Professional Documents
Culture Documents
20412A
Configuring Advanced Windows Server
2012 Services
MCT USE ONLY. STUDENT USE PROHIBITED
ii Configuring Advanced Windows Server 2012 Services
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
2012 Microsoft Corporation. All rights reserved.
Released: 09/2012
MCT USE ONLY. STUDENT USE PROHIBITED
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.
h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-
led courseware that educates IT professionals or developers on Microsoft technologies.
MCT USE ONLY. STUDENT USE PROHIBITED
j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of customize refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
MCT USE ONLY. STUDENT USE PROHIBITED
survive this agreement.
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone elses use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
install more copies of the Licensed Content on devices than the number of licenses you acquired;
allow more individuals to access the Licensed Content than the number of licenses you acquired;
publicly display, or make the Licensed Content available for others to access or use;
install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
MCT USE ONLY. STUDENT USE PROHIBITED
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievable delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
MCT USE ONLY. STUDENT USE PROHIBITED
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce
contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie
expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage.
Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects,
accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera
pas votre gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus
par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays
si celles-ci ne le permettent pas.
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Implementing Advanced Network Services
Lesson 1: Configuring Advanced DHCP Features 1-2
Lesson 2: Configuring Advanced DNS Settings 1-11
Lesson 3: Implementing IPAM 1-21
Lab: Implementing Advanced Network Services 1-31
Course Description
Note: This first release (A) MOC version of course 20412A has been developed on
prerelease software (Release Candidate (RC)). Microsoft Learning will release a B version of this
course after the RTM version of the software is available.
This course will provide you with the knowledge and skills you need to provision advanced services in a
Windows Server 2012 enterprise environment. This course will teach you how to configure and manage
high availability features, file and storage solutions, and network services in Windows Server 2012. You will
also learn about configuring the Active Directory Domain Services (AD DS) infrastructure, and
implementing backups and disaster recovery.
Audience
This course is intended for IT Professionals who have real-world hands-on experience implementing,
managing and maintaining a Windows Server 2012 infrastructure in an existing Enterprise environment,
and wish to acquire the skills and knowledge necessary to carry out advanced management and
provisioning of services within that Windows Server 2012 environment.
The secondary audience for this course will be candidates aspiring to acquire the Microsoft Certified
Systems Administrator (MCSA) credential either in its own right or in order to proceed in acquiring the
Microsoft Certified System Engineer (MCSE) credentials, for which this is a prerequisite. IT professionals
seeking certification in the 70-412: Configuring Advanced Windows Server 2012 Services exam also may
take this course.
Student Prerequisites
This course requires that you meet the following prerequisites:
At least two years hands-on experience working in a Windows Server 2008 or Windows Server 2012
environment
Equivalent knowledge of 20410A: Installing and Configuring Windows Server 2012 course
Installing and configuring Windows Server 2012 into existing enterprise environments, or as
standalone installations
Configuring Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
services
Creating and configuring users, groups, computers and organizational units (OUs)
Maintaining network integrity by configuring Network Access using Network Policy Server (NPS)
and Network Access Protection (NAP)
Configuring Remote Access using virtual private networks (VPNs) and Windows 7 DirectAccess
Managing and maintaining the Windows Server 2012 domain environment using Group Policy
Course Objectives
After completing this course, students will be able to:
Configure advanced features for DHCP and DNS, and configure IP Address Management (IPAM).
Configure file services to meet advanced business requirements.
Configure Dynamic Access Control (DAC) to manage and audit access to shared files.
Provide high availability and load balancing for web-based applications by implementing Network
Load Balancing (NLB).
Provide high availability for network services and applications by implementing failover clustering.
Deploy and manage Hyper-V virtual machines in a failover cluster.
Implement a backup and disaster recovery solution based on business and technical requirements.
Plan and implement an AD DS deployment that includes multiple domains and forests.
Course Outline
The course outline is as follows:
Module 1, Implementing Advanced Network Services" describes how to configure advanced DHCP
features and DNS settings, and implement IPAM, which is a new Windows Server 2012 feature.
Module 2, Implementing Advanced File Services" describes how to configure Internet Small Computer
System Interface (iSCSI) storage and Windows BranchCache. The module also describes how to
implement Windows Server 2012 features that optimize storage utilization.
Module 3, Implementing Dynamic Access Control" describes DAC, which is a new Windows Server 2012
feature. It also explains how to plan for a DAC implementation, and how to configure DAC.
Module 4, Implementing Network Load Balancing" describes the features and working of network load
balancing (NLB). It also explains how to configure an NLB cluster and plan an NLB implementation.
Module 5, Implementing Failover Clustering" describes failover clustering features in Windows Server
2012. The module also describes how to implement and maintain failover clusters, and how to configure
highly available applications and services on a failover cluster.
Module 6, Implementing Failover Clustering with Hyper-V" describes options to make virtual machines
highly available, and covers the implementation of Hyper-V virtual machines on failover clusters and
Hyper-V virtual machine movement.
Module 7, Implementing Disaster Recovery" describes disaster recovery, server and data recovery, and
the planning and implementation of a backup solution for Windows Server 2012.
Module 8, Implementing Distributed Active Directory Domain Services Deployments" provides an
overview of distributed AD DS deployments and the process of implementation for the same. It also
describes how to configure AD DS trusts, and implement complex AD DS deployments.
Module 9, Implementing Active Directory Domain Services Sites and Replication" describes how
replication works in AD DS in a Windows Server 2012 AD DS environment, and how to configure AD DS
sites to optimize AD DS network traffic. It also shows how to configure and monitor AD DS replication.
Module 10, Implementing Active Directory Certificate Services" provides an overview of Public Key
Infrastructure (PKI), and describes how to deploy certification authorities (CAs) and certificate templates. It
also covers certificate distribution and revocation, and management of certificate recovery.
Module 11, Implementing Active Directory Rights Management Services" describes AD RMS and how
you can use it to achieve content protection. It also explains how to deploy and manage an AD RMS
infrastructure, and configure AD RMS content protection and external access to AD RMS.
Module 12, Implementing Active Directory Federation Services" describes the identity federation
business scenarios, and how you can use AD FS to address the scenarios. It also describes how to deploy
AD FS, and how to implement it for a single organization, and in a business-to-business (B2B) scenario.
MCT USE ONLY. STUDENT USE PROHIBITED
xx About This Course
Exam/Course Mapping
This course, 20412A: Configuring Advanced Windows Server 2012 Services, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-412: Configuring Advanced Windows Server
2012 Services.
The table below is provided as a study aid that will assist you in preparation for taking this exam, and to
show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam, but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination, and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
(continued)
(continued)
(continued)
Important: Attending this course in itself will not successfully prepare you to pass any
associated certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
Real world, hands-on experience Implementing, Managing and Configuring Active Directory and
Networking infrastructure, working in a Windows Server 2008, Windows Server 2008 R2 or Windows
Server 2012 Enterprise environment.
Additional study outside of the content in this handbook
MCT USE ONLY. STUDENT USE PROHIBITED
xxiv About This Course
There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab1
The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to
change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.
Course Companion Content: searchable, easy-to-browse digital content with integrated premium
online resources that supplement the Course Handbook.
Modules: include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
Resources: include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.
Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.),
Companion Content is not available. However, the Companion Content will be published when
the next (B) version of this course is released, and students who have taken this course will be
able to download the Companion Content at that time from the
http://www.microsoft.com/learning/companionmoc site. Please check with your instructor
when the B version of this course is scheduled to release to learn when you can access
Companion Content for this course.
MCT USE ONLY. STUDENT USE PROHIBITED
About This Course xxv
Student Course files: includes the Allfiles.exe, a self-extracting executable file that contains all
required files for the labs and demonstrations.
Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.),
Allfiles.exe file is not available. However, this file will be published when the next (B) version of
this course is released, and students who have taken this course will be able to download the
Allfiles.exe at that time from the http://www.microsoft.com/learning/companionmoc site.
Course evaluation: at the end of the course, you will have the opportunity to complete an
online evaluation to provide feedback on the course, training facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine (VM) without saving the changes, perform the following
steps:
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course:
(continued)
Software Configuration
The following software is installed on the VMs:
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Dual 120 gigabyte (GB) hard disks 7200 RM Serial ATA (SATA) or better*
DVD drive
Network adapter
*Striped
In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16-bit colors.
MCT USE ONLY. STUDENT USE PROHIBITED
MCT USE ONLY. STUDENT USE PROHIBITED
1-1
Module 1
Implementing Advanced Network Services
Contents:
Module Overview 1-1
Module Overview
In Windows Server 2012, network services such as Domain Name System (DNS) provide critical support for
name resolution of network and Internet resources. Within DNS, DNS Security Extensions (DNSSEC) is an
advanced feature that provides a means of securing DNS responses to client queries so that malicious
users cannot tamper with them. With Dynamic Host Configuration Protocol (DHCP), you can manage and
distribute IP addresses to client computers. DHCP is essential for managing IP-based networks. DHCP
failover is an advanced feature that can prevent clients from losing access to the network in case of a
DHCP server failure. IP Address Management (IPAM) provides a unified means of controlling IP
addressing.
This module introduces DNS and DHCP improvements, IP address management, and provides details
about how to implement these features.
Objectives
After completing this module you will be able to:
Implement IPAM.
MCT USE ONLY. STUDENT USE PROHIBITED
1-2 Implementing Advanced Netwoork Services
Lesson 1
Config
guring Advance
A ed DHC
CP Featu
ures
DHC CP plays an immportant role in n the Window
ws Server 2012 operating systtem infrastructture. It is the
prim
mary means off distributing im mportant netw
work configuraation information to networkk clients, and it
provvides configurration informattion to other network-enabl
n led services, in
ncluding Windoows Deployme ent
Servvices (WDS) an nd Network Acccess Protectioon (NAP). To suupport a Wind dows Server-baased network
infra
astructure, it iss important that you understtand the DHC P server role. WWindows Server 2012 impro oves
the functionality ofo DHCP by prroviding failover capabilities..
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
CP componentts.
Describe DHC
Explain how to
t configure DHCP
D interactio
on with DNS.
Describe supe
er scopes and multicast scop
pes.
Explain how DHCP
D works with
w IPv6.
Describe DHC
CP name prote
ection.
Describe DHC
CP failover.
Ov
verview of DHCP Com
mponentss
DHC CP is a server role
r that you can
c install on
Winndows Server 2012.
2 With the e DHCP server role,
you can ensure th hat all clients have
h appropria ate IP
adddresses and nettwork configuration informa ation,
which can help eliminate human error during g
configuration. A DHCP
D client is any device run nning
DHC CP client softw
ware that can request
r and retrieve
netwwork settings from
f a DHCP server
s service.
DHC CP clients mayy be computers, mobile devices,
prin
nters, or switch
hes. DHCP mayy also provide IP
adddress information to network k boot clients.
DHC
CP consists of the componen
nts that are listted in the follo
owing table.
Co
omponent Description
D
DHCP scopes The DHCP adm ministrator co nfigures the raange of IP add dresses and related
information allotted to the sserver for distrribution to req
questing clientts.
Each scope ca
an only be assoociated with a single IP subn net. A scope m
must
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 1-3
Component Description
consist of:
A name and description
A range of addresses that can be distributed
A subnet mask
A scope can also define:
IP addresses that should be excluded from distribution
The duration of the IP address lease
DHCP options
You can configure a single DHCP server with multiple scopes, but the
server must be either connected directly to each subnet that it serves, or
have a DHCP relay agent in place. Scopes also provide the primary way
for the server to manage and distribute any related configuration
parameters (DHCP options) to clients on the network.
DHCP options When you assign the IP address inform, you can simultaneously assign
many other network configuration parameters. The most common DHCP
options include:
Default Gateway IP address
DNS server IP address
DNS domain suffix
Windows Internet Name Service (WINS) server IP address
You can apply the options at different levels. They can be applied:
Globally to all scopes
Specifically to particular scopes
To specific clients based on a Class ID value
To clients that have specific IP address reservations configured
Note: IPv6 scopes are slightly different, and will be discussed later in
this lesson.
DHCP database The DHCP database contains configuration data about the DHCP server,
and stores information about the IP addresses that have been distributed.
By default, the DHCP database files are stored in the
%systemroot%\System32\Dhcp folder.
DHCP console The DHCP console is the main administrative tool for managing all aspects
of the DHCP server. This management console is installed automatically on
any server that has the DHCP role installed. However, you can also install it
on a remote server or Windows 8 client by using the Remote Server
Administration Tools (RSAT) and by connecting to the DHCP server for
remote management.
DH
HCP Leases
DHC CP allocates IP
P addresses on a dynamic ba asis. This is kno
own as a lease.. You can conffigure the duraation
of the lease. The default
d lease tiime for wired clients
c is eightt days.
Whe en the DHCP lease has reach nt attempts to renew the leasse.
hed 50 percent of the lease ttime, the clien
Thiss automatic process occurs inn the background. Computeers might havee the same IP aaddress for a lo ong
periiod of time if they
t operate continually on a network with hout being shut down. Clien nt computers aalso
atte
empt renewal during
d the starrtup process.
DH
HCP Server Authorizatio
A on
If th
he server is a domain membe er, you must authorize the WWindows Serveer 2012 DHCP server role in
Actiive Directory Domain
D Service
es (AD DS) beffore it can beg
gin leasing IP aaddresses. Youu must be an
Enteerprise Adminiistrator to auth
horize the DHCCP server. Stan
ndalone Micro osoft servers ve
erify whether tthere
is a DHCP server on o the network, and do not start the DHC P service if this is the case.
Co
onfiguring DHCP Inte
eraction With
W DNS
Durring dynamic IP address alloccation, the DH HCP
ource records automatically for
servver creates reso
DHC CP clients in th
he DNS databa ase. However, those
recoords may not beb deleted auttomatically wh hen
the client DHCP le Y can configure
ease expires. You
DHC CP options to allow the DHC CP server to ow
wn
and fully control the
t creation an nd deletion of
thosse DNS resource records.
Con
nfiguring DHCP
D Option
n 081
Youu can configure e DHCP option n 081 to control
the way that resource records are updated in the
DNS S database. Th his option permmits the client to
provvide its fully qualified domain name (FQDN) and instrucctions to the D DHCP server abbout how it wo ould
like the server to process DNS dynamic
d updattes on its behaalf. You configure option 0811 on the DNS tab
of the Properties window
w for the protocol nod de, or per scop
pe in the DHC CP console. Youu can also configure
DHC CP to perform updates on behalf of its clie ents to any DN NS servers thatt support dynaamic updates.
By default,
d the DH
HCP server beh
haves in the fo
ollowing mann
ner:
The DHCP server dynamically updates DN NS address ho st (A) resourcee records and pointer (PTR)
resource recoords only if req
quested by the
e DHCP clients . By default, th ests that the DHCP
he client reque
server registe
er the DNS PTR ord, while the client registerrs its own DNS A resource record.
R resource reco
The DHCP server discards the A and PTR resource reco rds when the cclients lease iss deleted.
You his option so that it instructss the DHCP serrver to always dynamically u
u can modify th update DNS A
reso
ource records and
a PTR resou urce records no o matter what the client requests. In this w
way, the DHCPP
servver becomes th
he owner of thhe resource reccord because tthe DHCP servver performed the registratio on of
the resource records. Once the DHCP server becomes
b owner of the cllient computers A and PTR
the o
reso
ource records, only that DHCCP server can update
u the DNNS resource reccords for the cclient compute
er
baseed on the dura
ation and reneewal of the DH HCP lease.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 1-5
Configuring
C g Advance
ed DHCP Scope
S Desiigns
Yoou can configu
ure advanced DHCP scope designsd
ca
alled superscoppes. A superscoope is a collection of
in
ndividual scopees that are gro
ouped togethe er for
ad
dministrative purposes.
p This allows client
co
omputers to reeceive an IP ad ddress from multiple
lo
ogical subnets even when the e clients are lo
ocated
onn the same phhysical subnet. You can only create
a superscope if you have two or more IP sco opes
already created in DHCP. You u can use the New
N
Su
uperscope Wizzard to select the
t scopes tha at you
wish
w to combine together to create a superrscope.
Benefits
B of Superscopes
S s
A superscope iss useful in seveeral situations. For example, if a scope runss out of addresses and you ccannot
ad
dd more addre esses from the
e subnet, you can
c instead ad d a new subneet to the DHCP P server. This sscope
w lease addresses to clients in the same physical networrk, but the clieents will be in a separate nettwork
will
ogically. This is known as mu
lo ultinetting. Oncce you add a n
new subnet, yoou must config gure routers too
re
ecognize the newn subnet so that you ensure local comm munications in the physical network.
Multicast
M Sco
opes
A multicast scop pe is a collection of multicasst addresses froom the class D IP address raange of 224.0.00.0 to
23 39.255.255.255 5 (224.0.0.0/3)). These addressses are used w when applicatiions need to ccommunicate w with
nu umerous clients efficiently and simultaneo ously. This is acccomplished wwith multiple h
hosts that listen
n to
trraffic for the sa
ame IP addresss.
DHCP
D Integ
gration With IPv6
IP
Pv6 can configure itself withoout DHCP. IPv6 6
en
nabled clients have a self-assigned link-loccal IPv6
ddress. A link-local address is
ad i intended only for
co
ommunication ns within the loocal network. It is
eq
quivalent to thhe 169.254.0.0 self-assigned
ddresses used by IPv4. IPv6-enabled netwo
ad ork
in
nterfaces can, and
a often do, have more tha an one
IP
Pv6 address. Foor example, ad ddresses mightt
in
nclude a self-asssigned link-lo
ocal address an
nd a
DHCP-assigned global addresss. By using DH HCP for
IP
Pv6 (DHCPv6), an IPv6 host canc obtain sub bnet
prefixes, global addresses, and d other IPv6
MCT USE ONLY. STUDENT USE PROHIBITED
1-6 Implementing Advanced Network Services
configuration settings.
Note: You should obtain a block of IPv6 addresses from a Regional Internet Registry. There
are five regional internet registries in the world. They are:
Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring
countries
American Registry for Internet Numbers (ARIN) for Canada, many Caribbean and North Atlantic
islands, and the United States
Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of
the Caribbean region
Rseaux IP Europens Network Coordination Centre (RIPE NCC) for Europe, Russia, the Middle East,
and Central Asia
Stateful configuration. Occurs when the DHCPv6 server assigns the IPv6 address to the client along
with additional DHCP data.
Stateless configuration. Occurs when the subnet router assigns IPv6 automatically, and the DHCPv6
server only assigns other IPv6 configuration settings.
Property Use
Prefix The IPv6 address prefix is analogous to the IPv4 address range. It defines
the network portion of the IP address.
Preference This property informs DHCPv6 clients as to which server to use if you
have multiple DHCPv6 servers.
Exclusions This property defines single addresses or blocks of addresses that fall
within the IPv6 prefix but will not be offered for lease.
Valid and Preferred This property defines how long leased addresses are valid.
lifetimes
1. In the DHCP console, right-click the IPv6 node, and then click New Scope.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 1-7
What
W Is DH
HCP Name Protection?
Yoou must prote ect the names that
t DHCP reggisters
in
n DNS on beha alf of systems from
f being
ovverwritten by non-Microsoft
n t systems that use the
ame names. In addition, you must protect the
sa
na ames from beiing overwritten by systems thatt use
sttatic addressess that conflict with
w DHCP-asssigned
adddresses when n they use unse ecure DNS and d DHCP
is not configureed for conflict detections. For
exxample, a UNIX X-based system m named Client1
coould potentially overwrite th he DNS addresss that
was
w assigned an nd registered byb DHCP on behalf of
a Windows-based system also o named Client1. A
ne ew feature in Windows
W Serveer 2012, DHCP P Name Protecction, addressees this issue.
Name
N squattingg is the term used to describe the conflict tthat occurs whhen one client registers a naame with
DNS but that na ame is alreadyy used by another client. Thiss problem cau uses the originaal machine to become
in
naccessible, and it typically occurs
o with systtems that havee the same na mes as Windo ows operating
syystems. DHCP Name Protecttion addresses this by using a resource reccord known as a Dynamic Ho ost
Configuration Iddentifier (DHC CID) to track which machiness originally req
quested which names. The D DHCP
se
erver provides the DHCID record, which is stored in DNSS. When the DHCP server recceives a request by a
machine
m with an existing nam me for an IP ad
ddress, the DHC CP server can refer to the DHCID in DNS tto verify
th
hat the machinne that is reque esting the nam
me is the origin
nal machine thhat used the name. If it is no
ot the
sa
ame machine, then the DNS resource reco ord is not updaated.
To
o enable DHCP Name Protection for an IP
Pv4 or IPv6 nod
de:
To
o enable DHCP Name Protection for a sco
ope:
2.. e IPv4 or IPv6 node, right-click the scope, and the open
Expand the n the Property
y page.
3.. Click DNS, click Advance
ed, and then se
elect the Enab
ble Name Pro
otection checkk box.
MCT USE ONLY. STUDENT USE PROHIBITED
1-8 Implementing Advanced Netwoork Services
Wh
hat Is DHC
CP Failoverr?
DHC CP manages th he distributionn of IP addresses in
TCP P/IP networks of o all sizes. Wh
hen this servicee
failss, clients lose connectivity
c to the network and
a
all of
o its resourcess. A new featurre in Windowss
Servver 2012, DHC CP failover, adddresses this issu
ue.
DH
HCP Failoverr
DHC CP clients reneew their leases on their IP
adddresses at regular, configurabble intervals. When
W
the DHCP service fails, the leasees time out and d
cliennts no longer have IP addressses. In the passt,
DHC CP failover was not possible because DHCP
servvers were independent and unaware
u of eacch
othe er. Therefore, configuring
c tw
wo separate DH HCP servers to
o distribute thee same pool off addresses could
leadd to duplicate addresses. Add ditionally, provviding redund ant DHCP servvices required you to configure
clusstering, and peerform a significant amount of manual con nfiguration andd monitoring.
The new DHCP failover feature enables two DHCP D servers t o provide IP aaddresses and optional
configurations to the same subn nets or scopess. Therefore, yoou can now co onfigure two D DHCP servers to o
repllicate lease information. If on
ne of the serve
ers fails, the otther server servvices the clients for the entirre
subnet.
Note: In Windows Server 2012, you can ure two DHCP servers for failover and
n only configu
onlyy for IPv4 scop
pes and subnetts.
Con
nfiguring DHCP
D Failove
er
To configure
c DHC
CP failover, you u need to establish a failove r relationship between the ttwo DHCP servvers
servvices. You must also give thiss relationship a unique namee. The failoverr partners exch
hange this nam
me
during configurattion. This enabbles a single DH HCP server to have multiple failover relatio
onships with o
other
DHC CP servers so long as they all have unique names. To co nfigure failoveer, use the Con nfiguration Faiilover
wizaard that you caan launch by right-clicking
r the
t IP node orr the scope nod de.
You
u can configure
e failover in on
ne of the two following
f mod
des.
Mode Characteristiccs
Hot Standby In this mode,, one server is the primary seerver and the oother is the
secondary se
erver. The prim mary server actiively assigns IP
P configuration ns for
the scope or subnet. The seecondary DHC CP server only assumes this rrole if
the primary server
s becomees unavailable. A DHCP serve er can
simultaneoussly act as the pprimary for onee scope or sub bnet, and be th he
secondary for another. Adm must configure a percentage of the
ministrators m
scope addressses to be assiggned to the standby server. These addressses are
supplied duriing the Maxim mum Client Leaad Time (MCLT T) interval if th
he
primary serve
er is down. Thee default MCLLT value is 5 pe ercent of the sccope.
The secondarry server takess control of thee whole IP rannge after the M MCLT
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 1-9
Mode Characteristics
interval has passed.
Hot Standby mode is best suited to deployments in which a disaster
recovery site is located at a different location. That way the DHCP server
will not service clients unless there is a main server outage.
Load Sharing This is the default mode. In this mode both servers simultaneously supply
IP configuration to clients. The server that responds to IP configuration
requests depends on how the administrator configures the load
distribution ratio. The default ratio is 50:50.
MCLT
The administrator configures the MCLT parameter to determine the amount of time a DHCP server should
wait when a partner is unavailable, before assuming control of the address range. This value cannot be
zero, and the default is one hour.
Message Authentication
Windows Server 2012 enables you to authenticate the failover message traffic between the replication
partners. The administrator can establish a shared secretmuch like a passwordin the Configuration
Failover Wizard for DHCP failover. This validates that the failover message comes from the failover
partner.
Firewall Considerations
DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following inbound
and outbound firewall rules:
Microsoft-Windows-DHCP-Failover-TCP-In
Microsoft-Windows-DHCP-Failover-TCP-Out
Demonstration Steps
2. Switch to LON-DC1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.
6. Switch back to LON-SVR1, and note that the IPv4 node is active and the Adatum scope is configured.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 1-11
Lesson
n2
Configuring Advancced DNS Settin
ngs
In
n TCP/IP netwo orks of any size
e, certain serviices are essenttial. DNS is onee of the most ccritical networrk
se
ervices for any network, beca ause many oth her applicationns and servicessincluding A AD DSrely on n DNS
to
o resolve resou
urce names to IP addresses. Without
W nd network-based
DNS, user authenticcations fail, an
re
esources and applications
a may become ina accessible. For this reasons, yyou need to m manage and prrotect
DNS. This lessonn discusses ma anagement tecchniques and o options for op ptimizing DNS resolution. Wiindows
Se
erver 2012 imp plements DNSSEC to protectt DNS responsses. Windows SServer 2012 also supports global
naame zones to provide single e-label name re esolution.
Le
esson Objecctives
After completin y will be able to:
ng this lesson you
Manage DN
NS services.
Optimize DNS
D name reso
olution.
Describe global name zones.
Explain how
w DNSSEC worrks.
Describe th C features for Windows Servver 2012.
he new DNSSEC
Managing
M DNS Services
Like other impoortant network
k services, you must
manage
m DNS. DNS
D managemment consists of the
fo
ollowing tasks:
Configuring
g logging for DNS,
D
Delegating
D Administrat
A ion of DNS
Byy default, the Domain
D Admins group has fullf
pe
ermissions to manage
m all asp
pects of the DNS
se
erver in its hom
me domain, an nd the Enterpriise Admins gro oup has full peermissions to m
manage all asp
pects of
all DNS servers in any domain n in the forest. If you need to
o delegate thee administratio
on of a DNS seerver to
a different user or group, then you can add d that user or g
global group t o the DNS Admins group fo or a
giiven domain in n the forest. Members
M e DNS Admins group can vieew and modifyy all DNS data,,
of the
se
ettings, and co o DNS servers in their homee domain.
onfigurations of
Th
he DNS Admin
ns group is a Domain
D Local security
s group
p, and by defau
ult has no mem
mbers in it.
Configuring
C DNS Loggin
ng
Byy default, DNS
S maintains a DNS
D server log
g, which you caan view in the Event Viewer. This event log
g is
lo
ocated in the Applications
A an gs folder in Evvent Viewer. It records comm
nd Services Log mon events succh as:
For more verbose logging, you can enable debug logging. Debug logging options are disabled by default,
but can be selectively enabled. Debug logging options include the following:
Direction of packets
Contents of packets
Transport protocol
Type of request
Specifying the name and location of the log file, which is located in the %windir%\System32\DNS
directory
Debug logging can be resourceintensive. It can affect overall server performance and consume disk
space. Therefore, you should only enable it temporarily when you require more detailed information
about server performance. To enable debug logging on the DNS server, do the following:
4. Select Log packets for debugging, and then select the events for which you want the DNS server to
record debug logging.
Aging and scavenging is disabled by default. You can enable aging and scavenging in the Advanced
properties of the DNS server, or you can enable it for selected zones in the zones Properties window.
Aging is determined by using parameters known as the Refresh interval and the No-refresh interval. The
Refresh interval is the date and time that the record is eligible to be refreshed by the client. The default is
seven days. The No-refresh interval is the period of time that the record is not eligible to be refreshed. By
default, this is seven days. In the normal course of events, a client host record cannot be refreshed in the
database for seven days after it is first registered or refreshed. However, it then must be refreshed within
the next seven days after the No-refresh interval, or the record becomes eligible to be scavenged out of
the database. A client will attempt to refresh its DNS record at startup, and every 24 hours while the
system is running.
Note: Records that are added dynamically added to the database are time stamped. Static
records that are you entered manually have a time stamp value of zero 0, and will not be affected
by aging and therefore will not be scavenged out of the database.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 1-13
Backing
B Up the
t DNS Database
How you back up u the DNS da atabase depends on how DN NS was implem mented into yoour organizatio on. If
yo
our DNS zone was implemen nted as an Acttive Directory iintegrated zon ne, then your D
DNS zone is in ncluded
in
n the Active Directory databa ase ntds.dit file
e. If the DNS zzone is a primaary zone and iss not stored in
n AD DS,
th
hen the file is stored
s as a .dns file in the %SSystemRoot%\\System32\Dn ns folder.
Backing Up Active
A Directo
ory Integrate
ed Zones
Active Directoryy integrated zo d in AD DS an d are backed u
ones are stored up as part of a System State
e or a
fu up. Additionally, you can back up just the Active Directo
ull server backu ory integrated zone by using
g the
dnscmd command-line tool.
To
o back up an Active
A Directorry integrated zone,
z perform the following steps:
dnscmd /Z
ZoneExport <z
zone name> <zone file na
ame>
Th ool exports the zone data to the file name that you desig
he dnscmd to gnate in the co
ommand, to th
he
%windir%\Syste
% em32\DNS dire ectory.
Optimizing
O g DNS Nam
me Resoluttion
In
n a typical DNS S query event, a client comp puter
atttempts to reso olve a FQDN to t an IP addresss. For
exxample, if a user tries to go to t the FQDN
www.microsoft.
w com, the clien nt computer wiill
peerform a recurrsive query to the t DNS serve er that
it is configured to discover the IP address
asssociated with that FQDN. The local DNS server s
must
m then respo
ond with an au uthoritative response.
If the local DNS S server has no o copy of the DNS
D
naamespace for which it was queried,
q it will
re
espond with an n authoritative e answer to the e client
coomputer. If thee local DNS server does not have
th
hat information n, it will perforrm recursion. Recursion
R referrs to the proceess of having tthe local DNS sserver
itsself make a reccursive query to t another DN NS server until it finds the au
uthoritative ansswer and returrns that
annswer to the client that mad de the original request. By deefault, this servver will be one
e of the serverss on the
nternet that is listed as a root hint. When the local DNS sserver receivess a response, itt will return that
In
in
nformation to thet original requesting client computer.
MCT USE ONLY. STUDENT USE PROHIBITED
1-14 Implementing Advanced Network Services
There are a number of options available for optimizing DNS name resolution. They include features such
as:
Forwarding
Conditional forwarding
Stub zones
Netmask ordering
Forwarding
A forwarder is a network DNS server that you configure to forward DNS queries for host names that it
cannot resolve to other DNS servers for resolution. In a typical environment, the internal DNS server
forwards queries for external DNS host names to DNS servers on the Internet. For example, if the local
network DNS server cannot authoritatively resolve a query for www.microsoft.com, then the local DNS
server can forward the query to the internet service providers (ISPs) DNS server for resolution.
Conditional Forwarding
You also can use conditional forwarders to forward queries according to specific domain names. A
conditional forwarder is a DNS server on a network that forwards DNS queries according to the querys
DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for
names ending with corp.adatum.com to the IP address of a specific DNS server or to the IP addresses of
multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest. For
example, suppose Contoso.com and Adatum.com are merged. Rather than each domain having to host a
complete replica of the other domains DNS database, you could create conditional forwarders so that
they point to each others specific DNS servers for resolution of internal DNS names.
Stub Zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify that zones
authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might
be necessary when you want a DNS server that is hosting a parent zone to remain aware of all the
authoritative DNS servers for one of its child zones. A stub zone that is hosted on a parent domain DNS
server will receive a list of all new DNS servers for the child zone, when it requests an update from the
stub zone's master server. By using this method, the DNS server that is hosting the parent zone maintains
a current list of the authoritative DNS servers for the child zone as they are added and removed.
The delegated zones start of authority (SOA) resource record, name server (NS) resource records, and
A resource records
The IP address of one or more master servers that you can use to update the stub zone
Stub zones can be replicated either in the domain only, or throughout the entire forest.
Stub zone master servers are one or more DNS servers that are responsible for the initial copy of the
zone information, and are usually the DNS server that is hosting the primary zone for the delegated
domain name.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 1-15
Netmask
N Ord
dering
Netmask ordering returns add dresses for typ
pe A (address rrecords) DNS q queries that prrioritize resourrces on
th
he client comp
puters local subnet to the cliient. In other wwords, addressses of hosts thaat are on the ssame
su
ubnet as the re
equesting cliennt will have a higher
h e client computer.
priorityy in the DNS reesponse to the
Lo
ocalization is based
b on IP adddresses. For exxample, if therre are multiplee A records thaat are associate
ed with
th
he same DNS name,
n and eacch of the A records are locateed on a differeent IP subnet, netmask orde ering
eturns an A reccord that is on the same IP subnet as the cclient computeer that made the request.
re
What
W Is the
e GlobalNa
ame Zone??
Thhe DNS Serverr Service in Windows Server 2012
provides the Glo obalName zon ne, which you can use
o contain single-label namess that are unique
to
accross an entire
e forest. This elliminates the need
n to
usse the NetBIOS-based WINS S to provide su
upport
fo
or single-label names. GlobalName zones provide
p
single-label namme resolution forf large enterrprise
ne d not deploy WINS and that have
etworks that do
multiple
m DNS domain environ nments. GlobalName
zo
ones are create ed manually and do not sup pport
dyynamic record d registration.
When
W clients tryy to resolve sh
hort names, the
ey
au
utomatically append their DNS domain na ame. Dependinng on the conffiguration, the ey also try to find the
na
ame in upper--level domain name, or work k through thei r name suffix llist. Therefore, short names aare
esolved in the same domain..
re
Yo
ou use a Globa alName zone tot maintain a list of DNS seaarch suffixes fo
or resolving naames among m multiple
DNS domain en nvironments. For
F example, if an organizatio on supports tw wo DNS domaains, such as
ad
datum.com an nd contoso.com m, users in the adatum.com DNS domain n need to use a FQDN such ass
da
ata.contoso.coom to locate thhe servers in co Otherwise, the domain admin
ontoso.com. O nistrator needs to add
a DNS search suuffix for contosso.com on all the
t systems inn the adatum.ccom domain. Iff the clients just
se
earch for the server name ddata, then the search would fail.
Creating
C a GlobalName Zone
To
o create a GlobalName zone
e, do the follow
wing:
2.. Create a ne
ew forward loookup zone nam
med GlobalNam
me (not case ssensitive). Do n
not allow dynaamic
updates forr this zone.
Op
ptions for Implemen
I ting DNS Security
Because DNS is a critical networrk service, you
musst protect it as much as posssible. A numbeer of
options are available for protecting the DNS
servver, including:
DNS cache lo
ocking
DN
NS Cache Loccking
Cache locking is a security featu ure available with
w
Win ndows Server 2012
2 that allow
ws you to conttrol
whe en information n in the DNS ca ache can be ovverwritten. Wh hen a recursivee DNS server rresponds to a q query,
it ca
aches the results so that it ca
an respond quickly if it receivves another qu uery requestinng the same
infoormation. The period
p of time
e the DNS servver keeps infor mation in its ccache is determmined by the T Time
to Live
L (TTL) value e for a resource record. Inforrmation in thee cache can be overwritten b before the TTL
expires if updated d information about
a that resource record iis received. If aan attacker succcessfully overrwrites
infoormation in thee cache, the atttacker might be
b able to red irect your netw work traffic to a malicious site.
Whe en you enable e cache lockingg, the DNS servver prohibits ccached recordss from being o overwritten forr the
dura ation of the TT
TL value.
You
u configure cacche locking as a percentage value. For exaample, if the caache locking value is set to 550,
then erwrite a cached entry for haalf of the duraation of the TT
n the DNS servver will not ove TL. By default, tthe
cachhe locking perrcentage value
e is 100. This means
m that cach
hed entries will not be overw written for the
e
entiire duration off the TTL.
You
u can configure
e cache locking
g with the dnsscmd tool as ffollows:
1. Launch an ele
evated comma
and prompt.
2. Run the follow
wing comman
nd:
DN
NS Socket Po
ool
The DNS socket pool
p enables a DNS server to o use source po ort randomiza tion when issu uing DNS querries.
Whe en the DNS se ervice starts, the server choosses a source poort from a poo
ol of sockets th
hat are availab
ble for
issuing queries. In
nstead of using g a predicable source port, thhe DNS serverr uses a randomm port numbe er that
it se
elects from the
e DNS socket pool.
p The DNS socket pool m makes cache-taampering attacks more difficcult
because an attack ker must correctly guess both the source p port of a DNS q
query and a raandom transacction
ID to successfully run the attack k. The DNS soccket pool is en abled by default in Window ws Server 2012..
The default size of
o the DNS socket pool is 2,500. When you u configure thee DNS socket p pool, you can
choose a size valu
ue from 0 to 10 ger the value, tthe greater thee protection yyou will have against
0,000. The larg
DNSS spoofing attaacks. If the DN
NS server is run
nning Window ws Server 2012,, you can also configure a DNS
sock
ket pool exclussion list.
You
u can configure
e the DNS socket pool size by
b using the dn
nscmd tool ass follows:
1. Launch an ele
evated comma
and prompt.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 1-17
dnscmd /C
Config /Socke
etPoolSize <value>
DNSSEC
D
DNSSEC enable es a DNS zone and all record
ds in the zone tto be signed ccryptographicaally such that cclient
co
omputers can validate the DNS
D response. DNS is often ssubject to vario
ous attacks, su
uch as spoofing g and
ca
ache-tamperin ng. DNSSEC heelps protect ag
gainst these th reats and provvides a more secure DNS
in
nfrastructure.
How
H DNSSEC Works
In
ntercepting and tampering with w an organizzations
DNS query resp ponse is a common attack method.
If attackers can alter response es from DNS se ervers,
orr send spoofed d responses to o point client
coomputers to thheir own serve ers, they can ga
ain
acccess to sensitive information. Any service that
re
elies on DNS fo or the initial co
onnectionsu uch as
e--commerce we eb servers and email servers are
vuulnerable. DNS SSEC protects clients that are e
making
m DNS qu ueries from acccepting false DNSD
re
esponses.
When
W a DNS se osting a digitally
erver that is ho
signed zone recceives a query, it returns the digital signatu
ures along wit h the requesteed records. A rresolver
orr another serve t public keyy of the public//private key paair from a trusst anchor, and then
er can obtain the
va
alidate that the
e responses arre authentic annd have not beeen tampered with. To do th his, the resolve
er or
se
erver must be configured witth a trust anch hor for the sign
ned zone or fo
or a parent of tthe signed zon ne.
Trust Anchorrs
A trust anchor is an authoritative entity that is representeed by a public key. The TrusttAnchors zone stores
preconfigured public
p keys thaat are associate ed with a speccific zone. In D
DNS, the trust aanchor is the D
DNSKEY
orr DS resource record. Client computers use e these record
ds to build trusst chains. You mmust configure a trust
an
nchor from the e zone on every domain DNS server to vallidate responses from that signed zone. If the
DNS server is a domain contro oller, then Acttive Directory iintegrated zonnes can distribute the trust aanchors.
Name
N Resolu
ution Policy
y Table
Th
he Name Reso olution Policy Table
T (NRPT) contains
c rules tthat control th
he DNS client b
behavior for se
ending
DNS queries and processing thet responses from those qu ueries. For exammple, a DNSSEEC rule promp pts the
client computerr to check for validation
v of the response foor a particular DNS domain suffix. As a besst
practice, Group Policy is the preferred
p methhod of configuuring the NRPTT. If there is no
o NRPT presennt, the
client computerr accepts respoonses without validating theem.
Deploying
D DNSSEC
D
To
o deploy DNSS
SEC:
Configure the zone signing parameters. This option guides you through the steps and enables you
to set all values for the key signing key (KSK) and the zone signing key (ZSK).
Sign the zone with parameters of an existing zone. This option enables you to keep the same
values and options as another signed zone.
Use recommended settings. This option signs the zone by using the default values.
Note: Zones can also be unsigned by using the DNSSEC management user interface to
remove zone signatures.
Note: A key rollover is the act of replacing one key pair with another at the end of a keys
effective period.
New
N DNSSEC Feature
es for Windows Servver 2012
DNSSEC implem mentation was simplified for
Windows
W Server 2012. Althouugh DNSSEC was
w
su
upported in Windows
W Serverr 2008 R2, mosst of
th on and administration tasks were
he configuratio
pe
erformed man nes were signed when
nually, and zon
th
hey were offlin
ne.
DNSSEC
D Zon
ne Signing Wizard
W
Windows
W Server 2012 includees a DNSSEC Zone
Siigning Wizard to simplify thee configuration and
signing process, and to enable online signin ng. The
wizard
w allows yo
ou to choose the
t zone signin ng
paarameters as in
ndicated in thee previous top
pic. If
yo
ou choose to configure
c the zone
z signing settings
s rather than using paarameters from
m an existing zzone or
ussing default va
alues, you can use the wizardd to configuree settings such as:
KSK options
ZSK options
Trust ancho
or distribution options
Signing and
d polling param
meters
New
N Resourcce Records
DNS response validation
v is acchieved by asso
ociating a privvate/public keyy pair (as gene
erated by the
ad
dministrator) with
w a DNS zon ne, and then defining
d additi onal DNS resoource records tto sign and pu ublish
ke
eys. Resource records
r distrib
bute the publicc key while thee private key reemains on thee server. When the
client requests validation,
v DNSSEC adds datta to the respo onse that enabbles the client tto authenticatte the
re
esponse.
Th
he following ta
able describes the new resou
urce records in
n Windows Serrver 2012.
Resource reco
ord Purp
pose
DS Thiss record is a de
elegation reco ord that contai ns the hash off the
pub
blic key of a ch hild zone. This record is signeed by the pare ent
zones private keyy. If a child zon ne of a signed parent is also signed,
the DS records fro om the child m must be manuaally added to tthe
pareent so that a chain
c of trust ccan be created
d.
NSEC Wheen the DNS reesponse has no o data to proviide to the clien
nt, this
reco
ord authentica
ates that the ho
ost does not eexist.
Other
O New Enhancemen
E nts
Other
O enhancem
ments for Windows Server 2012 include:
Demonstration Steps
Configure DNSSEC
1. Log on to LON-DC1 as Adatum\Administrator.
3. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all default settings.
4. Verify that the DNSKEY resource records were created in the Trust Points zone.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix and that requires DNS client computers to verify that the name and address
data is validated.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 1-21
Lesson
n3
Imple
ementin
ng IPAM
M
With
W the develo opment of IPv6 6 and more annd more devicees requiring IP P addresses, neetworks have b
become
co
omplex and difficult to manaage. Maintaining an updated d list of static IP addresses th
hat have been
n issued
ha
as often been a manual taskk, which can lea
ad to errors. TTo help organizzations manag ge IP addresses,
Windows
W Server 2012 provide
es the IPAM toool.
Le
esson Objecctives
After completin y will be able to:
ng this lesson you
Describe IP
PAM.
Describe IP
PAM architectu
ure.
Describe th
he requirementts for IPAM im
mplementation s.
What
W Is IPA
AM?
IP
P address mana agement is a difficult
d task in
n large
neetworks, becau P address usage is
use tracking IP
la
argely a manua al operation. Windows
W Serve
er 2012
in
ntroduces IPAM M, which is a frramework for
diiscovering, moonitoring utilization, auditing
g, and
managing
m the IP address spacce in a network.
IP
PAM enables th he administrattion and monittoring
off DHCP and DNS, and provid des a compreh hensive
view of where IP addresses arre used. IPAM collects
in
nformation from domain con ntrollers and Network
N
Poolicy Servers (N
NPSs) and storres that inform
mation
in
n the Windowss Internal Database.
IP
PAM assists in the
t areas of IP
P administratio
on as shown in the following
g table.
Cha
aracteristicss of IPAM
Cha
aracteristics of IPAM include::
M server can su
A single IPAM upport up to 150
1 DHCP servvers and 500 D
DNS servers.
A single IPAM
M server can su
upport up to 6,000
6 opes and 150 DNS zones.
DHCP sco
IPAM does no
ot check for IP
P address consistency with ro
outers and switches.
Ben
nefits of IPA
AM
IPAM
M benefits include:
IP address lea
ase and logon event tracking
g.
Note: IPAM
M does not sup
pport managem non-Microsoft network
ment and conffiguration of n
elem
ments.
IPA
AM Archite
ecture
IPAM
M architecture e consists of fo
our main modu
ules,
which are listed in
n the followingg table.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 1-23
Module Description
IPAM discovery You use AD DS to discover servers running Windows Server 2008 and newer
that have DNS, DHCP, or AD DS installed. Administrators can define the scope
of discovery to a subset of domains in the forest. They can also add servers
manually.
IP address space You can use this module to view, monitor, and manage the IP address space.
management (ASM) You can dynamically issue or statically assign addresses. You can also track
address utilization and detect overlapping DHCP scopes.
Multi-server You can manage and monitor multiple DHCP servers. This enables tasks to
management and execute across multiple servers. For example, you can configure and edit DHCP
monitoring properties and scopes and track the status of DHCP and scope utilization. You
can also monitor multiple DNS servers, and monitor the health and status of
DNS zones across authoritative DNS servers.
Operational auditing You can use the auditing tools to track potential configuration problems. You
and IP address can also collect, manage, and view details of configuration changes from
tracking managed DHCP servers. You can also collect address lease tracking from DHCP
lease logs, and collect logon event information from NPS and domain
controllers.
The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three
topologies:
Hybrid. A central IPAM server is deployed together with a dedicated IPAM server in each site.
Note: IPAM servers do not communicate with one another or share database information.
If you deploy multiple IPAM servers, you must customize each servers discovery scope.
IPAM server. The IPAM server performs the data collection from the managed servers. It also manages
the Windows Internal Database and provides RBAC.
IPAM client. The IPAM client provides the client computer user interface, interacts with the IPAM
server, and invokes Windows PowerShell to perform DHCP configuration tasks, DNS monitoring, and
remote management.
Group Description
IPAM Users Members of this group can view all information that is located in server
discovery, IP address space, and server management. They can view IPAM and
DHCP server operational events, but they cannot view IP address tracking
information.
IPAM MSM IPAM multi-server management (MSM) administrators have IPAM users
privileges, and can perform IPAM common management tasks and server
MCT USE ONLY. STUDENT USE PROHIBITED
1-24 Implemennting Advanced Netw
work Services
Grroup Description
Administrators management tasks.
IP
PAM ASM IPA
AM ASM admin
nistrators havee IPAM users p
privileges, and can perform IPAM
Administrators com
mmon manageement tasks an nd IP address sspace tasks.
IP
PAM IP Audit Meembers of this group have IP
PAM users privvileges, can perform IPAM
Administrators com
mmon manage ement tasks, a nd can view IP
P address trackking informatio
on.
IP
PAM Administrrators IPA
AM Administrators can view aall IPAM data and perform aall IPAM tasks..
Log on to the
e IPAM server with
w a domain
n
account, and not a local acccount.
You must be a member of the
t correct IPA
AM local securrity group on tthe IPAM serve
er.
Enable loggin
ng of account logon events on NPS servers for IPAMs IP add
o domain co ntroller and N dress
tracking and auditing featu
ure.
IPA
AM Hardware and Softw
ware Requirements
The IPAM hardwa
are and software requiremen
nts are as follow
ws:
4 or more gig
gabytes (GB) of
o random acce
ess memory (R
RAM)
Verify that Se
ervice principal names (SPNs) are written.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 1-25
Managing
M IP Addresssing Using
g IPAM
IP
P address space e managemen nt allows
ad
dministrators to t manage, traack, audit, and report
onn an organizattions IPv4 andd IPv6 address spaces.
Thhe IPAM IP address space co onsole providees
ad
dministrators with
w IP address utilization staatistics
an
nd historical trrend data so th
hat they can make
m
in
nformed planning decisions for f dynamic, static,
an
nd virtual addrress spaces. IPAAM periodic taasks
au
utomatically discover the address space an nd
uttilization data as configured on the DHCP servers
hat are managed in IPAM. Yo
th ou can also immport IP
ad
ddress informa ation from com
mma separated d
va
alues (.csv) files.
IP
PAM also enabbles administraators to detect overlapping I P address rang
ges that are deefined on diffe
erent
dresses within a range, creatte DHCP reservvations, and crreate DNS reco
DHCP servers, find free IP add ords.
IP
PAM provides a number of ways
w to filter th
he view of the IP address spaace. You can ccustomize how
w you
view and managge the IP addrress space usin ng any of the fo
ollowing viewss:
IP address blocks
b
IP address ranges
r
IP addresse
es
IP address inventory
i
IP address range
r groups
IP
P Address Blocks
B
IP
P address block ks are the high on. Conceptually, an
hest-level entitties within an IIP address spaace organizatio
IP
P block is an IP
P subnet marke ed by a start and an end IP aaddress, and itt is typically assigned to an
orrganization byy various Regioonal Internet Registries
R (RIRss). Network ad ministrators use IP address bblocks
o create and alllocate IP addrress ranges to DHCP. They caan add, imporrt, edit, and de
to elete IP address
blocks. IPAM au utomatically maps
m IP addresss ranges to thee appropriate IP address blo ock based on the
booundaries of the range. You can add and import
i IP addrress blocks in tthe IPAM conssole.
IP
P Address Ranges
R
IP
P address ranges are the nexxt hierarchical level
l dress space enttities after IP address blocks..
of IP add
Conceptually, an IP address ra ange is an IP subnet marked d by a start and d end IP addreess, and it typiccally
co
orresponds to a DHCP scope e, or a static IP
Pv4 or IPv6 adddress range or address pool that is used to o assign
ad
ddresses to ho osts. An IP address range is uniquely
u identiifiable by the vvalue of the m
mandatory Man naged
Byy Service and Service Insta ance options, which
w help IPA
AM manage an nd maintain ovverlapping or
duuplicate IP add
dress ranges frrom the same console. You ccan add or imp port IP addresss ranges from within
th
he IPAM conso ole.
IP
P Addressess
IP
P addresses are
e the addresses that make up the IP addreess range. IPAM M enables end d-to-end life cyycle
management
m of IPv4 and IPv66 addresses, in
ncluding record d synchronizattion with DHCCP and DNS servers.
IP
PAM automaticcally maps an address to the e appropriate rrange based o d end address of the
on the start and
ange. An IP address is unique
ra ely identifiable
e by the value of mandatoryy Managed By y Service and Service
In
nstance optionns that help IP
PAM manage and a maintain d duplicate IP ad
ddresses from tthe same conssole.
Yoou can add or import IP adddresses from within
w the IPAM
M console.
MCT USE ONLY. STUDENT USE PROHIBITED
1-26 Implementing Advanced Network Services
IP Address Inventory
In this view, you can view a list of all IP addresses in the enterprise along with their device names and
type. IP address inventory is a logical group defined by the Device Type option within the IP addresses
view. These groups allow you to customize the way your address space displays for managing and
tracking IP usage. You can add or import IP addresses from within the IPAM console. For example, you
could add the IP addresses for printers or routers, assign IP address the appropriate device type of printer
or router, and then view your IP inventory filtered by the device type you assigned.
View Description
DNS and DHCP By default, managed DHCP and DNS servers are arranged by
Servers their network interface in /16 subnets for IPv4 and /48 subnets
for IPv6. You can select the view to see just DHCP scope
properties, just DNS server properties, or both.
DHCP scopes The DHCP scope view enables scope utilization monitoring.
Utilization statistics are collected periodically and automatically
from a managed DHCP server. You can track important scope
properties such as Name, ID, Prefix Length, and Status.
DNS Zone Zone monitoring is enabled for forward and reverse lookup
Monitoring zones. Zone status is based on events collected by IPAM. The
status of each zone is summarized.
Server Groups You can organize your managed DHCP and DNS servers into
logical groups. For example, you might organize servers by
business unit or geography. Groups are defined by selecting the
grouping criteria from built-in fields or user-defined fields.
Demonstration Steps
2. In Server Manager, add the IPAM feature and all required supporting features.
3. In the IPAM Overview pane, provision the IPAM server using Group Policy.
4. Enter IPAM as the Group Policy Object (GPO) name prefix, and provision IPAM.
5. In the IPAM Overview pane, configure server discovery for the Adatum domain.
Invoke-Ip
pamGpoProvisi
ioning Domain Adatum.co
om GpoPrefix
xName IPAM I
IpamServerFqd
dn
LON-SVR2.adatum.com DelegatedGp
oUser Admini strator
10
0. Set the man
nageability sta
atus to Manag
ged.
11
1. Switch to LON-DC1.
12
2. Force the update
u of Grou
up Policy.
13
3. Switch back
k to LON-SVR2
2 and refresh the
t IPv4 view.
14
4. In the IPAM
M Overview pane, retrieve da
ata from the m
managed serveer.
IP
PAM Mana
agement and
a Monittoring
Thhe IPAM ASM feature allowss you to efficie ently
view, monitor, and
a manage th he IP address space
s
onn the network. ASM supportts IPv4 public and a
private addressees, and IPv6 gllobal and uniccast
adddresses. Using
g the DNS and d DHCP server view,
yoou can view annd monitor health and
coonfiguration of all the DNS and
a DHCP servvers
th
hat are being managed
m by IP
PAM. IPAM use es
sccheduled taskss to periodicallly collect data from
managed
m servers. You can alsso retrieve dataa on
deemand by usin ng the Retriev ve All Server Data
D
opption.
Utilization
U Monitoring
M
Utilization data is maintained for IP addresss ranges, IP ad dress blocks, aand IP range ggroups within IIPAM.
Yo
ou can configu ure thresholds for the percenntage of the IPP address spacce that is utilized, and then u
use
th
hose thresholdds to determinee under-utiliza
ation and overr-utilization.
Yo
ou can perform a reporting for IPv4 addreess ranges, blo
m utilization trrend building and ocks, and range
groups. The utillization trend window
w allowss you to view ttrends over tim
me periods succh as daily, weekly,
monthly
m or annually, or you can
c view trends over custom m date ranges. Utilization datta from manag ged
DHCP scopes is auto-discoverred, and you canc view this d ata.
Monitoring
M DHCP
D and DNS
D
Using IPAM, you can monitorr DHCP and DN NS servers from
m any physica l location of th
he enterprise. One of
th
he primary ben nefits of IPAM is its ability to
o simultaneoussly manage mu ultiple DHCP sservers or DHC CP
sccopes that are spread across one or more DHCP servers.
DH
HCP Server Managemen
M nt
From
m the IPAM co
onsole, you can manage DHCP servers and
d perform the following actions:
Edit DHCP server properties
Configure the
e user class acrross multiple servers
s simultaaneously
Create and ed
dit new and exxisting user cla ultiple servers simultaneously
asses across mu
Configure the
e vendor class across multiplle servers simu
ultaneously
Retrieve serve
er data from multiple
m serverss
DN
NS Server Ma
anagementt
Youu can start the DNS managem ment console forf any manag ged DNS serveer from a centrral console in the
IPAMM server and retrieve
r server data from the of servers. Thee DNS Zone Monitoring view
e selected set o w
plays all the forward lookup and reverse lo
disp ookup zones o n all the DNS servers that IP PAM is currently
mannaging. For the e forward lookkup zones, IPA AM also displayys all the serveers that are hosting the zone
e, and
the aggregate hea alth of the zon
ne across all th
hese servers an
nd the zone prroperties.
The
e Event Cata
alog
The IPAM event catalog
c provide
es a centralized repository foor auditing all configuration
n changes that are
perfformed on DH HCP servers thaat are managed from a singl e IPAM manag gement conso ole. The IPAM
configuration eve ents console gaathers all of the configuratio
on events. Thesse configuratio
on event catalo
ogs
allows you to view w, query, and generate
g reports of the conssolidated confiiguration chan
nges, along witth
detaails specific to each record.
Co
onsideratio
ons for Imp
plementing IPAM
IPAMM is an agentless technology that uses
Winndows remote management protocols to
mannage, monitor,, and collect data from
distributed servers in the enviro
onment. As succh,
you should be awware of some im mplementation n
considerations.
Installation Co
onsideration
ns
Alth
hough IPAM is relatively simple to install, there
t
are certain consid
derations:
The installatio
on wizard in Se
erver Managerr automaticallyy installs the feeatures require
ed to support
IPAM. There are
a no extra stteps required of
o the adminisstrator.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 1-29
The IPAM client is installed automatically on Windows Server 2012 along with the IPAM server, but
you can uninstall the client separately.
You can uninstall IPAM by using Server Manager. All dependencies, local security groups, and
scheduled tasks will be deleted. The IPAM database will be detached from the Windows Internal
Database.
Functional Considerations
Consider the following IPAM functional specifications:
IPAM can only use Windows Internal Database; it cannot use any other type of database.
The IPAM server must collect DHCP lease information to enable address tracking. Ensure that the
DHCP audit log file size is configured so that it is large enough to contain audit events for the entire
day.
For domain controllers and network policy servers, enable the required events for logging. You can
use Group Policy security settings to perform this task.
Administrative Considerations
Domain and enterprise administrators have full access to IPAM administration. You can delegate
administrative duties to other users or groups by using the IPAM security groups. The installation process
creates local security groups (which have no members by default) on the IPAM server. The local security
groups provide the permissions that are required for administering and using the multiple services that
IPAM employs.
IPAM installation automatically creates the local user groups listed it the following table.
Group Description
IPAM Users Members of this group can view all information in IPAM server
inventory, IP address space, and IPAM server management
consoles. They can view IPAM and DHCP server operational
events, but they cannot view IP address tracking information.
IPAM MSM Members of this group have all the privileges of the IPAM
Administrators Users group, and they can perform IPAM monitoring and
management tasks.
IPAM ASM Members of this group have all the privileges of IPAM Users
Administrators group, and they can perform IPAM IP address space tasks.
IPAM IP Audit Members of this group have all the privileges of IPAM Users
Administrators group, and they can view IP address tracking information.
IPAM Administrators Members of this group can view all IPAM information and
perform all IPAM tasks.
Objectives
Configure advanced DHCP settings.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
20412A-LON-CL1
Estimated time: 60 minutes
20412A-LON-DC1
20412A-LON-SVR1
Virtual Machine(s)
20412A-LON-SVR2
20412A-LON-CL1
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2. Do not start 20412A-LON-CL1
until directed to do so.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 1-31
1. Configure a superscope
o Router: 192.168.0.1
o Router: 192.168.1.1
5. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active, and that Scope
Adatum is configured.
12. On LON-DC1, in the Services console, start the DHCP server service.
13. Close the Services console.
Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection,
and configured and verified DHCP failover.
1. Configure DNSSEC.
2. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all the default settings.
3. Verify that the DNSKEY resource records have been created in the Trust Points zone.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix, and that requires DNS clients to verify that the name and address data were
validated.
2. Run the following command to view the current size of the socket pool.
3. Run the following command to change the socket pool size to 3,000.
2. Run the following command to change the cache lock value to 75 percent.
3. Create an Active Directory integrated forward lookup zone named GlobalNames by running the
following command:
4. Open the DNS Manager console and add a new host record to the Contoso.com domain named
App1 with the IP address of 192.168.1.200.
5. In the GlobalNames zone, create a new alias named App1 using the FQDN of App1.Contoso.com.
Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS
cache locking, and the GlobalName zone.
6. Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records
2. Enter IPAM as the GPO name prefix, and provision IPAM using the Provision IPAM Wizard.
2. Use Windows PowerShell to grant the IPAM server permission to manage LON-DC1 by running the
following command:
4. Switch to LON-DC1, and force the update of Group Policy using the gpupdate /force.
5. Return to LON-SVR2 and refresh the server access status for LON-DC1 and the IPv4 console view. It
may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks as needed
until a green check mark displays next to LON-DC1 and the IPAM Access Status shows Unblocked.
6. In the IPAM Overview pane, retrieve data from the managed server.
o Prefix length: 16
2. Add IP addresses for the network router by adding to the IP Address Inventory with the following
parameters:
o IP address: 172.16.0.1
4. Use the IPAM console to create the DNS host record as follows:
5. Right-click the IPv4 entry and create the DHCP reservation and create the DNS Host record.
6. On LON-DC1, open the DHCP console and confirm that the reservation was created in the 172.16.0.0
scope.
7. On LON-DC1, open the DNS Manager console. Confirm that the DNS host record was created.
Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAM-
related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP
addresses, DHCP reservations, and DNS records.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Answer: The IPConfig /All command will tell you if the client is receiving DHCP configuration and the IP
address of the DHCP server from which the configuration came.
Answer: There may be a rogue DHCP server on the network. Common things to look for will be gateway
devicessuch as cable modems or PBX boxesthat have a DHCP component enabled. Another
possibility is that someone has manually configured the IP address on the client.
Best Practice
Implement DHCP failover to ensure that client computers can continue to receive IP configuration
information in the event of a server failure.
Ensure that there are at least two DNS servers hosting each zone.
Tools
Tool Use Location
Module 2
Implementing Advanced File Services
Contents:
Module Overview 2-1
Module Overview
Storage space requirements have been increasing since the inception of server-based file shares. The
Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk
space that is required, and to manage physical disks effectively: Data deduplication, and Storage Spaces.
This module provides an overview of these features, and explains the steps required to configure them.
In addition to minimizing disk space, another storage concern is the connection between the storage and
the remote disks. Internet SCSI (iSCSI) storage in Windows Server 2012 is a cost-effective feature that
helps create a connection between the servers and the storage. To implement iSCSI storage in Windows
Server 2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. In
organizations with branch offices, you have to consider slow links and how to use these links efficiently
when sending data between your offices. The Windows BranchCache feature in Windows Server 2012
helps address the problem of slow connectivity. This module explains the BranchCache, feature, and the
steps to configure it.
Objectives
After completing this module, you will be able to:
Lesson 1
Config
guring iSCSI Sto
orage
iSCSSI storage is an
n inexpensive and
a simple wa ay to configuree a connectionn to remote dissks. Many
appplication requirrements dictate that remote storage conneections must b be redundant in nature for faault
erance or high availability. In addition, man
tole ny companies already have ffault tolerant n networks, in w which
the networks are cheap to keep p redundant ass opposed to u using storage aarea networks (SANs). In thiss
lesson, you will leaarn how to creeate a connecttion between sservers and iSC CSI storage. Yo ou will performm
thesse tasks by using IP-based iS SCSI storage. You
Y will also leaarn how to creeate both single and redund dant
connections to an n iSCSI target. You ng the iSCSI in itiator softwarre that is availaable in
Y will practiice this by usin
Winndows Server 2012.
2
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe iSCS
SI and its comp
ponents.
erver and the iSCSI initiator.
Describe the iSCSI target se
Describe iSCS
SI security options.
Configure the
e iSCSI target.
Connect to iS
SCSI storage.
Wh
hat Is iSCSI?
iSCS
SI is a protocol that supportss access to rem mote,
SCSI-based storag ge devices ove er a TCP/IP nettwork.
iSCS
SI carries stand
dard SCSI commands over IP P
netw
works to facilittate data transsfers over intra
anets,
and to manage sttorage over lon ng distances. You
Y
can use iSCSI to trransmit data over
o local area
netw
works (LANs), wide
w area netwworks (WANs),, or
even over the Inteernet.
iSCS
SI relies on standard Etherne et networking
arch
hitecture. Speccialized hardwa are such as hoost
bus adapters (HBA A) or network switches are
optional. iSCSI usees TCP/IP (typiically, TCP porrt
3260). This meanss that iSCSI simmply enables tw wo hosts to neegotiate tasks (for example, session
esta
ablishment, floow control, andd packet size,), and then exc hange SCSI co ommands by u using an existin
ng
Ethe
ernet network.. By doing thiss, iSCSI uses a popular,
p high performance, local storage b bus subsystem
m
arch
hitecture, and emulates it ovver LANs and WANs,
W g a SAN. Unlikke some SAN ttechnologies, iSCSI
creating
requ
uires no specia alized cabling. You can run it over the exissting switching
g and IP infrasttructure. Howe
ever,
you can increase the
t performan nce of an iSCSI SAN deploym ment by operatting it on a deedicated netwo ork or
subnet, as best prractices recommend.
An iSCSI SAN de
eployment inccludes the follo
owing:
TCP/IP netw work. You can use standard network interfface adapters and standard Ethernet proto ocol
network sw witches to connnect the serverrs to the storagge device. To p
provide sufficient performannce, the
network should provide speeds
s of at le
east 1 gigabit pper second (Gbbps), and shouuld provide muultiple
paths to the e iSCSI target. As a best pracctice, use a ded
dicated physiccal and logical network to acchieve
fast, reliable
e throughput.
iSCSI targetts. This is another method off gaining acceess to storage. iSCSI targets p present or advvertise
storage, sim
milar to contro d drives of llocally attacheed storage. However, this sto
ollers for hard disk orage is
accessed ovver a network, instead of loccally. Many sto orage vendors implement haardware-level iiSCSI
targets as part
p of their sto orage devicess hardware. Ot her devices orr appliancesssuch as Windo ows
Storage Serrver 2012 devicesimpleme ent iSCSI targeets by using a ssoftware driver together with at
least one Etthernet adapte er. Windows Server 2012 pro ovides the iSCSSI target serve
erwhich is efffectively
a driver for the iSCSI prottocolas a rolle service.
iS
SCSI Targe
et Server and iSCSI In
nitiator
Th
he iSCSI targett server and th
he iSCSI initiato
or are
de
escribed beloww.
iS
SCSI Target Server
Th
he iSCSI targett server role se
ervice providess for
so
oftware-based and hardware e-independentt iSCSI
diisk subsystemss. You can use the iSCSI target
se e iSCSI targets and iSCSI virtu
erver to create ual
diisks. You can then use Server Manager to
manage
m these iSCSI targets an
nd virtual disks.
Network/diiskless boot. Byy using boot-ccapable netwo ork adapters or a software lo oader, you can use
iSCSI targetts to deploy diiskless servers quickly. By usiing differencin
ng virtual diskss, you can save
e up to
90 percent of the storage e space for the e operating sysstem images. TThis is ideal for large deployyments
of identical operating sysstem images, such
s as a Hypeer-V server farm, or high-pe erformance
computing (HPC) clusterss.
Server application storage. Some appliccations such a s Hyper-V and d Microsoft Exchange Serve er
require block storage. The iSCSI target server can pro ovide these ap pplications withh continuouslyy
available bllock storage. Because
B the sto
orage is remottely accessible, it can also co
ombine block sstorage
for central or branch officce locations.
MCT USE ONLY. STUDENT USE PROHIBITED
2-4 Implementing Advanced File Seervices
Heterogeneo
ous storage. iSC
CSI target server supports iSC
CSI initiators that are not baased on the
Windows op
perating systemm, so you can share storage on Windows sservers in mixe ed environmen
nts.
Lab environmments. The iSCS SI target server role enables your Window ws Server 2012 computers to be
network-acce essible block sttorage devicess. This is usefull in situations iin which you w
want to test
applications before
b deployiing them on SAN storage.
iSCSSI target servers that providee block storage net network; no additional
e utilize your eexisting Ethern
harddware is required. If high ava ailability is an important critterion, consideer setting up a high availability
gh availability cluster, you wiill need shared
clusster. With a hig d storage for the clustereitther hardware e Fibre
Chaannel storage, or a Serial Atta ached SCSI (SA AS) storage arrray. The iSCSI ttarget server integrates directly
into
o the failover cluster feature as a cluster role.
iSC
CSI Initiator
The iSCSI initiatorr service has be
een a standard
d component iinstalled by deefault since Wiindows Server 2008
and Windows Vistta. To connect your compute mply start the Microsoft iSCSSI
er to an iSCSI ttarget, you sim
Initiiator Service and configure it.
The new features in Windows Server 2012 incclude:
Authenticatioon. You can enable Challenge Handshake A Authentication n Protocol (CH HAP) to authennticate
nections, or you can enable reverse
initiator conn r CHAP tto allow the in
nitiator to auth
henticate the iSSCSI
target.
Query initiato
or computer fo
or ID. This is on ws Server 2012.
nly supported with Windowss 8 or Window
http
p://blogs.techn
net.com/b/fileccab/archive/20
012/05/21/intrroduction-of-iiscsi-target-in--windows-
servver-2012.aspx
Op
ptions for Implemen
I ting High Availabilitty for iSCSSI
In addition to connfiguring the basic
b iSCSI targ
get
servver and iSCSI in
nitiator setting
gs, you can
inte
egrate these seervices into mo ore advanced
configurations.
Con
nfiguring iS
SCSI for High Availabiliity
Creaating a single connection to iSCSI storage
mak ge available. However, it doe
kes that storag es not
mak ke that storage
e highly available. Losing the
e
connection resultss in the server losing access to its
storrage. Thereforee, most iSCSI storage
s
connections are made
m redundant through one of
twoo high availability technologies: Multiple
Connnection Sessioon (MCS) and Multipath I/O (MPIO).
Alth
hough similar in i results they achieve, these
e two technolo hes to achieve high
ogies use diffe rent approach
avaiilability for iSC
CSI storage connnections.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 2-5
MCS
M is a feature
e of the iSCSI protocol
p that:
Enables mu
ultiple TCP/IP connections
c from the initiato
or to the targeet for the same
e iSCSI session.
Supports au
utomatic failovver. If a failure
e occurs, all ou tstanding iSCSSI commands aare reassigned
d to
another connection automatically.
Requires exxplicit support by iSCSI SAN devices, altho ugh the Wind ows Server 2012 iSCSI target server
role supporrts it.
MPIO
M provides redundancy differently. MPIIO:
Is widely su
upported. Man ny SANs can usse the default DSM without any additional software, while
others requuire a specialized DSM from the manufactu urer.
mplex to configure, and is no
Is more com ot as fully auto
omated during
g failover as M
MCS.
iS
SCSI Securrity Option
ns
Be ecause iSCSI iss a protocol that provides acccess to
sttorage devices over a TCP/IP P network, it is crucial
th
hat you secure your iSCSI sollution to prote ect it
from malicious users or attack ks. You can mitigate
rissks to your iSC
CSI solution byy providing seccurity at
vaarious infrastru
ucture layers. The
T term defen nse-in-
deepth is often used to describ be the use of multiple
m
se
ecurity technologies at differrent points
th
hroughout you ur organization n.
Defense-in-Dep
pth security strrategy includess:
Policies, pro
ocedures, and awareness. Ass a
security besst practice, seccurity policy
measures need
n to operatte within the co ontext of orgaanizational pollicies. For exam
mple, consider
enforcing a strong user password
p policy throughout the organizatiion, but having g an even stro
onger
administrattor password policy
p for accessing iSCSI sto
orage devices aand computers that have iSC CSI
manageme ent software installed.
Perimeter. Perimeter netw works mark the boundary beetween public and private networks. Proviiding
firewalls and reverse proxxy servers in th
he perimeter n
network enablees you to provvide more secuure
corporate services
s across the public nettwork, and to prevent possib
ble attacks on the iSCSI storaage
devices fromm the Internett.
Networks. Once
O you conn nect iSCSI storrage devices to
o a network, th hey are suscep ptible to a nummber of
threats. The
ese threats include eavesdro opping, spoofin ng, denial of seervice, and rep
play attacks. Yoou
should use authentication n such as CHA AP, to protect ccommunication between iSC CSI initiators an
nd iSCSI
MCT USE ONLY. STUDENT USE PROHIBITED
2-6 Implementing Advanced File Services
targets. You might also consider implementing Internet Protocol security (IPsec) for encrypting the
traffic between iSCSI initiators and iSCSI targets. Isolating iSCSI traffic to its own virtual LAN (VLAN)
also strengthens security by not allowing malicious users that are connected on corporate VLAN
network to attack iSCSI storage devices that are connected to a different VLAN. You should also
protect network equipment such as routers and switches that are used by iSCSI storage devices, from
unauthorized access.
Host. The next layer of defense is the protection layer for the host computers that are connected to
iSCSI storage devices. You must maintain secure computers by using the latest security updates. You
should consistently use the Windows Update feature in Windows operating systems to keep your
operating system up-to-date. You also have to configure security policies such as password
complexity, configure the host firewall, and install antivirus software.
Application. Applications are only as secure as their latest security update. For applications that run
on your servers but do not integrate in Windows Update, you should regularly check for security
updates issued by the application vendor. You should also update the iSCSI management software
according to vendor recommendations and best practices.
Data. This is the final layer of security. To help protect your network, ensure that you are using file
user permissions properly. Do this by using BitLocker, Access Control Lists (ACLs), implementing the
encryption of confidential data with Encrypting File System (EFS), and performing regular backups of
data.
Demonstration Steps
2. In the Add Roles and Features Wizard, install the following roles and features to the local server, and
accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk. Create a virtual disk with the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
3. On the View results page, wait until creation completes, and then close the View Results page.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 2-7
4.. In the iSCSII VIRTUAL DISK KS pane, click TASKS, and th hen in the TAS
SKS drop-dow
wn list, click Ne
ew iSCSI
Virtual Dissk. Create a virrtual disk that has these settiings:
o Name: iSCSIDisk2
o Disk sizze: 5 GB
o iSCSI ta
arget: LON-SV
VR2
5.. On the View
w results page, wait until crreation compleetes, and then
n close the View
w Results pag
ge.
Demonstra
D ation: Conn
necting to the iSCSI Storage
In
n this demonsttration, you will see how to:
Demonstrati
D ion Steps
Connect
C to the iSCSI tarrget
1.. Log on to LON-SVR2
L with
h username off Adatum\Adm
ministrator a nd password P
Pa$$w0rd.
o Quick Connect:
C LON-DC1
o Discove
er targets: iqn
n.1991-05.com
m.microsoft:lo
on-dc1-lon-sv
vr2-target
Verify
V the prresence of the iSCSI driive
1.. In Server Manager,
M on the Tools menu, open Compu
uter Managem
ment.
2.. In the Computer Manage ement consolee, under Storag ge node, acceess Disk Mana agement. Notiice that
the new dissks are added. However, theyy all are curren
ntly offline and
d not formatte
ed.
Considerat
C ions for Im
mplementiing iSCSI SStorage
When
W designingg your iSCSI sttorage solution
n,
co
onsider following best practiices:
n on at least 1 Gbps
Deploy the iSCSI solution
networks.
Read the vendor-specific best practices for different types of deployments and applications that will
use iSCSI storage solution, such as Exchange Server and Microsoft SQL Server.
IT personnel who will be designing, configuring, and administering the iSCSI storage solution must
include IT administrators from different areas of specialization, such as Windows Server 2012
administrators, network administrators, storage administrators, and security administrators. This is
necessary so that the iSCSI storage solution has optimal performance and security, and has consistent
management and operations procedures.
When designing an iSCSI storage solution, the design team should also include application-specific
administrators, such as Exchange Server administrators and SQL server administrators, so that you can
implement the optimal configuration for the specific technology or solution.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 2-9
Lesson
n2
Configuring Branch
hCache
Brranch offices have
h unique management
m ch
hallenges. A brranch office tyypically has slo
ow connectivityy to the
en
nterprise netw work and limite ed infrastructure for securing
g servers. Also,, you need to b back up data tthat you
maintain
m in you
ur remote bran nch offices, which is why org anizations preefer to centralizze data where e
poossible. Thereffore, the challe
enge is being able
a to providee efficient acceess to networkk resources forr users
in
n branch officees. The BranchC Cache helps yo ou overcome tthese problem ms by caching ffiles so they do
o not
haave to be transferred repeattedly over the network.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe ho
ow BranchCache works.
Explain how
w to configure
e BranchCache server setting
gs.
Explain how
w to configure
e BranchCache client settingss.
Explain how
w to configure
e BranchCache.
Explain how
w to monitor BranchCache.
B
How
H Does BranchCacche Work??
Th
he BranchCach he feature introduced with
Windows
W Server 2008 R2 and Windows 7 re educes
th
he network usee on WAN con nnections betw
ween
branch offices and
a headquartters by locally
ca
aching frequenntly used files on computers in the
branch office.
HTTP or HT
TTPS protocolss. These protoccols are
used by we
eb browsers an
nd other appliccations.
MB), including signed SMB trraffic protocoll. This protocol is used for acccessing
Server messsage block (SM
shared fold
ders.
Background d Intelligent Trransfer Service
e (BITS). A Win
ndows compon nent that distriibutes contentt from a
server to clients by using only idle netw work bandwidtth. BITS is also a componentt used by Syste em
Center Con nfiguration Manager.
BrranchCache re etrieves data frrom a server when
w the clientt requests the data. Because BranchCache is a
pa ease WAN use.. BranchCache only caches the read reque
assive cache, itt will not incre ests, and will no
ot
in
nterfere when a user saves a file.
BrranchCache im
mproves the reesponsiveness of
o common neetwork applicaations that acccess intranet se ervers
accross slow WA
AN links. Because BranchCachhe does not reequire addition
nal infrastructu
ure, you can im
mprove
th
he performancce of remote networks by deeploying Windo ows 7 or Winddows 8 to cliennt computers, and by
deeploying Wind
dows Server 20008 R2 and Wiindows Server 2012 to serveers, and then enabling the
BrranchCache fe
eature.
MCT USE ONLY. STUDENT USE PROHIBITED
2-10 Implementing Advanced File Services
BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end IPsec. You can use BranchCache to reduce network bandwidth use and to
improve application performance, even if the content is encrypted.
You can configure BranchCache to use hosted cache mode or distributed cache mode:
Hosted cache. This mode operates by deploying a computer that is running Windows Server 2008 R2
or newer versions as a hosted cache server in the branch office. Client computers are locating the host
computer so that they can retrieve content from the hosted cache when available. If the content is
not available in the hosted cache, the content is retrieved from the content server by using a WAN
link and then provided to the hosted cache so that the successive client requests can get it from
there.
Distributed cache. For smaller remote offices, you can configure BranchCache in the distributed cache
mode without requiring a server. In this mode, local client computers running Windows 7 or Windows
8 maintain a copy of the content and make it available to other authorized clients that request the
same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted
Cache mode, this configuration works per subnet only. In addition, clients who hibernate or
disconnect from the network cannot provide content to other requesting clients.
Note: When using BranchCache, you may use both modes in your organization, but you
can configure only one mode per branch office.
BranchCache functionality in Windows Server 2012 has improved in the following ways:
BranchCache allows for more than one hosted cache server per location to allow for scale.
A new underlying database uses the Extensible Storage Engine (ESE) database technology from
Exchange Server. This enables a hosted cache server to store significantly more data (even up to
terabytes).
A simpler deployment means that you do not need a Group Policy Object (GPO) for each location. To
deploy BranchCache, you only need a single GPO that contains the settings. This also enables clients
to switch between hosted cache mode and distributed mode when they are traveling between
locations without the need to use site-specific GPOs, which should be avoided in multiple scenarios.
