70-412 Configuring Advanced Windows Server 2012 Servicesk

MCT USE ONLY.
STUDENT USE PROHIBITED

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
20412A
Configuring Advanced Windows Server
2012 Services
MCT USE ONLY. STUDENT USE PROHIBITED
ii Configuring Advanced Windows Server 2012 Services
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at

http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners
Product Number: 20412A
Part Number: X18-48644
Released: 09/2012
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.
h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-
led courseware that educates IT professionals or developers on Microsoft technologies.
j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.
a. If you are a Authorized Learning Center:

i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure
server located on your premises where the Authorized Training Session is held for access and
use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching
the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom
Device for access and use by one (1) End User attending the Authorized Training Session, or by
one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior to
their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their accessing
the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
b. If you are a MPN Member.

i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1)
Classroom Device, or (B) one (1) dedicated, secure server located at your premises where
the training session is held for use by one (1) of your employees attending a training session
provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1)
Classroom Device for use by one (1) End User attending a Private Training Session, or one (1)
MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior
to their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their
accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
c. If you are an End User:

You may use the Licensed Content solely for your personal training use. If the Licensed Content is in
digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in
the form provided to you on one (1) Personal Device and install another copy on another Personal
Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1)
copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device
you do not own or control.
d. If you are a MCT.
i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an
Authorized Training Session or Private Training Session. For each license you acquire, you may
install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal
Device and install one (1) additional copy on another Personal Device as a backup copy, which may
be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed
Content on a device you do not own or control.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of customize refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.
2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable

installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion
thereof (including any permitted modifications) to any third parties without the express written permission
of Microsoft.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone elses use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
install more copies of the Licensed Content on devices than the number of licenses you acquired;
allow more individuals to access the Licensed Content than the number of licenses you acquired;
publicly display, or make the Licensed Content available for others to access or use;
install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievable delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.
This limitation applies to

o anything related to the Licensed Content, services made available through the Licensed Content, or
content (including code) on third party Internet sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce
contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie
expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous

pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement
hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y
compris les dommages spciaux, indirects ou accessoires et pertes de bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit
stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage.
Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects,
accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera
pas votre gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus
par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays
si celles-ci ne le permettent pas.
Revised December 2011

x Configuring Advanced Windows Server 2012 Services
Configuring Advanced Windows Server 2012 Services xi
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Stan Reimer Content Developer

Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Active Directory and Microsoft Exchange Server
deployments for some of the largest companies in Canada. Stan is the lead author for two Active
Directory books for Microsoft Press. For the last nine years, Stan has been writing courseware for
Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a
Microsoft Certified Trainer (MCT) for 12 years.
Damir Dizdarevic Subject Matter Expert/Content Developer

Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager
and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has
more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server,
Exchange Server, security, and virtualization. He has worked as a subject matter expert and technical
reviewer on many Microsoft Official Courses (MOC) courses, and has published more than 400 articles in
various IT magazines, such as Windows ITPro and INFO Magazine. He's also a frequent and highly rated
speaker on most of Microsoft conferences in Eastern Europe. Additionally, Damir is a Microsoft Most
Valuable Professional (MVP) for Windows Server Infrastructure Management.
Orin Thomas Content Developer

Orin Thomas is an MVP, an MCT and has a string of Microsoft MCSE and MCITP certifications. He has
written more than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine.
Orin has been working in IT since the early 1990s. He is a regular speaker at events such as TechED in
Australia, and around the world on Windows Server, Windows Client, Microsoft System Center, and
security topics. Orin founded and runs the Melbourne System Center Users Group.
Vladimir Meloski Content Developer

Vladimir Meloski is an MCT, an MVP on Exchange Server, and consultant providing unified
communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync Server,
and System Center. Vladimir has 16 years of professional IT experience, and has been involved in
Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on
labs, and technical expert. He has also been involved as a subject matter expert and technical reviewer for
several MOC courses.
Nick Portlock Author

Nick Portlock has been an MCT for 15 years. He is a self-employed IT trainer, consultant and author. Last
year, Nick taught in more than 20 countries. He specializes in Active Directory, Group Policy, and Domain
Name System, and has consulted with a variety of companies over the last decade. Nick has reviewed
more than 100 Microsoft courses, and is a member of the Windows 7 STEP program.
xii Configuring Advanced Windows Server 2012 Services
Gary Dunlop Subject Matter Expert

Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview
Networks. Gary has authored a number of Microsoft Learning titles, and has been an MCT since 1997.
Ulf B. Simon-Weidner Technical Reviewer

Ulf B. Simon-Weidner is a senior consultant with a European provider for infrastructure solutions in
Germany. He also is an independent author, consultant, speaker and trainer. Ulf has been repeatedly
awarded MVP for Windows Server Directory Services for the past decade, and has been an MCT for more
than 10 years. Throughout his professional career, Ulf has had several consulting engagements with major
European or Global corporations. He also published multiple books and magazine articles about Active
Directory, Windows Server, Windows client operating systems, and security. Ulf is a frequently visiting
speaker for conferences including Microsoft TechEd North America and Europe, or The Experts
Conference. Ulf provides his technical and from-the-field experience in multiple Windows Server
coursewares as a technical reviewer.
Configuring Advanced Windows Server 2012 Services xiii
Contents
Module 1: Implementing Advanced Network Services
Lesson 1: Configuring Advanced DHCP Features 1-2
Lesson 2: Configuring Advanced DNS Settings 1-11
Lesson 3: Implementing IPAM 1-21
Lab: Implementing Advanced Network Services 1-31
Module 2: Implementing Advanced File Services

Lesson 1: Configuring iSCSI Storage 2-2
Lesson 2: Configuring BranchCache 2-9
Lesson 3: Optimizing Storage Usage 2-16
Lab A: Implementing Advanced File Services 2-22
Lab B: Implementing BranchCache 2-28
Module 3: Implementing Dynamic Access Control

Lesson 1: Overview of Dynamic Access Control 3-2
Lesson 2: Planning for Dynamic Access Control 3-8
Lesson 3: Deploying Dynamic Access Control 3-13
Lab: Implementing Dynamic Access Control 3-22
Module 4: Implementing Network Load Balancing

Lesson 1: Overview of NLB 4-2
Lesson 2: Configuring an NLB Cluster 4-5
Lesson 3: Planning an NLB Implementation 4-10
Lab: Implementing Network Load Balancing 4-16
Module 5: Implementing Failover Clustering

Lesson 1: Overview of Failover Clustering 5-2
Lesson 2: Implementing a Failover Cluster 5-14
Lesson 3: Configuring Highly Available Applications and Services
on a Failover Cluster 5-20
Lesson 4: Maintaining a Failover Cluster 5-25
Lesson 5: Implementing a Multi-Site Failover Cluster 5-30
Lab: Implementing Failover Clustering 5-36
Module 6: Implementing Failover Clustering with Hyper-V

Lesson 1: Overview of Integrating Hyper-V with Failover Clustering 6-2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover
Clusters 6-7
Lesson 3: Implementing Hyper-V Virtual Machine Movement 6-15
Lesson 4: Managing Hyper-V Virtual Environments by Using VMM 6-21
xiv Configuring Advanced Windows Server 2012 Services
Lab: Implementing Failover Clustering with Hyper-V 6-31
Module 7: Implementing Disaster Recovery

Lesson 1: Overview of Disaster Recovery 7-2
Lesson 2: Implementing Windows Server Backup 7-7
Lesson 3: Implementing Server and Data Recovery 7-16
Lab: Implementing Windows Server Backup and Restore 7-20
Module 8: Implementing Distributed Active Directory Domain Services Deployments

Lesson 1: Overview of Distributed AD DS Deployments 8-2
Lesson 2: Deploying a Distributed AD DS Environment 8-9
Lesson 3: Configuring AD DS Trusts 8-18
Lab: Implementing Complex AD DS Deployments 8-23
Module 9: Implementing Active Directory Domain Services Sites and Replication

Lesson 1: Overview of AD DS Replication 9-2
Lesson 2: Configuring AD DS Sites 9-10
Lesson 3: Configuring and Monitoring AD DS Replication 9-16
Lab: Implementing AD DS Sites and Replication 9-22
Module 10: Implementing Active Directory Certificate Services

Lesson 1: PKI Overview 10-2
Lesson 2: Deploying CAs 10-10
Lesson 3: Deploying and Managing Certificate Templates 10-16
Lesson 4: Implementing Certificate Distribution and Revocation 10-21
Lesson 5: Managing Certificate Recovery 10-29
Lab: Implementing Active Directory Certificate Services 10-33
Module 11: Implementing Active Directory Rights Management Services

Lesson 1: AD RMS Overview 11-2
Lesson 2: Deploying and Managing an AD RMS Infrastructure 11-7
Lesson 3: Configuring AD RMS Content Protection 11-13
Lesson 4: Configuring External Access to AD RMS 11-19
Lab: Configuring AD RMS 11-24
Module 12: Implementing Active Directory Federation Services

Lesson 1: Overview of AD FS 12-2
Lesson 2: Deploying AD FS 12-11
Lesson 3: Implementing AD FS for a Single Organization 12-17
Lesson 4: Deploying AD FS in a B2B Federation Scenario 12-23
Lab: Implementing AD FS 12-28
Configuring Advanced Windows Server 2012 Services xv
Lab Answer Keys

Module 1 Lab: Implementing Advanced Network Services L1-1
Module 2 Lab A: Implementing Advanced File Services L2-11
Module 2 Lab B: Implementing BranchCache L2-18
Module 3 Lab: Implementing Dynamic Access Control L3-25
Module 4 Lab: Implementing Network Load Balancing L4-35
Module 5 Lab: Implementing Failover Clustering L5-41
Module 6 Lab: Implementing Failover Clustering with Hyper-V L6-49
Module 7 Lab: Implementing Windows Server Backup and Restore L7-55
Module 8 Lab: Implementing Complex AD DS Deployments L8-61
Module 9 Lab: Implementing AD DS Sites and Replication L9-67
Module 10 Lab: Implementing Active Directory Certificate Services L10-71
Module 11 Lab: Configuring AD RMS L11-85
Module 12 Lab: Implementing AD FS L12-95
About This Course xvii
About This Course

This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.
Course Description
Note: This first release (A) MOC version of course 20412A has been developed on
prerelease software (Release Candidate (RC)). Microsoft Learning will release a B version of this
course after the RTM version of the software is available.
This course will provide you with the knowledge and skills you need to provision advanced services in a
Windows Server 2012 enterprise environment. This course will teach you how to configure and manage
high availability features, file and storage solutions, and network services in Windows Server 2012. You will
also learn about configuring the Active Directory Domain Services (AD DS) infrastructure, and
implementing backups and disaster recovery.
Audience
This course is intended for IT Professionals who have real-world hands-on experience implementing,
managing and maintaining a Windows Server 2012 infrastructure in an existing Enterprise environment,
and wish to acquire the skills and knowledge necessary to carry out advanced management and
provisioning of services within that Windows Server 2012 environment.
The secondary audience for this course will be candidates aspiring to acquire the Microsoft Certified
Systems Administrator (MCSA) credential either in its own right or in order to proceed in acquiring the
Microsoft Certified System Engineer (MCSE) credentials, for which this is a prerequisite. IT professionals
seeking certification in the 70-412: Configuring Advanced Windows Server 2012 Services exam also may
take this course.
Student Prerequisites
This course requires that you meet the following prerequisites:
At least two years hands-on experience working in a Windows Server 2008 or Windows Server 2012
environment
Equivalent knowledge of 20410A: Installing and Configuring Windows Server 2012 course
Installing and configuring Windows Server 2012 into existing enterprise environments, or as
standalone installations
Configuring local storage
Configuring roles and features
Configuring file and print services

Configuring Windows Server 2012 servers for local and remote administration
Configuring IPv4 and IPv6 addresses
Configuring Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
services
Installing domain controllers

xviii About This Course
Creating and configuring users, groups, computers and organizational units (OUs)
Creating and managing group policies
Configuring local security policies
Configuring Windows Firewall
Configuring Windows Server 2012 Hyper-V
Equivalent knowledge of 20411A: Administering Windows Server 2012 course
Deploying and managing Windows Server images
Installing and configuring Update Services

Monitoring the Windows Server 2012 environment
Installing and configuring Distributed Files System (DFS)
Installing and configuring File Server Resource Manager (FSRM)
Configuring file and disk access, and audit policies
Configuring DNS security and integration with AD DS
Maintaining network integrity by configuring Network Access using Network Policy Server (NPS)
and Network Access Protection (NAP)
Configuring Remote Access using virtual private networks (VPNs) and Windows 7 DirectAccess
Configuring Domain Controllers

Managing and maintaining the Active Directory environment
Managing and maintaining the Windows Server 2012 domain environment using Group Policy
Course Objectives
After completing this course, students will be able to:
Configure advanced features for DHCP and DNS, and configure IP Address Management (IPAM).
Configure file services to meet advanced business requirements.
Configure Dynamic Access Control (DAC) to manage and audit access to shared files.
Provide high availability and load balancing for web-based applications by implementing Network
Load Balancing (NLB).
Provide high availability for network services and applications by implementing failover clustering.
Deploy and manage Hyper-V virtual machines in a failover cluster.
Implement a backup and disaster recovery solution based on business and technical requirements.
Plan and implement an AD DS deployment that includes multiple domains and forests.
Plan and implement an AD DS deployment that includes multiple locations.
Implement an Active Directory Certificate Services (AD CS) deployment.
Implement an Active Directory Rights Management Services (AD RMS) deployment.

Implement an Active Directory Federation Services (AD FS) deployment.
About This Course xix
Course Outline
The course outline is as follows:
Module 1, Implementing Advanced Network Services" describes how to configure advanced DHCP
features and DNS settings, and implement IPAM, which is a new Windows Server 2012 feature.
Module 2, Implementing Advanced File Services" describes how to configure Internet Small Computer
System Interface (iSCSI) storage and Windows BranchCache. The module also describes how to
implement Windows Server 2012 features that optimize storage utilization.
Module 3, Implementing Dynamic Access Control" describes DAC, which is a new Windows Server 2012
feature. It also explains how to plan for a DAC implementation, and how to configure DAC.
Module 4, Implementing Network Load Balancing" describes the features and working of network load
balancing (NLB). It also explains how to configure an NLB cluster and plan an NLB implementation.
Module 5, Implementing Failover Clustering" describes failover clustering features in Windows Server
2012. The module also describes how to implement and maintain failover clusters, and how to configure
highly available applications and services on a failover cluster.
Module 6, Implementing Failover Clustering with Hyper-V" describes options to make virtual machines
highly available, and covers the implementation of Hyper-V virtual machines on failover clusters and
Hyper-V virtual machine movement.
Module 7, Implementing Disaster Recovery" describes disaster recovery, server and data recovery, and
the planning and implementation of a backup solution for Windows Server 2012.
Module 8, Implementing Distributed Active Directory Domain Services Deployments" provides an
overview of distributed AD DS deployments and the process of implementation for the same. It also
describes how to configure AD DS trusts, and implement complex AD DS deployments.
Module 9, Implementing Active Directory Domain Services Sites and Replication" describes how
replication works in AD DS in a Windows Server 2012 AD DS environment, and how to configure AD DS
sites to optimize AD DS network traffic. It also shows how to configure and monitor AD DS replication.
Module 10, Implementing Active Directory Certificate Services" provides an overview of Public Key
Infrastructure (PKI), and describes how to deploy certification authorities (CAs) and certificate templates. It
also covers certificate distribution and revocation, and management of certificate recovery.
Module 11, Implementing Active Directory Rights Management Services" describes AD RMS and how
you can use it to achieve content protection. It also explains how to deploy and manage an AD RMS
infrastructure, and configure AD RMS content protection and external access to AD RMS.
Module 12, Implementing Active Directory Federation Services" describes the identity federation
business scenarios, and how you can use AD FS to address the scenarios. It also describes how to deploy
AD FS, and how to implement it for a single organization, and in a business-to-business (B2B) scenario.
xx About This Course
Exam/Course Mapping
This course, 20412A: Configuring Advanced Windows Server 2012 Services, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-412: Configuring Advanced Windows Server
2012 Services.
The table below is provided as a study aid that will assist you in preparation for taking this exam, and to
show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam, but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination, and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
Exam 70-412: Configuring Advanced Windows Server 2012 Services

Exam Objective Domain Course Content
Configure and Manage High Availability (16%) Module Lesson Lab
Configure This objective may include but is not limited to: Mod 4 Lesson Mod 4 Ex
Network Load Install NLB nodes; configure NLB prerequisites; 1/2/3 1/2/3
Balancing configure affinity; configure port rules; configure
(NLB). cluster operation mode; upgrade an NLB cluster
This objective may include but is not limited to: Mod 5 Lesson Mod 5 Ex
Configure Configure Quorum; configure cluster networking; 2/5 2/4
failover restore single node or cluster configuration;
clustering. configure cluster storage; implement Cluster Aware
Updating; upgrade a cluster
This objective may include but is not limited to: Mod 5 Lesson Mod 5 Ex 1
Manage
Configure role-specific settings including 1/4
failover
continuously available shares; configure VM
clustering
monitoring; configure failover and preference
roles.
settings
Manage Mod 5 Lesson Mod 5 Ex
This objective may include but is not limited to:
Virtual 3/4 3
Perform Live Migration; perform quick migration;
Machine
perform storage migration; import, export, and copy
(VM)
VMs; migrate from other platforms (P2V and V2V)
movement.
Configure File and Storage Solutions (15%)
Configure Configure NFS data store; configure BranchCache; 2/3 2/3
advanced file configure File Classification Infrastructure (FCI) using
services. File Server Resource Manager (FSRM); configure file
access auditing
About This Course xxi
(continued)

Configure File and Storage Solutions (15%)
Implement Mod 3 Lesson Mod 3 Ex
Dynamic 1/2/3 1/2/3/4/5/6
Configure user and device claim types; implement
Access
policy changes and staging; perform access-denied
Control
remediation; configure file classification
(DAC).
Configure and Configure iSCSI Target and Initiator; configure 1/3
optimize Internet Storage Name server (iSNS); implement
storage. thin provisioning and trim; manage server free
space using Features on Demand
Implement Business Continuity and Disaster Recovery (18%)
Configure and Configure Windows Server backups; configure 2/3 1/2/3/4
manage Windows Online backups; configure role-specific
backups. backups; manage VSS settings using VSSAdmin;
create System Restore snapshots
Restore from backups; perform a Bare Metal 2/3 1/2/3/4
Recover Restore (BMR); recover servers using Windows
servers. Recovery Environment (Win RE) and safe mode;
apply System Restore snapshots; configure the Boot
Configuration Data (BCD) store
This objective may include but is not limited to: Mod 6 Lessons Mod 6 Ex 1
Configure
Configure Hyper-V Replica including Hyper-V Replica 1/3
site-level
Broker and VMs; configure multi-site clustering Mod 5 Lesson 1
fault
including network settings, Quorum, and failover
tolerance.
settings
Configure Network Services (17%)
Implement an Mod 1 Lesson 1 Mod 1 Ex 1
advanced This objective may include but is not limited to:
Dynamic Host Create and configure superscopes and multicast
Configuration scopes; implement DHCPv6; configure high
Protocol availability for DHCP including DHCP failover and
(DHCP) split scopes; configure DHCP Name Protection
solution.
xxii About This Course
(continued)

Configure Network Services (17%)
This objective may include but is not limited to: Mod 1 Lesson 2 Mod 1 Ex 2
Configure security for DNS including DNSSEC, DNS
Implement an
Socket Pool, and cache locking; configure DNS
advanced
logging; configure delegated administration;
DNS solution.
configure recursion; configure netmask ordering;
configure a GlobalNames zone
Configure IPAM manually or by using Group Policy;
Deploy and
configure server discovery; create and manage IP
manage
blocks and ranges; monitor utilization of IP address
IPAM.
space; migrate to IPAM; delegate IPAM
administration; manage IPAM collections
Configure the Active Directory Infrastructure (18%)
Implement multi-domain and multi-forest Active 1/2
Configure a Directory environments including interoperability
forest or a with previous versions of Active Directory; upgrade
domain existing domains and forests including environment
preparation and functional levels; configure multiple
user principal name (UPN) suffixes
Configure Configure external, forest, shortcut, and realm
trusts. trusts; configure trust authentication; configure SID
filtering; configure name suffix routing
This objective may include but is not limited to: Mod 9 Lesson Mod Ex 1/2
Configure sites and subnets; create and configure 2/3
Configure
site links; manage site coverage; manage
sites.
registration of SRV records; move domain
controllers between sites
Manage
Configure replication to Read-Only Domain 1/3
Active
Controllers (RODCs); configure Password Replication
Directory and
Policy (PRP) for RODCs; monitor and manage
SYSVOL
replication; upgrade SYSVOL replication to
replication.
Distributed File System Replication (DFSR)
About This Course xxiii
(continued)

Configure Identity and Access Solutions (15%)
Implement
Implement claims-based authentication including 1/2/3/4 1/2/3/4
Active
Relying Party Trusts; configure Claims Provider Trust
Directory
rules; configure attribute stores including Active
Federation
Directory Lightweight Directory Services (AD LDS);
Services 2.1
manage AD FS certificates; configure AD FS proxy;
(AD FSv2.1).
integrate with Cloud Services
Install and Mod 10 Lesson Mod 10 Ex
configure 1/2/3/4/5 1/2/3/4/5/6
Install an Enterprise Certificate Authority (CA);
Active
configure CRL distribution points; install and
Directory
configure Online Responder; implement
Certificate
administrative role separation; configure CA backup
Services (AD
and recovery
CS).
This objective may include but is not limited to: Mod 10 Lesson Mod 10 EX
Manage certificate templates; implement and 3/4/5 3/4/5/6
manage certificate deployment, validation, and
Manage
revocation; manage certificate renewal; manage
certificates.
certificate enrollment and renewal to computers
and users using Group Policies; configure and
manage key archival and recovery
Install and Mod 11 Lesson Mod 11 Ex
configure 1/2/3/4 1/2/3/4
Install a licensing or certificate AD RMS server;
Active
manage AD RMS Service Connection Point (SCP);
Directory
manage AD RMS client deployment; manage
Rights
Trusted User Domains; manage Trusted Publishing
Management
Domains; manage Federated Identity support;
Services (AD
manage RMS templates; configure Exclusion Policies
RMS).
Important: Attending this course in itself will not successfully prepare you to pass any
associated certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
Real world, hands-on experience Implementing, Managing and Configuring Active Directory and
Networking infrastructure, working in a Windows Server 2008, Windows Server 2008 R2 or Windows
Server 2012 Enterprise environment.
Additional study outside of the content in this handbook
xxiv About This Course
There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab1
The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to
change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.
Lab Answer Keys: provide step-by-step lab solution guidance.
Course Companion Content: searchable, easy-to-browse digital content with integrated premium
online resources that supplement the Course Handbook.
Modules: include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
Resources: include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.
Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.),
Companion Content is not available. However, the Companion Content will be published when
the next (B) version of this course is released, and students who have taken this course will be
able to download the Companion Content at that time from the
http://www.microsoft.com/learning/companionmoc site. Please check with your instructor
when the B version of this course is scheduled to release to learn when you can access
Companion Content for this course.
About This Course xxv
Student Course files: includes the Allfiles.exe, a self-extracting executable file that contains all
required files for the labs and demonstrations.
Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.),
Allfiles.exe file is not available. However, this file will be published when the next (B) version of
this course is released, and students who have taken this course will be able to download the
Allfiles.exe at that time from the http://www.microsoft.com/learning/companionmoc site.
Course evaluation: at the end of the course, you will have the opportunity to complete an
online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send an email to

support@mscourseware.com. To inquire about the Microsoft Certification Program, send an
email to mcphelp@microsoft.com.
xxvi About This Course
Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine (VM) without saving the changes, perform the following
steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course:
Virtual machine Role

20412A-LON-DC1/-B Windows Server 2012
Domain controller in the Adatum.com domain
20412A-LON-CA1 Windows Server 2012
Standalone server
20412A-LON-CL1 Windows 8 client computer
Member of the Adatum.com domain
20412A-LON-CL2 Windows 8 client computer
Member of the Adatum.com domain
20412A-LON-CORE Windows Server 2012
Member server in the Adatum.com domain
20412A-LON-SVR1/-B Windows Server 2012
20412A-LON-SVR2 Windows Server 2012
20412A-MUN-CL1 Windows 8 client computer
Member of the Treyresearch.net domain
20412A-MUN-DC1 Windows Server 2012
Domain controller in the TreyResearch.net domain
About This Course xxvii
(continued)
Virtual machine Role

20412A-LON-HOST1 Windows Server 2012
20412A-LON-HOST2 Windows Server 2012
20412A-TOR-DC1 Windows Server 2012
Software Configuration
The following software is installed on the VMs:
Windows Server 2012 Datacenter Edition, Release Candidate
Windows 8, Release Preview
Office 2010, SP1
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 RM Serial ATA (SATA) or better*
8 GB random access memory (RAM)
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
*Striped
In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16-bit colors.
1-1
Module 1
Implementing Advanced Network Services
Contents:
Module Overview 1-1
Lesson 1: Configuring Advanced DHCP Features 1-2
Lesson 2: Configuring Advanced DNS Settings 1-11
Lesson 3: Implementing IPAM 1-21
Lab: Implementing Advanced Network Services 1-31
Module Review and Takeaways 1-36
Module Overview
In Windows Server 2012, network services such as Domain Name System (DNS) provide critical support for
name resolution of network and Internet resources. Within DNS, DNS Security Extensions (DNSSEC) is an
advanced feature that provides a means of securing DNS responses to client queries so that malicious
users cannot tamper with them. With Dynamic Host Configuration Protocol (DHCP), you can manage and
distribute IP addresses to client computers. DHCP is essential for managing IP-based networks. DHCP
failover is an advanced feature that can prevent clients from losing access to the network in case of a
DHCP server failure. IP Address Management (IPAM) provides a unified means of controlling IP
addressing.
This module introduces DNS and DHCP improvements, IP address management, and provides details
about how to implement these features.
Objectives
After completing this module you will be able to:
Configure advanced DHCP features.
Configure advanced DNS settings.
Implement IPAM.
1-2 Implementing Advanced Netwoork Services
Lesson 1
Config
guring Advance
A ed DHC
CP Featu
ures
DHC CP plays an immportant role in n the Window
ws Server 2012 operating systtem infrastructture. It is the
prim
mary means off distributing im mportant netw
work configuraation information to networkk clients, and it
provvides configurration informattion to other network-enabl
n led services, in
ncluding Windoows Deployme ent
Servvices (WDS) an nd Network Acccess Protectioon (NAP). To suupport a Wind dows Server-baased network
infra
astructure, it iss important that you understtand the DHC P server role. WWindows Server 2012 impro oves
the functionality ofo DHCP by prroviding failover capabilities..
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
CP componentts.
Describe DHC
Explain how to
t configure DHCP
D interactio
on with DNS.
Describe supe
er scopes and multicast scop
pes.
Explain how DHCP
D works with
w IPv6.
Describe DHC
CP name prote
ection.
Describe DHC
CP failover.
Ov
verview of DHCP Com
mponentss
DHC CP is a server role
r that you can
c install on
Winndows Server 2012.
2 With the e DHCP server role,
you can ensure th hat all clients have
h appropria ate IP
adddresses and nettwork configuration informa ation,
which can help eliminate human error during g
configuration. A DHCP
D client is any device run nning
DHC CP client softw
ware that can request
r and retrieve
netwwork settings from
f a DHCP server
s service.
DHC CP clients mayy be computers, mobile devices,
prin
nters, or switch
hes. DHCP mayy also provide IP
adddress information to network k boot clients.
Whe en key networrk configuratio

on information n
changes in the ne etwork, such ass the default gateway addresss, you can up pdate the confiiguration using
g the
DHC CP server role without having to change th he informationn directly on eeach computerr. DHCP is alsoo a key
servvice for mobile
e users who change network ks often. You caan install the D ole on a standalone
DHCP server ro
servver, a domain member
m serve
er, or a domainn controller.
DHC
CP consists of the componen
nts that are listted in the follo
owing table.
Co
omponent Description
D
DHCP server service After installing

g the DHCP ro ole, the DHCP sserver is impleemented as a
service. This se
ervice can disttribute IP addrresses and otheer network
configuration information to o clients who request it.
DHCP scopes The DHCP adm ministrator co nfigures the raange of IP add dresses and related
information allotted to the sserver for distrribution to req
questing clientts.
Each scope ca
an only be assoociated with a single IP subn net. A scope m
must
Configuring Advanced Windows Server 2012 Services 1-3
Component Description
consist of:
A name and description
A range of addresses that can be distributed
A subnet mask
A scope can also define:
IP addresses that should be excluded from distribution
The duration of the IP address lease
DHCP options
You can configure a single DHCP server with multiple scopes, but the
server must be either connected directly to each subnet that it serves, or
have a DHCP relay agent in place. Scopes also provide the primary way
for the server to manage and distribute any related configuration
parameters (DHCP options) to clients on the network.
DHCP options When you assign the IP address inform, you can simultaneously assign
many other network configuration parameters. The most common DHCP
options include:
Default Gateway IP address
DNS server IP address
DNS domain suffix
Windows Internet Name Service (WINS) server IP address
You can apply the options at different levels. They can be applied:
Globally to all scopes
Specifically to particular scopes
To specific clients based on a Class ID value
To clients that have specific IP address reservations configured
Note: IPv6 scopes are slightly different, and will be discussed later in
this lesson.
DHCP database The DHCP database contains configuration data about the DHCP server,
and stores information about the IP addresses that have been distributed.
By default, the DHCP database files are stored in the
%systemroot%\System32\Dhcp folder.
DHCP console The DHCP console is the main administrative tool for managing all aspects
of the DHCP server. This management console is installed automatically on
any server that has the DHCP role installed. However, you can also install it
on a remote server or Windows 8 client by using the Remote Server
Administration Tools (RSAT) and by connecting to the DHCP server for
remote management.
How Clients Acquire IP Addresses

When you configure a Windows client to use the DHCP service, upon startup the client will use an IP
broadcast in its subnet to request IP configuration from any DHCP server that may receive the request.
Because DHCP uses IP broadcasts to initiate communications, DHCP servers are limited to communication
within their IP subnets. This means that there must either be a DHCP server on each IP subnet, or a DHCP
relay agent configured on the remote subnet. The DHCP relay service can relay DHCP broadcast packets
as directed messages into other IP subnets across a router. The relay agent acquires an IP address
configuration on behalf of the requesting

r clie
ent on the rem
mote subnet, an
nd then forwards that
configuration to the
t client.
DH
HCP Leases
DHC CP allocates IP
P addresses on a dynamic ba asis. This is kno
own as a lease.. You can conffigure the duraation
of the lease. The default
d lease tiime for wired clients
c is eightt days.
Whe en the DHCP lease has reach nt attempts to renew the leasse.
hed 50 percent of the lease ttime, the clien
Thiss automatic process occurs inn the background. Computeers might havee the same IP aaddress for a lo ong
periiod of time if they
t operate continually on a network with hout being shut down. Clien nt computers aalso
atte
empt renewal during
d the starrtup process.
DH
HCP Server Authorizatio
A on
If th
he server is a domain membe er, you must authorize the WWindows Serveer 2012 DHCP server role in
Actiive Directory Domain
D Service
es (AD DS) beffore it can beg
gin leasing IP aaddresses. Youu must be an
Enteerprise Adminiistrator to auth
horize the DHCCP server. Stan
ndalone Micro osoft servers ve
erify whether tthere
is a DHCP server on o the network, and do not start the DHC P service if this is the case.
Co
onfiguring DHCP Inte
eraction With
W DNS
Durring dynamic IP address alloccation, the DH HCP
ource records automatically for
servver creates reso
DHC CP clients in th
he DNS databa ase. However, those
recoords may not beb deleted auttomatically wh hen
the client DHCP le Y can configure
ease expires. You
DHC CP options to allow the DHC CP server to ow
wn
and fully control the
t creation an nd deletion of
thosse DNS resource records.
Con
nfiguring DHCP
D Option
n 081
Youu can configure e DHCP option n 081 to control
the way that resource records are updated in the
DNS S database. Th his option permmits the client to
provvide its fully qualified domain name (FQDN) and instrucctions to the D DHCP server abbout how it wo ould
like the server to process DNS dynamic
d updattes on its behaalf. You configure option 0811 on the DNS tab
of the Properties window
w for the protocol nod de, or per scop
pe in the DHC CP console. Youu can also configure
DHC CP to perform updates on behalf of its clie ents to any DN NS servers thatt support dynaamic updates.
By default,
d the DH
HCP server beh
haves in the fo
ollowing mann
ner:
The DHCP server dynamically updates DN NS address ho st (A) resourcee records and pointer (PTR)
resource recoords only if req
quested by the
e DHCP clients . By default, th ests that the DHCP
he client reque
server registe
er the DNS PTR ord, while the client registerrs its own DNS A resource record.
R resource reco
The DHCP server discards the A and PTR resource reco rds when the cclients lease iss deleted.
You his option so that it instructss the DHCP serrver to always dynamically u
u can modify th update DNS A
reso
ource records and
a PTR resou urce records no o matter what the client requests. In this w
way, the DHCPP
servver becomes th
he owner of thhe resource reccord because tthe DHCP servver performed the registratio on of
the resource records. Once the DHCP server becomes
b owner of the cllient computers A and PTR
the o
reso
ource records, only that DHCCP server can update
u the DNNS resource reccords for the cclient compute
er
baseed on the dura
ation and reneewal of the DH HCP lease.
Configurinng Advanced Window
ws Server 2012 Serrvices 1-5
Configuring
C g Advance
ed DHCP Scope
S Desiigns
Yoou can configu
ure advanced DHCP scope designsd
ca
alled superscoppes. A superscoope is a collection of
in
ndividual scopees that are gro
ouped togethe er for
ad
dministrative purposes.
p This allows client
co
omputers to reeceive an IP ad ddress from multiple
lo
ogical subnets even when the e clients are lo
ocated
onn the same phhysical subnet. You can only create
a superscope if you have two or more IP sco opes
already created in DHCP. You u can use the New
N
Su
uperscope Wizzard to select the
t scopes tha at you
wish
w to combine together to create a superrscope.
Benefits
B of Superscopes
S s
A superscope iss useful in seveeral situations. For example, if a scope runss out of addresses and you ccannot
ad
dd more addre esses from the
e subnet, you can
c instead ad d a new subneet to the DHCP P server. This sscope
w lease addresses to clients in the same physical networrk, but the clieents will be in a separate nettwork
will
ogically. This is known as mu
lo ultinetting. Oncce you add a n
new subnet, yoou must config gure routers too
re
ecognize the newn subnet so that you ensure local comm munications in the physical network.
A superscope iss also useful wh

hen you need to move clien nts gradually innto a new IP nuumbering scheeme.
Having both nu umbering schemes coexist foor the original leases duratio
on means that you can move e clients
in
nto the new subnet transpare ently. When yo
ou have renew wed all client leeases in the ne
ew subnet, you
u can
re
etire the old su
ubnet.
Multicast
M Sco
opes
A multicast scop pe is a collection of multicasst addresses froom the class D IP address raange of 224.0.00.0 to
23 39.255.255.255 5 (224.0.0.0/3)). These addressses are used w when applicatiions need to ccommunicate w with
nu umerous clients efficiently and simultaneo ously. This is acccomplished wwith multiple h
hosts that listen
n to
trraffic for the sa
ame IP addresss.
pe is commonly known as a Multicast Add

A multicast scop dress Dynamic Client Allocattion Protocol
(M
MADCAP) scop pe. Application
ns that requestt addresses fro
om these scopees need to sup
pport the MAD DCAP
ap
pplication prog
gramming inte erface (API). Windows
W Deplooyment Servicees is an examp
ple of an appliccation
th
hat supports multicast
m transm
missions.
Multicast
M scope
es allow applica
ations to reserrve a multicastt IP address forr data and con
ntent delivery.
DHCP
D Integ
gration With IPv6
IP
Pv6 can configure itself withoout DHCP. IPv6 6
en
nabled clients have a self-assigned link-loccal IPv6
ddress. A link-local address is
ad i intended only for
co
ommunication ns within the loocal network. It is
eq
quivalent to thhe 169.254.0.0 self-assigned
ddresses used by IPv4. IPv6-enabled netwo
ad ork
in
nterfaces can, and
a often do, have more tha an one
IP
Pv6 address. Foor example, ad ddresses mightt
in
nclude a self-asssigned link-lo
ocal address an
nd a
DHCP-assigned global addresss. By using DH HCP for
IP
Pv6 (DHCPv6), an IPv6 host canc obtain sub bnet
prefixes, global addresses, and d other IPv6
1-6 Implementing Advanced Network Services
configuration settings.
Note: You should obtain a block of IPv6 addresses from a Regional Internet Registry. There
are five regional internet registries in the world. They are:
African Network Information Centre (AfriNIC) for Africa
Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring
countries
American Registry for Internet Numbers (ARIN) for Canada, many Caribbean and North Atlantic
islands, and the United States
Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of
the Caribbean region
Rseaux IP Europens Network Coordination Centre (RIPE NCC) for Europe, Russia, the Middle East,
and Central Asia
Stateful and Stateless Configuration

Whenever you add the DHCP server role to a Windows Server 2012 computer, you also automatically
install a DHCPv6 server. Windows Server 2012 supports both DHCPv6 stateful and stateless configurations:
Stateful configuration. Occurs when the DHCPv6 server assigns the IPv6 address to the client along
with additional DHCP data.
Stateless configuration. Occurs when the subnet router assigns IPv6 automatically, and the DHCPv6
server only assigns other IPv6 configuration settings.
DHCPv6 Scopes for IPv6

DHCPv6 scopes for IPv6 must be created separately from IPv4 scopes. IPv6 scopes have an enhanced lease
mechanism and several different options. When configuring a DHCPv6 scope, you must define the
properties listed in the following table.
Property Use
Name and description This property identifies the scope.
Prefix The IPv6 address prefix is analogous to the IPv4 address range. It defines
the network portion of the IP address.
Preference This property informs DHCPv6 clients as to which server to use if you
have multiple DHCPv6 servers.
Exclusions This property defines single addresses or blocks of addresses that fall
within the IPv6 prefix but will not be offered for lease.
Valid and Preferred This property defines how long leased addresses are valid.
lifetimes
DHCP options As with IPv4, there are many available options.
Configuring an IPv6 Scope

You can use the New Scope Wizard to create IPv6 scopes:
1. In the DHCP console, right-click the IPv6 node, and then click New Scope.
2.. Configure a scope prefix and preferencce.
3.. Define the starting and ending IP addre

esses, and anyy exclusions.
4.. Configure the
t Preferred and Valid life
etime propertiees.
5.. Activate the

e scope to ena
able it.
What
W Is DH
HCP Name Protection?
Yoou must prote ect the names that
t DHCP reggisters
in
n DNS on beha alf of systems from
f being
ovverwritten by non-Microsoft
n t systems that use the
ame names. In addition, you must protect the
sa
na ames from beiing overwritten by systems thatt use
sttatic addressess that conflict with
w DHCP-asssigned
adddresses when n they use unse ecure DNS and d DHCP
is not configureed for conflict detections. For
exxample, a UNIX X-based system m named Client1
coould potentially overwrite th he DNS addresss that
was
w assigned an nd registered byb DHCP on behalf of
a Windows-based system also o named Client1. A
ne ew feature in Windows
W Serveer 2012, DHCP P Name Protecction, addressees this issue.
Name
N squattingg is the term used to describe the conflict tthat occurs whhen one client registers a naame with
DNS but that na ame is alreadyy used by another client. Thiss problem cau uses the originaal machine to become
in
naccessible, and it typically occurs
o with systtems that havee the same na mes as Windo ows operating
syystems. DHCP Name Protecttion addresses this by using a resource reccord known as a Dynamic Ho ost
Configuration Iddentifier (DHC CID) to track which machiness originally req
quested which names. The D DHCP
se
erver provides the DHCID record, which is stored in DNSS. When the DHCP server recceives a request by a
machine
m with an existing nam me for an IP ad
ddress, the DHC CP server can refer to the DHCID in DNS tto verify
th
hat the machinne that is reque esting the nam
me is the origin
nal machine thhat used the name. If it is no
ot the
sa
ame machine, then the DNS resource reco ord is not updaated.
Yoou can implemment name pro otection for bo

oth IPv4 and IP
Pv6. You can cconfigure DHC CP Name Prote ection at
th
he server level and the scope
e level. Implem
mentation at th
he server level will only applyy for newly cre
eated
sccopes.
To
o enable DHCP Name Protection for an IP
Pv4 or IPv6 nod
de:
1.. Open the DHCP

D console.
2.. Right-click the IPv4 or IP

Pv6 node, and then open thee Property paage.
3.. Click DNS, click Advance

ed, and then se
elect the Enab
ble Name Pro
otection checkk box.
To
o enable DHCP Name Protection for a sco
ope:
1.. Open the DHCP

D Microsofft Managemen MC).
nt Console (MM
2.. e IPv4 or IPv6 node, right-click the scope, and the open
Expand the n the Property
y page.
3.. Click DNS, click Advance
ed, and then se
elect the Enab
ble Name Pro
otection checkk box.
Wh
hat Is DHC
CP Failoverr?
DHC CP manages th he distributionn of IP addresses in
TCP P/IP networks of o all sizes. Wh
hen this servicee
failss, clients lose connectivity
c to the network and
a
all of
o its resourcess. A new featurre in Windowss
Servver 2012, DHC CP failover, adddresses this issu
ue.
DH
HCP Failoverr
DHC CP clients reneew their leases on their IP
adddresses at regular, configurabble intervals. When
W
the DHCP service fails, the leasees time out and d
cliennts no longer have IP addressses. In the passt,
DHC CP failover was not possible because DHCP
servvers were independent and unaware
u of eacch
othe er. Therefore, configuring
c tw
wo separate DH HCP servers to
o distribute thee same pool off addresses could
leadd to duplicate addresses. Add ditionally, provviding redund ant DHCP servvices required you to configure
clusstering, and peerform a significant amount of manual con nfiguration andd monitoring.
The new DHCP failover feature enables two DHCP D servers t o provide IP aaddresses and optional
configurations to the same subn nets or scopess. Therefore, yoou can now co onfigure two D DHCP servers to o
repllicate lease information. If on
ne of the serve
ers fails, the otther server servvices the clients for the entirre
subnet.
Note: In Windows Server 2012, you can ure two DHCP servers for failover and
n only configu
onlyy for IPv4 scop
pes and subnetts.
Con
nfiguring DHCP
D Failove
er
To configure
c DHC
CP failover, you u need to establish a failove r relationship between the ttwo DHCP servvers
servvices. You must also give thiss relationship a unique namee. The failoverr partners exch
hange this nam
me
during configurattion. This enabbles a single DH HCP server to have multiple failover relatio
onships with o
other
DHC CP servers so long as they all have unique names. To co nfigure failoveer, use the Con nfiguration Faiilover
wizaard that you caan launch by right-clicking
r the
t IP node orr the scope nod de.
Note: DHCP failover is tim me sensitive. You

Y must synch hronize time bbetween the paartners in
the relationship. Iff the time diffe
erence is greatter than one m
minute, the faillover process w
will halt
with
h a critical erro
or.
You
u can configure
e failover in on
ne of the two following
f mod
des.
Mode Characteristiccs
Hot Standby In this mode,, one server is the primary seerver and the oother is the
secondary se
erver. The prim mary server actiively assigns IP
P configuration ns for
the scope or subnet. The seecondary DHC CP server only assumes this rrole if
the primary server
s becomees unavailable. A DHCP serve er can
simultaneoussly act as the pprimary for onee scope or sub bnet, and be th he
secondary for another. Adm must configure a percentage of the
ministrators m
scope addressses to be assiggned to the standby server. These addressses are
supplied duriing the Maxim mum Client Leaad Time (MCLT T) interval if th
he
primary serve
er is down. Thee default MCLLT value is 5 pe ercent of the sccope.
The secondarry server takess control of thee whole IP rannge after the M MCLT
Mode Characteristics
interval has passed.
Hot Standby mode is best suited to deployments in which a disaster
recovery site is located at a different location. That way the DHCP server
will not service clients unless there is a main server outage.
Load Sharing This is the default mode. In this mode both servers simultaneously supply
IP configuration to clients. The server that responds to IP configuration
requests depends on how the administrator configures the load
distribution ratio. The default ratio is 50:50.
MCLT
The administrator configures the MCLT parameter to determine the amount of time a DHCP server should
wait when a partner is unavailable, before assuming control of the address range. This value cannot be
zero, and the default is one hour.
Auto State Switchover Interval

A communication interrupted state occurs when a server loses contact with its partner. Because the server
has no way of knowing what is causing the communication loss, it remains in this state until the
administrator manually changes it to a partner down state. The administrator can also enable automatic
transition to partner down state by configuring the auto state switchover interval. The default value for
this interval is 10 minutes.
Message Authentication
Windows Server 2012 enables you to authenticate the failover message traffic between the replication
partners. The administrator can establish a shared secretmuch like a passwordin the Configuration
Failover Wizard for DHCP failover. This validates that the failover message comes from the failover
partner.
Firewall Considerations
DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following inbound
and outbound firewall rules:
Microsoft-Windows-DHCP-Failover-TCP-In
Microsoft-Windows-DHCP-Failover-TCP-Out
Demonstration: Configuring DHCP Failover

In this demonstration, you will see how to configure a DHCP failover relationship.
Demonstration Steps
Configure a DHCP failover relationship

1. Log on to LON-SVR1 as Adatum\Administrator. Note that the server is authorized, but that no
scopes are configured.
2. Switch to LON-DC1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.
3. In the DHCP console, launch the Configure Failover Wizard.
4. Configure failover replication with the following settings:
o Partner server: 172.16.0.21

o Relationship Name: Adatum
o Maximum Client Lead Time: 15 minutes
o Mode: Load balance
o Load Balance Percentage: 50%
o State Switchover Interval: 60 minutes
o Message authentication shared secret: Pa$$w0rd
5. Complete the Configure Failover Wizard.
6. Switch back to LON-SVR1, and note that the IPv4 node is active and the Adatum scope is configured.
Configuringg Advanced Windowss Server 2012 Serviices 1-11
Lesson
n2
Configuring Advancced DNS Settin
ngs
In
n TCP/IP netwo orks of any size
e, certain serviices are essenttial. DNS is onee of the most ccritical networrk
se
ervices for any network, beca ause many oth her applicationns and servicessincluding A AD DSrely on n DNS
to
o resolve resou
urce names to IP addresses. Without
W nd network-based
DNS, user authenticcations fail, an
re
esources and applications
a may become ina accessible. For this reasons, yyou need to m manage and prrotect
DNS. This lessonn discusses ma anagement tecchniques and o options for op ptimizing DNS resolution. Wiindows
Se
erver 2012 imp plements DNSSEC to protectt DNS responsses. Windows SServer 2012 also supports global
naame zones to provide single e-label name re esolution.
Le
esson Objecctives
After completin y will be able to:
ng this lesson you
Manage DN
NS services.
Optimize DNS
D name reso
olution.
Describe global name zones.
ptions for implementing DNS security.

Describe op
Explain how
w DNSSEC worrks.
Describe th C features for Windows Servver 2012.
he new DNSSEC
Managing
M DNS Services
Like other impoortant network
k services, you must
manage
m DNS. DNS
D managemment consists of the
fo
ollowing tasks:
Delegating DNS administtration,
Configuring
g logging for DNS,
D
Aging and scavenging,

Backing up the DNS data
abase,
Delegating
D Administrat
A ion of DNS
Byy default, the Domain
D Admins group has fullf
pe
ermissions to manage
m all asp
pects of the DNS
se
erver in its hom
me domain, an nd the Enterpriise Admins gro oup has full peermissions to m
manage all asp
pects of
all DNS servers in any domain n in the forest. If you need to
o delegate thee administratio
on of a DNS seerver to
a different user or group, then you can add d that user or g
global group t o the DNS Admins group fo or a
giiven domain in n the forest. Members
M e DNS Admins group can vieew and modifyy all DNS data,,
of the
se
ettings, and co o DNS servers in their homee domain.
onfigurations of
Th
he DNS Admin
ns group is a Domain
D Local security
s group
p, and by defau
ult has no mem
mbers in it.
Configuring
C DNS Loggin
ng
Byy default, DNS
S maintains a DNS
D server log
g, which you caan view in the Event Viewer. This event log
g is
lo
ocated in the Applications
A an gs folder in Evvent Viewer. It records comm
nd Services Log mon events succh as:
Starting and stopping of the DNS service.

Background loading and zone signing events.
Changes to DNS configuration settings.
Various warnings and error events.
For more verbose logging, you can enable debug logging. Debug logging options are disabled by default,
but can be selectively enabled. Debug logging options include the following:
Direction of packets
Contents of packets
Transport protocol
Type of request
Filtering based on IP address
Specifying the name and location of the log file, which is located in the %windir%\System32\DNS
directory
Log file maximum size limit
Debug logging can be resourceintensive. It can affect overall server performance and consume disk
space. Therefore, you should only enable it temporarily when you require more detailed information
about server performance. To enable debug logging on the DNS server, do the following:
1. Open the DNS console.

2. Right-click the applicable DNS server, and then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events for which you want the DNS server to
record debug logging.
Aging and Scavenging

DNS dynamic updates add resource records to the zone automatically, but in some cases those records
are not deleted automatically when they are no longer required. For example, if a computer registers its
own A resource record and is improperly disconnected from the network, the A resource record might not
be deleted. These records, known as stale records, take up space in the DNS database and may result in an
incorrect query response being returned. Windows Server 2012 can search for those stale records and,
based on the aging of the record, scavenge them from the DNS database.
Aging and scavenging is disabled by default. You can enable aging and scavenging in the Advanced
properties of the DNS server, or you can enable it for selected zones in the zones Properties window.
Aging is determined by using parameters known as the Refresh interval and the No-refresh interval. The
Refresh interval is the date and time that the record is eligible to be refreshed by the client. The default is
seven days. The No-refresh interval is the period of time that the record is not eligible to be refreshed. By
default, this is seven days. In the normal course of events, a client host record cannot be refreshed in the
database for seven days after it is first registered or refreshed. However, it then must be refreshed within
the next seven days after the No-refresh interval, or the record becomes eligible to be scavenged out of
the database. A client will attempt to refresh its DNS record at startup, and every 24 hours while the
system is running.
Note: Records that are added dynamically added to the database are time stamped. Static
records that are you entered manually have a time stamp value of zero 0, and will not be affected
by aging and therefore will not be scavenged out of the database.
Backing
B Up the
t DNS Database
How you back up u the DNS da atabase depends on how DN NS was implem mented into yoour organizatio on. If
yo
our DNS zone was implemen nted as an Acttive Directory iintegrated zon ne, then your D
DNS zone is in ncluded
in
n the Active Directory databa ase ntds.dit file
e. If the DNS zzone is a primaary zone and iss not stored in
n AD DS,
th
hen the file is stored
s as a .dns file in the %SSystemRoot%\\System32\Dn ns folder.
Backing Up Active
A Directo
ory Integrate
ed Zones
Active Directoryy integrated zo d in AD DS an d are backed u
ones are stored up as part of a System State
e or a
fu up. Additionally, you can back up just the Active Directo
ull server backu ory integrated zone by using
g the
dnscmd command-line tool.
To
o back up an Active
A Directorry integrated zone,
z perform the following steps:
1.. Launch an elevated

e comm
mand prompt..
2.. Run the following comma
and:
dnscmd /Z
ZoneExport <z
zone name> <zone file na
ame>
where <zon ne name> is th

he name of your DNS zone, and <zone filee name> is the
e file that you w
want to
create to ho
old the backup
p information.
Th ool exports the zone data to the file name that you desig
he dnscmd to gnate in the co
ommand, to th
he
%windir%\Syste
% em32\DNS dire ectory.
Backing Up Primary Zone

es
Baacking up a prrimary zone th
hat is not store
ed in AD DS is simply a matteer of copying or backing up the
ndividual zone file, zonename.dns, which iss located in thee %windir%\Syystem32\DNS directory. For
in
exxample, if your DNS primaryy zone is name ed Adatum.com NS zone file will be named
m, then the DN
Adatum.com.dn ns.
Optimizing
O g DNS Nam
me Resoluttion
In
n a typical DNS S query event, a client comp puter
atttempts to reso olve a FQDN to t an IP addresss. For
exxample, if a user tries to go to t the FQDN
www.microsoft.
w com, the clien nt computer wiill
peerform a recurrsive query to the t DNS serve er that
it is configured to discover the IP address
asssociated with that FQDN. The local DNS server s
must
m then respo
ond with an au uthoritative response.
If the local DNS S server has no o copy of the DNS
D
naamespace for which it was queried,
q it will
re
espond with an n authoritative e answer to the e client
coomputer. If thee local DNS server does not have
th
hat information n, it will perforrm recursion. Recursion
R referrs to the proceess of having tthe local DNS sserver
itsself make a reccursive query to t another DN NS server until it finds the au
uthoritative ansswer and returrns that
annswer to the client that mad de the original request. By deefault, this servver will be one
e of the serverss on the
nternet that is listed as a root hint. When the local DNS sserver receivess a response, itt will return that
In
in
nformation to thet original requesting client computer.
There are a number of options available for optimizing DNS name resolution. They include features such
as:
Forwarding
Conditional forwarding
Stub zones
Netmask ordering
Forwarding
A forwarder is a network DNS server that you configure to forward DNS queries for host names that it
cannot resolve to other DNS servers for resolution. In a typical environment, the internal DNS server
forwards queries for external DNS host names to DNS servers on the Internet. For example, if the local
network DNS server cannot authoritatively resolve a query for www.microsoft.com, then the local DNS
server can forward the query to the internet service providers (ISPs) DNS server for resolution.
Conditional Forwarding
You also can use conditional forwarders to forward queries according to specific domain names. A
conditional forwarder is a DNS server on a network that forwards DNS queries according to the querys
DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for
names ending with corp.adatum.com to the IP address of a specific DNS server or to the IP addresses of
multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest. For
example, suppose Contoso.com and Adatum.com are merged. Rather than each domain having to host a
complete replica of the other domains DNS database, you could create conditional forwarders so that
they point to each others specific DNS servers for resolution of internal DNS names.
Stub Zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify that zones
authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might
be necessary when you want a DNS server that is hosting a parent zone to remain aware of all the
authoritative DNS servers for one of its child zones. A stub zone that is hosted on a parent domain DNS
server will receive a list of all new DNS servers for the child zone, when it requests an update from the
stub zone's master server. By using this method, the DNS server that is hosting the parent zone maintains
a current list of the authoritative DNS servers for the child zone as they are added and removed.
A stub zone consists of the following:
The delegated zones start of authority (SOA) resource record, name server (NS) resource records, and
A resource records
The IP address of one or more master servers that you can use to update the stub zone
Stub zones have the following characteristics:
Stub zones are created using the New Zone Wizard.
Stub zones can be stored in AD DS.
Stub zones can be replicated either in the domain only, or throughout the entire forest.
Stub zone master servers are one or more DNS servers that are responsible for the initial copy of the
zone information, and are usually the DNS server that is hosting the primary zone for the delegated
domain name.
Netmask
N Ord
dering
Netmask ordering returns add dresses for typ
pe A (address rrecords) DNS q queries that prrioritize resourrces on
th
he client comp
puters local subnet to the cliient. In other wwords, addressses of hosts thaat are on the ssame
su
ubnet as the re
equesting cliennt will have a higher
h e client computer.
priorityy in the DNS reesponse to the
Lo
ocalization is based
b on IP adddresses. For exxample, if therre are multiplee A records thaat are associate
ed with
th
he same DNS name,
n and eacch of the A records are locateed on a differeent IP subnet, netmask orde ering
eturns an A reccord that is on the same IP subnet as the cclient computeer that made the request.
re
What
W Is the
e GlobalNa
ame Zone??
Thhe DNS Serverr Service in Windows Server 2012
provides the Glo obalName zon ne, which you can use
o contain single-label namess that are unique
to
accross an entire
e forest. This elliminates the need
n to
usse the NetBIOS-based WINS S to provide su
upport
fo
or single-label names. GlobalName zones provide
p
single-label namme resolution forf large enterrprise
ne d not deploy WINS and that have
etworks that do
multiple
m DNS domain environ nments. GlobalName
zo
ones are create ed manually and do not sup pport
dyynamic record d registration.
When
W clients tryy to resolve sh
hort names, the
ey
au
utomatically append their DNS domain na ame. Dependinng on the conffiguration, the ey also try to find the
na
ame in upper--level domain name, or work k through thei r name suffix llist. Therefore, short names aare
esolved in the same domain..
re
Yo
ou use a Globa alName zone tot maintain a list of DNS seaarch suffixes fo
or resolving naames among m multiple
DNS domain en nvironments. For
F example, if an organizatio on supports tw wo DNS domaains, such as
ad
datum.com an nd contoso.com m, users in the adatum.com DNS domain n need to use a FQDN such ass
da
ata.contoso.coom to locate thhe servers in co Otherwise, the domain admin
ontoso.com. O nistrator needs to add
a DNS search suuffix for contosso.com on all the
t systems inn the adatum.ccom domain. Iff the clients just
se
earch for the server name ddata, then the search would fail.
Global names are based on crreating alias (C

CNAME) resouurce records in
n a special forw
ward lookup zo one that
usses single nam
mes to point to FQDNs. For example,
e GlobaalName zones would enable e clients in both the
ad
datum.com do omain and the contoso.com domain to usee a single labeel name, such aas data, to locaate a
se
erver whose FQQDN is data.coontoso.com without having tto use the FQD
DN.
Creating
C a GlobalName Zone
To
o create a GlobalName zone
e, do the follow
wing:
1.. Use the dnscmd tool to enable

e GlobalN
Name zones s upport.
2.. Create a ne
ew forward loookup zone nam
med GlobalNam
me (not case ssensitive). Do n
not allow dynaamic
updates forr this zone.
3.. Manually create CNAME records that point

p to record
ds that alreadyy exist in the otther zones thaat are
hosted on your
y DNS servvers.
Fo
or example, yoou could create
e a CNAME record in the Glo
obalName zon ne named Data, that points tto
Data.contoso.coom. This enables clients from
m any DNS dom ganization to find this server by the
main in the org
single label nam
me of Data.
1-16 Implemennting Advanced Netw
work Services
Op
ptions for Implemen
I ting DNS Security
Because DNS is a critical networrk service, you
musst protect it as much as posssible. A numbeer of
options are available for protecting the DNS
servver, including:
DNS cache lo
ocking
DNS socket pool

p
DNSSEC
DN
NS Cache Loccking
Cache locking is a security featu ure available with
w
Win ndows Server 2012
2 that allow
ws you to conttrol
whe en information n in the DNS ca ache can be ovverwritten. Wh hen a recursivee DNS server rresponds to a q query,
it ca
aches the results so that it ca
an respond quickly if it receivves another qu uery requestinng the same
infoormation. The period
p of time
e the DNS servver keeps infor mation in its ccache is determmined by the T Time
to Live
L (TTL) value e for a resource record. Inforrmation in thee cache can be overwritten b before the TTL
expires if updated d information about
a that resource record iis received. If aan attacker succcessfully overrwrites
infoormation in thee cache, the atttacker might be
b able to red irect your netw work traffic to a malicious site.
Whe en you enable e cache lockingg, the DNS servver prohibits ccached recordss from being o overwritten forr the
dura ation of the TT
TL value.
You
u configure cacche locking as a percentage value. For exaample, if the caache locking value is set to 550,
then erwrite a cached entry for haalf of the duraation of the TT
n the DNS servver will not ove TL. By default, tthe
cachhe locking perrcentage value
e is 100. This means
m that cach
hed entries will not be overw written for the
e
entiire duration off the TTL.
You
u can configure
e cache locking
g with the dnsscmd tool as ffollows:
1. Launch an ele
evated comma
and prompt.
2. Run the follow
wing comman
nd:
dnscmd /Config /CacheLockingPercen

nt <percent>
3. Restart the DNS service to apply

a the chan
nges.
DN
NS Socket Po
ool
The DNS socket pool
p enables a DNS server to o use source po ort randomiza tion when issu uing DNS querries.
Whe en the DNS se ervice starts, the server choosses a source poort from a poo
ol of sockets th
hat are availab
ble for
issuing queries. In
nstead of using g a predicable source port, thhe DNS serverr uses a randomm port numbe er that
it se
elects from the
e DNS socket pool.
p The DNS socket pool m makes cache-taampering attacks more difficcult
because an attack ker must correctly guess both the source p port of a DNS q
query and a raandom transacction
ID to successfully run the attack k. The DNS soccket pool is en abled by default in Window ws Server 2012..
The default size of
o the DNS socket pool is 2,500. When you u configure thee DNS socket p pool, you can
choose a size valu
ue from 0 to 10 ger the value, tthe greater thee protection yyou will have against
0,000. The larg
DNSS spoofing attaacks. If the DN
NS server is run
nning Window ws Server 2012,, you can also configure a DNS
sock
ket pool exclussion list.
You
u can configure
e the DNS socket pool size by
b using the dn
nscmd tool ass follows:
1. Launch an ele
evated comma
and prompt.
2.. Run the following comma

and:
dnscmd /C
Config /Socke
etPoolSize <value>
3.. Restart the DNS service to

o apply the ch
hanges
DNSSEC
D
DNSSEC enable es a DNS zone and all record
ds in the zone tto be signed ccryptographicaally such that cclient
co
omputers can validate the DNS
D response. DNS is often ssubject to vario
ous attacks, su
uch as spoofing g and
ca
ache-tamperin ng. DNSSEC heelps protect ag
gainst these th reats and provvides a more secure DNS
in
nfrastructure.
How
H DNSSEC Works
In
ntercepting and tampering with w an organizzations
DNS query resp ponse is a common attack method.
If attackers can alter response es from DNS se ervers,
orr send spoofed d responses to o point client
coomputers to thheir own serve ers, they can ga
ain
acccess to sensitive information. Any service that
re
elies on DNS fo or the initial co
onnectionsu uch as
e--commerce we eb servers and email servers are
vuulnerable. DNS SSEC protects clients that are e
making
m DNS qu ueries from acccepting false DNSD
re
esponses.
When
W a DNS se osting a digitally
erver that is ho
signed zone recceives a query, it returns the digital signatu
ures along wit h the requesteed records. A rresolver
orr another serve t public keyy of the public//private key paair from a trusst anchor, and then
er can obtain the
va
alidate that the
e responses arre authentic annd have not beeen tampered with. To do th his, the resolve
er or
se
erver must be configured witth a trust anch hor for the sign
ned zone or fo
or a parent of tthe signed zon ne.
Trust Anchorrs
A trust anchor is an authoritative entity that is representeed by a public key. The TrusttAnchors zone stores
preconfigured public
p keys thaat are associate ed with a speccific zone. In D
DNS, the trust aanchor is the D
DNSKEY
orr DS resource record. Client computers use e these record
ds to build trusst chains. You mmust configure a trust
an
nchor from the e zone on every domain DNS server to vallidate responses from that signed zone. If the
DNS server is a domain contro oller, then Acttive Directory iintegrated zonnes can distribute the trust aanchors.
Name
N Resolu
ution Policy
y Table
Th
he Name Reso olution Policy Table
T (NRPT) contains
c rules tthat control th
he DNS client b
behavior for se
ending
DNS queries and processing thet responses from those qu ueries. For exammple, a DNSSEEC rule promp pts the
client computerr to check for validation
v of the response foor a particular DNS domain suffix. As a besst
practice, Group Policy is the preferred
p methhod of configuuring the NRPTT. If there is no
o NRPT presennt, the
client computerr accepts respoonses without validating theem.
Deploying
D DNSSEC
D
To
o deploy DNSS
SEC:
1.. Install Wind

dows Server 20012 and assign n the DNS rolee to the server.. Typically, a domain controlller also
acts as the DNS server. However, this iss not a require ment.
2.. Sign the DN
NS zone by using the DNSSE
EC Configurati on Wizard, wh
hich is located in the DNS co
onsole.
3. Configure trust anchor distribution points.
4. Configure the NRPT on the client computers.
Assigning the DNS Server Role

To assign the DNS server role, in the Server Manager Dashboard, use the Add Roles and Features Wizard.
You can also add this role can when you add the AD DS role. Configure the primary zones on the DNS
server. After a zone is signed, any new DNS servers in Windows Server 2012 automatically receive the
DNSSEC parameters.
Signing the Zone

The following signing options are available:
Configure the zone signing parameters. This option guides you through the steps and enables you
to set all values for the key signing key (KSK) and the zone signing key (ZSK).
Sign the zone with parameters of an existing zone. This option enables you to keep the same
values and options as another signed zone.
Use recommended settings. This option signs the zone by using the default values.
Note: Zones can also be unsigned by using the DNSSEC management user interface to
remove zone signatures.
Configuring Trust Anchor Distribution Points

If the zone is Active Directoryintegrated, you should select to distribute the trust anchors to all the
servers in the forest. If trust anchors are required on computers that are not joined to the domainfor
example, a DNS server in the perimeter network (also known as DMZ, demilitarized zone, and screened
subnetthen you should enable automated key rollover.
Note: A key rollover is the act of replacing one key pair with another at the end of a keys
effective period.
Configuring NRPT on Client Computers

The DNS client computer only performs DNSSEC validation on domain names where the DNS client
computer is configured to do so by the NRPT. A client computer running Windows 7 is DNSSECaware,
but it does not perform validation. Instead, it relies on the security-aware DNS server to perform
validation on its behalf.
New
N DNSSEC Feature
es for Windows Servver 2012
DNSSEC implem mentation was simplified for
Windows
W Server 2012. Althouugh DNSSEC was
w
su
upported in Windows
W Serverr 2008 R2, mosst of
th on and administration tasks were
he configuratio
pe
erformed man nes were signed when
nually, and zon
th
hey were offlin
ne.
DNSSEC
D Zon
ne Signing Wizard
W
Windows
W Server 2012 includees a DNSSEC Zone
Siigning Wizard to simplify thee configuration and
signing process, and to enable online signin ng. The
wizard
w allows yo
ou to choose the
t zone signin ng
paarameters as in
ndicated in thee previous top
pic. If
yo
ou choose to configure
c the zone
z signing settings
s rather than using paarameters from
m an existing zzone or
ussing default va
alues, you can use the wizardd to configuree settings such as:
KSK options
ZSK options
Trust ancho
or distribution options
Signing and
d polling param
meters
New
N Resourcce Records
DNS response validation
v is acchieved by asso
ociating a privvate/public keyy pair (as gene
erated by the
ad
dministrator) with
w a DNS zon ne, and then defining
d additi onal DNS resoource records tto sign and pu ublish
ke
eys. Resource records
r distrib
bute the publicc key while thee private key reemains on thee server. When the
client requests validation,
v DNSSEC adds datta to the respo onse that enabbles the client tto authenticatte the
re
esponse.
Th
he following ta
able describes the new resou
urce records in
n Windows Serrver 2012.
Resource reco
ord Purp
pose
DNSKEY Thiss record publisshes the publicc key for the zo

one. It checks the
authhority of a resp
ponse against the private keey held by the DNS
servver. These keyss require perio
odic replacemeent through ke ey
rollo
overs. Window ws Server 20122 supports auto omated key roollovers.
DS Thiss record is a de
elegation reco ord that contai ns the hash off the
pub
blic key of a ch hild zone. This record is signeed by the pare ent
zones private keyy. If a child zon ne of a signed parent is also signed,
the DS records fro om the child m must be manuaally added to tthe
pareent so that a chain
c of trust ccan be created
d.
RRSIG Thiss record holds a signature fo

or a set of DNSS records. It is used to
check the authority of a respon se.
NSEC Wheen the DNS reesponse has no o data to proviide to the clien
nt, this
reco
ord authentica
ates that the ho
ost does not eexist.
Other
O New Enhancemen
E nts
Other
O enhancem
ments for Windows Server 2012 include:
Support forr DNS dynamicc updates in DNSSEC

D signed
d zones.
Automated trust anchor distribution through AD DS.
Windows PowerShellbased command-line interface for management and scripting.
Demonstration: Configuring DNSSEC

In this demonstration, you will see how to use the Zone Signing Wizard in the DNS console to configure
DNSSEC
Demonstration Steps
Configure DNSSEC
1. Log on to LON-DC1 as Adatum\Administrator.
2. Start the DNS console.
3. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all default settings.
4. Verify that the DNSKEY resource records were created in the Trust Points zone.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix and that requires DNS client computers to verify that the name and address
data is validated.
Lesson
n3
Imple
ementin
ng IPAM
M
With
W the develo opment of IPv6 6 and more annd more devicees requiring IP P addresses, neetworks have b
become
co
omplex and difficult to manaage. Maintaining an updated d list of static IP addresses th
hat have been
n issued
ha
as often been a manual taskk, which can lea
ad to errors. TTo help organizzations manag ge IP addresses,
Windows
W Server 2012 provide
es the IPAM toool.
Le
esson Objecctives
ng this lesson you
Describe IP
PAM.
Describe IP
PAM architectu
ure.
Describe th
he requirementts for IPAM im
mplementation s.
Manage IP addressing ussing IPAM.
Install and configure

c IPAM
M.
Describe co
onsiderations for
f implementing IPAM.
What
W Is IPA
AM?
IP
P address mana agement is a difficult
d task in
n large
neetworks, becau P address usage is
use tracking IP
la
argely a manua al operation. Windows
W Serve
er 2012
in
ntroduces IPAM M, which is a frramework for
diiscovering, moonitoring utilization, auditing
g, and
managing
m the IP address spacce in a network.
IP
PAM enables th he administrattion and monittoring
off DHCP and DNS, and provid des a compreh hensive
view of where IP addresses arre used. IPAM collects
in
nformation from domain con ntrollers and Network
N
Poolicy Servers (N
NPSs) and storres that inform
mation
in
n the Windowss Internal Database.
IP
PAM assists in the
t areas of IP
P administratio
on as shown in the following
g table.
IP administrattion area IPAM capab

bilities
Planning Provides a tool

t set that caan reduce the time and expe
ense of the plaanning
process wheen changes occcur in the netw work.
Managing Provides a single

s point off managementt and assists in
n optimizing
utilization and
a capacity p lanning for DH
HCP and DNS.
Tracking Enables traccking and foreecasting of IP aaddress utilizattion.
Auditing Assists with compliance reequirements, ssuch as HIPAA A and Sarbaness-Oxley

act of 2002,, and providess reporting forr forensics and change
management.
work Services
Cha
aracteristicss of IPAM
Cha
aracteristics of IPAM include::
M server can su
A single IPAM upport up to 150
1 DHCP servvers and 500 D
DNS servers.
A single IPAM
M server can su
upport up to 6,000
6 opes and 150 DNS zones.
DHCP sco
IPAM stores three

t C addresses, u
years of forensics data (IP address leaases, host MAC user login and logoff
information) for 100,000 ussers in a Windoows Internal DDatabase. Theree is no databaase purge policcy
provided, and
d the administrator must purge the data m manually as neeeded.
IPAM supports only Windows Internal Da

atabase. No exxternal databasse is supported
d.
IP address utiilization trendss are provided
d only for IPv4..
IP address recclamation support is provide

ed only for IPvv4.
IPAM does no
ot check for IP
P address consistency with ro
outers and switches.
Ben
nefits of IPA
AM
IPAM
M benefits include:
IPv4 and IPv6

6 address space
e planning and
d allocation.
ace utilization statistics and trend monitorring.
IP address spa
ntory management, lifetime managementt, and DHCP an

Static IP inven nd DNS record
d creation and
deletion.
Service and zone monitorin
ng of DNS servvices.
IP address lea
ase and logon event tracking
g.
Role based acccess control (RBAC).

Remote admiinistration support through RSAT.
Note: IPAM
M does not sup
pport managem non-Microsoft network
ment and conffiguration of n
elem
ments.
IPA
AM Archite
ecture
IPAM
M architecture e consists of fo
our main modu
ules,
which are listed in
n the followingg table.
Module Description
IPAM discovery You use AD DS to discover servers running Windows Server 2008 and newer
that have DNS, DHCP, or AD DS installed. Administrators can define the scope
of discovery to a subset of domains in the forest. They can also add servers
manually.
IP address space You can use this module to view, monitor, and manage the IP address space.
management (ASM) You can dynamically issue or statically assign addresses. You can also track
address utilization and detect overlapping DHCP scopes.
Multi-server You can manage and monitor multiple DHCP servers. This enables tasks to
management and execute across multiple servers. For example, you can configure and edit DHCP
monitoring properties and scopes and track the status of DHCP and scope utilization. You
can also monitor multiple DNS servers, and monitor the health and status of
DNS zones across authoritative DNS servers.
Operational auditing You can use the auditing tools to track potential configuration problems. You
and IP address can also collect, manage, and view details of configuration changes from
tracking managed DHCP servers. You can also collect address lease tracking from DHCP
lease logs, and collect logon event information from NPS and domain
controllers.
The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three
topologies:
Distributed. An IPAM server is deployed to every site in the forest.

Centralized. Only one IPAM server is deployed in the forest.
Hybrid. A central IPAM server is deployed together with a dedicated IPAM server in each site.
Note: IPAM servers do not communicate with one another or share database information.
If you deploy multiple IPAM servers, you must customize each servers discovery scope.
IPAM has two main components:
IPAM server. The IPAM server performs the data collection from the managed servers. It also manages
the Windows Internal Database and provides RBAC.
IPAM client. The IPAM client provides the client computer user interface, interacts with the IPAM
server, and invokes Windows PowerShell to perform DHCP configuration tasks, DNS monitoring, and
remote management.
IPAM Security Groups

The following table describes the local security groups that are created automatically when you install
IPAM.
Group Description
IPAM Users Members of this group can view all information that is located in server
discovery, IP address space, and server management. They can view IPAM and
DHCP server operational events, but they cannot view IP address tracking
information.
IPAM MSM IPAM multi-server management (MSM) administrators have IPAM users
privileges, and can perform IPAM common management tasks and server
work Services
Grroup Description
Administrators management tasks.
IP
PAM ASM IPA
AM ASM admin
nistrators havee IPAM users p
privileges, and can perform IPAM
Administrators com
mmon manageement tasks an nd IP address sspace tasks.
IP
PAM IP Audit Meembers of this group have IP
PAM users privvileges, can perform IPAM
Administrators com
mmon manage ement tasks, a nd can view IP
P address trackking informatio
on.
IP
PAM Administrrators IPA
AM Administrators can view aall IPAM data and perform aall IPAM tasks..
Requirementts for IPAM

M Implementation
To ensure
e a succe
essful IPAM implementation, you
musst meet several prerequisitess:
The IPAM serrver must be a domain member,

but cannot bee a domain co
ontroller.
The IPAM serrver should be a single purpo ose

ot install other network roles such
server. Do no
as DHCP or DNS
D on the samme server.
To manage thhe IPv6 addresss space, IPv6 must

m
be enabled on the IPAM seerver.
Log on to the
e IPAM server with
w a domain
n
account, and not a local acccount.
You must be a member of the
t correct IPA
AM local securrity group on tthe IPAM serve
er.
Enable loggin
ng of account logon events on NPS servers for IPAMs IP add
o domain co ntroller and N dress
tracking and auditing featu
ure.
IPA
AM Hardware and Softw
ware Requirements
The IPAM hardwa
are and software requiremen
nts are as follow
ws:
Dual core pro

ocessor of 2.0 gigahertz
g (GHz) or higher
Windows Servver 2012 operating system
4 or more gig
gabytes (GB) of
o random acce
ess memory (R
RAM)
80 GB of free hard disk space

In addition to the previously me
entioned requirements, Win dows Server 2
2008 and 2008
8 R2 require the
follo
owing:
Service Pack 2 (SP2) must be

b installed on Windows Servver 2008.
ET Framework 4.0 full installa
Microsoft .NE ation must be installed.
Windows Management Framework 3.0 Be

eta must be in
nstalled (KB250
06146).
For Windows Server 2008 SP2,

S Windows Management Framework Co 0) is also required.
ore (KB968930
Windows Rem
mote Managem
ment (Window
ws RM) must bee enabled.
Verify that Se
ervice principal names (SPNs) are written.
Managing
M IP Addresssing Using
g IPAM
IP
P address space e managemen nt allows
ad
dministrators to t manage, traack, audit, and report
onn an organizattions IPv4 andd IPv6 address spaces.
Thhe IPAM IP address space co onsole providees
ad
dministrators with
w IP address utilization staatistics
an
nd historical trrend data so th
hat they can make
m
in
nformed planning decisions for f dynamic, static,
an
nd virtual addrress spaces. IPAAM periodic taasks
au
utomatically discover the address space an nd
uttilization data as configured on the DHCP servers
hat are managed in IPAM. Yo
th ou can also immport IP
ad
ddress informa ation from com
mma separated d
va
alues (.csv) files.
IP
PAM also enabbles administraators to detect overlapping I P address rang
ges that are deefined on diffe
erent
dresses within a range, creatte DHCP reservvations, and crreate DNS reco
DHCP servers, find free IP add ords.
IP
PAM provides a number of ways
w to filter th
he view of the IP address spaace. You can ccustomize how
w you
view and managge the IP addrress space usin ng any of the fo
ollowing viewss:
IP address blocks
b
IP address ranges
r
IP addresse
es
IP address inventory
i
IP address range
r groups
IP
P Address Blocks
B
IP
P address block ks are the high on. Conceptually, an
hest-level entitties within an IIP address spaace organizatio
IP
P block is an IP
P subnet marke ed by a start and an end IP aaddress, and itt is typically assigned to an
orrganization byy various Regioonal Internet Registries
R (RIRss). Network ad ministrators use IP address bblocks
o create and alllocate IP addrress ranges to DHCP. They caan add, imporrt, edit, and de
to elete IP address
blocks. IPAM au utomatically maps
m IP addresss ranges to thee appropriate IP address blo ock based on the
booundaries of the range. You can add and import
i IP addrress blocks in tthe IPAM conssole.
IP
P Address Ranges
R
IP
P address ranges are the nexxt hierarchical level
l dress space enttities after IP address blocks..
of IP add
Conceptually, an IP address ra ange is an IP subnet marked d by a start and d end IP addreess, and it typiccally
co
orresponds to a DHCP scope e, or a static IP
Pv4 or IPv6 adddress range or address pool that is used to o assign
ad
ddresses to ho osts. An IP address range is uniquely
u identiifiable by the vvalue of the m
mandatory Man naged
Byy Service and Service Insta ance options, which
w help IPA
AM manage an nd maintain ovverlapping or
duuplicate IP add
dress ranges frrom the same console. You ccan add or imp port IP addresss ranges from within
th
he IPAM conso ole.
IP
P Addressess
IP
P addresses are
e the addresses that make up the IP addreess range. IPAM M enables end d-to-end life cyycle
management
m of IPv4 and IPv66 addresses, in
ncluding record d synchronizattion with DHCCP and DNS servers.
IP
PAM automaticcally maps an address to the e appropriate rrange based o d end address of the
on the start and
ange. An IP address is unique
ra ely identifiable
e by the value of mandatoryy Managed By y Service and Service
In
nstance optionns that help IP
PAM manage and a maintain d duplicate IP ad
ddresses from tthe same conssole.
Yoou can add or import IP adddresses from within
w the IPAM
M console.
IP Address Inventory
In this view, you can view a list of all IP addresses in the enterprise along with their device names and
type. IP address inventory is a logical group defined by the Device Type option within the IP addresses
view. These groups allow you to customize the way your address space displays for managing and
tracking IP usage. You can add or import IP addresses from within the IPAM console. For example, you
could add the IP addresses for printers or routers, assign IP address the appropriate device type of printer
or router, and then view your IP inventory filtered by the device type you assigned.
IP Address Range Groups

IPAM enables you to organize IP address ranges into logical groups. For example, you might organize IP
address ranges geographically or by business division. Logical groups are defined by selecting the
grouping criteria from built-in or user-defined custom fields.
Monitoring and Managing

IPAM enables automated, periodic service monitoring of DHCP and DNS servers across a forest.
Monitoring and managing is organized into the views listed in the following table.
View Description
DNS and DHCP By default, managed DHCP and DNS servers are arranged by
Servers their network interface in /16 subnets for IPv4 and /48 subnets
for IPv6. You can select the view to see just DHCP scope
properties, just DNS server properties, or both.
DHCP scopes The DHCP scope view enables scope utilization monitoring.
Utilization statistics are collected periodically and automatically
from a managed DHCP server. You can track important scope
properties such as Name, ID, Prefix Length, and Status.
DNS Zone Zone monitoring is enabled for forward and reverse lookup
Monitoring zones. Zone status is based on events collected by IPAM. The
status of each zone is summarized.
Server Groups You can organize your managed DHCP and DNS servers into
logical groups. For example, you might organize servers by
business unit or geography. Groups are defined by selecting the
grouping criteria from built-in fields or user-defined fields.
Demonstration: Installing and Configuring IPAM

In this demonstration, you will see how to install and configure IPAM management.
Demonstration Steps
Install and Configure IPAM

1. Log on to LON-SVR2 as Adatum\Administrator.
2. In Server Manager, add the IPAM feature and all required supporting features.
3. In the IPAM Overview pane, provision the IPAM server using Group Policy.
4. Enter IPAM as the Group Policy Object (GPO) name prefix, and provision IPAM.
5. In the IPAM Overview pane, configure server discovery for the Adatum domain.
6. In the IPAM Overview pane, start the server discovery process.

7.. In the IPAM

M Overview pane, add the se
ervers to be maanaged.
8.. Verify that IPAM access iss currently blo

ocked.
9.. Use Window ws PowerShelll to grant the IPAM
I server peermission to m
manage LON-D
DC1 by using tthe
following command:
Invoke-Ip
pamGpoProvisi
ioning Domain Adatum.co
om GpoPrefix
xName IPAM I
IpamServerFqd
dn
LON-SVR2.adatum.com DelegatedGp
oUser Admini strator
10
0. Set the man
nageability sta
atus to Manag
ged.
11
1. Switch to LON-DC1.
12
2. Force the update
u of Grou
up Policy.
13
3. Switch back
k to LON-SVR2
2 and refresh the
t IPv4 view.
14
4. In the IPAM
M Overview pane, retrieve da
ata from the m
managed serveer.
IP
PAM Mana
agement and
a Monittoring
Thhe IPAM ASM feature allowss you to efficie ently
view, monitor, and
a manage th he IP address space
s
onn the network. ASM supportts IPv4 public and a
private addressees, and IPv6 gllobal and uniccast
adddresses. Using
g the DNS and d DHCP server view,
yoou can view annd monitor health and
coonfiguration of all the DNS and
a DHCP servvers
th
hat are being managed
m by IP
PAM. IPAM use es
sccheduled taskss to periodicallly collect data from
managed
m servers. You can alsso retrieve dataa on
deemand by usin ng the Retriev ve All Server Data
D
opption.
Utilization
U Monitoring
M
Utilization data is maintained for IP addresss ranges, IP ad dress blocks, aand IP range ggroups within IIPAM.
Yo
ou can configu ure thresholds for the percenntage of the IPP address spacce that is utilized, and then u
use
th
hose thresholdds to determinee under-utiliza
ation and overr-utilization.
Yo
ou can perform a reporting for IPv4 addreess ranges, blo
m utilization trrend building and ocks, and range
groups. The utillization trend window
w allowss you to view ttrends over tim
me periods succh as daily, weekly,
monthly
m or annually, or you can
c view trends over custom m date ranges. Utilization datta from manag ged
DHCP scopes is auto-discoverred, and you canc view this d ata.
Monitoring
M DHCP
D and DNS
D
Using IPAM, you can monitorr DHCP and DN NS servers from
m any physica l location of th
he enterprise. One of
th
he primary ben nefits of IPAM is its ability to
o simultaneoussly manage mu ultiple DHCP sservers or DHC CP
sccopes that are spread across one or more DHCP servers.
he IPAM monitoring view allows you to vie

Th ew the status aand health of selected sets o
of Microsoft DDNS and
DHCP servers frrom a single co
onsole. IPAMss monitoring vview displays th he basic healthh of servers an
nd
re
ecent configuration events thhat occurred ono these serverrs. The monito oring view also
o allows you too
orrganize the maanaged serverrs into logical sever
s groups.
Foor DHCP serveers, the server view

v allows yo
ou to track variious server setttings, server o
options, the nu
umber of
sccopes, and the
e number of acctive leases tha
at are configurred on the servver. For DNS servers, this vieew
work Services
allows you to tracck all zones tha

at are configurred on the servver, along with
h details of the
e zone type. Th
he
view
w also allows you
y to see the total number of zones that aare configured d on the server, and the overall
zone health statuss as derived fro
om the zone status
s of indivi dual zones on
n the server.
DH
HCP Server Managemen
M nt
From
m the IPAM co
onsole, you can manage DHCP servers and
d perform the following actions:
Edit DHCP server properties
Edit DHCP server options
Create DHCP scopes

Configure pre
edefined optio
ons and valuess
Configure the
e user class acrross multiple servers
s simultaaneously
Create and ed
dit new and exxisting user cla ultiple servers simultaneously
asses across mu
Configure the
e vendor class across multiplle servers simu
ultaneously
Start the man

nagement conssole for a seleccted DHCP serrver
Retrieve serve
er data from multiple
m serverss
DN
NS Server Ma
anagementt
Youu can start the DNS managem ment console forf any manag ged DNS serveer from a centrral console in the
IPAMM server and retrieve
r server data from the of servers. Thee DNS Zone Monitoring view
e selected set o w
plays all the forward lookup and reverse lo
disp ookup zones o n all the DNS servers that IP PAM is currently
mannaging. For the e forward lookkup zones, IPA AM also displayys all the serveers that are hosting the zone
e, and
the aggregate hea alth of the zon
ne across all th
hese servers an
nd the zone prroperties.
The
e Event Cata
alog
The IPAM event catalog
c provide
es a centralized repository foor auditing all configuration
n changes that are
perfformed on DH HCP servers thaat are managed from a singl e IPAM manag gement conso ole. The IPAM
configuration eve ents console gaathers all of the configuratio
on events. Thesse configuratio
on event catalo
ogs
allows you to view w, query, and generate
g reports of the conssolidated confiiguration chan
nges, along witth
detaails specific to each record.
Co
onsideratio
ons for Imp
plementing IPAM
IPAMM is an agentless technology that uses
Winndows remote management protocols to
mannage, monitor,, and collect data from
distributed servers in the enviro
onment. As succh,
you should be awware of some im mplementation n
considerations.
Installation Co
onsideration
ns
Alth
hough IPAM is relatively simple to install, there
t
are certain consid
derations:
IPAM should not be installeed on a domaiin

controller, DH
HCP server, or DNS server.
The installatio
on wizard in Se
erver Managerr automaticallyy installs the feeatures require
ed to support
IPAM. There are
a no extra stteps required of
o the adminisstrator.
The IPAM client is installed automatically on Windows Server 2012 along with the IPAM server, but
you can uninstall the client separately.
You can uninstall IPAM by using Server Manager. All dependencies, local security groups, and
scheduled tasks will be deleted. The IPAM database will be detached from the Windows Internal
Database.
Functional Considerations
Consider the following IPAM functional specifications:
IPAM does not support multiple forest topologies.
IPAM can only use Windows Internal Database; it cannot use any other type of database.
The IPAM server must collect DHCP lease information to enable address tracking. Ensure that the
DHCP audit log file size is configured so that it is large enough to contain audit events for the entire
day.
For domain controllers and network policy servers, enable the required events for logging. You can
use Group Policy security settings to perform this task.
Administrative Considerations
Domain and enterprise administrators have full access to IPAM administration. You can delegate
administrative duties to other users or groups by using the IPAM security groups. The installation process
creates local security groups (which have no members by default) on the IPAM server. The local security
groups provide the permissions that are required for administering and using the multiple services that
IPAM employs.
IPAM installation automatically creates the local user groups listed it the following table.
Group Description
IPAM Users Members of this group can view all information in IPAM server
inventory, IP address space, and IPAM server management
consoles. They can view IPAM and DHCP server operational
events, but they cannot view IP address tracking information.
IPAM MSM Members of this group have all the privileges of the IPAM
Administrators Users group, and they can perform IPAM monitoring and
management tasks.
IPAM ASM Members of this group have all the privileges of IPAM Users
Administrators group, and they can perform IPAM IP address space tasks.
IPAM IP Audit Members of this group have all the privileges of IPAM Users
Administrators group, and they can view IP address tracking information.
IPAM Administrators Members of this group can view all IPAM information and
perform all IPAM tasks.
Migrating Existing IP Data Into IPAM

Many organizations use Microsoft Office Excel spreadsheets to document the IP address space allocation
for static addresses and network devices. Because these spreadsheets must be updated manually, they are
prone to error. You can migrate the existing data from these spreadsheets into IPAM by converting the
spreadsheets to .csv files, and then importing the information into IPAM.
Lab: Implementing Advanced Network Services

Scenario
A. Datum Corporation has grown rapidly over the last few years. The company has deployed several new
branch offices, and it has significantly increased the number of users in the organization. Additionally, it
has expanded the number of partner organizations and customers that are accessing A. Datum websites
and applications. Because of this expansion, the complexity of the network infrastructure has increased,
and the organization now needs to be much more aware of network level security.
As one of the senior network administrators at A. Datum, you are responsible for implementing some of
the advanced networking features in Windows Server 2012 to manage the networking infrastructure. You
need to implement new features in DHCP and DNS, with the primary goal of providing higher levels of
availability while increasing the security of these services. You also need to implement IPAM so that you
can simplify and centralize the management of the IP address usage and configuration in an increasing
complex network.
Objectives
Configure advanced DHCP settings.
Configure advanced DNS settings.

Configure IP address management.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
20412A-LON-CL1
Estimated time: 60 minutes
20412A-LON-DC1
20412A-LON-SVR1
Virtual Machine(s)
20412A-LON-SVR2
20412A-LON-CL1
User Name Adatum\Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2. Do not start 20412A-LON-CL1
until directed to do so.
Exercise 1: Configuring Advanced DHCP Settings

Scenario
With the expansion of the network, and the increased availability and security requirements at A. Datum
Corporation, you need to implement some additional DHCP features. Because of the recent business
expansion, the main office DHCP scope is almost completely utilized, which means you need to configure
a superscope. Additionally, you need to configure DHCP name protection and DHCP failover.
The main tasks for this exercise are as follows:
1. Configure a superscope
2. Configure DHCP name protection
3. Configure and verify DHCP failover
Task 1: Configure a superscope

1. On LON-DC1, configure a scope named Scope1, with a range of 192.168.0.50 192.168.0.100, and
with the following settings:
o Subnet mask: 255.255.255.0
o Router: 192.168.0.1
o DNS Suffix: Adatum.com
o Choose to activate the scope later

2. Configure a second scope named Scope2 with a range of 192.168.1.50 192.168.1.100, and with
the following settings:
o Subnet mask: 255.255.255.0
o Router: 192.168.1.1
o DNS Suffix: Adatum.com
o Choose to activate the scope later

3. Create a superscope called AdatumSuper that has Scope1 and Scope2 as members.
Task 2: Configure DHCP name protection

Switch to the DHCP console on LON-DC1, and enable DHCP Name Protection for the IPv4 node.
Task 3: Configure and verify DHCP failover

1. On LON-SVR1, start the DHCP console, and observe the current state of DHCP. Note that the server is
authorized, but no scopes are configured.
2. On LON-DC1, in the DHCP console, launch the Configure Failover Wizard.
3. Configure failover replication with the following settings:
o Partner server: 172.16.0.21
o Relationship Name: Adatum
o Maximum Client Lead Time: 15 minutes
o Mode: Load balance
o Load Balance Percentage: 50%
o State Switchover Interval: 60 minutes

o Message authentication shared secret: Pa$$w0rd
4. Complete the Configure Failover Wizard.
5. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active, and that Scope
Adatum is configured.
6. Start 20412A-LON-CL1, and log on as Adatum\Administrator.

7. Configure LON-CL1 to obtain an IP address from the DHCP server.
8. Open a command prompt window, and record the IP address.
9. Switch to LON-DC1, and stop the DHCP server service.
10. Switch back to LON-CL1 and renew the IP address.
11. Shut down the LON-SVR1 server.
12. On LON-DC1, in the Services console, start the DHCP server service.
13. Close the Services console.
Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection,
and configured and verified DHCP failover.
Exercise 2: Configuring Advanced DNS Settings

Scenario
To increase the level of security for the DNS zones at A. Datum, you need configure DNS security settings
such as DNSSEC, DNS socket pool, and cache locking. A. Datum has a business relationship with Contoso,
Ltd, and will host the Contoso.com DNS zone. A. Datum clients use an application that accesses a server
named App1 in the Contoso.com zone by using its NetBIOS name. You need to ensure that these
applications can resolve the names of the required servers correctly. You will employ a GlobalNames zone
to achieve this.
1. Configure DNSSEC.
2. Configure the DNS socket pool.
3. Configure DNS cache locking.
4. Configure a GlobalName Zone.
Task 1: Configure DNSSEC

1. On LON-DC1, start the DNS Manager.
2. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all the default settings.
3. Verify that the DNSKEY resource records have been created in the Trust Points zone.
4. Minimize the DNS console.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix, and that requires DNS clients to verify that the name and address data were
validated.
Task 2: Configure the DNS socket pool

1. On LON-DC1, start a command prompt with elevated credentials.
2. Run the following command to view the current size of the socket pool.
dnscmd /info /socketpoolsize
3. Run the following command to change the socket pool size to 3,000.
dnscmd /config /socketpoolsize 3000
4. Restart the DNS service.
5. Run dnscmd to confirm the new socket pool size.
Task 3: Configure DNS cache locking

1. Run the following command to view the current cache lock size.
dnscmd /info /CacheLockingPercent
2. Run the following command to change the cache lock value to 75 percent.
dnscmd /config /CacheLockingPercent 75
3. Restart the DNS service.
4. Run dnscmd to confirm the new cache lock value.
Task 4: Configure a GlobalName Zone

1. Create an Active Directory integrated forward lookup zone named Contoso.com, by running the
following command:
Dnscmd LON-DC1 /ZoneAdd Contoso.com /DsPrimary /DP /forest
2. Run the following command to enable support for GlobalName zones:
dnscmd lon-dc1 /config /enableglobalnamessupport 1
3. Create an Active Directory integrated forward lookup zone named GlobalNames by running the
following command:
Dnscmd LON-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest
4. Open the DNS Manager console and add a new host record to the Contoso.com domain named
App1 with the IP address of 192.168.1.200.
5. In the GlobalNames zone, create a new alias named App1 using the FQDN of App1.Contoso.com.
6. Close DNS Manager and close the command prompt.
Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS
cache locking, and the GlobalName zone.
Exercise 3: Configuring IP Address Management

Scenario
A. Datum Corporation is evaluating solutions for simplifying IP management. Since implementing
Windows Server 2012, you have decided to implement IPAM.
1. Install the IPAM feature.
2. Configure IPAMrelated GPOs.
3. Configure IP management server discovery.
4. Configure managed servers.
5. Configure and verify a new DHCP scope with IPAM..
6. Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records
Task 1: Install the IPAM feature

On LON-SVR2, install the IP Address Management (IPAM) Server feature.
Task 2: Configure IPAMrelated GPOs

1. In Server Manager, in the IPAM Overview pane, provision the IPAM server using Group Policy.
2. Enter IPAM as the GPO name prefix, and provision IPAM using the Provision IPAM Wizard.
Task 3: Configure IP management server discovery

1. In the IPAM Overview pane, configure server discovery for the Adatum domain.
2. In the IPAM Overview pane, start the server discovery process.
Task 4: Configure managed servers

1. In the IPAM Overview pane, add the servers that you need to manage. Verify that IPAM access is
currently blocked.
2. Use Windows PowerShell to grant the IPAM server permission to manage LON-DC1 by running the
following command:
Invoke-IpamGpoProvisioning Domain Adatum.com GpoPrefixName IPAM IpamServerFqdn

LON-SVR2.adatum.com DelegatedGpoUser Administrator
3. Set the manageability status to Managed.
4. Switch to LON-DC1, and force the update of Group Policy using the gpupdate /force.
5. Return to LON-SVR2 and refresh the server access status for LON-DC1 and the IPv4 console view. It
may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks as needed
until a green check mark displays next to LON-DC1 and the IPAM Access Status shows Unblocked.
6. In the IPAM Overview pane, retrieve data from the managed server.
Task 5: Configure and verify a new DHCP scope with IPAM

1. On LON-SVR2, use IPAM to create a new DHCP scope with the following parameters:
o Scope start address: 10.0.0.50
o Scope end address: 10.0.0.100

o Subnet mask: 255.0.0.0
o Default gateway: 10.0.0.1
2. On LON-DC1, verify the scope in the DHCP MMC.

Task 6: Configure IP address blocks, record IP addresses, and create DHCP

reservations and DNS records
1. On LON-SVR2, add an IP address block in the IPAM console with the following parameters:
o Network ID: 172.16.0.0
o Prefix length: 16
o Description: Head Office
2. Add IP addresses for the network router by adding to the IP Address Inventory with the following
parameters:
o IP address: 172.16.0.1
o MAC address: 112233445566
o Device type: Routers
o Description: Head Office Router
3. Use the IPAM console to create a DHCP reservation as follows:

o Device type: Host
o Reservation server name: LON-DC1.Adatum.com
o Reservation name: Webserver
o Reservation type: Both
4. Use the IPAM console to create the DNS host record as follows:
o Device name: Webserver
o Forward lookup zone: Adatum.com

o Forward lookup primary server: LON-DC1.adatum.com
5. Right-click the IPv4 entry and create the DHCP reservation and create the DNS Host record.
6. On LON-DC1, open the DHCP console and confirm that the reservation was created in the 172.16.0.0
scope.
7. On LON-DC1, open the DNS Manager console. Confirm that the DNS host record was created.
Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAM-
related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP
addresses, DHCP reservations, and DNS records.
To prepare for the next module

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2 and 20412A-LON-CL1.

Module Review and Takeaways

Question: What is one of the drawbacks to using IPAM?
Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip
Users can no longer access a vendors

website that they have always been able
to access in the past.
Managed servers are unable to connect to

the IPAM server.
Real-world Issues and Scenarios

Some network clients are receiving incorrect DHCP configuration. What tool should you use to start
troubleshooting?
Answer: The IPConfig /All command will tell you if the client is receiving DHCP configuration and the IP
address of the DHCP server from which the configuration came.
What are some possible causes of the incorrect configurations?
Answer: There may be a rogue DHCP server on the network. Common things to look for will be gateway
devicessuch as cable modems or PBX boxesthat have a DHCP component enabled. Another
possibility is that someone has manually configured the IP address on the client.
Best Practice
Implement DHCP failover to ensure that client computers can continue to receive IP configuration
information in the event of a server failure.
Ensure that there are at least two DNS servers hosting each zone.
Use IPAM to control IP address distribution and static address assignments.
Tools
Tool Use Location
Dnscmd Configure all aspects of %systemroot%\System32\dnscmd.exe

DNS management
DHCP console Control all aspects of %systemroot%\System32\dhcpmgmt.msc

DHCP management
from a user interface
DNS console Control all aspects of %systemroot%\System32\dnsmgmt.msc

DNS management
from a user interface
IPAM Management Control all aspects of Server Manager

console IPAM management
2-1
Module 2
Implementing Advanced File Services
Contents:
Module Overview 2-1
Lesson 1: Configuring iSCSI Storage 2-2
Lesson 2: Configuring BranchCache 2-9
Lesson 3: Optimizing Storage Usage 2-16
Lab A: Implementing Advanced File Services 2-22
Lab B: Implementing BranchCache 2-28
Module Overview
Storage space requirements have been increasing since the inception of server-based file shares. The
Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk
space that is required, and to manage physical disks effectively: Data deduplication, and Storage Spaces.
This module provides an overview of these features, and explains the steps required to configure them.
In addition to minimizing disk space, another storage concern is the connection between the storage and
the remote disks. Internet SCSI (iSCSI) storage in Windows Server 2012 is a cost-effective feature that
helps create a connection between the servers and the storage. To implement iSCSI storage in Windows
Server 2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. In
organizations with branch offices, you have to consider slow links and how to use these links efficiently
when sending data between your offices. The Windows BranchCache feature in Windows Server 2012
helps address the problem of slow connectivity. This module explains the BranchCache, feature, and the
steps to configure it.
Objectives
After completing this module, you will be able to:
Configure iSCSI storage.

Configure BranchCache.
Optimize storage usage.
Implement advanced file services.

2-2 Implementing Advanced File Seervices
Lesson 1
Config
guring iSCSI Sto
orage
iSCSSI storage is an
n inexpensive and
a simple wa ay to configuree a connectionn to remote dissks. Many
appplication requirrements dictate that remote storage conneections must b be redundant in nature for faault
erance or high availability. In addition, man
tole ny companies already have ffault tolerant n networks, in w which
the networks are cheap to keep p redundant ass opposed to u using storage aarea networks (SANs). In thiss
lesson, you will leaarn how to creeate a connecttion between sservers and iSC CSI storage. Yo ou will performm
thesse tasks by using IP-based iS SCSI storage. You
Y will also leaarn how to creeate both single and redund dant
connections to an n iSCSI target. You ng the iSCSI in itiator softwarre that is availaable in
Y will practiice this by usin
Winndows Server 2012.
2
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Describe iSCS
SI and its comp
ponents.
erver and the iSCSI initiator.
Describe the iSCSI target se
Describe options for implem

menting high availability
a forr iSCSI.
Describe iSCS
SI security options.
Configure the
e iSCSI target.
Connect to iS
SCSI storage.
Describe conssiderations forr implementing

g the iSCSI sto
orage solution..
Wh
hat Is iSCSI?
iSCS
SI is a protocol that supportss access to rem mote,
SCSI-based storag ge devices ove er a TCP/IP nettwork.
iSCS
SI carries stand
dard SCSI commands over IP P
netw
works to facilittate data transsfers over intra
anets,
and to manage sttorage over lon ng distances. You
Y
can use iSCSI to trransmit data over
o local area
netw
works (LANs), wide
w area netwworks (WANs),, or
even over the Inteernet.
iSCS
SI relies on standard Etherne et networking
arch
hitecture. Speccialized hardwa are such as hoost
bus adapters (HBA A) or network switches are
optional. iSCSI usees TCP/IP (typiically, TCP porrt
3260). This meanss that iSCSI simmply enables tw wo hosts to neegotiate tasks (for example, session
esta
ablishment, floow control, andd packet size,), and then exc hange SCSI co ommands by u using an existin
ng
Ethe
ernet network.. By doing thiss, iSCSI uses a popular,
p high performance, local storage b bus subsystem
m
arch
hitecture, and emulates it ovver LANs and WANs,
W g a SAN. Unlikke some SAN ttechnologies, iSCSI
creating
requ
uires no specia alized cabling. You can run it over the exissting switching
g and IP infrasttructure. Howe
ever,
you can increase the
t performan nce of an iSCSI SAN deploym ment by operatting it on a deedicated netwo ork or
subnet, as best prractices recommend.
Note: Althoough you can use a standard d Ethernet netw

work adapter to connect the
e server to
the iSCSI storage device, you ca
an also use ded
dicated iSCSI H
HBAs.
An iSCSI SAN de
eployment inccludes the follo
owing:
TCP/IP netw work. You can use standard network interfface adapters and standard Ethernet proto ocol
network sw witches to connnect the serverrs to the storagge device. To p
provide sufficient performannce, the
network should provide speeds
s of at le
east 1 gigabit pper second (Gbbps), and shouuld provide muultiple
paths to the e iSCSI target. As a best pracctice, use a ded
dicated physiccal and logical network to acchieve
fast, reliable
e throughput.
iSCSI targetts. This is another method off gaining acceess to storage. iSCSI targets p present or advvertise
storage, sim
milar to contro d drives of llocally attacheed storage. However, this sto
ollers for hard disk orage is
accessed ovver a network, instead of loccally. Many sto orage vendors implement haardware-level iiSCSI
targets as part
p of their sto orage devicess hardware. Ot her devices orr appliancesssuch as Windo ows
Storage Serrver 2012 devicesimpleme ent iSCSI targeets by using a ssoftware driver together with at
least one Etthernet adapte er. Windows Server 2012 pro ovides the iSCSSI target serve
erwhich is efffectively
a driver for the iSCSI prottocolas a rolle service.
iSCSI initiattors. The iSCSI target displayys storage to th

he iSCSI initiator (also knownn as the client)), which
acts as a loccal disk contro
oller for the remmote disks. Al l versions of W
Windows Serve er starting from
m
Windows Server 2008 incclude the iSCSII initiator, and can connect tto iSCSI targets.
iSCSI Qualiffied Name (IQN). IQNs are unique

u identifieers that are ussed to address initiators and targets
on an iSCSI network. Whe en you configu ure an iSCSI taarget, you musst configure th he IQN for the iSCSI
initiators th
hat will be connecting to the onnect to the iSCSI
e target. iSCSI iinitiators also use IQNs to co
targets. However, if name n the iSCSI nettwork is a posssible issue, iSCSI endpoints (both
e resolution on
target and initiator) can always
a be idenntified by theirr IP addresses.
Question: Can you use your

y organizatiions internal TTCP/IP networrk to provide iSSCSI?
iS
SCSI Targe
et Server and iSCSI In
nitiator
Th
he iSCSI targett server and th
he iSCSI initiato
or are
de
escribed beloww.
iS
SCSI Target Server
Th
he iSCSI targett server role se
ervice providess for
so
oftware-based and hardware e-independentt iSCSI
diisk subsystemss. You can use the iSCSI target
se e iSCSI targets and iSCSI virtu
erver to create ual
diisks. You can then use Server Manager to
manage
m these iSCSI targets an
nd virtual disks.
he iSCSI targett server included in Window

Th ws
Se
erver 2012 proovides the folloowing function
nality:
Network/diiskless boot. Byy using boot-ccapable netwo ork adapters or a software lo oader, you can use
iSCSI targetts to deploy diiskless servers quickly. By usiing differencin
ng virtual diskss, you can save
e up to
90 percent of the storage e space for the e operating sysstem images. TThis is ideal for large deployyments
of identical operating sysstem images, such
s as a Hypeer-V server farm, or high-pe erformance
computing (HPC) clusterss.
Server application storage. Some appliccations such a s Hyper-V and d Microsoft Exchange Serve er
require block storage. The iSCSI target server can pro ovide these ap pplications withh continuouslyy
available bllock storage. Because
B the sto
orage is remottely accessible, it can also co
ombine block sstorage
for central or branch officce locations.
2-4 Implementing Advanced File Seervices
Heterogeneo
ous storage. iSC
CSI target server supports iSC
CSI initiators that are not baased on the
Windows op
perating systemm, so you can share storage on Windows sservers in mixe ed environmen
nts.
Lab environmments. The iSCS SI target server role enables your Window ws Server 2012 computers to be
network-acce essible block sttorage devicess. This is usefull in situations iin which you w
want to test
applications before
b deployiing them on SAN storage.
iSCSSI target servers that providee block storage net network; no additional
e utilize your eexisting Ethern
harddware is required. If high ava ailability is an important critterion, consideer setting up a high availability
gh availability cluster, you wiill need shared
clusster. With a hig d storage for the clustereitther hardware e Fibre
Chaannel storage, or a Serial Atta ached SCSI (SA AS) storage arrray. The iSCSI ttarget server integrates directly
into
o the failover cluster feature as a cluster role.
iSC
CSI Initiator
The iSCSI initiatorr service has be
een a standard
d component iinstalled by deefault since Wiindows Server 2008
and Windows Vistta. To connect your compute mply start the Microsoft iSCSSI
er to an iSCSI ttarget, you sim
Initiiator Service and configure it.
The new features in Windows Server 2012 incclude:
Authenticatioon. You can enable Challenge Handshake A Authentication n Protocol (CH HAP) to authennticate
nections, or you can enable reverse
initiator conn r CHAP tto allow the in
nitiator to auth
henticate the iSSCSI
target.
Query initiato
or computer fo
or ID. This is on ws Server 2012.
nly supported with Windowss 8 or Window
Additional Reading: Forr more informa

ation about th e introduction
n of iSCSI targe
ets in
Win
ndows Server 2012,
2 refer to:
http
p://blogs.techn
net.com/b/fileccab/archive/20
012/05/21/intrroduction-of-iiscsi-target-in--windows-
servver-2012.aspx
Question: When would you

u consider imp
plementing disskless booting
g from iSCSI targets?
Op
ptions for Implemen
I ting High Availabilitty for iSCSSI
In addition to connfiguring the basic
b iSCSI targ
get
servver and iSCSI in
nitiator setting
gs, you can
inte
egrate these seervices into mo ore advanced
configurations.
Con
nfiguring iS
SCSI for High Availabiliity
Creaating a single connection to iSCSI storage
mak ge available. However, it doe
kes that storag es not
mak ke that storage
e highly available. Losing the
e
connection resultss in the server losing access to its
storrage. Thereforee, most iSCSI storage
s
connections are made
m redundant through one of
twoo high availability technologies: Multiple
Connnection Sessioon (MCS) and Multipath I/O (MPIO).
Alth
hough similar in i results they achieve, these
e two technolo hes to achieve high
ogies use diffe rent approach
avaiilability for iSC
CSI storage connnections.
MCS
M is a feature
e of the iSCSI protocol
p that:
Enables mu
ultiple TCP/IP connections
c from the initiato
or to the targeet for the same
e iSCSI session.
Supports au
utomatic failovver. If a failure
e occurs, all ou tstanding iSCSSI commands aare reassigned
d to
another connection automatically.
Requires exxplicit support by iSCSI SAN devices, altho ugh the Wind ows Server 2012 iSCSI target server
role supporrts it.
MPIO
M provides redundancy differently. MPIIO:
If you have have multiple

e network interface cards (N ICs) in your iSC
CSI initiator an
nd iSCSI targett server,
you can use ovide failover redundancy du
e MPIO to pro uring network outages.
Requires a device-specificc module (DSMM) if you wantt to connect to

o a third-party SAN device th
hat is
connected to the iSCSI in
nitiator. The Windows operatting system inccludes a defauult MPIO DSM that is
installed as the MPIO feature within Server Manager..
Is widely su
upported. Man ny SANs can usse the default DSM without any additional software, while
others requuire a specialized DSM from the manufactu urer.
mplex to configure, and is no
Is more com ot as fully auto
omated during
g failover as M
MCS.
iS
SCSI Securrity Option
ns
Be ecause iSCSI iss a protocol that provides acccess to
sttorage devices over a TCP/IP P network, it is crucial
th
hat you secure your iSCSI sollution to prote ect it
from malicious users or attack ks. You can mitigate
rissks to your iSC
CSI solution byy providing seccurity at
vaarious infrastru
ucture layers. The
T term defen nse-in-
deepth is often used to describ be the use of multiple
m
se
ecurity technologies at differrent points
th
hroughout you ur organization n.
Defense-in-Dep
pth security strrategy includess:
Policies, pro
ocedures, and awareness. Ass a
security besst practice, seccurity policy
measures need
n to operatte within the co ontext of orgaanizational pollicies. For exam
mple, consider
enforcing a strong user password
p policy throughout the organizatiion, but having g an even stro
onger
administrattor password policy
p for accessing iSCSI sto
orage devices aand computers that have iSC CSI
manageme ent software installed.
Physical seccurity. If any unauthorized person

p can gain orage devices or a
n physical acceess to iSCSI sto
computer ono your netwo ork, then most other securityy measures aree not useful. Yo ou must ensuree that
iSCSI storag
ge devices, the e computers th hat manage th hem, and the servers to which they are con nnected
are physically secure, and d that access iss granted to au
uthorized perssonnel only.
Perimeter. Perimeter netw works mark the boundary beetween public and private networks. Proviiding
firewalls and reverse proxxy servers in th
he perimeter n
network enablees you to provvide more secuure
corporate services
s across the public nettwork, and to prevent possib
ble attacks on the iSCSI storaage
devices fromm the Internett.
Networks. Once
O you conn nect iSCSI storrage devices to
o a network, th hey are suscep ptible to a nummber of
threats. The
ese threats include eavesdro opping, spoofin ng, denial of seervice, and rep
play attacks. Yoou
should use authentication n such as CHA AP, to protect ccommunication between iSC CSI initiators an
nd iSCSI
2-6 Implementing Advanced File Services
targets. You might also consider implementing Internet Protocol security (IPsec) for encrypting the
traffic between iSCSI initiators and iSCSI targets. Isolating iSCSI traffic to its own virtual LAN (VLAN)
also strengthens security by not allowing malicious users that are connected on corporate VLAN
network to attack iSCSI storage devices that are connected to a different VLAN. You should also
protect network equipment such as routers and switches that are used by iSCSI storage devices, from
unauthorized access.
Host. The next layer of defense is the protection layer for the host computers that are connected to
iSCSI storage devices. You must maintain secure computers by using the latest security updates. You
should consistently use the Windows Update feature in Windows operating systems to keep your
operating system up-to-date. You also have to configure security policies such as password
complexity, configure the host firewall, and install antivirus software.
Application. Applications are only as secure as their latest security update. For applications that run
on your servers but do not integrate in Windows Update, you should regularly check for security
updates issued by the application vendor. You should also update the iSCSI management software
according to vendor recommendations and best practices.
Data. This is the final layer of security. To help protect your network, ensure that you are using file
user permissions properly. Do this by using BitLocker, Access Control Lists (ACLs), implementing the
encryption of confidential data with Encrypting File System (EFS), and performing regular backups of
data.
Demonstration: Configuring an iSCSI Target

In this demonstration. you will see how to:
Add the iSCSI target server role service.

Create two iSCSI virtual disks and an iSCSI target.
Demonstration Steps
Add the iSCSI Target Server Role Service

1. On LON-DC1, open Server Manager.
2. In the Add Roles and Features Wizard, install the following roles and features to the local server, and
accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
Create two iSCSI virtual disks and an iSCSI target

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.
2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk. Create a virtual disk with the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
o iSCSI target: New
o Target name: LON-SVR2
o Access servers: 172.16.0.22
3. On the View results page, wait until creation completes, and then close the View Results page.
4.. In the iSCSII VIRTUAL DISK KS pane, click TASKS, and th hen in the TAS
SKS drop-dow
wn list, click Ne
ew iSCSI
Virtual Dissk. Create a virrtual disk that has these settiings:
o Name: iSCSIDisk2
o Disk sizze: 5 GB
o iSCSI ta
arget: LON-SV
VR2
5.. On the View
w results page, wait until crreation compleetes, and then
n close the View
w Results pag
ge.
Demonstra
D ation: Conn
necting to the iSCSI Storage
In
n this demonsttration, you will see how to:
Connect to the iSCSI targ

get
Verify the presence

p of the
e iSCSI drive
Demonstrati
D ion Steps
Connect
C to the iSCSI tarrget
1.. Log on to LON-SVR2
L with
h username off Adatum\Adm
ministrator a nd password P
Pa$$w0rd.
2.. Open Serve

er Manager, an
nd on the Too
ols menu, open
n iSCSI Initiato
or.
3.. In the iSCSI Initiator Pro

operties dialog
g box, configu ng:
ure the followin
o Quick Connect:
C LON-DC1
o Discove
er targets: iqn
n.1991-05.com
m.microsoft:lo
on-dc1-lon-sv
vr2-target
Verify
V the prresence of the iSCSI driive
1.. In Server Manager,
M on the Tools menu, open Compu
uter Managem
ment.
2.. In the Computer Manage ement consolee, under Storag ge node, acceess Disk Mana agement. Notiice that
the new dissks are added. However, theyy all are curren
ntly offline and
d not formatte
ed.
3.. Close the Computer

C Man
nagement conssole.
Considerat
C ions for Im
mplementiing iSCSI SStorage
When
W designingg your iSCSI sttorage solution
n,
co
onsider following best practiices:
n on at least 1 Gbps
Deploy the iSCSI solution
networks.
High availability design fo or network

infrastructuure is crucial be
ecause data froom
servers to iSSCSI storage iss transferred th
hrough
network de evices and com mponents. (Hig gh
availability considerations were explain ned
earlier in th
his module.)
Design an appropriate
a se
ecurity strategyy for
the iSCSI storage solution
n. (Security connsiderations an explained earlier in
nd recommen dations were e
this modulee.)
Read the vendor-specific best practices for different types of deployments and applications that will
use iSCSI storage solution, such as Exchange Server and Microsoft SQL Server.
IT personnel who will be designing, configuring, and administering the iSCSI storage solution must
include IT administrators from different areas of specialization, such as Windows Server 2012
administrators, network administrators, storage administrators, and security administrators. This is
necessary so that the iSCSI storage solution has optimal performance and security, and has consistent
management and operations procedures.
When designing an iSCSI storage solution, the design team should also include application-specific
administrators, such as Exchange Server administrators and SQL server administrators, so that you can
implement the optimal configuration for the specific technology or solution.
Lesson
n2
Configuring Branch
hCache
Brranch offices have
h unique management
m ch
hallenges. A brranch office tyypically has slo
ow connectivityy to the
en
nterprise netw work and limite ed infrastructure for securing
g servers. Also,, you need to b back up data tthat you
maintain
m in you
ur remote bran nch offices, which is why org anizations preefer to centralizze data where e
poossible. Thereffore, the challe
enge is being able
a to providee efficient acceess to networkk resources forr users
in
n branch officees. The BranchC Cache helps yo ou overcome tthese problem ms by caching ffiles so they do
o not
haave to be transferred repeattedly over the network.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe ho
ow BranchCache works.
Describe BrranchCache requirements.
Explain how
w to configure
e BranchCache server setting
gs.
Explain how
w to configure
e BranchCache client settingss.
Explain how
w to configure
e BranchCache.
Explain how
w to monitor BranchCache.
B
How
H Does BranchCacche Work??
Th
he BranchCach he feature introduced with
Windows
W Server 2008 R2 and Windows 7 re educes
th
he network usee on WAN con nnections betw
ween
branch offices and
a headquartters by locally
ca
aching frequenntly used files on computers in the
branch office.
BrranchCache immproves the peerformance of

ap at use one of the following
pplications tha
protocols:
HTTP or HT
TTPS protocolss. These protoccols are
used by we
eb browsers an
nd other appliccations.
MB), including signed SMB trraffic protocoll. This protocol is used for acccessing
Server messsage block (SM
shared fold
ders.
Background d Intelligent Trransfer Service
e (BITS). A Win
ndows compon nent that distriibutes contentt from a
server to clients by using only idle netw work bandwidtth. BITS is also a componentt used by Syste em
Center Con nfiguration Manager.
BrranchCache re etrieves data frrom a server when
w the clientt requests the data. Because BranchCache is a
pa ease WAN use.. BranchCache only caches the read reque
assive cache, itt will not incre ests, and will no
ot
in
nterfere when a user saves a file.
BrranchCache im
mproves the reesponsiveness of
o common neetwork applicaations that acccess intranet se ervers
accross slow WA
AN links. Because BranchCachhe does not reequire addition
nal infrastructu
ure, you can im
mprove
th
he performancce of remote networks by deeploying Windo ows 7 or Winddows 8 to cliennt computers, and by
deeploying Wind
dows Server 20008 R2 and Wiindows Server 2012 to serveers, and then enabling the
BrranchCache fe
eature.
BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end IPsec. You can use BranchCache to reduce network bandwidth use and to
improve application performance, even if the content is encrypted.
You can configure BranchCache to use hosted cache mode or distributed cache mode:
Hosted cache. This mode operates by deploying a computer that is running Windows Server 2008 R2
or newer versions as a hosted cache server in the branch office. Client computers are locating the host
computer so that they can retrieve content from the hosted cache when available. If the content is
not available in the hosted cache, the content is retrieved from the content server by using a WAN
link and then provided to the hosted cache so that the successive client requests can get it from
there.
Distributed cache. For smaller remote offices, you can configure BranchCache in the distributed cache
mode without requiring a server. In this mode, local client computers running Windows 7 or Windows
8 maintain a copy of the content and make it available to other authorized clients that request the
same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted
Cache mode, this configuration works per subnet only. In addition, clients who hibernate or
disconnect from the network cannot provide content to other requesting clients.
Note: When using BranchCache, you may use both modes in your organization, but you
can configure only one mode per branch office.
BranchCache functionality in Windows Server 2012 has improved in the following ways:
BranchCache allows for more than one hosted cache server per location to allow for scale.
A new underlying database uses the Extensible Storage Engine (ESE) database technology from
Exchange Server. This enables a hosted cache server to store significantly more data (even up to
terabytes).
A simpler deployment means that you do not need a Group Policy Object (GPO) for each location. To
deploy BranchCache, you only need a single GPO that contains the settings. This also enables clients
to switch between hosted cache mode and distributed mode when they are traveling between
locations without the need to use site-specific GPOs, which should be avoided in multiple scenarios.
How Client Computers Retrieve Data by Using BranchCache

When BranchCache is enabled on a client computer and a server, the client computer performs the
following process to retrieve data when using the HTTP, HTTPS, or SMB protocol:
1. The client computer that is running Windows 8 connects to a content server that is running Windows
Server 2012 in the head office, and requests content similar to how it would retrieve content without
using BranchCache.
2. The content server in the head office authenticates the user and verifies that the user is authorized to
access the data.
3. Instead of sending the content itself, the content server in the head office returns identifiers or hashes
of the requested content to the client computer. The content server sends that data over the same
connection that the content would have typically been sent.
4. Using retrieved identifiers, the client computer does the following:
o If you configure it to use distributed cache, the client computer multicasts on the local subnet to
find other client computers that have already downloaded the content.
o If you configure it to use hosted cache, the client computer searches for the content on the
configured hosted cache.
5.. If the conte

ent is available
e in the branch
h office, either on one or mo ore clients or o
on the hosted ccache,
the client computer retrieeves the data from
f the brancch office. The client computter also ensure
es that
the data is updated and hash not been tampered
t with
h or corrupted .
6.. If the conteent is not available in the rem

mote office, thhen the client ccomputer retriieves the conteent
directly from the server across
a the WAN N link. The clieent computer tthen either maakes it availablle on
the local neetwork to othe er requesting client
c computeers (distributed d cache mode)) or sends it to
o the
hosted cach he, where it is made availablle to other clieent computers .
BranchCach
B he Require
ements
BrranchCache op ptimizes trafficc flow between n head
nch offices. Windows Server 2008
offfices and bran
R22, Windows Se erver 2012, and d client compu uters
ru
unning Window ws 7 and Wind dows 8 can benefit
from using Bran nchCache. (Earrlier versions of
o
Windows
W operaating systems dod not benefit from
th ou can use BranchCache to cache
his feature.) Yo c
onnly the conten d on file servers or
nt that is stored
w servers that are running Windows Servver
web
20008 R2 or Windows Server 2012.
2
Requirement
R ts for Using
g BranchCacche
To
o use BranchCCache for file se
ervices, you must
pe
erform the following tasks:
Install the BranchCache

B fe
eature or the BranchCache
B ffor Network Fiiles role service
e on the host sserver
that is runnning Windows Server 2012.
Configure client
c compute
ers either by using Group Po
olicy or the nettsh branchcacche set servicce
command.
If you want to use
u BranchCache to cache co
ontent from th orm following tasks:
he file server, yyou must perfo
Install BranchCache for th

he Network Filles role servicee on the file seerver.
Configure hash
h publicatio
on for BranchC
Cache.
Create Bran
nchCacheenabled file share
es.
If you want to use

u BranchCache for cachingg content from
m the web servver, you must install the
BrranchCache feeature on the web
w server. You do not need
d additional co
onfigurations.
BrranchCache is supported on the full installlation and Servver Core installation of Wind
dows Server 20
012. By
de
efault, BranchC nstalled on Windows Server 2012.
Cache is not in
Requirement
R ts for Distributed Cach
he Mode and
d Hosted Ca
ache Mode
In
n the Distribute
ed Cache mod de, BranchCach he works acrosss a single subnet only. If clie
ent computerss are
co
onfigured to use
u the Distribu uted Cache mo ode, any clientt computer ca n use a multicast protocol caalled
WS-Discovery
W to
o search locallly for the computer that hass already down nloaded and caached the con
ntent.
Yoou should connfigure the clie
ent firewall to enable
e incomin ng traffic, HTTTP, and WS-Disscovery.
In
n clients, however, they will search
s for a ho
osted cache se rver, and if on
ne is discovered
d, clients
au
utomatically seelf-configure as
a hosted cach he mode clientts. In the Hosteed Cache mod de, the client
co
omputers auto omatically self--configure as hosted
h cache m
mode clients, aand they will ssearch for the host
se
erver so that th
hey can retrievve content from m the Hosted Cache. Furthermore, you can use Group P Policy so
2-12 Implemennting Advanced File Services
S
thatt you can use the

t FQDN of the hosted cache servers or eenable automaatic Hosted Caache discoveryy by
Servvice Connectio
on Points (SCPss). You must co
onfigure a fireewall to enablee incoming HT
TTP traffic from
m the
Hossted Cache servver.
In both
b cache mo
odes, BranchCa ache uses the HTTP
H protocol for data transsfer between cclient compute
ers
ng the cached data.
and the computer that is hostin
Co
onfiguring BranchCache Serverr Settings
You
u can use BrancchCache to cache web conteent,
which is delivered
d by HTTP or HTTPS.
H You can
n also
use BranchCache to cache shareed folder content,
which is delivered
d by the SMB protocol.
p
The following table lists the servvers that you can
c
configure for Bran
nchCache.
Se
erver Description
Web
W server or BITS
B server To configure a Windo ws Server 2012 web server o or an
application server thatt uses the BITSS protocol, insttall
the BrannchCache featu ure. Ensure thaat the BranchC
Cache
service has
h started. Th hen, configure clients who will use
the BrannchCache featu ure. No additioonal web serveer
configurration is requirred.
File server You musst install the B ranchCache fo or the Networkk Files
role servvice of the Filee Services serveer role before yyou
enable BranchCache
B fo
for any file shaares. After you install
the BrannchCache for t he Network Fiiles role service e, use
Group Policy
P to enabl e BranchCachee on the serve er. You
must the en configure eeach file share to enable
BranchCCache.
Hosted cache se
erver For the Hosted
H Cache mode, you m ust add the
BranchC Cache feature tto the Window ws Server 20122
server th
hat you are co nfiguring as a Hosted Cache e
server.
To help secure commu nt computers use
unication, clien
Transport Layer Securiity (TLS) when communicating
with thee Hosted Cachee server.
By defauult, BranchCac he allocates fivve percent of the
disk space on the activve partition fo
or hosting cachhe
data. Hoowever, you caan change this value by using
Group Policy
P or the ne
etsh tool by ruunning netsh
branchccache set cach hesize commaand.
Configuring
C g BranchC
Cache Clien
nt Settingss
Yoou do not havve to install the
e BranchCache e
fe
eature on cliennt computers, because
b BrancchCache
is already includ
ded if the clien
nt is running
Windows
W 7 or Windows
W 8. Hoowever, Branch hCache
is disabled by default on cliennt computers. ToT
ennable and configure BranchC Cache, you mu ust
peerform the following steps:
1.. Enable Bran

nchCache.
2.. Enable the Distributed Ca

ache mode or the
Hosted Cacche mode. Win ndows 8 clients can
use either mode
m dynamiccally.
3.. Configure the

t client firew
wall to enable BranchCache
B p
protocols.
Enabling Bra
anchCache
Yo
ou can enable the BranchCa
ache feature on
n client compu
uters by using Group Policy, or by using th
he
ne
etsh branchcaache set serviice command.
To
o enable BrancchCache settin
ngs by using Group
G Policy, p
perform the folllowing steps ffor a domain-b
based
GPO:
1.. Open the Group

G Policy Management
M Console.
C
2.. Create a GP e linked to the organizationaal unit where cclient compute

PO that will be ers are located
d.
3.. In a GPO, browse

b to Com
mputer Config guration, Policcies, Adminisstrative Temp
plates: Policy
definitionss (ADMX filess) retrieved frrom the local computer, N etwork, and tthen click
BranchCacche.
4.. Enable Turn on BranchC

Cache setting in
i GPO.
Enabling the
e Distributed
d Cache Mo
ode or Hoste
ed Cache M
Mode
Yo
ou can configu
ure the Branch
hCache mode on puters by usin g Group Policyy, or by using the
o client comp
ne
etsh branchcaache set serviice command.
To
o configure BrranchCache mo
ode by using Group
G Policy, p
perform the fo
ollowing steps for a domain--based
GPO:
1.. Open the Group

G Policy Management
M Console.
C
2.. Create a GP e linked to the organizationaal unit where cclient compute

PO that will be ers are located
d.
3.. In a GPO, browse

b to Com
mputer Config guration, Policcies, Adminisstrative Temp
plates: Policy
definitionss (ADMX filess) retrieved frrom the local computer, N etwork, and tthen click
BranchCacche.
4.. Choose eith her the Distributed Cache orr the Hosted C Cache mode. Y You may also e enable both the
Distributed Cache mode and Automatic Hosted Cach he Discovery b by Service Connection Point policy
settings. Th
he client computers will operrate in distribu
uted cache mo ode unless theyy find a hostedd cache
server in the branch office. If they find a hosted cach e server in thee branch office
e, they will worrk in
hosted cach he mode.
To configure BranchCache settings by using the netsh branchcache set service command, open a
command-line interface window, and perform the following steps:
1. Use the following netsh syntax for the Distributed Cache mode:
netsh branchcache set service mode=distributed
2. Use the following netsh syntax for the hosted mode:
netsh branchcache set service mode=hostedclient location=<Hosted Cache server>
Configuring the Client Firewall to Enable BranchCache Protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between
client computers, and the WS-Discovery protocol for cached content discovery. You should configure the
client firewall to enable the following incoming rules:
BranchCacheContent Retrieval (Uses HTTP)
BranchCachePeer Discovery (Uses WSDiscovery)
In Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client
computers, but this mode does not use the WS-Discovery protocol. In the Hosted Cache mode, you
should configure the client firewall to enable the incoming rule, BranchCacheContent Retrieval (Uses
HTTP).
Additional Configuration Tasks for BranchCache

After you configure BranchCache, clients can access the cached data in BranchCacheenabled content
servers, which are available locally in the branch office. You can modify BranchCache settings and perform
additional configuration tasks, such as:
Setting the cache size.
Setting the location of the Hosted Cache server.
Clearing the cache.
Creating and replicating a shared key for using in a server cluster.
Demonstration: Configuring BranchCache

In this demonstration, you will see how to:
Add BranchCache for the Network Files role service.

