
OFFICIAL MICROSOFT LEARNING PRODUCT

20411B
Administering Windows Server 2012


Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.



Product Number: 20411B
Released: 12/2012



MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE


These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.

i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active silver or gold-level Microsoft Partner Network program member in good
standing.



l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,


vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.



c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.



ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.



4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.



b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any use of this
Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft
and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any
compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the Licensed Content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of
any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it.

Revised September 2012
Deploying and Maintaining Server Images 1-1
Module 1
Deploying and Maintaining Server Images
Contents:
Lesson 1: Overview of Windows Deployment Services 2
Lesson 2: Implementing Deployment with Windows Deployment Services 4
Lesson 3: Administering Windows Deployment Services 6
Module Review and Takeaways 9

1-2 Administering Windows Server 2012
Lesson 1
Overview of Windows Deployment Services
Contents:
Question and Answers 3

Question and Answers
Windows Deployment Services Components
Question: What is the advantage of multicasting as opposed to unicasting in volume deployment
scenarios?
Answer: With multicasting, network traffic is managed more effectively.
Discussion: How to Use Windows Deployment Services
Question: The A. Datum Corporation IT staff is about to deploy Windows Server 2012 to various branch
offices. The following information has been provided to the IT staff by management:
The configuration of the various branch office servers is expected to be fairly consistent.
There is no requirement to upgrade settings from existing servers, as these are new branch offices
with no current IT infrastructure in place.
Automation of the deployment process is important, as there are many servers to deploy.
How would you use Windows Deployment Services to aid deployment?
Answer: Answers may vary, but important points to consider are to:
Use answer files to automate the image selection process during deployment.
Use answer files to automate the responses during setup, including domain-joining.
Create a custom image using the steps provided in the preceding topic.
Capture the image and upload to Windows Deployment Services.
Configure Windows Deployment Services to use custom naming.
Configure PXE Server to respond to client requests automatically, and start deployment without the
installer having to press F12 to commence the deployment.
Question: A. Datum Corporation wants to deploy several dozen new servers in their head offices. These
servers will be installed with Windows Server 2012. The following information has been provided to the IT
staff by management:
The configuration of the various servers is expected to vary slightly; there are two basic server
configurations: full server, and Server Core.
Managing network traffic is critical, as the network is near capacity.
How would you advise staff at A. Datum to proceed with the deployment?
Answer: Answers might vary, but points to consider should include:
Create two custom images, and capture them to the Windows Deployment Services server.
Configure multicast transmission on the Windows Deployment Services server(s) to enable efficient
use of the network bandwidth.

Lesson 2
Implementing Deployment with Windows
Deployment Services
Contents:
Question and Answers 5


Question and Answers
Managing Deployments with Windows Deployment Services
Question: What is the advantage of defining a client naming policy?
Answer: For unknown clients, a client naming policy saves the administrator from having to remember
previously allocated computer names during the deployment process.

Lesson 3
Administering Windows Deployment Services
Contents:
Demonstration 7

Demonstration
Demonstration: How to Administer Images
Demonstration Steps
Install and configure the Windows Deployment Services role
1. Switch to the LON-SVR1 computer.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard window, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the Windows Deployment Services check box.
7. In the Add Roles and Features Wizard window, click Add Features.
8. On the Select server roles page, click Next.
9. On the Select features page, click Next.
10. On the WDS page, review the information presented, and then click Next.
11. On the Select role services page, click Next.
12. On the Confirm installation selections page, click Install.
13. On the Installation Results page, click Close.
14. In Server Manager, click Tools, and then click Windows Deployment Services.
15. In the Windows Deployment Services console, expand Servers.
16. Right-click LON-SVR1.Adatum.com, and then click Configure Server. Click Next.
17. On the Install Options page, click Next.
18. On the Remote Installation Folder Location page, click Next.
19. In the System Volume Warning dialog box, click Yes.
20. On the PXE Server Initial Settings page, click Respond to all client computers (known and unknown),
and then click Next.
21. On the Operation Complete page, clear the Add images to the server now check box, and then
click Finish.
Add a boot image
1. In Windows Deployment Services, in the console tree, expand LON-SVR1.Adatum.com.
2. Right-click Boot Images, and then click Add Boot Image.
3. In the Add Image Wizard, on the Image File page, click Browse.
4. In the Select Windows Image File dialog box, in the navigation pane, click Computer, double-click
DVD Drive (D:), double-click sources, and then double-click boot.wim.
5. On the Image File page, click Next.
6. On the Image Metadata page, click Next.
7. On the Summary page, click Next.
8. On the Task Progress page, click Finish.
Add an install image
1. In the Windows Deployment Services console, right-click Install Images, and then click Add Image
Group.
2. In the Add Image Group dialog box, in the Enter a name for the image group field, type Windows
Server 2012, and then click OK.
3. In the Windows Deployment Services console, right-click Windows Server 2012, and then click Add
Install Image.
4. In the Add Image Wizard, on the Image File page, click Browse.
5. In the File name text box, type D:\sources\install.wim, and then click Open.
6. On the Image File page, click Next.
7. On the Available Images page, clear all check boxes except Windows Server 2012
SERVERSTANDARDCORE, and then click Next.
8. On the Summary page, click Next.
9. On the Task Progress page, click Finish.
10. Minimize the Windows Deployment Services window.
Demonstration: How to Configure Multicast Transmission
Demonstration Steps
1. On LON-SVR1, in Windows Deployment Services, in the console tree, right-click Multicast
Transmissions, and then click Create Multicast Transmission.
2. In the Create Multicast Transmission Wizard, on the Transmission Name page, in the Type a name
for this transmission field, type Windows Server 2012 Branch Servers, and then click Next.
3. On the Image Selection page, in the Select the image group that contains the image list, click
Windows Server 2012.
4. In the Name list, click Windows Server 2012 SERVERSTANDARDCORE, and then click Next.
5. On the Multicast Type page, verify that Auto-Cast is selected, and then click Next.
6. Click Finish.
Module Review and Takeaways
Review Question(s)
Question: Windows Deployment Services supports two types of multicast transmission. Which type is
suitable for minimizing total network traffic during deployment to a fixed number of clients?
Answer: Scheduled-Cast. A Scheduled-Cast transmission waits until a threshold number of clients has
joined (or until a scheduled start time) and then sends the image once to all of them, which makes it the
better choice for a fixed number of clients, particularly when the clients are started at different times.
Auto-Cast starts as soon as the first client requests the image and keeps looping while clients are
connected; if clients do not connect simultaneously, the Windows Deployment Services server transmits
the image multiple times, which can consume a large amount of network bandwidth.
Question: How is Windows ADK useful with Windows Deployment Services deployments?
Answer: Windows ADK provides tools, such as ImageX.exe, Sysprep.exe, and Windows SIM that enable
you to manage images for use by Windows Deployment Services. For example, you can use Windows SIM
to create and configure answer files to automate Windows Deployment Services deployments. You also
can use Sysprep to generalize a capture image for Windows Deployment Services. Additionally, Windows
ADK provides a number of Windows PE images and management tools.
Question: What steps are necessary to automate the end-to-end deployment process?
Answer: The following steps are required:
1. Configure the PXE boot policy to Always Continue PXE boot, so that the client does not wait for F12.
2. Configure a default boot image for each client architecture.
3. Create an answer file for the Windows Deployment Services client (image and disk selection, credentials)
and associate it with the server as the WDS client unattend file.
4. Create an answer file for Windows Setup (product key, domain join, local administrator password) and
associate it with the install image.
5. Configure clients to boot from the hard disk first and then PXE, to avoid a boot loop after the image is
applied.
6. If necessary, configure multicast transmission.
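The six automation steps above, together with the naming-policy and PXE-response points from the Lesson 1 questions, can be scripted on the Windows Deployment Services server with WDSUTIL. The script below is an added example and is not part of the course; it runs on LON-SVR1 and assumes the remote installation folder is D:\RemoteInstall, that the answer files have already been copied into D:\RemoteInstall\WdsClientUnattend, and that the boot and install images are the ones the demonstrations add (the MAC address used to pre-stage LON-SVR5 is made up).

```powershell
# Added example: end-to-end WDS automation with WDSUTIL (Windows Server 2012).
# Assumptions: RemoteInstall is D:\RemoteInstall; the unattend files named below
# already exist under D:\RemoteInstall\WdsClientUnattend; image and group names
# match the demonstrations. The LON-SVR5 MAC address is a constructed value.
$ErrorActionPreference = 'Stop'

function Invoke-Wdsutil {
    # Runs one WDSUTIL command line and stops on a non-zero exit code so that a
    # failed step cannot be silently skipped and leave a half-configured server.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & wdsutil.exe /Verbose @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Who gets answered. Answering all clients is what the lab does; pairing it with
# AdminApproval means an unknown device that PXE-boots is parked in the Pending
# Devices list instead of receiving an image, while pre-staged (known) clients
# deploy with no prompt at all.
Invoke-Wdsutil '/Set-Server', '/AnswerClients:All'
Invoke-Wdsutil '/Set-Server', '/AutoAddPolicy', '/Policy:AdminApproval'

# Pre-stage a known client (hypothetical server LON-SVR5, constructed MAC address)
# with its own client unattend file and target OU, so it needs no approval.
Invoke-Wdsutil '/Add-Device', '/Device:LON-SVR5', '/ID:00-15-5D-AA-BB-05',
               '/WdsClientUnattend:WdsClientUnattend\LON-SVR5.xml',
               '/JoinDomain:Yes', '/OU:OU=Servers,DC=Adatum,DC=com'

# Step 1: continue the PXE boot without F12, for known and new clients alike.
Invoke-Wdsutil '/Set-Server', '/PxePromptPolicy', '/Known:NoPrompt', '/New:NoPrompt'

# Step 2: default boot image for x64 clients (path relative to RemoteInstall).
Invoke-Wdsutil '/Set-Server', '/BootImage:boot\x64\images\boot.wim', '/Architecture:x64'

# Step 3: WDS client unattend file (drives the WDS client: image/disk selection,
# credentials). Path is relative to RemoteInstall.
Invoke-Wdsutil '/Set-Server', '/WdsUnattend', '/Policy:Enabled',
               '/File:WdsClientUnattend\WdsClientUnattend.xml', '/Architecture:x64'

# Step 4: Windows Setup unattend file associated with the install image.
Invoke-Wdsutil '/Set-Image', '/Image:Windows Server 2012 SERVERSTANDARDCORE',
               '/ImageType:Install', '/ImageGroup:Windows Server 2012',
               '/UnattendFile:D:\RemoteInstall\WdsClientUnattend\ServerCore-Unattend.xml'

# Client naming policy for unknown clients: LON-SVR001, LON-SVR002, ...
Invoke-Wdsutil '/Set-Server', '/NewMachineNamingPolicy:LON-SVR%03#'

# Step 6: Scheduled-Cast multicast that starts once 10 clients have joined, so the
# image crosses the near-capacity network once instead of once per client.
Invoke-Wdsutil '/New-MulticastTransmission',
               '/FriendlyName:Windows Server 2012 Branch Servers',
               '/Image:Windows Server 2012 SERVERSTANDARDCORE', '/ImageType:Install',
               '/ImageGroup:Windows Server 2012', '/TransmissionType:ScheduledCast',
               '/Clients:10'

# Step 5 (boot order: disk first, then PXE) is a firmware setting on each client
# and cannot be set from the WDS server. Review the result:
Invoke-Wdsutil '/Get-Server', '/Show:Config'
```

Because the script raises on the first failed WDSUTIL call, re-running it after a fix is safe for the idempotent /Set-Server and /Set-Image commands; /Add-Device and /New-MulticastTransmission report an error if the device or transmission already exists, which is the intended behaviour rather than silently creating duplicates.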
Tools
Tool | What it is used for | Where to find it
Windows Deployment Services console | Administering Windows Deployment Services | Server Manager - Tools
WDSutil.exe | Command-line management of Windows Deployment Services | Command line
Windows ADK | Managing image files and creating answer files | Download from Microsoft.com
Dism.exe | Offline and online servicing of images | Windows ADK (also included in Windows Server 2012 in %SystemRoot%\System32)
Netsh.exe | Command-line tool for managing network-related settings | Command line


Configuring and Troubleshooting Domain Name System 2-1
Module 2
Configuring and Troubleshooting Domain Name System
Contents:
Lesson 1: Installing the DNS Server Role 2
Lesson 2: Configuring the DNS Server Role 4
Lesson 3: Configuring DNS Zones 6
Lesson 4: Configuring DNS Zone Transfers 8
Lesson 5: Managing and Troubleshooting DNS 10
Module Review and Takeaways 12
Lab Review Questions and Answers 13

Lesson 1
Installing the DNS Server Role
Contents:
Demonstration 3

Demonstration
Demonstration: Installing the DNS Server Role
Demonstration Steps
1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. If necessary, on the taskbar, click Server Manager.
3. In Server Manager, in the navigation pane, click Dashboard, and then in the details pane, click Add
roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, in the Roles list, select the DNS Server check box.
8. In the Add Roles and Features Wizard dialog box, click Add Features.
9. On the Select server roles page, click Next.
10. On the Select features page, click Next.
11. On the DNS Server page, click Next.
12. On the Confirm installation selections page, click Install.
13. After the role is installed, click Close.

Lesson 2
Configuring the DNS Server Role
Contents:
Demonstration 5

Demonstration
Demonstration: Configuring the DNS Server Role
Demonstration Steps
Configure DNS server properties
1. Switch to LON-DC1.
2. If necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.
3. In Server Manager, click Tools, and then click DNS.
4. In DNS Manager, expand LON-DC1, select and then right-click LON-DC1, and then click Properties.
5. In the LON-DC1 Properties dialog box, click the Forwarders tab.
6. On the Forwarders tab, click Edit. You can configure forwarding here. Click Cancel.
7. Click the Advanced tab. You can configure options including securing the cache against pollution.
8. Click the Root Hints tab. You can see the configuration for the root hints servers here.
9. Click the Debug Logging tab, and then select the Log packets for debugging check box. You can
configure debug logging options here.
10. Clear the Log packets for debugging check box, and then click the Event Logging tab.
11. Click Errors and Warnings.
12. Click the Monitoring tab. You can perform simple and recursive tests against the server by using the
Monitoring tab. Select the A simple query against this DNS server check box, and then click Test
Now.
13. Click the Security tab. You can define permissions on the DNS infrastructure here. Click OK.
Configure conditional forwarding
1. In the navigation pane, click Conditional Forwarders.
2. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
3. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
4. Click the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press
Enter. Validation will fail since this is just an example configuration.
5. Click OK.
Clear the DNS cache
In the navigation pane, right-click LON-DC1, and then click Clear Cache.
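The server-level settings this demonstration visits in DNS Manager (forwarders, cache protection, conditional forwarding, logging, the monitoring test and clearing the cache) can also be applied with the DnsServer Windows PowerShell module that ships with the DNS Server role in Windows Server 2012. The following script is an added example, not part of the course; it runs on LON-DC1, and the forwarder address 131.107.1.1 is an illustrative value like the 131.107.1.2 used in the demonstration.

```powershell
# Added example: DNS server role hardening and verification with the DnsServer
# module (Windows Server 2012). Run on LON-DC1. 131.107.1.1 and 131.107.1.2 are
# illustrative addresses, not a real configuration.
Import-Module DnsServer
$ErrorActionPreference = 'Stop'

# Forwarders: send queries for names this server is not authoritative for to
# chosen resolvers, and do not fall back to root hints if they are unreachable
# (otherwise a failed forwarder silently turns the DC into an open recursive
# resolver walking the Internet root).
Set-DnsServerForwarder -IPAddress 131.107.1.1 -UseRootHint $false

# Cache protection (Advanced tab):
#  - PollutionProtection discards records in a response that fall outside the
#    zone the answering server is authoritative for.
#  - LockingPercent 100 refuses to overwrite a cached record until its TTL has
#    fully expired, which blunts poisoning attempts that race the real answer.
Set-DnsServerCache -PollutionProtection $true -LockingPercent 100

# Conditional forwarder for the partner domain used in the demonstration.
if (-not (Get-DnsServerZone -Name 'contoso.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'contoso.com' -MasterServers 131.107.1.2
}

# Logging: packet-level debug logging writes every query to disk and belongs
# only in a troubleshooting window; make sure it is off, and keep event logging
# at errors and warnings (level 2) as the demonstration selects.
Set-DnsServerDiagnostics -All $false
Set-DnsServerDiagnostics -EventLogLevel 2

# Clear the cache, then verify what was set rather than trusting the calls.
Clear-DnsServerCache -Force

function Get-DnsHardeningReport {
    $cache = Get-DnsServerCache
    $fwd   = Get-DnsServerForwarder
    # Equivalent of "A simple query against this DNS server" on the Monitoring tab.
    $test  = Test-DnsServer -IPAddress 172.16.0.10 -Context DnsServer
    [pscustomobject]@{
        Forwarders          = ($fwd.IPAddress -join ', ')
        UseRootHint         = $fwd.UseRootHint
        PollutionProtection = $cache.EnablePollutionProtection
        LockingPercent      = $cache.LockingPercent
        SimpleQueryResult   = $test.Result
    }
}

Get-DnsHardeningReport | Format-List
```

The report at the end is the check a reviewer would want: each property is read back from the server after configuration, so a typo in a parameter name or a cmdlet that failed quietly shows up as a wrong value instead of being assumed.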

Lesson 3
Configuring DNS Zones
Contents:
Demonstration 7

Demonstration
Demonstration: Creating Zones
Demonstration Steps
Create a reverse lookup zone
1. On LON-DC1, in DNS Manager, in the navigation pane, click Reverse Lookup Zones.
2. Right-click Reverse Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. On the Zone Type page, click Primary zone, and then click Next.
5. On the Active Directory Zone Replication Scope page, click Next.
6. On the Reverse Lookup Zone Name page, click IPv4 Reverse Lookup Zone, and then click Next.
7. On the second Reverse Lookup Zone Name page, in the Network ID: box, type 172.16.0, and then
click Next.
8. On the Dynamic Update page, click Next.
9. On the Completing the New Zone Wizard page, click Finish.
Create a forward lookup zone
1. Switch to LON-SVR1.
2. Pause your mouse pointer in the lower-left corner of the display, and then click Start.
3. From Start, click DNS.
4. In DNS Manager, in the navigation pane, expand LON-SVR1, and then click Forward Lookup
Zones.
5. Right-click Forward Lookup Zones and then click New Zone.
6. In the New Zone Wizard, click Next.
7. On the Zone Type page, click Secondary zone, and then click Next.
8. On the Zone Name page, in the Zone name: box, type Adatum.com, and then click Next.
9. On the Master DNS Servers page, in the Master Servers list, type 172.16.0.10, and then press Enter.
10. Click Next, and on the Completing the New Zone Wizard page, click Finish.

Lesson 4
Configuring DNS Zone Transfers
Contents:
Demonstration 9

Demonstration
Demonstration: Configuring DNS Zone Transfers
Demonstration Steps
Enable DNS zone transfers
1. Switch to LON-DC1.
2. In DNS Manager, in the navigation pane, expand Forward Lookup Zones.
3. Right-click Adatum.com, and then click Properties.
4. In the Adatum.com Properties dialog box, click the Zone Transfers tab.
5. Select the Allow zone transfers check box, and then click Only to servers listed on the Name
Servers tab.
6. Click Notify, and in the Notify dialog box, click Servers listed on the Name Servers tab. Click OK.
7. Click the Name Servers tab, and then click Add.
8. In the New Name Server Record dialog box, in the Server fully qualified domain name (FQDN)
box, type LON-SVR1.Adatum.com, and then click Resolve. Click OK.
9. In the Adatum.com Properties dialog box, click OK.
Update the secondary zone from the master server
1. Switch to LON-SVR1.
2. In DNS Manager, in the navigation pane, expand Forward Lookup Zones.
3. Refresh the display, click and then right-click Adatum.com, and then click Transfer from Master.
You might need to perform this step a number of times before the zone transfers. Also, note that the
transfer might occur automatically before you perform these steps manually.
Update the primary zone, and then verify the change on the secondary zone
1. Switch to LON-DC1.
2. In DNS Manager, right-click Adatum.com, and then click New Alias (CNAME).
3. In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box,
type intranet.
4. In the Fully qualified domain name (FQDN) for target host box, type LON-dc1.adatum.com, and
then click OK.
5. Switch to LON-SVR1.
6. In DNS Manager, click Adatum.com
7. Right-click Adatum.com, and then click Transfer from Master. The record may take some time to
appear. You might need to refresh the display.
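The zone-transfer configuration above can be scripted end to end and verified without refreshing the console repeatedly. The script below is an added example, not course material; it runs on LON-DC1 with the lab's host names and the 172.16.0.10 master address from Lesson 3, and it reaches LON-SVR1 through PowerShell remoting, which assumes WinRM is enabled there (the default on Windows Server 2012).

```powershell
# Added example: restrict zone transfers to listed name servers, notify them,
# create the secondary, and confirm that a change replicates. Run on LON-DC1
# (primary, Active Directory-integrated Adatum.com). Assumes WinRM on LON-SVR1.
Import-Module DnsServer
$ErrorActionPreference = 'Stop'
$zone      = 'Adatum.com'
$secondary = 'LON-SVR1.Adatum.com'
$primaryIp = '172.16.0.10'

# --- LON-DC1 (primary) ---
# List LON-SVR1 on the Name Servers tab: the transfer ACL below refers to it.
$ns = Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType NS
if ($ns.RecordData.NameServer -notcontains "$secondary.") {
    Add-DnsServerResourceRecord -ZoneName $zone -Ns -Name '@' -NameServer $secondary
}
# "Only to servers listed on the Name Servers tab" + "Notify: servers listed on
# the Name Servers tab". TransferAnyServer would let any host on the network
# pull the whole zone with an AXFR, which is a ready-made inventory for an attacker.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToZoneNameServer -Notify NotifyServers

# The record the demonstration adds to prove replication.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'intranet' -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'intranet' -HostNameAlias 'LON-DC1.Adatum.com'
}

# --- LON-SVR1 (secondary) ---
$result = Invoke-Command -ComputerName LON-SVR1 -ArgumentList $zone, $primaryIp -ScriptBlock {
    param($zone, $primaryIp)
    Import-Module DnsServer
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $primaryIp
    }
    Start-DnsServerZoneTransfer -Name $zone -FullTransfer
    # Poll instead of "click Transfer from Master a number of times".
    $deadline = (Get-Date).AddSeconds(90)
    do {
        $rec = Get-DnsServerResourceRecord -ZoneName $zone -Name 'intranet' -RRType CName -ErrorAction SilentlyContinue
        if ($rec) { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    if (-not $rec) { throw "intranet CNAME did not arrive on $env:COMPUTERNAME within 90 s" }
    "$($rec.HostName) -> $($rec.RecordData.HostNameAlias)"
}
$result

# Negative check, run from a host that is NOT on the Name Servers tab (for
# example a client): an AXFR must now be refused rather than list the zone.
#   nslookup
#   > server 172.16.0.10
#   > ls -d Adatum.com        (expected: "Query refused", not a record listing)
```

The negative check is the part the console walkthrough cannot show: a transfer that succeeds from LON-SVR1 proves the secondary works, but only a refused transfer from an unlisted host proves the restriction does what the Zone Transfers tab says.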

Lesson 5
Managing and Troubleshooting DNS
Contents:
Demonstration 11

Demonstration
Demonstration: Managing DNS Records
Demonstration Steps
Configure TTL
1. Switch to LON-DC1.
2. In DNS Manager, right-click Adatum.com, and then click Properties.
3. In the Adatum.com Properties dialog box, click the Start of Authority (SOA) tab.
4. In the Minimum (default) TTL box, type 2, and then click OK.
Enable and configure scavenging and aging
1. Right-click LON-DC1, and then click Set Aging/Scavenging for All Zones.
2. In the Set Aging/Scavenging Properties dialog box, select the Scavenge stale resource records
check box, and then click OK.
3. In the Server Aging/Scavenging Confirmation dialog box, select the Apply these settings to the
existing Active Directory-integrated zones check box, and then click OK.
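Scavenging deletes records, so it is worth understanding the timing before turning it on. The script below is an added example, not part of the course; it runs on LON-DC1 against the Adatum.com zone, sets the same server-wide scavenging the demonstration enables, and previews which records would be removed before anything is deleted.

```powershell
# Added example: configure aging/scavenging on LON-DC1 for Adatum.com and
# preview stale records before the scavenger runs. Intervals are the defaults
# (7 days) and are illustrative; choose them from the DHCP lease time in use.
Import-Module DnsServer
$ErrorActionPreference = 'Stop'
$zone      = 'Adatum.com'
$noRefresh = New-TimeSpan -Days 7   # owner may not refresh the timestamp
$refresh   = New-TimeSpan -Days 7   # owner must refresh within this window

# Server-wide settings: scavenging on, scavenger runs every 7 days, and the
# intervals apply to all existing Active Directory-integrated zones (the
# "Apply these settings to the existing zones" check box).
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7) `
    -RefreshInterval $refresh -NoRefreshInterval $noRefresh -ApplyOnAllZones

# Zone-level aging must be on as well, and ScavengeServers limits which DNS
# server scavenges this zone; with several DCs, let exactly one do it so a
# clock or replication fault on another server cannot delete records early.
Set-DnsServerZoneAging -Name $zone -Aging $true -RefreshInterval $refresh `
    -NoRefreshInterval $noRefresh -ScavengeServers 172.16.0.10

function Get-StaleDnsRecords {
    # A dynamic record is eligible for deletion once its timestamp is older
    # than NoRefresh + Refresh. Static records have no timestamp and are never
    # scavenged, so they are excluded by the first filter.
    param([string]$ZoneName, [timespan]$NoRefresh, [timespan]$Refresh)
    $cutoff = (Get-Date) - ($NoRefresh + $Refresh)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp,
            @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address } }
}

Get-StaleDnsRecords -ZoneName $zone -NoRefresh $noRefresh -Refresh $refresh | Format-Table -AutoSize

# Only after reviewing the list above would you force a run:
#   Start-DnsServerScavenging -Force
```

If a server or printer with a static address shows up in the preview because it registered dynamically once, convert it to a static record (clear its timestamp) before enabling scavenging rather than lengthening the intervals for the whole zone.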
Demonstration: Testing the DNS Server Configuration
Demonstration Steps
1. On LON-DC1, pause your mouse pointer in the lower-left of the display, and then click Start.
2. Type cmd, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
nslookup -d2 LON-SVR1.Adatum.com
4. Review the information provided by nslookup.
Module Review and Takeaways
Review Question(s)
Question: You are deploying DNS servers into an Active Directory domain, and your customer requires
that the infrastructure is resistant to single points of failure. What must you consider while planning the
DNS configuration?
Answer: You must deploy more than one domain controller that runs the DNS Server role, host the zones as
Active Directory-integrated zones so that every one of those servers holds a writable copy, and configure
clients with at least two of the servers as preferred and alternate DNS servers.
Question: What is the difference between recursive and iterative queries?
Answer: A client issues a recursive query to its DNS server and expects a complete answer: the server must
return either the requested record or an error (for example, that the name does not exist); it may not refer
the client elsewhere. An iterative query is what a DNS server issues while resolving on the client's behalf,
working down the DNS hierarchy. A server that receives an iterative query returns the best answer it has:
an authoritative answer, or a referral to the name servers for the next level down in the namespace.
Question: What must you configure before a DNS zone can be transferred to a secondary DNS server?
Answer: You must configure DNS zone transfers to allow the secondary zone server to transfer from the
primary zone.
Question: You are the administrator of a Windows Server 2012 DNS environment. Your company recently
acquired another company. You want to replicate their primary DNS zone. The acquired company is using
BIND 4.9.4 to host their primary DNS zones. You notice a significant amount of traffic between the
Windows Server 2012 DNS server and the BIND server. What is one possible reason for this?
Answer: BIND 4.9.4 does not support incremental zone transfer (IXFR). Each time a change occurs in the
BIND zone, the entire zone has to be transferred (AXFR) to the computer that is running Windows Server
2012 for the secondary copy to remain up to date.
Question: You must automate a DNS server configuration process so that you can automate the
deployment of Windows Server 2012. What DNS tool can you use to do this?
Answer: You can use dnscmd.exe for this purpose. Windows Server 2012 also includes the DnsServer module
for Windows PowerShell (for example, Add-DnsServerPrimaryZone and Set-DnsServerForwarder), which
can be used in the same scripts that automate the rest of the deployment.
Tools
Tool | Use for | Where to find it
Dnscmd.exe | Configure DNS server role | Command-line
Dnslint.exe | Test DNS server | Download from the Microsoft website and then use from the command-line
Nslookup.exe | Test DNS name resolution | Command-line
Ping.exe | Simple test of DNS name resolution | Command-line
Ipconfig.exe | Verify and test IP functionality and view or clear the DNS client resolver cache | Command-line

Lab Review Questions and Answers
Lab: Configuring and Troubleshooting DNS
Question: In the lab, you were required to deploy a secondary zone because you were not going to
deploy any additional domain controllers. If this condition changed, meaning LON-SVR1 was a domain
controller, how would that change your implementation plan?
Answer: You could install the AD DS and DNS Server roles on LON-SVR1 and host Adatum.com as an Active
Directory-integrated zone. The zone would then replicate to LON-SVR1 through AD DS replication, so you
would not need to configure a secondary zone or zone transfers.
Maintaining Active Directory Domain Services 3-1
Module 3
Maintaining Active Directory Domain Services
Contents:
Lesson 4: Administering AD DS ......................................................................................................... 2
Lesson 5: Managing the AD DS Database ..................................................................................... 5
Module Review and Takeaways ......................................................................................................... 7


Lesson 4
Administering AD DS
Contents:
Demonstration 3

Demonstration
Demonstration: Managing AD DS by Using Management Tools
Demonstration Steps
Active Directory Users and Computers
View Objects
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, double-click the Adatum.com domain.
3. Double-click the Computers container to see the computer objects in the container.
4. Double-click the Research OU. Note the User and Group objects within the Research OU.
Refresh the view
1. Right-click the Adatum.com domain, and then click Refresh.
2. In the toolbar, click the white and green Refresh icon.
Create objects
1. Right-click the Computers container, click New, and then click Computer.
2. In the Computer name field, type LON-CL4, and then click OK.
Configure object attributes
1. In Active Directory Users and Computers, click the Computers container.
2. Right-click LON-CL4, and then click Properties.
3. In the LON-CL4 Properties window, click the Member Of tab.
4. On the Member Of tab, click Add, type Research, and then click OK.
5. Click OK to close the LON-CL4 Properties window.
View all object attributes
1. In Active Directory Users and Computers, in the menu toolbar, click View, and then click Advanced
Features.
2. Click the Computers container, right-click LON-CL4, and then click Properties.
3. Click the Attribute Editor tab, and then scroll through the Attributes list. Click Cancel.
Active Directory Administrative Center
Navigation
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. Click Adatum (local), click Dynamic Access Control, and then click Global Search.
3. In the navigation pane, click the tab for Tree View.
4. Double-click Adatum (local) to expand the Adatum.com domain.
Perform administrative tasks
1. In Active Directory Administrative Center, click Overview.
2. In the Reset Password section, in the User name field, type Adatum\Adam.
3. In the Password and Confirm password fields, type Pa$$w0rd.
4. Clear the check box for User must change password at next log on, and then click Apply.
5. In the Global Search section, type Rex in the Search field, and then press Enter.
Use the Windows PowerShell History Viewer
1. In Active Directory Administrative Center, click the Windows PowerShell History toolbar at the
bottom of the screen.
2. View the details for the Set-ADAccountPassword cmdlet used to perform the most recent task.
3. On LON-DC1, close all open windows.
Windows PowerShell
Create a group
1. In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
2. At the PowerShell prompt, type the following, and then press Enter:
New-ADGroup -Name SalesManagers -GroupCategory Security -GroupScope Global
-DisplayName "Sales Managers" -Path "CN=Users,DC=Adatum,DC=com"
3. In Server Manager, click Tools, and then click Active Directory Administrative Center.
4. In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane,
scroll down, and double-click the Users container.
5. Confirm that the SalesManagers group is present in the Users container.
Move an object to a new OU
1. Switch to the PowerShell prompt.
2. At the PowerShell prompt, type the following command, and then press Enter:
Move-ADObject -Identity "CN=SalesManagers,CN=Users,DC=Adatum,DC=com" -TargetPath
"OU=Sales,DC=Adatum,DC=com"
3. Switch to Active Directory Administrative Center.
4. In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane,
scroll down and double-click the Sales OU.
5. Confirm that the SalesManagers group has been moved to the Sales OU.

Lesson 5
Managing the AD DS Database
Contents:
Demonstration 6

Demonstration
Demonstration: Performing AD DS Database Maintenance
Demonstration Steps
Stop AD DS
1. On LON-DC1, on the taskbar, click the Server Manager shortcut.
2. In Server Manager, click Tools, and then click Services.
3. In the Services window, right-click Active Directory Domain Services, and then click Stop.
4. In the Stop Other Services dialog box, click Yes.
Perform an offline defragmentation of the AD DS database
1. On LON-DC1, on the taskbar, click the Windows PowerShell shortcut.
2. In the command window, type ntdsutil, and then press Enter.
3. At the ntdsutil.exe: prompt, type the following command, and then press Enter:
activate instance NTDS
4. At the ntdsutil.exe: prompt, type the following command, and then press Enter:
files
5. At the file maintenance: prompt, type the following command, and then press Enter:
compact to C:\
Ntdsutil writes the defragmented copy to C:\ntds.dit and leaves the live database untouched. It then
prints the steps needed to finish the operation: back up the current database, copy the compacted file
over %SystemRoot%\NTDS\ntds.dit, and delete the old *.log files in %SystemRoot%\NTDS before AD DS is
started again. This demonstration stops before that swap, so it does not change the working database.
Check the integrity of the offline database
1. At the file maintenance: prompt, type the following command, and then press Enter:
integrity
2. At the file maintenance: prompt, type the following command, and then press Enter:
quit
3. At the ntdsutil.exe: prompt, type the following command, and then press Enter:
quit
4. Close the command prompt window.
Start AD DS
1. On the taskbar, click the Server Manager shortcut.
2. In Server Manager, click Tools, and then click Services.
3. In the Services window, right-click Active Directory Domain Services, and then click Start.
4. Confirm that the Status column for Active Directory Domain Services is listed as Running.
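The same maintenance can be run non-interactively and, unlike the demonstration, carried through to completion: compacted file swapped in, old logs removed, integrity verified against the database that will actually be loaded, and the original restored if anything fails. The script below is an added example and not part of the course; it runs on LON-DC1 as a Domain Admin, assumes the default %SystemRoot%\NTDS database location, and uses C:\NTDSCompact and C:\NTDSBackup as working folders chosen for this example.

```powershell
# Added example: offline defragmentation of the AD DS database with ntdsutil,
# batched from PowerShell. Assumes the default %SystemRoot%\NTDS location;
# C:\NTDSCompact and C:\NTDSBackup are arbitrary working folders.
$ErrorActionPreference = 'Stop'
$ntdsDir   = Join-Path $env:SystemRoot 'NTDS'
$workDir   = 'C:\NTDSCompact'
$backupDir = 'C:\NTDSBackup'
New-Item -ItemType Directory -Path $workDir, $backupDir -Force | Out-Null

function Invoke-Ntdsutil {
    # Each argument is one line typed at the ntdsutil prompts; the trailing
    # "quit" commands back out of "file maintenance:" and "ntdsutil:".
    param([Parameter(Mandatory)][string[]]$Commands)
    $output = & ntdsutil.exe @Commands 2>&1
    $output | Out-Host
    return $output
}

# 1. Stop AD DS; -Force also stops the dependent services the "Stop Other
#    Services" dialog lists (KDC, DNS, DFS Replication, ...).
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object Status -eq 'Running'
Stop-Service -Name NTDS -Force

$succeeded = $false
try {
    # 2. Keep a copy of the live database and its logs so the change can be undone.
    Copy-Item -Path (Join-Path $ntdsDir '*') -Destination $backupDir -Recurse -Force

    # 3. Compact to the working folder ($workDir\ntds.dit). Disk space needed is
    #    roughly the current database size; check that before running this.
    Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $workDir", 'quit', 'quit' | Out-Null
    $compacted = Join-Path $workDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw "ntdsutil did not produce $compacted" }

    # 4. Swap the compacted copy in and remove the old transaction logs, which
    #    belong to the pre-compaction database (ntdsutil prints this instruction).
    Copy-Item -Path $compacted -Destination (Join-Path $ntdsDir 'ntds.dit') -Force
    Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force

    # 5. Integrity check now runs against the file that will be loaded next start.
    $result = Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
    if (-not ($result -match 'Integrity check successful')) {
        throw 'Integrity check did not report success'
    }
    $succeeded = $true
}
catch {
    # Anything failed: put the original database and logs back before restarting.
    Write-Warning "Compaction failed ($_); restoring the pre-compaction database from $backupDir"
    Copy-Item -Path (Join-Path $backupDir '*') -Destination $ntdsDir -Recurse -Force
}
finally {
    # 6. Start AD DS and whatever -Force stopped with it.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name -ErrorAction Continue }
    Get-Service -Name NTDS | Select-Object Name, Status
}
if (-not $succeeded) { throw 'Offline defragmentation was rolled back; see warnings above' }
```

The integrity check is tested against the string ntdsutil prints rather than its exit code, because a failed check is the one result you must not let slip past: a domain controller started on a database that did not pass should be treated as failed and restored, which is what the catch block does with the copy taken in step 2.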

Module Review and Takeaways
Best Practices
Best Practices for Administering AD DS
Do not virtualize all domain controllers on the same hypervisor host or server.
Virtual machine snapshots provide a convenient reference point or quick recovery method, but you
should not use them as a replacement for regular backups. Reverting a domain controller to an older
snapshot does not recover deleted objects; it rolls the directory back behind its replication partners,
which can cause USN rollback and stop the domain controller from replicating. Windows Server 2012
detects this through the VM-GenerationID on hypervisors that support it, but a supported backup and
authoritative restore remains the correct way to recover.
Use RODCs when physical security makes a writable domain controller unfeasible.
Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool
for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center
for performing large-scale tasks or those tasks that involve multiple objects. You also can use the
Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated
administrative tasks.
Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be
invaluable in saving time when recovering accidentally deleted objects in AD DS.
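The Recycle Bin recommendation above has a precondition (forest functional level) and a consequence (it cannot be turned off again), both of which are worth checking in code before enabling it. The following is an added example, not part of the course; it runs on LON-DC1 in the Adatum.com forest, and the user account it creates and deletes exists only to exercise the restore.

```powershell
# Added example: check the forest functional level, enable the Active Directory
# Recycle Bin, and prove a deleted object can be restored with its attributes.
# Runs on LON-DC1 in the Adatum.com forest; "rbtest" is a throwaway account.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'
$forest = Get-ADForest

# Windows Server 2008 R2 forest functional level (enum value 4) or later is required.
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest or later first"
}

function Enable-AdRecycleBin {
    # Enabling is a one-way, forest-wide change, hence the explicit scope check
    # before calling Enable-ADOptionalFeature.
    param([string]$ForestRootDomain)
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) { return $false }   # already enabled
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestRootDomain -Confirm:$false
    return $true
}

if (Enable-AdRecycleBin -ForestRootDomain $forest.RootDomain) {
    Write-Host "Recycle Bin enabled for $($forest.RootDomain)"
}

# How long a deleted object keeps its attributes (msDS-DeletedObjectLifetime;
# defaults to the tombstone lifetime when unset, 180 days on new forests).
$dsConfig = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$dsConfig | Select-Object 'msDS-DeletedObjectLifetime', tombstoneLifetime

# Demonstrate: create, delete, and restore by object GUID (the DN changes on
# deletion, the GUID does not).
$ou = 'OU=IT,DC=Adatum,DC=com'
$user = New-ADUser -Name 'Recycle Test' -SamAccountName 'rbtest' -Path $ou -PassThru
Remove-ADUser -Identity $user -Confirm:$false

$deleted = Get-ADObject -Identity $user.ObjectGUID -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
"Deleted: $($deleted.isDeleted), last parent: $($deleted.lastKnownParent)"

Restore-ADObject -Identity $user.ObjectGUID
Get-ADUser -Identity 'rbtest' | Select-Object Name, DistinguishedName, Enabled
```

Restore-ADObject puts the object back under its lastKnownParent, so the restore fails if that OU was deleted as well; in that case restore the OU first, then the objects it contained.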
Review Question(s)
Question: Which AD DS objects should have their credentials cached on an RODC located in a remote
location?
Answer: Typically, you would cache credentials for user, service, and computer accounts located remotely,
and which require authentication to AD DS.
Question: What benefits does Active Directory Administrative Center provide over Active Directory Users
and Computers?
Answer: Active Directory Administrative Center is built on Windows PowerShell, so you can perform tasks
on a larger scale with more flexibility. You also can use the Active Directory Administrative Center to
administer components like Active Directory Recycle Bin and fine-grained password policies, unlike Active
Directory Users and Computers.
Tools
Tool | Used for | Where to find it
Hyper-V Manager | Managing virtualized hosts on Windows Server 2012 | Server Manager - Tools
Active Directory module for Windows PowerShell | Managing AD DS through scripts and from the command line | Server Manager - Tools
Active Directory Users and Computers | Managing objects in AD DS | Server Manager - Tools
Active Directory Administrative Center | Managing objects in AD DS, enabling and managing the Active Directory Recycle Bin | Server Manager - Tools
Ntdsutil.exe | Managing AD DS snapshots and performing offline database maintenance | Command prompt
Dsamain.exe | Mounting AD DS snapshots for browsing | Command prompt

Managing User and Service Accounts 4-1
Module 4
Managing User and Service Accounts
Contents:
Lesson 1: Automating User Account Management 2
Lesson 2: Configuring Password-Policy and User-Account Lockout Settings 6
Lesson 3: Configuring Managed Service Accounts 8
Module Review and Takeaways 10

Lesson 1
Automating User Account Management
Contents:
Question and Answers 3
Demonstration 3

Question and Answers
Importing User Accounts with LDIFDE
Question: What advantages does LDIFDE have over the Comma-Separated Values Data Exchange tool
when managing user accounts in an AD DS environment?
Answer: LDIFDE is capable of modifying data as well as performing the import and export of data.
Demonstration
Demonstration: Exporting Users Accounts with Comma-Separated Values
Data Exchange Tool
Demonstration Steps
1. On LON-DC1, go to the Start screen.
2. From the Start screen, type cmd, and then press Enter.
3. In the command prompt window, type the following command, and then press Enter:
csvde -f E:\Labfiles\Mod04\UsersNamedRex.csv -r "(name=Rex*)" -l
DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
4. Open E:\LABFILES\Mod04\UsersNamedRex.csv in Notepad.
5. Examine the file, and then close Notepad.
6. Close all open windows on LON-DC1.
Demonstration: Importing User Accounts with the Comma-Separated
Values Data Exchange Tool
Demonstration Steps
1. On LON-DC1, on the taskbar, click Windows Explorer.
2. In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand
Labfiles, and then click Mod04.
3. In Windows Explorer, right-click NewUsers.csv, and then click Open With.
4. In the Open With window, click Notepad.
5. In Notepad, view the contents of NewUsers.csv. Note the user names and the location specified for
the users, which is the IT organizational unit (OU).
6. Close Notepad.
7. On LON-DC1, go to the Start screen.
8. From the Start screen, type cmd, and then press Enter.
9. In the Command Prompt window, type the following command, and then press Enter:
csvde -i -f E:\Labfiles\Mod04\NewUsers.csv -k
10. On the taskbar, click Server Manager.
11. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
12. In Active Directory Users and Computers window, expand Adatum.com, and then click IT OU.
13. Ensure that Albert Carter and Steven Meadows have been imported into the IT OU.
14. Right-click Albert Carter, and then click Reset Password.
15. In the Reset Password window, type Pa$$w0rd in the New password and Confirm password fields,
and then click OK. Click OK in the confirmation window.
16. In Active Directory Users and Computers, right-click Albert Carter, and then click Enable
Account.
17. Click OK in the confirmation window.
18. Repeat steps 14 through 17 for Steven Meadows.
19. Close all open windows on LON-DC1.
Demonstration: Importing User Accounts with LDIFDE
Demonstration Steps
1. On LON-DC1, on the taskbar, click Windows Explorer.
2. In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand
Labfiles, and then click Mod04.
3. In Windows Explorer, right-click NewUsers.ldf, and then click Open With.
4. Click the Try an app on this PC link.
5. In the Open With window, click Notepad.
6. In Notepad, view the contents of NewUsers.ldf. Note the user names and the location specified for
the users (the IT OU).
7. Close Notepad.
8. On LON-DC1, go to the Start screen.
9. From the Start screen, type cmd, and then press Enter.
10. In the command prompt window, type the following command, and then press Enter:
ldifde -i -f E:\Labfiles\Mod04\NewUsers.ldf -k
11. On the taskbar, click Server Manager.
12. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
13. In the Active Directory Users and Computers window, expand Adatum.com, and then click IT OU.
14. Ensure that Darryl Hamilton and Amandeep Patel have been imported into the IT OU.
15. Right-click Darryl Hamilton, and then click Reset Password.
16. In the Reset Password window, type Pa$$w0rd in the New password and Confirm password fields,
and then click OK. Click OK in the confirmation window.
17. In Active Directory Users and Computers, right-click Darryl Hamilton, and then click Enable
Account.
18. Click OK in the confirmation window.
19. Repeat steps 15 through 18 for Amandeep Patel.
20. Close all open windows on LON-DC1.
Demonstration: Importing User Accounts with Windows PowerShell
Demonstration Steps
1. On LON-DC1, on the taskbar, click Server Manager.
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, right-click Adatum.com, click New, and then click
Organizational Unit.
4. In the Name field, type Import Users. Click OK.
5. Close Active Directory Users and Computers.
6. On the taskbar, click Windows Explorer.
7. In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand
Labfiles, and then click Mod04.
8. In Windows Explorer, right-click ImportUsers.ps1, and then click Open With.
9. In the Open With window, click Notepad.
10. In Notepad, view the contents of ImportUsers.ps1.
11. Next to $impfile, change the path and file name of the .csv file to E:\Labfiles\Mod04\ImportUsers.csv,
and then save the file.
12. Close Notepad.
13. In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
14. In the Active Directory module for Windows PowerShell window, type the following commands, and
then press Enter after each command. When prompted to change the execution policy, press Enter to
accept the default option of Y:
Set-ExecutionPolicy remotesigned
E:\Labfiles\Mod04\importusers.ps1
15. At the password prompt, type Pa$$w0rd, and then press Enter.
16. Close the Active Directory module for Windows PowerShell window.
17. In Server Manager, click Tools, and then click Active Directory Users and Computers.
18. In the Active Directory Users and Computers window, expand Adatum.com, and then click the
ImportUsers OU.
19. Ensure that Todd Rowe and Seth Grossman have been imported into the ImportUsers OU.
20. Close all open windows on LON-DC1.
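The demonstration runs the prepared ImportUsers.ps1 without showing what is inside it. The script below is an added example of how such a CSV import is typically written; it is not the course file. It assumes the Active Directory module, a constructed CSV layout with the columns FirstName, LastName, SamAccountName and Department, and the "Import Users" OU created in step 4 (the OU distinguished name, the UPN suffix and the function name are assumptions). Like the lab script, it prompts for the initial password instead of storing it in the CSV, and it additionally forces a password change at first logon because every imported account starts with the same password.

```powershell
# Added example: a CSV-driven user import of the kind ImportUsers.ps1 performs.
# This is not the course file. Assumptions: the Active Directory module is
# loaded, the CSV has the columns FirstName,LastName,SamAccountName,Department
# (constructed layout), and the target OU is the "Import Users" OU from step 4.
Import-Module ActiveDirectory

$impfile   = 'E:\Labfiles\Mod04\ImportUsers.csv'
$targetOU  = 'OU=Import Users,DC=Adatum,DC=com'   # assumed DN of the lab OU
$upnSuffix = 'Adatum.com'

# Ask for the initial password once, as the lab's script does, instead of
# keeping a clear-text password in the CSV or in the script. It stays a
# SecureString in memory and is never written to disk.
$initialPassword = Read-Host -Prompt 'Initial password for imported users' -AsSecureString

function Import-AdatumUsers {
    param([string]$CsvPath, [string]$OuPath, [System.Security.SecureString]$Password)

    foreach ($row in Import-Csv -Path $CsvPath) {
        # Skip rows that collide with an existing account rather than letting
        # New-ADUser abort half-way through the file.
        if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
            Write-Warning "Skipping $($row.SamAccountName): account already exists"
            continue
        }
        $params = @{
            Name                  = "$($row.FirstName) $($row.LastName)"
            GivenName             = $row.FirstName
            Surname               = $row.LastName
            SamAccountName        = $row.SamAccountName
            UserPrincipalName     = "$($row.SamAccountName)@$upnSuffix"
            Department            = $row.Department
            Path                  = $OuPath
            AccountPassword       = $Password
            ChangePasswordAtLogon = $true   # all imported accounts share the initial password, so force rotation at first logon
            Enabled               = $true
        }
        New-ADUser @params
        Write-Output "Created $($row.SamAccountName) in $OuPath"
    }
}

Import-AdatumUsers -CsvPath $impfile -OuPath $targetOU -Password $initialPassword

# Verify, as step 19 does in the GUI: list the accounts that now live in the OU.
Get-ADUser -Filter * -SearchBase $targetOU |
    Select-Object Name, SamAccountName, Enabled
```

Run it the same way as in step 14. For a one-off import, `Set-ExecutionPolicy RemoteSigned -Scope Process` limits the relaxed execution policy to the current session instead of changing the machine-wide setting that the demonstration changes.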

4-6 Administering Windows Server 2012
Lesson 2
Configuring Password-Policy and User-Account
Lockout Settings
Contents:
Question and Answers 7

Question and Answers
Configuring User Account Policies
Question: Why would you use secpol.msc to configure local account policy settings for a Windows Server
2012 computer instead of using domain-based Group Policy account-policy settings?
Answer: Local security policy settings provide enhanced account security if a Windows Server 2012
computer is not joined to a domain, and therefore unable to apply Group Policy-based domain account-
policy settings. This may be a permanent solution, or you can use it to protect a computer between the
time when Windows Server 2012 is installed, and when it joins the domain and has the domain-based
account policy settings applied.

Lesson 3
Configuring Managed Service Accounts
Contents:
Demonstration 9

Demonstration
Demonstration: Configuring Managed Service Accounts by Using Windows
PowerShell
Demonstration Steps
Create the Key Distribution Services (KDS) root key for the domain
1. On LON-DC1, from Server Manager, open the Active Directory Module for Windows PowerShell
console.
2. At the prompt, type the following command, and then press Enter:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Create and associate a managed service account
1. At the prompt, type the following command, and then press Enter:
New-ADServiceAccount -Name SampleApp_SVR1 -DNSHostName LON-DC1.Adatum.com -PrincipalsAllowedToRetrieveManagedPassword LON-SVR1$
2. At the prompt, type the following command, and then press Enter:
Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount SampleApp_SVR1
3. At the prompt, type the following command, and then press Enter:
Get-ADServiceAccount -Filter *
4. Verify that the SampleApp_SVR1 service account is listed.
Install a managed service account
1. On LON-SVR1, from Server Manager, open the Active Directory Module for Windows PowerShell
console.
2. At the prompt, type the following command, and then press Enter:
Install-ADServiceAccount -Identity SampleApp_SVR1
3. Click the Server Manager shortcut on the Windows Taskbar.
4. In Server Manager, on the Menu toolbar, click Tools, and then click Services.
5. In the Services console, right-click Application Identity, and then click Properties.
Note: The Application Identity service is used as an example. In a production environment,
you would use the actual service that should be assigned the managed service account.
6. In the Application Identity Properties dialog box, click the Log On tab.
7. On the Log On tab, click This account, and then type Adatum\SampleApp_SVR1$.
8. Clear the password for both the Password and Confirm password boxes, and then click OK.
9. Click OK at all prompts.
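The steps above, and the "key-related messages" troubleshooting tip at the end of this module, are put together below as one script that is an added example rather than course material. It assumes the Active Directory module on LON-DC1, the account and host names from the demonstration, and that the KDS cmdlets are available (Windows Server 2012 domain controller). It checks for the KDS root key before creating it, keeps the backdated EffectiveTime the lab uses but marks it as a lab shortcut, and ends by showing which principals may retrieve the managed password, which is the property that decides which hosts can use the account.

```powershell
# Added example: create and validate a group managed service account end to
# end. Assumes the Active Directory module on LON-DC1 and the member server
# LON-SVR1 from the demonstration.
Import-Module ActiveDirectory

$accountName = 'SampleApp_SVR1'
$hostServer  = 'LON-SVR1'

# 1. A KDS root key must exist before any managed service account can be
#    created. The lab backdates it 10 hours so it is usable at once; in
#    production, create it with no EffectiveTime and wait the 10 hours so
#    every domain controller has replicated the key before it is used.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab shortcut only
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# 2. Create the account. Only the principals listed here can retrieve the
#    password from AD, so keep the list to the computer accounts that will
#    actually run the service.
$newParams = @{
    Name                                       = $accountName
    DNSHostName                                = 'LON-DC1.Adatum.com'   # value used in the demonstration
    PrincipalsAllowedToRetrieveManagedPassword = "$hostServer`$"        # LON-SVR1$
}
New-ADServiceAccount @newParams

# 3. Associate the account with the computer object, as the demonstration does.
Add-ADComputerServiceAccount -Identity $hostServer -ServiceAccount $accountName

# 4. Show what was created, including who may retrieve the password.
Get-ADServiceAccount -Identity $accountName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# On LON-SVR1, after replication (run separately there):
#   Install-ADServiceAccount -Identity SampleApp_SVR1
#   Test-ADServiceAccount -Identity SampleApp_SVR1   # True when this host can retrieve the password
```

`Test-ADServiceAccount` on the member server is the quickest confirmation that the retrieval permission is right; a `False` there, with the account visible in `Get-ADServiceAccount`, points at the PrincipalsAllowedToRetrieveManagedPassword list rather than at the KDS key.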
Module Review and Takeaways
Review Question(s)
Question: In what scenario could a user have multiple Password Settings Objects applied to their account
without actually having a Password Settings Objects linked to their user account?
Answer: Password Settings Objects can be linked to groups. If a user is a member of one or more groups
to which Password Settings Objects are linked, any Password Settings Objects applied to those groups will
be linked to the user account. However, only the Password Settings Object with the lowest precedence
value will apply its settings to the user's account.
Question: What benefit do Managed Service Accounts provide compared to standard user accounts used
for services?
Answer: Managed Service Accounts provide managed password changes that do not require
administrator intervention.
Tools
Tool: Comma-Separated Values Data Exchange tool
  What it is used for: Importing and exporting users by using .csv files
  Where to find it: Command prompt: csvde.exe
Tool: LDIFDE
  What it is used for: Importing, exporting, and modifying users by using .ldf files
  Where to find it: Command prompt: ldifde.exe
Tool: Local Security Policy
  What it is used for: Configuring local account-policy settings
  Where to find it: Secpol.msc
Tool: Group Policy Management console
  What it is used for: Configuring domain Group Policy account-policy settings
  Where to find it: Server Manager - Tools
Tool: Active Directory Administrative Center
  What it is used for: Creating and managing Password Settings Objects
  Where to find it: Server Manager - Tools
Tool: Active Directory module for Windows PowerShell
  What it is used for: Creating and managing Managed Service Accounts
  Where to find it: Server Manager - Tools
Common Issues and Troubleshooting Tips
Common Issue: User accounts contained in a .csv file fail to import when using the Comma-Separated
Values Data Exchange tool.
  Troubleshooting Tip: Ensure the structure of the .csv file matches the syntax of your Comma-Separated
  Values Data Exchange tool command, especially if the .csv file is exported from a non-AD DS source.
Common Issue: User password settings are not applying as expected.
  Troubleshooting Tip: Check for the application of Password Settings Objects. In the case of multiple
  Password Settings Objects, ensure that precedence is configured properly and that Password Settings
  Objects have been applied to the appropriate users and groups.
Common Issue: The New-ADServiceAccount cmdlet fails with key-related messages.
  Troubleshooting Tip: Ensure that the KDS root key has been created by using the Add-KDSRootKey
  cmdlet, and the EffectiveTime parameter for the key is at least 10 hours earlier than the current time.
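The Lesson 2 question on secpol.msc versus domain policy, the review question on PSO precedence, and the "password settings are not applying" tip above all come down to one check: which policy is actually in effect for a given machine or user. The script below is an added example (not course material) that answers that in three layers. It assumes an elevated session on a Windows Server 2012 machine with the Active Directory module; the sAMAccountName used at the end and the helper function names are assumptions.

```powershell
# Added example: which password policy applies here? Local (secpol.msc),
# domain default, fine-grained PSOs by precedence, and the resultant policy
# for one user. Assumes an elevated session and the Active Directory module.
Import-Module ActiveDirectory

function Get-LocalAccountPolicy {
    # secpol.msc stores the local account policy in the [System Access]
    # section that secedit can export; pick out the values that matter.
    $cfg = Join-Path $env:TEMP 'local-secpol.inf'
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    Get-Content -Path $cfg | ForEach-Object {
        if ($_ -match '^(MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|MaximumPasswordAge|LockoutBadCount)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $cfg -Force
    return $policy
}

# 1. Local policy: all that protects a server until it joins the domain and
#    receives the domain-based account policy.
Write-Output 'Local account policy (secpol.msc):'
(Get-LocalAccountPolicy).GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# 2. Domain default, applied by Group Policy once the computer is joined.
Write-Output 'Domain default password policy:'
Get-ADDefaultDomainPasswordPolicy |
    Format-Table MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold -AutoSize

# 3. Fine-grained policies. When several PSOs reach a user (directly or via
#    groups), the one with the LOWEST precedence number wins, which is the
#    order shown here.
Write-Output 'Password Settings Objects by precedence (lowest wins):'
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo -AutoSize

# 4. Resultant policy for one user; AD resolves group membership and
#    precedence for us, so this is the value to trust when troubleshooting.
function Get-EffectivePasswordPolicyName {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return "$SamAccountName : PSO '$($pso.Name)' (precedence $($pso.Precedence))" }
    return "$SamAccountName : domain default policy (no PSO applies)"
}
Get-EffectivePasswordPolicyName -SamAccountName 'Ed'   # assumed sAMAccountName
```

When a user reports that password settings are not applying as expected, compare the output of step 4 with what you expected from the PSO list in step 3; a PSO that is linked to a group the user is not a member of, or one outranked by a lower precedence number, shows up immediately.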


Implementing a Group Policy Infrastructure 5-1
Module 5
Implementing a Group Policy Infrastructure
Contents:
Lesson 1: Introducing Group Policy 2
Lesson 3: Group Policy Scope and Group Policy Processing 4
Lesson 4: Troubleshooting the Application of GPOs 8
Module Review and Takeaways 11
Lab Review Questions and Answers 13

Lesson 1
Introducing Group Policy
Contents:
Demonstration 3

Demonstration
Demonstration: How to Create a GPO and Configure GPO Settings
Demonstration Steps
Use the Group Policy Management Console (GPMC) to create a new GPO
1. Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. If necessary, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
4. Select and then right-click the Group Policy Objects folder, and then click New.
5. In the New GPO dialog box, in the Name field, type Desktop, and then click OK.
Configure Group Policy settings
1. In Group Policy Management, expand the Group Policy Objects folder, right-click the Desktop
policy, and then click Edit.
2. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Local Policies, and then click Security
Options.
3. In the details pane, double-click Interactive logon: Do not display last user name.
4. In the Interactive logon: Do not display last user name Properties dialog box, select the Define
this policy setting check box, click Enabled, and then click OK.
5. Under the Security Settings node, click System Services.
6. In the details pane, double-click Windows Installer.
7. In the Windows Installer Properties dialog box, select Define this policy setting check box, and
then click OK.
8. Under User Configuration, expand Policies, expand Administrative Templates, and then click
Start Menu and Taskbar.
9. In the details pane, double-click Remove Search link from Start Menu.
10. In the Remove Search link from Start Menu dialog box, click Enabled, and then click OK.
11. Under the Administrative Templates folder, expand Control Panel, and then click Display.
12. In the details pane, double-click Hide Settings tab.
13. In the Hide Settings tab dialog box, click Enabled, and then click OK.
14. Close all open windows on LON-DC1.

Lesson 3
Group Policy Scope and Group Policy Processing
Contents:
Demonstration 5

Demonstration
Demonstration: How to Link GPOs
Demonstration Steps
Create and edit two GPOs
1. On LON-DC1, if necessary, open Server Manager.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management window, expand Forest: Adatum.com, Domains, and
Adatum.com, right-click the Group Policy Objects container, and then click New.
4. In the New GPO window, type Remove Run Command in the Name field, and then click OK.
5. In the Group Policy Management window, right-click the Group Policy Objects container, and then
click New.
6. In the New GPO window, type Do Not Remove Run Command in the Name field, and then click
OK.
7. Expand Group Policy Objects and right-click the Remove Run Command GPO, and then click Edit.
8. In Group Policy Management Editor under User Configuration, expand Policies, expand
Administrative Templates, click Start Menu and Taskbar, and then double-click Remove Run
menu from Start Menu.
9. In the Remove Run menu from Start Menu window, click Enabled, and then click OK.
10. Close the Group Policy Management Editor.
11. Right-click the Do Not Remove Run Command GPO, and then click Edit.
12. In Group Policy Management Editor under User Configuration, expand Policies, expand
Administrative Templates, click Start Menu and Taskbar, and then double-click Remove Run
menu from Start Menu.
13. In the Remove Run menu from Start Menu window, click Disabled, and then click OK. Close the
Group Policy Management Editor.
Link the GPOs to different locations
1. In the Group Policy Management window, right-click the Adatum.com domain node in the left pane,
and then click Link an Existing GPO.
2. In the Select GPO window, click Remove Run Command, and then click OK. The Remove Run
Command GPO is now attached to the Adatum.com domain.
3. Click and drag the Do Not Remove Run Command GPO on top of the IT OU.
4. In the Group Policy Management window, click OK to link the GPO.
5. Click the IT OU in the left pane, and then click the Group Policy Inheritance tab in the right pane.
The Group Policy Inheritance tab shows the order of precedence for the GPOs.
Disable a GPO link
1. In the left pane, right-click the Remove Run Command link that is listed under Adatum.com, and
then click Link Enabled to clear the check mark. Refresh the Group Policy Inheritance pane for the IT
OU and then notice the results in the right pane. The Remove Run Command GPO no longer is listed.
Delete a GPO link
1. In the left pane, expand the IT OU, right-click the Do Not Remove Run Command link, and then
click Delete. Click OK in the popup window.
2. Click the IT OU in the left pane, and then click the Group Policy Inheritance tab in the right pane.
Verify the removal of the Do Not Remove Run Command and the absence of the Remove Run
Command GPOs.
3. In the left pane, right-click the Remove Run Command GPO that is listed under Adatum.com, and
then click Link Enabled to re-enable the link. Refresh the Group Policy Inheritance window for the IT
OU, and then notice the results in the right pane.
4. Close the Group Policy Management console.
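The "How to Create a GPO and Configure GPO Settings" and "How to Link GPOs" demonstrations can be reproduced from the GroupPolicy module, which is how a practitioner would script or audit them. The script below is an added example, not course material. It assumes the GroupPolicy module on LON-DC1, the GPO names, domain and IT OU from the demonstration, and the standard registry location behind the "Remove Run menu from Start Menu" Administrative Template setting (NoRun under the Explorer policies key). Settings under Security Options, such as "Interactive logon: Do not display last user name", are stored in the security template rather than in registry policy, so they are left to the editor here.

```powershell
# Added example: create, configure, link, disable and unlink the two GPOs from
# the demonstration with the GroupPolicy module. Assumes Windows Server 2012
# with the GroupPolicy module on LON-DC1.
Import-Module GroupPolicy

$domainDN = 'DC=Adatum,DC=com'
$itOU     = 'OU=IT,DC=Adatum,DC=com'

# User Configuration > Administrative Templates > Start Menu and Taskbar >
# "Remove Run menu from Start Menu" writes the NoRun value under this key.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create the two GPOs: one that hides Run, one that turns the restriction back off.
$remove = New-GPO -Name 'Remove Run Command'        -Comment 'Added example: hides Run on the Start menu'
$keep   = New-GPO -Name 'Do Not Remove Run Command' -Comment 'Added example: re-enables Run for the IT OU'

Set-GPRegistryValue -Name $remove.DisplayName -Key $explorerKey -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null
# NoRun = 0 turns the restriction off, so the OU-linked GPO overrides the domain-linked one.
Set-GPRegistryValue -Name $keep.DisplayName   -Key $explorerKey -ValueName 'NoRun' -Type DWord -Value 0 | Out-Null

# Link the domain-wide GPO at the domain and the override at the IT OU.
New-GPLink -Name $remove.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null
New-GPLink -Name $keep.DisplayName   -Target $itOU     -LinkEnabled Yes | Out-Null

# What the Group Policy Inheritance tab shows for IT. Order 1 has the highest
# precedence: the OU link is applied after the domain link and therefore wins.
function Get-InheritanceSummary {
    param([string]$Target)
    (Get-GPInheritance -Target $Target).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}
Get-InheritanceSummary -Target $itOU

# Disable the domain-level link (clearing "Link Enabled" in the GUI). The GPO
# drops out of the inheritance list for IT, as the demonstration observes.
Set-GPLink -Name $remove.DisplayName -Target $domainDN -LinkEnabled No | Out-Null
Get-InheritanceSummary -Target $itOU

# Delete the OU link. The GPO object itself stays under Group Policy Objects;
# only the link goes. Then re-enable the domain link.
Remove-GPLink -Name $keep.DisplayName -Target $itOU | Out-Null
Set-GPLink -Name $remove.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null
Get-InheritanceSummary -Target $itOU
```

`Get-GPInheritance` is the scripted equivalent of the Group Policy Inheritance tab and is the quickest way to answer "which GPO wins at this OU" during a change review, since it already accounts for link order, disabled links and enforcement.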
Demonstration: How to Filter Policies
Demonstration Steps
Create a new GPO, and link it to the IT organizational unit
1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click the IT organizational unit.
3. Right-click IT, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, type Remove Help menu in the Name field, and then click OK.
5. In the Group Policy Management window, expand Group Policy Objects, right-click the Remove
Help menu GPO, and then click Edit.
6. In the Group Policy Management Editor under User Configuration, expand Policies, expand
Administrative Templates, click Start Menu and Taskbar, and then double-click Remove Help
menu from Start Menu.
7. In the Remove Help menu from Start menu window, click Enabled, and then click OK.
8. Close the Group Policy Management Editor window.
Filter Group Policy application by using security group filtering
1. Expand IT, and then click the Remove Help menu GPO link.
2. In the Group Policy Management Console message box, click OK.
3. In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.
4. In the confirmation dialog box, click OK.
5. In the details pane, under Security Filtering, click Add.
6. In the Select User, Computer, or Group dialog box, type Ed Meadows, and then click OK.
Filter the Group Policy application by using WMI filtering
1. In the Group Policy Management window, right-click WMI Filters, and then click New.
2. In the New WMI Filter dialog box, in the Name field, type XP Filter.
3. In the Queries pane, click Add.
4. In the WMI Query dialog box, in the Query field, type the following:
Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
5. Click OK.
6. In the New WMI Filter dialog box, click Save.
7. Right-click the Group Policy Objects folder, and then click New.
8. In the New GPO window, type Software Updates for XP in the Name field, and then click OK.
9. Expand the Group Policy Objects folder, and then click the Software Updates for XP GPO.
10. In the right-hand pane, under WMI Filtering, in the This GPO is linked to the following WMI Filter
list, select XP Filter.
11. In the confirmation dialog, click Yes.
12. Close the Group Policy Management console.
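The security-group filtering part of this demonstration can be scripted with `Set-GPPermission`, and the WMI filter query can be evaluated on a host before it is trusted to scope a GPO. The script below is an added example, not course material; it assumes the GroupPolicy module on LON-DC1 and the GPO name from the steps, and the sAMAccountName for Ed Meadows is an assumption. GPMC has no cmdlet for creating WMI filters, so the filter object itself is still created in the console as shown above.

```powershell
# Added example: security-group filtering from the GroupPolicy module and a
# local evaluation of the demonstration's WMI filter query.
Import-Module GroupPolicy

$gpoName = 'Remove Help menu'
$userSam = 'Ed'   # assumed sAMAccountName of Ed Meadows

# Security filtering: drop the default "Authenticated Users: Apply" entry and
# grant Apply to a single user, which is what steps 3 to 6 do in the GUI.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $gpoName -TargetName $userSam              -TargetType User  -PermissionLevel GpoApply | Out-Null

# Keep Read for Authenticated Users. Since the June 2016 security update
# MS16-072, user policy is retrieved in the computer's security context, so
# a GPO that the computer account cannot read silently stops applying to users.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null

Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission

# WMI filtering: Group Policy applies a filtered GPO only when the query
# returns at least one instance on the client. Evaluating it locally shows
# what the client-side check will see on this host.
function Test-WmiFilterQuery {
    param([string]$Query)
    $hits = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

$xpQuery = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'
$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if (Test-WmiFilterQuery -Query $xpQuery) {
    Write-Output "Filter matches: this host reports '$caption'"
} else {
    Write-Output "Filter does not match: this host reports '$caption'"
}
```

Matching on the full Caption string is brittle (edition names and trailing spaces vary between builds); a filter on the version, such as `Select * from Win32_OperatingSystem where Version like "5.1%"` for Windows XP, is the more robust form, and `Test-WmiFilterQuery` lets you confirm either on a representative client before linking it.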

Lesson 4
Troubleshooting the Application of GPOs
Contents:
Demonstration 9

Demonstration
Demonstration: How to Perform What-If Analysis with the Group Policy
Modeling Wizard
Demonstration Steps
Use GPResult.exe to create a report
1. On LON-DC1, open the Start screen.
2. Right-click the Start screen, and then click All apps.
3. In the Apps list, click Command Prompt.
4. In the Administrator: Command Prompt window, type cd desktop, and then press Enter.
5. In the Administrator: Command Prompt window, type the following, and press Enter:
GPResult /r
6. Review the output in the command window.
7. In the Administrator: Command Prompt window, type the following, and then press Enter:
GPResult /h results.html
8. Close the command prompt window, and then double-click the results.html file on the desktop.
9. In the Internet Explorer window, view the results of the report.
10. Close Internet Explorer.
Use the Group Policy Reporting Wizard to create a report
1. Open Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management window, right-click Group Policy Results, and then click Group
Policy Results Wizard.
3. In the Group Policy Results Wizard, click Next.
4. On the Computer Selection page, click Next.
5. On the User Selection page, click Next.
6. On the Summary of Selections page, click Next.
7. On the Completing the Group Policy Results Wizard page, click Finish.
8. Review the Group Policy results.
9. Expand the Group Policy Results folder, right-click the Administrator on LON-DC1 report, and then
click Save Report.
10. In the Save GPO Report dialog box, click Desktop, and then click Save.
Use the Group Policy Modeling Wizard to create a report
1. Right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
2. In the Group Policy Modeling Wizard, click Next.
3. On the Domain Controller Selection page, click Next.
4. On the User and Computer Selection page, under User information, click User, and then click
Browse.
5. In the Select User dialog box, type Ed Meadows, and then click OK.
6. Under Computer information, click Browse.
7. In the Choose Computer Container dialog box, expand Adatum, click IT, and then click OK.
8. On the User and Computer Selection page, click Next.
9. On the Advanced Simulation Options page, click Next.
10. On the Alternate Active Directory Paths page, click Next.
11. On the User Security Groups page, click Next.
12. On the Computer Security Groups page, click Next.
13. On the WMI Filters for Users page, click Next.
14. On the WMI Filters for Computers page, click Next.
15. On the Summary of Selections page, click Next.
16. On the Completing Group Policy Modeling Wizard page, click Finish.
17. Review the report.
18. Close all open windows.
Module Review and Takeaways
Review Question(s)
Question:
1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network
folder named Scripts. Some users in the OU receive the script, whereas others do not. What might be
the possible causes?
2. What GPO settings are applied across slow links by default?
3. You need to ensure that a domain level policy is enforced, but the Managers global group needs to
be exempt from the policy. How would you accomplish this?
Answer:
1. Security permissions might be a problem. If some users do not have read access to shared network
folder where scripts are stored, they will not be able to apply policy. Also, security filtering on GPO
might be the cause for this problem.
2. Registry policy and Security policy are applied even when a slow link is detected. You cannot change
this setting.
3. Set the link to be enforced at the domain level, and use security group filtering to deny Apply Group
Policy permission to the Administrators group.
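The GPResult demonstration and review answer 1 (a logon script in a shared folder reaching some users but not others) fit together as one troubleshooting script. The script below is an added example, not course material. It assumes the GroupPolicy and SmbShare modules on LON-DC1; the share name Scripts comes from the question, while the GPO name, the report paths and the helper function names are assumptions.

```powershell
# Added example: the RSoP report from PowerShell, then the two checks behind
# review answer 1 (share permissions on the script location and security
# filtering on the GPO). Assumes the GroupPolicy and SmbShare modules.
Import-Module GroupPolicy

$desktop   = Join-Path $env:USERPROFILE 'Desktop'
$gpoName   = 'DriveMap'   # assumed: the GPO that delivers the logon script
$shareName = 'Scripts'

# Same report as "GPResult /h results.html", without leaving PowerShell.
Get-GPResultantSetOfPolicy -ReportType Html -Path (Join-Path $desktop 'results.html') | Out-Null

# 1. Can the affected users reach the script? They need Read on the share AND
#    Read & execute on NTFS; a missing grant on either side drops the script.
Get-SmbShareAccess -Name $shareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
$sharePath = (Get-SmbShare -Name $shareName).Path
(Get-Acl -Path $sharePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 2. Who is allowed to apply the GPO? A user missing from this list, directly
#    or through a group, gets nothing from it, including the script.
function Get-GpoApplyTrustees {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied -eq $false } |
        ForEach-Object { $_.Trustee.Name }
}
Write-Output "Principals that apply '$gpoName':"
Get-GpoApplyTrustees -Name $gpoName

# 3. Does the user's RSoP list the GPO at all? The XML report records, per
#    GPO, whether security filtering and WMI filtering allowed it.
$xmlPath = Join-Path $env:TEMP 'rsop.xml'
Get-GPResultantSetOfPolicy -ReportType Xml -Path $xmlPath | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath
$rsop.Rsop.UserResults.GPO |
    Format-Table Name, Enabled, FilterAllowed, AccessDenied -AutoSize
```

Run the script as one of the affected users (or pass `-User` and `-Computer` to `Get-GPResultantSetOfPolicy`) so that step 3 reflects their token; a GPO shown with AccessDenied set is the security-filtering case from the answer, while a GPO listed as applied together with a failing step 1 points at the share or NTFS permissions instead.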
Tools
Tool: Group policy reporting / RSoP
  Use for: Reporting information about the current policies being delivered to clients.
  Where to find it: Group Policy Management Console
Tool: GPResult
  Use for: A command-line utility that displays RSoP information.
  Where to find it: Command-line utility
Tool: GPUpdate
  Use for: Refreshing local and Active Directory Domain Services (AD DS)-based Group Policy settings.
  Where to find it: Command-line utility
Tool: Dcgpofix
  Use for: Restoring the default Group Policy objects to their original state after initial installation.
  Where to find it: Command-line utility
Tool: GPOLogView
  Use for: Exporting Group Policy-related events from the system and operational logs into text, HTML,
  or XML files. For use with Windows Vista, Windows 7, and newer versions.
  Where to find it: Command-line utility
Tool: Group Policy Management scripts
  Use for: Sample scripts that perform a number of different troubleshooting and maintenance tasks.

Common Issues and Troubleshooting Tips
Common Issue: Group Policy settings are not applied to all users or computers in the OU where the GPO
is applied.
  Troubleshooting Tip: Check security filtering on the GPO. Check WMI filters on the GPO.
Common Issue: Group Policy settings sometimes need two restarts to apply.
  Troubleshooting Tip: Enable the wait for network before logon option.


Lab Review Questions and Answers
Lab: Implementing a Group Policy Infrastructure
Question: Which policy settings are already being deployed by using Group Policy in your organization?
Answer: Answers will vary.
Question: Many organizations rely heavily on security group filtering to scope Group Policy Objects
(GPOs), rather than linking GPOs to specific organizational units (OUs). In these organizations, GPOs
typically are linked very high in the Active Directory logical structure, that is, to the domain itself or
to a first-level OU. What advantages do you gain by using security group filtering rather than GPO links
to manage a GPO's scope?
Answer: The fundamental problem of relying on OUs to scope the application of GPOs is that an OU is a
fixed, inflexible structure within Active Directory, and that a single user or computer can only exist within
one OU. As organizations get larger and more complex, configuration requirements are difficult to match
in a one-to-one relationship with any container structure. With security groups, a user or computer can
exist in as many groups as necessary, and you can add or remove them easily without impacting the
security or management of the user or computer account.
Question: Why might it be useful to create an exemption group, a group that is denied the Apply Group
Policy permission, for every GPO that you create?
Answer: There are very few scenarios in which you can be guaranteed that all of the settings in a GPO
always will need to apply to all users and computers within its scope. By having an exemption group, you
will always be able to respond to situations in which a user or computer must be excluded. This can also
help in troubleshooting compatibility and functionality problems. Sometimes, specific GPO settings can
interfere with the functionality of an application. To test whether the application works on a "pure"
installation of Windows, you might need to exclude the user or computer from the scope of GPOs, at
least temporarily for testing.
Question: Do you use loopback policy processing in your organization? In which scenarios and for which
policy settings can loopback policy processing add value?
Answer: Answers will vary. Scenarios could include in conference rooms and kiosks, on virtual desktop
infrastructures, and in other standard environments.
Question: In which situations have you used Resultant Set of Policy (RSoP) reports to troubleshoot Group
Policy application in your organization?
Answer: The correct answer will be based on your own experience and situation.
Question: In which situations have you used, or could you anticipate using, Group Policy modeling?
Answer: The correct answer will be based on your own experience and situation.
Managing User Desktops with Group Policy 6-1
Module 6
Managing User Desktops with Group Policy
Contents:
Lesson 1: Implementing Administrative Templates 2
Lesson 2: Configuring Folder Redirection and Scripts 5
Lesson 3: Configuring Group Policy Preferences 9
Lesson 4: Managing Software with Group Policy 12
Module Review and Takeaways 14
Lab Review Questions and Answers 16

Lesson 1
Implementing Administrative Templates
Contents:
Demonstration 3

Demonstration
Demonstration: Configuring Settings with Administrative Templates
Demonstration Steps
Filter Administrative Template policy settings
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. From Server Manager, click Tools, and then click Group Policy Management.
4. In the console tree, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the
Group Policy Objects container.
5. Right-click the Group Policy Objects container, and then click New.
6. In the New GPO dialog box, in the Name field, type GPO1, and then click OK.
7. In the details pane, right-click GPO1, and then click Edit. The Group Policy Management Editor
appears.
8. In the console tree, expand User Configuration, expand Policies, and then click Administrative
Templates.
9. Right-click Administrative Templates, and then click Filter Options.
10. Select the Enable Keyword Filters check box.
11. In the Filter for word(s) text box, type screen saver.
12. In the drop-down list next to the text box, select Exact, and then click OK. Administrative Templates
policy settings are filtered to show only those that contain the words screen saver. Spend a few
moments examining the settings that you have found.
13. In the console tree, under User Configuration, right-click Administrative Templates, and then click
Filter Options.
14. Clear the Enable Keyword Filters check box.
15. In the Configured drop-down list, select Yes, and then click OK. Administrative Template policy
settings are filtered to show only those that have been configured (enabled or disabled). No settings
have been enabled.
16. In the console tree, under User Configuration, right-click Administrative Templates, and clear the
Filter On option.
Add comments to a policy setting
1. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control
Panel, and then click Personalization.
2. Double-click the Enable screen saver policy setting.
3. In the Comment section, type Corporate IT Security Policy implemented with this policy in
combination with Password Protect the Screen Saver, and then click OK.
4. Double-click the Password protect the screen saver policy setting. Click Enabled.
5. In the Comment section, type Corporate IT Security Policy implemented with this policy in
combination with Enable screen saver, and then click OK.
Add comments to a GPO
1. In the console tree of the Group Policy Management Editor, right-click the root node, GPO1 [LON-
DC1.ADATUM.COM], and then click Properties.
2. Click the Comment tab.
3. Type Adatum corporate standard policies. Settings are scoped to all users and computers in
the domain. Person responsible for this GPO: your name. This comment appears on the Details
tab of the GPO in the Group Policy Management Console (GPMC).
4. Click OK, and then close the Group Policy Management Editor.
Create a new GPO by copying an existing GPO
1. In the GPMC console tree, click the Group Policy Objects container, right-click GPO1, and then click
Copy.
2. Right-click the Group Policy Objects container, click Paste, and then click OK.
3. Click OK.
Create a new GPO by importing settings that were exported from another GPO
1. In the GPMC console tree, click the Group Policy Objects container, right-click GPO1, and then click
Back Up.
2. In the Location: box, type c:\, and then click Back Up.
3. When the backup finishes, click OK.
4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.
5. In the Name: box, type ADATUM Import, and then click OK.
6. In the GPMC console tree, right-click the ADATUM Import GPO, and then click Import Settings. The
Import Settings Wizard appears.
7. Click Next three times.
8. Select GPO1, and then click Next two times.
9. Click Finish, and then click OK.
10. Close the Group Policy Management console.
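The comment, copy, back-up and import steps above are all exposed by the GroupPolicy module, which is the form you would use to keep GPOs under change control. The script below is an added example, not course material. It assumes the GroupPolicy module on LON-DC1 and the GPO names from the demonstration; the backup folder, the copied GPO's name and the helper function are assumptions.

```powershell
# Added example: comment, copy, back up and import a GPO with the GroupPolicy
# module, then compare the settings of source and imported GPO.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup'   # assumed; the demonstration backs up to c:\
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The -Comment value is what the editor's Comment tab stores; it shows on the
# GPO's Details tab in GPMC.
New-GPO -Name 'GPO1' -Comment 'Adatum corporate standard policies. Settings are scoped to all users and computers in the domain.' | Out-Null

# Copy: a new GPO with the same settings. -CopyAcl would also carry over the
# security filtering; without it the copy gets default permissions.
Copy-GPO -SourceName 'GPO1' -TargetName 'GPO1 Copy' | Out-Null

# Back up: Backup-GPO writes a manifest plus one folder per backup id, and
# returns an object describing the backup.
$backup = Backup-GPO -Name 'GPO1' -Path $backupDir -Comment 'Added example backup'
$backup | Select-Object DisplayName, Id, BackupDirectory, CreationTime

# Import: create the target GPO if it does not exist and load the backed-up
# settings into it (the Import Settings Wizard from the demonstration).
Import-GPO -BackupId $backup.Id -Path $backupDir -TargetName 'ADATUM Import' -CreateIfNeeded | Out-Null

# Verify: list the Administrative Template settings each GPO carries and
# compare them. Policy entries sit under each configuration's ExtensionData
# in the XML report.
function Get-GpoPolicyNames {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    @($report.GPO.User.ExtensionData.Extension.Policy.Name) +
    @($report.GPO.Computer.ExtensionData.Extension.Policy.Name) |
        Where-Object { $_ }
}
Compare-Object (Get-GpoPolicyNames -Name 'GPO1') (Get-GpoPolicyNames -Name 'ADATUM Import') -IncludeEqual
```

A backup contains the complete policy, including any Group Policy Preferences items, so keep the backup folder on a path restricted to administrators; and when a backup is imported into a different domain, pass a migration table (`-MigrationTable`) so that domain-specific security principals and UNC paths are translated rather than carried over unchanged.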

Lesson 2
Configuring Folder Redirection and Scripts
Contents:
Question and Answers 6
Demonstration 6

Question and Answers
Settings for Configuring Folder Redirection
Question: Users in the same department often sign in to different computers. They need access to their
Documents folder. They also need data to be private. What folder redirection setting would you choose?
Answer: Create a folder for each user under the root path. This creates a Documents folder to which only
the user has access.
Demonstration
Demonstration: Configuring Folder Redirection
Demonstration Steps
Create a shared folder
1. On LON-DC1, on the taskbar, click File Explorer.
2. In the navigation pane, click Computer.
3. In the details pane, double-click Local Disk (C:), and then on the Home tab, click New folder.
4. In the Name box, type Redirect and then press Enter.
5. Right-click the Redirect folder, click Share with, and then click Specific people.
6. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.
7. For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write.
8. Click Share, and then click Done.
9. Close the Local Disk (C:) window.
Create a GPO to redirect the Documents folder
1. Pause the mouse pointer in the lower right of the display, and then click Start.
2. Click Administrative Tools, and then double-click Group Policy Management.
3. Expand Forest: Adatum.com, and then expand Domains.
4. Right-click Adatum.com, and then click Create a GPO in this domain and Link it here.
5. In the New GPO dialog box, in the Name box, type Folder Redirection, and then click OK.
6. Expand Adatum.com, right-click Folder Redirection GPO, and then click Edit.
7. In the Group Policy Management Editor, under User Configuration, expand Policies, expand
Windows Settings, and then expand Folder Redirection.
8. Right-click Documents, and then click Properties.
9. In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down
arrow, and then select Basic - Redirect everyone's folder to the same location.
10. Ensure the Target folder location box is set to Create a folder for each user under the root path.
11. In the Root Path box, type \\LON-DC1\Redirect, and then click OK.
12. In the Warning dialog box, click Yes.
13. Close all open windows.
Test folder redirection
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
gpupdate /force
4. At the command prompt, type the following command, and then press Enter:
Y
5. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
6. From the Start screen, click Desktop.
7. Right-click the desktop, and then click Personalize.
8. In the navigation pane, click Change desktop icons.
9. In Desktop Icon Settings, select the User's Files check box, and then click OK.
10. On the desktop, double-click Administrator.
11. Right-click My Documents, and then click Properties.
12. In the My Document Properties dialog box, note that the location of the folder is now the Redirect
network share in a subfolder named for the user.
13. Sign out of LON-CL1.
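The demonstration grants Everyone Read/Write on the Redirect share, which is fine for a lab but lets every user browse every other user's redirected folder. The script below is an added example, not course material, that creates the same share with a least-privilege layout that still satisfies the "Create a folder for each user under the root path" setting from the question at the start of this lesson: each user can create a subfolder under the root and fully owns it, but cannot read anyone else's. It assumes the SmbShare module on LON-DC1 (Windows Server 2012) and the share name and path from the steps; the helper function is an assumption. The folder redirection policy itself is still configured in the editor as shown above, since there is no cmdlet for that extension.

```powershell
# Added example: the Redirect share with least-privilege NTFS and share
# permissions for a folder redirection root. Assumes the SmbShare module.
$root = 'C:\Redirect'
New-Item -ItemType Directory -Path $root -Force | Out-Null

$acl = Get-Acl -Path $root
# Stop inheriting from C:\ and do not copy the inherited rules, so only the
# grants below remain.
$acl.SetAccessRuleProtection($true, $false)

function Add-AllowRule {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    # Strings are converted to the FileSystemRights / InheritanceFlags /
    # PropagationFlags enums by the constructor binding.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
    $acl.AddAccessRule($rule)
}

# Administrators and SYSTEM: full control on everything below the root.
Add-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'
Add-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'
# CREATOR OWNER: full control on subfolders and files only, so the user whose
# folder Group Policy creates owns it outright, and nobody else gets in.
Add-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'
# Authenticated Users: list the root and create their own subfolder, on this
# folder only. No read access to other users' folders.
Add-AllowRule 'NT AUTHORITY\Authenticated Users' `
    'ListDirectory, CreateDirectories, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize' `
    'None' 'None'

Set-Acl -Path $root -AclObject $acl

# Share level: Full Control for authenticated users and let NTFS do the real
# restriction. Access-based enumeration hides folders a user cannot open.
New-SmbShare -Name 'Redirect' -Path $root -FullAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased -CachingMode Documents | Out-Null

# Verify both layers.
Get-SmbShareAccess -Name 'Redirect' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

With this layout the test at the end of the demonstration behaves the same (the user's Documents folder lands in \\LON-DC1\Redirect\<user>), but browsing the share as a different user shows only that user's own folder.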
Demonstration: Configuring Scripts with GPOs
Demonstration Steps
Create a logon script to map a network drive
1. On LON-DC1, point to the lower right-hand corner, and then click Start.
2. From the Start screen, type Notepad, and then press Enter.
3. In Notepad, type the following command:
Net use t: \\LON-dc1\Redirect
4. Click the File menu, and then click Save.
5. In the Save As dialog box, in the File name box, type Map.bat.
6. In the Save as type: list, select All Files (*.*).
7. In the navigation pane, click Desktop, and then click Save.
8. Close Notepad.
9. On the desktop, right-click the Map.bat file, and then click Copy.
Create and link a GPO to use the script, and then store the script in the Netlogon
share
1. Open Server Manager.
2. From Server Manager, click Tools, and then click Group Policy Management.
3. Expand Forest: Adatum.com, and then expand Domains.
4. Right-click Adatum.com, and then click Create a GPO in this domain and link it here.
5. In the New GPO dialog box, in the Name box, type DriveMap, and then click OK.
6. Expand Adatum.com, right-click the Drivemap GPO, and then click Edit.
7. In the Group Policy Management Editor, under User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
8. In the details pane, double-click Logon.
9. In the Logon Properties dialog box, click Show Files. This opens the Netlogon share in Computer.
10. In the details pane, right-click a blank area, and then click Paste.
11. Close the Logon window.
12. In the Logon Properties dialog box, click Add.
13. In the Add a Script dialog box, click Browse.
14. Click the Map.bat script, and then click Open.
15. Click OK twice to close all dialog boxes.
16. Close the Group Policy Management Editor and the Group Policy Management console.
Sign in to the client to test the results
1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Click Desktop, and on the taskbar, click File Explorer.
3. Verify that you have a drive mapped to \\Lon-dc1\redirect by examining the navigation pane.
4. Sign out of LON-CL1.

Lesson 3
Configuring Group Policy Preferences
Contents:
Demonstration 10

Demonstration
Demonstration: Configuring Group Policy Preferences
Demonstration Steps
Configure a desktop shortcut with Group Policy preferences
1. On LON-DC1, from Server Manager, open the Group Policy Management console.
2. In the Group Policy Management console, click the Group Policy Objects folder, and in the details
pane, right-click the Default Domain Policy, and then click Edit.
3. Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click
Shortcuts, point to New, and then click Shortcut.
4. In the New Shortcut Properties dialog box, in the Action list, select Create.
5. In the Name box, type Notepad.
6. In the Location box, click the arrow, and then select All Users Desktop.
7. In the Target path box, type C:\Windows\System32\Notepad.exe.
Target the preference
1. On the Common tab, select the Item-level targeting check box, and then click Targeting.
2. In the Targeting Editor dialog box, click New Item, and then click Computer Name.
3. In the Computer name box, type LON-CL1, and then click OK twice.
Configure a new folder with Group Policy preferences
1. Under Windows Settings, right-click Folders, point to New, and then click Folder.
2. In the New Folder dialog box, in the Action list, select Create.
3. In the Path field, type C:\Reports.
Target the preference
1. On the Common tab, select the Item-level targeting check box, and then click Targeting.
2. In the Targeting Editor dialog box, click New Item, and then click Operating System.
3. In the Product list, select Windows 8, and then click OK twice.
4. Close the Group Policy Management Editor.
Test the preferences
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. From Start, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
gpupdate /force
4. When you are prompted to log off so that the user settings can be applied, type Y, and then press Enter.
5. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
6. From Start, click Desktop.
7. Verify the presence of the Notepad shortcut on the desktop.
8. On the taskbar, click File Explorer.
9. Verify the presence of the C:\Reports folder.

Lesson 4
Managing Software with Group Policy
Contents:
Question and Answers 13

Question and Answers
How Windows Installer Enhances Software Distribution
Question: Do users need administrative rights to install applications manually that have MSI files?
Answer: Typically, yes. All MSI packages are run by the Windows Installer service, but a manual per-machine installation requires administrative rights (and triggers a User Account Control prompt). When the same package is deployed through Group Policy software installation, Windows Installer runs it with elevated privileges on the user's behalf, so the user does not need local administrator rights.
Question: What are some disadvantages of deploying software through Group Policy?
Answer:
Some of the disadvantages include:
Large applications generate a lot of network traffic, because every client copies the package from the distribution point.
You cannot control when the installation will occur: assigned packages install at computer startup or at user logon, depending on where they are assigned.
Laptop users are not able to connect to the distribution point when they are not connected to the LAN.
The CSE that delivers software does not function over a slow link, by default.

Module Review and Takeaways
Best Practices
Best Practices Related to Group Policy Management
Include comments on GPO settings.
Use a central store for Administrative Templates when you have clients running Windows Vista, Windows 7, and Windows 8.
Use Group Policy preferences to configure settings that are not available in the Group Policy set of settings.
Use Group Policy software installation to deploy packages in .msi format to a large number of users or computers.
Review Question(s)
Question: Why do some Group Policy settings take two logons before going into effect?
Answer: Windows clients apply Group Policy asynchronously in the background during logon (Fast Logon Optimization), so the user is signed in before policy processing finishes. Settings that can only be applied during a synchronous foreground refresh, such as folder redirection and software installation, are flagged on the first logon and take effect at the next one.
Question: How can you support Group Policy preferences on Windows XP?
Answer: You must download and install the CSEs for Group Policy preferences.
Question: What is the benefit of having a central store?
Answer: A central store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are
required. After you have set up the central store, the Group Policy Management Editor recognizes it, and
then loads all Administrative Templates from the central store instead of from the local machine.
Question: What is the main difference between Group Policy settings and Group Policy preferences?
Answer: Group Policy settings are enforced: the client applies them and disables the corresponding user interface so that the user cannot change them. Group Policy preferences write an initial configuration that the user can still modify afterwards, unless the preference is set to reapply at every refresh.
Question: What is the difference between publishing and assigning software through Group Policy?
Answer: Software that you assign to a user or computer is installed without asking the user whether they want it (on the computer at startup, or for the user at logon or on first use). Software that you publish, which is possible only for users, appears in Programs and Features, and the user decides whether to install it.
Question: Can you use Windows PowerShell scripts as startup scripts?
Answer: Yes. Computers that are running Windows 7 or Windows Server 2008 R2 (or newer) can run Windows PowerShell scripts as startup, shutdown, logon, and logoff scripts; the Scripts policy has a separate PowerShell Scripts tab for them. Earlier operating systems cannot run them directly.
Common Issues and Troubleshooting Tips

Common issue: You have configured folder redirection for an OU, but none of the users' folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty.
Troubleshooting tip: The problem is most likely permission-related. Group Policy creates the user-named subdirectories, but the users do not have enough permission to create their redirected folders inside them.

Common issue: You have assigned an application to an OU. After multiple logons, users report that no one has installed the application.
Troubleshooting tip: The problem may be permission-related. Users need Read access to the software distribution share. Another possibility is that the software package was mapped by using a local path instead of a UNC path.

Common issue: You have a mixture of Windows XP and Windows 8 computers. After configuring several settings in the Administrative Templates of a GPO, users with the Windows XP operating system report that some settings are being applied and others are not.
Troubleshooting tip: Not all new settings apply to earlier systems such as Windows XP. Check the setting itself to see to which operating systems the setting applies.

Common issue: Group Policy preferences are not being applied.
Troubleshooting tip: Check the preference settings for item-level targeting or incorrect configuration.
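For the last issue above, and for the item-level targeting configured in the Lesson 3 demonstration, the quickest check is to read the targeting filters straight out of the preference XML that the Group Policy Management Editor writes under SYSVOL. The following Windows PowerShell function is an added example, not part of the course text: it lists every preference item in such a file with its action, its disabled flag, and its filters. The sample document at the end is constructed for this example; it follows the element layout the editor produces (Properties and Filters children, action letters C/U/R/D, FilterComputer and FilterOs filter elements) but is not a schema reference, and the SYSVOL path shown is the conventional one, with a placeholder GUID.

```powershell
# Added example, not part of the course text: show Group Policy preference
# items and their item-level targeting filters from a preference XML file,
# for example
#   \\Adatum.com\SYSVOL\Adatum.com\Policies\{GUID}\Machine\Preferences\Shortcuts\Shortcuts.xml
# When "preferences are not being applied", a filter that does not match the
# client is the usual cause. The sample document below is constructed.

function Get-GppItemTargeting {
    param([Parameter(Mandatory=$true)] [xml] $Document)

    # Each preference item (Shortcut, Folder, Drive, ...) is a child of the root element.
    foreach ($item in $Document.DocumentElement.ChildNodes) {
        $props  = $item.SelectSingleNode('Properties')
        # Action letters used by the preference extensions: C=Create U=Update R=Replace D=Delete.
        $action = switch ($props.GetAttribute('action')) {
            'C' { 'Create' } 'U' { 'Update' } 'R' { 'Replace' } 'D' { 'Delete' }
            default { $_ }
        }
        # Filters live under <Filters>; each child element is one targeting item.
        $filters = @($item.SelectNodes('Filters/*') | ForEach-Object {
            $f = $_
            $negate = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            $detail = ($f.Attributes | Where-Object { $_.Name -notin 'bool', 'not' } |
                       ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            "$($f.GetAttribute('bool')) $negate$($f.LocalName) $detail".Trim()
        })
        $targets = if ($filters.Count) { $filters -join '; ' }
                   else { '(no filter: applies wherever the GPO applies)' }
        [pscustomobject]@{
            Item     = $item.GetAttribute('name')
            Type     = $item.LocalName
            Action   = $action
            Disabled = ($item.GetAttribute('disabled') -eq '1')
            Targets  = $targets
        }
    }
}

# Constructed sample: the Notepad shortcut from the demonstration, targeted at
# LON-CL1, plus an untargeted item for comparison.
[xml] $sample = @'
<Shortcuts>
  <Shortcut name="Notepad" status="Notepad" disabled="0">
    <Properties action="C" targetType="FILESYSTEM" targetPath="C:\Windows\System32\Notepad.exe" shortcutPath="%DesktopDir%\Notepad"/>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="LON-CL1"/>
    </Filters>
  </Shortcut>
  <Shortcut name="Calculator" status="Calculator" disabled="0">
    <Properties action="C" targetType="FILESYSTEM" targetPath="C:\Windows\System32\calc.exe" shortcutPath="%DesktopDir%\Calculator"/>
  </Shortcut>
</Shortcuts>
'@
Get-GppItemTargeting -Document $sample | Format-Table -AutoSize

# Against a real GPO, feed every preference file under its SYSVOL folder:
# Get-ChildItem '\\Adatum.com\SYSVOL\Adatum.com\Policies\{GUID}\Machine\Preferences' -Recurse -Filter *.xml |
#     ForEach-Object { Get-GppItemTargeting -Document ([xml](Get-Content $_.FullName -Raw)) }
```

Compare the Targets column with the client that is not receiving the item: a NETBIOS name with a typo, or an operating system filter that names a version the client does not report, explains most "preference not applied" reports before you reach for Group Policy logging.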


Lab Review Questions and Answers
Lab: Managing User Desktops with Group Policy
Question: Which options can you use to separate user's redirected folders to different servers?
Answer: You can use Advanced folder redirection to choose different shared folders, on different servers,
for different security groups.
Question: Can you name two methods you could use to assign a GPO to selected objects within an OU?
Answer: You could use a WMI filter to define a criterion that the computer must meet for the GPO to apply, such as whether it is a laptop or which operating system it runs, or you could use security filtering (permissions on the GPO itself) to allow or deny the GPO's settings to particular users, computers, or groups.
Question: You have created Group Policy preferences to configure new power options. How can you
ensure that they will be applied only to laptop computers?
Answer: Use item-level targeting to apply the preference to portable computers. Then, the preference will
be applied if the hardware profile of the computer identifies it as a portable computer.
Configuring and Troubleshooting Remote Access 7-1
Module 7
Configuring and Troubleshooting Remote Access
Contents:
Lesson 2: Configuring VPN Access 2
Lesson 3: Overview of Network Policies 7
Module Review and Takeaways 9
Lab Review Questions and Answers 10

Lesson 2
Configuring VPN Access
Contents:
Demonstration 3

Demonstration
Demonstration: How to Configure VPN Access
Demonstration Steps
Configure Remote Access as a VPN server
1. Sign in to LON-RTR as Adatum\Administrator with the password Pa$$w0rd.
2. If necessary, on the taskbar, click the Server Manager icon.
3. In the Details pane, click Add roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature based installation, and then click
Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, select the Network Policy and Access Services check box.
8. Click Add Features, and then click Next twice.
9. On the Network Policy and Access Services page, click Next.
10. On the Select role services page, verify that the Network Policy Server check box is selected, and
then click Next.
11. On the Confirm installation selections page, click Install.
12. Verify that the installation was successful, and then click Close.
13. Close the Server Manager window.
14. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
15. On the Start menu, click Network Policy Server.
16. In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register
server in Active Directory.
17. In the Network Policy Server message box, click OK.
18. In the subsequent Network Policy Server dialog box, click OK.
19. Leave the Network Policy Server console window open.
20. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
21. In Start, click Administrative Tools, and then double-click Routing and Remote Access. If the
Enable DirectAccess Wizard starts, click Cancel and then click OK.
22. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable
Routing and Remote Access.
23. In the dialog box, click Yes.
24. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure
and Enable Routing and Remote Access.
25. Click Next, click Remote access (dial-up or VPN), and then click Next.
26. Select the VPN check box, and then click Next.
27. Click the Local Area Connection 2 network interface, clear the Enable security on the selected
interface by setting up static packet filters check box, and then click Next.
28. On the IP Address Assignment page, click From a specified range of addresses, and then click
Next.
29. On the Address Range Assignment page, click New. In the Start IP address field, type
172.16.0.100, in the End IP address field, type 172.16.0.110, and then click OK.
30. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
31. On the Managing Multiple Remote Access Servers page, click Next.
32. Click Finish.
33. In the Routing and Remote Access dialog box, click OK.
34. If prompted, click OK again.
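The same server configuration can be scripted, which is how you would reproduce it on a second VPN server or rebuild LON-RTR. The following Windows PowerShell script is an added example, not part of the course text. It assumes the Remote Access and NPS feature names of Windows Server 2012, the netsh ras syntax of Windows Server 2008 R2 and later, and the 172.16.0.100 to 172.16.0.110 pool from the demonstration. Note one deliberate difference: step 27 of the demonstration clears "Enable security on the selected interface by setting up static packet filters", which leaves the public adapter open to all traffic; the script leaves the filters in place and shows the firewall rules RRAS enables so that you can confirm only the VPN protocols are reachable.

```powershell
# Added example, not part of the course text: the VPN server side of the
# demonstration as a script for LON-RTR. Assumptions: feature names as in
# Windows Server 2012, netsh ras syntax as in Windows Server 2008 R2 and
# later, and the client address pool from the demonstration.

# 1. Roles: Remote Access (RRAS) with the VPN role service, plus NPS for policies.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, NPAS -IncludeManagementTools

# 2. Configure RRAS for remote-access VPN only (no DirectAccess, no site-to-site).
#    Fails if RRAS is already configured: disable it first, as the demonstration does.
Install-RemoteAccess -VpnType Vpn

# 3. Client addresses from a static pool instead of DHCP (the demonstration's choice).
netsh ras ip set addrassign method=pool
netsh ras ip add range from=172.16.0.100 to=172.16.0.110

# 4. User authentication by MS-CHAPv2, validated by this server (Windows
#    authentication); PAP and CHAP stay off so passwords never cross the link
#    in a directly reusable form.
netsh ras set authmode mode=standard
netsh ras add authtype type=MSCHAPv2

# 5. Verify: VPN status, the pool, the enabled authentication types, and which
#    inbound VPN protocols Windows Firewall now admits on this server.
Get-RemoteAccess | Format-List VpnStatus, VpnS2SStatus, DAStatus
netsh ras ip show config
netsh ras show authtype
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Format-Table DisplayName, Enabled, Direction -AutoSize
```

If the firewall listing shows PPTP and GRE rules enabled that you do not intend to use, disable them; the SSTP answer in this module's review questions applies here too, since SSTP needs only TCP 443 and protects the tunnel with TLS.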
Configure a VPN Client
1. Switch to LON-CL2.
2. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
3. Click Start, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Internet, click Network and Sharing Center, and then click Set
up a new connection or network.
5. On the Choose a connection option page, click Connect to a workplace, and then click Next.
6. On the How do you want to connect page, click Use my Internet connection (VPN).
7. Click I'll set up an Internet connection later.
8. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.
9. In the Destination name box, type Adatum VPN.
10. Select the Allow other people to use this connection check box, and then click Create.
11. In the Network And Sharing Center window, click Change adapter settings.
12. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
13. On the Security tab, in the Type of VPN list, click Point to Point Tunneling Protocol (PPTP).
14. Under Authentication, click Allow these protocols, and then click OK.
15. In the Network Connections window, right-click the Adatum VPN connection, and then click
Connect/Disconnect.
16. In the Networks list on the right, click Adatum VPN, and then click Connect.
17. In Network Authentication, in the User name text box, type Adatum\Administrator.
18. In the Password text box, type Pa$$w0rd, and then click OK.
19. Wait for the VPN connection to be made. Your connection is unsuccessful. You receive an error
relating to authentication issues. This will be addressed in a later demonstration.
20. Close all open windows.
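The client connection that the wizard builds in the steps above can also be created with the VpnClient module cmdlets of Windows 8, which makes the protocol and authentication choices explicit. The following Windows PowerShell script is an added example, not part of the course text. The first command reproduces the demonstration exactly: PPTP with MS-CHAPv2 to 10.10.0.1 for all users of LON-CL2. The second creates the SSTP alternative that this module's review questions recommend; it assumes a server name vpn.adatum.com that resolves to the VPN server and a server certificate issued for that name, neither of which the demonstration sets up.

```powershell
# Added example, not part of the course text: the "Adatum VPN" connection from
# the demonstration, plus an SSTP variant for comparison. Assumptions: server
# address 10.10.0.1 as in the demonstration; vpn.adatum.com and its certificate
# are hypothetical and not configured by the course.

# What the wizard builds: PPTP tunnel, MS-CHAPv2 password authentication,
# available to every user of this computer ("Allow other people to use this connection").
Add-VpnConnection -Name 'Adatum VPN' -ServerAddress '10.10.0.1' `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -AllUserConnection -RememberCredential:$false -Force

# Preferred: SSTP over TCP 443. The same user authentication runs inside a TLS
# session, so the tunnel is no longer protected only by keys derived from the
# MS-CHAPv2 exchange, and the client verifies the server certificate.
Add-VpnConnection -Name 'Adatum VPN (SSTP)' -ServerAddress 'vpn.adatum.com' `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -AllUserConnection -RememberCredential:$false -Force

# Review what was stored; TunnelType and AuthenticationMethod are the fields to audit.
Get-VpnConnection -AllUserConnection |
    Format-Table Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel -AutoSize

# Dial from the command line (the * makes rasdial prompt for the password):
#   rasdial "Adatum VPN" Adatum\Administrator *
```

With the server configured as in the first demonstration, the PPTP connection fails at authentication exactly as step 19 describes, because no network policy grants access yet; the policy created in Lesson 3 is what makes it succeed.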
Demonstration: How to Create a Connection Profile
Demonstration Steps
Install CMAK
1. If necessary, on LON-CL2, sign in as Adatum\administrator with the password Pa$$w0rd.
2. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
3. In Start, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Programs.
5. In Programs, click Turn Windows features on or off.
6. In Windows Features, select the RAS Connection Manager Administration Kit (CMAK) check box, and then click OK.
7. Click Close.
Create a connection profile
1. In Control Panel, click Control Panel Home.
2. In the View by list, click Large icons.
3. Click Administrative Tools, and then double-click Connection Manager Administration Kit.
4. In the Connection Manager Administration Kit Wizard, click Next.
5. On the Select the Target Operating System page, click Windows Vista or above, and then click
Next.
6. On the Create or Modify a Connection Manager profile page, click New profile, and then click
Next.
7. On the Specify the Service Name and the File Name page, in the Service name text box, type
Adatum HQ, in the File name text box, type Adatum, and then click Next.
8. On the Specify a Realm Name page, click Do not add a realm name to the user name, and then
click Next.
9. On the Merge Information from Other Profiles page, click Next.
10. On the Add Support for VPN Connections page, select the Phone book from this profile check
box.
11. In the VPN server name or IP address text box, type 10.10.0.1, and then click Next.
12. On the Create or Modify a VPN Entry page, click Next.
13. On the Add a Custom Phone Book page, clear the Automatically download phone book updates
check box, and then click Next.
14. On the Configure Dial-up Networking Entries page, click Next.
15. On the Specify Routing Table Updates page, click Next.
16. On the Configure Proxy Settings for Internet Explorer page, click Next.
17. On the Add Custom Actions page, click Next.
18. On the Display a Custom Logon Bitmap page, click Next.
19. On the Display a Custom Phone Book Bitmap page, click Next.
20. On the Display Custom Icons page, click Next.
21. On the Include a Custom Help File page, click Next.
22. On the Display Custom Support Information page, click Next.
23. On the Display a Custom License Agreement page, click Next.
24. On the Install Additional Files with the Connection Manager profile page, click Next.
25. On the Build the Connection Manager Profile and Its Installation Program page, click Next.
26. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.
Examine the created profile
1. Open Windows Explorer.
2. In Windows Explorer, expand drive C, expand Program Files, expand CMAK, expand Profiles,
expand Windows Vista and above, and then expand Adatum. These are the files that you must
distribute.
3. Close all open windows.

Lesson 3
Overview of Network Policies
Contents:
Demonstration 8

Demonstration
Demonstration: How to Create a Network Policy
Demonstration Steps
Create a VPN policy based on Windows Groups condition
1. Switch to LON-RTR.
2. Switch to Network Policy Server.
3. In Network Policy Server, expand Policies, and then click Network Policies.
4. In the details pane, right-click the policy at the top of the list, and then click Disable.
5. In the details pane, right-click the policy at the bottom of the list, and then click Disable.
6. In the navigation pane, right-click Network Policies, and then click New.
7. In the New Network Policy Wizard, in the Policy name text box, type Adatum VPN Policy.
8. In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next.
9. On the Specify Conditions page, click Add.
10. In the Select condition dialog box, click Windows Groups, and then click Add.
11. In the Windows Groups dialog box, click Add Groups.
12. In the Select Group dialog box, in the Enter the object name to select (examples) text box, type
Domain Admins, and then click OK.
13. Click OK again, and then click Next.
14. On the Specify Access Permission page, click Access granted, and then click Next.
15. On the Configure Authentication Methods page, click Next.
16. On the Configure Constraints page, click Next.
17. On the Configure Settings page, click Next.
18. On the Completing New Network Policy page, click Finish.
Test the VPN
1. Switch to LON-CL2.
2. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
3. In Start, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Sharing Center.
5. In Network and Sharing Center, click Change adapter settings.
6. In the Network Connections window, right-click the Adatum VPN connection, and then click
Connect/Disconnect.
7. In the Networks list on the right, click Adatum VPN, and then click Connect.
8. In Network Authentication, in the User name text box, type Adatum\Administrator.
9. In the Password text box, type Pa$$w0rd, and then click OK.
10. Wait for the VPN connection to be made.
Module Review and Takeaways
Question: Your organization wants to implement a cost effective solution that interconnects two branch
offices with your head office. In what way could VPNs play a role in this scenario?
Answer: You could implement VPNs in a site-to-site configuration over the Internet to provide the
necessary routing capabilities.
Question: The IT manager at your organization is concerned about opening too many firewall ports to
facilitate remote access from users that are working from home through a VPN. How could you meet the
expectations of your remote users while allaying your managers concerns?
Answer: Implement SSTP as the tunneling protocol. SSTP establishes the connection by using HTTPS, so it relies only on TCP port 443, a port that is typically already open on corporate firewalls to facilitate connections to other applications and services, for example, Microsoft Outlook Web App and Web services.
Question: You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and Time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?
Answer: Administrators are also members of the Contoso group, and therefore the first policy condition is
met. The second policy is not processed. The solution is either to remove the administrators from the
Contoso group, or change the policy order so that the administrator policy is first in the list.
Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?
Answer: When you configure the DirectAccess server, you designate a web server as the network location server (NLS); it should be highly available and reachable only from the intranet. The DirectAccess client tries to connect to the NLS over HTTPS. If the connection succeeds, the client concludes that it is on the intranet; if it fails, the client concludes that it is on the Internet and establishes its DirectAccess tunnels.
Question: What is the use of an NRPT?
Answer: The NRPT stores a list of DNS namespaces and their corresponding configuration settings. These
settings define the DNS server to contact, and the DNS client behavior for that namespace.
Tools
Tool: Services.msc. Use for: managing Windows services. Where to find it: Administrative Tools, or launch from Run.
Tool: Gpedit.msc. Use for: editing the local Group Policy. Where to find it: launch from Run.
Tool: Mmc.exe. Use for: creating and managing the Microsoft Management Console. Where to find it: launch from Run.
Tool: Gpupdate.exe. Use for: managing Group Policy application. Where to find it: run from a command line.

Lab Review Questions and Answers
Lab A: Configuring Remote Access
Exercise 1: Configuring VPN Clients
Question: In the lab, you configured the VPN server to allocate an IP address configuration by using a
static pool of addresses. Is there an alternative, and if so, what is it?
Answer: Yes, you could use a DHCP server on the internal network to allocate addresses.
Exercise 2: Configuring VPN Clients
Question: If you use the alternative solution, how many addresses are allocated to the VPN server at one
time?
Answer: The DHCP server allocates the VPN server blocks of 10 addresses at a time to allocate to remote
clients.
Exercise 3: Configuring VPN Clients
Question: In the lab, you configured a policy condition of tunnel type and a constraint of a day and time restriction. If there were two policies (the one you created, plus an additional one that had a condition of membership of the Domain Admins group and constraints of tunnel type PPTP or L2TP), why might your administrators be unable to connect out of office hours?
Answer: The administrators are affected by the first policy, because they are using the tunnel type of either PPTP or L2TP, so its condition matches before the administrator policy is ever evaluated. Change the policy order so that the administrator policy comes first.
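Both this lab question and the module review question about the Contoso group turn on the same rule: NPS evaluates network policies in processing order, selects the first enabled policy whose conditions all match, and then applies only that policy's constraints and access permission, so a failed constraint is an Access-Reject rather than a fall-through to the next policy. The following Windows PowerShell model is an added example, not part of the course text; the policies and the connection request are constructed to reproduce the two scenarios and show how reordering changes the outcome.

```powershell
# Added example, not part of the course text: a model of NPS network policy
# evaluation. First policy (in processing order) whose CONDITIONS match is
# selected; only that policy's CONSTRAINTS and access permission decide the
# result; there is no fall-through. Policies and requests below are constructed.

function Test-NpsPolicyDecision {
    param(
        [Parameter(Mandatory=$true)] [object[]]  $Policies,   # in processing order
        [Parameter(Mandatory=$true)] [hashtable] $Request
    )
    foreach ($p in $Policies) {
        if (-not $p.Enabled) { continue }

        # --- Conditions: every condition must hold for the policy to be selected. ---
        $groupOk  = (-not $p.Groups) -or
                    (@($p.Groups | Where-Object { $Request.Groups -contains $_ }).Count -gt 0)
        $tunnelOk = (-not $p.TunnelTypes) -or ($p.TunnelTypes -contains $Request.TunnelType)
        if (-not ($groupOk -and $tunnelOk)) { continue }

        # --- Policy selected: constraints and access permission decide the outcome. ---
        $hourOk = (-not $p.OfficeHoursOnly) -or ($Request.Hour -ge 9 -and $Request.Hour -lt 17)
        $reason = if (-not $hourOk) { 'day-and-time constraint not met' } else { "access permission: $($p.Access)" }
        $result = if ($p.Access -eq 'Grant' -and $hourOk) { 'Access-Accept' } else { 'Access-Reject' }
        return [pscustomobject]@{ User = $Request.User; Policy = $p.Name; Result = $result; Reason = $reason }
    }
    [pscustomobject]@{ User = $Request.User; Policy = '(none)'; Result = 'Access-Reject'; Reason = 'no policy matched' }
}

# Module review scenario: everyone is in Contoso (office hours only); admins unconstrained.
$contoso  = [pscustomobject]@{ Name='Contoso users, office hours';    Enabled=$true; Groups=@('Contoso');       TunnelTypes=@();               OfficeHoursOnly=$true;  Access='Grant' }
$admins   = [pscustomobject]@{ Name='Domain Admins, any time';        Enabled=$true; Groups=@('Domain Admins'); TunnelTypes=@();               OfficeHoursOnly=$false; Access='Grant' }
# Lab scenario: the first policy matches on tunnel type instead of on a group.
$byTunnel = [pscustomobject]@{ Name='PPTP/L2TP users, office hours';  Enabled=$true; Groups=@();                TunnelTypes=@('PPTP', 'L2TP'); OfficeHoursOnly=$true;  Access='Grant' }

# An administrator, who is also a Contoso member, dialling in over PPTP at 22:00.
$admin = @{ User='Adatum\Administrator'; Groups=@('Domain Users', 'Contoso', 'Domain Admins'); TunnelType='PPTP'; Hour=22 }

Test-NpsPolicyDecision -Policies @($contoso, $admins)  -Request $admin   # Access-Reject: Contoso policy selected first
Test-NpsPolicyDecision -Policies @($admins, $contoso)  -Request $admin   # Access-Accept: admin policy moved to the top
Test-NpsPolicyDecision -Policies @($byTunnel, $admins) -Request $admin   # Access-Reject: tunnel-type condition matched first
```

The model ignores the many other condition and constraint types NPS offers, but the ordering rule is the same for all of them: put the most specific policies (narrow group, specific NAS, specific tunnel type) above the broad ones, and keep the default "deny all" policies at the bottom.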
Lab B: Configuring DirectAccess
Question: Why would you use a GPO to configure certificate deployment?
Answer: You would use a GPO to quickly deploy the required certificates to the DirectAccess clients with
the least amount of effort.
Question: How do you install the DirectAccess feature?
Answer: You use Server Manager to install the Remote Access role, which provides the configuration
option for DirectAccess. Alternatively, you could also install this role by using the Windows PowerShell
command-line interface.
Installing, Configuring, and Troubleshooting the Network Policy Server Role 8-1
Module 8
Installing, Configuring, and Troubleshooting the Network
Policy Server Role
Contents:
Lesson 1: Installing and Configuring a Network Policy Server 2
Lesson 2: Configuring RADIUS Clients and Servers 5
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 8
Module Review and Takeaways 10
Lab Review Questions and Answers 11

Lesson 1
Installing and Configuring a Network Policy Server
Contents:
Additional Reading 3
Demonstration 3

Additional Reading
What Is a Network Policy Server?
Note: You might want to draw a diagram that shows the relationship between these elements. Use this link to see a sample diagram:
RADIUS Proxy: http://go.microsoft.com/fwlink/?LinkID=214827&clcid=0x409
Demonstration
Demonstration: Installing the Network Policy Server Role
Demonstration Steps
Install the NPS Role
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. If necessary, on the taskbar, click Server Manager.
4. In the details pane, click Add roles and features.
5. In the Add Roles and Features Wizard, click Next.
6. On the Select installation type page, click Role-based or feature based installation, and then click
Next.
7. On the Select destination server page, click Next.
8. On the Select server roles page, select the Network Policy and Access Services check box.
9. Click Add Features, and then click Next twice.
10. On the Network Policy and Access Services page, click Next.
11. On the Select role services page, verify that the Network Policy Server check box is selected, and
then click Next.
12. On the Confirm installation selections page, click Install.
13. Verify that the installation was successful, and then click Close.
14. Close the Server Manager window.
Register NPS in AD DS
1. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
2. Click Network Policy Server.
3. In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register
server in Active Directory.
4. In the Network Policy Server message box, click OK.
5. In the subsequent Network Policy Server dialog box, click OK.
6. Leave the Network Policy Server console window open.
Demonstration: Configuring General NPS Settings
Demonstration Steps
Configure a RADIUS server for VPN connections
1. On LON-DC1, in the Network Policy Server console, in the Getting Started details pane, open the
drop-down list under Standard Configuration, and then click RADIUS server for Dial-Up or VPN
Connections.
2. Under Radius server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up.
3. In the Configure VPN or Dial-Up Wizard, click Virtual Private Network (VPN) Connections, accept
the default name, and then click Next.
4. On the RADIUS clients page, click Add.
5. In the New RADIUS Client dialog box, in the Friendly Name box, type LON-RTR, and then click
Verify.
6. In the Verify Address dialog box, in the Address box, type LON-RTR, click Resolve, and then click
OK.
7. In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type
Pa$$w0rd, and then click OK.
8. On the Specify Dial-Up or VPN Server page, click Next.
9. On the Configure Authentication Methods page, ensure that the Microsoft Encrypted Authentication
version 2 (MS-CHAPv2) check box is selected, and then click Next.
10. On the Specify User Groups page, click Next.
11. On the Specify IP Filters page, click Next.
12. On the Specify Encryption Settings page, click Next.
13. On the Specify a Realm Name page, click Next.
14. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page,
click Finish.
Save the configuration
1. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
2. In Start, click Windows PowerShell.
3. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Export-NpsConfiguration -Path lon-dc1.xml
4. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Notepad lon-dc1.xml
5. Scroll through the file, and then discuss the contents. Note that the exported file contains the RADIUS shared secrets in clear text, so protect it like a password file and delete it when it is no longer needed. Close the file.

Lesson 2
Configuring RADIUS Clients and Servers
Contents:
Demonstration 6

Demonstration
Demonstration: Configuring a RADIUS Client
Demonstration Steps
1. Switch to LON-RTR.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
4. On the Start screen, click Administrative Tools, and then double-click Routing and Remote Access.
5. If required, at the Enable DirectAccess Wizard dialog box, click Cancel. Click OK.
6. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable
Routing and Remote Access.
7. In the dialog box, click Yes.
8. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure
and Enable Routing and Remote Access.
9. Click Next, select Remote access (dial-up or VPN), and then click Next.
10. Select the VPN check box, and then click Next.
11. Click the network interface called Local Area Connection 2. Clear the Enable security on the selected
interface by setting up static packet filters check box, and then click Next.
12. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
13. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address
and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were
assigned for remote clients, and then click Next.
14. On the Managing Multiple Remote Access Servers page, click Yes, setup this server to work with a
RADIUS server, and then click Next.
15. On the RADIUS Server Selection page, in the Primary RADIUS server box, type LON-DC1.
16. In the Shared secret box, type Pa$$w0rd, and then click Next.
17. Click Finish.
18. In the Routing and Remote Access dialog box, click OK.
19. If prompted again, click OK.
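The two demonstrations so far (Configuring General NPS Settings on LON-DC1 and Configuring a RADIUS Client on LON-RTR) are the two halves of one RADIUS pairing, and both use the lab password as the shared secret. The following Windows PowerShell script is an added example, not part of the course text: it generates a random secret, registers the RRAS server on NPS with the New-NpsRadiusClient cmdlet, protects the exported configuration file, and then points RRAS at NPS. It assumes the server names from the lab, that the administrator carries the secret from LON-DC1 to LON-RTR (it is printed once), that C:\NpsBackup is an arbitrary folder of your choosing, and that the netsh ras aaaa parameter names are those of Windows Server 2008 R2 and later.

```powershell
# Added example, not part of the course text: the RADIUS pairing from the two
# demonstrations with a random shared secret in place of the lab password.
# Assumptions: LON-DC1 runs NPS, LON-RTR runs RRAS; the secret is carried
# between them by the administrator; C:\NpsBackup is arbitrary; netsh ras aaaa
# parameter names as in Windows Server 2008 R2 and later.

function New-RadiusSharedSecret {
    param([int] $Length = 32)
    # Letters, digits and punctuation that survive netsh, XML export and the
    # NPS console unchanged (no quotes, backslash, =, <, >, |, &, comma).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%()*+-./:;?@[]^_{}~'
    $n     = $alphabet.Length
    $limit = 256 - (256 % $n)            # reject bytes at or above this to avoid modulo bias
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void] $sb.Append($alphabet[$buf[0] % $n]) }
    }
    $sb.ToString()
}

# ---------- On LON-DC1 (NPS server) ----------
$secret = New-RadiusSharedSecret
Write-Host "Shared secret for LON-RTR (record it in your password vault now): $secret"

# Register the RRAS server as a RADIUS client. AuthAttributeRequired makes NPS
# insist on the Message-Authenticator attribute, so an Access-Request forged by
# someone who knows only the client's IP address is discarded.
New-NpsRadiusClient -Name 'LON-RTR' -Address 'LON-RTR' -SharedSecret $secret -AuthAttributeRequired $true
# Get-NpsRadiusClient also returns the secret; select the columns you display.
Get-NpsRadiusClient | Format-Table Name, Address, AuthAttributeRequired, Enabled -AutoSize

# Export the configuration as in the demonstration. The XML holds every shared
# secret in clear text, so restrict it to administrators before leaving it on disk.
New-Item -ItemType Directory -Path C:\NpsBackup -Force | Out-Null
Export-NpsConfiguration -Path C:\NpsBackup\lon-dc1.xml
$acl = Get-Acl C:\NpsBackup\lon-dc1.xml
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting the folder's ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path C:\NpsBackup\lon-dc1.xml -AclObject $acl

# ---------- On LON-RTR (RRAS server): set $secret to the value recorded above ----------
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name=LON-DC1 "secret=$secret" port=1812 timeout=5 init-score=30 signature=enabled
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver name=LON-DC1 "secret=$secret" port=1813 timeout=5 init-score=30
netsh ras aaaa show authserver
```

The signature=enabled setting on the RRAS side and AuthAttributeRequired on the NPS side are a pair: each makes its end send or demand the Message-Authenticator attribute, which is what authenticates the RADIUS client to NPS beyond its source address.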
Demonstration: Creating a Connection Request Policy
Demonstration Steps
1. Switch to the LON-DC1 computer.
2. Switch to Network Policy Server console.
3. In Network Policy Server, expand Policies, and then click Connection Request Policies. Notice the
presence of the Virtual Private Network (VPN) Connections policies. The wizard created these
automatically when you specified the NPS role of this server.
4. Right-click Connection Request Policies, and then click New.
5. In the New Connection Request Policy Wizard, in the Policy name box, type Adatum VPN.
6. In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click
Next.
7. On the Specify Conditions page, click Add.
8. In the Select condition dialog box, select NAS Port Type, and then click Add.
9. In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK. Click Next.
10. On the Specify Connection Request Forwarding page, click Next.
11. On the Specify Authentication Methods page, click Next.
12. On the Configure Settings page, click Next.
13. On the Completing Connection Request Policy Wizard page, click Finish.
14. In the Connection Request Policies list, right-click Adatum VPN, and then click Move Up.
15. Ensure that the Adatum VPN policy has a processing order of 1. If not, repeat step 14.

Lesson 4
Monitoring and Troubleshooting a Network Policy
Server
Contents:
Additional Reading 9

Additional Reading
Methods Used to Monitor NPS
Note: To interpret logged data, view the information on the Microsoft TechNet website:
Interpret NPS Database Format Log Files
http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409
Module Review and Takeaways
Review Question(s)
Question: How can you make the most effective use of the NPS logging features?
Answer: You can make the most effective use of the NPS logging features by performing the following
tasks:
Turn on logging (initially) for both authentication and accounting records. Modify these selections
after you determine what is appropriate for your environment.
Ensure that you configure event logging with sufficient capacity to maintain your logs.
Back up all log files on a regular basis, because you cannot recreate them when they become
damaged or are deleted.
Use the RADIUS Class attribute to track usage and simplify the identification of which department or
user to charge for usage. Although the Class attribute, which is automatically generated, is unique for
each request, duplicate records might exist in cases where the reply to the access server is lost and the
request is resent. You might need to delete duplicate requests from your logs to track usage
accurately.
To provide failover and redundancy with SQL Server logging, place two computers that are running
SQL Server on different subnets. Use the SQL Server Create Publication Wizard to configure database
replication between the two servers.
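Turning on authentication logging only pays off if someone reads the records, and the local-file log in database-compatible format is plain comma-delimited text that Windows PowerShell can parse directly. The following script is an added example, not part of the course text: it parses such lines and then applies one piece of detection logic, repeated Access-Reject results for the same user from the same calling station inside a short window, which is the pattern of a password-guessing attempt against the VPN. The column positions are an assumption taken from the database-compatible format (1 computer name, 2 service, 3 date, 4 time, 5 packet type, 6 user name, 9 Calling-Station-ID, 17 client friendly name, 25 policy name, 26 reason code); verify them against the TechNet article on interpreting NPS database format log files that Lesson 4 links to. The log lines are constructed for this example.

```powershell
# Added example, not part of the course text: parse NPS database-compatible
# log lines and flag repeated authentication failures. Column positions are an
# assumption from the format definition (see lead-in); sample lines are constructed.

$PacketTypes = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request' }

function ConvertFrom-NpsDbcLog {
    param([Parameter(Mandatory=$true)] [string[]] $Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        # Split on commas outside double quotes, then strip the quotes.
        $f = [regex]::Split($line, ',(?=(?:[^"]*"[^"]*")*[^"]*$)') | ForEach-Object { $_.Trim('"') }
        $reason = if ($f.Count -gt 25 -and $f[25] -ne '') { [int] $f[25] } else { $null }
        [pscustomobject]@{
            Time           = [datetime]::ParseExact("$($f[2]) $($f[3])", 'MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            PacketType     = $PacketTypes[[int] $f[4]]
            User           = $f[5]
            CallingStation = $f[8]        # the remote client's address for a VPN connection
            NasClient      = $f[16]       # RADIUS client friendly name (the VPN server)
            Policy         = $f[24]
            ReasonCode     = $reason      # 16 = user credentials mismatch, per the format reference
        }
    }
}

function Find-RadiusAuthFailures {
    param([object[]] $Records, [int] $Threshold = 3, [int] $WindowMinutes = 10)
    $Records | Where-Object { $_.PacketType -eq 'Access-Reject' } |
        Group-Object User, CallingStation | ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
            if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    User           = $sorted[0].User
                    CallingStation = $sorted[0].CallingStation
                    Failures       = $_.Count
                    Minutes        = [math]::Round($span, 1)
                    ReasonCodes    = ($sorted.ReasonCode | Sort-Object -Unique) -join ','
                }
            }
        }
}

# Constructed sample: three failures for bob from one address, one success for
# alice, one isolated failure for carol, plus the request that preceded bob's first reject.
$sampleLog = @'
"LON-DC1","IAS",05/20/2013,22:01:10,1,"ADATUM\bob","adatum.com/Users/Bob",,"203.0.113.7",,,"LON-RTR","172.16.0.1",,0,"172.16.0.1","LON-RTR",,,5,,,,4,,
"LON-DC1","IAS",05/20/2013,22:01:12,3,"ADATUM\bob","adatum.com/Users/Bob",,"203.0.113.7",,,"LON-RTR","172.16.0.1",,0,"172.16.0.1","LON-RTR",,,5,,,,4,"Adatum VPN Policy",16
"LON-DC1","IAS",05/20/2013,22:01:40,3,"ADATUM\bob","adatum.com/Users/Bob",,"203.0.113.7",,,"LON-RTR","172.16.0.1",,0,"172.16.0.1","LON-RTR",,,5,,,,4,"Adatum VPN Policy",16
"LON-DC1","IAS",05/20/2013,22:02:15,3,"ADATUM\bob","adatum.com/Users/Bob",,"203.0.113.7",,,"LON-RTR","172.16.0.1",,0,"172.16.0.1","LON-RTR",,,5,,,,4,"Adatum VPN Policy",16
"LON-DC1","IAS",05/20/2013,22:03:00,2,"ADATUM\alice","adatum.com/Users/Alice",,"198.51.100.23",,,"LON-RTR","172.16.0.1",,0,"172.16.0.1","LON-RTR",,,5,,,,4,"Adatum VPN Policy",0
"LON-DC1","IAS",05/20/2013,22:04:00,3,"ADATUM\carol","adatum.com/Users/Carol",,"192.0.2.44",,,"LON-RTR","172.16.0.1",,0,"172.16.0.1","LON-RTR",,,5,,,,4,"Adatum VPN Policy",16
'@ -split "`r?`n"

$records = ConvertFrom-NpsDbcLog -Lines $sampleLog
$records | Format-Table Time, PacketType, User, CallingStation, Policy, ReasonCode -AutoSize
Find-RadiusAuthFailures -Records $records   # reports bob from 203.0.113.7: 3 failures in about 1 minute

# Against the real log folder (default C:\Windows\System32\LogFiles):
#   Get-Content C:\Windows\System32\LogFiles\IN*.log | ConvertFrom-NpsDbcLog
```

Only Access-Reject records count here; Access-Request lines are deliberately skipped because a request is logged whether or not it succeeds, and counting them would inflate every busy user. Raise the threshold or the window to suit your environment, and run the check against the accounting log as well as the authentication log if you have split them.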
Question: What consideration must you follow if you choose to use a nonstandard port assignment for
RADIUS traffic?
Answer: If you do not use the RADIUS default port numbers, you must configure exceptions on the
firewall for the local computer to allow RADIUS traffic on the new ports.
Question: Why must you register the NPS server in Active Directory?
Answer: When NPS is a member of an Active Directory domain, NPS performs authentication by
comparing user credentials that it receives from network access servers with the user-account credentials
that Active Directory stores. NPS authorizes connection requests by using network policy and by checking
user account dial-in properties in Active Directory. You must register the NPS server in Active Directory to
have permission to access user-account credentials and dial-in properties.
Tools
Tool: Network Policy Server
Use for: Managing and creating network policy
Where to find it: Network Policy Server on the Administrative Tools menu

Tool: Netsh command-line tool
Use for: Creating administrative scripts for configuring and managing the Network Policy Server role
Where to find it: In a Command Prompt window, type netsh -c nps to administer NPS from a command prompt

Tool: Event Viewer
Use for: Viewing logged information from application, system, and security events
Where to find it: Event Viewer on the Administrative Tools menu

Installing, Configuring, and Troubleshooting the Network Policy Server Role 8-11
Lab Review Questions and Answers
Lab: Installing and Configuring a Network Policy Server
Question: What does a RADIUS proxy provide?
Answer: When you use NPS as a RADIUS proxy, NPS forwards connection requests to NPS or other
RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The
proxy does not need to be registered in AD DS because it does not need access to the dial-in
properties of user accounts. Additionally, you do not need to configure network policies on an NPS proxy,
because the proxy does not perform authorization for connection requests. The NPS proxy can be a
domain member or it can be a stand-alone server with no domain membership.
Question: What is a RADIUS client, and what are some examples of RADIUS clients?
Answer: A NAS is a device that provides some level of access to a larger network. A NAS using a RADIUS
infrastructure is a RADIUS client, sending connection requests and accounting messages to a RADIUS
server for authentication, authorization, and accounting.
Examples of RADIUS clients are:
Network access servers that provide remote access connectivity to an organization's network or the
Internet. An example is a computer that is running Windows Server 2012 and the Routing and
Remote Access service, which provides either traditional dial-up or VPN remote-access services to an
organization's intranet.
Wireless access points that provide physical-layer access to an organization's network by using
wireless-based transmission and reception technologies.
Switches that provide physical-layer access to an organization's network by using traditional LAN
technologies such as Ethernet.
RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote
RADIUS server group that you configure on the RADIUS proxy.
Implementing Network Access Protection 9-1
Module 9
Implementing Network Access Protection
Contents:
Lesson 3: Configuring NAP 2
Lesson 4: Monitoring and Troubleshooting NAP 8
Module Review and Takeaways 10
Lab Review Questions and Answers 11
Lesson 3
Configuring NAP
Contents:
Demonstration 3
Demonstration
Demonstration: Configuring NAP
Demonstration Steps
Install the NPS server role
1. Switch to LON-DC1 and sign in as Adatum\administrator with the password Pa$$w0rd.
2. If necessary, on the taskbar, click Server Manager.
3. In the details pane, click Add roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature based installation, and then click
Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, select the Network Policy and Access Services check box.
8. Click Add Features, and then click Next twice.
9. On the Network Policy and Access Services page, click Next.
10. On the Select role services page, verify that the Network Policy Server check box is selected, and
then click Next.
11. On the Confirm installation selections page, click Install.
12. Verify that the installation was successful, and then click Close.
13. Close the Server Manager window.
Configure NPS as a NAP health policy server
1. Pause your mouse pointer in the lower-left corner of the taskbar, and then click Start.
2. On the Start screen, click Network Policy Server.
3. In the navigation pane, expand Network Access Protection, expand System Health Validators,
expand Windows Security Health Validator, and then click Settings.
4. In the right pane under Name, double-click Default Configuration.
5. In the navigation pane, click Windows 8/Windows 7/Windows Vista.
6. In the details pane, clear all check boxes except the A firewall is enabled for all network
connections check box.
7. Click OK to close the Windows Security Health Validator dialog box.
Configure health policies
1. In the navigation pane, expand Policies.
2. Right-click Health Policies and then click New.
3. In the Create New Health Policy dialog box, under Policy name, type Compliant.
4. Under Client SHV checks, verify that Client passes all SHV checks is selected.
5. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
6. Click OK.
7. Right-click Health Policies and then click New.
8. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
9. Under Client SHV checks, select Client fails one or more SHV checks.
10. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
11. Click OK.
Configure network policies for compliant computers
1. In the navigation pane, under Policies, click Network Policies.
2. Important: Disable the two default policies found under Policy Name by right-clicking the policies,
and then clicking Disable.
3. Right-click Network Policies and then click New.
4. On the Specify Network Policy Name and Connection Type page, under Policy name, type
Compliant-Full-Access, and then click Next.
5. On the Specify Conditions page, click Add.
6. In the Select condition dialog box, double-click Health Policies.
7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
8. On the Specify Conditions page, click Next.
9. On the Specify Access Permission page, click Next.
10. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box, and then click Next.
11. Click Next again.
12. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is
selected, and then click Next.
13. On the Completing New Network Policy page, click Finish.
Configure network policies for noncompliant computers
1. Right-click Network Policies, and then click New.
2. On the Specify Network Policy Name And Connection Type page, under Policy name, type
Noncompliant-Restricted, and then click Next.
3. On the Specify Conditions page, click Add.
4. In the Select condition dialog box, double-click Health Policies.
5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
6. On the Specify Conditions page, click Next.
7. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
8. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box, and then click Next.
9. Click Next again.
10. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.
11. Clear the Enable auto-remediation of client computers check box.
12. Click Next, and then click Finish.
Configure the DHCP server role for NAP
1. Pause your mouse pointer in the lower-left corner of the taskbar, and then click Start.
2. In Start, click Administrative Tools, and then double-click DHCP.
3. In DHCP, expand LON-DC1.Adatum.com, expand IPv4, right-click Scope [172.16.0.0] Adatum, and
then click Properties.
4. In the Scope [172.16.0.0] Adatum Properties dialog box, click the Network Access Protection tab,
click Enable for this scope, and then click OK.
5. In the navigation pane, under Scope [172.16.0.0] Adatum, click Policies.
6. Right-click Policies, and then click New Policy.
7. In the DHCP Policy Configuration Wizard, in the Policy Name box, type NAP Policy, and then click
Next.
8. On the Configure Conditions for the policy page, click Add.
9. In the Add/Edit Condition dialog box, in the Criteria list, click User Class.
10. In the Operator list, click Equals.
11. In the Value list, click Default Network Access Protection Class, and then click Add.
12. Click OK, and then click Next.
13. On the Configure settings for the policy page, click No, and then click Next.
14. On the subsequent Configure settings for the policy page, in the Vendor class list, click DHCP
Standard Options.
15. In the Available Options list, select the 006 DNS Servers check box.
16. In the IP address box, type 172.16.0.10, and then click Add.
17. In the Available Options list, select the 015 DNS Domain Name check box.
18. In the String value box, type restricted.adatum.com, and then click Next.
19. On the Summary page, click Finish.
20. Close DHCP.
Configure client NAP settings
1. Switch to the LON-CL1 computer, and then sign in as Adatum\administrator with the password
Pa$$w0rd.
2. On the Start screen, type napclcfg.msc, and then press Enter.
3. In NAPCLCFG [NAP Client Configuration (Local Computer)], in the navigation pane, click
Enforcement Clients.
4. In the results pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
5. Close NAPCLCFG [NAP Client Configuration (Local Computer)].
6. Pause your mouse in the lower-left of the taskbar, and then click Start.
7. On the Start screen, type Services.msc, and then press Enter.
8. In Services, in the results pane, double-click Network Access Protection Agent.
9. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup
type list, click Automatic.
10. Click Start, and then click OK.
11. Pause your mouse in the lower-left of the taskbar, and then click Start.
12. On the Start screen, type gpedit.msc, and then press Enter.
13. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
15. Close the console window.
16. Pause your mouse pointer in the lower-right of the taskbar, and then click Settings.
17. In the Settings list, click Control Panel.
18. In Control Panel, click Network and Internet.
19. In Network and Internet, click Network and Sharing Center.
20. In Network and Sharing Center, in the left pane, click Change adapter settings.
21. Right-click Local Area Connection, and then click Properties.
22. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
23. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
24. Click Obtain DNS server address automatically, and then click OK.
25. In the Local Area Connection Properties dialog box, click OK.
Test NAP
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. On the Start screen, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
Ipconfig
4. Switch to Services.
5. In Services, in the results pane, double-click Windows Firewall.
6. In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click
Disabled.
7. Click Stop, and then click OK.
8. In the System Tray area, click the Network Access Protection pop-up warning. Review the
information in the Network Access Protection dialog box. Click Close.
Note: You may not receive a warning in the System Tray area, depending upon the point
at which your computer becomes non-compliant.
9. At the command prompt, type the following command, and then press Enter:
Ipconfig
10. Notice that the computer has a subnet mask of 255.255.255.255 and a Domain Name System (DNS)
Suffix of restricted.Adatum.com. Leave all windows open.
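The DHCP enforcement configuration in this demonstration can also be scripted. The following PowerShell is an added example and is not part of the course material: the first part performs the LON-DC1 steps (NPS role service, NAP on the scope, the NAP Policy DHCP policy and its 006/015 options) and the second part the LON-CL1 steps (enforcement client, NAP agent, Security Center policy, DHCP addressing), using the lab's names and addresses. The System Health Validator, health policies and network policies have no cmdlets in Windows Server 2012, so those remain NPS console (or netsh nps) steps. The enforcement client ID 79617 and the SecurityCenterInDomain registry value are assumptions about the NAP client and the Turn on Security Center (Domain PCs only) setting; confirm both on your build before relying on them.

```powershell
# Added example (not from the course): script the NAP DHCP enforcement configuration
# from the demonstration. Part 1 runs on LON-DC1, part 2 on LON-CL1 (both elevated).

# ----- Part 1: LON-DC1 -----
# NPS role service (Server Manager steps 3-12)
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

$scopeId = '172.16.0.0'

# Scope properties, "Network Access Protection" tab, "Enable for this scope" (default NAP profile)
Set-DhcpServerv4Scope -ScopeId $scopeId -NapEnable $true

# DHCP policy matching the user class that NAP-restricted clients present in their requests
Add-DhcpServerv4Policy -Name 'NAP Policy' -ScopeId $scopeId -Condition OR `
    -UserClass EQ, 'Default Network Access Protection Class'

# Options 006 DNS Servers and 015 DNS Domain Name for clients matched by that policy only
Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName 'NAP Policy' `
    -DnsServer 172.16.0.10 -DnsDomain 'restricted.adatum.com'

# Review what a restricted client will be offered
Get-DhcpServerv4Scope -ScopeId $scopeId | Select-Object ScopeId, Name, NapEnable, NapProfile
Get-DhcpServerv4Policy -ScopeId $scopeId -Name 'NAP Policy'
Get-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName 'NAP Policy'

# ----- Part 2: LON-CL1 -----
# Enable the DHCP Quarantine Enforcement Client (assumption: 79617 is its enforcement client ID)
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# Network Access Protection Agent: start now and at boot
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Local policy "Turn on Security Center (Domain PCs only)" (assumption: the value that setting writes)
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
New-Item -Path $scKey -Force | Out-Null
New-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -PropertyType DWord -Value 1 -Force | Out-Null

# Drop the static IPv4 configuration on "Local Area Connection" and obtain address and DNS automatically
$nic = 'Local Area Connection'
Remove-NetRoute -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetIPAddress -InterfaceAlias $nic -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceAlias $nic -AddressFamily IPv4 -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceAlias $nic -ResetServerAddresses

# Verify the client side before the "Test NAP" steps: enforcement client enabled, agent running,
# and the current lease. A noncompliant client ends up with a 255.255.255.255 mask and the
# restricted.adatum.com suffix, as step 10 of "Test NAP" shows.
netsh nap client show state
Get-Service -Name napagent
ipconfig /all
```

As the lab review for this module points out, DHCP enforcement only constrains clients that actually take a lease, so treat it as a compliance nudge rather than as an access control boundary, and monitor the NPS and DHCP logs for clients that never appear.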
Lesson 4
Monitoring and Troubleshooting NAP
Contents:
Demonstration 9
Demonstration
Demonstration: Configuring NAP Tracing
Demonstration Steps
Configure tracing from the GUI
1. Switch to LON-CL1.
2. Pause your mouse in the lower-left of the taskbar, and then click Start.
3. On the Start screen, type napclcfg.msc, and then press Enter.
4. In the NAPCLCFG [NAP Client Configuration (Local Computer)] console, in the navigation pane,
right-click NAP Client Configuration (Local Computer) from the console tree, and then click
Properties.
5. On the General tab, click Enabled, and in the Basic list, click Advanced, and then click OK.
Configure tracing from the command line
1. Switch to the command prompt.
2. At the command prompt, type the following command, and then press Enter:
netsh nap client set tracing state = enable
Module Review and Takeaways
Review Question(s)
Question: What are the three main client configurations that you need to configure for most NAP deployments?
Answer: Some NAP deployments that use Windows Security Health Validator require that you enable Security
Center. The Network Access Protection service is required when you deploy NAP to NAP-capable client
computers. You also must configure the NAP enforcement clients on the NAP-capable computers.
Question: You want to evaluate the overall health and security of the NAP enforced network. What do
you need to do to start recording NAP events?
Answer: NAP trace logging is disabled by default, but you should enable it if you want to troubleshoot
NAP-related problems or evaluate the overall health and security of your organization's computers. You
can use the NAP Client Management console or the netsh command-line tool to enable logging
functionality.
Question: On a client computer, what steps must you perform to ensure that its health is assessed?
Answer: You must perform the following steps to ensure that it can be assessed for health:
Enable the NAP enforcement client.
Enable the Security Center.
Start the NAP agent service.
Tools
Tool: Services
Use for: Enabling and configuring the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh nap
Use for: Using netsh, you can create scripts to configure a set of NAP client settings automatically, and display the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh -c nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration/Administrative Templates/Windows Components/Security Center section of Group Policy.
Lab Review Questions and Answers
Lab: Implementing NAP
Question: The DHCP NAP enforcement method is the weakest enforcement method in Windows Server
2012. Why is it a less preferable enforcement method than other available methods?
Answer: It is less preferable because a manually assigned IP address on the client machine circumvents
DHCP NAP enforcement.
Question: Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit
would this scenario provide?
Answer: Yes. You can use one or all of the NAP solutions in an environment. One benefit is that this
solution would use IPsec to secure communication on the intranet, and not just the tunnel between the
Internet host and the Routing and Remote Access server.
Question: Could you have used DHCP NAP enforcement for the client? Why or why not?
Answer: No. It would not have worked, because the IP addresses assigned to the Routing and Remote
Access client are coming from a static pool on the Routing and Remote Access server itself.
Optimizing File Services 10-1
Module 10
Optimizing File Services
Contents:
Lesson 1: Overview of FSRM 2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports 5
Lesson 3: Implementing Classification and File Management Tasks 8
Lesson 4: Overview of DFS 11
Lesson 5: Configuring DFS Namespaces 13
Lesson 6: Configuring and Troubleshooting DFS-R 16
Module Review and Takeaways 18
Lab Review Questions and Answers 19
Lesson 1
Overview of FSRM
Contents:
Question and Answers 3
Demonstration 3
Question and Answers
Understanding Capacity Management Challenges
Question: What capacity management challenges have you experienced or are you experiencing in your
environment?
Answer: While answers may vary, guide the students toward a conversation that involves incorporating
the points in this topic as they relate to their specific examples.
Demonstration
Demonstration: How to Install and Configure FSRM
Demonstration Steps
Install the FSRM role service
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. Confirm that role-based or feature-based installation is selected, and then click Next.
5. Confirm that LON-SVR1.Adatum.com is selected, and then click Next.
6. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI Services, and then select the File Server Resource Manager check box.
7. In the pop-up window, click Add Features.
8. Click Next twice to confirm role service and feature selection.
9. On the Confirm installation selections page, click Install.
10. When the installation completes, click Close.
Specify FSRM configuration options
1. In Server Manager, click Tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager window, in the navigation pane, right-click File Server Resource
Manager (Local), and then click Configure Options.
3. In the File Server Resource Manager Options window, click the File Screen Audit tab, and then select
the Record file screening activity in auditing database check box.
4. Click OK to close the File Server Resource Manager Options window.
Manage FSRM by using Windows PowerShell
1. On the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command prompt, type the following, and then press Enter:
Set-FsrmSetting -SmtpServer LON-SVR1 -AdminEmailAddress fileadmin@adatum.com -FromEmailAddress fileadmin@adatum.com
3. Close the Windows PowerShell window.
4. In the File Server Resource Manager window, in the navigation pane, right-click File Server Resource
Manager (Local), and then click Configure Options.
5. On the Email Notifications tab, review the configured options to confirm that they are the same as
the options specified in the Set-FsrmSetting command.
6. Close all open windows.
Lesson 2
Using FSRM to Manage Quotas, File Screens, and
Storage Reports
Contents:
Demonstration 6
Demonstration
Demonstration: Using FSRM to Manage Quotas and File Screens, and to
Generate On-Demand Storage Reports
Demonstration Steps
Create a quota
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the taskbar, click the Server Manager shortcut.
3. In Server Manager, click Tools, and then click File Server Resource Manager.
4. In File Server Resource Manager, expand the Quota Management node, and then click Quota
Templates.
5. Right-click the 100 MB Limit template, and then click Create quota from template.
6. In the Create Quota window, click Browse.
7. In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, expand Mod10, click Data,
and then click OK.
8. In the Create Quota window, click Create.
9. In the File Server Resource Manager window, click Quotas to view the newly created quota.
Test a quota
1. On the taskbar, click the Windows PowerShell icon.
2. In the Windows PowerShell window, type the following commands, and press Enter after each line:
E:
cd \labfiles\Mod10\data
Fsutil file createnew largefile.txt 130000000
3. Observe the message returned: Error: There is not enough space on the disk.
4. Close the Windows PowerShell window.
Create a file screen
1. In the File Server Resource Manager window, expand the File Screening Management node, and
then click File Screen Templates.
2. Right-click the Block Image Files template, and then click Create File Screen from Template.
3. In the Create File Screen window, click Browse.
4. In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, expand Mod10, click Data,
and then click OK.
5. In the Create File Screen window, click Create.
Test a file screen
1. Open Windows Explorer.
2. In the Windows Explorer window, expand Allfiles (E:), expand Labfiles, and then click Mod10.
3. In Windows Explorer, click the Home tab, click New Item, and then click Bitmap Image.
4. Type testimage, and then press Enter.
5. The file will be created successfully.
6. Right-click testimage, and then click Copy.
7. Right-click Data, and then click Paste.
8. You will receive a message that you need permission to perform this action. Click Skip to clear the
message.
9. Close Windows Explorer.
Generate a storage report
1. In File Server Resource Manager, in the navigation pane, right-click Storage Reports
Management, and then click Generate Reports Now.
2. In the Storage Reports Task Properties window, select the Large Files check box.
3. Click the Scope tab, and then click Add.
4. In the Browse for Folder window, click Allfiles (E:), and then click OK.
5. In the Storage Reports Task Properties window, click OK.
6. In the Generate Storage Reports window, click OK to generate the report.
7. In the window that displays, double-click the html file and examine the report.
8. Close the report window.
9. Close the Interactive window.
10. Close the File Server Resource Manager window.
11. Close the Server Manager window.
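The quota, file screen and storage report from these steps can be created with the FileServerResourceManager cmdlets that are installed with the FSRM role service. The following is an added example and is not part of the course material: it uses the same template names and the E:\Labfiles\Mod10\Data path, repeats the demonstration's fsutil test, and adds Test-FsrmFolderProtection, a small function written for this example (not an FSRM cmdlet) that a deployment script can call to confirm both protections actually applied.

```powershell
# Added example (not from the course): the lesson's quota, file screen and storage
# report created with the FileServerResourceManager module on LON-SVR1 (elevated).
Import-Module FileServerResourceManager

$dataPath = 'E:\Labfiles\Mod10\Data'

# Quota from the built-in "100 MB Limit" template. The template is a hard quota, so
# writes that would cross the limit fail instead of merely triggering a notification.
New-FsrmQuota -Path $dataPath -Template '100 MB Limit'

# Same test as the demonstration: 130,000,000 bytes exceeds 100 MB, so fsutil reports
# that there is not enough space on the disk and no file is created.
fsutil file createnew (Join-Path $dataPath 'largefile.txt') 130000000

# File screen from the built-in "Block Image Files" template. An active screen blocks the
# save; a passive screen (-Active:$false) only logs and notifies, which is the right
# first step when you are unsure what legitimate traffic a new screen would catch.
New-FsrmFileScreen -Path $dataPath -Template 'Block Image Files'

# Review what is now enforced on the folder
Get-FsrmQuota -Path $dataPath | Select-Object Path, Size, Usage, SoftLimit, Template
Get-FsrmFileScreen -Path $dataPath | Select-Object Path, Active, Template, IncludeGroup

function Test-FsrmFolderProtection {
    # Helper for this example only: $true when the folder carries a quota and an
    # active file screen, so a script can fail fast if a template did not apply.
    param([string]$Path)
    $quota  = Get-FsrmQuota -Path $Path -ErrorAction SilentlyContinue
    $screen = Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue
    return ($null -ne $quota) -and ($null -ne $screen) -and [bool]$screen.Active
}
Test-FsrmFolderProtection -Path $dataPath

# On-demand Large Files report over E:\. -Interactive generates it immediately instead of
# on a schedule; the HTML output is written to the interactive report location configured
# under Configure Options, Report Locations.
New-FsrmStorageReport -Name 'Large files on E' -Namespace 'E:\' -ReportType LargeFiles -Interactive
```

Quotas and file screens created from a template stay linked to it, which is the one-to-many management the module review below describes: editing the template and applying the change to derived quotas updates every folder at once.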
Lesson 3
Implementing Classification and File Management
Tasks
Contents:
Demonstration 9
Demonstration
Demonstration: How to Configure Classification Management
Demonstration Steps
Create a Classification Property
1. On LON-SVR1, on the taskbar, click the Server Manager shortcut.
2. In Server Manager, click Tools, and then click File Server Resource Manager.
3. In File Server Resource Manager, expand the Classification Management node, and then click
Classification Properties.
4. Right-click Classification Properties, and then click Create Local Property.
5. In the Create Local Classification Property window, in the Name field, type Confidential, and in the
Description field, type Assigns a confidentiality value of Yes or No.
6. Under Property type, click the drop-down list box, and then select Yes/No.
7. In the Create Local Classification Property window, click OK.
Create a Classification Rule
1. In File Server Resource Manager, click the Classification Rules node.
2. Right-click the Classification Rules node, and then click Create Classification Rule.
3. In the Rule name field, type Confidential Payroll Documents.
4. In the Description field, type Classify documents containing the word payroll as confidential.
5. Click the Scope tab.
6. In the Scope section, click the Add button. In the Browse for Folder window, expand Allfiles (E:),
expand Labfiles, click Mod10, and then click OK.
7. In the Create Classification Rule window, click the Classification tab.
8. In the Classification method area, click the drop-down list box, and then click Content Classifier.
9. In the Property section, choose a Property name of Confidential and a Property value of Yes, and
then click the Configure button.
10. On the Parameters tab, below the Expression Type column, click the drop-down menu, and then
select String.
11. Double-click in the Expression column, and then type payroll, and then click OK.
12. In the Create Classification Rule window, click OK.
Modify the Classification Schedule
1. Right-click the Classification Rules node, and then click Configure Classification Schedule.
2. In the File Server Resource Manager Options window, ensure the Automatic Classification tab is
selected.
3. In the Schedule window, click the Enable fixed schedule check box.
4. In the Run at field, type 8:30 AM, select Sunday, and then click OK.
5. Right-click the Classification Rules node, and then click Run Classification With All Rules Now.
6. In the Run Classification window, click Wait for classification to complete, and then click OK.
7. View the report, and ensure that January.txt is listed at the bottom of the report.
8. In a Windows Explorer window, click drive E, expand Labfiles, expand Mod10, and then double-click
the Data folder.
9. In the Data folder, double-click the file January.txt, and then view its contents.
10. Close all open windows on LON-SVR1.
Demonstration: How to Configure File Management Tasks
Demonstration Steps
Create a File Management Task
1. On LON-SVR1, on the taskbar, click the Server Manager shortcut.
2. In Server Manager, click Tools, and then click File Server Resource Manager.
3. In File Server Resource Manager, select and then right-click the File Management Tasks node, and
then click Create File Management Task.
4. In the Task name field, type Expire Confidential Documents.
5. In the Description field, type Move confidential documents to another folder.
6. Click the Scope tab.
7. In the Scope section, click the Add button.
8. Expand Allfiles (E:), expand Labfiles, expand Mod10, click Data, and then click OK.
Configure a File Management Task to expire documents
1. In the Create File Management Task window, click the Action tab.
2. On the Action tab, under Type, select File expiration.
3. In Expiration directory, type E:\Labfiles\Mod10\Expired.
4. In the Create File Management Task window, click the Condition tab.
5. On the Condition tab, under the Property conditions section, click the Add button.
6. In the Property Condition window, click the Property drop-down list box, and select Confidential.
Click the Operator drop-down list box, and select Equal. Click the Value drop-down list box, select
Yes, and then click OK.
7. In the Create File Management Task window, click the Schedule tab.
8. Select the Sunday check box.
9. In the Create File Management Task window, click OK.
10. Right-click the Expire Confidential Documents task, and then click Run File Management Task
Now.
11. In the Run File Management Task window, choose Wait for task to complete, and then click OK.
12. View the generated report, ensuring that January.txt is on the list.
13. Open the E:\Labfiles\Mod10\Expired folder, and view the contents. The contents will include folders
representing the server name and previous location of the expired content.
14. Close all open windows.
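The property, rule, schedule and file management task from the two demonstrations above can also be created with the FileServerResourceManager cmdlets. This is an added example and is not part of the course material; it uses the names and paths from the steps, and Wait-FsrmClassification and Wait-FsrmFileManagementJob stand in for the "Wait for ... to complete" options in the dialog boxes. It assumes the Expired folder does not need to exist in advance, which is how the demonstration runs as well.

```powershell
# Added example (not from the course): the Confidential property, the content
# classification rule, the Sunday schedule and the expiration task, scripted on LON-SVR1.
Import-Module FileServerResourceManager

$scopePath   = 'E:\Labfiles\Mod10'
$dataPath    = 'E:\Labfiles\Mod10\Data'
$expiredPath = 'E:\Labfiles\Mod10\Expired'

# Local Yes/No classification property
New-FsrmClassificationPropertyDefinition -Name 'Confidential' -Type YesNo `
    -Description 'Assigns a confidentiality value of Yes or No'

# Content Classifier rule: any file under the scope containing the string "payroll"
# is assigned Confidential = Yes
New-FsrmClassificationRule -Name 'Confidential Payroll Documents' `
    -Description 'Classify documents containing the word payroll as confidential' `
    -Namespace $scopePath -Property 'Confidential' -PropertyValue 'Yes' `
    -ClassificationMechanism 'Content Classifier' -ContentString 'payroll'

# Fixed classification schedule, Sundays at 08:30, then run all rules now and wait
$sunday = New-FsrmScheduledTask -Time (Get-Date '08:30') -Weekly Sunday
Set-FsrmClassification -Schedule $sunday
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# File management task: expire (move) Confidential = Yes files from Data into Expired
$action    = New-FsrmFmjAction -Type Expiration -ExpirationFolder $expiredPath
$condition = New-FsrmFmjCondition -Property 'Confidential' -Condition Equal -Value 'Yes'
New-FsrmFileManagementJob -Name 'Expire Confidential Documents' `
    -Description 'Move confidential documents to another folder' `
    -Namespace $dataPath -Action $action -Condition $condition -Schedule $sunday
Start-FsrmFileManagementJob -Name 'Expire Confidential Documents'
Wait-FsrmFileManagementJob -Name 'Expire Confidential Documents'

# Expired content keeps its origin: <Expired>\<server name>\<original path>\January.txt
Get-ChildItem -Path $expiredPath -Recurse -File | Select-Object FullName, LastWriteTime
```

Because classification runs on a schedule, a file written after the last run is not yet classified and a condition on Confidential will not match it; schedule the file management task to run after classification, as the demonstration's Sunday timing does, or enable continuous classification with Set-FsrmClassification -Continuous $true if the data changes often.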
Lesson 4
Overview of DFS
Contents:
Additional Reading 13
Demonstration 13
Additional Reading
What Is Data Deduplication?
Additional Reading: Data Deduplication Overview
http://go.microsoft.com/fwlink/?linkID=270996
Demonstration
Demonstration: How to Install the DFS Role
Demonstration Steps
Install the DFS role
1. Switch to LON-SVR1.
2. On the taskbar, click Server Manager.
3. In Server Manager, click Manage, and then click Add Roles and Features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services,
and then select the DFS Namespaces check box.
8. In the Add Roles and Features pop-up window, click Add Features.
9. Select the DFS Replication check box, and then click Next.
10. On the Select features page, click Next.
11. On the Confirm installation selections page, click Install.
12. When the installation completes, click Close.
13. Close Server Manager.
Lesson 5
Configuring DFS Namespaces
Contents:
Demonstration 15
Demonstration
Demonstration: How to Create Namespaces
Demonstration Steps
Create a new namespace
1. Switch to LON-SVR1.
2. On the taskbar, click the Server Manager shortcut.
3. In Server Manager, click Tools, and then click DFS Management.
4. In the DFS Management console, click Namespaces.
5. Right-click Namespaces, and then click New Namespace.
6. In the New Namespace Wizard, on the Namespace Server page, under Server, type LON-SVR1, and
then click Next.
7. On the Namespace Name and Settings page, under Name, type Research, and then click Next.
8. On the Namespace Type page, ensure that both Domain-based namespace and Enable Windows
Server 2008 mode are selected, and then click Next.
9. On the Review Settings and Create Namespace page, click Create.
10. On the Confirmation page, verify that the create namespace task is successful, and then click Close.
11. In the console, expand the Namespace node, and then click \\Adatum.com\Research. Review the
four tabs in the details pane.
12. In the console, right-click \\Adatum.com\Research, and then click Properties. Review the General,
Referrals, and Advanced tab options.
13. Click OK to close the \\Adatum.com\Research Properties dialog box.
Create a new folder and folder target
1. In the DFS Management console, right-click \\Adatum.com\Research, and then click New Folder.
2. In the New Folder dialog box, under Name, type Proposals.
3. In New Folder dialog box, under Folder targets, click Add.
4. In the Add Folder Target dialog box, type \\LON-SVR1\Proposal_docs, and then click OK.
5. In the Warning dialog box, click Yes to create the shared folder.
6. In the Create Share dialog box, configure the following, and then click OK.
Local path of shared folder: C:\Proposal_docs
Shared folder permissions: Administrators have full access; other users have read and write
permissions
7. In the Warning dialog box, click Yes to create the folder.
8. Click OK to close the New Folder dialog box.
9. In the console, expand \\Adatum.com\Research, and then click Proposals. Notice that currently
there is only one Folder Target. To provide redundancy, a second folder target may be added with
DFS Replication configured.
10. To test the namespace, open Windows Explorer, and in the address bar, type
\\Adatum.com\Research, and then press Enter. The Proposals folder displays.
Lesson 6
Configuring and Troubleshooting DFS-R
Contents:
Demonstration 17
Demonstration
Demonstration: How to Configure DFS-R
Demonstration Steps
Create a new folder target for replication
1. Switch to LON-SVR1.
2. In DFS Management, right-click the Proposals folder, and then click Add Folder Target.
3. In the New Folder Target dialog box, type \\LON-SVR4\Proposal_docs, and then click OK.
4. In the Warning dialog box, click Yes to create the shared folder.
5. In the Create Share dialog box, in the Local path of shared folder field, type C:\Proposal_docs.
6. In the Shared folder permissions field, select Administrators have full access; other users have
read and write permissions, and then click OK.
7. In the Warning dialog box, click Yes to create the folder.
8. In the Replication dialog box, click Yes to create a replication group. The Replicate Folder Wizard
starts.
Create a new replication group
1. In DFS Management, in the Replicate Folder Wizard, on both the Replication Group and
Replicated Folder Name page, accept the default settings, and then click Next.
2. On the Replication Eligibility page, take note that LON-SVR4 and LON-SVR1 are both eligible as
DFS-R members. Click Next.
3. On the Primary Member page, select LON-SVR1 as the primary member, and then click Next.
4. On the Topology Selection page, leave the default selection of Full mesh, which will replicate all
data between all members of the replication group.
If you had three or more members within the replication group, you can also choose Hub and spoke,
which allows you to configure a publication scenario where data is replicated from a common hub to
the rest of the members. You can also choose No topology, which allows you to configure the
topology at a later time.
5. Upon reviewing all the selections, click Next.
6. On the Replication Group Schedule and Bandwidth page, leave the default selection of Replicate
continuously, and then configure the setting to use Full bandwidth. Note that you can also choose
a specific schedule to replicate during specified days and times. Click Next.
7. On the Review Settings and Create Replication Group page, click Create.
8. On the Confirmation page, ensure that all tasks are successful, and then click Close. Take note of the
Replication Delay warning, and then click OK.
9. In the console, expand Replication.
10. Under Replication, click Adatum.com\research\proposals. Click and review each of the tabs in the
details pane.
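The namespace folder, its two folder targets and the replication group from the two demonstrations above, built from Windows PowerShell instead of the DFS Management console. This is an added example, not part of the course: it assumes the DFSN and DFSR modules (installed with the DFS management tools; the DFSR cmdlets ship with Windows Server 2012 R2 and later, earlier servers use dfsradmin.exe), and the share permission mapping (Change for Authenticated Users rather than the dialog's "other users") is the author's choice.

```powershell
# Added example (not part of the course). Run on LON-SVR1 as a domain admin.
#Requires -Modules DFSN, DFSR

$namespace = '\\Adatum.com\Research'
$folder    = "$namespace\Proposals"
$group     = 'Adatum.com\Research\Proposals'
$members   = 'LON-SVR1', 'LON-SVR4'
$localPath = 'C:\Proposal_docs'

foreach ($server in $members) {
    # Local folder and SMB share on each member. Grant a concrete group rather
    # than Everyone so the share is not world-writable.
    Invoke-Command -ComputerName $server -ArgumentList $localPath -ScriptBlock {
        param($path)
        New-Item -Path $path -ItemType Directory -Force | Out-Null
        if (-not (Get-SmbShare -Name 'Proposal_docs' -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name 'Proposal_docs' -Path $path `
                -FullAccess 'BUILTIN\Administrators' `
                -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
        }
    }
}

# Namespace folder with the first target, then the second target.
New-DfsnFolder       -Path $folder -TargetPath '\\LON-SVR1\Proposal_docs' | Out-Null
New-DfsnFolderTarget -Path $folder -TargetPath '\\LON-SVR4\Proposal_docs' | Out-Null

# Replication group: both members, a full-mesh connection (Add-DfsrConnection
# creates both directions unless -CreateOneWay is given), LON-SVR1 as primary.
New-DfsReplicationGroup -GroupName $group | Out-Null
New-DfsReplicatedFolder -GroupName $group -FolderName 'Proposals' -DfsnPath $folder | Out-Null
Add-DfsrMember     -GroupName $group -ComputerName $members | Out-Null
Add-DfsrConnection -GroupName $group -SourceComputerName 'LON-SVR1' -DestinationComputerName 'LON-SVR4' | Out-Null
Set-DfsrMembership -GroupName $group -FolderName 'Proposals' -ComputerName 'LON-SVR1' `
    -ContentPath $localPath -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName $group -FolderName 'Proposals' -ComputerName 'LON-SVR4' `
    -ContentPath $localPath -Force | Out-Null

# Verify: every folder target is online and each member reports its membership.
Get-DfsnFolderTarget -Path $folder      | Select-Object TargetPath, State
Get-DfsrMembership   -GroupName $group  | Select-Object ComputerName, ContentPath, PrimaryMember
```

The primary member designation only matters for the initial sync: its content wins conflicts until replication has completed once, which is why the demo picks the server that already holds the data.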
Module Review and Takeaways
Review Question(s)
Question: How do FSRM templates for quotas and file screens provide a more efficient FSRM
management experience?
Answer: Templates enable administrators to create quotas and file screens quickly, based on predefined
templates. You also can use templates to manage child quotas in a one-to-many manner. To change the
file size for several quotas created from the template, you only need to change the template.
Question: Why is DFS-R a more efficient replication platform than the older File Replication Service (FRS)?
Answer: DFS-R replicates only the changed portions of a file, using remote differential compression (RDC) to
detect and transfer the changed blocks, whereas FRS always replicates the complete file. DFS-R also lets you
schedule replication and limit the bandwidth it uses, which further reduces replication traffic on WAN links.

Lab Review Questions and Answers
Lab A: Configuring Quotas and File Screening Using FSRM
Question: What criteria must be met to use FSRM for managing a server's file structure?
Answer: The servers must be running Windows Server 2003 R2 or newer. If you want to use File
Classification Infrastructure, you must be running Windows Server 2008 R2 or newer. Additionally, you
must format the volumes on which you perform FSRM operations with NTFS.
Question: In what ways can classification management and file-management tasks decrease
administrative overhead when dealing with a complex file and folder structure?
Answer: Classification management and file-management tasks can allow administrators to automate the
manual classification and modification of files on a file server. Rather than inspecting files manually, and
performing manual file operations, administrators can set up File Classification Infrastructure to classify
files, and then perform the necessary operations on those files by using file management tasks.
Lab B: Implementing DFS
Question: What are the requirements for deploying a namespace in Windows Server 2008 mode?
Answer: The domain must use the Windows Server 2008 domain functional level or higher, and all namespace
servers must be running Windows Server 2008 or newer.
Question: What are the benefits of hosting a namespace on several namespace servers?
Answer: Hosting a namespace on several namespace servers increases availability if a namespace server
fails. Users will still be able to access the namespace by using one of the remaining namespace servers. If a
namespace is hosted on a single server, and that server becomes unavailable, clients will not be able to
use namespace links to access shared folders on the network.
Module 11
Configuring Encryption and Advanced Auditing
Contents:
Lesson 1: Encrypting Files by Using Encrypting File System 2
Lesson 2: Configuring Advanced Auditing 5
Module Review and Takeaways 7
Lab Review Questions and Answers 8

Lesson 1
Encrypting Files by Using Encrypting File System
Contents:
Demonstration 3

Demonstration
Demonstration: Encrypting a File by Using EFS
Demonstration Steps
Verify that a computer account supports EFS on a network share
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, if necessary, expand Adatum.com, and then click Domain
Controllers.
3. Right-click LON-DC1, and then click Properties.
4. In the LON-DC1 Properties dialog box, on the Delegation tab, verify that Trust this computer for
delegation to any service (Kerberos only) is selected, and then click Cancel. This setting is on by
default for domain controllers, but must be enabled on most file servers to support EFS on network
shares, because the server encrypts the file on the user's behalf and needs to impersonate the user to
obtain the user's profile and certificate. Note that this is unconstrained Kerberos delegation: a server
trusted in this way can impersonate any user who connects to it when it contacts any other service, so
limit the setting to file servers that actually need it.
5. Close Active Directory Users and Computers.
Use EFS to encrypt a file on a network share
1. On LON-CL1, log on as Adatum\Doug with a password of Pa$$w0rd.
2. On the Start screen, type \\LON-DC1\Mod11Share, and then press Enter.
3. In Windows Explorer, right-click an open area, point to New, and then click Microsoft Word
Document.
4. Type MyEncryptedFile, and then press Enter to name the file.
5. Double-click MyEncryptedFile to open it.
6. If necessary, click OK to set the user name. Click Don't make changes, and then click OK.
7. In the document, type My secret data, and then click the Save button.
8. Close Microsoft Word.
9. Right-click MyEncryptedFile, and then click Properties.
10. In the MyEncryptedFile Properties dialog box, on the General tab, click Advanced.
11. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and
then click OK.
12. In the MyEncryptedFile Properties dialog box, click OK.
13. Sign out of LON-CL1.
View the certificate used for encryption
1. On LON-DC1, in the Windows Explorer window, expand Computer, expand drive C, and then click
Users. Notice that Doug has a profile on the computer even though Doug never signed in to it: the file
server, impersonating Doug through delegation, created the profile and the self-signed EFS certificate
while encrypting the file. The certificate cannot be viewed in the Microsoft Management Console (MMC)
Certificates snap-in unless Doug logs on locally to the server.
2. In the Windows Explorer address bar, type C:\Users\Doug\AppData\ and then press Enter.
3. Expand Roaming, expand Microsoft, expand SystemCertificates, expand My, and then expand
Certificates. This is the folder that stores the self-signed certificate for Doug.
Test access to an encrypted file
1. On LON-CL1, log on as Adatum\Alex with a password of Pa$$w0rd.
2. On the Start screen, type \\LON-DC1\Mod11Share, and then press Enter.
3. Double-click MyEncryptedFile.
4. If necessary, click OK to set the user name.
5. Click OK to clear the access denied message.
6. Click Don't make changes, and then click OK.
7. Close Microsoft Word.
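The checks behind this demonstration, scripted so they can be repeated on any file server. This is an added example and not part of the course: it assumes it runs on LON-DC1 as an administrator with the Active Directory module available, that the Word document was saved as MyEncryptedFile.docx (the extension is hidden in Explorer), and it resolves the share's local path from the share definition rather than assuming one.

```powershell
# Added example (not part of the course). Run on the file server (LON-DC1) as an administrator.
#Requires -Modules ActiveDirectory

$fileServer = $env:COMPUTERNAME
$share      = Get-SmbShare -Name 'Mod11Share'
$localFile  = Join-Path $share.Path 'MyEncryptedFile.docx'   # assumed file name

# 1. EFS on a share only works when the server may impersonate the user to load the
#    user's profile and key. TrustedForDelegation = True is unconstrained delegation,
#    so it should be present only on servers that need it.
$computer = Get-ADComputer -Identity $fileServer -Properties TrustedForDelegation
"{0}: TrustedForDelegation = {1}" -f $fileServer, $computer.TrustedForDelegation

# 2. Confirm the file really carries the Encrypted attribute (the check box in the
#    Advanced Attributes dialog sets this flag).
$item = Get-Item -LiteralPath $localFile
$isEncrypted = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
"{0}: Encrypted = {1}" -f $item.Name, $isEncrypted

# 3. Who can decrypt it: cipher.exe /c lists the user certificates and any data
#    recovery agent certificates (thumbprints) held in the file's key field.
cipher.exe /c $localFile

# 4. EFS protects the file at rest on the server. The SMB session that carries the
#    content is cleartext unless the share requires SMB encryption (EncryptData)
#    or IPsec is in place, so check that too before relying on EFS over the network.
$share | Select-Object Name, Path, EncryptData
```

If step 3 lists only Doug's certificate and no recovery agent, a lost profile means a lost file; the module lab addresses that by issuing a Data Recovery Agent certificate from the enterprise CA.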

Lesson 2
Configuring Advanced Auditing
Contents:
Demonstration 6

Demonstration
Demonstration: Configuring Advanced Auditing
Demonstration Steps
Create and edit a GPO for audit policy configuration
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, double-click Forest: Adatum.com, double-click Domains, double-
click Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, type File Audit in the Name field, and then press Enter.
4. Double-click the Group Policy Objects container, right-click File Audit, and then click Edit.
5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.
6. Double-click Audit Detailed File Share.
7. In the Properties window, select the Configure the following events check box.
8. Select the Success and Failure check boxes, and then click OK.
9. Double-click Audit Removable Storage.
10. In the Properties window, select the Configure the following events check box.
11. Select the Success and Failure check box, and then click OK.
12. Close the Group Policy Management Editor.
13. Close Group Policy Management.
Module Review and Takeaways
Question: Some users are encrypting files that are stored on network shares to protect them from other
departmental users with NTFS permissions to those files. Is this an effective way to prevent users from
viewing and modifying those files?
Answer: Yes, for the contents of the files. An EFS-encrypted file cannot be opened or modified by users who
do not hold a key to it. By default, only the user who encrypted the file and any configured data recovery
agent can decrypt it. EFS does not, however, stop a user who has NTFS Delete permission from deleting the
file, and because the server performs the encryption, the file contents cross the network in cleartext unless
SMB encryption or IPsec is used.
Question: Why might EFS be considered a problematic encryption method in a widely-distributed
network file server environment?
Answer: EFS encryption is based primarily on personal certificates, which are commonly stored in a user
profile. The ability to decrypt files relies strictly on access to the certificate and its private key in the
profile, which may not be available, depending on the computer to which the user is logging on. Roaming
profiles, or certificates issued by an enterprise CA with key archival, reduce this dependency.
Question: You have configured an audit policy by using Group Policy to apply to all of the file servers in
your organization. After enabling the policy and confirming that the Group Policy settings are being
applied, you discover that no audit events are being recorded in the event logs. What is the most likely
reason for this?
Answer: Enabling an object access subcategory such as Audit File System only turns the auditing engine
on. Events are generated only for files or folders that carry a system access control list (SACL) naming the
principals and access types to audit, so you must also add auditing entries to the files or folders (in their
Advanced Security Settings, on the Auditing tab). Without a SACL, no file access events are recorded.
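The three pieces that have to line up for file auditing to produce events, checked and configured from PowerShell. This is an added example and not part of the course: it assumes it runs on the file server after the File Audit GPO has been linked and gpupdate has run, that the audited folder is the local path behind the Mod11Share share, and that the session is elevated (adding audit entries requires the SeSecurityPrivilege that administrators hold).

```powershell
# Added example (not part of the course). Run elevated on the file server.

# 1. Effective policy on this host: the two subcategories the GPO sets, plus
#    Audit File System, the one that depends on SACLs being present.
foreach ($sub in 'Detailed File Share', 'Removable Storage', 'File System') {
    auditpol.exe /get /subcategory:"$sub"
}

# 2. Add a SACL so Audit File System has something to report: success and
#    failure of writes and deletes by anyone, inherited by the whole tree.
$folder = (Get-SmbShare -Name 'Mod11Share').Path
$acl  = Get-Acl -LiteralPath $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# 3. Read back what the policy produces: 5145 (Detailed File Share: an access
#    check against a share path) and 4663 (an access attempt on an object with a
#    SACL; Removable Storage also uses 4663). Summarised per user and target.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145, 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = if ($_.Id -eq 5145) { $data['ShareName'] + $data['RelativeTargetName'] } else { $data['ObjectName'] }
            Client  = $data['IpAddress']          # present on 5145 only
            Success = $_.KeywordsDisplayNames -contains 'Audit Success'
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Step 1 is the quickest way to spot the classic failure: the legacy Audit object access setting and the advanced subcategories conflict, and the effective value shown by auditpol is what the server actually uses.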
Tools
Tool | Used to | Where to find it
Group Policy Management Console | Manage GPOs containing audit policy settings | Server Manager, Tools
Event Viewer | View audit policy events | Server Manager, Tools
Lab Review Questions and Answers
Lab: Configuring Encryption and Advanced Auditing
Question: In Exercise 1, Task 1, why were you asked to generate a new Data Recovery Agent certificate by
using the AdatumCA certification authority (CA)?
Answer: The AdatumCA CA is recognized as a trusted authority by computers that are joined to the
domain. Generating the certificate from AdatumCA makes it more portable and more convenient to use
than a self-signed certificate generated on a Windows Server 2012 computer.
Question: What are the benefits of placing servers in an organizational unit (OU), and then applying audit
policies to that OU?
Answer: You can target specific servers to record audit events, rather than having the auditing process
apply across the entire enterprise. This is especially important when auditing records a large number of
events. Writing a large number of events to the physical disks of every server in the organization could
cause significant performance issues.
Question: What is the reason for applying audit policies across the entire organization?
Answer: If you are trying to pinpoint a general problem, or if you are unsure where a specific event is
occurring, targeting a larger group of servers may be necessary to capture the event. In this case, event
filtering can be used to search for a specific audit event.
Module 12
Implementing Update Management
Contents:
Module Review and Takeaways 2
Lab Review Questions and Answers 3

Module Review and Takeaways
Review Question(s)
Question: A colleague has argued that all updates to the Windows operating system should be applied
automatically when they are released. Do you recommend an alternative process?
Answer: All updates should be tested before they are applied in a production environment. That is, you
should first deploy updates to a set of test computers by using WSUS.
Question: Your organization implements several applications that are not Microsoft applications. A
colleague has proposed using WSUS to deploy application and operating system updates. Are there any
potential issues with using WSUS?
Answer: Yes. WSUS is an excellent tool for deploying updates for Microsoft applications such as Microsoft
Office and Windows operating system updates. However, WSUS does not deploy updates for all Microsoft
applications, and it does not deploy updates for non-Microsoft applications. Microsoft System Center
2012 Configuration Manager is a better choice when you need to deploy updates for non-Microsoft
applications.
Question: Why is WSUS easier to manage in an AD DS domain?
Answer: WSUS takes advantage of the AD DS OU structure for deploying client settings through Group
Policy. You can also use Group Policy settings to configure client-side targeting to determine the WSUS
group membership of a client computer.
Tools
Tool | Use | Where to find it
WSUS Administration console | Administer WSUS | Server Manager, Tools
Windows PowerShell WSUS cmdlets | Administer WSUS from the command-line interface | Windows PowerShell
Lab Review Questions and Answers
Lab: Implementing Update Management
Question: You created a separate group for the Research department. Why would you configure a
separate group for part of your organization's computers?
Answer: The Research department may have special considerations or security practices that require a
different process for testing and approving updates than the rest of the organization. In addition, other
departments may have administrators that have been delegated the responsibility for managing the
update approval process.
Question: What is the advantage of configuring a downstream WSUS server?
Answer: If the main WSUS and the downstream server are connected by a slow wide area network (WAN)
connection, the downstream WSUS server only downloads the updates once for the client computers it
services, instead of each client computer downloading the update individually over the WAN connection
from the main WSUS server.
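The two practices this module keeps returning to, staging updates to a test group before production and using client-side targeting to place computers in groups, as an added example in Windows PowerShell (not the course's own lab steps). It assumes the WSUS role and its UpdateServices module on the server where the first part runs; "Test" and "Research" are computer-group names chosen for the example, and the registry values in the last part are the ones the WSUS Group Policy settings write on a client.

```powershell
# Added example (not part of the course). Part 1 and 2: run on the WSUS server.
#Requires -Modules UpdateServices

$wsus = Get-WsusServer

# 1. Approve only the not-yet-approved critical and security updates that at
#    least one computer still needs, and only for the Test group. Production
#    groups get a separate, later approval once Test has run clean.
$pending = Get-WsusUpdate -UpdateServer $wsus -Classification Critical, Security -Approval Unapproved -Status Needed
foreach ($update in $pending) {
    Approve-WsusUpdate -Update $update -Action Install -TargetGroupName 'Test'
}
'Approved {0} update(s) for the Test group' -f @($pending).Count

# 2. Size of each target group, so the approval decision is backed by what the
#    groups actually contain (a Research group with zero members is a warning
#    sign that client-side targeting is not reaching those machines).
foreach ($group in $wsus.GetComputerTargetGroups()) {
    '{0,-25} {1,4} computer(s)' -f $group.Name, $group.GetComputerTargets().Count
}

# 3. On a client: the policy values that make client-side targeting work. If
#    TargetGroupEnabled is not 1 or TargetGroup is wrong, the computer lands in
#    Unassigned Computers regardless of what the GPO was meant to do.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$policy | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
```

Client-side targeting must also be switched on in the WSUS console (Options, Computers, "Use Group Policy or registry settings on computers"), otherwise the TargetGroup value the client reports is ignored.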

Module 13
Monitoring Windows Server 2012
Contents:
Lesson 2: Using Performance Monitor 2
Lesson 3: Monitoring Event Logs 7
Module Review and Takeaways 10
Lab Review Questions and Answers 11

Lesson 2
Using Performance Monitor
Contents:
Demonstration 3

Demonstration
Demonstration: Capturing Counter Data with a Data Collector Set
Demonstration Steps
Create a data collector set
1. Switch to the LON-SVR1 computer.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Pause your mouse in the lower-left of the taskbar, and then click Start.
4. In Start, type Perf, and in the Apps list, click Performance Monitor.
5. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
6. Right-click User Defined, point to New, and then click Data Collector Set.
7. In the Create New Data Collector Set Wizard, in the Name box, type LON-SVR1 Performance.
8. Click Create manually (Advanced), and then click Next.
9. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
10. On the Which performance counters would you like to log? page, click Add.
11. In the Available counters list, expand Processor, click % Processor Time, and then click Add >>.
12. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
13. In the Available counters list, expand PhysicalDisk, click % Disk Time, and then click Add >>.
14. Click Avg. Disk Queue Length, and then click Add >>.
15. In the Available counters list, expand System, click Processor Queue Length, and then click Add
>>.
16. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and
then click OK.
17. On the Which performance counters would you like to log? page, in the Sample interval box,
type 1, and then click Next.
18. On the Where would you like the data to be saved? page, click Next.
19. On the Create the data collector set? page, click Save and close, and then click Finish.
20. In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then click
Start.
Create a disk load on the server
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. In Start, type Cmd, and in the Apps list, click Command Prompt.
3. At the command prompt, type the following command, and then press Enter:
Fsutil file createnew bigfile 104857600
4. At the command prompt, type the following command, and then press Enter:
Copy bigfile \\LON-dc1\c$
5. At the command prompt, type the following command, and then press Enter:
Copy \\LON-dc1\c$\bigfile bigfile2
6. At the command prompt, type the following command, and then press Enter:
Del bigfile*.*
7. At the command prompt, type the following command, and then press Enter:
Del \\LON-dc1\c$\bigfile*.*
8. Close the command prompt.
Analyze the resulting data in a report
1. Switch to Performance Monitor.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View log data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
6. In the Select Log File dialog box, double-click Admin.
7. Double-click LON-SVR1 Performance, double-click the SVR1_date-000001 folder, and then
double-click DataCollector01.blg.
8. Click the Data tab, and then click Add.
9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec,
and then click Add >>.
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length, and then click Add >>.
13. Expand Processor, click %Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
15. In the Performance Monitor Properties dialog box, click OK.
16. On the toolbar, click the down arrow, and then click Report.
Demonstration: Configuring an Alert
Demonstration Steps
Create a data collector set with an alert counter
1. On LON-SVR1 computer, in Performance Monitor, in the navigation pane, expand Data Collector
Sets, and then click User Defined.
2. Right-click User Defined, point to New, and then click Data Collector Set.
3. In the Create New Data Collector Set Wizard, in the Name box, type LON-SVR1 Alert.
4. Click Create manually (Advanced), and then click Next.
5. On the What type of data do you want to include? page, click Performance Counter Alert, and
then click Next.
6. On the Which performance counters would you like to monitor? page, click Add.
7. In the Available counters list, expand Processor, click %Processor Time, click Add >>, and then
click OK.
8. On the Which performance counters would you like to monitor? page, in the Alert when list,
click Above.
9. In the Limit box, type 10, and then click Next.
10. On the Create the data collector set? page, click Finish.
11. In the navigation pane, expand the User Defined node, and then click LON-SVR1 Alert.
12. In the results pane, right-click DataCollector01, and then click Properties.
13. In the DataCollector01 Properties dialog box, in the Sample interval box, type 1, and then click the
Alert Action tab.
14. Select the Log an entry in the application event log check box, and then click OK.
15. In the navigation pane, right-click LON-SVR1 Alert, and then click Start.
Generate a server load that exceeds the configured threshold
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. In Start, type Cmd, and in the Apps list, click Command Prompt.
3. At the command prompt, type the following commands, and then press Enter:
C:
Cd\Labfiles
4. At the command prompt, type the following commands, and then press Enter:
StressTool 95
5. Wait one minute to allow generation of alerts.
6. Press Ctrl+C.
7. Close the command prompt.
Examine the event log for the resulting event
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. In Start, type Event, and in the Apps list, click Event Viewer.
3. In Event Viewer, in the navigation pane, expand Applications and Services, expand Microsoft,
expand Windows, expand Diagnosis-PLA, and then click Operational.
4. Examine the log for performance-related messages. These have an Event ID of 2031. Leave Event
Viewer running.
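The counter collection and the threshold alert from the two demonstrations above, done from Windows PowerShell so they can be repeated without the wizard. This is an added example and not part of the course: it assumes an elevated session on LON-SVR1, the built-in logman.exe, that C:\PerfLogs exists, and the threshold values are common rules of thumb chosen for the example rather than course figures. It goes slightly beyond the demo by reporting average and peak per counter instead of firing on a single sample.

```powershell
# Added example (not part of the course). Run elevated on LON-SVR1.

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

# 1. A counter data collector set equivalent to the wizard's (binary .blg log,
#    1-second samples). Named differently from the demo's so the two coexist.
$cfg = Join-Path $env:TEMP 'counters.txt'
$counters | Set-Content -Path $cfg
logman.exe create counter 'LON-SVR1 Perf (script)' -cf $cfg -si 00:00:01 -f bin -o 'C:\PerfLogs\LON-SVR1_Perf'
logman.exe start 'LON-SVR1 Perf (script)'

# 2. Threshold check over 30 one-second samples. Limits are assumed rules of
#    thumb; a breach is an average over the limit, so a single spike shows up
#    in Peak without being flagged on its own.
$limits = @{
    '\Processor(_Total)\% Processor Time'          = 85
    '\System\Processor Queue Length'               = 2
    '\Memory\Pages/sec'                            = 1000
    '\PhysicalDisk(_Total)\% Disk Time'            = 85
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
}
$samples = Get-Counter -Counter ([string[]]$limits.Keys) -SampleInterval 1 -MaxSamples 30
$report = foreach ($group in ($samples.CounterSamples | Group-Object -Property Path)) {
    $path   = $group.Name -replace '^\\\\[^\\]+', ''   # drop the \\COMPUTER prefix Get-Counter adds
    $values = $group.Group | Measure-Object -Property CookedValue -Average -Maximum
    [pscustomobject]@{
        Counter = $path
        Average = [math]::Round($values.Average, 1)
        Peak    = [math]::Round($values.Maximum, 1)
        Limit   = $limits[$path]                          # hashtable keys match case-insensitively
        Breach  = $values.Average -gt $limits[$path]
    }
}
$report | Format-Table -AutoSize

# 3. Alerts the wizard-built alert collector raised (Diagnosis-PLA event 2031).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Diagnosis-PLA/Operational'; Id = 2031 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

logman.exe stop 'LON-SVR1 Perf (script)'
```

Run the StressTool step from the demonstration in a second window while part 2 is sampling and the Processor row will show Breach = True with the 2031 entries appearing in part 3.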
Demonstration: Viewing Reports in Performance Monitor
Demonstration Steps
View a performance report
1. On LON-SVR1, in Performance Monitor, in the navigation pane, expand Reports, expand User
Defined, and then click LON-SVR1 Performance.
2. Expand the folder beneath LON-SVR1 Performance. The previous collection process of the data
collector set generated this report. You can change from the chart view to any other supported view.
3. Close all open windows.

Lesson 3
Monitoring Event Logs
Contents:
Demonstration 8

Demonstration
Demonstration: Creating a Custom View
Demonstration Steps
View Server Roles custom views
1. On LON-SVR1, open Event Viewer.
2. In the navigation pane, expand Custom Views, expand Server Roles, and then click Web Server
(IIS). This is the Web Server role-specific custom view.
Create a custom view
1. In the navigation pane, right-click Custom Views, and then click Create Custom View.
2. In the Create Custom View dialog box, select the Critical, Warning, and Error check boxes.
3. In the Event logs list, expand Windows Logs, and then select the System and Application check
boxes. Click the mouse back in the dialog box, and then click OK.
4. In the Save Filter to Custom View dialog box, in the Name box, type Adatum Custom View, and
then click OK.
5. In Event Viewer, in the right pane, view the events that are visible within your custom view.
Demonstration: Configuring an Event Subscription
Demonstration Steps
Configure the source computer
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Pause your mouse in the lower-left of the taskbar, and then click Start.
4. In Start, type Cmd, and in the Apps list, click Command Prompt.
5. At the command prompt, type the following command, and then press Enter:
winrm quickconfig
Note: The service is already running.
6. Pause your mouse in the lower left of the taskbar, and then click Start.
7. Click Administrative Tools, and then double-click Active Directory Users and Computers.
8. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click Builtin.
9. In the results pane, double-click Administrators.
10. In the Administrators Properties dialog box, click the Members tab.
11. Click Add, and in the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box,
click Object Types.
12. In the Object Types dialog box, select the Computers check box, and then click OK.
13. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select box, type LON-SVR1, and then click OK.
14. In the Administrators Properties dialog box, click OK. Note: membership in Administrators grants the
collector far more than it needs. For a collector-initiated subscription, adding the collector's computer
account to the Event Log Readers group on the source computer is sufficient to read the logs, including
the Security log, and is the least-privilege choice.
Configure the collector computer
1. Switch to LON-SVR1.
2. Pause your mouse in the lower left of the taskbar and then click Start.
3. In Start, type Cmd, and in the Apps list, click Command Prompt.
4. At the command prompt, type the following command, and then press Enter:
Wecutil qc
5. When prompted, type Y, and then press Enter.
Create and view the subscribed log
1. In Event Viewer, in the navigation pane, click Subscriptions.
2. Right-click Subscriptions, and then click Create Subscription.
3. In the Subscription Properties dialog box, in the Subscription name box, type LON-DC1 Events.
4. Click Collector Initiated, and then click Select Computers.
5. In the Computers dialog box, click Add Domain Computers.
6. In the Select Computer dialog box, in the Enter the object name to select box, type LON-DC1, and
then click OK.
7. In the Computers dialog box, click OK.
8. In the Subscription Properties LON-DC1 Events dialog box, click Select Events.
9. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.
10. In the Logged list, click Last 30 days.
11. In the Event logs list, select Windows Logs. Click the mouse back in the Query Filter dialog box,
and then click OK.
12. In the Subscription Properties LON-DC1 Events dialog box, click OK.
13. In Event Viewer, in the navigation pane, expand Windows Logs.
14. Click Forwarded Events.
15. Examine any listed events.
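The same collector-initiated subscription created from the command line, with the source configured for least privilege. This is an added example and not part of the course: the first part runs on LON-DC1 (the source) and the rest on LON-SVR1 (the collector); it assumes the Active Directory module is available on the source, and the XPath filter is an assumption that narrows the demonstration's "all Windows Logs" to a handful of logon-related Security events.

```powershell
# Added example (not part of the course).

# --- Source (LON-DC1): enable WinRM and let the collector read the logs. Because
#     LON-DC1 is a domain controller, its Event Log Readers group is the domain's
#     built-in group and is managed with the AD cmdlets.
#Requires -Modules ActiveDirectory
winrm.exe quickconfig -q
Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADComputer -Identity 'LON-SVR1')

# --- Collector (LON-SVR1): configure the Windows Event Collector service and
#     create the subscription from an XML definition (the same fields the
#     Subscription Properties dialog exposes).
wecutil.exe qc /q:true
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LON-DC1 Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon-related Security events from LON-DC1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>LON-DC1.adatum.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'lon-dc1-events.xml'
$subscription | Set-Content -Path $xmlPath -Encoding UTF8
wecutil.exe cs $xmlPath

# Verify: per-source runtime status (last heartbeat, last error), then the events
# that have actually landed in Forwarded Events.
wecutil.exe gr 'LON-DC1 Events'
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624, 4625, 4768, 4771 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message | Format-Table -AutoSize -Wrap
```

The `<Query>` element takes the same XPath a custom view uses, so a filter built in the Create Custom View dialog (XML tab) can be pasted here to forward exactly what the view shows.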
Module Review and Takeaways
Review Question(s)
Question: What significant counters should you monitor in Performance Monitor?
Answer: You should monitor the following:
Processor > % Processor Time
System > Processor Queue Length
Memory > Pages/sec
Physical Disk > % Disk Time
Physical Disk > Avg. Disk Queue Length
Question: Why is it important to monitor server performance periodically?
Answer: By monitoring server performance, you can perform capacity planning, identify and remove
performance bottlenecks, and assist with server troubleshooting.
Question: Why should you use performance alerts?
Answer: By using alerts, you can react more quickly to emerging performance-related problems, perhaps
before they have a chance to impinge on users' productivity.
Tools
Tool | Use for | Where to find it
Fsutil.exe | Configuring and managing the file system | Command line
Performance Monitor | Monitoring and analyzing real-time and logged performance data | Start menu
Logman.exe | Managing and scheduling performance-counter and event-trace log collections | Command line
Resource Monitor | Monitoring the use and performance of CPU, disk, network, and memory in real time | Start menu
Event Viewer | Viewing and managing event logs | Start menu
Task Manager | Identifying and resolving performance-related problems | Start menu

Lab Review Questions and Answers
Lab: Monitoring Windows Server 2012
Question: During the lab, you collected data in a data collector set. What is the advantage of collecting
data in this way?
Answer: By collecting data in data collector sets, you can analyze and compare the data against historical
data, and then derive conclusions regarding server capacity.
Send Us Your Feedback
You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before
submitting feedback. Search using either the course number and revision, or the course title.
Note: Not all training products will have a Knowledge Base article. If that is the case, please
ask your instructor whether or not there are existing error log entries.
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-
mail. When you provide comments or report bugs, please include the following:
1. Document or CD part number
2. Page number or location
3. Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.
Important: All errors and suggestions are evaluated, but only those that are validated are
added to the product Knowledge Base article.