1. The client computer that is running Windows 8 connects to a content server that is running Windows
Server 2012 in the head office, and requests content similar to how it would retrieve content without
using BranchCache.
2. The content server in the head office authenticates the user and verifies that the user is authorized to
access the data.
3. Instead of sending the content itself, the content server in the head office returns identifiers or hashes
of the requested content to the client computer. The content server sends that data over the same
connection that the content would have typically been sent.
o If you configure it to use distributed cache, the client computer multicasts on the local subnet to
find other client computers that have already downloaded the content.
o If you configure it to use hosted cache, the client computer searches for the content on the
configured hosted cache.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 2-11
BranchCach
B he Require
ements
BrranchCache op ptimizes trafficc flow between n head
nch offices. Windows Server 2008
offfices and bran
R22, Windows Se erver 2012, and d client compu uters
ru
unning Window ws 7 and Wind dows 8 can benefit
from using Bran nchCache. (Earrlier versions of
o
Windows
W operaating systems dod not benefit from
th ou can use BranchCache to cache
his feature.) Yo c
onnly the conten d on file servers or
nt that is stored
w servers that are running Windows Servver
web
20008 R2 or Windows Server 2012.
2
Requirement
R ts for Using
g BranchCacche
To
o use BranchCCache for file se
ervices, you must
pe
erform the following tasks:
Configure client
c compute
ers either by using Group Po
olicy or the nettsh branchcacche set servicce
command.
If you want to use
u BranchCache to cache co
ontent from th orm following tasks:
he file server, yyou must perfo
Configure hash
h publicatio
on for BranchC
Cache.
Create Bran
nchCacheenabled file share
es.
BrranchCache is supported on the full installlation and Servver Core installation of Wind
dows Server 20
012. By
de
efault, BranchC nstalled on Windows Server 2012.
Cache is not in
Requirement
R ts for Distributed Cach
he Mode and
d Hosted Ca
ache Mode
In
n the Distribute
ed Cache mod de, BranchCach he works acrosss a single subnet only. If clie
ent computerss are
co
onfigured to use
u the Distribu uted Cache mo ode, any clientt computer ca n use a multicast protocol caalled
WS-Discovery
W to
o search locallly for the computer that hass already down nloaded and caached the con
ntent.
Yoou should connfigure the clie
ent firewall to enable
e incomin ng traffic, HTTTP, and WS-Disscovery.
In
n clients, however, they will search
s for a ho
osted cache se rver, and if on
ne is discovered
d, clients
au
utomatically seelf-configure as
a hosted cach he mode clientts. In the Hosteed Cache mod de, the client
co
omputers auto omatically self--configure as hosted
h cache m
mode clients, aand they will ssearch for the host
se
erver so that th
hey can retrievve content from m the Hosted Cache. Furthermore, you can use Group P Policy so
MCT USE ONLY. STUDENT USE PROHIBITED
2-12 Implemennting Advanced File Services
S
In both
b cache mo
odes, BranchCa ache uses the HTTP
H protocol for data transsfer between cclient compute
ers
ng the cached data.
and the computer that is hostin
Co
onfiguring BranchCache Serverr Settings
You
u can use BrancchCache to cache web conteent,
which is delivered
d by HTTP or HTTPS.
H You can
n also
use BranchCache to cache shareed folder content,
which is delivered
d by the SMB protocol.
p
The following table lists the servvers that you can
c
configure for Bran
nchCache.
Se
erver Description
Web
W server or BITS
B server To configure a Windo ws Server 2012 web server o or an
application server thatt uses the BITSS protocol, insttall
the BrannchCache featu ure. Ensure thaat the BranchC
Cache
service has
h started. Th hen, configure clients who will use
the BrannchCache featu ure. No additioonal web serveer
configurration is requirred.
File server You musst install the B ranchCache fo or the Networkk Files
role servvice of the Filee Services serveer role before yyou
enable BranchCache
B fo
for any file shaares. After you install
the BrannchCache for t he Network Fiiles role service e, use
Group Policy
P to enabl e BranchCachee on the serve er. You
must the en configure eeach file share to enable
BranchCCache.
Hosted cache se
erver For the Hosted
H Cache mode, you m ust add the
BranchC Cache feature tto the Window ws Server 20122
server th
hat you are co nfiguring as a Hosted Cache e
server.
To help secure commu nt computers use
unication, clien
Transport Layer Securiity (TLS) when communicating
with thee Hosted Cachee server.
By defauult, BranchCac he allocates fivve percent of the
disk space on the activve partition fo
or hosting cachhe
data. Hoowever, you caan change this value by using
Group Policy
P or the ne
etsh tool by ruunning netsh
branchccache set cach hesize commaand.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 2-13
Configuring
C g BranchC
Cache Clien
nt Settingss
Yoou do not havve to install the
e BranchCache e
fe
eature on cliennt computers, because
b BrancchCache
is already includ
ded if the clien
nt is running
Windows
W 7 or Windows
W 8. Hoowever, Branch hCache
is disabled by default on cliennt computers. ToT
ennable and configure BranchC Cache, you mu ust
peerform the following steps:
Enabling Bra
anchCache
Yo
ou can enable the BranchCa
ache feature on
n client compu
uters by using Group Policy, or by using th
he
ne
etsh branchcaache set serviice command.
To
o enable BrancchCache settin
ngs by using Group
G Policy, p
perform the folllowing steps ffor a domain-b
based
GPO:
Enabling the
e Distributed
d Cache Mo
ode or Hoste
ed Cache M
Mode
Yo
ou can configu
ure the Branch
hCache mode on puters by usin g Group Policyy, or by using the
o client comp
ne
etsh branchcaache set serviice command.
To
o configure BrranchCache mo
ode by using Group
G Policy, p
perform the fo
ollowing steps for a domain--based
GPO:
4.. Choose eith her the Distributed Cache orr the Hosted C Cache mode. Y You may also e enable both the
Distributed Cache mode and Automatic Hosted Cach he Discovery b by Service Connection Point policy
settings. Th
he client computers will operrate in distribu
uted cache mo ode unless theyy find a hostedd cache
server in the branch office. If they find a hosted cach e server in thee branch office
e, they will worrk in
hosted cach he mode.
MCT USE ONLY. STUDENT USE PROHIBITED
2-14 Implementing Advanced File Services
To configure BranchCache settings by using the netsh branchcache set service command, open a
command-line interface window, and perform the following steps:
1. Use the following netsh syntax for the Distributed Cache mode:
In Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client
computers, but this mode does not use the WS-Discovery protocol. In the Hosted Cache mode, you
should configure the client firewall to enable the incoming rule, BranchCacheContent Retrieval (Uses
HTTP).
Demonstration Steps
2. In the Add Roles and Features Wizard, install the following roles and features to the local server:
o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 2-15
o Select Allow
A hash publication on
nly for shared folder on wh
hich BranchCa
ache is enable
ed
Monitoring
M g BranchCa
ache
After the initial configuration,, you want to verify
v
th
hat BranchCache is configure ed correctly annd
fu
unctioning correctly. You can n use the netsh
branchcache sh how status all command to o
diisplay the BrannchCache service status. Thee client
an
nd Hosted Cacche servers display additiona al
in
nformation, succh as the locattion of the loca
al
ca
ache, the size of
o the local cache, and the sttatus of
th
he firewall rule
es for HTTP andd WS-Discoverry
protocols that BranchCache
B uses.
u
Yo
ou can also use the following tools to mon
nitor
BrranchCache:
Performancce counters. Usse this tool to monitor BrancchCache perfoormance monittor counters.
BranchCach he performancce monitor cou unters are usefful debugging
g tools for mon
nitoring BranchCache
effectiveness and health. You can also use
u BranchCacche performan nce monitoringg to determine e the
bandwidth savings in thee Distributed Cache mode orr in the Hosted d Cache mode e. If you have
implemente ed Microsoft System
S Center Operations M Manager 2012 iin the environment, you can n use the
Windows BranchCache
B Management
M Pack
P for Opera tions Manager 2012.
MCT USE ONLY. STUDENT USE PROHIBITED
2-16 Implemennting Advanced File Services
S
Lesson 3
Optimizing Sttorage Usage
U
Every organization stores data on o different sto orage systemss. As storage syystems processs more and more
data a at higher speeeds, the dema and for disk sp he large amount of
pace for storin g the data hass increased. Th
filess, folders, and information, and the way they are stored, organized, maanaged, and m maintained,
becomes a challen nge for organiizations. Furthermore, organ nizations must satisfy requireements for seccurity,
commpliance, and data
d leakage prevention
p for company con fidential inform mation.
Win
ndows Server 2012
2 introduce
es many technologies that caan help organizations respond to the
challenges of mannaging, maintaaining, securing, and optimizzing data that is stored on ddifferent storagge
devices. The techn
nologies includ
de the File Server Resource M
Manager, file cclassification in
nfrastructure, aand
Data deduplicatioon, each of which provides new features ass compared to o Windows Serrver 2008 R2.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe the File Server Ressource Manager.
Explain how to
t configure Data
D deduplication.
Wh
hat Is File Server Ressource Manager?
Youu can use the File
F Server Reso ource Manage er
(FSR
RM) to manage e and classify data
d that is sto
ored
on file
f servers. FSRRM includes thhe following
feattures:
File managem ment tasks. You u can use this feature to appply a conditionnal policy or acction to files, b
based
on their classification. The conditions
c of a file managem ment task incluude the file loccation, the
classification properties, thee date the file was created, tthe last modifi ed date of the
e file, and the llast
time that the file was accessed. The actions that a file m management ttask can take in nclude the abiility to
expire files, encrypt files, an
nd run a custom command.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 2-17
Quota management. You can use this feature to limit the space that is allowed for a volume or folder.
You can apply quotas automatically to new folders that are created on a volume. You can also define
quota templates that you can apply to new volumes or folders.
File screening management. You can use this feature to control the types of files that users can store
on a file server. You can limit the extension that can be stored on your file shares. For example, you
can create a file screen that disallows files with an .mp3 extension from being stored in personal
shared folders on a file server.
Storage reports. You can use this feature to identify trends in disk usage, and identify how your data
is classified. You can also monitor attempts by users to save unauthorized files.
You can configure and manage the FSRM by using the File Server Resource Manager Microsoft
Management Console (MMC) snap-in, or by using the Windows PowerShell command-line interface.
The following FSRM features are new with Windows Server 2012:
Integration with Dynamic Access Control. Dynamic Access Control can use a file classification
infrastructure to help you centrally control and audit access to files on your file servers.
Manual classification. Manual classification enables users to classify files and folders manually without
the need to create automatic classification rules.
Access Denied Assistance. You can use Access Denied Assistance to customize the access denied error
message that displays for users in Windows 8 Consumer Preview when they do not have access to a
file or a folder.
File management tasks. The updates to file management tasks include Active Directory Domain
Services (AD DS) and Active Directory Rights Management Services (AD RMS) file management tasks,
continuous file management tasks, and dynamic namespace for file management tasks.
Automatic classification. The updates to automatic classification increase the level of control you have
over how data is classified on your file servers, including continuous classification, Windows
PowerShell for custom classification, updates to the existing content classifier, and dynamic
namespace for classification rules.
Question: Are you currently using the FSRM in Windows Server 2008 R2? If yes, for what
areas do you use it?
MCT USE ONLY. STUDENT USE PROHIBITED
2-18 Implemennting Advanced File Services
S
Wh
hat Is File Classification?
File classifications enable admin nistrators to
configure automa atic procedures for defining a
desiired property on o a file, based d on condition
ns
speccified in classiffication rules. For
F example, you
y
can set the Confid dentiality pro operty to Highh on
all documents
d wh
hose content co ontains the wo
ord
seccret.
In Windows
W Serve
er 2008 R2 and d Windows Serrver
2012, classification managemen nt and file
mannagement task ks enable administrators to
mannage groups of o files based on
o various file and
a
fold
der attributes. You
Y can autom mate file and fo
older
maintenance task ks, such as cleaning up stale data,
d or proteccting sensitivee information. For this reason
n, file
and folder mainte enance tasks are more efficieent as compareed to maintain ning the file syystem by navig
gating
ough its hierarchical view.
thro
Classsification mannagement is de esigned to easse the burden and managem ment of data th hat is spread across
the organization. You can classify files in a variety of ways. IIn most scenarrios, classification is perform
med
mannually. The filee classification infrastructure in Windows S erver 2012 enables organizaations to conve ert
thesse manual processes into automated policcies. Administraators can speccify file management policiess
baseed on a files classification,
c and
a apply corp porate requirem
ments for man naging data baased on busine ess
valu
ue.
You
u can use file classification to
o perform the following
f actio
ons:
2. Create, updatte, and run classification rulees. Each rule asssigns a singlee predefined property and vaalue
to files within
n a specified diirectory, based
d on installed cclassification p
plug-ins.
3. When running a classificatio on rule, reevalluate files thatt are already cllassified. You ccan choose to
overwrite exissting classification values, orr add the valuee to propertiess that support multiple value es.
You can also use classificatiion rules to deeclassify files th
hat are not in tthe classificatio
on criterion
anymore.
Wh
hat Are Cla
assification
n Rules?
The file classification infrastructure uses
classification ruless to scan files automatically,
a and
thenn to classify them according to the conten nts of
a file. You configuure file classificcations in the File
F
Servver Resource Manager
M conso ole. Classification
properties are deffined centrallyy in AD DS so that
thesse definitions can
c be shared across file servvers
withhin the organizzation. You can create
classification ruless that scan files for a standarrd
strin
ng, or for a string that match hes a pattern
(reggular expressioon). When a co onfigured
classification paraameter is found d in a file, thatt file
is classified as con
nfigured in the e classification rule.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 2-19
2. Determine the method you to want to use to identify documents for classification.
After you have a defined the classifications, you can plan the Dynamic Access Control implementation by
defining conditional expressions that enable you to control access to highly confidential documents based
on particular user attributes.
Demonstration Steps
Create a classification property
1. On LON-SVR1, the Server Manager console should open automatically. From Server Manager, start
the File Server Resource Manager.
2. In File Server Resource Manager, create a local property with the following settings:
3. In File Server Resource Manager, create a classification rule with the following settings:
o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled.
4. Run the classification with all rules, and select Wait for classification to complete.
5. Review the Automatic classification report that displays in Windows Internet Explorer, and ensure
that report lists the same number of files classified as in the Corporate Documentation folder.
MCT USE ONLY. STUDENT USE PROHIBITED
2-20 Implemennting Advanced File Services
S
Op
ptions for Storage
S Optimizatio
on in Wind
dows Serve
er 2012
Winndows Server 2012
2 includes new
n options fo
or
storrage optimizattion that provid
de you with an n
efficcient way to de
eploy, adminisster, and securre
your storage soluttions. Storage optimization
feattures include:
Features on Demand.
D Featuures on Deman nd enables you u to save on d isk space by allowing you to o
remove role and
a feature file es from the op perating system m. If these rolees and featuress need to be
installed on the server, the installation file
es will be retrieeved from remmote locations, installation mmedia,
or Windows Update.
U You ca an remove fea ature files from
m both physicaal and virtual computers, Win ndows
image (.wim) files, and offline virtual hardd disks (VHDs) .
Data dedupliccation. Data deduplication iddentifies and rremoves duplications within data without
compromising the integrityy of the data. Data
D deduplicaation is highly scalable, resource efficient, and
nonintrusive. It can run con arge volumes of primary data without affe
ncurrently on la ecting other
workloads onn the server. Lo
ow impact on the
t server worrkloads is main ntained by thro ottling the CPU
U and
memory resources that are consumed. Ussing Data ded uplication jobs, you can schedule when Data
deduplication
n should run, specify
s the reso
ources to dedu uplicate, and ffine-tune file sselection. When
combined witth BranchCach he, the same optimization teechniques are aapplied to datta that is transfferred
over the WANN to a branch office. This ressults in faster ffile download ttimes, and red duced bandwid dth
consumption.
NFS Data Store. The Netwo ork file system (NFS) Data Sto ore is the NFS server implem mentation in
Windows Servver 2012 operating systems. In Windows SServer 2012, th he NFS server ssupports high
availability, which
w means thhat you can de eploy the serveer in a failover clustering con nfiguration. When a
over cluster, a nd if that servver fails, the NFFS server will faail
client conneccts to a NFS serrver in the failo
over to anoth her node in the hat the client c an still connecct to the NFS sserver.
e cluster, so th
De
emonstration: Config
guring Datta Dedupliication
In th
his demonstration, you will see
s how to:
Dem
monstration
n Steps
3. In the Add Roles and Features Wizard, install the following roles and features to the local server, and
accept the default values:
2. In the Volumes pane, right-click E:, and select Configure Data Deduplication.
As a senior server administrator at A. Datum, you are responsible for implementing the new file storage
technologies for the organization. You will implement iSCSI storage to provide a less complicated option
for deploying large amounts of storage.
Objectives
Configure iSCSI storage.
Lab Setup
Estimated Time: 75 minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
20412A-LON-DC1
Virtual Machine(s) 20412A-LON-SVR1
20412A-LON-SVR2
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
3. Configure MPIO.
3. In the Add Roles and Features Wizard, install the following roles and features to the local server, and
accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
o Storage location: C:
o Disk name: iSCSIDisk1
o Size: 5 GB
3. On the View results page, wait until the creation completes, and then click Close.
o Storage location: C:
o Size: 5 GB
o Size: 5 GB
o iSCSI target: lon-dc1
MCT USE ONLY. STUDENT USE PROHIBITED
2-24 Implementing Advanced File Services
o Storage location: C:
o Size: 5 GB
o Storage location: C:
3. Right-click LON-SVR2 and then click Disable Routing and Remote Access. Click Yes and then close
the Routing and Remote Access console.
4. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.
5. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
6. In Server Manager, on the Tools menu, open MPIO, and configure the following:
8. In Server Manager, on the Tools menu, click MPIO and verify that Device Hardware ID
MSFT2005iSCSIBusType_0x9 is added to the list.
2. In the iSCSI Initiator Properties dialog box, perform the following steps:
o Disconnect all Targets.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
2. In File Server Resource Manager, under Classification Management, create a local property with the
following settings:
o Name: Corporate Documentation
o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled.
3. Review the Automatic classification report that displays in Internet Explorer, and ensure that the
report lists the same number of classified files as in the Corporate Documentation folder.
MCT USE ONLY. STUDENT USE PROHIBITED
2-26 Implementing Advanced File Services
4. Close Internet Explorer, but leave the File Server Resource Manager open.
2. In the File Server Resource Manager console, create a classification rule with the following settings:
o General tab, Rule name: Expiration Rule, and ensure that the rule is enabled
o Evaluation type tab: Re-evaluate existing property values and Aggregate the values
3. Select both Run the classification with all rules and Wait for classification to complete.
4. Review the Automatic classification report that appears in Internet Explorer, and ensure that report
lists the same number of classified files as the Corporate Documentation folder.
5. Close Internet Explorer, but leave the File Server Resource Manager open.
o General tab, Task name: Expired Corporate Documents and ensure that the task is enabled
Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or more,
depending on each companys policy
2. Review the File management task report that displays in Internet Explorer, and ensure that the report
lists the same number of classified files as the Corporate Documentation folder.
3. Start Event Viewer, and in the Event Viewer console, open the Application event log.
4. Review events with numbers 908 and 909. Notice that 908 FSRM started a file management job,
and 909 FSRM finished a file management job.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 2-27
Results: After completing this exercise, you will have configured a file classification infrastructure so that
the latest version of the documentation is always available to users.
2. In the Virtual Machines list, right-click 20417A-LON-SVR2, and then click Revert.
Keep all other virtual machines running for the next lab.
MCT USE ONLY. STUDENT USE PROHIBITED
2-28 Implementing Advanced File Services
Objectives
Configure the main office servers for BranchCache.
Lab Setup
Estimated Time: 30 Minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-LON-CL2
20412A-LON-DC1
20412A-LON-SVR1
Virtual Machine(s)
20412A-LON-CL1
20412A-LON-CL2
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
2. Open Server Manager, and install the BranchCache for network files role service.
5. Enable the BranchCache setting, and then select Allow hash publication only for shared folders on
which BranchCache is enabled.
o Permissions: default
c. Action: Allow
f. Action: Allow
6. Close the Group Policy Management Editor and Group Policy Management console.
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
3. Open Group Policy Management, and block GPO inheritance on the BranchCacheHost OU.
4. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd.
Enable-BCHostedServer
RegisterSCP
Get-BCStatus
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
o Type the maximum round trip network latency (milliseconds) after which caching begins:
0
4. Start 20412A-LON-CL1, open a command prompt window, and refresh the Group Policy settings
using the command gpupdate /force.
5. At the command prompt, type netsh branchcache show status all, and then press Enter.
6. Start the 20412A-LON-CL2, open the command prompt window, and refresh the Group Policy
settings using the command gpupdate /force.
7. At the command prompt, type netsh branchcache show status all, and then press Enter.
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
2. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click
Performance Monitor.
3. Remove existing counters, change to report view, and then add the BranchCache object counters to
the report.
MCT USE ONLY. STUDENT USE PROHIBITED
2-32 Implementing Advanced File Services
2. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click
Performance Monitor.
3. In Performance Monitor, remove existing counters, change to a report view, and then add the
BranchCache object to the report.
2. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click
Performance Monitor.
3. In the Performance Monitor, remove existing counters, change to a report view, and then add the
BranchCache object to the report.
3. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes
from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes
Served).
4. Switch to LON-CL2.
5. Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This should
not take as long, because the file is cached.
6. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
7. Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
Results: At the end of this exercise, you will have verified that BranchCache is working as expected.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Question: Why would you want to implement BranchCache in Hosted Cache mode instead
of Distributed Cache mode?
Your organization is considering deploying a BranchCache solution. You are a Windows Server 2012
administrator in your organization, and are responsible for designing and deploying the new solution. The
organizations business managers are concerned about security of the data that will be stored in the
branch offices. They are also concerned about how the organization will address security risks such as data
tampering, information disclosure, and denial of service attacks. What should you do?
Answer: You should include a security expert on your design team. You should also consider the defense-
in-depth model of analyzing security risks. BranchCache addresses the security risks as follows:
Data tampering. The BranchCache technology uses hashes to confirm that during the communication,
the client and the server did not alter the data.
Information disclosure. BranchCache sends encrypted content to clients, but they must have the
encryption key to decrypt the content. Because potential malicious user would not have the
encryption key, if an attacker attempts to monitor the network traffic to access the data while it is in
transit between clients, the attempt will not be successful.
Denial of service. If an attacker tries to overload the client with requests for data, BranchCache
technology includes queue management counters and timers to prevent clients from being
overloaded.
Your organization is using large amounts of disk space for data storage and is facing a challenge of
organizing and managing the data. Furthermore, your organization must satisfy requirements for security,
compliance, and data leakage prevention for company confidential information. What should you do?
Answer: You should deploy the file classification infrastructure. Based on file classification, you can
configure file management tasks that will enable you to manage groups of files based on various file and
folder attributes. You can also automate file and folder maintenance tasks, such as cleaning up stale data
or protecting sensitive information.
Best Practice:
When considering an iSCSI storage solution for your organization, spend most of the time on the
design process. The design process is crucial because it allows you to optimize the solution for all
MCT USE ONLY. STUDENT USE PROHIBITED
2-34 Implementing Advanced File Services
technologies that will be using iSCSI storage, such as file services, Exchange Server, and SQL Server.
The design should also accommodate future growth of your organizations business data. Successful
design processes guarantee a successful deployment of the solution that will meet your organizations
business requirements.
When planning for BranchCache deployment, ensure that you work closely with your network
administrators so that you can optimize network traffic across the WAN.
When planning for file classifications, ensure that you start with your organizations business
requirements. Identify the classifications that you will apply to documents, and then define a method
that you will use to identify documents for classification. Before you deploy the file classification
infrastructure, create a test environment and test the scenarios to ensure that your solution will result
in a successful deployment and that your organizations business requirements will be met.
Tools
Tool Use Where to find it
iSCSI target Configure iSCSI targets In Server Manager, under File and
server Storage Servers
iSCSI initiator Configure a client to connect In Server Manager, in the Tools drop-
to an iSCSI target virtual disk down list box
Module 3
Implementing Dynamic Access Control
Contents:
Module Overview 3-1
Module Overview
The Windows Server 2012 operating system introduces a new feature for enhancing access control for
file-based and folder-based resources. This feature, called Dynamic Access Control, extends regular NTFS
file systembased access control by enabling administrators to use claims, resource properties, policies,
and conditional expressions to manage access. In this module, you will learn about Dynamic Access
Control, and how to plan for it and implement it.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of Dynami
D c Accesss Contrrol
Dyn
namic Access Control
C is a new
w Windows Seerver 2012 featture that you ccan use for acccess managem ment.
Dyn
namic Access Control
C offers a new way of securing
s and ccontrolling acccess to resourcces. Before you
u
imp
plement this feature, you sho ould understan
nd how it workks and which ccomponents it uses. This lessson
pressents an overvview of Dynamic Access Conttrol.
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
Define Dynam
mic Access Con
ntrol.
Define identitty.
Define claim and claim type
es.
Wh
hat Is Dyna
amic Acce
ess Controll?
Typically, most of an organizatio ons data is sto
ored
on file
f servers. Therefore, IT adm ministrators must
provvide proper se ecurity and acccess control to file
servver resources. In
I previous verrsions of Winddows
Servver, IT administrators controlled most acce ess to
file server resourcces by using NTTFS permission ns
and access contro ol lists.
Dyn
namic Access Control
C provide
es:
Foundation
n Technolo
ogies for Dynamic
D A
Access Con
ntrol
Dynamic Accesss Control combines many Windows
W
Se
erver 2012 technologies to provide
p a flexib
ble and
granular authorrization and au
uditing experieence.
Dynamic Accesss Control uses the following
te
echnologies:
Auditing fo
or secure monitoring and acccountability.
everal compon
Se nents and tech
hnologies are updated
u in Wi ndows Server 2012 to suppo
ort Dynamic A
Access
Control. The mo
ost important updates are:
Dy
ynamic Acccess Contrrol vs. Alternative Peermissions Technologies
Dynnamic Access Control
C controls access to file
e-
baseed resources. ItI does not ove
erlap with olde er,
welll-known techn nologies that provide
p similar
ead, Dynamic Access Contro
funcctionality. Inste ol
ends the functionality of older technologie
exte es for
controlling file-baased resource access.
a
In previous
p versions of Window ws Server, the basic
b
mecchanism for file e and folder access control was
w
NTFFS permissions. By using NTFFS permissionss and
theiir access control lists (ACLs), administratorss can
control access to resources base ed on user namme
secu
urity identifierss (SIDs) or group membership
SIDss, and the leve
el of access succh as Read-onlly, Change, an d Full Control.. However, oncce you provide
e
som
meone with, for example, Rea ad Only accesss to a docume nt, you cannott prevent that person from
copying the conte ent of that doccument into a new documen nt or printing tthe documentt.
By implementing AD RMS, you can establish an a additional llevel of file control. Unlike, N
NTFS permissio ons,
which are not appplication-aware e, AD RMS sets a policy thatt can control ddocument acce ess inside the
app
plication that th
he user uses to
o open it. By im
mplementing A AD RMS, you eenable users to o protect
doccuments withinn applications.
Wh
hat Is Iden
ntity?
Idenntity is usually defined as a set of data thatt
uniqquely describe es a person or a thing (somettimes
refe
erred to as subjject or entity) anda contains
ormation about the subject's relationships to
info
othe er entities. Identity is usuallyy verified by ussing a
trussted source of information.
in
nformation tha at is published in a passport is accurate forr the passport owner. Becausse you usually use the
paassport outside of your coun ntry of residen
nce, other counntries must also trust the info
ormation in yo our
paassport. They must
m trust the organization that issued yo ur passport an nd consider it reliable. Basedd on
th ant you access to their territo
hat trust, otherr countries gra ories (which caan be considerred resources)..
Thherefore, in this example, to access resourcces in other coountries, each person is requuired to have a
do able and trusteed source and
ocument (passsport) that is isssued by a relia d that containss critical claimss that
deescribe the person.
Thhe Windows Server operatin ng system usess a similar conccept of identityy. An administtrator creates a user
acccount in AD DS
D for a person n controller pu blishes user acccount information, such as a
n. The domain
se
ecurity identifier and group membership attributes.
a Wheen a user accesses a resource e, Windows Se erver
crreates an authorization token.
To
o continue thee foreign trave u are the user, and the autho
el analogy, you orization token
n is the passpo
ort. Each
un
nique piece off information in the authorizzation token is a claim madee about your user account. DDomain
co ms. Domain-joined computeers and domain
ontrollers publish these claim n users trust domain controlllers to
provide authoritative informa ation.
We
W can then say that identityy, with respect to authenticattion and autho
orization, is infformation pubblished
ab
bout an entity from a trusted
d source. Furth
hermore, the i nformation is considered au uthoritative because
th
he source is tru
usted.
Eaarlier versions of Windows Server used the e security identtifier (SID) to rrepresent the iidentity of a user or
coomputer. Users authenticate e to the domain with a speciffic user name and password. The unique logon
na ame translatess into the SID. The domain controller valid ates the passw word and publishes the SID o of the
seecurity principaal and the SIDs of all the gro
oups within wh hich the princi pal is a memb ber. The domaiin
coontroller claim
ms the user's SID is valid and should be useed as the identtity of the userr. All domain m members
trrust their domaain controller; therefore, the
e response is trreated as authoritative.
What
W Is a Claim?
C
Windows
W Server 2008 and Wiindows Server 2003
usse claims in Acctive Directoryy Federation Se ervices
(A
AD FS). In this context,
c claimss are statemen nts
made
m about useersfor example, name, identity,
keey, group, privvilege, or capabbilitywhich are
a
un nderstood by the
t partners in n an AD FS
fe
ederation. AD FS also provides AD DSbase ed
claims, and the ability to convvert the data from
hese claims into Security Assertions Markup
th
Laanguage (SAM ML) format. In previous
p versio
ons of
AD FS, the only attributes that could be retrieved
from AD DS and d incorporated d directly into a claim
was
w SID informa ation for user and
a group acccounts. All oth er claim inform mation was deefined within and
re
eferenced from m a separate da atabase, know wn as an attribu
ute store. Wind
dows Server 20012 now allow ws you
to
o read and use e any attribute directly from AD DS. You do o not need to use a separate e AD FS attribu
ute
his type of information for Acctive Directoryybased comp
sttore to hold th puter or user acccounts.
MCT USE ONLY. STUDENT USE PROHIBITED
3-6 Implementing Dynamic Access Control
By definition,
d a cla
aim is somethiing that AD DSS states about a specific objeect (usually a uuser or compu
uter).
A claim provides information
i fro
om the trustedd source abou t an entity. So ome examples of claims are tthe
SID of a user or coomputer, the department
d assification of a file, and thee health state o
cla of a computer.. All
thesse claims state
e something abbout a specific object.
An entity
e ore than one claim. When co
normallyy contains mo onfiguring reso
ource access, any combinatio
on of
claim
ms can be used to authorize
e access to reso
ources.
In Windows
W Serve uthorization mechanism is exxtended. You ccan now use u
er 2012, the au user claims and d
device claims for file
f and folderr authorizationn in addition to
o NTFS permisssions that are based on userrs SID
or group
g SIDs. By using claims, you can now base
b your acceess control deccision on SID aand other attribute
ues. Note that Windows Servver 2012 still su
valu upports using group membeership for auth horization decisions.
Use
er Claim
A usser claim is infformation that is provided byy a Windows SServer 2012 do omain controlller about a useer.
Win
ndows Server 20122 domain controllers
c can use most AD DS user attrib butes as claim iinformation. T
This
provvides administtrators with a wide
w range of possibilities fo
or configuring and using claiims for access
control.
Dev
vice Claim
A deevice claimwwhich is often called
c a compuuter claimis information th hat is provided
d by a Window ws
Servver 2012 doma ain controller about
a a device
e that is repressented by a co
omputer accou unt in AD DS. A
As
with
h user claims, device
d claims can
c use most ofo the AD DS aattributes that are applicable e to computerr
objeects.
Wh
hat Is a Ce
entral Acce
ess Policy?
Onee of the fundam mental compo onents of Dyna amic
t central acccess policy. This
Access Control is the
Winndows Server 2012
2 feature enables
ministrators to create policiess that they can
adm n
app
ply to one or more
m file serverrs. You create
policies in the Acttive Directory Administrative
A e
Cen
nter, which then stores them in AD DS, and d you
then
n apply them by b using Group Policy. The
centtral access policy contains one or more central
acce
ess policy ruless. Each rule co
ontains settingss that
dete
ermine applica ability and perrmissions.
Befo
ore you create e a central acce
ess policy, you
ast one central access rule. Central access rrules define al l parameters aand conditionss that
musst create at lea
control access to specific resourrces.
A ce
entral access ru
ule has three configurable
c parts:
p
Name. For ea
ach central acccess rule, you should
s configu
ure a descriptivve name.
Target resourrce. This is a co
ondition that defines
d to whicch data the po
olicy applies. Yo ou define a
condition by specifying an attribute and its value. For eexample, a parrticular central policy rule might
apply to any data that you classify as sensitive. You cann also apply th e rule to all re
esources to wh
hich
the central acccess policy appplies.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 3-7
Permissions. This is a list of one or more access control entries (ACEs) that define who can access data.
For example, you can specify Full Control Access to a user with attribute EmployeeType set to FTE
(full-time employee). This is the key component of each central access rule. You can combine and
group conditions that you place in the central access rule. You can set permissions either to
proposed (for staging purposes) or current.
After you configure one or more central access rules, you then add these rules to the central access policy,
which is then applied to the resources.
The central access policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACLs) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central access policy that is applied to the file restricts access to
the same user, the user will not be able to obtain access to the file. Likewise, if the central access policy
allows access but the DACL does not allow access, then the user will not be able to access the file.
1. Create a claim, and then connect it to users or computer objects by using attributes.
2. Create file property definitions.
5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a
central access policy exists in AD DS.
Lesson 2
Planning for Dynami
D ic Accesss Contrrol
Dynnamic Access Control
C requirees detailed planning prior too implementation. You shoulld identify reassons
for implementing Dynamic Acce ess Control, annd plan for cen olicy, file classifications, auditting,
ntral access po
and access-denied
d assistance. In
n this lesson, you
y will learn aabout planningg Dynamic Acccess Control.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe reassons for implem
menting Dynamic Access Co
ontrol.
Planning
P fo
or Central Access Po
olicy
Im
mplementing central
c access policy is not
mandatory
m for Dynamic
D Access Control. Ho owever,
fo
or consistent co onfiguration of
o access contrrol on
all file servers, you
y should imp plement at least one
ceentral access policy.
p By doing g so, you enabble all
fille servers within a specific sccope to use a central
c
acccess policy wh hen protecting g content in sh
hared
fo
olders.
o Only fu
ull time employees should be able to acce ss technical do
ocumentation from previouss
projectts.
3.. Translate th on policies that you require into expressions. In the case
he authorizatio e of Dynamic A Access
Control, expressions are attributes
a that are associated
d with both thhe resources (fiiles and folderrs) and
the user or device that se
eeks access to the resources. These expresssions state addditional identiffication
requiremen nts that must be
b met to acce ess protected ddata. Values th
hat are associated with any
he user or deviice to producee the same value.
expressionss on the resource obligate th
4.. Next, you should break down
d the expreessions that yo ou have createed, and determ
mine what claim m types,
resource prroperties, and device claims that you mustt create to dep ploy your policcies. In other w
words,
dentify the attributes for acccess filtering.
you must id
Pla
anning File
e Classifica
ations
Whe en planning yo our Dynamic Access
A Control
impplementation, youy should incclude file
classifications. Although file classsifications are
e not
manndatory for Dyynamic Access Control, they can
enhance the automation of the entire processs. For
exammple, if you reequire that all documents
d that
are classified Conffidentiality: High be accessib ble to
top management only, regardle ess of the serve er on
which the documents exist, you should ask
yourself how you identify these documents, and a
howw to classify theem appropriattely.
Whe
en planning fo
or file classifica
ations, do the following:
f
Identify which
h classification
n or classificatio want to apply tto documents.
ons that you w
Pla
anning File
e Access Auditing
A
In Windows
W Serveer 2008 R2 and d Windows Serrver
2012, you can use e advanced audit policies to
impplement detaile ed and more precise
p file systtem
auditing. In Windo ows Server 2012, you can alsso
impplement auditin ng together with
w Dynamic Access
A
Conntrol to utilize the new Windows security
auditing capabilities. By using conditional
expressions, you can
c configure auditing so that it
onlyy occurs in speecific cases. For example, you u
mayy want to audit attempts to openo shared
fold
ders by users inn countries oth her than the
country where the e shared folder is located. Yo ou
achieve this by immplementing proposed
p permmissions in the central access rules.
With Global Object Access auditing, administrators can defiine computer system accesss control lists
(SAC
CLs) according er the file systeem or registry. The specified SACL is then
g to the objectt type for eithe
app
plied automaticcally to every object
o of that type. You can use a Global O Object Access Audit policy to
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 3-11
enforce the Object Access Audit policy for a computer, file share, or registry without configuring and
propagating conventional SACLs. Configuring and propagating a SACL is a complex administrative task
that is difficult to verify, particularly if you must verify to an auditor that a security policy is being
enforced.
Note: Auditors can verify that every resource in the system is protected by an audit policy
by viewing the contents of the Global Object Access Auditing policy setting.
Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Audit
policy to log all activity for a specific user and enabling the Access Failures audit policies in a resource
such as a file system or registry can help administrators quickly identify which object in a system is
denying a user access.
Before you implement auditing you should prepare an audit plan. In the auditing plan, you should
identify resources, users, and activities that you want to track. You can implement auditing for several
scenarios, such as:
Tracking changes to user and machine attributes. As with files, users and machine objects can have
attributes, and changes to these can affect whether users can access files. Therefore, tracking changes
to user or machine attributes can be valuable. Users and machine objects are stored in AD DS, which
means that you can track their attributes using Directory Service Access auditing.
Obtaining more information from user logon events. In Windows Server 2012, a user logon event
(4624) contains information about the attributes of the file that was accessed. You can view this
additional information by using audit log management tools to correlate user logon events with
object access events, and by enabling event filtering based on both file attributes and user attributes.
Providing more information from object access auditing. In Windows Server 2008 R2 and Windows
Server 2012, file access events 4656 and 4663 now contain information about the attributes of the file
that was accessed. Event log filtering tools can use this additional information to help you identify the
most relevant audit events.
Tracking changes to central access policies, central access rules, and claims. Because theseobjects are
stored in AD DS, you can audit them just as you would any other securable object in AD DS by using
Directory Service Access auditing.
Tracking changes to file attributes. File attributes determine which central access policy applies to the
file. A change to the file attributes can potentially affect the access restrictions on the file. You can
track changes to file attributes on any machine by configuring Authorization Policy Change auditing
and Object Access auditing for file systems. Event 4911 is introduced in Windows Server 2012 to
differentiate this event from other Authorization policy change events.
MCT USE ONLY. STUDENT USE PROHIBITED
3-12 Implemennting Dynamic Access Control
Pla
anning Acccess Denie
ed Assistan
nce
Access Denied Assistance helps end users
deteermine why th hey cannot acccess a resource e. It
also
o allows IT stafff to properly diagnose
d a
problem, and then direct the re esolution. Wind dows
Servver 2012 enables you to custtomize messag ges
aboout denied acce ess and provid de users with the
ability to request access without contacting th he
help
p desk or IT tea am. In combin nation with
Dynnamic Access Control,
C Accesss Denied Assisttance
can inform the filee administrato or of user and
reso
ource claims, enabling
e the addministrator to
o
mak ke educated decisions aboutt how to adjust
policies or fix userr attributes (fo
or example,. if the
t departmen
nt is listed as H
HR instead of H
Human Resources).
Whe
en planning fo
or Access Denied Assistance, you should in
nclude the follo
owing :
Create the em
mail text that users
u use to req
quest access. I f you allow ussers to requestt access to
resources, you can prepare text that is ad
dded to their eemail messages.
Determine the recipients fo or the Access Request
R email messages. You u can choose tto send email tto
folder ownerss, file server ad
dministrators, or
o any other sp
pecified recipi ent. Messagess should alwayys be
he proper persson. If you have a help desk ttool or monito
directed to th oring solution that allows emmail
messages, you can also dire ect those messsages to generrate user requeests in your he
elp desk solutio
on
automaticallyy.
Decide on the
e target opera
ating systems. Access
A Denied
d Assistance on
nly works with Windows 8 o
or
Windows Servver 2012.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 3-13
Lesson
n3
Deplo
oying Dynamic
D c Accesss Contro
ol
Too deploy Dynaamic Access Co ontrol, you mu
ust perform sevveral steps and
d configure se
everal objects. In this
le
esson, you will learn about im
mplementing and
a configurin ng Dynamic Acccess Control.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe th
he prerequisite
es for impleme
enting Dynamicc Access Control.
Enable support in AD DS for Dynamic Access
A Controll.
Prerequisit
P es for Imp
plementing
g Dynamicc Access Co
ontrol
Be
efore impleme enting Dynamiic Access Conttrol,
yo
ou must ensurre that your servers meet cerrtain
prerequisites. Claims-based authorization re
equires
th
he following in
nfrastructure:
At least onee Windows Server 2012 dom main controllerr must be acceessible by the W Windows cliennt
computer in the user's do omain. The new w authorizatioon and auditing mechanism requires exten nsions
to AD DS. These
T extensioons build the Windows
W claim dictionary, wh hich is where WWindows operrating
systems stoore claims for an
a Active Direcctory forest. Cllaims authorizzation also relie
es on the Kerb
beros
Key Distribuution Center (KDC). The Win ndows Server 22012 KDC conttains the Kerberos enhancem ments
that are req
quired to transsport claims within a Kerberoos ticket and ccompound ide entity. Windowws Server
2012 KDC also
a includes an a enhancement to support Kerberos armo oring. Kerberoos armoring is an
implementa ation of Flexib
ble Authenticattion Secure Tu
unneling. It proovides a proteccted channel bbetween
the Kerberoos client and thhe KDC.
You must havve a Windows 8 client if you are using devvice claims. Old
der Windows o
operating syste
ems
do not suppo
ort device claim
ms.
Alth
hough a Windo ows Server 201
12 domain con ntroller is requ
uired, there is n
no requiremen nt for having a
Winndows Server 2012
2 domain and
a forest funcctional level, u nless you wan nt to use claims across a fore
est
trusst. This means that
t a have domain controllerss on Windows Server 2008 aand Windows SServer
you can also
2008 R2 with the forest functionnal level locate
ed on Window ws Server 2008.
Ena
abling Sup
pport in AD DS for Dynamic
D A
Access Con
ntrol
Afte
er fulfilling the
e software requ
uirements for
enabling Dynamicc Access Contrrol support, yo ou
musst enable claim m support for the
t Windows Server
S
2012 KDC. Kerberros support forr Dynamic Acccess
Conntrol provides a mechanism for f including user
u
claim
m and device authorization information in na
Winndows authenttication token. Access checkss
perfformed on resources (such as a files or folde
ers),
use this authorization information to verify
idenntity.
To configure
c the Support
S mic Access Control and Kerb
Dynam beros armoring
g policy setting, choose one
e of
the four listed opttions:
Do not supp
port Dynamic Access Contrrol and Kerbe
eros armoring
g
Support Dyn
namic Access Control and Kerberos
K arm
moring
Always prov
vide claims an
nd FAST RFC behavior
b
Youu use the remaining policy se a the domain controllers aree Windows Server 2012 dom
ettings when all main
controllers and th
he domain funcctional level is configured to
o Windows Serrver 2012. The Always provid
de
claim
ms and FAST RFC
R behavior policy
p a the Also faail unarmored authenticatio
setting and on requests policy
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 3-15
se
etting enable Dynamic
D Accesss Control and
d Kerberos armmoring for the domain. Howe ever, the latterr policy
se
etting requiress all Kerberos authentication
a service and ti cket-granting service (TGS) communicatio on to
usse Kerberos arrmoring. Windows Server 2012 domain co ntrollers read this configuration while oth her
doomain controllers ignore this setting.
Im
mplementting Claimss and Reso
ource Prop
perty Obje
ects
After you enable support for Dynamic Acceess
Control in AD DS,
D you must next
n create and
d
co e property objects.
onfigure claims and resource
Creating
C and
d Configurin
ng Claim Ty
ypes
Too create and configure claim
ms, you primarily use
he Active Direcctory Administtrative Center. You
th
usse the Active Directory
D Administrative Cen nter to
crreate attribute-based claims,, which are the e most
co
ommon type of o claim. Howe ever, you can also
a use
th
he Active Direcctory module for
f Windows
PoowerShell to create certificate-based claims. All
When
W you selecct the attribute
e that you wannt to use to creeate a claim, yo
ou also must p
provide a nam me for
th
he claim. The suggested
s nam
me for the claim
m is always thee same as the selected attribbute name. Ho owever,
yo
ou can also proovide an alternnate or more meaningful
m naame for the claaim. Optionallyy, you can also
o
provide suggestted values for a claim. This iss not mandato ory, but do thiss can reduce the possibility ffor
making
m mistakees.
Creating
C and
d Configurin
ng Resource
e Propertiess
Although resource propertiess are at the corre of Dynamic Access Contro ol, you should implement th hem
affter you have defined
d user and device claim
ms. Remembeer that if a claim
m does not maatch the speciffied
re
esource properrty value, then
n access to the data might no
ot be allowed.. Therefore, revversing the ord
der of
MCT USE ONLY. STUDENT USE PROHIBITED
3-16 Implementing Dynamic Access Control
implementation would risk inadvertently blocking users from data that they otherwise should be able to
access.
When you use claims to control access to files and folders, you must also provide additional information
for those resources. You do this by configuring the resource property objects. You manage resource
properties in the Resource Properties container, which is located in the Dynamic Access Control node in
the Active Directory Administrative Center. You can create your own resource properties, or you can use
one of preconfigured properties, such as Project, Department, and Folder Usage. All predefined
resource property objects are disabled by default. If you want to use any of them, you should first enable
them. If you want to create your own resource property object, you can specify the property type, and the
allowed or suggested values.
When you create resource property objects, you can select properties to include in the files and folders.
When evaluating file authorization and auditing, the Windows operating system uses the values in these
properties along with the values from user and device claims.
After you have configured user and device claims and resource properties, you must then protect the files
and folders by using conditional expressions that evaluate user and device claims against constant values,
or values within resource properties. You can do this in any of the following three ways:
If you want to include only specific folders, you can use the Advanced Security Settings Editor to
create conditional expressions directly in the security descriptor.
To include several (or all) file servers, you can create central access policy rules, and then link those
rules to the Central Policy objects. You can then use Group Policy to deploy the Central Policy objects
to file servers, and then configure the share to use the Central Policy object. However, using central
access policies is the most efficient and preferred method for securing files and folders. This is
discussed further in the next topic.
You can use file classifications to include certain files with a common set of properties across various
folders or files.
You can use claims and resource property objects together in conditional expressions. Windows Server
2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional
expressions simply add another applicable layer to the permission entry. The results of all conditional
expressions must evaluate to True for Windows to grant the permission entry for authorization. For
example, suppose that you define a claim called Department for a user (with a source attribute
department), and that you define a resource property object called Dept. You can now define a
conditional expression that says that the user can access a folder (with the applied resource property
objects) only if the user attribute Department value is equal to the value of property Dept on the folder.
Note that if the Dept resource property object has not been applied to the file(s) in question, or if Dept is
a null value, then the user will be granted access to the data.
Note: Access is controlled not by the claim, but by the resource property object. The claim
must provide the correct value corresponding to the requirements set by the resource property
object. If the resource property object does not involve a particular attribute, then additional or
extra claim attributes associated with the user or device are ignored.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 3-17
Im
mplementting Centra
al Access Rules
R and Policies
Central access policies
p enablee you manage and
de
eploy consisteent authorizatioon throughoutt the
orrganization byy using central access rules and
Central Access Policy
P objects.
Configuring
C Central Acccess Rules
Yo
ou typically cre
eate and confiigure central access
a rules in the Active Dirrectory Adminiistrative Cente
er.
However, you can also use Windows PowerrShell to perforrm the same task.
To
o create a new
w central access rule, do the following:
f
o Use foollowing perm missions as pro oposed perm missions. Use th his option to aadd the permisssions
entries in the permissions list to the list of propoosed permissio ns entries for tthe newly creaated
central access rule. You
Y can combine the propossed permission ns list with file system auditin
ng to
model the effective access
a that useers have to thee resource, without having to o change the
permissions entries inn the current permissions
p lisst. Proposed peermissions gen nerate a speciaal audit
event to
t the event loog that describbes the propossed effective acccess for the u users.
Note: Pro
oposed permisssions do not apply
a to resou rces; they exisst for simulatio
on purposes
on
nly.
MCT USE ONLY. STUDENT USE PROHIBITED
3-18 Implemennting Dynamic Access Control
o Use folloowing permisssions as curre ent permissio ons. Use this o ption to add tthe permission ns
entries in
n the permissio ns entries for tthe newly created
ons list to the list of the curreent permission
central acccess rule. The
e current permmissions list reppresents the addditional permmissions that thhe
Windowss operating sysstem considerss when you deeploy the central access rule to a file server.
Central access
a rules doo not replace thhe existing seccurity. When m making authoriization decisio ons,
Windowss evaluates perrmission entrie es from the ce ntral access ruule's current peermissions list,
NTFS, and share permissions lists.
Implementin
ng File Acccess Auditiing
The Global Objectt Access Auditing feature in
Winndows 8 and Windows
W Serve
er 2012 enables you
to configure
c objecct access auditting for every file
and folder in a co omputers file system.
s You usse
this feature to cen ntrally managee and configurre
Winndows operatin ng systems to monitor everyy file
and folder on the computer. To o enable objectt
acceess auditing inn previous verssions of Windo ows
Servver, you had to o configure this option in ba asic
audit policies (in GPOs),
G and turrn on auditing for a
speccific security principal
p in the objects SACLL.
Sommetimes this ap pproach did no ot easily recon
ncile
withh company policiessuch ass Log all administrative writte activity on sservers contain
ning financial
ormationbeccause you can turn on objectt access audit logging at thee object level, but not at the
info
servver level. The new
n audit category in Windo ows Server 20008 R2 and Win
ndows Server 22012 enables
admministrators to manage objecct access auditting using a m uch wider scope.
You
u should configgure Global Ob bject Access Auditing for yo ur enterprise b by using the se
ecurity policy oof a
dom
main-based GP PO. The two se ecurity policy settings
s that arre required to enable globall object accesss
auditing are locatted in the follo
owing locations:
Computer Co onfiguration\W
Windows Settin ngs\Security Seettings\Advancced Audit Policcy\Audit
Policies\Object Access\Audit File System
Computer Co onfiguration\W
Windows Settin ngs\Security Seettings\Advancced Audit Policcy\Audit
Policy\Global Object Accesss Auditing\File
e System
Global Object Acccess Auditing includes a subccategory for fiile system and registry.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 3-19
Note: If both
b a file or fo
older SACL and a Global Obj bject Access Au uditing policy (or a single
egistry setting SACL and a Global Object Access
re A Auditing
g policy) are co onfigured on a computer,
th
he effective SAACL is derived byb combining the file or fold der SACL and tthe Global Obj bject Access
Auditing policy.. This means th hat an audit evvent is generatted if an activiity matches eitther the file
orr folder SACL or
o the Global Object
O Access Auditing policcy.
Im
mplementting Accesss Denied Assistance
A
One
O of the mosst common errrors that users receive
when
w they try too access a file or folder on a
re
emote file servver is an accesss denied error.
Tyypically, this errror occurs whhen a user triess to
acccess a resourcce without havving proper
peermissions to dod so, or because of incorrecctly
co
onfigured perm missions or ressource ACLs. Using
U
Dynamic Accesss Control can createc further
co
omplications. ForF example, usersu with
peermissions willl not be grante ed access if a relevant
r
atttribute in theiir account is misspelled.
m
When
W users receive this error,, they usually try
t to
co
ontact the admministrator to obtain
o access. However, adm
ministrators usu
ually do not ap
pprove access to
re
esources, so they redirect the
e users to sommeone else for approval.
In
n Windows Serrver 2012, therre is a new featture to help bo oth users and administratorss in such situattions.
Thhis feature is called Access Denied
D Assistan
nce. It helps ussers respond to
o access denie
ed issues withoout
in
nvolving IT stafff. It does this by providing information ab bout the probl em and directting users to thhe
proper person.
Access
A Denie
ed Remediation
Thhe Access Den
nied Assistance
e feature provides three wayys for troublesh
hooting issues with access denied
errrors:
Remediatio on by the data owner. Admin nistrators can ddefine owners for shared follders. This enables
users to sen
nd email messages to the da ata owners to rrequest accesss. For example, if a user is
accidentallyy left off a secu
urity group meembership, or the users dep partment attrib bute is misspelled, the
data ownerr might be able e to add the user
u to the grooup. If the dataa owner does n not know how w to
grant accesss to the user, the
t data owne er can forward this informatiion to the app propriate IT
administrattor. This is helppful because th
he number of user support rrequests escalaated to the sup pport
desk shouldd be limited to o specialized caases, or cases tthat are difficu
ult to resolve.
Implementin
ng File Classsifications
To implement Dynamic Access Control effectively,
you must have we ell-defined claims and resource
properties. Althou ugh claims are defined by
attributes for a usser or a device,, resource
properties are mo ost often manu ually created and
defiined. File classifications enabble administrattors
to define
d automattic proceduress for defining a
desiired property ono the file, bassed on conditions
speccified in a classification rule. For example, you
can set the Confid dentiality pro operty to High h on
all documents
d whhose content co ontains the wo ord
seccret. You could then use this property in
Dyn namic Access Control
C to speccify that only employees
e wit h their emplo
oyeetype attrib
butes set to
Man nager can acccess those docu uments.
In Windows
W Serve
er 2008 R2 and d Windows Serrver 2012, classsification man
nagement and file managem ment
task
ks enable administrators to manage
m groupps of files based
d on various fiile and folder aattributes. Witth
thesse tasks, you can automate file
f and folder maintenance tasks, such as cleaning up sttale data or
prottecting sensitivve information
n.
Classsification man nagement is deesigned to easse the burden and managem ment of data th
hat is spread o
out in
the organization. You can classify files in a variety of ways. IIn most scenarrios, you classify files manuaally.
The file classification infrastructure in Windowws Server 20088 R2 enables organizations to o convert thesse
man nual processess into automated policies. Ad dministrators ccan specify filee managementt policies based on
a files classificatio
on, and then apply corporatee requirementts for managin ng data based on a business value.
You
u can use file classification to
o perform the following
f actio
ons:
es, which you ccan assign to fiiles by running
Define classification properrties and value g classification
n rules.
Create, updatte, and run classification rulees. Each rule asssigns a singlee predefined property and vaalue
n a specified diirectory based on installed cclassification pllug-ins.
to files within
When running a classificatio on rule, reevalluate files thatt are already cllassified. You ccan choose to
overwrite exissting classification values or add the valuee to properties that support multiple value es. You
can also use this
t to declassiify files that arre no longer in n the classificattion criteria.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 3-21
Im
mplementting Centra
al Access Policy
P Changes
After you impleement Dynamic Access Contrrol, you
might
m have to make
m some changes. For exaample,
yo
ou might have e to update conditional expressions,
orr you might want to change claims. You must
m
ca
arefully plan any change to Dynamic
D Access
Control compon nents.
Foor this purposee, Windows Se erver 2012 introduces the co oncept of stagiing. Staging en nables users too verify
th
heir proposed policy updates before enforrcing them. To o use staging, yyou deploy the e proposed po olicies
along with the enforced
e policcies, but you do not actually grant or denyy permissions. Instead, the W Windows
op perating system logs an aud dit event (48188) any time thee result of the access check tthat is using th
he
sttaged policy differs from thee result of an access check thhat is using thee enforced pollicy.
MCT USE ONLY. STUDENT USE PROHIBITED
3-22 Implementing Dynamic Access Control
Objectives
Plan the Dynamic Access Control implementation.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-LON-CL2
20412A-LON-DC1
20412A-LON-SVR1
Virtual Machine(s)
20412A-LON-CL1
20412A-LON-CL2
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 3-23
The security department is also concerned that managers are accessing files using their home computers,
which may not be highly secure. Therefore, you must create a plan for securing the documents regardless
of where they are located, and ensure that the documents can only be accessed from authorized
computers. Authorized computers for managers are members of the security group ManagersWks.
The support department reports that a high number of calls are generated by users who cannot access
resources. You must implement a feature that helps users understand error messages better, and that will
enable them to request access automatically.
The main tasks for this exercise are as follows:
3. Move LON-CL1, LON-CL2, and LON-SVR1 computer objects into the Test OU.
4. On LON-DC1, from Server Manager, open the Group Policy Management Console.
5. Remove the Block Inheritance setting that is applied to the Managers OU. This is to remove the
block inheritance setting used in a later module in the course.
7. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
8. Enable the KDC support for claims, compound authentication and Kerberos armoring policy
setting.
13. Verify that user Aidan Delaney is a member of Managers department, and that Allie Bellew is the
member of the Research department. Department entries should be filled into the appropriate
attribute for each user profile.
Results: After completing this exercise, you will have planned for Dynamic Access Control deployment,
and you will have prepared AD DS for Dynamic Access Control implementation.
3. Open the Claim Types container, and verify that there are no default claims defined.
4. Open the Resource Properties container, and note that all properties are disabled by default.
5. Open the Resource Property Lists container, and then open the properties of the Global Resource
Property List.
6. In the Resource Properties section, review available resource properties, and then click Cancel.
2. Open the Claim Types container, and create a new claim type for users and computers using the
following settings:
o Source Attribute: Department
2. Create a new claim type for computers using the following settings:
Results: After completing this exercise, you will have reviewed the default claim types, configured claims
for users, and configured claims for devices.
2. Classify files.
5. Open the Global Resource Property List, ensure that Department and Confidentiality are included
in the list, and then click Cancel.
6. Close the Active Directory Administrative Center.
2. Refresh Classification Properties, and verify that Confidentiality and Department properties are
listed.
o Scope: C:\Docs
o Property: Confidentiality
o Value: High
o Evaluation Type: Re-evaluate existing property values, and then click Overwrite the existing
value
5. Open a Windows Explorer window, browse to the C:\Docs folder, and then open the Properties
window for files Doc1.txt, Doc2.txt, and Doc3.txt.
MCT USE ONLY. STUDENT USE PROHIBITED
3-26 Implementing Dynamic Access Control
6. Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.
Results: After completing this exercise, you will have configured resource properties for files, classified
files, and assigned properties to a folder.
2. Click Dynamic Access Control, and then open the Central Access Rules container.
3. Create a new Central Access Rule with the following values:
o Permissions: Remove Administrators, and then add Authenticated Users, Modify, with
condition User-Company Department-Equals-Resource-Department
2. Create new GPO named DAC Policy, and in the Adatum.com domain, link it to Test OU.
5. Click both Department Match and Protect confidential docs, click Add, and then click OK.
6. Close both the Group Policy Management Editor and the Group Policy Management Console.
4. Apply the Protect confidential docs central policy to the C:\Docs folder.
5. In the right pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box, and then click OK.
9. Double-click Enable access-denied assistance on client for all file types, enable it, and click OK.
10. Close both the Group Policy Management Editor and the Group Policy Management Console.
Results: After completing this exercise, you will have configured central access rules and central access
policies for Dynamic Access Control.
MCT USE ONLY. STUDENT USE PROHIBITED
3-28 Implementing Dynamic Access Control
3. Browse to \\LON-SVR1\Docs, and verify that you can only open Doc3.
4. Try to access \\LON-SVR1\Research. You should be unable to access it.
7. Open Windows Explorer, and try to access \\LON-SVR1\Research. You should be able to access it
and open files in it.
10. Open Windows Explorer and try to access \\LON-SVR1\Docs. You should be able to open all files in
this folder.
11. Log off LON-CL1.
12. Start and then log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
13. Open Windows Explorer and try to access \\LON-SVR1\Docs. You should be unable to see Doc1 and
Doc2, because the LON-CL2 is not permitted to view secret documents.
Results: After completing this exercise, you will have validated Dynamic Access Control functionality.
3. Verify staging.
4. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
5. Double-click Audit File System, select all three check boxes, and then click OK.
6. Close the Group Policy Management Editor and the Group Policy Management console.
2. In the Proposed permissions section, configure the condition for Authenticated Users as follows:
User-Company Department-Equals-Value-Marketing.
2. In Windows Explorer, try to access \\LON-SVR1\Research, and the files within it.
3. Switch to LON-SVR1.
4. Open Event Viewer, open Security Log, and then look for events with Event ID 4818.
2. Open the Advanced options for Security, and then click Effective Access.
3. Click select a user.
4. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and
then click OK.
5. Click View effective access.
6. Review the results. The user should not have access to this folder.
10. Click View Effective access. The user should now have access.
Results: After completing this exercise, you will have implemented new resource policies.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Best Practices
Use central access policies instead of configuring conditional expressions on resources.
Tools
Tool Use Location
Group Policy Management Editing Group Policy Objects Group Policy Management
Editor Console
MCT USE ONLY. STUDENT USE PROHIBITED
4-1
Module 4
Implementing Network Load Balancing
Contents:
Module Overview 4-1
Module Overview
Network Load Balancing (NLB) is a Windows Server network component. NLB uses a distributed algorithm
to balance IP traffic load across multiple hosts. It helps to improve the scalability and availability of
business-critical, IP-based services. NLB also provides high availability, because it detects host failures and
automatically redistributes traffic to surviving hosts. To effectively deploy NLB, you must understand its
functionality and the scenarios where its deployment is appropriate. The main change to NLB in Windows
Server 2012 is the inclusion of a comprehensive set of Windows PowerShell cmdlets. These cmdlets
enhance your ability to automate the management of Windows Server 2012 NLB clusters. The Network
Load Balancing console, which is also available in Windows Server 2008 and Windows Server 2008 R2, is
also present in Windows Server 2012
This module introduces you to NLB, and shows you how to deploy this technology, the situations for
which NLB is appropriate, how to configure and manage NLB clusters, and how to perform maintenance
tasks on NLB clusters.
Objectives
After completing this module, you will be able to:
Describe NLB.
Lesson 1
Overviiew of NLB
N
Befoore you deployy NLB, you nee ed to have a fiirm understan ding of the types of server wworkloads for w which
this high availability technologyy is appropriate. If you do no
ot understand the functionality of NLB, it iis
possible that you will deploy it in a manner thhat does not a ccomplish you ur overall objectives. For exaample,
you need to unde erstand why NLB is appropria ate for web appplications, but not for Micro
osoft SQL Serrver
dataabases.
Thiss lesson provid
des an overview
w of NLB, and the features n o
new to NLB in Windows Servver 2012. It also
desccribes how NLLB works normally, and durinng server failurre and server rrecovery.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe NLB
B technology.
Describe how
w NLB works.
Explain how NLB
N accommo
odates server fa
ailures and reccovery.
Describe new
w NLB features in Windows Server 2012.
Wh
hat Is NLB?
NLBB is a scalable, high availability feature thatt you
can install on all editions
e of Winndows Server 2012.
2
A sccalable technollogy is one whhere you can ad dd
addditional compo onents (in this case
c additiona al
clusster nodes) to meet increasinng demand. A node
in a Windows Servver 2012 NLB cluster is a
commputer, either physical or virttual, that is run
nning
the Windows Servver 2012 opera ating system.
Winndows Server 20122 NLB clustters can have
betwween two and 32 nodes. Wh hen you create e an
NLBB cluster, it creates a virtual network
n addre ess
and virtual network adapter. Th he virtual network
adapter has an IP address and a media accesss control (MAC o this address is
C) address. Nettwork traffic to
evenly distributed d across the noodes in the cluster. In a basicc NLB configurration, each noode in an NLB
clusster will service
e requests at a rate that is ap
pproximately eequal to that o of all other nod
des in the clustter.
Whe en an NLB clusster receives a request, it will forward that request to thee node that is currently leastt
utilized. You can configure
c NLB to preference e some nodes o over others.
NLB are. This means that if one of the nodes in the NLB clustter goes offline
B is failure-awa e, requests willl no
long
ger be forward ded to that node, but other nodes in the ccluster will conntinue to accep pt requests. When
the failed node reeturns to servicce, incoming re
equests will bee redirected un
ntil traffic is baalanced acrosss all
noddes in the clustter.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 4-3
How
H NLB Works
W
When
W you configure an application to use NLB,
N
clients address the
t application n using the NLLB
cluster address rather than the address of nodes
n
th
hat participate in the NLB cluuster. The NLBB cluster
ad
ddress is a virtual address that is shared be
etween
he hosts in the NLB cluster.
th
NLB directs trafffic in the following manner: All
ho osts in the NLBB cluster receivve the incomin
ng
t cluster, which is
trraffic, but only one node in the
de etermined thro ough the NLB process, will accept
a
th
hat traffic. All other
o nodes in the NLB clustter will
drop the traffic..
Which
W node in the
t NLB cluste er accepts the traffic depend
ds on the confiiguration of po ort rules and aaffinity
se
ettings. Throug
gh these settin etermine if tra ffic that uses a particular po
ngs, you can de ort and protoco ol will
e accepted by a particular node, or whether any node in
be n the cluster w will be able to aaccept and resspond.
NLB also sends traffic to node es based on cu urrent node uttilization. New traffic is directed to nodes tthat are
be
eing least utilizzed. For example, if you havve a four node cluster wheree three of the n nodes are resp
ponding
to
o requests from m 10 clients an
nd one node iss responding to he node that has fewer
o requests fro m 5 clients, th
clients will receiive more incom
ming traffic unntil utilization iis more evenlyy balanced across the nodes..
How
H NLB Works
W with
h Server Fa
ailures and
d Recoveryy
NLB is able to detect
d the failu
ure of cluster nodes.
n
When
W a cluster node is in a fa
ailed state, it is
re
emoved from the t cluster, and d the cluster does
d not
diirect new traffic to the node. Failure is detected
byy using heartbbeats. NLB clusster heartbeatss are
trransmitted eveery second between nodes in na
cluster. A node is automaticallly removed fro om a
NLB cluster if it misses five coonsecutive heartbeats.
When
W a node iss added or remmoved from a cluster,
c
a process known as convergence occurs.
Convergence allows the cluste er to determin ne its
cuurrent configuration. Converrgence can only occur
if each node is configured
c witth the same po ort rules.
NlbCluster. Lets
L you manage the NLB clu
uster. Includess the Get, New
w, Remove, Re
esume, Set, Sttart,
Stop, and Suspend verbs.
NlbClusterPo ortRuleNodeH
HandlingPrio
ority. Lets you set priority on ule basis. Supports
n a per-port ru
the Set ver.,
NlbClusterPo
ortRuleNodeW
Weight. Lets you
y set node w
weight on a peer-port rule baasis. Supports tthe
Set verb.
Lesson
n2
Configuring an NLB
B Cluste
er
To
o deploy NLB successfully, you must first haveh a firm un derstanding o
of its deployme ent requirements. You
must
m also have planned the manner
m in whicch you are goi ng to use portt rules and affiinity settings tto
nsure that trafffic to the application that is being hosted on the NLB clluster is handle
en ed appropriate ely.
Le
esson Objecctives
After completin
ng this lesson you
y will be able to:
Describe ho
ow to impleme
ent NLB.
Explain con
nfiguration opttions for NLB.
Explain how
w to configure
e NLB affinity and
a port rules.
Describe ne
etwork conside
erations for NLLB.
Deploymen
D nt Require
ements forr NLB
NLB requires that all hosts in the NLB cluste er
re
eside on the sa ame TCP/IP subnet. Although
TC CP/IP subnets can be configured to span multiple
m
ge eographic locaations, NLB clu
usters are unlikkely to
acchieve converg gence successffully if the late
ency
be etween nodes exceeds 250 milliseconds
m (m
ms).
When
W you are designing
d geoggraphically disspersed
NLB clusters, yo ead choose to deploy
ou should inste
ann NLB cluster at
a each site, an
nd then use Do omain
Name System (D DNS) round ro obin to distribuute
trraffic between sites.
Yoou can only usse TCP/IP protocol with netwwork adapters that participatte in NLB clustters. NLB suppports
IP
Pv4 and IPv6. The
T IP addresses of servers th hat participatee in an NLB clu
uster must be sstatic and musst not
bee dynamically allocated. When you install NLB, Dynamicc Host Configu uration Protocool (DHCP) is disabled
onn each interfacce that you configure to parrticipate in thee cluster.
De
emonstration: Deplo
oying NLB
Thiss demonstratio
on shows how to create a Windows Serverr 2012 NLB cluster.
Dem
monstration
n Steps
Cre
eate a Windows Server 2012 NLB Cluster
C
1. Log on to LO g the Adatum\\Administrat or account.
ON-SVR1 using
4. Open Networrk Load Balanccing Manager from the Tool s menu and viiew the clusterr.
Co
onfiguratio
on Optionss for NLB
Connfiguring NLB clusters
c involvves specifying how
h
hostts in the cluste
er will respondd to incoming
netw
work traffic. How NLB directts traffic depen nds
on the
t port and protocol
p that itt is using, and
wheether the clientt has an existin ng network session
h a host in the cluster. You can configure these
with t
settings by using port rules and affinity settings.
Porrt Rules
With port rules, yo ou can configu ure how reque ests to
speccific IP addressses and ports are
a directed byy the
NLB B cluster. You can
c load balan nce traffic on
Trannsmission Control Protocol (TCP)
( port 80 across
a
all nodes
n in an NLLB cluster, whille directing all requests to TC
CP port 25 to a specific hostt.
To specify
s how yoou want to disttribute requestts across nodees in the clusteer, you configu
ure a filtering m
mode
wheen creating a port
p rule. You can
c do this in the Add/Edit Port Rule diaalog box, which h you can use to
configure one of the
t following filtering
f modees:
Multiple hossts. When you configure thiss mode, all NL B nodes respo ond according to the weight
assigned to each
e node. Nod de weight is caalculated autoomatically, baseed on the perfformance
I a node fails, other nodes in
characteristics of the host. If n the cluster ccontinue to resspond to incomming
requests. Mulltiple host filte
ering increases availability an
nd scalability, aas you can increase capacityy by
adding nodess, and the cluster continues to t function in the event of n node failure.
Note: Highest priority is the lowest number, with a priority of 1 being higher priority than a
priority of 10.
Disable this port range. When you configure this option, all packets for this port range are dropped,
without being forwarded to any cluster nodes. If you do not disable a port range and there is no
existing port rule, the traffic is forwarded to the host with the lowest priority number.
You can use the following Windows PowerShell cmdlets to manipulate port rules:
Set-NlbClusterPortRule. Use this cmdlet to modify the properties of an existing port rule.
Note: Each node in a cluster must have identical port rules. The exception to this is the load
weight (in multiple-hosts filter mode) and handling priority (in single-host filter mode).
Otherwise, if the port rules are not identical, the cluster will not converge.
Affinity
Affinity determines how the NLB cluster distributes requests from a specific client. Affinity settings only
come into effect when you are using the multiple hosts filtering mode. You can select from the following
affinity modes:
None. In this mode, any cluster node responds to any client request, even if the client is reconnecting
after an interruption. For example, the first webpage on a web application might be retrieved from
the third node, the second web page from the first node, and the third web page from the second
node. This affinity mode is suitable for stateless applications.
Single. When you use this affinity mode, a single cluster node handles all requests from a single client.
For example, if the third node in a cluster handles a clients first request, then all subsequent requests
are also handled by that node. This affinity mode is useful for stateful applications.
Class C. When you set this mode, a single node will respond to all requests from a class C network
(one that uses the 255.255.255.0 subnet mask). This mode is useful for stateful applications where the
client is accessing the NLB cluster through load-balanced proxy servers. These proxy servers will have
different IP addresses, but will be within the same class C (24 bit) subnet block.
Host Parameters
You configure the host parameters for a host by clicking the host in the Network Load Balancing
Manager console, and then from the Host menu, clicking Properties. You can configure the following
host settings for each NLB node:
Priority. Each NLB node is assigned a unique priority value. If no existing port rule matches the traffic
that is addressed to the cluster, traffic will be assigned to the NLB node that is assigned the lowest
priority value.
Dedicated IP address. You can use this parameter to specify an address the host uses for remote
management tasks. When you configure a dedicated IP address, NLB configures port rules so that
they do not affect traffic to that address.
MCT USE ONLY. STUDENT USE PROHIBITED
4-8 Implementing Network Load Balancing
Subnet Mask. When you are selecting a subnet mask, ensure that there are enough host bits to
support the number of servers in the NLB cluster, and any routers that connect the NLB cluster to the
rest of the organizational network. For example, if you plan to have a cluster that has 32 nodes and
supports two routes to the NLB cluster, you will need to set a subnet mask that supports 34 host bits
or moresuch as 255.255.255.192.
Initial host state. You can use this parameter to specify the actions the host will take after a reboot.
The default Started state will have the host rejoin the NLB cluster automatically. The Suspended state
pauses the host, allowing you to perform operations that require multiple reboots without triggering
cluster convergence. The Stopped state stops the node.
Demonstration Steps
Configure Affinity for NLB Cluster Nodes
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. In Windows PowerShell, enter each of the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website Name PortTest PhysicalPath C:\porttest Port 5678
New-NetFirewallRule DisplayName PortTest Protocol TCP LocalPort 5678
3. In Network Load Balancing Manager, edit the properties of the LON-NLB cluster.
o Port range: 80 to 80
o Protocols: Both
o Affinity: None
o Protocols: Both
7. Configure the port rule for port 5678 and set handling priority to 10.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 4-9
Network
N Co
onsiderations for NLLB
Yo
ou must consid der several facctors when youu are
de
esigning a nettwork to suppo ort an NLB cluster.
Th
he primary deccision is whethher you want to
co
onfigure the NLB
N cluster to useu Unicast or
Multicast
M er operation mode.
cluste
Unicast
U Mod
de
When
W you configure a NLB cluster to use unicast
mode,
m all cluste
er hosts use thee same unicastt MAC
ad
ddress. Outgoing traffic usess a modified MAC M
ad
ddress that is determined
d byy the cluster ho
osts
priority setting. This prevents the switch tha at
ha
andles outbou m having problems
und traffic from
with
w all cluster hosts
h using the e same MAC address.
a
When
W you use unicast
u mode with
w a single network
n adapt er on each node, only comp puters that use e the
ame subnet can communicatte with the node using the n
sa nodes assigneed IP address. IIf you have to
pe
erform any no
ode manageme ent tasks, such g using Remotte Desktop to apply software
h as connecting e
up
pdates, you wiill need to perfform these tassks from a com
mputer that is o
on the same TTCP/IP subnet as the
no
ode.
When
W you use unicast
u mode with
w two or more network aadapters, one aadapter will be e used for dedicated
cluster commun nication, and the other adappter or adapterrs can be used
d for managemment tasks. When you
usse unicast mod
de with multipple network addapters, you caan perform clu ster managem
ment tasks such
h as
co
onnecting usinng Remote Pow werShell to add or remove r oles and featu
ures.
Multicast
M Mo
ode
When
W you configure an NLB cluster
c to use multicast modde, each cluster host keeps itts original MACC
ad
ddress, but also is assigned an
a additional multicast
m MAC h node in the ccluster is assigned the
C address. Each
sa
ame additional MAC multica ast address. Muulticast mode requires netwoork switches and routers thaat
su
upport multicaast MAC addre esses.
In
nternet Group Manage
ement Proto
ocol Multica
ast
In
nternet Group Management Protocol (IGM MP) multicast m mode is a speccial form of muulticast mode tthat
prevents the ne etwork switch from
f being flo
ooded with trafffic. When you u deploy IGMP P multicast mo
ode,
trraffic is forward
ded only throu
ugh switch porrts that particip
pate in the NLLB cluster. IGM
MP multicast m
mode
re
equires switch hardware thatt supports this functionality.
Network
N Con
nsiderationss
Yo ou can improvve NLB cluster performance whenw using un nicast mode byy using separaate virtual locaal area
ne etworks (VLAN Ns) for cluster traffic
t and management trafffic. Using VLAANs segments traffic, therebyy
preventing man nagement trafffic from affecting cluster trafffic. When you
u host NLB nod des on virtual
machines
m using Windows Servver 2012, you can also use n network virtuallization to segment manage ement
trraffic from clusster traffic.
MCT USE ONLY. STUDENT USE PROHIBITED
4-10 Implemennting Network Load Balancing
B
Lesson 3
Planning an NLB
N Imp
plementtation
Wheen you are plaanning an NLB implementatiion, you must ensure that th he applicationss that you dep ploy
are appropriate fo
or NLB. Not alll applications are
a suitable fo
or deployment on NLB cluste ers, and it is
imp
portant for youu to be able to identify whichh ones can ben
nefit from thiss technology. Y
You also need to
kno
ow what steps you
y can take to t secure NLB, and be familiaar with the op
ptions that youu have to scale NLB,
should the applicaation hosted on
o the NLB cluster require grreater capacityy.
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
Explain how to
t design application and sto
orage supportt for NLB.
De
esigning Application
ns and Storrage Supp ort for NLLB
Because clients ca
an be redirecteed to any nodee in
an NLB
N cluster, ea ach node in thee cluster must be
able
e to provide a consistent expperience. Thereefore,
wheen you are dessigning applicaations and storrage
support for NLB applications,
a yo
ou must ensurre that
you configure eacch node in thee same way, an nd
thatt each node ha
as access to the same data.
All hosts
h in an NLB cluster should run the sam me applicationss and be confiigured in the ssame way. Whe en
you are using web b applications,, you can use Internet Inform
mation Services (IIS) 8.0s shaared configuraation
funcctionality to en
nsure that all nodes
n N cluster are configured in
in the NLB n the same manner.
Reference Links:
L You can n find out morre about IIS 8.00s shared conffiguration with
h Windows
Servver 2012 at htttp://learn.iis.ne
et/page.aspx/2264/shared-co onfiguration/
You
u can also use technologies
t such
s as file sha
ares that are ho
osted on Clustter Shared Volumes (CSV) to o host
app
plication config
guration inform
mation. File shares hosted on n CSVs allow mmultiple hosts to have accesss to
app
plication data and
a configurattion informatio on. File shares that are hosteed on CSVs are
e a feature of
Win
ndows Server 2012.
2
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 4-11
Considerat
C ions for Deploying an
a NLB Clu
uster on V
Virtual Macchines
Virtual
V Mach
hine Placem
ment
Yo
ou should placce NLB cluster nodes on separate
ha
ard disks on thhe Hyper-V host.
h That way, should
a disk or disk arrray fail, even if
i one node be
ecomes unavaiilable, other N NLB cluster nod
des that are ho osted on
th
he same Hyperr-V host will re emain online. As
A a best practtice, you should configure thhe Hyper-V ho ost with
re
edundant hard dware, includin ng redundant disks,
d networkk adapters, and d power suppliies. This will m
minimize
he chance thatt hardware failure on the Hyper-V host willl lead to all no
th odes in an NLB
B cluster becom ming
un
navailable. Wh hen you are ussing multiple network
n ming to ensure that
adapteers, configure network team
virtual machines are able to maintain
m ork even in thee event that individual netwo
access to the netwo ork
ad
dapter hardwa are suffers a failure.