Configure BranchCache in Local Group Policy Editor.
Enable BranchCache for a file share.
Demonstration Steps
Add BranchCache for the Network Files role service

1. Log on to LON-DC1 and open Server Manager.
2. In the Add Roles and Features Wizard, install the following roles and features to the local server:
o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files
Enable BrancchCache forr the server

1.. On the Starrt screen, type gpedit.msc, and
a then presss Enter.
2.. Browse to Computer
C Configuration\A
Administrativ
ve Templates\\Network\Lan
nman Server, and do
the followin
ng:
o Enable Hash Publica

ation for Bran
nchCache
o Select Allow
A hash publication on
nly for shared folder on wh
hich BranchCa
ache is enable
ed
Enable BrancchCache forr a file share

e
1.. Open Wind
dows Explorer, and on drive C, create a fold
der named Sh
hare\.
2.. Configure the
t Share folder properties as
a follows:
o Enable Share this fo

older
o Check Enable BrancchCache in Offfline Settingss
Monitoring
M g BranchCa
ache
After the initial configuration,, you want to verify
v
th
hat BranchCache is configure ed correctly annd
fu
unctioning correctly. You can n use the netsh
branchcache sh how status all command to o
diisplay the BrannchCache service status. Thee client
an
nd Hosted Cacche servers display additiona al
in
nformation, succh as the locattion of the loca
al
ca
ache, the size of
o the local cache, and the sttatus of
th
he firewall rule
es for HTTP andd WS-Discoverry
protocols that BranchCache
B uses.
u
Yo
ou can also use the following tools to mon
nitor
BrranchCache:
Event Viewer. Use this too

ol to monitor BranchCache eevents reporteed in the Appliication log loccated in
the Window g located in the Application and Service
ws Logs folderr, and in the Operational Log
Logs\Micro
osoft\Windowss\BranchCache e folder.
Performancce counters. Usse this tool to monitor BrancchCache perfoormance monittor counters.
BranchCach he performancce monitor cou unters are usefful debugging
g tools for mon
nitoring BranchCache
effectiveness and health. You can also use
u BranchCacche performan nce monitoringg to determine e the
bandwidth savings in thee Distributed Cache mode orr in the Hosted d Cache mode e. If you have
implemente ed Microsoft System
S Center Operations M Manager 2012 iin the environment, you can n use the
Windows BranchCache
B Management
M Pack
P for Opera tions Manager 2012.
S
Lesson 3
Optimizing Sttorage Usage
U
Every organization stores data on o different sto orage systemss. As storage syystems processs more and more
data a at higher speeeds, the dema and for disk sp he large amount of
pace for storin g the data hass increased. Th
filess, folders, and information, and the way they are stored, organized, maanaged, and m maintained,
becomes a challen nge for organiizations. Furthermore, organ nizations must satisfy requireements for seccurity,
commpliance, and data
d leakage prevention
p for company con fidential inform mation.
Win
ndows Server 2012
2 introduce
es many technologies that caan help organizations respond to the
challenges of mannaging, maintaaining, securing, and optimizzing data that is stored on ddifferent storagge
devices. The techn
nologies includ
de the File Server Resource M
Manager, file cclassification in
nfrastructure, aand
Data deduplicatioon, each of which provides new features ass compared to o Windows Serrver 2008 R2.
Lessson Objectiives
Afte
ou will be able to:
Describe the File Server Ressource Manager.
Describe file classification.

c
Describe classsification ruless.

t configure file classification
Explain how to n.
Describe storage optimization options in Windows Servver 2012.
Explain how to
t configure Data
D deduplication.
Wh
hat Is File Server Ressource Manager?
Youu can use the File
F Server Reso ource Manage er
(FSR
RM) to manage e and classify data
d that is sto
ored
on file
f servers. FSRRM includes thhe following
feattures:
File classificattion infrastructture. This featu

ure
automates the data classificcation process. You
can dynamica ally apply acce ess policies to files
f
based on their classification n. Example pollicies
include Dynamic Access Co ontrol for restriicting
access to filess, file encryptioon, and file
expiration. Yo ou can classify files automatiically
by using file classification
c ru
ules, or manua ally
by modifying the propertie es of a selectedd file or folder.. We can modiify file propertties automaticaally
based on the application, tyype or contentt of the file, orr by manually setting option ns on the serve
er that
will trigger file classification
n.
File managem ment tasks. You u can use this feature to appply a conditionnal policy or acction to files, b
based
on their classification. The conditions
c of a file managem ment task incluude the file loccation, the
classification properties, thee date the file was created, tthe last modifi ed date of the
e file, and the llast
time that the file was accessed. The actions that a file m management ttask can take in nclude the abiility to
expire files, encrypt files, an
nd run a custom command.
Quota management. You can use this feature to limit the space that is allowed for a volume or folder.
You can apply quotas automatically to new folders that are created on a volume. You can also define
quota templates that you can apply to new volumes or folders.
File screening management. You can use this feature to control the types of files that users can store
on a file server. You can limit the extension that can be stored on your file shares. For example, you
can create a file screen that disallows files with an .mp3 extension from being stored in personal
shared folders on a file server.
Storage reports. You can use this feature to identify trends in disk usage, and identify how your data
is classified. You can also monitor attempts by users to save unauthorized files.
You can configure and manage the FSRM by using the File Server Resource Manager Microsoft
Management Console (MMC) snap-in, or by using the Windows PowerShell command-line interface.
The following FSRM features are new with Windows Server 2012:
Integration with Dynamic Access Control. Dynamic Access Control can use a file classification
infrastructure to help you centrally control and audit access to files on your file servers.
Manual classification. Manual classification enables users to classify files and folders manually without
the need to create automatic classification rules.
Access Denied Assistance. You can use Access Denied Assistance to customize the access denied error
message that displays for users in Windows 8 Consumer Preview when they do not have access to a
file or a folder.
File management tasks. The updates to file management tasks include Active Directory Domain
Services (AD DS) and Active Directory Rights Management Services (AD RMS) file management tasks,
continuous file management tasks, and dynamic namespace for file management tasks.
Automatic classification. The updates to automatic classification increase the level of control you have
over how data is classified on your file servers, including continuous classification, Windows
PowerShell for custom classification, updates to the existing content classifier, and dynamic
namespace for classification rules.
Additional Reading: For more information about FSRM, see:

http://technet.microsoft.com/en-us/library/hh831746.aspx
Question: Are you currently using the FSRM in Windows Server 2008 R2? If yes, for what
areas do you use it?
S
Wh
hat Is File Classification?
File classifications enable admin nistrators to
configure automa atic procedures for defining a
desiired property on o a file, based d on condition
ns
speccified in classiffication rules. For
F example, you
y
can set the Confid dentiality pro operty to Highh on
all documents
d wh
hose content co ontains the wo
ord
seccret.
In Windows
W Serve
er 2008 R2 and d Windows Serrver
2012, classification managemen nt and file
mannagement task ks enable administrators to
mannage groups of o files based on
o various file and
a
fold
der attributes. You
Y can autom mate file and fo
older
maintenance task ks, such as cleaning up stale data,
d or proteccting sensitivee information. For this reason
n, file
and folder mainte enance tasks are more efficieent as compareed to maintain ning the file syystem by navig
gating
ough its hierarchical view.
thro
Classsification mannagement is de esigned to easse the burden and managem ment of data th hat is spread across
the organization. You can classify files in a variety of ways. IIn most scenarrios, classification is perform
med
mannually. The filee classification infrastructure in Windows S erver 2012 enables organizaations to conve ert
thesse manual processes into automated policcies. Administraators can speccify file management policiess
baseed on a files classification,
c and
a apply corp porate requirem
ments for man naging data baased on busine ess
valu
ue.
You
u can use file classification to
o perform the following
f actio
ons:
1. Define classification properrties and value

es, which you ccan assign to fiiles by running
g classification
n rules.
2. Create, updatte, and run classification rulees. Each rule asssigns a singlee predefined property and vaalue
to files within
n a specified diirectory, based
d on installed cclassification p
plug-ins.
3. When running a classificatio on rule, reevalluate files thatt are already cllassified. You ccan choose to
overwrite exissting classification values, orr add the valuee to propertiess that support multiple value es.
You can also use classificatiion rules to deeclassify files th
hat are not in tthe classificatio
on criterion
anymore.
Wh
hat Are Cla
assification
n Rules?
The file classification infrastructure uses
classification ruless to scan files automatically,
a and
thenn to classify them according to the conten nts of
a file. You configuure file classificcations in the File
F
Servver Resource Manager
M conso ole. Classification
properties are deffined centrallyy in AD DS so that
thesse definitions can
c be shared across file servvers
withhin the organizzation. You can create
classification ruless that scan files for a standarrd
strin
ng, or for a string that match hes a pattern
(reggular expressioon). When a co onfigured
classification paraameter is found d in a file, thatt file
is classified as con
nfigured in the e classification rule.
When planning for file classifications, you should do following:
1. Identify which classification or classifications that you want to apply on documents.
2. Determine the method you to want to use to identify documents for classification.
3. Determine the schedule for automatic classifications.
4. Establish a review of classification success.
After you have a defined the classifications, you can plan the Dynamic Access Control implementation by
defining conditional expressions that enable you to control access to highly confidential documents based
on particular user attributes.
Demonstration: Configuring File Classification

In this demonstration, you will see how to:
Create a classification property.
Create a classification rule.
Demonstration Steps
Create a classification property
1. On LON-SVR1, the Server Manager console should open automatically. From Server Manager, start
the File Server Resource Manager.
2. In File Server Resource Manager, create a local property with the following settings:
o Name: Corporate Documentation
o Property Type: Yes/No
3. In File Server Resource Manager, create a classification rule with the following settings:
o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled.
o Scope tab: E:\Labfiles\Corporate Documentation
o Classification tab, Classification method: Folder Classifier
o Property-Choose a property to assign to files: Corporate Documentation
o Property-Specify a value: Yes.

o Evaluation type tab, Re-evaluate existing property values, and Aggregate the values.
4. Run the classification with all rules, and select Wait for classification to complete.
5. Review the Automatic classification report that displays in Windows Internet Explorer, and ensure
that report lists the same number of files classified as in the Corporate Documentation folder.
S
Op
ptions for Storage
S Optimizatio
on in Wind
dows Serve
er 2012
Winndows Server 2012
2 includes new
n options fo
or
storrage optimizattion that provid
de you with an n
efficcient way to de
eploy, adminisster, and securre
your storage soluttions. Storage optimization
feattures include:
File access auuditing. File acccess auditing in

Windows Servver 2012 creattes an audit evvent
whenever file es are accessedd by users. As
compared to previous Wind dows Server
versions, this audit event da ata contains
additional infformation about the attributtes of
the file that was
w accessed.
Features on Demand.
D Featuures on Deman nd enables you u to save on d isk space by allowing you to o
remove role and
a feature file es from the op perating system m. If these rolees and featuress need to be
installed on the server, the installation file
es will be retrieeved from remmote locations, installation mmedia,
or Windows Update.
U You ca an remove fea ature files from
m both physicaal and virtual computers, Win ndows
image (.wim) files, and offline virtual hardd disks (VHDs) .
Data dedupliccation. Data deduplication iddentifies and rremoves duplications within data without
compromising the integrityy of the data. Data
D deduplicaation is highly scalable, resource efficient, and
nonintrusive. It can run con arge volumes of primary data without affe
ncurrently on la ecting other
workloads onn the server. Lo
ow impact on the
t server worrkloads is main ntained by thro ottling the CPU
U and
memory resources that are consumed. Ussing Data ded uplication jobs, you can schedule when Data
deduplication
n should run, specify
s the reso
ources to dedu uplicate, and ffine-tune file sselection. When
combined witth BranchCach he, the same optimization teechniques are aapplied to datta that is transfferred
over the WANN to a branch office. This ressults in faster ffile download ttimes, and red duced bandwid dth
consumption.
NFS Data Store. The Netwo ork file system (NFS) Data Sto ore is the NFS server implem mentation in
Windows Servver 2012 operating systems. In Windows SServer 2012, th he NFS server ssupports high
availability, which
w means thhat you can de eploy the serveer in a failover clustering con nfiguration. When a
over cluster, a nd if that servver fails, the NFFS server will faail
client conneccts to a NFS serrver in the failo
over to anoth her node in the hat the client c an still connecct to the NFS sserver.
e cluster, so th
De
emonstration: Config
guring Datta Dedupliication
In th
his demonstration, you will see
s how to:
Add the Data

a deduplication
n role service.
Enable Data deduplication.

d
Dem
monstration
n Steps
Add the Data deduplicati

d on role serv
vice
1. Log on to LO
ON-SVR1 as Ad
datum\Admin
nistrator using
g the password
d Pa$$w0rd.
2. Open Server Manager.
o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication
Enable Data deduplication

1. In Server Manager, in the navigation pane, click File and Storage Services, and then click Volumes.
2. In the Volumes pane, right-click E:, and select Configure Data Deduplication.
3. Configure Data deduplication with the following settings:
o Enable Data deduplication: Enabled
o Deduplicate files older than (in days): 3
o Set Deduplication Schedule: Enable throughput optimization
o Start time: current time

Lab A: Implementing Advanced File Services

Scenario
As A. Datum Corporation has expanded, the requirements for managing storage and shared file access
has also expanded. Although the cost of storage has decreased significantly over the last few years, the
amount of data produced by the A. Datum business groups has increased even faster. The organization is
considering alternate ways to decrease the cost of storing data on the network, and is considering options
for optimizing data access in the new branch offices. The organization would also like to ensure that data
that is stored on the shared folders is limited to company data, and that it does not include unapproved
file types.
As a senior server administrator at A. Datum, you are responsible for implementing the new file storage
technologies for the organization. You will implement iSCSI storage to provide a less complicated option
for deploying large amounts of storage.
Objectives
Configure iSCSI storage.
Configure the file classification infrastructure.
Lab Setup
Estimated Time: 75 minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
20412A-LON-DC1
Virtual Machine(s) 20412A-LON-SVR1
20412A-LON-SVR2
Password Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2.

Exercise 1: Configuring iSCSI Storage

Scenario
To decrease the cost and complexity of configuring centralized storage, A. Datum has decided to use
iSCSI to provide storage. To get started, you will install and configure the iSCSI target, and configure
access to the target by configuring the iSCSI initiators.
1. Install the iSCSI target feature.
2. Configure the iSCSI targets.
3. Configure MPIO.
4. Connect to and configure the iSCSI targets.
Task 1: Install the iSCSI target feature

1. Log on to LON-DC1 with username of Adatum\Administrator and the password Pa$$w0rd.
2. Open Server Manager.
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
Task 2: Configure the iSCSI targets

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.
2. Create a virtual disk with the following settings:
o Storage location: C:
o Disk name: iSCSIDisk1
o Size: 5 GB
o iSCSI target: New
o Target name: lon-dc1
o Access servers: 172.16.0.22 and 131.107.0.2
3. On the View results page, wait until the creation completes, and then click Close.
4. Create a New iSCSI virtual disk with these settings:
o Size: 5 GB
o iSCSI target: lon-dc1

o Size: 5 GB
o Size: 5 GB

o Size: 5 GB
Task 3: Configure MPIO

1. On LON-SVR2, from Server Manager, open the Routing and Remote access console.
2. On the Enable DirectAccess Wizard, click Cancel.
3. Right-click LON-SVR2 and then click Disable Routing and Remote Access. Click Yes and then close
the Routing and Remote Access console.
4. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.
5. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
o Enable the iSCSI Initiator service
o Quick Connect to target: LON-DC1
6. In Server Manager, on the Tools menu, open MPIO, and configure the following:
o Enable Add support for iSCSI devices on Discover Multi-paths

7. After the computer restarts, log on to LON-SVR2, with username of Adatum\Administrator and
password of Pa$$w0rd.
8. In Server Manager, on the Tools menu, click MPIO and verify that Device Hardware ID
MSFT2005iSCSIBusType_0x9 is added to the list.
Task 4: Connect to and configure the iSCSI targets

1. On LON-SVR2, in Server Manager, on the Tools menu, open iSCSI Initiator.
2. In the iSCSI Initiator Properties dialog box, perform the following steps:
o Disconnect all Targets.
o Connect and Enable multi-path.
o Set Advanced options as follows:

Local Adapter: Microsoft iSCSI Initiator
Initiator IP: 172.16.0.22
Target Portal IP: 172.16.0.10 / 3260
o Connect to another target, enable multi-path, and configure the following Advanced settings:
Local Adapter: Microsoft iSCSI Initiator
Initiator IP: 131.107.0.2
Target Portal IP: 131.107.0.1 / 3260

3. In the Targets list, open Devices for iqn.1991-05.com.microsoft:lon-dc1-lon-dc1-target, access
the MPIO information, and then verify that in Load balance policy, Round Robin is selected. Verify
that two paths are listed by looking at the IP addresses of both network adapters.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
Exercise 2: Configuring the File Classification Infrastructure

Scenario
A. Datum has noticed that many users are copying corporate documentation to their mapped drives on
the users or departmental file servers. As a result, there are many different versions of the same
documents on the network. To ensure that only the latest version of the documentation is available for
most users, you need to configure a file classification system that will delete specific files from user folders.
1. Create a classification property for corporate documentation.
2. Create a classification rule for corporate documentation.

3. Create a classification rule that applies to a shared folder.
4. Create a file management task to expire corporate documents.
5. Verify that corporate documents are expired.
Task 1: Create a classification property for corporate documentation

1. On LON-SVR1, from Server Manager, start the File Server Resource Manager.
2. In File Server Resource Manager, under Classification Management, create a local property with the
following settings:
o Name: Corporate Documentation
o Property Type: Yes/No
3. Leave the File Server Resource Manager open.
Task 2: Create a classification rule for corporate documentation

1. In the File Server Resource Manager console, create a classification rule with following settings:
o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled.
o Scope tab: E:\Labfiles\Corporate Documentation folder

o Classification tab:
Classification method: Folder Classifier
Property, Choose a property to assign to files: Corporate Documentation
Property, Specify a value: Yes
Evaluation type tab: Re-evaluate existing property values and Aggregate the values
2. Select both Run the classification with all rules and Wait for classification to complete.
3. Review the Automatic classification report that displays in Internet Explorer, and ensure that the
report lists the same number of classified files as in the Corporate Documentation folder.
4. Close Internet Explorer, but leave the File Server Resource Manager open.
Task 3: Create a classification rule that applies to a shared folder

1. In the File Server Resource Manager, create a local property with following settings:
o Name: Expiration Date
o Property Type: Date-Time
2. In the File Server Resource Manager console, create a classification rule with the following settings:
o General tab, Rule name: Expiration Rule, and ensure that the rule is enabled
o Classification tab, Classification method: Folder Classifier
o Property, Choose a property to assign to files: Expiration Date
o Evaluation type tab: Re-evaluate existing property values and Aggregate the values
3. Select both Run the classification with all rules and Wait for classification to complete.
4. Review the Automatic classification report that appears in Internet Explorer, and ensure that report
lists the same number of classified files as the Corporate Documentation folder.
Task 4: Create a file management task to expire corporate documents

1. In File Server Resource Manager, create a file management task with following settings:
o General tab, Task name: Expired Corporate Documents and ensure that the task is enabled
o Action tab, Type: File expiration is selected,
o Expiration directory: E:\Labfiles\Expired
o Notification tab: Event Log and Send warning to event log
o Condition tab, Days since the file was last modified: 1
Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or more,
depending on each companys policy
o Schedule tab: Weekly and Sunday
o Leave the File Server Resource Manager console open.
Task 5: Verify that corporate documents are expired

1. In File Server Resource Manager, click Run File Management Task Now, and then click Wait for the
task to complete.
2. Review the File management task report that displays in Internet Explorer, and ensure that the report
lists the same number of classified files as the Corporate Documentation folder.
3. Start Event Viewer, and in the Event Viewer console, open the Application event log.
4. Review events with numbers 908 and 909. Notice that 908 FSRM started a file management job,
and 909 FSRM finished a file management job.
Results: After completing this exercise, you will have configured a file classification infrastructure so that
the latest version of the documentation is always available to users.
To prepare for the next lab

When you finish the lab, revert 20417A-LON-SVR2. To do this, complete the following steps.
2. In the Virtual Machines list, right-click 20417A-LON-SVR2, and then click Revert.
Keep all other virtual machines running for the next lab.
Lab B: Implementing BranchCache

Scenario
A Datum Corporation has deployed a new branch office, which has a single server. To optimize file access
in branch offices, you must configure BranchCache. To reduce WAN use out to the branch office, you
must configure BranchCache to retrieve data from the head office. You will also implement FSRM to assist
in optimizing file storage at A. Datum.
Objectives
Configure the main office servers for BranchCache.
Configure the branch office servers for BranchCache.
Configure client computers for BranchCache.

Monitor and verify BranchCache.
Lab Setup
Estimated Time: 30 Minutes
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-LON-CL2
20412A-LON-DC1
20412A-LON-SVR1
Virtual Machine(s)
20412A-LON-CL1
20412A-LON-CL2
Password Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.
Exercise 1: Configuring the Main Office Servers for BranchCache

Scenario
Before you can configure the BranchCache feature for your branch offices, you must configure the
network components.
1. Configure LON-DC1 to use BranchCache.
2. Simulate a slow link to the branch office.
3. Enable a file share for BranchCache.
4. Configure client firewall rules for BranchCache.
Task 1: Configure LON-DC1 to use BranchCache

2. Open Server Manager, and install the BranchCache for network files role service.
3. Open the Local Group Policy Editor (gpedit.msc).

4. Navigate to and open Computer Configuration/Administrative Templates/Network/Lanman
Server/Hash Publication for BranchCache.
5. Enable the BranchCache setting, and then select Allow hash publication only for shared folders on
which BranchCache is enabled.
Task 2: Simulate a slow link to the branch office

1. In the Local Group Policy Editor console, navigate to Computer Configuration\Windows Settings
\Policy-based QoS.
2. Create a new policy with the following settings:
o Name: Limit to 100 Kbps
o Specify Outbound Throttle Rate: 100
Task 3: Enable a file share for BranchCache

1. In a Windows Explorer window, create a new folder named C:\Share.
2. Share this folder with the following properties:
o Share name: Share
o Permissions: default
o Caching: Enable BranchCache
3. Copy C:\Windows\System32\write.exe to the C:\Share folder.
Task 4: Configure client firewall rules for BranchCache

1. On LON-DC1, open Group Policy Management.
2. Navigate to Forest: Adatum.com\Domains\Adatum.com\Default Domain Policy, and then open

the policy for editing.
3. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows

Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
4. Create a new inbound firewall rule with the following properties:

a. Rule type: predefined
b. Use BranchCache Content Retrieval (Uses HTTP)
c. Action: Allow
5. Create a new inbound firewall rule with the following properties:

d. Rule type: predefined
e. Use BranchCache Peer Discovery (Uses WSD)
f. Action: Allow
6. Close the Group Policy Management Editor and Group Policy Management console.
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
Exercise 2: Configuring the Branch Office Servers for BranchCache

Scenario
The next step you must perform is to configure a file server for the BranchCache feature. You will install
the BranchCache feature, request a certificate, and then link it to BranchCache.
1. Install the BranchCache feature on LON-SVR1.
2. Start the BranchCache host server.
Task 1: Install the BranchCache feature on LON-SVR1

On LON-SVR1, from Server Manager, add the BranchCache for Network Files role service and the
BranchCache feature.
Task 2: Start the BranchCache host server

1. On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit (OU)
called BranchCacheHost.
2. Move LON-SVR1 into the BranchCacheHost OU.
3. Open Group Policy Management, and block GPO inheritance on the BranchCacheHost OU.
4. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd.
5. On LON-SVR1, open Windows PowerShell, and run the following cmdlet:
Enable-BCHostedServer
RegisterSCP
6. On LON-SVR1, in Windows PowerShell, run the following cmdlet:
Get-BCStatus
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
Exercise 3: Configuring Client Computers for BranchCache

Scenario
After configuring the network components, you must ensure that the client computers are configured
correctly. This is a preparatory task for using BranchCache.
The main task for this exercise is as follows:
1. Configure client computers to use BranchCache in Hosted Cache mode
Task 1: Configure client computers to use BranchCache in Hosted Cache mode

1. On LON-DC1, open Server Manager, and then open Group Policy Management.
2. Edit the Default Domain Policy.
3. In the Group Policy Management Editor, browse to Computer Configuration\Policies

\Administrative Templates\Network\BranchCache, and configure the following:
o Turn on BranchCache: Enabled
o Enable Automatic Hosted Cache Discovery by Service Connection Point: Enabled

o Configure BranchCache for network files: Enabled
o Type the maximum round trip network latency (milliseconds) after which caching begins:
0
4. Start 20412A-LON-CL1, open a command prompt window, and refresh the Group Policy settings
using the command gpupdate /force.
5. At the command prompt, type netsh branchcache show status all, and then press Enter.
6. Start the 20412A-LON-CL2, open the command prompt window, and refresh the Group Policy
settings using the command gpupdate /force.
7. At the command prompt, type netsh branchcache show status all, and then press Enter.
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
Exercise 4: Monitoring BranchCache

Scenario
Finally, you must test and verify that the BranchCache feature is working as expected.
1. Configure Performance Monitor on LON-SVR1.
2. View performance statistics on LON-CL1.
3. View performance statistics on LON-CL2.

4. Test BranchCache in the Hosted Cache mode.
Task 1: Configure Performance Monitor on LON-SVR1

1. On LON-SVR1, open Performance Monitor.
2. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click
Performance Monitor.
3. Remove existing counters, change to report view, and then add the BranchCache object counters to
the report.
Task 2: View performance statistics on LON-CL1

1. Switch to LON-CL1, and open the Performance Monitor.
2. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click
3. In Performance Monitor, remove existing counters, change to a report view, and then add the
BranchCache object to the report.

1. Switch to LON-CL2, and open Performance Monitor.
3. In the Performance Monitor, remove existing counters, change to a report view, and then add the
BranchCache object to the report.
Task 4: Test BranchCache in the Hosted Cache mode

1. Switch to LON-CL1.
2. Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This could
take several minutes because of the simulated slow link.
3. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes
from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes
Served).
5. Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This should
not take as long, because the file is cached.
6. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
7. Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
Results: At the end of this exercise, you will have verified that BranchCache is working as expected.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.


Question: How does BranchCache differ from the Distributed File System?
Question: Why would you want to implement BranchCache in Hosted Cache mode instead
of Distributed Cache mode?
Question: Can you configure Data deduplication on a boot volume?
Question: Why would you implement a file classification infrastructure?

Your organization is considering deploying an iSCSI solution. You are a Windows Server 2012
administrator who is responsible for designing and deploying the new solution. This new solution will be
used by different type of technologies, such as Windows Server 2012 file server, Exchange Server, and SQL
Server. You are facing a challenge of designing an optimal iSCSI solution, but at the same time you are
not sure whether the solution you are going to propose to your organization will meet the requirements
of all technologies that will be accessing the iSCSI storage. What should you do?
Answer: You should include on the team that will design and deploy the iSCSI solution experts from
different areas of specialization. Team members who will be involved in the project should include
Windows Server 2012 administrators, network administrators, storage administrators, and security
administrators. This is necessary so that the iSCSI storage solution has optimal performance and security,
and has consistent management and operations procedures.
Your organization is considering deploying a BranchCache solution. You are a Windows Server 2012
administrator in your organization, and are responsible for designing and deploying the new solution. The
organizations business managers are concerned about security of the data that will be stored in the
branch offices. They are also concerned about how the organization will address security risks such as data
tampering, information disclosure, and denial of service attacks. What should you do?
Answer: You should include a security expert on your design team. You should also consider the defense-
in-depth model of analyzing security risks. BranchCache addresses the security risks as follows:
Data tampering. The BranchCache technology uses hashes to confirm that during the communication,
the client and the server did not alter the data.
Information disclosure. BranchCache sends encrypted content to clients, but they must have the
encryption key to decrypt the content. Because potential malicious user would not have the
encryption key, if an attacker attempts to monitor the network traffic to access the data while it is in
transit between clients, the attempt will not be successful.
Denial of service. If an attacker tries to overload the client with requests for data, BranchCache
technology includes queue management counters and timers to prevent clients from being
overloaded.
Your organization is using large amounts of disk space for data storage and is facing a challenge of
organizing and managing the data. Furthermore, your organization must satisfy requirements for security,
compliance, and data leakage prevention for company confidential information. What should you do?
Answer: You should deploy the file classification infrastructure. Based on file classification, you can
configure file management tasks that will enable you to manage groups of files based on various file and
folder attributes. You can also automate file and folder maintenance tasks, such as cleaning up stale data
or protecting sensitive information.
Best Practice:
When considering an iSCSI storage solution for your organization, spend most of the time on the
design process. The design process is crucial because it allows you to optimize the solution for all
technologies that will be using iSCSI storage, such as file services, Exchange Server, and SQL Server.
The design should also accommodate future growth of your organizations business data. Successful
design processes guarantee a successful deployment of the solution that will meet your organizations
business requirements.
When planning for BranchCache deployment, ensure that you work closely with your network
administrators so that you can optimize network traffic across the WAN.
When planning for file classifications, ensure that you start with your organizations business
requirements. Identify the classifications that you will apply to documents, and then define a method
that you will use to identify documents for classification. Before you deploy the file classification
infrastructure, create a test environment and test the scenarios to ensure that your solution will result
in a successful deployment and that your organizations business requirements will be met.
Tools
Tool Use Where to find it
iSCSI target Configure iSCSI targets In Server Manager, under File and
server Storage Servers
iSCSI initiator Configure a client to connect In Server Manager, in the Tools drop-
to an iSCSI target virtual disk down list box
Deduplication Analyze a volume to find out C:\windows\system32

Evaluation tool the potential savings when
(DDPEval.exe) enabling data deduplication
File Server A set of features that allow Server Manager

Resource you to manage and classify
Manager data that is stored on file
servers
3-1
Module 3
Implementing Dynamic Access Control
Contents:
Module Overview 3-1
Lesson 1: Overview of Dynamic Access Control 3-2
Lesson 2: Planning for Dynamic Access Control 3-8
Lesson 3: Deploying Dynamic Access Control 3-13
Lab: Implementing Dynamic Access Control 3-22
Module Overview
The Windows Server 2012 operating system introduces a new feature for enhancing access control for
file-based and folder-based resources. This feature, called Dynamic Access Control, extends regular NTFS
file systembased access control by enabling administrators to use claims, resource properties, policies,
and conditional expressions to manage access. In this module, you will learn about Dynamic Access
Control, and how to plan for it and implement it.
Objectives
Describe Dynamic Access Control and its components.

Plan for Dynamic Access Control implementation.
Deploy Dynamic Access Control.

3-2 Implementing Dynamic Access Control
Lesson 1
Overviiew of Dynami
D c Accesss Contrrol
Dyn
namic Access Control
C is a new
w Windows Seerver 2012 featture that you ccan use for acccess managem ment.
Dyn
C offers a new way of securing
s and ccontrolling acccess to resourcces. Before you
u
imp
plement this feature, you sho ould understan
nd how it workks and which ccomponents it uses. This lessson
pressents an overvview of Dynamic Access Conttrol.
Lessson Objectiives
Afte ou will be able to:
Define Dynam
mic Access Con
ntrol.
Describe the foundation tecchnologies forr Dynamic Acccess Control.

Compare Dyn namic Access Control
C with alternative and similar techno
ologies such ass NTFS permisssions
and Active Diirectory Rightss Managementt Services (AD RMS).
Define identitty.
Define claim and claim type
es.
Define a centtral access policy.
Wh
hat Is Dyna
amic Acce
ess Controll?
Typically, most of an organizatio ons data is sto
ored
on file
f servers. Therefore, IT adm ministrators must
provvide proper se ecurity and acccess control to file
servver resources. In
I previous verrsions of Winddows
Servver, IT administrators controlled most acce ess to
file server resourcces by using NTTFS permission ns
and access contro ol lists.
Dyn namic Access Control

C in Wind
dows Server 2012
is a new access co ontrol mechanism for file sysstem
resoources. It enables administrators to define
centtral file access policies that can
c apply to evvery
file server in the organization.
o Dynamic
D Accesss
Con ntrol implemen hare and NTFSS permissions. It also
nts a safety net over file servvers, and over aany existing sh
ensu ures that regardless of how the
t share and NTFS permiss ions might chaange, this centtral overriding g
policy is still enforrced. Dynamicc Access Contro ol combines m
multiple criteriaa into the acce
ess decision; th
his is
sommething that NTFS permissions cannot do.
Dynnamic Access Control

C provide
es a flexible way to apply an nd manage acccess and auditting to domainn-
baseed file servers. Dynamic Acce
ess Control uses claims in th ource properties on
he authenticatiion token, reso
the resource, and conditional exxpressions with hin permission g entries. With this combinattion of
n and auditing
feattures, you can now grant acccess to files and folders baseed on Active D
Directory Dommain Services (AAD
DS) attributes.
Dyn
C provide
es:
Data identificcation. You can

n use automatic and manuall file classificattion to tag datta in file serverrs
across the orgganization.
Access conttrol to files. Ce

entral access policies enable organizationss to define, for example, who
o can
access health information n within an orgganization.
Auditing off file access. Yo
ou can use cenntral audit poliicies for compliance reportin
ng and forensic
analysis. Fo
or example, you u can identify who accessed highly sensitivve information n.
Optional RMMS protection integration. You

Y can use Rig ghts Managemment Services (RMS) encrypttion for
sensitive Microsoft Office documentss. For example,, you can conffigure RMS to encrypt all
documentss containing He ealth Insurance Portability a nd Accountab
bility Act (HIPA
AA) information.
Dynamic Accesss Control is de

esigned for fou
ur main end-to
o-end scenario
os:
Central access policy for access

a to files. Enables organ
nizations to seet safety net po
olicies that reflect
business an
nd regulatory compliance.
c
or compliance and analysis. Enables

Auditing fo E targeteed auditing accross file servers for compliance
reporting and forensic an
nalysis.
Protecting sensitive information. Identifies and proteects sensitive in

nformation witthin a Window
ws Server
2012 enviro
onment, and when
w it leaves the Windows Server 2012 en nvironment.
Access denied remediatio on. Improves the access-den
nied experiencee to reduce he
elp desk load aand
incident tim
me for troublesshooting.
Foundation
n Technolo
ogies for Dynamic
D A
Access Con
ntrol
Dynamic Accesss Control combines many Windows
W
Se
erver 2012 technologies to provide
p a flexib
ble and
granular authorrization and au
uditing experieence.
Dynamic Accesss Control uses the following
te
echnologies:
Network prrotocols, such as TCP/IP, Rem mote

Procedure Call
C (RPC), Server Message Block B
(SMB), and Lightweight Directory
D Accesss
Protocol (LDAP), for netwwork communications
between ho osts, and intera
action with file
e
system andd directory lookups.
Domain Na ame System (D

DNS) for host name
n
resolution.
AD DS and its dependentt technologies for enterprisee network man

nagement.
The Kerberos version 5 protocol, includ

ding FAST Searrch and Comp
pound Identity for secure
authenticattion.
Windows Security (local security

s authority (LSA), Net Logon servicee) for secure lo
ogon transactio
ons.
File classificcations for file categorization

n.
Auditing fo
or secure monitoring and acccountability.
everal compon
Se nents and tech
hnologies are updated
u in Wi ndows Server 2012 to suppo
ort Dynamic A
Access
Control. The mo
ost important updates are:
A new Wind dit engine that can process cconditional exp

dows authorizzation and aud pressions and ccentral
policies.
Kerberos au
uthentication support
s for user claims and device claims.
Improvementts to the file classification inffrastructure.
Optional RMSS extensibility support so tha

at partners can
n provide soluttions for encryypting files thaat are
not Microsoftt Office files.
Dy
ynamic Acccess Contrrol vs. Alternative Peermissions Technologies
C controls access to file
e-
baseed resources. ItI does not ove
erlap with olde er,
welll-known techn nologies that provide
p similar
ead, Dynamic Access Contro
funcctionality. Inste ol
ends the functionality of older technologie
exte es for
controlling file-baased resource access.
a
In previous
p versions of Window ws Server, the basic
b
mecchanism for file e and folder access control was
w
NTFFS permissions. By using NTFFS permissionss and
theiir access control lists (ACLs), administratorss can
control access to resources base ed on user namme
secu
urity identifierss (SIDs) or group membership
SIDss, and the leve
el of access succh as Read-onlly, Change, an d Full Control.. However, oncce you provide
e
som
meone with, for example, Rea ad Only accesss to a docume nt, you cannott prevent that person from
copying the conte ent of that doccument into a new documen nt or printing tthe documentt.
By implementing AD RMS, you can establish an a additional llevel of file control. Unlike, N
NTFS permissio ons,
which are not appplication-aware e, AD RMS sets a policy thatt can control ddocument acce ess inside the
app
plication that th
he user uses to
o open it. By im
mplementing A AD RMS, you eenable users to o protect
doccuments withinn applications.
Howwever, you can nnot set condittional access to

o files by usingg NTFS and AD D RMS. For exaample, you cannot
set NTFS permissions so that users can access documents iff they are mem mbers of speciffic groups and have
theiir EmployeeTy ype attributes set to Full Timme Employee e (FTE). Additio
onally, you can
nnot set
permmissions so thaat only users who
w have a department attriibute populateed with the sam me value as th
he
deppartment attribbute for the ressource can acccess the conte nt. However, yyou can use co onditional
expressions to acccomplish these e tasks. You ca
an use Dynami c Access Control to count atttribute valuess on
userrs or resource objects when providing or denying
d accesss.
Wh
hat Is Iden
ntity?
Idenntity is usually defined as a set of data thatt
uniqquely describe es a person or a thing (somettimes
refe
erred to as subjject or entity) anda contains
ormation about the subject's relationships to
info
othe er entities. Identity is usuallyy verified by ussing a
trussted source of information.
For example, whe en you go to th he airport, you

u
showw your passpoort. Your passp port contains your
y
nam
me, address, da ate of birth, an
nd photograph h.
Each
h item of persoonal informatiion is a claim that
t is
madde about you byb the countryy issuing your
passsport. Your country ensures that the
in
nformation tha at is published in a passport is accurate forr the passport owner. Becausse you usually use the
paassport outside of your coun ntry of residen
nce, other counntries must also trust the info
ormation in yo our
paassport. They must
m trust the organization that issued yo ur passport an nd consider it reliable. Basedd on
th ant you access to their territo
hat trust, otherr countries gra ories (which caan be considerred resources)..
Thherefore, in this example, to access resourcces in other coountries, each person is requuired to have a
do able and trusteed source and
ocument (passsport) that is isssued by a relia d that containss critical claimss that
deescribe the person.
Thhe Windows Server operatin ng system usess a similar conccept of identityy. An administtrator creates a user
acccount in AD DS
D for a person n controller pu blishes user acccount information, such as a
n. The domain
se
ecurity identifier and group membership attributes.
a Wheen a user accesses a resource e, Windows Se erver
crreates an authorization token.
To
o continue thee foreign trave u are the user, and the autho
el analogy, you orization token
n is the passpo
ort. Each
un
nique piece off information in the authorizzation token is a claim madee about your user account. DDomain
co ms. Domain-joined computeers and domain
ontrollers publish these claim n users trust domain controlllers to
provide authoritative informa ation.
We
W can then say that identityy, with respect to authenticattion and autho
orization, is infformation pubblished
ab
bout an entity from a trusted
d source. Furth
hermore, the i nformation is considered au uthoritative because
th
he source is tru
usted.
Eaarlier versions of Windows Server used the e security identtifier (SID) to rrepresent the iidentity of a user or
coomputer. Users authenticate e to the domain with a speciffic user name and password. The unique logon
na ame translatess into the SID. The domain controller valid ates the passw word and publishes the SID o of the
seecurity principaal and the SIDs of all the gro
oups within wh hich the princi pal is a memb ber. The domaiin
coontroller claim
ms the user's SID is valid and should be useed as the identtity of the userr. All domain m members
trrust their domaain controller; therefore, the
e response is trreated as authoritative.
dentity is not limited to the user's

Id u SID. Appplications can u
use any informmation about the user as a fo orm of
id
dentity, if the application
a trusts that the source of the infformation is au
uthoritative. Foor example, m
many
ap
pplications implement role based
b access control (RBAC).. RBAC limits aaccess to resouurces based onn
whether
w the useer is a member of a specific role. Microsoftt SharePoint Server is a goo od example off
so
oftware that im mplements role e-based securiity. Windows SServer 2012 caan also take ad dvantage of theese
opptions to extennd and enhancce the way ide entity is determ
mined for a seccurity principaal.
What
W Is a Claim?
C
Windows
W Server 2008 and Wiindows Server 2003
usse claims in Acctive Directoryy Federation Se ervices
(A
AD FS). In this context,
c claimss are statemen nts
made
m about useersfor example, name, identity,
keey, group, privvilege, or capabbilitywhich are
a
un nderstood by the
t partners in n an AD FS
fe
ederation. AD FS also provides AD DSbase ed
claims, and the ability to convvert the data from
hese claims into Security Assertions Markup
th
Laanguage (SAM ML) format. In previous
p versio
ons of
AD FS, the only attributes that could be retrieved
from AD DS and d incorporated d directly into a claim
was
w SID informa ation for user and
a group acccounts. All oth er claim inform mation was deefined within and
re
eferenced from m a separate da atabase, know wn as an attribu
ute store. Wind
dows Server 20012 now allow ws you
to
o read and use e any attribute directly from AD DS. You do o not need to use a separate e AD FS attribu
ute
his type of information for Acctive Directoryybased comp
sttore to hold th puter or user acccounts.
By definition,
d a cla
aim is somethiing that AD DSS states about a specific objeect (usually a uuser or compu
uter).
A claim provides information
i fro
om the trustedd source abou t an entity. So ome examples of claims are tthe
SID of a user or coomputer, the department
d assification of a file, and thee health state o
cla of a computer.. All
thesse claims state
e something abbout a specific object.
An entity
e ore than one claim. When co
normallyy contains mo onfiguring reso
ource access, any combinatio
on of
claim
ms can be used to authorize
e access to reso
ources.
In Windows
W Serve uthorization mechanism is exxtended. You ccan now use u
er 2012, the au user claims and d
device claims for file
f and folderr authorizationn in addition to
o NTFS permisssions that are based on userrs SID
or group
g SIDs. By using claims, you can now base
b your acceess control deccision on SID aand other attribute
ues. Note that Windows Servver 2012 still su
valu upports using group membeership for auth horization decisions.
Use
er Claim
A usser claim is infformation that is provided byy a Windows SServer 2012 do omain controlller about a useer.
Win
ndows Server 20122 domain controllers
c can use most AD DS user attrib butes as claim iinformation. T
This
provvides administtrators with a wide
w range of possibilities fo
or configuring and using claiims for access
control.
Dev
vice Claim
A deevice claimwwhich is often called
c a compuuter claimis information th hat is provided
d by a Window ws
Servver 2012 doma ain controller about
a a device
e that is repressented by a co
omputer accou unt in AD DS. A
As
with
h user claims, device
d claims can
c use most ofo the AD DS aattributes that are applicable e to computerr
objeects.
Wh
hat Is a Ce
entral Acce
ess Policy?
Onee of the fundam mental compo onents of Dyna amic
t central acccess policy. This
Access Control is the
2 feature enables
ministrators to create policiess that they can
adm n
app
ply to one or more
m file serverrs. You create
policies in the Acttive Directory Administrative
A e
Cen
nter, which then stores them in AD DS, and d you
then
n apply them by b using Group Policy. The
centtral access policy contains one or more central
acce
ess policy ruless. Each rule co
ontains settingss that
dete
ermine applica ability and perrmissions.
Befo
ore you create e a central acce
ess policy, you
ast one central access rule. Central access rrules define al l parameters aand conditionss that
musst create at lea
control access to specific resourrces.
A ce
entral access ru
ule has three configurable
c parts:
p
Name. For ea
ach central acccess rule, you should
s configu
ure a descriptivve name.
Target resourrce. This is a co
ondition that defines
d to whicch data the po
olicy applies. Yo ou define a
condition by specifying an attribute and its value. For eexample, a parrticular central policy rule might
apply to any data that you classify as sensitive. You cann also apply th e rule to all re
esources to wh
hich
the central acccess policy appplies.
Permissions. This is a list of one or more access control entries (ACEs) that define who can access data.
For example, you can specify Full Control Access to a user with attribute EmployeeType set to FTE
(full-time employee). This is the key component of each central access rule. You can combine and
group conditions that you place in the central access rule. You can set permissions either to
proposed (for staging purposes) or current.
After you configure one or more central access rules, you then add these rules to the central access policy,
which is then applied to the resources.
The central access policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACLs) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central access policy that is applied to the file restricts access to
the same user, the user will not be able to obtain access to the file. Likewise, if the central access policy
allows access but the DACL does not allow access, then the user will not be able to access the file.
Before implementing the central access policy, perform these steps:
1. Create a claim, and then connect it to users or computer objects by using attributes.
2. Create file property definitions.
3. Create one or more central access rules.
4. Create a Central Access Policy object and define its settings.
5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a
central access policy exists in AD DS.
6. On the file server, apply that policy to a specific shared folder.

Lesson 2
Planning for Dynami
D ic Accesss Contrrol
C requirees detailed planning prior too implementation. You shoulld identify reassons
for implementing Dynamic Acce ess Control, annd plan for cen olicy, file classifications, auditting,
ntral access po
and access-denied
d assistance. In
n this lesson, you
y will learn aabout planningg Dynamic Acccess Control.
Lessson Objectiives
Afte
ou will be able to:
Describe reassons for implem
menting Dynamic Access Co
ontrol.
Plan for centrral access policcy.
Plan for file classifications.

g.
Plan for file access auditing
Plan for accesss-denied assisstance.
Reasons for Implemen

nting Dyna
amic Accesss Control
Befoore you implemment Dynamicc Access Contrrol,
you should clearlyy identify the reasons
r for using
this feature. Dynamic Access Co ontrol should be
b
welll designed beffore you impleement it. An
impproperly planne ed implementation can causse
me users to be denied access to required data,
som
and other users too be granted access
a to restricted
dataa.
The most common reason to im mplement Dyna amic

Access Control is to
t extend funcctionality of ann
existing access control model. Most
M organizattions
use NTFS and share permissionss to implemen nt
acceess control for file and folder resources. In most cases, N
NFTS is sufficient, but in some scenarios, it does
not work. For example, you cannot use NFTS ACL to protecct a resource o on a file server,, which means that
a usser must simultaneously be a member of two groups to access the ressource. You mu ust use Dynammic
Access Control insstead of traditional methodss for implemen nting access co ontrol when yo ou want to use
e
morre specific info
ormation for au uthorization purposes. NTFSS and share peermissions use only user or group
objeects.
Planning
P fo
or Central Access Po
olicy
Im
mplementing central
c access policy is not
mandatory
m for Dynamic
D Access Control. Ho owever,
fo
or consistent co onfiguration of
o access contrrol on
all file servers, you
y should imp plement at least one
ceentral access policy.
p By doing g so, you enabble all
fille servers within a specific sccope to use a central
c
acccess policy wh hen protecting g content in sh
hared
fo
olders.
Beefore you implement a central access policcy,

crreate a detailed plan as follo
ows:
1.. Identify thee resources thaat you want to

o
protect. If all
a these resources are on on ne file
server or in just one foldeer, then you might
m not have to implementt a central acce ess policy. Insttead,
you can configure condittional access on the folders ACL. Howeverr, if resources aare distributed d across
several servvers or folders,, then you mayy benefit from
m deploying a ccentral access policy. Data th hat
might require additional protection ma ay include payyroll records, m
medical historyy data, employyee
personal information, and d company customer lists. YYou can also usse targeting within central acccess
rules to ide
entify resources to which you u want to appl y central access policy.
2.. Define the authorization policies. These

e policies are u
usually defined
d from your bu
usiness require
ements.
Some exammples are:
o All doccuments that have

h property confidentialityy set to high m
must be availab
ble only to managers.
o Marketting documentts from each country

c should
d be writable o
only by marketting people fro
om the
same country.
c
o Only fu
ull time employees should be able to acce ss technical do
ocumentation from previouss
projectts.
3.. Translate th on policies that you require into expressions. In the case
he authorizatio e of Dynamic A Access
Control, expressions are attributes
a that are associated
d with both thhe resources (fiiles and folderrs) and
the user or device that se
eeks access to the resources. These expresssions state addditional identiffication
requiremen nts that must be
b met to acce ess protected ddata. Values th
hat are associated with any
he user or deviice to producee the same value.
expressionss on the resource obligate th
4.. Next, you should break down
d the expreessions that yo ou have createed, and determ
mine what claim m types,
resource prroperties, and device claims that you mustt create to dep ploy your policcies. In other w
words,
dentify the attributes for acccess filtering.
you must id
Note: You must use use er claims to de

eploy central aaccess policies . You can use security
groups to repre
esent user iden
ntities.
3-10 Implemennting Dynamic Access Control
Pla
anning File
e Classifica
ations
Whe en planning yo our Dynamic Access
A Control
impplementation, youy should incclude file
classifications. Although file classsifications are
e not
manndatory for Dyynamic Access Control, they can
enhance the automation of the entire processs. For
exammple, if you reequire that all documents
d that
are classified Conffidentiality: High be accessib ble to
top management only, regardle ess of the serve er on
which the documents exist, you should ask
yourself how you identify these documents, and a
howw to classify theem appropriattely.
The file classification infrastructure uses

classification ruless to scan files automatically,
a and then classsify them acco ording to the ccontents of the e file.
Classsification and d Resource prroperties are defined
d centra lly in AD DS soo that these de efinitions can bbe
sharred across file servers in the organization. You can creatte classification n rules that scaan files for a
stan
ndard string orr for a string th hat matches a pattern (regullar expression)). When a conffigured
classification paraameter is found d in a file, thatt file is classifieed as configureed in the classification rule.
Whe
en planning fo
or file classifica
ations, do the following:
f
Identify which
h classification
n or classificatio want to apply tto documents.
ons that you w
t identify doccuments for classification.

Determine the method thatt you will use to
Define the schedule for auttomatic classifiications.

Establish periodic reviews to
o determine th
he success of tthe classificatio
ons.
You e classificationss in the File Server Resource Manager console.

u configure file
Oncce you have a defined the cla

assifications, you
y can plan thhe implementaation of Dynam mic Access Control
by defining
d conditional expressions which will enable you t o control acceess to high con
nfidential
doccuments basedd on particular user attributes.
Pla
anning File
e Access Auditing
A
In Windows
W Serveer 2008 R2 and d Windows Serrver
2012, you can use e advanced audit policies to
impplement detaile ed and more precise
p file systtem
auditing. In Windo ows Server 2012, you can alsso
impplement auditin ng together with
w Dynamic Access
A
Conntrol to utilize the new Windows security
auditing capabilities. By using conditional
expressions, you can
c configure auditing so that it
onlyy occurs in speecific cases. For example, you u
mayy want to audit attempts to openo shared
fold
ders by users inn countries oth her than the
country where the e shared folder is located. Yo ou
achieve this by immplementing proposed
p permmissions in the central access rules.
With Global Object Access auditing, administrators can defiine computer system accesss control lists
(SAC
CLs) according er the file systeem or registry. The specified SACL is then
g to the objectt type for eithe
app
plied automaticcally to every object
o of that type. You can use a Global O Object Access Audit policy to
enforce the Object Access Audit policy for a computer, file share, or registry without configuring and
propagating conventional SACLs. Configuring and propagating a SACL is a complex administrative task
that is difficult to verify, particularly if you must verify to an auditor that a security policy is being
enforced.
Note: Auditors can verify that every resource in the system is protected by an audit policy
by viewing the contents of the Global Object Access Auditing policy setting.
Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Audit
policy to log all activity for a specific user and enabling the Access Failures audit policies in a resource
such as a file system or registry can help administrators quickly identify which object in a system is
denying a user access.
Before you implement auditing you should prepare an audit plan. In the auditing plan, you should
identify resources, users, and activities that you want to track. You can implement auditing for several
scenarios, such as:
Tracking changes to user and machine attributes. As with files, users and machine objects can have
attributes, and changes to these can affect whether users can access files. Therefore, tracking changes
to user or machine attributes can be valuable. Users and machine objects are stored in AD DS, which
means that you can track their attributes using Directory Service Access auditing.
Obtaining more information from user logon events. In Windows Server 2012, a user logon event
(4624) contains information about the attributes of the file that was accessed. You can view this
additional information by using audit log management tools to correlate user logon events with
object access events, and by enabling event filtering based on both file attributes and user attributes.
Providing more information from object access auditing. In Windows Server 2008 R2 and Windows
Server 2012, file access events 4656 and 4663 now contain information about the attributes of the file
that was accessed. Event log filtering tools can use this additional information to help you identify the
most relevant audit events.
Tracking changes to central access policies, central access rules, and claims. Because theseobjects are
stored in AD DS, you can audit them just as you would any other securable object in AD DS by using
Directory Service Access auditing.
Tracking changes to file attributes. File attributes determine which central access policy applies to the
file. A change to the file attributes can potentially affect the access restrictions on the file. You can
track changes to file attributes on any machine by configuring Authorization Policy Change auditing
and Object Access auditing for file systems. Event 4911 is introduced in Windows Server 2012 to
differentiate this event from other Authorization policy change events.
Pla
anning Acccess Denie
ed Assistan
nce
Access Denied Assistance helps end users
deteermine why th hey cannot acccess a resource e. It
also
o allows IT stafff to properly diagnose
d a
problem, and then direct the re esolution. Wind dows
Servver 2012 enables you to custtomize messag ges
aboout denied acce ess and provid de users with the
ability to request access without contacting th he
help
p desk or IT tea am. In combin nation with
Dynnamic Access Control,
C Accesss Denied Assisttance
can inform the filee administrato or of user and
reso
ource claims, enabling
e the addministrator to
o
mak ke educated decisions aboutt how to adjust
policies or fix userr attributes (fo
or example,. if the
t departmen
nt is listed as H
HR instead of H
Human Resources).
Whe
en planning fo
or Access Denied Assistance, you should in
nclude the follo
owing :
Define messages that users will see when

n they try to acccess resourcess for which the
ey do not have
e
access rights. The message should be info
ormal and easyy to understan nd.
Create the em
mail text that users
u use to req
quest access. I f you allow ussers to requestt access to
resources, you can prepare text that is ad
dded to their eemail messages.
Determine the recipients fo or the Access Request
R email messages. You u can choose tto send email tto
folder ownerss, file server ad
dministrators, or
o any other sp
pecified recipi ent. Messagess should alwayys be
he proper persson. If you have a help desk ttool or monito
directed to th oring solution that allows emmail
messages, you can also dire ect those messsages to generrate user requeests in your he
elp desk solutio
on
automaticallyy.
Decide on the
e target opera
ating systems. Access
A Denied
d Assistance on
nly works with Windows 8 o
or
Windows Servver 2012.
Lesson
n3
Deplo
oying Dynamic
D c Accesss Contro
ol
Too deploy Dynaamic Access Co ontrol, you mu
ust perform sevveral steps and
d configure se
everal objects. In this
le
esson, you will learn about im
mplementing and
a configurin ng Dynamic Acccess Control.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe th
he prerequisite
es for impleme
enting Dynamicc Access Control.
Enable support in AD DS for Dynamic Access
A Controll.
Implement claims and resource properrty objects.
Implement central accesss rules and policies.

Implement file access aud
diting.
Implement Access Denied

d assistance.
Implement file classificatiions.

Implement Dynamic Acce
ess Control.
Prerequisit
P es for Imp
plementing
g Dynamicc Access Co
ontrol
Be
efore impleme enting Dynamiic Access Conttrol,
yo
ou must ensurre that your servers meet cerrtain
prerequisites. Claims-based authorization re
equires
th
he following in
nfrastructure:
Windows Server 2012 mu ust be installed

d on
the file servver that will ho
ost the resourcces that
Dynamic Acccess Control will w be protectting.
The file servver that will ho
ost the share must
m be
a Windows Server 2012 file server so th hat it
can read cla aims and devicce authorizatio on data
from a Kerb beros v5 tickett, translate tho
ose SIDs
and claims from the ticke et into an
authenticattion token, and d then comparre the authorizzation data in the token agaainst condition
nal
expressionss in the securitty descriptor.
At least onee Windows Server 2012 dom main controllerr must be acceessible by the W Windows cliennt
computer in the user's do omain. The new w authorizatioon and auditing mechanism requires exten nsions
to AD DS. These
T extensioons build the Windows
W claim dictionary, wh hich is where WWindows operrating
systems stoore claims for an
a Active Direcctory forest. Cllaims authorizzation also relie
es on the Kerb
beros
Key Distribuution Center (KDC). The Win ndows Server 22012 KDC conttains the Kerberos enhancem ments
that are req
quired to transsport claims within a Kerberoos ticket and ccompound ide entity. Windowws Server
2012 KDC also
a includes an a enhancement to support Kerberos armo oring. Kerberoos armoring is an
implementa ation of Flexib
ble Authenticattion Secure Tu
unneling. It proovides a proteccted channel bbetween
the Kerberoos client and thhe KDC.
Windows Server 2012 domain controlle

ers must be in each domain if you are usin
ng claims across a
forest trust..
You must havve a Windows 8 client if you are using devvice claims. Old
der Windows o
operating syste
ems
do not suppo
ort device claim
ms.
Alth
hough a Windo ows Server 201
12 domain con ntroller is requ
uired, there is n
no requiremen nt for having a
2 domain and
a forest funcctional level, u nless you wan nt to use claims across a fore
est
trusst. This means that
t a have domain controllerss on Windows Server 2008 aand Windows SServer
you can also
2008 R2 with the forest functionnal level locate
ed on Window ws Server 2008.
Note: Imple ementing Dyn

C in an e nvironment w
with multiple fo
orests has
add
ditional setup requirements.
r
Ena
abling Sup
pport in AD DS for Dynamic
D A
Access Con
ntrol
Afte
er fulfilling the
e software requ
uirements for
enabling Dynamicc Access Contrrol support, yo ou
musst enable claim m support for the
t Windows Server
S
2012 KDC. Kerberros support forr Dynamic Acccess
Conntrol provides a mechanism for f including user
u
claim
m and device authorization information in na
Winndows authenttication token. Access checkss
perfformed on resources (such as a files or folde
ers),
use this authorization information to verify
idenntity.
Youu should first use Group Policcy to enable AD A DS

for Dynamic Acce ess Control. Beccause this setting is
speccific to domain n controllers, you
y can create e a new Group Policy Object (GPO) and then link the settting
to the Domain Co ontrollers organizational unitt (OU), or by eediting the Deffault Domain C
Controllers GP
PO
thatt is already linkked to that OU U.
Whichever metho od you choose,, you should open
o the Grouup Policy Obje pand Computer
ect Editor, exp
Con
nfiguration, exxpand Policies, expand Adm Templates, expand System, and then expand
ministrative T
KDC
C. In this node
e, open a settin port Dynamic Access Contrrol and Kerbe
ng called Supp eros armoring
g.
To configure
c the Support
S mic Access Control and Kerb
Dynam beros armoring
g policy setting, choose one
e of
the four listed opttions:
Do not supp
port Dynamic Access Contrrol and Kerbe
eros armoring
g
Support Dyn
namic Access Control and Kerberos
K arm
moring
Always prov
vide claims an
nd FAST RFC behavior
b
Also fail una

armored authentication req
quests
Claims and Kerberos armoring support
s are disabled by defaault, which is eequivalent to tthis policy setting
not being configu
ured, or being configured as Do not suppoort Dynamic A ccess Control and Kerberos
arm
moring.
The Support Dynaamic Access Co

ontrol and Kerrberos armorinng policy settinng configures Dynamic Acceess
Con
ntrol and Kerbe
eros armoring in a mix-mod
de environmen ntwhen theree is a mixture o of Windows Se
erver
2012 domain controllers and do
omain controlllers running eaarlier versions of Windows SServer.
Youu use the remaining policy se a the domain controllers aree Windows Server 2012 dom
ettings when all main
controllers and th
he domain funcctional level is configured to
o Windows Serrver 2012. The Always provid
de
claim
ms and FAST RFC
R behavior policy
p a the Also faail unarmored authenticatio
setting and on requests policy
se
etting enable Dynamic
D Accesss Control and
d Kerberos armmoring for the domain. Howe ever, the latterr policy
se
etting requiress all Kerberos authentication
a service and ti cket-granting service (TGS) communicatio on to
usse Kerberos arrmoring. Windows Server 2012 domain co ntrollers read this configuration while oth her
doomain controllers ignore this setting.
Im
mplementting Claimss and Reso
ource Prop
perty Obje
ects
After you enable support for Dynamic Acceess
Control in AD DS,
D you must next
n create and
d
co e property objects.
onfigure claims and resource
Creating
C and
d Configurin
ng Claim Ty
ypes
Too create and configure claim
ms, you primarily use
he Active Direcctory Administtrative Center. You
th
usse the Active Directory
D Administrative Cen nter to
crreate attribute-based claims,, which are the e most
co
ommon type of o claim. Howe ever, you can also
a use
th
he Active Direcctory module for
f Windows
PoowerShell to create certificate-based claims. All

claims are storeed within the configuration

paartition in AD DS. Because thhis is a forest-w
wide partition,, all domains w est share the claim
within the fore
diictionary, and domain contro ollers from the e domains issuue claim informmation during user and computer
auuthentication.
Too create attribute-based claiims in Active Directory

D Adm inistrative Cen nter, navigate tto the Dynamiic
Access Control node, and then open the Cla aim Types con ntainer. By defaault, no claim types are defined
heere. In the Actions pane, you u can click Cre
eate Claim Typ pe to view thee list of attributes. These attrributes
arre used to source values for claims. When you create a cclaim, you asso ociate the claim m with the spe ecific
atttribute. The va
alue of that atttribute is popu
ulated as a cla im value. Therrefore, it is crucial that the
in
nformation con ntained within the Active Dirrectory attribuutes that are ussed to source cclaim types co ontain
acccurate informmation, or rema ain blank.
When
W you selecct the attribute
e that you wannt to use to creeate a claim, yo
ou also must p
provide a nam me for
th
he claim. The suggested
s nam
me for the claim
m is always thee same as the selected attribbute name. Ho owever,
yo
ou can also proovide an alternnate or more meaningful
m naame for the claaim. Optionallyy, you can also
o
provide suggestted values for a claim. This iss not mandato ory, but do thiss can reduce the possibility ffor
making
m mistakees.
Note: Claaim types are sourced

s A DS attributtes. For this reason, you musst configure
from AD
our computer and user accounts in AD DS with the inforrmation that iss correct for
atttributes for yo
th
he respective user
u or computter. Windows Server
S 2012 doomain controllers do not isssue a claim
fo
or an attribute-based claim type
t when the attribute for tthe authenticaating principal is empty.
Depending on the t configuration of the dataa files Resourcce Property O bject attribute
es, a null
va
alue in a claim may result in the user being
g denied accesss to Dynamic Access Contro ol-protected
daata.
Creating
C and
d Configurin
ng Resource
e Propertiess
Although resource propertiess are at the corre of Dynamic Access Contro ol, you should implement th hem
affter you have defined
d user and device claim
ms. Remembeer that if a claim
m does not maatch the speciffied
re
esource properrty value, then
n access to the data might no
ot be allowed.. Therefore, revversing the ord
der of
implementation would risk inadvertently blocking users from data that they otherwise should be able to
access.
When you use claims to control access to files and folders, you must also provide additional information
for those resources. You do this by configuring the resource property objects. You manage resource
properties in the Resource Properties container, which is located in the Dynamic Access Control node in
the Active Directory Administrative Center. You can create your own resource properties, or you can use
one of preconfigured properties, such as Project, Department, and Folder Usage. All predefined
resource property objects are disabled by default. If you want to use any of them, you should first enable
them. If you want to create your own resource property object, you can specify the property type, and the
allowed or suggested values.
When you create resource property objects, you can select properties to include in the files and folders.
When evaluating file authorization and auditing, the Windows operating system uses the values in these
properties along with the values from user and device claims.
After you have configured user and device claims and resource properties, you must then protect the files
and folders by using conditional expressions that evaluate user and device claims against constant values,
or values within resource properties. You can do this in any of the following three ways:
If you want to include only specific folders, you can use the Advanced Security Settings Editor to
create conditional expressions directly in the security descriptor.
To include several (or all) file servers, you can create central access policy rules, and then link those
rules to the Central Policy objects. You can then use Group Policy to deploy the Central Policy objects
to file servers, and then configure the share to use the Central Policy object. However, using central
access policies is the most efficient and preferred method for securing files and folders. This is
discussed further in the next topic.
You can use file classifications to include certain files with a common set of properties across various
folders or files.
You can use claims and resource property objects together in conditional expressions. Windows Server
2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional
expressions simply add another applicable layer to the permission entry. The results of all conditional
expressions must evaluate to True for Windows to grant the permission entry for authorization. For
example, suppose that you define a claim called Department for a user (with a source attribute
department), and that you define a resource property object called Dept. You can now define a
conditional expression that says that the user can access a folder (with the applied resource property
objects) only if the user attribute Department value is equal to the value of property Dept on the folder.
Note that if the Dept resource property object has not been applied to the file(s) in question, or if Dept is
a null value, then the user will be granted access to the data.
Note: Access is controlled not by the claim, but by the resource property object. The claim
must provide the correct value corresponding to the requirements set by the resource property
object. If the resource property object does not involve a particular attribute, then additional or
extra claim attributes associated with the user or device are ignored.
Im
mplementting Centra
al Access Rules
R and Policies
Central access policies
p enablee you manage and
de
eploy consisteent authorizatioon throughoutt the
orrganization byy using central access rules and
Central Access Policy
P objects.
Central access policies

p act as security
s nets that an
orrganization appplies across itss servers. You use
Group Policy to o deploy the po olicies, and you apply
th
he policies to all
a Windows Se erver 2012 file servers
hat will use Dynamic Access Control. A cen
th ntral
acccess policy en
nables you to deploy
d a consistent
co
onfiguration too several file se
ervers.
Thhe main comp ponent of a cen ntral access po

olicy is
ce
entral access ruule. Central Acccess Policy ob
bjects represen
nt a collection of central acceess rules. Befo
ore you
crreate a central access policy, you should crreate a centrall access rule beecause policess are comprised of
ru
ules.
A central accesss rule contains multiple criteria that the W

Windows operatting system usses when evalu uating
acccess. For exam
mple, a centrall access rule ca
an use conditioonal expressio ns to target sp
pecific files and
d
fo
olders. Each ceentral access ru
ule has multiple permission eentry lists that you use to maanage the rule e's
cu
urrent or proposed permissio on entries. You urn the rule's ccurrent permission entry list to its
u can also retu
la
ast known list of
o permission entries.
e Each central access rrule can be a mmember of one or more Cen ntral
Access Policy ob bjects.
Configuring
C Central Acccess Rules
Yo
ou typically cre
eate and confiigure central access
a rules in the Active Dirrectory Adminiistrative Cente
er.
However, you can also use Windows PowerrShell to perforrm the same task.
To
o create a new
w central access rule, do the following:
f
1.. Provide a name

n and desccription for the ould also choose to protect tthe rule againsst
e rule. You sho
accidental deletion.
d
2.. Configure the

t target reso ources. Use thee Target Reso ources section to create a scope for the acccess
rule. You crreate the scope by using reso ource propert ies within one or more cond ditional expressions.
To simplify the process, you
y can keep the default valu ue (All resourrces) and apply resource filteering.
You can join the conditio onal expressionns by using loggical operatorss, such as ANDD and OR.
Additionallyy, you can grooup conditiona al expressions ttogether to coombine the ressults of two orr more
joined cond ditional expresssions. The Tarrget Resource es section dispplays the currently configure
ed
conditionall expression thhat is being useed to control tthe rule's applicability.
3.. Configure permissions

p wiith either of th
he following op
ptions:
o Use foollowing perm missions as pro oposed perm missions. Use th his option to aadd the permisssions
entries in the permissions list to the list of propoosed permissio ns entries for tthe newly creaated
central access rule. You
Y can combine the propossed permission ns list with file system auditin
ng to
model the effective access
a that useers have to thee resource, without having to o change the
permissions entries inn the current permissions
p lisst. Proposed peermissions gen nerate a speciaal audit
event to
t the event loog that describbes the propossed effective acccess for the u users.
Note: Pro
oposed permisssions do not apply
a to resou rces; they exisst for simulatio
on purposes
on
nly.
o Use folloowing permisssions as curre ent permissio ons. Use this o ption to add tthe permission ns
entries in
n the permissio ns entries for tthe newly created
ons list to the list of the curreent permission
central acccess rule. The
e current permmissions list reppresents the addditional permmissions that thhe
Windowss operating sysstem considerss when you deeploy the central access rule to a file server.
Central access
a rules doo not replace thhe existing seccurity. When m making authoriization decisio ons,
Windowss evaluates perrmission entrie es from the ce ntral access ruule's current peermissions list,
NTFS, and share permissions lists.
Implementin
ng File Acccess Auditiing
The Global Objectt Access Auditing feature in
Winndows 8 and Windows
W Serve
er 2012 enables you
to configure
c objecct access auditting for every file
and folder in a co omputers file system.
s You usse
this feature to cen ntrally managee and configurre
Winndows operatin ng systems to monitor everyy file
and folder on the computer. To o enable objectt
acceess auditing inn previous verssions of Windo ows
Servver, you had to o configure this option in ba asic
audit policies (in GPOs),
G and turrn on auditing for a
speccific security principal
p in the objects SACLL.
Sommetimes this ap pproach did no ot easily recon
ncile
withh company policiessuch ass Log all administrative writte activity on sservers contain
ning financial
ormationbeccause you can turn on objectt access audit logging at thee object level, but not at the
info
servver level. The new
n audit category in Windo ows Server 20008 R2 and Win
ndows Server 22012 enables
admministrators to manage objecct access auditting using a m uch wider scope.

C enable es you to createe targeted aud dit policies usi ng resource properties, and
expressions based d on user and computer
c claim
ms. For examp ple, you could create an audit policy to traack all
Reaad and Write operations
o on High Confiden ntial files perfo
ormed by emp ployees who do not have a H High
Security Clearance attribute po opulated with the appropriaate value. You can author expression-based
audit policies dire
ectly on a file or
o folder, or ce
entrally via Gro oup Policy usinng Global Obje ect Access Audditing.
By using
u this apprroach, you do not prevent unauthorized a ccess; instead,, you register aattempts to acccess
the content by un nauthorized pe eople.
Youu configure Gloobal Object Acccess Auditing when you enaable object acccess auditing aand global objject
acceess auditing. Enabling this fe n auditing for the computer that applies the policy setting.
eature turns on
Howwever, enabling auditing alone does not always generatee auditing eveents. The resou urcein this
instance files and foldersmustt contain auditt entries.
You
u should configgure Global Ob bject Access Auditing for yo ur enterprise b by using the se
ecurity policy oof a
dom
main-based GP PO. The two se ecurity policy settings
s that arre required to enable globall object accesss
auditing are locatted in the follo
owing locations:
Computer Co onfiguration\W
Windows Settin ngs\Security Seettings\Advancced Audit Policcy\Audit
Policies\Object Access\Audit File System
Computer Co onfiguration\W
Windows Settin ngs\Security Seettings\Advancced Audit Policcy\Audit
Policy\Global Object Accesss Auditing\File
e System
Global Object Acccess Auditing includes a subccategory for fiile system and registry.
Note: If both
b a file or fo
older SACL and a Global Obj bject Access Au uditing policy (or a single
egistry setting SACL and a Global Object Access
re A Auditing
g policy) are co onfigured on a computer,
th
he effective SAACL is derived byb combining the file or fold der SACL and tthe Global Obj bject Access
Auditing policy.. This means th hat an audit evvent is generatted if an activiity matches eitther the file
orr folder SACL or
o the Global Object
O Access Auditing policcy.
Im
mplementting Accesss Denied Assistance
A
One
O of the mosst common errrors that users receive
when
w they try too access a file or folder on a
re
emote file servver is an accesss denied error.
Tyypically, this errror occurs whhen a user triess to
acccess a resourcce without havving proper
peermissions to dod so, or because of incorrecctly
co
onfigured perm missions or ressource ACLs. Using
U
Dynamic Accesss Control can createc further
co
omplications. ForF example, usersu with
peermissions willl not be grante ed access if a relevant
r
atttribute in theiir account is misspelled.
m
When
W users receive this error,, they usually try
t to
co
ontact the admministrator to obtain
o access. However, adm
ministrators usu
ually do not ap
pprove access to
re
esources, so they redirect the
e users to sommeone else for approval.
In
n Windows Serrver 2012, therre is a new featture to help bo oth users and administratorss in such situattions.
Thhis feature is called Access Denied
D Assistan
nce. It helps ussers respond to
o access denie
ed issues withoout
in
nvolving IT stafff. It does this by providing information ab bout the probl em and directting users to thhe
proper person.
Access
A Denie
ed Remediation
Thhe Access Den
nied Assistance
e feature provides three wayys for troublesh
hooting issues with access denied
errrors:
Self-remediation. Administrators can crreate customizzed access den

nied messages that are autho ored by
the server administrator.
a By using the information in these messages, users can ttry to self-remeediate
access deniied cases. The message can also
a include U RLs that directt users to self-remediation wwebsites
ovided by the organization. For example, tthe URL mightt direct the use
that are pro er to change the
password too an applicatio
on, or to down hed copy of the client-side software.
nload a refresh
Remediatio on by the data owner. Admin nistrators can ddefine owners for shared follders. This enables
users to sen
nd email messages to the da ata owners to rrequest accesss. For example, if a user is
accidentallyy left off a secu
urity group meembership, or the users dep partment attrib bute is misspelled, the
data ownerr might be able e to add the user
u to the grooup. If the dataa owner does n not know how w to
grant accesss to the user, the
t data owne er can forward this informatiion to the app propriate IT
administrattor. This is helppful because th
he number of user support rrequests escalaated to the sup pport
desk shouldd be limited to o specialized caases, or cases tthat are difficu
ult to resolve.
Remediatio on by the help desk and file server

s adminisstrators. If userrs cannot self-remediate issu
ues and
data ownerrs cannot resollve the issue either, then adm ministrators caan troubleshoo ot issues by accessing
a user interrface to view th
he effective pe
ermissions for the user. Exam mples of when an administraator
should be involved are ca ases where claims attributes or resource o bject attribute es are defined
incorrectly or contain incorrect informa ation, or when the data itselff seems to be corrupted.
Youu use Group Po olicy to enable

e the Access De enied Assistan ce feature. Op pen the Group Policy Object
Edittor and navigate to Compute er Configuratioon\Policies\Ad dministrative TTemplates\Systtem\Access-De enied
Assiistance. In the Access-Denied d Assistance node, you can eenable Access Denied Assistance, and you u can
also
o provide custo omized messag ges for users. Alternatively,
A yyou can also use the File Serrver Resource
Man nager console to enable Acccess Denied Asssistance. How wever, if this feaature is enable
ed in Group Poolicy,
the appropriate se ettings in the File
F Server Ressource Manageer console are disabled for cconfiguration.
Implementin
ng File Classsifications
To implement Dynamic Access Control effectively,
you must have we ell-defined claims and resource
properties. Althou ugh claims are defined by
attributes for a usser or a device,, resource
properties are mo ost often manu ually created and
defiined. File classifications enabble administrattors
to define
d automattic proceduress for defining a
desiired property ono the file, bassed on conditions
speccified in a classification rule. For example, you
can set the Confid dentiality pro operty to High h on
all documents
d whhose content co ontains the wo ord
seccret. You could then use this property in
Dyn namic Access Control
C to speccify that only employees
e wit h their emplo
oyeetype attrib
butes set to
Man nager can acccess those docu uments.
In Windows
W Serve
er 2008 R2 and d Windows Serrver 2012, classsification man
nagement and file managem ment
task
ks enable administrators to manage
m groupps of files based
d on various fiile and folder aattributes. Witth
thesse tasks, you can automate file
f and folder maintenance tasks, such as cleaning up sttale data or
prottecting sensitivve information
n.
Classsification man nagement is deesigned to easse the burden and managem ment of data th
hat is spread o
out in
the organization. You can classify files in a variety of ways. IIn most scenarrios, you classify files manuaally.
The file classification infrastructure in Windowws Server 20088 R2 enables organizations to o convert thesse
man nual processess into automated policies. Ad dministrators ccan specify filee managementt policies based on
a files classificatio
on, and then apply corporatee requirementts for managin ng data based on a business value.
You
u can use file classification to
o perform the following
f actio
ons:
es, which you ccan assign to fiiles by running
Define classification properrties and value g classification
n rules.
Create, updatte, and run classification rulees. Each rule asssigns a singlee predefined property and vaalue
n a specified diirectory based on installed cclassification pllug-ins.
to files within
When running a classificatio on rule, reevalluate files thatt are already cllassified. You ccan choose to
overwrite exissting classification values or add the valuee to properties that support multiple value es. You
can also use this
t to declassiify files that arre no longer in n the classificattion criteria.
Im
mplementting Centra
al Access Policy
P Changes
After you impleement Dynamic Access Contrrol, you
might
m have to make
m some changes. For exaample,
yo
ou might have e to update conditional expressions,
orr you might want to change claims. You must
m
ca
arefully plan any change to Dynamic
D Access
Control compon nents.
Changing a cen ntral access policy can drasticcally

afffect access. Fo
or example, a change
c could
pootentially grannt more accesss than desired, or, it
ould restrict a policy too much, resulting in
co n an
exxcessive numb ber of help dessk calls. As a be
est
practice, you sh hould test channges before
im
mplementing a central access policy updatte.
Foor this purposee, Windows Se erver 2012 introduces the co oncept of stagiing. Staging en nables users too verify
th
heir proposed policy updates before enforrcing them. To o use staging, yyou deploy the e proposed po olicies
along with the enforced
e policcies, but you do not actually grant or denyy permissions. Instead, the W Windows
op perating system logs an aud dit event (48188) any time thee result of the access check tthat is using th
he
sttaged policy differs from thee result of an access check thhat is using thee enforced pollicy.
Lab: Implementing Dynamic Access Control

Scenario
The Research team at A. Datum Corporation is involved in confidential work that provides a great deal of
value to the business. Additionally, other groups at A. Datum, such as the Executive department,
frequently store files containing business-critical information on the company file servers. The security
department in the organization wants to ensure that these confidential files are only accessible to
properly authorized personnel, and that all access to these files is audited.
As one of the senior network administrators at A. Datum, you are responsible for addressing these security
requirements by implementing Dynamic Access Control on the file servers. You will work closely with the
business groups and the security department to identify which files need to be secured, and who should
have access to these files. You will then implement Dynamic Access Control based on the company
requirements.
Objectives
Plan the Dynamic Access Control implementation.
Configure user and device claims.
Configure resource property definitions.
Configure central access rules and central access policies.
Validate and remediate Dynamic Access Control.
Implement new resource policies.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-LON-CL2
20412A-LON-DC1
20412A-LON-SVR1
Virtual Machine(s)
20412A-LON-CL1
20412A-LON-CL2
Password Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1.
6. Do not start 20412A-LON-CL1 and 20412A-LON-CL2 until directed to do so.
Exercise 1: Planning the Dynamic Access Control Implementation

Scenario
A. Datum Corporation must ensure that documents used by the Research team and the Executive
department are secured. Most of the files used by these departments are currently stored in shared
folders dedicated to these departments, but confidential documents sometimes appear in other shared
folders. Only members of the Research team should be able to access Research team folders, and only
Executive department managers should be able to access highly confidential documents.
The security department is also concerned that managers are accessing files using their home computers,
which may not be highly secure. Therefore, you must create a plan for securing the documents regardless
of where they are located, and ensure that the documents can only be accessed from authorized
computers. Authorized computers for managers are members of the security group ManagersWks.
The support department reports that a high number of calls are generated by users who cannot access
resources. You must implement a feature that helps users understand error messages better, and that will
enable them to request access automatically.
1. Plan the Dynamic Access Control deployment.
2. Prepare AD DS to support Dynamic Access Control.
Task 1: Plan the Dynamic Access Control deployment

Based on the scenario, describe how you will design Dynamic Access Control to fulfill the
requirements for access control.
Task 2: Prepare AD DS to support Dynamic Access Control

1. On the LON-DC1, in Server Manager, open Active Directory Users and Computers.
2. Create a new OU named Test.
3. Move LON-CL1, LON-CL2, and LON-SVR1 computer objects into the Test OU.
4. On LON-DC1, from Server Manager, open the Group Policy Management Console.
5. Remove the Block Inheritance setting that is applied to the Managers OU. This is to remove the
block inheritance setting used in a later module in the course.
6. Edit the Default Domain Controllers Policy GPO.
7. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
8. Enable the KDC support for claims, compound authentication and Kerberos armoring policy
setting.
9. In the Options section, click Supported.
10. On LON-DC1, refresh Group Policy.

11. Open Active Directory Users and Computers, and in the Users container, create a security group
named ManagersWKS.
12. Add LON-CL1 to the ManagersWKS group.

13. Verify that user Aidan Delaney is a member of Managers department, and that Allie Bellew is the
member of the Research department. Department entries should be filled into the appropriate
attribute for each user profile.
Results: After completing this exercise, you will have planned for Dynamic Access Control deployment,
and you will have prepared AD DS for Dynamic Access Control implementation.
Exercise 2: Configuring User and Device Claims

Scenario
The first step in implementing Dynamic Access Control is to configure the claims for the users and devices
that access the files. In this exercise, you will review the default claims, and then create new claims based
on the department and computer description attributes. For users, you will create a claim for a
department attribute. For computers, you will create a claim for a description attribute.
1. Review the default claim types.
2. Configure claims for users.
3. Configure claims for devices.
Task 1: Review the default claim types

1. On LON-DC1, in Server Manager, open the Active Directory Administrative Center.
2. In the Active Directory Administrative Center, click the Dynamic Access Control node.
3. Open the Claim Types container, and verify that there are no default claims defined.
4. Open the Resource Properties container, and note that all properties are disabled by default.
5. Open the Resource Property Lists container, and then open the properties of the Global Resource
Property List.
6. In the Resource Properties section, review available resource properties, and then click Cancel.
Task 2: Configure claims for users

1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.
2. Open the Claim Types container, and create a new claim type for users and computers using the
following settings:
o Source Attribute: Department
o Display name: Company Department
Task 3: Configure claims for devices

1. In the Active Directory Administrative Center, in the Tasks pane click New, and then select Claim
Type.
2. Create a new claim type for computers using the following settings:
o Source Attribute: description
o Display name: description

Results: After completing this exercise, you will have reviewed the default claim types, configured claims
for users, and configured claims for devices.
Exercise 3: Configuring Resource Property Definitions

Scenario
The second step in implementing Dynamic Access Control is to configure the resource property lists and
resource property definitions. After you do this, you should make a new classification rule that classifies all
files containing the word secret. These files should be assigned a value of High for the Confidentiality
attribute. You should also assign the department property to the folder that belongs to the Research
team.
1. Configure resource property definitions.
2. Classify files.
3. Assign properties to a folder.
Task 1: Configure resource property definitions

1. In the Active Directory Administrative Center, click Dynamic Access Control, and then open the
Resource Properties container.
2. Enable the Department and Confidentiality Resource properties.
3. Open Properties for Department.

4. Add Research as suggested value.
5. Open the Global Resource Property List, ensure that Department and Confidentiality are included
in the list, and then click Cancel.
6. Close the Active Directory Administrative Center.
Task 2: Classify files

1. On LON-SVR1, open File Server Resource Manager.
2. Refresh Classification Properties, and verify that Confidentiality and Department properties are
listed.
3. Create a Classification rule with following values:
o Name: Set Confidentiality
o Scope: C:\Docs
o Classification method: Content Classifier
o Property: Confidentiality
o Value: High
o Classification Parameters: String secret
o Evaluation Type: Re-evaluate existing property values, and then click Overwrite the existing
value
4. Run the classification rule.
5. Open a Windows Explorer window, browse to the C:\Docs folder, and then open the Properties
window for files Doc1.txt, Doc2.txt, and Doc3.txt.
6. Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.
Task 3: Assign properties to a folder

1. On LON-SVR1, open Windows Explorer.
2. Browse to C:\Research, and open its properties.
3. On the Classification tab, set the Department value to Research.
Results: After completing this exercise, you will have configured resource properties for files, classified
files, and assigned properties to a folder.
Exercise 4: Configuring Central Access Rules and Central Access Policies

Scenario
Now that you have configured your resource property definitions, you need to configure the central
access rules and policies that will link the claims and property definitions.
1. Configure central access rules.
2. Create a central access policy.
3. Publish a central access policy by using Group Policy.
4. Apply the central access policy to resources.
5. Configure access denied remediation settings.
Task 1: Configure central access rules

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. Click Dynamic Access Control, and then open the Central Access Rules container.
3. Create a new Central Access Rule with the following values:
o Name: Department Match
o Target Resource: use condition Resource-Department-Equals-Value-Research
o Permissions: Remove Administrators, and then add Authenticated Users, Modify, with
condition User-Company Department-Equals-Resource-Department
4. Create another Central Access Rule with the following values:
o Name: Access Confidential Docs
o Target Resource: use condition Resource-Confidentiality-Equals-Value-High
o Permissions : Set first condition to: User-Group-Member of each-Value-Managers
o Permissions: Set second condition to: Device-Group-Member of each-Value-ManagersWKS
Task 2: Create a central access policy

1. On LON-DC1, in the Active Directory Administrative Center, create a new Central Access Policy with
following values:
Name: Protect confidential docs

Rules included: Access Confidential Docs
2. Create another Central Access Policy with following values:
Name: Department Match

Rules included: Department Match
Task 3: Publish a central access policy by using Group Policy

1. On LON-DC1, from the Server Manager, open the Group Policy Management Console.
2. Create new GPO named DAC Policy, and in the Adatum.com domain, link it to Test OU.
3. Edit the DAC Policy, browse to Configuration/Policies/Windows Settings/Security Settings

/File System, and then right-click Central Access Policy.
4. Click Manage Central Access Policies.
5. Click both Department Match and Protect confidential docs, click Add, and then click OK.
6. Close both the Group Policy Management Editor and the Group Policy Management Console.
Task 4: Apply the central access policy to resources

1. On LON-SVR1, start Windows PowerShell.
2. Refresh Group Policy on LON-SVR1.
3. Open Windows Explorer, and browse to the C:\Docs folder.
4. Apply the Protect confidential docs central policy to the C:\Docs folder.
5. Browse to the C:\Research folder.
6. Apply the Department Match Central Policy to the C:\Research folder.
Task 5: Configure access denied remediation settings

1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console, browse to Group Policy objects.
3. Edit the DAC Policy.
4. Under the Computer Configuration node, browse to Policies\Administrative Templates\System,

and then click Access-Denied Assistance.
5. In the right pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box, and then click OK.
9. Double-click Enable access-denied assistance on client for all file types, enable it, and click OK.
11. Switch to LON-SVR1, and refresh Group Policy.
Results: After completing this exercise, you will have configured central access rules and central access
policies for Dynamic Access Control.
Exercise 5: Validating and Remediating Dynamic Access Control

Scenario
To ensure that the Dynamic Access Control settings are configured correctly, you need to test various
access scenarios. You will test both approved users and devices, and unapproved users and devices. You
will also validate the access remediation configuration.
The main task for this exercise is as follows:
1. Validate Dynamic Access Control functionality.
Task 1: Validate Dynamic Access Control functionality

1. Start and then log on to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. Click the Desktop tile, and then open Windows Explorer.
3. Browse to \\LON-SVR1\Docs, and verify that you can only open Doc3.
4. Try to access \\LON-SVR1\Research. You should be unable to access it.
5. Log off LON-CL1.
6. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
7. Open Windows Explorer, and try to access \\LON-SVR1\Research. You should be able to access it
and open files in it.
8. Log off LON-CL1.

9. Log on to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
10. Open Windows Explorer and try to access \\LON-SVR1\Docs. You should be able to open all files in
this folder.
11. Log off LON-CL1.
12. Start and then log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
13. Open Windows Explorer and try to access \\LON-SVR1\Docs. You should be unable to see Doc1 and
Doc2, because the LON-CL2 is not permitted to view secret documents.
Results: After completing this exercise, you will have validated Dynamic Access Control functionality.
Exercise 6: Implementing New Resource Policies

Scenario
As a final step in implementing Dynamic Access Control, you will test the effect of implementing a new
resource policy.
1. Configure staging for a central access policy.
2. Configure staging permissions.
3. Verify staging.
4. Use effective permissions to test Dynamic Access Control.
Task 1: Configure staging for a central access policy

2. Open the Group Policy Management Editor for DAC Policy.
3. Browse to Computer Configuration\Policies\Windows Settings

\Security Settings Advanced Audit Policy Configuration\Audit Policies, and then select Object
Access.
4. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
5. Double-click Audit File System, select all three check boxes, and then click OK.
6. Close the Group Policy Management Editor and the Group Policy Management console.
Task 2: Configure staging permissions

1. On LON-DC1, open Active Directory Administrative Center, and then open the properties for the
Department Match central access rule.
2. In the Proposed permissions section, configure the condition for Authenticated Users as follows:
User-Company Department-Equals-Value-Marketing.
Task 3: Verify staging

1. Log on to LON-CL1 as Adatum\Adam with the password Pa$$w0rd.
2. In Windows Explorer, try to access \\LON-SVR1\Research, and the files within it.
3. Switch to LON-SVR1.
4. Open Event Viewer, open Security Log, and then look for events with Event ID 4818.
Task 4: Use effective permissions to test Dynamic Access Control

1. On LON-SVR1, open the properties for the C:\Research folder.
2. Open the Advanced options for Security, and then click Effective Access.
3. Click select a user.
4. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and
then click OK.
5. Click View effective access.
6. Review the results. The user should not have access to this folder.
7. Click Include a user claim.
8. On the drop-down list, select Company Department.
9. In the Value text box, type Research.
10. Click View Effective access. The user should now have access.
11. Close all open windows.
Results: After completing this exercise, you will have implemented new resource policies.



Question: What is a claim?
Question: What is the purpose of a central access policy?
Question: What is Access Denied Assistance?

Claims are not populated with the

appropriate values.
A conditional expression does not allow

access.
Best Practices
Use central access policies instead of configuring conditional expressions on resources.
Enable Access Denied Assistance settings.

Always test changes that you have made to central access rules and central access policies before
implementing them.
Use file classifications to assign properties to files.
Tools
Tool Use Location
Active Directory Administrative For administering and creating Administrative tools

Center claims, resource properties,
rules and policies
Group Policy Management Managing group policy Administrative tools

Console
Group Policy Management Editing Group Policy Objects Group Policy Management
Editor Console
4-1
Module 4
Implementing Network Load Balancing
Contents:
Module Overview 4-1
Lesson 1: Overview of NLB 4-2
Lesson 2: Configuring an NLB Cluster 4-5
Lesson 3: Planning an NLB Implementation 4-10
Lab: Implementing Network Load Balancing 4-16
Module Overview
Network Load Balancing (NLB) is a Windows Server network component. NLB uses a distributed algorithm
to balance IP traffic load across multiple hosts. It helps to improve the scalability and availability of
business-critical, IP-based services. NLB also provides high availability, because it detects host failures and
automatically redistributes traffic to surviving hosts. To effectively deploy NLB, you must understand its
functionality and the scenarios where its deployment is appropriate. The main change to NLB in Windows
Server 2012 is the inclusion of a comprehensive set of Windows PowerShell cmdlets. These cmdlets
enhance your ability to automate the management of Windows Server 2012 NLB clusters. The Network
Load Balancing console, which is also available in Windows Server 2008 and Windows Server 2008 R2, is
also present in Windows Server 2012
This module introduces you to NLB, and shows you how to deploy this technology, the situations for
which NLB is appropriate, how to configure and manage NLB clusters, and how to perform maintenance
tasks on NLB clusters.
Objectives
Describe NLB.
Explain how to configure an NLB cluster.
Explain how to plan an NLB implementation.

4-2 Implementing Network Load Baalancing
Lesson 1
Overviiew of NLB
N
Befoore you deployy NLB, you nee ed to have a fiirm understan ding of the types of server wworkloads for w which
this high availability technologyy is appropriate. If you do no
ot understand the functionality of NLB, it iis
possible that you will deploy it in a manner thhat does not a ccomplish you ur overall objectives. For exaample,
you need to unde erstand why NLB is appropria ate for web appplications, but not for Micro
osoft SQL Serrver
dataabases.
Thiss lesson provid
des an overview
w of NLB, and the features n o
new to NLB in Windows Servver 2012. It also
desccribes how NLLB works normally, and durinng server failurre and server rrecovery.
Lessson Objectiives
Afte
ou will be able to:
Describe NLB
B technology.
Describe how
w NLB works.
Explain how NLB
N accommo
odates server fa
ailures and reccovery.
Describe new
w NLB features in Windows Server 2012.
Wh
hat Is NLB?
NLBB is a scalable, high availability feature thatt you
can install on all editions
e of Winndows Server 2012.
2
A sccalable technollogy is one whhere you can ad dd
addditional compo onents (in this case
c additiona al
clusster nodes) to meet increasinng demand. A node
in a Windows Servver 2012 NLB cluster is a
commputer, either physical or virttual, that is run
nning
the Windows Servver 2012 opera ating system.
Winndows Server 20122 NLB clustters can have
betwween two and 32 nodes. Wh hen you create e an
NLBB cluster, it creates a virtual network
n addre ess
and virtual network adapter. Th he virtual network
adapter has an IP address and a media accesss control (MAC o this address is
C) address. Nettwork traffic to
evenly distributed d across the noodes in the cluster. In a basicc NLB configurration, each noode in an NLB
clusster will service
e requests at a rate that is ap
pproximately eequal to that o of all other nod
des in the clustter.
Whe en an NLB clusster receives a request, it will forward that request to thee node that is currently leastt
utilized. You can configure
c NLB to preference e some nodes o over others.
NLB are. This means that if one of the nodes in the NLB clustter goes offline
B is failure-awa e, requests willl no
long
ger be forward ded to that node, but other nodes in the ccluster will conntinue to accep pt requests. When
the failed node reeturns to servicce, incoming re
equests will bee redirected un
ntil traffic is baalanced acrosss all
noddes in the clustter.
How
H NLB Works
W
When
W you configure an application to use NLB,
N
clients address the
t application n using the NLLB
cluster address rather than the address of nodes
n
th
hat participate in the NLB cluuster. The NLBB cluster
ad
ddress is a virtual address that is shared be
etween
he hosts in the NLB cluster.
th
NLB directs trafffic in the following manner: All
ho osts in the NLBB cluster receivve the incomin
ng
t cluster, which is
trraffic, but only one node in the
de etermined thro ough the NLB process, will accept
a
th
hat traffic. All other
o nodes in the NLB clustter will
drop the traffic..
Which
W node in the
t NLB cluste er accepts the traffic depend
ds on the confiiguration of po ort rules and aaffinity
se
ettings. Throug
gh these settin etermine if tra ffic that uses a particular po
ngs, you can de ort and protoco ol will
e accepted by a particular node, or whether any node in
be n the cluster w will be able to aaccept and resspond.
NLB also sends traffic to node es based on cu urrent node uttilization. New traffic is directed to nodes tthat are
be
eing least utilizzed. For example, if you havve a four node cluster wheree three of the n nodes are resp
ponding
to
o requests from m 10 clients an
nd one node iss responding to he node that has fewer
o requests fro m 5 clients, th
clients will receiive more incom
ming traffic unntil utilization iis more evenlyy balanced across the nodes..
How
H NLB Works
W with
h Server Fa
ailures and
d Recoveryy
NLB is able to detect
d the failu
ure of cluster nodes.
n
When
W a cluster node is in a fa
ailed state, it is
re
emoved from the t cluster, and d the cluster does
d not
diirect new traffic to the node. Failure is detected
byy using heartbbeats. NLB clusster heartbeatss are
trransmitted eveery second between nodes in na
cluster. A node is automaticallly removed fro om a
NLB cluster if it misses five coonsecutive heartbeats.
When
W a node iss added or remmoved from a cluster,
c
a process known as convergence occurs.
Convergence allows the cluste er to determin ne its
cuurrent configuration. Converrgence can only occur
if each node is configured
c witth the same po ort rules.
Nodes can be configured to rejoin

r a clusterr automaticallyy by setting th e Initial host sstate setting on
n the
noodes properties using the Network
N Load Balancing
B Man nager. By defa ult, a host that is a member of a
cluster will attem
mpt to rejoin that
t cluster automatically. Fo or example, if you reboot a sserver that is a
member
m of an NLB
N cluster aftter applying a software updaate, the server will rejoin the e cluster autommatically
affter the reboott process comppletes.
Administrators can manually add or remove e nodes from NLB clusters. W When an admiinistrator remo oves a
no ode, they can choose to perform a Stop or a Drainstop aaction. The Sto op action termminates all existting
coonnections to the cluster node and stops the
t NLB servic e. The Drainstop action bloccks all new
co essions. Once aall current sesssions end, the NLB service iss
onnections witthout terminatting existing se
sttopped.
NLB B can only dete ect server failu

ure; it cannot detect
d applicattion failure. Th
his means that if a web appliccation
failss but the serve
er remains operational, the NLBN cluster willl continue to fforward traffic to the cluster node
thatt hosts the faile
ed application n. One method d of managing this problem is to implement a monitorin ng
soluution such as Microsoft
M Syste
em Center 201 12 - Operation s Manager. W With Operationss Manager, you can
mon nitor functionaality of applica
ations. You cann also configurre Operations Manager to generate an ale ert in
the event that an application on n a cluster nodde fails. An ale rt in turn can cconfigure a remediation action,
such h as restarting services, resta
arting the serveer, or withdrawwing the nodee from the NLB B cluster so thaat it
doees not receive further
f incoming traffic.
NLLB Features in Windo

ows Serverr 2012
The most substantial change to NLB features in
Win
ndows Server 20122 is the inclusion of Winddows
Pow
werShell suppo ort. The
NetworkLoadBala ancingClusters module conta ains
35 NLBrelated
N cm
mdlets. This module become es
avaiilable on a servver when the NLB
N Remote Server
S
Admministration To ools (RSAT) aree installed. The
e
Win
ndows PowerSh hell cmdlets ha ave the follow
wing
nou
uns:
NlbClusterNode. Lets you manage a cluster

node. Include
es the Add, Ge et, Remove,
Resume, Set,, Start, Stop, and
a Suspend verbs.
v
y configure the cluster no

NlbClusterNodeDip. Lets you odes dedicated nt IP. Includes the
d managemen
Add, Get, Remove, and Se
et verbs.
NlbClusterPoortRule. Lets you

y manage port
p rules. Inclu
udes the Add, Disable, Enab
ble, Get, Remo
ove,
and Set verbss.
NlbClusterViip. Lets you manage the NLB
B clusters virtu
ual IP. Includes the Add, Ge
et, Remove, an
nd Set
verbs.
NlbCluster. Lets
L you manage the NLB clu
uster. Includess the Get, New
w, Remove, Re
esume, Set, Sttart,
Stop, and Suspend verbs.
NlbClusterDriverInfo. Provides informattion about thee NLB cluster d

driver. Includess the Get verb.
NlbClusterNodeNetworkIInterface. Letss you retrieve information ab

bout a cluster nodes network
interface driver. Includes th
he Get verb.
gure the clusteers IPv6 addresss. Includes the New verb.

pv6Address. Lets you config
NlbClusterIp
NlbClusterPo ortRuleNodeH
HandlingPrio
ority. Lets you set priority on ule basis. Supports
n a per-port ru
the Set ver.,
NlbClusterPo
ortRuleNodeW
Weight. Lets you
y set node w
weight on a peer-port rule baasis. Supports tthe
Set verb.
ee the list of Windows

Note: To se W PowerrShell cmdlets for NLB, you ccan use the ge
et-
com
mmand module NetworkL LoadBalancingClusters commmand.
Lesson
n2
Configuring an NLB
B Cluste
er
To
o deploy NLB successfully, you must first haveh a firm un derstanding o
of its deployme ent requirements. You
must
m also have planned the manner
m in whicch you are goi ng to use portt rules and affiinity settings tto
nsure that trafffic to the application that is being hosted on the NLB clluster is handle
en ed appropriate ely.
his lesson provvides you with information about

Th a the infraastructure requ
uirements thatt you must con
nsider
prior to deployiing NLB. It also
o provides you
u with importaant informationn on how to coonfigure NLB cclusters
an
nd nodes to be est suit your objectives.
o
Le
esson Objecctives
After completin
ng this lesson you
y will be able to:
Describe NLB deploymen

nt requirementts.
Describe ho
ow to impleme
ent NLB.
Explain con
nfiguration opttions for NLB.
Explain how
w to configure
e NLB affinity and
a port rules.
Describe ne
etwork conside
erations for NLLB.
Deploymen
D nt Require
ements forr NLB
NLB requires that all hosts in the NLB cluste er
re
eside on the sa ame TCP/IP subnet. Although
TC CP/IP subnets can be configured to span multiple
m
ge eographic locaations, NLB clu
usters are unlikkely to
acchieve converg gence successffully if the late
ency
be etween nodes exceeds 250 milliseconds
m (m
ms).
When
W you are designing
d geoggraphically disspersed
NLB clusters, yo ead choose to deploy
ou should inste
ann NLB cluster at
a each site, an
nd then use Do omain
Name System (D DNS) round ro obin to distribuute
trraffic between sites.
All network ada apters within an NLB cluster must

be a either unicast or multicastt. You cannot cconfigure an N
e configured as here there is a mixture
NLB cluster wh
off unicast and multicast
m adappters. When using unicast mo ork adapter must support ch
ode, the netwo hanging
itss MAC addresss.
Yoou can only usse TCP/IP protocol with netwwork adapters that participatte in NLB clustters. NLB suppports
IP
Pv4 and IPv6. The
T IP addresses of servers th hat participatee in an NLB clu
uster must be sstatic and musst not
bee dynamically allocated. When you install NLB, Dynamicc Host Configu uration Protocool (DHCP) is disabled
onn each interfacce that you configure to parrticipate in thee cluster.
All editions of Windows

W er 2012 support NLB. Microssoft supports N
Serve NLB clusters with nodes thatt are
ru
unning differennt editions of Windows
W Server 2012. Howeever, as a best practice, NLB cluster nodes should
be
e computers with
w similar harrdware specificcations, and th
hat are running
g the same eddition of the W
Windows
Se
erver 2012 ope erating system
m.
De
emonstration: Deplo
oying NLB
Thiss demonstratio
on shows how to create a Windows Serverr 2012 NLB cluster.
Dem
monstration
n Steps
Cre
eate a Windows Server 2012 NLB Cluster
C
1. Log on to LO g the Adatum\\Administrat or account.
ON-SVR1 using
2. From the Too

ols menu, open ntegrated Scri pting Environm
n the Windowss PowerShell In ment (ISE).
3. Enter the follo

owing comma
ands, and then press Enter:
Invoke-Command -Computername LON-S

SVR1,LON-SVR2
2 -command {I
Install-Windo
owsFeature
NLB,RSAT-NLB}
New-NlbCluster -Interf
faceName "Loc
cal Area Conn
nection" -Ope
erationMode M
Multicast -
ClusterPrimaryIP 172.16.0.42 -Clus
sterName LON-
-NLB
Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName
e "LON-SVR2" -
NewNodeInterface "Local Area Conne
ection"
4. Open Networrk Load Balanccing Manager from the Tool s menu and viiew the clusterr.
Co
onfiguratio
on Optionss for NLB
Connfiguring NLB clusters
c involvves specifying how
h
hostts in the cluste
er will respondd to incoming
netw
work traffic. How NLB directts traffic depen nds
on the
t port and protocol
p that itt is using, and
wheether the clientt has an existin ng network session
h a host in the cluster. You can configure these
with t
settings by using port rules and affinity settings.
Porrt Rules
With port rules, yo ou can configu ure how reque ests to
speccific IP addressses and ports are
a directed byy the
NLB B cluster. You can
c load balan nce traffic on
Trannsmission Control Protocol (TCP)
( port 80 across
a
all nodes
n in an NLLB cluster, whille directing all requests to TC
CP port 25 to a specific hostt.
To specify
s how yoou want to disttribute requestts across nodees in the clusteer, you configu
ure a filtering m
mode
wheen creating a port
p rule. You can
c do this in the Add/Edit Port Rule diaalog box, which h you can use to
configure one of the
t following filtering
f modees:
Multiple hossts. When you configure thiss mode, all NL B nodes respo ond according to the weight
assigned to each
e node. Nod de weight is caalculated autoomatically, baseed on the perfformance
I a node fails, other nodes in
characteristics of the host. If n the cluster ccontinue to resspond to incomming
requests. Mulltiple host filte
ering increases availability an
nd scalability, aas you can increase capacityy by
adding nodess, and the cluster continues to t function in the event of n node failure.
Single host. When

W you connfigure this mo ode, the NLB ccluster directs traffic to the n
node that is
assigned the highest prioritty. In the event that the nod e assigned thee highest priorrity is unavailable,
the host assiggned the next highest prioritty handles the incoming trafffic. Single hosst rules increase
availability, but do not incre
ease scalabilityy.
Note: Highest priority is the lowest number, with a priority of 1 being higher priority than a
priority of 10.
Disable this port range. When you configure this option, all packets for this port range are dropped,
without being forwarded to any cluster nodes. If you do not disable a port range and there is no
existing port rule, the traffic is forwarded to the host with the lowest priority number.
You can use the following Windows PowerShell cmdlets to manipulate port rules:
Add-NlbClusterPortRule. Use this cmdlet to add a new port rule.
Disable-NlbClusterPortRule. Use this cmdlet to disable an existing port rule.
Enable-NlbClusterPortRule. Use this cmdlet to enable a disabled port rule.
Set-NlbClusterPortRule. Use this cmdlet to modify the properties of an existing port rule.
Remove-NlbClusterPortRule. Use this cmdlet to remove an existing port rule.
Note: Each node in a cluster must have identical port rules. The exception to this is the load
weight (in multiple-hosts filter mode) and handling priority (in single-host filter mode).
Otherwise, if the port rules are not identical, the cluster will not converge.
Affinity
Affinity determines how the NLB cluster distributes requests from a specific client. Affinity settings only
come into effect when you are using the multiple hosts filtering mode. You can select from the following
affinity modes:
None. In this mode, any cluster node responds to any client request, even if the client is reconnecting
after an interruption. For example, the first webpage on a web application might be retrieved from
the third node, the second web page from the first node, and the third web page from the second
node. This affinity mode is suitable for stateless applications.
Single. When you use this affinity mode, a single cluster node handles all requests from a single client.
For example, if the third node in a cluster handles a clients first request, then all subsequent requests
are also handled by that node. This affinity mode is useful for stateful applications.
Class C. When you set this mode, a single node will respond to all requests from a class C network
(one that uses the 255.255.255.0 subnet mask). This mode is useful for stateful applications where the
client is accessing the NLB cluster through load-balanced proxy servers. These proxy servers will have
different IP addresses, but will be within the same class C (24 bit) subnet block.
Host Parameters
You configure the host parameters for a host by clicking the host in the Network Load Balancing
Manager console, and then from the Host menu, clicking Properties. You can configure the following
host settings for each NLB node:
Priority. Each NLB node is assigned a unique priority value. If no existing port rule matches the traffic
that is addressed to the cluster, traffic will be assigned to the NLB node that is assigned the lowest
priority value.
Dedicated IP address. You can use this parameter to specify an address the host uses for remote
management tasks. When you configure a dedicated IP address, NLB configures port rules so that
they do not affect traffic to that address.
4-8 Implementing Network Load Balancing
Subnet Mask. When you are selecting a subnet mask, ensure that there are enough host bits to
support the number of servers in the NLB cluster, and any routers that connect the NLB cluster to the
rest of the organizational network. For example, if you plan to have a cluster that has 32 nodes and
supports two routes to the NLB cluster, you will need to set a subnet mask that supports 34 host bits
or moresuch as 255.255.255.192.
Initial host state. You can use this parameter to specify the actions the host will take after a reboot.
The default Started state will have the host rejoin the NLB cluster automatically. The Suspended state
pauses the host, allowing you to perform operations that require multiple reboots without triggering
cluster convergence. The Stopped state stops the node.
Demonstration: Configuring NLB Affinity and Port Rules

This demonstration shows how to configure affinity for NLB cluster nodes, and how to configure NLB port
rules.
Demonstration Steps
Configure Affinity for NLB Cluster Nodes
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. In Windows PowerShell, enter each of the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website Name PortTest PhysicalPath C:\porttest Port 5678
New-NetFirewallRule DisplayName PortTest Protocol TCP LocalPort 5678
Configure NLB Port Rules

1. On LON-SVR1, open the Network Load Balancing Manager.
2. Remove the All port rule.
3. In Network Load Balancing Manager, edit the properties of the LON-NLB cluster.
4. Add a port rule with the following properties:
o Port range: 80 to 80
o Protocols: Both
o Filtering mode: Multiple Host
o Affinity: None
5. Create a port rule with the following properties:
o Protocols: Both
o Filtering mode: Single Host
6. Edit the host properties of LON-SVR1.
7. Configure the port rule for port 5678 and set handling priority to 10.
Network
N Co
onsiderations for NLLB
Yo
ou must consid der several facctors when youu are
de
esigning a nettwork to suppo ort an NLB cluster.
Th
he primary deccision is whethher you want to
co
onfigure the NLB
N cluster to useu Unicast or
Multicast
M er operation mode.
cluste
Unicast
U Mod
de
When
W you configure a NLB cluster to use unicast
mode,
m all cluste
er hosts use thee same unicastt MAC
ad
ddress. Outgoing traffic usess a modified MAC M
ad
ddress that is determined
d byy the cluster ho
osts
priority setting. This prevents the switch tha at
ha
andles outbou m having problems
und traffic from
with
w all cluster hosts
h using the e same MAC address.
a
When
W you use unicast
u mode with
w a single network
n adapt er on each node, only comp puters that use e the
ame subnet can communicatte with the node using the n
sa nodes assigneed IP address. IIf you have to
pe
erform any no
ode manageme ent tasks, such g using Remotte Desktop to apply software
h as connecting e
up
pdates, you wiill need to perfform these tassks from a com
mputer that is o
on the same TTCP/IP subnet as the
no
ode.
When
W you use unicast
u mode with
w two or more network aadapters, one aadapter will be e used for dedicated
cluster commun nication, and the other adappter or adapterrs can be used
d for managemment tasks. When you
usse unicast mod
de with multipple network addapters, you caan perform clu ster managem
ment tasks such
h as
co
onnecting usinng Remote Pow werShell to add or remove r oles and featu
ures.
Unicast mode can also minim mize problems that

t occur wheen cluster nod other non-NLB related
des also host o
ro
oles or servicess. For example, using unicastt mode meanss that a server that participattes in a web se
erver
cluster on port 80 may also host another se ervice such as D
DNS or DHCP.. Although thiss is possible, M
Microsoft
re
ecommends th hat all cluster nodes
n have the
e same configu uration.
Multicast
M Mo
ode
When
W you configure an NLB cluster
c to use multicast modde, each cluster host keeps itts original MACC
ad
ddress, but also is assigned an
a additional multicast
m MAC h node in the ccluster is assigned the
C address. Each
sa
ame additional MAC multica ast address. Muulticast mode requires netwoork switches and routers thaat
su
upport multicaast MAC addre esses.
In
nternet Group Manage
ement Proto
ocol Multica
ast
In
nternet Group Management Protocol (IGM MP) multicast m mode is a speccial form of muulticast mode tthat
prevents the ne etwork switch from
f being flo
ooded with trafffic. When you u deploy IGMP P multicast mo
ode,
trraffic is forward
ded only throu
ugh switch porrts that particip
pate in the NLLB cluster. IGM
MP multicast m
mode
re
equires switch hardware thatt supports this functionality.
Network
N Con
nsiderationss
Yo ou can improvve NLB cluster performance whenw using un nicast mode byy using separaate virtual locaal area
ne etworks (VLAN Ns) for cluster traffic
t and management trafffic. Using VLAANs segments traffic, therebyy
preventing man nagement trafffic from affecting cluster trafffic. When you
u host NLB nod des on virtual
machines
m using Windows Servver 2012, you can also use n network virtuallization to segment manage ement
trraffic from clusster traffic.
4-10 Implemennting Network Load Balancing
B
Lesson 3
Planning an NLB
N Imp
plementtation
Wheen you are plaanning an NLB implementatiion, you must ensure that th he applicationss that you dep ploy
are appropriate fo
or NLB. Not alll applications are
a suitable fo
or deployment on NLB cluste ers, and it is
imp
portant for youu to be able to identify whichh ones can ben
nefit from thiss technology. Y
You also need to
kno
ow what steps you
y can take to t secure NLB, and be familiaar with the op
ptions that youu have to scale NLB,
should the applicaation hosted on
o the NLB cluster require grreater capacityy.
Lessson Objectiives
Afte
u will be able to:
t
Explain how to
t design application and sto
orage supportt for NLB.
eploying NLB cclusters on vir tual machines.

