
OFFICIAL MICROSOFT LEARNING PRODUCT

20412C
Configuring Advanced Windows Server
2012 Services
Companion Content

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20412C

Released: 01/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.

i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:


i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code/content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code/content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology (Pre-release), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to


o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a licence is offered "as is". Any use of this
licensed content is at your sole risk. Microsoft grants no other express warranty. You may benefit from
additional rights under local consumer protection law, which this agreement cannot modify. Where permitted
by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement
are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft
and its suppliers compensation for direct damages only, up to US$5.00. You may not claim compensation for
any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not permit the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it.

Revised July 2013


Implementing Advanced Network Services 1-1

Module 1
Implementing Advanced Network Services
Contents:
Lesson 1: Configuring Advanced DHCP Features 2

Lesson 2: Configuring Advanced DNS Settings 4

Lesson 3: Implementing IPAM 6

Lesson 4: Managing IP Address Spaces with IPAM 9

Module Review and Takeaways 12

Lab Review Questions and Answers 14



Lesson 1
Configuring Advanced DHCP Features
Contents:
Demonstration: Configuring DHCP Failover 3

Demonstration: Configuring DHCP Failover


Demonstration Steps
Configure a DHCP failover relationship
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Tools, and then on the drop-down list, click DHCP. Note that the server is
authorized, but that no scopes are configured.

3. Switch to LON-DC1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.

4. In the DHCP console, expand lon-dc1.adatum.com, select and then right-click IPv4, and then click
Configure Failover.

5. In the Configure Failover Wizard, click Next.

6. On the Specify a partner server to use for failover page, in the Partner Server field, enter
172.16.0.21, and then click Next.
7. On the Create a new failover relationship page, in the Relationship Name field, enter Adatum.

8. In the Maximum Client Lead Time field, set the hours to zero, and then set the minutes to 15.

9. Ensure the Mode field is set to Load balance.

10. Ensure that the Load Balance Percentage is set to 50%.

11. Select the State Switchover Interval check box. Leave the default value of 60 minutes.

12. Ensure that the Enable Message Authentication check box is selected. In the Shared Secret field, type
Pa$$w0rd, and then click Next. This secret is what the two partners use to authenticate failover messages
to each other; the lab reuses the administrator password only for convenience.

13. Click Finish, and then click Close.

14. Switch to LON-SVR1.

15. Refresh the IPv4 node, expand it, and then expand the scope that now appears on LON-SVR1.
16. Click Address Pool, and note that the address pool is configured.

17. Click Scope Options, and note that the scope options are configured.

18. Close the DHCP console on both LON-DC1 and LON-SVR1.

19. Revert LON-SVR1.
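The same failover relationship, created from LON-DC1 with the DhcpServer PowerShell module instead of the wizard. This is an added example and is not part of the 20412C courseware. It assumes that 172.16.0.21 is LON-SVR1 (the partner address typed into the wizard above), that the scope already exists on LON-DC1, and it generates a random shared secret instead of reusing the lab password.

```powershell
# Added example, not courseware content. Builds the "Adatum" load-balance failover
# relationship from LON-DC1 with the same parameters the wizard steps use.
# Assumptions: 172.16.0.21 is LON-SVR1; the scope already exists on LON-DC1.
Import-Module DhcpServer

$primary = 'LON-DC1'
$partner = '172.16.0.21'

# Starting the wizard from the IPv4 node includes every scope on the server;
# collecting all scope IDs does the same thing here.
$scopeIds = (Get-DhcpServerv4Scope -ComputerName $primary).ScopeId

# A dedicated random secret rather than an account password. The shared secret is
# the only thing that authenticates failover protocol messages (TCP 647) between
# the partners; without it a partner is identified by its IP address alone.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

Add-DhcpServerv4Failover -ComputerName $primary `
    -Name 'Adatum' `
    -PartnerServer $partner `
    -ScopeId $scopeIds `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $secret

# Check: both partners should report the relationship in the Normal state with
# message authentication enabled (EnableAuth), and the partner should now hold
# the scope, which is what steps 15 to 17 verify in the console.
foreach ($server in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $server -Name 'Adatum' |
        Select-Object Name, PrimaryServerName, SecondaryServerName, Mode, State,
                      LoadBalancePercent, MaxClientLeadTime, EnableAuth
}
Get-DhcpServerv4Scope -ComputerName $partner | Select-Object ScopeId, Name, State
```

Supplying -SharedSecret is what turns message authentication on; omit it and the relationship is created without authentication. Keep the secret somewhere you can recover it, because it must be entered again on the partner if the relationship is ever rebuilt by hand.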



Lesson 2
Configuring Advanced DNS Settings
Contents:
Demonstration: Configuring DNSSEC 5

Demonstration: Configuring DNSSEC


Demonstration Steps
Configure DNSSEC
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Tools, and then in the drop-down list, click DNS.

3. In DNS, expand LON-DC1, expand Forward Lookup Zones, and then select and right-click
Adatum.com.

4. On the menu, click DNSSEC > Sign the Zone.

5. In the Zone Signing Wizard, click Next.


6. Click Customize zone signing parameters, and then click Next.

7. On the Key Master page, click The DNS server LON-DC1 is the Key Master. Click Next.

8. On the Key Signing Key (KSK) page, click Next.

9. On the Key Signing Key (KSK) page, click Add.

10. On the New Key Signing Key (KSK) page, click OK.

11. On the Key Signing Key (KSK) page, click Next.

12. On the Zone Signing Key (ZSK) page, click Next.

13. On the Zone Signing Key (ZSK) page, click Add.

14. On the New Zone Signing Key (ZSK) page, click OK.

15. On the Zone Signing Key (ZSK) page, click Next.

16. On the Next Secure (NSEC) page, click Next.

17. On the Trust Anchors (TAs) page, select the Enable the distribution of trust anchors for this
zone check box, and then click Next.

18. On the Signing and Polling Parameters page, click Next.

19. On the DNS Security Extensions page, click Next, and then click Finish.

20. In DNS Manager, expand Trust Points, expand com, and then click Adatum. Ensure that the DNSKEY
resource records exist, and that their status is valid.

21. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.

22. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.

23. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.

24. In the Create Rules section, in the Suffix field, type Adatum.com to apply the rule to the suffix of the
namespace.

25. Select the Enable DNSSEC in this rule check box.

26. Select the Require DNS clients to check that the name and address data has been validated by
the DNS server check box, and then click Create.

27. Scroll down and click Apply.

28. Close all open windows.
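The zone signing and the NRPT rule from the demonstration as PowerShell, an added example that is not part of the course text. The key algorithm and key lengths are assumptions, as is the -DistributeTrustAnchor parameter standing in for the Trust Anchors wizard check box; the zone, server and GPO names are from the steps above.

```powershell
# Added example, not part of the course text: sign Adatum.com on LON-DC1 with the
# DnsServer module and publish the NRPT rule with the DnsClient module.
# Assumed: RSA/SHA-256 keys of 2048 (KSK) and 1024 (ZSK) bits, and the
# -DistributeTrustAnchor parameter of Set-DnsServerDnsSecZoneSetting.
Import-Module DnsServer

# KSK and ZSK (the Add buttons on the KSK and ZSK wizard pages). The server that
# holds the keys and signs, LON-DC1 here, is the Key Master by default.
Add-DnsServerSigningKey -ZoneName 'Adatum.com' -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName 'Adatum.com' -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

# Sign with the keys just added. -SignWithDefault would generate its own key pair
# instead; -Force suppresses the confirmation prompt.
Invoke-DnsServerZoneSign -ZoneName 'Adatum.com' -Force

# "Enable the distribution of trust anchors for this zone": DNS servers on other
# domain controllers receive the DNSKEY trust point through Active Directory.
Set-DnsServerDnsSecZoneSetting -ZoneName 'Adatum.com' -DistributeTrustAnchor DnsKey

# Step 20: the DNSKEY records in the zone and the trust point under Trust Points.
Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType DnsKey
Get-DnsServerTrustAnchor -Name 'Adatum.com'

# Steps 21 to 27: NRPT rule in the Default Domain Policy. The leading dot makes it
# a suffix rule covering the whole Adatum.com namespace; the second switch is the
# "Require DNS clients to check that the name and address data has been validated" box.
Add-DnsClientNrptRule -GpoName 'Default Domain Policy' -Namespace '.Adatum.com' `
    -DnsSecEnable -DnsSecValidationRequired

# A query with the DNSSEC OK bit set now returns RRSIG records alongside the answer.
# A client with validation required rejects answers whose signatures do not verify.
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type A -Server 'LON-DC1' -DnssecOk |
    Where-Object Type -eq 'RRSIG'
```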



Lesson 3
Implementing IPAM
Contents:
Demonstration: Implementing IPAM 7

Demonstration: Implementing IPAM


Demonstration Steps
Install IPAM
1. Sign in on LON-SVR2 as Adatum\Administrator with the password Pa$$w0rd.

2. In the Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, click Next.

7. On the Select features page, select the IP Address Management (IPAM) Server check box.

8. In the Add features that are required for IP Address Management (IPAM) Server popup, click
Add Features, and then click Next.

9. On the Confirm installation selections page, click Install.

10. When the Add Roles and Features Wizard completes, close the wizard.

Configure IPAM
1. In the Server Manager navigation pane, click IPAM.

2. In the IPAM Overview pane, click Connect to IPAM server. Click LON-SVR2.Adatum.com, and then
click OK.

3. Click Provision the IPAM server.

4. In the Provision IPAM Wizard, click Next.


5. On the Configure Database page, click Next.

6. On the Select provisioning method page, ensure that Group Policy Based is selected. In the GPO
name prefix box, type IPAM, and then click Next.

7. On the Confirm the Settings page, click Apply. Provisioning will take a few minutes to complete.

8. When provisioning has completed, click Close.

9. On the IPAM Overview pane, click Configure server discovery.

10. In the Configure Server Discovery dialog box, click Add to add the Adatum.com domain, and then
click OK.

11. On the IPAM Overview pane, click Start server discovery. Discovery may take 5 to 10 minutes to run.
The yellow bar indicates when discovery is complete.

12. On the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
Notice that the IPAM Access Status is blocked. Scroll down to the Details view, and note the status
report. The IPAM server has not yet been granted permission to manage LON-DC1 via Group Policy.

13. On the taskbar, right-click the Windows PowerShell icon, and then click Run as Administrator.

14. At the Windows PowerShell prompt, type the following command, and then press Enter:

Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

15. When you are prompted to confirm the action, type Y, and then press Enter. The command will take a
few minutes to complete.

16. Close Windows PowerShell.

17. Switch to Server Manager. In the IPv4 details pane, right-click LON-DC1, and then click Edit Server.

18. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.

19. Switch to LON-DC1.

20. From the Start screen, start a command prompt.

21. In the command prompt, type Gpupdate /force, and then press Enter.

22. Wait for the Gpupdate process to complete and then close the command prompt.

23. Return to LON-SVR2, and in Server Manager, right-click LON-DC1, and then click Refresh Server
Access Status. Discovery may take 5-10 minutes to run. The yellow bar indicates when discovery is
complete. After discovery is complete, refresh IPv4 by clicking the Refresh icon. It may take up to 5
minutes for the status to change.

24. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take a few
minutes to complete.
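The IPAM installation, provisioning and the management of LON-DC1 from the two procedures above as PowerShell, an added example that is not part of the course text. Invoke-IpamServerProvisioning and Set-IpamServerInventory are assumed to be present in the Windows Server 2012 R2 IpamServer module with the parameters used here; the GPO prefix, domain and server names are from the steps.

```powershell
# Added example, not part of the course text: install and provision IPAM on
# LON-SVR2 (run as Adatum\Administrator) and bring LON-DC1 under management.
# Assumed cmdlets: Invoke-IpamServerProvisioning, Set-IpamServerInventory.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# Provision IPAM Wizard: Windows Internal Database, Group Policy based, prefix IPAM.
Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix 'IPAM' -Force

# Create the IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS GPOs in Adatum.com (step 14's
# command, with the parameter dashes that the printed copy lost). It prompts for
# confirmation, as step 15 describes.
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM `
    -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

# The three GPOs must now exist in the domain.
Get-GPO -All -Domain 'Adatum.com' | Where-Object DisplayName -like 'IPAM_*' |
    Select-Object DisplayName, GpoStatus, ModificationTime

# Step 18: mark LON-DC1 as Managed. Until the IPAM_* GPOs apply on LON-DC1 the
# access status stays Blocked, which is why step 21 forces a policy refresh there.
Set-IpamServerInventory -Name 'LON-DC1.Adatum.com' -ManageabilityStatus Managed
Invoke-Command -ComputerName 'LON-DC1' -ScriptBlock { gpupdate.exe /force }

# Step 23: the access status should move from Blocked to Unblocked within a few
# minutes; the wildcard lists every *Status property without assuming its name.
Get-IpamServerInventory | Format-List Name, ManageabilityStatus, *Status*
```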

Lesson 4
Managing IP Address Spaces with IPAM
Contents:
Demonstration: Using IPAM to Manage IP Addressing 10
Demonstration: Using IPAM Monitoring 11

Demonstration: Using IPAM to Manage IP Addressing


Demonstration Steps
1. On LON-SVR2, in the Server Manager, in the IPAM console tree, click IP Address Blocks.

2. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block.

3. In the Add or Edit IPv4 Address Block dialog box, provide the following values, and then click OK:

o Network ID: 172.16.0.0

o Prefix length: 16

o Description: Head Office

4. In the IPAM console tree, click IP Address Inventory.

5. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address.

6. In the Add IP Address dialog box, under Basic Configurations, provide the following values, and
then click OK:
o IP address: 172.16.0.1

o MAC address: 112233445566

o Device type: Routers

o Description: Head Office Router

7. Click the Tasks drop-down arrow, and then click Add IP Address.

8. In the Add IP Address dialog box, under Basic Configuration, provide the following values:

o IP address: 172.16.0.101

o MAC address: 223344556677

o Device type: Host

9. In the Add IPv4 Address pane, click DHCP Reservation, and then enter the following values:

o Client ID: Check the Associate MAC to Client ID checkbox

o Reservation server name: LON-DC1.Adatum.com

o Reservation name: Webserver

o Reservation type: Both

10. In the Add IPv4 Address pane, click DNS Record, enter the following values, and then click OK:

o Device name: Webserver

o Forward lookup zone: Adatum.com

o Forward lookup primary server: LON-DC1.adatum.com


o Check the Automatically create DNS records for this IP address checkbox.

11. On LON-DC1, open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then
click Reservations. Ensure that the Webserver reservation for 172.16.0.11 displays.

12. Open the DNS console, expand Forward Lookup Zones, and then click Adatum.com. Ensure that a
host record displays for Webserver.
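The address block, the two addresses, the DHCP reservation and the DNS host record from the steps above, as an added example that is not part of the course text. The IPAM cmdlets record the block and the addresses; the reservation and the A record, which the Add IP Address dialog creates for you, are made here directly with the DhcpServer and DnsServer modules (a different path to the same end state). The parameter names of Add-IpamBlock and Add-IpamAddress are assumed to match the 2012 R2 IpamServer module.

```powershell
# Added example, not part of the course text. Run on LON-SVR2 (IPAM server) with
# rights on LON-DC1. Assumed: Add-IpamBlock/Add-IpamAddress parameter names.
Import-Module IpamServer, DhcpServer, DnsServer

# Step 3: the 172.16.0.0/16 block.
Add-IpamBlock -NetworkId '172.16.0.0/16' -Description 'Head Office'

# Steps 6 and 8: two inventory entries. IPAM stores MAC addresses with separators,
# so 112233445566 from the dialog is written as 11-22-33-44-55-66 here.
Add-IpamAddress -IpAddress 172.16.0.1   -MacAddress '11-22-33-44-55-66' `
    -DeviceType 'Routers' -Description 'Head Office Router'
Add-IpamAddress -IpAddress 172.16.0.101 -MacAddress '22-33-44-55-66-77' `
    -DeviceType 'Host' -DeviceName 'Webserver'

# Step 9 equivalent: a DHCP reservation in the Adatum scope on LON-DC1 whose
# client ID is the MAC address, for both DHCP and BOOTP clients.
Add-DhcpServerv4Reservation -ComputerName 'LON-DC1' -ScopeId 172.16.0.0 `
    -IPAddress 172.16.0.101 -ClientId '22-33-44-55-66-77' -Name 'Webserver' -Type Both

# Step 10 equivalent: the host (A) record in Adatum.com on LON-DC1.
Add-DnsServerResourceRecordA -ComputerName 'LON-DC1' -ZoneName 'Adatum.com' `
    -Name 'Webserver' -IPv4Address 172.16.0.101

# Steps 11 and 12: what the DHCP and DNS consoles should show.
Get-DhcpServerv4Reservation -ComputerName 'LON-DC1' -ScopeId 172.16.0.0 |
    Where-Object Name -eq 'Webserver'
Resolve-DnsName -Name 'webserver.adatum.com' -Type A -Server 'LON-DC1'
```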

Demonstration: Using IPAM Monitoring


Demonstration Steps
1. On LON-SVR2, in Server Manager, in the IPAM console tree, click DNS and DHCP Servers.

2. In the Details view, discuss the LON-DC1.Adatum.com Server Properties.

3. Click the Event Catalog tab, and discuss the events shown.

4. In the IPAM console tree, click on DHCP scopes.

5. Select the Adatum scope, and discuss the information in the Scope Properties.

6. Click the Options tab, and discuss the information displayed.

7. Click the Event Catalog tab, and discuss the events shown.

8. In the IPAM console tree, click on DNS Zone Monitoring.

9. Select the adatum.com zone, and discuss the information in the Zone Properties.
10. Click the Authoritative Servers tab, and discuss the information displayed.

11. In the IPAM console tree, click on Server Scopes.

12. Select the LON-DC1.adatum.com entry with the DNS server role, and discuss the information in the
Server Properties.

13. Click the DNS Zones tab, and discuss the information displayed.

14. Click the Event Catalog tab, and discuss the events shown.

Module Review and Takeaways


Best Practices
Implement DHCP failover to ensure that client computers can continue to receive IP
configuration information in the event of a server failure.

Ensure that there are at least two DNS servers hosting each zone.

Use IPAM to control IP address distribution and static address assignments.

Review Question(s)
Question: What is one of the drawbacks of using IPAM?

Answer: If you use IPAM, then you cannot manage DHCP-capable network devices, such as gateways and
wireless action protocols (WAPs), from the IPAM management console.

Real-world Issues and Scenarios


Question: Some network clients are receiving incorrect DHCP configuration. What tool should you use to
begin the troubleshooting process?

Answer: The IPConfig /All command will report to you if the client is receiving DHCP configuration, and
if so, the IP address of the DHCP server from which the configuration came.

Question: What are some possible causes of the incorrect configurations?

Answer: There may be a rogue DHCP server on the network. Common things to look for will be gateway
devices, such as cable modems or Private Branch Exchange (PBX) boxes, that have a DHCP component
enabled. Another possibility is that someone has manually configured the IP address on the client.

Tools

Dnscmd
  Use: Configure all aspects of DNS management
  Location: %systemroot%\System32\dnscmd.exe

DHCP console
  Use: Control all aspects of DHCP management from a user interface
  Location: %systemroot%\System32\dhcpmgmt.msc

DNS console
  Use: Control all aspects of DNS management from a user interface
  Location: %systemroot%\System32\dnsmgmt.msc

IPAM management console
  Use: Control all aspects of IPAM management
  Location: Server Manager

Common Issues and Troubleshooting Tips

Common Issue: Users can no longer access a vendor's website that they have historically been able to
access.
Troubleshooting Tip: The IP address of the website may have changed, but DNS cache locking is not
updating the cached IP address for that FQDN because the TTL for the record has not yet expired. You
must flush the cache on the DNS server manually.

Common Issue: Managed servers are unable to connect to the IPAM server.
Troubleshooting Tip: Ensure that the Windows Internal Database service and the Windows Process
Activation service are running on the IPAM server.

Lab Review Questions and Answers


Lab: Implementing Advanced Network Services
Question and Answers
Question: Will client computers immediately stop communicating on the network if there is no
functioning DHCP server?

Answer: No, the client computers will continue to function normally on the network until the lease on
their IP address expires.

Question: What is the default size of the DNS socket pool?

Answer: The default size of the DNS socket pool is 2,500 ports.

Question: What value does the DNS cache lock use to determine when to update an IP address in the
DNS cache?

Answer: Determination is made based on the Time to Live (TTL) value of the address record from the start
of authority resource record.
Implementing Advanced File Services 2-1

Module 2
Implementing Advanced File Services
Contents:
Lesson 1: Configuring iSCSI Storage 2

Lesson 2: Configuring BranchCache 6

Lesson 3: Optimizing Storage Usage 8

Module Review and Takeaways 12

Lab Review Questions and Answers 14



Lesson 1
Configuring iSCSI Storage
Contents:
Question and Answers 3
Demonstration: Configuring an iSCSI Target 3
Demonstration: Connecting to the iSCSI Storage 4

Question and Answers

What Is iSCSI?
Question: Can you use your organization's internal TCP/IP network to provide iSCSI?

Answer: Yes, you can. However, as a best practice, you should have a dedicated TCP/IP network for iSCSI
so that other network traffic does not interfere with the iSCSI communication, and so the iSCSI
communication does not interfere with the other network traffic.

iSCSI Target Server and iSCSI Initiator


Question: When would you consider implementing diskless booting from iSCSI targets?

Answer: Answers will vary based on experience, but generally, you might consider this if you want to
implement virtualization technologies such as a Virtual Desktop Infrastructure (VDI) in your
organization.

Demonstration: Configuring an iSCSI Target


Demonstration Steps
Add the iSCSI target server role service
1. On LON-DC1, in the Server Manager, click Manage, and then click Add roles and features.

2. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.

5. On the Select server roles page, expand File And Storage Services (2 of 12 Installed), expand File
and iSCSI Services (1 of 11 Installed), select the iSCSI Target Server check box, and then click
Next.

6. On the Select features page, click Next.

7. On the Confirm installation selections page, click Install.

8. When installation completes, click Close.

Create two iSCSI virtual disks and an iSCSI target


1. On LON-DC1, in the Server Manager, in the navigation pane, click File and Storage Services.

2. In the File and Storage Services pane, click iSCSI.

3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.

4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click drive C, and then click Next.

5. On the Specify iSCSI virtual disk name page, type iSCSIDisk1, and then click Next.

6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, in the drop-down list box, ensure
that GB is selected, and then click Next.

7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.

8. On the Specify target name page, in the Name box, type LON-SVR2, and then click Next.

9. On the Specify access servers page, click Add.



10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type. In the Type drop-down list box, click IP Address, in the Value field, type 172.16.0.22, and then
click OK.

11. On the Specify access servers page, click Next.

12. On the Enable Authentication page, click Next.

13. On the Confirm selections page, click Create.


14. On the View results page, wait until creation completes, and then click Close.

15. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.

16. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click drive C, and then click Next.

17. On the Specify iSCSI virtual disk name page, type iSCSIDisk2, and then click Next.

18. On the Specify iSCSI virtual disk size page, in the Size box, type 5. In the drop-down list box,
ensure that GB is selected, and then click Next.

19. On the Assign iSCSI target page, click lon-svr2, and then click Next.
20. On the Confirm selections page, click Create.

21. On the View results page, wait until creation completes, and then click Close.

Note: Keep the computers running, because you will need them for the next
demonstration.

Demonstration: Connecting to the iSCSI Storage


Demonstration Steps
Preparation steps
Before you start this demonstration, perform the following steps:
1. On the host computer, click on the Hyper-V Manager icon on the taskbar.

2. In the Hyper-V Manager console, right-click 20412C-LON-SVR2, and then click Settings.

3. In the Settings for 20412C-LON-SVR2 window, in the left pane, ensure that both legacy network
adapters are connected to Private Network.

4. If a legacy network adapter has a status of Not connected, click Legacy Network Adapter, and
then in the right pane, from the Network drop-down list, select Private Network, and then click OK.

Connect to the iSCSI target


1. On 20412C-LON-SVR2, in Server Manager, click the Tools menu, and then click iSCSI Initiator.

2. In the Microsoft iSCSI message box, click Yes.

3. In the iSCSI Initiator Properties dialog box, on the Targets tab, type LON-DC1, and then click
Quick Connect.

4. In the Quick Connect window, in the Discovered targets section, click
iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, and then click Done.

5. In the iSCSI Initiator Properties dialog box, click OK to close the dialog box.

Verify the presence of the iSCSI drive


1. On 20412C-LON-SVR2, in Server Manager, on the Tools menu, click Computer Management.

2. In the Computer Management console, under Storage node, click Disk Management. Notice that
the new disks are added. However, they all are currently offline and not formatted.

3. Close the Computer Management console.

Note: Keep the computers running, because you will need them for the next
demonstration.
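The target-side and initiator-side demonstrations above with the IscsiTarget and iSCSI modules, as an added example that is not part of the course text. The folder C:\iSCSIVirtualDisks for the virtual disk files is an assumption; the target name, disk size, initiator address and IQN are from the steps.

```powershell
# Added example, not part of the course text: iSCSI target on LON-DC1 and
# initiator on LON-SVR2. Assumed: the C:\iSCSIVirtualDisks folder.

# ----- On LON-DC1: target server -----
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

$disks = 'C:\iSCSIVirtualDisks\iSCSIDisk1.vhdx', 'C:\iSCSIVirtualDisks\iSCSIDisk2.vhdx'
foreach ($path in $disks) { New-IscsiVirtualDisk -Path $path -SizeBytes 5GB }

# One target named LON-SVR2, offered only to the initiator at 172.16.0.22 (step 10).
# The initiator ID list is the access control here; without it any host that can
# reach port 3260 could log on to the target.
New-IscsiServerTarget -TargetName 'LON-SVR2' -InitiatorIds @('IPAddress:172.16.0.22')
foreach ($path in $disks) { Add-IscsiVirtualDiskTargetMapping -TargetName 'LON-SVR2' -Path $path }

# The generated IQN is iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target.
Get-IscsiServerTarget -TargetName 'LON-SVR2' | Select-Object TargetIqn, InitiatorIds, LunMappings

# ----- On LON-SVR2: initiator -----
# The Microsoft iSCSI message box in step 2 offers to start this service and set it
# to start automatically; do both explicitly.
Set-Service  -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Quick Connect = register the portal, then log on to the discovered target.
New-IscsiTargetPortal -TargetPortalAddress 'LON-DC1'
$target = Get-IscsiTarget | Where-Object NodeAddress -like '*:lon-dc1-lon-svr2-target'
Connect-IscsiTarget -NodeAddress $target.NodeAddress -IsPersistent $true   # reconnect at boot

# Verify: two new iSCSI disks, Offline and RAW until initialised (Disk Management step 2).
Get-Disk | Where-Object BusType -eq 'iSCSI' |
    Select-Object Number, FriendlyName, Size, OperationalStatus, PartitionStyle
```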

Lesson 2
Configuring BranchCache
Contents:
Demonstration: Configuring BranchCache 7

Demonstration: Configuring BranchCache


Demonstration Steps
Add BranchCache for the Network Files role service
1. On LON-DC1, in the Server Manager, click Add roles and features.

2. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.

5. On the Select server roles page, expand File and Storage Services (3 of 12 Installed), expand File
and iSCSI Services (2 of 11 Installed), select the BranchCache for Network Files check box, and
then click Next.

6. On the Select features page, click Next.


7. On the Confirm installation selections page, click Install.

8. When installation completes, click Close.

Enable BranchCache for the server


1. On LON-DC1, click the Start screen.

2. On the Start screen, type gpedit.msc, and then press Enter.

3. Expand Computer Configuration, expand Administrative Templates, expand Network, click
Lanman Server, and then double-click Hash Publication for BranchCache.

4. In the Hash Publication for BranchCache dialog box, click Enabled.

5. In the Options box, under Hash publication actions, select Allow hash publication only for
shared folder on which BranchCache is enabled, and then click OK.

6. Close the Local Group Policy Editor.

Enable BranchCache for a file share


1. On the taskbar, click the File Explorer icon.

2. In the File Explorer window, in the left pane, click Local Disk (C:).

3. On the quick access bar located on the upper left side of the window, click New Folder, type Share,
and then press Enter.

4. Right-click Share, and then click Properties.

5. In the Share Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

6. In the Advanced Sharing dialog box, click Share this folder, and then click Caching.

7. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.

8. In the Advanced Sharing dialog box, click OK, and then click Close.

9. Close all open windows.
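The content-server side of the BranchCache demonstration above as PowerShell, an added example that is not part of the course text. The registry value name and values behind the Hash Publication for BranchCache policy are assumptions; the feature name, share name and path are from the steps.

```powershell
# Added example, not part of the course text: BranchCache for Network Files on
# LON-DC1 with a share that publishes hashes. Assumed: the registry value
# HashPublicationForPeerCaching and its meanings (0 = disallow, 1 = only shares
# with BranchCache enabled, 2 = all shares).
Install-WindowsFeature -Name FS-BranchCache

# Local policy "Hash Publication for BranchCache" = Enabled, option "Allow hash
# publication only for shared folders on which BranchCache is enabled" (value 1).
# gpedit.msc writes the same value; setting it directly bypasses the editor's view,
# and a domain GPO for the same setting would override it on the next refresh.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'HashPublicationForPeerCaching' -Value 1 -Type DWord

# C:\Share, shared with caching mode BranchCache (the Enable BranchCache check box
# in Offline Settings). A share without this mode publishes no hashes.
New-Item -Path 'C:\Share' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Share' -Path 'C:\Share' -CachingMode BranchCache
# For a share that already exists: Set-SmbShare -Name 'Share' -CachingMode BranchCache

# Verify the share setting and the server's BranchCache state.
Get-SmbShare -Name 'Share' | Select-Object Name, Path, CachingMode
Get-BCStatus
```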



Lesson 3
Optimizing Storage Usage
Contents:
Question and Answers 9
Demonstration: How to Configure Classification Management 9
Demonstration: Configuring Data Deduplication 10

Question and Answers

What Is FSRM?
Question: Are you currently using the FSRM in Windows Server 2008 R2? If yes, for what areas do you use
it?

Answer: Answers will vary based on the students' experiences with the FSRM in Windows Server 2008 R2.
FSRM is used in the following areas:

File Classification Infrastructure

File management tasks

Quota management

File screening management

Demonstration: How to Configure Classification Management


Demonstration Steps
Create a classification property
1. On LON-SVR1, on the toolbar, click the Server Manager shortcut.

2. In the Server Manager, click Tools, and then click File Server Resource Manager.

3. In File Server Resource Manager, expand the Classification Management node, and then click
Classification Properties.

4. Right-click Classification Properties, and then click Create Local Property.

5. In the Create Local Classification Property window, in the Name field, type Confidential, and in
the Description field, type Assigns a confidentiality value of Yes or No.

6. Under Property type, click the drop-down list box, and then select Yes/No.
7. In the Create Local Classification Property window, click OK.

Create a classification rule


1. In File Server Resource Manager, click the Classification Rules node.

2. Right-click the Classification Rules node, and then click Create Classification Rule.

3. In the Rule name field, type Confidential Payroll Documents.

4. In the Description field, type Classify documents containing the word payroll as confidential,
and then click the Scope tab.

5. In the Scope section, click Add.

6. In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, click Data, and then click
OK.

7. In the Create Classification Rule window, click the Classification tab.

8. In the Classification method area, click the drop-down list box, and then click Content Classifier.

9. In the Property section, choose a Property name of Confidential and a Property value of Yes, and
then click Configure.

10. On the Parameters tab, below the Expression Type column, click the drop-down list box and then
select String.

11. Double-click in the Expression column, then type payroll, and then click OK.

12. In the Create Classification Rule window, click OK.

Modify the classification schedule


1. Right-click the Classification Rules node, and then click Configure Classification Schedule.

2. In the File Server Resource Manager Options window, ensure that the Automatic Classification
tab is selected.

3. In the Schedule window, click the Enable fixed schedule check box.

4. In the Run at field, type 8:30 AM, select Sunday, and then click OK.

5. Right-click the Classification Rules node, and then click Run Classification With All Rules Now.

6. In the Run Classification window, click Wait for classification to complete, and then click OK.

7. View the report, and ensure that File3.txt is listed at the bottom of the report.

8. In a File Explorer window, click drive E, expand Labfiles, expand Data, double-click the file File3.txt,
and then view its contents. Ensure that it contains the word payroll. Open the other files in the
folder and ensure they do not contain the word payroll.

9. Close all open windows on LON-SVR1.

10. Keep the virtual machines running for the next demonstration.
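The classification property, the content-based rule and the fixed schedule from the three procedures above, built with the FileServerResourceManager module on LON-SVR1, as an added example that is not part of the course text. It assumes E:\Labfiles\Data exists with the lab files described in step 8 and that the Status property of Get-FsrmClassification reads Running while a classification is in progress.

```powershell
# Added example, not part of the course text: FSRM classification on LON-SVR1.
# Assumed: E:\Labfiles\Data with the lab files; Get-FsrmClassification.Status
# is 'Running' while the job runs.
Import-Module FileServerResourceManager

# "Confidential", a Yes/No local property (Create Local Classification Property).
New-FsrmClassificationPropertyDefinition -Name 'Confidential' -Type YesNo `
    -Description 'Assigns a confidentiality value of Yes or No'

# Content classifier: files under the scope that contain the string "payroll" get
# Confidential = Yes. -ContentString is a plain-string match, not a regular expression.
New-FsrmClassificationRule -Name 'Confidential Payroll Documents' `
    -Description 'Classify documents containing the word payroll as confidential' `
    -Namespace @('E:\Labfiles\Data') `
    -ClassificationMechanism 'Content Classifier' `
    -Property 'Confidential' -PropertyValue 'Yes' `
    -ContentString @('payroll')

# Fixed schedule: every Sunday at 8:30 AM (Configure Classification Schedule).
$schedule = New-FsrmScheduledTask -Time (Get-Date '08:30') -Weekly Sunday
Set-FsrmClassification -Schedule $schedule

# "Run Classification With All Rules Now", then wait for it to finish.
Start-FsrmClassification
do { Start-Sleep -Seconds 5 } while ((Get-FsrmClassification).Status -eq 'Running')
Get-FsrmClassification | Select-Object Status, LastError

# Step 8 without opening each file: only File3.txt should match the rule's string.
Get-ChildItem -Path 'E:\Labfiles\Data' -File |
    Select-String -Pattern 'payroll' -SimpleMatch -List |
    Select-Object Filename, LineNumber
```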

Demonstration: Configuring Data Deduplication


Demonstration Steps
Add the Data Deduplication role service
1. On LON-SVR2, in the Server Manager, click Manage, and then click Add roles and features.

2. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.

5. On the Select server roles page, expand File And Storage Services (1 of 12 Installed), expand File
and iSCSI Services, and then select the Data Deduplication check box.

6. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

7. On the Select features page, click Next.

8. On the Confirm installation selections page, click Install.

9. When installation completes, click Close.

Enable Data Deduplication


1. In Server Manager, in the navigation pane, click File and Storage Services.

2. In the File and Storage Services pane, click Volumes.

3. In the Volumes pane, right-click drive E:, and in the drop-down list box, click Configure Data
Deduplication.

4. In the Allfiles (E:\) Deduplication Settings dialog box, in the Data Deduplication drop-down list
box, select General purpose file server, in the Deduplicate files older than (in days) box, type 3,
and then click Set Deduplication Schedule.

5. In the LON-SVR2 Deduplication Schedule dialog box, click Enable throughput optimization, and
in the Start time drop-down list box, click 2 A.M., and then click OK.

6. In the Allfiles (E:\) Deduplication Settings dialog box, click OK.

Test Data Deduplication


1. On LON-SVR2, open a File Explorer window, navigate to drive E:, right-click the Group Policy
Preferences.docx file, and then click Copy.
2. Paste the Group Policy Preferences.docx file to the LabFiles folder.

3. On LON-SVR1, open the E:\LabFiles folder, right-click on Group Policy Preferences.docx, and then
click Properties.

4. In the Properties dialog box, note the values for Size and Size on Disk.

5. Repeat steps five through seven for Group Policy Preferences.docx in the root folder of the E: drive.

6. On LON-SVR2, open the Windows PowerShell window.

7. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:

Start-DedupJob -Type Optimization -Volume E:

8. Type Get-DedupJob, and then press Enter. Ensure that the process is running.

9. Wait a minute or two, and then repeat the Get-DedupJob command.

10. If you get no result, it means that the deduplication job is complete.

11. In the root folder of the E: drive, right-click Group Policy Preferences.docx, and then click
Properties.

12. In the Properties dialog box, note the values for Size and Size on Disk. Size on disk should be much
smaller than it was previously.
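The Data Deduplication setup and the copy test from the procedures above with the Deduplication module on LON-SVR2, as an added example that is not part of the course text. The file name, the E:\LabFiles folder, the 3-day age and the 2 A.M. schedule are from the steps; that the wizard's General purpose file server choice corresponds to the Default usage type is an assumption.

```powershell
# Added example, not part of the course text: enable, schedule and test
# deduplication on E: of LON-SVR2. Assumed: "General purpose file server" in the
# wizard = -UsageType Default.
Install-WindowsFeature -Name FS-Data-Deduplication

# Deduplication Settings dialog: enable on E:, optimise only files older than 3 days.
Enable-DedupVolume -Volume 'E:' -UsageType Default
Set-DedupVolume    -Volume 'E:' -MinimumFileAgeDays 3

# "Enable throughput optimization" with a 2 A.M. start (a built-in schedule, off by default).
Set-DedupSchedule -Name 'ThroughputOptimization' -Enabled $true -Start (Get-Date '02:00')

# Make the duplicate that the optimisation job will fold into shared chunks.
$original = 'E:\Group Policy Preferences.docx'
$copy     = 'E:\LabFiles\Group Policy Preferences.docx'
Copy-Item -Path $original -Destination $copy

# Steps 7 to 10 in one call: -Wait blocks until the job ends instead of polling Get-DedupJob.
Start-DedupJob -Volume 'E:' -Type Optimization -Wait

# Volume-level result: how many files were optimised and how much space that saved.
Get-DedupStatus -Volume 'E:' | Select-Object Volume, OptimizedFilesCount, InPolicyFilesCount, SavedSpace

# Per file (steps 11 and 12): Length (Size) is unchanged, but an optimised file has
# become a reparse point whose data lives in the chunk store, so Size on Disk shrinks.
$optimized = @{ Name = 'Optimized'
                Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } }
Get-Item -Path $original, $copy | Select-Object FullName, Length, $optimized
```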

Module Review and Takeaways


Best Practices
When you consider an iSCSI storage solution for your organization, spend most of the time on the
design process. The design process is crucial because it allows you to optimize the solution for all
technologies that will be using iSCSI storage, such as file services, Exchange Server, and SQL Server.
The design should also accommodate future growth of your organization's business data. Successful
design processes help guarantee a successful deployment of the solution that will meet your
organization's business requirements.

When you plan for BranchCache deployment, ensure that you work closely with your network
administrators so that you can optimize network traffic across the WAN.

When you plan for file classifications, ensure that you start with your organization's business
requirements. Identify the classifications that you will apply to documents, and then define a method
that you will use to identify documents for classification. Before you deploy the File Classification
Infrastructure, create a test environment. Then test the scenarios to ensure that your solution will
result in a successful deployment, and that your organization's business requirements will be met.

Review Question(s)
Question: How does BranchCache differ from using the Distributed File System (DFS) to serve branch offices?

Answer: BranchCache only caches files that users in a remote location have accessed. DFS replicates all
the contents of folders between the head office and a remote location so that all files exist in
both locations.

Question: Why would you choose to implement BranchCache in hosted cache mode instead of
distributed cache mode?

Answer: When you use the distributed cache mode, the cache is hosted on the computers that requested
the file the first time. However, it is likely that computers or laptops that are running Windows 8.1
may be shut down or removed from the office, or there may be multiple subnets in the branch.
This means that a cached file might not be available, which will force the file to be downloaded
across the WAN link again. However, the hosted cache mode is likely to be used when a
computer that is running the Windows Server 2008 R2 or newer operating system is available in
the branch office.

Question: Can you configure Data Deduplication on a boot volume?

Answer: No, you cannot configure Data Deduplication on a boot volume. You can configure Data
Deduplication only on volumes that are not system or boot volumes. Data Deduplication is also
not supported on the Resilient File System.

Question: Why would you implement a File Classification Infrastructure?

Answer: The File Classification Infrastructure enables you to manage groups of files based on various file
and folder attributes. Using file classification technology, you can automate file and folder
maintenance tasks, such as cleaning up stale data or protecting sensitive information.

Real-world Issues and Scenarios


Question: Your organization is considering deploying an iSCSI solution. You are a Windows Server 2012
administrator who is responsible for designing and deploying the new solution. This new solution will be
used by different types of technologies, such as Windows Server 2012 file server, Exchange Server, and
SQL Server. You face the challenge of designing an optimal iSCSI solution, but at the same time you are not sure
whether the solution you are going to propose to your organization will meet the requirements of all
technologies that will be accessing the iSCSI storage. What should you do?

Answer: You should include on the team that will design and deploy the iSCSI solution experts from
different areas of specialization. Team members who will be involved in the project should include
Windows Server 2012 administrators, network administrators, storage administrators, and security
administrators. This is necessary so that the iSCSI storage solution has optimal performance and security,
and has consistent management and operations procedures.

Question: Your organization is considering deploying a BranchCache solution. You are a Windows
Server 2012 administrator in your organization, and you are responsible for designing and deploying the
new solution. The organization's business managers are concerned about security of the data that will be
stored in the branch offices. They are also concerned about how the organization will address security
risks such as data tampering, information disclosure, and denial of service attacks. What should you do?

Answer: You should include a security expert on your design team. You should also consider the defense-
in-depth model of analyzing security risks. BranchCache addresses the security risks as follows:

Data tampering. The BranchCache technology uses hashes to confirm that during the communication, the
client computer and the server did not alter the data.

Information disclosure. BranchCache sends encrypted content to clients, but they must have the
encryption key to decrypt the content. Because potential malicious users would not have the encryption
key, if an attacker attempts to monitor the network traffic to access the data while it is in transit between
clients, the attempt will not be successful.

Denial of service. If an attacker tries to overload the client with requests for data, BranchCache technology
includes queue management counters and timers to prevent clients from being overloaded.

Question: Your organization is using large amounts of disk space for data storage and faces the challenge
of organizing and managing the data. Furthermore, your organization must satisfy requirements for
security, compliance, and data leakage prevention for company confidential information. What should
you do?

Answer: You should deploy the File Classification Infrastructure. Based on file classification, you can
configure file management tasks that will enable you to manage groups of files based on various file and
folder attributes. You can also automate file and folder maintenance tasks, such as cleaning up stale data
or protecting sensitive information.

Tools

Tool: iSCSI target server
Use: Configure iSCSI targets
Where to find it: In Server Manager, under File and Storage Services

Tool: iSCSI initiator
Use: Configure a client to connect to an iSCSI target virtual disk
Where to find it: In Server Manager, in the Tools drop-down list box

Tool: Deduplication Evaluation tool (DDPEval.exe)
Use: Analyze a volume to find out the potential savings when enabling Data deduplication
Where to find it: Available from the command prompt and stored in C:\windows\system32

Tool: File Server Resource Manager
Use: A set of features that allow you to manage and classify data that is stored on file servers
Where to find it: In Server Manager, in the Tools drop-down list box
2-14 Configuring Advanced Windows Server 2012 Services

Lab Review Questions and Answers


Lab A: Implementing Advanced File Services
Question and Answers
Question: Why would you implement MPIO together with iSCSI? What problems would you solve with
this approach?

Answer: You must have MPIO to create a second network route to the iSCSI target. This is useful when
you lose a connection to the iSCSI target because of a network adapter failure. With MPIO set
up and configured, if a network adapter fails, another network adapter assumes the failed
network adapter's traffic.

Question: Why must you have the iSCSI initiator component?

Answer: The iSCSI initiator component is the client component for iSCSI to connect to an iSCSI target.
Windows 8.1 and Windows Server 2012 already have this component preinstalled as a service.
You only have to start it to use it.

Question: Why would you configure file classification for documents located in a folder such as a
Corporate Documentation folder?

Answer: You would configure file classification so that you can perform specific actions only on
documents that are classified as Corporate Documentation. For example, you could configure
the expiration date so that older documents will be archived and later deleted.

Lab B: Implementing BranchCache

Question and Answers


Question: When would you consider implementing BranchCache into your own organization?

Answer: Answers will vary, but implementing BranchCache is only important if you have a branch office
or a location that is connected to your organization's headquarters with a low bandwidth link.
Implementing Dynamic Access Control 03-1

Module 3
Implementing Dynamic Access Control
Contents:
Lesson 2: Implementing DAC Components 2

Lesson 3: Implementing DAC for Access Control 6

Lesson 4: Implementing Access Denied Assistance 9

Lesson 5: Implementing and Managing Work Folders 11

Module Review and Takeaways 13

Lab Review Questions and Answers 15



Lesson 2
Implementing DAC Components
Contents:
Demonstration: Configuring Claims, Resource Properties, and Rules 3
Demonstration: Configuring Classification Rules 5

Demonstration: Configuring Claims, Resource Properties, and Rules


Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.

3. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.

4. In the Create Claim Type window, in the Source Attribute section, select department.

5. In the Display name text box, type Company Department.


6. Select both User and Computer check boxes, and then click OK.

7. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.

8. In the Create Claim Type window, in the Source Attribute section, click description.

9. Clear the User check box, select the Computer check box, and then click OK.

10. In the Active Directory Administrative Center, click Dynamic Access Control.
11. In the central pane, double-click Resource Properties.

12. In the Resource Properties list, right-click Department, and then click Enable.

13. In the Resource Properties list, right-click Confidentiality, and then click Enable.

14. Double-click Department.

15. Scroll down to the Suggested Values section, and then click Add.

16. In the Add a suggested value window, in both the Value and Display name text boxes, type
Research, and then click OK two times.

17. Click Dynamic Access Control, and then double-click Resource Property Lists.

18. In the central pane, double-click Global Resource Property List, ensure that both Department and
Confidentiality display, and then click Cancel. If they do not display, click Add, add these two
properties, and then click OK.

19. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.

20. In the Tasks pane, click New, and then click Central Access Rule.

21. In the Create Central Access Rule dialog box, in the Name field, type Department Match.
22. In the Target Resources section, click Edit.

23. In the Central Access Rule dialog box, click Add a condition.

24. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.

25. In the Permissions section, click Use following permissions as current permissions.

26. In the Permissions section, click Edit.

27. Remove permission for Administrators.

28. In Advanced Security Settings for Permissions, click Add.

29. In Permission Entry for Permissions, click Select a principal.



30. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.

31. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check
boxes.

32. Click Add a condition.

33. Click the Group drop-down list box, and then click Company Department.
34. Click the Value drop-down list box, and then click Resource.

35. In the last drop-down list box, click Department, and then click OK three times.

Note: You should have this expression as a result: User-Company Department-Equals-Resource-Department.

36. In the Tasks pane, click New, and then click Central Access Rule.

37. For the name of rule, type Access Confidential Docs.

38. In the Target Resources section, click Edit.


39. In the Central Access Rule window, click Add a condition.

40. In the last drop-down list box, click High, and then click OK.

Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.

41. In the Permissions section, click Use following permissions as current permissions.
42. In the Permissions section, click Edit.

43. Remove permission for Administrators.

44. In Advanced Security Settings for Permissions, click Add.

45. In the Permission Entry for Permissions, click Select a principal.

46. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.

47. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.

48. Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a
condition.

Note: If you cannot find Managers in the last drop-down list box, click Add items. Then, in the
Select User, Computer, Service Account, or Group window, type Managers, click Check Names, in the
Multiple Names Found window, click Managers, and then click OK.

49. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS, and then click
OK three times.
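The same claim types, resource properties, and central access rules can be created from the ActiveDirectory module instead of the Active Directory Administrative Center. The following is an added example and is not part of the course material. It is run on LON-DC1 and assumes the claim ID ad://ext/CompanyDepartment (the console generates its own ID with a random suffix), the built-in resource property IDs Department_MS and Confidentiality_MS, and that ADSuggestedValueEntry exposes its display name as ValueDisplayName.

```powershell
# Added example (not course material): PowerShell equivalent of the ADAC steps.
# Assumptions: ActiveDirectory module on LON-DC1; custom claim ID
# "ad://ext/CompanyDepartment"; built-in resource property IDs Department_MS
# and Confidentiality_MS; ADSuggestedValueEntry.ValueDisplayName property name.
Import-Module ActiveDirectory

# Steps 1-9: two claim types sourced from AD DS attributes.
New-ADClaimType -DisplayName 'Company Department' -SourceAttribute 'department' `
    -ID 'ad://ext/CompanyDepartment' -AppliesToClasses @('user', 'computer')
New-ADClaimType -DisplayName 'description' -SourceAttribute 'description' `
    -ID 'ad://ext/Description' -AppliesToClasses @('computer')

# Steps 10-18: enable both resource properties, add the suggested value
# "Research" to Department, and put both in the Global Resource Property List.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    'Research', 'Research', 'Research department')
$existing = @((Get-ADResourceProperty -Identity 'Department_MS').SuggestedValues |
    Where-Object { $_ })
Set-ADResourceProperty -Identity 'Department_MS' -SuggestedValues ($existing + $research)
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department_MS', 'Confidentiality_MS'

# Steps 19-35: rule "Department Match". Targets resources whose Department is
# Research. The conditional ACE (XA) grants Modify (0x1301bf) to Authenticated
# Users (AU) only when the user's Company Department claim equals the file's
# Department property. Administrators are left out, as in the demonstration;
# OWNER RIGHTS (OW) and SYSTEM (SY) keep full control.
$deptMatchAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;SY)' +
    '(XA;;0x1301bf;;;AU;(@USER.ad://ext/CompanyDepartment == @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl $deptMatchAcl

# Steps 36-49: rule "Access Confidential Docs". Targets Confidentiality = High;
# Modify for AU only if the user is in Managers AND the device is in ManagersWKS.
$managers    = (Get-ADGroup -Identity 'Managers').SID.Value
$managersWks = (Get-ADGroup -Identity 'ManagersWKS').SID.Value
$high = ((Get-ADResourceProperty -Identity 'Confidentiality_MS').SuggestedValues |
    Where-Object { $_.ValueDisplayName -eq 'High' }).Value
# Ordered-list properties store an integer behind the display name; quote the
# literal only when the stored value is not numeric.
$highLiteral = if ($high -match '^\d+$') { $high } else { "`"$high`"" }
$confAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;SY)' +
    "(XA;;0x1301bf;;;AU;((Member_of {SID($managers)}) && (Device_Member_of {SID($managersWks)})))"
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition "(@RESOURCE.Confidentiality_MS == $highLiteral)" `
    -CurrentAcl $confAcl

# Read back what was stored and compare it with the expressions in the notes above.
Get-ADCentralAccessRule -Filter * | Format-List Name, ResourceCondition, CurrentAcl
```

The conditional ACE is what makes the rule dynamic: the comparison is evaluated at access time against the user's claim and the file's property, so a user who moves from Research to another department loses access without anyone touching the folder ACL. Keep the group SIDs (rather than names) in the ACE, because that is what the file server evaluates.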

Demonstration: Configuring Classification Rules


Demonstration Steps
1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.

2. In File Server Resource Manager, expand Classification Management.



3. Select and then right-click Classification Properties, and then click Refresh.

4. Verify that the Confidentiality and Department properties are listed.

5. Click Classification Rules.

6. In the Actions pane, click Create Classification Rule.

7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.

8. Click the Scope tab, and then click Add.

9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click
OK.

10. Click the Classification tab, make sure that following settings are set, and then click Configure:
o Classification method: Content Classifier

o Property: Confidentiality

o Value: High

11. In the Classification Parameters dialog box, click the Regular expression drop-down list box, and
then click String.

12. In the Expression field, which is next to the word String, type secret, and then click OK.

13. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.

14. In File Server Resource Manager, in the Actions pane, click Run Classification With All Rules Now.

15. Click Wait for classification to complete, and then click OK.

16. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in the Report Totals section.

17. Close the report.


18. On the taskbar, click the File Explorer icon.

19. In the File Explorer window, expand Local Disk (C:), and then click the Docs folder.

20. In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab. Verify
that Confidentiality is set to High.

21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt have the
word secret in their content.
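The classification rule above can also be created and run from the FileServerResourceManager module, which is useful when the same rule must be applied to many file servers. The following is an added example, not course material, run on LON-SVR1. It assumes C:\Docs holds Doc1.txt through Doc3.txt as in the demonstration, that the FSRM property value objects expose Name and DisplayName, and that the COM ProgID Fsrm.FsrmClassificationManager is available for reading a file's stored property.

```powershell
# Added example (not course material): FSRM equivalent of the classification
# demonstration, run on LON-SVR1. Assumptions: FileServerResourceManager module;
# C:\Docs contains Doc1.txt-Doc3.txt; PossibleValue entries expose Name/DisplayName;
# COM ProgID Fsrm.FsrmClassificationManager for reading a stored property.
Import-Module FileServerResourceManager

# Step 3: refresh the property definitions from AD DS and confirm both exist.
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.Name -in 'Department_MS', 'Confidentiality_MS' } |
    Select-Object Name, DisplayName

# Steps 7-13: a content classifier that sets Confidentiality to High when a file
# contains the string "secret"; re-evaluate and overwrite an existing value.
# The stored value behind the display name "High" is looked up, not hard-coded.
$high = ((Get-FsrmClassificationPropertyDefinition -Name 'Confidentiality_MS').PossibleValue |
    Where-Object { $_.DisplayName -eq 'High' }).Name
New-FsrmClassificationRule -Name 'Set Confidentiality' `
    -Namespace @('C:\Docs') `
    -ClassificationMechanism 'Content Classifier' `
    -Property 'Confidentiality_MS' -PropertyValue $high `
    -ContentString @('secret') `
    -ReevaluateProperty Overwrite

# Steps 14-16: run all rules now, wait for completion, and show the run summary
# (the LastReportPath property points at the report the demonstration opens).
Start-FsrmClassification
Wait-FsrmClassification
Get-FsrmClassification | Format-List *

# Steps 18-21: read the stored Confidentiality property of each file. Option 1
# (NoRuleEvaluation) returns only what was persisted; a file with no value throws,
# which is the expected result for Doc3.txt because it does not contain "secret".
$mgr = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
foreach ($name in 'Doc1.txt', 'Doc2.txt', 'Doc3.txt') {
    $path = Join-Path -Path 'C:\Docs' -ChildPath $name
    try {
        $prop = $mgr.GetFileProperty($path, 'Confidentiality_MS', 1)
        "{0}: Confidentiality = {1}" -f $name, $prop.Value
    } catch {
        "{0}: no Confidentiality value stored" -f $name
    }
}
```

Because the rule overwrites existing values, a file that no longer contains the string is downgraded on the next run; if a manually assigned High must survive, change ReevaluateProperty to Never or Aggregate before deploying the rule widely.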

Lesson 3
Implementing DAC for Access Control
Contents:
Demonstration: Creating and Deploying Central Access Policies 7
Demonstration: Evaluating and Managing DAC 8

Demonstration: Creating and Deploying Central Access Policies


Demonstration Steps
1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.

2. In the Tasks pane, click New, and then click Central Access Policy.

3. In the Name field, type Protect confidential docs, and then click Add.

4. Click the Access Confidential Docs rule, click >>, and then click OK twice.

5. In the Tasks pane, click New, and then click Central Access Policy.

6. In the Name field, type Department Match, and then click Add.

7. Click the Department Match rule, click >>, and then click OK twice.

8. Close the Active Directory Administrative Center.

9. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

10. In the Group Policy Management Console, under Domains, expand Adatum.com, right-click DAC-
Protected, and then click Create a GPO in this domain, and link it here.

11. Type DAC Policy, and then click OK.

12. Right-click DAC Policy, and then click Edit.

13. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.

14. Press and hold the Ctrl button and click both Department Match and Protect confidential docs,
click Add, and then click OK.

15. Close the Group Policy Management Editor and the Group Policy Management Console.

16. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.

17. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

18. Close Windows PowerShell.

19. On the taskbar, click the File Explorer icon.

20. In File Explorer, browse to Local Disk (C:), right-click the Docs folder, and then click Properties.

21. In the Properties dialog box, click the Security tab, and then click Advanced.

22. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.

23. In the drop-down list box, select Protect confidential docs, and then click OK twice.

24. Right-click the Research folder, and then click Properties.

25. In the Properties dialog box, click the Security tab, and then click Advanced.

26. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.

27. In the drop-down list box, click Department Match, and then click OK twice.
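The policy creation, GPO link, and folder binding in this demonstration have command-line equivalents in the ActiveDirectory, GroupPolicy, and Set-Acl cmdlets. This added example is not part of the course material. It assumes DAC-Protected is an organizational unit directly under Adatum.com (the distinguished name is an assumption), that the two folders on LON-SVR1 are C:\Docs and C:\Research, and that Get-Acl on Windows Server 2012 reports the bound policy as CentralAccessPolicyName.

```powershell
# Added example (not course material). Assumptions: ActiveDirectory and
# GroupPolicy modules on LON-DC1; OU DN "OU=DAC-Protected,DC=Adatum,DC=com";
# folders C:\Docs and C:\Research on LON-SVR1; Get-Acl exposes CentralAccessPolicyName.

# --- On LON-DC1 (steps 1-7): one central access policy per rule.
Import-Module ActiveDirectory, GroupPolicy
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'

# Steps 9-12: create the GPO and link it to the OU that holds the file servers.
$gpo = New-GPO -Name 'DAC Policy'
New-GPLink -Name $gpo.DisplayName -Target 'OU=DAC-Protected,DC=Adatum,DC=com' -LinkEnabled Yes
# Steps 13-14 (Computer Configuration > Policies > Windows Settings > Security
# Settings > File System > Central Access Policy) have no GroupPolicy-module
# cmdlet: add both policies to the GPO in the Group Policy Management Editor.

# Confirm what the policies contain before the file servers pick them up.
Get-ADCentralAccessPolicy -Filter * | Format-List Name, Members

# --- On LON-SVR1 (steps 16-27): pull the GPO, then bind a policy to each folder.
gpupdate /force
# Set-Acl can only bind a policy the server already received through Group
# Policy; if the name is not found, the GPO has not applied yet.
Set-Acl -Path 'C:\Docs'     -CentralAccessPolicy 'Protect confidential docs'
Set-Acl -Path 'C:\Research' -CentralAccessPolicy 'Department Match'

# Verify the binding (Central Policy tab equivalent).
Get-Acl -Path 'C:\Docs', 'C:\Research' | Format-List Path, Owner, CentralAccessPolicyName
```

Binding a central access policy does not replace the folder's own DACL: access is granted only when both the NTFS permissions and the policy allow it, which is why the demonstration keeps the existing folder permissions in place.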

Demonstration: Evaluating and Managing DAC


Demonstration Steps
1. On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy Objects.

3. Right-click DAC Policy, and then click Edit.

4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.

5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.

6. Double-click Audit File System, select all three check boxes, and then click OK.

7. Close the Group Policy Management Editor and the Group Policy Management Console.

8. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Administrative
Center.

9. In the navigation pane, click Dynamic Access Control.

10. Double-click Central Access Rules, right-click Department Match, and then click Properties.

11. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
12. Click Authenticated Users, and then click Edit.

13. Change the condition to User-Company Department-Equals-Value-Marketing, and then click OK.

14. Click OK twice to close all windows.

15. Switch to LON-SVR1.

16. On the taskbar, click the Windows PowerShell icon.

17. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait
until Group Policy is updated for both user and computer.

18. Close Windows PowerShell.
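Permission staging is the safe way to test a rule change before it takes effect: the proposed ACL is evaluated alongside the current one, and any difference is written to the Security log instead of being enforced. The following added example, not part of the course material, does the same as the steps above from the command line. It assumes auditpol is run on LON-SVR1 as the local equivalent of the GPO audit settings in steps 4-6, that Set-ADCentralAccessRule is run on LON-DC1, and the claim ID ad://ext/CompanyDepartment assumed in the earlier example.

```powershell
# Added example (not course material). Assumptions: auditpol run on LON-SVR1
# (local equivalent of the GPO audit settings); ActiveDirectory module on LON-DC1;
# claim ID ad://ext/CompanyDepartment as assumed earlier in this module.

# Steps 4-6: audit success and failure for both subcategories, then show the result.
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"

# Steps 10-14 (on LON-DC1): stage a proposed ACL that matches users whose
# Company Department claim is "Marketing" instead of the resource's own department.
Import-Module ActiveDirectory
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;SY)' +
    '(XA;;0x1301bf;;;AU;(@USER.ad://ext/CompanyDepartment == "Marketing"))'
Set-ADCentralAccessRule -Identity 'Department Match' -ProposedAcl $proposed
Get-ADCentralAccessRule -Identity 'Department Match' | Format-List Name, CurrentAcl, ProposedAcl

# Steps 16-17 (on LON-SVR1): the staged rule reaches the file server with the
# next policy refresh.
gpupdate /force

# Detection: event 4818 is logged when the proposed policy would grant access
# different from the current policy. Flatten each event's data fields so the
# user, object, and masks can be compared without knowing the field names in advance.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Detail = ($fields.GetEnumerator() | Sort-Object Key |
                      ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; '
        }
    } | Format-Table -Wrap
```

A staged rule that produces no 4818 events after users have worked with the folders for a while is evidence that the change is harmless; a burst of them tells you who would gain or lose access before anyone actually does. Remove the proposed ACL with Set-ADCentralAccessRule -ProposedAcl $null once the review is done.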



Lesson 4
Implementing Access Denied Assistance
Contents:
Demonstration: Implementing Access Denied Assistance 10

Demonstration: Implementing Access Denied Assistance


Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.

3. Right-click DAC Policy, and then click Edit.

4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.

5. In the details pane, double-click Customize Message for Access Denied errors.

6. In the Customize Message for Access Denied errors window, click Enabled.

7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.

8. Select the Enable users to request assistance check box. Review other options, but do not make any
changes, and then click OK.

9. In the details pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types. Click Enabled, and then click OK.

10. Close the Group Policy Management Editor and the Group Policy Management Console.

11. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.

12. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait
until Group Policy is updated for both user and computer.
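The server side of access-denied assistance is also configurable through File Server Resource Manager, which is convenient on a file server that is not in the scope of the DAC Policy GPO. This added example is not course material. It assumes the FileServerResourceManager module on LON-SVR1 and, for the client-side policy in step 9, that the registry value EnableShellExecuteFileStreamCheck under HKLM\Software\Policies\Microsoft\Windows\Explorer is what that Group Policy setting writes (an assumption to confirm in the editor's registry view).

```powershell
# Added example (not course material). Assumptions: FileServerResourceManager
# module on LON-SVR1; GroupPolicy module on LON-DC1; the client-side setting
# "Enable access-denied assistance on client for all file types" is backed by the
# registry value named below (confirm before relying on it).
Import-Module FileServerResourceManager

# Steps 5-8, server side: the custom message and the "request assistance" option.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage 'You are denied access because of permission policy. Please request access.' `
    -AllowRequests $true
Get-FsrmAdrSetting -Event AccessDenied | Format-List Enabled, DisplayMessage, AllowRequests

# Step 9, client side (run on LON-DC1): the matching value in the DAC Policy GPO.
Import-Module GroupPolicy
Set-GPRegistryValue -Name 'DAC Policy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\Explorer' `
    -ValueName 'EnableShellExecuteFileStreamCheck' -Type DWord -Value 1
Get-GPRegistryValue -Name 'DAC Policy' -Key 'HKLM\Software\Policies\Microsoft\Windows\Explorer'
```

Keep the message generic, as the demonstration does: it is shown to users who were just denied access, so it should not reveal which rule or group membership would have granted it.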

Lesson 5
Implementing and Managing Work Folders
Contents:
Demonstration: Implementing Work Folders 12

Demonstration: Implementing Work Folders


Demonstration Steps
1. On LON-SVR2, in Server Manager, click File and Storage Services, and then click Work Folders.

2. In the WORK FOLDERS tile, click Tasks, and then click New Sync Share.

3. In the New Sync Share Wizard, on the Before you begin page, click Next.

4. On the Select the server and path page, click Select by file share, ensure that WF-Share is
highlighted, and then click Next.

5. On the Specify the structure for user folders page, accept the default selection (User alias), and then
click Next.

6. On the Enter the sync share name page, accept the default, and then click Next.

7. On the Grant sync access to groups page, note the default selection to disable inherited
permissions and grant users exclusive access, and then click Add.

8. In the Select User or Group dialog box, in the Enter the object names to select, type WFsync, click
Check Names, and then click OK.

9. On the Grant sync access to groups page, click Next.

10. On the Specify device policies page, note the selections, accept the default selection, and then click
Next.

11. On the Confirm selections page, click Create.

12. On the View results page, click Close.

13. Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

14. Open Server Manager, click Tools, and then click Group Policy Management.

15. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, click Group Policy Objects, right-click the
Group Policy Objects container, and then click New.

16. In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
17. Right-click Work Folders GPO, and then click Edit.

18. In the Group Policy Management Editor, expand User Configuration\ Policies\Administrative
Templates\Windows Components, and then click Work Folders.

19. Double-click Specify Work Folders settings in the details pane.

20. In the Specify Work Folders settings dialog box, click Enabled.

21. In the Work Folders URL text box, type https://lon-svr2.adatum.com, and then select Force
automatic setup.

22. Click OK to close the Specify Work Folders settings dialog box, and then close the Group Policy
Management Editor.

23. In the Group Policy Management Console, right-click the Adatum.com domain object, and then
select Link an Existing GPO.

24. In the Select GPO window, select Work Folders GPO, and then click OK.

25. Close the Group Policy Management Console.
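The sync share and the user-side policy can be created from the SyncShare and GroupPolicy modules. This added example is not part of the course material. It assumes the share folder on LON-SVR2 is C:\WF-Share, the group is Adatum\WFsync, and that the "Specify Work Folders settings" policy is backed by the registry values SyncUrl and AutoProvision under HKCU\Software\Policies\Microsoft\Windows\WorkFolders (an assumption to confirm in the editor's registry view).

```powershell
# Added example (not course material). Assumptions: SyncShare module on LON-SVR2
# (installed with the Work Folders role service); path C:\WF-Share; group
# Adatum\WFsync; GroupPolicy module on LON-DC1; registry values SyncUrl and
# AutoProvision back the "Specify Work Folders settings" policy.

# --- On LON-SVR2 (steps 1-12). Device policies from step 10 are made explicit:
# encrypt the Work Folders data and require a lock screen with a password.
Import-Module SyncShare
New-SyncShare -Name 'WF-Share' -Path 'C:\WF-Share' -User 'Adatum\WFsync' `
    -RequireEncryption $true -RequirePasswordAutoLock $true
Get-SyncShare -Name 'WF-Share' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# Step 7's default ("disable inherited permissions and grant users exclusive
# access") shows up as protected access rules on the share root: expect True.
(Get-Acl -Path 'C:\WF-Share').AreAccessRulesProtected

# --- On LON-DC1 (steps 14-24): user-side policy, linked at the domain root.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'Work Folders GPO'
$key = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'SyncUrl' `
    -Type String -Value 'https://lon-svr2.adatum.com'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'AutoProvision' `
    -Type DWord -Value 1
New-GPLink -Name $gpo.DisplayName -Target 'DC=Adatum,DC=com' -LinkEnabled Yes
Get-GPRegistryValue -Name $gpo.DisplayName -Key $key
```

The Work Folders URL is HTTPS only; clients refuse to sync over plain HTTP, so the server must present a certificate for lon-svr2.adatum.com that the devices trust before forced automatic setup will succeed.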



Module Review and Takeaways


Best Practices
Use central access policies instead of configuring conditional expressions on resources.

Enable Access Denied Assistance settings.

Always test changes that you have made to central access rules and central access policies before you
implement them.

Use file classifications to assign properties to files.

Use Work Folders to synchronize business data across devices.

Use Workplace Join in Bring Your Own Device (BYOD) scenarios.

Review Question(s)
Question: What is a claim?

Answer: A claim is information that AD DS states about an object, which usually is a user or a computer.

Question: What is the purpose of Central Access Policy?

Answer: Central access policies enable administrators to create policies that apply to one or more file
servers in an organization. Central access policies contain one or more central access policy rules.
Each rule contains settings that determine applicability and permissions.

Question: What is the BYOD concept?

Answer: BYOD is the policy of permitting employees to bring personal devices, such as laptops, tablets,
and smart phones, to the workplace, and allowing employees to use those devices to access
privileged company information and applications.

Question: How do Work Folders support the BYOD concept?

Answer: By using Work Folders, users can access their business data even from non-Windows and
non-domain-joined devices. Also, administrators retain control over the data if a device is lost
or a user leaves the company.

Tools

Tool: Active Directory Administrative Center
Use: Administering and creating claims, resource properties, rules, and policies
Location: Administrative tools

Tool: Group Policy Management Console (GPMC)
Use: Managing Group Policy
Location: Administrative tools

Tool: Group Policy Management Editor
Use: Editing GPOs
Location: GPMC

Common Issues and Troubleshooting Tips

Common Issue: Claims are not populated with the appropriate values.
Troubleshooting Tip: Verify that the correct attribute is selected for the claim. In addition, check that
the attribute value for a specific object is populated.

Common Issue: A conditional expression does not allow access.
Troubleshooting Tip: Verify that the expression is well defined. In addition, try using the Effective
Access tab to troubleshoot the problem.

Lab Review Questions and Answers


Lab: Implementing Secure Data Access
Question and Answers
Question: How do file classifications enhance the usage of DAC?

Answer: By using file classifications, you can set attributes on files automatically, and then use these
attributes in conditional expressions when you implement DAC.

Question: Can you implement DAC without central access policy?

Answer: Yes, you can set conditional expressions directly on resources.


Implementing Distributed Active Directory Domain Services Deployments 4-1

Module 4
Implementing Distributed Active Directory Domain
Services Deployments
Contents:
Lesson 1: Overview of Distributed AD DS Deployments 2

Lesson 2: Deploying a Distributed AD DS Environment 5

Lesson 3: Configuring AD DS Trusts 8

Lab Review Questions and Answers 12



Lesson 1
Overview of Distributed AD DS Deployments
Contents:
Question and Answers 3
Resources 4

Question and Answers

Discussion: AD DS Components Overview


Question: What is an AD DS domain?

Answer: An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of
management and security. All of these objects are stored in the AD DS database, and a copy of
this data is stored on every domain controller in the AD DS domain. Because of this, the AD DS
database is fault-tolerant, and clients can access AD DS domain information at any AD DS
domain controller in the AD DS domain. AD DS provides a searchable hierarchical directory, and
provides a framework for applying configuration and security settings for objects in the
enterprise. You can use AD DS and Group Policy Objects (GPOs) to apply configuration and
security settings to user and computer accounts.

Question: What is an AD DS domain tree?

Answer: An AD DS domain tree is a collection of one or more AD DS domains that form a contiguous
namespace. For instance, if the first domain in the forest is adatum.com, you could create an
additional domain as a child domain in that namespace. An example is atl.adatum.com.

Sometimes it is beneficial to have more than one domain in the forest. When you add a domain
to an existing forest, you can add it as a child domain to an existing domain. This adds the
domain to the domain tree. You can also create the domain as a new domain tree in the forest.
An example of this would be if A. Datum Corporation, an established company with an AD DS
forest named adatum.com, acquired a company called Fabrikam, Inc. An additional tree called
fabrikam.com could be created in the adatum.com forest. Although the new domain is a new
domain tree and accompanying new namespace, it is still integrated with the existing forest.

Question: What is an AD DS forest?

Answer: An AD DS forest is a collection of one or more AD DS trees. Each AD DS tree will contain one or
more AD DS domains. The AD DS forest is the outermost boundary for the AD DS security and
administration.

Question: What are trust relationships?

Answer: Trust relationships (trusts) are authentication pipelines between different domains. Some trusts
are generated automatically as part of the domain installation process, and others are trusts that
you create manually for various reasons. Trust relationships form the framework that allows
resource sharing between domains, and they also provide the structure that supports
authentication between domains.

Question: What is the global catalog?

Answer: The global catalog provides a central directory of every object in the forest, and is unique in
each AD DS forest. Unlike the individual domain partitions that store a complete writeable
attribute set for all objects in the domain, the global catalog is a read-only list of some attributes
for every object in the forest. The global catalog makes it easy to locate objects from different
domains in a multidomain forest. For example, Microsoft Exchange Server uses the global
catalog to locate all email recipients in a forest.

Resources

Why Implement Multiple Forests?



Best Practice: As a best practice, choose the simplest design that achieves the required
goal, as it will be less costly to implement and more straightforward to administer.

Lesson 2
Deploying a Distributed AD DS Environment
Contents:
Resources 6
Demonstration: Installing a Domain Controller in a New Domain in a Forest 6

Resources

AD DS Domain Functional Levels

Additional Reading: To learn more about the AD DS domain functional levels, see
Understanding Active Directory Domain Services (AD DS) Functional Levels at
http://go.microsoft.com/fwlink/?LinkId=270028

Demonstration: Installing a Domain Controller in a New Domain in a Forest
Demonstration Steps
Install the AD DS binaries on TOR-DC1
1. On TOR-DC1, in the Server Manager, click Add Roles and Features.

2. In the Add Roles and Features Wizard, click Next.

3. On the Select installation type page, ensure that Role-based or feature-based installation is
selected, and then click Next.

4. On the Select destination server page, ensure that Select a server from the pool is selected. In the
Server Pool page, verify that TOR-DC1.Adatum.com is highlighted, and then click Next.

5. On the Select server roles page, select the Active Directory Domain Services check box, click Add
Features, and then click Next.

6. On the Select features page, click Next.

7. On the Active Directory Domain Services page, review the message, and then click Next.

8. On the Confirm installation selections page, review the message, and then click Install. Installation
will take several minutes.

9. On the Results page, click Promote this server to a domain controller. The wizard continues.

Configure TOR-DC1 as an AD DS domain controller using the AD DS Installation Wizard
1. On the Deployment Configuration page, select the Add a new domain to an existing forest
option, and then, next to Select domain type, confirm that Child Domain is selected.

2. In the Parent domain name field, verify that Adatum.com is listed.

3. In the New domain name box, type NA, and then click Next.

4. On the Domain Controller Options page, ensure that Windows Server 2012 R2 is selected as the
Domain functional level, that Domain Name System (DNS) server is selected, and that Global
Catalog (GC) is selected.

5. In the Type the Directory Services Restore Mode (DSRM) password text boxes, type Pa$$w0rd in
both boxes, and then click Next.

6. On the DNS Options page, click Next.

7. On the following three windows (Additional Options, Paths, and Review Options), click Next. In the
Prerequisites Check window, click Install.

8. Review the information, and allow TOR-DC1 to reboot as an AD DS domain controller in the new
AD DS domain that you created in the AD DS forest.

9. Sign in to TOR-DC1 as NA\Administrator with the password Pa$$w0rd, and review some of the
AD DS tools to confirm the installation of the new domain.
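The same promotion can be scripted with the ADDSDeployment module, which also exposes the prerequisites check as its own cmdlet. This added example is not part of the course material. It is run in an elevated session on TOR-DC1 and assumes the credential prompt is answered with Adatum\Administrator, that the DSRM password is the lab's Pa$$w0rd, and that Test-ADDSDomainInstallation reports a Status of Success when the checks pass.

```powershell
# Added example (not course material): child-domain promotion from PowerShell on
# TOR-DC1. Assumptions: ADDSDeployment module (installed with the AD DS role);
# parent-domain credential Adatum\Administrator; DSRM password Pa$$w0rd;
# Test-ADDSDomainInstallation returns Status = 'Success' when checks pass.

# First task, steps 1-8: install the binaries and the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
$cred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Parent domain credentials'
# Single quotes: PowerShell must not try to expand "$$" inside the lab password.
$dsrm = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force

# Second task, steps 1-6, as one parameter set shared by the check and the install.
$params = @{
    NewDomainName                 = 'NA'
    ParentDomainName              = 'Adatum.com'
    DomainType                    = 'ChildDomain'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $true   # writes the delegation record on the parent's DNS
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true   # no interactive confirmation
}

# Step 7: the "Prerequisites Check" page. Only promote when it passes.
$check = Test-ADDSDomainInstallation @params
$check | Format-List *
if ($check.Status -eq 'Success') {
    # Step 8: promotes and reboots TOR-DC1 as the first DC of na.adatum.com.
    Install-ADDSDomain @params
}

# Step 9, after the reboot, signed in as NA\Administrator: confirm the new domain
# and that this DC is a global catalog with DNS installed.
Get-ADDomain -Identity 'na.adatum.com' | Format-List DNSRoot, DomainMode, ParentDomain, PDCEmulator
Get-ADDomainController -Identity 'TOR-DC1' | Format-List HostName, Domain, IsGlobalCatalog, IsReadOnly
Get-WindowsFeature -Name DNS | Format-List Name, InstallState
```

CreateDnsDelegation is the scripted counterpart of the delegated subdomain record discussed in the lab review for this module; without it (or a stub zone on the parent), LON-DC1 cannot find a DNS server for na.adatum.com.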

Lesson 3
Configuring AD DS Trusts
Contents:
Resources 9
Demonstration: Configuring a Forest Trust 9

Resources

Configuring Advanced AD DS Trust Settings


Additional Reading:

For more information on configuring SID filter quarantining on external trusts, see
http://go.microsoft.com/fwlink/?LinkId=270030

For more information on enabling selective authentication over a forest trust, see
http://go.microsoft.com/fwlink/?LinkId=270046

For more information on name-suffix routing, see http://go.microsoft.com/fwlink/?LinkId=270047

Demonstration: Configuring a Forest Trust


Demonstration Steps
Configure DNS name resolution by using a conditional forwarder
1. On LON-DC1, in Server Manager, click the Tools menu, and in the drop-down list, click DNS. DNS
Manager opens.

2. In the DNS Manager, expand LON-DC1, click and then right-click Conditional Forwarders, and then
click New Conditional Forwarder.

3. In the New Conditional Forwarder window, in the DNS Domain: box, type treyresearch.net.

4. In the IP addresses of the master servers: text box, type 172.16.10.10. Click in the open space, and
then click OK. (If an error displays, ignore it).
5. Close the DNS Manager.

6. Switch to TREY-DC1, and repeat steps 1 through 5. Use the domain name Adatum.com with the IP
address 172.16.0.10.

Configure a two-way selective forest trust


1. In LON-DC1, from the Tools menu, click Active Directory Domains and Trusts.

2. When the Active Directory Domains and Trusts window opens, right-click Adatum.com, and then
click Properties.
3. In the Adatum.com Properties dialog box, on the Trusts tab, click New Trust.

4. In the New Trust Wizard, click Next.

5. On the Trust Name page, in the Name text box, type treyresearch.net, and then click Next.

6. In the New Trust Wizard, click Forest trust, and then click Next.

7. In the Direction of Trust page, click Two-way, and then click Next.

8. In the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

9. In the User name: text box, type Administrator. In the Password text box, type Pa$$w0rd, and then
click Next.

10. In the Outgoing Trust Authentication Level-Local Forest page, click Selective authentication,
and then click Next.

11. In the Outgoing Trust Authentication Level-Specified Forest page, click Selective authentication,
and then click Next.

12. In the Trust Selections Complete page, click Next.



13. In the Trust Creation Complete page, click Next.

14. In the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.

15. In the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.

16. On the Completing the New Trust Wizard page, click Finish.

17. In the Adatum.com Properties dialog box, click OK.
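Both tasks of this demonstration can be done from PowerShell: the conditional forwarders with the DnsServer module, and the forest trust with the .NET Forest class (there is no trust-creation cmdlet in the Windows Server 2012 ActiveDirectory module, but Get-ADTrust reads the result). This added example is not part of the course material. It assumes the DnsServer and ActiveDirectory modules on both domain controllers and, as in the demonstration, the remote forest credentials Administrator / Pa$$w0rd, written here as TREYRESEARCH\Administrator.

```powershell
# Added example (not course material). Assumptions: DnsServer and ActiveDirectory
# modules on LON-DC1 and TREY-DC1; remote forest credentials
# TREYRESEARCH\Administrator / Pa$$w0rd (lab values; prompt for them elsewhere).
Import-Module DnsServer, ActiveDirectory

# Task 1, steps 1-5 on LON-DC1: forward treyresearch.net to its DNS server.
Add-DnsServerConditionalForwarderZone -Name 'treyresearch.net' -MasterServers 172.16.10.10
# Step 6, the mirror image, is run on TREY-DC1:
#   Add-DnsServerConditionalForwarderZone -Name 'Adatum.com' -MasterServers 172.16.0.10
# Prove resolution works before creating the trust: this SRV record is what
# the trust wizard itself looks up to find a domain controller in the other forest.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.treyresearch.net' -Type SRV

# Task 2, steps 1-17: a two-way forest trust created from both sides, which is
# what the wizard's "Both this domain and the specified domain" option does.
Add-Type -AssemblyName System.DirectoryServices
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    'Forest', 'treyresearch.net', 'TREYRESEARCH\Administrator', 'Pa$$w0rd')
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

$local.CreateTrustRelationship($remote, 'Bidirectional')

# Steps 10-11: selective authentication in both directions. Users from the other
# forest then get no access to a server unless they are explicitly granted
# "Allowed to authenticate" on that server's computer object.
$local.SetSelectiveAuthenticationStatus($remote, $true)
$remote.SetSelectiveAuthenticationStatus($local, $true)

# Steps 14-15: confirm both directions work (throws if either side fails).
$local.VerifyTrustRelationship($remote, 'Bidirectional')

# What to check afterwards: direction, transitivity, selective authentication,
# and the SID filtering state of the new forest trust.
Get-ADTrust -Filter { Target -eq 'treyresearch.net' } |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication,
                SIDFilteringForestAware, SIDFilteringQuarantined
```

Selective authentication and SID filtering address different risks: the first limits which servers a trusted forest's users may authenticate to, the second prevents SIDs from outside the trusted forest from being honoured in a user's token. Review both settings in the Get-ADTrust output whenever a trust is created or modified.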



Common Issues and Troubleshooting Tips

Common Issue: You receive error messages such as: DNS lookup failure, RPC server unavailable, domain
does not exist, or domain controller could not be found.
Troubleshooting Tip: Usually, these errors are caused by a DNS record lookup failure or an incorrectly
configured firewall. Ensure that there are at least two working DNS servers available on the network.
Ensure that every computer has at least two DNS servers configured in its network configuration. Verify
that DNS servers are able to successfully resolve queries for DNS records outside of their DNS domain (for
instance, Internet addresses). Use troubleshooting tools such as nslookup, dnslint, DCdiag, netdiag,
repadmin, replmon, and Event Viewer.

Common Issue: User cannot be authenticated to access resources on another AD DS domain or Kerberos
realm.
Troubleshooting Tip: Use the Active Directory Domains and Trusts console (Domain.msc) or the command-line
tool Netdom to validate trust relationships. If necessary, reset the trust password. Check to ensure that
trust relationships are configured for the right direction. Verify that all AD DS domain controllers have
registered all of the correct SRV records in the DNS database. (You can restart the Netlogon service on an
AD DS domain controller to force it to reregister the SRV records in the DNS database.)

Lab Review Questions and Answers


Lab: Implementing Distributed AD DS Deployments
Question and Answers
Question:

Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child
domain na.adatum.com?

Answer: You did this so that the Domain Name System running on LON-DC1 would be able to locate a
DNS server for the na.adatum.com DNS domain.

Question: What are the alternatives to creating a delegated subdomain record in the previous question?

Answer: On LON-DC1, you could create a stub zone for na.adatum.com to provide an up-to-date list of
the DNS servers for the na.adatum.com DNS domain. You could also configure on LON-DC1 a
secondary DNS zone file for na.adatum.com, but it would entail more DNS replication traffic.

Question: When you are creating a forest trust, why would you create a selective trust instead of a
complete trust?

Answer: You would create a selective trust instead of a complete trust if you did not require a full link-up
between two forests, but wanted a strictly controlled amount of interactivity.

Module 5
Implementing Active Directory Domain Services Sites and
Replication
Contents:
Lesson 1: AD DS Replication Overview
Lesson 2: Configuring AD DS Sites
Lesson 3: Configuring and Monitoring AD DS Replication
Module Review and Takeaways
Lab Review Questions and Answers



Lesson 1
AD DS Replication Overview
Contents:
Question and Answers

Question and Answers

How AD DS Replication Works Within a Site


Question: Describe the circumstances that result when you manually create a connection object between
domain controllers within a site.

Answer: Creating a connection object manually is not typically required or recommended because the
KCC does not verify or use the manual connection object for failover. The KCC will also not
remove manual connection objects, which means that you must remember to delete connection
objects that you create manually.

Lesson 2
Configuring AD DS Sites
Contents:
Demonstration: Configuring AD DS Sites

Demonstration: Configuring AD DS Sites


Demonstration Steps
1. On LON-DC1, in the Server Manager, click Tools, and then click Active Directory Sites and Services.

2. In Active Directory Sites and Services, expand Sites, and then click Default-First-Site-Name.

3. Right-click Default-First-Site-Name, and then click Rename.

4. Type LondonHQ, and then press Enter.

5. In the navigation pane, right-click Sites, and then click New Site.

6. In the New Object Site dialog box, in the Name text box, type Toronto.

7. Select DEFAULTIPSITELINK, and then click OK.

8. In the Active Directory Domain Services dialog box, click OK.

9. In the navigation pane, right-click Subnets, and then click New Subnet.
10. In the New Object Subnet dialog box, in the Prefix text box, type 172.16.0.0/24.

11. Under Select a site object for this prefix, click LondonHQ, and then click OK.

12. In the navigation pane, right-click Subnets, and then click New Subnet.

13. In the New Object Subnet dialog box, in the Prefix text box, type 172.16.1.0/24.
14. Under Select a site object for this prefix, click Toronto, and then click OK.

15. In the navigation pane, expand LondonHQ, and then expand Servers.

16. Right-click TOR-DC1, and then click Move.

17. In the Move Server dialog box, select Toronto, and then click OK.

18. In the navigation pane, expand Toronto, and then expand Servers.

19. Verify that TOR-DC1 is now located in the Toronto Site.
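The same site, subnet and server layout built with the ActiveDirectory module instead of the Active Directory Sites and Services console. This is an added example, not part of the course material; it assumes it runs on LON-DC1 as a member of Enterprise Admins.

```powershell
Import-Module ActiveDirectory

# Steps 3-4: rename Default-First-Site-Name to LondonHQ
Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue |
    Rename-ADObject -NewName 'LondonHQ'

# Steps 5-8: create the Toronto site and attach it to the existing DEFAULTIPSITELINK
New-ADReplicationSite -Name 'Toronto'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'Toronto' }

# Steps 9-14: one subnet per site; clients are mapped to a site by the prefix their address falls in
New-ADReplicationSubnet -Name '172.16.0.0/24' -Site 'LondonHQ'
New-ADReplicationSubnet -Name '172.16.1.0/24' -Site 'Toronto'

# Steps 16-17: move TOR-DC1 into the Toronto site
Move-ADDirectoryServer -Identity 'TOR-DC1' -Site 'Toronto'

# Step 19: verify. Every DC with the site it lives in ...
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address

# ... any subnet that is defined but not associated with a site (clients there fall back to
# querying all DCs in the domain) ...
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name

# ... and the site the local machine resolves itself into through the DC locator
nltest /dsgetsite
```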



Lesson 3
Configuring and Monitoring AD DS Replication
Contents:
Demonstration: Configuring AD DS Intersite Replication
Demonstration: Configuring Password Replication Policies

Demonstration: Configuring AD DS Intersite Replication


Demonstration Steps
1. On TOR-DC1, in Server Manager, click Tools and then click Active Directory Sites and Services.

2. In Active Directory Sites and Services, expand Sites, and then expand Inter-Site Transports.

3. Click IP, right-click DEFAULTIPSITELINK, and then click Rename.

4. Type LON-TOR, and then press Enter.

5. Right-click LON-TOR, and then click Properties. Describe the Cost, Replicate every, and Change
Schedule options.

6. In the LON-TOR Properties dialog box, next to Replicate every, configure the value to be 60
minutes.

7. Click Change Schedule.

8. Highlight the range from Monday 12 PM to Friday 4 PM, as follows:

o Using the mouse, click at the Monday at 12:00 PM tile.

o With the mouse button still pressed down, drag the cursor to the Friday at 4:00 PM tile.

9. Click Replication Not Available and then click OK.

10. Click OK to close the LON-TOR Properties dialog box.

11. In the navigation pane, right-click IP, and then click Properties.

12. In the IP Properties dialog box, point out and explain the Bridge all site links option.

13. Click OK to close the IP Properties dialog box.
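The site link settings from this demonstration (rename, 60-minute interval, the blocked schedule range, and the Bridge all site links option) applied and read back from Windows PowerShell. This is an added example, not part of the course material; it assumes the ActiveDirectory module on TOR-DC1 and treats the highlighted range as Monday 12:00 PM through the end of the Friday 4:00 PM hour.

```powershell
Import-Module ActiveDirectory
$ns = 'System.DirectoryServices.ActiveDirectory'

# Steps 3-4: rename DEFAULTIPSITELINK to LON-TOR
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' | Rename-ADObject -NewName 'LON-TOR'

# Step 6: replicate every 60 minutes; the cost keeps its default of 100
Set-ADReplicationSiteLink -Identity 'LON-TOR' -ReplicationFrequencyInMinutes 60

# Steps 7-9: the availability schedule. RawSchedule is a [bool[7,24,4]] indexed by day of week
# (Sunday = 0), hour and 15-minute slot; $true means replication may start in that slot.
# Everything is available except the range marked "Replication Not Available" in the console.
$raw        = [array]::CreateInstance([bool], 7, 24, 4)
$blockStart = (1 * 24 + 12) * 60      # Monday 12:00 PM, in minutes from Sunday 00:00
$blockEnd   = (5 * 24 + 17) * 60      # end of the Friday 4:00 PM hour
for ($d = 0; $d -lt 7; $d++) {
    for ($h = 0; $h -lt 24; $h++) {
        for ($q = 0; $q -lt 4; $q++) {
            $minute = ($d * 24 + $h) * 60 + $q * 15
            $raw[$d, $h, $q] = -not ($minute -ge $blockStart -and $minute -lt $blockEnd)
        }
    }
}
$schedule = New-Object "$ns.ActiveDirectorySchedule"
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity 'LON-TOR' -ReplicationSchedule $schedule

# Steps 11-12: "Bridge all site links" is the absence of the BRIDGES_REQUIRED bit (0x2) in the
# options attribute of the IP inter-site transport container
$ipTransport = Get-ADObject -Identity ("CN=IP,CN=Inter-Site Transports,CN=Sites," +
    (Get-ADRootDSE).configurationNamingContext) -Properties options
$bridgeAllSiteLinks = -not (([int]$ipTransport.options -band 0x2) -eq 0x2)

# Read everything back; SlotsAvailable counts the 15-minute slots in which replication may start
Get-ADReplicationSiteLink -Identity 'LON-TOR' -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'SlotsAvailable'; e = { @($_.ReplicationSchedule.RawSchedule | Where-Object { $_ }).Count } }
"Bridge all site links: $bridgeAllSiteLinks"
```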

Demonstration: Configuring Password Replication Policies


Demonstration Steps
1. On LON-DC1, from Server Manager, click Tools and then click Active Directory Users and
Computers.

2. In the console tree, expand the Adatum.com domain, and then click the Domain Controllers
organizational unit (OU).

3. Right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account.

4. In the Active Directory Domain Services Installation Wizard, on the Welcome page, click Next.

5. On the Network Credentials page, click Next.

6. On the Specify the Computer Name page, type LON-RODC1, and then click Next.

7. On the Select a Site page, click Toronto, and then click Next.

8. On the Additional Domain Controller Options page, click Next.

9. On the Delegation of RODC Installation and Administration page, click Next.

10. Review your selections on the Summary page, and then click Next.

11. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

12. In the console, click the Domain Controllers OU.

13. Right-click LON-RODC1, and then click Properties.

14. Click the Password Replication Policy tab, and then view the default policy.

15. Click Cancel to close LON-RODC1 Properties.

16. In the Active Directory Users and Computers console, click the Users container.

17. Double-click Allowed RODC Password Replication Group, and then click the Members tab.

18. Examine the default membership of Allowed RODC Password Replication Group, and then click OK.
There should be no members by default.

19. Double-click Denied RODC Password Replication Group.

20. Click the Members tab.

21. Click Cancel to close the Denied RODC Password Replication Group properties.
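The Password Replication Policy of LON-RODC1 inspected, scoped and audited from Windows PowerShell. This is an added example, not part of the course material; it assumes the ActiveDirectory module on LON-DC1, that the RODC account from the demonstration exists, and the group name Toronto Users is hypothetical.

```powershell
Import-Module ActiveDirectory
$rodc = 'LON-RODC1'

# Step 14: the policy as stored on the RODC's computer object. A principal on the denied list is never
# cached, even if it is also on the allowed list.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList |
    Select-Object @{ n = 'List'; e = { 'Allowed' } }, Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList |
    Select-Object @{ n = 'List'; e = { 'Denied' } }, Name, ObjectClass

# Steps 17-21: membership of the two built-in groups that the default policy refers to
foreach ($g in 'Allowed RODC Password Replication Group', 'Denied RODC Password Replication Group') {
    '{0}: {1} member(s)' -f $g, @(Get-ADGroupMember -Identity $g).Count
}

# Scope caching on this RODC to the branch it serves (hypothetical group)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Toronto Users'

# Audit: which accounts currently have a password cached on the RODC ...
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# ... and flag any that are members of Domain Admins, which should never be cached on a branch DC
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$revealed | Where-Object { $admins -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${rodc}: $($_.SamAccountName)" }

# Accounts that authenticated through the RODC without being cacheable: candidates for the allowed
# list if they belong to the branch, or a sign of misrouted logons if they do not
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```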

Module Review and Takeaways


Best Practices
Implement the following best practices when you manage Active Directory sites and replication in
your environment:

Provide at least one global catalog server per site.

Ensure that all sites have appropriate subnets associated.

Do not set up long intervals without replication when you configure replication schedules for intersite
replication.

Avoid using SMTP as a protocol for replication.

Review Question(s)
Question: Why is it important that all subnets are identified and associated with a site in a multisite
enterprise?

Answer: The process of locating domain controllers and other services can be made more efficient by
referring clients to the correct site based on the client's IP address and the definition of subnets.
If a client has an IP address that does not belong to a site, the client will query for all domain
controllers in the domain. This is not an efficient strategy. In fact, a single client can be
performing actions against domain controllers in different sites, which can lead to unexpected
results if those changes have not yet replicated. Therefore, it is crucial that each client knows
what site it is in, which you can achieve by ensuring that domain controllers can identify a
client's site location.

Question: What are the advantages and disadvantages of reducing the intersite replication interval?

Answer: Reducing the intersite replication interval improves convergence. Changes made in one site
replicate more quickly to other sites. There are actually few, if any, disadvantages. If you consider
that the same changes must replicate whether they wait 15 minutes or three hours to replicate, it
is primarily a matter of replication timing rather than replication quantity. However, in some
extreme situations, it is possible that allowing a smaller number of changes to occur more
frequently might be less preferable than allowing a large number of changes to replicate less
frequently.

Question: What is the purpose of a bridgehead server?

Answer: The bridgehead server is responsible for all replication into and out of the site. Instead of
replicating all domain controllers from one site with all domain controllers in another site, you
can use bridgehead servers to manage intersite replication. However, if a particular bridgehead
server is not specifically needed for performance reasons or other factors, it is considered a best
practice to let the ISTG choose the bridgehead servers from among the available pool of site
domain controllers.

Common Issues and Troubleshooting Tips


Common Issue: Client cannot locate a domain controller in its site.

Troubleshooting Tip: Verify whether all SRV records for the domain controller are present in DNS. Verify
whether the domain controller has an IP address from the subnet that is associated with that site. Verify
that the client is a domain member and has the correct time.

Common Issue: Replication between sites does not work.

Troubleshooting Tip: Verify whether the site links are configured correctly. Verify the replication
schedule. Verify whether the firewall between the sites permits traffic for Active Directory replication;
use repadmin /bind.

Common Issue: Replication between two domain controllers in the same site does not work.

Troubleshooting Tip: Verify whether both domain controllers appear in the same site. Verify whether AD DS
is operating correctly on the domain controllers. Verify network communication, and that the time on each
server is valid.
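A health check that automates the verifications in this table and in the Module 4 troubleshooting table (DNS lookup failures and trust validation): DC locator SRV records, subnet-to-site coverage, trust verification with Netdom, and recorded replication failures. This is an added example, not part of the course material; it assumes it runs on a domain controller with the ActiveDirectory and DnsClient modules and that Netdom is present.

```powershell
Import-Module ActiveDirectory

function Test-InSubnet([ipaddress]$Address, [string]$Cidr) {
    # IPv4 prefixes only; IPv6 subnets or oddly named subnet objects are treated as not covering
    if ($Cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$') { return $false }
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $net, $bits = $Cidr.Split('/')
    $mask    = if ([int]$bits -eq 0) { [uint32]0 } else { [uint32](4294967296 - [math]::Pow(2, 32 - [int]$bits)) }
    $netInt  = [BitConverter]::ToUInt32(([ipaddress]$net).GetAddressBytes()[3..0], 0)
    $addrInt = [BitConverter]::ToUInt32($Address.GetAddressBytes()[3..0], 0)
    return (($netInt -band $mask) -eq ($addrInt -band $mask))
}

function Invoke-AdHealthCheck {
    $findings = New-Object System.Collections.Generic.List[string]
    $domain   = (Get-ADDomain).DNSRoot
    $dcs      = Get-ADDomainController -Filter *
    $subnets  = Get-ADReplicationSubnet -Filter *

    # Both tables: every DC must appear in the generic and in its site-specific LDAP SRV record set
    $generic = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    foreach ($dc in $dcs) {
        $siteRecords = Resolve-DnsName -Name "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$domain" `
            -Type SRV -ErrorAction SilentlyContinue
        foreach ($set in @{ Name = 'generic'; Records = $generic }, @{ Name = "site $($dc.Site)"; Records = $siteRecords }) {
            if (-not ($set.Records | Where-Object { $_.NameTarget -eq $dc.HostName })) {
                $findings.Add("$($dc.HostName): no $($set.Name) LDAP SRV record in DNS; restart Netlogon on it to re-register")
            }
        }

        # Module 5 table: the DC's address must fall inside a subnet that belongs to the DC's site
        if ($dc.IPv4Address) {
            $siteDn  = (Get-ADReplicationSite -Identity $dc.Site).DistinguishedName
            $covered = $subnets | Where-Object {
                $_.Site -eq $siteDn -and (Test-InSubnet ([ipaddress]$dc.IPv4Address) $_.Name) }
            if (-not $covered) {
                $findings.Add("$($dc.HostName): $($dc.IPv4Address) is not inside any subnet of site $($dc.Site)")
            }
        }
    }

    # Module 4 table: validate every trust with Netdom (exit code 0 means the trust verified)
    foreach ($trust in Get-ADTrust -Filter *) {
        $null = netdom trust $domain "/domain:$($trust.Target)" /verify
        if ($LASTEXITCODE -ne 0) {
            $findings.Add("trust to $($trust.Target) ($($trust.Direction), selective=$($trust.SelectiveAuthentication)) " +
                'failed verification; check the direction and reset the trust password if needed')
        }
    }

    # Module 5 table: replication failures the domain controllers have recorded (as repadmin would show)
    foreach ($failure in Get-ADReplicationFailure -Target $domain -Scope Domain) {
        $findings.Add("replication $($failure.Server) <- $($failure.Partner): $($failure.FailureType), " +
            "$($failure.FailureCount) failure(s) since $($failure.FirstFailureTime)")
    }
    return $findings
}

$findings = Invoke-AdHealthCheck
if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```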

Lab Review Questions and Answers


Lab: Implementing AD DS Sites and Replication
Question and Answers
Question: You decide to add a new domain controller to the LondonHQ site named LON-DC2. How can
you ensure that LON-DC2 is used to pass all replication traffic to the Toronto site?

Answer: You would have to configure this new domain controller as the preferred bridgehead server for
the LondonHQ site.

Question: You have added the new domain controller named LON-DC2 to the LondonHQ site. Which
AD DS partitions will be modified as a result?

Answer: It is likely that all of the partitions except the schema partition will be modified. You add the new
domain controller to both the domain partition and the configuration partition to ensure that
AD DS replication is configured correctly. If you are using Active Directory-integrated DNS, then
the domain controller records also will update in the DNS application partitions.

Question: In the lab, you created a separate site link for the Toronto and TestSite sites. What might you
also have to do to ensure that LondonHQ does not automatically create a connection object directly with
the TestSite site?

Answer: You may also have to turn off automatic site-link bridging so that you disable site transitivity
among LondonHQ, Toronto, and the TestSite.

Module 6
Implementing AD CS
Contents:
Lesson 1: Using Certificates in a Business Environment
Lesson 2: PKI Overview
Lesson 3: Deploying CAs
Lesson 4: Deploying and Managing Certificate Templates
Lesson 5: Implementing Certificate Distribution and Revocation
Lesson 6: Managing Certificate Recovery
Module Review and Takeaways
Lab Review Questions and Answers



Lesson 1
Using Certificates in a Business Environment
Contents:
Demonstration: Signing a Document Digitally

Demonstration: Signing a Document Digitally


Demonstration Steps
1. On LON-CL1, open Windows PowerShell.

2. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter.

3. Click the File menu, and then select Add/Remove Snap-in.

4. Select Certificates, click Add, select My user account, click Finish, and then click OK.

5. Expand Certificates-Current User, right-click Personal, select All Tasks, and then click Request
New Certificate.

6. In the Certificate Enrollment Wizard, click Next twice.

7. On the Certificate Enrollment page, in the list of available templates, select User, click Enroll, and
then click Finish.

8. Close the Console 1 window without saving changes.

9. Open Microsoft Word 2013.

10. In a blank document, type some text, and then save the file to the desktop.

11. On the toolbar, click INSERT, and then in the Text pane, in the Signature Line drop-down list box,
click Microsoft Office Signature Line.

12. In the Signature Setup window, type your name in the Suggested signer text box, type
Administrator in the Suggested signer's title text box, type Administrator@adatum.com in the
Suggested signer's e-mail address text box, and then click OK.

13. Right-click the signature line in the document, and then click Sign.

14. In the Sign window, click Change.

15. In the Certificate list, select the certificate with today's date, and then click OK.

16. In the text box to the right of the X, type your name, click Sign, and then click OK.

Note: Explain to the students that besides typing your name, you also can select an image
instead. This image can be your scanned, handwritten signature.

17. Ensure that the document cannot be edited anymore.

18. Close Word 2013, and save the changes when prompted.

19. Stay signed in for the next demonstration.



Lesson 2
PKI Overview
Contents:
Question and Answers

Question and Answers

What Is a Cross-Certification Hierarchy?


Question: Your company is currently acquiring another company. Both companies run their own PKI.
What could you do to minimize disruption and continue to provide PKI services seamlessly?
Answer: You could implement a cross-certification hierarchy.

Lesson 3
Deploying CAs
Contents:
Demonstration: Deploying a Root CA
Demonstration: Configuring CA Properties

Demonstration: Deploying a Root CA


Demonstration Steps
Deploy a root CA
1. On LON-SVR1, in the Server Manager, click Add roles and features.

2. On the Before You Begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, select Active Directory Certificate Services. In the Add Roles and
Features Wizard, click Add Features, and then click Next.
6. On the Select features page, click Next.

7. On the Active Directory Certificate Services page, click Next.

8. On the Select role services page, ensure that Certification Authority is selected, and then click
Next.

9. On the Confirm installation selections page, click Install.

10. On the Installation progress page, after the installation completes successfully, click the text
Configure Active Directory Certificate Services on the destination server.

11. In the AD CS Configuration Wizard, on the Credentials page, click Next.

12. On the Role Services page, select Certification Authority, and then click Next.

13. On the Setup Type page, select Enterprise CA, and then click Next.

14. On the CA Type page, click the Root CA option, and then click Next.

15. On the Private Key page, ensure that Create a new private key is selected, and then click Next.

16. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider
(CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.

17. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click
Next.

18. On the Validity Period page, click Next.

19. On the CA Database page, click Next.

20. On the Confirmation page, click Configure.

21. On the Results page, click Close.


22. On the Installation progress page, click Close.
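The same root CA deployed and then verified from Windows PowerShell. This is an added example, not part of the course material; it assumes it runs on LON-SVR1 as an Enterprise Admin. Key length 4096 follows the demonstration; the hash algorithm is set to SHA256 explicitly instead of accepting the wizard default, which is the one deliberate departure.

```powershell
# Steps 1-10: add the Certification Authority role service and its management tools
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 11-21: the AD CS Configuration Wizard in one call. Enterprise root CA named AdatumRootCA,
# default KSP, 4096-bit key, SHA256 signatures, default validity period.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'AdatumRootCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -Force

# Verify what was built: service state and CA name as certutil sees it ...
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -cainfo name

# ... and the CA's own certificate: key size and signature hash are what a reviewer checks first,
# because neither can be changed later without renewing the CA certificate
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=AdatumRootCA*' -and $_.HasPrivateKey }
[pscustomobject]@{
    Subject    = $caCert.Subject
    KeyBits    = $caCert.PublicKey.Key.KeySize
    Signature  = $caCert.SignatureAlgorithm.FriendlyName
    NotAfter   = $caCert.NotAfter
    Thumbprint = $caCert.Thumbprint
}
```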

Demonstration: Configuring CA Properties


Demonstration Steps
1. On LON-SVR1, open the Server Manager, click Tools, and then click Certification Authority.

2. In the certsrv console, right-click AdatumRootCA, and then select Properties.

3. On the General tab, click View Certificate. When the Certificate window opens, review the data on
the General, Details, and Certification Path tabs, and then click OK.

4. On the Policy Module tab, click Properties. Review the settings available for the Default policy
module, and then click OK.

5. On the Exit Module tab, click Properties. Show the Publication Settings available in the default Exit
module, and then click OK.

6. On the Extensions tab, review the options available for the CDP and AIA locations.

7. On the Security tab, review the available options on the access control list (ACL), and also review the
default permissions.

8. On the Certificate Managers tab, review the options and explain how to restrict security principals to
specific certificate templates, and then click Cancel.
9. Close the certsrv console.

Lesson 4
Deploying and Managing Certificate Templates
Contents:
Demonstration: Modifying and Enabling a Certificate Template

Demonstration: Modifying and Enabling a Certificate Template


Demonstration Steps
Modify and enable a certificate template
1. On LON-SVR1, on the taskbar, click the Server Manager icon.

2. In the Server Manager, click Tools, and then click Certification Authority.

3. In the Certification Authority console, expand AdatumRootCA, right-click Certificate Templates,
and then click Manage.

4. Review the list of default templates. Examine the templates and their properties.

5. In the Details pane, double-click IPsec.

6. In the IPsec Properties dialog box, scroll through the tabs, and note what you can modify on each
tab. Note that on the Security tab, you can define permissions for enrollment. Click Cancel to close
the template.

7. In the Certificate Templates console, in the Details pane, right-click the Exchange User certificate
template, and then click Duplicate Template.

8. In the Properties of New Template dialog box, review options on the Compatibility tab.

9. Click the General tab, and then in the Template display name text box, type Exchange User Test1.

10. Click the Superseded Templates tab, and then click Add.

11. Click the Exchange User template, and then click OK.

12. Click the Security tab, and then click Authenticated Users.

13. Under the Permissions for Authenticated Users node, select the Allow check boxes for Read,
Enroll, and Autoenroll, and then click OK.

14. Close the Certificate Templates console.

15. In the Certification Authority console, right-click Certificate Templates, point to New, and then click
Certificate Template to Issue.

16. In the Enable Certificate Templates dialog box, select the Exchange User Test1 certificate, and
then click OK.

Lesson 5
Implementing Certificate Distribution and Revocation
Contents:
Demonstration: Configuring the Restricted Enrollment Agent
Demonstration: Configuring an Online Responder

Demonstration: Configuring the Restricted Enrollment Agent


Demonstration Steps
Configure the Restricted Enrollment Agent
1. On LON-SVR1, on the taskbar, click the Server Manager icon.

2. In the Server Manager console, click Tools, and then open the Certification Authority.

3. In the certsrv console, expand AdatumRootCA, right-click Certificate Templates, and then click
Manage.

4. In the Certificate Templates console, double-click Enrollment Agent, click the Security tab, and then
click Add.

5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names,
and then click OK.

6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions, and then click
OK.

7. Close the Certificate Templates console.

8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.

9. In the list of templates, click Enrollment Agent, and then click OK.

10. Switch to LON-CL1, and sign in as Adatum\Allie with the password Pa$$w0rd.

11. On the Start screen, type mmc.exe, and then press Enter.

12. In Console1, open the File menu, and then click Add/Remove Snap-in.

13. Click Certificates, click Add, and then click OK.

14. Expand Certificates Current User, and then click Personal.

15. Right-click Personal, point to All Tasks, and then click Request New Certificate.

16. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.

17. On the Select Certificate Enrollment Policy page, click Next.

18. On the Request Certificates page, select Enrollment Agent, click Enroll, and then click Finish.

19. Switch to LON-SVR1.

20. In the Certification Authority console, right-click AdatumRootCA, and then click Properties.

21. In the AdatumRootCA Properties dialog box, click the Enrollment Agents tab.
22. On the Enrollment Agents tab, click Restrict Enrollment agents.

23. In the pop-up window, click OK.

24. On the Enrollment Agents tab, under Enrollment Agents, click Add.

25. In the Select User, Computer, or Group window, type Allie, click Check Names, and then click OK.

26. Click Everyone, and then click Remove.

27. In the certificate templates section, click Add.

28. In the list of templates, select User, and then click OK.

29. In the Certificate Templates section, click <All>, and then click Remove.

30. In the permission section, click Add.

31. In the Select User, Computer, or Group window, type Marketing, click Check Names, and then click
OK.

32. In the Permission section, click Everyone, click Remove, and then click OK.

Demonstration: Configuring an Online Responder


Demonstration Steps
Configure an Online Responder
1. On LON-SVR1, on the taskbar, click the Server Manager icon.

2. In the Server Manager, click Add roles and features.

3. Click Next three times.

4. On the Select server roles page, expand Active Directory Certificate Services (Installed), and then
select Online Responder.

5. Click Add Features.

6. Click Next two times, and then click Install.

7. When the message displays that installation is successful, click Configure Active Directory
Certificate Services on the destination server.

8. In the AD CS Configuration Wizard, click Next.

9. Select Online Responder, and then click Next.

10. Click Configure, and then click Close two times.

11. In the Server Manager console, click Tools, and then click the Certification Authority console on
LON-SVR1.
12. In the Certification Authority console, right-click AdatumRootCA, and then click Properties.

13. In the AdatumRootCA Properties dialog box, on the Extensions tab, in the Select extension list,
click Authority Information Access (AIA), and then click Add.

14. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK.

15. Select the Include in the AIA extension of issued certificates check box.

16. Select the Include in the online certificate status protocol (OCSP) extension check box, and then
click OK.

17. In the Certificate Authority box, restart Active Directory Certificate Services by clicking Yes.

18. In the certsrv console, expand AdatumRootCA, right-click the Certificate Templates folder, and
then click Manage.

19. In the Certificate Templates console, double-click the OCSP Response Signing template.

20. In the OCSP Response Signing Properties dialog box, click the Security tab. Under Permissions for
Authenticated Users, select the Allow for Enroll check box, and then click OK.

21. Close the Certificate Templates console.

22. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and
then click Certificate Template to Issue.

23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and
then click OK.

24. On LON-SVR1, in Server Manager, click Tools, and then click Online Responder Management.

25. In the Online Responder Management console, right-click Revocation Configuration, and then click
Add Revocation Configuration.

26. In the Add Revocation Configuration Wizard, click Next.

27. On the Name the Revocation Configuration page, in the Name text box, type AdatumCA Online
Responder, and then click Next.

28. On the Select CA Certificate Location page, click Next.

29. On the Choose CA Certificate page, click Browse, click the AdatumRootCA certificate, click OK, and
then click Next.

30. On the Select Signing Certificate page, verify that both Automatically select a signing certificate
and Auto-Enroll for an OCSP signing certificate are selected, and then click Next.

31. On the Revocation Provider page, click Finish. The revocation configuration status will display as
Working.

32. Close the Online Responder console.
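Steps 1 to 23 of this demonstration from Windows PowerShell: install the Online Responder, publish the OCSP URL in the AIA extension, grant the Enroll right on the OCSP Response Signing template, and issue the template. The template permission step uses the same ACL technique that step 13 of the certificate template demonstration performs on the Security tab. This is an added example, not part of the course material; it assumes LON-SVR1 already hosts AdatumRootCA and has the ActiveDirectory module installed.

```powershell
Import-Module ActiveDirectory

# Steps 1-10: add the Online Responder role service and configure it (creates the /ocsp application)
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# Steps 13-17: put http://LON-SVR1/ocsp into the OCSP part of the AIA extension of issued
# certificates, then restart the CA so that newly issued certificates carry the URL
Add-CAAuthorityInformationAccess -Uri 'http://LON-SVR1/ocsp' -AddToCertificateOcsp -Force
Restart-Service -Name CertSvc

# Step 20: grant Authenticated Users the Enroll right on the OCSP Response Signing template.
# This release has no template cmdlets, so the ACL on the template object in the Configuration
# partition is edited directly; Enroll is the Certificate-Enrollment extended right.
$cfg       = (Get-ADRootDSE).configurationNamingContext
$template  = "AD:\CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$enroll    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'   # Authenticated Users
$acl = Get-Acl -Path $template
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $authUsers, 'ExtendedRight', 'Allow', $enroll)))
Set-Acl -Path $template -AclObject $acl

# Steps 22-23: make the CA issue the template
Add-CATemplate -Name 'OCSPResponseSigning' -Force

# Steps 24-31 (the revocation configuration) stay a console task in Online Responder Management.

# Verify from the CA's side: the OCSP URL is in the AIA configuration and the template is issued
Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateOcsp } | Select-Object Uri
Get-CATemplate | Where-Object { $_.Name -eq 'OCSPResponseSigning' }
```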



Lesson 6
Managing Certificate Recovery
Contents:
Demonstration: Configuring a CA for Key Archival
Demonstration: Recovering a Lost Private Key

Demonstration: Configuring a CA for Key Archival


Demonstration Steps
Configure automatic key archival
1. On LON-SVR1, open the Certification Authority console.

2. In the Certificate Authority console, expand the AdatumRootCA node, right-click the Certificate
Templates folder, and then click Manage.

3. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.

4. In the Key Recovery Agent Properties dialog box, on the Issuance Requirements tab, clear the CA
certificate manager approval check box.

Note: This is for test purposes only. In a production environment, you should not change
this value.

5. On the Security tab, notice that Domain Admins and Enterprise Admins are the only groups that
have the Enroll permission, and then click OK. Make no changes here.

6. Close the Certificates Templates console.

7. In the Certificate Authority console, right-click Certificate Templates, point to New, click Certificate
Template to Issue, click Key Recovery Agent, and then click OK. This process configures the CA to
issue certificates based on the Key Recovery Agent template.

8. Click the Start screen, type mmc.exe, and then press Enter.
9. In the Console 1 window, click File, and then click Add/remove Snap-In.

10. On the Add/Remove Snap-ins page, select Certificates, and then click Add.

11. Select My user account, click Finish, and then click OK.

12. Expand Certificates - Current User, and then click Personal. Right-click Personal, select All tasks,
and then click Request New Certificate.

13. In the Certificate Enrollment Wizard, click Next twice.


14. On the Request Certificates page, select Key Recovery Agent and then click Enroll.

15. Click Finish.

16. Confirm that the new certificate displays in the Certificates store. If it displays, then you have enrolled
the Administrator as the KRA. Minimize the Certificates console.

17. Open the properties of AdatumRootCA.

18. On the Recovery Agents tab, click Archive the Key, click Add, and then select the Administrator
certificate. Click OK.

19. Click OK and click Yes to restart AD CS.

20. Right-click Certificate Templates, and then click Manage.

21. Double-click the Exchange User Test1 certificate to open the Properties dialog box. On the
Request Handling tab, click both Archive subject's encryption private key and Include
symmetric algorithms allowed by the subject. If a pop-up window displays, click OK.

22. Click OK to close the template.



Demonstration: Recovering a Lost Private Key


Demonstration Steps
Recover a lost private key
1. On LON-SVR1, go to the Start screen, type mmc.exe, and then press Enter.

2. Click File, and then click Add/Remove Snap-in.

3. Select Certificates, and then click Add.

4. Click My user account, and then click Finish and then click OK.

5. Expand Certificates - Current User, expand Personal, and then right-click Certificates. Then select
All tasks, and click Request New Certificate. Click Next twice.

6. Enroll for the Exchange User Test1 certificate by using the wizard. When you select the Exchange
User Test1 template in the wizard, click the link to open its settings and enter a subject name. In the
Type list, click Email, in the Value field type administrator@adatum.com, click Add, click OK, and then
click Enroll. Click Finish.

7. Verify that the certificate displays in the Personal->Certificates store.

8. Simulate a lost private key by deleting the administrator@adatum.com certificate from the Personal
certificate store. Right-click administrator@adatum.com, click Delete, and then click Yes. Minimize
the Certificates (Console1) console.

9. In the Certification Authority console, in the Issued Certificates folder, double-click the certificate with
Exchange User Test1 as the template name. This is the certificate that you issued in an earlier step.
From the Details tab, record the serial number. (You can copy and paste it to Notepad, and then
remove spaces between numbers.)

10. Open a command-prompt window with elevated privileges. (On the Start menu, type cmd, right-click
Command Prompt, and then click Run as Administrator.)

11. In the command-prompt window, switch to the root of drive C by typing cd.., and then press Enter.
(You might have to do this twice.)

12. Select the certificate serial number from Notepad, right-click it, and then select Copy.

13. Switch back to the command-prompt window, and type the following command, where
<serialnumber> is a number that you paste from Notepad:

Certutil -getkey <serialnumber> outputblob

Press Enter.

Note: If a question mark appears at the beginning of the number after you paste it in,
delete it. Also ensure that you remove all spaces from the serial number, or enclose the serial
number in quotation marks.

14. After the command completes successfully, open drive C and verify that the Outputblob file displays.

15. Switch back to the command-prompt window. At a command prompt, type the following, and then
press Enter:

Certutil -recoverkey outputblob recover.pfx

16. When prompted, type Pa$$w0rd as the new password, and then confirm the password.

17. Browse to drive C, and then verify that the Recover.pfx file (the recovered key) is created.

18. Right-click the recover.pfx file, and then click Install PFX. (Note: If the Install PFX option is not available,
select Open with, and then click Crypto Shell Extensions.)

19. Click Next two times.

20. Enter the password Pa$$w0rd, click Next twice, click Finish, and then click OK.

21. Restore the Certificates console (Console 1). Refresh the Certificates store.

22. Verify that the administrator@adatum.com certificate now displays.
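The certutil steps above, as an added PowerShell script that is not part of the course content: it looks the serial number up in the CA database instead of copying it through Notepad, applies the step 13 note by stripping stray characters from the serial, recovers and imports the key, and checks that the imported certificate carries its private key. Assumed: it runs elevated on LON-SVR1 as a user who holds the KRA private key; the template name, paths and PFX password are parameters with the demonstration's values as defaults.

```powershell
<#
  Added example, not part of the 20412C course content: a PowerShell wrapper
  for the key-recovery demonstration above. Assumptions: it runs elevated on
  the CA (LON-SVR1 in the course) as a user whose Personal store holds the
  KRA private key, and the template name, file paths and PFX password are
  parameters whose defaults are the demonstration's values.
#>
param(
    [string]$TemplateName = 'Exchange User Test1',
    [string]$BlobPath     = 'C:\outputblob',
    [string]$PfxPath      = 'C:\recover.pfx',
    [string]$PfxPassword  = 'Pa$$w0rd'
)
$ErrorActionPreference = 'Stop'

# Step 9 without Notepad: read the CA database (Disposition 20 = issued) and
# return the serial number of the newest certificate issued from $Template.
function Get-IssuedSerialByTemplate {
    param([string]$Template)
    $rows    = & certutil -view -restrict 'Disposition=20' -out 'RequestID,SerialNumber,CertificateTemplate'
    $wanted  = $Template -replace '\s', ''
    $current = $null
    $serial  = $null
    foreach ($line in $rows) {
        if ($line -match 'Serial Number:\s*"?([0-9A-Fa-f]+)"?') {
            $current = $Matches[1]
        }
        elseif ($line -match 'Certificate Template:\s*(.+)$' -and
                (($Matches[1] -replace '\s', '') -like "*$wanted*")) {
            $serial = $current
        }
    }
    return $serial    # rows are listed oldest first, so the last match is the newest
}

# Step 13's note, as code: copying the serial can bring along a stray '?' and
# spaces, so keep only hex digits before handing it to certutil.
function ConvertTo-CleanSerial {
    param([string]$Raw)
    $clean = $Raw -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -eq 0 -or ($clean.Length % 2) -ne 0) {
        throw "'$Raw' is not a valid certificate serial number"
    }
    return $clean
}

$raw = Get-IssuedSerialByTemplate $TemplateName
if (-not $raw) { throw "No issued certificate found for template '$TemplateName'" }
$serial = ConvertTo-CleanSerial $raw

# Step 13: pull the archived (KRA-encrypted) key blob out of the CA database.
& certutil -getkey $serial $BlobPath
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }

# Steps 15-16: decrypt the blob with the KRA private key and write a
# password-protected PFX; -p supplies the password instead of prompting.
& certutil -p $PfxPassword -recoverkey $BlobPath $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }

# Steps 18-20: import the PFX into the current user's Personal store.
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $secure | Out-Null

# Step 22: confirm the certificate is back and carries its private key.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $serial } |
        Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw 'Recovery failed: certificate or private key is missing'
}
"Recovered $($cert.Subject) (serial $serial); private key present."

# Both files contain the private key: remove them once the import has succeeded.
Remove-Item $BlobPath, $PfxPath -Force
```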


Implementing AD CS 6-19

Module Review and Takeaways


Best Practices
When you deploy CA infrastructure, deploy a stand-alone (non-domain-joined) root CA, and an
enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives a certificate from
root CA, take root CA offline.

Issue a certificate for root CA for a long period of time, such as 15 or 20 years.

Use autoenrollment for certificates that are widely used.

Use a Restricted Enrollment Agent whenever possible.

Use Virtual Smart Cards to improve logon security.

Review Question(s)
Question: What are some reasons that an organization would utilize PKI?

Answer: An organization would utilize PKI to improve security, identity control, and digital signing of
code.

Question: What are some reasons that an organization would use an enterprise root CA?

Answer: If an organization wants to use only one CA, and wants to use certificate templates and
autoenrollment, then an enterprise root CA will be the only choice.
Question: List the requirements to use autoenrollment for certificates.

Answer: To use autoenrollment for certificates, you must have an enterprise CA, and you must configure
Group Policy options. In addition, you must enable autoenrollment for the desired certificates,
and you must configure Group Policy Objects.

Question: What are the steps to configure an Online Responder?

Answer: To configure an Online Responder, you must create Responder Configuration, and you must
enroll for an OCSP Signing certificate. You must also add a Responder URL to AIA.

Real-world Issues and Scenarios


Contoso, Ltd. wants to deploy PKI to support and secure several services. They have decided to use
Windows Server 2012 Certificate Services as a platform for PKI. Certificates will be primarily used for EFS,
digital signing, and for web servers. Because documents that will be encrypted are important, it is crucial
to have a disaster recovery strategy in case of key loss. In addition, clients that will access secure parts of
the company website must not receive any warning in their browsers.

What kind of deployment should Contoso select?

What kind of certificates should Contoso use for EFS and digital signing?

What kind of certificates should Contoso use for a website?

How will Contoso ensure that EFS-encrypted data is not lost if a user loses a certificate?

Tools
Certificate Authority console

Certificate Templates console

Certificates console

Certutil.exe

Common Issues and Troubleshooting Tips


Common issue: The location of the CA certificate that is specified in the AIA extension is not configured
to include the certificate name suffix. Clients may not be able to locate the correct version of the issuing
CA's certificate to build a certificate chain, and certificate validation may fail.
Troubleshooting tip: Use the Certification Authority snap-in to configure the AIA extension to include the
certificate name suffix in each location.

Common issue: The CA is not configured to include CRL distribution point locations in the extensions of
issued certificates. Clients may not be able to locate a CRL to check the revocation status of a certificate,
and certificate validation may fail.
Troubleshooting tip: Use the CA snap-in to configure the CRL distribution point extension and to specify
the network location of the CRL. The default locations of the CRL are added to the CRL distribution point
extension settings during CA installation, and the CA is configured to include the default locations in the
extensions of all issued certificates.

Common issue: The CA was installed as an enterprise CA, but Group Policy settings for user autoenrollment
have not been enabled. An enterprise CA can use autoenrollment to simplify certificate issuance and
renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
Troubleshooting tip: Use the Group Policy Management Console to configure user autoenrollment policy
settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate
template.

Lab Review Questions and Answers


Lab A: Deploying and Configuring CA Hierarchy
Question and Answers
Question: Why is it not recommended to install just an enterprise root CA?

Answer: For security reasons, root CAs should be offline, without any network access. A root enterprise
CA cannot be offline, so there is no maximum protection for its key.

Lab B: Deploying and Managing Certificates

Question and Answers


Question: What is the main benefit of OCSP over CRL?

Answer: OCSP provides status for a single certificate that clients request, instead of downloading the
entire CRL and delta CRLs. In addition, responses are much faster and more reliable, because
clients do not cache them.

Question: What must you do to recover private keys?

Answer: To recover private keys, you must configure CA to archive private keys for specific templates, and
you must issue a KRA certificate.
Implementing Active Directory Rights Management Services 07-1

Module 7
Implementing Active Directory Rights Management Services
Contents:
Lesson 2: Deploying and Managing an AD RMS Infrastructure 2

Lesson 3: Configuring AD RMS Content Protection 5

Lesson 4: Configuring External Access to AD RMS 8

Module Review and Takeaways 10

Lab Review Questions and Answers 11



Lesson 2
Deploying and Managing an AD RMS Infrastructure
Contents:
Demonstration: Installing the First Server of an AD RMS Cluster 3

Demonstration: Installing the First Server of an AD RMS Cluster


Demonstration Steps
Configure Service Account
1. In the Server Manager, click Tools, and then click Active Directory Administrative Center.

2. Select and then right-click Adatum (local), click New, and then click Organizational Unit.

3. In the Create Organizational Unit dialog box, in the Name field, type Service Accounts, and then
click OK.

4. Right-click the Service Accounts organizational unit (OU), click New, and then click User.

5. In the Create User dialog box, enter the following details, and then click OK:
o First name: ADRMSSVC

o User UPN logon: ADRMSSVC

o Password: Pa$$w0rd

o Confirm Password: Pa$$w0rd

o Password never expires: Enabled

o User cannot change password: Enabled

6. Close the Active Directory Administrative Center.

Prepare DNS
1. In the Server Manager, click Tools, and then click DNS.

2. In the DNS Manager console, expand LON-DC1, and then expand Forward Lookup Zones.

3. Select and then right-click Adatum.com, and then click New Host (A or AAAA).

4. In the New Host dialog box, enter the following information, and then click Add Host:

o Name: adrms

o IP address: 172.16.0.21

5. Click OK and then click Done, and then close the DNS Manager console.

Install the AD RMS role


1. Sign in to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.

2. In the Server Manager, click Manage, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next three times.

4. On the Server Roles page, click Active Directory Rights Management Services.

5. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next four
times.

6. Click Install, and when the installation finishes, click Close.

Configure AD RMS
1. In the Server Manager, click the AD RMS node.

2. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1,
click More.

3. On the All Servers Task Details and Notifications page, click Perform Additional Configuration.

4. In the AD RMS Configuration: LON-SVR1.adatum.com dialog box, click Next.

5. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.

6. On the Configuration Database page, click Use Windows Internal Database on this server, and
then click Next.

7. On the Service Account page, click Specify.

8. In the Windows Security dialog box, enter the following details, click OK, and then click Next:

o Username: ADRMSSVC

o Password: Pa$$w0rd

9. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.

10. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then
click Next.

11. On the Cluster Key Password page, enter the password Pa$$w0rd twice, and then click Next.

12. On the Cluster Web Site page, verify that the Default Web Site is selected, and then click Next.

13. On the Cluster Address page, provide the following information, and then click Next:

o Connection Type: Use an unencrypted connection (http://)

o Fully-Qualified Domain Name: adrms.adatum.com

o Port: 80

14. On the Licensor Certificate page, type Adatum AD RMS, and then click Next.

15. On the SCP Registration page, click Register the SCP now, and then click Next.

16. Click Install, and then click Close. The installation might take several minutes.

17. Go to the Start screen, click Administrator, and then click Sign Out.

Note: You must sign out before you can manage AD RMS.

Lesson 3
Configuring AD RMS Content Protection
Contents:
Resources 6
Demonstration: Creating a Rights-Policy Template 6
Demonstration: Creating an Exclusion Policy to Exclude an Application 6

Resources

What Are Exclusion Policies?

Additional Reading: To find out more about enabling exclusion policies, see Enabling
Exclusion Policies at http://go.microsoft.com/fwlink/?LinkId=270031

Demonstration: Creating a Rights-Policy Template


Demonstration Steps
1. In the Server Manager, click Tools, and then click Active Directory Rights Management Services.

2. In the Active Directory Rights Management Services console, click the LON-SVR1\Rights Policy
Templates node.

3. In the Actions pane, click Create Distributed Rights Policy Template.

4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification
Information page, click Add.

5. On the Add New Template Identification Information page, enter the following information, and
then click Add, and then click Next:

o Language: English (United States)


o Name: ReadOnly

o Description: Read-only access. No copy or print.

6. On the Add User Rights page, click Add.

7. On the Add User or Group page, type executives@adatum.com, and then click OK.

8. When executives@adatum.com is selected, under Rights, click View. Verify that Grant owner
(author) full control right with no expiration is selected, and then click Next.

9. On the Specify Expiration Policy page, choose the following settings, and then click Next:

o Content Expiration: Expires after the following duration (days): 7

o Use license expiration: Expires after the following duration (days): 7

10. On the Specify Extended Policy page, click Require a new use license every time content is
consumed (disable client-side caching), click Next, and then click Finish.

Demonstration: Creating an Exclusion Policy to Exclude an Application


Demonstration Steps
1. On LON-SVR1, switch to the Active Directory Rights Management Services console.

2. Click the Exclusion Policies node, and then click Manage application exclusion list.

3. In the Actions pane, click Enable Application Exclusion.

4. In the Actions pane, click Exclude Application.

5. In the Exclude Application dialog box, enter the following information, and then click Finish:

o Application File name: Powerpnt.exe

o Minimum version: 14.0.0.0

o Maximum version: 16.0.0.0



Lesson 4
Configuring External Access to AD RMS
Contents:
Resources 9

Resources

Options for Enabling External Users with AD RMS Access

Additional Reading: To learn more about AD RMS Trust Policies, see
http://go.microsoft.com/fwlink/?LinkId=270032

Implementing TPD

Additional Reading: To learn more about importing TPDs, see Add a Trusted
Publishing Domain at http://go.microsoft.com/fwlink/?LinkId=270033

Sharing AD RMS-Protected Documents by Using Windows Live ID

Additional Reading: To learn more about using Windows Live ID to establish RACs for
users, see http://go.microsoft.com/fwlink/?LinkId=270034

Module Review and Takeaways


Best Practices
Before you deploy AD RMS, you must analyze your organization's business requirements and create
the necessary templates. You should meet with users to inform them of AD RMS functionality, and
also ask for feedback on the types of templates that they would like to have available.

Strictly control membership of the Super Users group. Users in this group can access all protected
content. Granting a user membership of this group gives them complete access to all
AD RMS-protected content.

Review Question(s)
Question: What are the benefits of having an SSL certificate installed on the AD RMS server when you are
performing AD RMS configuration?

Answer: You can protect the connection between clients and the AD RMS server with SSL.

Question: You need to provide access to AD RMS-protected content to five users who are unaffiliated
contractors, and who are not members of your organization. Which method should you use to provide
this access?

Answer: Use Windows Live ID to provide RAC to the unaffiliated contractors.

Question: You want to block users from protecting Office PowerPoint content by using AD RMS
templates. What steps should you take to accomplish this goal?
Answer: You should configure an application exclusion for the Office PowerPoint application.

Lab Review Questions and Answers


Lab: Implementing AD RMS
Question and Answers
Question: What steps can you take to ensure that you can use Information Rights Management with the
AD RMS role?

Answer: You need to configure a server certificate for the AD RMS server before you deploy AD RMS.
Implementing and Administering AD FS 08-1

Module 8
Implementing and Administering AD FS
Contents:
Lesson 2: Deploying AD FS 2

Lesson 3: Implementing AD FS for a Single Organization 4

Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario 8

Lesson 5: Extending AD FS to External Clients 10

Module Review and Takeaways 14

Lab Review Questions and Answers 15



Lesson 2
Deploying AD FS
Contents:
Demonstration: Installing the AD FS Server Role 3

Demonstration: Installing the AD FS Server Role


Demonstration Steps
Install AD FS
1. On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.

4. On the Select destination server page, click LON-DC1.Adatum.com, and then click Next.

5. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.

6. On the Select features page, click Next.

7. On the Active Directory Federation Services (AD FS) page, click Next.

8. On the Confirm installation selections page, click Install.

9. Wait until installation is complete, and then click Close.

Add a DNS record for AD FS


1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.

3. Right-click Adatum.com, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type adfs.

5. In the IP address box, type 172.16.0.10, and then click Add Host.
6. In the DNS window, click OK, and then click Done.

7. Close DNS Manager.

Configure AD FS
1. In the Server Manager, click the Notifications icon, and then click Configure the federation service
on this server.

2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.

3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.

4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.

5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.

6. On the Specify Service Account page, click Create a Group Managed Service Account.

7. In the Account Name box, type ADFS, and then click Next.

8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.

9. On the Review Options page, click Next.

10. On the Pre-requisite Checks page, click Configure.

11. On the Results page, click Close.



Lesson 3
Implementing AD FS for a Single Organization
Contents:
Demonstration: Configuring Claims Provider and Relying Party Trusts 5

Demonstration: Configuring Claims Provider and Relying Party Trusts


Demonstration Steps
Configure a Claims Provider Trust
1. On LON-DC1, in the Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider
Trusts.

3. Right-click Active Directory, and then click Edit Claim Rules.

4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.

5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.

6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.

8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:

o E-Mail-Addresses: E-Mail Address

o User-Principal-Name: UPN

9. Click Finish, and then click OK.

Configure a certificate for a web-based app


1. On LON-SVR1, in Server Manager, click Tools and click Internet Information Services (IIS)
Manager.

2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select the Do not
show this message check box and then click No.

3. In IIS Manager, click LON-SVR1 (ADATUM\Administrator), and then double-click Server
Certificates.

4. In the Actions pane, click Create Domain Certificate.

5. In the Create Certificate window on the Distinguished Name Properties page, enter the following and
then click Next.

o Common name: lon-svr1.adatum.com

o Organization: A. Datum

o Organizational unit: IT

o City/locality: London

o State/Province: England

o Country/region: GB

6. On the Online Certification Authority page, click Select.

7. In the Select Certification Authority window, click AdatumCA and click OK.

8. On the Online Certification Authority page, in the Friendly name box, type AdatumTestApp
Certificate and click Finish.

9. In IIS Manager, expand LON-SVR1 (ADATUM\Administrator), expand Sites, click Default Web
Site, and in the Actions Pane, click Bindings.

10. In the Site Bindings window, click Add.

11. In the Add Site Binding window, in the Type box, select https.

12. In the SSL certificate box, select AdatumTestApp Certificate and click OK.

13. In the Site Bindings window, click Close.

14. Close IIS Manager.

Configure a WIF application for AD FS


1. On LON-SVR1, in the Server Manager, click Tools, and then click Windows Identity Foundation
Federation Utility.

2. On the Welcome to the Federation Utility Wizard page, in the Application configuration
location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the
sample web.config file.

3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the
path to the sample application that will trust the incoming claims from the federation server, and
then click Next to continue.

4. On the Security Token Service page, click Use an existing STS, in the STS WS-Federation
metadata document location box, type
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then click
Next to continue.

5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.

7. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.

8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.

9. In the Success window, click OK.

Configure a Relying-Party Trust


1. On LON-DC1, in the AD FS console, click Relying Party Trusts.

2. In the Actions pane, click Add Relying Party Trust.

3. In the Relying Party Trust Wizard, on the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or
on a local network.

5. In the Federation Metadata address (host name or URL) box, type
https://lon-svr1.adatum.com/adatumtestapp/, and then click Next. This downloads the metadata
configured in the previous section.

6. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and then
click Next.

7. On the Configure Multi-factor Authentication Now page, click I do not want to configure multi-
factor authentication settings for this relying party trust at this time, and then click Next.

8. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying
party, and then click Next.

9. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next.

10. On the Finish page, click Close.

11. Leave the Edit Claim Rules for A. Datum Test App window open for the next demonstration.

Lesson 4
Deploying AD FS in a Business-to-Business Federation
Scenario
Contents:
Demonstration: Configuring Claim Rules 9

Demonstration: Configuring Claim Rules


Demonstration Steps
1. On LON-DC1, in the AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the
Issuance Transform Rules tab, click Add Rule.

2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.

3. In the Claim rule name box, type Send Group Name Rule.

4. In the Incoming claim type drop-down list, click Group, and then click Finish.

5. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab,
click the rule named Permit Access to All Users, and then click Remove Rule.

6. Click Yes to confirm.

Note: With no rules, users are not permitted access.

7. On the Issuance Authorization Rules tab, click Add Rule.

8. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.

9. On the Configure Rule page, in the Claim rule name box, type Permit Production Group Rule.

10. In the Incoming claim type drop-down list, select Group.

11. In the Incoming claim value box, type Production, click Permit access to users with this
incoming claim, and then click Finish.

12. On the Issuance Authorization Rules tab, click Add Rule.

13. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.

14. On the Configure Rule page, in the Claim rule name box, type Allow A. Datum Users.

15. In the Incoming claim type drop-down list, select UPN.

16. In the Incoming claim value box, type @adatum.com, click Permit access to users with this
incoming claim, and then click Finish.

17. Click the Allow A. Datum Users rule, and then click Edit Rule.

18. In the Edit Rule Allow Adatum Users dialog box, click View Rule Language.

19. Click OK, and then click Cancel.

20. In the Edit Claim Rules for A. Datum Test App window, click OK.
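The rules built in the wizard above, as an added example that is not part of the course content: the same transform and authorization rules written in AD FS claim rule language (what step 18's View Rule Language displays) and applied with the ADFS PowerShell module. Assumed: it runs on LON-DC1 as an AD FS administrator against the relying party trust from the previous demonstration, and the UPN rule uses a regular expression so that any UPN ending in @adatum.com is permitted.

```powershell
<#
  Added example, not part of the 20412C course content: the rules from the
  demonstration above written in AD FS claim rule language and applied with
  the ADFS PowerShell module. Assumptions: run on LON-DC1 as an AD FS
  administrator, against the relying party created in the previous
  demonstration. The UPN rule uses a regular expression so that any UPN
  ending in @adatum.com is permitted.
#>
Import-Module ADFS

$RelyingParty = 'A. Datum Test App'

# Issuance transform rule (steps 1-4): pass every incoming Group claim
# through to the application unchanged.
$transformRules = @'
@RuleName = "Send Group Name Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# Issuance authorization rules (steps 5-16). Once "Permit Access to All Users"
# is removed, AD FS denies by default: access is granted only if some rule
# issues a permit claim, so each rule below is a narrow allow.
$authorizationRules = @'
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Allow A. Datum Users"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Both parameters replace the trust's existing rule set of that kind, which
# is what removing the default rule and adding the new ones in the UI does.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back the stored rules, the scripted equivalent of step 18.
$trust = Get-AdfsRelyingPartyTrust -Name $RelyingParty
$trust.IssuanceAuthorizationRules
```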

Lesson 5
Extending AD FS to External Clients
Contents:
Demonstration: Installing and Configuring Web Application Proxy 11

Demonstration: Installing and Configuring Web Application Proxy


Demonstration Steps
Install Web Application Proxy
1. On LON-SVR2, in the Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.

4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.

5. On the Select server roles page, expand Remote Access, select the Web Application Proxy check
box, and then click Next.

6. On the Select features page, click Next.

7. On the Confirm installation selections page, click Install.

8. On the Installation progress page, click Close.

Export the adfs.adatum.com certificate from LON-DC1


1. On LON-DC1, on the Start screen, type mmc, and then press Enter.

2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.

4. In the Certificates snap-in window, click Computer account, and then click Next.

5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.

6. In the Add or Remove Snap-ins window, click OK.

7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.

8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.

9. In the Certificate Export Wizard, click Next.

10. On the Export Private Key page, click Yes, export the private key, and then click Next.

11. On the Export File Format page, click Next.

12. On the Security page, select the Password check box.

13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.

14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.

15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.

16. Close the Microsoft Management Console, and then do not save the changes.

Import the adfs.adatum.com certificate on LON-SVR2


1. On LON-SVR2, on the Start screen, type mmc, and then press Enter.

2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.

4. In the Certificates snap-in window, click Computer account, and then click Next.

5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.

6. In the Add or remove Snap-ins window, click OK.

7. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.

8. Right-click Personal, point to All Tasks, and then click Import.

9. In the Certificate Import Wizard, click Next.

10. On the File to Import page, in the File name box, type \\LON-DC1\c$\adfs.pfx, and then click
Next.

11. On the Private key protection page, in the Password box, type Pa$$w0rd.

12. Select the Mark this key as exportable check box, and then click Next.
13. On the Certificate Store page, click Place all certificates in the following store.

14. In the Certificate store box, select Personal, and then click Next.

15. On the Completing the Certificate Import Wizard page, click Finish.

16. Click OK to clear the success message.

17. Close the Microsoft Management Console, and then do not save the changes.

Configure Web Application Proxy


1. On LON-SVR2, in the Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.

2. In the Web Application Proxy Wizard, on the Welcome page, click Next.

3. On the Federation Server page, enter the following, and then click Next:
o Federation service name: adfs.adatum.com

o User name: Adatum\Administrator

o Password: Pa$$w0rd

4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy
box, select adfs.adatum.com, and then click Next.

5. On the Confirmation page, click Configure.

6. On the Results page, click Close.

7. Leave the Remote Access Management Console open for the next task.

Configure an Application
1. On LON-SVR2, in the Remote Access Management Console, click Web Application Proxy, and then
click Publish.

2. In the Publish New Application Wizard, on the Welcome page, click Next.
3. On the Preauthentication page, click Pass-through and click Next.

4. On the Publishing Settings page, in the Name box, type External App.

5. In the External URL and Backend server URL boxes, type https://adfs.adatum.com/externalapp/.

6. In the External certificate box, select adfs.adatum.com and click Next.



7. On the Confirmation page, click Publish.

8. On the Results page, click Close.



Module Review and Takeaways


Question: Your organization is planning to implement AD FS. In the short term, only internal clients will
be using AD FS to access internal applications. However, in the long run, you will be providing access to
web-based applications that are secured by AD FS to users at home. How many certificates should you
obtain from a third-party CA?

Answer: The only AD FS certificate that needs to be trusted is the service-communication certificate. The
token-signing and token-decrypting certificates can be left as self-signed. Therefore, only a single
certificate from a third party is required.

Question: Your organization has an application for customers that allows them to view their orders and
invoices. At the present time, all customers have a user name and password that is managed within the
application. To simplify access to the application and reduce support calls, your organization has rewritten
the application to support AD FS for authentication. What do you need to configure to support the
application?

Answer: You need to perform the following tasks:

1. Configure the application to trust incoming claims. Use the WIF Federation Utility to
configure the application.

2. Configure a relying-party trust for the application. This configures AD FS to provide claims to
the application for authorized users.

3. Configure claim rules for the relying-party trust. This configures which information is
provided to the application.

Question: Your organization has an application for customers that allows them to view their orders and
invoices. At the present time, all customers have a user name and password that is managed within the
application. To simplify access to the application and reduce support calls, your organization has rewritten
the application to support AD FS for authentication. A Web Application Proxy is being configured to
support application access over the Internet. Internally, your AD FS server uses the host name
adfs.contoso.com and resolves to 10.10.0.99. How will you allow external partners to resolve
adfs.contoso.com to the external IP address of Web Application Proxy?

Answer: Use split DNS to allow the proper resolution of adfs.contoso.com to the correct IP address
internally and externally. The internal DNS server resolves adfs.contoso.com to the internal IP
address of the AD FS server. The external DNS server resolves adfs.contoso.com to the external IP
address of Web Application Proxy.

Question: Your organization has implemented a single AD FS server and a single Web Application Proxy
successfully. Initially, AD FS was used for only a single application, but now it is being used for several
business-critical applications. AD FS must be configured to be highly available.

During the installation of AD FS, you selected to use the Windows Internal Database. Can you use this
database in a highly available configuration?

Answer: Yes, the Windows Internal Database can be used to support up to five AD FS servers. The first
AD FS server is the primary server where all configuration changes take place. Changes in the
primary server are replicated to the other AD FS servers.

Question: Your organization wants to control access to applications that are available from the Internet
by using Workplace Join. What DNS changes need to be performed so that devices can locate the Web
Application Proxy during the Workplace Join process?

Answer: Devices identify the server name based on the UPN name provided during the workplace-join
process. Assuming that your organization uses only a single UPN name, you need to create a host
record for enterpriseregistration.yourdomainname.com that resolves to the IP address of the Web
Application Proxy server.

Lab Review Questions and Answers


Lab A: Implementing AD FS
Question and Answers
Question: Why was it important to configure adfs.adatum.com as the host name for the AD FS
service?

Answer: If you use the host name of an existing server for the AD FS server, you will not be able to add
additional servers to your server farm. All servers in the server farm must share the same host
name when they provide AD FS services. The host name for AD FS also is used by AD FS proxy
servers.

Question: How can you test whether AD FS is functioning properly?

Answer: You can access https://hostname/federationmetadata/2007-06/federationmetadata.xml on
the AD FS server.
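An added example, not part of the course content, that turns the check above into a script: it retrieves the federation metadata from the lab's host name adfs.adatum.com, reads the entity ID and the published token-signing certificates, and flags any certificate close to expiry. Because the document is fetched over HTTPS, a successful call also shows that the service-communication certificate is trusted by the machine running the check; only standard Windows PowerShell cmdlets and .NET types are used.

```powershell
# Added example (not from the course content): summarise the AD FS federation
# metadata document that the lab answer uses as a health check.
# adfs.adatum.com is the lab's federation service name.

function Get-AdfsMetadataSummary {
    param(
        [string]$FederationServiceName = 'adfs.adatum.com'
    )

    $uri = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"

    # The TLS handshake here uses the service-communication certificate; if that
    # certificate is not trusted by this machine, the call fails before any
    # metadata is read.
    # -UseBasicParsing avoids the Internet Explorer DOM dependency on Server Core.
    $response = Invoke-WebRequest -Uri $uri -UseBasicParsing
    [xml]$metadata = $response.Content

    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }

    # Token-signing certificates are published as <KeyDescriptor use="signing">
    # elements; the same certificate appears under more than one role descriptor,
    # so de-duplicate by thumbprint.
    $signingCerts = Select-Xml -Xml $metadata -Namespace $ns `
            -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.Node.InnerText.Trim())
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$raw)
        } |
        Sort-Object Thumbprint -Unique

    # Relying parties that have cached this metadata stop accepting tokens when a
    # signing certificate rolls over, so warn 30 days ahead of expiry.
    $expiring = @($signingCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) })

    [pscustomobject]@{
        EntityId         = $metadata.EntityDescriptor.entityID
        SigningCertCount = @($signingCerts).Count
        SigningCerts     = $signingCerts | Select-Object Subject, Thumbprint, NotAfter
        ExpiringWithin30Days = $expiring.Count
    }
}

Get-AdfsMetadataSummary -FederationServiceName 'adfs.adatum.com' | Format-List
```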

Lab B: Implementing AD FS for External Partners and Users

Question and Answers


Question: Why is there no need to configure certificate trusts between organizations when you use
certificates from a trusted provider on the Internet?

Answer: In this lab, certificate trusts needed to be configured because the certificates were internally
generated by each organization. The CA certificate for each organization was configured as
trusted in the other organization so that the certificates issued by each organization would be
trusted.

If you use certificates from a trusted provider on the Internet, that provider is already trusted by
the other organization. Consequently, certificates are automatically trusted.

Note that on rare occasions, high-security environments may have chosen to remove trusted root
certification authorities that are installed by default. Also, if updates to trusted root certification
authorities are not applied, certificates issued by some public certification authorities may not be
trusted.

Question: Could you have created authorization rules in Adatum.com and achieved the same result if you
had instead created authorization rules in TreyResearch.net?

Answer: Yes. However, to allow the authorization rules to be configured at Adatum.com, the
implementation of AD FS at TreyResearch.net must pass through the group membership claims
to AD FS at Adatum.com.
Implementing Network Load Balancing 9-1

Module 9
Implementing Network Load Balancing
Contents:
Lesson 2: Configuring an NLB Cluster 2

Module Review and Takeaways 5

Lab Review Questions and Answers 6



Lesson 2
Configuring an NLB Cluster
Contents:
Demonstration: Deploying NLB 3
Demonstration: Configuring NLB Affinity and Port Rules 3

Demonstration: Deploying NLB


Demonstration Steps
Create a Windows Server 2012 R2 NLB cluster
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd, and on the taskbar,
click the Server Manager icon.
2. In the Server Manager console, click the Tools menu, and then click Windows PowerShell ISE.

3. In the Windows PowerShell ISE window, enter the following command, and then press Enter:

Invoke-Command -Computername LON-SVR1,LON-SVR2 -command {Install-WindowsFeature NLB,RSAT-NLB}

4. Enter the following command, and then press Enter:

New-NlbCluster -InterfaceName "Ethernet" -OperationMode Multicast -ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB

5. Enter the following command, and then press Enter:

Add-NlbClusterNode -InterfaceName "Ethernet" -NewNodeName "LON-SVR2" -NewNodeInterface "Ethernet"

6. In the Server Manager console, click the Tools menu, and then click Network Load Balancing
Manager.

7. Verify that nodes LON-SVR1 and LON-SVR2 display with the status of Converged for the LON-NLB
cluster.

8. Right-click the LON-NLB cluster, and then click Cluster properties.

9. In the LON-NLB(172.16.0.42) dialog box, on the Cluster Parameters tab, verify that the cluster is
set to use the Multicast operations mode.

10. On the Port Rules tab, verify that there is a single port rule named All that starts at port 0 and ends
at port 65535 for both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), and
uses Single affinity.

11. Click OK to close the dialog box.

Demonstration: Configuring NLB Affinity and Port Rules


Demonstration Steps
Configure affinity for NLB cluster nodes
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type the following commands, pressing Enter after each
command:

Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath "C:\porttest" -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678

Configure NLB port rules


1. On LON-SVR1, in Server Manager, click Tools, and then click Network Load Balancing Manager.

2. In the Network Load Balancing Manager console, right-click LON-NLB, and then click Cluster
Properties.

3. In the LON-NLB(172.16.0.42) dialog box, on the Port Rules tab, select the All port rule, click Remove, and
then click OK to close the dialog box.

4. In the Network Load Balancing Manager console, right-click LON-NLB, and then click Cluster
Properties.

5. In the LON-NLB(172.16.0.42) dialog box, on the Port Rules tab, click Add.

6. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Port range: 80 to 80

o Protocols: Both

o Filtering mode: Multiple Host

o Affinity: None

7. Click OK to close the LON-NLB(172.16.0.42) dialog box.

8. In the Network Load Balancing Manager console, right-click LON-NLB, and then click Cluster
Properties.

9. On the Port Rules tab, click Add.

10. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:

o Port range: 5678 to 5678

o Protocols: Both

o Filtering mode: Single Host

11. Click OK to close the LON-NLB(172.16.0.42) dialog box.

12. In the Network Load Balancing Manager console, right-click LON-SVR1, and then click Host
Properties.

13. On the Port Rules tab, click the port rule that has 5678 as the Start and End value, and then click
Edit.

14. Click the Handling priority value, and change it to 10.
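The same port-rule configuration as the two procedures above, done with the NetworkLoadBalancingClusters module instead of Network Load Balancing Manager and followed by a check of the result. This is an added example, not part of the course content: the ports, modes, affinity and the handling priority of 10 are the demonstration's values, and the parameter values Multiple, Single and None are assumed to correspond to the GUI choices Multiple Host, Single Host and None.

```powershell
# Added example (not from the course content): NLB port rules for LON-NLB via
# PowerShell. Run on LON-SVR1 as Adatum\Administrator.

Import-Module NetworkLoadBalancingClusters

# -HostName names a cluster node; cluster-wide rules are read and changed
# through that node.
$node = 'LON-SVR1'

# Steps 1 to 3: remove the default rule, which spans ports 0 to 65535.
# -Port on Remove-NlbClusterPortRule identifies a rule by any port inside its range.
Get-NlbClusterPortRule -HostName $node |
    Where-Object { $_.StartPort -eq 0 -and $_.EndPort -eq 65535 } |
    ForEach-Object { Remove-NlbClusterPortRule -HostName $node -Port $_.StartPort -Force }

# Steps 5 to 7: port 80 on all hosts with no affinity, so consecutive requests
# from one client may be answered by different nodes.
Add-NlbClusterPortRule -HostName $node -StartPort 80 -EndPort 80 `
    -Protocol Both -Mode Multiple -Affinity None | Out-Null

# Steps 9 to 11: port 5678 in Single Host mode, so one node at a time serves
# it; which node is decided by handling priority (the lowest value wins).
Add-NlbClusterPortRule -HostName $node -StartPort 5678 -EndPort 5678 `
    -Protocol Both -Mode Single | Out-Null

# Steps 12 to 14: LON-SVR1's handling priority for the 5678 rule becomes 10.
Set-NlbClusterNodePortRule -HostName 'LON-SVR1' -Port 5678 -HandlingPriority 10 | Out-Null

# Check: the cluster should carry exactly the two rules above and no rule that
# still covers the whole port range.
$rules = Get-NlbClusterPortRule -HostName $node
$rules | Select-Object StartPort, EndPort, Protocol, Mode, Affinity | Format-Table -AutoSize

if ($rules | Where-Object { $_.StartPort -eq 0 -and $_.EndPort -eq 65535 }) {
    Write-Warning 'A catch-all port rule (0-65535) is still present.'
}

# Per-node view of the 5678 rule, showing each node's handling priority.
foreach ($name in 'LON-SVR1', 'LON-SVR2') {
    Get-NlbClusterNodePortRule -HostName $name -Port 5678 |
        Select-Object @{ n = 'Node'; e = { $name } }, StartPort, EndPort, Mode, HandlingPriority
}

# Port rules decide which node answers a request; they do not admit traffic by
# themselves. The PortTest site is reachable only because the firewall rule in
# the affinity procedure above opened TCP 5678 on each node.
```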



Module Review and Takeaways


Question: You have created a four-node Windows Server 2012 NLB cluster. The cluster hosts a website
that is hosted on IIS. What happens to the cluster if you shut down the World Wide Web publishing
service on one of the nodes?

Answer: Nothing will happen, because NLB only detects server failure and not the failure of a particular
application. In addition, approximately every fourth request to the application from clients will
not be served.

Question: You want to host the www.contoso.com, www.adatum.com, and www.fabrikam.com websites
on a four-node NLB cluster. The cluster IP address will be a public IP address, and each fully qualified
domain name is mapped in DNS to the cluster's public IP address. What steps should you take on each
node to ensure that traffic is directed to the appropriate site?

Answer: You will need to configure host headers for each site on each node. In addition, you must ensure
that host header configuration is identical.

Question: You have an eight-node Windows NLB cluster that hosts a web application. You want to ensure
that traffic from a client that uses the cluster remains with the same node throughout their session, but
that traffic from separate clients is distributed equitably across all nodes. Which option do you configure
to accomplish this goal?

Answer: You must configure affinity settings to accomplish this.

Real-world Issues and Scenarios


To make NLB a true high-availability solution, pair it with a monitoring solution that detects
application failure. NLB clusters continue to direct traffic to nodes with failed applications as long as
NLB, which is independent of the application, continues to send heartbeat traffic.

Lab Review Questions and Answers


Lab: Implementing NLB
Question and Answers
Question: How many additional nodes can you add to the LON-NLB cluster?

Answer: The LON-NLB cluster can scale to 32 nodes.

Question: What steps would you take to ensure that LON-SVR1 always manages requests for web traffic
on port 5678, given the port rules established by the end of this exercise?

Answer: You configure the host priority. You also set the rule to use single host filtering mode.

Question: What is the difference between a Stop and a Drainstop command?

Answer: Stop terminates all active connections immediately. Drainstop blocks new connections, but
allows existing connections to complete normally.
Implementing Failover Clustering 10-1

Module 10
Implementing Failover Clustering
Contents:
Lesson 2: Implementing a Failover Cluster 2

Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster 4

Lesson 4: Maintaining a Failover Cluster 6

Module Review and Takeaways 9

Lab Review Questions and Answers 11



Lesson 2
Implementing a Failover Cluster
Contents:
Demonstration: Validating and Configuring a Failover Cluster 3

Demonstration: Validating and Configuring a Failover Cluster


Demonstration Steps
1. On LON-SVR3, in the Server Manager, click Tools, and then click Failover Cluster Manager.

2. In the Failover Cluster Manager, in the console tree, ensure that Failover Cluster Manager is
selected, and then under Management, click Validate Configuration and then click Next.

3. In the Enter name field, type LON-SVR3, and then click Add.

4. In the Enter name field, type LON-SVR4, click Add, and then click Next.

5. Verify that Run all tests (recommended) is selected, and then click Next.
6. In the Confirmation window, click Next.

7. Wait for the validation tests to finish, and then in the Summary window, click View Report.

8. Close the report window, remove the check mark next to Create the cluster now using the
validated nodes, and then click Finish.

9. On LON-SVR3, in the Failover Cluster Manager, in the Management section of the center pane,
select Create Cluster.

10. Read the Before You Begin information page.


11. Click Next, type LON-SVR3, and then click Add. Type LON-SVR4, and then click Add.

12. Verify the entries, and then click Next.

13. In the Access Point for Administering the Cluster section, enter Cluster1 as the Cluster Name.

14. Under Address, type 172.16.0.125 as the IP address, and then click Next.

15. On the Confirmation page, verify the information, and then click Next.

16. On the Summary page, click Finish to return to the Failover Cluster Manager.

Lesson 3
Configuring Highly Available Applications and
Services on a Failover Cluster
Contents:
Demonstration: Clustering a File Server Role 5

Demonstration: Clustering a File Server Role


Demonstration Steps
1. On LON-SVR3, open the Failover Cluster Manager, and then expand Cluster1.adatum.com.

2. Expand Storage, and then click Disks. Verify that three cluster disks are available.

3. Right-click Roles, and then select Configure Role.

4. On the Before You Begin page, click Next.

5. On the Select Role page, select File Server, and then click Next.

6. On the File Server Type page, click File Server for general use, and then click Next.

7. On the Client Access Point page, in the Name box, type AdatumFS, and in the Address box, type
172.16.0.130, and then click Next.

8. On the Select Storage page, click Cluster Disk 2, and then click Next.

9. On the Confirmation page, click Next.


10. On the Summary page, click Finish.

Lesson 4
Maintaining a Failover Cluster
Contents:
Demonstration: Configuring CAU 7

Demonstration: Configuring CAU


Demonstration Steps
1. On LON-DC1, in Server Manager, click Add roles and features.

2. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

5. On the Select server roles page, click Next.

6. On the Select features page, in the list of features, click Failover Clustering. In Add features that
are required for Failover Clustering? dialog box, click Add Features. Click Next.

7. On the Confirm installation selections page, click Install.

8. When installation is complete, click Close.

9. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.

10. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list box,
select Cluster1, and then click Connect.

11. In the Cluster Actions pane, click Preview updates for this cluster.

12. In the Cluster1-Preview Updates window, click Generate Update Preview List.

Note: You need to have an Internet connection for this step.

13. After several minutes, updates will be shown in the list. Review updates, and then click Close.

14. In the Cluster Actions pane, click Create or modify Updating Run Profile.

15. Review and explain the available options. Do not make any changes, and then click Close when you
are finished.

16. Click Apply updates to this cluster.

17. On the Getting Started page, click Next.

18. On the Advanced options page, review options for updating, and then click Next.

19. On the Additional Update Options page, click Next.


20. On the Confirmation page, click Update, and then click Close.

21. In the Cluster nodes pane, you can review the updating progress.

Note: You should emphasize that one node of the cluster is in Waiting state, while the
other node is restarting after it is updated.

22. Wait until the process is finished.

Note: This may require a restart of both nodes.



23. Sign in to LON-SVR3 with the username Adatum\Administrator and the password Pa$$w0rd.

24. On LON-SVR3, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.

25. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list box,
select Cluster1. Click Connect.

26. Click Configure cluster self-updating options.

27. On the Getting Started page, click Next.

28. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.

29. In the Specify self-updating schedule area, click Weekly, select 4:00 AM for Time of day, and then
select Sunday for Day of the week. Click Next.

30. On the Advanced Options page, click Next.

31. On the Additional Update Options page, click Next.


32. On the Confirmation page, click Apply.

Module Review and Takeaways


Best Practices
Try to avoid using a quorum model that depends just on the disk for Hyper-V high availability or a
Scale-Out File Server.

Perform regular backups of the cluster configuration.

Ensure that in case one node fails, other nodes can handle the load.

Carefully plan multisite clusters.

Review Question(s)
Question: Why is using a disk-only quorum configuration generally not a good idea?

Answer: The failover cluster stops functioning if the LUN that is used as the disk for the quorum fails.
Even if all the other resources, including the disk for the applications, are available, no node
provides any service when the quorum disk is not available.

Question: What is the purpose of CAU?

Answer: CAU enables administrators to automatically update cluster nodes with little or no loss in
availability during the update process. Also, administrators do not have to manage the update process
manually across all nodes of the cluster.

Question: What is the main difference between synchronous and asynchronous replication in a multisite
cluster scenario?

Answer: When you use synchronous replication, the host receives a write-complete response from the
primary storage after the data is written successfully on both storage systems. If the data is not
written successfully to both storage systems, the application must attempt to write to the disk
again. With synchronous replication, both storage systems are identical.

When you use asynchronous replication, the node receives a write-complete response from the
storage after the data is written successfully on the primary storage. The data is written to the
secondary storage on a different schedule, depending on the hardware or software vendor's
implementation.

Question: What is an enhanced feature in multisite clusters in Windows Server 2012?

Answer: In Windows Server 2012, you can adjust cluster quorum settings so that nodes do or do not have
a vote when the cluster determines whether it has quorum.

Real-world Issues and Scenarios


Question: Your organization is considering the use of a geographically dispersed cluster that includes an
alternative data center. Your organization has only a single physical location, together with an alternative
data center. Can you provide an automatic failover in this configuration?

Answer: No, you cannot provide an automatic failover in this configuration. To provide an automatic
failover, you must have at least three sites.

Tools
The tools for implementing failover clustering include:

Tool | Use for | Where to find it
Failover Cluster Manager console | Cluster management | Administrative Tools
Cluster-Aware Updating console | Cluster update management | Administrative Tools
Windows PowerShell | Cmdlet-based management | Administrative Tools
Server Manager | General server management | Taskbar
iSCSI initiator | Establishing a connection with an iSCSI target | Administrative Tools
Disk Management | Disk and volume management | Computer Management

Common Issues and Troubleshooting Tips


Common Issue | Troubleshooting Tip
Cluster Validation Wizard reports an error | Review the report that the Cluster Validation Wizard provides and determine the problem.
Create Cluster Wizard reports that not all nodes support the desired clustered role | Review the installed roles and features on the cluster nodes. A clustered role must be installed on each cluster node.
You cannot create a print server cluster | This is not supported in Windows Server 2012. You should use other technologies, such as configuring a print server in a highly available virtual machine, to provide a highly available print server.

Lab Review Questions and Answers


Lab: Implementing Failover Clustering
Question and Answers
Question: What information do you have to collect as you plan a failover cluster implementation and
choose the quorum mode?

Answer: You have to collect information such as the:

Number of applications or services that will be deployed on the cluster.

Performance requirements and characteristics for each application or service.

Number of servers that must be available to meet the performance requirements.

Location of the users who use the failover cluster.

Type of storage used for the shared cluster storage.

Question: After running the Validate a Configuration Wizard, how can you resolve the network
communication single point of failure?

Answer: You can resolve the network communication single point of failure by adding network adapters
on a separate network. This provides communication redundancy between cluster nodes.

Question: In what situations might it be important to enable failback of a clustered application only
during a specific time?

Answer: Setting the failback to a preferred node at a specific time is important when you have to ensure
that the failback does not interfere with client connections, backup windows, or other
maintenance that a failback would interrupt.
Implementing Failover Clustering with Hyper-V 11-1

Module 11
Implementing Failover Clustering with Hyper-V
Contents:
Lesson 1: Overview of Integrating Hyper-V with Failover Clustering 2

Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 4

Lesson 3: Implementing Hyper-V Virtual Machine Movement 7

Module Review and Takeaways 10

Lab Review Questions and Answers 12



Lesson 1
Overview of Integrating Hyper-V with Failover
Clustering
Contents:
Question and Answers 3

Question and Answers

Options for Making Virtual Machines Highly Available


Question: Do you use any high availability solution for virtual machines in your environment?

Answer: Answers may vary. For example, you can use storage replication, which is one alternative to
failover clustering.

What Is New in Failover Clustering for Hyper-V in Windows Server 2012 R2?
Question: Do you think that these new features will be useful for your environment? If yes, which one(s)?

Answer: Answers may vary.



Lesson 2
Implementing Hyper-V Virtual Machines on Failover
Clusters
Contents:
Question and Answers 5
Demonstration: Implementing Virtual Machines on Clusters (optional) 5

Question and Answers

Configuring a Shared Virtual Hard Disk


Question: What is the main benefit of using shared virtual hard disks?

Answer: If you use a shared virtual hard disk as cluster storage, you do not have to provide Fibre Channel
or an iSCSI connection to the virtual machines.

Using Scale-Out File Servers Over SMB 3.0 for Virtual Machines
Question: Have you considered storing virtual machines on the SMB share? Why or why not?

Answer: Answers may vary. The students will probably emphasize performance issues as a reason for not
deploying virtual machines on the SMB share.

Maintaining and Monitoring Virtual Machines in Clusters


Question: What are some alternative technologies that you can use for virtual machine and network
monitoring?

Answer: You can use dedicated monitoring software such as Microsoft System Center 2012 Operations
Manager.

Demonstration: Implementing Virtual Machines on Clusters (optional)


Demonstration Steps
1. Ensure that LON-HOST1 is the owner of the ClusterVMs disk in Failover Cluster Manager. If it is not,
then move the ClusterVMs resource to LON-HOST1 before doing this procedure.

2. On LON-HOST1, open File Explorer, browse to E:\Program Files\Microsoft Learning\20412\Drives\20412C-LON-CORE\Virtual Hard Disks,
and then copy the 20412C-LON-CORE.vhd virtual hard disk file to the C:\ClusterStorage\Volume1 location.
(Note: The drive letter may be different based upon the number of drives on the physical host machine.)

3. In the Failover Cluster Manager console, click Roles, and then in the Actions pane, click Virtual
Machines.

4. Click New Virtual Machine.

5. Select LON-HOST1 as the cluster node, and click OK.

6. In the New Virtual Machine Wizard, click Next.

7. On the Specify Name and Location page, type TestClusterVM for the Name, click Store the virtual
machine in a different location, and then click Browse.

8. Browse to and select C:\ClusterStorage\Volume1, click Select Folder, and then click Next.

9. On the Specify Generation page, click Next.

10. On the Assign Memory page, type 1536, and then click Next.

11. On the Configure Networking page, click External Network, and then click Next.

12. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click
Browse.

13. Locate C:\ClusterStorage\Volume1, select 20412C-LON-CORE.vhd, and then click Open.

14. Click Next, and click Finish.

15. On the Summary page of the High Availability Wizard, click Finish.

16. Right-click the TestClusterVM, and click Settings.

17. In the Settings for TestClusterVM on LON-HOST1, expand Processor in the left navigation pane, and
then click Compatibility.

18. In the right pane, select the check box before the Migrate to a physical computer with a different
processor version option.

19. Click OK.

20. Right-click TestClusterVM, and click Start.

21. Ensure that the machine starts successfully.

22. Open Failover Cluster Manager on LON-HOST2.

23. Expand VMCluster.Adatum.com, and click Roles.

24. Right-click TestClusterVM, select Move, select Live Migration, and then click Select Node.

25. Click LON-HOST2, and click OK.

26. Right-click TestClusterVM, and click Connect.

27. Ensure that you can access and operate the virtual machine while it is migrating to another host.

28. Wait until migration is finished.



Lesson 3
Implementing Hyper-V Virtual Machine Movement
Contents:
Question and Answers 8
Demonstration: Implementing Hyper-V Replica (optional) 8

Question and Answers

Virtual Machine Migration Options


Question: When would you export and import a virtual machine instead of migrating it?

Answer: If you want to move a virtual machine to a host that does not support a shared-nothing
migration, or you do not have a cluster, you must export and import the virtual machine. For
example, you use this method if you want to move a virtual machine from a Windows Server 2012
host to Hyper-V in Windows 8.

New Features of Hyper-V Replica in Windows Server 2012 R2


Question: Do you see extended replication as a benefit for your environment?

Answer: Answers will vary.

Demonstration: Implementing Hyper-V Replica (optional)


Demonstration Steps
1. On LON-HOST2, open the Hyper-V Manager console.

2. In Hyper-V Manager, right-click LON-HOST2, and then select Hyper-V Settings.

3. In Hyper-V Settings for LON-HOST2, click Replication Configuration.

4. In the Replication Configuration pane, click Enable this computer as a Replica server.

5. In the Authentication and ports section, select Use Kerberos (HTTP).

6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.

7. Click Computer, double-click Local Disk (E), and then click New folder. Type VMReplica for folder
name, and press Enter. Select the E:\VMReplica\ folder, and click Select Folder.
8. In the Hyper-V Settings for LON-HOST2, click OK.

9. In the Settings window, read the notice, and then click OK.

10. Click the Start screen, and click the Control Panel.

11. In the Control Panel, click System and Security, and then click Windows Firewall. Click Advanced
settings, and then click Inbound Rules.

12. In the right pane, in the rule list, find and right-click the Hyper-V Replica HTTP Listener (TCP-In)
rule, and then click Enable Rule.

13. Close the Windows Firewall with Advanced Security console, and close Windows Firewall.

14. Repeat Steps one through 15 on LON-HOST1.

15. On LON-HOST1, open Hyper-V Manager. Click LON-HOST1, and right-click 20412C-LON-CORE.

16. Click Enable Replication.

17. On the Before You Begin page, click Next.

18. On the Specify Replica Server page, click Browse.

19. In the Select Computer window, type LON-HOST2, and click Check Names, and click OK. Then click
Next.

20. On the Specify Connection Parameters page, review the settings, and ensure that Use Kerberos
authentication (HTTP) is selected, and then click Next.

21. On the Choose Replication VHDs page, ensure that 20412C-LON-CORE.vhd is selected, and then
click Next.

22. On the Configure Replication Frequency page, select 30 seconds from the drop-down list box, and
click Next.

23. On the Configure Additional Recovery Points page, select Maintain only the latest recovery
point, and then click Next.

24. On the Choose Initial Replication Method page, click Send initial copy over the network, select
Start replication immediately, and then click Next.

25. On the Completing the Enable Replication wizard page, click Finish.

26. Wait five to 10 minutes. You can monitor the progress of initial replication in the Status column in
the Hyper-V Manager console. When it completes (progress reaches 100 percent), ensure that
20412C-LON-CORE has appeared on LON-HOST2 in Hyper-V Manager.
27. On LON-HOST2 in Hyper-V Manager, right-click 20412C-LON-CORE.

28. Select Replication, and then click View Replication Health.

29. Review the content of the window that appears, and ensure that there are no errors, and then click
Close.

30. On LON-HOST1, open Hyper-V Manager, and verify that 20412C-LON-CORE is turned off.

31. Right-click 20412C-LON-CORE, select Replication, and then click Planned Failover.

32. In the Planned Failover window, ensure that the option Start the Replica virtual machine after
failover is selected, and then click Fail Over.

33. On LON-HOST2, in Hyper-V Manager, ensure that 20412C-LON-CORE is running.

34. On LON-HOST1, right-click 20412C-LON-CORE, point to Replication, and then click Remove
Replication.

35. In the Remove Replication dialog box, click Remove Replication.
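The same workflow (enable replication, verify health, planned failover, remove replication) as an added PowerShell example. It is not part of the course content; it is run from an elevated prompt on LON-HOST1 as a domain administrator. It assumes the lab domain is adatum.com, that LON-HOST2 stores replicas under D:\Replica, and a trust group name of Lab; none of these are given in the steps above. The ReplicationState and ReplicationHealth property names are those exposed by the Hyper-V module's replication objects.

```powershell
# Added example (not course content): Hyper-V Replica from enable to planned
# failover, run in an elevated PowerShell on LON-HOST1.
# Assumptions: domain adatum.com, replica storage D:\Replica, trust group 'Lab'.
$VMName  = '20412C-LON-CORE'
$Primary = 'LON-HOST1'
$Replica = 'LON-HOST2'
$Store   = 'D:\Replica'   # assumed path on LON-HOST2

# Replica side: accept Kerberos (HTTP, port 80) only from the named primary.
# Kerberos authenticates the hosts but does not encrypt the stream; use
# -AllowedAuthenticationType Certificate (HTTPS) across untrusted networks.
Invoke-Command -ComputerName $Replica -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
        -ReplicationAllowedFromAnyServer $false -DefaultStorageLocation $using:Store
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer "$using:Primary.adatum.com" `
        -ReplicaStorageLocation $using:Store -TrustGroup 'Lab'
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# Primary side, steps 16-25: 30-second frequency (Windows Server 2012 R2),
# latest recovery point only, initial copy over the network starting now.
Enable-VMReplication -VMName $VMName -ReplicaServerName $Replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -ReplicationFrequencySec 30 -RecoveryHistory 0 `
    -CompressionEnabled $true
Start-VMInitialReplication -VMName $VMName

# Steps 26-29: wait for the initial copy to finish, then check health on both sides.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $rep = Measure-VMReplication -VMName $VMName
} while ($rep.ReplicationState -ne 'Replicating' -and (Get-Date) -lt $deadline)
Measure-VMReplication -VMName $VMName -ComputerName $Replica |
    Format-List VMName, ReplicationMode, ReplicationState, ReplicationHealth, LastReplicationTime
if ($rep.ReplicationHealth -ne 'Normal') {
    throw "Replication of $VMName is $($rep.ReplicationHealth) ($($rep.ReplicationState))"
}

# Steps 30-33: planned failover. The primary VM must be off. -Prepare sends the
# final delta; the replica then fails over, replication is reversed, VM started.
if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName }
Start-VMFailover -VMName $VMName -Prepare -Confirm:$false
Start-VMFailover -VMName $VMName -ComputerName $Replica -Confirm:$false
Set-VMReplication -VMName $VMName -ComputerName $Replica -Reverse
Start-VM -Name $VMName -ComputerName $Replica
(Get-VM -Name $VMName -ComputerName $Replica).State      # expect Running

# Steps 34-35: remove the relationship on both hosts so no stale replica remains.
Remove-VMReplication -VMName $VMName -ComputerName $Replica
Remove-VMReplication -VMName $VMName
```

The authorization entry replaces the wizard's "allow replication from any authenticated server" default: only LON-HOST1 can push a replica to this host, and replicas from different trust groups cannot share a storage location.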



Module Review and Takeaways


Best Practices
Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identically as possible. To ensure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSVs.

Use Extended Replication, new in Windows Server 2012 R2 Hyper-V Replica, to replicate a virtual machine to a second Replica server so that a single-site failure does not leave you without a copy.

Consider using Scale-Out File Server clusters as storage for highly available virtual machines.

Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster Manager
that prevents common configuration mistakes when you manage highly available virtual machines.
For example, it blocks you from creating a virtual machine on storage that is not accessible from
every node in the cluster.

Review Question(s)
Question: Do you have to implement CSV in order to provide high availability for virtual machines in
VMM in Windows Server 2012?

Answer: No, you do not have to implement CSV to provide high availability. However, CSV makes it much
easier to implement and manage an environment where you have multiple Hyper-V hosts that
access multiple LUNs on shared storage.

Tools
The tools for implementing failover clustering with Hyper-V include:

Tool: Failover Cluster Manager
Where to find: Administrative Tools
Use: Failover clustering management

Tool: Hyper-V Manager
Where to find: Administrative Tools
Use: Virtual machine management

Tool: VMM Console
Where to find: Start menu
Use: Hyper-V hosts and virtual machine management

Common Issues and Troubleshooting Tips


Common Issue: Virtual machine failover fails after you implement CSV and migrate the shared storage
to CSV.
Troubleshooting Tip: The CSV namespace is always mounted under the host's system drive (for example,
C:\ClusterStorage) and cannot be moved. If the hosts use different system drive letters, failover
fails because the nodes do not resolve the same storage path. Give all failover cluster nodes the
same drive configuration.

Common Issue: A virtual machine fails over to another node in the host cluster, but loses all network
connectivity.
Troubleshooting Tip: All nodes in a host cluster must have the same networks and virtual switches
configured, with identical names. If they do not, virtual machines cannot connect to a network when
they fail over to another node.

Common Issue: Four hours after restarting a Hyper-V host that is a member of a host cluster, there
are still no virtual machines running on the host.
Troubleshooting Tip: By default, virtual machines do not fail back to a host after they have
migrated to another host. You can enable failback in the virtual machine role properties in
Failover Cluster Manager, or you can implement PRO in VMM.

Lab Review Questions and Answers


Lab: Implementing Failover Clustering with Hyper-V
Question and Answers
Question: How can you extend Hyper-V Replica in Windows Server 2012 R2?

Answer: You can use the Extended Replication feature to add a third server. The Replica server
forwards the changes it receives to the extended Replica server, which keeps a passive copy, with
its own configurable replication frequency.

Question: What is the difference between Live Migration and Storage Migration?

Answer: In Live Migration, you move the running virtual machine from one host to another; in
Storage Migration, you move the virtual machine's storage (virtual hard disks and, optionally,
configuration files) to another location while the virtual machine stays on the same host.

Module 12
Implementing Business Continuity and Disaster Recovery
Contents:
Lesson 2: Implementing Windows Server Backup 2

Lesson 3: Implementing Server and Data Recovery 4

Module Review and Takeaways 6

Lab Review Questions and Answers 8



Lesson 2
Implementing Windows Server Backup
Contents:
Demonstration: Configuring a Scheduled Backup 3

Demonstration: Configuring a Scheduled Backup


Demonstration Steps
1. Switch to LON-SVR1.

2. On LON-SVR1, in the Server Manager, click Tools, and then click Windows Server Backup.

3. Click Local Backup, and then in the Actions pane, click Backup Schedule.

4. In the Backup Schedule Wizard, on the Getting Started page, click Next.

5. On the Select Backup Configuration page, click Custom, and then click Next.

6. On the Select Items for Backup page, click Add Items.

7. Expand Local disk (C:), select the HR Data check box, and then click OK.

8. Click Advanced Settings.

9. Click Add Exclusion, click C:\HR Data\Old HR file.txt, and then click OK.
10. Click OK to close the Advanced Settings dialog box.

11. Click Next.

12. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.

13. On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.

14. On the Specify Remote Shared Folder page, in the Path text box, type \\LON-DC1\Backup, and then
click Next.

15. In the Register Backup Schedule dialog box, in the Username text box, type Administrator, in the
Password text box, type Pa$$w0rd, and then click OK.
16. Click Finish, and then click Close.

17. In the Actions pane, click Backup Once.

18. In the Backup Once Wizard, select Scheduled backup options, and then click Next.

19. On the Confirmation page, click Backup.

20. On the Backup Progress page, click Close.

21. Close Windows Server Backup.
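The same scheduled backup, as an added PowerShell example built with the WindowsServerBackup module on LON-SVR1. It is not part of the course content. The folder, exclusion, time and share come from the steps above; the account that writes to the share is prompted for instead of being typed in, and in production it should be a dedicated backup account with Modify rights on \\LON-DC1\Backup rather than the domain Administrator, because the credential is stored with the schedule.

```powershell
# Added example (not course content): the scheduled backup from the
# demonstration, built with the WindowsServerBackup module on LON-SVR1.
# Prompt for a dedicated backup account; do not hard-code Administrator.
Import-Module WindowsServerBackup   # Install-WindowsFeature Windows-Server-Backup first if needed

$policy = New-WBPolicy

# Steps 5-9: custom configuration, back up C:\HR Data but skip one file
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\HR Data')
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\HR Data\Old HR file.txt' -Exclude)

# Step 12: once a day at 01:00
Set-WBSchedule -Policy $policy -Schedule ([datetime]'01:00')

# Steps 13-15: remote shared folder. This is what the wizard warns about:
# a share holds only the most recent backup, so each run replaces the last.
$cred   = Get-Credential -Message 'Account used to write to \\LON-DC1\Backup'
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# Copy backup leaves application log chains (for example SQL Server) untouched
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

# Step 16: register the schedule; $cred is stored for the scheduled task's share access
Set-WBPolicy -Policy $policy -Force

# Steps 17-19: run the registered policy once now ("Scheduled backup options")
Start-WBBackup -Policy (Get-WBPolicy) -Force

# Verify the result and the registered schedule
Get-WBJob -Previous 1 | Format-List JobType, JobState, StartTime, EndTime, ErrorDescription
Get-WBSummary | Format-List LastBackupTime, LastSuccessfulBackupTime, LastBackupResultHR, NextBackupTime
Get-WBPolicy | Format-List Schedule, BackupTargets
```

Because the share contains a complete copy of HR Data, restrict NTFS and share permissions on \\LON-DC1\Backup to the backup account and the restore operators, and check LastBackupResultHR (0 is success) rather than assuming the nightly job ran.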



Lesson 3
Implementing Server and Data Recovery
Contents:
Demonstration: Using Windows Server Backup to Restore a Folder 5

Demonstration: Using Windows Server Backup to Restore a Folder


Demonstration Steps
1. On LON-SVR1, open Windows Explorer, browse to drive C, and then delete the HR Data folder.

2. From the Server Manager, start Windows Server Backup, and then click Recover.

3. In the Recovery Wizard, on the Getting Started page, click A backup stored on another location,
and then click Next.

4. On the Specify Location Type page, click Remote shared folder, and then click Next.

5. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
6. On the Select Backup Date page, click Next.

7. On the Select Recovery Type page, click Next.

8. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:) drive, and in the
right pane, click HR Data, and then click Next.

9. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.

10. On the Confirmation page, click Recover.

11. On the Recovery Progress page, click Close.

12. In Windows Explorer, browse to drive C, and ensure that the HR Data folder is restored.
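The same folder recovery, as an added PowerShell example (not part of the course content) using the WindowsServerBackup module on LON-SVR1. It assumes the backup from the earlier demonstration exists on \\LON-DC1\Backup; the choice of the newest backup set mirrors accepting the default on the Select Backup Date page.

```powershell
# Added example (not course content): restore C:\HR Data from the network
# backup location, as in steps 2-12, using the WindowsServerBackup module.
Import-Module WindowsServerBackup

# Steps 3-5: the backup is stored on a remote shared folder
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup'

# Step 6: list the versions for this server and take the most recent
$sets = Get-WBBackupSet -BackupTarget $target -MachineName 'LON-SVR1'
if (-not $sets) { throw 'No backup sets for LON-SVR1 on \\LON-DC1\Backup' }
$set = $sets | Sort-Object BackupTime -Descending | Select-Object -First 1
"Restoring from backup taken $($set.BackupTime) (version $($set.VersionId))"

# Steps 8-9: recover the folder tree to C:\ with its original ACLs.
# OverwriteIfExists replaces any partial remains; if the folder was tampered
# with rather than deleted, use CreateCopyIfExists to keep the evidence.
Start-WBFileRecovery -BackupSet $set -SourcePath 'C:\HR Data' -TargetPath 'C:\' `
    -Recursive -Option OverwriteIfExists -Force

# Steps 11-12: confirm the job succeeded and the folder is back
Get-WBJob -Previous 1 | Format-List JobType, JobState, StartTime, EndTime, ErrorDescription
if (-not (Test-Path 'C:\HR Data')) { throw 'HR Data was not restored' }
Get-ChildItem 'C:\HR Data' -Recurse -File | Measure-Object -Property Length -Sum |
    Format-List Count, Sum
# Restored ACLs should match what the share had before the loss
(Get-Acl 'C:\HR Data').Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

Before you overwrite, decide whether the loss was accidental or an incident: a deleted share is also what ransomware or an insider leaves behind, and a copy-if-exists restore keeps whatever is still on disk for later analysis.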

Module Review and Takeaways


Best Practices
Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.

Work with the organization's business managers to identify how quickly business-critical data must
be restored after a loss. Based on that information, create an optimal restore strategy.

Always test backup-and-restore procedures regularly. Perform testing in a non-production, isolated
environment.

Review Question(s)
Question: You want to create a strategy that includes how to back up different technologies that are used
in your organization such as DHCP, DNS, AD DS, and SQL Server. What should you do?

Answer: Read documentation about the optimal backup strategy for each technology, because every
technology has specific best practices concerning backup and restore. Then, based on this
information, create documentation and a checklist for backup-and-restore procedures.

Question: How frequently should you perform backups on critical data?

Answer: The frequency at which you perform a backup of critical data depends on your organization's
requirements, and on how frequently the data changes. You should always plan backup strategies
according to risk assessments. If your critical data changes significantly during the day, then you
should perform a backup at least once per day, and consider taking multiple VSS snapshots
during the day.

Real-world Issues and Scenarios


Question: Your organization needs information about which data to back up, how frequently to back up
different types of data and technologies, where to store backed-up data (onsite or in the cloud), and how
fast it can restore backed-up data. How would you improve your organization's ability to restore data
efficiently when it is necessary?

Answer: Your company should develop backup-and-restore strategies based on multiple parameters,
such as business-continuity needs, risk-assessment procedures, and identification of critical
resources and data. These strategies must then be evaluated and tested. They should take into account
the changes that new technologies bring, and the changes that come with your organization's growth.

Tools
Tool: Windows Server Backup
Use: Perform on-demand or scheduled backup and restore of data and servers.
Where to find it: Server Manager, Tools

Tool: Windows Azure Backup
Use: Perform on-demand or scheduled backup to the cloud, and restore data from the backup located in
the cloud.
Where to find it: Server Manager, Tools

Common Issues and Troubleshooting Tips


Common Issue: The server has suffered a major failure of its components.
Troubleshooting Tip: Perform a bare-metal restore on a new system by using the backup set that you
created. Use the documentation and checklist that you created as part of your company's
backup-and-restore strategy and procedures.

Lab Review Questions and Answers


Lab: Implementing Windows Server Backup and Restore
Question and Answers
Question: You are concerned about business-critical data that is located on your company's servers. You
want to perform backups every day, but not during business hours. What should you do?

Answer: You should perform a scheduled backup that runs every day after business hours, for example at
1 A.M.

Question: Users report that they can no longer access data that is located on the server. You connect to
the server, and you realize that the shared folder where users were accessing data is missing. What should
you do?

Answer: You should restore the folder by using Windows Server Backup.