Where
W possible, deploy NLB virtual
v machine e nodes on se parate hyper-V V hosts. When n you are plann ning
th
his type of con
nfiguration, enssure that the virtual
v machinees that particip
pate in the NLLB cluster are lo
ocated
onn the same TCCP/IP subnet. This
T protects th he NLB cluster from other tyypes of server ffailure, such ass the
fa
ailure of a motherboard or any other single e point of failu
ure.
Virtual
V Mach
hine Networrk Configurration
Be ecause addingg additional virrtual network adapters
a is a sttraightforward
d process, you can configure e the
NLB cluster to use
u unicast mo ode, and then deploy
d each vvirtual machinee with multiplee network adapters.
Yo ate separate viirtual switches for cluster traaffic and node management traffic, becausse
ou should crea
seegmenting trafffic can improvve performancce. You can alsso use networkk virtualization n to partition ccluster
trraffic from nod
de managemen nt traffic. You can use VLAN tags as a metthod of partitio oning cluster ttraffic
from node man nagement trafffic.
When
W you are using
u unicast mode,
m ensure that
t you enablle MAC addresss spoofing for the virtual ne etwork
ad
dapter on the Hyper-V host.. You can do thhis by editing the virtual nettwork adapters settings on tthe
Virtual Machinne Settings diaalog box, whicch is available through the HHyper-V Manag ger. Enabling MAC
ad
ddress spoofin
ng allows unicaast mode to co
onfigure MAC address assign nment on the virtual networrk
ad
dapter.
NLB
N Cluster vs.
v Virtual Machine
M Hig
gh Availabi lity
Virtual machine e high availability is the proccess of placing virtual machin nes on failoverr clusters. Whe
en a
fa
ailover cluster node fails, the virtual machin ne fails over, s o that it is hossted on anothe er node. Though
fa
ailover clusterinng and NLB arre both high availability tech hnologies, theyy serve different purposes. FFailover
clustering suppo pplications succh as SQL Servver, whereas N LB is suited to
orts stateful ap o stateless appllications
su
uch as websites. Highly available virtual ma achines do no t allow an app plication to scaale, because yo
ou
ca
annot add nod des to increase e capacity. Howwever, it is posssible to deplo oy NLB cluster nodes as high hly
avvailable virtuall machines. In this scenario, the
t NLB clusteer nodes fail ovver to a new H Hyper-V host in n the
evvent that the original
o Hyper--V host fails.
MCT USE ONLY. STUDENT USE PROHIBITED
4-12 Implemennting Network Load Balancing
B
Co
onsideratio
ons for Seccuring NLB
B
NLBB clusters are almost
a always used
u to host web
w
appplications that are
a important to the
orgaanization. Beca ause of this im
mportance, you u
should take steps to secure NLB B, both by
restricting the trafffic that can ad
ddress the clusster,
and by ensuring that
t appropriate permissionss are
appplied.
Con
nfigure Port Rules
Whe en securing NLB clusters, you must first en nsure
thatt you create po ock traffic to all
ort rules to blo
portts other than those
t used by applications hosted
h
on the
t NLB cluste er. When you do d this, all inco
oming
trafffic that is not specifically
s add
dressed to app plications that are running o on the NLB cluster will be
dropped, before beingb forwardeed to cluster nodes.
n If you d o not do this ffirst step, all in
ncoming trafficc that
is no
ot managed by a port rule will w be forward ded to the clus ter node with the lowest clu uster priority vaalue.
Con
nfigure Fire
ewall Rules
You
u should also ensure
e ndows Firewall with Advanceed Security is cconfigured on
that Win n each NLB cluster
nod
de. When you enable
e NLB on
n a cluster nod ng firewall rulees are created and enabled
de, the followin
auto
omatically. Thiis allows NLB to
t function and d communicatte with other n nodes in the clluster:
Network Load
d Balancing (D
DCOM-In)
Network Load
d Balancing (IC
CMP4-ERQ-In))
Network Load
d Balancing (IC
CMP6-ERQ-In))
Network Load
d Balancing (R
RPCSS)
Network Load
d Balancing (W
WinMgmt-In)
Network Load
d Balancing (IC
CMP4-DU-In)
Network Load
d Balancing (IC
CMP4-ER-In)
Network Load
d Balancing (IC
CMP6-DU-In)
Network Load
d Balancing (IC
CMP6-EU-In)
Whe
en you are con
nfiguring additional firewall rules, rememb
ber the followiing:
When you are e using multipple network adapters in unicaast mode, con nfigure differennt firewall rules for
each network k interface. Forr the interface used for manaagement taskss, you should cconfigure the
firewall rules to allow inbouund managem ment traffic onlyy. For examplee, enabling the
e use of remotte
Windows Pow werShell, Wind dows Remote Manager
M (Win dows RM), and d Remote Desktop for
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 4-13
management tasks. You should configure the firewall rules on the network interface the cluster node
uses, to provide an application to the cluster, and to allow access to that application. For example,
allow incoming traffic on TCP ports 80 and 443 on an application that uses the HTTP and HTTPS
protocols.
When you are using multiple network adapters in multicast mode, configure firewall rules that allow
access to applications that are hosted on the cluster, but block access to other ports.
Co
onsideratio
ons for Sca
aling NLB
Scalling is the proccess of increassing the capaciity of
an NLB
N cluster. Fo or example, if you
y have a fou ur-
nodde NLB cluster and each node in the cluste er is
beinng heavily utiliized to the point where the
clusster cannot ma anage more tra affic, you can add
a
addditional nodes. Adding nodess will spread th he
sam
me load across more computers, reducing the t
loadd on each currrent cluster node. Capacity
incrreases because e a larger number of similarlyy
configured compu uters can manage a higher
worrkload than a smaller
s numbe er of similarly
configured compu uters.
An NLB cluster supports up to 323 nodes. This means that yo ou can scale-oout a single NLLB cluster so thhat 32
sepa
arate nodes paarticipate in th
hat cluster. Wh
hen you considder scaling an aapplication so that it is hoste
ed on
a 32
2-node NLB cluster, rememb ber that each node
n in the clu
uster must be o on the same TTCP/IP subnet.
An alternative
a to building singlee NLB clusters is to build mu ultiple NLB clu sters, and then
n to use DNS rround
robin to share traffic between th hem. DNS round robin is a ttechnology thaat allows a DN NS server to pro ovide
requuesting clientss with differentt IP addresses to the same h ostname in seequential order. For example e, if
ddresses associated with a ho
therre are three ad ostname, the ffirst requestingg host receivess the first addrress,
the second receives the second address, the thirdt receives tthe third, and so forth. Whenn you use DNSS
round robin with NLB, you asso ociate the IP adddresses of eacch cluster withh the hostname e that is used by
the application.
Disttributing trafficc between NLBB clusters usingg DNS round rrobin also allo ows you to dep ploy NLB cluste ers
acro
oss multiple sittes. DNS round d robin supports netmask orrdering. This teechnology enssures that clien nts on
ubnet are provvided with an IP address of a host on the saame network, if one is availaable. For exam
a su mple,
you might deployy three four-no ode NLB cluste ers in the citiess of Sydney, M
Melbourne, and d Canberra, and use
DNS S round robin to distribute traffic
t between n them. With n netmask ordering, a client thhat is accessingg the
appplication in Syddney will be dirrected to the NLB
N cluster ho osted in Sydneyy. A client thatt is not on the same
subnet as the NLB B cluster nodess, such as a clie
ent in the city of Brisbane, w
would be direccted by DNS ro ound
robin to the Sydney, Melbourne e, or Canberra NLB cluster.
Co
onsideratio
ons for Upg
grading NLB
N Clusterrs
Upg grading NLB cllusters involves moving clustter
noddes from one host
h operating systemfor
exam mple Windows Server 2003 or Windows Server
2008to Window ws Server 2012 2. Upgrading th he
clusster might not involve perforrming an operrating
system upgrade on o each node, because in som me
casees the original host operating system migh ht not
support a direct upgrade
u to Winndows Server 2012.
In cases where the e original hostt operating sysstem
doees not support a direct upgra ade to Window ws
Servver 2012, you can
c perform a migration.
and Windows Server 2012. Keep in mind that while mixed operating system NLB clusters are supported,
they are not recommended. You should configure the NLB cluster so that all hosts are running the same
operating system as soon as possible.
Note: In some situations, it will not be possible to upgrade the operating system of a
cluster node.
When you are performing an upgrade, you can use one of the following strategies:
Piecemeal Upgrade. During this type of upgrade, you add new Windows Server 2012 nodes to an
existing cluster, and then remove the nodes that are running earlier versions of the Windows Server
operating system. This type of upgrade is appropriate when the original hardware and operating
system does not support a direct upgrade to Windows Server 2012.
Rolling upgrade. During this type of upgrade, you upgrade one node in the cluster at a time. You do
this by taking the node offline, performing the upgrade, and then rejoining the node back to the
cluster.
Reference Links: You can learn more about upgrading NLB clusters at the following link:
http://technet.microsoft.com/en-us/library/cc731691(WS.10).aspx
MCT USE ONLY. STUDENT USE PROHIBITED
4-16 Implementing Network Load Balancing
As you intend to automate the process of deploying Windows NLB clusters, you will use Windows
PowerShell to perform many of the cluster setup and configuration tasks. You will also configure port
rules and affinity, which will allow you to deploy multiple load-balanced web applications on the same
Windows NLB clusters.
Objectives
Create a Windows NLB cluster.
Lab Setup
Estimated Time: 45 minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
Username: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
2. Open iis-8.png in Microsoft Paint, and use the Paint Brush tool and the color red to mark the IIS
Logo in a distinctive manner.
7. Navigate to http://LON-SVR2. Verify that the website is not marked in a distinctive manner.
8. Close Internet Explorer.
2. In Windows PowerShell ISE, type the following command, and then press Enter:
2. View the properties of the LON-NLB cluster, and verify the following:
o There is a single port rule named All that starts at port 0 and ends at port 65535 for both TCP
and UDP protocols, and that it uses Single affinity.
MCT USE ONLY. STUDENT USE PROHIBITED
4-18 Implementing Network Load Balancing
Results: After this exercise, you should have successfully implemented an NLB cluster.
2. In Windows PowerShell, enter the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath "C:\porttest" -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678
3. Open Windows Explorer and then browse to and open c:\porttest\iis-8.png in Microsoft Paint.
4. Use the Blue paintbrush to mark the IIS Logo in a distinctive manner.
5. Switch to LON-DC1.
7. Verify that the IIS Start page with the image marked with blue displays.
8. Switch to LON-SVR1.
9. On LON-SVR1, open Network Load Balancing Manager, and view the cluster properties of LON-NLB.
o Port range: 80 to 80
o Protocols: Both
o Affinity: None
o Protocols: Both
15. Configure the Handling Priority value of the port rule for port 5678 as 10.
2. Using Internet Explorer, navigate to http://lon-nlb, refresh the Web page 20 times, and verify that
web pages with and without the distinctive red marking display.
3. On LON-DC1, navigate to address http://LON-NLB:5678, refresh the web page 20 times, and verify
that only the web page with the distinctive blue marking displays.
3. Verify that node LON-SVR1 displays as Suspended, and that node LON-SVR2 displays as Converged.
Results: After this exercise, you should have successfully configured and managed an NLB cluster.
2. Switch to LON-DC1.
3. On LON-DC1, open Internet Explorer, and navigate to http://LON-NLB.
4. Refresh the website 20 times. Verify that the website is available, but that it does not display the
distinctive red mark on the IIS logo until LON-SVR1 has restarted.
2. On LON-DC1, navigate to http://lon-nlb and verify that only the welcome page with the red IIS logo
displays.
Results: After this exercise, you should have successfully validated high availability for the NLB cluster.
MCT USE ONLY. STUDENT USE PROHIBITED
4-20 Implementing Network Load Balancing
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Lab Review
Question: How many additional nodes can you add to the LON-NLB cluster?
Question: What steps would you take to ensure that LON-SVR1 always manages requests for
web traffic on port 5678, given the port rules that exist at the end of this exercise?
Question: You have an eight-node Windows NLB cluster that hosts a web application. You want
to ensure that traffic from a client that uses the cluster remains with the same node throughout
their session, but that traffic from separate clients is distributed equitably across all nodes. Which
option do you configure to accomplish this goal?
Module 5
Implementing Failover Clustering
Contents:
Module Overview 5-1
Module Overview
Providing high availability is important for any organization that wants to provide continuous services to
its users. High availability is a term that denotes the capability of a system or device to be usable when it
is required. You can express high availability as a percentage, which is calculated by dividing the actual
service time by the required service time. High availability does not mean that the system will be free of
any downtime. However, a network that has an uptime of 99.999 percent often is considered highly
available. Failover clustering is one of the main technologies in Windows Server 2012 that can provide
high availability for various applications and services. In this module, you will learn about failover
clustering, its components, and implementation techniques.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of Failover
F r Clusterring
Failoover clustering g is a high availability processs, wherein an instance of a service or app plication that iss
runn ning over one machine can fail-over onto a different maachine in the ffailover clusterr if the first maachine
failss. Failover clustters in Windowws Server 2012 2 provide a hig gh availability solution for mmany server roles
and applications. By implementting failover clu usters, you can
n maintain app plication or service availabiliity if
onee or more computers in the failover
f clusterr fail.
Befo
ore you implemment failover clustering,
c you
u should be fam
miliar with genneral high availability concepts.
You
u must also undderstand clustering terminology, and how w failover clusteers work. Finallly, you must b
be
miliar with new clustering feattures in Windo
fam ows Server 20112.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe high
h availability.
over clustering improvementts in Windows Server 2012.
Describe failo
Describe failo
over cluster components.
Describe a qu
uorum.
Describe failo
over cluster sto
orage.
Wh
hat Is High
h Availability?
Availability refers to a level of se
ervice that
appplications, serviices, or system
ms provide.
Availability is exprressed as the percentage
p of time
thatt a service or system is availaable. Highly
avaiilable systems have minimal downtime
whe ether planned or unplanned and are available
morre than 99 percent of the tim me, depending g on
an organizations
o needs and budget. For exam mple,
a syystem that is unavailable for 8.75 hours per year
wou uld have a 99.99 percent availlability rating, and
wou uld be conside ered highly ava ailable.
Thhe availability measurement period can alsso have a sign nificant effect o
on the definitio
on of availability. For
exxample, a requ uirement for 99.9 percent avvailability over a one-year peeriod allows foor 8.75 hours o
of
doowntime, whereas a requirem ment for 99.9 percent availaability over a roolling four-weeek window allows for
onnly 40 minutess of downtime e per period.
Foor high availabbility, you also should identiffy and negotiaate planned ou utages, service
e and support hhours,
maintenance
m acctivities, service
e pack updates, and softwarre updates. Theese are schedu uled outages, aand
tyypically not inccluded as downtime; you typ based on unplaanned outages only.
pically calculatte availability b
However, you haveh to negotia ate exactly which planned o utages you wiill consider as d downtime.
Failover Clu
ustering in
n Windowss Server 20
012
While
W most of the failover cluustering feature
es and
ad
dministration techniques
t om Windows Server
fro
20008 R2 are pre esent in Windo ows Server 20112,
so
ome new featu ures and technnologies in Winndows
erver 2012 increase scalabilitty and cluster storage
Se
avvailability, and provide bette er and easier
management
m an
nd faster failovver.
Th
he important new
n features in
n Windows Server
20
012 failover clustering includ
de:
Improved CSVs.
C This tech
hnology was in ntroduced in W
Windows Serveer 2008 R2, and d it became veery
popular forr providing virttual machine storage.
s In Winndows Server 2 2012, CSVs ap ppear as CSV file
systems, an
nd they supporrt server messa age block (SM B) version 3.0 storage for Hyyper-V and o other
applications. In addition, CSV can use the Server Messsage Block (SM MB) Multichan nnel and SMB Direct
features to enable traffic to stream acro oss multiple neetworks in a clluster. It is also
o possible to
implement file server on CSVs, in scale--out mode. Fo or additional seecurity, you can use Window ws
BitLocker drive encrypttion for CSV diisks, and you ccan make CSV storage visible e only to a sub
bset of
nodes in a cluster. For reliability, you ca
an scan and reepair CSV volumes with zero offline time.
Cluster-Aware Updating. In earlier versions of Windo ows Server, upd dating cluster nodes to miniimize or
avoid down ntime requiredd significant prreparation andd planning. In aaddition, updaating cluster nodes
was a mosttly manual procedure, which caused additiional administ rative effort. W Windows Serve er 2012
introduces Cluster-Aware e Updating, a new
n technolog gy for this purp
pose. Cluster-A Aware Updatin ng
automatica ally updates clu
uster nodes with the Window ws Update hottfix, while keep ping the cluste
er online
and minimiizing downtim me. This techno ology will be exxplained in moore detail in LLesson 4: Mainntaining
a Failover Cluster.
C
MCT USE ONLY. STUDENT USE PROHIBITED
5-4 Implementing Failover Clusterinng
Active Directo
ory integration n improvemen nts. In Window ws Server 2008,, failover cluste
ering is integraated
in AD DS. Winndows Server 20122 improvess on this integ
gration. Administrators can n now create clusster
computer objjects in targete ed organizatio
onal units (OUss), or by defau
ult in the same OUs as the clu uster
nodes. This alligns failover cluster
c dencies on AD DS with the d elegated dom
depend main administraation
model that is used in manyy IT organizatioons. In additio n, you can noww deploy failover clusters wiith
access only to
o read-only do omain controllers.
Managementt improvementts. Although fa ailover clusteriing in Windowws Server 2012 still uses almo
ost
the same man nagement con nsole and the same
s administtrative techniques, Windows Server 2012 b brings
some importa ant manageme ent improvements. In the Vaalidation wizarrd, the validation speed for large
failover cluste
ers is improved
d and new testts for CSVs, thee Hyper-V rolee, and virtual mmachines are
added. In add dition, new Windows PowerS Shell cmdletts are availablee for managing g clusters,
monitoring clustered virtua al machine app plications, and creating highhly available Internet Small
Computer System Interface e (iSCSI) targets.
Rem
moved and Deprecated
d Features
In Windows
W er 2012 clusterring, some of the features fro
Serve om older failovver clustering versions are
rem
moved or depre
ecated. If you are
a upgrading g from an olde r version, you should be awaare of these
changes:
The Cluster.exxe command-line tool is dep precated. How
wever, you can still optionallyy install it with the
failover cluste
ering tools. Faiilover clusterin
ng Windows PoowerShell cmddlets provide a functionality that
is generally th
he same as cluuster.exe commands.
The Support forf 32-bit cluster resource dynamic-link lib braries (DLLs) is deprecated, but you can
optionally insstall 32-bit DLLLs. Cluster reso
ource DLLs sho
ould be updateed to 64-bit.
The Print Servver role is removed from the bility Wizard, and it cannot b
e High Availab be configured iin the
Failover Clustter Manager.
The Add-ClusterPrintServ
verRole cmdlet is deprecated
d, and it is nott supported in Windows Servver
2012.
A fa
ailover clusterin
ng solution co
onsists of severral
com
mponents, whicch include:
Nodes. These are computerrs that are mem mbers
of a failover cluster.
c These computers
c n Cluster servicce, and resourcces and appliccations associated to
run
cluster.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 5-5
Network. This is a network across which cluster nodes can communicate with one another, and with
clients. There are three types of networks that can be used in a cluster: public, private, and public-
and-private. These networks are discussed in more detail in the Failover Cluster Networks topic.
Resource. This is an entity that is hosted by a node. It is managed by the Cluster service, and can be
started, stopped, and moved to another node.
Cluster storage. This is a storage system that is usually shared between cluster nodes. In some
scenarios, such as clusters of servers running Microsoft Exchange Server, shared storage is not
required.
Clients. These are computers (or users) that are using the Cluster service.
Service or application. This is a software entity that is presented to clients and used by clients.
Is aware when another node joins or leaves the cluster. In addition, each node is aware when a node
or resource is failing, and has the ability to take those services over.
Is connected to a network through which client computers can access the cluster.
Is aware of the services or applications that are running locally, and the resources that are running on
all other cluster nodes.
Cluster storage usually refers to logical devicestypically hard disk drives or logical unit numbers
(LUNs)to which all the cluster nodes attach through a shared bus. This bus is separate from the bus that
contains the system and boot disks. The shared disks store resources such as applications and file shares
that the cluster will manage.
A failover cluster typically defines at least two data communications networks: one network enables the
cluster to communicate with clients, and the second isolated network enables the cluster node members
to communicate directly with one another. If a directly-connected shared storage is not being used, then
a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data
storage network.
Most clustered applications and their associated resources are assigned to one cluster node at a time. The
node that provides access to those cluster resources is the active node. If the nodes detect the failure of
the active node for a clustered application, or if the active node is taken offline for maintenance, the
clustered application is started on another cluster node. To minimize the impact of the failure, client
requests are immediately and transparently redirected to the new cluster node.
MCT USE ONLY. STUDENT USE PROHIBITED
5-6 Implementing Failover Clusterinng
Wh
hat Are CS
SVs?
In classic failover cluster deployyment, only a single
s
nodde at a time co ontrols a LUN ono the shared
storrage. This means that anothe er node canno ot see
sharred storage, un ntil it becomess an active nod de.
CSVV is a new technology introduced in Windo ows
Servver 2008 R2, which
w enables multiple
m nodess to
sharre a single LUNN concurrentlyy. Each node
obta ains exclusive access to indivvidual files on the
LUNN instead of to o the entire LUN. In other wo ords,
CSVV provides a so olution so that multiple node es in
the cluster can access the same NTFS file syste em
simu ultaneously.
In th
he first version
n in Windows Server
S 2008 R2 2, CSV was dessigned only for hosting virtu ual machines thhat
are running on a Hyper-V serve er in a failover cluster. This ennabled administrators to havve a single LUN
thatt hosts multiple virtual mach hines in a failovver cluster. Mu
ultiple cluster n
nodes have acccess to the LUUN,
but each virtual machine
m runs only
o on one no ode at a time. IIf the node onn which a virtual machine is
runnning fails, CSVV enables the virtual
v machine e to restart on a different noode in the failo
over cluster.
Addditionally, this provides simplified disk man nagement for hosting virtual machines, as compared to each
virtu
ual machine re equiring a sepa
arate LUN.
In Windows
W er 2012, CSV has additional improvementss. It is now pos sible to use CSSV for other ro
Serve oles,
and not just Hype er-V. For example, you can nown configure the file serverr role in failove
er clustering in
n the
Scalle-Out File Serrver scenario. Scale-Out
S File Server is desig
gned to providde scale-out file shares that aare
continuously available for file-b based server ap
pplication storrage. Scale-outt file shares provide the abiliity to
sharre the same foolder from mulltiple nodes in the same clusster. In this conntext, CSV in W Windows Serve er
2012 introduces support
s for a read cache, whhich can improove performancce in certain sccenarios. In
adddition, a CSV fille system (CSVVFS) can perforrm Chkdsk witthout impactin ng application ns with open
handles on the file e system.
Oth
her important improvementss in CSV in Win
ndows Server 22012 are:
Multisubnet support
s SVs: CSVs have been enhanceed to integratee with SMB Multichannel to help
for CS
achieve fasterr throughput for
f CSV volumes.
Support for BitLocker
B volumme encryption: Windows Serrver 2012 supp ports BitLocker volume
encryption fo
or both traditio
onal clustered disks and CSV
Vs. Each node p
performs decryyption by usin
ng the
computer acccount for the cluster
c itself.
Support for SMB
S 3.0 storag
ge: SMB 3.0 sto
orage is suppoorted for Hyperr-V and appliccations such ass
Microsoft SQL Server. Thiis means that, for example, yyou can host H
Hyper-V virtual machine filess on a
shared folderr.
Im
mplementin
ng CSV
Yo
ou can configu
ure CSV only when
w you create a failover clluster. After yo
ou create the ffailover clusterr, you
ca V for the cluster, and then ad
an enable CSV dd storage to tthe CSV.
However, before you can add d storage to the CSV, you mu ust make the LLUN available as shared storage to
th en you create a failover clustter, all of the sshared disks th
he cluster. Whe hat you configured in Serverr
Manager
M are ad
dded to the clu
uster, and you can then add them to a CSV more LUNs to the
V. If you add m
sh
hared storage, you must firstt create volum
mes on the LUN N, add the storrage to the cluuster, and then
n add
th
he storage to the
t CSV.
You cannott add shared sttorage to CSV if it is in use. IIf you have a rrunning virtual machine thatt is
using a clusster disk, you must
m shut dow
wn the virtual m machine, and tthen add the d disk to CSV.
What
W Are Failover
F an
nd Failback
k?
Fa
ailover transfers from one no ode to another the
re
esponsibility foor providing acccess to resourrces in a
cluster. Failoverr can occur when an adminisstrator
in
ntentionally mo oves resourcess to another no ode for
maintenance,
m or due to unplaanned downtim me of a
noode due to hardware failure or other reaso ons. In
ad
ddition, servicee failure on an
n active node can
c
in
nitiate failover to another noode.
A failover attem
mpt consists of the following steps:
1.. The Clusterr service takes all the resourcces in
the instance offline, in an
n order that is
determined d by the instannces dependen ncy
hierarchy. This
T means tha at dependent resources
r by the resources on
are ttaken offline fiirst, followed b
which they depend. For example,
e if an application deepends on a physical disk ressource, the Clu uster
service take
es the applicattion offline first, which enablles the applicaation to write cchanges to thee disk
before the disk is taken offline.
o
Wh
hat Is a Qu
uorum?
A qu uorum is the number
n ments that must be
of elem
online for a cluste
er to continue running. Each
clusster node is an element, and in effect, each h
elemment can cast one vote to de etermine whetther
the cluster continues to run. If there
t is an even
nummber of nodes,, then an addittional elementt
which is known ass a witnessis assigned to th he
clusster. The witness element can n be either a disk
d or
a file share. Each voting
v elemen nt contains a co
opy
of the cluster configuration, and d the Cluster
servvice works to keep
k all copies synchronized at all
timees.
Conncurrent opera ation could occcur when netw work problems prevent one sset of nodes frrom communiccating
with
h another set ofo nodes. That is, a situation might occur w where more th han one node ttries to contro
ol
acceess to a resourrce. If that reso
ource is, for example, a datab base applicatioon, damage su uch as corruption of
the database coulld result. Imagine the conseq quence if two or more instan nces of the sam
me database aare
madde available on n the network,, or if data wass accessed and d written to a ttarget from mo ore than one ssource
at a time. If the ap
pplication itsellf is not damag ged, the data ccould easily beecome corruptted.
Note: A fully functioning cluster depends not just on quorum, but also on the capacity of
each h node to support the servicces and applica ations that faill over to that n
node. For exammple, a
clusster that has fivve nodes couldd still have quo
orum after two o nodes fail, but each remaining
clusster node woulld continue serving clients only
o nough capacityy (such as disk space,
if it has en
proccessing powerr, random acce ess memory (R RAM), or netwo ork bandwidth h) to support tthe services
and applications thatt failed ove portant part off the design prrocess is planning each
er to it. An imp
noddes failover capacity. A failovver node mustt be able to ru n its own load d and the load of
addditional resourcces that might fail over to it.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 5-9
Thhere are severa al phases a cluuster must commplete to achieeve a quorum.. As a given no ode comes online, it
deetermines whe ether there are e other cluster members, witth which it can n communicate e. This processs may be
in
n progress on multiple
m nodess simultaneoussly. After estab blishing comm munication with h other memb bers, the
members
m comp pare their mem mbership viewss of the clusterr until they agrree on one vie ew (based on
timestamps and d other information). A deterrmination is m made whether tthis collection of members h has a
quuorum, or has enough mem mbers the total of which creattes sufficient vvotes so that a split scenario cannot
enario means that another se
exxist. A split sce ning on a part of the
et of nodes thaat are in this cluster are runn
neetwork that is inaccessible to o these nodes. Therefore, mo ore than one n node could be e actively trying
g to
provide access to t the same clustered resourrce. If there aree not enough votes to achie eve quorum, th he
vooters (the curre ently recognizzed members of o the cluster) wait for more members to aappear. After aat least
th
he minimum vo ote total is attained, the Cluster service beegins to bring cluster resourcces and appliccations
nto service. Witth quorum attained, the clusster becomes ffully functionaal.
in
Quorum
Q Modes
M in Windows
W Se
erver 2012
2 Failover C
Clustering
g
Thhe quorum mo odes in Windo ows Server 201 12
fa
ailover clusterinng are the sam me modes thatt are
present in Wind dows Server 20 008. As before,, a
majority
m of vote
es determines whether a clusster
acchieves quorum m. Nodes can vote, and whe ere
apppropriate, either a disk in cluster storage (known
ass a disk witnesss) or a file sharre (known as a file
sh
hare witness) can
c vote. There e is also a quorrum
mode
m called Noo Majority: Disk Only, which
fu
unctions like thhe disk-based quorum in Windows
Seerver 2003. Other than the No N Majority: Disk
Only
O mode, theere is no single e point of failurre with
th
he quorum mo odes, because only the numb d not whetherr a particular element
ber of votes is important and
is available to vote.
Windows
W Server 2012 failoverr clustering has four quorum
m modes:
Node and Disk Majority. Each node plus the disk witness, which is a designated disk in the cluster
storage, can vote when they are available and in communication. The cluster functions only with a
majority (more than half) of the votes. This model is based on an even number of server nodes being
able to communicate with one another in the cluster, in addition to the disk witness.
Node and File Share Majority. Each node plus the file share witness, which is a designated file share
created by the administrator, can vote when they are available and in communication. The cluster
functions only with a majority (more than half) of the votes. This model is based on an even number
of server nodes being able to communicate with one another in the cluster, in addition to the file
share witness.
No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a
specific disk in the cluster storage. Only the nodes that are also in communication with that disk can
join the cluster.
Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters
are based on a simple majority vote model. As long as a majority of the votes are available, the cluster
continues to function. For example, if there are five votes in the cluster, the cluster continues to function
as long as there are at least three available votes. The source of the votes is not relevantthe vote could
be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is
not available.
In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this
mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are
available. This type of quorum also prevents more than one node from assuming the primary role.
Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all
nodes are still available. In the No Majority: Disk Only mode, the quorum-shared disk is a single
point of failure, so this mode is not recommended.
When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically
selects one of two default configurations. By default, failover clustering selects:
Node and Disk Majority configuration if there is an even number of nodes in the cluster.
Note: You should modify this setting only if you determine that a change is appropriate for
your cluster, and only once you understand the implications of making the change.
In addition to planning your quorum mode, you should also consider the capacity of the nodes in your
cluster, and their ability to support the services and applications that may fail over to that node. For
example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail.
However, if you have several applications or services deployed on the cluster, each remaining cluster node
may not have the capacity to provide services.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 5-11
Failover Clu
uster Netw
works
Networks and network
n adapters are importtant
pa
arts of each cluster impleme entation. You cannot
c
co
onfigure a clusster without coonfiguring the
ne
etworks that thhe cluster will use. A network can
erform one of the following roles in a clusster:
pe
Public netw
work. A public network
n provid
des client systeems with acceess to cluster ap
pplication servvices. IP
address resources are cre
eated on netwoorks that prov ide clients with
h access to thee Cluster servicce.
Public-and--private netwo
ork. A public-an
nd-private nettwork (also kno
own as a mixeed network) carrries
internal cluster communication and connects clients to cluster appplication service
es.
When
W you configure network ks in failover clusters, you sho
ould also deteermine which n
network to con nnect to
th
he shared stora
age. If you use
e iSCSI for the shared storagee connection, the network w will use an IP-b
based
Etthernet communications nettwork. Howeve er, you should not use this nnetwork for node or client
co
ommunication n. Sharing the iSCSI
i network in this manne r may result in n contention and latency issu
ues for
booth users and for the resource that is being provided byy the cluster.
Although not a best practice, you can use the private and d public netwo orks for both cclient and nodee
co
ommunication ns. Preferably, you
y should de edicate an isolaated network ffor the privatee node
co
ommunication n. The reasoninng for this is sim
milar to using a separate Eth hernet network for iSCSI, wh hich is to
avvoid resource bottleneck and d contention issues. The pub blic network iss configured too enable clientt
co
onnections to the failover cluuster. Although the public n network can prrovide backup for the private e
neetwork, a bette
er design pracctice is to defin
ne alternative nnetworks for t he primary priivate and publlic
neetworks, or at least team the
e network interfaces that aree used for thesse networks.
Th
he networking
g features in Windows
W Serverr 2012based clusters includ
de the followin
ng:
The nodes transmit and receive
r heartbe
eats by using U User Datagramm Protocol (UDDP) unicast, insstead of
UDP broadcast (which waas used in lega
acy clusters). T he messages aare sent on po
ort 3343.
The Failoveer Cluster Virtuual Adapter is a hidden devicce that is adde d to each nod
de when you in nstall
the failoverr clustering fea
ature. The adapter is assigneed a media acccess control (M
MAC) address b based
on the MAC C address thatt is associated with the first eenumerated phhysical networrk adapter in the
node.
Failover clu
usters fully support IPv6 for both
b node-to--node and nod
de-to-client co
ommunication..
You can use e Dynamic Ho ost Configuratioon Protocol (D
DHCP) to assig gn IP addressess, or you can aassign
static IP add
dresses to all nodes
n des have staticc IP addresses aand you
in the clluster. Howeveer, if some nod
configure others
o to use DHCP,
D the Validdate a Configuuration Wizardd will respond with an error. The
cluster IP ad
ddress resourcces are obtaineed based on th he configuratio work interface that is
on of the netw
supporting that cluster ne etwork.
MCT USE ONLY. STUDENT USE PROHIBITED
5-12 Implemennting Failover Clusterring
Sto
orage Requirements
Befo
ore choosing the
t storage sollution, you sho
ould also be aw
ware of the following storag
ge requirements:
To use the na
ative disk supp
port that is included in failovver clustering, u
use basic diskss and not dynaamic
disks.
You should fo TFS. For the dissk witness, thee partition musst be NTFS, because
ormat the parttitions with NT
FAT is not sup
pported.
You must isolate storage devices (one cluster per device). You should not allow servers that belong to
different clusters to access the same storage devices. You can achieve this by using LUN masking or
zoning. This prevents LUNs used on one cluster from being seen on another cluster. Consider using
multipath input/output (I/O) software. Cluster nodes commonly use multiple host bus adapters to
access storage, and this lets you achieve additional high availability. To be able to use multiple host
bus adapters, you must use multipath software. For Windows Server 2012, your multipath solution
must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO
device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or
more DSMs as part of the operating system.
MCT USE ONLY. STUDENT USE PROHIBITED
5-14 Implemennting Failover Clusterring
Lesson 2
Implem
menting
g a Failo
over Clu
uster
Failoover clusters inn Windows Server 2012 have e specific reco
ommended harrdware and so oftware
configurations tha at enable Micrrosoft to suppo
ort the cluster.. Failover clustters are intend
ded to provide a
high her level of serrvice than stan ers. Therefore, cluster hardwaare requirements are frequently
nd-alone serve
striccter than requiirements for sttand-alone serrvers.
Thiss lesson describ bes how to pre epare for clustter implementaation. In this leesson, you willl also discuss tthe
harddware, networrk, storage, infrrastructure, an nd software req quirements for Windows Serrver 2012 failo over
his lesson also outlines the stteps for using the Validate a Configuration
clussters. Finally, th n Wizard to en nsure
corrrect cluster con nfiguration, annd how to mig grate failover cclusters.
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
Explain how to
t prepare for implementing
g failover clusttering.
Describe hard
dware requirem over clustering..
ments for failo
Describe netw
work requirem
ments for failovver clustering.
Describe infra
astructure requ
uirements for failover
f cluste ring.
Describe softw
ware requirem
ments for failovver clustering.
Explain how to
t validate and
d configure a failover
f clusterr.
Explain how to
t migrate failo
over clusters.
Pre
eparing fo
or Failover Cluster Im
mplementaation
Befoore you implem ment failover clustering,
c you
u
musst identify servvices and applications that yo ou
wannt to make highly available. Failover
F cluste
ering
cannot be applied d to all applicaations, and
som
metimes, appliccations have th heir own
reduundancy mech hanisms. In add dition, you shoould
be aware
a that failover clusteringg does not pro ovide
proved scalability by adding nodes. You can
imp
onlyy obtain scalabbility by scaling
g up and using g
morre powerful ha ardware for the e individual no
odes.
Therefore, you should only use failover cluste ering
wheen your goal iss high availabillity, and not
scalability. In Windows Server 2012, there is one o exception to this: if you implement File
e Services on C
CSVs,
you can also achie eve a level of scalability.
s
Failo
over clustering d for stateful applications thaat are restricteed to a single sset of data. On
g is best suited ne
exammple of such ana application is a database. Data is stored d in a single lo
ocation and can n only be usedd by
onee database insttance. You can n also use failovver clustering for Hyper-V vvirtual machine es. The best ressults
for failover
f clustering occur whe en the client can reconnect tto the applicattion automaticcally after failo over. If
the client does noot reconnect au utomatically, then
t the user m
must restart th he client appliccation.
Failo
over clustering
g uses only IP--based protoco
ols and is, therrefore, suited o ed applications.
only to IP-base
Failo
over clustering
g now supportts both IPv4 annd IPv6.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 5-15
Ensure thatt each node ha as sufficient idle capacity to service the hig ghly available services or
applications that are alloccated to it wheen another no ode fails. This id
dle capacity sh
hould be a suffficient
buffer to avvoid nodes runnning at near capacity
c after a failure eventt. Failure to plaan resource uttilization
adequatelyy can result in a decrease in performance
p fo
ollowing nodee failure.
Use hardwa are with similar capacity for all nodes in a cluster. This simplifies the planning processs for
failover, because the failo
over load will be
b evenly distrributed among g the surviving
g nodes.
Use standby servers to sim mplify capacityy planning. W hen a passive node is includ ded in the clustter, then
all highly avvailable service
es or applications from a fai led node can ffail over to the e passive nodee. This
avoids the need for comp plex capacity planning.
p If thi s configuratio n is selected, it is important that
the standbyy server has su ufficient capaciity to run the lload from morre than one no ode failure.
ou should also
Yo o examine all cluster
c configuration compo nents to identtify single poin nts of failure. YYou can
emedy many single points off failure with simple solution
re ns, such as add ding storage co ontrollers to se eparate
an
nd stripe disks, or teaming network
n adapteers, and using multipathing software. Thesse solutions re educe
th o a single devvice will cause a failure in thee cluster. Typiccally, server claass
he probability that a failure of
co
omputer hardw ware has optio ons for multiple power supp lies for power redundancy, aand for creatin ng
re
edundant arrayy of independe D) sets for disk data redundan
ent disk (RAID ncy.
Hardware
H Requireme
R ents for Fa
ailover Clusster Imple
ementation
n
It is very importtant to make good
g decisionss when
yoou select hardw ware for cluste
er nodes. Failoover
clusters have to o satisfy the folllowing criteria
a to
meet
m availabilityy and support requirements:
You should
d install the sam
me or similar hardware
h on eaach failover cluster node. Foor example, if yyou
choose a sp
pecific model of
o network ada apter, you sho
ould install thiss adapter on each of the clusster
nodes.
Ne
etwork Req
quirementts for Failo
over Clusteer Impleme
entation
One e of the netwoork requiremen nts for failover
clusster implementtation is that failover cluster
netwwork compone ents must have e the Certified for
Winndows Server 2012
2 logo, andd must also pass the
tests in the Valida
ate a Configuraation Wizard.
Addditionally:
The network adapters in ea ach node should be
identical and have the same e IP protocol
version, speedd, duplex, and flow control
capabilities th
hat are availab
ble.
You must have the following network infrastructure for a failover cluster:
Network settings and IP addresses. When you use identical network adapters for a network, also use
identical communication settings such as speed, duplex mode, flow control, and media type on those
adapters. Also, compare the settings between the network adapter and the switch to which it
connects, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss
might occur, which could adversely affect how the cluster nodes communicate among themselves,
with clients or with storage systems.
Unique subnets. If you have private networks that are not routed to the rest of the network
infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even
if you give each network adapter a unique IP address. In addition, these private network addresses
should not be registered in DNS. For example, if you have a cluster node in a central office that uses
one physical network, and another node in a branch office that uses a separate physical network, do
not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This
avoids routing loops and other network communications problems if, for example, the segments are
accidentally configured into the same collision domain because of incorrect virtual local area network
(VLAN) assignments.
DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol
is a supported configuration.
Domain role. All servers in the cluster must be in the same Active Directory domain. As a best
practice, all clustered servers should have the same domain role (either member server or domain
controller). The recommended role is member server because AD DS inherently includes its own
failover protection mechanism.
Account for administering the cluster. To be able to administer the cluster, you must have an account
with appropriate permissions. You must have local administrator rights on all nodes that participate in
the cluster. In addition, when you create the cluster, you must have the right to create new objects in
domains. You can do this with the Domain Admin account, or you can delegate these rights to
another domain account.
In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs
in a special context that provides the specific permissions and credentials that are necessary for the service
(similar to the local system context, but with reduced credentials). When a failover cluster is created and a
corresponding computer object is created in AD DS, that object is configured to prevent accidental
deletion. In addition, the cluster Network Name resource has an additional health check logic, which
periodically verifies the health and properties of the computer object that represents the Network Name
resource.
MCT USE ONLY. STUDENT USE PROHIBITED
5-18 Implemennting Failover Clusterring
Sofftware Req
quirementts for Failo
over Clusteer Impleme
entation
Failoover clusters re
equire that each cluster nod de
musst run the same edition of Windows
W Serverr
2012. The edition can be either Windows Servver
2012 Standard or Windows Servver 2012
Datacenter. The nodes
n should also
a have the same
softtware updates and service pa acks. Dependin ng on
the role that will be
b clustered, a Windows Server
2012 Server Core installation may also meet the t
softtware requirem ments. In Windows Server 20 012,
Servver Core is the default installlation option, and
therrefore you sho ould consider itt as a cluster node.
n
How wever, Failoverr Clustering can also be insta alled
on a full GUI versiion.
It is also importan
nt that the samme version of se
ervice packs o
or any operatin
ng system updates exist on aall
nod des that are parts of a clusterr.
Each
h node must run the same processor
p means that eacch node must have the same
architecture. This m e
proccessor family, which might be,
b for examplee, the Intel Xeo
on processor ffamily with Exttended Memo
ory
64Technology, the AMD Optero on AMD64 fammily, or the Inteel Itaniumbassed processor family.
De
emonstration: Valida
ating and Configurin
C ng a Failovver Clusterr
The Validate a Co onfiguration Wizard
W runs testts that confirm
m if the hardwaare and softwaare settings are
e
commpatible with failover
f clusterring. Using the
e wizard, you ccan run the com mplete set of cconfiguration tests
or a subset of the tests. You shoould run the teests on servers and storage d devices before you configure e the
failo
over cluster, an
nd again after you make anyy major changees to the clustter. You can acccess the test rresults
in th
he %windir%\ccluster\Reportts directory.
Dem
monstration
n Steps
Migrating
M Failover
F Cllusters
In
n some scenarios, such as repplacing clusterr nodes,
orr upgrading too a newer version of a Windo ows
opperating system, you will need to migrate
clustered roles or
o services from
m one cluster to
annother. In Windows Server 2012,
2 it is possiible to
migrate
m clustere
ed roles and clluster configurration
from clusters ru
unning Window ws Server 2012 2,
Windows
W Server 2008 R2, or Windows
W Serveer 2008.
Yoou can migrate these roles and
a configurattions in
onne of two wayys:
Perform an in-place migrration on a two o-node clusterr: This is a morre complex sce enario, where yyou
want to mig grate a clusterr to a new verssion of the Win ndows operating system. In this scenario, yyou do
not have ad dditional comp puters for neww cluster nodess. For examplee, you may wan nt to upgrade a
cluster thatt is currently ru
unning on Win ndows Server 22008 R2 to a cluster running g Windows Serrver
2012. To acchieve this, you u must first rem
move resourcees from one no ode, and evict that node from a
cluster. Nexxt, you perform m a clean insta allation of Win dows Server 22012 on that se erver. After Wiindows
Server 2012 2 is installed, you
y create a on ne-node failovver cluster, mig
grate the clustered services aand
applications from the old d cluster node to that failoveer cluster, and then remove tthe old node ffrom
cluster. The
e last step is too install Windows Server 201 2 on another ccluster node, ttogether with failover
cluster feature, add the se erver to the fa
ailover cluster, and run validaation tests to cconfirm that th
he
overall configuration worrks correctly.
Th
he Cluster Miggration Wizard d is a tool that lets you perfo
orm the migrattion of clustereed roles. Becauuse the
Cluster Migratioon Wizard doe es not copy data from one sttorage locatio n to another, yyou must copyy or
move
m data or foolders (includin
ng shared foldder settings) duuring a migrattion. In additio
on, the Cluster
Migration
M Wizard does not migrate
m mount--point informaation (informattion about harrd disk drives tthat do
ot use drive letters, and are mounted in a folder on ano ther hard diskk drive). Howevver, it can migrate
no
physical disk ressource settings to and from disks that use mount pointss.
MCT USE ONLY. STUDENT USE PROHIBITED
5-20 Implemennting Failover Clusterring
Lesson 3
Configguring Highly
H Availabl
A le Appliicationss and Se
ervices on
a Failo
over Cluster
Afteer you have coonfigured yourr clustering infrastructure, yo ou should conffigure specific roles or servicces to
be highly
h ered. Thereforee, you should ffirst identify th
available. Not all roless can be cluste he resource that
you want to put in n a cluster, andd then verify whether
w that reesource is sup ported. In thiss lesson, you w
will
learrn about configguring roles annd applicationns in clusters, aand you will leaarn about configuring cluste er
settings.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Ide
entifying Cluster
C Ressources an
nd Servicess
Clusstered services are services or applications that
are made highly available
a by insstalling them on
o a
failo
over cluster. Cllustered services are active ono
onee node, but can n be moved to o another node e. A
clusstered service that
t contains an
a IP address
resoource and a ne etwork name resource (and other
o
resoources) is published to a client on the netw work
undder a unique se erver name. Be ecause this gro
oup of
resoources displayss as a single logical server to o
cliennts, it is called a clustered insstance.
Reso ources are phyysical or logical entitiessucch as a file sha re, disk, or IP aaddressthat the failover cluster
man nages. Resourcces are the mo ost basic and smmallest config urable units th hat may provid
de a service to
o
cliennts, or may bee important parts of the clustter. At any timme, a resource ccan run only oon a single nod de in a
clusster, and is online on a node when it provid des its service to that specifiic node.
It can be brou
ught online an
nd taken offline.
It can be man
naged in a servver cluster.
To
o manage reso ources, the Clu
uster service co
ommunicates tto a resource D DLL through a resource mon nitor.
When
W the Cluster service mak
kes a request for a resource, the resource m monitor calls tthe appropriatte entry
po
oint function in the resource
e DLL to check k and control tthe resource sttate.
Dependent
D Resources
R
A dependent ressource is one that
t requires another resourcce to operate. For example, because a nettwork
naame must be associated
a with
h an IP addresss, a network nname is consid ered a depend dent resource.
Beecause of this requirement, a network nam me resource deepends on an IP address resource. Depend dent
re
esources are taaken offline beefore the resou urces upon wh hich they depend are taken o offline. Similarly, they
arre brought online after the resources
r on which
w they dep
pend are broug ght online. A rresource can sp pecify
onne or more ressources on wh hich it is depen
ndent. Resourcce dependenciees also determ mine bindings. For
exxample, clientss will be bound network name resource depe
d to the particcular IP addres s on which a n ends.
When
W you creatte resource deependencies, co onsider the facct that althoug gh some depe endencies are sstrictly
re
equired, otherss are not requiired but are re
ecommended. For example, a file share thaat is not a Disttributed
File System (DFS S) root has no required depe endencies. How wever, if the d disk resource that holds the ffile
sh
hare fails, the file
f share will be
b inaccessible e to users. Therrefore, it is log
gical to make tthe file share
de
ependent on the t disk resourrce.
Process
P forr Clustering
g Server Roles
R
Fa
ailover clusteriing supports th
he clustering ofo
se
everal Window ws Server roles,, such as File Services,
DHCP, and Hyp per-V. To impleement clusterin ng for a
se
erver role, or fo
or external appplications suchh as
Microsoft
M SQL Server
S or Excha
ange Server, perform
p
th
he following procedure:
De
emonstration: Cluste
ering a File
e Server Ro
ole
Dem
monstration
n Steps
Clu
uster a File Server
S Role
1. On LON-SVR3, add Clusterr Disk 2 as cluster storage fo
or Cluster1.
Co
onfiguring Failover Cluster
C Pro
operties
Oncce you create a cluster, the newly
n created
clusster has many properties that you can
configure.
Configuring cluster
c quorum
m settings: By configuring
c qu
uorum settingss, you determiine the way in
which quorumm is achieved, as well as who
o can have votte in a cluster.
Migrating serrvices and app
plications to a cluster:
c You caan implement existing services to the clustter
and make theem highly avaiilable.
Configuring new
n services and application
ns to work in a cluster: You ccan implementt new services to
the cluster.
Removing a cluster:
c You can remove a cluuster if you deecide to stop u g, or if you want to
using clustering
move the cluster to anothe
er set of nodes.
You
u can perform most of these administrative e tasks by usin
ng the Failoverr Cluster Manaagement conso ole, or
by using
u Windows PowerShell. However,
H Clusster.exe, whichh was used forr some of thesse tasks in prevvious
Win
ndows Server operating
o syste
em versions, is no longer suppported in Win ndows Server 2012, and is not
partt of the default installation.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 5-23
Managing
M Cluster No
odes
Cluster nodes are mandatory for each cluster.
After you create
e a cluster and
d put it into
production, youu might have to
t manage cluster
no
odes occasionally.
Yo
ou can manag ge cluster node
es by using the
e
Fa
ailover Cluster Managementt console or Windows
W
Po
owerShell. Theere are three aspects to managing
cluster nodes:
You can pause a node to prevent resou urces from bei ng failed over or moved to tthe node. You
typically pa hen it is underrgoing mainte nance or troub
ause a node wh When you are pausing
bleshooting. W
a node, youu can choose to
t drain roles from
f that nodee.
You can evict a node, which is an irreve ersible processs for a cluster n
node. After yoou evict the node, it
must be re--added to the cluster. You evvict nodes wheen a node is d damaged beyo ond repair, or is no
longer need ded in the clusster. If you evicct a damaged node, you can place it, and then add
n repair or rep
it back to th
he cluster by using
u the Add Node Wizard..
Configuring
C g Applicattion Failov
ver Setting
gs
Yo
ou can adjust failover settinggs, including
preferred owners and failback k settings, to control
c
ho
ow the cluster responds whe en the applicattion or
se
ervice fails. You
u can configurre these settinggs on
th
he property sheet for the cluustered service or
ap
pplication (eithher on the Genneral tab or on the
Fa
ailover tab).
MCT USE ONLY. STUDENT USE PROHIBITED
5-24 Implementing Failover Clustering
The following table provides examples that show how these settings work.
Setting Result
Lesson
n4
Mainttaining a Failov
ver Clusster
Once
O your clustter infrastructuure running, it is important t hat you establlish monitoring
g to prevent p
possible
fa
ailures. In addittion, it is impo
ortant that you
u have backup and restore p procedures for cluster configuration.
Windows
W Server 2012 has new w technology that
t allows yo u to update clluster nodes w
without downtiime. In
his lesson, you will learn about monitoring failover clusteers, backing up
th p and restoring
g cluster
onfigurations, and updating cluster nodes.
co
Le
esson Objecctives
After completin y will be able to:
ng this lesson, you
Monitoring
M g Failover Clusters
Many
M tools are available in Windows
W Serverr 2012
to
o help you monitor failover clusters.
c You can use
sttandard Windo ows Server toools such as the Event
Viewer and the Performance and Reliabilityy
Monitor
M snap-inn to review clu
uster event log
gs and
pe erformance metrics. You can n also use
Trracerpt.exe to export data fo or analysis.
Additionally, yoou can use the Multipurpose
In
nternet Mail Exxtension Hyperrtext Markup
Laanguage (MHT TML)formatte ed cluster
coonfiguration reeports and thee Validate a
Configuration Wizard
W to troubleshoot probblems
w the cluster configuration
with n and hardware e changes. Sin
nce the cluster..exe command
d-line tool is
de eprecated in Windows
W Serveer 2012, you ca
an use Window ws PowerShell instead to perform similar ttasks.
Ev
vent Viewer
When
W problemss arise in the cluster, use thee Event Viewer to view eventts with a Criticaal, Error, or Waarning
everity level. Additionally, infformational-le
se evel events aree logged to thee failover clusttering Operatio
ons log,
which
w can be foound in the Eve t Applicatio ns and Servicees Logs\Microssoft\Windows folder.
ent Viewer in the
In
nformational-le evel events aree usually commmon cluster op h as cluster nodes leaving an
perations, such nd
jo
oining the clustter, or resources going offlin
ne or coming o online.
In
n previous Winndows Server versions,
v event logs were repplicated to each node in the cluster. This
simplified cluste
er troubleshoo oting, because you could revview all event llogs on a singlle cluster node e.
Windows
W Server 2012 does no ot replicate the event logs b
between nodess. However, the e Failover Clusster
Management
M sn
nap-in has a Cluster
C Events option that e nables you to view and filter events acrosss all
cluster nodes. This
T feature is helpful
h elating events across clusterr nodes. The Faailover Clusterr
in corre
Management
M sn
nap-in also proovides a Recen nt Cluster Eveents option thhat will query aall the Error an
nd
Warning
W eventss from all the cluster
c nodes in the last 24 h
hours. You can access additio onal logs, suchh as the
MCT USE ONLY. STUDENT USE PROHIBITED
5-26 Implemennting Failover Clusterring
Win
ndows Even
nt Tracing
Win ndows event trracing is a kernnel component that is availa ble early afterr startup, and late into shutd
down.
It is designed to allow
a for fast trracing and delivery of event s, to trace filess and to consu
umers. Because
e it is
desiigned to be fast, Windows event tracing enables only baasic in-processs filtering of evvents based on n
event attributes.
Perrformance and
a Reliability Monitorr Snap-In
The Performance and Reliabilityy Monitor snap
p-in lets you:
Trend applica
ation performa ance on each node.
n To deterrmine how an application is performing, yyou
can view and trend specificc information on
o system reso
ources that aree being used o
on each node.
Trend applica
ation failures and
a stability onn each node. Y You can pinpo int when appliication failuress
occur, and match the appliccation failures with other evvents on the no
ode.
Modify trace log settings. You
Y can start, stop,
s and adjusst trace logs, including theirr size and locattion.
Backing Up and
a Restoring Failov
ver Clusterr Configurration
Clusster configurattion can be a time-consumin
t ng
proccess with many details. Therefore, backingg up
your cluster configguration is imp
portant. You can
c
perfform cluster co
onfiguration backup
b and resstore
usin
ng Windows Se erver Backup oro a non-Micro osoft
backup tool.
Wheen you back up the cluster configuration,
c be
awa
are of the follo
owing:
You must first add the Winddows Server Backup feature , if you decidee to use it. You
u can do this by
using Server Manager,
M by using
u the dism.exe utility, or by using Wind
dows PowerSh hell.
Win
ndows Server Backup
B is the built-in
b backupp and recoveryy software for Windows Servver 2012. To
com
mplete a successsful backup, consider
c the fo
ollowing:
For a backup to succeed in a failover clusster, the clusteer must be run ning and mustt have quorum m. In
other words, enough nodess must be runn ning and comm municating (peerhaps with a witness disk o
or
witness file sh
haredepending on the quo orum configurration,) that thhe cluster has aachieved quorum.
If applicatio
on data must be
b backed up, the disks on wwhich you storre the data muust be made avvailable
to the backkup software. You
Y can achievve this by runnning the backu om the cluster node
up software fro
that owns the
t disk resourrce, or by runn
ning a backup against the clu
ustered resourrce over the ne
etwork.
If you are using
u CSVs, you
u can run backkup from any n
node that is atttached to the
e CSV volume.
The cluster service tracks which cluster configuration is the most reecent, and it re eplicates that
configuratio
on to all cluste
er nodes. If the
e cluster has a witness disk, tthe Cluster serrvice also replicates
the configu
uration to the witness
w disk.
Restoring
R a Cluster
C
Th
here are two tyypes of restore
e:
Non-authoritative restore e. Use a non-authoritative reestore when a single node in n the cluster is
damaged or o rebuilt, and the rest of the e cluster is opeerating correcttly. Perform a nnon-authoritattive
restore by restoring
r the system
s recoverry (system statte) information n to the damag ged node. Wh hen you
restart that node, it will jo
oin the cluster and receive th on automatically.
he latest clusteer configuratio
Maintainin
M g and Trou
ubleshootting Failovver Clusters
Cluster validatio
on functionalitty implemente ed in
Windows
W Server 2012 failoverr clustering, prrevents
misconfiguratio
m ons and non-w working clusters.
However, in som me cases you may
m still have tot
pe
erform mainte enance or clustter troubleshooting.
When
W troublesh
hooting failove
er clusters:
Identify the
e perceived pro
oblem by colle
ecting and doccumenting thee symptoms off the problem..
Identify the
e scope of the problem so thhat you can unnderstand whaat is being affected by the prroblem,
pplication and the clients.
and the impact of that efffect on the ap
MCT USE ONLY. STUDENT USE PROHIBITED
5-28 Implemennting Failover Clusterring
Collect informmation so that you can accurrately understaand and pinpo oint the possib ble problem. A
After
by the impact of a
you identify a list of possible problems, you can prioritiize them by prrobability, or b
repair. If you cannot pinpoiint the problemm, you should attempt to ree-create the prroblem.
Create a sche
edule for repairing the problem. For examp blem only affects a small sub
ple, if the prob bset of
users, you can
n delay the rep
pair to an off-p
peak time so tthat you can scchedule downtime.
Complete and
d test each rep
pair one at a tiime so that yo
ou can identifyy the fix.
To troubleshoot
t SAN
S issues, start by checking
g physical conn
nections and b
by checking eaach of the harddware
com
mponent logs. Additionally, run r the Validatte a Configuraation Wizard to he current cluster
o verify that th
configuration is sttill supportable e.
Tro
oubleshooting Group and
a Resourcce Failures
To troubleshoot
t group
g and reso
ource failures:
Determine wh
hether the pro ppens on a speecific node or nodes, by trying to re-creatte the
oblem only hap
problem on different
d nodess.
Wh
hat Is Cluster-Aware
e Updating
g?
Appplying Window ws operating syystem updatess to
noddes in a clusterr requires extra
a attention. If you
y
wannt to provide zero
z downtime e for a clustere
ed
role
e, you must update cluster no odes manuallyy one
afte
er another, andd you must mo ove resources
man nually from the e node that yoou are updatin ng to
anoother node. Thiis procedure can be very tim me-
consuming. In Windows Server 2012, Microso oft has
impplemented a ne ew feature for automatic update
of cluster
c nodes.
Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or Windows 8
is called and configured as an orchestrator. To configure a computer as a CAU orchestrator, you must
install failover clustering administrative tools on it. The orchestrator computer is not a member of the
cluster that is updated during the procedure. From the orchestrator computer, the administrator
triggers on-demand updating by using a default or custom Updating Run profile. Remote-updating
mode is useful for monitoring real-time progress during the Updating Run, and for clusters that are
running on Server Core installations of Windows Server 2012.
Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover
cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does
not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a
default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process
starts on the node that currently owns the CAU clustered role, and the process sequentially performs
updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by
using a fully automated, end-to-end updating process. An administrator can also trigger updates on
demand in this mode, or use the remote-updating approach, if desired. In the self-updating mode, an
administrator can access summary information about an Updating Run in progress by connecting to
the cluster and running the Get-CauRun Windows PowerShell cmdlet.
To use CAU, you must install the failover clustering feature in Windows Server 2012, and you must create
a failover cluster. The components that support CAU functionality are installed automatically on each
cluster node.
You must also install the CAU tools, which are included in the failover clustering Tools (which are also part
of the Remote Server Administration Tools (RSAT)). The CAU tools consist of the CAU user interface (UI)
and the CAU Windows PowerShell cmdlets. The failover clustering Tools are installed by default on each
cluster node when you install the failover clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8, and that has network connectivity
to the failover cluster.
Configure CAU
1. Make sure that the failover cluster is configured and running on LON-SVR3 and LON-SVR4.
7. After updates are applied, configure Add CAU Clustered Role with Self-Updating Enabled on
LON-SVR3.
MCT USE ONLY. STUDENT USE PROHIBITED
5-30 Implemennting Failover Clusterring
Lesson 5
Implem
menting
g a Multi-Site Failover
F r Cluste
er
In so
ome scenarioss, you may havve to deploy cluster nodes o n different sitees. Usually, you u do this when n you
build disaster recoovery solutionss. In this lesson
n, you will learrn about multii-site failover cclusters, and th
he
prerrequisites for implementing them. You will also learn ab bout synchronoous and asynchronous repliccation,
and the process ofo choosing a quorum
q mode for multi-site clusters.
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
Wh
hat Is a Mu
ulti-Site Fa
ailover Clu
uster?
A multi-site
m failovver cluster is a cluster that ha
as
been extended so o that differentt nodes in the same
clusster reside in seeparate physiccal locations. A
mullti-site failoverr cluster therebby provides higghly
avaiilable services in more than one location.
Mullti-site failoverr clusters can solve several sppecific
problems, but the ey also presentt specific
challenges.
A multi-site
m failovver cluster has three main ad
dvantages in a failover site, aas compared to
o a remote serrver:
otther processess, and can still achieve sufficient availabilityy with only a m
modest increasse in cost and
omplexity. Examples for this are SQL Serve
co er log shippingg, Exchange Seerver continuous replication,, and
DFS replication..
Th
he complexity of a multi-site
e cluster requirres more archiitectural and h
hardware plann
ning. It also re
equires
yo
ou to develop business processes to test thhe cluster funcctionality routiinely.
Prerequisit
P es for Imp
plementing
g a Multi-SSite Failovver Clusterr
Prrerequisites for implementattion of multi-site
cluster are diffe
erent from thosse for single-siite
cluster impleme entation. It is im
mportant to
un nderstand wha at you must prrepare before you
sttart implementtation of multii-site cluster.
Prrior to implem
menting multi-ssite failover clu
uster,
yo
ou must ensurre the following:
Syn
nchronouss and Asyn
nchronouss Replicatio
on
It is not possible for
f a geograph hically disperse
ed
failo
over cluster to use shared stoorage between n
phyysical locations. Wide area ne etwork (WAN) links
are too slow and have too much h latency to
support shared storage. This me eans that you must
have separate insttances of data. To have exacct
copies of data on both sides, ge eographically
disppersed failoverr clusters must synchronize data
d
betw ween locationss by using specialized hardw ware.
Mullti-site data repplication can be
b either
syncchronous or assynchronous:
When you use asynchronou us replication, the node receeives a write co omplete respo onse from the
storage after the data is written successfu ully on the prim
mary storage. The data is wrritten to the
secondary sto orage on a diffferent schedule, depending on the hardwaare or software e vendors
implementatiion. Asynchron nous replicatioon can be storaage-based, ho ost-based, or evven applicatio on-
based. Howevver, not all forms of asynchro onous replicattion are sufficieent for a multi-site cluster. FFor
example, DFS S Replication provides
p file-levvel asynchrono
ous replication n. However, it does not supp port
multi-site failover clustering
g replication. This
T is becausee DFS Replicatiion replicates smaller docum ments
that are not held
h open continuously, and was not desig gned for high--speed, open-ffile replication.
Wh
hen to Use Synchronou
S us or Asynch
hronous Rep
plication
Use synchronous replication wh hen data loss iss not acceptabble. Synchrono ous replication solutions requuire
low-disk write lateency, because the applicatioon waits for bo oth storage solutions to acknnowledge the d data
writtes. The require
ement for loww latency disk writes
w also limi ts the distancee between the
e storage systems,
because increased d distance can cause higher latency. If the disk latency iss high, the perrformance and d even
the stability of the
e application can
c be affected d.
Asynchronous rep plication overccomes latency and distance l imitations by acknowledging local disk wrrites
onlyy, and by reprooducing the disk write on the remote storaage system in a separate traansaction. Becaause
asyn
nchronous rep plication writess to the remote e storage systeem after it writtes to the locaal storage syste
em,
the possibility of data
d loss durin
ng a failure inccreases.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 5-33
You preservve the semantics of the SCSI commands accross the sites,, even if a com
mplete communication
failure occu
urs between sittes.
o number of nodes, then use the Node Majority quorrum. If there is an even number of
If there are an odd
noodes, which is typical in a ge dispersed clus ter, you can use the Node M
eographically-d Majority with FFile
Shhare Majority quorum.
q
If you are using Node Majoritty and the sites lose commu nication, you n need a mechanism to determ mine
which
w nodes remmain in the cluuster, and whicch nodes leavee the cluster. TThe second site
e requires ano
other
voote to obtain quorum
q after a failure. To ob
btain another vvote for quoru um, you must jjoin another n
node to
th
he cluster, or create a file sha
are witness.
Th
he Node and File F Share Majo ority mode can n help maintaiin quorum witthout adding aanother node tto the
cluster. To provvide for a singlee-site failure and enable auttomatic failoveer, the file sharre witness mig ght have
to ulti-site clusterr, a single serveer can host thee file share wittness. However, you
o exist at a thirrd site. In a mu
must
m create a se eparate file shaare for each clluster.
Th
here must be direct
d network
k connectivity between all th
hree locations. In this manne
er, if one site b
becomes
un
navailable, the
e two remainin
ng sites can still communicatte and have en
nough nodes ffor a quorum.
Note: In Windows
W Serve
er 2008 R2, ad
dministrators ccould configuree the quorum to include
noodes. However, if the quorum configuratio on included no odes, all nodess were treated equally
acccording to their votes. In Windows
W Serverr 2012, you ca n adjust clusteer quorum setttings so that
when
w the cluste
er determines whether
w it has quorum, som me nodes have a vote and some do not.
Thhis adjustmentt can be useful when you immplement soluttions across multiple sites.
MCT USE ONLY. STUDENT USE PROHIBITED
5-34 Implemennting Failover Clusterring
Pro
ocess for Configurin
C ng a Multi--Site Failovver Clusterr
Connfiguration of multi-site
m clustter is somewha at
diffe
erent from con nfiguring a single-site cluster.
Mullti-site clusterss are more commplex to config gure
and maintain, and d require moree administrativve
effo
ort to support. High-level ste eps to configurre a
mullti-site cluster are
a as follows:
1. Ensure that you have enoug gh cluster noddes on
each site. In addition,
a ensurre that cluster
nodes have similar hardwarre configuratio ons,
and have the same version of operating
system and se ervice pack.
3. Ensure that you have deplo oyed reliable sttorage replicattion mechanism between sittes. Also, choo
ose the
type of replication for use.
Challenges fo
or Implem
menting a Multi-Site
M Cluster
Impplementing mu ulti-site clusterrs is more complex
thann implementin ng single-site clusters,
c and ca
an
also
o present severral challenges to the
admministrator. Sto
orage and netw work issues aree the
mosst challenging aspects of imp plementing multi-
site clusters.
options for replicating data: block level hardware-based replication, software-based file replication
installed on the host, or application-based replication.
Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does not
acknowledge data changes that are made in, for example, Site A until the data successfully writes to Site B.
With asynchronous replication, data changes that are made in Site A are eventually written to Site B.
When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not
find any shared storage, and will therefore not run. However, you can still create a failover cluster. If you
follow the hardware manufacturers recommendations for Windows Server failover clustering hardware,
Microsoft will support the solution.
Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered
application or service to change its IP address based on that IP subnet. DNS updates the clustered
applications DNS record so that clients can locate the IP address change. Because clients rely on DNS to
find a service or application after a failover, you might have to adjust the DNS records Time to Live
setting, and the speed at which DNS data replicates. Additionally, when cluster nodes are in multiple sites,
network latency might require you to modify the inter-node communication (heartbeat) delay and time-
out thresholds.
MCT USE ONLY. STUDENT USE PROHIBITED
5-36 Implementing Failover Clustering
Objectives
Configure a failover cluster with CSV storage.
Deploy and configure a highly available file server on the failover cluster.
Lab Setup
Estimated Time: 60 minutes
20412-LON-DC1
20412-LON-SVR1
20412-LON-SVR3
20412-LON-SVR4
MSL-TMG1
Username: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
7. On LON-SVR4, open Disk Management, refresh the console and bring online the three new disks.
5. On the Summary page, remove the check mark next to Create the cluster now using the validated
nodes, click Finish.
2. Locate a disk that is assigned to Available Storage. (If possible use Cluster Disk 2).
Results: After this exercise, you will have installed and configured the failover clustering feature.
Results: After this exercise, you will have deployed and configured a highly available file server.
2. Validate the failover and quorum configuration for the file server role.
4. On LON-DC1, in Windows Explorer, verify that you can still access \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the file server role
1. On LON-SVR3, determine the current owner for the AdatumFS role.
2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to another node, and that the \\AdatumFS\ location is still
available from the LON-DC1 computer.
4. Start the Cluster service on the node in which you stopped it in step 2.
Results: After this exercise, you will have tested the failover and failback scenarios.
3. Connect to Cluster1.
2. After the process is complete, log on to LON-SVR3 with the username as Adatum\Administrator
and password as Pa$$w0rd.
Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Lab Review
Question: What information will you have to collect as you plan a failover cluster
implementation and choose a quorum mode?
Question: After running the Validate a Configuration Wizard, how can you resolve the
network communication single point of failure?
Question: What is the main difference between synchronous and asynchronous replication in a
multi-site cluster scenario?
Question: What is the multi-site clusters enhanced feature in Windows Server 2012?
Tools
The tools for implementing failover clustering include:
Failover Cluster Manager console
Windows PowerShell
Server Manager
iSCSI initiator
Disk Management
MCT USE ONLY. STUDENT USE PROHIBITED
MCT USE ONLY. STUDENT USE PROHIBITED
6-1
Module 6
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview 6-1
Module Overview
One benefit of implementing server virtualization is that it allows you to provide high availability, both for
applications or services that have built-in high availability functionality, and for applications or services
that do not provide high availability in any other way. With the Windows Server 2012 Hyper-V
technology, failover clustering, and Microsoft System Center 2012 - Virtual Machine Manager (VMM),
you can configure high availability by using several different options.
In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve
high availability for a virtual environment. You will also learn about basic virtual machine features.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of Integratting Hyper-V w
with Failover Clusterin
ng
Failo
over clusteringg is a Windowss Server 2012 feature
f that en
nables you to make applicattions or service
es
highhly available. To
T make virtua ghly available in a Hyper-V eenvironment, yyou must
al machines hig
imp
plement failove er clustering on Hyper-V hosst machines.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe new
w failover cluste
ering features for Hyper-V in
n Windows Server 2012.
Op
ptions for Making
M Viirtual Machines High
hly Availab
ble
Mosst organizationns have some applications th hat
are business critical and must be highly availaable.
To make
m an appliccation highly available,
a you must
dep
ploy it in an environment tha at provides
undancy for alll components that the
redu
plication requirres. For virtual machines to be
app b
high
hly available, you
y can choose e between sevveral
options:
Network Load
d Balancing (N
NLB) inside virttual machines
Host Clusterin
ng
Hosst clustering en
nables you to configure
c a faiilover cluster b
by using the Hyper-V host se ervers. When yyou
configure host cluustering for Hyyper-V, you co onfigure the virrtual machine as a highly avvailable resourcce.
Failo
over protection is implemen nted at the hosst server level. This means th hat the guest ooperating systeem
and applications that
t are runninng within the virtual
v machin e do not havee to be cluster--aware. Howevver,
the virtual machinne is still highlyy available. Some examples of non-clusterr-aware applications are prin nt
etary network-based applications such as aan accounting application. SShould the hosst
servver, or proprie
nodde that controls the virtual machine
m unexpectedly becom me unavailablee, the secondary host node
assuumes control and
a restarts the e virtual machine as quickly as possible.
You
u can also movve the virtual machine
m from one
o node in th he cluster to annother in a controlled mann
ner.
For example, you could move th he virtual machine from onee node to anotther while patcching the hostt
ope
erating system.. The applicatioons or servicess that are runn
ning in the virttual machine d
do not have to
o be
com
mpatible with failover
f clusterring, and they do not need t o be aware th at the virtual m machine is
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 6-3
clustered. Because the failover is at the virtual machine level, there are no dependencies on software that
is installed inside the virtual machine.
Guest Clustering
You configure guest failover clustering very similarly to physical server failover clustering, except that the
cluster nodes are multiple virtual machines. In this scenario, you create two or more virtual machines, and
enable failover clustering within the guest operating system. The application or service is then enabled for
high availability between the virtual machines by using failover clustering in each virtual machine. Because
you implement failover clustering within each virtual machine nodes guest operating system, you can
locate the virtual machines on a single host. This can be a quick and cost-effective configuration in a test
or staging environment.
For production environments, however, you can more robustly protect the application or service if you
deploy the virtual machines on separate failover clusteringenabled Hyper-V host computers. With
failover clustering implemented at both the host and virtual machine levels, you can restart the resource
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a Guest Cluster Across Hosts. It is considered an optimal high availability configuration for virtual machines
that are running critical applications in a production environment.
You should consider several factors when you implement guest clustering:
The application or service must be failover clusteraware. This includes any of the Windows Server
2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server
and Microsoft Exchange Server.
Hyper-V virtual machines can use Fibre Channelbased connections to shared storage (this is specific
only to Microsoft Hyper-V Server 2012), or you can implement internet small computer system
interface (iSCSI) connections from the virtual machines to the shared storage.
You should deploy multiple network adapters on the host computers and the virtual machines. Ideally,
when using an iSCSI connection you should dedicate a network connection to the iSCSI connection, to the
private network between the hosts, and to the network connection used by the client computers.
Therefore, NLB is an appropriate solution for resources that do not have to accommodate exclusive read
or write requests. Examples of NLB-appropriate applications are web-based front ends to database
applications, or Exchange Server Client Access servers.
When you configure an NLB cluster, you must install and configure the application on all virtual machines.
After you configure the application, you install the NLB feature in Windows Server 2012 within each
virtual machines guest operating system (not on the Hyper-V hosts), and then configure an NLB cluster
for the application. Earlier versions of Windows Server also support NLB, which means that the guest
operating system is not limited to only Windows Server 2012. Similar to a Guest Cluster Across Host, the
NLB resource typically benefits from overall increased input/output (I/O) performance when the virtual
machine nodes are located on different Hyper-V hosts.
MCT USE ONLY. STUDENT USE PROHIBITED
6-4 Implementing Failover Clusterinng with Hyper-V
Ho
ow Does a Failover Cluster
C Wo
ork with Hyyper-V No
odes?
Whe en you implem ment failover clustering
c and
configure virtual machines
m as hiighly availablee
reso
ources, the failover cluster treats the virtua al
macchines like anyy other applica ation or servicee.
Nammely, if a host fails, failover clustering
c will act
a to
restore access to the
t virtual macchine as quick kly as
possible on anoth her host within n the cluster. Only
O
onee node at a tim
me runs the virttual machine.
Howwever, you can n also move the virtual mach hine
to any
a other node e within the same cluster.
The failover proceess transfers th
he responsibilitty of
provviding access to
t resources within
w a cluster from
onee node to another. Failover can
c occur when n an administrrator moves reesources to anoother node forr
maintenance or other
o reasons, or
o when unpla anned downtim me of one nod de occurs becaause of hardwaare
failu
ure or for othe
er reasons.
2. Failover startss when the node hosting thee virtual mach ine does not ssend regular he eartbeat signaals
over the netwwork to the othher nodes. By default,
d this co
orresponds to five consecutively missed
heartbeats (or 5,000 milliseconds). Failove
er may occur b because of a n
node failure orr network failure.
By default, all nodes are poossible owners.. Therefore, rem moving a node as a possible e owner absolu utely
excludes it fro
om taking ove er the resource
e in a failure sittuation. For exxample, suppo ose that you
implement a failover cluste er by using threee nodes. How wever, only two o nodes are coonfigured as
preferred owners. During a failover eventt, the resourcee could still be taken over byy the third nod de if
neither of thee preferred owwners are online. Although th he third node is not configured as a preferrred
owner, as long as it is a posssible owner, the failover clu ster can use itt if necessary to
o restore access to
the resource.
Resources are e brought online in order of dependency. For example, iif the virtual m machine references
an iSCSI LUN,, access to the appropriate host
h bus adaptters (HBAs), neetwork(s), and LUNs will be sstored
in that order. Failover is commplete when all
a the resourcees are online o on the new no ode. For clientss
interacting with the resourcce, there is a sh
hort service in terruption, wh hich most userrs will not noticce.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 6-5
4.. You can alsso configure thhe cluster serviice to fail backk to the offlinee node after it again becomees
active. Whe en the cluster service
s fails ba
ack, it uses the same procedu ures that it performs during
failover. This means that the cluster serrvice takes offl ine all the resoources associated with that
instance, moves
m the instance, and then brings all the resources in tthe instance baack online.
What
W Is Ne
ew in Failov
ver Clustering for Hyper-V in Windows Server 2012
In
n Windows Serrver 2012, failo
over clustering is
much
m d with respect to Hyper-V clu
improved usters.
So
ome of the moost important improvementss are:
Failover clu
ustering now suupports up to 4,000
virtual machines, and thee improved Failover
Cluster Man nager snap-in simplifies man
naging
many virtua al machines.
Virtual macchine application monitoring g. You can now w monitor servvices that are rrunning on clu
ustered
virtual machines. In cluste
ers running Windows Serverr 2012, administrators can co onfigure monittoring
of services on clustered virtual
v machine
es that are also
o running Winndows Server 2 2012. This
functionalitty extends the high-level moonitoring of virrtual machiness that is implem
mented in Winndows
Server 20088 R2 failover cllusters.
You can no ow store virtual machines on server messag ge block (SMB n a file server cluster.
B) file shares in
w method for providing highly available vvirtual machinees. Instead of cconfiguring a ccluster
This is a new
between Hyyper-V nodes, you can now have Hyper-V V nodes out of cluster, but w with virtual macchine
files on a highly available
e file share. To make this worrk, you shouldd deploy a file server cluster in a
scale-out file server mode e. Scale-out file servers can aalso use CSV ffor storage.