Describe the special considerations for de
Describe the options that you

y can implem
ment to securee NLB.
Describe the options for sca

aling NLB.
Describe the meth
hod you can use to upgrade
e an NLB clusteer to Windowss Server 2012.
De
esigning Application
ns and Storrage Supp ort for NLLB
Because clients ca
an be redirecteed to any nodee in
an NLB
N cluster, ea ach node in thee cluster must be
able
e to provide a consistent expperience. Thereefore,
wheen you are dessigning applicaations and storrage
support for NLB applications,
a yo
ou must ensurre that
you configure eacch node in thee same way, an nd
thatt each node ha
as access to the same data.
Whe en a highly available applica

ation has multiiple
tiersssuch as a web
w application n that includess an
SQLL Server databa w application tier
ase tierthe web
is hoosted on an NLB cluster. SQL Server, as a
stateful applicatio
on, is not madee highly available
usin
ng NLB. Instead d, you use tech
hnologies such h as failover cl ustering, mirro
oring, or AlwayysOn Availabillity
Groups, to make thet SQL Serverr database tierr highly availab ble.
All hosts
h in an NLB cluster should run the sam me applicationss and be confiigured in the ssame way. Whe en
you are using web b applications,, you can use Internet Inform
mation Services (IIS) 8.0s shaared configuraation
funcctionality to en
nsure that all nodes
n N cluster are configured in
in the NLB n the same manner.
Reference Links:
L You can n find out morre about IIS 8.00s shared conffiguration with
h Windows
Servver 2012 at htttp://learn.iis.ne
et/page.aspx/2264/shared-co onfiguration/
You
u can also use technologies
t such
s as file sha
ares that are ho
osted on Clustter Shared Volumes (CSV) to o host
app
plication config
guration inform
mation. File shares hosted on n CSVs allow mmultiple hosts to have accesss to
app
plication data and
a configurattion informatio on. File shares that are hosteed on CSVs are
e a feature of
Win
ndows Server 2012.
2
Considerat
C ions for Deploying an
a NLB Clu
uster on V
Virtual Macchines
As organization ns transition fro

om physical too virtual
deeployments, administrators must considerr several
fa
actors when de etermining the e placement off NLB
cluster nodes on Hyper-V hossts. This includes the
neetwork configu ual machines, the
uration of virtu
onfiguration of the Hyper-V hosts, and the
co e
beenefits of using Hyper-V's hiigh availabilityy
fe
eatures in conjunction with NLB.
N
Virtual
V Mach
hine Placem
ment
Yo
ou should placce NLB cluster nodes on separate
ha
ard disks on thhe Hyper-V host.
h That way, should
a disk or disk arrray fail, even if
i one node be
ecomes unavaiilable, other N NLB cluster nod
des that are ho osted on
th
he same Hyperr-V host will re emain online. As
A a best practtice, you should configure thhe Hyper-V ho ost with
re
edundant hard dware, includin ng redundant disks,
d networkk adapters, and d power suppliies. This will m
minimize
he chance thatt hardware failure on the Hyper-V host willl lead to all no
th odes in an NLB
B cluster becom ming
un
navailable. Wh hen you are ussing multiple network
n ming to ensure that
adapteers, configure network team
virtual machines are able to maintain
m ork even in thee event that individual netwo
access to the netwo ork
ad
dapter hardwa are suffers a failure.
Where
W possible, deploy NLB virtual
v machine e nodes on se parate hyper-V V hosts. When n you are plann ning
th
his type of con
nfiguration, enssure that the virtual
v machinees that particip
pate in the NLLB cluster are lo
ocated
onn the same TCCP/IP subnet. This
T protects th he NLB cluster from other tyypes of server ffailure, such ass the
fa
ailure of a motherboard or any other single e point of failu
ure.
Virtual
V Mach
hine Networrk Configurration
Be ecause addingg additional virrtual network adapters
a is a sttraightforward
d process, you can configure e the
NLB cluster to use
u unicast mo ode, and then deploy
d each vvirtual machinee with multiplee network adapters.
Yo ate separate viirtual switches for cluster traaffic and node management traffic, becausse
ou should crea
seegmenting trafffic can improvve performancce. You can alsso use networkk virtualization n to partition ccluster
trraffic from nod
de managemen nt traffic. You can use VLAN tags as a metthod of partitio oning cluster ttraffic
from node man nagement trafffic.
When
W you are using
u unicast mode,
m ensure that
t you enablle MAC addresss spoofing for the virtual ne etwork
ad
dapter on the Hyper-V host.. You can do thhis by editing the virtual nettwork adapters settings on tthe
Virtual Machinne Settings diaalog box, whicch is available through the HHyper-V Manag ger. Enabling MAC
ad
ddress spoofin
ng allows unicaast mode to co
onfigure MAC address assign nment on the virtual networrk
ad
dapter.
NLB
N Cluster vs.
v Virtual Machine
M Hig
gh Availabi lity
Virtual machine e high availability is the proccess of placing virtual machin nes on failoverr clusters. Whe
en a
fa
ailover cluster node fails, the virtual machin ne fails over, s o that it is hossted on anothe er node. Though
fa
ailover clusterinng and NLB arre both high availability tech hnologies, theyy serve different purposes. FFailover
clustering suppo pplications succh as SQL Servver, whereas N LB is suited to
orts stateful ap o stateless appllications
su
uch as websites. Highly available virtual ma achines do no t allow an app plication to scaale, because yo
ou
ca
annot add nod des to increase e capacity. Howwever, it is posssible to deplo oy NLB cluster nodes as high hly
avvailable virtuall machines. In this scenario, the
t NLB clusteer nodes fail ovver to a new H Hyper-V host in n the
evvent that the original
o Hyper--V host fails.
B
The degree of ava ailability and re

edundancy req quired will flucctuate, dependding on the appplication. A
business-critical application that costs an orga anization milli ons of dollars when it is dow
wn requires an n
avaiilability that diiffers from that of an applica
ation that causses minimal inconvenience iff it is offline.
Co
onsideratio
ons for Seccuring NLB
B
NLBB clusters are almost
a always used
u to host web
w
appplications that are
a important to the
orgaanization. Beca ause of this im
mportance, you u
should take steps to secure NLB B, both by
restricting the trafffic that can ad
ddress the clusster,
and by ensuring that
t appropriate permissionss are
appplied.
Con
nfigure Port Rules
Whe en securing NLB clusters, you must first en nsure
thatt you create po ock traffic to all
ort rules to blo
portts other than those
t used by applications hosted
h
on the
t NLB cluste er. When you do d this, all inco
oming
trafffic that is not specifically
s add
dressed to app plications that are running o on the NLB cluster will be
dropped, before beingb forwardeed to cluster nodes.
n If you d o not do this ffirst step, all in
ncoming trafficc that
is no
ot managed by a port rule will w be forward ded to the clus ter node with the lowest clu uster priority vaalue.
Con
nfigure Fire
ewall Rules
You
u should also ensure
e ndows Firewall with Advanceed Security is cconfigured on
that Win n each NLB cluster
nod
de. When you enable
e NLB on
n a cluster nod ng firewall rulees are created and enabled
de, the followin
auto
omatically. Thiis allows NLB to
t function and d communicatte with other n nodes in the clluster:
Network Load
d Balancing (D
DCOM-In)
Network Load
d Balancing (IC
CMP4-ERQ-In))
Network Load
d Balancing (IC
CMP6-ERQ-In))
Network Load
d Balancing (R
RPCSS)
Network Load
d Balancing (W
WinMgmt-In)
Network Load
d Balancing (IC
CMP4-DU-In)
Network Load
d Balancing (IC
CMP4-ER-In)
Network Load
d Balancing (IC
CMP6-DU-In)
Network Load
d Balancing (IC
CMP6-EU-In)
Whe en created, the onments, you would

ese firewall rulles do not include scope setttings. In high--security enviro
configure an apprropriate local IP
I address or IP address rang ge, and a remo ote IP address for each of th
hese
rule
es. The remote IP address or address range e should includ
de the addressses that are use ed by other hoosts in
the cluster.
Whe
en you are con
nfiguring additional firewall rules, rememb
ber the followiing:
When you are e using multipple network adapters in unicaast mode, con nfigure differennt firewall rules for
each network k interface. Forr the interface used for manaagement taskss, you should cconfigure the
firewall rules to allow inbouund managem ment traffic onlyy. For examplee, enabling the
e use of remotte
Windows Pow werShell, Wind dows Remote Manager
M (Win dows RM), and d Remote Desktop for
management tasks. You should configure the firewall rules on the network interface the cluster node
uses, to provide an application to the cluster, and to allow access to that application. For example,
allow incoming traffic on TCP ports 80 and 443 on an application that uses the HTTP and HTTPS
protocols.
When you are using multiple network adapters in multicast mode, configure firewall rules that allow
access to applications that are hosted on the cluster, but block access to other ports.
Configure Applications to Respond Only to Traffic Addressed to the Cluster

You should configure applications on each node to respond only to traffic that is addressed to the cluster,
and to ignore application traffic that is addressed to the individual node. For example, if you deploy a web
application that is designed to respond to traffic addressed to www.adatum.com, there will be a website
on each node that will accept traffic on port 80. Depending on the NLB cluster configuration, it is possible
that traffic that is addressed to the node on port 80 will generate a direct response. For example, getting
the Adatum web application by entering the address http://nlb-node-3.adatum.com in a browser instead
of entering the address http://www.adatum.com. You can secure applications from this type of direct
traffic by configuring them to respond only to traffic that uses the NLB cluster address. For web
applications, you can do this by configuring the website to use a host header. Each application that runs
on an NLB cluster will have its own unique method of allowing you to configure the application to
respond only to traffic directed at the cluster, rather than at the individual cluster node.
Securing Traffic with SSL

NLB websites must all use the same website name. When you are securing websites that you make highly
available using NLB, you need to ensure that each website has an SSL certificate that matches the website
name. You can use host headers on each node. In most cases, you will install the same website certificate
on each node in the NLB cluster, because this is simpler than procuring separate certificates for each
cluster node. In some cases, you will need to procure certificates that support subject alternative names
(SANs). Certificates that support SANs allow a server to be identified by multiple names, such as the name
used by the clustered application and the name of the cluster node. For example, a certificate with a SAN
might support the names www.adatum.com, node1.adatum.com, node2.adatum.com, node3.adatum.com,
and node4.adatum.internal.
Principle of Least Privilege

Ensure that users are only delegated permissions for tasks that they need to perform on the NLB node.
Members of the local Administrators group on any single node are able to add and remove cluster nodes,
even if they are not members of the local Administrators group on those nodes. Applications that run on
NLB clusters should be configured in such a way that they do not require application administrators to
have local Administrator privileges on the servers that host the application. Only users whose job role
requires them to be able to make remote management connections to NLB cluster nodes should be able
to make those connections.
B
Co
onsideratio
ons for Sca
aling NLB
Scalling is the proccess of increassing the capaciity of
an NLB
N cluster. Fo or example, if you
y have a fou ur-
nodde NLB cluster and each node in the cluste er is
beinng heavily utiliized to the point where the
clusster cannot ma anage more tra affic, you can add
a
addditional nodes. Adding nodess will spread th he
sam
me load across more computers, reducing the t
loadd on each currrent cluster node. Capacity
incrreases because e a larger number of similarlyy
configured compu uters can manage a higher
worrkload than a smaller
s numbe er of similarly
configured compu uters.
An NLB cluster supports up to 323 nodes. This means that yo ou can scale-oout a single NLLB cluster so thhat 32
sepa
arate nodes paarticipate in th
hat cluster. Wh
hen you considder scaling an aapplication so that it is hoste
ed on
a 32
2-node NLB cluster, rememb ber that each node
n in the clu
uster must be o on the same TTCP/IP subnet.
An alternative
a to building singlee NLB clusters is to build mu ultiple NLB clu sters, and then
n to use DNS rround
robin to share traffic between th hem. DNS round robin is a ttechnology thaat allows a DN NS server to pro ovide
requuesting clientss with differentt IP addresses to the same h ostname in seequential order. For example e, if
ddresses associated with a ho
therre are three ad ostname, the ffirst requestingg host receivess the first addrress,
the second receives the second address, the thirdt receives tthe third, and so forth. Whenn you use DNSS
round robin with NLB, you asso ociate the IP adddresses of eacch cluster withh the hostname e that is used by
the application.
Disttributing trafficc between NLBB clusters usingg DNS round rrobin also allo ows you to dep ploy NLB cluste ers
acro
oss multiple sittes. DNS round d robin supports netmask orrdering. This teechnology enssures that clien nts on
ubnet are provvided with an IP address of a host on the saame network, if one is availaable. For exam
a su mple,
you might deployy three four-no ode NLB cluste ers in the citiess of Sydney, M
Melbourne, and d Canberra, and use
DNS S round robin to distribute traffic
t between n them. With n netmask ordering, a client thhat is accessingg the
appplication in Syddney will be dirrected to the NLB
N cluster ho osted in Sydneyy. A client thatt is not on the same
subnet as the NLB B cluster nodess, such as a clie
ent in the city of Brisbane, w
would be direccted by DNS ro ound
robin to the Sydney, Melbourne e, or Canberra NLB cluster.
Co
onsideratio
ons for Upg
grading NLB
N Clusterrs
Upg grading NLB cllusters involves moving clustter
noddes from one host
h operating systemfor
exam mple Windows Server 2003 or Windows Server
2008to Window ws Server 2012 2. Upgrading th he
clusster might not involve perforrming an operrating
system upgrade on o each node, because in som me
casees the original host operating system migh ht not
support a direct upgrade
u to Winndows Server 2012.
In cases where the e original hostt operating sysstem
doees not support a direct upgra ade to Window ws
Servver 2012, you can
c perform a migration.
A keey consideratio a upgrading NLB

on when you are
clussters is to reme ng a mixture of operating systems.
ember that NLLB supports having clusters t hat are runnin
Thiss means that you can have a cluster runnin
ng a mixture o of Windows Server 2003, Win ndows Server 22008,
and Windows Server 2012. Keep in mind that while mixed operating system NLB clusters are supported,
they are not recommended. You should configure the NLB cluster so that all hosts are running the same
operating system as soon as possible.
Note: In some situations, it will not be possible to upgrade the operating system of a
cluster node.
When you are performing an upgrade, you can use one of the following strategies:
Piecemeal Upgrade. During this type of upgrade, you add new Windows Server 2012 nodes to an
existing cluster, and then remove the nodes that are running earlier versions of the Windows Server
operating system. This type of upgrade is appropriate when the original hardware and operating
system does not support a direct upgrade to Windows Server 2012.
Rolling upgrade. During this type of upgrade, you upgrade one node in the cluster at a time. You do
this by taking the node offline, performing the upgrade, and then rejoining the node back to the
cluster.
Reference Links: You can learn more about upgrading NLB clusters at the following link:
http://technet.microsoft.com/en-us/library/cc731691(WS.10).aspx
Lab: Implementing Network Load Balancing

Scenario
A. Datum Corporation is an engineering and manufacturing company. The organization is based in
London, England, and is quickly expanding into Australia. As the company expands, the need for scalable
web applications has increased. With this in mind, you are developing a pilot program to test the
deployment of Windows NLB on hosts running the Windows Server 2012 operating system.
As you intend to automate the process of deploying Windows NLB clusters, you will use Windows
PowerShell to perform many of the cluster setup and configuration tasks. You will also configure port
rules and affinity, which will allow you to deploy multiple load-balanced web applications on the same
Windows NLB clusters.
Objectives
Create a Windows NLB cluster.
Configure and manage an NLB cluster.

Validate high availability for the NLB cluster.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
Username: Adatum\Administrator
Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2.
Exercise 1: Implementing an NLB Cluster

Scenario
You eventually want to automate the process of deploying Windows Server 2012 NLB clusters. With this in
mind, you will be using Windows PowerShell to perform the majority of the NLB cluster deployment tasks.
1. Verify website functionality for standalone servers.
2. Install the Windows Network Load Balancing feature.
3. Create a new Windows Server 2012 NLB cluster.

4. Add a second host to the cluster.
5. Validate the NLB cluster.
Task 1: Verify website functionality for standalone servers

1. On LON-SVR1, navigate to the folder c:\inetpub\wwwroot.
2. Open iis-8.png in Microsoft Paint, and use the Paint Brush tool and the color red to mark the IIS
Logo in a distinctive manner.
3. Close Windows Explorer.
4. Switch to LON-DC1 and then click to the Start screen.
5. Open Internet Explorer.

6. Navigate to http://LON-SVR1. Verify that the web page is marked in a distinctive manner with the
color red.
7. Navigate to http://LON-SVR2. Verify that the website is not marked in a distinctive manner.
8. Close Internet Explorer.
Task 2: Install the Windows Network Load Balancing feature

1. On LON-SVR1, open Windows PowerShell ISE.
2. Type the following command, and then press Enter:
Invoke-Command -Computername LON-SVR1,LON-SVR2 -command {Install-WindowsFeature

NLB,RSAT-NLB}
Task 3: Create a new Windows Server 2012 NLB cluster

1. On LON-SVR1, in Windows PowerShell ISE, type the following command, and then press Enter:
New-NlbCluster -InterfaceName "Local Area Connection" -OperationMode Multicast -

ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB
2. In Windows PowerShell ISE, type the following command, and then press Enter:
Invoke-Command -Computername LON-DC1 -command {Add-DNSServerResourceRecordA

zonename adatum.com name LON-NLB Ipv4Address 172.16.0.42}
Task 4: Add a second host to the cluster

On LON-SVR1, in the Windows PowerShell ISE window, type the following command, and then press
Enter:
Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName "LON-SVR2" -

NewNodeInterface "Local Area Connection"
Task 5: Validate the NLB cluster

1. On LON-SVR1, open the Network Load Balancing Manager, and verify that nodes LON-SVR1 and
LON-SVR2 display with the status of Converged.
2. View the properties of the LON-NLB cluster, and verify the following:
o The cluster is set to use the Multicast operations mode.
o There is a single port rule named All that starts at port 0 and ends at port 65535 for both TCP
and UDP protocols, and that it uses Single affinity.
Results: After this exercise, you should have successfully implemented an NLB cluster.
Exercise 2: Configuring and Managing the NLB Cluster

Scenario
As you will want to deploy multiple separate websites to the NLB cluster and differentiate these websites
based on port address, you want to ensure that you are able to configure and validate port rules. You also
want to experiment with affinity settings to ensure that requests are distributed evenly across hosts.
1. Configure port rules and affinity.
2. Validate port rules.
3. Manage host availability in the NLB Cluster.
Task 1: Configure port rules and affinity

1. On LON-SVR2, open Windows PowerShell.
2. In Windows PowerShell, enter the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath "C:\porttest" -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678
3. Open Windows Explorer and then browse to and open c:\porttest\iis-8.png in Microsoft Paint.
4. Use the Blue paintbrush to mark the IIS Logo in a distinctive manner.
6. Open Internet Explorer and navigate to http://LON-SVR2:5678.
7. Verify that the IIS Start page with the image marked with blue displays.
9. On LON-SVR1, open Network Load Balancing Manager, and view the cluster properties of LON-NLB.
10. Remove the All port rule.

11. Add a port rule with the following properties:
o Protocols: Both
o Affinity: None
12. Create a new port rule with the following properties:
o Protocols: Both

13. Click OK to close the Cluster Properties dialog box.
14. Edit the host properties of LON-SVR1.
15. Configure the Handling Priority value of the port rule for port 5678 as 10.
Task 2: Validate port rules

2. Using Internet Explorer, navigate to http://lon-nlb, refresh the Web page 20 times, and verify that
web pages with and without the distinctive red marking display.
3. On LON-DC1, navigate to address http://LON-NLB:5678, refresh the web page 20 times, and verify
that only the web page with the distinctive blue marking displays.
Task 3: Manage host availability in the NLB Cluster

2. Use the Network Load Balancing Manager on LON-SVR1 to suspend LON-SVR1.
3. Verify that node LON-SVR1 displays as Suspended, and that node LON-SVR2 displays as Converged.
4. Resume and then start LON-SVR1.

5. Verify that both node LON-SVR1 and LON-SVR2 now display as Converged.
Results: After this exercise, you should have successfully configured and managed an NLB cluster.
Exercise 3: Validating High Availability for the NLB Cluster

Scenario
As part of preparing for the deployment of NLB in your organizations environment, you want to ensure
that it is possible to perform maintenance tasks such as reboot operations, without affecting the
availability of the websites that are hosted on the cluster. With this in mind, you will verify availability by
rebooting one of the hosts while attempting to access the clustered website. You will also explore the
Drainstop functionality.
1. Validate website availability when the host is unavailable.

2. Configure and validate Drainstop.
Task 1: Validate website availability when the host is unavailable

1. Restart LON-SVR1.
3. On LON-DC1, open Internet Explorer, and navigate to http://LON-NLB.
4. Refresh the website 20 times. Verify that the website is available, but that it does not display the
distinctive red mark on the IIS logo until LON-SVR1 has restarted.
Task 2: Configure and validate Drainstop

1. On LON-SVR1, open Network Load Balancing Manager and initiate a Drainstop on LON-SVR2.
2. On LON-DC1, navigate to http://lon-nlb and verify that only the welcome page with the red IIS logo
displays.
Results: After this exercise, you should have successfully validated high availability for the NLB cluster.

When you finish the lab, revert the virtual machines to their initial state.
4. Repeat steps 2 and 3 for 20412-LON-SVR1 and 20412-LON-SVR2.
Lab Review
Question: How many additional nodes can you add to the LON-NLB cluster?
Question: What steps would you take to ensure that LON-SVR1 always manages requests for
web traffic on port 5678, given the port rules that exist at the end of this exercise?
Question: What is the difference between a Stop and a Drainstop action?


Question: You have created a four-node Windows Server 2012 NLB cluster. The cluster hosts a
website that is hosted on IIS. What happens to the cluster if you shut down the World Wide Web
publishing service on one of the nodes?
Question: You want to host the www.contoso.com, www.adatum.com, and www.fabrikam.com

websites on a four-node NLB cluster. The cluster IP address will be a public IP address, and each
fully qualified domain name (FQDN) is mapped in DNS to the cluster's public IP address. What
steps should you take on each node to ensure that traffic is directed to the appropriate site?
Question: You have an eight-node Windows NLB cluster that hosts a web application. You want
to ensure that traffic from a client that uses the cluster remains with the same node throughout
their session, but that traffic from separate clients is distributed equitably across all nodes. Which
option do you configure to accomplish this goal?

To become a true high availability solution, use a monitoring solution with NLB that will detect
application failure. This is because NLB clusters will continue to direct traffic to nodes with failed
applications as long as NLBwhich is independent of the applicationcontinues to send heartbeat
traffic.
5-1
Module 5
Implementing Failover Clustering
Contents:
Module Overview 5-1
Lesson 1: Overview of Failover Clustering 5-2
Lesson 2: Implementing a Failover Cluster 5-14
Lesson 3: Configuring Highly Available Applications and Services on a

Failover Cluster 5-20
Lesson 4: Maintaining a Failover Cluster 5-25
Lesson 5: Implementing a Multi-Site Failover Cluster 5-30

Lab: Implementing Failover Clustering 5-36
Module Overview
Providing high availability is important for any organization that wants to provide continuous services to
its users. High availability is a term that denotes the capability of a system or device to be usable when it
is required. You can express high availability as a percentage, which is calculated by dividing the actual
service time by the required service time. High availability does not mean that the system will be free of
any downtime. However, a network that has an uptime of 99.999 percent often is considered highly
available. Failover clustering is one of the main technologies in Windows Server 2012 that can provide
high availability for various applications and services. In this module, you will learn about failover
clustering, its components, and implementation techniques.
Objectives
Describe failover clustering.

Implement a failover cluster.
Configure highly available applications and services.
Maintain a failover cluster.
Implement multi-site failover clustering.

5-2 Implementing Failover Clusterinng
Lesson 1
Overviiew of Failover
F r Clusterring
Failoover clustering g is a high availability processs, wherein an instance of a service or app plication that iss
runn ning over one machine can fail-over onto a different maachine in the ffailover clusterr if the first maachine
failss. Failover clustters in Windowws Server 2012 2 provide a hig gh availability solution for mmany server roles
and applications. By implementting failover clu usters, you can
n maintain app plication or service availabiliity if
onee or more computers in the failover
f clusterr fail.
Befo
ore you implemment failover clustering,
c you
u should be fam
miliar with genneral high availability concepts.
You
u must also undderstand clustering terminology, and how w failover clusteers work. Finallly, you must b
be
miliar with new clustering feattures in Windo
fam ows Server 20112.
Lessson Objectiives
Afte
ou will be able to:
Describe high
h availability.
over clustering improvementts in Windows Server 2012.
Describe failo
Describe failo
over cluster components.
Describe Clusster Shared Vo

olumes (CSV).
Define failove
er and failback
k.
Describe a qu
uorum.
Describe quorum modes in

n Windows Servver 2012 failovver clusters.
Describe failo
over cluster networks.
Describe failo
over cluster sto
orage.
Wh
hat Is High
h Availability?
Availability refers to a level of se
ervice that
appplications, serviices, or system
ms provide.
Availability is exprressed as the percentage
p of time
thatt a service or system is availaable. Highly
avaiilable systems have minimal downtime
whe ether planned or unplanned and are available
morre than 99 percent of the tim me, depending g on
an organizations
o needs and budget. For exam mple,
a syystem that is unavailable for 8.75 hours per year
wou uld have a 99.99 percent availlability rating, and
wou uld be conside ered highly ava ailable.
To improve availaability, you must implement fault-

tole
erance mechan nisms that massk or minimize e how failures o
of the servicess components and depende encies
affe
ect the system. You can achieeve fault tolera
ance by implemmenting redun ndancy to sing
gle points of faailure.
Misscommunicatio on about serviice-level expecctations betweeen the custom mer and the IT organization can
resu
ult in poor bussiness decisions, such as unsuuitable investmment levels andd customer disssatisfaction. B
Be
sure
e to express avvailability requirements clearrly, so that the re are no misu
understandings about the
impplications.
Thhe availability measurement period can alsso have a sign nificant effect o
on the definitio
on of availability. For
exxample, a requ uirement for 99.9 percent avvailability over a one-year peeriod allows foor 8.75 hours o
of
doowntime, whereas a requirem ment for 99.9 percent availaability over a roolling four-weeek window allows for
onnly 40 minutess of downtime e per period.
Foor high availabbility, you also should identiffy and negotiaate planned ou utages, service
e and support hhours,
maintenance
m acctivities, service
e pack updates, and softwarre updates. Theese are schedu uled outages, aand
tyypically not inccluded as downtime; you typ based on unplaanned outages only.
pically calculatte availability b
However, you haveh to negotia ate exactly which planned o utages you wiill consider as d downtime.
Failover Clu
ustering in
n Windowss Server 20
012
While
W most of the failover cluustering feature
es and
ad
dministration techniques
t om Windows Server
fro
20008 R2 are pre esent in Windo ows Server 20112,
so
ome new featu ures and technnologies in Winndows
erver 2012 increase scalabilitty and cluster storage
Se
avvailability, and provide bette er and easier
management
m an
nd faster failovver.
Th
he important new
n features in
n Windows Server
20
012 failover clustering includ
de:
Increased scalability. In Windows

W Serve
er 2012,
a failover cluster can have e 64 physical nodes
n
and can run n 4,000 virtual machines on each
cluster. Thiss is a significan
nt improvemen nt over Windo ows Server 200 08 R2, which suupports only 1 16
physical noodes and 1,000 0 virtual machines per cluste r. Each cluster you create is now available from
the Server Manager
M console. Server Ma anager in Wind dows Server 20 012 can discovver and manag ge all
clusters tha
at are created in i an Active Directory Dom main Services ((AD DS) domaain. If you deploy the
cluster in a multi-site scenario, the adm ministrator can now control w which nodes in n a cluster havve votes
for establishing quorum. Failover cluste ering scalabilitty is also impro
oved for virtuaal machines thaat are
running on clusters. This will be discusssed in more deetail in Module 6: Implemen nting Hyper-V V
Availability.
Improved CSVs.
C This tech
hnology was in ntroduced in W
Windows Serveer 2008 R2, and d it became veery
popular forr providing virttual machine storage.
s In Winndows Server 2 2012, CSVs ap ppear as CSV file
systems, an
nd they supporrt server messa age block (SM B) version 3.0 storage for Hyyper-V and o other
applications. In addition, CSV can use the Server Messsage Block (SM MB) Multichan nnel and SMB Direct
features to enable traffic to stream acro oss multiple neetworks in a clluster. It is also
o possible to
implement file server on CSVs, in scale--out mode. Fo or additional seecurity, you can use Window ws
BitLocker drive encrypttion for CSV diisks, and you ccan make CSV storage visible e only to a sub
bset of
nodes in a cluster. For reliability, you ca
an scan and reepair CSV volumes with zero offline time.
Cluster-Aware Updating. In earlier versions of Windo ows Server, upd dating cluster nodes to miniimize or
avoid down ntime requiredd significant prreparation andd planning. In aaddition, updaating cluster nodes
was a mosttly manual procedure, which caused additiional administ rative effort. W Windows Serve er 2012
introduces Cluster-Aware e Updating, a new
n technolog gy for this purp
pose. Cluster-A Aware Updatin ng
automatica ally updates clu
uster nodes with the Window ws Update hottfix, while keep ping the cluste
er online
and minimiizing downtim me. This techno ology will be exxplained in moore detail in LLesson 4: Mainntaining
a Failover Cluster.
C
Active Directo
ory integration n improvemen nts. In Window ws Server 2008,, failover cluste
ering is integraated
in AD DS. Winndows Server 20122 improvess on this integ
gration. Administrators can n now create clusster
computer objjects in targete ed organizatio
onal units (OUss), or by defau
ult in the same OUs as the clu uster
nodes. This alligns failover cluster
c dencies on AD DS with the d elegated dom
depend main administraation
model that is used in manyy IT organizatioons. In additio n, you can noww deploy failover clusters wiith
access only to
o read-only do omain controllers.
Managementt improvementts. Although fa ailover clusteriing in Windowws Server 2012 still uses almo
ost
the same man nagement con nsole and the same
s administtrative techniques, Windows Server 2012 b brings
some importa ant manageme ent improvements. In the Vaalidation wizarrd, the validation speed for large
failover cluste
ers is improved
d and new testts for CSVs, thee Hyper-V rolee, and virtual mmachines are
added. In add dition, new Windows PowerS Shell cmdletts are availablee for managing g clusters,
monitoring clustered virtua al machine app plications, and creating highhly available Internet Small
Computer System Interface e (iSCSI) targets.
Rem
moved and Deprecated
d Features
In Windows
W er 2012 clusterring, some of the features fro
Serve om older failovver clustering versions are
rem
moved or depre
ecated. If you are
a upgrading g from an olde r version, you should be awaare of these
changes:
The Cluster.exxe command-line tool is dep precated. How
wever, you can still optionallyy install it with the
failover cluste
ering tools. Faiilover clusterin
ng Windows PoowerShell cmddlets provide a functionality that
is generally th
he same as cluuster.exe commands.
The Cluster Automation

A Server (MSClus) Component O Object Model ((COM) interfacce is deprecate
ed,
but you can optionally
o insta
all it with the failover
f clusterring tools.
The Support forf 32-bit cluster resource dynamic-link lib braries (DLLs) is deprecated, but you can
optionally insstall 32-bit DLLLs. Cluster reso
ource DLLs sho
ould be updateed to 64-bit.
The Print Servver role is removed from the bility Wizard, and it cannot b
e High Availab be configured iin the
Failover Clustter Manager.
The Add-ClusterPrintServ
verRole cmdlet is deprecated
d, and it is nott supported in Windows Servver
2012.
Faiilover Clusster Components

As a failover cluster, a group of independent
com
mputers work together
t to inccrease the
avaiilability of app
plications and services.
s Physiccal
cables and softwa are connect the e clustered serrvers.
Servvers that particcipate in the cluster are also
own as nodes. If one of the clluster nodes fa
kno ails,
ano
other node beg gins to provide e services. Thiss
proccess is known as failover. With failover, use ers
experience minim mal to no servicce disruptions.
A fa
ailover clusterin
ng solution co
onsists of severral
com
mponents, whicch include:
Nodes. These are computerrs that are mem mbers
of a failover cluster.
c These computers
c n Cluster servicce, and resourcces and appliccations associated to
run
cluster.
Network. This is a network across which cluster nodes can communicate with one another, and with
clients. There are three types of networks that can be used in a cluster: public, private, and public-
and-private. These networks are discussed in more detail in the Failover Cluster Networks topic.
Resource. This is an entity that is hosted by a node. It is managed by the Cluster service, and can be
started, stopped, and moved to another node.
Cluster storage. This is a storage system that is usually shared between cluster nodes. In some
scenarios, such as clusters of servers running Microsoft Exchange Server, shared storage is not
required.
Clients. These are computers (or users) that are using the Cluster service.
Service or application. This is a software entity that is presented to clients and used by clients.
In a failover cluster, each node in the cluster:

Has full connectivity and communication with the other nodes in the cluster.
Is aware when another node joins or leaves the cluster. In addition, each node is aware when a node
or resource is failing, and has the ability to take those services over.
Is connected to a network through which client computers can access the cluster.
Is usually connected through a shared bus or iSCSI connection to shared storage.
Is aware of the services or applications that are running locally, and the resources that are running on
all other cluster nodes.
Cluster storage usually refers to logical devicestypically hard disk drives or logical unit numbers
(LUNs)to which all the cluster nodes attach through a shared bus. This bus is separate from the bus that
contains the system and boot disks. The shared disks store resources such as applications and file shares
that the cluster will manage.
A failover cluster typically defines at least two data communications networks: one network enables the
cluster to communicate with clients, and the second isolated network enables the cluster node members
to communicate directly with one another. If a directly-connected shared storage is not being used, then
a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data
storage network.
Most clustered applications and their associated resources are assigned to one cluster node at a time. The
node that provides access to those cluster resources is the active node. If the nodes detect the failure of
the active node for a clustered application, or if the active node is taken offline for maintenance, the
clustered application is started on another cluster node. To minimize the impact of the failure, client
requests are immediately and transparently redirected to the new cluster node.
Wh
hat Are CS
SVs?
In classic failover cluster deployyment, only a single
s
nodde at a time co ontrols a LUN ono the shared
storrage. This means that anothe er node canno ot see
sharred storage, un ntil it becomess an active nod de.
CSVV is a new technology introduced in Windo ows
Servver 2008 R2, which
w enables multiple
m nodess to
sharre a single LUNN concurrentlyy. Each node
obta ains exclusive access to indivvidual files on the
LUNN instead of to o the entire LUN. In other wo ords,
CSVV provides a so olution so that multiple node es in
the cluster can access the same NTFS file syste em
simu ultaneously.
In th
he first version
n in Windows Server
S 2008 R2 2, CSV was dessigned only for hosting virtu ual machines thhat
are running on a Hyper-V serve er in a failover cluster. This ennabled administrators to havve a single LUN
thatt hosts multiple virtual mach hines in a failovver cluster. Mu
ultiple cluster n
nodes have acccess to the LUUN,
but each virtual machine
m runs only
o on one no ode at a time. IIf the node onn which a virtual machine is
runnning fails, CSVV enables the virtual
v machine e to restart on a different noode in the failo
over cluster.
Addditionally, this provides simplified disk man nagement for hosting virtual machines, as compared to each
virtu
ual machine re equiring a sepa
arate LUN.
In Windows
W er 2012, CSV has additional improvementss. It is now pos sible to use CSSV for other ro
Serve oles,
and not just Hype er-V. For example, you can nown configure the file serverr role in failove
er clustering in
n the
Scalle-Out File Serrver scenario. Scale-Out
S File Server is desig
gned to providde scale-out file shares that aare
continuously available for file-b based server ap
pplication storrage. Scale-outt file shares provide the abiliity to
sharre the same foolder from mulltiple nodes in the same clusster. In this conntext, CSV in W Windows Serve er
2012 introduces support
s for a read cache, whhich can improove performancce in certain sccenarios. In
adddition, a CSV fille system (CSVVFS) can perforrm Chkdsk witthout impactin ng application ns with open
handles on the file e system.
Oth
her important improvementss in CSV in Win
ndows Server 22012 are:
CSV proxy file k Managemen t console, CSV

e system (CSVFFS): In the Disk V volumes now
w appear as CSSVFS.
f system. The underlying ttechnology is sstill the NTFS ffile system, and
However, thiss is not a new file
CSVFS volumes are still form
matted with NTFS. However,, because volu umes appear ass CSVFS,
applications can
c discover thhat they are ru unning on CSVVs, which helpss improve com mpatibility.
Additionally, because of the amespace, all ffiles have the ssame name and path on anyy node
e single file na
in a cluster.
Multisubnet support
s SVs: CSVs have been enhanceed to integratee with SMB Multichannel to help
for CS
achieve fasterr throughput for
f CSV volumes.
Support for BitLocker
B volumme encryption: Windows Serrver 2012 supp ports BitLocker volume
encryption fo
or both traditio
onal clustered disks and CSV
Vs. Each node p
performs decryyption by usin
ng the
computer acccount for the cluster
c itself.
Support for SMB
S 3.0 storag
ge: SMB 3.0 sto
orage is suppoorted for Hyperr-V and appliccations such ass
Microsoft SQL Server. Thiis means that, for example, yyou can host H
Hyper-V virtual machine filess on a
shared folderr.
w SMB Multichannel and SMB

Integration with S his integration allows CSV traaffic to stream
Direct: Th
across multip
ple networks in nd to leverage network adap
n the cluster an pters that suppport Remote D Direct
Memory Acce ess (RDMA).
Integration with the Storaage Spaces feaature in Windoows Server 201

12: This integraation can provvide
virtualized storage on clu
usters of inexpe
ensive disks.
Reduced do
owntime: CSV in Windows Server 2012 let s you scan and
d repair volum
mes with zero o
offline
time.
Im
mplementin
ng CSV
Yo
ou can configu
ure CSV only when
w you create a failover clluster. After yo
ou create the ffailover clusterr, you
ca V for the cluster, and then ad
an enable CSV dd storage to tthe CSV.
However, before you can add d storage to the CSV, you mu ust make the LLUN available as shared storage to
th en you create a failover clustter, all of the sshared disks th
he cluster. Whe hat you configured in Serverr
Manager
M are ad
dded to the clu
uster, and you can then add them to a CSV more LUNs to the
V. If you add m
sh
hared storage, you must firstt create volum
mes on the LUN N, add the storrage to the cluuster, and then
n add
th
he storage to the
t CSV.
As a best practice, you should

d configure CSV before you make any virtu ual machines h
highly availablle.
However, you can convert fro om regular disk
k access to CSV
V after deployyment. The folllowing consideerations
ap
pply:
When you convert from regular

r disk acccess to CSV, t his removes th
he LUNs drivee letter or mouunt
point. This means that yoou must recrea ate all virtual m
machines that aare stored on tthe shared sto
orage. If
you must re etain the same
e virtual machiine settings, coonsider exportting the virtual machines, swwitching
to CSV, andd then importing the virtual machines in H Hyper-V.
You cannott add shared sttorage to CSV if it is in use. IIf you have a rrunning virtual machine thatt is
using a clusster disk, you must
m shut dow
wn the virtual m machine, and tthen add the d disk to CSV.
What
W Are Failover
F an
nd Failback
k?
Fa
ailover transfers from one no ode to another the
re
esponsibility foor providing acccess to resourrces in a
cluster. Failoverr can occur when an adminisstrator
in
ntentionally mo oves resourcess to another no ode for
maintenance,
m or due to unplaanned downtim me of a
noode due to hardware failure or other reaso ons. In
ad
ddition, servicee failure on an
n active node can
c
in
nitiate failover to another noode.
A failover attem
mpt consists of the following steps:
1.. The Clusterr service takes all the resourcces in
the instance offline, in an
n order that is
determined d by the instannces dependen ncy
hierarchy. This
T means tha at dependent resources
r by the resources on
are ttaken offline fiirst, followed b
which they depend. For example,
e if an application deepends on a physical disk ressource, the Clu uster
service take
es the applicattion offline first, which enablles the applicaation to write cchanges to thee disk
before the disk is taken offline.
o
2.. After all thee resources are

e offline, the Cluster
C service attempts to trransfer the insttance to the no
ode
that is listed
d next on the instances list of
o preferred ow wners.
3.. If the Cluste
er service succcessfully movess the instance to another no
ode, it attemptts to bring all tthe
resources online.
o This timme, it starts at the
t lowermost part of the deependency hieerarchy. Failove er is
complete when
w all the resources are on nline on the neew node.
Oncce the offline node

n becomess active again, the Cluster serrvice can fail bback instances that were orig ginally
hostted on the offline node. When the Clusterr service fails bback an instancce, it uses the ssame procedu ures
thatt it performs during failover. The Cluster se
ervice takes al l the resourcess in the instancce offline, movves
the instance, and then brings all the resources in the instan ce back onlinee.
Wh
hat Is a Qu
uorum?
A qu uorum is the number
n ments that must be
of elem
online for a cluste
er to continue running. Each
clusster node is an element, and in effect, each h
elemment can cast one vote to de etermine whetther
the cluster continues to run. If there
t is an even
nummber of nodes,, then an addittional elementt
which is known ass a witnessis assigned to th he
clusster. The witness element can n be either a disk
d or
a file share. Each voting
v elemen nt contains a co
opy
of the cluster configuration, and d the Cluster
servvice works to keep
k all copies synchronized at all
timees.
The cluster will sto

op providing failover
f protection if most off the nodes faiil, or if there iss a problem wiith
commmunication between
b the clu
uster nodes. Without
W a quorrum mechanism m, each set off nodes could
continue to opera ate as a failove
er cluster. This results in a paartition within tthe cluster. Qu
uorum preventts two
or more
m nodes froom concurrenttly operating a failover clusteer resource. If a clear majority is not achie eved
betwween the node e members, th hen the vote off the witness b becomes cruciaal to maintain the validity off the
clusster.
Conncurrent opera ation could occcur when netw work problems prevent one sset of nodes frrom communiccating
with
h another set ofo nodes. That is, a situation might occur w where more th han one node ttries to contro
ol
acceess to a resourrce. If that reso
ource is, for example, a datab base applicatioon, damage su uch as corruption of
the database coulld result. Imagine the conseq quence if two or more instan nces of the sam
me database aare
madde available on n the network,, or if data wass accessed and d written to a ttarget from mo ore than one ssource
at a time. If the ap
pplication itsellf is not damag ged, the data ccould easily beecome corruptted.
Because a given cluster

c has a sppecific set of noodes and a speecific quorum configuration n, the cluster caan
calcculate the num
mber of votes that are require ed for it to conntinue providing failover pro otection. If the
e
nummber of votes drops
d below th he majority, th he cluster stopss running, whiich means it w will not provide e
failo
over protection
n if there is a node
n failure. Nodes
N will still listen for the p
presence of otther nodes, in ccase
anoother node app pears again on n the network. However, the nodes will nott function as a cluster until a
majority consensu us or quorum is i achieved.
Note: A fully functioning cluster depends not just on quorum, but also on the capacity of
each h node to support the servicces and applica ations that faill over to that n
node. For exammple, a
clusster that has fivve nodes couldd still have quo
orum after two o nodes fail, but each remaining
clusster node woulld continue serving clients only
o nough capacityy (such as disk space,
if it has en
proccessing powerr, random acce ess memory (R RAM), or netwo ork bandwidth h) to support tthe services
and applications thatt failed ove portant part off the design prrocess is planning each
er to it. An imp
noddes failover capacity. A failovver node mustt be able to ru n its own load d and the load of
addditional resourcces that might fail over to it.
The Process of Achievin

ng Quorum
Be ecause a givenn cluster has a specific set off nodes and a sspecific quoru m configuratio
on, the clusterr
sooftware on eacch node storess information about
a how maany votes consttitute a quorum for that clusster. If
th
he number of votes
v drops beelow the majority, the clusteer stops providing services. N
Nodes will conttinue to
ming connections from other nodes on porrt 3343, in casee they appear again on the n
lissten for incom network,
bu ut the nodes will
w not begin to t function as a cluster until quorum is ach hieved.
Thhere are severa al phases a cluuster must commplete to achieeve a quorum.. As a given no ode comes online, it
deetermines whe ether there are e other cluster members, witth which it can n communicate e. This processs may be
in
n progress on multiple
m nodess simultaneoussly. After estab blishing comm munication with h other memb bers, the
members
m comp pare their mem mbership viewss of the clusterr until they agrree on one vie ew (based on
timestamps and d other information). A deterrmination is m made whether tthis collection of members h has a
quuorum, or has enough mem mbers the total of which creattes sufficient vvotes so that a split scenario cannot
enario means that another se
exxist. A split sce ning on a part of the
et of nodes thaat are in this cluster are runn
neetwork that is inaccessible to o these nodes. Therefore, mo ore than one n node could be e actively trying
g to
provide access to t the same clustered resourrce. If there aree not enough votes to achie eve quorum, th he
vooters (the curre ently recognizzed members of o the cluster) wait for more members to aappear. After aat least
th
he minimum vo ote total is attained, the Cluster service beegins to bring cluster resourcces and appliccations
nto service. Witth quorum attained, the clusster becomes ffully functionaal.
in
Quorum
Q Modes
M in Windows
W Se
erver 2012
2 Failover C
Clustering
g
Thhe quorum mo odes in Windo ows Server 201 12
fa
ailover clusterinng are the sam me modes thatt are
present in Wind dows Server 20 008. As before,, a
majority
m of vote
es determines whether a clusster
acchieves quorum m. Nodes can vote, and whe ere
apppropriate, either a disk in cluster storage (known
ass a disk witnesss) or a file sharre (known as a file
sh
hare witness) can
c vote. There e is also a quorrum
mode
m called Noo Majority: Disk Only, which
fu
unctions like thhe disk-based quorum in Windows
Seerver 2003. Other than the No N Majority: Disk
Only
O mode, theere is no single e point of failurre with
th
he quorum mo odes, because only the numb d not whetherr a particular element
ber of votes is important and
is available to vote.
he Windows Server 2012 faillover clustering quorum mo

Th ode is flexible. Y
You can choosse the mode b best
su
uited to your cluster.
c Be aware that most of
o the time it iss best to use th
he quorum mo ode that the cluster
so
oftware selectss. If you run the Quorum Configuration W izard, the quo orum mode thaat the wizard lists as
ecommended is the quorum mode that the cluster softw
re ware will choosse. You should d change the qquorum
onfiguration only if you have
co e determined that
t the changge is appropriaate for your clu
uster.
Windows
W Server 2012 failoverr clustering has four quorum
m modes:
Node Majo ority. Each node that is availaable and in com

mmunication w with other nod des can vote. T
The
cluster funcctions only witth a majority (m
more than halff) of the votes. This model iss preferred wh
hen the
cluster conssists of an odd
d number of se erver nodes, an
nd no witness is needed to m maintain or achieve
quorum.
5-10 Implementing Failover Clustering
Node and Disk Majority. Each node plus the disk witness, which is a designated disk in the cluster
storage, can vote when they are available and in communication. The cluster functions only with a
majority (more than half) of the votes. This model is based on an even number of server nodes being
able to communicate with one another in the cluster, in addition to the disk witness.
Node and File Share Majority. Each node plus the file share witness, which is a designated file share
created by the administrator, can vote when they are available and in communication. The cluster
functions only with a majority (more than half) of the votes. This model is based on an even number
of server nodes being able to communicate with one another in the cluster, in addition to the file
share witness.
No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a
specific disk in the cluster storage. Only the nodes that are also in communication with that disk can
join the cluster.
Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters
are based on a simple majority vote model. As long as a majority of the votes are available, the cluster
continues to function. For example, if there are five votes in the cluster, the cluster continues to function
as long as there are at least three available votes. The source of the votes is not relevantthe vote could
be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is
not available.
In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this
mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are
available. This type of quorum also prevents more than one node from assuming the primary role.
Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all
nodes are still available. In the No Majority: Disk Only mode, the quorum-shared disk is a single
point of failure, so this mode is not recommended.
When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically
selects one of two default configurations. By default, failover clustering selects:
Node Majority configuration if there is an odd number of nodes in the cluster.
Node and Disk Majority configuration if there is an even number of nodes in the cluster.
Note: You should modify this setting only if you determine that a change is appropriate for
your cluster, and only once you understand the implications of making the change.
In addition to planning your quorum mode, you should also consider the capacity of the nodes in your
cluster, and their ability to support the services and applications that may fail over to that node. For
example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail.
However, if you have several applications or services deployed on the cluster, each remaining cluster node
may not have the capacity to provide services.
Failover Clu
uster Netw
works
Networks and network
n adapters are importtant
pa
arts of each cluster impleme entation. You cannot
c
co
onfigure a clusster without coonfiguring the
ne
etworks that thhe cluster will use. A network can
erform one of the following roles in a clusster:
pe
Private netwwork. A private

e network carrries
internal cluster communication. By usin ng this
network, cluster nodes exxchange heartbeats
and check for
f another no ode or nodes. The
T
failover cluster authenticaates all interna
al
communica ation. However, administrato ors who
are especially concerned about securityy may
want to restrict internal communication
c n to physicallyy secure netwo
orks.
Public netw
work. A public network
n provid
des client systeems with acceess to cluster ap
pplication servvices. IP
address resources are cre
eated on netwoorks that prov ide clients with
h access to thee Cluster servicce.
Public-and--private netwo
ork. A public-an
nd-private nettwork (also kno
own as a mixeed network) carrries
internal cluster communication and connects clients to cluster appplication service
es.
When
W you configure network ks in failover clusters, you sho
ould also deteermine which n
network to con nnect to
th
he shared stora
age. If you use
e iSCSI for the shared storagee connection, the network w will use an IP-b
based
Etthernet communications nettwork. Howeve er, you should not use this nnetwork for node or client
co
ommunication n. Sharing the iSCSI
i network in this manne r may result in n contention and latency issu
ues for
booth users and for the resource that is being provided byy the cluster.
Although not a best practice, you can use the private and d public netwo orks for both cclient and nodee
co
ommunication ns. Preferably, you
y should de edicate an isolaated network ffor the privatee node
co
ommunication n. The reasoninng for this is sim
milar to using a separate Eth hernet network for iSCSI, wh hich is to
avvoid resource bottleneck and d contention issues. The pub blic network iss configured too enable clientt
co
onnections to the failover cluuster. Although the public n network can prrovide backup for the private e
neetwork, a bette
er design pracctice is to defin
ne alternative nnetworks for t he primary priivate and publlic
neetworks, or at least team the
e network interfaces that aree used for thesse networks.
Th
he networking
g features in Windows
W Serverr 2012based clusters includ
de the followin
ng:
The nodes transmit and receive
r heartbe
eats by using U User Datagramm Protocol (UDDP) unicast, insstead of
UDP broadcast (which waas used in lega
acy clusters). T he messages aare sent on po
ort 3343.
You can incclude clustered

d servers on diifferent IP subn
nets, which red
duces the com
mplexity of settting up
multi-site clusters.
c
The Failoveer Cluster Virtuual Adapter is a hidden devicce that is adde d to each nod
de when you in nstall
the failoverr clustering fea
ature. The adapter is assigneed a media acccess control (M
MAC) address b based
on the MAC C address thatt is associated with the first eenumerated phhysical networrk adapter in the
node.
Failover clu
usters fully support IPv6 for both
b node-to--node and nod
de-to-client co
ommunication..
You can use e Dynamic Ho ost Configuratioon Protocol (D
DHCP) to assig gn IP addressess, or you can aassign
static IP add
dresses to all nodes
n des have staticc IP addresses aand you
in the clluster. Howeveer, if some nod
configure others
o to use DHCP,
D the Validdate a Configuuration Wizardd will respond with an error. The
cluster IP ad
ddress resourcces are obtaineed based on th he configuratio work interface that is
on of the netw
supporting that cluster ne etwork.
5-12 Implemennting Failover Clusterring
Faiilover Clusster Storag

ge
Mosst failover clustering scenario
os require shared
storrage to providee consistent da
ata to a highlyy
avaiilable service or
o application after failover. There
T
are three shared-sstorage option ns for a failove
er
clusster:
Shared serial attached SCSI (SAS). Shared SAS

is the lowest--cost option. However,
H share
ed
SAS is not verry flexible for deployment
d
because the two
t cluster noddes must be
physically close together. In n addition, the
e
shared storagge devices thatt are supportin ng
shared SAS ha ave a limited number
n of
connections for
f cluster nod des.
iSCSI. iSCSI is a type of storage area netwwork (SAN) tha t transmits sm

mall computer ssystem interface
(SCSI) comma ands over IP neetworks. Perfo
ormance is acceeptable for moost scenarios w
when the physsical
medium for data
d transmissiion is between
n 1 gigabit perr second (Gbpss) and 10 Gbps Ethernet. Thiis
type of SAN is fairly inexpensive to imple ement, becausee no specializeed networking hardware is
required. In Windows
W Serve
er 2012, you caan implement iSCSI target sooftware on anyy server, and
present local storage over iSCSI interface to clients.
Fibre Channel. Fibre Channel SANs typica

ally have betteer performancee than iSCSI SA
ANs, but are m
more
expensive. Sp
pecialized know
wledge and haardware are re quired to imp lement a Fibree Channel SANN.
Note: The Microsoft

M iSCSI Software Targ get is now an integrated feaature in Windo ows Server
2012. This feature e can provide storage
s from a server over a TCP/IP netwo ork, including sshared
storrage for appliccations that are
e hosted in a failover clusterr. In addition, in Windows Se erver 2012,
you can configure e a highly available iSCSI Tarrget Server as a clustered rolle by using Faiilover
Clusster Manager or o Windows Po owerShell.
Sto
orage Requirements
Befo
ore choosing the
t storage sollution, you sho
ould also be aw
ware of the following storag
ge requirements:
To use the na
ative disk supp
port that is included in failovver clustering, u
use basic diskss and not dynaamic
disks.
You should fo TFS. For the dissk witness, thee partition musst be NTFS, because
ormat the parttitions with NT
FAT is not sup
pported.
For the partition style of the disk, you can

n use either m aster boot reccord (MBR) or globally uniqu
ue
identifier (GU
UID) partition table (GPT).
Because imprrovements in failover

f clusterring require th at the storagee respond correectly to specifiic
SCSI comman ge must follow the SCSI Prim
nds, the storag mary Command ds-3 (SPC-3) sttandard. In
particular, the
e storage mustt support Persistent Reservattions, as speciffied in the SPC
C-3 standard.
The miniport driver used fo

or the storage must work witth the Storportt storage drive
er. Storport offfers a
higher perforrmance archite
ecture and bettter Fiber Chan
nnel compatib ility in Windowws operating
systems.
You must isolate storage devices (one cluster per device). You should not allow servers that belong to
different clusters to access the same storage devices. You can achieve this by using LUN masking or
zoning. This prevents LUNs used on one cluster from being seen on another cluster. Consider using
multipath input/output (I/O) software. Cluster nodes commonly use multiple host bus adapters to
access storage, and this lets you achieve additional high availability. To be able to use multiple host
bus adapters, you must use multipath software. For Windows Server 2012, your multipath solution
must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO
device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or
more DSMs as part of the operating system.
Lesson 2
Implem
menting
g a Failo
over Clu
uster
Failoover clusters inn Windows Server 2012 have e specific reco
ommended harrdware and so oftware
configurations tha at enable Micrrosoft to suppo
ort the cluster.. Failover clustters are intend
ded to provide a
high her level of serrvice than stan ers. Therefore, cluster hardwaare requirements are frequently
nd-alone serve
striccter than requiirements for sttand-alone serrvers.
Thiss lesson describ bes how to pre epare for clustter implementaation. In this leesson, you willl also discuss tthe
harddware, networrk, storage, infrrastructure, an nd software req quirements for Windows Serrver 2012 failo over
his lesson also outlines the stteps for using the Validate a Configuration
clussters. Finally, th n Wizard to en nsure
corrrect cluster con nfiguration, annd how to mig grate failover cclusters.
Lessson Objectiives
Explain how to
t prepare for implementing
g failover clusttering.
Describe hard
dware requirem over clustering..
ments for failo
Describe netw
work requirem
ments for failovver clustering.
Describe infra
astructure requ
uirements for failover
f cluste ring.
Describe softw
ware requirem
ments for failovver clustering.
Explain how to
t validate and
d configure a failover
f clusterr.
Explain how to
t migrate failo
over clusters.
Pre
eparing fo
or Failover Cluster Im
mplementaation
Befoore you implem ment failover clustering,
c you
u
musst identify servvices and applications that yo ou
wannt to make highly available. Failover
F cluste
ering
cannot be applied d to all applicaations, and
som
metimes, appliccations have th heir own
reduundancy mech hanisms. In add dition, you shoould
be aware
a that failover clusteringg does not pro ovide
proved scalability by adding nodes. You can
imp
onlyy obtain scalabbility by scaling
g up and using g
morre powerful ha ardware for the e individual no
odes.
Therefore, you should only use failover cluste ering
wheen your goal iss high availabillity, and not
scalability. In Windows Server 2012, there is one o exception to this: if you implement File
e Services on C
CSVs,
you can also achie eve a level of scalability.
s
Failo
over clustering d for stateful applications thaat are restricteed to a single sset of data. On
g is best suited ne
exammple of such ana application is a database. Data is stored d in a single lo
ocation and can n only be usedd by
onee database insttance. You can n also use failovver clustering for Hyper-V vvirtual machine es. The best ressults
for failover
f clustering occur whe en the client can reconnect tto the applicattion automaticcally after failo over. If
the client does noot reconnect au utomatically, then
t the user m
must restart th he client appliccation.
Failo
over clustering
g uses only IP--based protoco
ols and is, therrefore, suited o ed applications.
only to IP-base
Failo
over clustering
g now supportts both IPv4 annd IPv6.
Consider the following guidelines when pla

anning node caapacity in a fa ilover cluster:
Spread out the highly ava

ailable applications from a faailed node. W hen all nodes in a failover clluster
are active, the
t highly available services or application
ns from a failed
d node shouldd be spread ou ut
among the remaining no odes to prevent a single nodee from being o overloaded.
Ensure thatt each node ha as sufficient idle capacity to service the hig ghly available services or
applications that are alloccated to it wheen another no ode fails. This id
dle capacity sh
hould be a suffficient
buffer to avvoid nodes runnning at near capacity
c after a failure eventt. Failure to plaan resource uttilization
adequatelyy can result in a decrease in performance
p fo
ollowing nodee failure.
Use hardwa are with similar capacity for all nodes in a cluster. This simplifies the planning processs for
failover, because the failo
over load will be
b evenly distrributed among g the surviving
g nodes.
Use standby servers to sim mplify capacityy planning. W hen a passive node is includ ded in the clustter, then
all highly avvailable service
es or applications from a fai led node can ffail over to the e passive nodee. This
avoids the need for comp plex capacity planning.
p If thi s configuratio n is selected, it is important that
the standbyy server has su ufficient capaciity to run the lload from morre than one no ode failure.
ou should also
Yo o examine all cluster
c configuration compo nents to identtify single poin nts of failure. YYou can
emedy many single points off failure with simple solution
re ns, such as add ding storage co ontrollers to se eparate
an
nd stripe disks, or teaming network
n adapteers, and using multipathing software. Thesse solutions re educe
th o a single devvice will cause a failure in thee cluster. Typiccally, server claass
he probability that a failure of
co
omputer hardw ware has optio ons for multiple power supp lies for power redundancy, aand for creatin ng
re
edundant arrayy of independe D) sets for disk data redundan
ent disk (RAID ncy.
Hardware
H Requireme
R ents for Fa
ailover Clusster Imple
ementation
n
It is very importtant to make good
g decisionss when
yoou select hardw ware for cluste
er nodes. Failoover
clusters have to o satisfy the folllowing criteria
a to
meet
m availabilityy and support requirements:
All hardwarre that you select for a failovver

cluster shou uld meet the Certified
C for Windows
W
Server 2012 2 logo requirements. Hardwa are that
has this log go has been independently tested t
to meet the e highest techn nical bar for
reliability, availability,
a stability, security,, and
platform co ompatibility. This logo also means
m
that officiall support optio ons exist in casse
malfunction ns arise.
You should
d install the sam
me or similar hardware
h on eaach failover cluster node. Foor example, if yyou
choose a sp
pecific model of
o network ada apter, you sho
ould install thiss adapter on each of the clusster
nodes.
If you are using

u SAS or Fiber Channel sttorage connecctions, the masss storage devvice controllerss that
are dedicatted to the clustter storage sho
ould be identi cal in all clusteered servers. T
They should alsso use
the same firmware versio on.
If you are using

u iSCSI storrage connectio
ons, each clusttered server m
must have one o or more netwo ork
adapters orr host bus adapters dedicateed to the clusteer storage. Thee network thatt you use for iSSCSI
storage connnections shou uld not be used for network communicatio ered servers, the
on. In all cluste
network ad ou use to connect to the iSCSSI storage targ
dapters that yo get should be identical, and we
recommend d that you usee 1 Gbps Ethernet or more.
After you con

nfigure the servvers with the hardware,
h all t ests provided in the Validate
e a Configurattion
Wizard must be passed beffore the cluster is considered d a configuratiion that will be
e supported byy
Microsoft.
Ne
etwork Req
quirementts for Failo
over Clusteer Impleme
entation
One e of the netwoork requiremen nts for failover
clusster implementtation is that failover cluster
netwwork compone ents must have e the Certified for
2 logo, andd must also pass the
tests in the Valida
ate a Configuraation Wizard.
Addditionally:
The network adapters in ea ach node should be
identical and have the same e IP protocol
version, speedd, duplex, and flow control
capabilities th
hat are availab
ble.
The networkss and network equipment to o

which you co
onnect the noddes should be
redundant so nue communiccating with one
o that even a siingle failure allows for the n odes to contin
another. You can use netwoork adapter teaming to provvide single nettwork redundaancy. We
recommend multiple
m netwoorks to provide e multiple pat hs between no odes for inter--node
communication. Otherwise,, a warning will generate du ring the validaation process.
The network adapters in a cluster

c networrk must have th he same IP address assignment method, w
which
means either that they all use ddresses, or thaat they all use DHCP.
u static IP ad
Note: If you u connect clustter nodes with

h a single netw
work, the netwo
ork passes the e
redu
undancy requiirement in the Validate a Co onfiguration W
Wizard. Howeveer, the report ffrom the
wiza
ard will include
e a warning th
hat the network should not h have single po
oints of failure.
Inffrastructurre Requirements for Failover C

Cluster Imp
plementattion
Failo
over clusters depend
d on infrrastructure servvices.
Eachh server node must be in the e same Active
Direectory domain, and if you usse Domain Nam me
Systtem (DNS), thee nodes shouldd use the same e DNS
servvers for name resolution.
r
We recommend that you installl the same

Win
ndows Server 2012
2 features and
a roles on each
nod
de. Inconsistent configurationn on cluster no odes
can cause instability and performance issues. In
add
dition, you should not install the AD DS rolle on
any of the cluster nodes, becausse AD DS has itsi
ownn fault-tolerance mechanism m. If you install the
AD DS role on one of the nodess, you must insstall it on all no
odes. Howeveer, this is not re
ecommended.
You must have the following network infrastructure for a failover cluster:
Network settings and IP addresses. When you use identical network adapters for a network, also use
identical communication settings such as speed, duplex mode, flow control, and media type on those
adapters. Also, compare the settings between the network adapter and the switch to which it
connects, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss
might occur, which could adversely affect how the cluster nodes communicate among themselves,
with clients or with storage systems.
Unique subnets. If you have private networks that are not routed to the rest of the network
infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even
if you give each network adapter a unique IP address. In addition, these private network addresses
should not be registered in DNS. For example, if you have a cluster node in a central office that uses
one physical network, and another node in a branch office that uses a separate physical network, do
not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This
avoids routing loops and other network communications problems if, for example, the segments are
accidentally configured into the same collision domain because of incorrect virtual local area network
(VLAN) assignments.
DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol
is a supported configuration.
Domain role. All servers in the cluster must be in the same Active Directory domain. As a best
practice, all clustered servers should have the same domain role (either member server or domain
controller). The recommended role is member server because AD DS inherently includes its own
failover protection mechanism.
Account for administering the cluster. To be able to administer the cluster, you must have an account
with appropriate permissions. You must have local administrator rights on all nodes that participate in
the cluster. In addition, when you create the cluster, you must have the right to create new objects in
domains. You can do this with the Domain Admin account, or you can delegate these rights to
another domain account.
In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs
in a special context that provides the specific permissions and credentials that are necessary for the service
(similar to the local system context, but with reduced credentials). When a failover cluster is created and a
corresponding computer object is created in AD DS, that object is configured to prevent accidental
deletion. In addition, the cluster Network Name resource has an additional health check logic, which
periodically verifies the health and properties of the computer object that represents the Network Name
resource.
Sofftware Req
quirementts for Failo
over Clusteer Impleme
entation
Failoover clusters re
equire that each cluster nod de
musst run the same edition of Windows
W Serverr
2012. The edition can be either Windows Servver
2012 Standard or Windows Servver 2012
Datacenter. The nodes
n should also
a have the same
softtware updates and service pa acks. Dependin ng on
the role that will be
b clustered, a Windows Server
2012 Server Core installation may also meet the t
softtware requirem ments. In Windows Server 20 012,
Servver Core is the default installlation option, and
therrefore you sho ould consider itt as a cluster node.
n
How wever, Failoverr Clustering can also be insta alled
on a full GUI versiion.
It is also importan
nt that the samme version of se
ervice packs o
or any operatin
ng system updates exist on aall
nod des that are parts of a clusterr.
Note: Wind dows Server 20 012 provides Cluster-Aware

C U
Updating techhnology that caan help
you maintain upddates on cluste
er nodes. This feature
f more detail in Lesson 4:
will be discussed in m
Maintaining a Failover Cluster.
Each
h node must run the same processor
p means that eacch node must have the same
architecture. This m e
proccessor family, which might be,
b for examplee, the Intel Xeo
on processor ffamily with Exttended Memo
ory
64Technology, the AMD Optero on AMD64 fammily, or the Inteel Itaniumbassed processor family.
De
emonstration: Valida
ating and Configurin
C ng a Failovver Clusterr
The Validate a Co onfiguration Wizard
W runs testts that confirm
m if the hardwaare and softwaare settings are
e
commpatible with failover
f clusterring. Using the
e wizard, you ccan run the com mplete set of cconfiguration tests
or a subset of the tests. You shoould run the teests on servers and storage d devices before you configure e the
failo
over cluster, an
nd again after you make anyy major changees to the clustter. You can acccess the test rresults
in th
he %windir%\ccluster\Reportts directory.
Dem
monstration
n Steps
Vallidate and Configure

C a Cluster
1. Start the Failo
over Cluster Manager
M on the
e LON-SVR3.
2. Start the Valid

date Configura
ation Wizard.
3. Review the re
eport.
4. Create a new cluster. Add LON-SVR3

L and
d LON-SVR4 aas cluster nodees.
5. Name the clu

uster Cluster1..
6. Use 172.16.0
0.125 as the IP
P address.
Migrating
M Failover
F Cllusters
In
n some scenarios, such as repplacing clusterr nodes,
orr upgrading too a newer version of a Windo ows
opperating system, you will need to migrate
clustered roles or
o services from
m one cluster to
annother. In Windows Server 2012,
2 it is possiible to
migrate
m clustere
ed roles and clluster configurration
from clusters ru
unning Window ws Server 2012 2,
Windows
W Server 2008 R2, or Windows
W Serveer 2008.
Yoou can migrate these roles and
a configurattions in
onne of two wayys:
Migrate froom an existing cluster to a neew

cluster thatt is running Wiindows Server 2012:
In this scenario, you havee two new cluster nodes runn ning Windowss Server 2012, and you then
perform miigration from an a existing clu ndows Server 2008 or later.
uster with nodees running Win
Perform an in-place migrration on a two o-node clusterr: This is a morre complex sce enario, where yyou
want to mig grate a clusterr to a new verssion of the Win ndows operating system. In this scenario, yyou do
not have ad dditional comp puters for neww cluster nodess. For examplee, you may wan nt to upgrade a
cluster thatt is currently ru
unning on Win ndows Server 22008 R2 to a cluster running g Windows Serrver
2012. To acchieve this, you u must first rem
move resourcees from one no ode, and evict that node from a
cluster. Nexxt, you perform m a clean insta allation of Win dows Server 22012 on that se erver. After Wiindows
Server 2012 2 is installed, you
y create a on ne-node failovver cluster, mig
grate the clustered services aand
applications from the old d cluster node to that failoveer cluster, and then remove tthe old node ffrom
cluster. The
e last step is too install Windows Server 201 2 on another ccluster node, ttogether with failover
cluster feature, add the se erver to the fa
ailover cluster, and run validaation tests to cconfirm that th
he
overall configuration worrks correctly.
Th
he Cluster Miggration Wizard d is a tool that lets you perfo
orm the migrattion of clustereed roles. Becauuse the
Cluster Migratioon Wizard doe es not copy data from one sttorage locatio n to another, yyou must copyy or
move
m data or foolders (includin
ng shared foldder settings) duuring a migrattion. In additio
on, the Cluster
Migration
M Wizard does not migrate
m mount--point informaation (informattion about harrd disk drives tthat do
ot use drive letters, and are mounted in a folder on ano ther hard diskk drive). Howevver, it can migrate
no
physical disk ressource settings to and from disks that use mount pointss.
Lesson 3
Configguring Highly
H Availabl
A le Appliicationss and Se
ervices on
a Failo
over Cluster
Afteer you have coonfigured yourr clustering infrastructure, yo ou should conffigure specific roles or servicces to
be highly
h ered. Thereforee, you should ffirst identify th
available. Not all roless can be cluste he resource that
you want to put in n a cluster, andd then verify whether
w that reesource is sup ported. In thiss lesson, you w
will
learrn about configguring roles annd applicationns in clusters, aand you will leaarn about configuring cluste er
settings.
Lessson Objectiives
Afte
ou will be able to:
Describe and identify cluste

er resources an
nd services.
Describe the process for clu

ustering serverr roles.
Cluster a file server
s role.
Explain how to ailover cluster properties.

t configure fa
t manage cluster nodes.

Explain how to
Explain how to
t configure application failo
over settings.
Ide
entifying Cluster
C Ressources an
nd Servicess
Clusstered services are services or applications that
are made highly available
a by insstalling them on
o a
failo
over cluster. Cllustered services are active ono
onee node, but can n be moved to o another node e. A
clusstered service that
t contains an
a IP address
resoource and a ne etwork name resource (and other
o
resoources) is published to a client on the netw work
undder a unique se erver name. Be ecause this gro
oup of
resoources displayss as a single logical server to o
cliennts, it is called a clustered insstance.
Users access appliications or servvices on an

instance in the same manner ass they would iff the
appplications or services were on ually, applications or users do not know th
n a non-clusterred server. Usu hat
theyy are connecting to a clusterr, or the node to which they are connected d.
Reso ources are phyysical or logical entitiessucch as a file sha re, disk, or IP aaddressthat the failover cluster
man nages. Resourcces are the mo ost basic and smmallest config urable units th hat may provid
de a service to
o
cliennts, or may bee important parts of the clustter. At any timme, a resource ccan run only oon a single nod de in a
clusster, and is online on a node when it provid des its service to that specifiic node.
Serrver Cluster Resources

A clluster resource is any physica
al or logical co
omponent thatt has the follow
wing characterristics:
It can be brou
ught online an
nd taken offline.
It can be man
naged in a servver cluster.
It can be hostted (owned) by only one nod

de at a time.
To
o manage reso ources, the Clu
uster service co
ommunicates tto a resource D DLL through a resource mon nitor.
When
W the Cluster service mak
kes a request for a resource, the resource m monitor calls tthe appropriatte entry
po
oint function in the resource
e DLL to check k and control tthe resource sttate.
Dependent
D Resources
R
A dependent ressource is one that
t requires another resourcce to operate. For example, because a nettwork
naame must be associated
a with
h an IP addresss, a network nname is consid ered a depend dent resource.
Beecause of this requirement, a network nam me resource deepends on an IP address resource. Depend dent
re
esources are taaken offline beefore the resou urces upon wh hich they depend are taken o offline. Similarly, they
arre brought online after the resources
r on which
w they dep
pend are broug ght online. A rresource can sp pecify
onne or more ressources on wh hich it is depen
ndent. Resourcce dependenciees also determ mine bindings. For
exxample, clientss will be bound network name resource depe
d to the particcular IP addres s on which a n ends.
When
W you creatte resource deependencies, co onsider the facct that althoug gh some depe endencies are sstrictly
re
equired, otherss are not requiired but are re
ecommended. For example, a file share thaat is not a Disttributed
File System (DFS S) root has no required depe endencies. How wever, if the d disk resource that holds the ffile
sh
hare fails, the file
f share will be
b inaccessible e to users. Therrefore, it is log
gical to make tthe file share
de
ependent on the t disk resourrce.
A resource can also specify a list of nodes on

o which it can
n run. Possible nodes and de
ependencies arre
im
mportant considerations whe en administrattors organize rresources into groups.
Process
P forr Clustering
g Server Roles
R
Fa
ailover clusteriing supports th
he clustering ofo
se
everal Window ws Server roles,, such as File Services,
DHCP, and Hyp per-V. To impleement clusterin ng for a
se
erver role, or fo
or external appplications suchh as
Microsoft
M SQL Server
S or Excha
ange Server, perform
p
th
he following procedure:
1.. Install the failover

f clusterring feature. Use
Server Man nager, dism.exe e, or Windows
PowerShell to install the failover
f clusterring
feature on all computers that will be cluster
members. In Windows Se erver 2012, you u can
install roless and features on multiple se ervers
simultaneously from single Server Manager console.
2.. Verify confiiguration and create a clusteer with the app

propriate nodees. Use the Failover Cluster
Manager sn nap-in to first validate
v d then create a cluster with selected node
a configuration, and es.
3.. Install the role

r on all cluster nodes. Usee Server Managger, dism.exe, or Windows P
PowerShell to iinstall
the server role
r that you want
w to use in the cluster.
4.. Create a clu ation by using the Failover C

ustered applica Cluster Manag
ger snap-in.
5.. Configure the n. Configure options on the application th

t application hat is being use
ed in the cluster.
6.. Test failove

er. Use the Failover Cluster Management
M sn
nap-in to test failover by inttentionally mo
oving
the service from one nod de to another.
After you create
e the cluster, you
y can monito
or its status byy using the Failover Cluster M
Management cconsole,
an
nd manage avvailable options.
De
emonstration: Cluste
ering a File
e Server Ro
ole
Dem
monstration
n Steps
Clu
uster a File Server
S Role
1. On LON-SVR3, add Clusterr Disk 2 as cluster storage fo
or Cluster1.
2. Configure File Server as a clustered

c role. Configure a FFile Server forr general use..
3. For the Client Access Poin

nt name, type AdatumFS
A witth the addresss of 172.16.0.5
55.
4. Use Cluster Disk

D 2 for the storage for Ad
datumFS.
Co
onfiguring Failover Cluster
C Pro
operties
Oncce you create a cluster, the newly
n created
clusster has many properties that you can
configure.
Wheen you open Cluster

C Propertties, you can
configure cluster name or change the name, you y
can add various tyypes of resources such as IP
add
dress and netwwork name to the cluster, and d you
can also configuree cluster permissions. By
configuring permissions, you de etermine who can
have full control over
o that speciific cluster and
d who
can just read the cluster
c configu
uration.
In addition, you can perform so

ome standard
man nagement taskks on each clusster periodically, or on demaand. These tasks range from adding and
rem
moving cluster nodes, to mod difying the quoorum settings. Some of the m most frequenttly used
configuration taskks include:
Managing clu uster nodes: Fo

or each node in a cluster, yo u can stop clu
uster service temporarily, pau
use
nitiate remote desktop to the
the service, in e node, or evicct the node froom the clusterr.
Managing cluuster networkss: You can add or remove clu

uster networkss, and configurre networks th
hat will
be dedicated to inter-cluste
er communication.
Managing pe
ermissions: By managing
m perrmissions, you can delegate rights to admiinister a cluster.
Configuring cluster
c quorum
m settings: By configuring
c qu
uorum settingss, you determiine the way in
which quorumm is achieved, as well as who
o can have votte in a cluster.
Migrating serrvices and app
plications to a cluster:
c You caan implement existing services to the clustter
and make theem highly avaiilable.
Configuring new
n services and application
ns to work in a cluster: You ccan implementt new services to
the cluster.
Removing a cluster:
c You can remove a cluuster if you deecide to stop u g, or if you want to
using clustering
move the cluster to anothe
er set of nodes.
You
u can perform most of these administrative e tasks by usin
ng the Failoverr Cluster Manaagement conso ole, or
by using
u Windows PowerShell. However,
H Clusster.exe, whichh was used forr some of thesse tasks in prevvious
Win
ndows Server operating
o syste
em versions, is no longer suppported in Win ndows Server 2012, and is not
partt of the default installation.
Managing
M Cluster No
odes
Cluster nodes are mandatory for each cluster.
After you create
e a cluster and
d put it into
production, youu might have to
t manage cluster
no
odes occasionally.
Yo
ou can manag ge cluster node
es by using the
e
Fa
ailover Cluster Managementt console or Windows
W
Po
owerShell. Theere are three aspects to managing
cluster nodes:
You can add a node to an n established failover

f
cluster by selecting
s Add Node in the Failover
F
Cluster Man nagement Acttions pane in the
uster Managerr console. The Add
Failover Clu
Node Wizard prompts yo ou for informattion about thee additional no
ode.
You can pause a node to prevent resou urces from bei ng failed over or moved to tthe node. You
typically pa hen it is underrgoing mainte nance or troub
ause a node wh When you are pausing
bleshooting. W
a node, youu can choose to
t drain roles from
f that nodee.
You can evict a node, which is an irreve ersible processs for a cluster n
node. After yoou evict the node, it
must be re--added to the cluster. You evvict nodes wheen a node is d damaged beyo ond repair, or is no
longer need ded in the clusster. If you evicct a damaged node, you can place it, and then add
n repair or rep
it back to th
he cluster by using
u the Add Node Wizard..
Configuring
C g Applicattion Failov
ver Setting
gs
Yo
ou can adjust failover settinggs, including
preferred owners and failback k settings, to control
c
ho
ow the cluster responds whe en the applicattion or
se
ervice fails. You
u can configurre these settinggs on
th
he property sheet for the cluustered service or
ap
pplication (eithher on the Genneral tab or on the
Fa
ailover tab).
The following table provides examples that show how these settings work.
Setting Result
Example 1: If the service or application fails over from Node1

General tab, Preferred owner: Node1 to Node2, when Node1 is once again available, the
service or application will fail back to Node1.
Failover tab, Failback setting: Allow failback
(Immediately)
Example 2: In a six-hour period, if the application or service

Failover tab, Maximum failures in the fails no more than two times, it will be restarted or
specified period: 2 failed over every time. If the application or service
fails a third time in the six-hour period, it will be
Failover tab, Period (hours): 6
left in the failed state.
The default value for the maximum number of
failures is n-1, where n is the number of nodes.
You can change the value, but we recommend a
fairly low value so that if multiple node failures
occur, the application or service will not be moved
between nodes indefinitely.
Lesson
n4
Mainttaining a Failov
ver Clusster
Once
O your clustter infrastructuure running, it is important t hat you establlish monitoring
g to prevent p
possible
fa
ailures. In addittion, it is impo
ortant that you
u have backup and restore p procedures for cluster configuration.
Windows
W Server 2012 has new w technology that
t allows yo u to update clluster nodes w
without downtiime. In
his lesson, you will learn about monitoring failover clusteers, backing up
th p and restoring
g cluster
onfigurations, and updating cluster nodes.
co
Le
esson Objecctives
ng this lesson, you
w to monitor failover clusters.

Explain how
Explain how
w to back up and
a restore a fa
ailover cluster configuration
n.
w to maintain and troubleshoot failover cl usters.

Explain how
Describe Cluster-Aware Updating.

U
Configure Cluster-Aware
C Updating.
Monitoring
M g Failover Clusters
Many
M tools are available in Windows
W Serverr 2012
to
o help you monitor failover clusters.
c You can use
sttandard Windo ows Server toools such as the Event
Viewer and the Performance and Reliabilityy
Monitor
M snap-inn to review clu
uster event log
gs and
pe erformance metrics. You can n also use
Trracerpt.exe to export data fo or analysis.
Additionally, yoou can use the Multipurpose
In
nternet Mail Exxtension Hyperrtext Markup
Laanguage (MHT TML)formatte ed cluster
coonfiguration reeports and thee Validate a
Configuration Wizard
W to troubleshoot probblems
w the cluster configuration
with n and hardware e changes. Sin
nce the cluster..exe command
d-line tool is
de eprecated in Windows
W Serveer 2012, you ca
an use Window ws PowerShell instead to perform similar ttasks.
Ev
vent Viewer
When
W problemss arise in the cluster, use thee Event Viewer to view eventts with a Criticaal, Error, or Waarning
everity level. Additionally, infformational-le
se evel events aree logged to thee failover clusttering Operatio
ons log,
which
w can be foound in the Eve t Applicatio ns and Servicees Logs\Microssoft\Windows folder.
ent Viewer in the
In
nformational-le evel events aree usually commmon cluster op h as cluster nodes leaving an
perations, such nd
jo
oining the clustter, or resources going offlin
ne or coming o online.
In
n previous Winndows Server versions,
v event logs were repplicated to each node in the cluster. This
simplified cluste
er troubleshoo oting, because you could revview all event llogs on a singlle cluster node e.
Windows
W Server 2012 does no ot replicate the event logs b
between nodess. However, the e Failover Clusster
Management
M sn
nap-in has a Cluster
C Events option that e nables you to view and filter events acrosss all
cluster nodes. This
T feature is helpful
h elating events across clusterr nodes. The Faailover Clusterr
in corre
Management
M sn
nap-in also proovides a Recen nt Cluster Eveents option thhat will query aall the Error an
nd
Warning
W eventss from all the cluster
c nodes in the last 24 h
hours. You can access additio onal logs, suchh as the
Anaalytic and Debu

ug logs, in the
e Event Viewer. To display th ese logs, modify the view on
n the top men
nu by
sele
ecting the Show
w Analytic an nd Debug Log gs option.
Win
ndows Even
nt Tracing
Win ndows event trracing is a kernnel component that is availa ble early afterr startup, and late into shutd
down.
It is designed to allow
a for fast trracing and delivery of event s, to trace filess and to consu
umers. Because
e it is
desiigned to be fast, Windows event tracing enables only baasic in-processs filtering of evvents based on n
event attributes.
The event trace lo

og contains a comprehensive
c e accounting oof the failover cluster actionss. Depending o
on
how
w you want to view the data,, use Windowss PowerShell o r Tracerpt.exe to access the information in
n the
event trace log.
Traccerpt.exe will parse

p the event trace logs on
nly on the nodde on which it is run. All the individual logss are
colle
ected in a central location. To
T transform thhe XML file intto a text file or an HTML file
e that can be
opeened in Windows Internet Exxplorer, you can parse the XM ML-based file by using the M Microsoft XSL
parssing command d an XSL style sheet.
d prompt msxssl.exe tool, and
Perrformance and
a Reliability Monitorr Snap-In
The Performance and Reliabilityy Monitor snap
p-in lets you:
Trend applica
ation performa ance on each node.
n To deterrmine how an application is performing, yyou
can view and trend specificc information on
o system reso
ources that aree being used o
on each node.
Trend applica
ation failures and
a stability onn each node. Y You can pinpo int when appliication failuress
occur, and match the appliccation failures with other evvents on the no
ode.
Modify trace log settings. You
Y can start, stop,
s and adjusst trace logs, including theirr size and locattion.
Backing Up and
a Restoring Failov
ver Clusterr Configurration
Clusster configurattion can be a time-consumin
t ng
proccess with many details. Therefore, backingg up
your cluster configguration is imp
portant. You can
c
perfform cluster co
onfiguration backup
b and resstore
usin
ng Windows Se erver Backup oro a non-Micro osoft
backup tool.
Wheen you back up the cluster configuration,
c be
awa
are of the follo
owing:
You must testt your backup and recovery

process beforre putting a clu
uster into
production.
You must first add the Winddows Server Backup feature , if you decidee to use it. You
u can do this by
using Server Manager,
M by using
u the dism.exe utility, or by using Wind
dows PowerSh hell.
Win
ndows Server Backup
B is the built-in
b backupp and recoveryy software for Windows Servver 2012. To
com
mplete a successsful backup, consider
c the fo
ollowing:
For a backup to succeed in a failover clusster, the clusteer must be run ning and mustt have quorum m. In
other words, enough nodess must be runn ning and comm municating (peerhaps with a witness disk o
or
witness file sh
haredepending on the quo orum configurration,) that thhe cluster has aachieved quorum.
You must bacck up all cluste

ered applicatio
ons. If you clus ter a SQL Servver database, yyou must have
ea
backup plan for
f the databa ases and config
guration outsid de the cluster configuration.
If applicatio
on data must be
b backed up, the disks on wwhich you storre the data muust be made avvailable
to the backkup software. You
Y can achievve this by runnning the backu om the cluster node
up software fro
that owns the
t disk resourrce, or by runn
ning a backup against the clu
ustered resourrce over the ne
etwork.
If you are using
u CSVs, you
u can run backkup from any n
node that is atttached to the
e CSV volume.
The cluster service tracks which cluster configuration is the most reecent, and it re eplicates that
configuratio
on to all cluste
er nodes. If the
e cluster has a witness disk, tthe Cluster serrvice also replicates
the configu
uration to the witness
w disk.
Restoring
R a Cluster
C
Th
here are two tyypes of restore
e:
Non-authoritative restore e. Use a non-authoritative reestore when a single node in n the cluster is
damaged or o rebuilt, and the rest of the e cluster is opeerating correcttly. Perform a nnon-authoritattive
restore by restoring
r the system
s recoverry (system statte) information n to the damag ged node. Wh hen you
restart that node, it will jo
oin the cluster and receive th on automatically.
he latest clusteer configuratio
Authoritativve restore. Usee an authoritattive restore wh

hen the clusterr configuration
n must be rolleed back
to a previouus point in tim
me. For example, use an auth horitative resto
ore if an admin
nistrator accide
entally
removed clustered resources or modifie ed other clusteer settings. Perform the auth
horitative resto
ore by
stopping thhe cluster resource on each node,
n and thenn performing a system recovvery (system sttate) on
a single nodde by using Windows
W Serverr Backup interfface. After thee restored node restarts the ccluster
service, the
e remaining cluuster nodes can also start thee cluster servicce.
Maintainin
M g and Trou
ubleshootting Failovver Clusters
Cluster validatio
on functionalitty implemente ed in
Windows
W Server 2012 failoverr clustering, prrevents
misconfiguratio
m ons and non-w working clusters.
However, in som me cases you may
m still have tot
pe
erform mainte enance or clustter troubleshooting.
ome common maintenance tasks can help

So p you
prevent problem
ms in cluster co
onfiguration:
Use the Vallidate a Config

guration Wizarrd to
onfiguration isssues that might
highlight co
cause cluste
er problems.
Review clusster events and

d trace logs to
identify app
plication or ha
ardware issues that might ca use an unstab
ble cluster.
Review harddware events and

a logs to he pecific hardware componentts that might ccause an
elp pinpoint sp
unstable clu
uster.
Review SANN componentss, switches, ada
apters, and sto
orage controlleers to help identify any pote
ential
problems.
When
W troublesh
hooting failove
er clusters:
Identify the
e perceived pro
oblem by colle
ecting and doccumenting thee symptoms off the problem..
Identify the
e scope of the problem so thhat you can unnderstand whaat is being affected by the prroblem,
pplication and the clients.
and the impact of that efffect on the ap
Collect informmation so that you can accurrately understaand and pinpo oint the possib ble problem. A
After
by the impact of a
you identify a list of possible problems, you can prioritiize them by prrobability, or b
repair. If you cannot pinpoiint the problemm, you should attempt to ree-create the prroblem.
Create a sche
edule for repairing the problem. For examp blem only affects a small sub
ple, if the prob bset of
users, you can
n delay the rep
pair to an off-p
peak time so tthat you can scchedule downtime.
Complete and
d test each rep
pair one at a tiime so that yo
ou can identifyy the fix.
To troubleshoot
t SAN
S issues, start by checking
g physical conn
nections and b
by checking eaach of the harddware
com
mponent logs. Additionally, run r the Validatte a Configuraation Wizard to he current cluster
o verify that th
configuration is sttill supportable e.
Note: When n you run the Validate

V a Connfiguration Wiizard, ensure that the storage tests that
you select can be run on an online failover clu of the storage tests cause loss of
uster. Several o
servvice on the clustered disk wh
hen the tests are run.
Tro
oubleshooting Group and
a Resourcce Failures
To troubleshoot
t group
g and reso
ource failures:
Use the Depe

endency Viewe
er in the Failovver Cluster Man
nagement snaap-in to identiffy dependent
resources.
Check the Eve
ent Viewer and
d trace logs fo
or errors from tthe dependent resources.
Determine wh
hether the pro ppens on a speecific node or nodes, by trying to re-creatte the
oblem only hap
problem on different
d nodess.
Wh
hat Is Cluster-Aware
e Updating
g?
Appplying Window ws operating syystem updatess to
noddes in a clusterr requires extra
a attention. If you
y
wannt to provide zero
z downtime e for a clustere
ed
role
e, you must update cluster no odes manuallyy one
afte
er another, andd you must mo ove resources
man nually from the e node that yoou are updatin ng to
anoother node. Thiis procedure can be very tim me-
consuming. In Windows Server 2012, Microso oft has
impplemented a ne ew feature for automatic update
of cluster
c nodes.
Clusster-Aware Uppdating (CAU) is a Windows

Servver 2012 feature that lets administrators update
clusster nodes auto oss in availabillity during thee update proce
omatically, witth little or no lo ess. During an
upddate procedure e, CAU transpaarently takes each cluster no ode offline, insttalls the updattes and any
deppendent updates, performs a restart if nece essary, brings tthe node backk online, and th hen moves to
upddate the next node
n in a cluster.
For many clustere ed roles, this au

utomatic updaate process trig
ggers a planneed failover, and d it can cause a
tran
nsient service interruption foor connected clients. Howeveer, for continuo ously available
e workloads in
n
Winndows Server 2012such
2 as Hyper-V with live migrationn or file server with SMB Transparent Failo over
CAUU can orchestrate cluster upd dates with no effect on serviice availability.
Cluster Updating Modes

CAU can orchestrate the complete cluster updating operation in two modes:
Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or Windows 8
is called and configured as an orchestrator. To configure a computer as a CAU orchestrator, you must
install failover clustering administrative tools on it. The orchestrator computer is not a member of the
cluster that is updated during the procedure. From the orchestrator computer, the administrator
triggers on-demand updating by using a default or custom Updating Run profile. Remote-updating
mode is useful for monitoring real-time progress during the Updating Run, and for clusters that are
running on Server Core installations of Windows Server 2012.
Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover
cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does
not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a
default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process
starts on the node that currently owns the CAU clustered role, and the process sequentially performs
updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by
using a fully automated, end-to-end updating process. An administrator can also trigger updates on
demand in this mode, or use the remote-updating approach, if desired. In the self-updating mode, an
administrator can access summary information about an Updating Run in progress by connecting to
the cluster and running the Get-CauRun Windows PowerShell cmdlet.
To use CAU, you must install the failover clustering feature in Windows Server 2012, and you must create
a failover cluster. The components that support CAU functionality are installed automatically on each
cluster node.
You must also install the CAU tools, which are included in the failover clustering Tools (which are also part
of the Remote Server Administration Tools (RSAT)). The CAU tools consist of the CAU user interface (UI)
and the CAU Windows PowerShell cmdlets. The failover clustering Tools are installed by default on each
cluster node when you install the failover clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8, and that has network connectivity
to the failover cluster.
Demonstration: Configuring CAU

Demonstration Steps
Configure CAU
1. Make sure that the failover cluster is configured and running on LON-SVR3 and LON-SVR4.
2. Add failover clustering Feature to LON-DC1.
3. Run Cluster-Aware Updating on LON-DC1, and configure it to connect to Cluster1.

4. Preview updates that are available for nodes LON-SVR3 and LON-SVR4.
5. Review available options for the Updating Run profile.
6. Apply available updates to Cluster1 from LON-DC1.
7. After updates are applied, configure Add CAU Clustered Role with Self-Updating Enabled on
LON-SVR3.
Lesson 5
Implem
menting
g a Multi-Site Failover
F r Cluste
er
In so
ome scenarioss, you may havve to deploy cluster nodes o n different sitees. Usually, you u do this when n you
build disaster recoovery solutionss. In this lesson
n, you will learrn about multii-site failover cclusters, and th
he
prerrequisites for implementing them. You will also learn ab bout synchronoous and asynchronous repliccation,
and the process ofo choosing a quorum
q mode for multi-site clusters.
Lessson Objectiives
Describe a multi-site failove

er cluster.
Describe prerrequisites for im

mplementing a multi-site clu
uster.
Describe syncchronous and asynchronous replication.
Explain how to uorum mode for multi-site cclusters.

t choose a qu
Describe the process for de

eploying multi--site clusters.
Describe the challenges forr implementing
g multi-site clu
usters.
Wh
hat Is a Mu
ulti-Site Fa
ailover Clu
uster?
A multi-site
m failovver cluster is a cluster that ha
as
been extended so o that differentt nodes in the same
clusster reside in seeparate physiccal locations. A
mullti-site failoverr cluster therebby provides higghly
avaiilable services in more than one location.
Mullti-site failoverr clusters can solve several sppecific
problems, but the ey also presentt specific
challenges.
In a multi-site failover cluster, each site usually has

a se
eparate storage e system with replication
betwween the sites. Multi-site cluuster storage
repllication enablees each site to be independe ent,
orage systems, you cannot sh
and provides fast access to the local disk. With separate sto hare a single d
disk
betwween sites.
A multi-site
m failovver cluster has three main ad
dvantages in a failover site, aas compared to
o a remote serrver:
When a site fails,

f a multi-sitte cluster auto
omatically fails over the clusttered service o
or application tto
another site.
Because the cluster

c configu
uration is repliccated automattically to each cluster node iin a multi-site
cluster, there is less adminisstrative overhe d standby servver, which requ
ead than a cold uires you to
replicate channges manuallyy.
The automateed processes in

n a multi-site cluster
c reduce the possibilityy of human error, which is present
in manual pro
ocesses.
Because of increased cost and complexity

c of a multi-site faiilover cluster, iit might not be an ideal solu
ution
for every
e application or businesss. When you are
a considering g whether to d deploy a multi-site cluster, you
should evaluate thhe importance e of the applica
ations to the bbusiness, the tyype of applications, and anyy
alternative solutio
ons. Some applications can easily
e provide m multi-site redu undancy with llog shipping o or
otther processess, and can still achieve sufficient availabilityy with only a m
modest increasse in cost and
omplexity. Examples for this are SQL Serve
co er log shippingg, Exchange Seerver continuous replication,, and
DFS replication..
Th
he complexity of a multi-site
e cluster requirres more archiitectural and h
hardware plann
ning. It also re
equires
yo
ou to develop business processes to test thhe cluster funcctionality routiinely.
Prerequisit
P es for Imp
plementing
g a Multi-SSite Failovver Clusterr
Prrerequisites for implementattion of multi-site
cluster are diffe
erent from thosse for single-siite
cluster impleme entation. It is im
mportant to
un nderstand wha at you must prrepare before you
sttart implementtation of multii-site cluster.
Prrior to implem
menting multi-ssite failover clu
uster,
yo
ou must ensurre the following:
You must have

h enough nodes
n and vote
es on
each site, so
o that the clusster can be onlline
T setup requires
even if one site is down. This
additional hardware,
h and can come witth
significant financial
f costs.
All nodes must

m have the same
s operatin
ng system and service pack vversion.
You must provide

p at leastt one low-latency and reliabble network coonnection betw ween sites. Thiss is
f cluster heartbeats. By deffault, regardleess of subnet co
important for onfiguration, h
heartbeat freq
quency
(also known n as subnet deelay) is once evvery second (11,000 milliseco nds). The rang
ge for heartbeaat
frequency is once every 250-2000
2 millisseconds on a ccommon subn net, and 250-4,000 millisecon nds
across subnnets. By default, when a node misses a seriies of 5 heartb beats, another node will initiaate
failover. The range for this value (also known
k as subnnet threshold) is from 3 through 10.
You must provide

p a stora n mechanism. FFailover clustering does not provide any sttorage
age replication
replication mechanism, soo you must provide anotherr solution. Thiss also requires that you have
e
multiple sto
orage solutions, one for each
h cluster you ccreate.
You must ensure

e that all other necessary services for cluster, such aas AD DS and DNS are also
available onn a second sitee.
You must ensure

e that clie
ent connection
ns can be redirrected to a new e when failover
w cluster node
happens.
Syn
nchronouss and Asyn
nchronouss Replicatio
on
It is not possible for
f a geograph hically disperse
ed
failo
over cluster to use shared stoorage between n
phyysical locations. Wide area ne etwork (WAN) links
are too slow and have too much h latency to
support shared storage. This me eans that you must
have separate insttances of data. To have exacct
copies of data on both sides, ge eographically
disppersed failoverr clusters must synchronize data
d
betw ween locationss by using specialized hardw ware.
Mullti-site data repplication can be
b either
syncchronous or assynchronous:
When you use synchronouss replication, the

host receives a write compleete response from the primaary storage aftter the data is written successsfully
on both stora
age systems. If the data is no
ot written succ essfully to botth storage systtems, the
application must
m attempt too write to the disk again. Wiith synchronou us replication, both storage
systems are id
dentical.
When you use asynchronou us replication, the node receeives a write co omplete respo onse from the
storage after the data is written successfu ully on the prim
mary storage. The data is wrritten to the
secondary sto orage on a diffferent schedule, depending on the hardwaare or software e vendors
implementatiion. Asynchron nous replicatioon can be storaage-based, ho ost-based, or evven applicatio on-
based. Howevver, not all forms of asynchro onous replicattion are sufficieent for a multi-site cluster. FFor
example, DFS S Replication provides
p file-levvel asynchrono
ous replication n. However, it does not supp port
multi-site failover clustering
g replication. This
T is becausee DFS Replicatiion replicates smaller docum ments
that are not held
h open continuously, and was not desig gned for high--speed, open-ffile replication.
Wh
hen to Use Synchronou
S us or Asynch
hronous Rep
plication
Use synchronous replication wh hen data loss iss not acceptabble. Synchrono ous replication solutions requuire
low-disk write lateency, because the applicatioon waits for bo oth storage solutions to acknnowledge the d data
writtes. The require
ement for loww latency disk writes
w also limi ts the distancee between the
e storage systems,
because increased d distance can cause higher latency. If the disk latency iss high, the perrformance and d even
the stability of the
e application can
c be affected d.
Asynchronous rep plication overccomes latency and distance l imitations by acknowledging local disk wrrites
onlyy, and by reprooducing the disk write on the remote storaage system in a separate traansaction. Becaause
asyn
nchronous rep plication writess to the remote e storage systeem after it writtes to the locaal storage syste
em,
the possibility of data
d loss durin
ng a failure inccreases.
Selecting a Quorum Mode for Multi-Sitee Clusters

Ea
ach failover cluuster must havve quorum mo ode
de ote can be easily
efined, so thatt a majority vo
de a time. For a geographically
etermined at any
er, you cannot use quorum
diispersed cluste
co
onfigurations that
t require a shared disk, because
eographically dispersed clussters do not usse
ge
sh
hared disks. Booth the Node anda Disk Majority and
No Majority: Disk Only quorum modes requ uire a
sh
hared witness disk
d to provide e a vote for
de
etermining qu uorum. You sho ould only use these
t
tw
wo quorum mo odes if the harrdware vendorr
sp
pecifically reco
ommends and supports them m.
To
o use the Node and Disk Ma
ajority and No Majority: Diskk Only modes in a multi-site cluster, the sh
hared
diisk requires that:
You preservve the semantics of the SCSI commands accross the sites,, even if a com
mplete communication
failure occu
urs between sittes.
You replicate the witness disk in real-time synchrono

ous mode acro
oss all sites.
Beecause multi-ssite clusters can have WAN failures

f in addiition to node aand local netwwork failures, N Node
Majority
M and No ode and File Share Majority are better soluutions for multi-site clusters. If there is a W
WAN
fa
ailure that causses the primaryy and seconda
ary sites to losee communicattion, a majorityy must still be
avvailable to con
ntinue operatio ons.
o number of nodes, then use the Node Majority quorrum. If there is an even number of
If there are an odd
noodes, which is typical in a ge dispersed clus ter, you can use the Node M
eographically-d Majority with FFile
Shhare Majority quorum.
q
If you are using Node Majoritty and the sites lose commu nication, you n need a mechanism to determ mine
which
w nodes remmain in the cluuster, and whicch nodes leavee the cluster. TThe second site
e requires ano
other
voote to obtain quorum
q after a failure. To ob
btain another vvote for quoru um, you must jjoin another n
node to
th
he cluster, or create a file sha
are witness.
Th
he Node and File F Share Majo ority mode can n help maintaiin quorum witthout adding aanother node tto the
cluster. To provvide for a singlee-site failure and enable auttomatic failoveer, the file sharre witness mig ght have
to ulti-site clusterr, a single serveer can host thee file share wittness. However, you
o exist at a thirrd site. In a mu
must
m create a se eparate file shaare for each clluster.
Yoou must use th

hree locations to enable autoomatic failoveer of a highly aavailable servicce or applicatio
on.
Lo
ocate one nodde in the primaary location tha
at runs the hig
ghly available sservice or appplication. Locatte a
se
econd node in a disaster-reccovery site, and
d locate the th
hird node for t he file share w
witness in a diffferent
lo
ocation.
Th
here must be direct
d network
k connectivity between all th
hree locations. In this manne
er, if one site b
becomes
un
navailable, the
e two remainin
ng sites can still communicatte and have en
nough nodes ffor a quorum.
Note: In Windows
W Serve
er 2008 R2, ad
dministrators ccould configuree the quorum to include
noodes. However, if the quorum configuratio on included no odes, all nodess were treated equally
acccording to their votes. In Windows
W Serverr 2012, you ca n adjust clusteer quorum setttings so that
when
w the cluste
er determines whether
w it has quorum, som me nodes have a vote and some do not.
Thhis adjustmentt can be useful when you immplement soluttions across multiple sites.
Pro
ocess for Configurin
C ng a Multi--Site Failovver Clusterr
Connfiguration of multi-site
m clustter is somewha at
diffe
erent from con nfiguring a single-site cluster.
Mullti-site clusterss are more commplex to config gure
and maintain, and d require moree administrativve
effo
ort to support. High-level ste eps to configurre a
mullti-site cluster are
a as follows:
1. Ensure that you have enoug gh cluster noddes on
each site. In addition,
a ensurre that cluster
nodes have similar hardwarre configuratio ons,
and have the same version of operating
system and se ervice pack.
2. Ensure that networking bettween sites is

operational, and
a that netwo ork latency is acceptable
a forr configuring t he cluster. (Yo
ou can validate
e this
by using Valid ation Wizard in Failover Clusster Manager.))
date Configura
3. Ensure that you have deplo oyed reliable sttorage replicattion mechanism between sittes. Also, choo
ose the
type of replication for use.
4. Ensure that key infrastructu

ure services succh as AD DS, D
DNS, and DHC
CP, are present on each site.
5. Run the Valid

date a Configuration Wizard on all of the ccluster nodes tto determine iff your configu
uration
is acceptable for creating a cluster.
6. Determine the role that you

u will configurre in a cluster.
7. Determine the cluster quorrum mode thatt you will use.

8. Create a clusttered role.
9. Configure failover/failback settings.
10. Validate failover and failbacck.

Youu should be awware that multi-site clusters require
r more aadministrative effort during ffailover and
failb
back. While sin
ngle-site cluste back is mostly automatic, witth multi-site clusters this is n
er failover/failb not
the case.
Challenges fo
or Implem
menting a Multi-Site
M Cluster
Impplementing mu ulti-site clusterrs is more complex
thann implementin ng single-site clusters,
c and ca
an
also
o present severral challenges to the
admministrator. Sto
orage and netw work issues aree the
mosst challenging aspects of imp plementing multi-
site clusters.
In a multi-site cluster, there is no shared stora age

thatt the cluster no
ode uses. This means that evvery
nodde on each site e must have itss own storage
instance. On the other
o hand, faiilover clusterin
ng
doees not include any
a built-in functionality to
repllicate data bettween sites. Thhere are three
options for replicating data: block level hardware-based replication, software-based file replication
installed on the host, or application-based replication.
Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does not
acknowledge data changes that are made in, for example, Site A until the data successfully writes to Site B.
With asynchronous replication, data changes that are made in Site A are eventually written to Site B.
When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not
find any shared storage, and will therefore not run. However, you can still create a failover cluster. If you
follow the hardware manufacturers recommendations for Windows Server failover clustering hardware,
Microsoft will support the solution.
Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered
application or service to change its IP address based on that IP subnet. DNS updates the clustered
applications DNS record so that clients can locate the IP address change. Because clients rely on DNS to
find a service or application after a failover, you might have to adjust the DNS records Time to Live
setting, and the speed at which DNS data replicates. Additionally, when cluster nodes are in multiple sites,
network latency might require you to modify the inter-node communication (heartbeat) delay and time-
out thresholds.
Lab: Implementing Failover Clustering

Scenario
As A. Datum Corporations business grows, it is becoming increasingly important that many of the
applications and services on the network be available at all times. A. Datum has many services and
applications that need to be available to their internal and external users who are working in different
time zones around the world. Because many of these applications cannot be made highly available by
using Network Load Balancing, you will need to use a different technology.
As one of the senior network administrators at A. Datum Corporation, you are responsible for
implementing failover clustering on the Windows Server 2012 servers, to provide high availability for
network services and applications. You will be responsible for planning the Failover Cluster configuration,
and deploying applications and services on the Failover Cluster.
Objectives
Configure a failover cluster with CSV storage.
Deploy and configure a highly available file server on the failover cluster.
Validate the high availability of the failover cluster and storage.
Configure Cluster-Aware Updating on the failover cluster.
Lab Setup
20412-LON-DC1
20412-LON-SVR1
20412-LON-SVR3
20412-LON-SVR4
MSL-TMG1
Username: Adatum\Administrator
Password: Pa$$w0rd
User name: Adatum\Administrator
Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1, 20412A-LON-SVR3 and 20412A-LON-SVR4.
6. For MSL-TMG1, just repeat step 2.

Exercise 1: Configuring a Failover Cluster

Scenario
A. Datum Corporation has some critical applications and services that they want to make highly available.
Some of these services cannot use Network Load Balancing. Therefore, you have decided to implement
failover clustering with the use of iSCSI storage, which is already in place. To start this process, you need
to implement the core components for failover clustering, validate the cluster, and then create the failover
cluster.
1. Connect cluster nodes to the iSCSI targets.
2. Install the failover clustering feature.
3. Validate the servers for failover clustering.
4. Create the failover cluster.
5. Configure Cluster Shared Volumes.
Task 1: Connect cluster nodes to the iSCSI targets

1. On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with IP address 172.16.0.21.
2. Connect to the discovered target in the Targets list.
3. Repeat steps 1 and 2 on LON-SVR4.
4. Open Disk Management on LON-SVR3.
5. Bring online and initialize the three new disks.
6. Make a simple volume on each disk and format it with NTFS.
7. On LON-SVR4, open Disk Management, refresh the console and bring online the three new disks.
Task 2: Install the failover clustering feature

1. On LON-SVR3, install the failover clustering feature by using Server Manager.
2. On LON-SVR4, install the failover clustering feature by using Server Manager.
Task 3: Validate the servers for failover clustering

1. On LON-SVR3, open the Failover Cluster Manager console.
2. Start the Validate a Configuration Wizard.
3. Use LON-SVR3 and LON-SVR4 as nodes for test.
4. Review the report and then close the report.
5. On the Summary page, remove the check mark next to Create the cluster now using the validated
nodes, click Finish.
Task 4: Create the failover cluster

1. On LON-SVR3, in the Failover Cluster Manager, start the Create Cluster Wizard.
2. Use LON-SVR3 and LON-SVR4 as cluster nodes.
3. Specify Cluster1 as the Access Point name.

4. Specify the IP address as 172.16.0.125.
Task 5: Configure Cluster Shared Volumes

1. In the Failover Cluster Manager console on LON-SVR3, navigate to Storage->Disks.
2. Locate a disk that is assigned to Available Storage. (If possible use Cluster Disk 2).
3. Add this to Cluster Shared Volumes.
Results: After this exercise, you will have installed and configured the failover clustering feature.
Exercise 2: Deploying and Configuring a Highly Available File Server

Scenario
In A. Datum Corporation, File Services is one of the important services that must be highly available,
because it hosts very important data that is being used all the time. After you have created a cluster
infrastructure, you decide to configure a highly available file server and implement settings for failover
and failback.
1. Add the File Server application to the failover cluster.
2. Add a shared folder to a highly available file server.

3. Configure failover and failback settings.
4. Validate cluster quorum settings.
Task 1: Add the File Server application to the failover cluster

1. Add the File Server role service to LON-SVR3 and LON-SVR4.
2. On LON-SVR3, open the Failover Cluster Manager console.
3. Add File Server as a cluster role.
4. Choose to implement Scale-Out File Server for application data.

5. Specify AdatumFS as Client Access Name.
Task 2: Add a shared folder to a highly available file server

1. On LON-SVR3, in the Failover Cluster Manager, start a New Share Wizard to add a new shared folder
to the AdatumFS cluster role.
2. Specify the profile for the share as SMB Share Quick.
3. Name the shared folder as Data.
4. Enable continuous availability.
Task 3: Configure failover and failback settings

1. On LON-SVR3, in the Failover Cluster Manager, open the Properties for the AdatumFS cluster role.
2. Enable failback between 4 and 5 hours.
3. Select both LON-SVR3 and LON-SVR4 as the preferred owners.

4. Move LON-SVR4 to be first in the Preferred Owners list.
Task 4: Validate cluster quorum settings

In the Failover Cluster Manager console, review settings for Quorum Configuration. It should be set
to Node and Disk Majority.
Results: After this exercise, you will have deployed and configured a highly available file server.
Exercise 3: Validating the Deployment of the Highly Available File Server

Scenario
In the process of implementing a failover cluster, you want to ensure that cluster s performing correctly,
by performing failover and failback tests.
1. Validate the highly available file server deployment.
2. Validate the failover and quorum configuration for the file server role.
Task 1: Validate the highly available file server deployment

1. On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure
that you can access the Data folder.
2. Create a test text document inside this folder.

3. On LON-SVR3, in the Failover Cluster Manager, move AdatumFS to the second node.
4. On LON-DC1, in Windows Explorer, verify that you can still access \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the file server role
1. On LON-SVR3, determine the current owner for the AdatumFS role.
2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to another node, and that the \\AdatumFS\ location is still
available from the LON-DC1 computer.
4. Start the Cluster service on the node in which you stopped it in step 2.
5. From the Disks node, take the disk witness offline.
6. Verify that the \\AdatumFS\ location is still available from LON-DC1.
7. Bring the disk witness back online.
Results: After this exercise, you will have tested the failover and failback scenarios.
Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster

Scenario
Earlier, implementing updates to servers with critical service was causing unwanted downtime. To enable
seamless and zero-downtime cluster updating, you want to implement the Cluster-Aware Updating
feature and test updates for cluster nodes.

1. Configure Cluster-Aware Updating.
2. Update the failover cluster and configure self-updating.
Task 1: Configure Cluster-Aware Updating

1. On LON-DC1, install the Failover Clustering feature.
2. From Server Manager, open Cluster-Aware Updating.
3. Connect to Cluster1.
4. Preview the updates available for nodes in Cluster1.
Task 2: Update the failover cluster and configure self-updating

1. On LON-DC1, start the update process for Cluster1.
2. After the process is complete, log on to LON-SVR3 with the username as Adatum\Administrator
and password as Pa$$w0rd.
3. On LON-SVR3, open Cluster-Aware Updating and configure self-updating for Cluster1, to be

performed weekly, on Sundays at 4:00A.M.
Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.


4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR3, 20412A-LON-SVR4 and
MSL-TMG1.
Lab Review
Question: What information will you have to collect as you plan a failover cluster
implementation and choose a quorum mode?
Question: After running the Validate a Configuration Wizard, how can you resolve the
network communication single point of failure?
Question: In which situations might it be important to enable failback of a clustered

application only during a specific time?

Question: Why is using a No Majority: Disk-Only quorum configuration generally not a good
idea?
Question: What is the purpose of CAU?
Question: What is the main difference between synchronous and asynchronous replication in a
multi-site cluster scenario?
Question: What is the multi-site clusters enhanced feature in Windows Server 2012?

Question: Your organization is considering the use of a geographically dispersed cluster that includes an
alternative data center. Your organization has only a single physical location together with an alternative
data center. Can you provide an automatic failover in this configuration?
Tools
The tools for implementing failover clustering include:
Failover Cluster Manager console
Cluster-Aware Updating console
Windows PowerShell
Server Manager
iSCSI initiator
Disk Management
6-1
Module 6
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview 6-1
Lesson 1: Overview of Integrating Hyper-V with Failover Clustering 6-2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 6-7
Lesson 3: Implementing Hyper-V Virtual Machine Movement 6-15
Lesson 4: Managing Hyper-V Virtual Environments by Using VMM 6-21
Lab: Implementing Failover Clustering with Hyper-V 6-31
Module Overview
One benefit of implementing server virtualization is that it allows you to provide high availability, both for
applications or services that have built-in high availability functionality, and for applications or services
that do not provide high availability in any other way. With the Windows Server 2012 Hyper-V
technology, failover clustering, and Microsoft System Center 2012 - Virtual Machine Manager (VMM),
you can configure high availability by using several different options.
In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve
high availability for a virtual environment. You will also learn about basic virtual machine features.
Objectives
Describe how Hyper-V integrates with failover clustering.
Implement Hyper-V virtual machines on failover clusters.
Implement Hyper-V virtual machine movement.
Manage a Hyper-V virtual environment by using VMM.

6-2 Implementing Failover Clusterinng with Hyper-V
Lesson 1
Overviiew of Integratting Hyper-V w
with Failover Clusterin
ng
Failo
over clusteringg is a Windowss Server 2012 feature
f that en
nables you to make applicattions or service
es
highhly available. To
T make virtua ghly available in a Hyper-V eenvironment, yyou must
al machines hig
imp
plement failove er clustering on Hyper-V hosst machines.
Thiss lesson summarizes the high h availability options

o for Hyp
per-Vbased vvirtual machinees, and then fo
ocuses
on how
h failover cllustering work
ks, and how to design and im mplement failo
over clustering for Hyper-V.
Lessson Objectiives
Afte
ou will be able to:
Describe options for making virtual mach

hines highly avvailable.
Explain how failover

f clusterring works with
h Hyper-V nod
des.
Describe new
w failover cluste
ering features for Hyper-V in
n Windows Server 2012.
Describe bestt practices for implementing

g high availabillity in a virtuall environment..
Op
ptions for Making
M Viirtual Machines High
hly Availab
ble
Mosst organizationns have some applications th hat
are business critical and must be highly availaable.
To make
m an appliccation highly available,
a you must
dep
ploy it in an environment tha at provides
undancy for alll components that the
redu
plication requirres. For virtual machines to be
app b
high
hly available, you
y can choose e between sevveral
options:
Host clusterinng, in which yoou implement

virtualization hosts as a clusstered role
Guest clusteriing, in which you
y implementt
clustering inside virtual machines
Network Load
d Balancing (N
NLB) inside virttual machines
Host Clusterin
ng
Hosst clustering en
nables you to configure
c a faiilover cluster b
by using the Hyper-V host se ervers. When yyou
configure host cluustering for Hyyper-V, you co onfigure the virrtual machine as a highly avvailable resourcce.
Failo
over protection is implemen nted at the hosst server level. This means th hat the guest ooperating systeem
and applications that
t are runninng within the virtual
v machin e do not havee to be cluster--aware. Howevver,
the virtual machinne is still highlyy available. Some examples of non-clusterr-aware applications are prin nt
etary network-based applications such as aan accounting application. SShould the hosst
servver, or proprie
nodde that controls the virtual machine
m unexpectedly becom me unavailablee, the secondary host node
assuumes control and
a restarts the e virtual machine as quickly as possible.
You
u can also movve the virtual machine
m from one
o node in th he cluster to annother in a controlled mann
ner.
For example, you could move th he virtual machine from onee node to anotther while patcching the hostt
ope
erating system.. The applicatioons or servicess that are runn
ning in the virttual machine d
do not have to
o be
com
mpatible with failover
f clusterring, and they do not need t o be aware th at the virtual m machine is
clustered. Because the failover is at the virtual machine level, there are no dependencies on software that
is installed inside the virtual machine.
Guest Clustering
You configure guest failover clustering very similarly to physical server failover clustering, except that the
cluster nodes are multiple virtual machines. In this scenario, you create two or more virtual machines, and
enable failover clustering within the guest operating system. The application or service is then enabled for
high availability between the virtual machines by using failover clustering in each virtual machine. Because
you implement failover clustering within each virtual machine nodes guest operating system, you can
locate the virtual machines on a single host. This can be a quick and cost-effective configuration in a test
or staging environment.
For production environments, however, you can more robustly protect the application or service if you
deploy the virtual machines on separate failover clusteringenabled Hyper-V host computers. With
failover clustering implemented at both the host and virtual machine levels, you can restart the resource
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a Guest Cluster Across Hosts. It is considered an optimal high availability configuration for virtual machines
that are running critical applications in a production environment.
You should consider several factors when you implement guest clustering:
The application or service must be failover clusteraware. This includes any of the Windows Server
2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server
and Microsoft Exchange Server.
Hyper-V virtual machines can use Fibre Channelbased connections to shared storage (this is specific
only to Microsoft Hyper-V Server 2012), or you can implement internet small computer system
interface (iSCSI) connections from the virtual machines to the shared storage.
You should deploy multiple network adapters on the host computers and the virtual machines. Ideally,
when using an iSCSI connection you should dedicate a network connection to the iSCSI connection, to the
private network between the hosts, and to the network connection used by the client computers.
Network Load Balancing

NLB works with virtual machines in the same manner with which it works with physical hosts. It distributes
IP traffic to multiple instances of a TCP/IP service, such as a web server that is running on a host within the
NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to
access the cluster by using a virtual host name or a virtual IP addresses. From the client computers point
of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic
increases, you can add another server to the cluster.
Therefore, NLB is an appropriate solution for resources that do not have to accommodate exclusive read
or write requests. Examples of NLB-appropriate applications are web-based front ends to database
applications, or Exchange Server Client Access servers.
When you configure an NLB cluster, you must install and configure the application on all virtual machines.
After you configure the application, you install the NLB feature in Windows Server 2012 within each
virtual machines guest operating system (not on the Hyper-V hosts), and then configure an NLB cluster
for the application. Earlier versions of Windows Server also support NLB, which means that the guest
operating system is not limited to only Windows Server 2012. Similar to a Guest Cluster Across Host, the
NLB resource typically benefits from overall increased input/output (I/O) performance when the virtual
machine nodes are located on different Hyper-V hosts.
Note: As with earlier verssions of Windo

ows Server, you
u should not im
mplement NLBB and
failo
over clustering
g within the same guest operrating system because the twwo technologiies conflict
withh one another..
Ho
ow Does a Failover Cluster
C Wo
ork with Hyyper-V No
odes?
Whe en you implem ment failover clustering
c and
configure virtual machines
m as hiighly availablee
reso
ources, the failover cluster treats the virtua al
macchines like anyy other applica ation or servicee.
Nammely, if a host fails, failover clustering
c will act
a to
restore access to the
t virtual macchine as quick kly as
possible on anoth her host within n the cluster. Only
O
onee node at a tim
me runs the virttual machine.
Howwever, you can n also move the virtual mach hine
to any
a other node e within the same cluster.
The failover proceess transfers th
he responsibilitty of
provviding access to
t resources within
w a cluster from
onee node to another. Failover can
c occur when n an administrrator moves reesources to anoother node forr
maintenance or other
o reasons, or
o when unpla anned downtim me of one nod de occurs becaause of hardwaare
failu
ure or for othe
er reasons.
The failover proce

ess consists of the following steps:
1. The node where the virtual machine is running owns th he clustered innstance of the virtual machinne,
controls access to the shareed bus or iSCSI connection to o the cluster storage, and haas ownership o of any
disks, or logiccal unit numbe
ers (LUNs), assiigned to the vvirtual machinee. All the node
es in the cluste
er use
a private netw work to send regular
r signals,, known as heaartbeat signalss, to one anoth
her. The heartbbeat
signals that a node is functiioning and com mmunicating o on the networrk. The defaultt heartbeat
configurationn specifies thatt each node seend a heartbeaat over TCP/UD DP port 3343 e each second (o or
1,000 millisecconds).
2. Failover startss when the node hosting thee virtual mach ine does not ssend regular he eartbeat signaals
over the netwwork to the othher nodes. By default,
d this co
orresponds to five consecutively missed
heartbeats (or 5,000 milliseconds). Failove
er may occur b because of a n
node failure orr network failure.
3. When heartbeat signals sto op arriving from

m the failed no
ode, one of th e other nodess in the cluster
begins takingg over the reso
ources that thee virtual machi nes use. You d
define the nod de(s) that could
d take
over by configuring the Pre eferred and Possible
P Owneers properties.. The preferredd owner speciffies
the hierarchyy of ownership if there is morre than one po
ossible failoverr node for a re
esource.
By default, all nodes are poossible owners.. Therefore, rem moving a node as a possible e owner absolu utely
excludes it fro
om taking ove er the resource
e in a failure sittuation. For exxample, suppo ose that you
implement a failover cluste er by using threee nodes. How wever, only two o nodes are coonfigured as
preferred owners. During a failover eventt, the resourcee could still be taken over byy the third nod de if
neither of thee preferred owwners are online. Although th he third node is not configured as a preferrred
owner, as long as it is a posssible owner, the failover clu ster can use itt if necessary to
o restore access to
the resource.
Resources are e brought online in order of dependency. For example, iif the virtual m machine references
an iSCSI LUN,, access to the appropriate host
h bus adaptters (HBAs), neetwork(s), and LUNs will be sstored
in that order. Failover is commplete when all
a the resourcees are online o on the new no ode. For clientss
interacting with the resourcce, there is a sh
hort service in terruption, wh hich most userrs will not noticce.
4.. You can alsso configure thhe cluster serviice to fail backk to the offlinee node after it again becomees
active. Whe en the cluster service
s fails ba
ack, it uses the same procedu ures that it performs during
failover. This means that the cluster serrvice takes offl ine all the resoources associated with that
instance, moves
m the instance, and then brings all the resources in tthe instance baack online.
What
W Is Ne
ew in Failov
ver Clustering for Hyper-V in Windows Server 2012
In
n Windows Serrver 2012, failo
over clustering is
much
m d with respect to Hyper-V clu
improved usters.
So
ome of the moost important improvementss are:
Failover clu
ustering now suupports up to 4,000
virtual machines, and thee improved Failover
Cluster Man nager snap-in simplifies man
naging
many virtua al machines.
Administrattors can now perform

p multisselect
actions to queue
q grations of multiple
live mig
virtual machines, instead of one by one e as in
earlier versiions.
Administrattors can also configure

c the virtual
v machinee priority attrib
bute to contro ol the order in which
virtual machines are startted. Priority is also used to e nsure that lowwer-priority virrtual machines
automaticaally release reso
ources to high her priority virttual machines as needed.
The Clusterr Shared Volumme (CSV) featuure, which simp d operation of virtual
plifies the conffiguration and
machines, can
c help impro ove security an
nd performancce. It now supp ports scalable file-based servver
application storage, incre
eased backup and
a restore an nd single consiistent file namespace. In adddition,
you can now protect CSV V volumes by using
u Windowss BitLocker Drive Encryptiion, and by
configuring
g the CSV volumes to make storage
s visiblee to only a sub
bset of nodes.
Virtual macchine application monitoring g. You can now w monitor servvices that are rrunning on clu
ustered
virtual machines. In cluste
ers running Windows Serverr 2012, administrators can co onfigure monittoring
of services on clustered virtual
v machine
es that are also
o running Winndows Server 2 2012. This
functionalitty extends the high-level moonitoring of virrtual machiness that is implem
mented in Winndows
Server 20088 R2 failover cllusters.
You can no ow store virtual machines on server messag ge block (SMB n a file server cluster.
B) file shares in
w method for providing highly available vvirtual machinees. Instead of cconfiguring a ccluster
This is a new
between Hyyper-V nodes, you can now have Hyper-V V nodes out of cluster, but w with virtual macchine
files on a highly available
e file share. To make this worrk, you shouldd deploy a file server cluster in a
scale-out file server mode e. Scale-out file servers can aalso use CSV ffor storage.
Best Practice
es for Impllementing High Avaailability in
n a Virtual Environment
Afteer you determiine which applications you want
w
to deploy
d on high ailover clusters, you
hly available fa
can plan and deploy the failove er clustering
environment. Con nsider the follo
owing
recoommendationss when you im mplement the
failo
over cluster:
Use Windowss Server 2012 asa the Hyper-V V
host. Window ws Server 2012 provides
enhancementts such as Hyp per-V 3.0, imprroved
CSVs, virtual machine
m migra
ations, and oth
her
features that improve flexib
bility and
performance when you imp plement host
failover cluste
ering.
Plan for failovver scenarios. When

W you dessign the hardw ware requiremeents for the Hyyper-V hosts, m make
sure that you include the hardware capaccity that is req uired when ho osts fail. For exxample, if you
deploy a six-nnode cluster, you
y must deterrmine the num mber of host faailures that you want to
accommodate. If you decid de that the clusster must sustaain the failure of two nodes,, then the fourr
remaining no odes must have e the capacity to run all of th
he virtual macchines in the cluster.
Plan the netwwork design for failover clusttering. To optimmize the failovver cluster perrformance and
d
failover, you should
s dedicatte a fast netwoork connection n for internodee communicattion. As with eaarlier
versions, this network should be logicallyy and physicallyy separate from the networkk segment(s) u used
by clients to communicate
c with the clusteer. You can alsso use this netwwork connectiion to transferr
virtual machin ne memory duuring a live mig gration. If you
u are using iSC SI for any virtu
ual machines, aalso
dedicate a ne etwork connection to the iSCCSI network co onnection.
Plan the share ed storage forr failover cluste
ering. When yo ou implementt failover cluste ering for Hype
er-V,
the shared sto orage must bee highly availab ble. If the sharred storage fails, the virtual m
machines will aall
fail, even if th
he physical noddes are functio onal. To ensuree storage availlability, plan foor redundant
connections to t the shared storage
s and reedundant arrayy of independeent disks (RAID D) redundancyy on
the storage device.
d
Use the recommmended failo over cluster qu

uorum mode. IIf you deploy a cluster with an even numb ber of
nodes, and sh he Failover Cluster Manager automatically
hared storage is available to the cluster, th
selects the Noode and Disk Majority
M quoruum mode. If yo ou deploy a cluster with an o
odd number o of
nodes, the Faailover Cluster Manager auto omatically sele cts the Node MMajority quoruum mode. You u
should not modify
m the defaault configurattion unless you
u understand tthe implicationns of doing thiis.
Deploy standardized Hyperr-V hosts. To simplify the de ployment and

d managementt of the failove er
cluster and Hyper-V nodes,, develop a sta
andard server h
hardware and software platfform for all no
odes.
Develop standard managem ment practicess. When you deeploy multiplee virtual machiines in a failovver
cluster, you in
ncrease the risk that a single e mistake may shut down a large part of th he server
deployment. For example, if i an administrrator accidentaally configuress the failover ccluster incorrecctly,
and the clusteer fails, all virtu
ual machines in the cluster w will be offline. To avoid this, develop and
thoroughly te est standardize ed instructionss for all adminiistrative tasks.
Lesson
n2
Imple
ementin
ng Hype
er-V Virrtual Maachiness on Faillover
Cluste
ers
Im
mplementing highly
h available virtual machhines is somew what different ffrom implementing other ro oles in a
ailover cluster. Failover cluste
fa ering in Windoows Server 20112 provides maany features foor Hyper-V clu ustering,
in
n addition to toools for virtuall machine high
h availability m
management. In this lesson, yyou will learn h
how to
im
mplement high hly available virtual machines.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe co
omponents of a Hyper-V cluster.
Describe prrerequisites for implementing Hyper-V faillover clusters.
ering for Hyper-V virtual ma chines.

