
OFFICIAL MICROSOFT LEARNING PRODUCT

20410A
Installing and Configuring Windows Server® 2012
ii 20410A: Installing and Configuring Windows Server® 2012

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement by Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement by Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20410A

Part Number: X18-48636

Released: 07/2012
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good
standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 10 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to:

o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this
licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights
under local consumer protection law, which this agreement cannot change. Where permitted by local law, the
implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft
and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim any compensation
for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country
does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above
limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if those
laws do not permit it to do so.

Revised June 2012


Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Stan Reimer - Content Developer and Lead Subject Matter Expert


Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Active Directory® Domain Services (AD DS) and Microsoft
Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for
two Active Directory books for Microsoft Press®. For the last nine years, Stan has been writing courseware
for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a
Microsoft Certified Trainer (MCT) for 12 years.

Damir Dizdarevic - Content Developer and Subject Matter Expert


Damir Dizdarevic, an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), and Microsoft Certified IT Professional (MCITP), is a manager and trainer of the Learning
Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of
experience on Microsoft platforms, and he specializes in Windows Server®, Exchange Server, security and
virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft®
Official Curriculum (MOC) courses, and has published more than 400 articles in various Information
Technology (IT) magazines, such as Windows ITPro and INFO Magazine. Damir is also a frequent and
highly rated speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft
Most Valuable Professional (MVP) for Windows Server Infrastructure Management.

Gary Dunlop - Subject Matter Expert


Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview
Networks. He has authored a number of Microsoft Learning titles, and has been an MCT since 1997.

Siegfried Jagott - Content Developer


Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at
Atos Germany. He is an award winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft
Press) and has authored and technically reviewed several MOC courses on various topics such as MOC
10165: Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange
Server 2010 SP1. Siegfried has coauthored various other Windows® operating system, System Center
Virtual Machine Manager (SC VMM) and Exchange books, and is a frequent presenter on these topics at
international conferences such as the IT & Dev Connections conference, held in spring 2012, in Las Vegas.
Siegfried has planned, designed, and implemented some of the world’s largest Windows and Exchange
Server infrastructures for international customers. He received an MBA from Open University in England,
and has been an MCSE since 1997.

Jason Kellington - Subject Matter Expert


Jason Kellington (MCT, MCITP, and MCSE) is a consultant, trainer, and author. He has experience working
with a wide range of Microsoft technologies, and focuses on enterprise network infrastructure. Jason
works in several capacities with Microsoft. He is a content developer for Microsoft Learning courseware
titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.

Vladimir Meloski - Content Developer


Vladimir is an MCT, an MVP on Exchange Server, and a consultant, providing unified communications and
infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync® Server, and Microsoft
System Center. Vladimir has 16 years of professional experience in information technology.
Vladimir has been involved in Microsoft conferences in Europe and in the United States as a speaker,
moderator, proctor for hands-on labs, and technical expert. He has been also involved as a subject matter
expert and technical reviewer for several MOC courses.

Nick Portlock - Subject Matter Expert


Nick has been an MCT for 15 years. He is a self-employed IT trainer, consultant, and author. Last year,
Nick taught in over 20 countries. He specializes in AD DS, Group Policy, and Domain Name System (DNS),
and has consulted with a variety of companies over the last decade. He has reviewed more than 100
Microsoft courses. Nick is a member of the Windows 7 Springboard Series Technical Expert Panel (STEP)
program.

Brian Svidergol - Technical Reviewer


Brian Svidergol specializes in Microsoft infrastructure and cloud-based solutions based around Windows
operating systems, AD DS, Exchange Server, System Center, virtualization, and Microsoft Desktop
Optimization Package (MDOP). He holds the MCT, MCITP (Enterprise Administrator (EA)), MCITP
(Virtualization Administrator (VA)), MCITP (Exchange 2010), and several other Microsoft and industry
certifications. Brian authored Microsoft Official Curriculum (MOC) course 6426C: Configuring and
Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory. He has also
worked for several years on Microsoft certification exam development and related training content.

Orin Thomas - Subject Matter Expert


Orin Thomas is an MVP, an MCT, and has a variety of MCSE and MCITP certifications. He has written more
than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine. He has been
working in IT since the early 1990s. He regularly speaks at events such as TechEd in Australia, and around
the world on Windows Server, Windows Client, System Center, and security topics. Orin founded and runs
the Melbourne System Center Users Group.

Byron Wright - Content Developer and Subject Matter Expert


Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems
implementation, and technical training. Byron is also a sessional instructor for the Asper School of
Business at the University of Manitoba, teaching management information systems and networking. Byron
has authored and co-authored a number of books on Windows Server operating systems, Windows Vista,
and Exchange Server, including the Windows Server 2008 Active Directory Resource Kit.

Contents
Module 1: Deploying and Managing Windows Server 2012
Lesson 1: Windows Server 2012 Overview 1-2
Lesson 2: Overview of Windows Server 2012 Management 1-14
Lesson 3: Installing Windows Server 2012 1-19
Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24
Lesson 5: Introduction to Windows PowerShell 1-32
Lab: Deploying and Managing Windows Server 2012 1-37

Module 2: Introduction to Active Directory Domain Services


Lesson 1: Overview of AD DS 2-2
Lesson 2: Overview of Domain Controllers 2-8
Lesson 3: Installing a Domain Controller 2-13
Lab: Installing Domain Controllers 2-18

Module 3: Managing Active Directory Domain Services Objects


Lesson 1: Managing User Accounts 3-3
Lesson 2: Managing Group Accounts 3-15
Lesson 3: Managing Computer Accounts 3-22
Lesson 4: Delegating Administration 3-27
Lab: Managing Active Directory Domain Services Objects 3-30

Module 4: Automating Active Directory Domain Services Administration


Lesson 1: Using Command-line Tools for Administration 4-2
Lesson 2: Using Windows PowerShell for Administration 4-7
Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13
Lab: Automating AD DS Administration by Using Windows PowerShell 4-20

Module 5: Implementing IPv4


Lesson 1: Overview of TCP/IP 5-2
Lesson 2: Understanding IPv4 Addressing 5-6
Lesson 3: Subnetting and Supernetting 5-11
Lesson 4: Configuring and Troubleshooting IPv4 5-16
Lab: Implementing IPv4 5-23

Module 6: Implementing DHCP


Lesson 1: Installing a DHCP Server Role 6-2
Lesson 2: Configuring DHCP Scopes 6-7
Lesson 3: Managing a DHCP Database 6-12
Lesson 4: Securing and Monitoring DHCP 6-16
Lab: Implementing DHCP 6-21

Module 7: Implementing DNS


Lesson 1: Name Resolution for Windows Clients and Servers 7-2
Lesson 2: Installing and Managing a DNS Server 7-10
Lesson 3: Managing DNS Zones 7-16
Lab: Implementing DNS 7-20

Module 8: Implementing IPv6


Lesson 1: Overview of IPv6 8-2
Lesson 2: IPv6 Addressing 8-8
Lesson 3: Coexistence with IPv6 8-13
Lesson 4: IPv6 Transition Technologies 8-17
Lab: Implementing IPv6 8-22

Module 9: Implementing Local Storage


Lesson 1: Overview of Storage 9-2
Lesson 2: Managing Disks and Volumes 9-11
Lesson 3: Implementing Storage Spaces 9-20
Lab: Implementing Local Storage 9-25

Module 10: Implementing File and Print Services


Lesson 1: Securing Files and Folders 10-2
Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15
Lesson 3: Configuring Network Printing 10-18
Lab: Implementing File and Print Services 10-23

Module 11: Implementing Group Policy


Lesson 1: Overview of Group Policy 11-2
Lesson 2: Group Policy Processing 11-10
Lesson 3: Implementing a Central Store for Administrative Templates 11-15
Lab: Implementing Group Policy 11-19

Module 12: Securing Windows Servers Using Group Policy Objects


Lesson 1: Windows Security Overview 12-2
Lesson 2: Configuring Security Settings 12-6
Lab A: Increasing Security for Server Resources 12-15
Lesson 3: Restricting Software 12-21
Lesson 4: Configuring Windows Firewall with Advanced Security 12-25
Lab B: Configuring AppLocker and Windows Firewall 12-29

Module 13: Implementing Server Virtualization with Hyper-V


Lesson 1: Overview of Virtualization Technologies 13-2
Lesson 2: Implementing Hyper-V 13-8
Lesson 3: Managing Virtual Machine Storage 13-15
Lesson 4: Managing Virtual Networks 13-22
Lab: Implementing Server Virtualization with Hyper-V 13-27

Lab Answer Keys


Module 1 Lab: Deploying and Managing Windows Server 2012 L1-1
Module 2 Lab: Installing Domain Controllers L2-9
Module 3 Lab: Managing Active Directory Domain Services Objects L3-13
Module 4 Lab: Automating AD DS Administration by Using
Windows PowerShell L4-21
Module 5 Lab: Implementing IPv4 L5-25
Module 6 Lab: Implementing DHCP L6-29
Module 7 Lab: Implementing DNS L7-35
Module 8 Lab: Implementing IPv6 L8-41
Module 9 Lab: Implementing Local Storage L9-45
Module 10 Lab: Implementing File and Print Services L10-49
Module 11 Lab: Implementing Group Policy L11-55
Module 12 Lab A: Increasing Security for Server Resources L12-59
Module 12 Lab B: Configuring AppLocker and Windows Firewall L12-65
Module 13 Lab: Implementing Server Virtualization with Hyper-V L13-71

About This Course


This section provides a brief description of the course, 20410A: Installing and Configuring
Windows Server® 2012, together with its audience, suggested prerequisites, and course objectives.

Course Description
Note: This first release (A) Microsoft® Official Curriculum (MOC) version of course 20410A has been
developed on prerelease software (Windows® 8 Release Preview and Windows Server® 2012 Release
Candidate (RC)). Microsoft Learning will release a B version of this course after the release to
manufacturing (RTM) version of the software is available.

This course is part one of a series of three courses, which provide the skills and knowledge necessary to
implement a core Windows Server 2012 infrastructure in an existing enterprise environment.

The three courses in total will collectively cover implementing, managing, maintaining, and provisioning
services and infrastructure in a Windows Server 2012 environment.

While there is some cross-over in skillset and tasks across the courses, this course will primarily cover the
initial implementation and configuration of those core services, such as Active Directory® Domain Services
(AD DS), networking services, and initial Hyper-V® configuration.

Audience
This course is intended for Information Technology (IT) Professionals who have good Windows operating
system knowledge and experience, and want to acquire the skills and knowledge necessary to implement
the core infrastructure services in an existing Windows Server 2012 environment.
The secondary audience consists of those seeking certification through Exam 70-410: Installing and
Configuring Windows Server 2012.

Student Prerequisites
This course requires that you meet the following prerequisites:

• A good understanding of networking fundamentals


• An understanding of, and experience configuring, security and administration tasks in an enterprise
environment

• Experience supporting or configuring Windows operating system clients

• Good hands-on Windows client operating system experience with Windows Vista®, Windows 7, or
Windows 8.

Students would also benefit from having some previous Windows Server operating system experience.

Course Objectives
After completing this course, students will be able to:

• Install and Configure Windows Server 2012.

• Describe AD DS.

• Manage AD DS objects.

• Automate AD DS administration.

• Implement TCP/IPv4.

• Implement Dynamic Host Configuration Protocol (DHCP).

• Implement Domain Name System (DNS).

• Implement IPv6.

• Implement local storage.

• Share files and printers.

• Implement Group Policy.

• Use Group Policy Objects to secure Windows Servers.


• Implement server virtualization using Hyper-V.

Course Outline
This section provides an outline of the course:

Module 1, Deploying and Managing Windows Server 2012

Module 2, Introduction to Active Directory Domain Services


Module 3, Managing Active Directory Domain Services Objects

Module 4, Automating Active Directory Domain Services Administration

Module 5, Implementing IPv4

Module 6, Implementing DHCP

Module 7, Implementing DNS

Module 8, Implementing IPv6


Module 9, Implementing Local Storage

Module 10, Implementing File and Print Services

Module 11, Implementing Group Policy

Module 12, Securing Windows Servers Using Group Policy Objects

Module 13, Implementing Server Virtualization with Hyper-V

Exam/Course Mapping
This course, 20410A: Installing and Configuring Windows Server® 2012, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-410: Installing and Configuring Windows
Server 2012.

The table below is provided as a study aid that will assist you in preparation for taking this exam and to
show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.

Note The exam objectives are available online at the following URL
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab2.

Exam Objective Domain: Exam 70-410: Installing and Configuring Windows Server 2012, mapped to
course content (module and lesson; lab exercise)

Install and Configure Servers

Install servers.
  This objective may include but is not limited to: Plan for a server installation; plan for
  server roles; plan for a server upgrade; install Server Core; optimize resource utilization by
  using Features on Demand; migrate roles from previous versions of Windows Server
  Course content: Mod 1 Lesson 1; Mod 1 Ex 1

Configure servers.
  This objective may include but is not limited to: Configure Server Core; delegate
  administration; add and remove features in offline images; deploy roles on remote servers;
  convert Server Core to/from full GUI; configure services; configure NIC teaming
  Course content: Mod 1 Lesson 1/2; Mod 1 Ex 1/2/3
                  Mod 3 Lesson 4; Mod 1 Ex 2

Configure local storage.
  This objective may include but is not limited to: Design storage spaces; configure basic and
  dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard
  disks (VHDs); configure storage pools and disk pools
  Course content: Mod 9 Lesson 2/3; Mod 9 Ex 3/4

Configure Server Roles and Features

Configure file and share access.
  This objective may include but is not limited to: Create and configure shares; configure share
  permissions; configure offline files; configure NTFS permissions; configure access-based
  enumeration (ABE); configure Volume Shadow Copy Service (VSS); configure NTFS quotas
  Course content: Mod 10 Lesson 1/2; Mod 10 Ex 1/2

Configure print and document services.
  This objective may include but is not limited to: Configure the Easy Print print driver;
  configure Enterprise Print Management; configure drivers; configure printer pooling; configure
  print priorities; configure printer permissions
  Course content: Mod 10 Lesson 3; Mod 10 Ex 3

Configure servers for remote management.
  This objective may include but is not limited to: Configure WinRM; configure down-level server
  management; configure servers for day-to-day management tasks; configure multi-server
  management; configure Server Core; configure Windows Firewall
  Course content: Mod 1 Lesson 1/2/4
                  Mod 12 Lesson 3; Mod 12 Ex 2

Configure Hyper-V

Create and configure virtual machine settings.
  This objective may include but is not limited to: Configure dynamic memory; configure smart
  paging; configure Resource Metering; configure guest integration services
  Course content: Mod 13 Lesson 2; Mod 13 Ex 3

Create and configure virtual machine storage.
  This objective may include but is not limited to: Create VHDs and VHDX; configure differencing
  drives; modify VHDs; configure pass-through disks; manage snapshots; implement a virtual Fibre
  Channel adapter
  Course content: Mod 9 Lesson 1
                  Mod 13 Lesson 2/3; Mod 13 Ex 3/4

Create and configure virtual networks.
  This objective may include but is not limited to: Implement Hyper-V Network Virtualization;
  configure Hyper-V virtual switches; optimize network performance; configure MAC addresses;
  configure network isolation; configure synthetic and legacy virtual network adapters
  Course content: Mod 13 Lesson 4; Mod 13 Ex 2

Deploy and Configure Core Network Services

Configure IPv4 and IPv6 addressing.
  This objective may include but is not limited to: Configure IP address options; configure
  subnetting; configure supernetting; configure interoperability between IPv4 and IPv6; configure
  ISATAP; configure Teredo
  Course content: Mod 1 Lesson 4; Mod 1 Ex 1/2
                  Mod 5 Lesson 2/3/4; Mod 5 Ex 1/2
                  Mod 8 Lesson 3/4; Mod 8 Ex 2

Deploy and configure Dynamic Host Configuration Protocol (DHCP) service.
  This objective may include but is not limited to: Create and configure scopes; configure a DHCP
  reservation; configure DHCP options; configure client and server for PXE boot; configure DHCP
  relay agent; authorize DHCP server
  Course content: Mod 6 Lesson 1/2/3/4; Mod 6 Ex 1/2

Deploy and configure DNS service.
  This objective may include but is not limited to: Configure Active Directory integration of
  primary zones; configure forwarders; configure Root Hints; manage DNS cache; create A and PTR
  resource records
  Course content: Mod 7 Lesson 1/2/3; Mod 7 Ex 1/2/3

Install and Administer Active Directory

Install domain controllers.
  This objective may include but is not limited to: Add or remove a domain controller from a
  domain; upgrade a domain controller; install Active Directory Domain Services (AD DS) on a
  Server Core installation; install a domain controller from Install from Media (IFM); resolve
  DNS SRV record registration issues; configure a global catalog server
  Course content: Mod 2 Lesson 3; Mod 2 Ex 1/2

Create and manage Active Directory users and computers.
  This objective may include but is not limited to: Automate the creation of Active Directory
  accounts; create, copy, configure, and delete users and computers; configure templates; perform
  bulk Active Directory operations; configure user rights; offline domain join; manage inactive
  and disabled accounts
  Course content: Mod 1 Lesson 4
                  Mod 3 Lesson 1; Mod 3 Ex 2
                  Mod 4 Lesson 1/2/3; Mod 4 Ex 1/2/3

Create and manage Active Directory groups and organizational units (OUs).
  This objective may include but is not limited to: Configure group nesting; convert groups
  including security, distribution, universal, domain local, and domain global; manage group
  membership using Group Policy; enumerate group membership; delegate the creation and
  management of Active Directory objects; manage default Active Directory containers; create,
  copy, configure, and delete groups and OUs
  Course content: Mod 3 Lesson 2/4; Mod 3 Ex 1/2/3
                  Mod 4 Lesson 1; Mod 4 Ex 4

Create and Manage Group Policy

Create Group Policy objects (GPOs).
  This objective may include but is not limited to: Configure a Central Store; manage starter
  GPOs; configure GPO links; configure multiple local group policies; configure security filtering
  Course content: Mod 11 Lesson 1/2/3; Mod 11 Ex 1/2

Configure security policies.
  This objective may include but is not limited to: Configure User Rights Assignment; configure
  Security Options settings; configure Security templates; configure Audit Policy; configure Local
  Users and Groups; configure User Account Control (UAC)
  Course content: Mod 12 Lesson 2; Mod 12 Lab A Ex 1/2/3

Configure application restriction policies.
  This objective may include but is not limited to: Configure rule enforcement; configure
  AppLocker rules; configure Software Restriction Policies
  Course content: Mod 12 Lesson 3; Mod 12 Lab B Ex 1

Configure Windows Firewall.
  This objective may include but is not limited to: Configure rules for multiple profiles using
  Group Policy; configure connection security rules; configure Windows Firewall to allow or deny
  applications, scopes, ports, and users; configure authenticated firewall exceptions; import and
  export settings
  Course content: Mod 12 Lesson 4; Mod 12 Lab B Ex 2

Important Attending this course in itself will not successfully prepare you to pass any associated
certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:

• A minimum of one year's real-world, hands-on experience installing and configuring a Windows Server
infrastructure

• Additional study outside of the content in this handbook

There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab3

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to
change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.

Course Materials
The following materials are included with your kit:

• Course Handbook A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.

• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s
needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site:


Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to
supplement the Course Handbook.

• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.

• Resources: Include well-categorized additional resources that give you immediate access to the
most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.

Student Course files on the http://www.microsoft.com/learning/companionmoc Site: Includes
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.

• Course evaluation At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail
to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft® Hyper-V to perform the labs.

Important At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine without saving the changes, perform the following
steps:

1. On the virtual machine, on the Action menu, click Close.

2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off and delete changes, and then click OK.
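The same reset can be scripted on the Hyper-V host. The following Windows PowerShell is an added example and is not part of the course's lab instructions: it powers off every lab virtual machine without saving state and reverts it to its checkpoint (called a snapshot by the Windows Server 2012 cmdlets). It assumes the course's 20410A- naming prefix and that the checkpoint to return to is the oldest one on each virtual machine; both are assumptions, so adjust the name filter and the checkpoint selection for your own host.

```powershell
# Added example, not part of the course text: PowerShell equivalent of
# "Turn off and delete changes" for every lab VM on this Hyper-V host.
# Assumptions: VM names start with 20410A- (the course prefix) and the
# baseline to return to is the oldest checkpoint on each VM.

Import-Module Hyper-V

foreach ($vm in Get-VM -Name '20410A-*') {
    if ($vm.State -ne 'Off') {
        # -TurnOff is a hard power-off: nothing is saved, which is the point.
        Stop-VM -VM $vm -TurnOff -Force
    }

    # Oldest checkpoint = lab baseline (assumption; pass a name if you have several).
    $snap = Get-VMSnapshot -VM $vm | Sort-Object CreationTime | Select-Object -First 1
    if ($snap) {
        Restore-VMSnapshot -VMSnapshot $snap -Confirm:$false
        Write-Output "$($vm.Name): reverted to checkpoint '$($snap.Name)'"
    } else {
        # Without a checkpoint there is nothing to revert to; say so loudly rather
        # than silently starting the next lab on a modified VM.
        Write-Warning "$($vm.Name): no checkpoint found; changes were NOT discarded"
    }
}
```

Run it in an elevated session on the host (the Hyper-V cmdlets need administrator rights). Stop-VM with -TurnOff does not wait for a clean shutdown inside the guest, which is acceptable here only because the guest's disk changes are about to be discarded anyway.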

The following table shows the role of each virtual machine used in this course.

Virtual machine       Role

20410A-LON-DC1        A domain controller running Windows Server 2012 in the Adatum.com domain.

20410A-LON-SVR1       A member server running Windows Server 2012 in the Adatum.com domain.

20410A-LON-SVR2       A member server running Windows Server 2012 in the Adatum.com domain. This
                      server will be located on a second subnet.

20410A-LON-SVR3       A blank virtual machine on which students will install Windows Server 2012.

20410A-LON-SVR4       A stand-alone server running Windows Server 2012 that will be used for
                      joining domains and initial configuration.

20410A-LON-HOST1      A bootable VHD for running Windows Server 2012 as the host for Hyper-V.

20410A-LON-CORE       A stand-alone server running Windows Server 2012 Server Core.

20410A-LON-RTR        A router that is used for network activities that require a separate subnet.

20410A-LON-CL1        A client computer running Windows 8 and Microsoft Office 2010 Service Pack 1
                      (SP1) in the Adatum.com domain.

20410A-LON-CL2        A client computer running Windows 8 and Office 2010 SP1 in the Adatum.com
                      domain that is located in a second subnet.

Software Configuration
In addition to the operating systems listed above, the following software is installed:

• Microsoft Network Monitor 3.4 is installed on LON-SVR2.

Course Files
There are lab files associated with the labs in this course. The lab files are located in the folder
E:\Labfiles\LabXX on NYC-DC1.

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

• Hardware level 6 with 8 gigabytes (GB) of random access memory (RAM)



Module 1
Deploying and Managing Windows Server 2012
Contents:
Module Overview 1-1

Lesson 1: Windows Server 2012 Overview 1-2

Lesson 2: Overview of Windows Server 2012 Management 1-14

Lesson 3: Installing Windows Server 2012 1-19

Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24

Lesson 5: Introduction to Windows PowerShell 1-32

Lab: Deploying and Managing Windows Server 2012 1-37


Module Review and Takeaways 1-45

Module Overview
Understanding the capabilities of a new server operating system enables you to leverage that operating
system effectively. If you do not understand the capabilities of your new operating system, you may end
up using it like you used the previous operating system, and you may forego the advantages of the new
system. By understanding how to utilize your new Windows Server® 2012 operating system fully, and by
understanding the tools that are available to manage that functionality you will provide your organization
with more value.
This module introduces the new Windows Server 2012 administrative interface. In this module, you will
learn about the different roles and features that are available with the Windows Server 2012 operating
system. You will also learn about the different installation options from which you can choose when
deploying Windows Server 2012.

This module discusses the configuration steps that you can perform both during installation and after
deployment to ensure that each server can begin functioning in its assigned role. You will also learn how
to use Windows PowerShell® to perform common administrative tasks in Windows Server 2012.

Objectives
After completing this module, you will be able to:

• Describe Windows Server 2012.

• Describe the management tools available in Windows Server 2012.

• Install Windows Server 2012.

• Perform post-installation configuration of Windows Server 2012.

• Perform basic administrative tasks using Windows PowerShell.


1-2 Deploying and Managing Windows Server 2012

Lesson 1
Windows Server 2012 Overview
Before deploying Windows Server 2012, you need to understand how each of the Windows Server 2012
editions might benefit your organization's servers. You also need to know whether a particular hardware
configuration is appropriate for Windows Server 2012, whether a virtual deployment might be more
suitable than a physical deployment, and which installation source allows you to deploy Windows Server
2012 in an efficient manner. If you do not have an understanding of these issues, you could end up
costing your organization time and money by making a choice that you must later correct.

This lesson provides an overview of the various Windows Server 2012 editions, installation options, roles,
and features. Using this information, you will be able to determine which Windows Server 2012 edition
and installation options are right for your organization.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the place of a locally deployed server on a modern network.

• Explain the difference between the private and public clouds.

• List the different editions of Windows Server 2012.

• Describe the difference between a Server Core installation of Windows Server 2012 and a traditional
installation of Windows Server 2012.

• Explain the function of the server roles that are available on computers running Windows Server
2012.

• Explain the purpose of various Windows Server 2012 features.

On-Premises Servers
As an IT professional, you probably have heard about cloud computing. You might have heard how
software and services are being moved to a public or private cloud because the cloud is at the heart of
the future of enterprise computing. You could also have heard that Windows Server 2012 is ready for the
cloud. As an IT professional who has worked with locally deployed servers for most of your career, it
would be reasonable to ask, "If everything is moving to the cloud, why do I need to learn about deploying
Windows Server 2012 locally?"

The reality is, not every service and application used on a daily basis should be hosted in the cloud.
Locally deployed servers form the backbone of an organizational network. Locally deployed servers
provide the following resources to clients:

• Infrastructure services. Servers provide clients with infrastructure resources, including Domain Name
System (DNS) and Dynamic Host Configuration Protocol (DHCP) services. These services allow clients
to connect and communicate with other resources. Without these services, clients would not be able
to connect either to each other or to remote resources, including resources hosted in the cloud.

• Shared files and printers. Servers provide a centralized location that allows users to store and share
documents. Servers also host resources such as shared printers that allow groups of users to leverage
resources more efficiently. Without these centralized locally deployed resources, sharing files and
backing up files centrally would be a more complex and time-intensive process. While it might be
possible to host some of this information in the cloud, it doesn’t always make sense to send a job to a
printer that is in the next room through a server hosted at a remote location.

• Hosted applications. Servers host applications such as Microsoft® Exchange Server, Microsoft SQL
Server®, Microsoft Dynamics®, and Microsoft System Center. Clients access these applications to
accomplish different tasks, such as accessing e-mail or self-service deployment of desktop
applications. In some cases, these resources can be deployed to the cloud. In many cases these
resources must be hosted locally for performance, cost, and regulatory reasons. The choice on
whether to host these resources locally or in the cloud depends on the specifics of the individual
organization.

• Network access. Servers provide authentication and authorization resources to clients on the network.
By authenticating against a server, a user and client can prove their identity. Even when many of an
organization’s servers are located in the cloud, people still need to have some form of local
authentication and authorization infrastructure.
• Application, Update, and Operating System deployment. Servers are often deployed locally to assist
with the deployment of applications, updates, and operating systems to clients on the organizational
network. Because of intensive bandwidth utilization, these servers must be in proximity to the clients
to which they are providing this service.

Each organization will have its own requirements. An organization in an area that has limited Internet
connectivity is going to rely more on servers on the premises than an organization that has access to
high-speed broadband. It is important that, even in a case of Internet connectivity issues, work in an
organization can continue. Productivity will be negatively affected if the failure of the organization’s
Internet connection suddenly means that no one is able to access their shared files and printers.

While Windows Server 2012 is promoted as being ready for the cloud, remember that, for all the cloud-
ready features the product has, the operating system is still eminently suited to the traditional workhorse
tasks that server operating systems have performed for at least the last two decades. If you have been
working as an IT professional for some time, it is likely that you will configure and deploy Windows Server
2012 to perform the same or similar workloads that you configured for servers running Windows Server
2003 and maybe even for Windows NT 4.
Question: What is the difference between a server and a client operating system?

Question: How has the role of the server evolved over time from the Microsoft
Windows NT 4.0 Server operating system to Windows Server 2012?
1-4 Deploying and Managing Windows Server 2012

What Is Cloud Computing?
Cloud computing is a general description that encompasses several different technologies.

The most common forms of cloud computing are:
• Infrastructure as a Service (IaaS). With this form of cloud computing, you can run a full virtual machine in
the cloud. The cloud hosting provider manages the hypervisor platform, and you manage the virtual
machine that runs on the cloud provider’s infrastructure. Windows Azure™ Compute is an example of IaaS.
You can run Windows Server 2012 as a virtual machine in an IaaS cloud, but in some cases the operating
system will host the virtual machines in an IaaS cloud.

• Platform as a Service (PaaS). With PaaS, the cloud hosting provider provisions you with a particular
platform. For example, a provider may allow you to host databases. You manage the database itself, and
the cloud hosting provider hosts the database server. SQL Azure™ is an example of Platform as a Service.

• Software as a Service (SaaS). The cloud hosting provider hosts your application and all of the
infrastructure that supports that application. You purchase and run a software application from a cloud
hosting provider. Windows InTune™ and Microsoft Office 365 are examples of SaaS.

Public and Private Clouds
A public cloud is a cloud service that is hosted by a cloud services provider, and is made available for
public use. A public cloud may host a single tenant, or host tenants from multiple organizations. As such,
public cloud security is not as strong as private cloud security, but public cloud hosting typically costs less
because costs are absorbed by multiple tenants.

In contrast, private clouds are cloud infrastructure that is dedicated to a single organization. Private clouds
may be hosted by the organization itself, or may be hosted by a cloud services provider who ensures that
the cloud services are not shared with any other organization.

Private clouds are more than simply large scale hypervisor deployments; they can use the System Center
2012 management suite, which makes it possible to provide self-service delivery of services and
applications. For example, in an organization that has its own private cloud, it would be possible for users
to use a self-service portal to request multi-tier applications including web-server, database-server, and
storage components. Windows Server 2012 and the components of the System Center 2012 suite are
configured in such a way that this service request can be processed automatically, without requiring the
manual deployment of virtual machines and database server software.

Question: Which type of cloud would you use to deploy a custom virtual machine running
Windows Server 2012?

Options for Windows Server 2012
There are several different editions of Windows Server 2012 from which to choose. These editions
allow organizations to select a version of Windows Server 2012 that best meets their needs, rather
than pay for features that they do not require.

When deploying a server for a specific role, systems administrators can save substantially by
selecting the appropriate edition.

The following table lists the Windows Server 2012 editions.

Edition Description

Windows Server 2012 Standard edition
    Provides all roles and features available on the Windows Server 2012 platform. Supports up to
    64 sockets and up to 4 terabytes (TB) of RAM. Includes two virtual machine licenses.

Windows Server 2012 Datacenter edition
    Provides all roles and features that are available on the Windows Server 2012 platform. Includes
    unlimited virtual machine licenses for virtual machines run on the same hardware. Supports 64
    sockets, up to 640 processor cores, and up to 4 TB of RAM.

Windows Server 2012 Foundation edition
    Aimed at small business owners, this edition allows only 15 users, cannot be joined to a domain,
    and includes limited server roles. Supports one processor core and up to 32 GB of RAM.

Windows Server 2012 Essentials
    Next edition of Small Business Server. Must be root server in domain. It cannot function as a
    Hyper-V®, Failover Clustering, Server Core, or Remote Desktop Services server. It has limits for
    25 users and 50 devices. Supports two processor cores and 64 GB of RAM.

Microsoft Hyper-V Server 2012
    Stand-alone Hyper-V platform for virtual machines with no UI. No licensing cost (free) for host
    OS, but virtual machines are licensed normally. Supports 64 sockets and 4 TB of RAM. Supports
    domain join. Does not support other Windows Server 2012 roles other than limited file services
    features.

Windows Storage Server 2012 Workgroup
    Entry-level unified storage appliance. Limited to 50 users, one processor core, 32 GB of RAM.
    Supports domain join.

Windows Storage Server 2012 Standard
    Supports 64 sockets, but is licensed on a two-socket incrementing basis. Supports 4 TB of RAM.
    Includes two virtual machine licenses. Supports domain join. Supports some roles including DNS
    and DHCP Server roles, but does not support others including Active Directory® Domain Services
    (AD DS), Active Directory Certificate Services (AD CS), and Active Directory Federation Services
    (AD FS).

Windows MultiPoint Server 2012 Standard
    Supports multiple users accessing the same host computer directly using separate mouse,
    keyboard, and monitors. Limited to one socket, 32 GB of RAM, and a maximum of 12 sessions.
    Supports some roles including DNS and DHCP Server roles, but does not support others including
    AD DS, AD CS, and AD FS. Does not support domain join.

Windows MultiPoint Server 2012 Premium
    Supports multiple users accessing the same host computer directly using separate mouse,
    keyboard, and monitors. Limited to two sockets, 4 TB of RAM, and a maximum of 22 sessions.
    Supports some roles including DNS and DHCP Server roles, but does not support others including
    AD DS, AD CS, and AD FS. Supports domain join.

Note: For more information about the differences between Windows Server 2012 editions,
see the Windows Server Catalog at http://www.windowsservercatalog.com/svvp.aspx.

What Is Server Core?
Server Core is a minimal installation option for Windows Server 2012 that you manage from
Windows PowerShell or a command line rather than by using GUI-based tools. A Windows Server
2012 Server Core installation offers fewer components and administrative management options
than the full installation of Windows Server 2012. Server Core installation is the default
installation option when installing Windows Server 2012. Server Core has the following advantages
over a traditional Windows Server 2012 deployment:
• Reduced update requirements. Because Server Core installs fewer components, its deployment
requires you to install fewer software updates. This reduces the amount of time required for an
administrator to service Server Core.

• Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. When
virtualized, this means that you can deploy more servers on the same host.

Increasing numbers of Microsoft server applications are designed to run on computers with Server Core–
installed operating systems. For example, you can install SQL Server 2012 on computers running the
Server Core–installed version of Windows Server 2008 R2.

There are two ways of installing Windows Server 2012 in a Server Core configuration:

• Server Core. The standard deployment of Server Core. It is possible to convert to the full version of
Windows Server 2012 with the graphical administration components only if you have access to an
installation source with all server files, such as a mounted Windows image file (.wim) image.

• Server Core with Management. Also known as Server Core-Full Server. This works the same as a
deployment of Windows Server 2012 with the graphical component, except that the graphical
components are neither installed nor removed from the system. You can convert between Server Core
with Management and Windows Server 2012 with a graphical interface by installing the graphical
features, but without needing to specify an installation source.

You can switch from Server Core to the graphical version of Windows Server 2012 by running the
following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that
hosts the full version of the Windows Server 2012 installation files:

Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount

Installing the graphical components gives you the option of performing administrative tasks using the
graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command-line
tool. You will learn more about how to perform this task in Lesson 4, “Post-installation Configuration of
Windows Server 2012.”

Once you have performed the necessary administrative tasks, you can return the computer to its original
Server Core configuration. You can switch a computer that has the graphical version of Windows Server
2012 to Server Core by removing the following features:
• Graphical Management Tools and Infrastructure

• Server Graphical Shell

Note: Be careful when removing graphical features, as some servers will have other
components installed that are dependent upon those features.
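As an added example that is not part of the course text, the following Windows PowerShell script shows how to check for those dependent components and do a dry run before removing the two features. It assumes the feature names Server-Gui-Mgmt-Infra and Server-Gui-Shell (the Windows Server 2012 names of the two features listed above) and uses Uninstall-WindowsFeature, for which Remove-WindowsFeature is an alias.

```powershell
# Added example (not from the course): find out what a return to Server Core
# would take with it, then do a dry run, before removing the graphical features.
# Assumed feature names: Server-Gui-Mgmt-Infra ("Graphical Management Tools and
# Infrastructure") and Server-Gui-Shell ("Server Graphical Shell").
Import-Module ServerManager

$guiFeatures = 'Server-Gui-Shell', 'Server-Gui-Mgmt-Infra'

# Every feature object carries a DependsOn list. Any installed feature that
# depends on one of the GUI features would be uninstalled together with them.
$dependents = Get-WindowsFeature |
    Where-Object {
        $_.Installed -and
        ($guiFeatures -notcontains $_.Name) -and
        ($_.DependsOn | Where-Object { $guiFeatures -contains $_ })
    }

if ($dependents) {
    Write-Warning 'These installed features depend on the graphical features and would be removed too:'
    $dependents | Format-Table Name, DisplayName -AutoSize
}

# Dry run: -WhatIf reports what would be uninstalled without changing the server.
Uninstall-WindowsFeature -Name $guiFeatures -WhatIf

# Only after reviewing the output above, perform the real conversion.
# Adding -Remove would also delete the binaries (Features on Demand); the features
# would then report InstallState "Removed" and could only be reinstalled with -Source.
# Uninstall-WindowsFeature -Name $guiFeatures -Restart
```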

When connected locally, you can use the tools that are listed in the following table to manage Server Core
deployments of Windows Server 2012.

Tool Function

Cmd.exe Allows you to run traditional command-line tools such as ping.exe,


ipconfig.exe, and netsh.exe.

PowerShell.exe Launches a Windows PowerShell session on the Server Core deployment. You
can then perform Windows PowerShell tasks normally.

Sconfig.cmd A command-line menu-driven administrative tool that allows you to perform


most common server administrative tasks.

Notepad.exe Allows you to use the Notepad.exe text editor within the Server Core
environment.

Regedt32.exe Provides registry access within the Server Core environment.

Msinfo32.exe Allows you to view system information about the Server Core deployment.

Taskmgr.exe Launches the Task Manager.

Note: If you accidentally close the command window on a computer that is running Server
Core, you can recover the command window by performing the following steps:
1. Press Ctrl+Alt+DEL, and then select Task Manager.
2. From the File menu, click New Task (Run…), and then type cmd.exe.

Server Core supports most—but not all—Windows Server 2012 roles and features. You cannot install the
following roles on a computer running Server Core:

• AD FS
• Application Server

• Network Policy and Access Services (NPAS)

• Windows Deployment Services (Windows DS)

Even if a role is available to a computer that is running the Server Core installation option, a specific role
service that is associated with that role may not be available.

Note: You can check which roles on Server Core are available and which are not by running
the query Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}.

The Windows Server 2012 administration paradigm focuses more on managing many servers from one
console than the traditional method of managing each server separately. This means that when you want
to perform an administrative task, you are more likely to manage multiple computers that are running the
Server Core operating system from one computer, than you are to connect to each computer individually.
You can enable remote management of a computer that is running Server Core through sconfig.cmd, or
by running the following command:

Netsh.exe firewall set service remoteadmin enable ALL
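As an added example (not course content), the following script does the same job with the Windows Server 2012 NetSecurity cmdlets but limits the rules to the Domain firewall profile instead of enabling them on ALL profiles. It assumes that the firewall rule group named Remote Administration is the set of rules the netsh remoteadmin service refers to, and that Configure-SMRemoting.exe is present in the system directory.

```powershell
# Added example (not from the course): enable remote administration of a
# Server Core computer, scoped to the Domain firewall profile rather than ALL.
# Assumption: the rule group "Remote Administration" is the set of rules that
# the netsh "remoteadmin" service switches on.
$group = 'Remote Administration'

# Show the rules in the group and their state before changing anything.
Get-NetFirewallRule -DisplayGroup $group |
    Select-Object DisplayName, Enabled, Profile, Direction |
    Format-Table -AutoSize

# Enable the rules, then restrict them to the Domain profile so the same ports
# are not exposed when the server is connected to a Public network.
Enable-NetFirewallRule -DisplayGroup $group
Set-NetFirewallRule -DisplayGroup $group -Profile Domain

# Server Manager and Windows PowerShell remoting use WinRM rather than the
# RPC-based "Remote Administration" rules; this is the switch sconfig.cmd uses.
Configure-SMRemoting.exe -Enable

# Verify the result: only enabled rules, with the profile they now apply to.
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Profile
```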

Windows Server 2012 Roles

To properly plan how you are going to use Windows Server 2012 to support your organization’s
requirements, you need to be fully aware of what roles are available as part of the operating system.
Each version of Windows Server ships with a different set of roles. As new versions of Windows Server
are released, some roles are enhanced and others are deprecated. For the most part, the roles that are
available in Windows Server 2012 are familiar to IT professionals that have managed Windows Server
2008 and Windows Server 2003.

Windows Server 2012 supports the server roles that are listed in the following table.

Role Function

Active Directory Certificate Services (AD CS)
    Allows you to deploy certification authorities and related role services.

AD DS
    A centralized store of information about network objects, including user and computer accounts.
    Used for authentication and authorization.

AD FS
    Provides web single sign-on (SSO) and secured identity federation support.

Active Directory Lightweight Directory Services (AD LDS)
    Supports storage of application-specific data for directory-aware applications that do not require
    the full infrastructure of AD DS.

Active Directory Rights Management Services (AD RMS)
    Allows you to apply rights management policies to prevent unauthorized access to sensitive
    documents.

Application Server
    Supports centralized management and hosting of high-performance distributed business
    applications, such as those built with Microsoft .NET Framework 4.5, and .NET Enterprise Services.

DHCP Server
    Provisions client computers on the network with temporary IP addresses.

DNS Server
    Provides name resolution for TCP/IP networks.

Fax Server
    Supports sending and receiving of faxes. Also allows you to manage fax resources on the network.

File and Storage Services
    Supports the management of shared folders storage, distributed file system (DFS), and network
    storage.

Hyper-V®
    Enables you to host Virtual Machines on computers that are running Windows Server 2012.

Network Policy and Access Services
    Authorization infrastructure for remote connections, including Health Registration Authority (HRA)
    for Network Access Protection (NAP).

Print and Document Services
    Supports centralized management of document tasks, including network scanners and networked
    printers.

Remote Access
    Supports Seamless Connectivity, Always On, and Always Managed features based on DirectAccess.
    Also supports Remote Access through virtual private network (VPN) and dial-up connections.

Remote Desktop Services (RDS)
    Supports access to virtual desktops, session-based desktops, and RemoteApp programs.

Volume Activation Services
    Allows you to automate and simplify the management of volume license keys and volume key
    activation. Allows you to manage a Key Management Service (KMS) host or configure AD DS–based
    activation for computers that are members of the domain.

Web Server (IIS)
    The Windows Server 2012 web server component.

Windows DS
    Allows you to deploy server operating systems to clients over the network.

Windows Server Update Services (WSUS)
    Provides a method of deploying updates for Microsoft products to network computers.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s
configuration (such as firewall settings), to support the role. Windows Server 2012 also automatically
deploys role dependencies simultaneously. For example, when you install the WSUS role, the Web Server
(IIS) role components that are required to support the WSUS role are also installed automatically.
You add and remove roles using the Add Roles and Features Wizard, which is available from the Windows
Server 2012 Server Manager console. If you are using Server Core, then you can also add and remove
roles using the Install-WindowsFeature and Remove-WindowsFeature Windows PowerShell cmdlets.

Question: Which roles are often co-located on the same server?

What Are the Features of Windows Server 2012?
Windows Server 2012 features are independent components that often support role services or
support the server directly.

For example, Windows Server Backup is a feature as it only provides backup support for the local
server. It is not a resource that can be used by other servers on the network.

Windows Server 2012 includes the features that are listed in the following table.

Feature Description

.NET Framework 3.5 Features
    Installs .NET Framework 3.5 technologies.

.NET Framework 4.5 Features
    Installs .NET Framework 4.5 technologies. This feature is installed by default.

Background Intelligent Transfer Service (BITS)
    Allows asynchronous transfer of files to ensure that other network applications are not adversely
    impacted.

Windows BitLocker® Drive Encryption
    Supports full-disk and full-volume encryption, and startup environment protection.

BitLocker network unlock
    Provides a network-based key protector that can unlock locked BitLocker–protected domain-joined
    operating systems.

Windows BranchCache®
    Allows the server to function as either a hosted cache server or a BranchCache content server for
    BranchCache clients.

Client for NFS
    Provides access to files stored on network file system (NFS) servers.

Data Center Bridging
    Allows you to enforce bandwidth allocation on Converged Network Adapters.

Enhanced Storage
    Provides support for additional functionality available in Enhanced Storage Access (IEEE 1667
    protocol) device, including data access restrictions.

Failover Clustering
    A high-availability feature that allows Windows Server 2012 to participate in failover clustering.

Group Policy Management
    An administrative management tool for administering Group Policy across an enterprise.

Ink and Handwriting Services
    Allows use of Ink Support and Handwriting Recognition.

Internet Printing Client
    Supports use of Internet Printing Protocol.

IP Address Management (IPAM) Server
    Centralized management of IP address and namespace infrastructure.

Internet SCSI (iSCSI) Target Storage Provider
    Provides iSCSI target and disk management services to Windows Server 2012.

Internet Storage Name Service (iSNS) Server service
    Supports discovery services of iSCSI storage area networks (SANs).

Line Printer Remote (LPR) Port Monitor
    Allows computer to send print jobs to printers that are shared using the Line Printer Daemon (LPD)
    service.

Management Open Data Protocol (OData) IIS Extension
    Allows you to expose Windows PowerShell cmdlets through an OData–based web service running on
    the IIS platform.

Media Foundation
    Supports media file infrastructure.

Message Queuing
    Supports message delivery between applications.

Multipath input/output (I/O)
    Supports multiple data paths to storage devices.

Network Load Balancing (NLB)
    Allows traffic to be distributed in a load balanced manner across multiple servers that host the
    same stateless application.

Peer Name Resolution Protocol (PNRP)
    Name resolution protocol that allows applications to resolve names on the computer.

Quality Windows Audio Video Experience
    Supports audio and video streaming applications on IP home networks.

Remote Access Server (RAS) Connection Manager Administration Kit
    Allows you to create connection manager profiles that simplify remote access configuration
    deployment to client computers.

Remote Assistance
    Allows remote support through invitations.

Remote Differential Compression (RDC)
    Transfers the differences between files over a network, minimizing bandwidth utilization.

Remote Server Administration Tools
    Collection of consoles and tools for remotely managing roles and features on other servers.

Remote Procedure Call (RPC) over HTTP Proxy
    Relays RPC traffic over HTTP as an alternative to VPN connections.

Simple TCP/IP Services
    Supports basic TCP/IP services, including Quote of the Day.

Simple Mail Transfer Protocol (SMTP) Server
    Supports transfer of email messages.

Simple Network Management Protocol (SNMP) Service
    Includes SNMP agents that are used with the network management services.

Subsystem for UNIX-based Applications
    Supports Portable Operating System Interface for UNIX (POSIX)–compliant UNIX-based
    applications.

Telnet Client
    Allows outbound connections to Telnet servers and other Transmission Control Protocol
    (TCP)-based services.

Telnet Server
    Allows clients to connect to the server using the Telnet protocol.

Trivial File Transfer Protocol (TFTP) Client
    Allows you to access TFTP servers.

User Interfaces and Infrastructure
    Contains the components necessary to support the graphical interface installation option on
    Windows Server 2012. On graphical installations, this feature is installed by default.

Windows Biometric Framework (WBF)
    Allows use of fingerprint devices for authentication.

Windows Feedback Forwarder
    Supports sending of feedback to Microsoft when joining a Customer Experience Improvement
    Program (CEIP).

Windows Identity Foundation 3.5
    Set of .NET Framework classes that support implementing claims-based identity on .NET
    applications.

Windows Internal Database
    Relational data store that can only be used by Windows roles and features such as WSUS.

Windows PowerShell
    Task-based command-line shell and scripting language used to administer computers running
    Windows operating systems. This feature is installed by default.

Windows PowerShell Web Access
    Allows remote management of computers by running Windows PowerShell sessions in a web
    browser.

Windows Process Activation Service (WAS)
    Allows applications hosting WCF services that do not use HTTP protocols to use features of IIS.

Windows Search Service
    Allows fast searches of files hosted on a server for clients compatible with the Windows Search
    Service.

Windows Server Backup
    Backup and recovery software for Windows Server 2012.

Windows Server Migration Tools
    Collection of Windows PowerShell cmdlets that assist in the migration of server roles, operating
    system settings, files, and shares from computers running previous versions of Windows Server
    operating systems to Windows Server 2012.

Windows Standards-Based Storage Management
    Set of Application Programming Interfaces (APIs) that allow the discovery, management, and
    monitoring of storage devices that use standards such as Storage Management Initiative
    Specification (SMI-S).

Windows System Resource Manager (WSRM)
    Allows you to control the allocation of CPU and memory resources.

Windows TIFF IFilter
    Supports Optical Character Recognition on Tagged Image File Format (TIFF) 6.0-compliant files.

WinRM IIS Extension
    Windows Remote Management for IIS.

Windows Internet Naming Service (WINS) Server
    Supports name resolution for NetBIOS names.

Wireless local area network (LAN) Service
    Allows the server to use a wireless network interface.

Windows on Windows (WoW) 64 Support
    Supports running 32-bit applications on Server Core installations. This feature is installed by
    default.

XPS Viewer
    Supports the viewing and signing of documents in XPS formats.

Features on Demand
Features on Demand is a Windows Server 2012 installation option where features are not available directly
on the deployed server, but can be added if you have access to a remote source, such as a mounted
image of the full operating system. The advantage of a Features on Demand installation is that it requires
less hard disk space than a traditional installation. The disadvantage is that you must have access to a
mounted installation source if you want to add a role or feature, something that is not necessary if you
perform an installation of Windows Server 2012 with the graphical features enabled.
Question: Which feature do you need to install to support NetBIOS name resolution for
client computers running a Microsoft Windows NT 4.0 workstation?

Lesson 2
Overview of Windows Server 2012 Management
Initially configuring a server correctly can save you from substantial problems later. Windows Server 2012
provides multiple tools to perform specific administrative tasks, each of which is appropriate for a given
set of circumstances. The Windows Server 2012 management interface also enhances the ability for server
administrators to perform administrative tasks on more than one server simultaneously.

In this lesson you will learn about the different management tools that you can use to perform
administrative tasks on computers that are running the Windows Server 2012 operating system.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Server Manager.

• Describe how to use administrative tools.

• Describe how to use Server Manager to perform a variety of tasks.

• Describe how to configure services.

• Describe how to configure remote management.

What Is Server Manager?
Server Manager is the primary graphical tool that you will use to manage computers running
Windows Server 2012. You can use the Server Manager console to manage both the local server
and remote servers. You can also manage servers as groups. By managing servers as groups, you can
perform the same administrative tasks quickly across multiple servers that either perform the
same role, or are members of the same group.

You can use the Server Manager console to perform the following tasks on both local servers
and remote servers:

• Add roles and features

• Launch Windows PowerShell sessions

• View events

• Perform server configuration tasks

Best Practice Analyzers
Server Manager includes a Best Practices Analyzer tool for all Windows Server 2012 roles. With Best
Practices Analyzer, you can determine whether roles on your network are functioning efficiently or if there
are problems that you need to remediate. Best Practices Analyzer examines how a role functions—
including querying associated event logs for warning and error events—so you can be aware of health
issues associated with specific roles before those health issues cause a failure that impacts the server
functionality.
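As an added example that is not from the course, the following script runs the Best Practices Analyzer for the DNS Server role and pulls the role's recent warning and error events from Windows PowerShell, which is what the Server Manager dashboard does behind its BPA results and Events tiles. It assumes the BPA model ID Microsoft/Windows/DNSServer for the DNS Server role (Get-BpaModel lists the models actually registered on a server) and the event log name DNS Server.

```powershell
# Added example (not from the course): run the Best Practices Analyzer for the
# DNS Server role and list its recent events from Windows PowerShell.
# Assumed model ID: Microsoft/Windows/DNSServer. Assumed log name: DNS Server.
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DNSServer'

# List the BPA models installed with the server's roles, with their last scan time.
Get-BpaModel | Select-Object Id, LastScanTime | Format-Table -AutoSize

# Run a fresh scan; results are stored per model and read back with Get-BpaResult.
Invoke-BpaModel -ModelId $modelId | Out-Null

# Report only the findings that need remediation (Error and Warning severity).
$findings = Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Severity -in 'Error', 'Warning' } |
    Sort-Object Severity

if ($findings) {
    $findings | Format-List Severity, Category, Title, Problem, Resolution
} else {
    'No BPA errors or warnings for the DNS Server role.'
}

# Role-related events from the last 48 hours (Critical, Error, Warning), the
# same window the Events detail view in Server Manager can be set to.
# -ErrorAction SilentlyContinue suppresses the error Get-WinEvent raises when
# no event matches the filter.
Get-WinEvent -FilterHashtable @{
    LogName   = 'DNS Server'
    StartTime = (Get-Date).AddHours(-48)
    Level     = 1, 2, 3
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```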

Administrative Tools
When you use Server Manager to perform a specific role-related or feature-related administrative
task, the console launches the appropriate administrative tool. When you install a role or feature
using Server Manager locally or remotely, the appropriate administrative tool is also loaded. For
example, if you use Server Manager to install the DHCP role on another server, the DHCP console
will automatically be installed on the local server. You can install the complete set of administrative
tools for Windows Server 2012 by installing the Remote Server Administration Tools feature.

The tools that administrators most commonly use (aside from Windows PowerShell, which you will
learn about in Lesson 5) include:

• Active Directory Administrative Center. With this console, you can perform Active Directory
administrative tasks such as raising domain and forest functional levels and enabling the Active
Directory Recycle Bin. You also use this console to manage Dynamic Access Control.

• Active Directory Users and Computers. With this tool, you can create and manage Active Directory
users, computers, and groups. You can also use this tool to create Organizational Units (OUs).

• DNS Console. With the DNS console, you can configure and manage the DNS Server role. This
includes creating forward and reverse lookup zones and managing DNS records.

• Event Viewer. You can use the Event Viewer to view events recorded in the Windows Server 2012
event logs.

• Group Policy Management Tool. With this tool, you can edit Group Policy Objects (GPOs) and
manage their application in AD DS.

• IIS Manager Tool. You can use this tool to manage websites.

• Performance Monitor. You can use this console to view and record performance data by selecting
counters associated with specific resources that you want to monitor.

• Resource Monitor. You can use this console to view real-time information on CPU, memory, disk and
network utilization.

• Task Scheduler. You can use this console to manage the execution of scheduled tasks.

You can access each of these tools from the Tools menu in Server Manager.

Note: You can also pin frequently used tools to the Windows Server 2012 taskbar, or to the
Start menu.

Demonstration: Using Server Manager
In this demonstration, you will see how Server Manager is used to perform the following tasks:

• Log on to Windows Server 2012 and view the Windows Server 2012 desktop.

• Add a feature by Using the Add Roles and Features Wizard.

• View role-related events.

• Run the Best Practice Analyzer for a role.

• List the tools available from Server Manager.

• Restart Windows Server 2012.

Demonstration Steps

Log on to Windows Server 2012 and view the Windows Server 2012 desktop
• Log on to LON-DC1, and then close the Server Manager console.

Add a feature by Using the Add Roles and Features Wizard


1. Open Server Manager from the taskbar.

2. Start the Add Roles and Features Wizard.

3. Select Role-based or feature-based installation.


4. Select Select a server from the server pool, verify that LON-DC1.Adatum.com is selected, and
then click Next.

5. On the Select server roles page, select Fax Server.


6. In the Add Roles and Features Wizard dialog box, click Add Features.

7. On the Select features page, click BranchCache.

8. On the Fax Server page, click Next.


9. On the Print and Document Services page, click Next.

10. On the Select role services page, click Next.

11. On the Confirmation page, select the Restart the destination server automatically if required
check box, click Yes, click Install and then click Close.

12. Click the flag icon next to Server Manager Dashboard, and review the messages.

View role-related events


1. Click the Dashboard node.

2. In the Roles and Server Groups pane, under DNS, click Events.

3. On the DNS - Events Detail View, change the time period to 48 hours, and the Event Sources to
All.

Run the Best Practice Analyzer for a role


1. Under DNS, click BPA results.

2. Select All on the Severity Levels drop-down menu, and then click OK.

List the tools available from Server Manager


• Click on the Tools menu, and review the tools that are installed on LON-DC1.

Log off the currently logged-on user


1. On the Start menu, click Administrator, and then click Sign Out.

2. Log on to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.

Restart Windows Server 2012
• In a Windows PowerShell window, type the following command, and then press Enter:

Shutdown /r /t 60
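The same demonstration can be driven from Windows PowerShell with the ServerManager and BestPractices modules. The following is an added example written for this edition of the page, not part of the original course material; it assumes the lab domain controller LON-DC1 with the DNS Server role already installed, as in the demonstration above.

```powershell
# Added example: PowerShell equivalents of the Server Manager demonstration.
# Assumes the lab domain controller LON-DC1 with the DNS Server role installed.
Import-Module ServerManager
Import-Module BestPractices

# Add the Fax Server role and the BranchCache feature with their management
# tools. RestartNeeded tells you whether the wizard would have rebooted.
$result = Install-WindowsFeature -Name Fax, BranchCache -IncludeManagementTools
"Success: $($result.Success)  Restart needed: $($result.RestartNeeded)"

# View role-related events: the most recent 20 entries of the DNS Server log.
Get-WinEvent -LogName 'DNS Server' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Run the Best Practices Analyzer for the DNS Server role and list every
# result, not only errors and warnings (Severity Levels = All in the GUI).
Invoke-BpaModel -ModelId 'Microsoft/Windows/DNSServer' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/DNSServer' |
    Select-Object Severity, Category, Title |
    Format-Table -AutoSize -Wrap

# Inventory what is installed. Every installed role, role service and feature
# is attack surface, so review this list as part of hardening the server.
Get-WindowsFeature | Where-Object { $_.Installed } |
    Select-Object Name, DisplayName, FeatureType |
    Format-Table -AutoSize

# Restart after a 60 second delay, matching shutdown /r /t 60.
Start-Sleep -Seconds 60
Restart-Computer -Force
```

Run the script from an elevated PowerShell window on LON-DC1; the inventory step is the one worth keeping in a post-build checklist, because features added for a demonstration (such as Fax Server here) are easy to forget and leave running.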

Configuring Services
Services are programs that run in the background and provide services to clients and to the host server. You can manage services through the Services console, which is available through the Tools menu in Server Manager. When securing a computer, you should disable all services except those that are required by the roles, features, and applications that are installed on the server.

Startup Types
Services use one of the following startup types:

• Automatic. The service starts automatically when the server boots.

• Automatic (Delayed Start). The service starts automatically after the server has booted.

• Manual. The service must be started manually, either by a program or by an administrator.

• Disabled. The service is disabled and cannot be started.

Note: If a server is behaving problematically, open the Services console, sort by startup type, and then locate those services that are configured to start automatically and which are not in a running state.

Service Recovery
Recovery options determine what a service does in the event that it fails. You access the Recovery tab by opening the Properties window of a service (for example, the DNS Server service). On the Recovery tab, you have the following recovery options:

• Take no action. The service remains in a failed state until attended to by an administrator.

• Restart the Service. The service restarts automatically.

• Run a Program. Allows you to run a program or a script.

• Restart the Computer. The computer restarts after a preconfigured number of minutes.

You can configure different recovery options for the first failure, the second failure, and subsequent failures. You can also configure a period of time after which the service failure clock resets.

Managed Service Accounts
Managed service accounts are special domain-based accounts that you can use with services. The advantage of a managed service account is that the account password is rotated automatically according to a schedule. These password changes are automatic, and do not require administrator intervention. This minimizes the chance that the service account password will be compromised, something that happens because administrators traditionally assign simple passwords to service accounts, use the same service account across a large number of servers, and never bother to update those passwords. Virtual accounts are service-specific accounts that are local rather than domain-based. The password for virtual accounts is rotated and managed by the operating system.
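The following added example, which is not part of the original course material, shows how a managed service account is created, installed on a host, and assigned to a service, and how a virtual account is assigned for the single-host case. The names svc-web, LON-SVR1, MyAppService, and the adatum.com domain are assumptions for illustration; the cmdlets are from the ActiveDirectory module, which must be present on the domain controller and on the member server.

```powershell
# Added example: group managed service account (gMSA) in Windows Server 2012.
# svc-web, LON-SVR1, MyAppService and adatum.com are assumed names.
Import-Module ActiveDirectory

# One-time forest prerequisite: a KDS root key. Backdating the effective
# time skips the normal 10 hour replication wait; acceptable in a lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Create the account. Only the principals listed here may retrieve the
# password, so the credential cannot be reused on an unlisted host.
New-ADServiceAccount -Name svc-web -DNSHostName svc-web.adatum.com `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer LON-SVR1) `
    -Enabled $true

# On the member server LON-SVR1: install the account locally and verify it.
Install-ADServiceAccount -Identity svc-web
Test-ADServiceAccount  -Identity svc-web      # True when the host can use it

# Run a service as the gMSA. The trailing $ marks a managed account and no
# password is supplied: Windows retrieves and rotates it automatically.
sc.exe config MyAppService obj= "ADATUM\svc-web$" password= ""

# Alternative for a single host: a virtual account, local to the machine,
# whose password the operating system manages. The name is always
# NT SERVICE\<service name>.
sc.exe config MyAppService obj= "NT SERVICE\MyAppService"
```

Restart the service after changing its logon account, and grant the new identity only the file and registry permissions the service actually needs; the value of a managed account is lost if it is simply added to Administrators.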

Question: What is the advantage of a managed service account compared with a traditional domain-based service account?

Configuring Remote Management
You rarely perform systems administration from the server room. Almost all tasks that you perform on a daily basis will be performed using remote management technologies. With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote management tools to manage a computer remotely. You can enable Remote Management from Server Manager by performing the following steps:

1. In the Server Manager console, click the Local Server node.

2. In the Properties dialog box for the local server, next to Remote Management, click Disabled. This opens the Configure Remote Management dialog box.

3. In the Configure Remote Management dialog box, select the Enable Remote Management Of This Server From Other Computers check box, and then click OK.

You can enable remote management from the command line by running the command winrm quickconfig (or its short form, winrm qc). You can disable Remote Management by using the same method that you use to enable it: open the Configure Remote Management dialog box and clear the check box. You can enable or disable remote management on a computer running the Server Core installation option by using the sconfig.cmd tool.
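The following added example, which is not part of the original course material, enables remote management from PowerShell, verifies which listeners exist, and runs a command on a remote server. LON-SVR1 is an assumed target name; Configure-SMRemoting.exe is the helper behind the Server Manager toggle described above.

```powershell
# Added example: enabling, verifying and using Windows Remote Management.
# LON-SVR1 is an assumed target. Run from an elevated PowerShell window.

# Configure the WinRM service, create an HTTP listener and open the
# firewall rule: the PowerShell equivalent of winrm quickconfig.
Enable-PSRemoting -Force

# Server Manager's own Remote Management property can be read and set with
# this helper on Windows Server 2012 (-Enable / -Disable / -Get).
Configure-SMRemoting.exe -Get

# Verify which listeners exist and on which transports. Inside a domain the
# HTTP listener is acceptable because Kerberos authenticates and encrypts
# the traffic; for non-domain hosts add an HTTPS listener instead.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath | Where-Object { $_.Name -in 'Transport', 'Port', 'Address' }
}

# Confirm the remote endpoint answers before trying to manage it.
Test-WSMan -ComputerName LON-SVR1

# Run a command remotely with Kerberos: no credentials are typed and none
# are cached on the target. The session is removed afterwards.
$s = New-PSSession -ComputerName LON-SVR1
Invoke-Command -Session $s -ScriptBlock {
    Get-Service | Where-Object Status -eq 'Running' | Measure-Object
}
Remove-PSSession $s

# To turn PowerShell remoting off again use Disable-PSRemoting -Force; as its
# own warning states, that leaves the WinRM service and listeners in place,
# so disable those separately if remote management is not wanted at all.
```

The listener check matters because quickconfig adds only an HTTP listener; that is fine for Kerberos-authenticated domain members but, with Basic or Negotiate over NTLM to a non-domain host, credentials and traffic are exposed without an HTTPS listener.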

Remote Desktop
Remote Desktop is the traditional method by which systems administrators remotely connect to the servers that they manage. You can configure Remote Desktop on a computer that is running the full version of Windows Server 2012 by performing the following steps:

1. In the Server Manager console, click the Local Server node.

2. Next to Remote Desktop, click Disabled.

3. In the System Properties dialog box, on the Remote tab, select one of the following options:

   o Don't allow connections to this computer. The default state; Remote Desktop is disabled.

   o Allow connections from computers running any version of Remote Desktop. Allows connections from Remote Desktop clients that do not support Network Level Authentication.

   o Allow connections only from computers running Remote Desktop with Network Level Authentication. Allows secure connections only from computers running Remote Desktop clients that support Network Level Authentication. With Network Level Authentication, the client must authenticate before a session is created on the server, so unauthenticated connections never reach the logon screen; prefer this option unless you must support older clients.

You can enable and disable Remote Desktop on computers that are running the Server Core installation option by using the sconfig.cmd command-line tool.
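The three Remote tab options map to two registry values, which is how Remote Desktop is configured on Server Core or in a build script. The following added example, not part of the original course material, enables Remote Desktop with Network Level Authentication and opens the matching firewall rule group; the registry paths are the standard Terminal Server keys.

```powershell
# Added example: enabling Remote Desktop with Network Level Authentication
# from the command line (usable on Server Core, where System Properties is
# unavailable). Registry paths are the standard Terminal Server keys.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections: 1 = "Don't allow connections to this computer" (the
# default); 0 = one of the two "Allow connections" options.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# UserAuthentication: 1 = require NLA (the third option above), so the client
# authenticates before a session is created; 0 = allow any client version.
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1

# Open the built-in Remote Desktop firewall rule group (TCP 3389).
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Check: the two values should read back as 0 and 1, and the rule group
# should show Enabled = True.
Get-ItemProperty -Path $ts  -Name fDenyTSConnections
Get-ItemProperty -Path $rdp -Name UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object Name, Enabled, Profile
```

To disable Remote Desktop again, set fDenyTSConnections back to 1 and run Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'.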

Lesson 3
Installing Windows Server 2012
When preparing to install Windows Server 2012, you need to understand whether a particular hardware configuration is appropriate. You also need to know whether a Server Core deployment might be more suitable than a full graphical user interface (GUI) deployment, and which installation source allows you to deploy Windows Server 2012 in an efficient manner.

In this lesson you will learn about the process of installing Windows Server 2012, including the methods that you can use to install the operating system, the different installation options, the minimum system requirements, and the decisions that you need to make when using the Installation Wizard.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the different methods that you can use to install Windows Server 2012.

• Identify the different installation types that you can choose when installing Windows Server 2012.

• Determine whether a computer or virtual machine meets the minimum hardware requirements necessary to install Windows Server 2012.

• Describe the decisions that you need to make when performing a Windows Server 2012 installation.

Installation Methods
Microsoft distributes Windows Server 2012 on optical media and in an .iso image format. ISO format is becoming more common as organizations acquire software over the Internet rather than physically.

Once you have the operating system from Microsoft, you can then use your own method to deploy the operating system. You can install Windows Server 2012 by using a variety of methods, including the following:

• Optical Media

   o Disadvantages include:

      - Requires that the computer has access to a DVD-ROM drive.

      - Is usually slower than USB media.

      - You cannot update the installation image without replacing the media.

      - You can only perform one installation per DVD-ROM at a time.

• USB Media

   o Advantages include:

      - Most modern computers allow boot from USB media.

      - The image can be updated as new software updates and drivers become available.

      - The answer file can be stored on a USB drive, minimizing the amount of interaction that the administrator must perform.

   o Disadvantages include:

      - It requires the administrator to perform special steps to prepare USB media from an ISO file.

• Mounted ISO image

   o Advantages include:

      - With virtualization software, you can mount the ISO image directly, and install Windows Server 2012 on the virtual machine.

• Network Share

   o Advantages include:

      - It is possible to boot a server off a boot device (DVD or USB drive) and install from installation files hosted on a network share.

   o Disadvantages include:

      - This method is much slower than using Windows Deployment Services. If you already have access to DVD or USB media, it is simpler to use those for operating system deployment.

• Windows DS

   o Advantages include:

      - You can deploy Windows Server 2012 from WIM image files or specially prepared VHD files.

      - You can use the Windows Automated Installation Kit (AIK) to configure lite-touch deployment.

      - Clients perform a Pre-Boot eXecution Environment (PXE) boot to contact the WDS server, and the operating system image is transmitted to the server over the network.

      - WDS allows multiple concurrent installations of Windows Server 2012 using multicast network transmissions.

• System Center Configuration Manager

   o Advantages include:

      - System Center Configuration Manager allows you to fully automate the deployment of Windows Server 2012 to new servers that do not have an operating system installed. This process is called Zero Touch deployment.

• Virtual Machine Manager Templates

   o Advantages include:

      - Windows Server 2012 is usually deployed in private cloud scenarios from preconfigured virtual machine templates. You can configure multiple components of the System Center suite to allow self-service deployment of Windows Server 2012 virtual machines.

Question: What is another method that you can use to deploy Windows Server 2012?

Installation Types
How you deploy Windows Server 2012 on a specific server depends on the circumstances of that deployment. Deploying to a server that is running Windows Server 2008 R2 requires different actions than deploying to a server running an x86 edition of Windows Server 2003. When you are performing the installation of the Windows Server 2012 operating system, you can choose one of the options in the following table.

Installation Option | Description

Fresh installation | Allows you to perform a fresh install on a new disk or volume. Fresh installations are the most frequently used, and take the shortest amount of time. You can also use this option to configure Windows Server 2012 to perform a dual boot if you want to keep the existing operating system.

Upgrade | An upgrade preserves the files, settings, and applications installed on the original server. You perform an upgrade when you want to keep all of these items and want to continue to use the same server hardware. You can only upgrade to Windows Server 2012 from x64 versions of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. You can only upgrade to an equivalent or newer edition of Windows Server 2012. You launch an upgrade by running setup.exe from within the original operating system.

Migration | Use migration when migrating from an x86 version of Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings.

When you perform a fresh installation, you can deploy Windows Server 2012 to an unpartitioned disk, or to an existing volume. You can also install Windows Server 2012 to a specially-prepared VHD file in a "boot to VHD" scenario. Boot to VHD requires special preparation and is not an option that you can choose when performing a typical installation using the Windows Setup wizard.

Hardware Requirements for Windows Server 2012
Hardware requirements define the minimum hardware that is required to run Windows Server 2012. Your actual hardware requirements might be greater, and depend on the services that the server is hosting, the load on the server, and the responsiveness that you require of your server. Each role service and feature places a unique load on network, disk I/O, processor, and memory resources. For example, the file server role places different stresses on server hardware than the DHCP role.

Windows Server 2012 is supported on Hyper-V® and certain other non-Microsoft virtualization platforms. Windows Server 2012 virtualized deployments need to meet the same hardware specifications as physical deployments. For example, when creating a virtual machine to host Windows Server 2012, you need to ensure that you configure the virtual machine with enough memory and hard disk space.

Windows Server 2012 has the following minimum hardware requirements:

• Processor architecture: x86-64

• Processor speed: 1.4 gigahertz (GHz)

• Memory (RAM): 512 megabytes (MB)

• Hard disk drive space: 32 GB, more if the server has more than 16 GB of RAM

The Datacenter edition of Windows Server 2012 supports the following hardware maximums:

• 640 logical processors

• 4 TB of RAM

• 64 failover cluster nodes
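The minimums above can be checked on an existing Windows installation or a running virtual machine before you decide to install or upgrade. The following added example is not part of the original course material; it reads the hardware through WMI and compares it with the figures listed above. Because the page does not state how much more disk a server with over 16 GB of RAM needs, the script only flags that case.

```powershell
# Added example: compare a machine against the Windows Server 2012 minimums
# listed above. Thresholds mirror the list; the ">16 GB RAM" rule is only
# flagged because the page gives no exact larger disk figure.
function Test-WS2012Minimums {
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID = '$($env:SystemDrive)'"

    $ramMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $diskGB = [math]::Round($disk.Size / 1GB)

    [pscustomobject]@{
        Is64Bit       = ($os.OSArchitecture -like '64*')   # x86-64 required
        CpuMHz        = $cpu.MaxClockSpeed                  # reported in MHz
        CpuOk         = ($cpu.MaxClockSpeed -ge 1400)       # 1.4 GHz minimum
        RamMB         = $ramMB
        RamOk         = ($ramMB -ge 512)                    # 512 MB minimum
        SystemDiskGB  = $diskGB
        DiskOk        = ($diskGB -ge 32)                    # 32 GB minimum
        NeedsMoreDisk = ($ramMB -gt 16384)                  # more than 16 GB RAM
    }
}

Test-WS2012Minimums
```

Run it inside the candidate virtual machine as well as on physical hardware: a VM that was cloned from a small template frequently fails the disk check even when the host has plenty of storage.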

Additional Reading: For more information about the Windows Server Virtualization Validation Program, see http://www.windowsservercatalog.com/svvp.aspx.

Question: Why does a server need more hard disk drive space if it has more than 16 GB of RAM?

Installing Windows Server 2012
The process of deploying a server operating system is simpler today than it has been in the past. The person performing the deployment has to make fewer decisions, although the decisions that they do make are critical to the success of the deployment. A typical installation of Windows Server 2012, if you do not have an existing answer file, involves performing the following steps:

1. Connect to the installation source. Options for this include:

   o Insert a DVD-ROM containing the Windows Server 2012 installation files, and boot from the DVD-ROM.

   o Connect a specially prepared USB drive that hosts the Windows Server 2012 installation files.

   o Perform a PXE boot, and connect to a Windows DS server.

2. On the first page of the Windows Setup wizard, select the following:

   o Language to install

   o Time and currency format

   o Keyboard or input method

3. On the second page of the Windows Setup wizard, click Install now. You can also use this page to select Repair Your Computer. Use this option in the event that an installation has become corrupted, and you are no longer able to boot into Windows Server 2012.

4. In the Windows Setup wizard, on the Select The Operating System You Want To Install page, choose from the available operating system installation options. The default option is Server Core Installation.

5. On the License Terms page, review the terms of the operating system license. You must choose to accept the license terms before you can proceed with the installation process.

6. On the Which Type Of Installation Do You Want page, you have the following options:

   o Upgrade. Select this option if you have an existing installation of Windows Server that you want to upgrade to Windows Server 2012. You should launch upgrades from within the previous version of Windows Server rather than booting from the installation source.

   o Custom. Select this option if you want to perform a new installation.

7. On the Where do you want to install Windows page, choose an available disk on which to install Windows Server 2012. You can also choose to repartition and reformat disks from this page. When you click Next, the installation process will copy files and reboot the computer several times.

8. On the Settings page, provide a password for the local Administrator account.

Lesson 4
Post-Installation Configuration of Windows Server 2012
The Windows Server 2012 installation process involves answering a minimal number of questions. Once you have completed installation, you need to perform several post-installation configuration steps before you can deploy it in a production environment. These steps allow you to prepare the server for the role it will play on your organization's network.

This lesson covers how to perform a range of post-installation configuration tasks, including configuring network addressing information, setting a server's name and joining it to the domain, and understanding product activation options.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how to use Server Manager to perform post-installation configuration tasks.

• Describe how to configure the network.

• Describe how to join an Active Directory domain.

• Explain how to activate Windows Server 2012.

• Describe how to perform post-installation configuration of a Server Core computer.

Overview of Post-Installation Configuration
Unlike previous versions of Windows operating systems, the Windows Server 2012 installation process minimizes the number of questions that you need to answer. For example, you no longer need to configure network connections, a computer name, a user account, and domain membership information. The only information that you provide during the installation process is the password for the default local Administrator account.

You use the Local Server node in the Server Manager console to perform the following tasks:

• Configure the IP address

• Set the computer name

• Join an Active Directory domain

• Configure the time zone

• Enable automatic updates

• Add roles and features

• Enable remote desktop

• Configure Windows Firewall settings

Configuring Server Network Settings
To communicate on the network, a server needs correct IP address information. Once you have completed installation, you need to either set or check the server's IP address configuration. By default, a newly-deployed server attempts to obtain IP address information from a DHCP server. You can view a server's IP address configuration by clicking the Local Server node in Server Manager.

If the server has an IPv4 address in the APIPA range of 169.254.0.1 to 169.254.255.254, then the server has not been configured with an IP address from a DHCP server. This may be because a DHCP server has not been configured on the network, or, if there is a DHCP server, because there is a problem with the network infrastructure that blocks the adapter from receiving an address.

Note: If you are using only an IPv6 network, then an IPv4 address in this range is not problematic, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, "Implementing IPv6."

Configuration Using Server Manager
You can configure IP address information for a server manually by performing the following steps:

1. In the Server Manager console, click on the address next to the network adapter that you want to configure. This will open the Network Connections window.

2. Right-click the network adapter for which you want to configure an address, and then click Properties.

3. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IPv4 address information, and then click OK twice:

   o IP address

   o Subnet Mask

   o Default Gateway

   o Preferred DNS server

   o Alternate DNS server

Command-Line IPv4 Address Configuration
You can set IPv4 address information manually from an elevated command prompt by using the netsh.exe command from the interface ipv4 context. For example, to configure the adapter named Local Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following command:

netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0

You can use the same context of the netsh.exe command to configure DNS settings. For example, to configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as its preferred DNS server, type the following command:

netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary

The trailing primary keyword sets the register option, which controls dynamic DNS registration (register the computer's name only under its primary DNS suffix); the first address set in this way becomes the preferred DNS server, and you add alternate servers with netsh interface ipv4 add dnsservers.

You will learn more about configuring IPv4 in Module 5, "Implementing IPv4."
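The APIPA check and the two netsh commands above have PowerShell equivalents in the NetTCPIP and DnsClient modules that ship with Windows Server 2012. The following added example is not part of the original course material; the adapter name and addresses match the netsh examples, and the default gateway 10.10.10.1 is an assumption.

```powershell
# Added example: APIPA detection and static IPv4 configuration with the
# Windows Server 2012 networking cmdlets. Run at the console, not over a
# remote session on the same adapter, because the address is replaced.

# Flag any adapter that fell back to an APIPA address (169.254.0.0/16):
# it never received a DHCP lease.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '169.254.*' } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias) has APIPA address $($_.IPAddress)" }

$alias = 'Local Area Connection'

# Turn DHCP off on the interface and remove any leased address first,
# otherwise the static address coexists with the DHCP one.
Set-NetIPInterface -InterfaceAlias $alias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false

# Equivalent of:
#   netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0
# PrefixLength 24 is the /24 (255.255.255.0) mask; the gateway is an assumption.
New-NetIPAddress -InterfaceAlias $alias -IPAddress 10.10.10.10 -PrefixLength 24 -DefaultGateway 10.10.10.1

# Equivalent of:
#   netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary
# Pass several addresses to set preferred and alternate servers in one call.
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 10.10.10.5

# Verify address, gateway and DNS servers together.
Get-NetIPConfiguration -InterfaceAlias $alias
```

Get-NetIPConfiguration is also the quickest way to confirm that the DNS servers a domain member uses are the ones you expect: a server that silently picks up a rogue DHCP-supplied resolver will still appear to work while its name lookups are being answered by someone else.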

Network Card Teaming
With Network Card Teaming, you can increase the availability of a network resource. When you configure Network Card Teaming, a computer uses one network address for multiple cards. In the event that one of the cards fails, the computer is able to maintain communication with other hosts on the network that are using that shared address. Network card teaming does not require that the network cards be the same model or use the same driver. To team network cards, perform the following steps:

1. Ensure that the server has more than one network adapter.

2. In Server Manager, click the Local Server node.

3. Next to Network Adapter Teaming, click Disabled. This will launch the NIC Teaming dialog box.

4. In the NIC Teaming dialog box, hold down the Ctrl key, and then click each network adapter that you want to add to the team.

5. Right-click on these selected network adapters, and then click Add to New Team.

6. In the New Team dialog box, provide a name for the team, and then click OK.

How to Join the Domain
When you install Windows Server 2012, the computer is assigned a random name. Prior to joining a domain, you should configure the server with the name it will use in the domain. As a best practice, you should use a consistent naming scheme when devising a computer name. Computers should be given names that reflect their function and location, not names with personal ties, such as pet names, or fictional or historical characters. It is simpler for everyone to determine that a server named MEL-DNS1 is a DNS server in Melbourne, than it is to determine that a server named Copernicus holds the DNS role in the Melbourne office.

You change this name using the Server Manager console by performing the following steps:

1. In Server Manager, click the Local Server node.

2. In the Properties window, click the active text next to Computer Name. This will launch the System Properties dialog box.

3. In the System Properties dialog box, on the Computer Name tab, click Change.

4. In the Computer Name/Domain Changes dialog box, enter the new name that you want to assign to the computer.

5. Restart the computer to implement the name change.

Prior to joining the domain, be sure to complete the following steps to verify that the new server is ready to be domain-joined:

• Ensure that you are able to resolve the IP address of the domain controller and contact that domain controller. Using the Ping tool to ping the domain controller by hostname accomplishes both of these goals. Note that if ICMP is blocked by a firewall, the ping may fail even though the domain controller is reachable; in that case confirm name resolution separately.

• Complete one of the following tasks:

   o Create a computer account in the domain that matches the name of the computer that you want to join to the domain. This is often done when large numbers of computers need to be joined to the domain automatically.

   o Join the computer to the domain using a security account that has the right to perform domain-join operations.

• Verify that the security account that is used for the domain operation already exists within the domain.

Now that you have renamed your Windows Server 2012 server and have verified that it is ready to be domain-joined, you can join the server to the domain.

To join the domain using Server Manager, perform the following steps:

1. In Server Manager, click the Local Server node.

2. In the Properties window, next to Workgroup, click WORKGROUP.

3. In the System Properties dialog box, on the Computer Name tab, click Change.

4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain option. Enter the new domain name, and then click OK.

5. In the Windows Security dialog box, enter domain credentials that allow you to join the computer to the domain.

6. Restart the computer.
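The readiness checks and the rename-and-join steps above can be performed from PowerShell in one pass, which is the usual approach for Server Core or for a build script. The following added example is not part of the original course material; the computer name MEL-DNS1, the domain adatum.com, the domain controller LON-DC1, the account, and the OU path are assumptions.

```powershell
# Added example: readiness checks followed by a rename and domain join.
# MEL-DNS1, adatum.com, LON-DC1 and the OU path are assumed names.
$newName = 'MEL-DNS1'
$domain  = 'adatum.com'
$dc      = 'LON-DC1.adatum.com'

# Check 1: the DNS client must be able to locate a domain controller. The
# SRV lookup is the test that matters; a plain ping can fail when ICMP is
# filtered even though the DC is reachable.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port

# Check 2: the Kerberos (88) and LDAP (389) ports on the DC answer. This
# replaces the ping in the prose above with a check that firewalls allow.
foreach ($port in 88, 389) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($dc, $port); Write-Output "Port $port open" }
    catch   { Write-Warning "Port $port unreachable on $dc" }
    finally { $client.Close() }
}

# Rename and join in a single operation with one restart. -Credential prompts
# for an account with the right to join computers; -OUPath places the
# computer object in a specific OU instead of the default Computers container.
Add-Computer -DomainName $domain -NewName $newName `
    -Credential (Get-Credential 'ADATUM\Administrator') `
    -OUPath 'OU=Servers,OU=Melbourne,DC=adatum,DC=com' `
    -Restart -Force
```

Use a delegated account with only the right to create computer objects in the target OU for joins, rather than a Domain Admins account; the credential is typed on a machine that is not yet trusted.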

Performing Offline Domain Join
Offline Domain Join is a feature you can use to join a computer to the domain when that computer does not have an active network connection. This feature can be useful in situations where connectivity is intermittent, such as when you are deploying a server to a remote site connected via satellite uplink, for example, if you were deploying servers to locations in Outback Australia or islands in the South Pacific.

Use the djoin.exe command-line tool to perform an offline domain join. You can perform an offline domain join by performing the following steps:

1. Log on to the domain controller with a user account that has the appropriate rights to join other computers to the domain.

2. Open an elevated command prompt and use the djoin.exe command with the /provision option. You also need to specify the domain to which you want to join the computer, the name of the computer you will be joining to the domain, and the name of the savefile that you will transfer to the target of the offline domain join. For example, to join the computer Canberra to the domain adatum.com using the savefile Canberra-join.txt, type the following command:

djoin.exe /provision /domain adatum.com /machine canberra /savefile c:\canberra-join.txt

3. Transfer the generated savefile to the new computer, and then run the djoin.exe command with the /requestODJ option. For example, to perform the offline domain join, after transferring the savefile Canberra-join.txt to computer Canberra, you would run the following command from an elevated command prompt on Canberra:

djoin.exe /requestODJ /loadfile canberra-join.txt /windowspath %systemroot% /localos

The savefile contains the new computer account's password, so protect it in transit as you would any credential, and delete it from the target once the join has completed.

4. Restart the computer to complete the domain-join operation.

Question: In what situation would you perform an offline domain join rather than a traditional domain join?

Activating Windows Server 2012
You must activate every copy of Windows Server 2012 that you install, to ensure that your organization is correctly licensed and to receive notices for product updates. Windows Server 2012 requires activation after installation. Unlike previous versions of the Windows server operating system, there is no longer an activation grace period. If you do not perform activation, you cannot perform operating system customization. There are two general strategies that you can use for activation:

• Manual activation. Suitable when you are deploying a small number of servers.

• Automatic activation. Suitable when you are deploying larger numbers of servers.

With manual activation, you enter the product key and the server contacts Microsoft, or an administrator performs the activation over the phone or through a special clearinghouse website.

You can perform manual activation from the Server Manager console by performing the following steps:

1. Click the Local Server node.

2. In the Properties window, next to Product ID, click Not Activated.

3. In the Windows Activation dialog box, enter the product key, and then click Activate.

4. If a direct connection cannot be established to the Microsoft activation servers, details will display about performing activation using a website from a device that has an Internet connection, or by using a local telephone number.

Because computers running the Server Core installation option do not have the Server Manager console, you can perform manual activation using the slmgr.vbs command. Use the slmgr.vbs /ipk command to enter the product key, and slmgr.vbs /ato to perform activation once the product key is installed.

Prrevious version
ns of the Wind dows Server op perating system
m allowed you u to generalizee a Windows im
mage
ussing the sysprrep utility, but limited the nu
umber of timess due to activaation being reaarmed each tim
me you
peerformed this task, and due to an overall limit of three rrearms per insttallation. With Windows Servver
012, you can rearm a deployyment up to 99
20 99 times.

You can perform manual activation using either the retail product key, or the multiple activation key. You can use a retail product key to activate only a single computer. However, a multiple activation key has a set number of activations that you can use. Using a multiple activation key, you can activate multiple computers up to a set activation limit.
OEM keys are a special type of activation key that are provided to a manufacturer and allow automatic activation when a computer is first powered on. This type of activation key is typically used with computers that are running client operating systems such as Windows 7 and Windows 8. OEM keys are rarely used with computers that are running server operating systems.

Performing activation manually in large-scale server deployments can be cumbersome. Microsoft provides a method of activating large numbers of computers automatically without having to enter product keys on each system manually.

Automatic Activation
In previous versions of the Windows Server operating system, you could use KMS to perform centralized activation of multiple clients. The Volume Activation Services server role in Windows Server 2012 allows you to manage a KMS server through a new interface. This simplifies the process of installing a KMS key on the KMS server. When you install Volume Activation Services, you can also configure Active Directory-based activation. Active Directory-based activation allows automatic activation of domain-joined computers. When you use Volume Activation Services, each computer activated must periodically contact the KMS server to renew its activation status.

You use the Volume Activation Management Tool (VAMT) 3.0 in conjunction with Volume Activation Services to perform activation of multiple computers on networks that are not connected directly to the Internet. You can use VAMT to generate license reports and manage client and server activation on enterprise networks.

Configuring a Server Core Installation
Performing post-installation configuration on a computer running the Server Core installation option can be daunting to administrators who have not performed the task before. Instead of having GUI-based tools that simplify the post-installation configuration process, IT professionals are faced with performing complex configuration tasks from a command-line interface.

The good news is that you can perform the majority of post-installation configuration tasks using the sconfig.cmd command-line tool. Using this utility minimizes the possibility of the Administrator making syntax errors when using more complicated command-line utilities.

You can use sconfig.cmd to perform the following tasks:

• Configure Domain and Workgroup information

• Configure the computer’s name

• Add local Administrator accounts

• Configure Remote Management

• Enable Windows Update

• Download and install updates

• Enable Remote Desktop

• Configure Network Address information

• Set the date and time

• Perform Windows Activation


• Enable the Windows Server GUI

• Log off

• Restart the server

• Shut down the server

Configure IP Address Information


You can configure the IP address and DNS information using sconfig.cmd or netsh.exe. To configure IP
address information using sconfig.cmd, perform the following steps:

1. From a command prompt, run sconfig.cmd.

2. Choose option 8 to configure Network Settings.


3. Choose the index number of the network adapter to which you want to assign an IP address.

4. In the Network Adapter Settings area, choose between one of the following options:

o Set Network Adapter Address

o Set DNS Servers

o Clear DNS Server Settings

o Return to Main Menu

Change Server Name


You can change a server’s name using the netdom command with the renamecomputer option. For
example, to rename a computer to Melbourne, type the following command:

Netdom renamecomputer %computername% /newname:Melbourne

You can change a server’s name using sconfig.cmd by performing the following steps:

1. From a command prompt, run sconfig.cmd.

2. Choose option 2 to configure the new computer name.


3. Type the new computer name, and then press Enter.

You must restart a server for the configuration change to take effect.

Joining the Domain


You can join a Server Core computer to a domain using the netdom command with the join option. For
example, to join the adatum.com domain using the Administrator account, and to be prompted for a
password, issue the command:

Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*



Note: Prior to joining the domain, verify that you are able to ping the DNS server by
hostname.

To join a Server Core computer to the domain using sconfig.cmd, perform the following steps:

1. From a command prompt, run sconfig.cmd.

2. Choose option 1 to configure Domain/Workgroup.

3. To choose the Domain option, type D and then press Enter.

4. Type the name of the domain to which you want to join the computer.

5. Provide the details in domain\username format, of an account that is authorized to join the domain.
6. Type the password associated with that account.

It is necessary to restart the computer to complete a domain join operation.

Adding Roles and Features


You can add and remove roles and features on a computer that is running the Server Core installation
option by using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature
Windows PowerShell cmdlets. These cmdlets are available after you load the ServerManager Windows
PowerShell module.

For example, you can view a list of roles and features that are installed by executing the following
command:

Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}

You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to
install the NLB feature, execute the command:

Install-WindowsFeature NLB

Not all features are directly available for installation on a computer running the Server Core operating
system. You can determine which features are not directly available for installation by running the
following command:

Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}

You can add a role or feature that is not directly available for installation by using the -Source parameter
of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted
installation image that includes the full version of Windows Server 2012. You can mount an installation
image using the DISM.exe command-line utility.
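An added example, not the course's own code, of the -Source procedure just described: it checks the feature's InstallState, mounts the full Windows Server 2012 image read-only with DISM.exe, installs from the image's WinSxS folder, and always unmounts afterwards. The WIM path, image index and mount folder are assumptions for your environment; Server-Gui-Mgmt-Infra in the usage line is a real feature name chosen only as an illustration.

```powershell
# Added example (not course code): install a feature whose payload has been
# removed from a Server Core computer, using a mounted full image as -Source.

function Install-FeatureFromImage {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$WimPath  = 'D:\sources\install.wim',  # assumption: installation media
        [int]$Index       = 4,                          # assumption: index of the full (GUI) edition
        [string]$MountDir = 'C:\Mount'                  # assumption: empty local folder
    )
    Import-Module ServerManager

    $feature = Get-WindowsFeature -Name $Name
    if (-not $feature) { throw "Feature '$Name' does not exist." }
    if ($feature.InstallState -eq 'Installed') {
        Write-Host "$Name is already installed."
        return $feature
    }
    if ($feature.InstallState -ne 'Removed') {
        # Payload is still present locally, so no source location is needed.
        return Install-WindowsFeature -Name $Name
    }

    # Payload was removed: mount the full image read-only and use its
    # side-by-side store as the installation source.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    $mountArgs = @('/Mount-Wim', "/WimFile:$WimPath", "/Index:$Index", "/MountDir:$MountDir", '/ReadOnly')
    & dism.exe @mountArgs
    if ($LASTEXITCODE -ne 0) { throw "DISM could not mount $WimPath (index $Index)." }
    try {
        $source = Join-Path $MountDir 'Windows\WinSxS'
        $result = Install-WindowsFeature -Name $Name -Source $source
        if (-not $result.Success) { throw "Install-WindowsFeature reported failure for $Name." }
        if ($result.RestartNeeded -eq 'Yes') { Write-Warning "$Name needs a restart to finish installing." }
        return $result
    }
    finally {
        # Always unmount; a read-only mount is discarded, never committed.
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
    }
}

# List the image indexes and edition names on the media first:
#   dism.exe /Get-WimInfo /WimFile:D:\sources\install.wim
# Then, for example:
#   Install-FeatureFromImage -Name Server-Gui-Mgmt-Infra -Index 4
```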

Add the GUI


You can configure a Server Core computer with the GUI using the sconfig.cmd command-line utility. To
do this, choose option 12 from within the sconfig.cmd Server Configuration menu.

Note: The process of adding and removing the graphical component of the Windows Server
2012 operating system by using the Install-WindowsFeature cmdlet was covered in Lesson 1.

You can also use the dism.exe command-line tool to add and remove Windows roles and features from a
Server Core deployment, even though this tool is used primarily for managing image files.

Lesson 5
Introduction to Windows PowerShell
Windows PowerShell is a command-line shell and task-based scripting technology built into the Windows Server 2012 operating system that simplifies the automation of common systems administration tasks. With Windows PowerShell, you can automate common tasks, leaving you more time for more difficult systems administration tasks.

In this lesson, you will learn about Windows PowerShell, and why Windows PowerShell is perhaps the most critical piece of a server administrator’s toolkit.

This lesson describes how to use Windows PowerShell’s built-in discoverability to learn how to use specific cmdlets and to find related cmdlets. This lesson also discusses how to leverage the Windows PowerShell Integrated Scripting Environment (ISE) to assist you in creating effective Windows PowerShell scripts.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose of Windows PowerShell.

• Describe Windows PowerShell cmdlet syntax, and explain how to determine commands associated with a particular cmdlet.

• Describe common Windows PowerShell cmdlets used to manage services, processes, roles and features.

• Describe the functionality of Windows PowerShell ISE.

What Is Windows PowerShell?
Windows PowerShell is a scripting language designed to assist you in performing day-to-day administrative tasks. Windows PowerShell is made up of cmdlets that you execute at a Windows PowerShell prompt, or combine into Windows PowerShell scripts. Unlike other scripting languages that were designed initially for another purpose, but have been adapted for system administration tasks, Windows PowerShell is designed with system administration tasks in mind.

An increasing number of Microsoft products—such as Microsoft Exchange Server 2010—have graphical interfaces that build Windows PowerShell commands. These products allow you to view the generated Windows PowerShell script, so you can execute the task at a later time without having to go through all of the steps in the GUI. Being able to automate complex tasks simplifies a server administrator’s job, and saves time.

You can extend Windows PowerShell functionality by adding modules. For example, the Active Directory module includes Windows PowerShell cmdlets that are specifically useful for performing Active Directory-related management tasks. The DNS Server module includes Windows PowerShell cmdlets that are specifically useful for performing DNS server-related management tasks.

Windows PowerShell Cmdlet Syntax
Windows PowerShell cmdlets use a verb-noun syntax. Each noun has a collection of associated verbs. The available verbs differ with each cmdlet’s noun.

Common Windows PowerShell cmdlet verbs include:

• Get

• New

• Set

• Restart

• Resume

• Stop

• Suspend

• Clear

• Limit

• Remove

• Add

• Show

• Write

You can learn the available verbs for a particular Windows PowerShell noun by executing the command:

Get-Command -Noun NounName

You can learn the available Windows PowerShell nouns for a specific verb by executing the command:

Get-Command -Verb VerbName

Windows PowerShell parameters start with a dash. Each Windows PowerShell cmdlet has its own associated set of parameters. You can learn what the parameters are for a particular Windows PowerShell cmdlet by executing the command:

Help CmdletName

You can determine which Windows PowerShell cmdlets are available by executing the Get-Command cmdlet. Which Windows PowerShell cmdlets are available depends on which modules are loaded. You can load a module using the Import-Module cmdlet.

Common Cmdlets for Server Administration
There are certain cmdlets that you are more likely to use as a server administrator. These primarily relate to services, event logs, processes, and ServerManager running on the server.

Service Cmdlets
You can use the following Windows PowerShell cmdlets to manage services on a computer that is running Windows Server 2012:

• Get-Service. View the properties of a service.

• New-Service. Creates a new service.

• Restart-Service. Restarts an existing service.

• Resume-Service. Resumes a suspended service.

• Set-Service. Configures the properties of a service.

• Start-Service. Starts a stopped service.

• Stop-Service. Stops a running service.

• Suspend-Service. Suspends a service.

Event Log Cmdlets
You can use the following Windows PowerShell cmdlets to manage event logs on a computer that is running Windows Server 2012:

• Get-EventLog. Displays events in the specified event log.

• Clear-EventLog. Deletes all entries from the specified event log.

• Limit-EventLog. Sets event log age and size limits.

• New-EventLog. Creates a new event log and a new event source on a computer running Windows Server 2012.

• Remove-EventLog. Removes a custom event log and unregisters all event sources for the log.

• Show-EventLog. Shows the event logs of a computer.

• Write-EventLog. Allows you to write events to an event log.
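The event log cmdlets put to defensive use, as an added example that is not part of the course text: the script summarizes failed logon events (Security event ID 4625) from the last day per account and source address, then records the summary in a custom event log created with New-EventLog and bounded with Limit-EventLog so it is picked up by monitoring. The log name, source name and threshold are assumptions; run it from an elevated prompt, because the Security log is not readable otherwise.

```powershell
# Added example (not course code): summarize failed logons with Get-EventLog
# and record the result through New-EventLog, Limit-EventLog and Write-EventLog.

$AuditLog    = 'AdminAudit'   # assumption: custom log name
$AuditSource = 'LogonWatch'   # assumption: event source name

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 5)
    # -InstanceId filters on the log service side; 4625 = "An account failed to log on".
    $events = Get-EventLog -LogName Security -InstanceId 4625 `
        -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue
    # ReplacementStrings follow the 4625 event template:
    # index 5 = target account name, 6 = target domain, 19 = source network address.
    $events |
        ForEach-Object {
            $r = $_.ReplacementStrings
            New-Object PSObject -Property @{
                Account = "$($r[6])\$($r[5])"
                Source  = $r[19]
            }
        } |
        Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Account'; e = { $_.Group[0].Account }},
                      @{n = 'Source';  e = { $_.Group[0].Source }},
                      Count
}

function Write-FailedLogonReport {
    param([int]$Hours = 24, [int]$Threshold = 5)
    # New-EventLog registers the log and the source together and fails if the
    # source already exists, so register only once.
    if (-not [System.Diagnostics.EventLog]::SourceExists($AuditSource)) {
        New-EventLog -LogName $AuditLog -Source $AuditSource
        # Keep the custom log bounded: 8 MB, entries older than 30 days overwritten.
        Limit-EventLog -LogName $AuditLog -MaximumSize 8MB -OverflowAction OverwriteOlder -RetentionDays 30
    }

    $summary = @(Get-FailedLogonSummary -Hours $Hours -Threshold $Threshold)
    if ($summary.Count -eq 0) {
        Write-EventLog -LogName $AuditLog -Source $AuditSource -EventId 1000 -EntryType Information `
            -Message "No account exceeded $Threshold failed logons in the last $Hours hours."
        return
    }
    $body = ($summary | ForEach-Object { "$($_.Account) from $($_.Source): $($_.Count) failures" }) -join "`n"
    Write-EventLog -LogName $AuditLog -Source $AuditSource -EventId 1001 -EntryType Warning `
        -Message "Accounts with repeated failed logons in the last $Hours hours:`n$body"
    return $summary
}

# Usage:
#   Write-FailedLogonReport -Hours 24 -Threshold 5
#   Get-EventLog -LogName AdminAudit -Newest 1 | Format-List TimeGenerated, EntryType, Message
```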

Process Cmdlets
You can use the following Windows PowerShell cmdlets to manage processes on a computer that is running Windows Server 2012:

• Get-Process. Provides information on a process.

• Start-Process. Starts a process.

• Stop-Process. Stops a process.

• Wait-Process. Waits for the process to stop before accepting input.

• Debug-Process. Attaches a debugger to one or more running processes.

ServerManager Module
The ServerManager module provides three cmdlets that are useful for managing features and roles. These cmdlets are:

• Get-WindowsFeature. View a list of available roles and features. Also displays whether the feature is installed, and whether the feature is available. An unavailable feature can only be installed if you have access to an installation source.

• Install-WindowsFeature. Installs a particular Windows Server role or feature. The Add-WindowsFeature cmdlet is aliased to this command and is available in previous versions of Windows operating systems.

• Remove-WindowsFeature. Removes a particular Windows Server role or feature.

What Is Windows PowerShell ISE?
Windows PowerShell ISE is an integrated scripting environment that provides you with assistance when using Windows PowerShell. It provides command completion functionality, and allows you to see all available commands and the parameters that can be used with those commands.

Windows PowerShell ISE simplifies the process of using Windows PowerShell because you can execute cmdlets from the ISE. You can also use a scripting window within Windows PowerShell ISE to construct and save Windows PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and can create syntactically-correct Windows PowerShell commands.

Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. The ISE also provides you with debugging tools that you can use to debug simple and complex Windows PowerShell scripts.

You can use the Windows PowerShell ISE environment to view available cmdlets by module. You can then determine which Windows PowerShell module you need to load to access a particular cmdlet.

Demonstration: Using Windows PowerShell ISE
In this demonstration, you will see how to complete the following tasks:

• Use Windows PowerShell ISE to import the ServerManager module

• View the cmdlets made available in the ServerManager Module

• Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE

Demonstration Steps

Use Windows PowerShell ISE to import the ServerManager module
1. Ensure that you are logged on to LON-DC1 as Administrator.

2. In Server Manager, click Tools, and then click Windows PowerShell ISE.

3. At the prompt, type Import-Module ServerManager.

View the cmdlets made available in the ServerManager Module


• In the Commands pane, use the Modules drop-down menu to select the Server Manager module.

Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE


1. Click Get-WindowsFeature, and then click Show Details.

2. In the ComputerName field, type LON-DC1, and then click Run.

Demonstration: Using Windows PowerShell


In this demonstration, you will see how to use Windows PowerShell to display the running services and
processes on a server.

Demonstration Steps
Use Windows PowerShell to display the running services and processes on a server
1. On LON-DC1, open a Windows PowerShell session.

2. Execute the following commands, and then press Enter:

Get-Service | where-object {$_.status -eq "Running"}


Get-Command -Noun Service
Get-Process
Get-Help Process

3. Right-click on the Windows PowerShell icon on the taskbar and click Run as Administrator.

Lab: Deploying and Managing Windows Server 2012


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London,
England. An IT office and a data center are located in London to support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. As a new member of the team you help to deploy and configure
new servers and services into the existing infrastructure based on the instructions given to you by your IT
manager.
The marketing department has purchased a new web-based application. You need to install and configure
the servers for this application in the data center. One server has a graphic interface and the second server
is configured as Server Core.

Objectives
After completing this lab, you will be able to:

• Deploy Windows Server 2012.


• Configure Windows Server 2012 Server Core.

• Manage servers by using Server Manager.

• Manage servers with Windows PowerShell.

Lab Setup
Estimated time: 60 minutes

Virtual Machines 20410A-LON-DC1


20410A-LON-CORE

User Name Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd
5. Repeat steps 1 to 3 for 20410A-LON-CORE. Do not log on until directed to do so.

Exercise 1: Deploying Windows Server 2012


Scenario
The first Windows Server® 2012 server that you are installing for the Marketing department will host an
SQL Server 2012 database engine instance. You want to configure the server so that it will have the full
GUI, as this will allow the application vendor to run support tools directly on the server, rather than
requiring a remote connection.

The main tasks for this exercise are as follows:

1. Install the Windows Server 2012 server.

2. Change the server name.

3. Change the date and time.


4. Configure the network and network teaming.

5. Add the server to the domain.

X Task 1: Install the Windows Server 2012 server


1. In the Hyper-V Manager console, open the settings of 20410A-LON-SVR3.
2. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This
file is located at C:\Program Files\Microsoft Learning\20410\Drives.

3. Start 20410A-LON-SVR3. In the Windows Setup Wizard, on the Windows Server 2012 page, verify
the following settings, click Next, and then click Install Now.

o Language to install: English (United States)

o Time and currency format: English (United States)


o Keyboard or input method: US

4. Click to install the Windows Server 2012 Release Candidate Datacenter (Server with a GUI)
operating system.
5. Accept the license terms and then click Custom: Install Windows only (advanced).

6. Install Windows Server 2012 on Drive 0.

Note: Depending on the speed of the equipment, the installation will take approximately 20
minutes. The virtual machine will restart several times during this process.

7. Enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click
Finish to complete the installation.

X Task 2: Change the server name


1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.

2. In Server Manager, on the Local Server node, click on the randomly-generated name next to
Computer name.

3. In the System Properties dialog box, on the Computer Name tab, click Change.

4. In the Computer name box, type LON-SVR3, and then click OK.

5. Click OK again, and then click Close.


6. Restart the computer.

X Task 3: Change the date and time


1. On LON-SVR3, on the taskbar, click the time display, and then click Change date and time settings.

2. Click Change Time Zone, and set the time zone to your current time zone.

3. Click Change Date and Time, and verify that the date and time that display in the Date and Time
Settings dialog box match those in your classroom.

4. Close the Date and Time dialog box.

X Task 4: Configure the network and network teaming


1. On LON-SVR3, click Local Server, and then next to NIC Teaming, click Disabled.

2. Press and hold the Ctrl key and then in the Adapters And Interfaces area, click both Local Area
Connection and Local Area Connection 2.

3. Right-click on the selected network adapters, and then click Add to New Team.

4. Enter LON-SVR3 in the Team name box, click OK, and then close the NIC Teaming dialog box.
Refresh the console pane.
5. Next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.

6. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.

7. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

8. Enter the following IP address information, and then click OK.

o IP address: 172.16.0.101

o Subnet Mask: 255.255.0.0


o Default Gateway: 172.16.0.1

o Preferred DNS server: 172.16.0.10

9. Close all dialog boxes.

X Task 5: Add the server to the domain


1. On LON-SVR3, in the Server Manager console, click Local Server.

2. Next to Workgroup, click WORKGROUP.

3. On the Computer Name tab, click Change.

4. Click the Domain option, and in the Domain box, enter adatum.com.

5. Enter the following account details

o Username: Administrator

o Password: Pa$$w0rd

6. In the Computer Name/Domain Changes dialog box, click OK.

7. Restart the computer to apply changes.

8. In the System Properties dialog box, click Close.

9. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.

Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also
will have configured LON-SVR3 including name change, date and time, networking, and network teaming.

Exercise 2: Configuring Windows Server 2012 Server Core


Scenario
The web-based tier of the marketing application is a .NET application. To minimize the operating system
footprint and reduce the need to apply software updates, you have chosen to host the IIS component on
a computer running the Server Core installation option of the Windows Server 2012 operating system.

To enable this, you will need to configure a computer that is running Windows Server 2012 with the
Server Core installation option.

The main tasks for this exercise are as follows:

1. Change the server name.

2. Change the computer’s date and time.


3. Configure the network.

4. Add the server to the domain.

X Task 1: Change the server name


1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.
2. On LON-CORE, type sconfig.cmd.

3. Click option 2 to select Computer Name.

4. Set the computer name as LON-CORE.


5. In the Restart dialog box, click Yes to restart the computer.

6. After the computer restarts, log on to server LON-CORE using the Administrator account.

7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.

X Task 2: Change the computer’s date and time


1. On LON-CORE, in the sconfig.cmd main menu, type 9 to select Date and Time.

2. Click Change time zone, and then set the time zone to the same time zone that your classroom uses.

3. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time
match those in your location. Click OK three times to dismiss the dialog boxes.

4. Exit sconfig.cmd.

X Task 3: Configure the network


1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.

2. Type 8 to configure Network Settings.

3. Type the number of the network adapter that you want to configure.

4. Type 1 to set the Network Adapter Address.

5. Select static IP address configuration, and then enter the address 172.16.0.111.

6. At the Enter subnet mask prompt, type 255.255.0.0.

7. At the Enter default gateway prompt, type 172.16.0.1.

8. Type 2 to configure the DNS server address.

9. Set the preferred DNS server to 172.16.0.10.

10. Do not configure an alternate DNS server address.



11. Exit sconfig.cmd.

12. Verify network connectivity to lon-dc1.adatum.com using the Ping tool.

X Task 4: Add the server to the domain


1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.

2. Type 1 to switch to configure Domain/Workgroup.

3. Type D to join a domain.


4. At the Name of domain to join prompt, type adatum.com.

5. At the Specify an authorized domain\user prompt, type adatum\administrator.

6. At the Type the password associated with the domain user prompt, type Pa$$w0rd.

7. At the prompt, click Yes.

8. Restart the server.

9. Log on to server LON-CORE with the adatum\administrator account using the password
Pa$$w0rd.

Results: After finishing this exercise you will have configured a Windows Server 2012 Server Core
deployment, and verified the server’s name.

Exercise 3: Managing Servers


Scenario
After deploying the servers LON-SVR3 and LON-CORE for hosting the Marketing application, you need to
install appropriate server roles and features to support the application. With this in mind, you will install
the Windows Server Backup feature on both LON-SVR3 and LON-CORE. You will install the Web Server
role on LON-CORE.

You also need to configure the World Wide Web Publishing service on LON-CORE with the following
settings:

• Startup type: Automatic

• Log on as: Local System Account

• First failure: Restart the Service


• Second failure: Restart the Service

• Subsequent failures: Restart the server

• Reset fail count after: 1 day

• Restart service after: 1 minute

• Restart computer after: 1 minute

The main tasks for this exercise are as follows:

1. Create a server group.

2. Deploy features and roles to both servers.

3. Review services, and change a service setting.



X Task 1: Create a server group


1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.

2. In the Server Manager console, click Dashboard, and then click Create a server group.

3. Click the Active Directory tab, and then click Find Now.

4. In the Server group name box, type LAB-1.

5. Add LON-CORE and LON-SVR3 to the server group.

6. Click LAB-1. Press and hold the Ctrl key to select both LON-CORE and LON-SVR3.

7. When both are selected, scroll down, and under the Performance section, select both LON-CORE
and LON-SVR3.

8. Right-click LON-CORE, and then click Start Performance Counters.

X Task 2: Deploy features and roles to both servers


1. In Server Manager on LON-DC1, click the LAB-1 server group, right-click LON-CORE, and then click
Add Roles and Features.

2. Click Next, click Role-based or feature-based installation, and then click Next.

3. Verify that LON-CORE.Adatum.com is selected, and then click Next.

4. Select the Web Server (IIS) Server role.

5. Select the Windows Server Backup feature.

6. Add the Windows Authentication role service, and then click Next.

7. Select the Restart the destination server automatically if required check box, and then click
Install.

8. Click Close.

9. Right-click LON-SVR3, click Add Roles and Features, and then click Next.
10. Click Role-based or feature-based installation, and then click Next.

11. Verify that LON-SVR3.Adatum.com is selected, and then click Next twice.

12. Click Windows Server Backup, and then click Next.

13. Select the Restart the destination server automatically if required check box, click Install, and
then click Close.

14. In Server Manager, click the IIS node, and verify that LON-CORE is listed.

X Task 3: Review services, and change a service setting


1. On LON-CORE, in a command prompt window, enter the command netsh.exe firewall set service
remoteadmin enable ALL

2. Log on to LON-DC1 with the adatum\Administrator account.

3. In Server Manager, click LAB-1, right-click LON-CORE, and then click Computer Management.

4. Expand Services and Applications, and then click Services.

5. Verify that the Startup type of the World Wide Web Publishing service is set to Automatic.
6. Verify that the service is configured to use the Local System account.

7. Configure the following service recovery settings:

o First failure: Restart the Service

o Second failure: Restart the Service

o Subsequent failures: Restart the Computer.

o Reset fail count after: 1 day

o Restart service after: 1 minute

8. Configure the Restart Computer option to 2 minutes, and close the Service Properties dialog box.

9. Close the Computer Management console.

Results: After finishing this exercise you will have created a server group, deployed roles and features, and
configured the properties of a service.
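As an added example (not course code), the World Wide Web Publishing service settings that Task 3 above applies through Computer Management, done instead with the service cmdlets from Lesson 5 plus sc.exe, which is needed because the service cmdlets in Windows Server 2012 do not expose recovery actions. W3SVC is that service's short name; the computer name is the lab's LON-CORE, and the check function reads the logon account and start mode from Win32_Service, which Get-Service alone does not show.

```powershell
# Added example (not course code): apply and verify the Exercise 3, Task 3
# service configuration from Windows PowerShell instead of the GUI.

function Set-ServiceRecoveryPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Startup type Automatic; Set-Service talks to the remote service control manager.
    Set-Service -Name $ServiceName -ComputerName $ComputerName -StartupType Automatic

    # Recovery actions: restart after 1 minute on the first and second failure,
    # restart the computer after 2 minutes on subsequent failures, and reset the
    # failure count after 1 day. sc.exe requires the space after each "=" and
    # expresses delays in milliseconds.
    & sc.exe "\\$ComputerName" failure $ServiceName reset= 86400 actions= restart/60000/restart/60000/reboot/120000
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE for $ServiceName on $ComputerName" }
}

function Test-ServiceConfiguration {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName was not found on $ComputerName" }

    # Collect deviations from the lab's expected settings instead of silently passing.
    $findings = @()
    if ($svc.StartMode -ne 'Auto')        { $findings += "StartMode is $($svc.StartMode), expected Auto" }
    if ($svc.StartName -ne 'LocalSystem') { $findings += "Runs as $($svc.StartName), expected LocalSystem" }

    New-Object PSObject -Property @{
        Computer  = $ComputerName
        Service   = $ServiceName
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Usage from LON-DC1 after the remote administration firewall exception is enabled:
#   Set-ServiceRecoveryPolicy -ServiceName W3SVC -ComputerName LON-CORE
#   Test-ServiceConfiguration -ServiceName W3SVC -ComputerName LON-CORE | Format-List
#   sc.exe \\LON-CORE qfailure W3SVC    # displays the recovery actions just set
```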

Exercise 4: Using Windows PowerShell to Manage Servers


Scenario
The Marketing application vendor has indicated that they can provide some Windows PowerShell scripts
to configure the web server that is hosting the application. You need to verify that remote administration
is functional before running the scripts.

The main tasks for this exercise are as follows:

1. Use Windows PowerShell® to connect remotely to servers and view information.

2. Use Windows PowerShell to install new features remotely.

X Task 1: Use Windows PowerShell® to connect remotely to servers and view


information
1. On LON-DC1, in Server Manager, click the LAB-1 server group.
2. Right-click LON-CORE, and then click Windows PowerShell.

3. Type Import-Module ServerManager.

4. Type Get-WindowsFeature, and review roles and features.

5. Use the following command to review the running services on LON-CORE:

Get-service | where-object {$_.status -eq "Running"}

6. Type get-process to view a list of processes on LON-CORE.

7. Review the IP addresses assigned to the server with the following command:

Get-NetIPAddress | Format-table

8. Review the most recent 10 items in the security log with the following command:

Get-EventLog Security -Newest 10

9. Close Windows PowerShell.

X Task 2: Use Windows PowerShell to install new features remotely


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. Type import-module ServerManager.

3. Type the following command to verify that the XPS Viewer feature has not been installed on LON-SVR3:

Get-WindowsFeature -ComputerName LON-SVR3

4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:

Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3

5. Type the following command to verify that the XPS Viewer feature has now been deployed on LON-SVR3:

Get-WindowsFeature -ComputerName LON-SVR3

6. From the Tools drop-down in the Server Manager console, choose Windows PowerShell ISE.

7. In the Untitled1.ps1 script pane, type the following:

Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE

8. Save the script as InstallWins.ps1 in a new folder named Scripts.

9. Press F5 to execute InstallWins.ps1.

Results: After finishing this exercise you will have used Windows PowerShell to perform a remote
installation of features on multiple servers.
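The two tasks above folded into one script, as an added example that is not part of the 20410A lab: it queries each server's feature state remotely first, installs only what is missing, and logs the result so a rerun is harmless. The server and feature names come from the lab; the log path and the Write-Log helper are assumptions.

```powershell
# Added example, not part of the 20410A lab: deploy features remotely only where they are
# missing, and log the outcome. Assumes you run it on LON-DC1 with administrative rights on
# the targets, that remote management is enabled on them (verified in Task 1), and that the
# ServerManager module is present locally (Windows Server 2012).
Import-Module ServerManager

# Targets and features come from the lab tasks above.
$Targets  = 'LON-SVR3', 'LON-CORE'
$Features = 'XPS-Viewer', 'WINS'

# Assumed log location; adjust for your environment.
$LogPath = 'C:\Scripts\InstallFeatures.log'

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

foreach ($computer in $Targets) {
    # Query first: a failed Get-WindowsFeature points at WinRM, DNS or firewall trouble,
    # and an install attempt would fail for the same reason.
    try {
        $state = Get-WindowsFeature -Name $Features -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Log "$computer : remote query failed ($($_.Exception.Message)); skipping."
        continue
    }

    $missing = @($state | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name })
    if ($missing.Count -eq 0) {
        Write-Log "$computer : all requested features already installed; nothing to do."
        continue
    }

    Write-Log "$computer : installing $($missing -join ', ')"
    try {
        $result = Install-WindowsFeature -Name $missing -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Log "$computer : install failed ($($_.Exception.Message))."
        continue
    }

    # Install-WindowsFeature reports success and whether a restart is still pending;
    # a pending restart means the feature is not usable yet even though Installed is true.
    Write-Log ('{0} : Success={1} RestartNeeded={2}' -f $computer, $result.Success, $result.RestartNeeded)

    # Re-query so the log records the post-install state, as Task 2 step 5 does by hand.
    Get-WindowsFeature -Name $Features -ComputerName $computer |
        ForEach-Object { Write-Log ('{0} : {1} Installed={2}' -f $computer, $_.Name, $_.Installed) }
}
```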

X To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, switch to the Hyper-V Manager console.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.



Module Review and Takeaways


Review Questions
Question: What is the benefit of using Windows PowerShell to automate common tasks?

Question: What are the advantages to performing a Server Core deployment compared to
the Full GUI deployment?

Question: What tool can you use to determine which cmdlets are contained in a Windows
PowerShell module?

Question: Which role can you use to manage Key Management Services (KMS)?

Common Issues and Troubleshooting Tips


Common Issue Troubleshooting Tip

Remote management connections fail.

Windows PowerShell cmdlets not available.

Cannot install the GUI features on Server Core deployments.

Unable to restart a computer running Server Core.

Unable to join the domain.



Module 2
Introduction to Active Directory Domain Services
Contents:
Module Overview 2-1

Lesson 1: Overview of AD DS 2-2

Lesson 2: Overview of Domain Controllers 2-8

Lesson 3: Installing a Domain Controller 2-13

Lab: Installing Domain Controllers 2-18

Module Review and Takeaways 2-21

Module Overview
Active Directory® Domain Services (AD DS) and its related services form the foundation for enterprise
networks that run Windows® operating systems. The AD DS database is the central store of all the domain
objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical
directory, and provides a method for applying configuration and security settings for objects in the
enterprise. In this module, we will study the structure of AD DS, and various components, such as forest,
domain, and organizational units (OUs).

The process of installing AD DS on a server is refined and improved with Windows Server® 2012. This
module also examines some of the choices that are now available for installing AD DS on a server.

Objectives
After completing this module, you will be able to:

• Describe the structure of Active Directory® Domain Services (AD DS).

• Describe the purpose of domain controllers.

• Install a domain controller.


Lesson 1
Overview of AD DS
The AD DS database stores information on user identity, computers, groups, services and resources. It also
hosts the service that authenticates user and computer accounts when they log on to the domain. AD DS
forms a security boundary, in addition to being a searchable database of objects in the domain. AD DS
provides the structure with which you can configure and manage objects in the database.

In this lesson, you will explore how OUs work, and why you would use them. You will examine why some
AD DS domain controllers have additional roles. You will explore various ways that you can promote a
Windows Server 2012 server to be a domain controller.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the components of AD DS.

• Describe AD DS domains.

• Describe OUs and their purpose.

• Describe AD DS forests and trees, and explain how you can deploy them in a network.

• Explain how a schema provides a set of rules that manage the objects and attributes that are stored
in the AD DS domain database.

Overview of AD DS
AD DS is composed of both physical and logical components. Understanding the way the components of
AD DS work together is an important part of supporting AD DS services. With the knowledge of how the
AD DS components work together, you can efficiently manage your network, and control what resources
your users can access. In addition, there are many other options including installation and configuring of
software and updates, managing the security infrastructure, remote access, DirectAccess, BranchCache
and certificate handling, to mention a few. Group Policy is a very powerful tool to manage all of these,
and a clear understanding of the AD DS components is the key to successful use of Group Policy.

Physical Components
AD DS information is stored in a single file on each domain controller's hard disk. The following table
lists some of the physical components and where they are stored.

Physical component Description

Domain controllers: Contain copies of the AD DS database.

Data store: The file on each domain controller that stores the AD DS information.

Global catalog servers: Host the global catalog, which is a partial, read-only copy of all the objects in
the forest. A global catalog speeds up searches for objects that might be stored on domain controllers
in a different domain in the forest.

Read-only domain controller (RODC): A special install of AD DS in a read-only form. This is often used in
Branch Offices where security and IT support are often less advanced than in the main corporate centers.

Logical Components
AD DS logical components are structures that are used to implement an appropriate Active Directory
design for an organization. The following table describes some of the types of logical structures that an
Active Directory database might contain.

Logical component Description

Partition: A section of the AD DS database. Although the database is one file, NTDS.DIT, it is viewed,
managed and replicated as if it consisted of distinct sections or instances, and these are the partitions,
also referred to as naming contexts.

Schema: Defines the list of attributes that all objects in AD DS can have.

Domain: A logical, administrative boundary for users and computers.

Domain tree: A collection of domains that share a common root domain and a Domain Name System (DNS)
namespace.

Forest: A collection of domains that share a common AD DS.

Site: A collection of users, groups, and computers as defined by their physical locations. Sites are useful
in planning administrative tasks such as replication of the AD DS.

OU: These are containers in AD DS, which provide a framework for delegating administrative rights and
also for linking Group Policy.

Additional Reading: For more information about domains and forests, please see Domains
and Forests Technical Reference at http://go.microsoft.com/fwlink/?LinkId=104447.
AD DS Domains
An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of
management and security. All of these objects are stored in the AD DS database, and a copy of this
database is stored on every domain controller in the AD DS domain.

There are several types of objects that can be stored in the AD DS database, including user accounts.
User accounts provide a mechanism by which to authenticate and then authorize users to access
resources on the network. When a user wants to log on to the domain, they must do so at a computer
that is a member of the AD DS domain. For this reason, each domain-joined computer must have an
account in AD DS. The domain also stores groups, which are the mechanism for grouping together objects
for administrative or security reasons, for instance user accounts and computer accounts.

An AD DS domain is an administrative center. It holds an Administrator account and a Domain Admins
group, which have full control over every object in the domain; however, unless they are in the forest root
domain, their range of control is limited to the domain. Password and account rules are managed at the
domain level by default. Although a domain constitutes a security boundary that is largely self-managing
and autonomous, the Enterprise Admins group in the forest root domain has full control over every object
in every domain in the AD DS forest.

What Are OUs?
An Organizational Unit (OU) is a container object within a domain that you can use to consolidate
users, groups, computers, and other objects. There are two reasons to create OUs:

• To configure objects contained within the OU. You can assign Group Policy Objects to the OU, and the
settings apply to all objects within the OU. Group Policy Objects (GPOs) are policies that administrators
create to manage and configure computer and user accounts. The most common way to deploy these
policies is to link them to OUs.

• To delegate administrative control of objects within the OU. You can assign management permissions
on an OU, thereby delegating control of that OU to a user or group within AD DS other than the
administrator.

You can use OUs to represent the hierarchical, logical structures within your organization. For example,
you can create OUs that represent the departments within your organization, the geographic regions
within your organization, or create OUs that are a combination of both departmental and geographic
regions. You can then manage the configuration and use of user, group, and computer accounts based on
your organizational model.

Every AD DS domain contains a standard set of containers and OUs that are created when you install
AD DS, including the following:

• Domain container. Serves as the root container to the hierarchy.

• Builtin container. Stores a number of default groups.

• Users container. The default location for new user accounts and groups that you create in the
domain. The users container also holds the administrator and guest accounts for the domain, and
some default groups.

• Computers container. The default location for new computer accounts that you create in the domain.

• Domain controllers OU. The default location for domain controller computer accounts. This is the only
OU that is present in a new installation of AD DS.

Note: None of the default containers in the AD DS domain can have Group Policies linked
to them, except for the default domain controllers OU and the domain itself. All the other
containers are just folders. To link Group Policies to apply configurations and restrictions, create a
hierarchy of OUs, and then link Group Policies to them.

Hierarchy Design
The design of an OU hierarchy is dictated by the administrative needs of the organization. The design
could be based on geographic, functional, resource, or user classifications. Whatever the order, the
hierarchy should make it possible to administer AD DS resources as effectively and with as much flexibility
as possible. For example, if all computers that IT administrators use must be configured in a certain way,
you can group all computers in an OU, and then assign a policy to manage its computers. To simplify
administration, you also can create OUs inside other OUs.

For example, your organization might have multiple offices, and each office might have a set of
administrators who are responsible for managing user and computer accounts in the office. In addition,
each office might have different departments with different computer configuration requirements. In this
situation, you could create an OU for the office that is used to delegate administration, and create a
department OU inside the office OU to assign desktop configurations.

Although there is no technical limit to the number of levels in your OU structure, for the purpose of
manageability limit your OU structure to a depth of no more than 10 levels. Most organizations use five
levels or fewer to simplify administration. Note that Active Directory-enabled applications can have
restrictions on the OU depth within the hierarchy, or the number of characters that can be used in the
distinguished name (the full Lightweight Directory Access Protocol (LDAP) path to the object in the
directory).
What Is an AD DS Forest?
A forest is a collection of one or more domain trees. A tree is a collection of one or more domains. The
first domain that is created in the forest is called the forest root domain. The forest root domain holds a
few objects that do not exist in other domains in the forest. For example, the forest root domain holds
two special roles, the schema master and the domain naming master. In addition, the Enterprise Admins
group and the Schema Admins group exist only in the forest root domain. The Enterprise Admins group
has full control over every domain in the forest.

Examples of why more than one domain may be required in the forest:

• In certain circumstances, it might be advantageous to have more than one domain in the
organization, and these are typically structured in a tree. For instance, The A. Datum Corporation
might be the domain at the root of a forest. Another domain could be added to the tree as a child
domain of adatum.com, and have a name that is based on the DNS structure and includes the name
of the parent domain, for example atl.adatum.com.

• There may be a requirement to have different namespaces in the forest. If A. Datum Ltd
(adatum.com) and Fabrikam, Inc. (fabrikam.com) were to merge, then although the organization
exists in one forest, you could add a tree to accommodate the second namespace. Apart from the
different namespaces, all objects in this forest would function as if the domains were both in the same
tree.

What Is the AD DS Schema?
The schema is the AD DS component that defines all objects and attributes that AD DS uses to store
data. It is sometimes referred to as the blueprint for AD DS.

AD DS stores and retrieves information from a wide variety of applications and services. AD DS
standardizes how data is stored in the directory so that it can store and replicate data from these
various sources. By standardizing how data is stored, AD DS can retrieve, update, and replicate data,
while ensuring that the integrity of the data is maintained.

AD DS uses objects as units of storage. All objects are defined in the schema. Each time that the directory
handles data, the directory queries the schema for an appropriate object definition. Based on the object
definition in the schema, the directory creates the object and stores the data.

Object definitions control the types of data that the objects can store, and the syntax of the data. Using
this information, the schema ensures that all objects conform to their standard definitions. As a result,
AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the
original source of the data. Only data that has an existing object definition in the schema can be stored in
the directory. If a new type of data needs to be stored, a new object definition for the data must first be
created in the schema.

In AD DS, the schema defines the following:

• Objects that are used to store data in the directory

• Rules that define what types of objects you can create, what attributes must be defined when you
create the object (mandatory), and what attributes are optional

• Structure and the content of the directory itself

You can use an account that is a member of the Schema Admins group to modify the schema
components in a graphical form. Examples of objects that are defined in the schema include user,
computer, group, and site. Among the many attributes are location, accountExpires, buildingName,
company, manager, and displayName.

The schema master is one of the single master operations domain controllers in AD DS. Because it is a
single master, you must make changes to the schema by targeting the domain controller that holds the
schema master operations role.

The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest from the schema operations master role
holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should be made only when necessary,
through a tightly controlled process, and after you have performed testing to ensure that there will be no
adverse effects to the rest of the forest.

Although you might not make any change to the schema directly, some applications make changes to the
schema to support additional features. For example, when you install Microsoft® Exchange Server 2010
into your AD DS forest, the installation program extends the schema to support new object types and
attributes.

Additional Reading
For more information about Windows Server 2012 Release Candidate, see
http://www.microsoft.com/en-us/server-cloud/windows-server/v8-default.aspx.
For more information about Windows Server 2012 Overview, see http://www.microsoft.com/en-
us/server-cloud/windows-server/v8-overview.aspx.
For more information about Windows Server 2012 Capabilities, see
http://www.microsoft.com/en-us/server-cloud/windows-server/2012-capabilities.aspx.
For more information about Windows Server 8 (a one-hour long video), see
http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F.
Lesson 2
Overview of Domain Controllers
Because domain controllers are responsible for all authentications, domain controller deployment is
critical to the correct functioning of the network. This lesson examines domain controllers, the logon
process, and the importance of the DNS in that process. In addition, this lesson discusses the purpose of
the global catalog.

All domain controllers are essentially the same, but there are certain operations that can only be
performed on specific domain controllers called operations masters, which are discussed at the end of this
lesson.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose of domain controllers.

• Describe the purpose of the global catalog.

• Describe the AD DS logon process, and the importance of DNS and service (SRV) resource records in
the logon process.

• Describe the functionality of SRV records.

• Explain the functions of operations masters.

What Is a Domain Controller?
A domain controller (DC) is a server that is configured to store a copy of the AD DS directory database
(NTDS.DIT) and a copy of the System Volume (SYSVOL) folder. All domain controllers except read-only
domain controllers (RODCs) store a read/write copy of both NTDS.DIT and the SYSVOL folder. NTDS.DIT is
the database itself, and the SYSVOL folder contains all the template settings for GPOs.

You can use the AD DS replication service to synchronize changes and updates to the AD DS database
between the domain controllers in the domain. The SYSVOL folders are replicated either by the file
replication service (FRS), or by the newer Distributed File System (DFS) Replication. The domain
controllers in each domain replicate all the changes and updates between each other, and unless they
are an RODC, they all store a read/write copy of the AD DS database. Domain controllers host several
other Active Directory–related services, including the Kerberos service, which is used by user and
computer accounts for logon authentication. You can optionally configure domain controllers to host a
copy of the Active Directory Global Catalog, which is described in the next topic. Domain controllers also
run some important services including Kerberos, which provides logon and password change capabilities,
and the Key Distribution Center (KDC). The KDC is the service that issues the ticket-granting ticket (TGT)
to an account that logs on to the AD DS domain.

An AD DS domain should always have a minimum of two domain controllers. This way, if one of the
domain controllers fails, there is a backup to ensure continuity of the AD DS domain services. When you
decide to add more than two domain controllers, consider the size of your organization and the
performance requirements; however, two domain controllers should be considered an absolute minimum.

In a branch office where security may be less than optimal, there are some additional measures that can
be deployed to reduce the impact of a breach of defenses. If an RODC is compromised, the potential loss
of information is much lower than with a full read-write domain controller. If a hard drive is stolen, then
BitLocker ensures that there is a very low chance of an intruder being able to gain any useful information
from it.

Note: An RODC is a domain controller that holds a read-only copy of the AD DS database.
You can deploy an RODC in a remote site where users might have difficulty logging on over an
unreliable Wide Area Network (WAN) connection. Rather than deploy a full read/write domain
controller, which might present a security risk, you could install a RODC, which can authenticate
users locally without providing any write capability to the AD DS database.

Note: Windows BitLocker® is a drive encryption system that is available for Windows Server
operating systems, and for certain Windows client operating system versions. BitLocker securely
encrypts the entire operating system so that the computer cannot start without being supplied a
secret key and (optionally) passing an integrity check. A disk stays encrypted even if you transfer
it to another computer.

What Is the Global Catalog?
Within a single domain, the AD DS database contains all the information about every object in that
domain. This information is not replicated outside the domain. For example, a query for an object in
AD DS is directed to one of the domain controllers for that domain. If there is more than one domain in
the forest, then that query will not provide any results for objects in a different domain. For this reason,
you can configure one or more domain controllers to store a copy of the global catalog. The global
catalog is a distributed database that contains a searchable representation of every object from all the
domains in a multi-domain forest. By default, the only global catalog server that is created is the first
domain controller in the forest root domain.

The global catalog does not contain all attributes for each object. Instead, the global catalog maintains
the subset of attributes that are most likely to be useful in cross-domain searches. These attributes might
include firstname, displayname, and location. There could be a variety of reasons why you would
perform a search against a global catalog rather than a domain controller that is not a global catalog. For
example, when an Exchange server receives an incoming email, it needs to search for the recipient's
account so that it can decide how to route the message. By automatically querying a global catalog, the
Exchange server is able to locate the recipient in a multi-domain environment. When a user logs on to
their Active Directory account, the domain controller performing the authentication must contact a global
catalog to check for universal group memberships before the user is authenticated.

In a single domain, all domain controllers should be configured as holders of the global catalog; however,
in a multi-domain environment, the Infrastructure master should not be a global catalog server. Which
domain controllers are configured to hold a copy of the global catalog depends on replication traffic and
network bandwidth. Many organizations are opting to make every domain controller a global catalog
server.

Question: Should a domain controller be a global catalog?

The AD DS Logon Process
When you log on to AD DS, your system looks in DNS for SRV records to locate the nearest suitable
domain controller. SRV records are records that specify information on available services, and are
recorded in DNS by all domain controllers. By using DNS lookups, clients can locate a suitable domain
controller to service their logon requests. If the logon is successful, the local security authority (LSA)
builds an access token for the user. The access token contains the security identifiers (SIDs) for the user
and any groups of which the user is a member. This provides the access credentials for any process
initiated by that user. For example, after logging on to AD DS, a user runs Microsoft® Office Word and
attempts to open a file. Word uses the credentials in the user's access token to check the level of the
user's permissions for that file.

Sites are used by a client system when it needs to contact a domain controller. It starts by looking up SRV
records in DNS. Then the client system attempts to connect to a domain controller in the same site before
trying elsewhere.

Administrators can define sites in AD DS. Sites will usually align with parts of the network that have good
connectivity and bandwidth. For example, there might be a branch office that is connected to the main
datacenter by an unreliable WAN link. In this case, it would be better to define the datacenter and the
branch office as separate sites in AD DS.

SRV records are registered in DNS by the Net Logon service that is running on each domain controller. If
the SRV records are not entered in DNS correctly, you can trigger the domain controller to reregister
those records by restarting the Net Logon service on that domain controller. This process only reregisters
the SRV records; if you want to reregister the host record information in DNS, you must run ipconfig
/registerdns from a command prompt, just as you would for any other computer.

Note: A SID is a unique number in the form of S-1-5-21-4130086281-3752200129-271587809-500,
where S-1-5-21 represents the type of ID, the next three blocks of numbers
(4130086281-3752200129-271587809) are the number of the database where the account is
stored (usually the AD DS domain), and the last section (500) is the relative ID (RID), which is the
part of the SID that uniquely identifies that account in the database. Every user and computer
account and every group that you create have a unique SID but they only differ from each other
by virtue of the unique RID. You can tell that this particular SID is the SID for the administrator
account because it ends with the "well-known" RID 500.
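The decomposition described in the note, as an added example that is not part of the course text: a Split-Sid function (an assumed helper name) breaks a SID into revision, authority, domain identifier and RID, flags well-known RIDs such as 500, and shows that two accounts from the same domain differ only in the RID. The sample SIDs other than the one from the note are constructed.

```powershell
# Added example, not part of the course: split a SID into the parts the note describes and
# name the account when the RID is a well-known one. Sample SIDs are the one from the note
# plus constructed variants; nothing here is looked up against a live domain.
function Split-Sid {
    param([Parameter(Mandatory = $true)][string]$Sid)

    # Shape: S-<revision>-<identifier authority>-<sub-authorities...>-<RID>
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') { throw "Not a SID: $Sid" }
    $parts = @($Matches[3].TrimStart('-') -split '-' | ForEach-Object { [uint32]$_ })

    # Domain (and local machine) account SIDs use authority 5 and first sub-authority 21,
    # followed by three sub-authorities identifying the domain and then the RID.
    $isDomainSid = ($Matches[2] -eq '5') -and ($parts[0] -eq 21) -and ($parts.Count -eq 5)

    # RIDs that are the same in every domain; a renamed Administrator still has RID 500,
    # which is why security logs are best read by SID rather than by account name.
    $wellKnownRids = @{
        500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
        512 = 'Domain Admins'; 513 = 'Domain Users'; 516 = 'Domain Controllers'
        518 = 'Schema Admins'; 519 = 'Enterprise Admins'
    }
    $rid = [int]$parts[-1]

    $domainId = $null
    $account  = $null
    if ($isDomainSid) {
        $domainId = 'S-1-5-21-' + ($parts[1..3] -join '-')
        if ($wellKnownRids.ContainsKey($rid)) { $account = $wellKnownRids[$rid] }
    }

    [pscustomobject]@{
        Sid              = $Sid
        Revision         = [int]$Matches[1]
        Authority        = [int]$Matches[2]
        IsDomainSid      = $isDomainSid
        DomainIdentifier = $domainId
        Rid              = $rid
        WellKnownAccount = $account
    }
}

# The SID from the note, a constructed ordinary user (RID 1105) from the same domain,
# and a constructed Domain Admins group from a different domain.
$samples = @(
    'S-1-5-21-4130086281-3752200129-271587809-500'
    'S-1-5-21-4130086281-3752200129-271587809-1105'
    'S-1-5-21-1111111111-2222222222-3333333333-512'
)
$parsed = @($samples | ForEach-Object { Split-Sid $_ })
$parsed | Format-Table Sid, DomainIdentifier, Rid, WellKnownAccount -AutoSize

# Accounts from the same domain share the domain identifier and differ only in the RID.
"First two SIDs are from the same domain: $($parsed[0].DomainIdentifier -eq $parsed[1].DomainIdentifier)"

# Cross-check against the .NET parser, which exposes the same domain identifier.
$netSid = New-Object System.Security.Principal.SecurityIdentifier $samples[0]
"Framework agrees on domain identifier: $($netSid.AccountDomainSid.Value -eq $parsed[0].DomainIdentifier)"

# The current user's own SID, parsed the same way.
Split-Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```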

Although the logon process appears to the user as a single event, it is actually made up of two parts. The
user provides credentials, usually a user account name and password, which are then checked against the
AD DS database. If the user account name and the password match the information that is stored in the
AD DS database, the user becomes an authenticated user, and is issued a ticket-granting ticket (TGT) by
the domain controller. At this point, the user does not have access to any resources on the network. A
secondary process in the background submits the TGT to the domain controller, and requests access to
the local machine. The domain controller issues a ticket to the user, who is then able to interact with the
local computer. At this point in the process, the user is authenticated to AD DS and logged on to the local
machine.

When a user subsequently attempts to connect to another computer on the network, the secondary
process is run again, and the TGT is submitted to the nearest domain controller. When the domain
controller returns the ticket, the user can access the computer on the network, which generates a logon
event at that computer.

Note: A domain-joined computer also logs on to AD DS when it starts, a fact that is
often overlooked. You do not see the transaction when the computer uses its computer account
name and a password to log on to AD DS. Once authenticated, the computer becomes a member
of the Authenticated Users group. Although the computer logon process does not have any
visual confirmation in the form of a graphic user interface (GUI), there are event log events that
record the activity. Additionally, if auditing is enabled, there are more events that are viewable in
the Security Log of the Event Viewer.

Demonstration: Viewing the SRV Records in DNS
The demonstration shows the various types of SRV records that the domain controllers register in DNS.
These records are crucial to the operability of AD DS, because they are used to find domain controllers for
logon, password changes, and Group Policy Object (GPO) editing. SRV records are also used by domain
controllers to find replication partners.

Demonstration Steps

View the SRV records by using DNS Manager
1. Open the DNS Manager window, and explore the underscore DNS domains.

2. View the different SRV records that are registered by domain controllers to provide alternate paths so
that clients can discover them.
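The same inspection done from Windows PowerShell, as an added example that is not part of the course and also covers the Net Logon registration point made in the logon process topic: it resolves the locator SRV records under the underscore domains and compares the hosts they name with the domain controllers AD DS knows about. The function names are assumptions; the record names are the standard domain controller locator records.

```powershell
# Added example, not part of the course: resolve the domain controller locator SRV records
# that the demonstration browses in DNS Manager, and compare the hosts they name with the
# domain controllers AD DS knows about. Assumes Windows Server 2012 (DnsClient and
# ActiveDirectory modules) and a session in the domain being checked.
Import-Module ActiveDirectory

function Get-DcLocatorRecords {
    param(
        [string]$Domain     = (Get-ADDomain).DNSRoot,
        [string]$ForestRoot = (Get-ADForest).RootDomain,
        [string]$Site       = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    )
    # The locator records clients use for logon, password changes, GPO editing, GC queries
    # and site-aware domain controller discovery.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain"                # any DC, LDAP
        "_kerberos._tcp.dc._msdcs.$Domain"            # any DC, Kerberos KDC
        "_kpasswd._tcp.$Domain"                       # password changes
        "_ldap._tcp.pdc._msdcs.$Domain"               # PDC emulator, default target for GPO edits
        "_gc._tcp.$ForestRoot"                        # global catalog servers (forest-wide)
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"   # DCs in this computer's site
    )
    foreach ($name in $names) {
        # Resolve-DnsName also returns the A records of the targets; keep only the SRV rows.
        $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' })
        if ($srv.Count -eq 0) {
            [pscustomobject]@{ Record = $name; Target = '(none registered)'; Port = $null; Priority = $null; Weight = $null }
            continue
        }
        foreach ($r in $srv) {
            [pscustomobject]@{
                Record   = $name
                Target   = $r.NameTarget.TrimEnd('.').ToLower()
                Port     = $r.Port
                Priority = $r.Priority
                Weight   = $r.Weight
            }
        }
    }
}

function Compare-DcLocatorRecords {
    $records     = @(Get-DcLocatorRecords)
    $knownDcs    = @((Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() })
    $ldapTargets = @($records |
                     Where-Object { $_.Record -like '_ldap._tcp.dc._msdcs.*' -and $_.Port } |
                     ForEach-Object { $_.Target })
    [pscustomobject]@{
        Records = $records
        # A DC absent from the locator records cannot be found by clients; restarting the
        # Net Logon service on that DC re-registers them, as the logon process topic explains.
        MissingDcs = @($knownDcs | Where-Object { $ldapTargets -notcontains $_ })
        # A target that is not a known DC is stale or unexpected and should be investigated.
        UnexpectedTargets = @($ldapTargets | Where-Object { $knownDcs -notcontains $_ })
    }
}

$report = Compare-DcLocatorRecords
$report.Records | Format-Table -AutoSize
"Domain controllers missing from _ldap._tcp.dc._msdcs: $($report.MissingDcs -join ', ')"
"Locator targets that are not known domain controllers: $($report.UnexpectedTargets -join ', ')"
```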

What Are Operations Masters?
Although all domain controllers are essentially equal, there are some tasks that can only be performed by
targeting one particular domain controller. For example, if you need to add an additional domain to the
forest, then you must be able to connect to the domain naming master. The domain controllers that have
these roles are called operations masters, single master roles, or Flexible Single Master Operations
(FSMOs) (pronounced "fizz-mos"). They are distributed as follows:

• Each forest has one schema master and one domain naming master.

• Each AD DS domain has one RID master, one infrastructure master, and one primary domain
controller (PDC) emulator.

The following is a list of Single Master Roles:

• Schema master. The domain controller where any schema changes are made. To make changes you
would typically log on the schema master as a member of both the Schema Admins and Enterprise
Admins groups. A user who is a member of both of these groups and who has the appropriate
permissions could also edit the schema by using a script.

• Domain naming master. The domain controller that records additions and removals of domains and
also domain name changes.

• RID master. Whenever an object is created in AD DS, the domain controller where the object is
created assigns the object a unique identifying number known as a SID. To ensure that no two
domain controllers assign the same SID to two different objects, the RID master allocates blocks of
RIDs to each domain controller within the domain.

• Infrastructure master. This role is responsible for maintaining inter-domain object references, such as
when a group in one domain contains a member from another domain. In this situation, the
infrastructure master is responsible for maintaining the integrity of this reference. For example, when
you look at the security tab of an object, the system looks up the SIDs that are listed and translates
them into names. In a multi-domain forest, the infrastructure master looks up SIDs from other
domains. The Infrastructure role should not reside on a global catalog server. The exception is when
you follow best practices and make every domain controller a global catalog. In that case, the
Infrastructure role is disabled because every domain controller knows about every object in the forest.

Note: The Infrastructure role should not reside on a global catalog server. For example, the
security tab on an object (file, folder, printer) has a list of SIDs with a matrix of permissions
assigned. To ease administration, these SIDs are converted into names such as users and groups,
usually before you even see the SIDs appear. If there is more than one domain in the AD DS
forest, then there may be SIDs from remote domains in the security tab, and because they are not
recognized on the local domain, a mechanism is necessary to look up the actual names. The
infrastructure master does this by referring to a GC. If the infrastructure master is also configured
as a GC, then the infrastructure service is disabled.

• PDC emulator. The domain controller that holds the PDC emulator role is the time source for the
domain. The domain controllers that hold the PDC emulator role in each domain of the forest synchronize
with the domain controller that has the PDC emulator role in the forest root domain. You set this domain
controller to synchronize with an external atomic time source. The PDC emulator is also the domain
controller that receives urgent password changes. If a user’s password is changed, the information is sent
immediately to the domain controller holding the PDC emulator role. This means that if a user’s
password was changed and the user subsequently tried to log on, and was authenticated by a domain
controller in a different location that had not yet received the new password, that domain controller
would contact the domain controller holding the PDC emulator role and check for recent changes. When a
group policy other than a local group policy is opened for editing, the copy that is edited is the one
stored on the PDC emulator.

Note: The global catalog is not one of the Operations Master roles.
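The role holders, and the rule above about the infrastructure master and global catalogs, can be checked from PowerShell. This is an added example and not part of the course material; it assumes the Active Directory module, and Enable-GlobalCatalog is an assumed helper that does what the Global Catalog check box in Active Directory Sites and Services does.

```powershell
# Added example (not from the course): list the operations master role holders and
# apply the infrastructure-master placement rule. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OperationsMasters {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    [pscustomobject]@{
        # Forest-wide roles: one of each per forest
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-wide roles: one of each per domain
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        PDCEmulator          = $domain.PDCEmulator
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = Get-ADDomainController -Filter * -Server $DomainName
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $multiDomain = (Get-ADForest).Domains.Count -gt 1
    # The role only matters in a multi-domain forest where some DCs are not global
    # catalogs. If the holder is itself a GC in that situation it never sees a stale
    # cross-domain reference, so those references stop being updated.
    $ok = $allGc -or (-not $multiDomain) -or (-not $im.IsGlobalCatalog)
    [pscustomobject]@{
        InfrastructureMaster = $domain.InfrastructureMaster
        HolderIsGC           = $im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        MultiDomainForest    = $multiDomain
        PlacementOK          = $ok
    }
}

function Enable-GlobalCatalog {
    # Assumed helper: sets bit 0 (IS_GC) of the options attribute on the DC's NTDS Settings
    # object, which is what the Global Catalog check box in Sites and Services does.
    param([Parameter(Mandatory)][string]$DomainControllerName)
    $dc = Get-ADDomainController -Identity $DomainControllerName
    $settings = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $newOptions = ([int]$settings.options) -bor 1
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $newOptions }
}

Get-OperationsMasters | Format-List
Test-InfrastructureMasterPlacement | Format-List
```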

Question: Why would you make a domain controller a global catalog server?

Lesson 3
Installing a Domain Controller
Sometimes you need to install additional domain controllers on your Windows Server 2012 operating
system. It might be that the existing domain controllers are overworked and you need additional
resources. Perhaps you are planning for a new remote office that requires you to deploy one or more
domain controllers. You also might be setting up a test lab or a backup site. The installation method that
you use varies with the circumstances.
This lesson examines several ways to install additional domain controllers. It demonstrates the process of
using Server Manager to install AD DS on a local machine and on a remote server. This lesson also
discusses installing AD DS on a Server Core installation, and installing AD DS on a computer using a
snapshot of the AD DS database that is stored on removable media. You will also examine the process of
upgrading a domain controller from an earlier Windows operating system to Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how to install a domain controller by using the GUI.

• Explain how to install a domain controller on a Server Core installation of Windows Server 2012.

• Explain how to upgrade a domain controller.

• Explain how to install a domain controller by using Install from Media (IFM).

Installing a Domain Controller by Using a GUI
Prior to Windows Server 2012, it was common practice to use the dcpromo.exe tool to install
domain controllers. If you attempt to run dcpromo on a Windows Server 2012 server, you
receive the following error message:

"The Active Directory Domain Services Installation Wizard is relocated in Server
Manager. For more information, see http://go.microsoft.com/fwlink/?LinkId=220921"

Note: The dcpromo.exe tool is a tool that you run on a server to make the server an AD DS domain
controller. Until Windows Server 2012, dcpromo.exe has been the preferred method to install AD DS, and it
usually runs in GUI mode; however, in Windows Server 2012, this tool is replaced with Server Manager.
Dcpromo.exe is still supported for unattended installations from the command-line interface.

When you run Server Manager, you can choose whether the operation is performed on the local
computer, on a remote computer, or by members of a server pool. You then choose to add the Active
Directory Domain Services role. At the end of the initial installation process, the AD DS binaries are
installed, but AD DS is not yet set up on that server. A message to that effect displays in Server Manager.

You can select the link to Promote this server to a domain controller, and then the AD DS promotion
wizard runs. You are then asked the following questions about the proposed structure.

Required information                           Description

Add a domain controller to an existing         Choose whether an additional domain
domain                                         controller is added to a domain.

Add a new domain to an existing forest         Create a new domain in the forest.

Add a new forest                               Create a new forest.

Specify the domain information for this        Supply information about the existing
operation                                      domain to which the new domain controller
                                               will connect.

Supply the credentials to perform this         Enter the name of a user account that has
operation                                      the rights to perform this operation.

Some other information you need to collect before running the promotion is listed in the following table.

Required information                           Description

DNS name for the AD DS domain                  For example, adatum.com

NetBIOS name for the AD DS domain              For example, adatum

Whether the new forest needs to support        Will there also be Windows Server 2008
domain controllers running previous            domain controllers?
versions of Windows operating systems
(affects choice of functional level)

Whether this domain controller will contain    Your DNS must be functioning well to
DNS                                            support AD DS

Location to store the database files (for      By default, these files are stored in
example, NTDS.DIT, edb.log, or edb.chk)        C:\Windows\NTDS

The wizard continues through several different pages where you can enter prerequisites such as the
NetBIOS domain name, DNS configuration, whether this domain controller should be a global catalog
server, and the Directory Services Restore Mode password. Finally, you must reboot to complete the
installation.

Note: If you need to reinstall the AD DS database from a backup, reboot the domain
controller in Directory Services Restore Mode. When the domain controller boots up, it is not
running the AD DS services; instead, it is running as a member server in the domain. To log on to
that server in the absence of AD DS, log on using the Directory Services Restore Mode
password.

Installing a Domain Controller on a Server Core Installation of Windows
Server 2012
Install AD DS by using Server Manager to remotely connect to the Server Core server. Once you install
the AD DS binaries and the server is rebooted, you can complete the installation and configuration in
one of three ways:

• In Server Manager, click the notification icon to complete the post-deployment configuration. This
starts the configuration and setup of the domain controller.

• Create an answer file and run dcpromo /unattend:"D:\answerfile.txt" where "D:\answerfile.txt" is
the path to the answer file.

• Run dcpromo /unattend with the appropriate switches, for example:

dcpromo /unattend /InstallDns:yes /confirmglobalcatalog:yes
/replicaOrNewDomain:replica /replicadomaindnsname:"mynewdomain.com"
/databasePath:"c:\ntds" /logPath:"c:\ntdslogs" /sysvolpath:"c:\sysvol"
/safeModeAdminPassword:Pa$$w0rd /rebootOnCompletion:yes
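The same unattended promotion can be driven with the ADDSDeployment cmdlets that ship with Windows Server 2012, which avoids leaving the DSRM password in a command line or answer file. This is an added example and not part of the course; the server name CORE-DC2 and the domain adatum.com are assumptions.

```powershell
# Added example (not from the course): the promotion that the dcpromo /unattend line
# above performs, done with the ADDSDeployment module against a Server Core server.
# Assumptions: CORE-DC2 is the Server Core computer, adatum.com the existing domain.
$coreServer = 'CORE-DC2'
$domainName = 'adatum.com'

# Prompt for secrets instead of embedding them: dcpromo answer files that contain
# SafeModeAdminPassword must be deleted after use for the same reason.
$domainCred   = Get-Credential -Message "Domain Admins account for $domainName"
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Invoke-Command -ComputerName $coreServer -ArgumentList $domainName, $domainCred, $dsrmPassword -ScriptBlock {
    param($DomainName, $Credential, $SafeModePassword)

    # Step 1: install the AD DS binaries (what adding the role in Server Manager does).
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Each entry maps to a dcpromo switch from the example above.
    $promotion = @{
        DomainName                    = $DomainName          # /replicadomaindnsname
        Credential                    = $Credential
        InstallDns                    = $true                # /InstallDns:yes
        NoGlobalCatalog               = $false               # /confirmglobalcatalog:yes
        DatabasePath                  = 'C:\ntds'            # /databasePath
        LogPath                       = 'C:\ntdslogs'        # /logPath
        SysvolPath                    = 'C:\sysvol'          # /sysvolpath
        SafeModeAdministratorPassword = $SafeModePassword    # /safeModeAdminPassword
        NoRebootOnCompletion          = $false               # /rebootOnCompletion:yes
        Force                         = $true                # suppress confirmation prompts
    }

    # Step 2: run the prerequisite checks the wizard runs, and stop if any fail
    # (for example, the domain name not resolving in DNS).
    $check = Test-ADDSDomainControllerInstallation @promotion
    if ($check.Status -ne 'Success') {
        $check.Message | Write-Warning
        throw "Prerequisite check failed on $env:COMPUTERNAME"
    }

    # Step 3: promote this server as an additional DC (the "replica" case) and reboot.
    Install-ADDSDomainController @promotion
}
```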

Upgrading a Domain Controller
There are two ways to upgrade to a Windows Server 2012 domain controller: you can either
upgrade the operating system on existing domain controllers, or introduce Windows Server 2012
servers as domain controllers. Of the two, the second is the preferred method, because there are
no old or disused code and files remaining. Instead, you have a clean installation of the
Windows Server 2012 operating system and AD DS database.

Upgrading to Windows Server 2012
For an organization to upgrade an AD DS domain from one running at Windows Server 2008 functional
level to an AD DS domain running at Windows Server 2012 functional level, all the domain controllers
must first be upgraded from the Windows Server 2008 operating system to the Windows Server 2012
operating system.

You can achieve this by upgrading all of the existing domain controllers to Windows Server 2012, or by
introducing new domain controllers running Windows Server 2012, and then phasing out the existing
domain controllers.
Although there is no reason to prevent Windows Server 2012 servers from being part of a Windows Server
2008 domain, when the time comes to have domain controllers running Windows Server 2012, you must
upgrade the schema. To upgrade the schema, you must run the adprep tool that is included in the
Windows Server 2012 installation media.

To upgrade the schema, log on to the schema master for the forest, and in the support\adprep directory,
run adprep /forestprep from an elevated cmd.exe window. You must be a member of all of the following
groups to have the necessary rights to run this command:

• Schema Admins for the forest

• Enterprise Admins for the forest

• Domain Admins for the domain where the schema master resides

In addition, you must run the adprep command again in each domain where you plan to introduce
Windows Server 2012 servers as domain controllers. To do this, on the Infrastructure master for the
domain, in an elevated cmd.exe window, run adprep /domainprep /gpprep.
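Before running adprep /forestprep it is worth confirming the three group memberships, the media path, and the schema version, and re-reading the version afterwards to confirm the update took. The following is an added example and not part of the course; it assumes the Active Directory module, an elevated session on the schema master, and installation media mounted as D:. The schema objectVersion that Windows Server 2012 adprep sets is 56.

```powershell
# Added example (not from the course): readiness checks for adprep /forestprep and a
# verification afterwards. Assumes the ActiveDirectory module, an elevated PowerShell
# session on the schema master, and Windows Server 2012 media mounted as D:.
Import-Module ActiveDirectory

function Get-SchemaVersion {
    # Read objectVersion from the schema master itself, not whichever DC answers first.
    param([string]$Server = (Get-ADForest).SchemaMaster)
    $schemaDn = (Get-ADRootDSE -Server $Server).schemaNamingContext
    [int](Get-ADObject -Identity $schemaDn -Server $Server -Properties objectVersion).objectVersion
}

function Test-ForestPrepReadiness {
    param([string]$MediaRoot = 'D:\')
    $forest      = Get-ADForest
    $rootNetbios = (Get-ADDomain -Identity $forest.RootDomain).NetBIOSName
    # Resolve the groups in the current logon token to DOMAIN\Group names.
    $tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object {
            try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }
    # The schema master always resides in the forest root domain, so all three
    # required groups come from the root domain.
    $required = @(
        "$rootNetbios\Schema Admins"
        "$rootNetbios\Enterprise Admins"
        "$rootNetbios\Domain Admins"
    )
    $adprep  = Join-Path $MediaRoot 'support\adprep\adprep.exe'
    $version = Get-SchemaVersion -Server $forest.SchemaMaster
    [pscustomobject]@{
        SchemaMaster     = $forest.SchemaMaster
        RunningOnMaster  = $forest.SchemaMaster -like "$env:COMPUTERNAME.*"
        SchemaVersion    = $version
        ForestPrepNeeded = $version -lt 56      # 56 = Windows Server 2012 schema
        MissingGroups    = @($required | Where-Object { $tokenGroups -notcontains $_ })
        AdprepPath       = $adprep
        AdprepFound      = Test-Path $adprep
    }
}

function Invoke-ForestPrep {
    param([string]$MediaRoot = 'D:\')
    $state = Test-ForestPrepReadiness -MediaRoot $MediaRoot
    if ($state.MissingGroups.Count -gt 0) { throw "Missing group membership: $($state.MissingGroups -join ', ')" }
    if (-not $state.AdprepFound)          { throw "adprep.exe not found under $MediaRoot" }
    if (-not $state.ForestPrepNeeded) {
        Write-Host "Schema already at version $($state.SchemaVersion); nothing to do."
        return $state
    }
    # adprep prompts for confirmation at the console before it changes the schema.
    & $state.AdprepPath /forestprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep exited with code $LASTEXITCODE" }
    # Re-read the version; replication carries the change to the other DCs.
    Test-ForestPrepReadiness -MediaRoot $MediaRoot
}

Test-ForestPrepReadiness | Format-List
```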

Introduce Windows Server 2012 Domain Controllers
There are two ways to introduce Windows Server 2012 domain controllers into your domain. You can
either upgrade Windows Server 2008 to Windows Server 2012, or you can have a clean installation. To
upgrade the operating system of a Windows Server 2008 domain controller to Windows Server 2012:

1. Insert the installation disk for Windows Server 2012, and run Setup.

2. After the language selection page, select Install now.

3. After the operating system selection window and the license acceptance page, on the Which type of
installation do you want? window, choose Upgrade: Install Windows and keep files, settings,
and apps.

With this type of upgrade, there is no need to preserve users' settings and reinstall applications;
everything is upgraded in place. Remember to check for hardware and software compatibility before
doing an upgrade.

To introduce a clean install of Windows Server 2012 as a domain member:

1. Deploy and configure a new installation of Windows Server 2012 and join it to the domain.

2. Promote the new server to be a domain controller in the domain by using Server Manager or one of
the other methods described previously.

Note: You can upgrade directly from Windows Server 2008 and Windows Server 2008 R2
to Windows Server 2012. To upgrade servers that are running an earlier version of Windows
Server, you must either perform an interim upgrade to Windows Server 2008 or Windows Server
2008 R2, or perform a clean install.

Installing a Domain Controller by Using IFM
If you have an intervening network that is slow, unreliable, or costly, you might find it necessary to
add another domain controller at a remote location or branch office. In this scenario, it is often better
to deploy AD DS to a server by using the Install from Media (IFM) method.
For example, if you connect to a server in the remote office and use Server Manager to install AD DS,
you will need to copy the entire AD DS database and the SYSVOL folder to the new domain controller.
This process must take place
over a potentially unreliable wide area network (WAN) connection. As an alternative, and to significantly
reduce the amount of traffic copied over the WAN link, you can make a backup of AD DS by using the
NTDSUTIL tool. When you run Server Manager to install AD DS, you can then select the option to Install
from Media. Most of the copying is then done locally (perhaps from a USB drive), and the WAN link is
used only for security traffic, and to ensure that the new domain controller receives any changes that are
made after you create the IFM backup.

To install a domain controller by using IFM, browse to a writable domain controller but not an RODC. Use
the NTDSUTIL tool to create a snapshot of the AD DS database, and then copy it to the server that will be
promoted to a domain controller. Use Server Manager to promote the server to a domain controller by
selecting the Install from Media option, and by providing the local path to the IFM directory that you
created previously.

The full procedure is as follows:

1. On the full domain controller, type the following commands (where C:\IFM is the destination
directory that will contain the snapshot of the AD DS database) at an administrative command
prompt, and press Enter after each line:

Ntdsutil
activate instance ntds
ifm
create SYSVOL full C:\IFM

2. On the server that you are promoting to a domain controller, perform the following steps:

a. Use Server Manager to add the AD DS Role.

b. Wait while the AD DS binaries are installed.

c. In Server Manager, click the notification icon to complete the post-deployment configuration
and a wizard runs.

d. At the appropriate time during the wizard, select the option to install from IFM, and then provide
the local path to the snapshot directory.

AD DS then installs from the snapshot. When the domain controller reboots, it contacts other domain
controllers in the domain and updates AD DS with any changes that were made since the snapshot was
created.

Additional Reading: For more information about the steps necessary to install AD DS, see
http://technet.microsoft.com/en-us/library/hh472162.aspx.

Question: What is the reason to specify the Directory Services Restore Mode password?

Lab: Installing Domain Controllers


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London,
England. An IT office and a data center are located in London to support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been asked by your manager to install a new domain controller in the data center to improve
logon performance. You have been asked also to create a new domain controller for a branch office by
using IFM.

Objectives
After performing this lab, you will be able to:

• Install a domain controller.

• Install a domain controller by using IFM.

Lab Setup
Estimated time: 60 minutes

Virtual Machines    20410A-LON-DC1 (start first)
                    20410A-LON-SVR1
                    20410A-LON-RTR
                    20410A-LON-SVR2

User Name           Administrator

Password            Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

2. In the Actions pane, click Connect. Wait until the virtual machine starts.

3. Log on using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

4. Repeat steps 1 to 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.

Exercise 1: Installing a Domain Controller


Scenario
Users have been experiencing slow logon in London during peak usage times. The server team has
determined that the domain controllers are overwhelmed when many users are authenticating
simultaneously. To improve logon performance, you are adding a new domain controller in the London
data center.

The main tasks for this exercise are as follows:

1. Add an Active Directory® Domain Services (AD DS) role to a member server.

2. Configure a server as a domain controller.

3. Configure a server as a global catalog server.

X Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. From Server Manager, add LON-SVR1 to the server list.

3. Add the Active Directory Domain Services server role to LON-SVR1. Add all required features as
prompted.

4. Installation takes several minutes. When the installation has succeeded, click Close to close the Add
Roles and Features Wizard.

X Task 2: Configure a server as a domain controller


1. Use Server Manager on LON-DC1 to perform post-deployment configuration to promote LON-SVR1 to
a domain controller with the following options:

a. Add a domain controller to the existing adatum.com domain

b. Use the credentials Adatum\Administrator with the password Pa$$w0rd.


c. For Domain Controller Options, install the Domain Name System but remove the selection to
install the Global Catalog.

d. DSRM password: Pa$$w0rd.


e. All other options: default.

X Task 3: Configure a server as a global catalog server


1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. Use Active Directory Sites and Services to make LON-SVR1 a global catalog server.

Results: After completing this exercise, you will have explored Server Manager and promoted a member
server to be a domain controller.

Exercise 2: Installing a domain controller by using IFM


Scenario
You have now been assigned by management to manage one of the new branch offices that are being
configured. A faster network connection is scheduled to be installed in a few weeks. Until that time,
network connectivity is very slow.

It has been determined that the branch office requires a domain controller to support local logons. To
avoid problems with the slow network connection, you are using IFM to install the domain controller in
the branch office.

The main tasks for this exercise are as follows:

1. Use the NTDSUTIL tool to generate Install from Media (IFM).

2. Add the AD DS role to the member server.

3. Use IFM to configure a member server as a new domain controller.



X Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
• On LON-DC1, open an administrative command-line interface, and use NTDSUTIL to create an IFM
backup of the AD DS database and of the SYSVOL folder.

X Task 2: Add the AD DS role to the member server


1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.

2. Open a command prompt and map K: to \\LON-DC1\C$\IFM.

3. Add the AD DS server role to LON-SVR2.

X Task 3: Use IFM to configure a member server as a new domain controller


1. Open a command prompt and use Robocopy to copy the IFM backup from K: to c:\ifm on
LON-SVR2.

2. Use Server Manager on LON-SVR2 to perform the post-deployment configuration of AD DS using the
following options:

a. Add a domain controller to the existing adatum.com domain

b. Use Adatum\Administrator with the password Pa$$w0rd for credentials.


c. DSRM password: Pa$$w0rd

d. Use the IFM media to configure and install AD DS.

e. Accept all other defaults.

3. Restart LON-SVR2 to complete the AD DS installation.

Results: After completing this exercise, you will have installed an additional domain controller for the
branch office by using IFM.

X To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.



Module Review and Takeaways


Review Questions
Question: What are the two main purposes of organizational units?

Question: Why would an organization need to deploy an additional tree in the AD DS
forest?

Question: Which deployment method would you use if you had to install an additional
domain controller in a remote location that had a limited WAN connection?

Question: If you needed to promote a Server Core installation of Windows Server 2012 to be
a domain controller, which tools could you use?

Module 3
Managing Active Directory Domain Services Objects
Contents:
Module Overview 3-1

Lesson 1: Managing User Accounts 3-3

Lesson 2: Managing Group Accounts 3-15

Lesson 3: Managing Computer Accounts 3-22

Lesson 4: Delegating Administration 3-27

Lab: Managing Active Directory Domain Services Objects 3-30

Module Review and Takeaways 3-36

Module Overview
User accounts are fundamental components of network security. Stored in Active Directory® Domain
Services (AD DS), they identify users for the purposes of authentication and authorization. Because of their
importance, an understanding of user accounts and the tasks related to supporting them are critical
aspects of administering a Microsoft Windows® enterprise network.

Although users and computers, and even services, change over time, business roles and rules tend to
remain more stable. Your business probably has a finance role, which requires certain capabilities in the
enterprise. The user or users who perform that role might change over time, but the role will remain
relatively the same. For that reason, it is not sensible to manage an enterprise by assigning rights and
permissions to individual users, computers, or service identities. Instead, you should associate
management tasks with groups. Consequently, it is important that you know how to use groups to
identify administrative and user roles, to filter Group Policy, to assign unique password policies, and to
assign rights and permissions.

Computers, like users, are security principals:

• They have an account with a logon name and password that Windows changes automatically on a
periodic basis.

• They authenticate with the domain.

• They can belong to groups, and have access to resources, and you can configure them by using
Group Policy.

Managing computers—both the objects in Active Directory and the physical devices—is one of the day-
to-day tasks of most IT pros. New computers are added to your organization, taken offline for repairs,
exchanged between users or roles, and retired or upgraded. Each of these activities requires managing the
computer’s identity, which is represented by its object, or account, and AD DS. As a result, it is important
that you know how to create and manage computer objects.

In small organizations, one person may be responsible for performing all of these day-to-day
administrative tasks. However, in large enterprise networks, with thousands of users and computers, that is
not feasible. It is important for an enterprise administrator to know how to delegate specific

administrative tasks to designated users or groups to ensure that enterprise administration is efficient and
effective.

Objectives
After completing this module, you will be able to:

• Manage user accounts with graphical tools.

• Manage groups with graphical tools.

• Manage computer accounts.

• Delegate permissions to perform AD DS administration.


Lesson 1
Managing User Accounts
A user object in AD DS is far more than just a handful of properties related to the user’s security identity,
or account. It is the cornerstone of identity and access in AD DS. Therefore, consistent, efficient, and
secure processes regarding the administration of user accounts are the cornerstone of enterprise security
management.

Lesson Objectives
After completing this lesson, you will be able to:

• View AD DS objects by using various AD DS management tools.

• Explain how to create user accounts that you can use in an enterprise network.

• Describe how to configure important user-account attributes.

• Describe how to create user profiles.

• Explain how to use user-account templates to create user accounts.

• Manage user accounts.

AD DS Administration Tools
Before you can begin creating and managing user, group, and computer accounts, it is important that
you understand which tools you can use to perform these various management tasks.

Active Directory Administration Snap-Ins
Most AD DS administration is performed with the following snap-ins and consoles:

• Active Directory Users and Computers. This snap-in manages most common day-to-day
resources, including users, groups, computers, and organizational units. This is likely to be the most
heavily used snap-in for an Active Directory administrator.

• Active Directory Sites and Services. This snap-in manages replication, network topology, and related
services.

• Active Directory Domains and Trusts. This snap-in configures and maintains trust relationships and
the forest functional level.

• Active Directory Schema. This snap-in examines and modifies the definition of Active Directory
attributes and object classes. It is the blueprint for AD DS. It is rarely viewed, and even more rarely
changed. Therefore, the Active Directory Schema snap-in is not installed by default.

Note: To administer AD DS from a computer that is not a domain controller, you must
install Remote Server Administration Tools (RSAT). RSAT is a feature that can be installed from the
Features node of Server Manager on Windows Server® 2012.

You also can install RSAT on Windows clients, including Windows Vista® Service Pack 1 (or
newer), Windows® 7, and Windows 8. After you download the RSAT installation files from
Microsoft’s website, run the Setup Wizard, which steps you through the installation. After
installing RSAT, you must turn on the tool or tools that you want to be visible. To do this, use the
Turn Windows Features On or Off command in the Programs And Features application in
Control Panel.
Additional Reading: To download the RSAT installation files, see
http://www.microsoft.com/downloads.

Active Directory Administrative Center


Windows Server 2012 provides another option for managing AD DS objects. The Active Directory
Administrative Center provides a graphical user interface (GUI) built upon Windows PowerShell®. This
enhanced interface allows you to perform AD DS object management by using task-oriented navigation.
Tasks that you can perform by using the Active Directory Administrative Center include:

• Create and manage user, computer, and group accounts.

• Create and manage organizational units (OUs).

• Connect to, and manage, multiple domains within a single instance of the Active Directory
Administrative Center.
• Search and filter Active Directory data by building queries.

Windows PowerShell
You can use the Active Directory Module for Windows PowerShell to create and manage objects in AD DS.
Windows PowerShell is not just a scripting language. It also enables you to run commands that perform
administrative tasks, such as creating new user accounts, configuring services, deleting mailboxes, and
similar functions.
Windows PowerShell is installed by default on Windows Server 2012, but the Active Directory Module is
only present when:

• You install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.
• You run Dcpromo.exe to promote a computer to a domain controller.

• You install RSAT.

Directory Service Command-Line Tools


You also can use the Directory Service command-line tools, in addition to Windows PowerShell. These
tools enable you to create, modify, manage, and delete AD DS objects, such as users, groups, and
computers. You can use the following commands:
• Dsadd. Use to create new objects.

• Dsget. Use to display objects and their properties.

• Dsmod. Use to edit objects and their properties.

• Dsmove. Use to move objects.

• Dsquery. Use to query AD DS for objects that match criteria that you supply.

• Dsrm. Use to delete objects.



Note: It is possible to pipe the results of the Dsquery command to other Directory Service
commands. For example, typing the following at a command prompt returns the office telephone
number of all users that have a name starting with John:

dsquery user -name John* | dsget user -office

Creating
C Usser Accoun
nts
In
n AD DS, all use
ers that requirre access to ne
etwork
re
esources must be configured d with a user account.
W this user account, users can authentica
With ate to
th
he AD DS dom main and receivve access to ne etwork
re
esources.

A user account is an object that contains all of the information that defines a user in Windows Server 2012. A user account includes the user name and password, as well as group memberships. A user account also contains many other settings that you can configure based upon your organizational requirements.

With a user account, you can:
• Allow or deny users permission to log on to a computer based on their user account identity.

• Grant users access to processes and services for a specific security context.

• Manage users’ access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.

A user account enables a user to log on to computers and domains with an identity that the domain can authenticate. When creating a user account, you must provide a user logon name, which must be unique in the domain/forest in which the user account is created.

To maximize security, you should avoid multiple users sharing one account, so that each user that logs on to the network has a unique user account and password.

Note: Although AD DS accounts are the focus of this course, you also can store user accounts in the local security accounts manager (SAM) database of each computer, enabling local logon and access to local resources. Local user accounts are, for the most part, beyond the scope of this course.

Creating User Accounts
A user account includes the user name and password, which serve as the logon credentials for a user. A user object also includes several other attributes that describe and manage the user.

You can use the Active Directory Users and Computers console, Active Directory Administrative Center, Windows PowerShell, or the dsadd.exe command-line tool to create a user object.

To create a user object by using the Active Directory Users and Computers console, perform the following steps:
1. Right-click the OU or the container in which you want to create the user, point to New, and then click User.

2. In the First name box, type the user’s first name.

3. In the Initials box, type the user’s middle initial(s).

Note: The Initials property is meant for the initials of a user’s middle name, not the initials
of the user’s first or last name.

4. In the Last name box, type the user’s last name.

5. The Full name box is populated automatically, although you can make modifications to it, if
necessary.

The Full name box is used to create several attributes of a user object, most notably, the common
name (CN) and display name properties. The CN of a user is the name displayed in the details pane of
the snap-in, and it must be unique within the container or OU. If you are creating a user object for a
person with the same name as an existing user in the same OU or container, you need to enter a
unique name in the Full name field.

6. In the User logon name box, type the name with which the user will log on, and from the drop-
down list, select the user principal name (UPN) Suffix that will be appended to the user logon name
following the @ symbol.
User names in AD DS can contain special characters, including periods, hyphens, and apostrophes.
These special characters let you generate accurate user names, such as O’Hare and Smith-Bates.
However, certain applications may have other restrictions, so we recommend that you use only
standard letters and numerals until you fully test the applications in your enterprise for compatibility
with special characters.
The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts
snap-in. Right-click the root of the snap-in, click Properties, and use the UPN Suffixes tab to add or
remove suffixes. The DNS name of your AD DS domain is always available as a suffix, and you cannot
remove it.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often
called the downlevel logon name. In the AD DS database, the name for this attribute is
sAMAccountName.

Note: It is important to implement a user-account naming strategy, especially in large networks where users may share the same full name. A combination of last name and first name, and where necessary, additional characters, should yield a unique user account name. Strictly speaking, it is only the UPN that must be unique within your AD DS forest. The Full name needs to be unique only within the organizational unit where it resides, while the downlevel name must be unique within that domain.

8. Click Next.

9. Enter a temporary password for the user in the Password and Confirm password boxes.

10. Select the User must change password at next logon check box.

We recommend that you always select this option, so that the user can create a new password
unknown to the IT staff. Appropriate support staff can reset the user’s password, if necessary to log on
as the user or access the user’s resources. Only users should know their own passwords on a day-to-
day basis.

11. Click Next.



12. Review the summary, and then click Finish.

The New Object – User interface allows you to configure a limited number of account-related properties, such as name and password settings. However, a user object in AD DS supports dozens of additional properties, which you can configure after you create the object.

13. Right-click the user object that you created, and then click Properties.

14. Configure the user properties.

15. Click OK.
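As an added example (not part of the course text), the following PowerShell function does what the New Object – User wizard does, using the Active Directory module: it checks the three uniqueness rules described above (UPN in the forest, pre-Windows 2000 name in the domain, CN in the OU) before creating the object, then sets a temporary password that must be changed at next logon. It assumes the ActiveDirectory module is installed (RSAT or a domain controller); the function names, the OU distinguished name and the UPN suffix are assumptions supplied by the caller.

```powershell
Import-Module ActiveDirectory

function New-TemporaryPassword {
    # Random password from a set that satisfies the usual complexity rule; regenerated
    # until every character class is present. Temporary only: replaced at first logon.
    param([int] $Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%&*?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[!$%&*?]')
    $pw
}

function New-CourseUser {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [string] $Initials,                          # middle initials only, as the note above says
        [Parameter(Mandatory)] [string] $LogonName,  # UPN prefix
        [Parameter(Mandatory)] [string] $UpnSuffix,  # e.g. the domain DNS name
        [string] $PreWin2000Name = $LogonName,       # sAMAccountName (downlevel name)
        [Parameter(Mandatory)] [string] $OuPath      # DN of the target OU or container (assumed)
    )

    $fullName = if ($Initials) { "$FirstName $Initials. $LastName" } else { "$FirstName $LastName" }
    $upn      = "$LogonName@$UpnSuffix"

    # Rule 1: the UPN must be unique in the forest, so search a global catalog (port 3268).
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    if (Get-ADUser -Filter { userPrincipalName -eq $upn } -Server "${gc}:3268") {
        throw "UPN '$upn' already exists in the forest."
    }
    # Rule 2: the pre-Windows 2000 logon name must be unique in the domain.
    if (Get-ADUser -Filter { sAMAccountName -eq $PreWin2000Name }) {
        throw "Pre-Windows 2000 logon name '$PreWin2000Name' already exists in the domain."
    }
    # Rule 3: the CN (Full name) must be unique within the OU or container.
    if (Get-ADObject -Filter { cn -eq $fullName } -SearchBase $OuPath -SearchScope OneLevel) {
        throw "An object named '$fullName' already exists in $OuPath."
    }

    $tempPassword = New-TemporaryPassword
    $params = @{
        Name                  = $fullName          # becomes the CN
        DisplayName           = $fullName
        GivenName             = $FirstName
        Surname               = $LastName
        UserPrincipalName     = $upn
        SamAccountName        = $PreWin2000Name
        Path                  = $OuPath
        AccountPassword       = (ConvertTo-SecureString $tempPassword -AsPlainText -Force)
        ChangePasswordAtLogon = $true              # "User must change password at next logon"
        Enabled               = $true
    }
    if ($Initials) { $params.Initials = $Initials }

    $user = New-ADUser @params -PassThru

    # The temporary password is returned for the help desk to hand over; nothing stores it.
    [pscustomobject]@{
        DistinguishedName = $user.DistinguishedName
        UserPrincipalName = $upn
        SamAccountName    = $PreWin2000Name
        TemporaryPassword = $tempPassword
    }
}

# Usage with constructed values (the OU must exist):
# New-CourseUser -FirstName John -LastName Smith -LogonName jsmith -UpnSuffix contoso.com `
#     -OuPath 'OU=Sales,DC=contoso,DC=com'
```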

Configuring User Account Attributes
When you create a user account in AD DS, you also configure all the associated account properties, or attributes.

Note: The attributes that are associated with a user account are defined as part of the AD DS schema, which members of the Schema Admins security group can modify. Generally, the schema does not change frequently. However, when an enterprise-level application, such as Microsoft Exchange Server 2010, is introduced, many schema changes are required. These changes enable objects, including user objects, to have additional attributes.

When you use Active Directory Users and Computers to create a new user object, you are not required to define many attributes beyond those required to allow the user to log on by using the account. Since you can associate a user object with many attributes, it is important that you understand what these attributes are, and how you can use them in your organization.

Attribute Categories
The attributes of a user object fall into several broad categories that appear on tabs of the user properties dialog box, and include:

• Account attributes: The Account tab. These properties include logon names, passwords, and account flags. You can configure many of these attributes when you create a new user with the Active Directory Users and Computers snap-in. The Account Properties section details the account attributes.

• Personal information: The General, Address, Telephones, and Organization tabs. The General tab contains the name properties that you configure when you create a user object, along with the basic description and contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab also is where the Notes field is located, which corresponds to the info attribute. It is a very useful general-purpose text field that many enterprises underuse. The Organization tab shows the job title, department, company, and organizational relationships.

• User configuration management: The Profile tab. Here, you can configure the user’s profile path, logon script, and home folder.

• Group membership: The Member Of tab. You can add the user to, and remove the user from, groups. You also can change the user’s primary group.

• Remote Desktop Services: The Remote Desktop Services Profile, Environment, Remote control,
Sessions, and Personal Virtual Desktop tabs. These tabs enable you to configure and manage the
user’s experience when the user connects to a Remote Desktop Services session.

• Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on
the Dial-in tab.

• Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+
partition set. This feature facilitates the management of distributed applications.

Viewing All Attributes


The Attribute Editor tab allows you to view and edit all attributes of a user object.

Note: The Attribute Editor tab is not visible until you enable Advanced Features from the
View menu of the Microsoft Management Console (MMC).

The Attribute Editor displays all system attributes of the selected object. The Filter button enables you to
choose to see even more attributes, including backlinks and constructed attributes.

Backlinks are attributes that result from references to the object from other objects. The easiest way to
understand backlinks is to look at an example: the memberOf attribute:

• When a user is added to a group, it is the group’s member attribute that is changed. The
distinguished name of the user is added to this multivalued attribute.
• The member attribute of a group is called a forward link attribute.

• A user’s memberOf attribute is updated automatically by AD DS when the user is referred to by a


group’s member attribute. In other words, you do not ever write directly to the user’s memberOf
attribute. AD DS maintains it dynamically.

A constructed attribute is the result of a calculation that AD DS performs. An example is the
tokenGroups attribute. This attribute is a list of the security identifiers (SIDs) of all the groups to which
the user belongs, including nested groups. To determine the value of tokenGroups, AD DS must calculate
the effective membership of the user, which takes a few processor cycles. Because of this, the attribute is
not stored as part of the user object, nor is it dynamically maintained. Instead, it is calculated when
needed. Because of the processing required to produce constructed attributes, the Attribute Editor tab
does not display them by default. In addition, you cannot use constructed attributes in Lightweight
Directory Access Protocol (LDAP) queries.
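Added example (not course code): reading the backlink and the constructed attribute discussed above for one user with the Active Directory module, so that the difference between direct membership (memberOf) and effective membership (tokenGroups, which includes nested groups and the primary group) is visible. It assumes the ActiveDirectory module; the function name is an assumption and the sAMAccountName is supplied by the caller.

```powershell
Import-Module ActiveDirectory

function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # A constructed attribute can be read from a single object (base-scope read) even
    # though it cannot be used in an LDAP search filter.
    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf, tokenGroups

    # memberOf: the backlink that AD DS maintains from each group's member attribute.
    # It lists direct memberships only and never includes the primary group.
    $direct = foreach ($dn in $user.memberOf) { (Get-ADGroup -Identity $dn).SamAccountName }

    # tokenGroups: calculated on request; every security group SID that lands in the
    # user's access token, including nested groups and the primary group.
    $effective = foreach ($entry in $user.tokenGroups) {
        # The module returns SecurityIdentifier objects; a raw LDAP read returns byte[].
        $sid = if ($entry -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($entry, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$entry
        }
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # keep the SID when it cannot be resolved (e.g. unreachable trusted domain)
    }

    # DOMAIN\Name -> Name, so that the two lists can be compared.
    $effectiveNames = $effective | ForEach-Object { ($_ -split '\\')[-1] }

    [pscustomobject]@{
        User            = $user.SamAccountName
        DirectGroups    = @($direct)
        EffectiveGroups = @($effective)
        # Membership that a permissions review based on memberOf alone would miss.
        NestedOnly      = @($effectiveNames | Where-Object { $_ -notin @($direct) })
    }
}

# Usage (constructed value):
# Get-EffectiveGroupMembership -SamAccountName jsmith
```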

Modifying Attributes for Multiple Users

The Active Directory Users and Computers snap-in enables you to modify the properties of multiple user
objects simultaneously. To modify attributes of multiple users in the Active Directory Users and Computers
snap-in:
1. Select several user objects by holding the Ctrl key as you click each user, or by using any other
multiple-selection technique. Be certain that you select only objects of one class, such as users.

2. After you select the objects, right-click any one of them, and then click Properties.

When you have selected the user objects, a subset of properties is available for modification:
• General: Description, Office, Telephone Number, Fax, Web page, E-mail
• Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options,
and Account expires

• Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, and Country/region

• Profile: Profile path, Logon script, and Home folder

• Organization: Job Title, Department, Company, and Manager

Creating User Profiles
Some of the optional properties that you can configure for your user accounts are located on the Profile tab of the Account Property page.

You can configure three properties on this page:
• Profile path. This is either a local, or more usually, a UNC path. The user’s desktop settings are stored in the profile. Once you define a user profile by using a UNC path, then whichever domain computer services a user’s logon, their desktop settings will be available. This is known as a roaming profile.

Note: It is good practice to use a subfolder of the user’s home folder for the user’s profile path.

• Logon script. This is the name of a batch file that contains commands that execute when the user logs on. Typically, you use these commands to create drive mappings. Rather than use a logon script batch file, it is more usual for administrators to implement logon scripts by using Group Policy Objects (GPOs) or Group Policy Preferences. If you use a logon script, this value should be in the form of a filename (with extension) only. Scripts should be stored in the C:\Windows\SYSVOL\domain\scripts folder on all domain controllers.

• Home folder. This value enables you to create a personal storage area in which users can save their personal documents. You can specify either a local path, or more usually, a UNC path to the user’s folder. You also must specify a drive letter that is used to map a network drive to the specified UNC path.

When configuring the profile path and home folder locations, if you use the variable %username% in the path, this is substituted for the actual user name during application of the properties. Additionally, so long as the shared parent folder exists, and the administrator modifying the account properties has at least Modify file permissions on the shared folder, then the user’s subfolder is created automatically. In this instance, the file permissions are modified on the newly-created subfolder so that the user has full control of his or her home folder.
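Added example (not from the course): setting the three Profile-tab values from the Active Directory module with the %username% variable, then creating the user’s subfolder and granting Full Control, because Set-ADUser writes only the attributes and does not perform the folder work that the snap-in does automatically. It assumes the ActiveDirectory module, a share \\FILESRV\Users that already exists (constructed name) on which the caller has at least Modify permission, and the function name is an assumption.

```powershell
Import-Module ActiveDirectory

function Set-CourseUserProfile {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Share       = '\\FILESRV\Users',  # constructed share name
        [string] $HomeDrive   = 'H:',
        [string] $LogonScript = 'mapdrives.cmd'     # file name only; stored in SYSVOL\domain\scripts
    )

    # The attributes store %username% literally; it is replaced by the logon name when
    # the properties are applied. The profile is a subfolder of the home folder, as the
    # note above recommends.
    $homeDirectory = "$Share\%username%"
    $profilePath   = "$Share\%username%\Profile"

    $user = Get-ADUser -Identity $SamAccountName
    Set-ADUser -Identity $user -HomeDrive $HomeDrive -HomeDirectory $homeDirectory `
               -ProfilePath $profilePath -ScriptPath $LogonScript

    # Create the real subfolder on the share; here the variable has to be substituted by us.
    $folder = $homeDirectory -replace '%username%', $user.SamAccountName
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    # Give the user Full Control of the subfolder and everything created beneath it.
    # The SID is used rather than a name so that the rule does not depend on name resolution.
    $acl  = Get-Acl -LiteralPath $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $user.SID, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl

    [pscustomobject]@{
        User          = $user.SamAccountName
        HomeDrive     = $HomeDrive
        HomeDirectory = $homeDirectory   # as stored in AD DS, with %username%
        ProfilePath   = $profilePath
        FolderCreated = $folder          # as resolved on the file server
    }
}

# Usage (constructed value):
# Set-CourseUserProfile -SamAccountName jsmith
```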

Creating User Accounts with User Account Templates
Users in a domain often share many similar properties. For example, all sales representatives can belong to the same security groups, log on to the network during similar hours, and have home folders and roaming profiles stored on the same server. Because of this, to save time when creating a new user, you can copy an existing user account rather than create a blank account and populate each property.

If you want to create multiple users with broadly similar properties, you can use a user account template. A user account template is a generic user account that you have populated with common properties. For example, you can create a template account for sales representatives, which you then configure with group memberships, logon hours, a home folder, and roaming profile path.

To create a user account template, perform the following steps:

1. Create a user account, and prepopulate it with the appropriate attributes.

2. Disable the user account template so that the template account cannot be used to log on to the network.

To create a user based on the template, perform the following steps:

1. Right-click the user account template, and then click Copy. The Copy Object – User Wizard appears.

2. In the First name box, type the user’s first name.

3. In the Last name box, type the user’s last name.

4. Modify the Full name value, if necessary.

5. In the User logon name box, type the user logon name, and then select the appropriate UPN suffix from the drop-down list.

6. In the User logon name (pre-Windows 2000) box, type the user’s user name.

7. Click Next.

8. In the Password box and the Confirm password box, type the user’s password.

9. Select the appropriate password options.

10. If you created the new user account by copying a disabled user account, clear the Account is disabled check box to enable the new account.

It is important to understand that not all attributes are copied. The following list summarizes the attributes that are copied:

• General tab. No properties are copied from the General tab.

• Address tab. P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied.

• Account tab. Logon hours, logon workstations, account options, and account expiration are copied.

• Profile tab. Profile path, logon script, home drive, and home folder path are copied.

• Organization tab. Department, company, and manager are copied.

• Member Of tab. Group membership and primary group are copied.

It is not useful to configure any other attributes in the template, because they will not be copied.
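Added example (not from the course): the Copy Object – User operation done with the Active Directory module, carrying over exactly the attributes in the list above (including account options, expiration, group memberships and primary group) and nothing from the General tab or the street address, and refusing to copy from a template that is not disabled. It assumes the ActiveDirectory module; the function name, the template sAMAccountName and the new user’s names are assumptions supplied by the caller.

```powershell
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,     # e.g. _Sales_template (disabled)
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [string] $LogonName,       # UPN prefix and sAMAccountName
        [Parameter(Mandatory)] [string] $UpnSuffix,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $FullName = "$FirstName $LastName"
    )

    # LDAP names of the attributes the wizard copies. Nothing from the General tab,
    # and streetAddress is deliberately absent.
    $copied = @(
        'postOfficeBox', 'l', 'st', 'postalCode', 'c', 'co', 'countryCode',  # Address tab
        'logonHours', 'userWorkstations',                                    # Account tab
        'profilePath', 'scriptPath', 'homeDrive', 'homeDirectory',           # Profile tab
        'department', 'company', 'manager'                                   # Organization tab
    )
    $extra = @('userAccountControl', 'AccountExpirationDate', 'memberOf', 'primaryGroupID')
    $t = Get-ADUser -Identity $TemplateSam -Properties ($copied + $extra)

    # Step 2 of creating a template: it must be disabled (ACCOUNTDISABLE = 0x2).
    if (-not ($t.userAccountControl -band 0x2)) {
        throw "Template '$TemplateSam' is enabled; disable it so that it cannot be used to log on."
    }

    # Only attributes that hold a value on the template can be written to the new object.
    $other = @{}
    foreach ($attr in $copied) {
        $value = $t.$attr
        if ($null -ne $value -and "$value" -ne '') { $other[$attr] = $value }
    }

    # Create the new user in the same container as the template (strip the template's RDN,
    # allowing for escaped commas in the CN).
    $params = @{
        Name                  = $FullName
        DisplayName           = $FullName
        GivenName             = $FirstName
        Surname               = $LastName
        SamAccountName        = $LogonName
        UserPrincipalName     = "$LogonName@$UpnSuffix"
        Path                  = ($t.DistinguishedName -replace '^CN=(?:\\.|[^,\\])*,', '')
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true
        Enabled               = $true      # step 10: clear "Account is disabled"
    }
    if ($other.Count -gt 0)       { $params.OtherAttributes = $other }
    if ($t.AccountExpirationDate) { $params.AccountExpirationDate = $t.AccountExpirationDate }
    $new = New-ADUser @params -PassThru

    # Account options are userAccountControl flags: copy them minus the disabled bit.
    $uac = ([int]$t.userAccountControl) -band (-bnot 0x2)
    Set-ADUser -Identity $new -Replace @{ userAccountControl = $uac }

    # Member Of tab: group memberships, then the primary group. A user must already be a
    # member of a group before that group can be made the primary group.
    foreach ($groupDn in $t.memberOf) { Add-ADGroupMember -Identity $groupDn -Members $new }
    if ($t.primaryGroupID -ne 513) {   # 513 = Domain Users, the default for new users
        $domainSid = (Get-ADDomain).DomainSID.Value
        $primary   = Get-ADGroup -Identity "$domainSid-$($t.primaryGroupID)"
        Add-ADGroupMember -Identity $primary -Members $new
        Set-ADUser -Identity $new -Replace @{ primaryGroupID = [int]$t.primaryGroupID }
    }

    Get-ADUser -Identity $new -Properties ($copied + @('memberOf', 'primaryGroupID', 'userAccountControl'))
}

# Usage (constructed values):
# New-UserFromTemplate -TemplateSam _Sales_template -FirstName Ed -LastName Meadows `
#     -LogonName Ed -UpnSuffix contoso.com -Password (Read-Host -AsSecureString 'Password')
```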

Demonstration: Managing User Accounts by Using Active Directory Users


and Computers
After you have created a user account, there are a number of tasks that you perform that are considered
Account Management tasks, and may include:

• Renaming a user account.

• Resetting a user password.

• Unlocking a user account.


• Disabling or enabling a user account.

• Moving a user account.

• Deleting a user account.

Renaming a User Account


When you need to rename a user account, there can be one or more attributes that you must change.

To rename a user in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user, and then click Rename.

2. Type the new common name (CN) for the user, and press Enter.

The Rename User dialog box appears and prompts you to enter additional name attributes.
3. Type the Full name (which corresponds to the CN and Name attributes).

4. Type the First name and Last name.

5. Type the Display name.


6. Type the User logon name and User logon name (pre-Windows 2000).

Reset a User Password


When attempting to log on, a user who forgets the logon password will see a logon error message.

Before the user can log on successfully, you must reset the password. You do not need to know the user’s
old password to do so.

To reset a user’s password in the Active Directory Users and Computers snap-in:

1. Right-click the user object, and then click Reset Password.

The Reset Password dialog box appears.

2. Enter the new password in both the New Password and Confirm Password boxes.

It is a best practice to assign a temporary, unique, strong password for the user.

3. Select the User Must Change Password at Next Logon check box.

It is a best practice to force the user to change the password at the next logon, so that the user
creates a password known only by the user.

4. Click OK.

5. Communicate the temporary password to the user in a secure manner.

Unlocking a User Account


An Active Directory domain supports account lockout policies. A lockout policy is designed to prevent
intruders from penetrating the enterprise network by attempting to log on repeatedly with various
passwords until they find the correct password. When users attempt to log on with an incorrect password,
a logon failure is generated. When too many logon failures occur within a specified period of time, which
you define in the lockout policy, the account is locked out. The next time that users attempt to log on, a
notification clearly states the account lockout.

Your lockout policy can define a period of time after which a locked-out account is unlocked automatically.
But when users try to log on and discover that they are locked out, it is likely they will contact the help
desk for support.
To unlock a user account in the Active Directory Users and Computers snap-in, perform the following
steps:

1. Right-click the user object, and then click Properties.


2. Click the Account tab.

3. Select the Unlock Account check box.

Windows Server 2012 also provides the option to unlock a user’s account when you choose the Reset
Password command.

To unlock a user account while resetting the user’s password, perform the following step:

• In the Reset Password dialog box, select the Unlock the user’s account check box.

This method is particularly handy when a user’s account is locked out because the user did, in fact, forget
the password. You can now assign a new password, specify that the user must change the password at the
next logon, and unlock the user’s account: all in one dialog box.

Note: Watch for drives mapped with alternate credentials, because this is a common cause
of account lockout. If the password is changed, and the Windows client attempts repeatedly to
connect to the drive, that account is locked out.
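Added example (not from the course): the reset-and-unlock operation described above as one Active Directory module function that reports the lockout state, resets the password, unlocks the account and forces a change at next logon, and returns the last bad-password time so that a client still retrying an old password (such as the mapped drive in the note) can be recognised. It assumes the ActiveDirectory module; the function name is an assumption and the temporary password is passed in as a SecureString.

```powershell
Import-Module ActiveDirectory

function Reset-CourseUserPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $TemporaryPassword
    )

    # Bad-password counts and lockout state are authoritative on the PDC emulator, which
    # is told about every failed logon; query it rather than whichever DC answers first.
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Identity $SamAccountName -Server $pdc `
                -Properties LockedOut, badPwdCount, badPasswordTime, lastLogonDate

    # Administrative reset (the old password is not needed), unlock if required, then
    # force the user to choose a password known only to them.
    Set-ADAccountPassword -Identity $user -Server $pdc -Reset -NewPassword $TemporaryPassword
    if ($user.LockedOut) { Unlock-ADAccount -Identity $user -Server $pdc }
    Set-ADUser -Identity $user -Server $pdc -ChangePasswordAtLogon $true

    # badPasswordTime is a FILETIME; 0 means no failure recorded.
    $lastBad = if ($user.badPasswordTime) { [DateTime]::FromFileTime($user.badPasswordTime) } else { $null }

    [pscustomobject]@{
        User             = $user.SamAccountName
        WasLockedOut     = [bool]$user.LockedOut
        BadPasswordCount = $user.badPwdCount
        # Failures that keep arriving after the reset, with no user at the keyboard, point
        # to a client (e.g. a drive mapped with the old credentials) re-locking the account.
        LastBadPassword  = $lastBad
        LastLogon        = $user.lastLogonDate
        ChangeAtLogon    = $true
    }
}

# Usage (constructed value):
# Reset-CourseUserPassword -SamAccountName jsmith -TemporaryPassword (Read-Host -AsSecureString 'Temporary password')
```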

Disabling and Enabling User Accounts


User accounts are security principals that can be given access to network resources. Each user is a member
of Domain Users and of the Authenticated Users special identity. By default, each user account has at least
Read access to the information stored in Active Directory. For this reason, it is important not to leave user
accounts open. This also means that you should configure password policies, auditing, and procedures to
ensure that accounts are being used appropriately.

If a user account is provisioned before it is needed, or if the employee for whom you have set up an
account is, or will be, absent for an extended period, disable the account.

To disable an account in the Active Directory Users and Computers snap-in:

• Right-click a user, and then click Disable Account.


If an account is disabled already, the Enable Account command appears when you right-click the user.

Moving a User Account


To move a user object in the Active Directory Users and Computers snap-in, perform the following steps:

1. Right-click the user, and then click Move.



2. Click the folder to which you want to move the user account, and then click OK.

Alternatively, you can drag the user object to the destination OU.

Deleting a User Account


When an account is no longer necessary, you can delete it from your directory.

To delete a user account in Active Directory Users and Computers, perform the following steps:

1. Select the user and press Delete; or right-click the user, and then click Delete.

You are prompted to confirm your choice because of the significant implications of deleting a
security principal.
2. Confirm the prompt by clicking OK.

Demonstration
This demonstration shows how to:
1. Open Active Directory Users and Computers.

2. Delete a user account.

3. Create a template account.


4. Create a new user account from a template.

5. Modify the user account properties.

6. Rename the user account.

7. Move the user account.

Demonstration Steps

Open Active Directory Users and Computers


1. Log on as Administrator.

2. Open Active Directory Users and Computers.

Delete a user account


• Locate Ed Meadows in the Managers OU, and delete the account.

Create a template account


1. Create a folder called C:\userdata, and share it. Grant Everyone Full Control shared permissions on
the folder. Note that the NTFS permissions remain unaffected.

2. Create a new user account called _Managers_template. Ensure that the account is created in a
disabled state with a strong password.

3. Modify the properties of the template account so that it has a Home folder located in the new shared
folder.

Create a new user account from a template


1. Copy the template account, and then configure the new user account with the Full name Ed
Meadows, and the logon name of Ed.

2. Configure a strong password, and then enable the account.

Modify the user account properties


1. Open the Ed Meadows account, and then verify that the Home folder has been automatically
defined as part of the copy process.

2. View additional properties.

Rename the user account


• Rename the account Ed Meadows2, but cancel the operation after viewing the options for renaming
the various account names.

Move the user account


• Move the Ed Meadows account to the IT OU.

Lesson 2
Managing Group Accounts
While it might be practical, even desirable, to assign permissions and abilities to individual user accounts in small networks, it becomes impractical and inefficient in large enterprise networks. For example, if many users need the same level of access to a folder, it is more efficient to create a group that contains the required user accounts, and assign the group the required permissions. This has the added benefit of enabling you to change a user’s file permissions by adding or removing them from groups rather than editing the file permissions directly.

Before implementing groups in your organization, you must understand the scope of the various Windows Server group types, and how best to use these to manage access to resources or to assign management rights and abilities.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe group types.

• Describe group scopes.

• Explain how to implement group management.

• Describe default groups and special identities.

• Manage groups in Windows Server.

Group Types
In a Windows Server enterprise, there are two types of groups: security and distribution. When you create a group, you choose the group type in the New Object – Group dialog box.

Distribution groups, which are not security-enabled, are used primarily by email applications. This means that they do not have SIDs, so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all group members.

Security groups are security principals with SIDs. You can therefore use these groups in permission entries in access control lists (ACLs) to control security for resource access. You also can use security groups as a means of distribution for email applications. If you want to use a group to manage security, it must be a security group.

Note: The default group type is Security.

Because you can use security groups for both resource access and email distribution, many organizations use only security groups. However, we recommend that if a group is used only for email distribution, you should create the group as a distribution group. Otherwise, the group is assigned a SID, and the SID is added to the user’s security access token, which can lead to an unnecessary size increase of the security token.

Note: The benefit of using distribution groups becomes more evident in large-scale Exchange Server deployments, especially where there is a need to nest these distribution groups across the enterprise.

Group Scopes
Windows Server supports the notion of group scoping. The scope of a group determines both the range of a group’s abilities or permissions, and the group membership. There are four group scopes:

• Local. These exist on stand-alone servers or workstations, on domain-member servers that are not domain controllers, or on domain-member workstations. Local groups are truly local, which means that they are available only on the computer where they exist. The important characteristics of a local group are:

   o You can assign abilities and permissions only on local resources, meaning on the local computer.
   o Members can be from anywhere in the AD DS forest, and can include:
      - Any security principals from the domain: users, computers, global groups, or domain local groups.
      - Users, computers, and global groups from any domain in the forest.
      - Users, computers, and global groups from any trusted domain.
      - Universal groups defined in any domain in the forest.

• Domain Local. These are used primarily to manage access to resources or to assign management responsibilities (rights). Domain local groups exist on domain controllers in an AD DS forest, and consequently, the group’s scope is localized to the domain in which they reside. The important characteristics of domain local groups are:

   o You can assign abilities and permissions only on domain local resources, meaning on all computers in the local domain.
   o Members can be from anywhere in the AD DS forest, and can include:
      - Any security principals from the domain: users, computers, global groups, or domain local groups.
      - Users, computers, and global groups from any domain in the forest.
      - Users, computers, and global groups from any trusted domain.
      - Universal groups defined in any domain in the forest.

• Global. These are used primarily to consolidate users that have similar characteristics. For example, global groups often are used to consolidate users that are part of a department or geographic location. The important characteristics of global groups are:
   o You can assign abilities and permissions anywhere in the forest.
   o Members can be only from the local domain, and can include:

      - Users, computers, and global groups from the local domain.

• Universal. These groups are most useful in multidomain networks as they combine the characteristics of both domain local groups and global groups. Specifically, the important characteristics of universal groups are:

   o You can assign abilities and permissions anywhere in the forest, as with global groups.
   o Members can be from anywhere in the AD DS forest, and can include:
      - Users, computers, and global groups from any domain in the forest.
      - Universal groups defined in any domain in the forest.
   o Properties of universal groups are propagated to the global catalog, and made available across the enterprise on all domain controllers that host the global catalog role. This makes universal groups’ membership lists more accessible, which can be useful in multidomain scenarios. For example, if a universal group is used for email distribution purposes, the process for determining the membership list typically is quicker in distributed multidomain networks.

Implementing Group Management
Adding groups to other groups—a process called nesting—can create a hierarchy of groups that support your business roles and management rules. Now that you have learned the business purposes and technical characteristics of groups, it is time to align the two in a strategy for group management.

Earlier in this lesson, you learned what types of objects can be members of each group scope. Now it is time to identify what types of objects should be members of each group scope. This leads to the best practice for group nesting, known as IGDLA, which is:

• Identities

• Global groups

• Domain local groups

• Access

Identities (user and computer accounts) are members of global groups, which represent business roles. Those role groups (global groups) are members of domain local groups, which represent management rules, for example, determining who has Read permission to a specific collection of folders. These rule groups (domain local groups) are granted access to resources. In the case of a shared folder, access is granted by adding the domain local group to the folder’s ACL, with a permission that provides the appropriate level of access.
3-18 Managing Active Directory Domain Services Objects

Note: This approach of groups nesting was earlier known as AGDLP, which stands for:
accounts, global groups, domain local groups, permissions. The terminology used in this course,
IGDLA, has more general scope of application, and it also aligns with industry-standard
terminology.

In a multidomain forest, there are also universal groups, which fit in between global and domain local
groups. Global groups from multiple domains are members of a single universal group. That universal
group is a member of domain local groups in multiple domains. You can remember the nesting as
IGUDLA.

IGDLA Example
This best practice for implementing group nesting translates well even in multi-domain scenarios.
Consider the following scenario, which describes how IGDLA is applied.

The figure on the slide represents a group implementation that reflects not only the technical view of
group management best practices (IGDLA), but also the business view of role-based, rule-based
management.

Consider the following scenario:

The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a
folder called Sales. The sales force needs Read access to the Sales folder. Additionally, a team of auditors
from Woodgrove Bank, a potential investor, require Read access to the Sales folder to perform the audit.
You would perform the following steps to implement the security required by this scenario:

1. Assign users with common job responsibilities or other business characteristics to role groups
implemented as global security groups. Do this separately in each domain. Salespeople at Contoso
are added to a Sales role group; Auditors at Woodgrove Bank are added to an Auditors role group.
2. Create a group to manage access to the Sales folders with Read permission. This is implemented in
the domain containing the resource that is being managed. In this case, the Sales folder resides in the
Contoso domain. The resource access management rule group is created as a domain local group,
ACL_Sales Folders_Read.

3. Add the role groups to the resource access management rule group to represent the management
rule. These groups can come from any domain in the forest or from a trusted domain, such as
Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same
forest, can be members of a domain local group.

4. Assign the permission that implements the required level of access. In this case, grant the Allow Read
permission to the domain local group.

This strategy results in two single points of management, reducing the management burden. There is one
point of management that defines who is in Sales, and one that defines who is an Auditor. Those roles, of
course, are likely to have access to a variety of resources beyond simply the Sales folder. There is another
single point of management to determine who has Read access to the Sales folder. Furthermore, the Sales
folder may not just be a single folder on a single server. It could be a collection of folders across multiple
servers, each of which assigns the Allow Read permission to the single domain local group.
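The four steps above carried out with the ActiveDirectory module and NTFS ACLs, as an added example that is not part of the course material. The group names Sales, Auditors and ACL_Sales Folders_Read come from the scenario; the OU path, the user names, the server and share path, and the existence of a trust to woodgrovebank.com are assumptions for the example.

```powershell
# Added example (not from the course): IGDLA nesting for the Contoso Sales scenario.
# Placeholders: the OU path, the sAMAccountNames, the share path, and the trusted
# Woodgrove Bank domain name.
Import-Module ActiveDirectory

$groupsOU    = "OU=Groups,DC=contoso,DC=com"   # placeholder OU
$salesFolder = "\\LON-SVR1\Data\Sales"         # placeholder share path

# Step 1, I -> G: identities join a role group (global security group), per domain.
New-ADGroup -Name "Sales" -GroupScope Global -GroupCategory Security `
    -Path $groupsOU -Description "Role: Contoso sales force"
Add-ADGroupMember -Identity "Sales" -Members "amy", "dan"   # placeholder accounts

# Step 2, the rule group is a domain local group in the domain that owns the resource.
New-ADGroup -Name "ACL_Sales Folders_Read" -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupsOU -Description "Rule: Read access to the Sales folders"

# Step 3, G -> DL: role groups from this domain and from the trusted domain become
# members of the rule group. Resolving the Woodgrove group against one of its own
# DCs is assumed to work over the trust; AD DS stores it in the Contoso domain as a
# foreign security principal.
Add-ADGroupMember -Identity "ACL_Sales Folders_Read" -Members "Sales"
$auditors = Get-ADGroup -Identity "Auditors" -Server "woodgrovebank.com"
Add-ADGroupMember -Identity "ACL_Sales Folders_Read" -Members $auditors

# Step 4, DL -> A: only the rule group is placed in the folder's ACL, with Allow Read.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "CONTOSO\ACL_Sales Folders_Read", $rights, $inherit, $prop, $allow

$acl = Get-Acl -Path $salesFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $salesFolder -AclObject $acl

# Check: the rule group's member attribute shows the two role groups (the foreign
# group appears under CN=ForeignSecurityPrincipals), and the ACL names only the
# rule group. The member attribute is read directly because Get-ADGroupMember can
# fail on cross-forest members.
(Get-ADGroup -Identity "ACL_Sales Folders_Read" -Properties member).member
(Get-Acl -Path $salesFolder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Adding a second server's Sales folder to the scope is then a single Set-Acl on that folder with the same rule group; no role group or identity needs to be touched.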

Default Groups and Special Identities

Default Groups
There are a number of groups that are created automatically on a Windows Server 2012 server. These are called default local groups, and they include well-known groups, such as Administrators, Backup Operators, and Remote Desktop Users. There are additional groups that are created in a domain, both in the Builtin and Users containers, including Domain Admins, Enterprise Admins, and Schema Admins. The following list provides a summary of capabilities of the subset of default groups that have significant permissions and user rights related to the management of AD DS:

• Enterprise Admins (in the Users container of the forest root domain). This group is a member of the Administrators group in every domain in the forest, giving it complete access to the configuration of all domain controllers. It also owns the Configuration partition of the directory and has full control of the domain naming context in all forest domains.

• Schema Admins (Users Container of the Forest Root Domain). This group owns and has full control of the Active Directory schema.

• Administrators (Built-in Container of Each Domain). This group has complete control over all domain controllers and data in the domain naming context. It can change the membership of all other administrative groups in the domain, and the Administrators group in the forest root domain can change the membership of Enterprise Admins, Schema Admins, and Domain Admins. The Administrators group in the forest root domain is arguably the most powerful service administration group in the forest.

• Domain Admins (Users Container of Each Domain). This group is added to the Administrators group of its domain. It therefore inherits all of the capabilities of the Administrators group. It is also, by default, added to the local Administrators group of each domain member computer, giving Domain Admins ownership of all domain computers.

• Server Operators (Built-in Container of Each Domain). This group can perform maintenance tasks on domain controllers. It has the right to log on locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and shut down domain controllers. By default, this group has no members.

• Account Operators (Built-in Container of Each Domain). This group can create, modify, and delete accounts for users, groups, and computers located in any OU in the domain (except the Domain Controllers OU), and in the Users and Computers containers. Account Operators cannot modify accounts that are members of the Administrators or Domain Admins groups, nor can they modify those groups. Account Operators also can log on locally to domain controllers. By default, this group has no members.

• Backup Operators (Built-in Container of Each Domain). This group can perform backup and restore operations on domain controllers, and log on locally and shut down domain controllers. By default, this group has no members.

• Print Operators (Built-in Container of Each Domain). This group can maintain print queues on domain controllers. It also can log on locally and shut down domain controllers.

You need to carefully manage the default groups that provide administrative privileges, because they
typically have broader privileges than are necessary for most delegated environments, and because they
often apply protection to their members.

The Account Operators group is a good example of this. If you examine the capabilities of the Account
Operators group in the preceding list, you can see that its rights are very broad—it can even log on locally
to a domain controller. In very small networks, such rights would probably be appropriate for one or two
individuals who typically would be domain administrators anyway. In large enterprises, the rights and
permissions granted to Account Operators usually are far too broad.
Additionally, the Account Operators group is, like the other administrative groups, a protected group.

Protected groups are defined by the operating system and cannot be unprotected. Members of a
protected group become protected. The result of protection is that the permissions (ACLs) of members
are modified so that they no longer inherit permissions from their OU, but rather receive a copy of an ACL
that is quite restrictive. For example, if you add Jeff Ford to the Account Operators group, his account
becomes protected, and the help desk, which can reset all other user passwords in the Employees OU,
cannot reset Jeff Ford’s password.

You should try to avoid adding users to the following groups that do not have members by default:
Account Operators, Backup Operators, Server Operators, and Print Operators. Instead, create custom
groups to which you assign permissions and user rights that achieve your business and administrative
requirements.

For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but
should not be able to perform restore operations that could lead to database rollback or corruption, and
should not be able to shut down a domain controller, do not put Scott in the Backup Operators group.
Instead, create a group and assign it only the Backup Files And Directories user right, then add Scott as a
member.
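A periodic check of the default administrative groups described above, as an added example (not the course's own code). It lists the members of the groups from the preceding list and the accounts that carry the protected-group marker (adminCount = 1), which is the attribute behind the Jeff Ford effect described earlier. It assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the course): audit the default administrative groups from
# the lesson and list accounts marked as protected. Read-only; no changes are made.
Import-Module ActiveDirectory

# Groups from the lesson. The four Operators groups have no members by default, so
# any member is worth a second look; the others should be small and deliberate.
$watchedGroups = @(
    "Enterprise Admins", "Schema Admins", "Administrators", "Domain Admins",
    "Server Operators", "Account Operators", "Backup Operators", "Print Operators"
)

foreach ($name in $watchedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group       = $name
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object { $_.SamAccountName }) -join ", "
    }
}

# Protected accounts: membership in a protected group sets adminCount to 1 and
# replaces the inherited ACL with the restrictive copy the lesson describes. The
# marker is not cleared automatically when the account leaves the group, so this
# list also surfaces former administrators whose ACLs are still locked down.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, memberOf |
    Select-Object SamAccountName, Enabled,
        @{ n = 'DirectGroupCount'; e = { @($_.memberOf).Count } }
```

Run it from a domain member with the RSAT AD module; the output is the "who is in which administrative group" view that the custom-group approach in the lesson is meant to keep short.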

Special Identities
Windows and AD DS also support special identities, which are groups for which membership is controlled
by the operating system. You cannot view the groups in any list (in the Active Directory Users and
Computers snap-in, for example), you cannot view or modify the membership of these special identities,
and you cannot add them to other groups. You can, however, use these groups to assign rights and
permissions. The most important special identities, often referred to as groups (for convenience), are
described in the following list:

• Anonymous Logon. This identity represents connections to a computer and its resources that are
made without supplying a user name and password. Prior to Windows Server 2003, this group was a
member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a
default member of the Everyone group.

• Authenticated Users. This represents identities that have been authenticated. This group does not
include Guest, even if the Guest account has a password.

• Everyone. This identity includes Authenticated Users and the Guest account. On computers that are
running versions of Windows that precede Windows Server 2003, this group includes Anonymous
Logon.

• Interactive. This represents users accessing a resource while logged on locally to the computer that is
hosting the resource, as opposed to accessing the resource over the network. When a user accesses
any given resource on a computer to which the user is logged on locally, the user is added to the
Interactive group automatically for that resource. Interactive also includes users logged on through a
Remote Desktop connection.

• Network. This represents users accessing a resource over the network, as opposed to users who are
logged on locally at the computer that is hosting the resource. When a user accesses any given
resource over the network, the user is automatically added to the Network group for that resource.

The importance of these special identities is that you can use them to provide access to resources based
on the type of authentication or connection, rather than the user account. For example, you could create
a folder on a system that allows users to view its contents when they are logged on locally to the system,
but that does not allow the same users to view the contents from a mapped drive over the network. You
could achieve this by assigning permissions to the interactive special identity.
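The local-only folder described in the previous paragraph, as an added example that is not part of the course. Special identities have no group object to pick in the snap-in, so the example addresses Interactive by its well-known SID. The folder path is a placeholder.

```powershell
# Added example (not from the course): allow only locally logged-on (Interactive)
# users to read a folder, so the same users get no access over the network.
# The folder path is a placeholder.
$folder = "C:\LocalOnly"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Special identities are referenced by well-known SID, not by an AD group object:
# S-1-5-4 is NT AUTHORITY\INTERACTIVE, S-1-5-32-544 is BUILTIN\Administrators.
$interactive = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "S-1-5-4"
$admins      = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "S-1-5-32-544"

$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$read    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

$acl = Get-Acl -Path $folder
# Stop inheriting from the parent; inherited ACEs would otherwise grant Users or
# Authenticated Users access regardless of how they connected.
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $interactive, $read, $inherit, $prop, $allow))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $admins, $full, $inherit, $prop, $allow))
Set-Acl -Path $folder -AclObject $acl

# Check: the DACL should name NT AUTHORITY\INTERACTIVE and BUILTIN\Administrators
# only; a user reaching the folder through a share is in Network, not Interactive,
# and matches no ACE.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Nothing grants the Network identity access, which is the whole mechanism: the user account is the same in both cases, but the token for a network session carries Network rather than Interactive.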

Demonstration: Managing Groups


This demonstration shows how to:

1. Create a new group.

2. Add members to the group.

3. Add a user to the group.


4. Change the group type and scope.

Demonstration Steps

Create a new group


1. Open Active Directory Users and Computers.

2. Create a new Global Security group in the IT OU called IT Managers.

Add members to the group


• Select multiple users, and then add them to the new group.

Add a user to the group


• Open the properties of Ed Meadows, and from the Member Of tab, add him to the IT Managers
group.

Change the group type and scope


• Open the properties of the IT Managers group, and on the General tab, change the group scope to
Universal and the type to Distribution.
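The same four demonstration steps with the ActiveDirectory module instead of the snap-in, as an added example that is not part of the course. The IT OU, the IT Managers group, and Ed Meadows come from the demonstration; the domain DN and the other user accounts are placeholders.

```powershell
# Added example (not from the course): the Managing Groups demonstration in
# PowerShell. The OU distinguished name is a placeholder.
Import-Module ActiveDirectory
$itOU = "OU=IT,DC=adatum,DC=com"   # placeholder path of the IT OU

# Step 1: create a new Global Security group called IT Managers in the IT OU.
New-ADGroup -Name "IT Managers" -GroupScope Global -GroupCategory Security -Path $itOU

# Step 2: select several users and add them to the group in one call.
$users = Get-ADUser -Filter * -SearchBase $itOU | Select-Object -First 3
Add-ADGroupMember -Identity "IT Managers" -Members $users

# Step 3: add one user from the user's side, the equivalent of the Member Of tab.
$ed = Get-ADUser -Filter "Name -eq 'Ed Meadows'"
Add-ADPrincipalGroupMembership -Identity $ed -MemberOf "IT Managers"

# Step 4: change the scope to Universal and the type to Distribution. A
# distribution group is not placed in access tokens, so any ACL that relied on
# the group stops granting access after this change; check before converting.
Set-ADGroup -Identity "IT Managers" -GroupScope Universal -GroupCategory Distribution

# Check the result.
Get-ADGroup -Identity "IT Managers" -Properties member |
    Select-Object Name, GroupScope, GroupCategory, @{ n = 'MemberCount'; e = { @($_.member).Count } }
```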

Lesson 3
Managing Computer Accounts
A computer account begins its life cycle when you create it and join it to your domain. Thereafter, day-to-day administrative tasks include the following:

• Configuring computer properties.

• Moving the computer between OUs.

• Managing the computer itself.

• Renaming, resetting, disabling, enabling, and eventually deleting the computer object.

It is important that you know how to perform these various computer-management tasks so you can configure and maintain the computer objects within your organization.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the purpose of the AD DS Computers container.

• Describe how to configure the location of computer accounts.

• Explain how to control who has permission to create computer accounts.

• Describe computer accounts and the secure channel.

• Explain how to reset the secure channel.

What Is the Computers Container?
Before you create a computer object in the directory service, you must have a place to put it.

When you create a domain, the Computers container is created by default (CN=Computers). This container is not an OU. It is an object of the Container class. There are subtle but important differences between a container and an OU. You cannot create an OU within a container, so you cannot subdivide the Computers container. You also cannot link a GPO to a container. Therefore, we recommend that you create custom OUs to host computer objects, instead of using the Computers container.

Specifying the Location of Computer Accounts
Most organizations create at least two OUs for computer objects: one to host computer accounts for client computers, such as desktops, laptops, and other user systems, and another for servers. These two OUs are in addition to the Domain Controllers OU that is created by default during the AD DS installation.

Computer objects are created in both OUs. There is no technical difference between a computer object in a client's OU and a computer object in a server's or domain controller's OU; computer objects are computer objects. However, separate OUs typically are created to provide unique scopes of management, so that you can delegate management of client objects to one team and management of server objects to another.

Your administrative model might necessitate further dividing your client and server OUs. Many organizations create sub-OUs beneath a server OU, to collect and manage specific types of servers. For example, you might create an OU for file and print servers, and an OU for database servers. By doing so, you can delegate permissions to manage computer objects in the appropriate OU to the team of administrators for each type of server. Similarly, geographically-distributed organizations with local desktop-support teams often divide a parent OU for clients into sub-OUs for each site. This approach enables each site's support team to create computer objects in the site for client computers, and to join computers to the domain by using those computer objects.

These specific examples aside, what is most important is that your OU structure reflects your administrative model so that your OUs can provide single points of management for the delegation of administration.

Additionally, by using separate OUs, you can create various baseline configurations by using different GPOs that are linked to the client and the server OUs. With Group Policy, you can specify configuration for collections of computers by linking GPOs that contain configuration instructions to OUs. It is common for organizations to separate clients into desktop and laptop OUs. You then can link GPOs that specify desktop or laptop configuration to the appropriate OUs.

Controlling Permissions to Create Computer Accounts
Three conditions are required for you to join a computer to an Active Directory domain:

• A computer object should be created in the directory service.

• You must have appropriate permissions on the computer object. The permissions allow you to join a physical computer with a name that matches that of the object in AD DS to the domain.

• You must be a member of the local Administrators group on the computer. This allows you to change the computer's domain or workgroup membership.

Note: It is not mandatory to create a computer object in the directory service, but it is
highly recommended. However, many administrators join computers to a domain without first
creating a computer object. When you do this, Windows attempts to join the domain to an
existing object. When Windows does not find the object, it falls back and creates a computer
object in the default Computers container.

The process of creating a computer account in advance is called prestaging a computer. There are two
major advantages of prestaging a computer:

• The account is in the correct OU and is therefore delegated according to the security policy defined
by the ACL of the OU.

• The computer is within the scope of GPOs linked to the OU, before the computer joins the domain.

After you have been given permission to create computer objects, you can do so by right-clicking the OU
and choosing Computer from the New menu. Enter the computer name, following the naming
convention of your enterprise, and select the user or group that will be allowed to join the computer to
the domain with this account. The two computer names—Computer Name and Computer Name (Pre-
Windows 2000)—should be the same. There, very rarely, is a justification for configuring them separately.

Note: You can use the Redircmp.exe command-line tool to reconfigure the default
computer container. For example, if you want to change the default computer container to an
organizational unit called mycomputers, use the following syntax:
redircmp OU=mycomputers,DC=contoso,DC=com
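Prestaging in PowerShell, plus a check for computers that were joined without prestaging, as an added example that is not part of the course. The OU name and the computer name are placeholders; the check reads the current default container, so it stays correct after a redircmp change.

```powershell
# Added example (not from the course): prestage a computer object in the clients OU
# and report computers that landed in the default Computers container instead.
# Placeholders: the clients OU name and the computer name.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$clientsOU = "OU=Clients,$($domain.DistinguishedName)"   # placeholder OU
$name      = "LON-CL9"                                    # placeholder computer name

# Prestage the account in the OU where delegation and GPOs already apply.
New-ADComputer -Name $name -Path $clientsOU -Description "Prestaged for desktop support"

# Check the two names the lesson says should match: the computer name and the
# pre-Windows 2000 name (sAMAccountName, the name followed by $).
Get-ADComputer -Identity $name | Select-Object Name, SamAccountName, DistinguishedName

# Computers created by a join with no prestaged object sit in the default
# container (CN=Computers unless redircmp changed it), outside the client and
# server OUs' delegation and GPO scope. ComputersContainer reflects the current
# redircmp setting.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName, Created
```

An empty result from the last query is the goal: every computer has either been prestaged in, or moved to, an OU that reflects the administrative model.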

Delegating Permissions
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have
permission to create computer objects in any new OU. However, as discussed earlier, we recommend that
you tightly restrict membership in the first three groups, and that you do not add Administrators to the
Account Operators group.

Instead, you should delegate the permission to create computer objects (called Create Computer Objects)
to appropriate administrators or support personnel. This permission, assigned to an OU’s group, allows
group members to create computer objects in that OU. For example, you might allow your desktop
support team to create computer objects in the clients OU, and allow your file server administrators to
create computer objects in the file servers OU.
To delegate permissions to create computer accounts, you can use the Delegate Control Wizard to choose
a custom task to delegate. The next lesson discusses delegation.
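The Create Computer Objects delegation described above, done directly on the OU's DACL rather than through the wizard, as an added example that is not part of the course. The OU path and the Desktop Support group are placeholders; the computer class GUID is read from the schema so that nothing is hard-coded.

```powershell
# Added example (not from the course): grant only "Create Computer Objects" on the
# clients OU to the desktop support group, so nobody has to be added to Account
# Operators. Placeholders: the OU path and the group name.
Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$clientsOU = "OU=Clients,$domainDN"                   # placeholder OU
$group     = Get-ADGroup -Identity "Desktop Support"  # placeholder group

# The ACE must be scoped to the computer object class; its schemaIDGUID is what
# turns "Create Child" into "Create Computer Objects".
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=computer)" `
                     -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID

$right   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # OU and sub-OUs
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $group.SID, $right, $allow, $computerGuid, $inherit

$acl = Get-Acl -Path "AD:\$clientsOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$clientsOU" -AclObject $acl

# Check: the explicit ACEs on the OU for this group. The dsacls equivalent is
#   dsacls "OU=Clients,DC=contoso,DC=com" /I:T /G "CONTOSO\Desktop Support:CC;computer"
(Get-Acl -Path "AD:\$clientsOU").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*Desktop Support" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The group ends up with exactly one right on exactly one subtree, which is the contrast the lesson draws with the Account Operators group.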

Computer Accounts and Secure Channels
Every member computer in an AD DS domain maintains a computer account with a user name (sAMAccountName) and password, just like a user account does. The computer stores its password in the form of a local security authority (LSA) secret, and changes its password with the domain approximately every 30 days. The NetLogon service uses the credentials to log on to the domain, which establishes the secure channel with a domain controller.

Computer accounts and the secure relationships between computers and their domain are robust. Nevertheless, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include:

• After reinstalling the operating system on a workstation, the workstation is unable to authenticate, even though the technician used the same computer name as was used in the previous installation. Because the new installation generated a new SID, and because the new computer does not know the original computer account password in the domain, it does not belong to the domain and cannot authenticate to the domain.

• A computer has not been used for an extended period, perhaps because the user is on vacation or working away from the office. Computers change their passwords every 30 days, and AD DS remembers the current and previous password. If the computer is unused within this period, authentication can fail.

• A computer's LSA secret gets out of synchronization with the password that the domain knows. You can think of this as the computer forgetting its password. Although it did not forget its password, it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate, and the secure channel cannot be created.

Resetting the Secure Channel
The most common signs of computer-account problems are:

• Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (another way of saying the secure relationship) between the computer and the domain has been lost.

• Error messages or events in the event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed To Authenticate, which appears in the computer's event log.

• A computer account is missing in AD DS.

When the secure channel fails, you must reset the secure channel. Many administrators do this by
removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This
is not a good practice, because it has the potential to delete the computer account altogether. This loses
the computer’s SID, and more importantly, its group memberships. When you rejoin the domain, even
though the computer has the same name, the account has a new SID, and all the group memberships of
the previous computer object must be recreated. If the trust with the domain has been lost, do not
remove a computer from the domain, and then rejoin it. Instead, reset the secure channel.

To reset the secure channel between a domain member and the domain, use the Active Directory Users
and Computers snap-in, DSMod.exe, NetDom.exe, or NLTest.exe. If you reset the account, the
computer’s SID remains the same, and it maintains its group memberships.

To reset the secure channel by using the Active Directory Users and Computers snap-in:

1. Right-click a computer, and then click Reset Account.

2. Click Yes to confirm your choice.

3. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using DSMod:

1. At a command prompt, type the following command:

dsmod computer "ComputerDN" -reset

2. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using NetDom, at a command prompt, type the following command,
where the credentials belong to the local Administrators group of the computer:

netdom reset MachineName /domain DomainName /UserO UserName /PasswordO {Password | *}

This command resets the secure channel by attempting to reset the password on both the computer and
the domain, so it does not require rejoining or rebooting.

To reset the secure channel by using NLTest, on the computer that has lost its trust, at a command
prompt, type the following command:

NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER

You also can use Windows PowerShell with Active Directory Module to reset a computer account. The
following example demonstrates how to reset the secure channel between the local computer and the
domain to which it is joined. You must run this command on the local computer:

Test-ComputerSecureChannel -Repair

Note: You also can reset a remote computer’s password with Windows PowerShell:
Invoke-Command -ComputerName Workstation1 -ScriptBlock { Reset-ComputerMachinePassword }
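A check-then-repair script for the member computer, as an added example that is not part of the course. It looks for the NETLOGON Event ID 3210 mentioned above, tests the secure channel without changing anything, and only then repairs it in place, which keeps the computer's SID and group memberships as the text recommends. It assumes it is run locally on the affected computer with an account that may reset the computer object.

```powershell
# Added example (not from the course): diagnose and repair the secure channel on
# the local member computer without leaving and rejoining the domain.

# 1. Recent NETLOGON 3210 (Failed To Authenticate) events from the System log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    "Recent NETLOGON 3210 events:"
    $events | Select-Object TimeCreated, Message | Format-List
}

# 2. Test only; -Verbose reports which domain controller was contacted.
if (Test-ComputerSecureChannel -Verbose) {
    "Secure channel is healthy; no reset needed."
}
else {
    # 3. Repair resets the computer account password on both the computer and the
    #    domain, so no rejoin and no reboot. The credential must be allowed to
    #    reset the computer object (for example, delegated on its OU).
    $cred = Get-Credential -Message "Account permitted to reset this computer's account"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        "Secure channel repaired; computer SID and group memberships preserved."
    }
    else {
        "Repair failed: check connectivity to a domain controller and whether the " +
        "computer object still exists in AD DS (the third sign listed above)."
    }
}
```

If the computer object is missing entirely, no password reset can succeed; that case needs the object recreated (prestaged in the right OU) before the computer is joined again.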

Lesson 4
Delegating Administration
Although a single person can easily manage a small network with a handful of user and computer accounts, as the network grows, so too does the volume of work that relates to network management. At some point, it is necessary for teams with particular specializations to evolve, each with responsibility for some specific aspect of network management. In AD DS environments, it is common practice to create OUs to bring departmental or geographic structure to the networked objects, and to enable configuration of administrative delegation. It is important that you know why and how to create OUs, and how to delegate administrative tasks to users on objects within those OUs.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe AD DS permissions.

• Determine a user's effective AD DS permissions on an AD DS object.

• Delegate administrative control to a specified user or group of users of an AD DS object.

AD DS Permissions
All AD DS objects, such as users, computers, and groups, can be secured by using a list of permissions. The permissions on an object are called access control entries (ACEs), and they are assigned to users, groups, or computers, which are also known as security principals. ACEs are saved in the object's DACL, which is part of the object's ACL. The ACL also contains the system access control list (SACL) that includes auditing settings.

Each object in AD DS has its own ACL. If you have sufficient permissions, you can modify the permissions to control the level of access on a specific AD DS object. The delegation of administrative control involves assigning permissions that manage access to objects and properties in AD DS. Just as you can give a group the ability to change files in a folder, you can give a group the ability, for example, to reset passwords on user objects.

The DACL of an object also allows you to assign permissions to an object's specific properties. For example, you can allow (or deny) permission to change phone and email options. This is, in fact, not just one property. It is a property set that includes multiple, specific properties. Using property sets, you can easily manage permissions to commonly used collections of properties. But, you could assign more granular permissions and allow or deny permission to change just some of the information, such as the mobile telephone number or the street address.

Assigning the help desk permission to reset passwords for each individual user object is tedious. Even so, in AD DS, it is not a good practice to assign permissions to individual objects. Instead, you should assign permissions at the level of organizational units. The permissions you assign to an OU are inherited by all objects in the OU. So, if you give the help desk permission to reset passwords for user objects and attach that permission to the OU that contains the users, all user objects within that OU will inherit that permission. In just one step, you have delegated that administrative task.

Child objects inherit the permissions of the parent container or OU. That container or OU in turn inherits its permissions from its parent container or OU. If it is a first-level container or OU, it inherits the permissions from the domain itself. The reason child objects inherit permissions from their parents is that, by default, each new object is created with the Include inheritable permissions from this object's parent option enabled.

Effective AD DS Permissions
Effective permissions are the resulting permissions for a security principal, such as a user or group, based on the cumulative effect of each inherited and explicit ACE. Your ability to reset a user's password, for example, may be due to your membership in a group that is allowed the Reset Password permission on an OU several levels above the user object. The inherited permission assigned to a group to which you belong results in an effective permission of Allow: Reset Password. Your effective permissions can be complicated when you consider Allow and Deny permissions, explicit and inherited ACEs, and the fact that you may belong to multiple groups, each of which may be assigned different permissions.

To calculate effective permissions for a specific user or a group, an AD DS object, or for a file or folder, you can perform the following procedure:

1. Right-click the object, file or folder, click Properties, and then click the Security tab.

2. Click Advanced, click the Effective Permissions tab, and then click Select.

3. In the Enter the object name to select field, type the name of a user or group, and then click OK. The selected check boxes indicate the effective permissions of the user or group for that file or folder.

Note: You also can use the DSACLS command-line tool to view or modify AD DS permissions. For example, to grant Amy Read and Execute permissions on computer objects within the Help Desk OU, use the following syntax:
dsacls "OU=Help Desk,DC=Adatum,DC=Com" /G Domain\Amy:GRGE;computer

Permissions, whether assigned to your user account or to a group to which you belong, are equivalent. This means that, in the end, an ACE applies to you, the user. The best practice is to manage permissions by assigning them to groups, but it is also possible to assign ACEs to individual users or computers. A permission that has been assigned directly to you, the user, is neither more important nor less important than a permission assigned to a group to which you belong.

Allow permissions, which allow access, are cumulative. When you belong to several groups, and those groups have been granted permissions that allow a variety of tasks, you will be able to perform all of the tasks assigned to all of those groups, and tasks assigned directly to your user account.

Deny permissions, which deny access, override equivalent Allow permissions. If you are in one group that has been allowed the permission to reset passwords, and another group that has been denied permission to reset passwords, the Deny permission prevents you from resetting passwords.

Note: Use Deny permissions rarely. In fact, it is unnecessary to assign Deny permissions,
because if you do not assign an Allow permission, users cannot perform the task. Before
assigning a Deny permission, check to see if you could achieve your goal by removing an Allow
permission instead. For example, if you want to delegate an Allow permission to a group, but
exempt only one member from that group, you can use a Deny permission on that specific user
account while the group still has an Allow permission.

Each permission is granular. Even if you have been denied the ability to reset passwords, you may still
have the ability, through other Allow permissions, to change the user’s logon name or email address.

In this lesson, you learned that child objects inherit the inheritable permissions of parent objects by
default, and that explicit permissions can override inheritable permissions. This means that an explicit
Allow permission will actually override an inherited Deny permission.

Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can
make evaluating effective permissions tedious. You can use the permissions reported by the DSACLs
command or on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating
effective permissions, but it is still a manual task.
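The manual evaluation described above can at least be started by script. The following added example (not part of the course) lists every ACE on an OU that names a given user directly, through a group the user belongs to at any nesting depth, or through Everyone and Authenticated Users, with Deny entries first; it assumes the ActiveDirectory module and reuses the Amy and Help Desk OU names from the note above.

```powershell
# Added example, not part of the course: list the ACEs on an OU that apply to
# one user, whether granted to the user, to a group the user belongs to (at any
# nesting depth), or to Everyone / Authenticated Users. Assumes the
# ActiveDirectory module and the Amy / Help Desk OU names from the note above.
Import-Module ActiveDirectory

function Get-PrincipalAceReport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ObjectDN
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Transitive group membership through the LDAP_MATCHING_RULE_IN_CHAIN rule,
    # so groups nested inside other groups are included.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = Get-ADGroup -LDAPFilter $filter

    # Every SID an ACE could name for this user: the user, each group, and the
    # well-known identities every domain logon carries.
    $sids = @($user.SID.Value) +
            @($groups | ForEach-Object { $_.SID.Value }) +
            @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users

    $acl = Get-Acl -Path "AD:\$ObjectDN"

    foreach ($ace in $acl.Access) {
        # ACEs carry NTAccount names; compare by SID so renamed or unresolvable
        # principals are still matched correctly.
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }

        if ($sids -contains $aceSid) {
            [pscustomobject]@{
                Principal  = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType     # Allow or Deny
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited            # explicit ACEs override inherited ones
                ObjectType = $ace.ObjectType             # attribute/class GUID; all zeros = whole object
            }
        }
    }
}

# Deny entries first, because they override equivalent Allow entries; within
# each type, explicit entries before inherited ones.
Get-PrincipalAceReport -SamAccountName 'Amy' -ObjectDN 'OU=Help Desk,DC=Adatum,DC=Com' |
    Sort-Object @{ Expression = 'Type'; Descending = $true }, Inherited |
    Format-Table -AutoSize
```

The report shows which ACEs reach the user; deciding the final result per attribute still follows the Allow/Deny and explicit/inherited rules stated above.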

Demonstration: Delegating Administrative Control


In this demonstration, you will see how to:
1. Delegate a standard task.

2. Delegate a custom task.

3. View AD DS permissions resulting from these delegations.

Demonstration Steps

Delegate a standard task


1. Open Active Directory Users and Computers.
2. Use the Delegate Control Wizard to grant the IT group the following standard management tasks on
the IT OU:

o Create, delete, and manage user accounts

o Reset user passwords and force password change at next logon

o Read all user information

Delegate a custom task


• Use the Delegate Control Wizard to grant the following permissions on the IT OU to the IT group:

o Full Control on computer objects

o Create computer objects

o Delete computer objects

View AD DS permissions resulting from these delegations


1. Enable the Advanced Features view in Active Directory Users and Computers.

2. View the Properties of the IT OU.

3. Use the Security tab to verify the assigned permissions. Close all open windows.
3-30 Managing Active Directory Domain Services Objects

Lab: Managing Active Directory Domain Services Objects


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London,
England. An IT office and a data center are located in London to support the London office and other
locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop-support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. One of your first assignments is configuring the infrastructure
service for a new branch office.

To begin deployment of the new branch office you are preparing AD DS objects. As part of this
preparation, you need to create an OU for the branch office and delegate permission to manage it. Then
you need to create users and groups for the new branch office. Finally, you need to reset the secure
channel for a computer account that has lost connectivity to the domain in the branch office.

Objectives
After completing this lab, you will be able to:

• Delegate administration for a branch office.


• Create and configure user accounts in AD DS.

• Manage computer objects in AD DS.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20410A-LON-DC1, 20410A-LON-CL1

User name: Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, from Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:


a. User name: Administrator

b. Password: Pa$$w0rd

c. Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-CL1.



Exercise 1: Delegating Administration for a Branch Office


Scenario
A. Datum delegates management of each branch office to a specific group. This allows an employee who
works onsite to be configured as an administrator when required. Each branch office has a branch
administrators group that is able to perform full administration within the branch office organizational
unit. There is also a branch office help desk group that is able to manage users in the branch office
organizational unit, but not other objects. You need to create these groups for the new branch office and
delegate permissions to the groups.

The main tasks for this exercise are as follows:

1. Delegate administration for Branch Administrators.


2. Delegate a user administrator for the Branch Office Help Desk.

3. Add a member to the Branch Administrators.

4. Add a member to the Branch Help Desk group.

X Task 1: Delegate administration for Branch Administrators


1. On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit in
the Adatum.com domain called Branch Office 1.

2. Create the following global security groups in the Branch Office 1 organizational unit:
o Branch 1 Help Desk

o Branch 1 Administrators

o Branch 1 Users

3. Move Holly Dickson from the IT organizational unit to the Branch Office 1 organizational unit.

4. Move the following users to the Branch Office 1 organizational unit:

o Development\Duncan Bart
o Managers\Ed Meadows

o Marketing\Connie Vrettos

o Research\Barbara Zighetti

o Sales\Arlene Huff

5. Move the LON-CL1 computer to the Branch Office 1 organizational unit, and then restart the
computer.
6. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

7. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to
delegate administration of the Branch Office 1 organizational unit to the Branch 1 Administrators
security group.

8. Delegate the following common tasks:

o Create, delete, and manage user accounts

o Reset user passwords and force password change at next logon

o Read all user information

o Create, delete and manage groups

o Modify the membership of a group



o Manage Group Policy links

9. Delegate the following custom tasks:

o Create and delete computer objects in the current OU

o Full control of computer objects in the current OU

X Task 2: Delegate a user administrator for the Branch Office Help Desk
1. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate
administration of the Branch Office 1 organizational unit to the Branch 1 Help Desk security group.

2. Delegate the following common tasks:

o Reset user passwords and force password change at next logon

o Read all user information

o Modify the membership of a group

X Task 3: Add a member to the Branch Administrators


1. Add Holly Dickson to the Branch 1 Administrators global group.
2. Add the Branch 1 Administrators global group to the Server Operators domain local group. Log
off LON-DC1.

3. Log on as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a domain controller
because Holly belongs, indirectly, to the Server Operators domain local group.

4. From Server Manager, open Active Directory Users and Computers. Confirm your current
credentials in the User Account Control dialog box.
5. Attempt to delete Sales\Aaren Ekelund. You are unsuccessful as you lack the required permissions.

6. Try to delete Branch Office 1\Ed Meadows. You are successful because you have the required
permissions.

X Task 4: Add a member to the Branch Help Desk group


1. Add Bart Duncan to the Branch 1 Help Desk global group.

2. Close Active Directory Users and Computers, and then close Server Manager.

3. Open Server Manager, and then open Active Directory Users and Computers. In the User
Account Control dialog box, specify Adatum\Administrator and Pa$$w0rd as the required
credentials. To modify the Server Operators membership list, you must have permissions beyond
those available to the Branch 1 Administrators group.

4. Add the Branch 1 Help Desk global group to the Server Operators domain local group. Log off
LON-DC1.

5. Log on as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller
because Bart belongs, indirectly, to the Server Operators domain local group.

6. Open Server Manager and then open Active Directory Users and Computers. Confirm your
current credentials in the User Account Control dialog box.
7. Try to delete Branch Office 1\Connie Vrettos. You are unsuccessful because you lack the required
permissions.

8. Reset Connie’s password to Pa$$w0rd. You are successful. Log off LON-DC1.
9. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Results: After this exercise, you should have successfully created the necessary OU and delegated
administration of it to the appropriate group.

Exercise 2: Creating and Configuring User Accounts in AD DS


Scenario
You have been given a list of new users for the branch office, and you need to begin creating them.

The main tasks for this exercise are as follows:

1. Create a template user for the branch office.


2. Configure the template’s settings.

3. Create a new user for the branch office, based on the template.

4. Log on as a user to test account settings.

X Task 1: Create a template user for the branch office


1. On LON-DC1, create a folder called C:\branch1-userdata, and then share it.

2. Modify the shared folder permissions so that the Everyone group has Full Control Allow permissions.

3. From Server Manager, open Active Directory Users and Computers and create a new user with the
following properties in the Branch Office 1 organizational unit:

o Full name: _Branch_template

o User logon name: _Branch_template

o Password: Pa$$w0rd

o Account is disabled

X Task 2: Configure the template’s settings


• Modify the following properties of the _Branch_template account:
o City: Slough

o Group: Branch 1 Users

o Home folder: \\lon-dc1\branch1-userdata\%username%

X Task 3: Create a new user for the branch office, based on the template
1. Copy the _Branch_template user account, and configure the following properties:

o First name: Ed

o Last name: Meadows


o Password: Pa$$w0rd

o User must change password at next logon is cleared.

o Account is disabled is cleared.

2. Verify that the following properties have been copied during account creation:

o City: Slough

o Home folder path: \\lon-dc1\branch1-userdata\Ed



o Group: Branch 1 Users

3. Log off from LON-DC1.

X Task 4: Log on as a user to test account settings


1. Switch to LON-CL1 and log off.

2. Log on to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. You are able to log on successfully.

3. Verify that you have a drive mapping for Z: to Ed’s home folder on LON-DC1, and then log off.

Results: After this exercise, you should have successfully created and tested a user account created from a
template.

Exercise 3: Managing Computer Objects in AD DS


Scenario
A workstation has lost its connectivity to the domain and cannot properly authenticate users. When users
attempt to access resources from this workstation, access is denied. You need to reset the computer
account to recreate the trust relationship between the client and the domain.

The main tasks for this exercise are as follows:

1. Reset a computer account.

2. Observe the behavior when a client logs on.

3. Rejoin the domain to reconnect the computer account.

X Task 1: Reset a computer account


1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.

2. Open Active Directory Users and Computers. Confirm your credentials in the User Account
Control dialog box.
3. Navigate to Branch Office 1.

4. Reset the LON-CL1 computer account.

X Task 2: Observe the behavior when a client logs on


• Switch to LON-CL1 and attempt to log on as Adatum\Ed with the password Pa$$w0rd. A message is
displayed that explains that The trust relationship between this workstation and the primary
domain failed. Click OK to acknowledge the message.

X Task 3: Rejoin the domain to reconnect the computer account


1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open Control Panel. Switch to Large icons view, and then open System.

3. View the Advanced system settings, and then select the Computer Name tab. Use the Network ID
button to rejoin the computer to the domain.

4. Complete the wizard to rejoin the computer to the domain. Use the following to help complete the
wizard:

o User name: administrator


o Password: Pa$$w0rd

o Domain: Adatum

o Do you want to enable a domain user account on this computer: No

5. Restart the computer when prompted.

6. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer
had been successfully rejoined.
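The disjoin and rejoin in Task 3 is one way to re-establish the trust; the following added example (not part of the lab) shows the alternative a practitioner would normally try first, repairing the secure channel from the workstation itself so the computer keeps its existing account. It assumes it is run on LON-CL1 in an elevated Windows PowerShell session, logged on with a local account, after the computer account was reset in Task 1.

```powershell
# Added example, not lab code: test and repair the workstation's secure channel
# instead of leaving and rejoining the domain. Assumes an elevated session on
# LON-CL1 and a credential allowed to reset the computer account.
function Repair-DomainSecureChannel {
    param(
        [string] $DomainController = 'LON-DC1.adatum.com',
        [pscredential] $Credential = (Get-Credential -Message 'Account allowed to reset the computer account')
    )

    # Returns $true while the workstation's computer account password matches
    # the one the domain holds; it returns $false after the account was reset.
    if (Test-ComputerSecureChannel -Server $DomainController) {
        Write-Host 'Secure channel is healthy; nothing to repair.'
        return $true
    }

    # -Repair sets a new machine account password on both sides without leaving
    # the domain, so the computer keeps its SID, OU placement and group memberships.
    # The credential needs reset rights on the computer object (in the lab, the
    # Branch 1 Administrators group has Full Control on computer objects in the OU).
    $repaired = Test-ComputerSecureChannel -Server $DomainController -Repair -Credential $Credential
    if (-not $repaired) {
        throw 'Repair failed; fall back to rejoining the computer to the domain.'
    }
    Write-Host 'Secure channel repaired; domain users can log on again.'
    return $repaired
}

Repair-DomainSecureChannel
```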

Results: After this exercise, you should have successfully reset the trust relationship.

X Prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-DC1.



Module Review and Takeaways


Review Questions
Question: Members of a Sales department in a company that has branches in multiple cities
travel frequently between domains. How can you provide these members with access to
printers on various domains that are managed by using domain local groups?

Question: You are responsible for managing accounts and access to resources for your
group members. A user in your group transfers into another department within the
company. What should you do with the user’s account?

Question: What is the main difference between the Computers container and an OU?

Question: When should you reset a computer account? Why is it better to reset the
computer account than to disjoin and rejoin it to the domain?

Best Practices

Best Practices for User Account Management


• Do not let users share user accounts. Always create a user account for each individual, even if that
person will not be with your organization for long.

o Educate users about the importance of password security.


o Ensure that you choose a naming strategy for user accounts that enables you to identify the user
to whom the account relates. Also ensure that your naming strategy uses unique names within
your domain.

Best Practices for Group Management


• When managing access to resources, try to use both domain local groups and role groups.

o Use Universal groups only when necessary because they add weight to replication traffic.
o Use Windows PowerShell with Active Directory Module for batch jobs on groups.

o Avoid adding users to built-in and default groups.

Best Practices Related to Computer Account Management


• Always provision a computer account before joining computers to a domain, and then place them in
appropriate OUs.

o Redirect the default Computer container to another location.


o Reset the computer account, instead of disjoining and rejoining.

o Integrate the Offline Domain Join functionality with unattended installations.

Real-world Issues and Scenarios


1. A project manager in your department is starting a group project that will continue for the next year.
Several users from your department and other departments will be dedicated to the project during
this time. The project team must have access to the same shared resources. The project manager must
be able to manage the user accounts and group accounts in AD DS. However, you do not want to
give the project manager permission to manage anything else in AD DS. What is the best way to do
this?

2. You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server-based
infrastructure. You have to find a method for joining new Windows® 8-based computers to a domain
during the installation process, without intervention of a user or an administrator.

Tools

Tool                                              Use                                 Where to find it

Active Directory Users and Computers              Manage groups                       Administrative Tools

Windows PowerShell with Active Directory Module   Manage groups                       Installed as Windows Feature

DS utilities                                      Manage groups                       Command line

Windows PowerShell with Active Directory Module   Computer account management         Administrative Tools

Djoin.exe                                         Offline domain join                 Command line

Redircmp.exe                                      Change default computer container   Command line

DSACLS                                            View and modify AD DS permissions   Command line

Module 4
Automating Active Directory Domain Services
Administration
Contents:
Module Overview 4-1

Lesson 1: Using Command-line Tools for Administration 4-2

Lesson 2: Using Windows PowerShell for Administration 4-7

Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13

Lab: Automating AD DS Administration by Using Windows PowerShell 4-20

Module Review and Takeaways 4-24

Module Overview
You can use command-line tools and Windows PowerShell® to automate Active Directory® Domain
Services (AD DS) administration. Automating administration speeds up processes that you might
otherwise perform manually. Windows PowerShell includes cmdlets for performing AD DS administration
and for performing bulk operations. You can use bulk operations to change many AD DS objects in a
single step rather than updating each object manually.

Objectives
After completing this module, you will be able to:
• Use command-line tools for AD DS administration.

• Use Windows PowerShell cmdlets for AD DS administration.

• Perform bulk operations by using Windows PowerShell.



Lesson 1
Using Command-line Tools for Administration
Windows Server® 2012 includes several command-line tools that you can use to perform AD DS
administration. Many organizations create scripts that use command-line tools to automate the creation
and management of AD DS objects such as user accounts and groups. You must understand how to use
these command-line tools to ensure that, if required, you can modify the scripts that your organization
uses.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the benefits of using command-line tools for AD DS administration.

• Describe how and when to use csvde.

• Describe how and when to use ldifde.

• Describe how and when to use DS commands.

Benefits of Using Command-Line Tools for Administration
Many administrators prefer to use graphical tools, such as Active Directory Users and Computers, for
AD DS administration whenever possible. Graphical tools are intuitive to use because they visually
represent information and provide options in the form of radio buttons and dialog boxes. When
information is represented graphically, you do not need to memorize syntax.

Graphical tools work well in many situations, but they cannot be automated. To automate AD DS
administration, you need command-line tools. Command-line tools can be used in scripts, or they can be
used by other applications. Some benefits of using command-line tools are:

• Faster implementation of bulk operations. For example, you can export a list of new user accounts
from a human resources application. You use a command-line tool or script to create the new user
accounts based on the exported information. This is much faster than manually creating each new
user account individually.

• Customized processes for AD DS administration. You can use a customized graphical program to
gather information about a new group, and then create the new group. When the information is
gathered, the graphical program can verify that the information format—such as the naming
convention—is correct. Then, the graphical program uses a command-line tool to create the new
group. This process allows company-specific rules to be enforced.

• AD DS administration on server core. Server core cannot run graphical administration tools such as
Active Directory Users and Computers. However, you can use command-line tools on server core.

Note: Server core can be administered remotely by using graphical tools.

What Is Csvde?
Csvde is a command-line tool that exports or imports Active Directory objects to or from a
comma-separated values (.csv) file. Many applications are capable of exporting or importing data from
.csv files. This makes csvde useful for interoperability with other applications, such as databases or
spreadsheets.

The main limitation of csvde is that it cannot modify existing Active Directory objects; it can only create
new objects. For example, you can use csvde to create a set of new user accounts, but you cannot use it
to modify the properties of the user accounts after they are created. You can also use csvde to export
object properties. For example, you can use csvde to export a list of users and their email addresses.

Export Objects by Using csvde
To export objects by using csvde, as a minimum, you need to specify the filename of the .csv file to which
data will be exported. With only the filename specified, all objects in the domain will be exported.

The basic syntax to use csvde for export is:

csvde -f filename

Other options that you can use with csvde are listed in the following table.

Option Description

-d RootDN Specifies the distinguished name of the container from which the export
will begin. The default is the domain.

-p SearchScope Specifies the scope of the search relative to the container specified by the
option -d. The SearchScope option can be either base (this object only),
onelevel (objects within this container), or subtree (this container and all
subcontainers). The default is subtree.

-r Filter Limits the objects returned to those that match the filter. The filter is based
on Lightweight Directory Access Protocol (LDAP) query syntax.

-l ListOfAttributes Specifies the attributes to be exported. Use the LDAP name for each
attribute, and separate them with commas.

After the export completes, the .csv file will contain a header row and one row for each object that was
exported. The header row is a comma-separated list with the names of the attributes for each object.

Create Objects by Using csvde
The basic syntax for using csvde to create objects is:

csvde -i -f filename -k

The -i parameter specifies import mode. The -f parameter identifies the file name from which to import.
The -k parameter instructs csvde to ignore error messages, including the “Object Already Exists” error
message. The suppress errors option is useful when importing objects to ensure that all of the objects
possible are created, instead of stopping when partially complete.

The .csv file that is being used for an import must have a header row that contains names of LDAP
attributes for the data in the .csv file. Each row must contain exactly the correct number of items as
specified in the header row.

You cannot use csvde to import passwords, because passwords in a .csv file are not protected. As a result,
user accounts created by csvde have a blank password and are disabled.

Note: For more information about parameters for csvde, at a command prompt, type csvde /?, and
then press Enter.

Additional Reading: For more information about LDAP query syntax, see
http://go.microsoft.com/fwlink/?LinkId=168752.


What Is Ldifde?
Ldifde is a command-line tool that you can use to export, create, modify, or delete AD DS objects. Like
csvde, ldifde uses data that is stored in a file. The file must be in LDAP Data Interchange Format (LDIF).
Most applications cannot export or import data in LDIF format. It is more likely that you can obtain data
in LDIF format from another directory service.

An LDIF file is text-based, with blocks of lines composing a single operation such as creating or
modifying a user object. Each line within the operation specifies something about the operation, such as
an attribute or the type of operation. A blank line separates multiple operations within the LDIF file.

The following is an example of an LDIF file that creates a single user.

dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: bonnie.kearney@adatum.com
mail: bonnie.kearney@adatum.com

For each operation in an LDIF file, the changetype line defines the operation to be performed. The valid
values are add, modify, or delete.

Export Objects by Using ldifde


When using ldifde to export objects, the minimum information you must provide is a filename to hold
the data. When no other options are selected, all objects in the domain are exported. The basic syntax for
exporting objects by using ldifde is:

ldifde -f filename

Some other options you can use when exporting objects with ldifde are listed in the following table.

Option Description

-d RootDN The root of the LDAP search. The default is the root of the
domain.

-r Filter An LDAP search filter that limits the results returned.

-p SearchScope The scope, or depth, of the search. This can be:


• subtree (the container and all child containers)
• base (the immediate child objects of the container only)
• onelevel (the container and its immediate child containers)

-l ListOfAttributes A comma-separated list of attributes to include in the export.

-o ListOfAttributes A comma-separated list of attributes to exclude in the export.

Import Objects by Using ldifde


When you use ldifde to import objects, you must specify the operation to perform on the object. For
each operation in an LDIF file, the changetype line defines the operation to be performed.

The basic syntax for using ldifde to import objects is:

ldifde -i -f filename -k

The -i parameter specifies import mode. The -f parameter identifies the file name to import from. The -k
parameter instructs ldifde to ignore errors, including the “Object Already Exists” error. The suppress
errors option is useful when importing objects to ensure that all objects possible are created instead of
stopping when partially complete.

You cannot use ldifde to import passwords, because passwords in an LDIF file would not be secure. As a
result, user accounts created by ldifde have a blank password and are disabled.
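The LDIF example earlier uses changetype: add; the following added example (not course code) shows the modify form, which is the one operation ldifde can do and csvde cannot, followed by a filtered export to confirm the change. It reuses the Bonnie Kearney DN from the example above; the file names and the new attribute values are constructed.

```powershell
# Added example, not course code: use ldifde to modify an existing user, then
# export only that user's changed attributes to confirm. The DN is the one from
# the LDIF example above; file names and attribute values are constructed.
$ldifFile = Join-Path $env:TEMP 'update-bonnie.ldf'

# Two modify operations on the same object. Inside a modify, every attribute
# change ends with a line containing only "-"; a blank line separates operations.
@"
dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: modify
replace: department
department: Operations
-
replace: title
title: Operations Lead
-

dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: modify
add: otherTelephone
otherTelephone: +44 20 7946 0000
-
"@ | Set-Content -Path $ldifFile -Encoding ASCII

# -i import mode, -f file, -k continue past errors such as "Object Already Exists"
ldifde -i -f $ldifFile -k
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# Confirm with an export scoped to the Employees OU (-d, -p), filtered to this
# account (-r) and limited to the attributes just changed (-l).
$outFile = Join-Path $env:TEMP 'bonnie-check.ldf'
ldifde -f $outFile -d 'OU=Employees,OU=User Accounts,DC=adatum,DC=com' -p onelevel `
       -r '(sAMAccountName=bonnie.kearney)' -l 'department,title,otherTelephone'
Get-Content -Path $outFile
```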

What Are DS Commands?
Windows Server 2012 includes command-line tools called DS commands, which are suitable for use in
scripts. You can use DS command-line tools to create, view, modify, and remove AD DS objects. The
following table describes DS command-line tools.

Tool Description

DSadd Creates AD DS objects.

DSget Displays properties of AD DS objects.

DSquery Searches for AD DS objects.

DSmod Modifies AD DS objects.

DSrm Removes AD DS objects.

DSmove Moves AD DS objects.

User Management Command Examples
The following are examples of commands that you could type at a command prompt.

To modify the department of a user account, type:

dsmod user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -dept IT

To display the email of a user account, type:

dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -email

To delete a user account, type:

dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

To create a new user account, type:

dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"
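The DS commands are most useful when chained: dsquery finds objects and writes their distinguished names, which dsget and dsmod read from standard input, so one line can act on a whole OU. The following added example (not from the course) shows this from Windows PowerShell; the branch OU is constructed, the Joe Healy DN is the one used above.

```powershell
# Added example, not course code: chain DS commands through a pipe. dsquery
# outputs quoted DNs, which dsget and dsmod accept on standard input. The OU
# is constructed for this example.
$ou = 'OU=Branch Office 1,DC=adatum,DC=com'

# Display name and email of every user in the OU (-limit 0 removes the
# default cap of 100 results).
dsquery user $ou -limit 0 | dsget user -display -email

# Users in the OU that have not logged on for 8 weeks (based on
# lastLogonTimestamp, so the figure is approximate).
$stale = dsquery user $ou -inactive 8 -limit 0

# Disable rather than delete, so the accounts can be reviewed and, if needed,
# re-enabled; dsmod reads the same DN list from standard input.
if ($stale) { $stale | dsmod user -disabled yes }

# Full, nested group membership of one user, one group per line.
dsget user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" -memberof -expand
```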

Question: What criteria would you use to select between using csvde, ldifde, and the DS
commands?

Lesson 2
Using Windows PowerShell for Administration
Windows PowerShell is the preferred scripting environment in Windows Server 2012. It is much easier to
use than previous scripting languages such as Microsoft® Visual Basic Scripting Edition (VBScript).
Windows PowerShell includes an extensive list of cmdlets to manage AD DS objects. Cmdlets can be used
to create, modify, and remove user accounts, groups, computer accounts, and organizational units.

Lesson Objectives
After completing this lesson, you will be able to:

• Use Windows PowerShell cmdlets to manage user accounts.

• Use Windows PowerShell cmdlets to manage groups.

• Use Windows PowerShell cmdlets to manage computer accounts.

• Use Windows PowerShell cmdlets to manage organizational units (OUs).

Using Windows PowerShell Cmdlets to Manage Users
You can use Windows PowerShell cmdlets to create, modify, and delete user accounts. These cmdlets can
be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets
for managing user accounts are in the following table.

Cmdlet Description

New-ADUser Creates user accounts.

Set-ADUser Modifies properties of user accounts.

Remove-ADUser Deletes user accounts.

Set-ADAccountPassword Resets the password of a user account.

Set-ADAccountExpiration Modifies the expiration date of a user account.

Unlock-ADAccount Unlocks a user account when it is locked after exceeding the
accepted number of incorrect login attempts.

Enable-ADAccount Enables a user account.

Disable-ADAccount Disables a user account.

Create New User Accounts


When you use the New-ADUser cmdlet to create new user accounts, you can set most user properties
including a password. For example:

• If you do not use the –AccountPassword parameter, no password is set and the user account is
disabled. The –Enabled parameter cannot be set as $true when no password is set.

• If you use the –AccountPassword parameter to specify a password, then you must specify a variable that contains the password as a secure string, or choose to be prompted for the password. A secure string is encrypted in memory, so the plaintext is not exposed in the console or in the command history. Do not build the secure string from a plaintext password written into the script, because the script file then holds a reusable credential. If you set a password, then you can enable the user account by setting the –Enabled parameter as $true.

Some commonly used parameters for the New-ADUser cmdlet are listed in the following table.

Parameter Description

AccountExpirationDate Defines the expiration date for the user account.

AccountPassword Defines the password for the user account.

ChangePasswordAtLogon Requires the user account to change passwords at the next logon.

Department Defines the department for the user account.

Enabled Defines whether the user account is enabled or disabled.

HomeDirectory Defines the location of the home directory for a user account.

HomeDrive Defines the drive letter that is mapped to the home directory for a user account.

GivenName Defines the first name for a user account.

Surname Defines the last name for a user account.

Path Defines the OU or container where the user account will be created.

The following is a command you could use to create a user account with a prompt for a password:

New-ADUser "Joe Healy" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT
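The following is an added example, not code from the course, that creates an account the way the bullets above describe: a prompted secure-string password, the account enabled in one step, and the initial password forced to change at first logon. The OU, the SamAccountName and the UPN suffix are assumed values.

```powershell
# Added example (not from the course). Creates an enabled user in a specific OU
# with a prompted password and a forced password change at first logon.
# Assumed values: the OU below must exist, and jhealy / adatum.com are invented.
Import-Module ActiveDirectory

$ou = "ou=LondonBranch,dc=adatum,dc=com"   # assumed OU

# Read-Host -AsSecureString keeps the plaintext out of the console, the
# command history and this file; the value is only ever held as a SecureString.
$initialPassword = Read-Host -AsSecureString "Initial password for the new user"

$userParams = @{
    Name                  = "Joe Healy"
    SamAccountName        = "jhealy"
    UserPrincipalName     = "jhealy@adatum.com"
    GivenName             = "Joe"
    Surname               = "Healy"
    Department            = "IT"
    Path                  = $ou
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true     # the password the admin typed is single-use
    Enabled               = $true     # only allowed because a password was supplied
}

New-ADUser @userParams

# Verify the result. Department and PasswordExpired are not in the default
# property set that Get-ADUser returns, so they have to be requested.
Get-ADUser -Identity jhealy -Properties Department, PasswordExpired |
    Select-Object Name, SamAccountName, Enabled, PasswordExpired, Department, DistinguishedName
```

The anti-pattern this avoids is ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -Force inside a saved script: the call produces a secure string, but the plaintext it was made from stays readable in the file.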

Question: Are the parameters for all cmdlets that you use to manage user accounts the
same?

Using Windows PowerShell Cmdlets to Manage Groups
You can use Windows PowerShell to create, modify, and delete groups. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing groups are listed in the following table.

Cmdlet Description

New-ADGroup Creates new groups.

Set-ADGroup Modifies properties of groups.

Get-ADGroup Displays properties of groups.

Remove-ADGroup Deletes groups.

Add-ADGroupMember Adds members to groups.

Get-ADGroupMember Displays membership of groups.

Remove-ADGroupMember Removes members from groups.

Add-ADPrincipalGroupMembership Adds group membership to objects.

Get-ADPrincipalGroupMembership Displays group membership of objects.

Remove-ADPrincipalGroupMembership Removes group membership from an object.
Create New Groups
You can use the New-ADGroup cmdlet to create groups. However, when you create groups by using the New-ADGroup cmdlet, you must use the GroupScope parameter in addition to the group name. Apart from the name, this is the only required parameter. The following table lists commonly used parameters for New-ADGroup.

Parameter Description

Name Defines the name of the group.

GroupScope Defines the scope of the group as DomainLocal, Global, or Universal. You must provide this parameter.

DisplayName Defines the LDAP display name for the object.

GroupCategory Defines whether it is a security group or a distribution group. If you do not specify either, a security group is created.

ManagedBy Defines a user or group that can manage the group.

Path Defines the OU or container in which the group is created.

SamAccountName Defines a name that is backward compatible with older operating systems.

The following command is an example of what you could type at a Windows PowerShell prompt to create a new group:

New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

Manage Group Membership


There are two sets of cmdlets that you can use to manage group membership: *-ADGroupMember and *-ADPrincipalGroupMembership. The distinction between these two sets of cmdlets is the perspective used when modifying group membership. They are:

• The *-ADGroupMember cmdlets modify the membership of a group. For example, you add or remove members of a group.

o You cannot pipe a list of members to these cmdlets. Members are supplied with the –Members parameter, which accepts a list.

o You can pipe a list of groups to these cmdlets.

• The *-ADPrincipalGroupMembership cmdlets modify the group membership of an object such as a user. For example, you can modify a user account to add it as a member of a group.

o You can pipe a list of members to these cmdlets.

o You cannot pipe a list of groups to these cmdlets. Groups are supplied with the –MemberOf parameter, which accepts a list.

Note: When you pipe a list of objects to a cmdlet, you pass a list of objects to a cmdlet. More information about how to pipe a list of objects is covered in Lesson 3: Performing Bulk Operations with Windows PowerShell.

The following is a command you could use to add a member to a group.

Add-ADGroupMember CustomerManagement -Members "Joe Healy"
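The following added example (not code from the course) shows both perspectives side by side and then does the check a practitioner wants after any membership change: what a privileged group actually resolves to once nesting is expanded. The group, user and OU names are assumed to exist in the lab domain.

```powershell
# Added example (not from the course). Group names, user names and the OU are
# assumed values from the lab domain.
Import-Module ActiveDirectory

# Group perspective: one group as the identity, the members passed as a list.
Add-ADGroupMember -Identity CustomerManagement -Members "Joe Healy", "Ty"

# Principal perspective: users are piped in, the group(s) go in -MemberOf.
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" |
    Add-ADPrincipalGroupMembership -MemberOf LondonBranchUsers

# Confirm from the user's side which groups it now belongs to.
Get-ADPrincipalGroupMembership -Identity Ty | Select-Object Name, GroupScope, GroupCategory

# Direct members of a privileged group: any member that is itself a group
# hands Domain Admins rights to everyone it contains, so each one needs a reason.
$direct = Get-ADGroupMember -Identity "Domain Admins"
$direct | Where-Object objectClass -eq 'group' | ForEach-Object {
    Write-Warning "Nested group in Domain Admins: $($_.name) ($($_.distinguishedName))"
}

# -Recursive expands nested groups down to the accounts they contain, which is
# the list that matters when reviewing who can administer the domain.
$effective = Get-ADGroupMember -Identity "Domain Admins" -Recursive
"Domain Admins resolves to $(@($effective).Count) accounts:"
$effective | Select-Object name, objectClass, distinguishedName
```

Get-ADGroupMember without -Recursive is the only way to see the nested groups themselves; with -Recursive the groups are flattened away and only the leaf accounts are returned.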

Using Windows PowerShell Cmdlets to Manage Computer Accounts
You can use Windows PowerShell to create, modify, and delete computer accounts. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing computer accounts are listed in the following table.

Cmdlet Description

New-ADComputer Creates a new computer account.

Set-ADComputer Modifies properties of a computer account.

Get-ADComputer Displays properties of a computer account.

Remove-ADComputer Deletes a computer account.

Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain.

Reset-ComputerMachinePassword Resets the password for a computer account.

Create New Computer Accounts
You can use the New-ADComputer cmdlet to create a new computer account before the computer is joined to the domain. You do this so you can create the computer account in the correct OU before deploying the computer.

The following table lists commonly used parameters for New-ADComputer.

Parameter Description

Name Defines the name of the computer account.

Path Defines the OU or container where the computer account will be created.

Enabled Defines whether the computer account is enabled or disabled. By default, the computer account is enabled and a random password is generated.

The following is an example that you can use to create a computer account (the closing quotation mark after the path is required):

New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Repair the Trust Relationship for a Computer Account
You can use the Test-ComputerSecureChannel cmdlet with the -Repair parameter to repair a lost trust relationship between a computer and the domain. You must run the cmdlet on the computer with the lost trust relationship. The following is a command that you could use to repair the trust relationship for a computer account:

Test-ComputerSecureChannel -Repair
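The following added example (not code from the course) tests the secure channel first, repairs it only when the test fails and with explicit credentials, and then shows the domain-side query that finds computer accounts whose machine password has stopped rotating. The domain controller name, the 90-day cutoff and the idea that the second half is run on a domain controller are assumptions.

```powershell
# Added example (not from the course). Server name and cutoff are assumed values.
Import-Module ActiveDirectory

# Part 1: run on the domain member. The cmdlet returns $true when the secure
# channel works; -Verbose names the domain controller that answered.
$healthy = Test-ComputerSecureChannel -Verbose

if (-not $healthy) {
    # -Repair resets the computer account password both on this computer and
    # in AD DS. Supply an account that is allowed to reset the computer account
    # password instead of relying on whatever the current session runs as.
    $cred = Get-Credential -Message "Account allowed to reset this computer account"
    Test-ComputerSecureChannel -Repair -Credential $cred -Server LON-DC1.adatum.com
}

# Part 2: run on a domain controller (or anywhere the AD module is installed).
# Members rotate their machine password every 30 days by default, so an
# enabled computer account whose password is far older is either a machine that
# no longer exists or one whose trust with the domain has been lost.
$cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter 'Enabled -eq $true -and PasswordLastSet -lt $cutoff' -Properties PasswordLastSet |
    Sort-Object PasswordLastSet |
    Select-Object Name, PasswordLastSet, DistinguishedName
```

A stale account found by the second query should be disabled rather than deleted until its owner is known: the SID is what any existing ACLs refer to, and deleting the account makes those entries unresolvable.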

Using Windows PowerShell Cmdlets to Manage OUs
You can use Windows PowerShell to create, modify, and delete OUs. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing OUs are listed in the following table.

Cmdlet Description

New-ADOrganizationalUnit Creates OUs.

Set-ADOrganizationalUnit Modifies properties of OUs.

Get-ADOrganizationalUnit Displays properties of OUs.

Remove-ADOrganizationalUnit Deletes OUs.

Create New OUs
You can use the New-ADOrganizationalUnit cmdlet to create a new OU to represent departments or physical locations within your organization. The following table shows commonly used parameters for the New-ADOrganizationalUnit cmdlet.

Parameter Description

Name Defines the name of the new OU.

Path Defines the location of the new OU.

ProtectedFromAccidentalDeletion Prevents the OU from being deleted accidentally. The default value is $true.

The following is an example you can use when you want to create a new organizational unit:

New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true

Question: In the slide example, is the ProtectedFromAccidentalDeletion parameter required?
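The following added example (not code from the course) shows what the default value of ProtectedFromAccidentalDeletion actually does: the OU is created without the parameter, a delete attempt is refused, and the OU is removed only after the flag is cleared on purpose. It ends with the review query that lists OUs a mistyped command could still remove. The OU names are assumed and the parent OU is assumed to exist.

```powershell
# Added example (not from the course). OU names are assumed values; the parent
# OU must already exist.
Import-Module ActiveDirectory

$parent = "ou=marketing,dc=adatum,dc=com"
New-ADOrganizationalUnit -Name Sales -Path $parent

$ou = Get-ADOrganizationalUnit -Identity "ou=Sales,$parent" -Properties ProtectedFromAccidentalDeletion
"Protected: $($ou.ProtectedFromAccidentalDeletion)"    # True although it was never specified

# While the flag is set, the deny ACE it places on the object refuses deletion.
try {
    Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete refused: $($_.Exception.Message)"
}

# Clear the flag deliberately, then delete. If the OU contains objects, add
# -Recursive; without it the cmdlet fails instead of deleting the children.
Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false

# Review: OUs in the domain that are not protected. The flag is not an LDAP
# attribute that -Filter can query, so it is evaluated client-side.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```

The flag protects OUs created with New-ADOrganizationalUnit; OUs created by other means, or that had the flag cleared for a move and never restored, show up in the last query.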

Lesson 3
Performing Bulk Operations with Windows PowerShell
Windows PowerShell is a powerful scripting environment that you can use to perform bulk operations, which would normally be tedious to perform manually. You can also perform some bulk operations in graphical tools.

To perform bulk operations using Windows PowerShell, you must first understand how to create queries for a list of AD DS objects, and how to work with .csv files. Then you can create scripts that perform the bulk operations that you require.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe bulk operations.

• Use graphical tools to perform bulk operations.

• Query AD DS objects by using Windows PowerShell.

• Modify AD DS objects by using Windows PowerShell.

• Use .csv files.

• Modify and execute Windows PowerShell scripts to perform bulk operations.

What Are Bulk Operations?
A bulk operation is a single action that changes multiple objects. Performing a bulk operation is much faster than changing many objects individually. It may also be more accurate, because performing many individual actions increases the likelihood of making a typographical error.

You can perform bulk operations with graphical tools, at a command prompt, or by using scripts. Each method for performing bulk operations has different capabilities. For example:

• Graphical tools tend to be limited in the properties that they can modify.

• Command-line tools tend to be more flexible than graphical tools when defining queries, and they have more options for modifying object properties.

• Scripts can combine multiple command-line actions for the most complexity and flexibility.

The general process for performing bulk operations is as follows:

1. Define a query. You use the query to select the objects that you want to modify. For example, you may want to modify all user accounts in a specific OU.

2. Modify the objects defined by the query. When using graphical tools, you typically select the objects that you want to modify, and then edit the properties of those objects. When using command-line tools, you may use a list of objects or variables to identify the objects that you want to modify.

Demonstration: Using Graphical Tools to Perform Bulk Operations


You can use Active Directory Administrative Center and Active Directory Users and Computers to modify the properties of multiple objects simultaneously. To perform a bulk operation by using graphical tools, perform the following steps:

1. Perform a search or create a filter to display the objects that you want to modify.

2. Select the objects.

3. Examine the properties of the objects.

4. Modify the properties that you want to change.

When you use graphical tools to modify multiple user accounts simultaneously, you are limited to modifying the properties that are displayed in the user interface.

In this demonstration, you will see how to:

• Create a query for all users.

• Configure the company attribute for all users.

• Verify that the company attribute has been modified.

Note: When you use graphical tools to modify multiple user accounts simultaneously, you
are limited to modifying the properties that display in the user interface.

Demonstration Steps

Create a query for all users


1. On LON-DC1, open Active Directory Administrative Center.
2. Browse to Global Search, and add the criteria Object type is
user/inetOrgPerson/computer/group/organization unit.

3. Verify that the criteria that you added is for the type User, and perform the search.

Configure the Company attribute for all users


1. Select all the user Accounts and modify their properties.

2. Type the Company as A. Datum.

Verify that the Company attribute has been modified


• Open the properties of Adam Barr, and verify that the company is A. Datum.

Querying Objects with Windows PowerShell
In Windows PowerShell, you use the Get-* cmdlets to obtain lists of objects, such as user accounts. You can also use these cmdlets to generate queries for objects on which you can perform bulk operations. The following table lists commonly used parameters with the Get-AD* cmdlets.

Parameter Description

SearchBase Defines the AD DS path to begin searching, for example, the domain or an OU.

SearchScope Defines at what level below the SearchBase a search should be performed. You can choose to search only in the base, one level down, or the entire subtree.

ResultSetSize Defines how many objects to return in response to a query. To ensure that all objects are returned, you should set this to $null.

Properties Defines which object properties to return and display. To return all properties, type an asterisk (*). You do not need to use this parameter to use a property for filtering.

Create a Query
You can use the Filter parameter or the LDAPFilter parameter to create queries for objects with the Get-AD* cmdlets. The Filter parameter is used for queries written in Windows PowerShell Expression Language. The LDAPFilter parameter is used for queries written as LDAP query strings. Windows PowerShell Expression Language is preferred because:

• It is easier to write queries in Windows PowerShell Expression Language.

• You can use variables inside the queries.

• There is automatic conversion of variable types, when required.

The following table lists commonly used operators you can use in Windows PowerShell Expression Language.

Operator Description

-eq Equal to

-ne Not equal to

-lt Less than

-le Less than or equal to

-gt Greater than

-ge Greater than or equal to

-like Uses wildcards for pattern matching

The following is a command that you could use to show all of the properties for a user account:

Get-ADUser Administrator -Properties *

The following is a command that you could use to return all the user accounts in the Marketing OU, and all its child OUs. The Get-AD* cmdlets require either an identity or a filter, so -Filter * is needed to return every account under the search base:

Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope subtree

The following is a command that you could use to show all of the user accounts with a last logon date older than a specific date:

Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"'

The following is a command that you could use to show all of the user accounts in the Marketing department that have a last logon date older than a specific date:

Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012" -and department -eq "Marketing"'

Note: For more information about filtering with Get-AD* cmdlets, see http://technet.microsoft.com/en-us/library/hh531527(v=ws.10).

Question: What is the difference between using -eq and -like when comparing strings?
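The following added example (not code from the course) writes the stale-account query from the last two commands three ways: with a variable inside the -Filter expression, as the equivalent -LDAPFilter string, and with the extra query that the -lt comparison silently misses. The OU, the 90-day cutoff and the variable names are assumed.

```powershell
# Added example (not from the course). OU and cutoff are assumed values.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)
$base   = "ou=Marketing,dc=adatum,dc=com"
$common = @{ SearchBase = $base; SearchScope = 'Subtree'; Properties = 'LastLogonDate', 'WhenCreated'; ResultSetSize = $null }

# 1. Windows PowerShell Expression Language. The filter parser resolves $cutoff
#    itself, so the variable can sit inside a single-quoted string, and the
#    DateTime is converted to the attribute's type automatically.
$stale = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' @common

# 2. The same query as an LDAP filter. LastLogonDate is a friendly view of the
#    lastLogonTimestamp attribute, which stores a Windows file time, so the
#    conversion that -Filter did for us has to be done by hand. The bitwise
#    match on userAccountControl (bit 2 = ACCOUNTDISABLE) excludes disabled accounts.
$ft   = $cutoff.ToFileTime()
$ldap = "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$ft)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
$staleLdap = Get-ADUser -LDAPFilter $ldap @common

# 3. An account that has never logged on has no lastLogonTimestamp at all, so it
#    is not "less than" anything and both queries above miss it. An unset
#    attribute is matched with -notlike "*".
$neverLoggedOn = Get-ADUser -Filter 'Enabled -eq $true -and lastLogonTimestamp -notlike "*"' @common

"Stale (-Filter): $(@($stale).Count)  Stale (-LDAPFilter): $(@($staleLdap).Count)  Never logged on: $(@($neverLoggedOn).Count)"

@($stale) + @($neverLoggedOn) |
    Sort-Object LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate, WhenCreated, DistinguishedName
```

Two caveats when this query drives a decision: lastLogonTimestamp is replicated lazily and can lag the real last logon by up to 14 days (the msDS-LogonTimeSyncInterval default), so choose a cutoff well above that; and "never logged on" includes accounts that were created recently, which is why WhenCreated is included in the output.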

Modifying Objects with Windows PowerShell
To perform a bulk operation, you need to pass the list of objects that you have queried to another cmdlet to modify the objects. In most cases, you use the Set-AD* cmdlets to modify the objects.

To pass the list of queried objects to another cmdlet for further processing, you use the pipe ( | ) character. The pipe character passes each object from the query to a second cmdlet, which then performs a specified operation on each object.

The following is a command that you could use for those accounts that do not have the company attribute set. This code would generate a list of user accounts and set the company attribute to A. Datum. An attribute that has never been set is absent from the object rather than equal to an empty value, so -notlike "*" is the filter that matches it:

Get-ADUser -Filter 'company -notlike "*"' | Set-ADUser -Company "A. Datum"

The following is a command that you could use to generate a list of user accounts that have not logged on since a specific date, and then disable them:

Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"' | Disable-ADAccount

Use Objects from a Text File
Instead of using a list of objects from a query to perform a bulk operation, you can use a list of objects in a text file. This is useful when you need a list of objects to modify or remove, and it is not possible to generate that list by using a query. For example, the human resources department may generate a list of user accounts to be disabled. There is no query that can identify a list of users that have left the organization.
When you use a text file to specify a list of objects, the text file needs to have the name of each object on a single line.

The following example disables the user accounts that are listed in a text file:

Get-Content C:\users.txt | Disable-ADAccount

Question: Which attributes of a user account can you use when creating a query by using the Filter parameter?
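The following added example (not code from the course) covers both forms of bulk disable above, the piped query and the text file, with the two things the one-liners leave out: a rehearsal with -WhatIf before any account is touched, and validation of each line from the file so that a typo fails loudly instead of silently doing nothing. The file path, the OU, the cutoff and the contents of leavers.txt are constructed sample values.

```powershell
# Added example (not from the course). Paths, cutoff and the sample file are
# constructed values.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)
$query  = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' -Properties LastLogonDate

# Dry run. Every AD cmdlet that changes data supports -WhatIf, so the whole
# pipeline can be rehearsed and the list reviewed before anything is disabled.
$query | Disable-ADAccount -WhatIf

# Real run. -PassThru returns the objects that were changed, which gives a
# record of exactly which accounts this run disabled.
$changed = $query | Disable-ADAccount -PassThru
$changed | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path (Join-Path $env:TEMP "disabled-stale.csv") -NoTypeInformation

# From a text file. Get-Content yields raw lines: trailing spaces and blank
# lines are common in hand-made lists, and Disable-ADAccount on an unknown
# identity throws, so each name is trimmed and resolved before acting on it.
$file = Join-Path $env:TEMP "leavers.txt"
# Constructed sample input, one SamAccountName per line (note the padding and blank):
Set-Content -Path $file -Value @('tcarlson', '', ' jhealy ', 'not.a.real.user')

foreach ($line in Get-Content $file) {
    $sam = $line.Trim()
    if (-not $sam) { continue }
    try {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        Disable-ADAccount -Identity $user
        Write-Host "Disabled $($user.DistinguishedName)"
    } catch {
        Write-Warning "Skipped '$sam': $($_.Exception.Message)"
    }
}
```

Disabling is preferred over Remove-ADUser for leavers: the account keeps its SID, so ACL entries and group memberships remain readable during the retention period, and the action is reversible with Enable-ADAccount.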

Working with CSV Files
A .csv file can contain much more information than a simple list. Similar to a spreadsheet, a .csv file can have multiple rows and columns of information. Each row in the .csv file represents a single object, and each column in the .csv file represents a property of the object. This is useful for bulk operations such as creating user accounts, where multiple pieces of information about each object are required.

You can use the Import-Csv cmdlet to read the contents of a .csv file into a variable, and then work with the data. After the data is imported into the variable, you can then refer to each individual row of data and each individual column of data. Each column of data has a name that is based on the header row (the first row) of the .csv file. You can refer to each column by name.

The following is an example of a .csv file with a header row:

FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing

Use Foreach to Process CSV Data
In many cases, you are creating a script that will be reused for multiple .csv files, and you do not know how many rows there are in each .csv file. You can use a foreach loop to process each row in a .csv file. This type of loop does not require that you know how many rows there are.

The following is a command that you could use to import a .csv file into a variable, and use a foreach loop to display the first name from each row in a .csv file. Inside a double-quoted string, $i.FirstName expands only $i and leaves ".FirstName" as literal text, so the property access must be wrapped in a subexpression, $($i.FirstName):

$users = Import-Csv C:\users.csv
foreach ($i in $users) {
    Write-Host "The first name is: $($i.FirstName)"
}

Question: In the foreach loop, how does $i change?
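The following added example (not the DemoUsers.ps1 or LabUsers.ps1 script from the course) is a complete version of the loop above: it creates the users described by each .csv row, derives a SamAccountName from the columns, gives every account a random single-use initial password so that it can be enabled, and keeps going when one row fails. The .csv content is a constructed sample written to a temporary file, and the OU, UPN suffix and naming convention are assumptions.

```powershell
# Added example (not from the course). The .csv is a constructed sample; the
# OU, UPN suffix and naming convention are assumed values.
Import-Module ActiveDirectory

$ou        = "ou=LondonBranch,dc=adatum,dc=com"
$upnSuffix = "adatum.com"
$csvfile   = Join-Path $env:TEMP "newusers.csv"

# Constructed sample input (the third row duplicates the first on purpose).
@"
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Greg,Guzik,IT
"@ | Set-Content -Path $csvfile

# A random initial password lets the account be created enabled without a
# shared default password ever appearing in the script or the .csv file.
function New-InitialPassword {
    $bytes = New-Object byte[] 12
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # 12 random bytes give 16 Base64 characters; the suffix guarantees the
    # upper/lower/digit/symbol classes the default domain policy asks for.
    $text = [Convert]::ToBase64String($bytes) + "Aa1!"
    ConvertTo-SecureString -String $text -AsPlainText -Force
}

foreach ($row in Import-Csv $csvfile) {
    # Naming convention: first initial + surname, lower case, and
    # SamAccountName is limited to 20 characters.
    $sam = ("{0}{1}" -f $row.FirstName.Substring(0, 1), $row.LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Skip an existing account instead of aborting half-way through the file.
    if (Get-ADUser -Filter 'SamAccountName -eq $sam') {
        Write-Warning "$sam already exists; skipping $($row.FirstName) $($row.LastName)"
        continue
    }

    $params = @{
        Name                  = "$($row.FirstName) $($row.LastName)"
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$upnSuffix"
        Department            = $row.Department
        Path                  = $ou
        AccountPassword       = (New-InitialPassword)
        ChangePasswordAtLogon = $true
        Enabled               = $true
        ErrorAction           = 'Stop'
    }
    try {
        New-ADUser @params
        Write-Host "Created $sam in $ou"
    } catch {
        Write-Warning "Failed to create $sam : $($_.Exception.Message)"
    }
}
```

The generated password is never written anywhere, so the design assumes the helpdesk sets a known one with Set-ADAccountPassword -Reset when the person arrives; what it avoids is the pattern in the lab scripts of one default password for every new account, which stays valid until each user happens to log on.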

Demonstration: Performing Bulk Operations with Windows PowerShell


You can use a script to combine multiple Windows PowerShell commands to perform more complex
tasks. Within a script, you often use variables and loops to process data. Windows PowerShell scripts have
a .ps1 extension.

The execution policy on a server determines whether scripts are able to run. The default execution policy on Windows Server 2012 is RemoteSigned. This means that local scripts can run without being digitally signed, while scripts downloaded from the Internet must be signed by a trusted publisher. The execution policy is a safeguard against running scripts unintentionally, not a security boundary: a user who can run commands can bypass it. You can control the execution policy by using the Set-ExecutionPolicy cmdlet.

In this demonstration, you will see how to:

• Configure the department for users in the Research OU.

• Create a LondonBranch OU.

• Run the script to create new user accounts in LondonBranch.

• Verify that the new user accounts were created in LondonBranch.

Demonstration Steps
Configure the department for users in the Research OU
1. On LON-DC1, open a Windows PowerShell prompt.

2. At the Windows PowerShell prompt, search for user accounts in the Research OU using the following
command:

Get-ADUser –Filter * –SearchBase “ou=Research,dc=adatum,dc=com”

3. Set the department attribute of all users in the Research OU using the following command:

Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com" | Set-ADUser -Department Research

4. Display a table-formatted list of users in the Research department. Display the distinguished name and department by using the following command:

Get-ADUser -Filter 'department -eq "Research"' | Format-Table DistinguishedName,Department

5. Use the Properties parameter to allow the previous command to display the department correctly. Department is not in the default set of properties that Get-ADUser returns, so the column stays empty until it is requested. Use the following command:

Get-ADUser -Filter 'department -eq "Research"' -Properties Department | Format-Table DistinguishedName,Department

Create a LondonBranch OU
• At the Windows PowerShell prompt, create a new OU named LondonBranch using the following
command:

New-ADOrganizationalUnit LondonBranch –Path “dc=adatum,dc=com”

Run the script to create new user accounts in LondonBranch


1. Open E:\Labfiles\Mod04\DemoUsers.csv, and read the header row.

2. Edit DemoUsers.ps1, and review the contents of the script. Note that the script:

o Refers to the location of the .csv file.

o Uses a foreach loop to process the .csv file contents.

o Refers to the columns defined by the header in the .csv file.

3. At the Windows PowerShell prompt, change to the E:\Labfiles\Mod04 directory and run the following
command:

.\DemoUsers.ps1

Verify that the new user accounts were created in LondonBranch


1. In Server Manager, open Active Directory Administrative Center tool.

2. In Active Directory Administrative Center, browse to Adatum (local)>LondonBranch, and verify that the user accounts were created. Note that the user accounts are disabled because no password was set during creation.

Lab: Automating AD DS Administration by Using Windows


PowerShell
Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in
London, England. An IT office and a data center are located in London to support the London location
and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows
8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. One of your first assignments is configuring the infrastructure
service for a new branch office.

As part of configuring a new branch office, you need to create user and group accounts. Creating multiple
users with graphical tools is inefficient, so, you will be using Windows PowerShell.

Objectives
After completing this lab, you will be able to:
• Create user accounts and group accounts by using Windows PowerShell.

• Use Windows PowerShell to create user accounts in bulk.

• Modify user accounts in bulk.

Lab Setup

Estimated time: 45 minutes

Virtual Machines 20410A-LON-DC1


20410A-LON-CL1

User Name Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Creating User Accounts and Groups by Using Windows


PowerShell
Scenario
A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by
using command-line tools. It has been mandated that all future scripting will be done by using Windows
PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS
objects in Windows PowerShell.

The main tasks for this exercise are as follows:

1. Create a user account by using Windows PowerShell.

2. Create a group by using Windows PowerShell.

X Task 1: Create a user account by using Windows PowerShell


1. On LON-DC1, open a Windows PowerShell prompt.

2. At the Windows PowerShell prompt, create a new OU named LondonBranch.

New-ADOrganizationalUnit LondonBranch

3. Create a new user account for Ty Carlson in the LondonBranch OU using the following command:

New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=LondonBranch,dc=adatum,dc=com"

4. Set the password for the new account as Pa$$w0rd, using the following command:

Set-ADAccountPassword Ty

5. Enable the new user account using the following command:

Enable-ADAccount Ty

6. On LON-CL1, log on as Ty using a password of Pa$$w0rd.

7. Verify that logon is successful and then sign out of LON-CL1.

X Task 2: Create a group by using Windows PowerShell


1. On LON-DC1, at the Windows PowerShell prompt, create a new global security group for users in the
London branch office, using the following command:

New-ADGroup LondonBranchUsers -Path "ou=LondonBranch,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

2. At the Windows PowerShell prompt, add Ty as a member of LondonBranchUsers, using the following
command:

Add-ADGroupMember LondonBranchUsers –Members Ty

3. At the Windows PowerShell prompt, confirm that Ty has been added as a member of
LondonBranchUsers, using the following command:

Get-ADGroupMember LondonBranchUsers

Results: After completing this exercise, you will have created user accounts and groups by using Windows
PowerShell.

Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk


Scenario
You have been given a .csv file that contains a large list of new users for the branch office. It would be
inefficient to create these users individually with graphical tools. Instead, you will use a Windows
PowerShell script to create the users. A colleague that is experienced with scripting has provided you with
a script that she created. You need to modify the script to match the format of your CSV file.

The main tasks for this exercise are as follows:

1. Prepare the .csv file.

2. Prepare the script.


3. Run the script.

X Task 1: Prepare the .csv file


1. On LON-DC1, read the contents in E:\Labfiles\Mod04\LabUsers.ps1 to identify the header requirements for the .csv file.

2. Edit the contents in E:\Labfiles\Mod04\LabUsers.csv and add the appropriate header.

X Task 2: Prepare the script


1. On LON-DC1, use Windows PowerShell ISE to modify the variables in LabUsers.ps1.

o $csvfile: E:\Labfiles\Mod04\labUsers.csv
o $OU: “ou=LondonBranch,dc=adatum,dc=com”

2. Save the modified LabUsers.ps1.

3. Review the contents of the script.

X Task 3: Run the script


1. On LON-DC1, open a Windows PowerShell prompt, and run E:\Labfiles\Mod04\LabUsers.ps1.

2. At the Windows PowerShell prompt, verify that the users were created by using the following
command:

Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com”

3. On LON-CL1, log on as Luka using a password of Pa$$w0rd.

Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in
bulk.

Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk


Scenario
You have received a request to update all user accounts in the new branch office OU with the correct
address of the new building. You have also been asked to ensure that all of the new user accounts in the
branch office are configured to force the users to change their passwords at their next logon. You decide

to run a script to force all user accounts in the London branch to change their password the next time that
they log on.

The main tasks for this exercise are as follows:

1. Force all user accounts in LondonBranch to change password at next logon.

2. Configure the address for user accounts in LondonBranch.


3. To prepare for the next module.

X Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, open a Windows PowerShell prompt.

2. At the Windows PowerShell prompt, create a query for user accounts in the LondonBranch OU using
the following command:

Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Format-Wide DistinguishedName

3. At the Windows PowerShell prompt, modify the previous command to force all user accounts to
change their password at the next logon.

Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Set-ADUser -ChangePasswordAtLogon $true

X Task 2: Configure the address for user accounts in LondonBranch


1. On LON-DC1, open Active Directory Administrative Center tool.
2. Open the properties for all user accounts in LondonBranch.

3. Set the address for multiple users as follows:

o Street: Branch Office


o City: London

o Country/Region: United Kingdom

Results: After completing this exercise, you will have modified user accounts in bulk.

X To prepare for the next module


When you finish the lab, revert all virtual machines back to their initial state by performing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 to 3 for 20410A-LON-DC1.



Module Review and Takeaways


Question: A colleague is creating a Windows PowerShell script that creates user accounts
from data in a .csv file, but is experiencing errors when attempting to set a default password.
Why might this be happening?

Question: You are an administrator for a school district that creates 20,000 new user
accounts for students each year. The administration system for students can generate a list of
the new students and then export it as a .csv file. After the data has been exported to a .csv
file, what information do you need to work with the data in a script?

Question: The Research department in your organization has been renamed to Research and
Development. You need to update the Department property of users in the Research
department to reflect this change.

Question: You have created a query for user accounts with the department property set to
Research by using the Get-ADUser cmdlet and the –Filter parameter. What is the next step
to update the department property to Research and Development?

Module 5
Implementing IPv4
Contents:
Module Overview 5-1

Lesson 1: Overview of TCP/IP 5-2

Lesson 2: Understanding IPv4 Addressing 5-6

Lesson 3: Subnetting and Supernetting 5-11

Lesson 4: Configuring and Troubleshooting IPv4 5-16

Lab: Implementing IPv4 5-23

Module Review and Takeaways 5-27

Module Overview
Internet Protocol Version 4 (IPv4) is the network protocol used on the Internet and local area networks. To ensure that you can understand and troubleshoot network communication, it is essential that you understand how IPv4 is implemented. In this module, you will see how to implement an IPv4 addressing scheme, and determine and troubleshoot network-related problems.

Objectives
At the end of this module, you will be able to:

• Describe the TCP/IP protocol suite.


• Describe IPv4 addressing.

• Determine a subnet mask necessary for supernetting or subnetting.

• Configure IPv4 and troubleshoot IPv4 communication.


5-2 Implementing IPv4

Lesson 1
Overview of TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry standard suite of protocols that
provides communication in a heterogeneous network. This lesson provides an overview of IPv4 and how it
relates to other protocols to enable network communication. It also covers the concept of sockets, which
are used by applications to accept network communications. Combined together, this overview provides a
foundation for understanding and troubleshooting network communication.

Lesson Objectives
At the end of this lesson, you will be able to:

• Describe the elements of the TCP/IP suite of protocols.

• Describe the individual protocols that make up the TCP/IP suite.

• Describe TCP/IP application layer protocols.

• Describe a socket and identify port numbers for specified protocols.

The TCP/IP Protocol Suite
The tasks performed by TCP/IP in the communication process are distributed between protocols. These
protocols are organized into four distinct layers of the TCP/IP stack:

• Application layer. Applications use the application layer protocols to access network resources.

• Transport layer. The transport layer protocols control data transfer reliability on the network.

• Internet layer. The Internet layer protocols control packet movement between networks.

• Network interface layer. The network interface layer protocols define how datagrams from the
Internet layer are transmitted on the media.

Benefits of Architecture Layers
Rather than creating a single protocol, dividing the network functions into a stack of separate protocols
provides several benefits:

• Separate protocols make it easier to support a variety of computing platforms.

• Creating or modifying protocols to support new standards does not require modification of the entire
protocol stack.

• Having multiple protocols operating at the same layer makes it possible for applications to select the
protocols that provide only the level of service required.

• Because the stack is split into layers, the development of the protocols can proceed simultaneously by
personnel who are uniquely qualified in the operations of the particular layers.
20410A: Installing and Configuring Windows Server® 2012 5-3

Protocols in the TCP/IP Suite
The Open Systems Interconnection (OSI) model defines distinct layers related to packaging, sending, and
receiving data transmissions over a network. The layered suite of protocols that form the TCP/IP stack
carry out these functions.

Application Layer
The application layer of the TCP/IP model corresponds to the application, presentation, and session layers
of the OSI model. This layer provides services and utilities that enable applications to access network
resources.

Transport Layer
The transport layer corresponds to the transport layer of the OSI model and is responsible for end-to-end
communication using TCP or User Datagram Protocol (UDP). The TCP/IP protocol suite offers application
programmers the choice of TCP or UDP as a transport layer protocol:

• TCP. Provides connection-oriented reliable communications for applications. Connection-oriented
communication confirms that the destination is ready to receive data before it sends the data. To
make communication reliable, TCP confirms that all packets are received. Reliable communication is
desired in most cases and is used by most applications. Web servers, File Transfer Protocol (FTP)
clients, and other applications that move large amounts of data use TCP.

• UDP. Provides connectionless and unreliable communication. When using UDP, reliable delivery is the
responsibility of the application. Applications use UDP for faster communication with less overhead
than TCP. Applications such as streaming audio and video use UDP so that a single missing packet will
not delay playback. UDP is also used by applications that send small amounts of data, such as Domain
Name System (DNS) name lookups.

The transport layer protocol that an application uses is determined by the developer of an application,
and is based on the communication requirements of the application.

Internet Layer
The Internet layer corresponds to the network layer of the OSI model and consists of several separate
protocols, including: IP; Address Resolution Protocol (ARP); Internet Group Management Protocol (IGMP);
and Internet Control Message Protocol (ICMP). The protocols at the Internet layer encapsulate transport
layer data into units called packets, address them, and route them to their destinations.

The Internet layer protocols are:

• IP. IP is responsible for routing and addressing. The Windows® 8 operating system and the Windows
Server 2012 operating system implement a dual-layer IP protocol stack, including support for both
IPv4 and IPv6.

• ARP. ARP is used by IP to determine the media access control (MAC) address of local network
adapters—that is, adapters installed on computers on the local network—from the IP address of a
local host. ARP is broadcast-based, meaning that ARP frames cannot transit a router and are therefore
localized. Some implementations of TCP/IP provide support for Reverse ARP (RARP) in which the MAC
address of a network adapter is used to determine the corresponding IP address.

• IGMP. IGMP provides support for multicasting applications over routers in IPv4 networks.

• ICMP. ICMP sends error and control messages in an IP-based network; for example, the echo request
and echo reply messages used by the ping tool are ICMP messages.
Network Interface Layer
The network interface layer (sometimes referred to as the link layer or data link layer) corresponds to the
data link and physical layers of the OSI model. The network interface layer specifies the requirements for
sending and receiving packets on the network media. This layer is often not formally considered part of
the TCP/IP protocol suite because the tasks are performed by the combination of the network adapter
driver and the network adapter.

TCP/IP Applications
Applications use application layer protocols to communicate over the network. A client and server must be
using the same application layer protocol to communicate. The following table lists some common
application layer protocols.

Protocol                                  Description
HTTP                                      Used for communication between web browsers and web servers.
HTTP/Secure (HTTPS)                       A version of HTTP that encrypts communication between web browsers
                                          and web servers.
FTP                                       Used to transfer files between FTP clients and servers.
Remote Desktop Protocol (RDP)             Used to remotely control a computer running Windows operating
                                          systems over a network.
Server Message Block (SMB)                Used by servers and client computers for file and printer sharing.
Simple Mail Transfer Protocol (SMTP)      Used to transfer email messages over the Internet.
Post Office Protocol version 3 (POP3)     Used to retrieve messages from some email servers.

What Is a Socket?
When an application wants to establish communication with an application on a remote host, it creates a
TCP or a UDP socket, as appropriate. A socket identifies the following as part of the communication
process:

• The transport protocol that the application uses, which could be TCP or UDP

• The TCP or UDP port numbers that the applications are using

• The IPv4 or IPv6 address of the source and destination hosts

This combination of transport protocol, IP address, and port creates a socket.

Well-Known Ports
Applications are assigned a port number between 0 and 65,535. The first 1,024 ports (0 through 1,023) are
known as well-known ports and have been assigned to specific applications. Applications listening for
connections use consistent port numbers to make it easier for client applications to connect. If an
application listens on a non-standard port number, then you need to specify the port number when
connecting to it. Client applications typically use a random source port number above 1,024. The following
table identifies some of these well-known ports.

Port      Protocol   Application
80        TCP        HTTP used by a web server
443       TCP        HTTPS for a secure web server
110       TCP        POP3 used for email retrieval
25        TCP        SMTP that is used for sending email messages
53        UDP        DNS used for most name resolution requests
53        TCP        DNS used for zone transfers and for responses too large for a single UDP datagram
20, 21    TCP        FTP used for file transfers

You need to be aware of the port numbers that applications use, so you can configure firewalls to allow
communication. Most applications have a default port number for this purpose, but it can be changed
when required. For example, some web-based applications run on a port other than port 80 or port 443.
Keep in mind that a port number identifies a service only by convention: a firewall rule that allows TCP
port 443 does not verify that the traffic is HTTPS, and any process that binds a permitted port is reachable
through that rule.

Question: Are there other well-known ports that you can think of?
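The following added example is not part of the course material. It shows how to list the TCP ports on which the local server is listening, label the ones from the well-known ports table above, and then open an inbound Windows Firewall rule for an application that listens on a non-standard port, scoped to the program so that only that executable is reachable through the opening. The cmdlets (Get-NetTCPConnection, Get-Process, New-NetFirewallRule) are in the NetTCPIP and NetSecurity modules that ship with Windows Server 2012; the application name, its path, port 8443 and the rule name are assumptions.

```powershell
# Added example: map listening TCP ports to well-known services and open a
# firewall port for an application that listens on a non-standard port.
# Requires the NetTCPIP and NetSecurity modules (Windows Server 2012 and later).

# Well-known TCP ports from the table in this lesson; anything else is "unknown".
$WellKnownTcpPorts = @{
    20  = 'FTP (data)'
    21  = 'FTP (control)'
    25  = 'SMTP'
    53  = 'DNS (zone transfers)'
    80  = 'HTTP'
    110 = 'POP3'
    443 = 'HTTPS'
}

function Get-ListeningTcpPort {
    # Returns one object per listening TCP port: port, local address, owning
    # process and the well-known service name, if there is one.
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Port         = $_.LocalPort
                LocalAddress = $_.LocalAddress      # 0.0.0.0 or :: means "all interfaces"
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Service      = if ($WellKnownTcpPorts.ContainsKey([int]$_.LocalPort)) {
                                   $WellKnownTcpPorts[[int]$_.LocalPort]
                               } else { 'unknown (not a well-known port)' }
            }
        }
}

function Add-InboundTcpPortRule {
    # Creates an inbound allow rule for one TCP port. When -Program is given the
    # rule applies only to that executable; a port-only rule admits any process
    # that happens to bind the port.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [string]$Program            # full path to the executable; omit for a port-only rule
    )
    $ruleParams = @{
        DisplayName = $DisplayName
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = 'TCP'
        LocalPort   = $Port
        Profile     = 'Domain'      # do not expose the port on Public networks
    }
    if ($Program) { $ruleParams['Program'] = $Program }
    New-NetFirewallRule @ruleParams
}

# Usage (assumed names): review what is listening, then open the port for a
# web application that was deployed on 8443 instead of 443.
Get-ListeningTcpPort | Format-Table -AutoSize
Add-InboundTcpPortRule -DisplayName 'Intranet portal (TCP 8443)' -Port 8443 `
    -Program 'C:\Program Files\Contoso\Portal\portal.exe'
```

Run Get-ListeningTcpPort before and after you deploy a service: a listener that is reported as "unknown" and is owned by a process you do not recognize is worth investigating before you write a firewall rule for it.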

Lesson 2
Understanding IPv4 Addressing
Understanding IPv4 network communication is critical to ensuring that you can implement, troubleshoot,
and maintain IPv4 networks. One of the core components of IPv4 is addressing. Understanding
addressing, subnet masks, and default gateways allows you to identify the proper communication
between hosts. To identify IPv4 communication errors you need to understand how the process is
supposed to work.

Lesson Objectives
At the end of this lesson, you will be able to:

• Describe the information required to configure an IPv4 host.

• Identify public and private IPv4 addresses.

• Understand how dotted decimal notation relates to binary numbers.

• Describe a simple IPv4 network with classful addressing.

• Describe a complex IPv4 network with classless addressing.

IPv4 Addressing
To configure network connectivity, you must be familiar with IPv4 addresses and how they work.
Network communication for a computer is directed to the IPv4 address of that computer. Each networked
computer must be assigned a unique IPv4 address.

Each IPv4 address is 32 bits long. To make IP addresses more readable, they are shown in dotted decimal
notation. Dotted decimal notation divides a 32-bit IPv4 address into four groups of 8 bits, which are
converted to a decimal number between zero and 255. The decimal numbers are separated by a period
(dot). Each decimal number is called an octet.

Subnet Mask
Each IPv4 address is composed of a network ID and a host ID. The network ID identifies the network on
which the computer is located. The host ID uniquely identifies the computer on that specific network. A
subnet mask identifies which part of an IPv4 address is the network ID, and which part is the host ID.

In the simplest scenarios, each octet in a subnet mask is either 255 or 0. A 255 represents an octet that is
part of the network ID, while a 0 represents an octet that is part of the host ID. For example, a computer
with an IP address of 192.168.23.45 and a subnet mask of 255.255.255.0 has a network ID of 192.168.23.0
and a host ID of 0.0.0.45.

Note: The terms network, subnet, and VLAN (Virtual Local Area Network) are often used
interchangeably. A large network is often subdivided into subnets, and VLANs are configured on
switches to represent subnets.

Default Gateway
A default gateway is a device, usually a router, on a TCP/IP network that forwards IP packets to other
networks. The multiple internal networks in an organization can be referred to as an intranet.

On an intranet, any given network might have several routers that connect it to other networks, both local
and remote. You must configure one of the routers as the default gateway for local hosts. This enables the
local hosts to communicate with hosts on remote networks.

Before a host sends an IPv4 packet, it uses its own subnet mask to determine whether the destination host
is on the same network, or on a remote network. If the destination host is on the same network, the
sending host transmits the packet directly to the destination host. If the destination host is on a different
network, the host transmits the packet to a router for delivery.

When a host transmits a packet to a remote network, IPv4 consults the internal routing table to determine
the appropriate router for the packet to reach the destination subnet. If the routing table does not
contain any routing information about the destination subnet, IPv4 forwards the packet to the default
gateway. The host assumes that the default gateway contains the required routing information. The
default gateway is used in most cases.

Client computers usually obtain their IP addressing information from a Dynamic Host Configuration
Protocol (DHCP) server. This is more straightforward than manually assigning a default gateway on each
host. Most servers have a static IP configuration that is assigned manually.

Question: How is network communication affected if a default gateway is configured
incorrectly?

Public and Private IPv4 Addresses
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and
devices that do not connect directly to the Internet do not require a public IPv4 address.

Public IPv4 Addresses
Public IPv4 addresses must be unique. Internet Assigned Numbers Authority (IANA) assigns public
IPv4 addresses to regional Internet registries (RIRs). RIRs then assign IPv4 addresses to Internet service
providers (ISPs). Usually, your ISP allocates you one or more public addresses from its address pool.
The number of addresses that your ISP allocates to you depends upon how many devices and hosts that you
have to connect to the Internet.

Private IPv4 Addresses
The pool of IPv4 addresses is becoming smaller, so RIRs are reluctant to allocate superfluous IPv4
addresses. Technologies such as network address translation (NAT) enable administrators to use a
relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to
remote hosts and services on the Internet.

IANA defines the address ranges in the following table (RFC 1918) as private. Internet-based routers do not
forward packets originating from, or destined to, these ranges.

Network            Range
10.0.0.0/8         10.0.0.0-10.255.255.255
172.16.0.0/12      172.16.0.0-172.31.255.255
192.168.0.0/16     192.168.0.0-192.168.255.255

How Dotted Decimal Notation Relates to Binary Numbers
When you assign IP addresses, you use dotted decimal notation. Dotted decimal notation is
based on the decimal number system. However, in the background, computers use IP addresses in
binary. To understand how to choose a subnet mask for complex networks, you must understand
IP addresses in binary.

Within an 8-bit octet, each bit position has a decimal value. A bit that is set to 0 always has a
zero value. A bit that is set to 1 can be converted to a decimal value. The low-order bit—the
rightmost bit in the octet—represents a decimal value of 1. The high-order bit—the leftmost
bit in the octet—represents a decimal value of 128. If all bits in an octet are set to 1 the octet's decimal
value is 255 (that is: 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1). That is the highest possible value of an octet.

Most of the time, you can use a calculator to convert decimal numbers to binary and vice versa. The
Calculator application included in Windows operating systems can perform decimal-to-binary
conversions, as shown in the following example.

Binary                                    Dotted decimal notation
10000011 01101011 00000011 00011000       131.107.3.24

Simple IPv4 Implementations

IPv4 Address Classes
The IANA organizes IPv4 addresses into classes. Each class of address has a different default subnet
mask that defines the number of valid hosts on the network. IANA has named the IPv4 address classes
from Class A through Class E.

Classes A, B, and C are IP networks that you can assign to IP addresses on host computers. Class D
addresses are used by computers and applications for multicasting. The IANA reserves Class E for
experimental use. The following table lists the characteristics of each IP address class.

Class   First octet                          Default subnet mask   Number of networks   Number of hosts per network
A       1-126 (127 is reserved, see below)   255.0.0.0             126                  16,777,214
B       128-191                              255.255.0.0           16,384               65,534
C       192-223                              255.255.255.0         2,097,152            254

Note: The Internet no longer uses routing based on the default subnet mask of IPv4
address classes.

Simple IPv4 Networks
You can use subnetting to divide a large network into multiple smaller networks. In simple IPv4 networks,
the subnet mask defines full octets as part of the network ID and host ID. A 255 represents an octet that is
part of the network ID, and a 0 represents an octet that is part of the host ID. For example, you can use
the 10.0.0.0 network with a subnet mask of 255.255.0.0 to create 256 smaller networks.

Note: The IPv4 address 127.0.0.1 is used as a loopback address; you can use this address to
test the local configuration of the IPv4 protocol stack. Consequently, the network address 127 is
not permitted for configuring IPv4 hosts.

More Complex IPv4 Implementations
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you
might subdivide one octet with some bits that are for the network ID, and some that are for the host
ID. This allows you to have the specific number of subnets and hosts that you require. The following
example shows a subnet mask that can be used to divide a class B network into 16 subnets:

172.16.0.0/255.255.240.0

In many cases, rather than using a dotted decimal representation of the subnet mask, the number of
bits in the network ID is specified instead. This is called classless interdomain routing (CIDR) notation.
The following is an example of CIDR notation for the same network:

172.16.0.0/20

Variable Length Subnet Masks
Modern routers support the use of variable length subnet masks (VLSMs). VLSMs allow you to create
subnets of different sizes when you subdivide a larger network. For example, you could subdivide a small
network with 256 addresses into 3 smaller networks with 128 addresses, 64 addresses, and 64 addresses.
This allows you to use IP addresses in a network more efficiently.

Question: Does your organization use simple or complex networking?

Lesson 3
Subnetting and Supernetting
In most organizations, you need to perform subnetting to divide your network into smaller subnets and
allocate those subnets for specific purposes or locations. To do this you need to understand how to select
the correct number of bits to include in the subnet masks. In some cases, you may also need to combine
multiple networks into a single larger network through supernetting.

Lesson Objectives
At the end of this lesson, you will be able to:

• Describe how bits are used in a subnet mask.

• Identify when to use subnetting.

• Calculate a subnet mask that supports a specific number of subnets.

• Calculate a subnet mask that supports a specific number of hosts.

• Identify an appropriate subnet mask for a scenario.

• Describe supernetting.

How Bits Are Used in a Subnet Mask
In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0.
If the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID.

In complex networks, you can convert the subnet mask to binary, and evaluate each bit in the
subnet mask. A subnet mask is composed of contiguous 1s and 0s. The 1s start at the leftmost
bit and continue uninterrupted until the bits change to all 0s.

The network ID of a subnet mask can be identified by the 1s. The host ID can be identified by the 0s.
Any bits taken from the host ID and allocated to the network ID must be contiguous with the original
network ID.

• Each bit that is 1 is part of the network ID.

• Each bit that is 0 is part of the host ID.

The mathematical process used to compare an IP address and a subnet mask is called ANDing. Each bit of
the address is combined with the corresponding bit of the mask by a bitwise AND, which keeps the bits
under the 1s and clears the bits under the 0s; the result is the network ID of the address.

When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each
subnet. Using more bits than you need allows for subnet growth, but limits growth for hosts. Using fewer
bits than you need allows for growth in the number of hosts you can have, but limits growth in subnets.
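The following added example is not part of the course material. It implements the conversions described in "How Dotted Decimal Notation Relates to Binary Numbers" and the ANDing described above, and applies them to three things an administrator does by hand in this module: deriving a network ID from an address and mask, deciding whether two hosts share a subnet (the test a sending host performs before it uses the default gateway), and checking whether an address falls in one of the IANA private ranges. Plain arithmetic is used instead of the shift operators so that it runs on the Windows PowerShell 3.0 that ships with Windows Server 2012; the sample addresses are taken from this lesson.

```powershell
# Added example: dotted decimal <-> binary, and ANDing an address with its mask.

function ConvertTo-BinaryNotation {
    # 131.107.3.24 -> "10000011 01101011 00000011 00011000"
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    ($octets | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ' '
}

function ConvertTo-UInt32 {
    # Packs the four octets, high-order octet first, into one 32-bit number.
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    [Array]::Reverse($octets)                 # BitConverter expects little-endian order
    [BitConverter]::ToUInt32($octets, 0)
}

function ConvertFrom-UInt32 {
    # The reverse of ConvertTo-UInt32: 32-bit number -> dotted decimal.
    param([Parameter(Mandatory)][uint32]$Value)
    $octets = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($octets)
    $octets -join '.'
}

function Get-SubnetMaskFromPrefix {
    # /20 -> 255.255.240.0: the leftmost $PrefixLength bits are 1s, the rest are 0s.
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    $mask = [long][math]::Pow(2, 32) - [long][math]::Pow(2, 32 - $PrefixLength)
    ConvertFrom-UInt32 -Value ([uint32]$mask)
}

function Get-NetworkId {
    # ANDing: every address bit is ANDed with the matching mask bit, which keeps
    # the network-ID bits and clears the host-ID bits.
    param(
        [Parameter(Mandatory)][string]$IPv4Address,
        [Parameter(Mandatory)][string]$SubnetMask
    )
    $addr = [long](ConvertTo-UInt32 $IPv4Address)
    $mask = [long](ConvertTo-UInt32 $SubnetMask)
    ConvertFrom-UInt32 -Value ([uint32]($addr -band $mask))
}

function Test-SameSubnet {
    # The decision a sending host makes with its own mask: same network ID means
    # deliver directly, otherwise hand the packet to a router.
    param(
        [Parameter(Mandatory)][string]$SourceAddress,
        [Parameter(Mandatory)][string]$DestinationAddress,
        [Parameter(Mandatory)][string]$SubnetMask
    )
    (Get-NetworkId $SourceAddress $SubnetMask) -eq (Get-NetworkId $DestinationAddress $SubnetMask)
}

function Test-PrivateIPv4Address {
    # True when the address is inside one of the IANA private ranges listed in
    # this lesson. 172.16.0.0/12 is the range most often mis-remembered as /16.
    param([Parameter(Mandatory)][string]$IPv4Address)
    foreach ($range in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $network, $prefix = $range -split '/'
        $mask = Get-SubnetMaskFromPrefix -PrefixLength ([int]$prefix)
        if ((Get-NetworkId $IPv4Address $mask) -eq $network) { return $true }
    }
    return $false
}

# Worked values from this lesson:
ConvertTo-BinaryNotation '131.107.3.24'                                 # 10000011 01101011 00000011 00011000
Get-SubnetMaskFromPrefix -PrefixLength 20                               # 255.255.240.0
Get-NetworkId -IPv4Address '192.168.23.45' -SubnetMask '255.255.255.0'  # 192.168.23.0
Test-SameSubnet '172.16.32.10' '172.16.63.200' '255.255.224.0'          # True  (both are in 172.16.32.0/19)
Test-PrivateIPv4Address '172.31.255.1'                                  # True
Test-PrivateIPv4Address '172.32.0.1'                                    # False (outside 172.16.0.0/12)
```

Test-PrivateIPv4Address is the kind of check that a web application or proxy needs when it decides whether a user-supplied address may be contacted; doing it with ANDing rather than string prefixes is what makes the 172.16.0.0/12 boundary come out right.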

The Benefits of Using Subnetting
When you subdivide a network into subnets, you must create a unique ID for each subnet. These
unique IDs are derived from the main network ID—you allocate some of the bits in the host ID to
the network ID. This enables you to create more networks.

By using subnets, you can:

• Use a single, large network across multiple physical locations.

• Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.

• Increase security by dividing the network and using firewalls to control communication.

• Overcome limitations of current technologies, such as exceeding the maximum number of hosts that
each segment can have.

Calculating Subnet Addresses
Before you define a subnet mask, estimate how many subnets and hosts for each subnet you may
require. This enables you to use the appropriate number of bits for the subnet mask.

You can calculate the number of subnet bits that you need in the network. Use the formula 2^n,
where n is the number of bits. The result is the number of subnets that n bits can provide; choose the
smallest n for which 2^n is at least the number of subnets that your network requires.

The following table indicates the number of subnets that you can create by using a specific
number of bits.

Number of bits (n)   Number of subnets (2^n)
1                    2
2                    4
3                    8
4                    16
5                    32
6                    64

To determine the subnet addresses quickly, you can use the lowest value bit in the subnet mask. For
example, if you choose to subnet the network 172.16.0.0 by using 3 bits, this means the subnet mask is
255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest bit has a value of 32, so that is the
increment between each subnet address.
The following table shows examples of calculating subnet addresses.

Binary network number                Decimal network number
172.16.00000000.00000000             172.16.0.0
172.16.00100000.00000000             172.16.32.0
172.16.01000000.00000000             172.16.64.0
172.16.01100000.00000000             172.16.96.0
172.16.10000000.00000000             172.16.128.0
172.16.10100000.00000000             172.16.160.0
172.16.11000000.00000000             172.16.192.0
172.16.11100000.00000000             172.16.224.0

Note: You can use a subnet calculator to determine the appropriate subnets for your
network, rather than calculating them manually. Subnet calculators are widely available on the
Internet.

Calculating Host Addresses
To determine host bits in the mask, determine the required number of bits for the supporting hosts
on a subnet. Calculate the number of host bits required by using the formula 2^n-2, where n is the
number of bits. This result must be at least the number of hosts that you need for your network,
and is also the maximum number of hosts that you can configure on that subnet.

On each subnet, two host IDs are allocated automatically and cannot be used by computers.
An address with the host ID as all 0s represents the network. An address with the host ID as all 1s is
the broadcast address for that network.

The following table shows how many hosts a class C network has available based on the number of host
bits.

Number of bits (n)   Number of hosts (2^n-2)
1                    0
2                    2
3                    6
4                    14
5                    30
6                    62

You can calculate each subnet's range of host addresses by using the following process:

1. The first host address is the current subnet ID plus one.

2. The last host address is the next subnet ID minus two (the address one below the next subnet ID is
the broadcast address of the current subnet).

The following table shows examples of calculating host addresses.

Network             Host range
172.16.64.0/19      172.16.64.1 – 172.16.95.254
172.16.96.0/19      172.16.96.1 – 172.16.127.254
172.16.128.0/19     172.16.128.1 – 172.16.159.254

To create an appropriate addressing scheme for your organization, you must know how many subnets
you need, and how many hosts you need on each subnet. Once you have that information, you can
calculate an appropriate subnet mask.

Discussion: Creating a Subnetting Scheme for a New Office
Read the following scenario and answer the questions on the slide.

You are identifying an appropriate network configuration for a new campus. You have been
allocated the 10.34.0.0/16 network that you can subnet as required.
There are four buildings on the new campus, and each should have its own subnet to allow for
routing between the buildings. Each building will have up to 700 users. Each building will also have
printers. The typical ratio of users to printers is 50 to 1.

You also need to allocate a subnet for the server data center that will hold up to 100 servers.
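The following added example is not part of the course material. It carries the calculations from "Calculating Subnet Addresses" and "Calculating Host Addresses" through in code: it picks the prefix length that satisfies a host count using the 2^n-2 rule, enumerates the subnets of a larger network, and prints each subnet's first host, last host and broadcast address. It reproduces the lesson's 172.16.0.0/16 split into /19 subnets and then applies the same functions to the discussion scenario above; the particular 10.34.x.x blocks chosen for the buildings and the data center are one possible allocation, not an answer from the course.

```powershell
# Added example: choose a prefix length for a required host count, enumerate the
# subnets of a larger network, and give each subnet's host range and broadcast.

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    [Array]::Reverse($octets)
    [BitConverter]::ToUInt32($octets, 0)
}

function ConvertFrom-UInt32 {
    param([Parameter(Mandatory)][uint32]$Value)
    $octets = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($octets)
    $octets -join '.'
}

function Get-PrefixLengthForHosts {
    # Smallest number of host bits n with 2^n - 2 >= $HostCount, returned as a prefix length.
    param([Parameter(Mandatory)][ValidateRange(1, 1073741822)][int]$HostCount)
    $hostBits = 1
    while (([math]::Pow(2, $hostBits) - 2) -lt $HostCount) { $hostBits++ }
    32 - $hostBits
}

function Get-Subnet {
    # Splits $Network (for example 172.16.0.0/16) into subnets of $NewPrefixLength
    # (19 = three borrowed bits -> eight subnets, 32 apart in the third octet).
    param(
        [Parameter(Mandatory)][string]$Network,                          # "a.b.c.d/prefix"
        [Parameter(Mandatory)][ValidateRange(1, 30)][int]$NewPrefixLength
    )
    $baseAddress, $basePrefix = $Network -split '/'
    if ($NewPrefixLength -lt [int]$basePrefix) { throw "New prefix must not be shorter than /$basePrefix" }

    $subnetSize  = [long][math]::Pow(2, 32 - $NewPrefixLength)            # addresses per subnet
    $subnetCount = [long][math]::Pow(2, $NewPrefixLength - [int]$basePrefix)
    # AND with the base mask so that a base written as 172.16.5.0/16 still starts at 172.16.0.0.
    $baseMask = [long][math]::Pow(2, 32) - [long][math]::Pow(2, 32 - [int]$basePrefix)
    $start    = [long](ConvertTo-UInt32 $baseAddress) -band $baseMask

    for ($i = 0; $i -lt $subnetCount; $i++) {
        $subnetId  = $start + $i * $subnetSize
        $broadcast = $subnetId + $subnetSize - 1                          # host bits all 1s
        [PSCustomObject]@{
            Subnet      = "$(ConvertFrom-UInt32 ([uint32]$subnetId))/$NewPrefixLength"
            FirstHost   = ConvertFrom-UInt32 ([uint32]($subnetId + 1))    # host bits all 0s is the network
            LastHost    = ConvertFrom-UInt32 ([uint32]($broadcast - 1))   # next subnet ID minus two
            Broadcast   = ConvertFrom-UInt32 ([uint32]$broadcast)
            UsableHosts = $subnetSize - 2
        }
    }
}

# The lesson's worked example: 172.16.0.0/16 with three subnet bits (/19).
Get-Subnet -Network '172.16.0.0/16' -NewPrefixLength 19 | Format-Table -AutoSize

# The discussion scenario: each building needs 700 users plus 700/50 = 14 printers,
# 714 hosts, which needs 10 host bits (1,022 usable) -> /22. The data center's
# 100 servers fit in 7 host bits (126 usable) -> /25.
$buildingPrefix   = Get-PrefixLengthForHosts -HostCount (700 + [math]::Ceiling(700 / 50))   # 22
$dataCenterPrefix = Get-PrefixLengthForHosts -HostCount 100                                   # 25
# One possible allocation (assumed, not from the course): four /22 building subnets
# from the first /20 of 10.34.0.0/16, and the data center in the first /25 of the next /24.
Get-Subnet -Network '10.34.0.0/20'  -NewPrefixLength $buildingPrefix   | Select-Object -First 4
Get-Subnet -Network '10.34.16.0/24' -NewPrefixLength $dataCenterPrefix | Select-Object -First 1
```

Because Get-PrefixLengthForHosts rounds up to the next power of two, each building subnet has room for 1,022 hosts against a requirement of 714; if growth in the number of buildings matters more than growth in hosts per building, borrow more bits instead, as the lesson explains.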

What Is Supernetting?
Supernetting combines multiple small networks into a single large network. This may be
appropriate when you have a small network that has grown and the address space needs to be
expanded. For example, a branch office that is using the network 192.168.16.0/24 might exhaust
all of its IP addresses and be allocated the additional network 192.168.17.0/24. If the default
subnet mask of 255.255.255.0 is used for these networks then you must perform routing between
them. You can use supernetting to combine them into a single network.

To perform supernetting, the networks that you are combining must be contiguous. For example,
192.168.16.0/24 and 192.168.17.0/24 can be supernetted, but you cannot supernet 192.168.16.0/24 and
192.168.54.0/24. The combined block must also start on a boundary of its new size: 192.168.17.0/24 and
192.168.18.0/24 are contiguous, but they do not form a valid /23, because the /23 that contains
192.168.17.0 is 192.168.16.0/23.

Supernetting is the opposite of subnetting. When you perform supernetting, you allocate bits from the
network ID to the host ID. The following table shows how many networks that you can combine by using
a specific number of bits.

Number of bits   Number of networks combined
1                2
2                4
3                8
4                16

The following table shows an example of supernetting two class C networks.

Network                              Range
192.168.00010000.00000000/24         192.168.16.0-192.168.16.255
192.168.00010001.00000000/24         192.168.17.0-192.168.17.255
192.168.00010000.00000000/23         192.168.16.0-192.168.17.255
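The following added example is not part of the course material. It checks whether a list of equally sized networks can be combined into one supernet by applying the two conditions above (the networks are contiguous, and the combined block starts on a boundary of its new size) and, when they can, returns the aggregate network and its address range. It runs on Windows PowerShell 3.0 and later; the networks in the usage lines are the ones from this topic.

```powershell
# Added example: test whether same-sized networks can be supernetted and return
# the aggregate block.

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    [Array]::Reverse($octets)
    [BitConverter]::ToUInt32($octets, 0)
}

function ConvertFrom-UInt32 {
    param([Parameter(Mandatory)][uint32]$Value)
    $octets = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($octets)
    $octets -join '.'
}

function Get-Supernet {
    # Input: networks in "a.b.c.d/prefix" form, all with the same prefix length.
    # Output: CanSupernet, a Reason when it is false, the Supernet and Range when true.
    param([Parameter(Mandatory)][string[]]$Network)

    $blocks = foreach ($n in $Network) {
        $addr, $prefix = $n -split '/'
        [PSCustomObject]@{ Id = [long](ConvertTo-UInt32 $addr); Prefix = [int]$prefix; Text = $n }
    }
    $blocks = @($blocks | Sort-Object Id)
    $prefix = $blocks[0].Prefix
    if (@($blocks | Where-Object Prefix -ne $prefix).Count -gt 0) {
        return [PSCustomObject]@{ CanSupernet = $false; Reason = 'prefix lengths differ' }
    }

    # Giving b bits back to the host ID combines 2^b networks (table above), so the
    # number of networks must be a power of two.
    $bits = 0; $combined = 1
    while ($combined -lt $blocks.Count) { $combined *= 2; $bits++ }
    if ($combined -ne $blocks.Count) {
        return [PSCustomObject]@{ CanSupernet = $false; Reason = "$($blocks.Count) networks is not a power of two" }
    }

    # Condition 1: the networks must be contiguous (each one starts where the previous ends).
    $blockSize = [long][math]::Pow(2, 32 - $prefix)
    for ($i = 1; $i -lt $blocks.Count; $i++) {
        if ($blocks[$i].Id -ne $blocks[$i - 1].Id + $blockSize) {
            return [PSCustomObject]@{ CanSupernet = $false; Reason = "gap before $($blocks[$i].Text)" }
        }
    }

    # Condition 2: the first network must sit on a boundary of the larger block,
    # otherwise the shorter mask would also cover addresses you were not given.
    $aggregateSize = $blockSize * $combined
    $newPrefix     = $prefix - $bits
    if (($blocks[0].Id % $aggregateSize) -ne 0) {
        $boundary = ConvertFrom-UInt32 ([uint32]($blocks[0].Id - ($blocks[0].Id % $aggregateSize)))
        return [PSCustomObject]@{
            CanSupernet = $false
            Reason      = "$($blocks[0].Text) is not on a /$newPrefix boundary (that block starts at $boundary)"
        }
    }

    $first = ConvertFrom-UInt32 ([uint32]$blocks[0].Id)
    $last  = ConvertFrom-UInt32 ([uint32]($blocks[0].Id + $aggregateSize - 1))
    [PSCustomObject]@{ CanSupernet = $true; Supernet = "$first/$newPrefix"; Range = "$first-$last" }
}

# The topic's examples, plus the alignment case:
Get-Supernet -Network '192.168.16.0/24', '192.168.17.0/24'   # True, 192.168.16.0/23, 192.168.16.0-192.168.17.255
Get-Supernet -Network '192.168.16.0/24', '192.168.54.0/24'   # False, gap before 192.168.54.0/24
Get-Supernet -Network '192.168.17.0/24', '192.168.18.0/24'   # False, not on a /23 boundary (starts at 192.168.16.0)
```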

Lesson 4
Configuring and Troubleshooting IPv4
If IPv4 is configured incorrectly, then it affects the availability of services that are running on a server. To
ensure the availability of network services, you need to understand how to configure and troubleshoot
IPv4. Windows Server 2012 introduces the ability to configure IPv4 by using Windows PowerShell. This is
useful for scripting.

The troubleshooting tools in Windows Server 2012 are similar to previous versions of Windows operating
systems. However, you may not be familiar with Network Monitor, which can be used to perform very
detailed analysis of network communication.

Lesson Objectives
At the end of this lesson, you will be able to:

• Configure IPv4 manually to provide a static configuration for a server.

• Configure a server so that it obtains an IPv4 configuration automatically.

• Use IPv4 troubleshooting tools.

• Describe the troubleshooting process used to resolve fundamental IPv4 problems.

• Describe the function of Network Monitor.

• Use Network Monitor to capture and analyze network traffic.

Configuring IPv4 Manually
You typically configure servers with a static IP address. This is done to ensure that you know and
can document the IP addresses that are used for various services on your network. For example, a
DNS server is accessed at a specific IP address that should not change.

IPv4 configuration includes:

• IPv4 address

• Subnet mask

• Default gateway

• DNS servers

Static configuration requires that you visit each computer and input the IPv4 configuration manually. This
method of computer management is reasonable for servers, but it is very time consuming for client
computers. Manually entering a static configuration also increases the risk of configuration mistakes.

You can configure a static IP address either in the properties of the network connection or by using the
netsh command-line tool. For example, the following command configures the interface named Local
Area Connection with the static IP address 10.10.0.10, the subnet mask of 255.255.0.0, and a default
gateway of 10.10.0.1.

netsh interface ipv4 set address name="Local Area Connection" source=static addr=10.10.0.10 mask=255.255.0.0 gateway=10.10.0.1

Windows
W Server 2012 also has Windows PoowerShell® cmd dlets that you can use to maanage networkk
co
onfiguration. The
T following table
t describess some of the available Wind
dows PowerSh hell cmdlets th
hat are
avvailable for configuring IPv4
4.

Cmdlet Description
D off IPv4 configu
uration uses

Set-NetIPAd
ddress Modifies an exxisting IP addrress and sets th
he subnet
mask

Set-NetIPIntterface Enables or dis abled DHCP fo


or an interface
e

Set-NetRoutte Modifies routiing table entri es, including tthe


default gatew
way (0.0.0.0)

Set-DNSClientServerAddrresses Configures thee DNS server tthat is used for an


interface

The following code is an example of the Windows PowerShell cmdlets that you can use to configure the interface named Local Area Connection with the static IP address 10.10.0.10, the subnet mask of 255.255.0.0, and a default gateway of 10.10.0.1.

Set-NetIPAddress -InterfaceAlias "Local Area Connection" -IPAddress 10.10.0.10 -PrefixLength 16
New-NetRoute -InterfaceAlias "Local Area Connection" -DestinationPrefix 0.0.0.0/0 -NextHop 10.10.0.1

Additional Reading: For more information about Net TCP/IP Cmdlets in Windows PowerShell see: http://technet.microsoft.com/en-us/library/hh826123.

Question: Do any computers or devices in your organization have static IP addresses?

Configuring IPv4 Automatically
DHCP for IPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns additional IPv4 settings from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope.

DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:

• Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.

• Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the entire network and prevent communication.
If you use a laptop to connect to multiple networks, such as at work and at home, each network might require a different IP configuration. Windows operating systems support the use of Automatic Private IP Addressing (APIPA) or an alternate static IP address for this situation. When you configure Windows-based computers to obtain an IPv4 address from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range, but with no default gateway or DNS server; this enables limited functionality.

APIPA is useful for troubleshooting DHCP; if the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.

IPv4 Troubleshooting Tools
Most IPv4 connectivity troubleshooting is performed at a command-line. Windows Server 2008 includes a number of command-line tools that help you diagnose network problems.

IPConfig
Ipconfig is a command-line tool that displays the current TCP/IP network configuration. Additionally, you can use the ipconfig command to refresh DHCP and DNS settings.

The following table describes the command-line options for ipconfig.

Command               Description

ipconfig /all         View detailed configuration information

ipconfig /release     Release the leased configuration back to the DHCP server

ipconfig /renew       Renew the leased configuration

ipconfig /displaydns  View the DNS resolver cache entries

ipconfig /flushdns    Purge the DNS resolver cache

Ping
Ping is a command-line tool that verifies IP-level connectivity to another TCP/IP computer. It sends ICMP echo request messages and displays the receipt of corresponding echo reply messages. Ping is the primary TCP/IP command that you use to troubleshoot connectivity; however, firewalls might block the ICMP messages.

Tracert
Tracert is a command-line tool that identifies the path taken to a destination computer by sending a series of ICMP echo requests. Tracert then displays the list of router interfaces between a source and a destination. This tool also determines which router has failed, and what the latency (or speed) is. These results might not be accurate if the router is busy, because the ICMP packets are assigned a low priority by the router.

Pathping
Pathping is a command-line tool that traces a route through the network in a manner similar to Tracert.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the network.
Pathping can provide greater detail, because it sends 100 packets for each router, which enables it to
establish trends.

Route
Route is a command-line tool that allows you to view and modify the local routing table. You can use this to verify the default gateway, which is listed as the route 0.0.0.0. In Windows Server 2012 you can also use PowerShell cmdlets to view and modify the routing table. The cmdlets for viewing and modifying the local routing table include Get-NetRoute, New-NetRoute, and Remove-NetRoute.

Telnet
You can use the Telnet Client feature to verify whether a server port is listening. For example, the
command telnet 10.10.0.10 25 attempts to open a connection with the destination server, 10.10.0.10, on
port 25, SMTP. If the port is active and listening, it returns a message to the Telnet client.

Netstat
Netstat is a command-line tool that enables you to view network connections and statistics. For example,
the command netstat -ab returns all listening ports and the executable that is listening.

Resource Monitor
Resource Monitor is a graphical utility that allows you to monitor system resource utilization. You can use
Resource Monitor to view TCP and UDP ports that are in use. You can also verify which applications are
using specific ports and the amount of data they are transferring on those ports.

Network Diagnostics
Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows Server networking problem, the Diagnose Connection Problems option helps you diagnose
and repair the problem. Windows Network Diagnostics returns a possible description of the problem and
a potential remedy. However, the solution might require manual intervention from the user.

Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. When these events occur, the Windows operating system records the event in an appropriate event
log. You can use Event Viewer to read the event log. IP conflicts are listed in the System event log and
might prevent services from starting.

The Troubleshooting Process

The first step in troubleshooting a network problem is identifying the scope of the problem. The causes of a problem that affects a single user will most likely differ from a problem that affects all users. If a problem affects only a single user, then the problem is likely related to the configuration of that one computer. If a problem affects all users, then it is likely that it is either a server configuration issue or a network configuration issue. If a problem affects only a group of users, then you need to determine the common denominator among that group of users.

To troubleshoot network communication problems, you need to understand the overall communication process. You can identify where the process is breaking down and preventing communication only if you understand how the overall communication process works. To understand the overall communication process, you need to understand the routing and firewall configuration on your network. To help identify the routing path through your network, you can use Tracert.

Some of the steps that you can use to identify the cause of network communication problems are:

1. If you know what the correct network configuration for the host should be, then use ipconfig to verify that it is configured that way. If ipconfig returns an address on the 169.254.0.0/16 network, it indicates that the host failed to obtain an IP address from DHCP.

2. Use ping to see if the remote host responds. If you ping the DNS name of the remote host, you verify both name resolution and whether the host responds. Be aware that Windows Firewall on member servers and client computers often blocks ping attempts. In such a case, lack of a ping response may not indicate that the remote host is not functional. If you can ping other remote hosts on the same network, it often indicates that the problem is on the remote host.

3. You can use an application to test the service you are connecting to on the remote host. For example, use Windows Internet Explorer® to test connectivity to a web server. You can also use Telnet to connect to the port of the remote application.

4. Use ping to see if the default gateway responds. Most routers respond to ping requests. If you do not get a response when you ping the default gateway, then there is likely a configuration error on the client computer, such as the default gateway being configured incorrectly. It is also possible that the router is experiencing errors.

Note: You can force ping to use IPv4 instead of IPv6 by using the -4 option.
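The four steps above run as one Windows PowerShell function. This is an added example written for this section, not code from the course: the function name Test-IPv4Path, its parameters and the sample target LON-DC1.adatum.com on port 389 (LDAP on a domain controller) are this example's own choices, while Get-NetIPAddress, Get-NetRoute and Test-Connection are the Windows Server 2012 cmdlets it relies on.

```powershell
# Added example (not from the course): walk the four troubleshooting steps above
# against one remote host and report findings without changing anything.
# Test-IPv4Path, its parameters and the sample target are this example's choices.

function Test-IPv4Path {
    param(
        [string]$RemoteHost = 'LON-DC1.adatum.com',   # host to reach (constructed sample)
        [int]$Port = 389,                             # service port to try (LDAP on a DC)
        [int]$TimeoutMs = 2000
    )
    $findings = @()

    # Step 1: local configuration. An address in 169.254.0.0/16 is APIPA, which
    # means this host did not obtain a lease from DHCP.
    $local = Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
    foreach ($a in $local) {
        if ($a.IPAddress -like '169.254.*') {
            $findings += "Step 1: APIPA address $($a.IPAddress) on '$($a.InterfaceAlias)': DHCP lease failed"
        } else {
            $findings += "Step 1: $($a.IPAddress)/$($a.PrefixLength) on '$($a.InterfaceAlias)'"
        }
    }

    # Step 2: resolve the name, then ping the IPv4 address (same effect as ping -4).
    $ipv4 = $null
    try {
        $ipv4 = [System.Net.Dns]::GetHostAddresses($RemoteHost) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    } catch { }
    if ($ipv4) {
        $target = $ipv4.IPAddressToString
        $findings += "Step 2: $RemoteHost resolves to $target"
        if (Test-Connection -ComputerName $target -Count 2 -Quiet) {
            $findings += "Step 2: $target answers ping"
        } else {
            $findings += "Step 2: $target does not answer ping (Windows Firewall may block ICMP; not conclusive)"
        }

        # Step 3: test the service itself with a TCP connect, the same check Telnet makes.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ipv4, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                $findings += "Step 3: TCP port $Port on $target is listening"
            } else {
                $findings += "Step 3: TCP port $Port on $target did not accept a connection within $TimeoutMs ms"
            }
        } catch {
            $findings += "Step 3: connection to port $Port failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    } else {
        $findings += "Step 2: name resolution failed for $RemoteHost; steps 2 and 3 skipped"
    }

    # Step 4: the default gateway (route 0.0.0.0/0). Most routers answer ping.
    $gateway = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
               Select-Object -First 1 -ExpandProperty NextHop
    if (-not $gateway) {
        $findings += 'Step 4: no default gateway configured'
    } elseif (Test-Connection -ComputerName $gateway -Count 2 -Quiet) {
        $findings += "Step 4: default gateway $gateway answers ping"
    } else {
        $findings += "Step 4: default gateway $gateway does not answer ping: check this client's gateway setting, then the router"
    }
    return $findings
}

Test-IPv4Path
```

Run it on LON-SVR2 after the Break.ps1 script from the lab to see which step first reports a problem.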

Question: Are there any other steps that you use to troubleshoot network connectivity problems?

What Is Network Monitor?
Network Monitor is a packet analyzer that enables you to capture and examine network packets on the network to which your computer is connected. Capturing packets is an advanced troubleshooting technique that helps you to identify unusual network problems and work towards a resolution. For example, by examining the packets transmitted on a network you may be able to see errors that are not reported by an application. You can install Network Monitor on either endpoint in the communication process, or on a third computer. If you install Network Monitor on a third computer, then you must configure port mirroring on the network switches. Ensure that you configure port mirroring to copy the network packets that are destined for endpoints in the communication process to the switch port where the computer with Network Monitor is connected. Network Monitor can monitor the packets sent to other computers, because it operates in promiscuous mode.

You can download Network Monitor from the Microsoft download website and install it on a workstation that is running either Windows 8 or Windows Server 2012. Once installed, Network Monitor binds to the local network adapters. When you launch Network Monitor, you can view existing captures, or begin a new capture.

Using Network Monitor
Once you have captured network packets, you must be able to interpret what you see, and whether the behavior is expected or not. To help you, Network Monitor displays the packets in a summarized list in the Frame Summary pane.

The Frame Summary pane displays all captured packets, and provides the following information:

• Time and date: this enables you to determine in which order the packets were transmitted.

• Source and destination: this provides the source and destination IP addresses so that you can determine which computers are involved in the dialog.

• Protocol name: the highest-level protocol that Network Monitor can identify is listed. For example, ARP, ICMP, TCP, SMB, and others. Knowing the high-level protocol enables you to pinpoint which services might be experiencing or causing the problem that you are troubleshooting.

When you select a frame in the Frame Summary pane, the Frame Details pane updates with the contents of that particular frame. You can step through the frame's details, examining the content of each element as you proceed.

Each layer in the network architecture—from the application on down—encapsulates its data in the container of the layer below. In other words, an HTTP request is encapsulated in an IPv4 packet, which in turn is encapsulated in an Ethernet frame.

When you have gathered a large amount of data, it can be difficult to determine which frames are relevant to your specific problem. You can use filtering to show only those frames of interest. For example, you can select to show only DNS-related packets.

Demonstration: How to Capture and Analyze Network Traffic by Using Network Monitor
You can use Network Monitor to capture and view packets that are transmitted on the network. This
allows you to view detailed information that would not normally be possible to see. This type of
information can be useful for troubleshooting.

Demonstration Steps

Prepare to perform a packet capture


1. Log on to LON-SVR2 as Adatum\Administrator with a password of Pa$$w0rd.

2. Open a Windows PowerShell prompt and run the following command:

• ipconfig /flushdns

3. Open Network Monitor 3.4, and create a new capture tab.

Capture packets from a ping request


1. In Network Monitor, start a packet capture.

2. At the Windows PowerShell prompt, ping LON-DC1.adatum.com.

3. In Network Monitor, stop the packet capture.

View ICMP echo request and echo response packets


1. In Network Monitor, scroll down and select the first ICMP packet.

2. Expand the Icmp portion of the packet to view that it is an Echo Request. This is a ping request.

3. Expand the Ipv4 portion of the packet to view the source and destination IP addresses.

4. Expand the Ethernet portion of the packet to view the source and destination MAC addresses.

5. Select the second ICMP packet.

6. In the Icmp portion of the packet, verify that it is an Echo Reply. This is the response to the ping request.

Filter the display of packets for the DNSQueryName of LON-DC1.adatum.com


1. In Network Monitor, in the Display Filter pane, load the standard DNS filter DNSQueryName.

2. Edit the filter to apply for DNS queries for LON-DC1.adatum.com, and apply the filter.

3. Verify that the packets have been filtered to show only packets that match the filter.
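The encapsulation described under Using Network Monitor (Ethernet frame, IPv4 packet, ICMP message) and the Icmp, Ipv4 and Ethernet portions that the demonstration expands, decoded by hand in Windows PowerShell. This is an added example written for this section, not course code or a Network Monitor feature; the frame bytes, MAC addresses and IP addresses are constructed, and the function names are this example's own.

```powershell
# Added example (not from the course): decode a constructed Ethernet II frame
# that carries an IPv4 packet that carries an ICMP Echo Request, the same three
# layers the demonstration expands in the Frame Details pane. MAC and IP
# addresses are made up; function names are this example's own.

function Get-InternetChecksum {
    # RFC 1071 one's-complement sum of 16-bit big-endian words; returns 0 when
    # run over a header that already contains its own correct checksum.
    param([byte[]]$Bytes)
    $sum = 0
    for ($i = 0; $i -lt $Bytes.Length; $i += 2) {
        $word = [int]$Bytes[$i] * 256
        if ($i + 1 -lt $Bytes.Length) { $word += $Bytes[$i + 1] }
        $sum += $word
    }
    while ($sum -gt 0xFFFF) { $sum = ($sum -band 0xFFFF) + ($sum -shr 16) }
    return (-bnot $sum) -band 0xFFFF
}

function ConvertFrom-EthernetFrame {
    param([byte[]]$Frame)
    $r = [ordered]@{}
    # Ethernet II header: destination MAC (6), source MAC (6), EtherType (2).
    $r.EthernetDestination = ($Frame[0..5]  | ForEach-Object { $_.ToString('X2') }) -join '-'
    $r.EthernetSource      = ($Frame[6..11] | ForEach-Object { $_.ToString('X2') }) -join '-'
    $etherType = ([int]$Frame[12] * 256) + $Frame[13]
    $r.EtherType = '0x{0:X4}' -f $etherType
    if ($etherType -ne 0x0800) { return [pscustomobject]$r }      # only IPv4 is decoded here

    # IPv4 header at offset 14; IHL (low nibble of the first byte) counts 32-bit words.
    $ip  = 14
    $ihl = ($Frame[$ip] -band 0x0F) * 4
    $ipHeader = $Frame[$ip..($ip + $ihl - 1)]
    $r.IPv4Version     = $Frame[$ip] -shr 4
    $r.IPv4TTL         = [int]$Frame[$ip + 8]
    $r.IPv4Protocol    = [int]$Frame[$ip + 9]                      # 1 = ICMP
    $r.IPv4Source      = $Frame[($ip + 12)..($ip + 15)] -join '.'
    $r.IPv4Destination = $Frame[($ip + 16)..($ip + 19)] -join '.'
    $r.IPv4ChecksumOK  = (Get-InternetChecksum $ipHeader) -eq 0
    if ($r.IPv4Protocol -ne 1) { return [pscustomobject]$r }

    # ICMP follows the IPv4 header: type, code, checksum, identifier, sequence, data.
    $totalLength = ([int]$Frame[$ip + 2] * 256) + $Frame[$ip + 3]
    $icmp = $Frame[($ip + $ihl)..($ip + $totalLength - 1)]
    $r.IcmpType       = switch ([int]$icmp[0]) { 8 { 'Echo Request' } 0 { 'Echo Reply' } default { "Type $_" } }
    $r.IcmpIdentifier = ([int]$icmp[4] * 256) + $icmp[5]
    $r.IcmpSequence   = ([int]$icmp[6] * 256) + $icmp[7]
    $r.IcmpChecksumOK = (Get-InternetChecksum $icmp) -eq 0         # ICMP checksum covers the data too
    $r.IcmpData       = [System.Text.Encoding]::ASCII.GetString([byte[]]$icmp[8..($icmp.Length - 1)])
    return [pscustomobject]$r
}

# Constructed sample frame (not a real capture): 192.168.98.10 pings 192.168.98.1,
# identifier 1, sequence 11, carrying the 32-byte payload a Windows ping sends.
# The IPv4 (0xDB39) and ICMP (0x4D50) checksums were computed for these exact
# bytes, so the decoder reports both as OK.
$sampleFrame = [byte[]](@(
    0x00,0x15,0x5D,0x01,0x02,0x03, 0x00,0x15,0x5D,0x04,0x05,0x06, 0x08,0x00,
    0x45,0x00,0x00,0x3C, 0x1A,0x2B,0x00,0x00, 0x80,0x01,0xDB,0x39,
    0xC0,0xA8,0x62,0x0A, 0xC0,0xA8,0x62,0x01,
    0x08,0x00,0x4D,0x50, 0x00,0x01,0x00,0x0B
) + [System.Text.Encoding]::ASCII.GetBytes('abcdefghijklmnopqrstuvwabcdefghi'))

ConvertFrom-EthernetFrame -Frame $sampleFrame | Format-List
```

Changing any payload byte of the sample and running it again shows IcmpChecksumOK turn false while the IPv4 checksum stays valid, which is the distinction between a corrupted header and a corrupted message.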

Lab: Implementing IPv4


Scenario
A. Datum has an IT office and data center in London which supports the London location and other
locations. They have recently deployed a Windows 2012 Server infrastructure with Windows 8 clients. You
have recently accepted a promotion to the server support team. One of your first assignments is
configuring the infrastructure service for a new branch office.

After a security review, your manager has asked you to calculate new subnets for the branch office to
support segmenting network traffic. You also need to troubleshoot a connectivity problem on a server in
the branch office.

Objectives
After completing this lab, you will be able to:

• Calculate subnets for a given set of requirements.

• Troubleshoot IPv4 connectivity issues.

Lab Setup
Estimated Time: 45 minutes

Logon Information

Virtual Machines   20410A-LON-DC1
                   20410A-LON-RTR
                   20410A-LON-SVR2

User Name Adatum\Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2-4 for 20410A-LON-RTR, and 20410A-LON-SVR2.

Exercise 1: Identifying Appropriate Subnets


Scenario
The new branch office is configured with a single subnet. After a security review, all branch office network
configurations are being modified to place servers on a separate subnet from the client computers. You
need to calculate the new subnet mask and the default gateways for the subnets in your branch.
The current network for your branch office is 192.168.98.0/24. This network needs to be subdivided into
three subnets as follows:

• One subnet with at least 100 IP addresses for clients

• One subnet with at least 10 IP addresses for servers

• One subnet with at least 40 IP addresses for future expansion

The main tasks for this exercise are as follows:

1. Calculate the bits required to support the hosts on each subnet.

2. Calculate subnet masks and network IDs.

X Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?

2. How many bits are required to support 10 hosts on the server subnet?

3. How many bits are required to support 40 hosts on the future expansion subnet?

4. If all subnets are the same size can they be accommodated?

5. Which feature allows a single network to be divided into subnets of varying sizes?
6. How many host bits will you use for each subnet? Use the simplest allocation possible.

X Task 2: Calculate subnet masks and network IDs


1. Given the number of host bits allocated, what is the subnet mask that you will use for the client
subnet?

• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet
mask.

Binary Decimal

2. Given the number of host bits allocated, what is the subnet mask that you will use for the server
subnet?

• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet
mask

Binary Decimal

3. Given the number of host bits allocated, what is the subnet mask that you will use for the future
expansion subnet?

• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the
subnet mask

Binary Decimal

4. For the client subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the client subnet is the first subnet allocated from the available address pool.

Description Binary Decimal

Network ID

First host

Last host

Broadcast

5. For the server subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the server subnet is the second subnet allocated from the available address
pool.

Description Binary Decimal

Network ID

First host

Last host

Broadcast

6. For the future allocation subnet, define the network ID, first available host, last available host, and
broadcast address. Assume that the future allocation subnet is the third subnet allocated from the
available address pool.

Description Binary Decimal

Network ID

First host

Last host

Broadcast

Results: After completing this exercise, you will have identified the subnets required to meet the
requirements of the lab scenario.
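Exercise 1 worked in Windows PowerShell: an added example, not part of the course material, that computes the minimum host bits for each requirement and then the /25, /26, /26 subnets of 192.168.98.0/24 with their mask, network ID, first and last host, and broadcast address in decimal and binary. The function names are this example's own, and Get-SubnetPlan assumes the subnets are allocated in the order listed (client, server, future expansion), as the tasks state.

```powershell
# Added example (not from the course): carve the Exercise 1 network into the
# client (/25), server (/26) and future-expansion (/26) subnets and print the
# values the Task 2 tables ask for. Function names are this example's own.

function Get-HostBits {
    # Smallest number of host bits whose usable range (2^n - 2) holds $Hosts.
    param([int]$Hosts)
    $bits = 2
    while (([math]::Pow(2, $bits) - 2) -lt $Hosts) { $bits++ }
    return $bits
}

function ConvertTo-Int64Address {
    # Dotted-decimal IPv4 string -> 64-bit integer (keeps the arithmetic overflow-free).
    param([string]$IPAddress)
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function ConvertFrom-Int64Address {
    # 64-bit integer -> dotted-decimal IPv4 string.
    param([int64]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { ($Value -shr $shift) -band 255 }
    return ($octets -join '.')
}

function ConvertTo-BinaryAddress {
    # 64-bit integer -> 32-bit binary string with a dot between octets.
    param([int64]$Value)
    $bits = [Convert]::ToString($Value, 2).PadLeft(32, '0')
    return ($bits -replace '(.{8})(?=.)', '$1.')
}

function Get-SubnetPlan {
    param(
        [string]$Network = '192.168.98.0',       # branch office network (/24)
        [int[]]$PrefixLengths = @(25, 26, 26)     # client, server, future expansion
    )
    $next = ConvertTo-Int64Address $Network
    foreach ($prefix in $PrefixLengths) {
        $hostBits  = 32 - $prefix
        $size      = [int64][math]::Pow(2, $hostBits)
        $mask      = [int64]4294967296 - $size        # 2^32 - block size = subnet mask
        # Align to the block size so each subnet starts on a valid boundary.
        $networkId = [int64]([math]::Ceiling($next / $size) * $size)
        $broadcast = $networkId + $size - 1
        [pscustomobject]@{
            Prefix          = "/$prefix"
            HostBits        = $hostBits
            UsableHosts     = $size - 2
            Mask            = ConvertFrom-Int64Address $mask
            MaskBinary      = ConvertTo-BinaryAddress $mask
            NetworkID       = ConvertFrom-Int64Address $networkId
            NetworkBinary   = ConvertTo-BinaryAddress $networkId
            FirstHost       = ConvertFrom-Int64Address ($networkId + 1)
            LastHost        = ConvertFrom-Int64Address ($broadcast - 1)
            Broadcast       = ConvertFrom-Int64Address $broadcast
            BroadcastBinary = ConvertTo-BinaryAddress $broadcast
        }
        $next = $broadcast + 1                         # next subnet follows this one
    }
}

# Task 1: minimum host bits for 100, 10 and 40 hosts (7, 4 and 6). The lab's
# "simplest allocation" rounds the server subnet up to 6 host bits, which is
# why the plan below uses /25, /26, /26.
foreach ($n in 100, 10, 40) { '{0,3} hosts need {1} host bits' -f $n, (Get-HostBits $n) }

# Task 2: the three subnets, in allocation order.
Get-SubnetPlan | Format-List
```

Get-SubnetPlan is general: give it any network and prefix list (largest blocks first keeps them contiguous) and it aligns each subnet to its block size, which is the check that catches an address range that does not start on a subnet boundary.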

Exercise 2: Troubleshooting IPv4


Scenario
A server in the branch office is unable to communicate with the domain controller in the head office. You
need to resolve the network connectivity problem.

The main tasks for this exercise are as follows:

1. Prepare for troubleshooting.

2. Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1.

X Task 1: Prepare for troubleshooting


1. On LON-SVR2, open Windows PowerShell and ping LON-DC1 and verify that it is functional.

2. Run the Break.ps1 script that is located in E:\Labfiles\Mod05. This script creates the problem that
you will troubleshoot and repair in the next task.

X Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1


1. Use your knowledge of IPv4 to troubleshoot and repair the connectivity problem between
LON-SVR2 and LON-DC1. Consider using the following tools:

• IPConfig

• Ping

• Tracert

• Route

• Network Monitor

2. When you have repaired the problem, ping LON-DC1 from LON-SVR2 to confirm that the problem is
resolved.

Note: If you have additional time, run an additional break script from \\LON-DC1\E$\Labfiles\Mod05 and troubleshoot that problem.

Results: After completing this lab, you will have resolved an IPv4 connectivity problem.

X To prepare for the next module


When you have finished the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.



Module Review and Takeaways


Review Questions
Question: You have just started as a server administrator for a small organization with a single
location. The organization is using the 131.107.88.0/24 address range for the internal network. Is
this a concern?

Question: You are working for an organization that provides web hosting services to other
organizations. You have a single /24 network from your ISP for the web hosts. You are almost out
of IPv4 addresses and have asked ISP for an additional range of addresses. Ideally, you would like
to supernet the existing network with the new network. Are there any specific requirements for
supernetting?
Question: You have installed a new web-based application that runs on a non-standard port
number. A colleague is testing access to the new web-based application, and indicates that he
cannot connect to it. What are the most likely causes of his problem?

Best Practices
When implementing IPv4, use the following best practices:

• Allow for growth when planning IPv4 subnets. This ensures that you do not need to change your IPv4
configuration scheme.

• Define purposes for specific address ranges and subnets. This allows you to easily identify hosts based
on their IP address and use firewalls to increase security.
• Use dynamic IPv4 addresses for clients. It is much easier to manage the IPv4 configuration for client
computers by using DHCP than with manual configuration.

• Use static IPv4 addresses for servers. When servers have a static IPv4 address, it is easier to identify
where services are located on the network.

Common Issues and Troubleshooting Tips


Common Issue Troubleshooting Tip

IP conflicts

Multiple default gateways defined

Incorrect IPv4 configuration



Tools
Tool                         Use for                                              Where to find it

Network Monitor              Capture and analyze network traffic                  Download from Microsoft web site

IPConfig                     View network configuration                           Command prompt

Ping                         Verify network connectivity                          Command prompt

Tracert                      Verify network path between hosts                    Command prompt

Pathping                     Verify network path and reliability between hosts    Command prompt

Route                        View and configure the local routing table           Command prompt

Telnet                       Test connectivity to a specific port                 Command prompt

Netstat                      View network connectivity information                Command prompt

Resource Monitor             View network connectivity information                Tools in Server Manager

Windows Network Diagnostics  Diagnose problem with a network connection           Properties of the network connection

Event Viewer                 View network related system events                   Tools in Server Manager

Module 6
Implementing DHCP
Contents:
Module Overview 6-1

Lesson 1: Installing a DHCP Server Role 6-2

Lesson 2: Configuring DHCP Scopes 6-7

Lesson 3: Managing a DHCP Database 6-12

Lesson 4: Securing and Monitoring DHCP 6-16

Lab: Implementing DHCP 6-21

Module Review and Takeaways 6-26

Module Overview
Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server® 2012
infrastructure. It is the primary means of distributing important network configuration information to
network clients, and it provides configuration information to other network-enabled services, including
Windows Deployment Services (Windows DS) and network access protection (NAP). To support and
troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to
deploy, configure, and troubleshoot the DHCP server role.

Objectives
After completing this module, you will be able to:

• Install the DHCP server role.

• Configure DHCP scopes.

• Manage a DHCP database.

• Secure and monitor the DHCP server role.



Lesson 1
Installing a DHCP Server Role
Using DHCP can help simplify client computer configuration. This lesson describes the benefits of DHCP, explains how the DHCP protocol works, and discusses how to control DHCP in a Windows Server® 2012 network with Active Directory Domain Services (AD DS).

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the benefits of using DHCP.

• Explain how DHCP allocates IP addresses to network clients.

• Explain how the DHCP lease generation process works.

• Explain how the DHCP lease renewal process works.

• Describe the purpose of a DHCP relay agent.

• Explain how a DHCP server role is authorized.

• Explain how to add and authorize the DHCP server role.

Benefits of Using DHCP
The DHCP protocol simplifies configuration of Internet Protocol (IP) clients in a network environment. Without using DHCP, each time you add a client to a network, you have to configure it with information about the network on which you installed it, including the IP address, the network's subnet mask, and the default gateway for access to other networks.

When you need to manage many computers in a network, managing them manually can become a time-consuming process. Many corporations manage thousands of computer devices, including handhelds, desktop computers, and laptops. It is not feasible to manually manage the network IP configurations for organizations of this size.

With the DHCP server role, you can help to ensure that all clients have appropriate configuration information; this helps to eliminate human error during configuration. When key configuration information changes in the network, you can update it using the DHCP server role without having to change the information directly on each computer.

DHCP is also a key service for mobile users who change networks often. DHCP enables network administrators to offer complex network-configuration information to nontechnical users, without users having to deal with their network-configuration details.

DHCP version 6 (v6) stateful and stateless configurations are supported for configuring clients in an IPv6 environment. Stateful configuration occurs when the DHCPv6 server assigns the IPv6 address to the client, along with additional DHCP data. Stateless configuration occurs when the subnet router assigns the IPv6 address automatically, and the DHCPv6 server only assigns other IPv6 configuration settings.

NAP is part of a new toolset that can prevent full access to the intranet for computers that do not comply with system health requirements. NAP with DHCP helps isolate potentially malware-infected computers from the corporate network. DHCP NAP enables administrators to ensure that DHCP clients are compliant with internal security policies. For example, all network clients must be up-to-date and have a valid, up-to-date antivirus program installed before they are assigned an IP configuration that allows full access to the intranet.

You can install DHCP as a role on a Windows Server 2012 Server Core installation. A Server Core installation allows you to create a server with a reduced attack surface. To manage DHCP from the core server, you must install and configure the role from the command-line interface. You also can manage the Core DHCP role from a graphical user interface (GUI)-based console where the DHCP role is installed already.

How DHCP Allocates IP Addresses
DHCP allocates IP addresses on a dynamic basis, otherwise known as a lease. Although you can set the lease duration to unlimited, you typically set the duration for not more than a few hours or days. The default lease time for wired clients is eight days, and for wireless clients it is three days.

DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet.

For a computer to be considered a DHCP client, it has to be configured to obtain an IP address automatically. By default, every computer is configured to obtain an IP address automatically. In a network where a DHCP server is installed, a DHCP client will respond to a DHCP broadcast.

If a computer is configured with an IP address by an administrator, then that computer has a static IP address and is considered a non-DHCP client, and will not communicate with a DHCP server.

How DHCP Lease Generation Works
You use the four-step DHCP lease-generation process to assign an IP address to clients. Understanding how each step works helps you troubleshoot problems when clients cannot obtain an IP address. The four steps are:

1. The DHCP client broadcasts a DHCPDISCOVER packet to every computer in the subnet. Only a computer that has the DHCP server role, or a computer or router that is running a DHCP relay agent, responds. In the latter case, the DHCP relay agent forwards the message to the DHCP server with which it is configured.

2. A DHCP server responds with a DHCPOFFER packet. This packet contains a potential address for the client.

3. The client receives the DHCPOFFER packet. It might receive packets from multiple servers; in that case, it usually selects the server that made the fastest response to its DHCPDISCOVER. This typically is the DHCP server closest to the client. The client then broadcasts a DHCPREQUEST that contains a server identifier. This informs the DHCP servers that receive the broadcast which server's DHCPOFFER the client has chosen to accept.

4. The DHCP servers receive the DHCPREQUEST. Those servers that the client has not accepted use the message as notification that the client declines that server's offer. The chosen server stores the IP address client information in the DHCP database and responds with a DHCPACK message. If for some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER, the DHCP server sends a DHCPNAK message.

Additional Reading: For more information about how DHCP technology works see: http://go.microsoft.com/fwlink/?LinkID=112075&clcid=0x409.

How DHCP Lease Renewal Works
When the DHCP lease reaches 50 percent of the lease time, the client attempts to renew the lease. This is an automatic process that occurs in the background. Computers might have the same IP address for a long time if they operate continually on a network without being shut down.

To renew the IP address lease, the client broadcasts a DH CPREQUEST message. The server that leased the IP address originally sends a DHCPACK message back to the client; this message contains any new parameters that have changed since the original lease was created.

Client computers also attempt renewal during the startup process. This is because client computers might have been moved while they were offline; for example, a laptop computer might be plugged into a new subnet. If renewal is successful, the lease period is reset. If the renewal is unsuccessful, then the client computer attempts to contact the configured default gateway. If the gateway does not respond, the client assumes that it is on a new subnet and enters the Discovery phase, where it attempts to obtain an IP configuration from any DHCP server.

The DHCP role on Windows Server 2012 supports a new feature, DHCP Server Failover protocol. This protocol enables synchronization of lease information between DHCP servers and increases DHCP service availability. If one DHCP server is not available, the other DHCP server continues to service clients in the same subnet.
20410A: Installling and Configuringg Windows Server® 2012 6-5

What Is a DHCP Relay Agent
DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet. If there are a large number of subnets, it might be expensive to deploy servers for every subnet. A single DHCP server might service collections of smaller subnets. For the DHCP server to respond to a DHCP client request, it must be able to receive DHCP requests. You can enable this by configuring a DHCP relay agent on each subnet. A DHCP relay agent is a computer or router that listens for DHCP broadcasts from DHCP clients and then relays them to DHCP servers in different subnets.

With the DHCP relay agent, the DHCP broadcast packets can be relayed into another IP subnet across a router. Then, you can configure the agent in the subnet that requires IP addresses. Additionally, you can configure the agent with the IP address of the DHCP server. The agent can then capture the client broadcasts and forward them to the DHCP server in another subnet. You can also relay DHCP packets into other subnets using a router that is compatible with Request for Comment (RFC) 1542.

DHCP Server Authorization
DHCP allows a client computer to acquire configuration information about the network in which it starts. DHCP communication typically occurs before any authentication of the user or computer; and because the DHCP protocol is based on IP broadcasts, an incorrectly configured DHCP server in a network can provide invalid information to clients. To avoid this, the server must be authorized. DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients.

Active Directory Requirements
You must authorize the Windows Server 2012 DHCP server role in AD DS before it can begin leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that contain multiple AD DS domains. Therefore, an Enterprise Administrator account must authorize the DHCP server.

Note: For authorization purposes, you must have an Enterprise Administrator in all domains with the exception of the forest root domain; in this instance, members of the Domain Admins group have adequate privilege to authorize a DHCP server.

Standalone DHCP Server Considerations
A standalone DHCP server is a computer that is running Windows Server 2012, that is not part of an AD DS domain, and that has the DHCP server role installed and configured. If the standalone DHCP server detects an authorized DHCP server in the domain, it does not lease IP addresses and shuts down automatically.

Rogue DHCP Servers


Many network devices have built-in DHCP server software. Many routers can act as a DHCP server, but it is
often the case that these servers do not recognize DHCP-authorized servers and might lease IP addresses
to clients.

Additional Reading:
For more information about DHCP Resources see:
http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409.

For more information about Networking Collection see:


http://go.microsoft.com/fwlink/?LinkId=99883&clcid=0x409.

Demonstration: Adding the DHCP Server Role


Demonstration Steps

Install and authorize the DHCP server role


1. Switch to LON-SVR1.
2. Open Server Manager and install the DHCP Server role.

3. In the Add Role Wizard, accept all default settings.

4. Close Server Manager.
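The same installation and authorization, done from PowerShell instead of Server Manager, as an added example that is not part of the course's demonstration steps. It uses the DhcpServer module that ships with the role on Windows Server 2012. The server address 172.16.0.10 is a placeholder, since the course does not state LON-SVR1's address; the account running it is assumed to be an Enterprise Administrator, which the authorization step requires.

```powershell
# Added example (not course material): install and authorize the DHCP Server role
# on LON-SVR1 with PowerShell. Assumptions: run as an Enterprise Admin on the server;
# 172.16.0.10 is a placeholder for the server's IPv4 address.

Import-Module ServerManager
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Create the local DHCP Administrators and DHCP Users groups used later for delegation.
Add-DhcpServerSecurityGroup
Restart-Service -Name DHCPServer

# Authorize this server in AD DS. Until this is done the service does not lease addresses,
# and a standalone server that sees an authorized one shuts its DHCP service down.
Add-DhcpServerInDC -DnsName 'lon-svr1.adatum.com' -IPAddress 172.16.0.10

# Mark the post-installation configuration as complete so Server Manager stops warning.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Verify. This list is read from the directory, so it is the reference against which any
# DHCP server seen answering on the network should be compared.
Get-DhcpServerInDC
```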



Lesson 2
Configuring DHCP Scopes
You must configure the DHCP scopes after you install the DHCP role on a server. A DHCP scope is the primary method by which you can configure options for a group of IP addresses. A DHCP scope is based on an IP subnet, and can have settings specific to hardware or custom groups of clients. This lesson explains DHCP scopes, and how to manage them.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose of a DHCP scope.

• Describe a DHCP reservation.

• Describe the DHCP Options.

• Describe the DHCP Class-Level Options.

• Explain how DHCP Options are applied.

• Create and configure a DHCP scope.

What Are DHCP Scopes?
A DHCP scope is a range of IP addresses that are available for lease, and that are managed by a DHCP server. A DHCP scope typically is confined to the IP addresses in a given subnet.

For example, a scope for the network 192.168.1.0/24 (subnet mask of 255.255.255.0) supports a range from 192.168.1.1 through 192.168.1.254. When a computer or device in the 192.168.1.0/24 subnet requests an IP address, the scope that defined the range in this example allocates an address between 192.168.1.1 and 192.168.1.254.

Note: Remember that the DHCP server, if deployed to the same subnet, consumes an IPv4 address. This address should be excluded from the IPv4 address range.

To configure a scope, you must define the following properties:

• Name and description: This property identifies the scope.

• IP address range: This property lists the range of addresses that can be offered for lease, and usually lists the entire range of addresses for a given subnet.

• Subnet mask: This property is used by client computers to determine their location in the organization's network infrastructure.

• Exclusions: This property lists single addresses or blocks of addresses that fall within the IP address range, but that will not be offered for lease.

• Delay: This property is the amount of time to delay before making a DHCPOFFER.

• Lease duration: This property lists the lease duration. Use shorter durations for scopes with limited IP addresses, and longer durations for more static networks.

• Options: You can configure many optional properties on a scope, but typically you will configure:

  o option 003 – Router (the default gateway for the subnet)

  o option 006 – Domain Name System (DNS) Servers

  o option 015 – DNS suffix

IPv6 scopes
You can configure the IPv6 scope options as a separate scope, in the DHCP console's IPv6 node. There are several different options to modify, and an enhanced lease mechanism.

When configuring a DHCPv6 scope, you must define the following properties:

• Name and description: This property identifies the scope.

• Prefix: The IPv6 address prefix is analogous to the IPv4 address range; in essence, it defines the network address.

• Exclusions: This property lists single addresses or blocks of addresses that fall within the IPv6 prefix but will not be offered for lease.

• Preferred life times: This property defines how long leased addresses are valid.

• Options: As with IPv4, you can configure many options.

What Is a DHCP Reservation?
It often is desirable to provide network devices—such as network printers—with a predetermined IP address.

Using a DHCP reservation, you can ensure that the IP addresses that you set aside from a configured scope are not assigned to another device. A DHCP reservation is a specific IP address, within a scope, that is reserved permanently for lease to a specific DHCP client. A DHCP reservation also ensures that devices with reservations are guaranteed an IP address even if a scope is depleted of addresses. Configuring reservations enables you to centralize management of fixed IP addresses.

Configuring DHCP Reservations
To configure a reservation, you must know the device's network interface media access control (MAC) address or physical address. This address indicates to the DHCP server that the device should have a reservation. You can acquire a network interface's MAC address by using the ipconfig /all command. Typically, MAC addresses for network printers and other network devices are printed on the device. Most laptop computers also note this information on the bottom of their chassis.
The process for configuring a DHCP reservation includes the following steps:

1. Open the DHCP server role.

2. Expand the DHCP scope, and then click Reservations.

3. Click More Actions, and then click New Reservation.

What Are DHCP Options?
DHCP servers can configure more than just an IP address; they also provide information about network resources, such as DNS servers and the default gateway. DHCP options are values for common configuration data that applies to the server, scopes, reservations, and class options. You can apply DHCP options at the server, scope, user, and vendor levels. An option code identifies the DHCP options, and most option codes come from the RFC documentation found on the Internet Engineering Task Force (IETF) website.

Common DHCP Options
The following table lists the common option codes that Windows-based DHCP clients request.

Option code   Name
1             Subnet mask
3             Router
6             DNS servers
15            DNS domain name
44            WINS/NBNS servers (Windows Internet Naming Service / NetBIOS Name Service)
46            WINS/NetBT node type (WINS / NetBIOS over TCP/IP)
47            NetBIOS scope ID
51            Lease time
58            Renewal (T1) time value
59            Rebinding (T2) time value
31            Perform router discovery
33            Static route
43            Vendor-specific information
249           Classless static routes
How Are DHCP Options Applied?
DHCP applies options to client computers in the following order:

1. Server level. A server-level option is assigned to all DHCP clients of the DHCP server.

2. Scope level. A scope-level option is assigned to all clients of a scope.

3. Class level. A class-level option is assigned to all clients that identify themselves as members of a class.

4. Reserved client level. A reservation-level option is assigned to one DHCP client.

You need to understand these options when configuring DHCP, so that you will know which level's settings have priority when you are configuring different settings on multiple levels.

If the DHCP option settings that are applied at each level conflict, then the options that are applied last override previously applied settings. For example, if the default gateway is configured at the scope level, and a different default gateway is applied for a reserved client, then the reserved client setting becomes the effective setting.

You can also configure address assignment policies at the server level or scope level. An address assignment policy contains a set of conditions that you define in order to lease different DHCP IP addresses and settings to different types of DHCP clients, such as computers, laptops, network printers, or IP phones. The conditions defined in these policies include multiple criteria, such as MAC address or vendor information, in order to differentiate various types of clients.

Demonstration: Creating and Configuring a DHCP Scope
You can create scopes using either the Microsoft Management Console (MMC) for the DHCP server role, or the Netsh network configuration command-line tool. The Netsh command-line tool allows you to manage scopes remotely if the DHCP server is running on a Server Core installation of Windows Server 2012. The Netsh command-line tool is also useful for scripting and automating server provisioning.

Demonstration Steps

Authorize the DHCP Server
1. Switch to LON-SVR1.

2. Open the DHCP console.

3. Authorize the lon-svr1.adatum.com server in AD DS.

Configure scope and scope options in DHCP


1. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand and right-click IPv4, and
then click New Scope.

2. Create a new scope with the following properties:

o Name: Branch Office

o IP Address Range: 172.16.0.100–172.16.0.200

o Length: 16

o Subnet Mask: 255.255.0.0

o Exclusions: 172.16.0.190-172.16.0.200

o Other settings: use default values

o Configure options Router 172.16.0.1

3. Use default settings for all other pages, and then activate the scope.
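The scope properties from "What Are DHCP Scopes?", the reservation procedure, and the option precedence described in "How Are DHCP Options Applied?" can all be exercised from PowerShell. The following script is an added example, not the course's demonstration, and builds the Branch Office scope with the values given in the steps above. The DNS server address 172.16.0.10, the printer MAC address 00-15-5D-00-AA-01 and the second router 172.16.0.2 are placeholders chosen for the example.

```powershell
# Added example (not course material): create the Branch Office scope with PowerShell,
# add options, a reservation, and show which router option wins at the reservation level.
# Assumptions: run on lon-svr1.adatum.com as a DHCP administrator; 172.16.0.10,
# 00-15-5D-00-AA-01 and 172.16.0.2 are placeholders.

$scope = '172.16.0.0'   # ScopeId is the subnet address: 172.16.0.0 with mask 255.255.0.0

Add-DhcpServerv4Scope -Name 'Branch Office' -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.0.0 -State Active

# Exclusion from the demonstration. The server's own address, if it sits in the range,
# is excluded the same way.
Add-DhcpServerv4ExclusionRange -ScopeId $scope -StartRange 172.16.0.190 -EndRange 172.16.0.200

# A branch scope with a small pool gets a shorter lease than the 8-day default.
Set-DhcpServerv4Scope -ScopeId $scope -LeaseDuration (New-TimeSpan -Days 1)

# Scope-level options 003 (router), 006 (DNS servers) and 015 (DNS suffix).
Set-DhcpServerv4OptionValue -ScopeId $scope -Router 172.16.0.1 -DnsServer 172.16.0.10 -DnsDomain 'adatum.com'
# The same option 015 written by its numeric code, as listed in the option table:
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 15 -Value 'adatum.com'

# Reservation for a network printer, keyed on its MAC address (the value ipconfig /all
# or the device label shows). 172.16.0.150 is inside the range and outside the exclusion.
Add-DhcpServerv4Reservation -ScopeId $scope -IPAddress 172.16.0.150 -ClientId '00-15-5D-00-AA-01' `
    -Name 'BranchPrinter' -Description 'Reserved address for the branch office printer'

# Reservation-level option 003 is applied last, so it overrides the scope-level router
# for this one client only.
Set-DhcpServerv4OptionValue -ReservedIP 172.16.0.150 -Router 172.16.0.2

# Effective values: the scope reports 172.16.0.1, the reservation reports 172.16.0.2.
Get-DhcpServerv4OptionValue -ScopeId $scope -OptionId 3
Get-DhcpServerv4OptionValue -ReservedIP 172.16.0.150 -OptionId 3
```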
Lesson 3
Managing a DHCP Database
The DHCP database stores information about the IP address leases. If there is a problem, it is important that you understand how to back up the database and resolve database issues. This lesson explains how to manage the database and its data.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the DHCP database.

• Explain how to back up and restore a DHCP database.

• Explain how to reconcile a DHCP database.

• Explain how to move a DHCP database.

What Is a DHCP Database?
The DHCP database is a dynamic database containing data that relates to scopes, address leases, and reservations. The database also contains the data file that stores both the DHCP configuration information and the lease data for clients that have leased an IP address from the DHCP server. By default, the DHCP database files are stored in the %systemroot%\System32\Dhcp folder.

DHCP Service Database Files
The following table describes some of the DHCP service database files.

File                       Description

Dhcp.mdb                   Dhcp.mdb is the DHCP server database file.

Dhcp.tmp                   Dhcp.tmp is a temporary file that the DHCP database uses as a swap file during
                           database index maintenance operations. Following a system failure, Dhcp.tmp
                           sometimes remains in the Systemroot\System32\Dhcp directory.

J50.log and J50#####.log   J50.log and J50#####.log are logs of all database transactions. The DHCP
                           database uses this log to recover data when necessary.

J50.chk                    This is a checkpoint file.

Note: You should not remove or alter any of the DHCP service database files.

The DHCP server database is dynamic. It updates as DHCP clients are assigned, or as they release their TCP/IP configuration parameters. Because the DHCP database is not a distributed database like the Windows Internet Name Service (WINS) server database, maintaining the DHCP server database is less complex.

By default, the DHCP database and related registry entries are backed up automatically at 60-minute intervals. You can change this default interval by changing the value of BackupInterval in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

You can also back up a DHCP database manually at any time.

Backing Up and Restoring a DHCP Database
You can back up a DHCP database manually, or you can configure it to back up automatically. An automatic backup is called a synchronous backup. A manual backup is called an asynchronous backup.

Automatic (Synchronous) Backup
The default backup path for the DHCP backup is systemroot\System32\Dhcp\Backup. As a best practice, you can modify this path in the server properties to point to another volume.

Manual (Asynchronous) Backup
If you have an immediate need to create a backup, you can run the manual backup option in the DHCP console. This action requires either administrative-level permissions, or that the user account be a member of the DHCP administrators group.

What Is Backed Up?
When a synchronous or asynchronous backup occurs, the entire DHCP database is saved, including the following:

• All scopes

• Reservations

• Leases

• All options, including server options, scope options, reservation options, and class options

• All registry keys and other configuration settings (for example, audit log settings and folder location settings) that are set in DHCP server properties. These settings are stored in the following registry key:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

  To back up this key, open Registry Editor and save the specified key to a text file.

Note: The DNS dynamic update credentials (user name, domain, and password) that the DHCP server uses when registering DHCP client computers in DNS are not backed up with any backup method.
Restoring a Database
If you need to restore the database, use the Restore function in the DHCP server console. You will be prompted for the backup's location. Once you have selected the location, the DHCP service stops, and the database is restored. To restore the database, the user account must either have administrative-level permissions, or be a member of the DHCP administrators group.

Backup Security
When the DHCP database file is backed up, it should be in a protected location that only the DHCP administrators can access. This ensures that any network information in the backup files remains protected.

Using Netsh
You also can use commands in the Netsh DHCP context to back up the database; this is useful for backing up the database to a remote location using a script file.

The following command is a script that you can use from the Netsh DHCP prompt to back up the DHCP data for all scopes:

export "c:\My Folder\Dhcp Configuration" all

To restore the DHCP database, use the following command:

import "c:\My Folder\Dhcp Configuration" all

Note: The Netsh DHCP context does not exist on server computers without the DHCP server role installed.

Additional Reading: For more information about backing up the DHCP database see:
http://go.microsoft.com/fwlink/?LinkId=99889&clcid=0x409.
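The backup interval, the backup path, the manual backup, the Netsh-style export, and the protected backup location discussed above can all be set from one script. The following is an added example and not part of the course; it uses the DhcpServer module cmdlets on Windows Server 2012. The folder D:\DhcpBackup is a placeholder, and the script assumes it runs on the DHCP server as a member of the DHCP Administrators group.

```powershell
# Added example (not course material): configure automatic backup, take a manual backup,
# export the configuration for transfer, and lock down the backup folder first.
# Assumptions: run on the DHCP server as a DHCP administrator; D:\DhcpBackup is a placeholder.

$backupDir = 'D:\DhcpBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Restrict the folder before any backup lands in it: drop inherited ACEs, then grant access
# only to SYSTEM, local Administrators and the DHCP Administrators group. Backups contain
# every lease and reservation, which is network information worth protecting.
icacls $backupDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'DHCP Administrators:(OI)(CI)F' | Out-Null

# Synchronous (automatic) backup: move it off the default systemroot\System32\Dhcp\Backup
# path and shorten the interval from the default 60 minutes. This is the BackupInterval value
# under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
Set-DhcpServerDatabase -BackupPath "$backupDir\Auto" -BackupInterval 30

# Asynchronous (manual) backup of the database, taken now.
Backup-DhcpServer -Path "$backupDir\Manual"

# Portable export of configuration plus leases, the PowerShell counterpart of
# 'export "<path>" all' at the Netsh DHCP prompt.
Export-DhcpServer -File "$backupDir\dhcp-export.xml" -Leases

# Restore paths, to be run on the target server. Import-DhcpServer insists on a BackupPath
# so that it can back up the current configuration before overwriting it.
# Restore-DhcpServer -Path "$backupDir\Manual"
# Import-DhcpServer -File "$backupDir\dhcp-export.xml" -BackupPath "$backupDir\PreImport" -Leases
```

The DNS dynamic update credentials are not included in any of these backups, as the note above states, so record them separately when you move a server.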

Reconciling a DHCP Database
Reconciling scopes can fix inconsistencies that can affect client computers.

The DHCP Server service stores scope IP address-lease information in two forms:

• Detailed IP address lease information, which the DHCP database stores

• Summary IP address lease information, which the server's Registry stores

When you are reconciling scopes, the detail and summary entries are compared to find inconsistencies.
To correct and repair these inconsistencies, you must reconcile any scope inconsistencies. After you select and reconcile scope inconsistencies, the DHCP service either restores those IP addresses to the original owner, or creates a temporary reservation for those addresses. These reservations are valid for the lease time that is assigned to the scope. When the lease time expires, the addresses are then recovered for future use.
Moving a DHCP Database
In the event that you must move the DHCP server role to another server, it is also advisable that you move the DHCP database to the same server. This ensures that client leases are retained, and reduces the likelihood of client-configuration issues.

You move the database initially by backing it up on the old DHCP server. Then, shut down the DHCP service on the old DHCP server. Next, copy the DHCP database to the new server, where you can restore it using the normal database restore procedure.
Lesson 4
Securing and Monitoring DHCP
The DHCP protocol has no built-in method for authenticating users. This means that if you do not take precautions, IP leases could be granted to devices and users who are unauthorized.
DHCP is a core service in many organizations' network environments. If the DHCP service is not working properly, or if there is a situation that is causing problems with the DHCP server, it is important that you can identify the problem and determine potential causes to resolve the problem.
This lesson explains how to prevent unauthorized users from obtaining a lease, how to manage rogue DHCP servers, and how to configure DHCP servers so that a specific group can manage them.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how to prevent an unauthorized computer from obtaining a lease.

• Explain how to restrict unauthorized, non–Microsoft DHCP servers from leasing IP addresses.

• Explain how to delegate administration of the DHCP server role.

• Describe DHCP statistics.

• Describe DHCP audit logging.

• Identify common issues that are possible with DHCP.

Preventing an Unauthorized Computer from Obtaining a Lease
DHCP by itself can be difficult to secure—it is designed to work before the necessary information is in place for a client computer to authenticate with a domain controller. This is why you should take precautions to prevent unauthorized computers from obtaining a lease with DHCP.

Basic precautions that you should take to limit unauthorized access include:

• Ensuring that you reduce physical access: If users can access an active network connection to the network, their computers are likely to be able to obtain an IP address. If a network port is not being used, you should disconnect it physically from the switching infrastructure.

• Enabling audit logging on all DHCP servers: This can provide an historical view of activity, in addition to allowing you to trace when an unauthorized user obtained an IP address in the network. Make sure to schedule time at regular intervals to review the audit logs.

• Requiring authenticated Layer 2 connections to the network: Most enterprise hardware switches now support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. This allows for port-level user authentication. Secure wireless standards, such as Wi-Fi Protected Access (WPA) Enterprise and WPA2 Enterprise, also use 802.1X authentication.

• Implementing NAP: NAP allows administrators to validate that a client computer is compliant with system health requirements, such as running all the latest Windows operating system updates or running an up-to-date antivirus client. If users who do not meet security requirements try to access the network, they receive an IP address configuration to access a remediation network where they can receive the necessary updates. The administrator can restrict access to the network by allowing only healthy computers access to the internal local area network (LAN).

Restricting Unauthorized, Non–Microsoft DHCP Servers from Leasing IP Addresses
Many devices and network operating systems have multiple DHCP server implementations. Networks are almost never homogeneous in nature; therefore, it is possible that at some point a DHCP server that does not check for Active Directory–authenticated servers will be enabled on the network. In this case, clients might obtain incorrect configuration data.

To eliminate an unauthorized DHCP server, you must first locate it, and then prevent it from communicating on the network by disabling it physically, or by disabling the DHCP service.

If users complain that they do not have connectivity to the network, check the IP address of their DHCP server. Use the ipconfig /all command to check the IP address of the DHCP Server field. If the IP address is not the IP address of an authorized DHCP server, then there is probably a rogue server in the network.

You can use the DHCP Server Locator utility (Dhcploc.exe) to locate the DHCP servers that are active on a subnet.
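The check described above (the DHCP Server field of ipconfig /all compared against the authorized servers) can be run across many clients at once rather than one console at a time. The following function is an added example and not part of the course: it reads the authorized list from AD DS with Get-DhcpServerInDC and the per-adapter DHCP server from WMI on each client, and flags any adapter whose lease came from a server the directory does not know. It assumes a management station with the DhcpServer module (RSAT) and WinRM access to the clients; the client names LON-CL1 and LON-CL2 are taken from the lab environment.

```powershell
# Added example (not course material): find clients whose lease came from a DHCP server
# that is not authorized in AD DS. Assumptions: DhcpServer module present on this station,
# WinRM reachable on the listed clients.

function Test-DhcpServerAuthorized {
    param([string[]] $ComputerName = @('LON-CL1'))

    # Authoritative list from the directory (the same records Add-DhcpServerInDC created).
    $authorized = @((Get-DhcpServerInDC).IPAddress.IPAddressToString)

    foreach ($computer in $ComputerName) {
        # DHCPServer here is the same value as the "DHCP Server" field in ipconfig /all.
        $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -ComputerName $computer |
                    Where-Object { $_.DHCPEnabled -and $_.DHCPServer }
        foreach ($nic in $adapters) {
            [pscustomobject]@{
                Computer   = $computer
                Adapter    = $nic.Description
                IPAddress  = ($nic.IPAddress | Where-Object { $_ -notlike '*:*' }) -join ','   # IPv4 only
                DhcpServer = $nic.DHCPServer
                Authorized = ($authorized -contains $nic.DHCPServer)
            }
        }
    }
}

# Any row with Authorized = False points at a server AD DS does not know about. Confirm
# with Dhcploc.exe on that subnet, then disable the device or its DHCP service.
Test-DhcpServerAuthorized -ComputerName 'LON-CL1', 'LON-CL2' | Format-Table -AutoSize
```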

Delegating DHCP Administration
Ensure that only authorized persons can administer the DHCP server role. You can do this by performing either of the following tasks:

• Limit the membership of the DHCP Administrators group.

• Assign users that require read-only access to DHCP membership of the DHCP Users group.

The DHCP Administrators local group is used to restrict and grant access to administer DHCP servers. Therefore, the DHCP Administrators group is in the built-in groups on domain controllers, or is on local servers.

Permissions Required to Authorize and Administer DHCP
Authorization of a DHCP service is only available to Enterprise administrators. If the need exists for a down-level administrator to authorize the domain, use Active Directory delegation.

• DHCP Administrators. Any user in the DHCP Administrators group can manage the server's DHCP service.

• DHCP Users. Any user in the DHCP Users group can have read-only access to the DHCP console.

What Are DHCP Statistics?
DHCP statistics provide information about DHCP activity and use. You can use this console to determine quickly whether there is a problem with the DHCP service or with the network's DHCP clients. An example in which statistics might be useful is if the administrator notices an excessive amount of negative acknowledgement (NAK) packets, which might indicate that the server is not providing the correct data to clients.

You can configure the refresh rate for the statistics in the General tab of the server's Properties window.

DHCP Server Statistics
DHCP server statistics provide an overview of DHCP server usage. You can use this data to understand quickly the state of the DHCP server. Information such as number of offers, number of requests, total in-use addresses, and total available addresses can help to provide a picture of the server's health.

DHCP Scope Statistics
DHCP scope statistics provide much fewer details—such as total addresses in the scope, how many addresses are in use, and how many addresses are available. If you notice that there are a low number of addresses available in the server statistics, it might be that only one scope is near its depletion point. By using scope statistics, an administrator can quickly determine the status of the particular scope with respect to the addresses available.
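The two readings the text singles out, an excessive share of NAKs and a single scope near depletion behind a healthy server total, can be checked from the same statistics cmdlets the DHCP console uses. The following function is an added example, not course material: it reads server and per-scope statistics for lon-svr1.adatum.com and returns a short report. The thresholds (90 percent in use, NAKs at 10 percent of requests) are choices made for the example, not values from the course.

```powershell
# Added example (not course material): a DHCP health check from server and scope statistics.
# Assumptions: DhcpServer module available; thresholds are illustrative choices.

function Get-DhcpHealthReport {
    param(
        [string] $ComputerName = 'lon-svr1.adatum.com',
        [int]    $FullPercent  = 90,    # a scope this full is "near its depletion point"
        [int]    $NakPercent   = 10     # NAKs as a share of REQUESTs that merits a look
    )

    $srv = Get-DhcpServerv4Statistics -ComputerName $ComputerName
    $nakShare = if ($srv.Requests -gt 0) { [math]::Round(100 * $srv.Naks / $srv.Requests, 1) } else { 0 }

    $findings = @()
    if ($nakShare -ge $NakPercent) {
        $findings += "Server: $($srv.Naks) NAKs for $($srv.Requests) requests ($nakShare%); check scope and relay configuration"
    }

    # Server totals can hide one exhausted scope, so inspect each scope on its own.
    foreach ($s in Get-DhcpServerv4ScopeStatistics -ComputerName $ComputerName) {
        if ($s.PercentageInUse -ge $FullPercent) {
            $findings += "Scope $($s.ScopeId): $($s.InUse) in use, $($s.Free) free ($([int]$s.PercentageInUse)% used)"
        }
    }

    [pscustomobject]@{
        Server         = $ComputerName
        Offers         = $srv.Offers
        Requests       = $srv.Requests
        Acks           = $srv.Acks
        Naks           = $srv.Naks
        AddressesInUse = $srv.AddressesInUse
        AddressesFree  = $srv.AddressesAvailable
        Findings       = $findings
    }
}

Get-DhcpHealthReport | Format-List
```

A finding on a scope that is nearly full maps to the "DHCP server exhausts its IP address pool" row of the issues table later in this lesson; a high NAK share is the case the text describes, a server refusing addresses it cannot or should not confirm.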

What Is DHCP Audit Logging?
The DHCP audit log provides a traceable log of DHCP server activity. You can use this log to track lease requests, grants, and denials. This information allows you to troubleshoot DHCP server performance. The log files are stored in the %systemroot%\system32\dhcp folder by default. You can configure the log file settings in the server's Properties window.

The DHCP audit log files are named based on the weekday that the file was created. For example, if audit logging is enabled on a Monday, the file name is DhcpSrvLog-Mon.log.

Fields That Make Up a DHCP Audit Log
The following table describes the fields in a DHCP audit log.

Field         Description

ID            A DHCP server event ID code.

Date          The date on which this entry was logged on the DHCP server.

Time          The time at which this entry was logged on the DHCP server.

Description   A description of the DHCP server event.

IP Address    The IP address of the DHCP client.

Host Name     The host name of the DHCP client.

MAC Address   The MAC address used by the client's network adapter hardware.

Common Event ID Codes
Common event ID codes include:

• ID,Date,Time,Description,IP Address,Host Name,MAC Address

• 00,06/22/99,22:35:10,Started,,,,

• 56, 06/22/99,22:35:10,Authorization failure, stopped servicing,,domain1.local,,

• 55, 06/22/99,22:45:38,Authorized(servicing),,domain1.local
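Reviewing the audit log at regular intervals, as the earlier precautions list recommends, is easier when the records are parsed rather than read raw. The following is an added example and not course material: it enables audit logging, then parses records in the seven-field layout described above, counts events per ID, and surfaces ID 56 (authorization failure, stopped servicing). The path D:\DhcpAudit is a placeholder, and the sample records are constructed from the event lines listed in the text.

```powershell
# Added example (not course material): enable DHCP audit logging and summarize its records.
# Assumptions: D:\DhcpAudit is a placeholder path; sample lines are constructed from the
# event codes the text lists (00 Started, 55 Authorized, 56 Authorization failure).

Set-DhcpServerAuditLog -Enable $true -Path 'D:\DhcpAudit'

function ConvertFrom-DhcpAuditLog {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*\d+,') { continue }          # skip banner text and the header row
        $parts = $line -split ','
        # Description can itself contain ", " (for example "Authorization failure, stopped
        # servicing"), so glue such pieces back together before taking the last three fields.
        $i = 3; $desc = $parts[3]
        while ($i + 1 -lt $parts.Count -and $parts[$i + 1] -match '^\s\S') { $i++; $desc += ',' + $parts[$i] }
        [pscustomobject]@{
            ID          = $parts[0].Trim()
            Date        = $parts[1].Trim()
            Time        = $parts[2].Trim()
            Description = $desc
            IPAddress   = [string]$parts[$i + 1]
            HostName    = [string]$parts[$i + 2]
            MACAddress  = [string]$parts[$i + 3]
        }
    }
}

function Get-DhcpAuditSummary {
    param([string[]] $Lines)
    $events = @(ConvertFrom-DhcpAuditLog -Lines $Lines)
    [pscustomobject]@{
        Total        = $events.Count
        ByEventId    = $events | Group-Object ID | Sort-Object Name | Select-Object Name, Count
        AuthFailures = $events | Where-Object { $_.ID -eq '56' }   # server stopped servicing: investigate
    }
}

# Constructed sample matching the "Common Event ID Codes" lines in the text.
$sample = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/22/99,22:35:10,Started,,,,
56, 06/22/99,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55, 06/22/99,22:45:38,Authorized(servicing),,domain1.local
'@ -split "`r?`n"

$summary = Get-DhcpAuditSummary -Lines $sample
$summary.ByEventId      # one record each for IDs 00, 55 and 56
$summary.AuthFailures   # the ID 56 record: the service started before the server was authorized in AD DS

# Against a live log file:
# Get-DhcpAuditSummary -Lines (Get-Content 'D:\DhcpAudit\DhcpSrvLog-Mon.log')
```

An ID 56 record on a server you expected to be authorized, or a lease record whose host name you do not recognize, is the kind of entry the scheduled review in the earlier precautions list is meant to catch.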

Discussion: Common DHCP Issues
The following table describes some common DHCP issues. Enter the possible solutions in the Solution column, and then discuss them with the class.

Issue: Address conflicts
Description: The same IP address is offered to two different clients.
Example: An administrator deletes a lease. However, the client that had the lease is still operating as if the lease is valid. If the DHCP server does not verify the IP address, it might lease the IP to another machine, causing an address conflict. This can also occur if two DHCP servers have overlapping scopes.
Solution:

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead receives an Automatic Private IP Addressing (APIPA) self-assigned address.
Example: If a client's network card driver is configured incorrectly, it might cause a failure to obtain a DHCP address. Additionally, the DHCP server or relay agent on the client's subnet.
Solution:

Issue: Address obtained from an incorrect scope
Description: The client is obtaining an IP address from the wrong scope, causing it to experience communication problems.
Example: If the client is connected to the wrong network or the DHCP relay agent is incorrectly configured, this error could occur.
Solution:

Issue: DHCP database suffers data corruption or loss
Description: The DHCP database becomes unreadable or is lost due to a hardware failure.
Example: A hardware failure can cause the database to become corrupted.
Solution:

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's scopes have been depleted. Any new clients requesting an IP address are refused.
Example: For example, if all the IPs assigned to a scope are leased, this error occurs.
Solution:

Lab: Implementing DHCP


Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations as well. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have recently accepted a promotion to the server support team. One of your first assignments is to
configure the infrastructure services for a new branch office. As part of this assignment, you need to
configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are
configured with static IP addresses and do not use DHCP.

Objectives
After performing this lab you will be able to:

• Install and configure the DHCP server role.

• Configure the DHCP scope and options.


• Configure a client computer to use DHCP, and then test the configuration.

• Configure a lease as a reservation.

• Install and configure a DHCP relay.

• Test DHCP relay with client.

Lab Setup
Estimated Time: 75 minutes

Logon Information

Virtual Machines:
20410A-LON-DC1
20410A-LON-SVR1
20410A-LON-RTR
20410A-LON-CL1
20410A-LON-CL2

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.



6. For the optional Exercise 2, you should repeat steps 2 to 4 for 20410A-LON-RTR, 20410A-LON-SVR2, and 20410A-LON-CL2.

Exercise 1: Implementing DHCP


Scenario
As part of configuring the infrastructure for the new branch office, you need to configure a DHCP server
that will provide IP addresses and configuration to client computers. Servers are configured with static IP
addresses and usually do not use DHCP for obtaining IP addresses.

One of the client computers in the branch office needs to access an accounting application in the head
office. The network team uses firewalls based on IP addresses to restrict access to this application. The
network team has requested that you assign a static IP address to this client computer. Rather than
configuring a static IP address on the client computer manually, you decide to create a reservation in
DHCP for the client computer.

The main tasks for this exercise are as follows:


1. Install DHCP server role.

2. Configure the DHCP scope and options.

3. Configure client to use DHCP and then test the configuration.

4. Configure a lease as a reservation.

Task 1: Install DHCP server role


1. Switch to LON-SVR1.

2. Open Server Manager, and install the DHCP Server role.


3. In the Add Roles and Features Wizard, accept all defaults.

Task 2: Configure the DHCP scope and options


1. Switch to LON-SVR1.

2. In Server Manager, open the DHCP console.


3. Authorize the lon-svr1.adatum.com server in AD DS.

4. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and
then click New Scope.
5. Create a new scope with the following properties:

o Name: Branch Office

o IP Address Range: 172.16.0.100–172.16.0.200

o Length: 16

o Subnet Mask: 255.255.0.0

o Exclusions: 172.16.0.190-172.16.0.200

o Configure options Router 172.16.0.1

o For all other settings use default values

6. Activate the scope.

Task 3: Configure client to use DHCP and then test the configuration
1. To configure a client, switch to LON-CL1.

2. Reconfigure the Local Area Connection using the following information:

o Configure Internet Protocol Version 4 (TCP/IPv4)

o Obtain an IP address automatically

o Obtain DNS server address automatically

3. Open a command prompt, and initiate the DHCP process using the ipconfig /renew command.

4. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by
typing in the command prompt: ipconfig /all.

This command returns information such as the IP address, subnet mask, DHCP server address, and the DHCP Enabled status, which
should be Yes.

Task 4: Configure a lease as a reservation


1. Switch to LON-CL1.

2. In a command prompt, type ipconfig /all to display the physical address of the network adapter.
3. Switch to LON-SVR1.

4. Open the DHCP console.

5. In the DHCP console, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, expand
Branch Office scope, right-click Reservations, and then click New Reservation.

6. Create a new reservation for LON-CL1 using the physical address of the LON-CL1 network adapter,
and the IP address 172.16.0.55.
7. On LON-CL1, use the ipconfig command to renew and then verify the IP address.
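Tasks 1 to 4 of this exercise as PowerShell, added here as an example; it is not part of the lab text, which uses the graphical tools. Assumptions: LON-SVR1 has the address 172.16.0.21 (the address the relay agent in Exercise 2 points at), the client adapter is named Local Area Connection as in the lab, and the commands marked for LON-CL1 run in an elevated prompt on the client. Authorizing the server in AD DS requires Enterprise Admins rights, which the lab account has.

```powershell
# Added example: Exercise 1 without the GUI (not code from the course).

# Task 1 (on LON-SVR1): install the role and do the post-install steps that Server Manager
# otherwise asks for: create the DHCP security groups and clear the completion flag.
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerSecurityGroup                 # creates DHCP Administrators and DHCP Users
Restart-Service -Name DHCPServer
# Documented flag that dismisses the "Complete DHCP configuration" notification.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Task 2 (on LON-SVR1): authorize the server in AD DS, then create and activate the scope.
Add-DhcpServerInDC -DnsName 'lon-svr1.adatum.com' -IPAddress 172.16.0.21   # assumed address
Add-DhcpServerv4Scope -Name 'Branch Office' -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.0.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 172.16.0.0 -StartRange 172.16.0.190 -EndRange 172.16.0.200
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, StartRange, EndRange, State

# Task 3 (on LON-CL1): drop the static configuration, switch the adapter to DHCP and renew.
$nic = Get-NetAdapter -Name 'Local Area Connection'                         # assumed alias
Remove-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ResetServerAddresses
ipconfig /renew
# PrefixOrigin 'Dhcp' confirms the address came from a lease rather than APIPA or static config.
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength, PrefixOrigin

# Task 4: the client's MAC address (format 00-15-5D-xx-xx-xx) is the reservation's client ID.
$mac = (Get-NetAdapter -Name 'Local Area Connection').MacAddress           # run on LON-CL1
# On LON-SVR1, with $mac copied across: a reservation may sit outside the distribution
# range as long as it is inside the scope's subnet, which 172.16.0.55 is.
Add-DhcpServerv4Reservation -ScopeId 172.16.0.0 -IPAddress 172.16.0.55 -ClientId $mac `
    -Name 'LON-CL1' -Description 'Fixed address for the accounting application firewall rule'
# On LON-CL1: release and renew, then confirm the reserved address was issued.
ipconfig /release
ipconfig /renew
# On LON-SVR1: the lease list should show 172.16.0.55 bound to the client's MAC.
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 | Format-Table IPAddress, ClientId, HostName, AddressState
```

Note that the reservation fixes the address only for the adapter whose MAC is registered; if the client changes adapters (or an attacker clones the MAC) the firewall rule keyed on 172.16.0.55 no longer identifies the intended machine, which is why the network team's IP-based restriction is only as strong as the physical-network controls behind it.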

Task 5: To prepare for the optional exercise


If you are going to complete the optional lab, revert the following virtual machines: 20410A-LON-CL1
and 20410A-LON-SVR1.

Results: After completing these tasks, you will have implemented DHCP, configured a DHCP scope and
options, and configured a DHCP reservation.

Exercise 2: Implementing a DHCP Relay (Optional Exercise)


Scenario
Your manager has asked you to configure a DHCP relay for another subnet in your branch office. This
avoids the need to configure an additional DHCP server on that subnet.

The main tasks for this exercise are as follows:

1. Install DHCP relay.

2. Configure DHCP relay.

3. Test DHCP relay with client.

Task 1: Install DHCP relay


1. Switch to LON-RTR.

2. In Server Manager, open Routing and Remote Access.

3. Use the following steps to add the DHCP Relay agent to the router:

o In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.

o In the Routing protocols list, click DHCP Relay Agent and then click OK.

Task 2: Configure DHCP relay


1. Open Routing and Remote Access.

2. Use the following steps to configure the DHCP Relay agent:

o In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
o In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and
then click OK.

o In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.
o Right-click DHCP Relay Agent and then click Properties.

o In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21,
click Add, and then click OK.

3. Close Routing and Remote Access.

Task 3: Test DHCP relay with client

Note: In order to test how a client receives an IP address from DHCP Relay in another
subnet, we need to create another DHCP scope.

1. Switch to LON-SVR1.

2. Open the DHCP console.

3. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and
then click New Scope.

4. Create a new scope with the following properties:

o Name: Branch Office 2

o IP Address Range: 10.10.0.100–10.10.0.200

o Length: 16

o Subnet Mask: 255.255.0.0

o Exclusions: 10.10.0.190-10.10.0.200

o Configure options: Router 10.10.0.1

o For all other settings use default values

5. Activate the scope.

6. To test the client, switch to LON-CL2.

7. Open the Network and Sharing Center window and configure Local Area Connection, Internet
Protocol Version 4 (TCP/IPv4) properties with following settings:

o Obtain IP address automatically

o Obtain DNS server address automatically

8. Open the command prompt.



9. In the command prompt, type following command:

ipconfig /renew

10. Verify that IP address and DNS server settings on LON-CL2 are obtained from DHCP Server scope
installed on LON-SVR1.

Note: IP address should be from following range: 10.10.0.100/16 to 10.10.0.200/16.
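The same exercise from the command line, added as an example that is not part of the lab text. Assumptions: Routing and Remote Access is already installed and enabled on LON-RTR, Local Area Connection 2 is the router interface on the 10.10.0.0/16 subnet with address 10.10.0.1, and LON-SVR1 is 172.16.0.21. The DHCP Relay Agent has no PowerShell cmdlets, so the netsh routing context is used; the parameter names are quoted from the RRAS netsh reference and should be confirmed with netsh routing ip relay ? on the router before use.

```powershell
# Added example: Exercise 2 without the GUI (not code from the course).

# Tasks 1-2 (on LON-RTR): install the relay agent, bind it to the branch subnet interface,
# and give it the address of the DHCP server on the far side of the router.
netsh routing ip relay install
netsh routing ip relay add interface name="Local Area Connection 2" relaymode=enable maxhop=4 minsecs=4
netsh routing ip relay add dhcpserver 172.16.0.21

# Task 3 (on LON-SVR1): the scope for the relayed subnet. The server chooses the scope from
# the relay agent address (giaddr) the relay writes into the forwarded DHCPDISCOVER, so the
# relay interface (10.10.0.1) must lie inside this subnet or clients receive no offer.
Add-DhcpServerv4Scope -Name 'Branch Office 2' -StartRange 10.10.0.100 -EndRange 10.10.0.200 `
    -SubnetMask 255.255.0.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.0.0 -StartRange 10.10.0.190 -EndRange 10.10.0.200
Set-DhcpServerv4OptionValue -ScopeId 10.10.0.0 -Router 10.10.0.1

# Verification (on LON-CL2, after setting the adapter to DHCP as in Exercise 1).
function Test-RelayedLease {
    # Returns whether the DHCP-issued address falls in the relayed scope's range.
    param([string]$Prefix = '10.10.')     # assumed: the relayed scope
    ipconfig /renew | Out-Null
    $addr = @(Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp)
    [pscustomobject]@{
        Address          = ($addr.IPAddress -join ',')
        FromRelayedScope = (@($addr | Where-Object { $_.IPAddress -like "$Prefix*" }).Count -gt 0)
    }
}
Test-RelayedLease

# On LON-SVR1: the lease should appear under the 10.10.0.0 scope, not the 172.16.0.0 one.
Get-DhcpServerv4Lease -ScopeId 10.10.0.0 | Format-Table IPAddress, ClientId, HostName, AddressState
```

If the client gets an APIPA address while the 172.16.0.0 scope works, the relay is the first suspect: check that the relay interface is enabled, that the server address is correct, and that UDP 67 from 10.10.0.1 reaches LON-SVR1.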

Results: After completing these tasks, you will have implemented a DHCP relay agent.

To prepare for the next module


When you have finished the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.



Module Review and Takeaways


Module Review Questions
Question: You have two subnets in your organization and want to use DHCP to allocate
addresses to client computers in both subnets. You do not want to deploy two DHCP servers.
What factors must you consider?

Question: Your organization has grown, and your IPv4 scope is almost out of addresses. What
should you do?

Question: What information do you require to configure a DHCP reservation?

Question: Can you configure option 003 – Router as a Server-level DHCP scope option?

Best Practices
• Spend time designing your IP addressing scheme so that it will accommodate both your current IT
infrastructure and any potential future IT infrastructure needs.

• Determine which devices need DHCP reservations, such as network printers, network scanners, or IP
based cameras.

• Secure your network from non-authorized, rogue DHCP servers. AD DS authorization only stops the Windows DHCP Server service from answering clients; a rogue server on any other platform ignores it, so also consider switch-level protection (DHCP snooping) and monitor which server is actually issuing leases.

• Configure the DHCP database on highly available disk drive configurations, such as redundant array
of independent disks (RAID)–5 or RAID–1, to provide DHCP service availability in case of single disk
failure.

• Back up the DHCP database regularly, and test the restore procedure in an isolated, non-production
environment.

• Monitor the system utilization of DHCP servers, and upgrade the hardware of DHCP server if needed,
in order to provide better service performance.
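A check for the rogue-server best practice above, added here as an example that is not part of the course text. The first function lists what AD DS has authorized; the second asks each DHCP-configured adapter on the named clients which server issued its lease (the DHCPServer property of Win32_NetworkAdapterConfiguration) and flags any address that is not on the authorized list, which catches non-Windows rogue servers that authorization cannot stop. The client names are assumptions; remote queries need WinRM enabled on the clients.

```powershell
# Added example: detect leases issued by DHCP servers AD DS has not authorized (not code from the course).
Import-Module DhcpServer

function Get-AuthorizedDhcpServer {
    # The authorized list lives in the configuration partition of AD DS.
    Get-DhcpServerInDC | Select-Object DnsName, IPAddress
}

function Find-UnauthorizedDhcpSource {
    param([string[]]$ClientComputerName = @('LON-CL1', 'LON-CL2'))   # assumed client names
    $authorized = @(Get-DhcpServerInDC | ForEach-Object { [string]$_.IPAddress })
    foreach ($client in $ClientComputerName) {
        $configs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -ComputerName $client |
                   Where-Object { $_.DHCPEnabled -and $_.DHCPServer }
        foreach ($cfg in $configs) {
            [pscustomobject]@{
                Client     = $client
                Adapter    = $cfg.Description
                LeaseFrom  = $cfg.DHCPServer
                Authorized = ($authorized -contains $cfg.DHCPServer)
            }
        }
    }
}

Get-AuthorizedDhcpServer
# Anything returned here is a lease from a server outside AD DS authorization: a rogue,
# a forgotten lab box, or a misconfigured router handing out addresses.
Find-UnauthorizedDhcpSource | Where-Object { -not $_.Authorized }
# On a Windows DHCP server itself, the service records whether it passed the authorization check:
(Get-DhcpServerv4Setting).IsAuthorized
```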

Tools
Tool: IPConfig.exe
Use for: Managing and troubleshooting client IP settings
Where to find it: Command line

Tool: Netsh.exe
Use for: Configuring both client and server-side IP settings, including those for the DHCP server role
Where to find it: Command line

Tool: Regedit.exe
Use for: Editing and fine-tuning settings, including those for the DHCP server role
Where to find it: Windows interface or command line

Tool: Network Monitor
Use for: Capturing and analyzing DHCP traffic on a subnet
Where to find it: Download from the Microsoft website

Module 7
Implementing DNS
Contents:
Module Overview 7-1

Lesson 1: Name Resolution for Windows Clients and Servers 7-2

Lesson 2: Installing and Managing a DNS Server 7-10

Lesson 3: Managing DNS Zones 7-16

Lab: Implementing DNS 7-20

Module Review and Takeaways 7-25

Module Overview
Name resolution, one of the most important concepts of every network infrastructure, is the process by which
software translates between names that users can read and understand, and the numerical IP addresses
that are necessary for TCP/IP communications. Client computers use the name resolution process when
locating hosts on the Internet, and when locating other hosts and services in an internal network. Domain
Name System (DNS) is the most common technology for name resolution. Active Directory®
Domain Services (AD DS) depends heavily on DNS, as does Internet traffic. This module discusses some
basic name resolution concepts as well as installing and configuring the DNS service and its components.

Objectives
After completing this module, you will be able to:

• Describe name resolution for Windows® operating system clients and Windows Server® servers

• Install and manage DNS service

• Manage DNS zones



Lesson 1
Name Resolution for Windows Clients and Servers
You can configure a computer to communicate over a network by using a name in place of an IP address.
The computer uses name resolution to find an IP address that corresponds to a name, such as a host
name. This lesson focuses on different types of computer names, the methods used to resolve them, and
how to troubleshoot problems with name resolution.

Lesson Objectives
After completing this lesson you will be able to:

• Describe computer names.

• Describe DNS.

• Describe DNS zones and records.

• Describe how Internet DNS names are resolved.

• Describe Link-Local Multicast Name Resolution (LLMNR).

• Describe how a client resolves a name.

• Troubleshoot name resolution.

What Are Computer Names?
The TCP/IP set of protocols identifies source and destination computers by their IP addresses.
However, computer users are much better at using and remembering names than numbers. Because
of this, administrators usually assign names to computers. Administrators then link these names
to computer IP addresses in a name resolution system such as DNS. These names are in either
host name format (which is recognized by DNS) or in NetBIOS name format (which is recognized by
Windows Internet Name Service (WINS)).

Name Type
The type of name (host name or NetBIOS name) that an application uses is determined by the application
developer. If the application developer designs an application to request network services through
Windows sockets, then host names are used. If, on the other hand, the application developer designs an
application to request services through NetBIOS, a NetBIOS name is used. Most current applications,
including Internet applications, use Windows sockets, and thus host names, to access network
services. NetBIOS is used by many earlier Windows operating system applications.

Earlier versions of Microsoft® Windows®, such as Microsoft Windows 98 and Windows Millennium Edition,
require NetBIOS to support networking capabilities such as file sharing. However, since Microsoft
Windows 2000, all Windows operating systems support NetBIOS for backward compatibility with earlier versions of
Windows, but do not require NetBIOS themselves.

Note: Windows sockets applications can specify the destination host either by IP
address or by host name. NetBIOS applications require the use of a NetBIOS name.

Host Names
A host name is a user-friendly name that is associated with a computer's IP address to identify it as a
TCP/IP host. The host name can be up to 255 characters long, and can contain alphabetic and numeric
characters, periods, and hyphens.

You can use host names in various forms. The two most common forms are as an alias, and as a fully
qualified domain name (FQDN). An alias is a single name associated with an IP address, such as payroll.
You can combine an alias with a domain name to create an FQDN. An FQDN is structured for use on the
Internet, and includes periods as separators. An example of an FQDN is payroll.contoso.com.

NetBIOS Names
A NetBIOS name is a 16-character name that identifies a NetBIOS resource on the network. A NetBIOS
name can represent a single computer or a group of computers. The first 15 characters are used for the
name; the final character identifies the resource or service that is being referred to on the computer. The
15-character name may be the computer name, the domain name, or the name of the user who is
logged on. The sixteenth character is a 1-byte hexadecimal identifier.
The NetBIOS namespace is flat, meaning that each name can be used only once within a network. You cannot
organize NetBIOS names into a hierarchical structure, as you can with FQDNs.

Additional Reading: For more information about NetBIOS name resolution see:
http://technet.microsoft.com/en-us/library/cc738412(WS.10).aspx

What Is DNS?
DNS is a service that uses a distributed database to resolve FQDNs and other host names to IP
addresses. All Windows Server operating systems include a DNS service.

When you use DNS, users on your network can locate network resources by typing in user-friendly
names (for example, microsoft.com), which the computer then resolves to an IP address. The benefit is
that IPv4 addresses may be difficult to remember (for example, 131.107.0.32), while a domain name
typically is easier to remember. In addition, you can use host names that do not change while the
underlying IP addresses can be changed to suit your organizational needs.

DNS uses a database of names and IP addresses to provide this service. DNS client software performs
queries on and updates to the DNS database. For example, within an organization, a user who is trying to
locate a print server can use the DNS name printserver.contoso.com, and the DNS client software will
resolve the name to the printer's IP address, such as 172.16.23.55. Even if the printer's IP address changes,
the user-friendly name can remain the same.

Originally, one file on the Internet contained a list of all domain names and their corresponding IP
addresses. This list quickly became too long to manage and distribute. DNS was developed to solve the
problems associated with using a single Internet file. With the adoption of IPv6, DNS becomes even more
important, because IPv6 addresses are more complex than IPv4 addresses (for example,
2001:db8:4136:e38c:384f:3764:b59c:3d97).

DNS groups information about network resources into a hierarchical structure of domains. The
hierarchical structure of domains is an inverted tree beginning with a root domain at its apex,
descending into separate branches with common levels of parent domains, and descending
further into individual child domains. The representation of the entire hierarchical domain
structure is known as a DNS namespace.

The Internet uses a single DNS namespace with multiple root servers. To participate in the Internet DNS
namespace, a domain name must be registered with a DNS registrar. This ensures that no two
organizations attempt to use the same domain name.
If hosts that are located on the Internet do not need to resolve names in your domain, you can host a
domain internally, without registering it. However, you must still ensure that the domain name is unique
from Internet domain names, or connectivity to Internet resources might be affected. A common way to
ensure uniqueness has been to create an internal domain under .local, in much the same way that private IP
addresses are reserved for internal use. Be aware, however, that .local is also used by multicast DNS (mDNS) on Apple,
Linux and many printer and mobile devices, which can cause resolution delays and conflicts; current guidance is to use a
subdomain of a domain name your organization has registered (for example, corp.contoso.com) instead.

In addition to resolving host names to IP addresses, DNS can be used to:
• Locate domain controllers and global catalog servers. This is used when logging on to AD DS.

• Resolve IP addresses to host names. This is useful when a log file contains only the IP address of a
host.

• Locate mail servers for email delivery. This is used for the delivery of all Internet email.

DNS Zones and Records
A DNS zone is a specific portion of the DNS namespace that contains DNS records. A DNS zone is hosted on
a DNS server that is responsible for responding to queries for records in a specific domain. For example,
the DNS server that is responsible for resolving www.contoso.com to an IP address would contain the
contoso.com zone.

Zone content can be stored in a file or in the AD DS database. When the DNS server stores the zone in a
file, that file is located in a local folder on the server. When the zone is not stored in AD DS, only one
copy of the zone (the primary) can be writable, while all other copies (secondaries) are read-only.

The most commonly used types of zones in Windows Server DNS are forward lookup zones and reverse
lookup zones.

Forward Lookup Zones
Forward lookup zones resolve host names to IP addresses, and host common resource records including
host (A), alias (CNAME), service (SRV), mail exchange (MX), start of authority (SOA), and name server (NS)
resource records. Although forward lookup zones are capable of hosting a number of different record
types, the most common record type is the host (A) record. This record is used when resolving a host
name to an IP address.

Reverse Lookup Zones
Reverse lookup zones resolve IP addresses to domain names. A reverse zone functions in the same
manner as a forward zone, but the IP address is the part of the query while the host name is the returned
information. Reverse lookup zones host SOA, NS, and pointer (PTR) resource records. Reverse zones are
not always configured, but you should configure them to reduce warning and error messages.
Many standard Internet protocols rely on reverse zone lookup data to validate forward zone information.
For example, if the forward lookup indicates that training.contoso.com is resolved to 192.168.2.45, you
can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com.
Many email servers use a reverse lookup as one way of reducing spam. By performing a reverse lookup,
email servers check whether the connecting host has a PTR record that matches the name it claims, and
treat hosts without one (often compromised machines or open Simple Mail Transfer Protocol (SMTP)
relays) as suspect.

Having a reverse zone is important if you have applications that rely on looking up hosts by their IP
addresses. Many applications record this information in security or event logs. If you see suspicious activity
from a particular IP address, you can look up the host name using the reverse zone information. Keep in
mind that the PTR record is controlled by whoever administers the reverse zone for that address block, so
a name obtained this way is a lead rather than proof of identity; confirm it with a forward lookup of the
returned name.

Resource Records
The DNS zone file stores resource records. Resource records specify a resource type, and the IP address to
locate the resource. The most common resource record is an A resource record. This is a simple record
that resolves a host name to an IP address. The host can be a workstation, server, or another network
device, such as a router.

Resource records also help find resources for a particular domain. For instance, when a Microsoft
Exchange server needs to find the server that is responsible for delivering mail for another domain, it
requests the mail exchanger (MX) resource record for that domain. This record points to the A record of
the host that is running the SMTP mail service.

Resource records also can contain custom attributes. MX records, for instance, have a preference attribute,
which is useful if an organization has multiple mail servers. The MX record tells the sending server which
mail server the receiving organization prefers (the lowest preference value is tried first). SRV records also
contain information regarding the port on which the service is listening, and the protocol that you should
use to communicate with the service.
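The zones and record types described above, created with the DnsServer module and then checked for forward/reverse agreement, as an added example that is not part of the course text. The zone name contoso.com, the host training.contoso.com at 192.168.2.45 and the alias payroll follow the text; the mail host (mail.contoso.com at 192.168.2.25) and the LDAP target lon-dc1.contoso.com are assumptions. Run it on a DNS server; the check function works against any server.

```powershell
# Added example: build a forward and reverse zone, populate them, and verify PTR consistency
# (not code from the course).
Import-Module DnsServer

# File-backed primary forward zone (a secondary copy of it would be read-only).
Add-DnsServerPrimaryZone -Name 'contoso.com' -ZoneFile 'contoso.com.dns'
# Reverse zone for 192.168.2.0/24; -NetworkId derives the 2.168.192.in-addr.arpa name.
Add-DnsServerPrimaryZone -NetworkId '192.168.2.0/24' -ZoneFile '2.168.192.in-addr.arpa.dns'

# Host (A) records, each with its PTR written to the reverse zone at the same time.
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'training' -IPv4Address '192.168.2.45' -CreatePtr
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'mail'     -IPv4Address '192.168.2.25' -CreatePtr   # assumed
# Alias (CNAME): payroll is another name for the training host.
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' -Name 'payroll' -HostNameAlias 'training.contoso.com'
# Mail exchanger at the zone apex ("." means the zone itself); lower preference is tried first.
Add-DnsServerResourceRecordMX -ZoneName 'contoso.com' -Name '.' -MailExchange 'mail.contoso.com' -Preference 10
# Service (SRV): priority, weight, port and target host for LDAP over TCP (assumed target).
Add-DnsServerResourceRecord -Srv -ZoneName 'contoso.com' -Name '_ldap._tcp' -DomainName 'lon-dc1.contoso.com' `
    -Priority 0 -Weight 100 -Port 389

function Test-ForwardReverseMatch {
    # For every A record of $Name, look up the PTR of that address and report whether it
    # points back at $Name, as the text describes for training.contoso.com / 192.168.2.45.
    param([string]$Name, [string]$Server = 'localhost')
    $fqdn = $Name.TrimEnd('.')
    $aRecords = Resolve-DnsName -Name $fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
    foreach ($rec in $aRecords) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
        [pscustomobject]@{
            Name      = $fqdn
            IPAddress = $rec.IPAddress
            PtrName   = ($ptr.NameHost -join ',')
            Match     = [bool]($ptr | Where-Object { $_.NameHost.TrimEnd('.') -eq $fqdn })
        }
    }
}

Test-ForwardReverseMatch -Name 'training.contoso.com'
Resolve-DnsName -Name 'contoso.com' -Type MX -Server localhost -DnsOnly
Resolve-DnsName -Name '_ldap._tcp.contoso.com' -Type SRV -Server localhost -DnsOnly
```

A Match of False for a host you own usually means the A record was changed without -CreatePtr or the reverse zone is delegated elsewhere; for an external address it simply means you should not trust the PTR name on its own.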

How Internet DNS Names Are Resolved
When resolving DNS names on the Internet, an entire system of computers is used rather than just
a single server. There are hundreds of servers on the Internet, called root servers, which anchor the
overall process of DNS resolution. These servers are represented by 13 FQDNs; a list of these 13
servers (the root hints) is preloaded on each DNS server. When you register a domain name on the Internet, you
are paying to become part of this system.

To see how these servers work together to resolve a DNS name, let us look at the name resolution
process for the name www.microsoft.com:

1. A workstation queries the local DNS server for the IP address of www.microsoft.com.

2. If the local DNS server does not have the information, then it queries a root DNS server for the
location of the .com DNS servers.

3. The local DNS server queries a .com DNS server for the location of the microsoft.com DNS servers.

4. The local DNS server queries the microsoft.com DNS server for the IP address of www.microsoft.com.

5. The IP address of www.microsoft.com is returned to the workstation.

The name resolution process can be modified by caching or forwarding:

• Caching. After a local DNS server resolves a DNS name, it caches the result for the time-to-live (TTL)
set on the record by the authoritative server, typically up to 24 hours. Subsequent resolution requests for
the DNS name are answered from the cached information.

• Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead
of querying root servers. For example, requests for all Internet names can be forwarded to a DNS
server at an Internet service provider (ISP).
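Steps 2 to 4 above, performed by hand, as an added example that is not part of the course text. Every query is sent with recursion disabled, so each server answers only with what it holds: either the answer, or a referral (NS records in the authority section with glue addresses in the additional section) to the next level down. Assumptions: outbound DNS (UDP and TCP 53) is permitted, 198.41.0.4 (a.root-servers.net) is reachable, and Resolve-DnsName returns the authority and additional records of a referral, which it exposes through the Section property.

```powershell
# Added example: walk the delegation chain from a root server (not code from the course).
function Resolve-Iteratively {
    param(
        [string]$Name,
        [string]$RootServer = '198.41.0.4',   # a.root-servers.net; any root hint works
        [int]$MaxHops = 12
    )
    $server = $RootServer
    $target = $Name.TrimEnd('.')
    $trace  = New-Object System.Collections.Generic.List[string]

    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        $r = Resolve-DnsName -Name $target -Type A -Server $server -NoRecursion -DnsOnly -ErrorAction Stop

        # An answer ends the walk (step 4 in the text).
        $answerA = @($r | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' })
        if ($answerA.Count -gt 0) {
            $trace.Add("$server answered: $($answerA.IPAddress -join ', ')")
            return [pscustomobject]@{ Name = $target; IPAddress = $answerA.IPAddress; Trace = $trace }
        }

        # www names are often aliases; resolve the CNAME target starting from the root again.
        $cname = $r | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($cname) {
            $trace.Add("$server answered: $target is an alias for $($cname.NameHost)")
            $target = $cname.NameHost.TrimEnd('.')
            $server = $RootServer
            continue
        }

        # Otherwise expect a referral (steps 2 and 3): follow the first NS, using glue if provided.
        $ns = $r | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' } | Select-Object -First 1
        if (-not $ns) { throw "No answer and no referral from $server for $target" }
        $glue = $r | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $_.Name -eq $ns.NameHost } |
                Select-Object -First 1
        if ($glue) {
            $next = $glue.IPAddress
        } else {
            # No glue: the name server's own address must be resolved (recursively, for brevity).
            $next = (Resolve-DnsName -Name $ns.NameHost -Type A -DnsOnly | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        }
        $trace.Add("$server referred $target to $($ns.Name) name server $($ns.NameHost) ($next)")
        $server = $next
    }
    throw "Gave up after $MaxHops hops"
}

$result = Resolve-Iteratively -Name 'www.microsoft.com'
$result.Trace
$result.IPAddress
```

The trace makes the trust model visible: every hop is an unauthenticated UDP answer from whichever server the previous hop named, which is what DNSSEC signatures and response validation on the resolver are meant to protect.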

What Is Link-Local Multicast Name Resolution?
Windows Server 2012 supports Link-Local Multicast Name Resolution (LLMNR), a method for
resolving names to IP addresses without a server. Because of various limitations (which are beyond the
scope of this lesson) it is usually used only on small, local networks. Although LLMNR is able to resolve
IPv4 addresses, it was designed specifically for IPv6; so if you want to use it, you must have IPv6
supported and enabled on your hosts.
LLMNR is commonly used in networks where:

• There are no DNS or NetBIOS services for name resolution.

• Implementation of these services is not practical for any reason.

• These services are not available.

For example, you might want to set up a temporary network for testing purposes without server
infrastructure.

LLMNR is supported on Windows Vista®, Windows Server 2008 and all newer Windows operating systems.
It uses a simple system of multicast request and unicast reply messages to resolve computer names to IPv6 or IPv4
addresses.

To use LLMNR, you need to turn on the Network Discovery feature for all nodes on the local subnet. This
feature is available in the Network and Sharing Center. Be aware that Network Discovery is usually
disabled for any network that you designate as Public.

Because any host on the link can reply to an LLMNR query, an attacker on the same subnet can answer
queries for mistyped or nonexistent names and direct the client to itself, for example to capture
authentication attempts. On managed networks where DNS is available, disable LLMNR.

If you want to control the use of LLMNR on your network, you can configure it via Group Policy. To
disable LLMNR via Group Policy, set the following Group Policy value:

Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off
Multicast Name Resolution.
Set this value to Enabled if you do not want to use LLMNR, or to Disabled if you want to use LLMNR.
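The Group Policy setting above, applied and verified from PowerShell, as an added example that is not part of the course text. The policy writes the DWORD value EnableMulticast under the DNSClient policy key; 0 corresponds to the policy being Enabled (LLMNR off). Writing it locally is appropriate for a standalone host or for checking what a GPO actually delivered; on domain members the GPO will reapply its own value at refresh.

```powershell
# Added example: check and set the "Turn off multicast name resolution" policy (not code from the course).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    $value = Get-ItemProperty -Path $PolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $state = if ($null -eq $value) { 'Not configured (LLMNR on)' } elseif ($value.EnableMulticast -eq 0) { 'Disabled by policy' } else { 'Enabled by policy' }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EnableMulticast = $value.EnableMulticast
        Llmnr           = $state
    }
}

function Disable-Llmnr {
    # Same effect as setting the Group Policy value to Enabled.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EnableMulticast -Value 0 -Type DWord
    Get-LlmnrState
}

function Enable-Llmnr {
    # Same effect as setting the Group Policy value to Disabled (LLMNR allowed).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EnableMulticast -Value 1 -Type DWord
    Get-LlmnrState
}

Get-LlmnrState
Disable-Llmnr
# Functional check: with LLMNR off, an LLMNR-only query for a name absent from DNS fails
# immediately instead of waiting for a neighbour (or an attacker) to answer it.
Resolve-DnsName -Name 'nosuchhost' -LlmnrOnly -ErrorAction SilentlyContinue
```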

How a Client Resolves a Name
Windows operating systems support a number of different methods for resolving computer names,
such as DNS, WINS, and the host name resolution process. DNS is the Microsoft standard for
resolving host names to IP addresses and is described in detail in the second topic of this
lesson, What Is DNS.

WINS
WINS provides a centralized database for registering dynamic mappings of a network's
NetBIOS names. Support is retained for WINS to provide backward compatibility.
You can also resolve NetBIOS names by using:

• Broadcast messages. Broadcast messages, however, do not work well on large networks because
routers do not propagate broadcasts.

• An Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high
maintenance solution, because you must maintain the file manually on all computers.

Note: The DNS server role in Windows Server 2008 and later, including Windows Server 2012, also
provides a zone type, the GlobalNames zone, which you can use to contain single-label
names that are unique across an entire forest. This eliminates the need to use the NetBIOS-based
WINS to provide support for single-label names.

Host Name Resolution Process
When an application specifies a host name and uses Windows sockets, TCP/IP uses the DNS resolver cache
and DNS when attempting to resolve the host name. The hosts file is loaded into the DNS resolver cache.
If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving
host names.
Windows operating systems resolve host names by:

1. Checking whether the host name is the same as the local host name.

2. Searching the DNS resolver cache. Entries from the hosts file are pre-loaded into the DNS client
resolver cache.

3. Sending a DNS request to its configured DNS servers.

4. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.

5. Contacting the host's configured WINS servers.

6. Broadcasting as many as three NetBIOS name query request messages on the subnet that is directly
attached.

7. Searching the Lmhosts file.

Note: You can control the order used to resolve names. For example, if you disable
NetBIOS over TCP/IP, none of the NetBIOS name resolution methods are attempted.
Alternatively, you can modify the NetBIOS node type, which changes the order in which the
NetBIOS name resolution methods are attempted. On Windows Vista and later, LLMNR, if it is enabled, is
tried after DNS fails and before the NetBIOS methods.

Troubleshooting Name Resolution
Like most other technologies, name resolution sometimes requires troubleshooting. Issues can
occur when the DNS server, and its zones and resource records, are not configured properly.
When resource records are causing issues, it can sometimes be more difficult to identify the issue
because configuration problems are not always obvious.

Tools and Commands
The command-line tools and commands that you use to troubleshoot these and other configuration
issues are as follows:

• Nslookup: Use this tool to query DNS information. The tool is flexible and can provide a lot of
valuable information about DNS server status. You also can use it to look up resource records and
validate their configuration. Additionally, you can test zone transfers, security options, and MX record
resolution.

• Dnscmd: Use this command-line tool to manage the DNS server role. This tool is useful in scripting
batch files to help automate routine DNS management tasks or to perform simple unattended setup
and configuration of new DNS servers on your network.

• Dnslint: Use this tool to diagnose common DNS issues. This tool diagnoses configuration issues in
DNS quickly, and can generate a report in HTML format regarding the status of the domain that you
are testing.

• IPconfig: Use this command to view and modify IP configuration details that the computer uses. This
tool includes additional command-line options that you can use to troubleshoot and support DNS
clients. You can view the client's local DNS cache using the command ipconfig /displaydns, and you
can clear the local cache using ipconfig /flushdns. If you want to re-register a host in DNS, you can
use ipconfig /registerdns.

• Monitoring on the DNS server: To test whether the server can communicate with upstream servers you can
perform simple local queries and recursive queries from the DNS server's Monitoring tab. You also can
schedule these tests for regular intervals. The Monitoring tab is found in the DNS server's
Properties window in Windows Server 2008 and later, including Windows Server 2012.

Troubleshooting Process
When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache
between resolution attempts. If you cannot connect to a remote host and suspect a name resolution
problem, troubleshoot the name resolution as follows:

1. Open an elevated command prompt, and then clear the DNS resolver cache by typing IPConfig
/flushdns.

2. Attempt to ping the remote host by its IP address. This helps identify whether the issue is related to
name resolution. If the ping succeeds with the IP address but fails by its host name, then the problem
is related to name resolution. Remember that ping depends on ICMP echo being allowed through
firewalls, so a failed ping by IP address does not by itself prove a network fault.

3. Attempt to ping the remote host by its host name. For accuracy, use the FQDN with a trailing period.
For example, if you are working at Contoso, Ltd, you would enter the following command at the
command prompt: Ping LON-dc1.contoso.com.

4. If the ping is successful, then the problem is most likely not related to name resolution. If the ping is
unsuccessful, edit the C:\Windows\System32\drivers\etc\hosts text file, and add the appropriate entry
to the end of the file. In the previous Contoso, Ltd example, you would add the following line and
save the file:

10.10.0.10 LON-dc1.contoso.com

5. Perform the ping-by-host-name test once more. Name resolution should now be successful. Verify
that the name resolved correctly by examining the DNS resolver cache. To display the DNS resolver
cache, at a command prompt type IPConfig /displaydns.

6. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.

7. At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:

Nslookup.exe -d2 LON-dc1.contoso.com. > filename.txt

Note: You also should know how to interpret the DNS resolver cache output so that you
can identify whether the name resolution problem lies with the client computer’s configuration,
the name server, or the configuration of records within the name server zone database.
Unfortunately interpreting the DNS resolver cache output is beyond the scope of this lesson.
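The seven steps above, as an added PowerShell example that is not part of the course text. It runs from an elevated prompt on a Windows 8 or Windows Server 2012 client and uses the DnsClient module cmdlets that correspond to ipconfig /flushdns, ping and nslookup. The host name LON-DC1.contoso.com. and the address 10.10.0.10 are the page's Contoso example; the function name and its result messages are assumptions.

```powershell
# Added example, not from the course text. Walks the name-resolution triage from an elevated
# PowerShell prompt on the client. Function name, messages and defaults are assumptions.
function Test-NameResolution {
    param(
        [string]$Fqdn      = 'LON-DC1.contoso.com.',   # trailing period: absolute name, no suffix search
        [string]$IPAddress = '10.10.0.10'
    )

    # Step 1: start from an empty resolver cache so a stale entry cannot mask the real answer.
    Clear-DnsClientCache

    # Step 2: reachability by IP address. If this fails, the fault is not name resolution.
    if (-not (Test-Connection -ComputerName $IPAddress -Count 2 -Quiet)) {
        return "NETWORK: $IPAddress does not answer ping; fix connectivity before looking at DNS."
    }

    # Step 3: resolve the absolute FQDN through DNS only. -DnsOnly skips LLMNR and NetBIOS and
    # -NoHostsFile skips the hosts file, so the answer reflects the configured DNS server alone.
    $answer = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    if ($answer -and ($answer.IPAddress -contains $IPAddress)) {
        return "OK: $Fqdn resolved to $IPAddress via DNS."
    }
    if ($answer) {
        # The name resolves, but to another address: a stale or tampered record, not a transport fault.
        return "WRONG RECORD: $Fqdn resolved to $($answer.IPAddress -join ',') instead of $IPAddress."
    }

    # Step 7 equivalent: query every configured DNS server directly to locate the failing stage.
    # A 'name does not exist' error means the server answered and the zone lacks the record;
    # a timeout means the server itself is unreachable. Compare with the nslookup -d2 output.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses } |
               Select-Object -ExpandProperty ServerAddresses -Unique
    foreach ($server in $servers) {
        try {
            $direct = Resolve-DnsName -Name $Fqdn -Type A -Server $server -DnsOnly -ErrorAction Stop
            return "RESOLVER: $server answers $($direct.IPAddress -join ',') when asked directly; check the client's DNS server list and suffix settings."
        } catch {
            Write-Warning ("{0}: {1}" -f $server, $_.Exception.Message)
        }
    }
    return "SERVER/ZONE: no configured DNS server ($($servers -join ',')) returned an answer for $Fqdn; see the warnings above."
}

Test-NameResolution
```

Resolve-DnsName is called with -NoHostsFile so the hosts-file workaround in steps 4 to 6 cannot hide a DNS fault; run it again without that switch to watch a hosts entry take effect, and run Get-DnsClientCache after a successful pass to see what the resolver stored (the equivalent of step 5).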

Lesson 2
Installing and Managing a DNS Server
To use a DNS service, you must first install it. Installing the DNS service on a DNS server is a simple procedure. To manage your DNS service, it is important that you understand the DNS server components and their purpose. In this lesson, you will learn about DNS components, and about how to install and manage the DNS Server role.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the components of a DNS solution.

• Describe root hints.

• Describe DNS queries.

• Describe forwarding.

• Explain how DNS server caching works.

• Describe how to install the DNS server role.

What Are the Components of a DNS Solution?
The components of a DNS solution include DNS servers, DNS servers on the Internet, and DNS resolvers, or DNS clients.

DNS Server
A DNS server answers recursive and iterative DNS queries. DNS servers also can host one or more zones of a particular domain. Zones contain different resource records. DNS servers also can cache lookups to save time for common queries.

DNS Servers on the Internet
DNS servers on the Internet are accessible publicly. These servers host information about public domains, such as common top-level domains (TLDs) (for example .COM, .NET, and .EDU).

DNS Resolver
The DNS resolver generates and sends iterative or recursive queries to the DNS server. A DNS resolver can be any computer that is performing a DNS lookup that requires interaction with the DNS server. DNS servers also can issue DNS requests to other DNS servers.

What Are Root Hints?
As previously discussed in lesson one, topic four, root hints are a list of the 13 FQDNs on the Internet that your DNS server uses if it cannot resolve a DNS query by using a DNS forwarder or its own cache. The root hints list the highest servers in the DNS hierarchy, and can provide the necessary information for a DNS server to perform an iterative query to the next lowest layer of the DNS namespace.

Root servers are installed automatically when you install the DNS role. They are copied from the cache.dns file that is included in the DNS role setup files. You also can add root hints to a DNS server to support lookups for non-contiguous domains within a forest.

When a DNS server communicates with a root hint server, it uses only an iterative query. If you select the Do Not Use Recursion For This Domain option (in the DNS server properties window), the server will not be able to perform queries on the root hints. If you configure the server using a forwarder, it will attempt to send a recursive query to its forwarding server; then if the forwarding server does not answer this query, the first server responds that the host could not be found.

It is important to understand that recursion on a DNS server and recursive queries are not the same thing. Recursion on a DNS server means that the server uses its root hints to try to resolve a DNS query, whereas a recursive query is a query that is made to a DNS server in which the requester asks the server to assume the responsibility for providing a complete answer to the query. The next topics discuss recursive queries in more detail.

What Are DNS Queries?
A DNS query is a name resolution query that is sent to a DNS server. The DNS server then provides either an authoritative or a non-authoritative response to the client query.

Note: It is important to note that DNS servers also can act as DNS resolvers and send DNS queries to other DNS servers.

Authoritative or Non-Authoritative Responses
The two types of responses are:

• Authoritative. An authoritative response is one in which the server returns an answer that it knows is correct, because the request is directed to the authoritative server that manages the domain. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone.

• Non-authoritative. A non-authoritative response is one where a DNS server that does not host the requested domain answers a query from its cache, or by using forwarders or root hints. Because the answer provided might not be accurate (because only the authoritative DNS server for the given domain can issue that information), it is called a non-authoritative response.

If the DNS server is authoritative for the query’s namespace, the DNS server checks the zone and then
does one of the following:

• Returns the requested address.

• Returns an authoritative “No, that name does not exist.”

Note: An authoritative answer can be given only by the server with direct authority for the
queried name.

If the local DNS server is non-authoritative for the query’s namespace, then the DNS server does one of
the following:

• Checks its cache and returns a cached response.

• Forwards the unresolvable query to a specific server, called a forwarder.

• Uses well-known addresses of multiple root servers to find an authoritative DNS server to resolve the
query. This process uses root hints.

Recursive Queries
In a recursive query the requester asks the DNS server to provide a fully resolved name before returning
the answer. The DNS server may have to perform several queries to other DNS servers before it finds the
answer.

A recursive query has two possible results:

• The DNS server returns the IP address of the host requested.


• The DNS server cannot resolve an IP address.

For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. In doing so,
the DNS server in question will not attempt to forward its DNS requests to another server. This is useful
when you do not want a particular DNS server to communicate outside its local network.

Iterative Queries
Iterative queries access domain name information that resides across the DNS system; by using them, you
can resolve names across many servers quickly and efficiently. When a DNS server receives a request that
it cannot answer using its local information or its cached lookups, it makes the same request to another
DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer
with either the IP address for the domain name (if known), or with a referral to the DNS servers that are
responsible for the domain being queried.

What Is Forwarding?
A forwarder is a network DNS server that forwards queries for external names to DNS servers outside that network. You also can create and use conditional forwarders to forward queries according to specific domain names.

Once you designate a network DNS server as a forwarder, then other DNS servers in the network forward to it the queries that they cannot resolve locally. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet. This improves the efficiency of name resolution for your network's computers.

The forwarder must be able to communicate with the DNS server that is located on the Internet. This means either you configure it to forward requests to another DNS server, or configure it to use root hints to communicate.

Best Practice: Use a central forwarding DNS server for Internet name resolution. This can improve security because you can isolate the forwarding DNS server in a perimeter network, which ensures that no server within the network is communicating directly to the Internet.

Conditional Forwarder
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the query's DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest.

Conditional Forwarding in Windows Server 2008 R2 and 2012
In Windows Server 2008 R2 and Windows Server 2012, the conditional forwarder configuration has been moved to a node in the DNS console. You can replicate this information to other DNS servers through Active Directory integration.

Best Practice: Use conditional forwarders if you have multiple internal namespaces. This
provides for faster name resolution.
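An added PowerShell example, not part of the course text, that applies the forwarding guidance in this topic and the advice in the Recursive Queries topic above about disabling recursion for security. It uses the DnsServer module on Windows Server 2012; the perimeter forwarder address, the corp.contoso.com master servers and the edge server name LON-EDGE1 are assumptions.

```powershell
# Added example, not from the course text. Addresses and the LON-EDGE1 name are assumptions.
Import-Module DnsServer

# 1. Internal DNS servers: send everything they are not authoritative for to the central
#    forwarder in the perimeter network, and do NOT fall back to root hints, so an internal
#    server never talks to the Internet directly even when the forwarder is down.
$perimeterForwarder = '172.16.0.10'     # assumed address of the central forwarding server
Set-DnsServerForwarder -IPAddress $perimeterForwarder -UseRootHint $false -Timeout 3

# 2. Conditional forwarder for a second internal namespace, stored in AD DS so every DC that
#    runs DNS in the forest receives it instead of each server being configured by hand.
Add-DnsServerConditionalForwarderZone -Name 'corp.contoso.com' `
    -MasterServers '10.10.0.10', '10.10.0.11' -ReplicationScope 'Forest'

# 3. Keep the "secure cache against pollution" check on internal servers: answers outside the
#    queried name's subtree are discarded rather than cached.
Set-DnsServerRecursion -SecureResponse $true

# 4. An authoritative-only server that is reachable from outside should not recurse for anyone.
#    With recursion off it answers only for its own zones, cannot be used as an open resolver,
#    and has no cache to poison. Note that this also disables forwarders on that server.
Set-DnsServerRecursion -Enable $false -ComputerName 'LON-EDGE1'

# 5. Verify: the flag on the edge server, the forwarder list here, and a recursive query for an
#    outside name that must fail on the edge server but succeed through the internal forwarder.
Get-DnsServerRecursion -ComputerName 'LON-EDGE1' | Select-Object Enable, SecureResponse
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name 'www.example.com' -Type A -Server 'LON-EDGE1' -DnsOnly -ErrorAction SilentlyContinue   # expect no answer
Resolve-DnsName -Name 'www.example.com' -Type A -Server 'LON-DC1'   -DnsOnly                                # expect answer via forwarder
```

Setting -UseRootHint $false is the configuration form of the best practice above: without it, a server whose forwarder stops answering silently falls back to root hints and starts querying the Internet on its own.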

How DNS Server Caching Works
DNS caching increases the performance of the organization's DNS system by decreasing the time it takes to provide DNS lookups. When a DNS server resolves a DNS name successfully, it adds the name to its cache. Over time, this builds a cache of domain names and their associated IP addresses for most of the domains that the organization uses or accesses.

The default time to keep a name in the cache is one hour. The zone owner can change this by modifying the SOA record for the appropriate DNS zone.

A caching-only server is the ideal type of DNS server to use as a forwarder. It will not host any DNS zone data; it only answers lookup requests for DNS clients.

In Windows Server 2012, you can access the content of the DNS server cache by selecting the Advanced view in the DNS Manager console. When you enable this view, cached content displays as a node in DNS Manager. You can also delete single entries (or the entire cache) from the DNS server cache.

The DNS client cache is a DNS cache that the DNS Client service stores on the local computer. To view client-side caching, at a command-line prompt run the ipconfig /displaydns command. This will display the local DNS client cache. If you need to clear the local cache, you can use ipconfig /flushdns.

You can prevent records in the DNS server cache from being overwritten with the DNS Cache Locking feature, which is available in Windows Server 2008 R2 and Windows Server 2012. When enabled, a cached record will not be overwritten until a configurable percentage (100 percent by default) of its time to live (TTL) value has elapsed. Cache locking provides improved security against cache poisoning attacks, in which an attacker tries to push a replacement record into the server cache before the legitimate record expires.

How to Install the DNS Server Role
The DNS server role is not installed on Windows Server 2012 by default. Instead, you must add it in a role-based manner when you configure the server to perform the role. You install the DNS server role by using the Add Roles and Features Wizard in Server Manager.

You can also add the DNS server role from the Domain Controller Options page of the Active Directory Domain Services Installation Wizard, during which you promote your server to a domain controller.

Once you install the DNS server role, the DNS Manager snap-in becomes available to add to your administrative consoles. The snap-in is added automatically to the Server Manager console and to the DNS Manager console. You can run DNS Manager from the Run window by typing dnsmgmt.msc.

When you install the DNS server role, the dnscmd.exe command-line tool is also added. You can use the DNSCmd tool to script and automate DNS configuration. For help with this tool, at the command prompt, type: dnscmd.exe /?

To administer a remote DNS server, add the Remote Server Administrative tools to your administrative
workstation, which must be running a Windows Vista SP1 or newer Windows operating system.

Demonstration: Installing the DNS Server Role


In many scenarios you will want to have more than one DNS server on your network. You can install
additional DNS servers by using Server Manager console. If you want to enable your DNS server to resolve
Internet names, you will probably want to enable forwarding.

Demonstration Steps

Install a second DNS server


1. On LON-SVR1, open Server Manager.

2. Start the Add Roles and Features Wizard.


3. Add the DNS Server role.

Configure Forwarding
• Configure the DNS Server with a forwarder on IP address 172.16.0.10.

Lesson 3
Managing DNS Zones
DNS service is a key service for AD DS. Servers and clients alike use DNS to locate domain controllers and other services within the network. You usually install a DNS server with a domain controller during domain controller promotion. The DNS server can then host zone data in an Active Directory database. In this lesson, you will learn about Active Directory–integrated DNS zones.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe DNS zone types.

• Describe dynamic updates.

• Describe Active Directory–integrated zones.

• Describe how to create an Active Directory–integrated zone.

What Are DNS Zone Types?
The four DNS zone types are:

• Primary

• Secondary

• Stub

• Active Directory–integrated

Primary zone
When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data either in a local file or in AD DS. When the DNS server stores the zone in a file, the primary zone file by default is named zone_name.dns, and is located on the server in the %windir%\System32\Dns folder. When the zone is not stored in AD DS, this is the only DNS server that has a writable copy of the database.

Secondary zone
When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone information. The zone at this server must be obtained from another remote DNS server that also hosts the zone. This DNS server must have network access to the remote DNS server to receive updated zone information. Because a secondary zone is a copy of a primary zone that another server hosts, the secondary zone cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from non-Windows DNS zones.

Stub zone
A stub zone is a replicated copy of a zone that contains only those resource records that are necessary to identify that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

A stub zone consists of the following:

• The delegated zone's SOA resource record, NS resource records, and A resource records.

• The IP address of one or more master servers that you can use to update the stub zone.

The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone. Usually this is the DNS server that is hosting the primary zone for the delegated domain name.

Active Directory–Integrated zone
If AD DS stores the zone, then DNS can use the multimaster replication model to replicate the primary zone. This enables you to edit zone data on more than one DNS server simultaneously.

What Are Dynamic Updates?
A dynamic update is an update to DNS in real time. Dynamic updates are important for DNS clients that change locations, because they can dynamically register and update their resource records without manual intervention.

The Dynamic Host Configuration Protocol (DHCP) Client service performs the registration, regardless of whether the client's IP address is obtained from a DHCP server, or is fixed. The registration occurs during the following events:

• When the client starts and the DHCP Client service is started.

• When an IP address is configured, added, or changed on any network connection.

• When an administrator runs the command-line command ipconfig /registerdns.

The process of dynamic updates is as follows:

1. The client identifies a name server and sends an update. If the name server hosts only a secondary zone then the name server refuses the client's update. If the zone is not an Active Directory–integrated zone, the client may have to do this several times.

2. Eventually, if the zone supports dynamic updates, the client reaches a DNS server that can write to the zone. This is the primary server for a standard, file-based zone or any domain controller that is a name server for an Active Directory–integrated zone.

3. If the zone is configured for secure dynamic updates, the DNS server refuses the change. The client then authenticates and re-sends the update.

In some configurations, you may not want clients to update their records even in a dynamic update zone. In this case you can configure the DHCP server to register the records on the clients' behalf. By default, a client registers its A (host/address) record, and the DHCP server registers the PTR (pointer/reverse lookup) record.

By default, Windows operating systems attempt to register their records with their DNS server. You can modify this behavior in the client IP configuration, or through Group Policy.

What Are Active Directory-Integrated Zones?
In Lesson 1, you learned that a DNS server can store zone data in the AD DS database provided that the DNS server is an AD DS domain controller. When this happens, this creates an Active Directory–integrated zone.

The benefits of an Active Directory–integrated zone are significant:

• Multimaster updates. Unlike standard primary zones, which can only be modified by a single primary server, Active Directory–integrated zones can be written to by any writable DC to which the zone is replicated. This builds redundancy into the DNS infrastructure. In addition, multimaster updates are particularly important in geographically distributed organizations that use dynamic update zones, because clients can update their DNS records without having to connect to a potentially geographically distant primary server.

• Replication of DNS zone data by using AD DS replication. One of the characteristics of Active Directory replication is attribute-level replication, in which only changed attributes are replicated. An Active Directory–integrated zone can leverage these benefits of Active Directory replication, rather than replicating the entire zone file as in traditional DNS zone transfer models.

• Secure dynamic updates. An Active Directory–integrated zone can enforce secure dynamic updates.

• Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows you to delegate administration of zones, domains, and resource records by modifying the access control list (ACL) on the zone.

Question: Can you think of any disadvantages to storing DNS information in AD DS?

Demonstration: Creating an Active Directory–Integrated Zone
To create an Active Directory–integrated zone, you must install DNS server on a domain controller. All changes in an Active Directory–integrated zone are replicated to all other DNS servers on domain controllers through the AD DS replication mechanism.

Demonstration Steps

Create an Active Directory–integrated zone
1. On LON-DC1, open the DNS Manager console.

2. Start the New Zone Wizard.

3. Create a new Active Directory–integrated forward lookup zone.

4. Name the zone Contoso.com.

5. Allow only secure dynamic updates.

6. Review records in the new zone.

Create a record

• Create a new Host record in the Adatum.com zone named www which points to 172.16.0.100.

Verify replication to a second DNS server


• Verify that new record is replicating to the LON-SVR1 DNS server.

Lab: Implementing DNS


Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location
and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows
8 clients. You need to configure the infrastructure service for a new branch office.

Your manager has asked you to configure the domain controller in the branch office as a DNS server. You
have also been asked to create some new host records to support a new application that is being
installed. Finally, you need to configure forwarding on the DNS server in the branch office to support
Internet name resolution.

Objectives
After completing this lab you will be able to:

• Install and configure DNS.

• Create host records in DNS.


• Manage the DNS server cache.

Lab Setup
Estimated Time: 40 minutes

Logon Information

Virtual Machines 20410A-LON-DC1


20410A-LON-SVR1
20410A-LON-CL1

User Name Adatum\Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd
o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Exercise 1: Installing and Configuring DNS


Scenario
As part of configuring the infrastructure for the new branch office, you need to configure a DNS server
that will provide name resolution for the branch office. The DNS server in the branch office will also be a
domain controller. The Active Directory-integrated zones required to support logons will be replicated
automatically to the branch office.

The main tasks for this exercise are as follows:

1. Configure LON-SVR1 as a domain controller without installing the DNS server role.

2. Review configuration settings on the existing DNS server to confirm root hints.
3. Add the DNS server role for the branch office on the domain controller.

4. Verify replication of the Adatum.com Active Directory–integrated zone.

5. Use NSLookup to test non-local resolution.

6. Configure Internet name resolution to forward to the head office.

7. Use NSLookup to confirm name resolution.

X Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server
role
1. Use Add roles and features task in Server Manager to add the Active Directory Domain Services
role to LON-SVR1.

2. Start the wizard to promote LON-SVR1 to domain controller.

3. Choose to add LON-SVR1 as additional domain controller in Adatum.com domain.


4. Do not install DNS Server.

X Task 2: Review configuration settings on the existing DNS server to confirm root
hints
1. On LON-DC1, open the DNS Manager console.

2. In DNS Manager, open the Properties window of LON-DC1.


3. Review root hints and forwarder configuration.

X Task 3: Add the DNS server role for the branch office on the domain controller
• Use Server Manager to add the DNS Server role to LON-SVR1.

X Task 4: Verify replication of the Adatum.com Active Directory–integrated zone


1. On LON-SVR1, open the DNS Manager console.

2. Expand Forward Lookup Zones, and verify that the Adatum.com and _msdcs.Adatum.com zones
are replicated.

If you do not see these zones, open Active Directory Sites and Services, and force replication between
LON-DC1 and LON-SVR1, and then try again.

X Task 5: Use NSLookup to test non-local resolution


1. On LON-SVR1, on Local Area Connection Network Adapter, in the preferred DNS server field,
remove the IP address 172.16.0.10.

2. Make 127.0.0.1 the preferred DNS server for LON-SVR1.

3. Open a command prompt window on LON-SVR1, and start nslookup.

4. Try to resolve www.nwtraders.msft with nslookup.

5. You will receive negative reply (this is expected).



X Task 6: Configure Internet name resolution to forward to the head office


1. On LON-SVR1, open the DNS Manager console.

2. Configure a forwarder for LON-SVR1 to be 172.16.0.10.

X Task 7: Use NSLookup to confirm name resolution


• On LON-SVR1, in a command prompt window, start nslookup and try to resolve
www.nwtraders.msft. You should get a reply and an IP address.

Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.
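The Lesson 2 demonstration (install a second DNS server on LON-SVR1 and configure a forwarder) and Tasks 3 to 7 of this exercise, as one added PowerShell example that is not part of the course text. It runs locally on LON-SVR1 after Task 1 has promoted it; the addresses and zone names are the lab's, while the interface alias Ethernet and the five-minute replication wait are assumptions.

```powershell
# Added example, not from the course text. Run on LON-SVR1 after it is a domain controller.
# Interface alias and the replication timeout are assumptions; addresses come from the lab.
Import-Module ServerManager
$headOfficeDns = '172.16.0.10'           # LON-DC1, which becomes the forwarder
$expectedZones = 'Adatum.com', '_msdcs.Adatum.com'

# Task 3: add the role together with DNS Manager and the DnsServer PowerShell module.
$install = Install-WindowsFeature -Name DNS -IncludeManagementTools
if (-not $install.Success) { throw "DNS Server role installation failed (exit code $($install.ExitCode))." }
Import-Module DnsServer

# Task 4: the AD-integrated zones arrive through AD DS replication, not by zone transfer, so wait
# for them instead of creating anything.
$deadline = (Get-Date).AddMinutes(5)
do {
    $zones = @(Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and ($_.ZoneName -in $expectedZones) })
    if ($zones.Count -lt $expectedZones.Count) { Start-Sleep -Seconds 15 }
} until ($zones.Count -eq $expectedZones.Count -or (Get-Date) -gt $deadline)
if ($zones.Count -lt $expectedZones.Count) {
    Write-Warning 'Zones not replicated yet: force replication in Active Directory Sites and Services and rerun.'
}
$zones | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# Task 5: make this server its own preferred DNS server and show that a non-local name fails,
# because the server has no forwarder yet and the lab network has no route to real root servers.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1'
$before = Resolve-DnsName -Name 'www.nwtraders.msft' -Type A -Server '127.0.0.1' -DnsOnly -ErrorAction SilentlyContinue
if ($before) { "Before forwarder: $($before.IPAddress -join ',')" } else { 'Before forwarder: no answer (expected)' }

# Task 6: forward everything this server is not authoritative for to head office.
Add-DnsServerForwarder -IPAddress $headOfficeDns -PassThru | Select-Object IPAddress, UseRootHint

# Task 7: the same query now succeeds by way of LON-DC1.
$after = Resolve-DnsName -Name 'www.nwtraders.msft' -Type A -Server '127.0.0.1' -DnsOnly
"After forwarder: $($after.IPAddress -join ',')"
```

Querying -Server 127.0.0.1 directly, rather than letting the local resolver pick a server, is what makes the before/after comparison meaningful: the result reflects only what this DNS server can resolve.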

Exercise 2: Creating Host Records in DNS


Scenario
Several new web-based applications are being implemented in the head office. Each application requires
that you configure a host record in DNS. You have been asked to create the new host records for these
applications.
The main tasks for this exercise are as follows:

1. Configure a client to use LON-SVR1 as a DNS server.

2. Create several host records in the Adatum.com domain for web apps.
3. Verify replication of new records to LON-SVR1.

4. Use the ping command to locate new records from LON-CL1.

X Task 1: Configure a client to use LON-SVR1 as a DNS server


1. Log on to LON-CL1 as Adatum\Administrator using the password Pa$$w0rd.
2. Open Control Panel.

3. Open the Properties window for the Local Area Network Connection adapter.

4. Configure preferred DNS server to be 172.16.0.21.

X Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, open DNS Manager.

2. Navigate to the Adatum.com forward lookup zone.

3. Create new record named www with IP address 172.16.0.100.

4. Create new record named ftp with IP address 172.16.0.200.

X Task 3: Verify replication of new records to LON-SVR1


1. On LON-SVR1, open DNS Manager.

2. Navigate to the Adatum.com forward lookup zone.


3. Ensure that records www and ftp display. (You might have to refresh the Adatum.com zone for these
records to appear.)

X Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, open a command prompt window.

2. Ping www.adatum.com. Ensure that ping resolves this name to 172.16.0.100.



3. Ping ftp.adatum.com. Make sure that ping resolves this name to 172.16.0.200.

Results: After completing this exercise, you will have configured DNS records.
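The record-creation steps of the Lesson 3 demonstration and of this exercise, as an added PowerShell example that is not part of the course text. Run it on LON-DC1 with the DnsServer module; the record names and addresses and the LON-SVR1 address 172.16.0.21 are the lab's values, while the ten-minute TTL and the remove-then-add handling of an existing record are assumptions.

```powershell
# Added example, not from the course text. Run on LON-DC1. Records are the lab's; TTL is an assumption.
Import-Module DnsServer
$zone    = 'Adatum.com'
$records = @{ www = '172.16.0.100'; ftp = '172.16.0.200' }   # constructed from the lab steps

# Create (or correct) each host record in the writable AD-integrated zone. A short TTL keeps a
# later address change from lingering in server and client caches for the default hour.
foreach ($name in $records.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing) { Remove-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -Force }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $records[$name] `
        -TimeToLive (New-TimeSpan -Minutes 10)
}

# Verify replication: every DC that hosts the zone must answer for the record itself. Asking each
# server directly (-Server) instead of the local resolver avoids reading a cached copy.
function Test-RecordReplicated {
    param([string[]]$Servers, [string]$Fqdn, [string]$Expected)
    foreach ($s in $Servers) {
        $a = Resolve-DnsName -Name $Fqdn -Type A -Server $s -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server = $s
            Name   = $Fqdn
            Answer = ($a.IPAddress -join ',')
            Ok     = ($a.IPAddress -contains $Expected)
        }
    }
}

$servers = '172.16.0.10', '172.16.0.21'      # LON-DC1, LON-SVR1
foreach ($name in $records.Keys) {
    Test-RecordReplicated -Servers $servers -Fqdn "$name.$zone" -Expected $records[$name]
}
# A row with Ok = False for 172.16.0.21 means AD DS replication has not run yet; force it from
# Active Directory Sites and Services, as Task 3 suggests, and run the check again.
```

Task 4's ping from LON-CL1 goes through the client's resolver cache; the direct per-server query above tells you which server is behind a wrong answer before you start flushing caches.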

Exercise 3: Managing the DNS Server Cache


Scenario
After you changed some host records in zones configured on LON-DC1, you noticed that clients that use
LON-SVR1 as their DNS server still get old IP addresses during name resolution. You want to determine
which component is caching this data.

The main tasks for this exercise are as follows:

1. Use the ping command to locate Internet record from LON-CL1.

2. Update Internet record to point to the LON-DC1 IP address, retry the location using ping.
3. Examine the content of the DNS cache.

4. Clear the cache, and retry ping.

X Task 1: Use the ping command to locate Internet record from LON-CL1
1. On LON-CL1, open a command prompt window.
2. Use ping to locate www.nwtraders.msft.

3. Ensure that name resolves to an IP address. Document the IP address.

X Task 2: Update Internet record to point to the LON-DC1 IP address, retry the
location using ping
1. On LON-DC1, open the DNS Manager console.
2. Navigate to the nwtraders.msft forward lookup zone.

3. Change the IP address for the record www to be 172.16.0.10.

4. From LON-CL1, ping www.nwtraders.msft


5. Note that you will still have this record resolved with old IP.

X Task 3: Examine the content of the DNS cache


1. On LON-SVR1, in the DNS Manager console, enable Advanced View.

2. Browse the content of the Cached Lookups container.


3. On LON-CL1, in a command prompt window, type ipconfig /displaydns.

4. Examine the cached content.

X Task 4: Clear the cache, and retry ping


1. Clear the cache on the LON-SVR1 DNS Server.

2. Retry the ping to www.nwtraders.msft on LON-CL1 (The result will still return the old IP address.)

3. Clear the client resolver cache on LON-CL1 by typing ipconfig /flushdns in a command prompt
window.

4. On LON-CL1, retry ping to www.nwtraders.msft. (The result should work.)
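The server and client caches described in "How DNS Server Caching Works" and separated in this exercise, as an added PowerShell example that is not part of the course text. It is meant to run on LON-CL1 with the DNS Server Tools from Remote Server Administration Tools installed (an assumption), so the DnsServer cmdlets can reach LON-SVR1 while the DnsClient cmdlets act on the local resolver; the host name and record are the lab's.

```powershell
# Added example, not from the course text. Run on LON-CL1 with RSAT DNS Server Tools (assumed).
Import-Module DnsServer
$dnsServer = 'LON-SVR1'
$name      = 'www.nwtraders.msft'

# 1. Which component still holds the old answer? Read the server cache and the local resolver
#    cache separately; whichever shows the stale address is the one that must be cleared.
Show-DnsServerCache -ComputerName $dnsServer |
    Where-Object { $_.HostName -like '*nwtraders*' } |
    Select-Object HostName, RecordType, TimeToLive, RecordData
Get-DnsClientCache -Name $name -ErrorAction SilentlyContinue |
    Select-Object Entry, RecordType, TimeToLive, Data

# 2. Clear the server first, then the client, then query again. Clearing only one of them, as
#    Task 4 shows, still returns the old address because the other cache answers first.
Clear-DnsServerCache -ComputerName $dnsServer -Force
Clear-DnsClientCache
Resolve-DnsName -Name $name -Type A -DnsOnly | Select-Object Name, IPAddress, TTL

# 3. Cache locking: a cached record cannot be replaced by a new answer until this percentage of
#    its TTL has elapsed (100 = the full TTL). This blocks an attacker from pushing a replacement
#    record into the server cache early, but it holds a legitimate change out for the same time,
#    which is exactly the symptom this exercise investigates.
Set-DnsServerCache -ComputerName $dnsServer -LockingPercent 100
Get-DnsServerCache -ComputerName $dnsServer | Select-Object LockingPercent, MaxTtl, MaxNegativeTtl
```

The TimeToLive column in step 1 shows how long each cache would have kept the stale answer on its own; a record's TTL, not the server's default, decides that.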



Results: After completing this exercise, you will have examined the DNS server cache.

X To prepare for next module


After you finish the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.



Module Review and Takeaways


Review Questions
Question: You are troubleshooting DNS name resolution from a client computer. What must you
remember to do before each test?

Question: You are deploying DNS servers into an Active Directory domain, and your customer
requires that the infrastructure is resistant to single points of failure. What must you consider
when planning the DNS configuration?

Question: What benefits do you realize by using forwarders?

Best Practices:
When implementing DNS, use the following best practices:

• Always use host names instead of NetBIOS names.

• Use forwarders rather than root hints.

• Be aware of potential caching issues (server cache and client resolver cache) when troubleshooting name resolution.


• Use Active Directory-integrated zones instead of primary and secondary zones.

Common Issues and Troubleshooting Tips


Common Issue                                    | Troubleshooting Tip
Client can sometimes cache invalid DNS records. |
DNS Server performs slowly.                     |

Tools
Name of tool                 | Used for               | Where to find it
DNS Manager console          | Manage DNS server role | Administrative Tools
NSLookup command line tool   | Troubleshoot DNS       | Command line utility
Ipconfig command line tool   | Troubleshoot DNS       | Command line utility



Module 8
Implementing IPv6
Contents:
Module Overview 8-1

Lesson 1: Overview of IPv6 8-2

Lesson 2: IPv6 Addressing 8-8

Lesson 3: Coexistence with IPv4 8-13

Lesson 4: IPv6 Transition Technologies 8-17

Lab: Implementing IPv6 8-22

Module Review and Takeaways 8-26

Module Overview
IPv6 is a technology that helps the Internet support a growing user base and an increasingly large number
of IP-enabled devices. The current IPv4 has been the underlying Internet protocol for almost thirty years.
Its robustness, scalability, and limited feature set are now challenged by the growing need for new IP
addresses. This is due in large part to the rapid growth of new network-aware devices.

Objectives
After completing this module, you will be able to:

• Describe the features and benefits of IPv6.


• Describe IPv6 addressing.

• Describe IPv6 coexistence with IPv4.

• Describe IPv6 transition technologies.



Lesson 1
Overview of IPv6
IPv6 has been included with Windows clients and servers starting with Windows Server 2008 and Windows
Vista. The use of IPv6 is becoming more common on corporate networks and parts of the Internet.

It is important for you to understand how this technology affects current networks, and how to integrate
IPv6 into those networks. This lesson discusses the benefits of IPv6, and how it differs from IPv4.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the benefits of IPv6.

• Describe the differences between IPv4 and IPv6.

• Describe the IPv6 address space.

Benefits of IPv6
IPv6 support is included in Windows Server 2012 and Windows 8. The following list of benefits
describes why IPv6 is being implemented.

Larger address space

The IPv6 address space is 128-bit, which is much larger than the 32-bit address space in IPv4.
A 32-bit address space has 2^32 or 4,294,967,296 possible addresses; a 128-bit address space has
2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4x10^38 or 340 undecillion) possible
addresses. As the Internet continues to grow, IPv6 provides for the required larger address space.

Hierarchical addressing and routing infrastructure
The IPv6 address space is designed to be more efficient for routers, which means that even though there
are many more addresses, routers can process data much more efficiently because of address
optimization.

Stateless and stateful address configuration
IPv6 has auto-configure capability without Dynamic Host Configuration Protocol (DHCP), and it can
discover router information so that hosts can access the Internet; this is referred to as a stateless address
configuration. A stateful address configuration is when you use the DHCPv6 protocol.

Required support for Internet Protocol security (IPsec)
The IPv6 standards require support for the Authentication Header (AH) and Encapsulating Security
Payload (ESP) headers that are defined by IPsec. Although support for specific IPsec authentication
methods and cryptographic algorithms are not specified, IPsec is defined from the start as the way to
protect IPv6 packets. This guarantees the availability of IPsec on all IPv6 hosts.
End-to-end communication
One of the design goals for IPv6 is to provide sufficient address space so that you do not have to use
translation mechanisms such as network address translation (NAT). This simplifies communication because
IPv6 hosts can communicate directly with each other over the Internet. This also simplifies support for
applications such as video conferencing and other peer-to-peer applications. However, many
organizations may choose to continue using translation mechanisms as a security measure.

Prioritized delivery
An IPv6 packet contains a field that specifies how fast the packet should be processed; so traffic can be
assigned a priority. For example, when you are streaming video traffic, it is critical that the packets arrive
in a timely manner. You can set this field to ensure that network devices determine that the packet
delivery is time-sensitive.

Improved support for single-subnet environments
IPv6 has much better support of automatic configuration and operation on single subnet networks. You
can use the automatic configuration features in IPv6 to create temporary ad-hoc networks through which
you can connect and share information.

Extensibility
IPv6 has been designed so that developers can extend it with much fewer constraints than IPv4.

Differences Between IPv4 and IPv6
When the IPv4 address space was designed, it was unimaginable that it could ever be exhausted.
However, due to changes in technology and an allocation practice that did not anticipate the
explosion of Internet hosts, it was clear by 1992 that a replacement would be necessary.

IPv6 addresses were made 128 bits long so that the address space can be subdivided into
hierarchical routing domains that reflect modern-day Internet topology. With 128 bits there are
enough bits to create multiple levels of hierarchy, and flexibility for designing hierarchical addressing
and routing. These are features that are currently lacking on the IPv4-based Internet.

IPv4 and IPv6 Comparison
The following table highlights the differences between IPv4 and IPv6.

IPv4: Source and destination addresses are 32 bits (4 bytes) long.
IPv6: Source and destination addresses are 128 bits (16 bytes) long.

IPv4: IPsec support is optional. Microsoft includes support for IPsec in the Microsoft® Windows 2000 and
newer operating systems, but it is not implemented by all vendors.
IPv6: IPsec support is required. Any device or operating system implementing IPv6 must support IPsec.

IPv4: The IPv4 header contains no identification of packet flow for Quality of Service (QoS) handling by
routers.
IPv6: Packet-flow identification for QoS handling by routers is included in the IPv6 header using the
Flow Label field.

IPv4: Fragmentation is done by both routers and the sending host.
IPv6: Fragmentation is not done by routers, only by the sending host.

IPv4: Header includes a checksum.
IPv6: Header does not include a checksum.

IPv4: Header includes options.
IPv6: All optional data is moved to IPv6 extension headers.

IPv4: Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to
a link-layer address.
IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.

IPv4: Internet Group Management Protocol (IGMP) is used to manage local subnet group membership.
IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages.

IPv4: Internet Control Message Protocol (ICMP) Router Discovery—which is optional—is used to determine
the IPv4 address of the best default gateway.
IPv6: ICMP Router Discovery is replaced with required ICMPv6 Router Solicitation and Router
Advertisement messages.

IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet.
IPv6: There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.

IPv4: Must be configured either manually or through DHCP.
IPv6: Does not require either manual configuration or DHCP.

IPv4: Uses host (A) resource records in the Domain Name System (DNS) to map host names to IPv4
addresses.
IPv6: Uses IPv6 host (AAAA) resource records in DNS to map host names to IPv6 addresses.

IPv4: Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to
host names.
IPv6: Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host
names.

IPv4: Must support a 576-byte packet size (possibly fragmented).
IPv6: Must support a 1280-byte packet size (without fragmentation).

IPv6 Equivalents to IPv4

The following table shows IPv6 equivalents to some common IPv4 addresses.

IPv4 Address                               | IPv6 Address
Unspecified address 0.0.0.0                | Unspecified address is ::
Loopback address is 127.0.0.1              | Loopback address is ::1
Autoconfigured addresses (169.254.0.0/16)  | Link-local addresses (FE80::/64)
Broadcast addresses                        | Not applicable in IPv6
Multicast addresses (224.0.0.0/4)          | IPv6 multicast addresses (FF00::/8)

IPv6 Address Space
The most distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are
expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers
represents a binary octet. In binary, 192.168.1.1 is as follows:

11000000.10101000.00000001.00000001 (4 octets = 32 bits)

However, an IPv6 address is four times larger than an IPv4 address. Because of this, IPv6 addresses
are expressed in hexadecimal (hex).

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve
hosts and will rarely type IPv6 addresses manually. The IPv6 address in hex is also easier to convert
between binary and hexadecimal than it is to convert between binary and decimal. This simplifies working
with subnets, and calculating hosts and networks.

Hexadecimal Numbering System (Base 16)
In the hexadecimal numbering system, some letters represent numbers because there must be 16 unique
symbols for each position. Because 10 symbols (0 through 9) already exist, there must be six new symbols
for the hex system; hence, the letters A through F are used. The hexadecimal number 10 is equal to the
decimal number 16.

Note: You can use the Calculator application included with Windows Server 2012 to
convert between binary, decimal, and hexadecimal numbers.

To convert an IPv6 binary address that is 128 bits long, you break it into eight blocks of 16 bits. You then
convert each of these eight blocks of 16 bits into four hex characters. For each of the blocks, you evaluate
four bits at a time. You should number each section of four binary numbers 1, 2, 4, and 8, starting from
the right and moving left. That is:

• The first bit [0010] is assigned the value of 1.

• The second bit [0010] is assigned the value of 2.

• The third bit [0010] is assigned the value of 4.

• The fourth bit [0010] is assigned the value of 8.

To calculate the hexadecimal value for this section of four bits, add up the value of each bit that is set to
1. In the example of 0010, the only bit that is set to 1 is the bit assigned the value 2. The rest are set to
zero. Therefore, the hex value of this section of four bits is 2.

Converting From Binary to Hexadecimal


The following table describes converting 8 bits of binary into hexadecimal:

[0010][1111]

Binary 0010 1111

Values of each binary position 8421 8421

Adding values where the bit is 1 0+0+2+0=2 8+4+2+1=15 or hexadecimal F

The following example is a single IPv6 address in binary form. Note that the binary representation of the
IP address is quite long. The following two lines of binary numbers represent one IP address:

0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010

The 128-bit address is now divided along 16-bit boundaries (eight blocks of 16 bits):

0010000000000001 0000110110111000 0000000000000000 0010111100111011


0000001010101010 0000000011111111 1111111000101000 1001110001011010

Each block is further broken into sections of four bits. The following table shows the binary and
corresponding hexadecimal values for each section of four bits:

Binary Hexadecimal

[0010][0000][0000][0001] [2][0][0][1]

[0000][1101][1011][1000] [0][D][B][8]

[0000][0000][0000][0000] [0][0][0][0]

[0010][1111][0011][1011] [2][F][3][B]

[0000][0010][1010][1010] [0][2][A][A]

[0000][0000][1111][1111] [0][0][F][F]

[1111][1110][0010][1000] [F][E][2][8]

[1001][1100][0101][1010] [9][C][5][A]

Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as
follows:

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block.
However, each block must have at least a single digit. With leading zero suppression, the address
representation becomes the following:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

Compressing Zeros
When multiple contiguous zero blocks occur, you can compress these and represent them in the address
as a double-colon (::); this further simplifies the IPv6 notation. The computer recognizes “::” and
substitutes it with the number of zero blocks necessary to make up a complete IPv6 address.

In the following example, the address is expressed using zero compression:

2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 0 bits are represented by the “::”, you can count the number of blocks in the
compressed address, subtract this number from eight, and then multiply the result by 16. Using the
previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by
16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located.

You can use zero compression only once in a given address. If you use it twice or more, then there is no
way to show how many 0 bits are represented by each instance of the double-colon (::).

To convert an address into binary, use the reverse of the method described previously:

1. Replace the double-colon (::) with the zero blocks it stands for.

2. Add the leading zeros back to each 16-bit block.

3. Convert each hex number into its binary equivalent.
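The conversion, leading-zero suppression, zero compression and reverse-expansion steps described above, carried out in code. This is an added example written for this page (it is not Microsoft courseware code); its input is the 128-bit address used in the tables above, and, like the page's own example, it compresses even a single zero block with ::.

```python
"""Binary <-> IPv6 text conversion following the steps on this page.
Added example for this page, not Microsoft courseware code."""

# The 128-bit address from the page, as its two 64-bit binary lines.
PAGE_BINARY = (
    "0010000000000001000011011011100000000000000000000010111100111011"
    "0000001010101010000000001111111111111110001010001001110001011010"
)

HEX_DIGITS = "0123456789ABCDEF"


def nibble_to_hex(bits):
    """Sum the 8-4-2-1 positional values of four binary digits, as the page does."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError("a section is exactly four binary digits")
    value = sum(weight for weight, bit in zip((8, 4, 2, 1), bits) if bit == "1")
    return HEX_DIGITS[value]


def binary_to_blocks(binary):
    """Split 128 bits into eight 16-bit blocks and render each as four hex characters."""
    if len(binary) != 128 or set(binary) - {"0", "1"}:
        raise ValueError("an IPv6 address is exactly 128 binary digits")
    blocks = []
    for i in range(0, 128, 16):
        block = binary[i:i + 16]
        blocks.append("".join(nibble_to_hex(block[j:j + 4]) for j in range(0, 16, 4)))
    return blocks


def suppress_leading_zeros(blocks):
    """Drop leading zeros within each block, keeping at least one digit per block."""
    return [block.lstrip("0") or "0" for block in blocks]


def compress_zeros(blocks):
    """Replace the longest run of all-zero blocks with '::' (used at most once).

    Ties go to the leftmost run. A single zero block is compressed too, which
    matches the page's 2001:DB8::2F3B:... example (RFC 5952 would not do this)."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(blocks):
        if blocks[i] == "0":
            j = i
            while j < len(blocks) and blocks[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len == 0:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return left + "::" + right


def zero_bits_in_double_colon(compressed):
    """Page rule: (8 - number of written blocks) * 16 zero bits are hidden by '::'."""
    if compressed.count("::") > 1:
        raise ValueError("'::' may appear only once; otherwise its width is ambiguous")
    written = [block for block in compressed.split(":") if block]
    return (8 - len(written)) * 16


def expand(compressed):
    """Reverse procedure: re-insert the zero blocks hidden by '::', restore the
    leading zeros, and return (full hex text, 128 binary digits)."""
    if "::" in compressed:
        left, right = compressed.split("::")
        left_blocks = [b for b in left.split(":") if b]
        right_blocks = [b for b in right.split(":") if b]
        missing = 8 - len(left_blocks) - len(right_blocks)
        blocks = left_blocks + ["0"] * missing + right_blocks
    else:
        blocks = compressed.split(":")
    if len(blocks) != 8:
        raise ValueError("expected eight 16-bit blocks after expansion")
    full = [block.upper().zfill(4) for block in blocks]
    binary = "".join(format(int(block, 16), "016b") for block in full)
    return ":".join(full), binary


if __name__ == "__main__":
    blocks = binary_to_blocks(PAGE_BINARY)
    print(":".join(blocks))                       # 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
    short = suppress_leading_zeros(blocks)
    print(":".join(short))                        # 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
    compressed = compress_zeros(short)
    print(compressed)                             # 2001:DB8::2F3B:2AA:FF:FE28:9C5A
    print(zero_bits_in_double_colon(compressed))  # 16
    print(expand(compressed)[1] == PAGE_BINARY)   # True
```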



Lesson 2
IPv6 Addressing
An essential part of working with IPv6 is understanding the different address types and when they are
used. This allows you to understand the overall communication process between IPv6 hosts and perform
troubleshooting. You also need to understand the processes available for configuring a host with an IPv6
address to ensure that hosts are properly configured.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe IPv6 prefixes.

• Describe unicast IPv6 address types.

• Describe zone IDs.

• Describe address autoconfiguration for IPv6.

• Configure IPv6 client settings on a network host.

IPv6 Prefixes
Like the IPv4 address space, the IPv6 address space is divided by allocating portions of the available
address space for various IP functions. The high-order bits (bits that are at the beginning of the
128-bit IPv6 address) define areas statically in the IP space. The high-order bits and their fixed values
are known as a format prefix. Internet Assigned Numbers Authority (IANA) manages IPv6, and has
defined how the IPv6 address space will be divided initially. IANA has also specified the format prefixes.

IPv6 Format Prefixes
The following table shows the IPv6 address-space allocation by format prefixes.

Allocation                     | Prefix binary value | Prefix hexadecimal value | Fraction of the address space
Reserved                       | 0000 0000           | -                        | 1/256
Global unicast addresses       | 001                 | 2 or 3                   | 1/8
Link-local unicast addresses   | 1111 1110 10        | FE8                      | 1/1024
Unique local unicast addresses | 1111 1101           | FD                       | 1/256
Multicast addresses            | 1111 1111           | FF                       | 1/256

The remaining IPv6 address space is unassigned.

IPv6 Prefixes
The prefix is the part of the address that indicates the bits that have fixed values, or that are the subnet
prefix’s bits. Prefixes for IPv6 subnets, routes, and address ranges are expressed in the same way as IPv4
Classless Interdomain Routing (CIDR) notation. An IPv6 prefix is written in address/prefix-length notation.
For example, 2001:DB8::/48 and 2001:DB8:0:2F3B::/64 are IPv6 address prefixes.

Note: IPv6 does not use subnet masks.

Unicast IPv6 Address Types
A unicast IPv6 address is an IPv6 address that is assigned to a single interface in a single computer.
This is equivalent to unicast addresses in IPv4. IPv6 has several types of unicast addresses, and unlike
IPv4, computers typically have multiple IPv6 addresses. Different address types are used for
different purposes.

The bits in unicast IPv6 addresses are split evenly between network ID and interface ID: the first 64
bits are the network ID, and the second 64 bits are the host ID. By default, the interface ID portion of
an IPv6 address is randomly generated.

Note: The interface ID in IPv6 is equivalent to the IPv4 host ID as discussed in Module 5.

Global Unicast Addresses
Global unicast addresses are equivalent to public IPv4 addresses that are available from an Internet
Service Provider (ISP). They are routable and reachable globally on the IPv6 portion of the Internet. The
fields in the global unicast address are:

• Fixed portion set to 001. The three high-order bits are set to 001. The address prefix for currently
assigned global addresses is 2000::/3. Therefore, all global unicast addresses begin with either 2 or 3.

• Global routing prefix. This field identifies the global routing prefix for a specific organization’s site.
The combination of the three fixed bits and the 45-bit global routing prefix is used to create a 48-bit
site prefix, which is assigned to an organization’s individual site. Once the assignment occurs, routers
on the IPv6 Internet then forward IPv6 traffic that matches the 48-bit prefix to the routers of the
organization’s site.

• Subnet ID. The Subnet ID is used within an organization’s site to identify subnets. This field’s size is
16 bits. The organization’s site can use these 16 bits within its site to create 65,536 subnets, or
multiple levels of addressing hierarchy, and an efficient routing infrastructure.

• Interface ID. The Interface ID identifies the interface on a specific subnet within the site. This field’s
size is 64 bits. This is either randomly generated, or assigned by DHCPv6. In the past, the Interface ID
was based on the Media Access Control (MAC) address of the network interface card to which the
address was bound.

Link-Local Unicast Addresses

All IPv6 hosts have a link-local address that is used for communication only on the local subnet. The link-
local address is automatically generated and non-routable. In this way, link-local addresses are similar to
IPv4 Automatic Private IP Addressing (APIPA) addresses. However, a link-local address is an essential part
of IPv6 communication.

Link-local addresses are used for communication in many scenarios where IPv4 would have used
broadcasts. For example, link-local addresses are used when communicating with a DHCPv6 server. In
addition, link-local addresses are used for neighbor discovery, which is the IPv6 equivalent of ARP in IPv4.
The prefix for link-local addresses is always FE80::/64. The final 64 bits are the interface identifier.

Unique Local Unicast Addresses

Unique local addresses are the IPv6 equivalent of IPv4 private addresses. These addresses are routable
within an organization, but not on the Internet.

IPv4 private IP addresses were a relatively small part of the overall IPv4 address space, and many
companies used the same address space. This caused problems when separate organizations tried to
communicate directly. It also caused problems when merging the networks of two organizations following
a merger or a buyout.

To avoid the duplication problems experienced with IPv4 private addresses, the IPv6 unique local address
structure allocates 40 bits to an organization identifier. The 40-bit organization identifier is randomly
generated. The likelihood of two randomly generated 40-bit identifiers being the same is very small. This
ensures that each organization has a unique address space.

The first seven bits of a unique local address have the fixed binary value of 1111110. All unique local
addresses have the address prefix of FC00::/7. The Local (L) flag is set to 1 to indicate a local address. An L
flag value set to 0 has not yet been defined. Therefore, unique local addresses with the L flag set to 1 have
the address prefix of FD00::/8.

Zone IDs
Each IPv6 host has a single link-local address. If the host has multiple network interfaces, the same
link-local address is reused on each network interface. To allow hosts to identify link-local
communication on each unique network interface, a zone ID is added to the link-local address. A
zone ID is used in the following format:

Address%zone_ID

Each sending host determines the zone ID that it will associate with each interface. There is no
negotiation of zone ID between hosts. For example, on the same network, host A might use 3 for the zone
ID on its interface, and host B might use 6 for the zone ID on its interface.

Each interface in a Windows-based host is assigned a unique interface index, which is an integer. In
addition to physical network cards, interfaces also include loopback and tunnel interfaces. Windows-based
IPv6 hosts use the interface index of an interface as the zone ID for that interface. In the following
example, the zone ID (interface index) for the network card is 3.

fe80::2b0:d0ff:fee9:4143%3

Note: You can view the zone ID of a link-local address by typing ipconfig at a command
prompt. This will display the local IP configuration.
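The format-prefix table, the unicast address types and the zone ID notation above, put together in one routine. This is an added example written for this page (not Microsoft courseware code): it separates a %zone_ID suffix from the 128-bit address, names the allocation an address falls into, and splits a global unicast address into its 3/45/16/64-bit fields. The sample addresses are the ones used in this lesson; the ipaddress module is Python's standard library.

```python
"""Classify IPv6 addresses by format prefix and split global unicast fields.
Added example for this page, not Microsoft courseware code."""
import ipaddress

# Allocations from the lesson's format-prefix table, plus the loopback and
# unspecified addresses from the "IPv6 Equivalents to IPv4" table.
# Most specific prefix first so that the narrowest allocation wins.
FORMAT_PREFIXES = [
    ("::1/128",   "loopback"),
    ("::/128",    "unspecified"),
    ("FE80::/10", "link-local unicast"),
    ("FD00::/8",  "unique local unicast (L flag = 1)"),
    ("FC00::/7",  "unique local unicast (L flag = 0, not yet defined)"),
    ("FF00::/8",  "multicast"),
    ("2000::/3",  "global unicast"),
    ("::/8",      "reserved"),
]
FORMAT_NETWORKS = [(ipaddress.IPv6Network(p), name) for p, name in FORMAT_PREFIXES]


def parse_with_zone(text):
    """Split 'address%zone_ID' into (IPv6Address, zone_ID or None).

    The zone ID is the sending host's interface index, not part of the
    128-bit address, so it is separated before the address is parsed."""
    addr_text, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr_text), (zone or None)


def classify(text):
    """Name the allocation an address falls into, or 'unassigned'."""
    addr, zone = parse_with_zone(text)
    for network, name in FORMAT_NETWORKS:
        if addr in network:
            if name == "link-local unicast" and zone is None:
                # A link-local address without a zone ID is ambiguous on a
                # host with several interfaces (see the Zone IDs topic).
                return name + " (no zone ID; ambiguous on a multi-interface host)"
            return name
    return "unassigned"


def split_global_unicast(text):
    """Return the four fields of a global unicast address as hex/binary strings.

    Bit layout, high to low: 3 fixed bits (001), 45-bit global routing prefix,
    16-bit subnet ID, 64-bit interface ID."""
    addr, _ = parse_with_zone(text)
    n = int(addr)
    fixed = n >> 125
    if fixed != 0b001:
        raise ValueError(f"{addr} is not a global unicast address (top bits {fixed:03b})")
    return {
        "fixed_bits": f"{fixed:03b}",
        "global_routing_prefix": f"{(n >> 80) & ((1 << 45) - 1):012X}",
        "site_prefix": str(ipaddress.IPv6Network(((n >> 80) << 80, 48))),
        "subnet_id": f"{(n >> 64) & 0xFFFF:04X}",
        "subnet_prefix": str(ipaddress.IPv6Network(((n >> 64) << 64, 64))),
        "interface_id": f"{n & ((1 << 64) - 1):016X}",
    }


if __name__ == "__main__":
    for sample in ("fe80::2b0:d0ff:fee9:4143%3", "FD00:AAAA:BBBB:CCCC::A",
                   "FF02::1", "::1", "2001:DB8:0:2F3B:2AA:FF:FE28:9C5A"):
        print(f"{sample:40} {classify(sample)}")
    for field, value in split_global_unicast("2001:DB8:0:2F3B:2AA:FF:FE28:9C5A").items():
        print(f"{field:22} {value}")
```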

Address Autoconfiguration for IPv6
In most cases, you will use autoconfiguration to provide IPv6 hosts with an IPv6 address. There are
several ways autoconfiguration can be implemented. You control how autoconfiguration is performed by
using a type of autoconfiguration.

Autoconfigured Address States
During autoconfiguration the IPv6 address of a host goes through several states that define the
lifecycle of the IPv6 address. Autoconfigured addresses are in one or more of the following states:

• Tentative. In the tentative state, verification is occurring to determine if the address is unique.
Duplicate address detection performs verification. When an address is in the tentative state, a node
cannot receive unicast traffic.

• Valid. In the valid state, the address has been verified as unique, and can send and receive unicast
traffic.

• Preferred. In the preferred state, the address enables a node to send and receive unicast traffic to
and from it.

• Deprecated. In a deprecated state, the address is valid, but its use is discouraged for new
communication.

• Invalid. In the invalid state, the address no longer allows a node to send or receive unicast traffic.

Types of Autoconfiguration
Types of autoconfiguration include:

• Stateless. Address configuration is only based on the receipt of Router Advertisement messages. This
includes a router prefix but does not include additional configuration options such as DNS servers.

• Stateful. Configuration is based on the use of a stateful address configuration protocol such as
DHCPv6 to obtain addresses and other configuration options. A host uses stateful address
configuration when:

o It receives instructions to do so in Router Advertisement messages.

o There are no routers present on the local link.

• Both. Configuration is based on receipt of Router Advertisement messages and on DHCPv6.

Stateful Configuration
With stateful configuration, organizations can control how IPv6 addresses are assigned using DHCPv6. If
there are any specific scope options that you need to configure—such as the IPv6 addresses of DNS
servers—then a DHCPv6 server is necessary.

When IPv6 attempts to communicate with a DHCPv6 server, it uses multicast IPv6 addresses. This is
different than with IPv4, which uses broadcast IPv4 addresses.

Demonstration: Configuring IPv6 Client Settings


In most cases, IPv6 is configured dynamically by using DHCPv6 or router advertisements. However, you
can also configure IPv6 manually with a static IPv6 address. The process for configuring IPv6 is similar to
the process for configuring IPv4.

Demonstration Steps

View IPv6 configuration by using IPconfig.


1. On LON-DC1, open a Windows PowerShell® prompt.

2. Use ipconfig to view the link-local IPv6 address on Local Area Connection.

3. Use the Get-NetIPAddress cmdlet to view network configuration.

Configure IPv6 on LON-DC1


1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the
Local Server.

2. Open the properties of Internet Protocol Version 6 (TCP/IPv6), and enter the following
information:

o Use the following IPv6 address

o IPv6 address: FD00:AAAA:BBBB:CCCC::A


o Subnet prefix length: 64

o Use the following DNS server addresses

o Preferred DNS server: ::1

Configure IPv6 on LON-SVR1


1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the
Local Server.

2. Open the properties window of Internet Protocol Version 6 (TCP/IPv6), and enter the following:

o Use the following IPv6 address

o IPv6 address: FD00:AAAA:BBBB:CCCC::15

o Subnet prefix length: 64

o Use the following DNS server addresses

o Preferred DNS server: FD00:AAAA:BBBB:CCCC::A

Verify IPv6 communication is functional


1. On LON-SVR1, open a Windows PowerShell prompt.

2. Use ipconfig to view the IPv6 address for Local Area Connection.

3. Use ping -6 to test IPv6 communication with LON-DC1.

4. Use ping -4 to test IPv4 communication with LON-DC1.


Lesson 3
Coexistence with IPv4
From its inception, IPv6 was designed for long-term coexistence with IPv4; in most cases your network will
use both IPv4 and IPv6 for many years. Consequently, you need to understand how they coexist.
This lesson provides an overview of the technologies that support the two IP protocols’ coexistence. This
lesson also describes the different node types and IP stack implementations of IPv6. Finally, this lesson
explains how DNS resolves names to IPv6 addresses and the various types of IPv6 transition technologies.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe IP node types.

• Describe methods to provide coexistence for IPv4 and IPv6.

• Configure DNS to support IPv6.

• Explain IPv6 over IPv4 tunneling.

What Are Node Types?
When planning an IPv6 network, you should know what types of nodes or hosts are on the network.
Describing the nodes in the following ways helps to define their capabilities on the network. This is
important if you use tunneling, because certain kinds of tunnels require specific node types,
including the following:

• IPv4-only node. A node that implements only IPv4 (and has only IPv4 addresses) and
does not support IPv6.

• IPv6-only node. A node that implements only IPv6 (and has only IPv6 addresses) and
does not support IPv4. This node is able to communicate only with IPv6 nodes and applications, and
is not common today. However, it might become more prevalent as smaller devices, such as cellular
phones and handheld computers, use the IPv6 protocol exclusively.

• IPv6/IPv4 node. A node that implements both IPv4 and IPv6. Windows Server 2008 and Windows
Vista or later use IPv4 and IPv6 by default.

• IPv4 node. A node that implements IPv4. It can be an IPv4-only node or an IPv6/IPv4 node.

• IPv6 node. A node that implements IPv6. It can be an IPv6-only node or an IPv6/IPv4 node.

Coexistence occurs when the largest number of nodes (IPv4 or IPv6 nodes) can communicate using an
IPv4 infrastructure, an IPv6 infrastructure, or an infrastructure that is a combination of IPv4 and IPv6. You
will achieve true migration when all IPv4 nodes are converted to IPv6-only nodes. However, for the
foreseeable future, you can achieve practical migration when as many IPv4-only nodes as possible are
converted to IPv6/IPv4 nodes. IPv4-only nodes can communicate with IPv6-only nodes only when you are
using an IPv4-to-IPv6 proxy or translation gateway.
IPv4 and IPv6 Coexistence
Rather than replacing IPv4, most organizations add IPv6 to their existing IPv4 network. Starting
with Windows Server 2008 and Windows Vista, Windows operating systems support the
simultaneous use of IPv4 and IPv6 through a dual IP layer architecture. The Windows XP and
Windows Server 2003 operating systems used a less efficient dual stack architecture.

Dual IP Layer Architecture

A dual IP layer architecture was implemented beginning with Windows Vista, and continuing
through Windows Server 2012 and Windows 8. This architecture contains both IPv4 and IPv6 Internet
layers with a single implementation of transport layer protocols such as TCP and User Datagram Protocol
(UDP). This architecture allows for easier migration to IPv6, and there are fewer files to maintain to provide
IPv6 connectivity. IPv6 is also available without adding any new protocols in the network-card
configuration.

Dual Stack Architecture

Dual stack architecture contains both IPv4 and IPv6 Internet layers, and has separate protocol stacks that
contain separate implementations of transport layer protocols, such as TCP and UDP. Tcpip6.sys, the IPv6
protocol driver in Windows Server 2003 and Windows XP, contains a separate implementation of TCP and
UDP.

DN
NS Infrastruccture Requirements
Justt as DNS is use
ed as a supportting service on
n an IPv4 netw
work, it is also rrequired on an
n IPv6 networkk.
Whe en IPv6 is adde
ed to the netw
work, you need d to ensure thaat the records that are necesssary to suppo
ort
IPv6
6 name-to-add dress and addrress-to-name resolution
r are added. The DNS records thaat are required d for
coexxistence are:

• Host (A) resource records for IPv4 nodes

• IPv6 host (AAAA) resource records

• Reverse lookup pointer (PTR) resource records for IPv4 and IPv6 nodes

Note: In most cases, the IPv6 host (AAAA) resource records that IPv6 nodes require are registered in DNS dynamically.

When a name can be resolved to both an IPv4 and IPv6 address, both addresses are returned to the client. The client then selects which address to use based on prefix policies. You can view the prefix policies in Windows Server 2012 by using the Get-NetPrefixPolicy cmdlet.

Each prefix has a precedence level assigned to it. In most cases, IPv6 is preferred over IPv4. For example, when you ping a host, the ping command will use the IPv6 address instead of the IPv4 address.
20410A: Installing and Configuring Windows Server® 2012 8-15

The following table displays the typical prefix policies for Windows Server 2012.

Prefix          Precedence  Label  Description
::1/128         50          0      IPv6 loopback
fc00::/7        45          13     Unique local
::/0            40          1      Default gateway
::ffff:0:0/96   10          4      IPv4 compatible address
2002::/16       7           14     6to4
2001::/32       5           5      Teredo
::/96           1           10     IPv4 compatible address (deprecated)
fec0::/10       1           11     Site local (deprecated)
3ffe::/16       1           12     6Bone (deprecated)

Additional Reading: For more information about prefix policies see
http://technet.Microsoft.com/library/bb877985.
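As an added example (not part of the course material), the following Python script models the selection rule described above: each candidate address is matched against the longest prefix in the table, and the address with the highest precedence is tried first. It assumes the default table exactly as printed; the Windows resolver applies further tie-breaking rules (RFC 3484/6724) that are not modelled here.

```python
"""Simplified destination address selection using the default prefix policy
table of Windows Server 2012 (added example, not the course's own code).

Only the precedence rule described in the text is modelled: the longest
matching prefix decides the policy row, and a higher precedence wins.
"""
import ipaddress

# Default prefix policies exactly as listed in the table: (prefix, precedence, label).
PREFIX_POLICIES = [
    ("::1/128",       50, 0),   # IPv6 loopback
    ("fc00::/7",      45, 13),  # Unique local
    ("::/0",          40, 1),   # Default gateway (native IPv6)
    ("::ffff:0:0/96", 10, 4),   # IPv4 addresses, represented as IPv4-mapped IPv6
    ("2002::/16",      7, 14),  # 6to4
    ("2001::/32",      5, 5),   # Teredo
    ("::/96",          1, 10),  # IPv4 compatible (deprecated)
    ("fec0::/10",      1, 11),  # Site local (deprecated)
    ("3ffe::/16",      1, 12),  # 6Bone (deprecated)
]
_POLICIES = [(ipaddress.ip_network(p), prec, label) for p, prec, label in PREFIX_POLICIES]


def to_v6(address):
    """Represent an IPv4 address as an IPv4-mapped IPv6 address so that the
    ::ffff:0:0/96 row applies to it; IPv6 addresses are returned unchanged."""
    addr = ipaddress.ip_address(address)
    if isinstance(addr, ipaddress.IPv4Address):
        return ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr


def lookup_policy(address):
    """Return (precedence, label) of the longest-matching policy prefix."""
    addr = to_v6(address)
    best = None
    for net, prec, label in _POLICIES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def order_destinations(addresses):
    """Order the addresses a DNS lookup returned: highest precedence first.
    sorted() is stable, so equal-precedence answers keep their DNS order."""
    return sorted(addresses, key=lambda a: lookup_policy(a)[0], reverse=True)


if __name__ == "__main__":
    # Constructed sample: a name that resolves to one IPv4 and one IPv6 address.
    # The IPv6 address (precedence 40) is preferred over IPv4 (precedence 10),
    # which is why ping uses the IPv6 address, as the text explains.
    print(order_destinations(["192.0.2.10", "2001:db8::1"]))
```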

Demonstration: Configuring DNS to Support IPv6


Similar to IPv4 nodes, IPv6 nodes use dynamic DNS to create host records automatically. You can also manually create host records for IPv6 addresses. An IPv6 host (AAAA) resource record is a unique record type and is different from the IPv4 host (A) resource record.

Demonstration Steps
Configure an IPv6 host (AAAA) resource record
1. On LON-DC1, in Server Manager, open the DNS tool and browse to the Adatum.com forward lookup
zone.
2. In DNS Manager, verify that IPv6 addresses have been registered dynamically for LON-DC1 and LON-SVR1.

3. Create a new host record in Adatum.com with the following settings:


o Name: WebApp

o IP address: FD00:AAAA:BBBB:CCCC::A

Verify name resolution for an IPv6 host (AAAA) resource record


1. On LON-SVR1, if necessary, open a Windows PowerShell prompt.

2. Use ping to test communication with WebApp.adatum.com.



What Is IPv6 Over IPv4 Tunneling?
IPv6 over IPv4 tunneling is the encapsulation of IPv6 packets with an IPv4 header so that IPv6 packets can be sent over an IPv4-only infrastructure. Within the IPv4 header:

• The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.

• The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can configure tunnel endpoints manually as part of the tunnel interface, or they can be derived automatically.

Unlike tunneling for the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP), there is no exchange of messages for tunnel setup, maintenance, or termination. Additionally, IPv6 over IPv4 tunneling does not provide security for tunneled IPv6 packets. This means that when you use IPv6 tunneling, it does not need to establish a protected connection first.
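To show what a Protocol field value of 41 looks like on the wire, here is an added Python example (not from the course) that parses a constructed IPv4 packet, recognises an encapsulated IPv6 packet, and extracts the tunnel endpoints and the inner IPv6 addresses. This is the check a monitoring tool on an IPv4-only network would apply to see the unprotected tunneled traffic described above; the packet and its addresses are constructed test data.

```python
"""Recognise IPv6-over-IPv4 tunnelling (IPv4 Protocol field = 41) in a raw
IPv4 packet (added example, not the course's own code).

The sample packet is constructed inline: an IPv4 header with Protocol 41
followed by a bare IPv6 header with no payload.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # Protocol field value that marks an encapsulated IPv6 packet


def parse_ipv4_header(packet):
    """Return (src, dst, protocol, header_length_bytes) for a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # options, if any, make this larger than 20
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, ihl


def parse_ipv6_header(payload):
    """Return (src, dst, next_header) for a raw IPv6 header."""
    if len(payload) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, _plen, nxt, _hlim, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if vtf >> 28 != 6:
        raise ValueError("payload is not IPv6")
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), nxt


def inspect_tunnel(packet):
    """Return a dict with the IPv4 tunnel endpoints and inner IPv6 addresses when
    the packet is 6over4 traffic, or None when Protocol is not 41.  A Protocol-41
    packet whose payload is not an IPv6 header raises ValueError."""
    src4, dst4, proto, ihl = parse_ipv4_header(packet)
    if proto != IPPROTO_IPV6:
        return None
    src6, dst6, nxt = parse_ipv6_header(packet[ihl:])
    return {"endpoints": (src4, dst4), "inner": (src6, dst6), "next_header": nxt}


def summarise(packet):
    """One-line classification suitable for a log: plain, 6over4, or malformed."""
    try:
        info = inspect_tunnel(packet)
    except ValueError as exc:
        return "malformed: %s" % exc
    if info is None:
        return "plain IPv4"
    return "6over4 %s -> %s carrying %s -> %s" % (
        info["endpoints"] + info["inner"])


def build_sample_packet(src4, dst4, src6, dst6, proto=IPPROTO_IPV6):
    """Construct an IPv4 header plus an IPv6 header with no payload (test data)."""
    inner = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,  # next header 59 = none
                        ipaddress.IPv6Address(src6).packed,
                        ipaddress.IPv6Address(dst6).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0x1234, 0, 64,
                        proto, 0,  # checksum left zero; not validated here
                        ipaddress.IPv4Address(src4).packed,
                        ipaddress.IPv4Address(dst4).packed)
    return outer + inner


if __name__ == "__main__":
    # Constructed sample: a 6to4 router at 157.60.91.123 tunnelling to 131.107.210.49.
    pkt = build_sample_packet("157.60.91.123", "131.107.210.49",
                              "2002:9d3c:5b7b:1::1", "2002:836b:d231:2::1")
    print(summarise(pkt))
```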

Lesson 4
IPv6 Transition Technologies
Transitioning from IPv4 to IPv6 requires coexistence between the two protocols. Too many applications and services rely on IPv4 for it to be removed quickly. However, there are several technologies that aid transition by allowing communication between IPv4-only and IPv6-only hosts. There are also technologies that allow IPv6 communication over IPv4 networks.

This lesson provides information about Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo, which help provide connectivity between IPv4 and IPv6 technology. This lesson also addresses PortProxy, which provides compatibility for applications.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe ISATAP.

• Describe 6to4.

• Describe Teredo.

• Describe PortProxy.

• Describe the transition process from IPv4 to IPv6.

What Is ISATAP?
ISATAP is an address-assignment technology that you can use to provide unicast IPv6 connectivity between IPv6/IPv4 hosts across an IPv4 intranet. ISATAP hosts do not require any manual configuration, and can create ISATAP addresses using standard address autoconfiguration mechanisms. You mainly use ISATAP within an organization's site, and although the ISATAP component is enabled by default, it only assigns ISATAP-based addresses if it can resolve the name ISATAP on your network.

An ISATAP address that is based on a private IPv4 address is formatted like the following example:

[64-bit unicast prefix]:0:5EFE:w.x.y.z

An ISATAP address that is based on a public IPv4 address is formatted like the following example:

[64-bit unicast prefix]:200:5EFE:w.x.y.z

For example, FD00::5EFE:192.168.137.133 is an example of an ISATAP address based on a private IPv4 address, and 2001:db8::200:5EFE:131.107.137.133 is an example of an ISATAP address based on a public IPv4 address.

What Is an ISATAP Router?
ISATAP allows IPv6 clients on an IPv4-only intranet to communicate without additional manual configuration. An ISATAP router advertises an IPv6 prefix, and allows the clients to communicate with other IPv6 clients on other IPv6 subnets.

How ISATAP Tunneling Works
You can initiate ISATAP tunneling in many ways, but the simplest way is to configure an ISATAP host record in DNS that resolves to the IPv4 address of the ISATAP router. Windows hosts that can resolve this name automatically begin using the specified ISATAP router. By using this method, you can configure ISATAP for several computers simultaneously. You can also define ISATAP name resolution in a hosts file, but this is not recommended because it is difficult to manage.

Note: By default, Windows Server 2008 or newer DNS servers have a Global Query Block List that prevents ISATAP resolution, even if the host record is created and properly configured. You need to remove ISATAP from the Global Query Block List in DNS if you are using an ISATAP host record to configure ISATAP clients.

Other ways you can configure hosts with an ISATAP router are:

• Use the Windows PowerShell cmdlet Set-NetIsatapConfiguration –Router x.x.x.x.

• Use Netsh Interface IPv6 ISATAP Set Router x.x.x.x.

• Configure the ISATAP Router Name Group Policy setting.

Note: All ISATAP nodes are connected to a single IPv6 subnet. This means that all ISATAP nodes are part of the same AD DS site, which may not be desirable. As such, you should use ISATAP only for limited testing. For intranet-wide deployment, you should instead deploy native IPv6 support.

What Is 6to4?
6to4 is a technology that you use to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 treats the entire IPv4 Internet as a single link. In the following 6to4 address, WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z, a public IPv4 address:

2002:WWXX:YYZZ:Subnet_ID:Interface_ID

Enabling 6to4 Router Functionality in Windows Operating Systems
To enable Windows Server 2012 as a 6to4 router, you enable Internet Connection Sharing (ICS). When you enable ICS on a computer that is running a Windows operating system, the following occurs:

• IPv6 forwarding is enabled on the 6to4 tunneling and private interfaces.

• The private interface connects to a single subnet, and uses private IPv4 addresses from the 192.168.0.0/24 prefix.

• A 64-bit IPv6 subnet prefix is selected for advertisement on the private intranet. The 6to4 component derives the intranet subnet prefix from 2002:WWXX:YYZZ:InterfaceIndex::/64, in which InterfaceIndex is the private interface's index.

• Router advertisement messages are sent on the private interface.

The router advertisement messages advertise the ICS computer as a default router and contain the derived 6to4 subnet prefix.

How 6to4 Tunneling Works
Within a site, local IPv6 routers advertise 2002:WWXX:YYZZ:Subnet_ID::/64 subnet prefixes so that hosts autoconfigure 6to4 addresses. IPv6 routers within the site deliver traffic between 6to4 hosts. Hosts on individual subnets are configured automatically with a 64-bit subnet route for direct delivery to neighbors and a default route with the next-hop address of the advertising router. IPv6 traffic that does not match any of the subnet prefixes that the site uses is forwarded to a 6to4 router on the site border. The 6to4 router on the site border has a 2002::/16 route that forwards traffic to other 6to4 sites and a default route of ::/0 that forwards traffic to a 6to4 relay on the IPv4 Internet.

Example
In the example network shown in the slide, Host A and Host B can communicate with each other because of a default route using the next-hop address of the 6to4 router in Site 1. When Host A communicates with Host C in another site, Host A sends the traffic to the 6to4 router in Site 1 as IPv6 packets. The 6to4 router in Site 1, using the 2002::/16 route in its routing table and the 6to4 tunnel interface, encapsulates the traffic with an IPv4 header and tunnels it to the 6to4 router in Site 2. The 6to4 router in Site 2 receives the tunneled traffic, removes the IPv4 header, and using the subnet prefix route in its routing table, forwards the IPv6 packet to Host C.

For example, Host A resides on subnet 1 within Site 1 and uses the public IPv4 address of 157.60.91.123. Host C resides on subnet 2 within Site 2 and uses the public IPv4 address of 131.107.210.49. The table that appears in the slide lists the addresses in the IPv4 and IPv6 headers when the 6to4 router in Site 1 sends the IPv4-encapsulated IPv6 packet to the 6to4 router in Site 2.
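The following Python functions, added here and not part of the course material, build and decode the ISATAP address forms ([prefix]:0:5EFE:w.x.y.z and [prefix]:200:5EFE:w.x.y.z) and the 6to4 form (2002:WWXX:YYZZ:Subnet_ID:Interface_ID) described in this lesson, so that a tunnel address seen in a log can be mapped back to the IPv4 endpoint that produced it. They assume Python's ipaddress is_private test as the definition of a private IPv4 address, which decides between the 0:5EFE and 200:5EFE forms; the 6to4 values below are the Site 1 and Site 2 addresses from the example above.

```python
"""Build and decode ISATAP and 6to4 addresses (added example, not course code).

Assumption: ipaddress.IPv4Address.is_private stands in for "private IPv4
address" when choosing between the 0:5EFE (private) and 200:5EFE (public)
ISATAP interface identifiers.
"""
import ipaddress

_LOW64 = (1 << 64) - 1


def isatap_address(prefix, ipv4):
    """Build [64-bit prefix]:0:5EFE:w.x.y.z (private) or [prefix]:200:5EFE:w.x.y.z (public)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit unicast prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    flag = 0x0000 if v4.is_private else 0x0200   # 0:5EFE vs 200:5EFE
    iid = (flag << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def decode_isatap(ipv6):
    """Return (64-bit prefix, embedded IPv4 address) for an ISATAP-formed
    address, or None when the interface identifier is not ::5EFE:w.x.y.z."""
    addr = ipaddress.IPv6Address(ipv6)
    iid = int(addr) & _LOW64
    if (iid >> 32) not in (0x00005EFE, 0x02005EFE):
        return None
    prefix = ipaddress.IPv6Network(((int(addr) >> 64) << 64, 64))
    return prefix, ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def six_to_four_prefix(public_ipv4):
    """Return the 2002:WWXX:YYZZ::/48 prefix a 6to4 site derives from its public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if v4.is_private:
        raise ValueError("6to4 requires a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def six_to_four_address(public_ipv4, subnet_id, interface_id):
    """Build 2002:WWXX:YYZZ:Subnet_ID:Interface_ID."""
    prefix = six_to_four_prefix(public_ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | interface_id)


def decode_6to4(ipv6):
    """Return (embedded public IPv4 address, Subnet_ID) for a 2002::/16 address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        return None
    v4 = ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    return v4, (int(addr) >> 64) & 0xFFFF


if __name__ == "__main__":
    # Addresses from the text: private and public ISATAP examples, then the
    # 6to4 routers of Site 1 (157.60.91.123) and Site 2 (131.107.210.49).
    print(isatap_address("fd00::/64", "192.168.137.133"))
    print(isatap_address("2001:db8::/64", "131.107.137.133"))
    print(six_to_four_prefix("157.60.91.123"))
    print(six_to_four_address("131.107.210.49", 2, 1))
    print(decode_6to4("2002:836b:d231:2::1"))
```

The lab later in this module produces 2001:db8:0:2:0:5efe:172.16.0.10 for LON-DC1; isatap_address("2001:db8:0:2::/64", "172.16.0.10") yields that same address, and decode_isatap recovers 172.16.0.10 from it.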

What Is Teredo?
Teredo tunneling enables you to tunnel across the IPv4-only Internet when the clients are behind an IPv4 NAT. Teredo was created because many Internet connections use private IPv4 addresses behind a NAT. Teredo is a last-resort transition technology for IPv6 connectivity. If native IPv6, ISATAP, or 6to4 connectivity is present between communicating nodes, Teredo is not used. As more IPv4 NATs are upgraded to support 6to4, and as IPv6 connectivity becomes ubiquitous, Teredo will be used less frequently, until eventually it is not used at all.

Teredo Components
The Teredo components are as follows:

• Teredo client. Supports a Teredo tunneling interface through which packets are tunneled to other Teredo clients or nodes on the IPv6 Internet through a Teredo relay.

• Teredo server. Connects to both the IPv4 and IPv6 Internet. The role of the Teredo server is to assist in the initial Teredo client configuration, and to facilitate the initial communication between Teredo clients in different sites or between Teredo clients and IPv6-only hosts on the IPv6 Internet.

• Teredo relay. Forwards packets between Teredo clients on the IPv4 Internet and IPv6-only hosts on the IPv6 Internet.

• Teredo host-specific relay. Has interfaces on, and connects to, the IPv4 and IPv6 Internet. Additionally, a Teredo host-specific relay can communicate directly with Teredo clients over the IPv4 Internet without needing an intermediate Teredo relay. The connectivity to the IPv4 Internet can be through a public IPv4 address or through a private IPv4 address and a neighboring NAT. The connectivity to the IPv6 Internet can be through a direct connection to the IPv6 Internet, or through an IPv6 transition technology, such as 6to4.

What Is PortProxy?
You can use the PortProxy service as an application-layer gateway for nodes or applications that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address type, Internet layer protocol (IPv4 or IPv6), and TCP port. This service's primary purpose is to allow IPv6 nodes to communicate with IPv4-only TCP applications.

PortProxy can proxy only TCP data, and it supports only application-layer protocols that do not embed address or port information inside the application-layer data. PortProxy cannot change address information at the application level, and is not flexible. Additionally, you will fare better using other tunneling technologies to address many of the issues that you typically would address by using PortProxy.

Some areas where PortProxy can be helpful and provide solutions during a transition phase include when:

• An IPv4-only node can access an IPv6-only node.

• An IPv6-only node can access an IPv4-only node.

• An IPv6 node can access an IPv4-only service that is running on a PortProxy computer.

Additional Reading: For more information about IPv6 transition technologies see
http://go.Microsoft.com/fwlink/?LinkID=112079&clcid=0x409.

Process for Transitioning to IPv6–Only
The industry-wide migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration when designing IPv6 and as a result, the transition plan for IPv6 is a multistep process that allows for extended coexistence.

To achieve the goal of a pure IPv6 environment, use the following general guidelines:

• Upgrade your applications to be independent of either IPv6 or IPv4. For example, you can change applications to use new Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation, and other functions are independent regardless of whether you are using IPv4 or IPv6.

• Upgrade routing infrastructure for native IPv6 routing. You must upgrade routers to support both native IPv6 routing and IPv6 routing protocols.

• Upgrade devices to support IPv6. The majority of current networking hardware supports IPv6, but many other types of devices do not. You need to verify that all network attached devices—such as printers and scanners—also support IPv6.

• Update the DNS infrastructure to support IPv6 address and pointer (PTR) resource records. You might have to upgrade the DNS infrastructure to support the new IPv6 host address (AAAA) resource records (required) and pointer (PTR) resource records in the IP6.ARPA reverse domain, but this is optional. Additionally, ensure that the DNS servers support DNS traffic over IPv6 and DNS dynamic update for IPv6 host address (AAAA) resource records so that IPv6 hosts can register their names and IPv6 addresses automatically.

• Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use both IPv4 and IPv6. You also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6 addresses. You can deploy ISATAP in a limited capacity to test IPv6 and DNS functionality.

Most organizations will most likely add IPv6 to an existing IPv4 environment and continue to have coexistence for an extended period of time. There are still in existence many legacy applications and devices that do not support IPv6, and coexistence is much simpler than using transition technologies such as ISATAP.

IPv6 is enabled by default for Windows Vista or newer clients and Windows Server 2008 or newer servers. As a best practice, you should not disable IPv6 unless there is a technical reason to do so. Some features in Windows operating systems rely on IPv6.

Lab: Implementing IPv6


Scenario
A. Datum Corporation has an IT office and data center in London, which support the London location and
other locations. They have recently deployed a Windows Server 2012 infrastructure with Windows 8
clients. You now need to configure the infrastructure service for a new branch office.

The IT manager at A. Datum has been briefed by several application vendors about newly added support
for IPv6 in their products. A. Datum does not have IPv6 support in place at this time. The IT manager
would like you to configure a test lab that uses IPv6. As part of the test lab configuration, you also need to
configure ISATAP to allow communication between an IPv4 network and an IPv6 network.

Objectives
After completing this lab, you will be able to:

• Configure IPv6.

• Configure an ISATAP router.

Lab Setup
Estimated Time: 40 minutes

Logon Information

Virtual Machines 20410A-LON-DC1
                 20410A-LON-RTR
                 20410A-LON-SVR2

User Name Adatum\Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-RTR and 20410A-LON-SVR2.

Exercise 1: Configuring an IPv6 Network


Scenario
As the first step in configuring the test lab, you need to configure LON-DC1 as an IPv4–only node, and
LON-SVR2 as an IPv6–only node. You also need to configure LON-RTR to support IPv6 routing.

The main tasks for this exercise are as follows:

1. Verify IPv4 routing.

2. Disable IPv6 on LON-DC1.

3. Disable IPv4 on LON-SVR2.

4. Configure an IPv6 network on LON-RTR.

5. Verify IPv6 on LON-SVR2.

X Task 1: Verify IPv4 routing


1. On LON-SVR2, open a Windows PowerShell prompt.

2. Ping LON-DC1 to verify that IPv4 is routing through LON-RTR.

3. Use ipconfig to verify that LON-SVR2 has only a link-local IPv6 address.

X Task 2: Disable IPv6 on LON-DC1


1. On LON-DC1, in Server Manager, on the Local Server, open the Local Area Connection properties.

2. Disable IPv6 for Local Area Connection.

X Task 3: Disable IPv4 on LON-SVR2


1. On LON-SVR2, in Server Manager, open the properties of Local Area Connection on the Local
Server.

2. Disable IPv4 for Local Area Connection.

X Task 4: Configure an IPv6 network on LON-RTR


1. On LON-RTR, open Windows PowerShell.

2. Use the following New-NetRoute cmdlet to add an IPv6 network on Local Area Connection 2 to the
local routing table:

New-NetRoute –InterfaceAlias “Local Area Connection 2” –DestinationPrefix 2001:db8:0:1::/64 –Publish Yes

3. Use the following Set-NetIPInterface cmdlet to enable router advertisements on Local Area
Connection 2:

Set-NetIPInterface –InterfaceAlias “Local Area Connection 2” –AddressFamily IPv6 –Advertising Enabled

4. Use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64
network.

X Task 5: Verify IPv6 on LON-SVR2


• On LON-SVR2, use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the
2001:db8:0:1::/64 network.

Results: After completing the exercise, students will have configured an IPv6–only network.

Exercise 2: Configuring an ISATAP Router


Scenario
After configuring the infrastructure for an IPv4–only network and an IPv6–only network, you need to
configure ISATAP to support communication between the IPv4–only nodes and the IPv6–only nodes.

The main tasks for this exercise are as follows:

1. Add an ISATAP host record to DNS.

2. Enable the ISATAP router on LON-RTR.


3. Remove ISATAP from the DNS Global Query Block List.

4. Enable ISATAP on LON-DC1.

5. Test connectivity.

X Task 1: Add an ISATAP host record to DNS


1. On LON-DC1, in Server Manager, open the DNS tool.

2. Add an ISATAP host record that resolves to 172.16.0.1.

X Task 2: Enable the ISATAP router on LON-RTR


1. On LON-RTR, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:

Set-NetIsatapConfiguration –Router 172.16.0.1

2. Use the following Get-NetIPAddress cmdlet to identify the interface index of the ISATAP interface
with 172.16.0.1 in the link-local address.
Interface index:

Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address

3. Use the following Get-NetIPInterface cmdlet to verify the following on the ISATAP interface:

o Forwarding is enabled

o Advertising is disabled

Get-NetIPInterface –InterfaceIndex IndexYouRecorded –PolicyStore ActiveStore | Format-List

4. Use the following Set-NetIPInterface cmdlet to enable router advertisements on the ISATAP interface:

Set-NetIPInterface –InterfaceIndex IndexYouRecorded –Advertising Enabled

5. Use the following New-NetRoute cmdlet to configure a network route for the ISATAP interface:

New-NetRoute –InterfaceIndex IndexYouRecorded –DestinationPrefix 2001:db8:0:2::/64 –Publish Yes

6. Use the following Get-NetIPAddress cmdlet to verify that the ISATAP interface has an IPv6 address
on the 2001:db8:0:2::/64 network:

Get-NetIPAddress –InterfaceIndex IndexYouRecorded



X Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, open Regedit and browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.

2. Modify GlobalQueryBlockList to remove isatap.

3. Restart the DNS service.

4. Ping isatap to verify it can be resolved. The name should resolve and you should receive four request
timed out messages from 172.16.0.1.

X Task 4: Enable ISATAP on LON-DC1


1. On LON-DC1, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:

Set-NetIsatapConfiguration –State Enabled

2. Use ipconfig to verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network.

X Task 5: Test connectivity


1. On LON-SVR2, use the following ping command to test connectivity to the ISATAP address for LON-DC1:

ping 2001:db8:0:2:0:5efe:172.16.0.10

2. Use Server Manager to modify the properties of TCP/IPv6 on the Local Area Connection 2, and add 2001:db8:0:2:0:5efe:172.16.0.10 as the preferred DNS server.

3. Use the ping command to test connectivity to LON-DC1.

Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to
allow communication between an IPv6–only network and an IPv4–only network.

X To prepare for the next module


After you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.



Module Review and Takeaways


Review Questions
Question: What is the main difference between 6to4 and Teredo?

Question: How can you provide a DNS server dynamically to an IPv6 host?

Question: Your organization is planning to implement IPv6 internally. After some research,
you have identified unique local IPv6 addresses as the correct type of IPv6 addresses to use
for private networking. To use unique local IPv6 addresses, you must select a 40-bit identifier
that is part of the network. A colleague suggests using all zeros for the 40 bits. Why is this
not a good idea?

Question: How many IPv6 addresses should an IPv6 node be configured with?

Best Practice:
Use the following best practices when implementing IPv6:

• Do not disable IPv6 on Windows 8 or Windows Server 2012.


• Enable coexistence of IPv4 and IPv6 in your organization rather than using transition
technologies.

• Use unique local IPv6 addresses on your internal network.

• Use Teredo to implement IPv6 connectivity over the IPv4 Internet.



Module 9
Implementing Local Storage
Contents:
Module Overview 9-1

Lesson 1: Overview of Storage 9-2

Lesson 2: Managing Disks and Volumes 9-11

Lesson 3: Implementing Storage Spaces 9-20

Lab: Implementing Local Storage 9-25

Module Review and Takeaways 9-30

Module Overview
Storage is one of the key components that you must consider when planning and deploying Windows
Server® 2012 operating systems. Most organizations require a great deal of storage because users work
regularly with applications that create new files that need to be stored in a central location. Storage
demands increase when users keep their files for longer periods of time. Every time a user logs on to a
server, an audit trail is created in an event log, which also uses storage. Even as files are created, copied,
and moved, storage is required.

This module introduces you to different storage technologies. It discusses how to implement the storage
solutions in Windows Server 2012, and how to use Storage Spaces, a new feature that you can use to
combine disks into pools that are then managed automatically.

Objectives
After completing this module you will be able to:
• Explain the various storage technologies.

• Manage disks and volumes.

• Implement Storage Spaces.



Lesson 1
Overview of Storage
When you plan a server deployment, one of the key components that you will require is storage. There are various types of storage that you can utilize, from locally attached storage, to storage that is remotely accessed via Ethernet, or even connected with optical fiber. You should be aware of each solution's benefits as well as its limitations.

As you prepare to deploy storage for your environment, you will need to make some important decisions. This lesson addresses questions you might consider, such as the following:

• Does the storage need to be fast?

• Does the storage need to be highly available?

• How much storage does your deployment actually require?

• How much resilience do you need to add to the initial storage requirement to ensure that your investment remains secure in the future?

Lesson Objectives
After completing this lesson, you will be able to:

• Describe disk types and performance.

• Describe direct-attached storage.

• Describe network-attached storage.

• Describe storage area network (SAN).

• Describe Redundant Array of Independent Disks (RAID).

• Describe RAID levels.

Disk Types and Performance
There are various types of disks available that you can use to provide storage to server and client systems. The speed of disks is measured in input/output operations per second (IOPS). The most common types of disks are:

• Enhanced Integrated Drive Electronics (EIDE). EIDE is based on standards that were created in 1986. The Integrated Drive Electronics (IDE) interface supports both the Advanced Technology Attachment 2 (ATA-2) and Advanced Technology Attachment Packet Interface (ATAPI) standards. Enhanced refers to the ATA-2 (Fast ATA) standard, which provides faster transfer rates and allows for multiple channels, each connecting two devices. In practice, the terms EIDE, IDE, and ATA are synonymous. These drives are commonly found connected using a 40-wire cable or 80-wire cable, and can only have two devices chained at any time. Due to the addressing standards of this technology, there is a 128 gigabyte (GB) limitation on storage using EIDE. Further, the speeds of EIDE are limited to a maximum of 133 megabytes (MB) per second. EIDE drives are almost never used on servers today.

• Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel, for
connecting the motherboard or device adapters to mass storage devices such as hard disk drives and
optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but
SATA host adapters and devices communicate via a high-speed serial cable over two pairs of
conductors. SATA was introduced in 2003 and can operate at speeds of 1.5, 3.0, and 6.0 GB per
second, depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than
other drive options, but also provide less performance. Organizations may choose to deploy SATA
drives when they require large amounts of storage, but not high performance. SATA disks are
generally low-cost disks that provide mass storage. However, for the lower cost they are also less
reliable compared to serial attached SCSI (SAS) disks.

A variation on the SATA interface is eSATA, which is designed to enable high-speed access to
externally-attached SATA drives.

• Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and
transferring data between computers and peripheral devices. SCSI was originally introduced in 1978
and was designed as an interface on a lower-level communication, subsequently allowing it to take
less processing power and perform transactions at higher speeds. SCSI became a standard in 1986.
Similar to EIDE, SCSI was designed to run over parallel cables; however, recently the usage has been
expanded to run over other mediums. The 1986 parallel specification of SCSI had initial speed
transfers of 40 MB per second. The more recent 2003 implementation, Ultra 640 SCSI, also known as
Ultra 5, can transfer data at speeds of 5,120 MB per second. SCSI disks provide higher performance
than SATA disks, but are also more expensive.

• SAS. SAS is a further implementation of the SCSI standard. SAS depends on a point-to-point serial
protocol that replaces the parallel SCSI bus technology, and uses the standard SCSI command set. SAS
offers backwards-compatibility with second generation SATA drives. SAS drives are reliable and made
for 24 hours a day, seven days a week (24/7) operations in data centers. With up to 15,000 rotations
per minute (RPM), these disks are also the fastest traditional hard disks.

• Solid State Drives (SSDs). SSDs are data storage devices that use solid-state memory to store data
rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs
use microchips to store the data and do not contain any moving parts. SSDs provide fast disk access,
use less power, and are less susceptible to failure from being dropped than traditional hard disks
(such as SAS drives), but are also much more expensive per GB of storage. SSDs typically use a SATA
interface so you can usually replace hard disk drives with SSDs without any modifications.

Note: Fibre Channel, FireWire, or USB-attached disks are also available storage options.
They define either the transport bus or the disk type. For example, USB-attached disks mostly use
SATA or SSD drives to store data.

What Is Direct Attached Storage?
Almost all servers provide some built-in storage. This type of storage is referred to as direct attached storage (DAS). DAS can include disks that are physically located inside the server, connected directly with an external array, or disks that are connected to the server with a USB cable or an alternative communications methodology. Primarily, DAS storage is physically connected to the server. Because of this, if the server suffers a power failure, the storage is unavailable. DAS comes in various disk types such as SATA, SAS or SSD, which affect the speed and the performance of the storage, and has both advantages and disadvantages.

Advantages of Using DAS
A typical DAS system is made up of a data storage device that includes a number of hard disk drives that
are connected directly to a computer through a host bus adapter (HBA). Between the DAS and the
computer, there are no network devices such as hubs, switches, or routers. Instead, the storage is
connected directly to the server that utilizes it, making DAS the easiest storage system to deploy and
maintain.

DAS is also usually the least expensive storage available today, and is widely available in various speeds
and sizes to accommodate various installations. In addition to being inexpensive, DAS is very easy to
configure. In most instances, you would simply plug in the device, ensure that the running Windows
operating system recognizes it, and then use Disk Management to configure the disks.

Disadvantages of Using DAS
Storing data locally on DAS makes data centralization more difficult because the data is located on
multiple servers. This can make it more complex to back up the data and, for users, to locate the data
they are looking for. Furthermore, if any one device that has DAS connected to it suffers a power outage,
the storage on that computer is unavailable.

DAS also has drawbacks in its access methodologies. Due to the way reads and writes are handled by the
server operating system, DAS can be slower than other storage technologies. Another drawback is that
DAS shares the processing power and server memory to which it is connected. This means that on very
busy servers, disk access may slow when the operating system is overloaded.

What Is Network Attached Storage?
Network attached storage (NAS) is storage that is connected to a dedicated storage device and then
accessed over the network. NAS is different than DAS in that the storage is not directly attached to
each individual server, but rather is accessible across the network to many servers. NAS has two
distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with
SAN. Each NAS device has a dedicated operating system that solely controls the access to the data on the
device, which reduces the overhead associated with sharing the storage device with other server
services. An example of NAS software is Windows® Storage Server, a feature of Windows Server 2012.

To enable NAS storage, you need a storage device. Frequently, these devices are appliances that do not
have any server interfaces such as keyboards, mice and monitors. Instead, to configure the device, you
provide a network configuration and then access the device across the network. You can then create
network shares on the device by using the name of the NAS and the share created. These shares are then
accessible to users on the network.

Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies
are identical; the access method is the only thing that changes. Enterprises often provision storage from
the SAN to the servers using FCoE or iSCSI, while NAS services are made available via CIFS and NFS; the
disk drives (aggregates) are the same, the methods for writing are the same, and the overhead and
reliability are the same.

Advantages of Using NAS
NAS is an ideal choice for organizations that are looking for a simple and cost-effective way to achieve
fast data access for multiple clients at the file level. Users of NAS benefit from performance and
productivity gains because the processing power of the NAS device is dedicated solely to the distribution
of the files.

NAS also fits nicely into the market as a mid-priced solution. It is not expensive, but it suits more needs
than DAS in the following ways:

• NAS storage is usually much larger than DAS.

• NAS offers a single location for all critical files, rather than inter-dispersing them on various servers or
devices with DAS.

• NAS offers centralized storage at an affordable price.

• NAS units are accessible from any operating system. They often have multi-protocol support and can
serve up data via CIFS and NFS at the same time, thus serving Windows and Linux hosts at the same time.

NAS can also be considered a Plug and Play solution that is easy to install, deploy, and manage, with or
without IT staff at hand.

Disadvantages of Using NAS
NAS is slower than SAN technologies. NAS is frequently accessed via Ethernet protocols. Because of this, it
relies heavily on the network supporting the NAS solution. For this reason, NAS is commonly used as a file
sharing/storage solution and cannot (and should not) be used with data-intensive applications such as
Microsoft Exchange Server and Microsoft SQL Server®.

NAS is affordable for small to mid-size businesses and, similar to DAS, has overheads of an operating
system that reads and writes data in different ways than a SAN solution. NAS systems are more frequently
prone to the possibility of data loss depending on the size of the data being copied.


Additional Reading: For more information about Windows Storage Server, see
http://go.microsoft.com/fwlink/?LinkID=199647.

What Is a SAN?
The third type of storage is a storage area network (SAN). A SAN is a specialized high speed network
that connects computer systems or host servers to high-performance storage subsystems. A SAN usually
includes various components such as host bus adapters (HBAs), special switches to help route traffic,
and storage disk arrays with logical unit numbers (LUNs) for storage.

A SAN enables multiple servers to access a pool of storage in which any server can potentially access
any storage unit. A SAN uses a network like any other network, such as a local area network (LAN). You
can, therefore, use a SAN to connect many different devices and hosts to provide access to any device
from anywhere.

Unlike DAS or NAS, a SAN is controlled by a hardware device and offers the fastest access to the storage
and offers methods to minimize overhead (such as using raw disks).

Advantages of Using SAN
SAN technologies read and write at block levels, making data access much faster. For example, with most
DAS and NAS solutions, if you write a file of 8 GB, the entire file will have to be read/written and its
checksum calculated. With SAN, the file is written to the disk based on the block size for which the SAN is
set up. This speed is accomplished by fiber access methodologies and block level writing, instead of
having to read/write an entire file by using a checksum.

SANs also provide:

• Centralization of storage into a single pool, which enables storage resources and server resources to
grow independently. They also enable storage to be dynamically assigned from the pool when it is
required. Storage on a given server can be increased or decreased as needed without complex
reconfiguring or re-cabling of devices.

• Common infrastructure for attaching storage, which enables a single common management model
for configuration and deployment.

• Storage devices that are inherently shared by multiple systems.

• Data transfer directly from device to device without server intervention.



• A high level of redundancy. Most SANs are deployed with multiple network devices and paths
through the network. As well, the storage device contains redundant components such as power
supplies and hard disks.

Disadvantages of Using SAN
The main drawback to SAN technology is that due to the complexities in the configuration, SAN often
requires management tools and expert skills. It is also considerably more expensive than DAS or NAS; an
entry level SAN can often cost as much as a fully loaded server with a DAS or an NAS device, and that is
without any SAN disks or configuration.
To manage a SAN, you often use command-line tools. You must have a firm understanding of the
underlying technology, including the LUN setup, the Fibre Channel back end, the block sizing, and so on.
In addition, each storage vendor often implements SANs using different tools and features. Because of
this, organizations often have dedicated personnel whose only job is to manage the SAN deployment.

Note: SANs can be implemented using a variety of technologies. The most common
options are Fibre Channel and Internet SCSI (iSCSI).

What Is RAID?
RAID is a technology that you can use to configure storage systems that provide high reliability and
(potentially) high performance. RAID implements storage systems by combining multiple disks into a
single logical unit called a RAID array, which, depending on the configuration, can withstand the failure
of one or more of the physical hard disks, or provide higher performance than is available by using a
single disk.

RAID provides an important component—redundancy—that you can use when planning and deploying
Windows Server 2012 servers. In most organizations, it is important that the servers are available all of
the time. Most servers provide highly-redundant components such as redundant power supplies, and
redundant network adapters. The goal of this redundancy is to ensure that the server remains available
even when a single component on the server fails. By implementing RAID, you can provide the same level
of redundancy for the storage system.

How RAID Works
RAID enables fault tolerance by using additional disks to ensure that the disk subsystem can continue to
function even if one or more disks in the subsystem fail. RAID uses two options for enabling fault
tolerance:

• Disk mirroring. With disk mirroring, all of the information that is written to one disk is also written to
another disk. If one of the disks fails, the other disk is still available.
• Parity information. Parity information is used in the event of a disk failure to calculate the information
that was stored on a disk. If you use this option, the server or RAID controller calculates the parity
information for each block of data that is written to the disks, and then stores this information on
another disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the
data that is still available on the functional disks along with the parity information to recreate the
data that was stored on the failed disk.

RAID subsystems can also provide potentially better performance than single disks by distributing disk
reads and writes across multiple disks. For example, when implementing disk striping, the server can read
information from all hard disks in the stripe set. When combined with multiple disk controllers, this can
provide significant improvements in disk performance.

Note: Although RAID can provide a greater level of tolerance for disk failure, you should
not use RAID to replace traditional backups. If a server has a power surge or catastrophic failure
and all of the disks fail, then you would still need to rely on standard backups.

Hardware RAID vs. Software RAID


You implement hardware RAID by installing a RAID controller in the server, and then configuring RAID by
using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden
from the operating system while the RAID arrays are exposed to the operating system as single disks. The
only configuration you need to perform in the operating system is to create volumes on the disks.
Software RAID is implemented by exposing all of the disks available on the server to the operating system
and then configuring RAID from within the operating system. Windows Server 2012 supports the use of
software RAID, and you can use Disk Management to configure several different levels of RAID.
When choosing to implement hardware or software RAID, consider the following:

• Hardware RAID requires disk controllers that are RAID-capable. Most disk controllers shipped with
new servers have this functionality.

• To configure hardware RAID, you need to access the disk controller management program. Normally,
you can access this during the server boot process or by using a web page that runs management
software.
• Implementing disk mirroring for the disk containing the system and boot volume with software RAID
can require additional configuration when a disk fails. Because the RAID configuration is managed by
the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk
fails, you may need to modify the boot configuration for the server to start the server. This is not an
issue with hardware RAID, because the disk controller will access the available disk and expose it to
the operating system.

• In older servers, you may get better performance with software RAID when using parity because the
server processor can calculate parity more quickly than the disk controller can. This is no longer an
issue with newer servers, where you may get better performance on the server because you can
offload the parity calculations to the disk controller.

Question: Should all disks be configured with the same amount of fault tolerance?

RAID Levels
When implementing RAID, you need to decide what level of RAID to implement. The most common RAID
levels are RAID 1 (also known as mirroring), RAID 5 (also known as striped set with distributed parity)
and RAID 1+0 (also known as mirrored set in a stripe set). The table below lists the features for each
different RAID level.

RAID 0
  Description: Striped set without parity or mirroring. Data is written sequentially to each disk.
  Performance: High read and write performance.
  Space utilization: All space on the disks is available.
  Redundancy: A single disk failure results in the loss of all data.
  Comments: Use only in situations where you require high performance and can tolerate data loss.

RAID 1
  Description: Mirrored set without parity or striping. Data is written to both disks simultaneously.
  Performance: Good performance.
  Space utilization: Can only use the amount of space that is available on the smallest disk.
  Redundancy: Can tolerate a single disk failure.
  Comments: Frequently used for system and boot volumes with hardware RAID.

RAID 2
  Description: Data is written in bits to each disk with parity written to separate disk or disks.
  Performance: Extremely high performance.
  Space utilization: One or more disks used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Requires that all disks be synchronized. Not currently used.

RAID 3
  Description: Data is written in bytes to each disk with parity written to separate disk or disks.
  Performance: Very high performance.
  Space utilization: One disk used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Requires that all disks be synchronized. Rarely used.

RAID 4
  Description: Data is written in blocks to each disk with parity written to a dedicated disk.
  Performance: Good read performance, poor write performance.
  Space utilization: One disk used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Rarely used.

RAID 5
  Description: Striped set with distributed parity. Data is written in blocks to each disk with parity
  spread across all disks.
  Performance: Good read performance, poor write performance.
  Space utilization: The equivalent of one disk used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Commonly used for data storage where performance is not critical, but maximizing disk
  usage is important.

RAID 6
  Description: Striped set with dual distributed parity. Data is written in blocks to each disk with
  double parity written across all disks.
  Performance: Good read performance, poor write performance.
  Space utilization: The equivalent of two disks used for parity.
  Redundancy: Can tolerate two disk failures.
  Comments: Commonly used for data storage where performance is not critical but maximizing disk
  usage and availability are important.

RAID 0+1
  Description: Striped sets in a mirrored set. A set of drives is striped, and then the stripe set is
  mirrored.
  Performance: Very good read and write performance.
  Space utilization: Only half the disk space is available due to mirroring.
  Redundancy: Can tolerate the failure of two or more disks as long as all failed disks are in the same
  striped set.
  Comments: Not commonly used.

RAID 1+0
  Description: Mirrored set in a stripe set. Several drives are mirrored to a second set of drives, and
  then one drive from each mirror is striped.
  Performance: Very good read and write performance.
  Space utilization: Only half the disk space is available due to mirroring.
  Redundancy: Can tolerate the failure of two or more disks as long as both disks in a mirror do not
  fail.
  Comments: Frequently used in scenarios where performance and redundancy are critical, and the cost
  of the required additional disks is acceptable.
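The parity mechanism described under How RAID Works, together with the space utilization and redundancy columns of the table above, as an added Python example that is not part of the course material: one RAID 5 stripe is built with XOR parity, the parity position rotates across disks, any single failed disk is rebuilt from the survivors, and raid_layout returns usable space and tolerated failures per level. It assumes identical disk sizes; the function names and the sample data are constructed for illustration.

```python
"""RAID parity and capacity, as a constructed illustration (not the course's code).

Assumes identical disk sizes and ignores controller and partition-table details.
"""
from functools import reduce
from typing import Iterable, List, NamedTuple, Optional


class RaidLayout(NamedTuple):
    usable_gb: float   # space the operating system can use
    min_failures: int  # disk failures every array of this level survives
    max_failures: int  # best case, depending on which disks fail


def raid_layout(level: str, disk_count: int, disk_size_gb: float) -> RaidLayout:
    """Usable space and fault tolerance for the levels in the course table."""
    n, s = disk_count, disk_size_gb
    if level == "0":                      # striping only: all space, no redundancy
        if n < 2:
            raise ValueError("RAID 0 needs at least 2 disks")
        return RaidLayout(n * s, 0, 0)
    if level == "1":                      # two-way mirror: one disk's worth of space
        if n != 2:
            raise ValueError("RAID 1 is a two-disk mirror")
        return RaidLayout(s, 1, 1)
    if level == "5":                      # one disk's worth of space holds parity
        if n < 3:
            raise ValueError("RAID 5 needs at least 3 disks")
        return RaidLayout((n - 1) * s, 1, 1)
    if level == "6":                      # two disks' worth of space holds dual parity
        if n < 4:
            raise ValueError("RAID 6 needs at least 4 disks")
        return RaidLayout((n - 2) * s, 2, 2)
    if level in ("0+1", "1+0"):           # mirroring halves the usable space
        if n < 4 or n % 2:
            raise ValueError(f"RAID {level} needs an even number of disks, at least 4")
        # Always survives one failure; survives up to n/2 only if the failed disks
        # all sit in one stripe set (0+1) or one per mirror pair (1+0).
        return RaidLayout(n * s / 2, 1, n // 2)
    raise ValueError(f"unknown RAID level {level!r}")


def xor_blocks(blocks: Iterable[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte: the parity operation RAID 5 relies on."""
    blocks = list(blocks)
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("blocks must have equal length")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def raid5_stripe(data_blocks: List[bytes], parity_disk: int) -> List[bytes]:
    """Lay one stripe across len(data_blocks)+1 disks, placing parity on parity_disk."""
    stripe = list(data_blocks)
    stripe.insert(parity_disk, xor_blocks(data_blocks))
    return stripe


def rebuild_disk(stripe: List[bytes], failed_disk: int) -> bytes:
    """Recover the block the failed disk held (data or parity) from the survivors."""
    return xor_blocks(b for i, b in enumerate(stripe) if i != failed_disk)


def write_raid5(data: bytes, disk_count: int, block_size: int) -> List[List[bytes]]:
    """Return disks[d][stripe] for data written with parity rotating across disks."""
    per_stripe = (disk_count - 1) * block_size
    data += b"\x00" * ((-len(data)) % per_stripe)  # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(disk_count)]
    for stripe_no, start in enumerate(range(0, len(data), per_stripe)):
        chunk = data[start:start + per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        for d, block in enumerate(raid5_stripe(blocks, stripe_no % disk_count)):
            disks[d].append(block)
    return disks


def read_raid5(disks: List[List[bytes]], data_len: int,
               failed_disk: Optional[int] = None) -> bytes:
    """Read the data back, reconstructing a failed disk's blocks on the fly."""
    disk_count, out = len(disks), bytearray()
    for stripe_no in range(len(disks[0])):
        stripe = [disks[d][stripe_no] for d in range(disk_count)]
        if failed_disk is not None:            # the lost disk is recomputed, never read
            stripe[failed_disk] = rebuild_disk(stripe, failed_disk)
        parity_disk = stripe_no % disk_count
        out += b"".join(b for d, b in enumerate(stripe) if d != parity_disk)
    return bytes(out[:data_len])


# Constructed sample data, not from any real volume.
SAMPLE_DATA = b"Windows Server 2012 local storage: parity lets one disk fail."

if __name__ == "__main__":
    disks = write_raid5(SAMPLE_DATA, 4, 8)
    for lost in range(4):
        assert read_raid5(disks, len(SAMPLE_DATA), lost) == SAMPLE_DATA
    print(raid_layout("5", 4, 1000), raid_layout("1+0", 6, 500))
```

A second simultaneous failure is not covered here: RAID 6 needs a second, independent parity computation, which plain XOR cannot provide.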

Lesson 2
Managing Disks and Volumes
Identifying which storage technology you will want to deploy is the first critical step in making sure
that your environment is prepared for data storage requirements. This, however, is only the first step.
There are other steps that you will need to take to prepare for data storage requirements.

For example, once you have identified the best storage solution, or have chosen a mix of storage
solutions, you need to figure out the best way to manage that storage. Ask yourself the following
questions:

• What disks will you allocate to a storage pool?

• Will the type of file systems be the same for all disks?
This lesson addresses these and similar questions, including why it is important to manage disks, and what
tools you need to manage disks.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe selecting a partition table format.
• Describe the difference between basic and dynamic disk types.
• Explain a resilient file system.
• Describe how to select a file system.
• Explain mount points and links.
• Create mount points and links.
• Describe the process of extending and shrinking volumes.

Selecting a Partition Table Format
A partition table format, or partition style, refers to the method that an operating system such as
Windows Server 2012 uses to organize partitions or volumes on a disk. For Windows operating systems,
you can decide between master boot record (MBR) and GUID partition table (GPT).

MBR
The MBR partition table format is the standard partitioning scheme that has been used on hard disks
since the first personal computers came out in the 1980s. The MBR partition table format has the
following characteristics:

• Supports a maximum of four primary partitions per drive

• A partition can have a maximum of 2 terabytes (TB) (2.19 x 10^12 bytes)

• If you initialize a disk larger than 2 TB using MBR, the disks are only able to store volumes up to 2 TB
and the rest of the storage will not be used. You must convert the disk to GPT if you want to use all of
its space.

Note: You should use the MBR partition table format for disk drives that never surpass 2 TB
in size. This provides you with a bit more space because GPT requires more disk space than MBR.

GPT
The GPT was introduced with Windows Server 2003 and Windows® XP 64-bit Edition to overcome the
limitations of MBR, and to address larger disks. GPT has the following characteristics:
• GPT is the successor of the MBR partition table format

• Supports a maximum of 128 partitions per drive

• A partition can have up to 8 zettabytes (ZB)
• A hard disk can have up to 18 exabytes (EB), with 512 kilobytes (KB) logical block addressing (LBA)

Note: If your hard disk is larger than 2 TB, you should use the GPT partition table format.

Additional Reading: For frequently asked questions about the GUID partitioning table disk
architecture, see http://support.microsoft.com/kb/302873.

Selecting a Disk Type
When selecting a type of disk for use in Windows Server 2012, you can choose between basic disks
and dynamic disks.

Basic Disk
Basic storage uses normal partition tables that are used by all versions of the Windows operating
system. A disk that is initialized for basic storage is called a basic disk. A basic disk contains basic
partitions, such as primary partitions and extended partitions. You can subdivide extended partitions
into logical drives.
By default, when you initialize a disk in Windows, the disk is configured as a basic disk. You can easily
convert basic disks to dynamic disks without any loss of data; however, when converting a dynamic disk to
basic disk, all data on the disk will be lost.
Some applications cannot address data that is stored on dynamic disks. There is also no performance gain
by converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic
disks to dynamic disks unless they need to use some of the additional volume configuration options that
are available with dynamic disks.

Dynamic Disk
Dynamic storage is supported in all Windows operating systems including the Windows XP operating
systems and the Microsoft Windows NT® Server 4.0 operating system. A disk that is initialized for dynamic
storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you
can perform disk and volume management without the need to restart Windows operating systems.
When you configure dynamic disks, you create volumes rather than partitions. A volume is a storage unit
that is made from free space on one or more disks. You can format the volume with a file system, and can
assign a drive letter or configure it with a mount point.

The following is a list of the dynamic volumes that are available:

• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a
disk, or consist of multiple, concatenated regions. A simple volume can be extended within the same
disk or on to additional disks. If a simple volume is extended across multiple disks, it becomes a
spanned volume.

• Spanned volumes. A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume
cannot be mirrored, and is not fault-tolerant; therefore, if you lose one disk, you will lose the entire
spanned volume.

• Striped volumes. A striped volume has data that is spread across two or more physical disks. The data
on this type of volume is allocated alternately and evenly to each of the physical disks. A striped
volume cannot be mirrored or extended, and is not fault-tolerant. This means that the loss of one disk
causes the immediate loss of all the data. Striping is also known as RAID-0.

• Mirrored volumes. A mirrored volume is a fault-tolerant volume that has all data duplicated onto two
physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume that has data striped across a minimum
of three or more disks. Parity is also striped across the disk array. If a physical disk fails, the portion of
the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the
parity. A RAID-5 volume cannot be mirrored or extended.

Required Disk Volumes


Regardless of which type of disk you use, you must configure both a system volume and a boot volume
on one of the hard disks in the server:

• System volumes. The system volume contains the hardware-specific files that are needed to load
Windows operating system (for example, Bootmgr and BOOTSECT.bak). The system volume can—but
does not have to—be the same as the boot volume.

• Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can—but does not have to—
be the same as the system volume.

Note: When you install the Windows 8 operating system or the Windows Server 2012
operating system in a clean installation, a separate system volume is created to enable encrypting
the boot volume by using Windows BitLocker® drive encryption.

Additional Reading: For more information about how basic disks and volumes work, see
http://go.microsoft.com/fwlink/?LinkID=199648.

For more information about dynamic disks and volumes, see
http://go.microsoft.com/fwlink/?LinkID=199649.

Selecting a File System
When you configure your disks in Windows Server 2012, you can choose between FAT, NTFS, and
ReFS file systems.

File Allocation Table (FAT)
The file allocation table (FAT) is the most simplistic of the file systems that Windows operating
systems support. The FAT file system is characterized by a table that resides at the very top of the
volume. To protect the volume, two copies of the FAT file system are maintained in case one becomes
damaged. In addition, the file allocation tables and the root directory must be stored in a fixed location
so that the system's boot files can be correctly located.

A disk formatted with FAT is allocated in clusters, whose sizes are determined by the size of the volume.
When a file is created, an entry is created in the directory, and the first cluster number containing data is
established. This entry in the table either indicates that this is the last cluster of the file, or points to the
next cluster. There is no organization to the FAT directory structure, and files are given the first open
location on the drive.
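A constructed model of the cluster chain just described, added here as an example (not the course's code, and not a parser for real on-disk FAT structures): a directory entry records the first cluster, each table entry points to the next cluster or carries an end-of-chain marker, new files take the first open clusters, and the second copy of the table is consulted when the first is damaged. The FatVolume class, the marker values and the cluster numbering are simplifications assumed for illustration.

```python
# Toy FAT volume: two copies of the allocation table, a directory of first
# clusters, and a chain walker. Constructed illustration, not real FAT layout.
from typing import Dict, List, Optional

FREE = 0x0000          # cluster not in use
END_OF_CHAIN = 0xFFFF  # "this is the last cluster of the file" (constructed marker)
BAD_CLUSTER = 0xFFF7   # cluster marked unusable
FIRST_DATA_CLUSTER = 2  # entries 0 and 1 are reserved, as on real FAT volumes


class FatVolume:
    def __init__(self, cluster_count: int, cluster_size: int):
        self.cluster_size = cluster_size
        # Two copies of the table, as the course describes, kept in sync on write.
        self.fat: List[int] = [FREE] * cluster_count
        self.fat_backup: List[int] = list(self.fat)
        self.directory: Dict[str, int] = {}        # file name -> first cluster
        self.clusters: List[bytes] = [b""] * cluster_count

    def write_file(self, name: str, data: bytes) -> int:
        """Take the first open clusters, link them, and create the directory entry."""
        needed = max(1, -(-len(data) // self.cluster_size))   # ceiling division
        free = [i for i, v in enumerate(self.fat)
                if v == FREE and i >= FIRST_DATA_CLUSTER]
        if len(free) < needed:
            raise OSError("not enough free clusters")
        chain = free[:needed]
        for pos, cluster in enumerate(chain):
            nxt = chain[pos + 1] if pos + 1 < needed else END_OF_CHAIN
            self.fat[cluster] = self.fat_backup[cluster] = nxt
            self.clusters[cluster] = data[pos * self.cluster_size:(pos + 1) * self.cluster_size]
        self.directory[name] = chain[0]
        return chain[0]

    def chain(self, first: int, table: Optional[List[int]] = None) -> List[int]:
        """Follow next-cluster pointers from `first` until the end-of-chain marker."""
        table = self.fat if table is None else table
        seen, out, cur = set(), [], first
        while cur != END_OF_CHAIN:
            # A loop, a reserved/out-of-range number, or a pointer into a free or
            # bad cluster means the table entry is damaged.
            if (cur in seen or cur < FIRST_DATA_CLUSTER or cur >= len(table)
                    or table[cur] in (FREE, BAD_CLUSTER)):
                raise ValueError(f"corrupt chain at cluster {cur}")
            seen.add(cur)
            out.append(cur)
            cur = table[cur]
        return out

    def read_file(self, name: str) -> bytes:
        """Read a file, falling back to the second table copy if the first is damaged."""
        first = self.directory[name]
        try:
            clusters = self.chain(first)
        except ValueError:
            clusters = self.chain(first, self.fat_backup)  # why two copies exist
        return b"".join(self.clusters[c] for c in clusters)


def demo() -> bytes:
    """Write a file, damage the primary table, and read the file back intact."""
    vol = FatVolume(cluster_count=16, cluster_size=4)
    first = vol.write_file("NOTES.TXT", b"hello FAT world")   # constructed content
    vol.fat[vol.fat[first]] = FREE   # damage the second link in the primary table
    return vol.read_file("NOTES.TXT")
```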

Because of the size limitation with the file allocation table, the original release of FAT could only access
partitions that were less than 2 GB in size. To enable larger disks, Microsoft developed FAT32. FAT32
supports partitions of up to 2 TB.
FAT does not provide any security for files on the partition. You should never use FAT or FAT32 as the file
system for disks attached to Windows Server 2012 servers. You might consider using FAT or FAT32 to
format external media such as USB flash media.

exFAT (Extended FAT)
exFAT is a file system designed especially for flash drives. It can be used where FAT32 is not
suitable, such as when you need a disc format that works with a television, which requires a disc that is
larger than 2 TB. exFAT is supported in a number of media devices, such as modern flat panel TVs, media
centers, and portable media players.

NTFS
NTFS is the standard file system for all Windows operating systems beginning with Windows NT Server
4.0. Unlike FAT, there are no special objects on the disk, and there is no dependence on the underlying
hardware, such as 512-byte sectors. In addition, in NTFS there are no special locations on the disk, such as
the tables.
NTFS is an improvement over FAT in several ways, such as better support for metadata, and the use of
advanced data structures to improve performance, reliability, and disk space utilization. NTFS also has
additional extensions such as security access control lists (ACLs), which you can use for auditing, file
system journaling, and encryption.

NTFS is required for a number of Windows Server 2008 R2 roles and features such as Active Directory®
Domain Services (AD DS), Volume Shadow Services (VSS), Distributed File System (DFS) and File
Replication Services (FRS). NTFS also provides a much higher level of security than FAT or FAT 32.

Resilient File System (ReFS)
The Resilient File System (ReFS) was introduced with Windows Server 2012 to enhance the capabilities of
NTFS. ReFS was developed to improve upon NTFS by offering larger maximum sizes for individual files,
directories, disk volumes, and other items. Additionally, ReFS offers greater resiliency, meaning better data
verification, error correction, and scalability.

ReFS uses features from NTFS, and is designed to maintain backward compatibility with its older Windows
operating system versions. Windows 8 clients or older Windows client operating systems can read and
write to ReFS hard-drive partitions and to shares on a server, just as they can with those running NTFS.

You should use ReFS with very large volumes and very large file shares to overcome the NTFS limitation of
error checking and correction. Because ReFS was not available prior to Windows Server 2012 (the only
choice was NTFS), it makes sense to use ReFS with Windows Server 2012 instead of NTFS to achieve better
error checking, better reliability, and less corruption.

Additional Reading: For more information on how FAT works, see
http://go.microsoft.com/fwlink/?LinkID=199652.
For more information on how NTFS works, see http://go.microsoft.com/fwlink/?LinkID=199654.

Question: What file system do you currently use on your file server? Will you continue to use
it?

What Is a Resilient File System?
The Resilient File System (ReFS) is a new feature in Windows Server 2012. ReFS is based on the NTFS
file system, and provides the following advantages:

• Metadata integrity with checksums
• Expanded protection against data corruption

• Maximizes reliability, especially during a loss of power (while NTFS has been known to
experience corruption in similar circumstances)

• Large volume, file, and directory sizes
• Storage pooling and virtualization, which makes creating and managing file systems easier

• Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance

• Disk scrubbing for protection against latent disk errors
• Resiliency to corruptions with recovery for maximum volume availability

• Shared storage pools across machines for additional failure tolerance and load balancing

ReFS inherits some features from NTFS, including the following:

• BitLocker drive encryption

• Access-control lists for security

• Update sequence number (USN) journal
• Change notifications

• Symbolic links, junction points, mount points and reparse points

• Volume snapshots
• File IDs

Because ReFS uses a subset of features from NTFS, it is designed to maintain backward compatibility with NTFS. Therefore, Windows 8 clients or older Windows client operating systems can read and write to ReFS hard-drive partitions and shares on a server, just as they can with those running NTFS. However, as implied in its name, the new file system offers greater resiliency, meaning better data verification, error correction, and scalability.

Beyond its greater resiliency, ReFS also surpasses NTFS by offering larger maximum sizes for individual files, directories, disk volumes, and other items, as listed in the following table.

Attribute                                      Limit

Maximum size of a single file                  ~16 exabytes (EB) (18,446,744,073,709,551,616 bytes)

Maximum size of a single volume                2^78 bytes with 16 KB cluster size (2^64 * 16 * 2^10);
                                               Windows stack addressing allows 2^64 bytes

Maximum number of files in a directory         2^64

Maximum number of directories in a volume      2^64

Maximum file name length                       32,000 Unicode characters

Maximum path length                            32,000

Maximum size of any storage pool               4 petabytes (PB)

Maximum number of storage pools in a system    No limit

Maximum number of spaces in a storage pool     No limit

What Are Mount Points and Links?
With the NTFS and ReFS file systems, you can create mount points and links to refer to files, directories, and volumes.

Mount Points
Mount points are used in Windows operating systems to make a portion of a disk or the entire disk useable by the operating system. Most commonly, mount points are associated with drive letter mappings so that the operating system can gain access to the disk through the drive letter.

Since the Microsoft Windows 2000 Server operating system was first introduced, you have been able to enable volume mount points, which you can then use to mount a hard disk to an empty folder that is located on another drive. For example, if you add a new hard disk to a server, rather than mounting the drive using a drive letter, you can assign a folder name such as C:\datadrive to the drive. When you do this, any time you access the C:\datadrive folder, you are actually accessing the new hard disk.

Volume mount points can be useful in the following scenarios:

• If you are running out of drive space on a server and you want to add disk space without modifying
the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.

• If you are running out of available letters to assign to partitions or volumes. If you have several hard
disks that are attached to the server, you may run out of available letters in the alphabet to which to
assign drive letters. By using a volume mount point, you can add additional partitions or volumes
without using more drive letters.

• If you need to separate disk input/output (I/O) within a folder structure. For example, if you are using
an application that requires a specific file structure, but which uses the hard disks extensively, you can
separate the disk I/O by creating a volume mount point within the folder structure.

Note: You can assign volume mount points only to empty folders on an NTFS partition.
This means that if you want to use an existing folder name, you must first rename the folder,
create and mount the hard disk using the required folder name, and then copy the data to the
mounted folder.

Links
A link is a special type of file that contains a reference to another file or directory in the form of an
absolute or relative path. Windows supports the following two types of links:

• A symbolic file link (also known as a soft link)

• A symbolic directory link (also known as a directory junction)

A link which is stored on a server share could refer back to a directory on a client that is not actually
accessible from the server where the link is stored. Because the link processing is done from the client, the
link would work correctly to access the client, even though the server cannot access the client.

Links operate transparently: applications that read or write to files that are named by a link behave as if
they are operating directly on the target file. For example, you can use a symbolic link to link to a Hyper-
V® parent virtual hard disk file from another location. Hyper-V uses the link to work with the parent virtual
hard drive (VHD) as it would use the original file. The benefit of using symbolic links is that you do not
need to modify the properties of your differencing VHD.

Note: In Hyper-V, you can use a differencing virtual hard disk (VHD) to save space by
making changes only to the child VHD, when the child VHD is part of a parent/child VHD
relationship.

Links are sometimes easier to manage than mount points. Mount points force you to place the files on the
root of the volumes, whereas with links you can be more flexible with where you save files.

You can create links in a Windows Explorer window, or by using the mklink.exe tool in a command-line
interface window.
9-18 Implementing Local Storage

Demonstration: Creating Mount Points and Links


In this demonstration, you will see how to create a mount point and then assign it to a folder. Then you
will see the process of creating a link between folders and a link for a file, and see how to use both links.

Demonstration Steps

Create a mount point


1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.

2. Open Computer Management, and then expand Disk Management.

3. In Disk Management, initialize Disk 2 with GPT (GUID Partition Table).

4. On Disk 2, create a Simple Volume with the following parameters:

o Size: 4000 MB

o Do not assign a drive letter or drive path

o File system: NTFS

o Volume label: MountPoint


5. Wait until the volume is created, right-click MountPoint, and then click Change Drive Letter and
Paths.

6. Change the drive letter as follows:


o Mount in the following empty NTFS folder

o Create new Folder C:\MountPointFolder and use it as mount point.

7. On the taskbar, open a Windows Explorer window, and then click Local Disk (C:). You should now
see the MountPointFolder with a size of 4,095,996 KB assigned to it. Notice the icon that is assigned
to the mount point.

Create a link between folders


1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32 with the name
System32 Shortcut.

2. In Windows Explorer, in the right pane, double-click System32 Shortcut. Notice how the shortcut
path changes automatically to the correct path in the Address bar.

Create a link for a file


1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32\mspaint.exe and
name it Paint Shortcut.

2. In Windows Explorer, in the right pane, double-click Paint Shortcut. Note how the link opens Paint.
Using links can be very useful if you want to refer to a file such as a virtual hard disk that is located on
another drive.
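The mount point and the links from this demonstration, scripted with the Storage module cmdlets and the mklink.exe tool that ship with Windows Server 2012. This is an added example, not part of the course text or Microsoft's lab scripts. It assumes Disk 2 is a new, uninitialized disk, that C:\MountPointFolder and C:\Links do not yet exist, and that it is run in an elevated Windows PowerShell session on LON-SVR1; the link names under C:\Links are this example's own choice.

```powershell
# Added example (not from the course text): create a mount point and two links.
$diskNumber  = 2
$mountFolder = 'C:\MountPointFolder'

# 1. Initialize the new disk with a GPT partition table (skip if already initialized).
$disk = Get-Disk -Number $diskNumber
if ($disk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $diskNumber -PartitionStyle GPT
}

# 2. Create a 4000 MB volume with no drive letter or path, formatted NTFS, label MountPoint.
$partition = New-Partition -DiskNumber $diskNumber -Size 4000MB
Format-Volume -Partition $partition -FileSystem NTFS -NewFileSystemLabel 'MountPoint' -Confirm:$false | Out-Null

# 3. Mount the volume in an empty NTFS folder. The note above says the folder must be empty;
#    check that rather than mounting on top of existing data.
if (Test-Path -Path $mountFolder) {
    if (Get-ChildItem -Path $mountFolder -Force) { throw "$mountFolder is not empty" }
} else {
    New-Item -ItemType Directory -Path $mountFolder | Out-Null
}
Add-PartitionAccessPath -DiskNumber $diskNumber -PartitionNumber $partition.PartitionNumber -AccessPath $mountFolder

# 4. Verify: the folder now reports the size of the mounted volume, not of C:.
$partition | Get-Volume | Select-Object FileSystemLabel, FileSystem, Size, SizeRemaining

# 5. A symbolic directory link and a file symbolic link with mklink.exe (a cmd.exe built-in).
#    Creating symbolic links requires an elevated session.
New-Item -ItemType Directory -Path 'C:\Links' -Force | Out-Null
cmd.exe /c mklink /D "C:\Links\System32Link" "C:\Windows\System32"
cmd.exe /c mklink "C:\Links\Paint.exe" "C:\Windows\System32\mspaint.exe"

# Links are reparse points: the listing shows the ReparsePoint attribute, while reading
# through C:\Links\Paint.exe transparently reads mspaint.exe.
Get-ChildItem -Path 'C:\Links' -Force | Select-Object Name, Attributes
```

Note that the demonstration creates Explorer shortcuts (.lnk files), which are ordinary files that Explorer interprets; the mklink.exe links above are file-system reparse points that every application follows, which is the behaviour the Links topic describes.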

Extending and Shrinking Volumes
In versions of Windows prior to Windows Server 2003 or Windows Vista®, you required additional software to shrink or extend a volume on your disk. Since Windows Server 2003 and Windows Vista, this functionality is included in the Windows operating system so you can use the Disk Management snap-in to resize NTFS volumes.

When you want to resize a volume, you must be aware of the following:

• You only have the ability to shrink or extend NTFS volumes. FAT, FAT32 or exFAT volumes cannot be resized.

• You can only extend ReFS volumes, not shrink them.

• To extend a volume, the available disk space must be adjacent to the volume that is extended. If free space is not adjacent to the volume, you will not be able to extend the disk.

• You can extend a volume using free space on the same disk as well as other disks. When you extend a volume with other disks, you create a dynamic disk with a striped volume. In a striped volume, if one disk fails, all data on the volume is lost. Also, a striped volume cannot contain boot or system partitions, thus you cannot extend your boot partitions by using another disk.

• When you want to shrink a partition, immovable files such as page files are not relocated. This means that you cannot reclaim space beyond the location where these files are on the volume. If you have the requirement to shrink a partition more, you need to delete or move the immovable files. For example, you can remove the page file, shrink the volume, and then add the page file back again.

Note: As a best practice for shrinking volumes, you should defragment the files on the volume before you shrink it. This method returns the maximum amount of free disk space. During the defragment process, you can identify any immoveable files.

• If bad clusters are found on the partition, you will not be able to shrink it.

To modify a volume, you can use Disk Management, the Diskpart.exe tool, or the Resize-Partition cmdlet.
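The following is an added example of resizing with the Resize-Partition cmdlet, with the restrictions listed above checked before the resize is attempted. It is not code from the course; the function name Resize-VolumeSafely and its parameters are this example's own. It assumes F: is the NTFS volume and G: the ReFS volume from the lab in this module, and an elevated Windows PowerShell session.

```powershell
# Added example (not from the course text): resize a volume after checking the
# file-system and free-space limits that the Storage module reports.
function Resize-VolumeSafely {
    param(
        [Parameter(Mandatory)][char]$DriveLetter,
        [Parameter(Mandatory)][long]$DeltaBytes   # negative = shrink, positive = extend
    )
    $volume    = Get-Volume -DriveLetter $DriveLetter
    $partition = Get-Partition -DriveLetter $DriveLetter
    $limits    = Get-PartitionSupportedSize -DriveLetter $DriveLetter

    # FAT, FAT32 and exFAT cannot be resized; ReFS can be extended but not shrunk.
    if ($volume.FileSystem -notin 'NTFS', 'ReFS') {
        throw "$($volume.FileSystem) volumes cannot be resized"
    }
    if ($volume.FileSystem -eq 'ReFS' -and $DeltaBytes -lt 0) {
        throw 'ReFS volumes can be extended but not shrunk'
    }

    $target = $partition.Size + $DeltaBytes

    # SizeMin already accounts for immovable files (such as the page file) and bad
    # clusters; SizeMax counts only free space adjacent to this partition.
    if ($target -lt $limits.SizeMin) {
        throw ('Cannot shrink below {0:N0} MB; move or remove immovable files first' -f ($limits.SizeMin / 1MB))
    }
    if ($target -gt $limits.SizeMax) {
        throw ('Only {0:N0} MB of adjacent free space; cannot reach {1:N0} MB' -f
               (($limits.SizeMax - $partition.Size) / 1MB), ($target / 1MB))
    }

    Resize-Partition -DriveLetter $DriveLetter -Size $target
    # Return the new size so the caller can verify it.
    (Get-Partition -DriveLetter $DriveLetter).Size
}

# Exercise 2 of this module's lab, scripted: shrink F: by 1000 MB, extend G: by 1000 MB.
Resize-VolumeSafely -DriveLetter 'F' -DeltaBytes (-1000MB)
Resize-VolumeSafely -DriveLetter 'G' -DeltaBytes 1000MB
```

Run Get-PartitionSupportedSize on its own first if you only want to see how far a volume can shrink; the gap between the current size and SizeMin is the space the immovable files pin down, which is what the defragmentation note above is about.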

Additional Reading: For more information about how to extend a basic volume, see http://technet.microsoft.com/de-de/library/cc771473.

For more information about how to shrink a basic volume, see http://technet.microsoft.com/de-de/library/cc731894.

Lesson 3
Implementing Storage Spaces
Managing physical disks that are attached directly to a server has proven to be a tedious task for administrators. To overcome this problem, many organizations used SANs that essentially grouped physical disks together.

SANs require special configuration, however, and sometimes special hardware, which makes them expensive. To overcome these issues, you can use Storage Spaces, which is a Windows Server 2012 feature that pools disks together and presents them to the operating system as a single disk. This lesson explains how to configure and implement the Storage Spaces feature.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the use of Storage Spaces.

• Describe various options for configuring virtual disks.

• Describe advanced management options for Storage Spaces.

• Configure Storage Spaces.

What Is the Storage Spaces Feature?
Storage Spaces is a storage virtualization capability that is built into Windows Server 2012 and Windows 8. It is a feature that is available for both NTFS and ReFS volumes, that provides redundancy and pooled storage for numerous internal and external drives of differing sizes and interfaces. You can use Storage Spaces to add physical disks of any type and size to a storage pool, and then create highly available virtual disks from it. The primary advantage of Storage Spaces is that you do not manage single disks, but can manage multiple disks as one unit.

To create a highly-available virtual disk, you need the following:

• Disk drive. This is a volume that you can access from your Windows operating system, for example, by using a drive letter.

• Virtual disk (or storage space). This is very similar to a physical disk from the perspective of users and applications. However, virtual disks are more flexible because they include thin provisioning or just-in-time (JIT) allocations, and they include resiliency to physical disk failures with built-in functionality such as mirroring.

• Storage pool. A storage pool is a collection of one or more physical disks that you can use to create virtual disks. You can add to a storage pool any available physical disk that is not formatted or attached to another storage pool.

• Physical disk. Physical disks are disks such as SATA or SAS disks. If you want to add physical disks to a storage pool, the disks need to satisfy the following requirements:

o One physical disk is required to create a storage pool; a minimum of two physical disks is required to create a resilient mirror virtual disk.

o A minimum of three physical disks are required to create a virtual disk with resiliency through parity.

o Three-way mirroring requires at least five physical disks.

o Disks must be blank and unformatted; no volume must exist on them.

o Disks can be attached using a variety of bus interfaces including iSCSI, SAS, SATA, SCSI, and USB. If you want to use failover clustering with storage pools, you cannot use SATA, USB or SCSI disks.

Virtual Disk Configuration Options
You can create virtual disks from storage pools. If your storage pool contains more than one disk, you can also create redundant virtual disks. To configure virtual disks or Storage Spaces in Server Manager or Windows PowerShell, you need to consider the redundancy functionality shown in the following table.

Feature Description

Storage layout This feature defines the number of disks from the storage pool that are
allocated. Valid options include:
• Simple. A simple space has data striping but no redundancy. In data striping,
logically sequential data is segmented across all disks in a way that access to
these sequential segments can be made to different physical storage drives.
Striping makes it possible to access multiple segments of data concurrently.
Do not host important data on a simple volume, because it provides no
failover capabilities when the disk that is storing the data fails.
• Two-way and three-way mirrors. Mirror spaces maintain two or three copies
of the data that they host (two data copies for two-way mirrors and three
data copies for three-way mirrors). Duplication happens with every write to
ensure that all data copies are always current. Mirror spaces also stripe the
data across multiple physical drives. Mirror spaces provide the benefit of
greater data throughput and lower access latency. They also do not introduce
a risk of corrupting at-rest data, and do not require the extra journaling stage
when writing data.
• Parity. A parity space is very similar to a simple space. Data, along with parity
information, is striped across multiple physical drives. Parity enables Storage
Spaces to continue to service read and write requests even when a drive has
failed. Parity is always rotated across available disks to enable I/O
optimization. Storage spaces require a minimum of three physical drives for
parity spaces. Parity spaces have increased resiliency through journaling.

Disk sector size A storage pool’s sector size is set when it is created. If the list of drives being
used contains only 512 and/or 512e drives, then the pool is defaulted to 512e.
If, however, the list contains at least one 4-KB drive, then the pool sector size is
defaulted to 4 KB. Optionally, an administrator can explicitly define the sector
size that all contained spaces in the pool will inherit. After an administrator
defines this, the Windows operating system will only permit you to add drives
that have a compliant sector size, that is: 512 or 512e for a 512e storage pool,
and 512, 512e, or 4 KB for a 4-KB pool.

Drive allocation This defines how the drive is allocated to the pool. Options are:
• Data Store. This is the default allocation when any drive is added to a pool.
Storage spaces can automatically select available capacity on data-store
drives for both storage space creation and JIT allocation.
• Manual. Administrators can choose to specify manual as the usage type for
drives that are added to a pool. A manual drive is not used automatically as
part of a storage space unless it is specifically selected at the creation of that
storage space. This usage property makes it possible for administrators to
specify particular types of drives for use by only certain Storage Spaces.
• Hot Spare. Drives added as Hot-Spares to a pool are reserve drives that are
not used in the creation of a storage space. If a failure occurs on a drive that
is hosting columns of a storage space, a reserve drive is called upon to replace
the failed drive.

Provisioning schemes You can provision a virtual disk by using two different schemes:
• Thin provisioning space. Thin provisioning is a mechanism that allows storage
to be easily allocated on a just-enough and JIT basis. Storage capacity in the
pool is organized into provisioning slabs that are not allocated until the point
in time when datasets grow to require the storage. As opposed to the
traditional fixed storage allocation method—where large pools of storage
capacity are allocated but may remain unused—thin provisioning optimizes
utilization of available storage. Organizations are also able to save on
operating costs such as electricity and floor space that are associated with
keeping unused drives operating. The downside of using thin provisioning is
lower performance of your disks.
• Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also
employ the flexible provisioning slabs. The difference between thin
provisioning and a fixed provisioning space is that the storage capacity in the
fixed provisioning space is allocated at the same time that the space is
created.

Cluster disk requirement Failover clustering prevents interruption to workloads or data in the event of a
machine failure. For a pool to support failover clustering, all assigned drives
must support a multi-initiator protocol, such as SAS.

Note: You can use Storage Spaces to create both thin and fixed provisioning virtual disks
within the same storage pool. Having both provisioned types in the same storage pool is
convenient, particularly when they are related to the same workload. For example, you can
choose to have a thin provisioning space to host a database and a fixed provisioning space to
host its log.

Question: What do you call a virtual disk that is larger than the amount of disk space available on the physical disks portion of the storage pool?

Advanced Management Options for Storage Spaces
Server Manager provides you with basic management of virtual disks and storage pools. In Server Manager, you can create storage pools, add to and remove physical disks from pools, and create, manage, and delete virtual disks. For example, in Server Manager you can view the physical disks that are attached to a virtual disk, and Server Manager will display if any of these disks are unhealthy.

Failed disks in a virtual disk or storage pool are corrected by removing the disk that is causing the problem. Tools such as defragmenting, scan disk, or chkdsk do not apply for repairing a storage pool. To replace a failed disk, you add a new disk to the pool. The new disk will automatically resynchronize when disk maintenance occurs. This will occur during daily maintenance, or you can trigger it manually.

Windows PowerShell® provides advanced management options for virtual disks and storage pools. Some examples of the command-line interfaces are listed in the following table.

Windows PowerShell cmdlet                                      Description

Get-StoragePool                                                Lists storage pools

Get-VirtualDisk                                                Lists virtual disks

Repair-VirtualDisk                                             Repairs a Virtual Disk

Get-PhysicalDisk | Where{$_.HealthStatus -ne "Healthy"}        Lists unhealthy physical disks

Reset-PhysicalDisk                                             Removes a physical disk from a storage pool

Get-VirtualDisk | Get-PhysicalDisk                             Lists physical disks that are used for a virtual disk

Additional Reading: To learn more about storage cmdlets in Windows PowerShell, see http://technet.microsoft.com/en-us/library/hh848705.aspx.

Demonstration: Configuring Storage Spaces
In this demonstration, you will see how to create a storage pool, a simple virtual disk, and a volume.

Demonstration Steps

Create a storage pool
1. On LON-SVR1, in Server Manager, access File and Storage Services and Storage Pools.

2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and add all of the
available disks.

Create a simple virtual disk and a volume


1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:

o Storage pool: StoragePool1

o Disk name: Simple vDisk

o Storage layout: Simple

o Provisioning type: Thin

o Size: 2 GB

2. On the View results page, wait until the creation is completed, make sure the Create a volume
when this wizard closes check box is selected.

3. In the New Volume Wizard, create a volume with these settings:

o Virtual disk: Simple vDisk

o File system: ReFS


o Volume label: Simple Volume
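A scripted version of this demonstration, added here as an example and not part of the course text or Microsoft's lab scripts. Beyond the demonstration itself, it applies the minimum physical disk counts from the topic "What Is the Storage Spaces Feature?" and the storage layout, provisioning type and hot spare options from the virtual disk configuration table. The function name New-PooledVolume and its parameters are this example's own. It assumes an elevated session on LON-SVR1, at least one pool-capable (blank, unformatted) disk, and the Storage Spaces subsystem name that Windows Server 2012 uses ("Storage Spaces on <server>").

```powershell
# Added example (not from the course text): create a storage pool, a virtual disk
# and a volume with the Windows Server 2012 Storage module cmdlets.
function New-PooledVolume {
    param(
        [string]$PoolName = 'StoragePool1',
        [string]$DiskName = 'Simple vDisk',
        [ValidateSet('Simple', 'Mirror', 'Parity')][string]$Layout = 'Simple',
        [ValidateSet(2, 3)][int]$DataCopies = 2,             # used only when Layout is Mirror
        [ValidateSet('Thin', 'Fixed')][string]$Provisioning = 'Thin',
        [uint64]$Size = 2GB,
        [ValidateSet('NTFS', 'ReFS')][string]$FileSystem = 'ReFS',
        [string]$Label = 'Simple Volume',
        [string]$SpareDiskName                               # FriendlyName of a disk to reserve as hot spare
    )

    # Minimum physical disks per layout, as stated in the lesson text.
    $minDisks = switch ($Layout) {
        'Simple' { 1 }
        'Mirror' { if ($DataCopies -eq 3) { 5 } else { 2 } }
        'Parity' { 3 }
    }

    # Only blank, unformatted disks that are not already in a pool can be pooled.
    $poolable = @(Get-PhysicalDisk -CanPool $true)
    if ($poolable.Count -lt $minDisks) {
        throw "$Layout ($DataCopies copies) needs $minDisks disks; only $($poolable.Count) can be pooled"
    }

    # Subsystem name assumed for Windows Server 2012 ("Storage Spaces on <server>").
    $subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
                    -PhysicalDisks $poolable | Out-Null

    # A hot spare is a pooled disk whose Usage is HotSpare; it holds no columns until a disk fails.
    if ($SpareDiskName) {
        Set-PhysicalDisk -FriendlyName $SpareDiskName -Usage HotSpare
    }

    $vdParams = @{
        StoragePoolFriendlyName = $PoolName
        FriendlyName            = $DiskName
        ResiliencySettingName   = $Layout
        ProvisioningType        = $Provisioning
        Size                    = $Size
    }
    if ($Layout -eq 'Mirror') { $vdParams.NumberOfDataCopies = $DataCopies }
    $vdisk = New-VirtualDisk @vdParams

    # What the New Volume Wizard does behind the scenes: online, initialize, partition, format.
    $disk = $vdisk | Get-Disk
    if ($disk.IsOffline) { Set-Disk -Number $disk.Number -IsOffline $false }
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -Partition $partition -FileSystem $FileSystem -NewFileSystemLabel $Label -Confirm:$false
}

# The demonstration: StoragePool1, a thin 2 GB simple space, formatted ReFS as "Simple Volume".
New-PooledVolume

# The lab's Exercise 3 (five disks, three-way mirror, thin, 10 GB) would be:
# New-PooledVolume -DiskName 'Mirrored Disk' -Layout Mirror -DataCopies 3 -Size 10GB -Label 'Mirrored Volume'
```

The disk-count check runs before anything is created, so a pool is never left behind with a virtual disk that the layout cannot support; Server Manager enforces the same limits by greying out layouts in the wizard.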

Lab: Implementing Local Storage


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London,
England. An IT office and a data center are located in London to support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. One of your first assignments is configuring the infrastructure
service for a new branch office.

Your manager has asked you to add disk space to a file server. After creating volumes, your manager has also
asked you to resize those volumes based on updated information he has been given. Finally, you need to
make data storage redundant by creating a 3-way mirrored virtual disk.

Objectives
After completing this lab, you will be able to:

• Install and configure a new disk.

• Resize volumes.

• Configure a storage pool.

• Configure a redundant storage space.

Lab Setup
Estimated time: 30 minutes

Virtual Machines 20410A-LON-DC1


20410A-LON-SVR1

User Name Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

2. In the Actions pane, click Connect. Wait until the virtual machine starts.

3. Log on using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

4. Repeat steps 1 to 3 for 20410A-LON-SVR1.



Exercise 1: Installing and Configuring a New Disk


Scenario
The file server in your branch office is low on disk space. You need to add a new disk to the server and
create volumes based on specifications provided by your manager.

The main tasks for this exercise are as follows:

1. Initialize a new disk.

2. Create and format two simple volumes on the disk.


3. Verify the drive letter in a Windows® Explorer window.

X Task 1: Initialize a new disk


1. Log on to LON-SVR1 with username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, open Computer Management, and then access Disk Management.
3. Initialize Disk 2 and configure it to use GPT (GUID Partition Table).

X Task 2: Create and format two simple volumes on the disk


1. In the Computer Management console, on Disk 2, create a Simple Volume with the following
attributes:

o Volume size: 4000 MB

o Drive Letter: F

o File system: NTFS

o Volume label: Volume1

2. In the Computer Management console, on Disk 2, create a Simple Volume with the following
attributes:
o Volume size: 5000 MB

o Drive Letter: G

o File system: ReFS


o Volume label: Volume2

X Task 3: Verify the drive letter in a Windows® Explorer window


1. Use Windows Explorer to make sure you can access the following volumes:

o Volume1 (F:)
o Volume2 (G:)

2. On Volume2 (G:), create a folder named Folder1.

Results: After you complete this lab, you should have initialized a new disk, created two simple volumes,
and formatted them. You should also have verified that the drive letters are available in Windows
Explorer.

Exercise 2: Resizing Volumes


Scenario
After installing the new disk in your file server, you are contacted by your manager who indicates that the
information he gave you was incorrect. He now needs you to resize the volumes without losing any data.

The main tasks for this exercise are as follows:

1. Shrink Volume1.

2. Extend Volume2.

X Task 1: Shrink Volume1


• Use Disk Management to shrink Volume1 (F:) by 1000 MB.

X Task 2: Extend Volume2


1. Use Disk Management to extend Volume2 (G:) by 1000 MB.

2. Use Windows Explorer to verify that the folder Folder1 is still on drive G.

Results: After this lab, you should have made one volume smaller, and extended another.

Exercise 3: Configuring a Redundant Storage Space


Scenario
Your server does not have a hardware-based RAID card, but you have been asked to configure redundant
storage. To support this feature, you need to create a storage pool.

After creating the storage pool, you will also need to create a redundant virtual disk. As the data is critical,
the request for redundant storage specifies that you need to use a three-way mirrored volume. Shortly
after the volume is in use, a disk fails and you have to add another disk to the storage pool to replace it.
The main tasks for this exercise are as follows:

1. Create a storage pool from five disks that are attached to the server.

2. Create a three-way mirrored virtual disk.


3. Copy a file to the volume, and verify that it is visible in Windows Explorer.

4. Remove a physical drive.

5. Verify that the mspaint.exe file is still accessible.

6. Add a new disk to the storage pool.

7. To prepare for the next module.

X Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, open Server Manager.

2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.

3. Create a storage pool with the following settings:

o Name: StoragePool1

o PhysicalDisk3

o PhysicalDisk4

o PhysicalDisk5

o PhysicalDisk6

o PhysicalDisk7

X Task 2: Create a three-way mirrored virtual disk


1. On LON-SVR1, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with the following
settings:

o Storage pool: StoragePool1

o Name: Mirrored Disk

o Storage Layout: Mirror


o Resiliency settings: Three-way mirror

o Provisioning type: Thin

o Virtual disk size: 10 GB

2. In the New Volume Wizard, create a volume with the following settings:

o Virtual disk: Mirrored Disk

o Drive letter: H
o File system: ReFS

o Volume label: Mirrored Volume

X Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. On the Start screen, type command prompt, and then press Enter.
2. Type the following command:

Copy C:\windows\system32\mspaint.exe H:\

3. Open Windows Explorer from the taskbar, and access Mirrored Volume (H:). You should now see
mspaint.exe in the file list.

X Task 4: Remove a physical drive


• On Host machine, in Hyper-V Manager, in the Virtual Machines pane, change 20410A-LON-SVR1
settings to the following:

o Remove Hard Drive 20410A-LON-SVR1-Disk5.vhdx.

X Task 5: Verify that the mspaint.exe file is still accessible


1. Switch to LON-SVR1.

2. Use Windows Explorer and browse to H:\mspaint.exe to ensure access to the file is still available.

3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that displays next to Mirrored Disk.

4. Open Mirrored Disk Properties, and access the Health pane.


Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete
or Degraded.

X Task 6: Add a new disk to the storage pool


1. Switch to LON-SVR1.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button.

3. In the STORAGE POOLS pane, right-click StoragePool1, click Add Physical Disk, and then click
PhysicalDisk8 (LON-SVR1).

Results: After completing this lab, you should have created a storage pool and added five disks to it. Then
you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You
should have also copied a file to the new volume and verified that it is accessible. Next, you should have
verified that the virtual disk was still available and could be accessed after removing a physical drive.
Finally, you should have added another physical disk to the storage pool.
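The checks and repair behind Tasks 4 to 6 of this exercise, done with the cmdlets from the table in "Advanced Management Options for Storage Spaces". This is an added example, not part of the course text or Microsoft's lab scripts; the function names Get-StorageHealthReport and Repair-PoolAfterDiskLoss are this example's own. It assumes the pool StoragePool1 and the virtual disk "Mirrored Disk" from this lab, that PhysicalDisk8 is the blank replacement disk, and an elevated session on LON-SVR1.

```powershell
# Added example (not from the course text): report pool health after a disk is lost,
# then add a replacement disk, retire and remove the lost disk, and trigger the repair.
function Get-StorageHealthReport {
    param([string]$PoolName = 'StoragePool1')
    $pool = Get-StoragePool -FriendlyName $PoolName
    [pscustomobject]@{
        Pool           = $pool.FriendlyName
        PoolHealth     = $pool.HealthStatus
        # Expect HealthStatus Warning and OperationalStatus Incomplete or Degraded after Task 4.
        VirtualDisks   = $pool | Get-VirtualDisk |
                         Select-Object FriendlyName, HealthStatus, OperationalStatus
        # Same filter as the cmdlet table: anything whose HealthStatus is not Healthy.
        UnhealthyDisks = $pool | Get-PhysicalDisk | Where-Object { $_.HealthStatus -ne 'Healthy' } |
                         Select-Object FriendlyName, HealthStatus, OperationalStatus, Usage
    }
}

function Repair-PoolAfterDiskLoss {
    param(
        [string]$PoolName = 'StoragePool1',
        [Parameter(Mandatory)][string]$ReplacementDiskName
    )
    # 1. Add the blank replacement disk to the pool (Task 6 in Server Manager).
    $newDisk = Get-PhysicalDisk -FriendlyName $ReplacementDiskName
    if (-not $newDisk.CanPool) {
        throw "$ReplacementDiskName cannot be pooled (formatted, or already in a pool?)"
    }
    Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $newDisk

    # 2. Retire the disk that no longer responds so that no new data is placed on it.
    $lost = Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
            Where-Object { $_.OperationalStatus -ne 'OK' }
    $lost | Set-PhysicalDisk -Usage Retired

    # 3. Rebuild the missing copies onto the new disk now instead of waiting for the
    #    daily maintenance resynchronization mentioned in the lesson.
    Get-StoragePool -FriendlyName $PoolName | Get-VirtualDisk | Repair-VirtualDisk

    # 4. Once the copies are rebuilt, the lost disk can leave the pool.
    foreach ($d in $lost) {
        Remove-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $d -Confirm:$false
    }

    Get-StorageHealthReport -PoolName $PoolName
}

# After Task 4 (the VHDX removed in Hyper-V Manager):
Get-StorageHealthReport

# Tasks 5 and 6, followed by the repair:
Repair-PoolAfterDiskLoss -ReplacementDiskName 'PhysicalDisk8'
```

The order matters: the replacement is added and the repair started before the lost disk is removed, so the three-way mirror is never asked to drop below the copies it still has. Remove-PhysicalDisk, not Reset-PhysicalDisk, is the cmdlet that takes a disk out of a pool; Reset-PhysicalDisk resets a disk's pool membership data so it can be reused.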

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1.



Module Review and Takeaways


Review Questions
Question: Your current volume runs out of disk space. You have another disk available in the
same server. What actions in Windows can you perform to help you add disk space?

Question: What are the two different types of disks in Disk Management?

Question: What are the most important implementations of RAID?

Question: You attach five 2 TB disks to your Windows Server 2012 computer. You want to
manage them almost automatically, and if one disk fails, you want to make sure the data is
not lost. What feature can you implement to accomplish this?

Best Practices
The following are recommended best practices:

• If you want to shrink a volume, defragment the volume first so you can reclaim more space from the
volume.

• Use the GPT partition table format for disks larger than 2 TB.

• For very large volumes, use ReFS.

• Do not use FAT or FAT32 on Windows Server disks.


• Use the Storage Spaces feature to let the Windows operating system manage your disks.

Tools

Disk Management: Initialize disks; create and modify volumes. Where to find it: in Server Manager, on the Tools menu (part of Computer Management).

Diskpart.exe: Initialize disks; create and modify volumes from a command prompt. Where to find it: command prompt.

Mklink.exe: Create a symbolic link to a file or folder. Where to find it: command prompt.

Chkdsk.exe: Check an NTFS-formatted volume for disk errors. Cannot be used for ReFS or Virtual Disks. Where to find it: command prompt.

Defrag.exe: Disk defragmentation tool for NTFS-formatted volumes. Cannot be used for ReFS or Virtual Disks. Where to find it: command prompt.
10-1

Module 10
Implementing File and Print Services
Contents:
Module Overview 10-1

Lesson 1: Securing Files and Folders 10-2

Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15

Lesson 3: Configuring Network Printing 10-18

Lab: Implementing File and Print Services 10-23

Module Review and Takeaways 10-28

Module Overview
Accessing files and printers on the network is one of the most common activities in the Windows Server®
environment. Reliable, secure access to files, folders, and print resources is often the first requirement
of a Windows Server 2012-based network. To provide access to file and print resources on your network,
you must understand how to configure these resources within Windows Server 2012, and how to
configure appropriate access to the resources for users in your environment.

This module discusses how to provide these important file and print resources from Windows Server 2012.
You will learn how to enable and configure file and print services in Windows Server 2012, and you will
learn important considerations and best practices for working with file and print services.

Objectives
After completing this module, you will be able to:

• Secure shared files and folders.

• Protect shared files and folders by using shadow copies.

• Configure network printing.


Lesson 1
Securing Files and Folders
The files and folders that your servers store typically contain your organization's business and functional data. Providing appropriate access to these files and folders, usually over the network, is an important part of managing file and print services in Windows Server 2012.

This lesson gives you information necessary to secure files and folders on your Windows Server 2012 servers, so that your organization's data is available and protected.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain NTFS file system permissions.

• Describe a shared folder.

• Explain permissions inheritance.

• Explain how effective permissions work when you access shared folders.

• Explain access-based enumeration.

• Describe Offline Files.

• Create and configure a shared folder.

What Are NTFS Permissions?
NTFS permissions are assigned to files or folders on a storage drive that is formatted with NTFS. The permissions that you assign to NTFS files and folders govern user access to these files and folders.

The following points describe the key aspects of NTFS permissions:

• NTFS permissions can be assigned to an individual file or folder, or to sets of files or folders.

• NTFS permissions can be assigned individually to objects that include users, groups, and computers.

• NTFS permissions are controlled by denying or granting specific types of NTFS file and folder access, such as read or write.

• NTFS permissions can be inherited from parent folders. By default, the NTFS permissions that are assigned to a folder are also assigned to newly created folders or files within that parent folder.

NTFS Permission Types
There are two assignable NTFS permissions categories: standard, and advanced.

Standard Permissions
Standard permissions provide the most commonly used permission settings for files and folders. You assign standard permissions in the main NTFS Permissions Assignment window.

The following table details the standard permissions options for NTFS files and folders.

Full Control: Grants the user complete control of the file or folder, including control of permissions.

Modify: Grants the user permission to read, write, or delete a file or folder, including creating a file or folder.

Read and Execute: Grants the user permission to read a file and start programs.

Read: Grants the user permission to see file or folder content and start programs.

Write: Grants the user permission to write to a file.

List folder contents (folders only): Grants the user permission to view a list of the folder's contents.

Note: Granting users Full Control permissions on a file or a folder gives them the ability to
perform any file system operation on the object, and the ability to change permissions on the
object. They can also remove permissions on the resource for any or all users, including you.

Advanced Permissions
Advanced permissions can provide a much greater level of control over NTFS files and folders. Advanced
permissions are accessible by clicking the Advanced button, and then accessing the Security tab of a file
or folder’s Properties sheet.

The following table details the Advanced permissions for NTFS files and folders.

Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. This permission grants or denies the user's ability to browse through folders to reach other files or folders, even if the user has no permissions for the traversed folders. The Traverse Folder permission takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right is assigned in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. The Execute File permission grants or denies the ability to run program files. If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

List Folder/Read Data: The List Folder permission grants the user permission to view file names and subfolder names. The List Folder permission applies only to folders and affects only the contents of that folder; it does not affect whether the folder on which you set the permission is itself listed. In addition, this setting has no effect on viewing the file structure from a command-line interface. The Read Data permission grants or denies the user permission to view data in files. The Read Data permission applies only to files.

Read Attributes: The Read Attributes permission grants the user permission to view the basic attributes of a file or a folder, such as the read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes: The Read Extended Attributes permission grants the user permission to view the extended attributes of a file or folder. Extended attributes are defined by applications, and can vary by application.

Create Files/Write Data: The Create Files permission applies only to folders, and grants the user permission to create files in the folder. The Write Data permission grants the user permission to make changes to the file and overwrite existing content. The Write Data permission applies only to files.

Create Folders/Append Data: The Create Folders permission grants the user permission to create folders in the folder. The Create Folders permission applies only to folders. The Append Data permission grants the user permission to make changes to the end of the file, but not to delete or overwrite existing data. The Append Data permission applies only to files.

Write Attributes: The Write Attributes permission grants the user permission to change the basic attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.

Write Extended Attributes: The Write Extended Attributes permission grants the user permission to change the extended attributes of a file or folder. Extended attributes are defined by programs, and can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.

Delete Subfolders and Files: The Delete Subfolders and Files permission grants the user permission to delete subfolders and files, even if the Delete permission is not granted on the subfolder or file. The Delete Subfolders and Files permission applies only to folders.

Delete: The Delete permission grants the user permission to delete the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted Delete Subfolders and Files permission on the parent folder.

Read Permissions: Read Permissions grants the user permission to read the permissions on the file or folder, such as Full Control, Read, and Write.

Change Permissions: Change Permissions grants the user permission to change permissions on the file or folder, such as Full Control, Read, and Write.

Take Ownership: The Take Ownership permission grants the user permission to take ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize: The Synchronize permission allows different threads to wait on the handle for the file or folder, and then synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs.

Note: Standard permissions are combinations of several individual Advanced permissions
that are grouped into common file and folder usage scenarios.

NTFS Permissions Examples


The following are basic examples of assigning NTFS permissions.

Example 1
For the Marketing Pictures folder, an administrator has chosen to assign Adam Carter Allow permissions
for the Read permission type. Under default NTFS permissions behavior, Adam Carter will have Read
access to the files and folders that are contained in the Marketing Pictures folder.

Example 2
When applying NTFS permissions, the results are cumulative. For example, let us carry on with the given
example and say that Adam Carter is also a part of the Marketing group. The Marketing group has been
given Write permissions on the Marketing Pictures folder. When we combine the permissions assigned to
Adam Carter’s user account with the permissions assigned to the Marketing group, Adam would have
both Read and Write permissions for the Marketing Pictures folder.

Important Rules for NTFS Permissions


There are two groupings of NTFS permissions:

• Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a
file or a folder take precedence over those that are inherited from a parent folder.

• Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any
Deny permissions that exist override conflicting Allow permissions within the group.

Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny

2. Explicit Allow

3. Inherited Deny

4. Inherited Allow

It is important to remember that NTFS permissions are cumulative, and these rules apply only when two
NTFS permission settings conflict with each other.

Note: Permissions inheritance is discussed in more detail later in this lesson.


How to Configure NTFS Permissions
You can view and configure NTFS permissions by following these steps:
1. Right-click the file or folder for which you want to assign permissions, and then click Properties.

2. In the Properties window, click the Security tab. In this tab, you can select the current users or groups that have been assigned permissions to view the specific permissions assigned to each principal.

3. To open an editable permissions dialog box so that you can modify existing permissions or add new users or groups, click the Edit button.

What Are Shared Folders?
Shared folders are a key component to granting access to files on your server from the network. When you share a folder, the folder and all of its contents are made available to multiple users simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS permissions, which apply to the folder's contents. These permissions are used to provide an extra level of security for files and folders that are made available on the network.

Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder, and shared files for the Marketing department in another.

Note: The sharing process applies only to the folder level. You cannot share an individual file or a group of files.

Accessing a Shared Folder
Users typically access a shared folder over the network by using its Universal Naming Convention (UNC) address. The UNC address contains the name of the server on which the folder is hosted, and the actual shared folder name, separated by a backward slash (\) and preceded by two backward slashes (\\). For example, the UNC path for the Sales shared folder on the LON-SVR1 server would be \\LON-SVR1\Sales.

Sharing a Folder on the Network
Windows Server 2012 provides different ways to share a folder:

• Select the appropriate drive, and then in the File and Storage Services section in Server Manager, select the New Share task.

• Use the File Sharing Wizard, either from the folder's right-click menu, or by clicking the Share button on the Sharing tab of the folder's Properties window.

• Use Advanced Sharing by clicking the Advanced Sharing button on the Sharing tab of the folder's Properties window.

• Use the Netsh command-line tool from a command-line window.

Note: When sharing a folder, you will be asked to give the shared folder a name. This name
does not have to be the same name as the actual folder. It can be a descriptive name that better
describes the folder contents to network users.

Administrative Shares
You can create administrative (or hidden) shared folders that need to be available from the network, but
should be hidden from users browsing the network. You can access an administrative shared folder by
typing in its UNC path, but the folder will not display if you browse the server by using a Windows®
Explorer window. Administrative shared folders also typically have a more restrictive set of permissions
assigned to the shared folder to reflect the administrative nature of the folder’s contents.

To hide a shared folder, append the dollar symbol ($) to the folder’s name. For example, a shared folder
on LON-SVR1 named Sales can be made into a hidden shared folder by naming it Sales$. The shared
folder is accessible over the network by using the UNC path \\LON-SVR1\Sales$.

Note: Shared folder permissions apply only to users who access the folder over the
network. They do not affect users who access the folder locally on the computer where the folder
is stored.

Shared Folder Permissions

Just like NTFS permissions, you can assign shared folder permissions to users, groups, or computers.
However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or
folders within the shared folder. Shared folder permissions are set once for the shared folder itself, and
apply universally to the entire contents of the shared folder for users who access the folder over the
network.

When you create a shared folder, the default assigned shared permission for the Everyone group is set to
Read.

The following table lists the permissions that you can grant to a shared folder.

Read: Users can view folder and file names, view file data and attributes, run program files and scripts, and navigate the folder structure within the shared folder.

Change: Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.

Full Control: Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

Note: When you assign Full Control permissions on a shared folder to a user, that user can
modify permissions on the shared folder, which includes removing all users, including you, from
the shared folder's permissions list. In most cases, you should grant the Change permission instead of
the Full Control permission.
Permissions Inheritance
By default, NTFS and shared folders use inheritance to propagate permissions throughout a folder structure. When you create a file or a folder, it is automatically assigned the permissions that are set on any folders that exist above it (parent folders) in the hierarchy of the folder structure.

How Inheritance Is Applied
Consider the following example structure:

Adam Carter is a member of the Marketing group and the New York Editors group.

Folder or File                 Assigned Permissions         Adam's Permissions
Marketing (folder)             Read – Marketing             Read
Marketing Pictures (folder)    None set                     Read (inherited)
New York (folder)              Write – New York Editors     Read (i) + Write
Fall_Composite.jpg (file)      None set                     Read (i) + Write (i)

In this example, Adam is a member of two groups that are assigned permissions for files or folders within the folder structure. They are as follows:

• The top-level folder, Marketing, has an assigned permission for the Marketing group giving them Read access.

• In the next level, the Marketing Pictures folder has no explicit permissions set, but because of permissions inheritance, Adam has Read access to this folder and its contents from the permissions that are set on the Marketing folder.

• In the third level, the New York folder has Write permissions assigned to one of Adam's groups, New York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits the Read permission from the Marketing folder. These permissions pass down to file and folder objects, cumulating with any explicit Read and Write permissions set on those files.

• The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been set for this file, Adam has both Read and Write access to the file due to the inherited permissions from both the Marketing folder and the New York folder.

Permission Conflicts
Sometimes, explicitly set permissions on a file or folder will conflict with permissions inherited from a parent folder. In these cases, the explicitly assigned permissions always override the inherited permissions. In the given example, if Adam Carter was denied Write access to the parent Marketing folder, but then explicitly granted Write access to the New York folder, the granted Write access permissions would take precedence over the inherited deny Write access permission.
Blocking Inheritance
You can also disable the inheritance behavior for a file or a folder (and its contents) on an NTFS drive to explicitly define a set of permissions for a set of objects without including any of the inherited permissions from any parent folders. Windows Server 2012 provides an option for blocking inheritance on a file or a folder. To block inheritance on a file or folder, complete the following steps:

• Right-click the file or folder where you want to block inheritance, and then click Properties.

• In the Properties window, click the Security tab, and then click the Advanced button.

• In the Advanced Security Settings window, click the Change Permissions button.

• In the next Advanced Security Settings window, click the Disable inheritance button.

At this point, you are prompted to either convert the inherited permissions into explicit permissions or remove all inherited permissions from the object to start with a blank permissions slate.

Resetting Default Inheritance Behavior
After you block inheritance, changes made to permissions on the parent folder structure no longer have an effect on the permissions for the child object (and its contents) that has blocked inheritance, unless you reset that behavior from one of the parent folders by selecting the Replace all child objects with inheritable permissions from this object check box. When you select this check box, the existing set of permissions on the current folder are propagated down to all child objects in the tree structure, and override all explicitly assigned permissions for those files and folders. This check box is located directly under the Include inheritable permissions from this object's parent check box.

Effective Permissions
Access to a file or folder in Windows Server 2012 is granted based on a combination of permissions. When a user attempts to access a file or folder, the permission that applies is dependent on various factors, including:

• Explicitly defined and inherited permissions that apply to the user.

• Explicitly defined and inherited permissions that apply to the groups to which the user belongs.

• How the user is accessing the file or folders: locally, or over the network.

Effective NTFS permissions are the cumulative permissions that are assigned to a user for a file or folder based on the factors listed above. The following principles determine effective NTFS permissions:

• Cumulative permissions are the combination of the highest NTFS permissions granted to the user and to all the groups of which the user is a member. For example, if a user is a member of a group that has Read permission and is a member of a group that has Modify permission, the user is assigned cumulative Modify permissions.

• Deny permissions override equivalent Allow permissions. However, an explicit Allow permission can override an inherited Deny permission. For example, if a user is denied Write access to a folder via an inherited Deny permission, but is explicitly granted Write access to a subfolder or a particular file, the explicit Allow overrides the inherited Deny for the particular subfolder or file.

• You can apply permissions to a user or to a group. Assigning permissions to groups is preferred
because they are more efficient than managing permissions that are set for many individuals.

• NTFS file permissions take priority over folder permissions. For example, if a user has Read permission
to a folder, but has been granted Modify permission to certain files in that folder, the effective
permission for those files will be set to Modify.

• Every object in an NTFS drive or in Active Directory® Domain Services (AD DS) is owned. The owner
controls how permissions are set on the object and to whom permissions are granted. For example, a
user who creates a file in a folder where they have Modify permissions can change the permissions on
the file to Full Control.

Effective Permissions Tool


Windows Server 2012 provides an Effective Permissions tool that shows the effective NTFS permissions on
a file or folder for a user, based on permissions assigned to the user account and to the groups that the user
account belongs to. You can access the Effective Permissions tool by using the following steps:

1. Right-click the file or folder for which you want to analyze permissions, and then click Properties.

2. In the Properties window, click the Advanced button.

3. In the Advanced Security Settings window, click the Effective Permissions tab.

4. Choose a user or group to evaluate by using the Select button.

Combining NTFS Permissions and Shared Folder Permissions


NTFS permissions and shared folder permissions work together to control access to file and folder
resources that are accessed from a network. When you configure access to network resources on an NTFS
drive, use the most restrictive NTFS permissions to control access to folders and files, and combine them
with the most restrictive shared folder permissions to control access to the network.

How Combining NTFS and Shared Folder Permissions Works


When you apply both NTFS and shared folder permissions, remember that the more restrictive of the two
permissions dictates the access that a user will have to a file or folder. The following two examples
explain this further:
• If you set the NTFS permissions on a folder to Full Control, but you set the shared folder permissions
to Read, then that user has only Read permission when accessing the folder over the network. Access
is restricted at the shared folder level, and any greater access at the NTFS permissions level does not
apply.

• Likewise, if you set the shared folder permission to Full Control, and you set the NTFS permissions to
Write, then the user will have no restrictions at the shared folder level, but the NTFS permissions on
the folder will grant only Write permissions to that folder.

The user must have appropriate permissions on both the NTFS file or folder and the shared folder. If no
permissions exist for the user (either as an individual or as the member of a group) on either resource,
access is denied.
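The inheritance walk-through (Adam Carter and the Marketing tree), the conflict and blocking-inheritance rules, and the "more restrictive of NTFS and share permissions" rule from this lesson, as an added Python model that is not part of the course material: the Ace and Node classes are this model's own assumptions rather than a Windows API, and the sample tree is the lesson's. It goes one step beyond the lesson's four-level list by examining inherited entries from a nearer parent before those from a more distant one, which is how Windows orders a canonical DACL.

```python
"""Model of the NTFS and shared-folder permission rules in this lesson.
Added example, not Microsoft course material: the Ace and Node classes
are this model's assumptions, not a Windows API; names are the lesson's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Standard permissions modelled as the basic operations they grant.
NTFS_RIGHTS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
SHARE_RIGHTS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}

@dataclass
class Ace:
    principal: str   # user or group the entry applies to
    kind: str        # "Allow" or "Deny"
    permission: str  # key into NTFS_RIGHTS or SHARE_RIGHTS

@dataclass
class Node:
    name: str
    aces: List[Ace] = field(default_factory=list)
    parent: Optional["Node"] = None
    inherit: bool = True  # False models "Disable inheritance"

def ordered_aces(node: Node) -> List[Tuple[Ace, int]]:
    """(ace, distance) pairs in evaluation order: the object's own entries
    (distance 0), then parent, grandparent, ... until inheritance is blocked."""
    out = [(a, 0) for a in node.aces]
    cur, distance = node, 0
    while cur.inherit and cur.parent is not None:
        cur, distance = cur.parent, distance + 1
        out.extend((a, distance) for a in cur.aces)
    return out

def effective_ntfs(node: Node, user: str, groups: Set[str]) -> Set[str]:
    """Cumulative operations granted to user on node. Per operation the first
    matching entry decides, in the lesson's order: explicit Deny, explicit
    Allow, inherited Deny, inherited Allow. Among inherited entries a nearer
    parent is examined before a more distant one, as in a canonical DACL."""
    principals = {user, "Everyone"} | groups  # every user is in Everyone
    decided: Dict[str, Tuple[Tuple[int, int], str]] = {}
    for ace, distance in ordered_aces(node):
        if ace.principal not in principals:
            continue
        rank = (distance, 0 if ace.kind == "Deny" else 1)  # lower rank wins
        for op in NTFS_RIGHTS[ace.permission]:
            if op not in decided or rank < decided[op][0]:
                decided[op] = (rank, ace.kind)
    return {op for op, (_, kind) in decided.items() if kind == "Allow"}

def effective_over_network(node: Node, user: str, groups: Set[str],
                           share_aces: List[Ace]) -> Set[str]:
    """Network access is the more restrictive of the two permission sets:
    what NTFS grants intersected with what the share grants."""
    principals = {user, "Everyone"} | groups
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in share_aces:
        if ace.principal in principals:
            target = denied if ace.kind == "Deny" else allowed
            target.update(SHARE_RIGHTS[ace.permission])
    return effective_ntfs(node, user, groups) & (allowed - denied)

ADAM = "Adam Carter"
ADAM_GROUPS = {"Marketing", "New York Editors"}

def lesson_tree() -> Dict[str, Node]:
    """The four-level structure from 'How Inheritance Is Applied'."""
    marketing = Node("Marketing", [Ace("Marketing", "Allow", "Read")])
    pictures = Node("Marketing Pictures", parent=marketing)
    new_york = Node("New York", [Ace("New York Editors", "Allow", "Write")],
                    parent=pictures)
    photo = Node("Fall_Composite.jpg", parent=new_york)
    return {n.name: n for n in (marketing, pictures, new_york, photo)}

def conflict_tree() -> Dict[str, Node]:
    """'Permission Conflicts' variant: Adam is explicitly denied Write on
    Marketing but explicitly allowed Write on New York."""
    tree = lesson_tree()
    tree["Marketing"].aces.append(Ace(ADAM, "Deny", "Write"))
    tree["New York"].aces.append(Ace(ADAM, "Allow", "Write"))
    return tree

if __name__ == "__main__":
    for name, node in lesson_tree().items():
        print(f"{name:28}{sorted(effective_ntfs(node, ADAM, ADAM_GROUPS))}")
    sales = Node("Sales", [Ace("Everyone", "Allow", "Full Control")])
    share = [Ace("Everyone", "Allow", "Read")]  # default share permission
    print(sorted(effective_over_network(sales, ADAM, set(), share)))
```

Setting `inherit=False` on Marketing Pictures reproduces the "Disable inheritance" case: Fall_Composite.jpg then keeps only the Write inherited from New York, because the Read from Marketing no longer flows past the blocked folder.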

Considerations for Combined NTFS and Shared Folder Permissions


The following are several considerations that make administering permissions more manageable:

• Grant permissions to groups instead of users. Groups can always have individuals added or deleted,
while permissions on a case-by-case basis are difficult to track and cumbersome to manage.

• Use Deny permissions only when necessary. Because Deny permissions are inherited, assigning deny
permissions to a folder can result in users not being able to access files further down in the folder
structure tree. You should assign Deny permissions only in the following situations:
    o To exclude a subset of a group that has Allow permissions

    o To exclude one specific permission when you have granted Full Control permissions to a user or a group

• Never deny the Everyone group access to an object. If you deny everyone access to an object, you deny Administrators access, including yourself. Instead, remove the Everyone group from the permissions list, as long as you grant permissions for the object to other users, groups, or computers.

• Grant permissions to an object that is as high in the folder structure as possible, so that the security settings are propagated throughout the tree. For example, instead of bringing groups representing all departments of the company together into a Read folder, assign Domain Users (which is a default group for all user accounts on the domain) to the share. In this manner, you eliminate the need to update department groups before new users receive the shared folder.

• Use NTFS permissions instead of shared permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level, and then use NTFS permissions to assign permissions that are more specific.

What Is Access-Based Enumeration?
With access-based enumeration, users see only the files and folders which they have permission to access. Access-based enumeration provides a better user experience because it displays a less complex view of the contents of a shared folder, making it easier for users to find the files that they need. Windows Server 2012 allows access-based enumeration of folders that a server shares over the network.

Enabling Access-Based Enumeration
To enable access-based enumeration for a shared folder:

1. Open Server Manager.

2. In the navigation pane, click File and Storage Services.

3. In the navigation pane, click Shares.

4. In the Shares pane, right-click the shared folder for which you want to enable access-based enumeration, and then click Properties.

5. In the Properties window, click Settings, and then select the Enable access-based enumeration check box.

When the Enable access-based enumeration check box is selected, access-based enumeration is enabled on the shared folder. This setting is unique to each shared folder on the server.

Note: The File and Storage Services console is the only place in the Windows Server 2012 interface where you can configure access-based enumeration for a shared folder. Access-based enumeration is not available in any of the properties windows that are accessible by right-clicking the shared folder in Windows Explorer.
What Are Offline Files?
An offline file is a copy of a network file that is stored on a client computer. By using offline files, users can access network-based files when their client computer is disconnected from the network.

Offline files and folders are edited or modified by the client, and the changes are synchronized with the network copy of the files the next time the client is reconnected to the network. The synchronization schedule and behavior of offline files is controlled by the client operating system.

Offline files are available to the following operating systems:

• Windows 8

• Windows Server 2012 clients

• Windows 7

• Windows Server 2008 R2

• Windows Server 2008

• Windows Vista®

• Windows Server 2003

• Windows XP

On a Windows Server 2012 computer, you view the Offline Settings window for a shared folder by clicking the Caching button in the Advanced Sharing window. The following options are available within the Offline Settings window:

• Only the files and programs that users specify are available offline. This is the default option when you set up a shared folder. When you use this option, no files or programs are available offline by default, and users control which files and programs they want to access when they are not connected to the network.

• No files or programs from the shared folder are available offline. This option blocks client computers from making copies of the files and programs on the shared folder.

• All files and programs that users open from the shared folder are automatically available offline. Whenever a user accesses the shared folder or drive and opens a file or program in it, that file or program is automatically made available offline to that user. Files and programs that are automatically made available offline remain in the offline files cache and synchronize with the version on the server until the cache is full or the user deletes the files. Files and programs that are not opened are not available offline.

• Optimized for performance. If you select the Optimized for performance check box, executable files (.exe, .dll) that are run from the shared folder by a client computer are automatically cached on that client computer. The next time the client computer runs the executable files, it will access its local cache instead of the shared folder on the server.

Note: The Offline Files feature must be enabled on the client computer for files and
programs to be cached automatically. In addition, the Optimized for performance option does
not have any effect on client computers that use Windows Vista or older, as these operating
systems perform the program-level caching automatically, as specified by this option.

Configuring the Always Work Offline Setting


You can configure Windows Server 2012 and Windows 8 computers to use the Always available offline
mode when accessing shared folders. When you configure this option, client computers always use the
locally cached version of the files from a network share, even if they are connected to the file server by a
high-speed network connection.

This configuration typically results in faster access to files for client computers, especially when
connectivity or speed of a network connection is intermittent. Synchronization with the files on the server
occurs according to the offline files configuration of the client computer.

How to Enable the Always Work Offline Mode


To enable Always work offline mode, you use Group Policy to enable the Configure slow-link mode
setting, and you set the latency value to 1:

1. On an AD DS domain controller, open Group Policy Management Console.


2. To optionally create a new Group Policy Object (GPO) for Offline Files settings, right-click the
appropriate domain or Organizational Unit (OU), and then click Create a GPO in this domain, and
Link it here.
3. In the console tree, right-click the GPO for which you want to configure the Offline Files settings, and
then click Edit.

4. In the Group Policy Management Editor, in the console tree, under Computer Configuration,
expand Policies, expand Administrative Templates, expand Network, and then expand Offline
Files.

5. Right-click Configure slow-link mode, and then click Edit.


6. In the Configure slow-link mode window, click Enabled.

7. In the Options box, click Show.

8. In the Show Contents window, in the Value name box, specify the shared folder path for which you
want to enable Always Offline mode.

Note: To enable Always Offline mode on all file shares, type a wildcard character (*).

9. In the Value box, type 1 to set the latency threshold to one millisecond, and then click OK.

Demonstration: Creating and Configuring a Shared Folder


Creating and configuring a shared folder is typically done within Windows Explorer, from the Sharing tab
on the Properties window of the file or folder. When creating a shared folder, always ensure that you set
permissions that are appropriate for all of the files and folders within the shared folder location.

Demonstration Steps

Create a shared folder


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Create a folder named Data on drive E.

3. Share the Data folder.

Assign permissions for the shared folder


• Grant the Authenticated Users Change permissions for \\LON-SVR1\Data.

Configure access-based enumeration


1. Open Server Manager.

2. Navigate to the Share pane in the File and Storage Services management console.

3. Open the Data Properties window for the \\LON-SVR1\Data, and enable access-based enumeration.

Configure offline files


1. Open the Data Properties window for E:\Data.

2. Navigate to the Sharing tab and open the advanced sharing settings.
3. Open the caching settings, and then disable offline files.
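The demonstration above, together with the earlier note on access-based enumeration and the Offline Settings options, done from the command line. This is an added example, not the course's own steps: it uses the SmbShare module that ships with Windows Server 2012, run on LON-SVR1 as an administrator; the share, path and account names are the course's own, and the mapping of the Offline Settings options to CachingMode values is stated in the comments.

```powershell
# Added example (not from the course): create and configure the Data share
# with the SmbShare cmdlets instead of Windows Explorer and Server Manager.

$sharePath = 'E:\Data'
if (-not (Test-Path $sharePath)) {
    New-Item -ItemType Directory -Path $sharePath | Out-Null
}

# Create the share. Specifying -ChangeAccess replaces the default "Everyone: Read"
# grant, so Authenticated Users: Change is the only share permission.
# FolderEnumerationMode AccessBased is the "Enable access-based enumeration"
# check box in File and Storage Services; CachingMode None is the
# "No files or programs from the shared folder are available offline" option.
New-SmbShare -Name 'Data' -Path $sharePath `
    -ChangeAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased `
    -CachingMode None

# The Offline Settings choices correspond to CachingMode as follows:
#   Manual    = Only the files and programs that users specify are available offline (default)
#   Documents = All files and programs that users open are automatically available offline
#   Programs  = Documents plus the "Optimized for performance" check box
#   None      = No files or programs from the shared folder are available offline
# To put an existing share back to the default, for example:
#   Set-SmbShare -Name 'Data' -CachingMode Manual -Force

# Audit every non-administrative share: a share that still enumerates
# Unrestricted shows users folder names they cannot open, and a caching mode
# other than None lets clients keep local copies of shared data.
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, FolderEnumerationMode, CachingMode |
    Format-Table -AutoSize

# Share permissions are independent of NTFS permissions; confirm what was granted.
Get-SmbShareAccess -Name 'Data'
```

Set-SmbShare needs -Force to apply without a confirmation prompt. Note that the effective access a user gets is the more restrictive of the share permission and the NTFS permission on the folder, so Change on the share does not by itself grant write access to a folder whose NTFS ACL denies it.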

Lesson 2
Protecting Shared Files and Folders using Shadow Copies
Shadow copies are used to restore previous versions of files and folders. It is much faster to restore a previous version of a file from a shadow copy than from a traditional backup copy, which might be stored offsite. Files and folders can be recovered by administrators, or directly by end users.

This lesson introduces you to shadow copies, and shows you how to configure a schedule of drive snapshots in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe shadow copies.
• Describe considerations for scheduling shadow copies.
• Identify methods for restoring data from shadow copies.
• Restore data from a shadow copy.

What Are Shadow Copies?
A shadow copy is a static image (or a snapshot) of a set of data, such as a file or folder. Shadow copies provide the capability to recover files and folders based on snapshots that are taken of storage drives. After a snapshot is taken, you can view and potentially restore previous versions of files and folders that existed at the time that the snapshot was taken.

A shadow copy does not make a complete copy of all files for each snapshot. Instead, after a snapshot is taken, Windows Server 2012 tracks changes to the drive. A specific amount of disk space is allocated for tracking the changed disk blocks. When you access a previous version of a file, some of the content might be in the current version of the file, and some might be in the snapshot.

By default, the changed disk blocks are stored on the same drive as the original file, but this behavior can be modified. You can also define how much disk space is allocated for shadow copies. Multiple snapshots are retained until the allocated disk space is full, after which older snapshots are removed to make room for new snapshots. The amount of disk space that is used by a snapshot is based on the size of disk changes between snapshots.

Because a snapshot is not a complete copy of files, shadow copies cannot be used as a replacement for traditional backups. If the disk containing a drive is lost or damaged, then the snapshots of that drive are also lost.

Shadow copies are suitable for recovering data files, but not for more complex data, such as databases, that need to be logically consistent before a backup is performed. A database that is restored from previous versions is likely to be corrupt and require database repairs.

Considerations for Scheduling Shadow Copies
The default schedule for creating shadow copies is Monday through Friday at 07:00 A.M., and again at noon. You can modify the default schedule as desired for your organization.

When scheduling shadow copies:

• Consider that increasing the frequency of shadow copies increases the load on the server. You should not schedule drive shadow copies more than once each hour.

• Increase the frequency of shadow copies for frequently changing data. This increases the likelihood that recent file changes are captured.

• Increase the frequency of shadow copies for important data. This increases the likelihood that recent file changes are captured.

Restoring Data from a Shadow Copy
Previous versions of files can be restored by either users or administrators. Most users are unaware that they can do this, and they will need instructions on how to restore a previous version of a file.

Administrators can access previous versions of files directly on the server that stores the files. Users can access previous versions of files over the network from a file share. In both cases, previous versions are accessed from the Properties window of the file or folder.

When viewing previous versions of a folder, you can browse the available files and select only the file that you need. If multiple versions of files are available, you can review each version before deciding which one to restore. Finally, you can copy a previous version of a file to an alternate location instead of restoring it to its previous location. This prevents overwriting the current file version.

Windows XP SP2 or newer, Windows Vista, and Windows 7 operating system clients are capable of accessing previous file versions without installing any additional software. For Windows XP clients that are running Windows XP SP1 or older operating systems, you must install the Previous Versions Client.

Demonstration: Restoring Data from a Shadow Copy


Shadow copies can be created using the default schedule, or you can modify the schedule to provide
more frequent snapshots. In either case, you will only see the versions of the file as it has changed. Taking
a shadow copy of a file that doesn’t change has no actual effect on the shadow copy. No additional
versions are available, and no space is used in the snapshot, for that particular file.

Demonstration Steps

Configure shadow copies


1. On LON-SVR1, open Windows Explorer.

2. Enable Shadow Copies for Local Disk (C:).

Create a new file


1. Open Windows Explorer.

2. Create a folder in drive C named Data.

3. Create a text file named TestFile.txt in the Data folder.


4. Change the contents of TestFile.txt by adding the text Version 1.

Create a shadow copy


1. In Windows Explorer, right-click Local Disk (C:) and then click Configure Shadow Copies.
2. In the Shadow Copies window, click Create Now.

3. When the shadow copy is complete, click OK.

Modify the file


1. In Windows Explorer, double-click TestFile.txt to open the document.

2. In Notepad, type Version 2.

3. Close Notepad, and click Save to save the changes.

Restore a previous version


1. In Windows Explorer, right-click TestFile.txt, and then click Restore previous versions.

2. Restore the most recent version.

3. In the warning window, click Restore.

4. Open TestFile.txt to open the document and verify that the previous version is restored.
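The same demonstration done from the command line, also covering the hourly schedule from the scheduling considerations and the copy-to-alternate-location restore described under "Restoring Data from a Shadow Copy". This is an added example, not the course's own steps: it uses vssadmin.exe, schtasks.exe and the Win32_ShadowCopy WMI class, all present on Windows Server 2012, run on LON-SVR1 as an administrator; the drive letter, file names and the task name ShadowCopy-C are the course's values or constructed here, and the 10% shadow storage limit is an assumed value.

```powershell
# Added example (not from the course): take, schedule and restore from shadow
# copies of C: on LON-SVR1 without the Shadow Copies dialog.

$volume = 'C:'

# Reserve space for the changed-block store. When it fills, the oldest snapshots
# are discarded first, so the limit bounds how far back "previous versions" reach.
# Keeping the store on the same volume is the default the lesson describes.
vssadmin add shadowstorage /for=$volume /on=$volume /maxsize=10%

# Take a snapshot now (the "Create Now" button).
vssadmin create shadow /for=$volume

# Schedule one snapshot per hour, the upper bound the lesson recommends.
schtasks /create /tn "ShadowCopy-C" /sc HOURLY /mo 1 /ru SYSTEM `
    /tr "vssadmin create shadow /for=$volume"

# List the snapshots of this volume. DeviceObject is the path through which a
# snapshot's contents can be read; VolumeName matches Win32_Volume.DeviceID.
$volumeId  = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$volume'").DeviceID
$snapshots = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate
$snapshots | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Restore TestFile.txt from the most recent snapshot to an alternate name, which
# avoids overwriting the current version (the safer of the two options above).
# PowerShell providers do not open \\?\GLOBALROOT paths, so expose the snapshot
# through a directory symbolic link, copy, then remove the link (rmdir removes
# the link only, never the snapshot contents).
$latest = $snapshots | Select-Object -Last 1
$mount  = 'C:\ShadowMount'
cmd /c mklink /d $mount "$($latest.DeviceObject)\" | Out-Null
Copy-Item -Path (Join-Path $mount 'Data\TestFile.txt') `
          -Destination 'C:\Data\TestFile.restored.txt'
cmd /c rmdir $mount
```

The trailing backslash after DeviceObject in the mklink target is required. Because the snapshot store lives on the same volume by default, this gives no protection against loss of the disk itself, which is the point the lesson makes about shadow copies not replacing backups.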

Lesson 3
Configuring Network Printing
By using the Print and Document Services role in Windows Server 2012, you can share printers on a network and centralize print server and network printer management. By using the Print Management console, you can monitor print queues, and receive important notifications regarding print server activity.

Windows Server 2012 introduces new features and important changes to the Print and Document Services role that you can use to manage your network printing environment better. This lesson explains the important aspects of network printing, and introduces new network printing features that are available in Windows Server 2012.

Lesson Objectives
After completing the lesson, you will be able to:

• Identify the benefits of network printing.
• Describe Enhanced Point and Print.
• Identify security options for network printing.
• Create multiple configurations for a print device.
• Describe printer pooling.
• Describe Branch Office Direct Printing.
• Identify methods for deploying printers to clients.

Benefits of Network Printing
You can configure network printing by using Windows Server 2012 as a print server for users. In this configuration, client computers submit print jobs to the print server for delivery to a printer that is connected to the network.

The biggest benefit of using Windows Server 2012 as a print server is centralized management of printing. Instead of managing client connections to many individual devices, you manage their connection to the server. Printer drivers are installed centrally on the server, and then distributed to workstations.

By centralizing printing on a server, you also simplify troubleshooting. It is relatively easy to determine whether printing problems are caused by the printer, server, or client computer.

A network printer is more expensive than those typically used for local printing, but it also has significantly lower consumables costs and better quality printing. Therefore, the cost of printing is still minimized, because the initial cost of the printer is spread over all the computers that connect to that printer. For example, a single network printer could service 100 users or more.

Network printers can also be published in AD DS, which allows users to search for printers in their domain.

What Is Enhanced Point and Print?
Enhanced Point and Print is a new function in Windows Server 2012 that makes it easier to install drivers for network printers. Enhanced Point and Print uses the new version 4 (v4) driver type that is introduced in Windows Server 2012 and Windows 8.

Understanding V3 Drivers and V4 Drivers
The Windows printer driver standard that is used in previous versions of Windows Server has existed in relatively the same form since the introduction of version 3 (v3) drivers in Windows 2000 operating systems. With v3 drivers, printer manufacturers created customized print drivers for each specific device that they produced, to ensure that Windows applications could use all of their printer's features. Under the v3 model, printer infrastructure management requires administrators to maintain drivers for each print device in the environment, and separate 32-bit and 64-bit drivers for a single print device, to support both platforms.

Introducing the V4 Printer Driver
Windows Server 2012 and Windows 8 include support for v4 print drivers, and enable improved print device driver management and installation. Under the v4 model, print device manufacturers can create Print Class Drivers that support similar printing features and printing languages that may be common to a large set of devices. Common printing languages may include Printer Control Language (PCL), PostScript (.ps) or XML Paper Specification (XPS).

Version 4 drivers are typically delivered by using Windows Update or Windows Software Update Services. Unlike v3 drivers, v4 drivers are not delivered from a printer store that is hosted on the print server.

The V4 driver model provides the following benefits:

• Sharing a printer does not require provisioning drivers that match the client architecture.
• Driver files are isolated on a per-driver basis, preventing driver file naming conflicts.
• A single driver can support multiple devices.
• Driver packages are smaller and more streamlined than v3 drivers, resulting in faster driver installation times.
• The printer driver and the printer user interface can be deployed independently.

Using Enhanced Point and Print for Driver Installation
Under the v4 model, printer sharing and driver installation operate automatically under Enhanced Point and Print. When a network printer is installed on a client computer, the server and client work together to identify the print device. The driver then installs directly from the driver store on the client machine, or from Windows Update or Windows Software Update Services.

With Enhanced Point and Print, the print device drivers no longer need to be maintained on the print server. Driver installation for network print devices becomes faster because printer drivers no longer need to be transferred over the network from server to client.

If the driver store on the client machine does not contain a driver for the network printer that is being installed, and if an appropriate driver cannot be obtained from Windows Update or Windows Server Update Services, Windows uses a fallback mechanism to enable cross-platform printing using the print driver from the print server.

Security Options for Network Printing
When a printer is shared over a network, in many cases no security is required. The printer is considered to be open access, that is, everyone is allowed to print on it. This is the default configuration for a printer that is shared on a Windows server.

The permissions that are available for shared printing include:

• Print: This permission allows users to print documents on the printer. By default, the Everyone group is assigned this permission.

• Manage this printer: This permission allows users to modify printer settings, including updating drivers. By default, this permission is given to Administrators, Server Operators, and Print Operators.

• Manage documents: This permission allows users to modify and delete print jobs in the queue. This permission is assigned to CREATOR OWNER, which means that the user who creates a print job manages that job. Administrators, Server Operators, and Print Operators also have this permission for all print jobs.

Demonstration: Creating Multiple Configurations for a Print Device
Creating multiple configurations for a print device enables you to assign print queues to specific users or groups to print high priority jobs to a printer that is being used by other users. When a print job is sent to the high priority print queue, the print server will process the job before any jobs coming from the normal priority queue.

Demonstration Steps

Create a shared printer
1. Open the Devices and Printers window.

2. Add a printer using the LPT1 local port, and the Brother Color Leg Type1 Class driver.

3. Name the printer AllUsers.

4. Share the printer using the default settings.

Create a second shared printer that uses the same port
1. Open the Devices and Printers window.

2. Add a printer using the LPT1 local port, and the Brother Color Leg Type1 Class driver.

3. Name the printer Executives.

4. Share the printer using the default settings.

Increase printing priority for a high priority print queue
1. Open the Executives Printer properties window.
2. Increase the Priority to 10.

What Is Printer Pooling?
Printer pooling is a way to combine multiple physical printers into a single logical unit. To client computers, the printer pool appears to be a single printer. When jobs are submitted to the printer pool, they can be processed by any available printer in the printer pool.

Printer pooling increases the scalability and availability of network printing by using a printer pool. If one printer in the pool is unavailable (for example, from a large print job, a paper jam, or being offline), all jobs are sent to the remaining printers. If a printer pool does not have sufficient capacity, you can add another printer to the printer pool without performing any client configuration.

A printer pool is configured on a server by specifying multiple ports for a printer. Each port is the location of one physical printer. In most cases, the ports are an IP address on the network, instead of a local LPT or USB connection.

The requirements for a printer pool are as follows:

• Printers must use the same driver: Clients use a single printer driver for generating print jobs. All printers must accept print jobs in the same format. In many cases, this means that a single printer model is used.

• Printers should be in the same location: The printers in a printer pool should be located physically close together. When users retrieve their print jobs, they must check all printers in the printer pool to find their document. There is no way for users to know which printer has printed their document.
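The two-queue demonstration above and a printer pool, built with the PrintManagement module in Windows Server 2012, as an added example that is not part of the course. Queue names, the LPT1 port and the driver are the course's own; the pool name Pool and the two device addresses 192.0.2.10 and 192.0.2.11 are constructed. One assumption to check on your server: pooling is represented here by giving the printer a comma-separated PortName, which is how the spooler stores what the Ports tab writes when "Enable printer pooling" is selected.

```powershell
# Added example (not from the course): priority queues on one port, then a
# pool of two network devices behind one logical printer, on the print server.

$driver = 'Brother Color Leg Type1 Class Driver'

# Two queues on one physical port. A queue's priority ranges 1 (default) to 99;
# the spooler dispatches jobs from Executives (priority 10) before AllUsers.
Add-Printer -Name 'AllUsers'   -DriverName $driver -PortName 'LPT1:' -Shared -ShareName 'AllUsers'
Add-Printer -Name 'Executives' -DriverName $driver -PortName 'LPT1:' -Shared -ShareName 'Executives'
Set-Printer -Name 'Executives' -Priority 10

# Printer pool: one logical printer, several ports, same driver on every device.
# Constructed addresses; replace with the real devices' IP addresses.
$poolPorts = @('192.0.2.10', '192.0.2.11')
foreach ($ip in $poolPorts) {
    Add-PrinterPort -Name $ip -PrinterHostAddress $ip
}
Add-Printer -Name 'Pool' -DriverName $driver -PortName $poolPorts[0] -Shared -ShareName 'Pool'
# Assumed: a comma-separated port list is the pooled-ports setting.
Set-Printer -Name 'Pool' -PortName ($poolPorts -join ',')

# Review the result. PermissionSDDL is the printer ACL from "Security Options":
# by default Everyone (WD) holds Print, so every queue is open access unless
# changed. A high priority queue only achieves its purpose if ordinary users
# cannot submit to it, so the Executives ACL is the one to review.
Get-Printer -Full |
    Select-Object Name, PortName, Priority, Shared, PermissionSDDL |
    Format-Table -AutoSize
```

Set-Printer -PermissionSDDL changes a queue's ACL; the simplest way to obtain a correct SDDL string is to set the permissions once in the GUI and read them back with Get-Printer -Full, rather than composing one by hand.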

What Is Branch Office Direct Printing?
Branch Office Direct Printing reduces network costs for organizations that have centralized their Windows Server roles. When Branch Office Direct Printing is enabled, Windows clients obtain printer information from the print server, but send the print jobs directly to the printer. The print data no longer travels to the central server and then back to the branch office printer. This configuration reduces traffic between the client computer, the print server, and the branch office printer, and results in increased network efficiency.

Branch Office Direct Printing is transparent to the user. In addition, the user can print even if the print server is unavailable for some reason (for example, if the wide area network (WAN) link to the data center is down). This is because the printer information is cached on the client computer in the branch office.

Configuring Branch Office Direct Printing
Branch Office Direct Printing is configured by an administrator using the Print Management console or a Windows PowerShell® command-line interface.

To configure Branch Office Direct Printing from the Print Management console, use the following steps:

1. In Server Manager, open the Print Management console.

2. In the navigation pane, expand Print Servers, and then expand the print server that is hosting the network printer for which Branch Office Direct Printing will be enabled.

3. Click the Printers node, right-click the desired printer, and then click Enable Branch Office Direct Printing.

To configure Branch Office Direct Printing using a Windows PowerShell command-line interface, type the following command at a Windows PowerShell command prompt:

Set-Printer -Name "<Printer Name Here>" -ComputerName <Print Server Name Here> -RenderingMode BranchOffice

Deploying Printers to Clients
Deploying printers to clients is a critical part of managing printing services on the network. A well-designed system for deploying printers is scalable and can be used to manage hundreds or thousands of computers.

The options for deploying printers are:

• Group Policy preferences. You can use Group Policy preferences to deploy shared printers to Windows XP, Windows Vista, Windows 7, and Windows 8 clients. The printer can be associated with either the user account or computer account, and can be targeted by group. For Windows XP computers, you must install the Group Policy Preference Client Extension.

• GPO created by Print Management. The Print Management administrative tool can add printers to a GPO for distribution to client computers based on either a user account or a computer account. Windows XP computers must be configured to run Pushprinterconnections.exe.

• Manual installation. Each user can add printers manually by either browsing the network or using the Add Printer Wizard. It is important to note that network printers that are installed manually are available only to the user that installed them. If multiple users share a computer, they must each install the printer manually.

Lab: Implementing File and Print Services


Scenario
Your manager has recently asked you to configure file and print services for the branch office. This
requires you to configure a new shared folder that is used by multiple departments, configure shadow
copies on the file servers, and configure a printer pool.

Objectives
After performing this Lab you will be able to:

• Create and configure a file share.

• Configure a shadow copy.

• Create and configure a printer pool.

Lab Setup
Estimated Time: 40 minutes

Logon Information

Virtual Machines: 20410A-LON-CL1, 20410A-LON-DC1, 20410A-LON-SVR1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 20410A-LON-DC1 and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-SVR1.

6. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Creating and Configuring a File Share


Scenario
Your manager has asked you to create a new shared folder for use by all departments. There will be a
single file share with separate folders for each department. To ensure that users only see files to which
they have access, you need to enable access-based enumeration on the share.

There have been problems in other branch offices with conflicts when offline files are used for shared data
structures. To avoid conflicts, you need to disable Offline Files for this share.

The main tasks for this exercise are as follows:

1. Create the folder structure for the new share.

2. Configure NTFS permissions on the folder structure.


3. Create the shared folder.

4. Test access to the shared folder.

5. Enable access-based enumeration.

6. Test access to the share.

7. Disable Offline Files for the share.

X Task 1: Create the folder structure for the new share


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows Explorer window, and create the following folders:

o E:\Data

o E:\Data\Development
o E:\Data\Marketing

o E:\Data\Research

o E:\Data\Sales

X Task 2: Configure NTFS permissions on the folder structure


1. In Windows Explorer, block the NTFS permissions inheritance for E:\Data, and when prompted,
convert inherited permissions into explicit permissions.

2. In Windows Explorer, remove permissions for LON-SVR1\Users on subdirectories in E:\Data.


3. In Windows Explorer, add the following NTFS permissions for the folder structure:

Folder                 Permissions
E:\Data                No change
E:\Data\Development    Modify: Adatum\Development
E:\Data\Marketing      Modify: Adatum\Marketing
E:\Data\Research       Modify: Adatum\Research
E:\Data\Sales          Modify: Adatum\Sales

X Task 3: Create the shared folder


1. In Windows Explorer, share the E:\Data folder.

2. Assign the following permissions to the shared folder:


o Change: Adatum\Authenticated Users

X Task 4: Test access to the shared folder


1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

Note: Bernard is a member of the Development group.

2. Open Windows Explorer.

3. Navigate to \\LON-SVR1\Data.

4. Attempt to open the Development, Marketing, Research, and Sales folders.

Note: Bernard should have access to the Development folder. However, although
Bernard can still see the other folders, he does not have access to their contents.

5. Log off LON-CL1.

X Task 5: Enable access-based enumeration


1. Switch to LON-SVR1.

2. Open Server Manager.


3. Select File and Storage Management.

4. Select Shares.

5. Open the Properties window for the Data share, and from the Settings page, enable Access-based
enumeration.

X Task 6: Test access to the share


1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

2. Click the Desktop tile and then open a Windows Explorer window, and navigate to \\LON-
SVR1\Data.

Note: Bernard can now view only the Development folder, the folder for which he has
been assigned permissions.

3. Open the Development folder to confirm access.

4. Log off LON-CL1.

X Task 7: Disable Offline Files for the share


1. Switch to LON-SVR1.

2. Open Windows Explorer.

3. Navigate to E:\

4. Open the Properties window for the Data folder, and disable Offline file caching.

Results: After finishing this exercise, you will have created a new shared folder for use by multiple
departments.
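Tasks 1 and 2 of this exercise (the folder structure and its NTFS permissions) done with New-Item and icacls.exe on LON-SVR1, plus a check that the local Users group really is gone from each department folder. This is an added example, not the lab's own steps; folder and group names are the lab's own, and icacls is asked for the local group as plain Users, which it resolves to the same BUILTIN\Users the lab shows as LON-SVR1\Users.

```powershell
# Added example (not from the lab): build E:\Data and set per-department NTFS
# permissions from the command line, then verify the result.

$root        = 'E:\Data'
$departments = 'Development', 'Marketing', 'Research', 'Sales'

New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($d in $departments) {
    New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null
}

# Task 2 step 1: stop E:\Data inheriting from E:\ and keep the inherited entries
# as explicit ones (/inheritance:d = disable inheritance, copy the ACEs).
icacls $root /inheritance:d

# Task 2 steps 2 and 3: on each department folder, remove the local Users group
# and grant the matching domain group Modify. (OI)(CI) makes the grant apply to
# files and subfolders. Inheritance is disabled on the subfolder first; otherwise
# the Users entry would simply be re-inherited from E:\Data.
foreach ($d in $departments) {
    $folder = Join-Path $root $d
    icacls $folder /inheritance:d
    icacls $folder /remove:g Users
    icacls $folder /grant "Adatum\${d}:(OI)(CI)M"
}

# Verification: show each folder's ACL and flag any folder where the local Users
# group still appears, since that would give every account on the server access
# regardless of department membership.
foreach ($d in $departments) {
    $folder = Join-Path $root $d
    $acl    = Get-Acl $folder
    $leak   = $acl.Access | Where-Object { $_.IdentityReference -like '*\Users' }
    '{0}: {1}' -f $folder, $(if ($leak) { 'WARNING: Users still has access' } else { 'OK' })
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

Because access-based enumeration on the share hides what a user cannot open, the NTFS ACL on each department folder is what decides both visibility and access; a mistake here shows up in Task 6 as Bernard seeing, or not seeing, the wrong folders.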

Exercise 2: Configuring Shadow Copies


Scenario
A. Datum Corporation stores daily backups offsite for disaster recovery. Every morning the backup from
the previous night is taken offsite. To recover a file from backup requires the backup tapes to be shipped
back onsite. The overall time to recover a file from backup can be a day or more.

Your manager has asked you to ensure that shadow copies are enabled on the file server so you can
restore recently modified or deleted files without using a backup tape. Because the data in this branch
office changes frequently, you have been asked to configure a shadow copy to be created once per hour.

The main tasks for this exercise are as follows:

1. Configure shadow copies for the file share.

2. Create multiple shadow copies of a file.

3. Recover a deleted file from a shadow copy.

X Task 1: Configure shadow copies for the file share


1. Switch to LON-SVR1.
2. Open Windows Explorer.

3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.

4. Enable Shadow Copies for the E:\ drive.


5. Configure the settings to schedule hourly shadow copies for the E:\ drive.

X Task 2: Create multiple shadow copies of a file


1. On LON-SVR1, switch to Windows Explorer, and navigate to the E:\Data\Development folder.

2. Create a new text file named Report.txt.


3. Switch to the Shadow Copies window, and then click Create Now.

X Task 3: Recover a deleted file from a shadow copy


1. Switch back to the Windows Explorer window.

2. Delete the Report.txt file.

3. Open the Properties window for E:\Data\Development, and then click the Previous Versions tab.

4. Open the most recent version of the Development folder, and then copy the Report.txt file.

5. Paste the file back into the Development folder.


6. Close Windows Explorer and all open windows.

Results: After finishing this exercise, you will have enabled shadow copies on the file server.

Exercise 3: Creating and Configuring a Printer Pool


Scenario
Your manager has asked you to create a new shared printer for your branch office. However, instead of
creating the shared printer on the local server in the branch office, he has asked you to create the shared
printer in the head office and use Branch Office Direct Printing. This allows the printer to be managed in
the head office, but prevents print jobs from traversing WAN links.
20410A: Installing and Configuring Windows Server® 2012 10-27

To ensure high availability of this printer, you need to format it as a pooled printer. Two physical print
devices of the same model have been installed in the branch office for this purpose.

The main tasks for this exercise are as follows:

1. Install the Print and Document Services server role.

2. Install a printer.
3. Configure printer pooling.

4. Install a printer on a client computer.

X Task 1: Install the Print and Document Services server role


1. On LON-SVR1, open Server Manager.

2. Install the Print and Document Services role, and accept the default settings.

X Task 2: Install a printer


1. On LON-SVR1, use the Print Management console to install a printer with the following parameters:

a. IP Address: 172.16.0.200
b. Driver: Microsoft XPS Class Driver

c. Name: Branch Office Printer

2. Enable Branch Office Direct Printing.


3. List the printer in AD DS.

X Task 3: Configure printer pooling


1. In the Print Management console, create a new port on LON-SVR1 with the following configuration:

a. Type: Standard TCP/IP port


b. IP Address: 172.16.0.201

c. Connection: Generic Network Card

2. Open the Branch Office Printer Properties page, and on the Ports tab, enable printer pooling.
3. Select port 172.16.0.201 as the second port.

X Task 4: Install a printer on a client computer


1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Add a printer, selecting the Branch Office Printer on LON-SVR1.

Results: After finishing this exercise, you will have installed the Print and Document Services server role
and installed a printer with printer pooling.

X To prepare for the next module


After you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.


10-28 Implementing File and Print Services

Module Review and Takeaways


Review Questions:
Question: How does inheritance affect explicitly assigned permissions on a file?

Question: Why should you not use shadow copies as a means for data backup?

Question: In which scenarios could Branch Office Direct Printing be beneficial?

Tools

Effective Permissions Tool
  Used for: Assessing combined permissions for a file, folder or shared folder.
  Where to find it: Under Advanced, on the Security tab of the Properties page of a file, folder or shared folder.

Netsh command-line tool
  Used for: Configuring Windows Server 2012 networking components.
  Where to find it: Command prompt.

Print Management administrative
  Used for: Managing the print environment in Windows Server 2012.
  Where to find it: The Tools menu in Server Manager.

Module 11
Implementing Group Policy
Contents:
Module Overview 11-1

Lesson 1: Overview of Group Policy 11-2

Lesson 2: Group Policy Processing 11-10

Lesson 3: Implementing a Central Store for Administrative Templates 11-15

Lab: Implementing Group Policy 11-19

Module Review and Takeaways 11-23

Module Overview
Maintaining a consistent environment across an organization is challenging. Administrators need a
mechanism to configure and enforce user and computer settings and restrictions. Group Policy can
provide that consistency by enabling administrators to centrally manage and apply configuration settings.

This module provides an overview of Group Policy and provides details about how to implement group
policies.

Objectives
After completing this module, you will be able to:

• Create and manage Group Policy Objects.


• Describe Group Policy processing.

• Implement a central store for administrative templates.


11-2 Implementing Group Policy

Lesson 1
Overview of Group Policy
Group Policy allows you to control the computing environment. It is important to understand how Group
Policy functions, so you can apply Group Policy correctly. This lesson provides an overview of Group Policy
structure, and defines local and domain group policies. It also describes the types of settings available for
users and groups.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the components of Group Policy.

• Describe multiple local Group Policy Objects (GPOs).

• Describe storage options for domain GPOs.

• Describe GPO policies and preferences.

• Describe starter GPOs.

• Describe the process of delegating GPO management.

• Describe the process of creating and managing GPOs.

Components of Group Policy
Group Policies are configuration settings that allow administrators to enforce settings by modifying the
computer-specific and user-specific registry settings on domain-based computers. You can group Group
Policies together to make GPOs, which you can then apply to security principals (users, groups or
computers).

GPOs
A GPO is an object that contains one or more policy settings that apply configuration settings for users,
computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy
Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy
Management Editor. GPOs are logically linked to Active Directory® containers to apply settings to the
objects in those containers.

Group Policy Settings
A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration
change to apply to an object (a computer or a user, or both) within Active Directory Domain Services
(AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area
of the computing environment. Not all settings can be applied to all older versions of Windows Server®
and Windows operating systems. Each new version introduces new settings and capabilities that only
apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it
simply ignores it.

Most policy settings have three states:

• Not Configured. The GPO will not modify the existing configuration of the particular setting for the
user or computer.

• Enabled. The policy setting will be applied.

• Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured.

Note: Some settings are multi-valued or have text string values. These are typically used to
provide specific configuration details to applications or operating system components. For
example, a setting may provide the URL of the home page for Windows Internet Explorer® or
blocked applications.

The effect of the change depends on the policy setting. For example, if you enable the Prohibit Access to
Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting,
you ensure that users can open Control Panel. Notice the double negative in this policy setting: You
disable a policy that prevents an action, so you allow the action.

Group Policy Settings Structure


There are two distinct areas of Group Policy settings:

• User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.

• Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Software settings
  Description: Contain software settings that can be deployed to either the user or the computer.
  Software that is deployed to a user is specific to that user. Software that is deployed to the
  computer is available to all users of that computer.

Windows operating system settings
  Description: Contain script settings and security settings for both user and computer, and Internet
  Explorer maintenance for the user configuration.

Administrative templates
  Description: Contain hundreds of settings that modify the registry to control various aspects of the
  user and computer environment. New administrative templates may be created by Microsoft or other
  vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010
  templates that are available for download, and that you can add to the GPMC.

Group Policy Management Editor


The Group Policy Management Editor (GPME) displays the individual Group Policy settings that are
available in a GPO. These are displayed in an organized hierarchy that begins with the division between
computer settings and user settings, and then expands to show the Computer Configuration node and
the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and
preferences are configured.
Group Policy Preferences
In addition to the Group Policy sections shown in the previous table, a Preferences node is present under
both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor.
Preferences provide even more capabilities with which to configure the environment, and are discussed
later in this module.

Local Group Policy
All systems running the Microsoft® Windows 2000 operating systems or newer also have local Group
Policies that are available. Local policy settings only apply to the local machine, but can be exported and
imported to other computers.

What Are Multiple Local GPOs?
In Windows operating systems prior to Windows Vista®, there was only one available user configuration in
the local Group Policy. That configuration was applied to all users who logged on from that local
computer. This is still true, but Windows Vista® and newer client operating systems, and Windows Server
2008 and newer Windows Server operating systems have an added feature: multiple local GPOs. In
Windows 8 and Windows Server 2012, it is now possible to have different user settings for different local
users; this is only available for the users' configurations in Group Policy. There is only one set of
computer configurations available that affects all users of the computer.

Windows 8 and Windows Server 2012 provide this ability with the following three layers of Local Group
Policy Objects:

• Local Group Policy (contains the computer configuration settings)

• Administrator and Non-Administrator Group Policy

• User-specific Local Group Policy

Note: The exception to this feature is domain controllers. Due to the nature of their role,
domain controllers cannot have local Group Policies.

How the Layers Are Processed
The layers of Local Group Policy Objects are processed in the following order:

1. Local Group Policy

2. Administrators and Non-Administrators Group Policy

3. User-specific Local Group Policy

With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply
local Group Policies to groups, but only to individual local user accounts. Domain users are subject to the
local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.

Note: Domain administrators can disable processing Local Group Policy Objects on clients
that are running Windows client operating systems and Windows Server operating systems by
enabling the Turn Off Local Group Policy Objects Processing policy setting in a domain Group
Policy Object.

Storage of Domain GPOs

Group Policy settings are presented as GPOs in the Group Policy Management tool, but a GPO is
actually two components: a Group Policy template, and a Group Policy container.

Group Policy Template
Group Policy templates are the actual collection of settings that you can change. Group Policy
templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains
Group Policy templates with thousands of configurable settings. When you create a new Group Policy,
the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the
GPO, a new Group Policy container is created.

Group Policy Container
The Group Policy container is an Active Directory object that is stored in the Active Directory database.
Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies
the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and
version numbers, but it does not contain any of the settings. Instead, the settings are contained in the
Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller.
SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is
the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes
are saved to the Group Policy template of the server from which the GPO was opened.

By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings
in a GPO only if the GPO has been updated.

The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version
number that is incremented each time a change is made. The version number is stored as an attribute of
the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group
Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy
refresh, the Group Policy Client discovers that the version number of the Group Policy container has been
changed, the CSEs will be informed that the GPO is updated.

When editing a Group Policy, the version on the computer that has the primary domain controller (PDC)
emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter
what computer you are using to perform the editing, the GPMC is focused on the PDC emulator by
default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
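The two copies of the version number described above (the container attribute in AD DS and GPT.ini in SYSVOL) can be compared from Windows PowerShell. This is an added example, not part of the course; it assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to SYSVOL on the PDC emulator (Get-GPO also exposes the same values as DSVersion and SysvolVersion).

```powershell
# Added example (not from the course): compare each GPO's container version (AD DS)
# with its template version (GPT.ini in SYSVOL). A mismatch usually means one of the
# two replication paths is lagging, so clients may apply a template that does not
# match the container they read.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoVersionStatus {
    param(
        # Default to the PDC emulator, the GPMC's default focus (see text above).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName

    foreach ($gpo in Get-GPO -All -Server $Server) {
        # Container: CN={GUID},CN=Policies,CN=System,<domain DN>, with versionNumber
        # and gPCFileSysPath (the SYSVOL folder of the template) as attributes.
        $gpcDN = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"
        $gpc   = Get-ADObject -Identity $gpcDN -Server $Server `
                     -Properties versionNumber, gPCFileSysPath

        # Template: the Version= line of GPT.ini in that folder.
        $gptIni  = Join-Path $gpc.gPCFileSysPath "GPT.ini"
        $gptLine = Select-String -Path $gptIni -Pattern '^Version=(\d+)' |
                       Select-Object -First 1
        $gptVer  = if ($gptLine) { [int]$gptLine.Matches[0].Groups[1].Value } else { -1 }
        $adVer   = [int]$gpc.versionNumber

        # One 32-bit number packs both halves: low 16 bits = computer version,
        # high 16 bits = user version.
        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            AD_Computer     = $adVer -band 0xFFFF
            AD_User         = ($adVer -shr 16) -band 0xFFFF
            Sysvol_Computer = $gptVer -band 0xFFFF
            Sysvol_User     = ($gptVer -shr 16) -band 0xFFFF
            InSync          = ($adVer -eq $gptVer)
        }
    }
}

# Report only the GPOs whose two copies disagree.
Get-GpoVersionStatus | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

Run it against each domain controller (by passing -Server) to see which replica is behind.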
What Are Group Policies and Preferences?
Group Policy Preferences are a feature in the Windows Server 2012 operating system. Preferences include
more than 20 Group Policy extensions that expand the range of configurable settings within a GPO.
Preferences help to reduce the need for logon scripts.

Note: Windows XP operating systems need to have the Group Policy client-side extensions
installed to process Group Policy preferences. These can be downloaded from the Microsoft
download website.

Characteristics of Preferences
Preferences have the following characteristics:

• Preferences exist for both computers and users.

• Unlike Group Policy settings, preferences are not enforced, and users can change the configurations
that are established by preferences.

• Preferences can be managed through the Remote Server Administration Tools (RSAT).

• Preferences can be applied only once at startup or logon, or refreshed at intervals.

• Unlike Group Policy settings, preferences are not removed when the GPO is no longer applied, but
you can change this behavior.

• Preferences can easily be targeted to certain users or computers through a variety of ways, such as
security group membership or operating system version.

• Preferences are not available for local group policies.

• Unlike Group Policy, the user interface of the setting is not disabled.

Common Uses for Group Policy Preferences
Although you can configure many settings through Group Policy preferences, some of the more common
uses are as follows:

• Drive mappings for users

• Configuring desktop shortcuts for users or computers

• Setting environment variables

• Mapping printers

• Setting power options

• Configuring Start menus

• Configuring data sources

• Configuring Internet options

• Scheduling tasks
What Are Starter GPOs?
Starter GPOs are templates that assist in the creation of GPOs. When creating new GPOs, you can
choose to use a starter GPO as the source. This makes it easier and faster to create multiple GPOs with
the same baseline configuration.

Available Settings
Starter GPOs can only contain settings from the Administrative Templates node of either the User
Configuration section or the Computer Configuration section. The Software Settings and Windows
Settings nodes of Group Policy are not available, because these nodes involve interaction of services and
are more complex and domain-dependent.

Exporting Starter GPOs
You can export starter GPOs to a Cabinet file (.cab) and then load that .cab file into another environment
that is completely independent of the source domain/forest. Exporting a starter GPO allows you to send
the .cab file to other administrators, who can then use it in other areas. For example, you may create a
GPO that defines Internet Explorer security settings. If you want all sites and domains to employ the same
settings, then you could export the starter GPO to a .cab file, and then distribute it.

When to Use Starter GPOs
The most common situation in which you would use a starter GPO is when you want a group of settings
for a type of computer role. For example, you may want all corporate laptops to have the same desktop
restrictions, or all file servers to have the same baseline Group Policy settings, but enable variations for
different departments.

Included Starter GPOs
The GPMC includes a link to create a Starter GPO folder, which contains a number of predefined starter
GPOs. These policies provide preconfigured security-oriented settings for enterprise clients (EC) and
Specialized Security – Limited Functionality (SSLF) clients for both user and computer settings on Windows
Vista and Windows XP SP2 operating systems. You can use these policies as starting points when you
design security policies.

Delegating Management of GPOs
Administrators can delegate some of the Group Policy administrative tasks to other users. These users do
not have to be domain administrators; they can be users that are granted certain rights to GPOs. For
example, a user who manages a particular Organizational Unit (OU) could be tasked with performing
reporting and analysis duties, while the help desk group is allowed to edit GPOs for that OU. A third group
of developers might be put in charge of creating Windows Management Instrumentation (WMI) filters.

The following Group Policy tasks can be delegated independently:

• Creating GPOs

• Editing GPOs

• Managing Group Policy links for a site, domain, or OU

• Performing Group Policy modeling analysis

• Reading Group Policy results data

• Creating WMI filters

The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that
they have created.

Group Policy Default Permissions


By default, the following users and groups have full access to manage Group Policy:
• Domain Admins

• Enterprise Admins

• Creator Owner
• Local System

The Authenticated User group has Read and Apply Group Policy permissions only.

Permissions for Creating GPOs


By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new
GPOs. You can use two methods to grant a group or user this right:

• Add the user to the Group Policy Creator Owners group


• Explicitly grant the group or user permission to create GPOs by using GPMC

Permissions for Editing GPOs


To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission
by using the GPMC.

Managing GPO Links


The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can
manage this permission by using the Delegation tab on the container. You can also delegate it through
the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results


You can delegate the ability to use the reporting tools in the same fashion, either through GPMC or
through the Delegation of Control Wizard in Active Directory Users and Computers.

Creating WMI Filters


You can delegate the ability to create and manage WMI filters in the same fashion, either through GPMC
or through the Delegation of Control Wizard in Active Directory Users and Computers.

Demonstration: Creating and Managing GPOs


In this demonstration, you will see how to use the GPMC to create a new GPO. You will also see how you
can use the Group Policy Management Editor to edit the GPO settings. Finally, you will see how Windows
PowerShell® is used to create a GPO.

Demonstration Steps

Create a GPO by using the GPMC


• Log on to LON-DC1 as Administrator and create a policy named Prohibit Windows Messenger.

Edit a GPO with the Group Policy Management Editor


1. Edit the policy to prohibit the use of Windows Messenger.

2. Link the Prohibit Windows Messenger GPO to the domain.

Use Windows PowerShell to create a GPO


• Use Windows PowerShell to create a GPO named Desktop Lockdown.
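The third demonstration step can be carried out end to end with the GroupPolicy module. This is an added example, not the course's own demonstration script; it assumes the GroupPolicy and ActiveDirectory RSAT modules, rights to create and link GPOs in the Adatum domain, and uses the Prohibit Access to Control Panel policy from earlier in this module as the setting to deliver.

```powershell
# Added example (not from the course): create the "Desktop Lockdown" GPO, configure one
# registry-based user policy in it, disable its empty computer side, link it to the
# domain, and read the setting back. Re-runnable: existing objects are reused.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = "Desktop Lockdown"
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=Adatum,DC=com

# 1. Create the GPO (container in AD DS plus template folder in SYSVOL) if needed.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Added example: user desktop restrictions"
}

# 2. Set a user-side policy. "Prohibit access to Control Panel" is stored as the
#    NoControlPanel DWORD under the Explorer policies key in HKEY_CURRENT_USER.
$explorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Set-GPRegistryValue -Name $gpoName -Key $explorerKey `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# 3. The GPO carries only user settings, so disable the empty computer section
#    (the module recommends this to speed up processing).
$gpo.GpoStatus = "ComputerSettingsDisabled"

# 4. Link the GPO to the domain unless a link already exists.
$linked = (Get-GPInheritance -Target $domainDN).GpoLinks |
              Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# 5. Verify: the value stored in the GPO, and the GPO's status and link.
Get-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName "NoControlPanel"
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, Id
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
```

Remove-GPRegistryValue with the same -Key and -ValueName returns the setting to Not Configured.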

Lesson 2
Group Policy Processing
Understanding how Group Policy is applied is the key to being able to develop a Group Policy strategy.
This lesson shows you how Group Policy is associated with Active Directory objects, how it is processed,
and how to control the application of Group Policy. After creating the GPOs and configuring the settings
you want to apply, they must be linked to containers. GPOs are applied in a specific order. This order may
determine what settings are applied to objects. There are two default policies that are automatically
created. These policies are used to deliver password and security settings for the domain and for domain
controllers. The application of policies can also be controlled through security filtering.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe a GPO link.

• Describe how GPOs are applied to containers and objects.

• Describe the Group Policy processing order.

• Describe the default GPOs.

• Describe GPO security filtering.

GPO Links
Once you have created a GPO and defined all the settings that you want it to deliver, the next step is
to link the policy to an Active Directory container. A GPO link is the logical connection of the policy
to a container. You can link a single GPO to multiple containers by using the GPMC. You can
link GPOs to the following types of containers:

• Sites

• Domains

• OUs

Once a GPO is linked to a container, by default the policy is applied to all the objects in the container,
and subsequently all the child containers under that parent object. This is because the default
permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission.
You can modify this behavior by managing permissions on the GPO.

You can disable links to containers, which removes the configuration settings. You can also delete links.
Deleting links does not delete the actual GPO, only the logical connection to the container.

GPOs cannot be linked directly to users, groups or computers. In addition, GPOs cannot be linked to the
system containers of AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS
system containers receive Group Policy settings from GPOs linked to the domain level only.
Applying GPOs
Computer configuration settings are applied at startup, and then are refreshed at regular intervals.
Any startup scripts are run at computer startup. The default interval is every 90 minutes, but this is
configurable. The exception to the set interval is domain controllers, which have their settings
refreshed every five minutes.

User settings are applied at logon and are refreshed at regular, configurable intervals; the default is
also 90 minutes. Any logon scripts are run at logon.

Note: A number of user settings require two logons before the user sees the effect of the
GPO. This is because users logging on to the same computer use cached credentials to speed up
logons. This means that, although the policy settings are being delivered to the computer, the user is
already logged on and thus the settings will not take effect until the next logon. The folder redirection
setting is an example of this.

You can change the refresh interval by configuring a Group Policy setting. For computer settings, the
refresh interval setting is found in the Computer Configuration\Policies\Administrative
Templates\System\Group Policy node. For user settings, the refresh interval is found at the
corresponding settings under User Configuration. An exception to the refresh interval is security settings.
The security settings section of the Group Policy will be refreshed at least every 16 hours, regardless of the
interval that you set for the refresh interval.

You can also refresh Group Policy manually. The command line utility Gpupdate refreshes and delivers
any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy
settings. There is also a new Windows PowerShell Invoke-Gpupdate cmdlet, which performs the same
function.

A new feature in Windows Server 2012 is Remote Policy Refresh. This feature allows administrators to use
the GPMC to target an OU and force Group Policy refresh on all of its computers and their currently
logged-on users. To do this, you right-click any OU, and then click Group Policy Update. The update
occurs within 10 minutes.

Group Policy Processing Order
GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are
applied later in the process of applying GPOs overwrite any conflicting policy settings that were
applied earlier.

GPOs are applied in the following order:

• Local group policies: Each system running Windows 2000 or newer potentially already
has a local Group Policy configured.

• Site group policies: Policies that are linked to sites are processed next.

• Domain group policies: Policies that are linked to the domain are processed next. There are often
multiple policies at the domain level. These policies are processed in order of preference.

• OU group policies: Policies linked to OUs are processed next. These policies contain settings that are
unique to the objects in that OU. For example, the Sales users may have special required settings. You
can link a policy to the Sales OU to deliver those settings.

• Child OU policies: Any policies that are linked to child OUs are processed last.

Objects in the containers receive the cumulative effect of all policies in their processing order. In the case
of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy may
restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU
to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools
would be available.

Note: Other methods such as Enforcement and Inheritance Blocking can change the effect
of policies on containers.

If multiple policies are applied at the same level, the administrator can assign a preference value to
control the order of processing. The default preference order is the order in which the policies were
linked.

You can also disable the user or computer configuration of a particular GPO. If one section of a policy is
known to be empty, then you should disable the empty section to speed up policy processing. For
example, if you have a policy that only delivers user desktop configuration, you could disable the
computer-side of the policy.
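The processing order above (domain, then parent OUs, then the child OU, with link order inside each level, and Enforced links and Block Inheritance changing the result) can be made visible for one OU with Get-GPInheritance. This is an added example, not part of the course; it assumes the GroupPolicy module, an OU distinguished name without escaped commas (the DN parsing is naive), and the A. Datum lab OU names used here only as placeholders.

```powershell
# Added example (not from the course): list the GPO links at each container level
# from the domain down to a target OU, then the effective order in which the client
# applies them. Site links are not included (they are listed in the GPMC under Sites).
Import-Module GroupPolicy

function Show-GpoApplicationOrder {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    # Build the container chain: domain DN first, target OU last.
    $chain = @()
    $dn = $OUDistinguishedName
    while ($dn -notmatch '^DC=') {
        $chain = ,$dn + $chain           # prepend, so parents come before children
        $dn = $dn -replace '^[^,]+,', ''  # strip the leading RDN (assumes no escaped commas)
    }
    $chain = ,$dn + $chain               # $dn is now the domain DN

    # Direct links at each level, in link order (lower Order = higher precedence).
    foreach ($container in $chain) {
        $inh  = Get-GPInheritance -Target $container
        $flag = if ($inh.GpoInheritanceBlocked) { " [Block Inheritance]" } else { "" }
        Write-Host "$container$flag"
        foreach ($link in ($inh.GpoLinks | Sort-Object Order)) {
            $enf = if ($link.Enforced) { " (Enforced)" } else { "" }
            $dis = if (-not $link.Enabled) { " (link disabled)" } else { "" }
            Write-Host ("    {0}. {1}{2}{3}" -f $link.Order, $link.DisplayName, $enf, $dis)
        }
    }

    # InheritedGpoLinks lists the links that actually reach the OU in precedence order
    # (winner first). Reverse it to show the order the client applies them in, where
    # the last one applied wins any conflict, as the text describes.
    $effective = @((Get-GPInheritance -Target $OUDistinguishedName).InheritedGpoLinks)
    $applied   = @($effective)
    [array]::Reverse($applied)
    Write-Host "`nApplied in this order (last one wins on conflicts):"
    $i = 1
    foreach ($link in $applied) {
        Write-Host ("    {0}. {1}" -f $i, $link.DisplayName)
        $i++
    }
    return $effective
}

# Placeholder OU from the A. Datum lab; substitute your own DN.
Show-GpoApplicationOrder -OUDistinguishedName "OU=Sales Users,OU=Sales,DC=Adatum,DC=com" | Out-Null
```

An Enforced link on a parent appears in the effective list ahead of the child OU's own links even when the child blocks inheritance, which is the exception the Note above refers to.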

What Are the Default GPOs?
During the installation of the AD DS role, two default GPOs are created: Default Domain Policy,
and Default Domain Controllers Policy.

Default Domain Policy
This policy is linked to the domain and affects all security principals in the domain. It contains the
password policy settings, the account lockout settings, and Kerberos policy. As a best practice,
this policy should not have other settings configured. If you need to configure other settings
to apply to the entire domain then you should create new policies to deliver the settings, and
then link the policies to the domain.

Default Domain Controllers Policy
This GPO is linked to the domain controllers' OU, and should only affect domain controllers. This policy is
designed to provide auditing settings and user rights, and should not be used for other purposes.
20410A: Installingg and Configuring W
Windows Server® 20112 11-13

GPO
G Securiity Filtering
Byy nature, a GPO applies to all the security
principles in the
e container, annd all child con
ntainers
be
elow the paren w to change that
nt. You may wish
be
ehavior and ha ave certain GPPOs apply onlyy to
pa
articular security principles. For example, you
y
m want to exempt certain users
may u in an OUU from a
re u can accomplish this
estrictive deskttop policy. You
th
hrough security filtering.

Ea
ach GPO has an a Access Conttrol List (ACL) that
t
de
efines permissions to that GPO. The defau ult
pe
ermission is fo
or Authenticateed Users to havve the
Re
ead and Applyy Group Policyy permission ap pplied.
e permissions in the ACL, you can control which securityy principles recceive permissio
Byy adjusting the on to
ave the GPO settings applied
ha d. There are tw
wo approachess you might taake to do this: deny access to o the
Group Policy, or limit permisssions to Group
p Policy.

Note: Thee Authenticate


ed Users group
p includes all u
user and comp
puter accountss that have
be
een authentica
ated to AD DSS.

Deny Access to Group Policy
If most security principals in the container should receive the policy settings but some should not, then you can exempt particular security principals by denying them access to the Group Policy. For example, if all the users in the Sales OU should receive a policy except the Sales Managers group, then you can exempt that group (or user) by adding the group to the ACL of the GPO, and then setting the permission to Deny.

Limit Permissions to Group Policy
Alternatively, if you have created a GPO that should only be applied to a few security principals in a container, you can remove the Authenticated Users group from the ACL, add the security principals that should receive the GPO settings, and then grant them the Read and Apply Group Policy permissions. For example, you may have a GPO with computer configuration settings that should only apply to laptop computers. You could remove the Authenticated Users group from the ACL, add the computer accounts of the laptops, and then grant them the Read and Apply Group Policy permission.

Note: Never deny access to the Authenticated Users group. If you do, then no security principal would ever receive the GPO settings.

The ACL of a GPO is accessed in the GPMC by selecting the GPO in the Group Policy Object folder and then clicking the Delegation > Advanced tab.
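The two approaches described above, as an added PowerShell example that is not part of the course material: a Deny entry that exempts one group, and the limit approach that leaves Authenticated Users with Read only and grants Apply to a specific group. It assumes the GroupPolicy and ActiveDirectory modules are available on LON-DC1 (Windows Server 2012 with the GPMC feature installed), and the GPO and group names used in the usage lines are assumptions for illustration (the lesson names the Sales Managers group; the laptop group and both GPOs are invented here). Set-GPPermission cannot write Deny entries, so the deny approach edits the ACL of the GPO's AD object directly.

```powershell
# Added example, not from the course. Requires the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# GUID of the "Apply Group Policy" extended right in the AD schema.
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApply {
    # Approach 1: everyone in scope keeps the policy; one group is exempted with a Deny ACE
    # on the Apply Group Policy right of the GPO's groupPolicyContainer object.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    if ($GroupName -eq 'Authenticated Users') {
        throw 'Never deny Authenticated Users: no security principal would receive the GPO.'
    }
    $dn  = (Get-GPO -Name $GpoName).Path            # distinguished name of the GPO in AD
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Limit-GpoApply {
    # Approach 2: only the named group gets Apply. Authenticated Users is reduced to Read rather
    # than removed, because computers must still read the GPO to process it; since the June 2016
    # Group Policy security update (MS16-072) user settings are also read with the computer account.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

function Show-GpoFiltering {
    # Same information as the Delegation > Advanced tab, including Deny entries.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
        Format-Table -AutoSize
}

# Usage with assumed names: exempt Sales Managers from a Sales desktop GPO, and restrict a
# laptop power GPO to a group containing the laptop computer accounts.
Deny-GpoApply     -GpoName 'Sales Desktop Restrictions' -GroupName 'Sales Managers'
Limit-GpoApply    -GpoName 'Laptop Power Options'       -GroupName 'Laptop Computers'
Show-GpoFiltering -GpoName 'Sales Desktop Restrictions'
```

After either change, verify the result with Show-GpoFiltering or the Delegation > Advanced tab, and confirm on a client with gpresult that the GPO now shows as denied for the exempted principals and still applied for everyone else.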

Discussion: Identifying Group Policy Application

Scenario
The slide illustrates a portion of the A. Datum Corporation's AD DS structure, which contains the Sales OU with its child OUs and the Servers OU.

• GPO1 is linked to the Adatum domain container. The GPO configures power options that turn off the monitors and disks after 30 minutes of inactivity, and restricts access to registry editing tools.

• GPO2 has settings to lock down the desktops of the Sales Users OU, and configure printers for Sales Users.

• GPO3 configures power options for laptops in the Sales Laptops OU.

• GPO4 configures a different set of power options to ensure that the servers never go into power save mode.

Some users in the Sales OU have administrative rights on their computers, and have created local policies to specifically grant access to Control Panel.

Question: What power options will the servers in the Servers OU receive?

Question: What power options will the laptops in the Sales Laptops OU receive?

Question: What power options will all other computers in the domain receive?

Question: Will users in the Sales Users OU who have created local policies to grant access to Control Panel be able to access Control Panel?

Question: If you needed to grant access to Control Panel to some users, how would you do it?

Question: Can GPO2 be applied to other department OUs?

Demonstration: Using Group Policy Diagnostic Tools
In this demonstration you will see how to use Gpupdate to refresh Group Policy, display Resultant Set of Policy (RSoP), and output the results to an HTML file. You will also see how to use the Group Policy Modeling Wizard to test policies.

Demonstration Steps

Use Gpupdate to refresh Group Policy, display RSoP, and output the results to an HTML file
1. On LON-DC1, use Gpupdate to refresh the GPOs.

2. Use Gpresult /H to create an HTML file that displays the current GPO settings.

3. Open the HTML report and review the results.

Use the Group Policy Modeling Wizard to test the policy
• Use the Group Policy Modeling Wizard to simulate a policy application for users in the Managers OU who log onto any computer.
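The first three demonstration steps driven from PowerShell, as an added example that is not part of the course: it refreshes policy, writes the HTML report the demonstration asks for, and additionally writes the XML form of the same report and reads it back to list which GPOs were applied or denied and why. The report directory C:\Temp is an assumption, and the element names read from the XML (GPO, Name, Link/SOMPath, SecurityFilter, Enabled, IsValid, FilterAllowed, AccessDenied) are those of the RSoP XML schema that gpresult /X produces.

```powershell
# Added example, not from the course. Run on LON-DC1 in an elevated PowerShell session.
$ReportDir = 'C:\Temp'                                   # assumed location for the reports
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Step 1: /force reapplies all settings, not only those that changed since the last refresh.
gpupdate /force | Out-Null

# Step 2: HTML for reading (what the demonstration opens), XML for parsing. /F overwrites.
gpresult /H "$ReportDir\rsop.html" /F | Out-Null
gpresult /X "$ReportDir\rsop.xml"  /F | Out-Null

function Get-GpoApplicationSummary {
    # One row per GPO in the computer and user results, with the reason a GPO was not applied.
    param([Parameter(Mandatory)][string]$XmlPath)
    [xml]$rsop = Get-Content -Path $XmlPath -Raw
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($g in $rsop.Rsop.$scope.GPO) {
            if     ($g.AccessDenied  -eq 'true')  { $reason = 'Denied (security filtering)' }
            elseif ($g.FilterAllowed -eq 'false') { $reason = 'Denied (WMI filter)' }
            elseif ($g.Enabled       -eq 'false') { $reason = 'Denied (disabled)' }
            elseif ($g.IsValid       -eq 'false') { $reason = 'Denied (inaccessible)' }
            else                                  { $reason = 'Applied' }
            [pscustomobject]@{
                Scope          = $scope
                Name           = $g.Name
                LinkedTo       = ($g.Link | ForEach-Object { $_.SOMPath }) -join ', '
                SecurityFilter = ($g.SecurityFilter -join ', ')
                Result         = $reason
            }
        }
    }
}

# Step 3 equivalent on the console: review which GPOs reached this computer and user.
Get-GpoApplicationSummary -XmlPath "$ReportDir\rsop.xml" | Format-Table -AutoSize

# The cmdlet form of gpresult /H, useful when scripting the check against another computer:
# Get-GPResultantSetOfPolicy -Computer LON-DC1 -ReportType Html -Path "$ReportDir\rsop-cmdlet.html"
```

The Result column is the quickest way to confirm that security filtering did what you intended: a GPO that a user or computer was exempted from appears as denied for security filtering rather than simply missing from the list.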

Lesson 3
Implementing a Central Store for Administrative Templates
In a large organization, there may be many GPOs and multiple administrators managing them. When an administrator edits a GPO, the template files are pulled from the local workstation. The central store provides a single folder in SYSVOL that contains all of the templates required to create and edit GPOs. This lesson discusses the files that make up the templates, and discusses how to create a central store location to provide consistency in the templates that administrators use.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the central store.

• Describe administrative templates.

• Describe how administrative templates work.

• Describe managed and unmanaged policy settings.

What Is the Central Store?
If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to hold the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there may be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed may not be the same as the files that are stored on a Windows Server 2012 domain controller.

The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The local workstation that the administrator is using to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files. In this way, there is a consistent administration experience among multiple workstations.

You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{Domain Name}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).
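The manual provisioning described above, as an added PowerShell example that is not part of the course: it creates the PolicyDefinitions folder in SYSVOL, copies the local templates including the language subfolders, and then hashes both sides so that drift between a workstation's templates and the store (the problem the Central Store exists to solve) shows up as a list of differing files. It assumes it runs on a domain controller for the Adatum.com domain from the lab, and it uses .NET for SHA-256 because Windows Server 2012 ships PowerShell 3.0, which has no Get-FileHash.

```powershell
# Added example, not from the course. Run on a domain controller (LON-DC1 in the lab).
$Source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Central = Join-Path $env:SystemRoot 'SYSVOL\sysvol\Adatum.com\Policies\PolicyDefinitions'

function New-CentralStore {
    # Creates the store folder and copies every template. -Recurse brings along the
    # language subfolders (en-US and any others) that hold the ADML files.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Get-TemplateHashes {
    # One object per ADMX/ADML file: path relative to $Root plus its SHA-256.
    param([Parameter(Mandatory)][string]$Root)
    $sha     = [System.Security.Cryptography.SHA256]::Create()
    $rootLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($rootLen)
                Sha256       = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
            }
        }
}

function Compare-CentralStore {
    # Lists templates that differ in content between a local folder and the store, or that
    # exist on only one side. An empty result means the two sets of templates are identical.
    param([Parameter(Mandatory)][string]$Local, [Parameter(Mandatory)][string]$Store)
    $localHashes = @(Get-TemplateHashes -Root $Local)
    $storeHashes = @(Get-TemplateHashes -Root $Store)
    Compare-Object -ReferenceObject $localHashes -DifferenceObject $storeHashes -Property RelativePath, Sha256 |
        Select-Object RelativePath, Sha256,
            @{ n = 'OnlyIn'; e = { if ($_.SideIndicator -eq '<=') { 'local' } else { 'store' } } }
}

New-CentralStore -Source $Source -Destination $Central
$drift = Compare-CentralStore -Local $Source -Store $Central
if (-not $drift) { 'Central Store matches the local PolicyDefinitions folder.' }
else             { $drift | Format-Table -AutoSize }
```

Because SYSVOL replicates, the copy needs to be made on only one domain controller. Compare-CentralStore is also the check to run from any administration workstation later: a non-empty result means that workstation has newer or older templates than the store, and the store, not the workstation, is where the update should be made. Once the store exists, the Administrative Templates node in the Group Policy Management Editor reports that policy definitions were retrieved from the central store.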

What Are Administrative Templates?
An administrative template is made up of two XML file types: ADMX and ADML.

• ADMX files specify the registry setting to change. ADMX files are language-neutral.

• ADML files generate the user interface to configure the Administrative Templates policy settings in the Group Policy Management Editor. ADML files are language-specific.

ADMX and ADML files are stored in the %SystemRoot%\PolicyDefinitions folder. You can also create your own custom administrative templates in XML format. Administrative templates that control Microsoft Office products (such as Office Word, Office Excel® and Office PowerPoint®) are also available from the Microsoft download website.

Administrative Templates have the following characteristics:

• They are organized into subfolders that house configuration options for specific areas of the environment, such as network, system, and Windows components.

• The settings in the computer section edit the HKEY_LOCAL_MACHINE registry hive, and settings in the user section edit the HKEY_CURRENT_USER registry hive.

• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.

• Some settings are available only to certain versions of Windows operating systems, such as several new settings that can be applied only to the Windows 7 and newer operating system versions. Double-clicking the settings will display the supported versions for that setting. Any setting that cannot be processed by an older Windows operating system is simply ignored by that system.
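A minimal custom administrative template of the kind the text says you can write yourself, as an added example that is not part of the course: a PowerShell script that writes one ADMX file and its en-US ADML file into the PolicyDefinitions folder and parses them back to catch malformed XML. The namespace, category, policy name, and registry key (Adatum.Policies.Example, Software\Policies\Adatum\Example, ExampleSetting) are invented for illustration; the setting is declared with class="Both" so it appears under both Computer and User Configuration, and it writes under a Policies key so the Group Policy service treats it as a managed setting. SUPPORTED_Windows7 is a supportedOn definition from the Microsoft.Policies.Windows namespace that ships in Windows.admx.

```powershell
# Added example, not from the course. Writes AdatumExample.admx and en-US\AdatumExample.adml.
$Target = Join-Path $env:SystemRoot 'PolicyDefinitions'   # point at the Central Store instead if one exists

# ADMX: language-neutral. Names the registry key and value and the data written for Enabled
# and Disabled; Not Configured removes the value. Display strings are looked up in the ADML.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="adatum" namespace="Adatum.Policies.Example" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="Adatum" displayName="$(string.Adatum)" />
  </categories>
  <policies>
    <policy name="ExampleSetting" class="Both" displayName="$(string.ExampleSetting)"
            explainText="$(string.ExampleSetting_Help)"
            key="Software\Policies\Adatum\Example" valueName="ExampleSetting">
      <parentCategory ref="Adatum" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# ADML: language-specific strings for the category, the setting name and its help text.
$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>A. Datum example template</displayName>
  <description>Strings for the Adatum.Policies.Example ADMX file</description>
  <resources>
    <stringTable>
      <string id="Adatum">A. Datum</string>
      <string id="ExampleSetting">Enable the example application setting</string>
      <string id="ExampleSetting_Help">Writes ExampleSetting under Software\Policies\Adatum\Example. Enabled writes 1, Disabled writes 0, Not Configured removes the value. If both the computer and the user setting are configured, the computer setting prevails.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Install-AdminTemplate {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$BaseName,
        [Parameter(Mandatory)][string]$Admx,
        [Parameter(Mandatory)][string]$Adml,
        [string]$Language = 'en-US'
    )
    $langDir = Join-Path $Target $Language
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    $utf8 = New-Object System.Text.UTF8Encoding($true)      # UTF-8 with BOM, as the shipped templates use
    $admxPath = Join-Path $Target  "$BaseName.admx"
    $admlPath = Join-Path $langDir "$BaseName.adml"
    [System.IO.File]::WriteAllText($admxPath, $Admx, $utf8)
    [System.IO.File]::WriteAllText($admlPath, $Adml, $utf8)
    # Parse both files now, so a malformed template fails here rather than as an editor error later.
    foreach ($f in $admxPath, $admlPath) { [xml](Get-Content -Path $f -Raw) | Out-Null }
}

Install-AdminTemplate -Target $Target -BaseName 'AdatumExample' -Admx $admx -Adml $adml
```

If a Central Store exists, the editor reads templates from the store and ignores the local folder, so a custom template must be copied into the store (including its language subfolder) before other administrators will see it.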

ADM Files
Prior to Windows Vista, administrative templates had an .adm (ADM) file extension. ADM files were language-specific, and were difficult to customize. ADM files are stored in SYSVOL as part of the Group Policy template. If an ADM file is used in multiple GPOs, then the file is stored multiple times. This increases the size of SYSVOL, and therefore increases the size of Active Directory replication traffic.

How Administrative Templates Work
Administrative Templates have settings for almost every aspect of the computing environment. Each setting in the template corresponds to a registry setting that controls an aspect of the computing environment. For example, when you enable the setting that prevents access to Control Panel, this changes the value in the registry key that controls that aspect.

The Administrative Templates node is organized as shown in the following table.

Section: Computer settings
Nodes:
• Control Panel
• Network
• Printers
• System
• Windows Components
• All Settings

Section: User settings
Nodes:
• Control Panel
• Desktop
• Network
• Shared Folders
• Start Menu and Taskbar
• System
• Windows Components
• All Settings

Most of those nodes contain multiple subfolders to further organize settings into logical groupings. Even
with this organization, finding the setting you need can be a daunting task. To help you locate settings,
the All Settings folder allows you to filter the entire list of settings by either the computer or the user
section. The following filter options are available:
• Managed or unmanaged

• Configured or not configured

• Commented

• By keyword

• By platform

You can also combine multiple criteria. For example, you could filter to find all the configured settings
that apply to Internet Explorer 10 by using the keyword ActiveX.

Managed and Unmanaged Policy Settings
There are two types of policy settings: managed, and unmanaged. All policy settings in a GPO's Administrative Templates are managed policies. The Group Policy service controls the managed policy settings and removes a policy setting when it is no longer within scope of the user or computer. The Group Policy service does not control unmanaged policy settings. These policy settings are persistent. The Group Policy service does not remove unmanaged policy settings.

Managed Policy Settings
A managed policy setting has the following characteristics:

• The user interface (UI) is locked, so that a user cannot change the setting. Managed policy settings result in the appropriate UI being disabled. For example, if you configure the desktop wallpaper through a Group Policy setting, then the user will see those settings greyed out in his or her local user interface.

• Changes are made in restricted areas of the registry, to which only administrators have access. These reserved registry keys are:

o HKLM\Software\Policies (computer settings)

o HKCU\Software\Policies (user settings)

o HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings)

o HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings)

• Changes made by a Group Policy setting and the UI lockout are released if the user or computer falls out of scope of the GPO. For example, if you delete a GPO, managed policy settings that had been applied to a user will be released. This means that, generally, the setting resets to its previous state. Additionally, the UI for the setting is enabled again.

Unmanaged Policy Settings
In contrast, an unmanaged policy setting makes a change that is persistent in the registry. If the GPO no longer applies, the setting remains. This is often called tattooing the registry—in other words, making a permanent change. To reverse the effect of the policy setting, you must deploy a change that reverts the configuration to the desired state. Additionally, an unmanaged policy setting does not lock the UI for that setting. By default, the Group Policy Management Editor hides unmanaged policy settings to discourage you from implementing a configuration that is difficult to revert. Many of the settings that are available in Group Policy preferences are unmanaged settings.
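A way to see the managed/unmanaged difference on a client, as an added PowerShell example that is not part of the course: snapshot the values under the four reserved policy keys listed above (and, optionally, any other key a template writes to), take a GPO out of scope, refresh, and snapshot again. Managed values disappear from the policy keys; a value that survives in a non-policy key after the GPO is gone is a tattooed, unmanaged setting. The key list is taken from the text; the snapshot and comparison helpers are written for this example, and the HKCU keys must be read in the session of the affected user.

```powershell
# Added example, not from the course. Run on the client (LON-CL1 in the lab) as the affected user.
$PolicyKeys = @(
    'HKLM:\Software\Policies',
    'HKCU:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-RegistrySnapshot {
    # Returns a hashtable of "key\valueName" -> data for every value under the given keys.
    param([Parameter(Mandatory)][string[]]$Keys)
    $snapshot = @{}
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                # Multi-string and binary data are flattened to a string for comparison only.
                $snapshot["$($item.Name)\$name"] = [string]$item.GetValue($name)
            }
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    # Lists values that were added, removed, or changed between two snapshots.
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Value = $k; Before = $Before[$k]; After = $null }
        } elseif ($After[$k] -ne $Before[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Value = $k; Before = $Before[$k]; After = $After[$k] }
        }
    }
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';   Value = $k; Before = $null; After = $After[$k] }
        }
    }
}

# Usage: snapshot while the GPO applies, then unlink the GPO (or move the user out of scope),
# run "gpupdate /force", log off and on again for user settings, and snapshot once more.
$before = Get-RegistrySnapshot -Keys $PolicyKeys
# ... unlink the GPO and refresh policy here ...
$after  = Get-RegistrySnapshot -Keys $PolicyKeys
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Rows marked Removed are the managed settings being released. To look for tattooing, add the non-policy key that a preference or custom template writes to (for example a vendor key under HKCU:\Software) to the key list: a value that is still present in the after snapshot, once the GPO no longer applies, is one you will have to revert with a deliberate change.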

Lab: Implementing Group Policy


Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in
London, England. An IT office and a data center are located in London to support the London location
and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows
8 clients.

In your role as a member of the server support team, you help to deploy and configure new servers and
services into the existing infrastructure based on the instructions given to you by your IT manager.

Your manager has asked you to create a central store for ADMX files to ensure that everyone can edit
GPOs that have been created with customized ADMX files. You also need to create a starter GPO that
includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Marketing
department and the IT department.

Objectives
After completing this lab, you will be able to:

• Configure a Central Store.

• Create GPOs.

Lab Setup
Estimated time: 40 minutes

Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1

User Name: Administrator

Password: Pa$$w0rd

Lab Setup Instructions


For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on until directed to do so.

Exercise 1: Configuring a Central Store


Scenario
A. Datum recently implemented a customized ADMX template to configure an application. A colleague
obtained the ADMX files from the vendor before creating the Group Policy Object with the configurations
settings. The settings were applied to the application as expected.

After implementation, you noticed that you are unable to modify the application settings in the Group
Policy Object from any location other than the workstation that was originally used by your colleague. To
resolve this issue, your manager has asked you to create a Central Store for administrative templates. After
you create the Central Store, your colleague will copy the vendor ADMX template from the workstation
into the Central Store.
The main tasks for this exercise are as follows:

1. View the location of administrative templates in a Group Policy Object (GPO).

2. Create a central store.

3. Copy administrative templates to the central store.

4. Verify the administrative template location in GPMC.

X Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. Start the Group Policy Management Console (GPMC).

3. Open the Default Domain Policy and view the location of the administrative templates.

X Task 2: Create a central store


1. Open Windows Explorer and browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.
2. Create a folder named PolicyDefinitions which will be used for the Central Store.

X Task 3: Copy administrative templates to the central store


• Copy the contents of the default PolicyDefinitions folder located at C:\Windows\PolicyDefinitions
to the new PolicyDefinitions folder located at C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.

X Task 4: Verify the administrative template location in GPMC


• Verify that the Group Policy Object Editor is using the ADMX files from the central PolicyDefinitions
folder, by viewing the location information text of the Administrative templates folder.

Results: After completing this exercise, you will have configured a Central Store.

Exercise 2: Creating GPOs


Scenario
After a recent meeting of the IT Policy committee, management has decided that A. Datum will use Group
Policy to restrict access to the General page of Internet Explorer for users.

Your manager has asked you to create a starter GPO that can be used for all departments with default
restriction settings for Internet Explorer. You then need to create the GPOs that will deliver the settings for
members of all departments except for the IT department.

The main tasks for this exercise are as follows:

1. Create a Windows Internet Explorer® Restriction default starter GPO

2. Configure the Internet Explorer Restriction starter GPO

3. Create a domain Internet Explorer Restrictions GPO From the Internet Explorer Restrictions starter
GPO
4. Test Application of the GPO for Domain Users

5. Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy

6. Test the GPO application for IT Department Users

7. Test Application of the GPO for other domain users

8. To prepare for the next module

X Task 1: Create a Windows Internet Explorer® Restriction default starter GPO


1. Open the GPMC and create a starter GPO named Internet Explorer Restrictions.
2. Type a comment that states This GPO disables the General page in Internet Options.

X Task 2: Configure the Internet Explorer Restriction starter GPO


• Configure the starter GPO named Internet Explorer Restrictions to disable the General page of
Internet Options.

X Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet
Explorer Restrictions starter GPO
• Create a new GPO named IE Restrictions that is based on the Internet Explorer Restrictions starter
GPO, and link it to the Adatum.com domain.

X Task 4: Test Application of the GPO for Domain Users


1. Log on to LON-CL1 as Adatum\Brad, with a password of Pa$$w0rd.
2. Open the Control Panel.

3. Attempt to change your homepage.

4. Open Internet Options to verify that the General tab has been restricted.

5. Sign out of LON-CL1.

X Task 5: Use security filtering to exempt the IT Department from the Internet Explorer
Restrictions policy
• On LON-DC1, open Group Policy Management, and configure security filtering on the IE Restrictions
policy to deny access to the IT department.

X Task 6: Test the GPO application for IT Department Users


1. Log on to LON-CL1 as Brad, with a password of Pa$$w0rd.

2. Open the Control Panel.

3. Attempt to change your homepage. Verify that the Internet Properties dialog opens to the General
page, and all settings are available.

4. Sign out of LON-CL1.



X Task 7: Test Application of the GPO for other domain users


1. Log on to LON-CL1 as Boris, with a password of Pa$$w0rd.

2. Open the Control Panel.

3. Attempt to change your homepage.

4. Open Internet Options to verify that the General tab has been restricted.

5. Sign out of LON-CL1.

Results: After completing this lab, you will have created a GPO.
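Tasks 1 to 4 of Exercise 2 driven from PowerShell on LON-DC1, as an added example that is not part of the lab: it creates the starter GPO with the required comment, creates the IE Restrictions GPO from it, configures the setting, links the GPO to the domain, and gives a check to run on the client. The GPO names, domain, and comment come from the lab; the registry value written is the one the "Disable the General page" setting (Internet Explorer's Internet Control Panel category, defined in inetres.admx) sets, which is why the lab's test user sees the General tab restricted. Set-GPRegistryValue works on GPOs but not on starter GPOs, so Task 2 (configuring the starter itself) remains an editor task and the same setting is applied here to the resulting GPO. Task 5, the security filtering exemption, is done as described in the lesson's GPO Security Filtering topic and is not repeated here.

```powershell
# Added example, not from the course. Run on LON-DC1 as Adatum\Administrator.
Import-Module GroupPolicy

$StarterName = 'Internet Explorer Restrictions'
$GpoName     = 'IE Restrictions'
$DomainDn    = 'DC=Adatum,DC=com'
$IeCpKey     = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# Task 1: starter GPO carrying the comment the lab specifies.
New-GPStarterGPO -Name $StarterName `
    -Comment 'This GPO disables the General page in Internet Options' | Out-Null

# Task 3: domain GPO created from the starter, then linked to the domain.
New-GPO -Name $GpoName -StarterGpoName $StarterName | Out-Null
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null

# Task 2 equivalent on the GPO: "Disable the General page" writes GeneralTab = 1 (REG_DWORD)
# under the Policies key, so it is a managed setting and is released if the GPO stops applying.
Set-GPRegistryValue -Name $GpoName -Key $IeCpKey -ValueName 'GeneralTab' -Type DWord -Value 1 | Out-Null

function Get-IeRestrictionState {
    # What the GPO now carries and where it is linked; useful before testing on the client.
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$Target)
    [pscustomobject]@{
        GeneralTab = (Get-GPRegistryValue -Name $GpoName -Key $IeCpKey -ValueName 'GeneralTab').Value
        Links      = (Get-GPInheritance -Target $Target).GpoLinks |
                         Where-Object { $_.DisplayName -eq $GpoName } |
                         ForEach-Object { "$($_.Target) (enabled: $($_.Enabled))" }
    }
}

function Test-GeneralTabRestricted {
    # Task 4 check, run on LON-CL1 in the test user's session after logging on: the managed
    # value appears under HKCU\Software\Policies only while the GPO applies to that user.
    $v = Get-ItemProperty -Path "HKCU:\$($IeCpKey -replace '^HKCU\\', '')" -Name GeneralTab -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.GeneralTab -eq 1)
}

Get-IeRestrictionState -GpoName $GpoName -Target $DomainDn
```

Run Test-GeneralTabRestricted on the client as Brad after Task 3 (it should return True) and again after the Task 5 exemption has been applied and policy refreshed (False for IT department users, True for everyone else); that matches the results the lab's Tasks 4, 6 and 7 ask you to observe in the Internet Options dialog.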

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-CL1.



Module Review and Takeaways


Review Questions
Question: What are some of the advantages and disadvantages of using site-level GPOs?

Question: You have a number of logon scripts that map network drives for users. Not all
users need these drive mappings, so you must ensure that only the desired users receiving
the mappings. You want to move away from using scripts. What is the best way to map
network drives without using scripts for selected users?

Best Practices
The following are recommended best practices:

• Do not use the Default Domain and Default Domain Controllers policies for other uses. Instead, create
new policies.

• Limit the use of security filtering and other mechanisms that make diagnostics more complex.

• Disable the User or Computer sections of policies, if they have no settings configured.

• If you have multiple administration workstations, create a Central Store.

• Add comments to your GPOs to explain what the policies are doing.

• Design your OU structure to support Group Policy application.

Common Issues and Troubleshooting Tips


Common Issue                                                                 Troubleshooting Tip

• A user is experiencing abnormal behavior on their workstation.

• All users in a particular OU are having issues, and the OU has multiple GPOs applied.

Tools
Tool: Group Policy Management Console (GPMC)
Use: Controls all aspects of Group Policy
Where to find it: In Server Manager, on the Tools menu

Tool: Group Policy Object Editor
Use: Use to configure settings in GPOs
Where to find it: Accessed by editing any GPO

Tool: Resulting Set of Policies (RSoP)
Use: Use to determine what settings are applying to a user or computer
Where to find it: In the GPMC

Tool: Group Policy Modeling Wizard
Use: Use to test what would occur if settings were applied to users or computers, prior to actually applying the settings
Where to find it: In the GPMC

Tool: Local Group Policy Editor
Use: Use to configure Group Policy settings that apply only to the local computer
Where to find it: Accessed by creating a new Microsoft Management Console (MMC) on the local computer, and adding the Group Policy Object Editor snap-in

Module 12
Securing Windows Servers Using Group Policy Objects
Contents:
Module Overview 12-1

Lesson 1: Windows Security Overview 12-2

Lesson 2: Configuring Security Settings 12-6

Lab A: Increasing Security for Server Resources 12-15

Lesson 3: Restricting Software 12-21

Lesson 4: Configuring Windows Firewall with Advanced Security 12-25

Lab B: Configuring AppLocker and Windows Firewall 12-29


Module Review and Takeaways 12-36

Module Overview
Protecting IT infrastructure has always been a priority to organizations. Many security risks are threatening
companies and their critical data. Failure to have adequate security policies can lead to data loss, server
unavailability, and companies losing credibility.
To protect against security threats, companies must have well-designed security policies that include many components, from organizational to IT-related. Security policies must be evaluated on a regular basis, because as security threats evolve, IT must evolve with them.

Before you start designing security policies to help protect your organization’s data, services, and IT
infrastructure, you must learn how to identify security threats, how to plan your strategy to mitigate
security threats, and how to secure your Windows Server® 2012 infrastructure.

Objectives
After completing this module, you will be able to:

• Describe Windows security.


• Configure security settings by using Group Policy.

• Restrict unauthorized software from running on servers and clients.

• Configure Windows Firewall® with Advanced Security.



Lesson 1
Windows Security Overview
As organizations expand their availability of network data, applications, and systems, ensuring network infrastructure security becomes more challenging. Security technologies in the Windows Server 2012 operating system enable organizations to provide better protection for their network resources and organizational assets in increasingly complex environments and business scenarios. This lesson reviews the tools and concepts that are available for implementing security within a Windows 8 and Windows Server 2012 infrastructure.

Windows Server 2012 includes numerous features that provide different methods for implementing security. These features combine to form the core of Windows Server 2012's security functionality. Understanding these features and their associated concepts, as well as being familiar with their basic implementation, is critical to maintaining a secure environment.

Lesson Objectives
After this lesson, you will be able to:

• Describe security risks for Windows Server 2012, and the costs associated with them.

• Describe how the defense-in-depth model addresses security.

• Describe best practices for increasing Windows Server 2012 security.

Discussion: Identifying Security Risks and Costs
The first step in defending your systems is identifying the potential security risks and their associated costs. Once you do that, you can make intelligent decisions about how to allocate resources to mitigate those risks.

Review the question on the slide and participate in the discussion to identify some of the risks and associated costs to Windows-based networks.

Applying Defense-In-Depth to Increase Security
You can mitigate risks to your organization's computer network by providing security at various infrastructure layers. The term defense-in-depth is often used to describe the use of multiple security technologies at different points throughout your organization. Defense-in-depth technologies include layers of security that extend from user policies all the way down to the application and the data itself.

Policies, Procedures, and Awareness


Security policy measures need to operate within the context of organizational policies regarding security
best practices. For example, enforcing a strong user password policy is not helpful if users write their
passwords down and stick them to their computer screens, so users must be taught how to protect their
passwords. Another example of security best practice is ensuring that users do not leave their desktop
computer without first locking the desktop or logging off from the computer. When establishing a
security foundation for your organization’s network, it is a good idea to start with establishing appropriate
policies and procedures and making users aware of them. Then you may progress to the other aspects of
the defense-in-depth model.

Physical Security
If any unauthorized person can gain physical access to a computer on your network, then most other
security measures are not useful. You must ensure that computers containing the most sensitive data,
such as servers, are physically secure, and that access is granted to authorized personnel only.

Perimeter
These days, no organization is an isolated enterprise. Organizations operate within the Internet, and many
organization network resources are available from the Internet. This might include building a website to
describe your organization’s services, or making internal services such as web conferencing and email
accessible externally, so that users can work from home or from branch offices.

Perimeter networks mark the boundary between public and private networks. Providing reverse proxy
servers in the perimeter network enables you to provide more secure corporate services across the public
network.

Many organizations implement so-called network access quarantine control, where computers that connect to the corporate network are checked against different security criteria, such as whether the computer has the latest security updates, antivirus updates, and other company-recommended security settings. If these conditions are met, the computer is allowed to connect to the corporate network. If not, the computer is placed in an isolated network, called quarantine, with no access to corporate resources. Once the computer has its security settings remediated, it is removed from the quarantine network and is allowed to connect to corporate resources.

Note: A reverse proxy, such as Microsoft® Forefront® Threat Management Gateway 2010,
enables you to publish services, such as email or web services, from the corporate intranet
without placing the email or web servers in the perimeter, or exposing them to external users.
Microsoft Forefront Threat Management acts as both reverse proxy and as a firewall solution.

Networks
Once you connect computers to a network, either internal or public, they are susceptible to a number of
threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. This is
especially relevant when communication takes place over public networks by employees who are working
from home, or from remote offices. You should deploy a firewall solution, such as Microsoft Forefront
Threat Management Gateway 2010, to protect from different types of network threats.

Host
The next layer of defense is the host computer itself. You must keep computers secure with the latest security updates. You also have to configure security policies, such as password complexity, configure the host firewall, and install antivirus software. Together, these steps make up a process that is called security hardening.

Application
Applications are only as secure as your latest security update. You should consistently use the Windows Update feature in Windows operating systems to keep your applications up-to-date. Moreover, applications must be tested by IT security administrators to determine whether they have any security vulnerabilities that might allow an external attacker to compromise applications or other network components. Together, these steps make up a process that is called application hardening.

Data
The final layer of security is data security. To help ensure the protection of your network, ensure the proper use of file user permissions by using Access Control Lists (ACLs), implement the encryption of confidential data with Encrypting File System (EFS), and perform backups of data regularly.

Additional Reading: For the latest Microsoft security bulletin and advisory information, see http://technet.microsoft.com/en-us/security/default.aspx.

Additional Reading: For more information about common types of network attacks, see http://technet.microsoft.com/en-us/library/cc959354.aspx.

Question: How many layers of the defense-in-depth model should you implement in your organization?

Best Practices for Increasing Security
Consider the following best practices for increasing security:

• Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.

• Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also limits the ability of users to accidentally delete data or modify critical operating system settings.

• Restrict console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control are enabled.

• Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.

Additional Reading: For more information about best practices for enterprise security, see
http://technet.microsoft.com/en-us/library/cc750076.aspx.

Lesson 2
Configuring Security Settings
Once you have learned about security threats and risks, and about best practices for increasing security, you can start configuring security for your Windows® 8 and Windows Server 2012 environment. In this lesson, you will learn how to configure security settings. To apply those security settings to multiple users and computers in your organization, you will use Group Policy. For example, you can use Group Policy to configure password policy settings and then deploy them on multiple users.

Group Policy has a large security component that you can use to configure security for both users and computers. You can apply security consistently across the organization in Active Directory® Domain Services (AD DS) by defining security settings in a Group Policy Object (GPO) that is associated with a site, domain, or Organizational Unit (OU).

Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to configure Security templates.

• Describe what user rights are and how to configure them.

• Describe how to configure Security Options.

• Describe how to configure User Account Control.

• Describe how to configure Auditing.

• Describe how to configure Restricted Groups.

• Describe how to configure Account Policy Settings.

Configuring Security Templates
Security templates are files that you can use to manage and configure security settings on Windows-based computers. Depending on the various categories of security settings, security templates are divided into logical sections. You can configure each of the following sections according to a company's needs and requests:

• Account policies: password policy, account lockout policy, and Kerberos policy

• Local policies: audit policy, user rights assignment, and security options

• Event log: application, system, and security event log settings

• Restricted groups: membership of groups that have special rights and permissions

• System services: startup and permissions for system services

• Registry: permissions for registry keys

• File system: permissions for folders and files

When you configure a security template, you can use it to configure a single computer or to configure multiple computers on the network. The following are a few ways that you can configure and distribute the security templates:

• The secedit.exe command-line tool

• The Security Templates snap-in

• The Security Configuration and Analysis Wizard

• Group Policy

• Security Compliance Manager

Configuring User Rights
User rights assignment refers to the ability to perform actions on the operating system. Each computer has its own set of user rights, such as the right to change the system time. Most rights are granted either to the Local System or to the Administrator.

There are two types of user rights:

• Privileges define access to computer and domain resources. For example, rights to back up files and directories.

• Logon rights define who is authorized to log on to a computer, and how they can log on. For example, logon rights may define the right to log on to a system locally.

You can configure rights through Group Policy. The default domain policy has no rights defined by default.

You can configure settings for User Rights by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment from the Group Policy Management Console (GPMC).

Some examples of commonly used user rights (and policies configured by them) are:

• Add workstations to domain. Determines which users or groups can add workstations to the domain.

• Allow log on locally. Determines which users can log on the computer.

• Allow log on through Remote Desktop Services. Determines which users or groups have permission to log on as Remote Desktop Services Client.

• Back up files and directories. Determines which users have permissions to back up files and folders on a computer.

• Change the system time. Determines which users or groups have right to change the time and date on the internal clock of the computer.

• Force shutdown from a remote system. Determines which users are allowed to shut down a computer from a remote location on the network.

• Shut down the system. Determines which of the users who are logged on locally to a computer are allowed to shut down the computer.

Configuring Security Options
You can use Group Policy to configure security options. The computer security settings that you can configure in security options include the following:

• Administrator and Guest account names

• Access to disk and CD/DVD drives

• Digital data signatures

• Driver installation behavior

• Logon prompts

• User account control

You can also configure settings for security options by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options from the GPMC.

The following are examples of commonly used security options:

• Interactive logon: Do not display last user name. Determines whether the name of the last user to log on to the computer displays in the Windows logon window.

• Accounts: Rename administrator account. Determines whether a different account name is associated with the security identifier (SID) for the account Administrator.

• Devices: Restrict CD-ROM access to locally logged-on user only. Determines whether a CD-ROM is accessible to both local and remote users simultaneously.

Configuring User Account Control
Administrative accounts carry with them a higher degree of security risk. When an administrative account is logged on, its privileges allow access to the entire Windows operating system, including the registry, system files, and configuration settings. As long as an administrative account is logged on, the system is vulnerable to attack and has the potential to be compromised.

User Account Control (UAC) is a security feature that helps prevent unauthorized changes to a computer, by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users.

By default, both standard users and administrators access resources and run applications in the security context of a standard user. The UAC prompt provides a way for a user to elevate his or her status from a standard user account to an administrator account without logging off, switching users, or using Run As. UAC creates a more secure environment in which to run and install applications.

When an application requires administrator-level permission, UAC notifies the user as follows:

• If the user is an administrator, the user confirms to elevate his or her permission level and continue.
This process of requesting approval is known as Admin Approval Mode.

Note: In Windows Server 2012, the built-in Administrator account does not run in Admin
Approval Mode. The result is that no UAC prompts display when using the local Administrator
account.

• If the user is not an administrator, then a username and password for an account that has
administrative permissions needs to be entered. Providing administrative credentials temporarily
gives the user administrative privileges, but only to complete the current task. After the task is
complete, permissions change back to those of a standard user.

When using this process of notification and elevation to administrator account privileges, changes cannot
be made to the computer without the user knowing. This can help prevent malicious software (malware)
and spyware from being installed on or making changes to a computer.

UAC allows the following system-level changes to occur without prompting, even when a user is logged
on as a local user:
• Install updates from Windows Update

• Install drivers from Windows Update or those that are packaged with the operating system

• View Windows operating system settings


• Pair Bluetooth devices with the computer

• Reset the network adapter, and perform other network diagnostic and repair tasks

Modifying UAC Behavior

You can modify the UAC notification experience to adjust the frequency and behavior of UAC prompts. To
modify UAC behavior on a single computer, access the Windows Server 2012 control panel in System and
Security.
You can also configure UAC settings by accessing from the GPMC: Computer Configuration\Policies
\Windows Settings\Security Settings\Local Policies\Security Options.

The following are examples of some GPO settings that you can configure for UAC:

• User Account Control: Run all administrators in Admin Approval Mode. Controls the behavior of
all UAC policy settings for the computer. If this setting is disabled, UAC will not run on this computer.

• User Account Control: Administrator Approval Mode for the built-in Administrator account.
When you enable this setting, the built-in Administrator account uses Admin Approval Mode.

• User Account Control: Detect application installations and prompt for elevation. This setting
controls the behavior of application installation detection for the computer.
• User Account Control: Only elevate executables that are signed and validated. When you enable
this setting, a Public Key Infrastructure (PKI) check is performed on the executable file to verify that it
originates from a trusted source. If the file is verified, then the file is permitted to run.

Note: By default, UAC is not configured or enabled in Server Core installations of Windows
Server 2012.
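The four UAC policy settings listed above are applied to a server as DWORD values under the Policies\System registry key, so a quick way to confirm what a GPO has actually delivered (including the Server Core case in the note, where nothing is set) is to read those values back. The script below is an added example, not from the course: the setting-to-value-name mapping is the standard one, while the "Expected" column is this example's assumed baseline for a member server, not a Microsoft recommendation. Run it on the server after gpupdate /force.

```powershell
# Added example (not from the course): compare the effective UAC registry
# values on this server with an assumed baseline. A missing value means the
# setting is "not configured", which is the Server Core default noted above.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Policy display name (without the "User Account Control:" prefix), the
# registry value that backs it, and the baseline this example assumes.
$checks = @(
    @{ Setting = 'Run all administrators in Admin Approval Mode';              Name = 'EnableLUA';                   Expected = 1 }
    @{ Setting = 'Admin Approval Mode for the built-in Administrator account'; Name = 'FilterAdministratorToken';    Expected = 1 }
    @{ Setting = 'Detect application installations and prompt for elevation'; Name = 'EnableInstallerDetection';    Expected = 1 }
    @{ Setting = 'Only elevate executables that are signed and validated';     Name = 'ValidateAdminCodeSignatures'; Expected = 0 }
)

$report = foreach ($c in $checks) {
    $actual = $null
    if ($values) { $actual = $values.($c.Name) }

    $shown = '(not set)'
    if ($null -ne $actual) { $shown = $actual }

    $status = 'REVIEW'
    if ($actual -eq $c.Expected) { $status = 'OK' }

    [pscustomobject]@{
        Setting  = "User Account Control: $($c.Setting)"
        Value    = $shown
        Expected = $c.Expected
        Status   = $status
    }
}

$report | Format-Table -AutoSize -Wrap

# EnableLUA = 0 switches UAC off entirely, so treat that one as a finding
# regardless of the rest of the baseline.
if ($report | Where-Object { $_.Setting -like '*Run all administrators*' -and $_.Value -eq 0 }) {
    Write-Warning 'UAC is disabled on this computer (EnableLUA = 0).'
}
```

Reading the registry shows the delivered state, not the GPO that delivered it; if a value is wrong, use gpresult /h on the server to see which linked GPO won for the Security Options section.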

Configuring Auditing
Typically, one of the components of an organization's security strategy is recording user activities and behavior, such as successful or unsuccessful attempts to access business-critical data that is stored in different folders, or successful or unsuccessful logon attempts on different servers.

Recording these security-related events is called security auditing. Security auditing produces security event logs that administrators can view in the Security Event Log in Event Viewer.

After configuring auditing, information in security event logs can help your organization audit their compliance with important business-related and security-related data by tracking precisely defined activities such as:

• A group administrator who has modified settings or data on servers that contain finance information.

• An employee within a defined group that has accessed an important folder containing data from different departments.

• A user who is trying to log on to his or her account repeatedly without success from an internal company computer. You might find that the employee who owns that user account was on a vacation that week, which means some other employee was trying to log on with a different user account.

You can configure security auditing settings by accessing from the GPMC: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.

The following are examples of some GPO settings that you can configure for auditing:

• Audit account logon events. Determines whether the operating system audits each time the computer validates an account's credentials.

• Audit account management. Determines whether to audit each event of account management, such as creating, changing, renaming, or deleting a user account, changing a password, or enabling or disabling a user account.

• Audit object access. Determines whether the operating system audits user attempts to access non-Active Directory objects, such as folders or files. Before configuring audit settings with Group Policy, you must configure system access control lists (SACLs) on folders or files to allow auditing for a specific type of action, such as write, read, or modify.

• Audit system events. Determines whether the operating system audits system-related events, such as attempting to change the system time, attempting a system startup or shutdown, or the security log size exceeding a configurable threshold warning.

Additional Reading: For more information about security auditing, see http://technet.microsoft.com/en-us/library/hh849638.aspx.
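The "Audit object access" bullet makes the point that the policy alone produces nothing: a SACL on the folder says what to record, and the audit policy says whether to record it. The script below is an added example, not from the course, that does the SACL half from Windows PowerShell (the same thing Exercise 2 later does through the folder's Properties dialog) and then checks the policy half with auditpol.exe. The folder path and the principal are assumptions; run it elevated on the file server.

```powershell
# Added example (not from the course): add a Success+Failure audit entry to a
# folder's SACL, then show whether the "File System" audit subcategory is
# actually enabled on this computer.
$folder    = 'C:\Shares\HR'           # assumed folder
$principal = 'ADATUM\Domain Users'    # assumed principal to audit
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# An audit rule needs: who, which accesses, how it inherits, and whether
# successful, failed, or both kinds of access are logged.
$rights      = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAndExecute, ListDirectory, Write'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$flags       = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $principal, $rights, $inherit, $propagation, $flags)

# -Audit makes Get-Acl read the SACL as well as the DACL (requires the
# "Manage auditing and security log" user right, held by Administrators).
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Show the SACL as it now stands.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# Nothing is written to the Security log until object access auditing is
# on. auditpol reports the effective state after Group Policy has applied.
auditpol.exe /get /subcategory:"File System"
```

If auditpol reports "No Auditing" for File System even though the GPO enables Audit object access, the GPO has not reached this computer yet (run gpupdate /force) or a higher-precedence policy is overriding it; either way, no 4663 events will appear until the output shows Success and Failure.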

Configuring Restricted Groups
In some cases, you may want to control the membership of certain groups in a domain, such as the local administrators group, to prevent the addition of other user accounts to those groups.

You can use the Restricted Groups policy to control group membership by specifying what members are placed in a group. If you define a Restricted Groups policy and then refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed, including default members such as domain administrators.

Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups such as Enterprise Admins and Schema Admins. You can also use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.

You cannot specify local users in a domain GPO. Local users who currently are in the local group that the Restricted Groups policy controls will be removed. The only exception to this is that the local Administrators account is always in the local Administrators group.

You can configure the settings for Restricted Groups by accessing from the GPMC: Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

Configuring Account Policy Settings
Account policies protect your organization's accounts and data by mitigating the threat of account password brute force attacks. Securing your network environment requires that all users utilize strong passwords. Password policy settings control the complexity and lifetime of user passwords. You can configure password policy settings through Group Policy.

Implementing Account Policies
The policy settings under Account policies are implemented at the domain level. A Windows Server 2012 domain can have multiple password and account lockout policies, which are called fine-grained password policies. You can apply these multiple policies to a user or to a global security group in a domain, but not to an organizational unit (OU).

Note: If you need to apply a fine-grained password policy to users of an OU, you can use a shadow group, which is a global security group that is logically mapped to an OU.

You can configure Account policy settings by accessing from the GPMC: Computer Configuration
\Policies\Windows Settings\Security Settings\Account Policies.

Account Policies Components

Account policy components include password policies, account lockout policies, and Kerberos policy.

Password Policy
Password policies that you can configure are listed in the following table.

Policy: Password must meet complexity requirements
  Function: Requires passwords to:
    • Be at least six characters long.
    • Contain a combination of at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks).
    • Must not contain the user's user name or screen name.
  Best Practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to decrypt than those containing simple letters or numbers.

Policy: Enforce password history
  Function: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
  Best Practice: The greater number ensures better security. The default value is 24. Enforcing password history ensures that passwords that have been compromised are not used repeatedly.

Policy: Maximum password age
  Function: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
  Best Practice: By default it is 42 days; it is recommended that you set it at 90 days. Setting the number of days too high provides hackers with an extended window of opportunity to determine the password. Setting the number of days too low frustrates users who have to change their passwords too frequently, and could result in more frequent calls to the IT help desk.

Policy: Minimum password age
  Function: Sets the minimum number of days that must pass before a password can be changed.
  Best Practice: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing the original password on the same day.

Policy: Minimum password length
  Function: Specifies the fewest number of characters that a password can have.
  Best Practice: Set the length to between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or a common phrase.

Policy: Store passwords by using reversible encryption
  Function: Provides support for applications that require knowledge of a user password for authentication purposes.
  Best Practice: Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.

Account Lockout Policy

Account Lockout Policies that you can configure are listed in the following table.

Policy: Account lockout threshold
  Function: Specifies the number of failed login attempts that are allowed before the account is locked. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect login information three times.
  Best Practice: A setting of 50 allows for reasonable user error, and limits repeated login attempts for malicious purposes.

Policy: Account lockout duration
  Function: Allows you to specify a timeframe, in minutes, after which the account automatically unlocks and resumes normal operation. If you specify 0, then the account will be locked indefinitely until an administrator manually unlocks it.
  Best Practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with productivity of legitimate users. A duration of 30 to 90 minutes should work well in most situations.

Policy: Reset account lockout counter after
  Function: Defines a timeframe for counting the incorrect login attempts. If the policy is set for one hour, and the account lockout threshold is set for three attempts, a user can enter the incorrect login information three times within one hour. If they enter incorrect information twice, but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
  Best Practice: Using a timeframe between 30 and 60 minutes is usually sufficient to deter automated attacks and manual attempts by an attacker to guess a password.

Kerberos Policy

This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes
and enforcement. Kerberos policies do not exist in Local Computer Policy.
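The password and lockout tables above give one value per setting, and the earlier note explains that a fine-grained policy can only target a user or a global security group, hence the shadow group for an OU. The following script is an added example, not from the course: it writes the tables' Best Practice values into the default domain policy with the ActiveDirectory module, builds a shadow group that mirrors an OU, binds a stricter fine-grained policy to it, and finally asks AD which policy wins for one user. The domain name, OU, group and policy names, and the stricter values are all this example's assumptions; run it on a domain controller as a Domain Admin.

```powershell
# Added example (not from the course): default domain policy from the tables
# above, plus a fine-grained policy delivered through a shadow group.
Import-Module ActiveDirectory

$domain = 'adatum.com'   # assumed domain

# Default domain password and lockout policy, using the Best Practice column.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 8 `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 50 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Shadow group: a global security group whose membership mirrors an OU.
# Re-running this block keeps the group in sync as users move in and out.
$ou    = 'OU=IT,DC=adatum,DC=com'   # assumed OU
$group = 'FGPP-IT-Users'            # assumed shadow group name
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
$inOu    = @(Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
$members = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty DistinguishedName)
$toAdd    = @($inOu    | Where-Object { $members -notcontains $_ })
$toRemove = @($members | Where-Object { $inOu    -notcontains $_ })
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Stricter fine-grained policy for that group. When a user is covered by more
# than one fine-grained policy, the lowest Precedence value wins.
$fgpp = 'IT-Strict'   # assumed policy name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgpp'")) {
    New-ADFineGrainedPasswordPolicy -Name $fgpp -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $fgpp -Subjects $group
}

# Resultant policy for one user (Adam is the lab's standard user; assumed to exist).
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'Adam'
if ($rsop) {
    $rsop | Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    'No fine-grained policy applies to Adam; the default domain policy is in effect.'
}
```

Two constraints to keep in mind when choosing values: the lockout observation window cannot exceed the lockout duration, and the minimum password age must be shorter than the maximum, otherwise the cmdlets reject the change.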

Lab A: Increasing Security for Server Resources


Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London,
England. An IT office and a data center are located in London to support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. As a new member of the team you help to deploy and configure
new servers and services into the existing infrastructure based on the instructions given to you by your IT
manager.
Your manager has given you some security-related settings that need to be implemented on all member
servers. You also need to implement file system auditing for a file share used by the Marketing
department. Finally, you need to implement auditing for domain logons.

Objectives
After completing this lab, you will be able to:

• Use Group Policy to secure member servers.


• Audit File System Access.

• Audit Domain Logons.

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 2-4 for 20410A-LON-SVR1 and steps 2-3 for 20410A-LON-CL1. Do not log on to
LON-CL1 until directed to do so.

Exercise 1: Using Group Policy to Secure Member Servers


Scenario
A. Datum uses the Computer Administrators group to provide administrators with permissions to
administer member servers. As part of the installation process for a new server, the Computer
Administrators group from the domain is added to the local Administrators group on the new server.
Recently, this important step was missed when configuring several new member servers.

To ensure that the Computer Administrators group is always given permission to manage member servers,
your manager has asked you to create a GPO that sets the membership of the local Administrators group
on member servers to include Computer Server Administrators. This GPO also needs to enable Admin
Approval Mode for UAC.

The main tasks for this exercise are as follows:

1. Create a Member Servers Organizational Unit (OU) and move servers into it.

2. Create a Server Administrators group.

3. Create a Member Server Security Settings GPO and link it to the Member Servers OU.

4. Configure group membership for local administrators to include Server Administrators and Domain
Admins.

5. Verify that Computer Administrators has been added to the local Administrators group.

6. Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow
log on locally.

7. Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval
Mode for the Built-in Administrator Account.

8. Verify that a standard user cannot log on to a member server.

Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it
1. On LON-DC1, open Active Directory Users and Computers.

2. Create new OU called Member Servers OU.


3. Move servers LON-SVR1 and LON-SVR2 to Member Servers OU.

Task 2: Create a Server Administrators group


• On LON-DC1, in Member Servers OU, create a new global security group called Server
Administrators.

Task 3: Create a Member Server Security Settings GPO and link it to the Member
Servers OU
1. On LON-DC1, open the Group Policy Management Console.

2. In the Group Policy Management Console window, in the Group Policy Objects container, create a
new GPO with a name Member Server Security Settings.
3. In the Group Policy Management Console, link the Member Server Security Settings to Member
Servers OU.

Task 4: Configure group membership for local administrators to include Server
Administrators and Domain Admins
1. On LON-DC1, open Group Policy Management Console.

2. Edit the Default Domain Policy.

3. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security
Settings, and then click Restricted Groups.

4. Add the Server Administrators and Domain Admins groups to the Administrators group.

5. Close the Group Policy Management Editor.
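
Tasks 1 to 3 above create directory and Group Policy objects that can equally be created from Windows PowerShell, which makes the steps repeatable on the next batch of servers. The script below is an added example, not part of the lab: it creates the OU, moves the two servers, creates the Server Administrators group, and creates and links the GPO, skipping any object that already exists. The Restricted Groups membership in Task 4 has no cmdlet and is still configured in the Group Policy Management Editor. Domain name is read from AD; the OU, group and GPO names are those used in the lab. Run it on LON-DC1.

```powershell
# Added example (not from the course): Exercise 1, Tasks 1 to 3, as a script.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Member Servers OU'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Member Server Security Settings'

# Task 1: create the OU (once) and move the member servers into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
foreach ($server in 'LON-SVR1', 'LON-SVR2') {
    $computer = Get-ADComputer -Identity $server
    if ($computer.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
    }
}

# Task 2: the global security group that will be placed in local Administrators.
if (-not (Get-ADGroup -Filter "Name -eq 'Server Administrators'")) {
    New-ADGroup -Name 'Server Administrators' -GroupScope Global -GroupCategory Security -Path $ouDn
}

# Task 3: create the GPO if missing and link it to the OU.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline security settings for member servers'
}
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Show what the OU now contains and which GPOs are linked to it.
Get-ADObject -SearchBase $ouDn -SearchScope OneLevel -Filter * | Select-Object Name, ObjectClass
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

Moving a computer object into a new OU does not change anything on the server until its next policy refresh, which is why Task 5 runs gpupdate /force on LON-SVR1 before checking the group.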


Task 5: Verify that Computer Administrators has been added to the local
Administrators group
1. Switch to LON-SVR1, and log on as Adatum\Administrator with a password of Pa$$w0rd.

2. Open a Windows PowerShell® window, and from a Windows PowerShell command prompt, type
following command:

gpupdate /force

3. Open Server Manager, open the Computer Management console, and then expand Local Users and
Groups.

4. Confirm that the Administrators group contains both ADATUM\Domain Admins and
ADATUM\Server Administrators as members.

5. Close the Computer Management console.

Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to
remove Users from Allow log on locally
1. Switch to LON-DC1.

2. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings
GPO.
3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and configure
Allow log on locally for Domain Admins and Administrators security groups.
4. Close the Group Policy Management Editor.

Task 7: Modify the Member Server Security Settings GPO to enable User Account
Control: Admin Approval Mode for the Built-in Administrator Account
1. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings
GPO.

2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies


\Windows Settings\Security Settings\Local Policies\Security Options, and enable User Account
Control: Admin Approval Mode for the Built-in Administrator account.
3. Close the Group Policy Management Editor.

Task 8: Verify that a standard user cannot log on to a member server

1. Switch to LON-SVR1.

2. Open Windows PowerShell, and from a Windows PowerShell command prompt, type following
command:

gpupdate /force

3. Log off of LON-SVR1.

4. Try to log back on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.


5. Verify that you cannot log on to LON-SVR1.

Results: After completing this exercise, you should have used Group Policy to secure Member servers.
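
Task 5 checks the local Administrators group by eye in Computer Management. The script below is an added example, not part of the lab, that performs the same check for the Restricted Groups setting described in Lesson 2 and reports anything missing or extra, so it can be run against every member server instead of one. The expected member list is this example's assumption based on Exercise 1 (Domain Admins, Server Administrators, and the local Administrator account that Restricted Groups always keeps). Windows Server 2012 does not ship Get-LocalGroupMember, so the WinNT ADSI provider is used instead; run it on the member server after gpupdate /force.

```powershell
# Added example (not from the course): compare local Administrators membership
# with what the Restricted Groups policy should have enforced.
$expected = @(
    'ADATUM\Domain Admins',
    'ADATUM\Server Administrators',
    "$env:COMPUTERNAME\Administrator"   # never removed by Restricted Groups
)

$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    # Members come back as COM objects; ADsPath is WinNT://DOMAIN/Name for a
    # domain principal and WinNT://DOMAIN/COMPUTER/Name for a local account,
    # so the last two path components give DOMAIN\Name or COMPUTER\Name.
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    $parts[-2..-1] -join '\'
})

# -notcontains is case-insensitive, which matches how Windows compares names.
$missing    = @($expected | Where-Object { $members  -notcontains $_ })
$unexpected = @($members  | Where-Object { $expected -notcontains $_ })

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Members    = $members -join '; '
    Missing    = $missing -join '; '
    Unexpected = $unexpected -join '; '
    Compliant  = ($missing.Count -eq 0) -and ($unexpected.Count -eq 0)
}
```

An entry in Unexpected right after a policy refresh usually means the GPO is not reaching the server (wrong OU, link disabled, or a security filter), since Restricted Groups removes anything not on its list at every refresh.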

Exercise 2: Auditing File System Access


Scenario
The manager of the Marketing department has concerns that there is no way to track who is accessing
files that are on the departmental file share. Your manager has explained that only users with permissions
are allowed to access the files. However, the manager of the Marketing department would like to try
logging access to the files that are in the file share to see which users are accessing specific files.

Your manager has asked you to enable auditing for the file system that is on the Marketing department
file share, and to review the results with the manager of the Marketing department.

The main tasks for this exercise are as follows:

1. Modify the Member Server Security Settings GPO to enable object access auditing.

2. Create and share a folder.

3. Enable auditing on the HR folder for Domain Users.

4. Create a new file in the file share from LON-CL1.


5. View the results in the security log on the domain controller.

Task 1: Modify the Member Server Security Settings GPO to enable object access
auditing
1. On LON-DC1, in the Group Policy Management console, edit the Member Server Security Settings
GPO.

2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies


\Windows Settings\Security Settings\Local Policies\Audit Policy, and enable Audit object
access with both Success and Failure settings.

Task 2: Create and share a folder

1. On LON-SVR1, on drive C, create a new folder with the name HR.

2. Configure the HR folder with Read/Write sharing permissions for user Adam.

Task 3: Enable auditing on the HR folder for Domain Users

1. On LON-SVR1, in the Local Disk (C:) window, configure auditing on the HR folder, with following
settings:

o Select a principal: Domain Users

o Type: All

o Permission: Read & execute, List folder content, Read, Write

o Leave other settings with their default values.

2. Open a command prompt window and refresh Group Policy using the gpupdate /force command.

Task 4: Create a new file in the file share from LON-CL1

1. Switch to LON-CL1.

2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

3. Open a command prompt window, and type the following command:

gpupdate/force

4. Close the command prompt window.


20410A: Installing and Configuring Windows Server® 2012 12-19

5. Log off LON-CL1 and then log on again, as Adatum\Adam with a password of Pa$$w0rd.

6. Open the HR folder on LON-SVR1, by using following Universal Naming Convention (UNC) path:
\\LON-SVR1\HR.

7. Create a text document with a name Employees.

8. Log off of LON-CL1.

X Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1, and start Event Viewer.

2. In the Event Viewer window, expand Windows Logs, and then open Security.

3. Verify that the following event and information are displayed:

o Source: Microsoft Windows Security Auditing

o Event ID: 4663

o Task category: File System

o An attempt was made to access an object.

Results: After completing this exercise, you should have enabled file system access auditing.
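The following Windows PowerShell script is an added example for checking this exercise from the file server; it is not part of the course or its lab files. It reads the effective Object Access audit setting with auditpol and then lists the 4663 events recorded for the HR folder, with the user, object, access mask and process taken from the event data. The folder path C:\HR is the lab value; the one-hour review window is an assumption.

```powershell
# Added example (not from the course): verify the object access audit policy
# applied by the GPO, then pull the 4663 events generated for the HR folder.
# Run on the file server (LON-SVR1) in an elevated prompt; auditpol needs it.

function Get-ObjectAccessAuditPolicy {
    # auditpol reports the effective per-subcategory setting; "File System" is
    # the Object Access subcategory that produces event 4663.
    auditpol /get /category:"Object Access" /r |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq 'File System' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-FileAccessAuditEvents {
    param(
        [string]   $FolderPath = 'C:\HR',                  # lab folder
        [datetime] $Since      = (Get-Date).AddHours(-1)   # constructed window
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event data is positional in the XML; collect the fields by name instead.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$FolderPath*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Access  = $data.AccessMask     # e.g. 0x2 = WriteData / AddFile
                Process = $data.ProcessName
            }
        }
    }
}

Get-ObjectAccessAuditPolicy
Get-FileAccessAuditEvents -FolderPath 'C:\HR' | Format-Table -AutoSize
```

If the policy report shows "No Auditing" for File System, the GPO has not reached the server yet (run gpupdate /force and check again); if the policy is in place but no events appear, the SACL on the folder itself is missing, because both the policy and the per-object audit entry are required.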

Exercise 3: Auditing Domain Logons


Scenario
After a security review, the IT policy committee has decided to begin tracking all user logons to the
domain. Your manager has asked you to enable auditing of domain logons and verify that they are
working.

The main tasks for this exercise are as follows:

1. Modify the Default Domain Policy GPO.

2. Run GPUpdate.

3. Log on to LON-CL1 with an incorrect password.

4. Review event logs on LON-DC1.

5. Log on to LON-CL1 with the correct password.

6. Review event logs on LON-DC1.

X Task 1: Modify the Default Domain Policy GPO

1. On LON-DC1, in the Group Policy Management Console, edit the Default Domain Policy Group
Policy Object.

2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Local Policies\Audit Policy, and then enable Audit account
logon events with both Success and Failure settings.

3. Update Group Policy by using the gpupdate /force command.


X Task 2: Run GPUpdate

1. Switch to LON-CL1.

2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

3. Open a command prompt window, and type the following command:

gpupdate /force

4. Close the command prompt window, and log off LON-CL1.

X Task 3: Log on to LON-CL1 with an incorrect password

• Log on to LON-CL1 as Adatum\Adam with a password of password.

Note: This password is intentionally incorrect to generate a security log entry which shows
that an unsuccessful logon attempt has been made.

X Task 4: Review event logs on LON-DC1

1. On LON-DC1, start Event Viewer.

2. In the Event Viewer window, expand Windows Logs, and then click Security.

3. Review the event logs for the following message: “Logon failure. A logon attempt was made with
an unknown user name or a known user name with a bad password.”

X Task 5: Log on to LON-CL1 with the correct password

• Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.

Note: This password is correct, and you should be able to log on successfully as Adam.

X Task 6: Review event logs on LON-DC1

1. On LON-DC1, start Event Viewer.

2. In the Event Viewer window, expand Windows Logs, and then click Security.

3. Review the event logs for the following message: “A user successfully logged on to a computer.”

Results: After completing this exercise, you should have enabled domain logon auditing.
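As an added example of reviewing the results of this exercise (not part of the course), the following script summarizes logon audit events on LON-DC1 per account, separating successes from failures and flagging accounts with repeated failures. Account logon events (Kerberos 4768/4771, NTLM 4776) are recorded on the domain controller; 4624/4625 are recorded on the computer where the logon was attempted, so the script reads both. The one-hour window and the failure threshold of 5 are constructed defaults.

```powershell
# Added example (not from the course): per-account summary of logon audit
# events in the Security log, to review after enabling the audit policy.
function Get-LogonAuditSummary {
    param(
        [datetime] $Since            = (Get-Date).AddHours(-1),   # constructed window
        [int]      $FailureThreshold = 5                           # constructed threshold
    )
    # Logon-related IDs: 4624/4625 (logon), 4768/4771 (Kerberos), 4776 (NTLM).
    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4768, 4771, 4776; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data.TargetUserName) { continue }
        # Every Security log entry is keyed Audit Success or Audit Failure.
        $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        [pscustomobject]@{
            Account = $data.TargetUserName
            Outcome = $outcome
            Id      = $e.Id
            Time    = $e.TimeCreated
        }
    }

    $rows | Group-Object Account | ForEach-Object {
        $fail = @($_.Group | Where-Object { $_.Outcome -eq 'Failure' }).Count
        $ok   = @($_.Group | Where-Object { $_.Outcome -eq 'Success' }).Count
        [pscustomobject]@{
            Account   = $_.Name
            Failures  = $fail
            Successes = $ok
            LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Review    = if ($fail -ge $FailureThreshold) { 'yes' } else { '' }
        }
    } | Sort-Object Failures -Descending
}

Get-LogonAuditSummary | Format-Table -AutoSize
```

After the lab's Task 3 and Task 5, Adam should appear with one failure and at least one success. Computer accounts (names ending in $) show up as well because they authenticate to the domain on the same audit category.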

X To prepare for the next lab

• To prepare for the next lab, leave the virtual machines running.

Lesson 3
Restricting Software
Users need access to the applications that help them do their jobs. However, unnecessary or unwanted
applications often get installed on client computers, whether unintentionally or for malicious or
non-business purposes. Unsupported or unused software is not maintained or secured by the
administrators; therefore, that software could be attacked and used as an entry point for attackers to
gain unauthorized access or spread computer viruses. Consequently, it is of the utmost importance for
you to ensure that only necessary software gets installed on all the computers in your organization. It is
also vital that you prevent software from running that is not allowed or is no longer used or supported.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how software restriction policies are used to restrict unauthorized software from running on
servers and clients.

• Describe the purpose of AppLocker®.

• Describe AppLocker rules and how to use them to restrict unauthorized software from running on
servers and clients.

• Describe how to create AppLocker rules.

What Are Software Restriction Policies?
Introduced in the Windows XP operating system and the Windows Server 2003 operating system,
software restriction policies (SRP) give administrators tools that they can use to identify and specify
which applications are permitted to run on client computers. SRP settings are configured and deployed
to clients by using Group Policy.

Software Restriction Policies are used in Windows Server 2012 to provide Windows XP and
Windows Vista® compatibility. An SRP set is made up of the following rules and security levels.

Rules
Rules govern how SRP responds to an application that is being run or installed. Rules are the key
constructs within an SRP, and a group of rules together determine how an SRP responds to applications
being run. Rules can be based on one of the following criteria that apply to the primary executable file for
the application in question:

• Hash. A cryptographic fingerprint of the file.

• Certificate. A software publisher certificate that is used to digitally sign a file.

• Path. The local or UNC path to where the file is stored.

• Zone. The Internet zone.



Security Levels
Each applied SRP is assigned a security level that governs the way that the operating system reacts when
the application that is defined in the rule is run. The three available security level settings are as follows:

• Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.

• Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.

• Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.

Using these three settings, there are two primary ways to use SRPs:

• If an administrator has a comprehensive list of all the software that should be allowed to run on
clients, the Default Security Level can be set to Disallowed. All applications that should be allowed to
run can be identified in SRP rules that would apply either the Basic User or Unrestricted security
level to each individual application, depending on the security requirements.

• If an administrator does not have a comprehensive list of the software that should be allowed to run
on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be allowed to run can then be identified by using SRP
rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following location:
Computer Configuration\Policies\Windows Settings\Security Settings
\Software Restriction Policies.

Additional Reading: For more information about using software restriction policies to
protect against unauthorized software, see http://go.microsoft.com/fwlink/?LinkId=203296.
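The following Windows PowerShell script is an added example (not part of the course) that models the decision just described: a file is checked against hash, certificate and path rules in SRP's order of precedence, and the Default Security Level applies when nothing matches. It shows why the allow-list approach (default Disallowed) blocks a signed Windows binary that has merely been copied to a user-writable folder. The rule set, the publisher name and the temporary file are constructed for the example; SRP zone rules and the most-specific-path tie-break between overlapping path rules are left out of the model.

```powershell
# Added example (not from the course): a small model of how SRP decides what an
# executable may do. Rules are checked in SRP's order of precedence (hash, then
# certificate, then path) and the Default Security Level applies when nothing
# matches. The rule set, paths and file names below are constructed.
function Get-SrpEffectiveLevel {
    param(
        [Parameter(Mandatory)] [string]      $FilePath,
        [Parameter(Mandatory)] [hashtable[]] $Rules,
        [ValidateSet('Disallowed', 'BasicUser', 'Unrestricted')]
        [string] $DefaultLevel = 'Unrestricted'
    )
    if (-not (Test-Path -LiteralPath $FilePath)) { throw "File not found: $FilePath" }
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    # Only a valid signature identifies a publisher; an unsigned or tampered
    # file never matches a certificate rule.
    $publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $null }

    foreach ($type in 'Hash', 'Certificate', 'Path') {
        foreach ($rule in ($Rules | Where-Object { $_.Type -eq $type })) {
            $match = switch ($type) {
                'Hash'        { $rule.Value -eq $hash }
                'Certificate' { ($null -ne $publisher) -and ($publisher -like $rule.Value) }
                'Path'        { $FilePath -like $rule.Value }
            }
            if ($match) {
                return [pscustomobject]@{ File = $FilePath; Level = $rule.Level; MatchedBy = $type; Rule = $rule.Value }
            }
        }
    }
    [pscustomobject]@{ File = $FilePath; Level = $DefaultLevel; MatchedBy = 'Default'; Rule = $null }
}

# Allow-list style: Default Security Level Disallowed, explicit rules for what may run.
$rules = @(
    @{ Type = 'Path';        Value = 'C:\Windows\*';                 Level = 'Unrestricted' }
    @{ Type = 'Path';        Value = 'C:\Program Files\*';           Level = 'Unrestricted' }
    @{ Type = 'Certificate'; Value = 'CN=Contoso Software Signing*'; Level = 'BasicUser' }    # constructed publisher
    @{ Type = 'Hash';        Value = 'REPLACE-WITH-SHA256-OF-A-KNOWN-BAD-FILE'; Level = 'Disallowed' }
)

# A copy of a Windows tool in a user-writable location: the path rules no longer
# apply, so the Disallowed default wins even though the file is Microsoft-signed.
$copy = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item 'C:\Windows\System32\notepad.exe' $copy -Force

Get-SrpEffectiveLevel -FilePath 'C:\Windows\System32\notepad.exe' -Rules $rules -DefaultLevel Disallowed
Get-SrpEffectiveLevel -FilePath $copy -Rules $rules -DefaultLevel Disallowed
```

The first call reports Unrestricted (matched by the C:\Windows\* path rule); the second reports Disallowed (matched by Default). Swapping the default to Unrestricted turns the same rule set into the deny-list approach from the second bullet above, where only the hash rule blocks anything.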

What Is AppLocker?
AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a
security setting that controls which applications users are allowed to run. AppLocker provides
administrators a variety of methods for determining quickly and concisely the identity of applications that
they may want to restrict, or to which they may want to permit access. AppLocker is applied through
Group Policy to computer objects within an OU. Individual AppLocker rules can also be applied to
individual AD DS users or groups.

AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help
organizations prevent unlicensed or malicious software from executing, and can selectively restrict
ActiveX® controls from being installed. It can also reduce the total cost of ownership by ensuring that
workstations are standardized across the enterprise, and that users are running only the software and
applications that are approved by the enterprise.

Using AppLocker technology, companies can reduce administrative overhead and help administrators
control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp
files), and DLLs.

You can use AppLocker to restrict software that:

• Is not allowed to be used in the company.

• Is no longer used or it is replaced with a newer version.

• Is no longer supported in the company.

• Should be used only by specific departments.

You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies
\Windows Settings\Security Settings\Application Control Policies.

AppLocker is available in the following Windows operating system editions:

• Windows Server 2008 R2 Standard operating system

• Windows Server 2008 R2 Enterprise operating system

• Windows Server 2008 R2 Datacenter operating system

• Windows Server 2008 R2 for Itanium-based Systems operating system

• Windows Server 2012

• Windows 7 Ultimate operating system

• Windows 7 Enterprise operating system

• Windows 8

Additional Reading: For more information about AppLocker, see
http://technet.microsoft.com/en-us/library/hh831409.aspx.

AppLocker Rules
AppLocker defines rules based on file attributes that are derived from the digital signature of the file.
File attributes in the digital signature include:

• Publisher name

• Product name

• File name

• File version

Default Configuration
The default configuration for AppLocker contains a set of default rules for each rule collection. This set
of rules ensures that the files that are necessary for Windows operating systems to run and operate
normally are allowed to run.

Allow and Deny Rule Actions
Allow and Deny are rule actions that allow or deny execution of applications based on a list of
applications that you configure. The Allow action on rules limits execution of applications to an allowed
list of applications, and blocks everything else. The Deny action on rules takes the opposite approach and
allows the execution of any application except those on a list of denied applications. These actions also
provide a means to identify exceptions to those actions.

You should use AppLocker when software is being used that is:

• Not allowed for use in the company. Give an example of software that can disrupt employees’
business productivity, such as social networking software, or software that streams video files or
pictures that can use a large amount of network bandwidth.

• No longer used. Software that is not needed in the company is no longer maintained.

• No longer supported. Software that is not updated with security updates might pose a security risk.

Enforce or Audit Only

When AppLocker policy is set to Enforce, rules are enforced and all events are audited. When AppLocker
policy is set to Audit Only, rules are evaluated and events are written in to the AppLocker Log, but no
enforcement takes place.
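As an added example (not code from the course), the following Windows PowerShell script uses the AppLocker module to build an executable rule collection from a list of known-good files, set that collection's EnforcementMode to AuditOnly, and evaluate other files against the policy before anything is applied. Publisher rules are produced for signed files and hash rules for the rest, which is the rule precedence the lesson describes. The sample file list and the output path are constructed for illustration.

```powershell
# Added example (not from the course): build an AppLocker executable rule
# collection from known-good files, save it in Audit Only mode, and test what
# the decision would be for other files before anything is enforced.
# The sample file list and output path are constructed for illustration.
Import-Module AppLocker

function New-AuditOnlyExePolicy {
    param(
        [string[]] $KnownGoodFiles = @('C:\Windows\System32\notepad.exe'),
        [string]   $OutFile = (Join-Path $env:TEMP 'AppLocker-Exe-AuditOnly.xml')
    )
    # Publisher rules where the file is signed, hash rules as the fallback.
    $info   = Get-AppLockerFileInformation -Path $KnownGoodFiles
    $policy = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Xml)
    # EnforcementMode per rule collection: NotConfigured, AuditOnly, or Enabled
    # ("Enforce rules" in the console). Start with AuditOnly.
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $policy.Save($OutFile)
    return $OutFile
}

function Test-ExeAgainstPolicy {
    param([string] $PolicyXml, [string[]] $Path)
    # Evaluates the files against the XML only; nothing is applied to the computer.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$xml = New-AuditOnlyExePolicy
# notepad.exe is covered by a rule; cmd.exe has no rule and is DeniedByDefault.
Test-ExeAgainstPolicy -PolicyXml $xml -Path 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\cmd.exe'

# Apply locally in audit mode. The Application Identity service must be running
# for AppLocker to evaluate anything. Change EnforcementMode to 'Enabled' and
# re-apply, or use -Ldap with the GPO path, only after reviewing the audit log.
Set-AppLockerPolicy -XmlPolicy $xml -Merge
```

Because the policy contains no default rules, Test-AppLockerPolicy reports DeniedByDefault for every file without a rule; in the console, accepting the prompt to create default rules is what keeps the operating system's own binaries runnable.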

Demonstration: Creating AppLocker Rules

In this demonstration, you will see how to:

• Create a GPO to enforce the default AppLocker Executable rules.

• Apply the GPO to the domain.

• Test the AppLocker rule.

Demonstration Steps
Create a GPO to enforce the default AppLocker Executable rules
1. On LON-DC1, open the Group Policy Management console.

2. Create a new GPO named WordPad Restriction Policy.

3. Edit the WordPad Restriction Policy’s Security Settings by using AppLocker to create a new
Executable Rule.

4. Set the permission of the new rule to Deny, the condition to Publisher, and then select
wordpad.exe. If prompted, click OK to create default rules.

5. In the Group Policy Management Editor, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Application Control Policies\AppLocker.

6. In AppLocker, configure enforcement with Enforce rules.

7. In the Group Policy Management Editor, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\System Services.

8. Configure Application Identity Properties with Define this policy setting and Select service
startup mode with Automatic.

Apply the GPO to the Contoso.com domain

1. Open a command prompt window, type gpupdate /force, and then press Enter.

2. Start and then log on to 20410A-LON-SVR1 as Adatum\Alan, with the password, Pa$$w0rd.

3. In the command prompt window, type gpupdate /force, and then press Enter. Wait for the policy to
update.

Test the AppLocker rule

• Attempt to start WordPad, and then verify that WordPad does not start.

Lesson 4
Configuring Windows Firewall with Advanced Security
Windows Firewall with Advanced Security is an important tool for enhancing the security of Windows
Server 2012. This snap-in helps to prevent several different security issues such as port scanning or
malware. Windows Firewall with Advanced Security has multiple firewall profiles, each of which applies
unique settings to different types of networks. You can manually configure Windows Firewall rules on
each server, or configure them centrally by using Group Policy.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the features of Windows Firewall with Advanced Security.

• Describe Firewall Profiles.

• Describe Connection Security Rules.

• Describe how to deploy Windows Firewall rules.

What Is Windows Firewall with Advanced Security?
Windows Firewall with Advanced Security is a host-based firewall that is included in Windows
Server 2012. This snap-in runs on the local computer and restricts network access to and from that
computer. Unlike a perimeter firewall, which provides protection only from threats on the Internet, a
host-based firewall provides protection from threats wherever they originate. For example, for a host
that is not behind a firewall, it protects from LAN or Internet.

Inbound and Outbound Rules
Inbound rules control communication that is initiated by another device or computer on the network,
with the host computer. By default, all inbound communication is blocked except the traffic that is
explicitly allowed by an inbound rule.

Outbound rules control communication that is initiated by the host computer, and is destined for a device
or computer on the network. By default, all outbound communication is allowed except the traffic that is
explicitly blocked by an outbound rule. If you choose to block all outbound communication except the
traffic that is explicitly allowed, you must carefully catalog the software that is allowed to run on that
computer and the network communication required by that software.

You can create inbound and outbound rules based on User Datagram Protocol (UDP) and Transmission
Control Protocol (TCP) ports. You can also create inbound and outbound rules that allow a specific
executable network access, regardless of the port number that is being used.

Connection Security Rules
You use Connection Security Rules to configure Internet Protocol Security (IPsec) for Windows Server
2012. When these rules are configured, you can authenticate communication between computers, and
then use that information to create firewall rules based on specific user and computer accounts.

Additional Enhancements
Windows Firewall with Advanced Security is a Microsoft Management Console (MMC) snap-in that allows
you to perform advanced configuration of Windows Firewall.

Windows Firewall in Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008
R2, and Windows Server 2012 has the following enhancements:

• Supports filtering for both incoming and outgoing traffic.

• Provides a MMC snap-in that you can use to configure advanced settings.

• Integrates firewall filtering and IPsec protection settings.

• Enables you to configure rules to control network traffic.

• Provides network location-aware profiles.

• Enables you to import or export policies.

You can configure Windows Firewall settings on each computer individually, or with Group Policy at:
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced
Security.

Note: Windows Server 2012 introduces the additional option for administering Windows
Firewall by using the Windows PowerShell command-line interface.
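The following Windows PowerShell script is an added example of the option mentioned in the note; it is not part of the course. It creates the kind of inbound rule used later in Lab B (TCP 8080, Domain profile only) on the local server, lists the rule together with its port filter so that what was created can be verified, shows which profile each network adapter is currently in, and confirms the block-by-default inbound stance on the other profiles. The rule name is taken from the lab; everything else is standard NetSecurity module usage.

```powershell
# Added example (not from the course): create and verify an inbound rule on the
# local server with the NetSecurity cmdlets, and check the active profile.
# Requires an elevated Windows PowerShell session. Rule name follows Lab B.
$ruleName = 'Application Server Department Firewall Rule'

function New-AppServerInboundRule {
    # Scoped to the Domain profile so the port is never exposed when the server
    # is on a network it cannot authenticate to a domain controller on.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8080 -Action Allow -Profile Domain -Enabled True
}

function Get-AppServerRuleReport {
    # A rule and its port filter are separate objects; join them for one listing.
    Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Enabled   = $_.Enabled
            Direction = $_.Direction
            Action    = $_.Action
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
        }
    }
}

New-AppServerInboundRule | Out-Null
Get-AppServerRuleReport | Format-Table -AutoSize

# Which profile each adapter is in: the rule above only applies on Domain.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Keep the default stance on the other profiles: inbound is blocked unless a
# rule allows it, so the 8080 rule cannot be reached from a Public network.
Set-NetFirewallProfile -Profile Public, Private -DefaultInboundAction Block
```

If NetworkCategory shows Public or Private for the adapter that should be on the corporate network, the Domain-scoped rule is inactive on it; fixing the domain connectivity (so the adapter is classified DomainAuthenticated) is the right response rather than widening the rule's profile.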

Discussion: Why Is a Host-Based Firewall Important?
Windows Firewall with Advanced Security is enabled by default on Windows Server 2012. Review the
discussion question and participate in a discussion to identify the benefits of using a host-based firewall
such as Windows Firewall with Advanced Security.

Question: Why is it important to use a host-based firewall such as Windows Firewall with
Advanced Security?

Firewall Profiles
Windows Firewall with Advanced Security is a network-aware application that uses firewall profiles to
provide a consistent configuration for networks of a specific type. Windows Server 2012 allows you to
define a network as either a domain network, a public network, or a private network.

With Windows Firewall with Advanced Security, you can define a configuration set for each type of
network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for
specific firewall profiles.

Windows Firewall with Advanced Security includes the following profiles:

Profile     Description

Public      Use when you are connected to an untrusted public network. Other than domain
            networks, all networks are categorized as Public. By default, the Public (most
            restrictive) profile is used in Windows Vista, Windows 7, and Windows 8.

Private     Use when you are connected behind a firewall. A network is categorized as private
            only if an administrator or an application identifies the network as private. This
            profile is referred to as the Home profile in Windows Vista, Windows 7, and
            Windows 8.

Domain      Use when your computer is part of a Windows operating system domain. Windows
            operating systems automatically identify networks on which it can authenticate
            access to the domain controller. No other networks can be placed in this category.
            This profile is referred to as the Work profile in Windows Vista, Windows 7, and
            Windows 8.

Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means
that a multi-homed server that is connected to both the internal network and the perimeter network can
apply the domain firewall profile to the internal network, and the public or private firewall profile to the
perimeter network.

Connection Security Rules
A connection security rule forces authentication between two peer computers before they can
establish a connection and transmit secure information. They also secure that traffic by encrypting the
data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to
enforce these rules.

The configurable connection security rules are:

• Isolation. An isolation rule isolates computers by restricting connections that are based on
credentials such as domain membership or health status. Isolation rules allow you to implement an
isolation strategy for servers or domains.

• Authentication Exemption. You can use an authentication exemption to designate connections that do
not require authentication. You can designate computers by a specific IP address, an IP address range,
a subnet, or a predefined group such as a gateway.

• Server-to-Server. A server-to-server rule protects connections between specific computers. This type of
rule usually protects connections between servers. When creating the rule, specify the network
endpoints between which communications are protected. Then designate requirements and the
authentication that you want to use.

• Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you
would use a tunnel rule when connecting across the Internet between two security gateways.

• Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set
up authentication rules that you need by using the other rules available in the New Connection
Security Rule Wizard.

How Firewall Rules and Connection Security Rules Work Together
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec,
you can create connection security rules. However, connection security rules do not allow traffic through a
firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs
and services; they are applied between the computers that make up the two endpoints.
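As an added example of the two rule types working together (not code from the course), the following script creates a server-to-server connection security rule for traffic between this host and one peer server, then the firewall rule that actually admits the traffic and additionally requires that the connection was authenticated by IPsec. The peer address is constructed; the connection security rule relies on the default phase 1 authentication set, which in a domain uses computer Kerberos authentication.

```powershell
# Added example (not from the course): a server-to-server IPsec rule plus the
# firewall rule it needs. Run in an elevated session on each of the two servers
# (with $peer pointing at the other one). The address is constructed.
$peer = '172.16.0.21'   # constructed address of the peer application server

function New-AppTierIPsecRule {
    # Connection security rule: require authentication inbound, request it
    # outbound, so an unauthenticated peer cannot open a session to this host.
    # The default phase 1 authentication set is used (computer Kerberos in a domain).
    New-NetIPsecRule -DisplayName 'Server-to-server: app tier' `
        -RemoteAddress $peer -InboundSecurity Require -OutboundSecurity Request -Profile Domain
}

function New-AppTierFirewallRule {
    # Firewall rule: the IPsec rule alone admits nothing. -Authentication Required
    # ties the two together so the port is only reachable over an IPsec-protected
    # connection from the named peer.
    New-NetFirewallRule -DisplayName 'App tier 8080 (authenticated only)' -Direction Inbound `
        -Protocol TCP -LocalPort 8080 -RemoteAddress $peer -Action Allow -Profile Domain `
        -Authentication Required
}

New-AppTierIPsecRule    | Out-Null
New-AppTierFirewallRule | Out-Null

# Verify both rules exist, then watch for the main mode security association
# that appears once the peer connects to port 8080.
Get-NetIPsecRule    -DisplayName 'Server-to-server: app tier' | Select-Object DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName 'App tier 8080 (authenticated only)' | Select-Object DisplayName, Enabled, Action
Get-NetIPsecMainModeSA
```

If a test connection from the peer fails while no main mode SA appears, the IPsec negotiation itself did not complete (typically the peer has no matching connection security rule); if the SA appears but the connection still fails, the firewall rule is the part to check.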

Deploying Firewall Rules
How you deploy Windows Firewall rules is an important consideration. Choosing the appropriate method
ensures that rules are deployed accurately and with minimum effort. You can deploy Windows Firewall
rules in the following ways:

• Manually. You can individually configure firewall rules on each server. However, in an environment
with more than a few servers, this is labor-intensive and prone to error. This method is typically used
only during testing and troubleshooting.

• Using Group Policy. The preferred way to distribute firewall rules is by using Group Policy. After
creating and testing a GPO with the required firewall rules, you can quickly and accurately deploy the
firewall rules to a large number of computers.

• Exporting and importing firewall rules. Windows Firewall with Advanced Security also gives you the
option to import and export firewall rules. You can export firewall rules to create a backup before you
manually configure firewall rules during troubleshooting. When you import firewall rules, they are
treated as a complete set and replace all currently configured firewall rules.
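The following Windows PowerShell script is an added example covering the last two deployment methods; it is not part of the course. It exports the local policy as a backup before any manual troubleshooting, then writes the Lab B rule (TCP 8080, Domain profile) directly into a GPO through the domain\GPO name form of -PolicyStore, so that Group Policy rather than per-server configuration carries the rule to the application servers. The GPO name is the one used in Lab B; the domain name and the backup path are constructed.

```powershell
# Added example (not from the course): back up the local rule set, then deploy
# the application server rule through a GPO instead of per-server configuration.
# Run in an elevated session on LON-DC1 with the GroupPolicy tools installed.
# The domain name and backup path are constructed; the GPO name follows Lab B.

function Backup-LocalFirewallPolicy {
    param([string] $Path = "C:\FirewallBackup\$(Get-Date -Format yyyyMMdd-HHmm).wfw")
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # The export is the complete policy; importing it later replaces every rule.
    netsh advfirewall export $Path | Out-Null
    return $Path
}

function Publish-AppServerRuleToGpo {
    param(
        [string] $Domain  = 'adatum.com',                  # constructed
        [string] $GpoName = 'Application Servers GPO'      # Lab B GPO name
    )
    $store = "$Domain\$GpoName"              # -PolicyStore form: domain\GPO name
    # A GPO session batches the edits and writes them once with Save-NetGPO.
    $session = Open-NetGPO -PolicyStore $store
    New-NetFirewallRule -DisplayName 'Application Server Department Firewall Rule' `
        -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Domain `
        -GPOSession $session | Out-Null
    Save-NetGPO -GPOSession $session
    Get-NetFirewallRule -PolicyStore $store | Select-Object DisplayName, Enabled, Direction, Action
}

function Test-AppServerRuleActive {
    # Run on a member of the Application Servers group after gpupdate /force:
    # ActiveStore is the merged result of local policy and every applied GPO.
    $rule = Get-NetFirewallRule -PolicyStore ActiveStore `
        -DisplayName 'Application Server Department Firewall Rule' -ErrorAction SilentlyContinue
    return ($null -ne $rule)
}

$backup = Backup-LocalFirewallPolicy
"Local policy exported to $backup"
Publish-AppServerRuleToGpo | Format-Table -AutoSize
```

Security filtering on the GPO (as in Lab B, limiting it to the Application Servers group) is what keeps the rule off the other member servers even though the GPO is linked at the OU; the rule itself does not know which servers it is meant for.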

Lab B: Configuring AppLocker and Windows Firewall

Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London,
England. An IT office and a data center are located in London to support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. As a new member of the team, you help to deploy and configure
new servers and services into the existing infrastructure based on the instructions given to you by your IT
manager.
Your manager has asked you to implement AppLocker to restrict non-standard applications from running.
He also has asked you to create new Windows Firewall rules for any member servers running web-based
applications.

Objectives
After completing this lab, you will be able to:

• Configure AppLocker Policies.


• Configure Windows Firewall.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2-4 for 20410A-LON-SVR1 and 20410A-LON-CL1.



Exercise 1: Configuring AppLocker® Policies


Scenario
Your manager has asked you to configure new AppLocker policies to control the use of applications on
user desktops. The new configuration should allow programs to be run only from approved locations. All
users must be able to run applications from the C:\Windows directory and from C:\Program Files.

You also need to add an exception to run a custom-developed application that resides in a non-standard
location. The first stage of the implementation will log compliance with rules. The second stage of
implementation will prevent unauthorized programs from running.

The main tasks for this exercise are as follows:

1. Create an OU for Client Computers.

2. Move LON-CL1 to the Client Computers OU.

3. Create a Software Control GPO and link it to the Client Computers OU.

4. Run GPUpdate on LON-SVR1.


5. Run app1.bat in the C:\CustomApp folder.

6. View AppLocker events in an event log.

7. Create a rule that allows software to run from C:\CustomApp.

8. Modify Software Control GPO to enforce the rules.

9. Verify that an application can still be run from C:\CustomApp.

10. Verify that an application cannot be run from the Documents folder.

X Task 1: Create an OU for Client Computers

1. Switch to LON-DC1.

2. Open Active Directory Users and Computers.

3. Create a new OU called Client Computers OU.

X Task 2: Move LON-CL1 to the Client Computers OU


• On LON-DC1, in the Active Directory Users and Computers console, move LON-CL1 to Client
Computers OU.

X Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, open the Group Policy Management Console.

2. In the Group Policy Management Console window, in the Group Policy Objects container, create a
new Group Policy Object (GPO) with the name Software Control GPO.

3. Edit the Software Control GPO.

4. In the Group Policy Management Editor window, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Application Control Policies\AppLocker.

5. Create default rules for Executable Rules, Windows Installer Rules, Script Rules, and Packaged
app Rules.

6. Configure the rule enforcement for Executable rules, Windows Installer Rules, Script Rules, and
Packaged app Rules with the Audit only option.

7. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, and then expand Security Settings, click System Services and then double-click
Application Identity.

8. In the Application Identity Properties dialog box, select the Define this policy setting and under
Select service startup mode, select Automatic, and then click OK.

9. Close the Group Policy Management Editor.

10. In the Group Policy Management Console, link the Software Control GPO to Member Servers OU.

X Task 4: Run GPUpdate on LON-SVR1

1. Switch to LON-SVR1.

2. Open a command prompt window, and type the following command:

gpupdate /force

3. Close the command prompt window and restart LON-SVR1.

X Task 5: Run app1.bat in the C:\CustomApp folder

1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

2. At the command prompt, type the following command:

C:\CustomApp\app1.bat

X Task 6: View AppLocker events in an event log

1. On LON-SVR1, start Event Viewer.

2. In the Event Viewer window, browse to Applications and Services Logs\Microsoft\AppLocker, and
review the events.

3. Click MSI and Script, and review the event logs for App1.bat.

X Task 7: Create a rule that allows software to run from C:\CustomApp

1. On LON-DC1, edit the Software Control GPO, and browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Application Control Policies\AppLocker.

2. Create an AppLocker script rule with the following settings:

o Permissions: Allow

o Conditions: Path

o Path: %OSDRIVE%\CustomApp\app1.bat

o Name and Description: Custom App Rule

X Task 8: Modify Software Control GPO to enforce the rules


1. Use the Enforce rules option to configure rule enforcement for Executable rules, Windows
Installer Rules, Script Rules, and Packaged app Rules.

2. Close the Group Policy Management Editor.

X Task 9: Verify that an application can still be run from C:\CustomApp

1. Switch to LON-SVR1.

2. Open a command prompt window, and type the following command:

gpupdate /force

3. Close the command prompt window and restart LON-SVR1.

4. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

5. Open a command prompt and verify that you can run the app1.bat application, which is located in
the C:\CustomApp folder.

6. Log off of LON-SVR1.

X Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, from the C:\CustomApp folder, copy app1.bat to the Documents folder.

2. Verify that the application cannot be run from the Documents folder, and that the following message
appears: “This program is blocked by Group Policy. For more information, contact your system
administrator.”

Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall
with Advanced Security to create rules to allow inbound network communication through TCP port 8080.
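The first stage of this exercise logs compliance rather than enforcing it, and Task 6 reads those events by hand. The following Windows PowerShell script is an added example (not part of the course or the lab files) that does the same review for the whole audit period: it collects the AppLocker events that were only audited (8003 for executables and DLLs, 8006 for Windows Installer files and scripts) and those that were blocked (8004 and 8007), and groups them per file so that the list of rules still needed before Task 8 can be read at a glance. The one-day window is a constructed default.

```powershell
# Added example (not from the course): summarize what AppLocker only audited
# (8003, 8006) and what it blocked (8004, 8007). Read this before switching a
# rule collection from Audit only to Enforce rules. Window is constructed.
function Get-AppLockerAuditFindings {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    $queries = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007; StartTime = $Since }
    )
    $rows = foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            # AppLocker events carry their fields under UserData/RuleAndFileData.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.UserData.RuleAndFileData.ChildNodes) { $data[$n.LocalName] = $n.InnerText }
            $outcome = if ($_.Id -in 8003, 8006) { 'WouldBlock (audit)' } else { 'Blocked' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = $outcome
                File    = $data.FilePath     # AppLocker path variables such as %OSDRIVE%
                User    = $data.TargetUser   # SID of the user who ran the file
                Rule    = $data.RuleName
                Log     = $q.LogName
            }
        }
    }
    # One line per file and outcome, so a long audit run reads as a short list.
    $rows | Group-Object File, Outcome | ForEach-Object {
        [pscustomobject]@{
            File     = $_.Group[0].File
            Outcome  = $_.Group[0].Outcome
            Count    = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Outcome, Count -Descending
}

Get-AppLockerAuditFindings | Format-Table -AutoSize
```

After Task 5, %OSDRIVE%\CustomApp\app1.bat should appear as WouldBlock (audit) under the MSI and Script log; after Task 7 and Task 8 it should no longer appear, while the copy run from the Documents folder in Task 10 appears as Blocked.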

Exercise 2: Configuring Windows Firewall


Scenario
Your manager has asked you to configure Windows Firewall rules for a set of new application servers.
These application servers have a web-based application that is listening on a non-standard port. You need
to configure Windows Firewall to allow network communication through this port. You will use security
filtering to ensure that the new Windows Firewall rules apply only to the application servers.

The main tasks for this exercise are as follows:

1. Create a group called Application Servers.


2. Add LON-SRV1 as a group member.

3. Create a new Application Servers GPO.

4. Link the Application Servers GPO to the Member Servers OU.

5. Use security filtering to limit the Application Server GPO to members of Application Server group.

6. Run GPUpdate on LON-SVR1.

7. View the firewall rules on LON-SVR1.

X Task 1: Create a group called Application Servers


• On LON-DC1, in Active Directory Users and Computers, in the Member Servers OU, create a new
global security group called Application Servers.

X Task 2: Add LON-SVR1 as a group member


• In the Active Directory Users and Computers console, in the Member Servers OU, open Application
Servers Properties, and then add the LON-SVR1 computer account as a group member.

X Task 3: Create a new Application Servers GPO


1. On LON-DC1, open the Group Policy Management Console.
20410A: Installing and Configuring Windows Server® 2012 12-33

2. In the Group Policy Management Console window, in the Group Policy Objects container, create a
new Group Policy Object (GPO) named Application Servers GPO.

3. Open Application Servers GPO in the Group Policy Management Editor, and browse to
Computer Configuration/Policies/Windows Settings/Security Settings
/Windows Firewall with Advanced Security.

4. Configure an inbound rule with the following settings:

o Rule Type: Custom

o Protocol type: TCP


o Specific Ports: 8080

o Scope: Any IP address

o Action: Allow the connection

o Profile: Domain

o Name: Application Server Department Firewall Rule

5. Close the Group Policy Management Editor.

X Task 4: Link the Application Servers GPO to the Member Servers OU


• In the Group Policy Management Console, link the Application Servers GPO to the Member
Servers OU.

X Task 5: Use security filtering to limit the Application Server GPO to members of
Application Server group
1. On LON-DC1, open Group Policy Management Console, expand the Member Servers OU, and then
click Application Servers GPO.

2. In the right-hand pane, under Security Filtering, remove Authenticated Users, and configure
Application Servers GPO to apply only to the Application Servers security group.

X Task 6: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1.

2. Open a command prompt window, and type the following command:

gpupdate /force

3. Close the command prompt window.

4. Restart LON-SVR1 so that its computer account picks up the new group membership, and then log back
on as Adatum\Administrator with the password Pa$$w0rd.

X Task 7: View the firewall rules on LON-SVR1


1. Switch to LON-SVR1.

2. Start Windows Firewall with Advanced Security.

3. In the Windows Firewall with Advanced Security window, under Inbound Rules, verify that the
Application Server Department Firewall Rule that you created using Group Policy earlier is present.

4. Verify that you cannot edit Application Server Department Firewall Rule, because it is configured
through Group Policy.
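The same exercise done from Windows PowerShell, added here as an example rather than a lab step: Tasks 1 through 5 run on LON-DC1 and Tasks 6 and 7 on LON-SVR1. It uses the lab's group, GPO, OU and server names; the DNS domain name adatum.com and the distinguished name of the Member Servers OU are assumptions, since the lab does not state them. It also departs from Task 5 in one respect, explained in the comments: Authenticated Users keeps Read on the GPO instead of being removed.

```powershell
# Added example: deploy the TCP 8080 inbound rule through a security-filtered GPO.
# Assumes the lab names (Application Servers group and GPO, Member Servers OU, LON-SVR1).
# The domain name and OU distinguished name below are assumptions.

# --- On LON-DC1 (Tasks 1 to 5), elevated PowerShell ---
Import-Module ActiveDirectory, GroupPolicy

$domain    = 'adatum.com'                              # assumed DNS name of the lab domain
$ouPath    = 'OU=Member Servers,DC=adatum,DC=com'      # assumed DN of the Member Servers OU
$groupName = 'Application Servers'
$gpoName   = 'Application Servers GPO'
$ruleName  = 'Application Server Department Firewall Rule'

# Tasks 1 and 2: a global security group whose member is the server's COMPUTER account.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity 'LON-SVR1')

# Task 3: create the GPO and write the firewall rule straight into it. The Windows Firewall
# cmdlets accept -PolicyStore "<domain>\<GPO name>" to target a GPO instead of the local firewall.
New-GPO -Name $gpoName | Out-Null
New-NetFirewallRule -PolicyStore "$domain\$gpoName" `
    -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 8080 `
    -Action Allow -Profile Domain -RemoteAddress Any   # narrow RemoteAddress to the client subnets in production

# Task 4: link the GPO to the OU.
New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes

# Task 5: security filtering. Authenticated Users is reduced to Read (it loses Apply Group Policy)
# rather than removed, so every computer can still read the GPO when it evaluates policy
# (required since KB3163622 / MS16-072); only the Application Servers group gets GpoApply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel Read -Replace
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply

# --- On LON-SVR1 (Tasks 6 and 7), after "gpupdate /force" and a restart so the new group
# --- membership is present in the computer's Kerberos ticket ---
Get-NetFirewallRule -PolicyStoreSourceType GroupPolicy |
    Where-Object DisplayName -eq $ruleName |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort, RemotePort -AutoSize

# The rule lives in the Group Policy store, so changing it through the local store fails
# (either "not found" in the persistent store or access denied); it is read-only on the server.
try {
    Set-NetFirewallRule -DisplayName $ruleName -Enabled False -ErrorAction Stop
} catch {
    Write-Warning "Rule is owned by Group Policy and cannot be changed locally: $($_.Exception.Message)"
}
```

Note that filtering on a computer group only works once the computer's logon token contains the group, which is why Task 6 restarts LON-SVR1 after adding it to Application Servers; until then gpupdate reports the GPO as filtered out. Also, "Scope: Any IP address" is the lab's simplification; on a real application server, restrict the rule's remote addresses to the networks that legitimately reach port 8080.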

Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall
with Advanced Security to create a rule that allows inbound network communication through TCP port 8080
on the servers that are members of the Application Servers group.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by performing the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Module Review and Takeaways


Review Questions
Question: Does the defense-in-depth model prescribe specific technologies that you should
use to protect Windows Server operating system servers?

Question: What setting must you configure to ensure that users are allowed only three
invalid logon attempts?

Question: You want to place an application control policy on a new type of executable file.
What must you do before you can create a rule for this executable code?

Question: You are creating a GPO with standardized firewall rules for the servers in your
organization. You tested the rules on a stand-alone server in your test lab. The rules appear
on the servers after the GPO is applied, but they are not taking effect. What is the most likely
cause of this problem?

Question: Last year, your organization developed a security strategy that included all aspects
of a defense-in-depth model. Based on that strategy, your organization implemented
security settings and policies on the entire IT infrastructure environment. Yesterday, you read
in an article that new security threats were detected on the Internet, but now you realize that
your company strategy does not include a risk analysis and mitigation plan for those new
threats. What should you do?

Best Practices
The following are best practices:

• Always make a detailed security risk assessment before planning which security features your
organization should deploy.
• Create separate GPOs for security settings that apply to different types of users in your organization,
because each department might have different security needs.

• Make sure that the security settings that you configure are reasonably easy to use so that they are
accepted by employees. Frequently, very strong security policies are too complex or difficult for
employees to adopt.

• Always test security configurations that you plan to implement with a GPO in an isolated, non-
production environment. Only deploy policies in your production environment after this testing is
completed successfully.

Common Issues and Troubleshooting Tips

Common Issue                                                                  Troubleshooting Tip

The user cannot log on locally to a server.

After configuring auditing, there are too many events logged in the Security
event log in Event Viewer.

Some users complain that their business applications can no longer access
resources on the server.

Tools

Tool: Group Policy Management Console (GPMC)
Use for: A graphical tool that you use to create, edit, and apply Group Policy Objects (GPOs).
Where to find it: Server Manager/Tools

Tool: AppLocker
Use for: Applies security settings that control which applications users are allowed to run.
Where to find it: GPO Editor in GPMC

Tool: Windows Firewall with Advanced Security
Use for: A host-based firewall that is included as a feature in Windows Server 2012 and Windows Server 2008.
Where to find it: Server Manager/Tools if configured individually, or GPO Editor in GPMC for deploying
with Group Policy

Tool: Security Compliance Manager
Use for: Deploying security policies based on Microsoft Security Guide recommendations and industry
best practices.
Where to find it: Download from the Microsoft website at
http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Module 13
Implementing Server Virtualization with Hyper-V
Contents:
Module Overview 13-1

Lesson 1: Overview of Virtualization Technologies 13-2

Lesson 2: Implementing Hyper-V 13-8

Lesson 3: Managing Virtual Machine Storage 13-15

Lesson 4: Managing Virtual Networks 13-22

Lab: Implementing Server Virtualization with Hyper-V 13-27

Module Review and Takeaways 13-33

Module Overview
Server virtualization has only been a part of the Windows Server operating system since the release of
Windows Server 2008 and the introduction of the Hyper-V role. Server virtualization allows organizations
to save money through server consolidation. Because of these efficiencies, server administrators need to
be able to distinguish which server workloads might run effectively in virtual machines, and which server
workloads must remain deployed in a more traditional server environment.

This module introduces you to the Hyper-V® role, the components of the role, how best to deploy the
role, and the new features of the Hyper-V role that are introduced with Windows Server 2012.

Objectives
After completing this module, you will be able to:

• Understand and describe Microsoft's virtualization technologies.

• Implement Hyper-V.

• Manage virtual machine storage.

• Manage virtual networks.


13-2 Implementing Server Virtualization with Hyper-V

Lesson 1
Overview of Virtualization Technologies
You can deploy many different types of virtualization on networks where Windows operating systems are
primarily deployed. The type of virtualization that you choose depends on what you need to accomplish.
Although this module is primarily concerned with server virtualization, in this lesson you will learn about
other types of virtualization and the situations in which it is appropriate to deploy them.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe server virtualization using Hyper-V.

• Describe Windows® Azure™.

• Explain when you would use desktop virtualization.

• Determine the components required to implement presentation virtualization.

• Explain the benefits of Microsoft Application Virtualization (App-V) over traditional application
deployment.

Server Virtualization with Hyper-V
With server virtualization, you can create separate virtual machines and run them concurrently using
the resources of a single server operating system. These virtual machines are known as guests. The
computer running Hyper-V is known as the host.

Virtual machine guests function as normal computers. When users are logged on remotely using Remote
Desktop Connection (RDC) or a Windows PowerShell® remote session, you would have to examine the
properties of a computer closely to determine whether it is a virtual machine or a traditionally deployed
physical machine. Virtual machine guests that are hosted on the same hypervisor are independent of one
another. You can run multiple virtual machines that are using different operating systems on a host server
simultaneously, provided the host server has enough resources.

Virtual Machines and Hardware Usage
By implementing virtual machines, you use hardware more efficiently. In most cases, a service or
application does not consume more than a fraction of the resources that are available on the host
computer. When deployed as virtual machines, you can organize multiple services and applications from
separate virtual machines on to the same host server so that the resources of that host server are used
more effectively. For example, if you have four separate services and applications that each consume from
10 to 15 percent of a host server's hardware resources, you can install these services and applications in
virtual machines, and then place them on the same hardware where, on average, they will consume a total
of 40 to 60 percent of the host server's hardware.

This is a simplified example. In real world environments, you must make adequate preparations before
co-locating virtual machines; you have to ensure that the hardware resource needs of all the virtual
machines that are hosted on the host hypervisor do not exceed the hypervisor's hardware resources.

Service and Application Isolation in Virtual Machines
Keeping one particular service or application functioning in a reliable manner can be challenging. This
task becomes even more complicated if you need to deploy multiple services and applications on the
same server. For example, you might need to deploy application A and application B at a branch office.
These applications conflict when run on the same computer, but you can only afford enough hardware for
one server. Running these applications within virtual machines can solve this problem.

Server Consolidation
With server virtualization, you can consolidate onto a single host servers that would otherwise need to
run on separate hardware. Because each virtual machine on a host is isolated from the other virtual
machines on the same host, it is possible to deploy services and applications, such as Exchange Server
2010, SQL Server 2012, and Active Directory® domain controllers, on the same physical computer, but
hosted within virtual machines. This means that an organization only needs to deploy one physical server
in place of the three servers that they would have needed in the past.

Best Practice: Microsoft recommends that you not deploy a Microsoft Exchange mailbox
server on the same computer that holds a domain controller role. Microsoft also recommends
that you not deploy a SQL Server 2012 database engine instance on the same computer that
hosts the domain controller role. Instead, deploy each of these workloads on separate virtual
machines and then run those virtual machines as guests on the same server virtualization host;
this is a supported configuration.

Note that hypervisor isolation separates guests from one another, not from the host. An administrator of
the Hyper-V host, or anyone who can read the virtual hard disk files, effectively has full access to every
guest, so the host and storage of a virtualized domain controller must be protected as carefully as the
domain controller itself.

Simplifying Server Deployment
You can also use virtualization to simplify the process of server deployment:
• There are virtual machine templates for common server configurations included with products such as
Microsoft System Center 2012 - Virtual Machine Manager (VMM). You can configure these templates
rather than configuring virtual machines from the very beginning.

• You can also create virtual machine self-service portals that enable end users to provision approved
servers and applications automatically without requiring the direct intervention of the systems
administration team. You create these virtual machine self-service portals with VMM and Microsoft
System Center 2012 - Service Manager.

What Is Windows Azure?
Windows Azure is a cloud-based platform where you can purchase capacity, either for virtual
machines or for applications, such as SQL Server databases on SQL Azure. As a cloud-based hosting
solution, you pay for the capacity you use, rather than paying a fixed rate. For example, rather than
paying a monthly flat rate to rent a server on a rack at a hosting provider, the cloud hosting
provider charges you based on use. You pay less when the server is experiencing minimal use, and
you pay more as use increases.

Cloud-based capacity is elastic, meaning it can grow or shrink quickly as required. For example, in a
traditionally hosted solution, you might choose a specific server chassis. Then, if you need to increase
capacity rapidly, you would have to switch to another class of server hardware, which would require you
to migrate from the first physical host. All of this takes time and planning. Similarly, if your need for
capacity decreases, you would need to decide whether migrating to a lower class of hardware is worth the
cost, or if your organization should continue to pay for a class of hardware that you do not need right
now, and may or may not need in the future. By using a hosting provider, capacity is scaled automatically
and your organization is charged for only what you use, all without the complexity of migration.

This can be very useful when you have to provide proof-of-concept solutions when proposing projects.
Rather than purchase test hardware and have to deploy a proof-of-concept solution to that hardware to
demonstrate a project's feasibility, you can quickly deploy a cloud-based virtual machine. Once the proof-
of-concept solution is validated, you can choose to discard it, or keep it, depending on operational
concerns. This is cheaper than acquiring hardware for a proof-of-concept solution which may be
discarded if the project does not go ahead or turns out to be infeasible.

Hosting Websites or Production Applications
Cloud-based platforms like Windows Azure also allow you to deploy applications without having to
deploy the underlying server infrastructure. For example, if you need a database, instead of having to
deploy both Windows Server 2012 and SQL Server 2012, and then deploy the specific database, you can
rent the cloud-based database server, and then host the database there.

For a successful cloud strategy, you must be able to determine correctly which services and applications
are more economical to host with a hosting provider, and which services and applications are more
economical to host on premises. Many factors that are unique to an organization are involved in making
this determination, and a strategy that is best for one organization may not be appropriate for another.

Desktop Virtualization

Client Hyper-V
You can install the Hyper-V feature on computers that are running the Windows 8 Pro and Windows 8
Enterprise operating systems. This allows you to run virtual machine guests on client computers.
Client Hyper-V, the Hyper-V feature in Windows 8 Pro and Windows 8 Enterprise, requires an x64
platform that supports second-level address translation (SLAT), and a minimum of 4 gigabytes (GB) of
random access memory (RAM). SLAT is a hard requirement for Client Hyper-V; for Hyper-V on Windows
Server 2012 it is recommended but not required.

Client Hyper-V on Windows 8
Client Hyper-V on Windows 8 supports many of the features that are available with Hyper-V on
Windows Server 2012, but does not support enterprise features such as virtual machine migration. Client
Hyper-V also does not support publishing applications that are installed on the virtual machine guest to
the host operating system's Start menu. This was a feature that was present in Windows XP Mode on
Windows 7, which used Virtual PC (Virtual PC is the client virtualization feature available to some
computers running specific editions of the Windows 7 operating system).

Client Hyper-V in enterprise environments
In enterprise environments, Client Hyper-V is often used for development purposes, or to allow specific
users to run previous versions of the Windows operating system so that they can access applications that
are incompatible with Windows 8. When large numbers of people within an organization need regular
access to a previous version of the Windows operating system, you should consider deploying Microsoft
Enterprise Desktop Virtualization (MED-V).

MED-V
MED-V is a centrally managed form of client-hosted virtualization. MED-V allows administrators to
centrally deploy and manage virtual machines running on clients. MED-V allows applications that are
compatible with previous versions of the Windows client operating system, such as Windows XP, to be
published in such a way so that they are accessible through the Windows 8 Start menu. MED-V is available
as part of the Microsoft Desktop Optimization Pack.

Additional Reading: For more information about MED-V see:
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/med-v.aspx.

Virtual Desktop Infrastructure
Virtual Desktop Infrastructure (VDI) is a form of desktop virtualization where client operating systems are
hosted centrally as virtual machines. Clients connect to these virtual machines using client software such
as RDC. Using the Add Roles and Features Wizard, you can configure a server to support VDI by choosing
a Remote Desktop Services installation. You can also install the Remote Desktop Virtualization Host role
service in addition to the Hyper-V role, when configuring a host server to function as a VDI server.

VDI can simplify the management of client operating systems in the following ways:

• For all the client computers that are hosted on a single server, it is easier to ensure that they are
backed up regularly.

• The client virtual machines can be hosted on a highly available Hyper-V host.

• In the event that a client computer breaks, users are still able to access their virtual machine using
other RDC methods.

VDI is also one method of allowing organizations to implement "Bring Your Own Device" (BYOD) policies.
In this scenario, workers bring their own computer to the office and use RDC software to connect to the
virtual machine that has been assigned to them.

Presentation Virtualization
Presentation virtualization differs from desktop virtualization in the following ways:

• In desktop virtualization, each user is assigned their own virtual machine that is running a
client operating system. In presentation virtualization, users log on and run separate
sessions on a server or servers. For example, users Alex and Brad might be logged onto the
same remote desktop server, running different sessions using RDC.

• With desktop virtualization, the applications run within virtual machines. With presentation
virtualization, the desktop and the applications run on the host server.

On networks that use Windows Server 2012, presentation virtualization is provided by the Remote
Desktop Services server role. Clients can access presentation virtualization in the following ways:
• Full Desktop. Clients can use a remote desktop client such as RDC to access a full desktop session
and to run applications on the Windows Server 2012 host server.

• RemoteApp applications. Rather than use a full desktop client like RDC, RemoteApp allows
applications that run on the host Windows Server 2012 server to be displayed on the client computer.
RemoteApp applications can be deployed as Windows Installer (.msi) files using traditional software
deployment methods. This allows you to associate file types with RemoteApp applications.
• Remote Desktop Web Access. Clients can access a web site on a specially configured server and
launch RemoteApp applications and Remote Desktop sessions from their browser.

Remote Desktop Gateway
Remote Desktop Gateway allows external clients to access Remote Desktop and RemoteApp without
using a virtual private network (VPN), or the Windows 7 and Windows 8 operating systems' DirectAccess
feature. Remote Desktop Gateway is a role service that you can install on a computer running Windows
Server 2012. Remote Desktop Gateway servers are deployed on perimeter networks. You can configure
the RDC client with the address of Remote Desktop Gateway servers. When you do this, the client checks
to see if it is on the organizational network. If it is, it makes a direct connection to the Remote Desktop
server. If it is not, it routes the connection to the Remote Desktop server through the Remote Desktop
Gateway. Because the gateway tunnels RDP inside HTTPS on TCP port 443 and authenticates the client
before any session reaches an internal server, only that port needs to be reachable from the Internet; the
Remote Desktop servers themselves (TCP port 3389) should never be exposed directly.

Application Virtualization
Application Virtualization, also known as App-V, uses special client software, known as the App-V
Client, that is installed on the client to allow applications to either run on or be streamed to
client computers. App-V, like MED-V, is available as part of the Microsoft Desktop Optimization
Pack, and is not a native Windows Server 2012 role or feature.

Application isolation
App-V isolates the application from the operating system and runs it in a special separate virtual
environment. This means that applications that you cannot install and run directly on a host operating
system, because of compatibility problems, are able to run as App-V applications. For example,
applications written for Windows XP that cannot run on the Windows 8 operating system can be run on
Windows 8 if deployed through App-V. With App-V, you can also run applications that might be
compatible with the host operating system, but may be problematic when run together. For example, you
can use App-V to deploy and run different versions of Microsoft Office Word simultaneously.

Application streaming
Another useful feature of App-V is application streaming. When an application is streamed, only those
parts of the application that are being used are transmitted to the client computer. This speeds up
application deployment because only part, not all, of the application must be transmitted across the
network to the client computer.

Application portability
When deployed with Microsoft System Center 2012 Configuration Manager, App-V allows applications to
follow users across multiple computers, without requiring a traditional installation on those client
computers. For example, a user can log on to a colleague's computer and have App-V stream that
application to them so that they can use it on that computer. The application is not installed locally, and
when the user logs off, the application is no longer available to other users of the computer.

Lesson 2
Implementing Hyper-V
Understanding how Hyper-V works and how virtual machines function is critical to effectively deploying
server virtualization in a Windows Server 2012 network environment. When you plan a server
virtualization strategy using Windows Server 2012 as a virtual machine host, you need to know what you
can and cannot do.

This lesson discusses Hyper-V, the hardware requirements for deploying Hyper-V on a computer running
Windows Server 2012, the different components of a virtual machine and the benefits of virtual machine
integration services. It also discusses how to measure virtual machine resource use with Windows
PowerShell cmdlets.

Lesson Objectives
After completing this lesson, you will be able to:

• Install the Hyper-V server role.

• Describe the appropriate hardware for Hyper-V deployment.

• Describe virtual machine components.

• Configure dynamic memory.

• Configure virtual machine integration services.

• Configure virtual machine start and stop actions.

• Perform Hyper-V resource metering tasks.

About Hyper-V
Hyper-V is the hardware virtualization role available in Windows Server 2012. Hardware virtualization
uses the processor's virtualization extensions to run virtual machines directly on the host's hardware,
with the hypervisor mediating access to it. This is in contrast to software virtualization products, such
as Virtual Server 2005 R2, that provide access indirectly through the host operating system.

You use the Hyper-V role to configure Windows Server 2012 to function as a hypervisor. Windows
Server 2012 can then host virtual machine guests that are running supported operating systems. In
some documentation, the virtual machine host (in this case the Windows Server 2012 computer that is
running Hyper-V) is referred to as the parent partition and virtual machines running on the Hyper-V
host are referred to as child partitions.

You can deploy Hyper-V to a computer running Windows Server 2012 by using the Add Roles and
Features Wizard. You can install the Hyper-V role on both Windows Server 2012 Full GUI and Windows
Server 2012 Server Core. There is also Microsoft Hyper-V Server 2012, a stand-alone edition that
includes only the components necessary to host virtual machines. On that edition, virtual machine
administration is done locally through Windows PowerShell, or remotely through the Hyper-V Manager
console.

Hardware Requirements for Hyper-V
When deciding on the hardware to use with a server on which you will install the Hyper-V role,
you need to ensure the following:
• The server must have an x64 platform that supports hardware-assisted virtualization (Intel VT-x or
AMD-V) and hardware-enforced Data Execution Prevention (the Intel XD or AMD NX bit), with both
enabled in the system firmware. Second-level address translation (SLAT) is strongly recommended,
and is required if you plan to use RemoteFX.

• The CPU capacity of the host server must meet the requirements of the guest virtual machines.
A virtual machine hosted on Hyper-V in Windows Server 2012 can support a maximum of 1 TB of
RAM and up to 64 virtual processors.

• The server must have enough memory to support the memory requirements of all of the virtual
machines that must run concurrently, plus enough memory to run the host Windows Server 2012
operating system. The server must have at least 4 GB of RAM.

• The storage subsystem performance must meet the input/output (I/O) needs of the guest virtual
machines. Whether deployed locally or on SANs, it may be necessary to place different virtual
machines on separate physical disks, to deploy a high performance redundant array of independent
disks (RAID), solid-state drives (SSD), hybrid-SSD, or a combination of all three.

• The host server's network adapters must be able to support the network throughput requirements of
the guest virtual machines. This may require installing multiple network adapters and using multiple
Network Interface Card (NIC) teams for virtual machines that have high network use requirements.

Virtual Machine Hardware
Virtual machines use virtual (or, simulated) hardware. The host operating system, Windows Server 2012
with the Hyper-V role installed, uses the virtual hardware to mediate access to actual hardware. For
example, a virtual network adapter can be mapped to a virtual network that is in turn mapped to an
actual network interface.

Virtual machines have the following simulated hardware by default:

• BIOS. Simulates the computer's BIOS. Just as on a standalone computer, you can configure
various factors on the virtual machine such as:

o The boot order for the virtual machine's virtual hardware

o From which device it will boot (for example, from a DVD drive, Integrated Drive Electronics (IDE),
legacy network adapter, or floppy disk)
o Num Lock

• Memory. Allows you to allocate memory resources to the virtual machine. An individual virtual
machine can be allocated up to 1 TB of memory. You will learn about configuring memory later in
this lesson.

• Processor. Allows you to allocate processor resources to the virtual machine. You can allocate up to
64 virtual processors to a single virtual machine.

• IDE Controller 0. A virtual machine can only support two IDE controllers and, by default, two are
allocated to each virtual machine. Each IDE controller can support two devices. You can connect
virtual hard disks or virtual DVD drives to an IDE controller. If booting from a hard disk drive or DVD-
ROM, the boot device must be connected to an IDE controller. Use IDE controllers to connect virtual
hard disks and DVD-ROMs to virtual machines that use any operating systems that do not support
integration services.
• IDE Controller 1. Allows additional virtual hard drives and DVD-ROMs to be deployed to the virtual
machine.

• SCSI Controller. A small computer system interface (SCSI) controller can only be used on virtual
machines that you deploy with any operating systems that support integration services.

• Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual machine guest operating systems.
• COM 1. Allows you to configure a connection through a named pipe.

• COM 2. Allows you to configure an additional connection through a named pipe.

• Diskette Drive. Allows you to map a VHD floppy disk image to a virtual diskette drive.
You can add the following hardware to a virtual machine by editing the virtual machine's properties and
clicking on Add Hardware:

• SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.

• Network Adapter. A single virtual machine can have a maximum of eight synthetic network
adapters. You will learn more about synthetic network adapters in Lesson 4.

• Legacy Network Adapter. Legacy network adapters allow you to use network adapters with any
operating systems that do not support integration services. You can also use legacy network adapters
to allow network deployment of operating system images. A single virtual machine can have up to
four legacy network adapters. You will learn more about legacy network adapters in Lesson 4.
• Fibre Channel adapter. Allows a virtual machine to connect directly to a Fibre Channel storage area
network (SAN). A Fibre Channel adapter requires that the Hyper-V host have a Fibre Channel host bus
adapter (HBA) that also has a Windows Server 2012 driver that supports Virtual Fibre Channel.
• RemoteFX 3D video adapter. The RemoteFX 3D video adapter allows virtual machines to display
high performance graphics by leveraging DirectX and graphics processing power on the host
Windows Server 2012 server.

Additional Reading: For more information about Virtual Fibre Channel adapters see:
http://technet.microsoft.com/en-us/library/hh831413.aspx.
Configuring Dynamic Memory
In the first release of Hyper-V with Windows Server 2008, you could only assign a static amount of memory to virtual machines. Unless you took special precautions to measure the precise amount of memory that a virtual machine required, you were likely to either under allocate or over allocate memory.

Dynamic Memory allows you to allocate a minimum amount of memory to a virtual machine, and then to allow the virtual machine to request additional memory as needed. Dynamic Memory was introduced with Windows Server 2008 R2 Service Pack 1 (SP1). Rather than attempting to guess how much memory a virtual machine requires, Dynamic Memory allows you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a minimum value, which will always be allocated to the virtual machine. You can also choose a maximum value, which the virtual machine will not exceed even if the virtual machine requests more memory. Virtual machines must support Hyper-V integration services to use dynamic memory.

With Windows Server 2012, an administrator can modify dynamic memory minimum and maximum memory values while the virtual machine is running. This was not possible with Windows Server 2008 R2 SP1. You can perform this task from a Virtual Machine's settings dialog box.

Smart Paging
Another new memory feature that is available in Windows Server 2012 is Smart Paging. Smart Paging provides a solution to the problem of minimum memory allocation related to virtual machine startup. Virtual machines can require more memory during startup than they require during normal operation. In the past, it was necessary to allocate the minimum memory required for startup, to ensure that startup occurred; this meant that the amount of memory allocated could be more than the virtual machine needed during normal operation. Smart Paging uses disk paging to assign additional temporary memory to a virtual machine when it is starting up. This allows you to allocate memory based on what the virtual machine needs when it is operating normally, rather than the amount that it needs during startup. Unfortunately, Smart Paging results in lower performance because it uses disk resources that are used by the host server and other virtual machines.

Note: About configuration: You can configure virtual machine memory using the Set-VMMemory Windows PowerShell cmdlet.

Additional Reading: For more information about Hyper-V Dynamic Memory see: http://technet.microsoft.com/en-us/library/hh831766.aspx.
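The following is an added example, not part of the course text, showing how the Set-VMMemory cmdlet mentioned above is used to configure Dynamic Memory, with the minimum/startup/maximum ordering checked first and the running-VM restriction handled. The VM name LON-SVR1 and the byte values are assumptions for illustration.

```powershell
# Added example (not from the course text): configure Dynamic Memory with
# Set-VMMemory after validating the minimum <= startup <= maximum relationship.
# Assumes a VM named "LON-SVR1" exists on this Hyper-V host.
function Set-SafeDynamicMemory {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [long]$MinimumBytes = 512MB,
        [long]$StartupBytes = 1GB,
        [long]$MaximumBytes = 4GB,
        [int]$BufferPercent = 20
    )
    # Hyper-V rejects settings where minimum > startup or startup > maximum;
    # check up front so a typo never leaves the VM half-configured.
    if ($MinimumBytes -gt $StartupBytes -or $StartupBytes -gt $MaximumBytes) {
        throw "Expected MinimumBytes <= StartupBytes <= MaximumBytes for $VMName"
    }
    $vm      = Get-VM -Name $VMName -ErrorAction Stop
    $current = Get-VMMemory -VMName $VMName

    # Windows Server 2012 lets minimum and maximum change while the VM runs;
    # startup memory can only be changed while the VM is off.
    if ($vm.State -ne 'Off' -and $StartupBytes -ne $current.Startup) {
        Write-Warning "$VMName is $($vm.State): StartupBytes stays at $($current.Startup) until it is shut down."
        Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true `
            -MinimumBytes $MinimumBytes -MaximumBytes $MaximumBytes -Buffer $BufferPercent
    } else {
        Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true `
            -StartupBytes $StartupBytes -MinimumBytes $MinimumBytes `
            -MaximumBytes $MaximumBytes -Buffer $BufferPercent
    }
    # Return the effective settings so the caller can verify them.
    Get-VMMemory -VMName $VMName |
        Select-Object VMName, DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer
}

function Test-MinimumMemoryCommitment {
    # Every configured minimum is guaranteed to its VM, so the sum of all
    # minimums must fit in the host's physical RAM or VMs will fail to start.
    $minSum = (Get-VM | Get-VMMemory | Where-Object DynamicMemoryEnabled |
               Measure-Object Minimum -Sum).Sum
    if (-not $minSum) { $minSum = 0 }
    $hostBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    [pscustomobject]@{
        GuaranteedMinimumGB = [math]::Round($minSum / 1GB, 2)
        HostPhysicalGB      = [math]::Round($hostBytes / 1GB, 2)
        Fits                = ($minSum -lt $hostBytes)
    }
}

Set-SafeDynamicMemory -VMName 'LON-SVR1' -MinimumBytes 512MB -StartupBytes 1GB -MaximumBytes 4GB
Test-MinimumMemoryCommitment
```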

Configuring Virtual Machine Integration Services
Once you have installed guests onto the host server you can install Virtual Machine Integration Services to improve the performance of both the host and the guests; the guest is said to be integrated into the host server.

Supported operating systems can use integration services components, and adapter functionality such as SCSI adapters and synthetic network adapters. Hyper-V supported virtual machine guest operating systems include:

• Windows Server 2012
• Windows Server 2008 R2 with SP1
• Windows Server 2008 with Service Pack 2 (SP2)
• Windows Server 2003 R2 with SP2
• Windows Home Server 2011
• Windows MultiPoint Server 2011
• Windows Small Business Server 2011
• Windows Server 2003 with SP2
• CentOS 6.0-6.2
• CentOS 5.5-5.7
• Red Hat Enterprise Linux 6.0-6.2
• Red Hat Enterprise Linux 5.5-5.7
• SUSE Linux Enterprise Server 11 with SP1 or SP2
• SUSE Linux Enterprise Server 10 with Service Pack 4 (SP4)
• Windows 7 with SP1
• Windows Vista® with SP2
• Windows XP with Service Pack 3 (SP3)

Note: Support for the Windows XP operating system ends in April 2014. Support for Windows Server 2003 and Windows Server 2003 R2 expires in July 2015.

You can install the Hyper-V integration services components on an operating system by accessing the Virtual Machine Connection window, and then in the Action menu, clicking the Insert Integration Services Setup Disk item. You can then install the relevant operating system drivers either manually or automatically. You can also enable the following virtual machine integration components:

• Operating system shutdown. Allows the Hyper-V server to initiate a graceful shutdown of the guest virtual machine.
• Time synchronization. Allows the virtual machine to use the host server's processor for the purposes of time synchronization.
• Data exchange. Allows the Hyper-V host to write data to the registry of the virtual machine.
• Heartbeat. Allows Hyper-V to determine if the virtual machine has become unresponsive.
• Backup (volume snapshot). Allows the Volume Shadow Copy Service (VSS) provider to create snapshots of the virtual machine for the purposes of backup operation, without interrupting the virtual machine's normal operations.

Configuring Virtual Machine Start and Stop Actions
Virtual Machine start and stop actions allow you to configure what steps the Hyper-V host performs with specific virtual machines when the Hyper-V host is started or shut down. You can use virtual machine start and stop actions to ensure that critical virtual machines always start automatically whenever a Hyper-V host is restarted, and that they are shut down gracefully if the server receives a shutdown command.

You configure startup and shutdown settings for each individual virtual machine by editing the properties of the virtual machine. You do this by right clicking on the virtual machine and clicking Settings.

You can configure the following options in the Automatic Start Actions window:
• Nothing. The virtual machine is not started automatically when the Hyper-V host starts, even if the virtual machine was in a running state when the Hyper-V host was shut down.
• Automatically start if it was running when the service stopped. The virtual machine will start if it was running when the Hyper-V host received the command to shut down, or in the event that the virtual machine was running when the server suffered a failure that caused it to be powered off.
• Always start this virtual machine automatically. The virtual machine always starts when the Hyper-V host starts. You can configure a startup delay to ensure that multiple virtual machines do not attempt startup at the same time.

You can configure the following options in the Automatic Stop Actions window:
• Save the virtual machine state. Saves the active state of the virtual machine, including memory to disk. Allows the virtual machine to be resumed when the Hyper-V host restarts.
• Turn off the virtual machine. The virtual machine is powered off with the possibility of data loss.
• Shut down the guest operating system. The virtual machine is shut down in a graceful manner. This option is only available if integration services components are installed on the virtual machine.

Note: You can also configure virtual machine automatic start and automatic stop actions by using the Set-VM cmdlet with the AutomaticStartAction and AutomaticStopAction parameters.
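The following is an added example, not part of the course text, covering both the integration components listed earlier and the start/stop actions above: it applies a baseline with Set-VM and the *-VMIntegrationService cmdlets and then reports VMs whose graceful stop action cannot work because the Shutdown integration service is disabled. The VM names and the critical/tenant grouping are assumptions for illustration.

```powershell
# Added example (not from the course text): start/stop and integration-service
# baseline for two groups of VMs. Names are constructed for illustration.
$criticalVMs = @('LON-DC1', 'LON-SVR1')   # constructed: VMs that must return after a host restart
$tenantVMs   = @('TENANT-WEB1')           # constructed: VMs hosted for another organisation

# Critical VMs: always start, staggered so they do not all hit the disks at
# once, and shut down gracefully (requires integration services in the guest).
$delay = 0
foreach ($name in $criticalVMs) {
    Set-VM -Name $name -AutomaticStartAction Start -AutomaticStartDelay $delay `
           -AutomaticStopAction ShutDown
    $delay += 60   # seconds between successive VM starts
}

# Tenant VMs: only resume if they were running, and save state on host
# shutdown rather than depending on a guest-side shutdown we do not control.
foreach ($name in $tenantVMs) {
    Set-VM -Name $name -AutomaticStartAction StartIfRunning -AutomaticStopAction Save
    # Data exchange (KVP) lets the host write into the guest registry; for VMs
    # that belong to someone else, keep it off unless they have agreed to it.
    Disable-VMIntegrationService -VMName $name -Name 'Key-Value Pair Exchange'
}

function Get-StopActionMismatch {
    # A stop action of ShutDown silently falls back when the guest's Shutdown
    # integration service is disabled; list those VMs so they can be fixed.
    foreach ($vm in Get-VM) {
        $svc = Get-VMIntegrationService -VMName $vm.Name -Name 'Shutdown'
        if ($vm.AutomaticStopAction -eq 'ShutDown' -and -not $svc.Enabled) {
            [pscustomobject]@{
                VMName                 = $vm.Name
                StopAction             = $vm.AutomaticStopAction
                ShutdownServiceEnabled = $svc.Enabled
            }
        }
    }
}

Get-StopActionMismatch | Format-Table -AutoSize
```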

Hyper-V Resource Metering
Resource metering allows you to track the resource utilization of virtual machines hosted on Windows Server 2012 computers with the Hyper-V role installed.

With resource metering, you can measure the following parameters on individual Hyper-V virtual machines:

• Average GPU use
• Average physical memory use, including:
o Minimum memory use
o Maximum memory use
• Maximum disk space allocation
• Incoming network traffic for a network adapter
• Outgoing network traffic for a network adapter

By measuring how much of these resources each virtual machine uses, an organization can bill departments or customers based on their hosted virtual machines' use, rather than charging a flat fee per virtual machine. An organization with only internal customers can also use these measurements to see patterns of use and plan future expansions.

You perform resource metering tasks using Windows PowerShell cmdlets in the Hyper-V Windows PowerShell module. There is no GUI tool that allows you to perform this task. You can use the following cmdlets to perform resource metering tasks:

• Enable-VMResourceMetering. Starts collecting data on a per virtual machine basis.
• Disable-VMResourceMetering. Disables resource metering on a per virtual machine basis.
• Reset-VMResourceMetering. Resets virtual machine resource metering counters.
• Measure-VM. Displays resource metering statistics for a specific virtual machine.

Additional Reading: For more information about resource metering for Hyper-V see: http://technet.microsoft.com/en-us/library/hh831661.aspx.
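The following is an added example, not part of the course text, that strings the four metering cmdlets together into the chargeback use case described above. The property names read from the Measure-VM result object (AverageProcessorUsage, AverageMemoryUsage, MinimumMemoryUsage, MaximumMemoryUsage, TotalDiskAllocation and the NetworkMeteredTrafficReport entries' Direction/TotalTraffic) are those of the Hyper-V module; the billing rates and the output path are constructed for illustration.

```powershell
# Added example (not from the course text): enable metering on all VMs, build
# a per-VM usage report from Measure-VM, apply constructed chargeback rates,
# then reset the counters so the next run covers a fresh billing period.
Get-VM | Enable-VMResourceMetering    # idempotent; counters accumulate until reset

function Get-VMChargebackReport {
    param(
        [double]$RatePerAvgCpuMHz = 0.01,    # constructed: per MHz of average CPU
        [double]$RatePerAvgRamMB  = 0.002,   # constructed: per MB of average memory
        [double]$RatePerDiskMB    = 0.0005,  # constructed: per MB of maximum disk allocation
        [double]$RatePerNetworkMB = 0.001    # constructed: per MB inbound + outbound
    )
    foreach ($r in (Get-VM | Measure-VM)) {
        # Network traffic is reported per adapter and per direction; sum each way.
        $in  = ($r.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Inbound'  |
                Measure-Object TotalTraffic -Sum).Sum
        $out = ($r.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Outbound' |
                Measure-Object TotalTraffic -Sum).Sum
        if (-not $in)  { $in  = 0 }
        if (-not $out) { $out = 0 }

        $cost = ($r.AverageProcessorUsage * $RatePerAvgCpuMHz) +
                ($r.AverageMemoryUsage    * $RatePerAvgRamMB)  +
                ($r.TotalDiskAllocation   * $RatePerDiskMB)    +
                (($in + $out)             * $RatePerNetworkMB)

        [pscustomobject]@{
            VMName    = $r.VMName
            AvgCpuMHz = $r.AverageProcessorUsage
            AvgRamMB  = $r.AverageMemoryUsage
            MinRamMB  = $r.MinimumMemoryUsage
            MaxRamMB  = $r.MaximumMemoryUsage
            DiskMB    = $r.TotalDiskAllocation
            NetInMB   = $in
            NetOutMB  = $out
            Charge    = [math]::Round($cost, 2)
        }
    }
}

$reportDir = 'C:\Reports'   # constructed path
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$report = Get-VMChargebackReport
$report | Sort-Object Charge -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "$reportDir\chargeback-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Reset only after the report is safely written, or the period's data is lost.
Get-VM | Reset-VMResourceMetering
```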

Lesson 3
Managing Virtual Machine Storage
Hyper-V provides many different virtual machine storage options. If you know which option is appropriate for a given situation, then you can ensure that a virtual machine performs well. However, if you do not understand the different virtual machine storage options, you may end up deploying virtual hard disks that consume unnecessary space or that place an unnecessary performance burden on the host Hyper-V server.
In this lesson, you will learn about different virtual hard disk types, different virtual hard disk formats, and the benefits and limitations of using virtual machine snapshots.

Lesson Objectives
After completing this lesson you will be able to:

• Explain the purpose of a virtual hard disk.
• Create a virtual hard disk type.
• Manage virtual hard disks.
• Deploy differencing disks to reduce storage.
• Use virtual machine snapshots.

What Is a Virtual Hard Disk?
A virtual hard disk is a special file format that represents a traditional hard disk drive. You can configure a virtual hard disk with partitions and an operating system. Virtual hard disks can be used with virtual machines, and you can also mount virtual hard disks using the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 8, and Windows 7 operating systems. Windows Server 2012 supports boot to virtual hard disk; this allows you to configure the computer to boot into a Windows Server 2012 operating system that is deployed on a virtual hard disk, or into certain editions of the Windows 8 operating system that are deployed on a virtual hard disk. You can create a virtual hard disk using:

• The Hyper-V Manager console.
• The Disk Management console.
• The diskpart command-line tool.
• The New-VHD Windows PowerShell cmdlet.

Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also support boot to virtual hard disk.

VHDX vs. VHD
Virtual hard disks use the .vhd extension. Windows Server 2012 introduces the new VHDX format for virtual hard disks. The VHDX format has the following benefits over the VHD format that was used in Hyper-V on Windows Server 2008 and Windows Server 2008 R2:

• VHDX virtual hard disks can be as large as 64 TB. VHD virtual hard disks were limited to 2 TB.
• The VHDX virtual hard disk file structure means that the disk is less likely to become corrupt if the host server suffers an unexpected power outage.
• VHDX virtual hard disk format supports better alignment when deployed to a large sector disk.
• VHDX virtual hard disks allow larger block size for dynamic and differencing disks, which provides better performance for these workloads.

You can convert an existing VHD file to VHDX format using the Edit Virtual Hard Disk wizard, if you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows Server 2012. It is also possible to convert from VHDX format to VHD. You will learn more about converting virtual hard disks later in this lesson.

SMB Share Support
Windows Server 2012 now supports virtual hard disks that are stored on SMB 3 file shares. This is an alternative to storing virtual hard disk files on internet SCSI (iSCSI) or Fibre Channel SAN devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network share. You specify this when choosing the virtual hard disk location or attaching an existing virtual hard disk. The file share must support SMB 3. This limits you to placing virtual hard disks on file shares that are hosted on file servers with Windows Server 2012. Older versions of Windows Server do not support SMB 3.

Additional Reading: For more information about Virtual Hard Disk formats see: http://technet.microsoft.com/en-us/library/hh831446.aspx.

Creating Virtual Disk Types
When you configure a virtual hard disk, you can choose between several different disk types, including fixed, dynamic, and pass through. Differencing disks will be discussed later in this lesson.

Creating Fixed Virtual Hard Disks
When you create a fixed virtual hard disk, all of the hard disk space is allocated during the creation process. This has the advantage of minimizing fragmentation, which improves virtual hard disk performance when hosted on traditional storage devices. This has the disadvantage of requiring you to allocate all space used by the fixed virtual hard disk at the time that the disk is created. In many situations, you will not know precisely how much disk space a virtual machine needs. If you use fixed hard disks, you may end up allocating space to storage that is not actually required.

To create a fixed virtual hard disk, perform the following steps:

1. Open the Hyper-V Manager console.

2. On the Actions pane, click New, and then click Hard Disk.

3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

4. In the New Virtual Hard Disk Wizard, on the Choose Disk Format page, click either VHD or VHDX,
and then click Next.

5. On the Choose Disk Type page, click Fixed size, and then click Next.

6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a
folder in which to host the virtual hard disk file.

7. On the Configure Disk page, choose one of the following options:

o Create a new blank virtual hard disk of the specified size.

o Copy the contents of a specified physical disk. Allows you to replicate an existing physical disk
on the server as a virtual hard disk. The fixed hard disk will be the same size as the disk that you
have replicated. Replicating an existing physical hard disk does not alter data on the existing disk.
o Copy the contents of a specified virtual hard disk. Allows you to create a new fixed hard disk
based on the contents of an existing virtual hard disk.

Note: You can create a new fixed hard disk using the New-VHD Windows PowerShell
cmdlet with the -Fixed parameter.

Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes, or on SSDs. Improvements in Hyper-V (since it was first introduced with Windows Server
2008) also minimize the performance differences between dynamic and fixed virtual hard disks.

Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and will grow as necessary. For example, if you
create a new virtual machine and specify a dynamic disk, only a small amount of disk space will be
allocated to the new disk. For a VHD format virtual hard disk, approximately 260 kilobytes (KB) are
allocated. For a VHDX format virtual hard disk, approximately 4,096 KB are allocated.

As storage is allocated, the dynamic virtual hard disk will grow. If you delete files from a dynamically
expanding virtual hard disk, the virtual hard disk file will not shrink. You can only shrink a dynamically
expanding virtual hard disk file by performing a shrink operation. You will learn how to shrink virtual hard
disks later in this lesson.

You perform similar steps when creating a dynamically expanding virtual hard disk to when you create a
fixed virtual hard disk. The difference is that on the Choose Disk Type page, you choose the Dynamically
Expanding type.

Note: You can create a new dynamic hard disk using the New-VHD Windows PowerShell
cmdlet with the -Dynamic parameter.

Pass-Through Disks
Pass-through disks allow the virtual machine to access a physical disk drive, rather than to use a virtual
hard disk. You can use pass-through disks to connect a virtual machine directly to an iSCSI logical unit
number (LUN). When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do this, you must use the disk management console on the host to take the disk offline. Once the disk is offline, you can connect it to one of the virtual machine's disk controllers.

You can attach a pass-through disk by performing the following steps:

1. Ensure that the target hard disk is offline.

2. Use the Hyper-V console to edit an existing virtual machine's properties.

3. Click on an IDE or SCSI controller, click Add, and then click Hard Drive.

4. In the Hard Drive dialog box, select Physical Hard Disk. From the drop-down menu, select the disk that you want to use as the pass-through disk.

Note: You do not have to shut a virtual machine down if you connect the pass-through disk to a virtual machine's SCSI controller. If you want to connect to a virtual machine's IDE controller, then you must first shut down the virtual machine.

Question: Why might you consider using fixed virtual hard disks instead of dynamic virtual hard disks?

Question: In what types of situations might you encounter difficulties if you use dynamically expanding disks?

Managing Virtual Hard Disks
From time to time, you will need to perform maintenance operations on virtual hard disks. For example you might want to compact a virtual hard disk to free up space, or convert a virtual hard disk to another format as your needs change. You can perform the following maintenance operations on virtual hard disks:

• Convert the disk from fixed to dynamic.
• Convert the disk from dynamic to fixed.
• Convert a virtual hard disk in VHD format to VHDX.
• Convert a virtual hard disk in VHDX format to VHD.

When you convert a virtual hard disk, the contents of the existing virtual hard disk are copied to a newly created virtual hard disk that has the settings that you have chosen. For example, when converting from a fixed virtual hard disk to a dynamic virtual hard disk, a new dynamic virtual hard disk is created, the contents of the existing fixed virtual hard disk are copied to the new dynamic virtual hard disk, and then the existing fixed virtual hard disk is deleted, with the new dynamic virtual hard disk taking its place.

To convert a virtual hard disk, perform the following steps:

1. In the Hyper-V Manager console, from the Actions pane, click Edit Disk.

2. In the Edit Virtual Hard Disk Wizard, on the Before You Begin page, click Next.

3. On the Local Virtual Hard Disk page, click Browse. Select the virtual hard disk that you want to convert.

4. On the Choose Action page, select Convert, and then click Next.

5. On the Convert Virtual Hard Disk page, choose between VHD and VHDX format. The current disk format will already be selected. If you want to convert between these two formats, choose the appropriate format, and then click Next. You do not have to change format.

6. On the Convert Virtual Hard Disk page, choose between Fixed Size and Dynamically Expanding. If you also want to convert the hard disk type, choose the appropriate type, and then click Next.

7. On the Configure Disk page, choose the destination location for the disk.

You can also shrink a dynamic virtual hard disk that is not using all of the space that it is allocated. For example, a dynamic virtual hard disk might be allocated 60 GB on the parent volume, but only use 20 GB of that space. You shrink a virtual hard disk by selecting the Compact option in the Edit Virtual Hard Disk Wizard.
You cannot shrink fixed virtual hard disks. You must first convert a fixed virtual hard disk to dynamic before you can compact the disk.

You can use the resize-partition and the resize-vhd Windows PowerShell cmdlets to compact a dynamically expanding virtual hard disk.

You can also use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically expanding and fixed virtual hard disks.

Reducing Storage Needs with Differencing Disks
Differencing disks are separate virtual hard disks that record the changes made to a parent disk. Differencing disks allow you to reduce the amount of hard disk space consumed by virtual hard disks at the cost of disk performance. Differencing disks work well with SSD, and where there is a limited amount of space available on the host volume and the disk performance compensates for the performance drawbacks of using a differencing disk.
You can link multiple differencing disks to a single parent disk. However, if you modify the parent disk, the links to all of the differencing disks will fail.

You can reconnect a differencing disk to the parent using the Inspect Disk tool, which is available in the Actions pane of the Hyper-V Manager console. You can also use the Inspect Disk tool to locate the parent disk of a differencing disk.

To create a differencing disk, perform the following steps:

1. Open the Hyper-V Manager console.

2. In the Actions pane, click New, and then click Hard Disk.

3. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.

4. On the Choose Disk Format page, click VHD, and then click Next.

5. On the Choose Disk Type page, click Differencing, and then click Next.

6. On the Specify Name and Location page, provide the location of the parent hard disk.

You can create a differencing virtual hard disk using the New-VHD Windows PowerShell cmdlet. For example, to create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, use the following Windows PowerShell command:

New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd
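The following is an added example, not part of the course text, that ties together the disk types and maintenance operations of this lesson: it creates a dynamic parent and a differencing child with New-VHD, walks the parent chain with Get-VHD (the check the Inspect Disk tool performs), and converts the parent's type with Convert-VHD. The folder C:\VHDLab and the disk sizes are constructed; compaction here uses the Optimize-VHD cmdlet rather than the wizard.

```powershell
# Added example (not from the course text): create, inspect and convert
# virtual hard disks from PowerShell. Paths are constructed for illustration.
$root = 'C:\VHDLab'   # constructed
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Dynamic parent: only a few MB on disk now, may grow to 40 GB.
$parent = New-VHD -Path "$root\parent.vhdx" -SizeBytes 40GB -Dynamic
# Differencing child: stores only the blocks that change relative to the parent.
$child  = New-VHD -Path "$root\child.vhdx" -ParentPath $parent.Path -Differencing

function Get-VhdChainSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Walk up the parent chain. If a parent is missing or has been modified,
    # Get-VHD fails here, which is the broken link the lesson warns about.
    $current = Get-VHD -Path $Path -ErrorAction Stop
    while ($current) {
        [pscustomobject]@{
            Path       = $current.Path
            VhdType    = $current.VhdType          # Fixed, Dynamic or Differencing
            FileSizeMB = [math]::Round($current.FileSize / 1MB, 1)
            MaxSizeGB  = [math]::Round($current.Size / 1GB, 1)
            ParentPath = $current.ParentPath
        }
        if ($current.ParentPath) {
            $current = Get-VHD -Path $current.ParentPath -ErrorAction Stop
        } else {
            $current = $null
        }
    }
}

Get-VhdChainSummary -Path $child.Path | Format-Table -AutoSize

# Convert the dynamic parent into a fixed copy. Convert-VHD always writes a
# new file and leaves the source in place; do not delete the source while a
# differencing disk still names it as its parent.
Convert-VHD -Path $parent.Path -DestinationPath "$root\parent-fixed.vhdx" -VHDType Fixed

# Compact the (detached) dynamic parent to reclaim space freed inside the guest.
Optimize-VHD -Path $parent.Path -Mode Full
```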

Using Snapshots
Snapshots represent the state of a virtual machine at a particular point in time. They are a static image of the set of data on the virtual machine at the moment the snapshot is taken. Snapshots are stored in either .avhd or .avhdx format depending on the virtual hard disk format. You can take a snapshot of a virtual machine from the Action menu of the Virtual Machine Connection window, or from the Hyper-V console. Each virtual machine can have a maximum of 50 snapshots.

You can take snapshots at any time, even when a virtual machine is shut down. When you take a snapshot of a running virtual machine, the snapshot includes the contents of the virtual machine's memory.

When taking snapshots of multiple virtual machines that are part of the same group, for example a virtual domain controller and virtual member server, you should take these snapshots simultaneously. This ensures that items such as computer account passwords are synchronized between the virtual DC and the virtual member server.

Remember that when you revert to a snapshot, you are reverting to a computer's state at that point in time. If you take a computer back to a point before it had performed a computer password change with a domain controller, you will need to rejoin that computer to the domain or run the netdom resetpwd command.

Snapshots vs. Backups
Snapshots are not a replacement for backups. Snapshot data is stored on the same volume as the virtual hard disks. If the volume hosting these files fails, both the snapshot and the virtual hard disk files will be lost.

Exporting Snapshots
You can perform a virtual machine export of a snapshot. When you perform an export of the snapshot, Hyper-V will create full virtual hard disks that represent the state of the virtual machine at the time the snapshot was taken. If you choose to export an entire virtual machine, all snapshots associated with the virtual machine will also be exported.

Differencing Disk Files
When you create a snapshot, Hyper-V writes differencing disk (.avhd, or .avhdx) files, which store the data that differentiates the snapshot from the previous snapshot, or from the parent virtual hard disk. When you delete snapshots, this data is either discarded, or merged back into the previous snapshot or parent virtual hard disk. For example:

• If you delete the most recent snapshot, the data is discarded. With Hyper-V in Windows Server 2012, this space is reclaimed immediately rather than when the virtual machine is shut down.

• If you delete the second most recent snapshot, the data is merged so that the earlier and later
snapshot states of the virtual machine retain their integrity.

Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time the
snapshot was taken. Reverting to a snapshot does not delete existing snapshots. If you revert to a
snapshot after making a configuration change, you will be prompted to take a snapshot. It is only
necessary to create a new snapshot if you want to return to that current configuration.

It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of
a virtual machine on Monday, Tuesday and then on Wednesday, and if on Thursday you apply the
Tuesday snapshot and then made changes to the configuration of the virtual machine, you will have
created a new branch that diverts from the original Tuesday snapshot. You can have multiple branches as
long as you do not exceed the 50 snapshots per virtual machine limit.
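The following is an added example, not part of the course text, showing how the grouped-snapshot advice above (a DC and a member server taken together) and the 50-snapshot limit can be enforced from PowerShell. In Windows Server 2012 the cmdlet is Checkpoint-VM even though the console says "snapshot"; the VM names are constructed.

```powershell
# Added example (not from the course text): snapshot a DC and member server
# as one group, revert them as one group, and report headroom under the
# 50-snapshot limit. VM names are constructed for illustration.
$group = @('LON-DC1', 'LON-SVR1')   # constructed: VMs whose domain trust must stay in step
$label = 'PreChange-{0:yyyyMMdd-HHmm}' -f (Get-Date)

function New-ConsistentGroupSnapshot {
    param([string[]]$VMName, [string]$SnapshotName, [int]$Limit = 50)
    # Refuse if any member is already at the limit, so we never end up with a
    # group in which only some VMs received the snapshot.
    foreach ($name in $VMName) {
        $count = @(Get-VMSnapshot -VMName $name).Count
        if ($count -ge $Limit) { throw "$name already has $count snapshots (limit $Limit)" }
    }
    # A single Checkpoint-VM call with the whole array keeps the snapshots as
    # close together in time as the host allows.
    Checkpoint-VM -Name $VMName -SnapshotName $SnapshotName
    Get-VMSnapshot -VMName $VMName | Where-Object Name -eq $SnapshotName |
        Select-Object VMName, Name, CreationTime
}

function Restore-ConsistentGroupSnapshot {
    param([string[]]$VMName, [string]$SnapshotName)
    # Reverting only one member is what produces the machine-account password
    # mismatch described above, so the whole group is always reverted together.
    foreach ($name in $VMName) {
        Restore-VMSnapshot -VMName $name -Name $SnapshotName -Confirm:$false
    }
}

function Get-SnapshotHeadroom {
    param([int]$Limit = 50)
    foreach ($vm in Get-VM) {
        $count = @(Get-VMSnapshot -VMName $vm.Name).Count
        [pscustomobject]@{ VMName = $vm.Name; Snapshots = $count; Remaining = $Limit - $count }
    }
}

New-ConsistentGroupSnapshot -VMName $group -SnapshotName $label
Get-SnapshotHeadroom | Sort-Object Remaining | Format-Table -AutoSize
# Later, to undo the change on both machines at once:
# Restore-ConsistentGroupSnapshot -VMName $group -SnapshotName $label
```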

Lesson 4
Managing Virtual Networks
Hyper-V provides several different options for network communication between virtual machines. Hyper-V allows you to configure virtual machines that communicate with an external network in a manner similar to traditionally deployed physical hosts. It also allows you to configure virtual machines so that they are only able to communicate with a limited number of other virtual machines that are hosted on the same Hyper-V host in Windows Server 2012. Knowing the options available for Hyper-V virtual networks ensures that you can leverage those options to best meet your organization's needs.

Lesson Objectives
After completing this lesson you will be able to:

• Describe virtual switches.
• Configure network virtualization.
• Manage a virtual machine MAC address pool.
• Configure virtual network adapters.

What Is a Virtual Switch?
A virtual switch is a virtual version of a network switch. The term virtual network, which was used in Windows Server 2008, has been replaced by the term virtual switch in Windows Server 2012. Virtual switches control how network traffic flows between virtual machines that are hosted on the Hyper-V server, and between virtual machines and the rest of the organizational network. You manage virtual switches through the virtual switch manager which is accessible through the Actions pane of the Hyper-V Manager console. Hyper-V on Windows Server 2012 supports three different types of virtual switches:

• External. Use this type of switch to map a network to a specific network adapter or network adapter team. Windows Server 2012 supports mapping an external network to a wireless network adapter if you have installed the Wireless local area network (LAN) Service on the host Hyper-V server, and if the Hyper-V server has a compatible adapter.
• Internal. Use internal virtual switches to communicate between the virtual machines on the Hyper-V host, and to communicate between the virtual machines and the Hyper-V host itself.
• Private. Use private switches only to communicate between virtual machines on the Hyper-V host; you cannot use private switches to communicate between the virtual machines and the Hyper-V host itself.

When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated with the network. This allows you to extend existing VLANs on the external network to VLANs within the Hyper-V host's network switch. VLANs allow you to partition network traffic, and function as separate logical networks. Traffic can only pass from one VLAN to another if it passes through a router.

You can configure the following extensions for each virtual switch type:

• Microsoft NDIS Capture. This extension allows for data travelling across the virtual switch to be
captured.

• Microsoft Windows Filtering Platform. This extension allows data travelling across the virtual switch
to be filtered.

Additional Reading: For more information about Virtual Switches see:
http://technet.microsoft.com/en-us/library/hh831452.aspx.

Hyper-V Network Virtualization
Hyper-V Network Virtualization allows you to isolate virtual machines that share the same Hyper-V host,
but are from different organizations. For example, if you provide an Infrastructure as a Service (IaaS) to
differing businesses, you will want to isolate their virtual machines from each other. Network Virtualization
allows you to go beyond basic traffic partitioning by assigning these virtual machines to separate VLANs as
a way of isolating network traffic. You would primarily deploy Network Virtualization in scenarios where
you were using Hyper-V to host virtual machines for another organization.

When you configure Network Virtualization, each guest virtual machine has two IP addresses that function
in the following manner:

• Customer IP address. This address is assigned by the customer to the virtual machine. This IP address
is configured in such a way that communication with the customer's internal network can occur even
though the virtual machine might be hosted on a Hyper-V server that is connected to a separate public
IP network. To display the customer IP address, execute IPCONFIG in a command-line window on the
virtual machine.

• Provider IP address. This address is the IP address assigned by the hosting provider. This address is
visible to the hosting provider and to other hosts on the physical network but it is not visible from the
virtual machine.

Network Virtualization allows you to host multiple machines that use the same customer address—for
example, 192.168.15.101—on the same Hyper-V host, because the virtual machines will be assigned
different provider IP addresses.

Additional Reading: For more information about Network Virtualization see:
http://technet.microsoft.com/en-us/library/hh831395.aspx.

Managing Virtual Machine MAC Addresses
Unless you specify a static media access control (MAC) address, Hyper-V dynamically allocates a MAC
address to each virtual machine network adapter from a pool of MAC addresses. You can configure the
address range of this pool from the MAC Address Range setting of the Virtual Switch Manager console. By
default, a Hyper-V host has a pool of 255 MAC addresses.

When virtual machines use private or internal networks, the MAC address that is allocated to network
adapters is not likely to be of concern because the Hyper-V host will ensure that duplicate MAC addresses
are not assigned to different virtual machines. However, when you have multiple Hyper-V hosts and those
computers host virtual machines that use adapters connected to external networks, you should ensure that
each Hyper-V host uses a different pool of MAC addresses. This ensures that separate Hyper-V hosts that
connect to the same network do not assign the same MAC addresses to the virtual machines that they host.

When virtual machines are allocated IP addresses through a Dynamic Host Configuration Protocol (DHCP)
reservation, you should consider using static MAC addresses. A DHCP reservation ensures that a particular
IP address is always allocated to a specific MAC address.

You can configure the MAC address range by performing the following steps:

1. Open the Hyper-V Manager console.

2. Select the Hyper-V host that you wish to configure.

3. On the Actions pane, select Virtual Switch Manager.

4. Under Global Network Settings, click MAC Address Range.

5. Specify a minimum and a maximum range for the MAC address.

MAC addresses are in hexadecimal format. When configuring ranges for multiple Hyper-V hosts, you
should consider changing the values of the second from the last pair of digits. The following table displays
examples of ranges for multiple Hyper-V hosts.

Hyper-V Host    MAC Address Range

Host 1          Minimum: 00-15-5D-0F-AB-00
                Maximum: 00-15-5D-0F-AB-FF

Host 2          Minimum: 00-15-5D-0F-AC-00
                Maximum: 00-15-5D-0F-AC-FF

Host 3          Minimum: 00-15-5D-0F-AD-00
                Maximum: 00-15-5D-0F-AD-FF

Configuring Virtual Network Adapters
Virtual network adapters allow the virtual machine guest operating system to communicate using the
virtual switches that you configure using the Virtual Switch Manager console. You can edit the properties
of a virtual machine to modify the properties of a network adapter. From the Network Adapter pane on the
virtual machine's settings dialog box, you can configure the following:

• Virtual Switch. Determines which virtual switch the network adapter connects to.

• VLAN ID. Allows you to specify a VLAN ID that the virtual machine will use for communication that
passes through this adapter.

• Bandwidth Management. Allows you to specify a minimum and a maximum bandwidth to be allocated
to the adapter by Hyper-V. The minimum bandwidth allocation is reserved by Hyper-V for the network
adapter, even when other virtual network adapters on virtual machines hosted on the Hyper-V host are
functioning at capacity.

Both synthetic network adapters and legacy network adapters support the following advanced features:

• MAC address allocation. You can configure a MAC address to be assigned from the MAC address pool,
or you can configure the network adapter to use a fixed MAC address. You can also configure MAC
address spoofing. This is useful when the virtual machine needs to provide specific network access, such
as when the virtual machine is running a mobile device emulator that requires network access.

• DHCP Guard. Drops DHCP messages from virtual machines that are functioning as unauthorized DHCP
servers. This may be necessary in scenarios where you are managing a Hyper-V server that hosts virtual
machines for others, but does not have direct control over the configuration of those virtual machines.

• Router Guard. Drops router advertisement and redirection messages from virtual machines that are
configured as unauthorized routers. This may be necessary in scenarios where you do not have direct
control over the configuration of virtual machines.

• Port Mirroring. Allows you to copy incoming and outgoing packets from a network adapter to another
virtual machine that you have configured for monitoring.

• NIC Teaming. Allows you to add the virtual network adapter to an existing team on the host Hyper-V
server.
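The following Windows PowerShell script is an added example, not part of the course material. It audits every virtual machine network adapter on the local Hyper-V host against the advanced features just described (DHCP Guard, Router Guard, MAC address spoofing and port mirroring) and, when asked, turns the guards on and spoofing off for guests that are not on an exemption list. It assumes the Hyper-V module is present; the function name, the -Fix switch, the exemption parameters and the VM names in the commented call are this example's own.

```powershell
# Added example (not course material): report and optionally enforce the adapter
# protections described in the text. Assumes the Hyper-V module; exemption lists and
# the -Fix switch are conventions of this script, not Hyper-V settings.
Import-Module Hyper-V

function Get-VMNetworkAdapterAudit {
    param(
        # VMs allowed to spoof MACs, such as the mobile device emulator case in the text
        [string[]]$SpoofingAllowedFor = @(),
        # VMs that legitimately act as DHCP servers or routers on the virtual network
        [string[]]$TrustedInfrastructureVMs = @(),
        [switch]$Fix
    )
    foreach ($nic in Get-VMNetworkAdapter -VMName *) {
        $vm = $nic.VMName
        $trusted = $TrustedInfrastructureVMs -contains $vm
        $findings = @()

        # A guest you do not control should not be able to answer DHCP or advertise routes
        if (-not $trusted -and $nic.DhcpGuard -ne 'On')   { $findings += 'DhcpGuard off' }
        if (-not $trusted -and $nic.RouterGuard -ne 'On') { $findings += 'RouterGuard off' }
        # Spoofing lets a guest send from any MAC; allow it only where the use case applies
        if ($nic.MacAddressSpoofing -eq 'On' -and $SpoofingAllowedFor -notcontains $vm) {
            $findings += 'MacAddressSpoofing on'
        }
        # A mirror destination receives copies of other VMs' traffic; report it so it is deliberate
        if ($nic.PortMirroringMode -eq 'Destination') { $findings += 'PortMirroring destination' }

        if ($Fix -and $findings) {
            # Only the guard and spoofing settings are changed; mirroring is left for review
            $params = @{}
            if ($findings -contains 'DhcpGuard off')         { $params.DhcpGuard = 'On' }
            if ($findings -contains 'RouterGuard off')       { $params.RouterGuard = 'On' }
            if ($findings -contains 'MacAddressSpoofing on') { $params.MacAddressSpoofing = 'Off' }
            if ($params.Count) { $nic | Set-VMNetworkAdapter @params }
        }

        [pscustomobject]@{
            VMName     = $vm
            Adapter    = $nic.Name
            Switch     = $nic.SwitchName
            Findings   = ($findings -join '; ')
            Remediated = [bool]($Fix -and $findings)
        }
    }
}

# Report adapters with at least one finding
Get-VMNetworkAdapterAudit | Where-Object Findings | Format-Table -AutoSize

# Enforce, exempting an emulator VM and a DHCP server (VM names are placeholders):
# Get-VMNetworkAdapterAudit -SpoofingAllowedFor 'LON-DEV1' -TrustedInfrastructureVMs 'LON-DC1' -Fix
```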

Synthetic network adapters require the guest operating system to support integration services. In addition
to the Advanced features listed earlier, synthetic network adapters support the following hardware
acceleration features:

• Virtual Machine Queue. This feature uses hardware packet filtering to deliver network traffic directly
to the guest. This improves performance as the packet does not need to be copied from the host
operating system to the virtual machine. Virtual Machine Queue requires that the host computer has
a network adapter that supports this feature.

• IPsec task offloading. This feature allows calculation-intensive security association tasks to be
performed by the host's network adapter. In the event that sufficient hardware resources are not
available, the guest operating system performs these tasks. You can configure a maximum number of
offloaded security associations between a range of 1 and 4,096. IPsec task offloading requires guest
operating system and network adapter support.
• SR-IOV. Single-root I/O virtualization (SR-IOV) allows multiple virtual machines to share the same
Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources
are not available, then network connectivity falls back to be provided through the virtual switch.
Single-root I/O virtualization (SR-IOV) requires specific hardware and special drivers to be installed on
the guest operating system.

Legacy network adapters emulate common network adapter hardware. You use legacy network adapters
in the following situations:

• You want to support network boot installation scenarios for virtual machines. For example, you want
to deploy an operating system image from a Windows Deployment Services (Windows DS) server or
through Configuration Manager.

• You need to support operating systems that do not support integration services and do not have
drivers for the synthetic network adapter.
Legacy network adapters do not support the hardware acceleration features that synthetic network
adapters support. You cannot configure virtual machine queue, IPsec task offloading, or Single-root I/O
virtualization for legacy network adapters.

Lab: Implementing Server Virtualization with Hyper-V


Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location
and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows
8 clients. Your assignment is to configure the infrastructure service for a new branch office.

To more effectively use the server hardware that is currently available at branch offices, your manager has
decided that all branch office servers will run as virtual machines. You must now configure a virtual
network and a new virtual machine for these branch offices.

Objectives
After performing this lab you will be able to:

• Install the Hyper-V Server role.

• Configure virtual networking.

• Create and configure a virtual machine.


• Use virtual machine snapshots.

Lab Setup
Estimated Time: 60 minutes

Logon Information

Virtual Machines 20410A-LON-HOST1

User Name Adatum\Administrator

Password Pa$$w0rd

1. Reboot the classroom computer and choose 20410A-LON-HOST1 from the Windows Boot
Manager.

2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.

Exercise 1: Installing the Hyper-V Server Role


Scenario
The first step in migrating to a virtualized environment for the branch office is installing the Hyper-V
server role on a new server.

The main tasks for this exercise are as follows:

1. Install the Hyper-V server role.

2. Complete Hyper-V role installation and verify settings.

X Task 1: Install the Hyper-V server role


1. Reboot the classroom computer and from the Windows Boot Manager, choose
20410A-LON-HOST1.

2. Log onto the computer with the Administrator account and the password Pa$$w0rd.

3. In Server Manager, click Local Server and then configure the following network settings:

o IP Address: 172.16.0.31

o Subnet mask: 255.255.0.0

o Default gateway: 172.16.0.1

o Preferred DNS server: 172.16.0.10

4. Use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1 with the following
options:

o Do not create a virtual switch

o Use the Default stores locations

o Allow the server to restart automatically if required.

5. After a few minutes, the server will automatically restart. Ensure that you restart the machine from the
boot menu as 20410A-LON-HOST1. The computer will restart several times.

X Task 2: Complete Hyper-V role installation and verify settings


1. Log on to LON-HOST1 using the account Administrator with the password Pa$$w0rd.

2. When the Hyper-V tools installation completes, click Close.

3. Open the Hyper-V Manager console and then click LON-HOST1.

4. Edit the Hyper-V settings of LON-HOST1, and configure the following settings:

o Keyboard: Use on the virtual machine

o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

Results: After this exercise, you will have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking


Scenario
After installing the Hyper-V server role on the new server, you need to configure the virtual network. You
need to create both a network that is connected to the physical network, and a private network that can
be used only for communication between virtual machines. The private network will be used once virtual
machines are configured for high availability. You also need to configure a specific range of MAC
addresses for the virtual machines.
The main tasks for this exercise are as follows:

1. Configure the external network.

2. Create a private network.

3. Create an internal network.

4. Configure the MAC address range.

X Task 1: Configure the external network


1. Open the Hyper-V console, and then click on LON-HOST1.

2. Use the Virtual Switch Manager to create a new External virtual network switch with the following
properties:

o Name: Switch for External Adapter



o External Network: Mapped to the host computer's physical network adapter. (This will vary
depending on the host computer.)

X Task 2: Create a private network


1. On LON-HOST1, open the Hyper-V Manager console.

2. Use the Virtual Switch Manager to create a new virtual switch with the following properties.

o Name: Private Network


o Connection type: Private network

X Task 3: Create an internal network


1. On LON-HOST1, open the Hyper-V Manager console.

2. Use the Virtual Switch Manager to create a new virtual switch with the following properties.

o Name: Internal Network

o Connection type: Internal network

X Task 4: Configure the MAC address range


1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to configure the following MAC Address Range settings:

o Minimum: 00-15-5D-0F-AB-A0

o Maximum: 00-15-5D-0F-AB-EF

Results: After this exercise, you will have configured virtual switch options on a physically deployed
Windows Server 2012 server running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine


Scenario
You have been asked to deploy two virtual machines to LON-HOST1. You have copied a sysprepped VHD
file that hosts a Windows Server 2012 installation.

To minimize disk space use at the cost of performance, you are going to create two differencing files
based on the sysprepped VHD. You will then use these differencing files as the virtual hard disk files for
the new virtual machines.

The main tasks for this exercise are as follows:

1. Create differencing disks.

2. Create virtual machines.

3. Enable resource metering.

X Task 1: Create differencing disks


1. Use Windows Explorer to create the following folders:

o E:\Program Files\Microsoft Learning\Base\LON-GUEST1

o E:\Program Files\Microsoft Learning\Base\LON-GUEST2



Note: The drive letter may depend upon the number of drives on the physical host
machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:

o Disk Format: VHD

o Disk Type: Differencing

o Name: LON-GUEST1.vhd

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd


3. Open Windows PowerShell, import the Hyper-V module, and then run the following command:

New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.


5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

X Task 2: Create virtual machines


1. On LON-HOST1, in the Hyper-V Manager console, in the Actions pane, click New, and then click
Virtual Machine.

2. Create a virtual machine with the following properties:

o Name: LON-GUEST1

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Memory: 1024 MB

o Use Dynamic Memory: Yes


o Networking: Private Network

o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd

3. Open Windows PowerShell, import the Hyper-V module, and execute the following command:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

4. Use the Hyper-V Manager console to edit the settings of LON-GUEST2. Configure the following:

o Automatic Start Action: Nothing.

o Automatic Stop Action: Shut down the guest operating system.

X Task 3: Enable resource metering


• At the Windows PowerShell command-line prompt, import the Hyper-V module and enter the
following commands:

Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2

Results: After this exercise, you will have deployed two separate virtual machines using a sysprepped
virtual hard disk file as a parent disk for two differencing disks.

Exercise 4: Using Virtual Machine Snapshots


Scenario
You are in the process of developing a strategy to mitigate the impact of incorrectly applied change
requests. As a part of this strategy development, you are testing the speed and functionality of using
virtual machine snapshots to roll back to a previously existing stable configuration.

In this exercise, you will deploy Windows Server 2012 in a virtual machine. You will create a stable
configuration for that virtual machine, and then take a virtual machine snapshot. You will then modify the
configuration, and then roll back to the snapshot.
The main tasks for this exercise are as follows:

1. Deploy Windows Server 2012 in a virtual machine.

2. Create a virtual machine snapshot.

3. Modify the virtual machine.

4. Revert to the existing virtual machine snapshot.

5. View resource metering data.

X Task 1: Deploy Windows Server 2012 in a virtual machine


1. Use the Hyper-V Manager console to start LON-GUEST1.

2. Open the Virtual Machine Connection Window and perform the following steps to deploy Windows
Server 2012 on the virtual machine:
o On the Settings page, click Skip.

o On the Settings page, select I accept the license terms for using Windows and click Accept.

o On the Settings page, click Next to accept the Region and Language settings.

o On the Settings page enter the password Pa$$w0rd twice and click Finish.

3. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.

4. Reset the name of the virtual machine to LON-GUEST1, and then restart the virtual machine.

X Task 2: Create a virtual machine snapshot


1. Log on to the LON-GUEST1 virtual machine, and verify that the name of the computer is set to LON-
GUEST1.

2. Create a snapshot of LON-GUEST1, and name the snapshot Before Change.

X Task 3: Modify the virtual machine


1. Log on to the LON-GUEST1 virtual machine, and use the Server Manager console to change the
computer's name to LON-Computer1.

2. Reboot the virtual machine.

3. Log on to the LON-GUEST1 virtual machine, and verify that the server name is set to
LON-Computer1.

X Task 4: Revert to the existing virtual machine snapshot


1. Revert the virtual machine.

2. Verify that the Computer Name of the virtual machine is set to LON-GUEST1.

X Task 5: View resource metering data


1. On LON-HOST1, import the Hyper-V Windows PowerShell module and issue the following command:

Measure-VM LON-GUEST1

2. Note the average CPU, average RAM, and total disk use figures and then close the PowerShell
window.

Results: After this exercise, you will have used virtual machine snapshots to recover from a virtual
machine misconfiguration.

X Revert the virtual machines


After you finish the lab, restart the computer in Windows Server 2008 R2.
1. Click on the Windows PowerShell icon on the Taskbar.

2. In the Windows PowerShell window, enter the following command and press enter:

Shutdown /r /t 5

3. From the Windows Boot Manager, choose Windows Server 2008 R2.



Module Review and Takeaways


Review Questions
Question: In which situations should you use a fixed memory allocation rather than dynamic
memory?

Question: In which situations must you use VHDX format virtual hard disks as opposed to VHD
format virtual hard disks?

Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard
disk on a file share. What operating system must the file server be running to support this
configuration?

Common Issues and Troubleshooting Tips


Common Issue                                    Troubleshooting Tip

Cannot deploy Hyper-V on an x64 platform.

Virtual Machine does not use dynamic memory.

Best Practices
When implementing server virtualization with Hyper-V, use the following best practices:
• Ensure that the processor on the computer that will host Hyper-V supports SLAT. Servers that support
the Hyper-V role on Windows Server 2008 and Windows Server 2008 R2 may not support Hyper-V on
Windows Server 2012.
• Ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual
machines paging the hard disk drive because they are provisioned with inadequate memory will
decrease performance for all virtual machines on the Hyper-V host.
• Monitor virtual machine performance carefully. A virtual machine that uses a disproportionate
amount of server resources can adversely impact the performance of all other virtual machines that
are hosted on the same Hyper-V server.

Tools
You can use the following tools with Hyper-V to deploy and manage virtual machines.

Name of tool                  Used for                                      Where to find it

Sysinternals disk2vhd tool    Use to convert physical hard disks to VHD     You can download this tool from the
                              format.                                       Microsoft TechNet website.

Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 1: Deploying and Managing Windows Server 2012


Lab: Deploying and Managing Windows
Server 2012
Exercise 1: Deploying Windows Server 2012
X Task 1: Install the Windows Server 2012 server
1. Open the Hyper-V® Manager console.

2. Click 20410A-LON-SVR3. In the Actions pane, click Settings.

3. Under Hardware, click DVD Drive.

4. Click Image file, and then click Browse.

5. Browse to C:\Program Files\Microsoft Learning\20410\Drives, and then click Win2012_RC.ISO.


6. Click Open and then click OK.

7. In the Hyper-V Manager console, double-click 20410A-LON-SVR3 to open the Virtual Machine
Connection Window.

8. In the Virtual Machine Connection Window, In the Action menu, click Start.

9. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, and
then click Next.
o Language to install: English (United States)

o Time and currency format: English (United States)

o Keyboard or input method: US

10. On the Windows Server 2012 page, click Install now.

11. On the Select the operating system you want to install page, select Windows Server 2012
Release Candidate Datacenter (Server with a GUI), and then click Next.
12. On the License terms page, review the operating system license terms. Select the I accept the
license terms check box, and then click Next.

13. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).

14. On the Where do you want to install Windows? page, verify that Drive 0 Unallocated Space has
enough space for the Windows Server 2012 operating system, and then click Next.

Note: Depending on the speed of the equipment, the installation will take approximately
20 minutes. The virtual machine will restart several times during this process.

15. On the Settings page, enter the password Pa$$w0rd in both the Password and Reenter password
boxes, and then click Finish.

X Task 2: Change the server name


1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.

2. In Server Manager, click Local Server.



3. Click on the randomly-generated name next to Computer name. This will launch the System
Properties dialog box.

4. In the System Properties dialog box, on the Computer Name tab, click Change.

5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter the
name LON-SVR3, and then click OK.

6. In the Computer Name/Domain Changes dialog box, click OK.

7. Close the System Properties dialog box.

8. In the Microsoft Windows dialog box, click Restart Now.

X Task 3: Change the date and time


1. Log on to server LON-SVR3 as Administrator with the password Pa$$w0rd.

2. On the taskbar, click the time display. A pop-up window with a calendar and a clock displays.

3. On the pop-up window, click Change date and time settings.


4. In the Date and Time dialog box, click Change Time Zone.

5. In the Time Zone Settings dialog box, set the time zone to your current time zone, and then click
OK.
6. In the Date and Time dialog box, click Change Date and Time.

7. Verify that the date and time that display in the Date and Time Settings dialog box match those in
your classroom, and then click OK.

8. Click OK to close the Date and Time dialog box.

X Task 4: Configure the network and network teaming


1. In the Server Manager console on LON-SVR3, click Local Server.

2. Next to NIC Teaming, click Disabled.


3. In the NIC Teaming dialog box, press and hold the Ctrl key, and then in the Adapters And
Interfaces workspace, click both Local Area Connection and Local Area Connection 2.

4. Right-click the selected network adapters, and then click Add to New Team.

5. In the New Teaming dialog box, in the Team name field, type LON-SVR3, and then click OK.

6. Close the NIC Teaming dialog box. Refresh the Server Manager console.

7. In the Server Manager console, next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6
Enabled.

8. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.

9. In the LON-SVR3 Properties dialog, select Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.

10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IP address
information, and then click OK.

o IP address: 172.16.0.101

o Subnet Mask: 255.255.0.0

o Default Gateway: 172.16.0.1

o Preferred DNS server: 172.16.0.10



11. Click Close to close the LON-SVR3 Properties dialog box.

12. Close the Network Connections dialog box.

X Task 5: Add the server to the domain


1. On LON-SVR3, in the Server Manager console, click Local Server.

2. Next to Workgroup, click WORKGROUP.

3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain
option.

5. In the Domain box, enter adatum.com, and then click OK.


6. In the Windows Security dialog box, enter the following details, and then click OK:

o Username: Administrator

o Password: Pa$$w0rd
7. In the Computer Name/Domain Changes dialog box, click OK.

8. When informed that you must restart the computer to apply changes, click OK.

9. In the System Properties dialog box, click Close.

10. In the Microsoft Windows dialog box, click Restart Now.

11. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.

Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also
will have configured LON-SVR3 including name change, date and time, networking, and network teaming.

Exercise 2: Configuring Windows Server 2012 Server Core


X Task 1: Change the server name
1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.

2. At the command prompt, type sconfig.cmd.

3. To select Computer Name, type 2, and then press Enter.

4. Enter the computer name LON-CORE, and then press Enter.

5. In the Restart dialog box, click Yes.

6. Log on to server LON-CORE using the Administrator account.

7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.

X Task 2: Change the computer’s date and time


1. When logged on to server LON-CORE with the Administrator account, at the command prompt,
type sconfig.cmd, and then press Enter.

2. To select Date and Time, type 9, and then press Enter.

3. In the Date and Time dialog box, click Change time zone. Set the time zone to the same time zone
that your classroom uses, and then click OK.

4. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time
match those in your location. Click OK two times to dismiss the dialog boxes.

5. In the command prompt window, type 15, and then press Enter to exit Server Configuration.

X Task 3: Configure the network


1. Ensure that you are logged on to server LON-CORE using the account Administrator and password
Pa$$w0rd.

2. At the command prompt, type sconfig.cmd, and then press Enter.

3. To configure Network Settings, type 8, and then press Enter.

4. Type the index number of the network adapter that you want to configure, and then press Enter.
5. On the Network Adapter Settings page, type 1, and then press Enter. This sets the Network Adapter
Address.

6. To select static IP address configuration, type S, and then press Enter.

7. At the Enter static IP address: prompt, type 172.16.0.111, and then press Enter.

8. At the Enter subnet mask prompt, type 255.255.0.0, and then press Enter.

9. At the Enter default gateway prompt, type 172.16.0.1, and then press Enter.
10. On the Network Adapter Settings page, type 2, and then press Enter. This configures the DNS
server address.

11. At the Enter new preferred DNS server prompt, type 172.16.0.10, and then press Enter.
12. In the Network Settings dialog box, click OK.

13. Press Enter to not configure an alternate DNS server address.

14. Type 4, and then press Enter to return to the main menu.
15. Type 15, and then press Enter to exit sconfig.cmd.

16. At the command prompt, type ping lon-dc1.adatum.com to verify connectivity to the domain
controller from LON-CORE.

X Task 4: Add the server to the domain


1. Ensure that you are logged on to server LON-CORE using the account Administrator with password
Pa$$w0rd.

2. At the command prompt, type sconfig.cmd, and then press Enter.


3. To configure Domain/Workgroup, type 1, and then press Enter.

4. To join a domain, type D, and then press Enter.

5. At the Name of domain to join prompt, type adatum.com.

6. At the Specify an authorized domain\user prompt, type adatum\administrator, and then press
Enter.

7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and then
press Enter.

8. At the Change Computer Name prompt, click Yes.

9. At the Enter new computer name prompt, press Enter.


10. To restart the server, type 13, and then press Enter.
Module 1: Deploying and Managing Windows Server 2012 L1-5

11. In the Restart dialog box, click Yes.

12. Log on to server LON-CORE with the adatum\administrator account and the password Pa$$w0rd.

Results: After finishing this exercise, you will have configured a Windows Server 2012 Server Core
deployment, and verified the server’s name.
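The same network and domain-join configuration as Tasks 3 and 4, as an added example in Windows PowerShell rather than the course's sconfig.cmd steps; it assumes the adapter is named Ethernet (check with Get-NetAdapter) and prompts for the join credential instead of embedding Pa$$w0rd in the script.

```powershell
# Added example (not part of the course lab): PowerShell equivalent of the
# sconfig.cmd steps in Tasks 3 and 4, run at the LON-CORE console.
# Assumption: the adapter to configure is named "Ethernet".

$InterfaceAlias = 'Ethernet'
$StaticIP       = '172.16.0.111'
$PrefixLength   = 16              # 255.255.0.0
$Gateway        = '172.16.0.1'
$DnsServer      = '172.16.0.10'
$Domain         = 'adatum.com'

# Switch the adapter to static addressing and clear any DHCP or APIPA address
# and default route so the adapter ends up with exactly one IPv4 configuration.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue

New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $StaticIP `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer

# Step 16 of Task 3: confirm the domain controller resolves and answers before
# attempting the join, so a failed join points at the network rather than AD.
$dc = "lon-dc1.$Domain"
if (-not (Resolve-DnsName -Name $dc -ErrorAction SilentlyContinue)) {
    throw "DNS lookup of $dc via $DnsServer failed"
}
if (-not (Test-Connection -ComputerName $dc -Count 2 -Quiet)) {
    throw "$dc did not answer ping"
}

# Task 4: join adatum.com, keeping the existing computer name, then restart.
# The credential is prompted for rather than stored in the script.
$cred = Get-Credential -UserName 'adatum\administrator' -Message 'Domain join credential'
Add-Computer -DomainName $Domain -Credential $cred -Restart
```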

Exercise 3: Managing Servers


X Task 1: Create a server group
1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.

2. In the Server Manager console, click Dashboard, and then click Create a server group.

3. In the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.

4. In the Server group name box, type LAB-1.

5. Use the arrow to add LON-CORE and LON-SVR3 to the server group. Click OK to close the Create
Server Group dialog box.

6. Click LAB-1. Press and hold the Ctrl key, and then select both LON-CORE and LON-SVR3.

7. When both are selected, scroll down, and then under the Performance section, select both LON-CORE
and LON-SVR3.

8. Right-click LON-CORE, and then click Start Performance Counters.

X Task 2: Deploy features and roles to both servers


1. In Server Manager on LON-DC1, click LAB-1.
2. Scroll to the top of the pane, right-click LON-CORE, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.

5. On the Select destination server page, verify that LON-CORE.Adatum.com is selected, and then
click Next.

6. On the Select server roles page, select Web Server (IIS), and then click Next.

7. On the Features page, select Windows Server Backup, and then click Next.

8. On the Web Server Role (IIS) page, click Next.

9. On the Select Role Services page, add the Windows Authentication role service, and then click
Next.

10. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install.

11. Click Close to close the Add Roles and Features Wizard.

12. In Server Manager, right-click LON-SVR3, and then click Add Roles and Features.

13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

14. On the Select installation type page, click Role-based or feature-based installation.

15. On the Select destination server page, verify that LON-SVR3.Adatum.com is selected, and then
click Next.

16. On the Server Roles page, click Next.

17. On the Select features page, click Windows Server Backup, and then click Next.

18. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install.

19. Once the install commences, click Close.

20. In Server Manager, click the IIS node, and verify that LON-CORE is listed.

X Task 3: Review services, and change a service setting


1. Log on to LON-CORE with the adatum\Administrator account and using the password Pa$$w0rd.

2. At a command prompt, type netsh.exe firewall set service remoteadmin enable ALL, and then
press Enter.

3. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.

4. In Server Manager, click LAB-1.

5. Right-click LON-CORE, and then click Computer Management.


6. In the Computer Management console, expand Services and Applications, and then click Services.

7. Right-click the World Wide Web Publishing service, and then click Properties. Verify that the
Startup type is set to Automatic.

8. In the World Wide Web Publishing Service dialog box, on the Log On tab, verify that the service is
configured to use the Local System account.

9. In the World Wide Web Publishing Service dialog box, on the Recovery tab, configure the
following settings:

o First failure: Restart the Service

o Second failure: Restart the Service

o Subsequent failures: Restart the Computer.

o Reset fail count after: 1 days

o Reset service after: 1 minute

10. In the World Wide Web Publishing Service Properties dialog box, on the Recovery tab, click the
Restart Computer Options button.

11. In the Restart Computer Options dialog box, in the Restart Computer After box, type 2, and then
click OK.

12. Click OK to close the World Wide Web Publishing Services Properties dialog box.

13. Close the Computer Management console.

Results: After finishing this exercise, you will have created a server group, deployed roles and features,
and configured the properties of a service.
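An added verification script (not part of the course lab) that checks from LON-DC1 the W3SVC settings Task 3 configures in the GUI: startup type, logon account and the recovery actions. It assumes WinRM is enabled on LON-CORE (the default on Windows Server 2012) for Get-CimInstance, and uses sc.exe over RPC for the failure actions, which Win32_Service does not expose.

```powershell
# Added example (not part of the course lab): verify the World Wide Web
# Publishing Service (W3SVC) configuration from Task 3 on a remote server.
# Assumptions: run on LON-DC1 as adatum\Administrator; WinRM reachable on the
# target; the remote-administration firewall rules from step 2 still enabled.

function Test-WebServiceConfig {
    param([string]$ComputerName = 'LON-CORE')

    # Win32_Service carries the General tab (StartMode) and Log On tab (StartName)
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name='W3SVC'"
    if (-not $svc) { throw "W3SVC not found on $ComputerName; is the Web Server (IIS) role installed?" }

    $result = [ordered]@{
        Computer    = $ComputerName
        StartupAuto = ($svc.StartMode -eq 'Auto')         # Startup type: Automatic
        LocalSystem = ($svc.StartName -eq 'LocalSystem')  # Log On: Local System account
        Running     = ($svc.State -eq 'Running')
    }

    # Recovery tab settings come from the service control manager:
    #   RESET_PERIOD (in seconds)    : 86400
    #   FAILURE_ACTIONS              : RESTART -- Delay = 60000 milliseconds.
    #                                  RESTART -- Delay = 60000 milliseconds.
    #                                  REBOOT -- Delay = 120000 milliseconds.
    $failure = & sc.exe "\\$ComputerName" qfailure W3SVC
    $reset = $failure | Select-String -Pattern 'RESET_PERIOD'
    $result['ResetPeriodSeconds'] = if ($reset) { [int]($reset.Line -replace '\D', '') } else { $null }
    $result['ResetPeriodIsOneDay'] = ($result['ResetPeriodSeconds'] -eq 86400)

    # Match only the action lines, not REBOOT_MESSAGE; capture the action and delay
    $actionPattern = '^\s*(?:FAILURE_ACTIONS\s*:\s*)?(RESTART|REBOOT|RUN PROCESS)\s+--\s+Delay = (\d+)'
    $result['Actions'] = @($failure | Select-String -Pattern $actionPattern | ForEach-Object {
        '{0} after {1}s' -f $_.Matches[0].Groups[1].Value, ([int]$_.Matches[0].Groups[2].Value / 1000)
    })
    [pscustomobject]$result
}

# Expected after Task 3: StartupAuto, LocalSystem and ResetPeriodIsOneDay all True,
# Actions = RESTART after 60s, RESTART after 60s, REBOOT after 120s
Test-WebServiceConfig -ComputerName 'LON-CORE' | Format-List
```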

Exercise 4: Using Windows PowerShell to Manage Servers


X Task 1: Use Windows PowerShell® to connect remotely to servers and view information
1. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.

2. In the Server Manager console, click LAB-1.

3. Right-click LON-CORE, and then click Windows PowerShell.


4. At the command prompt, type Import-Module ServerManager, and then press Enter.

5. Type Get-WindowsFeature to review the roles and features installed on LON-CORE.

6. Type the following command to review the running services on LON-CORE:

Get-Service | Where-Object {$_.Status -eq "Running"}

7. Type get-process, and then press Enter to view a list of processes on LON-CORE.

8. Type the following command to review the IP addresses assigned to the server:

Get-NetIPAddress | Format-table

9. Type the following command to review the most recent 10 items in the security log:

Get-EventLog Security -Newest 10

10. Close Windows PowerShell.

X Task 2: Use Windows PowerShell to install new features remotely


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell command prompt, type import-module ServerManager, and then
press Enter.

3. To verify that the XPS Viewer feature has not been installed on LON-SVR3, type the following
command, and then press Enter:

Get-WindowsFeature -ComputerName LON-SVR3

4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:

Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3

5. To verify that the XPS Viewer feature has now been deployed on LON-SVR3, type the following
command and then press Enter:

Get-WindowsFeature -ComputerName LON-SVR3

6. In the Server Manager console, from the Tools drop-down menu, click Windows PowerShell ISE.

7. In the Windows PowerShell ISE window, in the Untitled1.ps1 script pane, type the following, pressing
Enter after each line:

Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE

8. Click the Save icon. Select the root of Local Disk (C:). Create a new folder named Scripts, and then
save the script in that folder as InstallWins.ps1.

9. Press F5 to run the script.

Results: After finishing this exercise, you will have used Windows PowerShell to perform a remote
installation of features on multiple servers.
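An added example (not the course's own script) extending Task 2 of this exercise: it installs the same features only where they are missing and returns a verification object per server and feature, so a second run changes nothing. It assumes the session runs on LON-DC1 as adatum\Administrator with WinRM reachable on LON-CORE and LON-SVR3.

```powershell
# Added example (not part of the course lab): idempotent remote feature
# deployment with before/after verification.
# Assumptions: run on LON-DC1 as adatum\Administrator; ServerManager module
# available; WinRM reachable on each target server.

Import-Module ServerManager

function Install-FeatureIfMissing {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$Feature   # internal names, e.g. XPS-Viewer, WINS
    )
    foreach ($computer in $ComputerName) {
        foreach ($name in $Feature) {
            # Same query as step 3 of Task 2, narrowed to one feature
            $before = Get-WindowsFeature -Name $name -ComputerName $computer
            if (-not $before) {
                Write-Warning "$name is not a known feature on $computer"
                continue
            }

            $action = 'AlreadyInstalled'
            if (-not $before.Installed) {
                # Same call as step 4 of Task 2; the result object reports
                # Success and whether a restart is still pending
                $install = Install-WindowsFeature -Name $name -ComputerName $computer
                $action  = if ($install.Success) { 'Installed' } else { 'Failed' }
                if ($install.RestartNeeded -eq 'Yes') { $action += ' (restart needed)' }
            }

            # Re-query rather than trusting the install result (step 5 of Task 2)
            $after = Get-WindowsFeature -Name $name -ComputerName $computer
            [pscustomobject]@{
                Computer  = $computer
                Feature   = $name
                Installed = $after.Installed
                Action    = $action
            }
        }
    }
}

# Same server/feature pairs as the lab: XPS Viewer and WINS on LON-SVR3,
# WINS on LON-CORE (XPS Viewer is a GUI feature and is not offered on Server Core).
Install-FeatureIfMissing -ComputerName 'LON-SVR3' -Feature 'XPS-Viewer', 'WINS' | Format-Table -AutoSize
Install-FeatureIfMissing -ComputerName 'LON-CORE' -Feature 'WINS' | Format-Table -AutoSize
```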

X To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, switch to the Hyper-V Manager console.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.



Module 2: Introduction to Active Directory Domain Services


Lab: Installing Domain Controllers
Exercise 1: Installing a Domain Controller
X Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, in the left column, select All Servers.

3. Right-click All Servers and then click Add Servers.

4. In the Add Servers dialog box, in the Name (CN) box, type LON-SVR1 and then click Find Now.

5. Under Name, click LON-SVR1 and then click the arrow to add the server to the Selected column.

6. Click OK to close the Add Servers dialog box.

7. In Server Manager, in the Servers window, right-click LON-SVR1, and select Add Roles and Features.

8. In the Add Roles and Features Wizard, click Next.


9. In the Select installation type window, ensure that Role-based or feature-based installation is
selected, and then click Next.

10. On the Select destination server page, ensure that Select a server from the server pool is
selected. In the Server Pool window, verify that LON-SVR1.Adatum.com is highlighted, and then
click Next.

11. On the Select server roles page, select the Active Directory Domain Services check box, click Add
Features, and then click Next.

12. On the Select features page, click Next.

13. On the Active Directory Domain Services page, click Next.


14. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install.

15. Installation takes several minutes. When the installation has succeeded, click Close to close the Add
Roles and Features Wizard.

X Task 2: Configure a server as a domain controller


1. On LON-DC1, in Server Manager on the menu bar, on the left of the Manage button, click the yellow
Alert button.

2. In the Post-deployment Configuration window that appears, click Promote this server to a domain
controller. The wizard continues.

3. In the Deployment Configuration page, ensure that the radio button next to Add a domain
controller to an existing domain is selected, and then, beside the Domain line, click Select.

4. In the Windows Security dialog box that opens, enter Adatum\Administrator in the Username box
and in the Password box, type Pa$$w0rd, and then click OK.

5. In the Select a domain from the forest window, click adatum.com, and then click OK.

6. In the Deployment Configuration window, click Next.

7. On the Domain Controller Options page, ensure that Domain Name System (DNS) server is
selected, and then deselect the check box next to Global Catalog (GC).

Note: You would usually enable the global catalog here as well, but for the purposes of
this lab, that is done in the next task.

8. In the Type the Directory Services Restore Mode (DSRM) password section, type Pa$$w0rd in
both text boxes, and then click Next.

9. On the DNS Options page, click Next.

10. On the Additional Options page, click Next.

11. On the Paths page, accept the default folders, and then click Next.

12. On the Review Options page, click View Script, examine the Windows PowerShell® script that the
wizard generates, close the Notepad window, and then click Next.

13. On the Prerequisites Check page, read any warning messages, and then click Install.

14. When the task completes successfully, click Close.

X Task 3: Configure a server as a global catalog server


1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Tools and then click Active Directory Sites and Services.

3. When the Active Directory Sites and Services window opens, expand Sites, expand Default-First-Site-Name, expand Servers, and then expand LON-SVR1.

4. In the left column, right-click NTDS Settings and select Properties.

5. In the NTDS Settings Properties dialog box, select the check box next to Global Catalog.

6. Click OK and close Active Directory Sites and Services.

Results: After completing this exercise, you will have explored Server Manager and promoted a member
server to be a domain controller.

Exercise 2: Installing a domain controller by using IFM


X Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.

3. On the Start screen, type CMD and then press Enter.

4. In the Command Prompt window, type the following, pressing Enter after each line:

Ntdsutil
Activate instance ntds
Ifm
Create sysvol full c:\ifm

X Task 2: Add the AD DS role to the member server


1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.

2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.

3. On the Start screen, type CMD and then press Enter.



4. Type the following command, and then press Enter:

Net use k: \\LON-DC1\c$\IFM

5. Switch to Server Manager.

6. From the list on the left, click Local Server.

7. In the toolbar, click Manage, and then click Add Roles and Features.

8. On the Before you begin page, click Next.

9. On the Select installation type page, ensure that Role-based or feature-based installation is
selected, and then click Next.

10. On the Select destination server page, verify that LON-SVR2.Adatum.com is highlighted, and then
click Next.

11. On the Select server roles page, click Active Directory Domain Services, in the Add Roles and
Features Wizard window, click Add Features, and then click Next.
12. In the Select Features window, click Next.

13. On the Active Directory Domain Services page, click Next.

14. On the Confirm installation selections page, click Restart the destination server automatically if
required. Click Yes at the message box.

15. Click Install.

16. After the installation has succeeded, click Close.

X Task 3: Use IFM to configure a member server as a new domain controller


1. On LON-SVR2, in the command prompt window, type the following command, and then press Enter:

Robocopy k: c:\ifm /copyall /s

2. Close the command prompt window.

3. In the Server Manager toolbar, to the left of the Manage button, click the yellow Alert button.

4. In the Post-deployment Configuration window, click Promote this server to a domain controller.

5. On the Deployment Configuration page, ensure that Add a domain controller to an existing
domain is selected, and confirm that adatum.com is entered as the target domain. Click Next.
6. On the Domain Controller Options page, ensure that both Domain Name System (DNS) server
and global catalog are selected. For the DSRM password, enter Pa$$w0rd in both boxes, and then
click Next.
7. On the DNS Options page, click Next.

8. On the Additional Options page, select the check box next to Install from media, in the text box,
type C:\ifm and then click Verify.

9. When the path has been verified, click Next.

10. On the Paths page, click Next.

11. On the Review Options page, click Next, and then observe the wizard as it performs a check for
prerequisites.

12. Click Install and wait while AD DS is configured. While this task is running, read the information
messages that display on the screen.

13. Wait for the server to restart.

Results: After completing this exercise, you will have installed an additional domain controller for the
branch office by using IFM.
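The ADDSDeployment equivalent of Task 3, added here as an example and not taken from the wizard's View Script output; it assumes the AD DS role is already installed on LON-SVR2 (Task 2) and the IFM set has been copied to C:\ifm (step 1), and it prompts for both the domain credential and the DSRM password instead of storing them.

```powershell
# Added example (not part of the course lab): promote LON-SVR2 from IFM media
# with the ADDSDeployment module, running the same prerequisite checks the
# wizard shows before installing. Assumptions: AD DS role installed, C:\ifm
# populated by Robocopy, LON-DC1 reachable.

Import-Module ADDSDeployment

$domain  = 'adatum.com'
$ifmPath = 'C:\ifm'

# An IFM set produced by "create sysvol full" contains the database, the
# registry hives and SYSVOL; fail early if any part did not copy.
foreach ($required in 'Active Directory\ntds.dit', 'registry\SYSTEM', 'registry\SECURITY', 'SYSVOL') {
    if (-not (Test-Path (Join-Path $ifmPath $required))) {
        throw "IFM folder $ifmPath is incomplete: missing $required"
    }
}

# Prompt for secrets rather than embedding them. The DSRM password is a
# separate local credential for offline recovery of this DC; store it as such.
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Account allowed to add a domain controller'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true                     # step 6: DNS server selected
    NoGlobalCatalog               = $false                    # step 6: global catalog selected
    InstallationMediaPath         = $ifmPath                  # step 8: Install from media
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'C:\Windows\NTDS'         # step 10: default paths
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion          = $false                    # step 13: server restarts
    Force                         = $true                     # suppress confirmation prompts
}

# Same checks as the wizard's prerequisites page (step 11), without changing anything
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisite check failed; not promoting'
}

# Step 12: promote, replicating the bulk of the directory from C:\ifm rather
# than over the WAN; only changes since the IFM was created come from LON-DC1
Install-ADDSDomainController @params
```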

X To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.

Module 3: Managing Active Directory Domain Services Objects


Lab: Managing Active Directory Domain Services Objects
Exercise 1: Delegating Administration for a Branch Office
X Task 1: Delegate administration for Branch Administrators
1. Switch to LON-DC1.

2. From Server Manager, click Tools.

3. Click Active Directory Users and Computers.

4. In Active Directory Users and Computers, click Adatum.com.


5. Right-click Adatum.com, point to New, and then click Organizational Unit.

6. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and
then click OK.

7. Right-click Branch Office 1, point to New, and then click Group.

8. In the New Object – Group dialog box, in the Group name box, type Branch 1 Help Desk, and then
click OK.

9. Right-click Branch Office 1, point to New, and then click Group.

10. In the New Object – Group dialog box, in the Group name box, type Branch 1 Administrators, and
then click OK.
11. Right-click Branch Office 1, point to New, and then click Group.

12. In the New Object – Group dialog box, in the Group name box, type Branch 1 Users, and then click
OK.

13. In the navigation pane, click IT.

14. In the details pane, right-click Holly Dickson, and then click Move.

15. In the Move dialog box, click Branch Office 1, and then click OK.

16. In the navigation pane, click the Development organizational unit.

17. In the details pane, right-click Bart Duncan, and then click Move.

18. In the Move dialog box, click Branch Office 1, and then click OK.

19. In the navigation pane, click the Managers organizational unit.

20. In the details pane, right-click Ed Meadows, and then click Move.

21. In the Move dialog box, click Branch Office 1, and then click OK.
22. In the navigation pane, click the Marketing organizational unit.

23. In the details pane, right-click Connie Vrettos, and then click Move.

24. In the Move dialog box, click Branch Office 1, and then click OK.
25. In the navigation pane, click the Research organizational unit.

26. In the details pane, right-click Barbara Zighetti, and then click Move.

27. In the Move dialog box, click Branch Office 1, and then click OK.

28. In the navigation pane, click the Sales organizational unit.

29. In the details pane, right-click Arlene Huff, and then click Move.

30. In the Move dialog box, click Branch Office 1, and then click OK.

31. In the navigation pane, click Branch Office 1.

32. In the navigation pane, click Computers.

33. In the details pane, right-click LON-CL1, and then click Move.
34. In the Move dialog box, click Branch Office 1, and then click OK.

35. Switch to LON-CL1.

36. Pause your mouse pointer in the lower-right corner of the display, and then click Settings.

37. Click Power, and then click Restart.

38. When the computer has restarted, log on as Adatum\Administrator with the password of
Pa$$w0rd.

39. Switch to the LON-DC1 computer.

40. If necessary, switch to Active Directory Users and Computers.

41. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.

42. On the Users or Groups page, click Add.

43. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Branch 1 Administrators, and then click OK.
44. On the Users or Groups page, click Next.

45. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the
following check boxes, and then click Next:
o Create, delete, and manage user accounts

o Reset user passwords and force password change at next logon

o Read all user information

o Create, delete and manage groups

o Modify the membership of a group

o Manage Group Policy links


46. On the Completing the Delegation of Control Wizard page, click Finish.

47. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.

48. On the Users or Groups page, click Add.


49. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Branch 1 Administrators, and then click OK.

50. On the Users or Groups page, click Next.

51. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

52. On the Active Directory Object Type page, select Only the following objects in the folder, select
the following check boxes, and then click Next:

o Computer objects

o Create selected objects in this folder

o Delete selected objects in this folder


53. On the Permissions page, select the General check box, and the Full Control check box, and then
click Next.

54. On the Completing the Delegation of Control Wizard page, click Finish.

X Task 2: Delegate a user administrator for the Branch Office Help Desk
1. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.

2. On the Users or Groups page, click Add.

3. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Branch 1 Help Desk and then click OK.

4. On the Users or Groups page, click Next.

5. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the
following check boxes, and then click Next:

o Reset user passwords and force password change at next logon

o Read all user information

o Modify the membership of a group

6. On the Completing the Delegation of Control Wizard page, click Finish.

X Task 3: Add a member to the Branch Administrators


1. In the navigation pane, click Branch Office 1.
2. In the details pane, right-click Holly Dickson, and then click Add to a group.

3. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Branch 1 Administrators, and then click OK.

4. In the Active Directory Domain Services dialog box, click OK.

5. In the details pane, right-click Branch 1 Administrators, and then click Add to a group.

6. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Server Operators, and then click OK.

7. In the Active Directory Domain Services dialog box, click OK.

8. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.

9. On LON-DC1, click Sign out.

10. Log on to LON-DC1 as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a
domain controller because Holly belongs, indirectly, to the Server Operators domain local group.
11. On the desktop, on the taskbar, click Server Manager.

12. In the User Account Control dialog box, in the User name box, type Holly. In the Password box,
type Pa$$w0rd, and then click Yes.

13. From Server Manager, click Tools.



14. Click Active Directory Users and Computers.

15. In Active Directory Users and Computers, expand Adatum.com.

16. In the navigation pane, click Sales.

17. In the details pane, right-click Aaren Ekelund, and then click Delete.

18. Click Yes to confirm.

19. Click OK to acknowledge that you do not have permissions to perform this task.

20. In the navigation pane, click Branch Office 1.

21. In the details pane, right-click Ed Meadows, and then click Delete.
22. Click Yes to confirm. You are successful because you have the required permissions.

X Task 4: Add a member to the Branch Help Desk group


1. In the details pane, right-click Bart Duncan, and then click Add to a group.

2. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Branch 1 Help Desk, and then click OK.

3. In the Active Directory Domain Services dialog box, click OK.

4. Close Active Directory Users and Computers.

5. Close Server Manager. To modify the Server Operators membership list, you must have permissions
beyond those available to the Branch 1 Administrators group.

6. On the desktop, click Server Manager.


7. In the User Account Control dialog box, in the User name box, type Adatum\Administrator. In the
Password box, type Pa$$w0rd, and then click Yes.

8. In Server Manager, click Tools.

9. In the Tools list, click Active Directory Users and Computers.

10. In Active Directory Users and Computers, expand Adatum.com.

11. In the navigation pane, click Branch Office 1.

12. In the details pane, right-click Branch 1 Help Desk, and then click Add to a group.

13. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Server Operators, and then click OK.

14. In the Active Directory Domain Services dialog box, click OK.

15. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.

16. On LON-DC1, click Sign out.

17. Log on as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller
because Bart belongs, indirectly, to the Server Operators domain local group.

18. On the desktop, click Server Manager.

19. In the User Account Control dialog box, in the User name box, type Bart. In the Password box,
type Pa$$w0rd, and then click Yes.

20. In Server Manager, click Tools.

21. Click Active Directory Users and Computers.

22. In Active Directory Users and Computers, expand Adatum.com.



23. In the navigation pane, click Branch Office 1.

24. In the details pane, right-click Connie Vrettos, and then click Delete.

25. Click Yes to confirm. You are unsuccessful because you lack the required permissions. Click OK.

26. Right-click Connie Vrettos, and then click Reset Password.

27. In the Reset Password dialog box, in the New password and Confirm password boxes, type
Pa$$w0rd, and then click OK.

28. Click OK to confirm the successful password reset.

29. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.

30. On LON-DC1, click Sign out.

31. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Results: After this exercise, you should have successfully created the necessary OU and delegated
administration of it to the appropriate group.
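An added audit script (not part of the course lab) that shows what Exercise 1 actually granted: the explicit ACEs on the Branch Office 1 OU, with the object-type GUIDs translated back to the names the Delegation of Control Wizard uses, and the effective members of the built-in Server Operators group that the lab nests the branch groups into. It assumes it runs on LON-DC1 as Adatum\Administrator with the ActiveDirectory module available.

```powershell
# Added example (not part of the course lab): audit delegation on an OU and
# membership of a privileged built-in group.
# Assumptions: run on LON-DC1 (ActiveDirectory module installed with AD DS);
# the domain's NetBIOS name is ADATUM.

Import-Module ActiveDirectory

function Get-OUDelegation {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    # Build a GUID -> name map from the schema (classes/attributes) and the
    # control access rights (e.g. "Reset Password"), so ACEs read like the wizard
    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    $guidMap[[guid]::Empty] = 'All'
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    # Only explicit ACEs: these are what the Delegation of Control Wizard added
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = $guidMap[$_.ObjectType]            # attribute/right the ACE covers
            AppliesTo   = $guidMap[$_.InheritedObjectType]   # object class it applies to
            Inheritance = $_.InheritanceType
        }
    }
}

$ou = 'OU=Branch Office 1,DC=Adatum,DC=com'

# Expect entries for ADATUM\Branch 1 Administrators (user, group, computer
# objects, Group Policy links) and ADATUM\Branch 1 Help Desk (Reset Password,
# user read, group member) from Tasks 1 and 2
Get-OUDelegation -OUDistinguishedName $ou |
    Where-Object { $_.Identity -like 'ADATUM\Branch 1*' } |
    Format-Table Identity, Type, Rights, ObjectType, AppliesTo -AutoSize

# Server Operators can log on to domain controllers and manage their services;
# the branch groups were nested into it in Tasks 3 and 4, so every member of
# those groups (Holly, Bart) now holds that right indirectly. Expand recursively.
Get-ADGroupMember -Identity 'Server Operators' -Recursive |
    Select-Object SamAccountName, distinguishedName
```

Review this group's recursive membership whenever a branch group is added to it: nesting a help-desk group into Server Operators hands every help-desk member a domain controller logon right.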

Exercise 2: Creating and Configuring User Accounts in AD DS


X Task 1: Create a template user for the branch office
1. On LON-DC1, on the Taskbar, click Windows Explorer.

2. Click Desktop, and then double-click Computer.


3. Double-click Local Disk (C:).

4. On the menu, click Home, and then click New folder.

5. Type branch1-userdata, and then press Enter.


6. Right-click branch1-userdata, and then click Properties.

7. In the branch1-userdata Properties dialog box, on the Sharing tab, click Advanced Sharing.

8. Select the Share this folder check box, and then click Permissions.
9. In the Permissions for branch1-userdata dialog box, select the Full Control Allow check box, and
then click OK.

10. In the Advanced Sharing dialog box, click OK, and then in the branch1-userdata Properties dialog
box, click Close.

11. In Server Manager, click Tools.

12. Click Active Directory Users and Computers, and then expand Adatum.com.
13. Right-click Branch Office 1, point to New, and then click User.

14. In the New Object – User dialog box, in the Full name box, type _Branch_template.

15. In the User logon name box, type _Branch_template, and click Next.
16. In the Password and Confirm password boxes, type Pa$$w0rd.

17. Select the Account is disabled check box, and then click Next.

18. Click Finish.



X Task 2: Configure the template’s settings


1. From within the Branch Office 1 OU, right-click _Branch_template, and then click Properties.

2. In the _Branch_template Properties dialog box, on the Address tab, in the City box, type Slough.

3. Click the Member Of tab.

4. Click Add. In the Select Groups dialog box, in the Enter the object names to select (examples):
box, type Branch 1 Users, and then click OK.
5. Click the Profile tab.

6. Under Home folder, click Connect, and in the To: box, type \\lon-dc1\branch1-userdata\%username%.
7. Click Apply, and then click OK.

X Task 3: Create a new user for the branch office, based on the template
1. Right-click _Branch_template, and then click Copy.

2. In the New Object – User dialog box, in the First name box, type Ed.
3. In the Last name box, type Meadows.

4. In the User logon name box, type Ed, and then click Next.

5. In the Password and Confirm password boxes, type Pa$$w0rd.


6. Clear the User must change password at next logon check box.

7. Clear the Account is disabled check box, and then click Next.

8. Click Finish.
9. Right-click Ed Meadows, and then click Properties.

10. In the Ed Meadows Properties dialog box, click the Address tab. Notice that the City is configured.

11. Click the Profile tab. Notice that the home folder location is configured.

12. Click the Member Of tab. Notice that Ed belongs to the Branch 1 Users group. Click OK.

13. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.

14. On LON-DC1, click Sign out.

X Task 4: Log on as a user to test account settings


1. Switch to LON-CL1.

2. On your host computer, in the 20410A-LON-CL1 window, on the menu, click Ctrl+Alt+Delete.

3. On LON-CL1, click Sign out.


4. Log on to LON-CL1 as Adatum\Ed with the password of Pa$$w0rd.

5. On the Start screen, click Desktop.

6. On the Taskbar, click Windows Explorer.

7. In the navigation pane, click Desktop, and then in details, double-click Computer.

8. Verify that Drive Z is mapped to \\lon-dc1\branch1-userdata\Ed.

9. Double-click Ed (\\lon-dc1\branch1-userdata) (Z:).


10. If you receive no errors, you have been successful.

11. On your host computer, in the 20410A-LON-CL1 window, on the Action menu, click Ctrl+Alt+Delete.

12. On LON-CL1, click Sign out.

Results: After this exercise, you should have successfully created and tested a user account created from a
template.

Exercise 3: Managing Computer Objects in AD DS


X Task 1: Reset a computer account
1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.

2. On the task bar, click Server Manager.

3. In the User Account Control dialog box, in the User name box, type Holly. In the Password box,
type Pa$$w0rd, and then click Yes.

4. From Server Manager, click Tools.

5. Click Active Directory Users and Computers.

6. In Active Directory Users and Computers, expand Adatum.com.

7. In the navigation pane, click Branch Office 1.

8. In the details pane, right-click LON-CL1, and then click Reset Account.

9. In the Active Directory Domain Services dialog box, click Yes.

10. In the Active Directory Domain Services dialog box, click OK.

X Task 2: Observe the behavior when a client logs on


1. Switch to LON-CL1.

2. Log on as Adatum\Ed with the password Pa$$w0rd.

3. A message is displayed explaining that the trust relationship between this workstation and the
primary domain failed.

4. Click OK.

X Task 3: Rejoin the domain to reconnect the computer account


1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the Start screen, right-click the display, click All apps, and in the Apps list, click Control Panel.

3. In Control Panel, in the View by list, click Large icons.

4. Click System.

5. In the navigation list, click Advanced system settings.

6. In System Properties, click the Computer Name tab.

7. Click Network ID.

8. On the Select the option that describes your network page, click Next.

9. On the Is your company network on a domain page, click Next.

10. On the You will need the following information page, click Next.

11. On the Type your user name, password, and domain name for your domain account page, in
the Password box, type Pa$$w0rd. The other fields are completed. Click Next.

12. In the User Account and Domain Information dialog box, click Yes.

13. On the Do you want to enable a domain user account on this computer? page, click Do not add
a domain user account, and then click Next.

14. Click Finish, and then click OK.

15. In the Microsoft Windows dialog box, click Restart Now.

16. Log on as Adatum\Ed with the password Pa$$w0rd. The logon succeeds because the computer has
been rejoined to the domain and its computer account password is again in sync with AD DS.

Results: After this exercise, you should have successfully reset the trust relationship.
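The lab repairs the broken trust by running the domain-join wizard again. The same repair can be done from Windows PowerShell on the client without a rejoin or a restart, by testing and repairing the secure channel. The following is an added example, not part of the course material; it assumes LON-CL1 as configured in this lab and that Adatum\Administrator is allowed to reset the computer account password.

```powershell
# Added example (not part of the 20410A lab): check and repair the secure channel between
# LON-CL1 and Adatum.com after the computer account was reset in AD DS.
# Run in an elevated Windows PowerShell session on LON-CL1.
# Assumption: Adatum\Administrator may reset the computer account password.

# 1. Is the secure channel healthy? Returns $true or $false.
$ok = Test-ComputerSecureChannel -Verbose
if ($ok) {
    Write-Host 'Secure channel to the domain is healthy; nothing to repair.'
    return
}

# 2. The channel is broken (users see "The trust relationship between this workstation and
#    the primary domain failed"). -Repair resets the computer account password on both the
#    client and the domain controller, the same effect as the unjoin/rejoin in Task 3 but
#    without recreating the account and without a restart.
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Account allowed to reset computer passwords'
Test-ComputerSecureChannel -Repair -Credential $cred -Verbose

# 3. Confirm the repair and show which domain controller now holds the secure channel.
if (Test-ComputerSecureChannel) {
    nltest /sc_query:adatum.com
} else {
    throw 'Secure channel repair failed; fall back to rejoining the domain as in Task 3.'
}
```

Because the repair keeps the existing computer object, group memberships and Group Policy links on the account survive, which a delete-and-rejoin would lose.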

To prepare for the next module


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-DC1.



Module 4: Automating Active Directory Domain Services Administration
Lab: Automating AD DS Administration by
Using Windows PowerShell
Exercise 1: Creating User Accounts and Groups by Using Windows
PowerShell
Task 1: Create a user account by using Windows PowerShell
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell® prompt, type the following command, and then press Enter:

New-ADOrganizationalUnit LondonBranch

3. Type the following command, and then press Enter:

New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=LondonBranch,dc=adatum,dc=com"

4. Type the following command, and then press Enter:

Set-ADAccountPassword Ty

5. When prompted for the current password, press Enter.

6. When prompted for the desired password, type Pa$$w0rd, and then press Enter.

7. When prompted to repeat the password, type Pa$$w0rd, and then press Enter.

8. At the Windows PowerShell prompt, type Enable-ADAccount Ty, and then press Enter.

9. On LON-CL1, log on as Ty using a password of Pa$$w0rd.

10. Verify that logon is successful and then sign out of LON-CL1.

Task 2: Create a group by using Windows PowerShell


1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press
Enter:

New-ADGroup LondonBranchUsers -Path "ou=LondonBranch,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

2. Type the following command, and then press Enter:

Add-ADGroupMember LondonBranchUsers -Members Ty

3. Type the following command, and then press Enter:

Get-ADGroupMember LondonBranchUsers

Results: After completing this exercise, you will have created user accounts and groups by using Windows
PowerShell.

Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk


Task 1: Prepare the .csv file
1. On LON-DC1, on the taskbar, click the Windows Explorer icon.

2. In the Windows® Explorer window, expand E:, expand Labfiles, and then click Mod04.

3. Right-click LabUsers.ps1, and then click Edit.

4. In Windows PowerShell ISE, read the comments at the top of the script, and then identify the
requirements for the header in the .csv file.

5. Close Windows PowerShell ISE.


6. In Windows Explorer, double-click LabUsers.csv.

7. In the How do you want to open this type of file (.csv) window, click Notepad.

8. In Notepad, type the following line at the top of the file:


FirstName,LastName,Department,DefaultPassword

9. Click File, and then click Save.

10. Close Notepad.

Task 2: Prepare the script


1. On LON-DC1, in Windows Explorer, right-click LabUsers.ps1, and then click Edit.

2. In Windows PowerShell ISE, under Variables, replace C:\path\file.csv with
E:\Labfiles\Mod04\LabUsers.csv.

3. Under Variables, replace "ou=orgunit,dc=domain,dc=com" with
"ou=LondonBranch,dc=adatum,dc=com".

4. Click File, and then click Save.


5. Scroll down and review the contents of the script.

6. Close Windows PowerShell ISE.

Task 3: Run the script


1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter.

3. Type .\LabUsers.ps1, and then press Enter.

4. Type the following command, and then press Enter:

Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com"

5. Close the Windows PowerShell prompt.

6. On LON-CL1, log on as Luka using a password of Pa$$w0rd.

Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in
bulk.
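The course's LabUsers.ps1 is not reproduced in this answer key. The following is an added example of a script that does the same job with the header you added in Task 1 (FirstName,LastName,Department,DefaultPassword) and the OU you set in Task 2; it is my own code, not the lab file. It assumes the lab's CSV path and OU, uses FirstName as the logon name so that the logon as Luka in Task 3 works (a real deployment needs a uniqueness rule), and embeds two constructed rows so it runs even when the lab file is absent.

```powershell
# Added example (not the course's LabUsers.ps1): create AD DS users in bulk from a .csv
# with the header FirstName,LastName,Department,DefaultPassword, as in Exercise 2.
# Run on LON-DC1 as a user allowed to create objects in the target OU.
Import-Module ActiveDirectory

$csvPath   = 'E:\Labfiles\Mod04\LabUsers.csv'        # path set in Task 2
$ouPath    = 'ou=LondonBranch,dc=adatum,dc=com'     # OU set in Task 2
$upnSuffix = 'adatum.com'

# Constructed sample rows, used only when the lab file is absent, so the script runs stand-alone.
if (-not (Test-Path $csvPath)) {
    $csvPath = Join-Path $env:TEMP 'LabUsers-sample.csv'
    @'
FirstName,LastName,Department,DefaultPassword
Luka,Abrus,Sales,Pa$$w0rd
Ty,Carlson,IT,Pa$$w0rd
'@ | Set-Content -Path $csvPath -Encoding ASCII
}

# Refuse to run against a .csv with the wrong header: a missing column would otherwise
# create accounts with empty names or fail half-way through the list.
$rows = Import-Csv -Path $csvPath
if (-not $rows) { throw "No data rows found in $csvPath" }
$required = 'FirstName', 'LastName', 'Department', 'DefaultPassword'
$missing  = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV header is missing column(s): $($missing -join ', ')" }

foreach ($row in $rows) {
    $sam = $row.FirstName                 # matches the lab's logon names (Luka, Ty); assumption
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping $sam (account already exists)"
        continue
    }
    # The default password is only a bootstrap secret: the user must change it at first logon,
    # so the plaintext column in the .csv is worthless to an attacker after that logon.
    $securePwd = ConvertTo-SecureString -String $row.DefaultPassword -AsPlainText -Force
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
               -GivenName $row.FirstName -Surname $row.LastName `
               -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
               -Department $row.Department -Path $ouPath `
               -AccountPassword $securePwd -ChangePasswordAtLogon $true -Enabled $true
    Write-Host "Created $sam in $ouPath"
}

# Verify with the same query the lab uses in Task 3.
Get-ADUser -Filter * -SearchBase $ouPath | Select-Object Name, SamAccountName, Enabled
```

After the run, delete the .csv or at least the DefaultPassword column: the file holds the initial passwords in clear text, and -Enabled $true only succeeds when each password meets the domain password policy.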

Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk


Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, on the task bar, click the Windows PowerShell icon.

2. At the Windows PowerShell Prompt, type the following command, and then press Enter:

Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Format-Wide DistinguishedName

3. Verify that only users from the LondonBranch organizational unit are listed.

4. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Set-ADUser -ChangePasswordAtLogon $true

5. Close Windows PowerShell.

Task 2: Configure the address for user accounts in LondonBranch


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.

2. In Active Directory Administrative Center, in the Navigation pane, browse to Adatum (local) >
LondonBranch.

3. Click the Type column header to sort based on the object type.

4. Select all user accounts, right-click the user accounts, and then click Properties.

5. In the Multiple Users window, under Organization, select the Address check box.

6. In the Street box, type Branch Office.


7. In the City box, type London.

8. In the Country/Region box, select United Kingdom, and then click OK.

9. Close Active Directory Administrative Center.



Results: After completing this exercise, you will have modified user accounts in bulk.
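Piping Get-ADUser -Filter * into Set-ADUser changes every account the query returns, so the scope check in Task 1 is the important step. The following is an added example, not part of the course, that performs both tasks of this exercise in Windows PowerShell with a scope check and a dry run before anything is written. It assumes the lab's OU; the country attributes it writes are the ones Active Directory Administrative Center sets when you pick United Kingdom.

```powershell
# Added example (not from the course): the bulk changes of Exercise 3 in PowerShell,
# with a scope check and a -WhatIf dry run before the change is applied.
Import-Module ActiveDirectory
$ouPath = 'ou=LondonBranch,dc=adatum,dc=com'

# 1. Scope check. -SearchScope OneLevel returns only objects directly in the OU; the default
#    (Subtree) would also pick up users in any child OU created later.
$targets = Get-ADUser -Filter * -SearchBase $ouPath -SearchScope OneLevel
'{0} user(s) in scope:' -f $targets.Count
$targets | Format-Wide DistinguishedName -Column 1

# 2. Dry run: -WhatIf reports what Set-ADUser would do without changing anything.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# 3. Apply. Task 1 forces a password change at next logon; Task 2 sets the address.
#    -Country takes the ISO 3166 two-letter code and writes the 'c' attribute. ADAC also
#    writes 'co' (display name) and 'countryCode' (numeric), so set those to match its result.
$targets | Set-ADUser -ChangePasswordAtLogon $true `
                      -StreetAddress 'Branch Office' -City 'London' -Country 'GB' `
                      -Replace @{ co = 'United Kingdom'; countryCode = 826 }

# 4. Verify. AD DS records "must change password at next logon" as pwdLastSet = 0.
Get-ADUser -Filter * -SearchBase $ouPath -SearchScope OneLevel `
           -Properties StreetAddress, City, Country, co, pwdLastSet |
    Select-Object Name, StreetAddress, City, Country, co,
                  @{ n = 'MustChangePwd'; e = { $_.pwdLastSet -eq 0 } } |
    Format-Table -AutoSize
```

If the dry run lists a distinguished name you did not expect, fix the filter or SearchBase before step 3; there is no undo for a bulk Set-ADUser.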

To prepare for the next module


When you finish the lab, revert all virtual machines back to their initial state by performing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 to 3 for 20410A-LON-DC1.



Module 5: Implementing IPv4


Lab: Implementing IPv4
Exercise 1: Identifying Appropriate Subnets
Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?

Seven bits are required to support 100 hosts on the client subnet (2^7 - 2 = 126 usable addresses; 2^6 - 2 = 62 would be too few).

2. How many bits are required to support 10 hosts on the server subnet?

Four bits are required to support 10 hosts on the server subnet (2^4 - 2 = 14 usable addresses; 2^3 - 2 = 6 would be too few).

3. How many bits are required to support 40 hosts on the future expansion subnet?

Six bits are required to support 40 hosts on the future expansion subnet (2^6 - 2 = 62 usable addresses; 2^5 - 2 = 30 would be too few).

4. If all subnets are the same size, can they be accommodated?

No. If all subnets are the same size, then every subnet must use 7 host bits so that the client subnet
can hold its 100 hosts (126 usable addresses each). Only a single class C-sized network with 254 usable
addresses has been allocated, and three subnets of 128 addresses each would need 384, so they do not fit.

5. Which feature allows a single network to be divided into subnets of varying sizes?
Variable length subnet masking allows you to define different subnet masks when subnetting.
Therefore, variable length subnet masking allows you to have subnets of varying sizes.

6. How many host bits will you use for each subnet? Use the simplest allocation possible.

The client subnet is 7 host bits. This allows for up to 126 hosts and uses half of the allocated address
pool.
The server and future expansion subnets are 6 host bits. This allows for up to 62 hosts on each subnet
and uses the other half of the address pool.

Task 2: Calculate subnet masks and network IDs


1. Given the number of host bits allocated, what is the subnet mask that you will use for the client
subnet?

• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet
mask.

Binary Decimal

11111111.11111111.11111111.10000000 255.255.255.128

2. Given the number of host bits allocated, what is the subnet mask that you will use for the server
subnet?

• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet
mask.

Binary Decimal

11111111.11111111.11111111.11000000 255.255.255.192

3. Given the number of host bits allocated, what is the subnet mask that you will use for the future
expansion subnet?

• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the
subnet mask.

Binary Decimal

11111111.11111111.11111111.11000000 255.255.255.192

4. For the client subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the client subnet is the first subnet allocated from the available address pool.

Description   Binary                                 Decimal
Network ID    11000000.10101000.01100010.00000000    192.168.98.0
First host    11000000.10101000.01100010.00000001    192.168.98.1
Last host     11000000.10101000.01100010.01111110    192.168.98.126
Broadcast     11000000.10101000.01100010.01111111    192.168.98.127

5. For the server subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the server subnet is the second subnet allocated from the available address
pool.

Description   Binary                                 Decimal
Network ID    11000000.10101000.01100010.10000000    192.168.98.128
First host    11000000.10101000.01100010.10000001    192.168.98.129
Last host     11000000.10101000.01100010.10111110    192.168.98.190
Broadcast     11000000.10101000.01100010.10111111    192.168.98.191



6. For the future allocation subnet, define the network ID, first available host, last available host, and
broadcast address. Assume that the future allocation subnet is the third subnet allocated from the
available address pool.

Description   Binary                                 Decimal
Network ID    11000000.10101000.01100010.11000000    192.168.98.192
First host    11000000.10101000.01100010.11000001    192.168.98.193
Last host     11000000.10101000.01100010.11111110    192.168.98.254
Broadcast     11000000.10101000.01100010.11111111    192.168.98.255

Results: After completing this exercise, you will have identified the subnets required to meet the
requirements of the lab scenario.
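The tables above were derived by hand. The following is an added example, not part of the course, that computes the same VLSM plan so the hand-derived network IDs, host ranges and broadcast addresses can be checked. It assumes the allocated block is 192.168.98.0/24 and, like the lab's "simplest allocation", gives the server subnet 6 host bits rather than the 4 it strictly needs, so that the two smaller subnets are equal halves of the remaining space.

```powershell
# Added example (not from the course): calculate the Exercise 1 subnet plan.
# Assumptions: allocated block 192.168.98.0/24; subnets allocated in the order clients,
# servers, future expansion; the server subnet is rounded up to 6 host bits as in the lab.

function ConvertTo-DottedBinary([int64]$Value) {
    $bits = [Convert]::ToString($Value, 2).PadLeft(32, '0')
    ($bits.Substring(0, 8), $bits.Substring(8, 8), $bits.Substring(16, 8), $bits.Substring(24, 8)) -join '.'
}
function ConvertTo-Dotted([int64]$Value) {
    $b = [BitConverter]::GetBytes([uint32]$Value)   # little-endian on x86/x64
    [Array]::Reverse($b)                            # to network (big-endian) byte order
    $b -join '.'
}
function ConvertFrom-Dotted([string]$Address) {
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()   # network order
    [int64]$v = 0
    foreach ($octet in $b) { $v = ($v -shl 8) -bor $octet }
    $v
}
# Smallest number of host bits h such that 2^h - 2 >= hosts (network and broadcast excluded).
function Get-HostBits([int]$Hosts) {
    $h = 1
    while (([math]::Pow(2, $h) - 2) -lt $Hosts) { $h++ }
    $h
}

function Get-SubnetPlan([string]$Block, [int]$BlockPrefix, [hashtable[]]$Requests) {
    $next = ConvertFrom-Dotted $Block
    $end  = $next + ([int64]1 -shl (32 - $BlockPrefix))
    foreach ($r in $Requests) {
        $hostBits = if ($r.HostBits) { $r.HostBits } else { Get-HostBits $r.Hosts }
        $size     = [int64]1 -shl $hostBits
        $align    = $size - 1
        $next     = ($next + $align) -band (-bnot $align)   # a subnet must start on a multiple of its size
        if ($next + $size -gt $end) { throw "Block exhausted before '$($r.Name)'" }
        $netId = $next
        $bcast = $next + $size - 1
        [pscustomobject]@{
            Subnet    = $r.Name
            Prefix    = 32 - $hostBits
            Mask      = ConvertTo-Dotted ((([int64]1 -shl 32) - 1) -bxor $align)
            NetworkID = ConvertTo-Dotted $netId
            FirstHost = ConvertTo-Dotted ($netId + 1)
            LastHost  = ConvertTo-Dotted ($bcast - 1)
            Broadcast = ConvertTo-Dotted $bcast
            Binary    = ConvertTo-DottedBinary $netId
        }
        $next = $bcast + 1
    }
}

Get-SubnetPlan -Block '192.168.98.0' -BlockPrefix 24 -Requests @(
    @{ Name = 'Clients';          Hosts = 100 },               # needs 7 host bits -> /25
    @{ Name = 'Servers';          Hosts = 10; HostBits = 6 },  # needs 4, rounded up to 6 as in the lab
    @{ Name = 'Future expansion'; Hosts = 40 }                 # needs 6 host bits -> /26
) | Format-Table -AutoSize
```

Remove the HostBits override on the server subnet to see the strictly minimal plan: the servers then get a /28 at 192.168.98.128, and the alignment step pushes the /26 for future expansion to 192.168.98.192, leaving 192.168.98.144 to .191 unused.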

Exercise 2: Troubleshooting IPv4


Task 1: Prepare for troubleshooting
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter.

3. Open a Windows Explorer window, and browse to \\LON-DC1\E$\Labfiles\Mod05.

4. Right-click Break.ps1, and then click Run with PowerShell.


5. Close Windows Explorer.

Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1


1. On LON-SVR2, at the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice
that the destination host is unreachable.

2. Type tracert LON-DC1, and then press Enter. Notice that the first hop is not the default gateway:
the trace never reaches the router, so packets for LON-DC1 are being sent somewhere else.

3. Type ipconfig, and then press Enter. Notice that the default gateway is configured correctly.

4. Type ping 10.10.0.1, and then press Enter. Notice that the default gateway is responding, but that
packets are not being routed there.

5. Type Get-NetRoute, and then press Enter. Notice that the entry for the default gateway (0.0.0.0) is
correct, but there is an unnecessary entry for the 172.16.0.0 network.

6. Type Remove-NetRoute -DestinationPrefix 172.16.0.0/16, and then press Enter. This removes the
unnecessary route to the 172.16.0.0 network, so traffic for LON-DC1 is routed through the default gateway instead.

7. Press Y, and then press Enter to confirm removal of the route from the active routes.

8. Type ping LON-DC1, and then press Enter. Notice that the ping is now successful.
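The diagnosis in Task 2 (destination unreachable, gateway reachable, a more specific route hijacking the traffic) is worth keeping as a repeatable check, because a stray static route is a common way to misroute or intercept traffic. The following is an added example, not part of the course, that asks the stack which route it will use for LON-DC1, lists every route that sends traffic somewhere other than the default gateway, and removes only administrator-added routes after confirmation. It assumes the lab's addresses (LON-DC1 172.16.0.10, default gateway 10.10.0.1) and that the rogue route points at a next hop other than the gateway.

```powershell
# Added example (not from the course): the Task 2 diagnosis as a repeatable check on LON-SVR2.
# Assumptions: LON-DC1 is 172.16.0.10 and the default gateway is 10.10.0.1, as in the lab.
$target  = '172.16.0.10'   # LON-DC1
$gateway = '10.10.0.1'

# 1. Which route does the stack actually pick for the target? Find-NetRoute returns the source
#    address and the winning (longest-prefix) route; keep the route object.
$route = Find-NetRoute -RemoteIPAddress $target | Where-Object { $_.DestinationPrefix }
'Traffic to {0} uses prefix {1} via next hop {2}' -f $target, $route.DestinationPrefix, $route.NextHop

# 2. List routes that are neither on-link (next hop 0.0.0.0) nor via the expected gateway.
#    Any such route steers traffic away from the router and deserves an explanation.
$suspect = Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' -and $_.NextHop -notin '0.0.0.0', $gateway }
$suspect | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol -AutoSize

# 3. Remove only routes an administrator (or a script such as Break.ps1) added by hand.
#    Protocol 'NetMgmt' marks routes created with route add or New-NetRoute.
foreach ($r in $suspect) {
    if ($r.Protocol -eq 'NetMgmt') {
        Remove-NetRoute -DestinationPrefix $r.DestinationPrefix -NextHop $r.NextHop -Confirm
    }
}

# 4. Re-test connectivity to the target.
Test-Connection -ComputerName $target -Count 2
```

Routes with Protocol values other than NetMgmt (for example routes learned from DHCP or the interface's own on-link prefixes) are left alone; removing those would break connectivity rather than fix it.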

Task 3: To prepare for the next module


When you have finished the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.

Results: After completing this lab, you will have resolved an IPv4 connectivity problem.

Module 6: Implementing DHCP


Lab: Implementing DHCP
Exercise 1: Implementing DHCP
Task 1: Install the DHCP server role
1. Switch to LON-SVR1.

2. In Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Next.

5. On Select destination server page, click Next.

6. On the Select server roles page, select the DHCP Server check box.

7. In the Add Roles and Features Wizard window, click Add Features, and then click Next.

8. On the Select features page, click Next.


9. On the DHCP Server page, click Next.

10. On the Confirm installation selections page, click Install.

11. On the Installation progress page, wait until the following information appears – Installation
succeeded on lon-svr1.adatum.com, and then click Close.

Task 2: Configure the DHCP scope and options


1. In the Server Manager Dashboard, click Tools, and then click DHCP.

2. In the DHCP console, expand lon-svr1.adatum.com.


3. Right-click lon-svr1.adatum.com, and then click Authorize.

4. In the DHCP console, right-click lon-svr1.adatum.com, and then click Refresh. Notice that the icons
next to IPv4 and IPv6 change color from red to green, which indicates that the DHCP server has been
authorized in Active Directory® Domain Services (AD DS).

5. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click
IPv4, and then click New Scope.
6. In the New Scope Wizard, click Next.

7. On the Scope Name page, in the Name box, type Branch Office, and then click Next.

8. On the IP Address Range page, complete the page using the following information:

o Start IP address: 172.16.0.100

o End IP address: 172.16.0.200

o Length: 16

o Subnet mask: 255.255.0.0, and then click Next.

9. On the Add Exclusions and Delay page, complete the page using the following information:

o Start IP address: 172.16.0.190

o End IP address: 172.16.0.200

Click Add, and then click Next.

10. On the Lease Duration page, click Next.



11. On the Configure DHCP Options page, click Next.

12. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then
click Next.

13. On the Domain Name and DNS Servers page, click Next.

14. On the WINS Servers page, click Next.


15. On the Activate Scope page, click Next.

16. On the Completing the New Scope Wizard page, click Finish.

Task 3: Configure the client to use DHCP, and then test the configuration
1. To configure a client, switch to the LON-CL1 computer.

2. Move the mouse to the lower-right corner of the screen, click the Search icon, and then in the Search
box, type Control Panel. Press Enter.

3. In Control Panel, under Network and Internet, click View Network Status and Tasks.
4. In the Network and Sharing Center window, click Change Adapter Settings.

5. In the Network Connections window, right-click Local Area Connection, and then click Properties.

6. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.

7. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Obtain an IP address
automatically, select Obtain DNS server address automatically, click OK, and then click Close.

8. Move the mouse to the lower-right corner of the screen, click the Search icon, and then in the Search
box, type Command Prompt. Press Enter.
9. Type ipconfig /renew, and then press Enter.

10. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by
typing in the command prompt: ipconfig /all.

This command will return information, such as IP address, subnet mask and DHCP enabled status,
which should be Yes.

Task 4: Configure a lease as a reservation


1. Switch to LON-CL1.

2. In the command prompt, type ipconfig /all, and then press Enter.

3. Write down the Physical Address of LON-CL1 network adapter.

4. Switch to LON-SVR1.

5. In the Server Manager dashboard, click Tools, and then click DHCP.

6. In the DHCP console, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office, right-click
Reservations, and then click New Reservation.

7. In the New Reservation window:

o In the Reservation Name field, type LON-CL1.

o In the IP address field, type 172.16.0.155.

o In the MAC address field, type the physical address that you wrote down in step 3.

o Click Add, and then click Close.

8. Switch to LON-CL1.

9. In a command prompt, type ipconfig /release, and then press Enter. This causes LON-CL1 to release
any currently leased IP addresses.

10. In a command prompt, type ipconfig /renew, and then press Enter. This causes LON-CL1 to lease
any reserved IP addresses.

11. Verify that IP address of LON-CL1 is now 172.16.0.155.

Task 5: To prepare for the optional exercise


If you are going to do the optional lab, revert the virtual machines that are no longer required. To do
this, complete the following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1.

Results: After completing these tasks, you will have implemented DHCP, configured a DHCP scope and
options, and configured a DHCP reservation.
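Everything done through the DHCP console in Tasks 2 and 4 can also be scripted with the DhcpServer module that ships with the role in Windows Server 2012, which makes the configuration reviewable and repeatable. The following is an added example, not part of the course; it uses the lab's values, assumes LON-SVR1's address is 172.16.0.21, and uses a constructed placeholder MAC address that must be replaced with the physical address recorded in Task 4, step 3.

```powershell
# Added example (not from the course): Exercise 1, Tasks 2 and 4 with the DhcpServer module.
# Run on LON-SVR1 as an Enterprise Admin (authorization) / DHCP Administrator (scope).
# Assumptions: LON-SVR1 is 172.16.0.21; the MAC below is a constructed placeholder.
Import-Module DhcpServer

# Authorize the server in AD DS. A Windows DHCP server in a domain refuses to hand out leases
# until it is authorized. This stops a mis-deployed Windows server; it does nothing against a
# rogue non-Windows DHCP server, which is why DHCP snooping on switches still matters.
if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq 'lon-svr1.adatum.com')) {
    Add-DhcpServerInDC -DnsName 'lon-svr1.adatum.com' -IPAddress 172.16.0.21
}

# Scope, exclusion range and router option, exactly as entered in the New Scope Wizard.
$scopeId = '172.16.0.0'
Add-DhcpServerv4Scope -Name 'Branch Office' -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
                      -SubnetMask 255.255.0.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 172.16.0.190 -EndRange 172.16.0.200
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 172.16.0.1

# Reservation for LON-CL1 (Task 4). ClientId is the adapter's MAC address, written with dashes.
$lonCl1Mac = '00-15-5D-00-00-01'   # constructed placeholder; use the value from ipconfig /all
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress 172.16.0.155 `
                            -ClientId $lonCl1Mac -Name 'LON-CL1' -Description 'Lab reservation'

# Verify what the server now offers and what the exclusion leaves usable.
Get-DhcpServerv4Scope -ScopeId $scopeId | Format-List Name, StartRange, EndRange, SubnetMask, State
Get-DhcpServerv4ExclusionRange -ScopeId $scopeId
Get-DhcpServerv4Reservation -ScopeId $scopeId
Get-DhcpServerv4Statistics            # AddressesFree and AddressesInUse across all scopes
```

The reservation address 172.16.0.155 lies inside the scope and outside the excluded range, which is what Task 4 requires; a reservation inside an exclusion is still honored, but the exclusion then serves no purpose for that address.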

Exercise 2: Implementing a DHCP Relay (Optional Exercise)


Task 1: Install the DHCP relay agent
1. Switch to LON-RTR.

2. In Server Manager, click on Tools, and then click Routing and Remote Access.

3. In the navigation pane, expand LON-RTR (local), expand IPv4, right-click General, and then click
New Routing Protocol.

4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.

Task 2: Configure the DHCP relay agent


1. In the navigation pane, right-click DHCP Relay Agent and then click New Interface.

2. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then
click OK.

3. In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.

4. Right-click DHCP Relay Agent and then click Properties.

5. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click
Add, and then click OK.

6. Close Routing and Remote Access.

Task 3: Test the DHCP relay with a client

Note: In order to test how a client receives an IP address from DHCP Relay in another
subnet, we need to create another DHCP scope.

1. Switch to LON-SVR1.

2. In the Server Manager Dashboard, click Tools, and then click DHCP.

3. In the DHCP console, expand lon-svr1.adatum.com.

4. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click
IPv4, and then click New Scope.
5. In the New Scope Wizard, click Next.

6. On the Scope Name page, in the Name box, type Branch Office 2, and then click Next.

7. On the IP Address Range page, complete the page using the following information, and then click
Next:

o Start IP address: 10.10.0.100

o End IP address: 10.10.0.200

o Length: 16

o Subnet mask: 255.255.0.0

8. On the Add Exclusions and Delay page, complete the page using the following information, click
Add, and then click Next:

o Start IP address: 10.10.0.190

o End IP address: 10.10.0.200


9. On the Lease Duration page, click Next.

10. On the Configure DHCP Options page, click Next.

11. On the Router (Default Gateway) page, in the IP address box, type 10.10.0.1, click Add, and then
click Next.

12. On the Domain Name and DNS Servers page, click Next.

13. On the WINS Servers page, click Next.

14. On the Activate Scope page, click Next.

15. On the Completing the New Scope Wizard page, click Finish.

16. To test the client, switch to LON-CL2.

17. On the Start screen, type Control Panel. Press Enter.

18. Under Network and Internet, click View network status and tasks.

19. In the Network and Sharing Center window, click Change Adapter Settings, right-click Local Area
Connection, and then click Properties.

20. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4) and
then click Properties.

21. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Obtain an IP address
automatically, select Obtain DNS server address automatically, click OK, and then click Close.

22. Move the mouse to the lower-right corner of the screen, click the Search icon, type cmd, and then
press Enter to start a command prompt.

23. In the command prompt, type ipconfig /renew, and then press Enter.



24. Verify that the IP address and DNS server settings on LON-CL2 were obtained from the Branch Office 2
scope on the DHCP server LON-SVR1, across the relay agent on LON-RTR.

Note: The IP address should be in the range 10.10.0.100 to 10.10.0.189 with a subnet mask of
255.255.0.0; the addresses 10.10.0.190 to 10.10.0.200 are excluded from the scope.

Task 4: To prepare for the next module


When you have finished the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.

Results: After completing these tasks, you will have implemented a DHCP relay agent.

Module 7: Implementing DNS


Lab: Implementing DNS
Exercise 1: Installing and Configuring DNS
Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role
1. Log on to LON-SVR1 as Adatum\Administrator using the password of Pa$$w0rd.

2. In the Server Manager console, click Add roles and features.

3. On the Before you begin page, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, make sure that LON-SVR1.Adatum.com is selected, and
then click Next.

6. On the Select server roles page, select Active Directory Domain Services.

7. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.

8. On the Select features page, click Next.

9. On the Active Directory Domain Services page, click Next.

10. On the Confirm installation selections page, click Install.


11. On the Installation progress page, when the Installation succeeded message displays, click Close.

12. In the Server Manager console, on the navigation page, click AD DS.

13. At the title bar where Configuration required for Active Directory Domain Services at LON-SVR1
displays, click More.

14. On the All Server Task Details and Notifications page, click Promote this server to a domain
controller.

15. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration
page, ensure that Add a domain controller to an existing domain is selected, and then click Next.

16. On the Domain Controller Options page, clear the Domain Name System (DNS) server check box,
and leave only Global Catalog (GC) selected. Type Pa$$w0rd in both Directory Services Restore Mode
(DSRM) password boxes, and then click Next.

17. On the Additional Options page, click Next.

18. On the Paths page, click Next.

19. On the Review Options page, click Next.

20. On the Prerequisites Check page, click Install.

Note: The server restarts automatically as part of the procedure.

21. After LON-SVR1 restarts, log on as Adatum\Administrator.



Task 2: Review configuration settings on the existing DNS server to confirm root hints
1. Log on to LON-DC1 as Adatum\Administrator using the password Pa$$w0rd.

2. In the Server Manager console, click Tools.

3. Click DNS.

4. In the DNS Manager console, right-click LON-DC1, and then select Properties.

5. Click the Root hints tab. Ensure that root hints servers display.

6. Click the Forwarders tab. Ensure that the list displays no entries, and that the Use root hints if no
forwarders are available option is selected.

7. Click Cancel.

8. Close the DNS Manager console.

Task 3: Add the DNS server role for the branch office on the domain controller
1. On LON-SVR1, in the Server Manager console, click Add roles and features.

2. On the Before you begin page, click Next.


3. On the Select installation type page, click Next.

4. On the Select destination server page, ensure that LON-SVR1.Adatum.com is selected, and then
click Next.
5. On the Select server roles page, select DNS Server.

6. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.

7. On the Select Features page, click Next.

8. On the DNS Server page, click Next.

9. On the Confirm installation selections page, click Install.

10. On the Installation progress page, when the message Installation succeeded displays, click Close.

Task 4: Verify replication of the Adatum.com Active Directory–integrated zone


1. On LON-SVR1, in the Server Manager console, click Tools.

2. Select DNS.

3. In the DNS Manager console, expand LON-SVR1, and then expand Forward Lookup Zones. This
container will most likely be empty.

4. Switch back to Server Manager, click Tools, and then select Active Directory Sites and Services.

5. In the Active Directory Sites and Services console, expand Sites, expand Default-First-Site-Name,
expand Servers, expand LON-DC1, and then click NTDS Settings.

6. In the right pane, right-click the LON-SVR1 replication connection, and select Replicate Now.

Note: If you receive an error message, proceed to the next step and then retry this step
after 3-4 minutes.

7. In the navigation pane, expand LON-SVR1, and then click NTDS Settings.

8. In the right pane, right-click the LON-DC1 replication connection, and then select Replicate Now.
Click OK.

9. Switch back to the DNS Manager console, right-click Forward Lookup Zones, and then select
Refresh.

10. Ensure that both the _msdcs.Adatum.com and Adatum.com containers display.

11. Close DNS Manager.

Task 5: Use NSLookup to test non-local resolution


1. On LON-SVR1, switch to the Start screen, and type Control Panel. Press Enter.

2. In Control Panel, click View network status and tasks.

3. Click Change adapter settings.

4. Right-click Local Area connection, and then select Properties.

5. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.


6. In the preferred DNS server field, remove the IP address, type 127.0.0.1, click OK, and then click
Close.

7. On LON-SVR1, right-click the taskbar, and select Task Manager.

8. In the Task Manager window, click More details.

9. Click the File menu, and then click Run new task.

10. In the Create new task window, type cmd, and then press Enter.
11. In the command prompt window, type nslookup, and press Enter.

12. At the nslookup prompt, type www.nwtraders.msft, and then press Enter. The lookup fails:
LON-SVR1 is not authoritative for nwtraders.msft and has no forwarder configured yet, so it can only
try the root hint servers, which are not reachable from the lab network.

13. In the command prompt window type quit, and press Enter.

14. Leave the command prompt window open.

Task 6: Configure Internet name resolution to forward to the head office


1. On LON-SVR1, open the DNS Manager console.

2. In the DNS Manager console, right-click LON-SVR1, and then click Properties.

3. Click the Forwarders tab, and then click Edit.

4. In the Edit Forwarders window, type 172.16.0.10, and then click OK two times.

Task 7: Use NSLookup to confirm name resolution


1. On LON-SVR1, switch to a command prompt window.

2. In the command prompt window, type nslookup, and then press Enter.

3. At the nslookup prompt, type www.nwtraders.msft, and then press Enter.


4. Ensure that you receive an IP address for this host as a non-authoritative answer.

5. Type quit, and then press Enter.

Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.

Exercise 2: Creating Host Records in DNS


Task 1: Configure a client to use LON-SVR1 as a DNS server
1. On LON-CL1, log on as Adatum\Administrator using the password Pa$$w0rd.

2. On the Start screen, type Control Panel. Press Enter.

3. In Control Panel, click View network status and tasks.


4. Click Change adapter settings.

5. Right-click Local Area connection, and then select Properties.

6. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

7. Delete the IP address for preferred DNS server. In the preferred DNS server box, type 172.16.0.21,
click OK, and then click Close.

Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, in the Server Manager console, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click on
Adatum.com.

3. Right-click Adatum.com, and select New Host (A or AAAA).


4. In the New Host window, configure the following settings:

o Name: www

o IP address: 172.16.0.100

5. Click Add Host, and then click OK.

6. In the New Host window, configure the following settings:

o Name: ftp

o IP address: 172.16.0.200

7. Click Add Host, click OK, and then click Done.

Task 3: Verify replication of new records to LON-SVR1


1. On LON-SVR1, in the Server Manager console, click Tools, and then click DNS.

2. In the DNS Manager console, expand LON-SVR1, expand Forward Lookup Zones, and then click
Adatum.com.

3. Ensure that both www and ftp resource records display. (If they do not display, right-click
Adatum.com, and then select Refresh). It may take a couple of minutes for the records to appear.

Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.

2. In the Task Manager window, click More details.


3. Open the File menu, and then select Run new task.

4. In the Create new task window, type cmd, and then press Enter.

5. In the Command prompt window, type ping www.adatum.com, and then press Enter.

6. Make sure that the name resolves to 172.16.0.100. (You will not receive replies.)

7. Type ping ftp.adatum.com, and then press Enter.



8. Ensure that name resolves to 172.16.0.200 (You will not receive replies.)

9. Close the command prompt window and the Task Manager.

Results: After completing this exercise, you will have configured DNS records.
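The forwarder configuration, record creation and verification from Exercises 1 and 2 can be done and, more importantly, re-checked with the DnsServer module. The following is an added example, not part of the course; it runs on LON-SVR1, targets LON-DC1 with -ComputerName for the zone edits, resolves through LON-SVR1 explicitly so that the test exercises the forwarder and the replicated zone rather than whatever DNS server the client happens to use, and assumes the lab's addresses (LON-DC1 172.16.0.10, LON-SVR1 172.16.0.21).

```powershell
# Added example (not from the course): forwarder, records and verification for Exercises 1 and 2.
# Run on LON-SVR1 as Adatum\Administrator. Assumptions: LON-DC1 is 172.16.0.10, LON-SVR1 is 172.16.0.21.
Import-Module DnsServer

# Exercise 1, Task 6: forward everything this server is not authoritative for to head office,
# and fall back to root hints only if the forwarder does not answer.
Set-DnsServerForwarder -IPAddress 172.16.0.10 -UseRootHint $true
Get-DnsServerForwarder

# Exercise 2, Task 2: create the records on LON-DC1. The zone is AD-integrated, so the records
# reach LON-SVR1 through AD DS replication rather than a zone transfer.
Add-DnsServerResourceRecordA -ComputerName LON-DC1 -ZoneName 'Adatum.com' -Name 'www' -IPv4Address 172.16.0.100
Add-DnsServerResourceRecordA -ComputerName LON-DC1 -ZoneName 'Adatum.com' -Name 'ftp' -IPv4Address 172.16.0.200

# Exercise 2, Task 3: wait (up to five minutes) for replication, then confirm both records are local.
$deadline = (Get-Date).AddMinutes(5)
do {
    $recs = Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType A -ErrorAction SilentlyContinue |
            Where-Object { $_.HostName -in 'www', 'ftp' }
    if ($recs.Count -eq 2) { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)
$recs | Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# Exercise 1, Task 7 and Exercise 2, Task 4: query LON-SVR1 explicitly. The first answer comes
# through the forwarder and is non-authoritative; the second comes from the local zone replica.
Resolve-DnsName -Name www.nwtraders.msft -Server 172.16.0.21 -Type A
Resolve-DnsName -Name www.adatum.com     -Server 172.16.0.21 -Type A
```

Using -Server in Resolve-DnsName bypasses the client's resolver cache and its configured DNS servers, which is why it gives a cleaner verification than ping: ping in Task 4 reports whatever LON-CL1 has cached, a point Exercise 3 goes on to demonstrate.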

Exercise 3: Managing the DNS Server Cache


X Task 1: Use the ping command to locate Internet record from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.

2. In the Task Manager window, click More details.

3. Open the File menu, and select Run new task.


4. In the Create new task window, type cmd, and then press Enter.

5. In the command prompt window, type ping www.nwtraders.msft, and then press Enter.

6. The ping requests time out, but ensure that the name resolves to an IP address.
7. Leave the command prompt window open.

X Task 2: Update Internet record to point to the LON-DC1 IP address, retry the
location using ping
1. On LON-DC1, open DNS Manager.

2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click
nwtraders.msft.

3. In the right pane, right-click www, and then click Properties.

4. Change the IP address to 172.16.0.10, and then click OK.

5. Switch back to LON-CL1.

6. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. Ping will
not work, and the old IP address will still be displayed in command prompt window.

X Task 3: Examine the content of the DNS cache


1. Switch to LON-SVR1, and in the Server Manager console, click Tools, and then click DNS.

2. Select LON-SVR1, click the View menu, and then select Advanced.

3. Expand LON-SVR1, expand the Cached Lookups node, expand .(root), expand msft, and then click
nwtraders.

4. In the right pane, examine the cached content.

5. Switch to LON-CL1.
6. In the command prompt window, type ipconfig /displaydns, and then press Enter.

7. Look for cached entries.

X Task 4: Clear the cache, and retry ping


1. On LON-SVR1, in the DNS Manager console, right-click LON-SVR1, and then select Clear Cache.

2. Switch to LON-CL1.

3. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. The old IP
address is still returned.

4. In a command prompt window, type ipconfig /flushdns, and then press Enter.

5. In the command prompt window, type ping www.nwtraders.msft, and press Enter.

6. Ping should now receive replies from 172.16.0.10.

X Task 5: To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Results: After completing this exercise, you will have examined the DNS server cache.
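The Exercise 3 sequence with cmdlets, as an added example that is not part of the course material. It shows, as data rather than by reading ping output, why the client kept the old address after the server cache was cleared in Task 4 step 1, and it reads the one cache setting worth checking while you are there. It assumes LON-DC1 hosts nwtraders.msft, that LON-SVR1 (172.16.0.21) is LON-CL1's DNS server, and that it runs where both the DnsServer and DnsClient modules are available (LON-SVR1, or LON-CL1 with RSAT installed).

```powershell
# Added example, not part of the course material. Assumes LON-DC1 hosts nwtraders.msft,
# LON-SVR1 (172.16.0.21) is LON-CL1's DNS server, and this runs where the DnsServer and
# DnsClient modules are both available (LON-SVR1, or LON-CL1 with RSAT installed).
$zone = 'nwtraders.msft'
$name = "www.$zone"
$svr  = '172.16.0.21'

# Task 2: repoint www on the authoritative server. Clone/Set is how a record is edited in place.
$old = Get-DnsServerResourceRecord -ComputerName LON-DC1 -ZoneName $zone -Name www -RRType A
$new = $old.Clone()
$new.RecordData.IPv4Address = [ipaddress]'172.16.0.10'
Set-DnsServerResourceRecord -ComputerName LON-DC1 -ZoneName $zone -OldInputObject $old -NewInputObject $new | Out-Null

function Get-LabAnswer {
    # Task 3 as data: what LON-SVR1 serves for the name (its cached copy until the TTL runs
    # out) next to what this host's own resolver cache still holds.
    param([string]$Name, [string]$Server)
    $fromServer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction SilentlyContinue
    $fromCache  = Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FromServer = @($fromServer | Where-Object { $_.IPAddress } | ForEach-Object IPAddress) -join ','
        ServerTTL  = @($fromServer | Where-Object { $_.IPAddress } | ForEach-Object TTL) -join ','
        LocalCache = @($fromCache | ForEach-Object Data) -join ','
        LocalTTL   = @($fromCache | ForEach-Object TimeToLive) -join ','
    }
}
Get-LabAnswer -Name $name -Server $svr   # both columns still show the old address

# Task 4 in the order that works: server cache first, then the client's. Clearing only the
# server (step 1) changes nothing for a client whose own cache still holds the old answer.
Clear-DnsServerCache -ComputerName LON-SVR1 -Force
Clear-DnsClientCache
Get-LabAnswer -Name $name -Server $svr   # FromServer is now 172.16.0.10; LocalCache is empty or the new address

# One setting to read while you are here: cache locking keeps a cached record from being
# overwritten by an unsolicited answer until this percentage of its TTL has passed. 100 is
# the default and the value to leave in place.
Get-DnsServerCache -ComputerName LON-SVR1 | Select-Object LockingPercent, MaxTtl, MaxNegativeTtl
```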

Module 8: Implementing IPv6


Lab: Implementing IPv6
Exercise 1: Configuring an IPv6 Network
X Task 1: Verify IPv4 routing
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type ping lon-dc1, and then press Enter. Notice that there are
four replies from 172.16.0.10.

3. Type ipconfig, and then press Enter.

4. Verify that the only IPv6 address listed is a link-local address.

X Task 2: Disable IPv6 on LON-DC1


1. On LON-DC1, in Server Manager, click Local Server.

2. In the Properties window, beside Local Area Connection, click 172.16.0.10, IPv6 enabled.

3. In the Network Connections window, right-click Local Area Connection, and then click Properties.

4. In the Local Area Connection Properties window, clear the Internet Protocol Version 6 (TCP/IPv6)
check box, and then click OK.

5. Close the Network Connections window.

6. In Server Manager, verify that Local Area Connection lists only 172.16.0.10. You may need to
refresh the view.

X Task 3: Disable IPv4 on LON-SVR2


1. On LON-SVR2, in Server Manager, click Local Server.
2. In the Properties window, next to Local Area Connection 2, click 10.10.0.24, IPv6 enabled.

3. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.

4. In the Local Area Connection 2 Properties window, clear the Internet Protocol Version 4 (TCP/IPv4)
check box, and then click OK.

5. Close the Network Connections window.

6. In Server Manager, verify that Local Area Connection 2 now lists only IPv6 enabled. You may need
to refresh the view.

X Task 4: Configure an IPv6 network on LON-RTR


1. On LON-RTR, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:

New-NetRoute -InterfaceAlias "Local Area Connection 2" -DestinationPrefix 2001:db8:0:1::/64 -Publish Yes

3. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:

Set-NetIPInterface -InterfaceAlias "Local Area Connection 2" -AddressFamily IPv6 -Advertising Enabled

4. Type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on
the 2001:db8:0:1::/64 network.

X Task 5: Verify IPv6 on LON-SVR2


• On LON-SVR2, at the Windows PowerShell prompt, type ipconfig, and then press Enter. Notice that
Local Area Connection 2 now has an IPv6 address on the 2001:db8:0:1::/64 network.

Results: After completing the exercise, students will have configured an IPv6-only network.
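Exercise 1 as a script, as an added example that is not part of the course material. Each section runs on the host named in its comment; the adapter names and the 2001:db8:0:1::/64 prefix are the ones used in the steps above. The last function reads back what autoconfiguration produced, which is the check a practitioner wants: the PrefixOrigin and SuffixOrigin fields prove the address came from the Router Advertisement. Note what the LON-RTR section demonstrates about trust on a segment: any host that enables Advertising is accepted as a router by its neighbours, which is why production switches filter Router Advertisements (RA Guard) on access ports.

```powershell
# Added example, not part of the course material. Each section runs on the host named in
# its comment; adapter names and prefix are those used in the lab steps.

# LON-DC1: unbind IPv6 from the adapter (what clearing the TCP/IPv6 check box does).
Disable-NetAdapterBinding -Name 'Local Area Connection' -ComponentID ms_tcpip6
Get-NetAdapterBinding -Name 'Local Area Connection' -ComponentID ms_tcpip6 | Select-Object Name, Enabled

# LON-SVR2: unbind IPv4 from the adapter on the IPv6-only segment.
Disable-NetAdapterBinding -Name 'Local Area Connection 2' -ComponentID ms_tcpip

# LON-RTR: publish the prefix (so it is carried in Router Advertisements) and start advertising.
$alias = 'Local Area Connection 2'
New-NetRoute -InterfaceAlias $alias -DestinationPrefix '2001:db8:0:1::/64' -Publish Yes
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6 -Advertising Enabled
Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6 | Select-Object InterfaceAlias, Advertising, Forwarding

# LON-SVR2 (and LON-RTR): what stateless autoconfiguration produced on the segment.
# PrefixOrigin RouterAdvertisement with SuffixOrigin Link or Random means the address came
# from the RA, not from manual configuration or DHCPv6.
function Get-LabIPv6 {
    param([string]$Alias = 'Local Area Connection 2', [string]$Prefix = '2001:db8:0:1:')
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 |
        Where-Object { $_.IPAddress -like "$Prefix*" } |
        Select-Object IPAddress, PrefixLength, PrefixOrigin, SuffixOrigin, ValidLifetime
}
Get-LabIPv6
```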

Exercise 2: Configuring an ISATAP Router


X Task 1: Add an ISATAP host record to DNS
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.

3. Right-click Adatum.com, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type ISATAP.


5. In the IP address box, type 172.16.0.1, and then click Add Host.

6. Click OK to clear the success message.

7. Click Done to close the New Host window.

8. Close DNS Manager.

X Task 2: Enable the ISATAP router on LON-RTR


1. On LON-RTR, at the Windows PowerShell prompt, type the following command, and then press Enter:
Set-NetIsatapConfiguration -Router 172.16.0.1
2. Type the following command, and then press Enter:

Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address

3. Record the InterfaceIndex of the isatap interface whose IPv6 address includes 172.16.0.1.
Interface index:

4. Type the following command, and then press Enter:

Get-NetIPInterface -InterfaceIndex IndexYouRecorded -PolicyStore ActiveStore | Format-List

5. Verify that Forwarding is enabled for the interface and that Advertising is disabled.

6. Type the following command, and then press Enter:

Set-NetIPInterface -InterfaceIndex IndexYouRecorded -Advertising Enabled

7. Type the following command, and then press Enter:

New-NetRoute -InterfaceIndex IndexYouRecorded -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes

8. Type the following command, and then press Enter:

Get-NetIPAddress -InterfaceIndex IndexYouRecorded



9. Verify that an IPv6 address is listed on the 2001:db8:0:2::/64 network.

X Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, at the Windows PowerShell prompt, type regedit, and then press Enter.

2. In the Registry Editor window, expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand


CurrentControlSet, expand Services, expand DNS, click Parameters, and double-click
GlobalQueryBlockList.

3. In the Edit Multi-String window, delete isatap, and then click OK.

4. If an error appears indicating that there was an empty string, click OK to continue.

5. Close the Registry Editor.


6. At the Windows PowerShell prompt, type Restart-Service DNS –Verbose, and then press Enter.

7. Type ping isatap, and then press Enter. The name should resolve to 172.16.0.1, and the four requests
time out (you will not receive replies).

X Task 4: Enable ISATAP on LON-DC1


1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press
Enter:

Set-NetIsatapConfiguration -State Enabled

2. Type ipconfig, and then press Enter.


3. Verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network.
Notice that this address embeds the IPv4 address of LON-DC1 (172.16.0.10).

X Task 5: Test connectivity


1. On LON-SVR2, at the Windows PowerShell prompt, type the following command, and then press
Enter:

ping 2001:db8:0:2:0:5efe:172.16.0.10

2. In Server Manager, if necessary, click Local Server.

3. In the Properties window, next to Local Area Connection 2, click IPv6 enabled.

4. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.

5. In the Local Area Connection 2 Properties window, click Internet Protocol Version 6 (TCP/IPv6),
and then click Properties.
6. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click Use the following DNS server
addresses.

7. In the Preferred DNS server box, type 2001:db8:0:2:0:5efe:172.16.0.10, and then click OK.
8. In the Local Area Connection 2 Properties window, click Close.

9. Close the Network Connections window.

10. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that four
replies are received from LON-DC1.

X Task 6: To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.

Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to
allow communication between an IPv6-only network and an IPv4-only network.
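Exercise 2 with cmdlets, as an added example that is not part of the course material. It assumes LON-RTR at 172.16.0.1, LON-DC1 at 172.16.0.10 and the 2001:db8:0:2::/64 prefix used above. Two things differ from the steps: the Global Query Block List is edited with the DnsServer cmdlet instead of regedit, and the Task 5 ping target is derived from the RFC 5214 rule rather than typed. The block list change is the security-relevant point of this exercise: the list exists because any host allowed to register its own name by dynamic update could otherwise register wpad or isatap and become the proxy or tunnel router for every client that looks those names up. Removing isatap from the list is a trust decision; when the lab is over, put it back (Set-NetIsatapConfiguration is unaffected by it) or keep the name as a static record that dynamic updates cannot replace.

```powershell
# Added example, not part of the course material. Assumes LON-RTR at 172.16.0.1, LON-DC1 at
# 172.16.0.10 and the 2001:db8:0:2::/64 ISATAP prefix, as in the steps above.

# LON-DC1 (DNS): Tasks 1 and 3 with cmdlets instead of the New Host dialog and regedit.
Add-DnsServerResourceRecordA -ZoneName Adatum.com -Name isatap -IPv4Address 172.16.0.1
$gqbl = Get-DnsServerGlobalQueryBlockList
Set-DnsServerGlobalQueryBlockList -List @($gqbl.List | Where-Object { $_ -ne 'isatap' })
Restart-Service DNS                                       # the lab restarts the service after the change
Get-DnsServerGlobalQueryBlockList                         # Enable : True, List : {wpad}
Resolve-DnsName -Name isatap.adatum.com -Type A -DnsOnly  # now answers 172.16.0.1

# LON-RTR: Task 2. Find the ISATAP interface that carries this host's own IPv4 address.
Set-NetIsatapConfiguration -Router 172.16.0.1
$idx = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.IPAddress -match '5efe:172\.16\.0\.1(%|$)' } |
    Select-Object -First 1 -ExpandProperty InterfaceIndex
Get-NetIPInterface -InterfaceIndex $idx -PolicyStore ActiveStore | Select-Object Forwarding, Advertising
Set-NetIPInterface -InterfaceIndex $idx -Advertising Enabled
New-NetRoute -InterfaceIndex $idx -DestinationPrefix '2001:db8:0:2::/64' -Publish Yes
Get-NetIPAddress -InterfaceIndex $idx | Select-Object IPAddress, PrefixOrigin

# LON-DC1: Task 4.
Set-NetIsatapConfiguration -State Enabled

# Task 5's target derived instead of typed. RFC 5214 interface identifier: 0:5efe:<IPv4>
# when the embedded IPv4 address is private, 200:5efe:<IPv4> when it is globally unique.
function ConvertTo-IsatapAddress {
    param([Parameter(Mandatory=$true)][string]$Prefix,
          [Parameter(Mandatory=$true)][ipaddress]$IPv4)
    $b = $IPv4.GetAddressBytes()
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    $iid = if ($private) { '0:5efe' } else { '200:5efe' }
    "${Prefix}:${iid}:$($IPv4.IPAddressToString)"
}
$dc1 = ConvertTo-IsatapAddress -Prefix '2001:db8:0:2' -IPv4 172.16.0.10   # 2001:db8:0:2:0:5efe:172.16.0.10

# LON-SVR2: Task 5. Ping LON-DC1's ISATAP address, then make it the preferred DNS server.
ping $dc1
Set-DnsClientServerAddress -InterfaceAlias 'Local Area Connection 2' -ServerAddresses $dc1
ping LON-DC1                                              # four replies, now via DNS over ISATAP
```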

Module 9: Implementing Local Storage


Lab: Implementing Local Storage
Exercise 1: Installing and Configuring a New Disk
X Task 1: Initialize a new disk
1. Log on to LON-SVR1 with the user name Adatum\Administrator and the password Pa$$w0rd.

2. In Server Manager, click Tools, and then click Computer Management.

3. In the Computer Management console, under the Storage node, click Disk Management.

4. In the Disks pane, right-click Disk 2, and then click Online.

5. Right-click Disk 2, and then click Initialize Disk.

6. In the Initialize Disk dialog box, select the Disk 2 check box, ensure that all other Disk check boxes
are cleared, click GPT (GUID Partition Table), and then click OK.

X Task 2: Create and format two simple volumes on the disk


1. In the Computer Management console, in Disk Management, right-click the unallocated space (the
black bar) to the right of Disk 2, and then click New Simple Volume.

2. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click
Next.

3. On the Specify Volume Size page, in the Simple volume size in MB field, type 4000, and then click
Next.

4. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box
is selected and that F is selected in the drop-down list, and then click Next.

5. On the Format Partition page, from the File system drop-down menu, click NTFS, in the Volume
label text box, type Volume1, and then click Next.

6. On Completing the New Simple Volume Wizard page, click Finish.

7. In the Disk Management window, right-click the unallocated space to the right of Disk 2, and then click New
Simple Volume.

8. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click
Next.

9. On the Specify Volume Size page, in the Simple volume size in MB field, type 5000, and then click
Next.

10. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check
box is selected and that G is selected in the drop-down list, and then click Next.

11. On the Format Partition page, from the File system drop-down menu, click ReFS, in the Volume
label text box, type Volume2, and then click Next.

12. On the Completing the New Simple Volume Wizard page, click Finish.

X Task 3: Verify the drive letter in a Windows® Explorer window


1. On the taskbar, open a Windows Explorer window, expand Computer, and then click Volume1 (F:).

2. In Windows Explorer, click Volume2 (G:), right-click Volume2 (G:), point to New, and then click
Folder.

3. In the New folder field, type Folder1, and then press Enter.

Results: After you complete this exercise, you should have initialized a new disk, created two simple
volumes, and formatted them. You should also have verified that the drive letters are available in
Windows Explorer.

Exercise 2: Resizing Volumes


X Task 1: Shrink Volume1
1. On LON-SVR1, switch to the Computer Management console.

2. In the Computer Management console, in Disk Management, in the middle-pane, right-click


Volume1 (F:), and then click Shrink Volume.

3. In the Shrink F: window, in the Enter the amount of space to shrink in MB field, type 1000, and
then click Shrink.

X Task 2: Extend Volume2


1. On LON-SVR1, in Disk Management, in the middle-pane, right-click Volume2 (G:), and then click
Extend Volume.

2. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
3. On the Select Disks page, in the Select the amount of space in MB field, type 1000, and then click
Next.

4. On the Completing the Extend Volume Wizard page, click Finish.


5. In a Windows Explorer window, click Volume2 (G:), and verify that Folder1 is available on the
volume.

Results: After this exercise, you should have made one volume smaller and extended another.
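Exercises 1 and 2 with the Storage module, as an added example that is not part of the course material. It assumes Disk 2 is the new offline raw disk and that drive letters F and G are free, as in the steps above. The resize helper is where the caveat lives: Resize-Partition takes an absolute size, so the script checks the requested size against what the file system reports it can support, and a partition can only grow into unallocated space that follows it, so the 1000 MB freed from F: (which sits before G:) is not what G: grows into.

```powershell
# Added example, not part of the course material. Assumes Disk 2 is the new, offline, raw
# disk and that F: and G: are free, as in Exercise 1.
$disk = Get-Disk -Number 2
if ($disk.IsOffline)  { Set-Disk -Number 2 -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number 2 -IsReadOnly $false }
if ($disk.PartitionStyle -eq 'RAW') { Initialize-Disk -Number 2 -PartitionStyle GPT }

# Exercise 1, Task 2: 4000 MB NTFS as F:, then 5000 MB ReFS as G:.
New-Partition -DiskNumber 2 -Size 4000MB -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel Volume1 -Confirm:$false | Out-Null
New-Partition -DiskNumber 2 -Size 5000MB -DriveLetter G |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel Volume2 -Confirm:$false | Out-Null
Get-Partition -DiskNumber 2 | Select-Object PartitionNumber, DriveLetter, Size

# Exercise 2. Resize-Partition wants the new absolute size, so compute it from the current
# size and refuse anything outside the range the file system says it can support (ReFS can
# be extended but not shrunk, so SizeMin for G: equals its current size).
function Resize-LabPartition {
    param([Parameter(Mandatory=$true)][char]$DriveLetter,
          [Parameter(Mandatory=$true)][long]$DeltaBytes)
    $current = Get-Partition -DriveLetter $DriveLetter
    $limits  = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    $target  = $current.Size + $DeltaBytes
    if ($target -lt $limits.SizeMin -or $target -gt $limits.SizeMax) {
        throw ("Cannot resize {0}: to {1} bytes; supported range is {2}..{3}" -f
               $DriveLetter, $target, $limits.SizeMin, $limits.SizeMax)
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $target
    Get-Partition -DriveLetter $DriveLetter | Select-Object DriveLetter, Size
}
Resize-LabPartition -DriveLetter F -DeltaBytes -1000MB   # Task 1: shrink
# Task 2: G: grows only into unallocated space after it; the gap freed before it stays free.
Resize-LabPartition -DriveLetter G -DeltaBytes 1000MB
Test-Path G:\Folder1                                      # the data on G: is untouched
```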

Exercise 3: Configuring a Redundant Storage Space


X Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, on the taskbar, click the Server Manager icon.

2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.

3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down menu, click New
Storage Pool.

4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.

5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1,
and then click Next.

6. On the Select physical disks for the storage pool page, click the following Physical disks, and then
click Next:

o PhysicalDisk3

o PhysicalDisk4

o PhysicalDisk5

o PhysicalDisk6

o PhysicalDisk7

7. On the Confirm selections page, click Create.

8. On the View results page, wait until the creation completes, then click Close.

X Task 2: Create a three-way mirrored virtual disk


1. On LON-SVR1, in Server Manager, in the STORAGE POOLS pane, click StoragePool1.

2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down menu, click New
Virtual Disk.

3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.

4. On the Select the server and storage pool page, click StoragePool1, and then click Next.

5. On the Specify the virtual disk name page, in the Name box, type Mirrored Disk, and then click
Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.

7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.

8. On the Specify the provisioning type page, click Thin, and then click Next.

9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click
Next.

10. On the Confirm selections page, click Create.


11. On the View results page, wait until the creation completes, ensure that the Create a volume when
this wizard closes check box is selected, and then click Close.

12. In the New Volume Wizard window, on the Before you begin page, click Next.

13. On the Select the server and disk page, in the Disk pane, click the Mirrored Disk virtual disk, and
then click Next.

14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, ensure that H is selected in the Drive letter drop-
down menu, and then click Next.

16. On the Select file system settings page, in the File system drop-down menu, select ReFS, in the
Volume label box, type Mirrored Volume, and then click Next.

17. On the Confirm selections page, click Create.

18. On the Completion page, wait until the creation completes, and then click Close.

X Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. Go to the Start screen, type command prompt, and then press Enter.

2. In the command prompt window, type the following command, and then press Enter:

Copy C:\windows\system32\mspaint.exe H:\

3. Close the command prompt window.

4. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored
Volume (H:).

5. Verify that mspaint.exe displays in the file list.



6. Close Windows Explorer.

X Task 4: Remove a physical drive


1. On the host computer, in Hyper-V Manager, in the Virtual Machines pane, right-click 20410A-LON-SVR1,
and then click Settings.

2. In Settings for 20410A-LON-SVR1, in the Hardware pane, click Hard Drive 20410A-LON-SVR1-
Disk5.vhdx.

3. In the Hard Drive pane, click Remove, and then click OK. Click Continue.

X Task 5: Verify that the mspaint.exe file is still accessible


1. Switch to LON-SVR1.

2. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored
Volume (H:).

3. In the file list pane, verify that mspaint.exe is still available.

4. Close Windows Explorer.

5. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that displays next to Mirrored Disk.

6. In the VIRTUAL DISK pane, right-click Mirrored Disk, and then click Properties.
7. In the Mirrored Disk Properties window, in the left pane, click Health.
Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete
or Degraded.
8. Click OK to close the Mirrored Disk Properties window.

X Task 6: Add a new disk to the storage pool


1. Switch to LON-SVR1.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button.

3. In the STORAGE POOLS pane, right-click StoragePool1, and then click Add Physical Disk.

4. In the Add Physical Disk window, click PhysicalDisk8 (LON-SVR1), and then click OK.

Results: After completing this exercise, you should have created a storage pool and added five disks to it. Then
you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You
should have also copied a file to the new volume and verified that it is accessible. Next, you should have
verified that the virtual disk was still available and could be accessed after removing a physical drive.
Finally, you should have added another physical disk to the storage pool.
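Exercise 3 with the Storage module, as an added example that is not part of the course material, with the health checks returned as objects instead of read off the Server Manager tiles. It assumes PhysicalDisk3 to PhysicalDisk7 are the poolable disks of Task 1 and PhysicalDisk8 is the spare of Task 6. It also goes one step past the lab: adding PhysicalDisk8 restores capacity, but the three-way mirror only repairs onto the new disk once the missing one is retired and removed, which is the part the exercise leaves out.

```powershell
# Added example, not part of the course material. Assumes PhysicalDisk3-7 are the unpooled
# disks used in Task 1 and PhysicalDisk8 is the spare added in Task 6.
$poolName = 'StoragePool1'
$vdName   = 'Mirrored Disk'
$members  = 'PhysicalDisk3','PhysicalDisk4','PhysicalDisk5','PhysicalDisk6','PhysicalDisk7'

# Task 1: the pool. Only disks reported CanPool are eligible (no partitions, not already pooled).
$ss    = Get-StorageSubSystem | Where-Object { $_.FriendlyName -like '*Spaces*' }
$disks = Get-PhysicalDisk -CanPool $true | Where-Object { $_.FriendlyName -in $members }
if (@($disks).Count -ne 5) { throw "Expected 5 poolable disks, found $(@($disks).Count)" }
New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName $ss.FriendlyName -PhysicalDisks $disks | Out-Null

# Task 2: three-way mirror (needs at least five disks, hence the pool size), thin, 10 GB, ReFS on H:.
$vd = New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
        -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB
$disk = $vd | Get-Disk
if ($disk.IsOffline) { $disk | Set-Disk -IsOffline $false }
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter H |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false | Out-Null

# Task 3.
Copy-Item -Path "$env:SystemRoot\System32\mspaint.exe" -Destination H:\

# Tasks 5 and 6 as one reusable check: Healthy/OK before the host pulls Disk5; Warning with
# Degraded or Incomplete after, while the file stays readable because two copies remain.
function Get-LabSpaceHealth {
    $v  = Get-VirtualDisk -FriendlyName $vdName
    $pd = Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk
    [pscustomobject]@{
        HealthStatus      = $v.HealthStatus
        OperationalStatus = $v.OperationalStatus
        PoolDisks         = @($pd).Count
        NotOK             = @($pd | Where-Object { $_.OperationalStatus -ne 'OK' } | ForEach-Object FriendlyName)
        FileReadable      = Test-Path H:\mspaint.exe
    }
}
Get-LabSpaceHealth

# Task 6, plus the step the lab stops short of: the space repairs onto the new disk only
# once the lost member is retired and removed from the pool.
Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks (Get-PhysicalDisk -FriendlyName PhysicalDisk8)
$lost = Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk | Where-Object { $_.OperationalStatus -ne 'OK' }
if ($lost) {
    $lost | Set-PhysicalDisk -Usage Retired
    Repair-VirtualDisk -FriendlyName $vdName
    Remove-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks $lost -Confirm:$false
}
Get-LabSpaceHealth    # Healthy/OK again once the repair job completes
```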

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-SVR1.



Module 10: Implementing File and Print Services


Lab: Implementing File and Print Services
Exercise 1: Creating and Configuring a File Share
X Task 1: Create the folder structure for the new share
1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the taskbar, click the Windows Explorer shortcut.

3. In a Windows® Explorer window, in the navigation pane, expand Computer, and then click Allfiles
(E:).

4. On the menu toolbar, click Home, click New folder, type Data, and then press Enter.

5. Double-click the Data folder.

6. On the menu toolbar, click Home, click New folder, type Development, and then press Enter.

7. Repeat Step 6 for the following new folder names:


o Marketing

o Research

o Sales

X Task 2: Configure NTFS permissions on the folder structure


1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.

2. In the Data Properties window, click Security, and then click Advanced.

3. In the Advanced Security Settings for Data window, click Disable Inheritance.

4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on
this object.

5. Click OK to close the Advanced Security Settings for Data window.

6. Click OK to close the Data Properties window.

7. In Windows Explorer, double-click the Data folder.

8. Right-click the Development folder, and then click Properties.

9. In the Development Properties window, click Security, and then click Advanced.

10. In the Advanced Security Settings for Development window, click Disable Inheritance.

11. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on
this object.

12. Remove the two permissions entries for Users (LON-SVR1\Users), and then click OK.

13. On the Security tab, click Edit.


14. In the Permissions for Development window, click Add.

15. Type Development, click Check names, and then click OK.

16. Select the check box for Allow Modify in the Permissions for Development section.

17. Click OK to close the Permissions for Development window.



18. Click OK to close the Development Properties window.

19. Repeat steps 8 through 18 for the Marketing, Research, and Sales folders, assigning Modify
permissions to the Marketing, Research, and Sales groups for their respective folders.

X Task 3: Create the shared folder


1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.

2. On the Data Properties window, click the Sharing tab, and then click Advanced Sharing.

3. In the Advanced Sharing window, select the Share this folder check box, and then click
Permissions.

4. In the Permissions for Data window, click Add.


5. Type Authenticated Users, click Check names, and then click OK.

6. In the Permissions for Data window, click Authenticated Users, and then select the Allow check box
for the Change permission.

7. Click OK to close the Permissions for Data window.

8. Click OK to close the Advanced Sharing window.

9. Click Close to close the Data Properties window.

X Task 4: Test access to the shared folder


1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

Note: Bernard is a member of the Development group.

2. On the Start screen, click the Desktop tile.

3. On the taskbar, click the Windows Explorer icon.

4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.

5. Double-click the Development folder.

Note: Bernard should have access to the Development folder.

6. Attempt to access the Marketing, Research, and Sales folders. NTFS permissions on these folders will
prevent you from doing this.

Note: Bernard can still see the other folders, even though he does not have access to
their contents.

7. Log off LON-CL1.

X Task 5: Enable access-based enumeration


1. Switch to LON-SVR1.

2. On the taskbar, click the Server Manager icon.

3. In Server Manager, in the navigation pane, click File and Storage Services.

4. On the File and Storage Services page, in the navigation pane, click Shares.

5. In the Shares pane, right-click Data, and then click Properties.

6. Click Settings, and then select the Enable access-based enumeration check box.

7. Click OK to close the Data Properties window.

8. Close Server Manager.

X Task 6: Test access to the share


1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

2. Click the Desktop tile.

3. On the taskbar, click the Windows Explorer icon.

4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.

Note: Bernard can now view only the Development folder, the folder for which he has
been assigned permissions.

5. Double-click the Development folder.

Note: Bernard should have access to the Development folder.

6. Log off LON-CL1.

X Task 7: Disable Offline Files for the share


1. Switch to LON-SVR1.

2. On the taskbar, click the Windows Explorer icon.

3. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.

4. On the Data Properties window, click the Sharing tab, click Advanced Sharing, and then click
Caching.

5. In the Offline Settings window, select No files or programs from the shared folder are available
offline, and then click OK.

6. Click OK to close the Advanced Sharing window.

7. Click Close to close the Data Properties window.
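Exercise 1 as a script, as an added example that is not part of the course material. It assumes E:\Data on LON-SVR1 and the Adatum\Development, Marketing, Research and Sales groups used in the steps. It makes the division of labour in this exercise explicit: the share grants Change to Authenticated Users, so the effective right is whatever NTFS allows per department; access-based enumeration (Task 5) only hides folders a user cannot open and grants nothing by itself; the client test at the end maps the share as Bernard so that Tasks 4 and 6 can be checked without logging off. One gotcha the ACL helper handles: after SetAccessRuleProtection the copied inherited entries only become explicit, and therefore removable, once Set-Acl has been applied and the ACL re-read.

```powershell
# Added example, not part of the course material. Assumes E:\Data on LON-SVR1 and the
# Adatum\Development, Marketing, Research and Sales groups used in the lab.
$root  = 'E:\Data'
$depts = 'Development','Marketing','Research','Sales'
foreach ($d in $depts) { New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null }

function Disable-AclInheritance {
    # Disable Inheritance + "Convert inherited permissions into explicit permissions".
    # Set-Acl must run before the copied entries become explicit (and therefore removable).
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-DeptFolder {
    # Task 2 steps 10-17: drop the BUILTIN\Users entries, grant Modify to the department group.
    param([string]$Path, [string]$Group)
    Disable-AclInheritance -Path $Path
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -like '*\Users' })) {
        $null = $acl.RemoveAccessRuleAll($ace)
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "Adatum\$Group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Disable-AclInheritance -Path $root                                   # Task 2 steps 1-6
foreach ($d in $depts) { Grant-DeptFolder -Path (Join-Path $root $d) -Group $d }

# Tasks 3, 5 and 7 in one call: Change for Authenticated Users at the share level (NTFS is
# the effective restriction), access-based enumeration on, Offline Files off.
New-SmbShare -Name Data -Path $root -ChangeAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased -CachingMode None | Out-Null

function Get-LabShareState {
    $s = Get-SmbShare -Name Data
    [pscustomobject]@{
        ShareAccess = @(Get-SmbShareAccess -Name Data | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" })
        Enumeration = $s.FolderEnumerationMode      # AccessBased
        Caching     = $s.CachingMode                # None
        NtfsRights  = @(foreach ($d in $depts) {
            $ace = (Get-Acl -Path (Join-Path $root $d)).Access |
                   Where-Object { $_.IdentityReference.Value -eq "Adatum\$d" }
            "$d=$($ace.FileSystemRights)"
        })
    }
}
Get-LabShareState

# Tasks 4 and 6 from LON-CL1 without logging off: map the share as Bernard. With ABE on, the
# listing shows Development only. (Fails with error 1219 if a connection to LON-SVR1 already
# exists under another account; disconnect it first.)
$cred = Get-Credential -UserName 'Adatum\Bernard' -Message 'Development group member'
New-PSDrive -Name Z -PSProvider FileSystem -Root '\\LON-SVR1\Data' -Credential $cred | Out-Null
Get-ChildItem -Path Z:\ | Select-Object Name
Remove-PSDrive -Name Z
```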

Exercise 2: Configuring Shadow Copies


X Task 1: Configure shadow copies for the file share
1. Switch to LON-SVR1.

2. Open Windows Explorer.

3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.

4. In the Shadow Copies window, click the E:\ drive, and then click Enable.

5. In the Enable Shadow Copies window, click Yes.

6. In the Shadow Copies window, click Settings.

7. In the Settings window, click Schedule.



8. In the E:\ window, change Schedule Task to Daily, change Start time to 12:00 AM, and then click
Advanced.

9. In the Advanced Schedule Options window, select Repeat task, and then set the frequency to every
1 hour.

10. Under Until, select Time, and change the time value to 11:59 PM.

11. Click OK twice.

12. Click OK to close the Settings window.

13. Leave the Shadow Copies window open.

X Task 2: Create multiple shadow copies of a file


1. On LON-SVR1, open a Windows Explorer window, and navigate to the E:\Data\Development folder.

2. On the menu toolbar, click Home, click New item, and then click Text Document.

3. Type Report, and then press Enter.


4. Switch back to the Shadow Copies window, and then click Create Now.

X Task 3: Recover a deleted file from a shadow copy


1. On LON-SVR1, switch back to the Windows Explorer window.

2. Right-click Report.txt, and then click Delete.


3. In Windows Explorer, right-click on the Development folder, and then click Properties.

4. In the Development Properties window, click the Previous Versions tab.

5. Click the most recent folder version for Development, and then click Open.
6. Confirm that Report.txt is in the folder, right-click Report.txt, and then click Copy.

7. Close the Windows Explorer window that just opened.

8. In the other Windows Explorer window, right-click on the Development folder, and then click Paste.
9. Close Windows Explorer.

10. Click OK and close all open windows.
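The Exercise 2 sequence done with WMI and a symbolic link, as an added example that is not part of the course material; this is how you reach a shadow copy from a script, or from a server console that has no Previous Versions tab for the path you need. It assumes E:\ on LON-SVR1 and the E:\Data\Development\Report.txt file from Task 2, and must run elevated on the server (Win32_ShadowCopy.Create is not available on client editions). The inventory at the end is the practitioner's caveat: a snapshot keeps the whole volume as it was, deleted files included, until the snapshot itself is deleted or aged out, so "deleted" data survives in it and retention reviews and incident response should list snapshots explicitly.

```powershell
# Added example, not part of the course material. Assumes E:\ on LON-SVR1 and the
# E:\Data\Development\Report.txt file from Task 2. Run elevated on the server.
$volume = 'E:\'
$file   = 'E:\Data\Development\Report.txt'
Set-Content -Path $file -Value 'first version'

function New-LabShadowCopy {
    # What Create Now does: a persistent snapshot that Previous Versions can see.
    param([string]$Volume)
    $r = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create($Volume, 'ClientAccessible')
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with $($r.ReturnValue)" }
    Get-WmiObject -Class Win32_ShadowCopy -Filter "ID='$($r.ShadowID)'"
}
$shadow = New-LabShadowCopy -Volume $volume

Remove-Item -Path $file            # Task 3 step 2

function Restore-FromShadowCopy {
    # Task 3 steps 3-8 without Explorer: expose the snapshot device as a directory through a
    # symbolic link (the target must end in a backslash), copy the file out, drop the link.
    param([System.Management.ManagementObject]$Shadow, [string]$Path)
    $link = Join-Path $env:SystemDrive ('shadow_' + ($Shadow.ID -replace '[{}]', ''))
    cmd /c mklink /d $link "$($Shadow.DeviceObject)\" | Out-Null
    try {
        $relative = $Path.Substring([System.IO.Path]::GetPathRoot($Path).Length)
        Copy-Item -Path (Join-Path $link $relative) -Destination $Path
        Get-Item -Path $Path
    } finally {
        cmd /c rmdir $link | Out-Null   # removes the link only, never the snapshot
    }
}
Restore-FromShadowCopy -Shadow $shadow -Path $file
Get-Content -Path $file             # first version

# What is still on disk: every snapshot holds the whole volume as it was, deleted files
# included, until it is deleted or aged out. List them during retention or incident reviews.
Get-WmiObject -Class Win32_ShadowCopy | Select-Object ID, VolumeName, InstallDate, DeviceObject
# $shadow.Delete()                  # remove this snapshot when it is no longer needed
```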

Exercise 3: Creating and Configuring a Printer Pool


X Task 1: Install the Print and Document Services server role
1. On LON-SVR1, on the taskbar, click the Server Manager shortcut.

2. In Server Manager, on the menu toolbar, click Manage, and then click Add Roles and Features.
3. Click Next, select Role-based or feature-based installation, and then click Next.

4. On the Select destination server page, select the server on which you want to install the Print and
Document Services. The default server is the local server. Click Next.

5. On the Select Server Roles page, select the Print and Document Services check box. In the Add
Roles and Features Wizard window, click Add Features, and then, on the Select server roles page,
click Next.
6. On the Select Features page, click Next.

7. On the Print and Document Services page, review the Notes for the administrator, and then click
Next.

8. On the Select Role Services page, click Next until the Confirm Installation Selections page
displays. Click Install to install the required role services.

9. Click Close.

X Task 2: Install a printer


1. On LON-SVR1, in the Server Manager, click Tools and then click Print Management.

2. Expand Print Servers, expand LON-SVR1, right-click Printers, and then click Add Printer.

3. Click Add a TCP/IP or Web Services Printer by IP address or hostname, and then click Next.

4. Change the Type of Device to TCP/IP Device.

5. In the Host name box, type 172.16.0.200, clear the Auto detect printer driver to use check box,
and then click Next.

6. Under Device Type, click Generic Network Card, and then click Next.

7. Click Install a new driver, and then click Next.

8. Click Microsoft as the Manufacturer, under Printers, click Microsoft XPS Class Driver, and then
click Next.

9. Change the Printer Name to Branch Office Printer, and then click Next.

10. Click Next two times to accept the default share name and to install the printer.

11. Click Finish to close the Network Printer Installation Wizard.

12. In the Print Management console, right-click the Branch Office Printer, and then click Enable
Branch Office Direct Printing.

13. In the Print Management console, right-click the Branch Office Printer, and then select Properties.

14. Click the Sharing tab, select the List in the directory check box, and then click OK.

X Task 3: Configure printer pooling


1. In the Print Management console, right-click Ports under LON-SVR1, and then click Add Port.

2. In the Printer Ports window, select Standard TCP/IP Port, and then click New Port.

3. In the Add Standard TCP/IP Printer Port Wizard, click Next.

4. In the Printer Name or IP Address field, type 172.16.0.201, and then click Next.

5. In the Additional port information required window, click Next.

6. Click Finish to close the Add Standard TCP/IP Printer Port Wizard.

7. Click Close to close the Printer Ports window.

8. In the Print Management console, click Printers, right-click Branch Office Printer, and then click
Properties.

9. On the Branch Office Printer Properties page, click the Ports tab, select the Enable printer
pooling check box, and then click the 172.16.0.201 port to select it as the second port.

10. Click OK to close the Branch Office Printer Properties page.

11. Close the Print Management Console.
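Exercise 3 Tasks 2 and 3 with the PrintManagement module, as an added example that is not part of the course material. It assumes the Microsoft XPS Class Driver and the two device addresses used above. Pooling is represented as a comma-separated PortName on the printer object, which is what the Ports tab writes when you tick Enable printer pooling and select a second port; the function at the end reads that back so the pool can be verified from a script. The last line is Task 4 from LON-CL1.

```powershell
# Added example, not part of the course material. Assumes the driver name and the two
# device addresses used in Tasks 2 and 3; runs on LON-SVR1 after the role is installed.
Import-Module PrintManagement
$ports   = '172.16.0.200', '172.16.0.201'
$driver  = 'Microsoft XPS Class Driver'
$printer = 'Branch Office Printer'

# Task 2 steps 3-6 and Task 3 steps 1-7: one Standard TCP/IP port per device, named by address.
foreach ($ip in $ports) {
    if (-not (Get-PrinterPort -Name $ip -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $ip -PrinterHostAddress $ip
    }
}
# Task 2 steps 7-8: the driver must already be in the driver store (the XPS class driver is).
if (-not (Get-PrinterDriver -Name $driver -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driver
}
# Task 2 steps 9-14: shared, listed in the directory (Published), Branch Office Direct Printing on.
Add-Printer -Name $printer -DriverName $driver -PortName $ports[0] -Shared -ShareName $printer -Published
Set-Printer -Name $printer -RenderingMode BranchOffice

# Task 3 steps 8-10: pooling = more than one port on the same printer object.
Set-Printer -Name $printer -PortName ($ports -join ',')

function Get-LabPrinterPool {
    param([string]$Name = 'Branch Office Printer')
    $p = Get-Printer -Name $Name
    $portList = $p.PortName -split ','
    [pscustomobject]@{
        Printer    = $p.Name
        Ports      = $portList
        Pooled     = $portList.Count -gt 1
        Shared     = $p.Shared
        Published  = $p.Published
        Rendering  = $p.RenderingMode      # BranchOffice
    }
}
Get-LabPrinterPool

# Task 4 on LON-CL1: connect to the shared printer (same result as Add a device).
Add-Printer -ConnectionName "\\LON-SVR1\$printer"
```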



X Task 4: Install a printer on a client computer


1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. On LON-CL1, on the Start screen, type Control Panel, and then press Enter.

3. Under Hardware and Sound, click Add a device.

4. In the Add a device window, click on Branch Office Printer on LON-SVR1. Click Next. The device
installs automatically.

X Task 5: To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.



Module 11: Implementing Group Policy


Lab: Implementing Group Policy
Exercise 1: Configuring a Central Store
X Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. In Server Manager, click Tools, and then click Group Policy Management.

3. In the Group Policy Management Console (GPMC), expand Forest: Adatum.com, expand Domains,
expand Adatum.com and then expand the Group Policy Objects folder.

4. Right-click the Default Domain Policy, and then click Edit.


5. In the Group Policy Management Editor, expand the Default Domain Policy, expand User
Configuration, expand Policies, and then click Administrative Templates.

6. Point your mouse over the Administrative Templates folder, and note that the location is
Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.

7. Close the Group Policy Management Editor.

X Task 2: Create a central store


1. On the taskbar, click the Folder icon to launch a Windows® Explorer window.
2. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com,
and then click Policies.

3. In the details pane, right-click on a blank area, click New, and then click Folder.
4. Name the folder PolicyDefinitions.

X Task 3: Copy administrative templates to the central store


1. In Windows Explorer, navigate back to C:\Windows, and open the PolicyDefinitions folder.

2. Select the entire contents of the PolicyDefinitions folder. (Hint: click in the details pane, and then
use the Ctrl+A keys to select all of the content.)

3. Right-click the selection, and then click Copy.

4. Browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies, and then open the PolicyDefinitions
folder.

5. Right-click in the empty folder area, and then click Paste.

X Task 4: Verify the administrative template location in GPMC


1. In the GPMC, right-click the Default Domain Policy, and then click Edit.

2. Expand Policies, point your mouse over the Administrative Templates folder, and view the local
information text. Note that it now says Administrative Templates: Policy definitions (ADMX files)
retrieved from the Central Store.

3. Close the Group Policy Management Editor.
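The same central store can be built and checked from Windows PowerShell. The following script is an added example and is not part of the 20410A lab; it assumes it runs on LON-DC1 as a domain administrator, uses the lab's Adatum.com domain and the default SYSVOL path, and ends with an ACL check that the lab steps do not include.

```powershell
# Added example (not from the 20410A course materials): build and verify the
# Group Policy central store with PowerShell instead of Windows Explorer.
# Assumes it runs on LON-DC1 as a domain admin; the paths are the ones the
# lab uses and Adatum.com is the lab domain.
$domain      = 'Adatum.com'
$localAdmx   = "$env:SystemRoot\PolicyDefinitions"
$centralAdmx = "$env:SystemRoot\SYSVOL\sysvol\$domain\Policies\PolicyDefinitions"

# Create the store only if it does not exist yet; a second run must not
# destroy newer templates that another administrator already placed there.
if (-not (Test-Path $centralAdmx)) {
    New-Item -Path $centralAdmx -ItemType Directory | Out-Null
}

# Copy the ADMX files and every language subfolder (en-US and so on).
# -Recurse keeps the ADML folders; -Force lets an older copy be replaced.
Copy-Item -Path "$localAdmx\*" -Destination $centralAdmx -Recurse -Force

# Verify: count both sides and list any local ADMX without a central copy.
$local   = Get-ChildItem -Path $localAdmx   -Filter *.admx
$central = Get-ChildItem -Path $centralAdmx -Filter *.admx
$missing = Compare-Object -ReferenceObject $local.Name -DifferenceObject $central.Name |
           Where-Object SideIndicator -eq '<=' |
           Select-Object -ExpandProperty InputObject

"Local ADMX files:   $($local.Count)"
"Central ADMX files: $($central.Count)"
if ($missing) { "Missing from central store: $($missing -join ', ')" }
else          { "Central store is complete." }

# The store lives in SYSVOL, so it replicates to every DC and is readable by
# Authenticated Users. Only Domain Admins should be able to write to it:
# whoever can edit an ADMX controls what every GPO editor in the domain sees.
(Get-Acl -Path $centralAdmx).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The copy is idempotent, so the script can be rerun after a Windows update delivers new templates; the final ACL listing is what to check when the central store is shared between several administrators.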

Results: After completing this exercise, you will have configured a Central Store.

Exercise 2: Creating GPOs


X Task 1: Create a Windows Internet Explorer® Restriction default starter GPO
1. In the GPMC, right-click the Starter GPOs folder, and then click New.

2. In the New Starter GPO dialog box, in the Name field, type Internet Explorer Restrictions, and in
the Comment field, type This GPO disables the General page in Internet Options, and then click
OK.

X Task 2: Configure the Internet Explorer Restriction starter GPO


1. Expand the Starter GPOs folder, right-click the Internet Explorer Restrictions GPO, and then click
Edit.

2. Expand User Configuration, Administrative Templates, and then click All Settings.

3. Right-click All Settings, and then click Filter Options.

4. In the Filter Options dialog box, select the Enable Keyword Filters check box.
5. In the Filter for word(s): field, type General page.

6. In the drop-down box, select Exact, and then click OK.

7. Double-click the Disable the General page setting, click Enabled, and then click OK.

8. Close the Group Policy Starter GPO Editor.

X Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet
Explorer Restrictions starter GPO
1. In the GPMC, right-click the Adatum.com domain, and then click Create a GPO in this domain, and
link it here.

2. In the New GPO dialog box, in the Name field, type IE Restrictions.

3. Under Source Starter GPO, click the drop-down box, select Internet Explorer Restrictions, and then
click OK.

X Task 4: Test application of the GPO for domain users


1. Log on to LON-CL1 as Adatum\Brad with a password of Pa$$w0rd.

2. Move your mouse to the bottom-right corner of the desktop, and then in the flyout, click the Search charm.

3. In the Apps search box, type Control Panel.

4. In the Search Apps results, click Control Panel.

5. In the Control Panel window, click Network and Internet.

6. In the Network and Internet dialog box, click Change your homepage. A message box appears
informing you that this feature has been disabled.

7. Click OK to acknowledge the message.

8. Click Internet Options. Notice that in the Internet Properties dialog box the General page does
not appear.

9. Close all open windows, and sign out.



X Task 5: Use security filtering to exempt the IT Department from the Internet Explorer
Restrictions policy
1. Switch to LON-DC1.

2. In the GPMC, expand the Group Policy Objects folder, and then in the left pane, click the IE
Restrictions policy.

3. In the details pane, click the Delegation tab.

4. Click the Advanced button.


5. In the IE Restrictions Security Settings dialog box, click Add.

6. In the Select Users, Computers, Service Accounts, or Groups field, type IT, and then click OK.

7. In the IE Restrictions Security Settings dialog box, click the IT (Adatum\IT) group, next to the
Apply group policy permission, select the Deny check box, and then click OK.

8. Click Yes to acknowledge the Windows Security dialog box.
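Tasks 3 and 5 can also be scripted and, more usefully for an administrator who inherits the domain later, audited. The following is an added example and is not part of the 20410A lab. It assumes it runs on LON-DC1 with the GroupPolicy and ActiveDirectory modules, uses the lab's GPO, starter GPO and group names, and reads the Deny entries from the GPO's Active Directory object because Get-GPPermission only reports Allow permissions. The GUID used is the schema GUID of the Apply Group Policy extended right.

```powershell
# Added example (not from the 20410A course materials): create the IE
# Restrictions GPO from the starter GPO, link it to the domain, and then list
# its security filtering, including Deny entries such as the one set for the
# IT group in Task 5. Runs on LON-DC1 as a domain admin. GPO, starter GPO,
# group and domain names are the lab's; the GUID is the well-known value of
# the Apply Group Policy extended right.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'Adatum.com'
$domainDn = 'DC=Adatum,DC=com'
$gpoName  = 'IE Restrictions'

# Create from the starter GPO only if it does not exist yet (idempotent).
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -StarterGpoName 'Internet Explorer Restrictions' -Domain $domain
    New-GPLink -Name $gpoName -Target $domainDn -Domain $domain | Out-Null
}

# Allow side: principals granted Apply Group Policy, as the GPMC API reports it.
"Principals with Apply Group Policy (Allow):"
Get-GPPermission -Name $gpoName -All -Domain $domain |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# Deny side: read the ACL of the GPO's AD object. A Deny ACE on the Apply
# Group Policy extended right is what Delegation > Advanced writes when the
# Deny box is ticked, and it overrides any Allow for the same principal.
$applyGpRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c90f06a3'
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl   = Get-Acl -Path "AD:\$gpoDn"

"Principals with Apply Group Policy explicitly denied:"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight } |
    Select-Object IdentityReference, AccessControlType, @{n='Right';e={'Apply Group Policy'}}
```

Run the second half against every GPO in the domain to find filtering exceptions that were added by hand and never documented; a Deny on Apply Group Policy is easy to miss in the GPMC Scope tab, which only shows the Allow list.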

X Task 6: Test the GPO application for IT Department Users


1. Log on to LON-CL1 as Brad with a password of Pa$$w0rd.
2. Move your mouse to the bottom-right corner of the desktop, and then in the flyout, click the Search
charm.

3. In the Apps search box, type Control Panel.


4. In the Apps results window, click Control Panel.

5. In the Control Panel window, click Network and Internet.

6. In the Network and Internet dialog box, click Change your homepage. The Internet Properties
dialog opens to the General page, and all settings are available.

7. Close all open windows, and sign out.

X Task 7: Test Application of the GPO for other domain users


1. Log on to LON-CL1 as Boris with a password of Pa$$w0rd.
2. Move your mouse to the bottom-right corner of the desktop, and then in the flyout, click the Search
charm.

3. In the Apps search box, type Control Panel.

4. In the Apps results window, click Control Panel.

5. In the Control Panel window, click Network and Internet.

6. In the Network and Internet dialog box, click Change your homepage. A message box appears
informing you that this feature has been disabled.

7. Click OK to acknowledge the message.

8. Click Internet Options. In the Internet Properties dialog box, notice that the General page does
not display.

9. Close all open windows, and sign out.

Results: After completing this lab, you will have created a GPO.

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-CL1.

Module 12: Securing Windows Servers Using Group Policy Objects


Lab A: Increasing Security for Server Resources
Exercise 1: Using Group Policy to Secure Member Servers
X Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console, in the navigation pane, right-click
Adatum.com, click New, and then click Organizational Unit.

3. In the New Object - Organizational Unit window, type Member Servers OU, and then click OK.
4. In the Active Directory Users and Computers console, in the navigation pane, click the Computers
container.

5. Press and hold the Ctrl key. In the details pane, click LON-SVR1 and LON-SVR2, right-click the
selection, and then click Move.

6. In the Move window, click Member Servers OU, and then click OK.

X Task 2: Create a Server Administrators group


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member
Servers OU, click New, and then click Group.

3. In the New Object – Group window, in the Group Name field, type Server Administrators, and then
click OK.

X Task 3: Create a Member Server Security Settings GPO and link it to the Member
Servers OU
1. On LON-DC1, in the Server Manager window, click Tools, and then click Group Policy
Management.

2. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Group Policy Objects, and then click New.

3. In the New GPO window, in the Name: field, type Member Server Security Settings, and then click
OK.

4. In the Group Policy Management Console window, right-click Member Servers OU, and then click
Link an Existing GPO.

5. In the Select GPO window, in the Group Policy Objects list, click Member Server Security Settings,
and then click OK.

X Task 4: Configure group membership for local administrators to include Server
Administrators and Domain Admins
1. On LON-DC1, in the Group Policy Management Console window, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.

2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click Restricted Groups.

3. Right-click Restricted Groups, and then click Add Group.

4. In the Add Group dialog box, in the Group name field, type Administrators, and then click OK.

5. In the Administrators Properties dialog box, next to Members of this group, click Add.

6. In the Add Member dialog box, type Adatum\Server Administrators, and then click OK.
7. Next to Members of this group, click Add.

8. In the Add Member dialog box, type Adatum\Domain Admins, and then click OK twice.

9. Close the Group Policy Management Editor.

X Task 5: Verify that Server Administrators has been added to the local
Administrators group
1. Switch to LON-SVR1.

2. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

3. On the taskbar, click the Windows PowerShell® icon.

4. At the Windows PowerShell command prompt, type the following command:

gpupdate /force

5. In the Server Manager window, click Tools, and then click Computer Management.

6. In the Computer Management console, expand Local Users and Groups, click Groups, and then in
the right pane, double-click Administrators.

7. Confirm that the Administrators group contains both ADATUM\Domain Admins and
ADATUM\Server Administrators as members. Click Cancel.

8. Close the Computer Management console.

X Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to
remove users from Allow log on locally
1. Switch to LON-DC1.

2. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.

3. In the right pane, right-click Member Server Security Settings, and then click Edit.

4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, and then click User
Rights Assignment.

5. In the right pane, right-click Allow log on locally, and then click Properties.

6. In the Allow log on locally Properties window, select the Define these policy settings check box, and
then click Add User or Group.

7. In the Add User or Group window, type Domain Admins, and then click OK.

8. Click Add User or Group.

9. In the Add User or Group window, type Administrators, and then click OK twice.

10. Close the Group Policy Management Editor.

X Task 7: Modify the Member Server Security Settings GPO to enable User Account
Control: Admin Approval Mode for the Built-in Administrator Account
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.

2. In the right pane, right-click Member Server Security Settings, and then click Edit.

3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, and then click
Security Options.

4. In the right pane, right-click User Account Control: Admin Approval Mode for the Built-in
Administrator account, and then click Properties.

5. In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties
window, select the Define this policy setting check box, ensure that the Enabled radio button is
selected, and then click OK.

6. Close the Group Policy Management Editor.

X Task 8: Verify that a standard user cannot log on to a member server


1. Switch to LON-SVR1, and then on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell command prompt, type the following command:

gpupdate /force

3. Log off of LON-SVR1.


4. Try to log on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.

5. Verify that you cannot log on to LON-SVR1, and that a logon error message displays.
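Tasks 5 and 8 verify the result by hand. The script below is an added example, not part of the 20410A lab, that performs the same two checks on LON-SVR1 from Windows PowerShell after gpupdate /force: it reads the local Administrators membership through the WinNT ADSI provider (Get-LocalGroupMember does not exist on Windows Server 2012) and reads Allow log on locally from a secedit export. The expected lists are taken from Tasks 4 and 6.

```powershell
# Added example (not from the 20410A course materials): confirm on LON-SVR1
# that Restricted Groups and User Rights Assignment from the lab's GPOs took
# effect. Runs locally as Adatum\Administrator. Expected names are the lab's.
$expectedAdmins = @('ADATUM\Domain Admins', 'ADATUM\Server Administrators')
$expectedLogon  = @('Domain Admins', 'Administrators')   # Allow log on locally

# 1. Local Administrators membership via the WinNT provider.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # WinNT://ADATUM/Domain Admins  ->  ADATUM\Domain Admins
    ($path -replace '^WinNT://', '') -replace '/', '\'
}
"Local Administrators: $($members -join '; ')"
foreach ($m in $expectedAdmins) {
    if ($members -contains $m) { "  OK      $m" } else { "  MISSING $m" }
}

# 2. Allow log on locally (SeInteractiveLogonRight) from a secedit export.
#    The export lists principals as *SID; resolve each SID to a name.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
$principals = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $v = $_.Trim()
    if ($v.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $v }
    } else { $v }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
"Allow log on locally: $($principals -join '; ')"

# Every principal beyond the two expected ones widens interactive access to
# the server (and local logon is the precondition for many privilege
# escalation paths), so report extras rather than silently accept them.
$unexpected = $principals | Where-Object { ($_ -split '\\')[-1] -notin $expectedLogon }
if ($unexpected) { "  REVIEW: extra principals: $($unexpected -join '; ')" }
else             { "  OK: only the expected principals may log on locally." }
```

The SID resolution step matters: a stale or orphaned SID in a user right (from a deleted group) shows up as an unresolved S-1-5-21 string, which is exactly the kind of entry worth cleaning out of a hardening GPO.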

Results: After completing this exercise, you should have used Group Policy to secure member servers.

Exercise 2: Auditing File System Access


X Task 1: Modify the Member Server Security Settings GPO to enable object access
auditing
1. Switch to LON-DC1.

2. On LON-DC1, in the Group Policy Management console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.

3. In the right pane, right-click Member Server Security Settings, and then click Edit.

4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, click Audit Policy, and
then in the right pane, right-click Audit object access, and then click Properties.

5. In the Audit object access Properties window, select the Define these policy settings check box,
select both the Success and Failure check boxes, and then click OK.

X Task 2: Create and share a folder


1. On LON-SVR1, on the taskbar, click Windows Explorer, and then, in the navigation pane, click
Computer.

2. In the Computer window, double-click Local Disk (C:), click Home, click New folder, and then type
HR.

3. In the Computer window, right-click the HR folder, click Share with, and then click Specific people.

4. In the File Sharing window, type Adam, and then click Add.


5. Change the Permission Level to Read/Write, click Share, and then click Done.

X Task 3: Enable auditing on the HR folder for Domain Users


1. On LON-SVR1, in the Local Disk (C:) window, right-click the HR folder, and then click Properties.

2. In the HR Properties window, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for HR window, click the Auditing tab, and then click Add.

4. In the Auditing Entry for HR window, click Select a principal.

5. In the Select User, Computer, Service Account or Group window, in the Enter the object name to
select field, type Domain Users, and then click OK.

6. In the Auditing Entry for HR window, from the Type drop-down menu, select All.

7. In the Auditing Entry for HR window, under Permission list, select the Write check box, and then
click OK three times.

8. Switch to the Start screen, type cmd, and then press Enter.

9. In the command prompt window, type the following command:

gpupdate /force

10. Close the command prompt window.
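Tasks 2 and 3 set up the share and the auditing entry through dialog boxes. The following added example, which is not part of the 20410A lab, does the same from Windows PowerShell on LON-SVR1 and then shows the two things that must both be true before any 4663 event appears: a SACL on the folder and an enabled object-access audit policy. Folder, share, user and group names are the lab's; the NTFS Modify grant for Adam is an assumption that matches what the File Sharing dialog grants for Read/Write.

```powershell
# Added example (not from the 20410A course materials): create the HR folder
# and share, add the audit entry for Domain Users, and verify. Runs on
# LON-SVR1 as Adatum\Administrator; names and paths are the lab's.
$folder = 'C:\HR'
if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }

# Share permission (the outer gate) plus an NTFS Modify grant for Adam, which
# is what the File Sharing dialog's Read/Write level writes. Share
# permissions alone never grant anything the NTFS ACL does not also allow.
if (-not (Get-SmbShare -Name 'HR' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'HR' -Path $folder -ChangeAccess 'Adatum\Adam' | Out-Null
}

# -Audit reads the SACL as well as the DACL; it needs SeSecurityPrivilege,
# which a member of the local Administrators group has.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Adatum\Adam', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))

# Audit entry: Type All (Success + Failure) for Write by Domain Users, applied
# to this folder, subfolders and files, exactly as Task 3 sets it.
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Adatum\Domain Users',
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($audit)
Set-Acl -Path $folder -AclObject $acl

# Verify both halves. A SACL with no matching audit policy produces no
# events, and an audit policy with no SACLs produces none either.
"SACL on $folder"
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
"Effective audit policy for the File System subcategory:"
auditpol /get /subcategory:"File System"
```

The auditpol line shows the effective setting regardless of whether it came from the legacy Audit object access policy in Task 1 or from an advanced audit policy subcategory; when the two disagree, the advanced setting wins, which is a common reason for an "auditing is on but no events" ticket.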

X Task 4: Create a new file in the file share from LON-CL1


1. Switch to LON-CL1.

2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.


3. On the Start screen, type cmd, and then press Enter.

4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window.

6. Log off LON-CL1, and then log on again as Adatum\Adam with a password of Pa$$w0rd.

7. On the Start screen, type \\LON-SVR1\HR, and then press Enter.

8. In the HR window, click Home, click New item, click Text Document, in the file name field, type
Employees, and then press Enter.

9. Log off of LON-CL1.



X Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1.

2. In the Server Manager window, click Tools, and then click Event Viewer.

3. In the Event Viewer window, expand Windows Logs, and then click Security.

4. Verify that the following event and information display:

o Source: Microsoft Windows Security Auditing

o Event ID: 4663

o Task category: File System

o An attempt was made to access an object.

Results: After completing this exercise, you should have enabled file system access auditing.

Exercise 3: Auditing Domain Logons


X Task 1: Modify the Default Domain Policy GPO
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.

2. In the right pane, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit
Policy. In the right pane, right-click Audit account logon events, and then click Properties.
4. In the Audit account logon events Properties window, select the Define these policy settings check box,
select both the Success and Failure check boxes, and then click OK.

5. Update Group Policy by using the gpupdate /force command.

X Task 2: Run GPUpdate


1. Switch to LON-CL1.

2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

3. On the Start screen, type cmd, and then press Enter.

4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window, and log off LON-CL1.

X Task 3: Log on to LON-CL1 with an incorrect password


• Log on to LON-CL1 as Adatum\Adam with a password of password.

Note: This password is intentionally incorrect, to generate a security log entry which shows that
an unsuccessful logon attempt has been made.

X Task 4: Review event logs on LON-DC1


1. On LON-DC1, in Server Manager, click Tools, and then click Event Viewer.

2. In the Event Viewer window, expand Windows Logs, and then click Security.

3. Review the event logs for the following message: “Logon failure. A logon attempt was made with an
unknown user name or a known user name with a bad password.”

X Task 5: Log on to LON-CL1 with the correct password


• Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.

Note: This password is correct, and you should be able to log on successfully as Adam.

X Task 6: Review event logs on LON-DC1


1. Log on to LON-DC1.
2. In the Server Manager window, click Tools, and then click Event Viewer.

3. In the Event Viewer window, expand Windows Logs, and then click Security.

4. Review the event logs for the following message: “A user successfully logged on to a computer.”
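Scrolling the Security log, as Task 5 of Exercise 2 and Tasks 4 and 6 of this exercise do, does not scale past a lab. The following added example is not part of the 20410A lab; it queries the same log with Get-WinEvent and reduces the results to a summary. Run it on LON-SVR1 for the file-access events (ID 4663, the one the page names) and on LON-DC1 for the account logon events. IDs 4771 (Kerberos pre-authentication failure), 4776 (NTLM credential validation) and 4625 (logon failure) are the standard Windows IDs for those events; the two-hour window and the C:\HR path filter are assumptions chosen for this lab.

```powershell
# Added example (not from the 20410A course materials): summarise the audit
# events that Exercises 2 and 3 generate. Assumes it runs against the local
# Security log on LON-SVR1 (file access) or LON-DC1 (account logon).
function Get-EventField {
    # Read one named field from the event's EventData XML. Message text is
    # localized and wrapped; the XML field names are stable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$since = (Get-Date).AddHours(-2)   # assumption: the lab ran within the last two hours

# --- Exercise 2: who wrote what inside the audited HR folder (ID 4663) ---
$fileEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue
$fileEvents |
    Where-Object { (Get-EventField $_ 'ObjectName') -like 'C:\HR\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f (Get-EventField $_ 'SubjectDomainName'), (Get-EventField $_ 'SubjectUserName')
            Object  = Get-EventField $_ 'ObjectName'
            Access  = Get-EventField $_ 'AccessMask'   # 0x2 = WriteData/AddFile, 0x4 = AppendData
            Process = Get-EventField $_ 'ProcessName'
        }
    } | Format-Table -AutoSize

# --- Exercise 3: failed authentication attempts, grouped per account ---
# One failure followed by a success (Tasks 3 and 5) is a typo; many failures
# for one account, or for many accounts from one source, is what to alert on.
$logonFail = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $since } `
                          -ErrorAction SilentlyContinue
$logonFail |
    ForEach-Object {
        $e = $_
        # Bad password shows as Status 0x18 (4771), Status 0xC000006A (4776)
        # and SubStatus 0xC000006A (4625; its Status is the generic 0xC000006D).
        $status = if ($e.Id -eq 4625) { Get-EventField $e 'SubStatus' } else { Get-EventField $e 'Status' }
        if ($e.Id -eq 4776 -and $status -eq '0x0') { return }   # 4776 also records successes
        # 4776 carries the workstation name instead of an IP address.
        $source = if ($e.Id -eq 4776) { Get-EventField $e 'Workstation' } else { Get-EventField $e 'IpAddress' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = Get-EventField $e 'TargetUserName'
            Status  = $status
            Source  = $source
        }
    } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{n='Account';e={$_.Name}}, Count,
                  @{n='Sources';e={($_.Group.Source | Sort-Object -Unique) -join ', '}},
                  @{n='LastSeen';e={($_.Group | Sort-Object Time)[-1].Time}}
```

Filtering on the XML fields rather than on the Message text is deliberate: the wording in Tasks 4 and 6 depends on the display language and on which event the Viewer happens to show, while TargetUserName, Status and SubStatus are the same on every Windows installation.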

X Task 7: To prepare for the next lab


• To prepare for the next lab, leave the virtual machines running.

Results: After completing this exercise, you should have enabled domain logon auditing.

Lab B: Configuring AppLocker and Windows Firewall
Exercise 1: Configuring AppLocker® Policies
X Task 1: Create an OU for Client Computers
1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console, in the navigation pane, right-click
Adatum.com, click New, and then click Organizational Unit.

4. In the New Object - Organizational Unit window, type Client Computers OU, and then click OK.

X Task 2: Move LON-CL1 to the Client Computers OU


1. On LON-DC1, in the Active Directory Users and Computers console, in the navigation pane, click the
Computers container.

2. In the details pane, right-click LON-CL1, and then click Move.

3. In the Move window, click Client Computers OU, and then click OK.

X Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console window, expand Forest: Adatum.com, expand Domains,
expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: text box, type Software Control GPO, and then click OK.

4. In the right pane, right-click Software Control GPO, and then click Edit.

5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Application Control Policies, and
then expand AppLocker.

6. Under AppLocker, right-click Executable Rules, and then click Create Default Rules.

7. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules.

8. In the navigation pane, click AppLocker, and then in the right pane, click Configure rule
enforcement.

9. In the AppLocker Properties window, under Executable rules, select the Configured check box, and
then from the drop-down menu, select Audit only.

10. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and
then click OK.

11. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, and then expand Security Settings, click System Services and then double-click
Application Identity.

12. In the Application Identity Properties dialog box, select the Define this policy setting check box, and
then under Select service startup mode, select Automatic, and then click OK.

13. Close the Group Policy Management Editor.



14. In the Group Policy Management Console, right-click Member Servers OU, and then click Link an
Existing GPO.

15. In the Select GPO window, in the Group Policy Objects list, click Software Control GPO, and then click
OK.

X Task 4: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1.

2. Move the mouse pointer to the lower-right corner, and then click Search.

3. In the Search box, type cmd, and then press Enter.

4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window.

6. Move the mouse pointer to the lower-right corner, click Settings, click Power, and then click Restart.

X Task 5: Run app1.bat in the C:\CustomApp folder


1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Point the mouse pointer to the lower-right corner of the screen, and then, when it appears, click
Search.

3. In the Search box, type cmd, and then press Enter.


4. At the command prompt, type the following command:

C:\CustomApp\app1.bat

X Task 6: View AppLocker events in an event log


1. On LON-SVR1, open the Server Manager window, click Tools, and then click Event Viewer.

2. In the Event Viewer window, expand Application and Services Logs, expand Microsoft, expand
Windows, and then expand AppLocker.

3. Click MSI and Scripts, and review the event logs for App1.bat.

X Task 7: Create a rule that allows software to run from C:\CustomApp


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management window, in the Group Policy Objects node, edit the Software
Control GPO.

3. In the console tree, double-click Application Control Policies, double-click AppLocker, right-click
Script rules, and then click Create New Rule.

4. On the Before You Begin page, click Next.

5. On the Permissions page, select the Allow radio button, and then click Next.

6. On the Conditions page, click the Path radio button, and then click Next.

7. On the Path page, in the Path field, type %OSDRIVE%\CustomApp\app1.bat as the path of the
application to allow, and then click Next.

8. On the Exceptions page, click Next. On the Name and Description page, in the Name field, type
Custom App Rule, and then click Create.

X Task 8: Modify Software Control GPO to enforce the rules


1. In the Software Control GPO window, in the navigation pane, click AppLocker, and then in the right
pane, click Configure rule enforcement.

2. In the AppLocker Properties window, under Executable rules, select the Configured check box, and then
from the drop-down menu, select Enforce rules.

3. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and
then click OK.

4. Close Group Policy Management Editor.

X Task 9: Verify that an application can still be run from C:\CustomApp


1. Switch to LON-SVR1.

2. Move the mouse pointer to the lower-right corner, and then click Search.

3. In the Search box, type cmd, and then press Enter.

4. In the command prompt window, type the following command:

gpupdate /force

5. Close the command prompt window.

6. Point the mouse pointer over the lower-right corner, click Settings, click Power, and then click
Restart.
7. Log on to LON-SVR1 as Adatum\Tony with a password of Pa$$w0rd.

8. Open a command prompt.

9. Verify that you can still run c:\customapp\app1.bat.

X Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, on the taskbar, click Windows Explorer, and then in the navigation pane, click
Computer. In the Computer window, double-click Local Disk (C:), double-click the CustomApp
folder, right-click app1.bat, and then click Copy.
2. In the CustomApp window, in the navigation pane, right-click the Documents folder, and then click
Paste.

3. At the command prompt, type C:\Users\Tony\Documents\app1.bat.

4. Verify that the application cannot be run from the Documents folder, and that the following message
displays: “This program is blocked by Group Policy. For more information, contact your system
administrator.”

5. Close all open windows and log off.
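Tasks 9 and 10 prove the rule set by logging on as Tony and running the two copies. AppLocker can give the same answer without executing anything, and its own event log records what the audit and enforce phases did. The following is an added example and is not part of the 20410A lab; it assumes it runs on LON-SVR1 after gpupdate /force, uses the lab's paths and user name, and relies on the standard AppLocker MSI and Script log event IDs 8005, 8006 and 8007.

```powershell
# Added example (not from the 20410A course materials): evaluate the
# effective AppLocker policy against the two app1.bat copies for Adatum\Tony
# without running them, check the service AppLocker depends on, and read
# the AppLocker script events. Runs on LON-SVR1 after gpupdate /force.
Import-Module AppLocker

# Effective policy = every AppLocker GPO applied to this computer, merged.
$policy = Get-AppLockerPolicy -Effective
$paths  = 'C:\CustomApp\app1.bat', 'C:\Users\Tony\Documents\app1.bat'

# PolicyDecision is Allowed, Denied or DeniedByDefaultRule; MatchingRule
# names the rule that decided, which is what to check when a decision is
# not the one the GPO was meant to produce.
Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User 'Adatum\Tony' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# AppLocker silently enforces nothing while the Application Identity service
# is stopped, which is why Task 3 sets it to Automatic. Win32_Service exposes
# the start mode on Windows Server 2012 (Get-Service does not).
Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'" |
    Select-Object Name, State, StartMode

# Script/MSI decisions: 8005 = allowed, 8006 = would have been blocked
# (Audit only), 8007 = blocked (Enforce rules).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8005, 8006, 8007
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $outcome = switch ($e.Id) { 8005 { 'Allowed' } 8006 { 'Audit: would block' } 8007 { 'Blocked' } }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Outcome = $outcome
            File    = $d.FilePath
            User    = $d.TargetUser
            Rule    = $d.RuleName
        }
    } | Format-Table -AutoSize
```

Running the policy in Audit only first (Task 3) and reviewing the 8006 events before switching to Enforce rules (Task 8) is the rollout order that avoids blocking legitimate line-of-business scripts; the event query above is the review step between the two.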

Results: After completing this exercise, you will have configured AppLocker policies for all users whose
computer accounts are located in the Client Computers OU organizational unit. The policies you
configured should allow these users to run applications that are located in the folders C:\Windows and
C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.

Exercise 2: Configuring Windows Firewall


X Task 1: Create a group called Application Servers
1. Switch to LON-DC1.

2. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member
Servers OU, click New, and then click Group.

4. In the New Object – Group window, in the Group Name field, type Application Servers, and then
click OK.

X Task 2: Add LON-SVR1 as a group member


1. In the Active Directory Users and Computers console, in the navigation pane, click the Member
Servers OU, in the details pane right-click Application Servers group, and then click Properties.

2. In the Application Servers Properties window, click the Members tab, and then click Add.

3. In the Select Users, Computers, Service Accounts or Groups window, click Object Types, click Computers, and
then click OK.

4. In Enter the object names to select, type LON-SVR1, and then click OK.

X Task 3: Create a new Application Servers GPO


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Application Servers GPO, and then click OK.

4. In the Group Policy Management Console, right-click Application Servers GPO, and then click Edit.

5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security,
and then click Windows Firewall with Advanced Security - LDAP://CN={GUID}.

6. In the Group Policy Management Editor, click Inbound Rules.

7. Right-click Inbound Rules, and then click New Rule.

8. In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.

9. On the Program page, click Next.


10. On the Protocol and Ports page, in the Protocol type list, click TCP.

11. In the Local port list, click Specific Ports, in the text box, type 8080, and then click Next.

12. On the Scope page, click Next.


13. On the Action page, click Allow the connection, and then click Next.

14. On the Profile page, clear the Private and Public check boxes, and then click Next.

15. On the Name page, in the Name box, type Application Server Department Firewall Rule, and then
click Finish.

16. Close the Group Policy Management Editor.



X Task 4: Link the Application Servers GPO to the Member Servers OU


1. On LON-DC1, in the Group Policy Management Console, right-click Member Servers OU, and then
click Link an Existing GPO.

2. In the Select GPO window, in the Group Policy Objects list, click Application Servers GPO, and then
click OK.

X Task 5: Use security filtering to limit the Application Servers GPO to members of the
Application Servers group
1. On LON-DC1, in the Group Policy Management Console, click Member Servers OU.

2. Expand the Member Servers OU, and then click the Application Servers GPO link.

3. In the Group Policy Management Console message box, click OK.

4. In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.

5. In the confirmation dialog box, click OK.

6. In the details pane, under Security Filtering, click Add.

7. In the Select User, Computer, or Group dialog box, type Application Servers, and then click OK.

X Task 6: Run GPUpdate on LON-SVR1


1. Switch to LON-SVR1, and then log on as Adatum\Administrator.

2. Move the mouse pointer to the lower-right corner, and then click Search.

3. In the Search box, type cmd, and then press Enter.

4. In the command prompt window, type the following command, and then press Enter:

gpupdate /force

5. Close the command prompt window.

6. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of
Pa$$w0rd.

X Task 7: View the firewall rules on LON-SVR1


1. Switch to LON-SVR1.

2. In Server Manager, click Tools, and then click Windows Firewall with Advanced Security.

3. In the Windows Firewall with Advanced Security window, click Inbound Rules.

4. In the right pane, verify that the Application Server Department Firewall Rule that you created earlier
using Group Policy is configured.
5. Verify that you cannot edit the Application Server Department Firewall Rule, because it is
configured through Group Policy.
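The inbound rule of Task 3 can be written straight into the GPO with the NetSecurity cmdlets, and Task 7's check can be made precise by asking which policy store a rule came from. The following is an added example and is not part of the 20410A lab; it assumes the first half runs on LON-DC1 and the second on LON-SVR1 after gpupdate /force and a restart, and uses the lab's GPO, rule and domain names.

```powershell
# Added example (not from the 20410A course materials): create the TCP 8080
# inbound rule inside the Application Servers GPO, then verify on LON-SVR1
# that the rule applied came from Group Policy. Names are the lab's.

# --- On LON-DC1: write the rule into the GPO's firewall policy store ---
$gpoStore = 'Adatum.com\Application Servers GPO'
$ruleName = 'Application Server Department Firewall Rule'

# One GPO session collects every change; nothing is written until Save-NetGPO.
$session = Open-NetGPO -PolicyStore $gpoStore
if (-not (Get-NetFirewallRule -GPOSession $session -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # Domain profile only, as Task 3 clears Private and Public: the rule must
    # not travel with a server that is ever connected to another network.
    New-NetFirewallRule -GPOSession $session -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Domain | Out-Null
}
Save-NetGPO -GPOSession $session

# --- On LON-SVR1 after gpupdate /force and a restart ---
# RSOP lists rules delivered by Group Policy; PolicyStoreSource names the GPO.
# A rule of the same name whose source is PersistentStore would be a local
# addition, which is the case Task 7 step 5 rules out.
Get-NetFirewallRule -PolicyStore RSOP -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSourceType, PolicyStoreSource

# Port filter attached to the active copy of the rule.
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# An allow rule for a port nothing listens on exposes nothing but also serves
# nothing; list the listener so the rule can be matched to a real service.
Get-NetTCPConnection -LocalPort 8080 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Because the rule is scoped by the Application Servers group through security filtering (Task 5), the RSOP query is also the quickest way to see whether a server that was added to the group has picked the rule up yet.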

X Task 8: To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by performing the following
steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall
with Advanced Security to create rules to allow inbound network communication through TCP port 8080.

Module 13: Implementing Server Virtualization with Hyper-V


Lab: Implementing Server Virtualization
with Hyper-V
Exercise 1: Installing the Hyper-V Server Role
X Task 1: Install the Hyper-V server role
1. Reboot the classroom computer, and then from the Windows Boot Manager, choose 20410A-LON-HOST1.

2. Log onto LON-HOST1 with the Administrator account and the password Pa$$w0rd.

3. In Server Manager, click Local Server.

4. In the Properties pane, click the IPv4 address assigned by DHCP link.

5. In the Network Connections dialog box, right-click the network object and then click Properties.

6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click
Properties.

7. On the General tab, click Use the following IP address and configure the following:

o IP Address: 172.16.0.31

o Subnet mask: 255.255.0.0


o Default gateway: 172.16.0.1

8. On the General tab, click Use the following DNS server addresses and then configure the
following:

o Preferred DNS server: 172.16.0.10

9. Click OK to close the Properties dialog box.

10. Click Close.


11. Close the Network Connections dialog box.

12. In the Server Manager console, from the Manage menu, click Add Roles and Features.

13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

14. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.

15. On the Select destination server page, ensure that LON-HOST1 is selected, and then click Next.

16. On the Select server roles page, select Hyper-V.

17. In the Add Roles and Features Wizard dialog box, click Add Features.

18. On the Select server roles page, click Next.


19. On the Select features page, click Next.

20. On the Hyper-V page, click Next.

21. On the Virtual Switches page, verify that no selections have been made, and then click Next.

22. On the Virtual Machine Migration page, click Next.

23. On the Default Stores page, review the location of the Default Stores, and then click Next.

24. On the Confirm installation selections page, select Restart the destination server automatically
if required.

25. In the Add Roles and Features Wizard, review the message regarding automatic restarts, and then
click Yes.

26. On the Confirm Installation Selections page, click Install.

27. After a few minutes, the server will restart automatically. Ensure that you restart the machine from the
boot menu as 20410A-LON-HOST1. The computer will restart several times.

X Task 2: Complete Hyper-V role installation and verify settings


1. Log on to LON-HOST1 using the account Administrator with the password Pa$$w0rd.

2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and
Features Wizard.

3. In the Server Manager console, click the Tools menu, and then click Hyper-V Manager.

4. In the Hyper-V Manager console, click LON-HOST1.

5. In the Hyper-V Manager console, in the Actions pane, with LON-HOST1 selected, click Hyper-V
Settings.

6. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Keyboard item. Verify that the
Keyboard is set to the Use on the virtual machine option.

7. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Virtual Hard Disks item. Verify
that the location of the default folder to store Virtual Hard Disk files is
C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, and then click OK.

Results: After this exercise, you should have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking


X Task 1: Configure the external network
1. In the Hyper-V Manager console, click LON-HOST1.

2. From the Actions menu, click Virtual Switch Manager.

3. In the Virtual Switch Manager for LON-HOST1 dialog box, select New virtual network switch.
Ensure that External is selected, and then click Create Virtual Switch.

4. In the Virtual Switch Properties area, enter the following information, and then click OK:

o Name: Switch for External Adapter

o External Network: Mapped to the host computer's physical network adapter. (This will vary
depending on the host computer.)

5. In the Apply Networking Changes dialog box, review the warning, and then click Yes.

X Task 2: Create a private network


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.

2. From the Actions menu, click Virtual Switch Manager.

3. Under Virtual Switches, click New virtual network switch.



4. Under Create virtual switch, select Private, and then click Create Virtual Switch.

5. In the Virtual Switch Properties section of the Virtual Switch Manager dialog box, configure the
following settings, and then click OK:

o Name: Private Network

o Connection type: Private network

X Task 3: Create an internal network


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.

2. From the Actions menu, click Virtual Switch Manager.

3. Under Virtual Switches, select New virtual network switch.


4. Under Create virtual switch, select Internal and then click Create Virtual Switch.

5. In the Virtual Switch Properties section, configure the following settings, and then click OK:

o Name: Internal Network

o Connection type: Internal network

X Task 4: Configure the MAC address range


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.

2. On the Actions menu, click Virtual Switch Manager.


3. Under Global Network Settings, click MAC Address Range.

4. On MAC Address Range settings, configure the following values, and then click OK:

o Minimum: 00-15-5D-0F-AB-A0

o Maximum: 00-15-5D-0F-AB-EF

5. Close the Hyper-V Manager console.

Results: After this exercise, you should have configured virtual switch options on a physically deployed
Windows Server 2012 server running the Hyper-V role.
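The whole of Exercise 2 as a script, added here as an example and not part of the course lab: it creates the External, Private, and Internal switches with New-VMSwitch, sets the host MAC address pool with Set-VMHost, and reports which switches are bound to a physical adapter (only an External switch gives guests a path to the LAN; a Private switch keeps guest traffic away from the host entirely). The function names are the example's own; the switch names and MAC range are the lab's. It assumes the Hyper-V module on LON-HOST1 and that the first connected physical adapter is the one to bridge.

```powershell
# Added example (not the course's own script): the three switch types from Exercise 2
# plus the MAC range, then a report of what each switch can reach.
Import-Module Hyper-V

function New-LabVirtualSwitches {
    param([string]$ExternalNic = (Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } |
                                  Select-Object -First 1 -ExpandProperty Name))

    # External: bridged to the physical NIC, so guest traffic reaches the LAN.
    if (-not (Get-VMSwitch -Name 'Switch for External Adapter' -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name 'Switch for External Adapter' -NetAdapterName $ExternalNic `
                     -AllowManagementOS $true | Out-Null
    }
    # Private: guests talk only to each other; the host has no adapter on this switch.
    if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
    }
    # Internal: guests and the host, but still no path to the physical network.
    if (-not (Get-VMSwitch -Name 'Internal Network' -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name 'Internal Network' -SwitchType Internal | Out-Null
    }

    # Lab MAC pool 00-15-5D-0F-AB-A0 .. 00-15-5D-0F-AB-EF; Set-VMHost takes no separators.
    # A distinct pool per host avoids duplicate MACs when several hosts share a LAN.
    Set-VMHost -MacAddressMinimum '00155D0FABA0' -MacAddressMaximum '00155D0FABEF'
}

function Get-LabSwitchReport {
    Get-VMSwitch | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Type        = $_.SwitchType
            # Empty for Private and Internal switches: no physical adapter is bound
            PhysicalNic = $_.NetAdapterInterfaceDescription
            HostAccess  = $_.AllowManagementOS
        }
    }
}

New-LabVirtualSwitches
Get-LabSwitchReport | Format-Table -AutoSize
Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum
```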

Exercise 3: Creating and Configuring a Virtual Machine


X Task 1: Create differencing disks
1. On the taskbar, click Windows Explorer.

2. Click Computer, and then browse to the following location:


E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number
of drives on the physical host machine.)

3. Verify that the Base12A-WS2012-RC.vhd hard disk image file is present.

4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click
each folder and rename the folders with the names listed below:

o LON-GUEST1

o LON-GUEST2

5. Close Windows Explorer.



6. In the Server Manager console, click the Tools menu and click Hyper-V Manager.

7. In the Actions pane, click New, and then click Hard Disk.

8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

9. On the Choose Disk Format page, select VHD, and then click Next.

10. On the Choose Disk Type page, select Differencing, and then click Next.

11. On the Specify Name and Location page, specify the following details, and then click Next:

o Name: LON-GUEST1.vhd

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\


12. On the Configure Disk page, type the location E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd,
and then click Finish.

13. On the taskbar, click the PowerShell icon.


14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then
press Enter.

Import-Module Hyper-V

15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2 and then press Enter:

New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

16. Close the PowerShell window.


17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.

18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click
LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a
differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd
as a parent, and then click Close.

X Task 2: Create virtual machines


1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.

2. In the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.

3. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.

4. On the Specify Name and Location page, select Store the virtual machine in a different location,
enter the following values, and then click Next:

o Name: LON-GUEST1

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

5. On the Assign Memory page, enter a value of 1024 MB, select the Use Dynamic Memory for this
virtual machine option, and then click Next.

6. On the Configure Networking page, for the connection, choose Private Network, and then click
Next.

7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\LON-GUEST1.vhd. Click
Open and then click Finish.

8. On the Taskbar, click the PowerShell icon.

9. At the PowerShell prompt, enter the following command to import the Hyper-V module:

Import-Module Hyper-V

10. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

11. Close the PowerShell window.

12. In the Hyper-V Manager console, click LON-GUEST2.


13. In the Actions pane, under LON-GUEST2, click Settings.

14. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Start Action, and set
the Automatic Start Action to Nothing.

15. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Stop Action, and set
the Automatic Stop Action to Shut down the guest operating system.

16. Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box.

X Task 3: Enable resource metering


1. On the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, enter the following command to import the Hyper-V module:

Import-Module Hyper-V

3. At the Windows PowerShell prompt, enter the following commands to enable resource metering on
the virtual machines:

Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2

Results: After this exercise, you should have deployed two separate virtual machines using a sysprepped
virtual hard disk file as a parent disk for two differencing disks.
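Steps 15 through 19 of Task 1 together with Tasks 2 and 3 for LON-GUEST2 as one script, added here as an example and not the course's own code: it creates the differencing disk, checks with Get-VHD that its type and parent are what the lab's Inspect Disk step expects before any VM uses it, creates the VM with the lab's automatic start and stop actions, and enables resource metering. New-LabGuest and the read-only attribute set on the parent disk are the example's additions; the paths and names are the lab's.

```powershell
# Added example (not the course's own script): build LON-GUEST2 as Exercise 3 does,
# verifying the differencing disk before a VM is attached to it.
Import-Module Hyper-V

$Base   = 'E:\Program Files\Microsoft Learning\Base'
$Parent = Join-Path $Base 'Base12A-WS2012-RC.vhd'

function New-LabGuest {
    param([string]$Name, [string]$ParentPath, [string]$SwitchName = 'Private Network')

    $dir = Join-Path $Base $Name
    $vhd = Join-Path $dir "$Name.vhd"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Differencing disk: writes land in the child; the sysprepped parent stays shared and unchanged.
    New-VHD -Path $vhd -ParentPath $ParentPath | Out-Null

    # Same check as Inspect Disk in the console: type and parent must match, because a
    # moved or modified parent silently breaks every child that depends on it.
    $info = Get-VHD -Path $vhd
    if ($info.VhdType -ne 'Differencing' -or $info.ParentPath -ne $ParentPath) {
        throw "$vhd is not a differencing disk of $ParentPath"
    }

    New-VM -Name $Name -MemoryStartupBytes 1024MB -VHDPath $vhd `
           -SwitchName $SwitchName -Path $dir | Out-Null
    # The lab's settings: dynamic memory, never auto-start, clean guest shutdown when the host stops.
    Set-VM -Name $Name -DynamicMemory -AutomaticStartAction Nothing -AutomaticStopAction ShutDown
    Enable-VMResourceMetering -VMName $Name
    Get-VM -Name $Name
}

# The parent must not change while children depend on it; the read-only attribute is a
# guard against accidental edits (Hyper-V only ever opens a parent disk read-only).
Set-ItemProperty -Path $Parent -Name IsReadOnly -Value $true

New-LabGuest -Name 'LON-GUEST2' -ParentPath $Parent |
    Select-Object Name, State, AutomaticStartAction, AutomaticStopAction, ResourceMeteringEnabled
```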

Exercise 4: Using Virtual Machine Snapshots


X Task 1: Deploy Windows Server 2012 in a virtual machine
1. In the Hyper-V Manager console, click on LON-GUEST1.

2. In the Actions pane, click Start.

3. Double-click LON-GUEST1 to open the Virtual Machine Connection window.


4. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection Window, on the Settings page,
click Skip.

5. On the Settings page, select the I accept the license terms for using Windows check box, and
then click Accept.

6. On the Settings page, click Next to accept the Region and Language settings.

7. On the Settings page, enter the password Pa$$w0rd twice, and then click Finish.

8. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, from the Action menu,
click Ctrl+Alt+Delete. Log on to the virtual machine using the account Administrator and the
password Pa$$w0rd.

9. On the virtual machine, in the Server Manager console, click Local Server, and then click the
randomly assigned name next to Computer name.

10. In the System Properties dialog box, on the Computer Name tab, click Change.

11. Set the Computer Name to LON-GUEST1, and then click OK.

12. In the Computer Name/Domain Changes dialog box, click OK.

13. Click Close to close the System Properties dialog box.

14. In the Microsoft Windows dialog box, click Restart Now.

X Task 2: Create a virtual machine snapshot


1. Log on to the LON-GUEST1 virtual machine using the Administrator account and the password
Pa$$w0rd.

2. In the Server Manager console, click the Local Server node, and verify that the name of the computer
is set to LON-GUEST1.

3. In the Virtual Machine Connection window, from the Action menu, click Snapshot.

4. In the Snapshot Name dialog box, enter the name Before Change, and then click Yes.

X Task 3: Modify the virtual machine


1. In the Server Manager console, click Local Server, and then next to Computer name, click
LON-GUEST1.

2. In the System Properties dialog box, on the Computer Name tab, click Change.

3. Set the Computer Name to LON-Computer1, and then click OK.

4. In the Computer Name/Domain Changes dialog box, click OK.

5. Close the System Properties dialog box.

6. In the Microsoft Windows dialog box, click Restart Now.

7. Log back on to the LON-GUEST1 virtual machine using the Administrator account and the
password Pa$$w0rd.

8. In the Server Manager console, click Local Server, and verify that the server name is set to
LON-Computer1.

X Task 4: Revert to the existing virtual machine snapshot


1. In the Virtual Machine Connection window, from the Action menu, click Revert.

2. In the Revert Virtual Machine dialog box, click Revert.

3. In the Server Manager console, in the Local Server node in the Virtual Machines list, verify that the
Computer Name is set to LON-GUEST1.

X Task 5: View resource metering data


1. On LON-HOST1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell command-line prompt, enter the following command to import the
Hyper-V module:

Import-Module Hyper-V

3. At the Windows PowerShell command-line prompt, enter the following command to retrieve
resource metering information:

Measure-VM LON-GUEST1

4. Note the average CPU, average random access memory (RAM), and total disk usage figures.

5. Close the Windows PowerShell window.

X Task 6: Revert the virtual machines


1. Click the Windows PowerShell icon on the taskbar.

2. In the Windows PowerShell window, enter the following command and press Enter:

Shutdown /r /t 5

3. From the Windows Boot Manager, choose Windows Server 2008 R2.

Results: After this exercise, you should have used virtual machine snapshots to recover from a virtual
machine misconfiguration.
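The snapshot-and-revert pattern from Tasks 2 to 4 and the metering query from Task 5, added here as an example and not the course's own code: a helper takes a snapshot, lets a change be applied, and reverts automatically if the guest's integration-services heartbeat does not come back within a timeout; the metering figures are then saved as a baseline for later comparison. Invoke-WithSnapshotRollback and Wait-VMHealthy are the example's own names; it assumes the Hyper-V module on LON-HOST1 and that LON-GUEST1 is running.

```powershell
# Added example (not the course's own script): snapshot, change, verify, and revert on
# failure, followed by the Measure-VM reading from Task 5.
Import-Module Hyper-V

function Wait-VMHealthy {
    param([string]$VMName, [int]$TimeoutSec = 300)
    # Heartbeat is reported by the integration services inside the guest, so it proves
    # the OS actually booted, not merely that the VM object is 'Running'.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $vm = Get-VM -Name $VMName
        if ($vm.State -eq 'Running' -and $vm.Heartbeat -like 'Ok*') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-WithSnapshotRollback {
    param([string]$VMName, [string]$SnapshotName = 'Before Change', [scriptblock]$Change)
    # Action > Snapshot in the connection window
    Checkpoint-VM -Name $VMName -SnapshotName $SnapshotName
    & $Change
    if (Wait-VMHealthy -VMName $VMName) {
        # Keep the change and merge the snapshot so the AVHD chain does not keep growing
        Remove-VMSnapshot -VMName $VMName -Name $SnapshotName
        return 'committed'
    }
    # Action > Revert: disk and memory state return to the snapshot
    Restore-VMSnapshot -VMName $VMName -Name $SnapshotName -Confirm:$false
    return 'rolled back'
}

# The lab's change (renaming the guest to LON-Computer1) is made in the guest console,
# so the change step only waits for the operator; an unattended script would put the
# in-guest work in this block instead.
$outcome = Invoke-WithSnapshotRollback -VMName 'LON-GUEST1' -Change {
    Read-Host 'Apply the change in the LON-GUEST1 console, let it restart, then press Enter'
}
"LON-GUEST1: $outcome"

# Task 5 in code: the figures the lab asks you to note, saved as a baseline so a later
# reading can be compared against it (unexpected CPU or disk growth then stands out).
Measure-VM -VMName 'LON-GUEST1' |
    Select-Object VMName, AverageProcessorUsage, AverageMemoryUsage, TotalDiskAllocation, MeteringDuration |
    Export-Csv -Path "$env:TEMP\LON-GUEST1-metering-baseline.csv" -NoTypeInformation
```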