MCT USE ONLY. STUDENT USE PROHIBITED
6-6 Implementing Failover Clusterinng with Hyper-V
Best Practice
es for Impllementing High Avaailability in
n a Virtual Environment
Afteer you determiine which applications you want
w
to deploy
d on high ailover clusters, you
hly available fa
can plan and deploy the failove er clustering
environment. Con nsider the follo
owing
recoommendationss when you im mplement the
failo
over cluster:
Use Windowss Server 2012 asa the Hyper-V V
host. Window ws Server 2012 provides
enhancementts such as Hyp per-V 3.0, imprroved
CSVs, virtual machine
m migra
ations, and oth
her
features that improve flexib
bility and
performance when you imp plement host
failover cluste
ering.
Lesson
n2
Imple
ementin
ng Hype
er-V Virrtual Maachiness on Faillover
Cluste
ers
Im
mplementing highly
h available virtual machhines is somew what different ffrom implementing other ro oles in a
ailover cluster. Failover cluste
fa ering in Windoows Server 20112 provides maany features foor Hyper-V clu ustering,
in
n addition to toools for virtuall machine high
h availability m
management. In this lesson, yyou will learn h
how to
im
mplement high hly available virtual machines.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe co
omponents of a Hyper-V cluster.
Componen
C nts of Hype
er-V Cluste
ers
Hyper-V as a roole has some sp pecific require ements
fo
or cluster compponents. To fo
orm a Hyper-V V
cluster, you must have at leasst two physical nodes.
Whereas
W other clustered roless (such as Dynamic
Host Configurattion Protocol (DHCP)
( file serrver)
allow for nodes to be virtual machines,
m Hypper-V
odes must be composed of physical hosts. You
no
ca
annot run Hyp per-V inside a virtual
v machine on a
Hyper-V host.
In
n addition to having
h y must also have
nodes, you
physical and virrtual networks.. Failover clusttering
re
equires a network for internaal cluster
co
ommunication n, and also a neetwork for clieents. You can aalso implement a storage network separate ely,
deepending on the
t type of stoorage that you are using. Agaain, specific to o the Hyper-V role, you shou uld also
onsider virtual networks for clustered virtu
co ual machines. I t is important that you creatte the same virtual
neetworks on all physical hostss that participaate in one clusster. Failure to do this will caause a virtual m
machine
to
o lose networkk connectivity when
w moved from
f one host to another.
Sttorage is an im
mportant comp ponent of virtuual machine cluustering. You ccan use any tyype of storage that is
su
upported by Windows
W Server 2012 failover clustering. Ass a best practicce, you should
d configure sto
orage as
a CSV. This is discussed furthe
er in a followin
ng topic within
n this module.
Pre
erequisitess for Imple
ementing Hyper-V C
Clusters
To deploy
d Hyper--V on a failover cluster, you must
m
ensuure that you meet
m the hardw
ware, software,,
acco
ount, and netw work infrastruccture requirem
ments
as detailed
d in the following secttions.
Network adap pters. As with the other features in the faillover cluster so
olution, the ne
etwork hardwaare
must be mark ked as Certifieed for Window ws Server. To pprovide netwo ork redundanccy, you can con
nnect
cluster nodess to multiple, distinct
d networrks, or you can
n connect the n nodes to one nnetwork that u
uses
teamed netw work adapters, redundant swiitches, redund ant routers, orr similar hardw ware to removee
single points of failure. As a best practice
e, you should cconfigure multtiple network aadapters on thhe
host compute er that you con nfigure as a clu
uster node. Yoou should conn nect one netwwork adapter to
o the
private netwoork that the intter-host comm munications usses.
Storage adap e a Serial Attacched SCSI (SASS) or Fibre Chaannel, the masss-storage device
pters. If you use
controllers in all clustered servers
s should be identical a nd should usee the same firmmware version.. If
you are usingg iSCSI, each clustered serverr should have o one or more n network adaptters that are
dedicated to the cluster sto orage. The netw work adapterss that you use to connect to the iSCSI storaage
target should a you should use a gigab it Ethernet or faster networkk adapter.
d be identical, and
o Use eithe
er master boott record (MBR)) or GUID part ition table (GP
PT).
o If you are
e using a stora
age area netwo ork (SAN), the miniport driveer that the storage uses musst
work withh the Microsofft Storport storage driver.
MCT USE ONLY. STUDENT USE PROHIBITED
Configurinng Advanced Window
ws Server 2012 Serrvices 6-9
o Consider using multipath I/O softwware: If your SAAN uses a high hly available network design
n with
redunddant compone ents, you can deploy
d failoverr clusters with multiple host bus adapters b
by using
multipa
ath I/O softwa des the highestt level of redundancy and avvailability. For
are. This provid
Windows Server 2008 8 R2 and Wind dows Server 20012, your multtipath solution n must be baseed on
Multipath I/O (MPIOO).
Software Req
quirements for Using Hyper-V
H and
d Failover C
Clustering
Th
he following are the softwarre requirementts for using Hyyper-V and faillover clustering:
All the servvers in a failove based version of Windows Server 2012 Staandard
er cluster mustt run the x64-b
Edition or Windows
W Serve
er 2012 Datace enter Edition. TThe nodes in a single failove
er cluster cann
not run
different veersions.
Network
N Infrrastructure Requirements
Th
he following network
n infrasttructure is requ
uired for a failo nd an administtrative account with
over cluster an
th
he following do
omain permisssions:
Im
mplementting Failov
ver Clustering for Hyyper-V Virttual Machiines
To
o implement failover clustering for Hyper--V
virtual machines, you must co
omplete the fo
ollowing
hiigh-level stepss:
2. Configure the shared storage. You must use Disk Manager to create disk partitions on the shared
storage.
3. Install the Hyper-V and failover clustering features on the host servers. You can use Server Manager in
the Microsoft Management Console (MMC) or Windows PowerShell for this.
4. Validate the cluster configuration. The Validate This Cluster wizard checks all the prerequisite
components that are required to create a cluster, and provides warnings or errors if any components
do not meet the cluster requirements. Before you continue, resolve any issues that the Validate This
Cluster wizard identifies.
5. Create the cluster. Once the components pass the Validate This Cluster wizard, you can create a
cluster. When you configure the cluster, assign a cluster name and an IP address. A computer account
for the cluster name is created in the Active Directory domain, and the IP address is registered in DNS.
Note: You can enable clustered shared storage for the cluster only after you configure the
cluster. If you want to use CSV, you should configure CSV before you proceed to the next step.
6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure
that all files that are associated with the virtual machineincluding both the virtual hard disk and
virtual machine configuration filesare stored on the shared storage. You can create and manage
virtual machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual
machine by using Failover Cluster Manager, the virtual machine is made highly available
automatically.
7. Make the virtual machine highly available. To make the virtual machine highly available, in the
Failover Cluster Manager, select the option to make a new service or application highly available. The
Failover Cluster Manager then displays a list of services and applications that you can make highly
available. When you select the option to make virtual machines highly available, you can select the
virtual machine that you created on shared storage.
Note: When you make a virtual machine highly available, a list displays of all virtual
machines that are hosted on all cluster nodesincluding virtual machines that are not stored on
the shared storage. If you make a virtual machine that is not located on shared storage highly
available, you receive a warning, but Hyper-V will add the virtual machine to the services and
applications list. However, when you try to migrate the virtual machine to a different host, the
migration will fail.
8. Test virtual machine failover. After you make the virtual machine highly available, you can migrate the
computer to another node in the cluster. If you are running Windows Server 2008 R2 or Windows
Server 2012, you can select to perform a quick migration or a live migration.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-11
Configuring
C g CSVs
Yo
ou do not havve to configuree and use CSV when
ou implement high availability for virtual
yo
machines
m in Hyper-V. In fact, you can config
gure a
Hyper-V clusterr without usingg CSV. Howeve er as a
be
est practice, yo
ou use CSV duue to the follow
wing
ad
dvantages:
Reduced LU UNs for the dissks. You can usse CSV
to reduce the number of LUNs that you ur
virtual machines require. When you con nfigure
a CSV, you can store multiple virtual machines
on a single LUN, and multiple host com mputers
can access the same LUN N concurrently.
Better use of
o disk space. Instead of placcing each virtu
ual hard disk (..vhdx) file on a separate diskk with
empty spacce so that the .vhdx
. file can expand,
e you caan oversubscriibe disk space by storing mu ultiple
.vhdx files on
o the same LU UN.
Virtual macchine files storeed in a single logical locatio n. You can track the paths oof .vhdx files an
nd other
o using drive letters or GUIDs to identify disks, you can
files that virrtual machiness use. Instead of n specify
the path na ames. When yo ou implement CSV, all added d storage appeears in the \ClusterStorage ffolder.
The \Cluste erStorage folde er is created on the cluster nnodes system folder, and yo ou cannot movve it.
This means that all Hyperr-V hosts that are members of the cluster must use the ssame drive lettter as
their systemm drive, or virtual machine fa ailovers will fa il.
Increased resiliency. CSV increases resiliency becausee the cluster caan respond corrrectly even if
connectivityy between one e node and the SAN is interrrupted, or partt of a networkk is down. The cluster
reroutes the traffic to the
e CSV through an intact partt of the SAN or network.
Im
mplementin
ng CSV
After you create
e the failover cluster,
c you can enable CSV for the clusterr, and then add
d storage to th
he CSV.
Implementin
ng Highly Available
A Virtual
V Maachines on
n an SMB 3
3.0 File Shaare
In Windows
W Serve
er 2012, you caan use a new
techhnique to mak ke virtual machhines highly
avaiilable. Instead of using host or guest cluste ering,
you can now store e virtual machine files on a
highhly available SMB 3.0 file sha are. By using th his
appproach, high avvailability is achieved not by
clusstering Hyper-V V nodes, but by
b file servers that
t
hostt virtual machiine files on theeir file shares. With
W
this new capability, Hyper-V can n store all virtu
ual
macchine files, including configu uration, .vhdx files,
f
and snapshots, on n highly available SMB 3.0 fille
sharres.
Thiss technology re
equires the folllowing infrasttructure:
Domain memmbers in the Acctive Directoryy infrastructuree. The servers rrunning AD DSS do not need to
run Windowss Server 2012.
Befoore you implem ment virtual machines
m on ann SMB 3.0 file sshare, configure a file serverr cluster. To do
o this,
you should have at a least two clu
uster nodes, booth with file seervices and fai lover clusterin
ng installed on
themm. In the Failover Clustering console, creatte a scale-out file server clusster. After you configure thee
clusster, deploy thee new SMB file
e share for app
plications. Thiss share stores vvirtual machine files. When tthe
sharre is created, you
y can use the Hyper-V Ma anager to depl oy new virtuall machines on the SMB 3.0 ffile
sharre, or you can migrate existing virtual macchines to the SSMB file share by using the sstorage migrattion
metthod.
De
emonstration: Implem
menting Virtual
V Macchines on Clusters (o
optional)
In th
his demonstration, you will see
s how to imp
plement virtuaal machines on
n a failover clu
uster.
Note: Before starting thiss demonstratioon, ensure thatt LON-HOST1 is the owner o
of the
ClussterVMs disk. If it is not, then usterVMs reso urce to LON-H
n move the Clu HOST1 before doing this
proccedure.
Dem
monstration
n Steps
Mo
ove virtual machine
m sto
orage to the
e iSCSI targe
et
On LON-HOS es\Microsoft Learning
ST1, open Windows Explorerr, browse to E:\\Program File
\20412\2041 12A-LON-COR RE\Virtual Ha
ard Disks, and then move 20 0412A-LON-C CORE.vhd to tthe
C:\ClusterSto
orage\Volume1 location.
Con
nfigure the machine ass highly ava
ailable
1. In Failover Cluster Managerr, click Roles, and
a then start the New Virtu
ual Machine W
Wizard.
o Compu
uter name: TesstClusterVM
o or TestClusterV
RAM fo VM: 1536 MB
Considerat
C ions for Im
mplementiing Hyper--V Clusters
Byy implementin ng host failover clustering, yo
ou can
make
m virtual ma
achines highly available. How wever,
im
mplementing host
h failover clustering also adds
a
significant cost and complexitty to a Hyper-V V
deeployment. Yo ou must invest in additional server
haardware to proovide redunda ancy, and you should
s
im
mplement or have access to a shared stora age
in
nfrastructure.
Identify the
e applications or
o services tha
at
require high availability. Unless
U you havve the option of making all vvirtual machin
nes highly available,
you must develop
d priorities for which applications
a yo
ou will make highly availablee.
Identify thee components that must be highly availab le to make thee applications highly availab ble. In
some casess, the applicatioon might run ono a single serrver, and makiing that serverr highly availab
ble is all
that you ha ave to do. Otheer applicationss may require that several seervers and com
mponents such h as
storage or the
t network, beb made highlyy available. In addition, ensu ure that the do
omain controlllers are
highly availlable, and thatt you have at least one domaain controller on separate hardware or
on infrastructure.
virtualizatio
o What options
o are ava
ailable for mak
king the appliccation highly aavailable? You can make som me
applica
ations highly available through options oth her than host clustering. If o
other options aare
availab
ble, evaluate th
he benefits and
d disadvantagees of each opttion.
o What are
a the perform mance requirements for each h application?? Collect performance inform
mation
on the servers curren
ntly running th
he applicationss to gain an un
nderstanding o of the hardwarre
require
ements that are required when you virtual ize the server.
o What capacity
c uired to make the Hyper-V vvirtual machin
is requ nes highly available? As soonn as you
ou must make highly availab
identifyy all the appliccations that yo ble by using ho
ost clustering, yyou can
o design the acctual Hyper-V deployment. B
start to By identifying the performan nce requireme ents and
networrk and storage e requirementss for applicatioons, you can deefine the hardware that you have to
implem ment for all the e applications in a highly avaailable environ
nment.
MCT USE ONLY. STUDENT USE PROHIBITED
6-14 Implementing Failover Clustering with Hyper-V
Live migration is one of the most important aspects of Hyper-V clustering. You use the Live Migration
feature in Windows Server 2012 to perform live migrations of virtual machines. When implementing live
migration, consider the following:
Verify basic requirements. Live migration requires that all hosts be part of a Windows Server 2012
failover cluster, and that the host processors have the same architecture. All hosts in the cluster must
have access to shared storage, which meets the requirements for CSV.
Configure a dedicated network adapter for the private virtual network. When you implement failover
clustering, you should configure a private network for the cluster heartbeat traffic. You use this
network to transfer the virtual machine memory during a failover. To optimize this configuration,
configure for this network a network adapter that has a capacity of one gigabit per second (Gbps) or
higher.
Note: You must enable the Client for Microsoft Networks component, and the File and
Printer Sharing for Microsoft Networks component, for the network adapter that you want to use
for the private network.
Use similar host hardware. As a best practice, all failover cluster nodes should use the same hardware
for connecting to shared storage, and all cluster nodes must have processors that have the same
architecture. Whereas you can enable failover for virtual machines on a host with different processor
versions by configuring processor compatibility settings, the failover experience and performance is
more consistent if all servers have similar hardware.
Verify network configuration. All nodes in the failover cluster must connect through the same IP
subnet so that the virtual machine can continue communicating through the same IP address after
live migration. In addition, the IP addresses that are assigned to the private network on all nodes
must be on the same logical subnet. This means that multisite clusters must use a stretched virtual
local area network (VLAN), which is a subnet that spans a wide area network (WAN) connection.
Manage live migrations. In Windows Server 2008 R2, each node in the failover cluster can perform
only one live migration at a time. If you try to start a second live migration before the first migration
finishes, the migration fails. In Windows Server 2012, you can now run multiple live migrations
simultaneously.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-15
Lesson
n3
Imple
ementin
ng Hype
er-V Virrtual Maachine Movem
ment
Moving
M virtual machines from
m one location to another is a common prrocedure in Hyyper-V environ nments.
While
W moving virtual
v machinees in previous Windows Servver versions req
quired downtiime, Windows Server
20012 introducess new technolo movement. In this lesson, yo
ogies to enable seamless virrtual machine m ou will
le
earn about virtual machine movement
m andd migration op
ptions.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe migration
m optio
ons for virtual machines.
m
Explain how
w Hyper-V rep
plicas work.
Virtual
V Macchine Migration Opttions
Thhere are severaal scenarios in which you woould
want
w to migratee virtual machines from one
lo
ocation to anotther. For exam mple, you migh
ht want
to
o move a virtua al machine virtual hard disk from
onne physical driive to another on the same host.
h
Alternatively, yo
ou may need to t move a virtuual
machine
m from one
o node in a cluster
c to anotther, or
simply move a computer
c from
m one host serrver to
an
nother host se erver without the hosts beingg
members
m of a cluster.
c Compared with Wind dows
erver 2008 R2, Windows Servver 2012 provides
Se
significant enhaancements for this process inn
ad
ddition to simp plified procedures.
In
n Windows Serrver 2012, you can perform migration
m of v irtual machinees by using the
e following me
ethods:
age migration. With this meethod, you movve a powered--on virtual machine
Virtual macchine and stora
from one lo other (or from one host to an
ocation to ano nother) by usin ng a wizard in Hyper-V Man nager.
age migration do not requirre failover clus tering or any o
Virtual macchine and stora other high avaailability
technologyy. Additionally, you do not ne
eed shared sto
orage when yo ou move just the virtual macchine.
Exporting and d importing virtual machine. This is an estaablished meth hod of moving virtual machines
without usingg a cluster. Youu export a virtu
ual machine o n one host, an nd then physiccally move exp
ported
files to another host by perrforming an im mport operatioon. This is a tim
me-consuming operation thaat
requires you tot turn off thee virtual machines during exp port and impo ort. In Window
ws Server 2012,, this
migration me ethod is improved. You can import
i a virtuaal machine to a Hyper-V hosst without
exporting it before
b import. The Hyper-V role in Window ws Server 2012 2 is now capab
ble of configurring
all the necesssary settings duuring the impoort operation.
Ho
ow Does Virtual Macchine and Storage
S M
Migration W
Work?
There are many ca ases in which an
a administrattor
migght want to mo ove virtual macchine files to
anoother location. For example, if i the disk on which
w
a virtual machine hard disk resid des runs out of
o
spacce, you must move
m the virtual machine to
anoother drive or volume.
v Movinng virtual mach hines
to other
o hosts is a common pro ocedure.
In Windows
W Serve
er 2008 and Windows
W Serverr
2008 R2, moving a virtual mach hine resulted inn
dowwntime becausse the virtual machine
m had too be
turn
ned off. If you moved a virtual machine
betwween two hostts, then you also had to perfform
export and imporrt operations fo or that specificc virtual machiine. Export operations can b
be time-consum
ming,
deppending on the e size of the virtual hard diskks.
In Windows
W er 2012, virtuall machine and storage migraation enables yyou to move a virtual machiine
Serve
and its storage to another locattion on the sam
me host, or to another host computer, without having too turn
off the
t virtual macchine.
3. During the co
opy process, th
he virtual mach
hine is fully fun
nctional. Howeever, all chang
ges that occur
during the co
opy process are
e written to bo
oth the sourcee and destination locations. RRead operations are
performed onnly from the so
ource location.
4. As soon as the disk copy prrocess complettes, Hyper-V sw witches virtual machines to run on the
destination viirtual hard disk
k. In addition, if you are movving the virtuaal machine to aanother host, tthe
computer con nfiguration is copied
c and thee virtual mach
hine is associated with the hoost. If a failure
occurs on thee destination side, there is always a failbac k option to ru n back again oon the source
directory.
The time that is reequired to move a virtual ma achine depend ds on the sourrce and destinaation locationss, the
speeed of the hardd disks, storage a the size o f the virtual haard disks. The move process is
e, or network, and
faster if the source a on storagee, and the storrage supports .odx files . Insttead
e and destinattion locations are
of using
u buffered read and bufffered write opeerations, .the o
odx file starts tthe copy operation with an
offlo
oad read comm mand and retrrieves a token representing tthe data from the storage device. It then u uses
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-17
an
n offload write
e command wiith the token to
t request dataa movement from the sourcce disk to the
de
estination disk
k.
When
W you move a virtual macchines virtual hard disks to aanother location, the Virtual Machine Movve
wizard
w presentss three available options:
Move all th he virtual machines data tot a single loccation. Specifyy a single desttination locatio
on, such
as disk file, configuration, snapshot, and smart pagin g.
How
H Does Live Migra
ation Work?
Live migration enables
e you to
o move running
virtual machines from one failover cluster node
n to
an
nother node inn the same cluster. With live
migration,
m userss who are conn
nected to the virtual
machine
m d experience almost no serve
should er
ou
utage.
Yo
ou can initiate
e live migration
n through one
e of the followiing methods:
The Failove
er Cluster Manager console.
Liive Migratio
on Process
Th
he live migration process consists of four steps
s that occu
ur in the backg
ground:
2. Guest memorry transfer. The e guest memo ory is transferreed iteratively tto the target host while the vvirtual
machine is stiill running on the source host. Hyper-V on n the source physical host m monitors the paages
in the working set. As the syystem modifiees memory pag ges, it tracks a nd marks themm as being
modified. During this phase e of the migrattion, the migraating virtual m machine contin nues to run. Hyyper-
V iterates the
e memory copyy process several times, and each time a sm maller number of modified pages
are copied too the destinatio
on physical computer. A finaal memory cop py process cop pies the remain
ning
modified mem mory pages to o the destinatio
on physical hoost. Copying stops as soon ass the number o of
pages that haave been modified in physica al memory butt not yet rewriitten to disk often called ddirty
pagesdropss below a threshold, or afterr 10 iterations are complete.
Ho
ow Does Hyper-V Re
eplica Worrk?
In so
ome cases, you might want to have a sparre
copy of one virtuaal machine tha at you can run if
the original virtua
al machine failss. However, wh hen
you implement hiigh availabilityy, you have only
onee instance of a virtual machin ne. High availa
ability
doees not prevent corruption of software that is
runn e virtual machine. One way to
ning inside the t
adddress the issue of corruption is to copy the
virtu
ual machine. You
Y can also ba ack up the virttual
macchine and its sttorage. Althou ugh this solutio
on
achieves the desirred result, it is resource-intennsive
and time-consum ming.
To resolve
r oblem and to enable administrators to havve an up-to-date copy of a single virtual
this pro
macchine, Microso oft has implemented Hyper-V V Replica, a feaature in Windo ows Server 2012. This featurre
enables virtual ma achines that arre running at a primary site location or hoost to be repliccated to a seco
ondary
site location or ho ost across a WAAN or LAN link. Hyper-V rep plica enables yyou to have tw
wo instances off a
singgle virtual machine residing ono different hoosts: one as th
he primary (livee) copy, and thhe other as a replica
(offline) copy. The ese copies are synchronized, and you can p perform failovver at any time e. In the event of a
failu
ure at a primarry site, you can
n use Hyper-V Replica to exeecute a failoveer of the produ uction workloaads to
repllica servers at a secondary loocation within minutes, thus incurring min nimal downtim me.
Hyp
per-V Replica technology
t consists of severa
al componentss:
Replication engine: The rep plication enginne manages thee replication cconfiguration d details and
manages initiial replication, delta replicatiion, failover, a nd test-failoveer operations. It also tracks vvirtual
machine and storage mobility events, and d takes approp priate actions as needed. Th hat is, it pausess
replication evvents until mig
gration events complete, and d then resumees where they left off.
Network module: The network module e provides a seecure and efficient way to traansfer virtual m
machine
replicas bettween primaryy hosts and repplica hosts. It u
uses data comp pression, which is enabled bby
default. The
e transfer operration is secure
e because it reelies on HTTPSS and certificattion-based
authenticattion.
Hyper-V Re eplica Broker server role: This is a new servver role that is implemented in Windows SServer
y configure it during failovver clustering.. This server ro
2012, and you ole enables you u to have Hype er-V
Replica functionality evenn when the virtual machine b being replicateed is highly avvailable and caan move
from one cluster node to another. The Hyper-V Repliica Broker servver redirects all virtual mach hine
specific eve
ents to the apppropriate nodee in the replicaa cluster. The BBroker queries the cluster daatabase
to determinne which node e should handlle which eventts. This ensuress that all eventts are redirecte ed to
the correct node in the cluster in the evvent that a qu ick migration, live migration n, or storage
migration process
p was exxecuted.
Configuring
C g Hyper-V
V Replica
Be
efore you implement Hyper-V Replica, enssure
th
hat your infrasttructure meetss the following
g
prerequisites:
The server hardware supp ports the Hype er-V
role on Winndows Server 2012.
2 Also, enssure
that the serrver hardware has sufficient
capacity to run all of the virtual machinnes to
which you replicate it.
Network co
onnectivity exissts between th
he locations th
hat are hosting
g the primary aand replica serrvers.
Connectivitty can be throu
ugh a WAN orr LAN link.
Firewall rule
es are configured correctly to
t enable repliication betweeen the primaryy and replica siites. By
default, trafffic uses TCP port
p 80 or portt 443.
If you wantt to use certificcate-based autthentication, eensure that an X.509v3 certifficate exists to support
mutual authentication wiith certificates..
Yoou do not havve to install Hyper-V Replica separately. Hyyper-V Replica is implemented as part of tthe
Hyper-V server role. You can use it on Hype hat are standal one or serverss that are part of a
er-V servers th
fa
ailover cluster (in which case, you should configure the H Hyper-V Replicca Broker serve er role). Unlike
e
fa
ailover clusterinng, a Hyper-V role is not dependent on AD D DS. You cann use it with Hyyper-V servers that
arre standalone, or that are me Directory domaains (except in case when servers
embers of diffferent Active D
arre part of a failover cluster).
To
o enable Hype er-V Replica, first configure the
t Hyper-V seerver settings. In the Replica ation Configu uration
group of option ns, enable the Hyper-V serve er as a replica sserver, and sellect the authen
ntication and pport
op
ptions. You should also conffigure authorizzation options . You can choo ose to enable replication fro
om any
se
erver that succcessfully authenticates, whichh is convenientt in scenarios w ers are part of same
where all serve
do
omain. Alterna atively, you can type fully quualified domain n names (FQD DNs) of servers that you acce ept as
eplica servers. In addition, yo
re ou must config gure the locatio on for replica files. You shou
uld configure tthese
se
ettings on each h server that will
w serve as a replica
r server.
After you config
gure options at
a the server level, enable rep
plication on a virtual machin
ne. During thiss
co y must specify the replica server name aand options fo
onfiguration, you or the connectiion. If the virtu
ual
MCT USE ONLY. STUDENT USE PROHIBITED
6-20 Implementing Failover Clustering with Hyper-V
machine has more than one virtual hard disk, you can select which virtual hard disk drives that you want
to replicate. You can also configure the recovery history and the initial replication method. Start the
replication process after you configure these options.
Demonstration Steps
Configure a replica
1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server.
2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.
Configure replication
1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine.
2. Wait for initial replication to finish and ensure that the 20412A-LON-CORE virtual machine appears in
Hyper-V Manager on LON-HOST2.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-21
Lesson
n4
Mana
aging Hyper-V Virtual Environmentss by Using VMM
VMM is membe er of the System
m Center 20122 family of pro
oducts. It is a s uccessor of Syystem Center VVirtual
Machine
M Manag ger 2008 R2. VMM
V extends management
m ffunctionality foor Hyper-V ho osts and virtual
machines,
m and it provides dep ployment and provisioning ffor virtual macchines and servvices. In this le
esson,
yo
ou will learn th
he basics of VMMM.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe VM
MM.
Describe th
he prerequisite
es for installing
g VMM.
Describe prrivate cloud infrastructure co
omponents.
Describe ho
ow to manage
e hosts and hosst groups with
h VMM.
Describe ho
ow to deploy virtual
v machines with VMM.
Describe se
ervices and service templatess.
Describe ph
hysical-to-virtu
ual (P2V) and virtual-to-virtu
v ual (V2V) migrrations.
Describe co
onsiderations for
f deploying a highly availaable VMM servver.
What
W Is Sysstem Center 2012 - Virtual
V Maachine Manager?
VMM is a mana agement solutiion for a virtuaalized
da
ata center. VMMM enables yo ou to create annd
de
eploy virtual machines
m and services
s to privvate
clouds by config guring and ma anaging your
virtualization ho
ost, networkingg, and storagee
re
esources. You can
c also use VMM to manag ge
VMware ESX an nd Citrix XenSe
erver hosts.
VMM is a comp ponent of Syste em Center 201 12 that
diiscovers, captu
ures, and aggre egates knowle edge of
th
he virtualizatio
on infrastructurre. VMM also
manages
m policie
es, processes, and
a best practtices by
diiscovering, cappturing, and agggregating
kn
nowledge of th he virtualizatio
on infrastructu
ure.
VMM succeeds VMM 2008 R2 2, and is a key component in n enabling privvate cloud infrrastructures, w
which
he
elps transition enterprise IT from
f an infrastructure-focussed deploymen nt model into a service-oriented,
usser-centric envvironment.
VMM management console e. The manage ement consolee is a program that you use tto connect to a
VMM management server, to view and managem physic al and virtual resources, including virtual
machine hostts, virtual mach
hines, services,, and library reesources.
Self-Service Portal.
P The Selff-Service Porta
al is a website tthat users who
o are assigned to a self-service
user role can use to deployy and manage their own virtu ual machines.
Pre
erequisitess for Installling VMM
M 2012
Befoore you deployy VMM and itss components,,
ensu ure that your system
s t hardware and
meets the
softtware requiremments. While sooftware
requ uirements do not
n change ba ased on the
num
mber of hosts that
t VMM man nages, hardwa are
prerrequisites mayy vary. In addition, not all VM
MM
com
mponents have e the same harrdware and
softtware requiremments.
Virtual Machin
ne Managerr Server
In addition to havving Windows Server 2008 R2 R or Windowss Server 2012 i nstalled, the fo
ollowing softw
ware
musst be installed on the server that will run th
he Virtual Macchine Manager server:
Microsoft .NE
ET Framework 3.5 Service Pack 1 (SP1) or n
newer
Virtual
V Mach
hine Manager Database
e
Thhe Virtual Macchine Managerr database stores all VMM co onfiguration in
nformation, which you can aaccess
annd modify by using
u the VMMM managemen nt console. Thee Virtual Mach
hine Manager database requ uires
SQQL Server 20088 SP2 or newe
er. Because of this,
t the base h
hardware requuirements for tthe Virtual Machine
Manager
M database are equal to the minimuum system req uirements for installing SQLL Server. Additionally,
if you are manaaging more thaan 150 hosts, you
y should havve at least 4 G GB of RAM on tthe database sserver.
Sooftware requirements for the
e Virtual Mach
hine Manager d database are tthe same as fo
or SQL Server.
Virtual
V Mach
hine Manager Library
Thhe Virtual Macchine Managerr library is the server that ho osts resources ffor building virtual machines,
seervices, and private clouds. In
n smaller envirronments, you u usually install the Virtual M
Machine Manag ger
lib
brary on the VMM
V managem ment server. If this is the casee, the hardwarre and softwarre requirementts are
he same as for the VMM management servver. In larger aand more com plex environm
th ments, we recommend
th
hat you mainta ain Virtual Macchine Manager library on a sseparate serveer in a highly available
coonfiguration. Iff you want to deploy anothe er Virtual Mach hine Managerr library server,, the server sho
ould
meet
m the follow
wing requireme ents:
RAM: at lea
ast 2 GB
Hard disk space: varies ba
ased on the nu
umber and sizee of files that aare stored
Private
P Cloud Infrastructure Co
omponentts in VMM
Thhe key architecctural conceptt in VMM is the
private cloud innfrastructure. Similar
S to public
cloud solutions,, such as in Windows Azure , the
private cloud innfrastructure in
n VMM is an
ab
bstraction layeer that shields the underlyingg
echnical complexities and allows you to manage
te
deefined resourcce pools that consist of serveers,
neetworking, and d storage, in th
he enterprise
in
nfrastructure.
Yo
ou can configu
ure the followiing resources from
f the Fabriic workspace i n the VMM management co
onsole:
Servers. In the
t Servers no ode, you can co onfigure and m
manage severaal types of servvers. Host grou
ups
contain virttualization hossts, which are the
t destinationns you can usee to deploy virrtual machines. Library
MCT USE ONLY. STUDENT USE PROHIBITED
6-24 Implemennting Failover Clusterring with Hyper-V
servers are th
he repositories of building blockssuch ass images, .iso ffiles, and temp
platesfor creaating
virtual machinnes.
Networking. The
T Networkin ng node is whe ere you can deefine logical neetworks, assign pools of stattic IPs
and media acccess control (M MAC) addresse es, and integraate load balan cers. Logical n
networks are user-
defined groupings of IP sub bnets and virtu ual local area nnetworks (VLA ANs) that organnize and simpllify
network assiggnments. Logiccal networks provide
p an absttraction of thee underlying physical
infrastructure
e, and they enaable you to pro ovision and isoolate network traffic based oon selected criteria
such as conne ectivity properrties and servicce level agreemments (SLAs).
Storage. You can discover, classify, and provision remotte storage on supported sto
orage arrays. V
VMM
uses the Micrrosoft Storage Management Servicethatt is enabled byy default during the installatiion of
VMM to co ommunicate with
w external arrrays.
Ma
anaging Hosts, Host Clusters, and Host G
Groups wiith VMM
In addition to virtual machine management,
m VMM
V
can also help you manage and deploy Hyper--V
hostts. In VMM, yo ou can use techhnologies suchh as
Winndows Deploym ment Services (Windows DS)) to
depploy Hyper-V hosts
h on bare-m metal machine es
and then manage e them with VM MM. When hossts
are associated witth VMM, you canc configure
seveeral options, su
uch as host resserves, quotas,,
permmissions, and cloud
c memberships. VMM can c
o manage Hyper-V failover clusters.
also c
You
u use host grou
ups in the follo
owing scenario
os:
Provide basicc organization when you are managing maany hosts and virtual machin nes. You can crreate
custom viewss within the Ho t Virtual Ma chines view to
osts view and the o provide easy monitoring and
access to a ho
ost. For exampple, you might create a host group for each branch officce in your
organization.
Reserving resources for usee by hosts. Hosst reserves are useful when p placing virtual machines on a
host. Host resserves determiine the CPU, memory,
m disk s pace, disk I/O capacity, and network capaacity
that are contiinuously availa
able to the hosst operating syystem.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-25
Deploying
D Virtual Ma
achines wiith VMM
One
O of the adva antages of usinng VMM to manage
a virtualized envvironment is the flexibility th
hat
VMM provides to create and deploy new virtual
machines
m quick
kly.
A Virtual Machine
M Manag
ger library
Creating
C a New
N Virtual Machine fro
om an Existting VHD
Yoou can create a new virtual machine
m based
d on either a b
blank virtual haard disk (VHD)) or a preconfiigured
VHD that conta ains a guest op
perating system
m. VMM provid des two blank VHD template es that you can use to
crreate new disk
ks:
In this scenario, the source VHD must meet the following requirements:
Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep)
process.
Note: VMM 2012 will support the .vhdx virtual hard drive format when VMM 2012 SP1 is
released.
The following requirements apply if you want to deploy a new virtual machine from a template:
You must install a supported operating system on the VHD.
You must leave the Administrator password blank on the VHD as part of the Sysprep process.
However, you do not have to leave the Administrator password blank for the guest operating system
profile.
For customized templates, you must prepare the operating system on the VHD by removing the
computer identity information. For Windows operating systems, you can prepare the VHD by using
the Sysprep tool.
The host for deployment. The template that you use provides a list of potential hosts and their
ratings.
The virtual networks used for the virtual machine. A list of existing virtual networks on the host will
display.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-27
What
W Are Services
S an
nd Service Templatess?
Se
ervices are a new concept in n VMM. You must
un
nderstand servvices fully befo
ore you deployy a
private cloud in
nfrastructure.
Traditional Services
S Scenario
Seervices usuallyy refer to appliccations or setss of
appplications thaat provide servvices to end ussers. For
exxample, you ca an deploy various types of web-
w
baased services, but you can also implementt a
se
ervice such as email.
e n-cloud computing
In a non
sccenario, deployyment of any type
t of service
e
ussually requiress users, developers, and
addministrators tot work togeth her through th he
phases of creatiing a service, deploying
d a service, testing tthe service, an d maintaining
g the service.
A service freque ently includes several compu uters that mustt work togetheer to provide a service to en nd users.
Foor example, a web-based
w serrvice is usuallyy an applicatio n that deployss on a web serrver, connects to a
daatabase serverr that might be e hosted on an nother computter, and performs authenticaation on an Acctive
Directory doma ain controller. Enabling
E this application
a reqquires three ro
oles, and possibbly three comp puters:
a web server, a database serve er, and a domain controller. Deploying a ttest environme ent for a servicce such
ass this can be time consuming g and resource e consuming. Ideally, develoopers work witth IT administrrators to
crreate an enviroonment where e they can deploy and test th heir web appliccation.
Concept
C of a Service in a Private Clloud Scenarrio
With
W the concept of a private e cloud, how yoou deal with seervices can change significantly. You can p prepare
th
he environmennt for a service ng a self-servicce application such as
e, and then let developers deeploy it by usin
Syystem Center 2012
2 - App Coontroller.
In
n VMM, a serviice is a set of one
o or more virtual machiness that you dep ploy and manaage together aas a
single entity. Yo
ou configure thhese machiness to run togethher to provide a service. In WWindows Serve er 2008,
ussers could depploy new virtuaal machines byy using the Sel f-Service Portaal. In VMM, en
nd users can deploy
neew services. Byy deploying a service,
s a actually deeploying the e ntire infrastruccture, including the
users are
virtual machines, network con nnections, and applications tthat are requirred to make thhe service workk.
However, you can also use services to deplooy only a singl e virtual mach
hine without any specific purrpose.
In
nstead of deplo
oying virtual machines
m e historic way, you can now create a servicce that will deploy a
in the
mple, Windowss Server 2008 R2, and with sseveral roles an
virtual machine with, for exam nd features
preinstalled and main. This simplifies the pro
d joined to dom ocess of creatin
ng and later up
pdating new vvirtual
machines.
m
Deploying a new w service requ uires a high levvel of automattion and predeefined compon nents, and requires
management
m so
oftware suppo ort. This is why VMM providees service temp plates. A servicce template is a
te
emplate that encapsulates evverything that is required to o deploy and ruun a new instaance of an app plication.
Ju
ust as a private
e cloud user caan create new virtual machin nes on demand d, the user cann also use service
emplates to insstall and start new applicatio
te ons on demand d.
Process
P for Deploying
D a New Servicce
Yo
ou use the folllowing proced
dure when you use VMM serrvice templatess to deploy a n
new service or
ap
pplication:
1.. The system administratorr creates and configures
c VM M service tem
mplates by usin
ng the Service
Template Designer.
D
MCT USE ONLY. STUDENT USE PROHIBITED
6-28 Implemennting Failover Clusterring with Hyper-V
5. The user application ownerr gains control over service vvirtual machinees through Ap
pp Controller, o
or by
Remote Deskktop Protocol (RDP).
(
Info
ormation In
ncluded in the
t Service Template
T
The service template includes in nformation abo out the virtuall machines thaat are deployed
d as part of thhe
servvice, which app
plications to in
nstall on the virtual machiness, and the netwworking configguration needed for
the service (includ
ding the use off an NLB). The service templ ate can use exxisting virtual m
machine temp plates.
While you can define the service without usin g virtual machiine templates, it is easier to build
ng any existing
a te
emplate if you have already created
c virtual machine tem plates. After yyou create a se
ervice template e, you
configure it for de
eployment usin ng the Config gure Deploym ment option.
Durring a P2V conversion processs, VMM generates disk ima ges of the harrd disks on the e physical computer.
es for the new virtual machin
It crreates VHD file ne using the d isk images as a basis. In add
dition, it create
es a
hard dware configuration for the virtual machinne similar to, o
or the same as,, the hardware
e in the physicaal
commputer.
The new virtual machine
m has thee same compu uter identity ass the physical computer on wwhich it is based.
Because of this, ass a best practicce you should not use both a physical com mputer and its virtual replicaa
concurrently. Afteer the P2V conversion complletes, you typiccally disconneect the physical computer fro om
the network and decommission
d n it.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 6-29
P2
2V conversion is finished in either
e online or
o offline modee. In online mo
ode, the sourcce operating syystem
ru
uns during the conversion prrocess. In offlin operating systtem does not rrun and conversion
ne mode, the o
occcurs through the Windows Preinstallation n Environmentt (Windows PEE). Later topics in this lesson
de
escribe these modes
m in furth
her detail.
In
n addition to converting und derused physiccal computers, VMM supportts the manage ement, migration, and
co
onversions of other
o virtual machines
m that were
w created i n the VMwaree environment. You can convvert
th
hese virtual maachines to Hypper-V virtual machines,
m placee them on Hyp per-V hosts, an
nd then managge them
unnder the Virtual Machine Ma anager Administrator Conso ole. In addition
n, VMM and Hyyper-V supporrt
migrating
m virtua
al machines fro
om one host to another with h minimal or zzero downtime e.
VMM allows you to copy existing VMware virtualv machin es and create Hyper-V virtual machines. Y You can
co
opy VMware virtual
v machine ated on ESX seerver hosts, in Virtual Machin
es that are loca ne Manager lib braries,
orr on Windows shares. Althou on, V2V is a reead-only operaation that doess not
ugh V2V is callled a conversio
de
elete or affect the original so
ource virtual machine.
m In adddition, the term
m conversion is dedicated o only to
th
he process of converting
c VMMware virtual machines.
m The tterm migratio n is used for vvirtual server
machines.
m
Considerat
C ions for Deploying a Highly A
Available V
Virtual Macchine Man
nager
Server
VMM now supp ports a highly available
a Virtual
Machine
M Manag ger server. You
u can use failovver
clustering to achieve high avaailability for VM
MM
be
ecause VMM is now a cluste er-aware appliccation.
However, you should conside er several thinggs
be
efore you deploy a VMM clu uster.
You are preepared to use distributed keyy managemennt to store encryption keys in
n AD DS. You must
use distribu
uted key manaagement for a highly availab
ble Virtual Macchine Managerr server.
MCT USE ONLY. STUDENT USE PROHIBITED
6-30 Implementing Failover Clustering with Hyper-V
You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008
R2, VMM will not install a SQL Server Express Edition automatically.
During a planned failover, ensure that there are no tasks actively running on the Virtual Machine Manager
server. Any tasks that are executing during a failover will be stopped and will not restart automatically.
Any connections to a highly available Virtual Machine Manager server from the Virtual Machine Manager
Administrator Console or the Virtual Machine Manager Self-Service Portal will also be lost during a
failover. However, the Virtual Machine Manager Administrator Console can reconnect automatically to the
highly available Virtual Machine Manager server after a failover if the console was open before you
performed the failover.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 6-31
As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with
failover clustering to ensure that the virtual machines that are deployed on Hyper-V are highly available.
You are responsible for planning the virtual machine and storage configuration, and for implementing the
virtual machines as highly available services on the failover cluster. In addition, you are considering some
other techniques for virtual machine high availability, such as Hyper-V Replica.
Objectives
Configure Hyper-V Replica.
Configure a failover cluster for Hyper-V.
Lab Setup
20412A-LON-DC1-B
20412A-LON-SVR1-B
20412A-LON-HOST1
20412A-LON-HOST2
20412A-LON-DC1-B
20412A-LON-SVR1-B
Virtual Machine(s)
20412A-LON-HOST1
20412A-LON-HOST2
Password Pa$$w0rd
You should perform this lab with a partner. To perform this lab, you must boot the host computers to
Windows Server 2012. Ensure that you and your partner have booted into different hosts (one should
boot to 20412A-LON-HOST1 and the other should boot to 20412A-LON-HOST2) and then log on as
Adatum\Administrator with the password of Pa$$w0rd. Once you have booted into the Windows
Server 2012 environment, perform the following setup tasks:
1. On the host computer, in Server Manager, click Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click start the following virtual machines based upon your host:
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
Note: For this lab, verify that the classroom is configured so that only LON-HOST1 and
LON-HOST2 can communicate. Each pair of host computers must be isolated from the rest of the
classroom.
Note: The drive letter may differ based on the number of drives on the physical host machine.
o Create and use folder E:\VMReplica as a default location to store replica files
2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 6-33
2. Wait for initial replication to finish, and verify that the 20412A-LON-CORE virtual machine displays in
the Hyper-V Manager console on LON-HOST2.
Results: After completing this exercise, you will have configured a Hyper-V Replica.
2. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target.
5. On LON-HOST2, navigate to Disk Management, and initialize and bring online all iSCSI drives:
6. On LON-HOST1, navigate to Disk Management, and bring online all three iSCSI drives.
MCT USE ONLY. STUDENT USE PROHIBITED
6-34 Implementing Failover Clustering with Hyper-V
2. Verify that all three iSCSI disks appear available for cluster storage.
4. From the VMCluster.adatum.com node, select More Actions, and then configure the Cluster
Quorum Settings to use typical settings.
Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.
o Connect machine to existing virtual hard disk drive 20412A-LON-CORE.vhd, which is located at
C:\ClusterStorage\Volume1.
2. Connect to TestClusterVM, and ensure that you can operate the virtual machine while it is migrating
to another host.
4. When the migration completes, shut down all running virtual machines.
Results: After completing this exercise, you will have configured a highly available virtual machine.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
Best Practice
Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identical as possible. To ensure that you have a consistent
Hyper-V platform, configure standard network names, and use consistent naming standards for CSV
volumes.
Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Manager that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
MCT USE ONLY. STUDENT USE PROHIBITED
7-1
Module 7
Implementing Disaster Recovery
Contents:
Module Overview 7-1
Module Overview
Organizations are vulnerable to losing some of their data for reasons such as unintentional deletion of
critical data, file system corruption, hardware failures, malicious users, and natural disasters. Because of
this, organizations must have well-defined and tested recovery strategies that will help them to bring their
servers and data back to a healthy and operational state, and in the fastest time possible.
In this module, you will learn how to identify security risks for your organization. You will also learn about
disaster recovery, and disaster recovery requirements. You will also learn how to plan backup across your
organization, and what steps you can take to recover data.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of Disaster
D r Recove
ery
Disa
aster recovery is a methodology that descrribes all the steeps that you nneed to perform once a disaster
has occurred, to bring
b ers back to an operational sttate. An effecttive disaster
data, servvices and serve
reco
overy plan add dresses the orgganizations neeeds without p providing an unnecessary levvel of coverage e.
While absolute prrotection may seem desirable, it is unlikelyy to be econom mically feasible e. In creating a
disa
aster recovery plan, you need d to balance th of a particular disaster, with the
he cost to the organization o
costt to the organiization of prottection from thhat disaster.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Identify disaster recovery re
equirements.
Describe ente
erprise disasterr recovery strategies.
Describe disaster mitigation
n strategies.
Ide
entifying Disaster
D Re
ecovery Re
equiremen
nts
Befo
ore developing
g a disaster reccovery strategy,
anizations must identify their disaster reco
orga overy
requ
uirements to ensure
e that theey will provide
app
propriate prote
ection for criticcal resources.
4. Develop a reccovery strategyy. Based on the previous steeps, organizatio ons will define
e a service leve
el
agreement th hat will include
e information such
s as servicee levels and service hours. Organizations should
develop a dissaster recoveryy strategy that will help themm minimize thee risks, and at the same time e,
recover their critical resourcces within the minimum tim me acceptable ffor their business requireme ents.
sh
hould be evalu
uated and updated on a regu ular basisfor example oncee every few mo onths. It is
also important that
t administrators test the disaster recoveery strategies on a regular b
basis. The
te b performed in an isolated, non-productiion environmeent by using a copy of the
esting should be
production dataa.
What
W Are Service
S Lev
vel Agreem
ments?
A service level agreement
a (SLA
A) is a docume ent that
de
escribes the re o the IT department
esponsibilities of
orr IT service pro
ovider, with resspect to a speccific set
off objectives. In
n terms of dataa protection SLLAs,
th
hese agreemen nts usually speecify precisely which
w
pa
arts of the IT innfrastructure and
a data will be b
protected, and how quickly th hey will return to
se
ervice after a faailure.
In
n some organizzations, SLAs are
a formalized,, and
th
he performancce of the IT dep partment is
measured
m again
nst the objectivves that are sp
pelled
ouut in the SLA. These
T metrics form part of the IT
deepartments pe erformance evvaluation, and have a direct influence on ittems such as b budgets and saalaries.
Fo
or managed se ervices or cloud providers, SLAs are criticall for billing pu
urposes. In other organizations, SLAs
arre guidelines and
a are less forrmalized. The key to develop ping an SLA is that it needs to be realistic and
her than an unachievable sta
acchievable, rath andard, which may be imposssible to reach.
So
ome of the ele
ements of an SLA
S include:
Hours of op n defines how much time thee data and serrvices are available to
peration. Hourrs of operation
users, and how
h much planned downtim me there will b e due to systeem maintenancce.
Service availability. Servicce availability is defined as a percentage o f time per year that data and
services will be available tot users. For example,
e a servvice availabilityy of 99.9 perce
ent per year m
means
that data and services willl have unplanned downtimee not more thaan 0.1 percentt per year, or 8 8.75
hours per year
y on a 24 ho ours a day, sevven days a weeek basis.
You can configure backup software to take backups every hour, offfering a theorretical RPO of 6 60
minutes. When
W calculatin
ng RPO, it is alsso important tto take into account the timee it takes to peerform
the backup p. For example,, suppose it takes 15 minutees to perform a backup and yyou back up e every
ailure occurs during the back
hour. If a fa kup process, yo be 1 hour and 15
our best possible RPO will b
minutes. A realistic RPO must
m always ba alance the dessired recovery time with the realities of thee
network inffrastructure. Yo ou should not aim for an RP PO of 2 hours w when a backup p itself takes th
hree
hours to co omplete.
The RPO also depends on n the backup software
s techn
nology. For exaample, when yyou use the snaapshot
feature in Windows
W Serveer Backup, or other
o backup ssoftware that u uses volume shhadow copy se ervice
(VSS), you are
a backing up p to the point in time when tthe backup waas started.
different RTOO than the loss of a disk on a critical serverr, because one of these comp
ponents takes
significantly longer to repla
ace than the otther.
Retention objjectives. Reten
ntion is a measure of the leng ou need to store backed-up data.
gth of time yo
For example, you may need d to recover da
ata quickly fro
om up to a mo onth ago, but n
need to store d
data
in some form
m for several yeears. The speedd at which youu agree to recoover data in yo
our SLA will de
epend
on the age off the data, with
h some data being
b quickly reecoverable and other data nneeding to be
recovered fro
om the archive es.
Ov
verview of Enterprise
e Disaster Recovery Strategiess
Wheen planning fo or backup for your
y enterprise
e,
you need to develop strategies for recovering g
data
a, services, servvers, and sites,, and you needd to
makke some provission for offsite e backup.
Datta Recovery
y Strategies
Data is the most commonly
c recoovered catego ory in
an enterprise
e environment. Thiss is because it is
morre likely that users will deletee files accidenttally,
thann it is for serve
er hardware too fail or for
appplications to cause data corru uption. Therefo ore,
in developing
d an enterprise disa
aster recovery
strategy, take into o account small disasters, succh as
dataa deletion, in addition
a to big
g disasters, succh as server or site failure.
Serrvice Recove
ery Strategiies
The functionality of the network k depends on the availabilityy of certain criitical network services. Altho
ough
welll-designed nettworks build re edundancy intto core service s such as Dom main Name Sysstem (DNS) and
Actiive Directory Domain Services (AD DS), even those servvices might haave issues, such h as when a major
fault is replicated that requires a restore from
m backup. In ad
ddition, an entterprise backup p solution musst
ensuure that services such as Dynnamic Host Co onfiguration Prrotocol (DHCP P) and Active D Directory Certifficate
Servvices (AD CS), and
a importantt resources succh as file sharees can be resto ored in a timelyy and up-to-d date
man nner.
ha
ave both serve ers capable of full server reco overy with a 1 5 minute RPO O? Or is it only necessary for one
se en that either server will be aable to provid
erver to be reccovered quicklyy if it fails, give de the same neetwork
se
ervice and ensure business continuity?
In
n developing the full server recovery
r compponent of yourr organization s enterprise b
backup plan,
deetermine whicch servers are required
r to ensure business continuity, and
d ensure that they are regularly
baacked up.
Site Recovery
y Strategiess
Most
M larger org
ganizations havve branch officce sites. While it might be deesirable to bacck up all the
coomputers at thhose locations,, it may not be
e economicallyy feasible to do o so. Developing a site recovvery
sttrategy involve
es determiningg which data, services,
s and seervers at a speecific site must be recoverable to
ennsure businesss continuity.
Offsite
O Backu
up Strategie
es
Many
M organizattions that do not
n store offsite backups do not recover frrom a primary site disaster. Iff your
orrganizations head
h office site
e has a fire, is subject
s to a on
nce-in-a-100-yyear flood, a cyclone, or a to
ornado,
it will not matte
er what backup ps strategies you have in plaace if all those backups are stored at the loocation
th
hat was destroyyed by the dissaster.
Disaster
D Miitigation Strategies
S
No matter how prepared organizations are,, they
ca
annot prevent disasters from m occurring.
Thherefore, organizations must also develop p
mitigation
m strategies that will minimize the impact
off an unexpecte ed loss of dataa, server, servicce, or
sittes. To preparee mitigation sttrategies,
orrganizations must
m create risk
k assessments that
an
nalyze all posssible disaster sccenarios, and how
h to
mitigate
m each of
o those scenarrios.
Thhe following ta
able lists some
e of the risks
asssociated with data or services loss, and th
he
ap
ppropriate mittigation strateggies.
Risk of disaste
er Mitigation
n strategy
The media wh here a copy off the backup Have at leeast two copiees of your backkup data, and
data is located becomes corrupted. validate yyour backups oon a regular basis.
An administra
ator has accide
entally deletedd Protect O
OUs from accid
dental deletion
n, especially aftter
an organizatio
onal unit (OU)) that contains migration
ns.
many user and computer objects.
A file server in
n a branch offiice where Use Distriibuted File Sysstem Replicatioon (DFS-R) to
important filees are located has failed. replicate files from brannch offices to central data
centers.
MCT USE ONLY. STUDENT USE PROHIBITED
7-6 Implementing Disaster Recoverry
Th
he virtualizatio
on infrastructure where Avoid deplo oying all criticaal servers, such
h as domain
bu
usiness serverss are located iss controllers, on the same vvirtual infrastructure.
un
navailable.
A major outage
e in a data centter has Deploy a seecondary data center that will contain
occcurred. replicas of tthe critical servvers in your prrimary data
center.
Best Practice
es for Impllementing a Disasterr Recoveryy
Wheen implementing a disaster recovery strate egy,
orga
anizations sho
ould follow the
ese best practicces:
Lesson
n2
Imple
ementin
ng Wind
dows Se
erver Baackup
To
o protect criticcal data, every organization must perform regular backu ups. Having a wwell-defined and
te
ested backup strategy
s ensurees that companies can resto re data if unexxpected failure
es or data loss occur.
his lesson desccribes the Windows Server Backup featuree in Windows SServer 2012 aand the Microssoft
Th
Online
O Backup Service
S for Winndows Server 2012.
Le
esson Objecctives
After completin y will be able to:
ng this lesson, you
Describe da
ata and service
e information that
t needs to be backed up in a Windowss Server enviro
onment.
Describe th
he backup type
es.
Describe ba
ackup technolo
ogies.
Describe ba
ackup capacityy.
ackup security.
Describe ba
Describe Windows
W Serverr Backup.
Explain how
w to configure
e a scheduled backup
b using W
Windows Servver Backup.
What
W Need
ds to Be Ba
acked Up?
When
W planning backups across your organiization,
en
nsure that you
u protect resou urces that are
co
onsidered misssion critical. Co
onsider the folllowing:
Critical reso
ources
Backup verification
Backup security
Compliance
e and regulato
ory requiremen
nts
Determining
D g Critical Ressources to Back
B
Up
U
In
n an ideal scenario, you would back up
evverything and instantly resto ore data as it existed
e at a parrticular point i n time from any point in the
e last
se
everal years. In n reality, such a backup strateegy would pro oduce expensivve cost of own nership. Thereffore, the
firrst step in plan
nning backup across the enterprise is to deetermine whatt exactly needss to be backed d up.
Fo
or example, sh hould you backk up every dom main controlleer in the doma in, given that A Active Directoory
in
nformation will be replicated
d back to a rep placement dom main controllerr as soon as it is promoted? Is it
neecessary to back up every file server in all file shares if evvery file is rep licated to multiple servers th
hrough
a distributed file
e system?
MCT USE ONLY. STUDENT USE PROHIBITED
7-8 Implementing Disaster Recovery
You also need to distinguish between technical reasons and regulatory reasons for backing up data. Due
to legal requirements, you may need to be able to provide your business with business-critical data for
the past ten years or even longer.
If the data is only stored in one place, ensure that it is backed up.
If data is replicated, it may not be necessary to back up each replica. However, you must back up at
least one location to ensure that the backup can be restored.
Many organizations ensure the availability of critical services and data through redundancy. For example,
Exchange Server 2010 provides continuous replication of mailbox databases to other servers through a
technology called Database Availability Groups (DAGs). While DAGs do not mean that an organization
should not back up its Exchange Server 2010 Mailbox servers, it does change how an organization should
think about backing up its Mailbox servers or centralizing its backup strategies.
One way of verifying backups is to perform regular testing of the recovery procedures, in which you
simulate a particular failure. This allows you to verify not only the integrity of the data that you are using
to perform a recovery, but also that the recovery procedures that you have in place effectively resolve the
failure. It is better to discover that you need to add steps to your recovery procedure during a test, rather
than during an actual failure.
When developing an enterprise backup strategy, ensure that backup data is stored in a secure location.
You might also consider using backup software that allows you to split the backup and restore roles so
that users who have permissions to back up data do not have permissions to restore that data, and users
who have permissions to restore data do not have permissions to back it up.
yo
our organizatio
ons data protection strategyy, you should schedule a meeeting with your organizatio
ons
le etermine precisely which data needs to bee stored, and ffor how long.
egal team to de
Backup
B Typ
pes
n Windows Serrver 2012, you can perform the
In t
ollowing types of backups:
fo
Backup
B Tecchnologiess
Most
M backup prroducts in use today use the
e VSS
in
nfrastructure th
hat is present in
i Windows Seerver
20012. Some older applications, however, usse
sttreaming backup. It may be necessary to support
su
uch applicationns in complex heterogeneou us
ennvironments.
VSS
V
VSSa technology that Micro osoft included with Window ws Server 2003 R2, and which h is present in all
neewer server opperating system
mssolves the e consistency p
problem at thee disk-block le
evel by creating g what
is known as a sh hadow copy. A shadow copyy is a collectionn of blocks on a volume thatt is frozen at a specific
pooint in time. Changes can still be made to the disk, but w
when a backup p occurs, the ccollection of frrozen
blocks are back ked up, which means
m that any changes tha t might have ooccurred since e the freeze are e not
baacked up.
Creating a shad
dow copy tells the operating system first too put all files, ssuch as DHCP databases and d Active
Directory datab
base files, in a consistent
c state for a momen
nt. Then the cu urrent state off the file system
m is
MCT USE ONLY. STUDENT USE PROHIBITED
7-10 Implemennting Disaster Recoveery
reco
orded at that specific
s point in time. After VSS
V creates thee shadow copyy, all write accesses that wou uld
overwrite data, stoore the previous data blockss first. Therefo re, a shadow ccopy is small in
n the beginnin ng,
and it grows over the time as da ata changes. By
B default, the operating systtem is configu ured to reserve e 12
perccent of the vollume for VSS data,
d and VSS automatically
a deletes older snapshots whe en this limit is
reacched. You can change this default value, and you can ch hange the defaault location of the VSS dataa. This
ensuures that the backup
b has a snapshot of the e system in a cconsistent state, no matter hhow long it acttually
es to write the backup data to
take t the backup storage devicce.
Streaming Bacckup
Stre
eaming backup p is often used
d by older appllications that d do not use VSSS. You back up p applications that
are not VSSaware by using a method
m knownn as a streamin ng backup. In ccontrast to VSSS where the
opeerating system ensures that data
d is kept in a consistent sttate and at a ccurrent point in time, when yyou
use streaming bacckup, the application or the data protectio on application is responsible
e for ensuring tthat
the data remains in a consistentt state. In addition, after streeaming backup p completes, some files havee the
state they had in the
t beginning of the backup p, while other files have the state of the ennd of the backkup
window.
Pla
anning Bacckup Capa
acity
Whe en you develoop an enterprisse recovery
strategy, you need d to determinee how much
storrage capacity your
y organizattion will requirre for
backups. The folloowing factors affect
a the amo ount
of space that is re
equired to store backup data a:
Space require
ements for a fu
ull backup
ements for an incremental
Space require
backup
Amount of tim
me required to
o back up
Backup frequency
Backup retention
Full Backup Re
equirements
To calculate
c the space required for a full back
kup, determinee how much sp pace from all vvolumes you w
will
need to back up. If the server ha
as a dedicatedd drive for bac kups, you wou
uld not performm a backup on
n that
drivve.
With products thaat perform imaage-based bacckups, such as Windows Servver Backup, this data is not
com
mpressed. On some
s types of servers, notab
bly file servers, the amount o
of space requirred for a full baackup
growws over time. You
Y can lessen n this tendencyy by using file expiration policies such as tthose found inn File
Servver Resource Manager
M (FSRMM).
Inccremental Ba
ackup Requ
uirements
An incremental
i baackup on Wind
dows Server Backup stores aall of the hard disk blocks that have chang ged
o incremental backup. Incre
sincce the last full or emental backuups are substan ntially faster th
han full backups
and require less space. The dow wnside of incre
emental backu ps is that theyy can require g greater recoverry
time e.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 7-11
Amount
A of Time
T Requirred to Back up
Th
he amount of time required to write data from the serveer being backeed up to the b
backup storage
e device
ca
an have an imppact on projeccted RPO, becaause it is not reecommended to begin a ne
ew backup opeeration
prior to the com
mpletion of the
e current one.
Backup
B Frequency
Ba
ackup frequency is a measurre of how often n backups are taken. With in ncremental blo ock-level backups, no
su
ubstantial diffe
erence will exisst between thee amount of daata written ov er the sum of four 30-minutte
se
essions and onne 2-hour incre emental sessioons on the samme server. This is because ove er the two houurs, the
sa
ame number of o blocks will have changed on o the server aas the four 30--minute sessio ons. However, tthe four
30
0-minute sessiions have brok ken it up into smaller
s parts. W
When backupss occur more ffrequently, the ey
re
educe the time e required to perform
p the baackup by splittting it into smaaller parts. The
e overall total w
will be
ab
bout the same e.
Backup
B Rete
ention
When
W attemptinng to determinne the required backup capaacity, you shou uld determine precisely howw long
yo
ou need to rettain backup daata. For exampple, if you need
d to be able to
o recover to anny backup poin nt in the
la
ast 28 days, and
d you have reccovery points generated
g eveery hour, you w
will need moree space than iff you
haave recovery points
p generated once a dayy and you onlyy need to resto ore from the laast 14 days.
Planning
P Backup Security
When
W planning your backup security, consider the
fo
ollowing:
Wh
hat Is Wind
dows Serv
ver Backup
p?
The Windows Servver Backup fea ature in Windo
ows
Servver 2012 consists of a Microssoft Managemment
Connsole (MMC) sn nap-in, the commmand wbadm min,
and Windows Pow werShell com mmands. You ca an
use wizards in the
e Windows Serrver Backup fea ature
to guide
g you thro
ough running backups
b and
reco
overies.
You
u can use Wind
dows Server Ba
ackup 2012 to back
up:
Selected volu
umes.
Perform a bare-metal resto ore. A bare-me etal backup con ntains at least all critical volu
umes, and allo
ows
you to restore
e without first installing an operating
o systeem. You do this by using the e product med dia on
a DVD or USB B key, and the Windows Recovery Environ ment (Window ws RE). You can n use this backkup
type together with the Win ndows RE to recover from a h hard disk failure, or if you haave to recoverr the
whole compu uter image to new
n hardware.
up contains all information tto roll back a sserver to a spe
Use system sttate. The backu ecific point in ttime.
However, youu need an operating system installed priorr to recovering g the system sttate.
If th
here are disaste
ers such as harrd disk failuress, you can perfform system reecovery by using a full serve
er
backup and Wind dows REthis will
w restore your complete syystem onto th he new hard disk.
De
emonstration: Config
guring a Sccheduled Backup
In th
his demonstration, you will sees how to con nfigure Windo 12 to perform a scheduled backup
ows Server 201
of specific folders, with a filter to exclude speccific file types.
Dem
monstration
n Steps
1. On LON-SVR1, start Windo
ows Server Backup.
2. Configure the
e backup schedule with the following
f opti ons:
o Backup Configuration:
C Custom and C:\HR
C Data fo
older is backed
d up, with the e
exception of C
C:\HR
Data\Old
d HR file.txt
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 7-13
o Backup
p Time: Once a day, 1:00 AM
M
What
W Is On
nline Backu
up?
Th
he Microsoft Online
O Backup Service is a clooud-
ased backup solution for Windows Server 2012
ba
th
hat is managed d by Microsoftt. You can use this
se
ervice to back up files and fo
olders, and to recover
r
th
hem from the public or priva ate cloud to prrovide
offf-site protection against datta loss caused by
diisasters. You ca
an use Microsooft Online Bacckup
ervice to back up and protecct critical data from
Se
an
ny location.
Microsoft
M Onlinne Backup Servvice is built on the
Windows
W Azuree platform, annd uses Windo ows
Azure blob storrage for storing
g customer da ata.
Windows
W Server 2012 uses the downloadab ble Microsoft OOnline Backup Service Agentt to transfer fille and
fo
older data secu
urely to the Miicrosoft Onlinee Backup Serviice. After you iinstall the Microsoft Online Backup
Se
ervice Agent, the
t agent integ grates its functtionality throu
ugh the Windoows Server Bacckup interface.
Key
K Featuress
Thhe key feature
es that Window
ws Server 2012
2 provides thro
ough the Micro
osoft Online B
Backup Service
in
nclude:
o Integra
ated recovery experience
e to recover files a nd folders fro m local disk or from a cloud
d
platform.
o Easy da
ata recoverability for data th
hat was backed
d up onto any server of yourr choice.
o Scriptin
ng capability that is provided dows PowerSheell command-line interface.
d by the Wind
Data compression, encryp ottling. The M icrosoft Onlinee Backup Service Agent ensu
ption, and thro ures
that data iss compressed and
a encrypted d on the serverr before it is seent to the Micrrosoft Online B
Backup
Service on the
t network. Therefore,
T the Microsoft Onl ine Backup Seervice only storres encrypted data in
cloud storage. The encrypption passphraase is not availlable to the M icrosoft Onlinee Backup Service, and
MCT USE ONLY. STUDENT USE PROHIBITED
7-14 Implemennting Disaster Recoveery
therefore, the
e data is neverr decrypted in the cloud. In aaddition, userss can set up throttling and
configure howw the Microsoft Online Back kup Service usees the networkk bandwidth w when backing uup or
restoring info
ormation.
Co
onsideratio
ons for an Enterprise
e Backup SSolution
Winndows Server Backup
B is a single-server bacckup
ution. When planning backup for an enterprise,
solu
consider the following points:
Is the backup
p solution compatible with yo our applicatio ns? For examp
ple, a new upd
date to a produ
uct
makes the baackup solution incompatible.. Check with th he application vendor to dettermine wheth
her
the enterprise
e backup soluttion is supportted.
Recovery point capacity. De etermine whatt the recovery point capacityy of the product is. How man ny
restore pointss does the enterprise data protection soluttion offer, and
d is this adequaate for your
organizations needs?
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 7-15
What
W Is Data Protecttion Manag
ger?
DPM is a Microssoft enterprise
e data protection and
re
ecovery product with the following featurees:
Supports Microsoft
M worklloads. DPM waas designed sp
pecifically by M
Microsoft to su
upport Microso oft
applications such as Exchhange Server, SQL
S Server, and
d Hyper-V. Ho owever, DPM h has not been
specifically designed to support non-M
Microsoft serve r applications that do not haave consistentt states
on disk, or that do not su
upport VSS.
Disk-based backup. DPM can perform scheduled bacckups to disk aarrays and storrage area netw works
(SANs). You
u can also conffigure DPM to
o export specif ic backup dataa to tape for re
etention and
compliancee related tasks..
Remote sitee backup. DPMM uses an architecture that aallows it to bacck up clients thhat are located
d in
remote sitees. This means that a DPM seerver that is loccated in a head office site caan perform backups
of servers and
a clients thatt are located across
a wide areea network (W WAN) links.
Lesson 3
Implem
menting
g Server and Data
D Reccovery
Recovering serverrs and data reqquires well-deffined and docu umented proccedures that addministrators ccan
follo
ow when failurres occur. The recovery proccess also requirres knowledgee of the backup and restore
harddware and softtware, such as DPM, and tap pe library devicces.
Op
ptions for Server
S Reccovery
Win
ndows Server Backup
B in Winddows Server 2012
provvides the following recoveryy options:
Applications and
a data. You can recover
applications and
a data if the e application has
h a
VSS writer, an
nd is registered
d with Window ws
Server Backupp.
Operating sysstem. You can recover the operating systeem through W indows RE, the
e product DVD
D, or a
USB flash drivve.
o Overwritte existing ve
ersion with recovered versiion.
o Do not recover
r items if they alread
dy exist in the
e recovery loccation.
Options
O forr Server Re
estore
Yoou perform server restore byy starting the
omputer from the Windows Server 2012
co
in
nstallation meddia, selecting the computer repair
r
opption, and then selecting the e full server restore
opption. Alternattively, you can use the installation
media
m on a USBB flash drive, or using Windo ows RE.
When
W you perfo
orm full serverr restore, consiider the
fo
ollowing:
Importing to
t Hyper-V. Be ecause server backup
b data iss written to thee VHD format (which is also the
format thatt is used for virrtual machine hard disks), if you are carefu
ul it is possible
e, to use full se
erver
backup datta as the basis for creating a virtual machin ne. Doing this ensures business continuity while
he appropriate replacement hardware.
sourcing th
Options
O forr Data Reccovery
Data is the mosst frequently re ecovered comp ponent
off an IT infrastructure. This is due to users
acccidently deletting data, and needing you to t
re
ecover it. There e are several sttrategies that you
y
ca
an pursue whe en you are devveloping a data a
re
ecovery proced dure. You can:
Perform a recovery
r to an alternative loccation.
Perform a recovery
r to the
e original locattion.
Perform a full
f volume reccovery.
Users
U Recove
er Their Ow
wn Data
Th
he most comm mon form of da ata recovery performed
p by I T departments is the recove ery of files and folders
th o in some way corrupted. TThe Previous V
hat users have deleted, lost, or Versions of Fiiles functionality that
was
w introduced in Windows ServerS 2003, (w
which you can also enable on n all computerrs running Win ndows
Se
erver 2012,) lets users recoveer their own filles using the f ile or folder prroperties rightt from their
workstation.
w Aftter end-users are
a trained how to do this, t he IT departm ment spends lesss time recove ering
h allows them to focus on more
usser data, which m valuable ttasks.
MCT USE ONLY. STUDENT USE PROHIBITED
7-18 Implementing Disaster Recovery
From a planning perspective, you should consider increasing the frequency at which snapshots for
previous versions of files are generated. This gives users more options when they try to recover their files.
When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material, to a location where
permissions are not applied, thereby enabling unintended access to data for users that should not have it.
Recover a Volume
If a disk fails, the quickest way to recover the data could be to perform a volume recovery, instead of a
selective recovery of files and folders. When you perform a volume recovery, you must check whether any
shared folders are configured for the disks, and whether the quotas and FSRM management policies are
still in effect.
Note: During the restore process, you should copy event logs before you start the restore
process. If you overwrite the event log filesfor example with a system recoveryyou will be not
able to read event log information that occurred before the restore started. That event log data
could lead you to information about what caused the issue.
Demonstration Steps
1. On LON-SVR1, delete the C:\HR Data folder.
2. In Windows Server Backup, run Recovery Wizard and specify the following information:
3. In Windows Explorer, browse to C:\, and ensure that the HR Data folder is restored.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 7-19
Restoring
R with
w an On
nline Backu
up Solutio
on
Yo
ou can use thee Microsoft On
nline Backup Service
o back up onlyy Windows Server 2012 serve
to ers.
However, you do
d not have to restore data on
o to
th
he same serverr from which you
y backed it up.
u
o Create copies so thatt you have botth the restoredd file and origiinal file in the same location
n. The
restore
ed file has its name
n in the folllowing formatt: Recovery Daate+Copy of+Original File N Name.
A. Datum is considering backing up critical data to a cloud-based service. A. Datum is also considering this
as an option for small branch offices that do not have a full data center infrastructure.
As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a disaster recovery solution that will ensure that critical data and services can be recovered
in the event of any type of failure. You need to implement a backup and restore process that can recover
lost data and services.
Objectives
Back up data on a Windows Server 2012 server.
Restore files using Windows Server Backup.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
MSL-TMG1
20412A-LON-DC1
Virtual 20412A-LON-SVR1
Machine(s) MSL-TMG1
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
Results: After completing this exercise, you will have configured the Windows Server Backup feature,
scheduled a backup task, and completed an on-demand backup.
2. Open drive C:\, and ensure that the Financial Data folder is restored.
Results: After completing this exercise, you will have tested and validated the procedure for restoring a
file from backup
2. Start installing Microsoft Online Backup Agent by double-clicking the installation file
OBSInstaller.exe.
4. Verify the installation and ensure that you receive the following message: Microsoft Online Backup
Service Agent installation has completed successfully.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 7-23
5. Clear the Check for newer updates check box, and then click Finish.
6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and
Microsoft Online Backup Service Shell.
1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart
YOURCITYNAME-YOURNAME.
3. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following
information:
o Username: holuser@onlinebackupservice.onmicrosoft.com
o Password: Pa$$w0rd
Note: In a real-life scenario, you would type the username and password of your Microsoft Online
Backup Service subscription account.
o Enter passphrase: Pa$$w0rdPa$$w0rd Confirm passphrase: Pa$$w0rdPa$$w0rd
4. Verify that you receive the following message: Microsoft Online Backup Service is now available for
this server.
3. Restore files and folders by using the Recover Data option, and specify the following information:
o Identify the server on which the backup was originally created: This server
o Select Volume and Date: C:\ and date and time of the latest backup
o Specify Recovery Options: Original location and Create copies so that you have both versions
4. In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive
C.
MCT USE ONLY. STUDENT USE PROHIBITED
7-24 Implementing Disaster Recovery
Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console.
2. Unregister the server from the Microsoft Online Backup Service using the following credentials:
o Username: holuser@onlinebackupservice.onmicrosoft.com
o Password: Pa$$w0rd
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.
Answer: Your company should develop backup and restore strategies based on multiple parameters, such
as business continuity needs, risk assessment procedures, and resource and critical data identification. You
must develop strategies that should be evaluated and tested. These strategies should take into
consideration the dynamic changes occurring with new technologies, and changes that occur with the
organizations growth.
Best Practice:
Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.
Identify with the organizations business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.
Always test backup and restore procedures regularly. Perform testing in a non-production and
isolated environment.
Tools
Tool Use Where to find it
Module 8
Implementing Distributed Active Directory Domain Services
Deployments
Contents:
Module Overview 8-1
Module Overview
For most organizations, the Active Directory Domain Services (AD DS) deployment may be the single
most important component in the IT infrastructure. When organizations deploy AD DS or any of the other
Active Directorylinked services within the Windows Server 2012 operating system, they are deploying a
central authentication and authorization service that provides Single Sign On (SSO) access to many other
network services in the organization. AD DS provides the primary security mechanism for authentication
and authorization within most organizations, and enables policy-based management for user and
computer accounts. With other AD DS services, you can extend some of this functionality to users who are
external to the organization.
This module will describe the key components of a complex AD DS environment, and how to install and
configure a highly complex AD DS deployment.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of Distribu
D uted AD
D DS Deployme
ents
Befoore starting to configure a co
omplex AD DS S deployment, it is importan
nt to know the components tthat
com a how they interact with eeach other to h
mprise the AD DS structure, and help provide a scalable and more
secu
ure IT environm ment. The lesson starts by exxamining the vvarious compo
onents of an A
AD DS environm ment,
in particular,
p dom
mains, trees andd forests.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Explain how AD
A DS domain
ns and forests form
f boundarries for securityy and administtration.
Explain reasons for having more than one
e domain in an
n AD DS enviro
onment.
Explain the im
mportance of Domain
D Name
e System (DNS)) in a complexx AD DS structu
ure.
Outline the options
o for upg
grade and coexxistence with p
previous AD D
DS versions.
Disscussion: Overview
O of
o AD DS Componen
C nts
An AD
A DS environ nment has variious components,
and it is importannt for you to unnderstand the
purpose of each component,
c an
nd how they
inte
eract with eachh other. Some of the AD DS
environment com mponents are domains,
d trees,, and
fore
ests. There is one global cataalog in each fo orest,
and there are trusst relationshipss. It is also
impportant to unde erstand the puurpose and benefit
of these compone ents.
Question: What is an AD DS
D domain?
Question: What is an AD DS
D domain tree
e?
Question: What is an AD DS
D forest?
Question: What are trust re
elationships?
Overview
O of
o Domain and Foresst Bounda ries in an A
AD DS Stru
ucture
As already discuussed, domains and forests provide
p
booundaries withhin the AD DS namespace. An A
unnderstanding ofo the differen
nt types of bou
undaries
is essential to managing
m a com
mplex AD DS
ennvironment.
Boundaries
B and
a Limits in AD DS
Domains
D andd Forests
Th
he AD DS dom main forms bou
undaries and liimits
fo
or several items:
All AD DS objects
o that exxist in a single domain
d
are stored in
i the AD DS database
d on eaach
domain con ntroller in the domain. The replication
r proocess ensures tthat all originaating updates aare
replicated to
t all of the other domain co ontrollers in thhe same domain. In large org ganizations whhere
there are a large numberr of changes, th he replication traffic can havve a noticeable e effect on nettwork
bandwidth between the domain
d contro
ollers. This is o ne of many fa ctors that youu must conside er when
designing an
a AD DS dom main structure.
Auditing is centrally managed by using g GPOs. The m aximum scopee of these settings is at the AAD DS
domain levvel. It is possible to have the same audit se ttings in differrent AD DS do
omains, but the
en they
must be ma anaged separa ately in each domain.
Group Policcies can be linked at the following levels: l ocal, site, dom
main, and orgaanizational unitt (OU).
Apart from site-level Group Policies, the scope of Gro oup Policies is the AD DSd domainthere e is no
inheritance
e of Group Poliicies from one AD DS domaiin to another, even if one AD D DS domain iis lower
than another in the DNS namespace.
The DNS se ervices work be est to support an AD DS envvironment wheen it is Active D DirectoryInte egrated.