Implement failover cluste
Configure CSVs.
C
ble virtual machines on SMB 3.0 file sharess.

Implement highly availab
Describe co f implementing Hyper-V vvirtual machinees in a cluster.

onsiderations for
Componen
C nts of Hype
er-V Cluste
ers
Hyper-V as a roole has some sp pecific require ements
fo
or cluster compponents. To fo
orm a Hyper-V V
cluster, you must have at leasst two physical nodes.
Whereas
W other clustered roless (such as Dynamic
Host Configurattion Protocol (DHCP)
( file serrver)
allow for nodes to be virtual machines,
m Hypper-V
odes must be composed of physical hosts. You
no
ca
annot run Hyp per-V inside a virtual
v machine on a
Hyper-V host.
In
n addition to having
h y must also have
nodes, you
physical and virrtual networks.. Failover clusttering
re
equires a network for internaal cluster
co
ommunication n, and also a neetwork for clieents. You can aalso implement a storage network separate ely,
deepending on the
t type of stoorage that you are using. Agaain, specific to o the Hyper-V role, you shou uld also
onsider virtual networks for clustered virtu
co ual machines. I t is important that you creatte the same virtual
neetworks on all physical hostss that participaate in one clusster. Failure to do this will caause a virtual m
machine
to
o lose networkk connectivity when
w moved from
f one host to another.
Sttorage is an im
mportant comp ponent of virtuual machine cluustering. You ccan use any tyype of storage that is
su
upported by Windows
W Server 2012 failover clustering. Ass a best practicce, you should
d configure sto
orage as
a CSV. This is discussed furthe
er in a followin
ng topic within
n this module.
Virtual machine es are components of a Hype er-V cluster. In

n the Failover CCluster Manag ger, you can crreate
ne
ew highly available virtual machines,
m or yo
ou can make eexisting virtual machines high hly available. In both
ca al machine storage location must be on sh
ases, the virtua hared storage tthat all nodes can access. Ho owever,
yo
ou might not want
w to make all virtual macchines highly aavailable. In Failover Cluster Manager, you can
se
elect which virttual machines that you wantt to be part off a cluster conffiguration.
Pre
erequisitess for Imple
ementing Hyper-V C
Clusters
To deploy
d Hyper--V on a failover cluster, you must
m
ensuure that you meet
m the hardw
ware, software,,
acco
ount, and netw work infrastruccture requirem
ments
as detailed
d in the following secttions.
Hardware Req quirements for

f Failoverr
ustering with Hyper-V
Clu
You
u must have the following ha
ardware for a two-
t
nod
de failover clusster:
Server hardware. Hyper-V requires

r an x644-
based processor, hardware--assisted
virtualization,, and hardware
e-enforced Da ata
Execution Pre evention (DEP)). As a best pra
actice, the servvers should havve similar hard
dware. If you aare
using Window ws Server 20088, the processoors on the servvers must be thhe same versio on. If you are u
using
Windows Servver 2008 R2 or Windows Serrver 2012, the processors mu ust use the samme architecturre.
Note: Micro osoft supportss a failover clusster solution o

only if all the hardware featuures are
marrked as Certifiied for Windowws Server. Additionally, the complete con nfiguration (servers,
netwwork, and storrage) must passs all tests in th
he Validate Thiis Configuratio on wizard, which is
included in the Fa
ailover Cluster Manager snap p-in.
Network adap pters. As with the other features in the faillover cluster so
olution, the ne
etwork hardwaare
must be mark ked as Certifieed for Window ws Server. To pprovide netwo ork redundanccy, you can con
nnect
cluster nodess to multiple, distinct
d networrks, or you can
n connect the n nodes to one nnetwork that u
uses
teamed netw work adapters, redundant swiitches, redund ant routers, orr similar hardw ware to removee
single points of failure. As a best practice
e, you should cconfigure multtiple network aadapters on thhe
host compute er that you con nfigure as a clu
uster node. Yoou should conn nect one netwwork adapter to
o the
private netwoork that the intter-host comm munications usses.
Storage adap e a Serial Attacched SCSI (SASS) or Fibre Chaannel, the masss-storage device
pters. If you use
controllers in all clustered servers
s should be identical a nd should usee the same firmmware version.. If
you are usingg iSCSI, each clustered serverr should have o one or more n network adaptters that are
dedicated to the cluster sto orage. The netw work adapterss that you use to connect to the iSCSI storaage
target should a you should use a gigab it Ethernet or faster networkk adapter.
d be identical, and
Storage. You must use sharred storage tha at is compatib

ble with Windo ows Server 20112. If you deplo
oy a
failover cluste
er that uses a witness
w disk, th
he storage muust contain at l east two separate volumes ((or
LUNs). One volume functions as the witness disk, and aadditional volu umes contain tthe virtual macchine
files that are shared
s betwee en the cluster nodes.
n Storagee consideratio
ons and recommendations in nclude
the following:
o Use basicc disks, not dyn

namic disks. Fo
ormat the diskks with the NTFS file system.
o Use eithe
er master boott record (MBR)) or GUID part ition table (GP
PT).
o If you are
e using a stora
age area netwo ork (SAN), the miniport driveer that the storage uses musst
work withh the Microsofft Storport storage driver.
o Consider using multipath I/O softwware: If your SAAN uses a high hly available network design
n with
redunddant compone ents, you can deploy
d failoverr clusters with multiple host bus adapters b
by using
multipa
ath I/O softwa des the highestt level of redundancy and avvailability. For
are. This provid
Windows Server 2008 8 R2 and Wind dows Server 20012, your multtipath solution n must be baseed on
Multipath I/O (MPIOO).
Software Req
quirements for Using Hyper-V
H and
d Failover C
Clustering
Th
he following are the softwarre requirementts for using Hyyper-V and faillover clustering:
All the servvers in a failove based version of Windows Server 2012 Staandard
er cluster mustt run the x64-b
Edition or Windows
W Serve
er 2012 Datace enter Edition. TThe nodes in a single failove
er cluster cann
not run
different veersions.
All the servvers should havve the same so

oftware updatees and service packs.
All the servvers must be in

nstalled as a Fu
ull installationss or Server Corre installationss.
Network
N Infrrastructure Requirements
Th
he following network
n infrasttructure is requ
uired for a failo nd an administtrative account with
over cluster an
th
he following do
omain permisssions:
Network seettings and IP addresses.

a Use
e identical com
mmunication seettings on all n
network adaptters,
including th
he speed, duplex mode, floww control, and media type seettings. Ensure
e that all netwo
ork
hardware supports the saame settings.
If you use private

p networrks that are nott routed to yo
our whole netw
work infrastruccture for
communica ation between cluster nodes, ensure that eeach of these p
private networrks uses a uniq
que
subnet.
ervers in the cluster must use Domain Nam

DNS. The se me System (DN
NS) for name rresolution. You
u should
use the DNS dynamic upd date protocol..
Domain rolle. All servers in the cluster must
m be in the same Active DDirectory Dom main Services (AD DS)
domain. Ass a best practicce, all clustered
d servers shou ld have the same domain ro ole, either mem
mber
server or do
omain controller. The recom mmended role is member serrver. You should avoid installling
cluster nodes on domain controllers be ecause AD DS has its own hig gh availability mechanism.
Account for administering the cluster. When

W you firstt create a clustter or add servvers to a cluste
er, you
must be log
gged on to the e domain withh an administraators account on all the clussters servers.
Additionallyy, if the account is not a Dom
main Admins aaccount, the a ccount must h have the Creatte
Computer Objects perm mission in the domain.
d
Im
mplementting Failov
ver Clustering for Hyyper-V Virttual Machiines
To
o implement failover clustering for Hyper--V
virtual machines, you must co
omplete the fo
ollowing
hiigh-level stepss:
1.. Install and configure

c the required versions of
Windows Server 2012. Affter you compllete the
installation,, configure the
e network settings,
join the commputers to an Active Directo ory
domain, an nd configure th he connection to the
shared storrage.
6-10 Implementing Failover Clustering with Hyper-V
2. Configure the shared storage. You must use Disk Manager to create disk partitions on the shared
storage.
3. Install the Hyper-V and failover clustering features on the host servers. You can use Server Manager in
the Microsoft Management Console (MMC) or Windows PowerShell for this.
4. Validate the cluster configuration. The Validate This Cluster wizard checks all the prerequisite
components that are required to create a cluster, and provides warnings or errors if any components
do not meet the cluster requirements. Before you continue, resolve any issues that the Validate This
Cluster wizard identifies.
5. Create the cluster. Once the components pass the Validate This Cluster wizard, you can create a
cluster. When you configure the cluster, assign a cluster name and an IP address. A computer account
for the cluster name is created in the Active Directory domain, and the IP address is registered in DNS.
Note: You can enable clustered shared storage for the cluster only after you configure the
cluster. If you want to use CSV, you should configure CSV before you proceed to the next step.
6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure
that all files that are associated with the virtual machineincluding both the virtual hard disk and
virtual machine configuration filesare stored on the shared storage. You can create and manage
virtual machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual
machine by using Failover Cluster Manager, the virtual machine is made highly available
automatically.
7. Make the virtual machine highly available. To make the virtual machine highly available, in the
Failover Cluster Manager, select the option to make a new service or application highly available. The
Failover Cluster Manager then displays a list of services and applications that you can make highly
available. When you select the option to make virtual machines highly available, you can select the
virtual machine that you created on shared storage.
Note: When you make a virtual machine highly available, a list displays of all virtual
machines that are hosted on all cluster nodesincluding virtual machines that are not stored on
the shared storage. If you make a virtual machine that is not located on shared storage highly
available, you receive a warning, but Hyper-V will add the virtual machine to the services and
applications list. However, when you try to migrate the virtual machine to a different host, the
migration will fail.
8. Test virtual machine failover. After you make the virtual machine highly available, you can migrate the
computer to another node in the cluster. If you are running Windows Server 2008 R2 or Windows
Server 2012, you can select to perform a quick migration or a live migration.
Configuring
C g CSVs
Yo
ou do not havve to configuree and use CSV when
ou implement high availability for virtual
yo
machines
m in Hyper-V. In fact, you can config
gure a
Hyper-V clusterr without usingg CSV. Howeve er as a
be
est practice, yo
ou use CSV duue to the follow
wing
ad
dvantages:
Reduced LU UNs for the dissks. You can usse CSV
to reduce the number of LUNs that you ur
virtual machines require. When you con nfigure
a CSV, you can store multiple virtual machines
on a single LUN, and multiple host com mputers
can access the same LUN N concurrently.
Better use of
o disk space. Instead of placcing each virtu
ual hard disk (..vhdx) file on a separate diskk with
empty spacce so that the .vhdx
. file can expand,
e you caan oversubscriibe disk space by storing mu ultiple
.vhdx files on
o the same LU UN.
Virtual macchine files storeed in a single logical locatio n. You can track the paths oof .vhdx files an
nd other
o using drive letters or GUIDs to identify disks, you can
files that virrtual machiness use. Instead of n specify
the path na ames. When yo ou implement CSV, all added d storage appeears in the \ClusterStorage ffolder.
The \Cluste erStorage folde er is created on the cluster nnodes system folder, and yo ou cannot movve it.
This means that all Hyperr-V hosts that are members of the cluster must use the ssame drive lettter as
their systemm drive, or virtual machine fa ailovers will fa il.
No specific hardware requirements. CSV

V implementaation does not have specific hardware
requiremennts. You can im
mplement CSV on any suppo
orted disk conffiguration, and
d on either the
e Fibre
Channel or iSCSI SANs.
Increased resiliency. CSV increases resiliency becausee the cluster caan respond corrrectly even if
connectivityy between one e node and the SAN is interrrupted, or partt of a networkk is down. The cluster
reroutes the traffic to the
e CSV through an intact partt of the SAN or network.
Im
mplementin
ng CSV
After you create
e the failover cluster,
c you can enable CSV for the clusterr, and then add
d storage to th
he CSV.
Beefore you can add storage to o the CSV, the

e LUN must bee available as s hared storagee for the cluster. When
yoou create a failover cluster, all
a the shared disks
d that are cconfigured in Server Manager are added tto the
cluster, and youu can then add d them to a CS SV. If you add m more LUNs to the shared stoorage, you mu ust first
crreate volumes on the LUN, add a the storage to the clusteer, and then ad dd the storage
e to the CSV.
As a best practice, you should

d configure CSV before you make any virtu ual machines h
highly availablle.
However, you can convert fro om regular disk V after deployyment. When implementing CSV,
k access to CSV
th
he following co
onsiderations apply:
a
The LUNs drive

d letter or mount point is removed wh hen you convert from regulaar disk access tto CSV.
This means that you must re-create all virtual machin nes that are sto
ored on the shhared storage. If you
must keep the same virtu ual machine se he virtual machines, switchin
ettings, consideer exporting th ng to
CSV, and th
hen importing the virtual ma achines in Hyp
per-V. Addition nally, consider using the storrage
migration option
o that is available
a in the
e Hyper-V rolee in Windows SServer 2012.
You cannott convert shareed storage to CSV.

C If you havve any single rrunning virtual machine thatt uses a
cluster disk
k, you must shu
ut down the viirtual machinee, and then add d the disk to C
CSV.
6-12 Implemennting Failover Clusterring with Hyper-V
Implementin
ng Highly Available
A Virtual
V Maachines on
n an SMB 3
3.0 File Shaare
In Windows
W Serve
er 2012, you caan use a new
techhnique to mak ke virtual machhines highly
avaiilable. Instead of using host or guest cluste ering,
you can now store e virtual machine files on a
highhly available SMB 3.0 file sha are. By using th his
appproach, high avvailability is achieved not by
clusstering Hyper-V V nodes, but by
b file servers that
t
hostt virtual machiine files on theeir file shares. With
W
this new capability, Hyper-V can n store all virtu
ual
macchine files, including configu uration, .vhdx files,
f
and snapshots, on n highly available SMB 3.0 fille
sharres.
Thiss technology re
equires the folllowing infrasttructure:
One or more computers that are running

g Windows Serrver 2012 with the Hyper-V rrole installed.
One or more computers that are running

g Windows Serrver 2012 with the File and SStorage Service
es role
installed.
Domain memmbers in the Acctive Directoryy infrastructuree. The servers rrunning AD DSS do not need to
run Windowss Server 2012.
Befoore you implem ment virtual machines
m on ann SMB 3.0 file sshare, configure a file serverr cluster. To do
o this,
you should have at a least two clu
uster nodes, booth with file seervices and fai lover clusterin
ng installed on
themm. In the Failover Clustering console, creatte a scale-out file server clusster. After you configure thee
clusster, deploy thee new SMB file
e share for app
plications. Thiss share stores vvirtual machine files. When tthe
sharre is created, you
y can use the Hyper-V Ma anager to depl oy new virtuall machines on the SMB 3.0 ffile
sharre, or you can migrate existing virtual macchines to the SSMB file share by using the sstorage migrattion
metthod.
De
emonstration: Implem
menting Virtual
V Macchines on Clusters (o
optional)
In th
s how to imp
plement virtuaal machines on
n a failover clu
uster.
Note: Before starting thiss demonstratioon, ensure thatt LON-HOST1 is the owner o
of the
ClussterVMs disk. If it is not, then usterVMs reso urce to LON-H
n move the Clu HOST1 before doing this
proccedure.
Dem
monstration
n Steps
Mo
ove virtual machine
m sto
orage to the
e iSCSI targe
et
On LON-HOS es\Microsoft Learning
ST1, open Windows Explorerr, browse to E:\\Program File
\20412\2041 12A-LON-COR RE\Virtual Ha
ard Disks, and then move 20 0412A-LON-C CORE.vhd to tthe
C:\ClusterSto
orage\Volume1 location.
Con
nfigure the machine ass highly ava
ailable
1. In Failover Cluster Managerr, click Roles, and
a then start the New Virtu
ual Machine W
Wizard.
2. In the New Virtual Machine

e Wizard, use the
t following ssettings:
o Cluster node: LON-HO

OST2.
o Compu
uter name: TesstClusterVM
o Store the file at C:\ClusterStorage

e\Volume1.
o or TestClusterV
RAM fo VM: 1536 MB
o Connecct machine to existing virtua

al hard disk driive 20412A-LO
ON-CORE.vhd located at
C:\ClussterStorage\V
Volume1.
3.. From the Roles
R node, sta
art the virtual machine.
m
Considerat
C ions for Im
mplementiing Hyper--V Clusters
Byy implementin ng host failover clustering, yo
ou can
make
m virtual ma
achines highly available. How wever,
im
mplementing host
h failover clustering also adds
a
significant cost and complexitty to a Hyper-V V
deeployment. Yo ou must invest in additional server
haardware to proovide redunda ancy, and you should
s
im
mplement or have access to a shared stora age
in
nfrastructure.
Consider the following recom mmendations to o

en ering strategy meets
nsure that the failover cluste
th
he organizations requiremen nts:
Identify the
e applications or
o services tha
at
require high availability. Unless
U you havve the option of making all vvirtual machin
nes highly available,
you must develop
d priorities for which applications
a yo
ou will make highly availablee.
Identify thee components that must be highly availab le to make thee applications highly availab ble. In
some casess, the applicatioon might run ono a single serrver, and makiing that serverr highly availab
ble is all
that you ha ave to do. Otheer applicationss may require that several seervers and com
mponents such h as
storage or the
t network, beb made highlyy available. In addition, ensu ure that the do
omain controlllers are
highly availlable, and thatt you have at least one domaain controller on separate hardware or
on infrastructure.
virtualizatio
e application characteristics. You must und

Identify the derstand severral aspects abo
out the applicaation.
o Is virtualizing the serrver that is running the appliication an optiion? Some app
plications are n
not
supporrted in or recommended for a virtual envirronment.
o What options
o are ava
ailable for mak
king the appliccation highly aavailable? You can make som me
applica
ations highly available through options oth her than host clustering. If o
other options aare
availab
ble, evaluate th
he benefits and
d disadvantagees of each opttion.
o What are
a the perform mance requirements for each h application?? Collect performance inform
mation
on the servers curren
ntly running th
he applicationss to gain an un
nderstanding o of the hardwarre
require
ements that are required when you virtual ize the server.
o What capacity
c uired to make the Hyper-V vvirtual machin
is requ nes highly available? As soonn as you
ou must make highly availab
identifyy all the appliccations that yo ble by using ho
ost clustering, yyou can
o design the acctual Hyper-V deployment. B
start to By identifying the performan nce requireme ents and
networrk and storage e requirementss for applicatioons, you can deefine the hardware that you have to
implem ment for all the e applications in a highly avaailable environ
nment.
Live migration is one of the most important aspects of Hyper-V clustering. You use the Live Migration
feature in Windows Server 2012 to perform live migrations of virtual machines. When implementing live
migration, consider the following:
Verify basic requirements. Live migration requires that all hosts be part of a Windows Server 2012
failover cluster, and that the host processors have the same architecture. All hosts in the cluster must
have access to shared storage, which meets the requirements for CSV.
Configure a dedicated network adapter for the private virtual network. When you implement failover
clustering, you should configure a private network for the cluster heartbeat traffic. You use this
network to transfer the virtual machine memory during a failover. To optimize this configuration,
configure for this network a network adapter that has a capacity of one gigabit per second (Gbps) or
higher.
Note: You must enable the Client for Microsoft Networks component, and the File and
Printer Sharing for Microsoft Networks component, for the network adapter that you want to use
for the private network.
Use similar host hardware. As a best practice, all failover cluster nodes should use the same hardware
for connecting to shared storage, and all cluster nodes must have processors that have the same
architecture. Whereas you can enable failover for virtual machines on a host with different processor
versions by configuring processor compatibility settings, the failover experience and performance is
more consistent if all servers have similar hardware.
Verify network configuration. All nodes in the failover cluster must connect through the same IP
subnet so that the virtual machine can continue communicating through the same IP address after
live migration. In addition, the IP addresses that are assigned to the private network on all nodes
must be on the same logical subnet. This means that multisite clusters must use a stretched virtual
local area network (VLAN), which is a subnet that spans a wide area network (WAN) connection.
Manage live migrations. In Windows Server 2008 R2, each node in the failover cluster can perform
only one live migration at a time. If you try to start a second live migration before the first migration
finishes, the migration fails. In Windows Server 2012, you can now run multiple live migrations
simultaneously.
Lesson
n3
Imple
ementin
ng Hype
er-V Virrtual Maachine Movem
ment
Moving
M virtual machines from
m one location to another is a common prrocedure in Hyyper-V environ nments.
While
W moving virtual
v machinees in previous Windows Servver versions req
quired downtiime, Windows Server
20012 introducess new technolo movement. In this lesson, yo
ogies to enable seamless virrtual machine m ou will
le
earn about virtual machine movement
m andd migration op
ptions.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe migration
m optio
ons for virtual machines.
m
Describe storage migratio

on.
Describe livve migration.
Explain how
w Hyper-V rep
plicas work.
Configure a Hyper-V replica.
Virtual
V Macchine Migration Opttions
Thhere are severaal scenarios in which you woould
want
w to migratee virtual machines from one
lo
ocation to anotther. For exam mple, you migh
ht want
to
o move a virtua al machine virtual hard disk from
onne physical driive to another on the same host.
h
Alternatively, yo
ou may need to t move a virtuual
machine
m from one
o node in a cluster
c to anotther, or
simply move a computer
c from
m one host serrver to
an
nother host se erver without the hosts beingg
members
m of a cluster.
c Compared with Wind dows
erver 2008 R2, Windows Servver 2012 provides
Se
significant enhaancements for this process inn
ad
ddition to simp plified procedures.
In
n Windows Serrver 2012, you can perform migration
m of v irtual machinees by using the
e following me
ethods:
age migration. With this meethod, you movve a powered--on virtual machine
Virtual macchine and stora
from one lo other (or from one host to an
ocation to ano nother) by usin ng a wizard in Hyper-V Man nager.
age migration do not requirre failover clus tering or any o
Virtual macchine and stora other high avaailability
technologyy. Additionally, you do not ne
eed shared sto
orage when yo ou move just the virtual macchine.
Quick Migrration. This me ethod is also avvailable in Win ndows Server 2

2008. It require es you have faailover
clustering e installed and configured. The
T quick migrration process saves the state e of the virtual
machine be efore the failovver, and then restarts
r the virrtual machine after failover ccompletes.
Live Migrattion. This featu

ure is an impro
ovement over Q Quick Migratio on, and is also available in W
Windows
Server 2008 8 R2. The Live Migration featture enables yyou to migratee a virtual machine from one e host to
another witthout downtim me. Unlike the quick migratio on process, Livve Migration ddoes not save tthe state
of virtual machine;
m instea
ad, it synchronizes the state d
during failoverr.
Hyper-V Re eplica. This new
w feature in Windows
W Serverr 2012 enabless you to replicate rather than move
a virtual ma es from the primary
achine to anotther host, and to synchronizee all virtual maachine change
host to the host that conttains the replicca.
Exporting and d importing virtual machine. This is an estaablished meth hod of moving virtual machines
without usingg a cluster. Youu export a virtu
ual machine o n one host, an nd then physiccally move exp
ported
files to another host by perrforming an im mport operatioon. This is a tim
me-consuming operation thaat
requires you tot turn off thee virtual machines during exp port and impo ort. In Window
ws Server 2012,, this
migration me ethod is improved. You can import
i a virtuaal machine to a Hyper-V hosst without
exporting it before
b import. The Hyper-V role in Window ws Server 2012 2 is now capab
ble of configurring
all the necesssary settings duuring the impoort operation.
Ho
ow Does Virtual Macchine and Storage
S M
Migration W
Work?
There are many ca ases in which an
a administrattor
migght want to mo ove virtual macchine files to
anoother location. For example, if i the disk on which
w
a virtual machine hard disk resid des runs out of
o
spacce, you must move
m the virtual machine to
anoother drive or volume.
v Movinng virtual mach hines
to other
o hosts is a common pro ocedure.
In Windows
W Serve
er 2008 and Windows
W Serverr
2008 R2, moving a virtual mach hine resulted inn
dowwntime becausse the virtual machine
m had too be
turn
ned off. If you moved a virtual machine
betwween two hostts, then you also had to perfform
export and imporrt operations fo or that specificc virtual machiine. Export operations can b
be time-consum
ming,
deppending on the e size of the virtual hard diskks.
In Windows
W er 2012, virtuall machine and storage migraation enables yyou to move a virtual machiine
Serve
and its storage to another locattion on the sam
me host, or to another host computer, without having too turn
off the
t virtual macchine.
Virtual machine and storage migration works as follows:
1. To copy a virttual hard disk, start live stora

age migration by using the Hyper-V conso
ole. Optionallyy, you
can use Winddows PowerShe ell cmdlets.
2. n process creates a new virtu
The migration ual hard disk in nd starts the copy
n the destinatiion location an
process.
3. During the co
opy process, th
he virtual mach
hine is fully fun
nctional. Howeever, all chang
ges that occur
during the co
opy process are
e written to bo
oth the sourcee and destination locations. RRead operations are
performed onnly from the so
ource location.
4. As soon as the disk copy prrocess complettes, Hyper-V sw witches virtual machines to run on the
destination viirtual hard disk
k. In addition, if you are movving the virtuaal machine to aanother host, tthe
computer con nfiguration is copied
c and thee virtual mach
hine is associated with the hoost. If a failure
occurs on thee destination side, there is always a failbac k option to ru n back again oon the source
directory.
5. After the virtu

ual machine co
ompletes migrration, the pro
ocess deletes th
he source virtu
ual hard disks.
The time that is reequired to move a virtual ma achine depend ds on the sourrce and destinaation locationss, the
speeed of the hardd disks, storage a the size o f the virtual haard disks. The move process is
e, or network, and
faster if the source a on storagee, and the storrage supports .odx files . Insttead
e and destinattion locations are
of using
u buffered read and bufffered write opeerations, .the o
odx file starts tthe copy operation with an
offlo
oad read comm mand and retrrieves a token representing tthe data from the storage device. It then u uses
an
n offload write
e command wiith the token to
t request dataa movement from the sourcce disk to the
de
estination disk
k.
When
W you move a virtual macchines virtual hard disks to aanother location, the Virtual Machine Movve
wizard
w presentss three available options:
Move all th he virtual machines data tot a single loccation. Specifyy a single desttination locatio
on, such
as disk file, configuration, snapshot, and smart pagin g.
Move the virtual

v machines data to a different loccation. Specifyy individual lo
ocations for eacch
virtual machine item.
y the virtual machines
Move only m virttual hard disk
k. Move only th
he virtual hard
d disk file.
How
H Does Live Migra
ation Work?
Live migration enables
e you to
o move running
virtual machines from one failover cluster node
n to
an
nother node inn the same cluster. With live
migration,
m userss who are conn
nected to the virtual
machine
m d experience almost no serve
should er
ou
utage.
Note: Wh hereas you cann also performm live

migration
m of virrtual machiness by using the virtual
v
machine
m and storage migratio on method de escribed
in
n the previous topic, you sho ould be aware that
livve migration iss based on failover clustering
g.
Unlike the stora age migration scenario, you can only perfo
orm live migraation if the virttual machines
arre highly availaable.
Yo
ou can initiate
e live migration
n through one
e of the followiing methods:
The Failove
er Cluster Manager console.
The Virtual Machine Man MM to manage your physicaal hosts.

nager Administtrator Consolee, if you use VM
A Windowss Managementt Instrumentattion (WMI) or W

Windows Pow
werShell script.
Note: Livve migration en

nables you to significantly reeduce the percceived outage of a virtual
machine
m during g a planned faiilover. During a planned failoover, you startt the failover m
manually. Live
migration
m does not apply durring an unplan nned failover, ssuch as when tthe node hostiing the
virtual machine fails.
Liive Migratio
on Process
Th
he live migration process consists of four steps
s that occu
ur in the backg
ground:
1.. Migration setup.

s When you start the failover of the vvirtual machinee, the source nnode creates a
Transmissioon Control Prootocol (TCP) co
onnection with h the target ph hysical host. Th
his connection is used
to transfer the virtual machine configurration data to the target phyysical host. Livve migration crreates a
temporary virtual machin ne on the targeet physical hosst, and allocatees memory to the destinatioon
virtual machine. The migration prepara ation also veriffies that the virrtual machine can be migratted.
2. Guest memorry transfer. The e guest memo ory is transferreed iteratively tto the target host while the vvirtual
machine is stiill running on the source host. Hyper-V on n the source physical host m monitors the paages
in the working set. As the syystem modifiees memory pag ges, it tracks a nd marks themm as being
modified. During this phase e of the migrattion, the migraating virtual m machine contin nues to run. Hyyper-
V iterates the
e memory copyy process several times, and each time a sm maller number of modified pages
are copied too the destinatio
on physical computer. A finaal memory cop py process cop pies the remain
ning
modified mem mory pages to o the destinatio
on physical hoost. Copying stops as soon ass the number o of
pages that haave been modified in physica al memory butt not yet rewriitten to disk often called ddirty
pagesdropss below a threshold, or afterr 10 iterations are complete.
3. State transferr. To actually migrate

m the virttual machine tto the target h
host, Hyper-V sstops the sourrce
partition, tran
nsfers the state
e of the virtual machine (inclluding the remmaining dirty m
memory pagess) to
the target host, and then re estores the virttual machine o
on the target hhost. The virtual machine paauses
during the finnal state transffer.
4. e cleanup stage finishes the migration by d

Clean up. The dismantling th
he virtual mach
hine on the source
host, terminating the worke
er threads, and
d signaling thee completion o
of the migratio
on.
Ho
ow Does Hyper-V Re
eplica Worrk?
In so
ome cases, you might want to have a sparre
copy of one virtuaal machine tha at you can run if
the original virtua
al machine failss. However, wh hen
you implement hiigh availabilityy, you have only
onee instance of a virtual machin ne. High availa
ability
doees not prevent corruption of software that is
runn e virtual machine. One way to
ning inside the t
adddress the issue of corruption is to copy the
virtu
ual machine. You
Y can also ba ack up the virttual
macchine and its sttorage. Althou ugh this solutio
on
achieves the desirred result, it is resource-intennsive
and time-consum ming.
To resolve
r oblem and to enable administrators to havve an up-to-date copy of a single virtual
this pro
macchine, Microso oft has implemented Hyper-V V Replica, a feaature in Windo ows Server 2012. This featurre
enables virtual ma achines that arre running at a primary site location or hoost to be repliccated to a seco
ondary
site location or ho ost across a WAAN or LAN link. Hyper-V rep plica enables yyou to have tw
wo instances off a
singgle virtual machine residing ono different hoosts: one as th
he primary (livee) copy, and thhe other as a replica
(offline) copy. The ese copies are synchronized, and you can p perform failovver at any time e. In the event of a
failu
ure at a primarry site, you can
n use Hyper-V Replica to exeecute a failoveer of the produ uction workloaads to
repllica servers at a secondary loocation within minutes, thus incurring min nimal downtim me.
The site configuraations do not have

h to use the
e same server or storage harrdware. Hyperr-V Replica enaables
an administrator
a to
t restore virtu
ualized worklooads to a pointt in time depen
nding on the R
Recovery Histoory
sele
ections for the virtual machin
ne.
Hyp
per-V Replica technology
t consists of severa
al componentss:
Replication engine: The rep plication enginne manages thee replication cconfiguration d details and
manages initiial replication, delta replicatiion, failover, a nd test-failoveer operations. It also tracks vvirtual
machine and storage mobility events, and d takes approp priate actions as needed. Th hat is, it pausess
replication evvents until mig
gration events complete, and d then resumees where they left off.
Change track king: This comp

ponent tracks changes that o occur on the p
primary copy oof the virtual
machine. It is designed to track
t the chang
ges regardlesss of where the virtual machin
ne .vhdx files rreside.
Network module: The network module e provides a seecure and efficient way to traansfer virtual m
machine
replicas bettween primaryy hosts and repplica hosts. It u
uses data comp pression, which is enabled bby
default. The
e transfer operration is secure
e because it reelies on HTTPSS and certificattion-based
authenticattion.
Hyper-V Re eplica Broker server role: This is a new servver role that is implemented in Windows SServer
y configure it during failovver clustering.. This server ro
2012, and you ole enables you u to have Hype er-V
Replica functionality evenn when the virtual machine b being replicateed is highly avvailable and caan move
from one cluster node to another. The Hyper-V Repliica Broker servver redirects all virtual mach hine
specific eve
ents to the apppropriate nodee in the replicaa cluster. The BBroker queries the cluster daatabase
to determinne which node e should handlle which eventts. This ensuress that all eventts are redirecte ed to
the correct node in the cluster in the evvent that a qu ick migration, live migration n, or storage
migration process
p was exxecuted.
Configuring
C g Hyper-V
V Replica
Be
efore you implement Hyper-V Replica, enssure
th
hat your infrasttructure meetss the following
g
prerequisites:
The server hardware supp ports the Hype er-V
role on Winndows Server 2012.
2 Also, enssure
that the serrver hardware has sufficient
capacity to run all of the virtual machinnes to
which you replicate it.
Sufficient sttorage exists on

o both the primary
and replica servers to hosst the files thatt
replicated virtual
v machines use.
Network co
onnectivity exissts between th
he locations th
hat are hosting
g the primary aand replica serrvers.
Connectivitty can be throu
ugh a WAN orr LAN link.
Firewall rule
es are configured correctly to
t enable repliication betweeen the primaryy and replica siites. By
default, trafffic uses TCP port
p 80 or portt 443.
If you wantt to use certificcate-based autthentication, eensure that an X.509v3 certifficate exists to support
mutual authentication wiith certificates..
Yoou do not havve to install Hyper-V Replica separately. Hyyper-V Replica is implemented as part of tthe
Hyper-V server role. You can use it on Hype hat are standal one or serverss that are part of a
er-V servers th
fa
ailover cluster (in which case, you should configure the H Hyper-V Replicca Broker serve er role). Unlike
e
fa
ailover clusterinng, a Hyper-V role is not dependent on AD D DS. You cann use it with Hyyper-V servers that
arre standalone, or that are me Directory domaains (except in case when servers
embers of diffferent Active D
arre part of a failover cluster).
To
o enable Hype er-V Replica, first configure the
t Hyper-V seerver settings. In the Replica ation Configu uration
group of option ns, enable the Hyper-V serve er as a replica sserver, and sellect the authen
ntication and pport
op
ptions. You should also conffigure authorizzation options . You can choo ose to enable replication fro
om any
se
erver that succcessfully authenticates, whichh is convenientt in scenarios w ers are part of same
where all serve
do
omain. Alterna atively, you can type fully quualified domain n names (FQD DNs) of servers that you acce ept as
eplica servers. In addition, yo
re ou must config gure the locatio on for replica files. You shou
uld configure tthese
se
ettings on each h server that will
w serve as a replica
r server.
After you config
gure options at
a the server level, enable rep
plication on a virtual machin
ne. During thiss
co y must specify the replica server name aand options fo
onfiguration, you or the connectiion. If the virtu
ual
machine has more than one virtual hard disk, you can select which virtual hard disk drives that you want
to replicate. You can also configure the recovery history and the initial replication method. Start the
replication process after you configure these options.
Demonstration: Implementing Hyper-V Replica (optional)

In this demonstration, you will see learn how to implement Hyper-V Replica.
Demonstration Steps
Configure a replica
1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server.
o Authentication: Kerberos (HTTP)
o Allow replication from any authenticated server

o Create and use folder E:\VMReplica as a default location to store replica files.
2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.
Configure replication
1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine.
o Select to have only the latest recovery point available.
o Start replication immediately.
2. Wait for initial replication to finish and ensure that the 20412A-LON-CORE virtual machine appears in
Hyper-V Manager on LON-HOST2.
Lesson
n4
Mana
aging Hyper-V Virtual Environmentss by Using VMM
VMM is membe er of the System
m Center 20122 family of pro
oducts. It is a s uccessor of Syystem Center VVirtual
Machine
M Manag ger 2008 R2. VMM
V extends management
m ffunctionality foor Hyper-V ho osts and virtual
machines,
m and it provides dep ployment and provisioning ffor virtual macchines and servvices. In this le
esson,
yo
ou will learn th
he basics of VMMM.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe VM
MM.
Describe th
he prerequisite
es for installing
g VMM.
Describe prrivate cloud infrastructure co
omponents.
Describe ho
ow to manage
e hosts and hosst groups with
h VMM.
Describe ho
ow to deploy virtual
v machines with VMM.
Describe se
ervices and service templatess.
Describe ph
hysical-to-virtu
ual (P2V) and virtual-to-virtu
v ual (V2V) migrrations.
Describe co
onsiderations for
f deploying a highly availaable VMM servver.
What
W Is Sysstem Center 2012 - Virtual
V Maachine Manager?
VMM is a mana agement solutiion for a virtuaalized
da
ata center. VMMM enables yo ou to create annd
de
eploy virtual machines
m and services
s to privvate
clouds by config guring and ma anaging your
virtualization ho
ost, networkingg, and storagee
re
esources. You can
c also use VMM to manag ge
VMware ESX an nd Citrix XenSe
erver hosts.
VMM is a comp ponent of Syste em Center 201 12 that
diiscovers, captu
ures, and aggre egates knowle edge of
th
he virtualizatio
on infrastructurre. VMM also
manages
m policie
es, processes, and
a best practtices by
diiscovering, cappturing, and agggregating
kn
nowledge of th he virtualizatio
on infrastructu
ure.
VMM succeeds VMM 2008 R2 2, and is a key component in n enabling privvate cloud infrrastructures, w
which
he
elps transition enterprise IT from
f an infrastructure-focussed deploymen nt model into a service-oriented,
usser-centric envvironment.
he VMM architecture consistts of several in

Th nterrelated com
mponents. Theese componen
nts are:
Virtual Macchine Managerr server. The Virtual

V Machinee Manager serrver is the com mputer on whicch the
VMM servicce runs. The Virtual Machine e Manager servver processes ccommands an nd controls
communica ations with thee Virtual Machine Manager d database, the library server, and the virtuaal
machine ho osts. The Virtua
al Machine Ma anager server is the hub of a VMM deployyment through h which
all other VM
MM componen nts interact an
nd communica te. The Virtuall Machine Man nager server also
connects too a Microsoft SQL
S Server daatabase that sttores all VMM configuration n information.
Virtual Machiine Manager database.

d VMM M uses a SQL SServer database to store the information th hat
you view in th
he VMM mana agement conso ole, such as m anaged virtua l machines, virrtual machine hosts,
virtual machin
ne libraries, jobs, and other virtual
v machinne-related dataa.
VMM management console e. The manage ement consolee is a program that you use tto connect to a
VMM management server, to view and managem physic al and virtual resources, including virtual
machine hostts, virtual mach
hines, services,, and library reesources.
Virtual Machiine Manager liibrary. A library

ry is a catalog oof resources, ssuch as virtual hard disks,
templates, annd profiles, which are used to
o deploy virtuaal machines an nd services. A library server aalso
hosts shared folders that store file-based resources. Thee VMM manag gement serverr is always the
default libraryy server, but you can add ad
dditional librarry servers laterr.
Command sh hell. Windows PowerShell

P t command--line interface that you use tto execute cmdlets
is the
that perform all available VMM
V functionss. You can use these VMM-specific cmdletts to manage aall the
actions in a VMM
V environm
ment.
Self-Service Portal.
P The Selff-Service Porta
al is a website tthat users who
o are assigned to a self-service
user role can use to deployy and manage their own virtu ual machines.
Pre
erequisitess for Installling VMM
M 2012
Befoore you deployy VMM and itss components,,
ensu ure that your system
s t hardware and
meets the
softtware requiremments. While sooftware
requ uirements do not
n change ba ased on the
num
mber of hosts that
t VMM man nages, hardwa are
prerrequisites mayy vary. In addition, not all VM
MM
com
mponents have e the same harrdware and
softtware requiremments.
Note: Wind dows Server 20 008 R2 and

Win
ndows Server 2012
2 are the only supported
ope
erating systemss for VMM 201 12.
Virtual Machin
ne Managerr Server
In addition to havving Windows Server 2008 R2 R or Windowss Server 2012 i nstalled, the fo
ollowing softw
ware
musst be installed on the server that will run th
he Virtual Macchine Manager server:
Microsoft .NE
ET Framework 3.5 Service Pack 1 (SP1) or n
newer
Windows Auttomated Installation Kit (AIK

K)
werShell 2.0, if the VMM management con
Windows Pow nsole will run o
on the same se
erver
Windows Rem mote Managem ment 2.0. Notee that this is in

nstalled by defaault in Window
ws Server 2008
8 R2,
so you should
d just verify that the service is running.
SQL Server 20 008 Service Pack 2 (SP2) (Sta R2 SP1 Standard,
andard or Enteerprise) or SQLL Server 2008 R
Enterprise, orr Datacenter. This
T is necessarry only when yyou install the VMM manage ement server aand
SQL Server on n same compu uter.
Hardware requirements vary de
epending on number of hostts, and have th
he following lim
mits:
CPU: Single core CPU 2 gigahertz (GHz), Dual core CPU

U 2.8 GHz
Random acccess memory (RAM): 48 gig

gabytes (GB)
Disk space: 40 GB 150 GB,G depending g on whether yyou install a SQ

QL Server dataabase on the saame
server. In ad
ddition, if the library is on th
he same serverr, then disk spaace will also de
epend on libraary
content.
Virtual
V Mach
hine Manager Database
e
Thhe Virtual Macchine Managerr database stores all VMM co onfiguration in
nformation, which you can aaccess
annd modify by using
u the VMMM managemen nt console. Thee Virtual Mach
hine Manager database requ uires
SQQL Server 20088 SP2 or newe
er. Because of this,
t the base h
hardware requuirements for tthe Virtual Machine
Manager
M database are equal to the minimuum system req uirements for installing SQLL Server. Additionally,
if you are manaaging more thaan 150 hosts, you
y should havve at least 4 G GB of RAM on tthe database sserver.
Sooftware requirements for the
e Virtual Mach
hine Manager d database are tthe same as fo
or SQL Server.
Virtual
V Mach
hine Manager Library
Thhe Virtual Macchine Managerr library is the server that ho osts resources ffor building virtual machines,
seervices, and private clouds. In
n smaller envirronments, you u usually install the Virtual M
Machine Manag ger
lib
brary on the VMM
V managem ment server. If this is the casee, the hardwarre and softwarre requirementts are
he same as for the VMM management servver. In larger aand more com plex environm
th ments, we recommend
th
hat you mainta ain Virtual Macchine Manager library on a sseparate serveer in a highly available
coonfiguration. Iff you want to deploy anothe er Virtual Mach hine Managerr library server,, the server sho
ould
meet
m the follow
wing requireme ents:
Supported operating systtem: Windows Server 2008 o

or Windows Seerver 2008 R2
Hardware management:
m Windows Rem
mote Managem
ment 2.0
CPU: at leasst 2.8 GHz
RAM: at lea
ast 2 GB
Hard disk space: varies ba
ased on the nu
umber and sizee of files that aare stored
Private
P Cloud Infrastructure Co
omponentts in VMM
Thhe key architecctural conceptt in VMM is the
private cloud innfrastructure. Similar
S to public
cloud solutions,, such as in Windows Azure , the
private cloud innfrastructure in
n VMM is an
ab
bstraction layeer that shields the underlyingg
echnical complexities and allows you to manage
te
deefined resourcce pools that consist of serveers,
neetworking, and d storage, in th
he enterprise
in
nfrastructure.
Byy using the VMMM management console usser

in
nterface (UI), yo
ou can create a private cloudd from
Hyper-V, VMwa are ESX, and Citrix XenServerr hosts.
Yoou can also beenefit from cloud computing g attributes, inccluding self-seervicing, resource pooling, and
ellasticity.
Yo
ou can configu
ure the followiing resources from
f the Fabriic workspace i n the VMM management co
onsole:
Servers. In the
t Servers no ode, you can co onfigure and m
manage severaal types of servvers. Host grou
ups
contain virttualization hossts, which are the
t destinationns you can usee to deploy virrtual machines. Library
servers are th
he repositories of building blockssuch ass images, .iso ffiles, and temp
platesfor creaating
virtual machinnes.
Networking. The
T Networkin ng node is whe ere you can deefine logical neetworks, assign pools of stattic IPs
and media acccess control (M MAC) addresse es, and integraate load balan cers. Logical n
networks are user-
defined groupings of IP sub bnets and virtu ual local area nnetworks (VLA ANs) that organnize and simpllify
network assiggnments. Logiccal networks provide
p an absttraction of thee underlying physical
infrastructure
e, and they enaable you to pro ovision and isoolate network traffic based oon selected criteria
such as conne ectivity properrties and servicce level agreemments (SLAs).
Storage. You can discover, classify, and provision remotte storage on supported sto
orage arrays. V
VMM
uses the Micrrosoft Storage Management Servicethatt is enabled byy default during the installatiion of
VMM to co ommunicate with
w external arrrays.
Ma
anaging Hosts, Host Clusters, and Host G
Groups wiith VMM
In addition to virtual machine management,
m VMM
V
can also help you manage and deploy Hyper--V
hostts. In VMM, yo ou can use techhnologies suchh as
Winndows Deploym ment Services (Windows DS)) to
depploy Hyper-V hosts
h on bare-m metal machine es
and then manage e them with VM MM. When hossts
are associated witth VMM, you canc configure
seveeral options, su
uch as host resserves, quotas,,
permmissions, and cloud
c memberships. VMM can c
o manage Hyper-V failover clusters.
also c
VMM provides tw wo new feature es that help

optimize power and resource usage on hosts that
are managed by VMM:
V dynamicc optimizationn and power op ptimization. D
Dynamic optim
mization balancces
the virtual machin
ne load within a host cluster,, while power optimization eenables VMM to evacuate
bala
anced cluster hosts,
h and then
n turn them offf to save powwer.
The recommende ed way to orga anize hosts in VMM

V is to creaate host group
ps. This simpliffies manageme ent
task
ks. A host grou up enables you u to apply settiings to multip le hosts or hosst clusters with
h a single actio
on. By
defaault, there is a single host grroup in VMM named
n All Hossts. However, i f necessary, yo
ou can create
addditional groupss for your environment.
Hosst groups are hierarchical.

h When
W you create a new child host group, it inherits the se
ettings from th
he
pareent host groupp. When a child d host group moves
m to a neww parent host group, the chhild host group
p
maintains its origiinal settings exxcept for Perfo
ormance and R Resource Optimmization (PROO) settings, whiich
are managed sepa arately. When the settings in n a parent hos t group chang
ge, you can appply those channges
to child
c host grouups.
You
u use host grou
ups in the follo
owing scenario
os:
Provide basicc organization when you are managing maany hosts and virtual machin nes. You can crreate
custom viewss within the Ho t Virtual Ma chines view to
osts view and the o provide easy monitoring and
access to a ho
ost. For exampple, you might create a host group for each branch officce in your
organization.
Reserving resources for usee by hosts. Hosst reserves are useful when p placing virtual machines on a
host. Host resserves determiine the CPU, memory,
m disk s pace, disk I/O capacity, and network capaacity
that are contiinuously availa
able to the hosst operating syystem.
Use the Host Group prop perties action for

f the root ho ost group All H
Hosts, to set de
efault host rese
erves for
all hosts tha
at VMM mana ages. If you want to use moree of the resources on some hosts instead of on
other hostss, you can set host
h reserves differently
d for eeach host grou
up.
Designating g hosts on whiich users can create

c and opeerate their own n virtual mach hines. When a VVMM
administrattor adds self-se
ervice user role
es, one part off role creation is to identify tthe hosts on w
which
self-service users or groups in that role can create, op
perate, and maanage their ow wn virtual macchines.
As a best practice, you sh
hould designatte a specific hoost group for tthis purpose.
Deploying
D Virtual Ma
achines wiith VMM
One
O of the adva antages of usinng VMM to manage
a virtualized envvironment is the flexibility th
hat
VMM provides to create and deploy new virtual
machines
m quick
kly.
Using VMM, you can manuallly create a new w

virtual machine with new connfiguration setttings
an
nd a new hardd disk. You can then deploy the
t new
virtual machine from one of following
f sourcces:
An existing .vhd or .vhdx file, either blank or
preconfigured
A virtual machine templa

ate
A Virtual Machine
M Manag
ger library
Yo achines either by converting

ou can create new virtual ma g an existing p
physical compu
uter, or by clon
ning an
exxisting virtual machine.
m
Creating
C a New
N Virtual Machine fro
om an Existting VHD
Yoou can create a new virtual machine
m based
d on either a b
blank virtual haard disk (VHD)) or a preconfiigured
VHD that conta ains a guest op
perating system
m. VMM provid des two blank VHD template es that you can use to
crreate new disk
ks:
Blank Disk Small
Blank Disk Large

Yo
ou can also use a blank VHD D when you wa ant to use an o operating systeem with a preb boot execution n
en
nvironment (PXE). Alternativvely, you can place
p an .iso im
mage on a virtu ual DVD-ROM,, and then insttall an
opperating system from scratch. This is an efffective way to o build a virtuaal machines soource image, wwhich
yo
ou can then usse as a future template.
t To innstall the operrating system o on such a virtu
ual machine, yyou can
usse an .iso imag
ge file from the
e library or fro
om a local diskk, then map a p physical drive from the host
co
omputer, or start the guest operating
o systeem setup thro ough a networkk service boot..
If you have a lib

brary of VHDs that you wantt to use in you r VMM enviro nment, you caan create a virttual
machine
m from ana existing VHD. You can also select existin
ng VHDs when n you deploy aany operating system
from which VMM cannot crea ate a template
e, such as an opperating system that is not W
Windows-base ed.
When
W you creatte a new virtua
al machine using an existing
g VHD, you aree essentially creeating a new vvirtual
machine
m configuration that iss associated with the VHD fil e. VMM will crreate a copy o
of the source V
VHD so
th
hat you do nott have to move e or modify the original.
In this scenario, the source VHD must meet the following requirements:
Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep)
process.
Install the Virtual Machine Additions on the virtual machine.
Use Sysprep to prepare the operating system for duplication.
Note: VMM 2012 will support the .vhdx virtual hard drive format when VMM 2012 SP1 is
released.
Deploying from a Template

You can create a new virtual machine based on a template from the Virtual Machine Manager library. The
template is a library resource, which links to a virtual hard disk drive that has a generalized operating
system, hardware settings, and guest operating system settings. You use the guest operating system
settings to configure operating system settings such as the computer name, local administrator password,
and domain membership.
The deployment process does not modify the template, which you can reuse multiple times. If you are
creating virtual machines in the Self-Service Portal, you must use a template.
The following requirements apply if you want to deploy a new virtual machine from a template:
You must install a supported operating system on the VHD.
You must leave the Administrator password blank on the VHD as part of the Sysprep process.
However, you do not have to leave the Administrator password blank for the guest operating system
profile.
For customized templates, you must prepare the operating system on the VHD by removing the
computer identity information. For Windows operating systems, you can prepare the VHD by using
the Sysprep tool.
Deploying from the Virtual Machine Manager Library

If you deploy a virtual machine from the Virtual Machine Manager library, the virtual machine is removed
from the library, and then placed on the selected host. When you use this method, you must provide the
following details in the Deploy Virtual Machine wizard:
The host for deployment. The template that you use provides a list of potential hosts and their
ratings.
The path of the virtual machine files on the host.
The virtual networks used for the virtual machine. A list of existing virtual networks on the host will
display.
What
W Are Services
S an
nd Service Templatess?
Se
ervices are a new concept in n VMM. You must
un
nderstand servvices fully befo
ore you deployy a
private cloud in
nfrastructure.
Traditional Services
S Scenario
Seervices usuallyy refer to appliccations or setss of
appplications thaat provide servvices to end ussers. For
exxample, you ca an deploy various types of web-
w
baased services, but you can also implementt a
se
ervice such as email.
e n-cloud computing
In a non
sccenario, deployyment of any type
t of service
e
ussually requiress users, developers, and
addministrators tot work togeth her through th he
phases of creatiing a service, deploying
d a service, testing tthe service, an d maintaining
g the service.
A service freque ently includes several compu uters that mustt work togetheer to provide a service to en nd users.
Foor example, a web-based
w serrvice is usuallyy an applicatio n that deployss on a web serrver, connects to a
daatabase serverr that might be e hosted on an nother computter, and performs authenticaation on an Acctive
Directory doma ain controller. Enabling
E this application
a reqquires three ro
oles, and possibbly three comp puters:
a web server, a database serve er, and a domain controller. Deploying a ttest environme ent for a servicce such
ass this can be time consuming g and resource e consuming. Ideally, develoopers work witth IT administrrators to
crreate an enviroonment where e they can deploy and test th heir web appliccation.
Concept
C of a Service in a Private Clloud Scenarrio
With
W the concept of a private e cloud, how yoou deal with seervices can change significantly. You can p prepare
th
he environmennt for a service ng a self-servicce application such as
e, and then let developers deeploy it by usin
Syystem Center 2012
2 - App Coontroller.
In
n VMM, a serviice is a set of one
o or more virtual machiness that you dep ploy and manaage together aas a
single entity. Yo
ou configure thhese machiness to run togethher to provide a service. In WWindows Serve er 2008,
ussers could depploy new virtuaal machines byy using the Sel f-Service Portaal. In VMM, en
nd users can deploy
neew services. Byy deploying a service,
s a actually deeploying the e ntire infrastruccture, including the
users are
virtual machines, network con nnections, and applications tthat are requirred to make thhe service workk.
However, you can also use services to deplooy only a singl e virtual mach
hine without any specific purrpose.
In
nstead of deplo
oying virtual machines
m e historic way, you can now create a servicce that will deploy a
in the
mple, Windowss Server 2008 R2, and with sseveral roles an
virtual machine with, for exam nd features
preinstalled and main. This simplifies the pro
d joined to dom ocess of creatin
ng and later up
pdating new vvirtual
machines.
m
Deploying a new w service requ uires a high levvel of automattion and predeefined compon nents, and requires
management
m so
oftware suppo ort. This is why VMM providees service temp plates. A servicce template is a
te
emplate that encapsulates evverything that is required to o deploy and ruun a new instaance of an app plication.
Ju
ust as a private
e cloud user caan create new virtual machin nes on demand d, the user cann also use service
emplates to insstall and start new applicatio
te ons on demand d.
Process
P for Deploying
D a New Servicce
Yo
ou use the folllowing proced
dure when you use VMM serrvice templatess to deploy a n
new service or
ap
pplication:
1.. The system administratorr creates and configures
c VM M service tem
mplates by usin
ng the Service
Template Designer.
D
2. The end-userr application ownerfor exam mple, a develo

oper who has tto deploy the aapplication
environmentopens App Controller
C and requests a new w service depl oyment based d on the available
service templates that the developer
d can access. The deeveloper can ddeploy the servvice to a private
cloud where a user has acceess. As an alternative to App
p Controller, th
he user can alsso use the VMM M
Manager connsole.
3. The Virtual Machine
M Manag ger server evaluates the subm
mitted requestt. VMM searchhes for available
resources in the has
t private cloud, then calculates the user quota and verrifies that the private cloud h
enough resou urces for the re
equested serviice deploymen nt.
4. matically, the vvirtual machin es and applicaations (if any) aare
Whereas the new service is created autom
deployed on the host that is
i selected by VMM.
V
5. The user application ownerr gains control over service vvirtual machinees through Ap
pp Controller, o
or by
Remote Deskktop Protocol (RDP).
(
6. If you need manual

m approvval for resource
e creation, youu can use Micrrosoft System C
Center 2012 -
Service Manaager to create workflows
w for this purpose.
Info
ormation In
ncluded in the
t Service Template
T
The service template includes in nformation abo out the virtuall machines thaat are deployed
d as part of thhe
servvice, which app
plications to in
nstall on the virtual machiness, and the netwworking configguration needed for
the service (includ
ding the use off an NLB). The service templ ate can use exxisting virtual m
machine temp plates.
While you can define the service without usin g virtual machiine templates, it is easier to build
ng any existing
a te
emplate if you have already created
c virtual machine tem plates. After yyou create a se
ervice template e, you
configure it for de
eployment usin ng the Config gure Deploym ment option.
P2V and V2V

V Migratio
ons
Man ny organizatioons have physiccal servers that
theyy do not use fuully. VMM can convert existing
phyysical computers into virtual machines thro ough
a prrocess known asa P2V conversion. VMM
simplifies P2V by providing a ta
ask-based wiza ard to
autoomate much of o the conversion process.
Because the P2V process
p suppo
orts scripts, you
u can
start large-scale P2V
P conversion ns through the e
Winndows PowerSh hell commandd line interface.
VMM converts an n operating sysstem that is

runnning on physiccal hardware to
o an operating
g
system that is running in a Hypeer-V virtual
macchine environmment. VMM prrovides a conve ersion wizard, which automaates much of tthe conversion
n
proccess.
Durring a P2V conversion processs, VMM generates disk ima ges of the harrd disks on the e physical computer.
es for the new virtual machin
It crreates VHD file ne using the d isk images as a basis. In add
dition, it create
es a
hard dware configuration for the virtual machinne similar to, o
or the same as,, the hardware
e in the physicaal
commputer.
The new virtual machine
m has thee same compu uter identity ass the physical computer on wwhich it is based.
Because of this, ass a best practicce you should not use both a physical com mputer and its virtual replicaa
concurrently. Afteer the P2V conversion complletes, you typiccally disconneect the physical computer fro om
the network and decommission
d n it.
P2
2V conversion is finished in either
e online or
o offline modee. In online mo
ode, the sourcce operating syystem
ru
uns during the conversion prrocess. In offlin operating systtem does not rrun and conversion
ne mode, the o
occcurs through the Windows Preinstallation n Environmentt (Windows PEE). Later topics in this lesson
de
escribe these modes
m in furth
her detail.
In
n addition to converting und derused physiccal computers, VMM supportts the manage ement, migration, and
co
onversions of other
o virtual machines
m that were
w created i n the VMwaree environment. You can convvert
th
hese virtual maachines to Hypper-V virtual machines,
m placee them on Hyp per-V hosts, an
nd then managge them
unnder the Virtual Machine Ma anager Administrator Conso ole. In addition
n, VMM and Hyyper-V supporrt
migrating
m virtua
al machines fro
om one host to another with h minimal or zzero downtime e.
VMM allows you to convert existing

e VMwarre virtual mach hines to virtuaal machines run
nning on the H Hyper-V
platform. This process
p is know
wn as a V2V coonversion. With h V2V conversion, administraators can conssolidate
a virtual environ
nment that is running
r variou
us virtual platfo
orms without moving data o or rebuilding vvirtual
machines
m from scratch.
VMM allows you to copy existing VMware virtualv machin es and create Hyper-V virtual machines. Y You can
co
opy VMware virtual
v machine ated on ESX seerver hosts, in Virtual Machin
es that are loca ne Manager lib braries,
orr on Windows shares. Althou on, V2V is a reead-only operaation that doess not
ugh V2V is callled a conversio
de
elete or affect the original so
ource virtual machine.
m In adddition, the term
m conversion is dedicated o only to
th
he process of converting
c VMMware virtual machines.
m The tterm migratio n is used for vvirtual server
machines.
m
During the convversion processs, the VMM coonverts the VM

Mware .vmdk ffiles to .vhd file es, and makes the
op
perating system on the virtu
ual machine coompatible withh Microsoft virttualization tecchnologies. The
e virtual
machine
m that th
he wizard creattes matches VMware virtual machine prop perties, including name, desccription,
memory,
m and disk-to-bus assiignments.
Considerat
C ions for Deploying a Highly A
Available V
Virtual Macchine Man
nager
Server
VMM now supp ports a highly available
a Virtual
Machine
M Manag ger server. You
u can use failovver
clustering to achieve high avaailability for VM
MM
be
ecause VMM is now a cluste er-aware appliccation.
However, you should conside er several thinggs
be
efore you deploy a VMM clu uster.
Be g a highly available VMM

efore installing
management
m erver, ensure that:
se
You have in nstalled and co

onfigured a faiilover
cluster thatt is running Wiindows Server 2008
R2, Window ws Server 2008 8 R2 SP1, or Windows
W
Server 2012 2.
y install the highly availab

All computers on which you ble Virtual Macchine Managerr server meet tthe
minimum hardware
h requirements, and all prerequisitte software is iinstalled on alll computers.
You have created a doma ain account to be used by th
he VMM servicce. You must u
use a domain u
user
account forr a highly availlable Virtual Machine
M Manag
ger server.
You are preepared to use distributed keyy managemennt to store encryption keys in
n AD DS. You must
use distribu
uted key manaagement for a highly availab
ble Virtual Macchine Managerr server.
You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008
R2, VMM will not install a SQL Server Express Edition automatically.
Highly Available Databases and Library Servers

To achieve full redundancy, you should use a highly available SQL Server. Install a highly available SQL
Server on a separate failover cluster from the failover cluster on which you are installing the highly
available Virtual Machine Manager server. Similarly, you should also use a highly available file server for
hosting your library shares.
Self Service Portal and Clustered Virtual Machine Manager Server

As a best practice, do not install the Virtual Machine Manager Self-Service Portal on the same computer
as the highly available Virtual Machine Manager server. If your Virtual Machine Manager Self-Service
Portal currently resides on the same computer as the Virtual Machine Manager server, we recommend
that you uninstall the Virtual Machine Manager Self-Service Portal for VMM 2008 R2 SP1 before
upgrading to VMM. We also recommend that you install the Virtual Machine Manager Self-Service Portal
on a highly available web server to achieve redundancy and NLB.
Failover Cluster Manager

You cannot perform a planned failoverfor example, to install a security update or perform maintenance
on a cluster nodeby using the Virtual Machine Manager Administrator Console. Instead, to perform a
planned failover, use the Failover Cluster Manager.
During a planned failover, ensure that there are no tasks actively running on the Virtual Machine Manager
server. Any tasks that are executing during a failover will be stopped and will not restart automatically.
Any connections to a highly available Virtual Machine Manager server from the Virtual Machine Manager
Administrator Console or the Virtual Machine Manager Self-Service Portal will also be lost during a
failover. However, the Virtual Machine Manager Administrator Console can reconnect automatically to the
highly available Virtual Machine Manager server after a failover if the console was open before you
performed the failover.
Lab: Implementing Failover Clustering with Hyper-V

Scenario
The A. Datum Corporations initial virtual machine deployment on Hyper-V has been successful. As a next
step in the deployment, A. Datum is now considering ways to ensure that the services and applications
that are deployed on the virtual machines are highly available. As part of the implementation, A. Datum is
also considering options for making the virtual machines that run on Hyper-V highly available.
As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with
failover clustering to ensure that the virtual machines that are deployed on Hyper-V are highly available.
You are responsible for planning the virtual machine and storage configuration, and for implementing the
virtual machines as highly available services on the failover cluster. In addition, you are considering some
other techniques for virtual machine high availability, such as Hyper-V Replica.
Objectives
Configure Hyper-V Replica.
Configure a failover cluster for Hyper-V.
Configure a highly available virtual machine.
Lab Setup
20412A-LON-DC1-B
20412A-LON-SVR1-B
20412A-LON-HOST1
20412A-LON-HOST2
20412A-LON-DC1-B
20412A-LON-SVR1-B
Virtual Machine(s)
20412A-LON-HOST1
20412A-LON-HOST2
Password Pa$$w0rd
You should perform this lab with a partner. To perform this lab, you must boot the host computers to
Windows Server 2012. Ensure that you and your partner have booted into different hosts (one should
boot to 20412A-LON-HOST1 and the other should boot to 20412A-LON-HOST2) and then log on as
Adatum\Administrator with the password of Pa$$w0rd. Once you have booted into the Windows
Server 2012 environment, perform the following setup tasks:
1. On the host computer, in Server Manager, click Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click start the following virtual machines based upon your host:
o For LON-HOST1, start 20412A-LON-DC1-B.

o For LON-HOST2, start 20412A-LON-SVR1-B.
a. User name: Adatum\Administrator

b. Password: Pa$$w0rd
Note: For this lab, verify that the classroom is configured so that only LON-HOST1 and
LON-HOST2 can communicate. Each pair of host computers must be isolated from the rest of the
classroom.
Exercise 1: Configuring Hyper-V Replicas

Scenario
Before you begin cluster deployment, you need to evaluate the new technology in Hyper-V 3.0 for
replicating virtual machines between hosts. You want to be able to mount a copy of a virtual machine on
another host manually if the active copy (or host) fails.
1. Boot the physical host machines from VHD.
2. Import the LON-CORE virtual machine on LON-HOST1.
3. Configure a replica on both host machines.
4. Configure replication for the LON-CORE virtual machine.

5. Validate a planned failover to the replica site.
Task 1: Boot the physical host machines from VHD

1. Restart the classroom computer, and in the Windows Boot Manager, select either
20412A-LON-HOST1 or 20412A-LON-HOST2.
Note: If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server as Adatum\Administrator with password Pa$$w0rd.

3. On LON-HOST1, make sure that virtual machine 20412A-LON-DC1 is running.
4. On LON-HOST2, make sure that virtual machine 20412A-LON-SVR1 is running.
Task 2: Import the LON-CORE virtual machine on LON-HOST1

On LON-HOST1, open Hyper-V Manager, and import the 20412A-LON-CORE virtual machine using
the following settings:
o Path: E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE
o Accept default values
Note: The drive letter may differ based on the number of drives on the physical host machine.
Task 3: Configure a replica on both host machines

1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server.
o Allow replication from any authenticated server
o Create and use folder E:\VMReplica as a default location to store replica files
2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.
Task 4: Configure replication for the LON-CORE virtual machine

1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine.
o Replica server: LON-HOST2
o Authentication: Kerberos authentication (HTTP)
o Configure Recovery History: Only the latest recovery point
o Start replication immediately
2. Wait for initial replication to finish, and verify that the 20412A-LON-CORE virtual machine displays in
the Hyper-V Manager console on LON-HOST2.
Task 5: Validate a planned failover to the replica site

1. On LON-HOST2, view replication health for 20412A-LON-CORE.
2. On LON-HOST1, perform planned failover to LON-HOST2. Verify that 20412A-LON-CORE is running

on LON-HOST2.
3. On LON-HOST1, remove replication for 20412A-LON-CORE.

4. On LON-HOST2, shut down 20412A-LON-CORE.
Results: After completing this exercise, you will have configured a Hyper-V Replica.
Exercise 2: Configuring a Failover Cluster for Hyper-V

Scenario
A. Datum has several virtual machines that are hosting important services that must be highly available.
Because these services are not cluster-aware, A. Datum decided to implement Failover cluster on the
Hyper-V host level. You plan to use iSCSI drives as storage for these virtual machines.
1. Connect to the iSCSI target from both host machines.
2. Configure failover clustering on both host machines.
3. Configure disks for the failover cluster.
Task 1: Connect to the iSCSI target from both host machines

1. On LON-HOST1, start iSCSI initiator.
2. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target.
3. On LON-HOST2, start iSCSI initiator.

4. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target.
5. On LON-HOST2, navigate to Disk Management, and initialize and bring online all iSCSI drives:
o Format the first drive, and name it ClusterDisk.
o Format the second drive, and name it ClusterVMs.
o Format the third drive, and name it Quorum.
6. On LON-HOST1, navigate to Disk Management, and bring online all three iSCSI drives.
Task 2: Configure failover clustering on both host machines

1. On LON-HOST1 and LON-HOST2, install the failover clustering feature.
2. On LON-HOST1, create a failover cluster:
o Add LON-HOST1 and LON-HOST2
o Name the cluster VMCluster
o Assign the 172.16.0.126 address
o Deselect the option to Add all eligible storage to the cluster
Task 3: Configure disks for the failover cluster

1. On LON-HOST1, in the Failover Cluster Manager, add all three iSCSI disks to the cluster.
2. Verify that all three iSCSI disks appear available for cluster storage.
3. Add the disk named ClusterVMs to Cluster Shared Volumes.
4. From the VMCluster.adatum.com node, select More Actions, and then configure the Cluster
Quorum Settings to use typical settings.
Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.
Exercise 3: Configuring a Highly Available Virtual Machine

Scenario
After you configuring the Hyper-V failover cluster, you want to add virtual machines as highly available
resources. Additionally, you want to evaluate live migration and test storage migration.
1. Move virtual machine storage to the iSCSI target.
2. Configure the virtual machine as highly available.
3. Perform live migration for the virtual machine.
4. Perform storage migration for the virtual machine.
Task 1: Move virtual machine storage to the iSCSI target

1. In the Failover Cluster Manager, verify that LON-HOST1 is the owner of the ClusterVMs disk. If it is
not, move the ClusterVMs disk to LON-HOST1.
2. On LON-HOST1, open a Windows Explorer window, and browse to E:\Program Files

\Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks.
3. Move 20412A-LON-CORE.vhd to the C:\ClusterStorage\Volume1 location.
Task 2: Configure the virtual machine as highly available

1. On LON-HOST1, in Failover Cluster Manager, click Roles, and then start the New Virtual Machine
Wizard.
2. Configure a virtual machine with the following settings:
o Cluster node: LON-HOST1.
o Computer name: TestClusterVM

o Store the file at C:\ClusterStorage\Volume1
o RAM for TestClusterVM: 1536 MB
o Connect machine to existing virtual hard disk drive 20412A-LON-CORE.vhd, which is located at
C:\ClusterStorage\Volume1.
3. From the Roles node, start the virtual machine.
Task 3: Perform live migration for the virtual machine

1. On LON-HOST1, in the Failover Cluster Manager, start Live Migration failover of TestClusterVM
from LON-HOST1 to LON-HOST2.
2. Connect to TestClusterVM, and ensure that you can operate the virtual machine while it is migrating
to another host.
Task 4: Perform storage migration for the virtual machine

1. On LON-HOST2, open Hyper-V Manager.
2. Move 20412A-LON-SVR1-B from its current location to C:\LON-SVR1.

3. Determine whether machine is operational during move process.
4. When the migration completes, shut down all running virtual machines.
Results: After completing this exercise, you will have configured a highly available virtual machine.
To prepare for next module

1. Restart LON-HOST1.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
3. Log on to the host machine as directed by your instructor.
4. Repeat steps 1-3 on LON-HOST2.


Question: In Windows Server 2008 R2, do you have to implement CSV in order to provide high availability
for virtual machines in VMM?

Virtual machine failover fails after

implementing CSV and migrating the
shared storage to CSV
A virtual machine fails over to another

node in the host cluster, but loses all
network connectivity
Four hours after restarting a Hyper-V host

that is a member of a host cluster, there
are still no virtual machines running on the
host.
Best Practice
Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identical as possible. To ensure that you have a consistent
Hyper-V platform, configure standard network names, and use consistent naming standards for CSV
volumes.
Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Manager that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
7-1
Module 7
Implementing Disaster Recovery
Contents:
Module Overview 7-1
Lesson 1: Overview of Disaster Recovery 7-2
Lesson 2: Implementing Windows Server Backup 7-7
Lesson 3: Implementing Server and Data Recovery 7-16
Lab: Implementing Windows Server Backup and Restore 7-20
Module Overview
Organizations are vulnerable to losing some of their data for reasons such as unintentional deletion of
critical data, file system corruption, hardware failures, malicious users, and natural disasters. Because of
this, organizations must have well-defined and tested recovery strategies that will help them to bring their
servers and data back to a healthy and operational state, and in the fastest time possible.
In this module, you will learn how to identify security risks for your organization. You will also learn about
disaster recovery, and disaster recovery requirements. You will also learn how to plan backup across your
organization, and what steps you can take to recover data.
Objectives
Describe disaster recovery concepts.
Implement Windows Server Backup.
Implement server and data recovery.

7-2 Implementing Disaster Recoverry
Lesson 1
Overviiew of Disaster
D r Recove
ery
Disa
aster recovery is a methodology that descrribes all the steeps that you nneed to perform once a disaster
has occurred, to bring
b ers back to an operational sttate. An effecttive disaster
data, servvices and serve
reco
overy plan add dresses the orgganizations neeeds without p providing an unnecessary levvel of coverage e.
While absolute prrotection may seem desirable, it is unlikelyy to be econom mically feasible e. In creating a
disa
aster recovery plan, you need d to balance th of a particular disaster, with the
he cost to the organization o
costt to the organiization of prottection from thhat disaster.
Lessson Objectiives
Afte
ou will be able to:
Identify disaster recovery re
equirements.
Describe servvice level agree

ements.
Describe ente
erprise disasterr recovery strategies.
Describe disaster mitigation
n strategies.
Describe bestt practices for implementing

g a disaster reccovery.
Ide
entifying Disaster
D Re
ecovery Re
equiremen
nts
Befo
ore developing
g a disaster reccovery strategy,
anizations must identify their disaster reco
orga overy
requ
uirements to ensure
e that theey will provide
app
propriate prote
ection for criticcal resources.
The following is a high-level listt of steps that you

can use to identifyy disaster reco
overy requirem ments:
1. Define organization critical resources. Theese

resources include data, servvices, and the
servers upon which the datta and servicess run.
2. Identify risks associated witth those criticaal

resources. For example, datta can be
accidentally or
o intentionallyy deleted, and a hard drive o or storage con data is stored might
ntroller where d
fail. Additiona
ally, services th
hat use critical data might faail due to manyy reasons such
h as network
problems, and d servers migh ht fail because of hardware ffailures. Major power outage es could also ccause
entire sites to
o shut down.
3. Identify the tiime needed to

o perform the recovery. Baseed on their bussiness requirem
ments,
organizationss should decide how much time is acceptaable for recoveering critical re
esources. Scenaarios
may vary fromm minutes to hours,
h or even a day.
4. Develop a reccovery strategyy. Based on the previous steeps, organizatio ons will define
e a service leve
el
agreement th hat will include
e information such
s as servicee levels and service hours. Organizations should
develop a dissaster recoveryy strategy that will help themm minimize thee risks, and at the same time e,
recover their critical resourcces within the minimum tim me acceptable ffor their business requireme ents.
Note: Orgaanization will have

h differing disaster
d recoveery requirements based on ttheir
business requirem
ments and goals. Disaster reccovery requirem ments should not be static, b
but they
sh
hould be evalu
uated and updated on a regu ular basisfor example oncee every few mo onths. It is
also important that
t administrators test the disaster recoveery strategies on a regular b
basis. The
te b performed in an isolated, non-productiion environmeent by using a copy of the
esting should be
production dataa.
What
W Are Service
S Lev
vel Agreem
ments?
A service level agreement
a (SLA
A) is a docume ent that
de
escribes the re o the IT department
esponsibilities of
orr IT service pro
ovider, with resspect to a speccific set
off objectives. In
n terms of dataa protection SLLAs,
th
hese agreemen nts usually speecify precisely which
w
pa
arts of the IT innfrastructure and
a data will be b
protected, and how quickly th hey will return to
se
ervice after a faailure.
In
n some organizzations, SLAs are
a formalized,, and
th
he performancce of the IT dep partment is
measured
m again
nst the objectivves that are sp
pelled
ouut in the SLA. These
T metrics form part of the IT
deepartments pe erformance evvaluation, and have a direct influence on ittems such as b budgets and saalaries.
Fo
or managed se ervices or cloud providers, SLAs are criticall for billing pu
urposes. In other organizations, SLAs
arre guidelines and
a are less forrmalized. The key to develop ping an SLA is that it needs to be realistic and
her than an unachievable sta
acchievable, rath andard, which may be imposssible to reach.
So
ome of the ele
ements of an SLA
S include:
Hours of op n defines how much time thee data and serrvices are available to
peration. Hourrs of operation
users, and how
h much planned downtim me there will b e due to systeem maintenancce.
Service availability. Servicce availability is defined as a percentage o f time per year that data and
services will be available tot users. For example,
e a servvice availabilityy of 99.9 perce
ent per year m
means
that data and services willl have unplanned downtimee not more thaan 0.1 percentt per year, or 8 8.75
hours per year
y on a 24 ho ours a day, sevven days a weeek basis.
Recovery point objective (RPO). An RPO O sets a limit o

on how much data can be lo ost due to failuure,
measured asa a unit of tim me. For examplle, if an organiization sets an RPO of six ho ours, it would bbe
necessary to take a backu up every six ho ours, or to creaate a replicatio
on copy on diffferent location
ns at
six-hour inttervals. In the event
e of a failu
ure, it would bbe necessary to he most recent
o go back to th
backup, wh hich, in the worst-case scenario, assuming that the failur e occurred jusst before (or du uring)
the next baackup, would be b six hours ag go.
You can configure backup software to take backups every hour, offfering a theorretical RPO of 6 60
minutes. When
W calculatin
ng RPO, it is alsso important tto take into account the timee it takes to peerform
the backup p. For example,, suppose it takes 15 minutees to perform a backup and yyou back up e every
ailure occurs during the back
hour. If a fa kup process, yo be 1 hour and 15
our best possible RPO will b
minutes. A realistic RPO must
m always ba alance the dessired recovery time with the realities of thee
network inffrastructure. Yo ou should not aim for an RP PO of 2 hours w when a backup p itself takes th
hree
hours to co omplete.
The RPO also depends on n the backup software
s techn
nology. For exaample, when yyou use the snaapshot
feature in Windows
W Serveer Backup, or other
o backup ssoftware that u uses volume shhadow copy se ervice
(VSS), you are
a backing up p to the point in time when tthe backup waas started.
Recovery time objective (RTO).

( An RTOO is the amoun nt of time it takkes to recover from failure. TThe RTO
will vary de
epending on th
he type of failu
ure. The loss o f a motherboaard on a criticaal server will haave a
different RTOO than the loss of a disk on a critical serverr, because one of these comp
ponents takes
significantly longer to repla
ace than the otther.
Retention objjectives. Reten
ntion is a measure of the leng ou need to store backed-up data.
gth of time yo
For example, you may need d to recover da
ata quickly fro
om up to a mo onth ago, but n
need to store d
data
in some form
m for several yeears. The speedd at which youu agree to recoover data in yo
our SLA will de
epend
on the age off the data, with
h some data being
b quickly reecoverable and other data nneeding to be
recovered fro
om the archive es.
System performance. Altho ough not directtly related to d

disaster recoveery, system performance is aalso an
important component of SLLAs, because applications
a hat are included in an SLA sh
th hould be availaable,
and they should also have acceptable
a ressponse times too users requeests. If the syste
em performannce is
slow, then bu
usiness requirements will nott be met.
Note: Each organizations data protection SLA depen

nds on the com
mponents thatt are
portant to the organization.
imp o
Ov
verview of Enterprise
e Disaster Recovery Strategiess
Wheen planning fo or backup for your
y enterprise
e,
you need to develop strategies for recovering g
data
a, services, servvers, and sites,, and you needd to
makke some provission for offsite e backup.
Datta Recovery
y Strategies
Data is the most commonly
c recoovered catego ory in
an enterprise
e environment. Thiss is because it is
morre likely that users will deletee files accidenttally,
thann it is for serve
er hardware too fail or for
appplications to cause data corru uption. Therefo ore,
in developing
d an enterprise disa
aster recovery
strategy, take into o account small disasters, succh as
dataa deletion, in addition
a to big
g disasters, succh as server or site failure.
Whe g data recoverry strategies, backup is not th

en considering he only techno ology for data recovery. You u can
add dress many file and folder reccovery scenarios by implemeenting previou us versions of ffile functionaliity on
file shares. You ca
an also replicatte data in diffe
erent physical locations, or to
o a public or p
private cloud. Y You
could also use Microsoft System Center 2012 2 - Data Proteection Manageer.
Serrvice Recove
ery Strategiies
The functionality of the network k depends on the availabilityy of certain criitical network services. Altho
ough
welll-designed nettworks build re edundancy intto core service s such as Dom main Name Sysstem (DNS) and
Actiive Directory Domain Services (AD DS), even those servvices might haave issues, such h as when a major
fault is replicated that requires a restore from
m backup. In ad
ddition, an entterprise backup p solution musst
ensuure that services such as Dynnamic Host Co onfiguration Prrotocol (DHCP P) and Active D Directory Certifficate
Servvices (AD CS), and
a importantt resources succh as file sharees can be resto ored in a timelyy and up-to-d date
man nner.
Full Server Reccovery Strattegies

Devveloping a full--server recovery strategy invvolves determi ning which servers that you need to be ab ble to
over, the RPO for critical servvers, and the RTO
reco R for criticall servers. Supp have a site with two
pose that you h
com
mputers functio oning as doma ain controllers.. When develo oping your bacckup strategy, should you aim to
ha
ave both serve ers capable of full server reco overy with a 1 5 minute RPO O? Or is it only necessary for one
se en that either server will be aable to provid
erver to be reccovered quicklyy if it fails, give de the same neetwork
se
ervice and ensure business continuity?
In
n developing the full server recovery
r compponent of yourr organization s enterprise b
backup plan,
deetermine whicch servers are required
r to ensure business continuity, and
d ensure that they are regularly
baacked up.
Site Recovery
y Strategiess
Most
M larger org
ganizations havve branch officce sites. While it might be deesirable to bacck up all the
coomputers at thhose locations,, it may not be
e economicallyy feasible to do o so. Developing a site recovvery
sttrategy involve
es determiningg which data, services,
s and seervers at a speecific site must be recoverable to
ennsure businesss continuity.
Offsite
O Backu
up Strategie
es
Many
M organizattions that do not
n store offsite backups do not recover frrom a primary site disaster. Iff your
orrganizations head
h office site
e has a fire, is subject
s to a on
nce-in-a-100-yyear flood, a cyclone, or a to
ornado,
it will not matte
er what backup ps strategies you have in plaace if all those backups are stored at the loocation
th
hat was destroyyed by the dissaster.
A comprehensivve enterprise data

d protection
n strategy invo
olves moving b backed-up datta to a safe offfsite
lo
ocation so thatt you can recovver it no matte
er what kind oof disaster occu
urs. This does not need to haappen
evvery day. The RPO
R for recove
ery at the offsiite locationo
often called th
he disaster reco
overy siteis u
usually
diifferent from the RPO at the
e primary site.
Disaster
D Miitigation Strategies
S
No matter how prepared organizations are,, they
ca
annot prevent disasters from m occurring.
Thherefore, organizations must also develop p
mitigation
m strategies that will minimize the impact
off an unexpecte ed loss of dataa, server, servicce, or
sittes. To preparee mitigation sttrategies,
orrganizations must
m create risk
k assessments that
an
nalyze all posssible disaster sccenarios, and how
h to
mitigate
m each of
o those scenarrios.
Thhe following ta
able lists some
e of the risks
asssociated with data or services loss, and th
he
ap
ppropriate mittigation strateggies.
Risk of disaste
er Mitigation
n strategy
The media wh here a copy off the backup Have at leeast two copiees of your backkup data, and
data is located becomes corrupted. validate yyour backups oon a regular basis.
An administra
ator has accide
entally deletedd Protect O
OUs from accid
dental deletion
n, especially aftter
an organizatio
onal unit (OU)) that contains migration
ns.
many user and computer objects.
A file server in
n a branch offiice where Use Distriibuted File Sysstem Replicatioon (DFS-R) to
important filees are located has failed. replicate files from brannch offices to central data
centers.
Rissk of disaster Mitigation sstrategy
Th
he virtualizatio
on infrastructure where Avoid deplo oying all criticaal servers, such
h as domain
bu
usiness serverss are located iss controllers, on the same vvirtual infrastructure.
un
navailable.
A major outage
e in a data centter has Deploy a seecondary data center that will contain
occcurred. replicas of tthe critical servvers in your prrimary data
center.
Best Practice
es for Impllementing a Disasterr Recoveryy
Wheen implementing a disaster recovery strate egy,
orga
anizations sho
ould follow the
ese best practicces:
Perform a risk k assessment plan

p first. This will
help you iden ntify all of the risks associate ed
with the availlability of yourr organization data,
servers, servicces, and sites.
Discuss the risks you evalua ated with yourr

business man nagers, and tog gether decide
which resourcces should be protected with h the
disaster recovvery plan, and which resourcces
should be pro otected with disaster
d mitigattion,
and at which level. The high her the
requirementss for disaster reecovery are, th
he more expen
nsive they are. You also wantt to have a low
w-level
disaster recovvery plan for re a protected with disaster m
esources that are mitigation.
Each organiza
ation should have
h its own diisaster recoverry plan.
Document in detail all of th

he steps that sh
hould be perfo
ormed in a dissaster scenario
o.
Test your disa

aster recovery plan on a regular basis in an
n isolated, non
n-production e
environment.
Evaluate yourr disaster recovvery plan on a regular basis,, and update yyour disaster re
ecovery plan b
based
on your evalu
uation.
Lesson
n2
Imple
ementin
ng Wind
dows Se
erver Baackup
To
o protect criticcal data, every organization must perform regular backu ups. Having a wwell-defined and
te
ested backup strategy
s ensurees that companies can resto re data if unexxpected failure
es or data loss occur.
his lesson desccribes the Windows Server Backup featuree in Windows SServer 2012 aand the Microssoft
Th
Online
O Backup Service
S for Winndows Server 2012.
Le
esson Objecctives
ng this lesson, you
Describe da
ata and service
e information that
t needs to be backed up in a Windowss Server enviro
onment.
Describe th
he backup type
es.
Describe ba
ackup technolo
ogies.
Describe ba
ackup capacityy.
ackup security.
Describe ba
Describe Windows
W Serverr Backup.
Explain how
w to configure
e a scheduled backup
b using W
Windows Servver Backup.
Describe th erver 2012 online backup so lution.

he Windows Se
Describe th
he consideratio
ons for an ente
erprise backup
p solution.
Summarize the features available

a with System Centerr 2012 Data Protection Maanager.
What
W Need
ds to Be Ba
acked Up?
When
W planning backups across your organiization,
en
nsure that you
u protect resou urces that are
co
onsidered misssion critical. Co
onsider the folllowing:
Critical reso
ources
Backup verification
Backup security
Compliance
e and regulato
ory requiremen
nts
Determining
D g Critical Ressources to Back
B
Up
U
In
n an ideal scenario, you would back up
evverything and instantly resto ore data as it existed
e at a parrticular point i n time from any point in the
e last
se
everal years. In n reality, such a backup strateegy would pro oduce expensivve cost of own nership. Thereffore, the
firrst step in plan
nning backup across the enterprise is to deetermine whatt exactly needss to be backed d up.
Fo
or example, sh hould you backk up every dom main controlleer in the doma in, given that A Active Directoory
in
nformation will be replicated
d back to a rep placement dom main controllerr as soon as it is promoted? Is it
neecessary to back up every file server in all file shares if evvery file is rep licated to multiple servers th
hrough
a distributed file
e system?
7-8 Implementing Disaster Recovery
You also need to distinguish between technical reasons and regulatory reasons for backing up data. Due
to legal requirements, you may need to be able to provide your business with business-critical data for
the past ten years or even longer.
To determining what to back up, consider the following:
If the data is only stored in one place, ensure that it is backed up.
If data is replicated, it may not be necessary to back up each replica. However, you must back up at
least one location to ensure that the backup can be restored.
Is the server or data a mission-critical component?

If this server or disk failed, or if this data became corrupted, what steps would need to be taken to
recover it?
Many organizations ensure the availability of critical services and data through redundancy. For example,
Exchange Server 2010 provides continuous replication of mailbox databases to other servers through a
technology called Database Availability Groups (DAGs). While DAGs do not mean that an organization
should not back up its Exchange Server 2010 Mailbox servers, it does change how an organization should
think about backing up its Mailbox servers or centralizing its backup strategies.
Verifying Your Backups

Performing a backup, and ensuring that the backup contains everything that you need, are two different
tasks. You need to have a method for verifying that each backup has completed successfully. You also
need to know when backups have failed. At a minimum, this will mean checking the logs on each server
to determine whether a failure has occurred. If you have configured backups to occur on each server
every six hours, how often should you check the logs? A better solution is to employ an alert
mechanismsuch as that which is available in System Center 2012 - Operations Managerto alert you in
the event that a backup fails. The point is to avoid discovering that your backups for a particular server
have failed just when you need those backups to perform a recovery.
One way of verifying backups is to perform regular testing of the recovery procedures, in which you
simulate a particular failure. This allows you to verify not only the integrity of the data that you are using
to perform a recovery, but also that the recovery procedures that you have in place effectively resolve the
failure. It is better to discover that you need to add steps to your recovery procedure during a test, rather
than during an actual failure.
Confirming That Backups Are Secure

By definition, a good set of backups contains all of your organizations critical data. This data needs to be
protected from unauthorized access. Although data might be protected by permissions and access
controls while it is hosted on servers in a production environment, anyone who has access to the media
that hosts that backup data can restore it. For example, some products, such as Windows Server Backup,
do not allow administrators to encrypt backup data. This means that physical security is the only way that
you can ensure that critical data does not fall into the hands of unauthorized users.
When developing an enterprise backup strategy, ensure that backup data is stored in a secure location.
You might also consider using backup software that allows you to split the backup and restore roles so
that users who have permissions to back up data do not have permissions to restore that data, and users
who have permissions to restore data do not have permissions to back it up.
Ensuring That Compliance and Regulatory Responsibilities Are Met

Systems administrators should be aware of what the organizations regulatory and compliance
responsibilities are with respect to the archiving of data. For example, some jurisdictions require that
business-relevant email message data be retained for a period of up to seven years. Unfortunately,
regulatory requirements vary from country to country, and even from state to state. When developing
yo
our organizatio
ons data protection strategyy, you should schedule a meeeting with your organizatio
ons
le etermine precisely which data needs to bee stored, and ffor how long.
egal team to de
Backup
B Typ
pes
n Windows Serrver 2012, you can perform the
In t
ollowing types of backups:
fo
Full backupp. A full backup

p is a block-levvel
replica of all blocks on all the servers
volumes. Ra ather than coppying files and folders
to backup media,
m the undderlying block ks are
copied acrooss to the backkup media.
Incrementa al backup. An incremental ba ackup is
a copy of only
o those bloccks that have
changed sin nce the last full or incremental
backup. Du uring an incremmental backup p, these
blocks are copied
c across to the backup p media.
When this process
p complletes, the block ks are then maarked as backeed up. During recovery, the o original
set of block
ks is restored. Then,
T each sett of incrementaal blocks are aapplied, bringing the recovered data
back to thee appropriate state
s in a consistent manner .
Backup
B Tecchnologiess
Most
M backup prroducts in use today use the
e VSS
in
nfrastructure th
hat is present in
i Windows Seerver
20012. Some older applications, however, usse
sttreaming backup. It may be necessary to support
su
uch applicationns in complex heterogeneou us
ennvironments.
O of the challenges of perfforming backups is

One
ennsuring the co onsistency of thhe data that yo ou are
baacking up. Bacckups do not occur
o instantly, they
ca
an take second ds, minutes, orr hours.
Unfortunately, servers
s are nott static and thee state
off a server at th
he beginning ofo a backup miight
noot be the same e state that the
e server is in when
w up completes.. If you do not take consisten
the backu ncy
acccount, this can cause proble ems during resstoration becaause the config
guration of the e server may h
have
ch
hanged during g the backup.
VSS
V
VSSa technology that Micro osoft included with Window ws Server 2003 R2, and which h is present in all
neewer server opperating system
mssolves the e consistency p
problem at thee disk-block le
evel by creating g what
is known as a sh hadow copy. A shadow copyy is a collectionn of blocks on a volume thatt is frozen at a specific
pooint in time. Changes can still be made to the disk, but w
when a backup p occurs, the ccollection of frrozen
blocks are back ked up, which means
m that any changes tha t might have ooccurred since e the freeze are e not
baacked up.
Creating a shad
dow copy tells the operating system first too put all files, ssuch as DHCP databases and d Active
Directory datab
base files, in a consistent
c state for a momen
nt. Then the cu urrent state off the file system
m is
7-10 Implemennting Disaster Recoveery
reco
orded at that specific
s point in time. After VSS
V creates thee shadow copyy, all write accesses that wou uld
overwrite data, stoore the previous data blockss first. Therefo re, a shadow ccopy is small in
n the beginnin ng,
and it grows over the time as da ata changes. By
B default, the operating systtem is configu ured to reserve e 12
perccent of the vollume for VSS data,
d and VSS automatically
a deletes older snapshots whe en this limit is
reacched. You can change this default value, and you can ch hange the defaault location of the VSS dataa. This
ensuures that the backup
b has a snapshot of the e system in a cconsistent state, no matter hhow long it acttually
es to write the backup data to
take t the backup storage devicce.
Streaming Bacckup
Stre
eaming backup p is often used
d by older appllications that d do not use VSSS. You back up p applications that
are not VSSaware by using a method
m knownn as a streamin ng backup. In ccontrast to VSSS where the
opeerating system ensures that data
d is kept in a consistent sttate and at a ccurrent point in time, when yyou
use streaming bacckup, the application or the data protectio on application is responsible
e for ensuring tthat
the data remains in a consistentt state. In addition, after streeaming backup p completes, some files havee the
state they had in the
t beginning of the backup p, while other files have the state of the ennd of the backkup
window.
Pla
anning Bacckup Capa
acity
Whe en you develoop an enterprisse recovery
strategy, you need d to determinee how much
storrage capacity your
y organizattion will requirre for
backups. The folloowing factors affect
a the amo ount
of space that is re
equired to store backup data a:
Space require
ements for a fu
ull backup
ements for an incremental
Space require
backup
Amount of tim
me required to
o back up
Backup frequency
Backup retention
Full Backup Re
equirements
To calculate
c the space required for a full back
kup, determinee how much sp pace from all vvolumes you w
will
need to back up. If the server ha
as a dedicatedd drive for bac kups, you wou
uld not performm a backup on
n that
drivve.
With products thaat perform imaage-based bacckups, such as Windows Servver Backup, this data is not
com
mpressed. On some
s types of servers, notab
bly file servers, the amount o
of space requirred for a full baackup
growws over time. You
Y can lessen n this tendencyy by using file expiration policies such as tthose found inn File
Servver Resource Manager
M (FSRMM).
Inccremental Ba
ackup Requ
uirements
An incremental
i baackup on Wind
dows Server Backup stores aall of the hard disk blocks that have chang ged
o incremental backup. Incre
sincce the last full or emental backuups are substan ntially faster th
han full backups
and require less space. The dow wnside of incre
emental backu ps is that theyy can require g greater recoverry
time e.
Amount
A of Time
T Requirred to Back up
Th
he amount of time required to write data from the serveer being backeed up to the b
backup storage
e device
ca
an have an imppact on projeccted RPO, becaause it is not reecommended to begin a ne
ew backup opeeration
prior to the com
mpletion of the
e current one.
Backup
B Frequency
Ba
ackup frequency is a measurre of how often n backups are taken. With in ncremental blo ock-level backups, no
su
ubstantial diffe
erence will exisst between thee amount of daata written ov er the sum of four 30-minutte
se
essions and onne 2-hour incre emental sessioons on the samme server. This is because ove er the two houurs, the
sa
ame number of o blocks will have changed on o the server aas the four 30--minute sessio ons. However, tthe four
30
0-minute sessiions have brok ken it up into smaller
s parts. W
When backupss occur more ffrequently, the ey
re
educe the time e required to perform
p the baackup by splittting it into smaaller parts. The
e overall total w
will be
ab
bout the same e.
Backup
B Rete
ention
When
W attemptinng to determinne the required backup capaacity, you shou uld determine precisely howw long
yo
ou need to rettain backup daata. For exampple, if you need
d to be able to
o recover to anny backup poin nt in the
la
ast 28 days, and
d you have reccovery points generated
g eveery hour, you w
will need moree space than iff you
haave recovery points
p generated once a dayy and you onlyy need to resto ore from the laast 14 days.
Planning
P Backup Security
When
W planning your backup security, consider the
fo
ollowing:
Backups co ontain all organ

nizational data a. By
nature, bacckups will contain all the data
necessary to ensure your organizationss
continued ability
a to functtion in the eveent of
failure. Because this data is likely to con
ntain
sensitive infformation, you
u should prote ect it
with the same level of diligence as it is
protected with
w when hosted on the serrver.
Access to backup
b media means access to all
data. If feassible, use administrative role
e
separation to ensure thatt the users who o back up the data are not tthe users who can restore it. In high
security envvironments, en nsure that backup and resto re operations are properly aaudited so thatt you
can track backups, and re estore functionn activity.
Windows Server Backup does

d not encryypt backups. W Windows Serveer Backup writes backups in VHD
format. This means that anyone
a who ha Windows 8 or Windows Servver 2012 can m
as access to W mount
those backuups as volumees, and then exxtract data from
m them. An evven more sophhisticated attacck
might inclu
ude booting into the backup p VHD to impeersonate the baacked up systeem on the
organizatio
onal network.
Keep backu up media in a secure

s location. At a minimu um, backups should be keptt locked up in a secure
location. If your organization is backingg up to disk drrives that are aattached to servers by USB ccable,
ensure thatt those disk drives are lockedd in place, eve n if they are lo
ocated in a seccure server roo
om, and
even if your organizationns server roomm has a securityy camera.
Wh
hat Is Wind
dows Serv
ver Backup
p?
The Windows Servver Backup fea ature in Windo
ows
Servver 2012 consists of a Microssoft Managemment
Connsole (MMC) sn nap-in, the commmand wbadm min,
and Windows Pow werShell com mmands. You ca an
use wizards in the
e Windows Serrver Backup fea ature
to guide
g you thro
ough running backups
b and
reco
overies.
You
u can use Wind
dows Server Ba
ackup 2012 to back
up:
Full server (all volumes).
Selected volu
umes.
Select specificc items for bacckup, such as specific

s folderss or the system
m state.
In addition, Windows Server Backup 2012 allo
ows you to:
Perform a bare-metal resto ore. A bare-me etal backup con ntains at least all critical volu
umes, and allo
ows
you to restore
e without first installing an operating
o systeem. You do this by using the e product med dia on
a DVD or USB B key, and the Windows Recovery Environ ment (Window ws RE). You can n use this backkup
type together with the Win ndows RE to recover from a h hard disk failure, or if you haave to recoverr the
whole compu uter image to new
n hardware.
up contains all information tto roll back a sserver to a spe
Use system sttate. The backu ecific point in ttime.
However, youu need an operating system installed priorr to recovering g the system sttate.
Recover indivvidual files and

d folders or vollumes. The Ind dividual files and folders o option enabless you
to select to back up and resstore specific files,
f folders, o
or volumes, or yyou can add specific files, fo
olders,
or volumes to o the backup when
w you use an option such h as critical vo
olume or system
m state.
Exclude selected files or file

e types. For exa
ample, you ca n exclude tem
mporary files fro
om the backup
p.
Select from more
m storage lo
ocations. You can
c store backkups on remotte shares or no
on-dedicated
volumes.
Use the Micro

osoft Online Backup Service.. The Microsofft Online Backuup Service is a cloud-based
backup solutiion for Window
ws Server 2012
2 that enabless files and foldeers to be backked up and
recovered fro
om the public or
o private clou
ud to provide ooff-site backupp.
If th
here are disaste
ers such as harrd disk failuress, you can perfform system reecovery by using a full serve
er
backup and Wind dows REthis will
w restore your complete syystem onto th he new hard disk.
De
guring a Sccheduled Backup
In th
his demonstration, you will sees how to con nfigure Windo 12 to perform a scheduled backup
ows Server 201
of specific folders, with a filter to exclude speccific file types.
Dem
monstration
n Steps
1. On LON-SVR1, start Windo
ows Server Backup.
2. Configure the
e backup schedule with the following
f opti ons:
o Backup Configuration:
C Custom and C:\HR
C Data fo
older is backed
d up, with the e
exception of C
C:\HR
Data\Old
d HR file.txt
o Backup
p Time: Once a day, 1:00 AM
M
o Destina ack up to a shared network

ation Type: Ba k folder
o Remote Shared Folde
er: \\LON-DC1\Backup:
Re
egister Backup Schedule: Use
ername: Admi nistrator
Password: Pa$$w
w0rd
3.. Run the Bacckup Once Wizard using the
e scheduled baackup options..
4.. Close Wind

dows Server Ba
ackup.
What
W Is On
nline Backu
up?
Th
he Microsoft Online
O Backup Service is a clooud-
ased backup solution for Windows Server 2012
ba
th
hat is managed d by Microsoftt. You can use this
se
ervice to back up files and fo
olders, and to recover
r
th
hem from the public or priva ate cloud to prrovide
offf-site protection against datta loss caused by
diisasters. You ca
an use Microsooft Online Bacckup
ervice to back up and protecct critical data from
Se
an
ny location.
Microsoft
M Onlinne Backup Servvice is built on the
Windows
W Azuree platform, annd uses Windo ows
Azure blob storrage for storing
g customer da ata.
Windows
W Server 2012 uses the downloadab ble Microsoft OOnline Backup Service Agentt to transfer fille and
fo
older data secu
urely to the Miicrosoft Onlinee Backup Serviice. After you iinstall the Microsoft Online Backup
Se
ervice Agent, the
t agent integ grates its functtionality throu
ugh the Windoows Server Bacckup interface.
Key
K Featuress
Thhe key feature
es that Window
ws Server 2012
2 provides thro
ough the Micro
osoft Online B
Backup Service
in
nclude:
Simple configuration and

d managementt. Integration wwith the Windows Server Backup tool provvides a
seamless ba
ackup and recovery experien
nce to a local d
disk, or to a clo
oud platform. Other feature
es
include:
o Simple user interface

e to configure and monitor b
backups.
o Integra
ated recovery experience
e to recover files a nd folders fro m local disk or from a cloud
d
platform.
o Easy da
ata recoverability for data th
hat was backed
d up onto any server of yourr choice.
o Scriptin
ng capability that is provided dows PowerSheell command-line interface.
d by the Wind
Block-level incremental backups.

b The Microsoft
M Onlinne Backup Ageent performs incremental baackups
by tracking file and block
k-level changes, and only traansferring the changed blocks, which reduuces the
storage andd bandwidth usage.
u Differen me versions of tthe backups use storage efficiently
nt point-in-tim
by only storing the changged blocks bettween these veersions.
Data compression, encryp ottling. The M icrosoft Onlinee Backup Service Agent ensu
ption, and thro ures
that data iss compressed and
a encrypted d on the serverr before it is seent to the Micrrosoft Online B
Backup
Service on the
t network. Therefore,
T the Microsoft Onl ine Backup Seervice only storres encrypted data in
cloud storage. The encrypption passphraase is not availlable to the M icrosoft Onlinee Backup Service, and
therefore, the
e data is neverr decrypted in the cloud. In aaddition, userss can set up throttling and
configure howw the Microsoft Online Back kup Service usees the networkk bandwidth w when backing uup or
restoring info
ormation.
Data integrityy verified in the cloud. In add

dition to the s ecure backupss, the backed u up data is also
o
checked autoomatically for integrity after the backup co ompletes. Therrefore, any corrruptions that may
e of data transffer can be easiily identified. TThese corrupti ons are fixed aautomatically in the
arise because
next backup.
Configurable retention poliicies for storing

g data in the ccloud. The Miccrosoft Online Backup Servicce
accepts and implements rettention policie es to recycle baackups that exxceed the desired retention
range, thereb
by meeting bussiness policies and managing g backup costts.
Reference Links: You can

n find out morre about Wind
dows Azure at:
p://www.windo
http owsazure.com//en-us/home/features/stora ge/
Co
onsideratio
ons for an Enterprise
e Backup SSolution
Winndows Server Backup
B is a single-server bacckup
ution. When planning backup for an enterprise,
solu
consider the following points:
Maximum am mount of data lost. What is th he

theoretical RP PO of the prodduct? Productss that
offer restoration closer to the point of the e
failure are like
ely to cost mo
ore than produ ucts
that offer 15 minute or 30 minute
m RPOs. You
need to deterrmine your org ganizations neeeds.
Does your org ganization nee ed to be able to
t
recover to the e last SQL Servver transaction
n, or
is a 15-minute recovery win ndow an
acceptable co ompromise?
How quick is RTO recovery?? How long do oes it take to g

go from failuree to restored fu unctionality? B
Being
able to restorre to the last SQL Server trannsaction is the optimal solutiion, but if it taakes two days tto
recover to thaat point, the soolution is not looking
l as goo
od.
Does the solu

ution provide centralized
c bacckup? Does th
he product allo
ow you to centtralize your backup
solution on one
o server, or must
m backups be performed directly on eaach server in th
he organization?
n supported by vendors? Some vendors usse undocumen

Is the solution nted applicatio
on programmiing
interfaces (APPIs) to back up
p and recover specific
s produccts, or to backk up files witho
out ensuring th
hat
the service is at a consistent state.
Is the backup
p solution compatible with yo our applicatio ns? For examp
ple, a new upd
date to a produ
uct
makes the baackup solution incompatible.. Check with th he application vendor to dettermine wheth
her
the enterprise
e backup soluttion is supportted.
Recovery point capacity. De etermine whatt the recovery point capacityy of the product is. How man ny
restore pointss does the enterprise data protection soluttion offer, and
d is this adequaate for your
organizations needs?
What
W Is Data Protecttion Manag
ger?
DPM is a Microssoft enterprise
e data protection and
re
ecovery product with the following featurees:
Backup cen ntralization. DP

PM uses a
er architecture, where the client
client/serve
software is installed on alll the compute ers that
are to be backed up. Tho ose clients strea
am
backup datta to the DPM server. This allows
each DPM server
s to suppport entire sma all to
medium-sizzed organizations. You can also a
manage mu ultiple DPM se ervers from one
centralized DPM console.
15-minute RPO. DPM allo

ows 15-minute e
snapshots of
o supported products.
p This includes most of the Microssoft enterprise suite of produ
ucts,
including Windows
W er with its roless and services, Exchange Serrver, Hyper-V
Serve , and SQL Serrver.
Supports Microsoft
M worklloads. DPM waas designed sp
pecifically by M
Microsoft to su
upport Microso oft
applications such as Exchhange Server, SQL
S Server, and
d Hyper-V. Ho owever, DPM h has not been
specifically designed to support non-M
Microsoft serve r applications that do not haave consistentt states
on disk, or that do not su
upport VSS.
Disk-based backup. DPM can perform scheduled bacckups to disk aarrays and storrage area netw works
(SANs). You
u can also conffigure DPM to
o export specif ic backup dataa to tape for re
etention and
compliancee related tasks..
Remote sitee backup. DPMM uses an architecture that aallows it to bacck up clients thhat are located
d in
remote sitees. This means that a DPM seerver that is loccated in a head office site caan perform backups
of servers and
a clients thatt are located across
a wide areea network (W WAN) links.
Supports Ba ackup to Cloud strategies. DPM

D supports backup of DPM M servers. Thiss means that a DPM
server at a cloud-based hosting
h facility can be used tto back up thee contents of a head office D
DPM
server. For disaster redun
ndancy, you can also configu ure DPM servers to back up e each other.
Lesson 3
Implem
menting
g Server and Data
D Reccovery
Recovering serverrs and data reqquires well-deffined and docu umented proccedures that addministrators ccan
follo
ow when failurres occur. The recovery proccess also requirres knowledgee of the backup and restore
harddware and softtware, such as DPM, and tap pe library devicces.
Thiss lesson describ d servers by usiing the Windo

bes how to resstore data and ows Server Bacckup feature in
n
Win
ndows Server 2012,
2 and Micrrosoft Online Backup
B Servicee in Windows SServer 2012.
Op
ptions for Server
S Reccovery
Win
ndows Server Backup
B in Winddows Server 2012
provvides the following recoveryy options:
Files and folders. You can back

b up individ
dual
files or folderrs as long as th
he backup is on
n
separate volu ume or in a rem mote shared foolder.
Applications and
a data. You can recover
applications and
a data if the e application has
h a
VSS writer, an
nd is registered
d with Window ws
Server Backupp.
Volumes. Restoring a volum me always resto

ores
all the conten
nts of the volume. When you u
choose to resstore a volumee, you cannot restore
r ders.
individ ual files or fold
Operating sysstem. You can recover the operating systeem through W indows RE, the
e product DVD
D, or a
USB flash drivve.
ou can recoverr the full server through Win

Full server. Yo ndows RE.
System state. System state creates

c a pointt-in-time backkup that you caan use to resto
ore a server to
oa
previous workking state.
The Recovery Wizzard in Window

ws Server Back
kup provides s everal optionss for managing
g file and folde
er
reco
overy. They are
e:
Recovery De
estination. Under Recovery Destination, yo
ou can select aany one of the
e following opttions:
o Original location. The

e original locattion restores th
he data to the location to wh
hich it was baccked
up origin
nally.
o Anotherr location. Ano

other location restores the d
data to a differrent location.
Conflict Reso olution. Restooring data from

m a backup freequently confliicts with existin
ng versions of the
data. Conflictt resolution allo etermine how tto handle thosse conflicts. When these con
ows you to de nflicts
occur, you haave the following options:
o Create copies and rettain both verssions.
o Overwritte existing ve
ersion with recovered versiion.
o Do not recover
r items if they alread
dy exist in the
e recovery loccation.
Security Setttings. Use this option to resttore permissio

ons to the dataa that is being recovered.
Options
O forr Server Re
estore
Yoou perform server restore byy starting the
omputer from the Windows Server 2012
co
in
nstallation meddia, selecting the computer repair
r
opption, and then selecting the e full server restore
opption. Alternattively, you can use the installation
media
m on a USBB flash drive, or using Windo ows RE.
When
W you perfo
orm full serverr restore, consiider the
fo
ollowing:
Bare-metal restore. Bare--metal restore is the

process durring which you u restore an exxisting
server in itss entirety to ne
ew or replacemment
hardware. When
W you perfform a bare-mmetal
restore, thee restore proce eeds and the seerver restarts. Later, the servver becomes o
operational. In some
cases, you may
m have to re eset the computers Active D Directory accou unt, because these accountss can
sometimes become desyn nchronized.
Same or larrger disk drives. The server hardware

h to whhich you are reestoring must have disk drivves that
are the sam me size or large er than the drives of the orig
ginal host servver. If this is no
ot the case, the
e restore
will fail. It iss possible, alth
hough not advisable, to succcessfully restor e to hosts thatt have slower
processors and less rando om access mem mory (RAM).
Importing to
t Hyper-V. Be ecause server backup
b data iss written to thee VHD format (which is also the
format thatt is used for virrtual machine hard disks), if you are carefu
ul it is possible
e, to use full se
erver
backup datta as the basis for creating a virtual machin ne. Doing this ensures business continuity while
he appropriate replacement hardware.
sourcing th
Options
O forr Data Reccovery
Data is the mosst frequently re ecovered comp ponent
off an IT infrastructure. This is due to users
acccidently deletting data, and needing you to t
re
ecover it. There e are several sttrategies that you
y
ca
an pursue whe en you are devveloping a data a
re
ecovery proced dure. You can:
Allow userss to recover their own data.
Perform a recovery
r to an alternative loccation.
Perform a recovery
r to the
e original locattion.
Perform a full
f volume reccovery.
Users
U Recove
er Their Ow
wn Data
Th
he most comm mon form of da ata recovery performed
p by I T departments is the recove ery of files and folders
th o in some way corrupted. TThe Previous V
hat users have deleted, lost, or Versions of Fiiles functionality that
was
w introduced in Windows ServerS 2003, (w
which you can also enable on n all computerrs running Win ndows
Se
erver 2012,) lets users recoveer their own filles using the f ile or folder prroperties rightt from their
workstation.
w Aftter end-users are
a trained how to do this, t he IT departm ment spends lesss time recove ering
h allows them to focus on more
usser data, which m valuable ttasks.
From a planning perspective, you should consider increasing the frequency at which snapshots for
previous versions of files are generated. This gives users more options when they try to recover their files.
Recover Data to an Alternative Location

A common recovery problem is the unintentional replacement of important data when recovering from
backup. This can occur when recovery is performed to a location with live data, instead of to a separate
location where the necessary data can be retrieved and the unnecessary data discarded.
When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material, to a location where
permissions are not applied, thereby enabling unintended access to data for users that should not have it.
Recover Data to the Original Location

During some types of failures, such as data corruption or deletion, you will have to restore data to the
original location. This is the case when applications or users who access the data are preconfigured with
information about where the data is located.
Recover a Volume
If a disk fails, the quickest way to recover the data could be to perform a volume recovery, instead of a
selective recovery of files and folders. When you perform a volume recovery, you must check whether any
shared folders are configured for the disks, and whether the quotas and FSRM management policies are
still in effect.
Note: During the restore process, you should copy event logs before you start the restore
process. If you overwrite the event log filesfor example with a system recoveryyou will be not
able to read event log information that occurred before the restore started. That event log data
could lead you to information about what caused the issue.
Demonstration: Using Windows Server Backup to Restore a Folder

In this demonstration, you will see how to use the Recovery Wizard to restore a folder.
Demonstration Steps
1. On LON-SVR1, delete the C:\HR Data folder.
2. In Windows Server Backup, run Recovery Wizard and specify the following information:
o Getting Started: A backup stored on another location
o Specify Location type: Remote Shared Folder
o Specify Remote Folder: \\LON-DC1\Backup
o Select Backup Date: Default value, Today
o Select Recovery Type: Default value, Files and Folders
o Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data
o Specify Recovery Options: Another Location (C:)
3. In Windows Explorer, browse to C:\, and ensure that the HR Data folder is restored.
Restoring
R with
w an On
nline Backu
up Solutio
on
Yo
ou can use thee Microsoft On
nline Backup Service
o back up onlyy Windows Server 2012 serve
to ers.
However, you do
d not have to restore data on
o to
th
he same serverr from which you
y backed it up.
u
Yoou can recover files and fold

ders by using both
b
Microsoft
M Onlin
ne Backup MM MC in Server Ma anager,
orr by using the Windows Pow werShell comm
mand-
lin
ne interface. To use the Micrrosoft Online Backup
B
MMC,
M perform the following steps:
1.. Select the server
s on which backup data a was
created orig erver could be a local
ginally. This se
nother server. If you select th
server or an he
option for another
a serverr, you must pro
ovide your Miccrosoft Onlinee Backup Servicce administrattor
credentials..
2.. Browse for files that have

e to be restored, or you can ssearch for them in the Micro
osoft Online Backup
Service.
3.. ocate the files, select them fo

After you lo or recovery, an e the files will be
nd select a loccation to where
restored.
4.. When resto

oring files, sele
ect one of the following
f opti ons:
o Create copies so thatt you have botth the restoredd file and origiinal file in the same location
n. The
restore
ed file has its name
n in the folllowing formatt: Recovery Daate+Copy of+Original File N Name.
o Overwrrite the existing versions with the recovereed version.
o Do nott recover the ittems that alrea

ady exist on th
he recovery deestination.
After you comp t files will bee restored on to the Window

plete the restorre procedure, the ws Server 2012
2 server
th
hat is located in your site.
Lab: Implementing Windows Server Backup and Restore

Scenario
Much of the data that is stored on the A. Datum Corporations network is extremely valuable to the
organization. Losing this data would be a significant loss to the organization. Additionally, many of the
servers that are running on the network provide extremely valuable services for the organization, which
means that losing these servers for a significant period of time would also result in losses to the
organization. Because of the significance of the data and services, it is critical that they can be restored in
the event of disaster.
A. Datum is considering backing up critical data to a cloud-based service. A. Datum is also considering this
as an option for small branch offices that do not have a full data center infrastructure.
As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a disaster recovery solution that will ensure that critical data and services can be recovered
in the event of any type of failure. You need to implement a backup and restore process that can recover
lost data and services.
Objectives
Back up data on a Windows Server 2012 server.
Restore files using Windows Server Backup.
Implement Microsoft Online Backup and Restore.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
MSL-TMG1
20412A-LON-DC1
Virtual 20412A-LON-SVR1
Machine(s) MSL-TMG1
Password Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1.

6. Repeat step 2 for MSL-TMG1.
Exercise 1: Backing Up Data on a Windows Server 2012 Server

Scenario
The LON-SVR1 server contains financial data that must be backed up on a regular basis. This data is
critical to the organization. You decided to use Windows Server Backup to back up critical data. You will
to install this feature and configure scheduled backups.
1. Install Windows Server Backup.
2. Configure a scheduled backup.
3. Complete an on-demand backup.
Task 1: Install Windows Server Backup

2. From Server Manager, install the Windows Server Backup feature. Accept the default values on the
Add Roles and Features Wizard.
Task 2: Configure a scheduled backup

1. On LON-SVR1, start Windows Server Backup.
2. Configure the backup schedule with the following options:
o Backup Configuration: Full server (recommended)
o Backup Time: Once a day, 1:00 AM

o Destination Type: Back up to a shared network folder
o Remote Shared Folder: \\LON-DC1\Backup

Register Backup Schedule: Username: Administrator
Password: Pa$$w0rd
Task 3: Complete an on-demand backup

1. On LON-SVR1, start Windows Server Backup.
2. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder, \\LON-
DC1\Backup.
Results: After completing this exercise, you will have configured the Windows Server Backup feature,
scheduled a backup task, and completed an on-demand backup.
Exercise 2: Restoring Files Using Windows Server Backup

Scenario
To ensure that the financial data can be restored, you must validate the procedure for restoring the data
to an alternate location.
1. Delete a file from the server.
2. Restore a file from backup.

Task 1: Delete a file from the server

On LON-SVR1, open Windows Explorer and then delete the C:\Financial Data folder.
Task 2: Restore a file from backup

1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:
o Getting Started: A backup stored on another location
o Specify Location type: Remote Shared Folder
o Specify Remote Folder: \\LON-DC1\Backup
o Select Backup Date: Default value, Today
o Select Recovery Type: Default value, Files and Folders
o Select Items to Recover: LON-SVR1\Local Disk (C:)\Financial Data
o Specify Recovery Options: Another Location (C:)
2. Open drive C:\, and ensure that the Financial Data folder is restored.
Results: After completing this exercise, you will have tested and validated the procedure for restoring a
file from backup
Exercise 3: Implementing Microsoft Online Backup and Restore

Scenario
A. Datum has to protect critical data in small branch offices. These offices do not have backup hardware
and full data center infrastructures. Therefore, A. Datum has decided to back up the critical data in branch
offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012.
1. Install the Microsoft Online Backup Service component.
2. Register the server with Microsoft Online Backup Service.
3. Configure an online backup and start a backup.
4. Restore files using the online backup.

5. Unregister the server from the Microsoft Online Backup Service.
Task 1: Install the Microsoft Online Backup Service component

1. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent,
OBSInstaller.exe.
2. Start installing Microsoft Online Backup Agent by double-clicking the installation file
OBSInstaller.exe.
3. Complete the setup by specifying the following information:
o Installation Folder: C:\Program Files
o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
o Microsoft Update Opt-In: I don't want to use Microsoft Update
4. Verify the installation and ensure that you receive the following message: Microsoft Online Backup
Service Agent installation has completed successfully.
5. Clear the Check for newer updates check box, and then click Finish.
6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and
Microsoft Online Backup Service Shell.
Task 2: Register the server with Microsoft Online Backup Service

Before you register the server, you must rename LON-SVR1 to YOURCITYNAME-YOURNAME. For
example: NEWYORK-ALICE. This is because you will perform this exercise online, and therefore the
computer names used in this lab should be unique. If there is more than one student in the classroom
with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart
YOURCITYNAME-YOURNAME.
2. Wait until YOURCITYNAME-YOURNAME has restarted, and then log on as Adatum\Administrator

with password Pa$$w0rd.
3. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following
information:
o Username: holuser@onlinebackupservice.onmicrosoft.com
Note: In a real-life scenario, you would type the username and password of your Microsoft Online
Backup Service subscription account.
o Enter passphrase: Pa$$w0rdPa$$w0rd Confirm passphrase: Pa$$w0rdPa$$w0rd
4. Verify that you receive the following message: Microsoft Online Backup Service is now available for
this server.
Task 3: Configure an online backup and start a backup

1. Switch to the Microsoft Online Backup Service console.
2. Configure an online backup by using the following options:
o Select Items to back up: C:\Financial Data
o Specify Backup Time: Saturday, 1:00AM
o Specify Retention Setting: Default values
3. In the Microsoft Online Backup Service console, click Backup Now.
Task 4: Restore files using the online backup

1. On LON-SVR1, open Windows Explorer and delete C:\Financial Data.
3. Restore files and folders by using the Recover Data option, and specify the following information:
o Identify the server on which the backup was originally created: This server
o Select Recovery Mode: Browse for files
o Select Volume and Date: C:\ and date and time of the latest backup
o Select Items to Recover: C:\Financial Data
o Specify Recovery Options: Original location and Create copies so that you have both versions
4. In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive
C.
Task 5: Unregister the server from the Microsoft Online Backup Service
2. Unregister the server from the Microsoft Online Backup Service using the following credentials:
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.

4. Repeat steps 2 and 3 for 20412A-LON-SVR1, and MSL-TMG1.


Question: You want to create a strategy the covers how to back up different technologies
that are used in your organization such as DHCP, DNS, AD DS, and SQL Server. What should
you do?
Question: How frequently should you perform backup on critical data?

The server has suffered a major failure on

its components.

If a failure were to occur, your organization needs information about which data to back up, how
frequently to back up different types of data and technologies, where to store backed up data (onsite or
in the cloud), and how fast it can restore backed-up data. How would you improve your organizations
ability to restore data efficiently when it is necessary?
Answer: Your company should develop backup and restore strategies based on multiple parameters, such
as business continuity needs, risk assessment procedures, and resource and critical data identification. You
must develop strategies that should be evaluated and tested. These strategies should take into
consideration the dynamic changes occurring with new technologies, and changes that occur with the
organizations growth.
Best Practice:
Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.
Identify with the organizations business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.
Always test backup and restore procedures regularly. Perform testing in a non-production and
isolated environment.
Tools
Tool Use Where to find it
Windows Server Performing on demand or scheduled Server Manager - Tools

Backup backup and restoring data and servers
Microsoft Performing on-demand or scheduled Server Manager - Tools

Online Backup backup to the cloud, and restoring data
Service from the backup located in the cloud
8-1
Module 8
Implementing Distributed Active Directory Domain Services
Deployments
Contents:
Module Overview 8-1
Lesson 1: Overview of Distributed AD DS Deployments 8-2
Lesson 2: Deploying a Distributed AD DS Environment 8-9

Lesson 3: Configuring AD DS Trusts 8-18
Lab: Implementing Complex AD DS Deployments 8-23
Module Overview
For most organizations, the Active Directory Domain Services (AD DS) deployment may be the single
most important component in the IT infrastructure. When organizations deploy AD DS or any of the other
Active Directorylinked services within the Windows Server 2012 operating system, they are deploying a
central authentication and authorization service that provides Single Sign On (SSO) access to many other
network services in the organization. AD DS provides the primary security mechanism for authentication
and authorization within most organizations, and enables policy-based management for user and
computer accounts. With other AD DS services, you can extend some of this functionality to users who are
external to the organization.
This module will describe the key components of a complex AD DS environment, and how to install and
configure a highly complex AD DS deployment.
Objectives
Describe the components of distributed AD DS deployments.

Explain how to deploy a distributed AD DS deployment.
Explain how to configure AD DS trusts.
Explain how to implement complex AD DS deployments.

