON-CL1.
3. Close the Active Directory Users and Computers console.
Create Required DNS Records
1. Open the DNS Manager console, and then create new host records with the following settings:
o Name: nls; IP Address: 172.16.0.21
o Name: crl; IP Address: 172.16.0.1
2. Close the DNS Manager console.
Note: The NLS record will be used by the client to determine the network location.