This means that instead ofo the DNS reccords being sto ored locally onn each DNS Se erver in text file
es, they
are stored and
a replicated d in the AD DS database. Beccause it is the d database for the AD DS dom main, it
becomes th he limit of repllication of thosse records. Thee administrato or can then decide whether tto
replicate th
he DNS information to all do omain controlleers in the dom main (regardlesss of whether tthey are
DNS servers), to all doma ain controllers that are DNS sservers in the domain, or to all domain
controllers that are DNS servers
s in the forest.
f For thee last two optio
ons, separate rreplication parrtitions
(domainDn nsZones and fo orestDnsZones) exist. Alternaatively, it is posssible to createe a custom partition
where the administrator
a has to select manually
m which pate in its replication,
h domain conttrollers particip
but this meethod is not offten used.
Th
he AD DS forest acts as a bo
oundary for cerrtain replicatio
on and management areas:
The configu
uration partitioon contains the details of thee AD DS domaain layout, including: domains,
domain conntrollers, repliccation partnerss, site and sub
bnet informatio
on, and Dynam
mic Host
Configuratiion Protocol (DDHCP) authorization or the cconfiguration of Dynamic Acccess Control. The
MCT USE ONLY. STUDENT USE PROHIBITED
8-4 Implementing Distributed Activve Directory Domain Services Deploymentts
configuration
n partition also
o contains information aboutt applications that are integrated with the
e
AD DS databa ase. An examp ple of one of th
hese applicatio
ons is Exchang
ge Server 2010.
The global caatalog is the re
ead-only list coontaining everyy object in thee entire AD DSS forest. To keeep it
to a managea able size the global catalog contains
c only some attributees for each objbject, but it can
n still
grow very large depending on the extentt of the organiization. The sizze of the globaal catalog and the
number of on ngoing change es to it are imp
portant factorss in the allocattion of which A
AD DS domain n
controllers wiill hold a copy of the global catalog. In ad dition, networrk bandwidth iis also an impo ortant
factor to take
e into account..
In an AD DS forest
f with mu ultiple AD DS domains,
d theree is a DNS zonee with forest-w
wide replicatioon.
This enables clients
c to locatte records for AD
A DS domain n controllers in
n other AD DSS domains. The ere
will be some DNS records that must be available to clieents in every d domainfor exxample, domain
controllers that store a copy of the globa al catalog. Wheen AD DS dom main controllerrs start up, they
register severral server (SRV)) resource reco
ords in the DNNS database. So ome of these rrecords must b be
replicated to every DNS serrver in the AD DS forest, nott just restricted d to the AD DSS domainwh hich
would be the e case if they were
w added to a regular Activve Directoryinntegrated DNSS zone. For thiis
reason, a speccial forest-leve
el DNS zone na amed forestDn nsZones is creaated, and the replication of this is
to all DNS serrvers in the ADD DS forest, ratther than to evvery DNS serveer or AD DS do omain controller in
the domain.
Wh
hy Implem
ment Multiple Domains?
Man ny organizatio
ons can functio
on adequately with
a sin
ngle AD DS do omain. Howeve er, some entitiies
requuire multiple domains
d for se
everal reasons:
The AD DS forest root do omain has two groupsthe Schema Admi ns group and the Enterprise e
Admins gro oupthat do notn exist in anyy other domaiin in the AD DDS forest. Becau
use these grouups have
far-reaching rights in the AD DS forest,, you may wan
nt to restrict th
he use of these
e groups by onnly using
the AD DS forest root domain to store them. In earlyy implementatiions of Active Directory, thiss model
was often referred
r t empty root domain mod
to as the del.
Compliance e: It may be de
esirable to havve all active do
omains at the ssame level in tthe namespace e, so
that your organization ca an utilize the empty
e root dom main model. Inn certain organizations, it may be
unacceptab ns in the same AD DS domain. The reason for this is thatt the
ble to have diffferent division
Domain Ad dmins in any AD DS domain have full cont rol over every object in the domain, and tthis may
violate certain corporate security policies. For examp ple, different deepartments wiithin an organization
may be req quired for legal compliance reasons
r to nott be in the sam
me AD DS dom main. In that case,
there is the ast to create a separate AD D
e need to at lea DS domain forr each departmment, if not a sseparate
AD DS forest.
Why
W Implement Multiple Foressts?
Organizations
O may
m sometime es require that their
AD DS design comprises more e than one forrest.
Th
here are severa
al reasons whyy one AD DS foorest
may
m not be suffficient:
Security bo
oundaries: If twwo or more inddependent org ganizations want to share ressources, but arre not in
a position where
w they are e prepared to trust
t the domaain administraators of the partners organizzations,
then separaate forests are needed. Havin ng an AD DS sstructure with multiple foressts provides seccurity
boundariess. Although do omains in different forests caan share resourrces, they rely on manually
implemente ed trust relatio
onships and addditional admiinistration. Eacch forest mainttains its own issolated
security dattabases and ru ules.
Politics: Som
me countries have
h strict controls over the ownership of enterprises within the counttry.
Having a se eparate AD DSS forest may prrovide the adm ministrative iso
olation to meet that need.
MCT USE ONLY. STUDENT USE PROHIBITED
8-6 Implementing Distributed Activve Directory Domain Services Deploymentts
DN
NS Require
ements forr Complex
x AD DS En
nvironmen
nts
For an AD DS dom main to functio on, it requires DNS.
There are many operations thatt rely on DNS
look t take place. Name resolution is
kups in order to
onee of the origina
al uses for Dom main Name System.
With name resolu ution, clients ca
an connect to
servvice points by using the DNS S name, which
reso
olves to an IP address.
a Howeever, because sos
man ny operations involve connecting to an AD D DS
dommain controllerr that offers a particular servvice.
AD DS requires se ervice (SRV) ressource recordss. If a
userr wants to log on to their AD D DS user acco ount,
thenn their system uses DNS look kups to find SRRV
reco main controller that is running the Kerbero
ords for a dom os service. Wheen AD DS dom main controllerss
need to communicate with each h other, they use
u SRV record ds in DNS. If th
he AD DS foresst contains mo ore
thann one domain,, then it is impportant to ensu ookups are succcessful for ressources that are in a
ure that DNS lo
diffe
erent domain from the DNS resolver (the clientc perform
ming the DNS lo ookup).
There are several important con
nfiguration are
eas that you neeed to addresss when deployying a DNS stru
ucture
to support a complex AD DS en nvironment:
Event escalatiion options: If you have a monitoring soluution such as MMicrosoft Systtem Center 20 012 -
Operations Manager,
M ensurre that the eve
ents raised by IIPAM are escaalated in your gglobal monitoring
M will not provvide the same escalation opttions as a mon
solution. IPAM nitoring infrasttructure (for
example, notifications).
Verification: Verify
V that all of
o your compu uters, including
g domain conttrollers, are ab
ble to perform
successful DNNS lookups for key resourcess. Apart from rroutine name rresolution for host to IP
resolutions, all computers must
m be able to
o locate the SR
RV records forr domain contrrollers in the A
AD DS
domain and thet AD DS fore est.
Som
me of the wayss to enable succcessful DNS lo
ookups within a multi-domaain AD DS enviironment are:
CL1, the DNS resolver in the adatum.comm DNS domain can perform ssuccessful que eries for DNS
records in thee DNS domainn adatum.com by contacting DNS 1. This iss because DNSS 1 stores the zzone
file for the ad
datum.com DNNS domain. If DNS
D 1 receivess a DNS query for a node ou
utside of the lo
ocal
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 8-7
DNS domain, and if DNS 1 does not have the answer already cached in memory, it will by default
contact a DNS server from the Internet root DNS domain by using the root level hints configured by
default on the DNS server.
In order to speed up this process, you can configure DNS 1 to forward any queries that it cannot
resolve by itself to one or more specific DNS servers. In this case, it could forward any query that it
cannot resolve by itself to the DNS server for the Internet Service Provider (ISP). DNS 1 will utilize the
fact that DNS-ISP will have cached a large number of DNS lookup replies and can answer (non-
authoritatively) out of memory.
In a multi domain setting, you can configure DNS servers that receive DNS queries that they are
unable to resolve themselves, to forward these queries to other DNS server in the network. By using
forwarding, DNS servers can forward all their Internet DNS queries through a central DNS server,
which streamlines the process and speeds up the resolution time. This can greatly reduce the DNS
resolution traffic through the firewall.
If there are one or more separate DNS namespaces within your organization than can only be
resolved by internal corporate DNS servers, you can facilitate this process by configuring conditional
forwarders. The slide shows a separate DNS namespace for fabrikam.net, with its own DNS server,
DNS 4. DNS 1 can be configured with a conditional forwarder so that queries for records in the
fabrikam.net DNS namespace are directed to DNS 4, and all other queries are still forwarded to the
ISP-DNS server.
When there is a DNS domain that is lower in the DNS namespace (for instance the atl.adatum.com
domain), you must configure the DNS servers for the parent DNS domain to enable DNS resolution
for DNS records in the child domain. By default, DNS 1 has no knowledge of DNS 2. A delegated
domain record in DNS creates a special subdomain in the adatum.com DNS domain that lists one or
more DNS servers that store DNS records for the atl.adatum.com DNS domain. In this case, it will
enable DNS 1 to pass DNS queries for atl.adatum.com to DNS 2
Another option to allow DNS resolution in a disjointed DNS domain environment is to use a
secondary zone. In this example, DNS 1 will store a complete read-only copy of all the records in the
unix.net DNS zone. Because the records in the unix.net zone are updated regularly, the secondary
zone will contain an up-to-date copy of all of the records in the unix.net DNS zone. In a large
organization, this may involve a large amount of replication traffic, and if that traffic has a detrimental
effect on network connections, then it may not be the optimum solution. Note that in this scenario,
there will be virtually no DNS lookup traffic over the network to DNS 3, but there will be regular zone
transfer traffic.
The stub zone is another option for this case. The stub zone is a special type of secondary zone that
only stores read-only records for the DNS servers in the remote DNS domain. However, like a
standard secondary zone, the records are updated on a regular basis. The stub zone contains only the
DNS records for the DNS server names and their IP addresses. This solution will often be the preferred
option, because although there will be DNS lookup traffic over the network link, the stub zone update
traffic will be low, and it may be a better solution.
Op
ptions for Upgrading
U g and Coex
xistence w
with Previo
ous AD DS Versions
If yo
our current AD
D DS environmment is runningg on
Win ndows Server 2003
2 or Windo ow Server 2008 8
leveel AD DS domaain controllers,, you may wannt to
consider upgradinng to Window Server 2012.
AD DS has new fe eatures that are
e available onlly in
AD DS domains ru unning at Window Server 20 012
leveel.
2. Joining one or
o more Windo ows Server 201 12 servers to th
he AD DS dom main, and prom moting them too be
AD DS domaiin controllers. The Windows Server 2012 s ervers will be able to join th he domain, butt
c be promoted to AD DS domain
before they can d controollers, there willl be some schema updates tthat
need to be peerformed. Agaain, the Server Manager AD D DS Installation
n wizard will peerform
automaticallyy. The AD DS domain
d and forest functiona l levels must b
be at least Winndows Server 2
2003
Native mode..
Lesson 2
Deploying a Distributed AD DS Environment
This lesson outlines different ways to install an AD DS domain, and describes the different functional levels
of AD DS domains and forests. In this lesson, you will learn about some of the important points that you
must address when deploying a complex AD DS environment, and you will see how to upgrade from a
previous version of AD DS.
Lesson Objectives
After completing this lesson, you will be able to:
Demonstration Steps
3. Use the AD DS Installation Wizard to install and configure LON-SVR1 as an AD DS domain controller
in a new domain, atl.adatum.com.
2. Reboot and log on as Adatum\Administrator with the password Pa$$w0rd, on the newly created
AD DS domain controller LON-SVR1.
MCT USE ONLY. STUDENT USE PROHIBITED
8-10 Implemennting Distributed Active Directory Domainn Services Deployments
AD
D DS Doma
ain Functio
onal Levels
AD DS domains ca an run at diffe
erent functionaal
leveels. Generally, upgrading
u the
e domain to a
highher functional level will intro
oduce additionnal
feattures. Some of the domain fu unctional levels are
liste
ed in the follow
wing table.
Doomain functio
onal
Fe
eatures
lev
vels
Windows
W 2000 Server Universal gro
oups
na
ative
Group nestin
ng
Security iden
ntifier (SID) histtory
nstall Domain
In n Controllers from Media
In
nstall from Me edia allows thee installation off an AD DS do omain controlle er
without
w impactting the netwo ork connection n, because mosst of the new A AD DS
database
d is resttored locally frrom an ntdsuttil backup on a USB drive or DVD.
In
nstall from Me edia could also o be accessed o over the netwo ork when the
network
n is not busy. Once thee new AD DS d domain contro oller is installed and
re
ebooted, it willl use the netw work to retrievee AD DS originnating updatess that
were
w made sincce the ntdsutil backup was m made. This will be a small am mount
of
o replication, unless
u there haave been manyy originating u updates to the e
AD
A DS database, which the n new AD DS dom main controlleer needs to bring up
to
o date.
Note: Wiindows Server 2012 domain controllers cannot be installed in
a domain running at Window ws 2000 Serverr native level.
Windows
W Server 2003 LastLogonTiimestamp att ribute remem bers time of laast domain log gon
for users, and
d replicates thiis to other AD DS domain co
ontrollers in th
he
AD DS doma ain.
Constrained Delegation maakes it possible for applications to take
advantage off the secure deelegation of usser credentialss by using Kerb
beros-
based authen
ntication.
Selective authentication alllows you to sp
pecify the users and groups tthat
are allowed to
t authenticatee to specific reesource serverss in a trusting
forest.
You can storee DNS zones in
n application ppartitions, which allows them
m to
be replicated
d on domain coontrollers thatt are also DNS servers in the
domain, or even across thee forest.
Group attribuutes and otherr multi-valued attributes are e replicated at the
attribute leve
el, instead of th
he object leveel. In previous vversions of AD
D DS,
group memb bership was co onsidered part of the object, and the group p
would be rep plicated as a si ngle object. Th
his meant thatt if two
administrators changed thee membership p of the same g group in the same
replication peeriod, the last write would wwin. The first ch
hanges made w would
be lost, because the new veersion of the g group would replace the pre evious
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 8-11
Domain functional
Features
levels
one entirely. With multivalued replication, group membership is treated
at the attribute level, and therefore all originating updates are merged
together. This also greatly reduces the replication traffic that would occur.
An additional benefit from this is the removal of the previous group
membership restriction that limited the maximum number of members to
5,000.
Windows Server 2008 Distributed File System Replication (DFS-R) is available as a more
efficient and robust file replication service for the SYSVOL folders. DFS-R
can replace the file replication service NT File Replication Service (NTFRS).
A large amount of interactive logon information is stored for each user,
instead of just last logon time.
Fine-grained password settings allow account policies to be set for users
and groups, which replaces the default domain settings for those users or
group members.
Personal virtual desktops are available for users to connect to, by using
RemoteApp and Remote Desktop.
Advanced Encryption Services (AES 128 and 256) support for Kerberos is
available.
Read-only domain controllers (RODCs) provide a secure and economic
way to provide AD DS logon services in remote sites, without storing
confidential information such as passwords in untrusted environments.
Group and other multivalue attributes are replicated on a per-value level,
instead of being replicated together (which removed the limit of 5,000
users per group).
Windows Server 2008 Authentication mechanism assurance, which packages information about
R2 a users logon method, can be used in conjunction with application
authenticationfor example, with Active Directory Federation Services
(AD FS). In another example, a user logging on by using a smart card can
be granted access to more resources than when they log on with a
username and password.
Managed services accounts allow account passwords to be managed by
the Windows operating system, and provide service principal name (SPN)
management.
Windows Server 2012 Instead of the Windows PowerShell command-line interface, you can
use Server Manager for setting up and managing the AD DS Recycle Bin.
In Windows Server 2008, fine-grained password settings were
complicated to set up and deploy. In Windows Server 2012, you can use
Server Manager to deploy and manage these settings more conveniently.
Support for Dynamic Access Control and Kerberos armoring
Note: Generally, you cannot roll back AD DS domain functional levels. However, in
Windows Server 2012 and Windows Server 2008 R2, you are able to roll back to a minimum of
Windows Server 2008, as long as you do not have optional features (such as the Recycle Bin)
enabled. If you have implemented a feature that is only available in a higher domain functional
level, you cannot rollback to an earlier state.
MCT USE ONLY. STUDENT USE PROHIBITED
8-12 Implemennting Distributed Active Directory Domainn Services Deployments
AD
D DS Forest Function
nal Levels
The AD DS forest can run at diffferent function nal
leve
els, and sometiimes raising th
he AD DS foresst
funcctional level makes
m additional features
avaiilable. The most noticeable additional
a feattures
comme with the up pgrade to a Windows Server 2003
est functional level. Additional features tha
fore at are
madde available with Windows Server
S 2003 incclude:
Linked-value replication: Th
his feature
improved Windows 2000 Se erver replicatio
on, and impro
oved how grou
up membership
p was handled
d.
Alth
hough the Win ndows Server 2008
2 R2 AD DSS forest functio
onal level intro
oduced AD DSS Recycle Bin, tthe
Recyycle Bin had to
o be managed d with Windowws PowerShell. However, the version of Rem mote Server
Admministration To
ools (RSAT) tha at comes with Windows Servver 2012 has th he ability to m
manage the ADD DS
Recyycle Bin by usiing GUI tools.
Upgrading
U a Previous Version of AD DS tto Window
ws Server 2012
To
o upgrade a previous versionns of AD DS too
Windows
W Server 2012 AD DS , you can use either
off the following
g two methodss:
Upgrade th
he operating syystem on the existing
e
ntrollers to Windows Server 2012.
domain con
Introduce Windows
W Serve
er 2012 serverss as
domain con e existing domain.
ntrollers in the
You can theen decommisssion AD DS domain
controllers running earlieer versions of AD
A DS.
Of
O these two methods, the se econd is preferrred,
be ecause there will
w be no old or o disused codde and
filles remaining. Instead, you will
w have a clea an installation of the Window
ws Server 2012
2 operating syystem
annd AD DS data abase.
Upgrading
U to
o Windows Server 2012
To
o upgrade an AD DS domain n from Window ws Server 20088 functional leevel to Window
ws Server 2012
2
fu
unctional level,, you must first upgrade all the
t domain co ontrollers from
m the Window Server 2008
perating system to the Wind
op dows Server 20 012 operating system. You ccan achieve thiis by upgradin
ng all of
th
he existing dom
main controlle ers to Windowss Server 2012, or by introduccing new dom main controllerss
ru
unning Window ws Server 2012 2, and then ph
hasing out the existing domaain controllerss.
Th
here is no reasson to preventt Windows Servver 2012 serveers from being g part of a Winndows Server 22008
do
omain. Howevver, before you u can install the first domain controller thaat is running W
Windows Serve er 2012,
yo
ou must upgra ade the schema. In versions of o AD DS priorr to Windows Server 2012, yyou would run the
ad
dprep.exe tooll to perform thhe schema upg grades. In a W
Windows Serverr 2012 environ nment, the Active
Directory Doma ain Services Insstallation Wiza
ard that is inclu
uded in Serverr Manager inco orporates the
co
ommands nece essary to upgrrade the AD DS forest schem ma.
Note: Win
ndows Server 2012 still provvides a 64-bit vversion of ADP Prep, so you caan run
Adprep.exe separately. For exxample, if the administrator
a iinstalling the ffirst Windows Server 2012
do
omain controller is not a meember of the Enterprise
E Admmins group, theen you might need to run
th
he command separately.
s Youu only have to run adprep.exxe if you are planning to do an in-place
up e first Windows Server 2012 domain contro
pgrade for the oller in the do
omain.
The
T Upgrade
e Process
To
o upgrade the
e operating sysstem of a Wind ontroller to Windows Server 2012:
dows Server 20008 domain co
3.. After the opperating system selection wiindow and thee license accep
ptance page, o
on the Which ttype of
installation do you want?? window, chooose Upgrade: Install Windo ows and keepp files, setting
gs, and
apps.
With
W this type of o upgrade, AD D DS on the doomain controlller is upgradedd to Windows Server 2012 A AD DS. .
As a best practice, you shouldd check for harrdware and so ftware compa tibility before doing an upgrade.
Fo
ollowing the operating
o syste
em upgrade, reemember to u pdate your drrivers and othe er services (succh as
monitoring
m ageents), and checck for updates for both Micro
osoft applicatiions and non-Microsoft softw ware.
MCT USE ONLY. STUDENT USE PROHIBITED
8-14 Implemennting Distributed Active Directory Domainn Services Deployments
The
e Clean Insttallation Pro
ocess
To introduce a cle
ean install of Windows
W Serve
er 2012 as a do
omain membeer:
Migrating to
o Windowss Server 20
012 AD DSS from a Previous Ve
ersion
As part
p of deployiing AD DS, you u might choosse to
restructure your environment
e fo
or the followin
ng
reassons:
To optimize the
t arrangeme ent of elementts
within the log
gical Active Directory structu
ure.
To assist in co
ompleting a buusiness merger,
acquisition, or
o divestiture.
Resttructuring invoolves the migration of resources
betwween AD DS domains
d in eith
her the same fo
orest
or in
n different fore
ests. After you deploy AD DS S, you
migght decide to further reduce the complexitty of
your environmentt by either resttructuring AD D S domains b
between AD D
DS forests or re
estructuring
dommains within a single AD DS forest.
You
u can use the la atest version of
o the Active Directory
D Migraation Tool to p
perform objectt migrations an
nd
secu
urity translatio
on as necessaryy, so that userss can maintain
n access to netw
work resource
es during the
mig
gration processs.
Pre
e-Migration
n Steps
Befo
ore performing
g the migratioon, you must perform severa l tasks to prep
pare the source
e and target
dom
mains. These ta
asks include:
For domain member
m computers that are pre-Windows Vista Servicee Pack 1 (SP1) or Windows Server
2008 R2, conffigure a registry on the targe main controller to allow crypttography
et AD DS dom
algorithms th
hat are compattible with the Microsoft
M Win dows NT Serrver 4.0 operatting system.
Enable firewa
alls rules on source and targe
et AD DS dom ain controllerss to allow file aand printer shaaring.
Configure sou
urce and targe ains to enable SID History m
et AD DS doma migration.
Specify servicce accounts forr the migration
n.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 8-15
Perform a test
t migration,, and fix any errrors that are rreported.
Migration
M Stteps
When
W you are confident
c that all pre-migrattion steps havee been compleeted, you can ccomplete the
migration.
m During this process, you will mig
grate user accoounts, group accounts and ccomputer acco ounts to
th
he new domain n. You will also
o assign permissions to netw
work resources using the accounts in the nnew
do
omain.
Post-Migrati
P ion Steps
Thhe new accoun nts (SIDs) will still
s have accesss to resourcess, because theyy retain an attribute called SSID
History.
H For exaample, a user uses
u a new useer account to aattempt to acccess a resourcee to which the
ey had
e user being d enied becausee their SID is not referenced in the
acccess with theiir old account.. Instead of the
peermissions, the
ey can presentt their previous SID by using the SID Histo ory attribute. TThe migration tools
ca
an re-permit th he resources so the new SIDs are entered into the perm issions on the resource, and the old
SIID can be remo oved.
Once
O you have tested everyth
hing and verified that it is wo
orking in the n
new AD DS do
omain, you can
n
de t old domain controllers.
ecommission the
Note: The
e entire processs may involvee running the m
migration seveeral times. For example, the
usser accounts would
w be migraated early in th
he process, bu ounts profile m
ut the user acco migration
would
w be accom
mplished in another pass of the
t migration tool.
Additionaal Reading: Download
D the Active
A Directo ry Migration TTool version 3.2 from
htttp://www.miccrosoft.com/en
n-us/download d/details.aspx??id=8377.
Yo
ou can downlo oad the Active
e Directory Miggration Tool G uide from
htttp://www.miccrosoft.com/en
n-us/download d/details.aspx??id=19188.
Considerat
C ions for Im
mplementiing a Complex AD D
DS Environment
Be
efore impleme enting a complex AD DS
en
nvironment, it is important to
t consider
mplications of the design if the deploymen
im nt is to
be
e successful. With
W proper pla anning, you ca
an
de
esign an AD DSD model to prrovide the
ad
dministrative and
a security re equirements foor your
orrganization.
MCT USE ONLY. STUDENT USE PROHIBITED
8-16 Implementing Distributed Active Directory Domain Services Deployments
Some of the key points for consideration are listed in the following table.
DNS resolution for host Must support resolution throughout the organization
records and SRV records
Note: Details are discussed earlier in this module, and more information is available in
Module 9.
For this reason, the AD DS forest root domain must be treated with extra caution, particularly as the
Enterprise Admins group and the Domain Admins group in the AD DS forest root domain have full
control over every AD DS domain and object in the entire AD DS forest.
DNS Services
You should configure DNS services at the beginning of the deployment process, as all subsequent
operations will depend on DNS functioning correctly. This also means that all computers should be
configured with the IP addresses of at least two DNS servers so that they can successfully perform DNS
lookups. In a complex environment, it will be necessary to decide how to make DNS records accessible to
DNS resolvers (client computers).
Trust Relationships
You will also need to consider trust relationships for several reasons, such as:
Facilitating fast and reliable authentication traffic between AD DS domains in the same forest
(shortcut trusts).
Lesson 3
Config
guring AD
A DS Trusts
T
Thiss lesson examines trust relatiionships and how
h they proviide functionaliity for accessin ng resources and
loggging on to the
e domain. Therre are several types
t of trust rrelationships, aand this lesson
n describes the
em in
turn
n.
Wheen an AD DS multi-domain
m forest
f is create
ed, then trusts are automaticcally created to o link all of the
e
AD DS domains in n the AD DS fo orest. In additio
on, there are oother trusts thaat you can estaablish to proviide
add
ditional functio
onality. These trusts
t include shortcut,
s exterrnal, realm, andd forest trusts..
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
Describe the types of trustss that can be configured in a Windows Serrver 2012 environment.
Describe how
w to configure a forest trust.
Ov
verview of Different AD DS Tru
ust Types
In a multi-domain n AD DS forestt, two-way tran nsitive
trusst relationshipss are generated d automaticallly
betwween the AD DS D domains, so o that there is a
pathh of trust betwween all of the AD DS domains.
These trusts are ca alled parent-child trusts. The e
trussts that are auttomatically cre eated in the forest
are all transitive trrusts. That mea ans that if A trrusts
B, and B trusts C, then A trusts C. C However, th his
mayy not be the most
m w to provide an
efficient way
authhentication connection betw ween all of the
AD DS domains, and a you can im mprove
perfformance by setting up shorrtcut trusts.
Pa
arent and Transitive Two
o-way When a neew AD DS dom main is added to
ch
hild an existing AD DS tree, n new parent and
d
child trustss are created.
Trust
T type Transitiv
vity Diirection Descriptio
on
forest. Th
hese may also be set up to
provide a framework foor a migrationn.
How
H Trustss Work Within a Fore
est
When
W you set up
u trusts betwe een domains either
e
within
w the same e forest, acrosss forests, or witth an
exxternal realm, information ab bout these trusts is
sttored in AD DS S so you can re etrieve it whenn
ne ecessary. A tru
usted domain object
o stores this
in
nformation.
How
H Trusts Enable
E Userrs to Access Resources in a Forest
When
W a user atttempts to acce
ess a resource in another do main, the Kerbberos authentiication protocol must
de
etermine whetther the trustin
ng domain hass a trust relatio
onship with th e trusted dom
main.
To
o determine th his relationshipp, the Kerberos V5 protocol travels the tru ust path, utilizin
ng trust inform
mation
an
nd DNS lookup ps to obtain a referral to thee target domaiins domain co ontroller. The ttarget domain
co
ontroller issuess a service tick
ket for the requ est path in the trust
uested service.. The trust pat h is the shorte
hiierarchy.
When
W the user in the trusted domain attem mpts to access tthe resource in
n the other doomain, the users
co
omputer first contacts
c the doomain controller in its domaain to get authhentication to the resource. IIf the
esource is not in the users domain, the do
re omain controlleer uses the tru
ust relationship
p with its paren
nt, and
re
efers the userss computer to a domain controller in its paarent domain. This attempt to locate a ressource
co
ontinues up thhe trust hierarcchy, possibly to ot domain, an
o the forest roo nd down the trrust hierarchy, until
co
ontact occurs with
w a domain t domain w here the resou
n controller in the urce is located.
MCT USE ONLY. STUDENT USE PROHIBITED
8-20 Implemennting Distributed Active Directory Domainn Services Deployments
Ho
ow Trusts Work
W Betw
ween Foressts
If th
he AD DS envirronment conta ains more than
n one
foreest, then it is possible to set up
u trust
relationships betw ween the AD DS D forest roots..
These forest trustss can be eitherr complete tru usts or
seleective trusts. Fo n be one-way or
orest trusts can
two o-way.
A single forest truust relationship
p allows users who
w
are authenticated by a domain in one forest to t
acce
ess resources that
t are in the other forest, as
a
long
g as they have e been granted d access rights.. If
the forest trust is one-way, dom main controllerrs in
the trusting forestt can authenticcate users in any
dommain in the trusted forest. Fo orest trusts are significantly eeasier to estab
blish, maintain, and administe
er
n separate trusst relationships between eacch of the domaains in the foreests.
than
Fore
est trusts are particularly
p use
eful in scenario
os that involvee cross-organizzation collaborration or merg
gers
o within a single organization that has m ore than one fforest in which
and acquisitions, or h to isolate Acttive
Dire
ectory data and services. Forrest trusts are also
a useful for application seervice providerrs, for collaborrative
business extranetss, and for commpanies seeking g a solution foor administrativve autonomy.
Fore
est trusts provide the followiing benefits:
Simplified ma
anagement of resources acro oss two Windo ows Server 200
08 forests by re
educing the
number of exxternal trusts necessary
n to sh
hare resources..
Complete two
o-way trust relationships witth every domaain in each foreest.
Flexibility of administration
a n. Administrativve tasks can bee unique to eaach forest.
In AD
A DS in Windows Server 2008, you can lin nk two Window ws Server 2003
3 or Windows Server 2008 fo orests
togeether to form a one-way or two-way trust relationship. Y
You can use a two-way forest trust to form
ma
nsitive trust relationship betw
tran ween every domain in both fforests.
You
u must addresss several requirrements before you can imp
plement a foreest trust, includ
ding that the fo
orest
funcctional level must
m be Windows Server 2003 or newer, an
nd you must haave DNS name e resolution
betw
ween the foressts.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 8-21
Configuring
C g Advance
ed AD DS Trust
T Settiings
In
n some cases, trusts
t can present security issues.
y do not configure a trustt
Additionally, if you
properly, users who
w belong to o another dommain can
gaain unwanted access to som me resources. There
hnologies that you can use to
arre several tech o help
ontrol and manage security in a trust.
co
SID Filtering
Byy default, when you establish h a forest or domain
trrust, you enablle a domain quuarantine, which is
also known as SIDS filtering. When
W a user
auuthenticates inn a trusted dom
main, the user
presents authorrization data thhat includes thhe SIDs
off all of the gro
oups to which the
t user belon ngs. Additionallly, the users aauthorization d
data includes SSIDs
from other attributes of the user
u and the ussers groups.
AD DS sets SID filtering by de efault to prevent malicious u users who havee access at the domain or en nterprise
ad
dministrator leevel in a trusted forest or domain, from graanting (to the mselves or to other user acccounts
n their forest or domain) elevvated user righ
in hts to a trustin g forest or do ering prevents misuse
omain. SID filte
off the attributess that contain SIDs on securiity principals ((including InettOrgPerson obj bjects) in the trrusted
orest or domain. One commo
fo on example off an attribute tthat contains a SID is the SID D history attribbute
(S
SIDHistory) on n a user account object. Dom main administrrators typicallyy use the SID hhistory attributte to
se
eamlessly migrrate the user and group acco ounts that are held by a secu urity principal from one dom main to
an
nother. All SIDD filtering activvities occur in the
t backgroun nd, and adminiistrators do no ot need to exp plicitly
co
onfigure anyth hing unless the ey want to disa able SID filterin
ng.
When
W security principals
p are created
c in a do
omain, the SID D of the princippal includes thhe domain SID,, so that
yo
ou can identifyy in which dommain it was cre eated. The dom main SID is imp portant, becau use the Window
ws
se
ecurity subsysttem uses it to verify
v the idenntity of the sec urity principal, which in turn
n determines w
which
do
omain resourcces the user can access.
Authenticati
A on
When
W you creatte an external trust or a fore
est trust, you caan manage thee scope of autthentication off trusted
se
ecurity principa
als. There are two
t modes of authenticatio n for an extern nal or forest trrust:
Selective au
uthentication
If,, however, you u choose selecttive authenticaation, all userss in the trusted
d domain are ttrusted identitiies.
However, they are a allowed to authenticate only for servicces on computters that you specify. For exaample,
im
magine that yo ou have an external trust with a partner orrganizations d omain. You want to ensure that
on nly users from the partner organizations marketing
m grooup can access shared folderrs on only one of your
many
m file serverrs. You can con
nfigure selectivve authenticattion for the truust relationship
p, and then givve the
trrusted users the right to auth henticate only for that one ffile server.
MCT USE ONLY. STUDENT USE PROHIBITED
8-22 Implementing Distributed Active Directory Domain Services Deployments
AD DS routes all names that are subordinate to unique name suffixes implicitly. For example, if your forest
uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com
(childdomain.fabrikam.com) are routed, because the child domains are part of the fabrikam.com name
suffix. Child names appear in the Active Directory Domains and Trusts snap-in. If you want to exclude
members of a child domain from authenticating in the specified forest, you can disable name suffix
routing for that name. You also can disable routing for the forest name itself.
Demonstration Steps
As one of the senior network administrators at A. Datum, you are responsible for implementing an AD DS
infrastructure that will meet the company requirements. You are responsible for planning an AD DS
domain and forest deployment that will provide optimal services for both internal and external users,
while addressing the security requirements at A. Datum.
Objectives
Implement child domains in AD DS.
Lab Setup
Estimated Time: 45 minutes
20412A-LON-DC1
20412A-TOR-DC1
20412A-LON-SVR1
20412A-MUN-DC1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-TOR-DC1.
2. When the AD DS binaries have installed, use the Active Directory Domain Services Configuration
Wizard to install and configure TOR-DC1 as an AD DS domain controller for a new child domain
named na.adatum.com.
3. When prompted, use Pa$$w0rd as the Directory Services Restore Mode (DSRM) password.
2. When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If
it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local
Area Connection and then click Disable. Right-click Local Area Connection and then click Enable.
The Local Area Connection should now show Adatum.com.
3. From Server Manager, launch the Active Directory Domains and Trusts management console and
verify the parent child trusts.
Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC)
verification has failed, ensure that you have completed step 2 and then wait for at least 10-15 minutes.
You can continue with the lab and come back later to verify this step.
Results: After completing this exercise, you will have implemented child domains in AD DS.
2. Using the DNS management console, configure a DNS stub zone for treyresearch.net.
6. Using the DNS management console, configure a DNS stub zone for adatum.com.
3. On LON-SVR1, create a shared folder IT-Data and grant access to members of the treyresearch.net\it
group. If you are prompted for credentials, type Treyresearch\administrator with the password of
Pa$$w0rd.
Results: After completing this exercise, you will have implemented forest trusts.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Lab Review
Question: Why did you configure a delegated subdomain record in DNS on LON-DC1 before
adding the child domain na.adatum.com?
Question: What are the alternatives to creating a delegated subdomain record in Q1?
Question: When you are creating a forest trust, why would you create a selective trust instead of
a complete trust?
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 8-27
The Domain Name Service is crucial to the satisfactory functioning of an AD DS system, and students saw
different ways to provide a robust DNS record resolution process in a multi-domain situation. The
different DNS resolution methods were discussed, including forwarders, conditional forwarders,
delegation, secondary zones, and stub zones. Students also saw how trust relationships can provide an
effectual authentication mechanism in various environments.
Module 9
Implementing Active Directory Domain Services Sites and
Replication
Contents:
Module Overview 9-1
Module Overview
When you deploy Active Directory Domain Services (AD DS), it is important to provide an efficient logon
infrastructure and a highly available directory service. Implementing multiple domain controllers
throughout the infrastructure helps you meet both of these goals. However, you must ensure that AD DS
replicates Active Directory information between each domain controller in the forest. In this module, you
will learn how AD DS replicates information between domain controllers within a single site and
throughout multiple sites. You also will learn how to create multiple sites and monitor replication to help
optimize AD DS replication and authentication traffic.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of AD
A DS Replicat
R tion
Within an AD DS infrastructure, standard dom main controllerrs replicate Active Directory information b
by
usin
ng a multimastter replication model. This means
m that if a change is madde on one dom main controlle
er, that
change then replicates to all oth
her domain co ontrollers in th e domain, and
d potentially to
o all domain
controllers throug
ghout the entirre forest. This lesson providees an overvieww of how AD D DS replicates
info
ormation between both stand dard and read d-only domain controllers (RODC).
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
Describe how
w you generate
e the replicatio
on topology.
Describe how
w read-only do
omain controlle
er replication w
works.
Wh
hat Are AD
D DS Partittions?
The Active Directo ory data store contains
info
ormation that ADA DS distribu utes to all dom
main
controllers throug ghout the forest infrastructure.
Mucch of the inforrmation that thhe data store
contains is distributed within a single
s domain.
Howwever, some in nformation ma ay be related to
o,
and replicated thrroughout, the entire forest,
regaardless of the domain
d bound daries.
To help
h provide re
eplication efficciency and
scalability betweeen domain con ntrollers, the Acctive
Dire
ectory data is separated
s logically into seveeral
parttitions. Each pa
artition is a un
nit of replicatio
on,
and each partition n has its own replication
r toppology. The deefault partitions include the ffollowing:
schema to provide appliccation-specific configurationn enhancements. These chan nges target the
e
domain conntroller that co
ontains the forrests schema m
master role. O nly the schema master is pe
ermitted
to make ad
dditions to classses and attributes.
Domain partition. When youy create a new n domain, AAD DS automattically creates and replicatess an
instance of the domain partition
p to all of
o the domain ns domain conntrollers. The ddomain partitio
on
contains infformation aboout all domain--specific objeccts, including u
users, groups, ccomputers,
organizatioonal units (OUss), and domain n-related systeem settings. All objects in eveery domain paartition
in a forest are
a stored in thhe global catalog, with only a subset of th heir attribute vvalues.
Application n partition. The
e application partition
p storess nondomain, application-re elated information
that may ha ave a tendencyy to be update or have a speccified lifetime. An application
ed frequently o n is
typically programed to determine how it stores, cate gorizes, and u uses application-specific infoormation
stored in thhe Active Direcctory database e. To prevent u
unnecessary reeplication of an n application
partition, yoou can designate which dom main controllerrs in a forest w
will host the sp
pecific applications
partition. Unlike
U a domain partition, an n application p
partition does n not store security principal o
objects,
such as use er accounts. Addditionally, the ogue does not store data con
e global catalo ntained in appplication
partitions.
Characteris
C stics of AD
D DS Repliccation
An effective ADD DS replication n design ensurres that
ea
ach partition on
o a domain co ontroller is con
nsistent
with
w the replicas of that partittion hosted on n other
doomain controllers. Typically, not all domain
co
ontrollers havee exactly the sa ame information in
th
heir replicas at any one mom ment because
hanges are occcurring to the direction consstantly.
ch
However, Active e Directory rep plication ensurres that
all changes to a partition are transferred to all
re
eplicas of the partition.
p Activve Directory
eplication balances accuracy (or integrity) and
re
onsistency (called convergen
co nce) with performance
(k
keeping replicaation traffic to a reasonable level).
Th
he key charactteristics of Actiive Directory replication
r are::
Collision dete
ection and management. On n rare occasionns, you can moodify an attribu
ute on two diffferent
domain contrrollers during a single replica
ation window. If this occurs, you must recooncile the two
o
changes. AD DS has resoluttion algorithms that satisfy aalmost all scenarios.
Ho
ow AD DS Replicatio
on Works Within
W a Siite
AD DS replication n within a singlle site is called
d
intra
asite replicatio
on, which takess place
autoomatically. However, you can configure it to
occuur manually, as necessary. Th he following
concepts are relatted to intrasitee replication:
Connection objects
o
The knowledg
ge consistencyy checker (KCC
C)
Notification
Polling
Con
nnection Ob
bjects
A doomain controller that replicaates changes from another d domain contro
oller is called a replication paartner.
Repplication partne
ers are linked by
b connection nnection objecct represents a replication p
n objects. A con path
from
m one domain controller to another. Conn nection objectss are one-way,, representing inbound-onlyy pull
repllication.
To view
v and confiigure connection objects, op pen Active Direectory Sites annd Services, and then select tthe
NTDDS Settings container of a do omain controlllers server objject. You can fforce replicatio
on between tw wo
dom nection object, and then seleecting Replicatte Now. Note that
main controllerrs by right-cliccking the conn
repllication is inbo
ound-only, so ifi you want to replicate bothh domain conttrollers, you ne eed to replicate the
inbo
ound connection object of each e domain controller.
The
e Knowledg
ge Consisten
ncy Checkerr
The replication pa aths built betw
ween domain controllers
c by cconnection obbjects create th
he forests
repllication topolo
ogy. You do no ot have to creaate the replicattion topology manually. By default, AD DSS
crea
ates a topology that ensures effective replication. The to opology is twoo-way, which mmeans that if any
onee domain contrroller fails, replication contin
nues uninterru pted. The topoology also enssures that there are
no more
m than thre
ee hops betwe een any two do omain control lers.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 9-5
On each domain controller, a component of AD DS called the knowledge consistency checker (KCC) helps
generate and optimize the replication automatically between domain controllers within a site. The KCC
evaluates the domain controllers in a site, and then creates connection objects to build the two-way,
three-hop topology described earlier. If you add or remove a domain controller, or if a domain controller
is not responsive, the KCC rearranges the topology dynamically, adding and deleting connection objects
to rebuild an effective replication topology. The KCC runs at specified intervals (every 15 minutes by
default) and designates replication routes between domain controllers that are the most favorable
connections available at the time.
You can create connection objects manually to specify replication paths that should persist. However,
creating a connection object manually is not typically required or recommended because the KCC does
not verify or use the manual connection object for failover. The KCC will also not remove manual
connection objects, which means that you must delete connection objects that you create manually.
Notification
When a change is made to an Active Directory partition on a domain controller, the domain controller
queues the change for replication to its partners. By default, the source server waits 15 seconds to notify
its first replication partner of the change. Notification is the process by which an upstream partner informs
its downstream partners that a change is available. By default, the source domain controller then waits
three seconds between notifications to additional partners. These delays, called the initial notification
delay and the subsequent notification delay, are designed to stagger the network traffic that intrasite
replication can cause.
Upon receiving the notification, the downstream partner requests the changes from the source domain
controller, and the directory replication agent pulls the changes from the source domain controller. For
example, suppose domain controller DC01 makes an initial change to AD DS. It is the originating domain
controller, and the change that it makes, that originates the change. When DC02 receives the change
from DC01, it makes the change to its directory. DC02 then queues the change for replication to its own
downstream partners.
Then, suppose DC03 is a downstream replication partner of DC02. After 15 seconds, DC02 notifies DC03
that it has a change. DC03 makes the replicated change to its directory, and then notifies its downstream
partners. The change has made two hops, from DC01 to DC02, and then from DC02 to DC03. The
replication topology ensures that no more than three hops occur before all domain controllers in the site
receive the change. At approximately 15 seconds per hop, the change fully replicates in the site within
one minute.
Polling
At times, a domain controller may not make any changes to its replicas for an extended time, particularly
during off hours. Suppose this is the case with DC01. This means that DC02, its downstream replication
partner, will not receive notifications from DC01. DC01 also might be offline, which would prevent it from
sending notifications to DC02.
It is important for DC02 to know that its upstream partner is online and simply does not have any
changes. This is achieved through a process called polling. During polling, the downstream replication
partner contacts the upstream replication partner with queries as to whether any changes are queued for
replication. By default, the polling interval for intrasite replication is once per hour. You can configure the
polling frequency from a connection objects properties by clicking Change Schedule, although we do
not recommend it If an upstream partner fails to respond to repeated polling queries, the downstream
partner launches the KCC to check the replication topology. If the upstream server is indeed offline, the
KCC rearranges the sites replication topology to accommodate the change.
MCT USE ONLY. STUDENT USE PROHIBITED
9-6 Implementing Active Directory Domain Services Sitees and Replication
Resolving Re
eplication Conflicts
Because AD DS su upports a multtimaster replica ation
mod del, replication
n conflicts mayy occur. Typicaally,
therre are three types of replicattion conflicts that
mayy occur in AD DS:
D
Timestamp. The
T timestamp p is the updates originating ttime and datee according to the system clo
ock of
the domain controller
c wherre the change is made.
Ressolving Rep
plication Con
nflicts
The table below outlines
o severa
al conflicts and
d how AD DS reesolves the isssue:
Co
onflict Resolution
How
H Repliccation Top
pology Is Generated
G
Re
eplication topo ology is the ro
oute by which replication datta travels thro
ough a networkk. To create a
re
eplication topo ology, AD DS must
m determinne which domaain controllers replicate dataa with other doomain
co
ontrollers. AD DS creates a re eplication topo
ology based oon the informaation that AD DDS contains. Beecause
ach AD DS parrtition may be replicated to different dom ain controllerss in a site, the replication top
ea pology
ca
an differ for scchema, configu uration, domaiin, and applicaation partitionss.
Beecause all dom main controllerrs within a fore est share schem ma and config guration partitiions, AD DS re
eplicates
scchema and con nfiguration partitions to all domain
d controollers. Domain controllers in the same dom main
also replicate thhe domain parrtition. Additionally, domain controllers thaat host an app plication partition also
re
eplicate the ap pplication partiition. To optimmize replication main controller may have sevveral
n traffic, a dom
re
eplication partners for differe ent partitions. In a single sitee, the replication topology wwill be fault tollerant
annd redundant. This means th hat if the site contains
c more than two dom main controllerrs, each domaiin
coontroller will have
h wo replication partners for eaach AD DS parrtition.
at least tw
How
H the Sch
hema and Co
onfiguration Partitionss Are Repliccated
Re
eplication of the schema and d configuration partitions foollows the samme process as aall other directo
ory
pa
artitions. Howe ever, because these partition
ns are forest-w
wide rather thaan domain-wid de, connectionn objects
or these partitions may exist between any two
fo t domain co ontrollers regaardless of the d
domain contro ollers
omain. Furthermore, the rep
do plication topolo
ogy for these partitions incluudes all domain controllers in the
fo
orest.
How
H the Glo
obal Catalog
g Affects Re
eplication
Th
he configuratioon partition co
ontains inform
mation about th he site topologgy and other g global data forr all
do
omains that arre members off the forest. ADD DS replicatess the configuraation partitionn to all domainn
co
ontrollers through normal fo orest-wide replication. Each g
global catalog g server obtainns domain info ormation
byy contacting a domain contrroller for that domain
d and o
obtaining the p partial replica iinformation. The
co
onfiguration partition also provides the doomain controll ers with a list of the forests global catalogg
se
ervers.
How
H RODC
C Replicatio
on Works
As previously mentioned,
m dommain controllers
re
eplicate data by
b pulling channges from othe er
orriginating dommain controllerrs. A RODC does not
allow any non-rreplicated chan nges to be wriitten to
itss database and
d never replica
ates any informmation
ouut to other domain controlleers. Since channges are
neever written to
o an RODC dire ectly, other do
omain
coontrollers do not
n have to pull directory cha anges
from an RODC. Restricting RO ODCs from
orriginating channges prevents any changes or o
coorruption that a malicious usser or applicattion
might
m make fro
om replicating to the rest of the
t
fo
orest.
MCT USE ONLY. STUDENT USE PROHIBITED
9-8 Implementing Active Directory Domain Services Sitees and Replication
The RODC responds to the client and proovides a referraal to a writablee domain conttroller. The
application ca
an then commmunicate directtly with a writaable domain co ontroller. Lightweight Directtory
Access Protoccol (LDAP) and
d DNS record updates
u are exxamples of accceptable RODC C referrals.
Whe en you implem ment an RODC C, the KCC dete ects that the d
domain controller is configurred with a readd-only
repllica of all appliicable domain partitions. Because of this, tthe KCC createes one-way on nly connection
n
ects from one or more sourcce Windows Se
obje erver 2008 or h higher domain n controllers to
o the RODC.
For some tasks, an n RODC perforrms inbound replication
r usin
ng a replicate--single-object (RSO) operatio
on.
Thiss is initiated on andard replicattion schedule. These tasks in
n-demand outside of the sta nclude:
Password cha
anges.
DNS updates when a client is referred to a writable DN
NS server by the RODC. The R RODC then
attempts to pull
p the change es back using an RSO operattion. This onlyy occurs for Active Directory--
integrated DN
NS zones.
Ho
ow SYSVOLL Replication Works
The SYSVOL is a collection
c of files and folderss on
each
h domain conttroller that is linked to
%SyystemRoot%\S SYSVOL locatioon. SYSVOL
contains logon scripts and objects related to
Group Policy suchh as Group Po olicy templatess. The
contents of the SY
YSVOL folder replicate
r to eveery
dom
main controllerr in the domain using the
connection objectt topology and d schedule thaat the
KCC
C creates.
In Windows
W Serve
er 2008 and ne ewer domains, you can use D Distributed Filee System Repliication to repliicate
the contents of SYYSVOL. Distributed File Syste em Replication n supports rep lication scheduling and
ban es a compression algorithm known as Rem
ndwidth throttlling, and it use mote Differentiial Compressio on
(RDC). Using RDC, Distributed FileF System Rep plication repliccates only the differences (or changes withhin
filess) between the
e two servers, resulting
r in low
wer bandwidth h use during reeplication.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 9-9
Note: You can use the dfsrmig.exe tool to migrate SYSVOL replication from the File
Replication Service to Distributed File System Replication . For the migration to succeed, the
domain functional level must be at least Windows Server 2008.
MCT USE ONLY. STUDENT USE PROHIBITED
9-10 Implemennting Active Directoryy Domain Services Sites and Replication
Lesson 2
Config
guring AD
A DS Sites
S
Within a single sitte, AD DS repliication occurs automaticallyy without regarrd for networkk utilization.
How wever, some organizations have h multiple lo
ocations that aare connectedd by wide area network (WAN)
connections. If thiis is the case, you
y must ensure that AD DSS replication do oes not impactt network
utilization negativvely between locations. You also may need d to localize neetwork service
es to a specific
locaation. For exammple, you may want users at a branch officce to authenticcate to a domaain controller
locaated in their lo
ocal office, rath
her than over the
t WAN conn nection to a do omain controlller located in tthe
main office. You can
c implementt AD DS sites to t help manag ge bandwidth o over slow or unreliable netw work
connections, and to assist in serrvice localizatioon for authenttication as well as many othe er site-aware
servvices on the neetwork.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe AD DS sites.
Configure additional AD DS
S sites.
Describe how
w AD DS replica
ation works be
etween sites.
Describe how
w Service Locattor (SRV) recorrds are used to
o locate doma in controllers.
Describe how
w client compu
uters locate domain controlleers.
Wh
hat Are AD
D DS Sites??
To most
m administrators, a site iss a physical
loca e, or a city typically separated
ation, an office d by
a WAN
W connectio on. These sites are physically
connected by network links that might be as basic
as dial-up
d connecctions or as sop phisticated as fiber
links. Together, thhe physical locations and link ks
mak ke up the physsical network infrastructure.
Manage replication traffic. Typically, there are two typees of network LAN connectio ons within an
enterprise environment: higghly connected d and less highhly connected. Conceptuallyy, a change maade to
AD DS should d replicate imm
mediately to other domain ccontrollers with hin the highly connected ne etwork
in which the change
c was made.
m Howeverr, you might no ot want the ch hange to repliccate immediately
over a slowerr, more expenssive, or less reliable link to an
nother site. Insstead, you migght want to
optimize perfformance, redu uce costs, and manage band dwidth, you caan manage rep plication over less
highly conneccted segmentss of your enterrprise. An Activve Directory siite represents a highly conne ected
portion of your enterprise. When you deffine a site, the domain contrrollers within the site replicate
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 9-11
changes alm
most instantly.. However, you
u can manage and schedule replication be
etween sites ass
needed.
Provide serrvice localizatioon. Active Direectory sites hellp you localizee services, inclu
uding those prrovided
by domain controllers. Du uring logon, Windows
W clientts are automattically directed d to domain
controllers in their sites. If domain conttrollers are nott available in ttheir sites, theyy are directed to
domain con ntrollers in the e nearest site that can authen nticate the clieent efficiently. Many other se ervices
plicated Distributed File Syste
such as rep em (DFS) resou urces are also site-aware to e ensure that ussers are
directed to a local copy of o the resource e.
What
W Are Su
ubnet Objects?
Su
ubnet objects identify the neetwork addresses that map ccomputers to A AD DS sites. A subnet is a se
egment
work to which a set of logica
off a TCP/IP netw al IP addressess are assigned.. Because the ssubnet objectss map to
th
he physical nettwork, so do th
he sites. A site can consist off one or more subnets. For e example, if youur
etwork has thrree subnets in New York and
ne d two in Londo New York and one in
on, you can creeate a site in N
Lo
ondon, respecttively, and the
en add the sub bnets to the resspective sites.
Note: Wh hen designing your AD DS site configurati on, it is critica l that you corrrectly map IP
ubnets to sites. Likewise, if th
su he underlying network confi guration chan nges, you mustt ensure that
th
hese changes are a updated to o reflect the cu
urrent IP subneet to site mappping. Domain controllers
usse the IP subne et informationn in AD DS to map
m client com mputers and seervers to the ccorrect AD DS
sitte. If this mapp
ping is not acccurate, AD DS operations succh as logon traaffic and applyying Group
Poolicies are likely to happen across
a WAN linnks and may b be disrupted.
Default
D First Site
AD DS creates a default site when
w all a forests firsst domain con
you insta ntroller. By deffault, this site is called
Default-First-Sit
D te-Name. You can rename th his site to a mo ore descriptivee name. When you install the e
fo
orests first dom
main controller, AD DS placees it in the defaault site autom
matically. If youu have a single e site, it
is not necessaryy to configure subnets or addditional sites s ince all machines will be covvered by the d default-
firrst-site-name default
d site. Ho ple sites need to have subneets associated tto them as nee
owever, multip eded.
Why
W Implement Add
ditional Sites?
Evvery Active Dirrectory forest includes
i at least one
sitte. You should
d create additioonal sites when:
A slow link separates partt of the netwo ork. As
previously mentioned,
m a site
s is characte erized
by a locatioon with fast, re
eliable, inexpennsive
connectivityy. If two locations are conne ected
by a slow link, you should d configure each
location as a separate AD D DS site. A slo
ow link
typically is one that has a connection of o less
than 512 kiilobits per seco ond (Kbps).
A part of th
he network hass enough users to
warrant hossting domain controllers
c or other
services in that
t location. Concentration
C ns of users can also influencee your site design. If a netwoork
location has a sufficient number
n of users for whom th he inability to authenticate wwould be
problematic, place a dom main controllerr in the locatio
on to support aauthentication n within the loccation.
After you place
p a domainn controller or other distribu ted service in a location that will support those
MCT USE ONLY. STUDENT USE PROHIBITED
9-12 Implemennting Active Directoryy Domain Services Sites and Replication
De
emonstration: Config
guring AD DS Sites
In th
his demonstration, you will see
s how to con
nfigure AD DSS sites.
Dem
monstration
n Steps
1. From Server Manager,
M open
n Active Directtory Sites and Services.
2. Rename the Default-First-S
D ite-Name site,, as needed.
Ho
ow Replication Work
ks Between
n Sites
The main characte eristics or assu
umptions abou
ut
repllication within sites are:
Th
he main characteristics or asssumptions abo
out replication
n between sitees are:
Replication between sitess occurs autom matically after yyou have defin
ned configurable values, succh as a
schedule orr a replication interval. You can
c schedule rreplication for inexpensive o or off-peak houurs. By
anges are repliicated between sites accordiing to a sched
default, cha dule that you d
define, and nott
according to
t when chang ges occur. The schedule deteermines when replication can occur. The in nterval
specifies ho
ow often doma ain controllers check for chaanges during the time that reeplication can occur.
What
W Is the
e Inter-Site
e Topology Generator?
When
W you configure multiple e sites, the KCCC on
onne domain con ntroller in each
h site is design
nated
ass the sites Inte
er-Site Topolog gy Generator (ISTG).
(
Thhere is only on ne ISTG per sitee, regardless of
o how
many
m domains or other directtory partitionss the
sitte has. ISTG is responsible fo or calculating the
t
sittes ideal replication topolog gy.
When
W you add a new site to the
t forest, each h sites
STG determines which directory partitions are
IS
present in the new
n site. The IS
STG then calcu ulates
hoow many new connection ob bjects are neceessary
to
o replicate the new sites req quired information. In
so
ome networks,, you might wa ant to specify that
t only certaain domain controllers are reesponsible for
in
ntersite replicattion. You can dod this by specifying bridge head servers. TThe bridgeheaad servers are
esponsible for all replication into, and out of, the site. ISTTG creates thee required connection agreement in
re
itss directory, and this information is then re eplicated to thee bridgehead server. The briidgehead server then
crreates a replicaation connection with the brridgehead servver in the remo ote site, and re
eplication beg
gins. If a
eplication partner becomes unavailable,
re u th
he ITSG autom atically selectss another dommain controller,, if
poossible. If bridg
gehead serverrs have been manually
m assignned, and they become unavailable, ISTG w will not
auutomatically se elect other serrvers.
Ov
verview of SRV Records for Do
omain Con
ntrollers
Whe en you add a domain
d contro
oller to a doma ain,
the domain controller advertise es its services by
b
creaating SRV recoords (also knowwn as locator
recoords) in DNS. Unlike
U host A records, which map
hostt names to IP addresses,
a SRV
V records map
servvices to host na
ames. For exammple, to publissh its
ability to provide authentication n and directory
acceess, a domain controller regiisters Kerbeross
verssion 5 protocool and LDAP SR RV records. The ese
SRVV records are added to severa al folders within
the forests DNS zones.
z
Protocol. The
e TCP or UDP iss indicated as a transport prrotocol for thee service. The same service caan use
both protocools in separate SRV records. Kerberos
K recorrds, for examp le, are registerred for both TCCP
and UDP. Miccrosoft clients use only TCP, but UNIX clien nts can use booth UDP and T TCP.
The service name in an SRV reco ord follows thee standard DNNS hierarchy w with componen
nts separated b
by
dotss. For examplee, a domain controllers Kerb
beros service iss registered as::
kerb
beros._tcp.siten
name._sites.do
omainname, wh here:
kerberos: A Kerberos
K Key Distribution
D Center (KDC)thatt uses TCP as i ts transport prrotocol
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 9-15
How
H Clientt Compute
ers Locate Domain C
Controllerss Within Siites
When
W you join a Windows clie ent to a domaain and
re
estart it, it goes through a do omain controlller
lo
ocation and reg gistration proccess. The goal of this
re
egistration pro ocess is to locatte the domain
n
co
ontroller with the
t most efficiient and closesst
lo
ocation to the clients locatioon based on IPP subnet
in
nformation.
Th
he process for locating a domain controlle
er is:
Automatic
A Site Coverag
ge
As mentioned previously,
p youu can configure plicated resources,
e sites to direcct users to locaal copies of rep
su
uch as shared folders
f replicated within a DFS
D namespacee. There may b be scenarios in n which you on nly
re
equire service localization wiith no need for a domain co ontroller locateed within the site. In this case
e, a
ne
earby domain controller willl register its SR
RV records in tthe site by usin ng a process caalled site coverage.
A site without a domain contrroller generallyy is covered byy a domain co ontroller in a siite with the low
west
sitte-link cost to the site that requires
r age. You also ccan configure site coverage and SRV record
covera
priority manually if you want to control autthentication in sites without domain controllers.
Lesson 3
Config
guring and
a Monitoring
g AD DSS Repliccation
Afte
er you configure the sites tha at represent yo
our network innfrastructure, tthe next step is to determinee if
any additional site
e links are necessary to help control AD D S replication. A AD DS providees several optio
ons
thatt you can conffigure to contrrol how replica
ation occurs ovver site links. Y
You also need to understand d the
tools that you can
n use to monitor and manag ge replication iin an AD DS neetwork environ nment.
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
Explain the co
oncept of site link bridging.
Describe Univversal Group Membership
M ca
aching.
Configure AD
D DS intersite replication.
r
Describe options for config
guring passworrd replication p
policies for RO
ODCs.
Wh
hat Are AD
D DS Site Links?
L
For two sites to exxchange repliccation data, a site
s
link must connectt them. A site link is a logicall
pathh that the KCC C\ISTG uses to establish
repllication between sites. When n you create
addditional sites, yoou must selectt at least one site
s
link that will conn nect the new siite to an existinng
site.. Unless a site link is in place
e, the KCC cannnot
mak ke connectionss between com mputers at diffferent
sitess, nor can replication occur between
b sites.
To better
b understand this conceept, consider the following eexample. When n you create a forest, one sitte link
objeect is created: DEFAULTIPSIT TELINK. By defa w site that you add is associaated with the
ault, each new
DEFFAULTIPSITELIN NK. Consider an
a organization with a data ccenter at the h headquarters aand three bran nch
officces. The three branch officess are each connected to the data center w with a dedicate
ed link. You cre
eate
nch office: Seattle (SEA), Amsterdam (AMSS), and Beijing (PEK). Each off the sites, inclu
sitess for each bran uding
headquarters, is associated with h the DEFAULT TIPSITELINK sitte link object
Because all four siites are on the k, you are instrructing AD DS that all four sites can replicate
e same site link
with
h each other. That
T means tha at Seattle mayy replicate channges from Ammsterdam; Amsterdam may
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 9-17
re
eplicate changes from Beijingg; and Beijing may replicate changes from m the headquarters, which in n turn
re
eplicates changges from Seatttle. In several of
o these replicaation paths, th
he replication ttraffic on the n
network
flo
ows from one branch throug gh the headqu uarters on its w
way to anotherr branch. Withh a single site liink, you
doo not create a hub-and-spoke replication topology even n though yourr network topo ology is hub-and-
sp
poke.
Too align your ne
etwork topoloogy with Active e Directory rep plication, you m
must create sp
pecific site linkss. That
is,, you can manually create sitte links that re
eflect your inteended replication topology. Continuing th he
preceding exam mple, you woulld create three e site links as fo
ollows:
HQ-AMS in
ncludes the He
eadquarters an
nd Amsterdam sites.
What
W Is Site
e Link Brid
dging?
After you have created site lin nks and the IST TG
ge enerates connection objectss to replicate
pa artitions betweeen domain co ontrollers that share a
sitte link, your work
w might be complete. In many
m
ennvironments, particularly
p thoose with
sttraightforward network topo ologies, site links
might
m be sufficient to managee intersite replication.
In
n more comple ex networks, ho
owever, you ca an
coonfigure additional components and repliccation
properties.
Automatic
A Site Link Brid
dging
Byy default, all siite links are bridged. For exa
ample,
if the Amsterdam and Headquarters sites arre linked, and the Headquarrters and Seatttle sites are linked,
Amsterdam and d Seattle are linnked with a higher cost. Thiss means, theorretically, that tthe ISTG could
d create
a connection ob bject directly between
b a dommain controllerr in Seattle and
d a domain co ontroller in
Amsterdam whe en a domain controller
c is no
ot available at tthe headquartters for replicaation, again wo
orking
arround the hub b-and-spoke network topolo ogy.
Th
he figure on th
he slide illustra
ates the use off a site link brid
dge in a forestt in which auto
omatic site-link
bridging has beeen disabled. ByB creating a siite link bridge,, AMS-HQ-SEA A, that includees the HQ-AMSS and
MCT USE ONLY. STUDENT USE PROHIBITED
9-18 Implemennting Active Directoryy Domain Services Sites and Replication
Wh
hat Is Univ
versal Grou
up Membe
ership Cacching?
One e of the issues that you may need to addre ess
whe en configuring g AD DS replica
ation is whethe er to
depploy global catalog servers inn each site. Beccause
globbal catalog serrvers are required when userrs log
t the domain, deploying a global
on to g catalog
g
servver in each site
e optimizes the
e user experien nce.
How wever, deploying a global ca atalog server in
na
site might result in additional re
eplication trafffic,
which may be an issue if the network connecttion
betwween AD DS siites has limitedd bandwidth. In I
thesse scenarios, you can deployy domain
controllers runnin ng Windows Se erver 2008 or
newwer, and then enable
e universal group mem mbership cachin
ng for the sitee.
By default,
d niversal group membership information co
the un ontained by eaach domain co ontrollers cach
he is
eshed every eiight hours. To refresh the ca
refre ache, domain ccontrollers sen
nd a universal g
group membe ership
confirmation requuest to a designated global catalog
c server..
You
u can configure
e universal gro
oup membersh
hip caching fro
om the properrties of the NT
TDS Site Settin
ngs
nod
de.
Co
ontrolling Intersite
I Replication
n
Whe en you create a site link, you
u have a numbber of
configuration opttions that you can use to help
control inter-site replication. Th
hese options
include:
Demonstra
D ation: Conffiguring AD DS Interrsite Repliccation
In
n this demonsttration, you will see how to configure
c AD D
DS intersite rep
plication.
Demonstrati
D ion Steps
1.. From Serve
er Manager, op
pen Active Dire
ectory Sites an
nd Services.
4.. Modify the Cost, Replicattion interval, and Schedule aas needed.
5.. If necessaryy, open the pro e IP node, and then modify tthe Bridge all site links opttion.
operties of the
Options
O forr Configurring Passw
word Repliccation Policies for RO
ODCs
ROODCs have un nique AD DS re eplication
re
equirements re elated to cache ed users credeentials.
Thhey use password replication n policies to
deetermine whicch users credentials might be
ca
ached on the server.
s If a passsword replicattion
poolicy allows an
n RODC to cache a user's
crredentials, the RODC can pro ocess that userrs
au a service-ticcket activities . If a
uthentication and
usser's credentia
als are not allowwed to be cached on
th
he RODC, the RODC
R refers thhe authenticattion
annd service-tick
ket activities to
o a writable doomain
co
ontroller.
To e managementt of password replication po licy, two domaain local security groups are created
o facilitate the
in
n the Users con ntainer of AD DS.
D The first on ne, the Alloweed RODC Passw word Replicatioon Group, is added to
th
he Allowed Listt for each neww RODC. By deffault, the grou up has no mem mbers. Therefoore, by default,, a new
ROODC will not cache
c want to be cached by
any userrs credentials. If there are ussers whose creedentials you w
all domain ROD DCs, add those users to the Allowed
A RODC C Password Rep plication Group. As a best prractice,
yo
ou can create one Allow List per site, and configure
c onlyy the users assigned to that ssite in the Allo
ow List.
MCT USE ONLY. STUDENT USE PROHIBITED
9-20 Implemennting Active Directoryy Domain Services Sites and Replication
De
emonstration: Config
guring Passsword Rep
plication P
Policies
In th
his demonstration, you will see
s how to con
nfigure passwo
ord replication
n policies.
Dem
monstration
n Steps
1. Run Active Diirectory Users and Compute
ers.
8. Click OK.
Tools for Mo
onitoring and
a Manag
ging Repliication
Afte
er you have im mplemented yo our replication
configuration, you u must be able e to monitor
repllication for ong
going supportt, optimization n, and
trou
ubleshooting. Two
T tools are particularly usseful
for reporting and analyzing rep plication: the
Repplication Diagnnostics tool (Re
epadmin.exe) anda
the Directory Servver Diagnosis (Dcdiag.exe)
( to
ool.
The
e Repadmin
n.exe Tool
The Replication Diagnostics
D too
ol, Repadmin.exe, is
a co
ommand-line toolt that enables you to repoort
the status of replication on eachh domain
controller. The infformation thatt Repadmin.exe
prod
duces can help p you spot a potential
p problem with repliccation in the foorest. You can view levels of detail
dowwn to the repliccation metadaata for specific objects and aattributes, enab
bling you to id
dentify where aand
wheen a problematic change was made to AD DS. You can eeven use Repad dmin.exe to crreate the repliccation
topo
ology and forcce replication between
b doma ain controllerss.
Rep
padmin.exe sup
pports a numb nds that perforrm specific tassks. You can learn about each
ber of comman
com
mmand by typing repadmin /?:command d. Most commaands require a rguments. Maany commandss take
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 9-21
a DC_LIST parameter, which is simply a network label (DNS, NetBIOS name, or IP address) of a domain
controller. Some of the replication monitoring tasks you can perform by using Repadmin are:
Display the replication partners for a domain controller. To display the replication connections of a
domain controller, type repadmin /showrepl DC_LIST. By default, Repadmin.exe shows only intersite
connections. Add the /repsto argument to see intersite connections, as well.
Display connection objects for a domain controller. Type repadmin /showconn DC_LIST to show the
connection objects for a domain controller.
Display metadata about an object, its attributes, and replication. You can learn a lot about replication
by examining an object on two different domain controllers to find out which attributes have or have
not replicated. Type repadmin /showobjmeta DC_LIST Object, where DC_LIST indicates the domain
controller(s) to query. (You can use an asterisk [*] to indicate all domain controllers.) Object is a
unique identifier for the object, its distinguished name or GUID, for example.
You can also make changes to your replication infrastructure by using Repadmin. Some of the
management tasks you can perform are:
Launching the KCC. Type repadmin /kcc to force the KCC to recalculate the inbound replication
topology for the server.
Forcing replication between two partners. You can use Repadmin to force replication of a partition
between a source and a target domain controller. Type repadmin /replicate Destination_DC_LIST
Source_DC_Name Naming_Context.
Synchronizing a domain controller with all replication partners. Type repadmin /syncall DC/A /e to
synchronize a domain controller with all its partners, including those in other sites.
Intersite. Checks for failures that would prevent or delay intersite replication.
Topology. Checks that the replication topology is connected fully for all domain controllers.
VerifyReplicas. Verifies that all application directory partitions are instantiated fully on all domain
controllers hosting replicas.
MCT USE ONLY. STUDENT USE PROHIBITED
9-22 Implementing Active Directory Domain Services Sites and Replication
As one of the senior network administrators, you are responsible for planning and implementing an AD
DS infrastructure that will help address the business requirements for the organization. You are
responsible for configuring AD DS sites and replication to optimize the user experience and network
utilization within the organization.
Objectives
Configure the default site created in AD DS.
Lab Setup
20412A-LON-DC1
20412A-TOR-DC1
Estimated time: 60 minutes
20412A-LON-DC1
Virtual machines
20412A-TOR-DC1
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
to the site. You have been asked to change the name of the default site to LondonHQ and associate it
with the IP subnet 172.16.0.0/24, which is the subnet range used for the London head office.
2. When the AD DS binaries have installed, use the Active Directory Domain Services Configuration
Wizard to install and configure TOR-DC1 as an additional domain controller for Adatum.com.
3. After the server restarts, log on as Adatum\Administrator with the password of Pa$$w0rd.
3. Verify that both LON-DC1 and TOR-DC1 are members of the LondonHQ site.
Results: After completing this exercise, you will have reconfigured the default site and assigned IP address
subnets to the site.
o Name: Toronto
o Name: TestSite
o Prefix: 172.16.1.0/24
4. In the navigation pane, click the Subnets folder. Verify that the three subnets were created and
associated with their appropriate site as displayed in the details pane.
Results: After this exercise, you will have created two additional sites representing the IP subnet addresses
located in Toronto.
Replication should not be available from the Toronto site to the TestSite during the working hours of 9
A.M. and 3 P.M. You then will use tools to monitor replication between the sites.
o Name: TOR-TEST
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 9-25
o Modify the schedule to only allow replication from Monday 9am to Friday 3pm
o Name: LON-TOR
3. Verify that TOR-DC1 is located under the Servers node in the Toronto site.
Repadmin /kcc
This command recalculates the inbound replication topology for the server:
Repadmin /showrepl
Repadmin /bridgeheads
This command displays the bridgehead servers for the site topology:
Repadmin /replsummary
This command displays a summary of replication tasks. Verify that no errors appear:
DCDiag /test:replications
3. Switch to TOR-DC1, and then repeat the commands to view information from the TOR-DC1
perspective.
Results: After this exercise, you will have configured site links and monitored replication.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Question: What are the advantages and disadvantages of reducing the intersite replication
interval?
Best Practice
You should implement the following best practices when you manage Active Directory sites and
replication in your environment:
Always provide at least one or more global catalog servers per site.
Do not setup long intervals without replication when you configure replication schedules for intersite
replication.
Module 10
Implementing Active Directory Certificate Services
Contents:
Module Overview 10-1
Module Overview
Public key infrastructure (PKI) consists of several components that help you secure corporate
communications and transactions. One such component is the Certification Authority (CA). You can use
CAs to manage, distribute, and validate digital certificates that are used to secure information. You can
install Active Directory Certificate Services (AD CS) as a root CA or a subordinate CA in your organization.
In this module, you will learn about implementing AD CS server role and certificates.
Objectives
After completing this module, you will be able to:
Describe PKI.
Deploy CAs.
Lesson 1
PKI Ov
verview
PKI helps you veriify and authen nticate the iden
ntity of each p
party involved in an electronic transaction.. It
also
o helps you esttablish trust be
etween compu uters and the ccorresponding applications tthat are hosted d on
appplication serverrs. A common example includes the use off PKI technolog gy to secure wwebsites. Digitaal
certtificates are key PKI components that conttain electronic credentials, wwhich are used to authenticatte
userrs or computers. Moreover, certificates
c n be validated using certificaate discovery, path validation,
can
and revocation ch hecking processses. Windows Server 2012 supports build ding a certificaate services
infra
astructure in your
y organization using AD CS
C componentts.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe PKI.
Describe com
mponents of a PKI solution.
Describe CAs.
Describe new
w features in AD
D CS in Windo
ows Server 20112.
Explain the difference betw
ween public and private CAs.
Wh
hat Is PKI??
PKI is a combinatiion of software e, encryption
techhnologies, processes, and services that assiist an
orga anization with securing its co ommunication ns
and business transactions. It is a system of dig gital
certtificates, certification authoriities, and other
regiistration autho orities. When an
a electronic
nsaction takes place, PKI verifies and
tran
authhenticates the validity of eacch party involvved.
PKI standards are still evolving, but they are widely
w
impplemented as an a essential component of
elecctronic comme erce.
Gen
neral conce
epts of PKI
In general,
g a PKI solution
s relies on several technologies and
d components.. When you plaan to impleme
ent
PKI, you should coonsider and un nderstand the following:
Infrastructure
e: The meaningg in this contexxt is the same as in any otheer context, such as electricityy,
pply. Each of these elementss does a speciffic job, and has requirementts that
transportation, or water sup
must be met for it to functiion efficiently. The sum of th
hese elements allows for the e efficient and safe
use of PKI. So
ome of the elements that ma ake up a PKI arre the followin
ng:
o A CA
o A certificate repositoryy
o A registra
ation authorityy
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 10-3
o Client-side processing
Most of these components will be discussed in later topics and lessons of this module.
Public/Private Keys: In general, there are two methods for encrypting and decrypting data:
o Symmetric encryption: The methods to encrypt and decrypt data are identical, or mirrors of each
other. Data is encrypted by using a particular method or key. To decrypt the data, you must have
the same, identical method or key. Therefore, anyone who has the key can decrypt the data. The
key must remain private to maintain the integrity of the encryption.
o Asymmetric encryption: In this case, the methods to encrypt and decrypt data are not identical or
mirrors of each other. Data is encrypted by using a particular method or key. However, a different
key is used to decrypt data. This is achieved by using a pair of keys. Each person gets a key pair,
which consists of a public key and a private key. These keys are unique, and data that the public
key encrypts can be decrypted by using the private key, and vice versa. In this situation, the keys
are sufficiently different and knowing or possessing one does not allow you to determine the
other. Therefore, one of the keys (public) can be made publicly available without reducing the
security of the data, as long as the other key (private) remains privatehence the name Public
Key Infrastructure.
Algorithms that use symmetric encryption are fast and efficient for large amount of data. However,
because they use a symmetric key, they are not considered secure enough, because you always must
transport the key to the other party. Alternatively, algorithms that use asymmetric encryption are secure,
but very slow. Because of this, it is common to use hybrid approach, which means that data is encrypted
by using symmetric encryption, while the symmetric encryption key is protected with asymmetric
encryption.
When you implement a PKI solution, your entire system, especially the security aspect, can benefit. The
benefits of using PKI include:
Confidentiality: A PKI solution enables you to encrypt both stored and transmitted data.
Integrity: You can use PKI to sign data digitally. A digital signature identifies whether any data was
modified while information was transmitted.
Authenticity and non-repudiation: Authentication data passes through hash algorithms such as
Secure Hash Algorithm 1 (SHA-1) to produce a message digest. The message digest is then digitally
signed using the senders private key to prove that the message digest was produced by the sender.
Non-repudiation is digitally signed data in which the digital signature provides both proof of the
integrity of signed data, and proof of the origin of data.
Standards-based approach: PKI is standards-based, which means that multiple technology vendors
are compelled to support PKI-based security infrastructures. It is based on industry standards defined
in RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices
Framework.
MCT USE ONLY. STUDENT USE PROHIBITED
10-4 Implemennting Active Directoryy Certificate Services
Co
omponentss of a PKI Solution
S
There are many co omponents that are requiredd to
worrk together to provide a com
mplete PKI solu
ution.
The PKI compone ents in Window
ws Server 20122 are:
Certificate tem
mplates: This component
c de
escribes the co ontent and purrpose of a digital certificate.
When requessting a certificaate from an AD D CS enterprisee CA, the certiificate requestor will, depend ding
on his or her access rights, be able to sele
ect from a variiety of certificaate types base
ed on certificatte
templates, such as User and d Code Signing g. The certificaate template saaves users fromm low-level,
technical decisions about thhe type of certtificate they neeed. In additio
on, they allow aadministratorss to
distinguish who might requ uest which certtificates.
o Certificatte revocation lists (CRLs) are complete, diggitally signed liists of certificaates that have been
revoked. These lists aree published pe eriodically and can be retrievved and cached by clients (b based
on the coonfigured lifetime of the CRLL). The lists aree used to verifyy a certificates revocation sttatus.
Public keyba
ased applicatio
ons and service es: This relatess to application
ns or services tthat support p
public
key encryptio
on. In other wo
ords, the appliccation or servi ces must be able to supportt public key
implementatiions to gain th
he benefits fromm it.
o Recover archived
a private keys
Authority innformation acccess (AIA) and CRL distributiion points (CD DPs): AIA points determine thhe
location whhere CA certificcates can be fo ound and valid dated, and CD DP locations de etermine the ppoints
where certificate revocatiion lists can be e found during g certificate vaalidation proce
ess. Because CRRLs can
become larrge, (dependin ng on the number of certificaates issued and d revoked by a CA), you cann also
publish sma aller, interim CRLs
C called dellta CRLs. Delta CRLs contain only the certifficates revoked d since
the last reg
gular CRL was published.
p Thiss allows clientss to retrieve thhe smaller deltta CRLs and moore
quickly build a complete list of revoked d certificates. TThe use of deltta CRLs also allows revocatioon data
to be published more frequently, becau use the size off a delta CRL m means that it usually does noot
require as much
m time to transfer
t as a fu
ull CRL.