8-2 Implementing Distributed Activve Directory Domain Services Deploymentts
Lesson 1
Overviiew of Distribu
D uted AD
D DS Deployme
ents
Befoore starting to configure a co
omplex AD DS S deployment, it is importan
nt to know the components tthat
com a how they interact with eeach other to h
mprise the AD DS structure, and help provide a scalable and more
secu
ure IT environm ment. The lesson starts by exxamining the vvarious compo
onents of an A
AD DS environm ment,
in particular,
p dom
mains, trees andd forests.
Lessson Objectiives
Afte
ou will be able to:
Describe the components of

o an AD DS en
nvironment.
Explain how AD
A DS domain
ns and forests form
f boundarries for securityy and administtration.
Explain reasons for having more than one
e domain in an
n AD DS enviro
onment.
Explain reasons for having more than one

e forest in an A
AD DS environ
nment.
Explain the im
mportance of Domain
D Name
e System (DNS)) in a complexx AD DS structu
ure.
Outline the options
o for upg
grade and coexxistence with p
previous AD D
DS versions.
Disscussion: Overview
O of
o AD DS Componen
C nts
An AD
A DS environ nment has variious components,
and it is importannt for you to unnderstand the
purpose of each component,
c an
nd how they
inte
eract with eachh other. Some of the AD DS
environment com mponents are domains,
d trees,, and
fore
ests. There is one global cataalog in each fo orest,
and there are trusst relationshipss. It is also
impportant to unde erstand the puurpose and benefit
of these compone ents.
Question: What is an AD DS
D domain?
D domain tree
e?
D forest?
Question: What are trust re
elationships?
Question: What is a global catalog?

Overview
O of
o Domain and Foresst Bounda ries in an A
AD DS Stru
ucture
As already discuussed, domains and forests provide
p
booundaries withhin the AD DS namespace. An A
unnderstanding ofo the differen
nt types of bou
undaries
is essential to managing
m a com
mplex AD DS
ennvironment.
Boundaries
B and
a Limits in AD DS
Domains
D andd Forests
Th
he AD DS dom main forms bou
undaries and liimits
fo
or several items:
All AD DS objects
o that exxist in a single domain
d
are stored in
i the AD DS database
d on eaach
domain con ntroller in the domain. The replication
r proocess ensures tthat all originaating updates aare
replicated to
t all of the other domain co ontrollers in thhe same domain. In large org ganizations whhere
there are a large numberr of changes, th he replication traffic can havve a noticeable e effect on nettwork
bandwidth between the domain
d contro
ollers. This is o ne of many fa ctors that youu must conside er when
designing an
a AD DS dom main structure.
The managgement of acce ess to resourcees is usually strraightforward within a single

e AD DS domaain.
Although you
y can grant users
u access too resources thrroughout the A AD DS forest, it is simpler to
o
manage pe ermission withiin the AD DS domain
d bound dary. This way, the administrators for the ddomain
have the peermission to do this in their own AD DS do omain.
Auditing is centrally managed by using g GPOs. The m aximum scopee of these settings is at the AAD DS
domain levvel. It is possible to have the same audit se ttings in differrent AD DS do
omains, but the
en they
must be ma anaged separa ately in each domain.
Group Policcies can be linked at the following levels: l ocal, site, dom
main, and orgaanizational unitt (OU).
Apart from site-level Group Policies, the scope of Gro oup Policies is the AD DSd domainthere e is no
inheritance
e of Group Poliicies from one AD DS domaiin to another, even if one AD D DS domain iis lower
than another in the DNS namespace.
The DNS se ervices work be est to support an AD DS envvironment wheen it is Active D DirectoryInte egrated.
This means that instead ofo the DNS reccords being sto ored locally onn each DNS Se erver in text file
es, they
are stored and
a replicated d in the AD DS database. Beccause it is the d database for the AD DS dom main, it
becomes th he limit of repllication of thosse records. Thee administrato or can then decide whether tto
replicate th
he DNS information to all do omain controlleers in the dom main (regardlesss of whether tthey are
DNS servers), to all doma ain controllers that are DNS sservers in the domain, or to all domain
controllers that are DNS servers
s in the forest.
f For thee last two optio
ons, separate rreplication parrtitions
(domainDn nsZones and fo orestDnsZones) exist. Alternaatively, it is posssible to createe a custom partition
where the administrator
a has to select manually
m which pate in its replication,
h domain conttrollers particip
but this meethod is not offten used.
Th
he AD DS forest acts as a bo
oundary for cerrtain replicatio
on and management areas:
The schema a partition conntains the ruless and syntax fo

or the AD DS d database. This is replicated tto all the
domain con ntrollers in the
e AD DS forest. Because the sschema may h have to be modified to supp port
certain app
plications that are
a integrated d with the AD D e to be careful control
DS database, tthere will have
over the schema modifica e allowed, partticularly to make sure that none of the upd
ations that are dates
adversely affect the opera ation of other applications oor the AD DS ddatabase itself..
The configu
uration partitioon contains the details of thee AD DS domaain layout, including: domains,
domain conntrollers, repliccation partnerss, site and sub
bnet informatio
on, and Dynam
mic Host
Configuratiion Protocol (DDHCP) authorization or the cconfiguration of Dynamic Acccess Control. The
configuration
n partition also
o contains information aboutt applications that are integrated with the
e
AD DS databa ase. An examp ple of one of th
hese applicatio
ons is Exchang
ge Server 2010.
The global caatalog is the re
ead-only list coontaining everyy object in thee entire AD DSS forest. To keeep it
to a managea able size the global catalog contains
c only some attributees for each objbject, but it can
n still
grow very large depending on the extentt of the organiization. The sizze of the globaal catalog and the
number of on ngoing change es to it are imp
portant factorss in the allocattion of which A
AD DS domain n
controllers wiill hold a copy of the global catalog. In ad dition, networrk bandwidth iis also an impo ortant
factor to take
e into account..
In an AD DS forest
f with mu ultiple AD DS domains,
d theree is a DNS zonee with forest-w
wide replicatioon.
This enables clients
c to locatte records for AD
A DS domain n controllers in
n other AD DSS domains. The ere
will be some DNS records that must be available to clieents in every d domainfor exxample, domain
controllers that store a copy of the globa al catalog. Wheen AD DS dom main controllerrs start up, they
register severral server (SRV)) resource reco
ords in the DNNS database. So ome of these rrecords must b be
replicated to every DNS serrver in the AD DS forest, nott just restricted d to the AD DSS domainwh hich
would be the e case if they were
w added to a regular Activve Directoryinntegrated DNSS zone. For thiis
reason, a speccial forest-leve
el DNS zone na amed forestDn nsZones is creaated, and the replication of this is
to all DNS serrvers in the ADD DS forest, ratther than to evvery DNS serveer or AD DS do omain controller in
the domain.
Wh
hy Implem
ment Multiple Domains?
Man ny organizatio
ons can functio
on adequately with
a sin
ngle AD DS do omain. Howeve er, some entitiies
requuire multiple domains
d for se
everal reasons:
The organizattion is decentrralized and can nnot

support the numbers
n of use
ers by using a
centralized AD DS model: In this case, AD D DS
replication ovver network linnks may put an n
undo strain on
o the network k connections. For
this reason, itt might be better to install a
separate AD DS D domain forr the remote
location. In practice, you wo ould not do thhis
unless there were
w a large number of acco ounts
that needed to t access the AD
A DS domain n controllers.
de a large AD DS database i nto more man

It may be neccessary to divid ons. By doing so,
nageable sectio
you can also reduce the impact of AD DS S replication tr affic on the neetwork.
There is a req
quirement for different
d DNS namespaces: SSometimes theere is a require ement to have
e more
than one DNS S namespace in
i an AD DS foorest. This is tyypically the casse when one coompany acquiires
another comp pany, or merges with anothe
er organization n, and there iss need to prese
erve the domaain
names from the
t existing ennvironment.
Security: Therre may exist se

ecurity or polittical requiremeents to have different parts oof the AD DS
database in different
d doma ains. If a compa up a facility in a foreign country and there
any is setting u e are
political or leg
gal reasons wh
hy the new org ganization hass to have a verry distinct secu
urity base, theyy may
need to imple ement separatte AD DS domains.
ot domain: It is best practice

Dedicated roo e to separate t he AD DS foreest root domaiin from the daay-to-
day AD DS se his model is sometimes referrred to as an e mpty root dom
erver usage. Th main or a dediicated
root domain. Other variants are the peer--root domain, and the desig gnated domain n.
The AD DS forest root do omain has two groupsthe Schema Admi ns group and the Enterprise e
Admins gro oupthat do notn exist in anyy other domaiin in the AD DDS forest. Becau
use these grouups have
far-reaching rights in the AD DS forest,, you may wan
nt to restrict th
he use of these
e groups by onnly using
the AD DS forest root domain to store them. In earlyy implementatiions of Active Directory, thiss model
was often referred
r t empty root domain mod
to as the del.
Compliance e: It may be de
esirable to havve all active do
omains at the ssame level in tthe namespace e, so
that your organization ca an utilize the empty
e root dom main model. Inn certain organizations, it may be
unacceptab ns in the same AD DS domain. The reason for this is thatt the
ble to have diffferent division
Domain Ad dmins in any AD DS domain have full cont rol over every object in the domain, and tthis may
violate certain corporate security policies. For examp ple, different deepartments wiithin an organization
may be req quired for legal compliance reasons
r to nott be in the sam
me AD DS dom main. In that case,
there is the ast to create a separate AD D
e need to at lea DS domain forr each departmment, if not a sseparate
AD DS forest.
Resource domains: For co

ompanies that have made th he decision to utilize multiple domains, it m
might
be more ap
ppropriate to provide
p separa
ate resource do
omains for ressources shared across the oth her
domains.
Why
W Implement Multiple Foressts?
Organizations
O may
m sometime es require that their
AD DS design comprises more e than one forrest.
Th
here are severa
al reasons whyy one AD DS foorest
may
m not be suffficient:
Security: If your organization requires isolated

security, theen you shouldd implement a
separate AD D DS forest. Th
he AD DS foresst root
domain hass the Schema Admins
A and
Enterprise Admins
A groupswhich can affect
all the dommains in the ADD DS forest. Separate
AD DS forests are often deployed
d by
governmen nt defense contractors and other
o
organizatioons where the isolation of security is a requ
uirement.
Schema mo odifications: Within

W your entterprise, there may be organ
nizational grouups that need sseparate
control of their
t Active Dirrectory schema. Because thee schema is shaared between the domains,
ntities within a common fore
multiple en est must agree to those channges, which miight take a largge
amount timme, or not be possible.
p There
efore, you mayy need to deplooy different fo
orests for those
e
groups.
Security bo
oundaries: If twwo or more inddependent org ganizations want to share ressources, but arre not in
a position where
w they are e prepared to trust
t the domaain administraators of the partners organizzations,
then separaate forests are needed. Havin ng an AD DS sstructure with multiple foressts provides seccurity
boundariess. Although do omains in different forests caan share resourrces, they rely on manually
implemente ed trust relatio
onships and addditional admiinistration. Eacch forest mainttains its own issolated
security dattabases and ru ules.
Politics: Som
me countries have
h strict controls over the ownership of enterprises within the counttry.
Having a se eparate AD DSS forest may prrovide the adm ministrative iso
olation to meet that need.
Note: The global

g catalog is available on
nly within a sin
ngle forest, so that when the
ere is
reso
ource sharing between
b moree than one foreest, there will b ookups in two or more
be directory lo
glob
bal catalogs.
Best Practicce: As a best practice,
p choosse the simplestt design that aachieves the re
equired
goa
al, as it will be less
l costly to im
mplement and
d more straigh
htforward to ad dminister.
DN
NS Require
ements forr Complex
x AD DS En
nvironmen
nts
For an AD DS dom main to functio on, it requires DNS.
There are many operations thatt rely on DNS
look t take place. Name resolution is
kups in order to
onee of the origina
al uses for Dom main Name System.
With name resolu ution, clients ca
an connect to
servvice points by using the DNS S name, which
reso
olves to an IP address.
a Howeever, because sos
man ny operations involve connecting to an AD D DS
dommain controllerr that offers a particular servvice.
AD DS requires se ervice (SRV) ressource recordss. If a
userr wants to log on to their AD D DS user acco ount,
thenn their system uses DNS look kups to find SRRV
reco main controller that is running the Kerbero
ords for a dom os service. Wheen AD DS dom main controllerss
need to communicate with each h other, they use
u SRV record ds in DNS. If th
he AD DS foresst contains mo ore
thann one domain,, then it is impportant to ensu ookups are succcessful for ressources that are in a
ure that DNS lo
diffe
erent domain from the DNS resolver (the clientc perform
ming the DNS lo ookup).
There are several important con
nfiguration are
eas that you neeed to addresss when deployying a DNS stru
ucture
to support a complex AD DS en nvironment:
DNS Client co onfiguration: Configure

C all co
omputers in thhe AD DS dom main with at leaast two addressses of
functional DN NS servers. All computers mu ust have good network conn DNS servers. Servers
nectivity with D
will usually bee configured statically, thus you should mo onitor their neetwork configuuration and
reconfigure asa necessary too meet any cha anges in the in
nfrastructure.
IP Address Management (IP PAM) monitoring: A recomm mended option n is to use IPAMM to monitor the IP
addressing, and the correctt functioning and
a availabilityy of DNS and D DHCP servers iin the AD DS fforest.
IPAM is new in i Windows Seerver 2012, and d it allows the central monittoring, reportin
ng, and
administration of decentralized DHCP and DNS servicees. When you aare installing IP PAM, you cannnot
install it on a domain controller, only on a domain mem mber server.
Event escalatiion options: If you have a monitoring soluution such as MMicrosoft Systtem Center 20 012 -
Operations Manager,
M ensurre that the eve
ents raised by IIPAM are escaalated in your gglobal monitoring
M will not provvide the same escalation opttions as a mon
solution. IPAM nitoring infrasttructure (for
example, notifications).
Verification: Verify
V that all of
o your compu uters, including
g domain conttrollers, are ab
ble to perform
successful DNNS lookups for key resourcess. Apart from rroutine name rresolution for host to IP
resolutions, all computers must
m be able to
o locate the SR
RV records forr domain contrrollers in the A
AD DS
domain and thet AD DS fore est.
Som
me of the wayss to enable succcessful DNS lo
ookups within a multi-domaain AD DS enviironment are:
CL1, the DNS resolver in the adatum.comm DNS domain can perform ssuccessful que eries for DNS
records in thee DNS domainn adatum.com by contacting DNS 1. This iss because DNSS 1 stores the zzone
file for the ad
datum.com DNNS domain. If DNS
D 1 receivess a DNS query for a node ou
utside of the lo
ocal
DNS domain, and if DNS 1 does not have the answer already cached in memory, it will by default
contact a DNS server from the Internet root DNS domain by using the root level hints configured by
default on the DNS server.
In order to speed up this process, you can configure DNS 1 to forward any queries that it cannot
resolve by itself to one or more specific DNS servers. In this case, it could forward any query that it
cannot resolve by itself to the DNS server for the Internet Service Provider (ISP). DNS 1 will utilize the
fact that DNS-ISP will have cached a large number of DNS lookup replies and can answer (non-
authoritatively) out of memory.
In a multi domain setting, you can configure DNS servers that receive DNS queries that they are
unable to resolve themselves, to forward these queries to other DNS server in the network. By using
forwarding, DNS servers can forward all their Internet DNS queries through a central DNS server,
which streamlines the process and speeds up the resolution time. This can greatly reduce the DNS
resolution traffic through the firewall.
If there are one or more separate DNS namespaces within your organization than can only be
resolved by internal corporate DNS servers, you can facilitate this process by configuring conditional
forwarders. The slide shows a separate DNS namespace for fabrikam.net, with its own DNS server,
DNS 4. DNS 1 can be configured with a conditional forwarder so that queries for records in the
fabrikam.net DNS namespace are directed to DNS 4, and all other queries are still forwarded to the
ISP-DNS server.
When there is a DNS domain that is lower in the DNS namespace (for instance the atl.adatum.com
domain), you must configure the DNS servers for the parent DNS domain to enable DNS resolution
for DNS records in the child domain. By default, DNS 1 has no knowledge of DNS 2. A delegated
domain record in DNS creates a special subdomain in the adatum.com DNS domain that lists one or
more DNS servers that store DNS records for the atl.adatum.com DNS domain. In this case, it will
enable DNS 1 to pass DNS queries for atl.adatum.com to DNS 2
Another option to allow DNS resolution in a disjointed DNS domain environment is to use a
secondary zone. In this example, DNS 1 will store a complete read-only copy of all the records in the
unix.net DNS zone. Because the records in the unix.net zone are updated regularly, the secondary
zone will contain an up-to-date copy of all of the records in the unix.net DNS zone. In a large
organization, this may involve a large amount of replication traffic, and if that traffic has a detrimental
effect on network connections, then it may not be the optimum solution. Note that in this scenario,
there will be virtually no DNS lookup traffic over the network to DNS 3, but there will be regular zone
transfer traffic.
The stub zone is another option for this case. The stub zone is a special type of secondary zone that
only stores read-only records for the DNS servers in the remote DNS domain. However, like a
standard secondary zone, the records are updated on a regular basis. The stub zone contains only the
DNS records for the DNS server names and their IP addresses. This solution will often be the preferred
option, because although there will be DNS lookup traffic over the network link, the stub zone update
traffic will be low, and it may be a better solution.
Note: Forwarders, conditional forwarders, and delegation are set up by an administrator,

and point to IP addresses of one or more DNS servers. These are entered manually, but the DNS
servers to which they refer may have changes and these will not update the DNS records
automatically. If you decide to use delegation, forwarding, or conditional forwarding, then there
will need to be a system for regularly checking that the IP addresses entered for those server
referrals are still valid. This would not be necessary if you use stub zones as the solution, because
they are regularly updated with fresh information.
Op
ptions for Upgrading
U g and Coex
xistence w
with Previo
ous AD DS Versions
If yo
our current AD
D DS environmment is runningg on
2 or Windo ow Server 2008 8
leveel AD DS domaain controllers,, you may wannt to
consider upgradinng to Window Server 2012.
AD DS has new fe eatures that are
e available onlly in
AD DS domains ru unning at Window Server 20 012
leveel.
ou decide to upgrade your existing

If yo e AD DSS
dom main controllerrs, you can upggrade them in
n
placce if they are running Windo ows Server 200
08 or
2 R2. Howeever, you cannot
upg grade previouss versions in place.
There are three op
ptions for upg
grading your Active
A Directoryy domain conttrollers:
1. Upgrading th he existing AD DS domain co Windows Serverr 2012. This op

ontrollers to W ption involves
performing an in-place upg grade. The exissting AD DS do omain controlllers will be up
pgraded directly to
Windows Servver 2012. If thee AD DS forestt functional levvel is lower thaan Windows SServer 2012 levvel
then some schema upgrade es will need to
o be made befo ore starting th
he upgrade of the operating
systems. The version of Servver Manager that
t comes witth Windows Seerver 2012 is able to detect tthe
schema upda ates that are ne
ecessary, and will
w update thee schema as paart of the Servver Manager A AD DS
Installation wizard.
w
2. Joining one or
o more Windo ows Server 201 12 servers to th
he AD DS dom main, and prom moting them too be
AD DS domaiin controllers. The Windows Server 2012 s ervers will be able to join th he domain, butt
c be promoted to AD DS domain
before they can d controollers, there willl be some schema updates tthat
need to be peerformed. Agaain, the Server Manager AD D DS Installation
n wizard will peerform
automaticallyy. The AD DS domain
d and forest functiona l levels must b
be at least Winndows Server 2
2003
Native mode..
3. This third opttion does not immediately

i ra
aise the AD DSS domain to W Windows Server 2012, but rellies on
introducing one
o or more AD DS domainss that are runn ning Windows Server 2012. In this scenario o, one
or more AD DSD domains fro om another pa art of the foresst or even a different forest w
will be conneccted
to the origina
al domain withh trust relationships. This willl allow the diffferent AD DS ddomains to coexist
and share ressources. At som
me point in the e future, they ccan be consoliidated into on ne or more AD DS
domains runn ning at the Windows Server 2012 level.
Lesson 2
Deploying a Distributed AD DS Environment
This lesson outlines different ways to install an AD DS domain, and describes the different functional levels
of AD DS domains and forests. In this lesson, you will learn about some of the important points that you
must address when deploying a complex AD DS environment, and you will see how to upgrade from a
previous version of AD DS.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to install a domain controller in a new domain in a forest.
Describe AD DS domain functional levels.

Describe AD DS forest functional levels.
Explain how to upgrade a previous version of AD DS to a Windows Server 2012 version.
Explain how to migrate to Windows Server 2012 AD DS from a previous version.
Describe some important considerations for implementing a complex AD DS environment.
Demonstration: Installing a Domain Controller in a New Domain in a

Forest
In this demonstration, you will see how to install a domain controller in a new domain in a forest.
Demonstration Steps
Configure LON-SVR1 as an AD DS Domain Controller in atl.adatum.com

1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. On LON-DC1, in Server Manager, use the AD DS Installation Wizard to remotely install AD DS on
LON-SVR1.
3. Use the AD DS Installation Wizard to install and configure LON-SVR1 as an AD DS domain controller
in a new domain, atl.adatum.com.
Access LON-SVR1 as Adatum\Administrator

1. Select options to install DNS and global catalog, and set the password for the Directory Services
Restore Mode administrator account.
2. Reboot and log on as Adatum\Administrator with the password Pa$$w0rd, on the newly created
AD DS domain controller LON-SVR1.
8-10 Implemennting Distributed Active Directory Domainn Services Deployments
AD
D DS Doma
ain Functio
onal Levels
AD DS domains ca an run at diffe
erent functionaal
leveels. Generally, upgrading
u the
e domain to a
highher functional level will intro
oduce additionnal
feattures. Some of the domain fu unctional levels are
liste
ed in the follow
wing table.
Doomain functio
onal
Fe
eatures
lev
vels
Windows
W 2000 Server Universal gro
oups
na
ative
Group nestin
ng
Security iden
ntifier (SID) histtory
nstall Domain
In n Controllers from Media
In
nstall from Me edia allows thee installation off an AD DS do omain controlle er
without
w impactting the netwo ork connection n, because mosst of the new A AD DS
database
d is resttored locally frrom an ntdsuttil backup on a USB drive or DVD.
In
nstall from Me edia could also o be accessed o over the netwo ork when the
network
n is not busy. Once thee new AD DS d domain contro oller is installed and
re
ebooted, it willl use the netw work to retrievee AD DS originnating updatess that
were
w made sincce the ntdsutil backup was m made. This will be a small am mount
of
o replication, unless
u there haave been manyy originating u updates to the e
AD
A DS database, which the n new AD DS dom main controlleer needs to bring up
to
o date.
Note: Wiindows Server 2012 domain controllers cannot be installed in
a domain running at Window ws 2000 Serverr native level.
Windows
W Server 2003 LastLogonTiimestamp att ribute remem bers time of laast domain log gon
for users, and
d replicates thiis to other AD DS domain co
ontrollers in th
he
AD DS doma ain.
Constrained Delegation maakes it possible for applications to take
advantage off the secure deelegation of usser credentialss by using Kerb
beros-
based authen
ntication.
Selective authentication alllows you to sp
pecify the users and groups tthat
are allowed to
t authenticatee to specific reesource serverss in a trusting
forest.
You can storee DNS zones in
n application ppartitions, which allows them
m to
be replicated
d on domain coontrollers thatt are also DNS servers in the
domain, or even across thee forest.
Group attribuutes and otherr multi-valued attributes are e replicated at the
attribute leve
el, instead of th
he object leveel. In previous vversions of AD
D DS,
group memb bership was co onsidered part of the object, and the group p
would be rep plicated as a si ngle object. Th
his meant thatt if two
administrators changed thee membership p of the same g group in the same
replication peeriod, the last write would wwin. The first ch
hanges made w would
be lost, because the new veersion of the g group would replace the pre evious
Domain functional
Features
levels
one entirely. With multivalued replication, group membership is treated
at the attribute level, and therefore all originating updates are merged
together. This also greatly reduces the replication traffic that would occur.
An additional benefit from this is the removal of the previous group
membership restriction that limited the maximum number of members to
5,000.
Windows Server 2008 Distributed File System Replication (DFS-R) is available as a more
efficient and robust file replication service for the SYSVOL folders. DFS-R
can replace the file replication service NT File Replication Service (NTFRS).
A large amount of interactive logon information is stored for each user,
instead of just last logon time.
Fine-grained password settings allow account policies to be set for users
and groups, which replaces the default domain settings for those users or
group members.
Personal virtual desktops are available for users to connect to, by using
RemoteApp and Remote Desktop.
Advanced Encryption Services (AES 128 and 256) support for Kerberos is
available.
Read-only domain controllers (RODCs) provide a secure and economic
way to provide AD DS logon services in remote sites, without storing
confidential information such as passwords in untrusted environments.
Group and other multivalue attributes are replicated on a per-value level,
instead of being replicated together (which removed the limit of 5,000
users per group).
Windows Server 2008 Authentication mechanism assurance, which packages information about
R2 a users logon method, can be used in conjunction with application
authenticationfor example, with Active Directory Federation Services
(AD FS). In another example, a user logging on by using a smart card can
be granted access to more resources than when they log on with a
username and password.
Managed services accounts allow account passwords to be managed by
the Windows operating system, and provide service principal name (SPN)
management.
Windows Server 2012 Instead of the Windows PowerShell command-line interface, you can
use Server Manager for setting up and managing the AD DS Recycle Bin.
In Windows Server 2008, fine-grained password settings were
complicated to set up and deploy. In Windows Server 2012, you can use
Server Manager to deploy and manage these settings more conveniently.
Support for Dynamic Access Control and Kerberos armoring
Note: Generally, you cannot roll back AD DS domain functional levels. However, in
Windows Server 2012 and Windows Server 2008 R2, you are able to roll back to a minimum of
Windows Server 2008, as long as you do not have optional features (such as the Recycle Bin)
enabled. If you have implemented a feature that is only available in a higher domain functional
level, you cannot rollback to an earlier state.
Additional Reading: To learn

l more about the AD DSS domain functional levels, refer to the
follo
owing link:
http
p://technet.miccrosoft.com/en nderstanding- active-directo
n-us/library/un ory-functional-
leve
els(v=ws.10).asspx
AD
D DS Forest Function
nal Levels
The AD DS forest can run at diffferent function nal
leve
els, and sometiimes raising th
he AD DS foresst
funcctional level makes
m additional features
avaiilable. The most noticeable additional
a feattures
comme with the up pgrade to a Windows Server 2003
est functional level. Additional features tha
fore at are
madde available with Windows Server
S 2003 incclude:
Forest Trusts: AD DS forestss can have trussts set

up between them,
t which en nables resourcce
sharing. Theree are full trusts and selective
e
trusts.
Linked-value replication: Th
his feature
improved Windows 2000 Se erver replicatio
on, and impro
oved how grou
up membership
p was handled
d.
Improved AD D DS replicationn calculation algorithms:

a Knoowledge Conssistency Checkker (KCC) and
intersite topo
ology generato or (ISTG) use im
mproved algorrithms to spee d up the calcu
ulation of the A
AD DS
replication infrastructure, and provide mu uch faster site link calculatio
ons.
Support for Read

R Only Dommain Controlleers (RODCs). ROODCs are suppported at the W
Windows Serve
er
2003 forest fu
unctional levell. The RODC must
m be runnin g Windows Seerver 2008 or later.
Conversion of inetOrgPerso on objects to user
u objects. Yo
ou can converrt an instance o
of an
inetOrgPerson object, used d for compatibility with certaain non-Microssoft directory sservices, into aan
instance of class user. You can
c also conve ert a user objecct to an inetOrgPerson objeect.
Deactivation and redefinitiion of attributees and object classes. Althou
ugh you canno ot delete an
attribute or object
o t schema at the Windows Server 2003 fu
class in the unctional level, you can
deactivate or redefine attribbutes or objecct classes.
The Windows Servver 2008 foresst functional le evel does not aadd new forestt-wide featurees. The Window ws
Servver 2008 R2 foorest functional level adds the Active Direcctory Recycle B
Bin feature. This feature allow
ws the
ability to restore deleted
d Active Directory objects.
Alth
hough the Win ndows Server 2008
2 R2 AD DSS forest functio
onal level intro
oduced AD DSS Recycle Bin, tthe
Recyycle Bin had to
o be managed d with Windowws PowerShell. However, the version of Rem mote Server
Admministration To
ools (RSAT) tha at comes with Windows Servver 2012 has th he ability to m
manage the ADD DS
Recyycle Bin by usiing GUI tools.
Wheen you raise th

he forest functtional level, you limit possibl e domain funcctional levels ffor domains th
hat
you add to the forest. For exam
mple, if you raisse the forest fu
unctional level to Window Se erver 2012, yo
ou
cannot add a neww domain runn ning at Window ws Server 20088 R2 domain fu unctional level.
Upgrading
U a Previous Version of AD DS tto Window
ws Server 2012
To
o upgrade a previous versionns of AD DS too
Windows
W Server 2012 AD DS , you can use either
off the following
g two methodss:
Upgrade th
he operating syystem on the existing
e
ntrollers to Windows Server 2012.
domain con
Introduce Windows
W Serve
er 2012 serverss as
domain con e existing domain.
ntrollers in the
You can theen decommisssion AD DS domain
controllers running earlieer versions of AD
A DS.
Of
O these two methods, the se econd is preferrred,
be ecause there will
w be no old or o disused codde and
filles remaining. Instead, you will
w have a clea an installation of the Window
ws Server 2012
2 operating syystem
annd AD DS data abase.
Upgrading
U to
o Windows Server 2012
To
o upgrade an AD DS domain n from Window ws Server 20088 functional leevel to Window
ws Server 2012
2
fu
unctional level,, you must first upgrade all the
t domain co ontrollers from
m the Window Server 2008
perating system to the Wind
op dows Server 20 012 operating system. You ccan achieve thiis by upgradin
ng all of
th
he existing dom
main controlle ers to Windowss Server 2012, or by introduccing new dom main controllerss
ru
unning Window ws Server 2012 2, and then ph
hasing out the existing domaain controllerss.
Th
here is no reasson to preventt Windows Servver 2012 serveers from being g part of a Winndows Server 22008
do
omain. Howevver, before you u can install the first domain controller thaat is running W
Windows Serve er 2012,
yo
ou must upgra ade the schema. In versions of o AD DS priorr to Windows Server 2012, yyou would run the
ad
dprep.exe tooll to perform thhe schema upg grades. In a W
Windows Serverr 2012 environ nment, the Active
Directory Doma ain Services Insstallation Wiza
ard that is inclu
uded in Serverr Manager inco orporates the
co
ommands nece essary to upgrrade the AD DS forest schem ma.
Note: Win
ndows Server 2012 still provvides a 64-bit vversion of ADP Prep, so you caan run
Adprep.exe separately. For exxample, if the administrator
a iinstalling the ffirst Windows Server 2012
do
omain controller is not a meember of the Enterprise
E Admmins group, theen you might need to run
th
he command separately.
s Youu only have to run adprep.exxe if you are planning to do an in-place
up e first Windows Server 2012 domain contro
pgrade for the oller in the do
omain.
The
T Upgrade
e Process
To
o upgrade the
e operating sysstem of a Wind ontroller to Windows Server 2012:
dows Server 20008 domain co
1.. Insert the in

nstallation disk
k for Windowss Server 2012, aand run Setup
p.
2.. After the language selecttion page, sele

ect Install now
w.
3.. After the opperating system selection wiindow and thee license accep
ptance page, o
on the Which ttype of
installation do you want?? window, chooose Upgrade: Install Windo ows and keepp files, setting
gs, and
apps.
With
W this type of o upgrade, AD D DS on the doomain controlller is upgradedd to Windows Server 2012 A AD DS. .
As a best practice, you shouldd check for harrdware and so ftware compa tibility before doing an upgrade.
Fo
ollowing the operating
o syste
em upgrade, reemember to u pdate your drrivers and othe er services (succh as
monitoring
m ageents), and checck for updates for both Micro
osoft applicatiions and non-Microsoft softw ware.
The
e Clean Insttallation Pro
ocess
To introduce a cle
ean install of Windows
W Serve
er 2012 as a do
omain membeer:
1. Deploy and configure

c a new
w installation of
o Windows Seerver 2012, and then join it tto the domain
n.
2. Promote the new server to be a domain controller

c in th
he domain by using Server M
Manager.
Note: You can

c upgrade directly
d from Windows
W Serve r 2008 and Wiindows Server 2008 R2
to Windows
W er 2012. To upgrade servers that are runni ng a version o
Serve of Windows Seerver that is
olde
er than Windoows Server 2008, you must eiither perform an interim upg grade to Wind
dows Server
2008 or Windows Server 2008 R2,R or perform a clean installl. Note that W Windows Serverr 2012
AD DS domain co ontrollers are able
a to coexist as domain co ntrollers in thee same domainn as
2 domain controllers
c or newer.
n
Migrating to
o Windowss Server 20
012 AD DSS from a Previous Ve
ersion
As part
p of deployiing AD DS, you u might choosse to
restructure your environment
e fo
or the followin
ng
reassons:
To optimize the
t arrangeme ent of elementts
within the log
gical Active Directory structu
ure.
To assist in co
ompleting a buusiness merger,
acquisition, or
o divestiture.
Resttructuring invoolves the migration of resources
betwween AD DS domains
d in eith
her the same fo
orest
or in
n different fore
ests. After you deploy AD DS S, you
migght decide to further reduce the complexitty of
your environmentt by either resttructuring AD D S domains b
between AD D
DS forests or re
estructuring
dommains within a single AD DS forest.
You
u can use the la atest version of
o the Active Directory
D Migraation Tool to p
perform objectt migrations an
nd
secu
urity translatio
on as necessaryy, so that userss can maintain
n access to netw
work resource
es during the
mig
gration processs.
Pre
e-Migration
n Steps
Befo
ore performing
g the migratioon, you must perform severa l tasks to prep
pare the source
e and target
dom
mains. These ta
asks include:
For domain member
m computers that are pre-Windows Vista Servicee Pack 1 (SP1) or Windows Server
2008 R2, conffigure a registry on the targe main controller to allow crypttography
et AD DS dom
algorithms th
hat are compattible with the Microsoft
M Win dows NT Serrver 4.0 operatting system.
Enable firewa
alls rules on source and targe
et AD DS dom ain controllerss to allow file aand printer shaaring.
Prepare the source and targ

get AD DS dom
mains to manaage how the users, groups and user profile
es will
be handled.
Create a rollb
back plan.
Establish trustt relationshipss that are required for the m igration.
Configure sou
urce and targe ains to enable SID History m
et AD DS doma migration.
Specify servicce accounts forr the migration
n.
Perform a test
t migration,, and fix any errrors that are rreported.
Migration
M Stteps
When
W you are confident
c that all pre-migrattion steps havee been compleeted, you can ccomplete the
migration.
m During this process, you will mig
grate user accoounts, group accounts and ccomputer acco ounts to
th
he new domain n. You will also
o assign permissions to netw
work resources using the accounts in the nnew
do
omain.
Post-Migrati
P ion Steps
Thhe new accoun nts (SIDs) will still
s have accesss to resourcess, because theyy retain an attribute called SSID
History.
H For exaample, a user uses
u a new useer account to aattempt to acccess a resourcee to which the
ey had
e user being d enied becausee their SID is not referenced in the
acccess with theiir old account.. Instead of the
peermissions, the
ey can presentt their previous SID by using the SID Histo ory attribute. TThe migration tools
ca
an re-permit th he resources so the new SIDs are entered into the perm issions on the resource, and the old
SIID can be remo oved.
Once
O you have tested everyth
hing and verified that it is wo
orking in the n
new AD DS do
omain, you can
n
de t old domain controllers.
ecommission the
Note: The
e entire processs may involvee running the m
migration seveeral times. For example, the
usser accounts would
w be migraated early in th
he process, bu ounts profile m
ut the user acco migration
would
w be accom
mplished in another pass of the
t migration tool.
Additionaal Reading: Download
D the Active
A Directo ry Migration TTool version 3.2 from
htttp://www.miccrosoft.com/en
n-us/download d/details.aspx??id=8377.
Yo
ou can downlo oad the Active
e Directory Miggration Tool G uide from
htttp://www.miccrosoft.com/en
n-us/download d/details.aspx??id=19188.
Considerat
C ions for Im
mplementiing a Complex AD D
DS Environment
Be
efore impleme enting a complex AD DS
en
nvironment, it is important to
t consider
mplications of the design if the deploymen
im nt is to
be
e successful. With
W proper pla anning, you ca
an
de
esign an AD DSD model to prrovide the
ad
dministrative and
a security re equirements foor your
orrganization.
8-16 Implementing Distributed Active Directory Domain Services Deployments
Some of the key points for consideration are listed in the following table.
Scenario Key Points to Consider
More than one AD DS Security, politics, multiple schemas, administrative separation

forest?
More than one AD DS tree? Multiple namespaces, acquisition, merger
Number of AD DS domains Security, politics, administrative separationfor example,

different departments in a governmental organization
DNS namespace design Must support the proposed AD DS domain structure
DNS resolution for host Must support resolution throughout the organization
records and SRV records
OUs Structure to support administrative delegation and Group Policy

deployment
Number and location of Number of active accounts, network bandwidth, AD DS services

AD DS domain controllers availability, AD DS replication traffic
Sites and replication AD DS replication requirements, network bandwidth, slow links,

topology application support
Note: Details are discussed earlier in this module, and more information is available in
Module 9.
AD DS Forest Root Domain

Each new AD DS forest starts with an AD DS forest root domain. This root domain has some unique
features that do not exist in any other AD DS domain in the AD DS forest, including the following:
The Schema Operations Master

The Domain Naming Master
The Schema Admins group
The Enterprise Admins group
For this reason, the AD DS forest root domain must be treated with extra caution, particularly as the
Enterprise Admins group and the Domain Admins group in the AD DS forest root domain have full
control over every AD DS domain and object in the entire AD DS forest.
DNS Services
You should configure DNS services at the beginning of the deployment process, as all subsequent
operations will depend on DNS functioning correctly. This also means that all computers should be
configured with the IP addresses of at least two DNS servers so that they can successfully perform DNS
lookups. In a complex environment, it will be necessary to decide how to make DNS records accessible to
DNS resolvers (client computers).
Trust Relationships
You will also need to consider trust relationships for several reasons, such as:
Enabling authentication between AD DS domain and external domains or realms.

Enabling authentication between AD DS forests (forest trustscomplete or selective).
Facilitating fast and reliable authentication traffic between AD DS domains in the same forest
(shortcut trusts).
Multiple UPN Suffixes

Multiple User Principal Name (UPN) suffixes may be required to allow users to log on to their user
accounts using an email account name from a different DNS namespace. For example, a user named Holly
in the adatum.com AD DS domain could log on to that user account by using a UPN such as
holly@fabrikam.com.
Lesson 3
Config
guring AD
A DS Trusts
T
Thiss lesson examines trust relatiionships and how
h they proviide functionaliity for accessin ng resources and
loggging on to the
e domain. Therre are several types
t of trust rrelationships, aand this lesson
n describes the
em in
turn
n.
Wheen an AD DS multi-domain
m forest
f is create
ed, then trusts are automaticcally created to o link all of the
e
AD DS domains in n the AD DS fo orest. In additio
on, there are oother trusts thaat you can estaablish to proviide
add
ditional functio
onality. These trusts
t include shortcut,
s exterrnal, realm, andd forest trusts..
Lessson Objectiives
Afte
u will be able to:
t
Describe the types of trustss that can be configured in a Windows Serrver 2012 environment.
Explain how trusts

t work witthin an AD DS forest.
Explain how trusts

t work bettween AD DS forests.
f
Describe how
w to configure advanced trusst settings.
Describe how
w to configure a forest trust.
Ov
verview of Different AD DS Tru
ust Types
In a multi-domain n AD DS forestt, two-way tran nsitive
trusst relationshipss are generated d automaticallly
betwween the AD DS D domains, so o that there is a
pathh of trust betwween all of the AD DS domains.
These trusts are ca alled parent-child trusts. The e
trussts that are auttomatically cre eated in the forest
are all transitive trrusts. That mea ans that if A trrusts
B, and B trusts C, then A trusts C. C However, th his
mayy not be the most
m w to provide an
efficient way
authhentication connection betw ween all of the
AD DS domains, and a you can im mprove
perfformance by setting up shorrtcut trusts.
There are other tyypes of trust th

hat you can de mple, you can set up a realm
eploy. For exam m trust with a n
non-
Microsoft organizzation that is ru
unning Kerberros V5 and Winndows NT 4.0 domains can b be connected by
usin
ng an external trust. The follo hows the main trust types.
owing table sh
Trust type Transitivity

y Dire
ection Description
n
Pa
arent and Transitive Two
o-way When a neew AD DS dom main is added to
ch
hild an existing AD DS tree, n new parent and
d
child trustss are created.
Trree-root Transitive Two

o-way When a neew AD DS tree is created in aan
existing AD D DS forest, a n
new tree-root
trust is creaated.
Exxternal Non-transsitive One

e-way or External tru
usts enable ressource access tto
two
o-way be grantedd with a Windo ows NT 4.0
domain or an AD DS dom main in anothe er
Trust
T type Transitiv
vity Diirection Descriptio
on
forest. Th
hese may also be set up to
provide a framework foor a migrationn.
Realm Transitivve or One-way

O or Realm tru
usts establish aan authenticattion
non-transitive tw
wo-way path betw
ween a Windo ows Server AD DS
domain aand a Kerberos V5 realm.
Forest Transitivve One-way

O or Trusts beetween AD DS forests allow ttwo
(Complete or tw
wo-way forests to
o share resourcces.
Selective)
Shortcut Transitivve One-way

O or Shortcut trusts improve e authenticatio
on
tw
wo-way times bettween AD DS domains that are
in differeent parts of an AD DS forest.
How
H Trustss Work Within a Fore
est
When
W you set up
u trusts betwe een domains either
e
within
w the same e forest, acrosss forests, or witth an
exxternal realm, information ab bout these trusts is
sttored in AD DS S so you can re etrieve it whenn
ne ecessary. A tru
usted domain object
o stores this
in
nformation.
Thhe trusted dommain object stoores informatio on

ab ust transitivity and
bout the trust such as the tru
tyype. Wheneverr you create a trust, a new trrusted
do i created and stored in the System
omain object is
coontainer in the
e trusts domaiin.
How
H Trusts Enable
E Userrs to Access Resources in a Forest
When
W a user atttempts to acce
ess a resource in another do main, the Kerbberos authentiication protocol must
de
etermine whetther the trustin
ng domain hass a trust relatio
onship with th e trusted dom
main.
To
o determine th his relationshipp, the Kerberos V5 protocol travels the tru ust path, utilizin
ng trust inform
mation
an
nd DNS lookup ps to obtain a referral to thee target domaiins domain co ontroller. The ttarget domain
co
ontroller issuess a service tick
ket for the requ est path in the trust
uested service.. The trust pat h is the shorte
hiierarchy.
When
W the user in the trusted domain attem mpts to access tthe resource in
n the other doomain, the users
co
omputer first contacts
c the doomain controller in its domaain to get authhentication to the resource. IIf the
esource is not in the users domain, the do
re omain controlleer uses the tru
ust relationship
p with its paren
nt, and
re
efers the userss computer to a domain controller in its paarent domain. This attempt to locate a ressource
co
ontinues up thhe trust hierarcchy, possibly to ot domain, an
o the forest roo nd down the trrust hierarchy, until
co
ontact occurs with
w a domain t domain w here the resou
n controller in the urce is located.
Ho
ow Trusts Work
W Betw
ween Foressts
If th
he AD DS envirronment conta ains more than
n one
foreest, then it is possible to set up
u trust
relationships betw ween the AD DS D forest roots..
These forest trustss can be eitherr complete tru usts or
seleective trusts. Fo n be one-way or
orest trusts can
two o-way.
A single forest truust relationship
p allows users who
w
are authenticated by a domain in one forest to t
acce
ess resources that
t are in the other forest, as
a
long
g as they have e been granted d access rights.. If
the forest trust is one-way, dom main controllerrs in
the trusting forestt can authenticcate users in any
dommain in the trusted forest. Fo orest trusts are significantly eeasier to estab
blish, maintain, and administe
er
n separate trusst relationships between eacch of the domaains in the foreests.
than
Fore
est trusts are particularly
p use
eful in scenario
os that involvee cross-organizzation collaborration or merg
gers
o within a single organization that has m ore than one fforest in which
and acquisitions, or h to isolate Acttive
Dire
ectory data and services. Forrest trusts are also
a useful for application seervice providerrs, for collaborrative
business extranetss, and for commpanies seeking g a solution foor administrativve autonomy.
Fore
est trusts provide the followiing benefits:
Simplified ma
anagement of resources acro oss two Windo ows Server 200
08 forests by re
educing the
number of exxternal trusts necessary
n to sh
hare resources..
Complete two
o-way trust relationships witth every domaain in each foreest.
Use of UPN authentication

a across two forrests.
Use of both the Kerberos V5

V protocol and d NTLM autheentication prottocols to impro
ove the
trustworthine
ess of authoriza
ation data that is transferred
d between foreests.
Flexibility of administration
a n. Administrativve tasks can bee unique to eaach forest.
In AD
A DS in Windows Server 2008, you can lin nk two Window ws Server 2003
3 or Windows Server 2008 fo orests
togeether to form a one-way or two-way trust relationship. Y
You can use a two-way forest trust to form
ma
nsitive trust relationship betw
tran ween every domain in both fforests.
Youu can create a forest

f trust only between tw wo AD DS foressts, and you caannot extend tthe trust impliccitly
to a third forest. This
T means tha at, if you create
e a forest trustt between Foreest 1 and Foreest 2, and you ccreate
a fo
orest trust betwween Forest 2 anda Forest 3, Forest
F 1 does n not have an im
mplicit trust with Forest 3. Fo
orest
trussts are not tran
nsitive.
You
u must addresss several requirrements before you can imp
plement a foreest trust, includ
ding that the fo
orest
funcctional level must
m be Windows Server 2003 or newer, an
nd you must haave DNS name e resolution
betw
ween the foressts.
Configuring
C g Advance
ed AD DS Trust
T Settiings
In
n some cases, trusts
t can present security issues.
y do not configure a trustt
Additionally, if you
properly, users who
w belong to o another dommain can
gaain unwanted access to som me resources. There
hnologies that you can use to
arre several tech o help
ontrol and manage security in a trust.
co
SID Filtering
Byy default, when you establish h a forest or domain
trrust, you enablle a domain quuarantine, which is
also known as SIDS filtering. When
W a user
auuthenticates inn a trusted dom
main, the user
presents authorrization data thhat includes thhe SIDs
off all of the gro
oups to which the
t user belon ngs. Additionallly, the users aauthorization d
data includes SSIDs
from other attributes of the user
u and the ussers groups.
AD DS sets SID filtering by de efault to prevent malicious u users who havee access at the domain or en nterprise
ad
dministrator leevel in a trusted forest or domain, from graanting (to the mselves or to other user acccounts
n their forest or domain) elevvated user righ
in hts to a trustin g forest or do ering prevents misuse
omain. SID filte
off the attributess that contain SIDs on securiity principals ((including InettOrgPerson obj bjects) in the trrusted
orest or domain. One commo
fo on example off an attribute tthat contains a SID is the SID D history attribbute
(S
SIDHistory) on n a user account object. Dom main administrrators typicallyy use the SID hhistory attributte to
se
eamlessly migrrate the user and group acco ounts that are held by a secu urity principal from one dom main to
an
nother. All SIDD filtering activvities occur in the
t backgroun nd, and adminiistrators do no ot need to exp plicitly
co
onfigure anyth hing unless the ey want to disa able SID filterin
ng.
When
W security principals
p are created
c in a do
omain, the SID D of the princippal includes thhe domain SID,, so that
yo
ou can identifyy in which dommain it was cre eated. The dom main SID is imp portant, becau use the Window
ws
se
ecurity subsysttem uses it to verify
v the idenntity of the sec urity principal, which in turn
n determines w
which
do
omain resourcces the user can access.
Authenticati
A on
When
W you creatte an external trust or a fore
est trust, you caan manage thee scope of autthentication off trusted
se
ecurity principa
als. There are two
t modes of authenticatio n for an extern nal or forest trrust:
Selective au
uthentication
Domain-wide authenticattion (for an exxternal trust) o r forest-wide aauthentication

n (for a forest ttrust)
If you choose domain-wide or forest-wide authentication

a ers to authenticate for
n, this enables all trusted use
se
ervices and acccess on all com
mputers in the trusting domaain. Trusted ussers can, thereffore, be given
peermission to access resourcees anywhere in n the trusting d
domain. If you use this authe entication modde, you
must
m have confidence in yourr enterprises security
s proced
dures and in thhe administrattors who imple ement
th
hose procedure es that trusted
d users will nott receive inapp
propriate accesss to services. Remember, foor
exxample, that users from a tru
usted domain or forest are cconsidered Autthenticated Ussers in the trussting
doomain. Therefoore, if you cho
oose domain-w wide or forest- wide authentication, any ressource that haas
peermissions gra
anted to Authe enticated Userss is accessible immediately tto trusted dom main users.
If,, however, you u choose selecttive authenticaation, all userss in the trusted
d domain are ttrusted identitiies.
However, they are a allowed to authenticate only for servicces on computters that you specify. For exaample,
im
magine that yo ou have an external trust with a partner orrganizations d omain. You want to ensure that
on nly users from the partner organizations marketing
m grooup can access shared folderrs on only one of your
many
m file serverrs. You can con
nfigure selectivve authenticattion for the truust relationship
p, and then givve the
trrusted users the right to auth henticate only for that one ffile server.
Name Suffix Routing

Name suffix routing is a mechanism for managing how authentication requests are routed across
Windows Server 2008 forests and Windows Server 2003 forests that are joined by forest trusts. To simplify
the administration of authentication requests, when you create a forest trust, AD DS routes all unique
name suffixes by default. A unique name suffix is a name suffix within a forest, such as a UPN suffix, SPN
suffix, or DNS forest or domain tree name that is not subordinate to any other name suffix. For example,
the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com forest.
AD DS routes all names that are subordinate to unique name suffixes implicitly. For example, if your forest
uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com
(childdomain.fabrikam.com) are routed, because the child domains are part of the fabrikam.com name
suffix. Child names appear in the Active Directory Domains and Trusts snap-in. If you want to exclude
members of a child domain from authenticating in the specified forest, you can disable name suffix
routing for that name. You also can disable routing for the forest name itself.
Demonstration: Configuring a Forest Trust

In this demonstration, you will see how to configure DNS name resolution by using a conditional forward.
You will also see how to configure a two-way selective forest trust.
Demonstration Steps
Configure DNS name resolution by using a conditional forwarder

Configure DNS name resolution between adatum.com and treyresearch.net by creating a conditional
forwarder so that LON-DC1 has a referral to MUN-DC1 as the DNS server for the DNS domain
treyresearch.net.
Configure a two-way selective forest trust

On LON-DC1, in Active Directory Domains and Trusts, create a two-way selective forest trust between
adatum.com and treyresearch.net, by supplying the credentials of the treyresearch.net domain
Administrator account.
Lab: Implementing Complex AD DS Deployments

Scenario
A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in its
London data center. As the company has grown and added branch offices with large numbers of users, it
is becoming increasingly apparent that the current AD DS environment is not meeting company
requirements. The network team is concerned about the amount of AD DS-related network traffic that is
crossing WAN links, which are becoming highly utilized.
The company has also become increasingly integrated with partner organizations, some of whom need
access to shared resources and applications that are located on the A. Datum internal network. The
security department at A. Datum wants to ensure that the access for these external users is as secure as
possible.
As one of the senior network administrators at A. Datum, you are responsible for implementing an AD DS
infrastructure that will meet the company requirements. You are responsible for planning an AD DS
domain and forest deployment that will provide optimal services for both internal and external users,
while addressing the security requirements at A. Datum.
Objectives
Implement child domains in AD DS.
Implement forest trusts in AD DS.
Lab Setup
20412A-LON-DC1
20412A-TOR-DC1
20412A-LON-SVR1
20412A-MUN-DC1
Password: Pa$$w0rd
Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-TOR-DC1.
6. Start 20412A-MUN-DC1 and log on as Treyresearch\Administrator with the password of

Pa$$w0rd.
Exercise 1: Implementing Child Domains in AD DS

Scenario
A. Datum has decided to deploy a new domain in the adatum.com forest for the North American region.
The first domain controller will be deployed in Toronto, and the domain name will be na.adatum.com.
You need to configure and install the new domain controller.
1. Configure Domain Name System (DNS) for domain delegation.
2. Install a domain controller in a child domain.
3. Verify the default trust configuration.
Task 1: Configure Domain Name System (DNS) for domain delegation

On LON-DC1, open DNS Manager and configure a delegated zone record for na.adatum.com. Specify
TOR-DC1 as the authoritative DNS server.
Task 2: Install a domain controller in a child domain

1. On TOR-DC1, use Server Manager to install AD DS.
2. When the AD DS binaries have installed, use the Active Directory Domain Services Configuration
Wizard to install and configure TOR-DC1 as an AD DS domain controller for a new child domain
named na.adatum.com.
3. When prompted, use Pa$$w0rd as the Directory Services Restore Mode (DSRM) password.
Task 3: Verify the default trust configuration

1. Log on to TOR-DC1 as NA\Administrator using the password Pa$$w0rd.
2. When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If
it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local
Area Connection and then click Disable. Right-click Local Area Connection and then click Enable.
The Local Area Connection should now show Adatum.com.
3. From Server Manager, launch the Active Directory Domains and Trusts management console and
verify the parent child trusts.
Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC)
verification has failed, ensure that you have completed step 2 and then wait for at least 10-15 minutes.
You can continue with the lab and come back later to verify this step.
Results: After completing this exercise, you will have implemented child domains in AD DS.
Exercise 2: Implementing Forest Trusts

Scenario
A. Datum is working on several high-priority projects with a partner organization named Trey Research.
To simplify the process of enabling access to resources located in the two organizations, they have
deployed a dedicated wide area network (WAN) between London and Munich, where Trey Research is
located. You now need to implement and validate a forest trust between the two forests, and configure
the trust to allow access to only selected servers in London.
1. Configure stub zones for DNS name resolution.
2. Configure a forest trust with selective authentication.
3. Configure a server for selective authentication.
Task 1: Configure stub zones for DNS name resolution

1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Using the DNS management console, configure a DNS stub zone for treyresearch.net.
3. Use 172.16.10.10 as the Master DNS server.
4. Close DNS Manager.
5. Log on to MUN-DC1 as TreyResearch\Administrator with the password Pa$$w0rd.
6. Using the DNS management console, configure a DNS stub zone for adatum.com.
7. Use 172.16.0.10 as the Master DNS server.
Task 2: Configure a forest trust with selective authentication

1. On LON-DC1, create a one-way: outgoing trust between the treyresearch.net AD DS forest and the
adatum.com forest. Configure the trust to use Selective authentication.
2. Confirm and validate the trust from treyresearch.net.
3. Close Active Directory Domains and Trusts.
Task 3: Configure a server for selective authentication

1. On LON-DC1, from Server Manager open Active Directory Users and Computers.
2. On LON-SVR1, configure the members of treyresearch.com\it group with the Allowed to
authenticate permission. If you are prompted for credentials, type Treyresearch\administrator with
the password of Pa$$w0rd.
3. On LON-SVR1, create a shared folder IT-Data and grant access to members of the treyresearch.net\it
group. If you are prompted for credentials, type Treyresearch\administrator with the password of
Pa$$w0rd.
4. Log off of MUN-DC1.
5. Log on to MUN-DC1 as treyresearch\alice, and access the shared folder on LON-SVR1.
Results: After completing this exercise, you will have implemented forest trusts.

following steps.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1, 20412-MUN-DC1, and 20412-LON-SVR1.

Lab Review
Question: Why did you configure a delegated subdomain record in DNS on LON-DC1 before
adding the child domain na.adatum.com?
Question: What are the alternatives to creating a delegated subdomain record in Q1?
Question: When you are creating a forest trust, why would you create a selective trust instead of
a complete trust?

To design and implement a reliable and efficient AD DS environment, it is important to have an
understanding of which components are required and how they interact. This module covered the
constituent parts of an AD DS design and also demonstrated the different ways to deploy AD DS in a
complex scenario.
The Domain Name Service is crucial to the satisfactory functioning of an AD DS system, and students saw
different ways to provide a robust DNS record resolution process in a multi-domain situation. The
different DNS resolution methods were discussed, including forwarders, conditional forwarders,
delegation, secondary zones, and stub zones. Students also saw how trust relationships can provide an
effectual authentication mechanism in various environments.

You receive error messages such as: DNS

lookup failure, RPC server unavailable,
domain does not exist, domain controller
could not be found.
User cannot be authenticated to access

resources on another AD DS domain or
Kerberos realm.
9-1
Module 9
Implementing Active Directory Domain Services Sites and
Replication
Contents:
Module Overview 9-1
Lesson 1: Overview of AD DS Replication 9-2
Lesson 2: Configuring AD DS Sites 9-10

Lesson 3: Configuring and Monitoring AD DS Replication 9-16
Lab: Implementing AD DS Sites and Replication 9-22
Module Overview
When you deploy Active Directory Domain Services (AD DS), it is important to provide an efficient logon
infrastructure and a highly available directory service. Implementing multiple domain controllers
throughout the infrastructure helps you meet both of these goals. However, you must ensure that AD DS
replicates Active Directory information between each domain controller in the forest. In this module, you
will learn how AD DS replicates information between domain controllers within a single site and
throughout multiple sites. You also will learn how to create multiple sites and monitor replication to help
optimize AD DS replication and authentication traffic.
Objectives
Describe how AD DS replication works.
Configure AD DS sites to help optimize authentication and replication traffic.
Configure and monitor AD DS replication.

9-2 Implementing Active Directory Domain Services Sitees and Replication
Lesson 1
Overviiew of AD
A DS Replicat
R tion
Within an AD DS infrastructure, standard dom main controllerrs replicate Active Directory information b
by
usin
ng a multimastter replication model. This means
m that if a change is madde on one dom main controlle
er, that
change then replicates to all oth
her domain co ontrollers in th e domain, and
d potentially to
o all domain
controllers throug
ghout the entirre forest. This lesson providees an overvieww of how AD D DS replicates
info
ormation between both stand dard and read d-only domain controllers (RODC).
Lessson Objectiives
Describe the AD DS partitio

ons.
Describe the characteristicss of AD DS replication.
ocess within a single site.

Describe the replication pro
w AD DS resolvves replication conflicts.

Describe how
Describe how
w you generate
e the replicatio
on topology.
Describe how
w read-only do
omain controlle
er replication w
works.
Describe System Volume (S

SYSVOL) replica
ation.
Wh
hat Are AD
D DS Partittions?
The Active Directo ory data store contains
info
ormation that ADA DS distribu utes to all dom
main
controllers throug ghout the forest infrastructure.
Mucch of the inforrmation that thhe data store
contains is distributed within a single
s domain.
Howwever, some in nformation ma ay be related to
o,
and replicated thrroughout, the entire forest,
regaardless of the domain
d bound daries.
To help
h provide re
eplication efficciency and
scalability betweeen domain con ntrollers, the Acctive
Dire
ectory data is separated
s logically into seveeral
parttitions. Each pa
artition is a un
nit of replicatio
on,
and each partition n has its own replication
r toppology. The deefault partitions include the ffollowing:
Configuration n partition. Thee configuration partition is ccreated autom

matically when you create the e first
domain of a forest.
f The connfiguration parrtition containns information about the fore est-wide AD D DS
structure, inclluding which domains
d and sites
s exist and wwhich domainn controllers exxist in each do
omain.
The configura ation partition also stores infformation abo out forest-widee services such
h as DHCP
authorizationn and certificatte templates. This
T partition reeplicates to all domain conttrollers in the fforest.
Schema partition. The schema partition contains

c definittions of all thee objects and aattributes that you
can create in the data storee, and the ruless for creating aand manipulatting them. Sch hema informattion
replicates to all
a domain con ntrollers in the
e forest. Thereffore, all objectts must complyy with the sche ema
D contains a default set of classes and attributes that yyou
object and atttribute definition rules. AD DS
cannot modiffy. However, iff you have Schema Admins ccredentials, yo u can extend tthe schema byy
adding new attributes
a and classes to reprresent applicattion-specific classes. Many aapplications such as
Microsoft Excchange Server and Microsoftt System Centeer Configuratio on Manager m may extend the e
schema to provide appliccation-specific configurationn enhancements. These chan nges target the
e
domain conntroller that co
ontains the forrests schema m
master role. O nly the schema master is pe
ermitted
to make ad
dditions to classses and attributes.
Domain partition. When youy create a new n domain, AAD DS automattically creates and replicatess an
instance of the domain partition
p to all of
o the domain ns domain conntrollers. The ddomain partitio
on
contains infformation aboout all domain--specific objeccts, including u
users, groups, ccomputers,
organizatioonal units (OUss), and domain n-related systeem settings. All objects in eveery domain paartition
in a forest are
a stored in thhe global catalog, with only a subset of th heir attribute vvalues.
Application n partition. The
e application partition
p storess nondomain, application-re elated information
that may ha ave a tendencyy to be update or have a speccified lifetime. An application
ed frequently o n is
typically programed to determine how it stores, cate gorizes, and u uses application-specific infoormation
stored in thhe Active Direcctory database e. To prevent u
unnecessary reeplication of an n application
partition, yoou can designate which dom main controllerrs in a forest w
will host the sp
pecific applications
partition. Unlike
U a domain partition, an n application p
partition does n not store security principal o
objects,
such as use er accounts. Addditionally, the ogue does not store data con
e global catalo ntained in appplication
partitions.
Note: You can use ADS

SI Edit to connect to and view
w the partition
ns.
Characteris
C stics of AD
D DS Repliccation
An effective ADD DS replication n design ensurres that
ea
ach partition on
o a domain co ontroller is con
nsistent
with
w the replicas of that partittion hosted on n other
doomain controllers. Typically, not all domain
co
ontrollers havee exactly the sa ame information in
th
heir replicas at any one mom ment because
hanges are occcurring to the direction consstantly.
ch
However, Active e Directory rep plication ensurres that
all changes to a partition are transferred to all
re
eplicas of the partition.
p Activve Directory
eplication balances accuracy (or integrity) and
re
onsistency (called convergen
co nce) with performance
(k
keeping replicaation traffic to a reasonable level).
Th
he key charactteristics of Actiive Directory replication
r are::
Multimasteer replication. Any

A domain co pt RODCs can initiate and co
ontroller excep ommit a chang ge to
AD DS. Thiss provides faullt tolerance, an
nd eliminates d
dependency o
on a single dom main controller to
maintain th
he operations ofo the directorry store.
Pull replication. A domain om other domaain controllers. Even

n controller requests, or pullls, changes fro
though a domain controlller can notify its replication partners that it has changess to the directo ory, or
poll its parttners to see if they
t have changes to the di rectory, in thee end, the targe
et domain conntroller
requests annd pulls the changes themselves.
Store-and-fforward replication. A doma ain controller ccan pull chang

ges from one ppartner, and thhen
make those e changes available to anothher partner. Fo
or example, domain controlle er B can pull changes
initiated byy domain contrroller A. Then, domain contrroller C can puull the changess from domain n
controller B.
B This helps ba
alance the repplication load ffor domains th
hat contain sevveral domain
controllers.
Data store paartitioning. A domains

d doma ain controllers only host the domain-namiing context for their
domains, which helps minim mize replicatio on, particularlyy in multidomaain forests. By default, other data,
including appplication directtory partitions and the partiaal attribute sett (global catalo
og), do not
replicate to every domain controller
c in th
he forest.
Automatic ge n efficient and robust replicaation topologyy. By default, A

eneration of an AD DS configures an
effective, two
o-way replicatio
on topology so that the losss of one doma in controller d does not imped
de
replication. AD
A DS automattically updatess this topologyy as domain co ontrollers are aadded, removeed, or
moved betwe een sites.
Attribute-leve el replication. When
W an attrib
bute of an objject changes, o bute, and minimal
only that attrib
metadata tha at describes tha at attribute, re
eplicates. The eentire object d
does not repliccate, except up
pon its
initial creation.
Distinct contrrol of intrasite replication and intersite rep plication within a
plication. You ccan control rep
single site and between site es.
Collision dete
ection and management. On n rare occasionns, you can moodify an attribu
ute on two diffferent
domain contrrollers during a single replica
ation window. If this occurs, you must recooncile the two
o
changes. AD DS has resoluttion algorithms that satisfy aalmost all scenarios.
Ho
ow AD DS Replicatio
on Works Within
W a Siite
AD DS replication n within a singlle site is called
d
intra
asite replicatio
on, which takess place
autoomatically. However, you can configure it to
occuur manually, as necessary. Th he following
concepts are relatted to intrasitee replication:
Connection objects
o
The knowledg
ge consistencyy checker (KCC
C)
Notification
Polling
Con
nnection Ob
bjects
A doomain controller that replicaates changes from another d domain contro
oller is called a replication paartner.
Repplication partne
ers are linked by
b connection nnection objecct represents a replication p
n objects. A con path
from
m one domain controller to another. Conn nection objectss are one-way,, representing inbound-onlyy pull
repllication.
To view
v and confiigure connection objects, op pen Active Direectory Sites annd Services, and then select tthe
NTDDS Settings container of a do omain controlllers server objject. You can fforce replicatio
on between tw wo
dom nection object, and then seleecting Replicatte Now. Note that
main controllerrs by right-cliccking the conn
repllication is inbo
ound-only, so ifi you want to replicate bothh domain conttrollers, you ne eed to replicate the
inbo
ound connection object of each e domain controller.
The
e Knowledg
ge Consisten
ncy Checkerr
The replication pa aths built betw
ween domain controllers
c by cconnection obbjects create th
he forests
repllication topolo
ogy. You do no ot have to creaate the replicattion topology manually. By default, AD DSS
crea
ates a topology that ensures effective replication. The to opology is twoo-way, which mmeans that if any
onee domain contrroller fails, replication contin
nues uninterru pted. The topoology also enssures that there are
no more
m than thre
ee hops betwe een any two do omain control lers.
On each domain controller, a component of AD DS called the knowledge consistency checker (KCC) helps
generate and optimize the replication automatically between domain controllers within a site. The KCC
evaluates the domain controllers in a site, and then creates connection objects to build the two-way,
three-hop topology described earlier. If you add or remove a domain controller, or if a domain controller
is not responsive, the KCC rearranges the topology dynamically, adding and deleting connection objects
to rebuild an effective replication topology. The KCC runs at specified intervals (every 15 minutes by
default) and designates replication routes between domain controllers that are the most favorable
connections available at the time.
You can create connection objects manually to specify replication paths that should persist. However,
creating a connection object manually is not typically required or recommended because the KCC does
not verify or use the manual connection object for failover. The KCC will also not remove manual
connection objects, which means that you must delete connection objects that you create manually.
Notification
When a change is made to an Active Directory partition on a domain controller, the domain controller
queues the change for replication to its partners. By default, the source server waits 15 seconds to notify
its first replication partner of the change. Notification is the process by which an upstream partner informs
its downstream partners that a change is available. By default, the source domain controller then waits
three seconds between notifications to additional partners. These delays, called the initial notification
delay and the subsequent notification delay, are designed to stagger the network traffic that intrasite
replication can cause.
Upon receiving the notification, the downstream partner requests the changes from the source domain
controller, and the directory replication agent pulls the changes from the source domain controller. For
example, suppose domain controller DC01 makes an initial change to AD DS. It is the originating domain
controller, and the change that it makes, that originates the change. When DC02 receives the change
from DC01, it makes the change to its directory. DC02 then queues the change for replication to its own
downstream partners.
Then, suppose DC03 is a downstream replication partner of DC02. After 15 seconds, DC02 notifies DC03
that it has a change. DC03 makes the replicated change to its directory, and then notifies its downstream
partners. The change has made two hops, from DC01 to DC02, and then from DC02 to DC03. The
replication topology ensures that no more than three hops occur before all domain controllers in the site
receive the change. At approximately 15 seconds per hop, the change fully replicates in the site within
one minute.
Polling
At times, a domain controller may not make any changes to its replicas for an extended time, particularly
during off hours. Suppose this is the case with DC01. This means that DC02, its downstream replication
partner, will not receive notifications from DC01. DC01 also might be offline, which would prevent it from
sending notifications to DC02.
It is important for DC02 to know that its upstream partner is online and simply does not have any
changes. This is achieved through a process called polling. During polling, the downstream replication
partner contacts the upstream replication partner with queries as to whether any changes are queued for
replication. By default, the polling interval for intrasite replication is once per hour. You can configure the
polling frequency from a connection objects properties by clicking Change Schedule, although we do
not recommend it If an upstream partner fails to respond to repeated polling queries, the downstream
partner launches the KCC to check the replication topology. If the upstream server is indeed offline, the
KCC rearranges the sites replication topology to accommodate the change.
Resolving Re
eplication Conflicts
Because AD DS su upports a multtimaster replica ation
mod del, replication
n conflicts mayy occur. Typicaally,
therre are three types of replicattion conflicts that
mayy occur in AD DS:
D
Simultaneoussly modifying the

t same attrib
bute
value of the same
s object on
n two domain
controllers.
Adding or moodifying the sa ame object on one

domain contrroller at the same time that thet
container objject for the objject is deleted on
another domain controller.
Adding objeccts with the sam

me relative disstinguished naame into the saame containerr.
To help
h minimize conflicts, all domain
d controllers in the forrest record and
d replicate object changes att the
attribute level rath
her than at thee object level. Therefore, chaanges to two d
different attrib
butes of an objject,
suchh as the users password and d postal code, do not cause a conflict even n if you change e them at the same
timee from differennt locations.
Wheen an originating update is applied

a to a domain controlller, a stamp iss created that ttravels with the
date as it repliccates to other domain contro
upd ollers. The stam
mp contains thhe following coomponents:
Version numbber. The versio ncreases by one for

on number starts at one for eeach object at tribute, and in
each update. When perform nating update, the version off the updated attribute is on
ming an origin ne
number higher than the version of the atttribute that is being overwritten.
Timestamp. The
T timestamp p is the updates originating ttime and datee according to the system clo
ock of
the domain controller
c wherre the change is made.
Server globally unique iden

ntifier (GUID). The
T server GU ID identifies th
he domain con
ntroller that
performed thhe originating update.
Ressolving Rep
plication Con
nflicts
The table below outlines
o severa
al conflicts and
d how AD DS reesolves the isssue:
Co
onflict Resolution
Attribute value If the version

n number valuee is the same, but the attribu
ute value is
different, the
en the timestammp is evaluateed. The updatee operation
that has the higher stamp vvalue replacess the attribute value of the
update opera ation with the lower stamp vvalue.
Add or move un nder a After resolutiion occurs at aall replicas, AD

D DS deletes th
he container
de
eleted contain ner object, object, and the leaf object is made a chilld of the folde ers special
orr the deletion of a LostAndFoun nd container. SStamps are nott involved in this
co
ontainer objecct resolution.
Adding objects with the The object with

w the larger stamp keeps tthe relative disstinguished
sa
ame relative name. AD DS S assigns the s ibling object a unique relativve
diistinguished name distinguished
d name by thee domain contrroller. The nam me
assignment is the relative d distinguished nname + CNF: + a reserved
character (the asterisk,) + tthe objects GU
UID. This name e assignment
ensures that the generated d name does n not conflict witth any other
objects name.
How
H Repliccation Top
pology Is Generated
G
Re
eplication topo ology is the ro
oute by which replication datta travels thro
ough a networkk. To create a
re
eplication topo ology, AD DS must
m determinne which domaain controllers replicate dataa with other doomain
co
ontrollers. AD DS creates a re eplication topo
ology based oon the informaation that AD DDS contains. Beecause
ach AD DS parrtition may be replicated to different dom ain controllerss in a site, the replication top
ea pology
ca
an differ for scchema, configu uration, domaiin, and applicaation partitionss.
Beecause all dom main controllerrs within a fore est share schem ma and config guration partitiions, AD DS re
eplicates
scchema and con nfiguration partitions to all domain
d controollers. Domain controllers in the same dom main
also replicate thhe domain parrtition. Additionally, domain controllers thaat host an app plication partition also
re
eplicate the ap pplication partiition. To optimmize replication main controller may have sevveral
n traffic, a dom
re
eplication partners for differe ent partitions. In a single sitee, the replication topology wwill be fault tollerant
annd redundant. This means th hat if the site contains
c more than two dom main controllerrs, each domaiin
coontroller will have
h wo replication partners for eaach AD DS parrtition.
at least tw
How
H the Sch
hema and Co
onfiguration Partitionss Are Repliccated
Re
eplication of the schema and d configuration partitions foollows the samme process as aall other directo
ory
pa
artitions. Howe ever, because these partition
ns are forest-w
wide rather thaan domain-wid de, connectionn objects
or these partitions may exist between any two
fo t domain co ontrollers regaardless of the d
domain contro ollers
omain. Furthermore, the rep
do plication topolo
ogy for these partitions incluudes all domain controllers in the
fo
orest.
How
H the Glo
obal Catalog
g Affects Re
eplication
Th
he configuratioon partition co
ontains inform
mation about th he site topologgy and other g global data forr all
do
omains that arre members off the forest. ADD DS replicatess the configuraation partitionn to all domainn
co
ontrollers through normal fo orest-wide replication. Each g
global catalog g server obtainns domain info ormation
byy contacting a domain contrroller for that domain
d and o
obtaining the p partial replica iinformation. The
co
onfiguration partition also provides the doomain controll ers with a list of the forests global catalogg
se
ervers.
Global catalog servers

s er DNS service records in thee DNS zone thaat corresponds to the forest root
registe
doomain. These records,
r whichh are registeredd only in the FForest Root DNNS zone, help cclients and serrvers
lo
ocate global ca
atalog servers throughout
t th
he forest to proovide client log
gon services.
How
H RODC
C Replicatio
on Works
As previously mentioned,
m dommain controllers
re
eplicate data by
b pulling channges from othe er
orriginating dommain controllerrs. A RODC does not
allow any non-rreplicated chan nges to be wriitten to
itss database and
d never replica
ates any informmation
ouut to other domain controlleers. Since channges are
neever written to
o an RODC dire ectly, other do
omain
coontrollers do not
n have to pull directory cha anges
from an RODC. Restricting RO ODCs from
orriginating channges prevents any changes or o
coorruption that a malicious usser or applicattion
might
m make fro
om replicating to the rest of the
t
fo
orest.
Wheen a user or appplication atte

empts to perfo
orm a write req
quest to a ROD
DC, one of the following actiions
typically occurs:
The RODC forwards the wriite request to a writable dom main controller, which is then replicated back to
the RODC. Exxamples of thiss type of reque
est includes paassword changges, service principal name (SSPN)
updates, and computer\domain memberr attribute chan nges.
The RODC responds to the client and proovides a referraal to a writablee domain conttroller. The
application ca
an then commmunicate directtly with a writaable domain co ontroller. Lightweight Directtory
Access Protoccol (LDAP) and
d DNS record updates
u are exxamples of accceptable RODC C referrals.
The write ope eration fails be

ecause it is nott referred or fo
orwarded to a writable domaain controller.
Remote proce C) writes are an example of ccommunicatio
edure call (RPC on that may be
e prohibited frrom
referrals or fo
orwarded to an nother domain n controller.
Whe en you implem ment an RODC C, the KCC dete ects that the d
domain controller is configurred with a readd-only
repllica of all appliicable domain partitions. Because of this, tthe KCC createes one-way on nly connection
n
ects from one or more sourcce Windows Se
obje erver 2008 or h higher domain n controllers to
o the RODC.
For some tasks, an n RODC perforrms inbound replication
r usin
ng a replicate--single-object (RSO) operatio
on.
Thiss is initiated on andard replicattion schedule. These tasks in
n-demand outside of the sta nclude:
Password cha
anges.
DNS updates when a client is referred to a writable DN
NS server by the RODC. The R RODC then
attempts to pull
p the change es back using an RSO operattion. This onlyy occurs for Active Directory--
integrated DN
NS zones.
Updates for various

v client attributes
a inclu
uding client naame, DnsHosttName, OsNa ame,
OsVersionInffo, supported encryption types, and the LLastLogontime eStamp attrib
bute.
Ho
ow SYSVOLL Replication Works
The SYSVOL is a collection
c of files and folderss on
each
h domain conttroller that is linked to
%SyystemRoot%\S SYSVOL locatioon. SYSVOL
contains logon scripts and objects related to
Group Policy suchh as Group Po olicy templatess. The
contents of the SY
YSVOL folder replicate
r to eveery
dom
main controllerr in the domain using the
connection objectt topology and d schedule thaat the
KCC
C creates.
Deppending on the e domain conttroller operatinng

system version, do omains functioonal level, and
d
miggration status of
o SYSVOL, the e File Replicatioon
uted File System Replication replicates SYSSVOL changes between dom
Servvice or Distribu main controllerrs. The
File Replication Seervice was used d primarily in Windows Servver 2003 R2 an
nd older domaain structures. T
The
File Replication Se h capacity and performance which has led to the adoption of
ervice has limittations in both
Disttributed File Syystem Replicattion.
In Windows
W Serve
er 2008 and ne ewer domains, you can use D Distributed Filee System Repliication to repliicate
the contents of SYYSVOL. Distributed File Syste em Replication n supports rep lication scheduling and
ban es a compression algorithm known as Rem
ndwidth throttlling, and it use mote Differentiial Compressio on
(RDC). Using RDC, Distributed FileF System Rep plication repliccates only the differences (or changes withhin
filess) between the
e two servers, resulting
r in low
wer bandwidth h use during reeplication.
Note: You can use the dfsrmig.exe tool to migrate SYSVOL replication from the File
Replication Service to Distributed File System Replication . For the migration to succeed, the
domain functional level must be at least Windows Server 2008.
9-10 Implemennting Active Directoryy Domain Services Sites and Replication
Lesson 2
Config
guring AD
A DS Sites
S
Within a single sitte, AD DS repliication occurs automaticallyy without regarrd for networkk utilization.
How wever, some organizations have h multiple lo
ocations that aare connectedd by wide area network (WAN)
connections. If thiis is the case, you
y must ensure that AD DSS replication do oes not impactt network
utilization negativvely between locations. You also may need d to localize neetwork service
es to a specific
locaation. For exammple, you may want users at a branch officce to authenticcate to a domaain controller
locaated in their lo
ocal office, rath
her than over the
t WAN conn nection to a do omain controlller located in tthe
main office. You can
c implementt AD DS sites to t help manag ge bandwidth o over slow or unreliable netw work
connections, and to assist in serrvice localizatioon for authenttication as well as many othe er site-aware
servvices on the neetwork.
Lessson Objectiives
Afte
ou will be able to:
Describe AD DS sites.
Explain why organizations

o might
m implement additionall sites.
Configure additional AD DS
S sites.
Describe how
w AD DS replica
ation works be
etween sites.
Describe the Inter-site Topo

ology Generattor.
Describe how
w Service Locattor (SRV) recorrds are used to
o locate doma in controllers.
Describe how
w client compu
uters locate domain controlleers.
Wh
hat Are AD
D DS Sites??
To most
m administrators, a site iss a physical
loca e, or a city typically separated
ation, an office d by
a WAN
W connectio on. These sites are physically
connected by network links that might be as basic
as dial-up
d connecctions or as sop phisticated as fiber
links. Together, thhe physical locations and link ks
mak ke up the physsical network infrastructure.
AD DS represents the physical network

n
infra h objects called sites. AD DS site
astructure with
objeects are stored
d in the Config
guration container
(CN=Sites, CN=Co onfiguration, DC=forest
D roott
dommain) and are used
u to achievve two primaryy
servvice management tasks:
Manage replication traffic. Typically, there are two typees of network LAN connectio ons within an
enterprise environment: higghly connected d and less highhly connected. Conceptuallyy, a change maade to
AD DS should d replicate imm
mediately to other domain ccontrollers with hin the highly connected ne etwork
in which the change
c was made.
m Howeverr, you might no ot want the ch hange to repliccate immediately
over a slowerr, more expenssive, or less reliable link to an
nother site. Insstead, you migght want to
optimize perfformance, redu uce costs, and manage band dwidth, you caan manage rep plication over less
highly conneccted segmentss of your enterrprise. An Activve Directory siite represents a highly conne ected
portion of your enterprise. When you deffine a site, the domain contrrollers within the site replicate
changes alm
most instantly.. However, you
u can manage and schedule replication be
etween sites ass
needed.
Provide serrvice localizatioon. Active Direectory sites hellp you localizee services, inclu
uding those prrovided
by domain controllers. Du uring logon, Windows
W clientts are automattically directed d to domain
controllers in their sites. If domain conttrollers are nott available in ttheir sites, theyy are directed to
domain con ntrollers in the e nearest site that can authen nticate the clieent efficiently. Many other se ervices
plicated Distributed File Syste
such as rep em (DFS) resou urces are also site-aware to e ensure that ussers are
directed to a local copy of o the resource e.
What
W Are Su
ubnet Objects?
Su
ubnet objects identify the neetwork addresses that map ccomputers to A AD DS sites. A subnet is a se
egment
work to which a set of logica
off a TCP/IP netw al IP addressess are assigned.. Because the ssubnet objectss map to
th
he physical nettwork, so do th
he sites. A site can consist off one or more subnets. For e example, if youur
etwork has thrree subnets in New York and
ne d two in Londo New York and one in
on, you can creeate a site in N
Lo
ondon, respecttively, and the
en add the sub bnets to the resspective sites.
Note: Wh hen designing your AD DS site configurati on, it is critica l that you corrrectly map IP
ubnets to sites. Likewise, if th
su he underlying network confi guration chan nges, you mustt ensure that
th
hese changes are a updated to o reflect the cu
urrent IP subneet to site mappping. Domain controllers
usse the IP subne et informationn in AD DS to map
m client com mputers and seervers to the ccorrect AD DS
sitte. If this mapp
ping is not acccurate, AD DS operations succh as logon traaffic and applyying Group
Poolicies are likely to happen across
a WAN linnks and may b be disrupted.
Default
D First Site
AD DS creates a default site when
w all a forests firsst domain con
you insta ntroller. By deffault, this site is called
Default-First-Sit
D te-Name. You can rename th his site to a mo ore descriptivee name. When you install the e
fo
orests first dom
main controller, AD DS placees it in the defaault site autom
matically. If youu have a single e site, it
is not necessaryy to configure subnets or addditional sites s ince all machines will be covvered by the d default-
firrst-site-name default
d site. Ho ple sites need to have subneets associated tto them as nee
owever, multip eded.
Why
W Implement Add
ditional Sites?
Evvery Active Dirrectory forest includes
i at least one
sitte. You should
d create additioonal sites when:
A slow link separates partt of the netwo ork. As
previously mentioned,
m a site
s is characte erized
by a locatioon with fast, re
eliable, inexpennsive
connectivityy. If two locations are conne ected
by a slow link, you should d configure each
location as a separate AD D DS site. A slo
ow link
typically is one that has a connection of o less
than 512 kiilobits per seco ond (Kbps).
A part of th
he network hass enough users to
warrant hossting domain controllers
c or other
services in that
t location. Concentration
C ns of users can also influencee your site design. If a netwoork
location has a sufficient number
n of users for whom th he inability to authenticate wwould be
problematic, place a dom main controllerr in the locatio
on to support aauthentication n within the loccation.
After you place
p a domainn controller or other distribu ted service in a location that will support those
users, you might want to manage

m Active Directory repl ication to the location or loccalize service u
use by
configuring an
a Active Direcctory site to represent the lo cation.
You want to control
c service
e localization. By
B establishing g AD DS sites, you can ensurre that clients use
domain contrrollers that are
e nearest to theem for authen ntication, which
h reduces auth
hentication lattency
and traffic on
n WAN connecctions. In most scenarios, eacch site will conntain a domainn controller.
However, you u might config uthentication, ssuch as Distrib
gure sites to localize services other than au buted
File System, BranchCache,
B a Exchange Server servicees. In this case, some sites might be configu
and ured
without a dommain controlleer present in thhe site.
You want to control

c replica
ation between domain contrrollers. There mmay be scenariios in which twwo
well-connecte ed domain con ntrollers are alllowed to com mes of the day.
mmunicate onlyy at certain tim
Creating sitess allows you to
o control how anda when rep lication takes place between n domain
controllers.
De
guring AD DS Sites
In th
s how to con
nfigure AD DSS sites.
Dem
monstration
n Steps
1. From Server Manager,
M open
n Active Directtory Sites and Services.
2. Rename the Default-First-S
D ite-Name site,, as needed.
3. Right-click the Sites node, and then click

k New Site. Sp ociate the new site
pecify a name, and then asso
with the default site link.
4. Create additio
onal sites, as needed.
n
5. In the navigattion pane, righ

ht-click Subne
ets, and then cclick New Subnet.
6. Provide the prefix,

p and then e IP prefix to aan available site object.
n associate the
7. If required, move
m n controller to the new site.
a domain
Ho
ow Replication Work
ks Between
n Sites
The main characte eristics or assu
umptions abou
ut
repllication within sites are:
The network connections within

w a site are
e
both reliable, cheap, and ha
ave sufficient
available bandwidth.
Replication trraffic within a site

s is not
compressed, because a site e assumes fast,
highly reliablee network con nnections. Not
compressing replication tra affic helps redu
uce
the processing load on the domain
controllers. However, uncom mpressed trafffic
may increase the network bandwidth.
b
A change nottification proce

ess initiates rep
plication withiin a site.
Th
he main characteristics or asssumptions abo
out replication
n between sitees are:
The networrk links betwee

en sites have liimited availab le bandwidth, may have a higher cost, and
d may
not be relia
able.
Replication traffic betwee en sites can be e designed to o

optimize banddwidth by com mpressing all
replication traffic. Replica
ation traffic is compressed
c to
o 10 to 15 perccent of its orig
ginal size beforre it is
transmittedd. Although co ompression opttimizes netwo rk bandwidth, it imposes an n additional
processing load on doma ain controllers,, when it comppresses and deecompresses re eplication dataa.
Replication between sitess occurs autom matically after yyou have defin
ned configurable values, succh as a
schedule orr a replication interval. You can
c schedule rreplication for inexpensive o or off-peak houurs. By
anges are repliicated between sites accordiing to a sched
default, cha dule that you d
define, and nott
according to
t when chang ges occur. The schedule deteermines when replication can occur. The in nterval
specifies ho
ow often doma ain controllers check for chaanges during the time that reeplication can occur.
What
W Is the
e Inter-Site
e Topology Generator?
When
W you configure multiple e sites, the KCCC on
onne domain con ntroller in each
h site is design
nated
ass the sites Inte
er-Site Topolog gy Generator (ISTG).
(
Thhere is only on ne ISTG per sitee, regardless of
o how
many
m domains or other directtory partitionss the
sitte has. ISTG is responsible fo or calculating the
t
sittes ideal replication topolog gy.
When
W you add a new site to the
t forest, each h sites
STG determines which directory partitions are
IS
present in the new
n site. The IS
STG then calcu ulates
hoow many new connection ob bjects are neceessary
to
o replicate the new sites req quired information. In
so
ome networks,, you might wa ant to specify that
t only certaain domain controllers are reesponsible for
in
ntersite replicattion. You can dod this by specifying bridge head servers. TThe bridgeheaad servers are
esponsible for all replication into, and out of, the site. ISTTG creates thee required connection agreement in
re
itss directory, and this information is then re eplicated to thee bridgehead server. The briidgehead server then
crreates a replicaation connection with the brridgehead servver in the remo ote site, and re
eplication beg
gins. If a
eplication partner becomes unavailable,
re u th
he ITSG autom atically selectss another dommain controller,, if
poossible. If bridg
gehead serverrs have been manually
m assignned, and they become unavailable, ISTG w will not
auutomatically se elect other serrvers.
Thhe ISTG selectss bridgehead servers

s automa atically, and crreates the inteersite replicatio
on topology to o ensure
th
hat changes re eplicate effectivvely between bridgeheads
b s haring a site liink. Bridgeheads are selectedd per
paartition, so it iss possible thatt one domain controller
c in a site might be the bridgeheaad server for th he
scchema, while another
a t configuratiion. However, you usually w
is for the will find that onne domain con ntroller
is the bridgehea ad server for all partitions in a site, unless tthere are dom main controllerrs from other d domains
orr application directory
d partittions. In this sccenario, bridgeeheads will be chosen for tho ose partitions.
Ov
verview of SRV Records for Do
omain Con
ntrollers
Whe en you add a domain
d contro
oller to a doma ain,
the domain controller advertise es its services by
b
creaating SRV recoords (also knowwn as locator
recoords) in DNS. Unlike
U host A records, which map
hostt names to IP addresses,
a SRV
V records map
servvices to host na
ames. For exammple, to publissh its
ability to provide authentication n and directory
acceess, a domain controller regiisters Kerbeross
verssion 5 protocool and LDAP SR RV records. The ese
SRVV records are added to severa al folders within
the forests DNS zones.
z
Und der the domain n zone, a folde

er exists that iss
nammed name_tcp.. This folder co ontains the SRV V records for aall domain con ntrollers in the
e domain.
Addditionally, unde er the domain zone exists a folder called n name_sites, wh hich contains ssubfolders for e each
site configured in the domain. Each
E site-speciific folder conttains SRV reco
ords that represent services
avaiilable in the sitte. For example, if a domain controller is lo ocated in a sit e, a SRV record will be locatted at
the path _sites\sitename\_tcp, where
w sitenamee is the name of the site.
A tyypical SRV reco

ord contains th
he following in
nformation:
The service naame and port.. This portion of

o the SRV recoord indicates a service with a fixed port. Itt does
not have to be
b a well-know wn port. SRV re
ecords in Wind
dows Server 20 012 include LD DAP (port 389),
Kerberos (porrt 88), Kerbero
os Password prrotocol (KPASSSWD, port 464 4), and global ccatalog servicees
(port 3268).
Protocol. The
e TCP or UDP iss indicated as a transport prrotocol for thee service. The same service caan use
both protocools in separate SRV records. Kerberos
K recorrds, for examp le, are registerred for both TCCP
and UDP. Miccrosoft clients use only TCP, but UNIX clien nts can use booth UDP and T TCP.
T host name corresponds to

Host name. The t the A record d for the serveer hosting the service. When a
er returns the SSRV record and associated A records, so th
client queriess for a service, the DNS serve he
client does noot need to sub bmit a separate
e query to reso olve the IP adddress of a service.
The service name in an SRV reco ord follows thee standard DNNS hierarchy w with componen
nts separated b
by
dotss. For examplee, a domain controllers Kerb
beros service iss registered as::
kerb
beros._tcp.siten
name._sites.do
omainname, wh here:
domainNamee: The domain or zone, for exxample contosso.com
_sites: All sites registered with DNS

sitename: The omain controller registering the service
e site of the do
_tcp: Any TCP

P-based service
es in the site
kerberos: A Kerberos
K Key Distribution
D Center (KDC)thatt uses TCP as i ts transport prrotocol
How
H Clientt Compute
ers Locate Domain C
Controllerss Within Siites
When
W you join a Windows clie ent to a domaain and
re
estart it, it goes through a do omain controlller
lo
ocation and reg gistration proccess. The goal of this
re
egistration pro ocess is to locatte the domain
n
co
ontroller with the
t most efficiient and closesst
lo
ocation to the clients locatioon based on IPP subnet
in
nformation.
Th
he process for locating a domain controlle
er is:
1.. The new cliient queries fo or all domain

controllers in the domain n. As the new domain
d
client restarts, it receives an IP address from a
DHCP serve er, and is readyy to authenticaate to
the domain n. However, the client does notn know wherre to find a do omain controlle
er. Therefore, the
client queriies for a domain controller by which contains the SRV reco
b querying th e _tcp folder, w ords for
all domain controllers in the domain.
2.. The client attempts

a DAP ping to all domain conttrollers in a seq
an LD quence . DNS returns a list o of all
matching domain
d controllers, and the client
c attempt s to contact alll of them on its first startup.
3.. The first do

omain controlle er responds. The first domai n controller th
hat responds to the client exxamines
the clients IP address, cro
oss-referencess that address w
with subnet ob bjects, and informs the cliennt of the
site to whicch the client be
elongs. The client stores the site name in iits registry, and
d then queriess for
domain con ntrollers in the
e site-specific _tcp
_ folder.
4.. The client queries

q for all domain
d contro
ollers in the sitte. DNS returns a list of all domain controlllers in
the site.
5.. The client attempts

a LDAPP ping sequenttially to all dom
main controlleers in the site. T
The domain co
ontroller
that responnds first authen
nticates the client.
6.. The client forms

f an affinitty. The client forms
f an affiniity with this do
omain controlller, and then aattempts
to authenticate with the same
s domain controller in t he future. If thhe domain conntroller is unavvailable,
the client queries
q the site
es _tcp folder again,
a and agaain attempts to o bind with the first domain
controller that responds ini the site.
If the client movves to anotherr site, such as the

t case for a mobile compu uter, the clientt attempts to
auuthenticate to its preferred domain
d contro
oller. The dom ain controller notices that thhe clients IP address
is associated witth a different site,
s and then refers the clien
nt to the new site. The clientt then queries DNS
fo
or domain controllers in the local site
Automatic
A Site Coverag
ge
As mentioned previously,
p youu can configure plicated resources,
e sites to direcct users to locaal copies of rep
su
uch as shared folders
f replicated within a DFS
D namespacee. There may b be scenarios in n which you on nly
re
equire service localization wiith no need for a domain co ontroller locateed within the site. In this case
e, a
ne
earby domain controller willl register its SR
RV records in tthe site by usin ng a process caalled site coverage.
A site without a domain contrroller generallyy is covered byy a domain co ontroller in a siite with the low
west
sitte-link cost to the site that requires
r age. You also ccan configure site coverage and SRV record
covera
priority manually if you want to control autthentication in sites without domain controllers.
Addition mation about how site coverage is evaluatted see:

nal Reading: For more inform
htttp://go.microsoft.com/fwlin
nk/?LinkId=168
8550.
Lesson 3
Config
guring and
a Monitoring
g AD DSS Repliccation
Afte
er you configure the sites tha at represent yo
our network innfrastructure, tthe next step is to determinee if
any additional site
e links are necessary to help control AD D S replication. A AD DS providees several optio
ons
thatt you can conffigure to contrrol how replica
ation occurs ovver site links. Y
You also need to understand d the
tools that you can
n use to monitor and manag ge replication iin an AD DS neetwork environ nment.
Lessson Objectiives
Describe AD DS site links.
Explain the co
oncept of site link bridging.
Describe Univversal Group Membership
M ca
aching.
w to control inttersite replication.

Describe how
Configure AD
D DS intersite replication.
r
Describe options for config
guring passworrd replication p
policies for RO
ODCs.
Configure password replica

ation policies.
Describe tools used for monitoring and managing

m repl ication.
Wh
hat Are AD
D DS Site Links?
L
For two sites to exxchange repliccation data, a site
s
link must connectt them. A site link is a logicall
pathh that the KCC C\ISTG uses to establish
repllication between sites. When n you create
addditional sites, yoou must selectt at least one site
s
link that will conn nect the new siite to an existinng
site.. Unless a site link is in place
e, the KCC cannnot
mak ke connectionss between com mputers at diffferent
sitess, nor can replication occur between
b sites.
The important thing to rememb ber about a sitte link

is th
hat it representts an available
e path for
repllication. A sing
gle site link doe
es not control the
netwwork routes th hat are used. When
W you create a site link a nd add sites to o it, you are te
elling AD DS th
hat it
can replicate betw ween any of th he sites associa ated with the ssite link. The ISSTG creates connection objects,
and those objectss will determine the actual re eplication pathh. Although th e replication ttopology that tthe
ISTGG builds doe reeplicate AD DS S effectively, it might not be efficient, giveen your network topology.
To better
b understand this conceept, consider the following eexample. When n you create a forest, one sitte link
objeect is created: DEFAULTIPSIT TELINK. By defa w site that you add is associaated with the
ault, each new
DEFFAULTIPSITELIN NK. Consider an
a organization with a data ccenter at the h headquarters aand three bran nch
officces. The three branch officess are each connected to the data center w with a dedicate
ed link. You cre
eate
nch office: Seattle (SEA), Amsterdam (AMSS), and Beijing (PEK). Each off the sites, inclu
sitess for each bran uding
headquarters, is associated with h the DEFAULT TIPSITELINK sitte link object
Because all four siites are on the k, you are instrructing AD DS that all four sites can replicate
e same site link
with
h each other. That
T means tha at Seattle mayy replicate channges from Ammsterdam; Amsterdam may
re
eplicate changes from Beijingg; and Beijing may replicate changes from m the headquarters, which in n turn
re
eplicates changges from Seatttle. In several of
o these replicaation paths, th
he replication ttraffic on the n
network
flo
ows from one branch throug gh the headqu uarters on its w
way to anotherr branch. Withh a single site liink, you
doo not create a hub-and-spoke replication topology even n though yourr network topo ology is hub-and-
sp
poke.
Too align your ne
etwork topoloogy with Active e Directory rep plication, you m
must create sp
pecific site linkss. That
is,, you can manually create sitte links that re
eflect your inteended replication topology. Continuing th he
preceding exam mple, you woulld create three e site links as fo
ollows:
HQ-AMS in
ncludes the He
eadquarters an
nd Amsterdam sites.
HQ-SEA inccludes the Hea

adquarters and
d Seattle sites.
HQ-PEK inccludes the Hea

adquarters and
d Beijing sites.
After you create e ISTG will use the topology to build an inttersite replicattion topology that
e site links, the
co
onnects each site,
s and then creates
c connecction objects aautomatically tto configure th he replication paths.
As a best practice, you should s topology ccorrectly and aavoid creating connection ob
d set up your site bjects
manually.
m
What
W Is Site
e Link Brid
dging?
After you have created site lin nks and the IST TG
ge enerates connection objectss to replicate
pa artitions betweeen domain co ontrollers that share a
sitte link, your work
w might be complete. In many
m
ennvironments, particularly
p thoose with
sttraightforward network topo ologies, site links
might
m be sufficient to managee intersite replication.
In
n more comple ex networks, ho
owever, you ca an
coonfigure additional components and repliccation
properties.
Automatic
A Site Link Brid
dging
Byy default, all siite links are bridged. For exa
ample,
if the Amsterdam and Headquarters sites arre linked, and the Headquarrters and Seatttle sites are linked,
Amsterdam and d Seattle are linnked with a higher cost. Thiss means, theorretically, that tthe ISTG could
d create
a connection ob bject directly between
b a dommain controllerr in Seattle and
d a domain co ontroller in
Amsterdam whe en a domain controller
c is no
ot available at tthe headquartters for replicaation, again wo
orking
arround the hub b-and-spoke network topolo ogy.
Yoou can disable

e automatic site-link bridging g by opening tthe propertiess of the IP tran
nsport in the In
nter-Site
Trransports conttainer, and the
en clearing thee Bridge All Siite Links check box. Before yyou do this in a
production environment, read d the technical resources ab out replication
n in the Windo ows Server technical
lib
braries on Microsoft TechNe et at http://technet.microsoftt.com.
Site Link Brid

dges
A site link bridg
ge connects tw
wo or more site
e links in a wayy that creates a transitive link. Site link brid
dges are
ne
ecessary only when
w you have cleared the Bridge
B All Sit e Links check box for the trransport proto ocol.
Re
emember thatt automatic site-link bridgingg is enabled byy default, in wwhich case, sitee link bridges aare not
re
equired.
Th
he figure on th
he slide illustra
ates the use off a site link brid
dge in a forestt in which auto
omatic site-link
bridging has beeen disabled. ByB creating a siite link bridge,, AMS-HQ-SEA A, that includees the HQ-AMSS and
HQ--SEA site links,, those two site

e links become
e transitive, so
o a replication connection caan be made
betw
ween a domain controller in a a domain ccontroller in SSeattle.
n Amsterdam and
Wh
hat Is Univ
versal Grou
up Membe
ership Cacching?
One e of the issues that you may need to addre ess
whe en configuring g AD DS replica
ation is whethe er to
depploy global catalog servers inn each site. Beccause
globbal catalog serrvers are required when userrs log
t the domain, deploying a global
on to g catalog
g
servver in each site
e optimizes the
e user experien nce.
How wever, deploying a global ca atalog server in
na
site might result in additional re
eplication trafffic,
which may be an issue if the network connecttion
betwween AD DS siites has limitedd bandwidth. In I
thesse scenarios, you can deployy domain
controllers runnin ng Windows Se erver 2008 or
newwer, and then enable
e universal group mem mbership cachin
ng for the sitee.
How Universal Group Membership Caching

C Wo rks
A do
omain controller in a site tha at has enabled
d universal gro
oup membersh hip caching, sto
ores the unive ersal
group information n locally after a user attempts to log on fo
or the first timee. The domainn controller obtains
the users universa
al group membership inform mation from a global catalog other site, it then
g server in ano
cach
hes the inform
mation indefinittely and perioddically refreshees it. The next time that the user tries to lo
og on,
the domain controller obtains the universal group memberrship informatiion from its local cache with hout
contacting a globbal catalog servver.
By default,
d niversal group membership information co
the un ontained by eaach domain co ontrollers cach
he is
eshed every eiight hours. To refresh the ca
refre ache, domain ccontrollers sen
nd a universal g
group membe ership
confirmation requuest to a designated global catalog
c server..
You
u can configure
e universal gro
oup membersh
hip caching fro
om the properrties of the NT
TDS Site Settin
ngs
nod
de.
Co
ontrolling Intersite
I Replication
n
Whe en you create a site link, you
u have a numbber of
configuration opttions that you can use to help
control inter-site replication. Th
hese options
include:
Site Link Cossts. Site link co osts manage th he

flow of replication traffic when there is morem
than one routte for replication traffic. You u can
configure site e link costs to indicate
i that a link
is faster, more e reliable, or iss preferred. Hig
gher
costs are used d for slow linkss, and lower co osts
are used for fast
f links. AD DS
D replicates by b
using the con nnection with the t lowest cost. By
default, all sitte links are connfigured with a cost of 100.
Replication n Frequency. Intersite repliccation is based

d only on polling. By default,, every three h
hours a
replication partner polls its
i upstream re mine whether changes are available.
eplication parttners to determ
This replica
ation interval may
m be too lon ng for organizaations that wa nt changes to the directory to
replicate more quickly. Yoou can change e the polling innterval by acceessing the properties of the site link
object. The minimum pollling interval iss 15 minutes.
Replication n Schedules. ByB default, repplication occurrs 24 hours a d
day. However, yyou can restricct
intersite rep
plication to specific times byy changing thee schedule attrributes of a site
e link.
Demonstra
D ation: Conffiguring AD DS Interrsite Repliccation
In
n this demonsttration, you will see how to configure
c AD D
DS intersite rep
plication.
Demonstrati
D ion Steps
1.. From Serve
er Manager, op
pen Active Dire
ectory Sites an
nd Services.
2.. Rename the

e DEFAULTIPSITELINK as nee
eded.
3.. Right-click the site link, and then click Properties.

P
4.. Modify the Cost, Replicattion interval, and Schedule aas needed.
5.. If necessaryy, open the pro e IP node, and then modify tthe Bridge all site links opttion.
operties of the
Options
O forr Configurring Passw
word Repliccation Policies for RO
ODCs
ROODCs have un nique AD DS re eplication
re
equirements re elated to cache ed users credeentials.
Thhey use password replication n policies to
deetermine whicch users credentials might be
ca
ached on the server.
s If a passsword replicattion
poolicy allows an
n RODC to cache a user's
crredentials, the RODC can pro ocess that userrs
au a service-ticcket activities . If a
uthentication and
usser's credentia
als are not allowwed to be cached on
th
he RODC, the RODC
R refers thhe authenticattion
annd service-tick
ket activities to
o a writable doomain
co
ontroller.
Too access the paassword repliccation policy, open

o the propeerties of the R ODC in the Do omain Controlllers OU,
annd then click the Password Replication Policy
P tab. An RODCs passw word replicatioon policy is
deetermined by two multivalue ed attributes of
o the RODC's computer acccount. These atttributes are known
co
ommonly as th he Allowed Listt and the Denied List. If a usser's account iss on the Allowwed List, the user's
crredentials are cached.
c You ca an include grooups on the Al lowed List, in w which case all users who bellong to
th
he group can have
h their creddentials cachedd on the RODC C. If the user iss on the Allowed List and thee
Denied List, thee RODC does not
n cache the user's
u credenti als. The Denieed List takes prrecedence.
To e managementt of password replication po licy, two domaain local security groups are created
o facilitate the
in
n the Users con ntainer of AD DS.
D The first on ne, the Alloweed RODC Passw word Replicatioon Group, is added to
th
he Allowed Listt for each neww RODC. By deffault, the grou up has no mem mbers. Therefoore, by default,, a new
ROODC will not cache
c want to be cached by
any userrs credentials. If there are ussers whose creedentials you w
all domain ROD DCs, add those users to the Allowed
A RODC C Password Rep plication Group. As a best prractice,
yo
ou can create one Allow List per site, and configure
c onlyy the users assigned to that ssite in the Allo
ow List.
The second group p, the Denied RODC

R Passworrd Replication Group, is added to the Den nied List for eacch
new
w RODC. If you u want to ensure that domainn RODCs neveer cache certain n users creden
ntials, you can
n add
thosse users to the
e Denied RODC C Password Reeplication Grouup. By default, this group co
ontains securityy-
senssitive accountss that are mem
mbers of group
ps including Doomain Adminss, Enterprise A Admins, Schema
Admmins, Cert Publishers, and Grroup Policy Cre
eator Owners.
De
guring Passsword Rep
plication P
Policies
In th
s how to con
nfigure passwo
ord replication
n policies.
Dem
monstration
n Steps
1. Run Active Diirectory Users and Compute
ers.
2. Precreate an RODC computter object nam

med LON-ROD
DC1.
3. In the Domaiin Controllerss OU, open the
e properties off LON-RODC1
1.
4. ation Policy tab, and view tthe default pollicy.

Click the Passsword Replica
5. Close the LON

N-RODC1 Prop
perties.
6. In the Active Directory Userrs and Computers console trree, click the U
Users containe
er.
7. Double-click Allowed ROD

DC Password Replication
R G
Group, and theen go to the M
Members tab aand
examine the default
d memb
bership of Allow
wed RODC Paassword Repllication Groupp. There should be
no members by default.
8. Click OK.
9. Double-click Denied RODC

C Password Rep
plication Grou p, and then go
o to the Memb
bers tab.
10. Click Cancel to enied RODC Password Repliccation Group p
t close the De properties.
Tools for Mo
onitoring and
a Manag
ging Repliication
Afte
er you have im mplemented yo our replication
configuration, you u must be able e to monitor
repllication for ong
going supportt, optimization n, and
trou
ubleshooting. Two
T tools are particularly usseful
for reporting and analyzing rep plication: the
Repplication Diagnnostics tool (Re
epadmin.exe) anda
the Directory Servver Diagnosis (Dcdiag.exe)
( to
ool.
The
e Repadmin
n.exe Tool
The Replication Diagnostics
D too
ol, Repadmin.exe, is
a co
ommand-line toolt that enables you to repoort
the status of replication on eachh domain
controller. The infformation thatt Repadmin.exe
prod
duces can help p you spot a potential
p problem with repliccation in the foorest. You can view levels of detail
dowwn to the repliccation metadaata for specific objects and aattributes, enab
bling you to id
dentify where aand
wheen a problematic change was made to AD DS. You can eeven use Repad dmin.exe to crreate the repliccation
topo
ology and forcce replication between
b doma ain controllerss.
Rep
padmin.exe sup
pports a numb nds that perforrm specific tassks. You can learn about each
ber of comman
com
mmand by typing repadmin /?:command d. Most commaands require a rguments. Maany commandss take
a DC_LIST parameter, which is simply a network label (DNS, NetBIOS name, or IP address) of a domain
controller. Some of the replication monitoring tasks you can perform by using Repadmin are:
Display the replication partners for a domain controller. To display the replication connections of a
domain controller, type repadmin /showrepl DC_LIST. By default, Repadmin.exe shows only intersite
connections. Add the /repsto argument to see intersite connections, as well.
Display connection objects for a domain controller. Type repadmin /showconn DC_LIST to show the
connection objects for a domain controller.
Display metadata about an object, its attributes, and replication. You can learn a lot about replication
by examining an object on two different domain controllers to find out which attributes have or have
not replicated. Type repadmin /showobjmeta DC_LIST Object, where DC_LIST indicates the domain
controller(s) to query. (You can use an asterisk [*] to indicate all domain controllers.) Object is a
unique identifier for the object, its distinguished name or GUID, for example.
You can also make changes to your replication infrastructure by using Repadmin. Some of the
management tasks you can perform are:
Launching the KCC. Type repadmin /kcc to force the KCC to recalculate the inbound replication
topology for the server.
Forcing replication between two partners. You can use Repadmin to force replication of a partition
between a source and a target domain controller. Type repadmin /replicate Destination_DC_LIST
Source_DC_Name Naming_Context.
Synchronizing a domain controller with all replication partners. Type repadmin /syncall DC/A /e to
synchronize a domain controller with all its partners, including those in other sites.
The Dcdiag.exe Tool

The Directory Service Diagnosis tool, Dcdiag.exe, performs a number of tests and reports on the overall
health of replication and security for AD DS. Run by itself, dcdiag.exe performs summary tests and reports
the results. On the other extreme, dcdiag.exe /c performs almost every test. The output of tests can be
redirected to files of various types, including XML. Type dcdiag /? for full usage information.
You can also specify one or more tests to perform using the /test:Test Name parameter. Tests that are
directly related to replication include:
FrsEvent. Reports any operation errors in the File Replication System.

DFSREvent. Reports any operation errors in the Distributed File System Replication system.
Intersite. Checks for failures that would prevent or delay intersite replication.
KccEvent. Identifies errors in the knowledge consistency checker.

Replications. Checks for timely replication between domain controllers.
Topology. Checks that the replication topology is connected fully for all domain controllers.
VerifyReplicas. Verifies that all application directory partitions are instantiated fully on all domain
controllers hosting replicas.
9-22 Implementing Active Directory Domain Services Sites and Replication
Lab: Implementing AD DS Sites and Replication

Scenario
A. Datum has deployed a single AD DS domain with all the domain controllers located in the London data
center. As the company has grown and added branch offices with large numbers of users, it has become
apparent that the current AD DS environment is not meeting the company requirements. Users in some of
the branch offices report that it can take a long time for them to log on to their computers. Access to
network resources such as the companys Microsoft Exchange 2010 servers and the Microsoft SharePoint
servers can be slow, and they sporadically fail.
As one of the senior network administrators, you are responsible for planning and implementing an AD
DS infrastructure that will help address the business requirements for the organization. You are
responsible for configuring AD DS sites and replication to optimize the user experience and network
utilization within the organization.
Objectives
Configure the default site created in AD DS.
Create and configure additional sites in AD DS.
Configure and monitor replication between AD DS sites.
Lab Setup
20412A-LON-DC1
20412A-TOR-DC1
20412A-LON-DC1
Virtual machines
20412A-TOR-DC1
Password Pa$$w0rd
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20412A-TOR-DC1.
Exercise 1: Modifying the Default Site

Scenario
A. Datum has decided to implement additional AD DS sites to optimize the network utilization for AD DS
network traffic. The first step in implementing the new environment is to install a new domain controller
for the Toronto site. You will then reconfigure the default site and assign appropriate IP address subnets
to the site. You have been asked to change the name of the default site to LondonHQ and associate it
with the IP subnet 172.16.0.0/24, which is the subnet range used for the London head office.
1. Install the Toronto domain controller
2. Rename the default site

3. Configure IP subnets associated with the default site
Task 1: Install the Toronto domain controller

1. On TOR-DC1, use Server Manager to install Active Directory Domain Services.
2. When the AD DS binaries have installed, use the Active Directory Domain Services Configuration
Wizard to install and configure TOR-DC1 as an additional domain controller for Adatum.com.
3. After the server restarts, log on as Adatum\Administrator with the password of Pa$$w0rd.
Task 2: Rename the default site

1. If necessary, on LON-DC1, open the Server Manager console.
2. Open Active Directory Sites and Services, and then rename the Default-First-Site-Name site to
LondonHQ.
3. Verify that both LON-DC1 and TOR-DC1 are members of the LondonHQ site.
Task 3: Configure IP subnets associated with the default site

1. If necessary, on LON-DC1, open the Server Manager console, and then open Active Directory Sites
and Services.
2. Create a new subnet with the following configuration:

o Prefix: 172.16.0.0/24
o Site object: LondonHQ
Results: After completing this exercise, you will have reconfigured the default site and assigned IP address
subnets to the site.
Exercise 2: Creating Additional Sites and Subnets

Scenario
The next step in implementing the AD DS site design is to configure the new AD DS site. The first site that
you need to implement is the Toronto site for the North American data center. The network team in
Toronto would also like to dedicate a site called TestSite in the Toronto data center. You have been
instructed that the Toronto IP subnet address is 172.16.1.0/24. The test network IP subnet address is
172.16.100.0/24.
1. Create the AD DS sites for Toronto
2. Create IP subnets associated with the Toronto sites
Task 1: Create the AD DS sites for Toronto

1. If necessary, on LON-DC1 open the Server Manager console, and then open Active Directory Sites
and Services.
2. Create a new site with the following configuration:
o Name: Toronto
o Site link object: DEFAULTIPSITELINK
3. Create another new site with the following configuration:
o Name: TestSite
o Site link object: DEFAULTIPSITELINK
Task 2: Create IP subnets associated with the Toronto sites

1. If necessary, on LON-DC1 open Active Directory Sites and Services.
2. Create a new subnet with the following configuration:
o Prefix: 172.16.1.0/24
o Site object: Toronto
3. Create another new subnet with the following configuration:

o Prefix: 172.16.100.0/24
o Site object: TestSite
4. In the navigation pane, click the Subnets folder. Verify that the three subnets were created and
associated with their appropriate site as displayed in the details pane.
Results: After this exercise, you will have created two additional sites representing the IP subnet addresses
located in Toronto.
Exercise 3: Configuring AD DS Replication

Scenario
Now that the AD DS sites have been configured for Toronto, the next step is to configure the site links to
manage replication between the sites, and then to move the TOR-DC1 domain controller to the Toronto
site. Currently all sites belong to DEFAULTIPSITELINK. You need to modify site linking so that LondonHQ
and Toronto belong to one common site link called LON-TOR. You should configure this link to replicate
every hour. Additionally, you should link the TestSite site only to the Toronto site using a site link named
TOR-TEST.
Replication should not be available from the Toronto site to the TestSite during the working hours of 9
A.M. and 3 P.M. You then will use tools to monitor replication between the sites.
1. Configure site links between AD DS sites
2. Move TOR-DC1 to the Toronto site
3. Monitor AD DS site replication
Task 1: Configure site links between AD DS sites

1. If necessary, on LON-DC1, open Active Directory Sites and Services.
2. Create a new IP-based site link with the following configuration:
o Name: TOR-TEST
o Sites: Toronto, TestSite
o Modify the schedule to only allow replication from Monday 9am to Friday 3pm
3. Rename DEFAULTIPSITELINK and configure it with the following settings:
o Name: LON-TOR
o Sites: LondonHQ, Toronto
o Replication: Every 60 minutes
Task 2: Move TOR-DC1 to the Toronto site

1. If necessary, on LON-DC1 open Active Directory Sites and Services.
2. Move TOR-DC1 from the LondonHQ site to the Toronto site.
3. Verify that TOR-DC1 is located under the Servers node in the Toronto site.
Task 3: Monitor AD DS site replication

1. On LON-DC1, on the taskbar, click the Windows PowerShell button.
2. Use the following commands to monitor site replication:
Repadmin /kcc
This command recalculates the inbound replication topology for the server:
Repadmin /showrepl
Verify that the last replication with TOR-DC1 was successful:
Repadmin /bridgeheads
This command displays the bridgehead servers for the site topology:
Repadmin /replsummary
This command displays a summary of replication tasks. Verify that no errors appear:
DCDiag /test:replications
Verify that all connectivity and replication tests pass successfully.
3. Switch to TOR-DC1, and then repeat the commands to view information from the TOR-DC1
perspective.
Results: After this exercise, you will have configured site links and monitored replication.

following steps.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1.


Question: Why is it important that all subnets are identified and associated with a site in a
multisite enterprise?
Question: What are the advantages and disadvantages of reducing the intersite replication
interval?
Question: What is the purpose of a bridgehead server?

Client cannot locate domain controller in

its site.
Replication between sites does not work.
Replication between two domain

controllers in the same site does not work.
Best Practice
You should implement the following best practices when you manage Active Directory sites and
replication in your environment:
Always provide at least one or more global catalog servers per site.
Ensure that all sites have appropriate subnets associated.
Do not setup long intervals without replication when you configure replication schedules for intersite
replication.
Avoid using SMTP as a protocol for replication.

10-1
Module 10
Implementing Active Directory Certificate Services
Contents:
Module Overview 10-1
Lesson 1: PKI Overview 10-2
Lesson 2: Deploying CAs 10-10
Lesson 3: Deploying and Managing Certificate Templates 10-16
Lesson 4: Implementing Certificate Distribution and Revocation 10-21
Lesson 5: Managing Certificate Recovery 10-29
Lab: Implementing Active Directory Certificate Services 10-33
Module Overview
Public key infrastructure (PKI) consists of several components that help you secure corporate
communications and transactions. One such component is the Certification Authority (CA). You can use
CAs to manage, distribute, and validate digital certificates that are used to secure information. You can
install Active Directory Certificate Services (AD CS) as a root CA or a subordinate CA in your organization.
In this module, you will learn about implementing AD CS server role and certificates.
Objectives
Describe PKI.
Deploy CAs.
Deploy and manage certificate templates.
Implement certificate distribution and revocation.
Manage certificate recovery.

10-2 Implemennting Active Directoryy Certificate Services
Lesson 1
PKI Ov
verview
PKI helps you veriify and authen nticate the iden
ntity of each p
party involved in an electronic transaction.. It
also
o helps you esttablish trust be
etween compu uters and the ccorresponding applications tthat are hosted d on
appplication serverrs. A common example includes the use off PKI technolog gy to secure wwebsites. Digitaal
certtificates are key PKI components that conttain electronic credentials, wwhich are used to authenticatte
userrs or computers. Moreover, certificates
c n be validated using certificaate discovery, path validation,
can
and revocation ch hecking processses. Windows Server 2012 supports build ding a certificaate services
infra
astructure in your
y organization using AD CS
C componentts.
Lessson Objectiives
Afte
ou will be able to:
Describe PKI.
Describe com
mponents of a PKI solution.
Describe CAs.
Describe the AD CS server role

r in Window
ws Server 20122.
Describe new
w features in AD
D CS in Windo
ows Server 20112.
Explain the difference betw
ween public and private CAs.
Describe crosss-certification hierarchy.
Wh
hat Is PKI??
PKI is a combinatiion of software e, encryption
techhnologies, processes, and services that assiist an
orga anization with securing its co ommunication ns
and business transactions. It is a system of dig gital
certtificates, certification authoriities, and other
regiistration autho orities. When an
a electronic
nsaction takes place, PKI verifies and
tran
authhenticates the validity of eacch party involvved.
PKI standards are still evolving, but they are widely
w
impplemented as an a essential component of
elecctronic comme erce.
Gen
neral conce
epts of PKI
In general,
g a PKI solution
s relies on several technologies and
d components.. When you plaan to impleme
ent
PKI, you should coonsider and un nderstand the following:
Infrastructure
e: The meaningg in this contexxt is the same as in any otheer context, such as electricityy,
pply. Each of these elementss does a speciffic job, and has requirementts that
transportation, or water sup
must be met for it to functiion efficiently. The sum of th
hese elements allows for the e efficient and safe
use of PKI. So
ome of the elements that ma ake up a PKI arre the followin
ng:
o A CA
o A certificate repositoryy
o A registra
ation authorityy
o An ability to revoke certificates
o An ability to back up, recover, and update keys
o An ability to regulate and track time
o Client-side processing
Most of these components will be discussed in later topics and lessons of this module.
Public/Private Keys: In general, there are two methods for encrypting and decrypting data:
o Symmetric encryption: The methods to encrypt and decrypt data are identical, or mirrors of each
other. Data is encrypted by using a particular method or key. To decrypt the data, you must have
the same, identical method or key. Therefore, anyone who has the key can decrypt the data. The
key must remain private to maintain the integrity of the encryption.
o Asymmetric encryption: In this case, the methods to encrypt and decrypt data are not identical or
mirrors of each other. Data is encrypted by using a particular method or key. However, a different
key is used to decrypt data. This is achieved by using a pair of keys. Each person gets a key pair,
which consists of a public key and a private key. These keys are unique, and data that the public
key encrypts can be decrypted by using the private key, and vice versa. In this situation, the keys
are sufficiently different and knowing or possessing one does not allow you to determine the
other. Therefore, one of the keys (public) can be made publicly available without reducing the
security of the data, as long as the other key (private) remains privatehence the name Public
Key Infrastructure.
Algorithms that use symmetric encryption are fast and efficient for large amount of data. However,
because they use a symmetric key, they are not considered secure enough, because you always must
transport the key to the other party. Alternatively, algorithms that use asymmetric encryption are secure,
but very slow. Because of this, it is common to use hybrid approach, which means that data is encrypted
by using symmetric encryption, while the symmetric encryption key is protected with asymmetric
encryption.
When you implement a PKI solution, your entire system, especially the security aspect, can benefit. The
benefits of using PKI include:
Confidentiality: A PKI solution enables you to encrypt both stored and transmitted data.
Integrity: You can use PKI to sign data digitally. A digital signature identifies whether any data was
modified while information was transmitted.
Authenticity and non-repudiation: Authentication data passes through hash algorithms such as
Secure Hash Algorithm 1 (SHA-1) to produce a message digest. The message digest is then digitally
signed using the senders private key to prove that the message digest was produced by the sender.
Non-repudiation is digitally signed data in which the digital signature provides both proof of the
integrity of signed data, and proof of the origin of data.
Standards-based approach: PKI is standards-based, which means that multiple technology vendors
are compelled to support PKI-based security infrastructures. It is based on industry standards defined
in RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices
Framework.
Co
omponentss of a PKI Solution
S
There are many co omponents that are requiredd to
worrk together to provide a com
mplete PKI solu
ution.
The PKI compone ents in Window
ws Server 20122 are:
CA: CA issuess and managess digital certificcates

for users, servvices, and com
mputers. By
deploying CA A, you establishh the PKI in yo
our
organization.
Digital certificcates: Digital certificates

c are
similar in funcction to an ele ectronic passpo ort. A
digital certificcate is used to prove the identity
of the user (oor other entity)). Digital certificates
contain the electronic crede entials that are
e
associated with a public keyy and a private e key, which a re used to autthenticate userrs and other devices
such as Web servers and mail servers. Dig gital certificatees also ensure tthat software or code is run from
a trusted source. Digital cerrtificates conta ain various fiel ds, such as Subject, Issuer, and Common n
Name. These e fields are used to determine the specific use of the certtificate. For example, a Web
server certificcate might con ntain the Comm mon Name fieeld of web01..contoso.com m, which would d
make that certificate valid only
o for that web
w server. If a n attempt werre made to use e that certificaate on
a web server named web02 2.contoso.com m, the user of that server wo ould receive a warning.
Certificate tem
mplates: This component
c de
escribes the co ontent and purrpose of a digital certificate.
When requessting a certificaate from an AD D CS enterprisee CA, the certiificate requestor will, depend ding
on his or her access rights, be able to sele
ect from a variiety of certificaate types base
ed on certificatte
templates, such as User and d Code Signing g. The certificaate template saaves users fromm low-level,
technical decisions about thhe type of certtificate they neeed. In additio
on, they allow aadministratorss to
distinguish who might requ uest which certtificates.
CRLs and Onlline Responders:
o Certificatte revocation lists (CRLs) are complete, diggitally signed liists of certificaates that have been
revoked. These lists aree published pe eriodically and can be retrievved and cached by clients (b based
on the coonfigured lifetime of the CRLL). The lists aree used to verifyy a certificates revocation sttatus.
o Online Re esponders are part of the On nline Certificatte Status Proto

ocol (OCSP) ro
ole service in
Windowss Server 2008 and a Windows Server 2012. A An Online Resp ponder can recceive a requesst to
check forr revocation off a certificate without
w requirring the client to download tthe entire CRL. This
speeds up certificate re evocation checcking, and red uces the netw work bandwidth h. It also increaases
scalabilityy and fault tolerance, by allo
owing for arrayy configuratio n of Online Re
esponders.
Public keyba
ased applicatio
ons and service es: This relatess to application
ns or services tthat support p
public
key encryptio
on. In other wo
ords, the appliccation or servi ces must be able to supportt public key
implementatiions to gain th
he benefits fromm it.
Certificate and CA management tools: Management to

ools provide co
ommand-line aand GUI-based
d
tools to:
o Configure CAs
o Recover archived
a private keys
o Import and export keyss and certificattes

o Publish CA
C certificates and CRLs
o Manage issued certifica

ates
Authority innformation acccess (AIA) and CRL distributiion points (CD DPs): AIA points determine thhe
location whhere CA certificcates can be fo ound and valid dated, and CD DP locations de etermine the ppoints
where certificate revocatiion lists can be e found during g certificate vaalidation proce
ess. Because CRRLs can
become larrge, (dependin ng on the number of certificaates issued and d revoked by a CA), you cann also
publish sma aller, interim CRLs
C called dellta CRLs. Delta CRLs contain only the certifficates revoked d since
the last reg
gular CRL was published.
p Thiss allows clientss to retrieve thhe smaller deltta CRLs and moore
quickly build a complete list of revoked d certificates. TThe use of deltta CRLs also allows revocatioon data
to be published more frequently, becau use the size off a delta CRL m means that it usually does noot
require as much
m time to transfer
t as a fu
ull CRL.
Hardware security
s modulle (HSM): A ha ardware securitty module is a n optional seccure cryptographic
hardware device
d ographic proc essing for man
that acccelerates crypto naging digital keys. It is a hig
gh
security, specialized storaage that is connected to the CA for manag ging the certifiicates. An HSM M is
typically atttached to a co
omputer physiccally. This is an
n optional addd-on in your PK KI, and is mostt widely
used in high security environments whe ere there wou ld be a significcant impact if a key were
compromissed.
Note: The e most importa ant componen nt of any securrity infrastruct ure is physical security. A
ust the PKI implementation. Other elemen
ecurity infrastructure is not ju
se ntssuch as physical
se
ecurity and ade equate securitty policiesaree also importaant parts of a hholistic securityy
in
nfrastructure.
What
W Are CAs?
C
A CA is a well-d designed and highly
h trusted service
in
n an enterprise e, which provid des users and
co
omputers with h certificates, maintains
m the CRLs,
C
an
nd optionally responds
r to OCSP requests. You
an install a CA in your enviro
ca onment by dep ploying
th
he AD CS role on Windows Server S 2012. When
W
th
he first CA is in
nstalled, it establishes the PK
KI in the
neetwork, and it provides the highest
h point in
i the
whole
w structuree. You can have e one or more e
ce
ertification autthorities in one e network, butt only
onne CA can be at a the highest point on the CA C
hiierarchy (that CA
C is called the root CA, whiich will
bee discussed latter in this mod dule).
One
O of the main n purposes of the CA is to issue certificatees, revoke certificates, and pu
ublish AIA and
d CRL
he CA ensures that users, serrvices, and com
nformation. By doing that, th
in mputers are isssued certificate
es that
ca
an be validated
d.
A CA performs multiple functtions or roles in

n a PKI. In a la rge PKI, separation of CA ro
oles among mu
ultiple
se
ervers is comm
mon. A CA provvides several management
m taasks, including
g:
Verifying th
he identity of the
t certificate requestor.
Issuing certtificates to requesting users, computers, an

nd services.
Managing certificate
c revo
ocation.
When
W ur network, it issues a certifi cate for itself. After that, oth
you deploy a first CA (rroot CA) in you her CAs
re
eceive certificates from the first CA. You ca
an also choosee to issue a cerrtificate for you ur CA by using g one of
pu
ublic CAs.
Ov
verview of the AD CS
S Server Ro
ole in Win
ndows Servver 2012
All PKI-related
P components are deployed as role r
servvices of the AD
D CS server role e. This role is made
m
up of
o several com mponents that are known as role
servvices. Each role
e service is respponsible for a
speccific portion off the certificate infrastructurre,
while working tog gether to form m a complete
solu
ution.
Role he AD CS role are:

e services of th
CA. This component issues certificates to

users, computers, and services. It also
manages certtificate validityy. Multiple CAss can
be chained to
o form a PKI hierarchy.
CA Web enro ollment. This co

omponent pro ovides a metho
od to issue and
d renew certificates for userss,
computers, and devices tha at are not joine
ed to the dom
main, are not co
onnected direcctly to the netwwork,
or are for use
ers of non-Winndows operatting systems.

Online Respo onder. You can use this comp ponent to conffigure and maanage OCSP vaalidation and
revocation ch hecking. Onlinee Responder decodes
d revocaation status reequests for speecific certificate
es,
evaluates the status of thosse certificates, and returns a signed respon nse containing the requested d
certificate status informatio
on. Unlike in Windows
W Serve r 2008 R2, youu can install Onnline Responder on
any version ofo Windows Server 2012. The e certificate revvocation data can come from m a CA on a
computer tha at is running Windows
W Serve
er 2003, Windo ows Server 200 08, or from a nnon-Microsoft CA.
Network Device Enrollmentt Service. With h this componeent, routers, sw

witches, and otther network
devices can obtain
o certificates from AD CS.
C On Window ws Server 20088 R2, this comp
ponent is only
available on the
t Enterprise and Datacente ut on Windowss Server 2012, you can installl this
er editions, bu
role service on any version of Windows Server.
Certificate Enrollment Web Service. This component

c woorks as a proxyy between Win ndows 7 and
Windows 8 cllient computerrs and the CA. This componeent is new to W Windows Serve er 2008 R2 andd
Windows Servver 2012, and requires that the
t Active Direectory forest b
be at least at th
he Server 20088 R2
level. It enables users to connect to a CA by means of a web browserr to perform th he following:
o Request, renew, and install issued certificates
o Retrieve CRLs
o Download a root certifficate
o Enroll over the internett or across fore

ests (new to W
Windows Server 2008 R2)
Certificate Au
uthority Policy Web Service. This componeent is new to W Windows Serve er 2008 R2 andd
Windows Servver 2012. It ennables users to obtain certificcate enrollmen
nt policy inform
mation. Combbined
with the Certificate Enrollm
ment Web Service, it enables policy-based ccertificate enroollment when the
client computter is not a meember of a dommain, or when n a domain meember is not co onnected to th
he
domain.
What
W Is Ne
ew in AD CS
C in Windows Serveer 2012
Like many other Windows Serrver roles, AD CS is
im
mproved and enhanced
e in Windows
W Server 2012.
he AD CS role in Windows Server 2012 stilll has
Th
he same six role services, as described
th d in th
he
previous topic. In addition, it now provides
multiple
m new feeatures and cap pabilities comp pared
to
o previous verssions.
In
n Windows Serrver 2008 R2, some
s of the ADD CS
ro
ole services req
quire a specificc Windows Serrver
ve
ersion. For exaample, Network Device Enrollment
Se
ervice (NDES) does not work k on the Windo ows
Se
erver 2008 Standard edition,, but only on thet
Windows
W Server 2008 Enterprrise edition). In
n Windows Serrver 2012, all rrole services arre available on
n all
Windows
W Server versions.
Th
he AD CS Servver role, in addition to all rela
ated role servi ces, can run o n Windows Se
erver 2012 with h full
GUI, Minimal Se
erver Interface, or on a Serve er Core installaation. You can deploy AD CSS role services in
Windows
W Server 2012 using Server
S Manage er, or Windowss PowerShell cmdlets, while e working locaally at
th
he computer or
o remotely ove er the network k.
Frrom a manage ement perspecctive, AD CS annd its events, aand the Best Prractices Analyzzer tool are no
ow fully
in
ntegrated into the Server Ma anager console
e, which mean s that you can options directly from
n access all its o
Seerver Managerr. AD CS is also
o fully manage
eable by using the Windows PowerShell co ommand-line
in
nterface.
Th
he Windows Server 2012 verrsion of AD CSS also introducces a new certificate templatte versionverrsion
4
which provid
des some new T will be disccussed separately in Lesson 3.
w capabilities. This
Certificate Enrollment Web Se ervices is also enhanced

e in W
Windows Serveer 2012. This fe eature, introdu
uced in
Windows
W 7 and Windows Servver 2008 R2, allows
a online c ertificate requ
uests to come ffrom untrustedd Active
Directory Doma ain Services (AD DS) domains or even from m computers o or devices that are not joined
d to a
do
omain. AD CS in Windows Server 2012 adds the ability tto renew certifficates automaatically for com mputers
hat are part of untrusted AD DS domains, or
th o are not join
ned to a domain.
Frrom a security perspective, AD A CS in Windows Server 20012 provides th he ability to re

equire the rene
ewal of
a certificate with the same key. Windows Se erver 2012 also o supports gen nerating trusteed platform module
(T
TPM)protecte ed keys using TPM-based
T keyy storage provviders (KSPs). TThe benefit of using a TPM-b based
KSSP is true non--exportability of keys that arre backed up b by the anti-ha mmering mecchanism of TPM Ms (for
exxample, if a user enters a wro ong PIN too many
m times). To
o enhance seccurity even furtther, you can nnow
fo
orce encryption n of all certificcate requests that come to A AD CS in Windo ows Server 2012.
Virtual
V Smarrt Cards
mart cards, as an option for multi-factor authentication,, have been ussed since Wind
Sm dows Server 20 000.
Thhey provide en nhanced securrity over passw words, as it is m
much more diffficult for an unnauthorized usser to
gaain and mainta ain access to a system. In addition, access to a smart carrd-protected system requires that a
usser both have a valid card an nd know the PIN
P that provid des access to t hat card. By deefault, only on
ne copy
off the smart carrd exists, so onnly one individual can be usi ng their login credentials att a time. In add dition, a
usser will quicklyy notice if theirr card has been lost or stole n, especially w
when their cardd is combined with
acccess to doors or other functtions. This greatly reduces th he risk window w of credential theft in comp parison
to
o passwords.
Howwever, implementation of sm mart card infrastructure has h

historically som
metimes been too expensivee. To
imp
plement smart cards, compan nies had to buy hardware, inncluding smartt card readers and smart carrds.
e cases, prevented the deployyment of multti-factor autheentication.
Thiss cost, in some
To address
a these issues, Window
ws Server 2012 2 AD CS introd duces a techno ology that provvides the security of
smaart cards while reducing matterial and suppport costs. Thiss is done by prroviding Virtuaal Smart Cards.
Virtual Smart Cardds emulate the
e functionality of traditional smart cards, bbut instead of requiring the
purcchase of additional hardware, they utilize technology thhat users alread dy own and arre more likely tto
have with them att all times.
Virtual Smart Cardds in Windowss Server 2012 leverage the caapabilities of tthe TPM chip tthat is present on
mosst of the compputer motherboards produce ed in the past ttwo years. Beccause the chip is already in tthe
commputer, there iss no cost for buying
b smart cards and smarrt card readerss. However, un nlike traditionaal
smaart cards, wherre the user wass in a physical possession of the card, in th he Virtual Smart Card scenarrio, a
commputer (or to be
b more speciffic, TPM chip on o its motherb board) acts likee a smart card. By using this
appproach, two-facctor authentica ation similar to
o traditional sm
mart cards is aachieved. A useer must have h his or
her computer (wh hich has been sets up with the e Virtual Smarrt Card), and allso know the PPIN necessary to use
his or
o her Virtual Smart
S Card.
It is important to understand ho ow Virtual Sma art Cards proteect private keyys. Traditional smart cards haave
theiir own storage e and cryptographic mechanism for proteccting the private keys. In the e Virtual Smart Card
scen nario, private keys
k are proteccted not by isoolation of physsical memory, but rather by the cryptograaphic
capabilities of the e TPM: all sensitive information that is storred on a smartt card is encryp pted using the
e TPM,
and then stored on o the hard driive in its encryypted form. Altthough privatee keys are storred on a hard d drive
(in encrypted
e form
m), all cryptographic operations occur in th he secure, isolated environm ment of the TPM.
Privvate keys neverr leave this envvironment in unencrypted
u foorm. If the harrd drive of the machine is
com mpromised in anya way, privatte keys cannott be accessed, because they are protected and encrypted by
TPM M. To provide more
m security, you can also encrypt
e the drrive with Wind dows BitLockerr Drive Encryp ption.
To deploy
d Virtual Smart Cards, you
y need Windows Server 2 012 AD CS an d a Windows 8 client machine
withh a TPM chip on o motherboard.
Public vs. Priivate CAs

Whe en you are plaanning PKI imp plementation for
f
your organization n, one of the first choices you
u
should make is be etween private e and public CAAs. It
is po
ossible for you u to establish PKI
P by using eiither
of these approach hes. If you decide to use a prrivate
CA, then you deploy the AD CS server role, an nd
thenn establish an internal PKI. Iff you decide to
o use
an external
e PKI, yo
ou do not havve to deploy an ny
servvice internally.
Both approaches have advantag ges and

disa
advantages, as specified in th
he following ta
able.
CA
A type Adv
vantages Disadvanttages
Exxternal Public CA Trusted

T by maany external Higherr cost as comp
pared
clients
c (web brrowsers, to an in
nternal CA
operating
o systtems)
Cost is based per
Requires minim
mal certificcate
administration
a n
Certificcate procurem
ment is
CA
C type Advantages
A Disadvaantages
sloweer
Internal Privatte CA Provides greeater control o

over By deefault, not trussted by
certificate management
m exterrnal clients (weeb
browwsers, operatin ng
Lower cast as
a compared to
oa
systeems)
public CA
Requ
uires greater
Customized templates
administration
ment
Autoenrollm
So
ome organizattions have starrted using a hyybrid approach h to their PKI aarchitecture. A hybrid appro oach
usses an external public CA forr the root CA, and a hierarch hy of internal CCAs for distribution of certificates.
Th
his gives organ nizations the advantage
a of having
h their intternally issued
d certificates trrusted by exterrnal
clients, while stiill providing th
he advantages of an internal CA. The only disadvantage is cost. A hybrrid
ap
pproach is typically the mostt expensive ap pproach, becau use public certtificates for CAAs are very exp
pensive.
In
n addition, youu can also chooose to deploy internal PKI fo or internal purpposes such as Encrypting Filee
Syystem (EFS), an
nd digital signa
atures. For extternal purposees, such as prottecting web orr mail servers wwith
Se
ecure Socket Layer
L (SSL), you
u must buy a public
p certificaate. This appro
oach is not veryy expensive, an
nd is
probably the most cost-effecttive solution.
What
W Is a Cross-Certi
C ification Hierarchy?
H
As cross-certificcation implies, in cross-certification
hiierarchy the rooot CA in each CA hierarchy
provides a crosss-certification certificate to the
t root
CAA in the other CA hierarchy. The other hie erarchy
oot CA then installs the supp
ro plied certificate
e. By
dooing so, the trust flows down to all the
su
ubordinate CA As below the le evel where the cross-
ce
ertification cerrtificate was insstalled.
Cross-Certifi
C cation Bene
efits
A cross-certifica
ation hierarchyy provides the
fo
ollowing beneffits:
Provides interoperability between busin

nesses and bettween PKI pro
oducts
Joins disparrate PKIs
Assumes co
omplete trust of
o a foreign CA
A hierarchy
Companies usually deploy cro

oss-certificatio
ons to establish
h a mutual trusst on PKI level, and also to
im
mplement som
me other appliccations that relly on PKI, such
h as Active Direectory Rights M
Management Services
(A
AD RMS).
Question: Your
Y companyy is currently acquiring anoth
her company. Both companies run their
own PKI. What
W u do to minimize disruption and continue to provide PKI services
could you
seamlessly??
10-10 Implementing Active Directoory Certificate Servicees
Lesson 2
Deploy
ying CA
As
The first CA that you
y install will be a root CA. After you inst all the root CA A, you can opttionally install a
subordinate CA to o apply policy restrictions an
nd distribute ceertificates. Youu can also use a CAPolicy.inff file
to automate
a additional CA insta
allations and provide
p additioonal configuration settings that are not
avaiilable with the
e standard GUIbased installa ation. In this leesson, you will learn about d
deploying CAs in the
2 environm
ment.
Lessson Objectiives
Afte
ou will be able to:
Describe options for implem

menting CA hierarchies.
Explain differences between

n standalone and
a enterprisee CAs.
Describe conssiderations forr deploying a root

r CA.
Deploy a roott CA.

Describe conssiderations forr deploying a subordinate
s CA
A.
Describe how
w to use CAPolicy.inf file for installing
i the C
CA.
Op
ptions for Implemen
I ting CA Hierarchies
Whe en you decidee to implementt PKI in your
orga anization, one
e of the first deecisions you must
mak ke is how to de esign your CA hierarchy. CA
hierrarchy determiines the core design
d of your
inte
ernal PKI, and also
a determine es the purpose e of
eachh CA in the hie erarchy. Each CAC hierarchy
includes two or more
m CAs. Usuaally, the secondd CA
(andd all others aftter that) is dep
ployed with a
speccific purpose, because only the t root CA is
man ndatory.
The following points describe so

ome scenarioss for
imp
plementing a CA
C hierarchy.
Policy CA: Policy CAs are a type of subord dinate CA thatt are located d
directly below tthe root CA in n a CA
hierarchy. You utilize policyy CAs to issue CA certificatess to subordinate CAs that aree located direcctly
below the poolicy CA in the hierarchy. Use e policy CAs wh hen different d
divisions, secto
ors, or location
ns of
your organizaation require different
d issuan
nce policies annd procedures..
Cross-certifica
ation trust: In this scenario, two
t independeent CA hierarcchies interoperrate when a CA A in
one hierarchyy issues a CA certificate
c to a CA in the otheer hierarchy. C
Cross-certification trusts are
discussed in more
m detail latter in this mod dule.
Two-tier hiera
archy: In a two
o-tier hierarchyy, there is a ro
oot CA and at l east one suboordinate CA. In
n this
scenario, the subordinate CA
C is responsibble for policies,, and for issuin
ng certificates to requestors..
Configuring AAdvanced Windows SServer 2012 Servicees 10-11
Standalone
e vs. Enterp
prise CAs
In
n Windows Serrver 2012, you can deploy tw wo types
off CAs: standaloone CA and en nterprise CA. These
tyypes are not ab bout hierarchyy, but about
fu
unctionality an nd configuratioon storage. Thee most
im
mportant differrence between n these two CAA types
is Active Directoory integrationn and depende ency. A
sttandalone CA canc work without AD DS, an nd does
no ot depend on it in any way. An enterprise CA
re
equires AD DS,, but it also pro ovides several
be enefits, such as autoenrollment.
Th
he following taable details the
e most significcant
diifferences betw
ween standalo one and enterpprise
CAAs.
Characteristic
C Standalone
e CA Enterprrise CA
Typical usage
e A standalo
one CA is typiccally An entterprise CA is ttypically
used for offline
o CAs, butt it used too issue certificates to
can be useed for a CA thaat is users, ccomputers, an nd
consistently available on
n servicees, and is not tyypically
the netwoork. used as an offline CA A.
Active Directo
ory A standalo
one CA does nnot An entterprise CA req quires
dependenciess depend on n AD DS and ccan AD DS , which can be e used as
be deployyed in nonActtive a confiiguration and
Directory environments.
e . registration database e. An
enterpprise CA also provides
a publ ication point ffor
certificcates issued to users
and co omputers.
Certificate req
quest Users can only request Userrs can request
methods certificatess from a certiificates from an
standalone e CA by using a enteerprise CA usinng the
manual prrocedure or weeb owing methods:
follo
enrollmen nt.
Man
nual Enrollmen
nt
Web
b Enrollment
Auto
oenrollment
Enro
ollment agent
Certificate issuance All requestts must be Requessts can be

methods manually approved
a by a automatically issued or
certificate administratorr. denied
d, based on the e
templaates discretion
nary
access control list (D
DACL).
Most
M commonlyy, the root CA (which is the first f CA deployyed) is deployeed as standalo one CA, and it is taken
offfline after it isssues a certifica nd for a suborrdinate CA. Altternatively, a subordinate CA
ate for itself an A is
ussually deploye ed as an enterp prise CA, and is configured in n one of scenaarios describedd in the previo
ous
to
opic.
Co
onsideratio
ons for Dep
ploying a Root CA
Befoore you deployy a root CA, thhere are severa al
decisions that youu should make e. First, you sho
ould
decide if you will be deploying an offline roott CA
or not.
n Based on that
t y will also decide
decision, you
ou will be deplloying a standalone root CA
if yo A or
an enterprise
e roott CA.
Usually, if you are
e deploying a single-layer
s CA
A
hierrarchywhich means that yo ou deploy onlyy a
singgle CAit is most
m common to t choose
enteerprise root CAA. However, if you are deplo
oying
a twwo-layer hierarrchy, the most common scen nario
is to
o deploy a stanndalone root CA
C and an
enteerprise subordinate CA.
The next factor too consider is th

he operating syystem installattion type. AD C CS is supported in both the ffull
installation and th
he Server Core e installation sccenarios. Serveer Core providees a smaller atttack surface and
less administrative
e overhead, an nd therefore sh hould be stronngly considered for AD CS in n an enterprisee
environment. In Windows
W Serve er 2012, you ca an also use Wi ndows PowerSShell to deployy and manage e the
AD CS role.
You u should also be y cannot change computeer names or co

b aware that you omputer domaain memberships
afteer you deploy on
o that compuuter a CA of an name. Therefore, it
ny type, nor caan you changee the domain n
is im
mportant to deetermine these
e attributes before installing a CA.
The following table details additional conside

erations.
Co
onsideration Descriptio
on
A cryptographicc service provider (CSP) that The deffault CSP is thee Microsoft Strong
is used to generrate a new keyy Cryptog
graphic Provid er.
Any pro
ovider whose n name starts with a
numberr sign (#) is a ccryptography N
Next
Generattion (CNG) pro ovider.
Th
he key charactter length The defau
ult key length ffor the Microsoft
Strong Cryyptographic P Provider is 2,04
48
characterss. This is the m
minimum
recommen nded value forr a root CA.
Th
he hash algorithm that is use
ed to sign The defau
ult value of thee hash algorith
hm is
ce
ertificates issue
ed by a CA SHA-1.
Th
he validity perriod for certificcates issued byy The defau
ult value for ceertificates is five
a CA years.
Th
he status of the root server (online
( or The root sserver should bbe deployed aas an
offfline) offline CA
A. This enhancees security andd
safeguardds the root certtificate (because it is
not availa ble to attack o
over the netwo ork).
Specifically, if you
u decide to dep
ploy an offline
e standalone ro
oot CA, there aare some speccific considerattions
thatt you should have
h in mind:
Before you isssue a subordinnate certificate

e from root CA A, make sure th hat you provid de at least one CDP
and AIA locattion that will be
b available to all clients. Thi s is because, b
by default, a sttandalone roott CA
has the CDP and AIA loca ated on itself. Therefore,

T wheen you take th he Root CA offf the network,
revocation check will fail, as the CDP an nd AIA locatio ns will be inacccessible. When you define tthese
locations, you
y should manually copy CR RL and AIA infformation to th hat location.
Set a validitty period for CRLs

C that root CA publishes tto a long perio od of time (forr example, one
e year).
This means that you will have to turn on o root CA oncce per year to publish a new w CRL, and thenn copy
it to a locattion that is ava
ailable to clients. If you fail to
o do so, after tthe CRL on thee root CA expiires,
revocation check for all certificates
c will also fail.
Publish roo
ot CA certificate to a trusted root certificat ion authority sstore on all serrver and clientt
machines, by
b using Group p Policy. You must
m do this mmanually, beca use a standalo one CA cannott do it
automaticaally, unlike an enterprise
e CA. You can also p publish the root CA certificaate to AD DS b by using
the certutil command-lin ne tool.
Demonstra
D ation: Deplloying a Ro
oot CA
In
n this demonsttration, you will see how to deploy
d an Enteerprise root CA
A.
Demonstrati
D ion Steps
Deploy
D a Roo
ot CA
1.. In Server Manager,
M add the Active Dire
ectory Certifiicate Servicess role.
2.. Select the Certification

C Authority
A role
e service.
3.. After the in

nstallation com
mpletes successsfully, click thee text Configu
ure Active Dire
ectory Certifiicate
Services onn the destination server.
4.. Select to install Enterprisse Root CA.
5.. Set the Keyy length to 409

96.
6.. Name the CA

C AdatumRo
ootCA.
Considerat
C ions for Deploying a Subordin
nate CA
Yo
ou can use a subordinate CA A to implemennt policy
re
estrictions for PKI,
P and to disstribute certificcates to
clients. After insstalling a root CA for the
orrganization, yoou can install one
o or more
su
ubordinate CA As.
When
W you are using
u a subord
dinate CA to diistribute
ce
ertificates to users or compuuters that have
e an
acccount in an ADA DS environm ment, you can install
th
he subordinate erprise CA. Then, you
e CA as an ente
ca
an use the data from the clieent accounts inn AD DS
o distribute and manage certtificates, and to
to
puublish certifica
ates to AD DS. However, to
co
omplete this procedure,
p you must be a me ember of the lo
ocal Administrrators group, o
or have equivaalent
peermissions. If the
t subordinatte CA will be an enterprise C
CA, you also neeed to be a me ember of the DDomain
Admins group or o have equiva
alent permissio
ons.
Frrom a security perspective, a recommende

ed scenario wo
ould be to havve an offline ro
oot standalone
e CA and
ann Enterprise su
ubordinate CA.
A su
ubordinate CA
A is usually dep
ployed to achie
eve some of th
he following fu
unctionalities:
Usage: You may

m issue certifficates for a nu
umber of purpposes, such as ssecure email and network
authentication. The issuing policy for these uses may b e distinct, and
d separation prrovides a basiss for
administering
g these policess.
Organizational divisions: Yoou may have different

d policiees for issuing ccertificates, de
epending upon
n an
entitys role in
n the organiza
ation. You can create suborddinate CAs to sseparate and aadminister thesse
policies.
Geographic divisions:
d Organizations oftenn have entitiess at multiple p
physical sites. LLimited networrk
connectivity between
b these
e sites may req
quire individuaal subordinate CAs for many or all sites.
Load balancin b using your PKI to issue an

ng: If you will be nd manage a llarge number of certificates,,
o CA can ressult in considerable networkk load for that single CA. Usin
having only one ng multiple
subordinate CAs
C to issue th he same kind of
o certificates d
divides the nettwork load bettween CAs.
Backup and fault tolerance: Multiple CAs increase the ppossibility thatt your networkk will always haave
operational CAs
C available too respond to user
u requests.
Ho
ow to Use the
t CAPolicy.inf File
e for Installlation
If yo
ou want to dep ploy root or suubordinate CA A, and
you want to both predefine som me values for use u
during installation n and define soome additiona al
paraameters, you can
c use the CA APolicy.inf file tot
commplete these stteps. The CAPo olicy.inf file is a
plain text file thatt contains vario
ous settings th hat
are used when insstalling the AD D CS role, or when
reneewing the CA certificate. The e CAPolicy.inf file is
not required to in nstall AD CS, bu ut without it, the
t
defaault settings will
w be applied, and in many cases, c
the default setting gs are insufficient. You can useu
the CAPolicy.inf fiile to configure e CAs in more
commplicated deployments.
Eachh CAPolicy.inf file is divided into sections, and has a sim ple structure, w
which can be described as
follo
ows:
A section is an area in the .inf file that contains a logicaal group of keyys. A section always appears in
brackets in th
he .inf file.
A key is the parameter

p thatt is to the left of
o the equal (=
=) sign.
A value is the
e parameter that is to the rig
ght of the equaal sign.
For example, if yo
ou want to spe
ecify Authority Information A n the CAPolicy..inf file, you will use
Access point in
follo
owing syntax:
[AuthorityInformationAccess]
URL=http://pki.adatum.com/CertData
a/adatumCA.cr
rt
In th
his example, AuthorityInform
A mationAccess is
i a section, URRL is the key, aand
httpp://pki.adatum.com/CertD Data/adatumC CA.crt is the vaalue.
You can also specify some CA server settings in the CAPolicy.inf file. One example of the section that
specifies these settings is :
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0
Note: All parameters from the previous examples are optional.
You can also use the CAPolicy.inf file when installing AD CS to define the following:
Certification practice statement (CPS): Describes the practices that the CA uses to issue certificates.
This includes the types of certificates issued, information for issuing, renewing, and recovering
certificates, and other details about the CAs configuration.
Object identifier (also known as OID): Identifies a specific object or attribute.
CRL publication intervals: Defines the interval between publications for the base CRL.
CA renewal settings: Defines renewal settings as follows:

o Key size: Defines the length of the key pair used during the root CA renewal.
o Certificate validity period: Defines the validity period for a root CA certificate.
o CDP and AIA paths: Provides the path used for root CA installations and renewals.
Once you have created your CAPolicy.inf file, you must copy it into the %systemroot% folder of your
server (for example, C:\Windows) before you install the AD CS role, or before you renew the CA certificate.
Note: The CAPolicy.inf file is processed for both the root and subordinate CA installations
and renewals.
Lesson 3
Deploy
ying and Mana
aging Certificatte Templates
Certtificate templa
ates define how w a certificate can be requessted and for w
what it can be u used. Template es are
configured on the e CA, and theyy are stored in the Active Dirrectory databa se. There are d different versio
ons of
tem
mplates: the Microsoft Windo ows 2000 Serve er Enterprise C
CA supports veersion 1 certificcate templatess, the
Win
ndows Server 2003
2 Enterprise
e Edition supp ports versions 1 and 2 templaates, and Wind dows Server 20 008
Ente 2 and 3 certificate templatees. Windows Seerver 2012 intrroduces version 4
erprise supporrts versions 1, 2,
tem
mplates, yet still also supportss all three prevvious templatee versions.
Two
o types of certiificate templatte categories are
a users and ccomputers, and d each can be used for multtiple
purposes. You can n assign Full Control, Read, Write,
W Enroll, aand Autoenrolll permissions tto certificate
tem
mplates. You caan update certificate templattes by modifyi ng the originaal certificate te emplate, copying a
mplate, or superseding existin
tem ng certificate templates. In thhis lesson, you
u will learn how
w to manage aand
dep
ploy certificate templates.
Lessson Objectiives
Afte
ou will be able to:
Describe certificate templattes.
Describe certificate templatte versions in Windows

W Serveer 2012.
Configure cerrtificate templa

ate permission
ns.
Configure cerrtificate templa

ate settings.
Describe options for updating a certificatte template.
Modify and enable

e a certificate template.
Wh
hat Are Ce
ertificate Templates?
T ?
Certtificate templaates allow adm
ministrators to
custtomize the distribution meth hod of certificaates,
defiine certificate purposes, and mandate the type
of usage
u allowed by a certificate
e. Administrators
can easily create templates,
t and
d can then quicckly
depploy them to th he enterprise by
b using the bu uilt-in
GUI or command--line managem ment utilities.
Assoociated with each certificate template is itss

DACCL, which definnes what securrity principals have
permmissions to rea
ad and configu ure the templa ate,
and to enroll or autoenroll for certificates
c bassed
on the
t template. The
T certificate templates and d
theiir permissions are defined in
n AD DS and arre valid within the forest. If m
more than one
e enterprise CA
A is
runnning in the Active Directory forest, permission changes wwill affect all C
CAs.
Whe en you define a certificate te
emplate, the definition
d of th
he certificate teemplate must be available too all
CAss in the forest. This is accompplished by storring the certifi cate template information in
n the Configurration
namming context, where
w CN=Con nfiguration, annd DC=ForestR RootName. Th he replication o
of this informaation
deppends on the Active
A Directoryy replication schedule, and tthe certificate template mayy not be available to
all CAs
C until repliccation complettes. Storage an nd replication are accomplisshed automaticcally.
Note: Prio
or to Windowss Server 2008 R2,
R only the En nterprise versio
on of Window
ws Server
su
upported management of ce ertificate tempplates. In Wind ows Server 20 008 R2 and Win
ndows Server
20
012, you can also
a manage ce ertificate temp
plates in the Sttandard editio ns.
Certificate
C Template Versions in Window
ws Server 2
2012
Windows
W Server 2012 Certificcation Authoritty
su
upports four veersions of certificate templattes.
Certificate tempplates versionss 1, 2 and 3 are
e legacy
from previous versions
v of Winndows Server, while
ve w to Windows Server 2012.
ersion 4 is new
Certificate tempplate versions correspond

c to
o the
Windows
W Server operating system version.
Windows
W 2000 Server, Windo ows Server 200 03,
Windows
W Server 2008, and Windows
W Serverr 2012
co
orrespond to version
v 1, versiion 2, version 3,
3 and
ve
ersion 4 respecctively.
Aside from corrresponding witth Windows Se erver
op
perating system versions, certificate templlate versions a lso have somee functional differences as fo
ollows:
Windows 2000 Advanced d Server operating system prrovides support for version 1 certificate
templates. The only modification allow wed to version 1 templates is changing perrmissions to eitther
allow or dissallow enrollment of the certtificate templaate. When you install an enteerprise CA, verrsion 1
certificate templates
t are created
c by deffault. As of Julyy 13, 2010, Wiindows 2000 SServer is no lon
nger
supported by Microsoft.
Windows Server 2003 Entterprise Edition operating syystems providee support for vversion 1 and vversion
2 templatess. You can custtomize several settings in thhe version 2 templates. The ddefault installaation
provides seeveral preconfigured version 2 templates. Y You can add vversion 2 temp plates based on n the
requiremen nts of your org
ganization. Alte
ernatively, you
u can duplicatee a version 1 certificate tempplate to
create a new version 2 off the template.. You can then n modify and ssecure the new wly created verrsion 2
certificate template.
t Whe en new templates are added to a Windowss Server 2003 e enterprise CA, they
are version 2 by default.
Windows Server 2008 Entterprise operating systems b bring support ffor new, versioon 3 certificate
e
templates. Additionally,
A support
s for verrsion 1 and ve rsion 2 is provvided. Version 3 certificate
templates support
s severaal features of a Windows Serv rver 2008 enterprise CA, such h as CNG. CNG G
upport for Suite B cryptograp
provides su phic algorithm
ms such as ellipptic curve crypttography (ECC C). In
Windows Server 2008 Entterprise, you can c duplicate d default version n 1 and version
n 2 templates tto bring
them up too version 3. Windows Server 2008 providess two new certtificate templates by default::
Kerberos Authentication and OCSP Ressponse Signing g. In Windows Server 2008 R R2, the Standarrd
version wass also able to support
s certificcate templatess. When you use version 3 ce ertificate tempplates,
you can usee CNG encrypttion and hash algorithms forr the certificate requests, issued certificate es, and
protection of private keyss for key excha ange and key archival scenarios.
Windows Server 2012 operating system ms provide suppport for versio on 4 certificate
e templates, an nd for
all other ve
ersions from ea
arlier editions of
o Windows Seerver. These ceertificate temp plates are available
only to Winndows Server 2012
2 and Wind dows 8. To hellp administrato ors separate w
what features aare
supported by which operrating system version,
v the Co
ompatibility ttab was added d to the certificcate
template properties tab. It marks options as unavaila ble in the certtificate template properties,
depending upon the sele ected operating g system versi ons of certificaate client and CA. Version 4
certificate tem
mplates also su
upport both CSPs and KSPs. They can also be configured
d to require re
enewal
with a same key.
k
Upggrading certificcate templatess is a process that applies on
nly in situations where the CAA has been
upg
graded from Windows
W Server 2008 or 2008 8 R2 to Windo ows Server 201 12. After the up
pgrade, you caan
upg
grade the certifficate templates by launchin ng the CA Man nager console and accepting g the upgrade
prompt by clicking Yes.
Co
onfiguring Certificate
e Template
e Permissiions
To configure
c certiificate templatte permissions, you
need to define the e DACL for eacch certificate
tem
mplate in the Seecurity tab. Th he permissionss that
are assigned to a certificate temmplate will defiine
which users or grooups can read,, modify, enroll, or
auto
oenroll for that certificate te
emplate.
You
u can assign the following pe
ermissions to
certtificate templates:
Full Control:: The Full Control permissio on

allows a security principal to modify all
attributes of a certificate te
emplate, which h
includes permmissions for the e certificate
template itself. It also includ
des permission he security desccriptor of the certificate tem
n to modify th mplate.
Read: The Re ead permissionn allows a userr or computer to view the ceertificate temp plate when enrrolling
es. The Read permission is also required byy the certificatte server to find the certificatte
for certificate
templates in ADA DS.
Write: The Write

W permissio
on allows a use
er or computeer to modify th he attributes off a certificate
template, which includes pe
ermissions assigned to the ccertificate tempplate itself.
Enroll: The Enroll permission allows a user or computeer to enroll forr a certificate bbased on the
certificate tem
mplate. Howevver, to enroll fo
or a certificatee, you must als o have Read p
permissions fo
or the
certificate tem
mplate.
Autoenroll: The
T Autoenro oll permission allows a user o
or computer too receive a cerrtificate throug
gh the
autoenrollme
ent process. Ho
owever, the Auutoenroll perm mission requir es the user or computer to aalso
have both Re
ead and Enrolll permissions for
f a certificatee template.
As a best practice, you should assign
a certificatte template peermissions to g
global or unive
ersal groups oonly.
Thiss is because the certificate te
emplate objectts are stored inn the configuraation naming context in AD DS.
You
u cannot assign n permissions by using doma ain local groupps that are fou
und within an AActive Directo
ory
dom
main. You shou uld never assig gn certificate te
emplate perm issions to indivvidual user or computer acccounts.
ad permission allocated to th
As a best practice, keep the Rea he Authentica ted Users grouup. This permission
allocation allows all
a users and computers to view
v the certifi cate templates in AD DS. Th
his permission
assignment also allows
a the CA that
t is running
g under the Sysstem context o of a computerr account to vie
ew
the certificate tem
mplates when assigning
a certificates.
Configuring
C g Certifica
ate Templa
ate Setting
gs
Beesides configu uring security settings
s for cerrtificate
te
emplates, you can also config gure several other
se
ettings for each template. Be e aware howevver, that
th
he number of configurable
c options
o depend ds on
th
he certificate teemplate versioon. For examplle,
ve
ersion 1certificcate templates do not allow
modification
m of any settings, except
e for secuurity,
while
w certificatee templates froom higher verssions
allow you to configure most of o the available
opptions. Window ws Server 2012 2 provides sevveral
deefault certificate templates for
f purposes th hat
in
nclude code sig gning (for digitally signing
oftware), EFS (ffor encrypting data), and the
so e ability for us ers to log on w
with a smart caard. To custommize a
te
emplate for yo our company, duplicate
d the template
t and tthen modify th he certificate cconfiguration.
Fo
or example, yo
ou can configu
ure the followin
ng:
Format and
d content of a certificate bassed on the certtificates intend
ded use
Note: . Th
he intended usse of a certifica
ate may relatee to users or to
o computers, b
based on the
tyypes of securityy implementattions that are required
r to usse the PKI.
Process of creating
c and submitting a va
alid certificate request
CSP supporrted
Key length
Validity perriod
Enrollment process or enrollment requirements
Yo
ou can also de
efine certificate
e purpose in ce
ertificate settin
ngs. Certificatee templates caan have the folllowing
pu
urposes:
Single Purppose: A single purpose

p wing users to log on
certifiicate serves a ssingle purposee, such as allow
with a smarrt card. Organizations utilize e single purposse certificates in cases where e the certificate
configuratioon differs from
m other certificcates that are b being deployeed. For examplle, if all users w
will
receive a ce
ertificate for sm
mart card logo on but only a ccouple of grou ups will receivee a certificate ffor EFS,
organizatio
ons will genera ally keep these certificates an nd templates sseparate to ensure that userss only
receive the required certiificates.
Multiple Pu urposes: A multi-purpose cerrtificate servess more than on ne purpose (offten unrelated)) at the
same time. While some te emplates (such h as the User ttemplate) servee multiple purrposes by default,
organizatioons will often modify
m templates to serve ad dditional purposes. For exammple, if a comp
pany
intends on issuing certificcates for three purposes, thoose purposes ccan be combin ned into a single
certificate template
t to ea
ase the administrative effort and maintenaance.
Op
ptions for Updating
U a Certifica
ate Templaate
The CA hierarchy in most organ nizations has one
o
certtificate template for each job
b function. Forr
exam mple, there may be a certificcate template for
file encryption and another for code signing.
Add ditionally, there
e may be a few
w templates thhat
cove er functions fo
or most of the common grou ups of
subjjects.
As an
a IT administrrator, you mayy need to mod dify an
existing certificate
e template beccause of incorrrect
settings or other issues
i in the original certifica
ate
tem
mplate. You ma ay also need to
o merge multip ple
existing certificate
e templates intto a single
tem
mplate.
You
u can update a certificate tem
mplate by either modifying tthe template, o
or superseding
g the existing
tem
mplate:
Modify the original certificaate template: To

T modify a ceertificate temp
plate of versionn 2, 3, or 4, you
need to makee changes and then apply th hem to that tem
mplate. After tthis, any certifiicate issued byy a CA
based on thatt certificate template will incclude the mod
difications thatt you made.
Supersede exxisting certifica

ate templates: The
T CA hierarcchy of an orgaanization may have multiple
certificate tem
mplates that provide the sam me or similar fu n such a scenario, you can
unctionality. In
supersede or replace the multiple
m certificate templates by using a sin ngle certificate
e template. You
u can
make this rep placement in thhe Certificate Templates
T con
nsole by design nating that a n
new certificate
e
template supersedes, or rep places, the exissting certificat e templates.
De
emonstration: Modiffying and Enabling
E a Certificatte Templatte
In th
s how to mo
odify and enab
ble a certificatee template.
Dem
monstration
n Steps
Mo
odify and en
nable a certificate temp
plate
1. On LON-SVR1, open the Ce
ertificate Temp
plates console..
2. Review the lisst of available templates.
3. Open Propertties of IPSec ce

ertificate temp
plate and revieew available seettings.
4. Duplicate thee Exchange Usser certificate template. Nam

me it Exchang
ge User Test1, and then con
nfigure
de the Exchange User temp
it to supersed plate.
5. Allow Authen
nticated Users to enroll for th
he Exchange U
User Test1 tem
mplate.
6. Publish the te
emplate on LO
ON-SVR1.
Lesson
n4
Imple
ementin
ng Certiificate Distribu
D ution an
nd Revo
ocation
One
O step in dep ploying PKI in your
y organization will be to define metho ods for certificaate distributionn and
ennrollment. In addition,
a durinng the certificate managemeent process, theere will be tim mes that you may need
to
o revoke certifiicates. There may
m be a numb ber of reasons for revoking ccertificates, such as if a key
beecomes compromised, or if someone leaves the organizzation. You neeed to ensure that network clients
caan determine which
w certifica
ates are revokeed before acceepting authenttication requessts. To ensure
sccalability and high
h availabilitty, you can depploy the AD CSS Online Respo onder, which ccan be used to o
provide certificaate revocation status. In this lesson, you wwill learn aboutt methods for ccertificate disttribution
annd certificate revocation.
r
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe op
ptions for certiificate enrollm
ment.
Describe ho
ow autoenrollm
ment works.
he Restricted Enrollment Age

Describe th ent.
Explain how
w to configure
e the Restricted
d Enrollment A
Agent.
Describe th
he Network De
evice Enrollment Service.
Explain how
w certificate re
evocation work
ks.
Describe co f publishing AIAs and CDP

onsiderations for Ps.
Describe an
n Online Respo
onder.
Configure Online
O Respon
nder.
Options
O forr Certificatte Enrollm
ment
In
n Windows Serrver 2012, seve eral methods canc be
ussed to enroll fo
or a user or co
omputer certifiicate.
Thhe use of thesee methods dep pends on speccific
sccenarios. For example, autoe enrollment will
probably be use ed to mass-deploy certificate es to a
la
arge number of o users or com mputers, while manual
ennrollment will be used for ce ertificates dediicated
ju
ust to specific security
s princip
pals.
Th
he following list describes th
he different
en
nrollment metthods, and whe en to use them
m:
Autoenrollm ment: Using th his method, thee

administrattor defines thee permissions and
a the
configuratioon of a certificcate template. These definiti ons help the rrequestor to au
utomatically re
equest,
retrieve, and renew certifficates withoutt end-user inteeraction. This mmethod is usedd for AD DS doomain
computers. The certificate e must be connfigured for au
utoenrollment through Grou up Policy.
CA Web en nrollment: Usinng this methodd, you can ena ble a website CA so that use ers can obtain
certificates.. To use CA Weeb enrollmentt, you must insstall Internet In
nformation Serrver (IIS) and the web
enrollment role on the CA A of AD CS. To questor logs on to the websiite,
o obtain a certtificate, the req
selects the appropriate ceertificate temp
plate, and thenn submits a req quest. The certtificate is issue
ed
automaticallyy if the user ha

as the appropriate permissio ns to enroll fo or the certificatte. The CA Web
enrollment method
m should be used to isssue certificatess when autoen nrollment cann not be used. Th
his
can happen in the case of ana Advanced Certificate
C requuest. Howeverr, there can also be cases where
autoenrollmeent can be used d for certain certificates, butt not for all certificates.
Manual enrolllment: Using this

t method, th he private keyy and a certificaate request are e generated on a
a a web servicce or a computer. The certifiicate request is then transpo
device, such as orted to the CAA to
generate the certificate that is requested.. The certificatte is then transsported back tto the device fo
or
installation. Use
U this method when the re equestor canno ot communicate directly with the CA, or iff the
device does not
n support au utoenrollment.
Enrollment on n behalf (Enrollment Agent): Using this meethod, a CA ad dministrator crreates an

Enrollment Agent account for f a user. The e user with Enrrollment Agent rights can th
hen enroll for
certificates on
n behalf of othher users. For example,
e use tthis method if you need to aallow a manageer to
preload logon o new employyees on smart ccards
n certificates of
Ho
ow Does Autoenrollm
ment Work?
One e of the most common
c methhods for deploying
certtificates in an Active
A Directorry environmen nt is
to use
u autoenrollm ment. This metthod provides an
autoomated way to o deploy certifficates to both users
and computers within the PKI. You Y can use
autooenrollment in n environmentts that meet sp pecific
requuirements, succh as the use of
o certificate
tem
mplates and Gro oup Policy in AD
A DS. It is
impportant to note e, however, thaat you cannot use
auto w a standalone CA. You must
oenrollment with
have an enterprise e CA available to make use of o
autooenrollment.
Youu can use autoe enrollment to deploy public keybased ceertificates auto omatically to users and comp puters
in an organizationn. The Certifica
ate Services ad
dministrator duuplicates a cerrtificate templaate, and then
configures the permissions to allow Enroll and d Autoenroll p
permissions forr the users who o will receive tthe
certtificates. Doma
ain-based Grou up Policies, succh as computeer-based and u user-based po olicies, can activvate
and manage auto oenrollment.
By default,
d Group Policy is applied when you restart compuuters, or at logon for users. A
Also by defaultt,
Group Policy is refreshed every 90 minutes on n domain mem
mbers. This Gro oup Policy settting is named
Certtificate Service
es Client - Auto
o-Enrollment.
An internal
i timer triggers autoe
enrollment eve ery eight hourss after the last autoenrollme
ent activation. The
certtificate template might speciify user interacction for each request. For suuch a request, a pop-up win
ndow
app
pears approxim mately 60 seconnds after the user
u logs on.
Man ny certificates can be distributed without the n being aware that enrollment is taking plaace.
t client even
These include mo ost types of cerrtificates that are omputers and
a issued to co d services, as w
well as many
certtificates issued to users.
To enroll
e clients automatically for certificates in a domain eenvironment, yyou must:
Have membe ership in Doma mins, (or equivvalent), which is the minimum
ain Admins or Enterprise Adm
required to co
omplete this procedure.
p
Configure a certificate
c temp
plate with Auttoenroll permisssions.
Configure an
a autoenrollm
ment policy forr the domain.
What
W Is Cred
dential Roam
ming?
Credential Roamming allows orrganizations to
o store certificaates and privatte keys in AD DS, separatelyy from
ap
pplication state or configura
ation informatiion.
Credential Roam ming uses existting logon and d autoenrollm ent mechanism ms to downloaad certificates and
ke
eys to a local computer
c whenever a user lo ogs on and, if desired, remove them when n the user logss off. In
ddition, the inttegrity of these credentials is maintained u
ad under any connditions, such aas when certifiicates
arre updated, orr when users loog on to more than one com mputer at a tim
me. This avoidss the scenario wwhere a
usser is autoenro
olled for a certtificate on each
h new machinee to which he or she logs on n.
Credential Roam
ming is triggerred any time a private key orr certificate in the user's locaal certificate sttore
ch
hanges, wheneever the user lo ks the computeer, and wheneever Group Pollicy is refreshed.
ocks or unlock
All certificate-re
elated communication betweeen componen nts on the locaal computer and between th
he local
co
omputer and AD A DS is signed and encryptted. Credentiall Roaming is suupported in W
Windows 7 and
d newer
Windows
W operaating systems.
What
W Is the
e Restricte
ed Enrollment Agentt?
In
n earlier versions of Windowss Server CA, su uch as
Windows
W Server 2003, it is no
ot possible to permit
p
an
n Enrollment Agent
A to enroll only a certain
n group
off users. As a re
esult, every use
er with an Enroollment
Agent certificate is able to enroll on behalf of any
usser in an organnization.
Thhe Restricted Enrollment

E Agent allows you u to
mit the permisssions for userss who are designated
lim
ass Enrollment Agents,
A to enro
oll for smart ca
ard
ceertificates on behalf
b of otherr users. The Re
estricted
Ennrollment Age ent is a functionality that wass
in
ntroduced in th he Windows Se erver 2008 Entterprise
opperating system.
Tyypically, one or
o more authorrized individua als within an o rganization arre designated aas Enrollment Agents.
Th
he Enrollment Agent needs to t be issued an Enrollment A Agent certificaate, which enables the agentt to
en
nroll for smart card certificattes on behalf of
o users. Enrolllment agents aare typically m members of corrporate
se
ecurity, IT secu
urity, or help desk teams, beccause these inddividuals havee already been entrusted witth
sa
afeguarding va aluable resourcces. In some organizations, ssuch as banks that have man ny branches, hhelp
deesk and security workers mig ght not be con
nveniently locaated to perform m this task. In this case, desiignating
a branch manag ger or other trrusted employeee to act as ann Enrollment AAgent is required to enable ssmart
ca
ard credentialss to be issued from
f multiple locations.
On
O a Windows Server 2012 CA A, the restricte
ed Enrollment Agent featurees allow an Enrrollment Agen nt to be
ate templates. For each certiificate templatte, you can cho
ussed for one or many certifica oose on behalf of
which
w users or security
s group
ps the Enrollme ent Agent can enroll. You caannot constrain n an Enrollmen
nt
Agent based on n a certain Active Directory organizational
o unit (OU) or ccontainer. Inste
ead, you mustt use
se
ecurity groups.
Note: Using g restricted Enrollment Agen nts will affect t he performancce of the CA. T
To
optimize performance, you should minimize the t number off accounts that are listed as Enrollment
Age
ents. You minim mize the numb ber of accountts in the Enroll ment Agents permissions list. As a
bestt practice, use group accoun nts in both listss instead of ind
dividual user aaccounts.
De
guring the
e Restricted
d Enrollme
ent Agent
In th
s how to con
nfigure the Reestricted Enrollment Agent.
Dem
monstration
n Steps
Con
nfigure the Restricted Enrollment Agent
1. On LON-SVR1, open the Ce
ertificate Temp
plates console..
2. Configure Alllie Bellew perrmissions to en

nroll for an Enrrollment Agen
nt certificate.
3. Publish the En
nrollment Age
ent certificate template.
t
4. Log on to LON-CL1 as Ada
atum\Allie witth the passworrd Pa$$w0rd.
5. Open a MMC
C console and add
a the Certificates snap-in..
6. Request the Enrollment

E Agent certificate..
7. Switch to LON
N-SVR1, and open
o the prope
erties of Adatu
umRootCA.
8. Configure the
e Restricted En nt so that Alliee can only issue certificates b
nrollment Agen based on the U
User
template, and
d only for the Marketing security group.
Wh
hat Is Netw
work Devicce Enrollm
ment Servicce?
The Network Device Enrollmentt Service (NDES) is
the Microsoft imp plementation of
o Simple Certiificate
Enroollment Protoccol (SCEP). SCE
EP is a
com
mmunication protocol
p that makes
m it possib
ble for
softtware that is ru
unning on netw
work devices such
s
as roouters and switcheswhich cannot otherw wise
be authenticated
a on the networrkto enroll for
X.5009 certificates from a CA.
You u can use NDES S as an Interne

et Server API (IISAPI)
er on IIS to perrform the following functions:
filte
Create and prrovide one-tim

me enrollment
passwords to administratorrs.
Retrieve awaiting requests from

f the CA.
Collect and process

p SCEP enrollment requ
uests for the s oftware that r uns on networrk devices.
Thiss feature applie es to organizations that have PKIs with on ne or more Win ndows Server 2012based C CAs,
and that want to enhance
e the security of their network devvices. Port secu
urity, based onn 802.1x, requirres
certtificates be insttalled on switcches and accesss points. Secu re Shell (SSH), instead of Tellnet, requires a
certtificate on the router, switch,, or access point. NDES is thee service that aallows adminisstrators to insttall
certtificates on devvices using SCEP.
Adding supportt for NDES can n enhance the flexibility and scalability of aan organizatio
on's PKI. Therefore,
th
his feature should interest PK
KI architects, planners,
p and aadministrators..
Be
efore installing
g NDES, you must
m decide:
o set up a dedicated user acccount for the sservice, or use the Network SService accoun
Whether to nt.
The name ofo the NDES re

egistration authority and wh hat country/reg
gion to use. Th
his information
n is
included in any SCEP certtificates that are issued.
The CSP to use for the sig

gnature key th
hat is used to eencrypt communication betw
ween the CA aand the
registration
n authority.
The CSP to use for the enncryption key that
t is used to encrypt comm
munication be
etween the
registration d the network device.
n authority and
The key len

ngth for each of
o these keys.
In
n addition, you ure the certificaate templates for the certificcates that are used in
u need to creatte and configu
co
onjunction witth NDES.
nstalling NDES on a compute

In er creates a ne
ew registration
n authority and d deletes any p preexisting
re
egistration authority certifica
ates on the com DES on a computer
mputer. There fore, if you plaan to install ND
where
w another registration auuthority has alrready been co
onfigured, any pending certifficate requestss should
bee processed annd any unclaim es should be cl aimed before you install ND
med certificate DES.
How
H Does Certificate
e Revocatio
on Work?
Re
evocation is th
he process in which
w you disable
va o more certificates. By initia
alidity of one or ating
th
he revoke proccess, you actua
ally publish a
ce
ertificate thum
mbprint in the corresponding
c g CRL.
e revocation life cycle

An overview of the certificate
is outlined as fo
ollows:
A certificate
e is revoked from the CA MM MC
snap-in. Duuring revocatioon, a reason coode and
a date and time are speciified. This is op
ptional,
but recomm mended to fill.
The CRL is published usinng the CA MMC snap-
ocation list is published autom
in (or the sccheduled revo matically baseed on the configured value). CRLs
can be pub blished in AD DS,
D some share ed folder locattion, or on a w
website.
When Wind dows client computers are presented
p with a certificate, tthey use a process to verify
revocation status by querrying the issuin ocess determines whether th
ng CA. This pro he certificate is
revoked, an
nd then presennts the informa ation to the ap
pplication requ uesting the verification. The
Windows client computer uses one of the t CRL locatio ons specified i n certificate to
o check its validity.
Th
he Windows operating
o syste
ems include a CryptoAPI,
C wh ich is responsiible for the cerrtificate revocaation
an API utilizes thee following phaases in the certificate checking
nd status checking processess. The CryptoA
process:
Certificate Discovery: Cerrtificate discovery collects CA A certificates, A

AIA informatio
on in issued
certificates,, and details off the certificate
e enrollment p
process.
Path validation: Path valid
dation is the process
p h the CA chain (or
of veriffying the certifficate through
path) until the
t root CA ce ertificate is rea
ached.
Revocation ch hecking: Each certificate in the certificate cchain is verifieed to ensure th

hat none of the
e
certificates arre revoked.
Network retriieval and caching: Network retrieval
r is perrformed by usiing OCSP. Cryp ptoAPI is
responsible fo
or checking the local cache first
f for revocaation informat ion and if therre is no match,,
making a call using OCSP, which
w is based
d on the URL p provided by thee issued certifiicate.
Co
onsideratio
ons for Pub
blishing AIIAs and CD
DPs
Whe en you are ma anaging and issuing certificates, it
ery important to properly co
is ve onfigure certificate
exteensions that arre used to verify the certificaate of
the CA, and the ce ertificate that is being used by
the user. These exxtensions, calle ed AIA and CD DP, are
partt of each certifficate. They mu ust point to prroper
locaations, or PKI may
m not function correctly.
Wh
hat Is AIA?
AIA addresses are e the URLsad ddresses that
uniqquely identify each location on the Interne et or
anetin the certificates thatt a CA issues. These
intra T
adddresses tell the verifier of a ce
ertificate wherre to
retrieve the CA's certificate.
c AIA
A access URLs can
c be HTTP, FFile Transfer Prrotocol (FTP), LLightweight
Dire
ectory Addresss Protocol (LDA AP), or FILE addresses.
Wh
hat Is CDP?
CDPP is a certificate extension th
hat indicates from where thee certificate revvocation list fo
or a CA can be
retrieved. It can coontain none, one,
o or many HTTP,
H FILE, or LLDAP URLs.
AIA
A and CDP Publishing
P
If yo
ou use only ann online CA, these values are configured byy default local ly on the CA. H However, if yo
ou
wan nt to deploy an
n offline root CA
C or if you wa ant to publish AIA and CDP to an internett facing locatio on,
you must reconfig gure these valu ey apply to all certificates isssued by the root CA. The AIA
ues so that the A and
CDP P extensions define where client applicatioons can locate AIA and CDP information fo or the root CA
A. The
formmatting and pu ublishing of AIIA and CDP exxtension URLs aare generally tthe same for root CAs and
subordinate CAs. You can publish the root CA A certificate an
nd the CRL to tthe following llocations:
Active Directo
ory
Web servers
File Transfer Protocol

P (FTP) servers
File servers
Pub
blication Po
oints
To ensure
e accessib
bility to all com
mputers in thee forest, publis h the offline ro
oot CA certificcate and the offfline
roott CAs CRL to Active
A Directorry by using the
e Certutil commmand. This plaaces the root C CA certificate and
CRLL in the Configuration namin ng context, which Active Direectory replicattes to all domaain controllers in the
fore
est.
For computers tha

at are not mem CRL on web servers
mbers of Activve Directory, pllace the CA ceertificate and C
by using
u the HTTP
P protocol. Loccate the web servers
s on the internal netwo ork, and also oon the external
ne
etwork if exterrnal client com
mputers (or inteernal clients frrom external n
networks) require access. Thiss is very
im
mportant if youu are using intternally issued certificates ouutside your com
mpany.
Yo
ou can also pu
ublish certificattes and CRLs to ftp:// and FI LE:// URLs, but it is recommended that yo ou use
on
nly LDAP and HTTP URLs, be ecause they are the most wid dely supported d URL formatss for interoperaability
pu
urposes. The order
o in which you list the CDDP and AIA exxtensions is im portant becau use the certificaate
ch
haining engine
e searches the URLs sequenttially. Place thee LDAP URL firrst in the list if your certificattes are
mostly
m used inte
ernally.
What
W Is an Online Re
esponder?
Byy using OCSP, an Online Ressponder provid des
clients with an efficient
e way to o determine th
he
re
evocation statu us of a certifica
ate. OCSP subm
mits
ce
ertificate status requests usin ng HTTP.
Clients access CRLs

C to determ
mine the revocaation
sttatus of a certifficate. CRLs might be large, and
clients might uttilize a large ammount of time e to
se
earch through these CRLs. An Online Responder
caan dynamicallyy search these CRLs for the clients
c
annd respond on nly to the requuested certifica
ate.
Yo
ou can use a single Online Responder
R to
etermine revocation status information for
de
ertificates that are issued by a single CA, or
ce o by multiple C
CAs. However,, you can use m
more than one
e Online
esponder to distribute CA re
Re evocation inforrmation.
Yo
ou can install an
a Online Respponder on anyy computer thaat runs Windo ows Server 200 08 Enterprise o
or
Windows
W Server 2012. You sh
hould install an
n Online Respo
onder and a CA A on different computers. Th he
fo
ollowing operaating systems can
c use Online e Responder fo
or validation o
of certificate staatus:
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista
V
Windows 7
Windows 8
Fo
or scalability and high availa
ability, you can
n deploy the O Online Respond der in a load-b
balanced arrayy using
Network Load Balancing
B (NLBB), which proce esses certificatte status requeests. You can m
monitor and mmanage
ea
ach member of o the array ind
dependently. ToT configure th he Online Resp ponder, you mmust use the Online
Re
esponder man nagement conssole.
Yo
ou must config gure the CAs tot include the URL of the On nline Respondeer in the AIA eextension of isssued
ce
ertificates. The
e OCSP client uses
u o validate the certificate stattus. You must also issue the OCSP
this URL to
Re
esponse Signin ng certificate template,
t hat the Online Responder caan also enroll tthat certificate.
so th
How
H to Insta
all and Conffigure Onlin
ne Responde
er
Yo
ou can install Online
O Respon
nders on comp puters that aree running Winddows Server 20 008 R2 or Windows
Se
erver 2012. Yo
ou should insta
all Online Resp
ponders after t he CAs, but beefore issuing aany client certifficates.
10-28 Implementing Active Directory Certificate Services
The certificate revocation data is derived from a published CRL that can come from a CA on a computer
that is running Windows Server 2008 or newer, or Windows Server 2003, or from a non-Microsoft CA.
Before configuring a CA to support the Online Responder service, the following must be present:
IIS must be installed on the computer during the Online Responder installation. The correct
configuration of IIS for the Online Responder is installed automatically when you install an Online
Responder.
An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment
used to issue an OCSP Response Signing certificate to the computer on which the Online Responder
will be installed.
The URL for the Online Responder must be included in the AIA extension of certificates issued by the
CA. This URL is used by the Online Responder client to validate certificate status.
After an Online Responder has been installed, you need to create a revocation configuration for each CA
and CA certificate that is served by an Online Responder. A revocation configuration includes all of the
settings that are needed to respond to status requests regarding certificates that have been issued using a
specific CA key. These configuration settings include:
CA certificate. This certificate can be located on a domain controller, in the local certificate store, or
imported from a file.
Signing certificate for the Online Responder. This certificate can be selected automatically for you,
selected manually (which involves a separate import step after you add the revocation configuration),
or you can use the selected CA certificate.
Revocation provider that will provide the revocation data used by this configuration. This information
is entered as one or more URLs where the valid base and delta CRLs can be obtained.
Demonstration: Configuring an Online Responder

In this demonstration, you will see how to configure an Online Responder.
Demonstration Steps
Configure an Online Responder
1. On LON-SVR1, use Server Manager to add an Online Responder role service to the existing AD CS
role.
2. Configure a new AIA distribution location on AdatumRootCA to be http://lon-svr1/ocsp.
3. On AdatumRootCA, publish the OCSP Response signing certificate template, and allow
Authenticated users to enroll.
4. Open the Online Responder Management console.
5. Add revocation configuration for AdatumRootCA.
6. Enroll for OCSP Response signing certificate.
7. Ensure that the revocation configuration status displays as working.

Lesson
n5
Mana
aging Ce
ertificatte Reco
overy
Certificate or ke
ey recovery is one
o of the mo ost important m management ttasks during th he certificate liife cycle.
Yoou use a key archival and reccovery agent for
f data recoveery if you losee your public and private keyys. You
ca
an also use auttomatic or manual key archival and key reecovery metho ods to ensure tthat you can gain
acccess to data in the event that your keys are lost. In this lesson, you wiill learn how to
o manage keyy
C in Windows Server 2012 A
arrchival and reccovery in AD CS AD CS.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe th k archival and recovery.

he process of key
Configure Automatic
A Keyy Archival.
Configure CA
C for Key Arcchival.
Explain keyy recovery.

Recover a lost key.
Overview
O of
o Key Arch
hival and Recovery
R
If you lose yourr public and prrivate keys, you u will
noot be able to access
a any data that is encryypted by
ussing the certifiicates public key.
k This data can c
in
nclude Encryptting File System m (EFS) and
Seecure/Multipurpose Internett Mail Extensio ons
(S
S/MIME). There efore, archival and recovery of
puublic and priva ate keys are im
mportant.
Conditions
C fo
or Losing Keys
K
Yo
ou may lose ke
ey pairs due to
o the following
g
co
onditions:
User profile
e is deleted or corrupted. A CSP
C
encrypts a private key and stores the enncrypted privaate key in the llocal file systemm and registryy in the
user profile
e folder. Deletion or corruption of the proffile results in th
he loss of the private key maaterial.
Operating system
s is reinsstalled. When you
y reinstall th
he operating ssystem, the pre
evious installattions of
ofiles are lost, including the private key m aterial.
the user pro
Disk is corrupted. If the hard
h disk becom d and the userr profile is unavvailable, the private
mes corrupted
key materia al is lost autom
matically.
Computer isi stolen. If a users compute with the private key material is
er is stolen, thee user profile w
unavailable
e.
Key
K Archival and Recovery Agents
Yo
ou use key arcchival and Key Recovery Age ents (KRA) for ddata recovery. You can ensuure that CA
ad
dministrators can
c recover prrivate keys by archiving
a themm. KRAs are deesignated userss who are ablee to
re
etrieve the orig
ginal certificate
e, private key, and public keey that were ussed to encrypt the data, from
m the
CAA database. A specific certifiicate templatee is applied to a KRA. When yyou enable key archival in a version
2 certificate tem
mplate, the CA encrypts and stores that priivate key in itss database. In ssituations whe
ere the
CA has stored the e subjects private key in the CA database, you can use kkey recovery to
o recover a
corrrupted or lost key.
Durring the key recovery process, the certificatte manager reetrieves the encrypted file that contains the
certtificate and private key from the CA database. Next, a KR he private key from the encryypted
RA decrypts th
file and returns th
he certificate and private keyy to the user.
Seccurity for Ke
ey Archival
Wheen you have a configured CA A to issue a KR
RA certificate, aany user with Read and Enrroll permission
n on
the KRA certificate
e template can
n enroll and beecome a KRA. As a result, Do omain Adminss and Enterprisse
Admmins receive peermission by default.
d Howevver, you must eensure the folllowing:
Only trusted users are allow

wed to enroll for this certificaate.
The KRAs reccovery key is sttored in a secu

ure manner.
The server wh a archived is in a separate physical securre location.
here the keys are
Understanding
g Key Archiv
val and Reccovery
Key recovery implies that the prrivate key porttion of a publi c-private key p
pair may be arrchived and
reco
overed. Privatee key recovery does not recoover any data o or messages. Itt merely enables a user to
retrieve lost or damaged keys, or
o for an administrator to as sume the role of a user for d data access or data
reco
overy purposes. In many app a recovery can not occur with
plications, data hout first perfo
orming key
reco
overy.
The key recovery procedure is as

a follows:
1. The user requ uests a certificaate from a CA and provides a copy of the private key ass part of the re
equest.
The CA, which g the request, archives the e ncrypted privaate key in the C
h is processing CA database aand
equesting user.
issues a certifficate to the re
2. ertificate can be used by an application

The issued ce a succh as EFS to en
ncrypt sensitivve files.
3. If, at some po
oint, the privatte key is lost orr damaged, th e user can con ntact the comp
panys Certificaate
Manager to recover
r the private key. The Certificate Maanager, with thhe help of the KRA, recovers the
private key, sttores it in a protected file fo
ormat, and sen ds it back to t he user.
4. After the userr stores the reccovered privatte key in the u sers local keyss store, it once
e again can be
e used
ation such as EFS to decrypt previously enccrypted files orr to encrypt ne
by an applica ew ones.
Co
onfiguring Automatic Key Arch
hival
Befoore you can usse key archival, you must perform
seveeral configurattion steps. The
e key archival
featture is not enabled by default, and you sho ould
configure both CA A and certificate templates for
f
key archival and key
k recovery.
The following stepps describe the
e automatic ke
ey
arch
hival process:
1. Configure the e KRA certificate template. Only

O
Enterprise Ad dministrators or
o Domain
Administrators are allowed to request a KRA K
certificate. If you
y want to en nroll some oth
her
user with a KR RA certificate, you must speccify it
on the templa ate DACL.
2. Configure Certificate Managers:
a. CA enforces a person to be a Certificate Manager, if defined. The Certificate Manager usually

holds a private key for valid KRA certificates. By default, the CA Administrator is a Certificate
Manager for all users, except for cases with another explicit definition. However, as a best
practice, you should separate these two roles if possible.
b. A CA Officer is defined as a Certificate Manager. This user has the security permission to issue and
manage certificates. The security permissions are configured on a CA in the Certification
Authority MMC snap-in, in the CA Properties dialog box, from the Security tab.
c. A KRA is not necessarily a CA Officer or a Certificate Manager. These roles may be segmented as
separate roles. A KRA is a person who holds a private key for a valid KRA certificate.
3. Enable KRA:
a. Log on as Administrator of the server, or as CA Administrator if role separation is enabled.
b. In the CA console, right-click the CA name, and then click Properties. To enable key archival, on
the Recovery Agents tab, click Archive the key.
c. By default, the CA uses one KRA. However, you must first select the KRA certificate for the CA to
begin archival by clicking Add.
d. The system finds valid KRA certificates, and then displays available KRA certificates. These are
generally published to AD DS by an enterprise CA during enrollment. KRA certificates are stored
under the KRA container in the Public Key Services branch of the configuration partition in
AD DS. Because CA issues multiple KRA certificates, each KRA certificate will be added to the
multivalued user attribute of the CA object.
e. Select one certificate, and then click OK. Ensure that you have selected the intended certificate.
f. After you have added one or more KRA certificates, click OK. KRA certificates are only processed
at service start.
4. Configure user templates:
a. In the Certificate Templates MMC, right-click the key archival template, and then click
Properties.
b. To always enforce key archival for the CA, in the Properties dialog box, on the Request
Handling tab, select the Archive subjects encryption private key check box. In Windows
Server 2008 or later CAs, select the Use advanced symmetric algorithm to send the key to the
CA option.
Demonstration: Configuring CA for Key Archival

In this demonstration, you will see how to configure automatic key archival.
Demonstration Steps
Configure automatic key archival

1. Configure adatumRootCA to issue Key Recovery Agent certificates without approval.
2. Enroll Administrator for Key Recovery Agent certificate.
3. Configure adatumRootCA to use certificate enrolled in step 2 as Key Recovery Agent.
4. Configure Exchange User Test 1 certificate template to allow key archival.

5. Configure adatumRootCA
A to allow key archival.
a
Recovering a Lost Key

Key recovery conssists of several steps, and you
musst strictly follow
w the proceduure to recover
archhived keys. The e procedure fo
or key recoveryy is as
follo
ows:
1. Find recoveryy candidates. You

Y will require e two
pieces of info
ormation to pe erform key reco overy.
First, the Certtificate Manager or the CA
Administrator locates the correct certifica ate
entry in the CA
C database. Then,
T the Certifficate
Manager or the CA Administrator obtainss the
serial numberr of the correcct certificate en
ntry
and the KRA certificate required for key
recovery.
2. Retrieve PKCS
S #7 BLOB from m the databasse. This is the ffirst half of thee key recovery step. A Certificate
Manager or a CA Administrrator retrieves the correct BLLOB from the C The certificate and
CA database. T
d private key to be recovered are present in PKCS #7 BLLOB. The privatte key is encryypted
the encrypted
e public key off one or more KRAs.
alongside the
3. Recover key material

m ave to PKCS #12 (.pfx). This is the second half of the keyy recovery step
and sa p. The
e of the KRA private keys deccrypts the privvate key to be recovered. In addition, the h
holder of one holder
generates a password-prote
p ected .pfx file that contains tthe certificate and private ke
ey.
Impport recovered keys. The password-protectted .pfx file is d delivered to th

he end user. Th
his user importts the
.pfx file into the lo dministrator caan perform this part
ocal user certifficate store. Altternatively, thee KRA or an ad
of the procedure on behalf of th he user.
De
emonstration: Recov
vering a Lo
ost Private Key (optio
onal)
In th
s how to reccover a lost priivate key.
Dem
monstration
n Steps
Reccover a lost private key

y
1. Enroll Administrator for Excchange User Te
est1 certificatee.
2. Delete the ce
ertificate from Administrator
A personal storee to simulate kkey loss.
3. On LON-SVR1 in CA console, retrieve the

e serial numbeer of lost certifiicate.
4. Use command Certutil -ge

etkey <serialn
number> outp
putblob to geenerate blob fiile.
5. Use command Certutil -reccoverkey outputblob reco
over.pfx, to reccover the privaate key.
6. Import the prrivate key back

k to administra
ator personal sstore.
Lab: Implementing Active Directory Certificate Services

Scenario
As A. Datum Corporation has expanded, its security requirements have also increased, and the security
department is particularly interested in enabling secure access to critical web sites, and in providing
additional security for features such as EFS, smart cards, and the Windows 7 and Windows 8 DirectAccess
feature. To address these and other security requirements, A. Datum Corporation has decided to
implement a PKI using the AD CS role in Windows Server 2012.
As one of the senior network administrators at A. Datum Corporation, you are responsible for
implementing the AD CS deployment. You will be deploying the CA hierarchy, developing the procedures
and process for managing certificate templates, and deploying and revoking certificates.
Objectives
Deploy a standalone root CA, and an enterprise subordinate CA.
Configure certificate templates.

Configure certificate enrollment.
Configure certificate revocation.
Configure and perform private key archival and recovery.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-SVR2
20412A-LON-CA1
20412A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2, 20412A-LON-CA1 and 20412A-

LON-CL1. Do not log on until instructed to do so.
Exercise 1: Deploying a standalone root CA

Scenario
A. Datum Corporation wants to start using certificates for various purposes, and you now need to install
the appropriate CA infrastructure. Because they are using AD DS with Windows Server 2012 AD DS, you
decided to implement the AD CS role. When you were reviewing available designs, you decided to
implement a standalone root CA. This CA will be taken offline after it issues a certificate for a subordinate
CA.
1. Install the Active Directory Certificate Services (AD CS) server role on non-domain joined server.
2. Configure a new certificate revocation location.
Task 1: Install the Active Directory Certificate Services (AD CS) server role on non-
domain joined server
1. Log on to LON-CA1 as Administrator using the password Pa$$w0rd.
2. Use the Add Roles and Features Wizard to install the Active Directory Certificate Services role.
3. After installation completes successfully, click the text Configure Active Directory Certificate
Services on the destination server.
4. Configure the AD CS role as a standalone root CA. Name it AdatumRootCA.
5. Set the key length to 4096, accept all other values as default.
Task 2: Configure a new certificate revocation location

1. On LON-CA1, open the Certification Authority console.
2. Open the Properties window for AdatumRootCA.
3. Configure new locations for CDP to be on

http://lon-svr1.adatum.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
4. Select options: Include in the CDP extensions of issued certificates and Include in CRLs. Clients
use this to find Delta CRL locations.
5. Configure new locations for AIA to be on http://lon-svr1.adatum.com/CertData
/<ServerDNSName>_<CaName><CertificateName>.crt
6. Select the Include in the AIA extension of issued certificates check box.
7. Publish the certificate revocation list on LON-CA1.
8. Export the root CA certificate, and copy the .cer file to \\lon-svr1\C$.
9. Copy the content of folder C:\Windows\System32\CertSrv\CertEnroll to \\lon-svr1\C$.
Results: After completing this exercise, you will have installed and configured a standalone root CA.
Exercise 2: Deploying an Enterprise Subordinate CA

Scenario
After deploying the standalone root CA, the next step is to deploy an enterprise subordinate CA. A. Datum
Corporation wants to use an enterprise subordinate CA to utilize AD DS integration. In addition, because
root CA is standalone, you want to publish its certificate to all clients.
1. Install and configure AD CS role on LON-SVR1.
2. Install a subordinate Certification Authority (CA) certificate.
3. Publish the RootCA certificate through Group Policy.

Task 1: Install and configure AD CS role on LON-SVR1

1. Log on to LON-SVR1 as Adatum\Administrator with the password of Pa$$w0rd.
2. Install the Active Directory Certificate Services role on LON-SVR1. Include the Certification
Authority and Certification Authority Web Enrollment role services.
3. After installation is successful, click Configure Active Directory Certificate Services on the
destination server.
4. Select the Certification Authority and Certification Authority Web Enrollment role services.
5. Configure LON-SVR1 to be an Enterprise CA.
6. Configure the CA Type to be a Subordinate CA.
7. For the CA Name type Adatum-IssuingCA.
8. Save the request file to the local drive.
Task 2: Install a subordinate Certification Authority (CA) certificate

1. On LON-SVR1, install the RootCA.cer certificate in the Trusted Root Certification Authority store.
2. Navigate to Local Disk (C:) and copy the AdatumRootCA.crl and LON-CA1 _AdatumRootCA.crt
files to C:\inetpub\wwwroot\CertData.
3. Copy the LON-SVR1.Adatum.com_Adatum- IssuingCA.req request file to \\lon-ca1\C$\.
4. Switch to LON-CA1.
5. From the Certification Authority console on LON-CA1, submit a new certificate request, by using .req
file that you copied in step 3.
6. Issue the certificate and export it to p7b format with complete chain. Save the file to
\\lon-svr1\C$\SubCA.p7b.
8. Install the SubCA certificate on LON-SVR1 using the Certification Authority console.
9. Start the service.
Task 3: Publish the RootCA certificate through Group Policy

1. On LON-DC1, from Server Manager open the Group Policy Management Console.
3. Publish the RootCA.cer file from \\lon-svr1\C$ to Trusted Root Certification Authorities store in
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
Results: After completing this exercise, you will have deployed and configured an enterprise subordinate
CA
Exercise 3: Configuring Certificate Templates

Scenario
After deploying the CA infrastructure, the next step is to deploy the certificate templates that are required
in the organization. For the beginning, A. Datum Corporation wants to implement a new Web server
certificate and implement smart card certificates for users. They also want to implement new certificates
on the LON-SVR2 web server.
1. Create a new template based on the Web server template.
2. Create a new template for users that includes smart card logon.
3. Configure the templates so they can be issued.
4. Update the Web server certificate on the LON-SVR2 Web Server.
Task 1: Create a new template based on the Web server template

1. On LON-SVR1, from the Certification Authority console, open the Certificate Templates Console.
2. Duplicate the Web Server template.
3. Create a new template and name it Adatum Web Server.

4. Configure validity for 3 years.
5. Configure the private key as exportable.
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates Console, duplicate the User certificate template.
2. Name the new template Adatum Smart Card User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail
name check boxes.
4. Add Smart Card Logon to Application Policies of the new certificate template.
5. Configure this new template to supersede the User template.
6. Allow Authenticated Users to Read, Enroll, and Autoenroll for this certificate.
7. Close the Certificate Templates Console.
Task 3: Configure the templates so they can be issued

Configure LON-SVR1 to issue certificates based on the Adatum Smart Card User and Adatum Web
Server templates.
Task 4: Update the Web server certificate on the LON-SVR2 Web Server
2. Refresh the Group Policy and restart server if needed.
3. From Server Manager, open the Internet Information Services (IIS) Manager.
4. Enroll for a domain certificate using the following parameters:
o Common name: lon-svr2.adatum.com
o Organization: Adatum
o Organizational Unit: IT
o City/locality: Seattle
o State/province: WA
o Country/region: US
5. Create HTTPS binding for Default Web Site, and associate it with new certificate.
Results: After completing this exercise, you will have created and published new certificate templates.
Exercise 4: Configuring Certificate Enrollment

Scenario
The next step in implementing the PKI at A. Datum Corporation is configuring certificate enrollment. A.
Datum wants to enable different options for distributing the certificates. Users should be able to enroll
automatically, and smart card users should get their smart cards from Enrollment Agents. Adatum has
delegated enrollment agent rights for the Marketing department group to Allie Bellew.
1. Configure autoenrollment for users.
2. Verify autoenrollment.
3. Configure the Enrollment Agent for smart card certificates.
Task 1: Configure autoenrollment for users

3. Navigate to User Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then click to highlight Public Key Policies.
4. Enable the Certificate Services Client Auto-Enrollment option, and enable Renew expired
certificates, update pending certificates, and remove revoked certificates and Update
certificates that use certificate templates.
5. Enable the Certificate Services Client Certificate Enrollment Policy.
6. Close Group Policy Management Editor and Group Policy Management console.
Task 2: Verify autoenrollment

1. On LON-SVR1, open Windows PowerShell and use gpupdate /force to refresh Group Policy.
2. Open an mmc.exe console and add the Certificates snap-in focused on the user account.
3. Verify that you have been issued a certificate based on the Adatum Smart Card User template.
Task 3: Configure the Enrollment Agent for smart card certificates

1. On LON-SVR1, from the Certification Authority console, open the Certificate Templates console.
2. Allow Allie Bellew to enroll for an Enrollment Agent certificate.
3. Publish the Enrollment Agent certificate template.

4. Log on to LON-CL1 as Allie, and enroll for an Enrollment Agent certificate.
5. On LON-SVR1, open properties of Adatum-IssuingCA, and configure Restricted Enrollment Agent so

that Allie can only issue certificates based on Adatum Smart Card User, for security group
Marketing.
Results: After completing this exercise, you will have configured and verified autoenrollment for users,
and configured an enrollment agent for smart cards.
Exercise 5: Configuring Certificate Revocation

Scenario
As part of configuring the certificate infrastructure, A. Datum Corporation wants to configure revocation
components on newly established CAs. You will configure CRL and Online Responder components.
1. Configure Certified Revocation List (CRL) distribution.
2. Install and configure an Online Responder.
Task 1: Configure Certified Revocation List (CRL) distribution

1. On LON-SVR1, in the Certification Authority console, right-click Revoked Certificates, and then click
Properties.
2. Set the CRL publication interval to 1 Day, and set the Delta CRL publication interval to 1 hour.
3. Review CDP locations on Adatum-IssuingCA.
Task 2: Install and configure an Online Responder

1. On LON-SVR1, use Server Manager to add an Online Responder role service to the existing AD CS
role.
2. When the message displays that installation succeeded, click Configure Active Directory Certificate
Services on the destination server. Configure the online responder.
3. On LON-SVR1, open the Certification Authority console.
4. Configure the new AIA distribution location on Adatum-IssuingCA to be http://lon-svr1/ocsp.
5. On Adatum-IssuingCA, publish the OCSP Response signing certificate template, and allow
Authenticated users to enroll.
6. Open the Online Responder Management console.
7. Add revocation configuration for Adatum-IssuingCA.
8. Enroll for an OCSP Response signing certificate.

9. Ensure that revocation configuration is working.
Results: After completing this exercise, you will have configured certificate revocation settings.
Exercise 6: Configuring Key Recovery

Scenario
As a part of establishing a PKI, you want to configure and test procedures for recovery of private keys. You
want to assign a KRA certificate for an administrator, and configure CA and specific certificate templates
to allow key archiving. In addition, you want to test a procedure for key recovery.
1. Configure the CA to issue Key Recovery Agent (KRA) certificates.
2. Acquire the KRA certificate.
3. Configure the CA to allow key recovery.
4. Configure a custom template for key archival.
5. Verify key archival functionality.

Task 1: Configure the CA to issue Key Recovery Agent (KRA) certificates

1. On LON-SVR1, in the Certification Authority console, right-click the Certificates Templates folder,
and then click Manage.
2. In the Certificates Templates console, open the Key Recovery Agent certificate properties dialog
box.
3. On the Issuance Requirements tab, clear the CA certificate manager approval check box.
4. On the Security tab, notice that only Domain Admins and Enterprise Admins groups have the Enroll
permission.
5. Right-click the Certificates Templates folder, and enable the Key Recovery Agent template.
Task 2: Acquire the KRA certificate

1. Create an MMC console window that includes having the Certificates snap-in for the current user
loaded.
2. Use the Certificate Enrollment Wizard to request a new certificate, and enroll the KRA certificate.
3. Refresh the console window, and view the KRA in the personal store.
Task 3: Configure the CA to allow key recovery

1. On LON-SVR1, in the Certification Authority console window, open the Adatum-IssuingCA
Properties dialog box.
2. On the Recovery Agents tab, click Archive the key, and then add the certificate by using the Key
Recovery Agent Selection dialog box.
3. Restart Certificate Services when prompted.
Task 4: Configure a custom template for key archival

1. On LON-SVR1, open the Certificates Templates console.
2. Duplicate the User template, and name it Archive User.
3. On the Request Handling tab, set the option for the Archive subject's encryption private key. Using
the archive key option, the KRA can obtain the private key from the certificate store.
4. Click the Subject Name tab, clear the E-mail name and Include e-mail name in subject name
check boxes.
5. Add the Archive User template as a new certificate template to issue.
Task 5: Verify key archival functionality

1. Log on to LON-CL1 as Adatum\Aidan, using the password Pa$$w0rd.
2. Create an MMC console window that includes the Certificates snap-in.

3. Request and enroll a new certificate based on the Archive User template.
4. From the personal store, locate the Archive User certificate.
5. Delete the certificate for Alan Brewer to simulate a lost key.
7. Open the Certification Authority console, expand Adatum-IssuingCA, and then click Issued
Certificates store.
8. In the Certificate Authority Console, note the serial number of the certificate that has been issued for
Alan Brewer.
9. On LON-SVR1, open a command prompt, and type:

certutil getkey <serial number> outputblob
Note: Replace serial number with the serial number that you wrote down.
10. Verify that the Outputblob file has appeared in the C:\Users\Administrator folder.
11. To convert the Outputblob file into an importable .pfx file, at the command prompt, type Certutil
recoverkey outputblob aidan.pfx.
12. Enter the password Pa$$w0rd for the certificate.
13. Verify the creation of the recovered key in the C:\Users\Administrator folder.
14. Cut and paste the aidan.pfx file to the root of drive C on LON-CL1.
15. Switch to LON-CL1, and import the aidan.pfx certificate.
16. Verify that the certificate appears in the Personal store.
Results: After completing this exercise, you will have implemented key archival, and tested private key
recovery.

following steps.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, 20412A-LON-CA1 and 20412A-

LON-SVR2.
Lab Review
Question: Why is it not recommended to install just an Enterprise root CA?
Question: What is the main benefit of OCSP over CRL?
Question: What must you do to recover private keys?


Question: What are some reasons that an organization would utilize PKI?
Question: What are some reasons that an organization would use an enterprise root CA?
Question: List the requirements to use autoenrollment for certificates.

Question: What are the steps to configure an Online Responder?

The location of the CA certificate that is

specified in the authority information
access extension is not configured to
include the certificate name suffix. Clients
may not be able to locate the correct
version of the issuing CA's certificate to
build a certificate chain, and certificate
validation may fail.
CA is not configured to include CRL

distribution point locations in the
extensions of issued certificates. Clients
may not be able to locate a CRL to check
the revocation status of a certificate, and
certificate validation may fail.
CA was installed as an enterprise CA, but

Group Policy settings for user
autoenrollment have not been enabled. An
enterprise CA can use autoenrollment to
simplify certificate issuance and renewal. If
autoenrollment is not enabled, certificate
issuance and renewal may not occur as
expected.

Contoso, Ltd wants to deploy PKI for supporting and securing several services. They have decided to use
Windows Server 2012 Certificate Services as a platform for PKI. Certificates will be primarily used for EFS,
digital signing, and for Web servers. Because documents that will be encrypted are important, it is crucial
to have a disaster recovery strategy in case of key loss. In addition, clients that will access secure parts of
the company website must not receive any warning in their browsers.
1. What kind of deployment should Contoso, Ltd choose?
2. What kind of certificates should Contoso use for EFS and digital signing?
3. What kind of certificates should Contoso use for a website?

4. How will Contoso ensure that EFSencrypted data is not lost if a user loses a certificate?
Best Practice
When deploying CA infrastructure, deploy a standalone (non-domain joined) root CA, and an
enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives a certificate from
RootCA, take RootCA offline.
Issue a certificate for RootCA for a long period of time such as 15 or 20 years.
Use autoenrollment for certificates that are widely used.
Use a Restricted Enrollment Agent whenever possible.
Use Virtual Smart Cards for improving logon security.
Tools
Certificate Authority console
Certificate Templates console
Certificates console
Certutil.exe
11-1
Module 11
Implementing Active Directory Rights Management Services
Contents:
Lesson 1: AD RMS Overview 11-2
Lesson 2: Deploying and Managing an AD RMS Infrastructure 11-7
Lesson 3: Configuring AD RMS Content Protection 11-13
Lesson 4: Configuring External Access to AD RMS 11-19
Lab: Implementing AD RMS 11-24
Module Overview
Active Directory Rights Management Services (AD RMS) provides a method for protecting content that
goes beyond simply encrypting storage devices using Windows BitLocker Drive Encryption, or
individual files using Encrypting File System (EFS). AD RMS provides a method to protect data in transit
and at rest, and ensures that it is accessible only to authorized users for a specific duration.
This module introduces you to AD RMS, and describes how to deploy it, how to configure content
protection, and how to make AD RMSprotected documents available to external users.
Objectives
Provide an overview of AD RMS.
Deploy and manage an AD RMS infrastructure.
Configure AD RMS content protection.
Configure external access to AD RMS.

11-2 Implemennting Active Directoryy Rights Managemennt Services
Lesson 1
AD RM
MS Overrview
Prio
or to deploying
g AD RMS, you u need to knoww how AD RM S works, what components are included in n an
AD RMS deploym ment, and how you should de eploy AD RMS . You must als o understand the concepts
behhind various AD
D RMS certifica
ates and licensses.
Thiss lesson provid w of AD RMS, and the scenaarios in which yyou can use it to protect an
des an overview
orgaanization's con
nfidential data
a.
Lessson Objectiives
Afte
u will be able to:
t
Describe AD RMS.
Explain the sccenarios in which you can usse AD RMS.
List the AD RM
MS componen
nts.
List the different AD RMS certificates and

d licenses.
Explain how AD
A RMS workss.
Wh
hat Is AD RMS?
R
AD RMS is an info ormation prote ection technolo ogy
thatt is designed to
o minimize the e possibility off data
leak
kage. Data leak kage is the unaauthorized
nsmission of information, either to people
tran
with
hin the organizzation or peop ple outside the e
orgaanization, whoo should not be able to acce ess
thatt information. AD RMS integ grates with exissting
Microsoft productts and operating systems
including Exchang ge, SharePointt, and the Micrrosoft
Office Suite.
AD RMS can prote ect data in transit and at rest. For

exam mple, AD RMS S can protect documents
d sen
nt as
ema ail messages, ensuring
e that a message cannot be opened d even if it is aaccidentally adddressed to the e
wro Y can also use AD RMS to protect data sstored on devices such as re
ong recipient. You emovable USB
drivves. A drawbacck of file and fo
older permissio ons is that oncce the file is co
opied to anoth her location, thhe
orig
ginal permissioons no longer apply.
a A file th
hat is copied to
o a USB drive w will inherit the
e permissions o on the
desttination devicee. Once copied d, a file that wa as read-only ccan be made e ditable by alte ering the file and
fold
der permissions. With AD RM MS, the file can be protected in any locatio on, irrespectivee of file and folder
perm missions that grant
g W AD RMS, only the userss who are auth
access. With horized to open the file will b be
ablee to view the contents
c of tha
at file.
Usage
U Scen
narios for AD
A RMS
Thhe primary use e for AD RMS is i to control th
he
diistribution of sensitive
s inform
mation. You ca an use
AD RMS in com mbination with encryption
te
echniques to se ecure data when it is in stora age or
in e can be many reasons to control
n transit. There
he distribution of sensitive in
th nformation, succh as
neeeding to ensu ure that only authorized
a stafff
members
m have access to a file
e, ensuring thaat
se
ensitive email messages
m cann
not be forward ded, or
en
nsuring that details of an un nreleased proje ect are
noot made public. Consider the following sce enarios.
Scenario 1
Thhe CEO copiess a spreadsheet file containinng the compen nsation packagges of an orgaanization's executives
from a protecteed folder on a file server to the CEOs perso
onal USB drivee. During the ccommute hom me, the
CEO leaves the USB drive on the
t train, wherre someone w with no connection to the org ganization find
ds it.
Without
W AD RM
MS, whoever finnds the USB drrive can open the file. With AAD RMS, it is p
possible to enssure that
th b opened by unauthorized users.
he file cannot be
Scenario 2
An internal document should be viewable by b a group of aauthorized pe ople within th he organization
n. These
pe
eople should not
n be able to edit or print the document.. While it is po ossible to use the native
unctionality of Microsoft Offfice Word to restrict
fu r these ffeatures, doing
g so requires eeach person to
o have a
Windows
W Live account. Withh AD RMS, you u can configuree these permisssions based o on existing acco
ounts in
AD DS.
Peeople within thhe organizatio on should not be

b able to forw
ward sensitive e-mail messag ges that have been
asssigned a partiicular classifica
ation. With AD
D RMS, you cann allow a sender to assign a particular
classification to a new e-mail message, and that classifica tion will ensurre that the recipient cannot forward
th
he message.
Overview
O of
o the AD RMS
R Comp
ponents
Th he AD RMS root certification n cluster is the first
AD RMS server that you deplo oy in a forest. The
AD RMS root ce ertification clusster manages all
liccensing and ce ertification trafffic for the dommain in
which
w it is installed. AD RMS stores
s configuration
in
nformation eith her in a Microssoft SQL Serve er
da t Windows Internal Database. In
atabase or in the
la
arge environme ents, the SQL Server
S databasse is
ho osted on a server that is separate from the e server
th
hat hosts the AD A RMS role.
AD RMS licensin ng-only clusters are used in
diistributed enviironments. Lice
ensing-only clusters
do
o not provide certification, but
b do allow th he distribution
n of licenses th
hat are used fo
or content
co
onsumption an nd publishing. Licensing-only clusters are ooften deployeed to large branch offices in
orrganizations th
hat use AD RM MS.
AD
D RMS Serve
er
AD RMS servers must
m be memb bers of an AD DS
D domain. W hen you installl AD RMS, info ormation abouut the
loca
ation of the clu
uster is publish
hed to AD DS to
t a location kknown as the sservice connection point.
Commputers that are members of the domain queryq the servvice connectionn point to dete
ermine the loccation
of AD
A RMS service es.
AD
D RMS Clientt
AD RMS client is built
b into the Windows
W Vistaa, Windows 7, aand Windows 8 operating syystems. The AD D
RMSS client allows AD RMS-enab ons to enforce the functionality dictated b
bled applicatio by the AD RMSS
mplate. Without the AD RMS client, AD RMS-enabled app
tem uld be unable tto interact with AD
plications wou
RMSS-protected coontent.
AD
D RMS Enablled Applicattions
AD RMS-enabled applications allow
a users to create
c and con nsume AD RMS-protected co ontent. For
exammple, Microsooft Outlook allo
ows users to viiew and createe protected em
mail messages.. Microsoft Wo
ord
allows uses to view
w and create protected
p word d processing ddocuments.
AD
D RMS Certtificates an
nd License
es
To understand
u hoow AD RMS wo orks, you need to
be familiar
f with its different certificates and license
typees. Each of theese certificates and licenses
funcctions in a diffferent way. Somme certificatess, such
as the server licennsor certificate (SLC), are critically
impportant and you must back them up on a
reguular basis.
SLC
C
The SLC is generated when you create the AD D RMS
clusster. It has a va
alidity of 250 years.
y The SLC
allows the AD RM MS cluster to isssue:
SLCs to otherr servers in the

e cluster.
Rights Account Certificates to clients.

Client licenso
or certificates.
Publishing liccenses.
Use licenses.
Rights policy template.
The SLC public ke ey encrypts the

e content key in
i a publishingg license. This allows the AD RMS server to
o
extrract the conten
nt key and issu
ue end use lice
enses (EULs) ag
gainst the pubblishing key.
AD
D RMS Mach
hine Certificate
The AD RMS machine certificate e is used to ide
entify a trusted
d computer orr device. The ccertificate iden
ntifies
the client computter's lockbox. The
T machine certificate publlic key encryptts the Rights A Account Certificcate
privvate key. The machine
m certificate private keey decrypts thee Rights Accou
unt Certificate
es.
Rig
ghts Accoun
nt Certificate
e
The Rights Account Certificate (RAC)
( identifie
es a specific useer. The defaultt validity time for a RAC is 365
days. RACs can on
nly be issued to
o users in AD DS whose userr accounts havve email addre esses that are
asssociated with them. A RAC is issued the fiirst time a userr attempts to aaccess AD RMS-protected co ontent.
Yoou can adjust the default validity time usin
ng the Rights AAccount Certifficate Policies node of the Active
Directory Rightss Management Services conssole.
A temporary RA AC has a validitty time of 15 minutes.

m Temp porary RACs arre issued when
n a user is acceessing
AD RMS-proteccted content frrom a compute er that is not a member of tthe same or tru
usted forest ass the
AD RMS clusterr. You can adju ust the default validity time uusing the Righ
hts Account Ceertificate Policies node
off the Active Directory Rightss Managementt Services conssole.
AD RMS supporrts the followin

ng additional RACs:
R
Active Directory Federatio

on Services (AD FS) RACs aree issued to fed
derated users. They have a validity
of seven da
ays.
Two types of o Windows Live ID RAC are supported. Windows Livee ID RACs used d on private
computers have a validityy of six months. Windows Livve ID RACs useed on public ccomputers are valid
until the usser logs off.
Client
C Licenssor Certifica
ate
A client licensorr certificate allows a user to publish AD RM MS-protected ccontent when the client com mputer
is not connected to the same network as th he AD RMS clu ster. The client licensor certiificate public kkey
en ncrypts the symmmetric conte ent key and inccludes it in thee publishing liccense that it issues. The clien
nt
liccensor certifica
ate private keyy signs any pubblishing licens es that are issuued when the client is not
coonnected to th he AD RMS clu uster.
Client licensor certificates

c are tied to a speccific user's RAC
C. If another usser who has no
ot been issuedd a RAC
atttempts to pubblish AD RMS protected con ntent from thee same client, tthey will be un
nable to until tthe
client is connected to the AD RMS cluster and can issue t hat user with a RAC.
Publishing
P License
A publishing license (PL) deteermines the rigghts that applyy to AD RMS-p protected conttent. For example, the
pu
ublishing licen
nse determiness if the user can edit, print, o
or save a docu ment. The pub blishing license e
ontains the content key, which is encrypted using the pu
co ublic key of th e licensing serrvice. It also co
ontains
th
he URL and the e digital signatture of the AD
D RMS server.
End Use Lice

ense
An EUL is requirred to consum
me AD RMSprotected conteent. The AD RM
MS server issue
es one EUL perr user
pe
er document. EULs are cache ed by default.
How
H AD RM
MS Works
AD RMS works in the followin
ng manner:
1.. An author receives

r a clien
nt licensor certtificate
from the AD RMS server the
t first time heh or
she configu
ures rights protection for
information
n.
2.. The author is able to defiine a collection

n of
usage rightts and conditio
ons for the file. When
the author does this, the application en ncrypts
the file with
h a symmetric key.
11-6 Implementing Active Directory Rights Management Services
3. This symmetric key is encrypted to the public key of the AD RMS server that is used by the author.
4. The recipient of the file opens it using an AD RMS application or browser. It is not possible to open
AD RMS-protected content unless the application or browser supports AD RMS. If the recipient does
not have an account certificate on the current device, one will be issued to the user at this point. The
application or browser transmits a request to the author's AD RMS server for a Use License.
5. The AD RMS server determines if the recipient is authorized. If the recipient is authorized, the AD RMS
server issues a Use License.
6. The AD RMS server decrypts the symmetric key that was encrypted in step 3, using its private key.
7. The AD RMS server re-encrypts the symmetric key using the recipient's public key and adds the
encrypted session key to the Use License.
Lesson
n2
Deplo
oying and Man
naging an
a AD R
RMS Inffrastructure
Be
efore deployin ng AD RMS, it is important too have a deplo oyment plan th hat is appropriate for your
orrganization's environment.
e AD
A RMS deplo oyment in a sin ngle-domain fo orest is different from AD RMMS
de
eployment in scenarios
s where you need too support the publication an nd consumptio on of content aacross
multiple
m forests, to trusted pa
artner organiza
ations, or acro ss the public I nternet. Beforee deploying A
AD RMS,
yo
ou also need to have an und derstanding off the client req uirements, and d an appropriaate strategy fo
or
ba
acking up and d recovering AD D RMS.
his lesson provvides an overview of deployiing AD RMS, aand the steps yyou need to taake to back up
Th p,
re
ecover, and deecommission an AD RMS infrrastructure.
Le
esson Objecctives
ng this lesson you
Describe AD
D RMS deployyment scenario
os.
Configure the
t AD RMS cluster.
Explain how
w to install the
e first server off an AD RMS c luster.
Describe AD
D RMS client requirements.
r
Explain how nt an AD RMS backup and reecovery strateg
w to implemen gy.
w to decommission and remove AD RMS.

Explain how
AD
A RMS De
eploymentt Scenarios
An AD RMS dep ployment conssists of one or more
se
ervers known as a a cluster. Ann AD RMS clustter is
noot a high-availability failover cluster. When
n you
arre deploying ADA RMS, you should host the e server
so
o that it is high
hly available. AD
A RMS is com mmonly
deeployed as a highly
h e virtual machine.
available
When
W you deploy AD RMS in a single forestt, you
ha
ave a single ADD RMS cluster.. This is the mo
ost
co
ommon form of o AD RMS deployment. You u add
se
ervers to the AD
A RMS clusterr as needed, to o
provide additional capacity.
When
W you deploy AD RMS accross multiple forests,
f
ea
ach forest musst have its own
n AD RMS roott cluster. It is n
necessary to co
onfigure AD RMMS Trusted Puublishing
Domains to enssure that AD RMS content caan be protecteed and consum med across the
e multiple foressts.
Yoou can also deeploy AD RMS to extranet locations. In thiss deployment, the AD RMS licensing serve er is
acccessible to ho ernet. You use this type of d eployment to support collab
osts on the inte boration with external
ussers.
ou can deployy AD RMS with Active Directo
Yo ory Federation
n Services (AD FS) or the Miccrosoft Federattion
Gateway. In thiss scenario, users leverage fed
derated identitty to publish aand consume rrights-protecte
ed
co
ontent.
As a best practice, you should d not deploy AD
A RMS on a d domain controoller. You can o
only deploy AD
D RMS
on
n a domain co ontroller if the service accoun
nt is a membeer of the Domaain Admins grooup.
Co
onfiguring the AD RM
MS Clusterr
Oncce you have de eployed the ADD RMS server role,
you need to confiigure the AD RMSR cluster be
efore
it is possible to usse AD RMS. Coonfiguring the
AD RMS cluster in nvolves perform
ming the followwing
stepps:
1. AD RMS clustter: Choose wh

hether to creatte a
new AD RMS root cluster, or
o join an existting
cluster.
2. Configurationn database: Select whether to use

an existing SQ
QL Server instaance in which to
t
store the AD RMS configura ation databasee, or
to configure and
a install the e Windows Inteernal
Database loca u SQL Server 2008, SQL Serrver 2008 R2, o
ally. You can use or SQL Server 2012 to suppoort an
AD RMS deployment in Windows Server 2012. As a b
best practice, u
use a SQL Servver database th
hat is
hosted on a separate
s server.
3. unt: Microsoft recommends using

Service accou u a standaard domain us er account witth additional
Y can use a managed servvice account a s the AD RMS service account.
permissions. You
4. ose the strengtth of the crypt ography used with AD RMS.

Cryptographic mode: Choo
o Cryptogrraphic Mode 2 uses RSA 204

48-bit keys and
d SHA-256 hasshes.
o Cryptogrraphic Mode 1 uses RSA 104

45-bit keys and
d SHA-1 hashees.
5. Cluster key sttorage: Choosee where the clu ored. You can either have it stored within
uster key is sto
u a special crryptographic service provideer (CSP). If you choose to use
AD RMS, or use e a CSP, you need
to manually distribute
d the key
k if you wan nt to add addittional servers.
6. Cluster key pa
assword: This password
p encrrypts the clusteer key, and is rrequired if you
u want to join other
AD RMS serve ers to the clustter, or if you want
w to restoree the cluster froom backup.
7. Cluster website: Choose wh

hich website on
n the local servver will host th
he AD RMS clu
uster website.
8. Cluster addreess: Specify the

e fully qualified
d domain nam me (FQDN) used d with the clusster. You have the
option of chooosing between an Secure So ockets Layer (SSSL)encrypted
d and non-SSLL-encrypted
website. If you choose non--SSL-encrypted d, you will be unable to add
d support for Id
dentity Federaation.
Once you set the cluster ad ddress and porrt, you cannot change them without comp pletely removinng
AD RMS.
9. Licensor certificate: Choose

e is the friendlyy name used b
by the SLC. It should represent the function
n of
the certificate
e.
10. Service conne egistration: Choose whether the service co
ection point re onnection poinnt is registered in
AD DS when the AD RMS cluster is create ed. The servicee connection p omputers that are
point allows co
members of the
t domain to locate the AD D RMS cluster aautomatically. Only users thaat are members of
the Enterprise
e Admins grou u can perform this
up are able to register the seervice connection point. You
step after the
e AD RMS clustter is createdyou do not haave to performm it during the configuration
process.
Demonstration: Installing the First Server of an AD RMS Cluster

In this demonstration, you will deploy AD RMS on a computer that is running Windows Server 2012.
Demonstration Steps
Configure Service Account

1. Log on to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Use the Active Directory Administrative Center to create an Organizational Unit (OU) named Service
Accounts in the adatum.com domain.
3. Create a new user account in the Service Accounts OU with the following properties:
o First name: ADRMSSVC
o User UPN logon: ADRMSSVC

o Password never expires: Enabled
o User cannot change password: Enabled
Prepare DNS
Use the DNS Manager console to create a host (A) resource record in the adatum.com zone with the
following properties:
o Name: adrms
o IP Address: 172.16.0.21
Install the AD RMS role

1. Log on to LON-SVR1 with the Adatum\Administrator account using the password Pa$$w0rd.
2. Use the Add Roles and Features Wizard to add the AD RMS role to LON-SVR1 using the following
option:
o Role services: Active Directory Rights Management Server
Configure AD RMS
1. In Server Manager, from the AD RMS node, click More to start post deployment configuration of
AD RMS.
2. In the AD RMS Configuration Wizard, provide the following information:
o Create a new AD RMS root cluster
o Use Windows Internal Database on this server
o Use Adatum\ADRMSSVC as the service account
o Cryptographic Mode: Cryptographic Mode 2
o Cluster Key Storage: Use AD RMS centrally managed key storage
o Cluster Key Password: Pa$$w0rd
o Cluster Web Site: Default Web Site
o Connection Type: Use an unencrypted connection
o Fully Qualified Domain Name: http://adrms.adatum.com
o Port: 80
11-10 Implementing Active Directoory Rights Managemeent Services
o Licensor Certificate: Ad
datum AD RM
MS
o Register AD
A RMS Servicce Connection
n Point: Registter the SCP No
ow
3. Log off from LON-SVR1.
Note: You must

m sign out before you can manage AD RMS
AD
D RMS Clie
ent Require
ements
AD RMS content canc only be pu ublished and
consumed by com mputers that are running the e
AD RMS client. All versions of Windows
W Vista
,
Winndows 7, and Windows
W 8 clie
ent operating
A RMS client software. Wind
systems include AD dows
Servver 2008, Wind
dows Server 20 008 R2, and
2 operatingg systems also
include the AD RMMS client. Thesse operating
systems do not reequire additionnal configuration to
consume and pub blish AD RMS protected con ntent.
AD RMS client sofftware is availaable for download
to computers
c thatt are running the
t Windows XP X
opeerating system,, and Mac OS X. X This client software must be installed beefore it is posssible for users of
thesse operating syystems to be able
a to consum me and publish
h AD RMSpro otected conten nt.
AD RMS requires compatible ap

pplications. Serrver applicatio ort AD RMS incclude the following:
ons that suppo
Microsoft Excchange Server 2007

Exchange Serrver 2010
Exchange Serrver 2013
Microsoft Offfice SharePointt Server 2007

SharePoint Se
erver 2010
SharePoint Se
erver 2013
Client applications, such as thosse included in Microsoft Offiice 2007, Officce 2010, and O
Office 2013 can
n
pubblish and consuume AD RMS protected con ntent. You can use the AD RM MS Software DDevelopment K Kit
(SDK) to create ap
pplications thaat can publish and
a consume AD RMSprottected contentt. Microsoft XP PS
view
wer and Windo ows Internet Exxplorer are also able to view w AD RMSprrotected conte ent.
Im
mplementting an AD
D RMS Back
kup and R
Recovery Strategy
Too prevent data a loss, you musst ensure that the AD
RMS server is ba uch a way that it can
acked up in su
bee recovered in f corruption or
n the event of file
se
erver failure. If the AD RMS server
s becomees
naccessible, all AD RMS-protected content also
in
beecomes inacce essible.
A simple strateggy for implemeenting AD RMS
ba
ackup and recovery is to runn AD RMS servver as a
virtual machine, and then usee an enterprisee
ba
ackup productt such as Micro osoft System Center
C
20
012 - Data Pro otection Manager to perform m
re
egular virtual machine
m backu
ups. Some of the
im
mportant comp ponents that require backup ps are the privaate key, certificcates, the AD RMS database
e, and
emplates. You can also perfo
te orm a full serve
er backup, by rrunning AD RM MS server on a virtual machine.
As a best practice, you need to

t back up the e AD RMS privaate key and all certificates used by AD RM MS. The
simplest method of doing this is to export the
t certificatess to a safe locaation. You musst also back up
p the
AD RMS databa ase on a regula
ar basis. The method
m you usee to do this deepends on whe ether AD RMS uses
SQ
QL Server or thhe Windows In nternal Databaase. To back upp templates, co onfigure the te
emplates to bee
exxported to a sh
hared folder, and
a then back up these temp plates.
When
W you are performing
p A RMS role, itt may be neceessary to delete
reccovery of the AD e the
Se
erviceConnecctionPoint objject from AD DS. D You need tto do this if yo ou are recoveriing an AD RMS root
co
onfiguration se
erver, and the server attemppts to provision
n itself as a liceensing-only se
erver.
Decommiss
D sioning an
nd Removing AD RM
MS
Prrior to removin
ng an AD RMS S server, you sh
hould
deecommission that
t server. Deecommissionin ng
AD RMS puts th he cluster into a state where
coonsumers of AD
A RMSproteccted content are a able
to
o obtain specia ecrypts that content,
al keys that de
t existing resstrictions that were
irrespective of the
placed on the use
u of that con ntent. If you doo not
haave a decomm missioning period, and if you simply
emove the AD RMS server, th
re hen the AD RM MS
protected conte ent will becomme inaccessible.
Too decommissio
on AD RMS, pe
erform the folllowing
stteps:
1.. t server that is hosting AD RMS, and thaat you wish to decommission
Log on to the n.
2.. Modify the access contro

ol list (ACL) of the
t file decom mmissioning.aasmx. Grant th
he Everyone grroup
Read & Exeecute permission on the file e. This file is sto
ored in the
%systemdrive%\inetpub\\wwwroot\_wm mcs\decomissio on folder.
3.. ment Services console, expan

In the Activve Directory Rights Managem nd the Securitty Policies node, and
then click the Decommisssioning node e.
4.. In the Actio
ons pane, selecct Enable Decommissionin g.
5.. Click Decom

mmission.
6. When prompted to confirm that you want to decommission the server, click Yes.
After the AD RMS decommissioning process is complete, you should export the server licensor certificate
prior to uninstalling the AD RMS role.
Lesson
n3
Configuring AD RM
MS Conte
ent Pro
otection
n
AD RMS uses rig ghts policy tem
mplates to enfforce a consisteent set of policcies when prottecting contennt.
When
W configuring AD RMS, youy also need to t develop straategies to ensu ure that users can still access
protected conte ent from a commputer that is not connected d to the AD RM MS cluster. Youu also need to o
de gies for excludiing some userss from being aable to access AD RMSprotected content, and
evelop strateg
sttrategies to ensure that proteected content can be recoveered in the eveent that it has expired, the te emplate
ha ed, or if the author of the content is no lon
as been delete nger available..
Le
esson Objecctives
After completin
ng this lesson you
y will be able to:
Describe th
he function of rights policy te
emplates.
Explain how
w to create a rights policy te
emplate.
Implement strategies to ensure

e rights policy
p templatees are availablle for offline use.
Describe exxclusion policie
es.
w to create an exclusion poliicy to exclude an application

Explain how n.
Implement an AD RMS su
uper users group.
What
W Are Rights
R Policy Templa
ates?
Riights policy templates allow you to configure
sttandard metho ods of impleme enting AD RM MS
po olicies across the
t organizatio on. For example, you
caan configure sttandard templates that gran nt view-
on nly rights, blocck the ability to edit, save, an
nd
print, or if used with Microsofft Exchange Se erver,
block the abilityy to forward, re eply, and replyy all to
messages.
m
Riights policy templates are crreated using th

he
Active Directoryy Rights Management Servicces
co
onsole. They are stored in thhe AD RMS dattabase,
an
nd can also be e stored in XML format. Whe en
co
ontent is consu umed, the client checks with
h AD RMS to veerify that it haas the most reccent version off the
te
emplate.
A document author can choo ose to protect content

c by app
plying an existting template. This is done uusing an
AD RMSaware application. For
F example, in n Office Word, you apply a t emplate by ussing the Prote ect
Document
D funcction. When yoou do this, Offfice Word que ries AD DS to determine the e location of th
he
AD RMS server. Once the locaation of the ADD RMS server iis acquired, tem
mplates that aare available to
o the
co
ontent author can be used.
AD RMS templa he following rights:
ates support th
ol. Gives a user full control over

Full Contro o an AD RM
MSprotected d
document.
View. Givess a user the ab

bility to view an
n AD RMSpro
otected docum
ment.
Edit. Allowss a user to mo
odify an AD RM
MSprotected d
document.
Save. Allows a user to use the Save function with an AD RMSprotected document.
Export (Save as). Allows a user to use the Save As function with an AD RMSprotected document.
Print. Allows an AD RMSprotected document to be printed.
Forward. Used with Exchange Server. Allows the recipient of an AD RMSprotected message to
forward that message.
Reply. Used with Exchange Server. Allows the recipient of an AD RMSprotected message to reply to
that message.
Reply All. Used with Exchange Server. Allows the recipient of an AD RMSprotected message to use
the Reply All function to reply to that message.
Extract. Allows the user to copy data from the file. If this right is not granted, the user cannot copy
data from the file.
Allow Macros. Allows the user to utilize macros.
View Rights. Allows the user to view assigned rights.
Edit Rights. Allows the user to modify the assigned rights.
Rights can only be granted, and cannot be explicitly denied. For example, to ensure that a user cannot
print a document, the template associated with the document must not include the Print right.
Administrators are also able to create custom rights that can be used with custom AD RMSaware
applications.
AD RMS templates can also be used to configure documents with the following properties:
Content Expiration. Determines when the content expires. The options are:
o Never. The content never expires.
o Expires on a particular date. Content expires at a particular date and time.
o Expires after. The content expires a particular number of days after it is created.
Use license expiration. Determines the time interval in which the use license will expire, and a new
one will need to be acquired.
Enable users to view protected content using a browser add-on. Allows content to be viewed
using a browser add-on. Does not require the user have an AD RMSaware application.
Require a new use license each time content is consumed. When you enable this option, client-
side caching is disabled. This means that the document cannot be consumed when the computer is
offline.
Revocation policies. Allows the use of a revocation list. This allows an author to revoke permission to
consume content. You can specify how often the revocation list is checked, with the default being
once every 24 hours.
Once an AD RMS policy template is applied to a document, any updates to that template will also be
applied to that document. For example, if you have a template without a content expiration policy that is
used to protect documents, and you modify that template to include a content expiration policy, those
protected documents will now have an expiration policy. Template changes are reflected when the EUL is
acquired. If EULs are configured not to expire and the user who is accessing the document already has a
license, then they may not receive the updated template.
You should avoid deleting templates, because documents that use those templates will become
inaccessible to everyone except for members of the super users group. As a best practice, archive
templates instead of deleting them.
Yo
ou can view th
he rights assocciated with a te
emplate by sel ecting the tem
mplate within tthe Active Dire
ectory
Riights Managem
ment Services console, and then
t in the Acctions menu, cclicking View RRights Summary.
Demonstra
D ation: Creating a Rights Policy Template
e
In
n this demonsttration, you will create a righ
hts policy temp
plate that allow ew a document, but
ws users to vie
noot to perform other actions.
Demonstrati
D ion Steps
In the Activve Directory Rights Managem he Rights Policcy Template node to
ment Services console, use th
create a Disstributed Rights Policy Temp
plate with the following prop
perties:
o Langua
age: English (U
United Statess)
o Name: ReadOnly
o Descrip
ption: Read-on
nly access. No
o copy or prin
nt.
o Users and
a rights: exe
ecutives@ada
atum.com
o Rights for Anyone: View

V
o Grant owner (autho
or) full contro
ol right with n
no expiration
n
o Conten
nt Expiration: Expires
E after 7 days
o ense expiration: Expires after 7 days

Use lice
o Require
e a new use liccense every tim
me content is cconsumed (dissable client-sid
de caching): En
nabled
Providing
P Rights
R Poliicy Templa
ates for Offfline Use
If users are goin
ng to publish AD
A RMSconnected
te
emplates when n they are not connected to the
neetwork, you neeed to ensure that they have e access
to
o a local copy of
o the available rights policyy
te
emplates.
Yo
ou can configu ure computerss to acquire an nd store
puublished rightss policy templates automaticcally, so
th
hat they are avvailable offline. To enable this
fe
eature, computters must be running the folllowing
Windows
W operaating systems:
Windows Vista
V SP1 or new
wer
Windows 7
Windows 8
Windows Server 2008
Windows Server 2008 R2

Windows Server 2012
To
o enable this functionality,
f in
n the Task Scheduler, enablee the AD RMS S Rights Policy y Template
Management
M (Automated)
( Scheduled Ta ask, and then edit the follow
wing registry kkey:
HKE
EY_CURRENT__USER\Softwa
are\Microsoftt\Office\12.0\\Common\DR
RM
Provvide the follow

wing location for
f templates to
t be stored:
%Lo
ocalAppData%
%\Microsoft\DR
RM\Templates
Whe en computers that are runniing these operrating systems are connected d to the domaain, the AD RM
MS
clien
nt polls the AD
D RMS cluster for new templlates, or updattes to existing templates.
You
u can configure
e a shared fold
der for templattes by perform
ming the follow
wing steps:
1. In the Active Directory Righ

hts Manageme
ent Services co
onsole, right-cllick the Rightss Policy Temp
plates
node, and theen click Propeerties.
2. On the Rightts Policy Tempplates Properrties dialog bo

ox, specify the location of the shared folde
er to
which templa
ates will be pub
blished.
Wh
hat Are Exclusion Po
olicies?
Excllusion policies allow you to prevent
p specifiic
userr accounts, clie
ent software, or
o applicationss from
usin
ng AD RMS.
Use
er Exclusion
n
The User Exclusion policy allowss you to config gure
AD RMS so that specific user accountswhich h are
iden
ntified based on
o email addre essesare una able
to obtain
o Use Lice
enses. You do this
t by adding g each
userr's RAC to the exclusion list. User Exclusion
n is
disa
abled by defau ult. Once you have
h enabled User
U
Excllusion, you can
n exclude speccific RACs.
You
u can use user exclusion in th
he event that you
y needed to o lock a specificc user out of A
AD RMSprote ected
content. For exammple, when useers leave the organization, yo
ou might exclu ude their RACss to ensure thaat
theyy are unable to
o access protected content. You
Y can blockk the RACs tha t are assigned to both intern nal
userrs and external users.
Application Ex
xclusion
Appplication Exclussion allows you
u to block spe
ecific applicatio
onssuch as OOffice PowerPo ointfrom creeating
or consuming
c AD RMSprotecte ed content. Yo
ou specify app lications based
d on executab ble names. Youu also
speccify a minimumm and a maxim mum version of
o the applicatiion. Applicatio
on Exclusion is disabled by
defa
ault.
Note: It is possible
p to circcumvent Appliccation Exclusio
on by renamin
ng an executab
ble file.
Locckbox Exclu
usion
Lockbox exclusionn allows you to
o exclude AD RMS
R uch as those ussed with specific operating
clients, su
systems such as Windows
W XP annd Windows Vista. Lockbox vversion exclusiion is disabled by default. Once
you have enabledd Lockbox version exclusion, you must spe cify the minimmum lockbox vversion that can be
usedd with the AD RMS cluster.
Additiona
al Reading: To
o find out more about enab bling exclusion policies, referr to the
fo Net webpage: http://technett.microsoft.com
ollowing TechN m/en-us/librarry/cc730687.asspx
Demonstra
D ation: Creating an Ex
xclusion Po
olicy to Exclude an A
Application
n
In
n this demonsttration, you will see how to exclude
e a speccific application
n from AD RM
MS.
Demonstrati
D ion Steps
1.. ment Services console, enab le Application exclusion.
In the Activve Directory Rights Managem
2.. ude Application dialog boxx, enter the fol lowing inform
In the Exclu mation:
o Applica
ation File name: Powerpnt.e
exe
o Minimu
um version: 14
4.0.0.0
o Maximum version: 16
6.0.0.0
AD
A RMS Su
uper Users Group
Th
he AD RMS super users grou up provides a data
d
re
ecovery mecha anism for AD RMSprotected
R d
co
ontent. This mechanism is usseful in the eve
ent that
AD RMSproteccted data need ds to be recove ered,
su
uch as when coontent has exp
pired, when a
te
emplate has beeen deleted, or when you do o not
ha
ave access.
Members
M of the
e super users group
g are assig
gned
Owner
O Use Licenses for all content that is
protected by th he AD RMS cluster on which that
articular superr users group is enabled. Me
pa embers
off the super useers group are able
a to reset thhe
AD RMS server's private key password.
p
As members of the super users group can access
a any AD RMSprotecteed content, you must be esp pecially
ca
areful when yo ou are managing the membe ership of this g
group. If you cchoose to use tthe AD RMS su uper
ussers group, you should consider implemen nting restricted
d groups policcy and auditing g to limit grou
up
membership,
m an
nd audit any changes that arre made. Supeer User activityy is written to tthe Applicationn event
lo
og.
Th
he super userss group is disab
bled by defaullt.
Yo
ou enable the super users grroup by perforrming the follo
owing steps:
1.. ment Services console, expan

In the Activve Directory Rights Managem node, and then click
nd the server n
Security Po olicies.
2.. In the Secu
urity Policies area,
a under Su
uper Users, clicck Change Su
uper User Setttings.
3.. In the Actio

ons pane, click
k Enable Super Users.
To he super users group:

o set a particular group as th
1.. In the Secu
urity Policies\\Super Users Super
S Users a rea, click Chan
nge super use
er group.
2.. Provide the

e e-mail address associated with
w the superr users group.
Lesson 4
Config
guring External
E l Accesss to AD RMS
It is often necessa
ary to allow useers that are no
ot a part of thee organization access to AD RMSprotecte ed
content. This could be a situatioon where an exxternal user is a contractor w who requires aaccess to sensittive
matterials, or a parrtner organization where your users will reequire access tto protected content publish hed
by their
t AD RMS server.
s AD RMS provides a number
n of diffeerent options for granting e
external users aaccess
to protected
p conttent.
Lessson Objectiives
Afte
ou will be able to:
Describe the options available for making

g AD RMSpro
otected conten
nt accessible to
o external userrs.
Explain how to
t implement Trusted
T User Domains.
D
List the steps necessary to deploy

d Trusted
d Publishing D
Domains.
Describe the steps necessarry to configure

e AD RMS to s hare protected
d content to u
users with Wind
dows
Live IDs.
Determine the appropriate solution for sh

haring AD RM Sprotected ccontent with exxternal users.
Op
ptions for Enabling
E External
E Ussers to Acccess AD RM
MS
Trusst policies allow
w users who are external to the
orgaanization the ability
a to consume AD RMS
prottected contentt. For example e, a trust policyy can
allow users in Brin ng Your Own Device
D (BYOD))
environments to consume
c AD RMSprotected
R d
content, even tho ough those com mputers are no ot
mem mbers of the organization's
o AD
A DS domain n.
AD RMS trusts are e disabled by default,
d and ne eed
to be
b enabled beffore being use ed. AD RMS
supports the follo owing trust pollicies.
Tru
usted User Domains
D
Trussted User Dom mains (TUD) allows an AD RM MS
clusster to process requests for client
c licensor certificates,
c or use licenses frrom people who have RACs
issued by a differeent AD RMS cluster. For exam mple, A. Datum m Corporation n and Trey Research are sepaarate
orga anizations that have each deeployed AD RM MS. TUD allow ws each organizzation to publish and consume
AD RMSprotecte ed content to and
a from the partner
p organiization withou ut having to im
mplement AD DDS
trussts or AD FS.
Tru
usted Publisshing Doma
ains
Trussted Publishing
g Domains (TP PD) allows onee AD RMS clustter to issue EU
ULs to content that uses
pubblishing license
es that are issued by a differe
ent AD RMS clluster. TPD connsolidates exissting AD RMS
infra
astructure.
Fed
deration Tru
ust
Federation Trust provides
p Single
e Sign On (SSO
O) for partner technologies. Federated parrtners can consume
AD RMSprotecte ed content without deploying their own A D RMS infrastrructure. Federation Trust reqquires
dep
ployment of AD D FS.
Windows
W Liv
ve ID Trust
Yoou can use Windows Live ID to allow stand dalone users th
hat have Wind
dows Live IDs tto consume AD
D RMS
protected conte ent generated by users in yo
our organizatio
on. However, W
Windows Live ID users are un
nable to
crreate content that
t is protected by the AD RMS cluster.
Microsoft
M Fe
ederation Ga
ateway
Microsoft
M Federration Gatewayy allows an AD
D RMS cluster tto process req
quests to publish and consumme
AD RMSproteccted content frrom external organizations,
o by accepting cclaims-based aauthentication
n tokens
from the Microssoft Federation
n Gateway. Rather than conffiguring a Fed eration Trust, each organizaation has
a relationship with
w the Microssoft Federation n Gateway. Thee Microsoft Feederation Gateeway acts as a trusted
broker.
Additionaal Reading: You can learn more

m about AD
D RMS Trust Po ollowing link:
olicies at the fo
htttp://technet.m
microsoft.com//en-us/library//cc755156.asp x
Im
mplementting TUD
TU
UD allows AD RMS to service e requests from
m users
who
w have RACs issued by diffferent AD RMS S
de
eployments. You can use excclusions with each
e
TU
UD to block acccess to specific users and groups.
Too configure AD D RMS to supp port service reqquests

from users who have RACs isssued by differe ent
AD RMS deployyments, you ad dd the organizzation
to
o the list of TUDs. TUDS can be one-way, where w
orrganization A is a TUD of org ganization B, or
o bi-
diirectional, whe
ere organizatio on A and organization
B are TUDs of each
e other. In one-way
o
deeployments, itt is possible forr the users of the
t TUD
to
o consume the e content of thhe local AD RM MS deploymentt, but they can
nnot publish A
AD RMSproteccted
co
ontent by using the local AD D RMS cluster.
Yoou need to enable anonymo ous access to the AD RMS liccensing servicee in Internet In
nformation Serrvices
(IIS) when using
g TUD, as by de
efault, accessin
ng the service requires autheenticating usin
ng Integrated
Windows
W Autheentication.
To
o add a TUD, perform
p the fo
ollowing steps:
1.. The TUD off the AD RMS deployment

d th
hat you want tto trust must h
have already b
been exported, and
the file musst be available
e. (TUD files use the .bin exteension.)
2.. In the AD RMS

R console, expand
e Trust Policies,
P and tthen click Trussted User Dom
mains.
3.. In the Actio
ons pane, click
k Import Trustted User Dom
main.
4.. In the Trusted User Dom

main dialog bo
ox, enter the p
path to the exp
ported TUD file
e with the .bin
n
extension.
5.. Provide a name

n to identiffy this TUD. If you have conffigured federaation, you can also choose to
o extend
the trust to
o federated use
ers of the impo orted server.
Yo
ou can use the
e Import-RmssTUD PowerSh
hell cmdlet, w
which is part off the ADRMSADMIN PowerSShell
module,
m to add a TUD.
To export
e a TUD, perform the fo
ollowing stepss:

hts Manageme
ent Services co
onsole, expand
d Trust Policie
es, and then click
Trusted Userr Domains.
2. In the Actionss pane, click Ex

xport Trusted
d User Domaiin.
3. Save the TUD

D file with a descriptive name
e.
You
u can also use the msTUD cmdlet to export an AD RMS serveer TUD.
t Export-Rm
Implementin
ng TPD
Youu can use TPD tot set up a tru
ust relationship
p
betwween two AD RMS deployments. An AD RMS
D, which is a local AD RMS de
TPD eployment, can
grannt EULs for con
ntent publisheed using the Trrusted
Pubblishing domain's AD RMS de eployment. Foor
exammple, Contoso o, Ltd and A. Datum
D Corporaation
are set up as TPD partners. TPD allows users ofo the
Conntoso AD RMS deployment to t consume co ontent
pubblished using th
he A. Datum ADA RMS
dep
ployment, by using EULs thatt are granted by b the
Conntoso AD RMS deployment.
Youu can remove a TPD at any tiime. When youu do

this,, clients of the remote AD RM
MS deploymen
nt will not be aable to issue EEULs to access content prote
ected
by your
y AD RMS cluster.
c
Wheen you are connfiguring a TPD, you import the SLC of an other AD RMSS cluster. TPDss are stored in XML
mat, and are protected by pa
form asswords.
To export
e ollowing steps:
a TPD, perform the fo
1. In the AD RM
MS console, exp
pand Trust Po
olicies, and theen click Truste
ed Publishing
g Domains.
2. In the Resultss pane, choosee the certificate
e for the AD R MS domain th
hat you want to
o export, and then
in the Actionss pane, click Ex
xport Trusted d Publishing DDomain.
3. Choose a stro
ong password and a filename
e for the TPD.
Whe en you are expporting a TPD, it is possible to V1compatible trusted publishing domain
t save it as a V n file.
PD to be imporrted into organizations that are using AD RMS clusters o
Thiss allows the TP on earlier versiions
of the Windows Server operatin ng system, such on available in Windows Servver 2003. You can
h as the versio
use the Export-RmsTPD cmdle et to export a TPD.
T
To import a TPD, perform the fo

ollowing stepss:

hts Manageme
ent Services co
onsole, expand es, and then click
d Trust Policie
Trusted Publishing Doma ains.
2. In the Actionss pane, click Im

mport Trusted
d Publishing Domain.
3. Specify the pa g Domain file that you wantt to import.

ath of the Trussted Publishing
4. Enter the password to open
n the Trusted Publishing
P Dom
main file, and enter a displayy name that
identifies the TPD.
You
u can also use the
t Import-Rm
msTPD cmdle
et to import a TTPD.
Additionaal Reading: You can learn more

m about im
mporting TPDs on the followiing Microsoft
Te nce: http://technet.microsoftt.com/en-us/li brary/cc77146
echNet referen 60.aspx
Sharing AD
D RMSPro
otected Do
ocuments b
by Using W
Windows LLive ID
Yo
ou can use Windows Live ID as a method ofo
providing RACs to users who are not part of
o your
orrganization.
To
o trust Windowws Live IDbassed RACs, perfo
orm the
fo
ollowing steps::
1.. In the Activve Directory Rights Managem

ment
Services console, expand Trust Policies, and
then click Trusted
T User Domains.
D
2.. In the Actio

ons pane, click
k Trust Windo
ows
Live ID.
To
o exclude speccific Windows Live ID email
omains, right-click the Wind
do dows Live ID ceertificate, clickk Properties, aand then click tthe Excluded
Windows
W Live IDs tab. You can
c then enterr the Windowss Live IDs that yyou want to exxclude from being
ab
ble to procure RACs.
To
o allow users with
w Windows Live IDs to ob btain RACs from
m your AD RM MS cluster, you need to configure IIS
to
o support anonnymous accesss. To do this, perform
p the folllowing steps:
1.. Open the IIIS Manager co
onsole on the AD
A RMS serverr.
2.. Navigate too the Sites\De de, right-click tthe Licensing virtual directo
efault Web Sitte\_wmcs nod ory, and
then click Switch
S to Con
ntent View.
3.. Right-click license.asmx,, and then click Switch to C ontent View.
4.. Double-clicck Authentication, and then

n enable Anon
nymous Authentication.
5.. Repeat this step for the fiile ServiceLoccator.asmx.
Additiona al Reading: You can learn more

m about us ing Windows Live ID to estaablish RACs
or users at the following link: http://techne
fo et.microsoft.co
om/en-us/libraary/cc753056.aaspx
Co
onsideratio
ons for Imp
plementing Externall User Acce
ess to AD RMS
The type of extern
nal access thatt you configure
e
dep
pends on the tyypes of external users that need
acce
ess to your org
ganization's co
ontent.
Wheen you are dettermining whicch method to use,
consider the following question
ns:
Does the exte

ernal user belo
ong to an
organization that has an exxisting AD RMS
S
deployment?
Does the exteernal user's orgganization havve an

existing federrated trust with the internal
organization??
Has the exterrnal user's orga

anization estab
blished a relatiionship with th
he Microsoft FFederation
Gateway?
Does the exte

ernal user need
d to publish AD RMSproteccted content t hat is accessib
ble to internal R
RAC
holders?
It is possible that organizations may use one solution
s beforre settling on aanother. For exxample, during
g
initial stages, onlyy a small numb
ber of external users may req quire access too AD RMSpro otected conten nt, in
which case, using Windows Live e IDs for RACs may be appro opriate. When larger numbers of external u users
fromm a single orga anization requ
uire access, a different solutio
on may be app propriate. The financial bene
efit a
solu o an organization must excee
ution brings to ed the cost of implementing g that solution.
Lab: Implementing AD RMS

Scenario
Because of the highly confidential nature of the research that is performed at A. Datum Corporation, the
security team at A. Datum wants to implement additional security for some of the documents that the
Research department creates. The security team is concerned that anyone with Read access to the
documents can modify and distribute the documents in any way that they choose. The security team
would like to provide an extra level of protection that stays with the document even if it is moved around
the network or outside the network.
As one of the senior network administrators at A. Datum, you need to plan and implement an AD RMS
solution that will provide the level of protection requested by the security team. The AD RMS solution
must provide many different options that can be adapted for a wide variety of business and security
requirements.
Objectives
Install and configure AD RMS.
Configure AD RMS Templates.
Implement AD RMS Trust Policies.
Verify AD RMS Deployment.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-MUN-DC1
20412A-MUN-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Password: Pa$$w0rd
5. Repeat step 2 for 20412A-LON-SVR1, 20412A-MUN-DC1, 20412A-LON-CL1, and

20412A-MUN-CL1. Do not log on until directed to do so.
Exercise 1: Installing and Configuring AD RMS

Scenario
The first step in deploying AD RMS at A. Datum Corporation is to deploy a single server in an AD RMS
cluster. You will begin by configuring the appropriate DNS records and the AD RMS service account, and
then will continue with installing and configuring the first AD RMS server. You will also enable the
AD RMS super users group.
1. Configure Domain Name System (DNS) and the Active Directory Rights Management Services
(AD RMS) service account.
2. Install and configure the AD RMS server role.
3. Configure the AD RMS Super Users group.
Task 1: Configure Domain Name System (DNS) and the Active Directory Rights
Management Services (AD RMS) service account
2. Use Active Directory Administrative Center to create an OU named Service Accounts in the
adatum.com domain.
3. Create a new user account in the Service Accounts OU with the following properties:
4. Create a new Global security group in the Users container named ADRMS_SuperUsers. Set the email
address of this group as ADRMS_SuperUsers@adatum.com.
5. Create a new global security group in the Users container named Executives. Set the email address of
this group as executives@adatum.com.
6. Add the user accounts Aidan Delaney and Bill Malone to the Executives group.
7. Use the DNS Manager console to create a host (A) resource record in the adatum.com zone with the
following properties:
o Name: adrms
o IP Address: 172.16.0.21
Task 2: Install and configure the AD RMS server role

1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$word.
2. Use the Add Roles and Features Wizard to add the Active Directory Rights Management Services role
to LON-SVR1 using the following option:
o Role services: Active Directory Rights Management Services
3. From the AD RMS node in Server Manager, click More to start post deployment configuration of
AD RMS.
4. On the AD RMS Configuration Wizard, provide the following information:

o Create a new AD RMS root cluster
o Use Windows Internal Database on this server
o Service account: Adatum\ADRMSSVC
o Cryptographic Mode: Cryptographic Mode 2
o Cluster Key Storage: Use AD RMS centrally managed key storage
o Cluster Key Password: Pa$$w0rd
o Cluster Web Site: Default Web Site
o Connection Type: Use an unencrypted connection

o Fully Qualified Domain Name: http://adrms.adatum.com
o Port: 80
o Licensor Certificate: Adatum AD RMS
o Register AD RMS Service Connection Point: Register the SCP Now
5. Log off LON-SVR1.
Note: You must sign out before you can manage AD RMS. This lab uses port 80 for convenience. In
production environments, you would protect AD RMS using an encrypted connection.
Task 3: Configure the AD RMS Super Users group

1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Open the Active Directory Rights Management Services console.