Hardware security
s modulle (HSM): A ha ardware securitty module is a n optional seccure cryptographic
hardware device
d ographic proc essing for man
that acccelerates crypto naging digital keys. It is a hig
gh
security, specialized storaage that is connected to the CA for manag ging the certifiicates. An HSM M is
typically atttached to a co
omputer physiccally. This is an
n optional addd-on in your PK KI, and is mostt widely
used in high security environments whe ere there wou ld be a significcant impact if a key were
compromissed.
Note: The e most importa ant componen nt of any securrity infrastruct ure is physical security. A
ust the PKI implementation. Other elemen
ecurity infrastructure is not ju
se ntssuch as physical
se
ecurity and ade equate securitty policiesaree also importaant parts of a hholistic securityy
in
nfrastructure.
What
W Are CAs?
C
A CA is a well-d designed and highly
h trusted service
in
n an enterprise e, which provid des users and
co
omputers with h certificates, maintains
m the CRLs,
C
an
nd optionally responds
r to OCSP requests. You
an install a CA in your enviro
ca onment by dep ploying
th
he AD CS role on Windows Server S 2012. When
W
th
he first CA is in
nstalled, it establishes the PK
KI in the
neetwork, and it provides the highest
h point in
i the
whole
w structuree. You can have e one or more e
ce
ertification autthorities in one e network, butt only
onne CA can be at a the highest point on the CA C
hiierarchy (that CA
C is called the root CA, whiich will
bee discussed latter in this mod dule).
One
O of the main n purposes of the CA is to issue certificatees, revoke certificates, and pu
ublish AIA and
d CRL
he CA ensures that users, serrvices, and com
nformation. By doing that, th
in mputers are isssued certificate
es that
ca
an be validated
d.
Verifying th
he identity of the
t certificate requestor.
Managing certificate
c revo
ocation.
When
W ur network, it issues a certifi cate for itself. After that, oth
you deploy a first CA (rroot CA) in you her CAs
re
eceive certificates from the first CA. You ca
an also choosee to issue a cerrtificate for you ur CA by using g one of
pu
ublic CAs.
MCT USE ONLY. STUDENT USE PROHIBITED
10-6 Implemennting Active Directoryy Certificate Services
Ov
verview of the AD CS
S Server Ro
ole in Win
ndows Servver 2012
All PKI-related
P components are deployed as role r
servvices of the AD
D CS server role e. This role is made
m
up of
o several com mponents that are known as role
servvices. Each role
e service is respponsible for a
speccific portion off the certificate infrastructurre,
while working tog gether to form m a complete
solu
ution.
Online Respo onder. You can use this comp ponent to conffigure and maanage OCSP vaalidation and
revocation ch hecking. Onlinee Responder decodes
d revocaation status reequests for speecific certificate
es,
evaluates the status of thosse certificates, and returns a signed respon nse containing the requested d
certificate status informatio
on. Unlike in Windows
W Serve r 2008 R2, youu can install Onnline Responder on
any version ofo Windows Server 2012. The e certificate revvocation data can come from m a CA on a
computer tha at is running Windows
W Serve
er 2003, Windo ows Server 200 08, or from a nnon-Microsoft CA.
o Retrieve CRLs
Certificate Au
uthority Policy Web Service. This componeent is new to W Windows Serve er 2008 R2 andd
Windows Servver 2012. It ennables users to obtain certificcate enrollmen
nt policy inform
mation. Combbined
with the Certificate Enrollm
ment Web Service, it enables policy-based ccertificate enroollment when the
client computter is not a meember of a dommain, or when n a domain meember is not co onnected to th
he
domain.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 10-7
What
W Is Ne
ew in AD CS
C in Windows Serveer 2012
Like many other Windows Serrver roles, AD CS is
im
mproved and enhanced
e in Windows
W Server 2012.
he AD CS role in Windows Server 2012 stilll has
Th
he same six role services, as described
th d in th
he
previous topic. In addition, it now provides
multiple
m new feeatures and cap pabilities comp pared
to
o previous verssions.
In
n Windows Serrver 2008 R2, some
s of the ADD CS
ro
ole services req
quire a specificc Windows Serrver
ve
ersion. For exaample, Network Device Enrollment
Se
ervice (NDES) does not work k on the Windo ows
Se
erver 2008 Standard edition,, but only on thet
Windows
W Server 2008 Enterprrise edition). In
n Windows Serrver 2012, all rrole services arre available on
n all
Windows
W Server versions.
Th
he AD CS Servver role, in addition to all rela
ated role servi ces, can run o n Windows Se
erver 2012 with h full
GUI, Minimal Se
erver Interface, or on a Serve er Core installaation. You can deploy AD CSS role services in
Windows
W Server 2012 using Server
S Manage er, or Windowss PowerShell cmdlets, while e working locaally at
th
he computer or
o remotely ove er the network k.
Frrom a manage ement perspecctive, AD CS annd its events, aand the Best Prractices Analyzzer tool are no
ow fully
in
ntegrated into the Server Ma anager console
e, which mean s that you can options directly from
n access all its o
Seerver Managerr. AD CS is also
o fully manage
eable by using the Windows PowerShell co ommand-line
in
nterface.
Th
he Windows Server 2012 verrsion of AD CSS also introducces a new certificate templatte versionverrsion
4
which provid
des some new T will be disccussed separately in Lesson 3.
w capabilities. This
Virtual
V Smarrt Cards
mart cards, as an option for multi-factor authentication,, have been ussed since Wind
Sm dows Server 20 000.
Thhey provide en nhanced securrity over passw words, as it is m
much more diffficult for an unnauthorized usser to
gaain and mainta ain access to a system. In addition, access to a smart carrd-protected system requires that a
usser both have a valid card an nd know the PIN
P that provid des access to t hat card. By deefault, only on
ne copy
off the smart carrd exists, so onnly one individual can be usi ng their login credentials att a time. In add dition, a
usser will quicklyy notice if theirr card has been lost or stole n, especially w
when their cardd is combined with
acccess to doors or other functtions. This greatly reduces th he risk window w of credential theft in comp parison
to
o passwords.
MCT USE ONLY. STUDENT USE PROHIBITED
10-8 Implemennting Active Directoryy Certificate Services
To address
a these issues, Window
ws Server 2012 2 AD CS introd duces a techno ology that provvides the security of
smaart cards while reducing matterial and suppport costs. Thiss is done by prroviding Virtuaal Smart Cards.
Virtual Smart Cardds emulate the
e functionality of traditional smart cards, bbut instead of requiring the
purcchase of additional hardware, they utilize technology thhat users alread dy own and arre more likely tto
have with them att all times.
Virtual Smart Cardds in Windowss Server 2012 leverage the caapabilities of tthe TPM chip tthat is present on
mosst of the compputer motherboards produce ed in the past ttwo years. Beccause the chip is already in tthe
commputer, there iss no cost for buying
b smart cards and smarrt card readerss. However, un nlike traditionaal
smaart cards, wherre the user wass in a physical possession of the card, in th he Virtual Smart Card scenarrio, a
commputer (or to be
b more speciffic, TPM chip on o its motherb board) acts likee a smart card. By using this
appproach, two-facctor authentica ation similar to
o traditional sm
mart cards is aachieved. A useer must have h his or
her computer (wh hich has been sets up with the e Virtual Smarrt Card), and allso know the PPIN necessary to use
his or
o her Virtual Smart
S Card.
It is important to understand ho ow Virtual Sma art Cards proteect private keyys. Traditional smart cards haave
theiir own storage e and cryptographic mechanism for proteccting the private keys. In the e Virtual Smart Card
scen nario, private keys
k are proteccted not by isoolation of physsical memory, but rather by the cryptograaphic
capabilities of the e TPM: all sensitive information that is storred on a smartt card is encryp pted using the
e TPM,
and then stored on o the hard driive in its encryypted form. Altthough privatee keys are storred on a hard d drive
(in encrypted
e form
m), all cryptographic operations occur in th he secure, isolated environm ment of the TPM.
Privvate keys neverr leave this envvironment in unencrypted
u foorm. If the harrd drive of the machine is
com mpromised in anya way, privatte keys cannott be accessed, because they are protected and encrypted by
TPM M. To provide more
m security, you can also encrypt
e the drrive with Wind dows BitLockerr Drive Encryp ption.
To deploy
d Virtual Smart Cards, you
y need Windows Server 2 012 AD CS an d a Windows 8 client machine
withh a TPM chip on o motherboard.
CA
A type Adv
vantages Disadvanttages
CA
C type Advantages
A Disadvaantages
sloweer
So
ome organizattions have starrted using a hyybrid approach h to their PKI aarchitecture. A hybrid appro oach
usses an external public CA forr the root CA, and a hierarch hy of internal CCAs for distribution of certificates.
Th
his gives organ nizations the advantage
a of having
h their intternally issued
d certificates trrusted by exterrnal
clients, while stiill providing th
he advantages of an internal CA. The only disadvantage is cost. A hybrrid
ap
pproach is typically the mostt expensive ap pproach, becau use public certtificates for CAAs are very exp
pensive.
In
n addition, youu can also chooose to deploy internal PKI fo or internal purpposes such as Encrypting Filee
Syystem (EFS), an
nd digital signa
atures. For extternal purposees, such as prottecting web orr mail servers wwith
Se
ecure Socket Layer
L (SSL), you
u must buy a public
p certificaate. This appro
oach is not veryy expensive, an
nd is
probably the most cost-effecttive solution.
What
W Is a Cross-Certi
C ification Hierarchy?
H
As cross-certificcation implies, in cross-certification
hiierarchy the rooot CA in each CA hierarchy
provides a crosss-certification certificate to the
t root
CAA in the other CA hierarchy. The other hie erarchy
oot CA then installs the supp
ro plied certificate
e. By
dooing so, the trust flows down to all the
su
ubordinate CA As below the le evel where the cross-
ce
ertification cerrtificate was insstalled.
Cross-Certifi
C cation Bene
efits
A cross-certifica
ation hierarchyy provides the
fo
ollowing beneffits:
Assumes co
omplete trust of
o a foreign CA
A hierarchy
Question: Your
Y companyy is currently acquiring anoth
her company. Both companies run their
own PKI. What
W u do to minimize disruption and continue to provide PKI services
could you
seamlessly??
MCT USE ONLY. STUDENT USE PROHIBITED
10-10 Implementing Active Directoory Certificate Servicees
Lesson 2
Deploy
ying CA
As
The first CA that you
y install will be a root CA. After you inst all the root CA A, you can opttionally install a
subordinate CA to o apply policy restrictions an
nd distribute ceertificates. Youu can also use a CAPolicy.inff file
to automate
a additional CA insta
allations and provide
p additioonal configuration settings that are not
avaiilable with the
e standard GUIbased installa ation. In this leesson, you will learn about d
deploying CAs in the
Winndows Server 2012
2 environm
ment.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe how
w to use CAPolicy.inf file for installing
i the C
CA.
Op
ptions for Implemen
I ting CA Hierarchies
Whe en you decidee to implementt PKI in your
orga anization, one
e of the first deecisions you must
mak ke is how to de esign your CA hierarchy. CA
hierrarchy determiines the core design
d of your
inte
ernal PKI, and also
a determine es the purpose e of
eachh CA in the hie erarchy. Each CAC hierarchy
includes two or more
m CAs. Usuaally, the secondd CA
(andd all others aftter that) is dep
ployed with a
speccific purpose, because only the t root CA is
man ndatory.
Policy CA: Policy CAs are a type of subord dinate CA thatt are located d
directly below tthe root CA in n a CA
hierarchy. You utilize policyy CAs to issue CA certificatess to subordinate CAs that aree located direcctly
below the poolicy CA in the hierarchy. Use e policy CAs wh hen different d
divisions, secto
ors, or location
ns of
your organizaation require different
d issuan
nce policies annd procedures..
Cross-certifica
ation trust: In this scenario, two
t independeent CA hierarcchies interoperrate when a CA A in
one hierarchyy issues a CA certificate
c to a CA in the otheer hierarchy. C
Cross-certification trusts are
discussed in more
m detail latter in this mod dule.
Two-tier hiera
archy: In a two
o-tier hierarchyy, there is a ro
oot CA and at l east one suboordinate CA. In
n this
scenario, the subordinate CA
C is responsibble for policies,, and for issuin
ng certificates to requestors..
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 10-11
Standalone
e vs. Enterp
prise CAs
In
n Windows Serrver 2012, you can deploy tw wo types
off CAs: standaloone CA and en nterprise CA. These
tyypes are not ab bout hierarchyy, but about
fu
unctionality an nd configuratioon storage. Thee most
im
mportant differrence between n these two CAA types
is Active Directoory integrationn and depende ency. A
sttandalone CA canc work without AD DS, an nd does
no ot depend on it in any way. An enterprise CA
re
equires AD DS,, but it also pro ovides several
be enefits, such as autoenrollment.
Th
he following taable details the
e most significcant
diifferences betw
ween standalo one and enterpprise
CAAs.
Characteristic
C Standalone
e CA Enterprrise CA
Typical usage
e A standalo
one CA is typiccally An entterprise CA is ttypically
used for offline
o CAs, butt it used too issue certificates to
can be useed for a CA thaat is users, ccomputers, an nd
consistently available on
n servicees, and is not tyypically
the netwoork. used as an offline CA A.
Active Directo
ory A standalo
one CA does nnot An entterprise CA req quires
dependenciess depend on n AD DS and ccan AD DS , which can be e used as
be deployyed in nonActtive a confiiguration and
Directory environments.
e . registration database e. An
enterpprise CA also provides
a publ ication point ffor
certificcates issued to users
and co omputers.
Certificate req
quest Users can only request Userrs can request
methods certificatess from a certiificates from an
standalone e CA by using a enteerprise CA usinng the
manual prrocedure or weeb owing methods:
follo
enrollmen nt.
Man
nual Enrollmen
nt
Web
b Enrollment
Auto
oenrollment
Enro
ollment agent
Most
M commonlyy, the root CA (which is the first f CA deployyed) is deployeed as standalo one CA, and it is taken
offfline after it isssues a certifica nd for a suborrdinate CA. Altternatively, a subordinate CA
ate for itself an A is
ussually deploye ed as an enterp prise CA, and is configured in n one of scenaarios describedd in the previo
ous
to
opic.
MCT USE ONLY. STUDENT USE PROHIBITED
10-12 Implementing Active Directoory Certificate Servicees
Co
onsideratio
ons for Dep
ploying a Root CA
Befoore you deployy a root CA, thhere are severa al
decisions that youu should make e. First, you sho
ould
decide if you will be deploying an offline roott CA
or not.
n Based on that
t y will also decide
decision, you
ou will be deplloying a standalone root CA
if yo A or
an enterprise
e roott CA.
Usually, if you are
e deploying a single-layer
s CA
A
hierrarchywhich means that yo ou deploy onlyy a
singgle CAit is most
m common to t choose
enteerprise root CAA. However, if you are deplo
oying
a twwo-layer hierarrchy, the most common scen nario
is to
o deploy a stanndalone root CA
C and an
enteerprise subordinate CA.
Co
onsideration Descriptio
on
A cryptographicc service provider (CSP) that The deffault CSP is thee Microsoft Strong
is used to generrate a new keyy Cryptog
graphic Provid er.
Any pro
ovider whose n name starts with a
numberr sign (#) is a ccryptography N
Next
Generattion (CNG) pro ovider.
Th
he key charactter length The defau
ult key length ffor the Microsoft
Strong Cryyptographic P Provider is 2,04
48
characterss. This is the m
minimum
recommen nded value forr a root CA.
Th
he hash algorithm that is use
ed to sign The defau
ult value of thee hash algorith
hm is
ce
ertificates issue
ed by a CA SHA-1.
Th
he validity perriod for certificcates issued byy The defau
ult value for ceertificates is five
a CA years.
Th
he status of the root server (online
( or The root sserver should bbe deployed aas an
offfline) offline CA
A. This enhancees security andd
safeguardds the root certtificate (because it is
not availa ble to attack o
over the netwo ork).
Specifically, if you
u decide to dep
ploy an offline
e standalone ro
oot CA, there aare some speccific considerattions
thatt you should have
h in mind:
Publish roo
ot CA certificate to a trusted root certificat ion authority sstore on all serrver and clientt
machines, by
b using Group p Policy. You must
m do this mmanually, beca use a standalo one CA cannott do it
automaticaally, unlike an enterprise
e CA. You can also p publish the root CA certificaate to AD DS b by using
the certutil command-lin ne tool.
Demonstra
D ation: Deplloying a Ro
oot CA
In
n this demonsttration, you will see how to deploy
d an Enteerprise root CA
A.
Demonstrati
D ion Steps
Deploy
D a Roo
ot CA
1.. In Server Manager,
M add the Active Dire
ectory Certifiicate Servicess role.
Considerat
C ions for Deploying a Subordin
nate CA
Yo
ou can use a subordinate CA A to implemennt policy
re
estrictions for PKI,
P and to disstribute certificcates to
clients. After insstalling a root CA for the
orrganization, yoou can install one
o or more
su
ubordinate CA As.
When
W you are using
u a subord
dinate CA to diistribute
ce
ertificates to users or compuuters that have
e an
acccount in an ADA DS environm ment, you can install
th
he subordinate erprise CA. Then, you
e CA as an ente
ca
an use the data from the clieent accounts inn AD DS
o distribute and manage certtificates, and to
to
puublish certifica
ates to AD DS. However, to
co
omplete this procedure,
p you must be a me ember of the lo
ocal Administrrators group, o
or have equivaalent
peermissions. If the
t subordinatte CA will be an enterprise C
CA, you also neeed to be a me ember of the DDomain
Admins group or o have equiva
alent permissio
ons.
A su
ubordinate CA
A is usually dep
ployed to achie
eve some of th
he following fu
unctionalities:
Geographic divisions:
d Organizations oftenn have entitiess at multiple p
physical sites. LLimited networrk
connectivity between
b these
e sites may req
quire individuaal subordinate CAs for many or all sites.
Backup and fault tolerance: Multiple CAs increase the ppossibility thatt your networkk will always haave
operational CAs
C available too respond to user
u requests.
Ho
ow to Use the
t CAPolicy.inf File
e for Installlation
If yo
ou want to dep ploy root or suubordinate CA A, and
you want to both predefine som me values for use u
during installation n and define soome additiona al
paraameters, you can
c use the CA APolicy.inf file tot
commplete these stteps. The CAPo olicy.inf file is a
plain text file thatt contains vario
ous settings th hat
are used when insstalling the AD D CS role, or when
reneewing the CA certificate. The e CAPolicy.inf file is
not required to in nstall AD CS, bu ut without it, the
t
defaault settings will
w be applied, and in many cases, c
the default setting gs are insufficient. You can useu
the CAPolicy.inf fiile to configure e CAs in more
commplicated deployments.
Eachh CAPolicy.inf file is divided into sections, and has a sim ple structure, w
which can be described as
follo
ows:
A section is an area in the .inf file that contains a logicaal group of keyys. A section always appears in
brackets in th
he .inf file.
A value is the
e parameter that is to the rig
ght of the equaal sign.
For example, if yo
ou want to spe
ecify Authority Information A n the CAPolicy..inf file, you will use
Access point in
follo
owing syntax:
[AuthorityInformationAccess]
URL=http://pki.adatum.com/CertData
a/adatumCA.cr
rt
In th
his example, AuthorityInform
A mationAccess is
i a section, URRL is the key, aand
httpp://pki.adatum.com/CertD Data/adatumC CA.crt is the vaalue.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 10-15
You can also specify some CA server settings in the CAPolicy.inf file. One example of the section that
specifies these settings is :
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0
You can also use the CAPolicy.inf file when installing AD CS to define the following:
Certification practice statement (CPS): Describes the practices that the CA uses to issue certificates.
This includes the types of certificates issued, information for issuing, renewing, and recovering
certificates, and other details about the CAs configuration.
CRL publication intervals: Defines the interval between publications for the base CRL.
o Certificate validity period: Defines the validity period for a root CA certificate.
o CDP and AIA paths: Provides the path used for root CA installations and renewals.
Once you have created your CAPolicy.inf file, you must copy it into the %systemroot% folder of your
server (for example, C:\Windows) before you install the AD CS role, or before you renew the CA certificate.
Note: The CAPolicy.inf file is processed for both the root and subordinate CA installations
and renewals.
MCT USE ONLY. STUDENT USE PROHIBITED
10-16 Implementing Active Directoory Certificate Servicees
Lesson 3
Deploy
ying and Mana
aging Certificatte Templates
Certtificate templa
ates define how w a certificate can be requessted and for w
what it can be u used. Template es are
configured on the e CA, and theyy are stored in the Active Dirrectory databa se. There are d different versio
ons of
tem
mplates: the Microsoft Windo ows 2000 Serve er Enterprise C
CA supports veersion 1 certificcate templatess, the
Win
ndows Server 2003
2 Enterprise
e Edition supp ports versions 1 and 2 templaates, and Wind dows Server 20 008
Ente 2 and 3 certificate templatees. Windows Seerver 2012 intrroduces version 4
erprise supporrts versions 1, 2,
tem
mplates, yet still also supportss all three prevvious templatee versions.
Two
o types of certiificate templatte categories are
a users and ccomputers, and d each can be used for multtiple
purposes. You can n assign Full Control, Read, Write,
W Enroll, aand Autoenrolll permissions tto certificate
tem
mplates. You caan update certificate templattes by modifyi ng the originaal certificate te emplate, copying a
mplate, or superseding existin
tem ng certificate templates. In thhis lesson, you
u will learn how
w to manage aand
dep
ploy certificate templates.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Wh
hat Are Ce
ertificate Templates?
T ?
Certtificate templaates allow adm
ministrators to
custtomize the distribution meth hod of certificaates,
defiine certificate purposes, and mandate the type
of usage
u allowed by a certificate
e. Administrators
can easily create templates,
t and
d can then quicckly
depploy them to th he enterprise by
b using the bu uilt-in
GUI or command--line managem ment utilities.
Note: Prio
or to Windowss Server 2008 R2,
R only the En nterprise versio
on of Window
ws Server
su
upported management of ce ertificate tempplates. In Wind ows Server 20 008 R2 and Win
ndows Server
20
012, you can also
a manage ce ertificate temp
plates in the Sttandard editio ns.
Certificate
C Template Versions in Window
ws Server 2
2012
Windows
W Server 2012 Certificcation Authoritty
su
upports four veersions of certificate templattes.
Certificate tempplates versionss 1, 2 and 3 are
e legacy
from previous versions
v of Winndows Server, while
ve w to Windows Server 2012.
ersion 4 is new
Windows 2000 Advanced d Server operating system prrovides support for version 1 certificate
templates. The only modification allow wed to version 1 templates is changing perrmissions to eitther
allow or dissallow enrollment of the certtificate templaate. When you install an enteerprise CA, verrsion 1
certificate templates
t are created
c by deffault. As of Julyy 13, 2010, Wiindows 2000 SServer is no lon
nger
supported by Microsoft.
Windows Server 2003 Entterprise Edition operating syystems providee support for vversion 1 and vversion
2 templatess. You can custtomize several settings in thhe version 2 templates. The ddefault installaation
provides seeveral preconfigured version 2 templates. Y You can add vversion 2 temp plates based on n the
requiremen nts of your org
ganization. Alte
ernatively, you
u can duplicatee a version 1 certificate tempplate to
create a new version 2 off the template.. You can then n modify and ssecure the new wly created verrsion 2
certificate template.
t Whe en new templates are added to a Windowss Server 2003 e enterprise CA, they
are version 2 by default.
Windows Server 2008 Entterprise operating systems b bring support ffor new, versioon 3 certificate
e
templates. Additionally,
A support
s for verrsion 1 and ve rsion 2 is provvided. Version 3 certificate
templates support
s severaal features of a Windows Serv rver 2008 enterprise CA, such h as CNG. CNG G
upport for Suite B cryptograp
provides su phic algorithm
ms such as ellipptic curve crypttography (ECC C). In
Windows Server 2008 Entterprise, you can c duplicate d default version n 1 and version
n 2 templates tto bring
them up too version 3. Windows Server 2008 providess two new certtificate templates by default::
Kerberos Authentication and OCSP Ressponse Signing g. In Windows Server 2008 R R2, the Standarrd
version wass also able to support
s certificcate templatess. When you use version 3 ce ertificate tempplates,
you can usee CNG encrypttion and hash algorithms forr the certificate requests, issued certificate es, and
protection of private keyss for key excha ange and key archival scenarios.
Windows Server 2012 operating system ms provide suppport for versio on 4 certificate
e templates, an nd for
all other ve
ersions from ea
arlier editions of
o Windows Seerver. These ceertificate temp plates are available
only to Winndows Server 2012
2 and Wind dows 8. To hellp administrato ors separate w
what features aare
supported by which operrating system version,
v the Co
ompatibility ttab was added d to the certificcate
template properties tab. It marks options as unavaila ble in the certtificate template properties,
depending upon the sele ected operating g system versi ons of certificaate client and CA. Version 4
MCT USE ONLY. STUDENT USE PROHIBITED
10-18 Implementing Active Directoory Certificate Servicees
certificate tem
mplates also su
upport both CSPs and KSPs. They can also be configured
d to require re
enewal
with a same key.
k
Upggrading certificcate templatess is a process that applies on
nly in situations where the CAA has been
upg
graded from Windows
W Server 2008 or 2008 8 R2 to Windo ows Server 201 12. After the up
pgrade, you caan
upg
grade the certifficate templates by launchin ng the CA Man nager console and accepting g the upgrade
prompt by clicking Yes.
Co
onfiguring Certificate
e Template
e Permissiions
To configure
c certiificate templatte permissions, you
need to define the e DACL for eacch certificate
tem
mplate in the Seecurity tab. Th he permissionss that
are assigned to a certificate temmplate will defiine
which users or grooups can read,, modify, enroll, or
auto
oenroll for that certificate te
emplate.
You
u can assign the following pe
ermissions to
certtificate templates:
Read: The Re ead permissionn allows a userr or computer to view the ceertificate temp plate when enrrolling
es. The Read permission is also required byy the certificatte server to find the certificatte
for certificate
templates in ADA DS.
ad permission allocated to th
As a best practice, keep the Rea he Authentica ted Users grouup. This permission
allocation allows all
a users and computers to view
v the certifi cate templates in AD DS. Th
his permission
assignment also allows
a the CA that
t is running
g under the Sysstem context o of a computerr account to vie
ew
the certificate tem
mplates when assigning
a certificates.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 10-19
Configuring
C g Certifica
ate Templa
ate Setting
gs
Beesides configu uring security settings
s for cerrtificate
te
emplates, you can also config gure several other
se
ettings for each template. Be e aware howevver, that
th
he number of configurable
c options
o depend ds on
th
he certificate teemplate versioon. For examplle,
ve
ersion 1certificcate templates do not allow
modification
m of any settings, except
e for secuurity,
while
w certificatee templates froom higher verssions
allow you to configure most of o the available
opptions. Window ws Server 2012 2 provides sevveral
deefault certificate templates for
f purposes th hat
in
nclude code sig gning (for digitally signing
oftware), EFS (ffor encrypting data), and the
so e ability for us ers to log on w
with a smart caard. To custommize a
te
emplate for yo our company, duplicate
d the template
t and tthen modify th he certificate cconfiguration.
Fo
or example, yo
ou can configu
ure the followin
ng:
Format and
d content of a certificate bassed on the certtificates intend
ded use
Note: . Th
he intended usse of a certifica
ate may relatee to users or to
o computers, b
based on the
tyypes of securityy implementattions that are required
r to usse the PKI.
Process of creating
c and submitting a va
alid certificate request
CSP supporrted
Key length
Validity perriod
Yo
ou can also de
efine certificate
e purpose in ce
ertificate settin
ngs. Certificatee templates caan have the folllowing
pu
urposes:
Multiple Pu urposes: A multi-purpose cerrtificate servess more than on ne purpose (offten unrelated)) at the
same time. While some te emplates (such h as the User ttemplate) servee multiple purrposes by default,
organizatioons will often modify
m templates to serve ad dditional purposes. For exammple, if a comp
pany
intends on issuing certificcates for three purposes, thoose purposes ccan be combin ned into a single
certificate template
t to ea
ase the administrative effort and maintenaance.
MCT USE ONLY. STUDENT USE PROHIBITED
10-20 Implementing Active Directoory Certificate Servicees
Op
ptions for Updating
U a Certifica
ate Templaate
The CA hierarchy in most organ nizations has one
o
certtificate template for each job
b function. Forr
exam mple, there may be a certificcate template for
file encryption and another for code signing.
Add ditionally, there
e may be a few
w templates thhat
cove er functions fo
or most of the common grou ups of
subjjects.
As an
a IT administrrator, you mayy need to mod dify an
existing certificate
e template beccause of incorrrect
settings or other issues
i in the original certifica
ate
tem
mplate. You ma ay also need to
o merge multip ple
existing certificate
e templates intto a single
tem
mplate.
You
u can update a certificate tem
mplate by either modifying tthe template, o
or superseding
g the existing
tem
mplate:
De
emonstration: Modiffying and Enabling
E a Certificatte Templatte
In th
his demonstration, you will see
s how to mo
odify and enab
ble a certificatee template.
Dem
monstration
n Steps
Mo
odify and en
nable a certificate temp
plate
1. On LON-SVR1, open the Ce
ertificate Temp
plates console..
6. Publish the te
emplate on LO
ON-SVR1.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 10-21
Lesson
n4
Imple
ementin
ng Certiificate Distribu
D ution an
nd Revo
ocation
One
O step in dep ploying PKI in your
y organization will be to define metho ods for certificaate distributionn and
ennrollment. In addition,
a durinng the certificate managemeent process, theere will be tim mes that you may need
to
o revoke certifiicates. There may
m be a numb ber of reasons for revoking ccertificates, such as if a key
beecomes compromised, or if someone leaves the organizzation. You neeed to ensure that network clients
caan determine which
w certifica
ates are revokeed before acceepting authenttication requessts. To ensure
sccalability and high
h availabilitty, you can depploy the AD CSS Online Respo onder, which ccan be used to o
provide certificaate revocation status. In this lesson, you wwill learn aboutt methods for ccertificate disttribution
annd certificate revocation.
r
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe op
ptions for certiificate enrollm
ment.
Describe ho
ow autoenrollm
ment works.
Explain how
w to configure
e the Restricted
d Enrollment A
Agent.
Describe th
he Network De
evice Enrollment Service.
Explain how
w certificate re
evocation work
ks.
Configure Online
O Respon
nder.
Options
O forr Certificatte Enrollm
ment
In
n Windows Serrver 2012, seve eral methods canc be
ussed to enroll fo
or a user or co
omputer certifiicate.
Thhe use of thesee methods dep pends on speccific
sccenarios. For example, autoe enrollment will
probably be use ed to mass-deploy certificate es to a
la
arge number of o users or com mputers, while manual
ennrollment will be used for ce ertificates dediicated
ju
ust to specific security
s princip
pals.
Th
he following list describes th
he different
en
nrollment metthods, and whe en to use them
m:
CA Web en nrollment: Usinng this methodd, you can ena ble a website CA so that use ers can obtain
certificates.. To use CA Weeb enrollmentt, you must insstall Internet In
nformation Serrver (IIS) and the web
enrollment role on the CA A of AD CS. To questor logs on to the websiite,
o obtain a certtificate, the req
selects the appropriate ceertificate temp
plate, and thenn submits a req quest. The certtificate is issue
ed
MCT USE ONLY. STUDENT USE PROHIBITED
10-22 Implementing Active Directoory Certificate Servicees
Ho
ow Does Autoenrollm
ment Work?
One e of the most common
c methhods for deploying
certtificates in an Active
A Directorry environmen nt is
to use
u autoenrollm ment. This metthod provides an
autoomated way to o deploy certifficates to both users
and computers within the PKI. You Y can use
autooenrollment in n environmentts that meet sp pecific
requuirements, succh as the use of
o certificate
tem
mplates and Gro oup Policy in AD
A DS. It is
impportant to note e, however, thaat you cannot use
auto w a standalone CA. You must
oenrollment with
have an enterprise e CA available to make use of o
autooenrollment.
Youu can use autoe enrollment to deploy public keybased ceertificates auto omatically to users and comp puters
in an organizationn. The Certifica
ate Services ad
dministrator duuplicates a cerrtificate templaate, and then
configures the permissions to allow Enroll and d Autoenroll p
permissions forr the users who o will receive tthe
certtificates. Doma
ain-based Grou up Policies, succh as computeer-based and u user-based po olicies, can activvate
and manage auto oenrollment.
By default,
d Group Policy is applied when you restart compuuters, or at logon for users. A
Also by defaultt,
Group Policy is refreshed every 90 minutes on n domain mem
mbers. This Gro oup Policy settting is named
Certtificate Service
es Client - Auto
o-Enrollment.
An internal
i timer triggers autoe
enrollment eve ery eight hourss after the last autoenrollme
ent activation. The
certtificate template might speciify user interacction for each request. For suuch a request, a pop-up win
ndow
app
pears approxim mately 60 seconnds after the user
u logs on.
Man ny certificates can be distributed without the n being aware that enrollment is taking plaace.
t client even
These include mo ost types of cerrtificates that are omputers and
a issued to co d services, as w
well as many
certtificates issued to users.
To enroll
e clients automatically for certificates in a domain eenvironment, yyou must:
Have membe ership in Doma mins, (or equivvalent), which is the minimum
ain Admins or Enterprise Adm
required to co
omplete this procedure.
p
Configure a certificate
c temp
plate with Auttoenroll permisssions.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 10-23
Configure an
a autoenrollm
ment policy forr the domain.
What
W Is Cred
dential Roam
ming?
Credential Roamming allows orrganizations to
o store certificaates and privatte keys in AD DS, separatelyy from
ap
pplication state or configura
ation informatiion.
Credential Roam ming uses existting logon and d autoenrollm ent mechanism ms to downloaad certificates and
ke
eys to a local computer
c whenever a user lo ogs on and, if desired, remove them when n the user logss off. In
ddition, the inttegrity of these credentials is maintained u
ad under any connditions, such aas when certifiicates
arre updated, orr when users loog on to more than one com mputer at a tim
me. This avoidss the scenario wwhere a
usser is autoenro
olled for a certtificate on each
h new machinee to which he or she logs on n.
Credential Roam
ming is triggerred any time a private key orr certificate in the user's locaal certificate sttore
ch
hanges, wheneever the user lo ks the computeer, and wheneever Group Pollicy is refreshed.
ocks or unlock
All certificate-re
elated communication betweeen componen nts on the locaal computer and between th
he local
co
omputer and AD A DS is signed and encryptted. Credentiall Roaming is suupported in W
Windows 7 and
d newer
Windows
W operaating systems.
What
W Is the
e Restricte
ed Enrollment Agentt?
In
n earlier versions of Windowss Server CA, su uch as
Windows
W Server 2003, it is no
ot possible to permit
p
an
n Enrollment Agent
A to enroll only a certain
n group
off users. As a re
esult, every use
er with an Enroollment
Agent certificate is able to enroll on behalf of any
usser in an organnization.
Tyypically, one or
o more authorrized individua als within an o rganization arre designated aas Enrollment Agents.
Th
he Enrollment Agent needs to t be issued an Enrollment A Agent certificaate, which enables the agentt to
en
nroll for smart card certificattes on behalf of
o users. Enrolllment agents aare typically m members of corrporate
se
ecurity, IT secu
urity, or help desk teams, beccause these inddividuals havee already been entrusted witth
sa
afeguarding va aluable resourcces. In some organizations, ssuch as banks that have man ny branches, hhelp
deesk and security workers mig ght not be con
nveniently locaated to perform m this task. In this case, desiignating
a branch manag ger or other trrusted employeee to act as ann Enrollment AAgent is required to enable ssmart
ca
ard credentialss to be issued from
f multiple locations.
On
O a Windows Server 2012 CA A, the restricte
ed Enrollment Agent featurees allow an Enrrollment Agen nt to be
ate templates. For each certiificate templatte, you can cho
ussed for one or many certifica oose on behalf of
which
w users or security
s group
ps the Enrollme ent Agent can enroll. You caannot constrain n an Enrollmen
nt
Agent based on n a certain Active Directory organizational
o unit (OU) or ccontainer. Inste
ead, you mustt use
se
ecurity groups.
MCT USE ONLY. STUDENT USE PROHIBITED
10-24 Implementing Active Directoory Certificate Servicees
Note: Using g restricted Enrollment Agen nts will affect t he performancce of the CA. T
To
optimize performance, you should minimize the t number off accounts that are listed as Enrollment
Age
ents. You minim mize the numb ber of accountts in the Enroll ment Agents permissions list. As a
bestt practice, use group accoun nts in both listss instead of ind
dividual user aaccounts.
De
emonstration: Config
guring the
e Restricted
d Enrollme
ent Agent
In th
his demonstration, you will see
s how to con
nfigure the Reestricted Enrollment Agent.
Dem
monstration
n Steps
Con
nfigure the Restricted Enrollment Agent
1. On LON-SVR1, open the Ce
ertificate Temp
plates console..
3. Publish the En
nrollment Age
ent certificate template.
t
4. Log on to LON-CL1 as Ada
atum\Allie witth the passworrd Pa$$w0rd.
5. Open a MMC
C console and add
a the Certificates snap-in..
8. Configure the
e Restricted En nt so that Alliee can only issue certificates b
nrollment Agen based on the U
User
template, and
d only for the Marketing security group.
Wh
hat Is Netw
work Devicce Enrollm
ment Servicce?
The Network Device Enrollmentt Service (NDES) is
the Microsoft imp plementation of
o Simple Certiificate
Enroollment Protoccol (SCEP). SCE
EP is a
com
mmunication protocol
p that makes
m it possib
ble for
softtware that is ru
unning on netw
work devices such
s
as roouters and switcheswhich cannot otherw wise
be authenticated
a on the networrkto enroll for
X.5009 certificates from a CA.
Thiss feature applie es to organizations that have PKIs with on ne or more Win ndows Server 2012based C CAs,
and that want to enhance
e the security of their network devvices. Port secu
urity, based onn 802.1x, requirres
certtificates be insttalled on switcches and accesss points. Secu re Shell (SSH), instead of Tellnet, requires a
certtificate on the router, switch,, or access point. NDES is thee service that aallows adminisstrators to insttall
certtificates on devvices using SCEP.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 10-25
Adding supportt for NDES can n enhance the flexibility and scalability of aan organizatio
on's PKI. Therefore,
th
his feature should interest PK
KI architects, planners,
p and aadministrators..
Be
efore installing
g NDES, you must
m decide:
o set up a dedicated user acccount for the sservice, or use the Network SService accoun
Whether to nt.
How
H Does Certificate
e Revocatio
on Work?
Re
evocation is th
he process in which
w you disable
va o more certificates. By initia
alidity of one or ating
th
he revoke proccess, you actua
ally publish a
ce
ertificate thum
mbprint in the corresponding
c g CRL.
A certificate
e is revoked from the CA MM MC
snap-in. Duuring revocatioon, a reason coode and
a date and time are speciified. This is op
ptional,
but recomm mended to fill.
The CRL is published usinng the CA MMC snap-
ocation list is published autom
in (or the sccheduled revo matically baseed on the configured value). CRLs
can be pub blished in AD DS,
D some share ed folder locattion, or on a w
website.
When Wind dows client computers are presented
p with a certificate, tthey use a process to verify
revocation status by querrying the issuin ocess determines whether th
ng CA. This pro he certificate is
revoked, an
nd then presennts the informa ation to the ap
pplication requ uesting the verification. The
Windows client computer uses one of the t CRL locatio ons specified i n certificate to
o check its validity.
Th
he Windows operating
o syste
ems include a CryptoAPI,
C wh ich is responsiible for the cerrtificate revocaation
an API utilizes thee following phaases in the certificate checking
nd status checking processess. The CryptoA
process:
Co
onsideratio
ons for Pub
blishing AIIAs and CD
DPs
Whe en you are ma anaging and issuing certificates, it
ery important to properly co
is ve onfigure certificate
exteensions that arre used to verify the certificaate of
the CA, and the ce ertificate that is being used by
the user. These exxtensions, calle ed AIA and CD DP, are
partt of each certifficate. They mu ust point to prroper
locaations, or PKI may
m not function correctly.
Wh
hat Is AIA?
AIA addresses are e the URLsad ddresses that
uniqquely identify each location on the Interne et or
anetin the certificates thatt a CA issues. These
intra T
adddresses tell the verifier of a ce
ertificate wherre to
retrieve the CA's certificate.
c AIA
A access URLs can
c be HTTP, FFile Transfer Prrotocol (FTP), LLightweight
Dire
ectory Addresss Protocol (LDA AP), or FILE addresses.
Wh
hat Is CDP?
CDPP is a certificate extension th
hat indicates from where thee certificate revvocation list fo
or a CA can be
retrieved. It can coontain none, one,
o or many HTTP,
H FILE, or LLDAP URLs.
AIA
A and CDP Publishing
P
If yo
ou use only ann online CA, these values are configured byy default local ly on the CA. H However, if yo
ou
wan nt to deploy an
n offline root CA
C or if you wa ant to publish AIA and CDP to an internett facing locatio on,
you must reconfig gure these valu ey apply to all certificates isssued by the root CA. The AIA
ues so that the A and
CDP P extensions define where client applicatioons can locate AIA and CDP information fo or the root CA
A. The
formmatting and pu ublishing of AIIA and CDP exxtension URLs aare generally tthe same for root CAs and
subordinate CAs. You can publish the root CA A certificate an
nd the CRL to tthe following llocations:
Active Directo
ory
Web servers
File servers
Pub
blication Po
oints
To ensure
e accessib
bility to all com
mputers in thee forest, publis h the offline ro
oot CA certificcate and the offfline
roott CAs CRL to Active
A Directorry by using the
e Certutil commmand. This plaaces the root C CA certificate and
CRLL in the Configuration namin ng context, which Active Direectory replicattes to all domaain controllers in the
fore
est.
ne
etwork if exterrnal client com
mputers (or inteernal clients frrom external n
networks) require access. Thiss is very
im
mportant if youu are using intternally issued certificates ouutside your com
mpany.
Yo
ou can also pu
ublish certificattes and CRLs to ftp:// and FI LE:// URLs, but it is recommended that yo ou use
on
nly LDAP and HTTP URLs, be ecause they are the most wid dely supported d URL formatss for interoperaability
pu
urposes. The order
o in which you list the CDDP and AIA exxtensions is im portant becau use the certificaate
ch
haining engine
e searches the URLs sequenttially. Place thee LDAP URL firrst in the list if your certificattes are
mostly
m used inte
ernally.
What
W Is an Online Re
esponder?
Byy using OCSP, an Online Ressponder provid des
clients with an efficient
e way to o determine th
he
re
evocation statu us of a certifica
ate. OCSP subm
mits
ce
ertificate status requests usin ng HTTP.
Yo
ou can use a single Online Responder
R to
etermine revocation status information for
de
ertificates that are issued by a single CA, or
ce o by multiple C
CAs. However,, you can use m
more than one
e Online
esponder to distribute CA re
Re evocation inforrmation.
Yo
ou can install an
a Online Respponder on anyy computer thaat runs Windo ows Server 200 08 Enterprise o
or
Windows
W Server 2012. You sh
hould install an
n Online Respo
onder and a CA A on different computers. Th he
fo
ollowing operaating systems can
c use Online e Responder fo
or validation o
of certificate staatus:
Windows Vista
V
Windows 7
Windows 8
Fo
or scalability and high availa
ability, you can
n deploy the O Online Respond der in a load-b
balanced arrayy using
Network Load Balancing
B (NLBB), which proce esses certificatte status requeests. You can m
monitor and mmanage
ea
ach member of o the array ind
dependently. ToT configure th he Online Resp ponder, you mmust use the Online
Re
esponder man nagement conssole.
Yo
ou must config gure the CAs tot include the URL of the On nline Respondeer in the AIA eextension of isssued
ce
ertificates. The
e OCSP client uses
u o validate the certificate stattus. You must also issue the OCSP
this URL to
Re
esponse Signin ng certificate template,
t hat the Online Responder caan also enroll tthat certificate.
so th
How
H to Insta
all and Conffigure Onlin
ne Responde
er
Yo
ou can install Online
O Respon
nders on comp puters that aree running Winddows Server 20 008 R2 or Windows
Se
erver 2012. Yo
ou should insta
all Online Resp
ponders after t he CAs, but beefore issuing aany client certifficates.
MCT USE ONLY. STUDENT USE PROHIBITED
10-28 Implementing Active Directory Certificate Services
The certificate revocation data is derived from a published CRL that can come from a CA on a computer
that is running Windows Server 2008 or newer, or Windows Server 2003, or from a non-Microsoft CA.
Before configuring a CA to support the Online Responder service, the following must be present:
IIS must be installed on the computer during the Online Responder installation. The correct
configuration of IIS for the Online Responder is installed automatically when you install an Online
Responder.
An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment
used to issue an OCSP Response Signing certificate to the computer on which the Online Responder
will be installed.
The URL for the Online Responder must be included in the AIA extension of certificates issued by the
CA. This URL is used by the Online Responder client to validate certificate status.
After an Online Responder has been installed, you need to create a revocation configuration for each CA
and CA certificate that is served by an Online Responder. A revocation configuration includes all of the
settings that are needed to respond to status requests regarding certificates that have been issued using a
specific CA key. These configuration settings include:
CA certificate. This certificate can be located on a domain controller, in the local certificate store, or
imported from a file.
Signing certificate for the Online Responder. This certificate can be selected automatically for you,
selected manually (which involves a separate import step after you add the revocation configuration),
or you can use the selected CA certificate.
Revocation provider that will provide the revocation data used by this configuration. This information
is entered as one or more URLs where the valid base and delta CRLs can be obtained.
Demonstration Steps
Configure an Online Responder
1. On LON-SVR1, use Server Manager to add an Online Responder role service to the existing AD CS
role.
3. On AdatumRootCA, publish the OCSP Response signing certificate template, and allow
Authenticated users to enroll.
Lesson
n5
Mana
aging Ce
ertificatte Reco
overy
Certificate or ke
ey recovery is one
o of the mo ost important m management ttasks during th he certificate liife cycle.
Yoou use a key archival and reccovery agent for
f data recoveery if you losee your public and private keyys. You
ca
an also use auttomatic or manual key archival and key reecovery metho ods to ensure tthat you can gain
acccess to data in the event that your keys are lost. In this lesson, you wiill learn how to
o manage keyy
C in Windows Server 2012 A
arrchival and reccovery in AD CS AD CS.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Configure CA
C for Key Arcchival.
Overview
O of
o Key Arch
hival and Recovery
R
If you lose yourr public and prrivate keys, you u will
noot be able to access
a any data that is encryypted by
ussing the certifiicates public key.
k This data can c
in
nclude Encryptting File System m (EFS) and
Seecure/Multipurpose Internett Mail Extensio ons
(S
S/MIME). There efore, archival and recovery of
puublic and priva ate keys are im
mportant.
Conditions
C fo
or Losing Keys
K
Yo
ou may lose ke
ey pairs due to
o the following
g
co
onditions:
User profile
e is deleted or corrupted. A CSP
C
encrypts a private key and stores the enncrypted privaate key in the llocal file systemm and registryy in the
user profile
e folder. Deletion or corruption of the proffile results in th
he loss of the private key maaterial.
Operating system
s is reinsstalled. When you
y reinstall th
he operating ssystem, the pre
evious installattions of
ofiles are lost, including the private key m aterial.
the user pro
Disk is corrupted. If the hard
h disk becom d and the userr profile is unavvailable, the private
mes corrupted
key materia al is lost autom
matically.
Computer isi stolen. If a users compute with the private key material is
er is stolen, thee user profile w
unavailable
e.
Key
K Archival and Recovery Agents
Yo
ou use key arcchival and Key Recovery Age ents (KRA) for ddata recovery. You can ensuure that CA
ad
dministrators can
c recover prrivate keys by archiving
a themm. KRAs are deesignated userss who are ablee to
re
etrieve the orig
ginal certificate
e, private key, and public keey that were ussed to encrypt the data, from
m the
CAA database. A specific certifiicate templatee is applied to a KRA. When yyou enable key archival in a version
2 certificate tem
mplate, the CA encrypts and stores that priivate key in itss database. In ssituations whe
ere the
MCT USE ONLY. STUDENT USE PROHIBITED
10-30 Implementing Active Directoory Certificate Servicees
CA has stored the e subjects private key in the CA database, you can use kkey recovery to
o recover a
corrrupted or lost key.
Durring the key recovery process, the certificatte manager reetrieves the encrypted file that contains the
certtificate and private key from the CA database. Next, a KR he private key from the encryypted
RA decrypts th
file and returns th
he certificate and private keyy to the user.
Seccurity for Ke
ey Archival
Wheen you have a configured CA A to issue a KR
RA certificate, aany user with Read and Enrroll permission
n on
the KRA certificate
e template can
n enroll and beecome a KRA. As a result, Do omain Adminss and Enterprisse
Admmins receive peermission by default.
d Howevver, you must eensure the folllowing:
Understanding
g Key Archiv
val and Reccovery
Key recovery implies that the prrivate key porttion of a publi c-private key p
pair may be arrchived and
reco
overed. Privatee key recovery does not recoover any data o or messages. Itt merely enables a user to
retrieve lost or damaged keys, or
o for an administrator to as sume the role of a user for d data access or data
reco
overy purposes. In many app a recovery can not occur with
plications, data hout first perfo
orming key
reco
overy.
1. The user requ uests a certificaate from a CA and provides a copy of the private key ass part of the re
equest.
The CA, which g the request, archives the e ncrypted privaate key in the C
h is processing CA database aand
equesting user.
issues a certifficate to the re
4. After the userr stores the reccovered privatte key in the u sers local keyss store, it once
e again can be
e used
ation such as EFS to decrypt previously enccrypted files orr to encrypt ne
by an applica ew ones.
Co
onfiguring Automatic Key Arch
hival
Befoore you can usse key archival, you must perform
seveeral configurattion steps. The
e key archival
featture is not enabled by default, and you sho ould
configure both CA A and certificate templates for
f
key archival and key
k recovery.
The following stepps describe the
e automatic ke
ey
arch
hival process:
b. A CA Officer is defined as a Certificate Manager. This user has the security permission to issue and
manage certificates. The security permissions are configured on a CA in the Certification
Authority MMC snap-in, in the CA Properties dialog box, from the Security tab.
c. A KRA is not necessarily a CA Officer or a Certificate Manager. These roles may be segmented as
separate roles. A KRA is a person who holds a private key for a valid KRA certificate.
3. Enable KRA:
b. In the CA console, right-click the CA name, and then click Properties. To enable key archival, on
the Recovery Agents tab, click Archive the key.
c. By default, the CA uses one KRA. However, you must first select the KRA certificate for the CA to
begin archival by clicking Add.
d. The system finds valid KRA certificates, and then displays available KRA certificates. These are
generally published to AD DS by an enterprise CA during enrollment. KRA certificates are stored
under the KRA container in the Public Key Services branch of the configuration partition in
AD DS. Because CA issues multiple KRA certificates, each KRA certificate will be added to the
multivalued user attribute of the CA object.
e. Select one certificate, and then click OK. Ensure that you have selected the intended certificate.
f. After you have added one or more KRA certificates, click OK. KRA certificates are only processed
at service start.
a. In the Certificate Templates MMC, right-click the key archival template, and then click
Properties.
b. To always enforce key archival for the CA, in the Properties dialog box, on the Request
Handling tab, select the Archive subjects encryption private key check box. In Windows
Server 2008 or later CAs, select the Use advanced symmetric algorithm to send the key to the
CA option.
Demonstration Steps
5. Configure adatumRootCA
A to allow key archival.
a
2. Retrieve PKCS
S #7 BLOB from m the databasse. This is the ffirst half of thee key recovery step. A Certificate
Manager or a CA Administrrator retrieves the correct BLLOB from the C The certificate and
CA database. T
d private key to be recovered are present in PKCS #7 BLLOB. The privatte key is encryypted
the encrypted
e public key off one or more KRAs.
alongside the
De
emonstration: Recov
vering a Lo
ost Private Key (optio
onal)
In th
his demonstration, you will see
s how to reccover a lost priivate key.
Dem
monstration
n Steps
Objectives
Deploy a standalone root CA, and an enterprise subordinate CA.
Lab Setup
Estimated Time: 120 minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
20412A-LON-CA1
20412A-LON-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
implement a standalone root CA. This CA will be taken offline after it issues a certificate for a subordinate
CA.
1. Install the Active Directory Certificate Services (AD CS) server role on non-domain joined server.
Task 1: Install the Active Directory Certificate Services (AD CS) server role on non-
domain joined server
1. Log on to LON-CA1 as Administrator using the password Pa$$w0rd.
2. Use the Add Roles and Features Wizard to install the Active Directory Certificate Services role.
3. After installation completes successfully, click the text Configure Active Directory Certificate
Services on the destination server.
5. Set the key length to 4096, accept all other values as default.
4. Select options: Include in the CDP extensions of issued certificates and Include in CRLs. Clients
use this to find Delta CRL locations.
5. Configure new locations for AIA to be on http://lon-svr1.adatum.com/CertData
/<ServerDNSName>_<CaName><CertificateName>.crt
6. Select the Include in the AIA extension of issued certificates check box.
8. Export the root CA certificate, and copy the .cer file to \\lon-svr1\C$.
Results: After completing this exercise, you will have installed and configured a standalone root CA.
2. Install the Active Directory Certificate Services role on LON-SVR1. Include the Certification
Authority and Certification Authority Web Enrollment role services.
3. After installation is successful, click Configure Active Directory Certificate Services on the
destination server.
4. Select the Certification Authority and Certification Authority Web Enrollment role services.
4. Switch to LON-CA1.
5. From the Certification Authority console on LON-CA1, submit a new certificate request, by using .req
file that you copied in step 3.
6. Issue the certificate and export it to p7b format with complete chain. Save the file to
\\lon-svr1\C$\SubCA.p7b.
7. Switch to LON-SVR1.
8. Install the SubCA certificate on LON-SVR1 using the Certification Authority console.
3. Publish the RootCA.cer file from \\lon-svr1\C$ to Trusted Root Certification Authorities store in
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
Results: After completing this exercise, you will have deployed and configured an enterprise subordinate
CA
2. Create a new template for users that includes smart card logon.
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates Console, duplicate the User certificate template.
2. Name the new template Adatum Smart Card User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail
name check boxes.
4. Add Smart Card Logon to Application Policies of the new certificate template.
6. Allow Authenticated Users to Read, Enroll, and Autoenroll for this certificate.
Task 4: Update the Web server certificate on the LON-SVR2 Web Server
1. Log on to LON-SVR2 as Adatum\Administrator with the password of Pa$$w0rd.
3. From Server Manager, open the Internet Information Services (IIS) Manager.
o Organization: Adatum
o Organizational Unit: IT
o City/locality: Seattle
o State/province: WA
o Country/region: US
5. Create HTTPS binding for Default Web Site, and associate it with new certificate.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 10-37
Results: After completing this exercise, you will have created and published new certificate templates.
2. Verify autoenrollment.
3. Navigate to User Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then click to highlight Public Key Policies.
4. Enable the Certificate Services Client Auto-Enrollment option, and enable Renew expired
certificates, update pending certificates, and remove revoked certificates and Update
certificates that use certificate templates.
6. Close Group Policy Management Editor and Group Policy Management console.
2. Open an mmc.exe console and add the Certificates snap-in focused on the user account.
3. Verify that you have been issued a certificate based on the Adatum Smart Card User template.
Results: After completing this exercise, you will have configured and verified autoenrollment for users,
and configured an enrollment agent for smart cards.
MCT USE ONLY. STUDENT USE PROHIBITED
10-38 Implementing Active Directory Certificate Services
2. Set the CRL publication interval to 1 Day, and set the Delta CRL publication interval to 1 hour.
2. When the message displays that installation succeeded, click Configure Active Directory Certificate
Services on the destination server. Configure the online responder.
5. On Adatum-IssuingCA, publish the OCSP Response signing certificate template, and allow
Authenticated users to enroll.
Results: After completing this exercise, you will have configured certificate revocation settings.
2. In the Certificates Templates console, open the Key Recovery Agent certificate properties dialog
box.
3. On the Issuance Requirements tab, clear the CA certificate manager approval check box.
4. On the Security tab, notice that only Domain Admins and Enterprise Admins groups have the Enroll
permission.
5. Right-click the Certificates Templates folder, and enable the Key Recovery Agent template.
2. Use the Certificate Enrollment Wizard to request a new certificate, and enroll the KRA certificate.
3. Refresh the console window, and view the KRA in the personal store.
2. On the Recovery Agents tab, click Archive the key, and then add the certificate by using the Key
Recovery Agent Selection dialog box.
3. On the Request Handling tab, set the option for the Archive subject's encryption private key. Using
the archive key option, the KRA can obtain the private key from the certificate store.
4. Click the Subject Name tab, clear the E-mail name and Include e-mail name in subject name
check boxes.
6. Switch to LON-SVR1.
7. Open the Certification Authority console, expand Adatum-IssuingCA, and then click Issued
Certificates store.
8. In the Certificate Authority Console, note the serial number of the certificate that has been issued for
Alan Brewer.
MCT USE ONLY. STUDENT USE PROHIBITED
10-40 Implementing Active Directory Certificate Services
Note: Replace serial number with the serial number that you wrote down.
10. Verify that the Outputblob file has appeared in the C:\Users\Administrator folder.
11. To convert the Outputblob file into an importable .pfx file, at the command prompt, type Certutil
recoverkey outputblob aidan.pfx.
13. Verify the creation of the recovered key in the C:\Users\Administrator folder.
14. Cut and paste the aidan.pfx file to the root of drive C on LON-CL1.
Results: After completing this exercise, you will have implemented key archival, and tested private key
recovery.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Lab Review
Question: Why is it not recommended to install just an Enterprise root CA?
Question: What are some reasons that an organization would use an enterprise root CA?
2. What kind of certificates should Contoso use for EFS and digital signing?
Best Practice
When deploying CA infrastructure, deploy a standalone (non-domain joined) root CA, and an
enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives a certificate from
RootCA, take RootCA offline.
Issue a certificate for RootCA for a long period of time such as 15 or 20 years.
MCT USE ONLY. STUDENT USE PROHIBITED
10-42 Implementing Active Directory Certificate Services
Tools
Certificate Authority console
Certificates console
Certutil.exe
MCT USE ONLY. STUDENT USE PROHIBITED
11-1
Module 11
Implementing Active Directory Rights Management Services
Contents:
Module Overview 11-1
Module Overview
Active Directory Rights Management Services (AD RMS) provides a method for protecting content that
goes beyond simply encrypting storage devices using Windows BitLocker Drive Encryption, or
individual files using Encrypting File System (EFS). AD RMS provides a method to protect data in transit
and at rest, and ensures that it is accessible only to authorized users for a specific duration.
This module introduces you to AD RMS, and describes how to deploy it, how to configure content
protection, and how to make AD RMSprotected documents available to external users.
Objectives
After completing this module, you will be able to:
Lesson 1
AD RM
MS Overrview
Prio
or to deploying
g AD RMS, you u need to knoww how AD RM S works, what components are included in n an
AD RMS deploym ment, and how you should de eploy AD RMS . You must als o understand the concepts
behhind various AD
D RMS certifica
ates and licensses.
Thiss lesson provid w of AD RMS, and the scenaarios in which yyou can use it to protect an
des an overview
orgaanization's con
nfidential data
a.
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
Describe AD RMS.
List the AD RM
MS componen
nts.
Wh
hat Is AD RMS?
R
AD RMS is an info ormation prote ection technolo ogy
thatt is designed to
o minimize the e possibility off data
leak
kage. Data leak kage is the unaauthorized
nsmission of information, either to people
tran
with
hin the organizzation or peop ple outside the e
orgaanization, whoo should not be able to acce ess
thatt information. AD RMS integ grates with exissting
Microsoft productts and operating systems
including Exchang ge, SharePointt, and the Micrrosoft
Office Suite.
Usage
U Scen
narios for AD
A RMS
Thhe primary use e for AD RMS is i to control th
he
diistribution of sensitive
s inform
mation. You ca an use
AD RMS in com mbination with encryption
te
echniques to se ecure data when it is in stora age or
in e can be many reasons to control
n transit. There
he distribution of sensitive in
th nformation, succh as
neeeding to ensu ure that only authorized
a stafff
members
m have access to a file
e, ensuring thaat
se
ensitive email messages
m cann
not be forward ded, or
en
nsuring that details of an un nreleased proje ect are
noot made public. Consider the following sce enarios.
Scenario 1
Thhe CEO copiess a spreadsheet file containinng the compen nsation packagges of an orgaanization's executives
from a protecteed folder on a file server to the CEOs perso
onal USB drivee. During the ccommute hom me, the
CEO leaves the USB drive on the
t train, wherre someone w with no connection to the org ganization find
ds it.
Without
W AD RM
MS, whoever finnds the USB drrive can open the file. With AAD RMS, it is p
possible to enssure that
th b opened by unauthorized users.
he file cannot be
Scenario 2
An internal document should be viewable by b a group of aauthorized pe ople within th he organization
n. These
pe
eople should not
n be able to edit or print the document.. While it is po ossible to use the native
unctionality of Microsoft Offfice Word to restrict
fu r these ffeatures, doing
g so requires eeach person to
o have a
Windows
W Live account. Withh AD RMS, you u can configuree these permisssions based o on existing acco
ounts in
AD DS.
Overview
O of
o the AD RMS
R Comp
ponents
Th he AD RMS root certification n cluster is the first
AD RMS server that you deplo oy in a forest. The
AD RMS root ce ertification clusster manages all
liccensing and ce ertification trafffic for the dommain in
which
w it is installed. AD RMS stores
s configuration
in
nformation eith her in a Microssoft SQL Serve er
da t Windows Internal Database. In
atabase or in the
la
arge environme ents, the SQL Server
S databasse is
ho osted on a server that is separate from the e server
th
hat hosts the AD A RMS role.
AD RMS licensin ng-only clusters are used in
diistributed enviironments. Lice
ensing-only clusters
do
o not provide certification, but
b do allow th he distribution
n of licenses th
hat are used fo
or content
co
onsumption an nd publishing. Licensing-only clusters are ooften deployeed to large branch offices in
orrganizations th
hat use AD RM MS.
MCT USE ONLY. STUDENT USE PROHIBITED
11-4 Implemennting Active Directoryy Rights Managemennt Services
AD
D RMS Serve
er
AD RMS servers must
m be memb bers of an AD DS
D domain. W hen you installl AD RMS, info ormation abouut the
loca
ation of the clu
uster is publish
hed to AD DS to
t a location kknown as the sservice connection point.
Commputers that are members of the domain queryq the servvice connectionn point to dete
ermine the loccation
of AD
A RMS service es.
AD
D RMS Clientt
AD RMS client is built
b into the Windows
W Vistaa, Windows 7, aand Windows 8 operating syystems. The AD D
RMSS client allows AD RMS-enab ons to enforce the functionality dictated b
bled applicatio by the AD RMSS
mplate. Without the AD RMS client, AD RMS-enabled app
tem uld be unable tto interact with AD
plications wou
RMSS-protected coontent.
AD
D RMS Enablled Applicattions
AD RMS-enabled applications allow
a users to create
c and con nsume AD RMS-protected co ontent. For
exammple, Microsooft Outlook allo
ows users to viiew and createe protected em
mail messages.. Microsoft Wo
ord
allows uses to view
w and create protected
p word d processing ddocuments.
AD
D RMS Certtificates an
nd License
es
To understand
u hoow AD RMS wo orks, you need to
be familiar
f with its different certificates and license
typees. Each of theese certificates and licenses
funcctions in a diffferent way. Somme certificatess, such
as the server licennsor certificate (SLC), are critically
impportant and you must back them up on a
reguular basis.
SLC
C
The SLC is generated when you create the AD D RMS
clusster. It has a va
alidity of 250 years.
y The SLC
allows the AD RM MS cluster to isssue:
Publishing liccenses.
Use licenses.
Rights policy template.
AD
D RMS Mach
hine Certificate
The AD RMS machine certificate e is used to ide
entify a trusted
d computer orr device. The ccertificate iden
ntifies
the client computter's lockbox. The
T machine certificate publlic key encryptts the Rights A Account Certificcate
privvate key. The machine
m certificate private keey decrypts thee Rights Accou
unt Certificate
es.
Rig
ghts Accoun
nt Certificate
e
The Rights Account Certificate (RAC)
( identifie
es a specific useer. The defaultt validity time for a RAC is 365
days. RACs can on
nly be issued to
o users in AD DS whose userr accounts havve email addre esses that are
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 11-5
asssociated with them. A RAC is issued the fiirst time a userr attempts to aaccess AD RMS-protected co ontent.
Yoou can adjust the default validity time usin
ng the Rights AAccount Certifficate Policies node of the Active
Directory Rightss Management Services conssole.
Two types of o Windows Live ID RAC are supported. Windows Livee ID RACs used d on private
computers have a validityy of six months. Windows Livve ID RACs useed on public ccomputers are valid
until the usser logs off.
Client
C Licenssor Certifica
ate
A client licensorr certificate allows a user to publish AD RM MS-protected ccontent when the client com mputer
is not connected to the same network as th he AD RMS clu ster. The client licensor certiificate public kkey
en ncrypts the symmmetric conte ent key and inccludes it in thee publishing liccense that it issues. The clien
nt
liccensor certifica
ate private keyy signs any pubblishing licens es that are issuued when the client is not
coonnected to th he AD RMS clu uster.
Publishing
P License
A publishing license (PL) deteermines the rigghts that applyy to AD RMS-p protected conttent. For example, the
pu
ublishing licen
nse determiness if the user can edit, print, o
or save a docu ment. The pub blishing license e
ontains the content key, which is encrypted using the pu
co ublic key of th e licensing serrvice. It also co
ontains
th
he URL and the e digital signatture of the AD
D RMS server.
How
H AD RM
MS Works
AD RMS works in the followin
ng manner:
3. This symmetric key is encrypted to the public key of the AD RMS server that is used by the author.
4. The recipient of the file opens it using an AD RMS application or browser. It is not possible to open
AD RMS-protected content unless the application or browser supports AD RMS. If the recipient does
not have an account certificate on the current device, one will be issued to the user at this point. The
application or browser transmits a request to the author's AD RMS server for a Use License.
5. The AD RMS server determines if the recipient is authorized. If the recipient is authorized, the AD RMS
server issues a Use License.
6. The AD RMS server decrypts the symmetric key that was encrypted in step 3, using its private key.
7. The AD RMS server re-encrypts the symmetric key using the recipient's public key and adds the
encrypted session key to the Use License.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 11-7
Lesson
n2
Deplo
oying and Man
naging an
a AD R
RMS Inffrastructure
Be
efore deployin ng AD RMS, it is important too have a deplo oyment plan th hat is appropriate for your
orrganization's environment.
e AD
A RMS deplo oyment in a sin ngle-domain fo orest is different from AD RMMS
de
eployment in scenarios
s where you need too support the publication an nd consumptio on of content aacross
multiple
m forests, to trusted pa
artner organiza
ations, or acro ss the public I nternet. Beforee deploying A
AD RMS,
yo
ou also need to have an und derstanding off the client req uirements, and d an appropriaate strategy fo
or
ba
acking up and d recovering AD D RMS.
his lesson provvides an overview of deployiing AD RMS, aand the steps yyou need to taake to back up
Th p,
re
ecover, and deecommission an AD RMS infrrastructure.
Le
esson Objecctives
After completin y will be able to:
ng this lesson you
Describe AD
D RMS deployyment scenario
os.
Configure the
t AD RMS cluster.
Explain how
w to install the
e first server off an AD RMS c luster.
Describe AD
D RMS client requirements.
r
Explain how nt an AD RMS backup and reecovery strateg
w to implemen gy.
AD
A RMS De
eploymentt Scenarios
An AD RMS dep ployment conssists of one or more
se
ervers known as a a cluster. Ann AD RMS clustter is
noot a high-availability failover cluster. When
n you
arre deploying ADA RMS, you should host the e server
so
o that it is high
hly available. AD
A RMS is com mmonly
deeployed as a highly
h e virtual machine.
available
When
W you deploy AD RMS in a single forestt, you
ha
ave a single ADD RMS cluster.. This is the mo
ost
co
ommon form of o AD RMS deployment. You u add
se
ervers to the AD
A RMS clusterr as needed, to o
provide additional capacity.
When
W you deploy AD RMS accross multiple forests,
f
ea
ach forest musst have its own
n AD RMS roott cluster. It is n
necessary to co
onfigure AD RMMS Trusted Puublishing
Domains to enssure that AD RMS content caan be protecteed and consum med across the
e multiple foressts.
Yoou can also deeploy AD RMS to extranet locations. In thiss deployment, the AD RMS licensing serve er is
acccessible to ho ernet. You use this type of d eployment to support collab
osts on the inte boration with external
ussers.
ou can deployy AD RMS with Active Directo
Yo ory Federation
n Services (AD FS) or the Miccrosoft Federattion
Gateway. In thiss scenario, users leverage fed
derated identitty to publish aand consume rrights-protecte
ed
co
ontent.
As a best practice, you should d not deploy AD
A RMS on a d domain controoller. You can o
only deploy AD
D RMS
on
n a domain co ontroller if the service accoun
nt is a membeer of the Domaain Admins grooup.
MCT USE ONLY. STUDENT USE PROHIBITED
11-8 Implemennting Active Directoryy Rights Managemennt Services
Co
onfiguring the AD RM
MS Clusterr
Oncce you have de eployed the ADD RMS server role,
you need to confiigure the AD RMSR cluster be
efore
it is possible to usse AD RMS. Coonfiguring the
AD RMS cluster in nvolves perform
ming the followwing
stepps:
5. Cluster key sttorage: Choosee where the clu ored. You can either have it stored within
uster key is sto
u a special crryptographic service provideer (CSP). If you choose to use
AD RMS, or use e a CSP, you need
to manually distribute
d the key
k if you wan nt to add addittional servers.
6. Cluster key pa
assword: This password
p encrrypts the clusteer key, and is rrequired if you
u want to join other
AD RMS serve ers to the clustter, or if you want
w to restoree the cluster froom backup.
Demonstration Steps
2. Use the Active Directory Administrative Center to create an Organizational Unit (OU) named Service
Accounts in the adatum.com domain.
3. Create a new user account in the Service Accounts OU with the following properties:
Prepare DNS
Use the DNS Manager console to create a host (A) resource record in the adatum.com zone with the
following properties:
o Name: adrms
o IP Address: 172.16.0.21
2. Use the Add Roles and Features Wizard to add the AD RMS role to LON-SVR1 using the following
option:
o Role services: Active Directory Rights Management Server
Configure AD RMS
1. In Server Manager, from the AD RMS node, click More to start post deployment configuration of
AD RMS.
o Port: 80
MCT USE ONLY. STUDENT USE PROHIBITED
11-10 Implementing Active Directoory Rights Managemeent Services
o Licensor Certificate: Ad
datum AD RM
MS
o Register AD
A RMS Servicce Connection
n Point: Registter the SCP No
ow
3. Log off from LON-SVR1.
AD
D RMS Clie
ent Require
ements
AD RMS content canc only be pu ublished and
consumed by com mputers that are running the e
AD RMS client. All versions of Windows
W Vista
,
Winndows 7, and Windows
W 8 clie
ent operating
A RMS client software. Wind
systems include AD dows
Servver 2008, Wind
dows Server 20 008 R2, and
Winndows Server 2012
2 operatingg systems also
include the AD RMMS client. Thesse operating
systems do not reequire additionnal configuration to
consume and pub blish AD RMS protected con ntent.
AD RMS client sofftware is availaable for download
to computers
c thatt are running the
t Windows XP X
opeerating system,, and Mac OS X. X This client software must be installed beefore it is posssible for users of
thesse operating syystems to be able
a to consum me and publish
h AD RMSpro otected conten nt.
SharePoint Se
erver 2013
Client applications, such as thosse included in Microsoft Offiice 2007, Officce 2010, and O
Office 2013 can
n
pubblish and consuume AD RMS protected con ntent. You can use the AD RM MS Software DDevelopment K Kit
(SDK) to create ap
pplications thaat can publish and
a consume AD RMSprottected contentt. Microsoft XP PS
view
wer and Windo ows Internet Exxplorer are also able to view w AD RMSprrotected conte ent.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 11-11
Im
mplementting an AD
D RMS Back
kup and R
Recovery Strategy
Too prevent data a loss, you musst ensure that the AD
RMS server is ba uch a way that it can
acked up in su
bee recovered in f corruption or
n the event of file
se
erver failure. If the AD RMS server
s becomees
naccessible, all AD RMS-protected content also
in
beecomes inacce essible.
A simple strateggy for implemeenting AD RMS
ba
ackup and recovery is to runn AD RMS servver as a
virtual machine, and then usee an enterprisee
ba
ackup productt such as Micro osoft System Center
C
20
012 - Data Pro otection Manager to perform m
re
egular virtual machine
m backu
ups. Some of the
im
mportant comp ponents that require backup ps are the privaate key, certificcates, the AD RMS database
e, and
emplates. You can also perfo
te orm a full serve
er backup, by rrunning AD RM MS server on a virtual machine.
When
W you are performing
p A RMS role, itt may be neceessary to delete
reccovery of the AD e the
Se
erviceConnecctionPoint objject from AD DS. D You need tto do this if yo ou are recoveriing an AD RMS root
co
onfiguration se
erver, and the server attemppts to provision
n itself as a liceensing-only se
erver.
Decommiss
D sioning an
nd Removing AD RM
MS
Prrior to removin
ng an AD RMS S server, you sh
hould
deecommission that
t server. Deecommissionin ng
AD RMS puts th he cluster into a state where
coonsumers of AD
A RMSproteccted content are a able
to
o obtain specia ecrypts that content,
al keys that de
t existing resstrictions that were
irrespective of the
placed on the use
u of that con ntent. If you doo not
haave a decomm missioning period, and if you simply
emove the AD RMS server, th
re hen the AD RM MS
protected conte ent will becomme inaccessible.
Too decommissio
on AD RMS, pe
erform the folllowing
stteps:
1.. t server that is hosting AD RMS, and thaat you wish to decommission
Log on to the n.
6. When prompted to confirm that you want to decommission the server, click Yes.
After the AD RMS decommissioning process is complete, you should export the server licensor certificate
prior to uninstalling the AD RMS role.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 11-13
Lesson
n3
Configuring AD RM
MS Conte
ent Pro
otection
n
AD RMS uses rig ghts policy tem
mplates to enfforce a consisteent set of policcies when prottecting contennt.
When
W configuring AD RMS, youy also need to t develop straategies to ensu ure that users can still access
protected conte ent from a commputer that is not connected d to the AD RM MS cluster. Youu also need to o
de gies for excludiing some userss from being aable to access AD RMSprotected content, and
evelop strateg
sttrategies to ensure that proteected content can be recoveered in the eveent that it has expired, the te emplate
ha ed, or if the author of the content is no lon
as been delete nger available..
Le
esson Objecctives
After completin
ng this lesson you
y will be able to:
Describe th
he function of rights policy te
emplates.
Explain how
w to create a rights policy te
emplate.
Implement an AD RMS su
uper users group.
What
W Are Rights
R Policy Templa
ates?
Riights policy templates allow you to configure
sttandard metho ods of impleme enting AD RM MS
po olicies across the
t organizatio on. For example, you
caan configure sttandard templates that gran nt view-
on nly rights, blocck the ability to edit, save, an
nd
print, or if used with Microsofft Exchange Se erver,
block the abilityy to forward, re eply, and replyy all to
messages.
m
Save. Allows a user to use the Save function with an AD RMSprotected document.
Export (Save as). Allows a user to use the Save As function with an AD RMSprotected document.
Forward. Used with Exchange Server. Allows the recipient of an AD RMSprotected message to
forward that message.
Reply. Used with Exchange Server. Allows the recipient of an AD RMSprotected message to reply to
that message.
Reply All. Used with Exchange Server. Allows the recipient of an AD RMSprotected message to use
the Reply All function to reply to that message.
Extract. Allows the user to copy data from the file. If this right is not granted, the user cannot copy
data from the file.
Rights can only be granted, and cannot be explicitly denied. For example, to ensure that a user cannot
print a document, the template associated with the document must not include the Print right.
Administrators are also able to create custom rights that can be used with custom AD RMSaware
applications.
AD RMS templates can also be used to configure documents with the following properties:
Content Expiration. Determines when the content expires. The options are:
o Expires after. The content expires a particular number of days after it is created.
Use license expiration. Determines the time interval in which the use license will expire, and a new
one will need to be acquired.
Enable users to view protected content using a browser add-on. Allows content to be viewed
using a browser add-on. Does not require the user have an AD RMSaware application.
Require a new use license each time content is consumed. When you enable this option, client-
side caching is disabled. This means that the document cannot be consumed when the computer is
offline.
Revocation policies. Allows the use of a revocation list. This allows an author to revoke permission to
consume content. You can specify how often the revocation list is checked, with the default being
once every 24 hours.
Once an AD RMS policy template is applied to a document, any updates to that template will also be
applied to that document. For example, if you have a template without a content expiration policy that is
used to protect documents, and you modify that template to include a content expiration policy, those
protected documents will now have an expiration policy. Template changes are reflected when the EUL is
acquired. If EULs are configured not to expire and the user who is accessing the document already has a
license, then they may not receive the updated template.
You should avoid deleting templates, because documents that use those templates will become
inaccessible to everyone except for members of the super users group. As a best practice, archive
templates instead of deleting them.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 11-15
Yo
ou can view th
he rights assocciated with a te
emplate by sel ecting the tem
mplate within tthe Active Dire
ectory
Riights Managem
ment Services console, and then
t in the Acctions menu, cclicking View RRights Summary.
Demonstra
D ation: Creating a Rights Policy Template
e
In
n this demonsttration, you will create a righ
hts policy temp
plate that allow ew a document, but
ws users to vie
noot to perform other actions.
Demonstrati
D ion Steps
In the Activve Directory Rights Managem he Rights Policcy Template node to
ment Services console, use th
create a Disstributed Rights Policy Temp
plate with the following prop
perties:
o Langua
age: English (U
United Statess)
o Name: ReadOnly
o Descrip
ption: Read-on
nly access. No
o copy or prin
nt.
o Users and
a rights: exe
ecutives@ada
atum.com
o Conten
nt Expiration: Expires
E after 7 days
o Require
e a new use liccense every tim
me content is cconsumed (dissable client-sid
de caching): En
nabled
Providing
P Rights
R Poliicy Templa
ates for Offfline Use
If users are goin
ng to publish AD
A RMSconnected
te
emplates when n they are not connected to the
neetwork, you neeed to ensure that they have e access
to
o a local copy of
o the available rights policyy
te
emplates.