3. From the Active Directory Rights Management Services console, enable Super Users.
4. Set the ADRMS_SuperUsers group as the Super Users group.
Results: After completing this exercise, you should have installed and configured AD RMS.
Exercise 2: Configuring AD RMS Templates

Scenario
After deploying the AD RMS server, the next step is to configure the rights policy templates and exclusion
policies for the organization. You will deploy both components.
1. Configure a new rights policy template.
2. Configure the rights policy template distribution.
3. Configure an exclusion policy.
Task 1: Configure a new rights policy template

On LON-SVR1, use the Rights Policy Template node of the Active Directory Rights Management
Services console to create a Distributed Rights Policy Template with the following properties:
o Language: English (United States)
o Name: ReadOnly
o Description: Read only access. No copy or print

o Users and rights: executives@adatum.com
o Rights for Anyone: View
o Grant owner (author) full control right with no expiration
o Content Expiration: 7 days
o Use license expiration: 7 days
o Require a new use license every time content is consumed (disable client-side caching)
Task 2: Configure the rights policy template distribution

1. On LON-SVR1, open a Windows PowerShell prompt and issue the following commands each followed
by Enter:
Cmd.exe
mkdir c:\rmstemplates
net share RMSTEMPLATES=C:\rmstemplates /GRANT:ADATUM\ADRMSSVC,FULL
mkdir c:\docshare
net share docshare=c:\docshare /GRANT:Everyone,FULL
2. In the Active Directory Rights Management Services console, set the Rights Policy Templates file
location to \\LON-SVR1\RMSTEMPLATES.
3. In Windows Explorer, view the c:\rmstemplates folder. Verify that the ReadOnly.xml template is
present.
Task 3: Configure an exclusion policy

1. In the Active Directory Rights Management Services console, enable Application exclusion.
2. In the Exclude Application dialog box, enter the following information:
o Application File name: Powerpnt.exe
o Minimum version: 14.0.0.0

o Maximum version: 16.0.0.0
Results: After completing this exercise, you should have configured AD RMS templates.
Exercise 3: Implementing the AD RMS Trust Policies

Scenario
As part of the deployment, you need to ensure that AD RMS functionality is extended to the Trey
Research AD RMS deployment. You will configure the required trust policies, and then validate that you
can share protected content between the two organizations.
1. Export the Trusted User Domains policy.
2. Export the Trusted Publishing Domains policy.
3. Import the Trusted User Domain policy from the partner domain.
4. Import the Trusted Publishing Domains policy from the partner domain.
5. Configure anonymous access to the AD RMS licensing server.

Task 1: Export the Trusted User Domains policy

1. On LON-SVR1, open a Windows PowerShell prompt and issue the following commands:
Cmd.exe
mkdir c:\export
net share export=c:\export /GRANT:Everyone,FULL
2. Use the Active Directory Rights Management Services console to export the Trusted User Domains
policy to the \\LON-SVR1\export share as ADATUM-TUD.bin.
3. Log on to MUN-DC1 with the TREYRESEARCH\Administrator account and the password

Pa$$w0rd.
4. On MUN-DC1, open the Active Directory Rights Management Services console.
5. Export the Trusted User domains policy to the \\LON-SVR1\export share as

TREYRESEARCH-TUD.bin.
Task 2: Export the Trusted Publishing Domains policy

2. Use the Active Directory Rights Management Services console to export the Trusted Publishing
Domains policy to the \\LON-SVR1\export share as ADATUM-TPD.xml. Protect this file using the
password Pa$$w0rd.
3. Switch to MUN-DC1.
4. Use the Active Directory Rights Management Services console to export the Trusted Publishing
Domains policy to the \\LON-SVR1\export share as TREYRESEARCH-TPD.xml. Protect this file
using the password Pa$$w0rd.
Task 3: Import the Trusted User Domain policy from the partner domain
2. Import the Trusted User Domain policy for Treyresearch by importing the file
\\LON-SVR1\export\treyresearch-tud.bin. Use the display name TreyResearch.
4. Import the Trusted User Domain policy for Trey Research by importing the file
\\LON-SVR1\export\adatum-tud.bin. Use the display name Adatum.
Task 4: Import the Trusted Publishing Domains policy from the partner domain
2. Import the Trey Research Trusted Publishing Domain by importing the file
\\LON-SVR1\export\treyresearch-tpd.xml using the password Pa$$w0rd and the display name
Trey Research.
3. Switch to MUN-SVR1.
4. Import the Adatum Trusted Publishing Domain by importing the file

\\LON-SVR1\export\adatum-tpd.xml using the password Pa$$w0rd and the display name
Adatum.
Task 5: Configure anonymous access to the AD RMS licensing server

On LON-SVR1, use Internet Information Services (IIS) to enable anonymous authentication on the
following two files under Defaut Web Site\_wmcs\Licensing
o license.asmx
o ServiceLocator.asmx
Results: After completing this exercise, you should have implemented the AD RMS trust policies.
Exercise 4: Verifying the AD RMS Deployment

Scenario
As a final step in the deployment, you will validate that the configuration is working correctly.
1. Create a rights-protected document.
2. Verify internal access to protected content.
3. Open the rights-protected document as an unauthorized user.

4. Open and edit the rights-protected document as an authorized user at Trey Research.
Task 1: Create a rights-protected document

1. Log on to LON-CL1 with the Adatum\Aidan account and the password Pa$$w0rd.
2. Open Microsoft Word 2010.

3. Create a document named Executives Only.
4. In the document, type the following text:
This document is for executives only, it should not be modified.

5. From the Permissions item, choose to restricted access. Grant bill@adatum.com permission to read
the document.
6. Save the document in the share \\lon-svr1\docshare.
7. Log off from LON-CL1.
Task 2: Verify internal access to protected content

1. Log on to LON-CL1 with the Adatum\Bill account using the password Pa$$w0rd.
2. In the \\lon-svr1\docshare folder, open the Executives Only document.
3. When prompted, provide the credentials, Adatum\Bill with the password of Pa$$w0rd.
4. Verify that you are unable to modify or save the document.
5. Select a line of text in the document.

6. Right-click the line of text. Verify that you cannot modify this text.
7. View the document permissions.
Task 3: Open the rights-protected document as an unauthorized user

1. Log on to LON-CL1 as Adatum\Carol using the password Pa$$w0rd.
2. In the \\lon-svr1\docshare folder, attempt to open the Executives Only document.
3. Verify that Carol does not have permission to open the document.
Task 4: Open and edit the rights-protected document as an authorized user at Trey
Research.
1. Log on to LON-CL1 with the Adatum\Aidan account using the password Pa$$w0rd.
2. Open Microsoft Word 2010.
3. Create a new document named \\LON-SVR1\docshare\TreyResearch-Confidential.docx.
This document is for Trey Research only, it should not be modified.
5. Restrict the permission so that april@treyresearch.net is able to open the document.
6. Log on to MUN-CL1 as TREYRESEARCH\April.
7. Use Windows Explorer to navigate to \\LON-SVR1\docshare. Use the credentials

Adatum\Administrator and Pa$$w0rd to connect.
8. Copy the TreyReserch-Confidential.docx document to the desktop.

9. Attempt to open the document. When prompted enter the following credentials, select Remember
my credentials, and then click OK:
o Username: April
10. Verify that you can open the document, but that you cannot make modifications to this document.
11. View the permissions that the april@treyresearch.com account has for the document.
Results: After completing this exercise, you should have verified that the AD RMS deployment is
successful.

following steps.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-MUN-DC1, 20412A-LON-CL1, and

20412A-MUN-CL1.
Lab Review
Question: What steps can you take to ensure that Information Rights Management can be used
with the AD RMS role?

Question: What are the benefits of having an SSL certificate installed on the AD RMS server when
you are performing AD RMS configuration?
Question: You need to provide access to AD RMSprotected content to five users who are
unaffiliated contractors, and are not members of your organization. Which method should you
use to provide this access?
Question: You want to block users from protecting Office PowerPoint content using AD RMS
templates. What steps should you take to accomplish this goal?
Best Practice
Prior to deploying AD RMS, you must analyze your organizations business requirements and create the
necessary templates. You should meet with users to inform them of AD RMS functionality and also ask for
feedback on the types of templates that they would like to have available.
Strictly control membership of the Super Users group. Users in this group can access all protected content.
Granting a user membership of this group gives them complete access to all AD RMS protected content.
12-1
Module 12
Implementing Active Directory Federation Services
Contents:
Lesson 1: Overview of AD FS 12-2
Lesson 2: Deploying AD FS 12-11
Lesson 3: Implementing AD FS for a Single Organization 12-17
Lesson 4: Deploying AD FS in a B2B Federation Scenario 12-23
Lab: Implementing AD FS 12-28
Module Overview
Active Directory Federation Services (AD FS) in Windows Server 2012 provides flexibility for organizations
who want to enable their users to log on to applications that may be located on the local network, at a
partner company, or in an online service. With AD FS, an organization can manage its own user accounts,
and users only have to remember one set of credentials. However those credentials can be used to
provide access to a variety of applications, which can be located in a variety of places.
This module provides an overview of AD FS, and then details how to configure AD FS in both a single
organization scenario and in a partner organization scenario.
Objectives
Describe AD FS.
Explain how to configure the AD FS prerequisites, and deploy the AD FS services.
Describe how to implement AD FS for a single organization.
Deploy AD FS in a business-to-business federation scenario.

12-2 Implemennting Active Directoryy Federation Servicess
Lesson 1
Overviiew of AD
A FS
AD FS is the Microosoft implemeentation of an identity federaation framewoork that enablees organizationns to
esta
ablish federatio
on trusts and share
s resource
es across organnizational and Active Directoory Domain Se ervices
(AD
D DS) boundaries. AD FS is co ompliant with common web services stand dards, so as to enable
inte
eroperability with
w identity fed deration solutiions provided by other venddors.
AD FS is designed d to address a variety

v of busiiness scenarioss, where the tyypical authentiication mechanisms
usedd in a single organization do
o not work. This lesson proviides an overvieew of the conccepts and stan ndards
thatt are implemen nted in AD FS, and also the business
b scenaarios that can bbe addressed w with AD FS.
Lessson Objectiives
Afte
ou will be able to:
Describe Iden
ntity Federation.
Describe claim
ms-based iden
ntity.
Describe web
b services.
Describe AD FS.
Explain how AD
A FS enables single sign-on
n (SSO) within a single organ
nization.
A FS enables SSO between business part ners.
Explain how AD
A FS enables SSO between on-premises aand cloud-bassed services.

Explain how AD
Wh
hat Is Iden
ntity Federration?
Iden
ntity federation enables the distribution off
ntification, authentication, an
iden nd authorization
acro
oss organizatio onal and platfoorm boundarie es.
Youu can implement identity fed deration within
na
sing
gle organizatioon to enable acccess to diversse
webb applications, or between tw wo organizatioons
thatt have a relatio
onship of trustt between themm.
To establish
e an identity federatiion partnership
p,
both partners agrree to create a federated trust
relationship. This federated trusst is based on an
a
onggoing business relationship, and
a enables th he
orgaanizations to implement bussiness processe es
iden
ntified in the business
b relatio
onship.
Note: A fedderated trust iss not the same as a forest tru

ust that organiizations can co
onfigure
betwween Active Directory
D Doma d trust, the AD FS servers
ain Services (AD DS) forests. In a federated
in tw
wo organizatioons never have e to communiccate directly wwith each otherr. In addition, all
commmunication in n a federation deployment occurs
o over HTTTPS, so you do o not need to open
mulltiple ports on any firewalls to
t enable fede eration.
As a part of the fe
ederated trust, each partner defines what rresources are aaccessible to tthe other
anization, and how access to
orga o the resources is enabled. FFor example, to
o update a sale es forecast, a ssales
re
epresentative may
m need to collect information from a su upplier's databbase that is hossted on the supplier's
ne
etwork. The addministrator off the domain for
f the sales reepresentative is responsible ffor ensuring th hat the
ap
ppropriate sale
es representatives are memb bers of the grooup requiring aaccess to the ssuppliers database.
Th
he administrattor of the orga o ensure that the
anization wherre the databasee is located is responsible to
pa
artners emplo
oyees only havve access to thee data they reqquire.
In ederation soluttion, user identities and thei r associated crredentials are stored, owned
n an identity fe d, and
managed
m by thee organization
n where the usser is located. A As part of the identity federaation trust, eacch
orrganization alsso defines how
w the user iden o restrict access to resources.. Each
ntities are sharred securely to
pa artner must de
efine the servicces that it makkes available too trusted partnners and custoomers, and which
otther organizattions and userss it trusts. Each
h partner mustt also define w what types of credentials and d
re
equests it accepts, and its priivacy policies to
t ensure that private inform mation is not aaccessible acrooss the
trrust.
dentity federattion can also be used within a single organ

Id nization. For exxample, an orgganization may plan
o deploy several web-based applications th
to hat require au thentication. BBy using AD FSS, the organizaation
an implement one authenticcation solution
ca n for all of the applications, m
making it easyy for users in m
multiple
in
nternal domain ns or forests to
o access the ap
pplication. The solution can aalso be extend ded to external
paartners in the future,
f without changing the e application.
What
W Is Cla
aims-Based
d Identity??
Claims-based authentication is designed to
ad
ddress issues by
b extending tyypical authenttication
an
nd authorizatio on mechanism ms outside the
booundaries thatt are associated with that
mechanism.
m Forr example, in most
m organizattions,
when
w users log on to the netwwork, they are
au
uthenticated byb an AD DS domain controller. A
usser who providdes the right credentials to the
t
doomain controller is granted a security tokeen.
Applications tha at are running on servers in the
sa
ame AD DS environment trust the securityy tokens
th
hat are provideed by the AD DSD domain
co
ontrollers, because the serve ers can commu unicate with th
he same doma in controllers where the use
ers are
au
uthenticated.
Th on is that it do es not easily eextend outside

he problem wiith this type off authenticatio e the boundaries of
he AD DS foresst. Although it is possible to implement Keerberos or NTLLM-based trusts between tw
th wo
AD DS forests, client
c compute ers and domain controllers o on both sides o of the trust muust communicaate with
do omain controllers in the other forest to maake decisions aabout authenttication and au uthorization. T
This
coommunication n requires netw
work traffic tha
at is sent on m ultiple ports, sso these ports must be open n on all
firrewalls betwee
en the domain n controllers an
nd other comp puters. The pro oblem become es even more
coomplicated wh hen users havee to access reso
ources that aree hosted in clo oud-based systtems, such as
Windows
W Azur
re or Microso oft Office 365
5.
Claims-based authentication provides a me echanism for seeparating userr authenticatio on and authoriization
from individual applications. With
W claims-ba ased authenticcation, users caan authenticatte to a directo
ory
se
ervice that is lo
ocated within their
t organizattion, and be g ranted a claimm based on thaat authentication. The
claim can then be presented to t an applicatiion that is run ning in a diffeerent organizattion. The appliication
is designed to enable
e ormation or feeatures, based on the claims presented. All
user acccess to the info
coommunication n also occurs over HTTPS.
The claim that is used

u in claims--based authenntication is a sttatement abouut a user that is defined in on
ne
orgaanization or te
echnology, and d trusted in an
nother organizzation or techn nology. The claaim could incluude a
variety of informaation. For exam
mple, the claim
m could define the users e-m mail address, UUser Principal NName
(UPN), and informmation about specific groupss to which the user belongs. This informatiion is collected d
from
m the authentiication mechanism when the e user successffully authenticcates.
The organization that manages the applicatio on defines whaat types of clai ms will be acccepted by the
appplication. For exxample, the ap
pplication mayy require the eemail address o
of the user to vverify the userr
iden
ntity, and it maay then use the group membership that iss presented insside the claim to determine what
leve
el of access thee user should have
h within the
e application.
We
eb Services Overview
w
For claims-based authentication n to work,
orgaanizations havve to agree on the format for
exchhanging claims. Rather than have each business
defiine this formatt, a set of specifications broa
adly
ntified as web services has be
iden een developed d. Any
orgaanization interrested in impleementing a
erated identityy solution can use this set of
fede
speccifications.
Web b services are a set of specifiications that are

usedd for building connected applications and
servvices, whose fu
unctionality and interfaces arre
exposed to potential users through web
techhnology standards such as Exxtensible Mark kup Languagee (XML), SOAP, Web Servicess Description
Language (WSDL)), and HTTP(S). The goal for creating web aapplications using web serviices is to simplify
inte
eroperability fo
or applicationss across multip ple developme nt platforms, ttechnologies, aand networks.
To enhance
e intero eb services are defined by a sset of industryy standards. W
operability, we Web services are
e
base
ed on the follo
owing standard ds:
Most web serrvices use XMLL to transmit data through H HTTP(S). With X
XML, develope ers can create ttheir
own customizzed tags, there
eby facilitating
g the definition
n, transmission
n, validation, and interpretattion of
data between
n applications and between organizations.
o .
Web services expose usefull functionality to web users tthrough a stan ndard web pro otocol. In mostt
cases, the prootocol used is SOAP,
S which iss the commun
nications proto ocol for XML w web services. SO
OAP
is a specification that definees the XML forrmat for messaages, and esseentially describ
bes what a validd
XML docume ent looks like.
Web services provide a wayy to describe their interfacess in enough deetail to enable a user to build
da
client application to communicate with thhe service. Thi s description is usually provided in an XML
document called a WSDL document. In other
o words, a WSDL file is an n XML document that descrribes a
set of SOAP messages,
m and how the messsages are exch hanged.
Web services are registeredd so that poten ne with Universal

ntial users can find them eassily. This is don
Discovery Description and Integration
I (UDDI). A UDDI directory entryy is an XML file that describe es a
business and the services it offers.
WS
S-* Security Specificatio
ons
There are many co omponents inccluded in web b services speciifications (also
o known as W
WS-* specifications).
How
wever, the mosst relevant spe ecifications for an AD FS envvironment are tthe WS-Securiity specificatioons.
The specificationss that are part of the WS-Seccurity specificaations include the following:
WS-Security - SOAP Messsage Security and

a X.509 Cerrtificate Token Profile: WS-Se ecurity describ
bes
enhanceme ents to SOAP messaging
m that provide quallity of protecti on through m message integriity,
message coonfidentiality, and
a single message authenttication. WS-Seecurity also pro ovides a general-
purposeyyet extensible mechanism for
f associating g security tokeens with messaages and a mecchanism
to encode binary
b securityy tokensspeccifically X.509 ccertificates and Kerberos ticketsin SOAP P
messages.
WS-Trust: WS-Trust
W nes extensions that build on WS-Security t o request and issue security tokens
defin
and to mannage trust relattionships.
WS-Federation: WS-Fede eration definess mechanisms tthat WS-Securrity can use to enable attribu
ute-
based identtity, authentica
ation, and authorization fed eration acrosss different trust realms.
WS-Federation Passive Re equestor Profile: This WS-Seecurity extensio on describes hhow passive clients
such as webb browsers cann be authenticcated and auth horized, and ho ow the clients can submit claaims in
a federation scenario. Passsive requestors of this profi le are limited to the HTTP oor HTTPS protoocol.
WS-Federation Active Requestor Profile e: This WS-Seccurity extension describes ho

ow active clien
nts, such
as SOAP-ba
ased mobile de evice applicatiions, can be au
uthenticated aand authorized
d, and how thee clients
can submit claims in a fed
deration scenaario.
Security Asse
ertion Mark
kup Languag
ge
Thhe Security Asssertion Markup Language (S SAML) is an XM ML-based standard for exchaanging claims
beetween an identity provider and a service or application n provider. SAM ML assumes th hat a user has b
been
au
uthenticated byb an identity provider,
p and that
t the identiity provider haas populated tthe appropriate claim
in
nformation in the
t security token. When the e user is autheenticated, the IIdentity Provid
der passes a SA
AML
asssertion to the
e service provid
der. On the basis of this asseertion, the servvice provider can make
au
uthorization an nd personalizaation decisionss within an app plication. The communicatio on between fed deration
se
ervers is based around an XM ML document that stores thee X.509 certificcate for token--signing, and tthe
SA
AML 1.1 or 2.0 0 token.
What
W Is AD
D FS?
(A
AD FS is the Microsoft implemmentation of ana
id
dentity federation solution th
hat uses claimss-based
au
uthentication. AD FS provide es the mechan nisms to
im
mplement both h the identity provider
p and the
t
se
ervice providerr components in an identity
ederation deployment.
fe
AD FS provides the following features:
Enterprise claims
c provideer for claims-ba
ased
applications: You can con nfigure an AD FS
server as a claims provideer, which mean ns that
it can issue claims about authenticated users.
This enablees an organizattion to providee its
users with access
a to claim
ms-aware appliications in ano
other organizattion by using SSO.
Federation Service for ide

entity federatio
on across dommains: This servvice offers fede
erated web SSO
across dom
mains, thereby enhancing
e seccurity and redu
uces overheadd for IT adminisstrators.
Note: The
e Windows Serrver 2012 verrsion of AD FS is built on AD D FS version 2.0
0, which is
th
he second generation of AD FS released byy Microsoft. Th
he first version
n, AD FS 1.0, re
equired
12-6 Implementing Active Directory Federation Services
AD FS web agents to be installed on all web servers that were using AD FS, and provided both
claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or
SAML.
AD FS Features
The following are some of the key features of AD FS:
Web SSO: Many organizations have deployed AD DS. After authenticating to AD DS through
Integrated Windows authentication, users can access all other resources that they have permission to
access within the AD DS forest boundaries. AD FS extends this capability to intranet or Internet-facing
applications, enabling customers, partners, and suppliers to have a similar, streamlined user
experience when they access an organizations web-based applications.
Web services interoperability: AD FS is compatible with the web services specifications. AD FS employs
the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for
environments that do not use the Windows identity model to federate with Windows environments.
Passive and smart client support: Because AD FS is based on the WS-* architecture, it supports
federated communications between any WSenabled endpoints, including communications between
servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for
SOAPbased smart clients, such as servers, mobile phones, personal digital assistants (PDAs), and
desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and WS-
Federation Active Requestor Profile standards for client support.
Extensible architecture: AD FS provides an extensible architecture that supports various security token
types, including SAML and Kerberos authentication, and the ability to perform custom claims
transformations. For example, AD FS can convert from one token type to another, or add custom
business logic as a variable in an access request. Organizations can use this extensibility to modify
AD FS to coexist with their current security infrastructure and business policies.
Enhanced security: AD FS also increases the security of federated solutions by delegating

responsibility of account management to the organization closest to the user. Each individual
organization in a federation continues to manage its own identities, and is capable of securely sharing
and accepting identities and credentials from other members sources.
Additional Reading: For information on the different identity federation products that can
interoperate with AD FS, and for stepby-step guides on how to configure the products, see the
AD FS 2.0 Step-by-Step and How To Guides, located at http://technet.microsoft.com/en-
us/library/adfs2-step-by-step-guides%28v=ws.10%29.aspx.
New Features in Windows Server 2012 AD FS

The version of AD FS that is shipping with Windows Server 2012 includes several new features:
Integration with the Windows Server 2012 operating system. In Windows Server 2012, AD FS is
included as a server role that you can install using Server Manager. When you install the server role,
all required operating system components are installed automatically.
Integration with Dynamic Access Control (DAC). When you deploy DAC, you can configure user and
device claims that are issued by AD DS domain controllers. AD FS can consume the AD DS claims that
the domain controllers issue. This means that AD FS can make authorization decisions based on both
user accounts and computer accounts.
Windows PowerShell cmdlets for administering AD FS. Windows Server 2012 provides several new
cmdlets that you can use to install and configure the AD FS server role.
How
H AD FS
S Enables SSO
S in a Single Orgaanization
Fo
or many organ nizations, configuring accesss to
ap
pplications andd services mayy not require an
AD FS deployment. If all userss are memberss of the
sa
ame AD DS forrest, and if all applications
a arre
ru
unning on servvers that are members
m of the
e same
fo
orest, you can usually just use AD DS
au
uthentication to
t provide acccess to the
ap
pplication. Howwever, there are several scennarios
where
w you can use AD FS to optimize
o the user
exxperience by enabling
e SSO:
The applica
ations may nott be running on
o
Windows se ervers or on an
ny servers thatt
support ADD DS authentication, or on Windows
W Serve r servers that aare not domainjoined. The
applications may require SAML or web services for au
uthentication and authorization.
Large organnizations frequ ns and forests that may be th

uently have multiple domain he results of m
mergers
t security requirements. Useers in multiplee forests mightt require accesss to the
and acquisiitions, or due to
same appliccations.
Users from outside the offfice might req

quire access to
o applications tthat are runnin
ng on internal servers.
The externaal users may be logging on to
t the applicattions from commputers that are not part of the
internal domain.
Note: Imp plementing AD D FS does not necessarily meean that users are not prompted for
au
uthentication when
w they acccess applications. Depending g on the scenaario, users mayy be
prompted for th heir credentials. However, ussers always autthenticate usinng their intern
nal credentials
in
n the trusted acccount domain, and they ne ever need to reemember alterrnate credentiaals for the
ap
pplication. In addition,
a the in
nternal credenntials are neverr presented to the applicatio
on or to the
paartner AD FS server.
s
Organizations
O can
c use AD FS to enable SSO O in these scen arios. Becausee all users and the applicatio
on are in
th
he same AD DS S forest, the orrganization on nly has to depl oy a single fed
deration server. This server ccan
opperate as the claims
c provide er so that it autthenticates useer requests an d issues the claims. The sam
me server
is also the relyin
ng party, or the consumer off the claims to o provide autho orization for application acccess.
Note: The e slide and thee following desscription use t he terms fede ration server aand
fe
ederation service proxy to de escribe AD FS server roles. Th he federation sserver is respo
onsible for
issuing claims, and
a in this scen nario, is also re
esponsible for consuming thhe claims. The Federation
Seervice Proxy is a proxy comp ponent that is recommended
r d for deploymeents where use ers outside
th
he network nee he AD FS envirronment. Thesse componentss are covered in more
ed access to th
deetail in the nexxt lesson.
Th
he following stteps describe the
t communiccation flow in tthis scenario.
1.. The client computer,

c whicch is located outside
o the nettwork, must acccess a web-baased applicatio
on on
the web serrver. The clientt computer sends an HTTPS request to thee web server.
2.. The web se

erver receives the
t request, an nd identifies th
hat the client ccomputer doess not have a cllaim.
The web se
erver redirects the client com
mputer to the FFederation Serrvice Proxy.
3. The client com

mputer sends an HTTPS requ uest to the Fed
deration Servicce Proxy. Depe
ending on the
scenario, the Federation Service Proxy ma ay prompt thee user for auth entication, or use Integrated
d
Windows authentication to o collect the usser credentials..
4. The Federatio
on Service Proxxy passes on th d the credentials to the fede
he request and eration server.
5. The federatio
on server uses AD
A DS to auth
henticate the u
user.
6. If authenticattion is successfful, the federattion server col lects AD DS in
nformation abo
out the user, w
which
is then used to
t generate the users claimss.
7. If the authenttication is succcessful, the autthentication in

nformation and
d other inform
mation is colleccted in
a security tok
ken and passed d back to the client
c computeer, through thee Federation SService Proxy.
8. The client the

en presents the
e token to the web server. T he web resourrce receives th he request, valiidates
the signed tookens, and usess the claims in the users tokken to provide access to the application.
Ho
ow AD FS Enables
E SS
SO in a Bussiness-to-B
Business Fe
ederation
Onee of the most common
c scena
arios for deplo
oying
AD FS is to providde SSO in a business-to-business
(B2B
B) federation. In the scenarioo, the organizaation
thatt requires acce
ess to another organizationss
app
plication or servvice can mana age their own user
acco
ounts and defiine their own authentication
a n
mecchanisms. The other organization can define
whaat applications and services are
a exposed to o
userrs outside the organization, and what claim ms it
acceepts to providee access to the
e application. To
T
enable applicationn or service sharing in this
scen
nario, the orgaanizations havee to establish a
fede a then define the rules forr exchange cla ims between tthe two organizations.
eration trust, and
The slide for this topic

t demonsttrates the flow
w of traffic in a federated B2B
B scenario usinng a claims-awware
web
b application. In this scenario
o, users at Treyy Research havve to access a w
web-based ap pplication at A..
Datum Corporatio on. The AD FS authentication n process for this scenario is as follows:
1. A user at Treyy Research use
es a web browsser to establish
h an HTTPS co he web server at A.
onnection to th
Datum Corpo oration.
2. The web application receivees the request and verifies th

hat the user dooes not have a valid token sstored
in a cookie byy the web brow
wser. Because the user is nott authenticateed, the web application redirrects
t federation server at A. Datum (by usin g an HTTP 302
the client to the 2 redirect messsage).
3. The client com

mputer sends an HTTPS requuest to the A. Datum Corporations federaation server. Th he
federation server determine ealm for the u ser. In this casse, the home re
es the home re ealm is Trey
Research.
4. The client com

mputer is redirrected again to
o the federatio
on server in th
he users home
e realm, Trey
Research.
5. The client com

mputer sends an HTTPS requ
uest to the Treey Research fed
deration serve
er.
6. If the user is already

a logged
d on to the do
omain, the fedeeration server can take the u
users Kerbeross
ticket and req quest authentication from AD DS on the uusers behalf, using Integrate
ed Windows
authentication. If the user is not logged onto
o their dom
main, the user is prompted fo or credentials.
7.. The AD DS domain contrroller authenticcates the user,, and sends thee success messsage back to the
federation server, along with
w other info
ormation abou ut the user thatt can be used to generate thhe users
claims.
8.. The federattion server creates the claim for the user b
based on the ru ules defined fo
or the federation
partner. The claims data is
i placed in a digitally-signe
d d security tokeen, and then sent to the clie
ent
computer, which
w posts it back to A. Dattum Corporatiions federatioon server.
9.. A. Datum Corporations

C federation
f hat the securit y token came from a trusted
servver validates th d
federation partner.
10
0. A. Datum Corporations
C federation
f d signs a new ttoken, which it sends to the client
servver creates and
computer, which
w then sennds the token back to the orriginal URL req
quested.
11
1. The applicaation on the web server rece eives the requeest and validat es the signed tokens. The web
server issue
es the client a session
s e indicating thaat it has been successfully au
cookie uthenticated, aand a
file-based persistent
p cook kie is issued byy the federatio
on server (good d for 30 days b
by default) to
eliminate th
he home realm m discovery ste ep during the cookie lifetimee. The server then provides aaccess
to the application, based on the claims provided by tthe user.
How
H AD FS
S Enables SSO
S with Online
O Servvices
As organization ns move service es and applica
ations to
cloud-based serrvices, it is incrreasingly impo
ortant
th
hat these organizations have e some way to
simplify the autthentication an nd authorizatio
on
exxperience for their
t users as they
t consume the
cloud-based serrvices. Cloud-b based services add
an
nother level off complexity to o the IT enviro
onment,
ass they are located outside th he direct
ad
dministrative control
c of the IT administrato ors, and
may
m be running g on many diffferent platform ms.
Yoou can use AD D FS to providee an SSO experrience

to
o users across the
t various clooud-based plattforms
avvailable. For exxample, once users
u are authe
enticated with
h AD DS credenntials, they cou
uld then accesss
Microsoft
M Onlin
ne Services, succh as hosted Microsoft
M Exchaange Online o r SharePoint Online, by usiing

th
hose domain credentials.
AD FS can also provide SSO to o non-Microsooft cloud prov iders. Becausee AD FS is base
ed on open staandards,
it can interoperate with any compliant claim
ms-based systeem.
Thhe process for accessing a cloud-based ap pplication is qu

uite similar to tthe B2B scenario. One example of a
cloud-based serrvice that usess AD FS for autthentication is a hybrid Exchhange Online d deployment. Inn this
tyype of deploym
ment, an organ nization deploys some or all of their mailb boxes in an Offfice 365 and Exxchange
Online
O ment. However, the organiza
environm ation managess all of their usser accounts in
n their on-prem
mises
AD DS environm ment. The deployment uses the t Microsoft Online Servicees Directory Syynchronization n Tool to
syynchronize use
er account infoormation from the on-premiises deploymeent to the Exch hange Online
deeployment.
When
W users try to log on to th
heir Exchange Online mailbo ox, the user m ust be authenticated using ttheir
nternal AD DS credentials. If users try to log
in g on directly tto the Exchangge Online environment, theyy are
re
edirected backk to the internaal AD FS deplooyment to auth henticate befo
ore they are givven access.
The following steps describe what happens when a user tries to access their online mailbox using a web
browser:
1. The user opens a web browser and sends an HTTPS request to the Exchange Online Microsoft
Outlook Web App server.
2. The Outlook Web App server receives the request and verifies whether the user is part of a hybrid
Exchange Server deployment. If this is the case, the server redirects the client computer to the
Microsoft Online Services federation server.
3. The client computer sends an HTTPS request to the Microsoft Online Services federation server.
4. The client computer is redirected again to the on-premises federation server.
5. The client computer sends an HTTPS request to the on-premises federation server.
6. If the client computer is already logged on to the domain, the on-premises federation server can take
the users Kerberos ticket and request authentication from AD DS on the users behalf, using
Integrated Windows authentication. If the user is logging on from outside the network or from a
computer that is not a member of the internal domain, the user is prompted for credentials.
7. The AD DS domain controller authenticates the user, and sends the success message back to the
federation server, along with other information about the user that the federation server can use to
generate the users claims.
8. The federation server creates the claim for the user based on the rules defined during the AD FS
server setup. The claims data is placed in a digitally-signed security token, and then sent to the client
computer, which posts it back to the Microsoft Online Services federation server.
9. The Microsoft Online Services federation server validates that the security token came from a trusted
federation partner. This trust is configured when you configure the hybrid Exchange Server
environment.
10. The Microsoft Online Services federation server creates and signs a new token, which it sends to the
client computer, which then sends the token back to the Outlook Web App server.
11. The Outlook Web App server receives the request and validates the signed tokens. The server issues
the client a session cookie indicating that it has authenticated successfully. The user is then granted
access to their Exchange Server mailbox.
Lesson
n2
Deplo
oying AD
A FS
After you underrstand how AD D FS works, the e next step is d
deploying the service. Beforee deploying AD FS,
yo
ou must underrstand the com mponents that you will need to deploy, an nd the prerequ uisites that you
u must
meet,
m particularrly in regard to
o certificates. This
T lesson pro ovides an overvview of deployying the AD FSS server
ro
ole in Windows Server 2012.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
he componentss that you can include in an AD FS deployyment.

Describe th
List the pre a AD FS deployment.

erequisites for an
Describe th
he Public Key Infrastructure (PKI)
( and certifficate requirem
ments for the A
AD FS deploym
ment.
Describe th
he AD FS federration server ro
oles.
Install the AD
A FS server ro
ole.
AD
A FS Com
mponents
AD FS is installe
ed as a server role
r in Window
ws
Se
erver 2012. Ho owever, there are
a many diffeerent
co
omponents tha a configure in an
at you install and
AD FS deployment.
Th
he following ta A FS components.
able lists the AD
Component
C Wha
at does it do?
Federation se
erver Thee federation seerver issues, m anages, and vvalidates reque
ests involving
identity claims. All
A implementaations of AD FSS require at leaast one Federaation
Serrvice for each participating
p fo
orest.
Federation se
erver Thee federation se
erver proxy is aan optional co
omponent thatt you usually d deploy
proxy in a perimeter neetwork. It doess not add any ffunctionality to
o the AD FS
depployment, but is deployed ju ust to provide a layer of secu
urity for conne
ections
from the Internett to the federaation server.
Claims A claim
c is a statement that is m
made by a trustted entity abo out an object such as
a user. The claim could includee the users namme, job title, o
or any other factor
tha
at might be use ed in an autheentication scen
nario. With Win ndows Server 2012,
the
e object can alsso be a devicee used in a DAC C deploymentt.
Claim rules Claim rules deterrmine how claiims are processsed by the fed deration servers. For
exaample, a claim rule may statee that an emaiil address is acccepted as a vaalid
claiim, or that a group name fro om one organization is transslated into an
appplication-speciific role in the other organizzation. The rule
es are usually
12-12 Implementing Active Directoory Federation Services
Co
omponent What does it do?
proce
essed in real time as claims aare made.
Attribute store AD FS S uses an attrib

bute store to l ook up claim vvalues. AD DS is a common
attrib
bute store and is available byy default if AD
D FS is installed
d on a domain--
joinedd server.
Claims providerrs The claims

c provider is the server that issues claims and authe enticates users. A
claim
ms provider enaables one side of the AD FS aauthentication n and
authoorization proce
ess. The claimss provider man nages the userr authenticatio
on,
and then
t issues the
e claims that th
he user presen nts to a relying party.
Re
elying parties The relying party iss where the ap
pplication is loccated, and it enables the seccond
side of
o the AD FS authentication and authorizaation process. T The relying paarty
is a web
w service tha at consumes cllaims from thee claims provid der. The relying
g
partyy server must have
h the Micro
osoft Windowss Identity Foun ndation installe
ed,
or usee the AD FS 1.0 claims-awarre agent.
Claims providerr Confiiguration data that defines rrules under wh hich a client may request claims
trrust from a claims proviider and subseequently subm mit them to a re
elying party. T
The
trust consists of varrious identifierrs such as nam
mes, groups andd various ruless.
Re
elying party trust The AD
A FS configurration data thaat is used to prrovide claims aabout a user o or
clientt to a relying party.
p It consistts of various id
dentifiers, such
h as names,
group ps, and variouss rules.
Certificates AD FSS uses digital certificates

c wh en communicaating over SSLL or as part of tthe
token
n issuing proce ess, the token receiving proccess, and the m metadata
publishing process.. Digital certificcates are also used for token
n signing.
En
ndpoints Endpoints are mech hanisms that eenable access tto the AD FS technologies
ding token issu
includ uance and meetadata publish hing. AD FS co
omes with builtt-in
endpoints that are responsible fo
or a specific functionality.
Note: Manyy of these com

mponents are described
d in m ore detail thro
oughout the re
emainder
of this module.
AD
D FS Prereq
quisites
Befo
ore deploying AD FS, you must ensure tha at
your internal netwwork meets som me basic
prerrequisites. The
e configuration n of the following
netw
work services isi critical for a successful AD FS
dep
ployment:
Network conn nectivity: The following

f netw
work
connectivity is required:
o The clien
nt computer must be able to
communicate with the web application,
the resou
urce federationn server or
federatio
on server proxyy, and the acco
ount
federatio
on server or fed
deration proxyy
using HTTTPS.
o The federation server proxies must be able to communicate with the federation servers in the
same organization using HTTPS
o Federation servers and internal client computers must be able to communicate with domain
controllers for authentication.
AD DS: AD DS is a critical piece of AD FS. Domain controllers should be running Windows Server 2003
Service Pack 1 (SP1) as a minimum. Federation servers must be joined to an AD DS domain. The
Federation Service proxy does not have to be domain-joined. Although you can install AD FS on a
domain controller, it is not recommended due to security implications.
Attribute stores: AD FS uses an attribute store to build claim information. The attribute store contains
information about users, which is extracted from the store by the AD FS server after the user has been
authenticated. AD FS supports the following attribute stores:
o Active Directory Application Mode (ADAM) in Windows Server 2003
o Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows
Server 2008 R2, and Windows Server 2012
o Microsoft SQL Server 2005 (all editions)
o Microsoft SQL Server 2008 (all editions)
o A custom attribute store
Note: AD DS can be used both as the authentication provider and as an attribute store.
AD FS can also use AD LDS as an attribute store. In AD FS 1.x, AD LDS can be used as an
authentication store, but in the current version of AD FS, AD LDS can only be used as an attribute
store.
DNS: Name resolution allows clients to find federation servers. The client computers must resolve the
DNS names for all federation servers to which they connect, and the web applications that the client
computer is trying to use. If the client computer is external to the network, the client computer must
resolve the DNS name for the Federation Service Proxy, not the internal federation server. The
Federation Service Proxy must resolve the name of the internal federation server. If internal users
have to access the internal federation server directly, and external users have to connect through the
federation server proxy, you will need to configure different DNS records in the internal and external
DNS zones.
Operating system prerequisites: You can only deploy the Windows Server 2012 version of AD FS as a
server role on a Windows Server 2012 server.
PK
KI and Certtificate Req
quirementts
AD FS is designed d to enable com mputers to
com
mmunicate securely, even tho ough they mayy be
locaated in differen n this scenario, most
nt locations. In
of the communica ations between n computers passes
p
thro
ough the Internet. To provide security for the t
netwwork traffic, all communicatiions are proteccted
usin
ng Secure Sock kets Layer (SSLL). This factor means
m
thatt it is importan
nt to correctly choose and asssign
SSL certificates to the AD FS serrvers. To provid de
SSL security, AD FSF servers use certificates
c as
servvice communiccation certifica ates, token-signing
certtificates, and to
oken-decryptin ng certificates.
Serrvice Comm
munication Certificates
C
You
u use a service communicatio on certificate to
t secure SSL ccommunications to the webssites running o on the
AD FS server. Thiss certificate is bound
b to the default
d websitee on the AD FSS server. You ccan choose wh hich
certtificate to use when
w you configure the AD FS server role on the server,, and can chan nge the assigned
eployment by using the AD FS console. Th
certtificate after de his certificate iss also called a server
authhentication certificate.
Tok
ken-Signing
g Certificate
es
The token-signing g certificate is used to sign every
e token thaat a federation n server issues.. This certificatte is
critical in an AD FS deploymentt because the token t signaturre indicates wh hich federation n server issued d the
tokeen. This certificcate is used byy the claims prrovider to iden
ntify itself, and it is used by tthe relying parrty to
verify that the tokken is coming from a trusted d federation paartner.
The relying party also requires a token-signing certificate too sign the tokeens that it prep
pares for other
AD FS components, such as web b applications and clients. Th
hese tokens mmust be signed by the relying g
parttys token-sign
ning certificate ed by the desttination applications.
e to be validate
Whe en you configu ure a federatio

on server, the server
s assigns a self-signed ccertificate as the token-signing
certtificate. Becausse no other parties trust the self-signed ceertificate, you m
might choose to replace the e self-
ned certificate with a trusted certificate. Ass an alternativee, you can con
sign nfigure all fedeeration servers in
parttner organizations to trust thhe self-signed certificate. Yo
ou can have mu ultiple token-ssigning certificcates
configured on the e federation seerver, but only the primary ccertificate is us ed to sign tokkens.
Tok
ken-Decryp
pting Certificcates
Tokken-decrypting g certificates arre used to encrypt the entiree user token before transmittting the token n
acrooss the networrk. To provide this functionality, the publicc key from the relying party federation serrver
certtificate must be provided to the claims pro ovider federatiion server. Thee certificate is ssent without the
privvate key. The claims providerr server uses th he public key ffrom the certifficate to encryypt the user tokken.
Whe en the token is returned to the
t relying parrty federation server, it uses the private ke ey from the
certtificate to decrrypt the token.. This providess an extra layerr of security w
when transmittiing the certificcates
acrooss the Interneet.
Wheen you configu ure a federatio

on server, the server
s assigns a self-signed ccertificate as the token-
decrypting certificcate. Because no
n other partie es have to trusst this certificaate, it is possible to continue
e to
use this certificate
e without repla
acing it with a trusted certificcate.
Note: Federration server proxies

p only require a servicee communicatiion certificate.. The
certtificate is used to enable SSL communicatio nt connections . Because the federation
on for all clien
se
erver proxy do oes not issue an
ny tokens, it does not need tthe other two types of certifficates. Web
se
ervers that are deployed as part
p of an AD FS F deploymen be configured with SSL
nt should also b
se
erver certificate
es to enable se
ecure commun nications with client computters.
Choosing
C a Certification
C n Authority
AD FS federatio
on servers can use self-signed d certificates, ccertificates fro
om an internal,, private Certiffication
Authority (CA), or certificates that have bee
en purchased ffrom an extern nal, public CA.
In
n most AD FS deployments,
d the
t most impo when choosing the certificate
ortant factor w es is that the
ce
ertificates be trusted by all parties
p d. This means that if you aree configuring aan AD FS deplo
involved oyment
th w other organizations, you are almost ceertainly going tto use a publicc CA for the SSSL
hat interacts with
ce
ertificate on fe
ederation serveer proxy, becauuse the certificcates issued byy the public CA
A are trusted bby all
paartners automatically.
If you are deplooying AD FS just for your org ganization, and d all servers an
nd client compputers are under your
coontrol, conside
er using a certiificate from an n internal, privaate CA. If you deploy an inteernal Enterprisse CA on
Windows
W Server 2012, you can use Group PolicyP to ensurre that all com puters in the o
organization
auutomatically trrust the certificcates issued byy the internal C
CA. Using an i nternal CA can n significantly
deecrease the coost of the certifficates.
Note: Deploying an inte ernal CA using g Active Directtory Certificatee Services (AD CS) is a
sttraightforward process, but it is critical that the deploym
ment be planneed and implem mented
caarefully.
Federation Server Ro
oles
When
W you insta
all the AD FS server
s role, you
u can
co
onfigure the seerver as either a federation server
s
erver proxy. Affter installing the
orr federation se
fe
ederation serveer role, you can configure th he
erver as either a Claims Provider, a Relying
se g Party,
orr both. These server
s function
ns are as followws:
Claims provvider: A claimss provider is a

federation server that proovides to userss signed
tokens thatt contain claim
ms. Claims provvider
federation servers are deployed in
organizatioons where userr accounts are
located. Wh hen a user requests a token, the
claims provvider federation server verifiees the user autthentication using AD DS, an nd then colleccts
informationn from an attriibute store, succh as AD DS oor AD LDS, to p populate the u
user claim with h the
attributes required by thee partner orga anization. The sserver issues to
okens in SAMLL format. The cclaims
provider federation serve er also protectss the contents of security tokens in transitt, by signing annd
optionally encrypting
e the
em.
Relying Parrty: A relying party

p is a federration server th
hat receives seecurity tokens ffrom a trusted
d claims
provider. Th
he relying partty federation servers
s are depployed in orgaanizations thatt provide application
access to claims provider organizationss. The relying p party accepts aand validates tthe claim, and then
issues new security token ns that the web b server can usse to provide aappropriate acccess to the
application.
Note: A single AD FS server can operate as both a claims provider and a relying party, even
with the same partner organizations. The AD FS server functions as a claims provider when it is
authenticating users and providing tokens for another organization, but it can also accept tokens
from the same or another organization in a relying party role.
Federation Server Proxy: A federation server proxy provides an extra level of security for AD FS traffic
that is coming from the Internet to the internal AD FS federation servers. Federation server proxies
can be deployed in both the claims provider and relying party organizations. On the claims provider
side, the proxy collects the authentication information from client computers and passes it to the
claims provider federation server for processing. The federation server issues a security token to the
proxy, which sends it to the relying party proxy. The relying party federation server proxy accepts
these tokens, and then passes them on to the internal federation server. The relying party federation
server then issues a security token for the web application, and then sends the token to the federation
server proxy, which then forwards the token to the client. The federation server proxy does not
provide any tokens or create claims; it only forwards requests from clients to internal AD FS servers.
All communication between the federation server proxy and the federation server uses HTTPS.
Note: A federation server proxy cannot be configured as a claims provider or a relying

party. The claims provider and relying party must be members of an AD DS domain. The
federation server proxy can be configured as a member of a workgroup, or as a member of an
extranet forest, and deployed in a perimeter network.
Demonstration: Installing the AD FS Server Role

In this demonstration, you will see how to install and complete the initial configuration of the AD FS
server role in Windows Server 2012. The instructor will install the server role, and then run the AD FS
Federation Server Configuration Wizard to configure the server as a standalone federation server.
Demonstration Steps
Install the AD FS Server Role

On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.
Configure the AD FS Server Role

1. Run the AD FS Federation Server Configuration Wizard using the following parameters:
o Create a new federation service
o Create a stand-alone deployment
o Use the LON-DC1.Adatum certificate.
o Choose the service name LON-DC1.Adatum.com
2. Open Internet Explorer and connect to

https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
Lesson
n3
Imple
ementin
ng AD FS
F for a Single O
Organizzation
Thhe simplest de
eployment scen nario for AD FS is within a si ngle organization. In this scenario, a single AD FS
erver can operate both as the claims provider and as thee relying partyy. All users in th
se his scenario are
in
nternal to the organization,
o as
a is the appliccation that thee users are acceessing.
Th n the components that are rrequired to co nfigure AD FS in a single

his lesson provvides details on
orrganization de
eployment of AD A FS. These components
c in
nclude configuuring claims, claim rules, claim
ms
provider trusts, and relying paarty trusts.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
Describe AD
D FS claims.
Describe AD
D FS claim rule
es.
aims provider trusts.

Describe cla
Describe re
elying party tru
usts.
Configure claims
c provide
er and relying party
p trusts.
What
W Are AD
A FS Claim
ms?
AD FS claims prrovide the link between the claims
c
provider and re elying party rolles in an AD FSS
de eployment. An n AD FS claim is a statement made
abbout a particular subject (succh as a user) by
b a
trrusted entity (ssuch as a claim
ms provider). Thhe
claims provider creates the cla aims and the relying
r
pa arty consumess the claims. AD FS claims prrovide a
sttandards-based d and flexible way for claimss
provider organiizations to pro ovide specific
in
nformation abo out users in their organizatio
ons, and
a way for relying parties to de efine exactly what
w
in
nformation the ey require to provide applica ation
acccess. The claimm information n provides the details requireed by applicatiions to enable
e access to claims-
awware applicatio ons.
Claim
C Types
ach AD FS claim has a claim type, such as email
Ea e address,, UPN, or last n name. Users caan be issued claims
ased on any defined claim tyype. Therefore
ba e, a user mightt be issued a c laim with a typpe of Last Namme and
a value of, for example,
e Webe
er. AD FS proviides several bu
uilt-in claim tyypes. Optionallly, you can cre
eate new
on
nes based on thet organizatio
on requiremen nts.
Note: In AD
A FS 1.0, you could configu
ure claims as id
dentity claims,, group claims, or custom
claims. These claim types do not
n apply to AD
A FS 2.0 or latter. Essentially,, all claims are
e now
co
onsidered custtom claims.
Ea ely identifies the

ach AD FS claim type is identified by a Uniiform Resourcee Identifier (U RI) that unique
claim type. This information iss provided as part of the AD
D FS server mettadata. For exaample, if the cclaims
provider organization and the relying party organization decide to use a claim type of AccountNumber,
both organizations must configure a claim type with this name. The claim type is published and the claim
type URI must be identical on both AD FS servers.
How Claim Values are Populated

The claims issued by a claims provider contain the information that is required by the relying party to
enable appropriate application access. One of the first steps in planning an AD FS deployment is to define
exactly what information the applications must have about each user, to provide that user access to the
application. Once this information is defined, the claims are then defined on the claims provider
federation server. The information required to populate the claim can be obtained in several ways:
The claim can be retrieved from an attribute store. Frequently, the information required for the claim
is already stored in an attribute store that is available to the federation server. For example, an
organization might decide that the claim should include the users UPN, email address, and specific
group memberships. This information is already stored in AD DS, so the federation server can just
retrieve this information from AD DS when creating the claim. Because AD FS can use AD DS, AD LDS,
SQL Server, a non-Microsoft Lightweight Directory Access Protocol (LDAP) directory, or a custom
attribute store to populate claims, you can define almost any value within the claim.
The claim can be calculated based on collected information. Claims provider federation servers can
also calculate information based on information that is gathered from an attribute store. For example,
you may want to provide information about a persons salary within a claim. This information is likely
stored in a Human Resources database, but the actual value may be considered confidential. You can
define a claim that categorizes salaries within an organization, and then have the AD FS server
calculate to which category a specific user belongs. In this way, the claim only includes the salary
category information, not the actual user salary.
The claim can be transformed from one value to another. In some cases, the information that is
stored in an attribute store does not exactly match the information required by the application when
making authorization information. For example, the application may have different user roles defined
that do not directly match the attributes that are stored in any attribute store. However, the
application role may correlate to AD DS group membership. For example, users in the Sales group
may correlate to one application role, while users in the Sales Management group may correlate to a
different application role. To establish the correlation in AD FS, you can configure a claims
transformation that takes the value provided by the claims provider and translates the value into to a
claim that is useful to the application in the relying party.
If you have deployed DAC, a DAC device claim can be transformed into an AD FS claim. This can be
used to ensure that users can access AD FS Web site only from trusted workstations that have been
issued a valid device claim.
What
W Are AD
A FS Claim
m Rules?
Claim rules define how claimss are sent and
co
onsumed by AD A FS servers. Claim
C rules deffine the
buusiness logic that is applied to claims that are
provided by claims providers,, and to claimss that
arre accepted byy the relying parties. You cann use
claim rules to:
Define whicch incoming claims are accepted

o more claims providers.
from one or
Define whicch outbound claims

c are provvided to
one or morre relying partiies.
Apply authorization ruless to enable acccess to a

specific relyying party for one
o or more users
u or groupss of users.
Yo
ou can define two types of claim
c rules:
Claim rules for a claims provider

p trust. A claims provi der trust is thee AD FS trust rrelationship that is
configured between an AD A FS server an ovider. You caan configure claim rules to define
nd a claims pro
how the cla
aims provider processes and issues claims.
Claim rules for a relying party

p trust. A relying
r party trrust is the AD FS trust relatio
onship that is
configured between an AD A FS server an nd a relying paarty. You can cconfigure claim m rules that deefine
how the rellying party acccepts claims froom the claimss provider.
Claim rules on an
a AD FS claimms provider aree all considere d acceptance transform rule es. These rules
de
etermine whatt claim types are
a accepted frrom the claimss provider, and d then sent to a relying partyy trust.
When
W configuring AD FS withhin a single org
ganization, theere is a defaultt claims provid
der trust that iss
co
onfigured with
h the local AD DS domain. Th his rule set deffines the claim
ms that are acceepted from AD D DS.
here are three types of claim

Th m rules for a relying party tru
ust:
Issuance Transform Ruless: These rules define

d the claim
ms that are se nt to the relyin
ng party that h
has
been defineed in the relyin
ng party trust.
Issuance Auuthorization Ru ules: These rules define whicch users are peermitted or de enied access to o the
relying partty defined in the relying party trust. This ru
ule set can incclude rules that explicitly perrmit
access to a relying party, and/or rules that explicitly ddeny access too a relying partty.
Delegation Authorization n Rules: These rules define thhe claims that specify which users can act on
behalf of otther users whe he relying partty. This rule set can include rrules that explicitly
en accessing th
permit deleegates for a relying party, or rules that exp
plicitly deny deelegates to a re
elying party.
Note: A single claim rulle can only be associated witth a single fed
derated trust re
elationship.
Th
his means thatt you cannot create
c a set of rules for one ttrust and then re-use those rrules for
otther trusts that you configurre on your federation server..
AD FS servers are preconfigurred with a set of

o default rulees and several default templaates that you ccan use
to
o create the most common claim
c rules. You can also creaate custom claaim rules using
g the AD FS claaim rule
la
anguage.
Wh
hat Is a Cla
aims Provider Trust??
A claims provider trust is configgured on the reelying
partty federation server.
s The claiims provider trrust
idenntifies the claim
ms provider, and describes how
h
the relying party consumes
c the claims that the
claim
ms provider issues. You musst configure a
ms provider trust for each claims provider.
claim
By default,
d an AD FS server is coonfigured with ha
ms provider trust named Acttive Directory. This
claim
trusst defines the claim
c rules, wh
hich are all
acceeptance transfform rules thatt define how th he
AD FS server acce epts AD DS cre edentials. For
exam mple, the defaault claim ruless on the claimss
provvider trust incllude rules thatt pass through the user nam es, security ideentifiers (SIDs)) and group SIDs to
the relying party. In a single orgganization AD FS deploymen nt, where AD D DS authenticattes all users, th
he
defaault claims proovider trust maay be the only required claim
ms provider tru ust.
Whe en you expandd the AD FS de eployment to include

i other o
organizations,, you must create additional
claim
ms provider trusts for each federated
f orga
anization. Wheen configuring
g a claims provvider trust, you
u have
thre
ee options:
Import data about

a the claim
ms provider through the fed deration metad data. If the AD FS federation
server or fedeeration proxy server
s is accesssible through tthe network frrom your AD FFS federation sserver,
you can enter the host nam me or URL for the
t partner fed deration server. Your AD FS federation serrver
connects to the partner serrver, and down nloads the fedeeration metadata from the sserver. The
federation me etadata includ des all the information that iss required to cconfigure the cclaims provide
er
trust. As part of the federattion metadata download, yo our federation server also doownloads the SSSL
certificate tha
at is used by thhe partner federation server..
Import data about

a the claim
ms provider froom a file. Use tthis option if tthe partner fed
deration server is
not directly accessible from
m your federation server, butt the partner o organization haas exported itss
configurationn and provided d you the inforrmation in a fille. The configu uration file mu
ust include the
e
configurationn information for
f the partnerr organization,, as well as thee SSL certificate that the parttner
federation server uses.
Manually con nfigure the claiims provider trrust. Use this o
option if you w
want to configure all of the
settings for th
he claims provvide trust direcctly. When youu choose this ooption, you muust provide thee
features that the claims proovider supports, the URL useed to access the claims provider AD FS servvers,
and add the SSL
S certificate that the partn ner organizatio on uses.
What
W Is a Relying
R Parrty Trust?
A relying party trust is defined
d on the claim
ms
provider federation server. Th he relying partyy trust
id
dentifies the re
elying party, an
nd also definess the
claims rules that define how the
t relying parrty
acccepts and proocesses claims from the claimms
provider.
n a single organization scena
In ario, the relying
g party
trrust defines ho
ow the AD FS server interactss with
th
he applicationss deployed witthin the appliccation.
When
W you configure the relying party trust in a
single organizattion, you provide the URL fo or the
in
nternal application, and conffigure settings such as
whether
w ports SAML 2.0 or whether it requires AD FFS 1.0 tokens, tthe SSL certificcate and
the application supp
URL used by the e web server, and
a the issuan nce authorizati on rules for th
he application.
Th elying party trust is similar to

he process for configuring re o that for the claims provide er trust. When you
exxpand the AD FS deploymen nt to include other
o organizattions, you musst create addittional relying pparty
trrusts for each federated
f orgaanization. Wheen configuring g a relying partty trust, you haave three options:
Import data a about the relying party thrrough the fedeeration metadata. If the AD FS federation server
or federatioon proxy serveer is accessible through the nnetwork from yyour AD FS fed deration serve
er, you
can enter th he host name or URL for the e partner federration server. Y
Your AD FS fedderation serve
er
connects to o the partner server,
s and theen downloads tthe federation n metadata froom the server. The
federation metadata inclu o configure the relying partyy trust.
udes all the infformation thatt is required to
As part of the
t federation metadata dow wnload, your ffederation servver also downloads the SSL
certificate that
t the partne
er federation server
s uses.
Import dataa about the relying party froom a file. Use tthis option if th
he partner fed
deration serverr is not
accessible from
f your fede
eration server directly. In thiss case, the parrtner organizattion can exporrted its
configuratioon information
n to a file, and
d then provide it to you. Thee configuration n file must include the
configuratioon information
n for the partnner organizatio on, and the SSL certificate th
hat the partnerr
federation server uses.
Manually
M config
gure the claims provider trusst. Use this opttion if you wan
nt to configure
e all of the setttings
fo
or the claims provide
p trust diirectly.
Demonstra
D ation: Conffiguring Cllaims Provvider and R
Relying Paarty Trusts
In
n this demonsttration, you will see how to configure
c claim
ms provider truusts and relying party trusts. The
in
nstructor will sh
how how to ed ory claims provvider trust. The instructor will also
dit the default Active Directo
crreate a new relying party tru
ust, and demonnstrate how to o configure thee trust.
Demonstrati
D ion Steps
Configure
C a Claims Prov
vider Trust
1.. In the AD FS usts, highlight the Active Diirectory store,, and
F console, go to the Claimss Provider Tru
then click Edit
E Claim Rulles.
2.. f Active Dirrectory dialog box, on the A

In the Edit Claim Rules for Acceptance Trransform Rule es tab,
start the Ad
dd Transform
m Claim Rule Wizard
W and co
omplete the w izard with the following setttings:
3.. Under Claim
m rule templatte select Send LDAP Attribu
utes as Claim
ms.
4. Name the claim rule Outbound LDAP Attribute Rule.
5. Choose Active Directory as the Attribute Store.
6. In the Mapping of LDAP attributes to outgoing claim types select the following values:
o E-Mail-Addresses to E-Mail Address
o User-Principal-Name to UPN
Configure a Windows Identity Foundation Application for AD FS

1. On LON-SVR1, from the Start screen, start the Windows Identity Foundation Federation Utility.
2. Complete the wizard with the following settings:
o Point to the web.config file sample application by browsing to

C:\Inetpub\wwwroot\AdatumTestApp\web.config.
o Specify an Application URI box by typing

https://lon-svr1.adatum.com/AdatumTestApp/.
o Select Use an existing STS, and then enter the path

o Disable certificate chain validation.
o Select No encryption.
Configure a Relying Party Trust

1. In the AD FS Management console, in the middle pane, click Required: Add a trusted relying party,
2. Complete the Add Relying Party Wizard with the following settings:
o Select Import data about the relying party published online or on a local network, and type
https://lon-svr1.adatum.com/adatumtestapp.
o Specify a Display name of ADatum Test App.
o Select Permit all users to access this relying party.
o Ensure that the Edit Claim Rules for ADatum Test App check box is selected when the wizard is
complete.
Lesson
n4
Deplo
oying AD
A FS in a B2B Federattion Sce
enario
A second comm mon scenario foor implementiing AD FS is inn a B2B federattion scenario. In this scenario
o, users
in
n one organiza
ation require access to an ap
pplication in an
nother organizzation. AD FS in this scenarioo
en
nables SSO. Th
his way, users always
a log on to their home AD DS enviro onment, but arre granted acce ess to
th
he partner app
plication based
d on the claimss acquired from
m their local A
AD FS server.
Configuring AD D FS in a B2B fe nario is quite siimilar to configuring AD FS in a single

ederation scen
orrganization sceenario. The primary difference is that noww both the claim ms provider trrusts and the re
elying
pa
arty trusts refe
er to external organizations,
o rather than in ternal AD DS o or application.
Le
esson Objecctives
ng this lesson, you
Configure the
t account pa
artner in a B2B
B federation sccenario.
Configure the
t resource partner
p in a B2B
B federation sccenario.
Ex
xplain how to configurre claims ru
ules for a B2
2B federatio
on scenario..
Explain how
w home realm discovery worrks.
Configure claims
c rules.
Configuring
C g an Account Partne
er
In
n a B2B AD FS scenario, the terminology
t th
hat you
usse to describe the two partners involved in n the
AD FS deployment changes slightly. In this
sccenario, the cla
aims provider organization is also
caalled the accouunt partner org
ganization. An n
acccount partnerr organization is the organiza ation in
which
w the user accounts
a are stored
s in an atttribute
sttore. An account partner hanndles the follow wing
ta
asks:
Gather cred
dentials from users
u who are using a
web-based service, and then authenticaating
those crede
entials.
Build up cla
aims for users, and then package the claim ms into securityy tokens. The ttokens can theen be
presented across
a a federa
ation trust to gain
g access to federation ressources that arre located at th
he
resource paartner organizaation.
e account partner organization to prepare for federation

Configuring the n involves the following step
ps:
1.. Implement the physical topology for thhe account parrtner deploym
ment. This step could include
deciding on
n the number of federation servers and fe deration serveer proxies to deploy the locaations to
deploy them equired DNS reecords and cerrtificates.
m to, and conffiguring the re
2.. Add an attrribute store. Use the AD FS management
m cconsole to add d the attribute store. In mostt cases,
you use the
e default Active Directory atttribute store (wwhich must bee used for auth hentication), but you
can also add other attribuute stores if re
equired to buil d the user claiims.
3.. Connect to a resource pa artner organiza
ation by creati ng a relying p
party trust. The
e easiest way to
o do
this is to usse the federatio
on metadata URL
U that is proovided by the rresource partn ner organizatio
on. With
this option, your AD FS servver automatica

ally collects thee information required for the relying parrty
trust.
4. Add a claim description.

d he claim description lists the claims that yo
Th our organizatio
on provides to
o the
relying partne mation may include user nam
er. This inform mes, email addrresses, group m
membership
o other identifying information about a u
information, or user.
5. Prepare clientt computers fo

or federation. This
T may invollve two steps:
a. Add the account partner federation server.

s In the bbrowser of clieent computers, add the accoount
partner federation servver to the Locaal Intranet list. By adding thee account partner federation n
server to the Local Intra
anet list on the
e client compu uters, you enable Integratedd Windows
authenticcation, which means
m that use
ers are not pro ompted for authentication iff they are alreaady
logged innto the domain. You can use e Group Policyy Objects (GPO he URL to the Local
Os) to assign th
Intranet site
s list.
b. Configure certificate trusts. This is an

n optional stepp that is requireed only if one or more of the
servers th ess do not havve trusted cert ificates. The client computerr may have to
hat clients acce
connect tot the accountt federation se ervers, resourcee federation seervers, or fede eration proxy
servers, and
a the destina ation web servvers. If any of tthese certificattes are not from a trusted pu ublic
CA, you may
m have to add the approp priate certificatte or root certtificate to the ccertificate store on
the clientts. You can do this by using GPOs.
Co
onfiguring a Resourcce Partner
The resource parttner organizatiion is the relyin
ng
partty in a B2B fed
deration scenario. The resourrce
parttner organization is where th
he resources exist
and are made acccessible to accoount partner
orgaanizations. The
e resource parrtner handles the
t
follo
owing tasks:
Accepts securrity tokens tha

at the account
partner federration server produces, and
validates them
m.
Consumes the e claims from the security to

okens,
and then provvides new claims to its web
servers after making
m an autthorization deccision.
The web servers must

m have either Windows Id dentity Foundaation or the AD D FS 1.x Claims-Aware Web
Age
ent role service
es installed to externalize
e the
e identity logicc and accept cclaims.
Note: Winddows Identity Foundation

F ovides a set off consistent deevelopment tools that
pro
enable developers to integrate claims-based authentication
a n and authorizzation into their
appplications. Wind
dows Identity Foundation also includes a SSoftware Deveelopment Kit (SSDK) and
mple applications. You use a Windows
sam W Iden
ntity Foundatioon sample app plication in the
e lab for
this module.
Configuring thee resource parttner organization is similar tto configuring the account p
partner organizzation
an
nd consists of the following steps:
1.. Implement the physical topology for th he resource paartner deploym
ment. The plan
nning and
implementa ation steps are
e the same as the he addition of planning the w
t account paartner, with th web
server locattion and config
guration.
2.. Add an attrribute store. On
O the resource opulate the claims that
e partner, the aattribute storee is used to po
are offered to the client to
t present to the web serverr.
3.. Connect to an account pa

artner organizzation by creatting a claims p
provider trust.
4.. Create claim
m rule sets for the claims pro
ovider trust.
Configuring
C g Claims Rules
R for B2B
B Scenarrios
In
n a single organization deplo oyment of AD FS, it
may
m be quite ea asy to design and
a implemen nt claims
ru
ules. In many cases,
c you mayy need to provide
on ame or group name that is
nly the user na
co t claim and presented to the
ollected from the t web
erver. In a B2B scenario, it is more likely that you
se
will
w have to con nfigure more complicated cla aims
ru
ules to define user
u access between widely varying
v
syystems.
Claim rules define how account partners (cllaims

providers) creatte claims, and how resource
pa
artners (relying
g parties) conssume claims. AD
A FS
provides several templates that you can use uring claim ru les:
e when configu
Send LDAP Attributes as Claims rule tem mplate. Use th

his template wwhen you selectt specific attrib
butes in
an LDAP atttribute store to populate cla aims. You can cconfigure mulltiple LDAP atttributes as individual
claims in a single claim ru u can create a rule
ule that you crreate from thiss template. Forr example, you
that extractts the sn (surname) and give enName AD D nticated users, and
DS attributes frrom all authen
then send these
t values ass outgoing claims to be sentt to a relying pparty.
Send Group p Membership p as a Claim rule template. U
Use this templaate to send a p
particular claim
m type
and associa ated claim valu ue that is based
d on the userss AD DS securrity group memmbership. For
example, yo ou might use this
t template to t create a rulee that sends a group claim ttype with a value of
SalesAdmin n, if the user is a member of the Sales Man nager security group within ttheir AD DS do omain.
This rule isssues only a single claim, baseed on the AD DS group thatt you select as a part of the
template.
Pass Throug gh or Filter an Incoming Claim rule templaate. Use this teemplate to sett additional
restrictions on which claimms are submitted to relying parties. For exxample, you m might want to uuse a
user email address
a as a cllaim, but only forward the e mail address iff the domain ssuffix on the email
address is adatum.com.
a When
W using this template, yo
ou can either p pass through w whatever claimm you
extract from
m the attribute e claim is passed on
e store, or you can configuree rules that filt er whether the
based on va arious criteria.
Transform an
a Incoming Claim
C rule template. Use thiss template to mmap the value of an attribute in the
claims provvider attribute store to a different value in the relying paarty attribute sstore. For exam
mple,
you may wa e all members of the Marketiing departmen
ant to provide nt at A. Datumm Corporation limited
access to a purchasing ap pplication at Trey Research. AAt Trey Researrch, the attribu ute used to deefine the
limited acce
ess level may have
h an attribuute of LimiteddPurchaser. To o address this scenario, you can
configure a claims rule thatt transforms an

n outgoing claaim where the Department vvalue is Marketting,
to an incominng claim where e the ApplicattionAccess atttribute is LimiitedPurchaserr. Rules created
from this tem
mplate must ha ave a one-to-oone relationshi p between thee claim at the claims provide er and
the claim at the relying parrtner.
Permit or Den ny Users Basedd on an Incoming Claim rulee template. Thiis template is aavailable only when
you are configuring Issuancce Authorizatio on Rules or Deelegation Auth horization Rule
es on a relying party
trust. Use thiss template to create
c rules tha
at enable or d eny access by users to a relyying party, bassed on
the type and value of an incoming claim. This claim rul e template all ows you to pe erform an
authorizationn check on the claims provider before claim ms are sent to a relying partyy. For example e, you
can use this rule template tot create a rulee that only perrmits users fro
om the Sales grroup to accesss a
relying party, while authenttication requessts from memb bers of other ggroups are nott sent to the re
elying
party.
If no e templates prrovide the funcctionality that you require, yyou can create more
one of the built-in claim rule
commplex rules usin
ng the AD FS claim
c rule lang
guage. By creaating a customm rule, you can extract claimss
info
ormation from multiple attrib bute stores andd also combinne claim types into a single cclaim rule.
Ho
ow Home Realm
R Disccovery Wo
orks
Somme resource pa artner organizaations that aree
hostting claims-aw ware applicatioons may want to t
enable multiple account partners to access th heir
appplications. In th
his scenario, wh
hen users conn nect
to the web application, there must
m be some
mecchanism for directing the use ers to the AD FS
fedeeration server in their home domain, rathe er
thann to another organizations
o federation
f servver.
The process for diirecting clientss to the appropriate
accoount partner iss called home realm discoverry.
Hom me realm discoovery occurs after the client

connects to the reelying partys website
w and th
he
clien edirected to the relying partyys federation sserver. At this point, the relyying partys
nt has been re
fede he federation server in the cclients home rrealm so that tthe
eration server must redirect the client to th
userr can be authe ere are multiple claims provviders configurred on the relyying party
enticated. If the
fedeeration server, it has to knoww to which federation serverr to redirect the client.
At a high level, there are three ways

w in which to implementt home realm d
discovery:
1. Ask users to select

s their homme realm. With this option, when the userr is redirected to the relying
partys federa
ation server, thhe federation server
s can dispplay a web pag
ge requesting tthat the user
identify for which
w companyy they work. Once the user s elects the app propriate comppany, the federation
server can use e that informa omputer to thee appropriate home federation
ation to redirecct the client co
server for autthentication.
2. Modify the lin

nk for the web b application too include a WH HR string that specifies the u
users home re
ealm.
The relying partys federatioon server uses this string to redirect the usser to the appropriate homee
realm automa atically. This means
m that the user does nott have to be prrompted to select the home e
realm, becausse the WHR string in the URL that the userr clicks relays tthe needed infformation to tthe
relying partys federation seerver. The mod dified link mig
ght look sometthing like
https://www.aadatum.com/O OrderApp/?wh hr=urn:federattion:TreyResea rch.
3. If the remote application is SAML 2.0-com mpliant, users can use a SAM ML profile calle ed IdPInitiated
d SSO.
This SAML profile configure es users to acccess their local claims provid er first, which can prepare thhe
users token with the claims required to access the partners web application. This process changes the
normal process for accessing the web application, by having the users log on to the claims provider
federation server first, and then prompting them to select which application they want to access, so
that their token can be created with the appropriate information.
Note: The home realm discovery process occurs the first time the user tries to access a web
application. After the user authenticates successfully, a home realm discovery cookie is issued to
the client so that the user does not have to go through the process the next time. This home
realm discovery cookie expires after a month, unless the cookie cache is cleared prior to
expiration.
Demonstration: Configuring Claims Rules

In this demonstration, you will see how to configure claims rules on a relying party trust that forwards a
group name as part of the claim. You will also see how to configure a claims rule that limits access to the
application only to members of a particular group.
Demonstration Steps
Configure Claims Rules

1. On LON-DC1, edit the Adatum Test App relying party trust by creating a new Issuance Transform
Rule that passes through or filters an incoming claim. Name the rule Send Group Name Rule, and
configure the rule to use an incoming claim type of group.
2. Delete the Issuance Authorization Rule that grants access to all users.
3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming
claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of
Group, an Incoming claim value of Production, and select the option to Permit access to users
with this incoming claim
claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an
Incoming claim value, of @adatum.com, and select the option to Permit access to users with this
incoming claim, and then click Finish.
5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.
Lab: Implementing AD FS
Scenario
A. Datum Corporation has set up a variety of business relationships with other companies and customers.
Some of these partner companies and customers must access business applications that are running on
the A. Datum network. The business groups at A. Datum want to provide a maximum level of functionality
and access to these companies. The Security and Operations departments want to ensure that the
partners and customers can only access the resources to which they require access, and that
implementing the solution does not significantly increase the workload for the Operations team. A. Datum
is also working on migrating some parts of their network infrastructure to online services, including
Windows Azure and Office 365.
To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the
company plans to use AD FS to implement SSO for internal users who access an application on a web
server. A. Datum also has entered into a partnership with another company, Trey Research. Trey Research
users must be able to access the same application.
As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS
solution. As a proof of concept, you plan to deploy a sample claims-aware application, and configure
AD FS to enable both internal users and Trey Research users to access the same application.
Objectives
Configure the AD FS prerequisites.
Install and configure AD FS.
Configure AD FS for single organization.
Configure and validate SSO for a business federation scenario.
Lab Setup
20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-MUN-DC1
Password: Pa$$w0rd
Password: Pa$$w0rd
5. Repeat steps 2 to 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-MUN-DC1.
a. Log on to 20412A-LON-SVR1 as Adatum\Administrator.

b. Do not log on to 20412A-LON-CL1 at this point.
c. On 20412A-MUN-DC1, log in as TreyResearch\Administrator with the password Pa$$w0rd.
Exercise 1: Configuring AD FS Prerequisites

Scenario
To deploy AD FS at A. Datum Corporation, you must verify that all required components are configured.
You plan to verify that AD CS is deployed in the organization, and then configure the certificates required
for AD FS on the AD FS server and on the web servers. You also plan to configure the DNS forwarders to
enable communication between Adatum.com and TreyResearch.net.
1. Configure DNS forwarders.
2. Exchange root certificates to enable certificate trusts.
3. Request and install a certificate for the web server.
4. Bind the certificate to the claims-aware application on the web server, and verify application access.
Task 1: Configure DNS forwarders

1. On LON-DC1, create a new conditional forwarder for the TreyResearch.net domain, using the DNS
server IP address of 172.16.10.10.
2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, using the DNS server
IP address of 172.16.0.10.
Task 2: Exchange root certificates to enable certificate trusts

1. On LON-DC1, copy MUN-DC1.TreyResearch.net_TreyResearchCA.crt from
\\MUN-DC1.treyresearch.net\certenroll to the Documents folder.
2. Create a new MMC, and add the Group Policy Management Editor.
3. Edit the Default Domain Policy Group Policy Object and import the copied root certificate to the
Trusted Root Certification Authorities folder.
4. On MUN-DC1, copy the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt from
\\LON-DC1.Adatum.com\certenroll to the Documents folder.
5. Create a new MMC, and add the Certificates snap-in focused on the Local Computer.
6. Import the copied root certificate to the Trusted Root Certification Authorities folder.
Task 3: Request and install a certificate for the web server

1. On LON-SVR1, open the Internet Information Services (IIS) Manager.
2. Request a new domain certificate for the server using the following parameters:
o Common name: LON-SVR1.adatum.com
o Organization: A. Datum
o Organization unit: IT
o City/locality: London
o State/province: England
o Country/region: GB
3. Request the certificate from Adatum-LON-DC1-CA.

Task 4: Bind the certificate to the claims-aware application on the web server, and
verify application access
1. On LON-SVR1, in IIS, create a new HTTPS site binding, and then select the newly created certificate.
2. On LON-DC1, open Internet Explorer and connect to

https://lon-svr1.adatum.com/adatumtestapp.
3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected, because you have not yet configured AD FS for authentication.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
Exercise 2: Installing and Configuring AD FS

Scenario
To start the AD FS implementation, you plan to install AD FS on the A. Datum Corporations domain
controller, and configure the server as a standalone federation server. You also plan to configure the
server to use a CA-signed token signing certificate.
1. Install and configure AD FS.
2. Create a standalone federation server using the AD FS Federation Server Configuration Wizard.
3. Verify that FederationMetaData.xml is present and contains valid data.
Task 1: Install and configure AD FS

On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.
Task 2: Create a standalone federation server using the AD FS Federation Server

On LON-DC1, run the AD FS Federation Server Configuration Wizard using the following parameters:
o Create a new federation service.
o Create a standalone deployment.
o Use the LON-DC1.Adatum.com certificate.
o Choose a service name of LON-DC1.Adatum.com
Task 3: Verify that FederationMetaData.xml is present and contains valid data

1. On LON-CL1, log on as Adatum\Brad, using the password Pa$$w0rd.
2. Open Internet Explorer.
3. Open Internet Options, and add https://LON-DC1.Adatum.com, and

https://LON-SVR1.adatum.com to the Local intranet zone.
4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06
/federationmetadata.xml.
5. Verify that the xml file opens successfully, and then scroll through its contents.
Results: In this exercise, you installed and configured the AD FS server role, and verified a successful
installation by viewing the Federation Meta Data .xml contents.
Exercise 3: Configuring AD FS for a Single Organization

Scenario
The first scenario for implementing the proof of concept AD FS application is to ensure that internal users
can use SSO to access the web application. You plan to configure the AD FS server and a web application
to enable this scenario. You also want to verify that internal users can access the application.
1. Configure a Token-signing certificate for LON-DC1.Adatum.com.
2. Configure the Active Directory claims provider trust.
3. Configure the claims application to trust incoming claims by running the Windows Identity
Foundation Federation Utility.
4. Configure a relying party trust for the claims-aware application.
5. Configure claim rules for the relying party trust.
6. Test access to the claims-aware application.
Task 1: Configure a Token-signing certificate for LON-DC1.Adatum.com

1. On LON-DC1, use the set-ADFSProperties AutoCertificateRollover $False command to enable
modification of the assigned certificates.
2. In the AD FS Management console, add the LON-DC1.Adatum.com certificate as a new token-signing

certificate. Verify that the certificate has a subject of CN=LON-DC1.Adatum.com, and purposes of
Proves your identity to a remote computer and Ensures the identity of a remote computer.
3. Make the new certificate the primary certificate, and remove the old certificate.
Task 2: Configure the Active Directory claims provider trust

1. On LON-DC1, in the AD FS Management console, go to the Claims Provider Trusts, highlight the
Active Directory store and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog box, on the Acceptance Transform Rules tab,
launch the Add Transform Claim Rule Wizard and complete the wizard with the following settings:
o Select Send LDAP Attributes as Claims under Claim rule template.
o Name the claim rule Outbound LDAP Attribute Rule.
o Choose Active Directory as the Attribute Store.
3. In the Mapping of LDAP attributes to outgoing claim types select the following values:
o E-Mail-Addresses to E-Mail Address
o User-Principal-Name to UPN
o Display-Name to Name
Task 3: Configure the claims application to trust incoming claims by running the
Windows Identity Foundation Federation Utility
1. On LON-SVR1, from the Start screen, launch the Windows Identity Foundation Federation Utility.
2. Complete the wizard with the following settings:
o Point to the web.config file of the Windows Identity Foundation sample application by pointing
to C:\Inetpub\wwwroot\ AdatumTestApp \web.config.
o Specify an Application URI box by typing

https://lon-svr1.adatum.com/AdatumTestApp/.
o Select to Use an existing STS, and enter a path

o Select No encryption.
Task 4: Configure a relying party trust for the claims-aware application

1. In the AD FS Management console, in the middle pane, click Required: Add a trusted relying party.
2. Complete the Add Relying Party Wizard with the following settings:
o Choose to Import data about the relying party published online or on a local network, and
then type https://lon-svr1.adatum.com/adatumtestapp.
o Specify a Display name of ADatum Test App.
o Choose to Permit all users to access this relying party.
o When the wizard completes, accept the option to open the Edit Claims Rules for ADatum Test
App.
Task 5: Configure claim rules for the relying party trust

1. In the Edit Claim Rules for Adatum Test App properties dialog box, choose to add a rule on the
Issuance Transform Rules tab.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
o In the Claim rule template drop-down list, click Pass through or Filter an Incoming Claim.
o Name the claim rule Pass through Windows Account name rule.
o In the Incoming claim type drop-down list, click Windows account name.
3. Create three more rules to pass through E-Mail Address, UPN, and Name type claim.
Task 6: Test access to the claims-aware application

1. On LON-CL1, open Internet Explorer, and connect to https://lon-
svr1.adatum.com/AdatumTestApp/
2. Verify that you can access the application.
Results: In this exercise, you configured a Token signing certificate and configured a claims provider trust
for Adatum.com. You also should have configured the sample application to trust incoming claims, and
configured a relying party trust and associated claim rules. You also tested access to the sample Windows
Identity Foundation application in a single organization scenario.
Exercise 4: Configuring AD FS for Federated Business Partners

Scenario
The second deployment scenario is to enable TreyResearch users to access the web application. You plan
to configure the integration of AD FS at TreyResearch with AD FS at A. Datum Corporation, and then
verify that TreyResearch users can access the application. You also want to confirm that you can configure
access that is based on user groups. You must ensure that all users at A. Datum, and only users who are in
the Production group at TreyResearch, can access the application.
1. Add a claims provider trust for the TreyResearch.net AD FS server.
2. Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware application.
3. Verify access to the A. Datum test application for Trey Research users.
4. Configure claim rules for the claim provider trust and the relying party trust to allow access only for a
specific group.
5. Verify restrictions and accessibility to the claims-aware application.
Task 1: Add a claims provider trust for the TreyResearch.net AD FS server

1. On LON-DC1, in the AD FS Management console, go to Trust Relationships, go to Claims Provider
Trusts, and then choose to Add Claims Provider Trust.
2. Complete the Add Claims Provider Trust Wizard with the following settings:
o Choose Import data about the claims provider published online or on a local network, and
enter https://mun-dc1.treyresearch.net as the data source.
o In Display Name, type mun-dc1.treyresearch.net.
o Complete the wizard.
3. In the Edit Claim Rules for the mun-dc1.treyresearch.net properties dialog box, use the following
values:
o Add a Rule to the Acceptance Transform Rules.
o Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
o Use Pass through Windows account name rule as the claim rule name.
o Choose Windows account name as the incoming claim type, and then choose to Pass through
all claim values.
o Complete the rule.
4. On LON-DC1, run the following command in Windows PowerShell.
Set-ADFSClaimsProviderTrust TargetName mun-dc1.treyresearch.net

SigningCertificateRevocationCheck None
Note: You should disable certificate revocation checking only in test environments. In a production
environment, certificate revocation checking should be enabled.
Task 2: Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware
application
1. On MUN-DC1, in the AD FS Management console, open the Add Relying Party Trust Wizard, and
complete it with the following settings:
o Choose to Import data about the relying party published online or on a local network and
type in https:// lon-dc1.adatum.com .
o Specify a Display name of Adatum TestApp.
o Choose to Permit all users to access this relying party.
o Accept the option to open the Edit Claim Rules for Adatum TestApp when the wizard completes.
2. In the Edit Claim Rules for Adatum TestApp properties dialog box, on the Issuance Transform
Rules tab, click to add a rule with the following settings:
o In the claim rule template list, choose Pass Through or Filter an Incoming claim.
o In the Claim rule name box, type Pass through Windows account name rule.
o Choose Windows account name in Incoming claim type.
o Choose to Pass through all claim values.

o Complete the wizard.
Task 3: Verify access to the A. Datum test application for Trey Research users
1. On MUN-DC1, open Internet Explorer and connect to
https://lon-svr1.adatum.com/adatumtestapp/
2. Select mun-dc1.treyresearch.net as the home realm, and log on as TreyResearch\April, with the
password Pa$$w0rd.
3. Verify that you can access the application.
4. Close Internet Explorer, and connect to the same web site. Verify that this time you are not prompted
for a home realm.
Note: You are not prompted for a home realm again. Once users have selected a home realm and
been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party
federation server. The default lifetime for the cookie is 30 days. Therefore, to log on multiple times, you
should delete that cookie after each logon attempt to return to a clean state.
Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a specific group
1. On MUN-DC1, open the AD FS Management Console, access the Adatum TestApp relying party trust.
2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule
Permit Production Group Rule, configure the Users Group as Production, configure the Outgoing
claim type as Group, and the Outgoing claim value as Production.
3. On LON-DC1, in the AD FS Management Console, edit the mun-dc1.treyresearch.net Claims Provider

Rule to create a new rule that passes through or filters an incoming claim with the rule name of Send
Production Group Rule. Configure the rule with an incoming claim type of Group.
4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes
through or filters an incoming claim. Name the rule Send TreyResearch Group Name Rule, and
configure the rule to use an incoming claim type of Group.
5. Delete the Issuance Authorization Rule that grants access to all users.
claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an
Incoming claim type of Group, an Incoming claim value of Production, and select the option to
Permit access to users with this incoming claim.
claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim
value, of @adatum.com, and select the option to Permit access to users with this incoming
claim, and then click Finish.
8. Edit the Temp rule and copy the claim rule language into the clipboard.
9. Delete the Temp rule.
10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule.
11. Click in the Custom rule box, and then press Crtl + V to paste the clipboard contents into the box.
Edit the first URL to match the following text, and then click Finish.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~

"^(?i).+@adatum\.com$"]=> issue(Type =
http://schemas.microsoft.com/authorization/claims/permit, Value = PermitUsersWithClaim);
Task 5: Verify restrictions and accessibility to the claims-aware application

1. On MUN-DC1, open Internet Explorer, and connect to
https://lon-svr1.adatum.com/adatumtestapp/
2. Verify that TreyResearch\April no longer has access to the A. Datum test app.
3. Clear the browsing history in Internet Explorer.
4. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
5. Verify that TreyResearch\Morgan does have access to the A. Datum test app. Morgan is a member
of the Production group.
Results: In this exercise, you configured a claims provider trust for TreyResearch on Adatum.com. and a
relying party trust for Adatum on TreyResearch. You verified access to the A. Datum claim-aware
application. Then you configured the application to restrict access from TreyResearch to specific groups,
and you verified appropriate access.
To shut down the virtual machines

2. In the Virtual Machines list, right-click 20412A-MUN-DC1, and then click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, and 20412A-LON-DC1.
Lab Review
Question: In this lab, you implemented access to a claims-aware application for both internal and
external users. What extra steps did you have to take in the relying party to enable access for
external users?
Question: How can you identify which claims are used to provide user access to the sample
Windows Identity Foundation application that you used in the lab?

Question: What are the benefits of deploying AD FS with a cloud-based application or service?
Question: Under what circumstances would you choose to deploy a federation proxy server?
Under what circumstances, do you not need to deploy a federation proxy server?

Certificate errors on the federation server
Certificate errors on the client
Client application failed to authenticate

with AD FS

1. Question: Tailspin Toys is deploying a new claims-based web application. The web application needs
to be accessible to both Tailspin Toys users and to TreyResearch users. What AD FS components will
you need to deploy at Tailspin Toys to enable this level of access?
Answer:
2. Question: Fabrikam, Inc. is examining the requirements for AD FS. The company wants to use a
federation proxy server for maximum security. Fabrikam, Inc. currently has an internal network with
internal DNS servers, and their internet-facing DNS is hosted by a hosting company. The perimeter
network uses the hosting companys DNS servers for DNS resolution. What must the company do to
prepare for the deployment?
Answer:
Coursse Evalu
uation
Yo
our evaluation
n of this course
e will help Microsoft understtand the qualitty of your learning experience.
Pllease work with your training

g provider to access
a the cou
urse evaluation
n form.
Microsoft
M will ke
eep your answ nd confidentiall and will use yyour responsess to
wers to this surrvey private an
im
mprove your fu uture learning experience. Yo our open and honest feedbaack is valuable e and appreciaated.
L1-1
Module 1: Implementing Advanced Network Services

Lab: Implementing Advanced Network
Services
Exercise 1: Configuring Advanced DHCP Settings
Task 1: Configure a superscope
1. On LON-DC1, in Server Manager, click Tools, and then click DHCP.
2. In the DHCP console, click LON-DC1.adatum.com, select and then right-click IPv4, and then click
New Scope.
3. In the New Scope Wizard, click Next.
4. On the Scope Name page, in the Name box, type Scope1, and then click Next.
5. On the IP Address Range page, in the Start IP address box, type 192.168.0.50, and then in the End
IP address box, type 192.168.0.100.
6. In the Subnet mask box, ensure that 255.255.255.0 is entered, and then click Next.
7. On the Add Exclusions and Delay page, click Next.
8. On the Lease Duration page, click Next.
9. On the Configure DHCP Options page, select Yes, I want to configure these options now, and
then click Next.
10. On the Router (Default Gateway) page, in the IP address box, type 192.168.0.1, click Add, and
then click Next.
11. On the Domain Name and DNS Servers page, ensure the parent domain is Adatum.com, and then
click Next.
12. On the WINS Servers page, click Next.

13. On the Activate Scope page, click No, I will activate this scope later, and then click Next.
14. On the Completing the New Scope Wizard page, click Finish.
15. Right-click IPv4, and then click New Scope.
16. In the New Scope Wizard, click Next.
17. On the Scope Name page, in the Name box, type Scope2, and then click Next.
18. On the IP Address Range page, in the Start IP address box, type 192.168.1.50, and then in the End
IP address box, type 192.168.1.100.
19. In the Subnet mask box, ensure that 255.255.255.0 is entered, and then click Next.
20. On the Add Exclusions and Delay page, click Next.
21. On the Lease Duration page, click Next.
22. On the Configure DHCP Options page, select Yes, I want to configure these options now, and
then click Next.
23. On the Router (Default Gateway) page, in the IP address box, type 192.168.1.1, click Add, and
then click Next.
L1-2 Module 1: Implementing Advanced Network Services
24. On the Domain Name and DNS servers page, ensure the parent domain is Adatum.com, and then
click Next.
25. On the WINS Servers page, click Next.
26. On the Activate Scope page, click No, I will activate this scope later, and then click Next.
27. On the Completing the New Scope Wizard page, click Finish.
28. Right-click the IPv4 node, and then click New Superscope.
29. In the New Superscope Wizard, click Next.
30. On the Superscope Name page, in the Name box, type AdatumSuper, and then click Next.
31. On the Select Scopes page, select Scope1, hold down the Ctrl key, select Scope2, and then click
Next.
32. On the Completing the New Superscope Wizard page, click Finish.
Task 2: Configure DHCP name protection

1. On LON-DC1, in the DHCP console, expand Lon-DC1.adatum.com.
2. Right-click IPv4, and then click Properties.
3. Click the DNS tab.
4. In the Name Protection pane, click Configure.
5. Select the Enable Name Protection check box, and then click OK.
6. Click OK again.
Task 3: Configure and verify DHCP failover

1. On LON-SVR1, in Server Manager, click Tools, and then from the drop-down list, click DHCP. Note
that the server is authorized, but that no scopes are configured.
2. On LON-DC1, in the DHCP console, right-click the IPv4 node, and then click Configure Failover.
3. In the Configure Failover Wizard, click Next.
4. On the Specify a partner server to use for failover page, in the Partner Server box, enter
172.16.0.21, and then click Next.
5. On the Create a new failover relationship page, in the Relationship Name box, enter Adatum.
6. In the Maximum Client Lead Time field, set the hours to 0, and set the minutes to 15.
7. Ensure that the Mode field is set to Load balance, and that the Load Balance Percentage is set to
50%.
8. Select the State Switchover Interval check box. Keep the default value of 60 minutes.
9. In the Enable Message Authentication Shared Secret box, type Pa$$w0rd, and then click Next.
10. Click Finish, and then click Close.
11. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active.
12. Expand the IPv4 node, expand Scope Adatum, click the Address Pool node, and note that the
address pool is configured.
13. Click the Scope Options node, and note that the scope options are configured.
14. Start 20412A-LON-CL1 and log on as Adatum\Administrator with a password of Pa$$w0rd.
15. On the Start screen, type Control Panel.

Configuring Advanced Windows Server 2012 Services L1-3
16. In the Apps Results box, click Control Panel.
17. In Control Panel, click Network and Internet, click Network and Sharing Center, click Change
adapter settings, and then right-click Local Area Connection, and then click Properties.
18. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
19. In the Properties window, select the Obtain an IP address automatically radio button, click Obtain
DNS server address automatically, and then click OK.
20. In the Local Area Connection Properties dialog box, click Close.
21. Hover over the bottom right corner to expose the fly-out menu, and then click Search Charm.
22. In the Apps search box, type Cmd, and then press Enter.
23. In the command prompt window, type ipconfig, and then press Enter. Record your IP address.
24. On LON-DC1, on the taskbar, click the Server Manager icon.
25. In Server Manager, click Tools, and then click Services.
26. In the Services window, locate the DHCP Server service, and then click Stop the service.
27. Close the Services window, and close the DHCP console.
28. On LON-CL1, in the command prompt window, type ipconfig /release, and then press Enter.
29. Type ipconfig /renew, and then press Enter.
30. Type ipconfig, and then press Enter. What is your IP address? Answers may vary.
31. Shut down the LON-SVR1 server.
32. On LON-DC1, in the Services console, start the DHCP server service.
33. Close the Services console.
Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection,
and configured and verified DHCP failover.
Exercise 2: Configuring Advanced DNS Settings

Task 1: Configure DNSSEC
1. On LON-DC1, in Server Manager, click Tools, and then in the drop-down list, click DNS.
2. Expand LON-DC1, expand Forward Lookup Zones, click Adatum.com, and then right-click
Adatum.com.
3. On the menu, click DNSSEC>Sign the Zone.
4. In the Zone Signing Wizard, click Next.
5. On the Signing options page, click Customize zone signing parameters, and then click Next.
6. On the Key Master page, ensure that LON-DC1 is the Key Master, and then click Next.
7. On the Key Signing Key (KSK) page, click Next.
8. On the Key Signing Key (KSK) page, click Add.
9. On the New Key Signing Key (KSK) page, click OK.
10. On the Key Signing Key (KSK) page, click Next.

11. On the Zone Signing Key (ZSK) page, click Next.
12. On the Zone Signing Key (ZSK) page, click Add.
13. On the New Zone Signing Key (ZSK) page, click OK.
14. On the Zone Signing Key (ZSK) page, click Next.
15. On the Next Secure (NSEC) page, click Next.
16. On the Trust Anchors page, select the Enable the distribution of trust anchors for this zone
check box. Click Next.
17. On the Signing and Polling Parameters page, click Next.
18. On the DNS Security Extensions page, click Next, and then click Finish.
19. In the DNS console, expand Trust Points, expand com, and then click Adatum. Ensure that the
DNSKEY resource records display, and that their status is valid.
20. Minimize the DNS Manager.
21. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.
22. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain
Policy, and then click Edit.
Windows Settings, and then click Name Resolution Policy.
24. In the right pane, under Create Rules, in the Suffix box, type Adatum.com to apply the rule to the
suffix of the namespace.
25. Select the Enable DNSSEC in this rule check box, select the Require DNS clients to check that the
name and address data has been validated by the DNS server check box, click Create.
26. Close the Group Policy Management Editor and Group Policy Management Console.
Task 2: Configure the DNS socket pool

1. On LON-DC1, hover over the bottom right corner to expose the fly-out menu, and then click Search.
2. In the Apps search box, type Cmd, and then press Enter.
3. In the command prompt window, type the following command, and then press Enter to view the
current size of the DNS socket pool. Note that the current size is 2,500.
4. Type the following command, and then press Enter to change the socket pool size to 3,000.
dnscmd /config /socketpoolsize 3000
5. Type the following command, and then press Enter to stop the DNS server.
net stop dns
6. Type the following command, and then press Enter to restart the DNS server.
net start dns
7. Type the following command, and then press Enter to confirm the new socket pool size.

Task 3: Configure DNS cache locking

1. In the command prompt window, type the following command, and then press Enter to display the
current percentage value of the DNS cache lock.
Note that the current value is 100 percent.
2. Type the following command, and then press Enter to change the cache lock value to 75 percent.
dnscmd /config /CacheLockingPercent 75
3. Type the following command, and then press Enter to stop the DNS server.
net stop dns
4. Type the following command, and then press Enter to restart the DNS server.
net start dns
5. Type the following command, and then press Enter to display the current percentage value of the
DNS cache lock.
Note the new value is 75 percent.
6. Leave the command prompt window open for the next task.
Task 4: Configure a GlobalName Zone

1. Create an Active Directory integrated forward lookup zone named Contoso.com by running the
following command:
Dnscmd LON-DC1 /ZoneAdd Contoso.com /DsPrimary /DP /forest
2. In the command prompt window, type the following command, and then press Enter to enable
support for GlobalName zones:
dnscmd lon-dc1 /config /enableglobalnamessupport 1
3. Create an Active Directory integrated forward lookup zone named GlobalNames by running the
following command:
Dnscmd LON-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest
4. Minimize the command prompt window.
5. Restore the DNS console from the taskbar.
6. In the DNS console, click Action, and then click Refresh to refresh the view.
7. In the DNS console, expand Forward Lookup Zones, click the Contoso.com zone, right-click
Contoso.com, and then click New Host (A or AAAA).
8. In the New Host dialog box, in the Name box, type App1.
Note: The Name box uses the parent domain name if it is left blank.
9. In the IP address box, type 192.168.1.200, and then click Add Host.
10. Click OK, and then click Done.
11. Right-click the GlobalNames zone, and then click New Alias (CNAME).
12. In the New Resource Record dialog box, in the Alias name box, type App1.
13. In the Fully qualified domain name (FQDN) for target host box, type App1.Contoso.com, and
then click.
14. Close DNS Manager and close the command prompt.
Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS
cache locking, and the GlobalName zone.
Exercise 3: Configuring IP Address Management

Task 1: Install the IPAM feature
1. On LON-SVR2, in the Server Manager Dashboard, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, select the IP Address Management (IPAM) Server check box.
7. In the Add features that are required for IP Address Management (IPAM) Server popup, click
Add Features, and then click Next.
8. On the Confirm installation selections page, click Install.

9. Close the Add Roles and Features Wizard when complete.
Task 2: Configure IPAMrelated GPOs

1. In the Server Manager navigation pane, click IPAM.
2. In the IPAM Overview pane, click Connect to IPAM server, and then select
LON-SVR2.Adatum.com and then click OK.
3. Click Provision the IPAM server.
4. In the Provision IPAM Wizard, click Next.
5. On the Select provisioning method page, ensure that the Group Policy Based method is selected,
in the GPO name prefix box, type IPAM, and then click Next.
6. On the Confirm the Settings page, click Apply. Provisioning will take a few moments to complete.
7. When provisioning completes, click Close.
Task 3: Configure IP management server discovery

1. On the IPAM Overview pane, click Configure server discovery.
2. In the Configure Server Discovery settings dialog box, click Add, and then click OK.
3. In the IPAM Overview pane, click Start server discovery. Discovery may take 5-10 minutes to run.
The yellow bar will indicate when discovery is complete.
Task 4: Configure managed servers

1. In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access. Notice
that the IPAM Access Status is blocked.
2. Scroll down to the Details view, and note the status report, which is that the IPAM server has not yet
been granted permission to manage LON-DC1 via Group Policy.
3. On the taskbar, right-click the Windows PowerShell icon, right-click Windows PowerShell and then
click Run as Administrator.
4. At the command prompt, type the following command, and then click Enter:
Invoke-IpamGpoProvisioning Domain Adatum.com GpoPrefixName IPAM IpamServerFqdn

LON-SVR2.adatum.com DelegatedGpoUser Administrator
5. When you are prompted to confirm the action, type Y, and then press Enter. The command will take a
few moments to complete.
6. Close Windows PowerShell.
7. In Server Manager, in the details pane, right-click LON-DC1, and then click Edit Server.
8. In the Add or Edit Server dialog box, set the Manageability status to Managed, and then click OK.
9. Switch to LON-DC1, open the PowerShell prompt from the Taskbar.

10. Type Gpupdate /force, and then press Enter.
11. Close the command prompt window.
12. Switch to LON-SVR2, in Server Manager, in the IPAM console, right-click the LON-DC1 entry, and
then click Refresh Server Access Status. After the refresh completes, click the IPv4 console refresh
button. It may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks
as needed until a green check mark displays next to LON-DC1 and the IPAM Access Status shows
Unblocked.
13. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take a few
moments to complete.
Task 5: Configure and verify a new DHCP scope with IPAM

1. On LON-SVR2, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP
Servers.
2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server
role, and then click Create DHCP Scope.
3. In the Create DHCP Scope dialog box, in the Scope Name box, type TestScope.
4. In the Start IP address box, type 10.0.0.50.
5. In the End IP address box, type 10.0.0.100.
6. Ensure the subnet mask is 255.0.0.0
7. In the Create scope pane, click Options.
8. In the Configure options pane, click the Option drop-down arrow, and then select 003 Router.
9. Under Values, in the IP Address box, type 10.0.0.1, click Add to list, and then click OK.
10. On LON-DC1, in the Server Manager toolbar, click Tools, and then click DHCP.
11. In the DHCP console, expand LON-DC1, expand IPv4, and confirm that the TestScope exists.
12. Minimize the DHCP console.
Task 6: Configure IP address blocks, record IP addresses, and create DHCP

reservations and DNS records
1. On LON-SVR2, in Server Manager, in the IPAM console tree, click IP Address Blocks.
2. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block.
3. In the Add or Edit IPv4 Address Block dialog box, provide the following values, and then click OK:
o Network ID: 172.16.0.0
o Prefix length: 16
o Description: Head Office
4. In the IPAM console tree, click IP Address Inventory.
5. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address.
6. In the Add IP Address dialog box, under Basic Configurations, provide the following values, and
then click OK:
o Device type: Routers
o Description: Head Office Router
7. Click the Tasks drop-down arrow, and then click Add IP Address.
8. In the Add IP Address dialog box, under Basic Configuration, provide the following values:
o Device type: Host

9. In the Add IPv4 Address pane, click DHCP Reservation, and then enter the following values:
o Reservation server name: LON-DC1.Adatum.com
o Reservation name: Webserver
o Reservation type: Both
10. In the Add IPv4 Address pane, click DNS Record, enter the following values, and then click OK:
o Device name: Webserver
o Forward lookup zone: Adatum.com
o Forward lookup primary server: LON-DC1.adatum.com
11. When the entry displays in the IPv4 details pane, right-click the entry, and then click Create DHCP
Reservation.
12. Right-click the entry again, and then click Create DNS Host Record.
13. On LON-DC1, open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then
click Reservations. Ensure that the 172.16.0.10 Webserver reservation displays.
14. Open the DNS console, expand Forward Lookup Zones, and then click Adatum.com. Ensure that a
host record displays for Webserver.
Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAM-
related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP
addresses, DHCP reservations, and DNS records.

4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2 and 20412A-LON-CL1.

L2-11
Module 2: Implementing Advanced File Services

Lab A: Implementing Advanced File Services
Exercise 1: Configuring iSCSI Storage
Task 1: Install the iSCSI target feature
1. Log on to LON-DC1 with username of Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7. On the Select features page, click Next.
9. When the installation completes, click Close.
Task 2: Configure the iSCSI targets

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
iSCSI Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk1, and then click
Next.
6. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, ensure GB is selected in the
drop-down list box, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-DC1, and then click Next.
9. On the Specify access servers page, click Add.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list box, click IP Address, in the Value text box, type 172.16.0.22, and
then click OK.
11. On the Specify access servers page, click Add.
12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list box, click IP Address, in the Value text box, type 131.107.0.2, and
then click OK.
13. On the Specify access servers page, click Next.

14. On the Enable Authentication page, click Next.
L2-12 Module 2: Implementing Advanced File Services
15. On the Confirm selections page, click Create.
16. On the View results page, wait until creation completes, and then click Close.
iSCSI Virtual Disk.
18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk2, and then click
Next.
20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, in the drop-down list box, ensure
GB is selected, and then click Next.
21. On the Assign iSCSI target page, click lon-dc1, and then click Next.
22. On the Confirm selection page, click Create.
iSCSI Virtual Disk.
25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
Next.
27. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box,
ensure GB is selected, and then click Next.

iSCSI Virtual Disk.
Next.
iSCSI Virtual Disk.
Next.
Task 3: Configure MPIO

1. Log on to LON-SVR2 with username of Adatum\Administrator and the password of Pa$$w0rd.
2. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select Routing
and Remote access.
3. In the Enable DirectAccess Wizard, click Cancel, and then click OK on the Confirmation dialog box.
4. Right-click LON-SVR2 and then click Disable Routing and Remote Access. Click Yes and then
close the Routing and Remote Access console.
5. In Server Manager click Add roles and features.
8. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
10. On the Select features page, click Multipath I/O, and then click Next.
12. When installation is complete, click Close.

13. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select iSCSI
Initiator.
14. In the Microsoft iSCSI dialog box, click Yes.

15. In the iSCSI Initiator Properties dialog box, on the Targets tab, in the Target box, type LON-DC1,
and then click Quick Connect. In the Quick Connect box, click Done.
16. Click OK to close the iSCSI Initiator Properties dialog box.
17. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
18. In MPIO Properties dialog box, click the Discover Multi-Paths tab.
19. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to
reboot the computer, click Yes.
20. After the computer restarts, log on to LON-SVR2 with username of Adatum\Administrator and
password of Pa$$w0rd.
21. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
22. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that additional Device
Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.
23. Click OK to close the MPIO Properties dialog box.

Task 4: Connect to and configure the iSCSI targets

1. On LON-SVR2, in Server Manager, on the menu bar, click Tools and then in the Tools drop-down list,
select iSCSI Initiator.
2. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.
3. In the Disconnect From All Sessions dialog box, click Yes.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to
the list of Favorite Targets check box is selected, and then click the Advanced button.
6. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22 and in the Target
Portal IP drop-down list, click 172.16.0.10 / 3260.
7. In the Advanced Settings dialog box, click OK.

8. In the Connect to Target window, click OK.
9. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
10. In Connect to Target window, click Enable multi-path, verify that the Add this connection to the
list of Favorite Targets check box is selected, and then click the Advanced button.
11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2 and in the Target
Portal IP drop-down list, select 131.107.0.1 / 3260.
12. In the Advanced Settings dialog box, click OK.
13. In the Connect to Target window, click OK.
14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.
15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto
Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.
17. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-dc1-target, and then click

Devices.
18. In the Devices dialog box, click the MPIO button.
19. Verify that in Load balance policy, Round Robin is selected. Under This device has the following
paths, notice that two paths are listed. Select the first path and then click the Details button.
20. Note the IP address of the Source and Target portals, and then click OK.
21. Select the second path and then click the Details button.
22. Verify that the Source IP address is of the second network adapter, and then click OK.
23. Click OK to close the Device Details dialog box.
24. Click OK to close the Devices dialog box.
25. Click OK to close the iSCSI Initiator Properties dialog box.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
Exercise 2: Configuring the File Classification Infrastructure

Task 1: Create a classification property for corporate documentation
1. On LON-SVR1, in Server Manager, in the upper-right corner, click Tools, and then click File Server
Resource Manager.
2. In the File Server Resource Manager window, expand Classification Management, select and then
right-click Classification Properties, and then click Create Local Property.
3. In the Create Local Classification Property window, in the Name text box, type Corporate
Documentation, in the Property Type drop-down list box ensure that Yes/No is selected, and then
click OK.
4. Leave the File Server Resource Manager console open.
Task 2: Create a classification rule for corporate documentation

1. In File Server Resource Manager, expand Classification Management, click Classification Rules, and
then in the Actions pane, click Create Classification Rule.
2. In the Create Classification Rule window, on the General tab, in the Rule name text box, type
Corporate Documents Rule, and then ensure that the Enable checkbox is selected.
3. Click the Scope tab, and then click Add.
4. In the Browse For Folder window, expand Allfiles (E:\), expand Labfiles, click Corporate
Documentation, and then click OK.
5. In the Create Classification Rule window, on the Classification tab, in the Classification method
drop-down list box, click Folder Classifier, in the Property-Choose a property to assign to files
drop-down list box, click Corporate Documentation, and then in the Property-Specify a value
drop-down list box, click Yes.
6. Click the Evaluation type tab, click Re-evaluate existing property values, ensure that the
Aggregate the values radio button is selected, and then click OK.
7. In File Server Resource Manager, in the Actions pane, click Run classification with all rules now.
8. In the Run classification window, select the Wait for classification to complete radio button, and
then click OK.
9. Review the Automatic classification report that displays in Windows Internet Explorer, and ensure
that the report lists the same number of classified files as in the Corporate Documentation folder.
Task 3: Create a classification rule that applies to a shared folder

1. In File Server Resource Manager, expand Classification Management, right-click Classification
Properties, and then click Create Local Property.
2. In the Create Local Classification Property window, in the Name text box, type Expiration Date, in
the Property Type drop-down list box, ensure that Date-Time is selected, and then click OK.
3. In File Server Resource Manager, expand Classification Management, click Classification Rules, and
then in the Actions pane, click Create Classification Rule.
4. In the Create Classification Rule window, on the General tab, in the Rule name text box, type
Expiration Rule, and ensure that the Enable check box is selected.