Yo
ou can configu ure computerss to acquire an nd store
puublished rightss policy templates automaticcally, so
th
hat they are avvailable offline. To enable this
fe
eature, computters must be running the folllowing
Windows
W operaating systems:
Windows Vista
V SP1 or new
wer
Windows 7
Windows 8
To
o enable this functionality,
f in
n the Task Scheduler, enablee the AD RMS S Rights Policy y Template
Management
M (Automated)
( Scheduled Ta ask, and then edit the follow
wing registry kkey:
MCT USE ONLY. STUDENT USE PROHIBITED
11-16 Implementing Active Directoory Rights Managemeent Services
HKE
EY_CURRENT__USER\Softwa
are\Microsoftt\Office\12.0\\Common\DR
RM
%Lo
ocalAppData%
%\Microsoft\DR
RM\Templates
Whe en computers that are runniing these operrating systems are connected d to the domaain, the AD RM
MS
clien
nt polls the AD
D RMS cluster for new templlates, or updattes to existing templates.
You
u can configure
e a shared fold
der for templattes by perform
ming the follow
wing steps:
Wh
hat Are Exclusion Po
olicies?
Excllusion policies allow you to prevent
p specifiic
userr accounts, clie
ent software, or
o applicationss from
usin
ng AD RMS.
Use
er Exclusion
n
The User Exclusion policy allowss you to config gure
AD RMS so that specific user accountswhich h are
iden
ntified based on
o email addre essesare una able
to obtain
o Use Lice
enses. You do this
t by adding g each
userr's RAC to the exclusion list. User Exclusion
n is
disa
abled by defau ult. Once you have
h enabled User
U
Excllusion, you can
n exclude speccific RACs.
You
u can use user exclusion in th
he event that you
y needed to o lock a specificc user out of A
AD RMSprote ected
content. For exammple, when useers leave the organization, yo
ou might exclu ude their RACss to ensure thaat
theyy are unable to
o access protected content. You
Y can blockk the RACs tha t are assigned to both intern nal
userrs and external users.
Application Ex
xclusion
Appplication Exclussion allows you
u to block spe
ecific applicatio
onssuch as OOffice PowerPo ointfrom creeating
or consuming
c AD RMSprotecte ed content. Yo
ou specify app lications based
d on executab ble names. Youu also
speccify a minimumm and a maxim mum version of
o the applicatiion. Applicatio
on Exclusion is disabled by
defa
ault.
Note: It is possible
p to circcumvent Appliccation Exclusio
on by renamin
ng an executab
ble file.
Locckbox Exclu
usion
Lockbox exclusionn allows you to
o exclude AD RMS
R uch as those ussed with specific operating
clients, su
systems such as Windows
W XP annd Windows Vista. Lockbox vversion exclusiion is disabled by default. Once
you have enabledd Lockbox version exclusion, you must spe cify the minimmum lockbox vversion that can be
usedd with the AD RMS cluster.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 11-17
Additiona
al Reading: To
o find out more about enab bling exclusion policies, referr to the
fo Net webpage: http://technett.microsoft.com
ollowing TechN m/en-us/librarry/cc730687.asspx
Demonstra
D ation: Creating an Ex
xclusion Po
olicy to Exclude an A
Application
n
In
n this demonsttration, you will see how to exclude
e a speccific application
n from AD RM
MS.
Demonstrati
D ion Steps
1.. ment Services console, enab le Application exclusion.
In the Activve Directory Rights Managem
2.. ude Application dialog boxx, enter the fol lowing inform
In the Exclu mation:
o Applica
ation File name: Powerpnt.e
exe
o Minimu
um version: 14
4.0.0.0
o Maximum version: 16
6.0.0.0
AD
A RMS Su
uper Users Group
Th
he AD RMS super users grou up provides a data
d
re
ecovery mecha anism for AD RMSprotected
R d
co
ontent. This mechanism is usseful in the eve
ent that
AD RMSproteccted data need ds to be recove ered,
su
uch as when coontent has exp
pired, when a
te
emplate has beeen deleted, or when you do o not
ha
ave access.
Members
M of the
e super users group
g are assig
gned
Owner
O Use Licenses for all content that is
protected by th he AD RMS cluster on which that
articular superr users group is enabled. Me
pa embers
off the super useers group are able
a to reset thhe
AD RMS server's private key password.
p
As members of the super users group can access
a any AD RMSprotecteed content, you must be esp pecially
ca
areful when yo ou are managing the membe ership of this g
group. If you cchoose to use tthe AD RMS su uper
ussers group, you should consider implemen nting restricted
d groups policcy and auditing g to limit grou
up
membership,
m an
nd audit any changes that arre made. Supeer User activityy is written to tthe Applicationn event
lo
og.
Th
he super userss group is disab
bled by defaullt.
Yo
ou enable the super users grroup by perforrming the follo
owing steps:
Lesson 4
Config
guring External
E l Accesss to AD RMS
It is often necessa
ary to allow useers that are no
ot a part of thee organization access to AD RMSprotecte ed
content. This could be a situatioon where an exxternal user is a contractor w who requires aaccess to sensittive
matterials, or a parrtner organization where your users will reequire access tto protected content publish hed
by their
t AD RMS server.
s AD RMS provides a number
n of diffeerent options for granting e
external users aaccess
to protected
p conttent.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Explain how to
t implement Trusted
T User Domains.
D
Op
ptions for Enabling
E External
E Ussers to Acccess AD RM
MS
Trusst policies allow
w users who are external to the
orgaanization the ability
a to consume AD RMS
prottected contentt. For example e, a trust policyy can
allow users in Brin ng Your Own Device
D (BYOD))
environments to consume
c AD RMSprotected
R d
content, even tho ough those com mputers are no ot
mem mbers of the organization's
o AD
A DS domain n.
AD RMS trusts are e disabled by default,
d and ne eed
to be
b enabled beffore being use ed. AD RMS
supports the follo owing trust pollicies.
Tru
usted User Domains
D
Trussted User Dom mains (TUD) allows an AD RM MS
clusster to process requests for client
c licensor certificates,
c or use licenses frrom people who have RACs
issued by a differeent AD RMS cluster. For exam mple, A. Datum m Corporation n and Trey Research are sepaarate
orga anizations that have each deeployed AD RM MS. TUD allow ws each organizzation to publish and consume
AD RMSprotecte ed content to and
a from the partner
p organiization withou ut having to im
mplement AD DDS
trussts or AD FS.
Tru
usted Publisshing Doma
ains
Trussted Publishing
g Domains (TP PD) allows onee AD RMS clustter to issue EU
ULs to content that uses
pubblishing license
es that are issued by a differe
ent AD RMS clluster. TPD connsolidates exissting AD RMS
infra
astructure.
Fed
deration Tru
ust
Federation Trust provides
p Single
e Sign On (SSO
O) for partner technologies. Federated parrtners can consume
AD RMSprotecte ed content without deploying their own A D RMS infrastrructure. Federation Trust reqquires
dep
ployment of AD D FS.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 11-19
Windows
W Liv
ve ID Trust
Yoou can use Windows Live ID to allow stand dalone users th
hat have Wind
dows Live IDs tto consume AD
D RMS
protected conte ent generated by users in yo
our organizatio
on. However, W
Windows Live ID users are un
nable to
crreate content that
t is protected by the AD RMS cluster.
Microsoft
M Fe
ederation Ga
ateway
Microsoft
M Federration Gatewayy allows an AD
D RMS cluster tto process req
quests to publish and consumme
AD RMSproteccted content frrom external organizations,
o by accepting cclaims-based aauthentication
n tokens
from the Microssoft Federation
n Gateway. Rather than conffiguring a Fed eration Trust, each organizaation has
a relationship with
w the Microssoft Federation n Gateway. Thee Microsoft Feederation Gateeway acts as a trusted
broker.
Im
mplementting TUD
TU
UD allows AD RMS to service e requests from
m users
who
w have RACs issued by diffferent AD RMS S
de
eployments. You can use excclusions with each
e
TU
UD to block acccess to specific users and groups.
Yoou need to enable anonymo ous access to the AD RMS liccensing servicee in Internet In
nformation Serrvices
(IIS) when using
g TUD, as by de
efault, accessin
ng the service requires autheenticating usin
ng Integrated
Windows
W Autheentication.
To
o add a TUD, perform
p the fo
ollowing steps:
Yo
ou can use the
e Import-RmssTUD PowerSh
hell cmdlet, w
which is part off the ADRMSADMIN PowerSShell
module,
m to add a TUD.
MCT USE ONLY. STUDENT USE PROHIBITED
11-20 Implementing Active Directoory Rights Managemeent Services
To export
e a TUD, perform the fo
ollowing stepss:
Implementin
ng TPD
Youu can use TPD tot set up a tru
ust relationship
p
betwween two AD RMS deployments. An AD RMS
D, which is a local AD RMS de
TPD eployment, can
grannt EULs for con
ntent publisheed using the Trrusted
Pubblishing domain's AD RMS de eployment. Foor
exammple, Contoso o, Ltd and A. Datum
D Corporaation
are set up as TPD partners. TPD allows users ofo the
Conntoso AD RMS deployment to t consume co ontent
pubblished using th
he A. Datum ADA RMS
dep
ployment, by using EULs thatt are granted by b the
Conntoso AD RMS deployment.
Wheen you are connfiguring a TPD, you import the SLC of an other AD RMSS cluster. TPDss are stored in XML
mat, and are protected by pa
form asswords.
To export
e ollowing steps:
a TPD, perform the fo
1. In the AD RM
MS console, exp
pand Trust Po
olicies, and theen click Truste
ed Publishing
g Domains.
2. In the Resultss pane, choosee the certificate
e for the AD R MS domain th
hat you want to
o export, and then
in the Actionss pane, click Ex
xport Trusted d Publishing DDomain.
3. Choose a stro
ong password and a filename
e for the TPD.
Whe en you are expporting a TPD, it is possible to V1compatible trusted publishing domain
t save it as a V n file.
PD to be imporrted into organizations that are using AD RMS clusters o
Thiss allows the TP on earlier versiions
of the Windows Server operatin ng system, such on available in Windows Servver 2003. You can
h as the versio
use the Export-RmsTPD cmdle et to export a TPD.
T
You
u can also use the
t Import-Rm
msTPD cmdle
et to import a TTPD.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 11-21
Sharing AD
D RMSPro
otected Do
ocuments b
by Using W
Windows LLive ID
Yo
ou can use Windows Live ID as a method ofo
providing RACs to users who are not part of
o your
orrganization.
To
o trust Windowws Live IDbassed RACs, perfo
orm the
fo
ollowing steps::
To
o allow users with
w Windows Live IDs to ob btain RACs from
m your AD RM MS cluster, you need to configure IIS
to
o support anonnymous accesss. To do this, perform
p the folllowing steps:
1.. Open the IIIS Manager co
onsole on the AD
A RMS serverr.
2.. Navigate too the Sites\De de, right-click tthe Licensing virtual directo
efault Web Sitte\_wmcs nod ory, and
then click Switch
S to Con
ntent View.
3.. Right-click license.asmx,, and then click Switch to C ontent View.
Co
onsideratio
ons for Imp
plementing Externall User Acce
ess to AD RMS
The type of extern
nal access thatt you configure
e
dep
pends on the tyypes of external users that need
acce
ess to your org
ganization's co
ontent.
Wheen you are dettermining whicch method to use,
consider the following question
ns:
As one of the senior network administrators at A. Datum, you need to plan and implement an AD RMS
solution that will provide the level of protection requested by the security team. The AD RMS solution
must provide many different options that can be adapted for a wide variety of business and security
requirements.
Objectives
Install and configure AD RMS.
Lab Setup
Estimated Time: 60 minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-MUN-DC1
20412A-MUN-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
Password: Pa$$w0rd
1. Configure Domain Name System (DNS) and the Active Directory Rights Management Services
(AD RMS) service account.
Task 1: Configure Domain Name System (DNS) and the Active Directory Rights
Management Services (AD RMS) service account
1. Log on to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Use Active Directory Administrative Center to create an OU named Service Accounts in the
adatum.com domain.
3. Create a new user account in the Service Accounts OU with the following properties:
o Password: Pa$$w0rd
4. Create a new Global security group in the Users container named ADRMS_SuperUsers. Set the email
address of this group as ADRMS_SuperUsers@adatum.com.
5. Create a new global security group in the Users container named Executives. Set the email address of
this group as executives@adatum.com.
6. Add the user accounts Aidan Delaney and Bill Malone to the Executives group.
7. Use the DNS Manager console to create a host (A) resource record in the adatum.com zone with the
following properties:
o Name: adrms
o IP Address: 172.16.0.21
2. Use the Add Roles and Features Wizard to add the Active Directory Rights Management Services role
to LON-SVR1 using the following option:
3. From the AD RMS node in Server Manager, click More to start post deployment configuration of
AD RMS.
o Port: 80
Note: You must sign out before you can manage AD RMS. This lab uses port 80 for convenience. In
production environments, you would protect AD RMS using an encrypted connection.
Results: After completing this exercise, you should have installed and configured AD RMS.
o Name: ReadOnly
o Require a new use license every time content is consumed (disable client-side caching)
Cmd.exe
mkdir c:\rmstemplates
net share RMSTEMPLATES=C:\rmstemplates /GRANT:ADATUM\ADRMSSVC,FULL
mkdir c:\docshare
net share docshare=c:\docshare /GRANT:Everyone,FULL
2. In the Active Directory Rights Management Services console, set the Rights Policy Templates file
location to \\LON-SVR1\RMSTEMPLATES.
3. In Windows Explorer, view the c:\rmstemplates folder. Verify that the ReadOnly.xml template is
present.
Results: After completing this exercise, you should have configured AD RMS templates.
3. Import the Trusted User Domain policy from the partner domain.
4. Import the Trusted Publishing Domains policy from the partner domain.
Cmd.exe
mkdir c:\export
net share export=c:\export /GRANT:Everyone,FULL
2. Use the Active Directory Rights Management Services console to export the Trusted User Domains
policy to the \\LON-SVR1\export share as ADATUM-TUD.bin.
3. Switch to MUN-DC1.
4. Use the Active Directory Rights Management Services console to export the Trusted Publishing
Domains policy to the \\LON-SVR1\export share as TREYRESEARCH-TPD.xml. Protect this file
using the password Pa$$w0rd.
Task 3: Import the Trusted User Domain policy from the partner domain
1. Switch to LON-SVR1.
2. Import the Trusted User Domain policy for Treyresearch by importing the file
\\LON-SVR1\export\treyresearch-tud.bin. Use the display name TreyResearch.
3. Switch to MUN-DC1.
4. Import the Trusted User Domain policy for Trey Research by importing the file
\\LON-SVR1\export\adatum-tud.bin. Use the display name Adatum.
Task 4: Import the Trusted Publishing Domains policy from the partner domain
1. Switch to LON-SVR1.
2. Import the Trey Research Trusted Publishing Domain by importing the file
\\LON-SVR1\export\treyresearch-tpd.xml using the password Pa$$w0rd and the display name
Trey Research.
3. Switch to MUN-SVR1.
o license.asmx
o ServiceLocator.asmx
Results: After completing this exercise, you should have implemented the AD RMS trust policies.
3. When prompted, provide the credentials, Adatum\Bill with the password of Pa$$w0rd.
3. Verify that Carol does not have permission to open the document.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 11-29
Task 4: Open and edit the rights-protected document as an authorized user at Trey
Research.
1. Log on to LON-CL1 with the Adatum\Aidan account using the password Pa$$w0rd.
o Username: April
o Password: Pa$$w0rd
10. Verify that you can open the document, but that you cannot make modifications to this document.
11. View the permissions that the april@treyresearch.com account has for the document.
Results: After completing this exercise, you should have verified that the AD RMS deployment is
successful.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
Lab Review
Question: What steps can you take to ensure that Information Rights Management can be used
with the AD RMS role?
MCT USE ONLY. STUDENT USE PROHIBITED
11-30 Implementing Active Directory Rights Management Services
Question: You need to provide access to AD RMSprotected content to five users who are
unaffiliated contractors, and are not members of your organization. Which method should you
use to provide this access?
Question: You want to block users from protecting Office PowerPoint content using AD RMS
templates. What steps should you take to accomplish this goal?
Best Practice
Prior to deploying AD RMS, you must analyze your organizations business requirements and create the
necessary templates. You should meet with users to inform them of AD RMS functionality and also ask for
feedback on the types of templates that they would like to have available.
Strictly control membership of the Super Users group. Users in this group can access all protected content.
Granting a user membership of this group gives them complete access to all AD RMS protected content.
MCT USE ONLY. STUDENT USE PROHIBITED
12-1
Module 12
Implementing Active Directory Federation Services
Contents:
Module Overview 12-1
Module Overview
Active Directory Federation Services (AD FS) in Windows Server 2012 provides flexibility for organizations
who want to enable their users to log on to applications that may be located on the local network, at a
partner company, or in an online service. With AD FS, an organization can manage its own user accounts,
and users only have to remember one set of credentials. However those credentials can be used to
provide access to a variety of applications, which can be located in a variety of places.
This module provides an overview of AD FS, and then details how to configure AD FS in both a single
organization scenario and in a partner organization scenario.
Objectives
After completing this module, you will be able to:
Describe AD FS.
Lesson 1
Overviiew of AD
A FS
AD FS is the Microosoft implemeentation of an identity federaation framewoork that enablees organizationns to
esta
ablish federatio
on trusts and share
s resource
es across organnizational and Active Directoory Domain Se ervices
(AD
D DS) boundaries. AD FS is co ompliant with common web services stand dards, so as to enable
inte
eroperability with
w identity fed deration solutiions provided by other venddors.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe Iden
ntity Federation.
Describe claim
ms-based iden
ntity.
Describe web
b services.
Describe AD FS.
Explain how AD
A FS enables single sign-on
n (SSO) within a single organ
nization.
A FS enables SSO between business part ners.
Explain how AD
Wh
hat Is Iden
ntity Federration?
Iden
ntity federation enables the distribution off
ntification, authentication, an
iden nd authorization
acro
oss organizatio onal and platfoorm boundarie es.
Youu can implement identity fed deration within
na
sing
gle organizatioon to enable acccess to diversse
webb applications, or between tw wo organizatioons
thatt have a relatio
onship of trustt between themm.
To establish
e an identity federatiion partnership
p,
both partners agrree to create a federated trust
relationship. This federated trusst is based on an
a
onggoing business relationship, and
a enables th he
orgaanizations to implement bussiness processe es
iden
ntified in the business
b relatio
onship.
As a part of the fe
ederated trust, each partner defines what rresources are aaccessible to tthe other
anization, and how access to
orga o the resources is enabled. FFor example, to
o update a sale es forecast, a ssales
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 12-3
re
epresentative may
m need to collect information from a su upplier's databbase that is hossted on the supplier's
ne
etwork. The addministrator off the domain for
f the sales reepresentative is responsible ffor ensuring th hat the
ap
ppropriate sale
es representatives are memb bers of the grooup requiring aaccess to the ssuppliers database.
Th
he administrattor of the orga o ensure that the
anization wherre the databasee is located is responsible to
pa
artners emplo
oyees only havve access to thee data they reqquire.
In ederation soluttion, user identities and thei r associated crredentials are stored, owned
n an identity fe d, and
managed
m by thee organization
n where the usser is located. A As part of the identity federaation trust, eacch
orrganization alsso defines how
w the user iden o restrict access to resources.. Each
ntities are sharred securely to
pa artner must de
efine the servicces that it makkes available too trusted partnners and custoomers, and which
otther organizattions and userss it trusts. Each
h partner mustt also define w what types of credentials and d
re
equests it accepts, and its priivacy policies to
t ensure that private inform mation is not aaccessible acrooss the
trrust.
What
W Is Cla
aims-Based
d Identity??
Claims-based authentication is designed to
ad
ddress issues by
b extending tyypical authenttication
an
nd authorizatio on mechanism ms outside the
booundaries thatt are associated with that
mechanism.
m Forr example, in most
m organizattions,
when
w users log on to the netwwork, they are
au
uthenticated byb an AD DS domain controller. A
usser who providdes the right credentials to the
t
doomain controller is granted a security tokeen.
Applications tha at are running on servers in the
sa
ame AD DS environment trust the securityy tokens
th
hat are provideed by the AD DSD domain
co
ontrollers, because the serve ers can commu unicate with th
he same doma in controllers where the use
ers are
au
uthenticated.
Claims-based authentication provides a me echanism for seeparating userr authenticatio on and authoriization
from individual applications. With
W claims-ba ased authenticcation, users caan authenticatte to a directo
ory
se
ervice that is lo
ocated within their
t organizattion, and be g ranted a claimm based on thaat authentication. The
claim can then be presented to t an applicatiion that is run ning in a diffeerent organizattion. The appliication
is designed to enable
e ormation or feeatures, based on the claims presented. All
user acccess to the info
coommunication n also occurs over HTTPS.
MCT USE ONLY. STUDENT USE PROHIBITED
12-4 Implemennting Active Directoryy Federation Servicess
We
eb Services Overview
w
For claims-based authentication n to work,
orgaanizations havve to agree on the format for
exchhanging claims. Rather than have each business
defiine this formatt, a set of specifications broa
adly
ntified as web services has be
iden een developed d. Any
orgaanization interrested in impleementing a
erated identityy solution can use this set of
fede
speccifications.
To enhance
e intero eb services are defined by a sset of industryy standards. W
operability, we Web services are
e
base
ed on the follo
owing standard ds:
Most web serrvices use XMLL to transmit data through H HTTP(S). With X
XML, develope ers can create ttheir
own customizzed tags, there
eby facilitating
g the definition
n, transmission
n, validation, and interpretattion of
data between
n applications and between organizations.
o .
Web services expose usefull functionality to web users tthrough a stan ndard web pro otocol. In mostt
cases, the prootocol used is SOAP,
S which iss the commun
nications proto ocol for XML w web services. SO
OAP
is a specification that definees the XML forrmat for messaages, and esseentially describ
bes what a validd
XML docume ent looks like.
Web services provide a wayy to describe their interfacess in enough deetail to enable a user to build
da
client application to communicate with thhe service. Thi s description is usually provided in an XML
document called a WSDL document. In other
o words, a WSDL file is an n XML document that descrribes a
set of SOAP messages,
m and how the messsages are exch hanged.
WS
S-* Security Specificatio
ons
There are many co omponents inccluded in web b services speciifications (also
o known as W
WS-* specifications).
How
wever, the mosst relevant spe ecifications for an AD FS envvironment are tthe WS-Securiity specificatioons.
The specificationss that are part of the WS-Seccurity specificaations include the following:
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 12-5
WS-Trust: WS-Trust
W nes extensions that build on WS-Security t o request and issue security tokens
defin
and to mannage trust relattionships.
WS-Federation: WS-Fede eration definess mechanisms tthat WS-Securrity can use to enable attribu
ute-
based identtity, authentica
ation, and authorization fed eration acrosss different trust realms.
WS-Federation Passive Re equestor Profile: This WS-Seecurity extensio on describes hhow passive clients
such as webb browsers cann be authenticcated and auth horized, and ho ow the clients can submit claaims in
a federation scenario. Passsive requestors of this profi le are limited to the HTTP oor HTTPS protoocol.
Security Asse
ertion Mark
kup Languag
ge
Thhe Security Asssertion Markup Language (S SAML) is an XM ML-based standard for exchaanging claims
beetween an identity provider and a service or application n provider. SAM ML assumes th hat a user has b
been
au
uthenticated byb an identity provider,
p and that
t the identiity provider haas populated tthe appropriate claim
in
nformation in the
t security token. When the e user is autheenticated, the IIdentity Provid
der passes a SA
AML
asssertion to the
e service provid
der. On the basis of this asseertion, the servvice provider can make
au
uthorization an nd personalizaation decisionss within an app plication. The communicatio on between fed deration
se
ervers is based around an XM ML document that stores thee X.509 certificcate for token--signing, and tthe
SA
AML 1.1 or 2.0 0 token.
What
W Is AD
D FS?
(A
AD FS is the Microsoft implemmentation of ana
id
dentity federation solution th
hat uses claimss-based
au
uthentication. AD FS provide es the mechan nisms to
im
mplement both h the identity provider
p and the
t
se
ervice providerr components in an identity
ederation deployment.
fe
Enterprise claims
c provideer for claims-ba
ased
applications: You can con nfigure an AD FS
server as a claims provideer, which mean ns that
it can issue claims about authenticated users.
This enablees an organizattion to providee its
users with access
a to claim
ms-aware appliications in ano
other organizattion by using SSO.
Note: The
e Windows Serrver 2012 verrsion of AD FS is built on AD D FS version 2.0
0, which is
th
he second generation of AD FS released byy Microsoft. Th
he first version
n, AD FS 1.0, re
equired
MCT USE ONLY. STUDENT USE PROHIBITED
12-6 Implementing Active Directory Federation Services
AD FS web agents to be installed on all web servers that were using AD FS, and provided both
claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or
SAML.
AD FS Features
The following are some of the key features of AD FS:
Web SSO: Many organizations have deployed AD DS. After authenticating to AD DS through
Integrated Windows authentication, users can access all other resources that they have permission to
access within the AD DS forest boundaries. AD FS extends this capability to intranet or Internet-facing
applications, enabling customers, partners, and suppliers to have a similar, streamlined user
experience when they access an organizations web-based applications.
Web services interoperability: AD FS is compatible with the web services specifications. AD FS employs
the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for
environments that do not use the Windows identity model to federate with Windows environments.
Passive and smart client support: Because AD FS is based on the WS-* architecture, it supports
federated communications between any WSenabled endpoints, including communications between
servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for
SOAPbased smart clients, such as servers, mobile phones, personal digital assistants (PDAs), and
desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and WS-
Federation Active Requestor Profile standards for client support.
Extensible architecture: AD FS provides an extensible architecture that supports various security token
types, including SAML and Kerberos authentication, and the ability to perform custom claims
transformations. For example, AD FS can convert from one token type to another, or add custom
business logic as a variable in an access request. Organizations can use this extensibility to modify
AD FS to coexist with their current security infrastructure and business policies.
Additional Reading: For information on the different identity federation products that can
interoperate with AD FS, and for stepby-step guides on how to configure the products, see the
AD FS 2.0 Step-by-Step and How To Guides, located at http://technet.microsoft.com/en-
us/library/adfs2-step-by-step-guides%28v=ws.10%29.aspx.
Integration with the Windows Server 2012 operating system. In Windows Server 2012, AD FS is
included as a server role that you can install using Server Manager. When you install the server role,
all required operating system components are installed automatically.
Integration with Dynamic Access Control (DAC). When you deploy DAC, you can configure user and
device claims that are issued by AD DS domain controllers. AD FS can consume the AD DS claims that
the domain controllers issue. This means that AD FS can make authorization decisions based on both
user accounts and computer accounts.
Windows PowerShell cmdlets for administering AD FS. Windows Server 2012 provides several new
cmdlets that you can use to install and configure the AD FS server role.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuringg Advanced Windowss Server 2012 Serviices 12-7
How
H AD FS
S Enables SSO
S in a Single Orgaanization
Fo
or many organ nizations, configuring accesss to
ap
pplications andd services mayy not require an
AD FS deployment. If all userss are memberss of the
sa
ame AD DS forrest, and if all applications
a arre
ru
unning on servvers that are members
m of the
e same
fo
orest, you can usually just use AD DS
au
uthentication to
t provide acccess to the
ap
pplication. Howwever, there are several scennarios
where
w you can use AD FS to optimize
o the user
exxperience by enabling
e SSO:
The applica
ations may nott be running on
o
Windows se ervers or on an
ny servers thatt
support ADD DS authentication, or on Windows
W Serve r servers that aare not domainjoined. The
applications may require SAML or web services for au
uthentication and authorization.
Note: Imp plementing AD D FS does not necessarily meean that users are not prompted for
au
uthentication when
w they acccess applications. Depending g on the scenaario, users mayy be
prompted for th heir credentials. However, ussers always autthenticate usinng their intern
nal credentials
in
n the trusted acccount domain, and they ne ever need to reemember alterrnate credentiaals for the
ap
pplication. In addition,
a the in
nternal credenntials are neverr presented to the applicatio
on or to the
paartner AD FS server.
s
Organizations
O can
c use AD FS to enable SSO O in these scen arios. Becausee all users and the applicatio
on are in
th
he same AD DS S forest, the orrganization on nly has to depl oy a single fed
deration server. This server ccan
opperate as the claims
c provide er so that it autthenticates useer requests an d issues the claims. The sam
me server
is also the relyin
ng party, or the consumer off the claims to o provide autho orization for application acccess.
Note: The e slide and thee following desscription use t he terms fede ration server aand
fe
ederation service proxy to de escribe AD FS server roles. Th he federation sserver is respo
onsible for
issuing claims, and
a in this scen nario, is also re
esponsible for consuming thhe claims. The Federation
Seervice Proxy is a proxy comp ponent that is recommended
r d for deploymeents where use ers outside
th
he network nee he AD FS envirronment. Thesse componentss are covered in more
ed access to th
deetail in the nexxt lesson.
Th
he following stteps describe the
t communiccation flow in tthis scenario.
4. The Federatio
on Service Proxxy passes on th d the credentials to the fede
he request and eration server.
5. The federatio
on server uses AD
A DS to auth
henticate the u
user.
6. If authenticattion is successfful, the federattion server col lects AD DS in
nformation abo
out the user, w
which
is then used to
t generate the users claimss.
Ho
ow AD FS Enables
E SS
SO in a Bussiness-to-B
Business Fe
ederation
Onee of the most common
c scena
arios for deplo
oying
AD FS is to providde SSO in a business-to-business
(B2B
B) federation. In the scenarioo, the organizaation
thatt requires acce
ess to another organizationss
app
plication or servvice can mana age their own user
acco
ounts and defiine their own authentication
a n
mecchanisms. The other organization can define
whaat applications and services are
a exposed to o
userrs outside the organization, and what claim ms it
acceepts to providee access to the
e application. To
T
enable applicationn or service sharing in this
scen
nario, the orgaanizations havee to establish a
fede a then define the rules forr exchange cla ims between tthe two organizations.
eration trust, and
7.. The AD DS domain contrroller authenticcates the user,, and sends thee success messsage back to the
federation server, along with
w other info
ormation abou ut the user thatt can be used to generate thhe users
claims.
8.. The federattion server creates the claim for the user b
based on the ru ules defined fo
or the federation
partner. The claims data is
i placed in a digitally-signe
d d security tokeen, and then sent to the clie
ent
computer, which
w posts it back to A. Dattum Corporatiions federatioon server.
11
1. The applicaation on the web server rece eives the requeest and validat es the signed tokens. The web
server issue
es the client a session
s e indicating thaat it has been successfully au
cookie uthenticated, aand a
file-based persistent
p cook kie is issued byy the federatio
on server (good d for 30 days b
by default) to
eliminate th
he home realm m discovery ste ep during the cookie lifetimee. The server then provides aaccess
to the application, based on the claims provided by tthe user.
How
H AD FS
S Enables SSO
S with Online
O Servvices
As organization ns move service es and applica
ations to
cloud-based serrvices, it is incrreasingly impo
ortant
th
hat these organizations have e some way to
simplify the autthentication an nd authorizatio
on
exxperience for their
t users as they
t consume the
cloud-based serrvices. Cloud-b based services add
an
nother level off complexity to o the IT enviro
onment,
ass they are located outside th he direct
ad
dministrative control
c of the IT administrato ors, and
may
m be running g on many diffferent platform ms.
th
hose domain credentials.
AD FS can also provide SSO to o non-Microsooft cloud prov iders. Becausee AD FS is base
ed on open staandards,
it can interoperate with any compliant claim
ms-based systeem.
The following steps describe what happens when a user tries to access their online mailbox using a web
browser:
1. The user opens a web browser and sends an HTTPS request to the Exchange Online Microsoft
Outlook Web App server.
2. The Outlook Web App server receives the request and verifies whether the user is part of a hybrid
Exchange Server deployment. If this is the case, the server redirects the client computer to the
Microsoft Online Services federation server.
3. The client computer sends an HTTPS request to the Microsoft Online Services federation server.
5. The client computer sends an HTTPS request to the on-premises federation server.
6. If the client computer is already logged on to the domain, the on-premises federation server can take
the users Kerberos ticket and request authentication from AD DS on the users behalf, using
Integrated Windows authentication. If the user is logging on from outside the network or from a
computer that is not a member of the internal domain, the user is prompted for credentials.
7. The AD DS domain controller authenticates the user, and sends the success message back to the
federation server, along with other information about the user that the federation server can use to
generate the users claims.
8. The federation server creates the claim for the user based on the rules defined during the AD FS
server setup. The claims data is placed in a digitally-signed security token, and then sent to the client
computer, which posts it back to the Microsoft Online Services federation server.
9. The Microsoft Online Services federation server validates that the security token came from a trusted
federation partner. This trust is configured when you configure the hybrid Exchange Server
environment.
10. The Microsoft Online Services federation server creates and signs a new token, which it sends to the
client computer, which then sends the token back to the Outlook Web App server.
11. The Outlook Web App server receives the request and validates the signed tokens. The server issues
the client a session cookie indicating that it has authenticated successfully. The user is then granted
access to their Exchange Server mailbox.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 12-11
Lesson
n2
Deplo
oying AD
A FS
After you underrstand how AD D FS works, the e next step is d
deploying the service. Beforee deploying AD FS,
yo
ou must underrstand the com mponents that you will need to deploy, an nd the prerequ uisites that you
u must
meet,
m particularrly in regard to
o certificates. This
T lesson pro ovides an overvview of deployying the AD FSS server
ro
ole in Windows Server 2012.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe th
he AD FS federration server ro
oles.
Install the AD
A FS server ro
ole.
AD
A FS Com
mponents
AD FS is installe
ed as a server role
r in Window
ws
Se
erver 2012. Ho owever, there are
a many diffeerent
co
omponents tha a configure in an
at you install and
AD FS deployment.
Th
he following ta A FS components.
able lists the AD
Component
C Wha
at does it do?
Federation se
erver Thee federation seerver issues, m anages, and vvalidates reque
ests involving
identity claims. All
A implementaations of AD FSS require at leaast one Federaation
Serrvice for each participating
p fo
orest.
Federation se
erver Thee federation se
erver proxy is aan optional co
omponent thatt you usually d deploy
proxy in a perimeter neetwork. It doess not add any ffunctionality to
o the AD FS
depployment, but is deployed ju ust to provide a layer of secu
urity for conne
ections
from the Internett to the federaation server.
Claims A claim
c is a statement that is m
made by a trustted entity abo out an object such as
a user. The claim could includee the users namme, job title, o
or any other factor
tha
at might be use ed in an autheentication scen
nario. With Win ndows Server 2012,
the
e object can alsso be a devicee used in a DAC C deploymentt.
Claim rules Claim rules deterrmine how claiims are processsed by the fed deration servers. For
exaample, a claim rule may statee that an emaiil address is acccepted as a vaalid
claiim, or that a group name fro om one organization is transslated into an
appplication-speciific role in the other organizzation. The rule
es are usually
MCT USE ONLY. STUDENT USE PROHIBITED
12-12 Implementing Active Directoory Federation Services
Co
omponent What does it do?
proce
essed in real time as claims aare made.
Re
elying parties The relying party iss where the ap
pplication is loccated, and it enables the seccond
side of
o the AD FS authentication and authorizaation process. T The relying paarty
is a web
w service tha at consumes cllaims from thee claims provid der. The relying
g
partyy server must have
h the Micro
osoft Windowss Identity Foun ndation installe
ed,
or usee the AD FS 1.0 claims-awarre agent.
Claims providerr Confiiguration data that defines rrules under wh hich a client may request claims
trrust from a claims proviider and subseequently subm mit them to a re
elying party. T
The
trust consists of varrious identifierrs such as nam
mes, groups andd various ruless.
Re
elying party trust The AD
A FS configurration data thaat is used to prrovide claims aabout a user o or
clientt to a relying party.
p It consistts of various id
dentifiers, such
h as names,
group ps, and variouss rules.
En
ndpoints Endpoints are mech hanisms that eenable access tto the AD FS technologies
ding token issu
includ uance and meetadata publish hing. AD FS co
omes with builtt-in
endpoints that are responsible fo
or a specific functionality.
AD
D FS Prereq
quisites
Befo
ore deploying AD FS, you must ensure tha at
your internal netwwork meets som me basic
prerrequisites. The
e configuration n of the following
netw
work services isi critical for a successful AD FS
dep
ployment:
o The clien
nt computer must be able to
communicate with the web application,
the resou
urce federationn server or
federatio
on server proxyy, and the acco
ount
federatio
on server or fed
deration proxyy
using HTTTPS.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 12-13
o The federation server proxies must be able to communicate with the federation servers in the
same organization using HTTPS
o Federation servers and internal client computers must be able to communicate with domain
controllers for authentication.
AD DS: AD DS is a critical piece of AD FS. Domain controllers should be running Windows Server 2003
Service Pack 1 (SP1) as a minimum. Federation servers must be joined to an AD DS domain. The
Federation Service proxy does not have to be domain-joined. Although you can install AD FS on a
domain controller, it is not recommended due to security implications.
Attribute stores: AD FS uses an attribute store to build claim information. The attribute store contains
information about users, which is extracted from the store by the AD FS server after the user has been
authenticated. AD FS supports the following attribute stores:
o Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows
Server 2008 R2, and Windows Server 2012
Note: AD DS can be used both as the authentication provider and as an attribute store.
AD FS can also use AD LDS as an attribute store. In AD FS 1.x, AD LDS can be used as an
authentication store, but in the current version of AD FS, AD LDS can only be used as an attribute
store.
DNS: Name resolution allows clients to find federation servers. The client computers must resolve the
DNS names for all federation servers to which they connect, and the web applications that the client
computer is trying to use. If the client computer is external to the network, the client computer must
resolve the DNS name for the Federation Service Proxy, not the internal federation server. The
Federation Service Proxy must resolve the name of the internal federation server. If internal users
have to access the internal federation server directly, and external users have to connect through the
federation server proxy, you will need to configure different DNS records in the internal and external
DNS zones.
Operating system prerequisites: You can only deploy the Windows Server 2012 version of AD FS as a
server role on a Windows Server 2012 server.
MCT USE ONLY. STUDENT USE PROHIBITED
12-14 Implementing Active Directoory Federation Services
PK
KI and Certtificate Req
quirementts
AD FS is designed d to enable com mputers to
com
mmunicate securely, even tho ough they mayy be
locaated in differen n this scenario, most
nt locations. In
of the communica ations between n computers passes
p
thro
ough the Internet. To provide security for the t
netwwork traffic, all communicatiions are proteccted
usin
ng Secure Sock kets Layer (SSLL). This factor means
m
thatt it is importan
nt to correctly choose and asssign
SSL certificates to the AD FS serrvers. To provid de
SSL security, AD FSF servers use certificates
c as
servvice communiccation certifica ates, token-signing
certtificates, and to
oken-decryptin ng certificates.
Serrvice Comm
munication Certificates
C
You
u use a service communicatio on certificate to
t secure SSL ccommunications to the webssites running o on the
AD FS server. Thiss certificate is bound
b to the default
d websitee on the AD FSS server. You ccan choose wh hich
certtificate to use when
w you configure the AD FS server role on the server,, and can chan nge the assigned
eployment by using the AD FS console. Th
certtificate after de his certificate iss also called a server
authhentication certificate.
Tok
ken-Signing
g Certificate
es
The token-signing g certificate is used to sign every
e token thaat a federation n server issues.. This certificatte is
critical in an AD FS deploymentt because the token t signaturre indicates wh hich federation n server issued d the
tokeen. This certificcate is used byy the claims prrovider to iden
ntify itself, and it is used by tthe relying parrty to
verify that the tokken is coming from a trusted d federation paartner.
The relying party also requires a token-signing certificate too sign the tokeens that it prep
pares for other
AD FS components, such as web b applications and clients. Th
hese tokens mmust be signed by the relying g
parttys token-sign
ning certificate ed by the desttination applications.
e to be validate
Tok
ken-Decryp
pting Certificcates
Tokken-decrypting g certificates arre used to encrypt the entiree user token before transmittting the token n
acrooss the networrk. To provide this functionality, the publicc key from the relying party federation serrver
certtificate must be provided to the claims pro ovider federatiion server. Thee certificate is ssent without the
privvate key. The claims providerr server uses th he public key ffrom the certifficate to encryypt the user tokken.
Whe en the token is returned to the
t relying parrty federation server, it uses the private ke ey from the
certtificate to decrrypt the token.. This providess an extra layerr of security w
when transmittiing the certificcates
acrooss the Interneet.
se
erver proxy do oes not issue an
ny tokens, it does not need tthe other two types of certifficates. Web
se
ervers that are deployed as part
p of an AD FS F deploymen be configured with SSL
nt should also b
se
erver certificate
es to enable se
ecure commun nications with client computters.
Choosing
C a Certification
C n Authority
AD FS federatio
on servers can use self-signed d certificates, ccertificates fro
om an internal,, private Certiffication
Authority (CA), or certificates that have bee
en purchased ffrom an extern nal, public CA.
In
n most AD FS deployments,
d the
t most impo when choosing the certificate
ortant factor w es is that the
ce
ertificates be trusted by all parties
p d. This means that if you aree configuring aan AD FS deplo
involved oyment
th w other organizations, you are almost ceertainly going tto use a publicc CA for the SSSL
hat interacts with
ce
ertificate on fe
ederation serveer proxy, becauuse the certificcates issued byy the public CA
A are trusted bby all
paartners automatically.
If you are deplooying AD FS just for your org ganization, and d all servers an
nd client compputers are under your
coontrol, conside
er using a certiificate from an n internal, privaate CA. If you deploy an inteernal Enterprisse CA on
Windows
W Server 2012, you can use Group PolicyP to ensurre that all com puters in the o
organization
auutomatically trrust the certificcates issued byy the internal C
CA. Using an i nternal CA can n significantly
deecrease the coost of the certifficates.
Note: Deploying an inte ernal CA using g Active Directtory Certificatee Services (AD CS) is a
sttraightforward process, but it is critical that the deploym
ment be planneed and implem mented
caarefully.
Federation Server Ro
oles
When
W you insta
all the AD FS server
s role, you
u can
co
onfigure the seerver as either a federation server
s
erver proxy. Affter installing the
orr federation se
fe
ederation serveer role, you can configure th he
erver as either a Claims Provider, a Relying
se g Party,
orr both. These server
s function
ns are as followws:
Note: A single AD FS server can operate as both a claims provider and a relying party, even
with the same partner organizations. The AD FS server functions as a claims provider when it is
authenticating users and providing tokens for another organization, but it can also accept tokens
from the same or another organization in a relying party role.
Federation Server Proxy: A federation server proxy provides an extra level of security for AD FS traffic
that is coming from the Internet to the internal AD FS federation servers. Federation server proxies
can be deployed in both the claims provider and relying party organizations. On the claims provider
side, the proxy collects the authentication information from client computers and passes it to the
claims provider federation server for processing. The federation server issues a security token to the
proxy, which sends it to the relying party proxy. The relying party federation server proxy accepts
these tokens, and then passes them on to the internal federation server. The relying party federation
server then issues a security token for the web application, and then sends the token to the federation
server proxy, which then forwards the token to the client. The federation server proxy does not
provide any tokens or create claims; it only forwards requests from clients to internal AD FS servers.
All communication between the federation server proxy and the federation server uses HTTPS.
Demonstration Steps
Lesson
n3
Imple
ementin
ng AD FS
F for a Single O
Organizzation
Thhe simplest de
eployment scen nario for AD FS is within a si ngle organization. In this scenario, a single AD FS
erver can operate both as the claims provider and as thee relying partyy. All users in th
se his scenario are
in
nternal to the organization,
o as
a is the appliccation that thee users are acceessing.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe AD
D FS claims.
Describe AD
D FS claim rule
es.
Configure claims
c provide
er and relying party
p trusts.
What
W Are AD
A FS Claim
ms?
AD FS claims prrovide the link between the claims
c
provider and re elying party rolles in an AD FSS
de eployment. An n AD FS claim is a statement made
abbout a particular subject (succh as a user) by
b a
trrusted entity (ssuch as a claim
ms provider). Thhe
claims provider creates the cla aims and the relying
r
pa arty consumess the claims. AD FS claims prrovide a
sttandards-based d and flexible way for claimss
provider organiizations to pro ovide specific
in
nformation abo out users in their organizatio
ons, and
a way for relying parties to de efine exactly what
w
in
nformation the ey require to provide applica ation
acccess. The claimm information n provides the details requireed by applicatiions to enable
e access to claims-
awware applicatio ons.
Claim
C Types
ach AD FS claim has a claim type, such as email
Ea e address,, UPN, or last n name. Users caan be issued claims
ased on any defined claim tyype. Therefore
ba e, a user mightt be issued a c laim with a typpe of Last Namme and
a value of, for example,
e Webe
er. AD FS proviides several bu
uilt-in claim tyypes. Optionallly, you can cre
eate new
on
nes based on thet organizatio
on requiremen nts.
Note: In AD
A FS 1.0, you could configu
ure claims as id
dentity claims,, group claims, or custom
claims. These claim types do not
n apply to AD
A FS 2.0 or latter. Essentially,, all claims are
e now
co
onsidered custtom claims.
provider organization and the relying party organization decide to use a claim type of AccountNumber,
both organizations must configure a claim type with this name. The claim type is published and the claim
type URI must be identical on both AD FS servers.
The claim can be retrieved from an attribute store. Frequently, the information required for the claim
is already stored in an attribute store that is available to the federation server. For example, an
organization might decide that the claim should include the users UPN, email address, and specific
group memberships. This information is already stored in AD DS, so the federation server can just
retrieve this information from AD DS when creating the claim. Because AD FS can use AD DS, AD LDS,
SQL Server, a non-Microsoft Lightweight Directory Access Protocol (LDAP) directory, or a custom
attribute store to populate claims, you can define almost any value within the claim.
The claim can be calculated based on collected information. Claims provider federation servers can
also calculate information based on information that is gathered from an attribute store. For example,
you may want to provide information about a persons salary within a claim. This information is likely
stored in a Human Resources database, but the actual value may be considered confidential. You can
define a claim that categorizes salaries within an organization, and then have the AD FS server
calculate to which category a specific user belongs. In this way, the claim only includes the salary
category information, not the actual user salary.
The claim can be transformed from one value to another. In some cases, the information that is
stored in an attribute store does not exactly match the information required by the application when
making authorization information. For example, the application may have different user roles defined
that do not directly match the attributes that are stored in any attribute store. However, the
application role may correlate to AD DS group membership. For example, users in the Sales group
may correlate to one application role, while users in the Sales Management group may correlate to a
different application role. To establish the correlation in AD FS, you can configure a claims
transformation that takes the value provided by the claims provider and translates the value into to a
claim that is useful to the application in the relying party.
If you have deployed DAC, a DAC device claim can be transformed into an AD FS claim. This can be
used to ensure that users can access AD FS Web site only from trusted workstations that have been
issued a valid device claim.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 12-19
What
W Are AD
A FS Claim
m Rules?
Claim rules define how claimss are sent and
co
onsumed by AD A FS servers. Claim
C rules deffine the
buusiness logic that is applied to claims that are
provided by claims providers,, and to claimss that
arre accepted byy the relying parties. You cann use
claim rules to:
Claim rules on an
a AD FS claimms provider aree all considere d acceptance transform rule es. These rules
de
etermine whatt claim types are
a accepted frrom the claimss provider, and d then sent to a relying partyy trust.
When
W configuring AD FS withhin a single org
ganization, theere is a defaultt claims provid
der trust that iss
co
onfigured with
h the local AD DS domain. Th his rule set deffines the claim
ms that are acceepted from AD D DS.
Issuance Auuthorization Ru ules: These rules define whicch users are peermitted or de enied access to o the
relying partty defined in the relying party trust. This ru
ule set can incclude rules that explicitly perrmit
access to a relying party, and/or rules that explicitly ddeny access too a relying partty.
Delegation Authorization n Rules: These rules define thhe claims that specify which users can act on
behalf of otther users whe he relying partty. This rule set can include rrules that explicitly
en accessing th
permit deleegates for a relying party, or rules that exp
plicitly deny deelegates to a re
elying party.
Note: A single claim rulle can only be associated witth a single fed
derated trust re
elationship.
Th
his means thatt you cannot create
c a set of rules for one ttrust and then re-use those rrules for
otther trusts that you configurre on your federation server..
Wh
hat Is a Cla
aims Provider Trust??
A claims provider trust is configgured on the reelying
partty federation server.
s The claiims provider trrust
idenntifies the claim
ms provider, and describes how
h
the relying party consumes
c the claims that the
claim
ms provider issues. You musst configure a
ms provider trust for each claims provider.
claim
By default,
d an AD FS server is coonfigured with ha
ms provider trust named Acttive Directory. This
claim
trusst defines the claim
c rules, wh
hich are all
acceeptance transfform rules thatt define how th he
AD FS server acce epts AD DS cre edentials. For
exam mple, the defaault claim ruless on the claimss
provvider trust incllude rules thatt pass through the user nam es, security ideentifiers (SIDs)) and group SIDs to
the relying party. In a single orgganization AD FS deploymen nt, where AD D DS authenticattes all users, th
he
defaault claims proovider trust maay be the only required claim
ms provider tru ust.
What
W Is a Relying
R Parrty Trust?
A relying party trust is defined
d on the claim
ms
provider federation server. Th he relying partyy trust
id
dentifies the re
elying party, an
nd also definess the
claims rules that define how the
t relying parrty
acccepts and proocesses claims from the claimms
provider.
n a single organization scena
In ario, the relying
g party
trrust defines ho
ow the AD FS server interactss with
th
he applicationss deployed witthin the appliccation.
When
W you configure the relying party trust in a
single organizattion, you provide the URL fo or the
in
nternal application, and conffigure settings such as
whether
w ports SAML 2.0 or whether it requires AD FFS 1.0 tokens, tthe SSL certificcate and
the application supp
URL used by the e web server, and
a the issuan nce authorizati on rules for th
he application.
Import data a about the relying party thrrough the fedeeration metadata. If the AD FS federation server
or federatioon proxy serveer is accessible through the nnetwork from yyour AD FS fed deration serve
er, you
can enter th he host name or URL for the e partner federration server. Y
Your AD FS fedderation serve
er
connects to o the partner server,
s and theen downloads tthe federation n metadata froom the server. The
federation metadata inclu o configure the relying partyy trust.
udes all the infformation thatt is required to
As part of the
t federation metadata dow wnload, your ffederation servver also downloads the SSL
certificate that
t the partne
er federation server
s uses.
Import dataa about the relying party froom a file. Use tthis option if th
he partner fed
deration serverr is not
accessible from
f your fede
eration server directly. In thiss case, the parrtner organizattion can exporrted its
configuratioon information
n to a file, and
d then provide it to you. Thee configuration n file must include the
configuratioon information
n for the partnner organizatio on, and the SSL certificate th
hat the partnerr
federation server uses.
Manually
M config
gure the claims provider trusst. Use this opttion if you wan
nt to configure
e all of the setttings
fo
or the claims provide
p trust diirectly.
Demonstra
D ation: Conffiguring Cllaims Provvider and R
Relying Paarty Trusts
In
n this demonsttration, you will see how to configure
c claim
ms provider truusts and relying party trusts. The
in
nstructor will sh
how how to ed ory claims provvider trust. The instructor will also
dit the default Active Directo
crreate a new relying party tru
ust, and demonnstrate how to o configure thee trust.
Demonstrati
D ion Steps
Configure
C a Claims Prov
vider Trust
1.. In the AD FS usts, highlight the Active Diirectory store,, and
F console, go to the Claimss Provider Tru
then click Edit
E Claim Rulles.
6. In the Mapping of LDAP attributes to outgoing claim types select the following values:
o User-Principal-Name to UPN
o Select No encryption.
2. Complete the Add Relying Party Wizard with the following settings:
o Select Import data about the relying party published online or on a local network, and type
https://lon-svr1.adatum.com/adatumtestapp.
o Ensure that the Edit Claim Rules for ADatum Test App check box is selected when the wizard is
complete.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 12-23
Lesson
n4
Deplo
oying AD
A FS in a B2B Federattion Sce
enario
A second comm mon scenario foor implementiing AD FS is inn a B2B federattion scenario. In this scenario
o, users
in
n one organiza
ation require access to an ap
pplication in an
nother organizzation. AD FS in this scenarioo
en
nables SSO. Th
his way, users always
a log on to their home AD DS enviro onment, but arre granted acce ess to
th
he partner app
plication based
d on the claimss acquired from
m their local A
AD FS server.
Le
esson Objecctives
After completin y will be able to:
ng this lesson, you
Configure the
t account pa
artner in a B2B
B federation sccenario.
Configure the
t resource partner
p in a B2B
B federation sccenario.
Ex
xplain how to configurre claims ru
ules for a B2
2B federatio
on scenario..
Explain how
w home realm discovery worrks.
Configure claims
c rules.
Configuring
C g an Account Partne
er
In
n a B2B AD FS scenario, the terminology
t th
hat you
usse to describe the two partners involved in n the
AD FS deployment changes slightly. In this
sccenario, the cla
aims provider organization is also
caalled the accouunt partner org
ganization. An n
acccount partnerr organization is the organiza ation in
which
w the user accounts
a are stored
s in an atttribute
sttore. An account partner hanndles the follow wing
ta
asks:
Gather cred
dentials from users
u who are using a
web-based service, and then authenticaating
those crede
entials.
Build up cla
aims for users, and then package the claim ms into securityy tokens. The ttokens can theen be
presented across
a a federa
ation trust to gain
g access to federation ressources that arre located at th
he
resource paartner organizaation.
1.. Implement the physical topology for thhe account parrtner deploym
ment. This step could include
deciding on
n the number of federation servers and fe deration serveer proxies to deploy the locaations to
deploy them equired DNS reecords and cerrtificates.
m to, and conffiguring the re
2.. Add an attrribute store. Use the AD FS management
m cconsole to add d the attribute store. In mostt cases,
you use the
e default Active Directory atttribute store (wwhich must bee used for auth hentication), but you
can also add other attribuute stores if re
equired to buil d the user claiims.
3.. Connect to a resource pa artner organiza
ation by creati ng a relying p
party trust. The
e easiest way to
o do
this is to usse the federatio
on metadata URL
U that is proovided by the rresource partn ner organizatio
on. With
MCT USE ONLY. STUDENT USE PROHIBITED
12-24 Implementing Active Directoory Federation Services
Co
onfiguring a Resourcce Partner
The resource parttner organizatiion is the relyin
ng
partty in a B2B fed
deration scenario. The resourrce
parttner organization is where th
he resources exist
and are made acccessible to accoount partner
orgaanizations. The
e resource parrtner handles the
t
follo
owing tasks:
Configuring thee resource parttner organization is similar tto configuring the account p
partner organizzation
an
nd consists of the following steps:
1.. Implement the physical topology for th he resource paartner deploym
ment. The plan
nning and
implementa ation steps are
e the same as the he addition of planning the w
t account paartner, with th web
server locattion and config
guration.
2.. Add an attrribute store. On
O the resource opulate the claims that
e partner, the aattribute storee is used to po
are offered to the client to
t present to the web serverr.
Configuring
C g Claims Rules
R for B2B
B Scenarrios
In
n a single organization deplo oyment of AD FS, it
may
m be quite ea asy to design and
a implemen nt claims
ru
ules. In many cases,
c you mayy need to provide
on ame or group name that is
nly the user na
co t claim and presented to the
ollected from the t web
erver. In a B2B scenario, it is more likely that you
se
will
w have to con nfigure more complicated cla aims
ru
ules to define user
u access between widely varying
v
syystems.
Permit or Den ny Users Basedd on an Incoming Claim rulee template. Thiis template is aavailable only when
you are configuring Issuancce Authorizatio on Rules or Deelegation Auth horization Rule
es on a relying party
trust. Use thiss template to create
c rules tha
at enable or d eny access by users to a relyying party, bassed on
the type and value of an incoming claim. This claim rul e template all ows you to pe erform an
authorizationn check on the claims provider before claim ms are sent to a relying partyy. For example e, you
can use this rule template tot create a rulee that only perrmits users fro
om the Sales grroup to accesss a
relying party, while authenttication requessts from memb bers of other ggroups are nott sent to the re
elying
party.
If no e templates prrovide the funcctionality that you require, yyou can create more
one of the built-in claim rule
commplex rules usin
ng the AD FS claim
c rule lang
guage. By creaating a customm rule, you can extract claimss
info
ormation from multiple attrib bute stores andd also combinne claim types into a single cclaim rule.
Ho
ow Home Realm
R Disccovery Wo
orks
Somme resource pa artner organizaations that aree
hostting claims-aw ware applicatioons may want to t
enable multiple account partners to access th heir
appplications. In th
his scenario, wh
hen users conn nect
to the web application, there must
m be some
mecchanism for directing the use ers to the AD FS
fedeeration server in their home domain, rathe er
thann to another organizations
o federation
f servver.
The process for diirecting clientss to the appropriate
accoount partner iss called home realm discoverry.
3. If the remote application is SAML 2.0-com mpliant, users can use a SAM ML profile calle ed IdPInitiated
d SSO.
This SAML profile configure es users to acccess their local claims provid er first, which can prepare thhe
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 12-27
users token with the claims required to access the partners web application. This process changes the
normal process for accessing the web application, by having the users log on to the claims provider
federation server first, and then prompting them to select which application they want to access, so
that their token can be created with the appropriate information.
Note: The home realm discovery process occurs the first time the user tries to access a web
application. After the user authenticates successfully, a home realm discovery cookie is issued to
the client so that the user does not have to go through the process the next time. This home
realm discovery cookie expires after a month, unless the cookie cache is cleared prior to
expiration.
Demonstration Steps
2. Delete the Issuance Authorization Rule that grants access to all users.
3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of
Group, an Incoming claim value of Production, and select the option to Permit access to users
with this incoming claim
4. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an
Incoming claim value, of @adatum.com, and select the option to Permit access to users with this
incoming claim, and then click Finish.
5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.
MCT USE ONLY. STUDENT USE PROHIBITED
12-28 Implementing Active Directory Federation Services
Lab: Implementing AD FS
Scenario
A. Datum Corporation has set up a variety of business relationships with other companies and customers.
Some of these partner companies and customers must access business applications that are running on
the A. Datum network. The business groups at A. Datum want to provide a maximum level of functionality
and access to these companies. The Security and Operations departments want to ensure that the
partners and customers can only access the resources to which they require access, and that
implementing the solution does not significantly increase the workload for the Operations team. A. Datum
is also working on migrating some parts of their network infrastructure to online services, including
Windows Azure and Office 365.
To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the
company plans to use AD FS to implement SSO for internal users who access an application on a web
server. A. Datum also has entered into a partnership with another company, Trey Research. Trey Research
users must be able to access the same application.
As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS
solution. As a proof of concept, you plan to deploy a sample claims-aware application, and configure
AD FS to enable both internal users and Trey Research users to access the same application.
Objectives
Configure the AD FS prerequisites.
Install and configure AD FS.
Lab Setup
Estimated Time: 90 minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-MUN-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
4. Bind the certificate to the claims-aware application on the web server, and verify application access.
2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, using the DNS server
IP address of 172.16.0.10.
2. Create a new MMC, and add the Group Policy Management Editor.
3. Edit the Default Domain Policy Group Policy Object and import the copied root certificate to the
Trusted Root Certification Authorities folder.
4. On MUN-DC1, copy the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt from
\\LON-DC1.Adatum.com\certenroll to the Documents folder.
5. Create a new MMC, and add the Certificates snap-in focused on the Local Computer.
6. Import the copied root certificate to the Trusted Root Certification Authorities folder.
2. Request a new domain certificate for the server using the following parameters:
o Common name: LON-SVR1.adatum.com
o Organization: A. Datum
o Organization unit: IT
o City/locality: London
o State/province: England
o Country/region: GB
Task 4: Bind the certificate to the claims-aware application on the web server, and
verify application access
1. On LON-SVR1, in IIS, create a new HTTPS site binding, and then select the newly created certificate.
3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected, because you have not yet configured AD FS for authentication.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
2. Create a standalone federation server using the AD FS Federation Server Configuration Wizard.
4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06
/federationmetadata.xml.
5. Verify that the xml file opens successfully, and then scroll through its contents.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 12-31
Results: In this exercise, you installed and configured the AD FS server role, and verified a successful
installation by viewing the Federation Meta Data .xml contents.
3. Configure the claims application to trust incoming claims by running the Windows Identity
Foundation Federation Utility.
4. Configure a relying party trust for the claims-aware application.
3. Make the new certificate the primary certificate, and remove the old certificate.
2. In the Edit Claim Rules for Active Directory dialog box, on the Acceptance Transform Rules tab,
launch the Add Transform Claim Rule Wizard and complete the wizard with the following settings:
3. In the Mapping of LDAP attributes to outgoing claim types select the following values:
o User-Principal-Name to UPN
o Display-Name to Name
MCT USE ONLY. STUDENT USE PROHIBITED
12-32 Implementing Active Directory Federation Services
Task 3: Configure the claims application to trust incoming claims by running the
Windows Identity Foundation Federation Utility
1. On LON-SVR1, from the Start screen, launch the Windows Identity Foundation Federation Utility.
o Point to the web.config file of the Windows Identity Foundation sample application by pointing
to C:\Inetpub\wwwroot\ AdatumTestApp \web.config.
2. Complete the Add Relying Party Wizard with the following settings:
o Choose to Import data about the relying party published online or on a local network, and
then type https://lon-svr1.adatum.com/adatumtestapp.
o When the wizard completes, accept the option to open the Edit Claims Rules for ADatum Test
App.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
o In the Claim rule template drop-down list, click Pass through or Filter an Incoming Claim.
o Name the claim rule Pass through Windows Account name rule.
o In the Incoming claim type drop-down list, click Windows account name.
3. Create three more rules to pass through E-Mail Address, UPN, and Name type claim.
Results: In this exercise, you configured a Token signing certificate and configured a claims provider trust
for Adatum.com. You also should have configured the sample application to trust incoming claims, and
configured a relying party trust and associated claim rules. You also tested access to the sample Windows
Identity Foundation application in a single organization scenario.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 12-33
2. Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware application.
3. Verify access to the A. Datum test application for Trey Research users.
4. Configure claim rules for the claim provider trust and the relying party trust to allow access only for a
specific group.
2. Complete the Add Claims Provider Trust Wizard with the following settings:
o Choose Import data about the claims provider published online or on a local network, and
enter https://mun-dc1.treyresearch.net as the data source.
o In Display Name, type mun-dc1.treyresearch.net.
3. In the Edit Claim Rules for the mun-dc1.treyresearch.net properties dialog box, use the following
values:
o Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
o Use Pass through Windows account name rule as the claim rule name.
o Choose Windows account name as the incoming claim type, and then choose to Pass through
all claim values.
Note: You should disable certificate revocation checking only in test environments. In a production
environment, certificate revocation checking should be enabled.
Task 2: Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware
application
1. On MUN-DC1, in the AD FS Management console, open the Add Relying Party Trust Wizard, and
complete it with the following settings:
MCT USE ONLY. STUDENT USE PROHIBITED
12-34 Implementing Active Directory Federation Services
o Choose to Import data about the relying party published online or on a local network and
type in https:// lon-dc1.adatum.com .
o Accept the option to open the Edit Claim Rules for Adatum TestApp when the wizard completes.
2. In the Edit Claim Rules for Adatum TestApp properties dialog box, on the Issuance Transform
Rules tab, click to add a rule with the following settings:
o In the claim rule template list, choose Pass Through or Filter an Incoming claim.
o In the Claim rule name box, type Pass through Windows account name rule.
Task 3: Verify access to the A. Datum test application for Trey Research users
1. On MUN-DC1, open Internet Explorer and connect to
https://lon-svr1.adatum.com/adatumtestapp/
2. Select mun-dc1.treyresearch.net as the home realm, and log on as TreyResearch\April, with the
password Pa$$w0rd.
4. Close Internet Explorer, and connect to the same web site. Verify that this time you are not prompted
for a home realm.
Note: You are not prompted for a home realm again. Once users have selected a home realm and
been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party
federation server. The default lifetime for the cookie is 30 days. Therefore, to log on multiple times, you
should delete that cookie after each logon attempt to return to a clean state.
Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a specific group
1. On MUN-DC1, open the AD FS Management Console, access the Adatum TestApp relying party trust.
2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule
Permit Production Group Rule, configure the Users Group as Production, configure the Outgoing
claim type as Group, and the Outgoing claim value as Production.
4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes
through or filters an incoming claim. Name the rule Send TreyResearch Group Name Rule, and
configure the rule to use an incoming claim type of Group.
5. Delete the Issuance Authorization Rule that grants access to all users.
6. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an
Incoming claim type of Group, an Incoming claim value of Production, and select the option to
Permit access to users with this incoming claim.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services 12-35
7. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim
value, of @adatum.com, and select the option to Permit access to users with this incoming
claim, and then click Finish.
8. Edit the Temp rule and copy the claim rule language into the clipboard.
10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule.
11. Click in the Custom rule box, and then press Crtl + V to paste the clipboard contents into the box.
Edit the first URL to match the following text, and then click Finish.
2. Verify that TreyResearch\April no longer has access to the A. Datum test app.
3. Clear the browsing history in Internet Explorer.
4. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
5. Verify that TreyResearch\Morgan does have access to the A. Datum test app. Morgan is a member
of the Production group.
Results: In this exercise, you configured a claims provider trust for TreyResearch on Adatum.com. and a
relying party trust for Adatum on TreyResearch. You verified access to the A. Datum claim-aware
application. Then you configured the application to restrict access from TreyResearch to specific groups,
and you verified appropriate access.
2. In the Virtual Machines list, right-click 20412A-MUN-DC1, and then click Revert.
Lab Review
Question: In this lab, you implemented access to a claims-aware application for both internal and
external users. What extra steps did you have to take in the relying party to enable access for
external users?
Question: How can you identify which claims are used to provide user access to the sample
Windows Identity Foundation application that you used in the lab?
MCT USE ONLY. STUDENT USE PROHIBITED
12-36 Implementing Active Directory Federation Services
Question: Under what circumstances would you choose to deploy a federation proxy server?
Under what circumstances, do you not need to deploy a federation proxy server?
2. Question: Fabrikam, Inc. is examining the requirements for AD FS. The company wants to use a
federation proxy server for maximum security. Fabrikam, Inc. currently has an internal network with
internal DNS servers, and their internet-facing DNS is hosted by a hosting company. The perimeter
network uses the hosting companys DNS servers for DNS resolution. What must the company do to
prepare for the deployment?
Answer:
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring AAdvanced Windows SServer 2012 Servicees 12-37
Coursse Evalu
uation
Yo
our evaluation
n of this course
e will help Microsoft understtand the qualitty of your learning experience.
2. In the DHCP console, click LON-DC1.adatum.com, select and then right-click IPv4, and then click
New Scope.
4. On the Scope Name page, in the Name box, type Scope1, and then click Next.
5. On the IP Address Range page, in the Start IP address box, type 192.168.0.50, and then in the End
IP address box, type 192.168.0.100.
6. In the Subnet mask box, ensure that 255.255.255.0 is entered, and then click Next.
7. On the Add Exclusions and Delay page, click Next.
9. On the Configure DHCP Options page, select Yes, I want to configure these options now, and
then click Next.
10. On the Router (Default Gateway) page, in the IP address box, type 192.168.0.1, click Add, and
then click Next.
11. On the Domain Name and DNS Servers page, ensure the parent domain is Adatum.com, and then
click Next.
14. On the Completing the New Scope Wizard page, click Finish.
17. On the Scope Name page, in the Name box, type Scope2, and then click Next.
18. On the IP Address Range page, in the Start IP address box, type 192.168.1.50, and then in the End
IP address box, type 192.168.1.100.
19. In the Subnet mask box, ensure that 255.255.255.0 is entered, and then click Next.
22. On the Configure DHCP Options page, select Yes, I want to configure these options now, and
then click Next.
23. On the Router (Default Gateway) page, in the IP address box, type 192.168.1.1, click Add, and
then click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
L1-2 Module 1: Implementing Advanced Network Services
24. On the Domain Name and DNS servers page, ensure the parent domain is Adatum.com, and then
click Next.
26. On the Activate Scope page, click No, I will activate this scope later, and then click Next.
27. On the Completing the New Scope Wizard page, click Finish.
28. Right-click the IPv4 node, and then click New Superscope.
30. On the Superscope Name page, in the Name box, type AdatumSuper, and then click Next.
31. On the Select Scopes page, select Scope1, hold down the Ctrl key, select Scope2, and then click
Next.
32. On the Completing the New Superscope Wizard page, click Finish.
5. Select the Enable Name Protection check box, and then click OK.
6. Click OK again.
2. On LON-DC1, in the DHCP console, right-click the IPv4 node, and then click Configure Failover.
3. In the Configure Failover Wizard, click Next.
4. On the Specify a partner server to use for failover page, in the Partner Server box, enter
172.16.0.21, and then click Next.
5. On the Create a new failover relationship page, in the Relationship Name box, enter Adatum.
6. In the Maximum Client Lead Time field, set the hours to 0, and set the minutes to 15.
7. Ensure that the Mode field is set to Load balance, and that the Load Balance Percentage is set to
50%.
8. Select the State Switchover Interval check box. Keep the default value of 60 minutes.
9. In the Enable Message Authentication Shared Secret box, type Pa$$w0rd, and then click Next.
10. Click Finish, and then click Close.
11. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active.
12. Expand the IPv4 node, expand Scope Adatum, click the Address Pool node, and note that the
address pool is configured.
13. Click the Scope Options node, and note that the scope options are configured.
17. In Control Panel, click Network and Internet, click Network and Sharing Center, click Change
adapter settings, and then right-click Local Area Connection, and then click Properties.
18. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
19. In the Properties window, select the Obtain an IP address automatically radio button, click Obtain
DNS server address automatically, and then click OK.
20. In the Local Area Connection Properties dialog box, click Close.
21. Hover over the bottom right corner to expose the fly-out menu, and then click Search Charm.
22. In the Apps search box, type Cmd, and then press Enter.
23. In the command prompt window, type ipconfig, and then press Enter. Record your IP address.
26. In the Services window, locate the DHCP Server service, and then click Stop the service.
27. Close the Services window, and close the DHCP console.
28. On LON-CL1, in the command prompt window, type ipconfig /release, and then press Enter.
30. Type ipconfig, and then press Enter. What is your IP address? Answers may vary.
32. On LON-DC1, in the Services console, start the DHCP server service.
Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection,
and configured and verified DHCP failover.
2. Expand LON-DC1, expand Forward Lookup Zones, click Adatum.com, and then right-click
Adatum.com.
5. On the Signing options page, click Customize zone signing parameters, and then click Next.
6. On the Key Master page, ensure that LON-DC1 is the Key Master, and then click Next.
13. On the New Zone Signing Key (ZSK) page, click OK.
16. On the Trust Anchors page, select the Enable the distribution of trust anchors for this zone
check box. Click Next.
18. On the DNS Security Extensions page, click Next, and then click Finish.
19. In the DNS console, expand Trust Points, expand com, and then click Adatum. Ensure that the
DNSKEY resource records display, and that their status is valid.
20. Minimize the DNS Manager.
21. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.
22. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain
Policy, and then click Edit.
23. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click Name Resolution Policy.
24. In the right pane, under Create Rules, in the Suffix box, type Adatum.com to apply the rule to the
suffix of the namespace.
25. Select the Enable DNSSEC in this rule check box, select the Require DNS clients to check that the
name and address data has been validated by the DNS server check box, click Create.
26. Close the Group Policy Management Editor and Group Policy Management Console.
3. In the command prompt window, type the following command, and then press Enter to view the
current size of the DNS socket pool. Note that the current size is 2,500.
4. Type the following command, and then press Enter to change the socket pool size to 3,000.
5. Type the following command, and then press Enter to stop the DNS server.
6. Type the following command, and then press Enter to restart the DNS server.
7. Type the following command, and then press Enter to confirm the new socket pool size.
2. Type the following command, and then press Enter to change the cache lock value to 75 percent.
3. Type the following command, and then press Enter to stop the DNS server.
4. Type the following command, and then press Enter to restart the DNS server.
5. Type the following command, and then press Enter to display the current percentage value of the
DNS cache lock.
6. Leave the command prompt window open for the next task.
2. In the command prompt window, type the following command, and then press Enter to enable
support for GlobalName zones:
3. Create an Active Directory integrated forward lookup zone named GlobalNames by running the
following command:
6. In the DNS console, click Action, and then click Refresh to refresh the view.
7. In the DNS console, expand Forward Lookup Zones, click the Contoso.com zone, right-click
Contoso.com, and then click New Host (A or AAAA).
8. In the New Host dialog box, in the Name box, type App1.
Note: The Name box uses the parent domain name if it is left blank.
MCT USE ONLY. STUDENT USE PROHIBITED
L1-6 Module 1: Implementing Advanced Network Services
9. In the IP address box, type 192.168.1.200, and then click Add Host.
11. Right-click the GlobalNames zone, and then click New Alias (CNAME).
12. In the New Resource Record dialog box, in the Alias name box, type App1.
13. In the Fully qualified domain name (FQDN) for target host box, type App1.Contoso.com, and
then click.
Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS
cache locking, and the GlobalName zone.
6. On the Select features page, select the IP Address Management (IPAM) Server check box.
7. In the Add features that are required for IP Address Management (IPAM) Server popup, click
Add Features, and then click Next.
2. In the IPAM Overview pane, click Connect to IPAM server, and then select
LON-SVR2.Adatum.com and then click OK.
5. On the Select provisioning method page, ensure that the Group Policy Based method is selected,
in the GPO name prefix box, type IPAM, and then click Next.
6. On the Confirm the Settings page, click Apply. Provisioning will take a few moments to complete.
7. When provisioning completes, click Close.
2. In the Configure Server Discovery settings dialog box, click Add, and then click OK.
3. In the IPAM Overview pane, click Start server discovery. Discovery may take 5-10 minutes to run.
The yellow bar will indicate when discovery is complete.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L1-7
2. Scroll down to the Details view, and note the status report, which is that the IPAM server has not yet
been granted permission to manage LON-DC1 via Group Policy.
3. On the taskbar, right-click the Windows PowerShell icon, right-click Windows PowerShell and then
click Run as Administrator.
4. At the command prompt, type the following command, and then click Enter:
5. When you are prompted to confirm the action, type Y, and then press Enter. The command will take a
few moments to complete.
7. In Server Manager, in the details pane, right-click LON-DC1, and then click Edit Server.
8. In the Add or Edit Server dialog box, set the Manageability status to Managed, and then click OK.
12. Switch to LON-SVR2, in Server Manager, in the IPAM console, right-click the LON-DC1 entry, and
then click Refresh Server Access Status. After the refresh completes, click the IPv4 console refresh
button. It may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks
as needed until a green check mark displays next to LON-DC1 and the IPAM Access Status shows
Unblocked.
13. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take a few
moments to complete.
2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server
role, and then click Create DHCP Scope.
3. In the Create DHCP Scope dialog box, in the Scope Name box, type TestScope.
8. In the Configure options pane, click the Option drop-down arrow, and then select 003 Router.
9. Under Values, in the IP Address box, type 10.0.0.1, click Add to list, and then click OK.
10. On LON-DC1, in the Server Manager toolbar, click Tools, and then click DHCP.
11. In the DHCP console, expand LON-DC1, expand IPv4, and confirm that the TestScope exists.
MCT USE ONLY. STUDENT USE PROHIBITED
L1-8 Module 1: Implementing Advanced Network Services
2. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block.
3. In the Add or Edit IPv4 Address Block dialog box, provide the following values, and then click OK:
o Prefix length: 16
5. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address.
6. In the Add IP Address dialog box, under Basic Configurations, provide the following values, and
then click OK:
o IP address: 172.16.0.1
7. Click the Tasks drop-down arrow, and then click Add IP Address.
8. In the Add IP Address dialog box, under Basic Configuration, provide the following values:
o IP address: 172.16.0.10
10. In the Add IPv4 Address pane, click DNS Record, enter the following values, and then click OK:
11. When the entry displays in the IPv4 details pane, right-click the entry, and then click Create DHCP
Reservation.
12. Right-click the entry again, and then click Create DNS Host Record.
13. On LON-DC1, open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then
click Reservations. Ensure that the 172.16.0.10 Webserver reservation displays.
14. Open the DNS console, expand Forward Lookup Zones, and then click Adatum.com. Ensure that a
host record displays for Webserver.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L1-9
Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAM-
related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP
addresses, DHCP reservations, and DNS records.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7. On the Select features page, click Next.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk1, and then click
Next.
6. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, ensure GB is selected in the
drop-down list box, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-DC1, and then click Next.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list box, click IP Address, in the Value text box, type 172.16.0.22, and
then click OK.
12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list box, click IP Address, in the Value text box, type 131.107.0.2, and
then click OK.
16. On the View results page, wait until creation completes, and then click Close.
17. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk2, and then click
Next.
20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, in the drop-down list box, ensure
GB is selected, and then click Next.
21. On the Assign iSCSI target page, click lon-dc1, and then click Next.
22. On the Confirm selection page, click Create.
23. On the View results page, wait until creation completes, and then click Close.
24. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
26. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk3, and then click
Next.
27. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box,
ensure GB is selected, and then click Next.
28. On the Assign iSCSI target page, click lon-dc1, and then click Next.
31. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
32. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
33. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk4, and then click
Next.
34. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box,
ensure GB is selected, and then click Next.
35. On the Assign iSCSI target page, click lon-dc1, and then click Next.
37. On the View results page, wait until creation completes, and then click Close.
38. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
39. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
40. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk5, and then click
Next.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L2-13
41. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box,
ensure GB is selected, and then click Next.
42. On the Assign iSCSI target page, click lon-dc1, and then click Next.
44. On the View results page, wait until creation completes, and then click Close.
2. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select Routing
and Remote access.
3. In the Enable DirectAccess Wizard, click Cancel, and then click OK on the Confirmation dialog box.
4. Right-click LON-SVR2 and then click Disable Routing and Remote Access. Click Yes and then
close the Routing and Remote Access console.
5. In Server Manager click Add roles and features.
6. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
8. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
10. On the Select features page, click Multipath I/O, and then click Next.
17. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
18. In MPIO Properties dialog box, click the Discover Multi-Paths tab.
19. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to
reboot the computer, click Yes.
20. After the computer restarts, log on to LON-SVR2 with username of Adatum\Administrator and
password of Pa$$w0rd.
21. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
22. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that additional Device
Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.
2. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to
the list of Favorite Targets check box is selected, and then click the Advanced button.
6. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22 and in the Target
Portal IP drop-down list, click 172.16.0.10 / 3260.
9. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
10. In Connect to Target window, click Enable multi-path, verify that the Add this connection to the
list of Favorite Targets check box is selected, and then click the Advanced button.
11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2 and in the Target
Portal IP drop-down list, select 131.107.0.1 / 3260.
14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.
15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto
Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.
19. Verify that in Load balance policy, Round Robin is selected. Under This device has the following
paths, notice that two paths are listed. Select the first path and then click the Details button.
20. Note the IP address of the Source and Target portals, and then click OK.
21. Select the second path and then click the Details button.
22. Verify that the Source IP address is of the second network adapter, and then click OK.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L2-15
2. In the File Server Resource Manager window, expand Classification Management, select and then
right-click Classification Properties, and then click Create Local Property.
3. In the Create Local Classification Property window, in the Name text box, type Corporate
Documentation, in the Property Type drop-down list box ensure that Yes/No is selected, and then
click OK.
2. In the Create Classification Rule window, on the General tab, in the Rule name text box, type
Corporate Documents Rule, and then ensure that the Enable checkbox is selected.
4. In the Browse For Folder window, expand Allfiles (E:\), expand Labfiles, click Corporate
Documentation, and then click OK.
5. In the Create Classification Rule window, on the Classification tab, in the Classification method
drop-down list box, click Folder Classifier, in the Property-Choose a property to assign to files
drop-down list box, click Corporate Documentation, and then in the Property-Specify a value
drop-down list box, click Yes.
6. Click the Evaluation type tab, click Re-evaluate existing property values, ensure that the
Aggregate the values radio button is selected, and then click OK.
7. In File Server Resource Manager, in the Actions pane, click Run classification with all rules now.
8. In the Run classification window, select the Wait for classification to complete radio button, and
then click OK.
9. Review the Automatic classification report that displays in Windows Internet Explorer, and ensure
that the report lists the same number of classified files as in the Corporate Documentation folder.
10. Close Internet Explorer, but leave the File Server Resource Manager open.
2. In the Create Local Classification Property window, in the Name text box, type Expiration Date, in
the Property Type drop-down list box, ensure that Date-Time is selected, and then click OK.
3. In File Server Resource Manager, expand Classification Management, click Classification Rules, and
then in the Actions pane, click Create Classification Rule.
4. In the Create Classification Rule window, on the General tab, in the Rule name text box, type
Expiration Rule, and ensure that the Enable check box is selected.
6. In the Browse For Folder window, expand Allfiles (E:\), expand Labfiles, click Corporate
Documentation, and then click OK.
7. Click the Classification tab, in the Classification method drop-down list box, click Folder Classifier,
and then in the Property-Choose a property to assign to files drop-down list box, click Expiration
Date.
8. Click the Evaluation type tab, click Re-evaluate existing property values, ensure that the
Aggregate the values radio button is selected, and then click OK.
9. In File Server Resource Manager, in the Actions pane, click Run classification with all rules now.
10. In the Run classification window, select the Wait for classification to complete radio button, and
then click OK.
11. Review the Automatic classification report that displays in Internet Explorer, and ensure that the
report lists the same number of classified files as in the Corporate Documentation folder.
12. Close Internet Explorer, but leave the File Server Resource Manager open.
2. In the Create File Management Task window, on the General tab, in the Task name text box, type
Expired Corporate Documents, and then ensure that the Enable check box is selected.
4. In the Browse For Folder window, select E:\Labfiles\Corporate Documentation, and then click OK.
5. In the Create File Management Task window, on the Action tab, in the Type drop-down list box,
ensure that File expiration is selected, and then in the Expiration directory box, type
E:\Labfiles\Expired.
8. Click the Condition tab, select the Days since the file was last modified check box, and then in the
same row, replace the default value of 0 with 1.
Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or
more, depending on the companys policy.
9. Click the Schedule tab, ensure that the Weekly radio button is selected, select the Sunday check
box, and then click OK.
2. In the Run File Management Task window, click Wait for the task to complete, and then click OK.
3. Review the File management task report that displays in Internet Explorer, and ensure that report lists
the same number of classified files as in the Corporate Documentation folder.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L2-17
5. In the Event Viewer console, expand Windows Logs, and then click Application.
6. Review events with numbers 908 and 909. Notice that 908 FSRM started a file management job,
and 909 FSRM finished a file management job.
Results: After completing this exercise, you will have configured a file classification infrastructure so that
the latest version of the documentation is always available to users.
2. In the Virtual Machines list, right-click 20417A-LON-SVR2, and then click Revert.
Keep all other virtual machines running for the next lab.
MCT USE ONLY. STUDENT USE PROHIBITED
L2-18 Module 2: Implementing Advanced File Services
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
10. Point to the lower-right corner of the screen, click Search, in the Search text box, type gpedit.msc,
and then press Enter.
11. In the Local Group Policy Editor console, in the navigation pane, under Computer Configuration,
expand Administrative Templates, expand Network, and then click Lanman Server.
12. On the Lanman Server result pane, in the Setting list, right-click Hash Publication for BranchCache,
and then click Edit.
13. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication
actions list, select the Allow hash publication only for shared folders on which BranchCache is
enabled check box, and then click OK.
2. In the Policy-based QoS Wizard, on the Create a QoS policy page, in the Policy name text box, type
Limit to 100 Kbps, click the Specify Outbound Throttle Rate check box, and in the Specify
Outbound Throttle Rate text box type 100, and then click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
3. In the Local Disk (C:) window, on the menu, click the Home tab, and then click New Folder.
6. In the Share Properties dialog box, on the Sharing tab, click Advanced Sharing.
7. Select the Share this folder check box, and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
11. Point to the lower-right corner of the screen, click Search, in the Search text box, type cmd, and then
press Enter.
12. At the command prompt, type the following command, and then press Enter:
2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list box, click
Group Policy Management.
3. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration,
expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows
Firewall with Advanced Security.
5. In Windows Firewall with Advanced Security, in the navigation pane, expand Windows Firewall with
Advanced Security, and then click Inbound Rules.
6. In the Group Policy Management Editor, on the Action menu, click New Rule.
7. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined, click BranchCache
Content Retrieval (Uses HTTP), and then click Next.
9. On the Action page, click Finish to create the firewall inbound rule.
10. In the Group Policy Management Editor, in the navigation pane, click Inbound Rules, and then in the
Group Policy Management Editor console, on the Action menu, click New Rule.
11. On the Rule Type page, click Predefined, click BranchCache Peer Discovery (Uses WSD), and
then click Next.
14. Close the Group Policy Management Editor and Group Policy Management console.
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
MCT USE ONLY. STUDENT USE PROHIBITED
L2-20 Module 2: Implementing Advanced File Services
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, and then select the BranchCache for Network Files check box.
7. On the Select features page, click BranchCache, and then click Next.
9. Click Close.
3. In Active Directory Users and Computers, right-click Adatum.com, point to New, and then click
Organizational Unit.
4. In the New Object - Organization Unit window, type BranchCacheHost, and then click OK.
9. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list, click
Group Policy Management.
10. In Group Policy Management, under Domains, expand Adatum.com, right-click BranchCacheHost,
and then click Block Inheritance.
12. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd.
14. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Enable-BCHostedServer
RegisterSCP
15. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Get-BCStatus
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
2. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select Group
Policy Management.
3. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration,
expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
5. In the BranchCache results pane, in the Setting list, right-click Turn on BranchCache, and then click
Edit.
6. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
7. In the BranchCache results pane, in the Setting list, right-click Enable Automatic Hosted Cache
Discovery by Service Connection Point, and then click Edit.
8. In the Enable Automatic Hosted Cache Discovery by Service Connection Point dialog box, click
Enabled, and then click OK.
9. In the BranchCache results pane, in the Setting list, right-click Configure BranchCache for network
files, and then click Edit.
10. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the
maximum round trip network latency (milliseconds) after which caching begins text box, type
0, and then click OK. This setting is required to simulate access from a branch office and is not
typically required.
11. Close the Group Policy Management Editor.
13. Start 20412A-LON-CL1, and log on as Adatum\Administrator with the password Pa$$w0rd.
14. On the Start screen, in the lower-right corner of the screen, click Search, in the Search text box, type
cmd, and then press Enter.
15. At the command prompt, type the following command, and then press Enter:
gpupdate /force
16. At the command prompt, type the following command, and then press Enter:
17. Start 20412A-LON-CL2, and log on as Adatum\Administrator with the password Pa$$w0rd.
18. On the Start screen, in the lower-right corner of the screen, click Search, in the Search text box, type
cmd, and then press Enter.
19. At the command prompt, type the following command, and then press Enter:
MCT USE ONLY. STUDENT USE PROHIBITED
L2-22 Module 2: Implementing Advanced File Services
gpupdate /force
20. At the command prompt, type the following command, and then press Enter:
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list box, click
Performance Monitor.
3. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click
Performance Monitor.
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click
Add, and then click OK.
2. Point to the lower-right corner of the screen, click Search, in the Search text box, type perfmon, and
then press Enter.
3. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click
Performance Monitor.
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click
Add, and then click OK.
7. Change graph type to Report. Notice that the value of all performance statistics is zero.
2. Point to the lower-right corner of the screen, click Search, in the Search text box, type perfmon, and
then press Enter.
3. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click
Performance Monitor.
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L2-23
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click
Add, and then click OK.
7. Change graph type to Report. Notice that the value for all performance statistics is zero.
4. In the Share window, in the Name list, right-click write.exe, and then click Copy.
7. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes
from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes
Served)
8. Switch to LON-CL2.
11. In the Share window, in the Name list, right-click write.exe, and then click Copy.
14. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
15. Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
Results: At the end of this exercise, you will have verified that BranchCache is working as expected.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
1. Folders that belong to the Research team should be accessible and modifiable only by employees
that belong to the Research team.
3. Managers should access confidential files only from workstations that belong to the ManagersWKS
security group.
You can meet these requirements by implementing claims, resource properties, and file classifications, as
follows:
1. Create the appropriate claims for users and devices. The user claim uses department as the source
attribute, and the device claim uses description as source attribute.
4. Apply a central access policy to folders in which files for the research departments and managers are
located.
5. As a solution for users who receive error messages, you should implement Access Denied Assistance.
3. In the New Object Organizational Unit dialog box, in the Name field, type Test, and then click
OK.
5. Press and hold the Ctrl key, click the LON-SVR1, LON-CL1, and LON-CL2 computers, right-click, and
then select Move.
10. Right-click the Managers OU, and then click Block Inheritance. This is to remove the block
inheritance setting used in a later module in the course.
12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.
MCT USE ONLY. STUDENT USE PROHIBITED
L3-26 Module 3: Implementing Dynamic Access Control
13. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos
armoring.
15. In the KDC support for claims, compound authentication and Kerberos armoring window, select
Enabled, in the Options section, click the drop-down list, select Supported, and then click OK.
16. Close the Group Policy Management Editor console and Group Policy Management Console.
18. At the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter.
After Group Policy updates, close the Windows PowerShell window.
19. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
20. Expand Adatum.com, right-click Users, click New, and then click Group.
21. In the Group name field, type ManagersWKS, and then click OK.
25. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK
again.
31. Click the Organization tab. Ensure that the Department field is populated with the value Research,
and then click Cancel.
Results: After completing this exercise, you will have planned for Dynamic Access Control deployment,
and you will have prepared AD DS for Dynamic Access Control implementation.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.
5. In the navigation pane, click Dynamic Access Control, and then double-click Resource Properties.
6. Review the default resource properties. Note that all properties are disabled by default.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L3-27
7. In the navigation pane, click Dynamic Access Control, and then double-click Resource Property
Lists.
8. In the central pane, right-click Global Resource Property List, and then click Properties.
9. In the Global Resource Property List, in the Resource Properties section, review the available resource
properties, and then click Cancel.
2. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
3. In the Create Claim Type window, in the Source Attribute section, select department.
5. Select both User and Computer check boxes, and then click OK.
2. In the Create Claim Type window, in the Source Attribute section, click description.
3. Clear the User check box, select the Computer check box, and then click OK.
Results: After completing this exercise, you will have reviewed the default claim types, configured claims
for users, and configured claims for devices.
3. In the Resource Properties list, right-click Department, and then click Enable.
4. In the Resource Properties list, right-click Confidentiality, and then click Enable.
5. In the Global Resource Property List, ensure that both the Department and Confidentiality
properties are enabled.
6. Double-click Department.
7. Scroll down to the Suggested Values section, and then click Add.
8. In the Add a suggested value window, in both Value and Display name text boxes, type Research,
and then click OK two times.
9. Click Dynamic Access Control, and then double-click Resource Property Lists.
10. In the central pane, double-click Global Resource Property List, ensure that both Department and
Confidentiality display and then click Cancel. If they do not display, click Add, add these two
properties, and then click OK.
3. Select and then right-click Classification Properties, and then click Refresh.
7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.
o Property: Confidentiality
o Value: High
12. In the Classification Parameters dialog box, click the Regular expression drop-down list, and then
click String.
13. In the Expression field (next to the word String,) type secret, and then click OK.
14. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.
15. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
16. Click Wait for classification to complete, and then click OK.
17. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in the Report Totals section.
19. Open a Windows Explorer window, and browse to the C:\Docs folder.
20. Right-click Doc1.txt, click Properties, and then click the Classification tab. Verify that
Confidentiality is set to High.
21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1 and Doc2 have the word
secret in their content.
3. Click the Classification tab, and then click Department. In the Value section, click Research, click
Apply, and then click OK.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L3-29
Results: After completing this exercise, you will have configured resource properties for files, classified
files, and assigned properties to a folder.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.
3. In the Tasks pane, click New, and then click Central Access Rule.
4. In the Central Access Rule dialog box, in the Name field, type Department Match.
13. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.
14. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check boxes.
15. Click Add a condition.
16. Click the Group drop-down list, and then click Company Department.
17. Click the Value drop-down list, and then select Resource.
20. In the tasks pane, click New, and then click Central Access Rule.
21. For the name of rule, type Access Confidential Docs.
26. In the Permissions section, click Use following permissions as current permissions.
31. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.
32. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check boxes.
Note: If you cannot find Managers in the last drop-down list, click Add items. Then in the
Select User, Computer, Service Account or Group window, type Managers, click Check Names,
and then click OK.
Note: If you cannot find ManagersWKS in the last drop-down list, click Add items. Then in
the Select User, Computer, Service Account or Group window, type ManagersWKS, click Check
Names, and then click OK.
2. In the tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
2. In the Group Policy Management Console, under Domains, expand Adatum.com, right click Test,
and then click Create a GPO in this domain, and link it here.
5. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
6. Click both Department Match and Protect confidential docs, click Add, and then click OK.
4. Open Windows Explorer, browse to drive C, right-click the Docs folder, and then click Properties.
5. In the Properties dialog box, click the Security tab, and then click Advanced.
6. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.
7. On the drop-down list, select Protect confidential docs, and then click OK two times.
9. In the Properties dialog box, click the Security tab, and then click Advanced.
10. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.
11. In the drop-down list, select Department Match, and then click OK two times.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.
3. Right-click DAC Policy, and then select Edit.
5. In the right pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
9. Review other options but do not make any changes, and then click OK.
10. In the right pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types.
12. Close both the Group Policy Management Editor and the Group Policy Management Console.
MCT USE ONLY. STUDENT USE PROHIBITED
L3-32 Module 3: Implementing Dynamic Access Control
13. Switch to LON-SVR1, on the taskbar click the Windows PowerShell icon.
14. At the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter.
Results: After completing this exercise, you will have configured central access rules and central access
policies for Dynamic Access Control.
2. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
3. In the Windows Explorer address bar, type \\LON-SVR1\Docs, and then press Enter.
4. In the Docs folder, try to open Doc3. You should be able to open that document. Close notepad.
5. In the Windows Explorer address bar, type \\LON-SVR1\Research, and then press Enter. You should
be unable to access folder.
6. Click Request assistance. Review options for sending messages, and then click Close.
9. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
10. In the Windows Explorer address bar, type \\LON-SVR1\Research, and then press Enter.
11. Verify that you can access this folder and open documents inside, because Allie is a member of the
Research team.
14. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
16. Verify that you can access this folder and open all files inside.
18. Start and then log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
19. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon. In the Windows
Explorer address bar, type \\LON-SVR1\Docs. You should be unable to view Doc1 or Doc2, because
the LON-CL2 is not permitted to view secret documents.
Results: After completing this exercise, you will have validated Dynamic Access Control functionality.
2. In the Group Policy Management Console, expand Forest:adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy object.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.
5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
6. Double-click Audit File System, select all three check boxes, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management console.
5. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
7. Change the condition to: User-Company Department-Equals-Value-Marketing, and then click OK.
2. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon. In the Windows
Explorer address bar, click the yellow icon, and then type \\LON-SVR1\Research.
3. Try to open the Research folder and its files. You will not be able to open it.
4. Switch to LON-SVR1.
5. Open Server Manager, click Tools, and then select Event Viewer.
2. In the Windows Explorer window, navigate to C:\Research, right-click Research, and then click
Properties.
3. In the Properties dialog box, click the Security tab, click Advanced, and then click Effective Access.
MCT USE ONLY. STUDENT USE PROHIBITED
L3-34 Module 3: Implementing Dynamic Access Control
5. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and
then click OK.
7. Review the results. The user April should not have access to this folder.
8. Click Include a user claim.
11. Click View Effective access. The user should now have access.
Results: After completing this exercise, you will have implemented new resource policies.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. Double-click the file iis-8.png. This will open the file in Microsoft Paint.
4. Ensure that the Paint Brush tool is selected, and then in the palette, click the color Red.
5. Use the mouse to mark the IIS Logo distinctively, using the color red.
6. Save the changes that you made to iis-8.png, and then close Microsoft Paint.
8. Switch to LON-DC1.
11. In the Internet Explorer address bar, type the address http://LON-SVR1 and then press Enter. Verify
that the web page displays the IIS logo with the distinctive color red mark that you added.
12. In the Internet Explorer address bar, enter the address http://LON-SVR2 and then press Enter. Verify
that the web page does not display the marked IIS logo.
13. Close Internet Explorer.
2. In the Server Manager console, click the Tools menu, and then click Windows PowerShell ISE.
3. In the blue PowerShell ISE window, enter the following command and then press Enter:
2. In the Windows PowerShell ISE window, type the following command, and then press Enter:
2. In the Network Load Balancing Manager, verify that nodes LON-SVR1 and LON-SVR2 display with the
status of Converged for the LON-NLB cluster.
4. On the Cluster Parameters tab, verify that the cluster is set to use the Multicast operations mode.
5. On the Port Rules tab, verify that there is a single port rule named All that starts at port 0 and ends
at port 65535 for both TCP and UDP protocols, and that it uses Single affinity.
6. Click OK to close the Cluster Properties dialog box.
Results: After this exercise, you should have successfully implemented an NLB cluster.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L4-37
2. In Windows PowerShell, type each of the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website Name PortTest PhysicalPath C:\porttest Port 5678
New-NetFirewallRule DisplayName PortTest Protocol TCP LocalPort 5678
4. Click drive C, double-click the porttest folder, and then double-click iis-8.png. This will open
Microsoft Paint.
6. Use the Blue paintbrush to mark the IIS Logo in a distinctive manner.
8. Switch to LON-DC1.
11. In the Internet Explorer address bar, type http://LON-SVR2:5678 and then press Enter.
12. Verify that the IIS Start page with the IIS logo distinctively marked with blue displays in Internet
Explorer.
16. In the Cluster Properties dialog box, on the Port Rules tab, select the All port rule, and then click
Remove.
18. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Port range: 80 to 80
o Protocols: Both
o Affinity: None
19. Click OK.
21. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Port range: 5678 to 5678
o Protocols: Both
23. In the Network Load Balancing Manager, right click LON-SVR1, and then click Host Properties.
24. In the Port Rules tab, click the port rule that has 5678 as the Start and End value, and then click Edit.
26. Click OK twice to close both the Add/Edit Port Rule dialog box and the Host Properties dialog box.
5. Click the Refresh icon 20 times. Verify that you see web pages with and without the distinctive red
marking.
6. On LON-DC1, verify that you have Internet Explorer open.
7. In the address bar, enter the address http://LON-NLB:5678, and press Enter.
8. In the address bar, click the Refresh icon 20 times. Verify that you are able to view only the web page
with the distinctive blue marking.
4. Click the LON-NLB node. Verify that node LON-SVR1 displays as Suspended, and that node
LON-SVR2 displays as Converged.
5. Right-click LON-SVR1, click Control Host, and then click Resume.
7. Click the LON-NLB node. Verify that both nodes LON-SVR1 and LON-SVR2 now display as
Converged. You may have to refresh the view.
Results: After this exercise, you should have successfully configured and managed an NLB cluster.
Shutdown /r /t 5
3. Switch to LON-DC1.
5. In the Internet Explorer address bar, type the address http://LON-NLB, and then press Enter.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L4-39
6. Refresh the website 20 times. Verify that the website is available while LON-SVR1 reboots, but that it
does not display the distinctive red mark on the IIS logo until LON-SVR1 has completed the reboot
cycle.
2. In Server Manager, click the Tools menu, and then click Network Load Balancing Manager.
3. In the Network Load Balancing Manager console, right-click LON-SVR2, click Control Host, and then
click Drainstop.
4. Switch to LON-DC1.
5. In Internet Explorer, in the address bar, type http://lon-nlb, and then press Enter.
6. Refresh the site 20 times, and verify that only the welcome page with the red IIS logo displays.
Results: After this exercise, you should have successfully validated high availability for the NLB cluster.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
7. Click Refresh.
9. Select Add this connection to the list of Favorite Targets, and then click OK two times.
10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
18. Select Add this connection to the list of Favorite Targets, and then click OK two times.
19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.
22. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
27. On the Format Partition page, in the Volume Label box, type Data. Select the Perform a quick
format check box, and then click Next.
28. Click Finish. (Note: If the Microsoft Windows window pops up with prompt to format the disk, click
Cancel.)
MCT USE ONLY. STUDENT USE PROHIBITED
L5-42 Module 5: Implementing Failover Clustering
29. Repeat steps 21 through 28 for Disk 2 and Disk 3. (Note: Use Data2 and Data3 for Volume Labels).
31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.
4. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for Failover Clustering? window, click Add Features. Click Next.
7. On the Confirm installation selections page, click Install.
2. In the Actions pane of the Failover Cluster Manager, click Validate Configuration.
4. In the Enter Name box, type LON-SVR3, and then click Add.
7. Verify that Run all tests (recommended) is selected, and then click Next.
9. Wait for the validation tests to finish (it might take up to 5 minutes), and then on the Summary page,
click View Report.
10. Verify that all tests completed without errors. Some warnings are expected.
12. On the Summary page, remove the check mark next to Create the cluster now using the validated
nodes, click Finish.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L5-43
2. In the Create Cluster Wizard on the Before You Begin page, read the information.
3. Click Next, in the Enter server name box, type LON-SVR3, and then click Add. Type LON-SVR4,
and then click Add.
5. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1.
7. In the Confirmation dialog box, verify the information, and then click Next.
8. On the Summary page, click Finish to return to the Failover Cluster Manager.
2. In the right pane, locate a disk that is assigned to Available Storage (you can see this is in Assigned
To column). Right-click that disk, and select the Add to Cluster Shared Volumes option. (If possible
use Cluster Disk 2).
Results: After this exercise, you will have installed and configured the failover clustering feature.
5. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI services and select File Server.
10. On LON-SVR3, open the Failover Cluster Manager, and then expand Cluster1.Adatum.com.
13. On the Select Role page, select File Server, and then click Next.
14. On the File Server Type page, click Scale-Out File Server for application data, and then click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
L5-44 Module 5: Implementing Failover Clustering
15. On the Client Access Point page, in the Client Access Name box, type AdatumFS, and then click
Next.
2. In the New Share Wizard, on the Select the profile for this share page, click SMB Share Quick,
and then click Next.
3. On the Select the server and the path for this share page, click Select by volume, and then click
Next.
4. On the Specify share name page, in the Share name box, type Data, and then click Next.
5. On the Configure share settings page, verify that Enable continuous availability is selected, and
then click Next.
7. Click OK.
Results: After this exercise, you will have deployed and configured a highly available file server.
2. Verify that you can access the location and that you can open the Data folder. Create a test text
document inside this folder.
4. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS.
Note: You can view the owner in the Owner node column. It will be either LON-SVR3 or
LON-SVR4.
5. Right-click AdatumFS, and then click Move, and then click Select Node.
8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the file server role
1. On LON-SVR3, in the Failover Cluster Manager, click Roles.
2. Verify the current owner for the AdatumFS role.
Note: You can view the owner in the Owner node column, which will be either LON-SVR3
or LON-SVR4.
3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.
4. Right-click the node, click More Actions, and then click Stop Cluster Service. In the Stop Cluster
Service dialog box, click Yes.
5. Verify that AdatumFS has moved to another node. To do this, click the other node, and verify that
AdatumFS is running.
6. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
7. Switch to the LON-SVR3 computer. In the Failover Cluster Manager, right-click the stopped node,
click More Actions, and then click Start Cluster Service.
8. Expand Storage and then click Disks. In the center pane, right-click the disk that is assigned to Disk
Witness in.
Note: You can view can view this in the Assigned to column.
10. Switch to LON-DC1, and verify that you can still access the \\AdatumFS\ location. By doing this, you
verify that the cluster is still running, even if the witness disk is offline.
11. Switch to LON-SVR3, and in the Failover Cluster Manager console, click Storage, right-click the disk
that is in Offline status, and then click Bring Online.
Results: After this exercise, you will have tested the failover and failback scenarios.
MCT USE ONLY. STUDENT USE PROHIBITED
L5-46 Module 5: Implementing Failover Clustering
2. In the Add roles and features Wizard, on the Before you begin page, click Next.
9. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
10. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1. Click Connect.
11. In the Cluster Actions pane, click Preview updates for this cluster.
12. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes,
updates will be shown in the list. Review updates and then click Close.
Note: An Internet connection is required for this step to complete successfully. Make sure
that MSL-TMG1 server is up and running and that you can access Internet from LON-DC1.
6. In the Cluster nodes pane, you can review the progress of updating.
Note: Remember that one node of the cluster is in Waiting state and the other node is
restarting after it is updated.
7. Wait until the process is finished. Process is finished when both nodes have Succeeded in Last Run
status column.
9. On LON-SVR3, in the Server Manager, click Tools, and then click Cluster-Aware Updating.
10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list,
select Cluster1. Click Connect.
11. Click the Configure cluster self-updating options in the Cluster Actions pane.
14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM,
and then in the Day of the week box, select Sunday. Click Next.
Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. On LON-HOST1, from Server Manager, click Tools, and then click Hyper-V manager.
5. Repeat steps 3 and 4 on LON-HOST2, and ensure that virtual machine 20412A-LON-SVR1 is running.
3. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.
Note: The drive letter may differ based on the number of drives on the physical host
machine.
6. On the Select Virtual Machine page, click 20412A-LON-CORE, and then click Next.
4. In the Replication Configuration pane, click Enable this computer as a Replica server.
6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.
MCT USE ONLY. STUDENT USE PROHIBITED
L6-50 Module 6: Implementing Failover Clustering with Hyper-V
7. Click Computer, double-click Local Disk (E), click New folder, in the Name text box, type
VMReplica, and then press Enter.
10. In the Settings dialog box, read the notice, and then click OK.
11. Point to the lower left-hand corner of the desktop, and then click Settings.
12. Click Control Panel, click System and Security, and then click Windows Firewall.
15. In the right pane, in the rule list, find the rule named Hyper-V Replica HTTP Listener (TCP-In).
Right-click the rule, and then click Enable Rule.
16. Close the Windows Firewall with Advanced Security console, and then close Windows Firewall.
5. On the Specify Connection Parameters page, review settings, ensure that Use Kerberos
authentication (HTTP) is selected, and then click Next.
6. On the Choose Replication VHDs page, ensure that 20412A-LON-CORE.vhd is selected, and then
click Next.
7. On the Configure Recovery History page, select Only the latest recovery point, and then click
Next.
8. On the Choose Initial Replication Method page, click Send initial copy over the network, select
Start replication immediately, and then click Next.
10. Wait 10-15 minutes. In the Hyper-V Manager console, you can monitor the progress of the initial
replication in the Status column.
11. When replication completes, ensure that 20412A-LON-CORE appears on LON-HOST2 in Hyper-V
Manager.
2. Review the content in the window that appears, ensure that there are no errors, and then click Close.
3. On LON-HOST1, open Hyper-V Manager, and verify that 20412A-LON-CORE is turned off.
5. In the Planned Failover window, ensure that Start the Replica virtual machine after failover is
selected, and then click Fail Over.
11. In the Shut Down Machine dialog box, click Shut Down.
Results: After completing this exercise, you will have configured a Hyper-V Replica.
4. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
8. On LON-HOST2, from the taskbar, click the Server Manager icon to open Server Manager, click
Tools, and then click iSCSI Initiator.
10. Click the Discovery tab, and then click Discover Portal.
11. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
14. Select Add this connection to the list of Favorite Targets, and then click OK twice.
15. On LON-HOST2, in Server Manager, click Tools, and then click Computer Management.
16. Expand Storage, click Disk Management, right-click Disk 2, and then click Online.
19. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.
23. On the Format Partition page, in the Volume label box, type ClusterDisk, select the Perform a
quick format check box, and then click Next.
26. On LON-HOST1, in Server Manager, click Tools, and then click Computer Management.
7. On the Select features page, in the Features list, click Failover Clustering.
8. At the Add features that are required for failover clustering prompt, click Add Features, and
then click Next.
13. In the Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
14. In the Create Cluster Wizard, on the Before You Begin page, read the information, and then click
Next.
15. On the Select Servers page, in the Enter server name box, type LON-HOST1, and then click Add.
16. In the Enter server name box, type LON-HOST2, and then click Add.
17. Verify the entries, and then click Next.
18. On the Validation Warning page, click No. I dont require support from Microsoft for this
cluster, and then click Next.
19. In the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.
20. In the IP address name box, under Address, type 172.16.0.126, and then click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L6-53
21. In the Confirmation dialog box, verify the information, clear the Add all eligible storage to the
cluster check box, and then click Next.
2. In the Add Disks to a Cluster dialog box, verify that all disks are selected, and then click OK.
3. In the Failover Cluster Manager, verify that all disks appear available for cluster storage.
4. Select the ClusterVMs disk, right-click ClusterVMs, and then select Add to Cluster Shared
Volumes.
Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.
5. On the Specify Name and Location page, in the Name text box, type TestClusterVM, click Store
the virtual machine in a different location, and then click Browse.
6. Browse to and select C:\ClusterStorage\Volume1, click Select Folder, and then click Next.
7. On the Assign Memory page, type 1536, and then click Next.
8. On the Configure Networking page, click select External Network, and then click Next.
9. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click
Browse.
MCT USE ONLY. STUDENT USE PROHIBITED
L6-54 Module 6: Implementing Failover Clustering with Hyper-V
12. In the High Availability Wizard, on the Summary page, click Finish.
13. In Failover Cluster Manager, from the Roles node, right-click the TestClusterVM, and then click Start.
2. Right-click TestClusterVM, click Move, click Live Migration, and then click Select Node.
5. Ensure that you can access and operate the virtual machine while it is migrating to another host.
6. Wait until migration completes.
5. On the Choose Move Type page, click Move the virtual machine's storage, and then click Next.
6. On the Choose Options for Moving Storage page, click Move all of the virtual machines data to
a single location, and then click Next.
7. On the Choose a new location for virtual machine page, click Browse.
8. Browse to C:\, create a new folder called LON-SVR1, click Select Folder, and then click Next.
9. On the Summary page, click Finish. While the virtual machine is migrating, connect to it and verify
that it is fully operational.
10. After the move process completes, click Close.
Results: After completing this exercise, you will have configured a highly available virtual machine.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
2. In Server Manager, in the Welcome pane, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
7. On the Select features page, select Windows Server Backup, and then click Next.
4. In the Backup Schedule Wizard, on the Getting Started page, click Next.
5. On the Select Backup Configuration page, click Full server (recommended), and then click Next.
6. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
7. On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.
8. On the Specify Remote Shared Folder page, in the Location text box, type \\LON-DC1\Backup,
and then click Next.
9. In the Register Backup Schedule dialog box, in the Username text box, type Administrator, in the
Password text box, type Pa$$w0rd, and then click OK.
3. In the Backup Once Wizard, on the Backup Options page, click Different options, and then click
Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
6. Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.
7. On the Specify Destination Type page, click Remote shared folder, and then click Next.
8. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
10. On the Backup Progress page, after the backup is complete, click Close.
Results: After completing this exercise, you will have configured the Windows Server Backup feature,
scheduled a backup task, and completed an on-demand backup.
2. In Windows Explorer, browse to Local Disk (C:), right-click Financial Data, and then click Delete.
2. On the Getting Started page, click A backup stored on another location, and then click Next.
3. On the Specify Location Type page, click Remote shared folder, and then click Next.
4. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
7. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:), and on the right
pane, select Financial Data, and then click Next.
8. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
9. On the Confirmation page, click Recover.
11. Open drive C:\, and ensure that the Financial Data folder is restored.
Results: After completing this exercise, you will have tested and validated the procedure for restoring a
file from backup
2. In Allfiles (E:), in the details pane, double-click OBSInstaller.exe, and then click Run.
3. In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service
Agreement terms and conditions, and then click OK.
5. On the Installation Settings page, specify the settings (if not default), and then click Next:
6. On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then
click Install.
7. On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has
completed successfully message displays, clear the Check for newer updates check box, and then
click Finish.
8. On LON-SVR1, click Start, and then click Microsoft Online Backup Service.
9. On LON-SVR1, click Start, and then click Microsoft Online Backup Service Shell.
2. In the Server Manager window, on the Local Server page, click LON-SVR1.
3. In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-
YOURNAME, click OK twice, and then click Close.
4. In a window that displays the message that you should restart your computer, click Restart Now.
6. Start the Microsoft Online Backup Service console, and then click Register Server.
7. In the Register Server Wizard, on the Account Credentials page, in the Username box, type
holuser@onlinebackupservice.onmicrosoft.com, in the Password box, type Pa$$w0rd, and then
click Next.
Note: In a real-life scenario, you would type the username and password of your Microsoft
Online Backup Service subscription account.
9. On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type
Pa$$w0rdPa$$w0rd, and then click Register.
10. On the Server Registration page, ensure that the Microsoft Online Backup Service is now
available for this server message displays, and then click Close.
4. In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
L7-58 Module 7: Implementing Disaster Recovery
5. On the Specify Backup Time page, select Saturday, click 1:00 AM, click Add, and then click Next.
6. On the Specify Retention Setting page, accept the default settings, and then click Next.
10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.
11. On the Backup progress page, wait until Backup is successfully completed message displays, and
then click Close.
2. In the Local Disk (C:) window, right-click Financial Data, and then click Delete.
3. Switch to the Microsoft Online Backup Service console, and then click Recover Data.
4. In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.
5. On the Select Recovery Mode page, select Browse for files, and then click Next.
6. On the Select Volume and Date page, in the Select the volume drop-down list box, select C:\. In
the calendar, click the date when you performed the backup, in the Time drop-down list, click the
time when you performed backup, and then click Next.
7. On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click
Next.
8. On the Specify Recovery Options page, select Original location and Create copies so that you
have both versions, and then click Next.
10. On the Recovery Progress page, ensure that File(s) recovery job succeeded status message
displays, and then click Close.
11. In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive
C.
Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console, and then click Unregister Server.
2. On the Getting started page, click Unregister this server, and then click Next.
o Password: Pa$$w0rd
4. Click Unregister.
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, select and then right-click
Adatum.com, and then click New Delegation.
3. In the New Delegation Wizard, click Next, in the Delegated domain text box, type na, and then click
Next.
5. In the Server fully qualified domain name (FQDN) text box, type TOR-DC1.adatum.com, clear
<Click here to add an IP Address>, type 172.16.0.25, and then click OK.
4. On the Select destination server page, ensure that Select a server from the server pool is
selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Domain Services.
6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features.
10. On the Confirm installation selections page, click Install. (This may take a few minutes to
complete.)
11. When the Active Directory Domain Services (AD DS) binaries have installed, click the blue Promote
this server to a domain controller link.
12. In the Deployment Configuration window, click Add a new domain to an existing forest.
13. Verify that Select domain type is set to Child Domain, and that Parent domain name is set to
Adatum.com. In the New domain name text box, type na.
MCT USE ONLY. STUDENT USE PROHIBITED
L8-62 Module 8: Implementing Distributed Active Directory Domain Services Deployments
14. Confirm that Supply the credentials to perform this operation is set to ADATUM\Administrator
(Current user), and then click Next. (If this is not the case, then use the Change button to enter the
credentials Adatum\Administrator, and the password Pa$$w0rd).
15. In the Domain Controller Options window, ensure that Domain functional level is set to Windows
Server 2012 Release Candidate.
16. Ensure that both the Domain Name system (DNS) server and Global Catalog (GC) check boxes are
selected.
18. Under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in both text
boxes and then click Next.
23. On the Prerequisites Check window, confirm that there are no issues, and then click Install.
2. When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If
it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local
Area Connection and then click Disable. Right-click Local Area Connection and then click Enable.
The Local Area Connection should now show Adatum.com.
3. In Server Manager, from the Tools menu, click Active Directory Domains and Trusts.
4. In the Active Directory Domains and Trusts console, expand Adatum.com, right-click
na.adatum.com and then click Properties.
6. In the Domain trusted by this domain (outgoing trusts) box, click Adatum.com, and then click
Properties.
7. In the Adatum.com Properties window, click Validate and select Yes, validate the incoming trust.
8. In the User name text box, type administrator, and in the Password text box, type Pa$$w0rd, and
then click OK.
9. A message will display: The trust has been validated. It is in place and active.
Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC)
verification has failed, ensure that you have completed step 2 and then wait for at least 10-15 minutes.
You can continue with the lab and come back later to verify this step.
Results: After completing this exercise, you will have implemented child domains in AD DS.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L8-63
2. In the DNS tree pane, expand LON-DC1, right-click Forward Lookup Zones, and then click New
Zone.
4. On the Zone Type window, click Stub zone, and then click Next.
5. On the Active Directory Zone Replication Scope window, click To all DNS servers running on
domain controllers in this forest: adatum.com, and then click Next.
6. In the Zone name: text box, type treyresearch.net, and then click Next.
7. On the Master DNS Servers window, click <Click here to add an IP Address or DNS Name>, type
172.16.10.10, click on the free space, and then click Next.
8. On the Completing the New Zone Wizard window, click Next and then Finish.
9. Select and then right-click the new stub zone treyresearch.net and then click Transfer from Master.
11. Confirm that the treyresearch.net stub zone has some records.
13. In Server Manager, click the Tools menu, and from the drop-down menu, click DNS.
14. In the tree pane, expand MUN-DC1, select and then right-click Forward Lookup Zones, and then
click New Zone.
16. On the Zone Type window, click Stub zone, and then click Next.
17. In the Active Directory Zone Replication Scope window, select To all DNS servers running on
domain controllers in this forest: Treyresearch.net and then click Next.
18. In the Zone name: text box, type adatum.com, and then click Next.
19. In the Master DNS Servers window, click <Click here to add an IP Address or DNS Name>, type
172.16.0.10, click on the free space, and then click Next.
20. In the Completing the New Zone Wizard window, click Next and then click Finish.
21. Select and then right-click the new stub zone adatum.com, and then click Transfer from Master.
23. Confirm that the adatum.com stub zone has some records.
2. In the Active Directory Domains and Trusts management console window, right-click Adatum.com,
and then click Properties.
3. In the Adatum.com Properties window, click the Trusts tab, and then click New Trust.
MCT USE ONLY. STUDENT USE PROHIBITED
L8-64 Module 8: Implementing Distributed Active Directory Domain Services Deployments
5. In the Name text box, type treyresearch.net and then click Next.
6. In the Trust Type window, select Forest trust and click Next.
7. In the Direction of Trust window, select One-way: outgoing, and then click Next.
8. In the Sides of Trust window, select Both this domain and the specified domain and then click
Next.
9. In the User Name and Password window type Administrator as the user name and Pa$$w0rd as the
password in the appropriate boxes, and then click Next.
10. In the Outgoing Trust Authentication Level-Local Forest window, select Selective authentication,
and then click Next.
16. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), select
treyresearch.net and click Properties.
18. Review the message that appears: The trust has been validated. It is in place and active.
2. In the Active Directory Users and Computers console, from the View menu, click Advanced Features.
6. On the Select Users, Computers, Service Accounts, or Groups window, click Locations.
8. In the Enter the object name to select (examples:) text box, type treyresearch\it, and then click
Check Names. When prompted for credentials, type treyresearch\administrator with the password
of Pa$$w0rd. Click OK.
9. On the Select Users, Computers, Service Accounts, or Groups window, click OK.
10. In the LON-SVR1 Properties window, ensure that treyresearch\it is highlighted, and select the Allow
checkbox that is in line with Allowed to authenticate.
15. Right-click in the details pane, click New, and then click Folder.
16. In the Name text box, type IT-Data, and then press Enter.
18. In the IT-Data Properties window, click the Security tab, and then click Edit.
21. In the Permissions for IT-Data window, select treyresearch\it, click the Allow that is opposite the
Modify permission and then click OK.
22. Click the Sharing tab, select Advanced Sharing, and then click Share this folder.
23. Click Permissions, confirming that Everyone is highlighted, and then click Full Control.
27. Hover your pointer in the lower-right corner of the desktop, and when the sidebar displays, click
Search.
28. In the Search text box, type \\LON-SVR1\IT-Data. The folder will open.
Results: After completing this exercise, you will have implemented forest trusts.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. On the Select installation type page, confirm that Role-based or feature-based installation is
selected, and then click Next.
4. On the Select destination server page, ensure that Select a server from the server pool is
selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Domain Services.
6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features. Click Next.
9. On the Confirm installation selections page, click Install. (This may take a few minutes to
complete.)
10. When the AD DS binaries have installed, click the blue Promote this server to a domain controller
link.
11. In the Deployment Configuration window, click Add a domain controller to an existing domain.
Click Next.
12. In the Domain Controller Options window, ensure that both the Domain Name system (DNS)
server and Global Catalog (GC) check boxes are selected.
13. Confirm that Site name: is set to Default-First-Site-Name, and then under Type the Directory
Services Restore Mode (DSRM) password, type Pa$$w0rd in both the Password and Confirm
password boxes. Click Next.
14. On the DNS Options page, click Next.
18. On the Prerequisites Check window, confirm that there are no issues, and then click Install. The server
will automatically restart.
19. After TOR-DC1 restarts, log on as Adatum\Administrator with the password Pa$$w0rd.
MCT USE ONLY. STUDENT USE PROHIBITED
L9-68 Module 9: Implementing Active Directory Domain Services Sites and Replication
2. In Server Manager, click Tools, and then click Active Directory Sites and Services.
3. In the Active Directory Sites and Services console, in the navigation pane, expand Sites.
6. Expand LondonHQ. expand the Servers folder, and then verify that both LON-DC1 and TOR-DC1
belong to the LondonHQ site.
3. In the New Object Subnet dialog box, under Prefix, type 172.16.0.0/24.
4. Under Select a site object for this prefix, select LondonHQ, and then click OK.
Results: After completing this exercise, you will have reconfigured the default site and assigned IP address
subnets to the site.
2. In the New Object Site dialog box, next to Name, type Toronto.
3. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK.
4. In the Active Directory Domain Services dialog box, click OK. The Toronto site displays in the
navigation pane.
5. In the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then
click New Site.
6. In the New Object Site dialog box, next to Name, type TestSite.
7. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK. The
TestSite site displays in the navigation pane.
3. In the New Object Subnet dialog box, under Prefix, type 172.16.1.0/24.
4. Under Select a site object for this prefix, select Toronto, and then click OK.
6. In the New Object Subnet dialog box, under Prefix, type 172.16.100.0/24.
7. Under Select a site object for this prefix, select TestSite, and then click OK.
8. In the navigation pane, click the Subnets folder. Verify the three subnets were created and associated
with their appropriate site as displayed in the details pane.
Results: After this exercise, you will have created two additional sites representing the IP subnet addresses
located in Toronto.
3. In the New Object Site Link dialog box, next to Name, type TOR-TEST.
4. Under Sites not in this site link, select Toronto, select TestSite, click Add, and then click OK.
7. In the Schedule for TOR-TEST dialog box, highlight the range from Monday 9am to Friday 3pm.
13. Under Sites in this link, click TestSite, and then click Remove.
14. Next to Replicate Every, change the value to 60 minutes, and then click OK.
3. In the Move Server dialog box, click Toronto, and then click OK.
4. In the navigation pane, expand the Toronto site, expand Servers, and then click TOR-DC1.
2. At the command prompt, type the following, and then press Enter:
Repadmin /kcc
This command recalculates the inbound replication topology for the server.
MCT USE ONLY. STUDENT USE PROHIBITED
L9-70 Module 9: Implementing Active Directory Domain Services Sites and Replication
3. At the command prompt, type the following, and then press Enter:
Repadmin /showrepl
4. At the command prompt, type the following, and then press Enter:
Repadmin /bridgeheads
This command displays the bridgehead servers for the site topology.
5. At the command prompt, type the following, and then press Enter:
Repadmin /replsummary
This command displays a summary of replication tasks. Verify that no errors appear.
6. At the command prompt, type the following, and then press Enter:
DCDiag /test:replications
Results: After this exercise, you will have configured site links and monitored replication.
6. On the Select server roles page, select Active Directory Certificate Services. When Add Roles and
Features Wizard window displays, click Add Features, and then click Next.
9. On the Select role services page, ensure that Certification Authority is selected, and then click
Next.
11. On the Installation progress page, after installation completes successfully, click the text Configure
Active Directory Certificate Services on the destination server.
13. On the Role Services page, select Certification Authority. Click Next.
14. On the Setup Type page, select Standalone CA, and then click Next.
15. On the CA Type page, ensure that Root CA is selected, and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
17. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider
(CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.
18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click
Next.
2. In the certsrv [Certification Authority (Local)] console, right-click AdatumRootCA, and then click
Properties.
4. In the Extensions tab, in the Select extension: drop-down list, select CRL Distribution Point (CDP)
and then click the Add button.
6. In the Variable drop-down list box, click <CRLNameSuffix>, and then click Insert. In the Variable
drop-down list box, click <DeltaCRLAllowed>, and then click Insert.
7. In the Location text box, position the cursor at the end of URL, type .crl, and then click OK.
8. Select options: Include in the CDP extensions of issued certificates and Include in CRLs. Clients
use this to find Delta CRL locations. Click Apply. In the Certification Authority pop-up window,
click No.
9. In the Select extension: drop-down list box, click Authority Information Access (AIA), and then
click Add.
11. In the Location text box, type an underscore (_), in the Variable drop-down list box, click
<CaName>, and then click Insert.
12. In the Variable drop-down list box, click <CertificateName>, and then click Insert.
13. In the Location text box, position the cursor at the end of URL, type .crt, and then click OK.
14. Select the Include in the AIA extension of issued certificates check box, and then click OK.
16. In the Certification Authority console, expand AdatumRootCA, right-click Revoked Certificates,
point to All Tasks, and then click Publish.
23. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
24. On the File to Export page, click Browse. In the File name text box, type \\lon-svr1\C$, and then
press Enter.
25. In the File name text box, type RootCA, click Save, and then click Next.
28. In the Cert Enroll folder, select both files, right-click the highlighted files, and then click Copy.
29. In the Windows Explorer address bar, type \\lon-svr1\C$, and then press Enter.
Results: After completing this exercise, you will have installed and configured a standalone root CA.
6. On the Select server roles page, select Active Directory Certificate Services.
7. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
10. On the Select role services page, ensure that Certification Authority is selected already, and select
Certificate Authority Web Enrollment.
11. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
13. On the Installation progress page, after installation is successful, click the text Configure Active
Directory Certificate Services on the destination server.
15. On the Role Services page, select both Certification Authority and Certification Authority Web
Enrollment, and then click Next.
16. On the Setup Type page, select Enterprise CA, and then click Next.
17. On the CA Type page, click Subordinate CA, and then click Next.
18. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
19. On the Cryptography for CA page, keep the default selections, and then click Next.
20. On the CA Name page, in the Common name for this CA text box, type Adatum-IssuingCA,, and
then click Next.
21. On the Certificate Request page, ensure that Save a certificate request to file on the target
machine is selected, and then click Next.
3. In the Certificate Import Wizard, click Local Machine, and then click Next.
4. On the Certificate Store page, click Place all certificates in the following store, and then click
Browse.
8. Double-click inetpub.
9. Double-click wwwroot.
13. Right-click the file LON-SVR1.Adatum.com_Adatum- IssuingCA.req, and then click Copy.
14. In the Windows Explorer address bar, type \\LON-CA1\C$, and then press Enter.
15. In the Windows Explorer window, right-click an empty space, and then click Paste. Make sure that
request file is copied to LON-CA1.
18. In the Open Request File window, navigate to Local Disk (C:), select file
LON-SVR1.Adatum.com_Adatum- IssuingCA.req, and then click Open.
19. In the Certification Authority console, click the Pending Requests container. Right click Pending
Requests item and click Refresh.
20. In the right pane, right-click the request (with ID 2), point to All Tasks, and then click Issue.
22. In the right pane, double-click the certificate, and then click the Details tab.
25. On the Export File Format page, select Cryptographic Message Syntax Standard PKCS #7
Certificates (.P7B), select Include all certificates in the certification path if possible and then
click Next.
27. In the File name text box, type \\lon-svr1\C$, and then press Enter.
28. In the File name text box, type SubCA, click Save, and then click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Service L10-75
31. In Server Manager, click Tools, and then click Certification Authority.
32. In the Certification Authority console, right-click Adatum-IssuingCA, point to All Tasks, and then
click Install CA Certificate.
33. Navigate to Local Disk (C:), click the SubCA.p7b file, and then click Open.
34. Wait for 15-20 seconds, and then on the toolbar, click the green icon to start the CA service.
2. In the Group Policy Management Console, expand Forest:Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
3. In the Computer Configuration node, expand Policies, expand Windows Settings, expand
Security Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities,
and then click Import.
4. Click Next.
6. In the file name text field, type \\lon-svr1\C$, and then press Enter.
9. Click OK.
Results: After completing this exercise, you will have deployed and configured an enterprise subordinate
CA
2. In the Certificate Templates Console, locate the Web Server template in the list, right-click it, and
then select Duplicate Template.
4. In the Template display name field, type Adatum Web Server, and set the Validity period to 3
years
5. Click the Request Handling tab, select Allow private key to be exported, and then click OK.
MCT USE ONLY. STUDENT USE PROHIBITED
L10-76 Module 10: Implementing Active Directory Certificate Services
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates Console, right-click the User certificate template, and then click
Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and in the Template display
name text box, type Adatum Smart Card User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail
name check boxes.
4. On the Extensions tab, click Application Policies, and then click Edit.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select
the Allow check box for Read, Enroll and Autoenroll, and then click OK.
2. In the Enable Certificate Templates window, select Adatum Smart Card User and Adatum Web
Server, and then click OK.
Task 4: Update the Web server certificate on the LON-SVR2 Web Server
1. Log on to LON-SVR2 as Adatum\Administrator with the password of Pa$$w0rd.
2. Open Windows PowerShell window from taskbar and type gpupdate /force and press Enter. If
prompted to do so, restart the server, and logon with same credentials as in step 1.
3. From Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
4. In the IIS console, click LON-SVR2, click No at the Internet Information Services (IIS) Manager
prompt, and then in the central pane, double-click Server Certificates.
6. On the Distinguished Name Properties page, complete the following fields, and then click Next::
o Common name: lon-svr2.adatum.com
o Organization: Adatum
o Organizational Unit: IT
o City/locality: Seattle
o State/province: WA
o Country/region: US
9. In the friendly name text box, type lon-svr2, and then click Finish.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Service L10-77
10. Ensure that the certificate displays in the Server Certificates console.
11. In the IIS console, expand LON-SVR2, expand Sites, and then click Default Web Site.
15. In the SSL certificate drop-down list box, click lon-svr2, click OK, and then click Close.
Results: After completing this exercise, you will have created and published new certificate templates.
3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings,
and then click to highlight Public Key Policies.
9. In the right pane, double-click the Certificate Services Client Certificate Enrollment Policy
object.
10. On the Enrollment Policy tab, set the Configuration Model to Enabled, and ensure that the
certificate enrollment policy list displays the Active Directory Enrollment Policy (it should have a
checkmark next to it, and a status of Enabled).
12. Close both the Group Policy Management Editor and the Group Policy Management console.
3. After the policy is refreshed, type mmc.exe, and then press Enter.
4. In Console1, click File, and then in the File menu, click Add/Remove Snap-in.
7. Expand Certificates Current User, expand Personal, and then click Certificates.
MCT USE ONLY. STUDENT USE PROHIBITED
L10-78 Module 10: Implementing Active Directory Certificate Services
8. Verify that certificate based on Adatum Smart Card User template is issued for administrator.
9. Close Console1.
2. In the certsrv console, expand Adatum-IssuingCA, right-click Certificate Templates, and then click
Manage.
5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names,
and then click OK.
6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions, and then click
OK.
7. Close the Certificate Templates Console.
8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.
10. Switch to LON-CL1, and log on as Adatum\Allie with the password Pa$$w0rd.
11. Open a command prompt window, and at a command prompt, type mmc.exe, and then press Enter.
14. Click OK
15. Expand Certificates Current User, expand Personal, click Certificates, right-click Certificates,
point to All Tasks, and then click Request New Certificate.
16. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
18. On the Request Certificates page, select Enrollment Agent, and then click Enroll.
21. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
30. In the Certificate Templates section, click <All>, and then click Remove.
32. In the Select User, Computer or Group field, type Marketing, click Check Names, and then click
OK.
33. In the Permission section, click Everyone, and then click Remove.
34. Click OK.
Results: After completing this exercise, you will have configured and verified autoenrollment for users,
and configured an enrollment agent for smart cards.
2. In the Revoked Certificates Properties window, set the CRL publication interval to 1 Day and the
Delta CRL publication interval to 1 hour, and then click OK.
4. On the Select server roles page, expand Active Directory Certificate Services (Installed), and then
select Online Responder.
5. Click Add Features.
7. When the message displays that installation succeeded, click Configure Active Directory Certificate
Services on the destination server.
12. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
13. In the Adatum-IssuingCA Properties dialog box, on the Extensions tab, in the Select extension
list, click Authority Information Access (AIA), and then click Add.
14. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK.
MCT USE ONLY. STUDENT USE PROHIBITED
L10-80 Module 10: Implementing Active Directory Certificate Services
15. Select the Include in the AIA extension of issued certificates check box.
16. Select the Include in the online certificate status protocol (OCSP) extension check box, and then
click OK.
18. In the certsrv console, expand Adatum-IssuingCA, right-click the Certificate Templates folder, and
then click Manage.
19. In the Certificate Templates console, double-click the OCSP Response Signing template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab, under Permissions for
Authenticated Users, select the Allow for Enroll check box, and then click OK.
22. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and
then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and
then click OK.
24. On LON-SVR1, in Server Manager, click Tools, and then click Online Responder Management.
25. In the ocsp Management console, right-click Revocation Configuration, and then click Add
Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name box, type AdatumCA Online
Responder, and then click Next.
29. On the Choose CA Certificate page, click Browse, click the Adatum-IssuingCA certificate, click OK,
and then click Next.
30. On the Select Signing Certificate page, verify that Automatically select a signing certificate is
selected, and Auto-Enroll for an OCSP signing certificate are both selected, and then click Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status will appear as
Working.
Results: After completing this exercise, you will have configured certificate revocation settings.
2. In the Certification Authority console, expand the Adatum-IssuingCA node, right-click the
Certificates Templates folder, and then click Manage.
3. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.
4. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab.
6. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that
have the Enroll permission, and then click OK.
8. In the Certification Authority console, right-click Certificate Templates, point to New, and then click
Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then
click OK.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
10. Refresh the console, and view the KRA in the personal store; that is, scroll across the certificate
properties and verify that the Certificate Template Key Recovery Agent is present.
2. In the Adatum-IssuingCA Properties dialog box, click the Recovery Agents tab, and then select
Archive the key.
4. In the Key Recovery Agent Selection dialog box, click the certificate that is for Key Recovery Agent
purpose (it will most likely be last on the list), and then click OK twice.
2. In the Certificate Templates console, right-click the User certificate, and then click Duplicate
Template.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Archive User.
MCT USE ONLY. STUDENT USE PROHIBITED
L10-82 Module 10: Implementing Active Directory Certificate Services
4. On the Request Handling tab, select the Archive subject's encryption private key check box. Click
OK on the popup window.
5. Click the Subject Name tab, clear the E-mail name and Include e-mail name in subject name
check boxes, and then click OK.
7. In the Certification Authority console, right-click the Certificates Templates folder, point to New,
and then click Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, select the Archive User template, and then click
OK.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add. Click OK.
5. Expand the Certificates - Current User node, right click Personal, click All Tasks, and then click
Request New Certificate.
6. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
7. Click Next.
8. On the Request Certificate page, select the Archive User check box, click Enroll, and then click
Finish.
9. Refresh the console, and view that a certificate is issued to Aidan, based on the Archive User
certificate template.
10. Simulate the loss of a private key by deleting the certificate. In the central pane, right-click the
certificate that you just enrolled, select Delete, and then click Yes to confirm.
12. Open the Certification Authority console, expand Adatum-IssuingCA, and then click Issued
Certificates store.
13. In the details pane, double-click a certificate with Requestor Name Adatum\Aidan, and Certificate
Template name of Archive User.
14. Click the Details tab, copy the Serial Number, and then click OK. (You may either copy the number
to Notepad (select it and press CTRL+C), or write it down on paper.)
16. In the command prompt window that appears, type the following command (where <serial number>
is the serial number that you copied), and then press Enter:
Note: If you paste the serial number from Notepad, remove spaces between numbers.
17. Verify that outputblob file now displays in the C:\Users\Administrator.Adatum folder.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Service L10-83
18. To convert the outputblob file into a .pfx file, in the command prompt window, type the following
command, and press Enter:
19. When prompted, type Pa$$w0rd as the new password, and then confirm the password.
20. After the command executes, close the Windows PowerShell window.
21. Browse to C:\Users\Administrator.ADATUM, and then verify that aidan.pfxthe recovered keyis
created.
23. Switch to LON-CL1, and ensure that you are still logged on as Aidan.
24. Browse to drive C and double-click the aidan.pfx file.
25. On the Welcome to the Certificate Import Wizard page, click Next.
28. On the certificate store page, click Next, click Finish, and then click Ok.
29. Expand the Certificates - Current User node, expand Personal, and then click Certificates.
30. Refresh the console, and verify that the certificate for Aidan is restored.
Results: After completing this exercise, you will have implemented key archival, and tested private key
recovery.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
2. In Server Manager, click Tools, and then click Active Directory Administrative Center.
3. Select and then right-click Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit dialog box, in the Name field, type Service Accounts, and then
click OK.
5. Right-click the Service Accounts OU, click New, and then click User.
6. On the Create User dialog box, enter the following details, and then click OK:
o Password: Pa$$w0rd
o Password never expires: Enabled
7. Right-click the Users container, click New, and then click Group.
8. In the Create Group dialog box, enter the following details, and then click OK:
o E-mail: ADRMS_SuperUsers@adatum.com
9. Right-click the Users container, click New, and then click Group.
10. In the Create Group dialog box, enter the following details, and then click OK.
o E-mail: executives@adatum.com
12. Hold down the Ctrl key, and click the following users:
o Aidan Delaney
o Bill Malone
18. Select and then right-click Adatum.com, and click New Host (A or AAAA).
19. In the New Host dialog box, enter the following information, and then click Add Host:
o Name: adrms
o IP address: 172.16.0.21
20. Click OK, and then click Done, and close the DNS Manager console.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next three times.
4. On the Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles and Features dialog box, click Add Features, and then click Next four times.
8. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1, click
More.
9. On the All Servers Task Details page, click Perform Additional Configuration.
11. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.
12. On the Configuration Database page, click Use Windows Internal Database on this server, and
then click Next.
14. In the Windows Security dialog box, enter the following details, click OK, and then click Next:
o Username: ADRMSSVC
o Password: Pa$$w0rd
15. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.
16. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then
click Next.
17. On the Cluster Key Password page, enter the password Pa$$w0rd twice, and then click Next.
18. On the Cluster Web Site page, verify that Default Web Site is selected, and then click Next.
19. On the Cluster Address page, provide the following information, and then click Next:
o Port: 80
20. On the Licensor Certificate page, type Adatum AD RMS, and then click Next.
21. On the SCP Registration page, click Register the SCP now, and then click Next.
Note: You must sign out before you can manage AD RMS.
2. In Server Manager, click Tools, and then click Active Directory Rights Management Services.
3. In the Active Directory Rights Management Services console, expand the LON-SVR1 node, and then
click Security Policies.
4. In the Security Policies area, under Super Users, click Change super user settings.
7. In the Super Users dialog box, in the Super user group text box, type
ADRMS_Superusers@adatum.com, and then click OK.
Results: After completing this exercise, you should have installed and configured AD RMS.
2. In the Active Directory Rights Management Services console, click the LON-SVR1\Rights Policy
Templates node.
3. In the Actions pane, click Create Distributed Rights Policy Template.
4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification
information page, click Add.
5. On the Add New Template Identification Information page, enter the following information, and
then click Add:
o Name: ReadOnly
6. Click Next.
8. On the Add User or Group page enter executives@adatum.com, and then click OK.
9. When executives@adatum.com is selected, under Rights, click View. Verify that Grant owner
(author) full control right with no expiration is selected, and then click Next.
10. On the Specify Expiration Policy page, choose the following settings and then click Next:
11. On the Specify Extended Policy page, click Require a new use license every time content is
consumed (disable client-side caching), click Next, and then click Finish.
MCT USE ONLY. STUDENT USE PROHIBITED
L11-88 Module 11: Implementing Active Directory Rights Management Services
2. In the Windows PowerShell window, issue the following commands, each followed by Enter:
Cmd.exe
mkdir c:\rmstemplates
net share RMSTEMPLATES=C:\rmstemplates /GRANT:ADATUM\ADRMSSVC,FULL
mkdir c:\docshare
net share docshare=c:\docshare /GRANT:Everyone,FULL
5. Click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click
Change distributed rights policy templates file location.
2. Click the Exclusion Policies node, and then click Manage application exclusion list.
3. In the Actions pane, click Enable Application Exclusion.
5. In the Exclude Application dialog box, enter the following information, and then click Finish:
o Application File name: Powerpnt.exe
Results: After completing this exercise, you should have configured AD RMS templates.
2. In the Windows PowerShell window, issue the following commands, and then press Enter:
Cmd.exe
mkdir c:\export
net share export=c:\export /GRANT:Everyone,FULL
4. In the Active Directory Rights Management Services console, expand the Trust Policies node, and
then click the Trusted User Domains node.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L11-89
6. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file
name to ADATUM-TUD.bin, and then click Save.
8. In Server Manager, click Tools, and then click Active Directory Rights Management.
9. In the Active Directory Rights Management Services console, expand MUN-DC1, expand the Trust
Policies node, and then click the Trusted User Domains node.
10. In the Actions pane, click Export Trusted User Domains.
11. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file
name to TREYRESEARCH-TUD.bin, and then click Save.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the
Trusted Publishing Domains node.
3. In the Actions pane, click Export Trusted Publishing Domains.
4. In the Export Trusted Publishing Domain dialog box, click Save As.
5. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set
the file name to ADATUM-TPD.xml, and then click Save.
6. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and
then click Finish.
7. Switch to MUN-DC1.
8. In the Active Directory Rights Management Services console, under the Trust Policies node, click the
Trusted Publishing Domains node.
10. In the Export Trusted Publishing Domain dialog box, click Save As.
11. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set
the file name to TREYRESEARCH-TPD.xml, and then click Save.
12. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and
then click Finish.
Task 3: Import the Trusted User Domain policy from the partner domain
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the
Trusted User Domains node.
4. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
5. Switch to MUN-DC1.
MCT USE ONLY. STUDENT USE PROHIBITED
L11-90 Module 11: Implementing Active Directory Rights Management Services
6. In the Active Directory Rights Management Services console, under the Trust Policies node, click the
Trusted User Domains node.
8. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
Task 4: Import the Trusted Publishing Domains policy from the partner domain
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust policies node, click the
Trusted Publishing Domains node.
4. In the Import Trusted Publishing Domain dialog box, enter the following information, and then
click Finish:
o Password: Pa$$w0rd
o Display Name: Trey Research
5. Switch to MUN-DC1.
6. In the Active Directory Rights Management Services console, under the Trust policies node, click the
Trusted Publishing Domains node.
8. In the Import Trusted Publishing Domain dialog box, provide the following information, and then
click Finish:
o Password: Pa$$w0rd
2. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
3. In Internet Information Services (IIS) Manager, expand LON-SVR1\Sites\Default Web Site\_wmcs.
6. Double-click Authentication, click Anonymous Authentication, and in the Actions pane, click
Enable.
9. Double-click Authentication, click Anonymous Authentication, and in the Actions pane, click
Enable.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L11-91
Results: After completing this exercise, you should have implemented the AD RMS trust policies.
2. On the Start screen, type Word. In the Results area, click Microsoft Word 2010.
4. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click
OK.
6. Click File, click Protect Document, click Restrict Permission by People, and then click Manage
Credentials.
o Password: Pa$$w0rd
10. In the Permission dialog box, enable Restrict Permission to this document.
11. In the Read text box, type bill@adatum.com, and then click OK.
12. Click Save.
13. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as Executives
Only.docx.
14. Click to the Start screen, click the Aidan Delaney icon, and then click Sign out.
8. In the Windows Security dialog box, enter the following credentials, select Remember my
credentials, and then click OK.
o Username: Bill
MCT USE ONLY. STUDENT USE PROHIBITED
L11-92 Module 11: Implementing Active Directory Rights Management Services
o Password: Pa$$w0rd
9. In the Select User dialog box, ensure that bill@adatum.com is selected, and then click OK.
11. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click
OK.
12. When the document opens, verify that you are unable to modify or save the document.
14. Right-click the text, and verify that you cannot make changes.
15. Click View Permission, review the permissions, and then click OK.
16. Click to the Start screen, click the Bill Malone icon, and then click Sign out.
7. Click to the Start screen, click the Carol Troup icon, and then click Sign out.
Task 4: Open and edit the rights-protected document as an authorized user at Trey
Research.
1. Log on to LON-CL1 as Adatum\Aidan using the password Pa$$w0rd.
2. On the Start screen, type Word. In the Results area, click Microsoft Word 2010.
4. Click File, click Protect Document, click Restrict Permission by People, and then click Manage
Credentials.
5. In the Select User dialog box, click OK.
7. In the Read text box, enter april@treyresearch.net, click OK, and then click Save.
8. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as
TreyResearch-Confidential.docx.
9. Click to the Start screen, click the Aidan Delaney icon, and then click Sign Out.
14. In the Windows Security dialog box, enter the following credentials, and then click OK:
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L11-93
o Username: Adatum\Administrator
o Password: Pa$$w0rd
19. In the Windows Security dialog box, enter the following credentials, select Remember my
credentials, and then click OK:
o Username: April
o Password: Pa$$w0rd
20. In the Select User dialog box, ensure that april@treyresearch.com is selected, and then click OK.
21. In the Microsoft Office dialog box, click OK.
22. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click
OK.
23. When the document opens, verify that you are unable to modify or save the document.
25. Right-click the text, and verify that you cannot make changes.
26. Click View Permission, review the permissions, and then click OK.
Results: After completing this exercise, you should have verified that the AD RMS deployment is
successful.
5. Click in the IP address column, and type 172.16.10.10. Press Enter, and then click OK.
4. In the left pane, click Documents, and then paste the file into the Documents folder.
5. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
6. In the Console1 window, click File, and then click Add/Remove Snap-in.
7. Click Group Policy Management Editor, and then click Add.
11. Double-click Default Domain Policy. In the console tree, expand Computer Configuration >
Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root
Certification Authorities.
12. Right-click Trusted Root Certification Authorities, and then click Import.
13. On the Welcome to the Certificate Import Wizard page, click Next.
14. On the File to Import page, click Browse.
MCT USE ONLY. STUDENT USE PROHIBITED
L12-96 Module 12: Implementing Active Directory Federation Services
15. In the Open window, click MUN-DC1.TreyResearch.net_TreyResearchCA.crt, click Open, and then
click Next.
16. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
17. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
18. Close the Group Policy Management Editor without saving changes.
22. In the left pane, click Documents, and paste the file into the Documents folder.
23. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
24. In the Console1 window, click File, and then click Add/Remove Snap-in.
27. Verify that Local computer is selected, click Finish, and then click OK.
28. Expand Certificates, and then click Trusted Root Certification Authorities.
29. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.
30. On the Welcome to the Certificate Import Wizard page, click Next.
33. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
2. In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message that
displays.
o Organization: A. Datum
o Organization unit: IT
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L12-97
o City/locality: London
o State/province: England
o Country/region: GB
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select
to search for a certification authority (CA) server in the domain.
7. Select Adatum-LON-DC1-CA, and then click OK.
Task 4: Bind the certificate to the claims-aware application on the web server, and
verify application access
1. On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site,
and then in the Actions pane, click Bindings.
3. In the Add Site Binding dialog box, under Type, select https, and under Port, verify that 443 is
selected. In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.
4. Click Close, and then close Internet Information Services (IIS) Manager.
6. Connect to https://lon-svr1.adatum.com/adatumtestapp.
7. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.
8. Close Internet Explorer.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
5. On the Select server roles page, select the Active Directory Federation Services check box, click
Add Features, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
2. In the Overview pane, click the AD FS Federation Server Configuration Wizard link.
3. On the Welcome page, ensure that Create a new Federation Service is selected, and then click
Next.
4. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and
then click Next.
5. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is LON-
DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com,
and then click Next.
6. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and
then click Next.
7. Wait for the configuration to finish, and then click Close.
5. Click Sites, and clear the Automatically detect intranet network check box.
6. Click Advanced, and in the Add this website to the zone box, type
https://lon-dc1.adatum.com, and then click Add.
8. Click OK twice.
9. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06
/federationmetadata.xml.
10. Verify that the xml file opens successfully, and scroll through its contents.
Results: In this exercise, you installed and configured the AD FS server role, and verified a successful
installation by viewing the Federation Meta Data .xml contents.
2. At the prompt, type set-ADFSProperties AutoCertificateRollover $False, and then press Enter.
This step is required so that you can modify the certificates that AD FS uses.
5. In the AD FS console, in the left pane, expand Service, and then click Certificates.
7. In the Select a token signing certificate dialog box, click the first certificate with the name LON-
DC1.Adatum.com, and then click Click here to view certificate properties.
8. Verify that the certificate purposes includes Proves your identity to a remote computer and
Ensures the identity of a remote computer, and click OK. The certificate may also have other
purposes, but these two are required. If the certificate does not have the intended purposes, view the
properties of the other certificates until you find one with the intended purposes. Click OK.
10. Right-click the newly-added certificate, and then click Set as Primary. Review the warning message,
and then click Yes.
11. Select the certificate that has just been superseded, right-click the certificate, and then click Delete.
Click Yes to confirm the deletion.
2. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
3. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
4. In the Add Transform Claim Rule Wizard, in the Select Rule Template page, under Claim rule
template, select Send LDAP Attributes as Claims, and then click Next.
5. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
o E-Mail-Addresses = E-Mail Address
o User-Principal-Name = UPN
o Display-Name = Name
Task 3: Configure the claims application to trust incoming claims by running the
Windows Identity Foundation Federation Utility
1. On LON-SVR1, click to the Start screen, and then click Windows Identity Foundation Federation
Utility.
MCT USE ONLY. STUDENT USE PROHIBITED
L12-100 Module 12: Implementing Active Directory Federation Services
2. On the Welcome to the Federation Utility wizard page, in Application configuration location,
type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of
the Windows Identity Foundation sample application.
4. On the Security Token Service page, select Use an existing STS, type
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS
WS-Federation metadata document location, and then click Next to continue.
5. On the Security token encryption page, select No encryption, and then click Next.
6. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
7. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility wizard, scroll through the items to understand what each item is doing, and then
click Finish.
8. Click OK.
3. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.
5. Click Next to continue. This action prompts the wizard to check for the Metadata of the application
that the web server role hosts.
6. On the Specify Display Name page, in the Display name box, type ADatum Test App, and then
click Next.
7. On the Choose Issuance Authorization Rules page, ensure that the Permit all users to access this
relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.
2. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, under Claim rule
template, select Pass Through or Filter an Incoming Claim, and then click Next. This action passes
an incoming claim through to the user by means of Integrated Windows authentication.
3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name
rule. In the Incoming claim type drop-down list, select Windows account name, and then click
Finish.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L12-101
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule, in the
Incoming claim type drop-down list, select E-mail Address, and then click Finish.
8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule, in the Incoming
claim type drop-down list, select UPN, and then click Finish.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule, in the Incoming
claim type drop-down list, select Name, and then click Finish.
Note: Ensure that you type the trailing forward slash (/).
3. If you are prompted for credentials, type Adatum\Brad with password Pa$$w0rd, and then press
Enter. The page renders, and you see the claims that were processed to allow access to the web site.
Results: In this exercise, you configured a Token signing certificate and configured a claims provider trust
for Adatum.com. You also should have configured the sample application to trust incoming claims, and
configured a relying party trust and associated claim rules. You also tested access to the sample Windows
Identity Foundation application in a single organization scenario.
2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
5. On the Select Data Source page, select Import data about the claims provider published online
or on a local network, type https://mun-dc1.treyresearch.net, and then click Next.
7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to
save the configuration.
9. In the Edit Claim Rules for mun-dc1.treyresearch.net properties dialog box, on the Acceptance
Transform Rules tab, click Add Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click
Next.
11. In the Claim rule name text box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish. Click Yes.
16. At the command prompt, type the following command, and then press Enter:
Task 2: Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware
application
1. On the MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS console, on the Overview page, click Required: Add a trusted relying party.
3. On the Welcome page, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, type https://lon-dc1.adatum.com, and then click Next.
5. On the Specify Display Name page, in the Display name text box, type Adatum TestApp, and then
click Next.
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.
7. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save
the configuration.
8. On the Finish page, click Close. The Edit Claim Rules for Adatum TestApp window opens.
9. In the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click Add
Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming claim, and then click
Next.
11. In the Claim rule name box, type Pass through Windows account name rule, in the Incoming
Claim type drop-down list, select Windows account name.
12. Select Pass through all claim values, and then click Finish.
Task 3: Verify access to the A. Datum test application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and connect to
https://lon-svr1.adatum.com/adatumtestapp/.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L12-103
Note: The logon process has changed, and you must now select an authority that can
authorize and validate the access request. The Home Realm Discovery page (the Sign In page)
appears and you must select an authority.
2. On the Sign In page, select mun-dc1.treyresearch.net, and then click Continue to Sign in.
3. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then
press Enter. You should be able to access the application.
6. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
7. Close Internet Explorer.
Note: You are not prompted for a home realm again. Once users have selected a home
realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the
relying party federation server. The default lifetime for the cookie is 30 days. Therefore, to log on
multiple times, you should delete that cookie after each logon attempt to return to a clean state.
Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a specific group
1. On MUN-DC1, open the AD FS console, expand Trust Relationships, and then click Relying Party
Trusts.
2. Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.
3. On the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click
Add Rule.
4. On the Select Rule Template page, under Claim rule template, select Send Group Membership as
a Claim, and then click Next.
5. On the Configure Rule page, in the Claim rule name field, type Permit Production Group Rule.
6. Next to Users Group, click Browse, type Production, and then click OK.
8. Under Outgoing claim value, type Production, and then click Finish. Click OK.
11. Select mun-dc1.treyresearch.net, and in the Actions pane, click Edit Claim Rules.
13. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.
15. In the Incoming claim type drop-down list, click Group, and then click Finish. Click Yes, and then
click OK.
16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.
MCT USE ONLY. STUDENT USE PROHIBITED
L12-104 Module 12: Implementing Active Directory Federation Services
17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.
19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.
20. Under Claim rule name, type Send TreyResearch Group Name Rule.
21. In the Incoming claim type drop-down list, click Group, and then click Finish.
22. On the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab,
select the rule named Permit Access to All Users, and then click Remove Rule. Click Yes to confirm.
With no rules, no users are permitted access.
24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
25. On the Configure Rule page, in Claim rule name, type Permit TreyResearch Production Group
Rule, in the Incoming claim type drop-down list, select Group, in Incoming claim value, type
Production, select the option to Permit access to users with this incoming claim, and then click
Finish.
27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
28. On the Configure Rule page, in the Claim rule name field, type Temp, in the Incoming claim type
drop-down list, select UPN, in the Incoming claim value field, type @adatum.com, select the
option to Permit access to users with this incoming claim, and then click Finish.
30. In the Edit Rule Temp dialog box, click View Rule Language.
31. Press Ctrl + C to copy the rule language to the clipboard, and then click OK.
33. Click the Temp rule, click Remove Rule, and then click Yes.
35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a
Custom Rule, and then click Next.
36. On the Configure Rule page, in the Claim rule name field, type ADatum User Access Rule.
37. Click in the Custom rule box, and then press Crtl + V to paste the clipboard contents into the box.
Edit the first URL to match the following text, and then click Finish.
Note: This rule enables access to anyone who presents a claim that includes the User
Principal Name (UPN) of @adatum.com. The Value line in the first URL defines the attribute that
much be matched in the claim. In this line, ^ indicates the beginning of the string to match, (?i)
means that the text is case insensitive, .+ means that one or more characters will be added, and $
means the end of the string.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring Advanced Windows Server 2012 Services L12-105
38. Click OK to close the property page, and save the changes to the relying party trust.
2. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. April is not a member of the Production group, so she should not be able to access the
application.
4. Re-open Internet Explorer, click the Tools icon in the top right corner, and then click Internet
options.
5. Under Browsing history, click Delete, click Delete again, and then click OK.
6. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
7. On the Sign In page, click mun-dc1.treyresearch.net and then click Continue to Sign in.
8. When prompted for credentials, type TreyResearch\Morgan with password Pa$$w0rd, and then
press ENTER. Morgan is a member of the Production group, and should be able to access the
application.
Results: In this exercise, you configured a claims provider trust for TreyResearch on Adatum.com. and a
relying party trust for Adatum on TreyResearch. You verified access to the A. Datum claim-aware
application. Then you configured the application to restrict access from TreyResearch to specific groups,
and you verified appropriate access.
2. In the Virtual Machines list, right-click 20412A-MUN-DC1, and then click Revert.