6. In the Browse For Folder window, expand Allfiles (E:\), expand Labfiles, click Corporate
Documentation, and then click OK.
7. Click the Classification tab, in the Classification method drop-down list box, click Folder Classifier,
and then in the Property-Choose a property to assign to files drop-down list box, click Expiration
Date.
8. Click the Evaluation type tab, click Re-evaluate existing property values, ensure that the
Aggregate the values radio button is selected, and then click OK.
9. In File Server Resource Manager, in the Actions pane, click Run classification with all rules now.
10. In the Run classification window, select the Wait for classification to complete radio button, and
then click OK.
11. Review the Automatic classification report that displays in Internet Explorer, and ensure that the
report lists the same number of classified files as in the Corporate Documentation folder.
Task 4: Create a file management task to expire corporate documents

1. In File Server Resource Manager, select and then right-click File Management Tasks, and then click
Create File Management Task.
2. In the Create File Management Task window, on the General tab, in the Task name text box, type
Expired Corporate Documents, and then ensure that the Enable check box is selected.
4. In the Browse For Folder window, select E:\Labfiles\Corporate Documentation, and then click OK.
5. In the Create File Management Task window, on the Action tab, in the Type drop-down list box,
ensure that File expiration is selected, and then in the Expiration directory box, type
E:\Labfiles\Expired.
6. Click the Notification tab, and then click Add.

7. In the Add Notification window, in the Event Log tab, select the Send warning to event log check
box, and then click OK.
8. Click the Condition tab, select the Days since the file was last modified check box, and then in the
same row, replace the default value of 0 with 1.
Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or
more, depending on the companys policy.
9. Click the Schedule tab, ensure that the Weekly radio button is selected, select the Sunday check
box, and then click OK.
10. Leave the File Server Resource Manager open.
Task 5: Verify that corporate documents are expired

1. In File Server Resource Manager, click File Management Tasks, right-click Expired Corporate
Documents, and then click Run File Management Task Now.
2. In the Run File Management Task window, click Wait for the task to complete, and then click OK.
3. Review the File management task report that displays in Internet Explorer, and ensure that report lists
the same number of classified files as in the Corporate Documentation folder.
4. In Server Manager, click Tools, and then click Event Viewer.
5. In the Event Viewer console, expand Windows Logs, and then click Application.
6. Review events with numbers 908 and 909. Notice that 908 FSRM started a file management job,
and 909 FSRM finished a file management job.
Results: After completing this exercise, you will have configured a file classification infrastructure so that
the latest version of the documentation is always available to users.
To prepare for the next lab

When you finish the lab, revert 20417A-LON-SVR2. To do this, complete the following steps.
2. In the Virtual Machines list, right-click 20417A-LON-SVR2, and then click Revert.
Keep all other virtual machines running for the next lab.
Lab B: Implementing BranchCache

Exercise 1: Configuring the Main Office Servers for BranchCache
Task 1: Configure LON-DC1 to use BranchCache
iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
9. Click Close and then close Server Manager.
10. Point to the lower-right corner of the screen, click Search, in the Search text box, type gpedit.msc,
and then press Enter.
11. In the Local Group Policy Editor console, in the navigation pane, under Computer Configuration,
expand Administrative Templates, expand Network, and then click Lanman Server.
12. On the Lanman Server result pane, in the Setting list, right-click Hash Publication for BranchCache,
and then click Edit.
13. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication
actions list, select the Allow hash publication only for shared folders on which BranchCache is
enabled check box, and then click OK.
Task 2: Simulate a slow link to the branch office

1. In the Local Group Policy Editor console, in the navigation pane, under Computer Configuration,
expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
2. In the Policy-based QoS Wizard, on the Create a QoS policy page, in the Policy name text box, type
Limit to 100 Kbps, click the Specify Outbound Throttle Rate check box, and in the Specify
Outbound Throttle Rate text box type 100, and then click Next.
3. On the This QoS policy applies to page, click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6. Close the Local Group Policy Editor.
Task 3: Enable a file share for BranchCache

1. On the taskbar, click the Windows Explorer icon.
2. In the Windows Explorer window, browse to Local Disk (C:).
3. In the Local Disk (C:) window, on the menu, click the Home tab, and then click New Folder.
4. Type Share, and then press Enter.

5. Right-click Share, and then click Properties.
6. In the Share Properties dialog box, on the Sharing tab, click Advanced Sharing.
7. Select the Share this folder check box, and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Share Properties dialog box, click Close.
11. Point to the lower-right corner of the screen, click Search, in the Search text box, type cmd, and then
press Enter.
12. At the command prompt, type the following command, and then press Enter:
Copy C:\windows\system32\write.exe c:\share
13. Close the command prompt.
Task 4: Configure client firewall rules for BranchCache

2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list box, click
Group Policy Management.
3. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration,
expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows
Firewall with Advanced Security.
5. In Windows Firewall with Advanced Security, in the navigation pane, expand Windows Firewall with
Advanced Security, and then click Inbound Rules.
6. In the Group Policy Management Editor, on the Action menu, click New Rule.
7. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined, click BranchCache
Content Retrieval (Uses HTTP), and then click Next.
8. On the Predefined Rules page, click Next.
9. On the Action page, click Finish to create the firewall inbound rule.
10. In the Group Policy Management Editor, in the navigation pane, click Inbound Rules, and then in the
Group Policy Management Editor console, on the Action menu, click New Rule.
11. On the Rule Type page, click Predefined, click BranchCache Peer Discovery (Uses WSD), and
then click Next.
12. On the Predefined Rules page, click Next.
13. On the Action page, click Finish.
14. Close the Group Policy Management Editor and Group Policy Management console.
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
Exercise 2: Configuring the Branch Office Servers for BranchCache

Task 1: Install the BranchCache feature on LON-SVR1
1. On LON-SVR1, in Server Manager, click Add roles and features.

iSCSI Services, and then select the BranchCache for Network Files check box.
7. On the Select features page, click BranchCache, and then click Next.
9. Click Close.
Task 2: Start the BranchCache host server

2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list, click
Active Directory Users and Computers.
3. In Active Directory Users and Computers, right-click Adatum.com, point to New, and then click
Organizational Unit.
4. In the New Object - Organization Unit window, type BranchCacheHost, and then click OK.
5. Click the Computers container.

6. Click LON-SVR1, and then drag it to BranchCacheHost.
7. Click Yes to clear the warning about moving objects.
8. Close Active Directory Users and Computers.
9. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list, click
Group Policy Management.
10. In Group Policy Management, under Domains, expand Adatum.com, right-click BranchCacheHost,
and then click Block Inheritance.
11. On LON-DC1, close all open windows.
12. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd.
14. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Enable-BCHostedServer
RegisterSCP
15. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Get-BCStatus
16. Close Windows PowerShell.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
Exercise 3: Configuring Client Computers for BranchCache

Task 1: Configure client computers to use BranchCache in Hosted Cache mode
1. On LON-DC1, on the taskbar, click Server Manager.
2. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select Group
Policy Management.
3. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration,
expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
5. In the BranchCache results pane, in the Setting list, right-click Turn on BranchCache, and then click
Edit.
6. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
7. In the BranchCache results pane, in the Setting list, right-click Enable Automatic Hosted Cache
Discovery by Service Connection Point, and then click Edit.
8. In the Enable Automatic Hosted Cache Discovery by Service Connection Point dialog box, click
Enabled, and then click OK.
9. In the BranchCache results pane, in the Setting list, right-click Configure BranchCache for network
files, and then click Edit.
10. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the
maximum round trip network latency (milliseconds) after which caching begins text box, type
0, and then click OK. This setting is required to simulate access from a branch office and is not
typically required.
11. Close the Group Policy Management Editor.
12. Close the Group Policy Management Console.
13. Start 20412A-LON-CL1, and log on as Adatum\Administrator with the password Pa$$w0rd.
14. On the Start screen, in the lower-right corner of the screen, click Search, in the Search text box, type
cmd, and then press Enter.
gpupdate /force
netsh branchcache show status all
17. Start 20412A-LON-CL2, and log on as Adatum\Administrator with the password Pa$$w0rd.
18. On the Start screen, in the lower-right corner of the screen, click Search, in the Search text box, type
cmd, and then press Enter.
gpupdate /force
netsh branchcache show status all
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
Exercise 4: Monitoring BranchCache

Task 1: Configure Performance Monitor on LON-SVR1
2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list box, click
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click
Add, and then click OK.
7. On the Change Graph type button, select Report.

2. Point to the lower-right corner of the screen, click Search, in the Search text box, type perfmon, and
then press Enter.
7. Change graph type to Report. Notice that the value of all performance statistics is zero.

2. Point to the lower-right corner of the screen, click Search, in the Search text box, type perfmon, and
then press Enter.
7. Change graph type to Report. Notice that the value for all performance statistics is zero.
Task 4: Test BranchCache in the Hosted Cache mode

3. In Windows Explorer, navigate to \\LON-DC1.adatum.com\Share, and then press Enter.
4. In the Share window, in the Name list, right-click write.exe, and then click Copy.
5. In the Share window, click Minimize.
6. On the desktop, right-click anywhere, and then click Paste.
7. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes
from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes
Served)

10. In the Windows Explorer address bar, type \\LON-DC1.adatum.com\Share, and then press Enter.
11. In the Share window, in the Name list, right-click write.exe, and then click Copy.
12. In the Share window, click Minimize.
13. On the desktop, right-click anywhere, and then click Paste.
14. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
15. Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
Results: At the end of this exercise, you will have verified that BranchCache is working as expected.

following steps.

L3-25
Module 3: Implementing Dynamic Access Control

Lab: Implementing Dynamic Access Control
Exercise 1: Planning the Dynamic Access Control Implementation
Task 1: Plan the Dynamic Access Control deployment
The scenario requires following:
1. Folders that belong to the Research team should be accessible and modifiable only by employees
that belong to the Research team.
2. Files classified with classification High should be accessible only to managers.
3. Managers should access confidential files only from workstations that belong to the ManagersWKS
security group.
You can meet these requirements by implementing claims, resource properties, and file classifications, as
follows:
1. Create the appropriate claims for users and devices. The user claim uses department as the source
attribute, and the device claim uses description as source attribute.
2. Configure the resource property for the research department.

3. Configure central access rules and central access policies to protect the resources. At the same time,
you should configure file classification for confidential documents.
4. Apply a central access policy to folders in which files for the research departments and managers are
located.
5. As a solution for users who receive error messages, you should implement Access Denied Assistance.
Task 2: Prepare AD DS to support Dynamic Access Control

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, right-click Adatum.com, click New, and then
click Organizational Unit.
3. In the New Object Organizational Unit dialog box, in the Name field, type Test, and then click
OK.
4. Click the Computers container.
5. Press and hold the Ctrl key, click the LON-SVR1, LON-CL1, and LON-CL2 computers, right-click, and
then select Move.
6. In the Move window, click Test, and then click OK.
7. Close the Active Directory Users and Computers console.

8. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
9. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
10. Right-click the Managers OU, and then click Block Inheritance. This is to remove the block
inheritance setting used in a later module in the course.
11. Click the Group Policy Objects container.
12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.
L3-26 Module 3: Implementing Dynamic Access Control
Administrative Templates, expand System, and then click KDC.
14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos
armoring.
15. In the KDC support for claims, compound authentication and Kerberos armoring window, select
Enabled, in the Options section, click the drop-down list, select Supported, and then click OK.
16. Close the Group Policy Management Editor console and Group Policy Management Console.
17. On the taskbar, click the Windows PowerShell icon.
18. At the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter.
After Group Policy updates, close the Windows PowerShell window.
19. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
20. Expand Adatum.com, right-click Users, click New, and then click Group.
21. In the Group name field, type ManagersWKS, and then click OK.
22. Click the Test OU.
23. Right-click LON-CL1, and then click Properties.
24. Click the Member Of tab, and then click Add.
25. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK
again.
26. Click the Managers organization unit (OU).
27. Right-click Aidan Delaney, and then select Properties.

28. Click the Organization tab. Ensure that the Department field is populated with the value Managers,
and then click Cancel.
29. Click the Research OU.

30. Right-click Allie Bellew, and select Properties.
31. Click the Organization tab. Ensure that the Department field is populated with the value Research,
and then click Cancel.
Results: After completing this exercise, you will have planned for Dynamic Access Control deployment,
and you will have prepared AD DS for Dynamic Access Control implementation.
Exercise 2: Configuring User and Device Claims

Task 1: Review the default claim types
Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.
3. In the central pane, double-click Claim Types.
4. Verify that there are no default claims defined.
5. In the navigation pane, click Dynamic Access Control, and then double-click Resource Properties.
6. Review the default resource properties. Note that all properties are disabled by default.
7. In the navigation pane, click Dynamic Access Control, and then double-click Resource Property
Lists.
8. In the central pane, right-click Global Resource Property List, and then click Properties.
9. In the Global Resource Property List, in the Resource Properties section, review the available resource
properties, and then click Cancel.
Task 2: Configure claims for users

1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.
2. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
3. In the Create Claim Type window, in the Source Attribute section, select department.
4. In the Display name text box, type Company Department.
5. Select both User and Computer check boxes, and then click OK.
Task 3: Configure claims for devices

1. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.
2. In the Create Claim Type window, in the Source Attribute section, click description.
3. Clear the User check box, select the Computer check box, and then click OK.
Results: After completing this exercise, you will have reviewed the default claim types, configured claims
for users, and configured claims for devices.
Exercise 3: Configuring Resource Property Definitions

Task 1: Configure resource property definitions
1. In the Active Directory Administrative Center, click Dynamic Access Control.
2. In the central pane, double-click Resource Properties.
3. In the Resource Properties list, right-click Department, and then click Enable.
4. In the Resource Properties list, right-click Confidentiality, and then click Enable.
5. In the Global Resource Property List, ensure that both the Department and Confidentiality
properties are enabled.
6. Double-click Department.
7. Scroll down to the Suggested Values section, and then click Add.
8. In the Add a suggested value window, in both Value and Display name text boxes, type Research,
and then click OK two times.
9. Click Dynamic Access Control, and then double-click Resource Property Lists.
10. In the central pane, double-click Global Resource Property List, ensure that both Department and
Confidentiality display and then click Cancel. If they do not display, click Add, add these two
properties, and then click OK.

Task 2: Classify files

1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager console, expand Classification Management.
3. Select and then right-click Classification Properties, and then click Refresh.
4. Verify that Confidentiality and Department properties are listed.
5. Click Classification Rules.
6. In the Actions pane, click Create Classification Rule.
7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.

9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click
OK.
10. Click the Classification tab.

11. Make sure that following settings are set, and then click Configure:
o Classification method: Content Classifier
o Property: Confidentiality
o Value: High
12. In the Classification Parameters dialog box, click the Regular expression drop-down list, and then
click String.
13. In the Expression field (next to the word String,) type secret, and then click OK.
14. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.
15. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
16. Click Wait for classification to complete, and then click OK.
17. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in the Report Totals section.
18. Close the report.
19. Open a Windows Explorer window, and browse to the C:\Docs folder.
20. Right-click Doc1.txt, click Properties, and then click the Classification tab. Verify that
Confidentiality is set to High.
21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1 and Doc2 have the word
secret in their content.
Task 3: Assign properties to a folder

1. On LON-SVR1, open Windows Explorer, and browse to drive C.
2. In drive C, right-click the Research folder, and then click Properties.
3. Click the Classification tab, and then click Department. In the Value section, click Research, click
Apply, and then click OK.
Results: After completing this exercise, you will have configured resource properties for files, classified
files, and assigned properties to a folder.
Exercise 4: Configuring Central Access Rules and Central Access Policies

Task 1: Configure central access rules
Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.
3. In the Tasks pane, click New, and then click Central Access Rule.
4. In the Central Access Rule dialog box, in the Name field, type Department Match.
5. In the Target Resources section, click Edit.
6. In the Central Access Rule dialog box, click Add a condition.

7. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
8. In the Permissions section, click Use following permissions as current permissions.
9. In the Permissions section, click Edit.

10. Remove permission for Administrators.
11. In Advanced Security Settings for Permissions, click Add.
12. In Permission Entry for Permissions, click Select a principal.
13. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.
14. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check boxes.
15. Click Add a condition.
16. Click the Group drop-down list, and then click Company Department.
17. Click the Value drop-down list, and then select Resource.
18. In the last drop-down list, select Department.
Note: You should have this expression as a result: User-Company Department-Equals-

Resource-Department.
19. Click OK three times.
20. In the tasks pane, click New, and then click Central Access Rule.
21. For the name of rule, type Access Confidential Docs.
22. In the Target Resources section, click Edit.
23. In the Central Access Rule window, click Add a condition.
24. In the last drop-down list, click High.
Note: You should have this expression as a result: Resource-Confidentiality-Equals-

Value-High.
25. Click OK.
26. In the Permissions section, click Use following permissions as current permissions.
27. In the Permissions section, click Edit.
28. Remove permission for Administrators.
29. In Advanced Security Settings for Permissions, click Add.
30. In the Permission Entry for Permissions, click Select a principal.
31. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click
Check Names, and then click OK.
32. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check boxes.
33. Click Add a condition.
34. Set the first condition to:

User-Group-Member of each-Value-Managers, and then click Add a condition.
Note: If you cannot find Managers in the last drop-down list, click Add items. Then in the
Select User, Computer, Service Account or Group window, type Managers, click Check Names,
and then click OK.
35. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS.
Note: If you cannot find ManagersWKS in the last drop-down list, click Add items. Then in
the Select User, Computer, Service Account or Group window, type ManagersWKS, click Check
Names, and then click OK.
36. Click OK three times.
Task 2: Create a central access policy

1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.
2. In the tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
Task 3: Publish a central access policy by using Group Policy

2. In the Group Policy Management Console, under Domains, expand Adatum.com, right click Test,
and then click Create a GPO in this domain, and link it here.
3. Type DAC Policy, and then click OK.

4. Right-click DAC Policy, and then click Edit.
5. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
6. Click both Department Match and Protect confidential docs, click Add, and then click OK.
Task 4: Apply the central access policy to resources

2. Type gpupdate /force, and then press Enter.
3. Close the command prompt window.
4. Open Windows Explorer, browse to drive C, right-click the Docs folder, and then click Properties.
5. In the Properties dialog box, click the Security tab, and then click Advanced.
6. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.
7. On the drop-down list, select Protect confidential docs, and then click OK two times.
8. Right-click the Research folder, and then click Properties.
9. In the Properties dialog box, click the Security tab, and then click Advanced.
10. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.
11. In the drop-down list, select Department Match, and then click OK two times.
Task 5: Configure access denied remediation settings

2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.
3. Right-click DAC Policy, and then select Edit.
4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand

System, and then click Access-Denied Assistance.
5. In the right pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box.
9. Review other options but do not make any changes, and then click OK.
10. In the right pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types.
11. Click Enabled, and then click OK.
13. Switch to LON-SVR1, on the taskbar click the Windows PowerShell icon.
14. At the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter.
Results: After completing this exercise, you will have configured central access rules and central access
policies for Dynamic Access Control.
Exercise 5: Validating and Remediating Dynamic Access Control

Task 1: Validate Dynamic Access Control functionality
1. Start and then log on to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
3. In the Windows Explorer address bar, type \\LON-SVR1\Docs, and then press Enter.
4. In the Docs folder, try to open Doc3. You should be able to open that document. Close notepad.
5. In the Windows Explorer address bar, type \\LON-SVR1\Research, and then press Enter. You should
be unable to access folder.
6. Click Request assistance. Review options for sending messages, and then click Close.
7. Log off LON-CL1.
8. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
10. In the Windows Explorer address bar, type \\LON-SVR1\Research, and then press Enter.
11. Verify that you can access this folder and open documents inside, because Allie is a member of the
Research team.

13. Log on to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
15. In the Windows Explorer address bar, type \\LON-SVR1\Docs.
16. Verify that you can access this folder and open all files inside.
18. Start and then log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
19. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon. In the Windows
Explorer address bar, type \\LON-SVR1\Docs. You should be unable to view Doc1 or Doc2, because
the LON-CL2 is not permitted to view secret documents.
Results: After completing this exercise, you will have validated Dynamic Access Control functionality.
Exercise 6: Implementing new resource policies

Task 1: Configure staging for a central access policy
1. On LON-DC1, open Server Manager, click Tools, and then select Group Policy Management.
2. In the Group Policy Management Console, expand Forest:adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy object.
3. Right-click DAC Policy, and then select Edit.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.
5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
6. Double-click Audit File System, select all three check boxes, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management console.
Task 2: Configure staging permissions

1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.
2. In the navigation pane, click Dynamic Access Control.

3. Double-click Central Access Rules.
4. Right-click Department Match, and then select Properties.
5. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
6. Click Authenticated Users, and then click Edit.
7. Change the condition to: User-Company Department-Equals-Value-Marketing, and then click OK.
8. Click OK two more times to close all windows.
9. Switch to LON-SVR1 and open Windows PowerShell.
10. Type gpupdate /force and press Enter.

11. Close Windows PowerShell window.
Task 3: Verify staging

1. Log on to LON-CL1 as Adatum\Adam with the password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon. In the Windows
Explorer address bar, click the yellow icon, and then type \\LON-SVR1\Research.
3. Try to open the Research folder and its files. You will not be able to open it.
5. Open Server Manager, click Tools, and then select Event Viewer.
6. Expand Windows Logs, and then navigate to Security Log.
7. Look for Events with ID 4818.
8. Read the content of these logs.
Task 4: Use effective permissions to test Dynamic Access Control

1. On LON-SVR1, open Windows Explorer.
2. In the Windows Explorer window, navigate to C:\Research, right-click Research, and then click
Properties.
3. In the Properties dialog box, click the Security tab, click Advanced, and then click Effective Access.
4. Click select a user.
5. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and
then click OK.
6. Click View effective access.
7. Review the results. The user April should not have access to this folder.
8. Click Include a user claim.
9. On the drop-down list, click Company Department.
10. In the Value text box, type Research.
11. Click View Effective access. The user should now have access.
12. Close all open windows.
Results: After completing this exercise, you will have implemented new resource policies.


L4-35
Module 4: Implementing Network Load Balancing

Lab: Implementing Network Load Balancing
Exercise 1: Implementing an NLB Cluster
Task 1: Verify website functionality for standalone servers
1. On LON-SVR1, on the taskbar, click the Windows Explorer icon.
2. Navigate to the folder c:\inetpub\wwwroot.
3. Double-click the file iis-8.png. This will open the file in Microsoft Paint.
4. Ensure that the Paint Brush tool is selected, and then in the palette, click the color Red.
5. Use the mouse to mark the IIS Logo distinctively, using the color red.
6. Save the changes that you made to iis-8.png, and then close Microsoft Paint.
9. Click to the Start screen.
10. Click the Internet Explorer icon.
11. In the Internet Explorer address bar, type the address http://LON-SVR1 and then press Enter. Verify
that the web page displays the IIS logo with the distinctive color red mark that you added.
12. In the Internet Explorer address bar, enter the address http://LON-SVR2 and then press Enter. Verify
that the web page does not display the marked IIS logo.
Task 2: Install the Windows Network Load Balancing feature

2. In the Server Manager console, click the Tools menu, and then click Windows PowerShell ISE.
3. In the blue PowerShell ISE window, enter the following command and then press Enter:
Invoke-Command -Computername LON-SVR1,LON-SVR2 -command {Install-WindowsFeature

NLB,RSAT-NLB}
Task 3: Create a new Windows Server 2012 NLB cluster

1. On LON-SVR1, in the Windows PowerShell ISE window, type the following command, and then press
Enter:
New-NlbCluster -InterfaceName "Local Area Connection" -OperationMode Multicast -

ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB
2. In the Windows PowerShell ISE window, type the following command, and then press Enter:
Invoke-Command -Computername LON-DC1 -command {Add-DNSServerResourceRecordA

zonename adatum.com name LON-NLB Ipv4Address 172.16.0.42}
L4-36 Module 4: Implementing Network Load Balancing
Task 4: Add a second host to the cluster

On LON-SVR1, in the Windows PowerShell ISE window, type the following command and then press
Enter:
Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName "LON-SVR2" -

NewNodeInterface "Local Area Connection"
Task 5: Validate the NLB cluster

1. On LON-SVR1, in the Server Manager Console, click the Tools menu, and then click Network Load
Balancing Manager.
2. In the Network Load Balancing Manager, verify that nodes LON-SVR1 and LON-SVR2 display with the
status of Converged for the LON-NLB cluster.
3. Right-click the LON-NLB cluster, and then click Cluster properties.
4. On the Cluster Parameters tab, verify that the cluster is set to use the Multicast operations mode.
5. On the Port Rules tab, verify that there is a single port rule named All that starts at port 0 and ends
at port 65535 for both TCP and UDP protocols, and that it uses Single affinity.
Results: After this exercise, you should have successfully implemented an NLB cluster.
Exercise 2: Configuring and Managing the NLB Cluster

Task 1: Configure port rules and affinity
2. In Windows PowerShell, type each of the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Exit
New-Website Name PortTest PhysicalPath C:\porttest Port 5678
New-NetFirewallRule DisplayName PortTest Protocol TCP LocalPort 5678
4. Click drive C, double-click the porttest folder, and then double-click iis-8.png. This will open
Microsoft Paint.
5. Select the color blue from the palette.
6. Use the Blue paintbrush to mark the IIS Logo in a distinctive manner.
7. Save the changes to iis-8.png, and then close Microsoft Paint.
9. Click to the Start screen.
10. On the Start screen, click the Internet Explorer icon.
11. In the Internet Explorer address bar, type http://LON-SVR2:5678 and then press Enter.
12. Verify that the IIS Start page with the IIS logo distinctively marked with blue displays in Internet
Explorer.
14. On LON-SVR1, switch to Network Load Balancing Manager.

15. In the Network Load Balancing Manager, right click LON-NLB, and then click Cluster Properties.
16. In the Cluster Properties dialog box, on the Port Rules tab, select the All port rule, and then click
Remove.
17. On the Port Rules tab, click Add.
18. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Protocols: Both
o Affinity: None
19. Click OK.
20. On the Port Rules tab, click Add.
21. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Protocols: Both

L4-38 Module 4: Implementing Network Load Balancing
23. In the Network Load Balancing Manager, right click LON-SVR1, and then click Host Properties.
24. In the Port Rules tab, click the port rule that has 5678 as the Start and End value, and then click Edit.
25. Click the Handling priority value, and change it to 10.
26. Click OK twice to close both the Add/Edit Port Rule dialog box and the Host Properties dialog box.
Task 2: Validate port rules

2. Switch to the Start screen.
3. On the Start screen, click the Internet Explorer icon.

4. In the Internet Explorer address bar, type http://lon-nlb, and then press Enter.
5. Click the Refresh icon 20 times. Verify that you see web pages with and without the distinctive red
marking.
6. On LON-DC1, verify that you have Internet Explorer open.
7. In the address bar, enter the address http://LON-NLB:5678, and press Enter.
8. In the address bar, click the Refresh icon 20 times. Verify that you are able to view only the web page
with the distinctive blue marking.
Task 3: Manage host availability in the NLB Cluster

2. Select the Network Load Balancing Manager.

3. Right-click LON-SVR1, click Control Host, and then click Suspend.
4. Click the LON-NLB node. Verify that node LON-SVR1 displays as Suspended, and that node
LON-SVR2 displays as Converged.
5. Right-click LON-SVR1, click Control Host, and then click Resume.
6. Right-click LON-SVR1, click Control Host, and then click Start.
7. Click the LON-NLB node. Verify that both nodes LON-SVR1 and LON-SVR2 now display as
Converged. You may have to refresh the view.
Results: After this exercise, you should have successfully configured and managed an NLB cluster.
Exercise 3: Validating High Availability for the NLB Cluster

Task 1: Validate website availability when the host is unavailable
2. Type the following command, and then press Enter:
Shutdown /r /t 5
4. On LON-DC1, open Internet Explorer.
5. In the Internet Explorer address bar, type the address http://LON-NLB, and then press Enter.
6. Refresh the website 20 times. Verify that the website is available while LON-SVR1 reboots, but that it
does not display the distinctive red mark on the IIS logo until LON-SVR1 has completed the reboot
cycle.
Task 2: Configure and validate Drainstop

1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$word.
2. In Server Manager, click the Tools menu, and then click Network Load Balancing Manager.
3. In the Network Load Balancing Manager console, right-click LON-SVR2, click Control Host, and then
click Drainstop.
5. In Internet Explorer, in the address bar, type http://lon-nlb, and then press Enter.
6. Refresh the site 20 times, and verify that only the welcome page with the red IIS logo displays.
Results: After this exercise, you should have successfully validated high availability for the NLB cluster.

4. Repeat steps 2 and 3 for 20412-LON-SVR1, and 20412-LON-SVR2.

L5-41
Module 5: Implementing Failover Clustering

Lab: Implementing Failover Clustering
Exercise 1: Configuring a Failover Cluster
Task 1: Connect cluster nodes to the iSCSI targets
1. On LON-SVR3, in Server Manager, click Tools, and then click iSCSI Initiator.
3. Click the Discovery tab.
4. Click Discover Portal.
5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
6. Click the Targets tab.
7. Click Refresh.
8. In the Targets list, select iqn.1991-05.com.microsoft:LON-SVR1-target1-target, and then click

Connect.
9. Select Add this connection to the list of Favorite Targets, and then click OK two times.
10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
15. Click the Targets tab.
16. Click Refresh.
17. In the Targets list, select iqn.1991-05.com.microsoft:LON-SVR1-target1-target, and then click

Connect.
18. Select Add this connection to the list of Favorite Targets, and then click OK two times.
19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.
20. Expand Storage, and then click Disk Management.
21. Right-click Disk 1, and then click Online.
22. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
24. On the Welcome page, click Next.
25. On the Specify Volume Size page, click Next.
26. On the Assign Drive Letter or Path page, click Next.
27. On the Format Partition page, in the Volume Label box, type Data. Select the Perform a quick
format check box, and then click Next.
28. Click Finish. (Note: If the Microsoft Windows window pops up with prompt to format the disk, click
Cancel.)
L5-42 Module 5: Implementing Failover Clustering
29. Repeat steps 21 through 28 for Disk 2 and Disk 3. (Note: Use Data2 and Data3 for Volume Labels).
30. Close the Computer Management window.
31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.
33. Right-click Disk Management, and then click Refresh.

37. Close the Computer Management window.
Task 2: Install the failover clustering feature

1. On LON-SVR3, in Server Manager, click Add roles and features.
2. On the Before you begin page, click Next.

6. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for Failover Clustering? window, click Add Features. Click Next.
9. Repeat steps 1 through 8 on LON-SVR4.
Task 3: Validate the servers for failover clustering

1. On LON-SVR3, in the Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Actions pane of the Failover Cluster Manager, click Validate Configuration.
3. In the Validate a Configuration Wizard, click Next.
4. In the Enter Name box, type LON-SVR3, and then click Add.
5. In the Enter Name box, type LON-SVR4.
6. Click Add, and then click Next.
7. Verify that Run all tests (recommended) is selected, and then click Next.
8. On the Confirmation page, click Next.
9. Wait for the validation tests to finish (it might take up to 5 minutes), and then on the Summary page,
click View Report.
10. Verify that all tests completed without errors. Some warnings are expected.
12. On the Summary page, remove the check mark next to Create the cluster now using the validated
nodes, click Finish.
Task 4: Create the failover cluster

1. On LON-SVR3, in Failover Cluster Manager, in the center pane, under Management, click Create
Cluster.
2. In the Create Cluster Wizard on the Before You Begin page, read the information.
3. Click Next, in the Enter server name box, type LON-SVR3, and then click Add. Type LON-SVR4,
and then click Add.
4. Verify the entries, and then click Next.
5. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1.
6. Under Address, type 172.16.0.125, and then click Next.
7. In the Confirmation dialog box, verify the information, and then click Next.
8. On the Summary page, click Finish to return to the Failover Cluster Manager.
Task 5: Configure Cluster Shared Volumes

1. On LON-SVR3, in the Failover Cluster Manager console, expand cluster1.Adatum.com, and then
expand Storage, and click Disk.
2. In the right pane, locate a disk that is assigned to Available Storage (you can see this is in Assigned
To column). Right-click that disk, and select the Add to Cluster Shared Volumes option. (If possible
use Cluster Disk 2).
3. Make sure that disk is assigned to Cluster Shared Volume.
Results: After this exercise, you will have installed and configured the failover clustering feature.
Exercise 2: Deploying and Configuring a Highly Available File Server

Task 1: Add the File Server application to the failover cluster
1. On LON-SVR3, in Server Manager, click Dashboard and then click Add roles and features.
2. On the before your begin page click Next.
3. On the Select installation type page click Next.
4. On the Select destination server page click Next.
5. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI services and select File Server.
6. Click Next two times.
7. On the Confirmation page, click Install.
8. When installation succeeded message appears click Close.
9. Repeat steps 1-8 on LON-SVR4.
10. On LON-SVR3, open the Failover Cluster Manager, and then expand Cluster1.Adatum.com.
11. Right-click Roles, and then click Configure Role.
12. On the Before You Begin page, click Next.
13. On the Select Role page, select File Server, and then click Next.
14. On the File Server Type page, click Scale-Out File Server for application data, and then click Next.
15. On the Client Access Point page, in the Client Access Name box, type AdatumFS, and then click
Next.
17. On the Summary page, click Finish.
Task 2: Add a shared folder to a highly available file server

1. On LON-SVR3, in the Failover Cluster Manager, click Roles, right-click AdatumFS, and then click Add
File Share.
2. In the New Share Wizard, on the Select the profile for this share page, click SMB Share Quick,
3. On the Select the server and the path for this share page, click Select by volume, and then click
Next.
4. On the Specify share name page, in the Share name box, type Data, and then click Next.
5. On the Configure share settings page, verify that Enable continuous availability is selected, and
then click Next.
6. On the Specify permissions to control access page, click Next.

7. On the Confirmation page, click Create.
8. On the View results page, click Close.
Task 3: Configure failover and failback settings

1. On LON-SVR3, in the Failover Cluster Manager, click Roles, right-click AdatumFS, and then click
Properties.
2. Click the Failover tab and then click Allow failback.
3. Click Failback between, and set values to 4 and 5 hours.

4. Click the General tab.
5. Select both LON-SVR3 and LON-SVR4 as preferred owners.
6. Move LON-SVR4 up.
7. Click OK.
Task 4: Validate cluster quorum settings

1. Open the Failover Cluster Manager console.
2. In the Failover Cluster Manager console, click Cluster1.Adatum.com.

3. In the central pane, review the value for Quorum Configuration. It should be set to Node and Disk
Majority.
Results: After this exercise, you will have deployed and configured a highly available file server.
Exercise 3: Validating the Deployment of the Highly Available File Server

Task 1: Validate the highly available file server deployment
1. On LON-DC1, open Windows Explorer, and in the Address bar, type \\AdatumFS\, and then press
Enter.
2. Verify that you can access the location and that you can open the Data folder. Create a test text
document inside this folder.
3. On LON-SVR3, open the Failover Cluster Manager.
4. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS.
Note: You can view the owner in the Owner node column. It will be either LON-SVR3 or
LON-SVR4.
5. Right-click AdatumFS, and then click Move, and then click Select Node.
6. In the Move Clustered Role dialog box, click OK.

7. Verify that AdatumFS has moved to a new owner.
8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the file server role
1. On LON-SVR3, in the Failover Cluster Manager, click Roles.
2. Verify the current owner for the AdatumFS role.
Note: You can view the owner in the Owner node column, which will be either LON-SVR3
or LON-SVR4.
3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.
4. Right-click the node, click More Actions, and then click Stop Cluster Service. In the Stop Cluster
Service dialog box, click Yes.
5. Verify that AdatumFS has moved to another node. To do this, click the other node, and verify that
AdatumFS is running.
6. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
7. Switch to the LON-SVR3 computer. In the Failover Cluster Manager, right-click the stopped node,
click More Actions, and then click Start Cluster Service.
8. Expand Storage and then click Disks. In the center pane, right-click the disk that is assigned to Disk
Witness in.
Note: You can view can view this in the Assigned to column.
9. Click Take Offline, and then click Yes.
10. Switch to LON-DC1, and verify that you can still access the \\AdatumFS\ location. By doing this, you
verify that the cluster is still running, even if the witness disk is offline.
11. Switch to LON-SVR3, and in the Failover Cluster Manager console, click Storage, right-click the disk
that is in Offline status, and then click Bring Online.
Results: After this exercise, you will have tested the failover and failback scenarios.
Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster

Task 1: Configure Cluster-Aware Updating
1. On LON-DC1, in Server Manager, click Add roles and features.
2. In the Add roles and features Wizard, on the Before you begin page, click Next.


6. On the Select features page, in the list of features, click Failover Clustering. In Add features that
are required for Failover Clustering? dialog box, click Add Features. Click Next.
9. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
10. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1. Click Connect.
11. In the Cluster Actions pane, click Preview updates for this cluster.
12. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes,
updates will be shown in the list. Review updates and then click Close.
Note: An Internet connection is required for this step to complete successfully. Make sure
that MSL-TMG1 server is up and running and that you can access Internet from LON-DC1.
Task 2: Update the failover cluster and configure self-updating

1. On LON-DC1, in the Cluster-Aware Updating console, click Apply updates to this cluster.
2. On the Getting Started page, click Next.

3. On the Advanced options page, review the options for updating, and then click Next.
4. On the Additional Update Options page, click Next.
5. On the Confirmation page, click Update, and then click Close.
6. In the Cluster nodes pane, you can review the progress of updating.
Note: Remember that one node of the cluster is in Waiting state and the other node is
restarting after it is updated.
7. Wait until the process is finished. Process is finished when both nodes have Succeeded in Last Run
status column.
Note: This may require a restart of both the nodes.
8. Log on to LON-SVR3 with the username as Adatum\Administrator and password as Pa$$w0rd.

9. On LON-SVR3, in the Server Manager, click Tools, and then click Cluster-Aware Updating.
10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list,
select Cluster1. Click Connect.
11. Click the Configure cluster self-updating options in the Cluster Actions pane.
12. On the Getting Started page, click Next.

13. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.
14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM,
and then in the Day of the week box, select Sunday. Click Next.
15. On the Advanced Options page, click Next.
16. On the Additional Update Options page, click Next.
17. On the Confirmation page, click Apply.
18. After the clustered role is added successfully, click Close.
Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.

4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR3, 20412A-LON-SVR4 and

MSL-TMG1.
L6-49
Module 6: Implementing Failover Clustering with Hyper-V

Lab: Implementing Failover Clustering with
Hyper-V
Exercise 1: Configuring Hyper-V Replicas
Task 1: Boot the physical host machines from VHD
1. Restart the classroom computer, and in the Windows Boot Manager, select either
20412A-LON-HOST1 or 20412A-LON-HOST2.
Note: If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server as Adatum\Administrator with password Pa$$w0rd.
3. On LON-HOST1, from Server Manager, click Tools, and then click Hyper-V manager.
4. Ensure that virtual machine 20412A-LON-DC1 is running.
5. Repeat steps 3 and 4 on LON-HOST2, and ensure that virtual machine 20412A-LON-SVR1 is running.
Task 2: Import the LON-CORE virtual machine on LON-HOST1

1. On LON-HOST1, open the Hyper-V Manager console.
2. In the Actions pane, click Import Virtual Machine.
3. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.
4. On the Locate Folder page, click Browse.

5. Browse to folder E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE, click
Select Folder, and then click Next.
Note: The drive letter may differ based on the number of drives on the physical host
machine.
6. On the Select Virtual Machine page, click 20412A-LON-CORE, and then click Next.
7. On the Choose Import Type page, click Next.
Task 3: Configure a replica on both host machines

1. On LON-HOST2, open the Microsoft Hyper-V Manager console.
2. In Hyper-V Manager, right-click LON-HOST2, and then click Hyper-V Settings.
3. In Hyper-V Settings for LON-HOST2, click Replication Configuration.
4. In the Replication Configuration pane, click Enable this computer as a Replica server.
5. In the Authentication and ports section, select Use Kerberos (HTTP).
6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.
L6-50 Module 6: Implementing Failover Clustering with Hyper-V
7. Click Computer, double-click Local Disk (E), click New folder, in the Name text box, type
VMReplica, and then press Enter.
8. Select the E:\VMReplica\ folder, and then click Select Folder.
9. In Hyper-V Settings for LON-HOST2, click OK.
10. In the Settings dialog box, read the notice, and then click OK.
11. Point to the lower left-hand corner of the desktop, and then click Settings.
12. Click Control Panel, click System and Security, and then click Windows Firewall.
13. Click Advanced settings.
14. In Windows Firewall with Advanced Security, click Inbound Rules.
15. In the right pane, in the rule list, find the rule named Hyper-V Replica HTTP Listener (TCP-In).
Right-click the rule, and then click Enable Rule.
16. Close the Windows Firewall with Advanced Security console, and then close Windows Firewall.
Task 4: Configure replication for the LON-CORE virtual machine

1. On LON-HOST1, open Hyper-V Manager, click LON-HOST1, right-click 20412A-LON-CORE, and
then click Enable Replication.
3. On the Specify Replica Server page, click Browse.

4. In the Select Computer window, type LON-HOST2, click Check Names, click OK, and then click
Next.
5. On the Specify Connection Parameters page, review settings, ensure that Use Kerberos
authentication (HTTP) is selected, and then click Next.
6. On the Choose Replication VHDs page, ensure that 20412A-LON-CORE.vhd is selected, and then
click Next.
7. On the Configure Recovery History page, select Only the latest recovery point, and then click
Next.
8. On the Choose Initial Replication Method page, click Send initial copy over the network, select
Start replication immediately, and then click Next.
9. On the Completing the Enable Replication Wizard page, click Finish.
10. Wait 10-15 minutes. In the Hyper-V Manager console, you can monitor the progress of the initial
replication in the Status column.
11. When replication completes, ensure that 20412A-LON-CORE appears on LON-HOST2 in Hyper-V
Manager.
Task 5: Validate a planned failover to the replica site

1. On LON-HOST2, in Hyper-V Manager, right-click 20412A-LON-CORE, select Replication, and then
click View Replication Health.
2. Review the content in the window that appears, ensure that there are no errors, and then click Close.
3. On LON-HOST1, open Hyper-V Manager, and verify that 20412A-LON-CORE is turned off.
4. Right-click 20412A-LON-CORE, select Replication, and then click Planned Failover.

5. In the Planned Failover window, ensure that Start the Replica virtual machine after failover is
selected, and then click Fail Over.
6. In the Planned Failover window, click Close.
7. On LON-HOST2, in Hyper-V Manager, ensure that 20412A-LON-CORE is running.
8. On LON-HOST1, right-click 20412A-LON-CORE, point to Replication, and then click Remove

replication.
9. In the Remove replication dialog box, click Remove Replication.
10. On LON-HOST2, right-click 20412A-LON-CORE, and then click Shut Down.
11. In the Shut Down Machine dialog box, click Shut Down.
Results: After completing this exercise, you will have configured a Hyper-V Replica.
Exercise 2: Configuring a Failover Cluster for Hyper-V

Task 1: Connect to the iSCSI target from both host machines
1. On LON-HOST1, from the taskbar, click the Server Manager icon to open Server Manager, click
Tools, click iSCSI Initiator, and then at the Microsoft iSCSI prompt, click Yes.
5. Click the Targets tab, and then click Refresh.
6. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click

Connect.
7. Select Add this connection to the list of Favorite Targets, and then click OK twice.
8. On LON-HOST2, from the taskbar, click the Server Manager icon to open Server Manager, click
Tools, and then click iSCSI Initiator.
10. Click the Discovery tab, and then click Discover Portal.
12. Click the Targets tab, and then click Refresh.
13. In the Discovered targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and

then click Connect.
14. Select Add this connection to the list of Favorite Targets, and then click OK twice.
15. On LON-HOST2, in Server Manager, click Tools, and then click Computer Management.
16. Expand Storage, click Disk Management, right-click Disk 2, and then click Online.
17. Right-click Disk 2 again, and then click Initialize Disk.
18. In the Initialize Disk dialog box, click OK.
19. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.
20. On the Welcome page, click Next.

21. On the Specify Volume Size page, click Next.
22. On the Assign Drive Letter or Path page, click Next.
23. On the Format Partition page, in the Volume label box, type ClusterDisk, select the Perform a
quick format check box, and then click Next.
24. Click Finish.

25. Repeat steps 17 through 24 for Disk 3 and Disk 4. In step 23, provide the name ClusterVMs for
Disk 3, and the name Quorum for Disk 4.
26. On LON-HOST1, in Server Manager, click Tools, and then click Computer Management.
28. Right-click Disk Management, and then click Refresh.

Task 2: Configure failover clustering on both host machines

1. On LON-HOST1, on the taskbar, click the Server Manager icon to open Server Manager.
2. From the Dashboard, click Add roles and features.

7. On the Select features page, in the Features list, click Failover Clustering.
8. At the Add features that are required for failover clustering prompt, click Add Features, and
then click Next.
10. When installation completes, click Close.
11. Repeat steps 1 through 10 on LON-HOST2.

12. On LON-HOST1, in Server Manager, click Tools, and then click Failover Cluster Manager.
13. In the Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
14. In the Create Cluster Wizard, on the Before You Begin page, read the information, and then click
Next.
15. On the Select Servers page, in the Enter server name box, type LON-HOST1, and then click Add.
16. In the Enter server name box, type LON-HOST2, and then click Add.
17. Verify the entries, and then click Next.
18. On the Validation Warning page, click No. I dont require support from Microsoft for this
cluster, and then click Next.
19. In the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.
20. In the IP address name box, under Address, type 172.16.0.126, and then click Next.
21. In the Confirmation dialog box, verify the information, clear the Add all eligible storage to the
cluster check box, and then click Next.
22. On the Summary page, and then click Finish.
Task 3: Configure disks for the failover cluster

1. On LON-HOST1, in the Failover Cluster Manager, expand VMCluster.Adatum.com, expand Storage,
right-click Disks, and then click Add Disk.
2. In the Add Disks to a Cluster dialog box, verify that all disks are selected, and then click OK.
3. In the Failover Cluster Manager, verify that all disks appear available for cluster storage.
4. Select the ClusterVMs disk, right-click ClusterVMs, and then select Add to Cluster Shared
Volumes.
5. Right-click VMCluster.adatum.com, select More Actions, click Configure Cluster Quorum

Settings, and then click Next.
6. On the Select Quorum Configuration Option page, click Use typical settings, and then click Next.
Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.
Exercise 3: Configuring a Highly Available Virtual Machine

Task 1: Move virtual machine storage to the iSCSI target
1. In the Failover Cluster Manager, verify that LON-HOST1 is the owner of the ClusterVMs disk. If it is
not, move the ClusterVMs disk to LON-HOST1.
2. On LON-HOST1, open a Windows Explorer window, and browse to E:\Program Files

\Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks.
3. Move the 20412A-LON-CORE.vhd virtual hard drive file to the C:\ClusterStorage\Volume1

location.
Task 2: Configure the virtual machine as highly available

1. On LON-HOST1, in the Failover Cluster Manager, click Roles and then in the Actions pane, click
Virtual Machines.
2. Click New Virtual Machine.
3. Select LON-HOST1, and then click OK.
4. In the New Virtual Machine Wizard, click Next.
5. On the Specify Name and Location page, in the Name text box, type TestClusterVM, click Store
the virtual machine in a different location, and then click Browse.
6. Browse to and select C:\ClusterStorage\Volume1, click Select Folder, and then click Next.
7. On the Assign Memory page, type 1536, and then click Next.
8. On the Configure Networking page, click select External Network, and then click Next.
9. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click
Browse.
10. Browse to C:\ClusterStorage\Volume1, click 20412A-LON-CORE.vhd, and then click Open.
11. Click Next, and then click Finish.
12. In the High Availability Wizard, on the Summary page, click Finish.
13. In Failover Cluster Manager, from the Roles node, right-click the TestClusterVM, and then click Start.
14. Ensure that the machine starts successfully.
Task 3: Perform live migration for the virtual machine

1. On LON-HOST1, open the Failover Cluster Manager., expand VMCluster.Adatum.com, and then
click Roles.
2. Right-click TestClusterVM, click Move, click Live Migration, and then click Select Node.
3. Click LON-HOST2, and then click OK.
4. Right-click TestClusterVM, and then click Connect.
5. Ensure that you can access and operate the virtual machine while it is migrating to another host.
6. Wait until migration completes.
Task 4: Perform storage migration for the virtual machine

1. On LON-HOST2, open Hyper-V Manager.
2. In the central pane, click 20412A-LON-SVR1-B.

3. In the Actions pane, click Move.
5. On the Choose Move Type page, click Move the virtual machine's storage, and then click Next.
6. On the Choose Options for Moving Storage page, click Move all of the virtual machines data to
a single location, and then click Next.
7. On the Choose a new location for virtual machine page, click Browse.
8. Browse to C:\, create a new folder called LON-SVR1, click Select Folder, and then click Next.
9. On the Summary page, click Finish. While the virtual machine is migrating, connect to it and verify
that it is fully operational.
10. After the move process completes, click Close.
11. Shut down all running virtual machines.
Results: After completing this exercise, you will have configured a highly available virtual machine.
To prepare for next module

1. Restart LON-HOST1.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
3. Log on to the host machine as directed by your instructor.

L7-55
Module 7: Implementing Disaster Recovery

Lab: Implementing Windows Server Backup
and Restore
Exercise 1: Backing Up Data on a Windows Server 2012 Server
Task 1: Install Windows Server Backup
1. Switch on LON-SVR1.
2. In Server Manager, in the Welcome pane, click Add roles and features.

7. On the Select features page, select Windows Server Backup, and then click Next.

9. On the Installation progress page, wait until the Installation succeeded on LON-
SVR1.adatum.com message displays, and then click Close.
Task 2: Configure a scheduled backup

1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2. In the navigation pane, click Local Backup.
3. Click Backup Schedule.
4. In the Backup Schedule Wizard, on the Getting Started page, click Next.
5. On the Select Backup Configuration page, click Full server (recommended), and then click Next.
6. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
7. On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.
8. On the Specify Remote Shared Folder page, in the Location text box, type \\LON-DC1\Backup,
9. In the Register Backup Schedule dialog box, in the Username text box, type Administrator, in the
Password text box, type Pa$$w0rd, and then click OK.
10. Click Finish, and then click Close.
Task 3: Complete an on-demand backup

1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2. In the Actions pane, click Backup Once.
3. In the Backup Once Wizard, on the Backup Options page, click Different options, and then click
Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
5. On the Select Items for Backup page, click Add Items.

L7-56 Module 7: Implementing Disaster Recovery
6. Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.
7. On the Specify Destination Type page, click Remote shared folder, and then click Next.
8. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, after the backup is complete, click Close.
Results: After completing this exercise, you will have configured the Windows Server Backup feature,
scheduled a backup task, and completed an on-demand backup.
Exercise 2: Restoring Files Using Windows Server Backup

Task 1: Delete a file from the server
1. On LON-SVR1, on the task bar, click Windows Explorer.
2. In Windows Explorer, browse to Local Disk (C:), right-click Financial Data, and then click Delete.
Task 2: Restore a file from backup

1. In the Windows Server Backup console, in the Actions pane, click Recover.
2. On the Getting Started page, click A backup stored on another location, and then click Next.
3. On the Specify Location Type page, click Remote shared folder, and then click Next.
4. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
5. On the Select Backup Date page, click Next.
6. On the Select Recovery Type page, click Next.
7. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:), and on the right
pane, select Financial Data, and then click Next.
8. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
9. On the Confirmation page, click Recover.
10. On the Recovery Progress page, click Close.
11. Open drive C:\, and ensure that the Financial Data folder is restored.
Results: After completing this exercise, you will have tested and validated the procedure for restoring a
file from backup
Exercise 3: Implementing Microsoft Online Backup and Restore

Task 1: Install the Microsoft Online Backup Service component
1. On LON-SVR1, on the taskbar, click the Windows Explorer icon.
2. In Allfiles (E:), in the details pane, double-click OBSInstaller.exe, and then click Run.
3. In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service
Agreement terms and conditions, and then click OK.
4. On the Prerequisites Check page, click Next.

5. On the Installation Settings page, specify the settings (if not default), and then click Next:
o Installation Folder: C:\Program Files
o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
6. On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then
click Install.
7. On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has
completed successfully message displays, clear the Check for newer updates check box, and then
click Finish.
8. On LON-SVR1, click Start, and then click Microsoft Online Backup Service.
9. On LON-SVR1, click Start, and then click Microsoft Online Backup Service Shell.
Task 2: Register the server with Microsoft Online Backup Service

Before you register the server, you must rename LON-SVR1 to YOURCITYNAME-YOURNAME. For
example, NEWYORK-ALICE. This is because you will perform this exercise online, and therefore the
computer names used in this lab should be unique. If there is more than one student in the classroom
with a same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
1. In the Server Manager window, on the Welcome to Server Manager page, click 1. Configure this
local server.
2. In the Server Manager window, on the Local Server page, click LON-SVR1.
3. In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-
YOURNAME, click OK twice, and then click Close.
4. In a window that displays the message that you should restart your computer, click Restart Now.
5. Wait until YOURCITYNAME-YOURNAME has restarted, and then log on as Adatum\Administrator

with the password Pa$$w0rd.
6. Start the Microsoft Online Backup Service console, and then click Register Server.
7. In the Register Server Wizard, on the Account Credentials page, in the Username box, type
holuser@onlinebackupservice.onmicrosoft.com, in the Password box, type Pa$$w0rd, and then
click Next.
Note: In a real-life scenario, you would type the username and password of your Microsoft
Online Backup Service subscription account.
8. On the Proxy Configuration page, click Next.
9. On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type
Pa$$w0rdPa$$w0rd, and then click Register.
10. On the Server Registration page, ensure that the Microsoft Online Backup Service is now
available for this server message displays, and then click Close.
Task 3: Configure an online backup and start a backup

1. Switch to the Microsoft Online Backup Service console, and then click Schedule Backup.
2. On the Getting started page, click Next.
3. On the Select Items to back up page, click Add Items.
4. In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.
L7-58 Module 7: Implementing Disaster Recovery
5. On the Specify Backup Time page, select Saturday, click 1:00 AM, click Add, and then click Next.
6. On the Specify Retention Setting page, accept the default settings, and then click Next.
7. On the Confirmation page, click Finish.
8. On the Modify Backup Progress page, click Close.
9. In the Microsoft Online Backup Service console, click Back Up Now.
10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.
11. On the Backup progress page, wait until Backup is successfully completed message displays, and
then click Close.
Task 4: Restore files using the online backup

1. On LON-SVR1, on the taskbar, click the Windows Explorer icon, and then in the Windows Explorer
navigation pane, click Local Disk (C:).
2. In the Local Disk (C:) window, right-click Financial Data, and then click Delete.
3. Switch to the Microsoft Online Backup Service console, and then click Recover Data.
4. In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.
5. On the Select Recovery Mode page, select Browse for files, and then click Next.
6. On the Select Volume and Date page, in the Select the volume drop-down list box, select C:\. In
the calendar, click the date when you performed the backup, in the Time drop-down list, click the
time when you performed backup, and then click Next.
7. On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click
Next.
8. On the Specify Recovery Options page, select Original location and Create copies so that you
have both versions, and then click Next.
9. On the Confirmation page, click Recover.
10. On the Recovery Progress page, ensure that File(s) recovery job succeeded status message
displays, and then click Close.
11. In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive
C.
Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console, and then click Unregister Server.
2. On the Getting started page, click Unregister this server, and then click Next.
3. On the Account Credentials page, provide the following credentials:

4. Click Unregister.
5. On the Server Unregistration page, click Close.

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.


4. Repeat steps 2 and 3 for 20412A-LON-SVR1, and MSL-TMG1.
L8-61
Module 8: Implementing Distributed Active Directory

Domain Services Deployments
Lab: Implementing Complex AD DS
Deployments
Exercise 1: Implementing Child Domains in AD DS
Task 1: Configure Domain Name System (DNS) for domain delegation
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, select and then right-click
Adatum.com, and then click New Delegation.
3. In the New Delegation Wizard, click Next, in the Delegated domain text box, type na, and then click
Next.
4. In the Name Servers box, click Add.
5. In the Server fully qualified domain name (FQDN) text box, type TOR-DC1.adatum.com, clear
<Click here to add an IP Address>, type 172.16.0.25, and then click OK.
6. In the Name Servers window, click Next.
7. In the Complete the New Delegation Wizard window, click Finish.
Task 2: Install a domain controller in a child domain

1. On TOR-DC1, in Server Manager, click Manage, and from the drop-down list box, click Add Roles
and Features.

3. On the Select installation type page, confirm that Role-based or feature-based installation is
4. On the Select destination server page, ensure that Select a server from the server pool is
selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Domain Services.
6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features.
9. On the Active Directory Domain Services page, click Next.
10. On the Confirm installation selections page, click Install. (This may take a few minutes to
complete.)
11. When the Active Directory Domain Services (AD DS) binaries have installed, click the blue Promote
this server to a domain controller link.
12. In the Deployment Configuration window, click Add a new domain to an existing forest.
13. Verify that Select domain type is set to Child Domain, and that Parent domain name is set to
Adatum.com. In the New domain name text box, type na.
L8-62 Module 8: Implementing Distributed Active Directory Domain Services Deployments
14. Confirm that Supply the credentials to perform this operation is set to ADATUM\Administrator
(Current user), and then click Next. (If this is not the case, then use the Change button to enter the
credentials Adatum\Administrator, and the password Pa$$w0rd).
15. In the Domain Controller Options window, ensure that Domain functional level is set to Windows
Server 2012 Release Candidate.
16. Ensure that both the Domain Name system (DNS) server and Global Catalog (GC) check boxes are
selected.
17. Confirm that Site name: is set to Default-First-Site-Name.
18. Under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in both text
boxes and then click Next.
19. On the DNS Options page, click Next.

20. On the Additional Options page, click Next.
21. On the Paths window, click Next.
22. On the Review Options window, click Next.
23. On the Prerequisites Check window, confirm that there are no issues, and then click Install.
Task 3: Verify the default trust configuration

1. Log on to TOR-DC1 as NA\Administrator using the password Pa$$w0rd.
2. When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If
it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local
Area Connection and then click Disable. Right-click Local Area Connection and then click Enable.
The Local Area Connection should now show Adatum.com.
3. In Server Manager, from the Tools menu, click Active Directory Domains and Trusts.
4. In the Active Directory Domains and Trusts console, expand Adatum.com, right-click
na.adatum.com and then click Properties.
5. Select the Trusts tab.
6. In the Domain trusted by this domain (outgoing trusts) box, click Adatum.com, and then click
Properties.
7. In the Adatum.com Properties window, click Validate and select Yes, validate the incoming trust.
8. In the User name text box, type administrator, and in the Password text box, type Pa$$w0rd, and
then click OK.
9. A message will display: The trust has been validated. It is in place and active.
Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC)
verification has failed, ensure that you have completed step 2 and then wait for at least 10-15 minutes.
You can continue with the lab and come back later to verify this step.
10. Click OK.
11. Click OK twice to close the Adatum.com Properties dialog box.
Results: After completing this exercise, you will have implemented child domains in AD DS.
Exercise 2: Implementing Forest Trusts

Task 1: Configure stub zones for DNS name resolution
1. On LON-DC1, in Server Manager, click the Tools menu, and then from the drop-down menu, click
DNS.
2. In the DNS tree pane, expand LON-DC1, right-click Forward Lookup Zones, and then click New
Zone.
3. In the New Zone Wizard, click Next.
4. On the Zone Type window, click Stub zone, and then click Next.
5. On the Active Directory Zone Replication Scope window, click To all DNS servers running on
domain controllers in this forest: adatum.com, and then click Next.
6. In the Zone name: text box, type treyresearch.net, and then click Next.
7. On the Master DNS Servers window, click <Click here to add an IP Address or DNS Name>, type
172.16.10.10, click on the free space, and then click Next.
8. On the Completing the New Zone Wizard window, click Next and then Finish.
9. Select and then right-click the new stub zone treyresearch.net and then click Transfer from Master.
10. Right-click treyresearch.net and then click Refresh.
11. Confirm that the treyresearch.net stub zone has some records.
13. In Server Manager, click the Tools menu, and from the drop-down menu, click DNS.
14. In the tree pane, expand MUN-DC1, select and then right-click Forward Lookup Zones, and then
click New Zone.
15. In the New Zone Wizard, click Next.
16. On the Zone Type window, click Stub zone, and then click Next.
17. In the Active Directory Zone Replication Scope window, select To all DNS servers running on
domain controllers in this forest: Treyresearch.net and then click Next.
18. In the Zone name: text box, type adatum.com, and then click Next.
19. In the Master DNS Servers window, click <Click here to add an IP Address or DNS Name>, type
172.16.0.10, click on the free space, and then click Next.
20. In the Completing the New Zone Wizard window, click Next and then click Finish.
21. Select and then right-click the new stub zone adatum.com, and then click Transfer from Master.
22. Right-click adatum.com, and then click Refresh.
23. Confirm that the adatum.com stub zone has some records.
Task 2: Configure a forest trust with selective authentication

1. On LON-DC1, from the Tools menu, click Active Directory Domain and Trusts.
2. In the Active Directory Domains and Trusts management console window, right-click Adatum.com,
and then click Properties.
3. In the Adatum.com Properties window, click the Trusts tab, and then click New Trust.
L8-64 Module 8: Implementing Distributed Active Directory Domain Services Deployments
4. On the New Trust Wizard window, click Next.
5. In the Name text box, type treyresearch.net and then click Next.
6. In the Trust Type window, select Forest trust and click Next.
7. In the Direction of Trust window, select One-way: outgoing, and then click Next.
8. In the Sides of Trust window, select Both this domain and the specified domain and then click
Next.
9. In the User Name and Password window type Administrator as the user name and Pa$$w0rd as the
password in the appropriate boxes, and then click Next.
10. In the Outgoing Trust Authentication Level-Local Forest window, select Selective authentication,
11. In the Trust Selections Complete page, click Next.
12. On the Trust Creation Complete page, click Next.
13. On the Confirm Outgoing Trust page, click Next.
14. Click Finish.

15. In the Adatum.com Properties window, click the Trusts tab.
16. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), select
treyresearch.net and click Properties.
17. In the treyresearch.net Properties window, click Validate.
18. Review the message that appears: The trust has been validated. It is in place and active.
19. Click OK, and then click No at the prompt.
20. Click OK twice.
21. Close Active Directory Domains and Trusts.
Task 3: Configure a server for selective authentication

1. On LON-DC1, in Server Manager, from the Tools menu, click Active Directory Users and
Computers.
2. In the Active Directory Users and Computers console, from the View menu, click Advanced Features.
3. Expand Adatum.com, and then click Computers.
4. Right-click LON-SVR1 and then click Properties.
5. Click the Security tab, and then click Add.
6. On the Select Users, Computers, Service Accounts, or Groups window, click Locations.
7. Click treyresearch.net and then click OK.
8. In the Enter the object name to select (examples:) text box, type treyresearch\it, and then click
Check Names. When prompted for credentials, type treyresearch\administrator with the password
of Pa$$w0rd. Click OK.
9. On the Select Users, Computers, Service Accounts, or Groups window, click OK.
10. In the LON-SVR1 Properties window, ensure that treyresearch\it is highlighted, and select the Allow
checkbox that is in line with Allowed to authenticate.
11. Click OK.

13. On the taskbar, click Windows Explorer.
14. Click Local Disk (C).
15. Right-click in the details pane, click New, and then click Folder.
16. In the Name text box, type IT-Data, and then press Enter.
17. Right-click IT-Data, and then click Properties.
18. In the IT-Data Properties window, click the Security tab, and then click Edit.
19. On the Permission for IT-Data window, click Add.

20. In the Enter the object names to select (examples:) text box, type treyresearch\it, and then click
Check Names. When the name resolves, click OK. If you are prompted for credentials, type
Treyresearch\administrator with the password of Pa$$w0rd. Click OK twice.
21. In the Permissions for IT-Data window, select treyresearch\it, click the Allow that is opposite the
Modify permission and then click OK.
22. Click the Sharing tab, select Advanced Sharing, and then click Share this folder.
23. Click Permissions, confirming that Everyone is highlighted, and then click Full Control.
24. Click OK twice, and then click Close.
25. Log off of MUN-DC1.
26. Log on to MUN-DC1 as treyresearch\Alice with the password Pa$$w0rd.
27. Hover your pointer in the lower-right corner of the desktop, and when the sidebar displays, click
Search.
28. In the Search text box, type \\LON-SVR1\IT-Data. The folder will open.
Results: After completing this exercise, you will have implemented forest trusts.

following steps.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1, 20412-MUN-DC1, and 20412-LON-SVR1.

L9-67
Module 9: Implementing Active Directory Domain Services

Sites and Replication
Lab: Implementing AD DS Sites and
Replication
Exercise 1: Modifying the Default Site
Task 1: Install the Toronto domain controller
1. On TOR-DC1, click Manage, and from the drop-down list box, click Add Roles and Features.
3. On the Select installation type page, confirm that Role-based or feature-based installation is
4. On the Select destination server page, ensure that Select a server from the server pool is
selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Domain Services.
6. On the Add features that are required for Active Directory Domain Services? page, click Add
Features. Click Next.

8. On the Active Directory Domain Services page, click Next.
9. On the Confirm installation selections page, click Install. (This may take a few minutes to
complete.)
10. When the AD DS binaries have installed, click the blue Promote this server to a domain controller
link.
11. In the Deployment Configuration window, click Add a domain controller to an existing domain.
Click Next.
12. In the Domain Controller Options window, ensure that both the Domain Name system (DNS)
server and Global Catalog (GC) check boxes are selected.
13. Confirm that Site name: is set to Default-First-Site-Name, and then under Type the Directory
Services Restore Mode (DSRM) password, type Pa$$w0rd in both the Password and Confirm
password boxes. Click Next.
14. On the DNS Options page, click Next.
15. On the Additional Options page, click Next.
16. On the Paths window, click Next.

17. On the Review Options window, click Next.
18. On the Prerequisites Check window, confirm that there are no issues, and then click Install. The server
will automatically restart.
19. After TOR-DC1 restarts, log on as Adatum\Administrator with the password Pa$$w0rd.
L9-68 Module 9: Implementing Active Directory Domain Services Sites and Replication
Task 2: Rename the default site

1. If necessary, on LON-DC1 open the Server Manager console.
2. In Server Manager, click Tools, and then click Active Directory Sites and Services.
3. In the Active Directory Sites and Services console, in the navigation pane, expand Sites.
4. Right-click Default-First-Site-Name, and then click Rename.
5. Type LondonHQ, and then press Enter.
6. Expand LondonHQ. expand the Servers folder, and then verify that both LON-DC1 and TOR-DC1
belong to the LondonHQ site.
Task 3: Configure IP subnets associated with the default site

1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, expand Sites,
and then click the Subnets folder.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object Subnet dialog box, under Prefix, type 172.16.0.0/24.
4. Under Select a site object for this prefix, select LondonHQ, and then click OK.
Results: After completing this exercise, you will have reconfigured the default site and assigned IP address
subnets to the site.
Exercise 2: Creating Additional Sites and Subnets

Task 1: Create the AD DS sites for Toronto
1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, right-click
Sites, and then click New Site.
2. In the New Object Site dialog box, next to Name, type Toronto.
3. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK.
4. In the Active Directory Domain Services dialog box, click OK. The Toronto site displays in the
navigation pane.
5. In the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then
click New Site.
6. In the New Object Site dialog box, next to Name, type TestSite.
7. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK. The
TestSite site displays in the navigation pane.
Task 2: Create IP subnets associated with the Toronto sites

and then click the Subnets folder.
4. Under Select a site object for this prefix, select Toronto, and then click OK.

7. Under Select a site object for this prefix, select TestSite, and then click OK.
8. In the navigation pane, click the Subnets folder. Verify the three subnets were created and associated
with their appropriate site as displayed in the details pane.
Results: After this exercise, you will have created two additional sites representing the IP subnet addresses
located in Toronto.
Exercise 3: Configuring AD DS Replication

Task 1: Configure site links between AD DS sites
expand Inter-Site Transports, and then click the IP folder.
2. Right-click IP, and then click New Site Link.
3. In the New Object Site Link dialog box, next to Name, type TOR-TEST.
4. Under Sites not in this site link, select Toronto, select TestSite, click Add, and then click OK.
5. Right-click TOR-TEST, and then click Properties.

6. In the TOR-TEST Properties dialog box, click Change Schedule.
7. In the Schedule for TOR-TEST dialog box, highlight the range from Monday 9am to Friday 3pm.
8. Select Replication Not Available, and then click OK.

9. Click OK to close TOR-TEST Properties.
10. Right-click DEFAULTIPSITELINK, and then click Rename.
11. Type LON-TOR, and then press Enter.
12. Right-click LON-TOR, and then click Properties.
13. Under Sites in this link, click TestSite, and then click Remove.
14. Next to Replicate Every, change the value to 60 minutes, and then click OK.
Task 2: Move TOR-DC1 to the Toronto site

expand LondonHQ, and then expand the Servers folder.
2. Right-click TOR-DC1, and then click Move.
3. In the Move Server dialog box, click Toronto, and then click OK.
4. In the navigation pane, expand the Toronto site, expand Servers, and then click TOR-DC1.
Task 3: Monitor AD DS site replication

1. On LON-DC1, on the taskbar, click the Windows PowerShell button.
2. At the command prompt, type the following, and then press Enter:
Repadmin /kcc
This command recalculates the inbound replication topology for the server.
L9-70 Module 9: Implementing Active Directory Domain Services Sites and Replication
Repadmin /showrepl
Verify that the last replication with TOR-DC1 was successful.
Repadmin /bridgeheads
This command displays the bridgehead servers for the site topology.
Repadmin /replsummary
This command displays a summary of replication tasks. Verify that no errors appear.
DCDiag /test:replications
Verify that all connectivity and replication test pass successfully.

7. Switch to TOR-DC1, and then repeat steps 1 through 6 to view information from the TOR-DC1
perspective.
Results: After this exercise, you will have configured site links and monitored replication.

following steps.

4. Repeat steps 2 and 3 for 20412A-TOR-DC1.

L10-71
Module 10: Implementing Active Directory Certificate

Services
Lab: Implementing Active Directory
Certificate Services
Exercise 1: Deploying a standalone root CA
Task 1: Install the Active Directory Certificate Services (AD CS) server role on
non-domain joined server
1. Log on to LON-CA1 as Administrator with the password Pa$$w0rd.
2. In the Server Manager console, click Add roles and features.

6. On the Select server roles page, select Active Directory Certificate Services. When Add Roles and
Features Wizard window displays, click Add Features, and then click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, ensure that Certification Authority is selected, and then click
Next.
11. On the Installation progress page, after installation completes successfully, click the text Configure
Active Directory Certificate Services on the destination server.
12. In the AD CS Configuration Wizard, on the Credentials page, click Next.
13. On the Role Services page, select Certification Authority. Click Next.
14. On the Setup Type page, select Standalone CA, and then click Next.
15. On the CA Type page, ensure that Root CA is selected, and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
17. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider
(CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.
18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click
Next.
19. On the Validity Period page, click Next.
20. On the CA Database page, click Next.
21. On the Confirmation page, click Configure.
22. On the Results page, click Close.
23. On the Installation progress page, click Close.

L10-72 Module 10: Implementing Active Directory Certificate Services
Task 2: Configure a new certificate revocation location

1. On LON-CA1, in the Server Manager console, click Tools, and then click Certification Authority.
2. In the certsrv [Certification Authority (Local)] console, right-click AdatumRootCA, and then click
Properties.
3. In the AdatumRootCA Properties window, click the Extensions tab.
4. In the Extensions tab, in the Select extension: drop-down list, select CRL Distribution Point (CDP)
and then click the Add button.
5. In the Location text box, type http://lon-svr1.adatum.com/CertData/, in the Variable

drop-down list box, click <CaName>, and then click Insert.
6. In the Variable drop-down list box, click <CRLNameSuffix>, and then click Insert. In the Variable
drop-down list box, click <DeltaCRLAllowed>, and then click Insert.
7. In the Location text box, position the cursor at the end of URL, type .crl, and then click OK.
8. Select options: Include in the CDP extensions of issued certificates and Include in CRLs. Clients
use this to find Delta CRL locations. Click Apply. In the Certification Authority pop-up window,
click No.
9. In the Select extension: drop-down list box, click Authority Information Access (AIA), and then
click Add.
10. In the Location text box, type http://lon-svr1.adatum.com/CertData/, then in Variable

drop-down box click <ServerDNSName>, and then click Insert.
11. In the Location text box, type an underscore (_), in the Variable drop-down list box, click
<CaName>, and then click Insert.
12. In the Variable drop-down list box, click <CertificateName>, and then click Insert.
13. In the Location text box, position the cursor at the end of URL, type .crt, and then click OK.
14. Select the Include in the AIA extension of issued certificates check box, and then click OK.
15. Click Yes to restart Certification Authority service.
16. In the Certification Authority console, expand AdatumRootCA, right-click Revoked Certificates,
point to All Tasks, and then click Publish.
17. In the Publish CRL window, click OK.
18. Right-click AdatumRootCA, and then click Properties.
19. In the AdatumRootCA Properties dialog box, click View Certificate.
20. In the Certificate window, click the Details tab.
21. On the Details tab, click Copy to File.
22. On the Certificate Export Wizard Welcome page, click Next.
23. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
24. On the File to Export page, click Browse. In the File name text box, type \\lon-svr1\C$, and then
press Enter.
25. In the File name text box, type RootCA, click Save, and then click Next.
26. Click Finish, and then click OK three times.
27. Open a Windows Explorer window, and browse to C:\Windows\System32\CertSrv\CertEnroll.

Configuring Advanced Windows Server 2012 Service L10-73
28. In the Cert Enroll folder, select both files, right-click the highlighted files, and then click Copy.
29. In the Windows Explorer address bar, type \\lon-svr1\C$, and then press Enter.
30. Right-click the empty space, and then click Paste.
Results: After completing this exercise, you will have installed and configured a standalone root CA.
Exercise 2: Deploying an Enterprise Subordinate CA

Task 1: Install and configure AD CS role on LON-SVR1
2. In the Server Manager console, click Add roles and features.

6. On the Select server roles page, select Active Directory Certificate Services.
7. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
9. On the Active Directory Certificate Services page, click Next.
10. On the Select role services page, ensure that Certification Authority is selected already, and select
Certificate Authority Web Enrollment.
11. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
13. On the Installation progress page, after installation is successful, click the text Configure Active
Directory Certificate Services on the destination server.
14. In the AD CS Configuration Wizard, on the Credentials page, click Next.
15. On the Role Services page, select both Certification Authority and Certification Authority Web
Enrollment, and then click Next.
16. On the Setup Type page, select Enterprise CA, and then click Next.
17. On the CA Type page, click Subordinate CA, and then click Next.
18. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
19. On the Cryptography for CA page, keep the default selections, and then click Next.
20. On the CA Name page, in the Common name for this CA text box, type Adatum-IssuingCA,, and
then click Next.
21. On the Certificate Request page, ensure that Save a certificate request to file on the target
machine is selected, and then click Next.
22. On the CA Database page, click Next.
23. On the Confirmation page, click Configure.

24. On the Results page, click Close.
25. On the Installation progress page, click Close.
Task 2: Install a subordinate Certification Authority (CA) certificate

1. On LON-SVR1, open a Windows Explorer window, and navigate to Local Disk (C:).
2. Right-click RootCA.cer, and then click Install Certificate.
3. In the Certificate Import Wizard, click Local Machine, and then click Next.
4. On the Certificate Store page, click Place all certificates in the following store, and then click
Browse.
5. Select Trusted Root Certification Authorities, and then click OK.
6. Click Next, and then click Finish. Click OK.
7. In the Windows Explorer window, select the adatumRootCA.crl and LON-CA1_AdatumRootCA.crt

files, right-click the files, and then click Copy.
8. Double-click inetpub.
9. Double-click wwwroot.
10. Create a new folder, and name it CertData.
11. Paste the two copied files into that folder.

12. Switch to Local Disk (C:).
13. Right-click the file LON-SVR1.Adatum.com_Adatum- IssuingCA.req, and then click Copy.
14. In the Windows Explorer address bar, type \\LON-CA1\C$, and then press Enter.
15. In the Windows Explorer window, right-click an empty space, and then click Paste. Make sure that
request file is copied to LON-CA1.
16. Switch to the LON-CA1 server.

17. In the Certificate Authority console, right-click AdatumRootCA, point to All Tasks, and then click
Submit new request.
18. In the Open Request File window, navigate to Local Disk (C:), select file
LON-SVR1.Adatum.com_Adatum- IssuingCA.req, and then click Open.
19. In the Certification Authority console, click the Pending Requests container. Right click Pending
Requests item and click Refresh.
20. In the right pane, right-click the request (with ID 2), point to All Tasks, and then click Issue.
21. Click the Issued Certificates container.
22. In the right pane, double-click the certificate, and then click the Details tab.
23. Click Copy to File.
24. On the Certificate Export Wizard Welcome page, click Next.
25. On the Export File Format page, select Cryptographic Message Syntax Standard PKCS #7
Certificates (.P7B), select Include all certificates in the certification path if possible and then
click Next.
26. On the File to Export page, click Browse.
27. In the File name text box, type \\lon-svr1\C$, and then press Enter.
28. In the File name text box, type SubCA, click Save, and then click Next.
29. Click Finish, and then click OK twice.
31. In Server Manager, click Tools, and then click Certification Authority.
32. In the Certification Authority console, right-click Adatum-IssuingCA, point to All Tasks, and then
click Install CA Certificate.
33. Navigate to Local Disk (C:), click the SubCA.p7b file, and then click Open.
34. Wait for 15-20 seconds, and then on the toolbar, click the green icon to start the CA service.
35. Ensure that CA starts successfully.
Task 3: Publish the RootCA certificate through Group Policy

1. On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest:Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
3. In the Computer Configuration node, expand Policies, expand Windows Settings, expand
Security Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities,
and then click Import.
4. Click Next.
5. On the File to Import page, click Browse.
6. In the file name text field, type \\lon-svr1\C$, and then press Enter.
7. Select file RootCA.cer, and then click Open.
8. Click Next two times, and then click Finish.
9. Click OK.
Results: After completing this exercise, you will have deployed and configured an enterprise subordinate
CA
Exercise 3: Configuring Certificate Templates

Task 1: Create a new template based on the Web server template
1. On LON-SVR1, in the Certification Authority console, expand Adatum-IssuingCA, right-click
Certificate Templates, and then select Manage.
2. In the Certificate Templates Console, locate the Web Server template in the list, right-click it, and
then select Duplicate Template.
3. Click the General tab.
4. In the Template display name field, type Adatum Web Server, and set the Validity period to 3
years
5. Click the Request Handling tab, select Allow private key to be exported, and then click OK.
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates Console, right-click the User certificate template, and then click
Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and in the Template display
name text box, type Adatum Smart Card User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail
name check boxes.
4. On the Extensions tab, click Application Policies, and then click Edit.
5. In the Edit Application Policies Extension dialog box, click Add.

6. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
7. Click the Superseded Templates tab, and then click Add.
8. Click the User template, and then click OK.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select
the Allow check box for Read, Enroll and Autoenroll, and then click OK.
Task 3: Configure the templates so they can be issued

1. On LON-SVR1, in the Certification Authority console, right-click Certificate Templates, point to New,
and then click Certificate Template to Issue.
2. In the Enable Certificate Templates window, select Adatum Smart Card User and Adatum Web
Server, and then click OK.
Task 4: Update the Web server certificate on the LON-SVR2 Web Server
2. Open Windows PowerShell window from taskbar and type gpupdate /force and press Enter. If
prompted to do so, restart the server, and logon with same credentials as in step 1.
3. From Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
4. In the IIS console, click LON-SVR2, click No at the Internet Information Services (IIS) Manager
prompt, and then in the central pane, double-click Server Certificates.
5. In the Actions pane, click Create Domain Certificate.
6. On the Distinguished Name Properties page, complete the following fields, and then click Next::
o Common name: lon-svr2.adatum.com
o Organization: Adatum
o Organizational Unit: IT
o City/locality: Seattle
o State/province: WA
o Country/region: US
7. On the Online Certification Authority page, click Select.
8. Click Adatum-IssuingCA, and then click OK.
9. In the friendly name text box, type lon-svr2, and then click Finish.
10. Ensure that the certificate displays in the Server Certificates console.
11. In the IIS console, expand LON-SVR2, expand Sites, and then click Default Web Site.
12. In the Actions pane, click Bindings.
13. In the Site Bindings window, click Add.
14. In the Type drop-down list box, click https.
15. In the SSL certificate drop-down list box, click lon-svr2, click OK, and then click Close.
16. Close the IIS console.
Results: After completing this exercise, you will have created and published new certificate templates.
Exercise 4: Configuring Certificate Enrollment

Task 1: Configure autoenrollment for users
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain
Policy, and then click Edit.
3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings,
and then click to highlight Public Key Policies.
4. In the right pane, double-click Certificate Services Client Auto-Enrollment.
5. In the Configuration Model drop-down list box, click Enabled.

6. Select the Renew expired certificates, update pending certificates, and remove revoked
certificates option.
7. Select the Update certificates that use certificate templates option.
8. Click OK to close the properties window.
9. In the right pane, double-click the Certificate Services Client Certificate Enrollment Policy
object.
10. On the Enrollment Policy tab, set the Configuration Model to Enabled, and ensure that the
certificate enrollment policy list displays the Active Directory Enrollment Policy (it should have a
checkmark next to it, and a status of Enabled).
11. Click OK to close the window.
12. Close both the Group Policy Management Editor and the Group Policy Management console.
Task 2: Verify autoenrollment

1. On LON-SVR1, open Windows PowerShell from task bar.
2. Type gpupdate /force, and then press Enter.
3. After the policy is refreshed, type mmc.exe, and then press Enter.
4. In Console1, click File, and then in the File menu, click Add/Remove Snap-in.
5. Click Certificates, and then click Add>.
6. Click Finish, and then click OK.
7. Expand Certificates Current User, expand Personal, and then click Certificates.
8. Verify that certificate based on Adatum Smart Card User template is issued for administrator.
9. Close Console1.
Task 3: Configure the Enrollment Agent for smart card certificates

1. On LON-SVR1, in the Server Manager console, click Tools, and then open Certification Authority.
2. In the certsrv console, expand Adatum-IssuingCA, right-click Certificate Templates, and then click
Manage.
3. In the Certificate Templates console, double-click Enrollment Agent.
4. Click the Security tab, and then click Add.
5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names,
and then click OK.
6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions, and then click
OK.
8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.
10. Switch to LON-CL1, and log on as Adatum\Allie with the password Pa$$w0rd.
11. Open a command prompt window, and at a command prompt, type mmc.exe, and then press Enter.
12. In Console1, click File, and then click Add/Remove Snap-in.
13. Click Certificates, and then click Add>.
14. Click OK
15. Expand Certificates Current User, expand Personal, click Certificates, right-click Certificates,
point to All Tasks, and then click Request New Certificate.
16. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
17. On the Select Certificate Enrollment Policy page, click Next.
18. On the Request Certificates page, select Enrollment Agent, and then click Enroll.
19. Click Finish.
21. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
22. Click the Enrollment Agents tab.
23. Click Restrict Enrollment agents.
24. On the pop-up window that displays, click OK.
25. In the Enrollment agents section, click Add.

26. In the Select User, Computer or Group field, type Allie, click Check Names, and then click OK.
27. Click Everyone, and then click Remove.
28. In the certificate templates section, click Add.

29. In the list of templates, select Adatum Smart Card User, and then click OK.
30. In the Certificate Templates section, click <All>, and then click Remove.
31. In the Permission section, click Add.
32. In the Select User, Computer or Group field, type Marketing, click Check Names, and then click
OK.
33. In the Permission section, click Everyone, and then click Remove.
34. Click OK.
Results: After completing this exercise, you will have configured and verified autoenrollment for users,
and configured an enrollment agent for smart cards.
Exercise 5: Configuring Certificate Revocation

Task 1: Configure Certified Revocation List (CRL) distribution
1. On LON-SVR1, in the Certification Authority console, right-click Revoked Certificates, and then click
Properties.
2. In the Revoked Certificates Properties window, set the CRL publication interval to 1 Day and the
Delta CRL publication interval to 1 hour, and then click OK.
3. Right-click Adatum-IssuingCA, and then click Properties.
4. In the Properties window, click the Extensions tab.
5. On the Extensions tab, review the values for CDP.

6. Click Cancel.
Task 2: Install and configure an Online Responder

1. On LON-SVR1, open Server Manager.

3. Click Next three times.
4. On the Select server roles page, expand Active Directory Certificate Services (Installed), and then
select Online Responder.
5. Click Add Features.
6. Click Next two times, and then click Install.
7. When the message displays that installation succeeded, click Configure Active Directory Certificate
Services on the destination server.
8. In AD CS Configuration Wizard, click Next.
9. Select Online Responder, and then click Next.
10. Click Configure, and then click Close two times.
12. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
13. In the Adatum-IssuingCA Properties dialog box, on the Extensions tab, in the Select extension
list, click Authority Information Access (AIA), and then click Add.
14. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK.
15. Select the Include in the AIA extension of issued certificates check box.
16. Select the Include in the online certificate status protocol (OCSP) extension check box, and then
click OK.
17. In the Certificate Authority dialog box, restart AD CS by clicking Yes.
18. In the certsrv console, expand Adatum-IssuingCA, right-click the Certificate Templates folder, and
then click Manage.
19. In the Certificate Templates console, double-click the OCSP Response Signing template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab, under Permissions for
Authenticated Users, select the Allow for Enroll check box, and then click OK.
21. Close the Certificate Templates console.
22. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and
then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and
then click OK.
24. On LON-SVR1, in Server Manager, click Tools, and then click Online Responder Management.
25. In the ocsp Management console, right-click Revocation Configuration, and then click Add
Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name box, type AdatumCA Online
Responder, and then click Next.
28. On the Select CA Certificate Location page, click Next.
29. On the Choose CA Certificate page, click Browse, click the Adatum-IssuingCA certificate, click OK,
30. On the Select Signing Certificate page, verify that Automatically select a signing certificate is
selected, and Auto-Enroll for an OCSP signing certificate are both selected, and then click Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status will appear as
Working.
32. Close the Online Responder console.
Results: After completing this exercise, you will have configured certificate revocation settings.
Exercise 6: Configuring Key Recovery

Task 1: Configure the CA to issue Key Recovery Agent (KRA) certificates
2. In the Certification Authority console, expand the Adatum-IssuingCA node, right-click the
Certificates Templates folder, and then click Manage.
3. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.
4. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab.
5. Clear the CA certificate manager approval check box.

6. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that
have the Enroll permission, and then click OK.
8. In the Certification Authority console, right-click Certificate Templates, point to New, and then click
Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then
click OK.
10. Close the Certification Authority console.
Task 2: Acquire the KRA certificate

1. On LON-SVR1, open Windows PowerShell window. At a command prompt, type MMC.exe, and then
press Enter.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node, and right-click Personal.

6. Point to All Tasks, and then click Request New Certificate.
8. On the Select Certificate Enrollment Policy page, click Next.

9. On the Request Certificates page, select the Key Recovery Agent check box. Click Enroll, and then
click Finish.
10. Refresh the console, and view the KRA in the personal store; that is, scroll across the certificate
properties and verify that the Certificate Template Key Recovery Agent is present.
11. Close Console1 without saving changes.
Task 3: Configure the CA to allow key recovery

1. On LON-SVR1, in the Certification Authority console, right-click Adatum-IssuingCA, and then click
Properties.
2. In the Adatum-IssuingCA Properties dialog box, click the Recovery Agents tab, and then select
Archive the key.
3. Under Key recovery agent certificates, click Add.
4. In the Key Recovery Agent Selection dialog box, click the certificate that is for Key Recovery Agent
purpose (it will most likely be last on the list), and then click OK twice.
5. When prompted to restart the CA, click Yes.
Task 4: Configure a custom template for key archival

1. On LON-SVR1, in the Certification Authority console, right-click the Certificates Templates folder,
and then click Manage.
2. In the Certificate Templates console, right-click the User certificate, and then click Duplicate
Template.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Archive User.
4. On the Request Handling tab, select the Archive subject's encryption private key check box. Click
OK on the popup window.
5. Click the Subject Name tab, clear the E-mail name and Include e-mail name in subject name
check boxes, and then click OK.
7. In the Certification Authority console, right-click the Certificates Templates folder, point to New,
and then click Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, select the Archive User template, and then click
OK.
9. Close the Certification Authority console.
Task 5: Verify key archival functionality

1. Log on to the LON-CL1 virtual computer as Adatum\Aidan, using the password Pa$$w0rd.
2. On the Start screen, type mmc.exe and then press Enter.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add. Click OK.
5. Expand the Certificates - Current User node, right click Personal, click All Tasks, and then click
Request New Certificate.
7. Click Next.
8. On the Request Certificate page, select the Archive User check box, click Enroll, and then click
Finish.
9. Refresh the console, and view that a certificate is issued to Aidan, based on the Archive User
certificate template.
10. Simulate the loss of a private key by deleting the certificate. In the central pane, right-click the
certificate that you just enrolled, select Delete, and then click Yes to confirm.
12. Open the Certification Authority console, expand Adatum-IssuingCA, and then click Issued
Certificates store.
13. In the details pane, double-click a certificate with Requestor Name Adatum\Aidan, and Certificate
Template name of Archive User.
14. Click the Details tab, copy the Serial Number, and then click OK. (You may either copy the number
to Notepad (select it and press CTRL+C), or write it down on paper.)
15. Open Windows PowerShell console from task bar.
16. In the command prompt window that appears, type the following command (where <serial number>
is the serial number that you copied), and then press Enter:
certutil getkey <serial number> outputblob
Note: If you paste the serial number from Notepad, remove spaces between numbers.
17. Verify that outputblob file now displays in the C:\Users\Administrator.Adatum folder.
18. To convert the outputblob file into a .pfx file, in the command prompt window, type the following
command, and press Enter:
Certutil recoverkey outputblob aidan.pfx
19. When prompted, type Pa$$w0rd as the new password, and then confirm the password.
20. After the command executes, close the Windows PowerShell window.
21. Browse to C:\Users\Administrator.ADATUM, and then verify that aidan.pfxthe recovered keyis
created.
22. Copy aidan.pfx file to \\lon-cl1\C$.
23. Switch to LON-CL1, and ensure that you are still logged on as Aidan.
24. Browse to drive C and double-click the aidan.pfx file.
25. On the Welcome to the Certificate Import Wizard page, click Next.
26. On the File to Import page, click Next.

27. On the Password page, enter Pa$$w0rd as password, and then click Next.
28. On the certificate store page, click Next, click Finish, and then click Ok.
29. Expand the Certificates - Current User node, expand Personal, and then click Certificates.
30. Refresh the console, and verify that the certificate for Aidan is restored.
Results: After completing this exercise, you will have implemented key archival, and tested private key
recovery.

following steps.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, 20412A-LON-CA1 and 20412A-

LON-SVR2.
L11-85
Module 11: Implementing Active Directory Rights

Management Services
Lab: Implementing AD RMS
Exercise 1: Installing and Configuring AD RMS
Task 1: Configure Domain Name System (DNS) and the Active Directory Rights
Management Services (AD RMS) service account
2. In Server Manager, click Tools, and then click Active Directory Administrative Center.
3. Select and then right-click Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit dialog box, in the Name field, type Service Accounts, and then
click OK.
5. Right-click the Service Accounts OU, click New, and then click User.
6. On the Create User dialog box, enter the following details, and then click OK:
7. Right-click the Users container, click New, and then click Group.
8. In the Create Group dialog box, enter the following details, and then click OK:
o Group name: ADRMS_SuperUsers
o E-mail: ADRMS_SuperUsers@adatum.com
9. Right-click the Users container, click New, and then click Group.
10. In the Create Group dialog box, enter the following details, and then click OK.
o Group name: Executives
o E-mail: executives@adatum.com
11. Double-click the Managers OU.
12. Hold down the Ctrl key, and click the following users:
o Aidan Delaney
o Bill Malone
13. In the Tasks pane, click Add to group

14. In the Select Groups dialog box, type Executives, and then click OK.
16. In Server Manager, click Tools, and then click DNS.

17. In the DNS Manager console, expand LON-DC1, and expand Forward Lookup Zones.
L11-86 Module 11: Implementing Active Directory Rights Management Services
18. Select and then right-click Adatum.com, and click New Host (A or AAAA).
19. In the New Host dialog box, enter the following information, and then click Add Host:
o Name: adrms
20. Click OK, and then click Done, and close the DNS Manager console.
Task 2: Install and configure the AD RMS server role

1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$word.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next three times.
4. On the Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles and Features dialog box, click Add Features, and then click Next four times.
6. Click Install, and then click Close.
7. In Server Manager, click the AD RMS node.
8. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1, click
More.
9. On the All Servers Task Details page, click Perform Additional Configuration.
10. In the AD RMS Configuration: LON-SVR1.adatum.com dialog box, click Next.
11. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.
12. On the Configuration Database page, click Use Windows Internal Database on this server, and
then click Next.
13. On the Service Account page, click Specify.
14. In the Windows Security dialog box, enter the following details, click OK, and then click Next:
o Username: ADRMSSVC
15. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.
16. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then
click Next.
17. On the Cluster Key Password page, enter the password Pa$$w0rd twice, and then click Next.
18. On the Cluster Web Site page, verify that Default Web Site is selected, and then click Next.
19. On the Cluster Address page, provide the following information, and then click Next:
o Connection Type: Use an unencrypted connection (http://)
o Fully Qualified Domain Name: adrms.adatum.com
o Port: 80
20. On the Licensor Certificate page, type Adatum AD RMS, and then click Next.
21. On the SCP Registration page, click Register the SCP now, and then click Next.
22. Click Install, and then click Close.

23. Click to the Start screen, click Administrator, and then click Sign Out.
Note: You must sign out before you can manage AD RMS.
Task 3: Configure the AD RMS Super Users group

1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Active Directory Rights Management Services.
3. In the Active Directory Rights Management Services console, expand the LON-SVR1 node, and then
click Security Policies.
4. In the Security Policies area, under Super Users, click Change super user settings.
5. In the Actions pane, click Enable Super Users.
6. In the Super Users area, click Change super user group.
7. In the Super Users dialog box, in the Super user group text box, type
ADRMS_Superusers@adatum.com, and then click OK.
Results: After completing this exercise, you should have installed and configured AD RMS.
Exercise 2: Configuring AD RMS Templates

Task 1: Configure a new rights policy template
1. Ensure that you are logged on to LON-SVR1.
2. In the Active Directory Rights Management Services console, click the LON-SVR1\Rights Policy
Templates node.
3. In the Actions pane, click Create Distributed Rights Policy Template.
4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification
information page, click Add.
5. On the Add New Template Identification Information page, enter the following information, and
then click Add:
o Language: English (United States)
o Name: ReadOnly
o Description: Read only access. No copy or print
6. Click Next.
7. On the Add User Rights page, click Add.
8. On the Add User or Group page enter executives@adatum.com, and then click OK.
9. When executives@adatum.com is selected, under Rights, click View. Verify that Grant owner
(author) full control right with no expiration is selected, and then click Next.
10. On the Specify Expiration Policy page, choose the following settings and then click Next:
o Content Expiration: Expires after the following duration (days): 7
o Use license expiration: Expires after the following duration (days): 7
11. On the Specify Extended Policy page, click Require a new use license every time content is
consumed (disable client-side caching), click Next, and then click Finish.
Task 2: Configure the rights policy template distribution

2. In the Windows PowerShell window, issue the following commands, each followed by Enter:
Cmd.exe
mkdir c:\rmstemplates
net share RMSTEMPLATES=C:\rmstemplates /GRANT:ADATUM\ADRMSSVC,FULL
mkdir c:\docshare
net share docshare=c:\docshare /GRANT:Everyone,FULL
3. To exit the Windows PowerShell window, type exit twice.
4. Switch to the Active Directory Rights Management Services console.
5. Click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click
Change distributed rights policy templates file location.
6. In the Rights Policy Templates dialog box, click Enable Export.

7. In the Specify Templates File Location (UNC), type \\LON-SVR1\RMSTEMPLATES, and then click OK.
9. Navigate to the C:\rmstemplates folder, and verify that ReadOnly.xml is present.
10. Close the Windows Explorer window.
Task 3: Configure an exclusion policy

1. Switch to the Active Directory Rights Management Services console.
2. Click the Exclusion Policies node, and then click Manage application exclusion list.
3. In the Actions pane, click Enable Application Exclusion.
4. In the Actions pane, click Exclude Application
5. In the Exclude Application dialog box, enter the following information, and then click Finish:
o Application File name: Powerpnt.exe
o Minimum version: 14.0.0.0
o Maximum version: 16.0.0.0
Results: After completing this exercise, you should have configured AD RMS templates.
Exercise 3: Implementing the AD RMS Trust Policies

Task 1: Export the Trusted User Domains policy
2. In the Windows PowerShell window, issue the following commands, and then press Enter:
Cmd.exe
mkdir c:\export
net share export=c:\export /GRANT:Everyone,FULL
3. To close the Windows PowerShell window, type exit twice.
4. In the Active Directory Rights Management Services console, expand the Trust Policies node, and
then click the Trusted User Domains node.
5. In the Actions pane, click Export Trusted User Domains.
6. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file
name to ADATUM-TUD.bin, and then click Save.
7. Log on to MUN-DC1 with the TREYRESEARCH\Administrator account and the password

Pa$$w0rd.
8. In Server Manager, click Tools, and then click Active Directory Rights Management.
9. In the Active Directory Rights Management Services console, expand MUN-DC1, expand the Trust
Policies node, and then click the Trusted User Domains node.
10. In the Actions pane, click Export Trusted User Domains.
11. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file
name to TREYRESEARCH-TUD.bin, and then click Save.
Task 2: Export the Trusted Publishing Domains policy

2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the
Trusted Publishing Domains node.
3. In the Actions pane, click Export Trusted Publishing Domains.
4. In the Export Trusted Publishing Domain dialog box, click Save As.
5. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set
the file name to ADATUM-TPD.xml, and then click Save.
6. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and
then click Finish.
9. In the Actions pane, click Export Trusted Publishing Domains.
10. In the Export Trusted Publishing Domain dialog box, click Save As.
11. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set
the file name to TREYRESEARCH-TPD.xml, and then click Save.
12. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and
then click Finish.
Task 3: Import the Trusted User Domain policy from the partner domain
Trusted User Domains node.
3. In the Actions pane, click Import Trusted User Domain.
4. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
o Trusted user domain file: \\LON-SVR1\Export\TREYRESEARCH-TUD.bin

o Display Name: Trey Research
Trusted User Domains node.
7. In the Actions pane, click Import Trusted User Domain.
8. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
o Trusted user domain file: \\LON-SVR1\Export\ADATUM-TUD.bin

o Display Name: Adatum
Task 4: Import the Trusted Publishing Domains policy from the partner domain
2. In the Active Directory Rights Management Services console, under the Trust policies node, click the
3. In the Actions pane, click Import Trusted Publishing Domain.
4. In the Import Trusted Publishing Domain dialog box, enter the following information, and then
click Finish:
o Trusted publishing domain file: \\LON-SVR1\export\ TREYRESEARCH-TPD.xml
o Display Name: Trey Research
6. In the Active Directory Rights Management Services console, under the Trust policies node, click the
7. In the Actions pane, click Import Trusted Publishing Domain.
8. In the Import Trusted Publishing Domain dialog box, provide the following information, and then
click Finish:
o Trusted publishing domain file: \\LON-SVR1\export\adatum-tpd.xml
o Display Name: Adatum
Task 5: Configure anonymous access to the AD RMS licensing server

2. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
3. In Internet Information Services (IIS) Manager, expand LON-SVR1\Sites\Default Web Site\_wmcs.
4. Right-click licensing, and then click Switch to Content View.
5. Right-click license.asmx, and then click Switch to Features View.
6. Double-click Authentication, click Anonymous Authentication, and in the Actions pane, click
Enable.
7. Right-click licensing, and then click Switch to Content View.
8. Right-click ServiceLocator.asmx, and then click Switch to Features View.
9. Double-click Authentication, click Anonymous Authentication, and in the Actions pane, click
Enable.
10. Close Internet Information Services (IIS) Manager.
Results: After completing this exercise, you should have implemented the AD RMS trust policies.
Exercise 4: Verifying the AD RMS Deployment

Task 1: Create a rights-protected document
1. Log on to LON-CL1 as Adatum\Aidan using the password Pa$$w0rd.
2. On the Start screen, type Word. In the Results area, click Microsoft Word 2010.
3. In the User Name dialog box, click OK.
4. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click
OK.
This document is for executives only, it should not be modified.
6. Click File, click Protect Document, click Restrict Permission by People, and then click Manage
Credentials.
7. In the Windows Security dialog box, enter the following credentials.
o User name: Aidan
8. Enable Remember My Credentials, and then click OK.

9. In the Select User dialog box, click OK.
10. In the Permission dialog box, enable Restrict Permission to this document.
11. In the Read text box, type bill@adatum.com, and then click OK.
12. Click Save.
13. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as Executives
Only.docx.
14. Click to the Start screen, click the Aidan Delaney icon, and then click Sign out.
Task 2: Verify internal access to protected content

1. Log on to LON-CL1 as Adatum\Bill using the password Pa$$w0rd.
2. On the Start screen, click Desktop.

4. In the Windows Explorer window, navigate to \\lon-svr1\docshare.
5. Double-click the Executives Only document.
7. In the Microsoft Word dialog box, click Yes.
8. In the Windows Security dialog box, enter the following credentials, select Remember my
credentials, and then click OK.
o Username: Bill
9. In the Select User dialog box, ensure that bill@adatum.com is selected, and then click OK.
10. In the Microsoft Office dialog box, click OK.
OK.
12. When the document opens, verify that you are unable to modify or save the document.
13. Select a line of text in the document.
14. Right-click the text, and verify that you cannot make changes.
15. Click View Permission, review the permissions, and then click OK.
16. Click to the Start screen, click the Bill Malone icon, and then click Sign out.
Task 3: Open the rights-protected document as an unauthorized user

1. Log on to LON-CL1 as Adatum\Carol using the password Pa$$w0rd.
2. On the Start menu, click Desktop.

5. Double-click the Executives Only document.
6. Verify that Carol is unable to open the document.
7. Click to the Start screen, click the Carol Troup icon, and then click Sign out.
Task 4: Open and edit the rights-protected document as an authorized user at Trey
Research.
1. Log on to LON-CL1 as Adatum\Aidan using the password Pa$$w0rd.
2. On the Start screen, type Word. In the Results area, click Microsoft Word 2010.
This document is for Trey Research only, it should not be modified.
4. Click File, click Protect Document, click Restrict Permission by People, and then click Manage
Credentials.
5. In the Select User dialog box, click OK.
6. In the Permission dialog box, enable Restrict Permission to this document.
7. In the Read text box, enter april@treyresearch.net, click OK, and then click Save.
8. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as
TreyResearch-Confidential.docx.
9. Click to the Start screen, click the Aidan Delaney icon, and then click Sign Out.
10. Log on to MUN-CL1 as TREYRESEARCH\APRIL.
11. On the Start screen, click Desktop.

14. In the Windows Security dialog box, enter the following credentials, and then click OK:
o Username: Adatum\Administrator
15. Copy the file TreyResearch-Confidential.docx to the desktop.
16. Double-click the file.
18. In the Microsoft Word dialog box, click Yes.
19. In the Windows Security dialog box, enter the following credentials, select Remember my
credentials, and then click OK:
o Username: April
20. In the Select User dialog box, ensure that april@treyresearch.com is selected, and then click OK.
21. In the Microsoft Office dialog box, click OK.
OK.
23. When the document opens, verify that you are unable to modify or save the document.
24. Select a line of text in the document and verify.
25. Right-click the text, and verify that you cannot make changes.
26. Click View Permission, review the permissions, and then click OK.
Results: After completing this exercise, you should have verified that the AD RMS deployment is
successful.

following steps.

4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-MUN-DC1, 20412A-LON-CL1, and

20412A-MUN-CL1.
L12-95
Module 12: Implementing Active Directory Federation

Services
Lab: Implementing AD FS
Exercise 1: Configuring AD FS Prerequisites
Task 1: Configure DNS forwarders
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. Expand LON-DC1, and then click Conditional Forwarders.
3. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
4. In the DNS Domain dialog box, type TreyResearch.net.
5. Click in the IP address column, and type 172.16.10.10. Press Enter, and then click OK.
6. Close the DNS Manager.
7. On MUN-DC1, in Server Manager, click Tools, and then click DNS.
8. Expand MUN-DC1, and then click Conditional Forwarders.
9. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
10. In the DNS Domain box, type Adatum.com.

11. Click in the IP address column, and type 172.16.0.10. Press Enter, and then click OK.
12. Close the DNS Manager.
Task 2: Exchange root certificates to enable certificate trusts

1. On LON-DC1, access the Search page.
2. In the Search box, type \\MUN-DC1.treyresearch.net\certenroll, and then press Enter
3. In the CertEnroll window, right-click the MUN-DC1.TreyResearch.net_TreyResearchCA.crt file, and

then click Copy.
4. In the left pane, click Documents, and then paste the file into the Documents folder.
5. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
6. In the Console1 window, click File, and then click Add/Remove Snap-in.
7. Click Group Policy Management Editor, and then click Add.
8. In Group Policy Object, click Browse.
9. Click Default Domain Policy, and then click OK.
11. Double-click Default Domain Policy. In the console tree, expand Computer Configuration >
Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root
Certification Authorities.
12. Right-click Trusted Root Certification Authorities, and then click Import.
L12-96 Module 12: Implementing Active Directory Federation Services
15. In the Open window, click MUN-DC1.TreyResearch.net_TreyResearchCA.crt, click Open, and then
click Next.
16. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
17. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
18. Close the Group Policy Management Editor without saving changes.
19. On MUN-DC1, access the Search page.
20. In the Search box, type \\LON-DC1.adatum.com\certenroll, and press Enter.

21. In the CertEnroll window, right-click the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt file, and
then click Copy.
22. In the left pane, click Documents, and paste the file into the Documents folder.
23. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
24. In the Console1 window, click File, and then click Add/Remove Snap-in.
25. Click Certificates, and then click Add.

26. Click Computer Account, and click Next.
27. Verify that Local computer is selected, click Finish, and then click OK.
28. Expand Certificates, and then click Trusted Root Certification Authorities.
29. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.

32. In the Open window, click LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt, click Open, and then
click Next.
33. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
35. Close Console1 without saving changes.
Task 3: Request and install a certificate for the web server

1. On LON-SVR1, in Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
2. In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message that
displays.
3. In middle pane, double-click Server Certificates.
4. In the Actions pane, click Create Domain Certificate.

5. On the Distinguished Name Properties page, enter the settings as listed below, and then click
Next.
o Common name: LON-SVR1.adatum.com
o Organization: A. Datum
o Organization unit: IT
o City/locality: London
o State/province: England
o Country/region: GB
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select
to search for a certification authority (CA) server in the domain.
7. Select Adatum-LON-DC1-CA, and then click OK.
8. In Friendly name, type LON-SVR1.adatum.com, and then click Finish.
Task 4: Bind the certificate to the claims-aware application on the web server, and
verify application access
1. On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site,
and then in the Actions pane, click Bindings.
2. In the Site Bindings dialog box, click Add.
3. In the Add Site Binding dialog box, under Type, select https, and under Port, verify that 443 is
selected. In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.
4. Click Close, and then close Internet Information Services (IIS) Manager.
5. On LON-DC1, open Windows Internet Explorer.
6. Connect to https://lon-svr1.adatum.com/adatumtestapp.
7. Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
Exercise 2: Installing and Configuring AD FS

Task 1: Install and configure AD FS
1. On the LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.

5. On the Select server roles page, select the Active Directory Federation Services check box, click
Add Features, and then click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Select role services page, click Next.

9. On the Confirm installation selections page, click Install, and wait for the installation to finish. Do
not close the window.
Task 2: Create a standalone federation server using the AD FS Federation Server

1. On the Installation progress page, click Run the AD FS Management snap-in.
2. In the Overview pane, click the AD FS Federation Server Configuration Wizard link.
3. On the Welcome page, ensure that Create a new Federation Service is selected, and then click
Next.
4. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and
then click Next.
5. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is LON-
DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com,
6. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and
then click Next.
7. Wait for the configuration to finish, and then click Close.
Task 3: Verify that FederationMetaData.xml is present and contains valid data

1. Log on to the LON-CL1 virtual machine as Adatum\Brad using the password Pa$$w0rd.
2. Click the Desktop tile, and then open Internet Explorer.

3. Click the Tools icon at the top right corner, and then click Internet options
4. On the Security tab, click Local intranet.
5. Click Sites, and clear the Automatically detect intranet network check box.
6. Click Advanced, and in the Add this website to the zone box, type
https://lon-dc1.adatum.com, and then click Add.
7. Type https://lon-svr1.adatum.com, click Add, and then click Close.
8. Click OK twice.
9. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06
/federationmetadata.xml.
10. Verify that the xml file opens successfully, and scroll through its contents.
Results: In this exercise, you installed and configured the AD FS server role, and verified a successful
installation by viewing the Federation Meta Data .xml contents.
Exercise 3: Configuring AD FS for a Single Organization

Task 1: Configure a Token-signing certificate for LON-DC1.Adatum.com
1. On the LON-DC1 virtual machine, in Server Manager, click Tools, and then click Windows
PowerShell.
2. At the prompt, type set-ADFSProperties AutoCertificateRollover $False, and then press Enter.
This step is required so that you can modify the certificates that AD FS uses.
3. Close the Windows PowerShell window.

4. In Server Manager, click Tools, and then click AD FS Management.
5. In the AD FS console, in the left pane, expand Service, and then click Certificates.
6. Right-click Certificates, and then click Add Token-Signing Certificate.
7. In the Select a token signing certificate dialog box, click the first certificate with the name LON-
DC1.Adatum.com, and then click Click here to view certificate properties.
8. Verify that the certificate purposes includes Proves your identity to a remote computer and
Ensures the identity of a remote computer, and click OK. The certificate may also have other
purposes, but these two are required. If the certificate does not have the intended purposes, view the
properties of the other certificates until you find one with the intended purposes. Click OK.
9. When the AD FS Management warning dialog box displays, click OK.
Note: Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name

displays under the Subject when you add the certificate, delete the certificate, and add the next
certificate in the list.
10. Right-click the newly-added certificate, and then click Set as Primary. Review the warning message,
and then click Yes.
11. Select the certificate that has just been superseded, right-click the certificate, and then click Delete.
Click Yes to confirm the deletion.
Task 2: Configure the Active Directory claims provider trust

1. On LON-DC1, in the AD FS console, expand Trust Relationships, and then click Claims Provider
Trusts.
2. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
3. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
4. In the Add Transform Claim Rule Wizard, in the Select Rule Template page, under Claim rule
template, select Send LDAP Attributes as Claims, and then click Next.
5. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
6. In the Attribute Store drop-down list, select Active Directory.
7. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
o E-Mail-Addresses = E-Mail Address
o User-Principal-Name = UPN
o Display-Name = Name
Task 3: Configure the claims application to trust incoming claims by running the
Windows Identity Foundation Federation Utility
1. On LON-SVR1, click to the Start screen, and then click Windows Identity Foundation Federation
Utility.
2. On the Welcome to the Federation Utility wizard page, in Application configuration location,
type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of
the Windows Identity Foundation sample application.
3. In Application URI, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path to

the sample application that will trust the incoming claims from the federation server. Click Next to
continue.
4. On the Security Token Service page, select Use an existing STS, type
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS
WS-Federation metadata document location, and then click Next to continue.
5. On the Security token encryption page, select No encryption, and then click Next.
6. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
7. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility wizard, scroll through the items to understand what each item is doing, and then
click Finish.
8. Click OK.
Task 4: Configure a relying party trust for the claims-aware application

1. On LON-DC1, in the AD FS Management console, click AD FS.
2. In the middle pane, click Required: Add a trusted relying party.
3. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.
5. Click Next to continue. This action prompts the wizard to check for the Metadata of the application
that the web server role hosts.
6. On the Specify Display Name page, in the Display name box, type ADatum Test App, and then
click Next.
7. On the Choose Issuance Authorization Rules page, ensure that the Permit all users to access this
relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.
Task 5: Configure claim rules for the relying party trust

1. In the Edit Claim Rules for Adatum Test App properties dialog box, on the Issuance Transform
Rules tab, click Add Rule.
2. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, under Claim rule
template, select Pass Through or Filter an Incoming Claim, and then click Next. This action passes
an incoming claim through to the user by means of Integrated Windows authentication.
3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name
rule. In the Incoming claim type drop-down list, select Windows account name, and then click
Finish.
4. Click Add Rule.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule, in the
Incoming claim type drop-down list, select E-mail Address, and then click Finish.
7. Click Add Rule.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule, in the Incoming
claim type drop-down list, select UPN, and then click Finish.
10. Click Add Rule.

12. On the Configure Rule page, in Claim rule name, type Pass through Name rule, in the Incoming
claim type drop-down list, select Name, and then click Finish.
13. Click Apply, and then click OK.
Task 6: Test access to the claims-aware application

1. On LON-CL1, open Internet Explorer.
2. Connect to https://lon-svr1.adatum.com/AdatumTestApp/
Note: Ensure that you type the trailing forward slash (/).
3. If you are prompted for credentials, type Adatum\Brad with password Pa$$w0rd, and then press
Enter. The page renders, and you see the claims that were processed to allow access to the web site.
Results: In this exercise, you configured a Token signing certificate and configured a claims provider trust
for Adatum.com. You also should have configured the sample application to trust incoming claims, and
configured a relying party trust and associated claim rules. You also tested access to the sample Windows
Identity Foundation application in a single organization scenario.
Exercise 4: Configuring AD FS for Federated Business Partners

Task 1: Add a claims provider trust for the TreyResearch.net AD FS server
1. On LON-DC1, if required, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. On the Welcome page, click Start.
5. On the Select Data Source page, select Import data about the claims provider published online
or on a local network, type https://mun-dc1.treyresearch.net, and then click Next.
6. On the Specify Display Name page, click Next.
7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to
save the configuration.
8. On the Finish page, click Close.

9. In the Edit Claim Rules for mun-dc1.treyresearch.net properties dialog box, on the Acceptance
Transform Rules tab, click Add Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click
Next.
11. In the Claim rule name text box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish. Click Yes.
14. Click OK, and then close the AD FS console.

15. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell.
Set-ADFSClaimsProviderTrust TargetName mun-dc1.treyresearch.net

SigningCertificateRevocationCheck None
17. Close the Windows PowerShell window.
Task 2: Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware
application
1. On the MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS console, on the Overview page, click Required: Add a trusted relying party.
3. On the Welcome page, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or
on a local network, type https://lon-dc1.adatum.com, and then click Next.
5. On the Specify Display Name page, in the Display name text box, type Adatum TestApp, and then
click Next.
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.
7. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save
the configuration.
8. On the Finish page, click Close. The Edit Claim Rules for Adatum TestApp window opens.
9. In the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click Add
Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming claim, and then click
Next.
11. In the Claim rule name box, type Pass through Windows account name rule, in the Incoming
Claim type drop-down list, select Windows account name.
12. Select Pass through all claim values, and then click Finish.
13. Click OK, and then close the AD FS console.
Task 3: Verify access to the A. Datum test application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and connect to
https://lon-svr1.adatum.com/adatumtestapp/.
Note: The logon process has changed, and you must now select an authority that can
authorize and validate the access request. The Home Realm Discovery page (the Sign In page)
appears and you must select an authority.
2. On the Sign In page, select mun-dc1.treyresearch.net, and then click Continue to Sign in.
3. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then
press Enter. You should be able to access the application.

5. Open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/ again.
6. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
Note: You are not prompted for a home realm again. Once users have selected a home
realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the
relying party federation server. The default lifetime for the cookie is 30 days. Therefore, to log on
multiple times, you should delete that cookie after each logon attempt to return to a clean state.
Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a specific group
1. On MUN-DC1, open the AD FS console, expand Trust Relationships, and then click Relying Party
Trusts.
2. Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.
3. On the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click
Add Rule.
4. On the Select Rule Template page, under Claim rule template, select Send Group Membership as
a Claim, and then click Next.
5. On the Configure Rule page, in the Claim rule name field, type Permit Production Group Rule.
6. Next to Users Group, click Browse, type Production, and then click OK.
7. Under Outgoing claim type, click Group.
8. Under Outgoing claim value, type Production, and then click Finish. Click OK.
9. On LON-DC1, if required, open the AD FS Management console.

10. In the AD FS console, expand Trust Relationships, and then click Claim Provider Trusts.
11. Select mun-dc1.treyresearch.net, and in the Actions pane, click Edit Claim Rules.
12. On the Acceptance Transform Rules tab, click Add Rule.
14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.
15. In the Incoming claim type drop-down list, click Group, and then click Finish. Click Yes, and then
click OK.
16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.
17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.
18. On the Issuance Transform Rules tab, click Add Rule.
19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.
20. Under Claim rule name, type Send TreyResearch Group Name Rule.
21. In the Incoming claim type drop-down list, click Group, and then click Finish.
22. On the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab,
select the rule named Permit Access to All Users, and then click Remove Rule. Click Yes to confirm.
With no rules, no users are permitted access.
23. On the Issuance Authorization Rules tab, click Add Rule.
24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
25. On the Configure Rule page, in Claim rule name, type Permit TreyResearch Production Group
Rule, in the Incoming claim type drop-down list, select Group, in Incoming claim value, type
Production, select the option to Permit access to users with this incoming claim, and then click
Finish.
27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
28. On the Configure Rule page, in the Claim rule name field, type Temp, in the Incoming claim type
drop-down list, select UPN, in the Incoming claim value field, type @adatum.com, select the
option to Permit access to users with this incoming claim, and then click Finish.
29. Click the Temp rule, and click Edit Rule.
30. In the Edit Rule Temp dialog box, click View Rule Language.
31. Press Ctrl + C to copy the rule language to the clipboard, and then click OK.
32. Click Cancel.
33. Click the Temp rule, click Remove Rule, and then click Yes.
35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a
Custom Rule, and then click Next.
36. On the Configure Rule page, in the Claim rule name field, type ADatum User Access Rule.
37. Click in the Custom rule box, and then press Crtl + V to paste the clipboard contents into the box.
Edit the first URL to match the following text, and then click Finish.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~

"^(?i).+@adatum\.com$"]=> issue(Type =
http://schemas.microsoft.com/authorization/claims/permit, Value = PermitUsersWithClaim);
Note: This rule enables access to anyone who presents a claim that includes the User
Principal Name (UPN) of @adatum.com. The Value line in the first URL defines the attribute that
much be matched in the claim. In this line, ^ indicates the beginning of the string to match, (?i)
means that the text is case insensitive, .+ means that one or more characters will be added, and $
means the end of the string.
38. Click OK to close the property page, and save the changes to the relying party trust.
Task 5: Verify restrictions and accessibility to the claims-aware application

1. On MUN-DC1, open Internet Explorer, and connect to https://lon-
svr1.adatum.com/adatumtestapp/.
2. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. April is not a member of the Production group, so she should not be able to access the
application.
4. Re-open Internet Explorer, click the Tools icon in the top right corner, and then click Internet
options.
5. Under Browsing history, click Delete, click Delete again, and then click OK.
6. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
7. On the Sign In page, click mun-dc1.treyresearch.net and then click Continue to Sign in.
8. When prompted for credentials, type TreyResearch\Morgan with password Pa$$w0rd, and then
press ENTER. Morgan is a member of the Production group, and should be able to access the
application.
Results: In this exercise, you configured a claims provider trust for TreyResearch on Adatum.com. and a
relying party trust for Adatum on TreyResearch. You verified access to the A. Datum claim-aware
application. Then you configured the application to restrict access from TreyResearch to specific groups,
and you verified appropriate access.
To shut down the virtual machines

2. In the Virtual Machines list, right-click 20412A-MUN-DC1, and then click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, and 20412A-LON-DC1.


70-412 Configuring Advanced Windows Server 2012 Servicesk

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

70-412 Configuring Advanced Windows Server 2012 Servicesk

Uploaded by

Copyright:

Available Formats

MCT USE ONLY.

STUDENT USE PROHIBITED

Microsoft and the trademarks listed at

Product Number: 20412A

Part Number: X18-48644

a. If you are a Authorized Learning Center:

b. If you are a MPN Member.

c. If you are an End User:

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable

13. APPLICABLE LAW.

This limitation applies to

LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous

Revised December 2011

Stan Reimer Content Developer

Damir Dizdarevic Subject Matter Expert/Content Developer

Orin Thomas Content Developer

Vladimir Meloski Content Developer

Nick Portlock Author

Gary Dunlop Subject Matter Expert

Ulf B. Simon-Weidner Technical Reviewer

Module 2: Implementing Advanced File Services

Module 3: Implementing Dynamic Access Control

Module 4: Implementing Network Load Balancing

Module 5: Implementing Failover Clustering

Module 6: Implementing Failover Clustering with Hyper-V

Lab: Implementing Failover Clustering with Hyper-V 6-31

Module 7: Implementing Disaster Recovery

Module 8: Implementing Distributed Active Directory Domain Services Deployments

Module 9: Implementing Active Directory Domain Services Sites and Replication

Module 10: Implementing Active Directory Certificate Services

Module 11: Implementing Active Directory Rights Management Services

Module 12: Implementing Active Directory Federation Services

Lab Answer Keys

About This Course

Configuring local storage

Configuring roles and features

Configuring file and print services

Configuring IPv4 and IPv6 addresses

Installing domain controllers

Creating and managing group policies

Configuring local security policies

Configuring Windows Firewall

Configuring Windows Server 2012 Hyper-V

Equivalent knowledge of 20411A: Administering Windows Server 2012 course

Deploying and managing Windows Server images

Installing and configuring Update Services

Installing and configuring Distributed Files System (DFS)

Installing and configuring File Server Resource Manager (FSRM)

Configuring file and disk access, and audit policies

Configuring DNS security and integration with AD DS

Configuring Domain Controllers

Plan and implement an AD DS deployment that includes multiple locations.

Implement an Active Directory Certificate Services (AD CS) deployment.

Implement an Active Directory Rights Management Services (AD RMS) deployment.

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Lab Answer Keys: provide step-by-step lab solution guidance.

To provide additional comments or feedback on the course, send an email to

Virtual Machine Environment

Virtual Machine Configuration

1. On the virtual machine, on the Action menu, click Close.

Virtual machine Role